
📄 airdecap-ng.c

📁 java software for you to send out the request
💻 C
        memcpy( buffer + n - 4, "-dec", 4 );        memcpy( buffer + n, argv[optind] + n - 4, 5 );    }    else    {        if( n > 5 && ( n + 6 < (int) sizeof( buffer ) ) &&            argv[optind][n - 5] == '.' )        {            memcpy( buffer, argv[optind], n - 5 );            memcpy( buffer + n - 5, "-dec", 4 );            memcpy( buffer + n - 1, argv[optind] + n - 5, 6 );        }        else        {            memset( buffer, 0, sizeof( buffer ) );            snprintf( (char *) buffer, sizeof( buffer ) - 1,                      "%s-dec", argv[optind] );        }    }    if( ( f_out = fopen( (char *) buffer, "wb+" ) ) == NULL )    {        perror( "fopen failed" );        printf( "Could not create \"%s\".\n", buffer );        return( 1 );    }    pfh.magic           = TCPDUMP_MAGIC;    pfh.version_major   = PCAP_VERSION_MAJOR;    pfh.version_minor   = PCAP_VERSION_MINOR;    pfh.thiszone        = 0;    pfh.sigfigs         = 0;    pfh.snaplen         = 65535;    pfh.linktype        = ( opt.no_convert ) ?                            LINKTYPE_IEEE802_11 :                            LINKTYPE_ETHERNET;    n = sizeof( pfh );    if( fwrite( &pfh, 1, n, f_out ) != (size_t) n )    {        perror( "fwrite(pcap file header) failed" );        return( 1 );    }    /* loop reading and deciphering the packets */    memset( &stats, 0, sizeof( stats ) );    tt = time( NULL );    st_1st = NULL;    while( 1 )    {        if( time( NULL ) - tt > 0 )        {            /* update the status line every second */            printf( "\33[KRead %ld packets...\r", stats.nb_read );            fflush( stdout );            tt = time( NULL );        }        /* read one packet */        n = sizeof( pkh );        if( fread( &pkh, 1, n, f_in ) != (size_t) n )            break;        if( magic == TCPDUMP_CIGAM )            SWAP32( pkh.caplen );        n = pkh.caplen;        if( n <= 0 || n > 65535 )        {            printf( "Corrupted file? 
Invalid packet length %d.\n", n );            break;        }        if( fread( buffer, 1, n, f_in ) != (size_t) n )            break;        stats.nb_read++;        h80211 = buffer;        if( linktype == LINKTYPE_PRISM_HEADER )        {            /* remove the prism header */            if( h80211[7] == 0x40 )                n = 64; /* prism54 */            else            {                n = *(int *)( h80211 + 4 );                if( magic == TCPDUMP_CIGAM )                    SWAP32( n );            }            if( n < 8 || n >= (int) pkh.caplen )                continue;            h80211 += n; pkh.caplen -= n;        }        if( linktype == LINKTYPE_RADIOTAP_HDR )        {            /* remove the radiotap header */            n = *(unsigned short *)( h80211 + 2 );            if( n <= 0 || n >= (int) pkh.caplen )                continue;            h80211 += n; pkh.caplen -= n;        }        /* remove the FCS if present (madwifi) */        if( check_crc_buf( h80211, pkh.caplen - 4 ) == 1 )        {            pkh.len    -= 4;            pkh.caplen -= 4;        }        /* check if data */        if( ( h80211[0] & 0x0C ) != 0x08 )            continue;        /* check minimum size */        z = ( ( h80211[1] & 3 ) != 3 ) ? 
24 : 30;        if( z + 16 > (int) pkh.caplen )            continue;        /* check the BSSID */        switch( h80211[0] & 3 )        {            case  0: memcpy( bssid, h80211 + 16, 6 ); break;            case  1: memcpy( bssid, h80211 +  4, 6 ); break;            case  2: memcpy( bssid, h80211 + 10, 6 ); break;            default: memcpy( bssid, h80211 +  4, 6 ); break;        }        if( memcmp( opt.bssid, ZERO, 6 ) != 0 )            if( memcmp( opt.bssid, bssid, 6 ) != 0 )                continue;        /* locate the station's MAC address */        switch( h80211[1] & 3 )        {            case  1: memcpy( stmac, h80211 + 10, 6 ); break;            case  2: memcpy( stmac, h80211 +  4, 6 ); break;            case  3: memcpy( stmac, h80211 + 10, 6 ); break;            default: continue;        }        st_prv = NULL;        st_cur = st_1st;        while( st_cur != NULL )        {            if( ! memcmp( st_cur->stmac, stmac, 6 ) )                break;            st_prv = st_cur;            st_cur = st_cur->next;        }        /* if it's a new station, add it */        if( st_cur == NULL )        {            if( ! 
( st_cur = (struct ST_info *) malloc(                             sizeof( struct ST_info ) ) ) )            {                perror( "malloc failed" );                break;            }            memset( st_cur, 0, sizeof( struct ST_info ) );            if( st_1st == NULL )                st_1st = st_cur;            else                st_prv->next = st_cur;            memcpy( st_cur->stmac, stmac, 6 );            memcpy( st_cur->bssid, bssid, 6 );        }        /* check if we haven't already processed this packet */        crc = calc_crc_buf( h80211 + z, pkh.caplen - z );        if( ( h80211[1] & 3 ) == 2 )        {            if( st_cur->t_crc == crc )                continue;            st_cur->t_crc = crc;        }        else        {            if( st_cur->f_crc == crc )                continue;            st_cur->f_crc = crc;        }        /* check the SNAP header to see if data is encrypted *         * as unencrypted data begins with AA AA 03 00 00 00 */        if( h80211[z] != h80211[z + 1] || h80211[z + 2] != 0x03 )        {            /* check the extended IV flag */            if( ( h80211[z + 3] & 0x20 ) == 0 )            {                uchar K[64];                stats.nb_wep++;                if( opt.crypt != CRYPT_WEP )                    continue;                memcpy( K, h80211 + z, 3 );                memcpy( K + 3, opt.wepkey, opt.weplen );                if( decrypt_wep( h80211 + z + 4, pkh.caplen - z - 4,                                 K, 3 + opt.weplen ) == 0 )                    continue;                /* WEP data packet was successfully decrypted, *                 * remove the WEP IV & ICV and write the data  */                pkh.len    -= 8;                pkh.caplen -= 8;                memcpy( h80211 + z, h80211 + z + 4, pkh.caplen - z );                stats.nb_unwep++;                h80211[1] &= 0xBF;                if( write_packet( f_out, &pkh, h80211 ) != 0 )                    break;            }            else       
     {                stats.nb_wpa++;                if( opt.crypt != CRYPT_WPA )                    continue;                /* if the PTK is valid, try to decrypt */                if( st_cur == NULL || ! st_cur->valid_ptk )                    continue;                if( st_cur->keyver == 1 )                {                    if( decrypt_tkip( h80211, pkh.caplen,                                      st_cur->ptk + 32 ) == 0 )                        continue;                    pkh.len    -= 20;                    pkh.caplen -= 20;                }                else                {                    if( decrypt_ccmp( h80211, pkh.caplen,                                      st_cur->ptk + 32 ) == 0 )                        continue;                    pkh.len    -= 16;                    pkh.caplen -= 16;                }                /* WPA data packet was successfully decrypted, *                 * remove the WPA Ext.IV & MIC, write the data */                memcpy( h80211 + z, h80211 + z + 8, pkh.caplen - z );                stats.nb_unwpa++;                h80211[1] &= 0xBF;                if( write_packet( f_out, &pkh, h80211 ) != 0 )                    break;            }        }        else        {            /* check ethertype == EAPOL */            z += 6;            if( h80211[z] != 0x88 || h80211[z + 1] != 0x8E )            {                stats.nb_plain++;                if( opt.crypt != CRYPT_NONE )                    continue;                if( write_packet( f_out, &pkh, h80211 ) != 0 )                    break;            }            z += 2;            /* type == 3 (key), desc. 
== 254 (WPA) or 2 (RSN) */            if( h80211[z + 1] != 0x03 ||                ( h80211[z + 4] != 0xFE && h80211[z + 4] != 0x02 ) )                continue;            /* frame 1: Pairwise == 1, Install == 0, Ack == 1, MIC == 0 */            if( ( h80211[z + 6] & 0x08 ) != 0 &&                ( h80211[z + 6] & 0x40 ) == 0 &&                ( h80211[z + 6] & 0x80 ) != 0 &&                ( h80211[z + 5] & 0x01 ) == 0 )            {                /* set authenticator nonce */                memcpy( st_cur->anonce, &h80211[z + 17], 32 );            }            /* frame 2 or 4: Pairwise == 1, Install == 0, Ack == 0, MIC == 1 */            if( ( h80211[z + 6] & 0x08 ) != 0 &&                ( h80211[z + 6] & 0x40 ) == 0 &&                ( h80211[z + 6] & 0x80 ) == 0 &&                ( h80211[z + 5] & 0x01 ) != 0 )            {                if( memcmp( &h80211[z + 17], ZERO, 32 ) != 0 )                {                    /* set supplicant nonce */                    memcpy( st_cur->snonce, &h80211[z + 17], 32 );                }            }            /* frame 3: Pairwise == 1, Install == 1, Ack == 1, MIC == 1 */            if( ( h80211[z + 6] & 0x08 ) != 0 &&                ( h80211[z + 6] & 0x40 ) != 0 &&                ( h80211[z + 6] & 0x80 ) != 0 &&                ( h80211[z + 5] & 0x01 ) != 0 )            {                if( memcmp( &h80211[z + 17], ZERO, 32 ) != 0 )                {                    /* set authenticator nonce */                    memcpy( st_cur->anonce, &h80211[z + 17], 32 );                }                /* copy the MIC & eapol frame */                st_cur->eapol_size = ( h80211[z + 2] << 8 )                                   +   h80211[z + 3] + 4;                memcpy( st_cur->keymic, &h80211[z + 81], 16 );                memcpy( st_cur->eapol, &h80211[z], st_cur->eapol_size );                memset( st_cur->eapol + 81, 0, 16 );                /* copy the key descriptor version */                st_cur->keyver = h80211[z + 6] 
& 7;            }            st_cur->valid_ptk = calc_ptk( st_cur, opt.pmk );        }    }    fclose( f_in  );    fclose( f_out );    /* write some statistics */    printf( "\33[KTotal number of packets read      % 8ld\n"                 "Total number of WEP data packets  % 8ld\n"                 "Total number of WPA data packets  % 8ld\n"                 "Number of plaintext data packets  % 8ld\n"                 "Number of decrypted WEP  packets  % 8ld\n"                 "Number of decrypted WPA  packets  % 8ld\n",            stats.nb_read, stats.nb_wep, stats.nb_wpa,            stats.nb_plain, stats.nb_unwep, stats.nb_unwpa );    return( 0 );}
