forked from derv82/wifite
wifite.py
executable file · 3367 lines (2937 loc) · 150 KB
#!/usr/bin/python
# -*- coding: utf-8 -*-
"""
wifite
author: derv82 at gmail
author: bwall @botnet_hunter ([email protected])
author: drone @dronesec ([email protected])
Thanks to everyone that contributed to this project.
If you helped in the past and want your name here, shoot me an email
Licensed under the GNU General Public License Version 2 (GNU GPL v2),
available at: http://www.gnu.org/licenses/gpl-2.0.txt
(C) 2011 Derv Merkler
Ballast Security additions
-----------------
- No longer requires to be root to run -cracked
- cracked.txt changed to cracked.csv and stored in csv format(easier to read, no \x00s)
- Backwards compatibility
- Made a run configuration class to handle globals
- Added -recrack (shows already cracked APs in the possible targets, otherwise hides them)
- Changed the updater to grab files from GitHub and not Google Code
- Use argparse to parse command-line arguments
- -wepca flag now properly initialized if passed through CLI
- parse_csv uses python csv library
-----------------
TODO:
Restore same command-line switch names from v1
If device already in monitor mode, check for and, if applicable, use macchanger
WPS
* Mention reaver automatically resumes sessions
* Warning about length of time required for WPS attack (*hours*)
* Show time since last successful attempt
* Percentage of tries/attempts ?
* Update code to work with reaver 1.4 ("x" sec/att)
WEP:
* ability to pause/skip/continue (done, not tested)
* Option to capture only IVS packets (uses --output-format ivs,csv)
- not compatible on older aircrack-ng's.
- Just run "airodump-ng --output-format ivs,csv", "No interface specified" = works
- would cut down on size of saved .caps
reaver:
MONITOR ACTIVITY!
- Enter ESSID when executing (?)
- Ensure WPS key attempts have begun.
- If no attempts can be made, stop attack
- During attack, if no attempts are made within X minutes, stop attack & Print
- Reaver's output when unable to associate:
[!] WARNING: Failed to associate with AA:BB:CC:DD:EE:FF (ESSID: ABCDEF)
- If failed to associate for x minutes, stop attack (same as no attempts?)
MIGHTDO:
* WPA - crack (pyrit/cowpatty) (not really important)
* Test injection at startup? (skippable via command-line switch)
"""
#############
# LIBRARIES #
#############
import csv # Exporting and importing cracked aps
import os # File management
import time # Measuring attack intervals
import random # Generating a random MAC address.
import errno # Error numbers
from sys import argv # Command-line arguments
from sys import stdout # Flushing
from shutil import copy # Copying .cap files
# Executing, communicating with, killing processes
from subprocess import Popen, call, PIPE
from signal import SIGINT, SIGTERM
import re # RegEx, Converting SSID to filename
import argparse # arg parsing
import urllib # Check for new versions from the repo
import abc # abstract base class libraries for attack templates
################################
# GLOBAL VARIABLES IN ALL CAPS #
################################
# Console colors
W = '\033[0m' # white (normal)
R = '\033[31m' # red
G = '\033[32m' # green
O = '\033[33m' # orange
B = '\033[34m' # blue
P = '\033[35m' # purple
C = '\033[36m' # cyan
GR = '\033[37m' # gray
# /dev/null, send output from programs so they don't print to screen.
DN = open(os.devnull, 'w')
ERRLOG = open(os.devnull, 'w')
OUTLOG = open(os.devnull, 'w')
###################
# DATA STRUCTURES #
###################
class CapFile:
    """
    Holds data about an access point's .cap file, including AP's ESSID & BSSID.
    """

    def __init__(self, filename, ssid, bssid):
        self.filename = filename
        self.ssid = ssid
        self.bssid = bssid


class Target:
    """
    Holds data for a Target (aka Access Point aka Router)
    """

    def __init__(self, bssid, power, data, channel, encryption, ssid):
        self.bssid = bssid
        self.power = power
        self.data = data
        self.channel = channel
        self.encryption = encryption
        self.ssid = ssid
        self.wps = False  # Default to non-WPS-enabled router.
        self.key = ''


class Client:
    """
    Holds data for a Client (device connected to Access Point/Router)
    """

    def __init__(self, bssid, station, power):
        self.bssid = bssid
        self.station = station
        self.power = power


class RunConfiguration:
    """
    Configuration for this round of attacks
    """

    def __init__(self):
        self.REVISION = 86
        self.PRINTED_SCANNING = False
        self.TX_POWER = 0  # Transmit power for wireless interface, 0 uses default power

        # WPA variables
        self.WPA_DISABLE = False  # Flag to skip WPA handshake capture
        self.WPA_STRIP_HANDSHAKE = True  # Use pyrit or tshark (if applicable) to strip handshake
        self.WPA_DEAUTH_COUNT = 5  # Count to send deauthentication packets
        self.WPA_DEAUTH_TIMEOUT = 10  # Time to wait between deauthentication bursts (in seconds)
        self.WPA_ATTACK_TIMEOUT = 500  # Total time to allow for a handshake attack (in seconds)
        self.WPA_HANDSHAKE_DIR = 'hs'  # Directory in which handshake .cap files are stored
        # Strip file path separator if needed
        if self.WPA_HANDSHAKE_DIR != '' and self.WPA_HANDSHAKE_DIR[-1] == os.sep:
            self.WPA_HANDSHAKE_DIR = self.WPA_HANDSHAKE_DIR[:-1]

        self.WPA_FINDINGS = []  # List of strings containing info on successful WPA attacks
        self.WPA_DONT_CRACK = False  # Flag to skip cracking of handshakes
        self.WPA_DICTIONARY = '/pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt'
        if not os.path.exists(self.WPA_DICTIONARY): self.WPA_DICTIONARY = ''

        # Various programs to use when checking for a four-way handshake.
        # True means the program must find a valid handshake in order for wifite to recognize a handshake.
        # Not finding handshake short circuits result (ALL 'True' programs must find handshake)
        self.WPA_HANDSHAKE_TSHARK = True  # Checks for sequential 1,2,3 EAPOL msg packets (ignores 4th)
        self.WPA_HANDSHAKE_PYRIT = False  # Sometimes crashes on incomplete dumps, but accurate.
        self.WPA_HANDSHAKE_AIRCRACK = True  # Not 100% accurate, but fast.
        self.WPA_HANDSHAKE_COWPATTY = False  # Uses more lenient "nonstrict mode" (-2)

        # WEP variables
        self.WEP_DISABLE = False  # Flag for ignoring WEP networks
        self.WEP_PPS = 600  # packets per second (Tx rate)
        self.WEP_TIMEOUT = 600  # Amount of time to give each attack
        self.WEP_ARP_REPLAY = True  # Various WEP-based attacks via aireplay-ng
        self.WEP_CHOPCHOP = True  #
        self.WEP_FRAGMENT = True  #
        self.WEP_CAFFELATTE = True  #
        self.WEP_P0841 = True
        self.WEP_HIRTE = True
        self.WEP_CRACK_AT_IVS = 10000  # Number of IVS at which we start cracking
        self.WEP_IGNORE_FAKEAUTH = True  # When True, continues attack despite fake authentication failure
        self.WEP_FINDINGS = []  # List of strings containing info on successful WEP attacks.
        self.WEP_SAVE = False  # Save packets.

        # WPS variables
        self.WPS_DISABLE = False  # Flag to skip WPS scan and attacks
        self.WPS_FINDINGS = []  # List of (successful) results of WPS attacks
        self.WPS_TIMEOUT = 660  # Time to wait (in seconds) for successful PIN attempt
        self.WPS_RATIO_THRESHOLD = 0.01  # Lowest percentage of tries/attempts allowed (where tries > 0)
        self.WPS_MAX_RETRIES = 0  # Number of times to re-try the same pin before giving up completely.

        # Program variables
        self.SHOW_ALREADY_CRACKED = False  # Says whether to show already cracked APs as options to crack
        self.WIRELESS_IFACE = ''  # User-defined interface
        self.MONITOR_IFACE = ''  # User-defined interface already in monitor mode
        self.TARGET_CHANNEL = 0  # User-defined channel to scan on
        self.TARGET_ESSID = ''  # User-defined ESSID of specific target to attack
        self.TARGET_BSSID = ''  # User-defined BSSID of specific target to attack
        self.IFACE_TO_TAKE_DOWN = ''  # Interface that wifite puts into monitor mode
        # It's our job to put it out of monitor mode after the attacks
        self.ORIGINAL_IFACE_MAC = ('', '')  # Original interface name[0] and MAC address[1] (before spoofing)
        self.DO_NOT_CHANGE_MAC = True  # Flag for disabling MAC anonymizer
        self.TARGETS_REMAINING = 0  # Number of access points remaining to attack
        self.WPA_CAPS_TO_CRACK = []  # list of .cap files to crack (full of CapFile objects)
        self.THIS_MAC = ''  # The interface's current MAC address.
        self.SHOW_MAC_IN_SCAN = False  # Display MACs of the SSIDs in the list of targets
        self.CRACKED_TARGETS = []  # List of targets we have already cracked
        self.ATTACK_ALL_TARGETS = False  # Flag for when we want to attack *everyone*
        self.ATTACK_MIN_POWER = 0  # Minimum power (dB) for access point to be considered a target
        self.VERBOSE_APS = True  # Print access points as they appear
        self.CRACKED_TARGETS = self.load_cracked()
        old_cracked = self.load_old_cracked()
        if len(old_cracked) > 0:
            # Merge the results
            for OC in old_cracked:
                new = True
                for NC in self.CRACKED_TARGETS:
                    if OC.bssid == NC.bssid:
                        new = False
                        break
                # If Target isn't in the other list
                # Add and save to disk
                if new:
                    self.save_cracked(OC)

    def ConfirmRunningAsRoot(self):
        if os.getuid() != 0:
            print R + ' [!]' + O + ' ERROR:' + G + ' wifite' + O + ' must be run as ' + R + 'root' + W
            print R + ' [!]' + O + ' login as root (' + W + 'su root' + O + ') or try ' + W + 'sudo ./wifite.py' + W
            exit(1)

    def ConfirmCorrectPlatform(self):
        if not os.uname()[0].startswith("Linux") and 'Darwin' not in os.uname()[0]:  # OSX support, 'cause why not?
            print O + ' [!]' + R + ' WARNING:' + G + ' wifite' + W + ' must be run on ' + O + 'linux' + W
            exit(1)

    def CreateTempFolder(self):
        from tempfile import mkdtemp
        self.temp = mkdtemp(prefix='wifite')
        if not self.temp.endswith(os.sep):
            self.temp += os.sep

    def save_cracked(self, target):
        """
        Saves cracked access point key and info to a file.
        """
        self.CRACKED_TARGETS.append(target)
        with open('cracked.csv', 'wb') as csvfile:
            targetwriter = csv.writer(csvfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL)
            for target in self.CRACKED_TARGETS:
                targetwriter.writerow([target.bssid, target.encryption, target.ssid, target.key, target.wps])

    def load_cracked(self):
        """
        Loads info about cracked access points into list, returns list.
        """
        result = []
        if not os.path.exists('cracked.csv'): return result
        with open('cracked.csv', 'rb') as csvfile:
            targetreader = csv.reader(csvfile, delimiter=',', quotechar='"')
            for row in targetreader:
                t = Target(row[0], 0, 0, 0, row[1], row[2])
                t.key = row[3]
                # The csv writer stores the boolean False as the string 'False';
                # restore the boolean so the later "victim.wps != False" check
                # (used to decide whether to print a WPS PIN) is not always true.
                t.wps = False if row[4] == 'False' else row[4]
                result.append(t)
        return result

    def load_old_cracked(self):
        """
        Loads info about cracked access points from the legacy NUL-separated
        cracked.txt format into list, returns list.
        """
        result = []
        if not os.path.exists('cracked.txt'):
            return result
        fin = open('cracked.txt', 'r')
        lines = fin.read().split('\n')
        fin.close()
        for line in lines:
            fields = line.split(chr(0))
            if len(fields) <= 3:
                continue
            tar = Target(fields[0], '', '', '', fields[3], fields[1])
            tar.key = fields[2]
            result.append(tar)
        return result

    def exit_gracefully(self, code=0):
        """
        We may exit the program at any time.
        We want to remove the temp folder and any files contained within it.
        Removes the temp files/folder and exits with error code "code".
        """
        # Remove temp files and folder
        if os.path.exists(self.temp):
            for f in os.listdir(self.temp):
                os.remove(self.temp + f)
            os.rmdir(self.temp)
        # Disable monitor mode if enabled by us
        self.RUN_ENGINE.disable_monitor_mode()
        # Change MAC address back if spoofed
        mac_change_back()
        print GR + " [+]" + W + " quitting"  # wifite will now exit"
        print ''
        # GTFO
        exit(code)

    def handle_args(self):
        """
        Handles command-line arguments, sets global variables.
        """
        set_encrypt = False
        set_hscheck = False
        set_wep = False
        capfile = ''  # Filename of .cap file to analyze for handshakes
        opt_parser = self.build_opt_parser()
        options = opt_parser.parse_args()
        try:
            if not set_encrypt and (options.wpa or options.wep or options.wps):
                self.WPS_DISABLE = True
                self.WPA_DISABLE = True
                self.WEP_DISABLE = True
                set_encrypt = True
            if options.recrack:
                self.SHOW_ALREADY_CRACKED = True
                print GR + ' [+]' + W + ' including already cracked networks in targets.'
            if options.wpa:
                if options.wps:
                    print GR + ' [+]' + W + ' targeting ' + G + 'WPA' + W + ' encrypted networks.'
                else:
                    print GR + ' [+]' + W + ' targeting ' + G + 'WPA' + W + ' encrypted networks (use ' + G + '-wps' + W + ' for WPS scan)'
                self.WPA_DISABLE = False
            if options.wep:
                print GR + ' [+]' + W + ' targeting ' + G + 'WEP' + W + ' encrypted networks'
                self.WEP_DISABLE = False
            if options.wps:
                print GR + ' [+]' + W + ' targeting ' + G + 'WPS-enabled' + W + ' networks.'
                self.WPS_DISABLE = False
            if options.channel:
                try:
                    self.TARGET_CHANNEL = int(options.channel)
                except ValueError:
                    print O + ' [!]' + R + ' invalid channel: ' + O + options.channel + W
                except IndexError:
                    print O + ' [!]' + R + ' no channel given!' + W
                else:
                    print GR + ' [+]' + W + ' channel set to %s' % (G + str(self.TARGET_CHANNEL) + W)
            if options.mac_anon:
                print GR + ' [+]' + W + ' mac address anonymizing ' + G + 'enabled' + W
                print O + ' note: only works if device is not already in monitor mode!' + W
                self.DO_NOT_CHANGE_MAC = False
            if options.interface:
                self.WIRELESS_IFACE = options.interface
                print GR + ' [+]' + W + ' set interface :%s' % (G + self.WIRELESS_IFACE + W)
            if options.monitor_interface:
                self.MONITOR_IFACE = options.monitor_interface
                print GR + ' [+]' + W + ' set interface already in monitor mode :%s' % (G + self.MONITOR_IFACE + W)
            if options.essid:
                try:
                    self.TARGET_ESSID = options.essid
                except ValueError:
                    print R + ' [!]' + O + ' no ESSID given!' + W
                else:
                    print GR + ' [+]' + W + ' targeting ESSID "%s"' % (G + self.TARGET_ESSID + W)
            if options.bssid:
                try:
                    self.TARGET_BSSID = options.bssid
                except ValueError:
                    print R + ' [!]' + O + ' no BSSID given!' + W
                else:
                    print GR + ' [+]' + W + ' targeting BSSID "%s"' % (G + self.TARGET_BSSID + W)
            if options.showb:
                self.SHOW_MAC_IN_SCAN = True
                print GR + ' [+]' + W + ' target MAC address viewing ' + G + 'enabled' + W
            if options.all:
                self.ATTACK_ALL_TARGETS = True
                print GR + ' [+]' + W + ' targeting ' + G + 'all access points' + W
            if options.power:
                try:
                    self.ATTACK_MIN_POWER = int(options.power)
                except ValueError:
                    print R + ' [!]' + O + ' invalid power level: %s' % (R + options.power + W)
                except IndexError:
                    print R + ' [!]' + O + ' no power level given!' + W
                else:
                    print GR + ' [+]' + W + ' minimum target power set to %s' % (G + str(self.ATTACK_MIN_POWER) + W)
            if options.tx:
                try:
                    self.TX_POWER = int(options.tx)
                except ValueError:
                    print R + ' [!]' + O + ' invalid TX power level: %s' % (R + options.tx + W)
                except IndexError:
                    print R + ' [!]' + O + ' no TX power level given!' + W
                else:
                    print GR + ' [+]' + W + ' TX power level set to %s' % (G + str(self.TX_POWER) + W)
            if options.quiet:
                self.VERBOSE_APS = False
                print GR + ' [+]' + W + ' list of APs during scan ' + O + 'disabled' + W
            if options.check:
                try:
                    capfile = options.check
                except IndexError:
                    print R + ' [!]' + O + ' unable to analyze capture file' + W
                    print R + ' [!]' + O + ' no cap file given!\n' + W
                    self.exit_gracefully(1)
                else:
                    if not os.path.exists(capfile):
                        print R + ' [!]' + O + ' unable to analyze capture file!' + W
                        print R + ' [!]' + O + ' file not found: ' + R + capfile + '\n' + W
                        self.exit_gracefully(1)
            if options.update:
                self.upgrade()
                exit(0)
            if options.cracked:
                if len(self.CRACKED_TARGETS) == 0:
                    print R + ' [!]' + O + ' There are no cracked access points saved to ' + R + 'cracked.csv\n' + W
                    self.exit_gracefully(1)
                print GR + ' [+]' + W + ' ' + W + 'previously cracked access points' + W + ':'
                for victim in self.CRACKED_TARGETS:
                    if victim.wps != False:
                        print '     %s (%s) : "%s" - Pin: %s' % (
                            C + victim.ssid + W, C + victim.bssid + W, G + victim.key + W, G + victim.wps + W)
                    else:
                        print '     %s (%s) : "%s"' % (C + victim.ssid + W, C + victim.bssid + W, G + victim.key + W)
                print ''
                self.exit_gracefully(0)
            # WPA
            if not set_hscheck and (options.tshark or options.cowpatty or options.aircrack or options.pyrit):
                self.WPA_HANDSHAKE_TSHARK = False
                self.WPA_HANDSHAKE_PYRIT = False
                self.WPA_HANDSHAKE_COWPATTY = False
                self.WPA_HANDSHAKE_AIRCRACK = False
                set_hscheck = True
            if options.strip:
                self.WPA_STRIP_HANDSHAKE = True
                print GR + ' [+]' + W + ' handshake stripping ' + G + 'enabled' + W
            if options.wpadt:
                try:
                    self.WPA_DEAUTH_TIMEOUT = int(options.wpadt)
                except ValueError:
                    print R + ' [!]' + O + ' invalid deauth timeout: %s' % (R + options.wpadt + W)
                except IndexError:
                    print R + ' [!]' + O + ' no deauth timeout given!' + W
                else:
                    print GR + ' [+]' + W + ' WPA deauth timeout set to %s' % (G + str(self.WPA_DEAUTH_TIMEOUT) + W)
            if options.wpat:
                try:
                    self.WPA_ATTACK_TIMEOUT = int(options.wpat)
                except ValueError:
                    print R + ' [!]' + O + ' invalid attack timeout: %s' % (R + options.wpat + W)
                except IndexError:
                    print R + ' [!]' + O + ' no attack timeout given!' + W
                else:
                    print GR + ' [+]' + W + ' WPA attack timeout set to %s' % (G + str(self.WPA_ATTACK_TIMEOUT) + W)
            if options.crack:
                self.WPA_DONT_CRACK = False
                print GR + ' [+]' + W + ' WPA cracking ' + G + 'enabled' + W
                if options.dic:
                    try:
                        self.WPA_DICTIONARY = options.dic
                    except IndexError:
                        print R + ' [!]' + O + ' no WPA dictionary given!'
                    else:
                        if os.path.exists(options.dic):
                            print GR + ' [+]' + W + ' WPA dictionary set to %s' % (G + self.WPA_DICTIONARY + W)
                        else:
                            print R + ' [!]' + O + ' WPA dictionary file not found: %s' % (options.dic)
                else:
                    print R + ' [!]' + O + ' WPA dictionary file not given!'
                    self.exit_gracefully(1)
            if options.tshark:
                self.WPA_HANDSHAKE_TSHARK = True
                print GR + ' [+]' + W + ' tshark handshake verification ' + G + 'enabled' + W
            if options.pyrit:
                self.WPA_HANDSHAKE_PYRIT = True
                print GR + ' [+]' + W + ' pyrit handshake verification ' + G + 'enabled' + W
            if options.aircrack:
                self.WPA_HANDSHAKE_AIRCRACK = True
                print GR + ' [+]' + W + ' aircrack handshake verification ' + G + 'enabled' + W
            if options.cowpatty:
                self.WPA_HANDSHAKE_COWPATTY = True
                print GR + ' [+]' + W + ' cowpatty handshake verification ' + G + 'enabled' + W
            # WEP
            # Parenthesised so "not set_wep" guards the whole alternation rather than only the first flag.
            if not set_wep and (options.chopchop or options.fragment or options.caffeelatte or options.arpreplay
                                or options.p0841 or options.hirte):
                self.WEP_CHOPCHOP = False
                self.WEP_ARP_REPLAY = False
                self.WEP_CAFFELATTE = False
                self.WEP_FRAGMENT = False
                self.WEP_P0841 = False
                self.WEP_HIRTE = False
                set_wep = True
            if options.chopchop:
                print GR + ' [+]' + W + ' WEP chop-chop attack ' + G + 'enabled' + W
                self.WEP_CHOPCHOP = True
            if options.fragment:
                print GR + ' [+]' + W + ' WEP fragmentation attack ' + G + 'enabled' + W
                self.WEP_FRAGMENT = True
            if options.caffeelatte:
                print GR + ' [+]' + W + ' WEP caffe-latte attack ' + G + 'enabled' + W
                self.WEP_CAFFELATTE = True
            if options.arpreplay:
                print GR + ' [+]' + W + ' WEP arp-replay attack ' + G + 'enabled' + W
                self.WEP_ARP_REPLAY = True
            if options.p0841:
                print GR + ' [+]' + W + ' WEP p0841 attack ' + G + 'enabled' + W
                self.WEP_P0841 = True
            if options.hirte:
                print GR + ' [+]' + W + ' WEP hirte attack ' + G + 'enabled' + W
                self.WEP_HIRTE = True
            if options.fakeauth:
                print GR + ' [+]' + W + ' ignoring failed fake-authentication ' + R + 'disabled' + W
                self.WEP_IGNORE_FAKEAUTH = False
            if options.wepca:
                try:
                    self.WEP_CRACK_AT_IVS = int(options.wepca)
                except ValueError:
                    print R + ' [!]' + O + ' invalid number: %s' % (R + options.wepca + W)
                except IndexError:
                    print R + ' [!]' + O + ' no IV number specified!' + W
                else:
                    print GR + ' [+]' + W + ' Starting WEP cracking when IV\'s surpass %s' % (
                        G + str(self.WEP_CRACK_AT_IVS) + W)
            if options.wept:
                try:
                    self.WEP_TIMEOUT = int(options.wept)
                except ValueError:
                    print R + ' [!]' + O + ' invalid timeout: %s' % (R + options.wept + W)
                except IndexError:
                    print R + ' [!]' + O + ' no timeout given!' + W
                else:
                    print GR + ' [+]' + W + ' WEP attack timeout set to %s' % (
                        G + str(self.WEP_TIMEOUT) + " seconds" + W)
            if options.pps:
                try:
                    self.WEP_PPS = int(options.pps)
                except ValueError:
                    print R + ' [!]' + O + ' invalid value: %s' % (R + options.pps + W)
                except IndexError:
                    print R + ' [!]' + O + ' no value given!' + W
                else:
                    print GR + ' [+]' + W + ' packets-per-second rate set to %s' % (
                        G + str(options.pps) + " packets/sec" + W)
            if options.wepsave:
                self.WEP_SAVE = True
                print GR + ' [+]' + W + ' WEP .cap file saving ' + G + 'enabled' + W
            # WPS
            if options.wpst:
                try:
                    self.WPS_TIMEOUT = int(options.wpst)
                except ValueError:
                    print R + ' [!]' + O + ' invalid timeout: %s' % (R + options.wpst + W)
                except IndexError:
                    print R + ' [!]' + O + ' no timeout given!' + W
                else:
                    print GR + ' [+]' + W + ' WPS attack timeout set to %s' % (
                        G + str(self.WPS_TIMEOUT) + " seconds" + W)
            if options.wpsratio:
                try:
                    self.WPS_RATIO_THRESHOLD = float(options.wpsratio)
                except ValueError:
                    print R + ' [!]' + O + ' invalid percentage: %s' % (R + options.wpsratio + W)
                except IndexError:
                    print R + ' [!]' + O + ' no ratio given!' + W
                else:
                    print GR + ' [+]' + W + ' minimum WPS tries/attempts threshold set to %s' % (
                        G + str(self.WPS_RATIO_THRESHOLD) + "" + W)
            if options.wpsretry:
                try:
                    self.WPS_MAX_RETRIES = int(options.wpsretry)
                except ValueError:
                    print R + ' [!]' + O + ' invalid number: %s' % (R + options.wpsretry + W)
                except IndexError:
                    print R + ' [!]' + O + ' no number given!' + W
                else:
                    print GR + ' [+]' + W + ' WPS maximum retries set to %s' % (
                        G + str(self.WPS_MAX_RETRIES) + " retries" + W)
        except IndexError:
            print '\nindexerror\n\n'

        if capfile != '':
            self.RUN_ENGINE.analyze_capfile(capfile)
            print ''

    def build_opt_parser(self):
        """ Options are doubled for backwards compatibility; will be removed soon and
            fully moved to GNU-style
        """
        option_parser = argparse.ArgumentParser()

        # set commands
        command_group = option_parser.add_argument_group('COMMAND')
        command_group.add_argument('--check', help='Check capfile [file] for handshakes.', action='store', dest='check')
        command_group.add_argument('-check', action='store', dest='check', help=argparse.SUPPRESS)
        command_group.add_argument('--cracked', help='Display previously cracked access points.', action='store_true',
                                   dest='cracked')
        command_group.add_argument('-cracked', help=argparse.SUPPRESS, action='store_true', dest='cracked')
        command_group.add_argument('--recrack', help='Include already cracked networks in targets.',
                                   action='store_true', dest='recrack')
        command_group.add_argument('-recrack', help=argparse.SUPPRESS, action='store_true', dest='recrack')

        # set global
        global_group = option_parser.add_argument_group('GLOBAL')
        global_group.add_argument('--all', help='Attack all targets.', default=False, action='store_true', dest='all')
        global_group.add_argument('-all', help=argparse.SUPPRESS, default=False, action='store_true', dest='all')
        global_group.add_argument('-i', help='Wireless interface for capturing.', action='store', dest='interface')
        global_group.add_argument('--mac', help='Anonymize MAC address.', action='store_true', default=False,
                                  dest='mac_anon')
        global_group.add_argument('-mac', help=argparse.SUPPRESS, action='store_true', default=False, dest='mac_anon')
        global_group.add_argument('--mon-iface', help='Interface already in monitor mode.', action='store',
                                  dest='monitor_interface')
        global_group.add_argument('-c', help='Channel to scan for targets.', action='store', dest='channel')
        global_group.add_argument('-e', help='Target a specific access point by ssid (name).', action='store',
                                  dest='essid')
        global_group.add_argument('-b', help='Target a specific access point by bssid (mac).', action='store',
                                  dest='bssid')
        global_group.add_argument('--showb', help='Display target BSSIDs after scan.', action='store_true',
                                  dest='showb')
        global_group.add_argument('-showb', help=argparse.SUPPRESS, action='store_true', dest='showb')
        global_group.add_argument('--power', help='Attacks any targets with signal strength > [pow].', action='store',
                                  dest='power')
        global_group.add_argument('-power', help=argparse.SUPPRESS, action='store', dest='power')
        global_group.add_argument('--tx', help='Set adapter TX power level.', action='store', dest='tx')
        global_group.add_argument('-tx', help=argparse.SUPPRESS, action='store', dest='tx')
        global_group.add_argument('--quiet', help='Do not print list of APs during scan.', action='store_true',
                                  dest='quiet')
        global_group.add_argument('-quiet', help=argparse.SUPPRESS, action='store_true', dest='quiet')
        global_group.add_argument('--update', help='Check and update Wifite.', default=False, action='store_true',
                                  dest='update')
        global_group.add_argument('-update', help=argparse.SUPPRESS, default=False, action='store_true', dest='update')

        # set wpa commands
        wpa_group = option_parser.add_argument_group('WPA')
        wpa_group.add_argument('--wpa', help='Only target WPA networks (works with --wps --wep).', default=False,
                               action='store_true', dest='wpa')
        wpa_group.add_argument('-wpa', help=argparse.SUPPRESS, default=False, action='store_true', dest='wpa')
        wpa_group.add_argument('--wpat', help='Time to wait for WPA attack to complete (seconds).', action='store',
                               dest='wpat')
        wpa_group.add_argument('-wpat', help=argparse.SUPPRESS, action='store', dest='wpat')
        wpa_group.add_argument('--wpadt', help='Time to wait between sending deauth packets (seconds).', action='store',
                               dest='wpadt')
        wpa_group.add_argument('-wpadt', help=argparse.SUPPRESS, action='store', dest='wpadt')
        wpa_group.add_argument('--strip', help='Strip handshake using tshark or pyrit.', default=False,
                               action='store_true', dest='strip')
        wpa_group.add_argument('-strip', help=argparse.SUPPRESS, default=False, action='store_true', dest='strip')
        wpa_group.add_argument('--crack', help='Crack WPA handshakes using [dic] wordlist file.', action='store_true',
                               dest='crack')
        wpa_group.add_argument('-crack', help=argparse.SUPPRESS, action='store_true', dest='crack')
        wpa_group.add_argument('--dict', help='Specify dictionary to use when cracking WPA.', action='store',
                               dest='dic')
        wpa_group.add_argument('-dict', help=argparse.SUPPRESS, action='store', dest='dic')
        wpa_group.add_argument('--aircrack', help='Verify handshake using aircrack.', default=False,
                               action='store_true', dest='aircrack')
        wpa_group.add_argument('-aircrack', help=argparse.SUPPRESS, default=False, action='store_true', dest='aircrack')
        wpa_group.add_argument('--pyrit', help='Verify handshake using pyrit.', default=False, action='store_true',
                               dest='pyrit')
        wpa_group.add_argument('-pyrit', help=argparse.SUPPRESS, default=False, action='store_true', dest='pyrit')
        wpa_group.add_argument('--tshark', help='Verify handshake using tshark.', default=False, action='store_true',
                               dest='tshark')
        wpa_group.add_argument('-tshark', help=argparse.SUPPRESS, default=False, action='store_true', dest='tshark')
        wpa_group.add_argument('--cowpatty', help='Verify handshake using cowpatty.', default=False,
                               action='store_true', dest='cowpatty')
        wpa_group.add_argument('-cowpatty', help=argparse.SUPPRESS, default=False, action='store_true', dest='cowpatty')

        # set WEP commands
        wep_group = option_parser.add_argument_group('WEP')
        wep_group.add_argument('--wep', help='Only target WEP networks.', default=False, action='store_true',
                               dest='wep')
        wep_group.add_argument('-wep', help=argparse.SUPPRESS, default=False, action='store_true', dest='wep')
        wep_group.add_argument('--pps', help='Set the number of packets per second to inject.', action='store',
                               dest='pps')
        wep_group.add_argument('-pps', help=argparse.SUPPRESS, action='store', dest='pps')
        wep_group.add_argument('--wept', help='Sec to wait for each attack, 0 implies endless.', action='store',
                               dest='wept')
        wep_group.add_argument('-wept', help=argparse.SUPPRESS, action='store', dest='wept')
        wep_group.add_argument('--chopchop', help='Use chopchop attack.', default=False, action='store_true',
                               dest='chopchop')
        wep_group.add_argument('-chopchop', help=argparse.SUPPRESS, default=False, action='store_true', dest='chopchop')
        wep_group.add_argument('--arpreplay', help='Use arpreplay attack.', default=False, action='store_true',
                               dest='arpreplay')
        wep_group.add_argument('-arpreplay', help=argparse.SUPPRESS, default=False, action='store_true',
                               dest='arpreplay')
        wep_group.add_argument('--fragment', help='Use fragmentation attack.', default=False, action='store_true',
                               dest='fragment')
        wep_group.add_argument('-fragment', help=argparse.SUPPRESS, default=False, action='store_true', dest='fragment')
        wep_group.add_argument('--caffelatte', help='Use caffe-latte attack.', default=False, action='store_true',
                               dest='caffeelatte')
        wep_group.add_argument('-caffelatte', help=argparse.SUPPRESS, default=False, action='store_true',
                               dest='caffeelatte')
        wep_group.add_argument('--p0841', help='Use p0841 attack.', default=False, action='store_true', dest='p0841')
        wep_group.add_argument('-p0841', help=argparse.SUPPRESS, default=False, action='store_true', dest='p0841')
        wep_group.add_argument('--hirte', help='Use hirte attack.', default=False, action='store_true', dest='hirte')
        wep_group.add_argument('-hirte', help=argparse.SUPPRESS, default=False, action='store_true', dest='hirte')
        wep_group.add_argument('--nofakeauth', help='Stop attack if fake authentication fails.', default=False,
                               action='store_true', dest='fakeauth')
        wep_group.add_argument('-nofakeauth', help=argparse.SUPPRESS, default=False, action='store_true',
                               dest='fakeauth')
        wep_group.add_argument('--wepca', help='Start cracking when number of IVs surpass [n].', action='store',
                               dest='wepca')
        wep_group.add_argument('-wepca', help=argparse.SUPPRESS, action='store', dest='wepca')
        wep_group.add_argument('--wepsave', help='Save a copy of .cap files to this directory.', default=None,
                               action='store', dest='wepsave')
        wep_group.add_argument('-wepsave', help=argparse.SUPPRESS, default=None, action='store', dest='wepsave')

        # set WPS commands
        wps_group = option_parser.add_argument_group('WPS')
        wps_group.add_argument('--wps', help='Only target WPS networks.', default=False, action='store_true',
                               dest='wps')
        wps_group.add_argument('-wps', help=argparse.SUPPRESS, default=False, action='store_true', dest='wps')
        wps_group.add_argument('--wpst', help='Max wait for new retry before giving up (0: never).', action='store',
                               dest='wpst')
        wps_group.add_argument('-wpst', help=argparse.SUPPRESS, action='store', dest='wpst')
        wps_group.add_argument('--wpsratio', help='Min ratio of successful PIN attempts/total retries.', action='store',
                               dest='wpsratio')
        wps_group.add_argument('-wpsratio', help=argparse.SUPPRESS, action='store', dest='wpsratio')
        wps_group.add_argument('--wpsretry', help='Max number of retries for same PIN before giving up.',
                               action='store', dest='wpsretry')
wps_group.add_argument('-wpsretry', help=argparse.SUPPRESS, action='store', dest='wpsretry')
return option_parser
    def upgrade(self):
        """
        Checks for new version, prompts to upgrade, then
        replaces this script with the latest from the repo
        """
        try:
            print GR + ' [!]' + W + ' upgrading requires an ' + G + 'internet connection' + W
            print GR + ' [+]' + W + ' checking for latest version...'
            revision = get_revision()
            if revision == -1:
                print R + ' [!]' + O + ' unable to access GitHub' + W
            elif revision > self.REVISION:
                print GR + ' [!]' + W + ' a new version is ' + G + 'available!' + W
                print GR + ' [-]' + W + ' revision: ' + G + str(revision) + W
                response = raw_input(GR + ' [+]' + W + ' do you want to upgrade to the latest version? (y/n): ')
                if not response.lower().startswith('y'):
                    print GR + ' [-]' + W + ' upgrading ' + O + 'aborted' + W
                    self.exit_gracefully(0)
                    return
                # Download script, replace with this one.
                # Note: the download is authenticated by TLS only; the new script is
                # not signature-checked before it overwrites this file.
                print GR + ' [+] ' + G + 'downloading' + W + ' update...'
                try:
                    sock = urllib.urlopen('https://github.com/derv82/wifite/raw/master/wifite.py')
                    page = sock.read()
                except IOError:
                    page = ''
                if page == '':
                    print R + ' [+] ' + O + 'unable to download latest version' + W
                    self.exit_gracefully(1)
                # Create/save the new script
                f = open('wifite_new.py', 'w')
                f.write(page)
                f.close()
                # The filename of the running script
                this_file = __file__
                if this_file.startswith('./'):
                    this_file = this_file[2:]
                # create/save a shell script that replaces this script with the new one
                f = open('update_wifite.sh', 'w')
                f.write('''#!/bin/sh\n
rm -rf ''' + this_file + '''\n
mv wifite_new.py ''' + this_file + '''\n
rm -rf update_wifite.sh\n
chmod +x ''' + this_file + '''\n
''')
                f.close()
                # Change permissions on the script
                returncode = call(['chmod', '+x', 'update_wifite.sh'])
                if returncode != 0:
                    print R + ' [!]' + O + ' permission change returned unexpected code: ' + str(returncode) + W
                    self.exit_gracefully(1)
                # Run the script
                returncode = call(['sh', 'update_wifite.sh'])
                if returncode != 0:
                    print R + ' [!]' + O + ' upgrade script returned unexpected code: ' + str(returncode) + W
                    self.exit_gracefully(1)
                print GR + ' [+] ' + G + 'updated!' + W + ' type "./' + this_file + '" to run again'
            else:
                print GR + ' [-]' + W + ' your copy of wifite is ' + G + 'up to date' + W
        except KeyboardInterrupt:
            print R + '\n (^C)' + O + ' wifite upgrade interrupted' + W
            self.exit_gracefully(0)
class RunEngine:
    def __init__(self, run_config):
        self.RUN_CONFIG = run_config
        self.RUN_CONFIG.RUN_ENGINE = self

    def initial_check(self):
        """
        Ensures required programs are installed.
        """
        airs = ['aircrack-ng', 'airodump-ng', 'aireplay-ng', 'airmon-ng', 'packetforge-ng']
        for air in airs:
            if program_exists(air): continue
            print R + ' [!]' + O + ' required program not found: %s' % (R + air + W)
            print R + ' [!]' + O + ' this program is bundled with the aircrack-ng suite:' + W
            print R + ' [!]' + O + '        ' + C + 'http://www.aircrack-ng.org/' + W
            print R + ' [!]' + O + ' or: ' + W + 'sudo apt-get install aircrack-ng\n' + W
            self.RUN_CONFIG.exit_gracefully(1)
        if not program_exists('iw'):
            print R + ' [!]' + O + ' airmon-ng requires the program %s\n' % (R + 'iw' + W)
            self.RUN_CONFIG.exit_gracefully(1)
        printed = False
        # Check reaver
        if not program_exists('reaver'):
            printed = True
            print R + ' [!]' + O + ' the program ' + R + 'reaver' + O + ' is required for WPS attacks' + W
            print R + '    ' + O + '   available at ' + C + 'http://code.google.com/p/reaver-wps' + W
            self.RUN_CONFIG.WPS_DISABLE = True
        elif not program_exists('walsh') and not program_exists('wash'):
            printed = True
            print R + ' [!]' + O + ' reaver\'s scanning tool ' + R + 'walsh' + O + ' (or ' + R + 'wash' + O + ') was not found' + W
            print R + ' [!]' + O + ' please re-install reaver or install walsh/wash separately' + W
        # Check handshake-checking apps
        recs = ['tshark', 'pyrit', 'cowpatty']
        for rec in recs:
            if program_exists(rec): continue
            printed = True
            print R + ' [!]' + O + ' the program %s is not required, but is recommended%s' % (R + rec + O, W)
        if printed: print ''
    def enable_monitor_mode(self, iface):
        """
        First attempts to anonymize the MAC if requested; MACs cannot
        be anonymized if they're already in monitor mode.
        Uses airmon-ng to put a device into Monitor Mode.
        Then uses the get_iface() method to retrieve the new interface's name.
        Sets global variable IFACE_TO_TAKE_DOWN as well.
        Returns the name of the interface in monitor mode.
        """
        mac_anonymize(iface)
        print GR + ' [+]' + W + ' enabling monitor mode on %s...' % (G + iface + W),
        stdout.flush()
        call(['airmon-ng', 'start', iface], stdout=DN, stderr=DN)
        print 'done'
        self.RUN_CONFIG.WIRELESS_IFACE = ''  # remove this reference as we've started its monitoring counterpart
        self.RUN_CONFIG.IFACE_TO_TAKE_DOWN = self.get_iface()
        if self.RUN_CONFIG.TX_POWER > 0:
            print GR + ' [+]' + W + ' setting Tx power to %s%s%s...' % (G, self.RUN_CONFIG.TX_POWER, W),
            # Switch to a permissive regulatory domain so the driver accepts the requested power level.
            call(['iw', 'reg', 'set', 'BO'], stdout=OUTLOG, stderr=ERRLOG)
            # call() requires string arguments; TX_POWER may have been parsed as an int.
            call(['iwconfig', iface, 'txpower', str(self.RUN_CONFIG.TX_POWER)], stdout=OUTLOG, stderr=ERRLOG)
            print 'done'
        return self.RUN_CONFIG.IFACE_TO_TAKE_DOWN

    def disable_monitor_mode(self):
        """
        The program may have enabled monitor mode on a wireless interface.
        We want to disable this before we exit, so we will do that.
        """
        if self.RUN_CONFIG.IFACE_TO_TAKE_DOWN == '': return
        print GR + ' [+]' + W + ' disabling monitor mode on %s...' % (G + self.RUN_CONFIG.IFACE_TO_TAKE_DOWN + W),
        stdout.flush()
        call(['airmon-ng', 'stop', self.RUN_CONFIG.IFACE_TO_TAKE_DOWN], stdout=DN, stderr=DN)
        print 'done'
    def rtl8187_fix(self, iface):
        """
        Attempts to solve "Unknown error 132" common with RTL8187 devices.
        Puts down interface, unloads/reloads driver module, then puts iface back up.
        Returns True if fix was attempted, False otherwise.
        """
        # Check if current interface is using the RTL8187 chipset
        proc_airmon = Popen(['airmon-ng'], stdout=PIPE, stderr=DN)
        proc_airmon.wait()
        using_rtl8187 = False
        # Walk airmon-ng's output one line at a time (split('\n'); a bare split()
        # would break every line into words). str.find() returns -1 on a miss and
        # 0 on a hit at column 0, so both lookups must be compared with -1 explicitly.
        for line in proc_airmon.communicate()[0].split('\n'):
            line = line.upper()
            if line.strip() == '' or line.startswith('INTERFACE'): continue
            if line.find(iface.upper()) != -1 and line.find('RTL8187') != -1: using_rtl8187 = True
        if not using_rtl8187:
            # Display error message and exit
            print R + ' [!]' + O + ' unable to generate airodump-ng CSV file' + W
            print R + ' [!]' + O + ' you may want to disconnect/reconnect your wifi device' + W
            self.RUN_CONFIG.exit_gracefully(1)
        print O + " [!]" + W + " attempting " + O + "RTL8187 'Unknown Error 132'" + W + " fix..."
        original_iface = iface
        # Take device out of monitor mode
        airmon = Popen(['airmon-ng', 'stop', iface], stdout=PIPE, stderr=DN)
        airmon.wait()
        for line in airmon.communicate()[0].split('\n'):
            if line.strip() == '' or \
                    line.startswith("Interface") or \
                    line.find('(removed)') != -1:
                continue
            original_iface = line.split()[0]  # line[:line.find('\t')]
        # Remove driver modules, block/unblock ifaces, probe new modules.
        print_and_exec(['ifconfig', original_iface, 'down'])
        print_and_exec(['rmmod', 'rtl8187'])
        print_and_exec(['rfkill', 'block', 'all'])
        print_and_exec(['rfkill', 'unblock', 'all'])
        print_and_exec(['modprobe', 'rtl8187'])
        print_and_exec(['ifconfig', original_iface, 'up'])
        print_and_exec(['airmon-ng', 'start', original_iface])
        print '\r                                                        \r',
        print O + ' [!] ' + W + 'restarting scan...\n'
        return True
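Added example (not wifite's own code, Python 3): standalone parsers for the two tool outputs RunEngine depends on, the airmon-ng chipset lookup in rtl8187_fix() above, written without the str.find() truthiness pitfall, and the iwconfig monitor-mode enumeration that get_iface() below performs. It goes one step beyond get_iface() by recognising `Mode:Monitor` on the continuation line of an interface block, which is where iwconfig normally prints it; the sample outputs are constructed.

```python
# Constructed `iwconfig` output: a managed and a monitor-mode interface.
IWCONFIG_SAMPLE = """\
lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:"HomeNet"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55

mon0      IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
"""
# Constructed `airmon-ng` (no arguments) output: header plus two adapters.
AIRMON_SAMPLE = """\
Interface\tChipset\t\tDriver

wlan0\t\tRealtek RTL8187L\trtl8187 - [phy0]
wlan1\t\tAtheros AR9271\tath9k_htc - [phy1]
"""

def classify_wireless_ifaces(iwconfig_output):
    """Return (monitors, adapters): a block starts at a line whose first
    character is not a space; 'Mode:Monitor' on any line of the block
    (not only the first, as in get_iface) marks it as monitor mode."""
    monitors, adapters = [], []
    iface = None
    for line in iwconfig_output.splitlines():
        if not line:
            continue
        if line[0] != ' ':                      # start of a new block
            if 'no wireless extensions' in line:
                iface = None                    # e.g. 'lo': not a radio
                continue
            iface = line.split()[0]
            adapters.append(iface)
        if iface and 'Mode:Monitor' in line and iface not in monitors:
            adapters.remove(iface)
            monitors.append(iface)
    return monitors, adapters

def iface_uses_chipset(airmon_output, iface, chipset='RTL8187'):
    """True if airmon-ng lists `iface` on a row naming `chipset`.
    str.find() gives 0 for a hit at column 0 and -1 for a miss, so a bare
    `if line.find(iface):` inverts the test; compare the first column."""
    for line in airmon_output.splitlines():
        cols = line.split()
        if not cols or cols[0].lower() == 'interface':   # blank / header
            continue
        if cols[0] == iface and chipset.upper() in line.upper():
            return True
    return False
```

On a live host, feed these functions the captured stdout of `iwconfig` and `airmon-ng` instead of the constructed samples.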
    def get_iface(self):
        """
        Get the wireless interface in monitor mode.
        Defaults to only device in monitor mode if found.
        Otherwise, enumerates list of possible wifi devices
        and asks user to select one to put into monitor mode (if multiple).
        Uses airmon-ng to put device in monitor mode if needed.
        Returns the name (string) of the interface chosen in monitor mode.
        """
        if not self.RUN_CONFIG.PRINTED_SCANNING:
            print GR + ' [+]' + W + ' scanning for wireless devices...'
            self.RUN_CONFIG.PRINTED_SCANNING = True
        proc = Popen(['iwconfig'], stdout=PIPE, stderr=DN)
        iface = ''
        monitors = []
        adapters = []
        for line in proc.communicate()[0].split('\n'):
            if len(line) == 0: continue
            if ord(line[0]) != 32:  # Doesn't start with space
                iface = line[:line.find(' ')]  # is the interface
            if line.find('Mode:Monitor') != -1:
                monitors.append(iface)
            else:
                adapters.append(iface)
        if self.RUN_CONFIG.WIRELESS_IFACE != '':
            if monitors.count(self.RUN_CONFIG.WIRELESS_IFACE):
                return self.RUN_CONFIG.WIRELESS_IFACE
            else:
                if self.RUN_CONFIG.WIRELESS_IFACE in adapters:
                    # valid adapter, enable monitor mode
                    print R + ' [!]' + O + ' could not find wireless interface %s in monitor mode' % (
                        '"' + R + self.RUN_CONFIG.WIRELESS_IFACE + O + '"')
                    return self.enable_monitor_mode(self.RUN_CONFIG.WIRELESS_IFACE)
                else:
                    # couldn't find the requested adapter
                    print R + ' [!]' + O + ' could not find wireless interface %s' % (
                        '"' + R + self.RUN_CONFIG.WIRELESS_IFACE + O + '"' + W)
                    self.RUN_CONFIG.exit_gracefully(0)
        if len(monitors) == 1:
            return monitors[0]  # Default to only device in monitor mode
        elif len(monitors) > 1:
            print GR + " [+]" + W + " interfaces in " + G + "monitor mode:" + W
            for i, monitor in enumerate(monitors):
                print "  %s. %s" % (G + str(i + 1) + W, G + monitor + W)
            ri = raw_input("%s [+]%s select %snumber%s of interface to use for capturing (%s1-%d%s): %s" % \
                           (GR, W, G, W, G, len(monitors), W, G))
            while not ri.isdigit() or int(ri) < 1 or int(ri) > len(monitors):
                ri = raw_input("%s [+]%s select number of interface to use for capturing (%s1-%d%s): %s" % \
                               (GR, W, G, len(monitors), W, G))
            i = int(ri)
            return monitors[i - 1]
        proc = Popen(['airmon-ng'], stdout=PIPE, stderr=DN)
        for line in proc.communicate()[0].split('\n'):