FlyFar

ESP8266 Beacon Spam - About: Creates up to a thousand Wi-Fi access points with custom SSIDs

Jul 24th, 2023
  1. /*
  2.   ===========================================
  3.        Copyright (c) 2018 Stefan Kremser
  4.               github.com/spacehuhn
  5.   ===========================================
  6. */
  7.  
// ===== Settings ===== //

// Wi-Fi channels that nextChannel() cycles through. nextChannel() ignores
// any entry outside 1-14.
const uint8_t channels[] = {1, 6, 11};

// true:  setup() keeps the RSN element and capability byte 0x31, so the
//        advertised networks appear as WPA2-protected.
// false: setup() uses capability byte 0x21 and cuts the RSN element off the
//        end of the frame, so the networks appear open.
const bool wpa2 = false;

// true:  every SSID is sent padded with spaces to the full 32 bytes, which
//        lets loop() reuse the template frame without reallocating.
// false: loop() builds a shortened frame per SSID.
const bool appendSpaces = true;
  12.  
/*
  SSID list, stored in flash (PROGMEM) as one string.

  Rules the parser in loop() relies on:
  - each SSID ends with '\n', including the last one
  - at most 32 bytes per SSID; the limit is counted in bytes, so characters
    outside ASCII (such as the typographic apostrophe and the ellipsis used
    below) count for more than one byte in a UTF-8 source file
  - no duplicates: entries must differ by at least one character
*/
const char ssids[] PROGMEM =
  "Mom Use This One\n"
  "Abraham Linksys\n"
  "Benjamin FrankLAN\n"
  "Martin Router King\n"
  "John Wilkes Bluetooth\n"
  "Pretty Fly for a Wi-Fi\n"
  "Bill Wi the Science Fi\n"
  "I Believe Wi Can Fi\n"
  "Tell My Wi-Fi Love Her\n"
  "No More Mister Wi-Fi\n"
  "LAN Solo\n"
  "The LAN Before Time\n"
  "Silence of the LANs\n"
  "House LANister\n"
  "Winternet Is Coming\n"
  "Ping’s Landing\n"
  "The Ping in the North\n"
  "This LAN Is My LAN\n"
  "Get Off My LANd\n"
  "The Promised LAN\n"
  "The LAN Down Under\n"
  "FBI Surveillance Van 4\n"
  "Area 51 Test Site\n"
  "Drive-By Wi-Fi\n"
  "Planet Express\n"
  "Wu-Tang LAN\n"
  "Darude LANstorm\n"
  "Never Gonna Give You Up\n"
  "Hide Yo Kids, Hide Yo Wi-Fi\n"
  "Loading…\n"
  "Searching…\n"
  "Rick Astley\n"
  "McDonald Wi-Fi\n"
  "Starbucks Wi-Fi\n"
  "Text dic-kkk for Password\n"
  "Yell **** for Password\n"
  "The Password Is urmum\n"
  "Free Public Wi-Fi\n"
  "No Free Wi-Fi Here\n"
  "Get Your Own Damn Wi-Fi\n"
  "It Hurts When IP\n"
  "Dora the Internet Explorer\n"
  "404 Wi-Fi Unavailable\n"
  "Porque-Fi\n"
  "Titanic Syncing\n"
  "Test Wi-Fi Please Ignore\n"
  "Drop It Like It’s Hotspot\n"
  "Life in the Fast LAN\n"
  "The Creep Next Door\n"
  "Ye Olde Internet\n";
  71. // ==================== //
  72.  
  73. // ===== Includes ===== //
  74. #include <ESP8266WiFi.h>
  75.  
  76. extern "C" {
  77. #include "user_interface.h"
  78.   typedef void (*freedom_outside_cb_t)(uint8 status);
  79.   int wifi_register_send_pkt_freedom_cb(freedom_outside_cb_t cb);
  80.   void wifi_unregister_send_pkt_freedom_cb(void);
  81.   int wifi_send_pkt_freedom(uint8 *buf, int len, bool sys_seq);
  82. }
  83. // ==================== //
  84.  
// ----- run-time state (shared by setup(), loop() and the helpers) -----

// buffers
char emptySSID[32];            // filled with 32 spaces in setup(); blanks the SSID field
uint8_t macAddr[6];            // randomised once in setup(); loop() overwrites octet 5 per SSID

// channel hopping
uint8_t channelIndex = 0;      // next position to read from channels[]
uint8_t wifi_channel = 1;      // channel last selected by nextChannel()

// frame size and statistics
uint32_t packetSize = 0;       // number of beaconPacket bytes to send, set in setup()
uint32_t packetCounter = 0;    // successful sends since the last rate report

// timing, all in millis() units
uint32_t currentTime = 0;      // snapshot taken at the top of loop()
uint32_t attackTime = 0;       // start of the most recent beacon burst
uint32_t packetRateTime = 0;   // time of the most recent rate report
  95.  
// Template 802.11 beacon frame (109 bytes).
// loop() patches bytes 10-21 (addresses), 38-69 (SSID) and 82 (channel)
// before each send; setup() patches byte 34 and, when wpa2 is false, stops
// the frame at byte 82 by shrinking packetSize by 26.
uint8_t beaconPacket[109] = {
  // ---- MAC header ----
  /*   0 -   3 */ 0x80, 0x00, 0x00, 0x00,             // Type/Subtype: management, beacon
  /*   4 -   9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: broadcast
  /*  10 -  15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source (overwritten with macAddr)
  /*  16 -  21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // BSSID (overwritten with the same macAddr)
  /*  22 -  23 */ 0x00, 0x00,                         // Fragment & sequence number (filled in by the SDK)

  // ---- Fixed parameters ----
  /*  24 -  31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp (static value)
  /*  32 -  33 */ 0xe8, 0x03,                         // Beacon interval: 0xe8, 0x03 => about 1 s (0x64, 0x00 would be 100 ms)
  /*  34 -  35 */ 0x31, 0x00,                         // Capabilities information (byte 34 is set in setup())

  // ---- Tagged parameters ----

  // SSID element
  /*  36 -  37 */ 0x00, 0x20,                         // Tag: SSID, length: 32
  /*  38 -  69 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, // SSID, 32 spaces as placeholder

  // Supported rates element
  /*  70 -  71 */ 0x01, 0x08,                         // Tag: Supported Rates, length: 8
  /*  72       */ 0x82,                               // 1(B)
  /*  73       */ 0x84,                               // 2(B)
  /*  74       */ 0x8b,                               // 5.5(B)
  /*  75       */ 0x96,                               // 11(B)
  /*  76       */ 0x24,                               // 18
  /*  77       */ 0x30,                               // 24
  /*  78       */ 0x48,                               // 36
  /*  79       */ 0x6c,                               // 54

  // DS parameter set (current channel)
  /*  80 -  81 */ 0x03, 0x01,                         // Tag: channel, length: 1
  /*  82       */ 0x01,                               // Current channel (set in loop())

  // RSN information element; only transmitted when wpa2 is true
  /*  83 -  84 */ 0x30, 0x18,                         // Tag: RSN, length: 24
  /*  85 -  86 */ 0x01, 0x00,                         // RSN version 1
  /*  87 -  90 */ 0x00, 0x0f, 0xac, 0x02,             // Group cipher suite, type 0x02 (TKIP)
  /*  91 -  92 */ 0x02, 0x00,                         // Pairwise cipher suite count: 2
  /*  93 - 100 */ 0x00, 0x0f, 0xac, 0x04,
                  0x00, 0x0f, 0xac, 0x04,             // Pairwise suites, both type 0x04 (CCMP); changed from 0x02 (TKIP)
                                                      // because WPA2 with TKIP is not supported by many devices
  /* 101 - 102 */ 0x01, 0x00,                         // AKM suite count: 1
  /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02,             // AKM suite, type 0x02 (PSK)
  /* 107 - 108 */ 0x00, 0x00                          // RSN capabilities
};
  147.  
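// Step through channels[] one entry per call and retune the radio when the
// entry differs from the current channel.
//
// Does nothing when only one channel is configured. An entry outside 1-14 is
// skipped: the index still advances, but the radio stays where it is.
void nextChannel() {
  if (sizeof(channels) <= 1) return;

  uint8_t ch = channels[channelIndex];

  // Wrap as soon as the index reaches the element count. The previous test
  // used '>', which let channelIndex equal sizeof(channels) for one call and
  // read one byte past the end of the array.
  channelIndex++;
  if (channelIndex >= sizeof(channels)) channelIndex = 0;

  if (ch != wifi_channel && ch >= 1 && ch <= 14) {
    wifi_channel = ch;
    wifi_set_channel(wifi_channel);
  }
}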
  161.  
// Fill all six bytes of macAddr with values from random(256).
//
// NOTE(review): no octet is masked, so the group (multicast) and
// locally-administered bits of the first octet are left to chance. loop()
// later overwrites the last octet with a per-SSID counter.
void randomMac() {
  uint8_t *octet = macAddr;
  const uint8_t *const end = macAddr + 6;

  while (octet != end) {
    *octet = random(256);
    ++octet;
  }
}
  168.  
// One-time initialisation: prepares the blank SSID buffer and the beacon
// template, picks a random MAC, opens the serial port at 115200 baud, puts
// the radio on channels[0] and prints the configured SSID list.
void setup() {
  // 32 spaces, used by loop() to blank the SSID field between sends
  for (size_t pos = 0; pos < sizeof(emptySSID); pos++) {
    emptySSID[pos] = ' ';
  }

  // seed the pseudo-random generator before randomMac() draws from it
  randomSeed(os_random());

  // Capability byte and frame length depend on the wpa2 setting: without
  // WPA2 the last 26 bytes of the template (the RSN element) are not sent.
  beaconPacket[34] = wpa2 ? 0x31 : 0x21;
  packetSize = sizeof(beaconPacket);
  if (!wpa2) {
    packetSize -= 26;
  }

  randomMac();

  Serial.begin(115200);
  Serial.println();

  currentTime = millis();

  // Arduino Wi-Fi layer off, SDK in station mode, radio on the first channel
  WiFi.mode(WIFI_OFF);
  wifi_set_opmode(STATION_MODE);
  wifi_set_channel(channels[0]);

  // Dump the SSID table byte by byte from flash. sizeof(ssids) includes the
  // string terminator, so a trailing NUL byte is written as well.
  Serial.println("SSIDs:");
  const int total = sizeof(ssids);
  for (int offset = 0; offset < total; offset++) {
    Serial.print((char)pgm_read_byte(ssids + offset));
  }

  Serial.println();
  Serial.println("Started \\o/");
  Serial.println();
}
  216.  
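// Main loop. Roughly every 100 ms it moves to the next channel and sends one
// beacon (three copies each) for every entry of ssids; once per second it
// prints the number of successful sends to the serial port.
//
// Properties of the transmitted frames that follow from this code:
// - all SSIDs share the first five octets of macAddr; only the last octet
//   changes, as a counter starting at 1 (it is stored in a uint8_t, so it
//   wraps after 255 entries)
// - the frames repeat about every 100 ms, while the template advertises a
//   beacon interval of about 1 s
// - the timestamp field is never updated
void loop() {
  currentTime = millis();

  // send out SSIDs
  if (currentTime - attackTime > 100) {
    attackTime = currentTime;

    int i = 0;                        // byte offset of the current SSID in ssids
    int j = 0;                        // bytes consumed for the current SSID, '\n' included
    int ssidNum = 1;                  // per-SSID counter written into the last MAC octet
    char tmp;
    int ssidsLen = strlen_P(ssids);

    // Go to next channel
    nextChannel();

    while (i < ssidsLen) {
      // Scan to the end of the current SSID: stop at '\n', after 33 bytes,
      // or at the end of the table.
      j = 0;
      do {
        tmp = pgm_read_byte(ssids + i + j);
        j++;
      } while (tmp != '\n' && j <= 32 && i + j < ssidsLen);

      // j counts the terminator too, so the SSID itself is one byte shorter
      uint8_t ssidLen = j - 1;

      // set MAC address
      macAddr[5] = ssidNum;
      ssidNum++;

      // write MAC address into beacon frame (source and BSSID)
      memcpy(&beaconPacket[10], macAddr, 6);
      memcpy(&beaconPacket[16], macAddr, 6);

      // reset SSID field to 32 spaces
      memcpy(&beaconPacket[38], emptySSID, 32);

      // write new SSID into beacon frame
      memcpy_P(&beaconPacket[38], &ssids[i], ssidLen);

      // set channel for beacon frame
      beaconPacket[82] = wifi_channel;

      if (appendSpaces) {
        // send the space-padded template as is
        for (int k = 0; k < 3; k++) {
          packetCounter += wifi_send_pkt_freedom(beaconPacket, packetSize, 0) == 0;
          delay(1);
        }
      } else {
        // Build a shortened copy: header + SSID of ssidLen bytes, followed
        // directly by everything from byte 70 of the template onwards.
        uint16_t tmpPacketSize = (packetSize - 32) + ssidLen; // calc size
        // NOTE(review): the result of new[] is not checked before use.
        uint8_t* tmpPacket = new uint8_t[tmpPacketSize];      // create packet buffer
        memcpy(&tmpPacket[0], &beaconPacket[0], 38 + ssidLen); // copy first half of packet into buffer
        tmpPacket[37] = ssidLen;                               // update SSID length byte
        memcpy(&tmpPacket[38 + ssidLen], &beaconPacket[70], wpa2 ? 39 : 13); // copy second half of packet into buffer

        // send packet
        for (int k = 0; k < 3; k++) {
          packetCounter += wifi_send_pkt_freedom(tmpPacket, tmpPacketSize, 0) == 0;
          delay(1);
        }

        // The buffer came from new[], so it must be released with delete[];
        // plain delete on an array allocation is undefined behaviour.
        delete[] tmpPacket;
      }

      i += j;
    }
  }

  // show packet-rate each second
  if (currentTime - packetRateTime > 1000) {
    packetRateTime = currentTime;
    Serial.print("Packets/s: ");
    Serial.println(packetCounter);
    packetCounter = 0;
  }
}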