Just Call Me Koko 4 лет назад
Сommit
678179a097

+ 1 - 1
esp32_marauder/Display.h

@@ -64,7 +64,7 @@
 //#define MENU_FONT &FreeMonoBold9pt7b
 //#define MENU_FONT &FreeSans9pt7b
 //#define MENU_FONT &FreeSansBold9pt7b
-#define BUTTON_ARRAY_LEN 8
+#define BUTTON_ARRAY_LEN 9
 #define STATUS_BAR_WIDTH 16
 #define LVGL_TICK_PERIOD 6
 

+ 16 - 0
esp32_marauder/MenuFunctions.cpp

@@ -612,6 +612,7 @@ void MenuFunctions::main(uint32_t currentTime)
     // Stop the current scan
     if ((wifi_scan_obj.currentScanMode == WIFI_SCAN_PROBE) ||
         (wifi_scan_obj.currentScanMode == WIFI_SCAN_AP) ||
+        (wifi_scan_obj.currentScanMode == WIFI_SCAN_TARGET_AP) ||
         (wifi_scan_obj.currentScanMode == WIFI_SCAN_PWN) ||
         (wifi_scan_obj.currentScanMode == WIFI_SCAN_ESPRESSIF) ||
         (wifi_scan_obj.currentScanMode == WIFI_SCAN_ALL) ||
@@ -983,6 +984,7 @@ void MenuFunctions::RunSetup()
   shutdownBLEMenu.list = new LinkedList<MenuNode>();
   generateSSIDsMenu.list = new LinkedList<MenuNode>();
   clearSSIDsMenu.list = new LinkedList<MenuNode>();
+  clearAPsMenu.list = new LinkedList<MenuNode>();
 
   // Work menu names
   mainMenu.name = " ESP32 Marauder ";
@@ -1006,6 +1008,7 @@ void MenuFunctions::RunSetup()
   shutdownBLEMenu.name = " Shutdown BLE ";
   generateSSIDsMenu.name = " Generate SSIDs ";
   clearSSIDsMenu.name = " Clear SSIDs ";
+  clearAPsMenu.name = " Clear APs ";
   
 
   // Build Main Menu
@@ -1083,6 +1086,11 @@ void MenuFunctions::RunSetup()
     this->drawStatusBar();
     wifi_scan_obj.StartScan(WIFI_SCAN_ESPRESSIF, TFT_ORANGE);
   });
+  addNodes(&wifiSnifferMenu, "Scan APs", TFT_MAGENTA, NULL, BEACON_SNIFF, [this]() {
+    display_obj.clearScreen();
+    this->drawStatusBar();
+    wifi_scan_obj.StartScan(WIFI_SCAN_TARGET_AP, TFT_MAGENTA);
+  });
 
   // Build WiFi attack menu
   wifiAttackMenu.parentMenu = &wifiMenu; // Main Menu is second menu parent
@@ -1134,6 +1142,10 @@ void MenuFunctions::RunSetup()
     changeMenu(&clearSSIDsMenu);
     wifi_scan_obj.RunClearSSIDs();
   });
+  addNodes(&wifiGeneralMenu, "Clear APs", TFT_DARKGREY, NULL, CLEAR_ICO, [this]() {
+    changeMenu(&clearAPsMenu);
+    wifi_scan_obj.RunClearAPs();
+  });
 
   // Build shutdown wifi menu
   shutdownWiFiMenu.parentMenu = &wifiGeneralMenu;
@@ -1152,6 +1164,10 @@ void MenuFunctions::RunSetup()
   addNodes(&clearSSIDsMenu, "Back", TFT_LIGHTGREY, NULL, 0, [this]() {
     changeMenu(clearSSIDsMenu.parentMenu);
   });
+  clearAPsMenu.parentMenu = &wifiGeneralMenu;
+  addNodes(&clearAPsMenu, "Back", TFT_LIGHTGREY, NULL, 0, [this]() {
+    changeMenu(clearAPsMenu.parentMenu);
+  });
 
 
   // Build Bluetooth Menu

+ 1 - 0
esp32_marauder/MenuFunctions.h

@@ -158,6 +158,7 @@ class MenuFunctions
     Menu shutdownBLEMenu;
     Menu generateSSIDsMenu;
     Menu clearSSIDsMenu;
+    Menu clearAPsMenu;
 
     static void lv_tick_handler();
 

+ 164 - 0
esp32_marauder/WiFiScan.cpp

@@ -9,6 +9,7 @@ int num_probe = 0;
 int num_eapol = 0;
 
 LinkedList<ssid>* ssids;
+LinkedList<AccessPoint>* access_points;
 
 class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks {
 
@@ -132,6 +133,7 @@ WiFiScan::WiFiScan()
 
 void WiFiScan::RunSetup() {
   ssids = new LinkedList<ssid>();
+  access_points = new LinkedList<AccessPoint>();
   BLEDevice::init("");
   pBLEScan = BLEDevice::getScan(); //create new scan
   this->ble_initialized = true;
@@ -139,6 +141,13 @@ void WiFiScan::RunSetup() {
   this->shutdownBLE();
 }
 
+int WiFiScan::clearAPs() {
+  int num_cleared = access_points->size();
+  access_points->clear();
+  Serial.println("access_points: " + (String)access_points->size());
+  return num_cleared;
+}
+
 int WiFiScan::clearSSIDs() {
   int num_cleared = ssids->size();
   ssids->clear();
@@ -243,6 +252,8 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
     RunEapolScan(scan_mode, color);
   else if (scan_mode == WIFI_SCAN_AP)
     RunBeaconScan(scan_mode, color);
+  else if (scan_mode == WIFI_SCAN_TARGET_AP)
+    RunAPScan(scan_mode, color);
   else if (scan_mode == WIFI_SCAN_PWN)
     RunPwnScan(scan_mode, color);
   else if (scan_mode == WIFI_SCAN_DEAUTH)
@@ -322,6 +333,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
 {
   if ((currentScanMode == WIFI_SCAN_PROBE) ||
   (currentScanMode == WIFI_SCAN_AP) ||
+  (currentScanMode == WIFI_SCAN_TARGET_AP) ||
   (currentScanMode == WIFI_SCAN_PWN) ||
   (currentScanMode == WIFI_SCAN_ESPRESSIF) ||
   (currentScanMode == WIFI_SCAN_EAPOL) ||
@@ -424,6 +436,39 @@ String WiFiScan::freeRAM()
   return String(s);
 }
 
+// Function to start running a beacon scan
+void WiFiScan::RunAPScan(uint8_t scan_mode, uint16_t color)
+{
+  sd_obj.openCapture("ap");
+
+  Serial.println("Clearing APs: " + (String)access_points->size());
+  access_points->clear();
+  display_obj.TOP_FIXED_AREA_2 = 48;
+  display_obj.tteBar = true;
+  display_obj.print_delay_1 = 15;
+  display_obj.print_delay_2 = 10;
+  //display_obj.clearScreen();
+  display_obj.initScrollValues(true);
+  display_obj.tft.setTextWrap(false);
+  display_obj.tft.setTextColor(TFT_WHITE, color);
+  display_obj.tft.fillRect(0,16,240,16, color);
+  display_obj.tft.drawCentreString(" AP Scan ",120,16,2);
+  display_obj.touchToExit();
+  display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+  display_obj.setupScrollArea(display_obj.TOP_FIXED_AREA_2, BOT_FIXED_AREA);
+  //wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
+  esp_wifi_init(&cfg);
+  esp_wifi_set_storage(WIFI_STORAGE_RAM);
+  esp_wifi_set_mode(WIFI_MODE_NULL);
+  esp_wifi_start();
+  esp_wifi_set_promiscuous(true);
+  esp_wifi_set_promiscuous_filter(&filt);
+  esp_wifi_set_promiscuous_rx_cb(&apSnifferCallback);
+  esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
+  this->wifi_initialized = true;
+  initTime = millis();
+}
+
 void WiFiScan::RunLvJoinWiFi(uint8_t scan_mode, uint16_t color) {
 
   display_obj.tft.init();
@@ -446,6 +491,17 @@ void WiFiScan::RunLvJoinWiFi(uint8_t scan_mode, uint16_t color) {
   //display_obj.joinWiFiGFX();
 }
 
+void WiFiScan::RunClearAPs() {
+  display_obj.tft.setTextWrap(false);
+  display_obj.tft.setFreeFont(NULL);
+  display_obj.tft.setCursor(0, 100);
+  display_obj.tft.setTextSize(1);
+  display_obj.tft.setTextColor(TFT_CYAN);
+
+  display_obj.tft.println(F("Clearing APs..."));
+  display_obj.tft.println("APs Cleared: " + (String)this->clearAPs());
+}
+
 void WiFiScan::RunClearSSIDs() {
   display_obj.tft.setTextWrap(false);
   display_obj.tft.setFreeFont(NULL);
@@ -1177,6 +1233,113 @@ void WiFiScan::pwnSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type)
   }
 }
 
+void WiFiScan::apSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type)
+{
+  wifi_promiscuous_pkt_t *snifferPacket = (wifi_promiscuous_pkt_t*)buf;
+  WifiMgmtHdr *frameControl = (WifiMgmtHdr*)snifferPacket->payload;
+  wifi_pkt_rx_ctrl_t ctrl = (wifi_pkt_rx_ctrl_t)snifferPacket->rx_ctrl;
+  int len = snifferPacket->rx_ctrl.sig_len;
+
+  String display_string = "";
+  String essid = "";
+
+  if (type == WIFI_PKT_MGMT)
+  {
+    len -= 4;
+    int fctl = ntohs(frameControl->fctl);
+    const wifi_ieee80211_packet_t *ipkt = (wifi_ieee80211_packet_t *)snifferPacket->payload;
+    const WifiMgmtHdr *hdr = &ipkt->hdr;
+
+    // If we dont the buffer size is not 0, don't write or else we get CORRUPT_HEAP
+    if ((snifferPacket->payload[0] == 0x80) && (display_obj.display_buffer->size() == 0))
+    {
+      char addr[] = "00:00:00:00:00:00";
+      getMAC(addr, snifferPacket->payload, 10);
+
+      bool in_list = false;
+      bool mac_match = true;
+
+      for (int i = 0; i < access_points->size(); i++) {
+        mac_match = true;
+        //Serial.print("Checking ");
+        //Serial.print(addr);
+        //Serial.println(" against " + (String)access_points->get(i).essid);
+
+        
+        for (int x = 0; x < 6; x++) {
+          //Serial.println((String)snifferPacket->payload[x + 10] + " | " + (String)access_points->get(i).bssid[x]);
+          if (snifferPacket->payload[x + 10] != access_points->get(i).bssid[x]) {
+            mac_match = false;
+            //Serial.println("MACs do not match");
+            break;
+          }
+        }
+        if (mac_match) {
+          in_list = true;
+          break;
+        }
+      }
+
+      if (!in_list) {
+      
+        delay(random(0, 10));
+        Serial.print("RSSI: ");
+        Serial.print(snifferPacket->rx_ctrl.rssi);
+        Serial.print(" Ch: ");
+        Serial.print(snifferPacket->rx_ctrl.channel);
+        Serial.print(" BSSID: ");
+        Serial.print(addr);
+        display_string.concat(addr);
+        Serial.print(" ESSID: ");
+        display_string.concat(" -> ");
+        for (int i = 0; i < snifferPacket->payload[37]; i++)
+        {
+          Serial.print((char)snifferPacket->payload[i + 38]);
+          display_string.concat((char)snifferPacket->payload[i + 38]);
+          essid.concat((char)snifferPacket->payload[i + 38]);
+        }
+  
+        int temp_len = display_string.length();
+        for (int i = 0; i < 40 - temp_len; i++)
+        {
+          display_string.concat(" ");
+        }
+  
+        Serial.print(" ");
+  
+        if (display_obj.display_buffer->size() == 0)
+        {
+          display_obj.loading = true;
+          display_obj.display_buffer->add(display_string);
+          display_obj.loading = false;
+        }
+        if (essid == "") {
+          essid = "N/A";
+          Serial.print(essid + " ");
+        }
+
+        AccessPoint ap = {essid,
+                          snifferPacket->rx_ctrl.channel,
+                          {snifferPacket->payload[10],
+                           snifferPacket->payload[11],
+                           snifferPacket->payload[12],
+                           snifferPacket->payload[13],
+                           snifferPacket->payload[14],
+                           snifferPacket->payload[15]},
+                          false};
+
+        access_points->add(ap);
+
+        Serial.print(access_points->size());
+
+        Serial.println();
+  
+        sd_obj.addPacket(snifferPacket->payload, len);
+      }
+    }
+  }
+}
+
 void WiFiScan::beaconSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type)
 {
   wifi_promiscuous_pkt_t *snifferPacket = (wifi_promiscuous_pkt_t*)buf;
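Review bot: apSnifferCallback trusts the SSID length byte at `payload[37]` without comparing it to `len`, so a truncated beacon or one advertising an oversized SSID element makes the ESSID loop read up to 255 bytes past the end of the captured frame, and nothing verifies that the element at offset 36 is actually the SSID tag; before that loop add `if (snifferPacket->payload[36] != 0 || len < 38 + snifferPacket->payload[37]) return;` so only a complete SSID element inside the frame is parsed. These frames are attacker-controlled over the air, so this guard is exactly what a hostile AP would be probing. The de-duplication loop also calls `access_points->get(i)` once per byte compared, which walks the linked list from the head on each call; hoisting `AccessPoint cand = access_points->get(i);` above the inner loop and comparing against `cand.bssid[x]` does the same check with one walk per entry. The `delay(random(0, 10))` runs inside the promiscuous RX callback and, if this callback executes on the Wi-Fi task as registered by esp_wifi_set_promiscuous_rx_cb, stalls frame delivery for every newly seen AP; it mirrors the sibling callbacks, so treat it as a shared follow-up.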
@@ -2244,6 +2407,7 @@ void WiFiScan::main(uint32_t currentTime)
   // WiFi operations
   if ((currentScanMode == WIFI_SCAN_PROBE) ||
   (currentScanMode == WIFI_SCAN_AP) ||
+  (currentScanMode == WIFI_SCAN_TARGET_AP) ||
   (currentScanMode == WIFI_SCAN_PWN) ||
   (currentScanMode == WIFI_SCAN_ESPRESSIF) ||
   (currentScanMode == WIFI_SCAN_DEAUTH) ||

+ 14 - 0
esp32_marauder/WiFiScan.h

@@ -45,6 +45,7 @@
 #define LV_JOIN_WIFI 13
 #define LV_ADD_SSID 14
 #define WIFI_ATTACK_BEACON_LIST 15
+#define WIFI_SCAN_TARGET_AP 16
 
 #define GRAPH_REFRESH 100
 
@@ -63,6 +64,13 @@ struct ssid {
   int bssid[6];
 };
 
+struct AccessPoint {
+  String essid;
+  int channel;
+  int bssid[6];
+  bool selected;
+};
+
 class WiFiScan
 {
   private:
@@ -147,6 +155,7 @@ class WiFiScan
     void broadcastRandomSSID(uint32_t currentTime);
     void broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid);
     void broadcastSetSSID(uint32_t current_time, char* ESSID);
+    void RunAPScan(uint8_t scan_mode, uint16_t color);
     void RunRickRoll(uint8_t scan_mode, uint16_t color);
     void RunBeaconSpam(uint8_t scan_mode, uint16_t color);
     void RunBeaconList(uint8_t scan_mode, uint16_t color);
@@ -164,6 +173,8 @@ class WiFiScan
   public:
     WiFiScan();
 
+    //AccessPoint ap_list;
+
     //LinkedList<ssid>* ssids;
 
     int set_channel = 1;
@@ -184,6 +195,7 @@ class WiFiScan
 
     void RunSetup();
     int clearSSIDs();
+    int clearAPs();
     bool addSSID(String essid);
     int generateSSIDs();
     bool shutdownWiFi();
@@ -197,6 +209,7 @@ class WiFiScan
     void RunShutdownBLE();
     void RunGenerateSSIDs();
     void RunClearSSIDs();
+    void RunClearAPs();
     void channelHop();
     uint8_t currentScanMode = 0;
     void main(uint32_t currentTime);
@@ -207,6 +220,7 @@ class WiFiScan
     static void espressifSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type);
     static void pwnSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type);
     static void beaconSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type);
+    static void apSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type);
     static void deauthSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type);
     static void probeSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type);
     static void beaconListSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type);