Created Beacon Spam Random

esp32_marauder/Display.cpp

@@ -10,11 +10,6 @@ Display::Display()
 {
 }
 
-void Display::main()
-{
-  return;
-}
-
 // Function to prepare the display and the menus
 void Display::RunSetup()
 {
@@ -462,4 +457,8 @@ void Display::listDir(fs::FS &fs, const char * dirname, uint8_t levels) {
 }
 #endif
 
+void Display::main()
+{
+  return;
+}
 // End SPIFFS_functions

esp32_marauder/Display.h

@@ -14,6 +14,7 @@
 
 #define SCREEN_WIDTH 240
 #define SCREEN_HEIGHT 320
+#define STANDARD_FONT_CHAR_LIMIT 40 // number of characters on a single line with normal font
 #define TEXT_HEIGHT 16 // Height of text to be printed and scrolled
 #define BOT_FIXED_AREA 0 // Number of lines in bottom fixed area (lines counted from bottom of screen)
 #define TOP_FIXED_AREA 16 // Number of lines in top fixed area (lines counted from top of screen)

esp32_marauder/MenuFunctions.cpp

@@ -8,20 +8,30 @@ MenuFunctions::MenuFunctions()
 // Function to check menu input
 void MenuFunctions::main()
 {
+  boolean pressed = false;
   // This is code from bodmer's keypad example
   uint16_t t_x = 0, t_y = 0; // To store the touch coordinates
 
   // Get the display buffer out of the way
-  if (wifi_scan_obj.currentScanMode != WIFI_SCAN_OFF)
+  if ((wifi_scan_obj.currentScanMode != WIFI_SCAN_OFF ) &&
+      (wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM))
     display_obj.displayBuffer();
 
 
   // Pressed will be set true is there is a valid touch on the screen
-  boolean pressed = display_obj.tft.getTouch(&t_x, &t_y);
+  int pre_getTouch = millis();
+
+  // getTouch causes a 10ms delay which makes beacon spam less effective
+  //if (wifi_scan_obj.currentScanMode == WIFI_SCAN_OFF)
+  pressed = display_obj.tft.getTouch(&t_x, &t_y);
   //boolean pressed = false;
 
+  //Serial.print("getTouch: ");
+  //Serial.print(millis() - pre_getTouch);
+  //Serial.println("ms");
+
   
-  // This is if there are scans going on
+  // This is if there are scans/attacks going on
   if ((wifi_scan_obj.currentScanMode != WIFI_SCAN_OFF) && (pressed))
   //if ((wifi_scan_obj.currentScanMode != WIFI_SCAN_OFF) && (x != -1) && (y != -1))
   {  
@@ -30,6 +40,7 @@ void MenuFunctions::main()
     (wifi_scan_obj.currentScanMode == WIFI_SCAN_AP) ||
     (wifi_scan_obj.currentScanMode == WIFI_SCAN_ST) ||
     (wifi_scan_obj.currentScanMode == WIFI_SCAN_ALL) || 
+    (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
     (wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
     (wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS))
     {
@@ -50,28 +61,31 @@ void MenuFunctions::main()
   }
   
   // / Check if any key coordinate boxes contain the touch coordinates
-  for (uint8_t b = 0; b < BUTTON_ARRAY_LEN; b++) {
-    if (pressed && key[b].contains(t_x, t_y)) {
-      key[b].press(true);  // tell the button it is pressed
-    } else {
-      key[b].press(false);  // tell the button it is NOT pressed
-    }
-  }
-
-  // Check if any key has changed state
-  for (uint8_t b = 0; b < BUTTON_ARRAY_LEN; b++) {
-    display_obj.tft.setFreeFont(MENU_FONT);
-    if (key[b].justPressed()) {
-      key[b].drawButton2(current_menu->list->get(b).name, true);  // draw invert
+  if ((wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM))
+  {
+    for (uint8_t b = 0; b < BUTTON_ARRAY_LEN; b++) {
+      if (pressed && key[b].contains(t_x, t_y)) {
+        key[b].press(true);  // tell the button it is pressed
+      } else {
+        key[b].press(false);  // tell the button it is NOT pressed
+      }
     }
-
-    // If button was just release, execute the button's function
-    if (key[b].justReleased())
-    {
-      key[b].drawButton2(current_menu->list->get(b).name);     // draw normal
-      current_menu->list->get(b).callable();
+  
+    // Check if any key has changed state
+    for (uint8_t b = 0; b < BUTTON_ARRAY_LEN; b++) {
+      display_obj.tft.setFreeFont(MENU_FONT);
+      if (key[b].justPressed()) {
+        key[b].drawButton2(current_menu->list->get(b).name, true);  // draw invert
+      }
+  
+      // If button was just release, execute the button's function
+      if (key[b].justReleased())
+      {
+        key[b].drawButton2(current_menu->list->get(b).name);     // draw normal
+        current_menu->list->get(b).callable();
+      }
+      display_obj.tft.setFreeFont(NULL);
     }
-    display_obj.tft.setFreeFont(NULL);
   }
   x = -1;
   y = -1;
@@ -131,6 +145,7 @@ void MenuFunctions::RunSetup()
   // Build WiFi attack menu
   wifiAttackMenu.parentMenu = &wifiMenu; // Main Menu is second menu parent
   addNodes(&wifiAttackMenu, "Back", TFT_RED, NULL, 0, [this](){changeMenu(wifiAttackMenu.parentMenu);});
+  addNodes(&wifiAttackMenu, "Beacon Spam Random", TFT_ORANGE, NULL, 1, [this](){wifi_scan_obj.StartScan(WIFI_ATTACK_BEACON_SPAM, TFT_ORANGE);});
   
   // Build Bluetooth Menu
   bluetoothMenu.parentMenu = &mainMenu; // Second Menu is third menu parent

esp32_marauder/WiFiScan.cpp

@@ -1,5 +1,6 @@
 #include "WiFiScan.h"
 
+//esp_err_t esp_wifi_80211_tx(wifi_interface_t ifx, const void *buffer, int len, bool en_sys_seq);
 
 class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks {
     void onResult(BLEAdvertisedDevice advertisedDevice) {
@@ -112,12 +113,15 @@ WiFiScan::WiFiScan()
 // Function to prepare to run a specific scan
 void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
 {  
+  //Serial.println("Starting Scan...");
   if (scan_mode == WIFI_SCAN_OFF)
     StopScan(scan_mode);
   else if (scan_mode == WIFI_SCAN_PROBE)
     RunProbeScan(scan_mode, color);
   else if (scan_mode == WIFI_SCAN_AP)
     RunBeaconScan(scan_mode, color);
+  else if (scan_mode == WIFI_ATTACK_BEACON_SPAM)
+    RunBeaconSpam(scan_mode, color);
   else if (scan_mode == BT_SCAN_ALL)
     RunBluetoothScan(scan_mode, color);
   else if (scan_mode == BT_SCAN_SKIMMERS)
@@ -132,10 +136,10 @@ void WiFiScan::StopScan(uint8_t scan_mode)
   if ((currentScanMode == WIFI_SCAN_PROBE) ||
   (currentScanMode == WIFI_SCAN_AP) ||
   (currentScanMode == WIFI_SCAN_ST) ||
-  (currentScanMode == WIFI_SCAN_ALL))
-  {
+  (currentScanMode == WIFI_SCAN_ALL) ||
+  (currentScanMode == WIFI_ATTACK_BEACON_SPAM))
     esp_wifi_set_promiscuous(false);
-  }
+    
   else if ((currentScanMode == BT_SCAN_ALL) ||
   (currentScanMode == BT_SCAN_SKIMMERS))
   {
@@ -151,21 +155,31 @@ void WiFiScan::StopScan(uint8_t scan_mode)
   display_obj.tteBar = false;
 }
 
-// Function for updating scan status
-void WiFiScan::main(uint32_t currentTime)
+// Function to prepare for beacon spam
+void WiFiScan::RunBeaconSpam(uint8_t scan_mode, uint16_t color)
 {
-  // WiFi operations
-  if ((currentScanMode == WIFI_SCAN_PROBE) ||
-  (currentScanMode == WIFI_SCAN_AP) ||
-  (currentScanMode == WIFI_SCAN_ST) ||
-  (currentScanMode == WIFI_SCAN_ALL))
-  {
-    if (currentTime - initTime >= 1000)
-    {
-      initTime = millis();
-      channelHop();
-    }
-  }
+  //Serial.println("Beacon Spam...");
+  display_obj.TOP_FIXED_AREA_2 = 32;
+  display_obj.tteBar = true;
+  display_obj.print_delay_1 = 15;
+  display_obj.print_delay_2 = 10;
+  display_obj.clearScreen();
+  display_obj.initScrollValues(true);
+  display_obj.tft.setTextWrap(false);
+  display_obj.tft.setTextColor(TFT_BLACK, color);
+  display_obj.tft.fillRect(0,0,240,16, color);
+  display_obj.tft.drawCentreString(" Beacon Spam Random ",120,0,2);
+  display_obj.touchToExit();
+  display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+  packets_sent = 0;
+  //esp_wifi_set_mode(WIFI_MODE_STA);
+  WiFi.mode(WIFI_AP_STA);
+  esp_wifi_set_promiscuous_filter(NULL);
+  esp_wifi_set_promiscuous(true);
+  esp_wifi_set_max_tx_power(78);
+  initTime = millis();
+  //display_obj.clearScreen();
+  //Serial.println("End of func");
 }
 
 // Function to start running a beacon scan
@@ -397,6 +411,61 @@ void WiFiScan::probeSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type)
   }
 }
 
+// Function for sending crafted beacon frames
+void WiFiScan::broadcastRandomSSID(uint32_t currentTime) {
+
+  set_channel = random(1,12); 
+  esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
+  delay(1);  
+
+  // Randomize SRC MAC
+  packet[10] = packet[16] = random(256);
+  packet[11] = packet[17] = random(256);
+  packet[12] = packet[18] = random(256);
+  packet[13] = packet[19] = random(256);
+  packet[14] = packet[20] = random(256);
+  packet[15] = packet[21] = random(256);
+
+  packet[37] = 6;
+  
+  
+  // Randomize SSID (Fixed size 6. Lazy right?)
+  packet[38] = alfa[random(65)];
+  packet[39] = alfa[random(65)];
+  packet[40] = alfa[random(65)];
+  packet[41] = alfa[random(65)];
+  packet[42] = alfa[random(65)];
+  packet[43] = alfa[random(65)];
+  
+  packet[56] = set_channel;
+
+  uint8_t postSSID[13] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
+                      0x03, 0x01, 0x04 /*DSSS (Current Channel)*/ };
+
+
+
+  // Add everything that goes after the SSID
+  for(int i = 0; i < 12; i++) 
+    packet[38 + 6 + i] = postSSID[i];
+
+  //Serial.println("About to send packets...");
+
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  //esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  //esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  //esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+
+  packets_sent = packets_sent + 3;
+
+  //Serial.print("Packets sent: ");
+  //Serial.println(packets_sent);
+  
+  //Serial.println("Sent packets");
+}
+
+
 //void WiFiScan::sniffer_callback(void* buf, wifi_promiscuous_pkt_type_t type) {
 //  wifi_promiscuous_pkt_t *snifferPacket = (wifi_promiscuous_pkt_t*)buf;
 //  showMetadata(snifferPacket, type);
@@ -412,3 +481,44 @@ void WiFiScan::channelHop()
   esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
   delay(1);
 }
+
+
+// Function for updating scan status
+void WiFiScan::main(uint32_t currentTime)
+{
+  // WiFi operations
+  if ((currentScanMode == WIFI_SCAN_PROBE) ||
+  (currentScanMode == WIFI_SCAN_AP) ||
+  (currentScanMode == WIFI_SCAN_ST) ||
+  (currentScanMode == WIFI_SCAN_ALL))
+  {
+    if (currentTime - initTime >= 1000)
+    {
+      initTime = millis();
+      channelHop();
+    }
+  }
+  else if ((currentScanMode == WIFI_ATTACK_BEACON_SPAM))
+  {
+    // Need this for loop because getTouch causes ~10ms delay
+    // which makes beacon spam less effective
+    for (int i = 0; i < 55; i++)
+      broadcastRandomSSID(currentTime);
+
+    if (currentTime - initTime >= 1000)
+    {
+      initTime = millis();
+      //Serial.print("packets/sec: ");
+      //Serial.println(packets_sent);
+      String displayString = "";
+      String displayString2 = "";
+      displayString.concat("packets/sec: ");
+      displayString.concat(packets_sent);
+      for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)
+        displayString2.concat(" ");
+      display_obj.showCenterText(displayString2, 160);
+      display_obj.showCenterText(displayString, 160);
+      packets_sent = 0;
+    }
+  }
+}

esp32_marauder/WiFiScan.h

@@ -6,6 +6,7 @@
 #include <BLEScan.h>
 #include <BLEAdvertisedDevice.h>
 
+#include <WiFi.h>
 #include "esp_wifi.h"
 #include "esp_wifi_types.h"
 #include "Display.h"
@@ -24,6 +25,7 @@
 
 extern Display display_obj;
 
+esp_err_t esp_wifi_80211_tx(wifi_interface_t ifx, const void *buffer, int len, bool en_sys_seq);
 
 class WiFiScan
 {
@@ -32,11 +34,10 @@ class WiFiScan
     bool run_setup = true;
     int set_channel = 1;
     int bluetoothScanTime = 5;
+    int packets_sent = 0;
     const wifi_promiscuous_filter_t filt = {.filter_mask=WIFI_PROMIS_FILTER_MASK_MGMT | WIFI_PROMIS_FILTER_MASK_DATA};
     BLEScan* pBLEScan;
 
-    esp_err_t esp_wifi_80211_tx(wifi_interface_t ifx, const void *buffer, int len, bool en_sys_seq);
-
     String alfa = "1234567890qwertyuiopasdfghjkklzxcvbnm QWERTYUIOPASDFGHJKLZXCVBNM_";
 
     char* prefix = "G";
@@ -70,6 +71,8 @@ class WiFiScan
                     /*36*/  0x00
                     };
 
+    void broadcastRandomSSID(uint32_t currentTime);
+    void RunBeaconSpam(uint8_t scan_mode, uint16_t color);
     void RunBeaconScan(uint8_t scan_mode, uint16_t color);
     void RunProbeScan(uint8_t scan_mode, uint16_t color);
     void RunBluetoothScan(uint8_t scan_mode, uint16_t color);
@@ -77,6 +80,8 @@ class WiFiScan
 
   public:
     WiFiScan();
+
+    
     
     void channelHop();
     uint8_t currentScanMode = 0;

esp32_marauder/esp32_marauder.ino

@@ -47,12 +47,18 @@ void setup()
 void loop()
 {
   // get the current time
+  //if ((wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM))
   currentTime = millis();
 
   // Update all of our objects
   display_obj.main(); 
   wifi_scan_obj.main(currentTime);
+  //if ((wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM))
   menu_function_obj.main();
 
+  //Serial.print("Run Time: ");
+  //Serial.print(millis() - currentTime);
+  //Serial.println("ms");
+
   delay(1);
 }