Commit 681ea1d0 authored by Devon Kearns's avatar Devon Kearns

Imported Upstream version 2.2

##################################
# <jwright> Well, I may be doing stupid things with make
# <jwright> OK, it was Makefile stupid'ness
# <jwright> I don't really understand what the hell I am doing with Make, I'm
# just copying other files and seeing what works.
# <dragorn> heh
# <dragorn> i think thats all anyone does
# <dragorn> make is a twisted beast
##################################
LDLIBS = -lpcap -lcrypt
CFLAGS = -pipe -Wall -D_LINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -I../../..
CFLAGS += -D_OPENSSL_MD4
LDLIBS += -lcrypto
CFLAGS += -g3 -ggdb -g
PROGOBJ = asleap.o genkeys.o utils.o common.o sha1.o
PROG = asleap genkeys
all: $(PROG) $(PROGOBJ)
utils: utils.c utils.h
$(CC) $(CFLAGS) utils.c -c
common: common.c common.h
$(CC) $(CFLAGS) common.c -c
sha1: sha1.c sha1.h
$(CC) $(CFLAGS) sha1.c -c
asleap: asleap.c asleap.h sha1.o common.o common.h utils.o version.h sha1.c \
sha1.h
$(CC) $(CFLAGS) asleap.c -o asleap common.o utils.o sha1.o $(LDLIBS)
genkeys: genkeys.c md4.c md4.h common.o utils.o version.h common.h
$(CC) $(CFLAGS) md4.c genkeys.c -o genkeys common.o utils.o $(LDLIBS)
clean:
$(RM) $(PROGOBJ) $(PROG) *~
strip:
@ls -l $(PROG)
@strip $(PROG)
@ls -l $(PROG)
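Review bot: The `utils`, `common` and `sha1` rules name targets that do not match the `utils.o`, `common.o` and `sha1.o` files their recipes produce, so they never satisfy the object prerequisites of the `asleap` and `genkeys` rules; make's implicit `%.o: %.c` rule builds those objects instead, without the header dependencies this Makefile lists. Renaming them, e.g. `utils.o: utils.c utils.h`, makes the header dependencies effective. Note also that `all: $(PROG) $(PROGOBJ)` compiles an `asleap.o` and `genkeys.o` that nothing links, because the program rules compile `asleap.c` and `genkeys.c` directly. The debug flags `-g3 -ggdb -g` are unconditional; a short comment or a `DEBUG` variable would let release builds drop them.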
Many people have helped with this project, please let me know if you think I
have forgotten you.
Abaddon - for AirJack and for being a badass
Dragorn - lots of code support
Bob H. - inspiration and being cool
Rob Timko - lots of testing, packet captures
Anton Rager - packet captures and testing
Jacob Brown - code support
Devin Akin - Win32 testing, inspiration
George Ou - PPTP stuff, insipration
/*
* asleap - recover weak LEAP passwords. Pronounced "asleep".
*
* $Id: asleap.h,v 1.17 2007/05/10 19:29:06 jwright Exp $
*
* Copyright (c) 2004, Joshua Wright <jwright@hasborg.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. See COPYING for more
* details.
*
* asleap is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
/*
* Significant code is graciously taken from the following:
* MS-CHAPv2 and attack tools by Jochen Eisinger, Univ. of Freiburg
*/
/* These offsets follow start at the beginning of the IP Header */
//#define GREOFFSET 20
#define IPHDRLEN 20 /* Not always constant, but usually */
#define GREMINHDRLEN 8
#define GRESYNSETFLAG 0x0010
#define GREACKSETFLAG 0x8000
//#define PPPGREOFFSET 16
#define PPPGRECHAPOFFSET 2
#define PPPUSERNAMEOFFSET 54
#define LPEXCH_ERR -1
#define LPEXCH_TIMEOUT 0
#define LEAPEXCHFOUND 1
#define PPTPEXCHFOUND 2
#define GREPROTOPPP 0x880b
#define PPPPROTOCHAP 0xc223
/* asleap data structure, containing information from command line options and
gathered information from the network.
XXX This should *really* be broken up into two structures for command line
configuration information and packet capture results. Such is the result
of poor planning in the initial design. */
struct asleap_data {
char username[256 + 1];
uint8_t eapid;
uint8_t challenge[8];
uint8_t response[24];
uint8_t endofhash[2];
char password[32];
uint8_t nthash[16];
/* for PPTP/true MS-CHAPv2 */
uint8_t pptpauthchal[16];
uint8_t pptppeerchal[16];
// uint8_t pptpchal[8];
// uint8_t pptppeerresp[24];
int eapsuccess;
int skipeapsuccess; /* Don't bother checking for success after auth */
int verbose;
char dictfile[255];
char dictidx[255];
char wordfile[255];
/* Tracking values */
uint8_t leapchalfound;
uint8_t leaprespfound;
uint8_t leapsuccessfound;
uint8_t pptpchalfound;
uint8_t pptprespfound;
uint8_t pptpsuccessfound;
uint8_t manualchalresp;
};
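Review bot: The comment on `IPHDRLEN` admits the value is "not always constant", yet `PPPUSERNAMEOFFSET` and the GRE/PPP offsets are fixed numbers that only hold for a 20-byte IP header with no options; the header should state that consumers must take the header length from the IP IHL field and bounds-check every offset against the captured length before reading, e.g. `/* Offsets assume IHL == 5 and no options; callers must validate against caplen */`. `char password[32]` in `struct asleap_data` is sized independently of `MAX_NT_PASSWORD` (256 in common.h), so whatever fills `password` from dictionary input must bound the copy to `sizeof(password) - 1`; a comment tying the two sizes together, or one named constant, would make that visible. This header also has no include guard, unlike byteswap.h; wrapping it in `#ifndef ASLEAP_H` is a one-line fix.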
#ifndef BYTESWAP_H
#define BYTESWAP_H
#define __swab16(x) \
({ \
uint16_t __x = (x); \
((uint16_t)( \
(((uint16_t)(__x) & (uint16_t)0x00ffU) << 8) | \
(((uint16_t)(__x) & (uint16_t)0xff00U) >> 8) )); \
})
#define __swab32(x) \
({ \
uint32_t __x = (x); \
((uint32_t)( \
(((uint32_t)(__x) & (uint32_t)0x000000ffUL) << 24) | \
(((uint32_t)(__x) & (uint32_t)0x0000ff00UL) << 8) | \
(((uint32_t)(__x) & (uint32_t)0x00ff0000UL) >> 8) | \
(((uint32_t)(__x) & (uint32_t)0xff000000UL) >> 24) )); \
})
#define __swab64(x) \
({ \
uint64_t __x = (x); \
((uint64_t)( \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0x00000000000000ffULL) << 56) | \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0x000000000000ff00ULL) << 40) | \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0x0000000000ff0000ULL) << 24) | \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0x00000000ff000000ULL) << 8) | \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0x000000ff00000000ULL) >> 8) | \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0x0000ff0000000000ULL) >> 24) | \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0x00ff000000000000ULL) >> 40) | \
(uint64_t)(((uint64_t)(__x) & (uint64_t)0xff00000000000000ULL) >> 56) )); \
})
#ifdef WORDS_BIGENDIAN
#warning "Compiling for big-endian"
#define le16_to_cpu(x) __swab16(x)
#define le32_to_cpu(x) __swab32(x)
#define le64_to_cpu(x) __swab64(x)
#else
#define le16_to_cpu(x) (x)
#define le32_to_cpu(x) (x)
#define le64_to_cpu(x) (x)
#endif
#endif /* BYTESWAP_H */
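Review bot: `le16_to_cpu`/`le32_to_cpu`/`le64_to_cpu` only byte-swap when `WORDS_BIGENDIAN` is defined, and nothing in this commit's Makefile defines it, so on a big-endian host the little-endian fields are silently passed through unswapped. Deriving the condition from the compiler instead, e.g. `#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__`, removes the dependency on a build-system define that is never set. The macro names `__swab16`/`__swab32`/`__swab64` and the temporary `__x` are reserved identifiers (double underscore) and collide with names used by the kernel and glibc headers; un-reserved names such as `asleap_swab16` avoid that. The statement-expression form `({ ... })` is a GNU extension, which is consistent with the `__attribute__((packed))` use elsewhere but worth a one-line comment.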
/*
* asleap - recover weak LEAP passwords. Pronounced "asleep".
*
* $Id: common.c,v 1.6 2007/05/10 19:29:06 jwright Exp $
*
* Copyright (c) 2004, Joshua Wright <jwright@hasborg.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. See COPYING for more
* details.
*
* asleap is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
/*
* Significant code is graciously taken from the following:
* MS-CHAPv2 and attack tools by Jochen Eisinger, Univ. of Freiburg
*/
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include "common.h"
#include "utils.h"
#ifdef _OPENSSL_MD4
#include <openssl/md4.h>
#define MD4Init MD4_Init
#define MD4Update MD4_Update
#define MD4Final MD4_Final
#define MD4WRAP MD4
#else
#include "md4.h"
#define MD4WRAP md4
#endif
/* written from scratch
* Copyright (C) 2001 Jochen Eisinger, University of Freiburg
*/
#define hex2int(c) ((((c) >= '0') && ((c) <= '9')) ? ((c) - '0') : \
((((c) >= 'A') && ((c) <= 'F')) ? ((c) - 'A' + 10) : \
((c) - 'a' + 10)))
/* GetCharArray:
* Convert ASCII String to binary
*/
void getchararray(char *s, unsigned char *a)
{
int i, w, len;
len = strlen(s);
for (i = 0; i < len; i += 2) {
w = hex2int(s[i]);
w <<= 4;
w += hex2int(s[i + 1]);
a[i >> 1] = w;
}
}
/* PutCharArray:
* Convert binary to ASCII String
*/
void PutCharArray(unsigned char *a, int c)
{
char hexcode[] = "0123456789abcdef";
int i;
for (i = 0; i < c; i++)
printf("%c%c", hexcode[a[i] >> 4], hexcode[a[i] & 15]);
}
/*
* converts a string to a mac address...
* returns 1 on success, -1 on failure...
* failure indicates poorly formed input...
*/
int string_to_mac(char *string, unsigned int *mac_buf)
{
char *ptr, *next;
unsigned long val;
int i;
to_upper(string);
ptr = next = string;
for (i = 0; i < 6; i++) {
if ((val = strtoul(next, &ptr, 16)) > 255) {
errno = EINVAL;
return (-1);
}
mac_buf[i] = (unsigned int)val;
if ((next == ptr) && (i != 6 - 1)) {
errno = EINVAL;
return (-1);
}
next = ptr + 1;
}
return (1);
}
void NtPasswordHash(char *secret, int secret_len, unsigned char *hash)
{
int i;
unsigned char unicodePassword[MAX_NT_PASSWORD * 2];
/* Initialize the Unicode version of the secret (== password). */
/* This implicitly supports 8-bit ISO8859/1 characters. */
memset(unicodePassword, 0, sizeof(unicodePassword));
for (i = 0; i < secret_len; i++)
unicodePassword[i * 2] = (unsigned char)secret[i];
/* Unicode is 2 bytes per char */
MD4WRAP(unicodePassword, secret_len * 2, hash);
}
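Review bot: `NtPasswordHash` writes `secret_len` bytes (at stride 2) into the fixed `unicodePassword[MAX_NT_PASSWORD * 2]` buffer without checking `secret_len` against `MAX_NT_PASSWORD`, so a longer secret — presumably possible when words come from a user-supplied dictionary — overruns the stack buffer; add `if (secret_len < 0 || secret_len > MAX_NT_PASSWORD) secret_len = MAX_NT_PASSWORD;` before the loop (or return an error code) and document the limit in the function comment. `string_to_mac` has a related over-read: when `strtoul` stops at the terminating NUL on an input with fewer than six groups, `next = ptr + 1` steps past the end of the string and the next iteration calls `strtoul` on memory beyond it, so check `if (*ptr == '\0' && i != 6 - 1) { errno = EINVAL; return (-1); }` before advancing. `getchararray` takes no output length and `hex2int` maps any non-hex character to an arbitrary value rather than rejecting it; its comment should say that `a` must hold at least `strlen(s)/2` bytes and that `s` must be well-formed even-length hex.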
/*
* asleap - recover weak LEAP passwords. Pronounced "asleep".
*
* $Id: common.h,v 1.14 2007/05/10 19:29:06 jwright Exp $
*
* Copyright (c) 2004, Joshua Wright <jwright@hasborg.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. See COPYING for more
* details.
*
* asleap is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
/*
* Significant code is graciously taken from the following:
* MS-CHAPv2 and attack tools by Jochen Eisinger, Univ. of Freiburg
*/
#include <stdio.h>
#include <ctype.h>
#define MD4_SIGNATURE_SIZE 16
/* Prototypes */
void getchararray(char *s, unsigned char *a);
void PutCharArray(unsigned char *a, int c);
int string_to_mac(char *string, unsigned int *mac_buf);
void NtPasswordHash(char *secret, int secret_len, unsigned char *hash);
#define MAX_NT_PASSWORD 256
#define hex2int(c) ((((c) >= '0') && ((c) <= '9')) ? ((c) - '0') : \
((((c) >= 'A') && ((c) <= 'F')) ? ((c) - 'A' + 10) : \
((c) - 'a' + 10)))
/* Structure for the binary output from genkeys - used by asleap to read the
file. */
struct hashpass_rec {
unsigned char rec_size;
char *password;
unsigned char hash[16];
} __attribute__ ((packed));
/* Structure for the index file from genkeys */
struct hashpassidx_rec {
unsigned char hashkey[2];
off_t offset;
unsigned long long int numrec;
} __attribute__ ((packed));
/* Structure for use in sorting hashes into appropriate buckets */
struct hashbucket_rec {
FILE *sbucket;
long numrec;
};
static __inline__ void to_upper(char *s)
{
char *p;
char offset;
offset = 'A' - 'a';
for (p = s; *p != '\0'; p++) {
if (islower(*p)) {
*p += offset;
}
}
}
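Review bot: `to_upper` passes a plain `char` to `islower`, which is undefined for negative values where `char` is signed (any byte above 0x7f in the input); use `if (islower((unsigned char)*p))`. This header has no include guard, and it defines `hex2int` with the same body that common.c also defines locally, so a second inclusion or a future divergence of the two copies will produce redefinition warnings or silent behaviour differences; wrap the header in `#ifndef COMMON_H` and keep a single definition. `struct hashpass_rec` is described as the binary output format of genkeys yet embeds a `char *password` pointer and an `off_t`, so its `sizeof` depends on the pointer width and on `_FILE_OFFSET_BITS` — presumably the writer serialises the fields individually rather than dumping the struct; a comment stating the actual on-disk layout would prevent a reader from assuming the struct is written verbatim.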
Sample packet capture files for testing. The password for the LEAP exchange in
"leap.dump" is "qaleap". The password for the LEAP exchange in "leap.apc" is
"blamo".
The password for the PPTP exchange in "pptp.apc" is "turquoise".
==11449== Memcheck, a memory error detector.
==11449== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==11449== Using LibVEX rev 1658, a library for dynamic binary translation.
==11449== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==11449== Using valgrind-3.2.1, a dynamic binary instrumentation framework.
==11449== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==11449==
--11449-- Command line
--11449-- ./genkeys
--11449-- -r
--11449-- dict
--11449-- -f
--11449-- out.dat
--11449-- -n
--11449-- out.idx
--11449-- Startup, with flags:
--11449-- -v
--11449-- --show-reachable=yes
--11449-- Contents of /proc/version:
--11449-- Linux version 2.6.19.1 (root@thallium) (gcc version 4.1.1 (Gentoo 4.1.1-r3)) #2 SMP Tue Apr 3 00:18:31 EDT 2007
--11449-- Arch and hwcaps: X86, x86-sse1-sse2
--11449-- Valgrind library directory: /usr/lib/valgrind
--11449-- Reading syms from /lib/ld-2.3.6.so (0x4000000)
--11449-- Reading syms from /home/jwright/asleap/genkeys (0x8048000)
--11449-- Reading syms from /usr/lib/valgrind/x86-linux/memcheck (0x38000000)
--11449-- object doesn't have a symbol table
--11449-- object doesn't have a dynamic symbol table
--11449-- Reading suppressions file: /usr/lib/valgrind/default.supp
--11449-- REDIR: 0x4010DE0 (index) redirected to 0x380269E7 (???)
--11449-- Reading syms from /usr/lib/valgrind/x86-linux/vgpreload_core.so (0x4017000)
--11449-- object doesn't have a symbol table
--11449-- Reading syms from /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so (0x401A000)
--11449-- object doesn't have a symbol table
==11449== WARNING: new redirection conflicts with existing -- ignoring it
--11449-- new: 0x04010DE0 (index ) R-> 0x0401D0DB index
--11449-- Reading syms from /usr/lib/libpcap.so.0.9 (0x4034000)
--11449-- object doesn't have a symbol table
--11449-- Reading syms from /lib/libcrypt-2.3.6.so (0x405A000)
--11449-- object doesn't have a symbol table
--11449-- Reading syms from /usr/lib/libcrypto.so.0.9.8 (0x4088000)
--11449-- object doesn't have a symbol table
--11449-- Reading syms from /lib/libc-2.3.6.so (0x41B4000)
--11449-- object doesn't have a symbol table
--11449-- Reading syms from /lib/libdl-2.3.6.so (0x42C3000)
--11449-- object doesn't have a symbol table
--11449-- REDIR: 0x42190E0 (rindex) redirected to 0x401CFF7 (rindex)
--11449-- REDIR: 0x4218F48 (strncmp) redirected to 0x401D2A9 (strncmp)
--11449-- REDIR: 0x42186C0 (index) redirected to 0x401D0B6 (index)
--11449-- REDIR: 0x4219034 (strncpy) redirected to 0x401DCF0 (strncpy)
--11449-- REDIR: 0x4215EE5 (malloc) redirected to 0x401C3C5 (malloc)
--11449-- REDIR: 0x4219F30 (memset) redirected to 0x401D509 (memset)
genkeys 2.0 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...--11449-- REDIR: 0x4219A30 (memchr) redirected to 0x401D41A (memchr)
--11449-- REDIR: 0x421A3D0 (memcpy) redirected to 0x401DB7A (memcpy)
--11449-- REDIR: 0x4214053 (free) redirected to 0x401BF97 (free)
Done.
14267876 hashes written in 2089.54 seconds: 6828.24 hashes/second
Starting sort (be patient) ...--11449-- REDIR: 0x4216E34 (calloc) redirected to 0x401B686 (calloc)
--11449-- REDIR: 0x421ABE0 (rawmemchr) redirected to 0x401D5B4 (rawmemchr)
--11449-- REDIR: 0x421A0F0 (stpcpy) redirected to 0x401D858 (stpcpy)
Done.
Completed sort in 206994907 compares.
Creating index file (almost finished) ...==11449== Jump to the invalid address stated on the next line
==11449== at 0x82D2D2D: ???
==11449== Address 0x82D2D2D is not stack'd, malloc'd or (recently) free'd
==11449==
==11449== Process terminating with default action of signal 11 (SIGSEGV)
==11449== Bad permissions for mapped region at address 0x82D2D2D
==11449== at 0x82D2D2D: ???
==11449==
==11449== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 7 from 1)
==11449==
==11449== 1 errors in context 1 of 1:
==11449== Jump to the invalid address stated on the next line
==11449== at 0x82D2D2D: ???
==11449== Address 0x82D2D2D is not stack'd, malloc'd or (recently) free'd
--11449--
--11449-- supp: 7 Ubuntu-stripped-ld.so
==11449==
==11449== IN SUMMARY: 1 errors from 1 contexts (suppressed: 7 from 1)
==11449==
==11449== malloc/free: in use at exit: 728 bytes in 2 blocks.
==11449== malloc/free: 14,268,907 allocs, 14,268,905 frees, 736,778,230 bytes allocated.
==11449==
==11449== searching for pointers to 2 not-freed blocks.
==11449== checked 345,776 bytes.
==11449==
==11449== LEAK SUMMARY:
==11449== definitely lost: 0 bytes in 0 blocks.
==11449== possibly lost: 0 bytes in 0 blocks.
==11449== still reachable: 728 bytes in 2 blocks.
==11449== suppressed: 0 bytes in 0 blocks.
--11449-- memcheck: sanity checks: 194959 cheap, 7799 expensive
--11449-- memcheck: auxmaps: 0 auxmap entries (0k, 0M) in use
--11449-- memcheck: auxmaps: 0 searches, 0 comparisons
--11449-- memcheck: SMs: n_issued = 9498 (151968k, 148M)
--11449-- memcheck: SMs: n_deissued = 9258 (148128k, 144M)
--11449-- memcheck: SMs: max_noaccess = 65535 (1048560k, 1023M)
--11449-- memcheck: SMs: max_undefined = 17 (272k, 0M)
--11449-- memcheck: SMs: max_defined = 55 (880k, 0M)
--11449-- memcheck: SMs: max_non_DSM = 292 (4672k, 4M)
--11449-- memcheck: max sec V bit nodes: 1 (0k, 0M)
--11449-- memcheck: set_sec_vbits8 calls: 1 (new: 1, updates: 0)
--11449-- memcheck: max shadow mem size: 4976k, 4M
--11449-- translate: fast SP updates identified: 3,178 ( 91.8%)
--11449-- translate: generic_known SP updates identified: 214 ( 6.1%)
--11449-- translate: generic_unknown SP updates identified: 67 ( 1.9%)
--11449-- tt/tc: 7,826 tt lookups requiring 7,951 probes
--11449-- tt/tc: 7,825 fast-cache updates, 2 flushes
--11449-- transtab: new 2,856 (65,166 -> 1,106,293; ratio 169:10) [0 scs]
--11449-- transtab: dumped 0 (0 -> ??)
--11449-- transtab: discarded 0 (0 -> ??)
--11449-- scheduler: 19,495,988,383 jumps (bb entries).
--11449-- scheduler: 194,959/29,083,611 major/minor sched events.
--11449-- sanity: 194960 cheap, 7799 expensive checks.
--11449-- exectx: 30,011 lists, 30 contexts (avg 0 per list)
--11449-- exectx: 28,537,820 searches, 28,537,790 full compares (999 per 1000)
--11449-- exectx: 0 cmp2, 21 cmp4, 0 cmpAll
/* Copyright 2006 Aruba Networks */
#ifndef IEEE80211_H
#define IEEE80211_H
#define DOT11HDR_A1_LEN 10
#define DOT11HDR_A3_LEN 24
#define DOT11HDR_A4_LEN 30
#define DOT11HDR_MAC_LEN 6
#define DOT11HDR_MINLEN DOT11HDR_A1_LEN
#define DOT11_FC_TYPE_MGMT 0
#define DOT11_FC_TYPE_CTRL 1
#define DOT11_FC_TYPE_DATA 2
#define DOT11_FC_SUBTYPE_ASSOCREQ 0
#define DOT11_FC_SUBTYPE_ASSOCRESP 1
#define DOT11_FC_SUBTYPE_REASSOCREQ 2
#define DOT11_FC_SUBTYPE_REASSOCRESP 3
#define DOT11_FC_SUBTYPE_PROBEREQ 4
#define DOT11_FC_SUBTYPE_PROBERESP 5
#define DOT11_FC_SUBTYPE_BEACON 8
#define DOT11_FC_SUBTYPE_ATIM 9
#define DOT11_FC_SUBTYPE_DISASSOC 10
#define DOT11_FC_SUBTYPE_AUTH 11
#define DOT11_FC_SUBTYPE_DEAUTH 12
#define DOT11_FC_SUBTYPE_PSPOLL 10
#define DOT11_FC_SUBTYPE_RTS 11
#define DOT11_FC_SUBTYPE_CTS 12
#define DOT11_FC_SUBTYPE_ACK 13
#define DOT11_FC_SUBTYPE_CFEND 14
#define DOT11_FC_SUBTYPE_CFENDACK 15
#define DOT11_FC_SUBTYPE_DATA 0
#define DOT11_FC_SUBTYPE_DATACFACK 1
#define DOT11_FC_SUBTYPE_DATACFPOLL 2
#define DOT11_FC_SUBTYPE_DATACFACKPOLL 3
#define DOT11_FC_SUBTYPE_DATANULL 4
#define DOT11_FC_SUBTYPE_CFACK 5
#define DOT11_FC_SUBTYPE_CFACKPOLL 6
#define DOT11_FC_SUBTYPE_CFACKPOLLNODATA 7
#define DOT11_FC_SUBTYPE_QOSDATA 8
/* 9 - 11 reserved as of 11/7/2005 - JWRIGHT */
#define DOT11_FC_SUBTYPE_QOSNULL 12
/* Fixed parameter length values for mgmt frames */
#define DOT11_MGMT_BEACON_FIXEDLEN 12
#define DOT11_MGMT_ASSOCREQ_FIXEDLEN 4
#define DOT11_MGMT_ASSOCRESP_FIXEDLEN 6
#define DOT11_MGMT_AUTH_FIXEDLEN 6
/* Authentication algorithm values */
#define DOT11_MGMT_AUTHALGO_SHARED 1
#define DOT11_MGMT_AUTHALGO_OPEN 0
/* Information element identifiers */
#define DOT11_IE_SSIDSET 0
#define DOT11_IE_DSPARAMSET 3
#define DOT11_IE_RSN 48
#define DOT11_IE_WPA 221
/* IE Cipher suite mechanisms for RSN/WPA */
#define DOT11_RSN_CIPHER_GROUP 0 /* Use the group cipher for unicast */
#define DOT11_RSN_CIPHER_WEP40 1 /* WEP-40 */
#define DOT11_RSN_CIPHER_TKIP 2 /* TKIP */
#define DOT11_RSN_CIPHER_RSVD 3 /* Reserved */
#define DOT11_RSN_CIPHER_CCMP 4 /* CCMP */
#define DOT11_RSN_CIPHER_WEP104 5 /* WEP-104 */
/* IE Authentication suite mechanksms for RSN/WPA */
#define DOT11_RSN_AUTH_PMKDER 1 /* Key derived from PMK via 802.1x or
key caching mechanism. */
#define DOT11_RSN_AUTH_PSK 2 /* Key derived from PSK */
/* RSN/WPA element constants */
#define DOT11_RSN_IE_VERSION 1
#define DOT11_RSN_OUI "\x00\x0f\xac"
#define DOT11_RSN_OUI_LEN 3
#define DOT11_WPA_IE_VERSION 1
#define DOT11_WPA_TAG "\x00\x50\xf2\x01"
#define DOT11_WPA_TAG_LEN 4
#define DOT11_WPA_OUI "\x00\x50\xf2"
#define DOT11_WPA_OUI_LEN 3
/* Authentication identifiers */
#define DOT11_PREVAUTH_INVALID 2
struct dot11hdr {
union {
struct {
uint8_t version:2;
uint8_t type:2;
uint8_t subtype:4;
uint8_t to_ds:1;
uint8_t from_ds:1;
uint8_t more_frag:1;
uint8_t retry:1;
uint8_t pwrmgmt:1;
uint8_t more_data:1;
uint8_t protected:1;
uint8_t order:1;
} __attribute__ ((packed)) fc;
uint16_t fchdr;
} u1;
uint16_t duration;
uint8_t addr1[6];
uint8_t addr2[6];
uint8_t addr3[6];
union {
struct {
uint16_t fragment:4;
uint16_t sequence:12;
} __attribute__ ((packed)) seq;
uint16_t seqhdr;
} u2;
} __attribute__ ((packed));
#define dot11hdra3 dot11hdr
#define ieee80211 dot11hdr
struct dot11hdr_a1 {
union {
struct {
uint8_t version:2;
uint8_t type:2;
uint8_t subtype:4;
uint8_t to_ds:1;
uint8_t from_ds:1;
uint8_t more_frag:1;
uint8_t retry:1;
uint8_t pwrmgmt:1;
uint8_t more_data:1;
uint8_t protected:1;
uint8_t order:1;
} __attribute__ ((packed)) fc;
uint16_t fchdr;
} u1;
uint16_t duration;
uint8_t addr1[6];
} __attribute__ ((packed));
struct dot11hdr_a4 {
union {
struct {
uint8_t version:2;
uint8_t type:2;
uint8_t subtype:4;
uint8_t to_ds:1;
uint8_t from_ds:1;
uint8_t more_frag:1;
uint8_t retry:1;
uint8_t pwrmgmt:1;
uint8_t more_data:1;
uint8_t protected:1;
uint8_t order:1;
} __attribute__ ((packed)) fc;
uint16_t fchdr;
} u1;
uint16_t duration;
uint8_t addr1[6];
uint8_t addr2[6];
uint8_t addr3[6];
union {
struct {
uint16_t fragment:4;
uint16_t sequence:12;
} __attribute__ ((packed)) seq;
uint16_t seqhdr;
} u2;
uint8_t addr4[6];
} __attribute__ ((packed));
struct dot11_mgmt {
union {
struct {
uint16_t auth_algo;
uint16_t auth_transaction;
uint16_t status_code;
/* possibly followed by Challenge text */
uint8_t variable[0];
} __attribute__ ((packed)) auth;
struct {
uint16_t reason_code;
} __attribute__ ((packed)) deauth;
struct {
uint16_t capab_info;
uint16_t listen_interval;
/* followed by SSID and Supported rates */
uint8_t variable[0];
} __attribute__ ((packed)) assoc_req;
struct {
uint16_t capab_info;
uint16_t status_code;
uint16_t aid;
/* followed by Supported rates */
uint8_t variable[0];
} __attribute__ ((packed)) assoc_resp, reassoc_resp;
struct {
uint16_t capab_info;
uint16_t listen_interval;
uint8_t current_ap[6];
/* followed by SSID and Supported rates */
uint8_t variable[0];
} __attribute__ ((packed)) reassoc_req;
struct {
uint16_t reason_code;
} __attribute__ ((packed)) disassoc;
struct {
uint8_t variable[0];
} __attribute__ ((packed)) probe_req;
struct {
uint8_t timestamp[8];
uint16_t beacon_int;
uint16_t capab_info;
/* followed by some of SSID, Supported rates,
* FH Params, DS Params, CF Params, IBSS Params, TIM */
uint8_t variable[0];
} __attribute__ ((packed)) beacon;
} u;
} __attribute__ ((packed));
/* IEEE 802.11 fixed parameters */
struct ieee80211_beacon_fixparm {
uint8_t timestamp[8];
uint16_t beaconinterval;
uint16_t capability;
} __attribute__ ((packed));
struct ieee80211_qos {
uint8_t priority:3;