gat3way / AirPirate

Android 802.11 pentesting tool

Question : How's deauth/disassociation going to work? #5

Open ExploiTR opened 5 years ago

ExploiTR commented 5 years ago

The pre-compiled binary didn't work, so I tried to build it myself.

But after going through the sources, trying to find the actual deauth method, I couldn't find any function actually doing the work.

What I've found is Band.sendDeauth(), which actually points to the snippet below:

    public void sendDeauth(String bssid, String hwaddr)
    {
        //TODO
    }

So, my question is: how will it do the work?

I mean, I just need some help to understand the matter here.

ExploiTR commented 5 years ago

I found some comment at : src/com/gat3way/airpirate/Rtl8192Card.java

Will re-open the issue in case I need more help.

gat3way commented 5 years ago

Deauth is not being sent; instead disassociation frames are sent, as in practice it turned out that it works much more reliably against different devices.

gat3way commented 5 years ago

P.S. didn't read carefully, yes, rtl8192card extends usbsource and overrides the senddeauth.

ExploiTR commented 5 years ago

@gat3way Well, it's working now. But it's halfway better. I was having a problem with the USB endpoint and got "failed to do bulkio".

After some code changes it's working fine, the WNA1000m is lit up and I'm getting RX/TX values too.

But I'm not getting any station/network data. So what I tried is: I modified the actual deAuth method to use channel 13, as I configured my router to use it:

    @Override
    public void sendDeauth(String bssid, String hwaddr) {
        int val, val1, val2, val3, val4, val5, val6, val7;
        int pktlen = 26;
        byte[] packet = new byte[26 + 32];
        byte[] s_bssid = new byte[6];
        byte[] s_hwaddr = new byte[6];
        int channel = 13;

        /* lock on the appropriate channel (disabled for this test; channel is hardcoded to 13 above)
        Band band = Band.instance();
        channel = 0;
        for (int i = 0; i < band.networks.size(); i++)
            if (band.networks.get(i).bssid.equals(bssid))
                channel = band.networks.get(i).channel; */

and reading the bulkTransfer output with int x = mConnection.bulkTransfer(mInjBulkEndpoint, packet, packet.length, 100); I'm getting 58 each time.

And I'm calling sendDeauth like this, using a Handler loop:

        updateDeviceStringOnUi(deviceName);
        updateDeviceStatusStringOnUi("Running.");
        Log.d(TAG, "Started rtl8192");

        final Handler handler = new Handler(Looper.getMainLooper());
        handler.post(new Runnable() {
            @Override
            public void run() {
                sendDeauth("B4:xx:xx:xx:F4:3D", "80:xx:xx:xx:57:7b");
                handler.postDelayed(this,1000);
            }
        });

I'm ignoring the station/network problem and setting everything up on my own. But still, the deauth doesn't work.

ExploiTR commented 5 years ago

I also checked Wireshark with the "wlan.fc.type_subtype == 0xc" filter and it didn't detect a single disassoc packet.
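An added example (not AirPirate's code, and in Python rather than the tool's Java) for checking what that filter sees: Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, so 0xc matches deauthentication only, while the disassociation frames gat3way says the tool actually sends show up as 0xa. The parser below decodes the frame-control field and reason code of raw 802.11 frames (monitor-mode capture, radiotap header already stripped, 26 bytes for a disconnect frame as in the pktlen above) and counts disconnect frames per transmitter, which is the detection side of this traffic; the sample frames and MAC addresses are constructed.

```python
import struct
from collections import Counter

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype; management frames have type 0,
# so a filter on 0xc shows deauthentication only and disassociation is 0xa.
DISASSOC = 0x0A
DEAUTH = 0x0C

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_header(raw: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header (radiotap already stripped) and, for
    deauth/disassoc, the 2-byte little-endian reason code that follows it."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {
        "type_subtype": (ftype << 4) | subtype,
        "addr1": mac_str(raw[4:10]),   # receiver: the station being told to leave
        "addr2": mac_str(raw[10:16]),  # transmitter: the BSSID a forged frame claims to come from
        "addr3": mac_str(raw[16:22]),  # BSSID
    }
    if info["type_subtype"] in (DISASSOC, DEAUTH) and len(raw) >= 26:
        info["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return info

def disconnect_frames(frames) -> list:
    """Keep only deauth/disassoc frames, i.e. what the 0xa and 0xc filters would show."""
    return [f for f in map(parse_header, frames) if f["type_subtype"] in (DISASSOC, DEAUTH)]

def flood_sources(frames, threshold: int) -> dict:
    """Count disconnect frames per claimed transmitter; a real AP rarely sends more than a
    handful, so a source at or above the threshold is worth an alert."""
    counts = Counter(f["addr2"] for f in disconnect_frames(frames))
    return {addr: n for addr, n in counts.items() if n >= threshold}

# Constructed sample capture (not real traffic); fields are FC, duration, addr1, addr2, addr3, seq, body.
AP, STA = "021122334455", "02aabbccddee"  # constructed, locally administered MACs
SAMPLE = [
    bytes.fromhex("8000" "0000" "ffffffffffff" + AP + AP + "1000"),   # beacon (body omitted)
    bytes.fromhex("a000" "3a01" + STA + AP + AP + "2000" "0800"),    # disassoc, reason 8
    bytes.fromhex("a000" "3a01" + STA + AP + AP + "3000" "0800"),    # disassoc, reason 8
    bytes.fromhex("c000" "3a01" + STA + AP + AP + "4000" "0700"),    # deauth, reason 7
    bytes.fromhex("0800" "2c00" + AP + STA + AP + "5000"),           # data frame, ignored
]
```

Run over a real capture, the addr2 counts point at whichever BSSID the forged frames claim to come from, so compare them against the AP's own frame rate rather than trusting the address.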

ExploiTR commented 5 years ago

@gat3way any help? @gat3way