From 11b3b6fbb3bdfb7d9a3fc6648f53fc648fd017d4 Mon Sep 17 00:00:00 2001 From: Noah Axon Date: Mon, 25 Sep 2023 23:09:36 -0500 Subject: [PATCH] Add wifi spamming functionality --- m5stick-nemo.ino | 143 ++++++++++++++++++++++++++++++- wifispam.h | 219 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 358 insertions(+), 4 deletions(-) create mode 100644 wifispam.h diff --git a/m5stick-nemo.ino b/m5stick-nemo.ino index 551df46..8e0241f 100644 --- a/m5stick-nemo.ino +++ b/m5stick-nemo.ino @@ -6,9 +6,10 @@ #include #include "applejuice.h" #include "WORLD_IR_CODES.h" -#include +#include "wifispam.h" #include #include + int advtime = 0; String formattedDate; String dayStamp; @@ -28,7 +29,7 @@ struct MENU { // 0 - Clock // 1 - Main Menu // 2 - Settings Menu -// 3 - Clock set (not implemented yet) +// 3 - Clock set // 4 - Dimmer Time adjustment // 5 - TV B-GONE // 6 - Battery info @@ -36,6 +37,8 @@ struct MENU { // 8 - AppleJuice Menu // 9 - AppleJuice Advertisement // 10 - Credits +// 11 - Wifi beacon spam +// 12 - Wifi spam menu bool isSwitching = true; int current_proc = 0; // Start in Clock Mode @@ -81,6 +84,7 @@ MENU mmenu[] = { { "clock", 0}, { "TV B-GONE", 5}, { "AppleJuice", 8}, + { "WiFi Spam", 12}, { "settings", 2}, }; 
@@ -640,6 +644,127 @@ void credits_setup(){ M5.Lcd.setTextColor(GREEN, BLACK); } +/// WiFiSPAM /// +void wifispam_setup() { + // create empty SSID + for (int i = 0; i < 32; i++) + emptySSID[i] = ' '; + // for random generator + randomSeed(1); + + // set packetSize + packetSize = sizeof(beaconPacket); + if (wpa2) { + beaconPacket[34] = 0x31; + } else { + beaconPacket[34] = 0x21; + packetSize -= 26; + } + + // generate random mac address + randomMac(); + + //change WiFi mode + WiFi.mode(WIFI_MODE_STA); + + // set channel + esp_wifi_set_channel(channels[0], WIFI_SECOND_CHAN_NONE); + + M5.Lcd.fillScreen(BLACK); + M5.Lcd.setTextSize(3); + M5.Lcd.setCursor(5, 1); + M5.Lcd.println("WiFi Spam"); + delay(2000); + M5.Lcd.setTextSize(2); + current_proc = 11; +} + +void wifispam_loop() { + int i = 0; + int len = 0; + digitalWrite(M5_LED, LOW); //LED ON on Stick C Plus + delay(1); + digitalWrite(M5_LED, HIGH); //LED OFF on Stick C Plus + // put your main code here, to run repeatedly: + currentTime = millis(); + if (currentTime - attackTime > 100) { + switch(spamtype) { + case 1: + len = sizeof(funnyssids); + while(i < len){ + i++; + } + beaconSpam(funnyssids); + break; + case 2: + len = sizeof(rickrollssids); + while(i < len){ + i++; + } + beaconSpam(rickrollssids); + break; + } + } +} + +/// WIFISPAM MENU /// +MENU wsmenu[] = { + { "Funny", 0}, + { "Rickroll", 1}, + { "back", 2}, +}; + +void wsmenu_drawmenu() { + M5.Lcd.setTextSize(2); + M5.Lcd.fillScreen(BLACK); + M5.Lcd.setCursor(0, 8, 1); + for ( int i = 0 ; i < ( sizeof(wsmenu) / sizeof(MENU) ) ; i++ ) { + M5.Lcd.print((cursor == i) ? 
">" : " "); + M5.Lcd.println(wsmenu[i].name); + } +} + +void wsmenu_setup() { + M5.Lcd.setRotation(rotation); + cursor = 0; + rstOverride = true; + wsmenu_drawmenu(); + delay(250); // Prevent switching after menu loads up +} + +void wsmenu_loop() { + if (digitalRead(M5_BUTTON_RST) == LOW) { + cursor++; + cursor = cursor % ( sizeof(wsmenu) / sizeof(MENU) ); + wsmenu_drawmenu(); + delay(250); + } + if (digitalRead(M5_BUTTON_HOME) == LOW) { + int option = wsmenu[cursor].command; + // Also borrowed heavily from ronaldstoner / ECTO-1A esp32 AppleJuice + //uint8_t* data; + switch(option) { + case 0: + spamtype = 1; + rstOverride = false; + isSwitching = true; + current_proc = 11; + break; + case 1: + spamtype = 2; + rstOverride = false; + isSwitching = true; + current_proc = 11; + break; + case 2: + rstOverride = false; + isSwitching = true; + current_proc = 1; + break; + } + } +} + /// ENTRY /// void setup() { M5.begin(); @@ -717,6 +842,11 @@ void loop() { case 10: credits_setup(); break; + case 11: + wifispam_setup(); + break; + case 12: + wsmenu_setup(); } } @@ -752,7 +882,12 @@ void loop() { aj_adv(); break; case 10: - // noop - just let the credits stay on screen - break; + // noop - just let the credits stay on screen + break; + case 11: + wifispam_loop(); + break; + case 12: + wsmenu_loop(); } } diff --git a/wifispam.h b/wifispam.h new file mode 100644 index 0000000..c824c6e --- /dev/null +++ b/wifispam.h 
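Review bot: In `wifispam_loop` the `while(i < len){ i++; }` loops under `case 1` and `case 2` only count up to `sizeof(...)`, and nothing reads `i` or `len` afterwards, so they do work on every pass without changing what `beaconSpam` receives. Each case can be reduced to the call itself, e.g. `case 1: beaconSpam(funnyssids); break;`, with the `i` and `len` locals dropped. The switch has no `default`, so a `spamtype` other than 1 or 2 silently does nothing; a comment above it such as `// spamtype: 1 = funny list, 2 = rickroll list (set in wsmenu_loop)` would document that coupling. In `wifispam_setup` the bare `packetSize -= 26;` deserves a comment tying it to the size of the RSN block at the end of `beaconPacket`, which appears to be the 26 bytes at offsets 83-108.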
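Review bot: The new final case in the setup switch, `case 12: wsmenu_setup();`, ends without a `break;`, unlike every other case visible in the hunk, and the same is true of `case 12: wsmenu_loop();` in the following hunk. It is harmless while each stays the last case, but the next case appended after either will be fallen into. I would add `break;` after both calls. The enclosing `loop()` starts and ends outside these hunks.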
@@ -0,0 +1,219 @@
+// ===== Settings ===== //
+const uint8_t channels[] = {1, 6, 11}; // used Wi-Fi channels (available: 1-14)
+const bool wpa2 = true; // WPA2 networks
+int spamtype = 1; // 1 = funny, 2 = rickroll, maybe more later
+
+/*
+ SSIDs:
+ - don't forget the \n at the end of each SSID!
+ - max. 32 characters per SSID
+ - don't add duplicates! You have to change one character at least
+*/
+char ssids[]={};
+
+const char funnyssids[] PROGMEM = {
+ "Mom Use This One\n"
+ "Abraham Linksys\n"
+ "Benjamin FrankLAN\n"
+ "Martin Router King\n"
+ "John Wilkes Bluetooth\n"
+ "Pretty Fly for a Wi-Fi\n"
+ "Bill Wi the Science Fi\n"
+ "I Believe Wi Can Fi\n"
+ "Tell My Wi-Fi Love Her\n"
+ "No More Mister Wi-Fi\n"
+ "LAN Solo\n"
+ "The LAN Before Time\n"
+ "Silence of the LANs\n"
+ "House LANister\n"
+ "Winternet Is Coming\n"
+ "Ping’s Landing\n"
+ "The Ping in the North\n"
+ "This LAN Is My LAN\n"
+ "Get Off My LAN\n"
+ "The Promised LAN\n"
+ "The LAN Down Under\n"
+ "FBI Surveillance Van 4\n"
+ "Area 51 Test Site\n"
+ "Drive-By Wi-Fi\n"
+ "Planet Express\n"
+ "Wu Tang LAN\n"
+ "Darude LANstorm\n"
+ "Never Gonna Give You Up\n"
+ "Hide Yo Kids, Hide Yo Wi-Fi\n"
+ "Loading…\n"
+ "Searching…\n"
+ "VIRUS.EXE\n"
+ "Virus-Infected Wi-Fi\n"
+ "Starbucks Wi-Fi\n"
+ "Text ###-#### for Password\n"
+ "Yell ____ for Password\n"
+ "The Password Is 1234\n"
+ "Free Public Wi-Fi\n"
+ "No Free Wi-Fi Here\n"
+ "Get Your Own Damn Wi-Fi\n"
+ "It Hurts When IP\n"
+ "Dora the Internet Explorer\n"
+ "404 Wi-Fi Unavailable\n"
+ "Porque-Fi\n"
+ "Titanic Syncing\n"
+ "Test Wi-Fi Please Ignore\n"
+ "Drop It Like It’s Hotspot\n"
+ "Life in the Fast LAN\n"
+ "The Creep Next Door\n"
+ "Ye Olde Internet\n"
+};
+
+const char rickrollssids[] PROGMEM = {
+ "01 Never gonna give you up\n"
+ "02 Never gonna let you down\n"
+ "03 Never gonna run around\n"
+ "04 and desert you\n"
+ "05 Never gonna make you cry\n"
+ "06 Never gonna say goodbye\n"
+ "07 Never gonna tell a lie\n"
+ "08 and hurt you\n"
+};
+
+
+#include
+
+extern "C" {
+#include "esp_wifi.h"
+ esp_err_t esp_wifi_set_channel(uint8_t primary, wifi_second_chan_t second);
+ esp_err_t esp_wifi_80211_tx(wifi_interface_t ifx, const void *buffer, int len, bool en_sys_seq);
+}
+
+// run-time variables
+char emptySSID[32];
+uint8_t channelIndex = 0;
+uint8_t macAddr[6];
+uint8_t wifi_channel = 1;
+uint32_t currentTime = 0;
+uint32_t packetSize = 0;
+uint32_t packetCounter = 0;
+uint32_t attackTime = 0;
+uint32_t packetRateTime = 0;
+
+// beacon frame definition
+uint8_t beaconPacket[109] = {
+ /* 0 - 3 */ 0x80, 0x00, 0x00, 0x00, // Type/Subtype: managment beacon frame
+ /* 4 - 9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: broadcast
+ /* 10 - 15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
+ /* 16 - 21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
+
+ // Fixed parameters
+ /* 22 - 23 */ 0x00, 0x00, // Fragment & sequence number (will be done by the SDK)
+ /* 24 - 31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp
+ /* 32 - 33 */ 0xe8, 0x03, // Interval: 0x64, 0x00 => every 100ms - 0xe8, 0x03 => every 1s
+ /* 34 - 35 */ 0x31, 0x00, // capabilities Tnformation
+
+ // Tagged parameters
+
+ // SSID parameters
+ /* 36 - 37 */ 0x00, 0x20, // Tag: Set SSID length, Tag length: 32
+ /* 38 - 69 */ 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, // SSID
+
+ // Supported Rates
+ /* 70 - 71 */ 0x01, 0x08, // Tag: Supported Rates, Tag length: 8
+ /* 72 */ 0x82, // 1(B)
+ /* 73 */ 0x84, // 2(B)
+ /* 74 */ 0x8b, // 5.5(B)
+ /* 75 */ 0x96, // 11(B)
+ /* 76 */ 0x24, // 18
+ /* 77 */ 0x30, // 24
+ /* 78 */ 0x48, // 36
+ /* 79 */ 0x6c, // 54
+
+ // Current Channel
+ /* 80 - 81 */ 0x03, 0x01, // Channel set, length
+ /* 82 */ 0x01, // Current Channel
+
+ // RSN information
+ /* 83 - 84 */ 0x30, 0x18,
+ /* 85 - 86 */ 0x01, 0x00,
+ /* 87 - 90 */
0x00, 0x0f, 0xac, 0x02,
+ /* 91 - 92 */ 0x02, 0x00,
+ /* 93 - 100 */ 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, /*Fix: changed 0x02(TKIP) to 0x04(CCMP) is default. WPA2 with TKIP not supported by many devices*/
+ /* 101 - 102 */ 0x01, 0x00,
+ /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02,
+ /* 107 - 108 */ 0x00, 0x00
+};
+
+// goes to next channel
+void nextChannel() {
+ if (sizeof(channels) > 1) {
+ uint8_t ch = channels[channelIndex];
+ channelIndex++;
+ if (channelIndex > sizeof(channels)) channelIndex = 0;
+
+ if (ch != wifi_channel && ch >= 1 && ch <= 14) {
+ wifi_channel = ch;
+ //wifi_set_channel(wifi_channel);
+ esp_wifi_set_channel(wifi_channel, WIFI_SECOND_CHAN_NONE);
+ }
+ }
+}
+
+// generates random MAC
+void randomMac() {
+ for (int i = 0; i < 6; i++)
+ macAddr[i] = random(256);
+}
+
+void beaconSpam(const char list[]){
+ attackTime = currentTime;
+
+ // temp variables
+ int i = 0;
+ int j = 0;
+ int ssidNum = 1;
+ char tmp;
+ int ssidsLen = strlen_P(list);
+ bool sent = false;
+
+ // go to next channel
+ nextChannel();
+
+ while (i < ssidsLen) {
+ // read out next SSID
+ j = 0;
+ do {
+ tmp = pgm_read_byte(list + i + j);
+ j++;
+ } while (tmp != '\n' && j <= 32 && i + j < ssidsLen);
+
+ uint8_t ssidLen = j - 1;
+
+ // set MAC address
+ macAddr[5] = ssidNum;
+ ssidNum++;
+
+ // write MAC address into beacon frame
+ memcpy(&beaconPacket[10], macAddr, 6);
+ memcpy(&beaconPacket[16], macAddr, 6);
+
+ // reset SSID
+ memcpy(&beaconPacket[38], emptySSID, 32);
+
+ // write new SSID into beacon frame
+ memcpy_P(&beaconPacket[38], &list[i], ssidLen);
+
+ // set channel for beacon frame
+ beaconPacket[82] = wifi_channel;
+
+ // send packet
+ for (int k = 0; k < 3; k++) {
+ packetCounter += esp_wifi_80211_tx(WIFI_IF_STA, beaconPacket, packetSize, 0) == 0;
+ delay(1);
+ }
+ i += j;
+ }
+}
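Review bot: `nextChannel()` wraps the index with `if (channelIndex > sizeof(channels)) channelIndex = 0;`, which lets `channelIndex` reach 3 for the three-entry `channels[]`, so the following call reads `channels[3]`, one element past the end of the array. The later `ch >= 1 && ch <= 14` test limits what is done with that value but not the out-of-bounds read itself; the comparison should be `>=`, i.e. `if (channelIndex >= sizeof(channels)) channelIndex = 0;`. `sizeof(channels)` equals the element count only because the elements are `uint8_t`, so `sizeof(channels) / sizeof(channels[0])` would keep the bound correct if the type ever changes. Separately, `char ssids[]={};` near the top of the file is unused and an unknown-bound array with an empty initializer is not standard C++, and `bool sent` in `beaconSpam` is never read; both can be removed.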