
WPA-SEC multiple improvements #131

Open: wants to merge 1 commit into base: master

Conversation

@jacopotediosi jacopotediosi commented Jul 29, 2024

This PR is the same as evilsocket#1248, which I submitted to the original evilsocket repository. I'm submitting it here too because the original evilsocket repository seems abandoned and aluminum-ice is actually the fork I use daily in my pwnagotchi.

Description

This PR is a nearly complete rewrite of the wpa-sec plugin to add features and fix bugs.
Below I try to summarize my changes by dividing them into subchapters.

Uploading handshakes and tracking their status

The most notable improvement brought by this PR is definitely the drastic increase in handshakes that are actually uploaded to the wpa-sec website.

There are several reasons why a handshake may be invalid and therefore rejected by the wpa-sec website, including:

  • too much distance from the clients did not allow capturing all the packets needed to crack the handshake;
  • the uploaded pcap file was not yet completed, for example because the pwnagotchi had started writing it when it sent the association frame to the AP but the AP had never responded with the PMKID.

The wpa-sec plugin implementation prior to this PR uploaded any pcap file contained in the handshakes folder (even if its capture was not completed or if the file was still being written) and did not check the response from the wpa-sec website. If an invalid handshake was uploaded, it was still marked as reported by the plugin and was not retried in subsequent captures.
Additionally, this approach suffered from performance and reliability issues:

  • as the number of pcap files in the handshakes folder increased, it took longer and longer to iterate over them;
  • the list of handshakes already uploaded was saved in a json file. This list was loaded into memory, so it took up more and more RAM as the number of handshakes increased. If pwnagotchi was turned off during writing, the json file was irreparably corrupted.

This PR instead uses a sqlite db to store the status of uploads, which should be a better choice from the point of view of performance, memory usage, and reliability.
Files are added to the database with status TOUPLOAD only when pwnagotchi calls the on_handshake function, that is, when it is guaranteed that a handshake has been captured and that writing to the pcap file has finished.
When there is an internet connection, all files with status TOUPLOAD are uploaded and the response of the wpa-sec API is checked. If a handshake is rejected by the website, it is marked with status INVALID and at the next capture it is set back to TOUPLOAD so it will be retried.

Download cracked passwords into .pcap.cracked single files

The new single_files option is implemented in the config.toml file. This option (which already existed for the Onlinehashcrack plugin), if set to true, downloads the cracked passwords from the wpa-sec website into individual files with the .pcap.cracked extension, so you can see the cracked WiFi passwords directly in the webgpsmap plugin map.

Download interval

This option was implemented by the commit b1343b2 and allows you to decide how often to download passwords cracked by wpa-sec. I have adjusted the implementation to make it fall back to the default value of 3600 without crashing the plugin if the option is not set in the config.toml file.

On_webhook

The previous implementation of the on_webhook function before this commit was broken. When clicking the plugin name in the Plugins tab of the pwnagotchi web UI, you were not actually authenticated to the wpa-sec website, because the code was trying to set the cookie containing the API key on the remote website's origin, so it was obviously not allowed to create cookies due to the Same Origin Policy. The new code implemented by this commit actually authenticates to the wpa-sec website by simulating entering the API key in the website's login form.

Log messages and exception handling

While rewriting the code I improved the log messages and exception handling (for example, by using the logging.exception() method, which prints the exception stacktrace to the logs for easier debugging). Also, this plugin now writes a logging info every time it uploads a handshake to the wpa-sec website, because in my opinion this is a sensitive operation and should be logged.

Motivation and Context

I noticed that most of my handshakes were not listed in the "My Nets" list on the wpa-sec website, so I started investigating why. I eventually found that invalid handshakes were considered reported and were not retried even if a valid handshake was captured for the same AP later.

  • I have raised an issue to propose this change (required) --> About downloading cracked passwords from wpa-sec website into single .pcap.cracked files, please look at this issue from 2020. For everything else, I haven't opened any issues.

How Has This Been Tested?

I have reread the code multiple times and asked a couple of friends for a review. The code has been running on our pwnagotchi instances without any issues for over three weeks. Unfortunately, I have not done any further testing. If you have any suggestions for further testing, please let me know.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change) --> I paid special attention to backwards compatibility. The plugin does not crash even if the new options in the config.toml file are missing.

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation. --> Maybe? The new single_files and download_interval options should be documented, but I see that, for example, the onlinehashcrack plugin's single_files option was not documented either.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s
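One way to implement the sqlite-backed upload bookkeeping the PR describes (TOUPLOAD on a completed capture, INVALID when the service rejects it, back to TOUPLOAD on the next capture), as an added example that is not the PR's or pwnagotchi's code. It assumes a hypothetical `upload_fn` standing in for the wpa-sec API call and constructed status names.

```python
import sqlite3

# Status values modelled on the PR's TOUPLOAD / INVALID states (names are assumed).
TOUPLOAD, UPLOADED, INVALID = "TOUPLOAD", "UPLOADED", "INVALID"


class HandshakeTracker:
    """sqlite-backed record of which pcap files still need uploading."""

    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS handshakes "
            "(path TEXT PRIMARY KEY, status TEXT NOT NULL)"
        )

    def on_handshake(self, path):
        # Called only once the pcap is fully written. A new file becomes TOUPLOAD;
        # a file previously rejected as INVALID is reset to TOUPLOAD so it is
        # retried; a file already UPLOADED is left alone.
        with self.db:  # one transaction, so a power loss cannot half-apply it
            self.db.execute(
                "INSERT OR IGNORE INTO handshakes(path, status) VALUES (?, ?)",
                (path, TOUPLOAD),
            )
            self.db.execute(
                "UPDATE handshakes SET status=? WHERE path=? AND status=?",
                (TOUPLOAD, path, INVALID),
            )

    def pending(self):
        rows = self.db.execute(
            "SELECT path FROM handshakes WHERE status=? ORDER BY path", (TOUPLOAD,)
        )
        return [r[0] for r in rows]

    def upload_pending(self, upload_fn):
        # upload_fn(path) -> True if the service accepted the capture, False if it
        # rejected it; it raises OSError when there is no connectivity (hypothetical
        # stand-in for the wpa-sec API call). Each result is committed individually.
        results = {}
        for path in self.pending():
            try:
                accepted = upload_fn(path)
            except OSError:
                break  # offline: leave remaining files TOUPLOAD for a later cycle
            results[path] = UPLOADED if accepted else INVALID
            with self.db:
                self.db.execute(
                    "UPDATE handshakes SET status=? WHERE path=?", (results[path], path)
                )
        return results

    def status(self, path):
        row = self.db.execute(
            "SELECT status FROM handshakes WHERE path=?", (path,)
        ).fetchone()
        return row[0] if row else None
```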

@jacopotediosi jacopotediosi force-pushed the wpa-sec-single-files-aluminum-ice branch from 706660b to 53f09b1 Compare July 30, 2024 15:12
# WPA-SEC multiple improvements

This commit is a nearly complete rewrite of the wpa-sec plugin to add features and fix bugs.
Below I try to summarize my changes by dividing them into subchapters.

## Uploading handshakes and tracking their status
The most notable improvement brought by this commit is definitely the drastic increase in handshakes that are actually uploaded to the wpa-sec website.

There are several reasons why a handshake may be invalid and therefore rejected by the wpa-sec website, including:
- too much distance from the clients did not allow capturing all the packets needed to crack the handshake;
- the uploaded pcap file was not yet completed, for example because the pwnagotchi had started writing it when it sent the association frame to the AP but the AP had never responded with the PMKID.

The wpa-sec plugin implementation prior to this commit uploaded any pcap file contained in the handshakes folder (even if its capture was not completed or if the file was still being written) and did not check the response from the wpa-sec website. If an invalid handshake was uploaded, it was still marked as reported by the plugin and was not retried in subsequent captures.
Additionally, this approach suffered from performance and reliability issues:
- as the number of pcap files in the handshakes folder increased, it took longer and longer to iterate over them;
- the list of handshakes already uploaded was saved in a json file. This list was loaded into memory, so it took up more and more RAM as the number of handshakes increased. If pwnagotchi was turned off during writing, the json file was irreparably corrupted.

This commit instead uses a sqlite db to store the status of uploads, which should be a better choice from the point of view of performance, memory usage, and reliability.
Files are added to the database with status `TOUPLOAD` only when pwnagotchi calls the `on_handshake` function, that is, when it is guaranteed that a handshake has been captured and that writing to the pcap file has finished.
When there is an internet connection, all files with status `TOUPLOAD` are uploaded and the response of the wpa-sec API is checked. If a handshake is rejected by the website, it is marked with status `INVALID` and at the next capture it is set back to `TOUPLOAD` so it will be retried.

## Download cracked passwords into .pcap.cracked single files
The new `single_files` option is implemented in the `config.toml` file. This option (which already existed for the Onlinehashcrack plugin), if set to `true`, downloads the cracked passwords from the wpa-sec website into individual files with the `.pcap.cracked` extension, so you can see the cracked WiFi passwords directly in the webgpsmap plugin map.

## Download interval
This option was implemented by the commit aluminum-ice/pwnagotchi@b1343b2 and allows you to decide how often to download passwords cracked by wpa-sec. I have adjusted the implementation to make it fall back to the default value of 3600 without crashing the plugin if the option is not set in the `config.toml` file.

## On_webhook
The previous implementation of the `on_webhook` function before this commit was broken. When clicking the plugin name in the Plugins tab of the pwnagotchi web UI, you were not actually authenticated to the wpa-sec website, because the code was trying to set the cookie containing the API key on the remote website's origin, so it was obviously not allowed to create cookies due to the Same Origin Policy. The new code implemented by this commit actually authenticates to the wpa-sec website by simulating entering the API key in the website's login form.

## Log messages and exception handling
While rewriting the code I improved the log messages and exception handling (for example, by using the `logging.exception()` method, which prints the exception stacktrace to the logs for easier debugging). Also, this plugin now writes a logging info every time it uploads a handshake to the wpa-sec website, because in my opinion this is a sensitive operation and should be logged.
@jacopotediosi jacopotediosi force-pushed the wpa-sec-single-files-aluminum-ice branch from 53f09b1 to 261ad99 Compare August 15, 2024 21:03
@jacopotediosi jacopotediosi changed the title WPA-SEC download into .pcap.cracked single files WPA-SEC multiple improvements Aug 15, 2024
@jacopotediosi (Author) commented:

Sorry for the multiple force-pushes and the title change. Originally, I was going to create this PR just to add the new single_files option, but then I realized that it would be better to include all the other changes in this one PR. Now the PR should actually be ready to be merged.
