ESP32 Wi-Fi Penetration Tool

Main component

This component the main component (also called pseudo-component). It contains attacks implementations themselves and attack wrapper framework.

Theory behind following attacks implementations is in /doc/ATTACK_THEORY.md.

Deauth broadcast

One way to send deauthentication frames is by bypassing Wi-Fi Stack Libaries that block them from being send. For this purpose WSL Bypasser component is being used. For further detail about how the bypass works, see README for WSL Bypasser component.

Deauthentication frame is built with broadcast destination MAC address (ff:ff:ff:ff:ff:ff), source MAC address and BSSID of target AP.

Pros

There doesn’t have to be an active communication in progress. Devices will receive this frame even if they are not actively communicating.

Cons

Some devices are ignoring broadcast deauthentication frames as stated in Aircrack-ng documentation.

Some clients ignore broadcast deauthentications. If this is the case, you will need to send a deauthentication directed at the particular client.

Rogue AP

Another option is to start rogue duplicated AP. This way Wi-Fi Stack Libraries stay untouched and only ESP-IDF API is used for this. Taking in consideration that it’s possible to set any valid MAC address to AP interface, we can create duplicated AP by setting same MAC as the genuine AP has by esp_wifi_set_mac. We know all necessary values from the AP scanner and have them in wifi_ap_record_t structure. From there we can just pass the information to wifi_config_t and configure AP by esp_wifi_set_config. Once this AP is started, whenever it receives Class 2 or 3 frame from any STA, it will respond with deauthentication frame. This behaviour is defined directly in 802.11 standard. STA has no way to verify whether the frame is from genuine AP or rogue one and in defensive manner deauthneticates itself from the network.
This is demonstrated in the following sequence diagram:

Rogue AP sequence diagram

Pros

Deauthentication frames are directed to the STA that sent some frame to AP.

Cons

This apporach requires active communication to be happening.
It may confuse STA completely so it will not be able to authenticate again, or it may try to authenticate with rogue AP instead of the genuine one. (can be fixed by turning duplicated AP on and off giving STA some time to reconnect)

PMKID capture

To capture PMKID from AP the only thing we have to do is to initiate connection and get first handshake message from AP. If PMKID is available, AP will send it as part of the first handshake message, so it doesn’t matter we don’t know the credentials.

Denial of Service

This reuses deauthentication methods from above and just skips handshake capture. It also allows combination of all deauth methods, which makes it more robust against different behaviour of various devices.

Reference

Doxygen API reference available