AngryOxide v0.8.7b releases: 802.11 Attack Tool

by do son · Published January 20, 2024 · Updated February 26, 2024

AngryOxide

AngryOxide was developed as a way to learn Rust, netlink, kernel sockets, and WiFi exploitation all at once.

The overall goal of this tool is to provide a single-interface survey capability with advanced automated attacks that result in valid hashlines you can crack with Hashcat.

This tool is heavily inspired by hcxdumptool and development wouldn’t have been possible without help from ZerBea.

Features

Active state-based attack engine used to retrieve relevant EAPOL messages from Access Points and clients.
Target option that accepts MAC (aabbcc…, aa:bb:cc…) and SSID “Test_SSID” to limit attack scope.
A Terminal-UI that presents all relevant data while still living in the terminal for easy usage over SSH.
Limits DEAUTHENTICATION frames that can cause more damage than good to the authentication sequence.
EAPOL 4-Way-Handshake validation using Nonce Correction, Replay Counter validation, and Temporal validation.
Automatically elicits PMKID from access points where available.
Utilizes GPSD with the ability to set remote GPSD service address.
Provides pcapng files with embedded GPS using the Kismet Format.
Provides a kismetdb file with all frames (with GPS) for post-processing.
Wraps all output files in a gzipped tarball.
Bash autocompletions for easy interface selection are provided.

Attacks

Will by default attack ALL access points in range, unless at least one target is supplied, at which point the tool will only transmit against defined targets. (But will still passively collect on other access points).

Attempts authentication/association sequence to produce EAPOL Message 1 (PMKID Collection)
Attempts to retrieve hidden SSID’s with undirected probe requests.
Utilized Anonymous Reassociation to force Access Points to deauthenticate their clients (MFP Bypass)
Attempts to downgrade RSN modes to WPA2-CCMP (Probe Response Injection)
Attempts to collect EAPOL M2 from stations based solely on Probe Requests (Rogue AP)
Will send controlled deauthentication frames unless told not to (–nodeauth)

All of these attacks are rate-controlled both to prevent erroneous EAPOL timer resets and to maintain some level of OPSEC.