def send_association(STA, AP,elementTag = None):
logger.info("sending an association request packet to " + AP.bssid + " (" + AP.essid + ") ...");
packet = generate_association_packet(STA, AP,elementTag);
STA.send_packet(packet);
logger.info("An association request packet was sent to " + AP.bssid + " (" + AP.essid + ") ...");
def assoc_process(self):
logger.info("association process will start");
packet = radiotap / dot11 / AssocReq / Tagged_param;
self.state = self.FAIL_COMMAND;
self.STA.assoc_found = False;
jobs = list();
result_queue = mp.Queue();
receive_process = mp.Process(target=self.__recv_assoc, args = (result_queue,) );
jobs.append(receive_process);
send_process = mp.Process(target=self.__send_assoc,args=(packet,))
jobs.append(send_process)
for job in jobs:
job.start();
for job in jobs:
job.join();
if result_queue.get():
self.state = self.SUCCESS_COMMAND;
if (self.state == self.SUCCESS_COMMAND):
logger.info("association process was successful")
elif (self.state == self.FAIL_COMMAND):
logger.error("association process was fail");
else:
logger.error("Unexpected error has occured")
def send_qos_null_function_packet(_src_interface,
_dst_interface,
_FCField=0x01):
logger.info("send a Null function (nodata) packet")
packet = generate_qos_null_function_packet(_src_interface, _dst_interface,
_FCField)
_src_interface.send_packet(packet)
def generate_probe_request_packet(_sta_interface, _dst_interface,
tagged_param):
logger.info("generate a probe request packet packet")
return _sta_interface.radiotap / Dot11(
addr1=_dst_interface.mac_address,
addr2=_sta_interface.mac_address,
addr3=_dst_interface.mac_address,
type=0,
subtype=4) / Dot11ProbeReq() / tagged_param
def recv_association(STA, AP):
logger.info("wait until I capture an authentication packet from " + AP.bssid + " (" + AP.essid + ") ...");
packets = STA.recv_packet(filter=lambda x: ( (x.haslayer(Dot11AssoResp))) and (x[Dot11].addr2 == AP.bssid) and (STA.is_packet_for_me(x)));
if(len(packets) == 0):
logger.error("cannot capture an authentication packet from " + AP.bssid + " (" + AP.essid + ") ...");
raise Exception("cannot capture an authentication packet packet from " + AP.bssid + " (" + AP.essid + ") ...");
return packets[0];
def send_authentication(STA, AP):
logger.info("sending an authentication packet to " + AP.bssid + " (" +
AP.essid + ") ...")
packet = generate_authentication_packet(STA, AP)
STA.send_packet(packet)
logger.info("An authentication packet was sent to " + AP.bssid + " (" +
AP.essid + ") ...")
def __check_assoc(self,packet):
seen_receiver = packet[Dot11].addr1;
seen_sender = packet[Dot11].addr2;
seen_bssid = packet[Dot11].addr3;
if (seen_receiver == self.STA.ifc_mac and seen_sender == self.AP.bssid and seen_bssid == self.AP.bssid):
self.STA.assoc_found = True;
logger.info("association packet was received")
return self.STA.assoc_found
def recv_arp_response_packet(src, AP, IP_addr):
logger.info("wait until I capture an arp response packet from " + IP_addr)
packets = src.recv_packet(filter=lambda x: ((x.haslayer(ARP)) and (x[
ARP].op == OP_RESPONSE_CODE) and (x[ARP].psrc == IP_addr) and (
AP.is_packet_transmitted_by_me(x)) and (src.is_packet_for_me(x))))
if (len(packets) == 0):
logger.error("cannot capture an arp response from " + AP.bssid + " (" +
AP.essid + ") .")
return
return packets[0]
def arp_response_process(src, dst, AP):
logger.info("An ARP response process starts")
## receive an arp request packet from dst.
request_packet = recv_arp_request_packet(src, dst, AP)
if (not request_packet):
logger.error("cannot capture an ARP request packet")
return
response_packet = generate_arp_response_packet(src, AP, request_packet)
src.send_packet(response_packet)
logger.info("An ARP response process successfully finished")
def recv_arp_request_packet(src, dst, AP):
logger.info("wait until I capture an arp request packet from " +
dst.mac_address)
packets = src.recv_packet(filter=lambda x: ((x.haslayer(ARP)) and (x[
ARP].op == OP_REQUEST_CODE) and (x[ARP].hwsrc == dst.mac_address) and (
AP.is_packet_transmitted_by_me(x)) and (src.is_packet_for_me(x))))
if (len(packets) == 0):
logger.error("cannot capture an arp request from " + AP.bssid + " (" +
AP.essid + ") .")
return
return packets[0]
def arp_sender_process(STA, AP, Target):
logger.info("ARP request process starts")
## generate an ARP request packet.
arp_requested_packet = generate_arp_request_packet(STA, AP,
Target.IP_address)
## initialization for multi-thread process.
executor = futures.ThreadPoolExecutor(max_workers=2)
## recieve process (worker 1)
recv_thread = executor.submit(recv_arp_response_packet, STA, AP,
Target.IP_address)
## sender process (worker 2)
logger.info("send an ARP request packet.")
send_thread = executor.submit(STA.send_packet, arp_requested_packet)
send_thread.result()
response_packet = recv_thread.result()
if (response_packet):
logger.info("An ARP response packet was successfully received")
logger.info("ARP massage: " + Target.IP_address + " is at " +
response_packet[ARP].hwsrc)
return response_packet
else:
logger.error("An ARP response DHCP offer packet was not received")
def recv_icmp_response_packet(src, dst, AP):
logger.info("wait until I capture an arp request packet from " +
dst.mac_address)
packets = src.recv_packet(filter=lambda x: (
(x.haslayer(ICMP)) and (x[ICMP].type == ICMP_TYPE_RESPONSE) and
(x[Dot11].addr3 == dst.mac_address) and
(AP.is_packet_transmitted_by_me(x)) and (src.is_packet_for_me(x))))
if (len(packets) == 0):
logger.error("cannot capture an arp request from " + AP.bssid + " (" +
AP.essid + ") .")
return
return packets[0]
def recv_probe_response_packet(_src_interface, _dst_interface):
logger.info("wait until I capture a probe response packet from " +
_dst_interface.bssid + " (" + _dst_interface.essid + ") ...")
packets = _src_interface.recv_packet(
filter=lambda x: ((x.haslayer(Dot11ProbeResp)) and
(x[Dot11].addr2 == _dst_interface.bssid) and
(_src_interface.is_packet_for_me(x))))
if (len(packets) == 0):
logger.error("cannot capture a probe response packet from " +
_dst_interface.bssid + " (" + _dst_interface.essid +
") ...")
raise Exception("cannot capture a probe response packet from " +
_dst_interface.bssid + " (" + _dst_interface.essid +
") ...")
return packets[0]
def probe_resq_resp_process(_src_interface, _dst_interface, tagged_param):
logger.info("probe request/response process will start")
## initialization for multi-thread process.
executor = futures.ThreadPoolExecutor(max_workers=2)
## sender process (worker 2)
send_thread = executor.submit(send_probe_request_packet, _src_interface,
_dst_interface, tagged_param)
## recieve process (worker 1)
recv_thread = executor.submit(recv_probe_response_packet, _src_interface,
_dst_interface)
send_thread.result()
response_packet = recv_thread.result()
logger.info("Probe request/response process successfully finished")
return response_packet
def association_process(STA, AP,elementTag = None):
logger.info("association process will start");
## initialization for multi-thread process.
executor = futures.ThreadPoolExecutor(max_workers=2);
## recieve process (worker 1)
recv_thread = executor.submit(recv_association, STA, AP);
## sender process (worker 2)
send_thread = executor.submit(send_association, STA, AP,elementTag);
send_thread.result();
response_packet = recv_thread.result();
if (response_packet[Dot11AssoResp].status == SUCCESS_STATE):
logger.info("Association process successfully finished");
return response_packet;
else:
logger.error("Association process was fail");
def authentication_process(STA, AP):
logger.info("authentication process will start")
## initialization for multi-thread process.
executor = futures.ThreadPoolExecutor(max_workers=2)
## recieve process (worker 1)
recv_thread = executor.submit(recv_authentication, STA, AP)
## sender process (worker 2)
send_thread = executor.submit(send_authentication, STA, AP)
send_thread.result()
response_packet = recv_thread.result()
if (response_packet[Dot11Auth].status == SUCCESS_STATE):
logger.info("An authentication process successfully finished")
return response_packet
else:
logger.error("An authentication process was fail")
def connect_to_open():
ifc_name = "wlx9cc9eb21fa6e"
ifc_mac = "9c:c9:eb:21:fa:6e"
STA = STA_Interface(ifc_name, ifc_mac)
# AP = AP_Interface(bssid="18:ec:e7:5f:a2:04",essid = "Buffalo-A-A200-Open");
AP = AP_Interface(bssid="18:ec:e7:5f:a2:00", essid="Buffalo-G-A200-wpa2")
# send_deauth_packet(STA,AP,reason=3);
# send_disassoc_packet(STA,AP,reason=7);
# send_qos_null_function_packet(STA,AP);
"""
beacon_packet = scan_beacon_packet(STA,AP);
essid_tag = Dot11Elt(ID='SSID', info=AP.essid);
rates_tag = Dot11Elt(ID='Rates', info=STA.dot11_rates);
dsset_tag = Dot11Elt(ID='DSset', info='\x2c');
tagged_param = essid_tag / rates_tag / dsset_tag;
probe_resq_resp_process(STA,AP,tagged_param);
"""
authentication_process(STA, AP)
logger.info("------------------------------------")
association_process(STA, AP)
logger.info("------------------------------------")
dis, off, req, ack = DHCP_cliend_process(STA, AP)
# logger.info("------------------------------------");
server_ipaddr = [
option[1] for option in req[DHCP].options if option[0] == "server_id"
][0]
AP_Interface = Interface(ip_address=server_ipaddr)
# logger.info("------------------------------------")
responce_packet = arp_sender_process(STA, AP, AP_Interface)
AP_Interface.mac_address = responce_packet[ARP].hwsrc
logger.info("------------------------------------")
icmp_sender_process(STA=STA, AP=AP, Target_Interface=AP_Interface)
def icmp_sender_process(STA, AP, Target_Interface):
logger.info("ICMP sender process (to " + Target_Interface.IP_address + ")")
## generate a ICMP request packet.
icmp_packet = generate_icmp_request(STA, AP, Target_Interface)
## initialization for multi-thread process.
executor = futures.ThreadPoolExecutor(max_workers=2)
## recieve process (worker 1)
recv_thread = executor.submit(recv_icmp_response_packet, STA,
Target_Interface, AP)
## sender process (worker 2)
logger.info("send an ICMP request packet.")
send_thread = executor.submit(STA.send_packet, icmp_packet)
## synchronization
a = send_thread.result()
response_packet = recv_thread.result()
if (response_packet):
logger.info("ICMP sender process (to " + Target_Interface.IP_address +
") has finished successsfully")
return response_packet
else:
logger.error("ICMP sender process (to " + Target_Interface.IP_address +
") has failed.")
def generate_second_eap_packet(STA, AP, anonce, rsnInfo, retry_counter=0):
logger.debug("generate a 2/4 hand-shake packet")
Radiotap = STA.radiotap
Dot11_Header = Dot11(addr1=AP.mac_address,
addr2=STA.mac_address,
addr3=AP.mac_address,
FCfield=0x01,
subtype=8,
type=2) / Dot11QoS()
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=0x888e)
snonce = generate_nonce(32)
logger.info("generate pmk packet")
pmk = generate_pmk_by_sha1(AP.essid, AP.password)
logger.info("generate ptk packet")
ptk = generate_ptk(pmk, mac2str(AP.mac_address), mac2str(STA.mac_address),
anonce, snonce)
logger.info("generate unicast keys")
STA.keys = generate_unicast_keys(ptk)
kck = STA.keys[0]
eapol_header = generate_EAPOL_Header(snonce,
key_information_=0x010a,
replay_counter=retry_counter,
kck=kck,
KeyData=rsnInfo)
eapol_packet = Radiotap / Dot11_Header / llc_header / snap_header / eapol_header
return eapol_packet
def scan_beacon_packet(STA, AP):
logger.info("Beacon scan process will start")
logger.info("please wait until a beacon packet is scanned from " +
AP.bssid + " (" + AP.essid + ") ...")
packets = STA.recv_packet(filter=lambda x: ((x.haslayer(Dot11Beacon)) and (
x[Dot11].addr2 == AP.bssid) and (STA.is_packet_for_me(x))))
if (len(packets) == 0):
logger.error("cannot scan a beacon packet from " + AP.bssid + " (" +
AP.essid + ") ...")
raise Exception("cannot scan a beacon packet from " + AP.bssid + " (" +
AP.essid + ") ...")
logger.info("Beacon scan process has finished")
return packets[0]
def auto_receiver(STA, AP):
taskContainer = [];
try:
while True:
logger.info("waiting for a packet...")
recv_packet = STA.recv_packet(filter=lambda x: (STA.is_packet_for_me(x) and (not x.haslayer(Dot11Beacon))),timeout = WAIT_TIME);
if recv_packet:
task_thread = Task_Thread(STA,AP,recv_packet[0]);
taskContainer.append(task_thread);
task_thread.start();
except KeyboardInterrupt:
print("try Exec")
logger.info("Interruption has occurred.");
logger.info("Stop auto receiver process");
return;
except Exception as e:
from traceback import print_exc
print_exc()
logger.error("unexpected error has occurred.");
logger.error("Stop auto receiver process");
def DHCP_request_ack_process(STA, AP, offer_packet):
logger.info("DHCP request-ack process will start");
## initialization for multi-thread process.
executor = futures.ThreadPoolExecutor(max_workers=2);
## recieve process (worker 1)
recv_thread = executor.submit(recv_dhcp_packet, STA, AP, ACK_MASSAGE);
## sender process (worker 2)
logger.info("sending a DHCP request packet.");
send_thread = executor.submit(STA.send_packet, offer_packet);
send_thread.result();
response_packet = recv_thread.result();
extract_dhcp_massage_from_packet(response_packet);
if (extract_dhcp_massage_from_packet(response_packet) == ACK_MASSAGE):
logger.info("A DHCP Ack packet was successfully received");
return response_packet;
else:
logger.error("A DHCP Ack packet was not received");
def send_ack_packet(_src_interface, _dst_interface):
logger.info("802.11 acknowledgement packet will send");
packet = generate_ack_packet(_src_interface,_dst_interface)
_src_interface.send_packet(packet);
def generate_ack_packet(_sta_interface,_dst_interface):
logger.info("generate 802.11 acknowledgement packet");
return _sta_interface.radiotap / Dot11(addr1=_dst_interface.mac_address, subtype=13, type=1) / Dot11Ack();
def set_IPaddress_TO_STA(STA, dhcp_offer_packet):
logger.info("setting IP_information to STA...");
bootp_header = dhcp_offer_packet[BOOTP];
dhcp_header = dhcp_offer_packet[DHCP];
STA.IP_address = bootp_header.yiaddr;
STA.subnet_mask = [option[1] for option in dhcp_header.options if option[0] == "subnet_mask"][0];
STA.dns_server = [option[1] for option in dhcp_header.options if option[0] == "name_server"][0];
STA.router = [option[1] for option in dhcp_header.options if option[0] == "router"][0];
STA.lease_time = [option[1] for option in dhcp_header.options if option[0] == "lease_time"][0];
logger.info("");
logger.info("obtained IP information is as follow");
logger.info("------------- obtain IP information --------------");
logger.info("IP addr: " + STA.IP_address);
logger.info("subnet_mask: " + STA.subnet_mask);
logger.info("router: " + STA.router);
logger.info("DNS server:" + STA.dns_server);
logger.info("lease_time:" + str(STA.lease_time));
logger.info("----------------------------------------------------");
def send_probe_request_packet(_src_interface, _dst_interface, tagged_param):
packet = generate_probe_request_packet(_src_interface, _dst_interface,
tagged_param)
_src_interface.send_packet(packet)
logger.info("send a probe request (SSID = " + _dst_interface.essid +
") packet")
def recv_dhcp_packet(STA,AP, dhcp_massage,xid=0x12345678):
logger.info("wait until I capture a DHCP offer packet from DHCP server");
packets = STA.recv_packet(filter=lambda x: ((x.haslayer(DHCP))) and (extract_dhcp_massage_from_packet(x) == dhcp_massage) and (x[Dot11].addr2 == AP.bssid) and (STA.is_packet_for_me(x)));
return packets[0]
def send_Null_Func(self, _FCField=0x01):
logger.info("Null Function (nodata) packet will send")
sendp(packet, iface=self.STA.ifc_name, verbose=0)
logger.info("Null function (nodata) packet was sent")
def run(self):
befMassage ="[No. "+str(self.id)+"] ";
logger.info(befMassage+"I received a packet");
if (self.packet.haslayer(ARP) and self.packet[ARP].pdst== self.STA.IP_address and self.packet[ARP].op == OP_REQUEST_CODE):
logger.info(befMassage+"The received packet is an ARP response packet");
response_packet = generate_arp_response_packet(self.STA, self.AP, self.packet);
self.STA.send_packet(response_packet);
logger.info(befMassage + "sent an ARP response packet successfully");
elif (self.packet.haslayer(ICMP) and (self.packet[ICMP].type == icmp.ICMP_TYPE_REQUEST)):
logger.info(befMassage + "The received packet is an ICMP request packet");
response_packet = icmp.generate_icmp_response_packet(self.STA,self.AP,self.packet);
self.STA.send_packet(response_packet);
logger.info(befMassage + "sent an ICMP response packet successfully");
else:
logger.info(befMassage+"not implement this packet ["+self.packet.summary()+"]");
logger.info("[No. " + str(self.id) + "] "+ "finish process");
def __send_assoc(self,_packet):
logger.info("association packet will be sent");
sleep(0.4);
sendp(_packet,iface=self.STA.ifc_name,verbose=0);
logger.info("association packet was sent");
