def get_vendor_for_mac(mac):
    r"""
    Look up the vendor registered for the leading three bytes (OUI) of a MAC address.

    mac -- OUI as text in exactly the form "AA:BB:CC" (uppercase; text is used
        as the lookup key without any normalisation) or a MAC address in byte
        representation b"\xAA\xBB\xCC\xDD\xEE\xFF"
    return -- found vendor string or empty string

    Note: a MAC address is whatever the sender chose to put on the wire, so the
    vendor name is a hint about the device, not proof of what it is.
    """
    if not MAC_VENDOR:
        # Table is filled on demand. If the loader leaves it empty, it is
        # called again on every lookup.
        _load_mac_vendor()

    if type(mac) is bytes:
        # Byte representation: render as "AA:BB:CC:DD:EE:FF", keep "AA:BB:CC".
        mac = pypacker.mac_bytes_to_str(mac)[:8]

    # Unknown prefixes yield "" rather than an exception.
    return MAC_VENDOR.get(mac, "")
def get_vendor_for_mac(mac):
    r"""
    Look up the vendor registered for the leading three bytes (OUI) of a MAC address.

    mac -- at least the first three bytes of a MAC address, as text
        ("AA:BB:CC...", "AABBCC...", any letter case) or in byte
        representation b"\xaa\xbb\xcc\xdd\xee\xff"
    return -- found vendor string or empty string

    Note: a MAC address is whatever the sender chose to put on the wire, so the
    vendor name is a hint about the device, not proof of what it is.
    """
    entries = len(MAC_VENDOR)

    # A table holding exactly one entry is treated as "loading already failed"
    # (see the placeholder inserted below), so nothing is looked up.
    # NOTE(review): a vendor table that legitimately has one entry is
    # indistinguishable from that state.
    if entries == 1:
        return ""

    if entries == 0:
        _load_mac_vendor()
        if not MAC_VENDOR:
            # Loader produced nothing: store a placeholder so the next call
            # returns early instead of loading again.
            MAC_VENDOR["test"] = "test"

    if type(mac) is bytes:
        # b"\xaa\xbb\xcc\xdd\xee\xff" -> "AA:BB:CC:DD:EE:FF" -> "AA:BB:CC" -> "AABBCC"
        oui = pypacker.mac_bytes_to_str(mac)[:8].replace(":", "")
    else:
        # "aa:bb:cc..." or "aabbcc..." -> "AABBCC"
        oui = mac.replace(":", "")[:6].upper()

    return MAC_VENDOR.get(oui, "")
def dhcpProcess(pkt, layer, ts,
                DiscoverOptionsExactList, DiscoverOptionsPartialList,
                RequestOptionsExactList, RequestOptionsPartialList,
                ReleaseOptionsExactList, ReleaseOptionsPartialList,
                ACKOptionsExactList, ACKOptionsPartialList,
                AnyOptionsExactList, AnyOptionsPartialList,
                InformOptionsExactList, InformOptionsPartialList,
                DiscoverOption55ExactList, DiscoverOption55PartialList,
                RequestOption55ExactList, RequestOption55PartialList,
                ReleaseOption55ExactList, ReleaseOption55PartialList,
                ACKOption55ExactList, ACKOption55PartialList,
                AnyOption55ExactList, AnyOption55PartialList,
                InformOption55ExactList, InformOption55PartialList,
                DiscoverVendorCodeExactList, DiscoverVendorCodePartialList,
                RequestVendorCodeExactList, RequestVendorCodePartialList,
                ReleaseVendorCodeExactList, ReleaseVendorCodePartialList,
                ACKVendorCodeExactList, ACKVendorCodePartialList,
                AnyVendorCodeExactList, AnyVendorCodePartialList,
                InformVendorCodeExactList, InformVendorCodePartialList,
                DiscoverTTLExactList, DiscoverTTLPartialList,
                RequestTTLExactList, RequestTTLPartialList,
                ReleaseTTLExactList, ACKTTLExactList, AnyTTLExactList, InformTTLExactList,
                ACKTTLPartialList, AnyTTLPartialList, InformTTLPartialList,
                NAKOptionsPartialList, NAKOptionsExactList,
                NAKOption55PartialList, NAKOption55ExactList,
                NAKVendorCodePartialList, NAKVendorCodeExactList,
                NAKTTLPartialList, NAKTTLExactList,
                OfferOptionsPartialList, OfferOptionsExactList,
                OfferOption55PartialList, OfferOption55ExactList,
                OfferVendorCodePartialList, OfferVendorCodeExactList,
                OfferTTLPartialList, OfferTTLExactList,
                DeclineOptionsPartialList, DeclineOptionsExactList,
                DeclineOption55PartialList, DeclineOption55ExactList,
                DeclineVendorCodePartialList, DeclineVendorCodeExactList,
                DeclineTTLPartialList, DeclineTTLExactList):
    """
    Build OS-fingerprint records for one DHCP packet.

    pkt -- parsed packet; must contain a dhcp.DHCP layer (and an
        ethernet.Ethernet layer when layer == 'eth')
    layer -- name of the lowest layer; only 'eth' yields a real source MAC
    ts -- capture time as a POSIX timestamp
    <Type><Kind>ExactList / <Type><Kind>PartialList -- fingerprint lists handed
        to DHCPFingerprintLookup for the matching message type and kind
        (Options, Option55, VendorCode). The Any* and *TTL* lists are accepted
        but not consulted in this function. The NAK/Offer/Decline groups are
        declared Partial-before-Exact, unlike the earlier groups, so positional
        callers depend on this exact order.
    return -- [timeStamp, optionsRecord, option55Record, vendorCodeRecord];
        each record is "addr;mac;DHCP;<type>;<kind>;<value>;<guess>" or None
        when the value was empty or the message type is not handled

    Review notes:
    - For Discover/Request/Decline/Release/Inform the record is keyed on ciaddr
      and chaddr read from the DHCP payload. Those fields are filled in by the
      sender and are not compared with the frame's source address here.
    - Record fields are joined with ';' without escaping. Whether options,
      option55 or vendorCode can contain ';' or line breaks depends on
      getDHCPOptions, which is not visible here -- confirm it encodes them,
      otherwise a crafted packet could shift the fields of a record.
    """
    if layer == 'eth':
        src_mac = pkt[ethernet.Ethernet].src_s
    else:
        # Placeholder MAC for link types that carry none; further link types
        # may need their own branch above.
        src_mac = '00:00:00:00:00:00'

    ip4 = pkt.upper_layer
    udp1 = pkt.upper_layer.upper_layer  # not used below

    # Naive UTC timestamp in ISO format (utcfromtimestamp is deprecated since
    # Python 3.12).
    timeStamp = datetime.utcfromtimestamp(ts).isoformat()

    dhcp1 = pkt[dhcp.DHCP]
    MessageType = getDHCPMessageType(dhcp1.op)  # not used below
    clientAddr = dhcp1.ciaddr_s
    yourAddr = dhcp1.yiaddr_s  # not used below
    nextServerAddr = dhcp1.siaddr_s  # not used below
    relayServerAddr = dhcp1.giaddr_s  # not used below
    # chaddr is returned together with its padding; only the first 6 bytes are the MAC.
    clientMAC = pypacker.mac_bytes_to_str(dhcp1.chaddr[0:6])
    [options, messageType, option55, vendorCode] = getDHCPOptions(dhcp1.opts)

    # One row per handled message type, in the order they are tested:
    # (type, keyed on IP/Ethernet source instead of ciaddr/chaddr?,
    #  (exact, partial) lists for Options, Option55, VendorCode)
    dispatch = (
        ('Discover', False,
         (DiscoverOptionsExactList, DiscoverOptionsPartialList),
         (DiscoverOption55ExactList, DiscoverOption55PartialList),
         (DiscoverVendorCodeExactList, DiscoverVendorCodePartialList)),
        ('Offer', True,
         (OfferOptionsExactList, OfferOptionsPartialList),
         (OfferOption55ExactList, OfferOption55PartialList),
         (OfferVendorCodeExactList, OfferVendorCodePartialList)),
        ('Request', False,
         (RequestOptionsExactList, RequestOptionsPartialList),
         (RequestOption55ExactList, RequestOption55PartialList),
         (RequestVendorCodeExactList, RequestVendorCodePartialList)),
        ('Decline', False,
         (DeclineOptionsExactList, DeclineOptionsPartialList),
         (DeclineOption55ExactList, DeclineOption55PartialList),
         (DeclineVendorCodeExactList, DeclineVendorCodePartialList)),
        ('ACK', True,
         (ACKOptionsExactList, ACKOptionsPartialList),
         (ACKOption55ExactList, ACKOption55PartialList),
         (ACKVendorCodeExactList, ACKVendorCodePartialList)),
        ('NAK', True,
         (NAKOptionsExactList, NAKOptionsPartialList),
         (NAKOption55ExactList, NAKOption55PartialList),
         (NAKVendorCodeExactList, NAKVendorCodePartialList)),
        ('Release', False,
         (ReleaseOptionsExactList, ReleaseOptionsPartialList),
         (ReleaseOption55ExactList, ReleaseOption55PartialList),
         (ReleaseVendorCodeExactList, ReleaseVendorCodePartialList)),
        ('Inform', False,
         (InformOptionsExactList, InformOptionsPartialList),
         (InformOption55ExactList, InformOption55PartialList),
         (InformVendorCodeExactList, InformVendorCodePartialList)),
    )

    # Slots: Options, Option55, VendorCode. A slot stays None when its value is
    # empty or the message type matches no row.
    records = [None, None, None]

    for msg_name, from_server, opt_lists, o55_lists, vc_lists in dispatch:
        if messageType == msg_name:
            kinds = (
                ('Options', options, opt_lists),
                ('Option55', option55, o55_lists),
                ('VendorCode', vendorCode, vc_lists),
            )
            for slot, (label, value, (exact, partial)) in enumerate(kinds):
                if value != '':
                    guess = DHCPFingerprintLookup(exact, partial, value)
                    # The identity is resolved after the lookup and only when a
                    # record is built, so ip4.src_s is never touched for
                    # packets that produce no record.
                    if from_server:
                        ident = ip4.src_s + ';' + src_mac
                    else:
                        ident = clientAddr + ';' + clientMAC
                    records[slot] = (ident + ';DHCP;' + messageType + ';' + label
                                     + ';' + value + ';' + guess)
            break

    # A fallback lookup against the Any* lists existed only as disabled code:
    # it printed its results and was switched off because that output was just
    # noise. It is to be revisited once results are no longer printed.
    return [timeStamp] + records
print(prism.Prism(raw_bytes)) # grab some beacons on the current channel bc_cnt = 0 for i in range(10): raw_bytes = wlan_reader.recv() # drvinfo = radiotap.Radiotap(raw_bytes) drvinfo = prism.Prism(raw_bytes) try: beacon = drvinfo[ieee80211.IEEE80211.Beacon] if beacon is None: continue mac_ap = drvinfo[ieee80211.IEEE80211.MGMTFrame].bssid mac_ap = pypacker.mac_bytes_to_str(mac_ap) # print("beacon: %s" % beacon) # assume ascending order, 1st IE is Beacon ie_ssid = beacon.ies[0].body_bytes # Note: only for prism-header print("bssid: %s, ssid: %s (Signal: -%d dB, Quality: %d)" % (mac_ap, ie_ssid, 0xffffffff ^ drvinfo.dids[3].value, drvinfo.dids[4].value) ) bc_cnt += 1 except Exception as e: print(e) if bc_cnt == 0:
print(prism.Prism(raw_bytes)) # grab some beacons on the current channel bc_cnt = 0 for i in range(10): raw_bytes = wlan_reader.recv() # drvinfo = radiotap.Radiotap(raw_bytes) drvinfo = prism.Prism(raw_bytes) try: beacon = drvinfo[ieee80211.IEEE80211.Beacon] if beacon is None: continue mac_ap = drvinfo[ieee80211.IEEE80211.MGMTFrame].bssid mac_ap = pypacker.mac_bytes_to_str(mac_ap) # print("beacon: %s" % beacon) # assume ascending order, 1st IE is Beacon ie_ssid = beacon.ies[0].body_bytes # Note: only for prism-header print("bssid: %s, ssid: %s (Signal: -%d dB, Quality: %d)" % (mac_ap, ie_ssid, 0xffffffff ^ drvinfo.dids[3].value, drvinfo.dids[4].value)) bc_cnt += 1 except Exception as e: print(e) if bc_cnt == 0: print("got no beacons, try to change channel or get closer to the AP") wlan_reader.close() except socket.error as e: