def get_packet(self, pkt): """ We start broadcasting the beacons on the first received packet :param self: A Lure10 object :param packet: A scapy.layers.RadioTap object :type self: Lure10 :type packet: scapy.layers.RadioTap :return: A tuple containing ["*"] followed by a list of the crafted beacon frames :rtype: tuple(list, list) .. warning: pkt is not used here but should not be removed since this prototype is requirement """ beacons = list() bssid = str() # initiliate the _packets_to_send in first run if self.first_run: self._packets_to_send["*"] = beacons # only run this code once if self.first_run and self.data.args.lure10_exploit: # locate the lure10 file area_file = constants.LOCS_DIR + self.data.args.lure10_exploit with open(area_file) as _file: for line in _file: # remove any white space and store the bssid(fist word) line.strip() bssid = line.split(" ", 1)[0] # craft the required packet parts frame_part_0 = dot11.RadioTap() frame_part_1 = dot11.Dot11(subtype=8, addr1=constants.WIFI_BROADCAST, addr2=bssid, addr3=bssid) frame_part_2 = dot11.Dot11Beacon(cap=0x2105) frame_part_3 = dot11.Dot11Elt(ID="SSID", info="") frame_part_4 = dot11.Dot11Elt(ID="Rates", info=constants.AP_RATES) frame_part_5 = dot11.Dot11Elt(ID="DSset", info=chr(7)) # create a complete packet by combining the parts complete_frame = (frame_part_0 / frame_part_1 / frame_part_2 / frame_part_3 / frame_part_4 / frame_part_5) logger.debug("Add lure10-beacon frame with BSSID %s", bssid) # add the frame to the list beacons.append(complete_frame) # make sure this block is never executed again and the notification occurs self.first_run = False self._packets_to_send["*"] = beacons return self._packets_to_send
def test_is_packet_valid_packet_valid(): """ Test is_packet_valid function with an packet that is not Dot11Beacon """ address = "FF:FF:FF:FF:FF:FF" packet = (dot11.Dot11(type=0, subtype=10, addr3=address) / dot11.Dot11Beacon() / dot11.Dot11Elt(ID=0, info="MY AP") / dot11.Dot11Elt() / dot11.Dot11Elt(ID=3, info=chr(2))) assert recon.is_packet_valid(packet) == True
def test_is_packet_valid_packet_malformed(): """ Test is_packet_valid function with an packet that is not Dot11Beacon """ address = "FF:FF:FF:FF:FF:FF" packet = (dot11.RadioTap() / dot11.Dot11(type=0, subtype=10, addr1=address) / dot11.Dot11Beacon()) assert recon.is_packet_valid(packet) == False
def test_is_target_essid_non_decodable_error(self): """ Assign essid to a constant when it is utf-8 non-decodable """ essid = dot11.Dot11Elt(ID='SSID', info='\x99\x87\x33') packet = dot11.RadioTap() / dot11.Dot11() / dot11.Dot11Beacon() / essid packet.addr3 = "99:99:99:99:99:99" result = self.deauth_obj0._is_target(packet) expected = False message = 'Fail to raise the UnicodeDecodeError for non-printable essid' self.assertEqual(result, expected, message)
def test_is_target_target_ap_bssid_true(self): """ Get the target attacking bssid for the speficic ESSID when --essid is not used """ essid = dot11.Dot11Elt(ID='SSID', info="Evil") packet = dot11.RadioTap() / dot11.Dot11() / dot11.Dot11Beacon() / essid packet.addr3 = "99:99:99:99:99:99" self.deauth_obj0._data.args.deauth_essid = "Evil" result = self.deauth_obj0._is_target(packet) expected = True message = "Fail to check the attacking essid: " + self.target_essid self.assertEqual(result, expected, message)
def test_get_new_ap_packet_no_encryption(sniff): """ Test get_new_ap function with a packet where AP is not encrypted """ name = "MY_AP" channel = 2 address = "FF:FF:FF:FF:FF:FF" packet = (dot11.Dot11(type=0, subtype=10, addr3=address) / dot11.Dot11Beacon(cap=0x0000) / dot11.Dot11Elt(ID=0, info=name) / dot11.Dot11Elt() / dot11.Dot11Elt(ID=3, info=chr(channel))) sniff.return_value = [packet] assert recon.get_new_ap("wlan0") == (name, channel, address, False)
def test_get_new_ap_valid_packet(sniff): """ Test get_new_ap function with a valid(standard) packet """ name = "MY_AP" channel = 2 address = "FF:FF:FF:FF:FF:FF" packet = (dot11.Dot11(type=0, subtype=10, addr3=address) / dot11.Dot11Beacon(cap=0x1111) / dot11.Dot11Elt(ID=0, info=name) / dot11.Dot11Elt() / dot11.Dot11Elt(ID=3, info=chr(channel))) sniff.return_value = [packet] assert recon.get_new_ap("wlan0") == (name, channel, address, True)
def __init__(self, iface, essid, bssid, channel, beacon_interval_sec, packet_callback): self.active = False self.iface = iface self.essid = essid self.bssid = bssid self.channel = channel self.beacon_interval_sec = beacon_interval_sec self.packet_callback = packet_callback self.start_time_secs = time.time() self.sc = 0 self.sender = PacketSender(self.iface) self.beacon_packet = dot11.Dot11(addr1='ff:ff:ff:ff:ff:ff', \ addr2=self.bssid, \ addr3=self.bssid) \ / dot11.Dot11Beacon(cap='ESS+privacy') \ / dot11.Dot11Elt(ID='SSID', \ info=self.essid) \ / dot11.Dot11Elt(ID='DSset', \ info=chr(self.channel)) \ / dot11.Dot11Elt(ID='Rates', \ info='\x82\x84\x0b\x16') \ / dot11.Dot11Elt(ID='RSNinfo', info='\x01\x00\x00\x0f\xac' \ '\x04\x01\x00\x00\x0f' \ '\xac\x04\x01\x00\x00' \ '\x0f\xac\x02\x00\x00') self.watchers = { "interval": None, "timeout": None } self.loop = pyev.Loop() # initialize and start a signal watchers sigterm_watcher = pyev.Signal(signal.SIGTERM, self.loop, self.sigterm_cb) sigterm_watcher.start() sigint_watcher = pyev.Signal(signal.SIGINT, self.loop, self.sigint_cb) sigint_watcher.start() self.loop.data = [sigterm_watcher, sigint_watcher] self.sniff_thread = Thread(target=self.sniff, kwargs=dict(), name='sniff-thread') self.sniff_thread.setDaemon(True)
def get_packet(self, pkt): """ We start broadcasting the beacons on the first received packet. :param self: A Lure10 object. :param packet: A scapy.layers.RadioTap object. :type self: Lure10 :type packet: scapy.layers.RadioTap :return: list with the crafted beacon frames :rtype: list """ beacons = [] if self.first: if self.data.args.lure10_exploit: area_file = constants.LOCS_DIR + self.data.args.lure10_exploit with open(area_file) as a_file: wlans = [x.strip() for x in a_file.readlines()] for wlan in wlans: bssid, essid = wlan.split(' ', 1) # Frequency for channel 7 frequency = struct.pack("<h", 2407 + 7 * 5) ap_rates = "\x0c\x12\x18\x24\x30\x48\x60\x6c" frame = dot11.RadioTap( len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', notdecoded='\x00\x6c' + frequency + '\xc0\x00\xc0\x01\x00\x00') / dot11.Dot11( subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=bssid, addr3=bssid) / dot11.Dot11Beacon( cap=0x2105) / dot11.Dot11Elt( ID='SSID', info="") / dot11.Dot11Elt( ID='Rates', info=ap_rates) / dot11.Dot11Elt( ID='DSset', info=chr(7)) beacons.append(frame) self.beacons_num = len(beacons) self.first = False return (["*"], beacons)
def _get_known_beacons(self): """ Retrieve the popular ESSIDs from the text file and then construct all the known beacon frames. :param self: A Beacons object :type self: Beacons :return: A list with all the beacon frames :rtype: list """ beacons = list() essid = str() bssid = self.data.rogue_ap_mac # locate the known WLANS file area_file = constants.KNOWN_WLANS_FILE with open(area_file) as _file: for line in _file: if line.startswith("!"): continue essid = line.rstrip() # craft the required packet parts frame_part_0 = dot11.RadioTap() frame_part_1 = dot11.Dot11( subtype=8, addr1=constants.WIFI_BROADCAST, addr2=bssid, addr3=bssid) frame_part_2 = dot11.Dot11Beacon(cap=constants.KB_BEACON_CAP) frame_part_3 = dot11.Dot11Elt(ID="SSID", info=essid) frame_part_4 = dot11.Dot11Elt( ID="Rates", info=constants.AP_RATES) frame_part_5 = dot11.Dot11Elt(ID="DSset", info=chr(7)) # create a complete packet by combining the parts complete_frame = ( frame_part_0 / frame_part_1 / frame_part_2 / frame_part_3 / frame_part_4 / frame_part_5) # add the frame to the list beacons.append(complete_frame) return beacons
def add_lure10_beacons(self, area_file): with open(area_file) as f: wlans = [x.strip() for x in f.readlines()] for w in wlans: bssid, essid = w.split(' ', 1) # Frequency for channel 7 frequency = struct.pack("<h", 2407 + 7*5) ap_rates = "\x0c\x12\x18\x24\x30\x48\x60\x6c" frame = dot11.RadioTap(len=18, present='Flags+Rate+Channel+dBm_AntSignal+Antenna', \ notdecoded='\x00\x6c' + frequency + \ '\xc0\x00\xc0\x01\x00\x00') \ / dot11.Dot11(subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=bssid, addr3=bssid) \ / dot11.Dot11Beacon(cap=0x2105) \ / dot11.Dot11Elt(ID='SSID', info="") \ / dot11.Dot11Elt(ID='Rates', info=ap_rates) \ / dot11.Dot11Elt(ID='DSset', info=chr(7)) self._deauthentication_packets.append(frame)
def test_get_packet_broadcast(self): """ Test get_packet method for crafting the broadcast frame """ # setup the packet sender = "00:00:00:00:00:00" receiver = "11:11:11:11:11:11" essid = dot11.Dot11Elt(ID='SSID', info="") rates = dot11.Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60") dsset = dot11.Dot11Elt(ID='DSset', info='\x06') packet = dot11.RadioTap() / dot11.Dot11() / dot11.Dot11Beacon( ) / essid / rates / dsset packet.addr1 = receiver packet.addr2 = sender packet.addr3 = self.target_bssid packet.FCfield = 0x0 # run the method pkts_to_send = self.deauth_obj0.get_packet(packet) message0 = "Failed to return an correct channel" message1 = "Failed to return an correct packets" # check channel: target channel should be one key of # the result self.assertEqual(self.target_channel in pkts_to_send, True, message0) # check the packets # check the disassoction packet result = pkts_to_send[self.target_channel] self.assertEqual(result[0].subtype, 10, message1) self.assertEqual(result[0].addr1, constants.WIFI_BROADCAST, message1) self.assertEqual(result[0].addr2, self.target_bssid, message1) self.assertEqual(result[0].addr3, self.target_bssid, message1) # check the deauthentication packet self.assertEqual(result[1].subtype, 12, message1) self.assertEqual(result[1].addr1, constants.WIFI_BROADCAST, message1) self.assertEqual(result[1].addr2, self.target_bssid, message1) self.assertEqual(result[1].addr3, self.target_bssid, message1)
def __init__(self, ap): threading.Thread.__init__(self) self.ap = ap self.device = NetworkTransmitter(self.ap.iface) self.interval = 0.1 self.beacon_pckt = dot11.Dot11(addr1='ff:ff:ff:ff:ff:ff', \ addr2=self.ap.bssid,\ addr3=self.ap.bssid) \ / dot11.Dot11Beacon(cap='ESS+privacy') \ / dot11.Dot11Elt(ID='SSID', \ info=self.ap.essid) \ / dot11.Dot11Elt(ID='DSset', \ info=chr(self.ap.channel)) \ / dot11.Dot11Elt(ID='Rates', \ info='\x82\x84\x0b\x16') \ / dot11.Dot11Elt(ID='RSNinfo', info='\x01\x00\x00\x0f\xac' \ '\x04\x01\x00\x00\x0f' \ '\xac\x04\x01\x00\x00' \ '\x0f\xac\x02\x00\x00') self.setDaemon(True)
def run_offline_analysis(capture_file, start_time, end_time, sample_seconds, channel): weird_frame_count = 0 bssid_to_ssid_map = {} bssid_infra_macs = defaultdict(set) bssid_associated_macs = defaultdict(set) bssid_beacon_timing_payloads = defaultdict(list) bssid_beacon_data = {} bssid_to_jitter_map = {} bssid_to_power_map = defaultdict(list) noise_measurements = [] action_counter = 0 probe_req_counter = 0 station_counters = defaultdict(DataCounters.zero) pcap_offline_dev = pcapy.open_offline(capture_file) header, payload = pcap_offline_dev.next() while header: try: # Use Scapy for the RadioTap decoding as dpkt's Radiotap decoder is totally broken. radiotap_frame = dot11.RadioTap(payload) if radiotap_frame.dBm_AntNoise is not None: noise_measurements.append(radiotap_frame.dBm_AntNoise) frame = dpkt.radiotap.Radiotap(payload).data frame_type = frame.type frame_subtype = frame.subtype if frame_type == dpkt.ieee80211.MGMT_TYPE: mac = binary_to_mac(frame.mgmt.src) current_counter = station_counters[mac] current_counter.management_frame_count += 1 if frame_subtype == dpkt.ieee80211.M_BEACON: beacon = dot11.Dot11Beacon(frame.beacon.pack()) bssid = binary_to_mac(frame.mgmt.bssid) try: beacon_data = bssid_beacon_data[ bssid] = patched_network_stats(beacon) target_channel = beacon_data.get("channel") except: procedure_logger.exception( "Failed to decode network stats...") target_channel = None if hasattr(frame, 'ssid'): bssid_to_ssid_map[bssid] = frame.ssid.data bssid_infra_macs[bssid].add(mac) if target_channel is None or target_channel == channel: bssid_beacon_timing_payloads[bssid].append( (beacon.timestamp, beacon.beacon_interval)) if radiotap_frame.dBm_AntSignal is not None: bssid_to_power_map[bssid].append( radiotap_frame.dBm_AntSignal) else: procedure_logger.warning( "Off channel beacon ({0} vs {1}) seen for BSSID {2}" "".format(target_channel, channel, bssid)) if frame_subtype == dpkt.ieee80211.M_PROBE_RESP: if hasattr(frame, 'ssid'): bssid = binary_to_mac(frame.mgmt.bssid) bssid_to_ssid_map[bssid] = frame.ssid.data bssid_infra_macs[bssid].add(mac) if frame_subtype in (dpkt.ieee80211.M_ASSOC_REQ, dpkt.ieee80211.M_ASSOC_RESP): current_counter.association_frame_count += 1 if frame_subtype in (dpkt.ieee80211.M_REASSOC_REQ, dpkt.ieee80211.M_REASSOC_RESP): current_counter.reassociation_frame_count += 1 if frame_subtype == dpkt.ieee80211.M_DISASSOC: current_counter.disassociation_frame_count += 1 if frame_subtype == dpkt.ieee80211.M_ACTION: action_counter += 1 if frame_subtype == dpkt.ieee80211.M_PROBE_REQ: probe_req_counter += 1 if frame.retry: current_counter.retry_frame_count += 1 if radiotap_frame.dBm_AntSignal is not None: current_counter.power_measurements.append( radiotap_frame.dBm_AntSignal) if radiotap_frame.Rate is not None: current_counter.rate_measurements.append( radiotap_frame.Rate) if radiotap_frame.Flags.badFCS is not None: current_counter.failed_fcs_count += ( 1 if radiotap_frame.Flags.badFCS else 0) elif frame_type == dpkt.ieee80211.CTL_TYPE: include_in_extra_measurements = True if frame_subtype == dpkt.ieee80211.C_RTS: mac = binary_to_mac(frame.rts.src) current_counter = station_counters[mac] current_counter.cts_frame_count += 1 elif frame_subtype == dpkt.ieee80211.C_CTS: mac = binary_to_mac(frame.cts.dst) include_in_extra_measurements = False current_counter = station_counters[mac] current_counter.rts_frame_count += 1 elif frame_subtype == dpkt.ieee80211.C_ACK: mac = binary_to_mac(frame.ack.dst) include_in_extra_measurements = False current_counter = station_counters[mac] current_counter.ack_frame_count += 1 elif frame_subtype == dpkt.ieee80211.C_BLOCK_ACK: mac = binary_to_mac(frame.back.src) current_counter = station_counters[mac] elif frame_subtype == dpkt.ieee80211.C_BLOCK_ACK_REQ: mac = binary_to_mac(frame.bar.src) current_counter = station_counters[mac] elif frame_subtype == dpkt.ieee80211.C_CF_END: mac = binary_to_mac(frame.cf_end.src) current_counter = station_counters[mac] else: continue if frame.retry: current_counter.retry_frame_count += 1 if include_in_extra_measurements: current_counter.control_frame_count += 1 if radiotap_frame.dBm_AntSignal is not None: current_counter.power_measurements.append( radiotap_frame.dBm_AntSignal) if radiotap_frame.Rate is not None: current_counter.rate_measurements.append( radiotap_frame.Rate) if radiotap_frame.Flags.badFCS is not None: current_counter.failed_fcs_count += ( 1 if radiotap_frame.Flags.badFCS else 0) elif frame_type == dpkt.ieee80211.DATA_TYPE: src_mac = binary_to_mac(frame.data_frame.src) dst_mac = binary_to_mac(frame.data_frame.dst) if hasattr(frame.data_frame, 'bssid'): bssid = binary_to_mac(frame.data_frame.bssid) else: bssid = None current_counter = station_counters[src_mac] dst_current_counter = station_counters[dst_mac] if frame.to_ds and bssid: bssid_infra_macs[bssid].add(dst_mac) bssid_associated_macs[bssid].add(src_mac) elif frame.from_ds and bssid: bssid_infra_macs[bssid].add(src_mac) bssid_associated_macs[bssid].add(dst_mac) current_counter.data_throughput_out += len( frame.data_frame.data) dst_current_counter.data_throughput_in += len( frame.data_frame.data) current_counter.data_frame_count += 1 if frame.retry: current_counter.retry_frame_count += 1 if radiotap_frame.dBm_AntSignal is not None: current_counter.power_measurements.append( radiotap_frame.dBm_AntSignal) if radiotap_frame.Rate is not None: current_counter.rate_measurements.append( radiotap_frame.Rate) if radiotap_frame.Flags.badFCS is not None: current_counter.failed_fcs_count += ( 1 if radiotap_frame.Flags.badFCS else 0) else: pass except dpkt.dpkt.UnpackError: logging.warning( "dpkt lacks support for some IE80211 features. This could be causing spurious decode problems.", exc_info=True) weird_frame_count += 1 header, payload = pcap_offline_dev.next() pcap_offline_dev.close() measurement = Measurement.new( start_time, end_time, sample_seconds, channel, noise_measurements, data_counters=sum_data_counters(station_counters.values()), extra_data={'weird_frame_count': weird_frame_count}) stations = [Station.new(mac_addr) for mac_addr in station_counters.keys()] service_sets = [ ServiceSet.new(bssid, network_name=bssid_to_ssid_map.get(bssid), extra_data=bssid_beacon_data.get(bssid, {})) for bssid in set(bssid_infra_macs.keys()).union( set(bssid_associated_macs.keys())) ] for service_set in service_sets: jitter, bad_intervals, intervals = calculate_beacon_jitter( bssid_beacon_timing_payloads.get(service_set.bssid), service_set.bssid) if jitter is not None: bssid_to_jitter_map[service_set.bssid] = (jitter, bad_intervals, intervals) procedure_logger.info("-----------------") procedure_logger.info("Analysis performed on channel: {0}".format(channel)) procedure_logger.info("Noise Level: {0} +/- {1} dBm".format( measurement.average_noise, measurement.std_dev_noise)) procedure_logger.info("Top level result:\n{0}".format( repr(measurement.data_counters))) procedure_logger.info("Action Frames: {0}".format(action_counter)) procedure_logger.info( "Probe Request Frames: {0}".format(probe_req_counter)) if service_sets: procedure_logger.info("Service Sets seen:") for service_set in service_sets: jitter, bad_intervals, intervals = bssid_to_jitter_map.get( service_set.bssid, (None, None, None)) procedure_logger.info("-- {0} ({1})".format( service_set.bssid, service_set.network_name)) if bad_intervals: procedure_logger.info("---- Changing intervals detected!!!") procedure_logger.info( "---- Intervals Seen: {0}".format(intervals)) if jitter: procedure_logger.info( "---- Avg +/- StdDev Beacon Jitter: {0} +/- {1} (ms)". format( altered_mean(jitter) / 1000.0, altered_stddev(jitter) / 1000.0)) procedure_logger.info( "---- Min/Max Beacon Jitter: {0}/{1} (ms)".format( min(jitter) / 1000.0, max(jitter) / 1000.0)) procedure_logger.info("---- Jitter Count: {0}".format( len(jitter))) procedure_logger.info("{0} unique stations seen.".format(len(stations))) procedure_logger.info("-----------------") return { 'measurement': measurement, 'stations': stations, 'service_sets': service_sets, 'station_counters': station_counters, 'bssid_associated_macs': bssid_associated_macs, 'bssid_infra_macs': bssid_infra_macs, 'bssid_to_ssid_map': bssid_to_ssid_map, 'bssid_to_jitter_map': bssid_to_jitter_map, 'bssid_to_power_map': bssid_to_power_map }