def generate_icmp_request(STA, AP, target):
logger.debug("generate an icmp request packet to " + target.IP_address +
" (" + target.mac_address + ")")
## layer 1
Radiotap = STA.radiotap
## layer 2 (802.11)
Dot11_Header = Dot11(addr1=AP.bssid,
addr2=STA.mac_address,
addr3=target.mac_address,
FCfield=0x01,
subtype=8,
type=2) / Dot11QoS()
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=0x0800)
## layer 3 (IP);
IP_header = IP(src=STA.IP_address, dst=target.IP_address)
## layer 4 (ICMP)
icmp_header = ICMP()
return Radiotap / Dot11_Header / llc_header / snap_header / IP_header / icmp_header
def generate_second_eap_packet(STA, AP, anonce, rsnInfo, retry_counter=0):
logger.debug("generate a 2/4 hand-shake packet")
Radiotap = STA.radiotap
Dot11_Header = Dot11(addr1=AP.mac_address,
addr2=STA.mac_address,
addr3=AP.mac_address,
FCfield=0x01,
subtype=8,
type=2) / Dot11QoS()
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=0x888e)
snonce = generate_nonce(32)
logger.info("generate pmk packet")
pmk = generate_pmk_by_sha1(AP.essid, AP.password)
logger.info("generate ptk packet")
ptk = generate_ptk(pmk, mac2str(AP.mac_address), mac2str(STA.mac_address),
anonce, snonce)
logger.info("generate unicast keys")
STA.keys = generate_unicast_keys(ptk)
kck = STA.keys[0]
eapol_header = generate_EAPOL_Header(snonce,
key_information_=0x010a,
replay_counter=retry_counter,
kck=kck,
KeyData=rsnInfo)
eapol_packet = Radiotap / Dot11_Header / llc_header / snap_header / eapol_header
return eapol_packet
def generate_icmp_response_packet(src, AP, icmp_request_packet):
logger.debug("generate an ICMP response packet")
## layer 1
Radiotap = src.radiotap
## layer 2 (802.11)
Dot11_Header = Dot11(addr1=AP.bssid,
addr2=src.mac_address,
addr3=icmp_request_packet[Dot11].addr3,
FCfield=0x01,
subtype=8,
type=2) / Dot11QoS()
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=0x0800)
## layer 3 (IP);
IP_header = IP(src=src.IP_address, dst=icmp_request_packet[IP].src)
## layer 4 (ICMP)
icmp_header = icmp_request_packet[ICMP].copy()
icmp_header.type = ICMP_TYPE_RESPONSE
del icmp_header.chksum ## for recaluclation a checksum value of ICMP header
return Radiotap / Dot11_Header / llc_header / snap_header / IP_header / icmp_header
def generate_arp_request_packet(STA, AP, requested_ip_addr):
logger.debug("generate an ARP request packet")
## layer 1
Radiotap = STA.radiotap
## layer 2 (802.11)
Dot11_Header = Dot11(addr1=AP.bssid,
addr2=STA.mac_address,
addr3="ff:ff:ff:ff:ff:ff",
FCfield=0x01,
subtype=8,
type=2) / Dot11QoS()
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=0x0806)
## layer 2 (arp)
arp_header = ARP(hwlen=6,
plen=4,
op=OP_REQUEST_CODE,
hwsrc=STA.mac_address,
psrc=STA.IP_address,
pdst=requested_ip_addr)
return Radiotap / Dot11_Header / llc_header / snap_header / arp_header
def __generate_radiotap_header(self):
logger.debug("generate a radiotap header beforehand.")
self.radiotap = RadioTap(present='Rate+Channel+Antenna+dBm_AntSignal')
self.radiotap.ChannelFrequency = 5220
self.radiotap.ChannelFlags = 320
self.radiotap.Rate = 0
self.radiotap.dBm_AntSignal = -30
self.radiotap.Antenna = 0
def generate_disassoc_packet(_sta_interface, _dst_interface, reason=3):
logger.debug("generate a disassociation (reason = " + str(reason) +
") packet")
return _sta_interface.radiotap / Dot11(addr1=_dst_interface.mac_address,
addr2=_sta_interface.mac_address,
addr3=_dst_interface.mac_address,
subtype=10,
type=0) / Dot11Disas(reason=reason)
def generate_deauth_packet(_sta_interface, _dst_interface, reason=7):
logger.debug("generate a deauthentication (reason = " + str(reason) +
") packet")
return _sta_interface.radiotap / Dot11(addr1=_dst_interface.mac_address,
addr2=_sta_interface.mac_address,
addr3=_dst_interface.mac_address,
subtype=12,
type=0) / Dot11Deauth(reason=reason)
def generate_qos_null_function_packet(_sta_interface, _dst_interface,
_FCField):
logger.debug("generate a QoS null function packet")
return _sta_interface.radiotap / Dot11(addr1=_dst_interface.mac_address,
addr2=_sta_interface.mac_address,
addr3=_dst_interface.mac_address,
type=2,
subtype=4,
FCfield=_FCField)
def __init__(self,
bssid,
essid,
ip_address="0.0.0.0",
password="******"):
logger.debug("generate an AP interface.")
super().__init__(mac_address=bssid, ip_address=ip_address)
self.bssid = bssid
self.essid = essid
self.password = password
def generate_association_packet(STA, AP,elementTag = None):
logger.debug("generate a association request packet ")
radiotap = STA.radiotap;
dot11 = Dot11(addr1=AP.bssid, addr2=STA.mac_address, addr3=AP.bssid, FCfield=0);
AssocReq = Dot11AssoReq(cap=0x0101, listen_interval=0x00a);
if (elementTag):
Tagged_param = Dot11Elt(ID=0, info="{}".format(AP.essid)) / STA.dot11_rates/elementTag;
return radiotap/ dot11/AssocReq / Tagged_param;
def generate_four_eap_packet(STA, AP, retry_counter):
logger.debug("generate a 4/4 hand-shake packet")
Radiotap = STA.radiotap
Dot11_Header = Dot11(addr1=AP.mac_address,
addr2=STA.mac_address,
addr3=AP.mac_address,
FCfield=0x01,
subtype=8,
type=2) / Dot11QoS()
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=0x888e)
snonce = b'\x00' * 0x20
eapol_header = generate_EAPOL_Header(snonce,
key_information_=0x030a,
kck=STA.keys[0],
replay_counter=retry_counter)
eapol_packet = Radiotap / Dot11_Header / llc_header / snap_header / eapol_header
return eapol_packet
def generate_discover_packet(STA,AP,xid=0x12345678):
logger.debug("generate a DHCP discover packet.");
Radiotap = STA.radiotap;
Dot11_Header = Dot11(addr1=AP.mac_address, addr2=STA.mac_address, addr3="ff:ff:ff:ff:ff:ff", FCfield=0x01, subtype=8, type=2) / Dot11QoS();
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=ETH_P_IP)
IP_Head = IP(src="0.0.0.0", dst="255.255.255.255");
UDP_Head = UDP(sport=DHCP_CLIENT_PORT, dport=DHCP_SERVER_PORT);
BOOTP_Head = BOOTP(chaddr=mac2str(STA.mac_address), xid=xid);
DHCP_option = [('message-type', DISCOVER_MASSAGE)];
DHCP_option.append(DHCP_OPTION_END_MASSAGE)
DHCP_Head = DHCP(options=DHCP_option);
discover_packet = Radiotap / Dot11_Header / llc_header / snap_header / IP_Head / UDP_Head / BOOTP_Head / DHCP_Head;
return discover_packet
def __init__(self, _ifc_name, _mac_addr, ip_address="0.0.0.0"):
"""
:param ifc_name: WLAN interface to use as a monitor
:param channel: Channel to operate on
:param sta_mac: MAC address of the STA
"""
logger.debug("generate a STA_Interface object ...")
## layer1 (physical layer) information
self.__generate_radiotap_header()
self.dot11_rates = Dot11EltRates()
## layer2 (data link layer) information
self.ifc_name = _ifc_name
self.mac_address = _mac_addr
## layer3 (ip layer) information;
self.IP_address = ip_address
self.subnet_mask = "255.255.255.255"
self.lease_time = 0
self.router = "0.0.0.0"
self.dns_server = "0.0.0.0"
logger.debug("a STA Interface object was generated.")
def generate_arp_response_packet(src, AP, ARP_request_packet):
logger.debug("generate an ARP response packet")
## layer 1
Radiotap = src.radiotap
## layer 2 (802.11)
Dot11_Header = Dot11(addr1=AP.bssid,
addr2=src.mac_address,
addr3=ARP_request_packet[Dot11].addr3,
FCfield=0x01,
subtype=8,
type=2) / Dot11QoS()
llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03)
snap_header = SNAP(OUI=0x000000, code=0x0806)
arp_header = ARP_request_packet[ARP].copy()
arp_header.op = OP_RESPONSE_CODE
arp_header.pdst = arp_header.psrc
arp_header.hwdst = arp_header.hwdst
arp_header.psrc = src.IP_address
arp_header.hwsrc = src.mac_address
return Radiotap / Dot11_Header / llc_header / snap_header / arp_header
def four_way_hand_shake(STA, AP, rsnInfo):
### receive a 1/4 EAPOL packet.
first_packet = receive_packet(STA, AP)
logger.debug("received a 1/4 EAPOL packet")
## multithread process start.
executor = futures.ThreadPoolExecutor(max_workers=2)
recv_process = executor.submit(receive_packet, STA, AP)
## send a 2/4 EAPOL packet.
anonce = extract_Nonce_From_EAPOL_Header(first_packet[EAPOL])
retry_counter = extract_Retry_From_EAPOL_Header(first_packet[EAPOL])
second_packet = generate_second_eap_packet(STA,
AP,
anonce,
rsnInfo,
retry_counter=retry_counter)
executor.submit(STA.send_packet, second_packet)
logger.debug("send a 2/4 EAPOL packet")
## recevie a 3/4 EAPOL packet.
third_packet = recv_process.result()
logger.debug("received a 3/4 EAPOL packet")
## extract the retry counter from the 3/4 EAPOL packet.
retry_counter = extract_Retry_From_EAPOL_Header(third_packet[EAPOL])
## extract Group transfer key information.
WPADATA = extract_WPAKeyData_From_EAPOL_Header(third_packet[EAPOL])
unraped_WPADATA = aes_unwrap_key(STA.keys[1], WPADATA)
Length = unraped_WPADATA[1]
STA.gtk = unraped_WPADATA[2 + Length:]
## send a 4/4 EAPOL packet.
fourth_packet = generate_four_eap_packet(STA, AP, retry_counter)
STA.send_packet(fourth_packet)
logger.debug("send a 4/4 EAPOL packet")
def send_disassoc_packet(_src_interface, _dst_interface, reason=3):
packet = generate_disassoc_packet(_src_interface, _dst_interface, reason)
_src_interface.send_packet(packet)
logger.debug("send a disassociation (reason = " + str(reason) + ") packet")
def send_deauth_packet(_src_interface, _dst_interface, reason=7):
packet = generate_deauth_packet(_src_interface, _dst_interface, reason)
_src_interface.send_packet(packet)
logger.debug("send a deauthentication (reason = " + str(reason) +
") packet")
