def generate_icmp_request(STA, AP, target): logger.debug("generate an icmp request packet to " + target.IP_address + " (" + target.mac_address + ")") ## layer 1 Radiotap = STA.radiotap ## layer 2 (802.11) Dot11_Header = Dot11(addr1=AP.bssid, addr2=STA.mac_address, addr3=target.mac_address, FCfield=0x01, subtype=8, type=2) / Dot11QoS() llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) snap_header = SNAP(OUI=0x000000, code=0x0800) ## layer 3 (IP); IP_header = IP(src=STA.IP_address, dst=target.IP_address) ## layer 4 (ICMP) icmp_header = ICMP() return Radiotap / Dot11_Header / llc_header / snap_header / IP_header / icmp_header
def generate_second_eap_packet(STA, AP, anonce, rsnInfo, retry_counter=0): logger.debug("generate a 2/4 hand-shake packet") Radiotap = STA.radiotap Dot11_Header = Dot11(addr1=AP.mac_address, addr2=STA.mac_address, addr3=AP.mac_address, FCfield=0x01, subtype=8, type=2) / Dot11QoS() llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) snap_header = SNAP(OUI=0x000000, code=0x888e) snonce = generate_nonce(32) logger.info("generate pmk packet") pmk = generate_pmk_by_sha1(AP.essid, AP.password) logger.info("generate ptk packet") ptk = generate_ptk(pmk, mac2str(AP.mac_address), mac2str(STA.mac_address), anonce, snonce) logger.info("generate unicast keys") STA.keys = generate_unicast_keys(ptk) kck = STA.keys[0] eapol_header = generate_EAPOL_Header(snonce, key_information_=0x010a, replay_counter=retry_counter, kck=kck, KeyData=rsnInfo) eapol_packet = Radiotap / Dot11_Header / llc_header / snap_header / eapol_header return eapol_packet
def generate_icmp_response_packet(src, AP, icmp_request_packet): logger.debug("generate an ICMP response packet") ## layer 1 Radiotap = src.radiotap ## layer 2 (802.11) Dot11_Header = Dot11(addr1=AP.bssid, addr2=src.mac_address, addr3=icmp_request_packet[Dot11].addr3, FCfield=0x01, subtype=8, type=2) / Dot11QoS() llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) snap_header = SNAP(OUI=0x000000, code=0x0800) ## layer 3 (IP); IP_header = IP(src=src.IP_address, dst=icmp_request_packet[IP].src) ## layer 4 (ICMP) icmp_header = icmp_request_packet[ICMP].copy() icmp_header.type = ICMP_TYPE_RESPONSE del icmp_header.chksum ## for recaluclation a checksum value of ICMP header return Radiotap / Dot11_Header / llc_header / snap_header / IP_header / icmp_header
def generate_arp_request_packet(STA, AP, requested_ip_addr): logger.debug("generate an ARP request packet") ## layer 1 Radiotap = STA.radiotap ## layer 2 (802.11) Dot11_Header = Dot11(addr1=AP.bssid, addr2=STA.mac_address, addr3="ff:ff:ff:ff:ff:ff", FCfield=0x01, subtype=8, type=2) / Dot11QoS() llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) snap_header = SNAP(OUI=0x000000, code=0x0806) ## layer 2 (arp) arp_header = ARP(hwlen=6, plen=4, op=OP_REQUEST_CODE, hwsrc=STA.mac_address, psrc=STA.IP_address, pdst=requested_ip_addr) return Radiotap / Dot11_Header / llc_header / snap_header / arp_header
def __generate_radiotap_header(self): logger.debug("generate a radiotap header beforehand.") self.radiotap = RadioTap(present='Rate+Channel+Antenna+dBm_AntSignal') self.radiotap.ChannelFrequency = 5220 self.radiotap.ChannelFlags = 320 self.radiotap.Rate = 0 self.radiotap.dBm_AntSignal = -30 self.radiotap.Antenna = 0
def generate_disassoc_packet(_sta_interface, _dst_interface, reason=3): logger.debug("generate a disassociation (reason = " + str(reason) + ") packet") return _sta_interface.radiotap / Dot11(addr1=_dst_interface.mac_address, addr2=_sta_interface.mac_address, addr3=_dst_interface.mac_address, subtype=10, type=0) / Dot11Disas(reason=reason)
def generate_deauth_packet(_sta_interface, _dst_interface, reason=7): logger.debug("generate a deauthentication (reason = " + str(reason) + ") packet") return _sta_interface.radiotap / Dot11(addr1=_dst_interface.mac_address, addr2=_sta_interface.mac_address, addr3=_dst_interface.mac_address, subtype=12, type=0) / Dot11Deauth(reason=reason)
def generate_qos_null_function_packet(_sta_interface, _dst_interface, _FCField): logger.debug("generate a QoS null function packet") return _sta_interface.radiotap / Dot11(addr1=_dst_interface.mac_address, addr2=_sta_interface.mac_address, addr3=_dst_interface.mac_address, type=2, subtype=4, FCfield=_FCField)
def __init__(self, bssid, essid, ip_address="0.0.0.0", password="******"): logger.debug("generate an AP interface.") super().__init__(mac_address=bssid, ip_address=ip_address) self.bssid = bssid self.essid = essid self.password = password
def generate_association_packet(STA, AP,elementTag = None): logger.debug("generate a association request packet ") radiotap = STA.radiotap; dot11 = Dot11(addr1=AP.bssid, addr2=STA.mac_address, addr3=AP.bssid, FCfield=0); AssocReq = Dot11AssoReq(cap=0x0101, listen_interval=0x00a); if (elementTag): Tagged_param = Dot11Elt(ID=0, info="{}".format(AP.essid)) / STA.dot11_rates/elementTag; return radiotap/ dot11/AssocReq / Tagged_param;
def generate_four_eap_packet(STA, AP, retry_counter): logger.debug("generate a 4/4 hand-shake packet") Radiotap = STA.radiotap Dot11_Header = Dot11(addr1=AP.mac_address, addr2=STA.mac_address, addr3=AP.mac_address, FCfield=0x01, subtype=8, type=2) / Dot11QoS() llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) snap_header = SNAP(OUI=0x000000, code=0x888e) snonce = b'\x00' * 0x20 eapol_header = generate_EAPOL_Header(snonce, key_information_=0x030a, kck=STA.keys[0], replay_counter=retry_counter) eapol_packet = Radiotap / Dot11_Header / llc_header / snap_header / eapol_header return eapol_packet
def generate_discover_packet(STA,AP,xid=0x12345678): logger.debug("generate a DHCP discover packet."); Radiotap = STA.radiotap; Dot11_Header = Dot11(addr1=AP.mac_address, addr2=STA.mac_address, addr3="ff:ff:ff:ff:ff:ff", FCfield=0x01, subtype=8, type=2) / Dot11QoS(); llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) snap_header = SNAP(OUI=0x000000, code=ETH_P_IP) IP_Head = IP(src="0.0.0.0", dst="255.255.255.255"); UDP_Head = UDP(sport=DHCP_CLIENT_PORT, dport=DHCP_SERVER_PORT); BOOTP_Head = BOOTP(chaddr=mac2str(STA.mac_address), xid=xid); DHCP_option = [('message-type', DISCOVER_MASSAGE)]; DHCP_option.append(DHCP_OPTION_END_MASSAGE) DHCP_Head = DHCP(options=DHCP_option); discover_packet = Radiotap / Dot11_Header / llc_header / snap_header / IP_Head / UDP_Head / BOOTP_Head / DHCP_Head; return discover_packet
def __init__(self, _ifc_name, _mac_addr, ip_address="0.0.0.0"): """ :param ifc_name: WLAN interface to use as a monitor :param channel: Channel to operate on :param sta_mac: MAC address of the STA """ logger.debug("generate a STA_Interface object ...") ## layer1 (physical layer) information self.__generate_radiotap_header() self.dot11_rates = Dot11EltRates() ## layer2 (data link layer) information self.ifc_name = _ifc_name self.mac_address = _mac_addr ## layer3 (ip layer) information; self.IP_address = ip_address self.subnet_mask = "255.255.255.255" self.lease_time = 0 self.router = "0.0.0.0" self.dns_server = "0.0.0.0" logger.debug("a STA Interface object was generated.")
def generate_arp_response_packet(src, AP, ARP_request_packet): logger.debug("generate an ARP response packet") ## layer 1 Radiotap = src.radiotap ## layer 2 (802.11) Dot11_Header = Dot11(addr1=AP.bssid, addr2=src.mac_address, addr3=ARP_request_packet[Dot11].addr3, FCfield=0x01, subtype=8, type=2) / Dot11QoS() llc_header = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) snap_header = SNAP(OUI=0x000000, code=0x0806) arp_header = ARP_request_packet[ARP].copy() arp_header.op = OP_RESPONSE_CODE arp_header.pdst = arp_header.psrc arp_header.hwdst = arp_header.hwdst arp_header.psrc = src.IP_address arp_header.hwsrc = src.mac_address return Radiotap / Dot11_Header / llc_header / snap_header / arp_header
def four_way_hand_shake(STA, AP, rsnInfo): ### receive a 1/4 EAPOL packet. first_packet = receive_packet(STA, AP) logger.debug("received a 1/4 EAPOL packet") ## multithread process start. executor = futures.ThreadPoolExecutor(max_workers=2) recv_process = executor.submit(receive_packet, STA, AP) ## send a 2/4 EAPOL packet. anonce = extract_Nonce_From_EAPOL_Header(first_packet[EAPOL]) retry_counter = extract_Retry_From_EAPOL_Header(first_packet[EAPOL]) second_packet = generate_second_eap_packet(STA, AP, anonce, rsnInfo, retry_counter=retry_counter) executor.submit(STA.send_packet, second_packet) logger.debug("send a 2/4 EAPOL packet") ## recevie a 3/4 EAPOL packet. third_packet = recv_process.result() logger.debug("received a 3/4 EAPOL packet") ## extract the retry counter from the 3/4 EAPOL packet. retry_counter = extract_Retry_From_EAPOL_Header(third_packet[EAPOL]) ## extract Group transfer key information. WPADATA = extract_WPAKeyData_From_EAPOL_Header(third_packet[EAPOL]) unraped_WPADATA = aes_unwrap_key(STA.keys[1], WPADATA) Length = unraped_WPADATA[1] STA.gtk = unraped_WPADATA[2 + Length:] ## send a 4/4 EAPOL packet. fourth_packet = generate_four_eap_packet(STA, AP, retry_counter) STA.send_packet(fourth_packet) logger.debug("send a 4/4 EAPOL packet")
def send_disassoc_packet(_src_interface, _dst_interface, reason=3): packet = generate_disassoc_packet(_src_interface, _dst_interface, reason) _src_interface.send_packet(packet) logger.debug("send a disassociation (reason = " + str(reason) + ") packet")
def send_deauth_packet(_src_interface, _dst_interface, reason=7): packet = generate_deauth_packet(_src_interface, _dst_interface, reason) _src_interface.send_packet(packet) logger.debug("send a deauthentication (reason = " + str(reason) + ") packet")