#!/usr/bin/python
# coding: utf-8
# $ iw dev wlan0 interface add mon0 type monitor
# Monitor-mode interface used for both sniffing and injection below.
interface = "mon0"
# Seconds between two consecutive beacons sent by sender_run().
beacon_interval = 0.4
# SSID and (locally administered, 02:...) BSSID of the first advertised network.
beacon1_ssid = "internet"
beacon1_mac = "02:03:04:05:06:07"
# SSIDs advertised as a second set of (RSN-tagged) beacons; each entry gets its
# own generated BSSID in sender_run(). Non-ASCII byte strings (file is utf-8).
beacon2_ssid = ["ᖵᕕ", "¬Γٮ Ξ /Δɱ", "ᒣᒥ☐ᙿᐬᗑ", "ᒣᒥ∐ ̿ ᐟᐃ∏",
"┐┌┗┛=/△ㄇ", "┓┏ 凵 =╱⊿┌┬┐", "=╱⊿┌┬┐'"]
# Seconds after registration before an address is dropped from `destinations`.
beacon2_timeout = 20 # sec.
#######################################################
from scapy.all import *
import time
import sys
import threading
# Shared between sniffer_run() (writes) and sender_run() (reads/pops) with no
# lock; NOTE(review): relies on CPython's dict operations being atomic.
destinations = dict() # key: mac, value:count-down
def build_beacon(daddr, addr, symbol, enc=False):
    """Assemble an 802.11 beacon frame under a RadioTap header.

    daddr: receiver address (addr1).
    addr: transmitter address used for both addr2 and addr3 (BSSID).
    symbol: byte string placed in the SSID element.
    enc: when true, a hard-coded RSN information element is appended
         (presumably so the network is advertised as protected).
    Returns the scapy packet RadioTap()/Dot11/Dot11Beacon/Dot11Elt...
    """
    header = Dot11(addr1=daddr, addr2=addr, addr3=addr)
    # Fixed element set: SSID, supported rates, DS parameter set (channel
    # byte "\x03") and a TIM element.
    elements = [
        Dot11Beacon(cap="ESS"),
        Dot11Elt(ID="SSID", info=symbol),
        Dot11Elt(ID="Rates", info='\x82\x84\x0b\x16'),
        Dot11Elt(ID="DSset", info="\x03"),
        Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"),
    ]
    if enc:
        elements.append(Dot11Elt(ID="RSNinfo", info="\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x00\x00"))
    # Left-fold with "/" so each element becomes the payload of the previous
    # one, exactly like the chained a/b/c expression.
    frame = header
    for element in elements:
        frame = frame / element
    return RadioTap() / frame
def build_deauth(ap_addr, client_addr):
    """Build a deauthentication frame addressed to `ap_addr` from `client_addr`.

    addr1 (receiver) and addr3 (BSSID) are the AP; addr2 (transmitter) is the
    client, i.e. the frame is spoofed as coming from the client. Returns the
    packet under a RadioTap header.
    """
    p = (Dot11(addr1=ap_addr, addr2=client_addr, addr3=ap_addr) /
        Dot11Deauth(reason=5)) # 5: Disassociated because AP is unable to handle all currently associated STAs
    return RadioTap() / p
def sniffer_run(*_):
    """Thread body: sniff one frame at a time on `interface` and register clients.

    A client address (p.addr2) is added to the shared `destinations` dict
    with the current time when it either sends a Dot11Auth frame to
    `beacon1_mac` or a probe request whose first SSID element equals
    `beacon1_ssid`. On registration a deauth frame built by build_deauth()
    is injected. Runs forever; extra positional args are ignored (the
    function is assigned as Thread.run).
    """
    while True:
        # One frame per call; sniff() returns a list, take the first element.
        p = sniff(count=1, iface=interface)[0]
        #print repr(p)
        if p.haslayer(Dot11Auth) and \
                p.addr1 == beacon1_mac and \
                p.addr2 not in destinations.keys():
            print "Registered via dot11auth {addr}".format(addr=p.addr2)
            destinations[p.addr2] = time.time()
            sendp(build_deauth(beacon1_mac, p.addr2), iface=interface, verbose=False)
            continue
        if p.haslayer(Dot11ProbeReq):
            # NOTE(review): the loop body reads p.getlayer(Dot11Elt), i.e. the
            # first element, rather than `layer`; only the first Dot11Elt is
            # ever inspected, so an SSID element placed later is not matched.
            for layer in p.getlayer(Dot11Elt):
                # getfield_and_val() gives the field object and raw ID value;
                # i2s maps that numeric ID to its symbolic name ("SSID").
                field_id, value = p.getlayer(Dot11Elt).getfield_and_val("ID")
                if field_id.i2s[value] == "SSID":
                    if layer.info == beacon1_ssid and p.addr2 not in destinations.keys():
                        print "registered via Dot11ProbeReq {addr2}".format(addr2=p.addr2)
                        destinations[p.addr2] = time.time()
                        sendp(build_deauth(beacon1_mac, p.addr2), iface=interface, verbose=False)
                        continue
def sender_run(*_):
    """Thread body: periodically broadcast the first beacon and unicast the rest.

    Every `beacon_interval` seconds the `beacon1_ssid` beacon is sent to the
    broadcast address. Then, for each address in the shared `destinations`
    dict, entries older than `beacon2_timeout` are removed; for the others
    one RSN-tagged beacon per entry of `beacon2_ssid` is sent to that
    address, each with a distinct generated BSSID. Runs forever; extra
    positional args are ignored (the function is assigned as Thread.run).
    """
    beacon = build_beacon("ff:ff:ff:ff:ff:ff",beacon1_mac, beacon1_ssid)
    last_ts = time.time()
    while True:
        # Sleep only for the remainder of the interval not already spent
        # sending, so the cadence stays close to beacon_interval.
        d = time.time() - last_ts
        if beacon_interval - d > 0:
            time.sleep(beacon_interval - d)
        last_ts = time.time()
        sendp(beacon,iface=interface,verbose=False)
        # NOTE(review): popping while iterating is safe here only because
        # Python 2 items() returns a list snapshot; under Python 3 this would
        # raise RuntimeError. No lock guards the dict against sniffer_run().
        for addr,timestamp in destinations.items():
            if time.time() - timestamp > beacon2_timeout:
                print "{addr} timed out".format(addr=addr)
                destinations.pop(addr)
                continue
            print "Send beacons to {addr}".format(addr=addr)
            for i,symbol in zip(range(len(beacon2_ssid)), beacon2_ssid):
                # Per-SSID BSSID under the 02:00:00:00 prefix; "/" is Python 2
                # integer division, so the last two octets encode the index i.
                bssid = "02:00:00:00:{0:02x}:{1:02x}".format(i/0xff, i%0xff)
                p = build_beacon(addr, bssid, symbol, enc=True)
                sendp(p, iface=interface, verbose=False)
# Entry point: start both loops as daemon threads (the run method is replaced
# on each bare Thread instance) and watch them from the main thread.
sniffer_thread = threading.Thread()
sniffer_thread.run = sniffer_run
sniffer_thread.daemon = True
sniffer_thread.start()
sender_thread = threading.Thread()
sender_thread.run = sender_run
sender_thread.daemon = True
sender_thread.start()
try:
    while True:
        # Wake up every second so KeyboardInterrupt is delivered promptly and
        # so a thread that died (e.g. from an unhandled exception) ends the
        # program with status 0 instead of leaving the other loop running.
        sender_thread.join(1)
        if (not sender_thread.is_alive() or
                not sniffer_thread.is_alive()):
            sys.exit(0)
except KeyboardInterrupt:
    # Ctrl-C: exit with status 1; daemon threads are torn down on exit.
    sys.exit(1)