Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
scapy-fakebeacon - spawn lots of fake wifi access points by injecting beacon frames with scapy (essid)
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
#
# source: https://www.4armed.com/blog/forging-wifi-beacon-frames-using-scapy/
#
# requires:
# radiotap supported wifi nic/driver (frame injection) (works fine with Ralink RT2571W)
# iwconfig $iface mode monitor
# iw dev $iface set channel $channel
# or
# iwlist iface scan
#
# example:
# spawn 1000 essids (0-999)
# #> python fakebeacon.py $(python -c "print ' '.join(i for i in xrange(1000))")
#
from scapy.all import Dot11,Dot11Beacon,Dot11Elt,RadioTap,sendp,hexdump,RandMAC
import sys
import random
import os
def main():
ssids = sys.argv[2:] #Network name here
iface = sys.argv[1] #Interface name here
frames =[]
for netSSID in ssids:
print netSSID
dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff',
addr2=str(RandMAC()), addr3=str(RandMAC()))
beacon = Dot11Beacon(cap='ESS+privacy')
essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID))
rsn = Dot11Elt(ID='RSNinfo', info=(
'\x01\x00' #RSN Version 1
'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP
'\x02\x00' #2 Pairwise Cipher Suites (next two lines)
'\x00\x0f\xac\x04' #AES Cipher
'\x00\x0f\xac\x02' #TKIP Cipher
'\x01\x00' #1 Authentication Key Managment Suite (line below)
'\x00\x0f\xac\x02' #Pre-Shared Key
'\x00\x00')) #RSN Capabilities (no extra capabilities)
frame = RadioTap()/dot11/beacon/essid/rsn
print "SSID=%-20s %r"%(netSSID,frame)
frames.append(frame)
sendp(frames, iface=iface, inter=0.0100 if len(frames)<10 else 0, loop=1)
if __name__=="__main__":
main()
@AgeOfMarcus
Copy link

AgeOfMarcus commented Jun 27, 2018

I follow this exact code, but when I scan for APs on my phone or laptop, I never see them.

@anagnostouJohn
Copy link

anagnostouJohn commented Oct 3, 2019

I had the same problem. I switched to kali linux and set the wifi card to monitor mode using airmon-ng airmon-ng start wlan0. After that everything was running like a charm. dont forget wlan0 is the name of my wifi card, so you have to find the name of yours by typing iwconfig and for iface you have to use the name provided by airmon-ng for example my wlan0mon

@solsticedhiver
Copy link

solsticedhiver commented May 14, 2020

This does not work (using python 3.8.2 and scapy 2.4.3)
You need to use bytes for the rsn value:

rsn_array = [b'\x01\x00',
    b'\x00\x0f\xac\x04',
    b'\x02\x00',
    b'\x00\x0f\xac\x04',
    b'\x00\x0f\xac\x02',
    b'\x01\x00',
    b'\x00\x0f\xac\x02',
    b'\x00\x00']
rsn_bytes = b''.join(rsn_array)
rsn = Dot11Elt(ID='RSNinfo', info=rsn_bytes, len=len(rsn_bytes))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment