wifi-monitor
#!/usr/bin/python

import argparse
import datetime
import logging
import os
import re
import signal
import socket
import sys
import threading
import time
from subprocess import Popen, PIPE

# Silence scapy's import-time warnings before importing it; conf.verb=0 keeps
# sniff()/arping() quiet. os/re/time/socket were previously only available via
# the star import, so they are now imported explicitly above.
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
conf.verb = 0

DN = open(os.devnull, 'w')

# Command-line options: -j/--join additionally prints the DHCP/ARP join log.
parser = argparse.ArgumentParser()
join_help = ("Show all devices that join the network and when they did it "
             "(goes by DHCP packets)")
parser.add_argument("-j", "--join", help=join_help, action="store_true")
args = parser.parse_args()

# Console colors (ANSI SGR escape sequences); W resets to the terminal default.
W, R, G, O, B, P, C, GR, T = (
    '\033[0m',   # white (normal)
    '\033[31m',  # red
    '\033[32m',  # green
    '\033[33m',  # orange
    '\033[34m',  # blue
    '\033[35m',  # purple
    '\033[36m',  # cyan
    '\033[37m',  # gray
    '\033[93m',  # tan
)

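# Discover the default route: gateway IP, its /24 prefix and the outbound interface.
ipr = Popen(['ip', 'route'], stdout=PIPE, stderr=DN)
ipr = ipr.communicate()[0]
# Matches "default via <gw> dev <iface> ...". The interface group accepts any
# name token (wlan0 as before, but also longer names such as wlp3s0), and a
# missing default route is reported instead of raising AttributeError on None.
routerRE = re.search(r'default via ((\d{1,3}\.\d{1,3}\.\d{1,3}\.)\d{1,3}) \w+ ([A-Za-z0-9_.:-]+)', ipr)
if routerRE is None:
    sys.exit('[-] No default route found in `ip route` output')
routerIP = routerRE.group(1)
IPprefix = routerRE.group(2)
interface = routerRE.group(3)
# First non-default route's source address; not referenced elsewhere in this file.
localIP = [x[4] for x in scapy.all.conf.route.routes if x[2] != '0.0.0.0'][0]
localMAC = get_if_hwaddr(interface)
# One entry per known host: [mac, ip, data, rts, cts, acks] with an optional
# seventh field holding the NetBIOS name.
IPandMAC = []
wired = 0
new_clients = []  # human-readable join/discovery messages, shown with --join
start_time = time.time()
current_time = 0
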
# Seed IPandMAC with every host that answers an ARP sweep of the /24.
print('[+] Running arp scan')
ans, unans = arping(IPprefix + '*', timeout=5)
for _sent, reply in ans:
    # [mac, ip, data, req2send, clear2send, ack or block ack]
    IPandMAC.append([reply[ARP].hwsrc, reply[ARP].psrc, 0, 0, 0, 0])

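# Resolve the gateway's MAC from the scan results. Compare the IP exactly: the
# previous substring test ("x.x.x.1" in "x.x.x.10") could pick the wrong host.
for entry in IPandMAC:
    if entry[1] == routerIP:
        routerMAC = entry[0]
        break
else:
    sys.exit('Router MAC not found')
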
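# Do nbtscan for windows netbios names. nbt defaults to an empty list so that a
# missing nbtscan binary no longer leaves the name unbound (NameError below).
print('[+] Running nbtscan')
nbt = []
try:
    nbt = Popen(['nbtscan', IPprefix + '0/24'], stdout=PIPE, stderr=DN)
    nbt = nbt.communicate()[0].splitlines()
except OSError:
    print('[-] nbtscan error, are you sure it is installed?')
if len(nbt) < 5:
    print('[-] nbtscan failed')
for l in nbt:
    if not l.startswith(IPprefix):
        continue
    # "<ip>   <name> ..."; names may contain hyphens, which \w+ would truncate.
    ip_name = re.search(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+([\w-]+)', l)
    if ip_name is None:
        continue
    nbtip = ip_name.group(1)
    netbios = ip_name.group(2)
    if 'Sendto' in netbios:  # nbtscan error line, not a host
        continue
    for a in IPandMAC:
        # Only attach a name to an entry that has none yet (index 6 is the name slot).
        if a[1] == nbtip and len(a) == 6:
            a.append(netbios)
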
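# Start monitor mode on the routed interface; monmode is the interface airmon-ng
# reports (e.g. "mon0"), used for sniffing and for cleanup in the SIGINT handler.
print('\n[+] Enabling monitor mode')
try:
    promisc = Popen(['airmon-ng', 'start', '%s' % interface], stdout=PIPE, stderr=DN)
    promisc = promisc.communicate()[0]
except OSError:
    sys.exit('[-] Enabling monitor mode failed, do you have aircrack-ng installed?')
# A missing match previously raised AttributeError on None instead of a message.
monmode = re.search(r'monitor mode enabled on (.+)\)', promisc)
if monmode is None:
    sys.exit('[-] airmon-ng did not report a monitor interface for %s' % interface)
monmode = monmode.group(1)
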
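def newclients(pkt):
    """Sniffer callback (DHCP/ARP): add newly seen hosts to IPandMAC.

    Two sources are handled:
      * A DHCP message of type 3 (the client's request) carrying a
        'requested_addr' option. The MAC comes from the Ethernet header, a
        join line is queued in new_clients, and the host is appended unless
        its IP is already listed.
      * An ARP is-at reply (op 2) from a MAC that is not yet listed.

    New entries use the same 6-field layout as the initial scan
    ([mac, ip, data, rts, cts, acks]). The original appended a 7th zero,
    which main() then printed as the NetBIOS name ("0"); index 6 is now
    left free for the real name.
    """
    if pkt.haslayer(DHCP):
        options = pkt[DHCP].options
        # Check for message-type == 3 which is the second request the client makes
        if options and options[0][1] == 3:
            for opt in options:
                if "requested_addr" not in repr(opt):
                    continue
                newIP = opt[1]
                newMAC = pkt[Ether].src
                if newIP != '' and newMAC != '':
                    tstamp = datetime.datetime.fromtimestamp(time.time()).strftime('%Y-%m-%d %H:%M:%S')
                    new_clients.append('[%s] %s at %s joined the network' % (tstamp, newMAC, newIP))
                    if any(newIP == known[1] for known in IPandMAC):
                        return
                IPandMAC.append([newMAC, newIP, 0, 0, 0, 0])
    if pkt.haslayer(ARP) and pkt[ARP].op == 2:
        newMAC = pkt[ARP].hwsrc
        newIP = pkt[ARP].psrc
        if any(newMAC == known[0] for known in IPandMAC):
            return
        # Assigned outside the loop: the original only set these inside the
        # scan over IPandMAC, so an empty list appended a blank entry.
        IPandMAC.append([newMAC, newIP, 0, 0, 0, 0])
        new_clients.append("Added %s to list due to arp is-at, may've not been caught by initial arp scan" % newIP)
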
class newDevices(threading.Thread):
    """Background sniffer for DHCP traffic (udp 67/68) that feeds newclients()."""

    def run(self):
        sniff_opts = dict(store=0, filter='port 67 or 68', prn=newclients, iface=interface)
        sniff(**sniff_opts)


# Daemon thread: it must not keep the process alive once the main sniff ends.
nd = newDevices()
nd.daemon = True
nd.start()

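def _signal_handler(signum, frame):
    """SIGINT handler: leave monitor mode, re-pin the gateway ARP entry, exit 0."""
    print('Cleaning up...')
    Popen(['airmon-ng', 'stop', '%s' % monmode], stdout=PIPE, stderr=DN)
    # arp tables seem to get messed up when starting and stopping monitor mode so this heals the arp tables
    print('Restoring arp table...')
    Popen(['arp', '-s', routerIP, routerMAC], stdout=PIPE, stderr=DN)
    sys.exit(0)


# Registered once, up front. The original registered the handler from inside
# the packet callback, so a Ctrl-C before the first 802.11 frame skipped the
# cleanup and left the interface in monitor mode.
signal.signal(signal.SIGINT, _signal_handler)


def _tally(dot11):
    """Count one control/data frame against every known host it involves."""
    dstMAC = dot11.addr1
    srcMAC = dot11.addr2   # usually the router
    srcMAC2 = dot11.addr3  # if it's comp1 > router > comp2 then this is comp1
    ptype = dot11.type
    subtype = dot11.subtype
    for x in IPandMAC:
        if x[0] not in (srcMAC, dstMAC, srcMAC2):
            continue
        if ptype == 1:  # control
            if subtype in (9, 13):  # block acknowledgement or acknowledgement
                x[5] += 1
            elif subtype == 11:     # request to send
                x[3] += 1
            elif subtype == 12:     # clear to send
                x[4] += 1
        elif ptype == 2:  # data
            x[2] += 1


def _row(x):
    """Format one IPandMAC entry; the router and NetBIOS-named hosts get a suffix."""
    line = '[+] %s %-15s' % (x[0], x[1]) + R + ' %7d' % x[2] + G + ' %7d %7d %7d' % (x[3], x[4], x[5])
    if routerIP in x:
        return line + GR + ' (router)' + W
    if len(x) == 7:
        return line + W + ' %s' % x[6]
    return line + W


def _render():
    """Clear the screen and print the per-host table (plus join log with --join)."""
    IPandMAC.sort(key=lambda x: float(x[2]), reverse=True)  # sort by data packets
    os.system('clear')
    print('               ' + GR + '%d' % len(IPandMAC) + W + ' clients                ' + R + 'Data        ' + G + 'Control Frame' + W)
    print('           MAC             IP                    ' + G + ' Req   Clear    Acks ' + W)
    for x in IPandMAC:
        if x[2] != 0 or x[3] != 0 or x[4] != 0 or x[5] != 0:
            print(_row(x))
    print('')
    if args.join:
        for line in new_clients:
            print(line)


def main(pkt):
    """Sniffer callback for the monitor interface.

    Tallies 802.11 control (type 1) and data (type 2) frames per known host,
    ignoring frames that involve our own MAC, and redraws the table at most
    once per second. Management frames (type 0) are ignored.
    """
    global start_time, current_time
    if not pkt.haslayer(Dot11):
        return
    dot11 = pkt[Dot11]
    # type 2 is Data, type 0 is Management which is auth/deauth stuff, type 1 is control which is ACKs, request to send, clear to send stuff
    if dot11.type not in (1, 2):
        return
    if localMAC in (dot11.addr1, dot11.addr2, dot11.addr3):
        return
    _tally(dot11)
    current_time = time.time()
    if current_time > start_time + 1:
        _render()
        start_time = time.time()
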
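# Main capture loop; Ctrl-C is handled by the SIGINT handler registered above.
try:
    sniff(iface=monmode, prn=main, store=0)
except socket.error as err:
    # The old "except socket.error, (value, message)" form is Python-2-only
    # and itself raised ValueError when err.args was not a pair.
    print(err.strerror or err)
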