Access Point Fuzzer

1. #!/usr/bin/python
2. import signal
3. import sys
4. import time
5. import logging
6. import argparse
7. import random
8. from multiprocessing import Process
9. from scapy.config import *
10. from scapy.layers.dot11 import *
11. from scapy.utils import *
12.  
13. logging.getLogger('scapy.runtime').setLevel(logging.ERROR)
14.  
15.  
16. class FuzzAP(object):
17.     def __init__(self, interface):
18.         self.interface = interface
19.         self.mlist = []
20.         self.sid = []
21.         self.ftime = time.time() * 1000000
22.  
23.     def uptime(self):
24.         microtime = int(round(time.time() * 1000000)) - self.ftime
25.         return microtime
26.  
27.     def generate_mac(self, ouifile):
28.         try:
29.             # Grab a common OUI from file based off of the IEEE list at
30.             # http://standards.ieee.org/develop/regauth/oui/oui.txt
31.             mac = random.choice(open(ouifile).readlines())
32.  
33.         except IOError as ioe:
34.             print 'Cannot read file. Does the file exist?: {0}: {1}'.format(ioe.errno, ioe.strerror)
35.             sys.exit(1)
36.         # We have to create the last three bits of the mac address
37.         # since we grabbed the first three from file
38.         loop = 0
39.         while loop < 3:
40.  
41.             # Generate a random integer between 0 and 255 to match the possible combinations for the MAC
42.             ranint = random.randint(0, 255)
43.  
44.             # We have an exception in case the random integer is less than 16,
45.             # as we would only get one character instead of two
46.             if ranint < 16:
47.  
48.                 int2 = random.randint(0, 15)
49.                 mac += ":" + hex(ranint)[2:] + hex(int2)[2:]
50.                 loop += 1
51.  
52.             else:
53.  
54.                 mac += ":" + hex(ranint)[2:]
55.                 loop += 1
56.  
57.         # When we return the mac, it has newlines due to reading from file.
58.         # We need to strip those before we return the mac
59.         return mac.replace("\n", "")
60.  
61.     def beacon_frame(self, bssids, macaddrs, interface):
62.         while True:
63.             for n in range(len(bssids)):
64.                 sendp(RadioTap() /
65.                       Dot11(addr1='ff:ff:ff:ff:ff:ff',
66.                             addr2=macaddrs[n],
67.                             addr3=macaddrs[n]) /
68.                       Dot11Beacon(cap='ESS', timestamp=self.uptime()) /
69.                       Dot11Elt(ID='SSID', info=bssids[n]) /
70.                       Dot11Elt(ID='Rates', info='\x82\x84\x0b\x16') /
71.                       Dot11Elt(ID='DSset', info="\x03") /
72.                       Dot11Elt(ID='TIM', info="\x00\x01\x00\x00"),
73.                       iface=interface, loop=0, verbose=False)
74.             time.sleep(.102)
75.  
76.     def load_vendor(self, num_of_aps, ouifile):
77.         # Generate some mac addresses and shove them in a list
78.         for n in range(num_of_aps):
79.             self.mlist.append(self.generate_mac(ouifile))
80.  
81.     def load_ssid(self, num_of_aps, ssidfile):
82.         # Grab some random SSIDs from the wigle list and shove'm in a list
83.         for n in range(num_of_aps):
84.             self.sid.append(self.generate_ssid(ssidfile))
85.  
86.     def generate_ssid(self, ssidfile):
87.         try:
88.             # Pull a random SSID from a file with the top 1000 most common SSIDs from https://wigle.net/gps/gps/Stat
89.             ssid = random.choice(open(ssidfile).readlines())
90.             # Return the SSID from file while stripping the new-line from the output
91.             return ssid.replace("\n", "")
92.         except IOError as ioer:
93.             print 'Could not open ssid.txt. Does the file exist? Do you have the correct permissions? {0}: {1}'.format(
94.                 ioer.errno, ioer.strerror)
95.             sys.exit(1)
96.  
97.     def probe_response(self, ssid, macs, rates, stamac):
98.         sendp(RadioTap(present=18479L) /
99.               Dot11(addr2=macs, addr3=macs, addr1=stamac, FCfield=8L) /
100.               Dot11ProbeResp(beacon_interval=102, cap=12548L, timestamp=self.uptime()) /
101.               Dot11Elt(info=ssid, ID=0) /
102.               Dot11Elt(info=rates, ID=1) /
103.               Dot11Elt(info='\x01', ID=3, len=1) /
104.               Dot11Elt(info='\x00', ID=42, len=1) /
105.               Dot11Elt(
106.                   info='\x01\x00\x00\x0f\xac\x02\x02\x00\x00\x0f\xac\x02\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02(\x00',
107.                   ID=48, len=24) /
108.               Dot11Elt(info='H`l', ID=50, len=3), iface=self.interface, loop=0, verbose=False)
109.  
110.  
111. def sig_int(sigint, frame):
112.     print('Shutting down....')
113.     sys.exit(0)
114.  
115.  
116. def main():
117.     parser = argparse.ArgumentParser()
118.     parser.add_argument('interface', help='Specifies the interface in monitor mode to use')
119.     parser.add_argument('APs', help='Number of fake access points to create', type=int)
120.     parser.add_argument('OUI', help='File with a OUI on each line')
121.     parser.add_argument('SSID', help='File with a SSID on each line')
122.  
123.     args = parser.parse_args()
124.     ifce = args.interface
125.     APs = args.APs
126.     oui = args.OUI
127.     ssid = args.SSID
128.     signal.signal(signal.SIGINT, sig_int)
129.     fuzz = FuzzAP(ifce)
130.  
131.     # load all of our MACs and SSIDs to spam
132.     fuzz.load_vendor(APs, oui)
133.     fuzz.load_ssid(APs,ssid)
134.  
135.     # Fork out the beacon frames
136.     Process(target=fuzz.beacon_frame, args=(fuzz.sid, fuzz.mlist, ifce)).start()
137.  
138.     # Start sniffing for probe request from our previously forked out
139.     # beacon frames, and grab the ssid, rates, and MAC they are referencing
140.     while True:
141.         ssid = None
142.         rates = None
143.  
144.         # start sniffing
145.         p = sniff(iface=ifce, count=1)[0]
146.  
147.         # If the sniffed packet is a probe request and is sending it to one of our MAC addresses
148.         if p.haslayer(Dot11ProbeReq) and p.addr1 in fuzz.mlist:
149.             pkt = p.getlayer(Dot11Elt)
150.             macs = p.addr1
151.  
152.             # Start Core Security's code
153.             while pkt:
154.                 if pkt.ID == 0:
155.                     # ID 0's info portion of a 802.11 packet is the SSID, grab it
156.                     ssid = pkt.info
157.                 if pkt.ID == 1:
158.                     # ID 1's info portion of a 802.11 packet is the supported rates, grab it
159.                     rates = pkt.info
160.                 pkt = pkt.payload
161.             # End Core Security's code
162.  
163.             fuzz.probe_response(ssid, macs, rates, p.addr2)
164.  
165.  
166. if __name__ == "__main__":
167.     main()