
Wireless Hacking - Part4

PYTHON - PRACTICE AND FUNCTIONALITY

In the past, there were many programming languages you could use to write your own penetration testing tools, but there was usually one that was the most popular and the first choice when you were thinking about which language to use, such as Perl. Lately, languages like Python and Ruby have been widely adopted and have proved their usefulness.

In this article, we will try to shed light on some of Python's advantages and functionality. We will divide the article into two parts: the first part will discuss the practical use of Python to perform Wi-Fi attacks, and the second part will use Python to perform Exploit Development.

I will try to explain everything in detail. But to be honest, you should be aware of some things so that you do not miss anything.

WHAT YOU NEED AND SHOULD KNOW:

      ● Basic Knowledge of 802.11 Protocol.
      ● Basic Knowledge of Wi-Fi Attacks.
      ● Basic Knowledge of Buffer Overflow Attacks.
      ● Python's Network Libraries.

WHAT YOU WILL LEARN:

      ● Perform Wi-Fi Sniffing With Python.
      ● Perform Wi-Fi Attacks With Python.
      ● Perform Exploit Development With Python.

Introduction:

With each passing day, the wireless connectivity community has grown, but that growth has also ushered in many security issues. With wired connectivity, an attacker needs physical access in order to connect and attack, but in the case of wireless connectivity, an attacker only needs the signal to be within reach to launch an attack. Before proceeding, you should be aware of the terminology used:

Access Point (AP): It is a networking hardware device that allows a Wi-Fi compliant device to connect to a wired network.

Service Set Identifier (SSID): It is a sequence of 0–32 alphanumeric characters. It is used as an identifier for a wireless LAN, and is intended to be unique for a particular area. Since this identifier must often be entered into devices manually by a human user, it is often a human-readable string and thus commonly called the "Network Name".

Basic Service Set Identification (BSSID): It is the MAC address of the wireless AP.

Channel number: This represents the range of radio frequencies used by the AP for transmission.

Note: The channel number might change because of the AP's automatic channel selection. So, don't get confused if you see the channel number changing.

802.11: Provides bandwidth up to 1-2 Mbps in the 2.4 GHz frequency band. All components of 802.11 are defined as a set of Media Access Control (MAC) and Physical Layer (PHY) specifications. The MAC Layer is a sublayer of the Data Link Layer.

Frame: It is the Protocol Data Unit (PDU) of the Data Link Layer.

There are three main types of 802.11 Frames:

      ● Data Frame
      ● Control Frame
      ● Management Frame

These Frames are supported by The MAC Layer. The following figure represents the format of the MAC Layer:


(Figure 01). MAC Format

As you can see in the previous figure, there are three Addresses:

      ● Address 1: It's the MAC Address of the Client.
      ● Address 2: It's the MAC Address of the AP.
      ● Address 3: It's the MAC Address of the Source of Transmission.

In this article, we will focus on the "Management Frame". Now, let's see the transmitted frame between the Client and AP:

(Figure 02). Transmitted Frames

In the previous figure, we can see the exchange of frames. Let's take a look at the subtypes of management frame:

Beacon: The AP (Access Point) periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, etc.

Probe Request: The wireless device (client) sends out a probe request to determine which access points are within range.

Probe Response: In response to the probe request, a station (AP) responds with a probe response frame, containing capability information, supported data rates, etc.

Authentication Request: The client sends an authentication request frame containing its identity.

Authentication Response: The AP responds with either acceptance or rejection of the identity of the client.

Association Request: After successful authentication, the client sends an association request that contains its characteristics, such as supported data rates and the SSID of the AP.

Association Response: AP sends an association response that contains acceptance or rejection. In the case of acceptance, the AP will create an association ID for the client.

Reassociation Request: If a client roams away from the currently associated access point and finds another access point having a stronger beacon signal, the radio NIC will send a reassociation frame to the new access point.

Reassociation Response: An access point sends a reassociation response frame containing an acceptance or rejection notice to the radio NIC requesting reassociation.

Disassociation: A station sends a disassociation frame to another station if it wishes to terminate the association.

Deauthentication: A station sends a deauthentication frame to another station if it wishes to terminate secure communications.

Now, it's time for the practical part. In the following part, we will discuss how to perform wireless attacks with Python.

We will use Kali as our OS to work with these attacks. If you are using Kali as your host on your physical computer or laptop, you will have no problem performing these attacks. But, if you are using Kali as a Virtual Machine, you have to get yourself a USB Wireless Adapter, because the Virtual Machine doesn't use the actual hardware of the Wireless Adapter. You can't control the Wireless Adapter from the Virtual Machine.

Before performing any of these attacks, you need to enable monitor mode on your wireless interface with these commands:

(Figure 03). Listing Interfaces

As you can see in the previous figure, we only have one wireless interface corresponding to "wlan0". Let's start by enabling monitor mode on this interface:

(Figure 04). Switching to Monitor Mode

Great. We successfully enabled monitor mode on the interface. We are ready now to write our first program that sniffs SSID, BSSID and Channel of the AP.

Sniffing Beacon Frames:

(Figure 05). Sniffing Beacon Frames

We use the first line to instruct the system to run the program with the Python interpreter. Then we import the Scapy library, and in the next line we also import the struct library. In the next line, we declare an empty list which will store the MAC Addresses of the APs. Then we define a new function named "info" which takes one argument called "fm". In the next line, we add a condition to look for Dot11 packets only. In line number 8, we can see that we add another condition using the number "0" for the type of the packet, which refers to "Management Frame Packets", and the number "8" for the subtype of the packet, which indicates "Beacon Frames". In the next line, we add a third condition to check whether the MAC Address of the Beacon Frame Packet is already in the list or not. If the MAC Address doesn't exist in our list, we append it to our list. Then, we continue by printing the information we extracted from the packet, which is the following:

fm.info: The SSID of the AP.

fm.addr2: The MAC Address (BSSID).

ord(fm[Dot11Elt:3].info): ord is a function that converts a text character into its character code representation. To understand what Dot11Elt is, you need to know that when the stations start talking to each other, they also send a wealth of additional information called Information Elements. Each Information Element has an ID number, and each specific element has its own meaning. What we are looking for is the Information Element (Dot11Elt) with ID number "3"; this element is called Direct Spectrum (DSset), and it contains the channel number that the AP uses to communicate. In the last line, we use the built-in sniff function in Scapy, point it at our interface "wlan0", and assign our function called "info" to be applied to each packet we sniff.

Here is the result of the script:

(Figure 06). Output of Sniffing Beacon Frames

Note: We are not doing anything bad here, we are capturing the signals that are already on air.

To understand what we are going to do next, you need to know the code of each subtype we are going to look for:

(Figure 07). Subtypes of Management Frames

There are two types of scans when dealing with wireless APs. First, Passive Scan. In Passive Scanning, the WLAN station moves to each channel as per the channel list and waits for beacon frames. These frames are buffered and are used to decode and extract information about BSSs.

(Figure 08). Passive Scanning

This passive scanning will save battery power as it does not need to transmit. As shown in the previous figure, the WLAN client receives beacon frames from three access points and hence it will declare that it has found only three BSSs.

(Figure 09). Active Scanning

Second, Active Scan. In Active Scanning, stations play an active role. Probe Request frames are used to obtain responses from the network of choice. In Active Scanning, the station finds the network rather than waiting for the network to announce its availability to all the stations.

We already know how to look for beacon frames and extract the information we need. Now, we are going to see how to sniff Probe Requests to extract information, like the clients of the AP (the devices that use the AP to connect to the internet).

(Figure 10). Detecting Clients of AP

In line number 6, we make a new list to save the MAC addresses of the clients we find. In the next line, we ask the user to enter the name of the AP, which will be stored in the "ap_name" variable. In line number 9, we define a new function called "probesniff", which takes only one argument called "fm". In the next line, we add a condition looking only for "Probe Request" packets. Then, we make a new variable and assign the name of the AP to it. In the next line, we add another condition to check if the name of the AP is the same as the one the user entered. In line number 13, we add a new condition to check whether the client's MAC Address already exists in the list of clients or not. If it does not exist, we print the name of the AP and the MAC Address of the client we found, and then we append the new MAC address to the list of clients we made earlier.

Now, let's see the output of our script:

(Figure 11). Output of Detecting Clients

Next, we will see how to perform active scanning trying to get the APs to respond to us without waiting for APs to send "Beacon Frames" into the air.

As we mentioned before, in Active Scanning, we send a "Probe Request" Frame Packet to force the AP to respond to us with "Probe Response" Frame Packet:

(Figure 12). Sending Probe Requests

Let's look at the new things added in the preceding program. In line number 5, we import a new library called "os"; this module provides a portable way of using operating system dependent functionality. In line number 8, we make a new variable to store the broadcast receiver and assign it the value "FF:FF:FF:FF:FF:FF", which will make the frames addressed to every AP in our range. Then, we assign "RandMAC()" to a new variable, which will produce a random MAC every time we use it. In line number 11, we define a new function called "channel_hopper", which changes the channel we are transmitting on to a random one in the range "1 to 15". After that, we make a new function called "ProbeSender". In line number 18, we make a new variable and assign it the structure of the Probe Request Frame: first we need a RadioTap layer, then we put another layer of Dot11 on top and assign addr1 (Broadcast Receiver) to "m=FF:FF:FF:FF:FF:FF", which, as I said before, makes our Frame addressed to every AP in our range; then we assign addr2 (Source Address) to the Random MAC, which gives a new MAC Address to the source address in every frame we send; for addr3 (BSSID), we also assign the Random MAC, which gives another Random MAC Address to the BSSID. For the third part of our frame, we add a Probe Request layer. As I said before, every management frame has to contain layers called Information Elements, which we have to append to our Frame packet as the fourth part. Last, but not least, we change our channel as well as sending the frame we made.

Then, we will use this code to sniff the responses of the APs:

(Figure 13). Sniffing Probe Responses

There is nothing different about this code, the only difference is that we are looking for Probe Responses.

Now, let's see the output of our code:

(Figure 14). Output of Active Scanning

As you can see in the preceding figure, our code worked as expected. We forced the APs in our range to announce themselves.

Where have you been?

In an attempt to provide seamless connectivity, your computer and phone often keep a preferred network list, which contains the names of wireless networks you have successfully connected to in the past. Either when your computer boots up or after disconnecting from a network, your computer frequently sends 802.11 Probe Requests to search for each of the network names on that list.

Next, we will write a script that detects Probe Requests. Our code will print the network name if the request contains a new network name.

(Figure 15). Detecting Preferred Networks

In the previous figure, we detect the Probe Requests that are in the air, and then we print the network name along with the MAC address of the device (Station) that sent it.

Now, let's start up our script to see Probe Request from the computers or phones in our range:

(Figure 16). Revealing Preferred Networks

As you can see in the previous figure, our code worked as expected. We successfully extracted the Network Name, and the MAC Address of the device it belongs to.

Is there a hidden network in our range?

According to the IEEE 802.11 standards, every wireless network must have an identifier that's used by devices to connect to that network. This is called the Service Set Identifier (SSID); it basically means "Network Name".
As we mentioned earlier, every so often, routers broadcast something called a "Beacon Frame". This is nothing more than a transmission that contains information about the network, including the SSID, and is meant to announce that this network exists. This is how your phone, for example, knows about all of the Wi-Fi networks around you. (Beacon frames are broadcast about once every 100 milliseconds.)

The Theory behind Hidden Networks:

Wireless signals are all the same: they start at a source (your router) and travel out in all directions. There's no way to "aim" a Wi-Fi transmission in a straight line from your router to your computer, and even if you could, you wouldn't be able to stop the signal as soon as it reached its intended recipient; it will keep going.

How do we find the Hidden Networks in our range?

Let's assume that your wireless network is NOT broadcasting its SSID. Nobody knows it exists except you. Does that mean you are safe and nobody can find out about the existence of your Wi-Fi Network? Actually, even if your network stops broadcasting its SSID, other people can still find it by intercepting your transmissions to the router, and the router's transmissions to you.

Now, let's write a code to intercept the Hidden Networks transmissions:

(Figure 17). Detecting Hidden Networks

There is only one difference between this code and our previous programs. In this code, we are looking for the "Beacon Frames" that don't contain any SSID and then we print the MAC Address of that network.

Let's see the output of our code:

(Figure 18). Revealing Hidden Networks

As you can see, there is only one hidden network that I configured earlier.

How do you De-cloak Hidden Networks?

While a Hidden Network leaves the info field blank when transmitting Beacon Frames, it does transmit the name in its Probe Responses. To discover the hidden name, we must wait for a Probe Response whose MAC Address matches the one we discovered while looking for Hidden Networks in the previous figure.

Let's update our previous code to make it also sniff Probe Responses:

(Figure 19). Decloaking Hidden Networks

As you can see in the previous figure, we only updated our code to look for Probe Responses, filter them by comparing the MAC address of the frame with the MAC address of the Hidden Network, and then print the Name of the Network, as you can see in the next figure:
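As an added example (not the article's own code, which lives in the figures), here is a Scapy-free parser for the beacon and probe response frames discussed in the beacon-sniffing section and in the hidden-network sections above. It pulls the SSID, BSSID and channel (Information Element ID 3) out of a raw frame, and `track_networks` applies the decloaking logic: a beacon with an empty SSID marks the BSSID hidden, and a probe response from the same BSSID reveals the name. `build_frame` and the MAC addresses are constructed only to produce test input offline.

```python
import struct

# 802.11 management subtypes (type 0) and Information Element IDs used here
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0         # Information Element ID 0: SSID
IE_DS_PARAMS = 3    # Information Element ID 3: DS Parameter Set (channel)

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def parse_mgmt_frame(frame):
    """Parse a raw beacon or probe response (no RadioTap header) into its
    addresses, channel and SSID; return None for any other frame.  An
    empty or all-NUL SSID element is reported as ssid=None (hidden)."""
    if len(frame) < 36:
        return None
    fc = frame[0]                                   # frame control byte
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    info = {"subtype": subtype, "addr1": mac_str(frame[4:10]),
            "addr2": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "ssid": None, "channel": None}
    # 24-byte MAC header, then fixed fields: timestamp(8) interval(2) capab(2)
    body, pos = frame[36:], 0
    while pos + 2 <= len(body):                     # walk the IE list
        ie_id, ie_len = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + ie_len]
        if len(data) < ie_len:
            break                                   # truncated element
        if ie_id == IE_SSID and data.strip(b"\x00"):
            info["ssid"] = data.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAMS and ie_len >= 1:
            info["channel"] = data[0]
        pos += 2 + ie_len
    return info

def build_frame(subtype, bssid, ssid, channel, dst=b"\xff" * 6):
    """Construct a sample beacon/probe response for offline testing."""
    header = bytes([subtype << 4, 0, 0, 0]) + dst + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)    # timestamp, interval, capab
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies

def track_networks(frames):
    """Merge beacons and probe responses by BSSID.  A beacon with no SSID
    marks the BSSID hidden; a later probe response from that BSSID reveals
    the name, which is the decloaking step described in the text."""
    seen = {}
    for f in frames:
        p = parse_mgmt_frame(f)
        if p is None:
            continue
        ent = seen.setdefault(p["bssid"],
                              {"ssid": None, "hidden": False, "channel": None})
        if p["channel"] is not None:
            ent["channel"] = p["channel"]
        if p["subtype"] == SUBTYPE_BEACON and p["ssid"] is None:
            ent["hidden"] = True
        elif p["ssid"] is not None:
            ent["ssid"] = p["ssid"]
    return seen
```

To use it on live traffic, feed `track_networks` the raw bytes of each captured management frame after stripping the RadioTap header.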

(Figure 20). Revealing the Name of Hidden Networks

Up to this point, we have seen various sniffing techniques that gather information about the clients and APs around us. Now, we will see how to perform wireless attacks.

Deauthentication Attack:

It's a type of denial of service attack that targets communication between a user and a Wi-Fi wireless access point.

How Does a Deauthentication Attack work?

The 802.11 (Wi-Fi) protocol contains different types of frames, some of which we have already seen. We already defined the Deauthentication Frame: it's a subtype of Management Frame, and the client uses it to declare that it wishes to disconnect from the AP. The AP also sends a deauthentication frame in the form of a reply. An attacker can send a wireless access point a deauthentication frame at any time on behalf of the client, using the client's MAC Address, which we already discussed how to obtain.

It depends on what you want to do. If you want to deauthenticate all of the AP's clients, you can use this code:

(Figure 21). Deauthenticating the whole AP

On the other side, if you want to target a specific client, you can use this code:

(Figure 22). Deauthenticating Specific Target

This code is very easy to understand. The frame variable contains the Deauthentication Packet. We used "sendp" to send our packet, with "count" giving the total number of packets to send and "inter" the interval between the packets we send.

Now, let's see the output of our code:

(Figure 23). Output of Deauthenticating Script

Detecting Deauthentication Attacks:

There is no countermeasure to protect yourself from Deauthentication Attacks, but you can detect them with this code:


(Figure 24). Detecting Deauthentication Attacks
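As an added example (not the article's code), a Scapy-free detector for the deauthentication frames described above: it applies the same type 0 / subtype 12 test the page's Scapy scripts use, reads the reason code, and counts frames per BSSID in a sliding window so that a burst is reported as an alert. The window, threshold, MAC addresses and `build_deauth` helper are constructed values for offline testing.

```python
from collections import deque

SUBTYPE_DEAUTH = 12     # management (type 0) subtype 12 = Deauthentication

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def parse_deauth(frame):
    """Return (addr1, addr2, bssid, reason_code) for a raw deauthentication
    frame without RadioTap header, or None for any other frame."""
    if len(frame) < 26:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or fc >> 4 != SUBTYPE_DEAUTH:
        return None
    reason = int.from_bytes(frame[24:26], "little")   # 2-byte reason code
    return (mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), reason)

def build_deauth(dst, src, bssid, reason=7):
    """Construct a sample deauth frame (frame control 0xC0) for testing."""
    header = bytes([SUBTYPE_DEAUTH << 4, 0, 0, 0]) + dst + src + bssid + b"\x00\x00"
    return header + reason.to_bytes(2, "little")

class DeauthDetector:
    """Count deauthentication frames per BSSID in a sliding time window.
    Normal roaming produces a handful of deauths; a burst of `threshold`
    or more within `window` seconds is reported as a flood."""

    def __init__(self, window=1.0, threshold=10):
        self.window, self.threshold = window, threshold
        self.history = {}           # bssid -> deque of recent timestamps
        self.alerts = []

    def feed(self, ts, frame):
        """Feed one frame with its capture timestamp; return an alert dict
        when the burst threshold is crossed, otherwise None."""
        p = parse_deauth(frame)
        if p is None:
            return None
        dst, src, bssid, reason = p
        q = self.history.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop frames outside window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"ts": ts, "bssid": bssid, "sender": src, "target": dst,
                     "reason": reason, "count": len(q)}
            self.alerts.append(alert)
            return alert
        return None
```

Once the threshold is crossed, every further frame in the window produces an alert, so `alerts` grows for the duration of the burst; tune `threshold` to the roaming rate normally seen on the network.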
