diff --git a/wifi-beacon-fuzz.py b/wifi-beacon-fuzz.py new file mode 100644 index 0000000..de09559 --- /dev/null +++ b/wifi-beacon-fuzz.py @@ -0,0 +1,113 @@ +from scapy.all import * +import urllib.parse +#from random import randbytes +import random + +iface = 'wlan1' +sender = 'ac:cb:12:ad:58:27' + +def sendProbe(SSID, repeat=3, interval=0.100): + dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', + addr2=sender, addr3=sender) + beacon = Dot11Beacon() + essid = Dot11Elt(ID='SSID',info=SSID, len=len(SSID)) + frame = RadioTap()/dot11/beacon/essid + sendp(frame, iface=iface, inter=interval, count=repeat) + +def sendProbeRaw(SSID, repeat=1, interval=0.200, listedLen=255): + dot11 = Dot11(type=0, subtype=8, addr1='ff:ff:ff:ff:ff:ff', + addr2=sender, addr3=sender) + beacon = Dot11Beacon() + essid = Dot11Elt(ID='SSID',info=RawVal(SSID), len=listedLen) + frame = RadioTap()/dot11/beacon/essid + sendp(frame, iface=iface, inter=interval, count=repeat) + +def sendRandBytesBeacons(numOfBeacons=200, lenOfSSIDs=20, repeat=3, interval=0.100): + for i in range(numOfBeacons): + SSID = randbytes(lenOfSSIDs) + urlEncoded = urllib.parse.quote(SSID) + print(f"\n{i} of {numOfBeacons}\n\tRepeats: {repeat}\n\tLength: {lenOfSSIDs}\n\tSSID: {urlEncoded}\n") + sendProbe(SSID, repeat, interval) + +def sendProbeFuzz(repeat=1, interval=0.150): + randMAC = '6e:07:9e:96:2b:4e' + # randMAC = RandMAC() + randLen = RandNum(0, 255) + randSSIDLen = random.randint(0,255) + randSSIDBytes = random.randbytes(randSSIDLen) + urlEncoded = urllib.parse.quote(randSSIDBytes) + + dot11 = Dot11(type=0, + subtype=8, + addr1='ff:ff:ff:ff:ff:ff', # dst set to broadcast + addr2=randMAC, # random source + addr3=randMAC) # random bssid + + beacon = Dot11Beacon() + + essid = Dot11Elt(ID='SSID', + info=RawVal(randSSIDBytes), + len=RawVal(randLen)) + + frame = RadioTap()/dot11/beacon/essid + + print(f"src={randMAC}, dst=ff:ff:ff:ff:ff:ff, BSSID={randMAC}\n\tSSID Set Length: {randLen}\n\tActual SSID Length: {randSSIDLen}\n\tSSID: {urlEncoded}") + sendp(frame, iface=iface, inter=interval, count=repeat) + +def sendFuzzBeacons(numOfBeacons=200, + repeat=1, + interval=0.150): + + for i in range(numOfBeacons): + print(f"\n{i} of {numOfBeacons}") + sendProbeFuzz() + +def sendRandBytesBeaconsRaw( + numOfBeacons=200, + lenOfSSIDs=256, + listedLen=255, + repeat=1, + interval=0.2): + + for i in range(numOfBeacons): + SSID = random.randbytes(lenOfSSIDs) + urlEncoded = urllib.parse.quote(SSID) + print(f"\n{i} of {numOfBeacons}\n\tRepeats: {repeat}\n\tListed Length: {listedLen}\n\tReal Length: {lenOfSSIDs}\n\tInterval: {interval} Seconds\n\tSSID: {urlEncoded}") + sendProbeRaw(SSID, repeat, interval, listedLen) + + + +#sendRandBytesBeaconsRaw(numOfBeacons=100, lenOfSSIDs=1, listedLen=255, repeat=3, interval=0.15) +#sendRandBytesBeacons(100, 20, 5, 0.1) + + +def fullFuzz( + numOfBeacons=200, + repeat=3, + interval=0.150): + + for i in range(numOfBeacons): + realLenSSID = random.randint(0,255) + SSID = random.randbytes(realLenSSID) + urlEncoded = urllib.parse.quote(SSID) + fakeLenSSID = random.randint(0,255) + senderMAC = RandMAC() + + dot11 = Dot11(type=0, subtype=8, + addr1='ff:ff:ff:ff:ff:ff', + addr2=senderMAC, + addr3=senderMAC) + + beacon = Dot11Beacon() + + essid = Dot11Elt(ID='SSID', + info=SSID, + len=fakeLenSSID) + + frame = RadioTap()/dot11/beacon/essid + + print(f"\n{i}/{numOfBeacons}\n\tEach Repeats: {repeat}\n\tReal Length: {realLenSSID}\n\tFake Length: {fakeLenSSID}\n\tSender MAC: {senderMAC}\n\tSSID: {urlEncoded}\n") + + sendp(frame, iface=iface, inter=interval, count=repeat) + +fullFuzz() \ No newline at end of file