Browse DevX
Sign up for e-mail newsletters from DevX


Secure Your Wireless Networks with Scapy Packet Manipulation : Page 4

To secure a wireless network you must first determine the state of the network and then provide a defense against intrusions. Enter Scapy, a packet-crafting tool written in Python.




Building the Right Environment to Support AI, Machine Learning and Deep Learning

MAC and IP Address Harvesting
The MAC address of a station is a critical identity point for wireless networks. The Dot11 packet has four addresses at the top (see Figure 1). Addr1 is the address for recipients and addr2 is the address for transmitters. These MAC addresses can be harvested very easily. Here is a simple script to capture them:

import sys from scapy import * interface = sys.argv[1] unique = [] def sniffMAC(p): if p.haslayer(Dot11): mac = p.sprintf("[%Dot11.addr1%)|(%Dot11.addr2%)|(%Dot11.addr3%)]") if unique.count(mac) == 0: unique.append(mac) print mac sniff(iface=interface,prn=sniffMAC)

The following is a sample output for the same:

root@bluelinux:/home/shreeraj/wifi# ./sniffmac.py eth1 [ff:ff:ff:ff:ff:ff)|(00:30:bd:ca:1e:1e)|(00:30:bd:ca:1e:1e)] [ff:ff:ff:ff:ff:ff)|(00:12:17:3c:b6:ed)|(00:12:17:3c:b6:ed)] [09:00:07:ff:ff:ff)|(00:12:17:3c:b6:ed)|(00:14:bf:6d:d5:4d)] [00:12:17:3c:b6:ed)|(00:30:65:06:8c:eb)|(00:0f:a3:1f:b4:ff)]

This information can be linked to an access point's MAC address to get a list of clients connecting to that particular access point.

Another way of accessing some internal MAC addresses along with IP addresses is by capturing ARP and IP layers residing in the Dot11 packet. If packets are not encrypted with a WEP key, packets can reveal this internal information. Here is a sample script to harvest these packets and information:

import sys from scapy import * interface = sys.argv[1] unique = [] def sniffarpip(p): if p.haslayer(IP): ip = p.sprintf("IP - [%IP.src%)|(%IP.dst%)]") if unique.count(ip) == 0: unique.append(ip) print ip elif p.haslayer(ARP): arp = p.sprintf("ARP - [%ARP.hwsrc%)|(%ARP.psrc%)]-[%ARP.hwdst%)|(%ARP.pdst%)]") if unique.count(arp) == 0: unique.append(arp) print arp sniff(iface=interface,prn=sniffarpip)

Run this script to fetch IPs and ARPs:

root@bluelinux:/home/shreeraj/wifi# ./sniffarpip.py eth1 IP - [|(] IP - [|(] ARP - [00:0f:a3:1f:b4:ff)|(]-[00:00:00:00:00:00)|(] ARP - [00:30:65:06:8c:eb)|(]-[00:0f:a3:1f:b4:ff)|(]

Some of these addresses may be internal to the network.

A MAC address can help an attacker hack into MAC-filtered access points. An access point authenticates MAC addresses in their auth frames before associating the client address, and an attacker can replicate this behavior by spoofing a MAC address extracted from the sniffed traffic. MAC-based filtering at access points is trivial.

Internal IP disclosure poses another threat. An attacker can bind to an IP address along with a MAC address to become a part of your internal network and start typical scanning tools against the ranges.

Thanks for your registration, follow us on our social networks to keep up-to-date