dcsimg
LinkedIn
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


advertisement
 

Secure Your Wireless Networks with Scapy Packet Manipulation : Page 3

To secure a wireless network you must first determine the state of the network and then provide a defense against intrusions. Enter Scapy, a packet-crafting tool written in Python.


by Shreeraj Shah
Jun 12, 2007
Page 3 of 5
advertisement
Discovering Hidden Access Points and SSID
In many cases access points are deployed in such a way that they are restricted from broadcasting beacon packets. At the same time it is also possible to cloak SSIDs so they cannot be determined by simply looking at the beacon. The previous example detected one beacon packet with cloaked SSID as shown below: 

00:06:25:51:6b:79['\x00\x00\x00\x00\x00\x00\x00'|ESS+privacy]

You can sniff non-beacon packets and try to determine hidden access points or cloaked SSIDs. Management frames probe and associate disclose these values. Scapy has support for several of these layers as well, as shown below:

>>> Dot11
Dot11 Dot11AssoResp Dot11ProbeReq
Dot11ATIM Dot11Auth Dot11ProbeResp
Dot11Addr2MACField Dot11Beacon Dot11ReassoReq
Dot11Addr3MACField Dot11Deauth Dot11ReassoResp
Dot11Addr4MACField Dot11Disas Dot11WEP
Dot11AddrMACField Dot11Elt Dot11AssoReq
Dot11PacketList
>>>

Here is a simple script to extract non-beacon packets and SSIDs: 


#!/usr/bin/env python

import sys
from scapy import *

interface = sys.argv[1]    
unique = []

def sniffNonBeacon(p):	
     if not p.haslayer(Dot11Beacon):
          if unique.count(p.addr2) == 0:
               unique.append(p.addr2)
print p.sprintf("[%Dot11.addr1%][%Dot11.addr2%][%Dot11Elt.info%]")
print p.summary()

sniff(iface=interface,prn=sniffNonBeacon)

This is the output of the script: 


root@bluelinux:/home/shreeraj/wifi# ./sniffnb.py eth1
[00:0b:6c:21:27:c5][00:06:25:51:6b:79]['linksys']
802.11 Management 5L 00:06:25:51:6b:79 > 00:0b:6c:21:27:c5 / Dot11ProbeResp / SSID='linksys' / Dot11Elt / Dot11Elt
[00:06:25:51:6b:79][00:00:00:00:00:00][??]
802.11 Control 13L 00:00:00:00:00:00 > 00:06:25:51:6b:79
[ff:ff:ff:ff:ff:ff][00:0b:6c:21:27:c5]['linksys']
802.11 Management 4L 00:0b:6c:21:27:c5 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='linksys' / Dot11Elt

As is evident, we have harvested the 'linksys' SSID for the access point 00:06:25:51:6b:79, extracted from both probe request and response packet. Whenever a new client tries to access the access point, this packet is sent out "in the air" and is served by the corresponding access point. This way you can discover hidden networks in the air.



« Previous Page 12345 Next Page »
Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date