RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Secure Your Wireless Networks with Scapy Packet Manipulation : Page 3

To secure a wireless network you must first determine the state of the network and then provide a defense against intrusions. Enter Scapy, a packet-crafting tool written in Python.

Discovering Hidden Access Points and SSID
In many cases access points are deployed in such a way that they are restricted from broadcasting beacon packets. At the same time it is also possible to cloak SSIDs so they cannot be determined by simply looking at the beacon. The previous example detected one beacon packet with cloaked SSID as shown below:


You can sniff non-beacon packets and try to determine hidden access points or cloaked SSIDs. Management frames probe and associate disclose these values. Scapy has support for several of these layers as well, as shown below:

>>> Dot11
Dot11 Dot11AssoResp Dot11ProbeReq
Dot11ATIM Dot11Auth Dot11ProbeResp
Dot11Addr2MACField Dot11Beacon Dot11ReassoReq
Dot11Addr3MACField Dot11Deauth Dot11ReassoResp
Dot11Addr4MACField Dot11Disas Dot11WEP
Dot11AddrMACField Dot11Elt Dot11AssoReq

Here is a simple script to extract non-beacon packets and SSIDs:

#!/usr/bin/env python

import sys
from scapy import *

interface = sys.argv[1]    
unique = []

def sniffNonBeacon(p):	
     if not p.haslayer(Dot11Beacon):
          if unique.count(p.addr2) == 0:
print p.sprintf("[%Dot11.addr1%][%Dot11.addr2%][%Dot11Elt.info%]")
print p.summary()


This is the output of the script:

root@bluelinux:/home/shreeraj/wifi# ./sniffnb.py eth1
802.11 Management 5L 00:06:25:51:6b:79 > 00:0b:6c:21:27:c5 / Dot11ProbeResp / SSID='linksys' / Dot11Elt / Dot11Elt
802.11 Control 13L 00:00:00:00:00:00 > 00:06:25:51:6b:79
802.11 Management 4L 00:0b:6c:21:27:c5 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='linksys' / Dot11Elt

As is evident, we have harvested the 'linksys' SSID for the access point 00:06:25:51:6b:79, extracted from both probe request and response packet. Whenever a new client tries to access the access point, this packet is sent out "in the air" and is served by the corresponding access point. This way you can discover hidden networks in the air.

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date