

Secure Your Wireless Networks with Scapy Packet Manipulation : Page 4

To secure a wireless network you must first determine the state of the network and then provide a defense against intrusions. Enter Scapy, a packet-crafting tool written in Python.

MAC and IP Address Harvesting
The MAC address of a station is a critical identity point for wireless networks. An 802.11 frame header carries up to four address fields (see Figure 1). Addr1 is the receiver address and addr2 the transmitter address; addr3 is the BSSID or the original source/destination, depending on the To-DS/From-DS flags, and addr4 appears only in frames relayed between access points. These MAC addresses can be harvested very easily. Here is a simple script to capture them:
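To make the address roles concrete without needing Scapy, a monitor-mode card or root, here is an added example (not code from the original article) that decodes the 802.11 MAC header of raw frames with the standard library, derives DA/SA/BSSID from the To-DS/From-DS bits, and builds the access-point-to-client map the text mentions below. The frames, MAC addresses and helper names are constructed for the example; the address-role table itself is the one from the 802.11 standard.

```python
import struct
from collections import defaultdict

# Frame-control flags (second byte of the Frame Control field).
TO_DS, FROM_DS = 0x01, 0x02

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def parse_dot11(frame):
    """Decode the 802.11 MAC header (no radiotap prefix) of a raw frame.

    Returns type/subtype, the raw address fields and the DA/SA/BSSID roles,
    which depend on the To-DS/From-DS bits (802.11 address-field table)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & TO_DS), bool(fc1 & FROM_DS)
    a1, a2, a3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    a4 = None
    if to_ds and from_ds:                       # WDS (AP-to-AP) frame carries addr4
        if len(frame) < 30:
            raise ValueError("WDS frame shorter than the 30-byte MAC header")
        a4 = mac_str(frame[24:30])
    if not to_ds and not from_ds:               # management / IBSS: DA, SA, BSSID
        da, sa, bssid = a1, a2, a3
    elif to_ds and not from_ds:                 # client -> AP: BSSID, SA, DA
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:                 # AP -> client: DA, BSSID, SA
        da, bssid, sa = a1, a2, a3
    else:                                       # WDS: RA, TA, DA, SA
        da, sa, bssid = a3, a4, None
    return {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "addr1": a1, "addr2": a2, "addr3": a3, "addr4": a4,
            "da": da, "sa": sa, "bssid": bssid}

def harvest_clients(frames):
    """Map each BSSID to the station MACs seen talking through it.

    Beacons / probe responses (management subtype 8 / 5) announce a BSSID; data
    frames with exactly one of To-DS/From-DS set tie a station to that BSSID."""
    aps = defaultdict(set)
    for frame in frames:
        h = parse_dot11(frame)
        if h["type"] == 0 and h["subtype"] in (5, 8):
            aps[h["bssid"]]                      # records the AP even before a client is seen
        elif h["type"] == 2 and h["to_ds"] != h["from_ds"]:
            station = h["sa"] if h["to_ds"] else h["da"]
            aps[h["bssid"]].add(station)
    return {bssid: sorted(stas) for bssid, stas in aps.items()}

def build_frame(fc0, fc1, addr1, addr2, addr3, addr4=None, body=b""):
    """Assemble a minimal 802.11 frame: FC, duration, addr1-3, sequence control [, addr4]."""
    hdr = struct.pack("<BBH", fc0, fc1, 0) + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    hdr += struct.pack("<H", 0)                  # sequence control (seq 0, frag 0)
    if addr4:
        hdr += mac_bytes(addr4)
    return hdr + body

# Constructed sample capture (locally administered MACs, not a real network).
AP, AP2 = "02:00:00:00:aa:01", "02:00:00:00:aa:02"
STA1, STA2, GW = "02:00:00:00:c1:01", "02:00:00:00:c2:02", "02:00:00:00:ee:ee"
SAMPLE = [
    build_frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP, AP),         # beacon from AP
    build_frame(0x08, TO_DS, AP, STA1, GW),                       # STA1 -> AP -> GW
    build_frame(0x08, FROM_DS, STA2, AP, GW),                     # GW -> AP -> STA2
    build_frame(0x88, FROM_DS, STA1, AP, GW, body=b"\x00\x00"),   # QoS data to STA1
    build_frame(0x08, TO_DS | FROM_DS, AP2, AP, STA2, addr4=GW),  # WDS AP -> AP2
]

if __name__ == "__main__":
    for bssid, stations in harvest_clients(SAMPLE).items():
        print(bssid, "->", ", ".join(stations) or "(no clients seen)")
```

Only data frames with exactly one of the DS bits set are used for the client map: with both bits set the frame is AP-to-AP and has no single BSSID, and with neither set it is a management or ad-hoc frame, where addr2 is the transmitter but not necessarily an associated client.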

#!/usr/bin/env python
import sys
from scapy.all import *

interface = sys.argv[1]
unique = []

def sniffMAC(p):
    # Every 802.11 frame carries addr1 (receiver) and addr2 (transmitter);
    # addr3 is the BSSID or the original source/destination, depending on To-DS/From-DS.
    if p.haslayer(Dot11):
        mac = p.sprintf("[%Dot11.addr1%|%Dot11.addr2%|%Dot11.addr3%]")
        if mac not in unique:
            unique.append(mac)
            print(mac)

# The interface must be in monitor mode; sniffing raw frames requires root.
sniff(iface=interface, prn=sniffMAC)


A sample run:

root@bluelinux:/home/shreeraj/wifi# ./sniffmac.py eth1

This information can be linked to an access point's MAC address to get a list of clients connecting to that particular access point: in a data frame sent by a client, addr1 is the BSSID and addr2 the client; in a frame sent by the access point, addr2 is the BSSID and addr1 the client.

Another way of obtaining internal MAC addresses, together with IP addresses, is to capture the ARP and IP layers carried inside the Dot11 data frames. If the frames are not encrypted with a WEP key (the Protected bit in the frame control field is clear), they reveal this internal information directly. Here is a sample script to harvest these packets and the addresses in them:

#!/usr/bin/env python
import sys
from scapy.all import *

interface = sys.argv[1]
unique = []

def sniffarpip(p):
    # Only unencrypted data frames decode to an IP or ARP layer.
    if p.haslayer(IP):
        ip = p.sprintf("IP - [%IP.src%|%IP.dst%]")
        if ip not in unique:
            unique.append(ip)
            print(ip)
    elif p.haslayer(ARP):
        arp = p.sprintf("ARP - [%ARP.hwsrc%|%ARP.psrc%]-[%ARP.hwdst%|%ARP.pdst%]")
        if arp not in unique:
            unique.append(arp)
            print(arp)

sniff(iface=interface, prn=sniffarpip)


Run the script to collect IP and ARP addresses:

root@bluelinux:/home/shreeraj/wifi# ./sniffarpip.py eth1
IP - [|(]
IP - [|(]
ARP - [00:0f:a3:1f:b4:ff)|(]-[00:00:00:00:00:00)|(]
ARP - [00:30:65:06:8c:eb)|(]-[00:0f:a3:1f:b4:ff)|(]

Some of these addresses may be internal to the network.
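The following added example (not from the original article) shows what the Scapy script above does under the hood and adds the check the prose calls for: it walks a raw 802.11 data frame to its body, skips frames whose Protected bit is set (their body is WEP/WPA ciphertext, so any ARP or IP "header" read from it would be garbage), strips the LLC/SNAP encapsulation, and pulls the MAC/IP pairs out of the ARP or IPv4 header. The frames, addresses and function names are constructed for the example; the LLC/SNAP, ARP and IPv4 layouts are the standard ones.

```python
import struct

# RFC 1042 LLC/SNAP encapsulation that precedes the EtherType in 802.11 data frames.
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
ETH_ARP, ETH_IP = 0x0806, 0x0800
PROTECTED = 0x40                               # Frame Control flag: body is WEP/WPA ciphertext

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def data_body(frame):
    """Return (body, None) for an unprotected 802.11 data frame, else (None, reason).

    The body offset depends on addr4 (To-DS and From-DS both set) and on the
    2-byte QoS Control field present in QoS-data subtypes (subtype bit 3)."""
    if len(frame) < 24:
        return None, "truncated frame"
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        return None, "not a data frame"
    if fc1 & PROTECTED:
        return None, "protected frame, payload is ciphertext"
    offset = 24
    if fc1 & 0x03 == 0x03:
        offset += 6
    if fc0 & 0x80:
        offset += 2
    return frame[offset:], None

def harvest_arp_ip(frame):
    """Pull MAC/IP pairs out of the ARP or IPv4 header carried by a data frame."""
    body, reason = data_body(frame)
    if body is None:
        return {"skipped": reason}
    if len(body) < 8 or not body.startswith(LLC_SNAP):
        return {"skipped": "no LLC/SNAP header"}
    ethertype = struct.unpack(">H", body[6:8])[0]
    payload = body[8:]
    if ethertype == ETH_ARP and len(payload) >= 28:
        hlen, plen = payload[4], payload[5]
        if (hlen, plen) != (6, 4):
            return {"skipped": "ARP is not Ethernet/IPv4"}
        return {"proto": "ARP", "op": struct.unpack(">H", payload[6:8])[0],
                "hwsrc": mac_str(payload[8:14]), "psrc": ip_str(payload[14:18]),
                "hwdst": mac_str(payload[18:24]), "pdst": ip_str(payload[24:28])}
    if ethertype == ETH_IP and len(payload) >= 20 and payload[0] >> 4 == 4:
        return {"proto": "IP", "ipproto": payload[9],
                "src": ip_str(payload[12:16]), "dst": ip_str(payload[16:20])}
    return {"skipped": "ethertype 0x%04x not handled" % ethertype}

# --- constructed sample frames (locally administered MACs, RFC 1918 addresses) ---
def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))

def dot11_data(fc1, addr1, addr2, addr3, ethertype, payload):
    """Non-QoS data frame (subtype 0) wrapping one LLC/SNAP-encapsulated payload."""
    hdr = (struct.pack("<BBH", 0x08, fc1, 0) + mac_bytes(addr1) + mac_bytes(addr2)
           + mac_bytes(addr3) + struct.pack("<H", 0))
    return hdr + LLC_SNAP + struct.pack(">H", ethertype) + payload

AP, STA, GW = "02:00:00:00:aa:01", "02:00:00:00:c1:01", "02:00:00:00:ee:ee"
# ARP request "who-has 192.168.1.1 tell 192.168.1.50": htype 1, ptype 0x0800, hlen 6, plen 4, op 1
ARP_REQ = (struct.pack(">HHBBH", 1, 0x0800, 6, 4, 1) + mac_bytes(STA) + ip_bytes("192.168.1.50")
           + b"\x00" * 6 + ip_bytes("192.168.1.1"))
# Minimal IPv4 header: TCP (protocol 6) from 192.168.1.1 to 192.168.1.50, checksum left zero
IPV4 = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                   ip_bytes("192.168.1.1"), ip_bytes("192.168.1.50"))
SAMPLE = [
    dot11_data(0x01, AP, STA, GW, ETH_ARP, ARP_REQ),           # STA -> AP, cleartext ARP
    dot11_data(0x02, STA, AP, GW, ETH_IP, IPV4),               # AP -> STA, cleartext IPv4
    dot11_data(0x02 | PROTECTED, STA, AP, GW, ETH_IP, IPV4),   # same, but Protected bit set
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(harvest_arp_ip(frame))
```

The third sample is the failure mode worth remembering: a protected frame still has addr1/addr2/addr3 in the clear, so the MAC harvesting script keeps working against encrypted networks, but the ARP/IP script only yields addresses when the link is open or the key is known.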

A harvested MAC address also lets an attacker get past MAC-filtered access points. A filtering access point checks the transmitter address (addr2) of the authentication and association frames against its allow list before associating the client; an attacker who sets the wireless card's MAC address to one extracted from the sniffed traffic sends frames the access point cannot tell apart from the legitimate client's. MAC-based filtering at access points is therefore trivial to bypass.
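To show exactly what the access point sees, here is an added model of the Open System authentication exchange (constructed for this article, not code from it): the station side builds the authentication request frame, the access-point side applies an allow list to the only identity it has, addr2, and answers with a success or failure status. Nothing is transmitted; the MAC addresses, allow list and function names are assumptions for the example, while the frame layout (management subtype 11 with a 6-byte algorithm/sequence/status body) is the standard one.

```python
import struct

AUTH_OPEN = 0                                  # authentication algorithm: Open System
STATUS_SUCCESS, STATUS_FAILURE = 0, 1          # 802.11 status codes

def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def build_auth(addr1, addr2, bssid, seq_num, status):
    """802.11 Authentication frame (management type 0, subtype 11 -> FC byte 0xB0).

    Header: FC, duration, addr1 (receiver), addr2 (transmitter), addr3 (BSSID),
    sequence control.  Body: algorithm, transaction sequence number, status code."""
    header = (struct.pack("<BBH", 0xB0, 0x00, 0) + mac_bytes(addr1) + mac_bytes(addr2)
              + mac_bytes(bssid) + struct.pack("<H", 0))
    return header + struct.pack("<HHH", AUTH_OPEN, seq_num, status)

def parse_auth(frame):
    if len(frame) < 30 or frame[0] != 0xB0:
        raise ValueError("not an authentication frame")
    alg, seq_num, status = struct.unpack("<HHH", frame[24:30])
    return {"addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "alg": alg, "seq": seq_num, "status": status}

def ap_answer_auth(frame, bssid, allowed):
    """What a MAC-filtering AP does with an Open System request (seq 1): the only
    identity in the frame is addr2, so it answers seq 2 with success when addr2 is
    on the allow list and with a failure status otherwise."""
    req = parse_auth(frame)
    if req["bssid"] != bssid or req["seq"] != 1 or req["alg"] != AUTH_OPEN:
        return None                                 # not addressed to this AP, ignore
    status = STATUS_SUCCESS if req["addr2"] in allowed else STATUS_FAILURE
    return build_auth(req["addr2"], bssid, bssid, 2, status)

def attempt_auth(sta_mac, bssid, allowed):
    """One request/response round trip with the given transmitter MAC; returns the AP's status."""
    request = build_auth(bssid, sta_mac, bssid, 1, STATUS_SUCCESS)
    response = ap_answer_auth(request, bssid, allowed)
    return parse_auth(response)["status"]

# Constructed addresses: the AP's allow list holds one legitimate client.
BSSID = "02:00:00:00:aa:01"
LEGIT_STA = "02:00:00:00:c1:01"      # as harvested from addr2 of the client's sniffed frames
ATTACKER = "02:00:00:00:ba:ad"
ALLOWED = {LEGIT_STA}

if __name__ == "__main__":
    print("own MAC     :", attempt_auth(ATTACKER, BSSID, ALLOWED))    # 1, refused
    print("spoofed MAC :", attempt_auth(LEGIT_STA, BSSID, ALLOWED))   # 0, accepted
```

The request carrying the harvested address is byte-for-byte what the real client would send, which is why nothing on the access point side can distinguish the two; a defence has to come from a layer that authenticates the station cryptographically (WPA2/WPA3 with per-client credentials or 802.1X), not from the address fields.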

Internal IP disclosure poses another threat. With a harvested IP address and its MAC address, an attacker can configure a wireless interface with the same pair, become part of your internal network, and run the usual scanning tools against the disclosed address ranges.
