RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Secure Your Wireless Networks with Scapy Packet Manipulation : Page 5

To secure a wireless network you must first determine the state of the network and then provide a defense against intrusions. Enter Scapy, a packet-crafting tool written in Python.

Further Intrusion Detection with Sniffing
The methodology defined so far can be used to build intrusion detection systems and can be deployed to monitor wireless traffic. You can sniff this traffic using Scapy and build a script on top of it. This script can help in tracking intrusion detections.

The following sections present some examples of these concepts.

Discovering Rogue Access Points
If an unauthorized access point is deployed on your network, an administrator can find the traffic and exclude it from the network by capturing beacon packets or analyzing wireless IP traffic. For example, suppose your network is and it consists of one access point with an address of 00:15:3d:3c:a6:eb. Your objective is to track down any surrounding access points, other than this access point, that are accessing the network. Here is a little script to monitor traffic:

#!/usr/bin/env python

from scapy import *
import re

interface = sys.argv[1]   
baseMAC = sys.argv[2]  
IPregex = sys.argv[3]

def monitorIPMAC(p):       
     if p.haslayer(IP):
          iplayer = p.getlayer(IP)
          if reg.match(iplayer.src) or reg.match(iplayer.dst):
if not (p.addr1==baseMAC or p.addr2==baseMAC or   p.addr3==baseMAC): 
                    print "---"
                    print "MAC->"+p.addr1+"|"+p.addr2+"|"+p.addr3
                    print "IP->"+iplayer.src+"|"+iplayer.dst
                    print "---"       


The preceding script captures all packets from the air and dissects the IP layer. A decision-making point is the source and destination IP address for the packets. If these packets are not part of an authorized access point defined by the MAC address, then they are reported. This can be a potential access point running on You can verify its existence and traffic from the wire side once you notice intrusion to reduce false positives. This example uses regular expressions to compare the networks. Here's the output of the script:

root@linbliss:/home/shreeraj/idswifi# ./sniffRap.py eth2 00:15:3d:3c:a6:eb 192\.168\.7\.*

The preceding example takes 192\.168\.7\.*, an authorized MAC address of the access point. Traffic for the network that originated from an unauthorized MAC (access point) was sniffed. This could be an intrusion in the network.

Discovering Dummy Access Point
A dummy access point started with the same SSID as a corporate network poses a threat to the network. You can detect this by capturing packets and comparing their MAC addresses with authorized MAC addresses. Here is a simple script to capture a dummy access point:

#!/usr/bin/env python

import sys
from scapy import *

interface = sys.argv[1]   
ssid = "'"+sys.argv[2]+"'"
mac = sys.argv[3]

def monitorSSID(p):      
     if p.haslayer(Dot11Beacon):        
          pssid = p.sprintf("%Dot11Elt.info%")
          pmac = p.sprintf("%Dot11.addr2%")
          if(ssid == pssid):  			
               if not (pmac==mac):
                    print "Dummy AP found -> "+pmac      


The preceding script takes an authorized access point with its base address and SSID and continues sniffing for beacon packets, while looking for the same SSID with a different base MAC. The script reports any and all access points located, as shown below:

root@linbliss:/home/shreeraj/idswifi# ./sniffDap.py eth2 netsquare4 00:12:17:3c:b6:eb
Dummy AP found -> 00:12:17:3c:b6:ed
Dummy AP found -> 00:12:17:3c:b6:ed

Unauthorized MAC Detections
You can detect an attacker who's trying to gain access to access points with MAC addresses that are not part of an authorized list by sniffing all the packets and determining the source of the probe. A list of authorized MACs can be built on the basis of IPs assigned by the DHCP server. For example, to observe traffic originating from unauthorized MACs, prepare a list of authorized MACs and place these in a file. Then use this script:

#!/usr/bin/env python

import sys
from scapy import *

interface = sys.argv[1]  
baseMAC = sys.argv[2]
unique = []

macfile = open("authmac","r")
temp = macfile.readlines()
for line in temp:
      authmac = line.rstrip("\n") 

def monitorUnauthMAC(p): 
     if not p.haslayer(Dot11Beacon):
          if (p.addr1==baseMAC or p.addr2==baseMAC or p.addr3==baseMAC):
if  (unique.count(p.addr1) == 0 and unique.count(p.addr2) == 0 and unique.count(p.addr3) == 0):
print "Unathorized MAC->"+p.addr1+"|"+p.addr2+"|"+p.addr3

Begin by reading the file and then keep monitoring the target access point. A Dot11 packet containing an unauthorized MAC is reported as shown below:

root@linbliss:/home/shreeraj/idswifi# ./sniffUnauthMAC.py eth2 00:15:3d:3c:a6:eb
Unathorized MAC->00:12:17:3c:b6:ed|00:30:65:06:8c:eb|00:50:56:07:01:80
Unathorized MAC->00:30:65:06:8c:eb|00:12:17:3c:b6:ed|00:50:56:07:01:80

This way you can keep monitoring unauthorized traffic coming from war drivers and maintain a whitelist of the MAC addresses.

Detecting Deauth and Disassociation Notification
Raw deauth and disassociation packets arriving from an unauthorized MAC address clearly represent a malicious attempt to disrupt the network. They can lead to denial-of-service (DoS) or man-in-the-middle attacks. The following script can report these packets, complete with MAC address. If the access point is not rebooted and these packets are observable, then someone may be injecting these packets at the client end.

#!/usr/bin/env python

import sys
from scapy import *

interface = sys.argv[1]  

def monitorDPackets(p):  
     if p.haslayer(Dot11Deauth) or p.haslayer(Dot11Disas):
          print "MAC->"+p.addr1+"|"+p.addr2+"|"+p.addr3


This way you can track down any intrusion coming from malicious hardware.

The following are a few other intrusion detection points that you can monitor:

  • Detecting client probes – Clients such as laptops often are configured to connect to their home networks. When used at the workplace, these clients keep sending probe requests on the air for a home network. An attacker can set up an access point to serve these clients. This dual hosting state and network allows the network to be compromised. Continue sniffing the traffic to detect these sorts of likely intrusion points.
  • Ad-hoc client detection – Ad-hoc clients can be detected by sniffing traffic, and they pose a threat to dual-hosted networks.
  • Access point channel change – An access point channel can be changed through unauthorized access or when a dummy access point works on a different channel with the same SSID.
  • Random MACs – If an access point is accessed by random MACs, then you can presume that a tool or script is being run.
  • Determining packet injections – A client that sends several packets without actually connecting to an access point may be trying to inject malicious packets.
  • Deauthentication flood – An access point flooded with deauthentication frames indicates a possible DoS attack attempt. Similarly, other floods using different frames can be detected on the wire.
  • Weak area detections – You can sniff traffic to detect weak areas such as default SSIDs on the network, broadcasting SSIDs, weak IVs, ad-hoc operations, access points running with Hotspot SSID, NetBIOS traffic, ARP packets going out, and authorized clients connecting to rogue access points.

With good sniffing scripts in place alerts can be generated to reduce threats to wireless infrastructure. Once this information is in place you can perform active assessment by injecting packets into a wireless network by patching the driver with appropriate capabilities. Here, too, Scapy comes in handy since it enables you to inject packets at Layer 2 using sendp().

Detect the Vulnerabilities in Your Wireless Network
While wireless assessment is becoming an integral part of penetration testing and network assessments, analyzing wireless networks and related products is a challenging task. The methodology discussed in this article in conjunction with Scapy can help you detect the vulnerabilities in your wireless networks. Scapy works in Python in both interactive and scripting modes, enhancing its effectiveness and making it a must-have tool in a wireless network assessment toolkit. Scapy is also extendable, allowing you to build powerful scripts for performing network monitoring.

Shreeraj Shah, founder and director of Net-Square, is the co-author of Web Hacking: Attacks and Defense published by Addison Wesley. He has presented at conferences including HackInTheBox, RSA, Blackhat, Bellua, CII, and NASSCOM.
Email AuthorEmail Author
Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date