scapy-fakeap's Introduction

scapy-fakeap

Fake wireless Access Point (AP) implementation using Python and Scapy, intended for convenient testing of 802.11 protocols and implementations. This library is a work in progress, and currently only supports open 802.11 networks.

Motivation

Testing 802.11 protocols and implementations for bugs or security vulnerabilities requires a simple and flexible AP implementation. This library aims to provide these features by using the popular packet manipulation program 'Scapy' for data transmission and reception.

Installation

You will need to have the following packages installed:

  • scapy
  • ip
  • airmon-ng
  • dnsmasq (optional)

Then, run python2 setup.py install to install scapy-fakeap.

Examples

First, set up your device in monitor mode. You can use airmon-ng or iw:

# iw dev wlan0 interface add mon0 type monitor
# ifconfig mon0 up

From there, setting up a basic AP with scapy-fakeap is extremely simple, as shown in the example below:

# This example is a simple 'hello world' for scapy-fakeap.
# An open network will be created that can be joined by 802.11 enabled devices.

from fakeap import *

ap = FakeAccessPoint('mon0', 'Hello scapy-fakeap world!')
ap.run()

For more examples, please see the 'examples' folder.

Callbacks

The behaviour of the AP can be completely customized by changing the callbacks associated with a certain event. To do this, pass a custom Callbacks() object to the FakeAccessPoint constructor or to an instance during runtime. Currently, the following callbacks are provided:

  • cb_recv_pkt: Triggered every time a packet is received. This callback defines when all other callbacks are triggered.
  • cb_dot11_probe_req: Triggered on reception of a Probe Request frame. The default behaviour is to reply with a Probe Response frame.
  • cb_dot11_beacon: Triggered every 0.1 seconds. The default behaviour is to send a Beacon frame.
  • cb_dot11_auth: Triggered on reception of an Authentication Request frame. The default behaviour is to reply with an Authentication Response frame.
  • cb_dot11_assoc_req: Triggered on reception of an Association Request frame. The default behaviour is to reply with an Association Response frame.
  • cb_dot11_rts: Triggered on reception of an RTS frame. The default behaviour is to reply with a CTS frame.
  • cb_arp_req: Triggered on reception of an ARP Request. The default behaviour is to reply with an ARP Response.
  • cb_dot1X_eap_req: Triggered on reception of an 802.1X EAP Request frame. The default behaviour is to reply with an 802.1X EAP Response frame.
  • cb_dhcp_discover: Triggered on reception of a DHCP Discover message. The default behaviour is to forward the message to dnsmasq.
  • cb_dhcp_request: Triggered on reception of a DHCP Request message. The default behaviour is to forward the message to dnsmasq.
  • cb_dns_request: Triggered on reception of a DNS Request message. The default behaviour is to forward the message to dnsmasq.
  • cb_tint_read: Triggered on reception of a packet from the fakeap virtual interface. This callback defines when callbacks related to this interface are triggered.

Writing your own callback:

The following example shows how a custom callback for a Callbacks() instance can be easily created:

# This example demonstrates how to create a new callback for a specific Callbacks() instance.
# The callback will trigger each time an EAPOL packet is sniffed.

from types import MethodType
from scapy.layers.eap import EAPOL  # EAPOL is defined in scapy.layers.eap
from fakeap import *


def do_something(self):  # Our custom callback
    print("Got EAPOL packet!")


def my_recv_pkt(self, packet):  # We override recv_pkt to include a trigger for our callback
    if EAPOL in packet:
        self.cb_do_something()
    self.recv_pkt(packet)

ap = FakeAccessPoint('mon0', 'My first callback!')
ap.wpa = AP_WLAN_TYPE_WPA2  # Enable WPA2
ap.ieee8021x = 1  # Enable 802.1X (WPA-Enterprise)
my_callbacks = Callbacks(ap)
my_callbacks.cb_recv_pkt = MethodType(my_recv_pkt, my_callbacks)
my_callbacks.cb_do_something = MethodType(do_something, my_callbacks)
ap.callbacks = my_callbacks

ap.run()

Service interaction

Upon instantiation of a FakeAccessPoint object, scapy-fakeap automatically creates the fakeap virtual interface, which may be used for interacting with other services. For example, you can set it as the listen interface for dnsmasq to use a DHCP server for your fake AP.

scapy-fakeap's Issues

Remove airmon dependency

The airmon dependency should disappear over time. Instead, the libnl interface should be used to configure the driver.

rpyutils module python requirement

When I import the fakeap module and run the script, it tells me to install rpyutils.

I can't install that module as well.

I am using a Kali Linux 2021.2 VM.

Running a FakeAccessPoint() makes my system freeze

I have this program

from fakeap import *
ap = FakeAccessPoint("mon0", "testap")
ap.run()

I have this interface

sudo iw dev wlo1 interface add mon0 type monitor
sudo ip link set mon0 up

I have the same issue as MrSentex (Issue #10)

I haven't any more information. I looked at the process resource consumption in top, and everything seems to be ok. Maybe a driver issue (iwlwifi), I have several errors in kernel.log

got a question..

Hey there,
Is the AP that is created under the scapy TCP/IP stack or the Native TCP/IP stack? If it is under the scapy stack then how can I reject packets to the AP? And if it is not, is there a way to create an AP under python which can be integrated with the native tcp/ip stack and can reject packets acting like a traditional firewall?

Cannot start dhcp interface on tun interface

Hi,

When I start the fakeap, the tun interface is created successfully, but I am not able to start the DHCP server for that interface. The root cause is that the MAC address is not assigned when the fakeap is created. When I tried to assign a MAC address using "ip link", it threw errors.

I am using isc-dhcp-server on Ubuntu to assign IP addresses to the clients connecting to the fakeap.

Can you please help?

Switching to BSD / MIT?

Hello,

I'm the author of wifiphisher, a tool for automated phishing attacks. I'm considering replacing hostapd in our codebase with your project. There's a ticket for that here.

Wifiphisher is released under the MIT license though while scapy-fakeap is GPLv2. This would lead to releasing all of wifiphisher's next versions under GPL.

Do you consider switching to MIT or BSD for scapy-fakeap so we can avoid that?

Thank you,

George

Could not find IP 224.0.0.251 in ARP table.

When I started a FakeAccessPoint it does not stop getting errors of this style:
Could not find IP 117.208.55.170 in ARP table.
Could not find IP 239.255.255.250 in ARP table.
Could not find IP 239.255.255.250 in ARP table.
Could not find IP 239.255.255.250 in ARP table.
Could not find IP 239.255.255.250 in ARP table.

Substitute sendp with conf.L2socket.send [suggestion / enhancement]

I saw that for sending packets the project uses the sendp method from scapy.
I've read in another issue that this project is not necessarily an efficient AP implementation but is rather focusing on versatility.
Despite that, sendp is a slow method for injecting packets, especially if it is a lot of packets. This is because for every sendp call scapy opens a new socket, sends packets and then closes the socket again. Opening and closing sockets is time consuming.

Alternatively you can open an L2socket at the very start of the program and use only that socket for sending packets.
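
The persistent-socket approach suggested above, sketched as an added example (not part of the issue or of scapy-fakeap's code). `PersistentSender` and `scapy_l2socket` are hypothetical names, and the socket factory is injectable so the reuse logic can be exercised without root or a monitor interface.

```python
# Added example: open one layer-2 socket and reuse it for every frame,
# instead of paying a socket open/close on each sendp() call.


def scapy_l2socket(iface):
    """Default factory: Scapy's configured L2 socket on iface (needs root)."""
    from scapy.config import conf  # lazy import: the class below works without Scapy
    return conf.L2socket(iface=iface)


class PersistentSender(object):
    """Hypothetical helper: opens the socket on first use and keeps it open."""

    def __init__(self, iface, socket_factory=scapy_l2socket):
        self.iface = iface
        self.socket_factory = socket_factory
        self.sock = None
        self.opens = 0  # number of sockets created so far

    def _ensure_open(self):
        if self.sock is None:
            self.sock = self.socket_factory(self.iface)
            self.opens += 1
        return self.sock

    def send(self, frame):
        try:
            return self._ensure_open().send(frame)
        except (IOError, OSError):
            # Interface went down or the socket became invalid:
            # drop it, reopen once, and let a second failure propagate.
            self.close()
            return self._ensure_open().send(frame)

    def close(self):
        if self.sock is not None:
            try:
                self.sock.close()
            except Exception:
                pass  # nothing useful to do if close itself fails
            self.sock = None

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()
```

A caller that currently does `sendp(frame, iface='mon0')` per frame would create one `PersistentSender('mon0')` at startup and call `send(frame)` on it, closing it on shutdown.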

rpyutils directory missing after install

Hi,

after a python setup.py install your subdirectory rpyutils is missing.

I'm not yet familiar with python setuptools to send you a patch right now.
Guess you are faster than I :)

Regards
Andurin

what's the use of get_radiotap_header?

Radio_tap_header is generated by the receiver wireless card. I tried this function and found no use. In fact the receiver wireless card receives the radio_tap_header according to properties of the sender wireless card like channel, transmission rate etc. Please explain the use of get_radiotap_header and correct me if I am wrong?

too many packets lost ...

Have you noticed that the packet loss rate is a little high?
Many ICMP (ping) packets between station and the fakeap may be lost, for me, more than 50% sometimes. And I am sure it's not the wifi-adapter's problem.
If I use airbase-ng to setup an AP, then the situation will be much better.

I am not an expert in the network field.
So, I am just curious about that whether it is the problem of scapy or the way you handle dot11 packets?

Unknown error at monitor interface: NameError

Had these lines :

Unknown error at monitor interface: NameError("global name 'EAP' is not defined",)
Unknown error at monitor interface: NameError("global name 'EAPOL' is not defined",)

Fixed them by adding this line in callbacks.py
from scapy.layers.eap import EAPOL, EAP

Not showing up on other devices

Not sure if it's still supported, and I had to change many things. But now that everything looks good I can't connect to the AP nor just see it from other devices
