kamene
Mac OS X wi-fi monitor sniff
There is a simple Wi-Fi sniff script for SSIDs:

```python
from scapy.all import *

ap_list = []

def ssid(pkt):
    # show() prints the dissected packet itself and returns None
    pkt.show()
    if pkt.haslayer(Dot11):
        # Management frame (type 0) with subtype 8 is a beacon
        if pkt.type == 0 and pkt.subtype == 8:
            if pkt.addr2 not in ap_list:
                ap_list.append(pkt.addr2)
                print("AP: %s SSID: %s" % (pkt.addr2, pkt.info))

sniff(iface='en1', prn=ssid)
```

Where en1 is the Wi-Fi interface.
When I run this script (with sudo or not) while I am connected to some Wi-Fi network, many packets are captured (none of them is a Beacon) (thanks to pkt.show() in the script).
But if I force-switch the interface to monitor mode (through one of these commands)
- sudo tcpdump -p -I -i en1 -y IEEE802_11
- sudo tcpdump -p -I -i en1
- airport en1 sniff 1
- wireshark GUI capture with monitor mode
the output of the script stops, as there are no packets here at all (while tcpdump captures many beacons well).
Can you explain to me what I am doing wrong, or does scapy-py3k need some patching for Mac OS X?
Can you record traffic with tcpdump in monitor mode and attach it?
Also, you can try recording a pcap in tcpdump and reading it in scapy3k with rdpcap, and seeing whether it can be parsed.
I can record traffic with tcpdump successfully, but I don't know how it helps. And if I use the pcap file as input for sniff, it works.
I will attach it later.
So, if you record with tcpdump and open with rdpcap, traffic is parsed correctly? And the issue is with capturing?
Yep. The issue is about capturing from airport in monitoring mode
Any thoughts?
In addition, when I use sendp in a fuzzing way, as

```python
from scapy.all import *

sendp(RadioTap(version=0, pad=0)/
      Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2="aa:aa:aa:aa:aa:aa", addr3="aa:aa:aa:aa:aa:aa")/
      Dot11Beacon(cap="ESS")/
      Dot11Elt(ID="SSID", info="RUCTF")/
      Dot11Elt(ID="Rates")/
      Dot11Elt(ID="DSset")/
      Dot11Elt(ID="TIM"),
      iface="en1", loop=1, verbose=True)
```

It prints that it sends packets, but nothing happened, neither in wireshark on source mac nor in wireshark in monitor mode on another computer nearby.
It seems scapy is not able to get or use monitor mode of the airport interface. But it is strange, because tcpdump or wireshark can.
P.S. I have checked it with original scapy with python2 and nothing happened too(((
P.P.S. Mac OS X El Capitan. Checked on Mac mini 12, and MPB13R - no way((
@m-messiah maybe we have the same problem? #62
@0x5e nope, my problem does not depend on the MAC address
Can you try different combinations of dnet and winpcapy configuration parameters? Change these lines in scapy/arch/unix.py:
scapy.config.conf.use_winpcapy = True
scapy.config.conf.use_dnet = True
to two different combinations 1) winpcapy = False, dnet = True; 2) winpcapy = True; dnet = False, and tell if anything changes. ( @0x5e please, try the same with your issue )
dnet = False - nothing changes
winpcapy = False:
```
Traceback (most recent call last):
  File "sniff.py", line 7, in <module>
    sniff(iface='en1', prn=ssid)
  File "/usr/local/lib/python3.5/site-packages/scapy/sendrecv.py", line 572, in sniff
    s = L2socket(type=ETH_P_ALL, *arg, **karg)
TypeError: 'NoneType' object is not callable
```
Do you have the dnet library installed? (http://libdnet.sourceforge.net/, probably you can find packages) Try installing it and see if anything changes (leaving winpcapy = False).
Of course, libdnet is installed (from Homebrew). Without it, the message is more informative:
```
Traceback (most recent call last):
  File "sniff.py", line 1, in <module>
    from scapy.all import *
  File "/usr/local/lib/python3.5/site-packages/scapy/all.py", line 16, in <module>
    from .arch import *
  File "/usr/local/lib/python3.5/site-packages/scapy/arch/__init__.py", line 84, in <module>
    from .bsd import *
  File "/usr/local/lib/python3.5/site-packages/scapy/arch/bsd.py", line 12, in <module>
    from .unix import *
  File "/usr/local/lib/python3.5/site-packages/scapy/arch/unix.py", line 22, in <module>
    from .pcapdnet import *
  File "/usr/local/lib/python3.5/site-packages/scapy/arch/pcapdnet.py", line 22, in <module>
    from .cdnet import *
  File "/usr/local/lib/python3.5/site-packages/scapy/arch/cdnet.py", line 17, in <module>
    raise OSError("Cannot find libdnet.so")
OSError: Cannot find libdnet.so
```
About the previous exception:

```python
if L2socket is None:
    L2socket = conf.L2listen
s = L2socket(type=ETH_P_ALL, *arg, **karg)
```

But if use_winpcapy = False, L2socket is not initialized. It is not passed in parameters and conf.L2listen is initialized as None.
When I return the settings to default, I get:

```
>>> conf.L2socket
<L2dnetSocket: read/write packets at layer 2 using libdnet and libpcap>
>>> conf.L2listen
<L2pcapListenSocket: read packets at layer 2 using libpcap>
```
@phaethon same result Mac OS X El Capitan
dnet = False - nothing changes
winpcapy = False:
```
Traceback (most recent call last):
  File "sniff.py", line 7, in <module>
    sniff(iface='en1', prn=ssid)
  File "/usr/local/lib/python3.5/site-packages/scapy/sendrecv.py", line 572, in sniff
    s = L2socket(type=ETH_P_ALL, *arg, **karg)
TypeError: 'NoneType' object is not callable
```
@0x5e I am facing the same issue. Have you been able to resolve the problem?
I have confirmed the exact same problem. I am also able to capture data with tcpdump or wireshark in monitor mode from the airport wireless adapter. I put the card into monitor mode with one of the commands described above by @m-messiah.
I tried sniffing packets with the script above from @m-messiah. I also tried a simple script to forge packets and broadcast a fake AP as in https://www.4armed.com/blog/forging-wifi-beacon-frames-using-scapy/. Neither worked. However, the identical scripts work perfectly on a Raspberry Pi running Raspbian Jessie. But on that machine I am using airmon-ng to put an external wifi adapter in monitor mode, creating a mon0 interface.
Any ideas?
Same issue - MacOS Sierra - Scapy3 as of Nov 28th, 2016.
airport shows monitor mode. Running sniff doesn't show any probes or beacons. Running tcpdump shows beacons, probes, etc.
Scapy does not appear to get the info.

```
host:iSniff user$ airport en0 getinfo
agrCtlRSSI: -57
agrExtRSSI: 0
agrCtlNoise: -95
agrExtNoise: 0
state: running
op mode: station monitor
lastTxRate: 145
maxRate: 144
lastAssocStatus: 0
802.11 auth: open
link auth: none
BSSID: 2a:3e:77:6d:29:2c
SSID: GUEST
MCS: 15
channel: 153
```
I am having the same issue on my MacOS Sierra.
Having exactly the same issue on OS X El Capitan
I am having the same issue on my MacOS Sierra.
No solution still?
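The offline route that does work in this thread (record with tcpdump in monitor mode, parse the file afterwards) can be done without a live capture socket at all. The following is an added example, not code from the thread or from scapy: it applies the same beacon test as the sniff script (type 0, subtype 8) directly to the bytes of a classic pcap file. It assumes the capture uses the radiotap link type (127) and is not pcapng; all function names are introduced here, and the sample capture is constructed inline using the SSID and MAC values from the sendp snippet above.

```python
import struct

DLT_IEEE802_11_RADIO = 127  # pcap link type: radiotap header + 802.11 frame

def parse_beacon(frame):  # (bssid, ssid) for a radiotap beacon, else None
    if len(frame) < 4:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]  # radiotap it_len, little-endian
    dot11 = frame[rt_len:]
    if len(dot11) < 36:  # 24-byte MAC header + 12 bytes of fixed beacon fields
        return None
    if ((dot11[0] >> 2) & 3, dot11[0] >> 4) != (0, 8):  # type 0, subtype 8
        return None
    bssid = ":".join("%02x" % b for b in dot11[10:16])  # addr2
    off = 36
    while off + 2 <= len(dot11):  # walk tagged elements: id, length, body
        eid, elen = dot11[off], dot11[off + 1]
        body = dot11[off + 2:off + 2 + elen]
        if len(body) < elen:
            break  # truncated element (snaplen cut or trailing FCS bytes)
        if eid == 0:  # SSID element
            return bssid, body.decode("utf-8", "replace")
        off += 2 + elen
    return bssid, None

def beacons_from_pcap(data):  # BSSID -> SSID for every beacon in the file
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != DLT_IEEE802_11_RADIO:
        raise ValueError("link type %d, expected radiotap (127)" % linktype)
    seen, off = {}, 24  # records start after the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        hit = parse_beacon(data[off + 16:off + 16 + incl_len])
        if hit:
            seen.setdefault(*hit)  # first sighting per BSSID, like ap_list
        off += 16 + incl_len
    return seen

def sample_pcap(linktype=DLT_IEEE802_11_RADIO):  # constructed test capture
    rt = struct.pack("<BBHI", 0, 0, 8, 0)  # minimal 8-byte radiotap header
    beacon = (rt + b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\xaa" * 12 + b"\x00\x00"
              + b"\x00" * 8 + struct.pack("<HH", 100, 1) + b"\x00\x05RUCTF")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in (beacon, rt + b"\x08\x00" + b"\x00" * 34, beacon):  # beacon, data, repeat
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

The link-type check matters when comparing captures: a file whose global header does not say 127 is rejected instead of being misread as radiotap.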