代碼如下:
1 #coding=utf-8 2 3 import os 4 import sys 5 import subprocess 6 from scapy.all import * 7 8 9 RSN = 48 #管理幀信息元素(Dot11Elt)ID48是RSN信息 10 WPA = 221 #管理幀信息元素ID221是WPA信息 11 Dot11i = {0:'GroupCipher', 12 1:'WEP-40', 13 2:'TKIP', 14 4:'CCMP', 15 5:'WEP-104' 16 } #RSN信息的第6字節 17 WPA_Auth = {1:'802.11x/PMK', 18 2:'PSK' 19 } #RSN信息的第22字節 20 DN = open(os.devnull,'w') 21 22 def get_wlan_interfaces(): 23 ''' 24 返回當前PC上所有的無線網卡以及網卡所處的模式 25 ''' 26 interfaces = {'monitor':[],'managed':[],'all':[]} 27 proc = subprocess.Popen(['iwconfig'],stdout=subprocess.PIPE,stderr=DN) 28 lines = proc.communicate()[0].split('\n') 29 for line in lines: 30 if line: 31 if line[0] != ' ': 32 iface = line.split(' ')[0] 33 if 'Mode:Monitor' in line: 34 interfaces['monitor'].append(iface) 35 if 'IEEE 802.11' in line: 36 interfaces['managed'].append(iface) 37 interfaces['all'].append(iface) 38 if len(interfaces['managed']) == 0: 39 sys.exit('[!]沒有無線網卡,請插入網卡') 40 return interfaces 41 42 interfaces = get_wlan_interfaces() #獲取當前的無線網卡 43 44 def get_strongest_inface(): 45 ''' 46 通過iwlist dev scan命令,根據無線網卡可獲取到的AP數量來判斷哪個網卡的功率最強 47 ''' 48 iface_APs = [] 49 #interfaces = get_wlan_interfaces() 50 for iface in interfaces['managed']: 51 count = 0 52 if iface: 53 proc = subprocess.Popen(['iwlist',iface,'scan'],stdout=subprocess.PIPE,stderr=DN) 54 lines = proc.communicate()[0].split('\n') 55 for line in lines: 56 if line: 57 if '- Address:' in line: 58 count += 1 59 iface_APs.append((count,iface)) 60 interface = max(iface_APs)[1] 61 return interface 62 63 def start_monitor_mode(): 64 ''' 65 通過airmon-ng工具將無線網卡啟動為監聽狀態 66 ''' 67 if interfaces['monitor']: 68 print '[*]監聽網卡為:%s' % interfaces['monitor'][0] 69 return interfaces['monitor'][0] 70 interface = get_strongest_inface() 71 print '[*]網卡%s開啟監聽模式...' % interface 72 try: 73 os.system('/usr/sbin/airmon-ng start %s' % interface) 74 moni_inface = get_wlan_interfaces()['monitor'] 75 print '[*]監聽網卡為:%s' % moni_inface[0] 76 return moni_inface 77 except: 78 sys.exit('[!]無法開啟監聽模式') 79 80 def get_AP_info(pkt): 81 ''' 82 從Dot11數據包中獲取AP的SSID,BSSID,chanle,加密等信息 83 ''' 84 AP_info = {} 85 bssid = pkt[Dot11][Dot11Elt].info 86 ssid = pkt[Dot11].addr2 87 chanle = str(ord(pkt[Dot11][Dot11Elt][:3].info)) 88 AP_infos = [bssid,chanle] 89 wpa_info,cipher_info = get_Dot11_RSN(pkt) 90 if wpa_info and cipher_info: 91 AP_infos = AP_infos + [wpa_info,cipher_info] 92 AP_info[ssid]=AP_infos 93 return AP_info 94 95 APs_info = {} 96 def get_APs_info(pkt): 97 global APs_info 98 if pkt.haslayer(Dot11) and (pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp)): 99 AP_info = get_AP_info(pkt) 100 101 if not APs_info.has_key(AP_info.keys()[0]): 102 APs_info.update(AP_info) 103 return APs_info 104 105 106 already_shows = [] 107 def show_APs_info(pkt): 108 global already_shows 109 APs_info = get_APs_info(pkt) 110 for (key,value) in APs_info.items(): 111 if key not in already_shows: 112 already_shows.append(key) 113 print '-' * 40 114 print ' [+]AP的BSSID:%s' % value[0] 115 print ' [+]AP的SSID:%s' % key 116 print ' [+]AP當前的chanle:%s' % value[1] 117 if len(value) == 4: 118 print ' [+]AP的認證方式為:%s' % value[2] 119 print ' [+]AP的加密算法為:%s' % value[3] 120 else: 121 print ' [+]開放驗證!!' 122 print '-' * 40 123 124 def get_Dot11_RSN(pkt): 125 ''' 126 從Beacon幀以及ProbeResponse幀獲取cipher及auth信息 127 ''' 128 ssid = pkt[Dot11].addr2 129 len_Elt = len(pkt[Dot11Elt].summary().split('/')) 130 #print pkt.show() 131 for i in range(len_Elt): 132 if pkt[Dot11Elt][i].ID == RSN: 133 try: 134 RSN_info = hexstr(pkt[Dot11Elt][i].info) 135 cipher_index = RSN_info.find('ac') #第一個00 0f ac 02中的‘02’代表cipher 136 auth_index = RSN_info.rfind('ac') #從后往前數第一個00 0f ac 02中的‘02’代表AUTH 137 cipher_num = int(RSN_info[(cipher_index + 3):(cipher_index + 5)]) 138 auth_num = int(RSN_info[(auth_index + 3):(auth_index + 5)]) 139 for key,value in Dot11i.items(): 140 if cipher_num == key: 141 cipher_info = value 142 for key,value in WPA_Auth.items(): 143 if auth_num == key: 144 wpa_info = value 145 #print wpa_info,cipher_info 146 return wpa_info,cipher_info 147 except: 148 pass 149 return None,None 150 151 152 153 154 155 def sniffering(interface,action): 156 ''' 157 嗅探5000個數據包 158 ''' 159 print '[*]附近AP信息如下:' 160 sniff(iface=interface,prn=action,count=5000,store=0) 161 162 163 def main(): 164 moni_inface = start_monitor_mode() 165 sniffering(moni_inface, show_APs_info) 166 167 if __name__ == '__main__': 168 main() 169
運行結果如下:
1 # python test_sniff.py 2 WARNING: No route found for IPv6 destination :: (no default route?) 3 [*]監聽網卡為:wlan1mon 4 [*]附近AP信息如下: 5 ---------------------------------------- 6 [+]AP的BSSID:100msh-XXX 7 [+]AP的SSID:84:82:f4:xx:xx:xx 8 [+]AP當前的chanle:11 9 [+]開放驗證!! 10 ---------------------------------------- 11 ---------------------------------------- 12 [+]AP的BSSID:��¡���� 13 [+]AP的SSID:d0:c7:c0:xx:xx:xx 14 [+]AP當前的chanle:11 15 [+]AP的認證方式為:PSK 16 [+]AP的加密算法為:CCMP 17 ---------------------------------------- 18 ---------------------------------------- 19 [+]AP的BSSID:FAST_XXX 20 [+]AP的SSID:78:eb:14:xx:xx:xx 21 [+]AP當前的chanle:11 22 [+]AP的認證方式為:PSK 23 [+]AP的加密算法為:CCMP 24 ---------------------------------------- 25 ---------------------------------------- 26 [+]AP的BSSID:FAST_XXX 27 [+]AP的SSID:0c:72:2c:xx:xx:xx 28 [+]AP當前的chanle:11 29 [+]AP的認證方式為:PSK 30 [+]AP的加密算法為:CCMP 31 ---------------------------------------- 32 ---------------------------------------- 33 [+]AP的BSSID:XXX 34 [+]AP的SSID:80:81:10:xx:xx:xx 35 [+]AP當前的chanle:8 36 [+]AP的認證方式為:PSK 37 [+]AP的加密算法為:TKIP 38 ---------------------------------------- 39 ---------------------------------------- 40 [+]AP的BSSID:XXX 41 [+]AP的SSID:80:81:10:xx:xx:xx 42 [+]AP當前的chanle:8 43 [+]AP的認證方式為:PSK 44 [+]AP的加密算法為:TKIP 45 ---------------------------------------- 46 ---------------------------------------- 47 [+]AP的BSSID:360免費WiFi-44 48 [+]AP的SSID:24:05:0f:xx:xx:xx 49 [+]AP當前的chanle:11 50 [+]AP的認證方式為:PSK 51 [+]AP的加密算法為:CCMP 52 ----------------------------------------