用python编写的无线AP扫描器

代码如下:

  1 #coding=utf-8
  2 
  3 import os
  4 import sys
  5 import subprocess
  6 from scapy.all import *
  7 
  8 
# Information-element IDs found in 802.11 management frames (Dot11Elt.ID).
RSN = 48    # RSN information element (WPA2)
WPA = 221   # vendor-specific element, carries WPA1 information

# Cipher-suite selector types (OUI 00-0F-AC) mapped to a display name.
# get_Dot11_RSN reads the byte that follows the first "00 0f ac" in the RSN
# element and looks it up here.
Dot11i = {
    0: 'GroupCipher',
    1: 'WEP-40',
    2: 'TKIP',
    4: 'CCMP',
    5: 'WEP-104',
}

# AKM (authentication) suite selector types (OUI 00-0F-AC) mapped to a
# display name; get_Dot11_RSN reads the byte after the last "00 0f ac".
WPA_Auth = {
    1: '802.11x/PMK',
    2: 'PSK',
}

# stderr sink for the iwconfig/iwlist helpers; opened once for the life of
# the process and deliberately never closed.
DN = open(os.devnull, 'w')
 21 
def get_wlan_interfaces():
    '''
    Return the wireless interfaces of this host, grouped by mode.

    Parses the output of ``iwconfig`` (stderr discarded via ``DN``). Every
    line that does not start with a space names an interface; a line that
    contains ``Mode:Monitor`` is filed under ``'monitor'``, one that contains
    ``IEEE 802.11`` under ``'managed'`` (a line matching both lands in both
    lists), and every interface name goes into ``'all'``.

    Returns:
        dict with keys ``'monitor'``, ``'managed'`` and ``'all'``, each a
        list of interface names.

    Exits the process with a message when no ``IEEE 802.11`` line was seen.
    '''
    monitor, managed, every = [], [], []
    iwconfig = subprocess.Popen(['iwconfig'], stdout=subprocess.PIPE, stderr=DN)
    output = iwconfig.communicate()[0]
    for line in output.split('\n'):
        # iwconfig indents continuation lines; an interface name is at column 0
        if not line or line[0] == ' ':
            continue
        iface = line.split(' ')[0]
        if 'Mode:Monitor' in line:
            monitor.append(iface)
        if 'IEEE 802.11' in line:
            managed.append(iface)
        every.append(iface)
    if not managed:
        sys.exit('[!]没有无线网卡,请插入网卡')
    return {'monitor': monitor, 'managed': managed, 'all': every}
 41 
# Module-level side effect: iwconfig is run at import time and, when no
# IEEE 802.11 interface is listed, get_wlan_interfaces() exits the process.
interfaces = get_wlan_interfaces()  # wireless interfaces present right now
 43 
def get_strongest_inface():
    '''
    Pick the managed interface that sees the most access points.

    Runs ``iwlist <iface> scan`` for every name in the module-level
    ``interfaces['managed']`` (stderr discarded via ``DN``) and counts the
    ``- Address:`` lines of its output, one per AP reported.

    Returns:
        The interface name with the highest count. Ties are resolved by
        ``max`` over ``(count, name)`` tuples, i.e. the lexically greatest
        name wins.

    Raises:
        ValueError: from ``max`` when ``interfaces['managed']`` contains no
        non-empty name.
    '''
    ranked = []
    for iface in interfaces['managed']:
        if not iface:
            continue
        scan = subprocess.Popen(['iwlist', iface, 'scan'], stdout=subprocess.PIPE, stderr=DN)
        output = scan.communicate()[0]
        seen = sum(1 for line in output.split('\n') if line and '- Address:' in line)
        ranked.append((seen, iface))
    return max(ranked)[1]
 62 
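def start_monitor_mode():
    '''
    Return the name of a monitor-mode interface, enabling one if needed.

    If the module-level ``interfaces`` (collected at import time) already
    lists a monitor interface, its first entry is returned. Otherwise the
    managed interface chosen by ``get_strongest_inface`` is switched with
    ``airmon-ng start`` and the interface list is re-read to learn the name
    of the new monitor interface.

    Returns:
        str: the monitor interface name. Both branches return a single name
        (the second branch used to return the whole list, so the caller's
        ``sniff(iface=...)`` received a list or a string depending on the
        branch taken).

    Exits the process with a message when airmon-ng cannot be executed or
    no monitor interface shows up afterwards. A ``sys.exit`` raised inside
    ``get_wlan_interfaces`` propagates with its own message instead of being
    masked by a bare ``except``.
    '''
    if interfaces['monitor']:
        print('[*]监听网卡为:%s' % interfaces['monitor'][0])
        return interfaces['monitor'][0]
    interface = get_strongest_inface()
    print('[*]网卡%s开启监听模式...' % interface)
    # Argument list instead of a shell command string: the interface name is
    # taken from iwconfig output and should not be interpreted by a shell.
    try:
        subprocess.call(['/usr/sbin/airmon-ng', 'start', interface])
    except OSError:
        sys.exit('[!]无法开启监听模式')
    moni_inface = get_wlan_interfaces()['monitor']
    if not moni_inface:
        sys.exit('[!]无法开启监听模式')
    print('[*]监听网卡为:%s' % moni_inface[0])
    return moni_inface[0]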
 79         
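def get_AP_info(pkt):
    '''
    Extract BSSID, SSID, channel and (when parsable) RSN auth/cipher names
    from a beacon or probe-response frame.

    Args:
        pkt: a scapy packet with Dot11 and Dot11Elt layers (the caller
             checks for Dot11Beacon / Dot11ProbeResp before calling).

    Returns:
        ``{bssid: [ssid, channel]}`` when ``get_Dot11_RSN`` yields nothing,
        ``{bssid: [ssid, channel, auth, cipher]}`` otherwise. ``bssid`` is
        ``Dot11.addr2`` (the transmitter address), ``ssid`` the raw ``info``
        bytes of the first information element, ``channel`` a decimal string
        or ``'unknown'`` when the frame carries no one-byte DS Parameter Set
        element.
    '''
    bssid = pkt[Dot11].addr2
    # The first information element of a beacon is the SSID element (ID 0);
    # its content is attacker-controlled bytes and is returned unmodified.
    ssid = pkt[Dot11][Dot11Elt].info
    # Walk the element chain for the DS Parameter Set (ID 3), whose single
    # info byte is the channel, rather than assuming it is the third element.
    channel = 'unknown'
    elt = pkt.getlayer(Dot11Elt)
    while isinstance(elt, Dot11Elt):
        if elt.ID == 3 and len(elt.info) == 1:
            channel = str(ord(elt.info))
            break
        elt = elt.payload
    details = [ssid, channel]
    wpa_info, cipher_info = get_Dot11_RSN(pkt)
    if wpa_info and cipher_info:
        details.extend([wpa_info, cipher_info])
    return {bssid: details}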
 94 
# Accumulator shared by get_APs_info/show_APs_info: {addr2: [first element
# info, channel, (auth, cipher)]}, filled in by the sniff callback.
APs_info = {}
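def get_APs_info(pkt):
    '''
    Record the AP described by ``pkt`` in the module-level ``APs_info``.

    Only frames with a Dot11 layer that are beacons or probe responses are
    considered; a BSSID that is already present is not overwritten, so the
    first frame seen for an AP wins.

    Args:
        pkt: a scapy packet as delivered by ``sniff``.

    Returns:
        The module-level ``APs_info`` dict (``{bssid: [ssid, channel, ...]}``).
    '''
    global APs_info
    if pkt.haslayer(Dot11) and (pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp)):
        AP_info = get_AP_info(pkt)
        # get_AP_info returns a single-entry dict whose only key is the BSSID;
        # `in` and next(iter()) replace the Python-2-only has_key()/keys()[0].
        bssid = next(iter(AP_info))
        if bssid not in APs_info:
            APs_info.update(AP_info)
    return APs_info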
104 
105 
# BSSIDs already printed by show_APs_info, so each AP is shown once.
already_shows = []
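def printable_ssid(raw):
    '''
    Return ``raw`` with control characters removed.

    The SSID is copied verbatim from frames sent by whoever operates the AP,
    so it may contain terminal escape sequences; bytes below 0x20 and 0x7f
    are dropped before the name reaches the terminal. Bytes above 0x7f
    (UTF-8 names such as the one in the sample output) are kept.

    Args:
        raw: the SSID as ``str`` (Python 2) or ``bytes``/``str`` (Python 3).

    Returns:
        The filtered name as ``str``.
    '''
    if isinstance(raw, bytes) and not isinstance(raw, str):
        # Python 3: Dot11Elt.info is bytes; decode leniently before filtering.
        raw = raw.decode('utf-8', 'replace')
    return ''.join(ch for ch in raw if ch >= ' ' and ch != '\x7f')


def show_APs_info(pkt):
    '''
    ``sniff`` callback: print every AP that has not been shown yet.

    Feeds ``pkt`` to ``get_APs_info`` and prints the entries of the returned
    dict whose key is not yet in the module-level ``already_shows`` list.
    The dict is keyed by ``Dot11.addr2`` (the BSSID) and its value starts
    with the SSID element's bytes, so the labels follow that layout; the
    sample output shows what happened when they were printed the other way
    round (a MAC address labelled as SSID).

    Args:
        pkt: a scapy packet as delivered by ``sniff``.
    '''
    global already_shows
    APs_info = get_APs_info(pkt)
    for bssid, value in APs_info.items():
        if bssid in already_shows:
            continue
        already_shows.append(bssid)
        print('-' * 40)
        print(' [+]AP的BSSID:%s' % bssid)
        print(' [+]AP的SSID:%s' % printable_ssid(value[0]))
        print(' [+]AP当前的chanle:%s' % value[1])
        if len(value) == 4:
            print(' [+]AP的认证方式为:%s' % value[2])
            print(' [+]AP的加密算法为:%s' % value[3])
        else:
            # get_Dot11_RSN returned nothing: no RSN (ID 48) element could
            # be parsed. Only that element is inspected, so this branch also
            # covers networks that advertise WPA1 via the vendor element.
            print(' [+]开放验证!!')
        print('-' * 40)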
123                 
def get_Dot11_RSN(pkt):
    '''
    Return ``(auth, cipher)`` display names parsed from the RSN element of a
    beacon or probe-response frame, or ``(None, None)`` when nothing usable
    was found.

    Only the RSN element (ID 48, ``RSN``) is inspected. The vendor-specific
    WPA1 element (ID 221, ``WPA``) is defined above but never looked at, so a
    WPA1-only network also returns ``(None, None)`` and is reported as open
    by the caller. Any parsing error is swallowed by the bare ``except`` and
    ends in the same ``(None, None)`` result.
    '''
    ssid = pkt[Dot11].addr2  # unused
    # Number of layers from the first Dot11Elt onwards, derived from the
    # "/"-separated textual summary (one entry per layer).
    len_Elt = len(pkt[Dot11Elt].summary().split('/'))
    #print pkt.show()
    for i in range(len_Elt):
        # pkt[Dot11Elt][i] selects the i-th layer counted from the first
        # element, i.e. the i-th information element of the frame.
        if pkt[Dot11Elt][i].ID == RSN:
            try:
                # hexstr() renders the element body as space-separated hex
                # bytes followed by an ASCII dump; suite selectors appear as
                # "00 0f ac NN" where NN is the suite type.
                RSN_info = hexstr(pkt[Dot11Elt][i].info)
                cipher_index = RSN_info.find('ac') # first "00 0f ac NN": group cipher suite, NN is the cipher
                auth_index = RSN_info.rfind('ac')   # last "00 0f ac NN": taken as an AKM suite, NN is the auth method
                # NOTE(review): rfind picks the last selector in the element;
                # an RSN element with fields after the AKM list (e.g. a group
                # management cipher suite) would have that one picked instead,
                # which is not in WPA_Auth and ends up as (None, None).
                # Skip "ac " and read the two digits of NN. int() is called
                # without base 16, so a suite type containing a hex letter, or
                # an "ac" hit inside the ASCII dump, raises ValueError.
                cipher_num = int(RSN_info[(cipher_index + 3):(cipher_index + 5)])
                auth_num = int(RSN_info[(auth_index + 3):(auth_index + 5)])
                for key,value in Dot11i.items():
                    if cipher_num == key:
                        cipher_info = value
                for key,value in WPA_Auth.items():
                    if auth_num == key:
                        wpa_info = value
            #print wpa_info,cipher_info 
                # A suite type missing from the tables leaves the name unbound;
                # the resulting NameError is swallowed below like any other error.
                return wpa_info,cipher_info
            except:
                pass
    return None,None
150     
151             
152 
153        
154 
def sniffering(interface, action):
    '''
    Capture up to 5000 frames on ``interface`` and hand each one to ``action``.

    ``action`` is passed to scapy's ``sniff`` as the ``prn`` callback
    (``show_APs_info`` when run from ``main``); frames are not kept in memory
    (``store=0``).
    '''
    print('[*]附近AP信息如下:')
    sniff(iface=interface, prn=action, count=5000, store=0)
161     
162           
def main():
    '''Obtain a monitor-mode interface and print the APs heard on it.'''
    monitor_iface = start_monitor_mode()
    sniffering(monitor_iface, show_APs_info)
166 
# Script entry point; note that iwconfig already ran at import time when
# `interfaces` was initialised above.
if __name__ == '__main__':
    main()
169

运行结果如下:

 1 # python test_sniff.py 
 2 WARNING: No route found for IPv6 destination :: (no default route?)
 3 [*]监听网卡为:wlan1mon
 4 [*]附近AP信息如下:
 5 ----------------------------------------
 6  [+]AP的BSSID:100msh-XXX
 7  [+]AP的SSID:84:82:f4:xx:xx:xx
 8  [+]AP当前的chanle:11
 9  [+]开放验证!!
10 ----------------------------------------
11 ----------------------------------------
12  [+]AP的BSSID:��¡����
13  [+]AP的SSID:d0:c7:c0:xx:xx:xx
14  [+]AP当前的chanle:11
15  [+]AP的认证方式为:PSK
16  [+]AP的加密算法为:CCMP
17 ----------------------------------------
18 ----------------------------------------
19  [+]AP的BSSID:FAST_XXX
20  [+]AP的SSID:78:eb:14:xx:xx:xx
21  [+]AP当前的chanle:11
22  [+]AP的认证方式为:PSK
23  [+]AP的加密算法为:CCMP
24 ----------------------------------------
25 ----------------------------------------
26  [+]AP的BSSID:FAST_XXX
27  [+]AP的SSID:0c:72:2c:xx:xx:xx
28  [+]AP当前的chanle:11
29  [+]AP的认证方式为:PSK
30  [+]AP的加密算法为:CCMP
31 ----------------------------------------
32 ----------------------------------------
33  [+]AP的BSSID:XXX
34  [+]AP的SSID:80:81:10:xx:xx:xx
35  [+]AP当前的chanle:8
36  [+]AP的认证方式为:PSK
37  [+]AP的加密算法为:TKIP
38 ----------------------------------------
39 ----------------------------------------
40  [+]AP的BSSID:XXX
41  [+]AP的SSID:80:81:10:xx:xx:xx
42  [+]AP当前的chanle:8
43  [+]AP的认证方式为:PSK
44  [+]AP的加密算法为:TKIP
45 ----------------------------------------
46 ----------------------------------------
47  [+]AP的BSSID:360免费WiFi-44
48  [+]AP的SSID:24:05:0f:xx:xx:xx
49  [+]AP当前的chanle:11
50  [+]AP的认证方式为:PSK
51  [+]AP的加密算法为:CCMP
52 ----------------------------------------

 

posted @ 2016-10-08 15:27  挣扎的猪