用python编写的无线AP扫描器
代码如下:
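#coding=utf-8
from __future__ import print_function

import os
import subprocess
import sys
from scapy.all import *


RSN = 48    # management-frame information element (Dot11Elt) ID 48 is the RSN (WPA2) element
WPA = 221   # ID 221 is "vendor specific"; with OUI 00:50:F2 / type 1 it is the legacy WPA element
RSN_OUI = b'\x00\x0f\xac'   # suite selectors inside the RSN element
WPA_OUI = b'\x00\x50\xf2'   # Microsoft OUI: marks the WPA element and its suite selectors
# Cipher-suite selector type (last byte of a 4-byte suite); the numbering is
# shared by the RSN element (OUI 00:0F:AC) and the WPA element (OUI 00:50:F2).
Dot11i = {0: 'GroupCipher',
          1: 'WEP-40',
          2: 'TKIP',
          4: 'CCMP',
          5: 'WEP-104',
          }
# AKM (authentication and key management) suite selector type.
WPA_Auth = {1: '802.11x/PMK',
            2: 'PSK',
            3: 'FT-802.1X',
            4: 'FT-PSK',
            8: 'SAE',
            }
DN = open(os.devnull, 'w')   # sink for the stderr of the helper tools; lives as long as the process


def get_wlan_interfaces():
    '''
    Return the wireless interfaces of this host, grouped by mode.

    Parses ``iwconfig`` output: every non-indented line names an interface,
    'IEEE 802.11' marks a wireless one and 'Mode:Monitor' a monitor-mode one.
    Returns {'monitor': [...], 'managed': [...], 'all': [...]}; 'managed'
    holds every wireless interface (monitor ones included), 'all' every
    interface iwconfig listed. Exits the process when iwconfig is missing or
    no wireless interface exists.
    '''
    interfaces = {'monitor': [], 'managed': [], 'all': []}
    try:
        proc = subprocess.Popen(['iwconfig'], stdout=subprocess.PIPE, stderr=DN,
                                universal_newlines=True)
    except OSError:
        sys.exit('[!]找不到iwconfig命令')
    output = proc.communicate()[0]
    for line in output.splitlines():
        # continuation lines of an interface block are indented
        if not line or line[0] == ' ':
            continue
        iface = line.split()[0]
        if 'Mode:Monitor' in line:
            interfaces['monitor'].append(iface)
        if 'IEEE 802.11' in line:
            interfaces['managed'].append(iface)
        interfaces['all'].append(iface)
    if not interfaces['managed']:
        sys.exit('[!]没有无线网卡,请插入网卡')
    return interfaces


interfaces = get_wlan_interfaces()   # wireless interfaces present at start-up


def get_strongest_inface():
    '''
    Pick the wireless interface that sees the most APs in ``iwlist <iface> scan``
    (a proxy for the strongest radio). Every '- Address:' line of the scan
    output is one AP. Returns the interface name; ties are broken by name.
    iwlist scan needs root and fails (count 0) on monitor-mode interfaces.
    '''
    iface_APs = []
    for iface in interfaces['managed']:
        proc = subprocess.Popen(['iwlist', iface, 'scan'], stdout=subprocess.PIPE,
                                stderr=DN, universal_newlines=True)
        output = proc.communicate()[0]
        count = sum(1 for line in output.splitlines() if '- Address:' in line)
        iface_APs.append((count, iface))
    return max(iface_APs)[1]


def start_monitor_mode():
    '''
    Return the name of a monitor-mode interface, putting the strongest
    managed one into monitor mode with airmon-ng when none exists yet.
    Exits the process when monitor mode cannot be enabled.
    '''
    if interfaces['monitor']:
        print('[*]监听网卡为:%s' % interfaces['monitor'][0])
        return interfaces['monitor'][0]
    interface = get_strongest_inface()
    print('[*]网卡%s开启监听模式...' % interface)
    try:
        # argument list rather than a shell string: the interface name comes
        # from iwconfig output and must not be re-parsed by a shell
        subprocess.call(['/usr/sbin/airmon-ng', 'start', interface])
    except OSError:
        sys.exit('[!]无法开启监听模式')
    moni_inface = get_wlan_interfaces()['monitor']
    if not moni_inface:
        sys.exit('[!]无法开启监听模式')
    print('[*]监听网卡为:%s' % moni_inface[0])
    return moni_inface[0]   # the name, not the list: sniff() needs a string


def _iter_elts(pkt):
    '''
    Yield every Dot11Elt (information element) layer of *pkt* in frame order.
    Walks the payload chain with isinstance so dissected subclasses of
    Dot11Elt are included as well.
    '''
    layer = pkt
    while layer:
        if isinstance(layer, Dot11Elt):
            yield layer
        layer = layer.payload


def _elt_body(elt):
    '''
    Return the body of information element *elt* (the octets after ID and
    length) as a bytearray, so indexing yields ints on Python 2 and 3 alike.
    The body is re-serialised from the element instead of read via ``.info``
    because newer scapy versions may dissect some elements (RSN, vendor
    specific) into subclasses without an ``info`` field, and scapy attribute
    lookup would then fall through to a later element's field.
    '''
    raw = bytearray(bytes(elt))
    body_len = elt.len if elt.len is not None else len(raw) - 2
    return raw[2:2 + body_len]


def _safe_ssid(body):
    '''
    Render an SSID for display. SSIDs are attacker-chosen bytes, so control
    characters are replaced by '?' to keep them from injecting terminal
    escape sequences; an empty or all-NUL SSID (hidden network) is shown as
    '<hidden>'. On Python 3 the bytes are decoded as UTF-8 with replacement;
    on Python 2 they stay a byte string, as the script always printed them.
    '''
    if not body or not any(body):
        return '<hidden>'
    text = bytes(body)
    if not isinstance(text, str):          # Python 3: bytes -> str
        text = text.decode('utf-8', 'replace')
    return ''.join(ch if (ord(ch) >= 32 and ord(ch) != 127) else '?' for ch in text)


def _u16le(body, pos):
    '''Little-endian 16-bit integer at offset *pos* of bytearray *body*.'''
    return body[pos] | (body[pos + 1] << 8)


def _suite_name(suite, oui, table):
    '''
    Name a 4-byte suite selector (3-byte OUI + type) using *table*.
    Unknown types and foreign OUIs get a descriptive label rather than None,
    so a network using them is never reported as open.
    '''
    suite_type = suite[3]
    if suite[:3] != bytearray(oui):
        return 'vendor(%02x:%02x:%02x/%d)' % (suite[0], suite[1], suite[2], suite_type)
    return table.get(suite_type, 'unknown(%d)' % suite_type)


def _parse_suites(body, oui):
    '''
    Parse the suite lists shared by the RSN and WPA elements, *body* starting
    at the version field: version(2) | group cipher(4) | pairwise count(2) |
    pairwise suites(4 each) | AKM count(2) | AKM suites(4 each).
    Returns (group_cipher_name, akm_names) where akm_names joins every
    advertised AKM with '+' (e.g. a WPA2/WPA3 transition network lists
    both); parts missing from a truncated element are reported as 'unknown'.
    '''
    if len(body) < 6:
        return 'unknown', 'unknown'
    cipher = _suite_name(body[2:6], oui, Dot11i)
    pos = 6
    if len(body) < pos + 2:
        return cipher, 'unknown'
    pos += 2 + 4 * _u16le(body, pos)        # skip the pairwise suite list
    if len(body) < pos + 2:
        return cipher, 'unknown'
    akm_count = _u16le(body, pos)
    pos += 2
    names = []
    for _ in range(akm_count):
        if len(body) < pos + 4:
            break
        names.append(_suite_name(body[pos:pos + 4], oui, WPA_Auth))
        pos += 4
    return cipher, '+'.join(names) or 'unknown'


def get_AP_info(pkt):
    '''
    Extract SSID, BSSID, channel and security info from a Beacon/ProbeResp frame.

    Returns {bssid: [ssid, channel, auth, cipher]}: the BSSID (Dot11 addr2,
    the transmitter) is the key because it is unique per AP while SSIDs are
    not. channel is a string taken from the DS Parameter Set element (ID 3),
    falling back to the HT Operation element (ID 61, first octet), or None
    when neither is present. auth/cipher are only appended when an RSN/WPA
    element (or the WEP privacy bit) was found.
    '''
    bssid = pkt[Dot11].addr2
    ssid = None
    chanle = None
    for elt in _iter_elts(pkt):
        body = _elt_body(elt)
        if elt.ID == 0 and ssid is None:
            ssid = body
        elif elt.ID == 3 and body:
            chanle = str(body[0])
        elif elt.ID == 61 and body and chanle is None:
            chanle = str(body[0])
    AP_infos = [_safe_ssid(ssid), chanle]
    wpa_info, cipher_info = get_Dot11_RSN(pkt)
    if wpa_info and cipher_info:
        AP_infos += [wpa_info, cipher_info]
    return {bssid: AP_infos}


APs_info = {}
def get_APs_info(pkt):
    '''
    Record the AP of a Beacon/ProbeResp frame in the module-level APs_info
    cache (keyed by BSSID, first sighting wins) and return the cache.
    Frames of any other kind leave the cache untouched; the cache is
    returned in every case so callers can always iterate it.
    '''
    if pkt.haslayer(Dot11) and (pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp)):
        for bssid, info in get_AP_info(pkt).items():
            APs_info.setdefault(bssid, info)
    return APs_info


already_shows = []
def show_APs_info(pkt):
    '''
    sniff() callback: feed *pkt* to the AP cache and print every AP that has
    not been printed yet. BSSID and SSID are printed under their own labels.
    '''
    for bssid, value in get_APs_info(pkt).items():
        if bssid in already_shows:
            continue
        already_shows.append(bssid)
        print('-' * 40)
        print(' [+]AP的BSSID:%s' % bssid)
        print(' [+]AP的SSID:%s' % value[0])
        print(' [+]AP当前的chanle:%s' % value[1])
        if len(value) == 4:
            print(' [+]AP的认证方式为:%s' % value[2])
            print(' [+]AP的加密算法为:%s' % value[3])
        else:
            print(' [+]开放验证!!')
        print('-' * 40)


def get_Dot11_RSN(pkt):
    '''
    Return (auth, cipher) names for a Beacon/ProbeResp frame.

    Prefers the RSN element (WPA2/WPA3); falls back to the legacy WPA
    vendor element (ID 221, OUI 00:50:F2 type 1); when neither exists but
    the capability 'privacy' bit is set the network is WEP and ('WEP', 'WEP')
    is returned. (None, None) means an open network. cipher is the group
    cipher suite, auth the advertised AKM suite(s).
    '''
    wpa_body = None
    for elt in _iter_elts(pkt):
        body = _elt_body(elt)
        if elt.ID == RSN:
            cipher, auth = _parse_suites(body, RSN_OUI)
            return auth, cipher
        if elt.ID == WPA and wpa_body is None and body[:4] == bytearray(WPA_OUI + b'\x01'):
            wpa_body = body[4:]              # strip OUI + type, leaving the version field first
    if wpa_body is not None:
        cipher, auth = _parse_suites(wpa_body, WPA_OUI)
        return auth, cipher
    # no RSN/WPA element: the privacy capability bit alone means WEP
    caps = pkt.sprintf('{Dot11Beacon:%Dot11Beacon.cap%}{Dot11ProbeResp:%Dot11ProbeResp.cap%}')
    if 'privacy' in caps:
        return 'WEP', 'WEP'
    return None, None


def sniffering(interface, action, count=5000):
    '''
    Sniff *count* frames (default 5000) on monitor interface *interface*,
    calling *action* for each one; frames are not stored (store=0) so memory
    stays flat for long captures.
    '''
    print('[*]附近AP信息如下:')
    sniff(iface=interface, prn=action, count=count, store=0)


def main():
    '''Enable monitor mode and print the APs seen on it.'''
    moni_inface = start_monitor_mode()
    sniffering(moni_inface, show_APs_info)


if __name__ == '__main__':
    main()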
运行结果如下:
1 # python test_sniff.py 2 WARNING: No route found for IPv6 destination :: (no default route?) 3 [*]监听网卡为:wlan1mon 4 [*]附近AP信息如下: 5 ---------------------------------------- 6 [+]AP的BSSID:100msh-XXX 7 [+]AP的SSID:84:82:f4:xx:xx:xx 8 [+]AP当前的chanle:11 9 [+]开放验证!! 10 ---------------------------------------- 11 ---------------------------------------- 12 [+]AP的BSSID:��¡���� 13 [+]AP的SSID:d0:c7:c0:xx:xx:xx 14 [+]AP当前的chanle:11 15 [+]AP的认证方式为:PSK 16 [+]AP的加密算法为:CCMP 17 ---------------------------------------- 18 ---------------------------------------- 19 [+]AP的BSSID:FAST_XXX 20 [+]AP的SSID:78:eb:14:xx:xx:xx 21 [+]AP当前的chanle:11 22 [+]AP的认证方式为:PSK 23 [+]AP的加密算法为:CCMP 24 ---------------------------------------- 25 ---------------------------------------- 26 [+]AP的BSSID:FAST_XXX 27 [+]AP的SSID:0c:72:2c:xx:xx:xx 28 [+]AP当前的chanle:11 29 [+]AP的认证方式为:PSK 30 [+]AP的加密算法为:CCMP 31 ---------------------------------------- 32 ---------------------------------------- 33 [+]AP的BSSID:XXX 34 [+]AP的SSID:80:81:10:xx:xx:xx 35 [+]AP当前的chanle:8 36 [+]AP的认证方式为:PSK 37 [+]AP的加密算法为:TKIP 38 ---------------------------------------- 39 ---------------------------------------- 40 [+]AP的BSSID:XXX 41 [+]AP的SSID:80:81:10:xx:xx:xx 42 [+]AP当前的chanle:8 43 [+]AP的认证方式为:PSK 44 [+]AP的加密算法为:TKIP 45 ---------------------------------------- 46 ---------------------------------------- 47 [+]AP的BSSID:360免费WiFi-44 48 [+]AP的SSID:24:05:0f:xx:xx:xx 49 [+]AP当前的chanle:11 50 [+]AP的认证方式为:PSK 51 [+]AP的加密算法为:CCMP 52 ----------------------------------------