from scapy.all import sniff, EAP, EAPOL, Dot11, Dot11Beacon
## WARNING ##
# Legal and ethical considerations: Manipulating network traffic,
# even with obsolete security protocols like WEP, can have serious consequences.
# Use these techniques only on networks you own and with explicit permission, or
# for educational and research purposes within a controlled lab environment.
# Although this script does not manipulate any network traffic,
# please keep in mind that you define the network interface to monitor.
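def get_eaptype(eap):
    """Return a human-readable label for the EAP method type of *eap*.

    Args:
        eap: Object exposing the numeric EAP ``type`` field (the caller
            passes the scapy EAP layer of a sniffed packet).

    Returns:
        The label for the type numbers listed below, otherwise
        ``"EAP Method Type Number: <n>"`` so unknown methods stay visible.
    """
    # Type numbers per the IANA EAP registry:
    # https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml
    # Type 26 is registered as MS-EAP-Authentication (EAP-MSCHAPv2); the
    # earlier "CHAP" label was misleading. EAP-MD5 (4) and LEAP (17) are
    # legacy methods that run without a protected tunnel, so seeing them is
    # worth a closer look when reviewing the output.
    labels = {
        1: "Identity",
        4: "EAP-MD5",
        13: "EAP-TLS",
        17: "EAP-LEAP : Cisco Wireless",
        21: "EAP-TTLSv0",
        25: "PEAP",
        26: "EAP-MSCHAPv2",
        43: "EAP-FAST",
    }
    method = eap.type
    return labels.get(method, f"EAP Method Type Number: {method}")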
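def get_dottype(packet):
    """Classify the link-layer protection advertised by an 802.11 frame.

    Args:
        packet: A sniffed scapy packet that carries a Dot11 layer (the
            caller checks ``haslayer(Dot11)`` before calling).

    Returns:
        ``"WEP"``, ``"WPA"``, ``"WPA2"`` or the fallback ``"DOT11"``.
    """
    dot11_layer = packet.getlayer(Dot11)
    # 0b01000000 is the Protected Frame bit of the frame-control flags.
    # NOTE(review): that bit is set on every encrypted frame, not only on
    # WEP ones, so this branch also labels WPA/WPA2 data frames "WEP" and
    # detect_attack() then reports a weak AP. Kept for compatibility;
    # treat a "WEP" result from a non-beacon frame as unconfirmed.
    if dot11_layer.FCfield & 0b01000000:
        return "WEP"

    # Beacons are management frames broadcast by the AP. The previous
    # ``Dot11.Dot11Beacon`` lookup was an attribute access on the Dot11
    # class and failed with AttributeError; the layer class is now
    # referenced directly.
    if packet.haslayer(Dot11Beacon):
        crypto = packet[Dot11Beacon].network_stats()["crypto"]
        # scapy reports ``crypto`` as a set of strings such as "WPA2/PSK",
        # so compare the family before the "/" instead of the whole entry.
        families = {str(entry).split("/", 1)[0] for entry in crypto}
        # Same precedence as before: a mixed WPA/WPA2 network is reported
        # by its weaker mode.
        if "WPA" in families:
            return "WPA"
        if "WPA2" in families:
            return "WPA2"
        # scapy adds "WEP" when the beacon sets the privacy capability
        # without any WPA/RSN element — the reliable WEP signal here.
        if "WEP" in families:
            return "WEP"
    return "DOT11"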
def detect_attack(authType, packetLength):
    """Map an authentication/encryption label to a weakness message.

    Args:
        authType: Label produced by get_eaptype() or get_dottype().
        packetLength: Length of the sniffed packet; accepted for the
            planned detection logic but not consulted yet.

    Returns:
        The weak-encryption message when *authType* is ``"WEP"``,
        otherwise the default "nothing detected" message.
    """
    # Only WEP is flagged so far; every other label gets the default text.
    if authType != "WEP":
        return "No weakness or possible attack wasn't detected"
    return "Weak Encryption.... crackable Access Point (AP) found"
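def process_packet(packet):
    """Print a one-line authentication summary for a sniffed packet.

    Used as the ``prn`` callback of ``sniff``. EAP packets are reported as
    802.1X/EAP with their method label (and the identity, when present);
    other 802.11 frames are reported with the label from get_dottype().
    Anything else is reported as unsupported and skipped.

    Args:
        packet: The scapy packet handed over by ``sniff``.

    Returns:
        None. All output goes to stdout.
    """
    packetLength = len(packet)
    protocol = None
    authType = None
    version = None
    username = None

    # Layer reference: https://scapy.readthedocs.io/en/stable/api/scapy.layers.eap.html
    if packet.haslayer(EAP):
        protocol = "802.1X/EAP"
        eap = packet[EAP]
        authType = get_eaptype(eap)
        if eap.type == 1:
            # The Identity exchange carries the user name in cleartext.
            # The value comes straight off the air and is printed exactly
            # as scapy returns it (presumably bytes, whose repr escapes
            # control characters); sanitise it if it is ever decoded.
            username = getattr(eap, "identity", None)
    elif packet.haslayer(Dot11):
        # Previously the protocol stayed None for plain 802.11 frames.
        protocol = "802.11"
        authType = get_dottype(packet)
    else:
        print(f'Not a 802.1X or 802.11 packet... The packet length is {packetLength}')
        return

    if packet.haslayer(EAPOL):
        version = packet[EAPOL].version

    attack_type = detect_attack(authType, packetLength)

    # Joined explicitly: the old backslash continuations inside one string
    # literal made the spacing depend on how the source was indented.
    summary = ", ".join((
        f"Protocol: {protocol}",
        f"Authentication type: {authType}",
        f"Version: {version}",
        f"User_Name: {username}",
        f"Length of the packet: {packetLength}",
        f"Possible attack: {attack_type}",
    ))
    print(summary)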
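if __name__ == "__main__":
    # Operator guidance printed before any capture starts.
    print("To find the interface name, please run the command.. ex. get-netadapter -physical.. ipconfig /all.. such")
    print('Please change the interface to the monitor mode - some of NICs may not support the functionality')
    print("Such as a long range wide-coverage dual-band Wi-Fi Adapter may be beneficial")
    print("This script is a test version.. Please make sure you meet the regulatory requirements/compliance")

    # Strip stray whitespace and refuse an empty answer: the operator is
    # meant to choose the monitored interface explicitly, and an empty name
    # would presumably leave that choice to scapy's default.
    interface = input("Please input the sniffing interface : ").strip()
    if not interface:
        raise SystemExit("No interface name given; nothing to sniff.")

    print("Starting live wireless auth analysis...")
    # prn handles each packet as it arrives; store=0 keeps scapy from
    # retaining captured packets in memory.
    sniff(iface=interface, prn=process_packet, store=0)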