
I'm trying to capture and send a beacon frame using the following code:

```python
import socket
import binascii

# Assumed to be defined elsewhere in the script (not shown here):
#   interface       - name of the monitor-mode interface
#   frame_subtype   - 8 to watch beacons, 4 to watch probe requests
#   association_set - set of (MAC, SSID) tuples seen so far
#   PrintNicely()   - prints association_set

def SniffIncomingProbes():

    #create a general socket to monitor ongoing traffic (0x0003 is ETH_P_ALL)
    sniffer = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sniffer.bind((interface, 0x0003))

    #byte [30] in the packet is the packet type/subtype field
    #(the radiotap header on this card is 30 bytes long)
    #\x40 is a probe request, \x80 is a beacon probe
    while True:
        if frame_subtype==8:
            packet =  sniffer.recvfrom(2048)[0]

            if packet[30] == "\x80":
                #byte [67] in the packet contains the length of the SSID
                SSID = packet[68: 68 + ord(packet[67])]
                MAC  = packet[40:46].encode('hex')
                association_set.add((MAC,SSID))
                PrintNicely()
                #try and send a beacon on my own
                if len(SSID) == 4:
                    #replace the 4-byte SSID and the BSSID (bytes 46-51)
                    newPacket = packet[:68] + "MOSS" + packet[72:]
                    newPacket = newPacket[:46] + ("\xAC\xDC\xDE\xAD\xBE\xEF") + newPacket[52:]

                    #get the FCS into unsigned form, convert to a
                    #string, and remove the "0x" characters in the beginning of the string
                    #(this version is the one that produced a wrong FCS:
                    #it runs the CRC over the radiotap header too)
                    FCS = str(hex(abs(binascii.crc32(newPacket[:len(packet)-4]))))[2:]

                    if len(FCS)%2 == 1:
                        FCS = "0" + FCS
                    print FCS
                    print len(FCS)
                    newPacket = newPacket[:len(newPacket)-4]+ FCS.decode("hex")

                    sniffer.send(newPacket)

        elif frame_subtype==4:
            packet =  sniffer.recvfrom(2048)[0]

            if packet[30] == "\x40":
                #byte [55] in the packet contains the length of the SSID
                SSID = packet[56: 56 + ord(packet[55])]
                MAC  = packet[40:46].encode('hex')
                association_set.add((MAC,SSID))
                PrintNicely()
```

When I run Wireshark and airodump I can see the packets with SSID "MOSS" going through, and it shows up as a beacon on airodump. Yet when I run Windows Network Monitor on a remote machine, I don't see these packets going through. Also, my CRC checksum seems to be wrong (checked with Wireshark). It seems like I am not sending the packet correctly and the FCS check failed.

Any input will be appreciated; thank you in advance.

UPDATE: The frame sequence check (FSC) returns Good and is not marked by Wireshark anymore, BUT the packet is still not transmitted to any remote machine on the network.

I changed the FSC code to:

```python
import binascii

def FSCCheckSum(data):

    #get the crc32 checksum of the data,
    #without the radiotap header(first 30 bytes) and the FSC (last 4 bytes)
    #and change it to unsigned form
    #convert the hex representation to a string
    #and remove the "0x" characters at the beginning of the string

    FSC = binascii.crc32(data[30:-4]) % (1<<32)
    FSC = str(hex(FSC))[2:]

    #we might get zeroes(not showing) from the left,
    #so we pad the number from the left with "0"s to match 4 bytes(4 hex pairs)
    FSC = "0" * (8-len(FSC)) + FSC

    #reverse the byte ordering (the FCS goes on the air little-endian)
    return FSC.decode("hex")[::-1]
```

So I just use the following code to modify the packet. Notice that I also change the source address now:

```python
newPacket = packet[:68] + "MOSS" + packet[72:]
newPacket = newPacket[:40] + ("\xAC\xDC\xDE\xAD\xBE\xEF") + newPacket[46:]   #source address
newPacket = newPacket[:46] + ("\xAC\xDC\xDE\xAD\xBE\xEF") + newPacket[52:]   #BSSID
newPacket = newPacket[:-4] + FSCCheckSum(newPacket)
sniffer.send(newPacket)
```

(I split setting the source address and the BSSID into two lines so it would be easier to read and understand; I know they can be merged.)

Noobay
  • Wireshark is inspecting the packets before they are sent to the hardware; the Wi-Fi hardware could be rejecting the packet for transmission because it does not have a valid checksum. Try to get the correct checksum and then redo the experiment. – Liam Kelly Sep 13 '16 at 17:38
  • Thank you Liam, that does make sense. I am looking online for documentation on how to generate a checksum (since I am sending a raw packet, I assume I have to calculate it on my own), and generating a CRC32 of the packet data is what I came up with. How can I go about calculating it? Where can I look for information on the subject? (I looked for it using Google, but since I am not sure what I am looking for, I might have missed some relevant results.) – Noobay Sep 13 '16 at 20:45
  • OK, I found Q.921 @ https://www.itu.int/rec/T-REC-Q.921-199709-I/en Gonna have to do some reading. – Noobay Sep 14 '16 at 03:03
  • [This](http://stackoverflow.com/questions/11523844/802-11-fcs-crc32) might be a quicker read – Liam Kelly Sep 14 '16 at 14:29
  • Thank you! I did try using the algorithm offered, but came up empty-handed since it did not work. http://pastebin.com/hh3W4QjU <- this is the code I used. BUT! I did manage to get it working using Python's binascii.crc32, just needed to cut off the radiotap header! Checksums match Wireshark's results; now off to test if it works in practice. – Noobay Sep 15 '16 at 01:17
  • Test failed. I also checked with aireplay and it seems my card does not support injecting packets in monitor mode. Will try again after I update the network card driver when I get back home. – Noobay Sep 15 '16 at 08:25
  • I never knew `binascii` had a `crc32` method. I did not realize that you were trying to sniff the packet you are trying to generate from the same device. I recommend using another Wi-Fi card in monitor mode and putting the packet-generating Wi-Fi card into master mode. See the `mode` section of [iwconfig](http://linux.die.net/man/8/iwconfig) – Liam Kelly Sep 15 '16 at 12:58
  • My card is unable to change to master; already tried that ;) I am looking around for firmware replacements/updates and such. It's currently iwlwifi-3160... Thank you though. – Noobay Sep 15 '16 at 13:04
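
As an added example (Python 3, not code from the question or its comments), this is how I would compute and verify the FCS the question works out: CRC-32 over the MAC frame only, written little-endian, with the radiotap length read from bytes 2-3 of its header instead of being assumed to be 30. It also generalizes the SSID offsets the question hardcodes (68 for beacons, 56 for probe requests) as 24-byte MAC header plus the 12 fixed beacon fields; the 8-byte radiotap header, the sample frame and its addresses are constructed for the demo.

```python
import binascii
import struct

# Constructed sample (not a real capture): 8-byte radiotap header (version 0,
# length 8, no fields present) then a beacon with SSID "TEST"; no FCS yet.
RADIOTAP = b"\x00\x00\x08\x00\x00\x00\x00\x00"
BEACON_NO_FCS = (
    b"\x80\x00"                    # frame control: mgmt, subtype 8 (beacon)
    + b"\x00\x00"                  # duration
    + b"\xff" * 6                  # addr1: broadcast
    + b"\x02\x00\x00\x00\x00\x01"  # addr2: source (constructed, locally administered)
    + b"\x02\x00\x00\x00\x00\x01"  # addr3: BSSID
    + b"\x00\x00"                  # sequence control
    + b"\x00" * 8                  # timestamp
    + b"\x64\x00"                  # beacon interval (100 TU)
    + b"\x01\x00"                  # capability info
    + b"\x00\x04TEST"              # SSID element: tag 0, length 4, "TEST"
)

def radiotap_len(pkt):
    """Radiotap length lives in bytes 2-3, little-endian; do not hardcode 30."""
    return struct.unpack_from("<H", pkt, 2)[0]

def fcs_bytes(mac_frame):
    """802.11 FCS: CRC-32 of MAC header+body, transmitted little-endian."""
    return struct.pack("<I", binascii.crc32(mac_frame) & 0xFFFFFFFF)

def append_fcs(pkt):
    """Append the FCS to a radiotap-encapsulated frame that has none yet."""
    return pkt + fcs_bytes(pkt[radiotap_len(pkt):])

def check_fcs(pkt):
    """True if the trailing 4 bytes equal the CRC of the rest of the MAC frame.
    Assumes the capture includes the FCS (radiotap flags bit 0x10 set)."""
    mac = pkt[radiotap_len(pkt):]
    return fcs_bytes(mac[:-4]) == mac[-4:]

def ssid_of(pkt):
    """SSID of a beacon (12 fixed bytes before the elements) or probe request (none)."""
    mac = pkt[radiotap_len(pkt):]
    if (mac[0] & 0x0F) != 0:   # need protocol version 0 and type 0 (management)
        return None
    fixed = {8: 12, 4: 0}.get(mac[0] >> 4)   # subtype: 8 = beacon, 4 = probe req
    if fixed is None:
        return None
    body = mac[24 + fixed:]
    if len(body) < 2 or body[0] != 0:   # first element must be the SSID (tag 0)
        return None
    return body[2:2 + body[1]].decode("utf-8", "replace")
```

With the question's 30-byte radiotap header these offsets come out as 30+24+12 = 66 for the SSID tag, 67 for its length and 68 for the SSID itself, which is exactly what the question hardcodes.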
