This example is the code to create an Answering Machine for probe requests. The result should be that the AP shows up on a device. The following is my code. I had to change some things up to get it working.
import sys
import time

# Make the distro's scapy package importable before scapy itself is imported
# (appending to sys.path after the import would have no effect).
sys.path.append('/usr/lib/python2.7/dist-packages')
from scapy.all import *

conf.iface = "wlan0mon"   # monitor-mode interface used for sniffing and replying


class ProbeRequest_am(AnsweringMachine):
    function_name = "pram"
    mac = "00:11:22:33:44:55"   # BSSID the fake AP answers with

    def is_request(self, pkt):
        # Only frames carrying a probe request are answered
        return Dot11ProbeReq in pkt

    def make_reply(self, req):
        # Probe response addressed to the requester's source MAC (addr2)
        rep = RadioTap()
        rep /= Dot11(addr1=req.addr2, addr2=self.mac, addr3=self.mac,
                     ID=RandShort(), SC=RandShort())
        rep /= Dot11ProbeResp(cap="ESS", timestamp=int(time.time()))
        rep /= Dot11Elt(ID="SSID", info="Scapy !")
        rep /= Dot11Elt(ID="Rates", info=b'\x82\x84\x0b\x16\x96')
        rep /= Dot11Elt(ID="DSset", info=b'\x0a')   # channel 10 as a single byte
        return rep


ProbeRequest_am()()
First of all, the AP is not visible on any device I have. But the output is related to my devices looking for my AP at home. AFAIK my smartphone (iOS 12.2) will not use its actual MAC for a probe request, and the program should only react to probe requests. But this is the output from the running script (actual MAC of my iPhone, but changed for posting = d0:c5:f3:00:00:00):
RadioTap / 802.11 Management 4 d0:c5:f3:00:00:00 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='My_AP_at_Home' / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt ==> RadioTap / 802.11 Management 5 00:11:22:33:44:55 > d0:c5:f3:00:00:00 / Dot11ProbeResp / SSID='Scapy !' / Dot11Elt / Dot11Elt
RadioTap / 802.11 Management 4 d0:c5:f3:00:00:00 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / SSID='+g' ==> RadioTap / 802.11 Management 5 00:11:22:33:44:55 > d0:c5:f3:00:00:00 / Dot11ProbeResp / SSID='Scapy !' / Dot11Elt / Dot11Elt
Is this not-working script already enough to deanonymize MAC addresses from smartphones?
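To check what the captured output above actually exposes, the following added example (my own code, not the asker's script and not part of Scapy) parses the AnsweringMachine summary lines and flags each requester address as stable (vendor-assigned) or randomized, using the U/L bit of the first octet that randomized probe addresses set. The first two sample lines are shortened copies of the output in the post; the third line, with a locally-administered source and an empty SSID, is constructed for contrast.

```python
import re

# Source MAC of the probe request half ("Management 4 src > dst") of a summary line
MAC_RE = re.compile(r"Management 4 (?P<src>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) > ")
SSID_RE = re.compile(r"SSID='([^']*)'")

# Constructed sample: lines 1-2 follow the post's output, line 3 is a made-up
# randomized-MAC wildcard probe (first octet 0xe2 has the U/L bit set).
SAMPLE_OUTPUT = """\
RadioTap / 802.11 Management 4 d0:c5:f3:00:00:00 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='My_AP_at_Home' / Dot11Elt ==> RadioTap / 802.11 Management 5 00:11:22:33:44:55 > d0:c5:f3:00:00:00 / Dot11ProbeResp / SSID='Scapy !' / Dot11Elt
RadioTap / 802.11 Management 4 d0:c5:f3:00:00:00 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / Dot11Elt / SSID='+g' ==> RadioTap / 802.11 Management 5 00:11:22:33:44:55 > d0:c5:f3:00:00:00 / Dot11ProbeResp / SSID='Scapy !' / Dot11Elt
RadioTap / 802.11 Management 4 e2:01:02:03:04:05 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='' / Dot11Elt ==> RadioTap / 802.11 Management 5 00:11:22:33:44:55 > e2:01:02:03:04:05 / Dot11ProbeResp / SSID='Scapy !' / Dot11Elt
"""


def is_locally_administered(mac):
    """True when bit 1 of the first octet (the U/L bit) is set, i.e. the address
    is not a burned-in, vendor-assigned MAC. Randomized probe MACs set this bit."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_probe_summaries(text):
    """Return one record per probe request: source MAC, probed SSID
    (None for no SSID element, '' for a wildcard probe) and the randomization flag."""
    rows = []
    for line in text.splitlines():
        request_part = line.split("==>")[0]      # ignore the generated reply
        m = MAC_RE.search(request_part)
        if not m:
            continue
        src = m.group("src").lower()
        ssid_m = SSID_RE.search(request_part)
        rows.append({
            "src": src,
            "ssid": ssid_m.group(1) if ssid_m else None,
            "randomized": is_locally_administered(src),
        })
    return rows


def ssids_per_stable_mac(rows):
    """Map each non-randomized source MAC to the named SSIDs it probed for.
    A stable MAC combined with directed probes is what ties a device to a network."""
    out = {}
    for r in rows:
        if r["randomized"] or not r["ssid"]:
            continue
        out.setdefault(r["src"], set()).add(r["ssid"])
    return out


if __name__ == "__main__":
    for r in parse_probe_summaries(SAMPLE_OUTPUT):
        print(r)
    print(ssids_per_stable_mac(parse_probe_summaries(SAMPLE_OUTPUT)))
```

Run on the post's output, the d0:c5:f3 requester is reported as a stable address probing for a named network, while the constructed e2: line is reported as randomized and dropped from the per-device map.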