
我怎样才能用 scapy 找到无线网络？如果我用 sniff()，然后 if pkt.haslayer(Dot11)，再 if pkt.info，就可以收集到它们，但速度很慢：我的 Android 手机几秒钟就能完成的事，这个脚本要花几分钟甚至更久……我怎样才能用 scapy 找到周围的无线网络？


您是否在切换频道? – Yoel 2014-11-09 15:25:57


我嗅探由'airmon-ng'启动的'mon0' – Someone1234 2014-11-11 14:31:20

回答


速度不同的原因在于：你的手机会主动向附近的任何接入点发送请求来寻找 WiFi 热点，而嗅探只是被动地监听经过的流量。

下面这些做法可能会快得多：

  1. 明确指定要嗅探的网络适配器——这样就不会在所有适配器上嗅探。
  2. 研究一下如何主动查询 WiFi 网络，并用 sr 发送这类数据包；详情请阅读 IEEE 802.11 规范，我会特别关注“探测请求帧”(Probe Request frame) 部分。

下面这个从 packet header 构造并发送无线网络数据包的例子可能会有帮助（不是我的代码，也未经我测试）：

#!/usr/bin/env python 

""" 
802.11 Scapy Packet Example 
Author: Joff Thyer, 2014 
""" 

# Setting the scapy.runtime logger to ERROR level suppresses the warning
# Scapy emits about IPv6 routing on import:
# WARNING: No route found for IPv6 destination :: (no default route?)
import logging
import os
import random
import subprocess
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *


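class Scapy80211():
    """Craft and transmit a few 802.11 frame types with Scapy.

    The constructor creates a monitor-mode interface named ``<intf>mon`` on
    top of ``intf`` (via ``iw``) and points ``conf.iface`` at it.  Each
    method then builds one frame on top of ``RadioTap()/Dot11(...)`` and
    hands it to ``sendp``.  Only ``ARP`` listens for anything: it sniffs
    briefly for a reply so ``DNSQuery`` can address the resolver's MAC.
    """

    def __init__(self, intf='wlan0', ssid='test',
                 source='00:00:de:ad:be:ef',
                 bssid='00:11:22:33:44:55', srcip='10.10.10.10'):
        """Store frame parameters and create the monitor interface.

        Args:
            intf: base wireless interface; the monitor interface is
                ``intf + 'mon'``.
            ssid: default SSID used by ``Beacon`` and ``ProbeReq``.
            source: transmitter address written into ``addr2`` of every frame.
            bssid: BSSID written into every frame.
            srcip: IPv4 source address used by ``ARP`` and ``DNSQuery``.
        """
        # Payload of the Supported Rates element; hard-coded upstream.
        self.rates = "\x03\x12\x96\x18\x24\x30\x48\x60"

        self.ssid = ssid
        self.source = source
        self.srcip = srcip
        self.bssid = bssid
        self.intf = intf
        self.intfmon = intf + 'mon'

        # Make the monitor interface Scapy's default so sendp/sniff use it
        # even when no iface= is given.
        conf.iface = self.intfmon

        # Create the monitor interface.  The original interpolated intf and
        # intfmon into a shell string for os.system(); an argument list keeps
        # an interface name containing shell metacharacters out of the shell.
        # Output is discarded as before (>/dev/null 2>&1).
        iw_cmd = ['/sbin/iw', 'dev', self.intf, 'interface', 'add',
                  self.intfmon, 'type', 'monitor']
        try:
            with open(os.devnull, 'w') as devnull:
                subprocess.call(iw_cmd, stdout=devnull, stderr=devnull)
        except OSError as err:
            # os.system() never raised when iw was missing, so stay best-effort
            # here too, but say so instead of failing silently.
            print('[!] could not run %s: %s' % (iw_cmd[0], err))

    def _data_header(self, toDS, peer):
        """Return the Dot11 data-frame header used by ``ARP`` and ``DNSQuery``.

        Args:
            toDS: when true, set the to-DS bit and address the frame to the
                BSSID with ``peer`` as the final destination (``addr3``);
                otherwise send it directly to ``peer`` with the BSSID in
                ``addr3``.
            peer: destination MAC (broadcast or a resolved station address).
        """
        # subtype=32 is kept from the original; 802.11 subtypes are a 4-bit
        # field, so this value is probably not what was intended -- confirm.
        if toDS:
            return Dot11(type=2, subtype=32, FCfield='to-DS',
                         addr1=self.bssid, addr2=self.source, addr3=peer)
        return Dot11(type=2, subtype=32,
                     addr1=peer, addr2=self.source, addr3=self.bssid)

    def Beacon(self, count=10, ssid='', dst='ff:ff:ff:ff:ff:ff'):
        """Transmit ``count`` beacon frames advertising ``ssid``.

        Args:
            count: number of frames, sent 0.1 s apart.
            ssid: SSID to advertise; empty means ``self.ssid``.
            dst: receiver address (``addr1``); broadcast by default.

        Raises:
            Whatever ``sendp`` raises (typically a socket or permission error).
        """
        if not ssid:
            ssid = self.ssid
        # cap=0x2104 and the fixed DSset (channel 1) and TIM elements are
        # hard-coded upstream.
        beacon = Dot11Beacon(cap=0x2104)
        elements = (Dot11Elt(ID='SSID', info=ssid)
                    / Dot11Elt(ID='Rates', info=self.rates)
                    / Dot11Elt(ID='DSset', info='\x01')
                    / Dot11Elt(ID='TIM', info='\x00\x01\x00\x00'))
        pkt = (RadioTap()
               / Dot11(type=0, subtype=8, addr1=dst,
                       addr2=self.source, addr3=self.bssid)
               / beacon / elements)

        print('[*] 802.11 Beacon: SSID=[%s], count=%d' % (ssid, count))
        # The original's ``try: ... except: raise`` around sendp was a no-op.
        sendp(pkt, iface=self.intfmon, count=count, inter=0.1, verbose=0)

    def ProbeReq(self, count=10, ssid='', dst='ff:ff:ff:ff:ff:ff'):
        """Transmit ``count`` probe request frames for ``ssid``.

        Args:
            count: number of frames, sent 0.1 s apart.
            ssid: SSID to probe for; empty means ``self.ssid``.
            dst: receiver address (``addr1``); broadcast by default.

        Raises:
            Whatever ``sendp`` raises.
        """
        if not ssid:
            ssid = self.ssid
        elements = (Dot11Elt(ID='SSID', info=ssid)
                    / Dot11Elt(ID='Rates', info=self.rates)
                    / Dot11Elt(ID='DSset', info='\x01'))
        pkt = (RadioTap()
               / Dot11(type=0, subtype=4, addr1=dst,
                       addr2=self.source, addr3=self.bssid)
               / Dot11ProbeReq() / elements)

        print('[*] 802.11 Probe Request: SSID=[%s], count=%d' % (ssid, count))
        # iface= is passed explicitly, as in Beacon, rather than relying on
        # conf.iface still being the monitor interface.
        sendp(pkt, iface=self.intfmon, count=count, inter=0.1, verbose=0)

    def ARP(self, targetip, count=1, toDS=False):
        """Send an ARP who-has for ``targetip`` and return the answering MAC.

        Args:
            targetip: IPv4 address to resolve; a falsy value returns ``None``
                without sending anything.
            count: number of request frames, sent 0.1 s apart.
            toDS: address the frame through the AP (to-DS bit) instead of
                broadcasting it directly.

        Returns:
            ``hwsrc`` of the first ARP reply (op == 2) seen within one second,
            or ``None`` when nothing answered.
        """
        if not targetip:
            return None

        arp = (LLC() / SNAP()
               / ARP(op='who-has', psrc=self.srcip, pdst=targetip,
                     hwsrc=self.source))
        pkt = RadioTap() / self._data_header(toDS, 'ff:ff:ff:ff:ff:ff') / arp

        print('[*] ARP Req: who-has %s' % (targetip))
        sendp(pkt, iface=self.intfmon, inter=0.1, verbose=0, count=count)

        # Wait at most one second for a single is-at reply on the same interface.
        replies = sniff(iface=self.intfmon,
                        lfilter=lambda x: x.haslayer(ARP) and x[ARP].op == 2,
                        store=1, count=1, timeout=1)
        if not replies:
            return None
        return replies[0][ARP].hwsrc

    def DNSQuery(self, query='www.google.com', qtype='A', ns=None, count=1,
                 toDS=False):
        """Send a DNS query for ``query`` to the resolver ``ns``.

        The resolver's MAC is obtained with ``ARP`` first; the frame is
        addressed to it either directly or through the AP (``toDS``).

        Args:
            query: name to look up.
            qtype: query type (e.g. ``'A'``).
            ns: resolver IPv4 address; ``None`` returns without sending.
            count: number of frames.
            toDS: route through the AP (to-DS bit) instead of directly.

        Returns:
            ``None``.  Nothing is sent when ``ns`` is ``None`` or when the
            resolver does not answer the ARP request.
        """
        if ns is None:
            return None
        dstmac = self.ARP(ns)
        if dstmac is None:
            # The original passed None through as a Dot11 address; skip the
            # send instead, since the frame could not be addressed.
            print('[*] DNS query: no ARP reply from %s, not sending' % ns)
            return None

        dns = (LLC() / SNAP() / IP(src=self.srcip, dst=ns)
               / UDP(sport=random.randint(49152, 65535), dport=53)
               / DNS(qd=DNSQR(qname=query, qtype=qtype)))
        pkt = RadioTap() / self._data_header(toDS, dstmac) / dns

        print('[*] DNS query %s (%s) -> %s?' % (query, qtype, ns))
        sendp(pkt, iface=self.intfmon, count=count, verbose=0)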

# main routine 
if __name__ == "__main__":
    banner = """
[*] 802.11 Scapy Packet Crafting Example
[*] Assumes 'wlan0' is your wireless NIC!
[*] Author: Joff Thyer, 2014
"""
    print(banner)
    # Build the helper on wlan0 (this creates wlan0mon), then send one round
    # of each frame type with the defaults above.
    crafter = Scapy80211(intf='wlan0')
    crafter.Beacon()
    crafter.ProbeReq()
    crafter.DNSQuery(ns='10.10.10.2')

我是在由 'airmon-ng' 启动的 'mon0' 上运行 'sniff()' 的。 – Someone1234 2014-11-09 08:45:06


我曾经写过一个扫描无线网络的脚本，使用很简单：

python rs.py mon0 

这里 mon0 是我们的监控接口。代码中有注释，便于正确理解。

#Implementation of a wireless scanner using Scapy library 

#!/usr/bin/env python 
# rs.py - Wireless AP scanner 
#author rahil sharma 
# date 15/3/2013 @rs 
#usage python rs.py mon0 
#where mon0 is your monitoring interface 
#used this using my alfa card in bactrack 
import random
import re
import subprocess
import sys, os, signal
import time
from multiprocessing import Process

from scapy.all import *

# Monitor interface name; filled in from argv in the main block.
interface = ''
# Unique APs seen so far: BSSID -> 'Y' (encrypted) or 'N'.
aps = dict()

# process unique sniffed Beacons and ProbeResponses. 
#haslayer packet has Dot11 layer present 
#ord() converts a one-character string to its integer code, e.g. ord('a') gives 97
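def sniffAP(p):
    """Record and print an access point the first time it is seen.

    Handles beacons and probe responses (the header comment promised both,
    the original only matched Dot11Beacon) and reports each BSSID once
    instead of on every beacon heard.

    Args:
        p: a Scapy packet from ``sniff``; anything without a Dot11Beacon or
            Dot11ProbeResp layer, or without information elements, is ignored.

    Side effects:
        Adds ``bssid -> 'Y'|'N'`` to the module-level ``aps`` dict and prints
        one ``CH ENC BSSID SSID`` line per newly seen AP.
    """
    if not (p.haslayer(Dot11Beacon) or p.haslayer(Dot11ProbeResp)):
        return
    if not p.haslayer(Dot11Elt):
        return

    bssid = p[Dot11].addr3
    if bssid in aps:
        return

    # The first information element is the SSID.
    ssid = p[Dot11Elt].info
    channel = _ds_channel(p)

    # Rendered capability bits look like 'short-slot+DSSS-OFDM+res15+ESS';
    # 'privacy' present means the network requires encryption.
    capability = p.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}"
                           "{Dot11ProbeResp:%Dot11ProbeResp.cap%}")
    enc = 'Y' if 'privacy' in capability else 'N'

    aps[bssid] = enc
    print("%02d %s %s %s" % (channel, enc, bssid, ssid))


def _ds_channel(p):
    """Return the channel from the DS Parameter Set element (ID 3), or 0.

    The original used ``p[Dot11Elt:3]``, i.e. the third element by position,
    and ``ord()`` on its info; that picks the wrong element when the order
    differs and raises when the element is not exactly one byte.  Walking the
    element chain and checking the ID avoids both.
    """
    elt = p.getlayer(Dot11Elt)
    while isinstance(elt, Dot11Elt):
        if elt.ID == 3 and len(elt.info) == 1:
            return ord(elt.info)
        elt = elt.payload
    return 0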

# Channel hopper - we are making a channel hopper because we want to scan the whole wireless spectrum. 
#first choose a random channel using randrange function 
#use system to run the shell command iw dev wlan0 set channel 1 
#exit when a keyboard interrupt is given CTrl+c 
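def channel_hopper():
    """Hop the monitor interface to a random channel (1-14) once a second.

    Meant to run in a child ``Process`` while ``sniff`` runs in the parent,
    so beacons from every channel are eventually heard.  Reads the
    module-level ``interface``.  Returns on KeyboardInterrupt, or when
    ``iw`` cannot be executed at all.
    """
    while True:
        try:
            channel = random.randrange(1, 15)
            # Argument list instead of the original os.system() shell string:
            # the interface name comes straight from argv.
            subprocess.call(['iw', 'dev', interface, 'set', 'channel',
                             str(channel)])
            time.sleep(1)
        except KeyboardInterrupt:
            break
        except OSError as err:
            # os.system() stayed silent when iw was missing; hopping cannot
            # work without it, so say so once and stop.
            print("channel hopper: cannot run iw: %s" % err)
            break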
      # Capture interrupt signal and cleanup before exiting 
#terminate is used to end the child process 
#before exiting the program we will be displaying number of aps found etc. 
#here Cntrl+c is used to 
#signal_handler used to do clean up before the program exits 
def signal_handler(signal, frame):
    """SIGINT handler: stop the channel hopper, print statistics, exit.

    Relies on the module-level ``p`` (the hopper Process) and ``aps``.
    Both parameters are the standard handler arguments and are unused;
    note that ``signal`` shadows the module of the same name inside here.
    """
    p.terminate()
    p.join()

    encrypted = sum(1 for flag in aps.values() if flag == 'Y')
    unencrypted = sum(1 for flag in aps.values() if flag == 'N')

    print("\n-=-=-=-=-= STATISTICS =-=-=-=-=-=-")
    print("Total APs found: %d" % len(aps))
    print("Encrypted APs : %d" % encrypted)
    print("Unencrypted APs: %d" % unencrypted)

    sys.exit(0)
#use this for command line variables 
#for checking the number of command line variables and if they are in right order 
if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage %s monitor_interface" % sys.argv[0])
        sys.exit(1)

    # The single positional argument is the monitor interface (e.g. mon0).
    interface = sys.argv[1]

    print("-=-=-=-=-=-= rs_scan.py =-=-=-=-=-=-")
    print("CH ENC BSSID    SSID")

    # The channel hopper runs as a child process: create a Process and start it.
    p = Process(target=channel_hopper)
    p.start()

    # Ctrl-C arrives as SIGINT; route it to signal_handler for cleanup.
    signal.signal(signal.SIGINT, signal_handler)

    # sniff() invokes sniffAP for every frame captured on the interface.
    sniff(iface=interface, prn=sniffAP)