wifi_send_pkt_freedom packet injection

mcauser
Posts: 507
Joined: Mon Jun 15, 2015 8:03 am

wifi_send_pkt_freedom packet injection

Post by mcauser » Mon May 22, 2017 12:30 am

Has anyone experimented with wifi_send_pkt_freedom()?

Espressif have written a function that lets you send any packet you'd like to the network.
http://hackaday.com/2016/01/14/inject-p ... n-esp8266/
https://hackaday.io/project/9333-weeken ... -dark-side

You can also enter monitor mode and listen to all WiFi traffic regardless of the target MAC address.

I'm going to attempt to add a freedom() method to modnetwork, e.g.

```python
import network
sta_if = network.WLAN(network.STA_IF)
sta_if.active(True)
channel = 12
packet = bytearray(b'\x80\x00.......')
sta_if.freedom(channel, packet)
```

Once I get it working, I'll try to show a fake AP with a 802.11 beacon frame.
https://mrncciew.com/2014/10/08/802-11- ... con-frame/
https://gist.github.com/dpavlin/b8a9663 ... 83cde48ffb

Try to deauth another of my ESP8266s.
https://mrncciew.com/2014/10/11/802-11- ... on-frames/
https://github.com/RandDruid/esp8266-deauth
https://github.com/spacehuhn/esp8266_deauther

And learn about all of the other 802.11 management frames that we take for granted.
https://mrncciew.com/2014/09/29/cwap-80 ... ame-types/

mcauser
Posts: 507
Joined: Mon Jun 15, 2015 8:03 am

Re: wifi_send_pkt_freedom packet injection

Post by mcauser » Fri May 26, 2017 2:29 pm

rmokerone's doing something similar - sniffing all packets:
https://github.com/micropython/micropython/pull/3075

mcauser
Posts: 507
Joined: Mon Jun 15, 2015 8:03 am

Re: wifi_send_pkt_freedom packet injection

Post by mcauser » Thu Jun 01, 2017 10:18 am

Managed to create a fake AP using wifi_send_pkt_freedom.

In micropython/esp8266/modnetwork.c, add the following before the isconnected() method, then run make deploy:

```c
STATIC mp_obj_t esp_freedom(mp_obj_t self_in, mp_obj_t chan_in, mp_obj_t buf_in) {
    // only the station interface may inject, and it must be active
    require_if(self_in, STATION_IF);
    if ((wifi_get_opmode() & STATION_MODE) == 0) {
        nlr_raise(mp_obj_new_exception_msg(&mp_type_OSError,
            "STA must be active"));
    }

    int channel = mp_obj_get_int(chan_in);
    mp_buffer_info_t bufinfo;
    mp_get_buffer_raise(buf_in, &bufinfo, MP_BUFFER_READ);   // bytes or bytearray

    // disconnect and enter promiscuous mode, the state the SDK expects before injecting
    wifi_station_disconnect();
    wifi_promiscuous_enable(1);
    wifi_set_channel(channel);

    // send the raw frame three times; the SDK call returns 0 on success and -1 on failure
    int ret = 0;
    for (int i = 0; i < 3 && ret == 0; i++) {
        ret = wifi_send_pkt_freedom(bufinfo.buf, bufinfo.len, false);
    }
    wifi_promiscuous_enable(0);
    if (ret != 0) {
        nlr_raise(mp_obj_new_exception_msg(&mp_type_OSError,
            "wifi_send_pkt_freedom failed"));
    }

    return mp_const_none;
}
STATIC MP_DEFINE_CONST_FUN_OBJ_3(esp_freedom_obj, esp_freedom);
```

And further down in STATIC const mp_map_elem_t wlan_if_locals_dict_table add:

```c
{ MP_OBJ_NEW_QSTR(MP_QSTR_freedom), (mp_obj_t)&esp_freedom_obj },
```

Usage: sta_if.freedom(channel, packet)

Fake AP Example:

```python
import network
import time
import uos

sta_if = network.WLAN(network.STA_IF)
sta_if.active(True)
sta_if.scan()

def beacon(ssid, channel, times):
    # 24-byte MAC header (frame control 0x80 = beacon, broadcast destination, BSSID twice)
    # followed by the fixed fields: timestamp, beacon interval, capability
    packet = bytearray([0x80,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xb8,0xe8,0x56,0x33,0xde,0x01,0xb8,0xe8,0x56,0x33,0xde,0x01,0xc0,0x6c,0x83,0x51,0xf7,0x8f,0x0f,0x00,0x00,0x00,0x64,0x00,0x01,0x04,0x00,0x00])
    packet[37] = len(ssid)      # SSID element: tag 0x00 at [36], length byte at [37]
    packet.extend(ssid)
    # supported rates element, then the DS parameter set whose last byte is the channel
    packet.extend(bytearray([0x01,0x08,0x82,0x84,0x8b,0x96,0x24,0x30,0x48,0x6c,0x03,0x01,0x01]))
    packet[-1] = channel
    for i in range(times):
        # addr2 and addr3 (the BSSID) are rewritten with random bytes for every frame
        packet[10] = packet[16] = uos.urandom(1)[0]
        packet[11] = packet[17] = uos.urandom(1)[0]
        packet[12] = packet[18] = uos.urandom(1)[0]
        packet[13] = packet[19] = uos.urandom(1)[0]
        packet[14] = packet[20] = uos.urandom(1)[0]
        packet[15] = packet[21] = uos.urandom(1)[0]
        sta_if.freedom(channel, packet)
        time.sleep_ms(10)

# create a fake AP called Foo
beacon('Foo', 1, 50)
```
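
As an added example (not code from the thread or from MicroPython), here is a decoder for the beacon layout that beacon() above builds, plus the check a wireless monitor would run over captured frames to notice one SSID being announced from many BSSIDs. sample_beacon() only constructs test input in that same layout, nothing is transmitted, and the element IDs 0 (SSID) and 3 (DS parameter set) are the standard 802.11 tag numbers.

```python
import struct
from collections import defaultdict

def parse_beacon(frame: bytes) -> dict:
    """Decode one beacon laid out as in the thread: 24-byte MAC header,
    12 bytes of fixed fields, then tag/length/value information elements."""
    if len(frame) < 36:
        raise ValueError("frame shorter than a beacon header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0xFC) != 0x80:                     # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    ies, pos = {}, 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies[tag] = body
        pos += 2 + length
    if 0 not in ies or 3 not in ies:
        raise ValueError("beacon lacks an SSID or DS parameter set element")
    return {
        "bssid": frame[16:22].hex(":"),         # addr3 carries the BSSID
        "timestamp": timestamp,
        "interval_tu": interval,                # beacon interval in time units
        "privacy": bool(capability & 0x0010),   # capability bit 4 clear: open network
        "ssid": ies[0].decode("utf-8", "replace"),
        "channel": ies[3][0],                   # DS parameter set: current channel
    }

def ssids_with_many_bssids(frames, limit=2):
    """SSIDs advertised by more than `limit` distinct BSSIDs; beacon()'s randomised
    BSSIDs trip this fast, but multi-AP networks share an SSID too, so it is a lead."""
    seen = defaultdict(set)
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except ValueError:                      # skip non-beacons and malformed frames
            continue
        seen[info["ssid"]].add(info["bssid"])
    return {ssid: len(macs) for ssid, macs in seen.items() if len(macs) > limit}

def sample_beacon(bssid: bytes, ssid: bytes, channel: int) -> bytes:
    """Constructed test input in the thread's byte layout; it is never transmitted."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\xc0\x6c"
    fixed = b"\x83\x51\xf7\x8f\x0f\x00\x00\x00\x64\x00\x01\x04"  # timestamp, 100 TU, cap
    rates = b"\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c"
    return header + fixed + bytes([0, len(ssid)]) + ssid + rates + bytes([3, 1, channel])
```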

linsen
Posts: 1
Joined: Mon Jul 17, 2017 12:33 am

Re: wifi_send_pkt_freedom packet injection

Post by linsen » Mon Jul 17, 2017 12:38 am

wifi_send_pkt_freedom always returns -1?

K0IN
Posts: 1
Joined: Tue Jan 09, 2018 9:57 pm

Re: wifi_send_pkt_freedom packet injection

Post by K0IN » Tue Jan 09, 2018 9:58 pm

Can you upload the full binary with wifi_send_pkt_freedom implemented, please?
