Trying out 802.11 frame injection with Scapy
While looking into 802.11 frame injection on wireless LAN (IEEE 802.11), I tried Scapy's 802.11 frame injection as a way to "confirm on another device that frame injection is actually succeeding". However, even following the procedure in the Scapy 2.1-dev manual exactly, I could not observe the transmitted 802.11 frames on any other device*1.
After some trial and error, I was able to observe the 802.11 frames sent by Scapy on other devices. In this diary entry I note down how I performed 802.11 frame injection with Scapy and how I observed the result.
Test environment
The environment in which I tried 802.11 frame injection was as follows.
1. Laptop PC
   - "BackTrack 5 R3"*2 booted from a USB stick
   - Scapy (the version bundled with BackTrack 5 R3)
   - A wireless LAN network card capable of 802.11 frame injection
2. Galaxy Nexus (SC-04D)
   - Android 4.1.1
   - The app "Wifi Analyzer", version 3.2.1 (secroid rating)
3. iPad2
   - iOS 6.0.1
I ran the 802.11 frame injection on the laptop (1), and observed the transmitted 802.11 frames on the "Galaxy Nexus (SC-04D)" (2) and the "iPad2" (3).
802.11 frame injection with Scapy
The procedure for 802.11 frame injection with Scapy is simply to start Scapy and run the following. It is the procedure from the Scapy 2.1-dev manual with a RadioTap() layer prepended.

```python
sendp(RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2="00:11:22:33:44:55",addr3="00:11:22:33:44:55")/Dot11Beacon(cap="ESS")/Dot11Elt(ID="SSID",info="scapy-frame-injection")/Dot11Elt(ID="Rates",info='\x82\x84\x0b\x16')/Dot11Elt(ID="DSset",info="\x06")/Dot11Elt(ID="TIM",info="\x00\x01\x00\x00"),iface="wlan1mon",loop=1,inter=0.1)
```

Running the 802.11 frame injection above transmits an 802.11 Beacon frame with the SSID "scapy-frame-injection" every 0.1 seconds. I was able to confirm the transmitted 802.11 frames with the observation methods described below. Change the Dot11() arguments addr2 and addr3 and the sendp() arguments iface and inter to match your own environment.
How the transmitted 802.11 frames were observed
I was able to observe the 802.11 frames (Beacon frames) sent by Scapy with the following two methods.
Observation with the app "Wifi Analyzer"
The Android app "Wifi Analyzer" shows, for each SSID, the signal strength [dBm], the channel in use, and so on. When 802.11 Beacon frames are sent with Scapy, the specified SSID is drawn in the app. Sending with the SSID "scapy-frame-injection" gave the result shown in the figure below. From this behaviour of "Wifi Analyzer", I concluded that the "Galaxy Nexus (SC-04D)" was receiving the 802.11 frames sent by Scapy.
Observation with [Settings] - [Wi-Fi] on iOS
[Settings] - [Wi-Fi] on iOS lets you choose the wireless LAN access point (SSID) to connect to. When 802.11 Beacon frames are sent with Scapy, the specified SSID appears among the networks available to connect to. Sending with the SSID "scapy-frame-injection" gave the result shown in the figure below. From this result, I concluded that the "iPad2" was receiving the 802.11 frames sent by Scapy.
Finally, I have included the Wireshark text output*3 of the 802.11 frames sent by the "Scapy 2.1-dev manual procedure" and by "this diary's procedure". Only for those who are interested.
Differences in the 802.11 frames between the "Scapy 2.1-dev manual procedure" and "this diary's procedure"
Even when running the "Scapy 2.1-dev manual procedure", Wireshark running on the same laptop could capture the transmitted 802.11 frames. Running the "Scapy 2.1-dev manual procedure" and "this diary's procedure" in turn and comparing the 802.11 frames captured by Wireshark, the following points differed.
- RadioTap header
  - With the "Scapy 2.1-dev manual procedure": invalid.
- Number of 802.11 frames transmitted
  - With the "Scapy 2.1-dev manual procedure": 1 frame.
  - With "this diary's procedure": 2 frames.
    - Judged from the fact that frames were sent two at a time at the interval given by the sendp() argument inter.
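As an added example (not code from the original post), here is the same beacon as the sendp() line above, assembled by hand with struct so it runs without Scapy. It shows why the manual's frame without RadioTap() is 74 bytes and is dissected as "Radiotap Header v128, Length 0 (invalid)", and why prepending RadioTap() gives the 82-byte frame seen in the capture. The address 00:11:22:33:44:55 is the page's placeholder; the 8-byte radiotap header with no present flags is assumed to be what Scapy's default RadioTap() emits.

```python
import struct

# Constructed example: byte-for-byte equivalent of the page's Scapy layers
# RadioTap()/Dot11(...)/Dot11Beacon(cap="ESS")/Dot11Elt(...) x4, without Scapy.
BROADCAST = bytes.fromhex("ffffffffffff")
BSSID = bytes.fromhex("001122334455")   # placeholder address used on the page

def radiotap_header() -> bytes:
    # Minimal radiotap header (assumed to match Scapy's default RadioTap()):
    # version 0, pad 0, header length 8 (little-endian), present flags 0.
    return struct.pack("<BBHI", 0, 0, 8, 0)

def dot11_elt(elt_id: int, info: bytes) -> bytes:
    # Tagged parameter: element ID, length, value.
    return struct.pack("<BB", elt_id, len(info)) + info

def build_beacon(ssid: str, bssid: bytes = BSSID, channel: int = 6) -> bytes:
    # 802.11 MAC header (24 bytes): Frame Control 0x0080 = management frame,
    # subtype 8 (beacon); duration 0; addr1 broadcast; addr2 = addr3 = bssid;
    # sequence/fragment number 0.
    hdr = (struct.pack("<HH", 0x0080, 0) + BROADCAST + bssid + bssid
           + struct.pack("<H", 0))
    # Fixed parameters (12 bytes): timestamp 0, beacon interval 100 TU
    # (0.102400 s in Wireshark), capabilities 0x0001 = ESS.
    fixed = struct.pack("<QHH", 0, 100, 0x0001)
    tagged = (dot11_elt(0, ssid.encode())            # SSID
              + dot11_elt(1, b"\x82\x84\x0b\x16")    # Rates 1(B), 2(B), 5.5, 11
              + dot11_elt(3, bytes([channel]))       # DS parameter set
              + dot11_elt(5, b"\x00\x01\x00\x00"))   # TIM
    return hdr + fixed + tagged

def radiotap_prefix(frame: bytes):
    # Read the first four bytes the way a radiotap capture (WTAP_ENCAP 23) does:
    # it_version, it_pad, it_len. When no radiotap header is present, the
    # Frame Control byte 0x80 is read as version 128 and the duration field
    # as length 0, which is exactly Wireshark's "v128, Length 0 (invalid)".
    version, pad, length = struct.unpack_from("<BBH", frame, 0)
    return version, pad, length

if __name__ == "__main__":
    bare = build_beacon("scapy-frame-injection")
    wrapped = radiotap_header() + bare
    print(len(bare), radiotap_prefix(bare))        # manual procedure: 74 bytes
    print(len(wrapped), radiotap_prefix(wrapped))  # this diary's procedure: 82 bytes
```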
802.11 frame sent by the Scapy 2.1-dev manual procedure

```
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
    WTAP_ENCAP: 23
    Arrival Time: Dec 2, 2012 00:49:56.579624000 東京 (標準時)
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1354376996.579624000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 74 bytes (592 bits)
    Capture Length: 74 bytes (592 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan]
Radiotap Header v128, Length 0 (invalid)
    Header revision: 128
    Header pad: 0
    Header length: 0
IEEE 802.11 Beacon frame, Flags: ........
    Type/Subtype: Beacon frame (0x08)
    Frame Control: 0x0080 (Normal)
        Version: 0
        Type: Management frame (0)
        Subtype: 8
        Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source address: 00:11:22:33:44:55 (00:11:22:33:44:55)
    BSS Id: 00:11:22:33:44:55 (00:11:22:33:44:55)
    Fragment number: 0
    Sequence number: 0
IEEE 802.11 wireless LAN management frame
    Fixed parameters (12 bytes)
        Timestamp: 0x0000000000000000
        Beacon Interval: 0.102400 [Seconds]
        Capabilities Information: 0x0001
            .... .... .... ...1 = ESS capabilities: Transmitter is an AP
            .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
            .... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x0000)
            .... .... ...0 .... = Privacy: AP/STA cannot support WEP
            .... .... ..0. .... = Short Preamble: Short preamble not allowed
            .... .... .0.. .... = PBCC: PBCC modulation not allowed
            .... .... 0... .... = Channel Agility: Channel agility not in use
            .... ...0 .... .... = Spectrum Management: dot11SpectrumManagementRequired FALSE
            .... .0.. .... .... = Short Slot Time: Short slot time not in use
            .... 0... .... .... = Automatic Power Save Delivery: apsd not implemented
            ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed
            .0.. .... .... .... = Delayed Block Ack: delayed block ack not implemented
            0... .... .... .... = Immediate Block Ack: immediate block ack not implemented
    Tagged parameters (38 bytes)
        Tag: SSID parameter set: scapy-frame-injection
            Tag Number: SSID parameter set (0)
            Tag length: 21
            SSID: scapy-frame-injection
        Tag: Supported Rates 1(B), 2(B), 5.5, 11, [Mbit/sec]
            Tag Number: Supported Rates (1)
            Tag length: 4
            Supported Rates: 1(B) (0x82)
            Supported Rates: 2(B) (0x84)
            Supported Rates: 5.5 (0x0b)
            Supported Rates: 11 (0x16)
        Tag: DS Parameter set: Current Channel: 6
            Tag Number: DS Parameter set (3)
            Tag length: 1
            Current Channel: 6
        Tag: Traffic Indication Map (TIM): DTIM 0 of 0 bitmap
            Tag Number: Traffic Indication Map (TIM) (5)
            Tag length: 4
            DTIM count: 0
            DTIM period: 1
            Bitmap control: 0x00
                .... ...0 = Multicast: False
                0000 000. = Bitmap Offset: 0x00
            Partial Virtual Bitmap: 00
```
802.11 frames sent by this diary's procedure

```
No.     Time                       Source             Destination        Protocol Info
      1 2012-12-02 00:53:02.288311 00:11:22:33:44:55  ff:ff:ff:ff:ff:ff  802.11   Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=scapy-frame-injection

Frame 1: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
    WTAP_ENCAP: 23
    Arrival Time: Dec 2, 2012 00:53:02.288311000 東京 (標準時)
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1354377182.288311000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 82 bytes (656 bits)
    Capture Length: 82 bytes (656 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan]
Radiotap Header v0, Length 8
    Header revision: 0
    Header pad: 0
    Header length: 8
    Present flags
        .... .... .... .... .... .... .... ...0 = TSFT: False
        .... .... .... .... .... .... .... ..0. = Flags: False
        .... .... .... .... .... .... .... .0.. = Rate: False
        .... .... .... .... .... .... .... 0... = Channel: False
        .... .... .... .... .... .... ...0 .... = FHSS: False
        .... .... .... .... .... .... ..0. .... = dBm Antenna Signal: False
        .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: False
        .... .... .... .... .... .... 0... .... = Lock Quality: False
        .... .... .... .... .... ...0 .... .... = TX Attenuation: False
        .... .... .... .... .... ..0. .... .... = dB TX Attenuation: False
        .... .... .... .... .... .0.. .... .... = dBm TX Power: False
        .... .... .... .... .... 0... .... .... = Antenna: False
        .... .... .... .... ...0 .... .... .... = dB Antenna Signal: False
        .... .... .... .... ..0. .... .... .... = dB Antenna Noise: False
        .... .... .... .... .0.. .... .... .... = RX flags: False
        .... .... .... .0.. .... .... .... .... = Channel+: False
        .... .... .... 0... .... .... .... .... = HT information: False
        ..0. .... .... .... .... .... .... .... = Radiotap NS next: False
        .0.. .... .... .... .... .... .... .... = Vendor NS next: False
        0... .... .... .... .... .... .... .... = Ext: False
IEEE 802.11 Beacon frame, Flags: ........
    Type/Subtype: Beacon frame (0x08)
    Frame Control: 0x0080 (Normal)
        Version: 0
        Type: Management frame (0)
        Subtype: 8
        Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source address: 00:11:22:33:44:55 (00:11:22:33:44:55)
    BSS Id: 00:11:22:33:44:55 (00:11:22:33:44:55)
    Fragment number: 0
    Sequence number: 0
IEEE 802.11 wireless LAN management frame
    Fixed parameters (12 bytes)
        Timestamp: 0x0000000000000000
        Beacon Interval: 0.102400 [Seconds]
        Capabilities Information: 0x0001
            .... .... .... ...1 = ESS capabilities: Transmitter is an AP
            .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
            .... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x0000)
            .... .... ...0 .... = Privacy: AP/STA cannot support WEP
            .... .... ..0. .... = Short Preamble: Short preamble not allowed
            .... .... .0.. .... = PBCC: PBCC modulation not allowed
            .... .... 0... .... = Channel Agility: Channel agility not in use
            .... ...0 .... .... = Spectrum Management: dot11SpectrumManagementRequired FALSE
            .... .0.. .... .... = Short Slot Time: Short slot time not in use
            .... 0... .... .... = Automatic Power Save Delivery: apsd not implemented
            ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed
            .0.. .... .... .... = Delayed Block Ack: delayed block ack not implemented
            0... .... .... .... = Immediate Block Ack: immediate block ack not implemented
    Tagged parameters (38 bytes)
        Tag: SSID parameter set: scapy-frame-injection
            Tag Number: SSID parameter set (0)
            Tag length: 21
            SSID: scapy-frame-injection
        Tag: Supported Rates 1(B), 2(B), 5.5, 11, [Mbit/sec]
            Tag Number: Supported Rates (1)
            Tag length: 4
            Supported Rates: 1(B) (0x82)
            Supported Rates: 2(B) (0x84)
            Supported Rates: 5.5 (0x0b)
            Supported Rates: 11 (0x16)
        Tag: DS Parameter set: Current Channel: 6
            Tag Number: DS Parameter set (3)
            Tag length: 1
            Current Channel: 6
        Tag: Traffic Indication Map (TIM): DTIM 0 of 0 bitmap
            Tag Number: Traffic Indication Map (TIM) (5)
            Tag length: 4
            DTIM count: 0
            DTIM period: 1
            Bitmap control: 0x00
                .... ...0 = Multicast: False
                0000 000. = Bitmap Offset: 0x00
            Partial Virtual Bitmap: 00

No.     Time                       Source             Destination        Protocol Info
      2 2012-12-02 00:53:02.289289 00:11:22:33:44:55  ff:ff:ff:ff:ff:ff  802.11   Beacon frame, SN=0, FN=0, Flags=........, BI=100, SSID=scapy-frame-injection

Frame 2: 87 bytes on wire (696 bits), 87 bytes captured (696 bits)
    WTAP_ENCAP: 23
    Arrival Time: Dec 2, 2012 00:53:02.289289000 東京 (標準時)
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1354377182.289289000 seconds
    [Time delta from previous captured frame: 0.000978000 seconds]
    [Time delta from previous displayed frame: 0.000978000 seconds]
    [Time since reference or first frame: 0.000978000 seconds]
    Frame Number: 2
    Frame Length: 87 bytes (696 bits)
    Capture Length: 87 bytes (696 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan]
Radiotap Header v0, Length 13
    Header revision: 0
    Header pad: 0
    Header length: 13
    Present flags
        .... .... .... .... .... .... .... ...0 = TSFT: False
        .... .... .... .... .... .... .... ..0. = Flags: False
        .... .... .... .... .... .... .... .1.. = Rate: True
        .... .... .... .... .... .... .... 0... = Channel: False
        .... .... .... .... .... .... ...0 .... = FHSS: False
        .... .... .... .... .... .... ..0. .... = dBm Antenna Signal: False
        .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: False
        .... .... .... .... .... .... 0... .... = Lock Quality: False
        .... .... .... .... .... ...0 .... .... = TX Attenuation: False
        .... .... .... .... .... ..0. .... .... = dB TX Attenuation: False
        .... .... .... .... .... .0.. .... .... = dBm TX Power: False
        .... .... .... .... .... 0... .... .... = Antenna: False
        .... .... .... .... ...0 .... .... .... = dB Antenna Signal: False
        .... .... .... .... ..0. .... .... .... = dB Antenna Noise: False
        .... .... .... .... .0.. .... .... .... = RX flags: False
        .... .... .... .0.. .... .... .... .... = Channel+: False
        .... .... .... 0... .... .... .... .... = HT information: False
        ..0. .... .... .... .... .... .... .... = Radiotap NS next: False
        .0.. .... .... .... .... .... .... .... = Vendor NS next: False
        0... .... .... .... .... .... .... .... = Ext: False
    Data Rate: 1.0 Mb/s
IEEE 802.11 Beacon frame, Flags: ........
    Type/Subtype: Beacon frame (0x08)
    Frame Control: 0x0080 (Normal)
        Version: 0
        Type: Management frame (0)
        Subtype: 8
        Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source address: 00:11:22:33:44:55 (00:11:22:33:44:55)
    BSS Id: 00:11:22:33:44:55 (00:11:22:33:44:55)
    Fragment number: 0
    Sequence number: 0
IEEE 802.11 wireless LAN management frame
    Fixed parameters (12 bytes)
        Timestamp: 0x0000000000000000
        Beacon Interval: 0.102400 [Seconds]
        Capabilities Information: 0x0001
            .... .... .... ...1 = ESS capabilities: Transmitter is an AP
            .... .... .... ..0. = IBSS status: Transmitter belongs to a BSS
            .... ..0. .... 00.. = CFP participation capabilities: No point coordinator at AP (0x0000)
            .... .... ...0 .... = Privacy: AP/STA cannot support WEP
            .... .... ..0. .... = Short Preamble: Short preamble not allowed
            .... .... .0.. .... = PBCC: PBCC modulation not allowed
            .... .... 0... .... = Channel Agility: Channel agility not in use
            .... ...0 .... .... = Spectrum Management: dot11SpectrumManagementRequired FALSE
            .... .0.. .... .... = Short Slot Time: Short slot time not in use
            .... 0... .... .... = Automatic Power Save Delivery: apsd not implemented
            ..0. .... .... .... = DSSS-OFDM: DSSS-OFDM modulation not allowed
            .0.. .... .... .... = Delayed Block Ack: delayed block ack not implemented
            0... .... .... .... = Immediate Block Ack: immediate block ack not implemented
    Tagged parameters (38 bytes)
        Tag: SSID parameter set: scapy-frame-injection
            Tag Number: SSID parameter set (0)
            Tag length: 21
            SSID: scapy-frame-injection
        Tag: Supported Rates 1(B), 2(B), 5.5, 11, [Mbit/sec]
            Tag Number: Supported Rates (1)
            Tag length: 4
            Supported Rates: 1(B) (0x82)
            Supported Rates: 2(B) (0x84)
            Supported Rates: 5.5 (0x0b)
            Supported Rates: 11 (0x16)
        Tag: DS Parameter set: Current Channel: 6
            Tag Number: DS Parameter set (3)
            Tag length: 1
            Current Channel: 6
        Tag: Traffic Indication Map (TIM): DTIM 0 of 0 bitmap
            Tag Number: Traffic Indication Map (TIM) (5)
            Tag length: 4
            DTIM count: 0
            DTIM period: 1
            Bitmap control: 0x00
                .... ...0 = Multicast: False
                0000 000. = Bitmap Offset: 0x00
            Partial Virtual Bitmap: 00
```
*1: It would be more accurate to say "the frames may actually have been received, but I could not tell with my observation methods".
*2: I previously posted a tweet along these lines, but I think 802.11 frame injection would also succeed on "BackTrack 5". At the time of the tweet, I was assuming a dependency on the BackTrack version (that is, on the bundled Scapy version).
*3: This is the output of [File] menu - [Export Packet Dissections] - [as "Plain Text" file...]. When exporting, I selected "All expanded" under [Packet details] in [Packet Format]. For publication, only "Source address" and "Bss Id" were replaced with "00:11:22:33:44:55".