Create WLAN SSID Sniffer Using Python Socket Module

Posted by Suraj Singh on July 19, 2017 · 17 mins read
Hi readers,

Today, in this post, I am going to show you how to create a WLAN SSID sniffing script using Python and the socket module.
If you are a new visitor to my blog, I suggest you take a look at my blog index for my previous posts.
So, let's focus on our main topic.

To create a WLAN SSID sniffer script with the socket module, we first need to understand the basic structure of 802.11 frames and how they are captured. To clear up the common questions, I am writing the important points in question-and-answer form.

Q 1. What is a beacon frame?

Ans. Check this previous post: Beacon Frame, IEEE 802.11

Q 2. What is monitor mode?

Ans. Check this previous post: 2-Easiest Way To Enable Wireless Lan Monitor Mode.

Q 3. What are we going to do?

Ans. First, we will put our wireless LAN interface into monitor mode so that it captures all frames on the air. Then we will use the Python socket module to read every packet from the WLAN interface, and after that we will filter the useful frames out of those packets to find the information we need. Here, "useful frames" means the RadioTap header and the beacon frame. As I already described in the previous post Beacon Frame, IEEE 802.11, a beacon frame carries a lot of important information about a wireless access point. So, in simple words, we will find and filter the beacon frames out of all captured packets and extract the access point information from them.

So, let's move ahead and try to understand the code. Here is my code:

1. ap_socket.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# +++++++++++++++++++++++++++++++++++++++++
#
# WLAN BEACON FRAME EXTRACTOR
# +++++++++++++++++++++++++++++++++++++++++
#
#
# Author :
# surajsinghbisht054@gmail.com
# http://www.bitforestinfo.com
# github.com/surajsinghbisht054
#
#
# This Script Is Created For Educational And Practise Purpose Only
#
#
# import module
import socket
import struct

# create Socket (protocol 0x0003 = ETH_P_ALL, so every frame is delivered)
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))

# bind with monitor mode interface
s.bind(('mon0', 0x0003))


# function for formating mac addresses (12 hex chars -> AA:BB:CC:DD:EE:FF)
def addr(s):
    return "{}{}:{}{}:{}{}:{}{}:{}{}:{}{}".format(*s.upper())

# Founded Access Point List
ap_list = []


# loop
while True:
    # Sniff Packet and get packet from list
    pkt = s.recvfrom(2048)[0]

    # Check RadioTap Header Frame In Packet
    # (bytes 2-3 hold the RadioTap header length; b'$\x00' is 0x0024,
    #  so only packets with a 36-byte RadioTap header pass this check)
    if pkt[2:4] == b'$\x00':

        # Get Total Length Of RadioTap Header Packet Bytes (little-endian unsigned)
        len_of_header = struct.unpack('<H', pkt[2:4])[0]

        # Extract RadioTap Header
        radio_tap_header_frame = pkt[:len_of_header].hex()

        # Now, assume that next frame from radiotap is Beacon Frame
        beacon_frame = pkt[len_of_header:len_of_header+24].hex()

        # Frame Type
        f_type = beacon_frame[:2]

        # Extract Addr1
        addr1 = beacon_frame[8:20]

        # Extract Addr2
        addr2 = beacon_frame[20:32]

        # Extract Addr3
        addr3 = beacon_frame[32:44]

        # Try To Extract SSID if present
        # (the SSID element follows the 24-byte MAC header and 12 bytes of
        #  fixed beacon parameters: byte 73 is its length, text starts at 74)
        try:
            len_of_ssid = pkt[73]
            ssid = pkt[74:74+len_of_ssid].decode('utf-8', 'replace')
        except IndexError:
            ssid = "Unknown"

        # Verify that extract frame is a beacon frame and not printed yet
        if addr2 not in ap_list and f_type == '80':

            # append addr2 in ap_list
            ap_list.append(addr2)

            # Print Info
            print("""
++++++++++ [ Beacon Frame ] ++++++++++++++++++++

Frame Type : {}
SSID : {}
Receiver : {}
Transmitter : {}
Source : {}


""".format(f_type, # Frame Type
           ssid, # SSID
           addr(addr1), # Addr1
           addr(addr2), # Addr2
           addr(addr3) # Addr3
           ))

To run this code on your system, first you need to put your wireless interface into monitor mode (the script binds to the interface named mon0). For more info about monitor mode check here: 2-Easiest Way To Enable Wireless Lan Monitor Mode.
Then, type on the terminal:

 sudo python ap_socket.py 


My Output:

aya@bitforestinfo:~$ sudo python ap_socket.py 

++++++++++ [ Beacon Frame ] ++++++++++++++++++++

Frame Type : 80
SSID : E*****e
Receiver : FF:FF:FF:FF:FF:FF
Transmitter : C8:**:**:**:**:5B
Source : C8:**:**:**:**:5B

Now, let me explain this Python code in a simple way by dividing it into small parts, each with an explanation.


Code Part 1.

Import the socket and struct modules.


#
# import module
import socket
import struct



Code Part 2.

Here, the first statement creates a RAW packet socket (AF_PACKET with protocol 0x0003, ETH_P_ALL, so every frame is delivered), and the second statement binds that RAW socket to the monitor-mode interface.


# create Socket
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))

# bind with monitor mode interface
s.bind(('mon0', 0x0003))



Code Part 3.

The addr(s) function only formats the provided MAC address (12 hex characters) in the standard colon-separated way.
For example:

Input ------> addr('ffffffffffff')
Output ---------------------> FF:FF:FF:FF:FF:FF



# function for formating mac addresses
def addr(s):
    return "{}{}:{}{}:{}{}:{}{}:{}{}:{}{}".format(*s.upper())

# Founded Access Point List
ap_list = []



Code Part 4.

Here, the pkt = s.recvfrom(2048)[0] statement captures a packet from the WLAN interface. Then the if pkt[2:4] == b'$\x00': statement checks for the RadioTap header: bytes 2 and 3 of a RadioTap header hold its length, and '$\x00' is 0x0024, so only packets whose RadioTap header is exactly 36 bytes long pass this check. After finding RadioTap, the len_of_header = struct.unpack('<H', pkt[2:4])[0] statement reads that length as a little-endian unsigned short, and radio_tap_header_frame = pkt[:len_of_header].hex() extracts the RadioTap header from the captured packet as a hex string.


# loop
while True:
    # Sniff Packet and get packet from list
    pkt = s.recvfrom(2048)[0]

    # Check RadioTap Header Frame In Packet (header length bytes == 0x0024)
    if pkt[2:4] == b'$\x00':

        # Get Total Length Of RadioTap Header Packet Bytes (little-endian unsigned)
        len_of_header = struct.unpack('<H', pkt[2:4])[0]

        # Extract RadioTap Header
        radio_tap_header_frame = pkt[:len_of_header].hex()



Code Part 5.

In this part, all the statements extract information from the beacon frame.

Extract the 24-byte 802.11 header that follows RadioTap (assumed to be a beacon frame) as hex:
    beacon_frame = pkt[len_of_header:len_of_header+24].hex()

Extract the frame type/subtype byte:
    f_type = beacon_frame[:2]

Extract the receiver MAC address (addr1):
    addr1 = beacon_frame[8:20]

Extract the transmitter MAC address (addr2):
    addr2 = beacon_frame[20:32]

Extract the source MAC address (addr3):
    addr3 = beacon_frame[32:44]

Extract the SSID from the frame (the SSID element follows the 24-byte header and 12 bytes of fixed beacon parameters, so with a 36-byte RadioTap header its length byte is at offset 73 and its text starts at offset 74):
    ssid = pkt[74:74+len_of_ssid]

        # Now, assume that next frame from radiotap is Beacon Frame
        beacon_frame = pkt[len_of_header:len_of_header+24].hex()

        # Frame Type
        f_type = beacon_frame[:2]

        # Extract Addr1
        addr1 = beacon_frame[8:20]

        # Extract Addr2
        addr2 = beacon_frame[20:32]

        # Extract Addr3
        addr3 = beacon_frame[32:44]

        # Try To Extract SSID if present
        try:
            len_of_ssid = pkt[73]
            ssid = pkt[74:74+len_of_ssid].decode('utf-8', 'replace')
        except IndexError:
            ssid = "Unknown"



Code Part 6.

And at the end, in this part, the if addr2 not in ap_list and f_type == '80': statement verifies that the frame is a beacon frame (frame control byte 0x80: management type, beacon subtype) and also makes sure the same transmitter address is not printed again.



        # Verify that extract frame is a beacon frame and not printed yet
        if addr2 not in ap_list and f_type == '80':

            # append addr2 in ap_list
            ap_list.append(addr2)

            # Print Info
            print("""
++++++++++ [ Beacon Frame ] ++++++++++++++++++++

Frame Type : {}
SSID : {}
Receiver : {}
Transmitter : {}
Source : {}


""".format(f_type, # Frame Type
           ssid, # SSID
           addr(addr1), # Addr1
           addr(addr2), # Addr2
           addr(addr3) # Addr3
           ))
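As an added example (not the post's own code), here is a Python 3 parser that generalizes Code Parts 4 to 6: it takes the RadioTap length from bytes 2 and 3 instead of requiring it to be exactly 36, checks the type and subtype bits of the frame control byte, and walks the tagged parameters to find the SSID element (ID 0) rather than reading a fixed offset, so a hidden SSID (zero-length element) and a truncated frame are handled. The sample frame is constructed for the example, not captured.

```python
import struct

# Constructed sample, not a real capture: a 36-byte radiotap header (version 0,
# length 0x0024 little-endian) followed by a beacon advertising SSID "TestNet".
SAMPLE_RADIOTAP = bytes([0x00, 0x00, 0x24, 0x00]) + bytes(32)
SAMPLE_BEACON = (
    bytes([0x80, 0x00])                 # frame control: mgmt type 0, subtype 8 (beacon)
    + bytes([0x00, 0x00])               # duration
    + bytes.fromhex("ffffffffffff")     # addr1: receiver (broadcast)
    + bytes.fromhex("c8aabbccdd5b")     # addr2: transmitter (made-up address)
    + bytes.fromhex("c8aabbccdd5b")     # addr3: BSSID
    + bytes([0x10, 0x00])               # sequence control
    + bytes(8) + bytes([0x64, 0x00]) + bytes([0x11, 0x04])  # timestamp, interval, capabilities
    + bytes([0x00, 7]) + b"TestNet"     # tagged parameter: SSID element (ID 0)
    + bytes([0x01, 1, 0x82])            # tagged parameter: supported rates
)
SAMPLE_PKT = SAMPLE_RADIOTAP + SAMPLE_BEACON


def mac(raw):
    """Format 6 raw bytes as AA:BB:CC:DD:EE:FF."""
    return ":".join("%02X" % b for b in raw)


def parse_beacon(pkt):
    """Return receiver/transmitter/BSSID/SSID for a beacon frame, or None otherwise."""
    if len(pkt) < 4 or pkt[0] != 0:                 # radiotap version is always 0
        return None
    rt_len = struct.unpack_from("<H", pkt, 2)[0]    # header length, little-endian
    hdr = pkt[rt_len:rt_len + 24]                   # 802.11 MAC header
    if len(hdr) < 24:
        return None
    fc = hdr[0]
    if (fc & 0x0C) != 0x00 or (fc >> 4) != 0x08:    # type management, subtype beacon
        return None
    info = {"receiver": mac(hdr[4:10]), "transmitter": mac(hdr[10:16]),
            "bssid": mac(hdr[16:22]), "ssid": None}
    pos = rt_len + 24 + 12      # skip timestamp(8), beacon interval(2), capabilities(2)
    while pos + 2 <= len(pkt):  # walk tagged parameters: [id][len][body]
        eid, elen = pkt[pos], pkt[pos + 1]
        body = pkt[pos + 2:pos + 2 + elen]
        if len(body) < elen:    # element runs past the frame: stop, don't trust it
            break
        if eid == 0:
            info["ssid"] = body.decode("utf-8", "replace") if elen else "<hidden>"
            break
        pos += 2 + elen
    return info
```

Binding this to a raw AF_PACKET socket as in Code Part 2 and calling parse_beacon on each received packet gives the same output as the script above, without depending on the 36-byte header.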


Done!

You can also download the raw code from here.