
Not receiving any probe responses to probe requests sent in scapy


I'm using two Wi-Fi dongles to send probe requests on the first, and monitor the sent requests and responses on the second. I've managed to construct a packet using Scapy and am sending it via the first interface. I can see the request in Wireshark using the second interface, but even though I have at least 7 APs in reach, none of them responds to my requests.

This is my code to send the probe requests:

from scapy.all import *

ssid = "" # undirected probe, wildcard
channel = 1   # wlan1 is assumed to be in monitor mode on this channel
interface = "wlan1"
senderaddress = "34:0a:33:33:cc:ff"
dst='ff:ff:ff:ff:ff:ff'   # addr1 (DA) and addr3 (BSSID) are broadcast for an undirected probe
param = Dot11ProbeReq()
essid = Dot11Elt(ID='SSID',info=ssid)
dsset = Dot11Elt(ID='DSset',info=b'\x01')   # DS Parameter Set: channel 1 (element bodies are bytes)

probe_request= RadioTap()/Dot11(type=0,subtype=4,FCfield=0,addr1=dst,addr2=senderaddress,addr3=dst)/param/essid/dsset

sendp(probe_request, iface=interface, verbose=1)

As mentioned, I can monitor the probe requests, but don't receive any responses. Nor do most other devices in the vicinity: I'm super surprised by how many probe requests are sent and how few receive a response.

To test whether I'd receive a response when re-sending a message that had received a response before, I tried copying the bytes of a probe request some other device sent and sending that, too - it gets sent, but I still don't receive any responses. This is the code:

from scapy.all import *

interface = "wlan1"

# radiotap header (15 bytes) + 802.11 probe request header + information elements,
# copied from a capture of another device's probe request
raw_hex_bytes = b'\x00\x00\x0f\x00\x2e\x00\x00\x00\x10\x02\x7b\x09\xa0\x00\xa4\x40\x00\x00\x00\xff\xff\xff\xff\xff\xff\x72\x28\x24\x35\x00\x4d\xff\xff\xff\xff\xff\xff\x30\x9a\x00\x00\x01\x04\x02\x04\x0b\x16\x32\x08\x0c\x12\x18\x24\x30\x48\x60\x6c\x03\x01\x04\x2d\x1a\xad\x01\x13\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\xbf\x0c\x92\xf9\x91\x33\xfa\xff\x62\x03\xfa\xff\x62\x03\xdd\x07\x00\x50\xf2\x08\x00\x2a\x00\x7f\x0b\x00\x00\x0a\x02\x00\x40\x00\x00\x00\x01\x20\xff\x03\x02\x00\x07\xdd\x0a\x50\x6f\x9a\x16\x03\x01\x01\x65\x01\x01\xdd\x08\x8c\xfd\xf0\x01\x01\x02\x01\x00'

# scapy dissects the radiotap header and everything after it (Dot11 / Dot11ProbeReq / Dot11Elt)
probe_request_packet = RadioTap(raw_hex_bytes)

print("Probe Request Packet Summary:")
print(probe_request_packet.summary())

sendp(probe_request_packet, iface=interface, verbose=1)

Can anybody explain why I can't seem to receive responses? And why even a message that has previously received a response can't get one anymore?

Thank you so much in advance!


Solution

  • I found out what the problem was by tackling it in two ways - first of all, I monitored not only channel 1, but also channel 6 simultaneously. Most routers in my vicinity seemed to respond to probe requests on channel 6, so re-sending captured requests there did the trick. By taking a raw hex string like above and succinctly sending it again and again while taking off specific parts, I was able to pinpoint that what my original requests were missing were supported rates. Once I added them to my script, I received probe responses to my own requests as well.

    from scapy.all import *

    ssid = ""
    channel = 6
    interface = "wlan1"   # must be in monitor mode and tuned to `channel` (e.g. iw dev wlan1 set channel 6)
    sender = "34:0a:33:33:cc:ff"
    dest = "ff:ff:ff:ff:ff:ff"


    def send_probe_req(senderaddr, destaddr, ssid, interface, channel):
        radiotap = RadioTap()
        dot11 = Dot11(type=0, subtype=0x04, addr1=destaddr, addr2=senderaddr, addr3=destaddr)
        # rates content isn't important, it just HAS to have supported rates in the request
        # (here: 1, 2, 5.5 and 11 Mbps, each flagged as a basic rate)
        rates_content = b'\x82\x84\x8b\x96'
        rates = Dot11Elt(ID='Rates', info=rates_content)
        # element order matters: SSID first, then Supported Rates
        dot11_probe_req = Dot11ProbeReq() / Dot11Elt(ID="SSID", info=ssid)
        frame = radiotap / dot11 / dot11_probe_req / rates
        sendp(frame, iface=interface)


    send_probe_req(sender, dest, ssid, interface, channel)
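The answer's finding matches the standard: the Probe Request frame body requires an SSID element followed by a Supported Rates element, and AP software such as hostapd drops a probe request that has no Supported Rates element; hostapd also ignores a request whose DS Parameter Set names a channel other than the one the AP operates on. The following is an added example, not code from the question or the answer, and it does not need scapy: a small parser for radiotap + probe request frames, a checker that reports those two reasons for an AP to ignore a request, and a builder that can reproduce the question's original (rates-less) frame or the fixed one. The sample input is the captured frame from the question, embedded as constructed test data; note that its DS Parameter Set carries channel 4, so replaying it unchanged on channel 1 or 6 trips the channel check on its own. The channel numbers and MAC addresses are the ones used on this page.

```python
import struct

# Probe request captured by the question's author (radiotap header + 802.11 management
# header + information elements), embedded verbatim as the constructed sample input.
CAPTURED = b'\x00\x00\x0f\x00\x2e\x00\x00\x00\x10\x02\x7b\x09\xa0\x00\xa4\x40\x00\x00\x00\xff\xff\xff\xff\xff\xff\x72\x28\x24\x35\x00\x4d\xff\xff\xff\xff\xff\xff\x30\x9a\x00\x00\x01\x04\x02\x04\x0b\x16\x32\x08\x0c\x12\x18\x24\x30\x48\x60\x6c\x03\x01\x04\x2d\x1a\xad\x01\x13\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\xbf\x0c\x92\xf9\x91\x33\xfa\xff\x62\x03\xfa\xff\x62\x03\xdd\x07\x00\x50\xf2\x08\x00\x2a\x00\x7f\x0b\x00\x00\x0a\x02\x00\x40\x00\x00\x00\x01\x20\xff\x03\x02\x00\x07\xdd\x0a\x50\x6f\x9a\x16\x03\x01\x01\x65\x01\x01\xdd\x08\x8c\xfd\xf0\x01\x01\x02\x01\x00'

BROADCAST = b'\xff' * 6


def mac_str(raw):
    return ':'.join(f'{b:02x}' for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(':'))


def strip_radiotap(frame):
    """Drop the radiotap pseudo-header: version(1), pad(1), total length(2, little-endian)."""
    version, _pad, length = struct.unpack_from('<BBH', frame, 0)
    if version != 0 or length > len(frame):
        raise ValueError('bad radiotap header')
    return frame[length:]


def parse_ies(body):
    """Walk the ID/length/value information elements; flag (not raise on) a truncated one."""
    ies, off, truncated = [], 0, False
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        data = body[off + 2:off + 2 + elen]
        if len(data) < elen:
            truncated = True
            break
        ies.append((eid, data))
        off += 2 + elen
    return ies, truncated


def parse_probe_request(dot11):
    """Parse an 802.11 probe request (no radiotap): addresses, sequence number, elements."""
    if len(dot11) < 24:
        raise ValueError('frame shorter than a management header')
    fc = dot11[0]
    frame_type, subtype = (fc >> 2) & 0x3, fc >> 4
    if frame_type != 0 or subtype != 4:
        raise ValueError(f'not a probe request (type={frame_type}, subtype={subtype})')
    seq_ctrl = struct.unpack_from('<H', dot11, 22)[0]
    ies, truncated = parse_ies(dot11[24:])
    return {'da': mac_str(dot11[4:10]), 'sa': mac_str(dot11[10:16]),
            'bssid': mac_str(dot11[16:22]), 'seq': seq_ctrl >> 4,
            'ies': ies, 'truncated': truncated}


def rates_mbps(data):
    """Decode a Supported Rates body: low 7 bits in 500 kbit/s units, bit 7 marks a basic rate."""
    return [((b & 0x7f) / 2, bool(b & 0x80)) for b in data]


def check_probe_request(parsed, expected_channel=None):
    """Reasons an AP may ignore this request; the rates and DS-channel checks mirror hostapd's."""
    ids = [eid for eid, _ in parsed['ies']]
    problems = []
    if parsed['truncated']:
        problems.append('truncated information element')
    if 0 not in ids:
        problems.append('missing SSID element (ID 0)')
    elif ids[0] != 0:
        problems.append('SSID is not the first element')   # 802.11 frame body order
    if 1 not in ids:
        problems.append('missing Supported Rates element (ID 1)')
    ds = [data for eid, data in parsed['ies'] if eid == 3]
    if ds and expected_channel is not None and len(ds[0]) == 1 and ds[0][0] != expected_channel:
        problems.append(f'DS Parameter Set says channel {ds[0][0]}, frame sent on channel {expected_channel}')
    return problems


def ie(eid, data):
    return bytes([eid, len(data)]) + data


def build_probe_request(sa, ssid=b'', rates=b'\x82\x84\x8b\x96', channel=None, seq=0):
    """Radiotap + undirected probe request; rates=None reproduces the question's original frame."""
    radiotap = b'\x00\x00\x08\x00\x00\x00\x00\x00'          # minimal 8-byte header, no fields
    header = (struct.pack('<BBH', 0x40, 0, 0)                  # FC type 0 / subtype 4, flags, duration
              + BROADCAST + mac_bytes(sa) + BROADCAST          # DA, SA, BSSID (wildcard)
              + struct.pack('<H', seq << 4))                   # sequence control, fragment 0
    body = ie(0, ssid)
    if rates is not None:
        body += ie(1, rates)
    if channel is not None:
        body += ie(3, bytes([channel]))
    return radiotap + header + body


if __name__ == '__main__':
    captured = parse_probe_request(strip_radiotap(CAPTURED))
    print(captured['sa'], [eid for eid, _ in captured['ies']], check_probe_request(captured, 6))
    original = parse_probe_request(strip_radiotap(build_probe_request('34:0a:33:33:cc:ff', rates=None, channel=1)))
    print(check_probe_request(original, 1))
```

Run against a pcap, the checker is a quick way to tell which of the many unanswered probe requests in a capture were malformed and which were simply sent on a channel no AP was listening to.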