原理
根据802.11协议,发现热点使用的是广播,并且是明文,所以在混杂模式下发送beacon帧或者在接收到Probe request之后返回Probe response即可模拟一个热点,接收到Association request 或者其它请求可以不用理会,这里的目的只是生成一个假热点,不会实现连接认证等步骤
IEEE官方网站
可以在这里查看相关资料,也可以百度
beacon帧格式
WiFi的帧格式如下:
关于每个字段的意义,可以看这篇文章
beacon帧type=0,subtype=8。一个典型的beacon帧分析看这里
关于element ID,简单地,可以看这篇文章
beacon帧举例:
/*
 * Beacon template (802.11 management frame, type 0 / subtype 8, see the
 * notes above). It is a fixed byte image; send_beacon() overwrites byte 10
 * and byte 16 (first octet of Addr2/Addr3), bytes 38..65 (SSID body) and
 * byte 78 (channel field of the DS Parameter Set) before every send.
 * Offsets below are 0-based from the start of the array.
 */
uint8_t beacon_frame[]={
/* [0..1]  Frame Control: 0x80 0x00 -> management frame, subtype beacon */ 0x80 ,0x0 ,
/* [2..3]  Duration/ID */ 0x0 ,0x0 ,
/* [4..21] Addr1 = DA (broadcast ff:ff:ff:ff:ff:ff), Addr2 = SA, Addr3 = BSSID (SA and BSSID identical here) */ 0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0x8 ,0x9b ,0x4b ,0x92 ,0x3e ,0xcd ,0x8 ,0x9b ,0x4b ,0x92 ,0x3e ,0xcd ,
/* [22..23] Sequence Control (never updated between sends) */ 0x30 ,0x4f ,
/* [24..31] Timestamp, 8 bytes little-endian (static; the TSF is not advanced by this code) */ 0x80 ,0x51 ,0xcb ,0x68 ,0xd ,0x0 ,0x0 ,0x0 ,
/* [32..33] Beacon interval, 0x0064 = 100 TU */0x64 ,0x0 ,
/* [34..35] Capability Information */0x31 ,0x0 ,
/* [36..65] SSID element: ID (1 byte) - Length (1 byte) - Data (Length bytes).
 * Length is 28 and the 28 '0' characters are placeholders replaced by send_beacon(). */
0x0 ,28 ,'0','0','0','0','0','0','0','0','0','0','0','0','0','0','0',
'0','0','0','0','0','0','0','0','0','0','0','0','0',
/* [66..75] Supported Rates element (ID 0x01, 8 rates) */
0x1 ,0x8 ,0x82 ,0x84 ,0x8b ,0x96 ,0xc ,0x12 ,0x18 ,0x24 ,
/* Every element below uses the same ID-Length-Data layout as the SSID; only the ID differs. */
/* [76..78] DS Parameter Set (ID 0x03): byte 78 is the channel, patched by send_beacon() */
0x3 ,0x1 ,0xb ,
/* [79..84] TIM element (ID 0x05) */
0x5 ,0x4 ,0x1 ,0x2 ,0x0 ,0x0 ,
/* [85..87] ERP Information (ID 0x2a) */
0x2a ,0x1 ,0x0 ,
/* [88..93] Extended Supported Rates (ID 0x32) */
0x32 ,0x4 ,0x30 ,0x48 ,0x60 ,0x6c ,
/* [94..115] RSN element (ID 0x30, 20 bytes) copied from a captured WPA2 beacon */
0x30 ,0x14 ,0x1 ,0x0 ,0x0 ,0xf ,0xac ,0x4 ,0x1 ,0x0 ,0x0 ,0xf ,0xac ,0x4 ,0x1 ,0x0 ,0x0 ,0xf ,0xac ,0x2 ,0xc ,0x0 ,
/* [116..] HT Capabilities (ID 0x2d) declaring 0x1a = 26 data bytes; the bytes past
 * that declared length do not form a complete element and look like capture
 * padding -- TODO confirm against the original capture. */
0x2d ,0x1a ,0xed ,0x11 ,0x1b ,0xff ,0xff ,0x0 ,0x0 ,0x0 ,0x0 ,0x0 ,0x0 ,0x0 ,0x0 ,0x0 ,0x0 ,0x1 ,0x1 ,0x0 ,0xba ,0x0,
0xa5, 0x10 ,0xf2 ,0x50 ,0x0 ,0x0 ,0x0 ,0x0 ,0x0 };
为保证所有的beacon帧都能被识别成一个热点,源mac地址应都不一样,最好信道也不一样,经测试,很多手机会过滤mac相同的beacon,只显示其中一个热点
实现
esp8266
8266支持混杂模式,在这个模式下可以接收和发送底层数据(有一定限制)。在station模式下进入混杂模式,发送WiFi beacon帧
注意:不能连接任何WiFi,需先调用wifi_station_disconnect();断开连接,避免自动连接上WiFi
每次发送要确保上一次已经发送完毕了(发送回调函数调用后)再发送
/* Four SSIDs, one per slot of send_beacon(). Each string is 9 CJK characters;
 * assuming the source file is saved as UTF-8 that is 3 bytes per character
 * (27 bytes) plus the terminating '\0', which exactly fills the 28-byte row.
 * send_beacon() copies all 28 bytes into the SSID element (whose length byte
 * is 28), so the trailing '\0' is transmitted as part of the SSID. */
uint8_t ssids[4][28]={{"一、泉眼无声惜细流"},{"二、树阴照水爱晴柔"},{"三、小荷才露尖尖角"},{"四、早有蜻蜓立上头"}};
/*
 * Patch the beacon template for the next SSID slot and hand it to the SDK.
 *
 * A static slot index cycles 0..3 across calls. For slot s the channel is
 * s+5 (5..8), the first octet of Addr2 (SA) and Addr3 (BSSID) becomes s+1,
 * and ssids[s] (28 bytes, including its '\0') is copied into the SSID body.
 * Uses the file-scope beacon_frame[] and ssids[][] and the ESP8266 non-OS
 * SDK calls wifi_set_channel, os_memcpy, wifi_send_pkt_freedom, os_printf.
 * The %d/sizeof mismatch in the log call is kept as in the original.
 */
void send_beacon()
{
    static int slot = 0;
    int channel = slot + 5;                /* channels 5..8 */
    uint8_t addr_first_octet = slot + 1;   /* 1..4 */

    wifi_set_channel(channel);

    /* byte 10: first octet of Addr2 (SA); byte 16: first octet of Addr3 (BSSID) */
    beacon_frame[10] = addr_first_octet;
    beacon_frame[16] = addr_first_octet;

    /* bytes 38..65: SSID body (element length byte is 28) */
    os_memcpy(beacon_frame + 38, ssids[slot], 28);

    /* byte 78: channel field of the DS Parameter Set element, kept equal to the radio channel */
    beacon_frame[78] = channel;

    wifi_send_pkt_freedom(beacon_frame, sizeof(beacon_frame), 0);
    os_printf("send %d bytes data,ssid:%s\n", sizeof(beacon_frame), ssids[slot]);

    slot = (slot + 1) % 4;
}
/*
 * SDK transmit-complete callback, registered with
 * wifi_register_send_pkt_freedom_cb(). status == 0 reports a successful send.
 *
 * The next beacon is always queued from here, regardless of status, so sends
 * never overlap (the SDK requires the previous packet to finish first, see the
 * note above). A consequence worth knowing: if the SDK keeps reporting failure
 * the loop keeps retrying with no back-off.
 */
void on_reedom_pkg_sent(uint8 status)
{
    const int sent_ok = (status == 0);

    if (sent_ok) {
        os_printf("send beacon success\n");
    }

    send_beacon();
}
/* Bring-up sequence (presumably the body of user_init(); the enclosing function
 * is not shown). The order is deliberate: sniffing is switched off, the station
 * is disconnected so the SDK cannot auto-reconnect, and only then is promiscuous
 * mode enabled and the transmit loop started. */
wifi_set_opmode(STATION_MODE);                              /* promiscuous mode is entered from station mode on the 8266 */
wifi_promiscuous_enable(0);                                 /* make sure sniffing is off before reconfiguring */
wifi_station_disconnect();                                  /* drop any association; see the note above about auto-connect */
wifi_set_promiscuous_rx_cb(on_wifi_promiscuous_received);   /* rx callback; its definition is not part of this page */
wifi_promiscuous_enable(1);                                 /* from here raw frames can be received and sent */
wifi_register_send_pkt_freedom_cb(on_reedom_pkg_sent);     /* tx-complete callback that chains the next send_beacon() */
send_beacon();                                              /* first transmission; all later ones come from the callback */
linux
只需网卡及驱动支持混杂模式即可,原理相同
附录
esp8266混杂模式接收到的部分原始数据
接收到的数据先用十六进制输出,然后用ASCII码输出
a6 10 15 51 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff b8 55 10 6 88 f b8 55 10 6 88 f e0 25 ac 3 33 7e 52 1 0 0 64 0 11 4 0 f 54 4f 54 4f 4c 49 4e 4b 5f 30 36 38 38 30 46 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 1 0 0 2a 1 4 32 4 30 48 60 6c 2d 1a 6e 18 1e ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 1 0 15 1
�Q��������U��U��%�3~RdTOTOLINK_06880����$
*20H`l-n�=
b2 4b 1e 50 a 6a 0 7 40 0 b 0
�KP
j@
a2 10 66 50 0 0 0 0 e2 0 0 0 8 42 0 0 ff ff ff ff ff ff bc d1 77 f ac 7c 0 e0 4c 4f 83 87 20 11 3 23 63 60 0 7 79 7a 70 31 32 30 1 0 66 0 20 11 0 e0 4c 4f 83 87
�fPB��������w�|�LO�� #c`yzp120f �LO��
b3 4b b7 50 a 4c 4 7 40 0 b 0
�K�P
L@
bb 10 c3 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 16 cf 92 37 bd a2 16 cf 92 37 bd a2 70 ed 80 b5 ed 73 52 1 0 0 64 0 31 4 0 7 70 72 69 6e 74 65 72 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 1 2 0 0 7 6 30 30 20 1 b 14 2a 1 0 32 4 30 48 60 6c 30 14 1 0 0 f ac 4 1 0 0 f ac 4 1 0 0 f ac 2 c 0 2d 1a 6c 11 1b ff 0 0 0 1 0 c3 0
��P�������ϒ7��ϒ7��p퀵�sRd1printe����$
00
*20H`l0���-l��
ab 0 4 51 0 0 0 0 0 0 0 0 50 0 3a 1 e8 b4 c8 ad e2 47 b8 55 10 69 aa 82 b8 55 10 69 aa 82 20 61 2b 5e bc f6 28 3 0 0 64 0 11 4 0 4 31 30 31 31 1 8 82 84 8b 96 c 12 18 24 3 1 b 2a 1 0 32 4 30 48 60 6c 2d 1a 6e 18 1e ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 4 1
�QP:�ȭ�G�Ui���Ui�� a+^��(d101����$
*20H`l-n��=
a8 4b 12 50 85 7e 0 6 40 0 b 0
�KP�~@
ac 10 a 51 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff b8 55 10 69 aa 82 b8 55 10 69 aa 82 30 61 73 21 bd f6 28 3 0 0 64 0 11 4 0 4 31 30 31 31 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 1 0 0 2a 1 4 32 4 30 48 60 6c 2d 1a 6e 18 1e ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 7 0 0 0 0 0 0 0 0 0 0 1 0 a 1
�
Q��������Ui���Ui��0as!��(d101����$
*20H`l-n��=
a7 4b 12 50 85 70 0 6 40 0 b 0
�KP�p@
a3 10 2d 51 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff a8 ad 3d c1 32 14 a8 ad 3d c1 32 14 40 94 76 51 92 ff 2a 2 0 0 64 0 11 4 0 d 43 68 69 6e 61 4e 65 74 2d 4e 72 48 4b 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 1 0 0 2a 1 4 32 4 30 48 60 6c 2d 1a 2c 18 1e ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 0 0 1 0 2d 1
�-Q���������=�2��=�2@�vQ��*dChinaNet-NrH����$
*20H`l-,��=
-
b7 4b 99 50 7 fe 5 16 e2 0 0 0 88 42 2c 0 28 b2 bd 43 61 38 8 9b 4b 92 3e cd 0 1a 20 e0 2 ee 0 6b 0 0 2c 67 0 20 0 0 12 88 43 35 1 0 fe 5 0 6b 0 1a 20 e0 2 ee
�K�P���B,(��Ca�K�>� ��k,g �C5�k ��
b2 4b 18 50 b 5e 0 7 40 0 b 0
�KP
^@
9e 10 d7 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 24 69 68 c3 6a ee 24 69 68 c3 6a ee 30 8 7 9 9 af 51 0 0 0 64 0 31 4 0 b 4c 61 6f 43 68 61 6e 67 53 68 61 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 7 0 1 0 0 0 0 0 2a 1 0 32 4 30 48 60 6c 2d 1a 6e 10 3 ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 7 1 0 d7 0
��P�������$ih�j�$ih�j�0 �Qd1
LaoChangSh����$
*20H`l-n��=
�
a6 4b 12 50 87 74 0 1f c3 0 b 0
�KP�t�
a7 10 15 51 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff b8 55 10 6 88 f b8 55 10 6 88 f 20 26 e6 41 39 7e 52 1 0 0 64 0 11 4 0 f 54 4f 54 4f 4c 49 4e 4b 5f 30 36 38 38 30 46 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 1 0 0 2a 1 4 32 4 30 48 60 6c 2d 1a 6e 18 1e ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 1 0 15 1
�Q��������U��U� &�A9~RdTOTOLINK_06880����$
*20H`l-n�=
bc 10 c3 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 16 cf 92 37 bd a2 16 cf 92 37 bd a2 a0 ed 81 65 f2 73 52 1 0 0 64 0 31 4 0 7 70 72 69 6e 74 65 72 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 2 0 0 7 6 30 30 20 1 b 14 2a 1 0 32 4 30 48 60 6c 30 14 1 0 0 f ac 4 1 0 0 f ac 4 1 0 0 f ac 2 c 0 2d 1a 6c 11 1b ff 0 0 0 1 0 c3 0
��P�������ϒ7��ϒ7����e�sRd1printe����$
00
*20H`l0���-l��
a0 10 d7 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 24 69 68 c3 6a ee 24 69 68 c3 6a ee 40 8 8 99 a af 51 0 0 0 64 0 31 4 0 b 4c 61 6f 43 68 61 6e 67 53 68 61 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 7 0 1 0 0 0 0 0 2a 1 0 32 4 30 48 60 6c 2d 1a 6e 10 3 ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 7 1 0 d7 0
��P�������$ih�j�$ih�j�@
�Qd1
LaoChangSh����$
*20H`l-n��=
�
aa 4b 12 50 85 8c 0 6 40 0 b 0
�KP��@
ad 10 a 51 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff b8 55 10 69 aa 82 b8 55 10 69 aa 82 60 61 73 d1 c1 f6 28 3 0 0 64 0 11 4 0 4 31 30 31 31 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 1 0 0 2a 1 4 32 4 30 48 60 6c 2d 1a 6e 18 1e ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 7 0 0 0 0 0 0 0 0 0 0 1 0 a 1
�
Q��������Ui���Ui��`as���(d101����$
*20H`l-n��=
be 10 c3 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 16 cf 92 37 bd a2 16 cf 92 37 bd a2 b0 ed 80 f5 f3 73 52 1 0 0 64 0 31 4 0 7 70 72 69 6e 74 65 72 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 1 2 0 0 7 6 30 30 20 1 b 14 2a 1 0 32 4 30 48 60 6c 30 14 1 0 0 f ac 4 1 0 0 f ac 4 1 0 0 f ac 2 c 0 2d 1a 6c 11 1b ff 0 0 0 1 0 c3 0
��P�������ϒ7��ϒ7������sRd1printe����$
00
*20H`l0���-l��
a7 4b 2a 50 87 55 2 1f c3 0 b 0
�K*P�U�
b5 10 ba 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 8 9b 4b 92 3e cd 8 9b 4b 92 3e cd 10 72 a 64 67 10 b 0 0 0 64 0 31 0 0 6 76 61 6e 6b 69 61 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 1 2 0 0 2a 1 0 32 4 30 48 60 6c 30 14 1 0 0 f ac 4 1 0 0 f ac 4 1 0 0 f ac 2 c 0 2d 1a ed 11 1b ff ff 0 0 0 0 0 0 0 0 0 0 1 1 0 ba 0
��P�������K�>�K�>�r
dg
d1vanki����$
*20H`l0���-����
b7 4b 99 50 7 f8 5 16 e2 0 0 0 88 42 2c 0 28 b2 bd 43 61 38 8 9b 4b 92 3e cd 0 1a 20 e0 2 ee 50 6b 0 0 31 67 0 20 0 0 64 0 31 0 1 0 f8 5 50 6b 0 1a 20 e0 2 ee
�K�P���B,(��Ca�K�>� ��Pk1g d1�Pk ��
ab 4b 12 50 85 86 0 6 40 0 b 0
�KP��@
b2 4b 18 50 b 5e 0 7 40 0 b 0
�KP
^@
b8 9 1e 50 0 0 0 0 0 0 0 0 c8 11 2c 0 8 9b 4b 92 3e cd 78 4f 43 67 9f e9 8 9b 4b 92 3e cd 50 bb 6 0 0 0 f5 db 51 a0 0 a8 6f ae 1 0 1e 0 50 bb 8 9b 4b 92 3e cd
� P��K�>�xOCg��K�>�P���Q��o�P�K�>�
ac 10 a 51 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff b8 55 10 69 aa 82 b8 55 10 69 aa 82 70 61 73 61 c3 f6 28 3 0 0 64 0 11 4 0 4 31 30 31 31 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 1 0 0 2a 1 4 32 4 30 48 60 6c 2d 1a 6e 18 1e ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 7 0 0 0 0 0 0 0 0 0 0 1 0 a 1
�
Q��������Ui���Ui��pasa��(d101����$
*20H`l-n��=
aa 4b 12 50 85 8b 0 6 40 0 b 0
�KP��@
a9 4b 12 50 85 7c 0 6 40 0 b 0
�KP�|@
b3 10 ba 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 8 9b 4b 92 3e cd 8 9b 4b 92 3e cd 20 72 74 8 69 10 b 0 0 0 64 0 31 0 0 6 76 61 6e 6b 69 61 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 2 0 0 2a 1 0 32 4 30 48 60 6c 30 14 1 0 0 f ac 4 1 0 0 f ac 4 1 0 0 f ac 2 c 0 2d 1a ed 11 1b ff ff 0 0 0 0 0 0 0 0 0 0 1 1 0 ba 0
��P�������K�>�K�>� ri
d1vanki����$
*20H`l0���-����
a4 10 d8 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 28 2c b2 80 a2 6 28 2c b2 80 a2 6 50 3b 80 e9 b1 76 52 1 0 0 64 0 31 4 0 c 63 68 69 70 72 69 73 65 30 30 30 31 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 7 0 1 1 0 0 0 0 2a 1 0 32 4 30 48 60 6c 2d 1a 6e 10 3 ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 1 0 d8 0
��P�������(,���(,���P;��vRd1chiprise000����$
*20H`l-n��=
�
a9 10 15 51 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff b8 55 10 6 88 f b8 55 10 6 88 f 50 26 24 f2 3d 7e 52 1 0 0 64 0 11 4 0 f 54 4f 54 4f 4c 49 4e 4b 5f 30 36 38 38 30 46 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 0 1 0 0 2a 1 4 32 4 30 48 60 6c 2d 1a 6e 18 1e ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3d 16 b 1 0 15 1
�Q��������U��U�P&$�=~RdTOTOLINK_06880����$
*20H`l-n�=
c4 10 c3 50 0 0 0 0 0 0 0 0 80 0 0 0 ff ff ff ff ff ff 16 cf 92 37 bd a2 16 cf 92 37 bd a2 d0 ed 81 15 f7 73 52 1 0 0 64 0 31 4 0 7 70 72 69 6e 74 65 72 1 8 82 84 8b 96 c 12 18 24 3 1 b 5 4 1 2 0 0 7 6 30 30 20 1 b 14 2a 1 0 32 4 30 48 60 6c 30 14 1 0 0 f ac 4 1 0 0 f ac 4 1 0 0 f ac 2 c 0 2d 1a 6c 11 1b ff 0 0 0 1 0 c3 0
��P�������ϒ7��ϒ7�����sRd1printe����$
00
*20H`l0���-l��
bb 9 1e 50 0 0 0 0 0 0 0 0 c8 1 2c 0 8 9b 4b 92 3e cd 78 4f 43 67 9f e9 8 9b 4b 92 3e cd 60 bb 6 0 0 0 6 0 0 0 64 0 11 4 1 0 1e 0 60 bb 8 9b 4b 92 3e cd
� P��K�>�xOCg��K�>�`�d`�K�>�