How to Build a WiFi Scanner in Python using Scapy

Building a Wi-Fi scanner in Python using Scapy that finds and displays available nearby wireless networks and their MAC address, dBm signal, channel and encryption type.
Abdou Rockikz · 6 min read · Updated mar 2020 · Ethical Hacking · Packet Manipulation Using Scapy


Have you ever wanted to build a tool to display nearby wireless networks along with their MAC address and some other useful information ? Well, in this tutorial, we are going to build a Wi-Fi scanner using Scapy library in Python.

If you're on this field for a while, you might have seen airodump-ng utility that sniff, capture and decode 802.11 frames to display nearby wireless networks in a nice format, in this tutorial, we will do a similar one.

Getting Started

To get started, you need to install Scapy, I have cloned the developement version, you can also install it using pip:

pip3 install scapy

Or you can clone the current developement version in Github:

git clone https://github.com/secdev/scapy.git
cd scapy
sudo python setup.py install

Note: This tutorial assumes you are using any Unix-based environment, it is also suggested you use Kali Linux.

After that, we gonna use pandas just for printing in a nice format (you can change that obviously):

pip3 install pandas

Now the code of this tutorial won't work if you do not enable monitor mode in your network interface, please install aircrack-ng (comes pre-installed on Kali) and run the following command:

Enabling Monitor Mode using airmon-ng

Now you can check your interface name using iwconfig:

Checking interface name using iwconfig

As you can see, our interface is now in monitor mode and has the name of "wlan0mon".

You can also use iwconfig itself to change your network card into monitor mode:

sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor

Writing the Code

Let's get started, open up a new Python file and import the necessary modules:

from scapy.all import *
from threading import Thread
import pandas
import time
import os

Next, we need to initialize an empty data frame that stores our networks:

# initialize the networks dataframe that will contain all access points nearby
networks = pandas.DataFrame(columns=["BSSID", "SSID", "dBm_Signal", "Channel", "Crypto"])
# set the index BSSID (MAC address of the AP)
networks.set_index("BSSID", inplace=True)

So I've set the BSSID (MAC address of the access point) as the index of each row, as it is unique for every device.

If you're familiar with Scapy, then you know for sure that we are going to use the sniff() function, which takes the callback function that is executed whenever a packet is sniffed, let's implement this function:

def callback(packet):
    if packet.haslayer(Dot11Beacon):
        # extract the MAC address of the network
        bssid = packet[Dot11].addr2
        # get the name of it
        ssid = packet[Dot11Elt].info.decode()
        try:
            dbm_signal = packet.dBm_AntSignal
        except:
            dbm_signal = "N/A"
        # extract network stats
        stats = packet[Dot11Beacon].network_stats()
        # get the channel of the AP
        channel = stats.get("channel")
        # get the crypto
        crypto = stats.get("crypto")
        networks.loc[bssid] = (ssid, dbm_signal, channel, crypto)

This callback makes sure that the sniffed packet has a beacon layer on it, if it is the case, then it will extract the BSSID, SSID (name of access point), signal and some stats. the Scapy's Dot11Beacon class has the awesome network_stats() function that extracts some useful information from the network, such as the channel, rates and the encryption type. Finally, we add these information to the dataframe with the BSSID as the index.

You will encounter some networks that doesn't have the SSID (ssid equals to ""), this is an indicator that it's a hidden network. In hidden networks, the access point leaves the info field blank to hide the discovery of the network name, you will still find them using this tutorial's script, but without a network name.

Now we need a way to visualize this dataframe. Since we're going to use sniff() function (which blocks and start sniffing in the main thread), we need to use a separate thread to print the content of networks dataframe, the below code does that:

def print_all():
    while True:
        os.system("clear")
        print(networks)
        time.sleep(0.5)

To the main code now:

if __name__ == "__main__":
    # interface name, check using iwconfig
    interface = "wlan0mon"
    # start the thread that prints all the networks
    printer = Thread(target=print_all)
    printer.daemon = True
    printer.start()
    # start sniffing
    sniff(prn=callback, iface=interface)

Changing Channels

Now if you execute this, you will notice not all nearby networks are available, that's because we're listening on one WLAN channel only. We can use the iwconfig command to change the channel, here is the Python function for it:

def change_channel():
    ch = 1
    while True:
        os.system(f"iwconfig {interface} channel {ch}")
        # switch channel from 1 to 14 each 0.5s
        ch = ch % 14 + 1
        time.sleep(0.5)

For instance, if you want to change to channel 2, the command would be:

iwconfig wlan0mon channel 2

Great, so this will change channels incrementally from 1 to 14 every 0.5 seconds, spawning the thread that runs this function:

    # start the channel changer
    channel_changer = Thread(target=change_channel)
    channel_changer.daemon = True
    channel_changer.start()

Note: Channels 12 and 13 are allowed in low-power mode, while channel 14 is banned and only allowed in Japan.

Check the full code here.

Here is a screenshot of my execution:

Example execution of Wi-Fi Scanner using Scapy in Python

Conclusion

Alright, in this tutorial, we wrote a simple Wi-Fi scanner using Scapy library that sniffs and decode beacon frames which are transmitted every time by access points, they serve to announce the presence of a wireless network.

Learn alsoHow to Create Fake Access Points using Scapy in Python.

Happy Sniffing ♥

View Full Code
Sharing is caring!



Read Also





Comment panel

   
Comment system is still in Beta, if you find any bug, please consider contacting us here.