def generator(self, ip_dst, n_generations, n_packets, selected_layer):
# Select the final layer for randomize
if selected_layer == "UDP":
layer = UDP()
elif selected_layer == "TCP":
layer = TCP()
else:
layer = ICMP()
for i in range(n_generations):
print('Generating packets. (%s of %s)\n' % (i + 1, n_generations))
pkts_send = [
fuzz(IP(dst=ip_dst, src=RandIP())) / fuzz(layer) /
str(RandString()) for j in range(n_packets)
]
self.send_pkts(pkts_send)
def fuzz(self, target):
for fc in self.frame_combos:
p = fc[0] # base packet
if p is not None:
p = p(addr1=target) # dot11 packet
for fp in fc[1:]:
p /= fuzz(fp())
print(p.show())
self.f_send(p)
def write_data(addr):
try:
data = raw_input("Enter data to be written: ")
packet = fuzz(L2CAP_Hdr(data))
srbt1(addr, packet, 0)
except Exception as e:
print("\n[!] Error: ")
print(e)
print('')
def main():
random.seed(args.seed)
patterns = []
for i in xrange(args.patterns):
transport = random.choice([UDP, TCP])
dst, src = get_rand_mac(), get_rand_mac()
# cannot use fuzz() for Ethernet, or scapy tries to resolve the MAC
# addresses based on the IP addresses
p = Ether(dst=dst, src=src) / fuzz(IP()) / fuzz(transport())
payload = "a" * (args.psize - len(p))
p = p / payload
patterns.append(p)
packets = []
for i in xrange(args.packets):
p = random.choice(patterns)
packets.append(p)
with open(args.out, 'w') as f:
f.write("{} {}\n".format(args.packets, args.psize))
for p in packets:
f.write(str(p))
def main():
random.seed(args.seed)
patterns = []
for i in range(args.patterns):
transport = random.choice([UDP, TCP])
dst, src = get_rand_mac(), get_rand_mac()
# cannot use fuzz() for Ethernet, or scapy tries to resolve the MAC
# addresses based on the IP addresses
p = Ether(dst=dst, src=src) / fuzz(IP()) / fuzz(transport())
payload = "a" * (args.psize - len(p))
p = p / payload
patterns.append(p)
packets = []
for i in range(args.packets):
p = random.choice(patterns)
packets.append(p)
with open(args.out, 'w') as f:
f.write("{} {}\n".format(args.packets, args.psize))
for p in packets:
f.write(str(p))
def gen_flags(self, field):
"""
Generates random valid flags.
"""
sample = fuzz(self.protocol())
# Since scapy lazily evaluates fuzzing, we first must set a
# legitimate value for scapy to evaluate what combination of flags it is
sample.flags = sample.flags
return str(sample.flags)
def run_scapy(target, test_type, max_packets, return_packets, fuzz):
packet_type = scapy.ICMP()
if fuzz:
packet_type = scapy.fuzz(packet_type)
packet_gen = scapy.IP(dst=target) / packet_type
packets = scapy.send(packet_gen,
return_packets=return_packets,
verbose=not return_packets,
count=max_packets)
if return_packets:
packets.show()
def gen_flags(self, field):
"""
Generates a random set of flags. 50% of the time it picks randomly from
a list of real flags, otherwise it returns fuzzed flags.
"""
if random.random() < 0.5:
return random.choice(['S', 'A', 'SA', 'PA', 'FA', 'R', 'P', 'F', 'RA', ''])
else:
sample = fuzz(self.protocol())
# Since scapy lazily evaluates fuzzing, we first must set a
# legitimate value for scapy to evaluate what combination of flags it is
sample.flags = sample.flags
return str(sample.flags)
def gen_udp_pkt(src=None, dst=None, payload_len=-1):
"""Generate random IP/UDP[Payload] packet
:src: source IP address
:dst: destination IP address
:payload_len: size of payload
:returns: packet as raw bytes
"""
getipaddr = lambda addr: rand_ipaddr() if addr is None else addr
sip = getipaddr(src)
dip = getipaddr(dst)
payload = get_payload(payload_len)
pkt = fuzz(IP(src=sip, dst=dip) / UDP()) / payload
# pkt.show2()
# os.write(2, str(pkt))
return str(pkt)
def gen(self, field):
"""
Generates a value for this field.
"""
assert field in self.fields
if field in self.generators:
return self.generators[field](field)
# Dual field accessors are fields that require two pieces of information
# to retrieve them (for example, "options-eol"). These are delimited by
# a dash "-".
base = field.split("-")[0]
if "-" in field and base in self.generators:
return self.generators[base](field)
sample = fuzz(self.protocol())
new_value = getattr(sample, field)
if new_value == None:
new_value = 0
elif type(new_value) != int:
new_value = new_value._fix()
return new_value
def run(self, hosts, dport=53):
# Send SYN with random Src Port for each Dst port
for host in hosts:
packet = IP(dst=host) / UDP(dport=dport) / fuzz(DNS())
answer = self.send_receive(packet)
from scapy.all import IPv6, Dot1Q, IP, Ether, UDP, TCP
except ModuleNotFoundError as err:
print(err + ": Scapy")
import sys
path = str(sys.argv[1]) + "/pcap/fuzzy.pcap"
pktdump = PcapWriter(path, append=False, sync=True)
for i in range(0, 2000):
# Generate random protocol bases, use a fuzz() over the combined packet
# for full fuzzing.
eth = Ether(src=RandMAC(), dst=RandMAC())
vlan = Dot1Q()
ipv4 = IP(src=RandIP(), dst=RandIP())
ipv6 = IPv6(src=RandIP6(), dst=RandIP6())
udp = UDP(dport=RandShort(), sport=RandShort())
tcp = TCP(dport=RandShort(), sport=RandShort())
# IPv4 packets with fuzzing
pktdump.write(fuzz(eth / ipv4 / udp))
pktdump.write(fuzz(eth / ipv4 / tcp))
pktdump.write(fuzz(eth / vlan / ipv4 / udp))
pktdump.write(fuzz(eth / vlan / ipv4 / tcp))
# IPv6 packets with fuzzing
pktdump.write(fuzz(eth / ipv6 / udp))
pktdump.write(fuzz(eth / ipv6 / tcp))
pktdump.write(fuzz(eth / vlan / ipv6 / udp))
pktdump.write(fuzz(eth / vlan / ipv6 / tcp))
#!/usr/bin/python
#-*- coding: utf-8 -*-
# Docs for interactive use
# https://scapy.readthedocs.io/en/latest/usage.html?highlight=fuzz#fuzzing
# Interactive example: >>> send(IP(dst="127.0.0.1")/fuzz(UDP()/NTP(version=4)),loop=1)
from scapy.all import sr1, IP, fuzz, UDP, NTP
target = "127.0.0.1"
target = "192.168.49.39"
while True:
sr1(IP(dst=target) / fuzz(UDP() / NTP(version=4)), inter=4, timeout=1)
pkt = []
for i in range(0, size):
if traffic_opt == "fuzzy":
eth = Ether(src=RandMAC(), dst=RandMAC())
vlan = Dot1Q()
udp = UDP(dport=RandShort(), sport=RandShort())
ipv4 = IP(src=RandIP(), dst=RandIP(), len=random.randint(0, 100))
ipv6 = IPv6(src=RandIP6(), dst=RandIP6(), plen=random.randint(0, 100))
tcp = TCP(dport=RandShort(), sport=RandShort(), flags='S',
dataofs=random.randint(0, 15))
# IPv4 packets with fuzzing
pkt.append(fuzz(eth / ipv4 / udp))
pkt.append(fuzz(eth / ipv4 / tcp))
pkt.append(fuzz(eth / vlan / ipv4 / udp))
pkt.append(fuzz(eth / vlan / ipv4 / tcp))
# IPv6 packets with fuzzing
pkt.append(fuzz(eth / ipv6 / udp))
pkt.append(fuzz(eth / ipv6 / tcp))
pkt.append(fuzz(eth / vlan / ipv6 / udp))
pkt.append(fuzz(eth / vlan / ipv6 / tcp))
else:
mac_addr_src = "52:54:00:FF:FF:{:02X}".format(i % 0xff)
mac_addr_dst = "80:FF:FF:FF:FF:{:02X}".format(i % 0xff)
src_port = 200 + (i % 20)
dst_port = 1000 + (i % 20)
def syn(ip, port):
# 发送SYN包判断端口是否开放
ans, unans = sr(IP(dst=ip) / fuzz(TCP(dport=port, flags="S")))
return ans, unans
