def dnspunch(self):
# punchpkt
e = scapy.Ether(dst=self.router_mac)
self.msg("sending punchies...")
pkt = scapy.IP(src=self.server_ip, dst=self.attacker_ip)
pkt /= scapy.UDP(sport=53, dport=53)
pkt /= scapy.Raw("udp holepunch test")
scapy.sendp(e / pkt, iface=self.interface)
# rqpkt
self.msg("sending DNS request to %s asking %s..." %
(self.server_ip, self.domain))
pkt = scapy.IP(src=self.attacker_ip, dst=self.server_ip)
pkt /= scapy.UDP(sport=53, dport=53)
pkt /= scapy.DNS(rd=1, qd=scapy.DNSQR(qname=self.domain))
x, u = scapy.srp(e / pkt, timeout=5, iface=self.interface)
self.msg('ok')
for p in x[0]:
p.show()
if p[1].proto == 1:
print "%s %s/%s" % (p[1].sprintf("%IP.src%"),
p[1].sprintf("%ICMP.type%"),
p[1].sprintf("%ICMP.code%"))
else:
p[1].show()
def simple_udp_packet(pktlen=100,
eth_dst='00:01:02:03:04:05',
eth_src='00:06:07:08:09:0a',
dl_vlan_enable=False,
vlan_vid=0,
vlan_pcp=0,
dl_vlan_cfi=0,
ip_src='192.168.0.1',
ip_dst='192.168.0.2',
ip_tos=0,
ip_ttl=64,
udp_sport=1234,
udp_dport=80,
ip_ihl=None,
ip_options=False):
"""
Return a simple dataplane UDP packet
Supports a few parameters:
@param len Length of packet in bytes w/o CRC
@param eth_dst Destination MAC
@param eth_src Source MAC
@param dl_vlan_enable True if the packet is with vlan, False otherwise
@param vlan_vid VLAN ID
@param vlan_pcp VLAN priority
@param ip_src IP source
@param ip_dst IP destination
@param ip_tos IP ToS
@param ip_ttl IP TTL
@param udp_dport UDP destination port
@param udp_sport UDP source port
Generates a simple UDP packet. Users shouldn't assume anything about
this packet other than that it is a valid ethernet/IP/UDP frame.
"""
if MINSIZE > pktlen:
pktlen = MINSIZE
# Note Dot1Q.id is really CFI
if (dl_vlan_enable):
pkt = scapy.Ether(dst=eth_dst, src=eth_src)/ \
scapy.Dot1Q(prio=vlan_pcp, id=dl_vlan_cfi, vlan=vlan_vid)/ \
scapy.IP(src=ip_src, dst=ip_dst, tos=ip_tos, ttl=ip_ttl, ihl=ip_ihl)/ \
scapy.UDP(sport=udp_sport, dport=udp_dport)
else:
if not ip_options:
pkt = scapy.Ether(dst=eth_dst, src=eth_src)/ \
scapy.IP(src=ip_src, dst=ip_dst, tos=ip_tos, ttl=ip_ttl, ihl=ip_ihl)/ \
scapy.UDP(sport=udp_sport, dport=udp_dport)
else:
pkt = scapy.Ether(dst=eth_dst, src=eth_src)/ \
scapy.IP(src=ip_src, dst=ip_dst, tos=ip_tos, ttl=ip_ttl, ihl=ip_ihl, options=ip_options)/ \
scapy.UDP(sport=udp_sport, dport=udp_dport)
pkt = pkt / ("D" * (pktlen - len(pkt)))
return pkt
def UDPWithOptions(version, srcaddr, dstaddr, sport=0, lifetime=39):
if version == 4:
packet = (scapy.IP(src=srcaddr, dst=dstaddr, ttl=lifetime, tos=0x83) /
scapy.UDP(sport=sport, dport=53) / UDP_PAYLOAD)
else:
packet = (scapy.IPv6(
src=srcaddr, dst=dstaddr, fl=0xbeef, hlim=lifetime, tc=0x83) /
scapy.UDP(sport=sport, dport=53) / UDP_PAYLOAD)
return ("UDPv%d packet with options" % version, packet)
def craft_pfcp_session_modify_packet():
global peer_address, peer_seid
udp = scapy.UDP()
ip = scapy.IP()
ip.src = localaddr
ip.dst = peer_address
#fill pfcp header
pfcp_header = pfcp.PFCP()
pfcp_header.version = 1
pfcp_header.S = 1
pfcp_header.message_type = 52
pfcp_header.seid = peer_seid
pfcp_header.seq = 2
mod = pfcp.PFCPSessionModificationRequest()
fseid = pfcp.IE_FSEID()
fseid.v4 = 1
fseid.seid = 1
fseid.ipv4 = "1.1.1.1"
mod.IE_list.append(fseid)
far1 = pfcp.IE_UpdateFAR()
#FAR id
farid1 = pfcp.IE_FAR_Id()
farid1.id = 2
far1.IE_list.append(farid1)
#Apply Action
appAction1 = pfcp.IE_ApplyAction()
appAction1.FORW = 1
far1.IE_list.append(appAction1)
updforwarding = pfcp.IE_UpdateForwardingParameters()
destintf1 = pfcp.IE_DestinationInterface()
destintf1.interface = 0 #access
updforwarding.IE_list.append(destintf1)
outerHeader = pfcp.IE_OuterHeaderCreation()
outerHeader.GTPUUDPIPV4 = 1
outerHeader.ipv4 = ENODEB_IPV4
outerHeader.TEID = TEID
updforwarding.IE_list.append(outerHeader)
far1.IE_list.append(updforwarding)
mod.IE_list.append(far1)
udp = scapy.UDP()
ip = scapy.IP()
ip.src = localaddr
ip.dst = upfaddr
modify_pkt = ip / udp / pfcp_header / mod
return modify_pkt
def _CheckNullEncryptionTunnelMode(self, version):
family = net_test.GetAddressFamily(version)
netid = self.RandomNetid()
local_addr = self.MyAddress(version, netid)
remote_addr = self.GetRemoteAddress(version)
# Borrow the address of another netId as the source address of the tunnel
tun_local = self.MyAddress(version, self.RandomNetid(netid))
# For generality, pick a tunnel endpoint that's not the address we
# connect the socket to.
tun_remote = TUNNEL_ENDPOINTS[version]
# Output
self.xfrm.AddSaInfo(tun_local, tun_remote, 0xABCD,
xfrm.XFRM_MODE_TUNNEL, 123,
xfrm_base._ALGO_CRYPT_NULL,
xfrm_base._ALGO_AUTH_NULL, None, None, None, netid)
# Input
self.xfrm.AddSaInfo(tun_remote, tun_local, 0x9876,
xfrm.XFRM_MODE_TUNNEL, 456,
xfrm_base._ALGO_CRYPT_NULL,
xfrm_base._ALGO_AUTH_NULL, None, None, None, None)
sock = net_test.UDPSocket(family)
self.SelectInterface(sock, netid, "mark")
sock.bind((local_addr, 0))
local_port = sock.getsockname()[1]
remote_port = 5555
xfrm_base.ApplySocketPolicy(sock, family, xfrm.XFRM_POLICY_OUT, 0xABCD,
123, (tun_local, tun_remote))
xfrm_base.ApplySocketPolicy(sock, family, xfrm.XFRM_POLICY_IN, 0x9876,
456, (tun_remote, tun_local))
# Create and receive an ESP packet.
IpType = {4: scapy.IP, 6: scapy.IPv6}[version]
input_pkt = (IpType(src=remote_addr, dst=local_addr) /
scapy.UDP(sport=remote_port, dport=local_port) /
"input hello")
input_pkt = IpType(str(input_pkt)) # Compute length, checksum.
input_pkt = xfrm_base.EncryptPacketWithNull(input_pkt, 0x9876, 1,
(tun_remote, tun_local))
self.ReceivePacketOn(netid, input_pkt)
msg, addr = sock.recvfrom(1024)
self.assertEquals("input hello", msg)
self.assertEquals((remote_addr, remote_port), addr[:2])
# Send and capture a packet.
sock.sendto("output hello", (remote_addr, remote_port))
packets = self.ReadAllPacketsOn(netid)
self.assertEquals(1, len(packets))
output_pkt = packets[0]
output_pkt, esp_hdr = xfrm_base.DecryptPacketWithNull(output_pkt)
self.assertEquals(output_pkt[scapy.UDP].len, len("output_hello") + 8)
self.assertEquals(remote_addr, output_pkt.dst)
self.assertEquals(remote_port, output_pkt[scapy.UDP].dport)
# length of the payload plus the UDP header
self.assertEquals("output hello", str(output_pkt[scapy.UDP].payload))
self.assertEquals(0xABCD, esp_hdr.spi)
def getUDPInfo(oAdapter, sTargetIP):
data = '03661471 0000000001000000' + ipToHex(oAdapter[1] +
'.1.1') + '1027 00000000'
oIP = scapy.IP(dst=sTargetIP)
oUDP = scapy.UDP(sport=random.randint(1024, 65535), dport=48899)
oLoad = scapy.Raw(load=binascii.unhexlify(data.replace(' ', '')))
oResp = scapy.sr1(oIP / oUDP / oLoad, timeout=iTIMEOUT)
if oResp is None:
print('[!] Error, device not responding to TwinCAT discovery packets!')
return
dResp = oResp.getlayer(scapy.Raw).load
sResp = binascii.hexlify(dResp)
sNetid = hexToIP(sResp[24:36])
namelength = int(sResp[54:56] + sResp[52:54], 16)
sName = str(dResp[28:27 + namelength])
i = ((27 + namelength) * 2) + 18
sPreKernel = ''.join(
map(str.__add__, sResp[i:i + 24][-2::-2], sResp[i:i + 24][-1::-2]))
sKernel = str(int(sPreKernel[16:24], 16)) + '.' + str(
int(sPreKernel[8:16], 16)) + '.' + str(int(sPreKernel[:8], 16))
i += (24 + 528)
sTCVer = str(int(sResp[i:i + 2], 16)) + '.' + str(
int(sResp[i + 2:i + 4], 16)) + '.' + str(
int((''.join(
map(str.__add__, sResp[i + 4:i + 8][-2::-2],
sResp[i + 4:i + 8][-1::-2]))), 16))
print('[+] IP: ' + sTargetIP + ', NAME: ' + sName + ', RNETID: ' + sNetid +
', TCVer: ' + sTCVer + ', WinVer: ' + sKernel)
return sNetid
def run(self):
if not bHasScapy:
self.gom.echo('No scapy support :(')
return False
self.results = {}
self.up = {}
self.down = {}
target = scapy.IP(dst=self.target)
self.gom.echo("Sending probe to\t" + str(target.dst) +
"\tusing port\t" + str(self.port))
p = scapy.IP(dst=target.dst) / scapy.UDP(dport=self.port)
ans, unans = scapy.sr(p,
timeout=self.timeout,
iface=self.iface,
retry=0)
# self.gom.echo(ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") ))
if ans:
for a in ans:
self.up[len(self.up) + 1] = a[0][0].dst
self.add_data_to_kb("alive", a[0][0].dst)
self.add_data_to_kb("hosts", a[0][0].dst)
self.add_data_to_kb("targets", a[0][0].dst)
#self.add_data_to_kb(ans[0][0].dst + "_trace", ans[0][0].dst)
# else:
# self.down[len(self.up)+1] = ans[0][0].dst
# self.gom.echo("Answer of type " + str(icmptypes[ans[0][0].type]) + " from " + str(ans[0][0].dst))
self.results = self.up
return True
def traceroute(destination,
minttl=1,
maxttl=24,
dport=33434,
trtype='udp'):
""" Traceroute """
results = []
for ttl in range(minttl, maxttl):
pkt = scapy.IP(dst=destination, ttl=ttl) / scapy.UDP(
dport=random.randint(33434, 33534))
# --------------------------------- #
# Send the packet and get a reply #
# --------------------------------- #
reply = scapy.sr1(pkt, timeout=5, inter=0.05, verbose=0)
if reply is None:
print("Exiting as no reply ... ")
results.append((ttl, "Exiting no reply", None, None))
break
elif reply.type == 3:
print("Done {} hops away: {} {} {}".format(
ttl, reply.src, reply.type, reply.time))
#results.append((ttl, reply.src, reply.time, reply.type))
break
else:
#print("{} hops away {} {} {}".format(ttl, reply.src, reply.type, reply.time))
results.append((ttl, reply.src, reply.time, reply.type))
return results
def main():
parser = argparse.ArgumentParser(
"frag6.py", description="IPv6 fragementation test tool")
parser.add_argument(
'--sendif',
nargs=1,
required=True,
help='The interface through which the packet will be sent')
parser.add_argument('--recvif',
nargs=1,
required=True,
help='The interface on which to check for the packet')
parser.add_argument('--src',
nargs=1,
required=True,
help='The source IP address')
parser.add_argument('--to',
nargs=1,
required=True,
help='The destination IP address')
parser.add_argument('--debug',
required=False,
action='store_true',
help='Enable test debugging')
args = parser.parse_args()
# Start sniffing on recvif
sniffer = Sniffer(args, check_icmp6_error)
########################################################################
#
# A single start fragment with zero length IPv6 header (jumbo).
# Make sure we do hit the Fragment case, which is tricky as the
# jumbogram needs to be > 64k.
#
# A: Jumbo-Fragment not allowed.
# R: ICMPv6 param problem.
#
#data = "6" * (65536 - 2 - 6 - 8 - 8)
data = "6" * 65512
ip6f01 = sp.Ether() / \
sp.IPv6(src=args.src[0], dst=args.to[0], plen=0) / \
sp.IPv6ExtHdrHopByHop(options=sp.Jumbo(jumboplen=65536)) / \
sp.IPv6ExtHdrFragment(offset=0, m=1, id=6) / \
sp.UDP(dport=3456, sport=6543) / \
data
if args.debug:
ip6f01.display()
sp.sendp(ip6f01, iface=args.sendif[0], verbose=False)
# We should only need to sleep 0.10 but it seems scapy
# takes time for this one.
sleep(75)
sniffer.setEnd()
sniffer.join()
if not sniffer.foundCorrectPacket:
sys.exit(1)
sys.exit(0)
def _build_pkt(spec, size):
eth = scapy.Ether(src=spec.src_mac, dst=spec.dst_mac)
ip = scapy.IP(src=spec.src_ip, dst=spec.dst_ip)
udp = scapy.UDP(sport=10001, dport=10002, chksum=0)
payload = ('hello' + '0123456789' * 200)[:size - len(eth / ip / udp)]
pkt = eth / ip / udp / payload
return str(pkt)
def check_dhcp_request(iface, server, range_start, range_end, timeout=5):
"""Provide interface, server endpoint and pool of ip adresses
Should be used after offer received
>>> check_dhcp_request('eth1','10.10.0.5','10.10.0.10','10.10.0.15')
"""
scapy.conf.iface = iface
scapy.conf.checkIPaddr = False
fam, hw = scapy.get_if_raw_hwaddr(iface)
ip_address = next(utils.pick_ip(range_start, range_end))
# note lxc dhcp server does not respond to unicast
dhcp_request = (scapy.Ether(src=hw, dst="ff:ff:ff:ff:ff:ff") /
scapy.IP(src="0.0.0.0", dst="255.255.255.255") /
scapy.UDP(sport=68, dport=67) /
scapy.BOOTP(chaddr=hw) /
scapy.DHCP(options=[("message-type", "request"),
("server_id", server),
("requested_addr", ip_address),
"end"]))
ans, unans = scapy.srp(dhcp_request, nofilter=1, multi=True,
timeout=timeout, verbose=0)
return ans
def udp_scan(target_ip, target_port):
try:
udp_packet = scapy.UDP(dport=target_port)
ip_packet = scapy.IP(dst=target_ip)
packet_sent = ip_packet / udp_packet
response = scapy.sr1(packet_sent, timeout=5, verbose=False)
if response.haslayer(scapy.UDP):
return "port {} : OPEN ".format(target_port)
elif response.haslayer(scapy.ICMP):
if int(response.getlayer(scapy.ICMP).type) == 3 and int(response.getlayer(scapy.ICMP).code) == 3:
return False
elif int(response.getlayer(scapy.ICMP).type) == 3 and int(response.getlayer(scapy.ICMP).code) in [1, 2, 9,
10, 13]:
return "port {} : Filtered ".format(target_port)
except AttributeError:
retrans = []
for count in range(0, 3):
retrans.append(scapy.sr1(packet_sent, timeout=2, verbose=False))
for item in retrans:
try:
if item.haslayer(scapy.UDP):
udp_scan(target_ip, target_port)
except AttributeError:
return "port {} : OPEN | Filtered ".format(target_port)
except KeyboardInterrupt:
print("[-] ctr+c ... Quiting")
sys.exit(1)
def UDP(version, srcaddr, dstaddr, sport=0):
ip = _GetIpLayer(version)
# Can't just use "if sport" because None has meaning (it means unspecified).
if sport == 0:
sport = _RandomPort()
return ("UDPv%d packet" % version, ip(src=srcaddr, dst=dstaddr) /
scapy.UDP(sport=sport, dport=53) / UDP_PAYLOAD)
def make_falcon_task_pkt(dst_ip,
cluster_id,
local_cluster_id,
src_id,
dst_id=0,
q_len=0,
seq_num=1000,
pkt_len=128,
**kwargs):
eth_hdr = make_eth_hdr(**kwargs)
falcon_hdr = FalconPacket(pkt_type=PKT_TYPE_NEW_TASK,
cluster_id=cluster_id,
local_cluster_id=local_cluster_id,
src_id=src_id,
dst_id=dst_id,
q_len=q_len,
seq_num=seq_num)
data_len = pkt_len - len(eth_hdr) - len(falcon_hdr)
if data_len <= 0:
data_len = 1
payload = generate_load(data_len)
pkt = scapy.IP(dst=dst_ip) / scapy.UDP(
dport=FALCON_PORT) / falcon_hdr / payload
return pkt
def gen_untagged_packet():
eth = scapy.Ether(src='02:1e:67:9f:4d:ae', dst='06:16:3e:1b:72:32')
ip = scapy.IP()
udp = scapy.UDP(sport=10001, dport=10002)
payload = 'truculence'
pkt = eth / ip / udp / payload
return pkt
def handle_packet(packet):
ip = packet.getlayer(scapy.IP)
udp = packet.getlayer(scapy.UDP)
dns = packet.getlayer(scapy.DNS)
# standard (a record) dns query
if dns.qr == 0 and dns.opcode == 0:
queried_host = dns.qd.qname[:-1]
resolved_ip = None
if dns_map.get(queried_host):
resolved_ip = dns_map.get(queried_host)
elif dns_map.get('*'):
resolved_ip = dns_map.get('*')
if resolved_ip:
dns_answer = scapy.DNSRR(rrname=queried_host + '.',
ttl=330,
type="A",
rclass="IN",
rdata=resolved_ip)
dns_reply = scapy.IP(src=ip.dst, dst=ip.src) / \
scapy.UDP(sport=udp.dport,dport=udp.sport) / \
scapy.DNS(
id = dns.id,
qr = 1,
aa = 0,
rcode = 0,
qd = dns.qd,
an = dns_answer
)
print "Send %s has %s to %s" % (queried_host, resolved_ip, ip.src)
scapy.send(dns_reply, iface=dev)
def make_falcon_task_done_pkt(dst_ip,
cluster_id,
local_cluster_id,
src_id,
dst_id=0,
is_idle=False,
q_len=0,
seq_num=1000,
pkt_len=128,
**kwargs):
eth_hdr = make_eth_hdr(**kwargs)
if is_idle:
falcon_hdr = FalconPacket(pkt_type=PKT_TYPE_TASK_DONE_IDLE,
cluster_id=cluster_id,
local_cluster_id=local_cluster_id,
src_id=src_id,
dst_id=dst_id,
q_len=q_len,
seq_num=seq_num)
else:
falcon_hdr = FalconPacket(pkt_type=PKT_TYPE_TASK_DONE,
cluster_id=cluster_id,
local_cluster_id=local_cluster_id,
src_id=src_id,
dst_id=dst_id,
q_len=q_len,
seq_num=seq_num)
pkt = scapy.IP(dst=dst_ip) / scapy.UDP(dport=FALCON_PORT) / falcon_hdr
return pkt
def check_dhcp_on_eth(iface, timeout):
"""Check if there is roque dhcp server in network on given iface
@iface - name of the ethernet interface
@timeout - scapy timeout for waiting on response
>>> check_dhcp_on_eth('eth1')
"""
scapy.conf.iface = iface
scapy.conf.checkIPaddr = False
dhcp_options = [("message-type", "discover"),
("param_req_list",
utils.format_options([
1, 2, 3, 4, 5, 6, 11, 12, 13, 15, 16, 17, 18, 22, 23,
28, 40, 41, 42, 43, 50, 51, 54, 58, 59, 60, 66, 67
])), "end"]
fam, hw = scapy.get_if_raw_hwaddr(iface)
dhcp_discover = (scapy.Ether(src=hw, dst="ff:ff:ff:ff:ff:ff") /
scapy.IP(src="0.0.0.0", dst="255.255.255.255") /
scapy.UDP(sport=68, dport=67) / scapy.BOOTP(chaddr=hw) /
scapy.DHCP(options=dhcp_options))
ans, unans = scapy.srp(dhcp_discover,
multi=True,
nofilter=1,
timeout=timeout,
verbose=0)
return ans
def dhcp_release(ip, hw, server):
x_id = random.randrange(1, 1000000)
hw_str = scapy.mac2str(hw)
dhcp_release_pkt = scapy.IP(src=ip, dst=server) / scapy.UDP(sport=68, dport=67) / scapy.BOOTP(ciaddr=ip, xid=x_id, chaddr=hw_str) / scapy.DHCP(options=[('message-type', 'release'),('server_id', server), ('end')])
scapy.send(dhcp_release_pkt, verbose=0)
def generate(self, ip_dst=None, eth_dst=None):
"""Generates a mDNS v4 packet for multicast DNS config
Args:
ip_dst: IP destination address (Optional)
eth_dst: Ethernet (layer 2) destination address (Optional)
"""
# Overwrite standard fields if desired
sta_ip = (ip_dst if ip_dst is not None else MDNS_V4_IP_DST)
sta_hw = (eth_dst if eth_dst is not None else MDNS_V4_MAC_DST)
# Create mDNS layer
qdServer = scapy.DNSQR(qname=self.src_ipv4, qtype=MDNS_QTYPE)
mDNS = scapy.DNS(rd=MDNS_RECURSIVE, qd=qdServer)
# Create UDP
udp = scapy.UDP(sport=MDNS_UDP_PORT, dport=MDNS_UDP_PORT)
# Create IP layer
ip4 = scapy.IP(src=self.src_ipv4, dst=sta_ip, ttl=255)
# Create Ethernet layer
ethernet = scapy.Ether(src=self.src_mac, dst=sta_hw)
self.packet = ethernet / ip4 / udp / mDNS
return self.packet
def make_UDP_hdr(l4source=None, l4dst=None, **kwargs):
hdr = scapy.UDP()
if l4source:
hdr[scapy.UDP].sport = l4source
if l4dst:
hdr[scapy.UDP].dport = l4dst
return hdr
def send_packet(self, req, **kwargs):
# XXX: match flow enties instead
# print self.response_app.host_ip_mac
src_ip = kwargs['src'].encode('utf-8')
dst_ip = kwargs['dst'].encode('utf-8')
src_mac = self.response_app.host_ip_mac[src_ip]
try:
dst_mac = self.response_app.host_ip_mac[dst_ip]
except:
dst_mac = "00:00:00:ff:00:00"
dpid = self.response_app.host_ip_dpid[src_ip]
ret = get_switch(self.response_app, dpid)
# print ret[0].to_dict()
# return json.dumps(ret[0].to_dict())
datapath = ret[0].dp
ofproto = datapath.ofproto
parser = datapath.ofproto_parser
packet = Scapy.Ether(src=src_mac, dst=dst_mac) / Scapy.IP(
src=src_ip, dst=dst_ip) / Scapy.UDP() / "Hello World"
packet = str(packet)
# XXX; pretty hard code....
# dpid==1 => send vid=1
if datapath.id == 1:
actions = [
parser.OFPActionPushVlan(),
parser.OFPActionSetField(vlan_vid=1),
parser.OFPActionOutput(ofproto.OFPP_TABLE)
]
else:
actions = [
parser.OFPActionPushVlan(),
parser.OFPActionSetField(vlan_vid=2),
parser.OFPActionOutput(ofproto.OFPP_TABLE)
]
out = parser.OFPPacketOut(
datapath=datapath,
buffer_id=ofproto.OFP_NO_BUFFER,
in_port=self.response_app.host_ip_port[src_ip],
actions=actions,
data=packet)
datapath.send_msg(out)
## XXX: pretty bad... sleep will hang the controller
# timeout 300 ms
timeout = 300
delta = 50
self.response_app.forward_list = [dpid]
cur_ts = int(round(time.time() * 1000))
self.response_app.trace_ts = cur_ts
while (cur_ts - self.response_app.trace_ts < timeout):
time.sleep(delta / 1000)
cur_ts = int(round(time.time() * 1000))
return json.dumps(self.response_app.forward_list)
def handle_packet(packet):
ip = packet.getlayer(scapy.IP)
udp = packet.getlayer(scapy.UDP)
# Ignore packets containing data we aren't interested
# in.
if hasattr(packet, 'qd') and packet.qd is not None:
queried_host = packet.qd.qname[:-1].decode("utf-8")
if queried_host is None:
print("queried_host is None, dropping request")
return
# If the queried_host is one of the domains we want
# to spoof, return the spoof_ip.
if queried_host in spoof_domains:
print("!!!! Spoofing DNS request for %s by %s !!!!"
% (queried_host, ip.src))
resolved_ip = spoof_ip
# Else use dns.resolver to make a real DNS "A record"
# request, and return the result of that.
else:
print("Forwarding DNS request for %s by %s" %
(queried_host, ip.src))
a_records = dns.resolver.query(queried_host, 'A')
resolved_ip = a_records[0].address
# Build the DNS answer
dns_answer = scapy.DNSRR(
rrname=queried_host + ".",
ttl=330,
type="A",
rclass="IN",
rdata=resolved_ip)
# Build the DNS response by constructing the IP
# packet, the UDP "datagram" that goes inside the
# packet, and finally the DNS response that goes
# inside the datagram.
dns_response = \
scapy.IP(src=ip.dst, dst=ip.src) / \
scapy.UDP(
sport=udp.dport,
dport=udp.sport
) / \
scapy.DNS(
id = packet[scapy.DNS].id,
qr = 1,
aa = 0,
rcode = 0,
qd = packet.qd,
an = dns_answer
)
print("Resolved DNS request for %s to %s for %s" %
(queried_host, resolved_ip, ip.src))
# Use scapy to send our response back to your phone.
scapy.send(dns_response, iface=iface)
else:
print("Ignoring unrecognized packet from %s" % ip.src)
def send_packet(self, iface, src_mac, src_ip, src_port, dst_mac, dst_ip,
dst_port):
ethernet = scapy.Ether(dst=dst_mac, src=src_mac, type=0x0800)
ip = scapy.IP(src=src_ip, dst=dst_ip)
udp = scapy.UDP(sport=int(src_port), dport=int(dst_port))
data = "Hello udp"
packet = ethernet / ip / udp / data
scapy.sendp(packet, iface=iface)
def make_udp_hdr(sport=None, dport=None, **kwargs):
""" Create the UDP headers."""
hdr = scapy.UDP()
if sport:
hdr[scapy.UDP].sport = sport
if dport:
hdr[scapy.UDP].dport = dport
return hdr
def gen_packet(self, dst_ip="0.0.0.0"):
eth = scapy.Ether(src='02:1e:67:9f:4d:ae', dst='06:16:3e:1b:72:32')
ip = scapy.IP(src='1.2.3.4', dst=dst_ip)
udp = scapy.UDP(sport=10001, dport=10002)
payload = ('hello' + '0123456789' * 200)[:60 - len(eth / ip / udp)]
pkt = eth / ip / udp / payload
return bytes(pkt)
def ScanUdpPort(dst_host, dst_port, src_port, _timeout):
pkt = scapy.IP(dst=dst_host) / scapy.UDP(sport=src_port, dport=dst_port)
rply = scapy.sr1(pkt, verbose=0, timeout=_timeout)
CustomPrint(" - \t\t" + str(dst_port) + "/u\t", "WHITE", False)
if rply is None:
CustomPrint("closed", "RED")
else:
CustomPrint("open", "GREEN")
def main():
parser = argparse.ArgumentParser("CVE-2019-icmp.py",
description="CVE-2019-icmp test tool")
parser.add_argument(
'--sendif',
nargs=1,
required=True,
help='The interface through which the packet will be sent')
parser.add_argument('--recvif',
nargs=1,
required=True,
help='The interface on which to check for the packet')
parser.add_argument('--src',
nargs=1,
required=True,
help='The source IP address')
parser.add_argument('--to',
nargs=1,
required=True,
help='The destination IP address')
args = parser.parse_args()
# Send the allowed packet to establish state
udp = sp.Ether() / \
sp.IP(src=args.src[0], dst=args.to[0]) / \
sp.UDP(dport=53, sport=1234)
sp.sendp(udp, iface=args.sendif[0], verbose=False)
# Start sniffing on recvif
sniffer = Sniffer(args, check_icmp_error)
# Send the bad error packet
icmp_reachable = sp.Ether() / \
sp.IP(src=args.src[0], dst=args.to[0]) / \
sp.ICMP(type=3, code=3) / \
sp.IP(src=args.src[0], dst=args.to[0]) / \
sp.UDP(dport=53, sport=1234)
sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
sniffer.join()
if sniffer.foundCorrectPacket:
sys.exit(1)
sys.exit(0)
def setUp(self):
"""
Setup class for DNS_Amplification.
"""
# Create scapy packet (valid attack)
self.pkt = scapy.IP(src="10.0.2.15",
dst="dns.google") \
/ scapy.UDP(dport=53) \
/ scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
# Create a scapy packet (invalid attack)
self.pkt2 = scapy.IP(src="10.0.2.15",
dst="0.0.0.0") \
/ scapy.UDP(dport=53) \
/ scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
# Create DNS Amplification object
self.dns_amp_obj = DNS_Amplification()
def correct_packet(source_port, identification):
UDP_header = network.UDP(sport=53, dport=source_port)
raw_packet = network.DNS(id=identification,
ancount=1,
an=network.DNSRR(
rrname="one.yumi.ipl.eecs.case.edu",
rdata="129.22.150.112"))
return UDP_header / raw_packet
