def dnspunch(self): # punchpkt e = scapy.Ether(dst=self.router_mac) self.msg("sending punchies...") pkt = scapy.IP(src=self.server_ip, dst=self.attacker_ip) pkt /= scapy.UDP(sport=53, dport=53) pkt /= scapy.Raw("udp holepunch test") scapy.sendp(e / pkt, iface=self.interface) # rqpkt self.msg("sending DNS request to %s asking %s..." % (self.server_ip, self.domain)) pkt = scapy.IP(src=self.attacker_ip, dst=self.server_ip) pkt /= scapy.UDP(sport=53, dport=53) pkt /= scapy.DNS(rd=1, qd=scapy.DNSQR(qname=self.domain)) x, u = scapy.srp(e / pkt, timeout=5, iface=self.interface) self.msg('ok') for p in x[0]: p.show() if p[1].proto == 1: print "%s %s/%s" % (p[1].sprintf("%IP.src%"), p[1].sprintf("%ICMP.type%"), p[1].sprintf("%ICMP.code%")) else: p[1].show()
def simple_udp_packet(pktlen=100, eth_dst='00:01:02:03:04:05', eth_src='00:06:07:08:09:0a', dl_vlan_enable=False, vlan_vid=0, vlan_pcp=0, dl_vlan_cfi=0, ip_src='192.168.0.1', ip_dst='192.168.0.2', ip_tos=0, ip_ttl=64, udp_sport=1234, udp_dport=80, ip_ihl=None, ip_options=False): """ Return a simple dataplane UDP packet Supports a few parameters: @param len Length of packet in bytes w/o CRC @param eth_dst Destination MAC @param eth_src Source MAC @param dl_vlan_enable True if the packet is with vlan, False otherwise @param vlan_vid VLAN ID @param vlan_pcp VLAN priority @param ip_src IP source @param ip_dst IP destination @param ip_tos IP ToS @param ip_ttl IP TTL @param udp_dport UDP destination port @param udp_sport UDP source port Generates a simple UDP packet. Users shouldn't assume anything about this packet other than that it is a valid ethernet/IP/UDP frame. """ if MINSIZE > pktlen: pktlen = MINSIZE # Note Dot1Q.id is really CFI if (dl_vlan_enable): pkt = scapy.Ether(dst=eth_dst, src=eth_src)/ \ scapy.Dot1Q(prio=vlan_pcp, id=dl_vlan_cfi, vlan=vlan_vid)/ \ scapy.IP(src=ip_src, dst=ip_dst, tos=ip_tos, ttl=ip_ttl, ihl=ip_ihl)/ \ scapy.UDP(sport=udp_sport, dport=udp_dport) else: if not ip_options: pkt = scapy.Ether(dst=eth_dst, src=eth_src)/ \ scapy.IP(src=ip_src, dst=ip_dst, tos=ip_tos, ttl=ip_ttl, ihl=ip_ihl)/ \ scapy.UDP(sport=udp_sport, dport=udp_dport) else: pkt = scapy.Ether(dst=eth_dst, src=eth_src)/ \ scapy.IP(src=ip_src, dst=ip_dst, tos=ip_tos, ttl=ip_ttl, ihl=ip_ihl, options=ip_options)/ \ scapy.UDP(sport=udp_sport, dport=udp_dport) pkt = pkt / ("D" * (pktlen - len(pkt))) return pkt
def UDPWithOptions(version, srcaddr, dstaddr, sport=0, lifetime=39): if version == 4: packet = (scapy.IP(src=srcaddr, dst=dstaddr, ttl=lifetime, tos=0x83) / scapy.UDP(sport=sport, dport=53) / UDP_PAYLOAD) else: packet = (scapy.IPv6( src=srcaddr, dst=dstaddr, fl=0xbeef, hlim=lifetime, tc=0x83) / scapy.UDP(sport=sport, dport=53) / UDP_PAYLOAD) return ("UDPv%d packet with options" % version, packet)
def craft_pfcp_session_modify_packet(): global peer_address, peer_seid udp = scapy.UDP() ip = scapy.IP() ip.src = localaddr ip.dst = peer_address #fill pfcp header pfcp_header = pfcp.PFCP() pfcp_header.version = 1 pfcp_header.S = 1 pfcp_header.message_type = 52 pfcp_header.seid = peer_seid pfcp_header.seq = 2 mod = pfcp.PFCPSessionModificationRequest() fseid = pfcp.IE_FSEID() fseid.v4 = 1 fseid.seid = 1 fseid.ipv4 = "1.1.1.1" mod.IE_list.append(fseid) far1 = pfcp.IE_UpdateFAR() #FAR id farid1 = pfcp.IE_FAR_Id() farid1.id = 2 far1.IE_list.append(farid1) #Apply Action appAction1 = pfcp.IE_ApplyAction() appAction1.FORW = 1 far1.IE_list.append(appAction1) updforwarding = pfcp.IE_UpdateForwardingParameters() destintf1 = pfcp.IE_DestinationInterface() destintf1.interface = 0 #access updforwarding.IE_list.append(destintf1) outerHeader = pfcp.IE_OuterHeaderCreation() outerHeader.GTPUUDPIPV4 = 1 outerHeader.ipv4 = ENODEB_IPV4 outerHeader.TEID = TEID updforwarding.IE_list.append(outerHeader) far1.IE_list.append(updforwarding) mod.IE_list.append(far1) udp = scapy.UDP() ip = scapy.IP() ip.src = localaddr ip.dst = upfaddr modify_pkt = ip / udp / pfcp_header / mod return modify_pkt
def _CheckNullEncryptionTunnelMode(self, version): family = net_test.GetAddressFamily(version) netid = self.RandomNetid() local_addr = self.MyAddress(version, netid) remote_addr = self.GetRemoteAddress(version) # Borrow the address of another netId as the source address of the tunnel tun_local = self.MyAddress(version, self.RandomNetid(netid)) # For generality, pick a tunnel endpoint that's not the address we # connect the socket to. tun_remote = TUNNEL_ENDPOINTS[version] # Output self.xfrm.AddSaInfo(tun_local, tun_remote, 0xABCD, xfrm.XFRM_MODE_TUNNEL, 123, xfrm_base._ALGO_CRYPT_NULL, xfrm_base._ALGO_AUTH_NULL, None, None, None, netid) # Input self.xfrm.AddSaInfo(tun_remote, tun_local, 0x9876, xfrm.XFRM_MODE_TUNNEL, 456, xfrm_base._ALGO_CRYPT_NULL, xfrm_base._ALGO_AUTH_NULL, None, None, None, None) sock = net_test.UDPSocket(family) self.SelectInterface(sock, netid, "mark") sock.bind((local_addr, 0)) local_port = sock.getsockname()[1] remote_port = 5555 xfrm_base.ApplySocketPolicy(sock, family, xfrm.XFRM_POLICY_OUT, 0xABCD, 123, (tun_local, tun_remote)) xfrm_base.ApplySocketPolicy(sock, family, xfrm.XFRM_POLICY_IN, 0x9876, 456, (tun_remote, tun_local)) # Create and receive an ESP packet. IpType = {4: scapy.IP, 6: scapy.IPv6}[version] input_pkt = (IpType(src=remote_addr, dst=local_addr) / scapy.UDP(sport=remote_port, dport=local_port) / "input hello") input_pkt = IpType(str(input_pkt)) # Compute length, checksum. input_pkt = xfrm_base.EncryptPacketWithNull(input_pkt, 0x9876, 1, (tun_remote, tun_local)) self.ReceivePacketOn(netid, input_pkt) msg, addr = sock.recvfrom(1024) self.assertEquals("input hello", msg) self.assertEquals((remote_addr, remote_port), addr[:2]) # Send and capture a packet. sock.sendto("output hello", (remote_addr, remote_port)) packets = self.ReadAllPacketsOn(netid) self.assertEquals(1, len(packets)) output_pkt = packets[0] output_pkt, esp_hdr = xfrm_base.DecryptPacketWithNull(output_pkt) self.assertEquals(output_pkt[scapy.UDP].len, len("output_hello") + 8) self.assertEquals(remote_addr, output_pkt.dst) self.assertEquals(remote_port, output_pkt[scapy.UDP].dport) # length of the payload plus the UDP header self.assertEquals("output hello", str(output_pkt[scapy.UDP].payload)) self.assertEquals(0xABCD, esp_hdr.spi)
def getUDPInfo(oAdapter, sTargetIP): data = '03661471 0000000001000000' + ipToHex(oAdapter[1] + '.1.1') + '1027 00000000' oIP = scapy.IP(dst=sTargetIP) oUDP = scapy.UDP(sport=random.randint(1024, 65535), dport=48899) oLoad = scapy.Raw(load=binascii.unhexlify(data.replace(' ', ''))) oResp = scapy.sr1(oIP / oUDP / oLoad, timeout=iTIMEOUT) if oResp is None: print('[!] Error, device not responding to TwinCAT discovery packets!') return dResp = oResp.getlayer(scapy.Raw).load sResp = binascii.hexlify(dResp) sNetid = hexToIP(sResp[24:36]) namelength = int(sResp[54:56] + sResp[52:54], 16) sName = str(dResp[28:27 + namelength]) i = ((27 + namelength) * 2) + 18 sPreKernel = ''.join( map(str.__add__, sResp[i:i + 24][-2::-2], sResp[i:i + 24][-1::-2])) sKernel = str(int(sPreKernel[16:24], 16)) + '.' + str( int(sPreKernel[8:16], 16)) + '.' + str(int(sPreKernel[:8], 16)) i += (24 + 528) sTCVer = str(int(sResp[i:i + 2], 16)) + '.' + str( int(sResp[i + 2:i + 4], 16)) + '.' + str( int((''.join( map(str.__add__, sResp[i + 4:i + 8][-2::-2], sResp[i + 4:i + 8][-1::-2]))), 16)) print('[+] IP: ' + sTargetIP + ', NAME: ' + sName + ', RNETID: ' + sNetid + ', TCVer: ' + sTCVer + ', WinVer: ' + sKernel) return sNetid
def run(self): if not bHasScapy: self.gom.echo('No scapy support :(') return False self.results = {} self.up = {} self.down = {} target = scapy.IP(dst=self.target) self.gom.echo("Sending probe to\t" + str(target.dst) + "\tusing port\t" + str(self.port)) p = scapy.IP(dst=target.dst) / scapy.UDP(dport=self.port) ans, unans = scapy.sr(p, timeout=self.timeout, iface=self.iface, retry=0) # self.gom.echo(ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )) if ans: for a in ans: self.up[len(self.up) + 1] = a[0][0].dst self.add_data_to_kb("alive", a[0][0].dst) self.add_data_to_kb("hosts", a[0][0].dst) self.add_data_to_kb("targets", a[0][0].dst) #self.add_data_to_kb(ans[0][0].dst + "_trace", ans[0][0].dst) # else: # self.down[len(self.up)+1] = ans[0][0].dst # self.gom.echo("Answer of type " + str(icmptypes[ans[0][0].type]) + " from " + str(ans[0][0].dst)) self.results = self.up return True
def traceroute(destination, minttl=1, maxttl=24, dport=33434, trtype='udp'): """ Traceroute """ results = [] for ttl in range(minttl, maxttl): pkt = scapy.IP(dst=destination, ttl=ttl) / scapy.UDP( dport=random.randint(33434, 33534)) # --------------------------------- # # Send the packet and get a reply # # --------------------------------- # reply = scapy.sr1(pkt, timeout=5, inter=0.05, verbose=0) if reply is None: print("Exiting as no reply ... ") results.append((ttl, "Exiting no reply", None, None)) break elif reply.type == 3: print("Done {} hops away: {} {} {}".format( ttl, reply.src, reply.type, reply.time)) #results.append((ttl, reply.src, reply.time, reply.type)) break else: #print("{} hops away {} {} {}".format(ttl, reply.src, reply.type, reply.time)) results.append((ttl, reply.src, reply.time, reply.type)) return results
def main(): parser = argparse.ArgumentParser( "frag6.py", description="IPv6 fragementation test tool") parser.add_argument( '--sendif', nargs=1, required=True, help='The interface through which the packet will be sent') parser.add_argument('--recvif', nargs=1, required=True, help='The interface on which to check for the packet') parser.add_argument('--src', nargs=1, required=True, help='The source IP address') parser.add_argument('--to', nargs=1, required=True, help='The destination IP address') parser.add_argument('--debug', required=False, action='store_true', help='Enable test debugging') args = parser.parse_args() # Start sniffing on recvif sniffer = Sniffer(args, check_icmp6_error) ######################################################################## # # A single start fragment with zero length IPv6 header (jumbo). # Make sure we do hit the Fragment case, which is tricky as the # jumbogram needs to be > 64k. # # A: Jumbo-Fragment not allowed. # R: ICMPv6 param problem. # #data = "6" * (65536 - 2 - 6 - 8 - 8) data = "6" * 65512 ip6f01 = sp.Ether() / \ sp.IPv6(src=args.src[0], dst=args.to[0], plen=0) / \ sp.IPv6ExtHdrHopByHop(options=sp.Jumbo(jumboplen=65536)) / \ sp.IPv6ExtHdrFragment(offset=0, m=1, id=6) / \ sp.UDP(dport=3456, sport=6543) / \ data if args.debug: ip6f01.display() sp.sendp(ip6f01, iface=args.sendif[0], verbose=False) # We should only need to sleep 0.10 but it seems scapy # takes time for this one. sleep(75) sniffer.setEnd() sniffer.join() if not sniffer.foundCorrectPacket: sys.exit(1) sys.exit(0)
def _build_pkt(spec, size): eth = scapy.Ether(src=spec.src_mac, dst=spec.dst_mac) ip = scapy.IP(src=spec.src_ip, dst=spec.dst_ip) udp = scapy.UDP(sport=10001, dport=10002, chksum=0) payload = ('hello' + '0123456789' * 200)[:size - len(eth / ip / udp)] pkt = eth / ip / udp / payload return str(pkt)
def check_dhcp_request(iface, server, range_start, range_end, timeout=5): """Provide interface, server endpoint and pool of ip adresses Should be used after offer received >>> check_dhcp_request('eth1','10.10.0.5','10.10.0.10','10.10.0.15') """ scapy.conf.iface = iface scapy.conf.checkIPaddr = False fam, hw = scapy.get_if_raw_hwaddr(iface) ip_address = next(utils.pick_ip(range_start, range_end)) # note lxc dhcp server does not respond to unicast dhcp_request = (scapy.Ether(src=hw, dst="ff:ff:ff:ff:ff:ff") / scapy.IP(src="0.0.0.0", dst="255.255.255.255") / scapy.UDP(sport=68, dport=67) / scapy.BOOTP(chaddr=hw) / scapy.DHCP(options=[("message-type", "request"), ("server_id", server), ("requested_addr", ip_address), "end"])) ans, unans = scapy.srp(dhcp_request, nofilter=1, multi=True, timeout=timeout, verbose=0) return ans
def udp_scan(target_ip, target_port): try: udp_packet = scapy.UDP(dport=target_port) ip_packet = scapy.IP(dst=target_ip) packet_sent = ip_packet / udp_packet response = scapy.sr1(packet_sent, timeout=5, verbose=False) if response.haslayer(scapy.UDP): return "port {} : OPEN ".format(target_port) elif response.haslayer(scapy.ICMP): if int(response.getlayer(scapy.ICMP).type) == 3 and int(response.getlayer(scapy.ICMP).code) == 3: return False elif int(response.getlayer(scapy.ICMP).type) == 3 and int(response.getlayer(scapy.ICMP).code) in [1, 2, 9, 10, 13]: return "port {} : Filtered ".format(target_port) except AttributeError: retrans = [] for count in range(0, 3): retrans.append(scapy.sr1(packet_sent, timeout=2, verbose=False)) for item in retrans: try: if item.haslayer(scapy.UDP): udp_scan(target_ip, target_port) except AttributeError: return "port {} : OPEN | Filtered ".format(target_port) except KeyboardInterrupt: print("[-] ctr+c ... Quiting") sys.exit(1)
def UDP(version, srcaddr, dstaddr, sport=0): ip = _GetIpLayer(version) # Can't just use "if sport" because None has meaning (it means unspecified). if sport == 0: sport = _RandomPort() return ("UDPv%d packet" % version, ip(src=srcaddr, dst=dstaddr) / scapy.UDP(sport=sport, dport=53) / UDP_PAYLOAD)
def make_falcon_task_pkt(dst_ip, cluster_id, local_cluster_id, src_id, dst_id=0, q_len=0, seq_num=1000, pkt_len=128, **kwargs): eth_hdr = make_eth_hdr(**kwargs) falcon_hdr = FalconPacket(pkt_type=PKT_TYPE_NEW_TASK, cluster_id=cluster_id, local_cluster_id=local_cluster_id, src_id=src_id, dst_id=dst_id, q_len=q_len, seq_num=seq_num) data_len = pkt_len - len(eth_hdr) - len(falcon_hdr) if data_len <= 0: data_len = 1 payload = generate_load(data_len) pkt = scapy.IP(dst=dst_ip) / scapy.UDP( dport=FALCON_PORT) / falcon_hdr / payload return pkt
def gen_untagged_packet(): eth = scapy.Ether(src='02:1e:67:9f:4d:ae', dst='06:16:3e:1b:72:32') ip = scapy.IP() udp = scapy.UDP(sport=10001, dport=10002) payload = 'truculence' pkt = eth / ip / udp / payload return pkt
def handle_packet(packet): ip = packet.getlayer(scapy.IP) udp = packet.getlayer(scapy.UDP) dns = packet.getlayer(scapy.DNS) # standard (a record) dns query if dns.qr == 0 and dns.opcode == 0: queried_host = dns.qd.qname[:-1] resolved_ip = None if dns_map.get(queried_host): resolved_ip = dns_map.get(queried_host) elif dns_map.get('*'): resolved_ip = dns_map.get('*') if resolved_ip: dns_answer = scapy.DNSRR(rrname=queried_host + '.', ttl=330, type="A", rclass="IN", rdata=resolved_ip) dns_reply = scapy.IP(src=ip.dst, dst=ip.src) / \ scapy.UDP(sport=udp.dport,dport=udp.sport) / \ scapy.DNS( id = dns.id, qr = 1, aa = 0, rcode = 0, qd = dns.qd, an = dns_answer ) print "Send %s has %s to %s" % (queried_host, resolved_ip, ip.src) scapy.send(dns_reply, iface=dev)
def make_falcon_task_done_pkt(dst_ip, cluster_id, local_cluster_id, src_id, dst_id=0, is_idle=False, q_len=0, seq_num=1000, pkt_len=128, **kwargs): eth_hdr = make_eth_hdr(**kwargs) if is_idle: falcon_hdr = FalconPacket(pkt_type=PKT_TYPE_TASK_DONE_IDLE, cluster_id=cluster_id, local_cluster_id=local_cluster_id, src_id=src_id, dst_id=dst_id, q_len=q_len, seq_num=seq_num) else: falcon_hdr = FalconPacket(pkt_type=PKT_TYPE_TASK_DONE, cluster_id=cluster_id, local_cluster_id=local_cluster_id, src_id=src_id, dst_id=dst_id, q_len=q_len, seq_num=seq_num) pkt = scapy.IP(dst=dst_ip) / scapy.UDP(dport=FALCON_PORT) / falcon_hdr return pkt
def check_dhcp_on_eth(iface, timeout): """Check if there is roque dhcp server in network on given iface @iface - name of the ethernet interface @timeout - scapy timeout for waiting on response >>> check_dhcp_on_eth('eth1') """ scapy.conf.iface = iface scapy.conf.checkIPaddr = False dhcp_options = [("message-type", "discover"), ("param_req_list", utils.format_options([ 1, 2, 3, 4, 5, 6, 11, 12, 13, 15, 16, 17, 18, 22, 23, 28, 40, 41, 42, 43, 50, 51, 54, 58, 59, 60, 66, 67 ])), "end"] fam, hw = scapy.get_if_raw_hwaddr(iface) dhcp_discover = (scapy.Ether(src=hw, dst="ff:ff:ff:ff:ff:ff") / scapy.IP(src="0.0.0.0", dst="255.255.255.255") / scapy.UDP(sport=68, dport=67) / scapy.BOOTP(chaddr=hw) / scapy.DHCP(options=dhcp_options)) ans, unans = scapy.srp(dhcp_discover, multi=True, nofilter=1, timeout=timeout, verbose=0) return ans
def dhcp_release(ip, hw, server): x_id = random.randrange(1, 1000000) hw_str = scapy.mac2str(hw) dhcp_release_pkt = scapy.IP(src=ip, dst=server) / scapy.UDP(sport=68, dport=67) / scapy.BOOTP(ciaddr=ip, xid=x_id, chaddr=hw_str) / scapy.DHCP(options=[('message-type', 'release'),('server_id', server), ('end')]) scapy.send(dhcp_release_pkt, verbose=0)
def generate(self, ip_dst=None, eth_dst=None): """Generates a mDNS v4 packet for multicast DNS config Args: ip_dst: IP destination address (Optional) eth_dst: Ethernet (layer 2) destination address (Optional) """ # Overwrite standard fields if desired sta_ip = (ip_dst if ip_dst is not None else MDNS_V4_IP_DST) sta_hw = (eth_dst if eth_dst is not None else MDNS_V4_MAC_DST) # Create mDNS layer qdServer = scapy.DNSQR(qname=self.src_ipv4, qtype=MDNS_QTYPE) mDNS = scapy.DNS(rd=MDNS_RECURSIVE, qd=qdServer) # Create UDP udp = scapy.UDP(sport=MDNS_UDP_PORT, dport=MDNS_UDP_PORT) # Create IP layer ip4 = scapy.IP(src=self.src_ipv4, dst=sta_ip, ttl=255) # Create Ethernet layer ethernet = scapy.Ether(src=self.src_mac, dst=sta_hw) self.packet = ethernet / ip4 / udp / mDNS return self.packet
def make_UDP_hdr(l4source=None, l4dst=None, **kwargs): hdr = scapy.UDP() if l4source: hdr[scapy.UDP].sport = l4source if l4dst: hdr[scapy.UDP].dport = l4dst return hdr
def send_packet(self, req, **kwargs): # XXX: match flow enties instead # print self.response_app.host_ip_mac src_ip = kwargs['src'].encode('utf-8') dst_ip = kwargs['dst'].encode('utf-8') src_mac = self.response_app.host_ip_mac[src_ip] try: dst_mac = self.response_app.host_ip_mac[dst_ip] except: dst_mac = "00:00:00:ff:00:00" dpid = self.response_app.host_ip_dpid[src_ip] ret = get_switch(self.response_app, dpid) # print ret[0].to_dict() # return json.dumps(ret[0].to_dict()) datapath = ret[0].dp ofproto = datapath.ofproto parser = datapath.ofproto_parser packet = Scapy.Ether(src=src_mac, dst=dst_mac) / Scapy.IP( src=src_ip, dst=dst_ip) / Scapy.UDP() / "Hello World" packet = str(packet) # XXX; pretty hard code.... # dpid==1 => send vid=1 if datapath.id == 1: actions = [ parser.OFPActionPushVlan(), parser.OFPActionSetField(vlan_vid=1), parser.OFPActionOutput(ofproto.OFPP_TABLE) ] else: actions = [ parser.OFPActionPushVlan(), parser.OFPActionSetField(vlan_vid=2), parser.OFPActionOutput(ofproto.OFPP_TABLE) ] out = parser.OFPPacketOut( datapath=datapath, buffer_id=ofproto.OFP_NO_BUFFER, in_port=self.response_app.host_ip_port[src_ip], actions=actions, data=packet) datapath.send_msg(out) ## XXX: pretty bad... sleep will hang the controller # timeout 300 ms timeout = 300 delta = 50 self.response_app.forward_list = [dpid] cur_ts = int(round(time.time() * 1000)) self.response_app.trace_ts = cur_ts while (cur_ts - self.response_app.trace_ts < timeout): time.sleep(delta / 1000) cur_ts = int(round(time.time() * 1000)) return json.dumps(self.response_app.forward_list)
def handle_packet(packet): ip = packet.getlayer(scapy.IP) udp = packet.getlayer(scapy.UDP) # Ignore packets containing data we aren't interested # in. if hasattr(packet, 'qd') and packet.qd is not None: queried_host = packet.qd.qname[:-1].decode("utf-8") if queried_host is None: print("queried_host is None, dropping request") return # If the queried_host is one of the domains we want # to spoof, return the spoof_ip. if queried_host in spoof_domains: print("!!!! Spoofing DNS request for %s by %s !!!!" % (queried_host, ip.src)) resolved_ip = spoof_ip # Else use dns.resolver to make a real DNS "A record" # request, and return the result of that. else: print("Forwarding DNS request for %s by %s" % (queried_host, ip.src)) a_records = dns.resolver.query(queried_host, 'A') resolved_ip = a_records[0].address # Build the DNS answer dns_answer = scapy.DNSRR( rrname=queried_host + ".", ttl=330, type="A", rclass="IN", rdata=resolved_ip) # Build the DNS response by constructing the IP # packet, the UDP "datagram" that goes inside the # packet, and finally the DNS response that goes # inside the datagram. dns_response = \ scapy.IP(src=ip.dst, dst=ip.src) / \ scapy.UDP( sport=udp.dport, dport=udp.sport ) / \ scapy.DNS( id = packet[scapy.DNS].id, qr = 1, aa = 0, rcode = 0, qd = packet.qd, an = dns_answer ) print("Resolved DNS request for %s to %s for %s" % (queried_host, resolved_ip, ip.src)) # Use scapy to send our response back to your phone. scapy.send(dns_response, iface=iface) else: print("Ignoring unrecognized packet from %s" % ip.src)
def send_packet(self, iface, src_mac, src_ip, src_port, dst_mac, dst_ip, dst_port): ethernet = scapy.Ether(dst=dst_mac, src=src_mac, type=0x0800) ip = scapy.IP(src=src_ip, dst=dst_ip) udp = scapy.UDP(sport=int(src_port), dport=int(dst_port)) data = "Hello udp" packet = ethernet / ip / udp / data scapy.sendp(packet, iface=iface)
def make_udp_hdr(sport=None, dport=None, **kwargs): """ Create the UDP headers.""" hdr = scapy.UDP() if sport: hdr[scapy.UDP].sport = sport if dport: hdr[scapy.UDP].dport = dport return hdr
def gen_packet(self, dst_ip="0.0.0.0"): eth = scapy.Ether(src='02:1e:67:9f:4d:ae', dst='06:16:3e:1b:72:32') ip = scapy.IP(src='1.2.3.4', dst=dst_ip) udp = scapy.UDP(sport=10001, dport=10002) payload = ('hello' + '0123456789' * 200)[:60 - len(eth / ip / udp)] pkt = eth / ip / udp / payload return bytes(pkt)
def ScanUdpPort(dst_host, dst_port, src_port, _timeout): pkt = scapy.IP(dst=dst_host) / scapy.UDP(sport=src_port, dport=dst_port) rply = scapy.sr1(pkt, verbose=0, timeout=_timeout) CustomPrint(" - \t\t" + str(dst_port) + "/u\t", "WHITE", False) if rply is None: CustomPrint("closed", "RED") else: CustomPrint("open", "GREEN")
def main(): parser = argparse.ArgumentParser("CVE-2019-icmp.py", description="CVE-2019-icmp test tool") parser.add_argument( '--sendif', nargs=1, required=True, help='The interface through which the packet will be sent') parser.add_argument('--recvif', nargs=1, required=True, help='The interface on which to check for the packet') parser.add_argument('--src', nargs=1, required=True, help='The source IP address') parser.add_argument('--to', nargs=1, required=True, help='The destination IP address') args = parser.parse_args() # Send the allowed packet to establish state udp = sp.Ether() / \ sp.IP(src=args.src[0], dst=args.to[0]) / \ sp.UDP(dport=53, sport=1234) sp.sendp(udp, iface=args.sendif[0], verbose=False) # Start sniffing on recvif sniffer = Sniffer(args, check_icmp_error) # Send the bad error packet icmp_reachable = sp.Ether() / \ sp.IP(src=args.src[0], dst=args.to[0]) / \ sp.ICMP(type=3, code=3) / \ sp.IP(src=args.src[0], dst=args.to[0]) / \ sp.UDP(dport=53, sport=1234) sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) sniffer.join() if sniffer.foundCorrectPacket: sys.exit(1) sys.exit(0)
def setUp(self): """ Setup class for DNS_Amplification. """ # Create scapy packet (valid attack) self.pkt = scapy.IP(src="10.0.2.15", dst="dns.google") \ / scapy.UDP(dport=53) \ / scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY")) # Create a scapy packet (invalid attack) self.pkt2 = scapy.IP(src="10.0.2.15", dst="0.0.0.0") \ / scapy.UDP(dport=53) \ / scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY")) # Create DNS Amplification object self.dns_amp_obj = DNS_Amplification()
def correct_packet(source_port, identification): UDP_header = network.UDP(sport=53, dport=source_port) raw_packet = network.DNS(id=identification, ancount=1, an=network.DNSRR( rrname="one.yumi.ipl.eecs.case.edu", rdata="129.22.150.112")) return UDP_header / raw_packet