def __init__(self, user_querier: UserQuerier, interface="mon0"):
self.async_sniffer = AsyncSniffer(prn=self.handle_packet,
store=False,
iface=interface,
monitor=True)
self.device_dectect_stream = Subject()
self.user_querier = user_querier
def __init__(self,
dhcp_store: MutableMapping[str, DHCPDescriptor],
gw_info: UplinkGatewayInfo,
dhcp_wait: Condition,
iface: str = "dhcp0",
lease_renew_wait_min: int = 200):
"""
Implement DHCP client to allocate IP for given Mac address.
DHCP client state is maintained in user provided hash table.
Args:
dhcp_store: maintain DHCP transactions, key is mac address.
gw_info_map: stores GW IP info from DHCP server
dhcp_wait: notify users on new DHCP packet
iface: DHCP egress and ingress interface.
"""
self._sniffer = AsyncSniffer(iface=iface,
filter="udp and (port 67 or 68)",
prn=self._rx_dhcp_pkt)
self.dhcp_client_state = dhcp_store # mac => DHCP_State
self.dhcp_gw_info = gw_info
self._dhcp_notify = dhcp_wait
self._dhcp_interface = iface
self._msg_xid = 0
self._lease_renew_wait_min = lease_renew_wait_min
self._monitor_thread = threading.Thread(
target=self._monitor_dhcp_state)
self._monitor_thread.daemon = True
self._monitor_thread_event = threading.Event()
class Sniffer:
"""Sniff incoming packets for SYN/ACK responses."""
def __init__(self, scan_filter, timeout):
"""Initialize Sniffer."""
self.packets = list()
self.sniffer = AsyncSniffer(
filter=scan_filter,
prn=self.packets.append,
)
self.timeout = timeout
def start(self):
"""Start sniffing."""
self.sniffer.start()
def stop(self):
"""Stop sniffing."""
time.sleep(self.timeout)
self.sniffer.stop()
def open_ports(self):
"""Return open ports."""
live_ports = set()
for packet in self.packets:
if packet["TCP"].flags == "SA":
live_ports.add(packet.sport)
return sorted(live_ports)
def start(self, asynchronous: bool = False) -> None:
"""
This function starts the netbios spoofer (and the network sniffer).
"""
self.run = True
logger.warning("The netbios spoofer starts up...")
if asynchronous:
sniffer = AsyncSniffer(
store=False,
filter="(port 5353 or port 5355 or port 137) and proto UDP",
stop_filter=lambda x: not self.run,
prn=self.identify_packet,
iface=self.iface,
)
sniffer.start()
else:
sniff(
store=False,
filter="(port 5353 or port 5355 or port 137) and proto UDP",
stop_filter=lambda x: not self.run,
prn=self.identify_packet,
iface=self.iface,
)
logger.critical("The netbios spoofer is stopped.")
class Sniffer(object):
def __init__(self, iface, *args, **kwargs):
self.iface = iface
self.sniffer = None
self.stop_filter = None
def start_sniff(self, stop_filter):
assert self.sniffer is None
self.stop_filter = stop_filter
self.sniffer = AsyncSniffer(
iface=self.iface,
stop_filter=stop_filter,
)
self.sniffer.start()
def wait_for_sniff_results(self, timeout=5):
assert self.sniffer is not None
self.sniffer.join(timeout=timeout)
sniffer = self.sniffer
self.sniffer = None
if sniffer.results is None:
return []
return [
p for p in sniffer.results
# filter out packets only belonging to stop_filter if
# it existed
if sniffer.kwargs.get("stop_filter") is None
or sniffer.kwargs["stop_filter"](p)
]
def test_scapy_sniffer(self):
send_data = [
Ether(src="99:54:8f:91:12:f6", dst="44:35:a2:a6:d0:bd") /
IPv6(src="fe80::1", dst="fe80::2") / ICMPv6EchoRequest(),
Ether(src="44:35:a2:a6:d0:bd", dst="99:54:8f:91:12:f6") /
IPv6(src="fe80::2", dst="fe80::1") / ICMPv6EchoReply(),
Ether(src="1f:db:ed:9c:26:6e", dst="18:39:3c:e8:1f:ad") /
IPv6(src="2001:db8:8a5a:4020:f160:162:c83d:527d",
dst="2001:db8:2932:29c9:35eb:9377:ae68:634d") /
UDP(sport=31245, dport=8788) / b"abcdef",
Ether(src="18:39:3c:e8:1f:ad", dst="1f:db:ed:9c:26:6e") /
IPv6(src="2001:db8:2932:29c9:35eb:9377:ae68:634d",
dst="2001:db8:8a5a:4020:f160:162:c83d:527d") /
UDP(sport=8788, dport=31245) / b"12345",
]
sniffer = AsyncSniffer()
sniffer.start()
self.spawn.expect(r"Initializing L2listen with arguments")
self.spawn.expect(r"Bound socket to '(.*)'\s")
remote = self.spawn.match.group(1)
# wait a bit to avoid race where socket is not bound yet
time.sleep(.5)
for packet in send_data:
time.sleep(.001) # some spacing for test stability
self.assertEqual(len(raw(packet)),
self.comm_sock.sendto(raw(packet), remote))
for packet in send_data:
self.spawn.expect(r"Receiving on L2listen with arguments")
results = sniffer.stop()
self.assertIsNotNone(results)
self.assertEqual(len(send_data), len(results))
for pkt in send_data:
self.assertIn(Ether(raw(pkt)), results)
def __init__(self, scan_filter, timeout):
"""Initialize Sniffer."""
self.packets = list()
self.sniffer = AsyncSniffer(
filter=scan_filter,
prn=self.packets.append,
)
self.timeout = timeout
def start_sniff(self, stop_filter):
assert self.sniffer is None
self.stop_filter = stop_filter
self.sniffer = AsyncSniffer(
iface=self.iface,
stop_filter=stop_filter,
)
self.sniffer.start()
def main():
t = AsyncSniffer(iface=s.INT,
filter=filter,
prn=lambda pkt: pkt_receiver(pkt, p_tracker))
t.start()
log("Service started successfully")
while True:
time.sleep(10)
tracker_cleanup()
def start_sniffer(iface, count=None, stop_filter=None):
sniffer = AsyncSniffer(
iface=iface,
filter="udp and dst port 547",
count=count,
stop_filter=stop_filter,
)
sniffer.start()
return sniffer
def sniff_start(self, ifname):
p_list[:] = []
self.summary_txt = ''
self.detail_txt = ''
self.hexdump_txt = ''
self.prev_idx = 0
self.curr_idx = 0
self.sniffer = AsyncSniffer(iface=ifname,
prn=lambda x: p_list.append(x))
self.sniffer.start()
def make_pcaps():
#don't think I'll need more but make an hour worth of
#one minute pcap files
for i in range(60):
#if we need we can narrow the interface we use to sniff by changing
#the args to AsyncSniffer()
t = AsyncSniffer()
t.start()
time.sleep(60)
z = t.stop()
wrpcap(f"test_{i}.pcap", z)
def sniff(self, count=0):
"""
start async sniffer
"""
logger.info("starting to sniff packets")
# TODO filter all outcoming packets
self.sniffer = AsyncSniffer(session=TCPSession,
prn=self._store,
iface=self.interface,
count=count,
store=False)
self.sniffer.start()
def async_monitoring(self):
"""
Start threads for each interface that will sniff all packets incoming to the network
:return: self.threads_monitor
"""
if len(self.ifaces_names) != 0:
self.threads_monitor = []
for name, ip in zip(self.ifaces_names, self.ifaces_ip):
monitor_process = AsyncSniffer(iface=name,
filter='icmp and not host %s' %
ip)
monitor_process.start()
self.threads_monitor.append(monitor_process)
def start_listen_data(self):
'''
The different mac address make the filter very hard to match
'''
hard_code_mac = '04:00:00:00:00:04'
filter_exp = 'ether src host {0} or {1}'.format(
self.dst_mac, hard_code_mac)
self.async_sniffer = AsyncSniffer(iface=self.iface,
prn=self.handle_recive_packet,
filter=filter_exp,
store=0)
self.async_sniffer.start()
time.sleep(0.1)
def send_and_exp_any_dhcp6(cls, send_pkt, client=True, ipv6_src=None):
sniffer = AsyncSniffer(iface=cls.tap)
sniffer.start()
time.sleep(cls.pre_sniffer_wait)
cls._sendp(send_pkt, client=client, ipv6_src=ipv6_src)
time.sleep(cls.post_sniffer_wait)
return [
pkt for pkt in sniffer.stop() if cls._contains_dhcp(pkt) and
# filter out sent packet
(UDP not in pkt or raw(pkt[UDP].payload) != raw(send_pkt)) and
# filter out ICMPv6 since error notifications can also contain
# the sent packets and we are not interested in error
# notifications
ICMPv6DestUnreach not in pkt
]
class Sniffer(Thread):
def __init__(self, filter):
super().__init__()
self.filter = "host %s" % filter
self.daemon = True
self.socket = None
self.use_pcap = True
self.is_admin = False
logger.info(
'Local network adapter information, choose a network you want to '
'capture.'
)
message = '----- Local IP Address -----\n'
ifaces = []
if WINDOWS:
import ctypes
from scapy.all import IFACES
if ctypes.windll.shell32.IsUserAnAdmin():
self.is_admin = True
for i, iface in enumerate(sorted(IFACES)):
dev = IFACES[iface]
ifaces.append(dev.description)
message += "{0} {1} {2}\n".format(
i, dev.description, dev.ip)
else:
if os.getuid() == 0:
self.is_admin = True
ifaces = get_if_list()
for i, iface in enumerate(ifaces):
ip = get_if_addr(iface)
message += "{0} {1} {2}\n".format(i, iface, ip)
data_to_stdout(message)
choose = input('Choose>: ').strip()
self.interface = ifaces[int(choose)]
self.use_pcap = True
self.stop_sniffer = Event()
self.pcap = None
def run(self):
self.pcap = AsyncSniffer()
# In order to ensure that all packets can be captured,
# a adapter must be specified. If it is all adapters,
# it will lost the data package
self.pcap._run(iface=self.interface, filter=self.filter)
def join(self, timeout=None):
self.pcap.continue_sniff = False
super().join(timeout)
def setUpClassDevices(cls):
BridgeTools.delete_ns_all()
BridgeTools.create_veth_pair(cls.gtp_veth, cls.gtp_veth_ns)
BridgeTools.ifup_netdev(cls.gtp_veth, cls.gtp_pkt_dst + "/24")
BridgeTools.create_veth_pair(cls.sgi_veth, cls.sgi_veth1)
BridgeTools.create_ns_and_move_veth(cls.NS_NAME, cls.sgi_veth1, cls.inner_src_ip + "/24")
BridgeTools.ifup_netdev(cls.sgi_veth, cls.inner_dst_ip + "/24")
BridgeTools.ifup_netdev(cls.gtp_veth_ns, cls.gtp_pkt_src + "/24")
gw_ip = IPAddress(version=IPAddress.IPV4, address=socket.inet_aton(cls.sgi_veth_ip))
cls.ebpf_man = EbpfManager(cls.sgi_veth, cls.gtp_veth, gw_ip, bpf_ul_file=UL_HANDLER, bpf_dl_file=DL_HANDLER, bpf_header_path=BPF_HEADER_PATH)
cls.ebpf_man.detach_dl_ebpf()
cls.ebpf_man.attach_dl_ebpf()
cls.sniffer = AsyncSniffer(
iface='gtpu_sys_2152',
store=False,
prn=cls.pkt_cap_fun,
)
cls.sniffer.start()
def setUpClassDevices(cls):
BridgeTools.delete_ns_all()
BridgeTools.create_veth_pair(cls.gtp_veth, cls.gtp_veth_ns)
BridgeTools.ifup_netdev(cls.gtp_veth, cls.gtp_pkt_dst + "/24")
BridgeTools.create_veth_pair(cls.sgi_veth, cls.sgi_veth1)
BridgeTools.create_ns_and_move_veth(cls.NS_NAME, cls.gtp_veth_ns,
cls.gtp_pkt_src + "/24")
BridgeTools.ifup_netdev(cls.sgi_veth, cls.sgi_veth_ip + "/24")
BridgeTools.ifup_netdev(cls.sgi_veth1)
cls.ebpf_man = ebpf_manager(cls.sgi_veth, cls.gtp_veth,
cls.sgi_veth_ip, True, UL_HANDLER)
cls.ebpf_man.detach_ul_ebpf()
cls.ebpf_man.attach_ul_ebpf()
time.sleep(2)
cls.sniffer = AsyncSniffer(
iface=cls.sgi_veth1,
store=False,
prn=cls.pkt_cap_fun,
)
cls.sniffer.start()
async def _slice_one_pcap(self, path: str):
load_delay = 1
self._logger.debug(f'Slicing pcap: {path}')
try:
sn = AsyncSniffer(filter='tcp', offline=path, session=IPSession)
sn.start()
while sn.running:
await asyncio.sleep(load_delay)
sessions = sn.results.sessions(full_duplex)
sessions = await self.sessions_dumper.retrieve(sessions)
await self.db.push_streams(sessions)
except Exception as e:
self._logger.error(f'Got an exception {e}', e)
self._logger.debug(f'Finished slicing of {path} with total {len(sessions)} sessions')
def init_test_sniffer():
"""
For testing
"""
# packets = AsyncSniffer(monitor=True, count=0)
packets = AsyncSniffer(count=0)
packets.start()
input("Press enter to stop sniffing: ")
packets.stop()
packets.join()
def sniff_routine() -> PacketList:
sniffer = AsyncSniffer(prn=lambda x: x.summary(), filter='ip')
while True:
start = input("Type start to start capturing\n")
if start == "start":
print("Starting to capture...")
break
sniffer.start()
while True:
stop = input("To stop capturing type stop\n")
if stop == "stop":
break
sniff_result = sniffer.stop()
wrpcap("output/output.cap", sniff_result)
return sniff_result
def __init__(self, publishers, params):
"""Initializes and starts the background scanning for Dash Button ARP
packets, publishing the MAC address to the destination when one is
detected.
"""
super().__init__(publishers, params)
self.log.info("Configuing Dash Scanner")
self.devices = get_sequential_param_pairs(params, "MAC", "Destination")
if self.poll > 0:
raise ValueError("DashSensor is not a polling sensor!")
self.sniffer = AsyncSniffer(prn=self.arp_received,
filter="arp",
store=0,
count=0)
self.sniffer.start()
class DeviceSniffer:
def __init__(self, user_querier: UserQuerier, interface="mon0"):
self.async_sniffer = AsyncSniffer(prn=self.handle_packet,
store=False,
iface=interface,
monitor=True)
self.device_dectect_stream = Subject()
self.user_querier = user_querier
def __del__(self):
self.device_dectect_stream.on_completed()
@staticmethod
def is_probe_request(packet: Packet):
return packet.type == 0 and packet.subtype == 4
def handle_packet(self, packet: Packet):
if not DeviceSniffer.is_probe_request(packet):
return
try:
target_ssid = packet.getlayer(Dot11Elt).getfieldval("info").decode(
"utf-8")
if len(target_ssid) == 0:
return
source_mac_addr = packet.addr2.upper()
userid = self.user_querier.get_userid(target_ssid, source_mac_addr)
if userid is not None:
self.device_dectect_stream.on_next(userid)
except Exception as err:
self.device_dectect_stream.on_error(err)
def get_observable(self) -> Subject:
return self.device_dectect_stream
def start(self):
self.async_sniffer.start()
def stop(self):
self.async_sniffer.stop()
def start_scapy_scan(self) -> List[bool]:
"""
This function starts AsyncSniffer and scapy scan,
finally stops AsyncSniffer.
"""
no_error = False
_targets = self._targets
info("Start AsyncSniffer using Scapy...")
sniffer = AsyncSniffer(
iface=self.iface,
lfilter=lambda p: ((ARP in p and p.psrc in _targets) or
(IP in p and p.src in _targets)),
prn=self.scapy_match,
)
sniffer.start()
try:
results = self.scapy_scan()
except Exception as e:
error = e
else:
no_error = True
finally:
info("Stop AsyncSniffer, scan end.")
sniffer.stop()
if no_error:
return results
else:
raise error
def campaign1(s, HOST, TCP_PORT, UDP_PORT, client_ip):
conn, addr = s.accept()
conn_ip = addr[0]
if (conn_ip != client_ip):
return
if (conn):
try:
sniffer = AsyncSniffer(iface='lo',
prn=printPacket,
filter='dst port {}'.format(UDP_PORT))
sniffer.start()
time.sleep(1)
#Initialization check:
check = conn.recv(255)
print("[-] {}".format(check))
response = 'yes'
conn.sendall(response)
time.sleep(1)
#UDP packet:
request = conn.recv(255)
print("[-] {}".format(request))
#Start UDP server
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((HOST, UDP_PORT))
print('[+] UDP server started')
response = 'yes'
except:
response = 'no'
raise
try:
conn.sendall(response)
data, address = sock.recvfrom(1024)
time.sleep(1)
print('[*] Received: {}'.format(data))
result = 'Success, report is: \n{}'.format(info)
sock.sendto(result, address)
sniffer.stop()
except:
result = 'Failed, report is: \n{}'.format(info)
sock.sendto(result, address)
sniffer.stop()
except:
print('[+] Error connecting to client')
s.shutdown(socket.SHUT_RDWR)
s.close()
raise
s.shutdown(socket.SHUT_RDWR)
s.close()
def mac_sniffer(st=10):
IFACE = "mon0"
SNIFF_TIME = st
t = AsyncSniffer(iface=IFACE, prn=store_packets)
t.start()
waiter(SNIFF_TIME)
t.stop()
def collect_devices(iface, src_mac, timeout=5) -> List[EthernetDevice]:
global PING_RESULT
PING_RESULT = {}
devices = []
filter_exp = 'ether dst host {0} and ether[16:2] == 0x01cc'.format(
src_mac)
command_line = message_helper.build_eth_command(
dest_mac="ff:ff:ff:ff:ff:ff",
src_mac=src_mac,
message_type=PING_PKT,
message_bytes=[]
)
async_sniffer = AsyncSniffer(
iface=iface,
prn=handle_ping_receive_packet,
filter=filter_exp
)
async_sniffer.start()
time.sleep(.1)
sendp(command_line, iface=iface, verbose=0, count=1)
time.sleep(timeout)
async_sniffer.stop()
for key in PING_RESULT.keys():
devices.append(EthernetDevice(key))
return devices
def wait_for_async_sniffing(*args, **kwargs):
"""Starts AsyncSniffer and waits until it starts sniffing."""
lock = threading.Lock()
if "started_callback" in kwargs:
original_started_callback = kwargs["started_callback"]
def combined_started_callback():
lock.release()
original_started_callback()
else:
combined_started_callback = lock.release
kwargs["started_callback"] = combined_started_callback
kwargs["L2socket"] = L2ListenSocketOutgoing
lock.acquire()
asniff = AsyncSniffer(*args, **kwargs)
asniff.start()
lock.acquire()
return asniff
def run(self):
a = AsyncSniffer(iface=self.iface, prn=self.callback)
a.start()
c = ProgressBar()
while self.do_run:
c.update(len(self.found))
sleep(1) # be nice to the cpu
a.stop()
