from scapy.all import IP, UDP, Raw, send


def exploit_test(src, dst, iface, count):
    # Payloads are bytes literals so the exact octets go on the wire; a str
    # literal would be UTF-8 encoded by Scapy and alter any byte >= 0x80
    pkt = IP(src=src, dst=dst) / UDP(dport=518) / \
        Raw(load=b"\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xE8")
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / UDP(dport=635) / \
        Raw(load=b"^\xB0\x02\x89\x06\xFE\xC8\x89F\x04\xB0\x06\x89F")
    send(pkt, iface=iface, count=count)
def RECEIVED_RRQ(self, pkt):
    ip = pkt[IP]
    # getlayer() returns None when the client sent no options;
    # pkt[TFTP_Options] would raise IndexError instead
    options = pkt.getlayer(TFTP_Options)
    self.l3 = IP(src=ip.dst, dst=ip.src) / UDP(sport=self.my_tid, dport=ip.sport) / TFTP()
    # The filename field is dissected as bytes; decode it before using it as a path
    self.filename = pkt[TFTP_RRQ].filename.decode("utf-8", "ignore")
    self.blk = 1
    self.data = None
    if self.filename in self.store:
        self.data = self.store[self.filename]
    elif self.dir is not None:
        fn = os.path.abspath(os.path.join(self.dir, self.filename))
        # Check we're still in the server's directory; this prefix test relies
        # on self.dir being an absolute path that ends with a path separator
        if fn.startswith(self.dir):
            try:
                # Read as bytes: TFTP_DATA carries raw octets
                with open(fn, "rb") as f:
                    self.data = f.read()
            except IOError:
                pass
    if self.data is None:
        self.data = self.joker
    if options:
        opt = [x for x in options.options if x.oname.upper() == "BLKSIZE"]
        if opt:
            self.blksize = int(opt[0].value)
            self.debug(2, "Negotiated new blksize at %i" % self.blksize)
        # Acknowledge the negotiated options with an OACK
        self.last_packet = self.l3 / TFTP_OACK() / TFTP_Options(options=opt)
        self.send(self.last_packet)
def make_reply(self, req):
    ip = req.getlayer(IP)
    dns = req.getlayer(DNS)
    # Swap addresses and ports so the answer returns to the querier
    resp = IP(dst=ip.src, src=ip.dst) / UDP(dport=ip.sport, sport=ip.dport)
    # Answer with the configured record for this name, or the joker default
    rdata = self.match.get(dns.qd.qname, self.joker)
    resp /= DNS(id=dns.id, qr=1, qd=dns.qd,
                an=DNSRR(rrname=dns.qd.qname, ttl=10, rdata=rdata))
    return resp
from scapy.all import IP, ICMP, UDP, Raw, send


def ddos_test(src, dst, iface, count):
    pkt = IP(src=src, dst=dst) / ICMP(type=8, id=678) / Raw(load='1234')
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / ICMP(type=0) / Raw(load='AAAAAAAAAA')
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / UDP(dport=31335) / Raw(load='PONG')
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / ICMP(type=8, id=456)
    send(pkt, iface=iface, count=count)
def BEGIN(self):
    self.blocksize = 512
    # Pick a client transfer ID (TID) and make Scapy dissect replies to it as TFTP
    self.my_tid = self.sport or RandShort()._fix()
    bind_bottom_up(UDP, TFTP, dport=self.my_tid)
    self.server_tid = None
    self.res = b""  # received file contents, accumulated as bytes
    self.l3 = IP(dst=self.server) / UDP(sport=self.my_tid, dport=self.port) / TFTP()
    self.last_packet = self.l3 / TFTP_RRQ(filename=self.filename, mode="octet")
    self.send(self.last_packet)
    self.awaiting = 1
    raise self.WAITING()
def make_reply(self, req):
    mac = req.src
    if isinstance(self.pool, list):
        # Hand out one address per client MAC and remember the lease
        if mac not in self.leases:
            self.leases[mac] = self.pool.pop()
        ip = self.leases[mac]
    else:
        ip = self.pool
    repb = req.getlayer(BOOTP).copy()
    repb.op = "BOOTREPLY"
    repb.yiaddr = ip
    repb.siaddr = self.gw
    repb.ciaddr = self.gw
    repb.giaddr = self.gw
    del repb.payload
    rep = Ether(dst=mac) / IP(dst=ip) / UDP(sport=req.dport, dport=req.sport) / repb
    return rep
from scapy.all import IP, UDP, DNS, DNSQR, DNSRR, sr1


def dyndns_del(nameserver, name, type="ALL", ttl=10):
    """Send a DNS delete message to a nameserver for "name"
    dyndns_del(nameserver, name, type="ALL", ttl=10) -> result code (0=ok)
    example: dyndns_del("ns1.toto.com", "dyn.toto.com")
    RFC2136
    """
    # The zone is everything after the first label of "name"
    zone = name[name.find(".") + 1:]
    # RFC 2136 UPDATE (opcode 5): an update-section RR with class ANY, TTL 0
    # and empty RDATA deletes all RRs of that name and type
    r = sr1(IP(dst=nameserver) / UDP() /
            DNS(opcode=5,
                qd=[DNSQR(qname=zone, qtype="SOA")],
                ns=[DNSRR(rrname=name, type=type, rclass="ANY", ttl=0, rdata=b"")]),
            verbose=0, timeout=5)
    if r and r.haslayer(DNS):
        return r.getlayer(DNS).rcode
    else:
        return -1
from scapy.all import IP, UDP, DNS, DNSQR, DNSRR, sr1


def dyndns_add(nameserver, name, rdata, type="A", ttl=10):
    """Send a DNS add message to a nameserver for "name" to have a new "rdata"
    dyndns_add(nameserver, name, rdata, type="A", ttl=10) -> result code (0=ok)
    example: dyndns_add("ns1.toto.com", "dyn.toto.com", "127.0.0.1")
    RFC2136
    """
    # The zone is everything after the first label of "name"
    zone = name[name.find(".") + 1:]
    # RFC 2136 UPDATE (opcode 5); the record type comes from the "type"
    # argument rather than being hard-coded to "A"
    r = sr1(IP(dst=nameserver) / UDP() /
            DNS(opcode=5,
                qd=[DNSQR(qname=zone, qtype="SOA")],
                ns=[DNSRR(rrname=name, type=type, ttl=ttl, rdata=rdata)]),
            verbose=0, timeout=5)
    if r and r.haslayer(DNS):
        return r.getlayer(DNS).rcode
    else:
        return -1
def BEGIN(self):
    # Split the file into blocksize-sized chunks; integer division is required
    # for range(), and the extra (short or empty) final block ends the transfer
    self.data = [
        self.origdata[i * self.blocksize:(i + 1) * self.blocksize]
        for i in range(len(self.origdata) // self.blocksize + 1)
    ]
    self.my_tid = self.sport or RandShort()._fix()
    bind_bottom_up(UDP, TFTP, dport=self.my_tid)
    self.server_tid = None
    self.l3 = IP(dst=self.server) / UDP(sport=self.my_tid, dport=self.port) / TFTP()
    self.last_packet = self.l3 / TFTP_WRQ(filename=self.filename, mode="octet")
    self.send(self.last_packet)
    self.res = ""
    self.awaiting = 0
    raise self.WAITING_ACK()
def ack_WRQ(self, pkt):
    ip = pkt[IP]
    self.ip = ip.dst
    self.dst = ip.src
    self.filename = pkt[TFTP_WRQ].filename
    # getlayer() returns None when no options were sent; pkt[TFTP_Options]
    # would raise IndexError, so the "is None" branch below would never run
    options = pkt.getlayer(TFTP_Options)
    self.l3 = IP(src=ip.dst, dst=ip.src) / UDP(sport=self.my_tid, dport=pkt.sport) / TFTP()
    if options is None:
        # Plain WRQ: acknowledge with block 0
        self.last_packet = self.l3 / TFTP_ACK(block=0)
        self.send(self.last_packet)
    else:
        # Option negotiation: answer with an OACK carrying the accepted options
        opt = [x for x in options.options if x.oname.upper() == "BLKSIZE"]
        if opt:
            self.blksize = int(opt[0].value)
            self.debug(2, "Negotiated new blksize at %i" % self.blksize)
        self.last_packet = self.l3 / TFTP_OACK() / TFTP_Options(options=opt)
        self.send(self.last_packet)
from scapy.all import IP, UDP, ICMP, SNMP, SNMPnext, SNMPvarbind, RandShort, sr1


def snmpwalk(dst, oid="1", community=b"public"):
    try:
        while 1:
            r = sr1(IP(dst=dst) / UDP(sport=RandShort()) /
                    SNMP(community=community,
                         PDU=SNMPnext(varbindlist=[SNMPvarbind(oid=oid)])),
                    timeout=2, chainCC=1, verbose=0, retry=2)
            # Test for a missing answer before indexing into it
            if r is None:
                print("No answers")
                break
            # An ICMP error (e.g. port unreachable) ends the walk
            if ICMP in r:
                print(repr(r))
                break
            print("%-40s: %r" % (r[SNMPvarbind].oid.val, r[SNMPvarbind].value))
            # Continue the walk from the OID the agent returned
            oid = r[SNMPvarbind].oid
    except KeyboardInterrupt:
        pass
from scapy.all import IP, UDP, ISAKMP, ISAKMP_payload_SA, ISAKMP_payload_Proposal, RandString, sr


def ikescan(ip):
    # IKEv1 identity-protection (main mode) exchange with a random initiator cookie
    return sr(IP(dst=ip) / UDP() /
              ISAKMP(init_cookie=RandString(8), exch_type=2) /
              ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal()))
from scapy.all import IP, UDP, RandString, sr
from scapy.contrib.ikev2 import IKEv2, IKEv2_payload_SA, IKEv2_payload_Proposal


def ikev2scan(ip):
    # IKEv2 IKE_SA_INIT exchange (exchange type 34) with a random initiator SPI
    return sr(IP(dst=ip) / UDP() /
              IKEv2(init_SPI=RandString(8), exch_type=34) /
              IKEv2_payload_SA(prop=IKEv2_payload_Proposal()))
from scapy.all import conf, Ether, IP, UDP, BOOTP, DHCP, srp1, get_if_raw_hwaddr
from scapy.error import warning


def dhcp_request(iface=None, **kargs):
    # The offer comes from the server's address, not the broadcast address we
    # sent to, so strict IP matching would discard it
    if conf.checkIPaddr != 0:
        warning("conf.checkIPaddr is not 0, I may not be able to match the answer")
    if iface is None:
        iface = conf.iface
    hw = get_if_raw_hwaddr(iface)
    return srp1(Ether(dst="ff:ff:ff:ff:ff:ff") /
                IP(src="0.0.0.0", dst="255.255.255.255") /
                UDP(sport=68, dport=67) /
                BOOTP(chaddr=hw) /
                DHCP(options=[("message-type", "discover"), "end"]),
                iface=iface, **kargs)
from scapy.all import IP, UDP, Raw, send


def scan_test(src, dst, iface, count):
    pkt = IP(src=src, dst=dst) / UDP(dport=7) / Raw(load='cybercop')
    # Pass iface and count on both sends so each probe goes out the same way
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / UDP(dport=10000) / Raw(load='Amanda')
    send(pkt, iface=iface, count=count)
from scapy.all import UDP


def dup_UDP(pkt):
    # Rebuild a bare UDP header with the same ports, dropping payload and
    # any cached length/checksum so they are recomputed on send
    u_pkt = pkt.getlayer(UDP)
    sport = u_pkt.sport
    dport = u_pkt.dport
    n_pkt = UDP(sport=sport, dport=dport)
    return n_pkt