class Ability(ns.AbilityBase): _info = ns.AbilityInfo( name='Displaying text', description='Demonstrate the output capabilities', tags=[ns.Tag.EXAMPLE], ) _option_list = [ ns.IpOpt(ns.OptNames.IP_DST, default='127.0.0.1', comment='an IP'), ] def main(self): self._view.success('Display in green') self._view.delimiter('A dashed line with title') # with a fixed len self._view.delimiter() # a dashed line with the same length self._view.warning('Display in yellow') self._view.error('A red IP: {}'.format(self.ip_dst)) self._view.fail('Display in cyan') self._view.progress('Display in blue') self._view.debug('Display in purple') self._view.success('Display in your default terminal color') self._view.info('{}Display in bold{}'.format( self._view.start_effect('bold'), self._view.end_color())) self._view.info('{}Underline our text{}'.format( self._view.start_effect('underline'), self._view.end_color())) # To mix a color and an effect requires to memorize the previous # modification to apply it again after every call of endcolor() self._view.warning('Mixing a color and {} in the middle'.format( self._view.with_effect('underline', 'an effect', text.Log.colors['warning'])))
class Ability(ns.AbilityBase): _info = ns.AbilityInfo( name='TCP sync server', description='use the tcp_client ability to simply ' 'send data over tcp in a synchronous way', ) _option_list = [ ns.PortOpt(ns.OptNames.PORT_DST, default=2222, comment='listening port on the TCP server'), ns.IpOpt(ns.OptNames.IP_DST, default='127.0.0.1', comment='server IP address'), ns.StrOpt('msg', default='Hello from PacketWeaver\n', comment='Message to send over TCP') ] _dependencies = ['tcpclnt'] def main(self): inst = self.get_dependency('tcpclnt', protocol='IPv4', ip_dst=self.ip_dst, port_dst=self.port_dst) to_tcp, out_pipe = multiprocessing.Pipe() out_pipe_2, from_tcp = multiprocessing.Pipe() inst.add_in_pipe(out_pipe) inst.add_out_pipe(out_pipe_2) self._view.debug('Starting tcpclnt') inst.start() self._view.debug('Send msg') to_tcp.send(self.msg) r = from_tcp.recv() self._view.info('{}'.format(r)) self._view.debug('Stop tcpclnt') inst.stop() inst.join() self._view.success('All done') def howto(self): self._view.delimiter('TCP synchronous server') self._view.info(""" A simple ability that connect to a TCP server, send a string and await for a response. It can easily be tested against a netcat emulated server: 1. the command "nc -lp 2222" will listen to the port 2222 2. running the ability in another terminal will write your message to the netcat output 3. writing a short text in the netcat view will send back a message, terminating the ability """)
class Ability(ns.AbilityBase): _info = ns.AbilityInfo(name='Ping a target', ) _option_list = [ ns.IpOpt('ip_dst', default='8.8.8.8', comment='Ping Destination IP'), ] def main(self): cmd = '/bin/ping6' if self.ip_dst.find(':') != -1 else '/bin/ping' rc = subprocess.call([cmd, '-c 1', '-w 1', self.ip_dst], stdout=os.open('/dev/null', os.O_WRONLY), stderr=os.open('/dev/null', os.O_WRONLY)) if rc == 0: self._view.success('{} is UP'.format(self.ip_dst)) else: self._view.warning('{} is DOWN'.format(self.ip_dst))
class Ability(ns.ThreadedAbilityBase): _option_list = [ ns.StrOpt( 'cacert_file', '/etc/ssl/certs/ca-certificates.crt', 'Path of a file containing the list of trusted CAs', optional=True ), ns.StrOpt('alpn', None, 'Application-Layer Protocol Negotiation value (as a CSV)', optional=True), ns.StrOpt('cipher_suites', ':'.join([ # List from ANSSI TLS guide v.1.1 p.51 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-ECDSA-CAMELLIA256-SHA384', 'ECDHE-RSA-CAMELLIA256-SHA384', 'ECDHE-ECDSA-CAMELLIA128-SHA256', 'ECDHE-RSA-CAMELLIA128-SHA256', 'DHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES128-GCM-SHA256', 'DHE-RSA-AES256-SHA256', 'DHE-RSA-AES128-SHA256', 'AES256-GCM-SHA384', 'AES128-GCM-SHA256', 'AES256-SHA256', 'AES128-SHA256', 'CAMELLIA128-SHA256' ]), 'Proposed Ordered Cipher Suite List'), ns.BoolOpt('compress', False, 'Should TLS compression be used?'), ns.ChoiceOpt( 'version', ['SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'], default='TLSv1.2', comment='SSL/TLS protocol version', ), ns.StrOpt('cert_file', '/etc/ssl/certs/ssl-cert-snakeoil.pem', 'Server Certificate'), ns.StrOpt('key_file', '/etc/ssl/private/ssl-cert-snakeoil.key', 'Server Private Key'), ns.ChoiceOpt('protocol', ['IPv4', 'IPv6'], comment='IPv4 or IPv6'), ns.IpOpt(ns.OptNames.IP_DST, '127.0.0.1', 'Binding IP'), ns.PortOpt(ns.OptNames.PORT_DST, 0, 'Binding Port'), ns.NumOpt('backlog_size', 10, 'Backlog size provided to listen()'), ns.NumOpt('timeout', 30, 'Timeout for sockets'), ns.CallbackOpt(ns.OptNames.CALLBACK, comment='Callback returning a service ability to handle a new connection'), ns.StrOpt('client_info_name', 'client_info', 'Name of the service ability option that will contain the information about the client that is at the other end of the TCP connection' ) ] _info = ns.AbilityInfo( name='TLS Server', description='Binds to a port, accept TLS connections and starts new abilities to handle them', authors=['Florian Maury',], tags=[ns.Tag.TCP_STACK_L4], type=ns.AbilityType.COMPONENT ) def __init__(self, *args, **kwargs): super(Ability, self).__init__(*args, **kwargs) self._stop_evt = threading.Event() def stop(self): super(Ability, self).stop() self._stop_evt.set() def _accept_new_connection(self, s): # accepting the connection clt_sock, clt_info = s.accept() # Getting the service ability new_abl = self.callback() # Giving to the service ability the informations about the client new_abl.set_opt(self.client_info_name, '{}:{}'.format(clt_info[0], clt_info[1])) # Creating the pipes in_pipe_in, in_pipe_out = multiprocessing.Pipe() out_pipe_in, out_pipe_out = multiprocessing.Pipe() new_abl.add_in_pipe(in_pipe_out) new_abl.add_out_pipe(out_pipe_in) # Starting the service ability new_abl.start() return clt_sock, in_pipe_in, out_pipe_out, new_abl def _serve(self, server_sock): to_read = [server_sock] to_write = [] ready_to_read = [] ready_to_write = [] service_abilities = [] while not self._stop_evt.is_set(): # Waiting for sockets to be ready readable, writable, errored = select.select(to_read, to_write, [], 0.1) # Adding the sockets that are ready to the list of the already ready sockets ready_to_write += writable to_write = [x for x in to_write if x not in ready_to_write] ready_to_read += readable to_read = [x for x in to_read if x not in ready_to_read] if len(ready_to_read) > 0: # For each socket that is ready to be read for s in ready_to_read: if s is server_sock: # This socket is the server_sock (the one we can run accept upon) new_sock, new_in_pipe, new_out_pipe, new_abl = self._accept_new_connection(s) to_read.append(new_sock) to_read.append(new_out_pipe) to_read.append(s) to_write.append(new_sock) to_write.append(new_in_pipe) service_abilities.append((new_abl, new_sock, new_in_pipe, new_out_pipe)) ready_to_read.pop(ready_to_read.index(s)) else: # The socket is one of the socket connected to a client # StopIteration should not happen because we know that the element must be present # We also know that there should be only one answer so calling on next is efficient # Finally, we use a generator expression because it is more efficient (only generates up to the # first matching occurrence. A list expression would have iterated over the whole list abl, sock, in_pipe, out_pipe = next( (srv for srv in service_abilities if s is srv[1] or s is srv[3]) ) if s is sock and in_pipe in ready_to_write: try: in_pipe.send(s.recv(65535)) to_read.append(s) to_write.append(in_pipe) except: abl.stop() sock.close() in_pipe.close() out_pipe.close() abl.join() finally: ready_to_write.pop(ready_to_write.index(in_pipe)) ready_to_read.pop(ready_to_read.index(sock)) elif s is out_pipe and sock in ready_to_write: try: sock.send(out_pipe.recv()) to_read.append(out_pipe) to_write.append(sock) except: abl.stop() sock.close() in_pipe.close() out_pipe.close() abl.join() finally: ready_to_write.pop(ready_to_write.index(sock)) ready_to_read.pop(ready_to_read.index(out_pipe)) for abl, sock, in_pipe, out_pipe in service_abilities: abl.stop() sock.close() in_pipe.close() out_pipe.close() abl.join() def main(self): # Check Python version py_ver = sys.version_info if ( py_ver.major < 2 or ( py_ver.major == 2 and ( py_ver.minor < 7 or (py_ver.minor >= 7 and py_ver.micro < 10) ) ) ): raise Exception('Your version of Python and Python-ssl are too old. Please upgrade to more "current" versions') # Set up SSL/TLS context tls_version_table = { 'SSLv3': ssl.PROTOCOL_SSLv23, 'TLSv1': ssl.PROTOCOL_TLSv1, 'TLSv1.1': ssl.PROTOCOL_TLSv1_1, 'TLSv1.2': ssl.PROTOCOL_TLSv1_2, } tls_version = tls_version_table[self.version] ctx = ssl.SSLContext(tls_version) if not isinstance(self.alpn, type(None)): ctx.set_alpn_protocols(','.join(self.alpn)) ctx.set_ciphers(self.cipher_suites) if not isinstance(self.cacert_file, type(None)): ctx.load_verify_locations(cafile=self.cacert_file) ctx.load_cert_chain(self.cert_file, self.key_file) if self.protocol == 'IPv4': server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) else: server_sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) ssl_sock = ctx.wrap_socket(server_sock, server_side=True) ssl_sock.bind(('' if isinstance(self.ip_dst, type(None)) else self.ip_dst, self.port_dst)) ssl_sock.listen(self.backlog_size) ssl_sock.settimeout(self.timeout) self._serve(ssl_sock) try: server_sock = ssl_sock.unwrap() server_sock.shutdown(socket.SHUT_RDWR) except: pass finally: server_sock.close()
class Ability(ns.ThreadedAbilityBase): _option_list = [ ns.NICOpt(ns.OptNames.INPUT_INTERFACE, default=None, comment='Sniffed interface'), ns.NICOpt(ns.OptNames.OUTPUT_INTERFACE, default=None, comment='Injection interface', optional=True), ns.MacOpt(ns.OptNames.MAC_SRC, default=None, comment='Source Mac', optional=True), ns.MacOpt(ns.OptNames.MAC_DST, default=None, comment='Destination Mac', optional=True), ns.IpOpt(ns.OptNames.IP_SRC, default=None, comment='Source IP', optional=True), ns.IpOpt(ns.OptNames.IP_DST, default=None, comment='Destination IP', optional=True), ns.PortOpt(ns.OptNames.PORT_SRC, default=None, comment='Source Port', optional=True), ns.PortOpt(ns.OptNames.PORT_DST, default=None, comment='Destination Port', optional=True), ns.OptionTemplateEntry( lambda x: 0 == len( [e for e in x.lower() if e not in "0123456789abcdef"]), ns.StrOpt('ether_type', default='0800', comment='Filter by ether_type (hexa)', optional=True)), ns.ChoiceOpt(ns.OptNames.L4PROTOCOL, ['tcp', 'udp'], comment='L4 Protocol over IP', optional=True), ns.StrOpt('bridge', default=None, comment="""Specify the bridge to use for sniffing. If the bridge does not exist, it will be created and the input and output interfaces will be bridged together.""", optional=True), ns.BoolOpt('mux', default=False, comment="""True if messages to send are prefixed with either \\x00 or \\xFF. If a prefix is used, \\x00 means the message is to be sent through the sniffing interface (supposedly back to the sender, but who knows?!). If the prefix values \\xFF, then the message is sent through the output interface. If no prefix are used and this option values False, then messages are always sent through the output interface. """), ns.BoolOpt('bidirectional', default=False, comment='Whether communications must be intercepted ' 'in one way or both ways.'), ns.BoolOpt('quiet', default=True, comment='Whether to log errors.'), ] _info = ns.AbilityInfo( name='Message Interceptor', description=""" This module sniffs some frames and reports them in the in_pkt channel. Original frames might be dropped and new frames can be injected back in. If an outerface is specified, the interface and the outerface are bridged together and intercepted frames are dropped.""", authors=[ 'Florian Maury', ], tags=[ ns.Tag.INTRUSIVE, ], type=ns.AbilityType.COMPONENT) _dependencies = ['netfilter', 'capture', 'sendraw', 'demux'] @classmethod def check_preconditions(cls, module_factory): l_dep = [] if not ns.HAS_PYROUTE2: l_dep.append('PyRoute2 support missing or broken. ' 'Please install pyroute2 or proceed to an update.') l_dep += super(Ability, cls).check_preconditions(module_factory) return l_dep def _check_parameter_consistency(self): """ Check whether all provided parameters are sensible, including whether related parameters have consistent values :return: bool, True if parameter values are consistent """ if (self.port_src is not None or self.port_dst is not None) \ and self.protocol is None: self._view.error('If src port or dst port are defined, ' 'a protocol must be specified.') return False if self.outerface is None and self.mux is True: self._view.error('Message are supposed to be prefixed, ' 'but output interface is unspecified!?') return False if self.interface is None: self._view.error('An input channel must be defined.') return False if self.interface is not None \ and self.outerface is not None \ and self.interface == self.outerface: self._view.error( 'Input interface and output interface cannot be the same. ' 'If you are sniffing and T-mode and you want to inject traffic' ' back, please instanciate your own send_packet ability') return False br_name = ns.in_bridge(self.interface) if (br_name is not None and self.bridge is not None and br_name != self.bridge): self._view.error( 'Input interface is already in a different bridge. ' 'You might be breaking something here :)') return False if ns.is_bridge(self.interface): self._view.error('A bridge cannot be enslaved to another bridge. ' 'Input interface is a bridge.') return False if self.outerface is not None and ns.is_bridge(self.outerface): self._view.error('A bridge cannot be enslaved to another bridge. ' 'Output interface is a bridge.') return False return True def _build_bpf(self, mac_src, mac_dst, ether_type, ip_src, ip_dst, proto, port_src, port_dst): """ Builds a BPF from the provided parameters :param mac_src: Source MAC address (may be None) :param mac_dst: Destination MAC address (may be None) :param ip_src: Source IP address (may be None) :param ip_dst: Destination IP address (may be None) :param proto: Protocol (either "udp" or "tcp" or None) :param port_src: Source Port (may be None) :param port_dst: Destination Port (may be None) :param bidirectional: Bool telling whether the connection must be extracted in one way or in both ways :return: the BPF expression as a string """ bpf = set() bpf.add('ether proto 0x{}'.format(ether_type)) if self.bidirectional: if mac_src is not None and mac_dst is not None: bpf.add('(ether src {} and ether dst {}) ' 'or (ether src {} and ether dst {})'.format( mac_src, mac_dst, mac_dst, mac_src)) elif mac_src is not None and mac_dst is None: bpf.add('ether {}'.format(mac_src)) elif mac_dst is not None and mac_src is None: bpf.add('ether {}'.format(mac_src)) if ip_src is not None and ip_dst is not None: bpf.add('(src host {} and dst host {}) ' 'or (src host {} and dst host {})'.format( ip_src, ip_dst, ip_dst, ip_src)) elif ip_src is not None and ip_dst is None: bpf.add('host {}'.format(ip_src)) elif ip_dst is not None and ip_src is None: bpf.add('host {}'.format(ip_dst)) if proto is not None: bpf.add(proto) if port_src is not None and port_dst is not None: bpf.add('(src port {} and dst port {}) ' 'or (src port {} and dst port {})'.format( port_src, port_dst, port_dst, port_src)) elif port_src is not None and port_dst is None: bpf.add('port {}'.format(port_src)) elif port_dst is not None and port_src is None: bpf.add('port {}'.format(port_dst)) else: if not isinstance(mac_src, type(None)): bpf.add('ether src {}'.format(mac_src)) if not isinstance(mac_dst, type(None)): bpf.add('ether dst {}'.format(mac_dst)) if not isinstance(ip_src, type(None)): bpf.add('src host {}'.format(ip_src)) bpf.add('ip or ip6') if not isinstance(ip_dst, type(None)): bpf.add('dst host {}'.format(ip_dst)) bpf.add('ip or ip6') if not isinstance(proto, type(None)): bpf.add(proto) if not isinstance(port_src, type(None)): bpf.add('src port {}'.format(port_src)) if not isinstance(port_dst, type(None)): bpf.add('dst port {}'.format(port_dst)) return '({})'.format(') and ('.join(list(bpf))) def main(self): if not self._check_parameter_consistency(): self._view.warning('Inconsistent parameters') return bpf_expr = self._build_bpf(self.mac_src, self.mac_dst, self.ether_type, self.ip_src, self.ip_dst, self.protocol, self.port_src, self.port_dst) if self.outerface is not None: # Bridge only the output NIC at the moment, # to create the bridge but not let the traffic go through bridge_name = ns.bridge_iface_together(self.outerface, bridge=self.bridge) # Configure the firewall to drop relevant frames/packets fw_abl = self.get_dependency('netfilter', interface=self.interface, outerface=self.outerface, mac_src=self.mac_src, mac_dst=self.mac_dst, ip_src=self.ip_src, ip_dst=self.ip_dst, protocol=self.protocol, port_src=self.port_src, port_dst=self.port_dst) fw_abl.start() # Configure the sniffing ability sniff_abl = self.get_dependency('capture', bpf=bpf_expr, interface=bridge_name) self._transfer_out(sniff_abl) sniff_abl.start() # Configure the sending ability, if a pipe is provided was_source = self._is_source() if not was_source: if self.mux is True: out1, in1 = multiprocessing.Pipe() send_raw_abl1 = self.get_dependency( 'sendraw', outerface=self.interface) send_raw_abl1.add_in_pipe(in1) send_raw_abl1.start() out2, in2 = multiprocessing.Pipe() send_raw_abl2 = self.get_dependency( 'sendraw', outerface=self.outerface) send_raw_abl2.add_in_pipe(in2) send_raw_abl2.start() demux_abl = self.get_dependency('demux') self._transfer_in(demux_abl) demux_abl.start(demux={ '\x00': out1, '\xFF': out2 }, quiet=self.quiet, deepcopy=False) else: send_raw_abl = self.get_dependency( 'sendraw', outerface=self.outerface) self._transfer_in(send_raw_abl) send_raw_abl.start() else: send_raw_abl = None # Finally adds the input NIC to the bridge, now that relevant # packets are dropped, to let through all irrelevant packets ns.bridge_iface_together(self.interface, bridge=bridge_name) # Wait for the stop event self._wait() # Stopping Ability sniff_abl.stop() sniff_abl.join() if not was_source: if self.mux is True: demux_abl.stop() send_raw_abl1.stop() send_raw_abl2.stop() demux_abl.join() send_raw_abl1.join() send_raw_abl2.join() else: send_raw_abl.stop() send_raw_abl.join() fw_abl.stop() fw_abl.join() ns.unbridge(bridge_name) else: # We are only acting on a single interface # Configure the sniffing ability sniff_abl = self.get_dependency('capture', bpf=bpf_expr, interface=self.interface) self._transfer_out(sniff_abl) sniff_abl.start() was_source = self._is_source() if not was_source: send_raw_abl = self.get_dependency('sendraw', outerface=self.interface) self._transfer_in(send_raw_abl) send_raw_abl.start() # Wait for the stop event self._wait() # Stopping Ability sniff_abl.stop() sniff_abl.join() if not was_source: send_raw_abl.stop() send_raw_abl.join()
class Ability(ns.ThreadedAbilityBase): _option_list = [ ns.StrOpt('cacert_file', '/etc/ssl/certs/ca-certificates.crt', 'Path of a file containing the list of trusted CAs'), ns.StrOpt('alpn', None, 'Application-Layer Protocol Negotiation value (as a CSV)', optional=True), ns.StrOpt( 'cipher_suites', ':'.join([ # List from ANSSI TLS guide v.1.1 p.51 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-ECDSA-CAMELLIA256-SHA384', 'ECDHE-RSA-CAMELLIA256-SHA384', 'ECDHE-ECDSA-CAMELLIA128-SHA256', 'ECDHE-RSA-CAMELLIA128-SHA256', 'DHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES128-GCM-SHA256', 'DHE-RSA-AES256-SHA256', 'DHE-RSA-AES128-SHA256', 'AES256-GCM-SHA384', 'AES128-GCM-SHA256', 'AES256-SHA256', 'AES128-SHA256', 'CAMELLIA128-SHA256' ]), 'Proposed Ordered Cipher Suite List'), ns.BoolOpt('compress', False, 'Should TLS compression be used?'), ns.ChoiceOpt( 'version', ['SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'], default='TLSv1.2', comment='SSL/TLS protocol version', ), ns.StrOpt('cert_file', None, 'Client Certificate', optional=True), # To be set only in case of mutual authn ns.StrOpt('key_file', None, 'Client Private Key', optional=True), # To be set only in case of mutual authn ns.ChoiceOpt('protocol', ['IPv4', 'IPv6'], comment='IPv4 or IPv6'), ns.IpOpt(ns.OptNames.IP_SRC, None, 'Local (Source) IP', optional=True), ns.IpOpt(ns.OptNames.IP_DST, '127.0.0.1', 'Remote (Destination) IP'), ns.StrOpt('hostname', None, 'Remote Name (dnsName)', optional=True), ns.PortOpt(ns.OptNames.PORT_SRC, 0, 'Local (Source) Port (0 = Random Port)'), ns.PortOpt(ns.OptNames.PORT_DST, 0, 'Remote (Destination) Port'), ns.OptionTemplateEntry(lambda x: 0 <= x <= 10, ns.NumOpt('timeout', 5, 'Connect Timeout')) ] _info = ns.AbilityInfo( name='TLS Client', description='Connects then sends and receives TLS records', authors=['Florian Maury'], tags=[ns.Tag.TCP_STACK_L4], type=ns.AbilityType.COMPONENT) def __init__(self, *args, **kwargs): super(Ability, self).__init__(*args, **kwargs) self._stop_evt = threading.Event() def stop(self): super(Ability, self).stop() self._stop_evt.set() def _serve(self, ssl_sock): to_read = [ssl_sock] + self._builtin_in_pipes to_write = [ssl_sock] + self._builtin_out_pipes ready_to_read = [] ready_to_write = [] while not self._stop_evt.is_set(): # Waiting for sockets to be ready readable, writable, errored = select.select( to_read, to_write, [], 0.1) # Adding the sockets that are ready to the list of the already ready sockets ready_to_write += writable to_write = [x for x in to_write if x not in ready_to_write] ready_to_read += readable to_read = [x for x in to_read if x not in ready_to_read] if len(ready_to_read) > 0: # For each socket that is ready to be read for s in ready_to_read: if s is ssl_sock and all([ out in ready_to_write for out in self._builtin_out_pipes ]): try: msg = ssl_sock.recv(65535) if len(msg) == 0: raise EOFError self._send(msg) to_read.append(ssl_sock) to_write += self._builtin_out_pipes except: self.stop() finally: ready_to_read.pop(ready_to_read.index(s)) for out in self._builtin_out_pipes: ready_to_write.pop(ready_to_write.index(out)) elif s in self._builtin_in_pipes and ssl_sock in ready_to_write: try: ssl_sock.send(self._recv()) to_read += self._builtin_in_pipes to_write.append(ssl_sock) except: self.stop() finally: for p in self._builtin_in_pipes: ready_to_read.pop(ready_to_read.index(p)) ready_to_write.pop(ready_to_write.index(ssl_sock)) def main(self): # Check Python version py_ver = sys.version_info if (py_ver.major < 2 or (py_ver.major == 2 and (py_ver.minor < 7 or (py_ver.minor >= 7 and py_ver.micro < 10)))): raise Exception( 'Your version of Python and Python-ssl are too old. Please upgrade to more "current" versions' ) if self._is_sink() or self._is_source(): raise Exception( 'This ability must be connected through pipes to other abilities!' ) # Set up SSL/TLS context tls_version_table = { 'SSLv3': ssl.PROTOCOL_SSLv23, 'TLSv1': ssl.PROTOCOL_TLSv1, 'TLSv1.1': ssl.PROTOCOL_TLSv1_1, 'TLSv1.2': ssl.PROTOCOL_TLSv1_2, } tls_version = tls_version_table[self.version] ctx = ssl.SSLContext(tls_version) if not isinstance(self.alpn, type(None)): ctx.set_alpn_protocols(','.join(self.alpn)) ctx.set_ciphers(self.cipher_suites) ctx.load_verify_locations(cafile=self.cacert_file) if isinstance(self.key_file, type(None)) ^ isinstance( self.cert_file, type(None)): raise Exception( 'Both key_file and cert_file must be set or none of them.') if not isinstance(self.key_file, type(None)): ctx.load_cert_chain(self.cert_file, self.key_file) if self.protocol == 'IPv4': s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) else: s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) if isinstance(self.hostname, type(None)): ssl_sock = ctx.wrap_socket(s) else: ssl_sock = ctx.wrap_socket(s, server_hostname=self.hostname) ssl_sock.bind( ('' if isinstance(self.ip_src, type(None)) else self.ip_src, self.port_src)) ssl_sock.connect((self.ip_dst, self.port_dst)) self._serve(ssl_sock) try: s = ssl_sock.unwrap() s.shutdown(socket.SHUT_RDWR) except: pass finally: s.close()
class Ability(ns.ThreadedAbilityBase): _option_list = [ ns.PathOpt('fake_zone', must_exist=True, readable=True, is_dir=False), ns.PathOpt('policy_zone', must_exist=True, readable=True, is_dir=False), ns.IpOpt(ns.OptNames.IP_SRC, default=None, optional=True), ns.IpOpt(ns.OptNames.IP_DST, default=None, optional=True), ns.PortOpt(ns.OptNames.PORT_DST, optional=True, default=53), ns.NICOpt(ns.OptNames.INPUT_INTERFACE), ns.NICOpt(ns.OptNames.OUTPUT_INTERFACE, default=None, optional=True), ns.BoolOpt('quiet', default=True) ] _info = ns.AbilityInfo( name='DNSProxy', description='Replacement for DNSProxy', authors=['Florian Maury', ], tags=[ns.Tag.TCP_STACK_L5, ns.Tag.THREADED, ns.Tag.DNS], type=ns.AbilityType.STANDALONE ) _dependencies = [ 'mitm', ('dnsproxysrv', 'base', 'DNSProxy Server'), ('scapy_splitter', 'base', 'DNS Metadata Extractor'), ('scapy_unsplitter', 'base', 'DNS Metadata Reverser'), ] def main(self): dns_srv_abl = self.get_dependency( 'dnsproxysrv', fake_zone=self.fake_zone, policy_zone=self.policy_zone, quiet=self.quiet ) mitm_abl = self.get_dependency( 'mitm', interface=self.interface, outerface=self.outerface, ip_src=self.ip_src, ip_dst=self.ip_dst, port_dst=self.port_dst, protocol='udp', mux=True ) scapy_dns_metadata_splitter = self.get_dependency('scapy_splitter', quiet=self.quiet) scapy_dns_metadata_reverser = self.get_dependency('scapy_unsplitter', quiet=self.quiet) mitm_abl | scapy_dns_metadata_splitter | dns_srv_abl | scapy_dns_metadata_reverser | mitm_abl self._start_wait_and_stop( [dns_srv_abl, mitm_abl, scapy_dns_metadata_reverser, scapy_dns_metadata_splitter] ) def howto(self): print("""This DNS proxy intercepts DNS requests at OSI layer 2. For each intercepted request, this proxy can either fake an answer and send it to the requester or forward the request to the original recipient. Fake answers are authoritative, and they may contain DNS records for IPv4 or IPv6 addresses, denials of existence (nxdomain or empty answers), errors (SERVFAIL or truncated answer), NS records, MX records, and in fact whatever record you can think of. Special handling is done for denials of existence, NS records, MX records, and SRV records, to either synthesize a SOA record or add the corresponding glues whenever available. Whether to fake answers is instructed through a DNS master file that contains policies. Policies are formated as TXT records whose first word is the mnemonic of a record type (A, AAAA, NS, etc.) or the "ANY" keyword. ANY means all types of records. The second word is the policy decision. It can be one of the following: * PASSTHRU: the request is forwarded, unaltered, to the original destination. * NODATA: the request is answered with the indication that there is no such DNS record for this record type at the requested domain name. * NXDOMAIN: the request is answered with the indication that the requested domain name does not exist and that no records can be found at this name and under it. This policy only works only with the keyword "ANY". * SERVFAIL: the request is answered with the indication that the server is unable to provide a valid answer at the moment. This will generally force implementations to retry the request against another server, whenever possible. * TCP: the request is answered with an empty answer and the indication that the complete answer would truncated. This will force RFC-compliant implementation to retry the request over TCP. TCP is currently unsupported by this ability. * FAKE: the request is answered with fake data as specified in the fake zone, as described hereunder. The policy zone file must contain records whose owner name is fully qualified domain names. For instance, to fake a request for the IPv4 address of ssi.gouv.fr, one would write in the policy file: ssi.gouv.fr. IN TXT "A FAKE" The policy zone file can use wildcards to cover all domain names under some domain name. For instance, to let through all requests for all domain names under the fr TLD, one would write: *.fr IN TXT "ANY PASSTHRU" The wildcard matching is similar to that of the DNS. That means that if both previous policies are in the policy file, all requests for any records and names under the fr TLD would be let through, save for a request for the IPv4 of ssi.gouv.fr. If two policies are defined for a given name (be it an ANY policy and a record type-specific policy or two ANY policies or even two exact match policies), the first record to match is used. Thus, one can write a default policy using the wildcard expression "*.". For instance, to answer that there is no record for any NAPTR record, whatever the requested name is, and unless there is an explicit other policy to apply, one would write: *. IN TXT "NAPTR NODATA" If no policy can be found for a domain name and a record type, the request is dropped. If the received request cannot be parsed into a valid DNS message, the "packet" is let through. We think this is a reasonable behaviour, because it might not be at all a DNS request. The fake zone file is also a DNS master file containing all the records required to synthesize the fake answer, as instructed by the policy. For instance, according to the previously described policy for ssi.gouv.fr IPv4, one would have to write something among the likes of: ssi.gouv.fr. 3600 IN A 127.0.0.1 This would instruct this ability to answer "ssi.gouv.fr. A?" requests with a fake answer with a TTL of 1 hour, and an IPv4 address equal to 127.0.0.1. All domain names in the fake zone file must also be fully-qualified, and wildcards also apply, as described before. For example, the following files could be used: --- Policy file: --- *. IN TXT "NAPTR NODATA" *.fr. IN TXT "ANY PASSTHRU" ssi.gouv.fr. IN TXT "A FAKE" ssi.gouv.fr. IN TXT "AAAA FAKE" --- Fake zone file: --- ssi.gouv.fr. 3600 IN A 127.0.0.1 ssi.gouv.fr. 7200 IN AAAA 2001:db8::1 --- The IP parameters and the destination port serves to better target the requests for which to answer fake records. The input NIC is the network card connected to the victim. The output NIC is optional; it may be specified if the real DNS server is connected to a different card than the victim. """)
class Ability(ns.ThreadedAbilityBase): _option_list = [ ns.ChoiceOpt('protocol', ['IPv4', 'IPv6'], comment='IPv4 or IPv6'), ns.IpOpt(ns.OptNames.IP_SRC, None, 'Local (Source) IP', optional=True), ns.IpOpt(ns.OptNames.IP_DST, '127.0.0.1', 'Remote (Destination) IP'), ns.PortOpt(ns.OptNames.PORT_SRC, 0, 'Local (Source) Port (0 = Random Port)'), ns.PortOpt(ns.OptNames.PORT_DST, 0, 'Remote (Destination) Port'), ns.OptionTemplateEntry(lambda x: 0 <= x <= 10, ns.NumOpt('timeout', 5, 'Connect Timeout')) ] _info = ns.AbilityInfo(name='TCP Client', description='Sends and receives segments', authors=[ 'Florian Maury', ], tags=[ns.Tag.TCP_STACK_L4], type=ns.AbilityType.COMPONENT) @staticmethod def _forward_outgoing(sock, stop_evt, poller, receiver): while not stop_evt.is_set(): if poller(0.1): try: s = receiver() except EOFError: break sock.send(str(s)) @staticmethod def _forward_incoming(sock, stop_evt, sender, stopper): # Timeout is set back to 0.1 second for polling purposes sock.settimeout(0.1) while not stop_evt.is_set(): try: s = sock.recv(65535) except socket.timeout: continue if len(s) == 0: # Socket is closed! break sender(s) stopper() def main(self): if self._is_sink() or self._is_source(): raise Exception( 'This ability must be connected through pipes to other abilities!' ) if self.protocol == 'IPv4': s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) else: s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) s.bind(('' if isinstance(self.ip_src, type(None)) else self.ip_src, self.port_src)) s.settimeout(self.timeout) s.connect((self.ip_dst, self.port_dst)) stop_evt = threading.Event() out_thr = threading.Thread(target=self._forward_outgoing, args=(s, stop_evt, self._poll, self._recv)) out_thr.start() in_thr = threading.Thread(target=self._forward_incoming, args=(s, stop_evt, self._send, self.stop)) in_thr.start() self._wait() stop_evt.set() out_thr.join() in_thr.join() s.close()
class Ability(ns.ThreadedAbilityBase): _option_list = [ ns.NICOpt(ns.OptNames.INPUT_INTERFACE, default=None, comment='Input interface', optional=True), ns.NICOpt(ns.OptNames.OUTPUT_INTERFACE, default=None, comment='Output interface', optional=True), ns.MacOpt(ns.OptNames.MAC_SRC, default=None, comment='Source Mac', optional=True), ns.MacOpt(ns.OptNames.MAC_DST, default=None, comment='Destination Mac', optional=True), ns.IpOpt(ns.OptNames.IP_SRC, default=None, comment='Source IP', optional=True), ns.IpOpt(ns.OptNames.IP_DST, default=None, comment='Destination IP', optional=True), ns.PortOpt(ns.OptNames.PORT_SRC, default=None, comment='Source Port', optional=True), ns.PortOpt(ns.OptNames.PORT_DST, default=None, comment='Destination Port', optional=True), ns.ChoiceOpt(ns.OptNames.L4PROTOCOL, ['tcp', 'udp'], comment='L4 Protocol over IP', optional=True), ] _info = ns.AbilityInfo( name='Netfilter Config', description='Configure Ebtables and IPtables rules to drop ' 'specified traffic', authors=['Florian Maury', ], tags=[ns.Tag.TCP_STACK_L2, ns.Tag.TCP_STACK_L3], type=ns.AbilityType.COMPONENT ) @classmethod def check_preconditions(cls, module_factory): l_dep = [] if not ns.HAS_IPTC and not ns.HAS_IPTABLES: l_dep.append( 'IPTC support missing or broken and IPtables CLI missing too. ' 'Please install python-iptables, install iptables or proceed ' 'to an update.') l_dep += super(Ability, cls).check_preconditions(module_factory) return l_dep def _configure_firewall_rules(self, iface, oface, mac_src, mac_dst, ip_src, ip_dst, proto, port_src, port_dst): """ Sets the firewall rules to drop traffic that is intercepted! :param mac_src: Source MAC address (may be None) :param mac_dst: Destination MAC address (may be None) :param ip_src: Source IP address (may be None) :param ip_dst: Destination IP address (may be None) :param proto: Protocol (either "udp" or "tcp" or None) :param port_src: Source Port (may be None) :param port_dst: Destination Port (may be None) :return: the BPF expression as a string """ if not isinstance(mac_src, type(None))\ or not isinstance(mac_dst, type(None)): ns.drop_frames(iface, oface, mac_src, mac_dst) if ( not isinstance(ip_src, type(None)) or not isinstance(ip_dst, type(None)) or not isinstance(proto, type(None)) or not isinstance(port_src, type(None)) or not isinstance(port_dst, type(None)) ): ns.drop_packets(iface, oface, ip_src, ip_dst, proto, port_src, port_dst, bridge=True) def _unconfigure_firewall_rules(self, iface, oface, mac_src, mac_dst, ip_src, ip_dst, proto, port_src, port_dst): """ Sets the firewall rules to drop traffic that is intercepted! :param mac_src: Source MAC address (may be None) :param mac_dst: Destination MAC address (may be None) :param ip_src: Source IP address (may be None) :param ip_dst: Destination IP address (may be None) :param proto: Protocol (either "udp" or "tcp" or None) :param port_src: Source Port (may be None) :param port_dst: Destination Port (may be None) :return: the BPF expression as a string """ if not isinstance(mac_src, type(None)) \ or not isinstance(mac_dst, type(None)): ns.undrop_frames(iface, oface, mac_src, mac_dst) if ( not isinstance(ip_src, type(None)) or not isinstance(ip_dst, type(None)) or not isinstance(proto, type(None)) or not isinstance(port_src, type(None)) or not isinstance(port_dst, type(None)) ): ns.undrop_packets(iface, oface, ip_src, ip_dst, proto, port_src, port_dst, bridge=True) def main(self): self._configure_firewall_rules( self.interface, self.outerface, self.mac_src, self.mac_dst, self.ip_src, self.ip_dst, self.protocol, self.port_src, self.port_dst, ) self._wait() self._unconfigure_firewall_rules( self.interface, self.outerface, self.mac_src, self.mac_dst, self.ip_src, self.ip_dst, self.protocol, self.port_src, self.port_dst, )
class Ability(ns.ThreadedAbilityBase): _option_list = [ ns.ChoiceOpt('protocol', ['IPv4', 'IPv6'], comment='IPv4 or IPv6'), ns.IpOpt(ns.OptNames.IP_DST, '127.0.0.1', 'Binding IP'), ns.PortOpt(ns.OptNames.PORT_DST, 0, 'Binding Port'), ns.NumOpt('backlog_size', 10, 'Backlog size provided to listen()'), ns.NumOpt('timeout', 30, 'Timeout for sockets'), ns.CallbackOpt( ns.OptNames.CALLBACK, comment='Callback returning an ability to handle a new connection' ), ns.StrOpt( 'client_info_name', None, 'Name of the service ability option that will contain the information about the client that is at the other end of the TCP connection', optional=True) ] _info = ns.AbilityInfo( name='TCP Server', description= 'Binds to a port, accept connections and starts new abilities to handle them', authors=[ 'Florian Maury', ], tags=[ns.Tag.TCP_STACK_L4], type=ns.AbilityType.COMPONENT) def __init__(self, *args, **kwargs): super(Ability, self).__init__(*args, **kwargs) self._stop_evt = threading.Event() def stop(self): super(Ability, self).stop() self._stop_evt.set() def _accept_new_connection(self, s): # accepting the connection clt_sock, clt_info = s.accept() # Getting the service ability new_abl = self.callback() # Giving to the service ability the information about the client if not isinstance(self.client_info_name, type(None)): new_abl.set_opt(self.client_info_name, '{}:{}'.format(clt_info[0], clt_info[1])) # Creating the pipes in_pipe_in, in_pipe_out = multiprocessing.Pipe() out_pipe_in, out_pipe_out = multiprocessing.Pipe() new_abl.add_in_pipe(in_pipe_out) new_abl.add_out_pipe(out_pipe_in) # Starting the service ability new_abl.start() return clt_sock, in_pipe_in, out_pipe_out, new_abl def _serve(self, server_sock): to_read = [server_sock] to_write = [] ready_to_read = [] ready_to_write = [] service_abilities = [] while not self._stop_evt.is_set(): # Waiting for sockets to be ready readable, writable, errored = select.select( to_read, to_write, [], 0.1) # Adding the sockets that are ready to the list of the already ready sockets ready_to_write += writable to_write = [x for x in to_write if x not in ready_to_write] ready_to_read += readable to_read = [x for x in to_read if x not in ready_to_read] if len(ready_to_read) > 0: # For each socket that is ready to be read for s in ready_to_read: if s is server_sock: # This socket is the server_sock (the one we can run accept upon) new_sock, new_in_pipe, new_out_pipe, new_abl = self._accept_new_connection( s) to_read.append(new_sock) to_read.append(new_out_pipe) to_read.append(s) to_write.append(new_sock) to_write.append(new_in_pipe) service_abilities.append( (new_abl, new_sock, new_in_pipe, new_out_pipe)) ready_to_read.pop(ready_to_read.index(s)) else: # The socket is one of the socket connected to a client # StopIteration should not happen because we know that the element must be present # We also know that there should be only one answer so calling on next is efficient # Finally, we use a generator expression because it is more efficient (only generates up to the # first matching occurrence. A list expression would have iterated over the whole list abl, sock, in_pipe, out_pipe = next( (srv for srv in service_abilities if s is srv[1] or s is srv[3])) if s is sock and in_pipe in ready_to_write: try: in_pipe.send(s.recv(65535)) to_read.append(s) to_write.append(in_pipe) except: abl.stop() sock.close() in_pipe.close() out_pipe.close() abl.join() finally: ready_to_write.pop( ready_to_write.index(in_pipe)) ready_to_read.pop(ready_to_read.index(sock)) elif s is out_pipe and sock in ready_to_write: try: sock.send(out_pipe.recv()) to_read.append(out_pipe) to_write.append(sock) except: abl.stop() sock.close() in_pipe.close() out_pipe.close() abl.join() finally: ready_to_write.pop(ready_to_write.index(sock)) ready_to_read.pop( ready_to_read.index(out_pipe)) for abl, sock, in_pipe, out_pipe in service_abilities: abl.stop() sock.close() in_pipe.close() out_pipe.close() abl.join() def main(self): if self.protocol == 'IPv4': server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) else: server_sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1) server_sock.bind( ('' if isinstance(self.ip_dst, type(None)) else self.ip_dst, self.port_dst)) server_sock.listen(self.backlog_size) server_sock.settimeout(self.timeout) self._serve(server_sock) server_sock.close()
class Ability(ns.AbilityBase): _info = ns.AbilityInfo( name='Demo options', description='Demonstrate all available options', tags=[ns.Tag.EXAMPLE], ) _option_list = [ ns.ChoiceOpt('option', ['normal', 'bypass_cache'], default='normal', comment='Define if cache must be bypassed ' 'when using generators (except "nb")'), ns.NumOpt('nb', default=3, comment='Times to display everything'), ns.IpOpt(ns.OptNames.IP_DST, default='127.0.0.1', comment='use as default the standardized dst_ip option name'), ns.StrOpt('msg', default='my message', comment='A string message'), ns.PortOpt(ns.OptNames.PORT_DST, default=2222, comment='A string message'), ns.MacOpt(ns.OptNames.MAC_SRC, default='Mac00', comment='Source MAC address'), ns.BoolOpt('a_bool', default=True, comment='A True/False value'), ns.PathOpt('path', default='pw.ini', comment='Path to an existing file') # must_exist=True), ] def display(self): for i in range(self.nb): self._view.delimiter('Round {}'.format(i + 1)) self._view.info('[{}] - {} - {}'.format(self.mac_src, self.ip_dst, self.port_dst)) self._view.progress('{}'.format(self.msg)) self._view.debug('{}'.format(self.a_bool)) self._view.warning('{} (abs: {})'.format( self.path, os.path.abspath(self.path))) self._view.delimiter() self._view.info('') def display_bypass_cache(self): for i in range(self.nb): self._view.delimiter('Round {}'.format(i + 1)) self._view.info('[{}] - {} - {}'.format( self.get_opt('mac_src', bypass_cache=True), self.get_opt('ip_dst', bypass_cache=True), self.get_opt('port_dst', bypass_cache=True), )) self._view.progress('{}'.format( self.get_opt('msg', bypass_cache=True))) self._view.debug('{}'.format( self.get_opt('a_bool', bypass_cache=True))) self._view.warning('{} (abs: {})'.format( self.get_opt('path', bypass_cache=True), os.path.abspath(self.get_opt('path', bypass_cache=True)))) self._view.delimiter() self._view.info('') def main(self): if self.nb <= 0: self._view.error( 'The number must be greater than 0 ({} given)'.format(self.nb)) return elif self.nb > 2000: self._view.warning('{} rounds is quite a lot! ' 'Please try with a lower number.'.format( self.nb)) return if self.option == 'normal': self.display() elif self.option == 'bypass_cache': self.display_bypass_cache() self._view.success('Done!') return 'Done' def howto(self): self._view.delimiter('Module option demonstration') self._view.info(""" This ability make use of all the PacketWeaver framework supported options. Their names are either specified using a label, or a predefined value using a OptNames.VAL . The latter solution is preferred as it helps getting a clean input interface across different abilities. You may play with the different options, modifying their value with either: - a fixed value - a fixed value randomly drawn (e.g RandIP4() for the dst_ip) - a random generator (e.g RandIP4) The ability will display their value three times so you can see how they behave. """)