def _do_request_lease(self, mac_address, ip=None, timeout_sec=10):
logging.debug(
f"Requesting lease for mac {mac_address} ip {ip} iface {self._net_iface}"
)
mac_raw = codecs.decode(mac_address.replace(':', ''), 'hex')
if ip is None:
broadcast_flag = scapy.fields.FlagValue(0b1000000000000000,
"???????????????B")
dhcp_discover = l2.Ether(src=self._real_mac, dst='ff:ff:ff:ff:ff:ff') / \
inet.IP(src='0.0.0.0', dst='255.255.255.255') / \
inet.UDP(dport=67, sport=68) / \
dhcp.BOOTP(chaddr=mac_raw, xid=scapy.volatile.RandInt(), flags=broadcast_flag) / dhcp.DHCP(options=[('message-type', 'discover'), 'end'])
dhcp_offer = sendrecv.srp1(dhcp_discover,
iface=self._net_iface,
verbose=self._verbose,
timeout=timeout_sec)
if dhcp_offer is None:
raise TimeoutError(
f"Timeout. failed to get offer for mac {mac_address} iface: {self._net_iface}"
)
ip = dhcp_offer[dhcp.BOOTP].yiaddr
server_id = DHCPRequestor._server_id_from_offer(
dhcp_offer[dhcp.BOOTP])
xid_cookie = dhcp_offer[dhcp.BOOTP].xid
else:
server_id = None
xid_cookie = 0
return self._dhcp_request(mac_raw,
ip,
xid_cookie,
server_id,
timeout_sec=timeout_sec)
def dhcp_ack(self, device, fromBackdoor=False):
yiaddr = device.yiaddr
print('ack ip: %s' % yiaddr)
packet = (
l2.Ether(dst="ff:ff:ff:ff:ff:ff", src=self.etherSrc) /
inet.IP(src=self.myIP, dst=yiaddr) / inet.UDP(sport=67, dport=68) /
dhcp.BOOTP(op=2,
chaddr=macTransfer(device.hwAddr),
yiaddr=yiaddr,
xid=device.xid) / dhcp.DHCP(options=[
("message-type", "ack"),
("lease_time", 7200),
("server_id", self.myIP),
("subnet_mask", self.subnetMask),
("router", self.router),
("vendor_class_id", device.vendor_class_id),
#("client_id",device.client_id),
"end"
]))
try:
if fromBackdoor == False:
sendrecv.sendp(packet,
iface=self.iface,
count=1,
verbose=False)
except:
raise
device.yiaddr_acked = True
def dhcp_offer(self, device, fromBackdoor=False):
if device.yiaddr == '0.0.0.0':
yiaddr = self.ip_addr_allocate(device.hwAddr)
device.yiaddr = yiaddr
else:
yiaddr = device.yiaddr
print('offer ip: %s' % yiaddr)
packet = (
l2.Ether(dst="ff:ff:ff:ff:ff:ff", src=self.etherSrc) /
inet.IP(src=self.myIP, dst="255.255.255.255") /
inet.UDP(sport=67, dport=68) /
dhcp.BOOTP(op=2,
chaddr=macTransfer(device.hwAddr),
yiaddr=yiaddr,
xid=device.xid) /
dhcp.DHCP(options=[("message-type", "offer"), ("lease_time", 7200),
("server_id", self.myIP),
("vendor_class_id",
device.vendor_class_id), "end"]))
#print(str(packet).encode('hex'))
#print(macTransfer("00:0e:5e:00:00:0a"))
try:
if fromBackdoor == False:
sendrecv.sendp(packet,
iface=self.iface,
count=1,
verbose=False)
except:
raise
def main(self):
try:
while not self.is_stopped():
if self._poll(0.1):
s = self._recv()
try:
demux_tok, metadata_len = struct.unpack('!cH', s[:3])
metadata = s[3:metadata_len+3]
data = s[metadata_len+3:]
parsed_metadata = l2.Ether(metadata)
parsed_data = scapy_dns.DNS(data)
if demux_tok == '\x00':
forged_metadata = self._forge_scapy_response(parsed_metadata)
m = forged_metadata / parsed_data
self._send(demux_tok + str(m))
elif demux_tok == '\xFF':
if parsed_metadata.haslayer(scapy_inet.IP):
del parsed_metadata[scapy_inet.IP].chksum
else:
del parsed_metadata[scapy_inet6.IPv6].chksum
del parsed_metadata[scapy_inet.UDP].chksum
m = parsed_metadata / parsed_data
self._send(demux_tok + str(m))
else:
if not self.quiet:
self._view.error('Invalid demux token: {:x}. Dropping.'.format(ord(demux_tok)))
except:
if not self.quiet:
self._view.error('Unparsable frame. Dropping: ' + str(e))
print s
except (IOError, EOFError):
pass
def get_mac(ip):
arp_request = l2.ARP(pdst=ip)
broadcast = l2.Ether(dst="ff:ff:ff:ff:ff:ff")
arp_request_broadcast = broadcast / arp_request
answered_list = srp(arp_request_broadcast, timeout=5, verbose=False)[0]
# print("---- Length: " + str(len(str(answered_list))))
# print(str(ls(answered_list[0][1])) + "\n\n")
return answered_list[0][1].hwsrc
def _forge_scapy_response(self, scapy_msg):
new_msg = l2.Ether(src=scapy_msg[l2.Ether].dst, dst=scapy_msg[l2.Ether].src)
if scapy_msg.haslayer(scapy_inet.IP):
new_msg /= scapy_inet.IP(src=scapy_msg[scapy_inet.IP].dst, dst=scapy_msg[scapy_inet.IP].src)
else:
new_msg /= scapy_inet.IPv6(src=scapy_msg[scapy_inet6.IPv6].dst, dst=scapy_msg[scapy_inet6.IPv6].src)
new_msg /= scapy_inet.UDP(sport=scapy_msg[scapy_inet.UDP].dport, dport=scapy_msg[scapy_inet.UDP].sport)
return new_msg
def arp_request(iface: str, dst: str, retry=2, timeout=1) -> Optional[str]:
""" Sends an ARP request and attempts to return target's MAC address """
local_ip, local_mac = unpack_iface(iface)
rsp = srp(l2.Ether(dst='ff:ff:ff:ff:ff:ff', src=local_mac) / l2.ARP(
hwsrc=local_mac, psrc=local_ip, hwdst='ff:ff:ff:ff:ff:ff', pdst=dst),
timeout=timeout,
retry=retry,
verbose=False)
if not rsp[0]:
return
return rsp[0][0][1]['ARP'].hwsrc
def dhcp_flood(**kwargs):
iface = kwargs["interface"]
count = kwargs["count"]
unique_hexdigits = str.encode("".join(set(string.hexdigits.lower())))
packet = (l2.Ether(dst="ff:ff:ff:ff:ff:ff") /
inet.IP(src="0.0.0.0", dst="255.255.255.255") /
inet.UDP(sport=68, dport=67) /
dhcp.BOOTP(chaddr=volatile.RandString(12, unique_hexdigits)) /
dhcp.DHCP(options=[("message-type", "discover"), "end"]))
sendrecv.sendp(packet, iface=iface, count=count)
def datagram_received(self, data, addr):
try:
packet = l2.Ether(data)
except Exception as e:
log.error("Failed to decode packet from %s: %r", addr, e)
return
if packet.src not in self._remote_mac_to_forwarder_addr:
self._remote_mac_to_forwarder_addr[packet.src] = addr
log.info("MAC %s is forwarded by %s", packet.src, addr)
self._inbox_queue.put_nowait(packet)
def arp_response(src: str,
src_mac: str,
dst: str,
dst_mac: str,
count=3,
interval=0.1) -> None:
""" Sends an ARP response """
for i in range(count):
sendp(l2.Ether(dst=dst_mac, src=src_mac) / l2.ARP(
op="is-at", hwsrc=src_mac, psrc=src, hwdst=dst_mac, pdst=dst),
verbose=False)
if interval > 0:
sleep(interval)
def scan(ip): # Función que dado una IP o un rango de IP escanea una subred
# Creamos un objeto ARP con la dirección IP objetivo
arp_request = scapy.ARP(pdst=ip)
# Lo vamos a enviar por broadcast, por eso ponemos como mac todo 1
broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
arp_request_broadcast = broadcast / arp_request
# scapy.srp() envía el paquete arp_request_broadcast y mete en answered_list las respuestas
# [0] permite listar solo las respuestas
answered_list = scapy.srp(arp_request_broadcast, timeout=1,
verbose=False)[0]
clients_list = []
for element in answered_list:
client_dict = {"ip": element[1].psrc, "mac": element[1].hwsrc}
clients_list.append(client_dict)
return clients_list
def run(self):
try:
while self.running:
# Get the packet anf timestamp from pcap
ret = self.pcap.__next__()
if not ret:
continue
ts, pkt = ret
packet = l2.Ether(str(pkt))
packet.time = ts
# Put the packet in the sniffed queue to be processed later
ctx.sniffed_packets.put(packet)
# Write the packet in the dump file
if self.dumpfile:
scapy.utils.wrpcap(self.dumpfile, packet, append=True)
except StopIteration:
# Raised when EOF is reached while reading from a file
self.end(False)
except Exception as e:
print "Hoooooolay: %s" %str(e)
def main(self):
try:
while not self.is_stopped():
if self._poll(0.1):
s = self._recv()
try:
m = l2.Ether(s)
data = str(m[scapy_dns.DNS])
if m.haslayer(scapy_inet.UDP):
m[scapy_inet.UDP].remove_payload()
else:
m[scapy_inet.UDP].remove_payload()
metadata = str(m)
self._send('{}{}{}'.format(
struct.pack('!H', len(metadata)), metadata, data))
except Exception as e:
if not self.quiet:
self._view.error('Unparsable frame. Dropping: ' +
str(e))
print(s)
except (IOError, EOFError):
pass
def _dhcp_request(self,
mac_raw,
requested_ip,
xid_cookie=0,
server_id="0.0.0.0",
timeout_sec=10):
logging.debug(
f"Sending dhcp request for {requested_ip} cookie {xid_cookie} server id {server_id} net {self._net_iface}"
)
broadcast_flag = scapy.fields.FlagValue(0b1000000000000000,
"???????????????B")
dhcp_options = [("message-type", "request")]
if server_id is not None:
dhcp_options.append(("server_id", server_id))
dhcp_options.extend([("requested_addr", requested_ip),
("param_req_list", 0), "end"])
dhcp_request = l2.Ether(src=self._real_mac, dst="ff:ff:ff:ff:ff:ff") / \
inet.IP(src="0.0.0.0", dst="255.255.255.255") / \
inet.UDP(sport=68, dport=67) / \
dhcp.BOOTP(chaddr=mac_raw, xid=xid_cookie, flags=broadcast_flag) / \
dhcp.DHCP(options=dhcp_options)
# send request, wait for ack
dhcp_reply = sendrecv.srp1(dhcp_request,
iface=self._net_iface,
verbose=self._verbose,
timeout=timeout_sec)
if dhcp_reply is None:
raise TimeoutError(
f"DHCP request timeout on net {self._net_iface}")
reply = DHCPRequestor._dhcp_reply_info(dhcp_reply)
if dhcp.DHCPTypes[reply['message-type']] != 'ack':
raise Exception("Failed to get ack %s" % reply)
return reply
deserialized_data = json.loads(data)
if not re.search(flag_re, deserialized_data['Description']):
new_packets.append(packet)
continue
deserialized_data['Description'] = args.flag
new_json = json.dumps(deserialized_data, indent=4).encode()
new_data = xor_data(new_json, key)
new_length = xor_data(key, len(new_data).to_bytes(2, 'big'))
new_payload = key + new_length + new_data
# checksum isn't validated by scapy upon rebuilt unless the property is missing
del packet['IP'].len
del packet['IP'].chksum
del packet['TCP'].chksum
raw_payload.load = new_payload
packet['TCP'].payload = raw_payload
packet['TCP'].explicit = tcp_packet.explicit
new_packet = l2.Ether(packet.build())
new_packet['TCP'].time = tcp_packet.time
new_packet.time = packet.time
new_packets.append(new_packet)
else:
new_packets.append(packet)
new_plist = PacketList(new_packets)
wrpcap(args.output, new_plist)
print(
f"Dumped the modified capture to {args.output}; be sure to verify with ctf-solve.py!"
)
def getFrame(self):
frame = l2.Ether()
ipPacket = inet.IP()
if (srcmac := self.lineEdit_mac_SRCMAC.text()) != ":::::":
frame.src = srcmac
