def run_on_host(self,target):
"""
runs once on each host that is alive in the netrange
"""
host=target.interface
if self.state==self.HALT:
return
if self.doscanrand:
mysender=sender(target=host)
mpacker=packetConstructor()
#self.port is really self.fromport here
#print "source=%s dest=%s"%(source,dest)
mpacker.TCP(self.source,host,["SYN"],self.fromport,self.port,"")
mysender.sendto(mpacker.get(),"TCP",(host,0))
#if you don't sleep, you'll miss some ports.
time.sleep(0.01)
else:
ret=self.C_isOpen(host, self.port)
if ret==1:
self.log("Found %s port %d open"%(host,self.port))
self.openhosts.append(host)
elif ret==0:
self.log("Found %s port %d closed"%(host,self.port))
self.closedhosts.append(host)
return
def run_on_host(self, target, source=None):
"""
runs once on each host that is alive in the netrange
we do the get_callback_interface here because doing it only once for a
large netblock means we might miss the fact that we crossed
interfaces...
"""
if not source:
source = self.engine.get_callback_interface(
target=target.interface)
host = target.interface
#no scanrand for now
if 0 and self.doscanrand:
mysender = sender(target=host)
mpacker = packetConstructor()
#self.port is really self.fromport here
#print "source=%s dest=%s"%(source,dest)
mpacker.TCP(source, host, ["SYN"], self.fromport, self.port, "")
mysender.sendto(mpacker.get(), "TCP", (host, 0))
#if you don't sleep, you'll miss some ports.
time.sleep(0.05)
else:
ret = self.C_isClosed(host, self.port)
if ret == 1:
self.log("Found %s port %d closed" % (host, self.port))
self.closedhosts.append(host)
return
def send_udp_packet(self):
"""
Sends a UDP packet to a closed UDP port with some IP flags set.
This triggers an ICMP message, ideally, and we then examine
the result to set some of our variables.
1) This packet has 300 bytes of "data".
"""
self.log("Sending UDP packet to %s:%d to elicit ICMP response" %
(self.host, self.closed_udp_port))
mysender = sender(target=self.host, iface=self.iface)
udppacker = packetConstructor()
udp_data = "A" * 300
udppacker.UDP(self.source, self.host, self.udpfromport,
self.closed_udp_port, udp_data)
udpdata = udppacker.get()
ippacker = packetConstructor()
#set DF flag here
#flags is set as a 16 bit number...
ippacker.IP(self.source, self.host, udpdata, ipid=0x7788, flags=0x4000)
ipdata = ippacker.get()
#now send the data across the wire - need to prepend the ethernet header, of course
mysender.send(self.eth_header + ipdata, "IP")
return
def send_tcp_ecn(self):
"""
Explicit congestion notification test on open TCP socket
"""
self.log("Sending TCP ECN attempt to port %d from port %d" %
(self.tcp_dest_port, self.tcp_local_port))
tcp_dest_port = self.tcp_dest_port
mysender = sender(target=self.host, iface=self.iface)
tcppacker = packetConstructor()
ippacker = packetConstructor()
flags = "SYN ECN CNG"
tcppacker.TCP(self.source, self.host, flags, self.tcp_local_port,
tcp_dest_port, "")
tcpdata = tcppacker.get()
ippacker = packetConstructor()
#set DF flag here
#flags is set as a 16 bit number...
ippacker.IP(self.source,
self.host,
tcpdata,
protocol="TCP",
ipid=0x7789,
flags=0x0000)
ipdata = ippacker.get()
#now send the data across the wire - need to prepend the ethernet header, of course
mysender.send(self.eth_header + ipdata, "IP")
return
def run_on_host(self, target):
"""
runs once on each host that is alive in the netrange
"""
host = target.interface
if self.state == self.HALT:
return
mpacker = packetConstructor()
mysender = sender(iface=self.iface, target=self.host)
if self.doscanrand:
devlog("icmpsweep", "Scanning %s from %s" % (host, self.source))
mpacker.ICMP_ECHO_REQUEST(self.source, host, 0, 0, "")
# XXX: this inits it's own sender() doesn't use self.mysender
self.eth_header = get_ethernet_header(self.host, self.iface)
if self.eth_header == "":
self.log(
"Ethernet header did not get displayed properly - exiting")
return 0
data = self.eth_header + mpacker.get()
mysender.send(data, "IP")
#if you don't sleep, you'll miss some ports.
time.sleep(self.sleeptime)
return
def make_dns_replies(self, txid, dest_port, name, sources, target,
authorityname, response_ip):
"""
Sends DNS reples from sources ( a list of IP's) to target
authority_name is the new name of their IP server
response_ip is the new IP of their name server
"""
for source in sources:
real_ip = exploitutils.get_source_ip(target)
if real_ip == None:
self.log("You have no default gateway for target ip %s" %
target)
self.log("Cannot continue - exiting")
return
iface = ip2iface[
real_ip] #actual ip->interface mapping done here so we know our gateway
try:
self.mysender = sender(iface)
except socket.error:
self.log("Cannot use raw socket!")
return
gateway = gateway_from_iface.get(iface, None)
if not gateway:
#self.log("No gateway found, must be on local network")
dest_mac_address = mac_from_ip.get(target)
if not dest_mac_address:
self.log(
"Cannot get mac address for %s - perhaps ping it to add it to arp cache?"
% target)
return
else:
#self.log("dest_mac_address=%s"%dest_mac_address)
pass
else:
#self.log("Gateway found: %s"%gateway)
dest_mac_address = mac_from_ip.get(gateway)
if dest_mac_address == None:
self.log("Cannot find destination mac address for %s" %
gateway)
return
dnsconstructor = packetConstructor()
dnsconstructor.DNSResponse(txid, name, authorityname, response_ip)
dnsdata = dnsconstructor.get()
udpconstructor = packetConstructor()
udpconstructor.UDP(source, target, 53, dest_port, dnsdata)
udpdata = udpconstructor.get()
myconstructor = packetConstructor()
eth_header = myconstructor.Ethernet(self.mysender.hardware_address,
dest_mac_address, "IP")
ip_packet = myconstructor.IP(source, target, udpdata)
data = myconstructor.get()
self.dns_replies += [data]
#print "Data: %s"%(data.encode("HEX"))
return
def make_dns_request(self, source, target, name):
"""
Sends a DNS Query to our target
"""
real_ip = exploitutils.get_source_ip(target)
if real_ip == None:
self.log("You have no default gateway for target ip %s" % target)
self.log("Cannot continue - exiting")
return
iface = ip2iface[
real_ip] #actual ip->interface mapping done here so we know our gateway
try:
self.mysender = sender(iface)
except socket.error:
self.log("Cannot use raw socket!")
return
gateway = gateway_from_iface.get(iface, None)
if not gateway:
#self.log("No gateway found, must be on local network")
dest_mac_address = mac_from_ip.get(target)
if not dest_mac_address:
self.log(
"Cannot get mac address for %s - perhaps ping it to add it to arp cache?"
% target)
return
else:
#self.log("dest_mac_address=%s"%dest_mac_address)
pass
else:
#self.log("Gateway found: %s"%gateway)
dest_mac_address = mac_from_ip.get(gateway)
if dest_mac_address == None:
self.log("Cannot find destination mac address for %s" %
gateway)
return
dnsconstructor = packetConstructor()
txid = random.randint(1, 65535)
self.txid = txid
dnsconstructor.DNSQuery(txid, name)
dnsdata = dnsconstructor.get()
udpconstructor = packetConstructor()
udp_source_port = random.randint(1, 65535)
udpconstructor.UDP(source, target, udp_source_port, 53, dnsdata)
udpdata = udpconstructor.get()
myconstructor = packetConstructor()
eth_header = myconstructor.Ethernet(self.mysender.hardware_address,
dest_mac_address, "IP")
ip_packet = myconstructor.IP(source, target, udpdata)
data = myconstructor.get()
#print "Data: %s"%(data.encode("HEX"))
self.dns_requests += [data]
return
def can_scanrand(self):
if self.node.nodetype != "LocalNode":
return 0
try:
mysender=sender()
except:
self.log("Failed to open a raw socket...")
return 0
return 1
def run_on_host(self, target):
"""
runs once on each host that is alive in the netrange
"""
host = target.interface
if self.state == self.HALT:
return
if self.doscanrand:
mysender = sender(target=host)
for i in range(0, self.iterations):
#test each port multiple times.
numports = len(self.portlist) - len(self.closedports.keys())
if numports == 0:
self.log("All ports were closed")
break
self.log("Running iteration %d/%d on %d ports" %
(i, self.iterations, numports))
for port in self.portlist:
if self.state == self.HALT:
return
if port % 1000 == 0:
self.log("Testing port %d" % port)
if port in self.closedports:
#no need to test this port, already know it's closed
continue
if self.doscanrand:
mpacker = packetConstructor()
#self.port is really self.fromport here
#print "source=%s dest=%s"%(source,dest)
mpacker.UDP(self.source, host, self.fromport, port, "")
mysender.sendto(mpacker.get(), "UDP", (host, 0))
#if you don't sleep, you'll miss some ports.
time.sleep(self.sleeptime)
else:
ret = self.C_isOpen(host, self.port)
if ret == 1:
self.log("Found %s port %d open" % (host, self.port))
self.openhosts.append(host)
elif ret == 0:
self.log("Found %s port %d closed" % (host, self.port))
self.closedhosts.append(host)
if self.state != self.HALT:
#if we are not halted, let's wait for the rest of the packets just in case
self.log("Sleeping for 5 seconds to recover all packets")
time.sleep(5)
return
def __init__(self, logger=None):
if logger:
self.log = logger
self.txid = 0 #default for replies (we set this when we send a request)
self.dns_replies = []
self.dns_requests = []
try:
self.mysender = sender("eth0")
except socket.error:
self.log("Cannot use raw socket!")
return
def can_scanrand(self):
if self.node.nodetype != "LocalNode":
self.log("Cannot do a scanrand-style scan from a remote node.")
#can't do scanrand from remote nodes
return 0
try:
mysender = sender()
except:
self.log("Failed to open a raw socket...")
return 0
return 1
def send_echo_request_packet(self):
"""
Sends a ICMP ECHO REQUEST packet with a non-zero code
field.
Also send a non-default TOS field.
"""
icmppacker = packetConstructor()
icmppacker.ICMP_ECHO_REQUEST(self.source,
self.host,
0,
0,
code=1,
tos=0xfe)
data = self.eth_header + icmppacker.get()
mysender = sender(target=self.host, iface=self.iface)
mysender.send(data, "IP")
return
def run_on_host(self,target):
"""
runs once on each host that is alive in the netrange
"""
host=target.interface
if self.state==self.HALT:
return
mpacker=packetConstructor()
mysender=sender()
if self.doscanrand:
mpacker.ICMP_ECHO_REQUEST(self.source,host,0,0,"")
data=self.eth_header + mpacker.get()
mysender.send(data,"IP")
#if you don't sleep, you'll miss some ports.
time.sleep(self.sleeptime)
return
def send_tcp_request_packet(self):
tcp_dest_port = self.tcp_dest_port
mysender = sender(target=self.host, iface=self.iface)
tcppacker = packetConstructor()
ippacker = packetConstructor()
flags = "SYN"
tcppacker.TCP(self.source, self.host, flags, self.tcp_local_port,
tcp_dest_port, "")
tcpdata = tcppacker.get()
ippacker = packetConstructor()
#set DF flag here
#flags is set as a 16 bit number...
ippacker.IP(self.source,
self.host,
tcpdata,
protocol="TCP",
ipid=0x7788,
flags=0x4000)
ipdata = ippacker.get()
#now send the data across the wire - need to prepend the ethernet header, of course
mysender.send(self.eth_header + ipdata, "IP")
return
def scanrand(self, allports, scanMode=SYNSCAN):
# Fast CANVAS SCAN
#first, we need to register as a callback with the sniffer
#then we need to scan the ports
if self.UUID:
self.log("Don't do scanrand when looking for UUID")
return 0
if not self.engine.sniffer_isactive():
self.log("sniffer not active")
self.setInfo(
"Portscan: sniffer not active - cannot do raw socket mode.")
return 0
if self.node.nodetype != "LocalNode":
self.log("Cannot do a scanrand-style scan from a remote node.")
#can't do scanrand from remote nodes
return 0
# scanrand not supported for IPv6 yet
if ":" in self.host:
self.log("[XXX] no IPv6 support for ScanRand yet !")
return 0
try:
mysender = sender(target=self.host)
except:
self.log("Failed to open a raw socket...")
return 0
if scanMode == SYNSCAN:
closedfs = "ipsource(%s) tcpflags(RST) tcpflags(ACK)" % self.host
openfs = "ipsource(%s) tcpflags(SYN) tcpflags(ACK)" % self.host
self.engine.register_sniffer_callback(self.opencallback, openfs)
elif scanMode in [FINSCAN, XMASSCAN, NULLSCAN]:
closedfs = "ipsource(%s) tcpflags(RST) tcpflags(ACK)" % self.host
self.engine.register_sniffer_callback(self.finXmasNullCallback,
closedfs)
top = 2
source = self.source
self.log("Source IP=%s" % source)
mpacker = packetConstructor()
dest = self.host
for tries in range(1, top):
self.log("Try %d/%d" % (tries, top - 1))
#have to do retries to make sure things work - well, no we don't
#but we'll leave the possibility in regardless
totallength = len(allports)
current = 0
for port in allports:
if self.done:
self.engine.unregister_sniffer_callback(self.opencallback)
return 0
if self.state == self.HALT:
self.log("Ending portscan on port %d" % port)
self.setInfo("%s stopped on port %d" % (NAME, port))
self.log("Open ports found so far: %s" % self.openports)
self.target.replace_knowledge("TCPPORTS", self.openports,
100)
self.engine.unregister_sniffer_callback(self.opencallback)
return 0
mpacker.clear()
if scanMode == SYNSCAN:
mpacker.TCP(source, dest, ["SYN"], self.port, port, "")
elif scanMode == FINSCAN:
mpacker.TCP(source, dest, ["FIN"], self.port, port, "")
elif scanMode == XMASSCAN:
mpacker.TCP(source, dest, ["PSH", "FIN", "URG"], self.port,
port, "")
elif scanMode == NULLSCAN:
mpacker.TCP(source, dest, [], self.port, port, "")
mysender.sendto(mpacker.get(), "TCP", (dest, 0))
current += 1
if current % 100 == 0:
self.log("%d ports scanned" % current)
self.setProgress(
((current * 1.0) / (totallength * 1.0)) * 100)
#if you don't sleep, you'll miss some ports.
time.sleep(0.01)
mysender.close() #close all raw sockets for sending
self.log("Sleeping to recover any lost packets...")
time.sleep(2)
if scanMode == SYNSCAN:
self.engine.unregister_sniffer_callback(self.opencallback)
elif scanMode in [FINSCAN, XMASSCAN, NULLSCAN]:
self.engine.unregister_sniffer_callback(self.finXmasNullCallback)
return 1