def service_craft(pkt, fp, mac, service, type_=False):
    """Build the spoofed reply a fake service returns for the probe ``pkt``.

    Args:
        pkt: scapy packet with IP and TCP layers (optionally Ether); its
            addresses and ports are mirrored into the reply.
        fp: fingerprint object; only ``fp.ttl`` (a hex string) is read here.
        mac: source MAC used for the Ether header when ``pkt`` carries one.
        service: mapping from destination port to the payload bytes sent back
            when ``type_`` is true.
        type_: False -> bare SYN/ACK (handshake step); True -> PSH/ACK that
            carries ``service[dport]``.

    Returns:
        The stacked reply, Ether/IP/TCP[/payload] when the probe had a link
        layer, otherwise IP/TCP[/payload].

    Raises:
        KeyError: ``type_`` is true and the port has no entry in ``service``.
    """
    # pkt[Ether] raises IndexError when the probe has no link layer; the reply
    # is then built from the IP layer up and the caller sends it at layer 3.
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    # Mirror the probe: our source is its destination and vice versa.
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(fp.ttl, 16), flags=0x4000)
    trans = TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport)

    if type_:
        trans.flags = 0x018  # PSH / ACK
        trans.seq = pkt[TCP].seq
        trans.ack = pkt[TCP].ack
        stack = net / trans / service[pkt[TCP].dport]
    else:
        trans.flags = 0x012  # SYN / ACK
        trans.seq = pkt[TCP].seq
        trans.ack = pkt[TCP].seq + 1
        stack = net / trans

    return stack if link is None else link / stack
def cb(dummy, payload):
    """nfqueue callback: pin the TTL of a queued packet and re-inject it.

    Args:
        dummy: first callback argument from the nfqueue binding; unused.
        payload: nfqueue payload object whose raw bytes are parsed as IP.

    The packet leaves the queue accepted, with ttl=24 and a freshly computed
    IP checksum. ``str(parsed)`` is the serialised packet on Python 2, which
    is the interpreter this nfqueue binding targets.
    """
    parsed = IP(payload.get_data())
    parsed.ttl = 24
    # The header was modified, so the cached checksum is stale; deleting the
    # field makes scapy recompute it when the packet is serialised below.
    del parsed.chksum
    payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(parsed), len(parsed))
def seqgen_pkt_craft(pkt, fp, mac, pno):
    """Craft the reply to one of the SEQ/OPS/WIN (T1-style) TCP probes.

    Args:
        pkt: the probe (IP/TCP, optionally Ether).
        fp: fingerprint object exposing ``probe`` (nested dict of test values,
            presumably nmap's T1/WIN/OPS names) plus the ``ip_id_gen`` and
            ``tcp_seq_gen`` generators.
        mac: our source MAC for the Ether header.
        pno: column selector appended to 'W' / 'O' to pick the window and
            options for this probe.

    Returns:
        The reply packet; a compensated payload is appended when the
        fingerprint's RD value is not '0'.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    t1 = fp.probe['T1']
    # NOTE(review): DF is assigned straight from the fingerprint here, while
    # ecn_craft maps 'Y'/'N' to 2/0 — confirm the parser already converts it.
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(t1['TTL'], 16), flags=t1['DF'])
    net.id = fp.ip_id_gen()

    def seq_from(code):
        # 'Z' -> 0, 'A' -> probe ack, 'A+' -> probe ack + 1, else generator.
        if code == 'Z':
            return 0
        if code == 'A':
            return pkt[TCP].ack
        if code == 'A+':
            return pkt[TCP].ack + 1
        return fp.tcp_seq_gen()

    def ack_from(code):
        # 'Z' -> 0, 'S' -> probe seq, 'S+' -> probe seq + 1, else seq + 369.
        if code == 'Z':
            return 0
        if code == 'S':
            return pkt[TCP].seq
        if code == 'S+':
            return pkt[TCP].seq + 1
        return pkt[TCP].seq + 369

    trans = TCP()
    trans.seq = seq_from(t1['S'])
    trans.ack = ack_from(t1['A'])
    trans.flags = t1['F']
    trans.window = fp.probe['WIN']['W' + pno]
    trans.sport = pkt[TCP].dport
    trans.dport = pkt[TCP].sport
    trans.options = fp.probe['OPS']['O' + pno]

    rd_val = t1['RD']
    if rd_val != '0':
        # Fixed banner plus the bytes compensate() (defined elsewhere in the
        # project) appends, presumably to make the data checksum match RD.
        payload = b'TCP Port is closed\x00'
        payload += compensate(payload, int(rd_val, 16))
        stack = net / trans / payload
    else:
        stack = net / trans

    return stack if link is None else link / stack
def cmd_icmp_ping(ip, interface, count, timeout, wait, verbose):
    """The classic ping tool that send ICMP echo requests.

    \b
    # habu.icmp.ping 8.8.8.8
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    """
    # Bind scapy to the requested interface, silence its output and use the
    # raw layer-3 socket so no Ether header has to be built.
    if interface:
        conf.iface = interface
    conf.verb = False
    conf.L3socket = L3RawSocket

    # Fixed IPv4 header (no TOS, id 1, no fragmentation, TTL 64, proto 1 =
    # ICMP) carrying an echo-request (type 8) with id/seq pinned to 0.
    probe = IP(dst=ip, tos=0, id=1, flags=0, frag=0, ttl=64, proto=1)
    probe = probe / ICMP(type=8, code=0, id=0, seq=0)

    sent = 0
    while True:
        reply = sr1(probe, timeout=timeout)
        if not reply:
            print('Timeout')
        elif verbose:
            reply.show()
        else:
            print(reply.summary())
        sent += 1
        # count == 0 means keep going until interrupted.
        if count != 0 and sent == count:
            break
        sleep(wait)
    return True
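def udp_craft(pkt, mac, fp):
    """Craft the ICMP destination-unreachable reply to the U1 UDP probe.

    Args:
        pkt: the UDP probe (IP/UDP, optionally Ether and a Raw payload).
        mac: our source MAC for the Ether header when the probe had one.
        fp: fingerprint object; ``fp.probe['U1']`` supplies TTL, DF, RIPL,
            RID, RIPCK and RUCK.

    Returns:
        IP/ICMP/IPerror/UDPerror/data (prefixed with Ether when the probe had
        a link layer). The quoted datagram copies the probe's ports/length;
        its IP and UDP checksums follow the RIPCK / RUCK fingerprint values.

    Changes versus the previous version: the unused ``ipl`` local (parsed
    from U1 IPL but never applied) is gone, and a probe without a Raw layer
    no longer raises IndexError — its quoted data is simply empty.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    u1 = fp.probe['U1']
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(u1['TTL'], 16), flags=u1['DF'])
    # NOTE(review): total length and IP id are constants here although the
    # fingerprint also carries an IPL value — confirm whether ip.len should
    # come from u1['IPL'] instead.
    net.len = 56
    net.id = 4162

    # Destination unreachable. The previous comment said "code 3" (port
    # unreachable) but the value set is 13 (communication administratively
    # prohibited); kept as-is, but the two disagree — verify the intent.
    icmp = ICMP()
    icmp.type = 3
    icmp.unused = 0
    icmp.code = 13

    quoted_ip = IPerror(proto='udp', ttl=0x3E, len=u1['RIPL'], id=u1['RID'])
    ripck = u1['RIPCK']
    if ripck == 'Z':
        quoted_ip.chksum = 0
    elif ripck != 'G':
        quoted_ip.chksum = pkt[IP].chksum
    # 'G': leave chksum unset so scapy computes a correct one.

    quoted_udp = UDPerror(sport=pkt[UDP].sport, dport=pkt[UDP].dport, len=pkt[UDP].len)
    ruck = u1['RUCK']
    quoted_udp.chksum = pkt[UDP].chksum if ruck == 'G' else ruck

    # An empty UDP datagram has no Raw layer; quote nothing instead of
    # crashing the responder on it.
    data = pkt[Raw].load if Raw in pkt else b''

    stack = net / icmp / quoted_ip / quoted_udp / data
    return stack if link is None else link / stack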
def cmd_ping(ip, interface, count, timeout, wait, verbose):
    """The classic ping tool that send ICMP echo requests.

    \b
    # habu.ping 8.8.8.8
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    """
    if interface:
        conf.iface = interface
    conf.verb = False  # keep scapy quiet; we print the replies ourselves
    conf.L3socket = L3RawSocket

    # Echo-request with every IP/ICMP field pinned so each probe is identical.
    header_fields = {
        'dst': ip,
        'tos': 0,
        'id': 1,
        'flags': 0,
        'frag': 0,
        'ttl': 64,
        'proto': 1,  # icmp
    }
    echo_fields = {
        'type': 8,  # echo-request
        'code': 0,
        'id': 0,
        'seq': 0,
    }
    probe = IP(**header_fields) / ICMP(**echo_fields)

    def show_reply(reply):
        # Full dissection when verbose, one-line summary otherwise.
        if verbose:
            reply.show()
        else:
            print(reply.summary())

    sent = 0
    while True:
        reply = sr1(probe, timeout=timeout)
        if reply:
            show_reply(reply)
        else:
            print('Timeout')
        sent += 1
        # A count of 0 pings forever.
        if count and sent == count:
            break
        sleep(wait)
    return True
def ecn_craft(pkt, mac, fp):
    """Craft the reply to the ECN TCP probe according to fingerprint ``fp``.

    Args:
        pkt: the probe (IP/TCP, optionally Ether).
        mac: our source MAC for the Ether header when the probe had one.
        fp: fingerprint object; ``fp.probe['ECN']`` supplies TTL, DF, W, CC
            and O, and ``fp.ip_id_gen()`` the IP id.

    Returns:
        IP/TCP reply (prefixed with Ether when the probe had a link layer).
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    ecn = fp.probe['ECN']
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(ecn['TTL'], 16))
    # DF 'Y' sets the DF bit (flags=2); anything else clears the flags.
    net.flags = 2 if ecn['DF'] == 'Y' else 0
    net.id = fp.ip_id_gen()

    trans = TCP()
    w_val = ecn['W']
    trans.window = pkt[TCP].window if w_val == 'ECHOED' else w_val
    trans.sport = pkt[TCP].dport
    trans.dport = pkt[TCP].sport
    # CC: 'Y' -> ECE|SYN|ACK (0x52), 'N' -> SYN|ACK (0x12),
    #     'S' -> CWR|ECE|SYN|ACK (0xD2), anything else -> ACK only (0x10).
    cc_flags = {'Y': 0x52, 'N': 0x12, 'S': 0xD2}
    trans.flags = cc_flags.get(ecn['CC'], 0x10)
    if ecn['O'] != 'EMPTY':
        trans.options = ecn['O']

    stack = net / trans
    return stack if link is None else link / stack
def IP_layer(attributes):
    """Build a scapy IP header from a dict of field values.

    Args:
        attributes: mapping that must contain every key listed in
            ``field_order`` below; values are assigned as given, without
            conversion.

    Returns:
        The populated ``IP`` layer.

    Raises:
        KeyError: a required key is missing from ``attributes``.
    """
    field_order = (
        'version', 'ihl', 'tos', 'len', 'id', 'flags',
        'frag', 'ttl', 'proto', 'src', 'dst',
    )
    header = IP()
    for name in field_order:
        setattr(header, name, attributes[name])
    return header
def cmd_ping(ip, interface, count, timeout, wait, verbose):
    """Send ICMP echo requests to ``ip`` and print each reply or a timeout.

    Args:
        ip: destination address.
        interface: scapy interface to bind, or a falsy value for the default.
        count: number of probes; 0 means run until interrupted.
        timeout: seconds ``sr1`` waits for each reply.
        wait: seconds slept between probes.
        verbose: full packet dump instead of a one-line summary.

    Returns:
        True once ``count`` probes have been sent.
    """
    if interface:
        conf.iface = interface
    conf.verb = False
    conf.L3socket = L3RawSocket

    header = IP()
    header.dst = ip
    header.tos = 0
    header.id = 1
    header.flags = 0
    header.frag = 0
    header.ttl = 64
    header.proto = 1  # icmp

    echo = ICMP()
    echo.type = 8  # echo-request
    echo.code = 0
    echo.id = 0
    echo.seq = 0

    probe = header / echo
    sent = 0
    while True:
        reply = sr1(probe, timeout=timeout)
        if not reply:
            print('Timeout')
        else:
            if verbose:
                reply.show()
            else:
                print(reply.summary())
        sent += 1
        # Stop after count probes unless count is 0 (endless).
        if count != 0 and sent == count:
            return True
        sleep(wait)
def icmp_craft(pkt, fp, mac):
    """Craft the echo-reply to the IE (ICMP echo) probe per fingerprint ``fp``.

    Args:
        pkt: the probe (IP/ICMP, optionally Ether).
        fp: fingerprint object; ``fp.probe['IE']`` supplies TTL, DFI and CD,
            and ``fp.ip_id_icmp_gen()`` the IP id.
        mac: our source MAC for the Ether header when the probe had one.

    Returns:
        IP/ICMP reply echoing the probe's id, seq and payload (prefixed with
        Ether when the probe had a link layer).
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    ie = fp.probe['IE']
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(ie['TTL'], 16))
    dfi = ie['DFI']
    if dfi == 'S':
        net.flags = pkt[IP].flags  # same as the probe
    elif dfi == 'Y':
        net.flags = 2  # DF set
    elif dfi == 'N':
        net.flags = 0
    else:
        net.flags = 0 if pkt[IP].flags == 2 else 2  # toggle the probe's DF
    net.id = fp.ip_id_icmp_gen()

    echo = ICMP(type=0, id=pkt[ICMP].id)
    cd = ie['CD']
    if cd == 'Z':
        echo.code = 0
    elif cd == 'S':
        echo.code = pkt[ICMP].code
    else:
        echo.code = random.randint(0, 15)
    echo.seq = pkt[ICMP].seq

    stack = net / echo / pkt[ICMP].payload
    return stack if link is None else link / stack
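def main(args):
    """Queue ``args.count`` ICMP packets with randomised header fields and send them.

    Each packet starts as IP(dst=args.target)/ICMP(); for every field below a
    coin flip (``random_bool``, defined elsewhere in the module) decides
    whether it is replaced with a random value. All packets are built first
    and then handed to ``sendp`` with ``args.interval`` seconds between them.

    Args:
        args: parsed CLI options with ``target``, ``count`` and ``interval``.
    """
    print("[*] Comenzando el fuzzing...")
    pkt_lst = []
    for _ in xrange(args.count):
        ip_layer = IP(dst=args.target)
        # IP layer: random source, id and ttl (ttl kept inside 0..254).
        if random_bool():
            ip_layer.src = str(RandIP())
        if random_bool():
            ip_layer.id = int(RandShort())
        if random_bool():
            ip_layer.ttl = int(RandInt()) % 255

        icmp_layer = ICMP()
        # ICMP layer: random type and sequence number.
        if random_bool():
            icmp_layer.type = int(RandByte())
        if random_bool():
            icmp_layer.seq = int(RandShort())

        pkt_lst.append(ip_layer / icmp_layer)

    sendp(pkt_lst, inter=args.interval)
    # Report how many packets were actually queued: the old message printed
    # the last loop index (count - 1) and raised NameError when count was 0.
    print("[*] Enviado %s paquetes" % len(pkt_lst))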
if tmp > 0 and tmp < ttldiff: ttldiff = tmp print "%s is probably %d hops away (at least one way ;))" % (dst,ttldiff+1) data = "GET / HTTP/1.0\nHost: "+target+"\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2\nAccept: text/html,application/xhtml+xml,application/xml;q = 0.9,*/*;q = 0.8\nAccept-Language: en-us,en;q = 0.5\n" res = sr1(ip/TCP(sport = my_sport, dport = my_dport, flags = "PA", seq = my_seq, ack = my_ack)/data,retry = 3,timeout = 2) my_ack = res.seq my_seq = my_seq+len(data) data = "Accept-Charset: ISO-8859-2,utf-8;q = 0.7,*;q = 0.7\nPragma: no-cache\nCache-Control: no-cache\n\n" while 1 == 1: ip.ttl = my_ttl rcv = sr1(ip/TCP(sport = my_sport, dport = my_dport, flags = "A", seq = my_seq, ack = my_ack)/data,retry = 2,timeout = 1) if rcv: print "%2d : %15s rcv proto %s, TTL %3d" % (my_ttl,rcv.src,rcv.proto,rcv.ttl) if rcv.proto == 6: if dttl != rcv.ttl: print "Probable SYN proxy, SA TTL %d, now TTL %d" % (dttl,rcv.ttl) print "done, got: TCP flags: %s" % TCPflags(rcv.payload.flags) if len(rcv.payload.payload) < 10: cap = sniff(filter = "tcp and port 80 and port %d and host %s" % (my_sport,dst), count = 1,timeout = 5) for tmp in cap: if tmp.payload.proto == 6 and len(tmp.payload.payload.payload) < 10: rcv = tmp.payload break
ip_source[index] = str(ip_source[index]) + str(i) else: index += 1 ip_source[index] = "" print(ip_source) print(ip_dest) ip_header.version = 4 ip_header.ihl = ip_hdr_len // 4 ip_header.tos = 0x0 ip_header.len = (ip_hdr_len + udp_pkt_len) ip_header.id = 0 ip_header.flags = 0 ip_header.frag = 0 ip_header.ttl = 64 ip_header.proto = 17 #ip_header.chksum= 0x7ce6 ip_header.src = ip_src ip_header.dst = ip_dst del ip_header.chksum ip_header = ip_header.__class__(str(ip_header)) #ip_header.show2() #print("-------------------------------------") #hexdump((ip_header.version << 4) | ip_header.ihl) #print(ip_header.version << 4) #print(ip_header.ihl) #print(ip_header.proto) #hexdump(ip_header)
def t2tot7_craft(pkt, fp, mac, tno):
    """Craft the reply to one of the T2..T7 TCP probes.

    Args:
        pkt: the probe (IP/TCP, optionally Ether).
        fp: fingerprint object; ``fp.probe[tno]`` supplies TTL, DF, S, A, F,
            W, O and RD for this probe.
        mac: our source MAC for the Ether header when the probe had one.
        tno: key of the fingerprint row to use (the probe name).

    Returns:
        IP/TCP reply (prefixed with Ether when the probe had a link layer),
        with a compensated payload appended when RD is not '0'. Unlike
        seqgen_pkt_craft the IP id is a random 1..1000 value here.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    row = fp.probe[tno]
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(row['TTL'], 16), flags=row['DF'])
    net.id = random.randint(1, 1000)

    def relative_value(code, name, base):
        # 'Z' -> 0, name -> base, name+'+' -> base + 1, anything else -> base + 369.
        if code == 'Z':
            return 0
        if code == name:
            return base
        if code == name + '+':
            return base + 1
        return base + 369

    trans = TCP()
    # S is expressed relative to the probe's ack, A relative to its seq.
    trans.seq = relative_value(row['S'], 'A', pkt[TCP].ack)
    trans.ack = relative_value(row['A'], 'S', pkt[TCP].seq)
    trans.flags = row['F']
    w_val = row['W']
    trans.window = pkt[TCP].window if w_val == 'ECHOED' else w_val
    trans.sport = pkt[TCP].dport
    trans.dport = pkt[TCP].sport
    if row['O'] != 'EMPTY':
        trans.options = row['O']

    rd_val = row['RD']
    if rd_val == '0':
        stack = net / trans
    else:
        # Fixed banner plus the bytes compensate() (defined elsewhere in the
        # project) appends, presumably to make the data checksum match RD.
        payload = b'TCP Port is closed\x00'
        payload += compensate(payload, int(rd_val, 16))
        stack = net / trans / payload

    return stack if link is None else link / stack
tmp = defttl - dttl if tmp > 0 and tmp < ttldiff: ttldiff = tmp print "%s is probably %d hops away (at least one way ;))" % (target, ttldiff + 1) pkt = IP(dst=target) / TCP( sport=my_sport, dport=my_dport, flags="A", seq=my_seq, ack=my_ack) if tseho > 0: pkt.payload.options = [('NOP', None), ('NOP', None), ('Timestamp', (tsval, tseho))] while 1 == 1: pkt.ttl = my_ttl rcv = sr1(pkt, retry=2, timeout=1) if rcv: print "%2d : %15s rcv proto %s, TTL %3d" % (my_ttl, rcv.src, rcv.proto, rcv.ttl) if rcv.haslayer(TCP): print "done, got: TCP flags: %s" % TCPflags( rcv.getlayer(TCP).flags) break else: print "%2d : ???.???.???.???" % my_ttl if my_ttl > 20: print "out of TTL ;)" break
data = ( "GET / HTTP/1.0\nHost: " + target + "\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2\nAccept: text/html,application/xhtml+xml,application/xml;q = 0.9,*/*;q = 0.8\nAccept-Language: en-us,en;q = 0.5\n" ) res = sr1(ip / TCP(sport=my_sport, dport=my_dport, flags="PA", seq=my_seq, ack=my_ack) / data, retry=3, timeout=2) my_ack = res.seq my_seq = my_seq + len(data) data = "Accept-Charset: ISO-8859-2,utf-8;q = 0.7,*;q = 0.7\nPragma: no-cache\nCache-Control: no-cache\n\n" while 1 == 1: ip.ttl = my_ttl rcv = sr1(ip / TCP(sport=my_sport, dport=my_dport, flags="A", seq=my_seq, ack=my_ack) / data, retry=2, timeout=1) if rcv: print "%2d : %15s rcv proto %s, TTL %3d" % (my_ttl, rcv.src, rcv.proto, rcv.ttl) if rcv.proto == 6: if dttl != rcv.ttl: print "Probable SYN proxy, SA TTL %d, now TTL %d" % (dttl, rcv.ttl) print "done, got: TCP flags: %s" % TCPflags(rcv.payload.flags) if len(rcv.payload.payload) < 10: cap = sniff(filter="tcp and port 80 and port %d and host %s" % (my_sport, dst), count=1, timeout=5) for tmp in cap: if tmp.payload.proto == 6 and len(tmp.payload.payload.payload) < 10: rcv = tmp.payload break