def _do_request_lease(self, mac_address, ip=None, timeout_sec=10): logging.debug( f"Requesting lease for mac {mac_address} ip {ip} iface {self._net_iface}" ) mac_raw = codecs.decode(mac_address.replace(':', ''), 'hex') if ip is None: broadcast_flag = scapy.fields.FlagValue(0b1000000000000000, "???????????????B") dhcp_discover = l2.Ether(src=self._real_mac, dst='ff:ff:ff:ff:ff:ff') / \ inet.IP(src='0.0.0.0', dst='255.255.255.255') / \ inet.UDP(dport=67, sport=68) / \ dhcp.BOOTP(chaddr=mac_raw, xid=scapy.volatile.RandInt(), flags=broadcast_flag) / dhcp.DHCP(options=[('message-type', 'discover'), 'end']) dhcp_offer = sendrecv.srp1(dhcp_discover, iface=self._net_iface, verbose=self._verbose, timeout=timeout_sec) if dhcp_offer is None: raise TimeoutError( f"Timeout. failed to get offer for mac {mac_address} iface: {self._net_iface}" ) ip = dhcp_offer[dhcp.BOOTP].yiaddr server_id = DHCPRequestor._server_id_from_offer( dhcp_offer[dhcp.BOOTP]) xid_cookie = dhcp_offer[dhcp.BOOTP].xid else: server_id = None xid_cookie = 0 return self._dhcp_request(mac_raw, ip, xid_cookie, server_id, timeout_sec=timeout_sec)
def dhcp_ack(self, device, fromBackdoor=False): yiaddr = device.yiaddr print('ack ip: %s' % yiaddr) packet = ( l2.Ether(dst="ff:ff:ff:ff:ff:ff", src=self.etherSrc) / inet.IP(src=self.myIP, dst=yiaddr) / inet.UDP(sport=67, dport=68) / dhcp.BOOTP(op=2, chaddr=macTransfer(device.hwAddr), yiaddr=yiaddr, xid=device.xid) / dhcp.DHCP(options=[ ("message-type", "ack"), ("lease_time", 7200), ("server_id", self.myIP), ("subnet_mask", self.subnetMask), ("router", self.router), ("vendor_class_id", device.vendor_class_id), #("client_id",device.client_id), "end" ])) try: if fromBackdoor == False: sendrecv.sendp(packet, iface=self.iface, count=1, verbose=False) except: raise device.yiaddr_acked = True
def dhcp_offer(self, device, fromBackdoor=False): if device.yiaddr == '0.0.0.0': yiaddr = self.ip_addr_allocate(device.hwAddr) device.yiaddr = yiaddr else: yiaddr = device.yiaddr print('offer ip: %s' % yiaddr) packet = ( l2.Ether(dst="ff:ff:ff:ff:ff:ff", src=self.etherSrc) / inet.IP(src=self.myIP, dst="255.255.255.255") / inet.UDP(sport=67, dport=68) / dhcp.BOOTP(op=2, chaddr=macTransfer(device.hwAddr), yiaddr=yiaddr, xid=device.xid) / dhcp.DHCP(options=[("message-type", "offer"), ("lease_time", 7200), ("server_id", self.myIP), ("vendor_class_id", device.vendor_class_id), "end"])) #print(str(packet).encode('hex')) #print(macTransfer("00:0e:5e:00:00:0a")) try: if fromBackdoor == False: sendrecv.sendp(packet, iface=self.iface, count=1, verbose=False) except: raise
def main(self): try: while not self.is_stopped(): if self._poll(0.1): s = self._recv() try: demux_tok, metadata_len = struct.unpack('!cH', s[:3]) metadata = s[3:metadata_len+3] data = s[metadata_len+3:] parsed_metadata = l2.Ether(metadata) parsed_data = scapy_dns.DNS(data) if demux_tok == '\x00': forged_metadata = self._forge_scapy_response(parsed_metadata) m = forged_metadata / parsed_data self._send(demux_tok + str(m)) elif demux_tok == '\xFF': if parsed_metadata.haslayer(scapy_inet.IP): del parsed_metadata[scapy_inet.IP].chksum else: del parsed_metadata[scapy_inet6.IPv6].chksum del parsed_metadata[scapy_inet.UDP].chksum m = parsed_metadata / parsed_data self._send(demux_tok + str(m)) else: if not self.quiet: self._view.error('Invalid demux token: {:x}. Dropping.'.format(ord(demux_tok))) except: if not self.quiet: self._view.error('Unparsable frame. Dropping: ' + str(e)) print s except (IOError, EOFError): pass
def get_mac(ip): arp_request = l2.ARP(pdst=ip) broadcast = l2.Ether(dst="ff:ff:ff:ff:ff:ff") arp_request_broadcast = broadcast / arp_request answered_list = srp(arp_request_broadcast, timeout=5, verbose=False)[0] # print("---- Length: " + str(len(str(answered_list)))) # print(str(ls(answered_list[0][1])) + "\n\n") return answered_list[0][1].hwsrc
def _forge_scapy_response(self, scapy_msg): new_msg = l2.Ether(src=scapy_msg[l2.Ether].dst, dst=scapy_msg[l2.Ether].src) if scapy_msg.haslayer(scapy_inet.IP): new_msg /= scapy_inet.IP(src=scapy_msg[scapy_inet.IP].dst, dst=scapy_msg[scapy_inet.IP].src) else: new_msg /= scapy_inet.IPv6(src=scapy_msg[scapy_inet6.IPv6].dst, dst=scapy_msg[scapy_inet6.IPv6].src) new_msg /= scapy_inet.UDP(sport=scapy_msg[scapy_inet.UDP].dport, dport=scapy_msg[scapy_inet.UDP].sport) return new_msg
def arp_request(iface: str, dst: str, retry=2, timeout=1) -> Optional[str]: """ Sends an ARP request and attempts to return target's MAC address """ local_ip, local_mac = unpack_iface(iface) rsp = srp(l2.Ether(dst='ff:ff:ff:ff:ff:ff', src=local_mac) / l2.ARP( hwsrc=local_mac, psrc=local_ip, hwdst='ff:ff:ff:ff:ff:ff', pdst=dst), timeout=timeout, retry=retry, verbose=False) if not rsp[0]: return return rsp[0][0][1]['ARP'].hwsrc
def dhcp_flood(**kwargs): iface = kwargs["interface"] count = kwargs["count"] unique_hexdigits = str.encode("".join(set(string.hexdigits.lower()))) packet = (l2.Ether(dst="ff:ff:ff:ff:ff:ff") / inet.IP(src="0.0.0.0", dst="255.255.255.255") / inet.UDP(sport=68, dport=67) / dhcp.BOOTP(chaddr=volatile.RandString(12, unique_hexdigits)) / dhcp.DHCP(options=[("message-type", "discover"), "end"])) sendrecv.sendp(packet, iface=iface, count=count)
def datagram_received(self, data, addr): try: packet = l2.Ether(data) except Exception as e: log.error("Failed to decode packet from %s: %r", addr, e) return if packet.src not in self._remote_mac_to_forwarder_addr: self._remote_mac_to_forwarder_addr[packet.src] = addr log.info("MAC %s is forwarded by %s", packet.src, addr) self._inbox_queue.put_nowait(packet)
def arp_response(src: str, src_mac: str, dst: str, dst_mac: str, count=3, interval=0.1) -> None: """ Sends an ARP response """ for i in range(count): sendp(l2.Ether(dst=dst_mac, src=src_mac) / l2.ARP( op="is-at", hwsrc=src_mac, psrc=src, hwdst=dst_mac, pdst=dst), verbose=False) if interval > 0: sleep(interval)
def scan(ip): # Función que dado una IP o un rango de IP escanea una subred # Creamos un objeto ARP con la dirección IP objetivo arp_request = scapy.ARP(pdst=ip) # Lo vamos a enviar por broadcast, por eso ponemos como mac todo 1 broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff") arp_request_broadcast = broadcast / arp_request # scapy.srp() envía el paquete arp_request_broadcast y mete en answered_list las respuestas # [0] permite listar solo las respuestas answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0] clients_list = [] for element in answered_list: client_dict = {"ip": element[1].psrc, "mac": element[1].hwsrc} clients_list.append(client_dict) return clients_list
def run(self): try: while self.running: # Get the packet anf timestamp from pcap ret = self.pcap.__next__() if not ret: continue ts, pkt = ret packet = l2.Ether(str(pkt)) packet.time = ts # Put the packet in the sniffed queue to be processed later ctx.sniffed_packets.put(packet) # Write the packet in the dump file if self.dumpfile: scapy.utils.wrpcap(self.dumpfile, packet, append=True) except StopIteration: # Raised when EOF is reached while reading from a file self.end(False) except Exception as e: print "Hoooooolay: %s" %str(e)
def main(self): try: while not self.is_stopped(): if self._poll(0.1): s = self._recv() try: m = l2.Ether(s) data = str(m[scapy_dns.DNS]) if m.haslayer(scapy_inet.UDP): m[scapy_inet.UDP].remove_payload() else: m[scapy_inet.UDP].remove_payload() metadata = str(m) self._send('{}{}{}'.format( struct.pack('!H', len(metadata)), metadata, data)) except Exception as e: if not self.quiet: self._view.error('Unparsable frame. Dropping: ' + str(e)) print(s) except (IOError, EOFError): pass
def _dhcp_request(self, mac_raw, requested_ip, xid_cookie=0, server_id="0.0.0.0", timeout_sec=10): logging.debug( f"Sending dhcp request for {requested_ip} cookie {xid_cookie} server id {server_id} net {self._net_iface}" ) broadcast_flag = scapy.fields.FlagValue(0b1000000000000000, "???????????????B") dhcp_options = [("message-type", "request")] if server_id is not None: dhcp_options.append(("server_id", server_id)) dhcp_options.extend([("requested_addr", requested_ip), ("param_req_list", 0), "end"]) dhcp_request = l2.Ether(src=self._real_mac, dst="ff:ff:ff:ff:ff:ff") / \ inet.IP(src="0.0.0.0", dst="255.255.255.255") / \ inet.UDP(sport=68, dport=67) / \ dhcp.BOOTP(chaddr=mac_raw, xid=xid_cookie, flags=broadcast_flag) / \ dhcp.DHCP(options=dhcp_options) # send request, wait for ack dhcp_reply = sendrecv.srp1(dhcp_request, iface=self._net_iface, verbose=self._verbose, timeout=timeout_sec) if dhcp_reply is None: raise TimeoutError( f"DHCP request timeout on net {self._net_iface}") reply = DHCPRequestor._dhcp_reply_info(dhcp_reply) if dhcp.DHCPTypes[reply['message-type']] != 'ack': raise Exception("Failed to get ack %s" % reply) return reply
deserialized_data = json.loads(data) if not re.search(flag_re, deserialized_data['Description']): new_packets.append(packet) continue deserialized_data['Description'] = args.flag new_json = json.dumps(deserialized_data, indent=4).encode() new_data = xor_data(new_json, key) new_length = xor_data(key, len(new_data).to_bytes(2, 'big')) new_payload = key + new_length + new_data # checksum isn't validated by scapy upon rebuilt unless the property is missing del packet['IP'].len del packet['IP'].chksum del packet['TCP'].chksum raw_payload.load = new_payload packet['TCP'].payload = raw_payload packet['TCP'].explicit = tcp_packet.explicit new_packet = l2.Ether(packet.build()) new_packet['TCP'].time = tcp_packet.time new_packet.time = packet.time new_packets.append(new_packet) else: new_packets.append(packet) new_plist = PacketList(new_packets) wrpcap(args.output, new_plist) print( f"Dumped the modified capture to {args.output}; be sure to verify with ctf-solve.py!" )
def getFrame(self): frame = l2.Ether() ipPacket = inet.IP() if (srcmac := self.lineEdit_mac_SRCMAC.text()) != ":::::": frame.src = srcmac