def run_on_host(self,target): """ runs once on each host that is alive in the netrange """ host=target.interface if self.state==self.HALT: return if self.doscanrand: mysender=sender(target=host) mpacker=packetConstructor() #self.port is really self.fromport here #print "source=%s dest=%s"%(source,dest) mpacker.TCP(self.source,host,["SYN"],self.fromport,self.port,"") mysender.sendto(mpacker.get(),"TCP",(host,0)) #if you don't sleep, you'll miss some ports. time.sleep(0.01) else: ret=self.C_isOpen(host, self.port) if ret==1: self.log("Found %s port %d open"%(host,self.port)) self.openhosts.append(host) elif ret==0: self.log("Found %s port %d closed"%(host,self.port)) self.closedhosts.append(host) return
def run_on_host(self, target, source=None): """ runs once on each host that is alive in the netrange we do the get_callback_interface here because doing it only once for a large netblock means we might miss the fact that we crossed interfaces... """ if not source: source = self.engine.get_callback_interface( target=target.interface) host = target.interface #no scanrand for now if 0 and self.doscanrand: mysender = sender(target=host) mpacker = packetConstructor() #self.port is really self.fromport here #print "source=%s dest=%s"%(source,dest) mpacker.TCP(source, host, ["SYN"], self.fromport, self.port, "") mysender.sendto(mpacker.get(), "TCP", (host, 0)) #if you don't sleep, you'll miss some ports. time.sleep(0.05) else: ret = self.C_isClosed(host, self.port) if ret == 1: self.log("Found %s port %d closed" % (host, self.port)) self.closedhosts.append(host) return
def send_udp_packet(self): """ Sends a UDP packet to a closed UDP port with some IP flags set. This triggers an ICMP message, ideally, and we then examine the result to set some of our variables. 1) This packet has 300 bytes of "data". """ self.log("Sending UDP packet to %s:%d to elicit ICMP response" % (self.host, self.closed_udp_port)) mysender = sender(target=self.host, iface=self.iface) udppacker = packetConstructor() udp_data = "A" * 300 udppacker.UDP(self.source, self.host, self.udpfromport, self.closed_udp_port, udp_data) udpdata = udppacker.get() ippacker = packetConstructor() #set DF flag here #flags is set as a 16 bit number... ippacker.IP(self.source, self.host, udpdata, ipid=0x7788, flags=0x4000) ipdata = ippacker.get() #now send the data across the wire - need to prepend the ethernet header, of course mysender.send(self.eth_header + ipdata, "IP") return
def send_tcp_ecn(self): """ Explicit congestion notification test on open TCP socket """ self.log("Sending TCP ECN attempt to port %d from port %d" % (self.tcp_dest_port, self.tcp_local_port)) tcp_dest_port = self.tcp_dest_port mysender = sender(target=self.host, iface=self.iface) tcppacker = packetConstructor() ippacker = packetConstructor() flags = "SYN ECN CNG" tcppacker.TCP(self.source, self.host, flags, self.tcp_local_port, tcp_dest_port, "") tcpdata = tcppacker.get() ippacker = packetConstructor() #set DF flag here #flags is set as a 16 bit number... ippacker.IP(self.source, self.host, tcpdata, protocol="TCP", ipid=0x7789, flags=0x0000) ipdata = ippacker.get() #now send the data across the wire - need to prepend the ethernet header, of course mysender.send(self.eth_header + ipdata, "IP") return
def run_on_host(self, target): """ runs once on each host that is alive in the netrange """ host = target.interface if self.state == self.HALT: return mpacker = packetConstructor() mysender = sender(iface=self.iface, target=self.host) if self.doscanrand: devlog("icmpsweep", "Scanning %s from %s" % (host, self.source)) mpacker.ICMP_ECHO_REQUEST(self.source, host, 0, 0, "") # XXX: this inits it's own sender() doesn't use self.mysender self.eth_header = get_ethernet_header(self.host, self.iface) if self.eth_header == "": self.log( "Ethernet header did not get displayed properly - exiting") return 0 data = self.eth_header + mpacker.get() mysender.send(data, "IP") #if you don't sleep, you'll miss some ports. time.sleep(self.sleeptime) return
def make_dns_replies(self, txid, dest_port, name, sources, target, authorityname, response_ip): """ Sends DNS reples from sources ( a list of IP's) to target authority_name is the new name of their IP server response_ip is the new IP of their name server """ for source in sources: real_ip = exploitutils.get_source_ip(target) if real_ip == None: self.log("You have no default gateway for target ip %s" % target) self.log("Cannot continue - exiting") return iface = ip2iface[ real_ip] #actual ip->interface mapping done here so we know our gateway try: self.mysender = sender(iface) except socket.error: self.log("Cannot use raw socket!") return gateway = gateway_from_iface.get(iface, None) if not gateway: #self.log("No gateway found, must be on local network") dest_mac_address = mac_from_ip.get(target) if not dest_mac_address: self.log( "Cannot get mac address for %s - perhaps ping it to add it to arp cache?" % target) return else: #self.log("dest_mac_address=%s"%dest_mac_address) pass else: #self.log("Gateway found: %s"%gateway) dest_mac_address = mac_from_ip.get(gateway) if dest_mac_address == None: self.log("Cannot find destination mac address for %s" % gateway) return dnsconstructor = packetConstructor() dnsconstructor.DNSResponse(txid, name, authorityname, response_ip) dnsdata = dnsconstructor.get() udpconstructor = packetConstructor() udpconstructor.UDP(source, target, 53, dest_port, dnsdata) udpdata = udpconstructor.get() myconstructor = packetConstructor() eth_header = myconstructor.Ethernet(self.mysender.hardware_address, dest_mac_address, "IP") ip_packet = myconstructor.IP(source, target, udpdata) data = myconstructor.get() self.dns_replies += [data] #print "Data: %s"%(data.encode("HEX")) return
def make_dns_request(self, source, target, name): """ Sends a DNS Query to our target """ real_ip = exploitutils.get_source_ip(target) if real_ip == None: self.log("You have no default gateway for target ip %s" % target) self.log("Cannot continue - exiting") return iface = ip2iface[ real_ip] #actual ip->interface mapping done here so we know our gateway try: self.mysender = sender(iface) except socket.error: self.log("Cannot use raw socket!") return gateway = gateway_from_iface.get(iface, None) if not gateway: #self.log("No gateway found, must be on local network") dest_mac_address = mac_from_ip.get(target) if not dest_mac_address: self.log( "Cannot get mac address for %s - perhaps ping it to add it to arp cache?" % target) return else: #self.log("dest_mac_address=%s"%dest_mac_address) pass else: #self.log("Gateway found: %s"%gateway) dest_mac_address = mac_from_ip.get(gateway) if dest_mac_address == None: self.log("Cannot find destination mac address for %s" % gateway) return dnsconstructor = packetConstructor() txid = random.randint(1, 65535) self.txid = txid dnsconstructor.DNSQuery(txid, name) dnsdata = dnsconstructor.get() udpconstructor = packetConstructor() udp_source_port = random.randint(1, 65535) udpconstructor.UDP(source, target, udp_source_port, 53, dnsdata) udpdata = udpconstructor.get() myconstructor = packetConstructor() eth_header = myconstructor.Ethernet(self.mysender.hardware_address, dest_mac_address, "IP") ip_packet = myconstructor.IP(source, target, udpdata) data = myconstructor.get() #print "Data: %s"%(data.encode("HEX")) self.dns_requests += [data] return
def can_scanrand(self): if self.node.nodetype != "LocalNode": return 0 try: mysender=sender() except: self.log("Failed to open a raw socket...") return 0 return 1
def run_on_host(self, target): """ runs once on each host that is alive in the netrange """ host = target.interface if self.state == self.HALT: return if self.doscanrand: mysender = sender(target=host) for i in range(0, self.iterations): #test each port multiple times. numports = len(self.portlist) - len(self.closedports.keys()) if numports == 0: self.log("All ports were closed") break self.log("Running iteration %d/%d on %d ports" % (i, self.iterations, numports)) for port in self.portlist: if self.state == self.HALT: return if port % 1000 == 0: self.log("Testing port %d" % port) if port in self.closedports: #no need to test this port, already know it's closed continue if self.doscanrand: mpacker = packetConstructor() #self.port is really self.fromport here #print "source=%s dest=%s"%(source,dest) mpacker.UDP(self.source, host, self.fromport, port, "") mysender.sendto(mpacker.get(), "UDP", (host, 0)) #if you don't sleep, you'll miss some ports. time.sleep(self.sleeptime) else: ret = self.C_isOpen(host, self.port) if ret == 1: self.log("Found %s port %d open" % (host, self.port)) self.openhosts.append(host) elif ret == 0: self.log("Found %s port %d closed" % (host, self.port)) self.closedhosts.append(host) if self.state != self.HALT: #if we are not halted, let's wait for the rest of the packets just in case self.log("Sleeping for 5 seconds to recover all packets") time.sleep(5) return
def __init__(self, logger=None): if logger: self.log = logger self.txid = 0 #default for replies (we set this when we send a request) self.dns_replies = [] self.dns_requests = [] try: self.mysender = sender("eth0") except socket.error: self.log("Cannot use raw socket!") return
def can_scanrand(self): if self.node.nodetype != "LocalNode": self.log("Cannot do a scanrand-style scan from a remote node.") #can't do scanrand from remote nodes return 0 try: mysender = sender() except: self.log("Failed to open a raw socket...") return 0 return 1
def send_echo_request_packet(self): """ Sends a ICMP ECHO REQUEST packet with a non-zero code field. Also send a non-default TOS field. """ icmppacker = packetConstructor() icmppacker.ICMP_ECHO_REQUEST(self.source, self.host, 0, 0, code=1, tos=0xfe) data = self.eth_header + icmppacker.get() mysender = sender(target=self.host, iface=self.iface) mysender.send(data, "IP") return
def run_on_host(self,target): """ runs once on each host that is alive in the netrange """ host=target.interface if self.state==self.HALT: return mpacker=packetConstructor() mysender=sender() if self.doscanrand: mpacker.ICMP_ECHO_REQUEST(self.source,host,0,0,"") data=self.eth_header + mpacker.get() mysender.send(data,"IP") #if you don't sleep, you'll miss some ports. time.sleep(self.sleeptime) return
def send_tcp_request_packet(self): tcp_dest_port = self.tcp_dest_port mysender = sender(target=self.host, iface=self.iface) tcppacker = packetConstructor() ippacker = packetConstructor() flags = "SYN" tcppacker.TCP(self.source, self.host, flags, self.tcp_local_port, tcp_dest_port, "") tcpdata = tcppacker.get() ippacker = packetConstructor() #set DF flag here #flags is set as a 16 bit number... ippacker.IP(self.source, self.host, tcpdata, protocol="TCP", ipid=0x7788, flags=0x4000) ipdata = ippacker.get() #now send the data across the wire - need to prepend the ethernet header, of course mysender.send(self.eth_header + ipdata, "IP") return
def scanrand(self, allports, scanMode=SYNSCAN): # Fast CANVAS SCAN #first, we need to register as a callback with the sniffer #then we need to scan the ports if self.UUID: self.log("Don't do scanrand when looking for UUID") return 0 if not self.engine.sniffer_isactive(): self.log("sniffer not active") self.setInfo( "Portscan: sniffer not active - cannot do raw socket mode.") return 0 if self.node.nodetype != "LocalNode": self.log("Cannot do a scanrand-style scan from a remote node.") #can't do scanrand from remote nodes return 0 # scanrand not supported for IPv6 yet if ":" in self.host: self.log("[XXX] no IPv6 support for ScanRand yet !") return 0 try: mysender = sender(target=self.host) except: self.log("Failed to open a raw socket...") return 0 if scanMode == SYNSCAN: closedfs = "ipsource(%s) tcpflags(RST) tcpflags(ACK)" % self.host openfs = "ipsource(%s) tcpflags(SYN) tcpflags(ACK)" % self.host self.engine.register_sniffer_callback(self.opencallback, openfs) elif scanMode in [FINSCAN, XMASSCAN, NULLSCAN]: closedfs = "ipsource(%s) tcpflags(RST) tcpflags(ACK)" % self.host self.engine.register_sniffer_callback(self.finXmasNullCallback, closedfs) top = 2 source = self.source self.log("Source IP=%s" % source) mpacker = packetConstructor() dest = self.host for tries in range(1, top): self.log("Try %d/%d" % (tries, top - 1)) #have to do retries to make sure things work - well, no we don't #but we'll leave the possibility in regardless totallength = len(allports) current = 0 for port in allports: if self.done: self.engine.unregister_sniffer_callback(self.opencallback) return 0 if self.state == self.HALT: self.log("Ending portscan on port %d" % port) self.setInfo("%s stopped on port %d" % (NAME, port)) self.log("Open ports found so far: %s" % self.openports) self.target.replace_knowledge("TCPPORTS", self.openports, 100) self.engine.unregister_sniffer_callback(self.opencallback) return 0 mpacker.clear() if scanMode == SYNSCAN: mpacker.TCP(source, dest, ["SYN"], self.port, port, "") elif scanMode == FINSCAN: mpacker.TCP(source, dest, ["FIN"], self.port, port, "") elif scanMode == XMASSCAN: mpacker.TCP(source, dest, ["PSH", "FIN", "URG"], self.port, port, "") elif scanMode == NULLSCAN: mpacker.TCP(source, dest, [], self.port, port, "") mysender.sendto(mpacker.get(), "TCP", (dest, 0)) current += 1 if current % 100 == 0: self.log("%d ports scanned" % current) self.setProgress( ((current * 1.0) / (totallength * 1.0)) * 100) #if you don't sleep, you'll miss some ports. time.sleep(0.01) mysender.close() #close all raw sockets for sending self.log("Sleeping to recover any lost packets...") time.sleep(2) if scanMode == SYNSCAN: self.engine.unregister_sniffer_callback(self.opencallback) elif scanMode in [FINSCAN, XMASSCAN, NULLSCAN]: self.engine.unregister_sniffer_callback(self.finXmasNullCallback) return 1