def __main_thread(self, server, targets):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(5)
if ':' in server:
server, port = server.split(':', 1)
else:
port = 53
try:
port = int(port)
except:
port = 53
sock.connect((server, port))
for target in targets:
dnsqr = MetaPacket.new('dnsqr')
dnsqr.set_field('dnsqr.qname', target)
mpkt = MetaPacket.new('dns')
mpkt.set_fields('dns', {
'id' : randint(0, 2L**16-1),
'qd' : dnsqr})
sock.send(mpkt.get_raw())
def send_redirect(self, sip, dip):
key = sip + ':' + dip
delay = self.connections.get(key, None)
if delay and (time.time() - delay) <= self.delay:
return
self.connections[key] = time.time()
pkt = MetaPacket.new('ip') / MetaPacket.new('icmp')
pkt.set_field('ip.src', self.gateway)
pkt.set_field('ip.dst', dip)
pkt.set_field('icmp.type', 5) # Redirect
pkt.set_field('icmp.code', 0) # Redirect for network
pkt.set_field('icmp.gw', self.source)
self.packets += 1
self.session.context.si_l3(pkt)
self.session.output_page.user_msg(
_('%s to %s matches - redirect to %s') % (sip, dip, self.source),
STATUS_INFO, AUDIT_NAME)
self.summary = AUDIT_MSG % (_('%d redirects sent') % self.packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
def send_redirect(self, sip, dip):
key = sip + ':' + dip
delay = self.connections.get(key, None)
if delay and (time.time() - delay) <= self.delay:
return
self.connections[key] = time.time()
pkt = MetaPacket.new('ip') / MetaPacket.new('icmp')
pkt.set_field('ip.src', self.gateway)
pkt.set_field('ip.dst', dip)
pkt.set_field('icmp.type', 5) # Redirect
pkt.set_field('icmp.code', 0) # Redirect for network
pkt.set_field('icmp.gw', self.source)
self.packets += 1
self.session.context.si_l3(pkt)
self.session.output_page.user_msg(
_('%s to %s matches - redirect to %s') % (sip, dip, self.source),
STATUS_INFO, AUDIT_NAME)
self.summary = AUDIT_MSG % (_('%d redirects sent') % self.packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
def __thread_main(self):
try:
log.debug('Entered in __thread_main')
packets = 0
probes = self.probes
while probes != 0 and self.internal:
pkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
if self.sip is True:
sip = random_ip()
elif self.sip != '0.0.0.0':
sip = self.sip
if self.sport is True:
sport = randint(1, 65535)
else:
sport = self.sport
pkt.set_fields('ip', {'dst': self.dip, 'src': sip})
pkt.set_fields(
'tcp', {
'sport': sport,
'dport': self.dport,
'flags': TH_SYN,
'seq': randint(0, 2L**32 - 1)
})
self.context.si_l3(pkt)
sleep(self.delay)
probes -= 1
packets += 1
if self.probes > 0:
self.summary = AUDIT_MSG % _('%d of %d sent' \
% (packets, self.probes))
self.percentage = (packets / float(self.probes)) * 100.0
else:
self.summary = AUDIT_MSG % _('%d sent' % packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
if self.internal:
self.summary = AUDIT_MSG % _('Finished with %d sent' % packets)
self.internal = False
else:
self.summary = AUDIT_MSG % _('stopped')
self.percentage = 100.0
self.state = self.NOT_RUNNING
except Exception, err:
log.error(generate_traceback())
def __thread_main(self):
try:
log.debug('Entered in __thread_main')
packets = 0
probes = self.probes
while probes != 0 and self.internal:
pkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
if self.sip is True:
sip = random_ip()
elif self.sip != '0.0.0.0':
sip = self.sip
if self.sport is True:
sport = randint(1, 65535)
else:
sport = self.sport
pkt.set_fields('ip', {
'dst' : self.dip,
'src' : sip})
pkt.set_fields('tcp', {
'sport' : sport,
'dport' : self.dport,
'flags' : TH_SYN,
'seq' : randint(0, 2L**32-1)})
self.context.si_l3(pkt)
sleep(self.delay)
probes -= 1
packets += 1
if self.probes > 0:
self.summary = AUDIT_MSG % _('%d of %d sent' \
% (packets, self.probes))
self.percentage = (packets / float(self.probes)) * 100.0
else:
self.summary = AUDIT_MSG % _('%d sent' % packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
if self.internal:
self.summary = AUDIT_MSG % _('Finished with %d sent' % packets)
self.internal = False
else:
self.summary = AUDIT_MSG % _('stopped')
self.percentage = 100.0
self.state = self.NOT_RUNNING
except Exception, err:
log.error(generate_traceback())
def send_tcpkill(ctx, src, dst, sport, dport, seq):
mpkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
mpkt.set_fields('ip', {'src': src, 'dst': dst})
mpkt.set_fields('tcp', {
'sport': sport,
'dport': dport,
'seq': seq,
'ack': 0,
'flags': TH_RST
})
ctx.si_l3(mpkt)
def send_dhcp(self, sip, dip, dmac, bootpkt):
mpkt = MetaPacket.new('eth') / \
MetaPacket.new('ip') / \
MetaPacket.new('udp') / bootpkt
mpkt.set_field('eth.dst', dmac)
mpkt.set_field('ip.src', sip)
mpkt.set_field('ip.dst', dip)
mpkt.set_field('udp.sport', 67)
mpkt.set_field('udp.dport', 68)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
self.session.context.si_l2(mpkt)
def send_tcpkill(ctx, src, dst, sport, dport, seq):
mpkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
mpkt.set_fields('ip', {
'src' : src,
'dst' : dst})
mpkt.set_fields('tcp', {
'sport' : sport,
'dport' : dport,
'seq' : seq,
'ack' : 0,
'flags' : TH_RST})
ctx.si_l3(mpkt)
def __on_discover(self, mpkt):
values = self.get_values(mpkt)
spoof = MetaPacket.new_from_layer(mpkt, 'bootp')
spoof.set_field('bootp.op', BOOTP_REPLY)
try:
client_ip = self.pool_iter.next()
except StopIteration:
log.debug('No available IP address')
return
spoof.set_field('bootp.yiaddr', client_ip)
spoof.set_field('bootp.siaddr', self.session.context.get_ip1())
options = self.setup_options(values).items()
options.append(('message-type', 'offer'))
options.append('end')
spoof.set_field('dhcp.options', options)
self.send_dhcp(
self.session.context.get_ip1(),
mpkt.l3_src != '0.0.0.0' and mpkt.l3_src or '255.255.255.255',
mpkt.l2_src, spoof)
def __ping_thread(self):
# TODO: maybe will be better to use IPy or something
# like that to handle also IPv6
ip = unpack('!I', inet_aton(self.ip))[0]
nm = unpack('!I', inet_aton(self.netmask))[0]
last = unpack('!I', '\xff\xff\xff\xff')[0]
start = ip & nm
end = (last ^ nm) | ip
sent = 0
totals = float(end - start)
# NB: With this method we ping also broadcast and reserved
# addresses
pkt = MetaPacket.new('eth') / MetaPacket.new('arp')
pkt.set_field('eth.src', self.sess.context.get_mac1())
pkt.set_field('eth.dst', 'ff:ff:ff:ff:ff:ff')
pkt.set_field('arp.hwsrc', self.sess.context.get_mac1())
pkt.set_field('arp.hwdst', '00:00:00:00:00:00')
pkt.set_field('arp.psrc', self.sess.context.get_ip1())
while self.internal and start <= end:
pkt.set_field('arp.pdst', inet_ntoa(pack('!I', start)))
self.sess.context.si_l2(pkt)
time.sleep(0.01)
self.percentage = (sent / totals) * 100.0
start += 1
sent += 1
if not self.internal:
self.summary = AUDIT_MSG % _('stopped')
self.sess.output_page.user_msg(
_('Scanning for hosts on iface %s with IP: %s and Netmask: %s stopped') \
% (self.iface, self.ip, self.netmask), STATUS_WARNING, AUDIT_NAME)
else:
self.summary = AUDIT_MSG % _('finished')
self.sess.output_page.user_msg(
_('Scanning for hosts on iface %s with IP: %s and Netmask: %s finished') \
% (self.iface, self.ip, self.netmask), STATUS_INFO, AUDIT_NAME)
self.internal = False
self.state = self.NOT_RUNNING
self.percentage = 100.0
def send_icmp_echo(self, ctx, sip, dip, smac, dmac):
mpkt = MetaPacket.new('eth') / \
MetaPacket.new('ip') / \
MetaPacket.new('icmp') / \
MetaPacket.new('raw')
mpkt.set_field('eth.dst', dmac)
mpkt.set_field('eth.src', smac)
mpkt.set_field('ip.src', sip)
mpkt.set_field('ip.dst', dip)
mpkt.set_field('raw.load', ping_payload)
#log.info(mpkt.summary())
#log.info('Sending ICMP echo (%s -> %s) [%s -> %s]' % (
# sip, dip, smac, dmac))
ctx.si_l2(mpkt)
def send_arp(self, ctx, type, sip, smac, dip, dmac):
mpkt = MetaPacket.new('eth') / MetaPacket.new('arp')
mpkt.set_field('eth.dst', dmac)
if type == ARP_REQUEST:
dmac = '00:00:00:00:00:00'
mpkt.set_field('arp.op', type)
mpkt.set_field('arp.hwsrc', smac)
mpkt.set_field('arp.hwdst', dmac)
mpkt.set_field('arp.psrc', sip)
mpkt.set_field('arp.pdst', dip)
#log.info(mpkt.summary())
#log.info('Sending %s (%s -> %s) [%s -> %s]' % (
# type == ARP_REQUEST and 'who-has' or 'is-at',
# sip, dip, smac, dmac))
ctx.si_l2(mpkt)
def inject_buffer(ctx, conn, index, buff):
if conn.l4_proto == NL_TYPE_TCP:
proto = 'tcp'
elif conn.l4_proto == NL_TYPE_UDP:
proto = 'udp'
else:
return False
mpkt = MetaPacket.new('ip') / MetaPacket.new(proto)
if index == 0:
mpkt.l3_src = conn.l3_addr1
mpkt.l3_dst = conn.l3_addr2
mpkt.l4_src = conn.l4_addr1
mpkt.l4_dst = conn.l4_addr2
else:
mpkt.l3_src = conn.l3_addr2
mpkt.l3_dst = conn.l3_addr1
mpkt.l4_src = conn.l4_addr2
mpkt.l4_dst = conn.l4_addr1
mpkt.l4_proto = conn.l4_proto
mpkt.set_fields('ip', {
'src' : mpkt.l3_src,
'dst' : mpkt.l3_dst})
mpkt.set_fields(proto, {
'sport' : mpkt.l4_src,
'dport' : mpkt.l4_dst})
mpkt.inject = buff
mpkt.inject_len = len(buff)
index += 2
conn.flags = CN_INJECTED
conn.buffers.append((index, buff))
ctx.inject_buffer(mpkt)
return True
def poison(self, sess, host, target, hwsrc, hwdst, packets, delay):
pkt = MetaPacket.new('eth') / MetaPacket.new('arp')
if hwdst:
pkt.set_field('eth.dst', hwdst)
pkt.set_field('arp.hwdst', hwdst)
else:
pkt.set_field('arp.hwdst', 'ff:ff:ff:ff:ff:ff')
pkt.set_field('arp.op', 'is-at')
pkt.set_field('arp.psrc', host)
pkt.set_field('arp.pdst', target)
if hwsrc:
pkt.set_field('arp.hwsrc', hwsrc)
self.status.info(_('Starting ARP cache poison against %s '
'(capturing packets directed to %s)') % (target, host))
send = sess.context.s_l2(pkt, repeat=packets, delay=delay)
def inject_buffer(ctx, conn, index, buff):
if conn.l4_proto == NL_TYPE_TCP:
proto = 'tcp'
elif conn.l4_proto == NL_TYPE_UDP:
proto = 'udp'
else:
return False
mpkt = MetaPacket.new('ip') / MetaPacket.new(proto)
if index == 0:
mpkt.l3_src = conn.l3_addr1
mpkt.l3_dst = conn.l3_addr2
mpkt.l4_src = conn.l4_addr1
mpkt.l4_dst = conn.l4_addr2
else:
mpkt.l3_src = conn.l3_addr2
mpkt.l3_dst = conn.l3_addr1
mpkt.l4_src = conn.l4_addr2
mpkt.l4_dst = conn.l4_addr1
mpkt.l4_proto = conn.l4_proto
mpkt.set_fields('ip', {'src': mpkt.l3_src, 'dst': mpkt.l3_dst})
mpkt.set_fields(proto, {'sport': mpkt.l4_src, 'dport': mpkt.l4_dst})
mpkt.inject = buff
mpkt.inject_len = len(buff)
index += 2
conn.flags = CN_INJECTED
conn.buffers.append((index, buff))
ctx.inject_buffer(mpkt)
return True
def __main_thread(self, server, targets):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(5)
if ':' in server:
server, port = server.split(':', 1)
else:
port = 53
try:
port = int(port)
except:
port = 53
sock.connect((server, port))
for target in targets:
dnsqr = MetaPacket.new('dnsqr')
dnsqr.set_field('dnsqr.qname', target)
mpkt = MetaPacket.new('dns')
mpkt.set_fields('dns', {'id': randint(0, 2L**16 - 1), 'qd': dnsqr})
sock.send(mpkt.get_raw())
def __init__(self, sess, ip, delay, probes, report):
AuditOperation.__init__(self)
self.session = sess
self.pkt = MetaPacket.new('arp')
self.pkt.set_field('arp.pdst', ip)
self.delay = delay
self.probes = probes
self.report = report
self.packets = 0
self.times = []
self.sender = None
def execute_audit(self, sess, inp_dict):
datalink = sess.context.datalink()
if datalink not in (IL_TYPE_ETH, IL_TYPE_TR, IL_TYPE_FDDI):
self.status.error(_('Could not run arpcachepoison. Datalink '
'not supported. Ethernet needed.'))
return False
host = inp_dict['host']
hwsrc = inp_dict['hwsrc']
target = inp_dict['target']
packets = inp_dict['packets']
delay = max(300, inp_dict['delay'])
if packets <= 0:
packets = -1
if not is_ip(host):
self.status.error(_('Not a valid IP address for host'))
return False
if not is_ip(target):
self.status.error(_('Not a valid IP address for target'))
return False
if hwsrc and not is_mac(hwsrc):
self.status.error(_('Not a valid MAC address for hwsrc'))
return False
if target != '0.0.0.0':
# We have to solve the IP as MAC address
pkt = MetaPacket.new('arp')
pkt.set_field('arp.pdst', target)
sess.context.sr_l3(pkt, timeout=4,
onerror=self.on_error,
onreply=self.on_resolved,
udata=(sess, host, target, hwsrc, packets, delay))
self.status.info(_('Trying to resolve IP: %s') % target)
else:
self.poison(sess, host, target, hwsrc, '', packets, delay)
return True
def udp_injector(context, mpkt, length):
mpkt.set_fields('udp', {
'sport' : mpkt.l4_src,
'dport' : mpkt.l4_dst,
'chksum' : None})
length += UDP_LENGTH
mpkt.session = None
injector = AuditManager().get_injector(0, STATELESS_IP_MAGIC)
is_ok, length = injector(context, mpkt, length)
length = context.get_mtu() - length
if length > mpkt.inject_len:
length = mpkt.inject_len
payload = mpkt.inject[:length]
payload_pkt = MetaPacket.new('raw')
payload_pkt.set_field('raw.load', payload)
mpkt.add_to('udp', payload_pkt)
return True, length
def __on_request(self, mpkt):
values = self.get_values(mpkt)
spoof = MetaPacket.new_from_layer(mpkt, 'bootp')
spoof.set_field('bootp.op', BOOTP_REPLY)
if 'requested_addr' in values:
client_ip = values.pop('requested_addr')
else:
client_ip = mpkt.get_field('bootp.ciaddr')
if client_ip == '0.0.0.0':
log.debug('Client ip is 0.0.0.0 Exit!')
return
spoof.set_field('bootp.yiaddr', client_ip)
if 'server_id' in values:
server_ip = values.pop('server_id')
else:
server_ip = self.session.context.get_ip1()
spoof.set_field('bootp.siaddr', server_ip)
options = self.setup_options(values)
options['server_id'] = server_ip
options = options.items()
options.append(('message-type', 'ack'))
options.append('end')
spoof.set_field('dhcp.options', options)
self.send_dhcp(
self.session.context.get_ip1(),
mpkt.l3_src != '0.0.0.0' and mpkt.l3_src or '255.255.255.255',
mpkt.l2_src, spoof)
def udp_injector(context, mpkt, length):
mpkt.set_fields('udp', {
'sport': mpkt.l4_src,
'dport': mpkt.l4_dst,
'chksum': None
})
length += UDP_LENGTH
mpkt.session = None
injector = AuditManager().get_injector(0, STATELESS_IP_MAGIC)
is_ok, length = injector(context, mpkt, length)
length = context.get_mtu() - length
if length > mpkt.inject_len:
length = mpkt.inject_len
payload = mpkt.inject[:length]
payload_pkt = MetaPacket.new('raw')
payload_pkt.set_field('raw.load', payload)
mpkt.add_to('udp', payload_pkt)
return True, length
def smb(mpkt):
try:
nbt = MetaPacket.new_from_str('nbt', mpkt.data)
except:
return
sess = sessions.lookup_session(mpkt, SMB_PORTS, SMB_NAME)
if not sess:
if nbt.get_field('smb.Start', '') != '\xffSMB':
return
# From server
if mpkt.l4_src in SMB_PORTS and \
nbt.get_field('smb.Command', 0) == 0x72:
mpkt.set_cfield('banner', 'SMB')
# Negotiate response
sess = sessions.lookup_session(mpkt, SMB_PORTS, SMB_NAME, True)
session_data = SMBSession()
sess.data = session_data
if nbt.get_field('smbneg_resp.SecurityMode', None) == 0:
session_data.auth_type = PLAIN_TEXT_AUTH
session_data.status = WAITING_PLAIN_TEXT
else:
keylength, challenge = nbt.get_fields(
'smbneg_resp', ('EncryptionKeyLength', 'EncryptionKey')
)
if challenge:
keylength -= 1
while keylength >= 0:
session_data.challenge += struct.pack("B",
(challenge >> (8 * keylength)) & 255
)
keylength -= 1
session_data.status = WAITING_ENCRYPT
session_data.auth_type = CHALLENGE_RESPONSE_AUTH
else:
session_data.status = WAITING_CHALLENGE
session_data.auth_type = NTLMSSP_AUTH
# From client
if mpkt.l4_dst in SMB_PORTS and \
nbt.get_field('smb.Command', 0) == 0x73:
blob = nbt.get_field('smbsax_req_as.SecurityBlob', '')
idx = blob.find("NTLMSSP")
if idx < 0:
return
blob = blob[idx:]
if blob[8] != '\x01':
return
sess = sessions.lookup_session(mpkt, SMB_PORTS, SMB_NAME, True)
session_data = SMBSession()
session_data.status = WAITING_CHALLENGE
session_data.auth_type = NTLMSSP_AUTH
sess.data = session_data
else:
session_data = sess.data
# Client packets
if mpkt.l4_dst in SMB_PORTS:
if session_data.auth_type == NTLMSSP_AUTH and \
session_data.status == LOGON_COMPLETED_FAILURE:
session_data.status = WAITING_CHALLENGE
if nbt.get_field('smb.Start', '') != '\xffSMB':
return
if nbt.get_field('smb.Command', 0) == 0x73:
if session_data.status == WAITING_PLAIN_TEXT or \
session_data.status == WAITING_ENCRYPT:
resp1, resp2, user, domain, os = \
nbt.get_fields('smbsax_req',
('ANSIPassword',
'UnicodePassword',
'Account',
'PrimaryDomain',
'NativeOS'))
path = nbt.get_field('smbtcax_req.Path', '')
session_data.response1 = resp1
session_data.response2 = resp2
session_data.user = user
session_data.domain = domain
if os:
session_data.domain += ' OS: %s' % os
if path:
session_data.domain += ' PATH: %s' % path
# Empty session
if not resp1.replace('\x00', '') and \
not resp2.replace('\x00', ''):
session_data.response1 = ''
session_data.response2 = ''
session_data.user = ''
#session_data.domain = ''
session_data.status = WAITING_LOGON_RESPONSE
elif session_data.status == WAITING_RESPONSE:
blob = nbt.get_field('smbsax_req_as.SecurityBlob', '')
idx = blob.find("NTLMSSP")
if idx < 0:
return
blob = blob[idx:]
if blob[8] == '\x03':
lm_len = ord(blob[12])
lm_off = ord(blob[16])
nt_len = ord(blob[20])
nt_off = ord(blob[24])
dm_len = ord(blob[28])
dm_off = ord(blob[32])
un_len = ord(blob[36])
un_off = ord(blob[40])
if nt_len != 24:
session_data.status = WAITING_CHALLENGE
return
session_data.user = blob[un_off:un_off + un_len].replace('\x00', '')
session_data.domain = blob[dm_off:dm_off + dm_len].replace('\x00', '')
if lm_len == 24:
session_data.response1 = blob[lm_off:lm_off + 24]
session_data.response2 = blob[nt_off:nt_off + 24]
session_data.status = WAITING_LOGON_RESPONSE
else:
# Server packets
if nbt.get_field('smb.Command', 0) == 0x73:
if session_data.status == WAITING_CHALLENGE:
blob = nbt.get_field('smbsax_resp_as.SecurityBlob', '')
idx = blob.find('NTLMSSP')
if idx < 0:
return
blob = blob[idx:]
if blob[8] == '\x02':
session_data.challenge = blob[8 + 16:8 + 16 + 8]
session_data.status = WAITING_RESPONSE
elif session_data.status == WAITING_LOGON_RESPONSE:
if mpkt.get_field('smb.Error_Class', 0) == 0:
session_data.status = LOGON_COMPLETED_OK
session_data.report(mpkt, manager)
sessions.delete_session(sess)
else:
session_data.status = LOGON_COMPLETED_FAILURE
session_data.report(mpkt, manager)
if session_data.auth_type == CHALLENGE_RESPONSE_AUTH:
session_data.status = WAITING_ENCRYPT
def smb(mpkt):
try:
nbt = MetaPacket.new_from_str('nbt', mpkt.data)
except:
return
sess = sessions.lookup_session(mpkt, SMB_PORTS, SMB_NAME)
if not sess:
if nbt.get_field('smb.Start', '') != '\xffSMB':
return
# From server
if mpkt.l4_src in SMB_PORTS and \
nbt.get_field('smb.Command', 0) == 0x72:
mpkt.set_cfield('banner', 'SMB')
# Negotiate response
sess = sessions.lookup_session(mpkt, SMB_PORTS, SMB_NAME, True)
session_data = SMBSession()
sess.data = session_data
if nbt.get_field('smbneg_resp.SecurityMode', None) == 0:
session_data.auth_type = PLAIN_TEXT_AUTH
session_data.status = WAITING_PLAIN_TEXT
else:
keylength, challenge = nbt.get_fields(
'smbneg_resp',
('EncryptionKeyLength', 'EncryptionKey'))
if challenge:
keylength -= 1
while keylength >= 0:
session_data.challenge += struct.pack(
"B", (challenge >> (8 * keylength)) & 255)
keylength -= 1
session_data.status = WAITING_ENCRYPT
session_data.auth_type = CHALLENGE_RESPONSE_AUTH
else:
session_data.status = WAITING_CHALLENGE
session_data.auth_type = NTLMSSP_AUTH
# From client
if mpkt.l4_dst in SMB_PORTS and \
nbt.get_field('smb.Command', 0) == 0x73:
blob = nbt.get_field('smbsax_req_as.SecurityBlob', '')
idx = blob.find("NTLMSSP")
if idx < 0:
return
blob = blob[idx:]
if blob[8] != '\x01':
return
sess = sessions.lookup_session(mpkt, SMB_PORTS, SMB_NAME, True)
session_data = SMBSession()
session_data.status = WAITING_CHALLENGE
session_data.auth_type = NTLMSSP_AUTH
sess.data = session_data
else:
session_data = sess.data
# Client packets
if mpkt.l4_dst in SMB_PORTS:
if session_data.auth_type == NTLMSSP_AUTH and \
session_data.status == LOGON_COMPLETED_FAILURE:
session_data.status = WAITING_CHALLENGE
if nbt.get_field('smb.Start', '') != '\xffSMB':
return
if nbt.get_field('smb.Command', 0) == 0x73:
if session_data.status == WAITING_PLAIN_TEXT or \
session_data.status == WAITING_ENCRYPT:
resp1, resp2, user, domain, os = \
nbt.get_fields('smbsax_req',
('ANSIPassword',
'UnicodePassword',
'Account',
'PrimaryDomain',
'NativeOS'))
path = nbt.get_field('smbtcax_req.Path', '')
session_data.response1 = resp1
session_data.response2 = resp2
session_data.user = user
session_data.domain = domain
if os:
session_data.domain += ' OS: %s' % os
if path:
session_data.domain += ' PATH: %s' % path
# Empty session
if not resp1.replace('\x00', '') and \
not resp2.replace('\x00', ''):
session_data.response1 = ''
session_data.response2 = ''
session_data.user = ''
#session_data.domain = ''
session_data.status = WAITING_LOGON_RESPONSE
elif session_data.status == WAITING_RESPONSE:
blob = nbt.get_field('smbsax_req_as.SecurityBlob', '')
idx = blob.find("NTLMSSP")
if idx < 0:
return
blob = blob[idx:]
if blob[8] == '\x03':
lm_len = ord(blob[12])
lm_off = ord(blob[16])
nt_len = ord(blob[20])
nt_off = ord(blob[24])
dm_len = ord(blob[28])
dm_off = ord(blob[32])
un_len = ord(blob[36])
un_off = ord(blob[40])
if nt_len != 24:
session_data.status = WAITING_CHALLENGE
return
session_data.user = blob[un_off:un_off +
un_len].replace(
'\x00', '')
session_data.domain = blob[dm_off:dm_off +
dm_len].replace(
'\x00', '')
if lm_len == 24:
session_data.response1 = blob[lm_off:lm_off +
24]
session_data.response2 = blob[nt_off:nt_off + 24]
session_data.status = WAITING_LOGON_RESPONSE
else:
# Server packets
if nbt.get_field('smb.Command', 0) == 0x73:
if session_data.status == WAITING_CHALLENGE:
blob = nbt.get_field('smbsax_resp_as.SecurityBlob', '')
idx = blob.find('NTLMSSP')
if idx < 0:
return
blob = blob[idx:]
if blob[8] == '\x02':
session_data.challenge = blob[8 + 16:8 + 16 + 8]
session_data.status = WAITING_RESPONSE
elif session_data.status == WAITING_LOGON_RESPONSE:
if mpkt.get_field('smb.Error_Class', 0) == 0:
session_data.status = LOGON_COMPLETED_OK
session_data.report(mpkt, manager)
sessions.delete_session(sess)
else:
session_data.status = LOGON_COMPLETED_FAILURE
session_data.report(mpkt, manager)
if session_data.auth_type == CHALLENGE_RESPONSE_AUTH:
session_data.status = WAITING_ENCRYPT
class SnoopTab(UmitView):
icon_name = gtk.STOCK_INFO
tab_position = gtk.POS_LEFT
label_text = _('DNS Cache snoop')
name = 'DNSCacheSnoop'
def create_ui(self):
self.active = False
self.output = []
self.toolbar = gtk.Toolbar()
self.toolbar.set_style(gtk.TOOLBAR_ICONS)
self.toolbar.set_orientation(gtk.ORIENTATION_HORIZONTAL)
for name, stock, cb in (('Copy', gtk.STOCK_COPY, self.__on_copy),
('Open', gtk.STOCK_OPEN, self.__on_open),
('Execute', gtk.STOCK_EXECUTE,
self.__on_execute)):
act = gtk.Action(name, name, '', stock)
act.connect('activate', cb)
self.toolbar.insert(act.create_tool_item(), -1)
self._main_widget.pack_start(self.toolbar, False, False)
self.server = gtk.Entry()
self._main_widget.pack_start(self.server, False, False)
self.store = gtk.ListStore(bool, str, int)
self.tree = gtk.TreeView(self.store)
self.tree.append_column(
gtk.TreeViewColumn('', gtk.CellRendererToggle(), active=0))
rend = gtk.CellRendererText()
rend.connect('edited', self.__edited_cb)
rend.set_property('editable', True)
col = gtk.TreeViewColumn('Host', rend, text=1)
col.set_expand(True)
self.tree.append_column(col)
self.tree.append_column(
gtk.TreeViewColumn('TTL', gtk.CellRendererText(), text=2))
self.tree.set_rules_hint(True)
self.selection = self.tree.get_selection()
self.menu = gtk.Menu()
for name, stock, cb in (('Add', gtk.STOCK_ADD, self.__on_add),
('Remove', gtk.STOCK_REMOVE,
self.__on_remove)):
act = gtk.Action(name, name, '', stock)
act.connect('activate', cb)
self.menu.append(act.create_menu_item())
self.tree.connect('button-press-event', self.__on_button)
sw = gtk.ScrolledWindow()
sw.set_policy(gtk.POLICY_AUTOMATIC, gtk.POLICY_AUTOMATIC)
sw.set_shadow_type(gtk.SHADOW_ETCHED_IN)
sw.add(self.tree)
self._main_widget.pack_start(sw)
self._main_widget.show_all()
def __edited_cb(self, rend, path, new_text):
iter = self.store.get_iter_from_string(path)
self.store.set_value(iter, 1, new_text)
def __on_button(self, tree, evt):
if evt.button != 3:
return False
self.menu.show_all()
self.menu.popup(None, None, None, evt.button, evt.time)
return True
def __on_add(self, widget):
model, iter = self.selection.get_selected()
newrow = (False, 'edit me', 0)
if not iter:
self.store.append(newrow)
else:
self.store.insert_after(None, iter, newrow)
def __on_remove(self, widget):
model, iter = self.selection.get_selected()
if iter:
self.store.remove(iter)
def __on_copy(self, act):
out = ''
for row in self.store:
out += "[%s] %s (%d)\n" % (row[0] and '+' or '-', row[1], row[2])
if out:
clip = gtk.clipboard_get()
clip.set_text('Result for %s DNS server\n' %
self.server.get_text() + out)
def __on_execute(self, act):
if self.active:
return
self.active = True
self.thread = None
self.tree.set_sensitive(False)
self.server.set_sensitive(False)
self.toolbar.set_sensitive(False)
server = self.server.get_text()
targets = [row[1] for row in self.store]
self.thread = Thread(target=self.__main_thread,
name='DNSCacheSnoop',
kwargs={
'targets': targets,
'server': server
})
self.thread.setDaemon(True)
self.thread.start()
gobject.timeout_add(1000, self.__check_finished)
def __check_finished(self):
if self.thread is not None:
return True
log.debug(str(self.output))
idx = 0
while idx < len(self.output):
present, ttl = self.output[idx]
iter = self.store.get_iter((idx, ))
if iter:
self.store.set(iter, 0, present, 2, ttl)
idx += 1
self.output = []
self.tree.set_sensitive(True)
self.server.set_sensitive(True)
self.toolbar.set_sensitive(True)
self.active = False
return False
def __on_open(self, act):
dialog = gtk.FileChooserDialog(_('Select a query file'),
PMApp().main_window,
gtk.FILE_CHOOSER_ACTION_OPEN,
(gtk.STOCK_OPEN, gtk.RESPONSE_ACCEPT,
gtk.STOCK_CANCEL, gtk.RESPONSE_REJECT))
if dialog.run() == gtk.RESPONSE_ACCEPT:
fname = dialog.get_filename()
if fname:
fd = open(fname, 'r')
contents = fd.read()
fd.close()
self.store.clear()
for line in contents.splitlines():
line = line.strip()
if line:
self.store.append((False, line, 0))
dialog.hide()
dialog.destroy()
def __main_thread(self, server, targets):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(5)
if ':' in server:
server, port = server.split(':', 1)
else:
port = 53
try:
port = int(port)
except:
port = 53
sock.connect((server, port))
for target in targets:
dnsqr = MetaPacket.new('dnsqr')
dnsqr.set_field('dnsqr.qname', target)
mpkt = MetaPacket.new('dns')
mpkt.set_fields('dns', {'id': randint(0, 2L**16 - 1), 'qd': dnsqr})
sock.send(mpkt.get_raw())
try:
buff = sock.recv(1024)
mpkt = MetaPacket.new_from_str('dns', buff)
if mpkt.get_field('dns.ancount', 0) == 0:
self.output.append((False, 0))
else:
found = False
qd = mpkt.get_field('dns.an', None)
while qd is not None:
rrname = qd.get_field('dnsrr.rrname', '')
if rrname.startswith(target):
self.output.append((True, \
qd.get_field('dnsrr.ttl', 0)))
log.debug('Reply for %s' % target)
found = True
break
qd = mpkt.get_field('dnsrr.payload', None)
if not found:
self.output.append((False, 0))
log.debug('No reply for %s' % target)
except Exception, exc:
log.debug('Cannot parse DNS reply for %s ' \
'or timeout occurred' % target)
log.error(generate_traceback())
self.output.append((False, 0))
def _inject_tcp(self, context, mpkt, length):
"""
Function that manages injection of fragments in active TCP connection
"""
ident = TCPIdent.create(mpkt)
sess = SessionManager().get_session(ident)
if not sess:
log.debug("No TCP session found.")
return False, length
if ident.l3_src == sess.ident.l3_src:
status = sess.data[1]
ostatus = sess.data[0]
else:
status = sess.data[0]
ostatus = sess.data[1]
mpkt.set_fields('tcp', {
'sport' : mpkt.l4_src,
'dport' : mpkt.l4_dst,
'dataofs' : 5,
'chksum' : None,
'urgptr' : 0,
'flags' : TH_PSH,
'options' : {}})
if status.injectable & INJ_FIN or \
not status.injectable & INJ_FWD or \
not ostatus.injectable & INJ_FWD:
log.debug("Session is not injectable.")
return False, length
mpkt.set_fields('tcp', {
'seq' : status.last_seq + status.seq_adj,
'ack' : status.last_ack - ostatus.seq_adj})
if status.last_ack != 0:
mpkt.set_field('tcp.flags', mpkt.l4_flags | TH_ACK)
mpkt.session = sess.prev
length += 20 + mpkt.l2_len
injector = AuditManager().get_injector(0, mpkt.session.ident.magic)
is_ok, length = injector(context, mpkt, length)
if not is_ok:
return is_ok, length
length = context.get_mtu() - length
if length > mpkt.inject_len:
length = mpkt.inject_len
payload = mpkt.inject[:length]
payload_pkt = MetaPacket.new('raw')
payload_pkt.set_field('raw.load', payload)
mpkt.add_to('tcp', payload_pkt)
status.seq_adj += length
mpkt.data_len = length
return True, length
