def ecn_craft(pkt, mac, fp): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['ECN']['TTL'], 16) ip_flag = fp.probe['ECN']['DF'] if ip_flag == 'Y': ip.flags = 2 else: ip.flags = 0 ip.id = fp.ip_id_gen() tcp = TCP() w_val = fp.probe['ECN']['W'] if w_val == 'ECHOED': tcp.window = pkt[TCP].window else: tcp.window = w_val tcp.sport = pkt[TCP].dport tcp.dport = pkt[TCP].sport cc_val = fp.probe['ECN']['CC'] if cc_val == 'Y': tcp.flags = 0x52 elif cc_val == 'N': tcp.flags = 0x12 elif cc_val == 'S': tcp.flags = 0xD2 else: tcp.flags = 0x10 o_val = fp.probe['ECN']['O'] if o_val == 'EMPTY': pass else: tcp.options = o_val fin_pkt = ip / tcp if ether is None else ether / ip / tcp return fin_pkt
def service_craft(pkt, fp, mac, service, type_=False): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.ttl, 16) ip.flags = 0x4000 tcp = TCP() tcp.sport = pkt[TCP].dport tcp.dport = pkt[TCP].sport if type_: tcp.flags = 0x018 # PSH / ACK tcp.seq = pkt[TCP].seq tcp.ack = pkt[TCP].ack data = service[pkt[TCP].dport] fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data return fin_pkt else: tcp.flags = 0x012 # SYN / ACK tcp.seq = pkt[TCP].seq tcp.ack = pkt[TCP].seq + 1 fin_pkt = ip / tcp if ether is None else ether / ip / tcp return fin_pkt
def seqgen_pkt_craft(pkt, fp, mac, pno): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['T1']['TTL'], 16) ip.flags = fp.probe['T1']['DF'] ip.id = fp.ip_id_gen() tcp = TCP() s_val = fp.probe['T1']['S'] if s_val == 'Z': tcp.seq = 0 elif s_val == 'A': tcp.seq = pkt[TCP].ack elif s_val == 'A+': tcp.seq = pkt[TCP].ack + 1 else: tcp.seq = fp.tcp_seq_gen() a_val = fp.probe['T1']['A'] if a_val == 'Z': tcp.ack = 0 elif a_val == 'S': tcp.ack = pkt[TCP].seq elif a_val == 'S+': tcp.ack = pkt[TCP].seq + 1 else: tcp.ack = pkt[TCP].seq + 369 flag_val = fp.probe['T1']['F'] tcp.flags = flag_val tcp.window = fp.probe['WIN']['W' + pno] tcp.sport = pkt[TCP].dport tcp.dport = pkt[TCP].sport tcp.options = fp.probe['OPS']['O' + pno] rd_val = fp.probe['T1']['RD'] if rd_val != '0': crc = int(rd_val, 16) data = b'TCP Port is closed\x00' data += compensate(data, crc) fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data else: fin_pkt = ip / tcp if ether is None else ether / ip / tcp return fin_pkt
def cmd_icmp_ping(ip, interface, count, timeout, wait, verbose): """The classic ping tool that send ICMP echo requests. \b # habu.icmp.ping 8.8.8.8 IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding """ if interface: conf.iface = interface conf.verb = False conf.L3socket = L3RawSocket layer3 = IP() layer3.dst = ip layer3.tos = 0 layer3.id = 1 layer3.flags = 0 layer3.frag = 0 layer3.ttl = 64 layer3.proto = 1 # icmp layer4 = ICMP() layer4.type = 8 # echo-request layer4.code = 0 layer4.id = 0 layer4.seq = 0 pkt = layer3 / layer4 counter = 0 while True: ans = sr1(pkt, timeout=timeout) if ans: if verbose: ans.show() else: print(ans.summary()) del (ans) else: print('Timeout') counter += 1 if count != 0 and counter == count: break sleep(wait) return True
def udp_craft(pkt, mac, fp): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['U1']['TTL'], 16) ip.flags = fp.probe['U1']['DF'] ip.len = 56 ip.id = 4162 icmp = ICMP() icmp.type = 3 icmp.unused = 0 icmp.code = 13 # code 3 for reply iperror = IPerror() iperror.proto = 'udp' iperror.ttl = 0x3E iperror.len = fp.probe['U1']['RIPL'] iperror.id = fp.probe['U1']['RID'] ripck_val = fp.probe['U1']['RIPCK'] if ripck_val == 'G': pass elif ripck_val == 'Z': iperror.chksum = 0 else: iperror.chksum = pkt[IP].chksum udperror = UDPerror() udperror.sport = pkt[UDP].sport udperror.dport = pkt[UDP].dport udperror.len = pkt[UDP].len if fp.probe['U1']['RUCK'] == 'G': udperror.chksum = pkt[UDP].chksum else: udperror.chksum = fp.probe['U1']['RUCK'] try: ipl = int(fp.probe['U1']['IPL'], 16) except KeyError: ipl = None data = pkt[Raw].load fin_pkt = ip / icmp / iperror / udperror / data if ether is None else ether / ip / icmp / iperror / udperror / data return fin_pkt
def cmd_ping(ip, interface, count, timeout, wait, verbose): """The classic ping tool that send ICMP echo requests. \b # habu.ping 8.8.8.8 IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding """ if interface: conf.iface = interface conf.verb = False conf.L3socket=L3RawSocket layer3 = IP() layer3.dst = ip layer3.tos = 0 layer3.id = 1 layer3.flags = 0 layer3.frag = 0 layer3.ttl = 64 layer3.proto = 1 # icmp layer4 = ICMP() layer4.type = 8 # echo-request layer4.code = 0 layer4.id = 0 layer4.seq = 0 pkt = layer3 / layer4 counter = 0 while True: ans = sr1(pkt, timeout=timeout) if ans: if verbose: ans.show() else: print(ans.summary()) del(ans) else: print('Timeout') counter += 1 if count != 0 and counter == count: break sleep(wait) return True
def icmp_craft(pkt, fp, mac): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe['IE']['TTL'], 16) dfi_flag = fp.probe['IE']['DFI'] if dfi_flag == 'N': ip.flags = 0 elif dfi_flag == 'S': ip.flags = pkt[IP].flags elif dfi_flag == 'Y': ip.flags = 2 else: ip.flags = 0 if pkt[IP].flags == 2 else 2 ip.id = fp.ip_id_icmp_gen() icmp = ICMP() icmp.type = 0 icmp.id = pkt[ICMP].id cd_val = fp.probe['IE']['CD'] if cd_val == 'Z': icmp.code = 0 elif cd_val == 'S': icmp.code = pkt[ICMP].code else: icmp.code = random.randint(0, 15) icmp.seq = pkt[ICMP].seq data = pkt[ICMP].payload fin_pkt = ip / icmp / data if ether is None else ether / ip / icmp / data return fin_pkt
def forge(self, job, seq): sport = 0 while sport < 1024: sport = int(RandShort()) l4 = (TCP(sport=sport, dport=job['dp'])) if ':' in job['dip']: ip = IPv6(src=self.source[1], dst=job['dip']) else: ip = IP(src=self.source[0], dst=job['dip']) if seq == 1: ip.flags = 'evil' return ip / l4
def IP_layer(attributes): layer3 = IP() layer3.version = attributes['version'] layer3.ihl = attributes['ihl'] layer3.tos = attributes['tos'] layer3.len = attributes['len'] layer3.id = attributes['id'] layer3.flags = attributes['flags'] layer3.frag = attributes['frag'] layer3.ttl = attributes['ttl'] layer3.proto = attributes['proto'] layer3.src = attributes['src'] layer3.dst = attributes['dst'] return layer3
def forge(self, job, seq): sport = 0 while sport < 1024: sport = int(RandShort()) if self.args.connect == 'tcpsyn': l4 = (TCP(sport=sport, dport=job['dp'])) if self.args.connect == 'dnsudp': l4 = (UDP(sport=sport, dport=job['dp']) / DNS(qd=DNSQR(qname=job['domain']))) if ':' in job['dip']: ip = IPv6(src=self.source[1], dst=job['dip']) else: ip = IP(src=self.source[0], dst=job['dip']) if seq == 1: ip.flags = 'evil' return ip / l4
def cmd_ping(ip, interface, count, timeout, wait, verbose): if interface: conf.iface = interface conf.verb = False conf.L3socket = L3RawSocket layer3 = IP() layer3.dst = ip layer3.tos = 0 layer3.id = 1 layer3.flags = 0 layer3.frag = 0 layer3.ttl = 64 layer3.proto = 1 # icmp layer4 = ICMP() layer4.type = 8 # echo-request layer4.code = 0 layer4.id = 0 layer4.seq = 0 pkt = layer3 / layer4 counter = 0 while True: ans = sr1(pkt, timeout=timeout) if ans: if verbose: ans.show() else: print(ans.summary()) del (ans) else: print('Timeout') counter += 1 if count != 0 and counter == count: break sleep(wait) return True
try: my_ack = lpkt.seq+len(lpkt.load) except: my_ack = lpkt.seq my_seq = lpkt.ack my_sport = lpkt.dport ### got timestamp tseho = 0 for opt in lpkt.getlayer(TCP).options: if "Timestamp" in opt: tseho = opt[1][0] tsval = tseho + 3 ip = IP(dst = target) data="######injected######\n" ip.id = lpkt.id+1 ip.flags = lpkt.flags pkt = ip/TCP(sport = my_sport, dport = my_dport, flags = "A", seq = my_seq, ack = my_ack, window = lpkt.window+1)/data if tseho > 0: pkt.payload.options = [('NOP', None), ('NOP', None),('Timestamp',(tsval,tseho))] print "####### sending:" send(pkt)
for i in ip_src: if i.isdigit(): ip_source[index] = str(ip_source[index]) + str(i) else: index += 1 ip_source[index] = "" print(ip_source) print(ip_dest) ip_header.version = 4 ip_header.ihl = ip_hdr_len // 4 ip_header.tos = 0x0 ip_header.len = (ip_hdr_len + udp_pkt_len) ip_header.id = 0 ip_header.flags = 0 ip_header.frag = 0 ip_header.ttl = 64 ip_header.proto = 17 #ip_header.chksum= 0x7ce6 ip_header.src = ip_src ip_header.dst = ip_dst del ip_header.chksum ip_header = ip_header.__class__(str(ip_header)) #ip_header.show2() #print("-------------------------------------") #hexdump((ip_header.version << 4) | ip_header.ihl) #print(ip_header.version << 4) #print(ip_header.ihl) #print(ip_header.proto)
def t2tot7_craft(pkt, fp, mac, tno): try: ether = Ether() ether.src = mac ether.dst = pkt[Ether].dst ether.type = 0x800 except IndexError: ether = None ip = IP() ip.src = pkt[IP].dst ip.dst = pkt[IP].src ip.ttl = int(fp.probe[tno]['TTL'], 16) ip.flags = fp.probe[tno]['DF'] ip.id = random.randint(1, 1000) tcp = TCP() s_val = fp.probe[tno]['S'] if s_val == 'Z': tcp.seq = 0 elif s_val == 'A': tcp.seq = pkt[TCP].ack elif s_val == 'A+': tcp.seq = pkt[TCP].ack + 1 else: tcp.seq = pkt[TCP].ack + 369 a_val = fp.probe[tno]['A'] if a_val == 'Z': tcp.ack = 0 elif a_val == 'S': tcp.ack = pkt[TCP].seq elif a_val == 'S+': tcp.ack = pkt[TCP].seq + 1 else: tcp.ack = pkt[TCP].seq + 369 flag_val = fp.probe[tno]['F'] tcp.flags = flag_val w_val = fp.probe[tno]['W'] if w_val == 'ECHOED': tcp.window = pkt[TCP].window else: tcp.window = w_val tcp.sport = pkt[TCP].dport tcp.dport = pkt[TCP].sport o_val = fp.probe[tno]['O'] if o_val == 'EMPTY': pass else: tcp.options = o_val rd_val = fp.probe[tno]['RD'] if rd_val != '0': crc = int(rd_val, 16) data = b'TCP Port is closed\x00' data += compensate(data, crc) fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data else: fin_pkt = ip / tcp if ether is None else ether / ip / tcp return fin_pkt
my_seq = lpkt.ack my_sport = lpkt.dport ### got timestamp tseho = 0 for opt in lpkt.getlayer(TCP).options: if "Timestamp" in opt: tseho = opt[1][0] tsval = tseho + 3 ip = IP(dst=target) data = "######injected######\n" ip.id = lpkt.id + 1 ip.flags = lpkt.flags pkt = ip / TCP(sport=my_sport, dport=my_dport, flags="A", seq=my_seq, ack=my_ack, window=lpkt.window + 1) / data if tseho > 0: pkt.payload.options = [('NOP', None), ('NOP', None), ('Timestamp', (tsval, tseho))] print "####### sending:" send(pkt)