def seqgen_pkt_craft(pkt, fp, mac, pno):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['T1']['TTL'], 16)
ip.flags = fp.probe['T1']['DF']
ip.id = fp.ip_id_gen()
tcp = TCP()
s_val = fp.probe['T1']['S']
if s_val == 'Z':
tcp.seq = 0
elif s_val == 'A':
tcp.seq = pkt[TCP].ack
elif s_val == 'A+':
tcp.seq = pkt[TCP].ack + 1
else:
tcp.seq = fp.tcp_seq_gen()
a_val = fp.probe['T1']['A']
if a_val == 'Z':
tcp.ack = 0
elif a_val == 'S':
tcp.ack = pkt[TCP].seq
elif a_val == 'S+':
tcp.ack = pkt[TCP].seq + 1
else:
tcp.ack = pkt[TCP].seq + 369
flag_val = fp.probe['T1']['F']
tcp.flags = flag_val
tcp.window = fp.probe['WIN']['W' + pno]
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
tcp.options = fp.probe['OPS']['O' + pno]
rd_val = fp.probe['T1']['RD']
if rd_val != '0':
crc = int(rd_val, 16)
data = b'TCP Port is closed\x00'
data += compensate(data, crc)
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
else:
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def cmd_icmp_ping(ip, interface, count, timeout, wait, verbose):
"""The classic ping tool that send ICMP echo requests.
\b
# habu.icmp.ping 8.8.8.8
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
"""
if interface:
conf.iface = interface
conf.verb = False
conf.L3socket = L3RawSocket
layer3 = IP()
layer3.dst = ip
layer3.tos = 0
layer3.id = 1
layer3.flags = 0
layer3.frag = 0
layer3.ttl = 64
layer3.proto = 1 # icmp
layer4 = ICMP()
layer4.type = 8 # echo-request
layer4.code = 0
layer4.id = 0
layer4.seq = 0
pkt = layer3 / layer4
counter = 0
while True:
ans = sr1(pkt, timeout=timeout)
if ans:
if verbose:
ans.show()
else:
print(ans.summary())
del (ans)
else:
print('Timeout')
counter += 1
if count != 0 and counter == count:
break
sleep(wait)
return True
def udp_craft(pkt, mac, fp):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['U1']['TTL'], 16)
ip.flags = fp.probe['U1']['DF']
ip.len = 56
ip.id = 4162
icmp = ICMP()
icmp.type = 3
icmp.unused = 0
icmp.code = 13 # code 3 for reply
iperror = IPerror()
iperror.proto = 'udp'
iperror.ttl = 0x3E
iperror.len = fp.probe['U1']['RIPL']
iperror.id = fp.probe['U1']['RID']
ripck_val = fp.probe['U1']['RIPCK']
if ripck_val == 'G':
pass
elif ripck_val == 'Z':
iperror.chksum = 0
else:
iperror.chksum = pkt[IP].chksum
udperror = UDPerror()
udperror.sport = pkt[UDP].sport
udperror.dport = pkt[UDP].dport
udperror.len = pkt[UDP].len
if fp.probe['U1']['RUCK'] == 'G':
udperror.chksum = pkt[UDP].chksum
else:
udperror.chksum = fp.probe['U1']['RUCK']
try:
ipl = int(fp.probe['U1']['IPL'], 16)
except KeyError:
ipl = None
data = pkt[Raw].load
fin_pkt = ip / icmp / iperror / udperror / data if ether is None else ether / ip / icmp / iperror / udperror / data
return fin_pkt
def cmd_ping(ip, interface, count, timeout, wait, verbose):
"""The classic ping tool that send ICMP echo requests.
\b
# habu.ping 8.8.8.8
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
"""
if interface:
conf.iface = interface
conf.verb = False
conf.L3socket=L3RawSocket
layer3 = IP()
layer3.dst = ip
layer3.tos = 0
layer3.id = 1
layer3.flags = 0
layer3.frag = 0
layer3.ttl = 64
layer3.proto = 1 # icmp
layer4 = ICMP()
layer4.type = 8 # echo-request
layer4.code = 0
layer4.id = 0
layer4.seq = 0
pkt = layer3 / layer4
counter = 0
while True:
ans = sr1(pkt, timeout=timeout)
if ans:
if verbose:
ans.show()
else:
print(ans.summary())
del(ans)
else:
print('Timeout')
counter += 1
if count != 0 and counter == count:
break
sleep(wait)
return True
def ecn_craft(pkt, mac, fp):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['ECN']['TTL'], 16)
ip_flag = fp.probe['ECN']['DF']
if ip_flag == 'Y':
ip.flags = 2
else:
ip.flags = 0
ip.id = fp.ip_id_gen()
tcp = TCP()
w_val = fp.probe['ECN']['W']
if w_val == 'ECHOED':
tcp.window = pkt[TCP].window
else:
tcp.window = w_val
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
cc_val = fp.probe['ECN']['CC']
if cc_val == 'Y':
tcp.flags = 0x52
elif cc_val == 'N':
tcp.flags = 0x12
elif cc_val == 'S':
tcp.flags = 0xD2
else:
tcp.flags = 0x10
o_val = fp.probe['ECN']['O']
if o_val == 'EMPTY':
pass
else:
tcp.options = o_val
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
def IP_layer(attributes):
layer3 = IP()
layer3.version = attributes['version']
layer3.ihl = attributes['ihl']
layer3.tos = attributes['tos']
layer3.len = attributes['len']
layer3.id = attributes['id']
layer3.flags = attributes['flags']
layer3.frag = attributes['frag']
layer3.ttl = attributes['ttl']
layer3.proto = attributes['proto']
layer3.src = attributes['src']
layer3.dst = attributes['dst']
return layer3
def cmd_ping(ip, interface, count, timeout, wait, verbose):
if interface:
conf.iface = interface
conf.verb = False
conf.L3socket = L3RawSocket
layer3 = IP()
layer3.dst = ip
layer3.tos = 0
layer3.id = 1
layer3.flags = 0
layer3.frag = 0
layer3.ttl = 64
layer3.proto = 1 # icmp
layer4 = ICMP()
layer4.type = 8 # echo-request
layer4.code = 0
layer4.id = 0
layer4.seq = 0
pkt = layer3 / layer4
counter = 0
while True:
ans = sr1(pkt, timeout=timeout)
if ans:
if verbose:
ans.show()
else:
print(ans.summary())
del (ans)
else:
print('Timeout')
counter += 1
if count != 0 and counter == count:
break
sleep(wait)
return True
def icmp_craft(pkt, fp, mac):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe['IE']['TTL'], 16)
dfi_flag = fp.probe['IE']['DFI']
if dfi_flag == 'N':
ip.flags = 0
elif dfi_flag == 'S':
ip.flags = pkt[IP].flags
elif dfi_flag == 'Y':
ip.flags = 2
else:
ip.flags = 0 if pkt[IP].flags == 2 else 2
ip.id = fp.ip_id_icmp_gen()
icmp = ICMP()
icmp.type = 0
icmp.id = pkt[ICMP].id
cd_val = fp.probe['IE']['CD']
if cd_val == 'Z':
icmp.code = 0
elif cd_val == 'S':
icmp.code = pkt[ICMP].code
else:
icmp.code = random.randint(0, 15)
icmp.seq = pkt[ICMP].seq
data = pkt[ICMP].payload
fin_pkt = ip / icmp / data if ether is None else ether / ip / icmp / data
return fin_pkt
def main(args):
print "[*] Comenzando el fuzzing..."
pkt_lst = []
for i in xrange(args.count):
ip_layer = IP(dst=args.target)
# Fuzz IP layer
#
# Src ramdon?
if random_bool():
ip_layer.src = str(RandIP())
# IP ID
if random_bool():
ip_layer.id = int(RandShort())
# IP TTL
if random_bool():
ip_layer.ttl = int(RandInt()) % 255
icmp_layer = ICMP()
# Fuzz ICMP layer
#
# Type random
if random_bool():
icmp_layer.type = int(RandByte())
# Seq random
if random_bool():
icmp_layer.seq = int(RandShort())
pkt = ip_layer/icmp_layer
pkt_lst.append(pkt)
sendp(pkt_lst, inter=args.interval)
print "[*] Enviado %s paquetes" % i
def main(self, *args):
"""
Main function
"""
if not self.ip:
try:
self.ip = gethostbyname(self.host)
except:
self._write_result('Host not found: %s' % self.host)
return
id = randint(0, self.MAX_ID - self.NUMBER_OF_PACKETS)
ids = []
# sending packets
for i in xrange(self.NUMBER_OF_PACKETS):
self._check_stop()
packet = IP(dst=self.ip, src=SANDBOX_IP) / ICMP()
packet.id = id
try:
data = sr1(packet, timeout=self.ICMP_TIMEOUT)
if not data:
raise Exception('Host unreachable')
ids.append((i + 1, str(id), str(data.id)))
except Exception as e:
ids.append((i + 1, str(id), 'N/A (%s)' % str(e)))
id += 1
self._write_result('#\tSrc ID\tDst ID')
for id in ids:
self._write_result('%i\t%s\t%s' % id)
try:
my_ack = lpkt.seq+len(lpkt.load)
except:
my_ack = lpkt.seq
my_seq = lpkt.ack
my_sport = lpkt.dport
### got timestamp
tseho = 0
for opt in lpkt.getlayer(TCP).options:
if "Timestamp" in opt:
tseho = opt[1][0]
tsval = tseho + 3
ip = IP(dst = target)
data="######injected######\n"
ip.id = lpkt.id+1
ip.flags = lpkt.flags
pkt = ip/TCP(sport = my_sport, dport = my_dport, flags = "A", seq = my_seq, ack = my_ack, window = lpkt.window+1)/data
if tseho > 0:
pkt.payload.options = [('NOP', None), ('NOP', None),('Timestamp',(tsval,tseho))]
print "####### sending:"
send(pkt)
for i in ip_src:
if i.isdigit():
ip_source[index] = str(ip_source[index]) + str(i)
else:
index += 1
ip_source[index] = ""
print(ip_source)
print(ip_dest)
ip_header.version = 4
ip_header.ihl = ip_hdr_len // 4
ip_header.tos = 0x0
ip_header.len = (ip_hdr_len + udp_pkt_len)
ip_header.id = 0
ip_header.flags = 0
ip_header.frag = 0
ip_header.ttl = 64
ip_header.proto = 17
#ip_header.chksum= 0x7ce6
ip_header.src = ip_src
ip_header.dst = ip_dst
del ip_header.chksum
ip_header = ip_header.__class__(str(ip_header))
#ip_header.show2()
#print("-------------------------------------")
#hexdump((ip_header.version << 4) | ip_header.ihl)
#print(ip_header.version << 4)
#print(ip_header.ihl)
def t2tot7_craft(pkt, fp, mac, tno):
try:
ether = Ether()
ether.src = mac
ether.dst = pkt[Ether].dst
ether.type = 0x800
except IndexError:
ether = None
ip = IP()
ip.src = pkt[IP].dst
ip.dst = pkt[IP].src
ip.ttl = int(fp.probe[tno]['TTL'], 16)
ip.flags = fp.probe[tno]['DF']
ip.id = random.randint(1, 1000)
tcp = TCP()
s_val = fp.probe[tno]['S']
if s_val == 'Z':
tcp.seq = 0
elif s_val == 'A':
tcp.seq = pkt[TCP].ack
elif s_val == 'A+':
tcp.seq = pkt[TCP].ack + 1
else:
tcp.seq = pkt[TCP].ack + 369
a_val = fp.probe[tno]['A']
if a_val == 'Z':
tcp.ack = 0
elif a_val == 'S':
tcp.ack = pkt[TCP].seq
elif a_val == 'S+':
tcp.ack = pkt[TCP].seq + 1
else:
tcp.ack = pkt[TCP].seq + 369
flag_val = fp.probe[tno]['F']
tcp.flags = flag_val
w_val = fp.probe[tno]['W']
if w_val == 'ECHOED':
tcp.window = pkt[TCP].window
else:
tcp.window = w_val
tcp.sport = pkt[TCP].dport
tcp.dport = pkt[TCP].sport
o_val = fp.probe[tno]['O']
if o_val == 'EMPTY':
pass
else:
tcp.options = o_val
rd_val = fp.probe[tno]['RD']
if rd_val != '0':
crc = int(rd_val, 16)
data = b'TCP Port is closed\x00'
data += compensate(data, crc)
fin_pkt = ip / tcp / data if ether is None else ether / ip / tcp / data
else:
fin_pkt = ip / tcp if ether is None else ether / ip / tcp
return fin_pkt
my_seq = lpkt.ack
my_sport = lpkt.dport
### got timestamp
tseho = 0
for opt in lpkt.getlayer(TCP).options:
if "Timestamp" in opt:
tseho = opt[1][0]
tsval = tseho + 3
ip = IP(dst=target)
data = "######injected######\n"
ip.id = lpkt.id + 1
ip.flags = lpkt.flags
pkt = ip / TCP(sport=my_sport,
dport=my_dport,
flags="A",
seq=my_seq,
ack=my_ack,
window=lpkt.window + 1) / data
if tseho > 0:
pkt.payload.options = [('NOP', None), ('NOP', None),
('Timestamp', (tsval, tseho))]
print "####### sending:"
