def service_craft(pkt, fp, mac, service, type_=False):
    """Build the TCP reply to *pkt* that makes a port look like a live service.

    Addresses and ports are mirrored from the received packet (src/dst and
    sport/dport swapped); the IP TTL comes from the fingerprint.

    Args:
        pkt: Received scapy packet with IP and TCP layers (Ether optional).
        fp: Fingerprint object whose ``ttl`` attribute is a hex string.
        mac: Source MAC for the Ethernet header, used only when *pkt* itself
            carries an Ether layer.
        service: Mapping from the probed destination port to the payload
            sent in the PSH/ACK reply.
        type_: False builds the SYN/ACK (ack = seq + 1, no payload); True
            builds a PSH/ACK carrying ``service[pkt[TCP].dport]``.

    Returns:
        The composed reply, prefixed with an Ether layer when one could be
        derived from *pkt*.

    Raises:
        KeyError: if ``type_`` is set and the probed port is not in *service*.
    """
    # scapy raises IndexError when a layer is absent: without an Ether layer
    # the reply is built from IP upwards and sent at layer 3.
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(fp.ttl, 16))
    # NOTE(review): 0x4000 is the DF bit of the 16-bit flags+fragment-offset
    # word, but IP.flags is a 3-bit field in scapy and the value is probably
    # masked to 0 on build -- confirm; ecn_craft/icmp_craft use ``flags = 2``.
    net.flags = 0x4000

    transport = TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport)

    if not type_:
        # Second step of the handshake: SYN/ACK acknowledging the probe's SYN.
        transport.flags = 0x012  # SYN / ACK
        transport.seq = pkt[TCP].seq
        transport.ack = pkt[TCP].seq + 1
        payload = None
    else:
        # Handshake done: push the service payload for the probed port.
        transport.flags = 0x018  # PSH / ACK
        transport.seq = pkt[TCP].seq
        transport.ack = pkt[TCP].ack
        payload = service[pkt[TCP].dport]

    head = net if link is None else link / net
    reply = head / transport
    return reply if payload is None else reply / payload
def cb(dummy, payload):
	"""nfqueue callback: rewrite the IP TTL of a queued packet and re-inject it.

	Args:
		dummy: Unused; nfqueue passes it as the first callback argument.
		payload: nfqueue payload object; its bytes are parsed as an IP packet.

	The modified packet is serialised with ``str(pkt)`` (the Python 2 idiom
	for raw bytes) and accepted with ``NF_ACCEPT``.
	"""
	pkt = IP(payload.get_data())
	pkt.ttl = 24
	# The checksum in the queued bytes covers the old header; dropping the
	# field makes scapy recompute it when the packet is serialised.
	del pkt.chksum
	raw = str(pkt)
	payload.set_verdict_modified(nfqueue.NF_ACCEPT, raw, len(raw))
def seqgen_pkt_craft(pkt, fp, mac, pno):
    """Craft the reply to nmap's SEQ probe number *pno* from fingerprint *fp*.

    Values are read from ``fp.probe`` in nmap fingerprint notation: the
    'T1' entry supplies TTL, DF, S (seq rule), A (ack rule), F (flags) and
    RD; 'WIN' supplies the window as ``'W' + pno`` and 'OPS' the TCP
    options as ``'O' + pno``.

    Args:
        pkt: Received scapy packet; addresses and ports are mirrored.
        fp: Fingerprint object with a ``probe`` mapping plus ``ip_id_gen()``
            and ``tcp_seq_gen()``.
        mac: Source MAC for the Ethernet layer (only if *pkt* has one).
        pno: Probe number as a string, appended to the 'W'/'O' keys.

    Returns:
        ``[Ether /] IP / TCP [/ data]`` where the payload is present only
        when the RD field is not '0'.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    t1 = fp.probe['T1']
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(t1['TTL'], 16))
    # NOTE(review): DF is assigned verbatim here while ecn_craft/icmp_craft
    # map 'Y' to 2 -- confirm this fingerprint stores DF as a flag value.
    net.flags = t1['DF']
    net.id = fp.ip_id_gen()

    tcp = TCP()

    # S rule: Z = zero, A = probe's ack, A+ = probe's ack + 1, else generated.
    s_val = t1['S']
    seq_rules = {
        'Z': lambda: 0,
        'A': lambda: pkt[TCP].ack,
        'A+': lambda: pkt[TCP].ack + 1,
    }
    tcp.seq = seq_rules[s_val]() if s_val in seq_rules else fp.tcp_seq_gen()

    # A rule: Z = zero, S = probe's seq, S+ = probe's seq + 1, else seq + 369.
    a_val = t1['A']
    ack_rules = {
        'Z': lambda: 0,
        'S': lambda: pkt[TCP].seq,
        'S+': lambda: pkt[TCP].seq + 1,
    }
    tcp.ack = ack_rules[a_val]() if a_val in ack_rules else pkt[TCP].seq + 369

    tcp.flags = t1['F']
    tcp.window = fp.probe['WIN']['W' + pno]
    tcp.sport = pkt[TCP].dport
    tcp.dport = pkt[TCP].sport
    tcp.options = fp.probe['OPS']['O' + pno]

    # RD is a hex checksum the reply payload must match; ``compensate`` returns
    # the trailing bytes that make the fixed text hash to it.
    rd_val = t1['RD']
    payload = None
    if rd_val != '0':
        target_crc = int(rd_val, 16)
        text = b'TCP Port is closed\x00'
        payload = text + compensate(text, target_crc)

    head = net if link is None else link / net
    reply = head / tcp
    return reply if payload is None else reply / payload
def cmd_icmp_ping(ip, interface, count, timeout, wait, verbose):
    """The classic ping tool that sends ICMP echo requests.

    \b
    # habu.icmp.ping 8.8.8.8
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding

    Args:
        ip: Destination address of the echo requests.
        interface: If truthy, assigned to ``conf.iface`` before sending.
        count: Number of requests to send; 0 means run until interrupted.
        timeout: Seconds ``sr1`` waits for each reply.
        wait: Seconds to sleep between consecutive requests.
        verbose: Print the full reply with ``show()`` instead of ``summary()``.

    Returns:
        True once *count* requests have been sent.
    """
    if interface:
        conf.iface = interface

    # Quiet scapy and send through a raw layer-3 socket.
    conf.verb = False
    conf.L3socket = L3RawSocket

    # Fixed echo request: id/seq 0, TTL 64, proto 1 (ICMP), type 8 (echo-request).
    probe = IP(dst=ip, tos=0, id=1, flags=0, frag=0, ttl=64, proto=1) / ICMP(type=8, code=0, id=0, seq=0)

    sent = 0
    while True:
        reply = sr1(probe, timeout=timeout)
        if not reply:
            print('Timeout')
        elif verbose:
            reply.show()
        else:
            print(reply.summary())

        sent += 1
        # count == 0 never matches, so the loop runs until interrupted.
        if count != 0 and sent == count:
            return True

        sleep(wait)
def udp_craft(pkt, mac, fp):
    """Craft the ICMP destination-unreachable reply to nmap's U1 UDP probe.

    Field values come from ``fp.probe['U1']`` in nmap notation (TTL, DF,
    RIPL, RID, RIPCK, RUCK); the quoted IP/UDP headers are built from the
    probe itself and the probe's Raw payload is appended.

    Args:
        pkt: Received scapy packet with IP, UDP and Raw layers.
        mac: Source MAC for the Ethernet layer (only if *pkt* has one).
        fp: Fingerprint object exposing the ``probe`` mapping.

    Returns:
        ``[Ether /] IP / ICMP / IPerror / UDPerror / <probe payload>``.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    u1 = fp.probe['U1']
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(u1['TTL'], 16))
    # NOTE(review): DF is assigned verbatim here while ecn_craft/icmp_craft
    # map 'Y' to 2 -- confirm this fingerprint stores DF as a flag value.
    net.flags = u1['DF']
    net.len = 56
    net.id = 4162

    # NOTE(review): the original comment reads "code 3 for reply" (port
    # unreachable, the usual answer from a closed UDP port) but the value set
    # is 13 (administratively prohibited) -- confirm which is intended.
    unreachable = ICMP(type=3, unused=0, code=13)

    # Quoted copy of the probe's IP header.
    quoted_ip = IPerror(proto='udp', ttl=0x3E, len=u1['RIPL'], id=u1['RID'])
    ripck = u1['RIPCK']
    if ripck == 'Z':
        quoted_ip.chksum = 0
    elif ripck != 'G':
        quoted_ip.chksum = pkt[IP].chksum
    # 'G': leave chksum unset so scapy fills in its own value on build.

    # Quoted copy of the probe's UDP header; RUCK 'G' keeps the probe's checksum.
    quoted_udp = UDPerror(sport=pkt[UDP].sport, dport=pkt[UDP].dport, len=pkt[UDP].len)
    ruck = u1['RUCK']
    quoted_udp.chksum = pkt[UDP].chksum if ruck == 'G' else ruck

    # NOTE(review): ``ipl`` is never used below; kept only because int() still
    # validates the IPL field (ValueError on non-hex input) when it is present.
    try:
        ipl = int(u1['IPL'], 16)
    except KeyError:
        ipl = None

    probe_payload = pkt[Raw].load

    head = net if link is None else link / net
    return head / unreachable / quoted_ip / quoted_udp / probe_payload
def cmd_ping(ip, interface, count, timeout, wait, verbose):
    """The classic ping tool that sends ICMP echo requests.

    \b
    # habu.ping 8.8.8.8
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding

    Args:
        ip: Destination address of the echo requests.
        interface: If truthy, assigned to ``conf.iface`` before sending.
        count: Number of requests to send; 0 means run until interrupted.
        timeout: Seconds ``sr1`` waits for each reply.
        wait: Seconds to sleep between consecutive requests.
        verbose: Print the full reply with ``show()`` instead of ``summary()``.

    Returns:
        True once *count* requests have been sent.
    """
    def report(reply):
        """Print one reply (full dump when verbose) or a timeout marker."""
        if not reply:
            print('Timeout')
        elif verbose:
            reply.show()
        else:
            print(reply.summary())

    if interface:
        conf.iface = interface

    # Quiet scapy and send through a raw layer-3 socket.
    conf.verb = False
    conf.L3socket = L3RawSocket

    # Fixed echo request: id/seq 0, TTL 64, proto 1 (ICMP), type 8 (echo-request).
    layer3 = IP(dst=ip, tos=0, id=1, flags=0, frag=0, ttl=64, proto=1)
    layer4 = ICMP(type=8, code=0, id=0, seq=0)
    pkt = layer3 / layer4

    sent = 0
    while True:
        report(sr1(pkt, timeout=timeout))
        sent += 1
        # count == 0 never matches, so the loop runs until interrupted.
        if sent == count and count != 0:
            break
        sleep(wait)

    return True
def ecn_craft(pkt, mac, fp):
    """Craft the reply to nmap's ECN probe from fingerprint *fp*.

    Values come from ``fp.probe['ECN']`` in nmap notation: TTL, DF ('Y'
    sets the DF bit), W (window, 'ECHOED' mirrors the probe), CC (which
    ECN flags to set) and O (TCP options, 'EMPTY' leaves them unset).

    Args:
        pkt: Received scapy packet; addresses and ports are mirrored.
        mac: Source MAC for the Ethernet layer (only if *pkt* has one).
        fp: Fingerprint object with a ``probe`` mapping and ``ip_id_gen()``.

    Returns:
        ``[Ether /] IP / TCP``.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    ecn = fp.probe['ECN']
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(ecn['TTL'], 16))
    net.flags = 2 if ecn['DF'] == 'Y' else 0  # 2 = DF bit
    net.id = fp.ip_id_gen()

    tcp = TCP()
    window = ecn['W']
    tcp.window = pkt[TCP].window if window == 'ECHOED' else window
    tcp.sport = pkt[TCP].dport
    tcp.dport = pkt[TCP].sport

    # CC -> TCP flag bits: Y = SYN/ACK/ECE (0x52), N = SYN/ACK (0x12),
    # S = SYN/ACK/ECE/CWR (0xD2); anything else answers with a bare ACK.
    cc_flags = {'Y': 0x52, 'N': 0x12, 'S': 0xD2}
    tcp.flags = cc_flags.get(ecn['CC'], 0x10)

    options = ecn['O']
    if options != 'EMPTY':
        tcp.options = options

    head = net if link is None else link / net
    return head / tcp
def IP_layer(attributes):
    """Build a scapy ``IP`` header from a mapping of field values.

    Args:
        attributes: Mapping that must contain the keys 'version', 'ihl',
            'tos', 'len', 'id', 'flags', 'frag', 'ttl', 'proto', 'src' and
            'dst'; each value is assigned verbatim to the field of the same
            name, so the caller is responsible for valid values.

    Returns:
        The populated ``IP`` layer.

    Raises:
        KeyError: if any of the listed keys is missing.
    """
    layer3 = IP()
    # Assigned in on-wire header order; every key is mandatory.
    for field in ('version', 'ihl', 'tos', 'len', 'id', 'flags',
                  'frag', 'ttl', 'proto', 'src', 'dst'):
        setattr(layer3, field, attributes[field])
    return layer3
文件: cmd_ping.py 项目: venutrue/habu
def cmd_ping(ip, interface, count, timeout, wait, verbose):
    """Send ICMP echo requests to *ip* and print each reply.

    Args:
        ip: Destination address of the echo requests.
        interface: If truthy, assigned to ``conf.iface`` before sending.
        count: Number of requests to send; 0 means run until interrupted.
        timeout: Seconds ``sr1`` waits for each reply.
        wait: Seconds to sleep between consecutive requests.
        verbose: Print the full reply with ``show()`` instead of ``summary()``.

    Returns:
        True once *count* requests have been sent.
    """
    def report(reply):
        """Print one reply (full dump when verbose) or a timeout marker."""
        if not reply:
            print('Timeout')
        elif verbose:
            reply.show()
        else:
            print(reply.summary())

    if interface:
        conf.iface = interface

    # Quiet scapy and send through a raw layer-3 socket.
    conf.verb = False
    conf.L3socket = L3RawSocket

    # Fixed echo request: id/seq 0, TTL 64, proto 1 (ICMP), type 8 (echo-request).
    pkt = IP(dst=ip, tos=0, id=1, flags=0, frag=0, ttl=64, proto=1) / ICMP(type=8, code=0, id=0, seq=0)

    # The pause sits before every request except the first, which is the
    # same send/sleep sequence as sleeping after every request but the last.
    sent = 0
    while not (count != 0 and sent == count):
        if sent:
            sleep(wait)
        report(sr1(pkt, timeout=timeout))
        sent += 1

    return True
def icmp_craft(pkt, fp, mac):
    """Craft the echo reply to nmap's IE (ICMP echo) probe from *fp*.

    ``fp.probe['IE']`` supplies TTL, DFI (how the DF bit is chosen) and CD
    (how the ICMP code is chosen) in nmap notation; id, seq and payload are
    echoed from the probe.

    Args:
        pkt: Received scapy packet with IP and ICMP layers (Ether optional).
        fp: Fingerprint object with a ``probe`` mapping and
            ``ip_id_icmp_gen()``.
        mac: Source MAC for the Ethernet layer (only if *pkt* has one).

    Returns:
        ``[Ether /] IP / ICMP / <probe payload>``.
    """
    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    ie = fp.probe['IE']
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(ie['TTL'], 16))

    # DFI: N = never set DF, S = same as the probe, Y = always set DF,
    # any other value = the opposite of the probe (2 is the DF bit).
    dfi = ie['DFI']
    if dfi == 'N':
        net.flags = 0
    elif dfi == 'S':
        net.flags = pkt[IP].flags
    elif dfi == 'Y':
        net.flags = 2
    else:
        net.flags = 0 if pkt[IP].flags == 2 else 2

    net.id = fp.ip_id_icmp_gen()

    echo = ICMP(type=0, id=pkt[ICMP].id)

    # CD: Z = code zero, S = same as the probe, otherwise a random 0..15.
    cd = ie['CD']
    if cd == 'Z':
        echo.code = 0
    elif cd == 'S':
        echo.code = pkt[ICMP].code
    else:
        echo.code = random.randint(0, 15)

    echo.seq = pkt[ICMP].seq

    head = net if link is None else link / net
    return head / echo / pkt[ICMP].payload
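def main(args):
    """Send ``args.count`` ICMP packets to ``args.target`` with randomised fields.

    For every packet each of the IP source, IP id, IP TTL, ICMP type and
    ICMP sequence is randomised when ``random_bool()`` returns true
    (presumably a coin flip); fields that are not picked keep scapy's
    defaults. All packets are built first and sent in one batch.

    Args:
        args: Namespace with ``target`` (destination IP), ``count`` (number
            of packets to build) and ``interval`` (seconds between sends).
    """
    print "[*] Comenzando el fuzzing..."

    pkt_lst = []

    for _ in xrange(args.count):
        ip_layer = IP(dst=args.target)

        # IP layer: random source address, id and TTL (TTL kept below 255).
        if random_bool():
            ip_layer.src = str(RandIP())
        if random_bool():
            ip_layer.id = int(RandShort())
        if random_bool():
            ip_layer.ttl = int(RandInt()) % 255

        icmp_layer = ICMP()

        # ICMP layer: random type and sequence number.
        if random_bool():
            icmp_layer.type = int(RandByte())
        if random_bool():
            icmp_layer.seq = int(RandShort())

        pkt_lst.append(ip_layer / icmp_layer)

    # NOTE(review): sendp() injects at layer 2 but these packets start at the
    # IP layer; send() is scapy's layer-3 entry point -- confirm which is meant.
    sendp(pkt_lst, inter=args.interval)

    # Report the number actually built: the loop index would be count - 1 and
    # is unbound altogether when count is 0.
    print "[*] Enviado %s paquetes" % len(pkt_lst)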
  if tmp > 0 and tmp < ttldiff:
	ttldiff = tmp

# Hop estimate: ttldiff is the smallest positive gap between a default TTL
# and the TTL seen in the SYN/ACK (computed above), plus one for this hop.
print "%s is probably %d hops away (at least one way ;))" % (dst,ttldiff+1)

# First half of a plain HTTP GET, pushed on the established connection so the
# far end's reply reveals its current sequence number.
data = "GET / HTTP/1.0\nHost: "+target+"\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2\nAccept: text/html,application/xhtml+xml,application/xml;q = 0.9,*/*;q = 0.8\nAccept-Language: en-us,en;q = 0.5\n"

# NOTE(review): sr1() returns None on timeout; res.seq below then raises
# AttributeError instead of reporting the failure.
res = sr1(ip/TCP(sport = my_sport, dport = my_dport, flags = "PA", seq = my_seq, ack = my_ack)/data,retry = 3,timeout = 2)

# Advance our own sequence by what was sent and take the peer's seq as ack.
my_ack = res.seq
my_seq = my_seq+len(data)

# Remainder of the request, re-sent with a varying TTL in the loop below.
data = "Accept-Charset: ISO-8859-2,utf-8;q = 0.7,*;q = 0.7\nPragma: no-cache\nCache-Control: no-cache\n\n"
while 1 == 1:
  ip.ttl = my_ttl
  rcv = sr1(ip/TCP(sport = my_sport, dport = my_dport, flags = "A", seq = my_seq, ack = my_ack)/data,retry = 2,timeout = 1)
  if rcv:
	print "%2d : %15s rcv proto %s, TTL %3d" % (my_ttl,rcv.src,rcv.proto,rcv.ttl)

	if rcv.proto == 6:
	  if dttl != rcv.ttl:
		print "Probable SYN proxy, SA TTL %d, now TTL %d" % (dttl,rcv.ttl)
	  print "done, got: TCP flags: %s" % TCPflags(rcv.payload.flags)

	  if len(rcv.payload.payload) < 10: 
		cap = sniff(filter = "tcp and port 80 and port %d and host %s" % (my_sport,dst), count = 1,timeout = 5)
		for tmp in cap:
		  if tmp.payload.proto == 6 and len(tmp.payload.payload.payload) < 10:
			rcv = tmp.payload
			break
        ip_source[index] = str(ip_source[index]) + str(i)
    else:
        index += 1
        ip_source[index] = ""

print(ip_source)
print(ip_dest)

# Fill the IPv4 header in wire order: ihl is in 32-bit words, len covers the
# IP header plus the UDP datagram that follows, proto 17 is UDP.
for field, value in (
    ('version', 4),
    ('ihl', ip_hdr_len // 4),
    ('tos', 0x0),
    ('len', ip_hdr_len + udp_pkt_len),
    ('id', 0),
    ('flags', 0),
    ('frag', 0),
    ('ttl', 64),
    ('proto', 17),
    ('src', ip_src),
    ('dst', ip_dst),
):
    setattr(ip_header, field, value)

# Drop any stale checksum so it is recomputed, then rebuild the header object
# from its own serialised bytes (Python 2 ``str`` is bytes) so every field,
# checksum included, holds its on-wire value.
del ip_header.chksum
ip_header = ip_header.__class__(str(ip_header))
def t2tot7_craft(pkt, fp, mac, tno):
    """Craft the reply to one of nmap's T2..T7 TCP probes from fingerprint *fp*.

    ``fp.probe[tno]`` supplies, in nmap notation, TTL, DF, S (seq rule),
    A (ack rule), F (flags), W (window, 'ECHOED' mirrors the probe), O
    (options, 'EMPTY' leaves them unset) and RD (payload checksum).

    Args:
        pkt: Received scapy packet; addresses and ports are mirrored.
        fp: Fingerprint object exposing the ``probe`` mapping.
        mac: Source MAC for the Ethernet layer (only if *pkt* has one).
        tno: Probe key, e.g. 'T2'.

    Returns:
        ``[Ether /] IP / TCP [/ data]`` where the payload is present only
        when RD is not '0'.
    """
    def pick(value, rules, fallback):
        """Evaluate the rule matching *value*, else the *fallback* thunk."""
        return rules[value]() if value in rules else fallback()

    try:
        link = Ether(src=mac, dst=pkt[Ether].dst, type=0x800)
    except IndexError:
        link = None

    probe = fp.probe[tno]
    net = IP(src=pkt[IP].dst, dst=pkt[IP].src, ttl=int(probe['TTL'], 16))
    # NOTE(review): DF is assigned verbatim here while ecn_craft/icmp_craft
    # map 'Y' to 2 -- confirm this fingerprint stores DF as a flag value.
    net.flags = probe['DF']
    net.id = random.randint(1, 1000)

    tcp = TCP()

    # S rule: Z = zero, A = probe's ack, A+ = probe's ack + 1, else ack + 369.
    tcp.seq = pick(probe['S'], {
        'Z': lambda: 0,
        'A': lambda: pkt[TCP].ack,
        'A+': lambda: pkt[TCP].ack + 1,
    }, lambda: pkt[TCP].ack + 369)

    # A rule: Z = zero, S = probe's seq, S+ = probe's seq + 1, else seq + 369.
    tcp.ack = pick(probe['A'], {
        'Z': lambda: 0,
        'S': lambda: pkt[TCP].seq,
        'S+': lambda: pkt[TCP].seq + 1,
    }, lambda: pkt[TCP].seq + 369)

    tcp.flags = probe['F']

    window = probe['W']
    tcp.window = pkt[TCP].window if window == 'ECHOED' else window

    tcp.sport = pkt[TCP].dport
    tcp.dport = pkt[TCP].sport

    options = probe['O']
    if options != 'EMPTY':
        tcp.options = options

    # RD is a hex checksum the reply payload must match; ``compensate`` returns
    # the trailing bytes that make the fixed text hash to it.
    rd_val = probe['RD']
    payload = None
    if rd_val != '0':
        target_crc = int(rd_val, 16)
        text = b'TCP Port is closed\x00'
        payload = text + compensate(text, target_crc)

    head = net if link is None else link / net
    reply = head / tcp
    return reply if payload is None else reply / payload
    tmp = defttl - dttl
    if tmp > 0 and tmp < ttldiff:
        ttldiff = tmp

# Hop estimate: ttldiff is the smallest positive gap between a default TTL
# and the TTL seen from the target (computed above), plus one for this hop.
print "%s is probably %d hops away (at least one way ;))" % (target,
                                                             ttldiff + 1)

# Bare ACK on the established connection; only its TTL changes per probe.
pkt = IP(dst=target) / TCP(
    sport=my_sport, dport=my_dport, flags="A", seq=my_seq, ack=my_ack)

# Echo the peer's timestamp option when one was seen (presumably tseho is the
# TS value from the handshake -- confirm against where it is set).
if tseho > 0:
    pkt.payload.options = [('NOP', None), ('NOP', None),
                           ('Timestamp', (tsval, tseho))]

# Probe with increasing TTL until the answer comes back as TCP (the target
# itself) rather than an ICMP time-exceeded from an intermediate hop.
# NOTE(review): nothing in this excerpt advances my_ttl; the increment is
# presumably below, otherwise the loop repeats the same TTL forever.
while 1 == 1:
    pkt.ttl = my_ttl
    rcv = sr1(pkt, retry=2, timeout=1)
    if rcv:
        print "%2d : %15s rcv proto %s, TTL %3d" % (my_ttl, rcv.src, rcv.proto,
                                                    rcv.ttl)

        if rcv.haslayer(TCP):
            print "done, got: TCP flags: %s" % TCPflags(
                rcv.getlayer(TCP).flags)
            break

    else:
        # No reply at this TTL; give up past 20 hops.
        print "%2d : ???.???.???.???" % my_ttl
        if my_ttl > 20:
            print "out of TTL ;)"
            break
文件: trace.py 项目: pwns4cash/crap
# First half of a plain HTTP GET, pushed on the established connection so the
# far end's reply reveals its current sequence number.
data = (
    "GET / HTTP/1.0\nHost: "
    + target
    + "\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2\nAccept: text/html,application/xhtml+xml,application/xml;q = 0.9,*/*;q = 0.8\nAccept-Language: en-us,en;q = 0.5\n"
)

# NOTE(review): sr1() returns None on timeout; res.seq below then raises
# AttributeError instead of reporting the failure.
res = sr1(ip / TCP(sport=my_sport, dport=my_dport, flags="PA", seq=my_seq, ack=my_ack) / data, retry=3, timeout=2)

# Advance our own sequence by what was sent and take the peer's seq as ack.
my_ack = res.seq
my_seq = my_seq + len(data)

# Remainder of the request, re-sent with a varying TTL in the loop below.
data = "Accept-Charset: ISO-8859-2,utf-8;q = 0.7,*;q = 0.7\nPragma: no-cache\nCache-Control: no-cache\n\n"

while 1 == 1:
    ip.ttl = my_ttl
    rcv = sr1(ip / TCP(sport=my_sport, dport=my_dport, flags="A", seq=my_seq, ack=my_ack) / data, retry=2, timeout=1)
    if rcv:
        print "%2d : %15s rcv proto %s, TTL %3d" % (my_ttl, rcv.src, rcv.proto, rcv.ttl)

        if rcv.proto == 6:
            if dttl != rcv.ttl:
                print "Probable SYN proxy, SA TTL %d, now TTL %d" % (dttl, rcv.ttl)
            print "done, got: TCP flags: %s" % TCPflags(rcv.payload.flags)

            if len(rcv.payload.payload) < 10:
                cap = sniff(filter="tcp and port 80 and port %d and host %s" % (my_sport, dst), count=1, timeout=5)
                for tmp in cap:
                    if tmp.payload.proto == 6 and len(tmp.payload.payload.payload) < 10:
                        rcv = tmp.payload
                        break