|
@ -8,6 +8,7 @@ import os |
|
|
|
|
|
|
|
|
recv_count = 0 |
|
|
recv_count = 0 |
|
|
|
|
|
|
|
|
|
|
|
server_port = 50508 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -17,18 +18,15 @@ class Sniffer(Thread): |
|
|
super().__init__() |
|
|
super().__init__() |
|
|
|
|
|
|
|
|
self.daemon = True |
|
|
self.daemon = True |
|
|
self.vpn_addr = None |
|
|
|
|
|
|
|
|
|
|
|
self.current_phase = 1 |
|
|
|
|
|
self.spoof_count = 0 |
|
|
|
|
|
self.spoof_port = 0 |
|
|
|
|
|
|
|
|
|
|
|
self.recv_count = 0 |
|
|
self.recv_count = 0 |
|
|
|
|
|
|
|
|
self.socket = None |
|
|
self.socket = None |
|
|
self.iface = iface |
|
|
self.iface = iface |
|
|
self.stop_sniffer = Event() |
|
|
self.stop_sniffer = Event() |
|
|
|
|
|
|
|
|
|
|
|
self.debug_src = "" |
|
|
|
|
|
self.debug_sport = 0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def run(self): |
|
|
def run(self): |
|
|
self.socket = conf.L2listen( |
|
|
self.socket = conf.L2listen( |
|
|
type=ETH_P_ALL, |
|
|
type=ETH_P_ALL, |
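Review bot: `self.spoof_count` and `self.spoof_port` are initialised in `__init__` but, as far as the visible hunks show, nothing reads or writes them afterwards; if they are leftovers from an earlier version they should go, otherwise a one-line comment saying which code will set them helps the reader. The initial values `self.debug_src = ""` and `self.debug_sport = 0` also double as the sentinel that `send_debug_packet` tests for, which is not obvious from `__init__` alone; a comment such as `# "" / 0 mean "no debug connection seen yet" (checked by send_debug_packet)` would make that contract explicit. Both `__init__` and `run` extend beyond this hunk.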
|
@ -46,37 +44,10 @@ class Sniffer(Thread): |
|
|
self.stop_sniffer.set() |
|
|
self.stop_sniffer.set() |
|
|
super().join(timeout) |
|
|
super().join(timeout) |
|
|
|
|
|
|
|
|
def get_vpn_addr(self): |
|
|
|
|
|
return self.vpn_addr |
|
|
|
|
|
|
|
|
|
|
|
def set_phase(self, phase): |
|
|
|
|
|
self.current_phase = phase |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def check_for_req(self, packet): |
|
|
|
|
|
|
|
|
|
|
|
ip_layer = packet.getlayer(IP) |
|
|
|
|
|
|
|
|
|
|
|
# for phase 1 (on ubuntu 19) we wanna look for a reset |
|
|
|
|
|
# with source of private vpn address and dest of gateway |
|
|
|
|
|
|
|
|
|
|
|
if self.current_phase == 1: |
|
|
|
|
|
|
|
|
|
|
|
if "10." in ip_layer.src: |
|
|
|
|
|
|
|
|
|
|
|
if ip_layer.src == self.vpn_addr: |
|
|
|
|
|
print("multiple matches for: " + str(self.vpn_addr)) |
|
|
|
|
|
# could make the scan stop after this point but |
|
|
|
|
|
# only takes a second or two to finish up |
|
|
|
|
|
|
|
|
|
|
|
print("Victim private ip is: " + str(ip_layer.src)) |
|
|
|
|
|
self.vpn_addr = ip_layer.src |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def handle_debug_packet(self, payload): |
|
|
def handle_debug_packet(self, payload): |
|
|
some_packet = IP(bytes(payload)) |
|
|
some_packet = IP(bytes(payload)) |
|
|
print("some genie debug packet..") |
|
|
|
|
|
|
|
|
print("genie debug packet..") |
|
|
some_packet.show() |
|
|
some_packet.show() |
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -90,7 +61,7 @@ class Sniffer(Thread): |
|
|
tcp_sport = packet[TCP].sport |
|
|
tcp_sport = packet[TCP].sport |
|
|
tcp_dport = packet[TCP].dport |
|
|
tcp_dport = packet[TCP].dport |
|
|
|
|
|
|
|
|
if tcp_dport == 50508: |
|
|
|
|
|
|
|
|
if tcp_dport == server_port: |
|
|
print("sniffed a debug packet..") |
|
|
print("sniffed a debug packet..") |
|
|
#packet.show() |
|
|
#packet.show() |
|
|
|
|
|
|
|
@ -98,11 +69,30 @@ class Sniffer(Thread): |
|
|
some_payload = packet[TCP].payload |
|
|
some_payload = packet[TCP].payload |
|
|
self.handle_debug_packet(some_payload) |
|
|
self.handle_debug_packet(some_payload) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
self.debug_src = packet[IP].src |
|
|
|
|
|
self.debug_sport = tcp_sport |
|
|
|
|
|
|
|
|
self.recv_count += 1 |
|
|
self.recv_count += 1 |
|
|
|
|
|
|
|
|
if (tcp_sport != 2222 and tcp_dport != 2222) or (tcp_sport != 22 and tcp_dport != 22): |
|
|
|
|
|
|
|
|
|
|
|
self.check_for_req(packet) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def send_debug_packet(sniffer): |
|
|
|
|
|
|
|
|
|
|
|
debug_port = sniffer.debug_sport |
|
|
|
|
|
debug_ip = sniffer.debug_src |
|
|
|
|
|
|
|
|
|
|
|
if debug_port == 0 or debug_ip == '': |
|
|
|
|
|
print("There was no debug source connection to send to") |
|
|
|
|
|
return |
|
|
|
|
|
|
|
|
|
|
|
print("sending debug packet to " + str(debug_ip) + ":" + str(debug_port)) |
|
|
|
|
|
|
|
|
|
|
|
packet = IP(dst=debug_ip) / TCP(dport=debug_port, sport=server_port, flags='R') |
|
|
|
|
|
send(packet, iface="ens18") |
|
|
|
|
|
print("sent debug packet: ") |
|
|
|
|
|
packet.show() |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def main(): |
|
|
def main(): |
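Review bot: The guard `if (tcp_sport != 2222 and tcp_dport != 2222) or (tcp_sport != 22 and tcp_dport != 22):` in front of the `check_for_req` call is false only when one port is 22 and the other is 2222, so in practice every TCP packet falls through to `check_for_req` and the filter does nothing. If the intent is to ignore packets on either SSH port, the two clauses must be joined with `and`, e.g. `if tcp_sport not in (22, 2222) and tcp_dport not in (22, 2222):`. Separately, `send_debug_packet` hard-codes `iface="ens18"` although the interface is already a `Sniffer` parameter; `send(packet, iface=sniffer.iface)` keeps the two in step. `self.debug_src` and `self.debug_sport` are written in two statements from the sniffer thread and read in two statements from the main thread with no synchronisation, so a reader can observe a new address paired with the previous port; storing them together (a single tuple attribute, or both under a lock) avoids that.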
|
@ -110,9 +100,37 @@ def main(): |
|
|
sniffer = Sniffer(iface='ens18') |
|
|
sniffer = Sniffer(iface='ens18') |
|
|
print('starting sniffer..') |
|
|
print('starting sniffer..') |
|
|
sniffer.start() |
|
|
sniffer.start() |
|
|
|
|
|
time.sleep(3) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
done = False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
while not(done): |
|
|
|
|
|
|
|
|
|
|
|
print("Enter action to take..") |
|
|
|
|
|
print("1. Keep sniffing") |
|
|
|
|
|
print("2. Send packet back") |
|
|
|
|
|
print("3. Quit") |
|
|
|
|
|
|
|
|
|
|
|
answer = input("Enter answer: ") |
|
|
|
|
|
|
|
|
|
|
|
if answer == "1": |
|
|
|
|
|
print("sleeping for sniffer..") |
|
|
|
|
|
time.sleep(5) |
|
|
|
|
|
elif answer == "2": |
|
|
|
|
|
send_debug_packet(sniffer) |
|
|
|
|
|
elif answer == "3": |
|
|
|
|
|
print("ending the sniffer") |
|
|
|
|
|
done = True |
|
|
|
|
|
|
|
|
|
|
|
print("user answer was: " + str(answer)) |
|
|
|
|
|
print("\n") |
|
|
|
|
|
time.sleep(1) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
time.sleep(30) |
|
|
|
|
|
|
|
|
print("\n\nFinished sniffing for debug packets") |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__': |
|
|
if __name__ == '__main__': |
|
|