Python scapy.all.sr1() Examples
The following are 17
code examples of scapy.all.sr1().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
scapy.all
, or try the search function
.
Example #1
Source File: urgent11_detector.py From urgent11-detector with GNU Affero General Public License v3.0 | 6 votes |
def detect(self, dst_port): with get_safe_src_port() as src_port: for _ in range(CFG_RETRANSMISSION_RATE): # We start by adding normal TCP Options tcp_options = [(TCP_OPTION_MSS, struct.pack('>H', 1460)), (TCP_OPTION_NOP, b''), # WNDSCL option with invalid length, # followed by a valid one: (TCP_OPTION_WNDSCL, b''), (TCP_OPTION_WNDSCL, b'\0')] pkt = IP(dst=self._target) / TCP(sport=src_port, dport=dst_port, flags=TCP_SYN_FLAG, options=tcp_options) response = sr1(pkt, verbose=False, timeout=CFG_PACKET_TIMEOUT) if response is not None: break if response is None: self.vxworks_score = 0 self.ipnet_score = 50 elif (validate_flags(response, TCP_RST_FLAG) and validate_ports(response, dst_port, src_port)): self.vxworks_score = 100 self.ipnet_score = 100 else: self.vxworks_score = -100 self.ipnet_score = -100
Example #2
Source File: urgent11_detector.py From urgent11-detector with GNU Affero General Public License v3.0 | 6 votes |
def detect(self, dst_port): # Establish a valid connection sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) with contextlib.closing(sock) as legitimate_connection: legitimate_connection.settimeout(CFG_PACKET_TIMEOUT) legitimate_connection.connect((self._target, dst_port)) _, src_port = legitimate_connection.getsockname() _, dst_port = legitimate_connection.getpeername() # DoS the connection using CVE-2019-12258 for _ in range(CFG_RETRANSMISSION_RATE): # Malformed tcp options tcp_options = [(TCP_OPTION_WNDSCL, b'')] pkt = IP(dst=self._target) / TCP(sport=src_port, dport=dst_port, seq=0x4141, ack=0x4141, flags='S', options=tcp_options) response = sr1(pkt, verbose=False, timeout=CFG_PACKET_TIMEOUT) if response is not None: break # Check whether we managed to exploit CVE-2019-12258 if response is None: self.vxworks_score = 0 self.ipnet_score = 0 elif (validate_flags(response, TCP_RST_FLAG) and validate_ports(response, dst_port, src_port)): self.vxworks_score = 100 self.ipnet_score = 100 self.vulnerable_cves = ['CVE-2019-12258'] else: self.vxworks_score = 0 self.ipnet_score = 0
Example #3
Source File: mptcp_scanner.py From mptcp-abuse with GNU General Public License v2.0 | 6 votes |
def checkMPTCPSupportViaRST(port,target,timeout,localIP,MpCapAlreadyPassed=False): MpCapPassed = MpCapAlreadyPassed #TODO: Abstract this out more elegantly so i dont repeat code from elsewhere if not MpCapPassed: pkt = makeMPCapableSyn(localIP, port, target) response=sr1(pkt,timeout=timeout) if response and getMpOption(pkt.getlayer("TCP")) is not None: MpCapPassed = True if MpCapPassed: pkt = makeJoinSyn(localIP, port, target) response=sr1(pkt,timeout=timeout) #TODO: Add checks for other types of response (such as ICMP) #TODO: Make this clearer #Check for the flag with a mask print response.getlayer("TCP").flags if (0x04 & response.getlayer("TCP").flags) == 0x04: print "RST Test indicates MPTCP support" return True else: print "RST Test indicates host doesn't understand MPTCP" return False
Example #4
Source File: arp.py From kube-hunter with Apache License 2.0 | 5 votes |
def execute(self): config = get_config() self_ip = sr1(IP(dst="1.1.1.1", ttl=1) / ICMP(), verbose=0, timeout=config.network_timeout)[IP].dst arp_responses, _ = srp( Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op=1, pdst=f"{self_ip}/24"), timeout=config.network_timeout, verbose=0, ) # arp enabled on cluster and more than one pod on node if len(arp_responses) > 1: # L3 plugin not installed if not self.detect_l3_on_host(arp_responses): self.publish_event(PossibleArpSpoofing())
Example #5
Source File: mptcp_scanner.py From mptcp-abuse with GNU General Public License v2.0 | 5 votes |
def joinScan(targetIPList,portList,localIP,reuseRandoms=False,timeout=None): #TODO: Add return details #TODO: Decide where this fits in the workflow, after an open TCP port maybe? #TODO: Decide how we want to handle the return values from this raise NotImplementedError #The option to reuse random numbers for "increased speed" if reuseRandoms: sourceAddr = localIP sport = randintb(16) initSeq = randintb(32) if timeout is None: timeout=5 for targetIP in targetIPList: for port in portList: #First send a packet and see if we get a TCP response pkt = makeMPCapableSyn(localIP,port,targetIP) response=sr1(pkt,timeout=timeout) if response is not None: #if we do then send an invalid MPTCP join and see if we get a RST pkt = makeJoinSyn(sourceAddr, port, targetIP) response2=sr1(pkt,timeout=timeout) #If we get a RST then we know this host supports MPTCP if response2 is None: print "Target supports MPTCP but is being shifty" #If we get a normal TCP reply we know it doesn't else: mpopt = getMpOption(pkt.getlayer("TCP")) if mpopt is None: print "We have a normal TCP packet here" else: print "This header contains the following MPTCP options:", for mpo in mpopt: print mpo.name #If we get an MPACK then the host is HORRIBLY broken somehow else: #If we don't then this is just a vanilla TCP print "The host seems down?"
Example #6
Source File: core.py From mptcp-abuse with GNU General Public License v2.0 | 5 votes |
def run(self, state, pkt, wait,timeout=None): """Send pkt, receive the answer if wait is True, and return a tuple (validity of reply packet, reply packet). If no test function is given, assume it's valid.""" self.dbgshow(pkt) if wait: # do we wait for a reply ? self.debug("Waiting for packet...", level=2) if pkt is None: timeout, buffermode = None, False if type(wait) is tuple: wait, timeout, buffermode = wait #print wait #wait, buffermode = wait if hasattr(wait, '__call__'): ans = self.waitForPacket(filterfct=wait, timeout=timeout) # if buffermode: # ans is a buffer (list) # self.debug("Entering buffer mode.", level=1) # return [self.packetReceived(pkt,buffermode=True) for pkt in ans] else: raise Exception("error, no packet generated.") else: #TODO: Make sure this waits continuously in a non blocking mode, convert this to dumping from a queue ans=sr1(pkt) else: send(pkt) #print pkt self.first = True # prev_pkt shouldnt be taken into account self.debug("Packet sent, no waiting, going on with next.",2) return (True, None) # no reply, no check return self.packetReceived(ans) # post-reply actions
Example #7
Source File: urgent11_detector.py From urgent11-detector with GNU Affero General Public License v3.0 | 5 votes |
def detect(self, dst_port): pkt = IP(dst=self._target) / ICMP(type=ICMP_ECHO_REQUEST, code=0x41) response = sr1(pkt, verbose=False, timeout=CFG_PACKET_TIMEOUT) if response is None: self.ipnet_score = 0 elif response['ICMP'].code == 0: self.ipnet_score = 20 else: self.ipnet_score = -20
Example #8
Source File: urgent11_detector.py From urgent11-detector with GNU Affero General Public License v3.0 | 5 votes |
def detect(self, dst_port): pkt = IP(dst=self._target) / ICMP(ICMP_TIMESTAMP_REQUEST_TRUNCATED) response = sr1(pkt, verbose=False, timeout=CFG_PACKET_TIMEOUT) if response is None: self.ipnet_score = 0 elif response['ICMP'].type == ICMP_TIMESTAMP_REPLY: self.ipnet_score = 90 else: self.ipnet_score = -30 # CLI Logic
Example #9
Source File: arp.py From kube-hunter with Apache License 2.0 | 5 votes |
def try_getting_mac(self, ip): config = get_config() ans = sr1(ARP(op=1, pdst=ip), timeout=config.network_timeout, verbose=0) return ans[ARP].hwsrc if ans else None
Example #10
Source File: dns.py From kube-hunter with Apache License 2.0 | 5 votes |
def execute(self): config = get_config() logger.debug("Attempting to get kube-dns pod ip") self_ip = sr1(IP(dst="1.1.1.1", ttl=1) / ICMP(), verbose=0, timeout=config.netork_timeout)[IP].dst cbr0_ip, cbr0_mac = self.get_cbr0_ip_mac() kubedns = self.get_kube_dns_ip_mac() if kubedns: kubedns_ip, kubedns_mac = kubedns logger.debug(f"ip={self_ip} kubednsip={kubedns_ip} cbr0ip={cbr0_ip}") if kubedns_mac != cbr0_mac: # if self pod in the same subnet as kube-dns pod self.publish_event(PossibleDnsSpoofing(kubedns_pod_ip=kubedns_ip)) else: logger.debug("Could not get kubedns identity")
Example #11
Source File: common_utils.py From cotopaxi with GNU General Public License v2.0 | 4 votes |
def udp_sr1(test_params, udp_test, dtls_wrap=False): """Send UDP test message to server using UDP protocol and parses response.""" response = None sent_time = test_params.report_sent_packet() if not dtls_wrap: if test_params.ip_version == 4: udp_test_packet = IP() / UDP() / Raw(udp_test) udp_test_packet[IP].src = test_params.src_endpoint.ip_addr udp_test_packet[IP].dst = test_params.dst_endpoint.ip_addr elif test_params.ip_version == 6: udp_test_packet = IPv6() / UDP() / Raw(udp_test) udp_test_packet[IPv6].src = test_params.src_endpoint.ipv6_addr udp_test_packet[IPv6].dst = test_params.dst_endpoint.ip_addr udp_test_packet[UDP].sport = test_params.src_endpoint.port udp_test_packet[UDP].dport = test_params.dst_endpoint.port del udp_test_packet[UDP].chksum # if test_params.verbose: # udp_test_packet.show() if test_params.timeout_sec == 0: test_params.timeout_sec = 0.0001 response = sr1( udp_test_packet, verbose=test_params.verbose, timeout=test_params.timeout_sec, retry=test_params.nr_retries, ) if response: print_verbose( test_params, "Received response - size: {}".format(len(response)) ) test_params.report_received_packet(sent_time) else: # do_patch() if test_params.ip_version == 4: sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_DGRAM)) sock.connect( (test_params.dst_endpoint.ip_addr, test_params.dst_endpoint.port) ) sock.send(udp_test) response = IP() / UDP() / Raw(sock.recv()) if response: test_params.report_sent_packet(sent_time) # sock.close() return response
Example #12
Source File: cmd_tcp_isn.py From habu with BSD 3-Clause "New" or "Revised" License | 4 votes |
def cmd_tcp_isn(ip, port, count, iface, graph, verbose): """Create TCP connections and print the TCP initial sequence numbers for each one. \b $ sudo habu.tcp.isn -c 5 www.portantier.com 1962287220 1800895007 589617930 3393793979 469428558 Note: You can get a graphical representation (needs the matplotlib package) using the '-g' option to better understand the randomness. """ conf.verb = False if iface: iface = search_iface(iface) if iface: conf.iface = iface['name'] else: logging.error('Interface {} not found. Use habu.interfaces to show valid network interfaces'.format(iface)) return False isn_values = [] for _ in range(count): pkt = IP(dst=ip)/TCP(sport=RandShort(), dport=port, flags="S") ans = sr1(pkt, timeout=0.5) if ans: send(IP(dst=ip)/TCP(sport=pkt[TCP].sport, dport=port, ack=ans[TCP].seq + 1, flags='A')) isn_values.append(ans[TCP].seq) if verbose: ans.show2() if graph: try: import matplotlib.pyplot as plt except ImportError: print("To graph support, install matplotlib") return 1 plt.plot(range(len(isn_values)), isn_values, 'ro') plt.show() else: for v in isn_values: print(v) return True
Example #13
Source File: cmd_crack_snmp.py From habu with BSD 3-Clause "New" or "Revised" License | 4 votes |
def cmd_crack_snmp(ip, community, port, stop, verbose): """Launches snmp-get queries against an IP, and tells you when finds a valid community string (is a simple SNMP cracker). The dictionary used is the distributed with the onesixtyone tool https://github.com/trailofbits/onesixtyone Example: \b # habu.crack.snmp 179.125.234.210 Community found: private Community found: public Note: You can also receive messages like \<UNIVERSAL\> \<class 'scapy.asn1.asn1.ASN1\_Class\_metaclass'\>, I don't know how to supress them for now. """ FILEDIR = os.path.dirname(os.path.abspath(__file__)) DATADIR = os.path.abspath(os.path.join(FILEDIR, '../data')) COMMFILE = Path(os.path.abspath(os.path.join(DATADIR, 'dict_snmp.txt'))) if community: communities = [community] else: with COMMFILE.open() as cf: communities = cf.read().split('\n') conf.verb = False for pkt in IP(dst=ip)/UDP(sport=port, dport=port)/SNMP(community="public", PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1"))])): if verbose: print(pkt[IP].dst) for community in communities: if verbose: print('.', end='') sys.stdout.flush() pkt[SNMP].community=community ans = sr1(pkt, timeout=0.5, verbose=0) if ans and UDP in ans: print('\n{} - Community found: {}'.format(pkt[IP].dst, community)) if stop: break return True
Example #14
Source File: cmd_tcp_flags.py From habu with BSD 3-Clause "New" or "Revised" License | 4 votes |
def cmd_tcp_flags(ip, port, flags, rflags, verbose): """Send TCP packets with different flags and tell what responses receives. It can be used to analyze how the different TCP/IP stack implementations and configurations responds to packet with various flag combinations. Example: \b # habu.tcp_flags www.portantier.com S -> SA FS -> SA FA -> R SA -> R By default, the command sends all possible flag combinations. You can specify which flags must ever be present (reducing the quantity of possible combinations), with the option '-f'. Also, you can specify which flags you want to be present on the response packets to show, with the option '-r'. With the next command, you see all the possible combinations that have the FIN (F) flag set and generates a response that contains the RST (R) flag. Example: \b # habu.tcp_flags -f F -r R www.portantier.com FPA -> R FSPA -> R FAU -> R """ conf.verb = False pkts = IP(dst=ip) / TCP(flags=(0, 255), dport=port) out = "{:>8} -> {:<8}" for pkt in pkts: if not flags or all(i in pkt.sprintf(r"%TCP.flags%") for i in flags): ans = sr1(pkt, timeout=0.2) if ans: if not rflags or all(i in ans.sprintf(r"%TCP.flags%") for i in rflags): print(out.format(pkt.sprintf(r"%TCP.flags%"), ans.sprintf(r"%TCP.flags%"))) return True
Example #15
Source File: cmd_traceroute.py From habu with BSD 3-Clause "New" or "Revised" License | 4 votes |
def cmd_traceroute(ip, port, iface): """TCP traceroute. Identify the path to a destination getting the ttl-zero-during-transit messages. Note: On the internet, you can have various valid paths to a device. Example: \b # habu.traceroute 45.77.113.133 IP / ICMP 192.168.0.1 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror IP / ICMP 10.242.4.197 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror / Padding IP / ICMP 200.32.127.98 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror / Padding . IP / ICMP 4.16.180.190 > 192.168.0.5 time-exceeded ttl-zero-during-transit / IPerror / TCPerror . IP / TCP 45.77.113.133:http > 192.168.0.5:ftp_data SA / Padding Note: It's better if you use a port that is open on the remote system. """ conf.verb = False if iface: iface = search_iface(iface) if iface: conf.iface = iface['name'] else: logging.error('Interface {} not found. Use habu.interfaces to show valid network interfaces'.format(iface)) return False pkts = IP(dst=ip, ttl=(1, 16)) / TCP(dport=port) for pkt in pkts: ans = sr1(pkt, timeout=1, iface=conf.iface) if not ans: print('.') continue print(ans.summary()) if TCP in ans and ans[TCP].flags == 18: break return True
Example #16
Source File: cmd_icmp_ping.py From habu with BSD 3-Clause "New" or "Revised" License | 4 votes |
def cmd_icmp_ping(ip, interface, count, timeout, wait, verbose): """The classic ping tool that send ICMP echo requests. \b # habu.icmp.ping 8.8.8.8 IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding """ if interface: conf.iface = interface conf.verb = False conf.L3socket=L3RawSocket layer3 = IP() layer3.dst = ip layer3.tos = 0 layer3.id = 1 layer3.flags = 0 layer3.frag = 0 layer3.ttl = 64 layer3.proto = 1 # icmp layer4 = ICMP() layer4.type = 8 # echo-request layer4.code = 0 layer4.id = 0 layer4.seq = 0 pkt = layer3 / layer4 counter = 0 while True: ans = sr1(pkt, timeout=timeout) if ans: if verbose: ans.show() else: print(ans.summary()) del(ans) else: print('Timeout') counter += 1 if count != 0 and counter == count: break sleep(wait) return True
Example #17
Source File: mptcp_scanner.py From mptcp-abuse with GNU General Public License v2.0 | 4 votes |
def defaultScan(targetIPList,portList,localIP=None,checkHostUp=True,reuseRandoms=False,timeout=None): #The option to reuse random numbers for "increased speed" if reuseRandoms: sourcAddr = localIP sport = randintb(16) initSeq = randintb(32) if timeout is None: timeout=5 #Form of results # results = {"targetIP": # [{"porta","ResponseType"}, # {"porta","ResponseType"}, # {"porta","ResponseType"} # ] # } results = {} for targetIP in targetIPList: print "Testing:", targetIP, localIP = localIP if localIP else get_local_ip_address(targetIP) gatewayIP = Route().route(str(targetIP))[2] if checkHostUp and gatewayIP == '0.0.0.0': print "... on local network...", arpadd = getmacbyip(str(targetIP)) if arpadd == None: print " not got MAC, skipping" continue if arpadd == "ff:ff:ff:ff:ff:ff": print "This appears to be localhost?" else: print " at ARP:", arpadd else: print "Via", gatewayIP, " Not on local network" for port in portList: pkt = makeMPCapableSyn(localIP,port,targetIP) response=sr1(pkt,timeout=timeout) if response is None: pass #print "No pkt received from ", targetIP,":", port else: processedResponse = processResponsePacketSimple(response,targetIP,localIP,port,timeout) if targetIP in results: if processedResponse is not None: results[targetIP].append(processedResponse) else: if processedResponse is not None: results[targetIP] = [processedResponse] #if True or port % 100 == 0: # print "\n\tChecking port: ", port return results