  1. #!/usr/bin/env python
  2. """
  3.    Author: DiabloHorn (http://diablohorn.wordpress.com)
  4.    Purpose: Scan for hosts which are suitable to perform an idle scan.
  5.    More info: http://nmap.org/book/idlescan.html
  6. """
  7. import sys
  8. import getopt
  9. from scapy import *
  10.  
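def analyzeIPID(lipid, verbose=None):
    """
    Classify a host's IP ID sequence to decide whether it can act as an
    idle-scan zombie.

    Shameless port of Metasploit's ipidseq scanner:
    https://metasploit.com/trac/browser/framework3/trunk/modules/auxiliary/scanner/ip/ipidseq.rb

    Only a host reported as "Incremental!" is a zombie candidate. Be aware
    that every probe here comes from one source address, so a stack that
    keeps a separate IP ID counter per destination also looks incremental
    from this vantage point yet is useless for an idle scan; confirm the
    counter is global (e.g. with nmap's -sI zombie check) before relying
    on it.

    lipid:   list of IP ID values (16-bit, 0..65535) in reply order.
    verbose: print the raw sequence when true. Defaults to scapy's
             conf.verb > 0 so the existing call site keeps its behaviour.
    Returns one of "Unknown", "Randomized", "All zeros",
    "Random positive increment", "Constant",
    "Broken little-endian incremental" or "Incremental!".
    (Fixes the original's "Incemental!" typo and the inconsistent
    "unknown"/"Unknown" spellings for the same verdict.)
    """
    if verbose is None:
        verbose = conf.verb > 0
    if verbose:
        print("[*] Analyzing %s" % lipid)
        print("[*] Length  %s" % len(lipid))
    # Fewer than two samples give no delta to reason about.
    if len(lipid) < 2:
        return "Unknown"

    allzeros = all(v == 0 for v in lipid)
    diffs = []
    for p, c in zip(lipid, lipid[1:]):
        # The IP ID is a 16-bit counter: a wrap-around shows up as p > c.
        delta = c - p if p <= c else c - p + 65536
        diffs.append(delta)
        # A jump above 20000 between consecutive replies means a random
        # generator; only decided once there are enough samples to rule
        # out a single fluke.
        if len(lipid) > 2 and delta > 20000:
            return "Randomized"

    if allzeros:
        return "All zeros"

    allsame = True
    mul256 = True
    inc = True
    for diff in diffs:
        # Big steps that are not clean multiples of 256 (or are huge even
        # if they are) indicate random positive increments.
        if diff > 1000 and ((diff % 256) != 0 or diff >= 25600):
            return "Random positive increment"
        if diff != 0:
            allsame = False
        # A byte-swapped (little-endian) counter advances by 256 per packet.
        if diff > 5120 or (diff % 256) != 0:
            mul256 = False
        # Steps of less than 10 are what a sane incremental counter shows
        # on a lightly loaded host.
        if diff >= 10:
            inc = False

    if allsame:
        return "Constant"
    if mul256:
        return "Broken little-endian incremental"
    if inc:
        return "Incremental!"
    return "Unknown"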
  70.  
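def txthelp():
    """
    Print the usage banner and exit with status 0. Never returns.

    The wait time belongs to -w, so the usage line now shows it as
    "[-w <waittime>]" instead of the misleading "[-w] <waittime>".
    """
    print("[*] DiabloHorn http://diablohorn.wordpress.com")
    print("[*] " + sys.argv[0] + " [-v] -t <target> [-w <waittime>]")
    sys.exit(0)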
  75.  
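if __name__ == "__main__":
    # No arguments at all: show usage. A missing -t is caught further down.
    if len(sys.argv) <= 1:
        txthelp()
    print("")
    rawdata = dict()
    conf.verb = 0
    target = None
    # Per-round reply timeout in seconds. The original script raised a
    # NameError when -w was omitted; 2s is an arbitrary but finite default
    # (a timeout of None would make scapy wait indefinitely for filtered
    # ports).
    to = 2.0
    try:
        opts, args = getopt.getopt(sys.argv[1:], "vht:w:", ["verbose", "help", "target=", "waittime="])
    except getopt.GetoptError as err:
        print(str(err))
        txthelp()

    for o, a in opts:
        if o in ("-h", "--help"):
            txthelp()
        elif o in ("-v", "--verbose"):
            conf.verb = 2
        elif o in ("-t", "--target"):
            target = a
        elif o in ("-w", "--waittime"):
            # The long form is declared as "waittime=" above; the original
            # matched "--wait" here, so --waittime fell through to the
            # "Unknown option" branch.
            try:
                to = float(a)
            except ValueError:
                print("[!] waittime must be a number, got %r" % a)
                sys.exit(1)
        else:
            print("Unknown option")
            sys.exit(1)
    # Without an explicit target the probe would go to scapy's default
    # destination rather than to anything the user asked for.
    if target is None:
        print("[!] a target (-t) is required")
        txthelp()
    pcktIPID = IP(dst=target)
    if conf.verb > 0:
        print("[*] verbose set to: " + str(conf.verb))
        print("[*] target set to: " + str(pcktIPID.dst))
        print("[*] wait time set to: " + str(to))
    print("[*] Starting scan")

    # Send five rounds of TCP probes (scapy's default TCP flags are SYN) to
    # 80/tcp and 443/tcp and record the IP ID of every reply, keyed by the
    # replying source address. Replies to both ports are merged into one
    # sequence per host, which is what we want when looking for a single
    # global IP ID counter. Note this is a visible port probe of the target.
    for i in range(0, 5):
        res, unans = sr(pcktIPID / TCP(dport=[80, 443]), timeout=to)
        for s, r in res:
            rawdata.setdefault(r[IP].src, []).append(r[IP].id)

    # Classify and print the verdict for each host that answered. Only
    # "Incremental!" hosts are zombie candidates, and even those should be
    # confirmed to have a global (not per-destination) counter before use.
    for k, v in rawdata.items():
        rawdata[k] = analyzeIPID(v)
        print("[*] %s = %s" % (k, rawdata[k]))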