
Showing posts with label MITM.

sharkPy - NSA Tool to Dissect, Analyze, and Interact with Network Packet Data using Wireshark and libpcap capabilities


A python module to dissect, analyze, and interact with network packet data as native Python objects using Wireshark and libpcap capabilities. sharkPy dissect modules extend and otherwise modify Wireshark's tshark. SharkPy packet injection and pcap file writing modules wrap useful libpcap functionality.

SharkPy comes with six modules that allow one to explore, create, and/or modify packet data, (re)send data over the network, and write (possibly modified) packets to a new pcap output file. This is all done within a Python program or an interactive Python session.
  1. sharkPy.file_dissector -- dissect capture file packets using Wireshark's dissection libraries and present detailed packet dissections to caller as native Python objects.
  2. sharkPy.wire_dissector -- capture packets from interface and dissect captured packets using Wireshark's dissection libraries. Presents packets to callers as native Python objects.
  3. sharkPy.file_writer -- write (possibly modified) packets to a new output pcap file. For example, one can dissect packet capture file using sharkPy.file_dissector, create new packets based on the packets in the dissected file, and then write new/modified packets to an output pcap file.
  4. sharkPy.wire_writer -- write arbitrary data (e.g. modified packets) to specified network interface using libpcap functionality. Currently, sharkPy users are responsible for correctly building packets that are transmitted using this module's functionality.
  5. sharkPy.utils -- a set of utility functions
  6. sharkPy.protocol_blender -- protocol specific convenience functions. Currently contains functions for ipv4 and tcp over ipv4.
SharkPy is provided "as-is" with NO WARRANTIES expressed or implied under GPLv2. Use at your own risk.

Design Goals
  1. Deliver dissected packet data to callers as native python objects.
  2. Provide functionality within a Python environment, either a python program or interactive python session.
  3. Make commands non-blocking whenever reasonable, providing command results to the caller on demand.
  4. Be easy to understand and use assuming one understands Wireshark and python basics.
  5. Pack functionality into a small number of commands.
  6. Build and install as little C-code as possible by linking to preexisting Wireshark shared libs.

Why sharkPy?
SharkPy has a long-term goal of segmenting Wireshark's incredible diversity of capabilities into a set of shared libraries that are smaller, more modular, and more easily compiled and linked into other projects. This goal separates sharkPy from other similar efforts that endeavor to marry Wireshark/tshark and Python.
The first step is to provide Wireshark/tshark capabilities as Python modules that can be compiled/linked outside of Wireshark's normal build process. This has been achieved at least for some Linux environments/distros. The next step is to expand to a broader range of Linux distros and to Windows, improving stability along the way. Once this is completed and sharkPy's capabilities are similar to those provided by tshark, the sharkPy project devs will start the process of segmenting the code base as described above.

HOW-TO

VM INSTALL

Should install/run on most Linux distros as long as Wireshark version 2.0.1 or newer is installed and the following steps (or equivalent) are successful.

## ubuntu-16.04-desktop-amd64 -- clean install
sudo apt-get install git
git clone https://github.com/NationalSecurityAgency/sharkPy
sudo apt-get install libpcap-dev
sudo apt-get install libglib2.0-dev
sudo apt-get install libpython-dev
sudo apt-get install wireshark-dev #if you didn't build/install wireshark (be sure wireshark libs are in LD_LIBRARY_PATH)
sudo apt-get install wireshark #if you didn't build/install wireshark (be sure wireshark libs are in LD_LIBRARY_PATH)
cd sharkPy
sudo ./setup install

DOCKER

Set up
First, make a sharkPy directory and place the Dockerfile into it. cd into this new directory.

Build sharkPy Docker image
docker build -t "ubuntu16_04:sharkPy" .

Notes:
  • build will take a while and should be completely automated.
  • sharkPy dist code will be in /sharkPy
  • build creates Ubuntu 16.04 image and installs sharkPy as a Python module

Run interactively as Docker container.
Should give you command prompt
docker run -it ubuntu16_04:sharkPy /bin/bash

Command prompt and access to host NICs (to allow for network capture)
docker run -it --net=host ubuntu16_04:sharkPy /bin/bash


sharkPy API

Dissecting packets from file

dissect_file(file_path, options=[], timeout=10): collect packets from a packet capture file, delivering packet dissections when requested using the get_next_from_file function.
  • file_path: name of the packet capture file.
  • options: collection and dissection options. Options are disopt.DECODE_AS and disopt.NAME_RESOLUTION.
  • timeout: amount of time (in seconds) to wait before the file open fails.
  • RETURNS tuple (p, exit_event, shared_pipe):
    • p: dissection process handle.
    • exit_event: event handler used to signal that collection should stop.
    • shared_pipe: shared pipe that dissector returns dissection trees into.
    • NOTE: users should not directly interact with these return objects. Instead returned tuple is passed into get_next_from_file and close_file functions as input param.
get_next_from_file(dissect_process,timeout=None): get next available packet dissection.
  • dissect_process: tuple returned from the dissect_file function.
  • timeout: amount of time to wait (in seconds) before the operation times out.
  • RETURNS root node of packet dissection tree.
close_file(dissect_process): stop and clean up.
  • dissect_process: tuple returned from the dissect_file function.
  • RETURNS None.
  • NOTE: close_file MUST be called on each session.

Dissecting packets from wire

dissect_wire(interface, options=[], timeout=None): collect packets from an interface, delivering packet dissections when requested using the get_next_from_wire function.
  • interface: name of the interface to capture from.
  • options: collection and dissection options. Options are disopt.DECODE_AS, disopt.NAME_RESOLUTION, and disopt.NOT_PROMISCUOUS.
  • timeout: amount of time (in seconds) to wait before the capture start fails.
  • RETURNS tuple (p, exit_event, shared_queue).
    • p: dissection process handle.
    • exit_event: event handler used to signal that collection should stop.
    • shared_queue: shared queue that dissector returns dissection trees into.
    • NOTE: users should not directly interact with these return objects. Instead returned tuple is passed into get_next_from_wire and close_wire functions as input param.
get_next_from_wire(dissect_process,timeout=None): get next available packet dissection from live capture.
  • dissect_process: tuple returned from the dissect_wire function.
  • timeout: amount of time to wait (in seconds) before the operation times out.
  • RETURNS root node of packet dissection tree.
close_wire(dissect_process): stop and clean up from live capture.
  • dissect_process: tuple returned from the dissect_wire function.
  • RETURNS None.
  • NOTE: close_wire MUST be called on each capture session.

Writing data/packets on wire or to file

wire_writer(write_interface_list): wire_writer constructor. Used to write arbitrary data to interfaces.
  • write_interface_list: list of interface names to write to.
  • RETURNS: wire_writer object.
    • wire_writer.cmd: pass a command to writer.
      • wr.cmd(command=wr.WRITE_BYTES, command_data=data_to_write, command_timeout=2)
      • wr.cmd(command=wr.SHUT_DOWN_ALL, command_data=None, command_timeout=2)
      • wr.cmd(command=wr.SHUT_DOWN_NAMED, command_data=interface_name, command_timeout=2)
    • wire_writer.get_rst(timeout=1): RETURNS tuple (success/failure, number_of_bytes_written)
file_writer(): Creates a new file_writer object to write packets to an output pcap file.
  • make_pcap_error_buffer(): Creates a correctly sized and initialized error buffer.
    • Returns error buffer.
  • pcap_write_file(output_file_path, error_buffer): create and open new pcap output file.
    • output_file_path: path for newly created file.
    • err_buffer: error buffer object returned by make_pcap_error_buffer(). Any error messages will be written to this buffer.
    • RETURNS: ctypes.c_void_p, which is a context object required for other write related functions.
  • pcap_write_packet(context, upper_time_val, lower_time_val, num_bytes_to_write, data_to_write, error_buffer): writes packets to opened pcap output file.
    • context: object returned by pcap_write_file().
    • upper_time_val: packet epoch time in seconds. Can be first value in tuple returned from utility function get_pkt_times().
    • lower_time_val: packet epoch time nanoseconds remainder. Can be second value in tuple returned from utility function get_pkt_times().
    • num_bytes_to_write: number of bytes to write to file, size of data buffer.
    • data_to_write: buffer of data to write.
    • err_buffer: error buffer object returned by make_pcap_error_buffer(). Any error messages will be written to this buffer.
    • RETURNS 0 on success, -1 on failure. Error message will be available in err_buffer.
  • pcap_close(context): MUST be called to flush write buffer, close write file, and free allocated resources.
    • context: object returned by pcap_write_file().
    • RETURNS: None.

Utility functions

do_funct_walk(root_node, funct, aux=None): recursively pass each node in dissection tree (and aux) to function. Depth first walk.
  • root_node: node in dissection tree that will be the first to be passed to function.
  • funct: function to call.
  • aux: optional auxiliary variable that will be passed in as a parameter as part of each function call.
  • RETURNS None.
get_node_by_name(root_node, name): finds and returns a list of dissection nodes in dissection tree with a given name (i.e. 'abbrev').
  • root_node: root of dissection tree being passed into function.
  • name: Name of node used as match key. Matches against the 'abbrev' attribute.
  • RETURNS: a list of nodes in dissection tree with 'abbrev' attribute that matches name.
  • NOTE: 'abbrev' attribute is not necessarily unique in a given dissection tree. This is the reason that this function returns a LIST of matching nodes.
get_node_data_details(node): Returns a tuple of values that describe the data in a given dissection node.
  • node: node that will have its details provided.
  • RETURNS: tuple (data_len,first_byte_index, last_byte_index, data, binary_data).
    • data_len: number of bytes in node's data.
    • first_byte_index: byte offset from start of packet where this node's data starts.
    • last_byte_index: byte offset from start of packet where this node's data ends.
    • data: string representation of node data.
    • binary_data: binary representation of node data.
get_pkt_times(pkt=input_packet): Returns tuple containing packet timestamp information.
  • pkt: packet dissection tree returned from one of sharkPy's dissection routines.
  • RETURNS: The tuple (epoch_time_seconds, epoch_time_nanosecond_remainder). These two values are required for file_writer instances.
find_replace_data(pkt, field_name, test_val, replace_with=None, condition_funct=condition_data_equals, enforce_bounds=True, quiet=True): A general search, match, and replace data in packets.
  • pkt: packet dissection tree returned from one of sharkPy's dissection routines.
  • field_name: the 'abbrev' field name that will have its data modified/replaced.
  • test_val: data_val/buffer that will be used for comparison in matching function.
  • replace_with: data that will replace the data in matching dissection fields.
  • condition_funct: A function that returns True or False and has the prototype condition_funct(node_val, test_val, pkt_dissection_tree). Default is the condition_data_equals() function that returns True if node_val == test_val. This is a literal byte for byte matching.
  • enforce_bounds: If set to True, enforces condition that len(replace_with) == len(node_data_to_be_replaced). Good idea to keep this set to its default, which is True.
  • quiet: If set to False, will print error message to stdout if the target field 'abbrev' name cannot be found in packet dissection tree.
  • RETURNS: new packet data represented as a hex string or None if target field is not in packet.
condition_data_equals(node_val, test_val, pkt_dissection_tree=None): A matching function that can be passed to find_replace_data().
  • node_val: value from the dissected packet that is being checked
  • test_val: value that node_val will be compared to.
  • pkt_dissection_tree: entire packet dissection tree. Not used in this comparison.
  • RETURNS True if a byte for byte comparison reveals that node_val == test_val. Otherwise, returns False.
condition_always_true(node_val=None, test_val=None, pkt_dissection_tree=None): A matching function that can be passed to find_replace_data().
  • node_val: Not used in this comparison
  • test_val: Not used in this comparison
  • pkt_dissection_tree: entire packet dissection tree. Not used in this comparison.
  • RETURNS True ALWAYS. Useful if the only matching criterion is that the target field exists in the packet dissection.
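The utility functions above (do_funct_walk, get_node_by_name, and the collect_proto_ids indexing used later in the session) are all variations on one depth-first walk over the dissection tree. The following is an added example, not sharkPy's own code: it reimplements that walk on a small constructed tree that mirrors the node shape the session shows (nodes expose `.attributes.abbrev` and `.children`), to make concrete why the index and the lookup return lists rather than single nodes. The Node class, the sample values, and the helper names are assumptions made for this example.

```python
from collections import namedtuple

# Minimal stand-in for a sharkPy dissection node (constructed for this example).
# Real nodes expose .attributes.abbrev and .children in the same way.
Attributes = namedtuple("Attributes", "abbrev name fvalue")


class Node(object):
    def __init__(self, abbrev, name, fvalue=None, children=()):
        self.attributes = Attributes(abbrev, name, fvalue)
        self.children = list(children)


def do_funct_walk(root_node, funct, aux=None):
    """Depth-first, pre-order walk: funct(node, aux) is called once per node."""
    funct(root_node, aux)
    for child in root_node.children:
        do_funct_walk(child, funct, aux)


def collect_proto_ids(root_node, index):
    """Index every node by 'abbrev'. Values are lists: abbrevs repeat within one packet."""
    def add(node, idx):
        idx.setdefault(node.attributes.abbrev, []).append(node)
    do_funct_walk(root_node, add, index)
    return index


def get_node_by_name(root_node, name):
    """Shortcut for a single abbrev: same walk, but only matching nodes are kept."""
    def keep(node, acc):
        if node.attributes.abbrev == name:
            acc.append(node)
    found = []
    do_funct_walk(root_node, keep, found)
    return found


def build_sample_tree():
    # Constructed sample mirroring the frame -> ip/tcp shape of the session above.
    # 'tcp.port' appears twice (source and destination port), exactly the case
    # that forces list-valued results.
    tcp = Node("tcp", "Transmission Control Protocol", children=[
        Node("tcp.srcport", "Source Port", 52630),
        Node("tcp.dstport", "Destination Port", 80),
        Node("tcp.port", "Source or Destination Port", 52630),
        Node("tcp.port", "Source or Destination Port", 80),
    ])
    ip = Node("ip", "Internet Protocol Version 4", children=[
        Node("ip.src", "Source", "192.168.79.1"),
        Node("ip.dst", "Destination", "192.168.79.255"),
    ])
    return Node("frame", "Frame", children=[Node("frame.len", "Frame length", 54), ip, tcp])


if __name__ == "__main__":
    tree = build_sample_tree()
    index = collect_proto_ids(tree, {})
    for abbrev in sorted(index):
        print("%-12s -> %d node(s)" % (abbrev, len(index[abbrev])))
    print([n.attributes.fvalue for n in get_node_by_name(tree, "tcp.port")])
```

Because the walk is pre-order, a protocol node is always visited before its fields, which is what the level/offset ordering in the printed dissections above reflects.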

Protocol Blender

ipv4_find_replace(pkt_dissection, src_match_value=None, dst_match_value=None, new_srcaddr=None, new_dstaddr=None, update_checksum=True, condition_funct=sharkPy.condition_data_equals): Modifies select ipv4 fields.
  • pkt_dissection: packet dissection tree.
  • src_match_value: current source ip address to look for (in hex). This value will be replaced.
  • dst_match_value: current destination ip address to look for (in hex). This value will be replaced.
  • new_srcaddr: replace current source ip address with this ip address (in hex).
  • new_dstaddr: replace current destination ip address with this ip address (in hex).
  • update_checksum: fixup ipv4 checksum if True (default).
  • condition_funct: matching function used to find correct packets to modify.
tcp_find_replace(pkt_dissection, src_match_value=None, dst_match_value=None, new_srcport=None, new_dstport=None, update_checksum=True, condition_funct=sharkPy.condition_data_equals): Modifies select fields for tcp over ipv4.
  • pkt_dissection: packet dissection tree.
  • src_match_value: current source tcp port to look for (in hex). This value will be replaced.
  • dst_match_value: current destination tcp port to look for (in hex). This value will be replaced.
  • new_srcport: replace current source tcp port with this tcp port (in hex).
  • new_dstport: replace current destination tcp port with this tcp port (in hex).
  • update_checksum: fixup tcp checksum if True (default).
  • condition_funct: matching function used to find correct packets to modify.
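Both find_replace_data (byte-for-byte matching, enforce_bounds) and ipv4_find_replace (update_checksum) are easier to reason about on raw bytes. The following is an added example written for this page, not sharkPy's code: it applies the same match-then-replace rule to the source/destination address of a constructed IPv4 header and recomputes the RFC 1071 header checksum, so you can see that a length-preserving replacement without a checksum update leaves a packet any receiver would discard. The function names, the hex-string (no 0x prefix) argument convention, and the sample header are assumptions made for this example.

```python
import binascii


def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of an IPv4 header (RFC 1071).
    Over a header whose checksum field is zero it yields the value to store;
    over a correct header (checksum included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def find_replace_bytes(data, offset, test_val, replace_with, enforce_bounds=True):
    """Literal byte-for-byte match of test_val at offset (the condition_data_equals
    rule), then replacement. Returns the new bytes, or None when nothing matched."""
    if enforce_bounds and len(replace_with) != len(test_val):
        raise ValueError("replacement must be the same length as the matched field")
    if data[offset:offset + len(test_val)] != test_val:
        return None
    return data[:offset] + replace_with + data[offset + len(test_val):]


def ipv4_find_replace(pkt, src_match_value=None, new_srcaddr=None,
                      dst_match_value=None, new_dstaddr=None, update_checksum=True):
    """Replace source and/or destination address of an IPv4 packet whose header
    starts at offset 0. Addresses are hex strings such as 'c0a84f01'."""
    ihl = (pkt[0] & 0x0F) * 4               # header length from the IHL nibble
    out = pkt
    for off, match, new in ((12, src_match_value, new_srcaddr),
                            (16, dst_match_value, new_dstaddr)):
        if match is None or new is None:
            continue
        replaced = find_replace_bytes(out, off, binascii.unhexlify(match),
                                      binascii.unhexlify(new))
        if replaced is not None:
            out = replaced
    if update_checksum:
        zeroed = out[:10] + b"\x00\x00" + out[12:ihl]
        out = out[:10] + ipv4_checksum(zeroed).to_bytes(2, "big") + out[12:]
    return out


def checksum_is_valid(pkt):
    """True when the stored header checksum matches the header contents."""
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


# Constructed sample: 20-byte IPv4 header, TTL 64, protocol TCP,
# src 192.168.79.1 (c0a84f01), dst 192.168.79.255 (c0a84fff), checksum zeroed.
SAMPLE = binascii.unhexlify("45000028" "12344000" "40060000" "c0a84f01" "c0a84fff")


if __name__ == "__main__":
    good = ipv4_find_replace(SAMPLE)                     # only fills in the checksum
    stale = ipv4_find_replace(good, "c0a84f01", "01010101", update_checksum=False)
    fixed = ipv4_find_replace(good, "c0a84f01", "01010101")
    print("original valid:", checksum_is_valid(good))
    print("rewritten, checksum not updated:", checksum_is_valid(stale))
    print("rewritten, checksum updated:", checksum_is_valid(fixed), hex(fixed[10] << 8 | fixed[11]))
```

Note that the TCP checksum covers a pseudo-header containing the IP addresses as well, so an address rewrite also invalidates the transport checksum; that is why tcp_find_replace carries its own update_checksum flag.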

Dissect packets in a capture file
>>> import sharkPy

Supported options so far are DECODE_AS and NAME_RESOLUTION (use option to disable)
>>> in_options=[(sharkPy.disopt.DECODE_AS, r'tcp.port==8888-8890,http'), (sharkPy.disopt.DECODE_AS, r'tcp.port==9999:3,http')]

Start file read and dissection.
>>> dissection = sharkPy.dissect_file(r'/home/me/capfile.pcap', options=in_options)

Use sharkPy.get_next_from_file to get packet dissections of read packets.
>>> rtn_pkt_dissections_list = []
>>> for cnt in xrange(13):
...     pkt = sharkPy.get_next_from_file(dissection)
...     rtn_pkt_dissections_list.append(pkt)

Node Attributes:
abbrev: frame.
name: Frame.
blurb: None.
fvalue: None.
level: 0.
offset: 0.
ftype: 1.
ftype_desc: FT_PROTOCOL.
repr: Frame 253: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0.
data: 005056edfe68000c29....<rest edited out>

Number of child nodes: 17
frame.interface_id
frame.encap_type
frame.time
frame.offset_shift
frame.time_epoch
frame.time_delta
frame.time_delta_displayed
frame.time_relative
frame.number
frame.len
frame.cap_len
frame.marked
frame.ignored
frame.protocols
eth
ip
tcp

Node Attributes:
abbrev: frame.interface_id.
name: Interface id.
blurb: None.
fvalue: 0.
level: 1.
offset: 0.
ftype: 6.
ftype_desc: FT_UINT32.
repr: Interface id: 0 (eno16777736).
data: None.

Number of child nodes: 0

...<remaining edited out>

Must always close sessions
>>> sharkPy.close_file(dissection)

Take a packet dissection tree and index all nodes by their names (abbrev field)
>>> pkt_dict = {}
>>> sharkPy.collect_proto_ids(rtn_pkt_dissections_list[0], pkt_dict)

Here are all the keys used to index this packet dissection
>>> print pkt_dict.keys()
['tcp.checksum_bad', 'eth.src_resolved', 'tcp.flags.ns', 'ip', 'frame', 'tcp.ack', 'tcp', 'frame.encap_type', 'eth.ig', 'frame.time_relative', 'ip.ttl', 'tcp.checksum_good', 'tcp.stream', 'ip.version', 'tcp.seq', 'ip.dst_host', 'ip.flags.df', 'ip.flags', 'ip.dsfield', 'ip.src_host', 'tcp.len', 'ip.checksum_good', 'tcp.flags.res', 'ip.id', 'ip.flags.mf', 'ip.src', 'ip.checksum', 'eth.src', 'text', 'frame.cap_len', 'ip.hdr_len', 'tcp.flags.cwr', 'tcp.flags', 'tcp.dstport', 'ip.host', 'frame.ignored', 'tcp.window_size', 'eth.dst_resolved', 'tcp.flags.ack', 'frame.time_delta', 'tcp.flags.urg', 'ip.dsfield.ecn', 'eth.addr_resolved', 'eth.lg', 'frame.time_delta_displayed', 'frame.time', 'tcp.flags.str', 'ip.flags.rb', 'tcp.flags.fin', 'ip.dst', 'tcp.flags.reset', 'tcp.flags.ecn', 'tcp.port', 'eth.type', 'ip.checksum_bad', 'tcp.window_size_value', 'ip.addr', 'ip.len', 'frame.time_epoch', 'tcp.hdr_len', 'frame.number', 'ip.dsfield.dscp', 'frame.marked', 'eth.dst', 'tcp.flags.push', 'tcp.srcport', 'tcp.checksum', 'tcp.urgent_pointer', 'eth.addr', 'frame.offset_shift', 'tcp.window_size_scalefactor', 'ip.frag_offset', 'tcp.flags.syn', 'frame.len', 'eth', 'ip.proto', 'frame.protocols', 'frame.interface_id']

Note that pkt_dict entries are lists given that 'abbrevs' are not always unique within a packet.
>>> val_list = pkt_dict['tcp']

Turns out that 'tcp' list has only one element as shown below.
>>> for each in val_list:
...     print each
...
Node Attributes:
abbrev: tcp.
name: Transmission Control Protocol.
blurb: None.
fvalue: None.
level: 0.
offset: 34.
ftype: 1.
ftype_desc: FT_PROTOCOL.
repr: Transmission Control Protocol, Src Port: 52630 (52630), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 0.
data: cd960050df6129ca0d993e7750107d789f870000.

Number of child nodes: 15
tcp.srcport
tcp.dstport
tcp.port
tcp.port
tcp.stream
tcp.len
tcp.seq
tcp.ack
tcp.hdr_len
tcp.flags
tcp.window_size_value
tcp.window_size
tcp.window_size_scalefactor
tcp.checksum
tcp.urgent_pointer

Shortcut for finding a node by name:
>>> val_list = sharkPy.get_node_by_name(rtn_pkt_dissections_list[0], 'ip')

Each node in a packet dissection tree has attributes and a child node list.
>>> pkt = val_list[0]

This is how one accesses attributes
>>> print pkt.attributes.abbrev
tcp
>>> print pkt.attributes.name
Transmission Control Protocol

Here's the pkt's child list
>>> print pkt.children
[<sharkPy.dissect.file_dissector.node object at 0x10fda90>, <sharkPy.dissect.file_dissector.node object at 0x10fdb10>, <sharkPy.dissect.file_dissector.node object at 0x10fdbd0>, <sharkPy.dissect.file_dissector.node object at 0x10fdc90>, <sharkPy.dissect.file_dissector.node object at 0x10fdd50>, <sharkPy.dissect.file_dissector.node object at 0x10fddd0>, <sharkPy.dissect.file_dissector.node object at 0x10fde50>, <sharkPy.dissect.file_dissector.node object at 0x10fded0>, <sharkPy.dissect.file_dissector.node object at 0x10fdf90>, <sharkPy.dissect.file_dissector.node object at 0x1101090>, <sharkPy.dissect.file_dissector.node object at 0x11016d0>, <sharkPy.dissect.file_dissector.node object at 0x11017d0>, <sharkPy.dissect.file_dissector.node object at 0x1101890>, <sharkPy.dissect.file_dissector.node object at 0x1101990>, <sharkPy.dissect.file_dissector.node object at 0x1101b50>]

Get useful information about a dissection node's data
>>> data_len, first_byte_offset, last_byte_offset, data_string_rep, data_binary_rep=sharkPy.get_node_data_details(pkt)
>>> print data_len
54
>>> print first_byte_offset
0
>>> print last_byte_offset
53
>>> print data_string_rep
005056edfe68000c29....<rest edited out>
>>> print data_binary_rep
<prints binary data, edited out>

CAPTURE PACKETS FROM NETWORK AND DISSECT THEM

SharkPy wire_dissector provides additional NOT_PROMISCUOUS option
>>> in_options=[(sharkPy.disopt.DECODE_AS, r'tcp.port==8888-8890,http'), (sharkPy.disopt.DECODE_AS, r'tcp.port==9999:3,http'), (sharkPy.disopt.NOT_PROMISCUOUS, None)]

Start capture and dissection. Note that the caller must have appropriate permissions. Running as root could be dangerous!
>>> dissection = sharkPy.dissect_wire(r'eno16777736', options=in_options)
Running as user "root" and group "root". This could be dangerous.

Use sharkPy.get_next_from_wire to get packet dissections of captured packets.
>>> for cnt in xrange(13):
...     pkt=sharkPy.get_next_from_wire(dissection)
...     sharkPy.walk_print(pkt) ## much better idea to save pkts in a list

Must always close capture sessions
>>> sharkPy.close_wire(dissection)

WRITE DATA (packets) TO NETWORK

Create writer object using interface name
>>> wr = sharkPy.wire_writer(['eno16777736'])

Send command to write data to network with timeout of 2 seconds
>>> wr.cmd(wr.WRITE_BYTES,'  djwejkweuraiuhqwerqiorh', 2)

Check for failure. If successful, get return values.
>>> if(not wr.command_failure.is_set()):
...     print wr.get_rst(1)
...
(0, 26) ### returned success and wrote 26 bytes. ###

WRITE PACKETS TO OUTPUT PCAP FILE

Create file writer object
>>> fw = file_writer()

Create error buffer
>>> errbuf = fw.make_pcap_error_buffer()

Open/create new output pcap file into which packets will be written
>>> outfile = fw.pcap_write_file(r'/home/me/test_output_file.pcap', errbuf)

Dissect packets in an existing packet capture file.
>>> sorted_rtn_list = sharkPy.dissect_file(r'/home/me/tst.pcap', timeout=20)

Write first packet into output pcap file.

Get first packet dissection
>>> pkt_dissection=sorted_rtn_list[0]

Acquire packet information required for write operation
>>> pkt_frame = sharkPy.get_node_by_name(pkt_dissection, 'frame')
>>> frame_data_length, first_frame_byte_index, last_frame_byte_index, frame_data_as_string, frame_data_as_binary = sharkPy.get_node_data_details(pkt_frame[0])
>>> utime, ltime = sharkPy.get_pkt_times(pkt_dissection)

Write packet into output file
>>> fw.pcap_write_packet(outfile, utime, ltime, frame_data_length, frame_data_as_binary, errbuf)

Close output file and clean-up
>>> fw.pcap_close(outfile)

Match and replace before writing new packets to output pcap file
import sharkPy, binascii

# match values are hex strings without a 0x prefix, the same representation
# that get_node_data_details() returns for node data
test_value1 = r'c0a84f01'
test_value2 = r'c0a84fff'
test_value3 = r'005056c00008'

fw = sharkPy.file_writer()
errbuf = fw.make_pcap_error_buffer()
outfile = fw.pcap_write_file(r'/home/me/test_output_file.pcap', errbuf)
sorted_rtn_list = sharkPy.dissect_file(r'/home/me/tst.pcap', timeout=20)

for pkt in sorted_rtn_list:

    # do replacement
    new_str_data = sharkPy.find_replace_data(pkt, r'ip.src', test_value1, r'01010101')
    new_str_data = sharkPy.find_replace_data(pkt, r'ip.dst', test_value2, r'02020202')
    new_str_data = sharkPy.find_replace_data(pkt, r'eth.src', test_value3, r'005050505050')

    # get details required to write to output pcap file
    pkt_frame = sharkPy.get_node_by_name(pkt, 'frame')
    fdl, ffb, flb, fd, fbd = sharkPy.get_node_data_details(pkt_frame[0])
    utime, ltime = sharkPy.get_pkt_times(pkt)

    # target field not present in this packet: write the frame data unchanged
    if(new_str_data is None):
        new_str_data = fd

    newbd = binascii.a2b_hex(new_str_data)
    fw.pcap_write_packet(outfile, utime, ltime, fdl, newbd, errbuf)

fw.pcap_close(outfile)


WiFi-Pumpkin v0.8.5 - Framework for Rogue Wi-Fi Access Point Attack


WiFi-Pumpkin is a very complete framework for auditing Wi-Fi security. The main feature is the ability to create a fake AP and perform a Man In The Middle attack, but the list of features is quite broad.

Installation
  • Python 2.7
git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
./installer.sh --install
or download the .deb file to install:
sudo dpkg -i wifi-pumpkin-0.8.5-all.deb
sudo apt-get -f install # force install of dependencies if they do not install normally
Refer to the wiki for installation details.

Features
  • Rogue Wi-Fi Access Point
  • Deauth Attack Clients AP
  • Probe Request Monitor
  • DHCP Starvation Attack
  • Credentials Monitor
  • Transparent Proxy
  • Windows Update Attack
  • Phishing Manager
  • Partial Bypass HSTS protocol
  • Support beef hook
  • ARP Poison
  • DNS Spoof
  • Patch Binaries via MITM
  • Karma Attacks (support hostapd-mana)
  • LLMNR, NBT-NS and MDNS poisoner (Responder)
  • Pumpkin-Proxy (ProxyServer (mitmproxy API))
  • Capture images on the fly
  • TCP-Proxy (with scapy)

Plugins
  • dns2proxy: This tool offers different features for post-exploitation once you change the DNS server of a victim.
  • sslstrip2: Sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks, based on the version forked by @LeonardoNve/@xtr4nge.
  • sergio-proxy: Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy that was written in Python for the Twisted framework.
  • BDFProxy-ng: Patch Binaries via MITM: BackdoorFactory + mitmProxy. bdfproxy-ng is a fork and review of the original BDFProxy by @secretsquirrel.
  • Responder: Responder is an LLMNR, NBT-NS and MDNS poisoner. Author: Laurent Gaffie

Transparent Proxy

A transparent proxy (mitmproxy) that you can use to intercept and manipulate HTTP traffic, modifying requests and responses, which allows JavaScript to be injected into the pages the targets visit. You can easily implement a module to inject data into pages by creating a Python file in the directory "plugins/extension/"; it will automatically be listed on the Pumpkin-Proxy tab.

Plugins Example Dev
from mitmproxy.models import decoded # for decoding html content
from plugins.extension.plugin import PluginTemplate

class Nameplugin(PluginTemplate):
    meta = {
        'Name' : 'Nameplugin',
        'Version' : '1.0',
        'Description' : 'Brief description of the new plugin',
        'Author' : 'by dev'
    }
    def __init__(self):
        for key,value in self.meta.items():
            self.__dict__[key] = value
        # if you want to set arguments, refer to the wiki for more info.
        self.ConfigParser = False # no arguments required

    def request(self, flow):
        print flow.__dict__
        print flow.request.__dict__
        print flow.request.headers.__dict__ # request headers
        host = flow.request.pretty_host # get the request's domain on the fly
        versionH = flow.request.http_version # get http version

        # redirect domains example
        # pretty_host takes the "Host" header of the request into account
        if flow.request.pretty_host == "example.org":
            flow.request.host = "mitmproxy.org"

        # get all request headers example
        self.send_output.emit("\n[{}][HTTP REQUEST HEADERS]".format(self.Name))
        for name, value in flow.request.headers.iteritems():
            self.send_output.emit('{}: {}'.format(name,value))

        print flow.request.method # show request method
        # the model printer data
        self.send_output.emit('[NamePlugin]:: this is model for save data logging')

    def response(self, flow):
        print flow.__dict__
        print flow.response.__dict__
        print flow.response.headers.__dict__ # headers as a python dict
        print flow.response.headers['Content-Type'] # get content type

        # every HTTP response before it is returned to the client
        with decoded(flow.response):
            print flow.response.content # html content
            # str.replace() returns a new string: assign it back, otherwise the response is unchanged
            flow.response.content = flow.response.content.replace('</body>','<h1>injected</h1></body>')

        if "X-XSS-Protection" in flow.response.headers:
            del flow.response.headers["X-XSS-Protection"] # remove protection header

        flow.response.headers["newheader"] = "foo" # adds a new header
        # the new header will be added to all responses passing through the proxy

About plugins
plugins on the wiki

TCP-Proxy Server
A proxy that you can place in the middle of a TCP stream. It filters the request and response streams with the scapy module and actively modifies packets of a TCP protocol that gets intercepted by WiFi-Pumpkin. This plugin uses modules to view or modify the intercepted data; the implementation of a module is as easy as it gets: just add your custom module to "plugins/analyzers/" and it will automatically be listed on the TCP/UDP Proxy tab.
from scapy.all import *
from scapy_http import http # for the HTTP layer
from default import PSniffer # base plugin class

class ExamplePlugin(PSniffer):
    _activated = False
    _instance = None
    meta = {
        'Name' : 'Example',
        'Version' : '1.0',
        'Description' : 'Brief description of the new plugin',
        'Author' : 'your name',
    }
    def __init__(self):
        for key,value in self.meta.items():
            self.__dict__[key] = value

    @staticmethod
    def getInstance():
        if ExamplePlugin._instance is None:
            ExamplePlugin._instance = ExamplePlugin()
        return ExamplePlugin._instance

    def filterPackets(self,pkt): # (pkt) object in order to modify the data on the fly
        if pkt.haslayer(http.HTTPRequest): # filter only http requests

            http_layer = pkt.getlayer(http.HTTPRequest) # get http fields as dict type
            ip_layer = pkt.getlayer(IP) # get ip header fields as dict type

            print http_layer.fields['Method'] # show http request method
            # show all items in the http request header
            for item in http_layer.fields['Headers']:
                print('{} : {}'.format(item,http_layer.fields['Headers'][item]))

            print ip_layer.fields['src'] # show source ip address
            print ip_layer.fields['dst'] # show destination ip address

            print http_layer # show item type dict
            print ip_layer # show item type dict

            return self.output.emit({'name_module':'send output to tab TCP-Proxy'})


EAPHammer - Targeted Evil Twin Attacks Against WPA2-Enterprise Networks [Indirect Wireless Pivots Using Hostile Portal Attacks]


EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:
# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds
Leverages a lightly modified version of hostapd-wpe, dnsmasq, dsniff, Responder, and Python 2.7.

Features
  • Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process

Upcoming Features
  • Perform seamless MITM attacks with partial HSTS bypasses
  • Support attacks against WPA-PSK/WPA2-PSK
  • Support for SSID cloaking
  • Generate timed payloads for indirect wireless pivots
  • Integrated PowerShell payload generation
  • impacket integration for SMB relay attacks
  • directed rogue AP attacks (deauth then evil twin from PNL, deauth then karma + ACL)
  • Updated hostapd-wpe that works with the latest version of Hostapd
  • Integrated website cloner for cloning captive portal login pages
  • Integrated HTTP server
Will this tool ever support Karma attacks?
  • At some point yes, but for now the focus has been on directed evil twin attacks.
  • If Karma attacks are like a wireless grenade launcher, this tool is more like an easy-to-use wireless sniper rifle

Setup Guide

Kali Setup Instructions
Begin by cloning the eaphammer repo using the following command.
git clone https://github.com/s0lst1c3/eaphammer.git
Next run the kali-setup.py file as shown below to complete the eaphammer setup process. This will install dependencies and compile hostapd.
python setup.py

Other Distros
If you are not using Kali, you can still compile eaphammer. I just haven't written a setup script for your distro yet, which means you'll have to do it manually. Ask yourself whether you understand the following:
  • python-devel vs python-dev
  • service vs systemctl
  • network-manager vs NetworkManager
  • httpd vs apache2
If you looked at this list and immediately realized that each pair of items was to some extent equivalent (well, except for service vs systemctl, but you catch my drift), you'll probably have no problems getting this package to work on the distro of your choice. If not, please just stick with Kali until support is added for other distros.
With that out of the way, here are the generic setup instructions:
Use your package manager to install each of the dependencies listed in kali-dependencies.txt. Package names can vary slightly from distro to distro, so you may get a "package not found" error or similar. If this occurs, just use Google to find out what the equivalent package is for your distro and install that instead.
Once you have installed each of the dependencies listed in kali-dependencies.txt, you'll need to install some additional packages that ship with Kali by default. These packages are listed below. If you're on a distro that uses httpd instead of apache2, install that instead.
  • dsniff
  • apache2
Compile hostapd using the following commands:
cd hostapd-eaphammer
make
Open config.py in the text editor of your choice and edit the following lines to values that work for your distro:
# change this to False if you cannot/will not use systemd
use_systemd = True

# change this to 'NetworkManager' if necessary
network_manager = 'network-manager'

# change this to 'httpd' if necessary
httpd = 'apache2'

Usage Guide

x.509 Certificate Generation
Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer's certificate wizard, just use the command shown below.
./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks
To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the --creds flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds
The flags shown above are self-explanatory. For more granular control over the attack, you can use the --wpa flag to specify WPA vs WPA2 and the --auth flag to specify the EAP type. Note that for credential-reaping attacks, you should always specify an auth type manually, since the --auth flag defaults to "open" when omitted.
./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds
Please refer to the options described in Additional Options section of this document for additional details about these flags.

Stealing AD Credentials Using Hostile Portal Attacks
Eaphammer can perform hostile portal attacks that can force LLMNR/NBT-NS enabled Windows clients into surrendering password hashes. The attack works by forcing associations using an evil twin attack, then forcing associated clients to attempt NetBIOS name resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is an attack that causes affected devices to not only connect to the rogue access point, but send NTLM hashes to the rogue access point as well.
The --hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.
./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal

./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal

Performing Indirect Wireless Pivots Using Hostile Portal Attacks
The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can be used to perform an SMB relay attack against the affected devices. An attacker can use a hostile portal attack to perform an SMB relay attack that places a timed reverse shell on an authorized wireless device. The attacker can then disengage the attack to allow the authorized device to reconnect to the targeted network. When the attacker receives the reverse shell, he or she will have the same level of authorization as the authorized device.

Performing Captive Portal Attacks
To perform a captive portal attack using eaphammer, use the --captive-portal flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 6 --interface wlan0 --captive-portal
This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients is redirected to a website you control. Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.

Additional Options
  • --cert-wizard - Use this flag to create a new RADIUS cert for your AP.
  • -h, --help - Display detailed help message and exit.
  • -i, --interface - Specify the PHY interface on which to create your AP.
  • -e ESSID, --essid ESSID - Specify access point ESSID.
  • -b BSSID, --bssid BSSID - Specify access point BSSID.
  • --hw-mode HW-MODE - Specify access point hardware mode (default: g).
  • -c CHANNEL, --channel CHANNEL - Specify access point channel.
  • --wpa {1,2} - Specify WPA type (default: 2).
  • --auth {peap,ttls,open} - Specify auth type (default: open).
  • --creds - Harvest EAP creds using an evil twin attack.
  • --hostile-portal - Force clients to connect to hostile portal.
  • --captive-portal - Force clients to connect to a captive portal.


Evilginx - MITM Attack Framework [Advanced Phishing With Two-factor Authentication Bypass]


Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which uses proxy_pass and sub_filter to proxy and modify HTTP content while intercepting traffic between client and server.

You can learn how it works and how to install everything yourself on:

Usage
usage: evilginx_parser.py [-h] -i INPUT -o OUTDIR -c CREDS [-x]

optional arguments:
-h, --help show this help message and exit
-i INPUT, --input INPUT
Input log file to parse.
-o OUTDIR, --outdir OUTDIR
Directory where output files will be saved.
-c CREDS, --creds CREDS
Credentials configuration file.
-x, --truncate Truncate log file after parsing.
Example:
python evilginx_parser.py -i /var/log/evilginx-google.log -o ./logs -c google.creds


SSLsplit - transparent SSL/TLS interception


SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It is intended to be useful for network forensics, application security analysis and penetration testing.
SSLsplit is designed to transparently terminate connections that are redirected to it using a network address translation engine. SSLsplit then terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. Besides NAT based operation, SSLsplit also supports static destinations and using the server name indicated by SNI as upstream destination. SSLsplit is purely a transparent proxy and cannot act as an HTTP or SOCKS proxy configured in a browser.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. Depending on the version of OpenSSL built against, SSLsplit supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well.
For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, mimicking the original server certificate's subject DN, subjectAltName extension and other characteristics. SSLsplit has the ability to use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates but otherwise does not implement exploits against specific certificate verification vulnerabilities in SSL/TLS stacks.
SSLsplit implements a number of defences against mechanisms which would normally prevent MitM attacks or make them more difficult. SSLsplit can deny OCSP requests in a generic way. For HTTP and HTTPS connections, SSLsplit removes response headers for HPKP in order to prevent public key pinning, for HSTS to allow the user to accept untrusted certificates, and Alternate Protocols to prevent switching to QUIC/SPDY. HTTP compression, encodings and keep-alive are disabled to make the logs more readable.
As an experimental feature, SSLsplit supports STARTTLS and similar mechanisms, where a protocol starts on a plain text TCP connection and is later upgraded to SSL/TLS through protocol-specific means, such as the STARTTLS command in SMTP. SSLsplit supports generic upgrading of TCP connections to SSL.
See the manual page sslsplit(1) for details on using SSLsplit and setting up the various NAT engines.
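The interceptor described above presents a re-signed leaf certificate and strips HSTS, HPKP and Alt-Svc from responses. The following added example (not SSLsplit code) shows how a client-side check can spot those two signatures by comparing a session against a baseline recorded on a trusted visit; the DER byte strings and HTTP responses are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for DER certificate bytes: the genuine leaf and a forged one with the same subject.
GENUINE_DER = b"constructed-der: CN=www.example.test SAN=www.example.test"
FORGED_DER = b"constructed-der: CN=www.example.test re-signed by interceptor CA"

# Response headers the description above says the interceptor strips.
PROTECTIVE_HEADERS = ("strict-transport-security", "public-key-pins", "alt-svc")


def parse_http_headers(raw: str) -> dict:
    """Map lower-cased header names to values for a raw HTTP/1.x response."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_baseline(leaf_der: bytes, raw_response: str) -> dict:
    """Record the pin and protective headers seen on a trusted, known-good visit."""
    headers = parse_http_headers(raw_response)
    return {"pin": hashlib.sha256(leaf_der).hexdigest(),
            "protective": {h for h in PROTECTIVE_HEADERS if h in headers}}


def interception_indicators(leaf_der: bytes, raw_response: str, baseline: dict) -> list:
    """Return reasons the current session looks intercepted (empty = no sign)."""
    reasons = []
    if hashlib.sha256(leaf_der).hexdigest() != baseline["pin"]:
        reasons.append("leaf certificate fingerprint differs from pinned value")
    headers = parse_http_headers(raw_response)
    for name in sorted(baseline["protective"] - set(headers)):
        reasons.append(f"{name} header present at baseline but missing now")
    # Weak signal: a logging proxy disables keep-alive, but origin servers do too.
    if headers.get("connection", "").lower() == "close":
        reasons.append("server forced Connection: close")
    return reasons


# Constructed responses: genuine carries HSTS/HPKP/Alt-Svc, intercepted has them stripped.
GENUINE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                    "Strict-Transport-Security: max-age=31536000\r\n"
                    'Public-Key-Pins: pin-sha256="constructed"; max-age=5184000\r\n'
                    'Alt-Svc: quic=":443"\r\n'
                    "Connection: keep-alive\r\n\r\n<html>ok</html>")
INTERCEPTED_RESPONSE = "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n<html>ok</html>"
BASELINE = build_baseline(GENUINE_DER, GENUINE_RESPONSE)
```

Because HSTS stripping only works on a first visit, the baseline must come from a connection you trust (for example a wired one); a real deployment would hash the actual DER certificate returned by the TLS layer.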

Requirements
SSLsplit depends on the OpenSSL and libevent 2.x libraries. The build depends on GNU make and a POSIX.2 environment in PATH. If available, pkg-config is used to locate and configure the dependencies. The optional unit tests depend on the check library.
SSLsplit currently supports the following operating systems and NAT mechanisms:
  • FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
  • OpenBSD: pf rdr-to and divert-to
  • Linux: netfilter REDIRECT and TPROXY
  • Mac OS X: pf rdr and ipfw fwd
Support for local process information (-i) is currently available on Mac OS X and FreeBSD.
SSL/TLS features and compatibility greatly depend on the version of OpenSSL linked against; for optimal results, use a recent release of OpenSSL proper. OpenSSL forks like LibreSSL and BoringSSL may or may not work.

Installation
With OpenSSL, libevent 2.x, pkg-config and check available, run:
make
make test # optional unit tests
make install # optional install
Dependencies are autoconfigured using pkg-config. If dependencies are not picked up and fixing PKG_CONFIG_PATH does not help, you can specify their respective locations manually by setting OPENSSL_BASE, LIBEVENT_BASE and/or CHECK_BASE to the respective prefixes.
You can override the default install prefix (/usr/local) by setting PREFIX. For more build options see GNUmakefile.


[Subterfuge v1.0] Automated Man-in-the-Middle Attack Framework


Subterfuge is a framework that takes the arcane art of Man-in-the-Middle attacks and makes it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP protocol by harvesting credentials that go across the network and even exploiting machines by injecting malicious code directly into their browsing sessions.



The first step in any Subterfuge attack is gaining a Man-in-the-Middle position. Currently, Subterfuge only ships with one method of establishing itself as MITM, ARP Cache Poisoning. Nevertheless, as a framework, its modular design allows it to support multiple methods.

Some used attacks

  • ARP Cache Poisoning
  • Dynamic Poison Retention & ARPBLock
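ARP cache poisoning, and the periodic re-poisoning that "poison retention" implies, leaves a visible trace on the segment: one IP answered by more than one MAC, and one MAC answering for several IPs. As an added example (not Subterfuge's code), a passive detector over a constructed stream of ARP replies:

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # constructed lab address

# Constructed ARP replies observed on the segment:
# (time_s, sender_ip, sender_mac, target_ip)
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.50"),  # real gateway
    (1.0, "192.168.1.50", "aa:bb:cc:00:00:50", "192.168.1.1"),  # real host
    (5.2, "192.168.1.1", "de:ad:be:ef:00:99", "192.168.1.50"),  # third MAC claims gateway
    (5.3, "192.168.1.50", "de:ad:be:ef:00:99", "192.168.1.1"),  # same MAC claims the host
    (6.0, "192.168.1.1", "de:ad:be:ef:00:99", "192.168.1.50"),  # re-sent to retain the poison
]


def analyze_arp(replies, gateway_ip):
    """Return (time, kind, detail) alerts for IP/MAC inconsistencies in ARP replies.

    Each inconsistency is reported once, so repeated re-poisoning of an
    already-flagged binding does not flood the output.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, sip, smac, _tip in replies:
        known = ip_to_macs[sip]
        if known and smac not in known:
            kind = "gateway-mac-change" if sip == gateway_ip else "ip-mac-conflict"
            alerts.append((t, kind, f"{sip} was {sorted(known)}, now also {smac}"))
        known.add(smac)
        first_claim = sip not in mac_to_ips[smac]
        mac_to_ips[smac].add(sip)
        if first_claim and len(mac_to_ips[smac]) > 1:
            alerts.append((t, "mac-claims-multiple-ips",
                           f"{smac} answers for {sorted(mac_to_ips[smac])}"))
    return alerts
```

Legitimate failover (a replaced NIC, a VRRP gateway) also trips the IP/MAC checks, so the alerts are a prompt for verification rather than proof of an attack.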
Subterfuge comes with modules that give the ability to leverage the position quickly and easily. Moreover, if your needs are particularly specific, you can create a module for Subterfuge without the need to launch your own attack from scratch. Subterfuge comes packaged with several default modules that you can use to great effect.

List of some integrated modules

  • Credential Harvester
  • Session Hijacking
  • HTTP Code Injection
  • Denial of Service
  • Tunnel Block
  • Network View
  • Evilgrade
Version 1.0 is the first release of Subterfuge to have come out of Beta! It includes significant package upgrades, compatibility fixes, a modified interface, and a whole new packaging system.

The tool comes with a rich documentation and examples. Take care to go through the website.

[Wi-fEye] Automated Network Testing Tool


Wi-fEye is an automated wireless penetration testing tool written in Python. It is designed to simplify common attacks that can be performed on wifi networks so that they can be executed quickly and easily.

Wi-fEye has three main menus:

  1. Cracking menu: contains attacks that could allow us to crack wifi passwords, whether WEP, WPA or WPA2:
    • Enable monitor mode
    • View available wireless networks
    • Launch Airodump-ng on a specific AP
    • WEP cracking: here you can perform a number of attacks to crack WEP passwords:
      • Interactive packet replay.
      • Fake Authentication Attack.
      • Korek Chopchop Attack.
      • Fragmentation Attack.
      • Hirte Attack (cfrag attack).
      • Wesside-ng.
    • WPA cracking: here you can perform a number of attacks to crack WPA passwords; this menu is divided into two sections:
      • Launch a brute force attack against a WPS-enabled network to crack WPA/WPA2 without a dictionary.
      • Obtain handshake: this will automatically attempt to obtain the handshake.
      • Cracking: after obtaining the handshake, or if you already have the handshake ready, you can attempt to crack it in this section; you can use your wordlist straight away with aircrack-ng, or add it to a table and then crack the password.
  2. MITM: this menu will allow you to do the following automatically:
    • Enable IP forwarding.
    • ARP Spoof.
    • Launch ettercap (Text mode).
    • Sniff SSL/HTTPS traffic.
    • Sniff URLs and send them to browser.
    • Sniff images.
    • DNS Spoof.
    • HTTP Session Hijacking (using Hamster).
  3. Others: this menu will allow you to do the following automatically:
    • Change MAC Address.
    • Create a fake access point.
    • Hijack software updates (using Evilgrade).

Platforms supported:

Wi-fEye is written in Python and should run on any UNIX based platform with a Python interpreter, as long as all needed modules and programs have been installed. So far it has been successfully tested on:
  • Linux
  • FreeBSD