DiabloHorn/whitelist_finder.py

## whitelist_finder.py
#!/usr/bin/env python
#DiabloHorn - https://diablohorn.com
#Find whitelisted IP addresses on a network & application level
import sys
import logging
import threading
import argparse

from scapy.all import *

logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

class checkreply(threading.Thread):
    def __init__(self, iface, srcports, spoofedips):
        self.iface = iface
        self.srcports = srcports
        self.sips = []
        self.started = True

        with open(spoofedips, 'r') as fsrcips:
            for line in fsrcips:
                self.sips.append(line.strip())
        threading.Thread.__init__(self)

    def __buildportfilter(self, ports):
        filterstr = 'port {0}'.format(ports[0])
        for i in ports[1:]:
            filterstr += ' or port {0}'.format(i)
        return filterstr

    def run(self):
        logging.debug('Sniffer thread called')
        filterstr = self.__buildportfilter(self.srcports)
        sniff(iface=self.iface,store=0,prn=self.checkport,stop_filter=self.stopflag,filter="tcp and {0}".format(filterstr))

    def stopflag(self, pktdata):
        logging.debug('Sniffer thread check stop flag')
        if self.started:
            return False
        return True

    def stopsniffer(self):
        self.started = False

    def checkport(self,pktdata):
        logging.debug('Sniffer packet inspection triggered')
        if pktdata.haslayer(IP) and pktdata.haslayer(TCP):
            ipdata = pktdata.getlayer(IP)
            tcpdata = pktdata.getlayer(TCP)
            if ipdata.src in self.sips and ((tcpdata.flags >> 2) & 1):
                #we got a rst from spoofed IP, thus we found possible ip
                logging.info('{0} possibly allowed in whitelist RST'.format(ipdata.src))
            if ipdata.dst in self.sips and ((tcpdata.flags >> 1) & 1) and ((tcpdata.flags >> 4) & 1):
                #we got syn/ack, found possible ip
                logging.info('{0} possibly allowed in whitelist SYN/ACK'.format(ipdata.dst))
                ackpkt = IP(src=ipdata.dst,dst=ipdata.src) / TCP(dport=tcpdata.sport,sport=tcpdata.dport,seq=tcpdata.ack,ack=(tcpdata.seq+1),flags='A')
                send(ackpkt,verbose=False)
            if ipdata.dst in self.sips and ((tcpdata.flags >> 4) & 1) and ((tcpdata.flags >> 3) & 1):
                if tcpdata.sport == 3306:
                    self.check_mysql(ipdata.dst,tcpdata.payload)

    def check_mysql(self, ip, data):
        banner = 'is not allowed to connect'
        if banner not in str(data):
            logging.info('{0} confirmed allowed in whitelist'.format(ip))

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='scan target with spoofed IP to identify whitelist')
    parser.add_argument('targetip',type=str,help='target ip to perform port scan on')
    parser.add_argument('-i', '--iface',type=str,required=True,help='network interface to use')
    parser.add_argument('-p', '--ports',nargs='+',type=int,required=True,help='space separated list of ports')
    parser.add_argument('-s', '--srcips',type=str,required=True,help='file with IPs to spoof')
    myargs = parser.parse_args()

    try:
        replychecker = checkreply(myargs.iface,myargs.ports,myargs.srcips)
        replychecker.start()
        time.sleep(10)
        for port in myargs.ports:
            with open(myargs.srcips, 'r') as fsrcips:
                for line in fsrcips:
                    pkt = IP(dst='{0}'.format(myargs.targetip),src='{0}'.format(line.strip())) / TCP(dport=port,flags='S')
                    send(pkt,verbose=False)

        time.sleep(30)
        replychecker.stopsniffer()
        replychecker.join()
    except KeyboardInterrupt:
        logging.info('ctrl-c stopping sniffer')
        replychecker.stopsniffer()
        replychecker.join()
	#!/usr/bin/env python
	#DiabloHorn - https://diablohorn.com
	#Find whitelisted IP addresses on a network & application level
	import sys
	import logging
	import threading
	import argparse

	from scapy.all import *

	logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

	class checkreply(threading.Thread):
	def __init__(self, iface, srcports, spoofedips):
	self.iface = iface
	self.srcports = srcports
	self.sips = []
	self.started = True

	with open(spoofedips, 'r') as fsrcips:
	for line in fsrcips:
	self.sips.append(line.strip())
	threading.Thread.__init__(self)

	def __buildportfilter(self, ports):
	filterstr = 'port {0}'.format(ports[0])
	for i in ports[1:]:
	filterstr += ' or port {0}'.format(i)
	return filterstr

	def run(self):
	logging.debug('Sniffer thread called')
	filterstr = self.__buildportfilter(self.srcports)
	sniff(iface=self.iface,store=0,prn=self.checkport,stop_filter=self.stopflag,filter="tcp and {0}".format(filterstr))

	def stopflag(self, pktdata):
	logging.debug('Sniffer thread check stop flag')
	if self.started:
	return False
	return True

	def stopsniffer(self):
	self.started = False

	def checkport(self,pktdata):
	logging.debug('Sniffer packet inspection triggered')
	if pktdata.haslayer(IP) and pktdata.haslayer(TCP):
	ipdata = pktdata.getlayer(IP)
	tcpdata = pktdata.getlayer(TCP)
	if ipdata.src in self.sips and ((tcpdata.flags >> 2) & 1):
	#we got a rst from spoofed IP, thus we found possible ip
	logging.info('{0} possibly allowed in whitelist RST'.format(ipdata.src))
	if ipdata.dst in self.sips and ((tcpdata.flags >> 1) & 1) and ((tcpdata.flags >> 4) & 1):
	#we got syn/ack, found possible ip
	logging.info('{0} possibly allowed in whitelist SYN/ACK'.format(ipdata.dst))
	ackpkt = IP(src=ipdata.dst,dst=ipdata.src) / TCP(dport=tcpdata.sport,sport=tcpdata.dport,seq=tcpdata.ack,ack=(tcpdata.seq+1),flags='A')
	send(ackpkt,verbose=False)
	if ipdata.dst in self.sips and ((tcpdata.flags >> 4) & 1) and ((tcpdata.flags >> 3) & 1):
	if tcpdata.sport == 3306:
	self.check_mysql(ipdata.dst,tcpdata.payload)

	def check_mysql(self, ip, data):
	banner = 'is not allowed to connect'
	if banner not in str(data):
	logging.info('{0} confirmed allowed in whitelist'.format(ip))

	if __name__ == "__main__":
	parser = argparse.ArgumentParser(description='scan target with spoofed IP to identify whitelist')
	parser.add_argument('targetip',type=str,help='target ip to perform port scan on')
	parser.add_argument('-i', '--iface',type=str,required=True,help='network interface to use')
	parser.add_argument('-p', '--ports',nargs='+',type=int,required=True,help='space separated list of ports')
	parser.add_argument('-s', '--srcips',type=str,required=True,help='file with IPs to spoof')
	myargs = parser.parse_args()

	try:
	replychecker = checkreply(myargs.iface,myargs.ports,myargs.srcips)
	replychecker.start()
	time.sleep(10)
	for port in myargs.ports:
	with open(myargs.srcips, 'r') as fsrcips:
	for line in fsrcips:
	pkt = IP(dst='{0}'.format(myargs.targetip),src='{0}'.format(line.strip())) / TCP(dport=port,flags='S')
	send(pkt,verbose=False)

	time.sleep(30)
	replychecker.stopsniffer()
	replychecker.join()
	except KeyboardInterrupt:
	logging.info('ctrl-c stopping sniffer')
	replychecker.stopsniffer()
	replychecker.join()