Instantly share code, notes, and snippets.

Embed
What would you like to do?
Identify whitelisted IP addresses using spoofing techniques in conjunction with arp poisoning
#!/usr/bin/env python
#DiabloHorn - https://diablohorn.com
#Find whitelisted IP addresses on a network & application level
import sys
import logging
import threading
import argparse
from scapy.all import *
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
class checkreply(threading.Thread):
def __init__(self, iface, srcports, spoofedips):
self.iface = iface
self.srcports = srcports
self.sips = []
self.started = True
with open(spoofedips, 'r') as fsrcips:
for line in fsrcips:
self.sips.append(line.strip())
threading.Thread.__init__(self)
def __buildportfilter(self, ports):
filterstr = 'port {0}'.format(ports[0])
for i in ports[1:]:
filterstr += ' or port {0}'.format(i)
return filterstr
def run(self):
logging.debug('Sniffer thread called')
filterstr = self.__buildportfilter(self.srcports)
sniff(iface=self.iface,store=0,prn=self.checkport,stop_filter=self.stopflag,filter="tcp and {0}".format(filterstr))
def stopflag(self, pktdata):
logging.debug('Sniffer thread check stop flag')
if self.started:
return False
return True
def stopsniffer(self):
self.started = False
def checkport(self,pktdata):
logging.debug('Sniffer packet inspection triggered')
if pktdata.haslayer(IP) and pktdata.haslayer(TCP):
ipdata = pktdata.getlayer(IP)
tcpdata = pktdata.getlayer(TCP)
if ipdata.src in self.sips and ((tcpdata.flags >> 2) & 1):
#we got a rst from spoofed IP, thus we found possible ip
logging.info('{0} possibly allowed in whitelist RST'.format(ipdata.src))
if ipdata.dst in self.sips and ((tcpdata.flags >> 1) & 1) and ((tcpdata.flags >> 4) & 1):
#we got syn/ack, found possible ip
logging.info('{0} possibly allowed in whitelist SYN/ACK'.format(ipdata.dst))
ackpkt = IP(src=ipdata.dst,dst=ipdata.src) / TCP(dport=tcpdata.sport,sport=tcpdata.dport,seq=tcpdata.ack,ack=(tcpdata.seq+1),flags='A')
send(ackpkt,verbose=False)
if ipdata.dst in self.sips and ((tcpdata.flags >> 4) & 1) and ((tcpdata.flags >> 3) & 1):
if tcpdata.sport == 3306:
self.check_mysql(ipdata.dst,tcpdata.payload)
def check_mysql(self, ip, data):
banner = 'is not allowed to connect'
if banner not in str(data):
logging.info('{0} confirmed allowed in whitelist'.format(ip))
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='scan target with spoofed IP to identify whitelist')
parser.add_argument('targetip',type=str,help='target ip to perform port scan on')
parser.add_argument('-i', '--iface',type=str,required=True,help='network interface to use')
parser.add_argument('-p', '--ports',nargs='+',type=int,required=True,help='space separated list of ports')
parser.add_argument('-s', '--srcips',type=str,required=True,help='file with IPs to spoof')
myargs = parser.parse_args()
try:
replychecker = checkreply(myargs.iface,myargs.ports,myargs.srcips)
replychecker.start()
time.sleep(10)
for port in myargs.ports:
with open(myargs.srcips, 'r') as fsrcips:
for line in fsrcips:
pkt = IP(dst='{0}'.format(myargs.targetip),src='{0}'.format(line.strip())) / TCP(dport=port,flags='S')
send(pkt,verbose=False)
time.sleep(30)
replychecker.stopsniffer()
replychecker.join()
except KeyboardInterrupt:
logging.info('ctrl-c stopping sniffer')
replychecker.stopsniffer()
replychecker.join()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment