Identify whitelisted IP addresses using spoofing techniques in conjunction with arp poisoning

whitelist_finder.py

#!/usr/bin/env python
#DiabloHorn - https://diablohorn.com
#Find whitelisted IP addresses on a network & application level
import sys
import logging
import threading
import argparse

from scapy.all import *

logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

class checkreply(threading.Thread):
    def __init__(self, iface, srcports, spoofedips):
        self.iface = iface
        self.srcports = srcports
        self.sips = []
        self.started = True

        with open(spoofedips, 'r') as fsrcips:
            for line in fsrcips:
                self.sips.append(line.strip())
        threading.Thread.__init__(self)

    def __buildportfilter(self, ports):
        filterstr = 'port {0}'.format(ports[0])
        for i in ports[1:]:
            filterstr += ' or port {0}'.format(i)
        return filterstr

    def run(self):
        logging.debug('Sniffer thread called')
        filterstr = self.__buildportfilter(self.srcports)
        sniff(iface=self.iface,store=0,prn=self.checkport,stop_filter=self.stopflag,filter="tcp and {0}".format(filterstr))

    def stopflag(self, pktdata):
        logging.debug('Sniffer thread check stop flag')
        if self.started:
            return False
        return True

    def stopsniffer(self):
        self.started = False
        
    def checkport(self,pktdata):
        logging.debug('Sniffer packet inspection triggered')
        if pktdata.haslayer(IP) and pktdata.haslayer(TCP):
            ipdata = pktdata.getlayer(IP)
            tcpdata = pktdata.getlayer(TCP)
            if ipdata.src in self.sips and ((tcpdata.flags >> 2) & 1):
                #we got a rst from spoofed IP, thus we found possible ip
                logging.info('{0} possibly allowed in whitelist RST'.format(ipdata.src))
            if ipdata.dst in self.sips and ((tcpdata.flags >> 1) & 1) and ((tcpdata.flags >> 4) & 1):
                #we got syn/ack, found possible ip
                logging.info('{0} possibly allowed in whitelist SYN/ACK'.format(ipdata.dst))
                ackpkt = IP(src=ipdata.dst,dst=ipdata.src) / TCP(dport=tcpdata.sport,sport=tcpdata.dport,seq=tcpdata.ack,ack=(tcpdata.seq+1),flags='A')
                send(ackpkt,verbose=False)
            if ipdata.dst in self.sips and ((tcpdata.flags >> 4) & 1) and ((tcpdata.flags >> 3) & 1):  
                if tcpdata.sport == 3306:
                    self.check_mysql(ipdata.dst,tcpdata.payload)
                
    def check_mysql(self, ip, data):
        banner = 'is not allowed to connect'
        if banner not in str(data):
            logging.info('{0} confirmed allowed in whitelist'.format(ip))                

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='scan target with spoofed IP to identify whitelist')
    parser.add_argument('targetip',type=str,help='target ip to perform port scan on')
    parser.add_argument('-i', '--iface',type=str,required=True,help='network interface to use')
    parser.add_argument('-p', '--ports',nargs='+',type=int,required=True,help='space separated list of ports')
    parser.add_argument('-s', '--srcips',type=str,required=True,help='file with IPs to spoof')
    myargs = parser.parse_args()

    try:
        replychecker = checkreply(myargs.iface,myargs.ports,myargs.srcips)
        replychecker.start()    
        time.sleep(10)
        for port in myargs.ports:
            with open(myargs.srcips, 'r') as fsrcips:
                for line in fsrcips:
                    pkt = IP(dst='{0}'.format(myargs.targetip),src='{0}'.format(line.strip())) / TCP(dport=port,flags='S')
                    send(pkt,verbose=False)

        time.sleep(30)
        replychecker.stopsniffer()
        replychecker.join()
    except KeyboardInterrupt:
        logging.info('ctrl-c stopping sniffer')
        replychecker.stopsniffer()
        replychecker.join()