|
from scapy.all import *
|
|
|
|
'''
|
|
Note: linux might send an RST for forged SYN packets. Disable it by executing:
|
|
#> iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <src_ip> -j DROP
|
|
'''
|
|
|
|
dst = "192.168.56.6"
|
|
dport = 80
|
|
sport = random.randint(1024,65535)
|
|
seq = random.randint(1, 50000)
|
|
|
|
pkt = IP(dst = dst)
|
|
|
|
# 3whs start
|
|
|
|
# SYN
|
|
pkt_syn = pkt/TCP(sport = sport, dport = dport, seq = seq, flags = 'S')
|
|
|
|
# SYN/ACK
|
|
pkt_syn_ack = sr1(pkt_syn, verbose = 0)
|
|
|
|
# ACK
|
|
seq += 1
|
|
if pkt_syn_ack.ack != seq:
|
|
print 'Bad ACK number !'
|
|
|
|
ack = pkt_syn_ack.seq + 1
|
|
pkt_ack = pkt/TCP(sport = sport, dport = dport, seq = seq, ack = ack, flags = 'A')
|
|
send(pkt_ack)
|
|
|
|
# 3whs end
|
|
|
|
http_req = '\r\n'.join(['GET /index.html{} HTTP/1.1'
|
|
,'Host: {}'.format(dst)
|
|
,'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0'
|
|
,'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
|
|
,'Accept-Language: en-US,en;q=0.5'
|
|
,'Accept-Encoding: gzip, deflate'
|
|
,'Connection: keep-alive'
|
|
,'\r\n'])
|
|
|
|
# Send GET request
|
|
pkt_http_req = pkt/TCP(sport = sport, dport = dport, seq = seq, ack = ack, flags = 'AP')/http_req.format('')
|
|
pkt_http_resp = sr1(pkt_http_req, verbose = 0)
|
|
pkt_http_resp = sniff(filter = 'tcp', count = 1)
|
|
|
|
print pkt_http_resp[0].payload
|
|
|
|
# Send GET request with wrong SEQ: SEQ + 1
|
|
pkt_http_req = pkt/TCP(sport = sport, dport = dport, seq = pkt_http_resp[0].ack + 1, ack = pkt_http_resp[0].seq, flags = 'AP')/http_req.format('?xss=%3Cimg%20src=x%20onerror=alert(0)%3E')
|
|
pkt_http_resp = sr1(pkt_http_req, verbose = 0)
|
|
pkt_http_resp = sniff(filter = 'tcp', count = 1)
|
|
|
|
print pkt_http_resp[0].payload
|