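#!/usr/bin/python
"""Idle ("zombie" / IP-ID) TCP port scan built on Scapy.

A SYN is sent to VICTIM_IP with its source address forged as BOUNCE_IP.
If PORT_TO_TEST is open, the victim answers the bounce with a SYN-ACK; the
bounce, which never asked for a connection, replies with a RST and thereby
emits one extra IP datagram.  If the port is closed, the victim sends a RST,
which the bounce silently drops.  Reading the bounce's IP identification
field before and after the spoofed SYN therefore reveals the port state.

Operational caveats:
  * Forging source addresses needs raw-socket privileges (root) and is often
    blocked by egress/ingress filtering; a filtered spoofed SYN looks exactly
    like a "closed" result, so treat "closed" as "closed or filtered".
  * The bounce must be truly idle and must use a globally incrementing IP ID.
    Hosts that randomise the ID, keep per-destination counters or send ID 0
    on SYN-ACKs are rejected by the preliminary idle test below.
  * Any unrelated traffic to or from the bounce during SCAN_DELAY corrupts
    the measurement; the script reports that case as undetermined.
  * Only run this against hosts you are authorised to test.
"""
from __future__ import print_function

import sys
import time

# Scapy >= 2.x exposes its API from scapy.all; very old releases from scapy.
# If neither import works, main() reports the missing dependency cleanly
# instead of failing with a NameError on the first IP() call.
try:
    from scapy.all import IP, TCP, send, sr1
except ImportError:
    try:
        from scapy import IP, TCP, send, sr1
    except ImportError:
        IP = TCP = send = sr1 = None

BOUNCE_IP = "192.168.0.2"
VICTIM_IP = "192.168.0.3"
MY_IP = "192.168.0.1"
PORT_TO_TEST = 80
OPEN_PORT_ON_BOUNCE = 23
SOURCE_PORT = 21

TCP_SYN = 0x02            # TCP flags value used for every probe (SYN only)
PROBE_TIMEOUT = 2         # seconds to wait for the bounce to answer a probe
SCAN_DELAY = 5            # seconds for victim -> bounce -> RST to play out
IP_ID_MODULUS = 1 << 16   # the IP identification field is 16 bits wide

# Human-readable interpretation of classify_scan()'s verdicts.
VERDICT_MESSAGES = {
    "open": (
        "The id was incremented by one between our tests, therefore the "
        "victim machine sent a SYN-ACK to the bounce machine in response to "
        "our fake SYN which the bounce machine then replied to with a RST. "
        "This implies the port is open on the victim"
    ),
    "closed": (
        "The id was not incremented between our tests, therefore the victim "
        "must have sent a RST to the bounce machine which the bounce machine "
        "then ignored. This implies the port is closed (or filtered) on the "
        "victim"
    ),
    "unknown": (
        "The id changed by something other than 1 or 2 between our tests, "
        "therefore the bounce machine sent out other packets between checks "
        "(or does not count sequentially) so we cannot determine if the port "
        "is open or closed"
    ),
}


def _id_delta(before, after):
    """Return how many IDs `after` is ahead of `before`, modulo 2**16.

    The IP ID counter wraps at 65535 -> 0; a plain subtraction would turn a
    legitimate +1 across the wrap into a large negative number.
    """
    return (after - before) % IP_ID_MODULUS


def classify_bounce(first_id, second_id):
    """Decide from two consecutive probe replies whether the bounce is usable.

    Args:
        first_id: IP ID of the reply to the first probe.
        second_id: IP ID of the reply to the second probe.

    Returns:
        (usable, message) where `usable` is True only when the ID advanced by
        exactly one between the probes, i.e. the bounce is idle and counts
        sequentially.
    """
    delta = _id_delta(first_id, second_id)
    if delta == 1:
        return True, "The bounce is idle - can be used"
    if delta == 0:
        if second_id == 0:
            # Linux (and others) answer SYN-ACKs with IP ID 0; nothing to count.
            return False, ("The bounce could be a linux box which sends a 0 id "
                           "for the SYN-ACK - cannot be used")
        return False, "The bounce doesn't increment its ids - cannot be used"
    return False, "The id isn't incremented by 1 - cannot be used"


def classify_scan(last_id, new_id):
    """Interpret the bounce's ID change around the spoofed SYN.

    Our own follow-up probe always costs one ID; a second one can only have
    been the RST the bounce sent to the victim's SYN-ACK.

    Args:
        last_id: bounce IP ID observed just before the spoofed SYN.
        new_id: bounce IP ID observed after SCAN_DELAY.

    Returns:
        "open", "closed" or "unknown" (see VERDICT_MESSAGES).
    """
    delta = _id_delta(last_id, new_id)
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "unknown"


def _syn(src, dst, sport, dport):
    """Build a bare IP/TCP SYN with the given addresses and ports."""
    return IP(src=src, dst=dst) / TCP(sport=sport, dport=dport, flags=TCP_SYN)


def probe_bounce_id():
    """Send one SYN from MY_IP to the bounce and return the reply's IP ID.

    Exits with status 2 when the bounce does not answer within PROBE_TIMEOUT.
    Either a SYN-ACK (port open) or a RST (port closed) carries a usable ID;
    an ICMP error would too, but then OPEN_PORT_ON_BOUNCE is probably wrong.
    """
    ans = sr1(_syn(MY_IP, BOUNCE_IP, SOURCE_PORT, OPEN_PORT_ON_BOUNCE),
              timeout=PROBE_TIMEOUT, verbose=0)
    if ans is None:
        print("Bounce machine appears to be down\n")
        sys.exit(2)
    return ans.id


def main():
    """Run the idle test, the spoofed SYN and the final ID comparison."""
    if IP is None:
        sys.exit("scapy is required to run this script")

    print("Victim = " + VICTIM_IP)
    print("Bounce = " + BOUNCE_IP)
    print("Me = " + MY_IP)
    print("Port to be tested = %d" % PORT_TO_TEST)

    print("\nSending two packets to bounce machine to check that it is really idle\n")
    test_bounce_id = probe_bounce_id()
    print("The first id is: %d" % test_bounce_id)
    last_bounce_id = probe_bounce_id()
    print("The second id is: %d\n" % last_bounce_id)

    usable, verdict = classify_bounce(test_bounce_id, last_bounce_id)
    print(verdict + "\n")
    if not usable:
        sys.exit(1)

    print("Now sending spoofed packet to victim\n")
    # send(), not sr1(): the victim's reply is addressed to BOUNCE_IP and can
    # never reach us, so waiting for it is pointless.  We still pause so the
    # victim -> bounce -> RST exchange completes before we re-probe.
    send(_syn(BOUNCE_IP, VICTIM_IP, SOURCE_PORT, PORT_TO_TEST), verbose=0)
    time.sleep(SCAN_DELAY)

    print("Sending packet to bounce machine to check the state of the id\n")
    new_bounce_id = probe_bounce_id()
    print("The last id on bounce was: %d" % last_bounce_id)
    print("The new id on bounce is: %d\n" % new_bounce_id)
    print(VERDICT_MESSAGES[classify_scan(last_bounce_id, new_bounce_id)] + "\n")


if __name__ == "__main__":
    main()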