
dhcpig's People

Contributors

charles2910, dlaporte, kamorin, maniaque, pthierry, sgeto, tintinweb


dhcpig's Issues

A peculiar issue...

Installed it, tried running it and getting this error. For context, I am running Pop-OS! 21.04.
Screenshot from 2021-07-17 20-51-56

support pybuild production mode

Hello !

There is no installation support. I've made a pull request #11 which adds pybuild support to install the script on the system.

Cheers,

creating tags (or github releases)

Hi !

I'm currently packaging the dhcpig tool for Debian, but I can't activate the uscan subsystem (which tracks updates in the mainstream project) without having a tag or a GitHub release to catch.
Is it possible to support versions (through tags on master) or using the github releases ?

Thanks!

no working

something error.

sh-3.2# python dhcp.3.py -c -v3 -l -a -i -o eth0
Traceback (most recent call last):
  File "dhcp.3.py", line 86, in <module>
    from scapy.all import *
  File "/usr/local/lib/python2.7/site-packages/scapy/all.py", line 25, in <module>
    from route import *
  File "/usr/local/lib/python2.7/site-packages/scapy/route.py", line 162, in <module>
    conf.route=Route()
  File "/usr/local/lib/python2.7/site-packages/scapy/route.py", line 22, in __init__
    self.resync()
  File "/usr/local/lib/python2.7/site-packages/scapy/route.py", line 31, in resync
    self.routes = read_routes()
  File "/usr/local/lib/python2.7/site-packages/scapy/arch/unix.py", line 86, in read_routes
    ifaddr = scapy.arch.get_if_addr(netif)
  File "/usr/local/lib/python2.7/site-packages/scapy/arch/__init__.py", line 36, in get_if_addr
    return socket.inet_ntoa(get_if_raw_addr(iff))
  File "/usr/local/lib/python2.7/site-packages/scapy/arch/pcapdnet.py", line 187, in get_if_raw_addr
    i = dnet.intf()
AttributeError: 'module' object has no attribute 'intf'

Test in Mac.

Packet data type issues

Before asking anything, allow me to grat you for this fine piece of art :)

(Please excuse my English, not my natural lang)
I'm testing different DHCP vectors, and wanted to try this app, but got a Python error when running it. I'm going to mess with the code, 'cos I'm guessing the problem is between 'pig.py' and fresh 'scapy' lib updates; but maybe you have it fixed.
The problem is when DHCPig tries to create a packet, possibly passing a packet attribute value as a datatype that scapy does not like.
I'm testing in an internal VirtualBox network, using VMs btw.

The command:
$ ./pig.py --show-options enp0s3 > output.txt 2> error.txt

----[ output.txt ]----
[ -- ] [INFO] - using interface enp0s3
[DBG ] Thread 0 - (Sniffer) READY
[DBG ] Thread 1 - (Sender) READY
[--->] DHCP_Discover
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[DBG ] ARP_Request 10.10.0.101 from 10.10.0.1
[ <- ] ARP_Response 10.10.0.101 : 08:00:27:7e:13:1f
[ ?? ] waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 1
[ ?? ] waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 2
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 3
[ ?? ] waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 4
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ ?? ] waiting for first DHCP Server response
[ -- ] [FAIL] No DHCP offers detected - aborting
[ -- ] ----- ABORT ... -----
[DBG ] Waiting for Thread 0 to die ...
[DBG ] Waiting for Thread 1 to die ...
----[ EOF ]----

----[ error.txt ]----
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "./pig.py", line 516, in run
sendPacket(dhcp_discover)
File "./pig.py", line 413, in sendPacket
sendp(pkt, iface=conf.iface)
File "/usr/local/lib/python2.7/dist-packages/scapy/sendrecv.py", line 315, in sendp
verbose=verbose, realtime=realtime, return_packets=return_packets)
File "/usr/local/lib/python2.7/dist-packages/scapy/sendrecv.py", line 276, in __gen_send
s.send(p)
File "/usr/local/lib/python2.7/dist-packages/scapy/arch/linux.py", line 551, in send
return SuperSocket.send(self, x)
File "/usr/local/lib/python2.7/dist-packages/scapy/supersocket.py", line 42, in send
sx = raw(x)
File "/usr/local/lib/python2.7/dist-packages/scapy/compat.py", line 72, in raw
return x.__bytes__()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 345, in __bytes__
return self.build()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 444, in build
p = self.do_build()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
pay = self.do_build_payload()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
return self.payload.do_build()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
pay = self.do_build_payload()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
return self.payload.do_build()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
pay = self.do_build_payload()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
return self.payload.do_build()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
pay = self.do_build_payload()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
return self.payload.do_build()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 426, in do_build
pkt = self.self_build()
File "/usr/local/lib/python2.7/dist-packages/scapy/packet.py", line 407, in self_build
p = f.addfield(self, p, val)
File "/usr/local/lib/python2.7/dist-packages/scapy/fields.py", line 521, in addfield
return s + self.i2m(pkt, val)
File "/usr/local/lib/python2.7/dist-packages/scapy/layers/dhcp.py", line 269, in i2m
lval = [f.addfield(pkt,b"",f.any2i(pkt,val)) for val in lval]
File "/usr/local/lib/python2.7/dist-packages/scapy/fields.py", line 841, in addfield
s = self.field.addfield(pkt, s, v)
File "/usr/local/lib/python2.7/dist-packages/scapy/fields.py", line 80, in addfield
return s+struct.pack(self.fmt, self.i2m(pkt,val))
error: cannot convert argument to integer
----[ EOF ]----

The OS:
Linux testVM 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux

Others:

$ python -V
Python 2.7.13

$ pip show scapy
Name: scapy
Version: 2.4.0
Summary: Scapy: interactive packet manipulation tool
Home-page: http://www.secdev.org/projects/scapy
Author: Pierre LALET, Guillaume VALADON
Author-email: [email protected]
License: GPLv2
Location: /usr/local/lib/python2.7/dist-packages
Requires:

correct help targets

Hello !

help targets return "None" due to invalid docstring positioning. The pull request #10 corrects the bug.

Cheers,

NOT WORK. "Abandoning IP address"

Hi. I have seen in the log of "isc-dhcp-server" and this is the result:

server dhcpd[9033]: DHCPDISCOVER from 00:16:36:61:e6:fe via bond0
server dhcpd[9033]: Reclaiming abandoned lease 192.168.1.81.
server dhcpd[9033]: ICMP Echo reply while lease 192.168.1.81 valid.
server dhcpd[9033]: Abandoning IP address 192.168.1.81: pinged before offer
...not work... why?

DHCP Snooping and DHCPig issues

Thanks for this great work (at last a DOS tool made the right way!), but I have two (related) remarks.

In the ReadMe, in the Defense section you mention only DHCP Snooping. This measure alone is not sufficient as you need to enable Port Security to protect against DHCP-based DOS attacks. DHCP Snooping alone will only reliably protect against DHCP spoofing (which is unrelated to DHCPig activity).

Enabling only DHCP Snooping works against your tool because it sets the random MAC only in the DHCP message but does not forge the layer 2 sender MAC address. Once DHCP Snooping is enabled, DHCPig packets are dropped simply because of this mismatch between these two MAC addresses.

If you modify DHCPig to also forge the layer 2 sender MAC address to make it match the DHCP message MAC address, DHCPig will most likely completely bypass DHCP Snooping.

You will find all the information in this article I just wrote about practical DHCP exploitation which notably features DHCPig and Yersinia. The latter forges the layer 2 sender MAC address and has therefore no problem in bypassing DHCP Snooping. So if Yersinia can do it, there is no reason why DHCPig would not.

So, to summarize, my two points are:

  • The ReadMe only mentions DHCP Snooping while it should also add Port Security. This, I think, is an issue (either don't suggest a protection or suggest a complete one).

  • To bypass DHCP Snooping, DHCPig should forge the layer 2 MAC sender address too. Whether or not this is an issue is up to you as this is merely a design choice. This will make filtering out the answers to your own DISCOVER messages harder as DHCPig will need to build a set of faked MAC addresses.... unless it decides to blindly accept any OFFER no matter if it is the actual recipient, which may also be doable for a piggy DOS tool (but its impact may be less predictable then, creating a set() of generated MAC addresses would be more on the conservative side and with no noticeable impact as DHCPig doesn't focus so much on speed). I'm thinking out loud but at the end these are, as I said, design choices.
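
The two switch-side checks this issue contrasts, as an added example (not DHCPig's code and not any vendor's implementation): a simplified ingress model that applies a per-port MAC limit and then compares the Ethernet source MAC with the DHCP `chaddr`. The function names, port labels, the limit of 2 and every MAC address are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def build_discover(l2_src, chaddr, xid=1):
    """Constructed sample frame: Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER (checksums left at 0)."""
    bootp = struct.pack("!4BIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"", b"", b"", b"", chaddr, b"", b"") + MAGIC + b"\x35\x01\x01\xff"
    udp = struct.pack("!4H", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + l2_src + b"\x08\x00" + ip

def parse_dhcp_request(frame):
    """Return (l2_src, chaddr) for an untagged IPv4 BOOTREQUEST to UDP/67, else None."""
    if (len(frame) < 34 or frame[12:14] != b"\x08\x00"
            or frame[14] >> 4 != 4 or frame[23] != 17):  # IPv4 carrying UDP only
        return None
    bootp = 14 + (frame[14] & 0x0F) * 4 + 8  # skip the IP header (IHL) and the UDP header
    if len(frame) < bootp + 240 or frame[bootp + 236:bootp + 240] != MAGIC:
        return None
    dport = struct.unpack_from("!H", frame, bootp - 6)[0]
    if dport != 67 or frame[bootp:bootp + 3] != b"\x01\x01\x06":  # op, htype, hlen
        return None
    return frame[6:12], frame[bootp + 28:bootp + 34]

def switch_verdicts(frames, max_macs_per_port=2):
    """Simplified ingress model: Port Security MAC limit, then Snooping MAC verification."""
    learned = defaultdict(set)
    verdicts = []
    for port, frame in frames:
        src = frame[6:12]
        if src not in learned[port] and len(learned[port]) >= max_macs_per_port:
            verdicts.append((port, "drop: port-security MAC limit"))
            continue
        learned[port].add(src)
        parsed = parse_dhcp_request(frame)
        mismatch = parsed is not None and parsed[0] != parsed[1]
        verdicts.append((port, "drop: snooping L2/chaddr mismatch" if mismatch else "forward"))
    return verdicts

def m(n):
    """Constructed locally administered MAC 02:00:00:00:00:nn."""
    return bytes([2, 0, 0, 0, 0, n])

# Constructed traffic: an ordinary client, then the two behaviours the issue compares.
SAMPLE = (
    [("port1", build_discover(m(1), m(1)))]
    + [("port2", build_discover(m(2), m(0x10 + i), i)) for i in range(3)]  # fixed L2 source
    + [("port3", build_discover(m(0x20 + i), m(0x20 + i), i)) for i in range(3)]  # L2 == chaddr
)

if __name__ == "__main__":
    print(*switch_verdicts(SAMPLE), sep="\n")
```

Raising `max_macs_per_port` far enough to disable the limit lets every `port3` frame through, which is the gap the issue describes when only DHCP Snooping is enabled.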

Exception when sending DHCP discover packet

On current Kali, it fails sending the DHCP discover packet.

root@kali:~# dhcpig eth0
[ -- ] [INFO] - using interface eth0
[DBG ] Thread 0 - (Sniffer) READY
[DBG ] Thread 1 - (Sender) READY
[--->] DHCP_Discover
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/bin/dhcpig", line 516, in run
    sendPacket(dhcp_discover)
  File "/usr/bin/dhcpig", line 413, in sendPacket
    sendp(pkt, iface=conf.iface)
  File "/usr/lib/python2.7/dist-packages/scapy/sendrecv.py", line 315, in sendp
    verbose=verbose, realtime=realtime, return_packets=return_packets)
  File "/usr/lib/python2.7/dist-packages/scapy/sendrecv.py", line 276, in __gen_send
    s.send(p)
  File "/usr/lib/python2.7/dist-packages/scapy/arch/linux.py", line 551, in send
    return SuperSocket.send(self, x)
  File "/usr/lib/python2.7/dist-packages/scapy/supersocket.py", line 42, in send
    sx = raw(x)
  File "/usr/lib/python2.7/dist-packages/scapy/compat.py", line 72, in raw
    return x.__bytes__()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 345, in __bytes__
    return self.build()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 444, in build
    p = self.do_build()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 429, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 416, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 426, in do_build
    pkt = self.self_build()
  File "/usr/lib/python2.7/dist-packages/scapy/packet.py", line 407, in self_build
    p = f.addfield(self, p, val)
  File "/usr/lib/python2.7/dist-packages/scapy/fields.py", line 521, in addfield
    return s + self.i2m(pkt, val)
  File "/usr/lib/python2.7/dist-packages/scapy/layers/dhcp.py", line 269, in i2m
    lval = [f.addfield(pkt,b"",f.any2i(pkt,val)) for val in lval]
  File "/usr/lib/python2.7/dist-packages/scapy/fields.py", line 841, in addfield
    s = self.field.addfield(pkt, s, v)
  File "/usr/lib/python2.7/dist-packages/scapy/fields.py", line 80, in addfield
    return s+struct.pack(self.fmt, self.i2m(pkt,val))
error: cannot convert argument to integer

[ ?? ] 		waiting for first DHCP Server response
[ ?? ] 		waiting for first DHCP Server response
[ ?? ] 		waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 1
[ ?? ] 		waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 2
[ ?? ] 		waiting for first DHCP Server response
[ ?? ] 		waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 3
[ ?? ] 		waiting for first DHCP Server response
[ -- ] timeout waiting on dhcp packet count 4
[ ?? ] 		waiting for first DHCP Server response
^C[ -- ]  -----  ABORT ...  -----
[DBG ] Waiting for Thread 0 to die ...
[DBG ] Waiting for Thread 1 to die ...

Scapy version: 2.4.0

TypeError

Hello,
I have this issue when launching the tool with neighbors-scan-arp option.
I'm going to investigate more in this code, but if you have already an answer please reply to me :)
The variable 'dhcpsip' seems None, don't know why ...
Thanks
Laurent

sudo ./pig.py --neighbors-scan-arp -r eth0

WARNING: No route found for IPv6 destination :: (no default route?)
[ -- ] [INFO] - using interface eth0
[DBG ] Thread 0 - (Sniffer) READY
[DBG ] Thread 1 - (Sender) READY
[--->] DHCP_Discover
Traceback (most recent call last):
  File "./pig.py", line 690, in <module>
    main()
  File "./pig.py", line 673, in main
    if DO_ARP: neighbors()
  File "./pig.py", line 436, in neighbors
    net=dhcpsip+"/"+calcCIDR(subnet)
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'
[--->] DHCP_Discover
[--->] DHCP_Discover
[--->] DHCP_Discover
[<---] DHCP_Offer 00:50:56:ee:02:90 192.168.174.254 IP: 192.168.174.134 for MAC=[de:ad:13:29:6c:96]
[--->] DHCP_Request 192.168.174.134
[<---] DHCP_Offer 00:50:56:ee:02:90 192.168.174.254 IP: 192.168.174.137 for MAC=[de:ad:0c:2b:96:b4]
