Habu is a toolkit for teaching (and learning) some concepts about Python and network hacking.
These are basic functions that help with some tasks for Ethical Hacking and Penetration Testing.
Most of them are related to networking, and the implementations are intended to be understandable for anyone who wants to read the source code and learn from it.
Some techniques implemented in the current version are:
* ARP Poisoning
* ARP Sniffing
* DHCP Discover
* DHCP Starvation
* LAND Attack
* SNMP Cracking
* SYN Flooding
* TCP Flags Analysis
* TCP ISN Analysis
* TCP Port Scan

**Installation**
To install Habu, simply:

    $ pip3 install habu

**Dependencies**
Habu requires:
* Click
* Python (3.x)
* Scapy-Python3
* Matplotlib (optional, only needed if you want to make some graphs)

**Get Help**
All commands implement the '--help' option, which shows the help, arguments, options, and default values.

**Verbose Mode**
Almost all commands implement a verbose mode with the '-v' option. This can give you some extra info about what habu is doing.

**habu.arpoison: ARP Poisoning**
This command sends ARP 'is-at' packets to each victim, poisoning their ARP tables so that they send their traffic to your system.

    $ sudo habu.arpoison 192.168.1.5 192.168.1.6
    Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
    Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5
    Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6
    Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5
    ...

**Note:** If you want a fully working Man In The Middle attack, you need to enable packet forwarding on your operating system so that it acts like a router. You can do that using:

    echo 1 > /proc/sys/net/ipv4/ip_forward

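On the monitoring side, the output above has a recognisable shape: one MAC address answering for several IPs, and IPs whose MAC differs from the known binding. The following detector is an added example, not part of habu; it parses summary lines in the format shown above, and the baseline bindings and the last capture line are constructed sample data.

```python
import re
from collections import defaultdict

# Matches the Scapy-style summary lines that habu.arpoison prints.
ARP_IS_AT = re.compile(
    r"ARP is at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"says (?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)

def parse_arp_replies(lines):
    """Yield (ip, mac) for each ARP 'is-at' line; ignore everything else."""
    for line in lines:
        match = ARP_IS_AT.search(line)
        if match:
            yield match.group("ip"), match.group("mac").lower()

def find_arp_anomalies(lines, baseline=None):
    """Return sorted (kind, detail) findings for a sequence of ARP replies.

    baseline is an optional {ip: mac} map of trusted bindings (lowercase
    MACs), for example exported from DHCP leases or an asset inventory
    (an assumption of this example).
      binding-changed: an IP is announced with a different MAC than the
                       baseline or than the first MAC seen for it.
      mac-claims-many: one MAC answers for several IPs. Routers doing proxy
                       ARP also do this, so treat it as a lead, not proof.
    """
    bindings = dict(baseline or {})
    claimed = defaultdict(set)
    findings = set()
    for ip, mac in parse_arp_replies(lines):
        claimed[mac].add(ip)
        known = bindings.setdefault(ip, mac)
        if known != mac:
            findings.add(("binding-changed", f"{ip}: {known} -> {mac}"))
    for mac, ips in claimed.items():
        if len(ips) > 1:
            findings.add(("mac-claims-many", f"{mac}: {', '.join(sorted(ips))}"))
    return sorted(findings)

# The first four lines are the output shown above; the last line is a
# constructed benign reply. BASELINE is constructed sample data.
CAPTURE = [
    "Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6",
    "Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5",
    "Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.6",
    "Ether / ARP is at 00:c2:c6:30:2c:58 says 192.168.1.5",
    "Ether / ARP is at 02:00:00:00:00:01 says 192.168.1.1",
]
BASELINE = {
    "192.168.1.1": "02:00:00:00:00:01",
    "192.168.1.5": "02:00:00:00:00:05",
    "192.168.1.6": "02:00:00:00:00:06",
}

if __name__ == "__main__":
    for kind, detail in find_arp_anomalies(CAPTURE, BASELINE):
        print(f"{kind:16} {detail}")
```

Without a baseline only the mac-claims-many heuristic can fire on this capture, which is why keeping a trusted IP-to-MAC inventory makes the check much more useful.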
**habu.arpsniff: Discover devices on your LAN capturing ARP packets**
This command listens for ARP packets and shows information about each device.
Columns: Seconds from last packet | IP | MAC | Vendor

    1   192.168.0.1   a4:08:f5:19:17:a4   Sagemcom Broadband SAS
    7   192.168.0.2   64:bc:0c:33:e5:57   LG Electronics (Mobile Communications)
    2   192.168.0.5   00:c2:c6:30:2c:58   Intel Corporate
    6   192.168.0.7   54:f2:01:db:35:58   Samsung Electronics Co.,Ltd

**habu.contest: Check your connection capabilities**
This command tries to connect to various services and checks whether you can reach them using your internet connection.

    $ habu.contest
    IP: True
    DNS: True
    FTP: True
    SSH: True
    HTTP: True
    HTTPS: True

**habu.dhcp_discover: Discover DHCP servers**
This command sends a DHCP request and shows which devices have replied. Using the '-v' parameter (verbose) you can see all the options (like DNS servers) included in the responses.

    $ sudo habu.dhcp_discover
    Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.5:bootpc / BOOTP / DHCP

**habu.dhcp_starvation: Fill the DHCP leases**
This command sends multiple DHCP requests from forged MAC addresses to fill the DHCP server leases. When all the available network addresses are assigned, the DHCP server stops sending responses, so some attacks, like DHCP spoofing, can be made.

    $ sudo habu.dhcp_starvation
    Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.6:bootpc / BOOTP / DHCP
    Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.7:bootpc / BOOTP / DHCP
    Ether / IP / UDP 192.168.0.1:bootps > 192.168.0.8:bootpc / BOOTP / DHCP

**habu.eicar: Prints the EICAR test string**
This command prints the EICAR test string that can be used to test antimalware engines. More info: [http://www.eicar.org/86-0-Intended-use.html](<https://www.eicar.org/86-0-Intended-use.html>)

    $ habu.eicar
    X5O!P%@AP[4\XZP54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

**Note:** The string above is incorrect because it is not a good idea to write the complete string in this text file. Some antivirus programs may detect it as a virus. :)

**habu.hasher: Computes various hashes with the input data**
This command computes various hashes for the input data, which can be a file or a stream.
If the filename is '-', the data is taken from the standard input (stdin), so three different variants exist to call this command:

    $ habu.hasher README.rst
    md5  : 375375d9cfb2aacab7c8d1a9afd3d9b7
    sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e

    $ cat README.rst | habu.hasher -
    md5  : 375375d9cfb2aacab7c8d1a9afd3d9b7
    sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e

    $ habu.hasher - < README.rst
    md5  : 375375d9cfb2aacab7c8d1a9afd3d9b7
    sha1 : 21c67b9ef44bc24d47eef6adab648ba34662927e

**Note:** The output above shows only MD5 and SHA1 to keep it short, but the real output includes more algorithms.
You can also specify which algorithm to use. In that case, the output is only the value of the calculated hash:

    $ habu.hasher -a md5 README.rst
    375375d9cfb2aacab7c8d1a9afd3d9b7

**habu.ip: Prints your current public IP**
This command prints your current public IP based on the response from [https://api.ipify.org](<https://api.ipify.org/>).

    $ habu.ip
    182.26.32.246

**habu.isn: Prints the TCP sequence numbers for an IP**
This command creates TCP connections and prints the TCP initial sequence number for each connection.

    $ sudo habu.isn www.portantier.com
    1962287220
    1800895007
    589617930
    3393793979
    469428558

You can get a graphical representation (needs the matplotlib package) using the '-g' option:

    $ sudo habu.isn -g -c 10 www.portantier.com

[ISN graph produced by the '-g' option](<https://1.bp.blogspot.com/-GuU_dtJEfgo/WchwtQmFIrI/AAAAAAAAI90/r7SPaHd4iiAKggmGy3Igcq0fJwiaKfeVQCLcBGAs/s1600/habu.png>)

**Note:** The above command uses the '-c' option to specify that 10 connections must be created.

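When auditing your own hosts, the numbers printed by habu.isn are easier to judge as differences between consecutive values than as raw values. The triage below is an added example, not part of habu; the 2**20 threshold and the two counter-style samples are assumptions constructed for illustration, while PAGE_SAMPLE is the output shown above.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Forward distance between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isns(isns, small_step=2 ** 20):
    """Coarse triage of an ISN sample collected from one host.

    constant-increment: every new connection adds the same value, so the
                        next ISN can be computed from the previous one.
    small-increments:   steps vary but stay below small_step (an assumed
                        cut-off), which is typical of counter- or
                        clock-driven generators.
    no-simple-pattern:  neither of the above. This is NOT proof of good
                        randomness; a handful of samples cannot show that.
    """
    if len(isns) < 3:
        return "insufficient-data"
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant-increment"
    if max(deltas) < small_step:
        return "small-increments"
    return "no-simple-pattern"


# Output of habu.isn as shown above.
PAGE_SAMPLE = [1962287220, 1800895007, 589617930, 3393793979, 469428558]
# Constructed: a generator adding 64000 per connection, crossing the wrap.
COUNTER_SAMPLE = [4294900000, 4294964000, 60704, 124704]
# Constructed: small, irregular steps.
DRIFT_SAMPLE = [1000, 1500, 9000, 9100]

if __name__ == "__main__":
    for name, sample in [("page", PAGE_SAMPLE),
                         ("counter", COUNTER_SAMPLE),
                         ("drift", DRIFT_SAMPLE)]:
        print(f"{name:8} {classify_isns(sample):20} {isn_deltas(sample)}")
```

Taking the difference modulo 2**32 matters: without it the wrap in the counter sample would look like a large negative jump and hide the constant step.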
**habu.land: Implements the LAND attack**
This command implements the LAND attack, which sends packets with the source IP address forged to be the same as the destination IP. It also uses the same source and destination port.
The attack is very old, and can be used to cause a Denial of Service on old systems, like Windows NT 4.0. More information here: [https://en.wikipedia.org/wiki/LAND](<https://en.wikipedia.org/wiki/LAND>)

    $ sudo habu.land 172.16.0.10
    ............

**Note:** Each dot (.) is a sent packet. You can specify how many packets to send with the '-c' option. The default is to never stop. You can also specify the destination port with the '-p' option.

**habu.ping: ICMP echo requests**
This command implements the classic 'ping' with ICMP echo requests.

    $ sudo habu.ping 8.8.8.8
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding
    IP / ICMP 8.8.8.8 > 192.168.0.5 echo-reply 0 / Padding

**habu.snmp_crack: SNMP Community Cracker**
This command launches snmp-get queries against an IP, and tells you when it finds a valid community string (it is a simple SNMP cracker).
The dictionary used is the one distributed with the onesixtyone tool ([https://github.com/trailofbits/onesixtyone](<https://github.com/trailofbits/onesixtyone>)).

    $ sudo habu.snmp_crack 179.125.234.210
    Community found: private
    Community found: public

**Note:** You can also receive messages like <UNIVERSAL> <class 'scapy.asn1.asn1.ASN1_Class_metaclass'>, I don't know how to suppress them for now.

**habu.synflood: SYN Flood Attack Implementation**
This command launches a lot of TCP connections and keeps them open. Some very old systems can suffer a Denial of Service with this. More info: [https://en.wikipedia.org/wiki/SYN_flood](<https://en.wikipedia.org/wiki/SYN_flood>)

    $ sudo habu.synflood 172.16.0.10
    .................

Each dot is a packet sent.
You can use the options '-2' and '-3' to forge the layer 2/3 addresses. If you use them, each connection will be sent from a random layer 2 (MAC) and/or layer 3 (IP) address.
You can choose the number of connections to create with the option '-c'. The default is to never stop creating connections.
**Note:** If you send the packets from your real IP address and you want to keep the connections half-open, you need to set up your firewall so that it doesn't send the RST packets. With habu, you can do this with the following command (only works with Linux+IPTables):

    $ sudo habu.firewall --no-rst

You can check the results with "iptables -L -n", and you will see something like this:

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04

**habu.tcpflags: TCP Flag Fuzzer**
This command sends TCP packets with different flags and tells you what responses it receives.
It can be used to analyze how different TCP/IP stack implementations and configurations respond to packets with various flag combinations.

    $ sudo habu.tcpflags www.portantier.com
    S -> SA
    FS -> SA
    FA -> R
    SA -> R

By default, the command sends all possible flag combinations. You can specify which flags must always be present (reducing the number of possible combinations) with the '-f' option.
You can also specify which flags must be present in the response packets that are shown, with the '-r' option.
With the next command, you see all the possible combinations that have the FIN (F) flag set and generate a response that contains the RST (R) flag.

    $ sudo habu.tcpflags -f F -r R www.portantier.com
    FPA -> R
    FSPA -> R
    FAU -> R

**[Download habu](<https://github.com/portantier/habu>)**