hatRiot edited this page Nov 26, 2012 · 17 revisions

NOTE: This is still very much a work in progress, and not all functionality is implemented yet. I will update this readme with a link to the blog post regarding this.

# ZARP Version 0.04B Network Attack Tool
@ballastsec, @dronesec

# INTRODUCTION

Zarp is a network attack tool centered around exploitation of local networks. It does not perform system exploitation; instead it abuses networking protocols and stacks to take over, infiltrate, and knock out hosts. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or delivering it to the attacker directly. Sniffers are included to automatically parse usernames and passwords from several protocols, as well as to view HTTP traffic and more. DoS attacks are included to knock out hosts and applications. Together these tools make very complex attack scenarios on live networks possible quickly, cleanly, and quietly.

# TOOL OVERVIEW

POISONERS
These tools work as expected: poisoning hosts in preparation for MitM, session hijacking, etc.
ARP, DNS, DHCP, NBNS

DOS
Modules for denial-of-service attacks against hosts.
Teardrop, IPv6 NDP RA, Nestea, LAND, TCP SYN, SMB2

SNIFFERS
These post-poisoning modules are useful for intercepting interesting traffic.
HTTP, Password and Username

SCANNERS
Scan networks for victims.
Network Scanner, Service Scanner, Access Point Scanner

EMULATE SERVICES
Pretend you're useful; harvest credentials from automatic login tools or unaware users. The spoofed services are custom-written honeypots: none of them can actually be used for the purpose the real service provides.
HTTP, SSH, FTP, SMB

PARAMETER
Perform parameter cracking to gain access to a network. AP cracking is handled by Wifite.
WEP Crack, WPA2 Crack, WPS Crack, Router pwn

CLI USAGE AND SHORTCUTS
To clear the screen, type gibberish (e.g. 'asdf'); this wipes the screen and reprints the current menu.

Typing 'quit' will close the application, no matter where you are. Note that this is a 'hard quit', so running sessions may not be closed gracefully.

Typing 'info [module]' will dump information and usage about the specified module.

'opts' lists the session-wide options available for use. At present only the interface option exists; more will be added as module development continues. You can set an option by typing 'set [key] [value]'.

# USE EXAMPLES

Command line options

```
bryan@devbox:~/zarp$ sudo ./zarp.py --help
	 ____   __   ____  ____
	(__  ) / _\ (  _ \(  _ '
	 / _/ /    \ )   / ) __/
	(____)\_/\_/(__\_)(__)
	    [Version 0.04B]
usage: zarp.py [-h] [-q FILTER] [--debug] [--update] [-s SCAN] [--finger] [-a]
               [-w] [--channel CHANNEL] [--ssh] [--ftp] [--http] [--smb]

optional arguments:
  -h, --help         show this help message and exit
  -q FILTER          Quick network sniff with filter
  --debug            Launch Zarp with error logging
  --update           Update Zarp

Scanners:
  -s SCAN            Quick network map
  --finger           Fingerprint scan packets
  -a                 Service scan
  -w                 Wireless AP scan
  --channel CHANNEL  Set channel to scan on

Services:
  --ssh              SSH server
  --ftp              FTP server
  --http             HTTP server
  --smb              SMB listener
bryan@devbox:~/zarp$
```

Main menu

```
bryan@devbox:~/zarp$ sudo ./zarp.py
	 ____   __   ____  ____
	(__  ) / _\ (  _ \(  _ '
	 / _/ /    \ )   / ) __/
	(____)\_/\_/(__\_)(__)
	    [Version 0.04B]
	[1] Poisoners 	 [2] DoS Attacks
	[3] Sniffers 	 [4] Scanners
	[5] Parameter 	 [6] Services
	[7] Sessions

0) Back
>
```

ARP Poisoning Session

```
    [1] ARP Poison
    [2] DNS Poison
    [3] DHCP Poison

0) Back
> 1
[!] Using interface [eth2:08:00:27:2d:7a:6d]
[!] Enter host to poison:   192.168.1.88
[!] Enter address to spoof: 192.168.1.1
[!] Spoof IP 192.168.1.88 from victim 192.168.1.1.  Is this correct? y
[!] Initializing ARP poison..
    [1] ARP Poison
    [2] DNS Poison
    [3] DHCP Poison

0) Back
> 0
            [ZARP]
        [Version 0.02]
    [1] Poisoners    [2] DoS Attacks
    [3] Sniffers     [4] Scanners
    [5] Parameter    [6] Sessions

0) Back
> 6

    [Running sessions]
[!] ARP POISONS [arp]:
    [0] 192.168.1.88


    [1] Stop session
    [2] View session
    [3] Start session logger
    [4] Stop session logger

0) Back
>
```

FTP credential harvesting

```
bryan@devbox:~/zarp$ sudo ./zarp.py --ftp
[!] Starting FTP server...
[!] Connection from ('192.168.1.118', 54985)
[!] Received 'anonymous:chrome@example.com' from connection.
[!] Connection from ('192.168.1.118', 54986)
[!] Received 'username:password' from connection.
[!] Connection from ('192.168.1.118', 54987)
[!] Received 'bob:th3bu1ld3r' from connection.
^Cbryan@devbox:~/zarp$
```

ARP poisoning while DNS poisoning while sniffing HTTP traffic

```
	        [ZARP]
	    [Version 0.03A]
	[1] Poisoners 	 [2] DoS Attacks
	[3] Sniffers 	 [4] Scanners
	[5] Parameter 	 [6] Spoofer
	[7] Sessions

0) Back
> 7

	[Running sessions]
[!] ARP POISONS [arp]:
	[0] 192.168.1.218
	|-> [!] DNS POISONS [dns]:
	|--> [0] .* -> 192.168.1.1
	|--> [1] boogers.* -> 192.168.1.1
[!] HTTP SNIFFERS [http]:
	[0] 192.168.1.218
	|--> Logging to  /tmp/httplogger.log

	[1] Stop session
	[2] View session
	[3] Start session logger
	[4] Stop session logger

0) Back
>
```
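The ARP poisoning sessions above leave a visible symptom on the wire: the attacker's interface announces itself for IP addresses that already belong to other hosts. The following passive detector is an added example for the defending side, not code from zarp or its authors; it replays constructed ARP-reply records and flags an IP whose announced MAC changes as well as a single MAC that claims several IPs. 08:00:27:2d:7a:6d is the zarp interface from the session above; the other MACs are constructed placeholders.

```python
from collections import defaultdict

# Constructed ARP-reply records (sender IP, sender MAC, target IP) as a passive
# sniffer on the LAN would see them (in scapy terms: ARP op=2, psrc, hwsrc, pdst).
# 08:00:27:2d:7a:6d is the zarp interface from the session above; the other
# MACs are constructed placeholders for the real gateway and victim.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01", "192.168.1.88"),  # legitimate gateway
    ("192.168.1.88", "00:11:22:33:44:58", "192.168.1.1"),   # legitimate victim
    ("192.168.1.1",  "08:00:27:2d:7a:6d", "192.168.1.88"),  # attacker claims gateway
    ("192.168.1.88", "08:00:27:2d:7a:6d", "192.168.1.1"),   # attacker claims victim
    ("192.168.1.1",  "08:00:27:2d:7a:6d", "192.168.1.88"),  # repeat of the poison
]


def detect_arp_spoofing(replies):
    """Return alerts for a stream of (sender_ip, sender_mac, target_ip) tuples.

    Two symptoms of a poisoned LAN are checked: an IP whose announced MAC
    differs from the first binding seen (a MAC change), and one MAC that
    announces itself for more than one IP (the attacker impersonating both
    ends of a MitM). Repeated identical poison frames raise one alert only.
    """
    baseline = {}                  # ip -> first MAC seen, treated as the trusted binding
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    reported = set()                # (ip, mac) conflicts already alerted on
    alerts = []
    for sender_ip, sender_mac, target_ip in replies:
        mac = sender_mac.lower()
        ips_per_mac[mac].add(sender_ip)
        first = baseline.setdefault(sender_ip, mac)
        if first != mac and (sender_ip, mac) not in reported:
            reported.add((sender_ip, mac))
            alerts.append(("mac_change", sender_ip, first, mac, target_ip))
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append(("multi_ip", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A MAC change alone also occurs legitimately (DHCP reassignment, NIC replacement, gateway failover), so the baseline should be cross-checked against a known inventory before treating it as an incident.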

Performance of the above:

```
$ ps aux | grep z[ar]p
root     15117  0.4  1.7 106368 17800 pts/0    Sl+  18:00   0:00 /usr/local/bin/python ./zarp.py
$ cat /proc/15117/status
Name:	zarp.py
State:	S (sleeping)
Tgid:	15117
Pid:	15117
PPid:	15115
TracerPid:	0
Uid:	0	0	0	0
Gid:	0	0	0	0
FDSize:	64
Groups:	0
VmPeak:	  106368 kB
VmSize:	  106368 kB
VmLck:	       0 kB
VmHWM:	   17800 kB
VmRSS:	   17800 kB
VmData:	   30268 kB
VmStk:	     168 kB
VmExe:	    1468 kB
VmLib:	    4744 kB
VmPTE:	     196 kB
Threads:	3
[snip]
```