[ what’s scapy ]
scapy is a Python module for building, sending, sniffing and dissecting network packets. Because it builds each layer by hand, it is a good tool for watching what a TCP stack does with packets the kernel never asked for, which is what this post walks through.
scapy machine : backtrack linux 5 : 192.168.10.20
target machine : centos 5.6 : 192.168.10.11
create IP objects
root@bt:~# scapy
Welcome to Scapy (2.1.0)
>>> i = IP()
>>> i.dst = "192.168.10.11"
>>> i.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= ip
  chksum= None
  src= 192.168.10.20
  dst= 192.168.10.11
  \options\
create TCP objects
>>> t = TCP()
>>> t.dport = 80
>>> t.flags = "S"
>>> t.sport = 12345
>>> t.display()
###[ TCP ]###
  sport= 12345
  dport= www
  seq= 0
  ack= 0
  dataofs= None
  reserved= 0
  flags= S
  window= 8192
  chksum= None
  urgptr= 0
  options= {}
Now send the SYN packet built above. sr1(i/t) stacks the TCP layer on the IP layer, sends the result at layer 3 and returns the first answer it receives.
Let’s try :)
>>> sr1(i/t)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=44 id=0 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa55c src=192.168.10.11 dst=192.168.10.20 options=[] |<TCP  sport=www dport=12345 seq=239470845 ack=1 dataofs=6L reserved=0L flags=SA window=5840 chksum=0xa409 urgptr=0 options=[('MSS', 1460)] |>>
>>>
Packet capture taken on the target machine while the SYN was sent:
# tshark -nr scapy.pcap
Running as user "root" and group "root". This could be dangerous.
  1 0.000000 192.168.10.20 -> 192.168.10.11 TCP 12345 > 80 [SYN] Seq=0 Win=8192 Len=0
  2 0.000005 192.168.10.11 -> 192.168.10.20 TCP 80 > 12345 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
  3 0.002936 192.168.10.20 -> 192.168.10.11 TCP 12345 > 80 [RST] Seq=0 Win=0 Len=0
Note the RST in frame 3. scapy wrote the SYN straight to the wire, so the scapy machine's kernel has no socket for port 12345; when the SYN/ACK arrives the kernel treats it as unsolicited and answers with a RST, which tears down the half-open connection on the target. To keep the handshake alive, drop outbound RST packets on the scapy machine with iptables:
root@bt:~# iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
root@bt:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:RST/RST
root@bt:~#
Send the SYN packet again.
>>> sr1(i/t)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=44 id=0 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa55c src=192.168.10.11 dst=192.168.10.20 options=[] |<TCP  sport=www dport=12345 seq=607198198 ack=1 dataofs=6L reserved=0L flags=SA window=5840 chksum=0x7b25 urgptr=0 options=[('MSS', 1460)] |>>
This time the RST from the scapy machine was dropped by iptables. The target's capture shows no RST; instead the target retransmits its SYN/ACK about three seconds later because no ACK ever arrived, and the connection stays in SYN_RECV.
# tshark -nr scapy.pcap
Running as user "root" and group "root". This could be dangerous.
  1 0.000000 192.168.10.20 -> 192.168.10.11 TCP 12345 > 80 [SYN] Seq=0 Win=8192 Len=0
  2 0.000005 192.168.10.11 -> 192.168.10.20 TCP 80 > 12345 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
  3 2.999577 192.168.10.11 -> 192.168.10.20 TCP 80 > 12345 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
Next, let's complete the three-way handshake and establish a TCP connection between the scapy machine and the target machine.
On the target machine, open a listening socket on port 80 with nc.
nc - arbitrary TCP and UDP connections and listens
# nc -l 80
# lsof -ni:80
COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
nc      16945 root    3u  IPv4 2091820      TCP *:http (LISTEN)
Send a SYN packet from scapy:
>>> sr1(i/t)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=44 id=0 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa55c src=192.168.10.11 dst=192.168.10.20 options=[] |<TCP  sport=www dport=12345 seq=1761317211 ack=1 dataofs=6L reserved=0L flags=SA window=5840 chksum=0xc0f5 urgptr=0 options=[('MSS', 1460)] |>>
On the target machine the connection is now half-open:
# netstat -an | grep 12345
tcp        0      0 192.168.10.11:80       192.168.10.20:12345     SYN_RECV
Create the ACK packet on scapy. Its ack number must be the target's SYN/ACK sequence number plus one (1761317211 + 1 = 1761317212), because the target's SYN consumes one sequence number. Its own seq is 1 for the same reason: our SYN went out with seq 0 and consumed one. Any other pair of numbers falls outside the target's window and the ACK is silently discarded.
>>> a = TCP()
>>> a.dport = 80
>>> a.sport = 12345
>>> a.flags = "A"
>>> a.ack = 1761317212
>>> a.seq = 1
>>> a.display()
###[ TCP ]###
  sport= 12345
  dport= www
  seq= 1
  ack= 1761317212
  dataofs= None
  reserved= 0
  flags= A
  window= 8192
  chksum= None
  urgptr= 0
  options= {}
Send the ACK packet from scapy. send() is enough here since no reply is expected:
>>> send(i/a)
.
Sent 1 packets.
>>>
The connection is established. netstat -an on the target machine:
# netstat -an | grep 12345
tcp        0      0 192.168.10.11:80       192.168.10.20:12345     ESTABLISHED
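The same exchange driven from one script instead of the interactive shell, so the ack arithmetic is done by code rather than by hand. This is an added example, not code from the original post. It assumes the RST-dropping iptables rule above is already in place, that something like nc -l 80 is listening on the target, root privileges for raw sockets, and the addresses and ports of this lab (all parameters). The two helpers check_synack() and third_packet_numbers() are plain Python so the number logic can be exercised without scapy; only handshake() needs scapy installed.

```python
#!/usr/bin/env python
"""Added example: scapy-driven TCP three-way handshake.

Assumptions (not from the original post): outbound RSTs are already
dropped with iptables, a listener is running on TARGET:DPORT, and the
script runs as root.
"""
import sys

try:
    from scapy.all import IP, TCP, send, sr1
except ImportError:  # allows the pure helpers below to be used without scapy
    IP = TCP = send = sr1 = None

# Lab values from the post; override via handshake() arguments.
TARGET = "192.168.10.11"
SPORT = 12345
DPORT = 80
ISN = 0  # scapy's default seq, i.e. the initial sequence number we claim

SYN = 0x02
ACK = 0x10
MASK32 = 0xFFFFFFFF


def check_synack(flags, our_isn, ack_num):
    """True if a reply carries SYN+ACK and acknowledges exactly our SYN.

    flags is the raw TCP flags value as an int (a closed port answers
    RST/ACK = 0x14, which this rejects).
    """
    return (flags & (SYN | ACK)) == (SYN | ACK) and ack_num == (our_isn + 1) & MASK32


def third_packet_numbers(our_isn, peer_isn):
    """seq/ack for the final ACK of the handshake.

    Our SYN consumed one sequence number, so seq = our ISN + 1.
    The peer's SYN did the same, so ack = peer ISN + 1 (mod 2**32).
    """
    return (our_isn + 1) & MASK32, (peer_isn + 1) & MASK32


def handshake(target=TARGET, dport=DPORT, sport=SPORT, isn=ISN, timeout=3):
    """Send SYN, wait for SYN/ACK, send ACK. Returns (seq, ack) or None."""
    if IP is None:
        raise RuntimeError("scapy is required to send packets")
    ip = IP(dst=target)
    syn = TCP(sport=sport, dport=dport, flags="S", seq=isn)
    reply = sr1(ip / syn, timeout=timeout, verbose=0)
    if reply is None or TCP not in reply:
        print("no answer from %s:%d" % (target, dport))
        return None
    t = reply[TCP]
    if not check_synack(int(t.flags), isn, t.ack):
        print("unexpected reply: flags=%r ack=%r" % (t.flags, t.ack))
        return None
    seq, ack = third_packet_numbers(isn, t.seq)
    # Without the iptables RST rule the kernel would already have reset
    # this connection before our ACK goes out.
    send(ip / TCP(sport=sport, dport=dport, flags="A", seq=seq, ack=ack), verbose=0)
    return seq, ack


if __name__ == "__main__":
    result = handshake()
    if result is None:
        sys.exit(1)
    print("established: seq=%d ack=%d (check with netstat -an on the target)" % result)
```

With the post's SYN/ACK (seq 1761317211) the helper returns seq 1, ack 1761317212, the same numbers typed by hand above; a RST/ACK from a closed port is rejected by check_synack() instead of being answered.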
cool tools :)
>>> lsc()
arpcachepoison : Poison target's cache with (your MAC,victim's IP) couple
arping         : Send ARP who-has requests to determine which hosts are up
bind_layers    : Bind 2 layers on some specific fields' values
corrupt_bits   : Flip a given percentage or number of bits from a string
corrupt_bytes  : Corrupt a given percentage or number of bytes from a string
defrag         : defrag(plist) -> ([not fragmented], [defragmented],
defragment     : defrag(plist) -> plist defragmented as much as possible
dyndns_add     : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del     : Send a DNS delete message to a nameserver for "name"
etherleak      : Exploit Etherleak flaw
fragment       : Fragment a big IP datagram
fuzz           : Transform a layer into a fuzzy layer by replacing some default values by random objects
getmacbyip     : Return MAC address corresponding to a given IP address
hexdiff        : Show differences between 2 binary strings
hexdump        : --
hexedit        : --
is_promisc     : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump    : --
ls             : List available layers, or infos on a given layer
promiscping    : Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap         : Read a pcap file and return a packet list
send           : Send packets at layer 3
sendp          : Send packets at layer 2
sendpfast      : Send packets at layer 2 using tcpreplay for performance
sniff          : Sniff packets
split_layers   : Split 2 layers previously bound
sr             : Send and receive packets at layer 3
sr1            : Send packets at layer 3 and return only the first answer
srbt           : send and receive using a bluetooth socket
srbt1          : send and receive 1 packet using a bluetooth socket
srflood        : Flood and receive packets at layer 3
srloop         : Send a packet at layer 3 in loop and print the answer each time
srp            : Send and receive packets at layer 2
srp1           : Send and receive packets at layer 2 and return only the first answer
srpflood       : Flood and receive packets at layer 2
srploop        : Send a packet at layer 2 in loop and print the answer each time
traceroute     : Instant TCP traceroute
tshark         : Sniff packets and print them calling pkt.show(), a bit like text wireshark
wireshark      : Run wireshark on a list of packets
wrpcap         : Write a list of packets to a pcap file
>>>