
Creating and Manipulating Packets with Scapy

In document Security Power Tools pdf (Page 173-176)

A network packet is divided into layers, and each layer is represented by a Python instance. Manipulating a network packet is thus done by playing with the attributes and methods of the instances that represent the different layers of the packet. Creating a packet is done by creating instances, one for each layer, and stacking them together. For example, let's create a TCP/IP packet to port 22:

>>> a=IP()                                          (1)
>>> a
<IP |>
>>> a.ttl                                           (2)
64
>>> a.ttl=32                                        (3)
>>> a
<IP ttl=32 |>
>>> b=TCP(dport=22)                                 (4)
>>> c=a/b                                           (5)
>>> c
<IP frag=0 ttl=32 proto=TCP |<TCP dport=ssh |>>
>>> c.proto                                         (6)
6

First, (1) create an IP instance and store it in variable a. All the IP fields are set to their respective default value, the one that can be seen with ls(). Access the fields: they appear as attributes of the instance. (2) Ask for the TTL value, which is 64 by default. (3) Set it to 32. The representation of the packet shows that the TTL field no longer has its default value. Then, (4) create a TCP layer. Some field values can be set directly at instance construction. Then, (5) stack a and b using the / operator to create a TCP/IP packet. Notice that some IP fields have had their value automatically set to a more useful one: (6) the IP protocol field value has been overloaded by the TCP layer to be IPPROTO_TCP (i.e., 6).

As we can see in Figure 6-1, each layer can hold three values for each field. The first one, always present, is the default value. The second one can be set by an upper layer that overloads some default values (as TCP did previously for the IP protocol field). The third one is the one set by the user, and it overloads the previous two.

We have used ls() to show information about a layer, which is a class, but it also works for instances. A new column then appears before the default values and gives the current value. This column takes into account what the user set and what other layers may have overloaded.

[Figure 6-1. Field value management and overloading. Labels: Lower layer; User set fields; Fields overloaded by upper layer; Default fields]

>>> ls(c)
version    : BitField         = 4            (4)
ihl        : BitField         = None         (None)
tos        : XByteField       = 0            (0)
id         : ShortField       = 1            (1)
flags      : FlagsField       = 0            (0)
frag       : BitField         = 0            (0)
ttl        : ByteField        = 32           (64)
proto      : ByteEnumField    = 6            (0)
chksum     : XShortField      = None         (None)
src        : Emph             = '127.0.0.1'  (None)
dst        : Emph             = '127.0.0.1'  ('127.0.0.1')
options    : IPoptionsField   = ''           ('')
--
sport      : ShortEnumField   = 20           (20)
dport      : ShortEnumField   = 22           (80)
seq        : IntField         = 0            (0)
ack        : IntField         = 0            (0)
dataofs    : BitField         = None         (None)
reserved   : BitField         = 0            (0)
flags      : FlagsField       = 2            (2)
window     : ShortField       = 8192         (8192)
chksum     : XShortField      = None         (None)
urgptr     : ShortField       = 0            (0)
options    : TCPOptionsField  = {}           ({})

Fields can be assigned a wrong or cranky value. This is ideal for testing network stack robustness and the ability to handle the unexpected.

>>> IP(version=2, ihl=3, options="love", proto=1)/TCP()
<IP version=2 ihl=3 frag=0 proto=ICMP options='love' |<TCP |>>

Fields can also be assigned a set of values. This is perfect for quickly creating a set of packets from a given template, and more particularly for going through many values of a given field (a.k.a. scanning). Packets in which one or more fields contain a set of values will be called implicit packets.

>>> pkts = IP(ttl=[1,3,5,(7,10)])/TCP()                (1)
>>> pkts
<IP frag=0 ttl=[1, 3, 5, (7, 10)] proto=TCP |<TCP |>>
>>> [pkt for pkt in pkts]
[<IP frag=0 ttl=1 proto=TCP |<TCP |>>,
 <IP frag=0 ttl=3 proto=TCP |<TCP |>>,
 <IP frag=0 ttl=5 proto=TCP |<TCP |>>,
 <IP frag=0 ttl=7 proto=TCP |<TCP |>>,
 <IP frag=0 ttl=8 proto=TCP |<TCP |>>,
 <IP frag=0 ttl=9 proto=TCP |<TCP |>>,
 <IP frag=0 ttl=10 proto=TCP |<TCP |>>]
>>> IP(dst="192.168.*.1-10")/ICMP()                    (2)
<IP frag=0 proto=ICMP dst=<Net 192.168.0-2.*> |<ICMP |>>
>>> IP(dst="192.168.4.0/24")/TCP(dport=(0,1024))      (3)
<IP frag=0 proto=TCP dst=<Net 192.168.4.0/24> |<TCP dport=(0, 1024) |>>

Here we have created three implicit packets. (1) The first one is worth seven TCP/IP packets with TTL 1, 3, 5, 7, 8, 9, and 10. This is a partial TCP traceroute. (2) The second one will do an ICMP ping scan, going through the first 10 IP addresses of all the 192.168 networks. (3) The third one will do a TCP SYN scan on all privileged ports of the 192.168.4.0/24 network.
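As an added example (not code from the book or from Scapy), the following pure-Python expander models how the set notations used above turn into individual values, so the number of concrete packets an implicit packet stands for can be computed before anything is put on the wire. It covers lists mixing single values and (start, end) tuples, dotted-quad destinations with "*" and "a-b" octet ranges, and CIDR blocks. Function names are assumptions; ranges are treated as inclusive because the page's own (7, 10) expands to 7, 8, 9, 10, and the tool generalizes the three cases on the page to any combination of such fields.

```python
# Added example, not Scapy's own code: expand the field-set notations on the
# page into concrete values and count the packets an implicit packet implies.
# Function names are assumptions; (start, end) ranges are inclusive, as the
# page's ttl=(7, 10) example shows.
import ipaddress
import itertools


def expand_field(value):
    """Expand a field value: a scalar, an inclusive (start, end) tuple, or a list of those."""
    if isinstance(value, tuple):
        start, end = value
        return list(range(start, end + 1))          # inclusive on both ends
    if isinstance(value, list):
        out = []
        for item in value:
            out.extend(expand_field(item))
        return out
    return [value]


def _octet_values(token):
    """One dotted-quad token: '4', '*' or '1-10' -> list of octet values."""
    if token == "*":
        return list(range(256))
    if "-" in token:
        lo, hi = (int(part) for part in token.split("-", 1))
    else:
        lo = hi = int(token)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range {token!r}")
    return list(range(lo, hi + 1))


def expand_net(spec):
    """Expand a Net-style destination: '192.168.*.1-10' or a CIDR block '192.168.4.0/24'."""
    if "/" in spec:
        # strict=False lets a host address stand for its network; iterating the
        # network yields every address in it, network and broadcast included
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad address spec {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_octet_values(o) for o in octets))]


def implicit_packet_count(**fields):
    """Number of concrete packets an implicit packet with these field sets stands for."""
    count = 1
    for name, value in fields.items():
        if name == "dst" and isinstance(value, str):
            count *= len(expand_net(value))
        else:
            count *= len(expand_field(value))
    return count


if __name__ == "__main__":
    # the three implicit packets from the page
    print(expand_field([1, 3, 5, (7, 10)]))                       # [1, 3, 5, 7, 8, 9, 10]
    print(implicit_packet_count(ttl=[1, 3, 5, (7, 10)]))          # 7
    print(implicit_packet_count(dst="192.168.*.1-10"))            # 2560
    print(implicit_packet_count(dst="192.168.4.0/24", dport=(0, 1024)))   # 262400
```

The last figure is worth keeping in mind: a one-line template such as the third packet above stands for 256 addresses times 1025 ports, so counting before sending is a cheap way to see how much traffic a scan template really represents.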

As you can see, scanning doesn't just mean TCP port scanning. It means taking a field and going through all possible, or interesting, values. Depending on the fields you choose to scan, you will get a different tool. If you choose TCP destination ports, you will have all kinds of TCP port scanners, depending on which flags you choose to send. If you fix an interesting TTL at the same time, it becomes a firewalker (this network reconnaissance technique will be explained in Section 6.4). If you choose to scan destination IP, depending on whether you go for ICMP, TCP, or ARP, you will have a TCP ping, ICMP ping, or ARP ping IP scanner. If you choose to scan the TTL, you will have a traceroute tool. If your payload is a DNS or IKE request and you scan the IP destination, you will scan the Internet for DNS servers or VPN concentrators. If you choose one DNS server and you scan through IP with reverse DNS requests, you will have a reverse DNS bruteforcer. You are only limited by your imagination (or the limits discussed in Chapter 1).
