Scapy
On-the-fly Packet Generation

by [email protected]
Tuesday, 10 January 2012

Overview

Repetition of network basics
Python basics
Scapy basics
Example: SYN scan
Hands-on: traceroute, promiscuous scan

Layers

OSI model: abstraction layers

(1) Physical: bits
(2) Data link: frames with physical addressing
(3) Network: packets and routing
(4) Transport: connections

Ethernet

Layer 2 protocol
Frames

Internet Protocol

Layer 3 protocol
Packets
Sender and receiver are identified by an "IP" address, e.g. 123.45.67.89
Some addresses have a special meaning, e.g. 255.255.255.255 is the broadcast address

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                           Payload                         ...

rfc 791
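As an added example (not code from the original slides, which do all of this through Scapy), here is the header above built and parsed with only the Python standard library, so the field layout and the RFC 791 header checksum are visible. The addresses, TTL and payload length are constructed for the demonstration.

```python
import socket
import struct

# Added example: the RFC 791 header above, packed and unpacked with the
# standard library only, so the field layout and checksum are visible.


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of all 16-bit
    words (RFC 791 / RFC 1071). An odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0, df: bool = True) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    ihl = 5                                  # header length in 32-bit words
    total_len = ihl * 4 + payload_len
    flags_frag = 0x4000 if df else 0         # DF is bit 14; fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(hdr)                # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed fields; raise ValueError for anything malformed."""
    if len(packet) < 20:
        raise ValueError("short packet")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl * 4]
    # Summing a header that includes a correct checksum gives 0xFFFF, whose
    # complement is 0: that is the receiver-side verification.
    if inet_checksum(header) != 0:
        raise ValueError("bad header checksum")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000), "frag_off": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": header[20:],
    }


if __name__ == "__main__":
    # Constructed values for the demonstration.
    hdr = build_ipv4_header("10.0.0.1", "10.0.0.2", payload_len=20, ttl=30)
    print(hdr.hex())
    print(parse_ipv4_header(hdr))
    damaged = hdr[:8] + bytes([hdr[8] ^ 0x01]) + hdr[9:]   # TTL bit flipped
    try:
        parse_ipv4_header(damaged)
    except ValueError as err:
        print("rejected:", err)
```

The parser rejects a header whose checksum does not verify, which is exactly what a router does before it looks at anything else; a single flipped bit always changes the one's complement sum, so the damaged copy in the main block is refused.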

Address Resolution Protocol

Who-is-who for the local network: resolves an IP address to the MAC address that frames have to be sent to (layer 3 to layer 2)

Address Resolution Protocol

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Hardware Type         |         Protocol Type         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | HW Addr. Len. |Proto. Adr. Len|           Operation           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Sender Hardware Address (Octets 0-3)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Sender HW Address (Oct. 4-5) | Sender IP Address (Oct. 0-1)  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Sender IP Address (Oct. 2-3)  | Target HW Address (Oct. 0-1)  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Target Hardware Address (Octets 2-5)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Target IP Address                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

rfc 826

Address Resolution Protocol

Message examples:

ARP Request, or "who has ...?"
  Own IP and MAC are used as sender IP and sender hardware address.
  The searched-for IP is the target IP; the target hardware address is left empty (all zeros).

ARP Reply, or "... is at ..."
  Own IP and MAC are used as sender IP and sender hardware address.
  The asking host's IP and MAC are the target IP and target hardware address.

Transmission Control Protocol

Layer 4 protocol
Streams/Connections
Ensures correct, in-order transmission, or reports an error
3-way handshake for connection establishment

Transmission Control Protocol

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                           Payload                         ...

rfc 793

IP + TCP

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |  IP
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  Lay.3
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |  TCP
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  Lay.4
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                           Payload                         ...

Transmission Control Protocol

3-way handshake (SYN, SYN-ACK, ACK)

Ensures that the client is actually talking to the server, and vice versa: each side has to acknowledge a sequence number it can only know from the other side's segment, so neither side can complete the connection from a forged source address it cannot receive at.

Python Basics

Blocks are delimited by indentation with whitespace (thus no {})
Dynamic typing
Automatic memory management

Python Basics

>>> def add(x, y):
...     return x + y
...
>>> a, b = 1234, 5678
>>> c = add(a, b)
>>>
>>> if c > 1000:
...     print('Big', c)
... else:
...     print('Small', a, b)
...
Big 6912
>>>

Python Basics

>>> li = ['a', 'b', 'c']
>>> # Iterate list
... for c in li:
...     print(c.upper())
...
A
B
C
>>> # More complex boolean operation:
... if False or len(li):
...     print(li[2])
...
c

Python Basics

>>> list()
[]
>>> list(range(10))
[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
>>>
>>> # Getting information on available functions and
>>> # objects:
>>> help([])
[...]
>>> help(str)
[...]
>>> help(var)      # works for any object you have a name for
[...]
>>>

Scapy

$ sudo scapy
Welcome to Scapy (2.1.0)
>>>

(root privileges are needed: scapy sends and sniffs through raw sockets)

Workshop

SYN Scan
Traceroute
ARP Spoofing
Promiscuous Scan

SYN Scan

Simple port scanner

1. Initiate the three-way handshake by sending a SYN to the "victim"
2. Get responses (if any)
3. All SYN-ACKs are open ports
   All RSTs are closed ports
   (no answer at all: the port is filtered, or the host is down)

Caveat: the handshake is never completed. Scapy builds and sends the SYN itself, so the kernel has no socket for it and answers the incoming SYN-ACK with a RST of its own; the scanned host only ever sees a half-open connection that is torn down immediately.

SYN Scan

ans, uans = sr(...) - Layer 3 packet send/receive

ans is a list of (sent, received) packet pairs
uans is the list of unanswered packets
The SYN flag is set on the TCP layer, simply with flags="S" (not on IP: the IP header has its own, unrelated flags field)

SYN Scan

p = IP(dst="130.83.177.129")/TCP(dport=[22, 80], flags="S")
ans, uans = sr(p, timeout=5)
for s, r in ans:
    # response is SYN-ACK? Test the TCP flags (SYN = 0x02, ACK = 0x10);
    # a bare r.flags would read the IP header's flags field instead.
    if (r[TCP].flags & 0x12) == 0x12:
        print("port", r[TCP].sport, "is open")
    else:
        # RST (0x04): closed
        print("port", r[TCP].sport, "is closed")
# probes listed in uans got no answer at all
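As an added example (not code from the original slides), the TCP header and the scanner's decision without Scapy: the flag letters Scapy accepts in TCP(flags="S") mapped onto the control bits of the header diagram, a packer and parser for the fixed 20-byte header, and the open/closed/filtered classification applied to constructed replies. Port numbers and reply flags below are made up for the demonstration.

```python
import struct
from typing import Dict, Optional

# Added example: the TCP header of the slides packed and unpacked with the
# standard library, plus the decision a SYN scanner takes for each reply.

# Control bits of RFC 793 with Scapy's one-letter names (TCP(flags="S")).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_to_int(letters: str) -> int:
    """'SA' -> 0x12; an unknown letter raises KeyError."""
    value = 0
    for ch in letters:
        value |= TCP_FLAGS[ch]
    return value


def flags_to_str(value: int) -> str:
    return "".join(ch for ch, bit in TCP_FLAGS.items() if value & bit)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: str, window: int = 8192) -> bytes:
    """20-byte TCP header without options. The checksum stays 0 here: it
    covers an IP pseudo-header, which Scapy adds when it sends the packet."""
    data_offset = 5                          # header length in 32-bit words
    offset_flags = (data_offset << 12) | flags_to_int(flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags,
                       window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("short segment")
    (sport, dport, seq, ack, offset_flags, window, _csum,
     _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = offset_flags >> 12
    flags = offset_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "flags_str": flags_to_str(flags),
            "window": window, "header_len": data_offset * 4,
            "options": segment[20:data_offset * 4]}


def classify_syn_reply(flags: Optional[int]) -> str:
    """Port state from the reply to a SYN probe.

    None (no reply before the timeout) -> filtered, or host down
    SYN+ACK                            -> open
    RST                                -> closed
    The test is on the TCP flags, not on the IP flags field (IP has its
    own 'flags' with DF = 0x02, which a bare r.flags & 2 would hit)."""
    if flags is None:
        return "filtered"
    if flags & TCP_FLAGS["S"] and flags & TCP_FLAGS["A"]:
        return "open"
    if flags & TCP_FLAGS["R"]:
        return "closed"
    return "unexpected:" + flags_to_str(flags)


def syn_scan_report(replies: Dict[int, Optional[int]]) -> Dict[int, str]:
    """replies: {port: flags of the reply, or None for an unanswered probe},
    i.e. what a scanner collects from the ans/uans lists of sr()."""
    return {port: classify_syn_reply(f) for port, f in sorted(replies.items())}


if __name__ == "__main__":
    probe = build_tcp_header(40000, 80, seq=1, ack=0, flags="S")
    print(probe.hex())
    print(parse_tcp_header(probe))
    # Constructed replies: 22 answers SYN-ACK, 80 answers RST-ACK, 443 is silent.
    print(syn_scan_report({22: 0x12, 80: 0x14, 443: None}))
```

The classifier treats "no reply" as its own state on purpose: a filtered port and a closed port look the same to a scanner that only loops over ans, which is why the unanswered list matters as much as the answered one.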

Traceroute

How do my packets travel the world?

1. Send packets with varying time-to-live, usually "pings", but TCP SYNs work better (a SYN to port 80 passes firewalls that drop ICMP)
2. Get responses (ICMP time-exceeded from the router where the TTL ran out; the destination itself answers the SYN)

ans, uans = sr(..., timeout=123)

use timeout to restrict waiting for unan
swered packets, in seconds

attr=(0, 90) tells scapy to generate one packet per value with attributes 0 to 90; both ends are inclusive, so that is 91 packets

# TTL 0 is not a valid value to send (RFC 791), so the range starts at 1;
# (1, 30) is inclusive and yields 30 probes
p = IP(dst="www.google.com", ttl=(1, 30))/TCP(flags="S")
ans, uans = sr(p, timeout=5)
for s, r in sorted(ans, key=lambda pair: pair[0].ttl):
    print(s.ttl, r.src)
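How sr() knows which probe an ICMP time-exceeded belongs to, as an added example (not code from the original slides): an ICMP error quotes the IP header and the first 8 bytes of the datagram that expired, and for a TCP probe those 8 bytes are the ports and the sequence number. The code below gives every TTL its own source port so the quote identifies the probe (Scapy's own traceroute() randomises the source port for the same reason), matches constructed router replies and a final SYN-ACK from the target back to the TTLs, and prints a hop list with "*" for a silent hop. All addresses are documentation ranges and all replies are constructed.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Added example: matching the answers of a TCP traceroute back to probes.
# An ICMP time-exceeded message (RFC 792) quotes the IP header plus the
# first 8 bytes of the expired datagram; for TCP that is sport, dport and
# sequence number. Each probe below uses its own source port, so the quote
# tells us the TTL the probe was sent with. Everything here is constructed.

ICMP_TIME_EXCEEDED = 11
ProbeKey = Tuple[str, int, int]             # (dst IP, sport, dport)


def minimal_ipv4(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Just enough of an IPv4 header to be quoted (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_first8(sport: int, dport: int, seq: int = 0) -> bytes:
    """First 8 bytes of a TCP segment: ports and sequence number."""
    return struct.pack("!HHI", sport, dport, seq)


def build_time_exceeded(expired_ip_header: bytes, expired_l4_first8: bytes) -> bytes:
    """ICMP type 11, code 0, as a router generates it (checksum left 0)."""
    return (struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0)
            + expired_ip_header + expired_l4_first8)


def quoted_probe_key(icmp_message: bytes) -> Optional[ProbeKey]:
    """Recover (dst, sport, dport) of the probe quoted in a time-exceeded."""
    if len(icmp_message) < 8 or icmp_message[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = icmp_message[8:]
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        return None
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return dst, sport, dport


def make_probes(dst: str, max_ttl: int, dport: int = 80,
                base_sport: int = 40000) -> Dict[ProbeKey, int]:
    """One SYN per TTL 1..max_ttl, each with a distinct source port."""
    return {(dst, base_sport + ttl, dport): ttl for ttl in range(1, max_ttl + 1)}


def assemble_trace(probes: Dict[ProbeKey, int],
                   icmp_answers: List[Tuple[str, bytes]],
                   tcp_answers: List[Tuple[str, int, int]],
                   max_ttl: int) -> List[str]:
    """icmp_answers: (router IP, ICMP message); tcp_answers: (responder IP,
    sport, dport) of SYN-ACK/RST replies. Returns one entry per TTL up to
    the hop where the destination itself answered, '*' for silent hops."""
    hops: Dict[int, str] = {}
    for router, msg in icmp_answers:
        key = quoted_probe_key(msg)
        if key in probes and probes[key] not in hops:
            hops[probes[key]] = router
    last = max_ttl
    # The destination does not expire the probe; it answers the SYN itself,
    # with the ports swapped. The lowest such TTL is the end of the path.
    for responder, reply_sport, reply_dport in tcp_answers:
        key = (responder, reply_dport, reply_sport)
        if key in probes:
            hops[probes[key]] = responder
            last = min(last, probes[key])
    return [hops.get(ttl, "*") for ttl in range(1, last + 1)]


def sample_trace() -> List[str]:
    """Constructed path: two routers answer, hop 3 stays silent, another
    router answers at 4, and the target answers the TTL-5 probe itself."""
    target, me = "203.0.113.9", "192.0.2.10"
    probes = make_probes(target, max_ttl=30)
    icmp_answers = []
    for ttl, router in ((1, "192.0.2.1"), (2, "198.51.100.1"), (4, "198.51.100.77")):
        quote_ip = minimal_ipv4(me, target, ttl=1)   # TTL in the quote varies by router; not used for matching
        quote_l4 = tcp_first8(40000 + ttl, 80)
        icmp_answers.append((router, build_time_exceeded(quote_ip, quote_l4)))
    tcp_answers = [(target, 80, 40005)]            # SYN-ACK to the TTL-5 probe
    return assemble_trace(probes, icmp_answers, tcp_answers, max_ttl=30)


if __name__ == "__main__":
    for ttl, hop in enumerate(sample_trace(), start=1):
        print(ttl, hop)
```

With identical ports on every probe, as in the slide's one-liner, the quotes of all time-exceeded messages look the same and the pairing has to fall back on the IP identification field, which is why varying a field per probe is the safer habit.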

ARP Spoofing

Hosts update their ARP table from the ARP replies they receive, even when they never asked for that address.

1. Pick the IP to be spoofed (typically the gateway)
2. Send ARP "is-at" replies to everyone (broadcast) with the to-be-spoofed IP as sender IP and our own MAC as sender hardware address
3. Forward the packets that now arrive at us (Linux can do that for us)

ARP Spoofing

sendp(...) - Layer 2 packet transmission

the inter attribute makes scapy wait between packets (in seconds), loop=1 sends continuously

Broadcast MAC: ff:ff:ff:ff:ff:ff

Linux forwarding can be enabled with:

echo 1 > /proc/sys/net/ipv4/ip_forward

(so the other hosts can continue using the internet through us instead of noticing an outage)

ARP Spoofing

own_mac = get_if_hwaddr(conf.iface)     # our MAC, sent as the "is-at" address
spoofed_ip = "192.168.214.1"            # placeholder: the IP to claim, e.g. the gateway
p = Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(op="is-at", hwsrc=own_mac, psrc=spoofed_ip)
sendp(p, loop=1, inter=1.5)
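One added example (not code from the original slides) serving two parts of this page: the ARP message layout from the "Address Resolution Protocol" slides, packed and parsed byte for byte, and a small detector for the spoofing described above, which is what the defender's side of this exercise looks like. It runs over constructed frames rather than a live capture; the MACs and IPs are made up, and the spoofed frame uses the Scapy defaults for the fields the slide's ARP() leaves unset (hwdst 00:00:00:00:00:00, pdst 0.0.0.0).

```python
import socket
import struct
from typing import Dict, List, Set

# Added example: the ARP message layout of the slides, and a detector for
# the spoofing technique above, run on constructed frames. All MACs and
# IPs are made up for the demonstration.

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2                # Scapy: op="who-has" / "is-at"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("bad MAC %r" % mac)
    return b


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp_frame(op: int, hwsrc: str, psrc: str, hwdst: str, pdst: str,
                    eth_dst: str = BROADCAST) -> bytes:
    """Ethernet II frame with an ARP message (IPv4 over Ethernet), laid
    out exactly as in the header diagram of this page."""
    eth = mac_bytes(eth_dst) + mac_bytes(hwsrc) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,             # htype, ptype, hlen, plen, op
                      mac_bytes(hwsrc), socket.inet_aton(psrc),
                      mac_bytes(hwdst), socket.inet_aton(pdst))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = \
        struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
            "op": op, "hwsrc": mac_str(sha), "psrc": socket.inet_ntoa(spa),
            "hwdst": mac_str(tha), "pdst": socket.inet_ntoa(tpa)}


class ArpWatch:
    """Learns IP -> MAC bindings from replies and reports what the attack on
    this page looks like on the wire: replies nobody asked for, replies sent
    to the broadcast address, and an IP that suddenly moves to another MAC."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.pending: Set[str] = set()       # IPs a request was seen for

    def observe(self, frame: bytes) -> List[str]:
        a = parse_arp_frame(frame)
        alerts: List[str] = []
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["pdst"])
            return alerts
        if a["op"] != ARP_REPLY:
            return alerts
        if a["psrc"] not in self.pending:
            alerts.append("unsolicited reply: %s is-at %s" % (a["psrc"], a["hwsrc"]))
        if a["eth_dst"] == BROADCAST:
            alerts.append("reply for %s sent to broadcast" % a["psrc"])
        known = self.table.get(a["psrc"])
        if known is not None and known != a["hwsrc"]:
            alerts.append("%s moved from %s to %s" % (a["psrc"], known, a["hwsrc"]))
        self.table[a["psrc"]] = a["hwsrc"]
        self.pending.discard(a["psrc"])
        return alerts


def sample_exchange() -> List[List[str]]:
    """Constructed traffic: a normal request/reply for the gateway, then the
    spoofed broadcast "is-at" of the slide with Scapy's default hwdst/pdst."""
    host, gw, attacker = "02:00:00:00:00:05", "02:00:00:00:00:01", "02:00:00:00:00:66"
    w = ArpWatch()
    return [
        w.observe(build_arp_frame(ARP_REQUEST, host, "10.0.0.5", ZERO_MAC, "10.0.0.1")),
        w.observe(build_arp_frame(ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.5", eth_dst=host)),
        w.observe(build_arp_frame(ARP_REPLY, attacker, "10.0.0.1", ZERO_MAC, "0.0.0.0")),
    ]


if __name__ == "__main__":
    for alerts in sample_exchange():
        print(alerts or "ok")
```

The third frame trips all three checks at once, which is what the slide's sendp loop produces every 1.5 seconds; a quieter attacker would answer only real requests, so the binding-change check is the one worth keeping even when the other two are noisy on a LAN with gratuitous ARP.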

Promiscuous Scan

Who is sniffing in my LAN?

1. Send ARP requests with an invalid destination MAC to a valid IP: a card that is not in promiscuous mode drops the frame in hardware, a card in promiscuous mode passes it up and the host answers
2. Check whether that IP answered
3. Other methods exist

ans, uans = srp(...) - Layer 2 send and receive

ans: list of (sent, received) packet tuples
uans: unanswered packets

Possible invalid MAC: f1:ff:ff:ff:ff:f1

Promiscuous Scan

targetnet = "192.168.214.0/24"          # placeholder: the LAN to check
ans, uans = srp(Ether(dst="f1:ff:ff:ff:ff:f1")/ARP(pdst=targetnet), timeout=5)
if len(ans) > 0:
    print("The following clients are in promiscuous mode:")
    for snd, rcv in ans:
        print(rcv.src)                  # MAC of the answering card
        if isinstance(rcv.payload, ARP):
            print(rcv.payload.psrc)     # its IP, from the ARP reply
        else:
            print(rcv.payload.src)
else:
    print("No client answered the probe")
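Why the "invalid" MAC has to be chosen with care, as an added example (not code from the original slides). Two filters sit between the wire and a host's ARP code: the card's hardware filter, which is off in promiscuous mode and otherwise accepts only the card's own unicast address, the broadcast address and joined multicast groups, and the kernel's classification of the frame by destination. The kernel part below is a model of Linux as I understand it (eth_type_trans() marks a frame to a foreign unicast address as "otherhost" and arp_rcv() ignores such frames even in promiscuous mode, while group addresses are processed); treat it as a model, not a specification. That behaviour is why the fake addresses used for this scan keep the I/G bit set: f1:ff:ff:ff:ff:f1 on this page, ff:ff:ff:ff:ff:fe in Scapy's own promiscping(). Host MACs and modes are constructed.

```python
from typing import List

# Added example: a model of the two filters between the wire and the ARP
# code, used to check which fake destination MACs actually separate a
# sniffing host from a normal one. The kernel side follows Linux as a model.

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_octets(mac: str) -> List[int]:
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad MAC %r" % mac)
    return octets


def is_group(mac: str) -> bool:
    """I/G bit: least significant bit of the first octet set = group address."""
    return bool(mac_octets(mac)[0] & 0x01)


def hardware_accepts(dst: str, own: str, promisc: bool, groups=()) -> bool:
    """Receive filter of a typical network card."""
    if promisc:
        return True
    dst = dst.lower()
    return dst == own.lower() or dst == BROADCAST or dst in {g.lower() for g in groups}


def kernel_pkt_type(dst: str, own: str) -> str:
    """Classification of an accepted frame by destination (Linux model)."""
    if dst.lower() == own.lower():
        return "host"
    if dst.lower() == BROADCAST:
        return "broadcast"
    if is_group(dst):
        return "multicast"
    return "otherhost"


def answers_arp(dst: str, own: str, promisc: bool, groups=()) -> bool:
    """Does a host with MAC `own` answer an ARP request for its own IP that
    arrived in a frame addressed to `dst`? The ARP code drops 'otherhost'."""
    if not hardware_accepts(dst, own, promisc, groups):
        return False
    return kernel_pkt_type(dst, own) != "otherhost"


def usable_for_detection(fake_dst: str, own: str = "02:00:00:00:00:10") -> bool:
    """A fake address is useful only if it separates the two modes:
    no answer normally, an answer in promiscuous mode."""
    return (not answers_arp(fake_dst, own, promisc=False)
            and answers_arp(fake_dst, own, promisc=True))


def promiscuous_hosts(hosts: dict, fake_dst: str = "f1:ff:ff:ff:ff:f1") -> List[str]:
    """hosts: {ip: (mac, promisc)}, constructed. A host is first confirmed
    alive with a normal broadcast request, then probed with the fake MAC;
    only hosts that answer both are reported."""
    found = []
    for ip, (mac, promisc) in hosts.items():
        alive = answers_arp(BROADCAST, mac, promisc)
        if alive and answers_arp(fake_dst, mac, promisc):
            found.append(ip)
    return found


if __name__ == "__main__":
    for fake in ("f1:ff:ff:ff:ff:f1", "ff:ff:ff:ff:ff:fe", "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:99"):
        print(fake, "group bit:", is_group(fake), "usable:", usable_for_detection(fake))
    lan = {"10.0.0.5": ("02:00:00:00:00:05", False), "10.0.0.7": ("02:00:00:00:00:07", True)}
    print(promiscuous_hosts(lan))
```

The broadcast control probe matters in practice: a host that is down or firewalled against ARP gives no answer to either probe and must be reported as "unknown", not as "not sniffing".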

ICMP Chat

Use the payload of ICMP packets to transport messages
use sniff() to receive (see help(sniff))

ICMP Chat

sniff(prn, lfilter)

lfilter is evaluated for each sniffed packet; when it returns True, prn is called with that packet, and whatever prn returns is printed.

Both are plain Python functions, e.g.:

def foo(bar):
    return bar + 23

import sys

chatpartner = "192.168.214.123"

# Sender: every line read from stdin leaves as the payload of an echo request
while 1:
    line = sys.stdin.readline()
    if not line:                        # EOF
        break
    send(IP(dst=chatpartner)/ICMP(type="echo-request")/(line.strip()), verbose=0)

# Receiver (runs in a second scapy session): print the payload of every
# echo request that comes from the chat partner. Filtering on the source
# address and on the ICMP type keeps the kernel's automatic echo replies,
# which carry our own text back, out of the output.
sniff(prn=lambda x: x[Raw].load,
      lfilter=lambda x: x.haslayer(ICMP) and x.haslayer(Raw)
                        and x[IP].src == chatpartner and x[ICMP].type == 8)
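The echo messages the chat rides on, as an added example (not code from the original slides): an ICMP echo request or reply built with its checksum, a parser that rejects a corrupt message, and the receive-side filter of the slide applied to a constructed capture instead of sniff(). The partner address is the one from the slide; our own address and the message texts are made up. The capture deliberately includes the kernel's automatic echo replies, which is the case the filter has to exclude.

```python
import struct
from typing import List

# Added example: ICMP echo messages for the chat above, built and checked
# with the standard library, plus the receive filter run over constructed
# traffic. Addresses other than the partner's are made up.

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """One's complement sum over 16-bit words (RFC 1071), as ICMP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(message: str, ident: int = 0x1234, seq: int = 1,
                    icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Echo request (or reply) carrying `message` as its data field."""
    data = message.encode("utf-8")
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + data)          # covers header and data
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_icmp(segment: bytes) -> dict:
    if len(segment) < 8 or inet_checksum(segment) != 0:
        raise ValueError("short or corrupt ICMP message")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", segment[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": segment[8:]}


def chat_filter(pkt: dict, partner: str) -> bool:
    """The lfilter of the slide: echo requests sent by the partner.

    Filtering on the partner's address alone is not enough: the kernel
    answers every request with an echo reply carrying the same data, so
    the partner's reply to our own message would show up as a new line."""
    return pkt["src"] == partner and pkt["icmp"]["type"] == ICMP_ECHO_REQUEST


def receive_chat(packets: List[dict], partner: str) -> List[str]:
    """What prn prints for the packets that pass the filter."""
    return [p["icmp"]["data"].decode("utf-8", errors="replace")
            for p in packets if chat_filter(p, partner)]


def sample_traffic() -> List[dict]:
    """Constructed capture as {src, dst, icmp}: the partner sends "hello",
    our kernel echoes it back, we send "hi there", the partner's kernel
    echoes that back."""
    me, partner = "192.168.214.5", "192.168.214.123"
    wire = [
        (partner, me, build_icmp_echo("hello", seq=1)),
        (me, partner, build_icmp_echo("hello", seq=1, icmp_type=ICMP_ECHO_REPLY)),
        (me, partner, build_icmp_echo("hi there", seq=2)),
        (partner, me, build_icmp_echo("hi there", seq=2, icmp_type=ICMP_ECHO_REPLY)),
    ]
    return [{"src": s, "dst": d, "icmp": parse_icmp(raw)} for s, d, raw in wire]


if __name__ == "__main__":
    print(receive_chat(sample_traffic(), "192.168.214.123"))
```

Only "hello" survives the filter. The same checksum routine verifies a received message: summing header and data with the checksum field included must give zero, otherwise the message is dropped, which is also why a hand-built echo with a wrong checksum never gets an answer from the partner's kernel.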

Food for Thought

Wired networks are boring? Hack WLAN!
WLAN is also too boring? Hack GSM!

OsmocomBB - open source GSM baseband stack
Uses (cheap) mobile phones with custom firmware as radio

Questions?
Feedback?
