lost and found ( for me ? )

scapy

[ what’s scapy ]


Scapy is a Python module for crafting, sending and dissecting packets.

scapy machine : backtrack linux 5 : 192.168.10.20
target machine : centos 5.6 : 192.168.10.11

create IP objects
root@bt:~# scapy
Welcome to Scapy (2.1.0)
>>> i = IP()
>>> i.dst = "192.168.10.11"
>>> i.display()
###[ IP ]###
 version= 4
 ihl= None
 tos= 0x0
 len= None
 id= 1
 flags=
 frag= 0
 ttl= 64
 proto= ip
 chksum= None
 src= 192.168.10.20
 dst= 192.168.10.11
 \options\


create TCP objects
>>> t = TCP()
>>> t.dport = 80
>>> t.flags = "S"
>>> t.sport = 12345
>>> t.display()
###[ TCP ]###
 sport= 12345
 dport= www
 seq= 0
 ack= 0
 dataofs= None
 reserved= 0
 flags= S
 window= 8192
 chksum= None
 urgptr= 0
 options= {}


send the SYN packet created above.

sr1(i/t) sends the packet and returns the first answer it receives.

Let’s try :)
>>> sr1(i/t)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=44 id=0 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa55c src=192.168.10.11 dst=192.168.10.20 options=[] |<TCP  sport=www dport=12345 seq=239470845 ack=1 dataofs=6L reserved=0L flags=SA window=5840 chksum=0xa409 urgptr=0 options=[('MSS', 1460)] |>>
>>>


capture data on target machine
# tshark -nr scapy.pcap
Running as user "root" and group "root". This could be dangerous.
 1   0.000000 192.168.10.20 -> 192.168.10.11 TCP 12345 > 80 [SYN] Seq=0 Win=8192 Len=0
 2   0.000005 192.168.10.11 -> 192.168.10.20 TCP 80 > 12345 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
 3   0.002936 192.168.10.20 -> 192.168.10.11 TCP 12345 > 80 [RST] Seq=0 Win=0 Len=0


The kernel on the scapy machine knows nothing about the SYN that Scapy sent, so it answers the target's SYN/ACK with a RST. To stop the scapy machine from sending that RST, add the following iptables rule on the scapy machine.
root@bt:~# iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

root@bt:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:RST/RST
root@bt:~#


send a syn packet again.
>>> sr1(i/t)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=44 id=0 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa55c src=192.168.10.11 dst=192.168.10.20 options=[] |<TCP  sport=www dport=12345 seq=607198198 ack=1 dataofs=6L reserved=0L flags=SA window=5840 chksum=0x7b25 urgptr=0 options=[('MSS', 1460)] |>>


The RST from the scapy machine was dropped by iptables, so the target retransmits its SYN/ACK instead of seeing the connection torn down.
# tshark -nr scapy.pcap
Running as user "root" and group "root". This could be dangerous.
 1   0.000000 192.168.10.20 -> 192.168.10.11 TCP 12345 > 80 [SYN] Seq=0 Win=8192 Len=0
 2   0.000005 192.168.10.11 -> 192.168.10.20 TCP 80 > 12345 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
 3   2.999577 192.168.10.11 -> 192.168.10.20 TCP 80 > 12345 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460


Next, let's establish a TCP connection between the scapy machine and the target machine.

on the target machine, open a listening socket with the nc command.
nc - arbitrary TCP and UDP connections and listens
# nc -l 80

# lsof -ni:80
COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
nc      16945 root    3u  IPv4 2091820       TCP *:http (LISTEN)


send a SYN packet from scapy
>>> sr1(i/t)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=44 id=0 flags=DF frag=0L ttl=64 proto=tcp chksum=0xa55c src=192.168.10.11 dst=192.168.10.20 options=[] |<TCP  sport=www dport=12345 seq=1761317211 ack=1 dataofs=6L reserved=0L flags=SA window=5840 chksum=0xc0f5 urgptr=0 options=[('MSS', 1460)] |>>


on target machine
# netstat -an | grep 12345
tcp        0      0 192.168.10.11:80            192.168.10.20:12345         SYN_RECV


create the ACK packet on scapy
set the ACK number to the target's SEQ plus one (1761317211 + 1) and our own SEQ to 1.
>>> a=TCP()
>>> a.dport=80
>>> a.sport=12345
>>> a.flags="A"
>>> a.ack=1761317212
>>> a.seq=1
>>> a.display()
###[ TCP ]###
 sport= 12345
 dport= www
 seq= 1
 ack= 1761317212
 dataofs= None
 reserved= 0
 flags= A
 window= 8192
 chksum= None
 urgptr= 0
 options= {}


send ACK packet from scapy
>>> send(i/a)
.
Sent 1 packets.
>>>


connection established. netstat -an on the target machine:
# netstat -an | grep 12345
tcp        0      0 192.168.10.11:80            192.168.10.20:12345         ESTABLISHED
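To make the numbers in the session above concrete, here is an added pure-Python example (not from the original post, and not using Scapy) that builds the same 20-byte TCP headers by hand, computes the pseudo-header checksum Scapy fills in for chksum=None, and derives the third handshake packet from the SYN/ACK exactly as a.seq=1 / a.ack=1761317212 were derived above. The addresses and ports are the page's; the FLAGS table and the function names are my own.

```python
import socket
import struct

# Constructed from the session above: Scapy host 192.168.10.20:12345 -> CentOS target 192.168.10.11:80.
SRC_IP, DST_IP = "192.168.10.20", "192.168.10.11"
SPORT, DPORT = 12345, 80
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def tcp_checksum(src, dst, segment):
    """Ones-complement sum over the IPv4 pseudo-header and the TCP segment.
    This is the value Scapy computes when chksum=None is left in the object."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=8192):
    """Build a 20-byte option-less TCP header with a valid checksum (the i/t and i/a layers above)."""
    bits = sum(FLAGS[f] for f in flags)
    dataofs = 5  # header length in 32-bit words; no options, like the Scapy objects above
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, dataofs << 4, bits, window, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]


def parse_tcp(segment):
    """Dissect the fixed header back into the same field names Scapy's display() shows."""
    sport, dport, seq, ack, _off, bits, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window, "urgptr": urg,
            "chksum": csum, "flags": "".join(k for k, v in FLAGS.items() if bits & v)}


def checksum_ok(src, dst, segment):
    """A segment whose checksum field is correct sums to zero when re-checksummed."""
    return tcp_checksum(src, dst, segment) == 0


def handshake_ack(synack, our_isn=0):
    """Third packet of the handshake, derived from the SYN/ACK exactly as a.seq/a.ack were set above:
    our seq is our ISN + 1 (Scapy's SYN used seq=0) and ack is the target's seq + 1, modulo 2**32."""
    return build_tcp(SRC_IP, DST_IP, SPORT, DPORT, seq=(our_isn + 1) & 0xFFFFFFFF,
                     ack=(synack["seq"] + 1) & 0xFFFFFFFF, flags="A")
```

Running handshake_ack over the parsed SYN/ACK with seq=1761317211 yields the seq=1 / ack=1761317212 header shown in a.display() above; feeding the bytes to checksum_ok shows why Scapy's auto-filled checksum is accepted by the target's kernel.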


cool tools :)
>>> lsc()
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
bind_layers         : Bind 2 layers on some specific fields' values
corrupt_bits        : Flip a given percentage or number of bits from a string
corrupt_bytes       : Corrupt a given percentage or number of bytes from a string
defrag              : defrag(plist) -> ([not fragmented], [defragmented],
defragment          : defrag(plist) -> plist defragmented as much as possible
dyndns_add          : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del          : Send a DNS delete message to a nameserver for "name"
etherleak           : Exploit Etherleak flaw
fragment            : Fragment a big IP datagram
fuzz                : Transform a layer into a fuzzy layer by replacing some default values by random objects
getmacbyip          : Return MAC address corresponding to a given IP address
hexdiff             : Show differences between 2 binary strings
hexdump             : --
hexedit             : --
is_promisc          : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump         : --
ls                  : List  available layers, or infos on a given layer
promiscping         : Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap              : Read a pcap file and return a packet list
send                : Send packets at layer 3
sendp               : Send packets at layer 2
sendpfast           : Send packets at layer 2 using tcpreplay for performance
sniff               : Sniff packets
split_layers        : Split 2 layers previously bound
sr                  : Send and receive packets at layer 3
sr1                 : Send packets at layer 3 and return only the first answer
srbt                : send and receive using a bluetooth socket
srbt1               : send and receive 1 packet using a bluetooth socket
srflood             : Flood and receive packets at layer 3
srloop              : Send a packet at layer 3 in loop and print the answer each time
srp                 : Send and receive packets at layer 2
srp1                : Send and receive packets at layer 2 and return only the first answer
srpflood            : Flood and receive packets at layer 2
srploop             : Send a packet at layer 2 in loop and print the answer each time
traceroute          : Instant TCP traceroute
tshark              : Sniff packets and print them calling pkt.show(), a bit like text wireshark
wireshark           : Run wireshark on a list of packets
wrpcap              : Write a list of packets to a pcap file
>>>
