packets, pcap’s & python
BSides London 2014 Scapy Workshop
By Adam Maxwell / @catalyst256
Pre-requisites for workshop
1. Have a laptop.
2. Have Scapy installed (VM is fine).
• Kali or BackTrack
• Linux
• Mac OSX
• Windows (you’re on your own)
3. If possible clone this GitHub repo:
• https://github.com/catalyst256/ScapyWrkShop
4. A BSides London Scapy Cheat Card
What are we going to learn today
• Who am I
• Scapy - brief intro
• Write some packets
• Read some packets
• Some cool Scapy features
• Using Scapy with Python
Who am I – The bad stuff
• I don’t work in InfoSec.
• I’m not a network engineer.
• I am VMware Certified (that impressed you right??).
• I work for an insurance company (someone has to).
• This is my first EVER workshop (sorry).
Who am I – The slightly better stuff
• I’m the author of “The Very Unofficial Dummies Guide to Scapy”.
• I hold an OSCP & OSWP and I’ve sat the SANS SEC503 course.
• Spend far too much time with the 3 P’s:
• Packets
• pcaps
• Python
• I wrote a Maltego Transform set for analyzing pcap files called sniffMyPackets.
Scapy - A Brief Intro
• Written by Philippe Biondi.
• Based on Python
• Some of the cool stuff it can do:
• Forge packets
• Decode packets
• Send & Receive packets
• ARP Poisoning
• Sniff packets
• Current version: 2.2.0-dev
• Check out: http://bb.secdev.org/scapy/overview
Packets – Vanilla Packet
• Let’s create the 3 layers for a TCP packet.
• Now let’s view it.
>>> a = Ether()
>>> b = IP()
>>> c = TCP()
>>> a.show()
>>> b.show()
>>> c.show()
Packets – Tweak it a bit
• Let’s change the IP destination address
• Let’s change the TCP destination port
>>> b.dst = '1.1.1.1'
>>> c.dport = 80
Packets – The Humble ICMP
• One-liner ICMP packet (request)
• But wait, we didn’t set an ICMP type.
• The Scapy default for an ICMP packet is type 8 (or echo-request).
>>> i = IP(dst='127.0.0.1')/ICMP()/"HelloWorld"
>>> i
<IP frag=0 proto=icmp dst=127.0.0.1 |<ICMP |<Raw load='HelloWorld' |>>>
>>> ls(ICMP)
type : ByteEnumField = (8)
…
Packets – The Humble ICMP
• Time to release your packet (it starts at the IP layer, so use send(), not the layer-2 sendp()).
• Oh, did you want to see the response??
• Change your src IP & dst IP to something “valid”, eg.
>>> send(i)
.
Sent 1 packets.
>>>
>>> i[IP].src = '10.1.99.28'
>>> i[IP].dst = '10.1.99.1'
Packets – The Humble ICMP
• Now let’s send it and collect the response.
>>> x = sr1(i)
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
>>> x
<IP version=4L ihl=5L tos=0x0 len=38 id=22514 flags=
frag=0L ttl=64 proto=icmp chksum=0x48c6
src=10.1.99.1 dst=10.1.99.28 options=[] |
<ICMP type=echo-reply code=0 chksum=0x0 id=0x0 seq=0x0
|<Raw load='HelloWorld' |>>>
Packets – Something a little different?
• DNS?
• Port Scanner?
• Traceroute?
• This is actually an ICMP & TCP traceroute; the default destination port is 80 (which you can change of course).
>>> p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="www.citrix.com")))
>>> p=sr(IP(dst="10.1.99.1")/TCP(dport=[23,80,53,443]))
>>> p=sr(IP(dst="10.1.99.1")/TCP(dport=80))
>>> traceroute(["www.google.com"], maxttl=20)
>>> traceroute(["www.google.com"], dport=443, maxttl=20)
Packets – HTTP GET Request
• HTTP packets require the TCP 3-way handshake to be completed first.
• Using Python + Scapy it is easier to create the necessary packets.
• Scapy sends raw packets that your kernel/OS knows nothing about, so when the SYN,ACK comes back the kernel answers it with a RST and tears the connection down. On Linux you may need to run this command to drop those outgoing RSTs:
iptables -A OUTPUT -p tcp --tcp-flags RST RST -s [source IP] -j DROP
Packets – HTTP GET Request
• Using Python the GET Request looks like this:
#!/usr/bin/env python
from scapy.all import *
# Set the GET request (HTTP lines end in CRLF; a blank line ends the headers)
get = 'GET / HTTP/1.0\r\n\r\n'
# Set your target
ip = IP(dst="www.google.com")
# Create a random source port (not needed but nice to have)
port = RandNum(1024, 65535)
# Create the SYN packet
SYN = ip/TCP(sport=port, dport=80, flags="S", seq=666)
# Send SYN and receive SYN,ACK
SYNACK = sr1(SYN)
# Create ACK with GET request: reuse the port the SYN,ACK came back to,
# continue from our seq as the server acknowledged it, and ack the server's ISN + 1
ACK = ip/TCP(sport=SYNACK[TCP].dport, dport=80, flags="A", seq=SYNACK[TCP].ack, ack=SYNACK[TCP].seq + 1)/get
# SEND our ACK-GET request and collect whatever comes back
reply, error = sr(ACK)
# Print the reply (show() prints by itself; it does not return a string)
reply.show()
PCAPS – The 3 R’s
• Reading
>>> pkts = rdpcap('pcap/evidence02.pcap')
>>> pkts
<evidence02.pcap: TCP:490 UDP:52 ICMP:0 Other:30>
>>> pkts.summary()
>>> pkts.nsummary()
>>> pkts[48]
Pull out DNS packets
>>> x = []
>>> for p in pkts:
...     if p.haslayer(UDP) and p.haslayer(DNS):
...         x.append(p)
...
>>> x = PacketList(x)   # wrap the plain list so summary()/nsummary() work on it
>>> x.nsummary()
PCAPS – The 3 R’s
• wRiting
>>> wrpcap('pcap/test.pcap', x)
>>> wireshark(x)
>>> wrpcap('pcap/replay1.pcap',x[0])
>>> wireshark(x[0])
PCAPS – The 3 R’s
• Replaying
>>> pkts = rdpcap('pcap/replay1.pcap')
>>> del pkts[0][Ether].dst
>>> del pkts[0][Ether].src
>>> pkts[0][IP].src = '10.1.99.28'
>>> pkts[0][IP].dst = '8.8.8.8'
>>> del pkts[0][IP].chksum
>>> del pkts[0][UDP].chksum
>>> x = srp1(pkts[0])
>>> x.summary()
'Ether / IP / UDP / DNS Ans "smtp.cs.com." '
>>> srploop(pkts[0])
>>> wrpcap('pcap/replay2.pcap', pkts[0])
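Why the replay slide deletes the IP checksum before sending, as an added example (not from the workshop or from Scapy): the IPv4 header checksum is computed over the header words, so rewriting src/dst without recomputing leaves a stale value that a receiver discards. The header builder is this example's own assumption; the field values are those of the echo-reply shown earlier on this page, and the code reproduces its chksum=0x48c6.

```python
import socket
import struct


def ipv4_checksum(header):
    """RFC 1071: one's-complement sum of the 16-bit words, then complement the result."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, total_len, ident, ttl=64, proto=1, chksum=0):
    """Minimal 20-byte header, no options, flags/frag zero (an assumption of this example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto,
                       chksum, socket.inet_aton(src), socket.inet_aton(dst))


def fix_checksum(header):
    """Zero the checksum field, recompute it and write it back: what Scapy does
    on send once the chksum field has been deleted."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def checksum_ok(header):
    """A receiver sums every word including the checksum; a good header complements to 0."""
    return ipv4_checksum(header) == 0


def rewrite_addresses(header, new_src, new_dst):
    """Change src/dst as the replay slide does, without touching the checksum."""
    return header[:12] + socket.inet_aton(new_src) + socket.inet_aton(new_dst)


# Values from the echo-reply header shown earlier on this page.
REPLY_HDR = build_ipv4_header("10.1.99.1", "10.1.99.28", total_len=38, ident=22514)

if __name__ == "__main__":
    print(hex(ipv4_checksum(REPLY_HDR)))                  # 0x48c6, as Scapy displayed
    good = fix_checksum(REPLY_HDR)
    stale = rewrite_addresses(good, "10.1.99.28", "8.8.8.8")
    print(checksum_ok(good), checksum_ok(stale), checksum_ok(fix_checksum(stale)))
```

The UDP checksum has to go for the same reason: it covers a pseudo-header that includes the IP addresses, so it too is stale after the rewrite.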
Python – Importing Scapy
• The quick way
• Turn off “warning messages”
• Turn off verbose in Scapy interactive
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)   # set this before the import, or the import-time warnings still print
from scapy.all import *
>>> conf.verb = 0
(default is 2)
Python – Simple Packet Sniffer
• Sniff all the packets
#!/usr/bin/env python
import sys
from scapy.all import *
iface = sys.argv[1]
pkts = sniff(iface=iface, prn=lambda x: x.summary())
Python – Simple Packet Sniffer
• Sniff some of the packets
• Scapy uses Berkeley Packet Filter syntax for filtering packets when sniffing (same as tcpdump).
#!/usr/bin/env python
import sys
from scapy.all import *
iface = sys.argv[1]
pkts = sniff(iface=iface, filter=sys.argv[2], prn=lambda x: x.summary())
sudo ./simplesniffer.py en1 'tcp port 80'
Python – Parse a pcap file
• Looking for HTTP traffic??
#!/usr/bin/env python
import re
import sys
from scapy.all import *

GREEN = '\033[92m'   # terminal colour codes used by the print below
END = '\033[0m'

def find_http_requests(pkts):
    get_requests = []
    http_get = 'GET /'
    for p in pkts:
        if p.haslayer(TCP) and p.haslayer(Raw):
            raw = p.getlayer(Raw).load
            if http_get in raw:
                dstip = p.getlayer(IP).dst
                dport = p.getlayer(TCP).dport
                srcip = p.getlayer(IP).src
                request = ''
                host = ''
                for t in re.finditer(r'(GET) (\S*)', raw):
                    request = t.group(2)
                for s in re.finditer(r'(Host:) (\S*)', raw):
                    host = s.group(2)
                talker = request, srcip, dstip, dport, host
                if talker not in get_requests:
                    get_requests.append(talker)
    for url, src, dst, port, host in get_requests:
        print(GREEN + '[+] Web traffic from: ' + str(src) + ' to ' + str(dst) + ' on port '
              + str(port) + ' to ' + host + ' for ' + url + END)

if __name__ == '__main__':
    find_http_requests(rdpcap(sys.argv[1]))
Python – WiFi Fun??
• Create your own De Auth packets??
• Sniff some beacons??
#!/usr/bin/env python
import re
import sys
from scapy.all import *

interface = sys.argv[1]        # wireless interface in monitor mode
client = '00:11:22:33:44:55'   # placeholder: station MAC
bssid = '66:77:88:99:aa:bb'    # placeholder: AP MAC

# De Auth frame: management (type 0), subtype 12, reason code 7
packet = RadioTap()/Dot11(type=0, subtype=12, addr1=client, addr2=bssid, addr3=bssid)/Dot11Deauth(reason=7)

def sniffBeacons(p):
    if p.haslayer(Dot11Beacon):
        enc = ''
        ssid = p[Dot11Elt].info
        bssid = p[Dot11].addr3
        channel = int(ord(p[Dot11Elt:3].info))
        capability = p.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}{Dot11ProbeResp:%Dot11ProbeResp.cap%}")
        rssi = (ord(p.notdecoded[-4:-3]) - 256)
        if re.search("privacy", capability):
            enc = 'Y'
        else:
            enc = 'N'
        entity = ssid, bssid, channel, enc, rssi, interface
        print(entity)

sniff(iface=interface, prn=sniffBeacons)
The End !!
• Questions??

DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

BSides London - Scapy Workshop

1. packets, pcap’s & python
BSides London 2014 Scapy Workshop
By Adam Maxwell / @catalyst256

2. Pre-requisites for workshop
1. Have a laptop.
2. Have Scapy installed (VM is fine).
  • Kali or BackTrack
  • Linux
  • Mac OSX
  • Windows (you’re on your own)
3. If possible clone this GitHub repo:
  • https://github.com/catalyst256/ScapyWrkShop
4. A BSides London Scapy Cheat Card

3. What are we going to learn today
• Who am I
• Scapy - brief intro
• Write some packets
• Read some packets
• Some cool Scapy features
• Using Scapy with Python

4. Who am I – The bad stuff
• I don’t work in InfoSec.
• I’m not a network engineer.
• I am VMware Certified (that impressed you right??).
• I work for an insurance company (someone has to).
• This is my first EVER workshop (sorry).

5. Who am I – The slightly better stuff
• I’m the author of “The Very Unofficial Dummies Guide to Scapy”.
• I hold an OSCP & OSWP and I’ve sat the SANS SEC503 course.
• Spend far too much time with the 3 P’s:
  • Packets
  • pcaps
  • Python
• I wrote a Maltego Transform set for analyzing pcap files called sniffMyPackets.

6. Scapy - A Brief Intro
• Written by Philippe Biondi.
• Based on Python
• Some of the cool stuff it can do:
  • Forge packets
  • Decode packets
  • Send & Receive packets
  • ARP Poisoning
  • Sniff packets
• Current version: 2.2.0-dev
• Check out: http://bb.secdev.org/scapy/overview
7. Packets – Vanilla Packet
• Let's create the 3 layers for a TCP packet.
• Now let's view it.
>>> a = Ether()
>>> b = IP()
>>> c = TCP()
>>> a.show()
>>> b.show()
>>> c.show()

8. Packets – Tweak it a bit
• Let's change the IP destination address.
• Let's change the TCP destination port.
>>> b.dst = '1.1.1.1'
>>> c.dport = 80

9. Packets – The Humble ICMP
• One-liner ICMP packet (echo request).
• But wait, we didn't set an ICMP type.
• The Scapy default for an ICMP packet is type 8 (echo-request).
>>> i = IP(dst='127.0.0.1')/ICMP()/"HelloWorld"
>>> i
<IP frag=0 proto=icmp dst=127.0.0.1 |<ICMP |<Raw load='HelloWorld' |>>>
>>> ls(ICMP)
type : ByteEnumField = (8) …

10. Packets – The Humble ICMP
• Time to release your packet. It starts at the IP layer, so send it with send() (layer 3); sendp() is the layer 2 sender and expects a frame that already carries an Ether() header.
• Oh, did you want to see the response??
• Change your src IP & dst IP to something "valid", e.g.
>>> send(i)
.
Sent 1 packets.
>>> i[IP].src = '10.1.99.28'
>>> i[IP].dst = '10.1.99.1'

11. Packets – The Humble ICMP
• Now let's send it and collect the response.
>>> x = sr1(i)
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
>>> x
<IP version=4L ihl=5L tos=0x0 len=38 id=22514 flags= frag=0L ttl=64 proto=icmp chksum=0x48c6 src=10.1.99.1 dst=10.1.99.28 options=[] |<ICMP type=echo-reply code=0 chksum=0x0 id=0x0 seq=0x0 |<Raw load='HelloWorld' |>>>

12. Packets – Something a little different?
• DNS?
>>> p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="www.citrix.com")))
• Port scanner?
>>> p = sr(IP(dst="10.1.99.1")/TCP(dport=[23,80,53,443]))
>>> p = sr(IP(dst="10.1.99.1")/TCP(dport=80))
• Traceroute?
>>> traceroute(["www.google.com"], maxttl=20)
>>> traceroute(["www.google.com"], dport=443, maxttl=20)
• Scapy's traceroute() sends TCP SYN probes with increasing TTLs and reads the ICMP time-exceeded replies from each hop, so it is a TCP traceroute reported via ICMP. The default destination port is 80 (which you can change, of course).
13. Packets – HTTP GET Request
• HTTP packets require the TCP 3-way handshake to be completed first.
• Using Python + Scapy it is easier to create the necessary packets.
• Scapy builds packets in user space and bypasses the kernel's TCP stack. When the SYN/ACK comes back, the kernel sees a connection it knows nothing about and answers with a RST, which tears the session down before your GET gets a reply. On Linux you may need to drop those outbound RSTs first:
iptables -A OUTPUT -p tcp --tcp-flags RST RST -s [source IP] -j DROP

14. Packets – HTTP GET Request
• Using Python the GET request looks like this:
#!/usr/bin/env python
import sys
from scapy.all import *

# Set the GET request (HTTP/1.0, request line followed by an empty line)
get = 'GET / HTTP/1.0\r\n\r\n'

# Set your target
ip = IP(dst="www.google.com")

# Pick a random source port (not needed, but nice to have)
port = RandNum(1024, 65535)

# Create the SYN packet
SYN = ip/TCP(sport=port, dport=80, flags="S", seq=666)

# Send SYN and receive SYN/ACK
SYNACK = sr1(SYN, timeout=5)
if SYNACK is None:
    sys.exit("no SYN/ACK received")

# Create the ACK that carries the GET request. Reuse the source port the
# SYN actually went out with (SYNACK.dport), our seq is their ack, and
# our ack is their seq + 1
ACK = ip/TCP(sport=SYNACK.dport, dport=80, flags="A", seq=SYNACK.ack, ack=SYNACK.seq + 1)/get

# Send our ACK+GET request; sr() returns (answered, unanswered)
answered, unanswered = sr(ACK, timeout=5)

# Print the reply (show() prints directly, it does not return the text)
answered.show()
15. PCAPS – The 3 R’s
• Reading
>>> pkts = rdpcap('pcap/evidence02.pcap')
>>> pkts
<evidence02.pcap: TCP:490 UDP:52 ICMP:0 Other:30>
>>> pkts.summary()
>>> pkts.nsummary()
>>> pkts[48]
• Pull out the DNS packets. Collect them into a plain list, then wrap the list in a PacketList so that .nsummary(), .summary() and friends work on the result (a bare Python list has none of them).
>>> x = []
>>> for p in pkts:
...     if p.haslayer(UDP) and p.haslayer(DNS):
...         x.append(p)
...
>>> x = PacketList(x, 'dns')
>>> x.nsummary()

16. PCAPS – The 3 R’s
• wRiting
>>> wrpcap('pcap/test.pcap', x)
>>> wireshark(x)
>>> wrpcap('pcap/replay1.pcap', x[0])
>>> wireshark(x[0])
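The two slides above lean on rdpcap() and wrpcap() to read and write capture files. The following is an added example, not part of the workshop slides or of Scapy, that shows what those calls do underneath: a stdlib-only reader and writer for the classic libpcap format (24-byte global header, 16-byte record header per frame). It assumes link type 1 (Ethernet), classic pcap rather than pcapng, and uses a constructed 42-byte Ethernet/IPv4/UDP frame as sample data; the reader also handles the byte-order edge case, where a swapped magic number means every header field must be read big-endian.

```python
"""Added example: a stdlib-only reader/writer for the classic libpcap format.
Assumptions: link type 1 (Ethernet), classic pcap (not pcapng), and a
constructed sample frame used purely as test data."""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap written little-endian
LINKTYPE_ETHERNET = 1

# Constructed sample frame (not a real capture): Ethernet + IPv4 + UDP header, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0800"   # Ethernet: dst, src, type=IPv4
    "4500001c" "00010000" "4011" "0000"    # IPv4: ver/ihl, len=28, id, flags, ttl=64, proto=UDP, csum
    "0a01631c" "0a016301"                  # src 10.1.99.28, dst 10.1.99.1
    "c35000350008" "0000"                  # UDP: sport 50000, dport 53, len 8, csum
)

def write_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Return the bytes of a pcap file holding (ts_sec, ts_usec, frame) tuples."""
    out = io.BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
        out.write(captured)
    return out.getvalue()

def read_pcap(data):
    """Parse a pcap file from bytes; returns (linktype, [(ts_sec, ts_usec, frame), ...]).

    The magic number reveals the writer's byte order: if it reads as 0xD4C3B2A1
    the file was written big-endian and every header field is read that way."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records = []
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("bad record length at offset %d" % offset)
        records.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records

def roundtrip():
    """Write two constructed records, read them back, and return the parsed result."""
    blob = write_pcap([(1398000000, 0, SAMPLE_FRAME), (1398000000, 500, SAMPLE_FRAME[:20])])
    return read_pcap(blob)

def read_swapped_header():
    """A header written big-endian (magic appears as 0xD4C3B2A1) still parses."""
    hdr = struct.pack(">IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return read_pcap(hdr)

if __name__ == "__main__":
    linktype, recs = roundtrip()
    print("linktype", linktype, "records", len(recs))
    for ts_sec, ts_usec, frame in recs:
        print(ts_sec, ts_usec, len(frame), frame[:14].hex())
```

The length check against snaplen and against the remaining bytes is what keeps a truncated or tampered capture from turning into an out-of-bounds read; Scapy's rdpcap() does the equivalent and will raise on a damaged file rather than return garbage frames.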
17. PCAPS – The 3 R’s
• Replaying
• Delete the Ethernet addresses and the IP/UDP checksums rather than setting them: a deleted field reverts to its default, so Scapy fills in the MACs (from the routing table and ARP) and recomputes both checksums when it builds the packet. If the old checksums were left in place, the replayed packet would carry values computed for the original addresses and be dropped by the receiver.
>>> pkts = rdpcap('pcap/replay1.pcap')
>>> del pkts[0][Ether].dst
>>> del pkts[0][Ether].src
>>> pkts[0][IP].src = '10.1.99.28'
>>> pkts[0][IP].dst = '8.8.8.8'
>>> del pkts[0][IP].chksum
>>> del pkts[0][UDP].chksum
>>> x = srp1(pkts[0])
>>> x.summary()
'Ether / IP / UDP / DNS Ans "smtp.cs.com." '
>>> srploop(pkts[0])
>>> wrpcap('pcap/replay2.pcap', pkts[0])
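To see why the two `del ...chksum` lines above matter, here is an added example (not from the slides and not Scapy code) that does the same retargeting by hand on a constructed IPv4/UDP datagram: it implements the RFC 1071 one's-complement checksum, rewrites the source and destination addresses once without touching the checksums and once recomputing them, and verifies each result the way a receiving stack would. The addresses, ports and "query" payload are made up for the example; the UDP checksum covers the IPv4 pseudo-header, which is why changing an IP address also breaks the UDP checksum.

```python
"""Added example: why rewritten addresses need recomputed IP and UDP checksums.
Stdlib only; the datagram is constructed, not captured."""
import struct

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip4(addr):
    """Dotted quad -> 4 bytes."""
    return bytes(int(x) for x in addr.split("."))

def ipv4_header(src, dst, payload_len, proto=17, ttl=64, ident=1):
    """Build a 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def udp_datagram(src, dst, sport, dport, payload):
    """Build UDP header + payload; the checksum covers the IPv4 pseudo-header as well."""
    length = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 17, length)
    csum = inet_checksum(pseudo + udp) or 0xFFFF   # 0 would mean "no checksum", so send 0xFFFF
    return udp[:6] + struct.pack("!H", csum) + udp[8:]

def ip_ok(pkt):
    """Receiver-side IPv4 check: the header including its checksum must sum to zero."""
    return inet_checksum(pkt[:20]) == 0

def udp_ok(pkt):
    """Receiver-side UDP check: pseudo-header + datagram (checksum included) must sum to zero."""
    udp = pkt[20:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return inet_checksum(pseudo + udp) == 0

def retarget(pkt, new_src, new_dst, fix_checksums):
    """Rewrite the IPv4 addresses; with fix_checksums=True recompute both checksums,
    which is what Scapy does when the chksum fields have been deleted."""
    ip, udp = bytearray(pkt[:20]), bytearray(pkt[20:])
    ip[12:16], ip[16:20] = new_src, new_dst
    if fix_checksums:
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
        udp[6:8] = b"\x00\x00"
        pseudo = new_src + new_dst + struct.pack("!BBH", 0, 17, len(udp))
        udp[6:8] = struct.pack("!H", inet_checksum(pseudo + bytes(udp)) or 0xFFFF)
    return bytes(ip) + bytes(udp)

# Constructed sample: a UDP datagram "captured" from 192.168.0.10 to 192.168.0.1:53
ORIGINAL = (ipv4_header(ip4("192.168.0.10"), ip4("192.168.0.1"), 8 + 5)
            + udp_datagram(ip4("192.168.0.10"), ip4("192.168.0.1"), 40000, 53, b"query"))

def demo():
    """Return (IP checksum ok, UDP checksum ok) for the original, a naive rewrite
    and a rewrite with recomputed checksums."""
    naive = retarget(ORIGINAL, ip4("10.1.99.28"), ip4("8.8.8.8"), fix_checksums=False)
    fixed = retarget(ORIGINAL, ip4("10.1.99.28"), ip4("8.8.8.8"), fix_checksums=True)
    return {
        "original": (ip_ok(ORIGINAL), udp_ok(ORIGINAL)),
        "naive": (ip_ok(naive), udp_ok(naive)),
        "fixed": (ip_ok(fixed), udp_ok(fixed)),
    }

if __name__ == "__main__":
    for name, (ip_good, udp_good) in demo().items():
        print("%-8s IP checksum %s, UDP checksum %s"
              % (name, "ok" if ip_good else "BAD", "ok" if udp_good else "BAD"))
```

The same logic applies to TCP (its checksum also covers the pseudo-header), which is why a replayed TCP segment with rewritten addresses needs `del pkt[TCP].chksum` too.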
18. Python – Importing Scapy
• The quick way
from scapy.all import *
• Turn off "warning messages". Set the log level before importing Scapy: the noisiest warning (about IPv6 routing) is emitted during the import itself, so setting the level afterwards is too late.
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
• Turn off verbose output in Scapy interactive (default is 2)
>>> conf.verb = 0

19. Python – Simple Packet Sniffer
• Sniff all the packets
#!/usr/bin/env python
import sys
from scapy.all import *

iface = sys.argv[1]
pkts = sniff(iface=iface, prn=lambda x: x.summary())

20. Python – Simple Packet Sniffer
• Sniff some of the packets
• Scapy uses Berkeley Packet Filter syntax for filtering packets when sniffing (same as tcpdump).
#!/usr/bin/env python
import sys
from scapy.all import *

iface = sys.argv[1]
pkts = sniff(iface=iface, filter=sys.argv[2], prn=lambda x: x.summary())

sudo ./simplesniffer.py en1 'tcp port 80'
21. Python – Parse a pcap file
• Looking for HTTP traffic??
import re
from scapy.all import *

GREEN = '\033[92m'   # ANSI colour codes used in the output line
END = '\033[0m'

def find_http_requests(pkts):
    get_requests = []
    http_get = 'GET /'
    for p in pkts:
        if p.haslayer(IP) and p.haslayer(TCP) and p.haslayer(Raw):
            raw = p.getlayer(Raw).load
            if isinstance(raw, bytes):
                raw = raw.decode('latin-1')   # the payload is bytes on Python 3
            if http_get in raw:
                dstip = p.getlayer(IP).dst
                dport = p.getlayer(TCP).dport
                srcip = p.getlayer(IP).src
                request = ''
                host = ''
                for t in re.finditer(r'(GET) (\S*)', raw):
                    request = t.group(2)
                for s in re.finditer(r'(Host:) (\S*)', raw):
                    host = s.group(2)
                talker = request, srcip, dstip, dport, host
                if talker not in get_requests:
                    get_requests.append(talker)
    for url, src, dst, port, host in get_requests:
        print(GREEN + '[+] Web traffic from: ' + str(src) + ' to ' + str(dst) + ' on port ' + str(port) + ' to ' + host + ' for ' + url + END)
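The slide's regex approach only knows GET, and because it looks for 'GET /' anywhere in the payload it will also fire on a response body or a binary stream that happens to contain those bytes. The following is an added example (not from the slides, not Scapy code) that parses the request line and headers properly from raw TCP payloads: it accepts any HTTP/1.x method, requires the request line at offset 0, copes with bare LF line endings and case-insensitive header names, and tolerates a missing Host header. The payloads and addresses are constructed for the example; in Scapy you would feed it `p[Raw].load` together with the IP/TCP fields of each packet.

```python
"""Added example: extract HTTP requests from raw TCP payloads without a GET-only regex.
Stdlib only; the sample flows below are constructed, not captured."""

METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH"}

def parse_http_request(payload):
    """Return (method, target, host) if payload starts with an HTTP/1.x request, else None.

    Requiring the request line at offset 0 stops a 'GET /' that merely appears inside a
    response body or a binary stream from being reported as a request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    # some clients send bare LF line endings; normalise before splitting
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/1."):
        return None
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":   # header names are case-insensitive
            host = value.strip().decode("latin-1")
            break
    return parts[0].decode("ascii"), parts[1].decode("latin-1"), host

def find_http_requests(flows):
    """flows: iterable of (src_ip, dst_ip, dport, payload).
    Returns unique (method, target, src, dst, dport, host) tuples in first-seen order."""
    seen = []
    for src, dst, dport, payload in flows:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        method, target, host = parsed
        entry = (method, target, src, dst, dport, host)
        if entry not in seen:
            seen.append(entry)
    return seen

# Constructed sample payloads standing in for p[Raw].load of several TCP segments
SAMPLE_FLOWS = [
    ("10.1.99.28", "93.184.216.34", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"),
    ("10.1.99.28", "93.184.216.34", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),           # retransmit/duplicate
    ("10.1.99.28", "10.1.99.1", 8080,
     b"POST /login HTTP/1.0\nhost: intranet\nContent-Length: 0\n\n"),          # LF-only, lower-case Host
    ("93.184.216.34", "10.1.99.28", 50000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<a href='GET /'>"),  # a response, not a request
    ("10.1.99.28", "10.1.99.1", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),                         # TLS ClientHello, not HTTP
]

if __name__ == "__main__":
    for method, target, src, dst, dport, host in find_http_requests(SAMPLE_FLOWS):
        print("[+] %s %s from %s to %s:%d (Host: %s)" % (method, target, src, dst, dport, host or "-"))
```

This still works per segment, like the slide: a request whose headers are split across two TCP segments will only be seen if you reassemble the stream first (Scapy's TCPSession sniff session or a separate reassembly step), which is the usual next improvement.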
22. Python – WiFi Fun??
• Create your own de-auth packets??
# client and bssid are the MAC addresses of the station and the access point (fill in your own)
packet = RadioTap()/Dot11(type=0, subtype=12, addr1=client, addr2=bssid, addr3=bssid)/Dot11Deauth(reason=7)

• Sniff some beacons??
import re
from scapy.all import *

interface = 'mon0'   # an interface already in monitor mode

def sniffBeacons(p):
    if p.haslayer(Dot11Beacon):
        enc = ''
        ssid = p[Dot11Elt].info
        bssid = p[Dot11].addr3
        # assumes the third tagged parameter is the DS Parameter Set (ID 3), which holds the channel
        channel = int(ord(p[Dot11Elt:3].info))
        capability = p.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}{Dot11ProbeResp:%Dot11ProbeResp.cap%}")
        # signal strength taken from the undecoded tail of the RadioTap header
        rssi = (ord(p.notdecoded[-4:-3]) - 256)
        if re.search("privacy", capability):
            enc = 'Y'
        else:
            enc = 'N'
        entity = ssid, bssid, channel, enc, rssi, interface
        print(entity)

sniff(iface=interface, prn=sniffBeacons)
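The beacon sniffer above reads the channel from `p[Dot11Elt:3]`, which only works while the DS Parameter Set happens to be the third tagged parameter; an AP that inserts a vendor-specific or other element earlier shifts it and the channel comes out wrong. Here is an added example (not from the slides, not Scapy code) that parses the beacon body the robust way: the 12 bytes of fixed fields (timestamp, interval, capabilities) and then every information element as an ID/length/value triple, looking elements up by ID. It also reads the "privacy" capability bit directly and notes whether an RSN element (WPA2/WPA3) is present, since privacy alone is also set for WEP. All beacon bodies are constructed for the example; with Scapy you would apply it to the bytes that follow the Dot11 header of a sniffed beacon.

```python
"""Added example: parse 802.11 beacon fixed fields and information elements by ID.
Stdlib only; the beacon bodies below are constructed, not sniffed."""
import struct

IE_SSID, IE_SUPPORTED_RATES, IE_DS_PARAMS, IE_RSN, IE_VENDOR = 0, 1, 3, 48, 221
CAP_PRIVACY = 0x0010   # the "privacy" bit in the capability field (what the slide greps for)

def parse_ies(body):
    """Yield (element_id, value) for each ID/length/value triple; stop on a truncated element."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            break           # truncated IE: never read past the end of the frame
        yield eid, body[off:off + length]
        off += length

def summarise_beacon(beacon_body):
    """Parse the 12-byte fixed fields and the IEs that follow; return a dict like the slide's 'entity'."""
    if len(beacon_body) < 12:
        raise ValueError("beacon body too short")
    _timestamp, interval, cap = struct.unpack("<QHH", beacon_body[:12])   # 802.11 fields are little-endian
    ssid, channel, rsn = None, None, False
    for eid, value in parse_ies(beacon_body[12:]):
        if eid == IE_SSID:
            ssid = value.decode("utf-8", "replace") if value else "<hidden>"
        elif eid == IE_DS_PARAMS and len(value) == 1:
            channel = value[0]
        elif eid == IE_RSN:
            rsn = True
    return {
        "ssid": ssid,
        "channel": channel,
        "privacy": bool(cap & CAP_PRIVACY),
        "rsn": rsn,          # WPA2/WPA3 present; privacy without RSN suggests WEP or WPA1-only
        "interval": interval,
    }

def beacon_body(ssid, channel, privacy, rsn=False, extra_before=()):
    """Construct a beacon body for testing. extra_before inserts IEs ahead of the DS Parameter
    Set so that it is no longer at a fixed position."""
    cap = CAP_PRIVACY if privacy else 0
    fixed = struct.pack("<QHH", 0, 100, cap)
    ies = [(IE_SSID, ssid), (IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))]
    ies += list(extra_before) + [(IE_DS_PARAMS, bytes([channel]))]
    if rsn:
        # RSN IE: version 1, group cipher CCMP, one pairwise cipher CCMP, one AKM (PSK), RSN caps 0
        ies.append((IE_RSN, bytes.fromhex("0100000fac040100000fac040100000fac020000")))
    return fixed + b"".join(bytes([eid, len(v)]) + v for eid, v in ies)

def demo():
    """Three constructed beacons: open, WPA2 with a vendor IE before DS Params, and hidden-SSID WEP-style."""
    plain = beacon_body(b"OpenCafe", 6, privacy=False)
    wpa2 = beacon_body(b"HomeNet", 11, privacy=True, rsn=True,
                       extra_before=[(IE_VENDOR, b"\x00\x50\xf2\x02")])
    hidden = beacon_body(b"", 1, privacy=True)
    return summarise_beacon(plain), summarise_beacon(wpa2), summarise_beacon(hidden)

if __name__ == "__main__":
    for summary in demo():
        print(summary)
```

In the second constructed beacon the third element is the vendor-specific IE, so a positional `Dot11Elt:3` lookup would report a nonsense channel, whereas the ID-based walk still returns 11.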
23. The End !!
• Questions??

Editor's Notes

1. Wireshark packet numbering starts at 1, Scapy starts at 0. haslayer & getlayer.
2. Wireshark packet count starts at 1, Scapy starts at 0. haslayer & getlayer.