Скачать презентацию Scapy Packet Manuplation CE 340 S Kondakcı What
da75ca8bf4b52d4d075caa33749cba7b.ppt
- Количество слайдов: 53
Scapy Packet Manuplation CE 340/S. Kondakcı
What Scapy Does? Creating a packet Send/Receiving packets Basic Scapy commands Capturing packets (and reading packet capture files into Scapy) • Layering packets • More Examples • •
The First Step 1. Install Python 2. 7+ 2. Download and install Scapy 3. (Optional): Install additional software for special features. 4. Run Scapy with root privileges.
UDP Packet Header
Datalink/Pyhsical (MAC) Packet
Hello World send(IP(dst="127. 0. 0. 1")/ICMP()/"Hello. World") • send - this tells Scapy that you want to send a packet (just a single packet) • IP - the protocol of the packet you want to creat e • (dst=” 127. 0. 0. 1”) - the destination IP to send the packet to • /ICMP() - Create an ICMP packet with the default values provided by Scapy • /”Hello. World” - the payload to include in the ICMP packet
Wireshark Capture Scapy command: send(IP(dst="127. 0. 0. 1")/ICMP()/"Hello. World ") Wireshark capture: Internet Protocol Version 4, Src: 127. 0. 0. 12 (127. 0. 0. 12), Dst: 127. 0. 0. 1 (127. 0. 0. 1) Protocol: ICMP Data: 48656 c 6 c 6 f 576 f 726 c 64 or “Hello. World”
Example: Fabricate an ICMP Packet send(IP(src="127. 0. 0. 1", dst="127. 0. 0. 1", ttl=128)/ICMP()/"Hello. World") Wireshark: Internet Protocol Version 4, Src: 127. 0. 0. 1 (127. 0. 0. 1), Dst: 127. 0. 0. 1 (127. 0. 0. 1) Time to live: 128 What does this ICMP packet mean? Internet Protocol Version 4, Src: 127. 0. 0. 1 (127. 0. 0. 1), Dst: 127. 0. 0. 1 (127. 0. 0. 1) Internet Control Message Protocol Type: 0 (Echo (ping) reply)
Sending a ping packet ip=IP() # Creates an IP header ip. src=’ 192. 168. 1. 25′ # Source address in the IP header with local IP ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. icmp=ICMP() # Creates an ICMP header icmp. type=8 # Type value inserted in ICMP header as 8 for ping icmp. code=0 # Code value inserted in ICMP header as 0 for ping send(ip/icmp) # Sending packet.
Sending a ping packet with random source IP ip=IP() # Creates an IP header ip. src=Rand. IP() # The source address in the IP header with a random IP ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. icmp=ICMP() # Creates an ICMP header icmp. type=8 # Type value inserted in ICMP header as 8 for ping crafting icmp. code=0 # Code value inserted in ICMP header as 0 for ping crafting. send(ip/icmp) # Sending packet.
Sending & Receiving Layer 3 and 2 Packets • sr() – This function sends packets and receives answers. It returns a couple of packet and answers, and the unanswered packets. • sr 1() - This function is a variant that only returns one packet which answered the sent packet sent. • Exp: Simple ICMP packet (layer 3) h=sr 1(IP(dst=“ 127. 0. 0. 1")/ICMP()/”Hello World”) • srp() - This function does the same for layer 2 packets (Ethernet, 802. 3, etc).
Show the Packet Contents • • h=sr 1(IP(dst=“ 127. 0. 0. 1")/ICMP()/”Hello World”) h. show() ###[ IP ]### version= 4 L ihl= 5 L tos= 0 x 0 len= 38 id= 7395 flags= frag= 0 L ttl= 64 proto= icmp chksum= 0 x 83 d 7 src= 127. 0. 0. 1 dst= 127. 0. 0. 1 options ###[ ICMP ]### type= echo-reply code= 0 chksum= 0 x 0 id= 0 x 0 seq= 0 x 0 ###[ Raw ]### load= 'Hello. World' ###[ Padding ]### load= 'x 00xe 7x 03 Nx 99' >>>
Show the TTL of the ICMP reply packet ip=IP() # Create an IP header ip. src=’ 192. 168. 1. 25′ # Source address in the IP header is the loca IP ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. icmp=ICMP() # Create an ICMP header icmp. type=8 # Type value inserted in ICMP header as 8 for ping crafting icmp. code=0 # Code value inserted in ICMP header as 0 for ping crafting. p=sr 1(ip/icmp) # Send and receive the packet in the variable p p. ttl # Displays the TTL value in the received IP header of the packet.
Create an ARP request ether=Ether() # Creates an ethernet header ether. src=’ 00: e 0: 1 c: 3 c: 22: b 4′ # Source MAC address in the ethernet header ether. dst=’FF: FF: FF: FF’ # Destination MAC address arp=ARP() # Create an ARP header arp. op=1 # Set the ARP type as 1 arp. hwsrc=’ 00: e 0: 1 c: 3 c: 22: b 4′ # Set the sender MAC address for local IP arp. psrc=’ 192. 168. 1. 25′ # Set the sender IP address for that MAC addr. arp. pdst=’ 192. 168. 1. 100′ # Set the target IP address arp. hwdst=’ 00: 00: 00: 00′ # Set the target MAC address as NULL p=srp 1(ether/arp) # Send the packet at layer 2 using the command srp 1, appending the ether and arp headers.
TCP Connection Establishment
Normal TCP Handshake Client SYN Client SYN/ACK Client ACK Server After this, you are ready to send data 18
SYN Port Scan Client SYN Client SYN/ACK Client RST Server The server is ready, but the client decided not to complete the handshake 19
UDP Scanning • No handshake, so less useful than TCP scans • Much more powerful in newer versions of Nmap • Sends valid UDP requests to well-known ports – Send a DNS query to port 53, etc. • Response indicates open UDP port
TCP Packets p=sr(IP(dst=“ 127. 0. 0. 1")/TCP(dport=23)) Begin emission: . Finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets >>> p (
TCP Packets a=sr(IP(dst=“ 127. 0. 0. 1")/TCP(dport=[23, 80, 53])) Begin emission: . **Finished to send 3 packets. * Received 4 packets, got 3 answers, remaining 0 packets >>> a (
TCP SYN to port 80 tcp=TCP() # Create a TCP header tcp. dport=80 # The destination port in the TCP header is 80. tcp. flags=’S’ # Set the flag in the TCP header with the SYN bit. ip=IP() # Create an IP header ip. src=’ 192. 168. 1. 25′ # Source address in the IP header is local IP address ip. dst =’ 192. 168. 1. 100′ # Destination address in the IP header. send(ip/tcp) # Send the crafted tcp packet.
Details of the TCP packet >>> p (
The http (port 80) packet IP / TCP 127. 0. 0. 15: ftp_data > 127. 0. 0. 1: http S ==> IP / TCP 127. 0. 0. 1: http > 127. 0. 0. 15: ftp_data SA / Padding S = SYN from client (request from the client)) SA = SYN-ACK from the server (reply from the server)
The telnet (port 23) Packet IP / TCP 127. 0. 0. 1: ftp_data > 127. 0. 0. 1: telnet S ==> IP / TCP 127. 0. 0. 1: telnet > 127. 0. 0. 1: ftp_data RA / Padding SYN Sent from the source Destination responded with a RSTACK (RA) which is a RESet & ACKnowledge flag in the TCP packet telling the source to reset the connection
Port Scan (TCP-SYN Scan) a=sr(IP(dst="127. 0. 0. 1")/TCP(sport=666, dport= [22, 80, 21, 443], flags="S")) Source port=666 Destination ports: 22, 80, 21, and 443 flags="S"= SYN scan
Port Scan (TCP-SYN Scan) cont’d >>> p=sr(IP(dst="127. 0. 0. 1")/TCP(sport=666, dport=[22, 80, 21, 443], flags="S")) Begin emission: ***Finished to send 4 packets. * Received 4 packets, got 4 answers, remaining 0 packets >>> p (
TCP ACK flag sent after SYN flag >>> p=sr(IP(dst="127. 0. 0. 1")/TCP(sport=888, dport=[21, 22, 80, 443], flags="A")) Begin emission: . ***Finished to send 4 packets. * Received 5 packets, got 4 answers, remaining 0 packets >>> p (
DNS Query sr 1(IP(dst="127. 0. 0. 1")/UDP()/DNS(rd=1, qd=D NSQR(qname="www. ieu. edu. tr"))) dst=27. 0. 0. 1 = destionation IP (DNS server) /UDP() = DNS uses UDP protocol /DNS = This is a DNS packet rd=1 = Telling Scapy that recursion is desired qd=DNSQR(qname=”www. ieu. edu. tr ") = Get the DNS info about www. ieu. edu. tr
Traceroute traceroute (["www. google. com"], maxttl=20) Begin emission: . . *Finished to send 20 packets. ********* Received 20 packets, got 18 answers, remaining 2 packets 74. 125. 132. 99: tcp 80 1 172. 1. 16. 2 11 3 80. 3. 129. 161 11 4 212. 43. 163. 221 11 5 62. 252. 192. 157 11 6 62. 253. 187. 178 11 17 74. 125. 132. 99 SA 18 74. 125. 132. 99 SA 19 74. 125. 132. 99 SA 20 74. 125. 132. 99 SA (
ARP Scan on A Network >>> arping(“ 172. 1. 16. *") ***Finished to send 256 packets. * Received 4 packets, got 4 answers, remaining 252 packets 30: 46: 9 a: 83: ab: 70 172. 1. 16. 2 00: 25: 64: 8 b: ed: 1 a 172. 1. 16. 18 00: 26: 55: 00: fc: fe 172. 1. 16. 12 d 8: 9 e: 3 f: b 1: 29: 9 b 172. 1. 16. 22 (
The ICMP, TCP, and UDP Ping: ans, unans=sr(IP(dst=“ 172. 1. 1 -254")/ICMP()) ans, unans=sr( IP(dst=” 172. 1. 1. *”)/TCP(dport=80, flags=”S”) ) ans, unans=sr( IP(dst=“ 172. 1. 1. *"/UDP(dport=0) )
Packet Sniffing sniff() CTRL-C (to stop sniffing) get something like
>>" src="https://present5.com/presentation/da75ca8bf4b52d4d075caa33749cba7b/image-35.jpg" alt="ICMP traffic through eth 0 interface sniff(iface ="eth 0", filter=" icmp", count=10) a=_ >>>" />
ICMP traffic through eth 0 interface sniff(iface ="eth 0", filter=" icmp", count=10) a=_ >>> a. nsummary() 0000 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "91. 189. 95. 55" 0001 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "91. 189. 95. 54" 0002 Ether / IP / ICMP 10. 1. 99. 25 > 74. 125. 132. 103 echo-request 0 / Raw 0003 Ether / IP / ICMP 74. 125. 132. 103 > 10. 1. 99. 25 echo-reply 0 / Raw 0004 Ether / IP / ICMP 10. 1. 99. 25 > 74. 125. 132. 103 echo-request 0 / Raw 0005 Ether / IP / ICMP 74. 125. 132. 103 > 10. 1. 99. 25 echo-reply 0 / Raw 0006 Ether / IP / ICMP 10. 1. 99. 25 > 74. 125. 132. 103 echo-request 0 / Raw 0007 Ether / IP / ICMP 74. 125. 132. 103 > 10. 1. 99. 25 echo-reply 0 / Raw 0008 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "wb-in-f 103. 1 e 100. net. " 0009 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans "wb-in-f 103. 1 e 100. net. “ a[2]
Nping is an open source tool for • network packet generation, • response analysis and response time measurement. • Nping can generate network packets for a wide range of protocols, allowing users full control over protocol headers. Syntax: nping [Probe mode] [Options] {target specification} Example: nping blabla. com Starting Nping 0. 6. 01 ( http: //nmap. org/nping ) at 2012 -06 -20 20: 27 CEST SENT (0. 1879 s) ICMP 192. 168. 60. 129 > 199. 83. 132. 66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 SENT (1. 1890 s) ICMP 192. 168. 60. 129 > 199. 83. 132. 66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 SENT (2. 1901 s) ICMP 192. 168. 60. 129 > 199. 83. 132. 66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28
Nping Modes/TCP Probe Modes
Nping Modes/UDP & ICMP Probe Modes
Nping Modes/ARP & IPv 4 Probe Modes
Nping Modes/Echo Client/server Probe Modes
Nping Output
Nping Using TCP Flags nping --tcp -p 80 --flags ack -c 3 aldeid. com
Nping Echo Client/Server nping --echo-server "pass 123" -e eth 0 - vvv nping --echo-client "pass 123" 192. 168. 1. 18 --tcp -p 1 -30 --flags ack
Nmap Single Target Scanning • • • ### Scan a single ip address ### nmap 192. 168. 1. 1 ## Scan a host name ### nmap www. google. com ## Scan a host name with more info### nmap –v myhost. ieu. edu. tr
Nmap Multiple Target Scanning • • nmap 192. 168. 1. 1 192. 168. 1. 2 192. 168. 1. 3 nmap 192. 168. 1. 1, 2, 3 ## You can scan a range of IP address: nmap 192. 168. 1. 1 -20 ## IP address range using a wildcard: nmap 192. 168. 1. * ## Read list of hosts/networks from a file : namp –i. L. /hosts. txt
More Nmap Commands • • ## Detect OS and OS version nmap -A 192. 168. 1. 254 nmap -v -A 192. 168. 1. 1 nmap -A -i. L /tmp/scanlist. txt ## Is a host/network protected by a firewall nmap -s. A 192. 168. 1. 254 ## Scan it when protected by the firewall nmap -PN 192. 168. 1. 1
More Nmap Commands • ## host discovery or ping scan: – nmap -s. P 192. 168. 1. 0/24 • ## perform a fast scan – nmap -F 192. 168. 1. 1 • ## Show only open ports – nmap --open 192. 168. 1. 1 • ## Show all packets sent and received – nmap --packet-trace 192. 168. 1. 1 • Show host interfaces and routes – nmap --iflist
More Nmap Commands • Show host interfaces and routes – nmap --iflist
![Scan Specific ports • • • nmap -p [port] host. Name ## Scan port](https://present5.com/presentation/da75ca8bf4b52d4d075caa33749cba7b/image-49.jpg "Scan Specific ports • • • nmap -p [port] host. Name ## Scan port")
Scan Specific ports • • • nmap -p [port] host. Name ## Scan port 80 nmap -p 80 192. 168. 1. 1 • • ## Scan TCP port 80 nmap -p T: 80 192. 168. 1. 1 • • ## Scan UDP port 53 nmap -p U: 53 192. 168. 1. 1 • • ## Scan two ports ## nmap -p 80, 443 192. 168. 1. 1 • • ## Scan port ranges ## nmap -p 80 -200 192. 168. 1. 1
Scan Specific ports • • • ## Combine all options ## – nmap -p U: 53, 111, 137, T: 21 -25, 80, 139, 8080 192. 168. 1. 1 – nmap -v -s. U -s. T -p U: 53, 111, 137, T: 21 -25, 80, 139, 8080 192. 168. 1. 254 ## Scan all ports with * wildcard: – nmap -p "*" 192. 168. 1. 1 ## Scan top 10 most common ports ## – nmap --top-ports 10 192. 168. 1. 1
Host Discovery (1) • ## host discovery or ping scan: – nmap -s. P 192. 168. 1. 0/24 Host 192. 168. 1. 1 is up (0. 00035 s latency). MAC Address: BC: AE: C 5: C 3: 16: 93 (Unknown) Host 192. 168. 1. 2 is up (0. 0038 s latency). MAC Address: 74: 44: 01: 40: 57: FB (Unknown) Host 192. 168. 1. 5 is up. Host nas 03 (192. 168. 1. 12) is up (0. 0091 s latency). MAC Address: 00: 11: 32: 11: 15: FC (Synology Incorporated) Nmap done: 256 IP addresses (4 hosts up) scanned in 2. 80 second
Host Discovery (2) nmap -O 192. 168. 1. 1 nmap -O --osscan-guess 192. 168. 1. 1 nmap -v -O --osscan-guess 192. 168. 1. 1 Starting Nmap 5. 00 ( http: //nmap. org ) at 2012 -11 -27 01: 29 IST NSE: Loaded 0 scripts for scanning. Initiating ARP Ping Scan at 01: 29 Scanning 192. 168. 1. 1 [1 port] Completed ARP Ping Scan at 01: 29, 0. 01 s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 01: 29 Completed Parallel DNS resolution of 1 host. at 01: 29, 0. 22 s elapsed Initiating SYN Stealth Scan at 01: 29 Scanning 192. 168. 1. 1 [1000 ports] Discovered open port 80/tcp on 192. 168. 1. 1 Discovered open port 22/tcp on 192. 168. 1. 1 Completed SYN Stealth Scan at 01: 29, 0. 16 s elapsed (1000 total ports) Initiating OS detection (try #1) against 192. 168. 1. 1 Retrying OS detection (try #2) against 192. 168. 1. 1 Retrying OS detection (try #3) against 192. 168. 1. 1 Retrying OS detection (try #4) against 192. 168. 1. 1 Retrying OS detection (try #5) against 192. 168. 1. 1 Host 192. 168. 1. 1 is up (0. 00049 s latency). Interesting ports on 192. 168. 1. 1: Not shown: 998 closed ports
Host Discovery (3) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: BC: AE: C 5: C 3: 16: 93 (Unknown) Device type: WAP|general purpose|router|printer|broadband router Running (JUST GUESSING) : Linksys Linux 2. 4. X (95%), Linux 2. 4. X|2. 6. X (94%), Mikro. Tik Router. OS 3. X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2. 4. X (89%), Netgear Linux 2. 4. X (89%) Aggressive OS guesses: Open. Wrt White Russian 0. 9 (Linux 2. 4. 30) (95%), Open. Wrt 0. 9 - 7. 09 (Linux 2. 4. 30 - 2. 4. 34) (94%), Open. Wrt Kamikaze 7. 09 (Linux 2. 6. 22) (94%), Linux 2. 4. 21 - 2. 4. 31 (likely embedded) (92%), Linux 2. 6. 15 - 2. 6. 23 (embedded) (92%), Linux 2. 6. 15 - 2. 6. 24 (92%), Mikro. Tik Router. OS 3. 0 beta 5 (92%), Mikro. Tik Router. OS 3. 17 (92%), Linux 2. 6. 24 (91%), Linux 2. 6. 22 (90%) No exact OS matches for host (If you know what OS is running on it, see http: //nmap. org/submit/ ). TCP/IP fingerprint: OS: SCAN(V=5. 00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC 5%TM=50 B 3 CA OS: 4 B%P=x 86_64 -unknown-linux-gnu)SEQ(SP=C 8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7 OS: )OPS(O 1=M 2300 ST 11 NW 2%O 2=M 2300 ST 11 NW 2%O 3=M 2300 NNT 11 NW 2%O 4=M 2300 ST 11 NW 2%O 5 OS: =M 2300 ST 11 NW 2%O 6=M 2300 ST 11)WIN(W 1=45 E 8%W 2=45 E 8%W 3=45 E 8%W 4=45 E 8%W 5=45 E 8%W OS: 6=45 E 8)ECN(R=Y%DF=Y%T=40%W=4600%O=M 2300 NNSNW 2%CC=N%Q=)T 1(R=Y%DF=Y%T=40%S OS: =O%A=S+%F=AS%RD=0%Q=)T 2(R=N)T 3(R=N)T 4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R OS: D=0%Q=)T 5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T 6(R=Y%DF=Y%T=40%W= OS: 0%S=A%A=Z%F=R%O=%RD=0%Q=)T 7(R=N)U 1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID OS: =G%RIPCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Uptime guess: 12. 990 days (since Wed Nov 14 01: 44: 40 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=200 (Good luck!) IP ID Sequence Generation: All zeros Read data files from: /usr/share/nmap OS detection performed. Please report any incorrect results at http: //nmap. org/submit/. Nmap done: 1 IP address (1 host up) scanned in 12. 38 seconds Raw packets sent: 1126 (53. 832 KB) | Rcvd: 1066 (46. 100 KB)