Please note 1st that this is a Linux Tutorial but most of the same will apply to Mac & Windows; Python comes native to Linux so please install Python and put it in your System Path if using Windows.
sudo apt-get install scapy =>
sudo su scapy has to ran as root
type scapy =>
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python Crypto lib. Won't be able to decrypt WEP.
INFO: Can't import python Crypto lib. Disabled certificate manipulation tools
Welcome to Scapy (2.2.0)
>>>
this is your new playground, so let's learn a couple of commands to get familiar with the Functions of scapy has built into it
>>>ls()
the ls() command will show you a huge list of Protocols that can be used and new ones can be added also if need be.
>>>lsc()
the lsc() command will give you a much shorter list of commands applicable to the Protocols above... you get the gist now about how to view what is available to you in this Module.
Python has a Standard Library of 80 built in Functions without importing other Modules or Functions from them.
I will start out with Basic Network Protocols & some common Attacks on them becouse they are the nasty buggers we always see in Network Hacking; I am taking this straight from my Terminal & whatever you see here can also be found anywhere on the Web, I just think a nice series of Articles on Protocols & Protocol Hacks is needed HERE!
At any point you need HELP just type help(protocol) or help(command) and you will get the lowdown on how to use those Options
Once I get past the Intro. I will continue with how each can be exploited using scapy.
We will start out with the most Basic Packets of all DHCP this is used to assign IP Addresses; however, since there are so many options available for this I will touch back on it, It will take up a whole Article in it's self to cover DHCP()
We can see the Options though =>
>>> DHCP()
>>> DHCP().show()
###[ DHCP options ]###
options= []
now the Options =>
>>> DHCPOptions
{0: 'pad', 1: , 2: 'time_zone', 3: , 4: , 5: , 6: , 7: , 8: , 9: , 12: 'hostname', 14: 'dump_path', 15: 'domain', 17: 'root_disk_path', 22: 'max_dgram_reass_size', 23: 'default_ttl', 24: 'pmtu_timeout', 28:, 35: 'arp_cache_timeout', 36: 'ether_or_dot3', 37: 'tcp_ttl', 38: 'tcp_keepalive_interval', 39: 'tcp_keepalive_garbage', 40: 'NIS_domain', 41: , 42: , 43: 'vendor_specific', 44: , 45: , 50: , 51: , 53: , 54: , 55: 'param_req_list', 57: , 58: , 59: , 60: 'vendor_class_id', 61: 'client_id', 64: 'NISplus_domain', 65: , 69: , 70: , 71: , 72: , 73: , 74: , 75: , 76: 'StreetTalk_Dir_Assistance', 82: 'relay_agent_Information', 255: 'end'}
Not very many other Protocols have this many as you will soon see, we have countless Options here!
So we will move on to the next most important Protocol ARP! It's a Layer 2 Protocol & works with Layer 3 in networks and in conjunction with DHCP & IP.ARP communicates with other Machines on your Network and associates Hardware Addresses with IP Addresses.
So ARP says."Who has this " RARP says,"This Machine has " and is associated with Mac to IP Identification Only!
>>> ARP().show()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= e0:ca:94:db:2f:d7
psrc= 192.168.1.7
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
you can customise any field in any Protocol by using the Protocol().show()or var.show()
Set variable pkt and as above scapy will fill all unused options except Machine & IP destination
>>> pkt=ARP()
>>> pkt.show()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= e0:ca:94:db:2f:d7
psrc= 192.168.1.7
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
>>> pkt = ARP(psrc="192.168.1.2", hwsr
c="00:11:22:33:44:55")
>>> pkt
and as you can see I just Spoofed an IP & Mac address
>>>pkt.op
>>>pkt.hwsrc
>>>pkt.len
can all be viewed & chanded induvidually with just this method & when you get better you will build whole Packets at a time like a Pro
The perpose of ARP Spoofing & ARP Cache poisoning is to use MiTM Attacks to intercept Data meant for a particular Machine, and or sending
& receiving request masqeurading as another on a Network and DoS. Being able to write, save, call Packet Streams is simple & I will get to it all
very shortly!As well as Atacks.
Next we have IP()
>>> IP().show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= ip
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
options
>>> pkt = IP(dst="google.com")
>>> pkt
If we send this over the Wire we get only an ICMP response(error)becouse we got no dport
ls(pkt) will also show you a better Table of the same pkt.show() command
>>> ls(pkt)
version : BitField = 4 (4)
ihl : BitField = None (None)
tos : XByteField = 0 (0)
len : ShortField = None (None)
id : ShortField = 1 (1)
flags : FlagsField = 0 (0)
frag : BitField = 0 (0)
ttl : ByteField = 64 (64)
proto : ByteEnumField = 0 (0)
chksum : XShortField = None (None)
src : Emph = '127.0.0.1' (None)
dst : Emph = '127.0.0.1' ('127.0.0.1')
options : PacketListField = [] ([])
So becouse IP piggybacks on TCP we will further build our Packet to send & receive a response
>>> TCP().show()
###[ TCP ]###
sport= ftp_data
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}
>>> TCPOptions
({0: ('EOL', None), 1: ('NOP', None), 2: ('MSS', '!H'), 3: ('WScale', '!B'), 4: ('SAckOK', None), 5: ('SAck', '!'), 8: ('Timestamp', '!II'), 25: ('Mood', '!p'), 14: ('AltChkSum', '!BH'), 15: ('AltChkSumOpt', None)}, {'AltChkSum': 14, 'Mood': 25, 'AltChkSumOpt': 15, 'SAck': 5, 'Timestamp': 8, 'MSS': 2, 'NOP': 1, 'WScale': 3, 'SAckOK': 4, 'EOL': 0})
>>> pkt = IP(dst="google.com", ttl=20)/TCP(dport=80)
>>> pkt
>
>>> ls(pkt)
version : BitField = 4 (4)
ihl : BitField = None (None)
tos : XByteField = 0 (0)
len : ShortField = None (None)
id : ShortField = 1 (1)
flags : FlagsField = 0 (0)
frag : BitField = 0 (0)
ttl : ByteField = 20 (64)
proto : ByteEnumField = 6 (0)
chksum : XShortField = None (None)
src : Emph = '192.168.1.7' (None)
dst : Emph = Net('google.com') ('127.0.0.1')
options : PacketListField = [] ([])
--
sport : ShortEnumField = 20 (20)
dport : ShortEnumField = 80 (80)
seq : IntField = 0 (0)
ack : IntField = 0 (0)
dataofs : BitField = None (None)
reserved : BitField = 0 (0)
flags : FlagsField = 2 (2)
window : ShortField = 8192 (8192)
chksum : XShortField = None (None)
urgptr : ShortField = 0 (0)
options : TCPOptionsField = {} ({})
Now we can see things have changed a bit ... lets send this Packet on the Wire!
>>> sr1(pkt)
Begin emission:
...Finished to send 1 packets.
....*
Received 8 packets, got 1 answers, remaining 0 packets
>
>>>
the sr1() will send,receive Packets to google
ans,unans is answered or unanswered Packets, so lets look at answered:
>>> ans = sr1(pkt)
Begin emission:
Finished to send 1 packets.
...*
Received 4 packets, got 1 answers, remaining 0 packets
>>> ans.show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x20
len= 44
id= 32566
flags=
frag= 0L
ttl= 53
proto= tcp
chksum= 0x1788
src= 74.125.226.193
dst= 192.168.1.7
options
###[ TCP ]###
sport= http
dport= ftp_data
seq= 2628223488L
ack= 1
dataofs= 6L
reserved= 0L
flags= SA
window= 62920
chksum= 0x9470
urgptr= 0
options= [('MSS', 1430)]
>>> ans.summary
>>
Summary is just about the same as sr1()
wireshark(ans) will show you the gui Packet (must have Wireshark installed)
A Packet can travel via TCP or UDP
>>> UDP().show()
###[ UDP ]###
sport= domain
dport= domain
len= None
chksum= None
TCP is Stateless which is why we have Sessions via Cookies on the Web & UDP is Connectionless so we just use Ports.. It's weird I know
Now we create/write a pcap file if we wish to same a particular Packet Capture & it's done like so:
>>>wrpcap("test.pcap", ans) File to write(test.pcap)/Packet(s)(ans)
We read/recall that File like so:
>>> rdpcap("test.pcap")
No comments:
Post a Comment