Networking is a fundamental knowledge area when it comes to effectively investigating, analyzing and researching the vast majority of security-related topics and events. This makes a lot of sense considering that most computers are on a network, such as the internet, for communication purposes. It is likely that when a system has been attacked and/or compromised, it was done so remotely as opposed to locally. Obviously this is just a result of the way our computers communicate these days. Tools and frameworks that are specifically focused on networking are very useful in this type of environment.
Scapy is a packet manipulation library that has the ability to craft, manipulate and even replay packets on the wire. It can be used either in scripts, programs or interactively at the command line. Obviously this has many practical uses when it comes to both network and security-related research/investigation. Before we can practically use this tool, a little primer is in order to get a feel for the library and it's capabilities. This is not meant to be a full manual but rather a quick start guide.
Packet Creation
Scapy allows a packet to be created using layers much in the way that they are logically layered in the same way that the OSI and TCP/IP models. You can even go as far as adding additional layers to a packet, although it really wouldn't make a lot of sense and the response may be unpredictable. A remote host wouldn't really understand a packet that has multiple IP layers since it is an abnormal condition. This could be useful if we are looking for a certain response but it is not likely to yield any useful information.So let's say I want to send a packet to a remote host to confirm if it is running an SMTP (Simple Mail Transfer Protocol) server. SMTP runs on TCP port 25 by default although this isn't a requirement. Let's take a look at how to create a packet for this purpose.
Here are the characteristics of the packet we would like to create:
Source Host: 192.168.93.134
Source Port: 1025
Destination Host: 192.168.93.136
Destination Port: 25
This packet can be created one of two ways. One way is more compact than the other but we will review both.
Method One
The first method is the longest since creation of each layer is performed within a separate declaration.First, let us define the network layer (Layer 3).
>>> l3 = IP(dst="192.168.93.134",ttl="128")
Next, we define the transport layer (Layer 4)
>>> l4 = TCP(sport=1025,dport=25)
Then, we will define the payload that we plan to deliver to the destination.
>>> data = "Testing"
In this case, we are not using a true SMTP value but a plain-text string.
Now we will combine all three layers in to a single packet. The layers are 'layered' on top of one another using the '/' operator.
>>> packet = l3/l4/data
Any undefined values such as source host, flags or TCP Options are set to defaults values. The same is true for layers such as the data link layer. These default values can be obtained by using the following notation within interactive mode:
ls(protocol)
>>> ls(IP)
After a packet has been created, it can be reviewed by simply typing the variable name at the command prompt. This will show the user-defined values of the packet.
>>> packet
<IP frag=0 ttl='128' proto=tcp dst=192.168.93.134 |<TCP sport=1025 dport=smtp |<Raw
load='Testing' |>>>
While the first method provides a more detailed way to craft a packet, the same crafting can also be done in a single line of code. The first method has certain advantages such as reuse of the layer definitions in multiple packet creation. In other words, if we want to change the value at one layer, such as the transport layer, we can change the value of that single layer instead of having to redefine the entire packet.
Method Two
The second method is great for quick packet creation and brevity. All components of the packet can be defined at a single time. Let's take a look at the creation of the same packet that we created in the above section using this shorter method.Once again, here are the characteristics of the packet we would like to create:
Source Host: 192.168.93.134
Source Port: 1025
Destination Host: 192.168.93.136
Destination Port: 25
>>> packet = IP(dst="192.168.93.134",ttl="128")/UDP(sport=1025,dport=25)/"Testing"
This saves us a few lines of code. Let's take a look at the packet.
>>> packet
<IP frag=0 ttl='128' proto=udp dst=192.168.93.134 |<UDP sport=1025 dport=25 |<Raw
load='Testing' |>>>
Packet Details
While packet creation is a great feature, we need a way to extract information from this packet. This includes information such as IP address, port, data, flags and a ton of other header information from each individual layer.
Scapy provides the following methods for extraction of this information:
getlayer()
Using the getlayer() method will retrieve information pertaining to a single layer of a packet. This information includes non-default fields within the layer.
haslayer()
The haslayer() method allows the programmer to check to see if a layer exists. If the value exists, a '1' will be returned. If it does not exists, a '0' will be returned.
show()
The show() method can be used to display information about the packet. This is helpful mainly while in interactive mode. It will display a more human friendly view of the packet fields. It will show both user-defined and default values.
The value of a packet header value can be retrieved using the following syntax:
packet.layer.fieldname
Note: Requesting flag values will result in a decimal representation of the flags that are set so it
is up the the programmer to interpret these values to with their associated flag values.
No comments:
Post a Comment