Monday, 19 October 2020

[Learning] Network Forensics with Scapy library in Python

Hello guys! Today I will bring up something new, interesting and essential for beginners and anyone who wants to expand their networking knowledge.

I want to talk about Scapy, a library written in Python that also has its own CLI. It is considered by many to be one of the most important packet tools. Let's get started!


+ Network scanning
+ Packet manipulation: send, sniff, analyze and forge network packets
+ Read a .pcap file

Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump and tshark.

Create a network scanner using Scapy

I have learned about it and quickly wrote a Python script to test the power of Scapy, following all the steps below:

Here is the successful result:

Compared to netdiscover:


Sending packets and receiving answers

Sending an HTTP request:

- List the module's contents

On Wireshark

On HTTP server

Pop up the browser using display=True


Sniffing from a pcap file with scapy

With the rdpcap() function, we can read a pcap file and get a list of packets that can be handled directly by Python. We can also do a similar packet capture using sniff().

Scapy also supports the BPF (Berkeley Packet Filter) format, a standard format for applying filters to network packets (similar to Wireshark). These filters can be applied to a set of specific packets or directly to an active capture.

Advanced sniffing

On a specific network interface

prn: a function to apply to each packet. If something is returned, it is displayed. For instance, you can use prn=lambda x: x.summary()

Importing and Exporting Data


It's useful to save captured packets to a pcap file:


Display one or more packets using the classic hexdump format

Binary string

SYN Scan (half-open scanning) with Scapy

What is SYN scanning?

SYN scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. ... If the server responds with a SYN/ACK (synchronization acknowledged) packet from a particular port, it means the port is open.

While learning Scapy, I figured out that it can help me build a simple Python script to check whether a specific port is open or closed. SYN scan script (thanks to the Microsoft doc):

Here is the result:
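The SYN/ACK-means-open rule above can be checked from the analyst's side as well. The following is an added example, not the script from this post: it replays a captured half-open scan and classifies each probed port from the replies the target sent back. The packets, IPs and ports are constructed samples, and the capture is assumed to be raw IPv4 without an Ethernet header.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

def build_tcp(src, dst, sport, dport, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_tcp(pkt):
    """Return (src, dst, sport, dport, flags) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]

def classify_syn_scan(packets, scanner):
    """Reconstruct what a half-open scan learned from the capture:
    SYN/ACK reply => open, RST reply => closed, no reply => filtered."""
    verdict = {}
    for pkt in packets:
        src, dst, sport, dport, flags = parse_tcp(pkt)
        if src == scanner and flags == SYN:
            verdict.setdefault((dst, dport), "filtered")  # probe seen, no answer yet
        elif dst == scanner and (src, sport) in verdict:
            if flags & SYN and flags & ACK:
                verdict[(src, sport)] = "open"
            elif flags & RST:
                verdict[(src, sport)] = "closed"
    return verdict

# Constructed capture: one scanner probing three ports on one host
SCANNER, TARGET = "10.0.0.9", "10.0.0.1"
SAMPLE = [
    build_tcp(SCANNER, TARGET, 40000, 22, SYN),
    build_tcp(TARGET, SCANNER, 22, 40000, SYN | ACK),   # open
    build_tcp(SCANNER, TARGET, 40001, 80, SYN),
    build_tcp(TARGET, SCANNER, 80, 40001, RST | ACK),   # closed
    build_tcp(SCANNER, TARGET, 40002, 443, SYN),        # never answered
]

if __name__ == "__main__":
    for (host, port), state in sorted(classify_syn_scan(SAMPLE, SCANNER).items()):
        print(f"{host}:{port} {state}")
```

A burst of SYN-only segments from one source to many ports, most of them never followed by an ACK, is also the pattern a defender looks for when hunting for this kind of scan in a capture.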

Speaking about Scapy, as a CTF noob player, I found that many challenges require medium skill in using it. In some cases, Scapy made everything easier.

This example helps us understand what Scapy can do:

Analyzing the code:

rdpcap() loads the entire pcap file into memory and may use a lot of memory. Alternatively, you can use sniff().


sniff() reads one packet at a time and passes it to the provided prn function. The store=0 parameter ensures that the packet is deleted from memory as soon as it is processed. So you should consider which method to use in each case.

Following the .pcap file's challenge, we use the ICMP type 8 (echo request) condition to select the packets that hold the flag clue (the ID of those ICMP packets had been changed), after excluding the other "normal" ICMP packets.

That example is simple for a beginner.

Another challenge

The task description:
We have managed to intercept communications from Dr. Evil’s base but it seems to be encrypted. Can you recover the secret message?

Download the .tar file and extract it:

That is TLS connection between and  

We have no RSA key or anything else to decrypt the TLS sessions, so we should drop this idea.

Following the task description, maybe the flag is related to "evil".

Searching for "evil" in the capture:

I decided to dig deeper into this .pcap with Scapy:

As you can see, the IP flags field is shown as evil.

So, I combined all the information above and had an idea: if the IP flags field is evil, I write a 1 into the message; if not, I write a 0. So, here is my simple payload:

The result comes up in binary format; just convert it to text:

Here comes the flag!
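As an added example (not the author's payload), here is the same evil-bit recovery done with plain struct parsing, so it runs without Scapy. The IPs and the secret are constructed samples, and each packet is assumed to carry one bit, most significant bit first, in capture order.

```python
import struct

def build_ipv4(src, dst, evil):
    """Constructed sample: a bare 20-byte IPv4 header. The reserved flag (bit 15 of the
    flags/fragment word, RFC 3514's 'evil bit', which Scapy names 'evil') carries one bit."""
    flags_frag = 0x8000 if evil else 0x0000
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, flags_frag, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def evil_bit(pkt):
    """1 if the reserved IP flag is set, else 0 (Scapy shows this flag as 'evil' in pkt[IP].flags)."""
    return (struct.unpack("!H", pkt[6:8])[0] >> 15) & 1

def recover_message(packets):
    """Concatenate one bit per packet, in capture order, and decode 8-bit groups as ASCII."""
    bits = "".join(str(evil_bit(p)) for p in packets)
    usable = len(bits) - len(bits) % 8          # drop an incomplete trailing byte
    text = "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))
    return bits, text

# Constructed capture: 80 packets encoding a ten-character secret, MSB first per character
SECRET = "flag{ev1l}"
SAMPLE = [build_ipv4("10.0.0.1", "10.0.0.2", bit == "1")
          for ch in SECRET for bit in format(ord(ch), "08b")]

if __name__ == "__main__":
    bits, text = recover_message(SAMPLE)
    print(bits)
    print(text)
```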

Moving on to another challenge: the author gave me a file with no description. Check it out!

After extracting it, I get a .png file, but when I open it, nothing appears.

Analyze it:

When I saw dumpcap, I immediately thought of a pcap file. After searching for 2 minutes:

I decided to change the file's extension to .pcapng and open it:

I think there must be an error here. After searching on Google (again!), I realized pcapfix can solve this problem. Try this!

Open it again and let's see:


After an hour analyzing this file and looking through all the protocols, I figured out that ICMP appeared with a strange ID at some connection steps (id = 0x0000).

Because the requests and responses were all mixed together, I chose this filter:


to tell them apart and look through them easily. Finally, I found the point:

As you can see, the Identification field appears to be readable when dumped in hex format.

Let's use Scapy to get all values of this field from all the ICMP packets sent by the specified IP:

This simple script took me too much time because I had not yet learned how to do it in Scapy.
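Added example, not the author's script: a streaming pcap reader (the sniff(store=0) approach from the rdpcap/sniff comparison earlier in the post) that pulls the identifier out of every ICMP type 8 packet from one source IP and decodes those bytes as text. The capture, IPs and clue are constructed; the file is assumed to be a classic pcap with link type 101 (raw IP, no Ethernet header), and the field read is assumed to be the ICMP identifier rather than the IP identification field.

```python
import struct

def build_icmp_echo(src, dst, icmp_id, seq=1):
    """Constructed sample: IPv4 header + ICMP echo request (type 8) carrying a chosen identifier."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

def build_pcap(packets):
    """Wrap raw IPv4 packets in a classic little-endian pcap file, link type 101 (raw IP)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    records = b"".join(struct.pack("<IIII", n, 0, len(p), len(p)) + p for n, p in enumerate(packets))
    return header + records

def iter_pcap(data):
    """Yield packets one at a time, the way sniff(offline=..., store=0) streams them,
    instead of materialising the whole list as rdpcap() does."""
    offset = 24                                   # skip the global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def icmp_ids_from(data, src_ip):
    """Identifiers of every ICMP echo request (type 8) sent by src_ip, in capture order."""
    ids = []
    for pkt in iter_pcap(data):
        ihl = (pkt[0] & 0x0F) * 4
        src = ".".join(map(str, pkt[12:16]))
        if pkt[9] != 1 or src != src_ip:          # protocol 1 = ICMP
            continue
        icmp_type, _, _, icmp_id, _ = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        if icmp_type == 8:
            ids.append(icmp_id)
    return ids

def ids_to_text(ids):
    """Each 16-bit identifier holds two bytes of hidden text, which is why it read as ASCII in a hex dump."""
    return b"".join(struct.pack("!H", i) for i in ids).decode("ascii", errors="replace")

# Constructed capture: a normal ping from another host, then the clue split across identifiers
CLUE = "flag{icmp}"
PAIRS = [int.from_bytes(CLUE[i:i + 2].encode(), "big") for i in range(0, len(CLUE), 2)]
SAMPLE_PCAP = build_pcap(
    [build_icmp_echo("10.0.0.7", "10.0.0.1", 0x1234)]
    + [build_icmp_echo("10.0.0.5", "10.0.0.1", pid, seq=n) for n, pid in enumerate(PAIRS)])
```

Calling ids_to_text(icmp_ids_from(SAMPLE_PCAP, "10.0.0.5")) returns the clue; the unrelated ping from 10.0.0.7 is filtered out by the source-IP check.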

Here is the result:

Or, if you are interested in Tshark:

As you can see, Scapy is a useful tool when we need to work with .pcap files in CTF challenges, or with networking in real life. If you spend more time researching this library, you will discover more interesting things than what I have written here. Peace!

Happy Learning!
