Hello guys! Today I will bring up something new, interesting and essential for you: beginners and anyone who wants to expand their networking knowledge.
I want to talk about Scapy, a packet-manipulation library written in Python that also ships its own interactive CLI. Many consider it one of the most important packet tools. Let's get started!
Usage/Functionalities:
+ Network scanning
+ Packet manipulation: send, sniff, dissect and forge network packets
Install:
Read a .pcap file
Besides, Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark.
I learnt it and quickly wrote a Python script to test the power of scapy, following all the steps below:
Here is the successful result:
Compared to netdiscover
Hexdump
Binary string
SYN scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. ... If the server responds with a SYN/ACK (synchronization acknowledged) packet from a particular port, it means the port is open.
Speaking of scapy: as a CTF noob, I found that many challenges require a moderate skill level with it. In some cases, scapy made everything easier.
This example helps us see what scapy can do.
Analyzing the code:
rdpcap() loads the entire pcap file into memory, which may use a lot of memory on large captures. Alternatively, you can use sniff():
sniff(offline="your_file.pcap", prn=method_filter_HTTP, store=0)
sniff() reads one packet at a time and passes it to the provided prn function. The store=0 parameter ensures that each packet is discarded from memory as soon as it is processed, so consider which method fits your case.
We have managed to intercept communications from Dr. Evil's base but it seems to be encrypted. Can you recover the secret message?
Download the .tar file and extract it:
That is a TLS connection between 10.0.2.15 and 52.15.194.28.
We have no RSA key or anything else to decrypt the TLS sessions with, so we should ignore this idea.
Following the title and description, maybe the flag is related to "evil".
Searching for "evil" in the network capture:
I decide to dig deeper into this .pcap with scapy.
As you can see, the IP flags field is set to evil.
So, I combine all the information above and have an idea: if the IP flags field is evil, I write a 1 and push it into the message; if not, I set it to 0 and push that in. So, here is my simple payload:
The result comes up in binary format; just convert it to text:
Here comes the flag!
Keep moving to another challenge. The author gave me a file without any description. Check it out!
Extracting it, I get a .png file, but when I open it, nothing appears.
Analyze it:
When I see dumpcap, I immediately think of a pcap file. After searching for 2 minutes:
I decide to change the file's extension to .pcapng and open it:
I think there must be an error here. After searching on Google (again!), I realize pcapfix can solve this problem. Let's try it!
Open it again and let's see:
After an hour analyzing this file and looking through every protocol, I figure out that ICMP appears with a strange ID at some connection steps (id = 0x0000).
Because the requests and responses are all mixed together, I choose this filter:
ip.src_host== 192.168.50.10
to tell them apart and look through them easily. Finally, I find the point:
As you can see, the Identification field (ip.id) turns out to be readable when dumped in hex format.
Let's use scapy to get the value of this field from all the ICMP packets from the specified IP.
This simple script took a lot of my time because I had not yet learnt how to access ip.id in scapy.
Here is the result:
Or, if you are interested in Tshark:
As you can see, Scapy is a useful tool when we need to work with .pcap files in CTF challenges, or with networking in real life. If you spend more time researching this library, you will discover more interesting stuff than what I have written. Peace!
Happy Learning!