Dustin Berman | 6 Feb 19:30

Modbus Extensions

I was wondering if anybody had done a Modbus extension for Scapy?  I am
currently working on one and was just looking to see if someone else had any
start to one.  I was also wondering if there is an easy way to resize a field.
I receive a packet from a server, copy it and change a couple of fields around,
and only two fields go from two bytes long to only a size byte, and I did not know if
there is a way to change the size of the fields without using the variable
length field.  I tried to add just a different class and build the packet that
way, but when I did that I always ended up getting an Ethernet trailer and the
packet was all messed up.

Thanks in advance,

Dustin

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org
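
An added example (not from the post and not Scapy code) of the request/response asymmetry that most likely explains the resizing problem: a function 3 read request carries a 2-byte starting address and a 2-byte quantity, while the response carries a 1-byte byte count followed by the register data, so they are two different layouts (in Scapy, two layers bound to the same function code) rather than one layer whose fields shrink. Plain Python with struct, so it runs without Scapy; the frames are constructed here.

```python
import struct

READ_HOLDING_REGISTERS = 3   # Modbus function code 0x03

def parse_mbap(frame):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU).

    MBAP header: transaction id (2), protocol id (2, always 0), length (2,
    counts unit id + PDU), unit id (1). The PDU starts with the function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack_from("!HHHB", frame, 0)
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d but %d bytes follow" % (length, len(frame) - 6))
    return tid, uid, frame[7:]

def parse_pdu(pdu, is_response):
    """Decode a function 3 PDU; the request and the response have different shapes."""
    fc = pdu[0]
    if fc & 0x80:                      # exception response: code | 0x80, then exception code
        return {"function": fc & 0x7F, "exception": pdu[1]}
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError("function %d not handled here" % fc)
    if not is_response:
        # request: 2-byte starting address, 2-byte quantity (1..125 per the spec)
        start, qty = struct.unpack_from("!HH", pdu, 1)
        if not 1 <= qty <= 125:
            raise ValueError("quantity %d out of range" % qty)
        return {"function": fc, "start": start, "quantity": qty}
    # response: 1-byte byte count, then that many bytes of 16-bit register values
    count = pdu[1]
    if count != len(pdu) - 2 or count % 2:
        raise ValueError("byte count %d inconsistent with %d data bytes" % (count, len(pdu) - 2))
    regs = struct.unpack("!%dH" % (count // 2), pdu[2:])
    return {"function": fc, "registers": list(regs)}

def build_frame(tid, uid, pdu):
    """Wrap a PDU in an MBAP header with the length computed, not hand-set."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, uid) + pdu

# Constructed sample exchange: read 2 holding registers starting at address 0
REQUEST = build_frame(1, 1, struct.pack("!BHH", READ_HOLDING_REGISTERS, 0, 2))
RESPONSE = build_frame(1, 1, struct.pack("!BB", READ_HOLDING_REGISTERS, 4)
                       + struct.pack("!HH", 0x1234, 0x5678))
```

The length and byte-count consistency checks are what you want in a monitoring parser, since a frame whose MBAP length disagrees with its size is either truncated or malformed.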

maxkweeger | 3 Feb 16:46

Capture server result

Dears,

I'm new to the Scapy world.
Can you give me an idea of how to capture the response of a POP server?

First I connect to the proxy
Second I connect to the POP server

My code:

**********************************************************
from scapy.all import *
dst, dport, sport = "xxx.xxx.xxx.xxx", 8080, int(RandShort())
print("telnet proxy\r\n")
# SYN
syn = IP(dst=dst)/TCP(sport=sport, dport=dport, flags='S')

# Send SYN and receive SYN/ACK
synack = sr1(syn, verbose=0)

# Send ACK
ack = IP(dst=dst)/TCP(sport=syn.sport, dport=dport, seq=synack.ack,
                      ack=synack.seq+1, flags='A')
send(ack, verbose=0)

print("CONNECT pop.xxx.xxx:110 HTTP/1.0\n")
C1 = IP(dst=dst)/TCP(sport=syn.sport, dport=dport, seq=synack.ack,
                     ack=synack.seq+1, flags='PA')/Raw(load='C')
rep1 = sr1(C1, verbose=0)


Smitt | 2 Feb 14:39

Scapy and SQLite3

Hello!

So, I'm a beginner in Python, therefore please
don't scold me for too long...

I have one question: where can I find
the definition of a variable? For example, in
the fuzz() function there is the following code:

def fuzz(p, _inplace=0):
    """Transform a layer into a fuzzy layer by
    replacing some default values by random
    objects"""
    pdb.set_trace()
    if not _inplace:
        p = p.copy()
    q = p
...

And I can't find what the q (or p) variable is.
What is its type, etc.?

Thanks. 


Guillaume Valadon | 1 Feb 13:44

IPv6 Network Security: from theory to practice with Scapy

Hi guys,

I will be giving a dojo at CanSecWest on Tuesday, March 6th
(http://cansecwest.com/dojos/2012/ipv6_netsec.html).

The dojo focuses on IPv6 network security and uses Scapy to present
examples of IPv6 packets and local attacks.

Guillaume


jeetika kataria | 30 Jan 16:46

SNAP header with Q Tag

Hello


Is it possible to add an IEEE 802.1Q tag to a SNAP header using Scapy?

Thanks.
Andrew Little | 26 Jan 18:43

DHCPv6OptIAAddress Option extra field

Hello List,

I am trying to test DHCPv6 Authentication with IA_NAs. When I add the following packet...

packet = Ether(dst=dstMAC, src=srcMAC) \
    /IPv6(src=srcIP, dst=dstIP, hlim=1) \
    /UDP() \
    /DHCP6_Request(trid=transactionID) \
    /DHCP6OptClientId(optlen=14, duid=DUID_LLT(lladdr=clientID)) \
    /DHCP6OptIA_NA(optlen=40, iaid=1, T1=4294967295, T2=4294967295,
                   ianaopts=[DHCP6OptIAAddress(addr=requestedAddress, optlen=28)]) \
    /DHCP6OptElapsedTime(optlen=2, elapsedtime=300) \
    /DHCP6OptOptReq(optlen=4, reqopts=[23, 24]) \
    /DHCP6OptServerId(optlen=14, duid=DUID_LLT(lladdr=serverID))

...Scapy sends out a packet that has 4 extra bytes after the DHCP6OptIAAddress option. I believe this is the iaid field in that option, because when I change the iaid field these extra bytes change accordingly.

However, Wireshark sees these bytes as an unknown DHCPv6 option (or another option if the iaid was high enough), thus breaking how Wireshark sees these packets. Also, looking at RFC 3315 (http://www.networksorcery.com/enp/rfc/rfc3315.txt) I cannot find anything that would say that each individual IA_NA needs a separate iaid.

I can get around this by just using the raw packet header...but it's irritating that the header doesn't create the correct packet.

Thanks
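
Added example, not from the post and not Scapy code: a small RFC 3315 option walker that shows why 4 stray bytes after the IAADDR break decoding. It builds a correct IA_NA holding one IAADDR, and the same option with the IAID bytes appended after the IAADDR as the post describes, and reports what a strict decoder makes of the trailer. The samples are constructed; no Scapy is needed to run it.

```python
import struct

OPTION_IA_NA = 3     # RFC 3315 section 22.4
OPTION_IAADDR = 5    # RFC 3315 section 22.6

def parse_options(buf):
    """Walk a DHCPv6 option list: 2-byte code, 2-byte length, payload."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d length %d overruns the buffer" % (code, length))
        opts.append((code, buf[off:off + length]))
        off += length
    return opts

def check_ia_na(payload):
    """Return problems with one IA_NA body: IAID, T1, T2, then sub-options."""
    if len(payload) < 12:
        return ["IA_NA body shorter than 12 bytes"]
    try:
        subopts = parse_options(payload[12:])
    except ValueError as exc:
        return ["IA_NA sub-options do not parse: %s" % exc]
    problems = []
    for code, body in subopts:
        if code != OPTION_IAADDR:
            problems.append("unexpected option %d inside IA_NA" % code)
        elif len(body) < 24:           # 16-byte address + preferred + valid lifetimes
            problems.append("IAADDR body shorter than 24 bytes")
    return problems

def opt(code, body):
    return struct.pack("!HH", code, len(body)) + body

def ia_na(iaid, t1, t2, subopts):
    return opt(OPTION_IA_NA, struct.pack("!III", iaid, t1, t2) + subopts)

# Constructed samples: a correct IA_NA holding one IAADDR, and the same with a
# stray 4-byte copy of the IAID appended after the IAADDR, as the post describes.
ADDR = bytes.fromhex("20010db8000000000000000000000001")      # 2001:db8::1
IAADDR = opt(OPTION_IAADDR, ADDR + struct.pack("!II", 3600, 7200))
GOOD = ia_na(1, 0xFFFFFFFF, 0xFFFFFFFF, IAADDR)
BAD = ia_na(1, 0xFFFFFFFF, 0xFFFFFFFF, IAADDR + struct.pack("!I", 1))
```

With iaid=1 the trailer reads as option code 0 with length 1 and overruns the option, which is the "unknown option" Wireshark reports; a larger iaid makes the same bytes look like a different option code.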
jeetika kataria | 26 Jan 15:43

Saving Session

Hello List,


I am doing some robustness tests using Scapy. I don't know how I can save these tests in Scapy so that I don't have to create them every time I start a new session. Can I save them in a file and then call it from Scapy interactive?

P.S.: I am new to scapy

Thanks.
Lanfeust troy | 25 Jan 22:10

DNS query never gets a response

hi list,


I'm trying to send a DNS request to my DNS server with Scapy. Scapy never receives a response and I have nothing in the server log.

My first test is

host ns.troy.kvm 192.168.0.3

This works fine.

And in Scapy I use:

>>> pkt=IP(dst="192.168.0.3")/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="ns.troy.kvm",qtype="A"))
>>> p=sr1(pkt)
Begin emission:
Finished to send 1 packets.
..........^C
Received 10 packets, got 0 answers, remaining 1 packets

Where is the problem?

thanks
Uwe Weissenbacher | 25 Jan 17:20

IPv6 neighbor solicitations in scapy

Hi

I'm working with scapy to test some IPv6 stuff and I came to a situation 
where scapy didn't fill out the source MAC address field correctly (in 
my opinion).

The node running scapy has a simple IPv6 routing table:

> # ip -6 route show
> 2001:db8:fe20:100::1 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
> fe80::/65 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
> default via fe80::1 dev eth1  metric 1024  mtu 1500 advmss 1440 hoplimit 0

So packets which are sent to networks not directly connected should use 
the default gateway fe80::1

> # ip -6 neighbor show
> fe80::1 dev eth1 lladdr 00:05:73:a0:00:01 router STALE

and the destination MAC should be 00:05:73:a0:00:01, which is a MAC 
address used by Cisco routers speaking HSRP version 2. After looking in 
the scapy sources I found the function getmacbyip6() in inet6.py and 
executed a neighbor solicitation used by this function with my values:

neighsol('fe80::1','fe80::1','eth1',0)

The dump of this neighbor solicitation has been put up at

http://www.cloudshark.org/captures/12766e13eb2d

As you can see the neighbor advertisement contains two different MAC 
addresses. One in the Ethernet Layer 2 which is always picked by scapy 
in getmacbyip6

mac = res.src

and the second and correct one can be found in the ICMPv6 option.

As far as I understand RFC2461 the ICMPv6 option MAC address should 
always be used if it is there. Actually Linux does it this way as you 
can see in my "ip -6 neighbor show" output. So I think the code in scapy 
should be extended and the mac should always be set to res.lladdr and 
only to res.src if this fails.  My suggestion for the line above is:

try:
	mac = res.lladdr
except AttributeError:
	mac = res.src

With kind regards,
Uwe Weissenbacher
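
Added example, not from the post and not Scapy's inet6.py: the RFC 2461 preference the post argues for, as a standalone parser that takes the Target Link-Layer Address option out of a Neighbor Advertisement and falls back to the Ethernet source address only when that option is absent. The frames are constructed; the HSRP MAC is the one from the post, the router's physical NIC address and the link-local addresses are made up.

```python
import struct

ICMPV6_NA = 136            # Neighbor Advertisement, RFC 2461 section 4.4
OPT_TARGET_LLADDR = 2      # Target Link-Layer Address option, RFC 2461 section 4.6.1
ETHERTYPE_IPV6 = 0x86DD

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def na_link_layer_address(frame):
    """Return (mac, source) for a Neighbor Advertisement frame.
    The Target Link-Layer Address option wins when present; the Ethernet source
    address is only the fallback, which is the ordering the post proposes."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        raise ValueError("not an IPv6 frame")
    eth_src = mac_str(frame[6:12])
    payload_len, next_header = struct.unpack_from("!HB", frame, 18)
    if next_header != 58:
        raise ValueError("IPv6 payload is not ICMPv6")
    icmp = frame[54:54 + payload_len]
    if icmp[0] != ICMPV6_NA:
        raise ValueError("not a Neighbor Advertisement")
    off = 24                      # type, code, checksum, flags (4), target (16)
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:          # RFC 2461: a zero-length option means discard
            raise ValueError("zero-length ND option")
        if opt_type == OPT_TARGET_LLADDR and opt_len == 1:
            return mac_str(icmp[off + 2:off + 8]), "icmpv6-option"
        off += opt_len * 8
    return eth_src, "ethernet-src"

def build_na(eth_src, ip_src, ip_dst, target, tlla=None):
    """Construct a minimal Ethernet/IPv6/ICMPv6 NA (checksum left at zero)."""
    icmp = struct.pack("!BBHI", ICMPV6_NA, 0, 0, 0xC0000000) + target  # R and S flags
    if tlla is not None:
        icmp += bytes([OPT_TARGET_LLADDR, 1]) + tlla
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + ip_src + ip_dst
    eth = bytes.fromhex("020000000002") + eth_src + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6 + icmp

# Constructed sample: the router replies from its physical NIC (address made up
# here) but advertises the HSRP virtual MAC from the post in the ICMPv6 option.
ROUTER_NIC = bytes.fromhex("020000000001")
HSRP_MAC = bytes.fromhex("000573a00001")
FE80_1 = bytes.fromhex("fe80000000000000" "0000000000000001")
FE80_2 = bytes.fromhex("fe80000000000000" "0000000000000002")
WITH_OPT = build_na(ROUTER_NIC, FE80_1, FE80_2, FE80_1, HSRP_MAC)
WITHOUT_OPT = build_na(ROUTER_NIC, FE80_1, FE80_2, FE80_1)
```

A resolver that reports which source the MAC came from also makes it easy to log advertisements whose option and Ethernet source disagree, which is worth a look on any segment where you do not expect HSRP or VRRP.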


jeetika kataria | 25 Jan 12:14

Ethernet Checksum

I am new to scapy, and I want to know how can I see what checksum scapy calculates for an Ethernet packet. 

The packet which I am creating looks like this: 
a=Ether(dst='00:1A:92:90:31:D4',src='4c:00:10:50:b4:4e')/Dot1Q(vlan=0,prio=1)/("x"*40)

Thanks.
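
Added example, not part of the post: Scapy does not compute the Ethernet FCS (the NIC appends it on transmit, and most capture setups strip it), so to see the value for a frame you compute the 802.3 CRC-32 over it yourself. The frame below is constructed with the MACs and 802.1Q tag from the post's packet; the inner EtherType is left at 0, which is Scapy's Dot1Q default.

```python
import struct
import zlib

FCS_RESIDUE = 0x2144DF1C   # CRC-32 of (data + its own FCS) for an intact frame

def ethernet_fcs(frame_without_fcs):
    """Compute the 802.3 FCS: CRC-32 (same polynomial and reflection as zlib's)
    over everything from the destination MAC through the payload and padding."""
    return zlib.crc32(frame_without_fcs) & 0xFFFFFFFF

def append_fcs(frame_without_fcs):
    """Append the FCS least-significant byte first, as it appears on the wire."""
    return frame_without_fcs + struct.pack("<I", ethernet_fcs(frame_without_fcs))

def fcs_is_valid(frame_with_fcs):
    """Check a captured frame that still carries its trailer. If a frame is 4
    bytes shorter than expected, the capture path stripped the FCS already."""
    if len(frame_with_fcs) < 64:
        return False  # below the 802.3 minimum frame size including the FCS
    return (zlib.crc32(frame_with_fcs) & 0xFFFFFFFF) == FCS_RESIDUE

# Constructed frame with the MACs from the post, an 802.1Q tag (prio 1, vlan 0),
# inner EtherType 0, and 40 bytes of 'x', padded to the 60-byte minimum before the FCS.
HEADER = (bytes.fromhex("001a929031d4") + bytes.fromhex("4c001050b44e")
          + struct.pack("!HH", 0x8100, (1 << 13) | 0) + struct.pack("!H", 0))
FRAME = (HEADER + b"x" * 40).ljust(60, b"\x00")
TAGGED = append_fcs(FRAME)
```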
Neil Greenough | 24 Jan 21:16

Scapy sniffing inactivity

Hi folks,


I currently have scapy working on an infinite loop sniffing wireless packets using the below line of code in a Python script:

sniff(iface="wlan0", prn=sniffing_method)

My function works fine but I'm looking for a way to programmatically (is that a word?) stop the sniffing loop. I've been looking at the PatchSelectStopperTimeout patch for Scapy and I'm wondering if there is anything I can do with this? I am thinking along the lines of, if no new routers detected for over 120 seconds, exit loop. I'm assuming I need to use the 'Stopper' and 'StopperTimeout' functions but I've just got no idea how to implement them. I've been having a play but I'm having no luck, so does anyone have any pointers? Also, to use this patch, do I need to install anything or should it just work with the latest Scapy library?

Thanks again
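
Added example, not from the post or the patch it mentions: current Scapy's sniff() accepts a stop_filter argument, a callable evaluated once per captured packet after prn, so the "no new router for 120 seconds" rule can be written in plain Python without patching Scapy. sniffing_method is the post's handler; bssid_of and the wiring in the trailing comment are assumptions.

```python
import time

class InactivityStopper:
    """Stop a sniff() loop once no *new* identifier (e.g. a router BSSID) has
    been seen for idle_seconds. Pass should_stop as sniff(..., stop_filter=...)."""

    def __init__(self, idle_seconds=120, clock=time.monotonic):
        self.idle_seconds = idle_seconds
        self.clock = clock            # injectable so the logic can be tested offline
        self.seen = set()
        self.last_new = self.clock()

    def observe(self, key):
        """Record one identifier; return True if it had not been seen before."""
        if key is None or key in self.seen:
            return False
        self.seen.add(key)
        self.last_new = self.clock()
        return True

    def should_stop(self, pkt=None):
        """True once the idle window has elapsed with no new identifier.
        Scapy calls this once per captured packet, after prn has run."""
        return self.clock() - self.last_new >= self.idle_seconds


def bssid_of(pkt):
    """Hypothetical helper, not Scapy's: pick the BSSID out of a sniffed 802.11
    frame. In beacons Scapy's Dot11 layer carries it in addr3 (addr2 matches)."""
    return getattr(pkt, "addr3", None)

# Assumed wiring with the post's sniffing_method (not executed here):
#   stopper = InactivityStopper(idle_seconds=120)
#   def on_packet(pkt):
#       stopper.observe(bssid_of(pkt))
#       sniffing_method(pkt)
#   sniff(iface="wlan0", prn=on_packet, stop_filter=stopper.should_stop)
```

Because stop_filter only runs when a packet arrives, a completely silent channel never triggers it; pass sniff's timeout= as well if you need a hard ceiling.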
