Guillaume Valadon | 1 Feb 13:44

IPv6 Network Security: from theory to practice with Scapy

Hi guys,

I will be giving a dojo at cansecwest on Tuesday March 6th
(http://cansecwest.com/dojos/2012/ipv6_netsec.html).

The dojo focuses on IPv6 network security and uses Scapy to present
examples of IPv6 packets and local attacks.

Guillaume

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Guillaume Valadon | 1 Feb 13:54

Re: IPv6 neighbor solicitations in scapy

Hi,

>> The neighbor solicitation sent by Scapy seems correct and uses
>> 00:c0:9f:1a:5b:06 as the source MAC address.
> Yes. The solicitation sent by scapy is correct. I've only seen a problem
> with the interpretation of the packet scapy receives.

I finally understood! So, you mean that the function getmacbyip6()
should check if an ICMPv6NDOptDstLLAddr is present in the neighbor
advertisement and use this address instead of the source mac address in
the Ethernet header.

> This diff for my suggested patch to take lladdr into account looks like
> this:
> 
> 112c108,111
> <         mac = res.src
> ---
>>         try:
>>           mac = res.lladdr
>>         except AttributeError:
>>           mac = res.src
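
Review bot: The `try`/`except AttributeError` around `mac = res.lladdr` never checks that the reply carries a link-layer address option. `res.lladdr` names no layer, so the value comes from whichever layer of `res` happens to expose an `lladdr` field, and any other `AttributeError` silently selects `res.src`. Test for the option layer explicitly, read `lladdr` from that layer, and keep `mac = res.src` as the else branch.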

The patch is incomplete and should check if an ICMPv6NDOptDstLLAddr is
present and then use it:
if ICMPv6NDOptDstLLAddr in res:
  mac = res[ICMPv6NDOptDstLLAddr].lladdr
else:
  mac = res.src


Smitt | 2 Feb 14:39

Scapy and SQLite3

Hello!

So, I'm a beginner in Python, therefore please -
don't scold me for a long time...

I have one question: where can I find
the definition of a variable? For example, in
the fuzz() function there is the following code:
"""Transform a layer into a fuzzy layer by 
replacing some default values by random 
objects"""
    pdb.set_trace()
    if not _inplace:
        p = p.copy()
    q = p
...

And I can't find what the q (or p) variable is.
What is its type, etc.?

Thanks. 


Smitt | 2 Feb 14:45

Re: Scapy and SQLite3

Sorry, sqlite doesn't pertain to my question... It's my mistake...


Uwe Weissenbacher | 2 Feb 17:11

Re: IPv6 neighbor solicitations in scapy

Hi

On 01.02.2012 13:54, Guillaume Valadon wrote:
> Could you test this patch, and post it to the bug tracker if it corrects
> the issue?
> I currently do not have access to the repository.
Tested and I got the correct result:

 >>> getmacbyip6("fe80::1")
'00:05:73:a0:00:01'

Ticket has been opened at http://trac.secdev.org/scapy/ticket/727

With kind regards,
Uwe Weissenbacher
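
The check discussed in this thread, as an added example that is not Scapy's code and not part of any message: a pure-Python parser that takes the MAC from a neighbor advertisement's Target Link-Layer Address option when one is present and falls back to the Ethernet source otherwise. The names `mac_from_na` and `build_na`, the frame source `02:00:00:00:00:aa` and the `fe80::2` destination are constructed for illustration; `00:05:73:a0:00:01` is the result quoted above.

```python
import ipaddress
import struct

ND_NA = 136            # ICMPv6 type: Neighbor Advertisement
OPT_TARGET_LLADDR = 2  # ND option: Target Link-Layer Address (RFC 4861)

def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)

def mac_from_na(frame):
    """Return (mac, origin) for an Ethernet/IPv6/ICMPv6 NA frame, else None.

    Assumes no IPv6 extension headers; the ICMPv6 checksum is not verified.
    """
    if len(frame) < 14 + 40 + 24:
        return None
    if frame[12:14] != b"\x86\xdd" or frame[20] != 58 or frame[54] != ND_NA:
        return None
    opts = frame[78:]  # 14 Ethernet + 40 IPv6 + 24 fixed NA bytes
    while len(opts) >= 2:
        otype, olen = opts[0], opts[1] * 8  # length counts 8-byte units
        if olen == 0 or olen > len(opts):
            break  # malformed option: stop and fall back to the frame source
        if otype == OPT_TARGET_LLADDR and olen == 8:
            return fmt_mac(opts[2:8]), "option"
        opts = opts[olen:]
    return fmt_mac(frame[6:12]), "ethernet"

def build_na(eth_src, opts=b""):
    """Constructed sample frame: an NA for fe80::1 with raw option bytes."""
    target = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("fe80::2").packed
    icmp = bytes([ND_NA, 0, 0, 0]) + b"\x60\x00\x00\x00" + target + opts
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + target + dst
    return b"\x02\x00\x00\x00\x00\xbb" + eth_src + b"\x86\xdd" + ip6 + icmp

SRC = bytes.fromhex("0200000000aa")        # constructed frame source
TLLA = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex("000573a00001")

if __name__ == "__main__":
    print(mac_from_na(build_na(SRC, TLLA)))  # option present
    print(mac_from_na(build_na(SRC)))        # no option: frame source
```

The returned origin tag lets a caller log when the advertised address differs from the frame's source address.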


maxkweeger | 3 Feb 16:46

Capture result server

Dear all,

I'm new to the scapy world.
Can you give me an idea of how to capture the response of a POP server?

First I connect to the proxy.
Second I connect to the POP server.

My code:

**********************************************************
from scapy.all import *
dst, dport, sport = "xxx.xxx.xxx.xxx", 8080, int(RandShort())
print "telnet proxy\r\n"
#SYN
syn = IP(dst = dst)/TCP(sport = sport, dport = dport, flags = 'S')

#Send SYN and receive  SYN/ACK
synack = sr1(syn, verbose=0)

#Send ACK
ack = IP(dst = dst)/TCP(sport = syn.sport, dport = dport, seq =
synack.ack, ack = synack.seq+1, flags = 'A')
send(ack, verbose=0)

print "CONNECT pop.xxx.xxx:110 HTTP/1.0\n"
C1 = IP(dst = dst)/TCP(sport = syn.sport, dport = dport, seq =
synack.ack, ack = synack.seq+1, flags = 'PA')/Raw(load = 'C')
rep1 = sr1(C1, verbose=0)


Dustin Berman | 6 Feb 19:30

Modbus Extensions

I was wondering if anybody had done a Modbus Extension for Scapy?  I am
currently working on one and was just looking to see if someone else had any
start to one.  I was also wondering if there is an easy way to resize a field. 
I receive a packet from a server copy it and change a couple fields around and
only two fields go from two bytes long to only a size byte and I did not know if
there is a way to change the size of the fields without using the variable
length field.  I tried to add just a different class and build the packet that
way but when I did that I always ended up getting an Ethernet trailer and the
packet was all messed up.

Thanks in advance,

Dustin


Nicolas Maitre | 12 Feb 12:51

Design of a MPTCP test suite

Hi,

I'm currently developing a test suite for the Multipath TCP [0]
protocol implementations in the context of a Master's thesis.
The first step was to implement a mptcp dissector in scapy. Mptcp is
actually using several TCP connections to establish a higher-level
multi-flows/paths/interfaces connection. It uses a whole new set of
TCP options as mptcp connection control data, making it possible to
aggregate the distinct TCP subflows into a bigger mptcp data flow.

The only way I've found to implement the dissector was by introducing
python objects for each TCP option in layers/inet.py.

Here is an example that shows how it is logically structured for the moment:

>> a[0].show2()
###[ cooked linux ]###
 pkttype= sent-by-us
 lladdrtype= 0x1
 lladdrlen= 6
 src= '\x00%\xb3\x02\xd24'
 proto= 0x800
###[ IP ]###
    version= 4L
    ihl= 5L
    tos= 0x0
    len= 80
    id= 32501
    flags= DF
    frag= 0L

Qu bo | 13 Feb 07:25

what is the reply condition for srp1 ?

Dear all,

  I have a very simple question about scapy.

I run ARP spoofing to one of my Windows hosts. The code is like below.

#!/usr/bin/python

from scapy.all import *
import sys

conf.iface="eth2"

a=ARP()
a.pdst="192.168.56.1"
a.hwsrc="11:11:11:11:11:11"
a.psrc="192.168.56.5"
a.hwdst="ff:ff:ff:ff:ff:ff"

send(a)

As you can see, I am trying to spoof my Windows host that 192.168.56.5 is at
11:11:11:11:11:11.

After that I am trying to send a TCP SYN packet to its port 135
(Windows is at 192.168.56.1) with the spoofed MAC.

SPORT=11022
SRCIP="192.168.56.5"
DSTIP="192.168.56.1"

Qu bo | 14 Feb 09:08

Re: what is the reply condition for srp1 ?

Dear all.

I got it to work eventually. The trick is ugly but works for me.

1. I used the wrong MAC (11:11:11:11:11:11). Changed it to a normal one
but still faked in my network.

2. Put the interface into promiscuous mode. After srp1 has finished,
turn off promiscuous mode.

3. The working script is below.

   The code is ugly too.

#!/usr/bin/python

from scapy.all import *
import sys,os

conf.iface="em1"

a=ARP()
a.pdst="172.27.103.232"
#a.hwsrc="11:11:11:11:11:11"
a.hwsrc="00:40:9d:50:43:b4"
a.psrc="172.27.103.31"
a.hwdst="ff:ff:ff:ff:ff:ff"
SPORT=10422
SRCIP="172.27.103.31"
DSTIP="172.27.103.232"

