Piotr Kaczorek | 1 Jun 2012 13:23

Re: Retrieving RSSI from WiFi packets

This definitely isn't bulletproof (and not 'elegant') but for now I will 
use:
sig_str = -(256-ord(packet.notdecoded[-4:-3]))

These bytes seem to give me the number shown by wireshark/tcpdump as the 
signal value.

Thank you for help Joshua

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org
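
An added example, not part of the original post or of Scapy: whether the signal byte sits fourth from the end depends on which radiotap fields the driver places after it, so this parser walks the radiotap present bitmap and field alignment to locate the dBm antenna signal, and compares the result with the fixed-offset expression from the message. The function names and both sample headers are constructed here, and it assumes `notdecoded` holds the radiotap bytes that follow the first present word.

```python
import struct

# (alignment, size) of the radiotap fields for present bits 0..5, in bit order
FIELDS = [(8, 8), (1, 1), (1, 1), (2, 4), (2, 2), (1, 1)]
# bit: 0 TSFT, 1 Flags, 2 Rate, 3 Channel, 4 FHSS, 5 dBm antenna signal
SIGNAL_BIT, EXT_BIT = 5, 31

def radiotap_signal_dbm(frame):
    """Return the dBm antenna signal of a radiotap-prefixed frame, or None."""
    if len(frame) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, hdr_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or not 8 <= hdr_len <= len(frame):
        raise ValueError("not a valid radiotap header")
    offset, word = 8, present
    while word & (1 << EXT_BIT):          # skip chained present words
        if offset + 4 > hdr_len:
            raise ValueError("present bitmap runs past header")
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    if not present & (1 << SIGNAL_BIT):
        return None                        # driver did not report a signal
    for bit, (align, size) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        offset = (offset + align - 1) & ~(align - 1)   # natural alignment
        if offset + size > hdr_len:
            raise ValueError("field runs past header")
        if bit == SIGNAL_BIT:
            return struct.unpack_from("<b", frame, offset)[0]
        offset += size

def fixed_offset_guess(frame):
    """The thread's expression, applied to the bytes after the present word."""
    hdr_len = struct.unpack_from("<H", frame, 2)[0]
    notdecoded = frame[8:hdr_len]
    return -(256 - ord(notdecoded[-4:-3]))

def build(present, fields):
    """Construct a sample radiotap header (test data, not a capture)."""
    return struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields

CHANNEL = struct.pack("<HH", 2437, 0x00A0)
# Flags, Rate, Channel, Signal, Antenna, RX flags: signal is 4th from the end
FRAME_A = build(0x482E, b"\x00\x02" + CHANNEL + b"\xc3\x00\x00\x00")
# Flags, pad, Channel, Signal only: nothing follows the signal byte
FRAME_B = build(0x002A, b"\x00\x00" + CHANNEL + b"\xd8")

if __name__ == "__main__":
    for name, f in (("A", FRAME_A), ("B", FRAME_B)):
        print(name, radiotap_signal_dbm(f), fixed_offset_guess(f))
```

On the second header the fixed offset lands on a byte of the channel frequency, which is why the two functions disagree there.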

Riccardo Ravaioli | 6 Jun 2012 15:58

sr function not getting all ICMP messages back

Hi guys,

I dumped some outgoing packets and I'm trying to replay them with a modified TTL value. Say, for example, TTL = 1.
I noticed something odd. If I pass them all to sr I /never/ get all the ICMP time-exceeded messages back.  I do something like this:

ans,unans = sr(myPackets, inter = 1, timeout = 10)

I tried with different values for 'inter', from 0.1 to 5 seconds, but I couldn't notice any improvements. It looks like, as the number of packets I'm passing increases, sr finds it more and more difficult to process ICMP replies or at least pair them with the corresponding packets.

I'm saying this because it doesn't seem to be related to ICMP rate limiting. If I give sr one packet at a time and then pause for, say, 1 sec, I always get *every* ICMP time-exceeded message, even if I pause for just 0.1 seconds:
for p in myPackets:
    sr( p, timeout = 10)
    time.sleep(1)

Any clue as to what I'm doing wrong here?

Thanks!

Riccardo.

bede | 8 Jun 2012 00:11

LLMNR listener / spoofer

Forgive me if this has been asked - I looked but could not find it, if so.

I see that there is a module for LLMNR in Scapy.  However, I see no usage
examples.  What I would like to do is make a Scapy script that listens for
LLMNR requests and automatically responds with a specific IP address for
ALL of these requests.  Effectively I want all machines to resolve to a
specific IP address and connect to it.

If I was really smart, I'd try to keep track of what machine asked for
what host so I could forward ports to the end destination for a MiTM
attack, but that isn't my main goal.

So, has this been done?  Or is there a similar example I might be able to
modify to work like this?

Thanks much,
Bede


Ricardo Oliveira | 12 Jun 2012 03:35

Scapy and Mac OS x

Hi,

Scapy doesn't seem to install very well on Mac OS. I've spent hours trying to make it work. The problem I'm
having right now is that whenever I use sniff() inside a module called from the python interpreter I get the
following message:
"WARNING: Unable to guess datalink type (interface=en0 linktype=1). Using Raw"

and it's not able to capture any packets. However, if I use sniff() inside of scapy it works!

Does anyone have the faintest idea of what's happening?

cheers

--Ricardo

Zack Payton | 12 Jun 2012 06:42

Re: Scapy and Mac OS x

Did you manually install it or did you use Mac ports?

On Jun 11, 2012, at 6:35 PM, Ricardo Oliveira <rvelosoo <at> gmail.com> wrote:

> Hi,
> 
> Scapy doesn't seem to install very well on Mac OS. I've spent hours trying to make it work. The problem I'm
> having right now is that whenever I use sniff() inside a module called from the python interpreter I get the
> following message:
> "WARNING: Unable to guess datalink type (interface=en0 linktype=1). Using Raw"
> 
> and it's not able to capture any packets. However, if I use sniff() inside of scapy it works!
> 
> Does anyone have the faintest idea of what's happening?
> 
> cheers
> 
> --Ricardo

Ricardo Oliveira | 12 Jun 2012 06:49

Re: Scapy and Mac OS x

Never mind, I just fixed the problem... I installed manually, ports version was installing python 2.5

--Ricardo

On Jun 11, 2012, at 9:42 PM, Zack Payton wrote:

> Did you manually install it or did you use Mac ports?
> 
> On Jun 11, 2012, at 6:35 PM, Ricardo Oliveira <rvelosoo <at> gmail.com> wrote:
> 
>> Hi,
>> 
>> Scapy doesn't seem to install very well on Mac OS. I've spent hours trying to make it work. The problem I'm
>> having right now is that whenever I use sniff() inside a module called from the python interpreter I get the
>> following message:
>> "WARNING: Unable to guess datalink type (interface=en0 linktype=1). Using Raw"
>> 
>> and it's not able to capture any packets. However, if I use sniff() inside of scapy it works!
>> 
>> Does anyone have the faintest idea of what's happening?
>> 
>> cheers
>> 
>> --Ricardo

Sean Cavanaugh (scavanau | 12 Jun 2012 15:22

RE: Scapy and Mac OS x

Since you figured it out, rather than saying 'Never mind, I just fixed the
problem' can you provide the solution so it's documented for everyone
else to find?

-----Original Message-----
From: Ricardo Oliveira [mailto:rvelosoo <at> gmail.com] 
Sent: Tuesday, June 12, 2012 12:49 AM
To: scapy.ml <at> secdev.org
Subject: Re: [scapy.ml] Scapy and Mac OS x

Never mind, I just fixed the problem... I installed manually, ports
version was installing python 2.5

--Ricardo

On Jun 11, 2012, at 9:42 PM, Zack Payton wrote:

> Did you manually install it or did you use Mac ports?
> 
> On Jun 11, 2012, at 6:35 PM, Ricardo Oliveira <rvelosoo <at> gmail.com> wrote:
> 
>> Hi,
>> 
>> Scapy doesn't seem to install very well on Mac OS. I've spent hours
>> trying to make it work. The problem I'm having right now is that whenever
>> I use sniff() inside a module called from the python interpreter I get
>> the following message:
>> "WARNING: Unable to guess datalink type (interface=en0 linktype=1). Using Raw"
>> 
>> and it's not able to capture any packets. However, if I use sniff()
>> inside of scapy it works!
>> 
>> Does anyone have the faintest idea of what's happening?
>> 
>> cheers
>> 
>> --Ricardo

Ricardo Oliveira | 12 Jun 2012 18:47

Re: Scapy and Mac OS x

The problem is that it was not importing all modules of scapy - that's the reason I didn't mention - I had to do
import *

Sent from my iPhone

On Jun 12, 2012, at 6:22 AM, "Sean Cavanaugh (scavanau)" <scavanau <at> cisco.com> wrote:

> Since you figured it out, rather than saying 'Never mind, I just fixed the
> problem' can you provide the solution so it's documented for everyone
> else to find?
> 
> -----Original Message-----
> From: Ricardo Oliveira [mailto:rvelosoo <at> gmail.com] 
> Sent: Tuesday, June 12, 2012 12:49 AM
> To: scapy.ml <at> secdev.org
> Subject: Re: [scapy.ml] Scapy and Mac OS x
> 
> Never mind, I just fixed the problem... I installed manually, ports
> version was installing python 2.5
> 
> --Ricardo
> 
> On Jun 11, 2012, at 9:42 PM, Zack Payton wrote:
> 
>> Did you manually install it or did you use Mac ports?
>> 
>> On Jun 11, 2012, at 6:35 PM, Ricardo Oliveira <rvelosoo <at> gmail.com> wrote:
>> 
>>> Hi,
>>> 
>>> Scapy doesn't seem to install very well on Mac OS. I've spent hours
>>> trying to make it work. The problem I'm having right now is that whenever
>>> I use sniff() inside a module called from the python interpreter I get
>>> the following message:
>>> "WARNING: Unable to guess datalink type (interface=en0 linktype=1). Using Raw"
>>> 
>>> and it's not able to capture any packets. However, if I use sniff()
>>> inside of scapy it works!
>>> 
>>> Does anyone have the faintest idea of what's happening?
>>> 
>>> cheers
>>> 
>>> --Ricardo

Ricardo Oliveira | 16 Jun 2012 01:37

"Inter" parameter in sr() function seems to have very low accuracy with sub second values

Hello List,

I'm using the sr() function with a send=0.002, and when I check the timestamps with tcpdump, I see that the
spacing between pkts is sometimes on the order of 20ms instead of 2ms. Is this a known limitation?  Any plans
to improve it?

cheers

--Ricardo

Džiugas Baltrūnas | 20 Jun 2012 12:56

Routing based on source address and PPP layering

Hello,

I'm using Scapy 2.2.0 on Debian/wheezy and want to send ICMP packets
over one of the PPP interfaces (Huawei E173 for GPRS/HSPA mobile
broadband), let's say ppp0 and ppp1. I'm using two routing tables and
two rules so that the interface is selected based on source IP address:

# ip rule show
0:	from all lookup local
32764:	from 1.1.1.1 lookup t1
32765:	from 2.2.2.2 lookup t2
32766:	from all lookup main
32767:	from all lookup default

# ip route show table t1
default via 10.64.64.64 dev ppp0
10.64.64.64 dev ppp0  proto kernel  scope link  src 1.1.1.1

# ip route show table t2
default via 10.64.64.65 dev ppp1
10.64.64.65 dev ppp1  proto kernel  scope link  src 2.2.2.2

# ip route show
default via 192.168.1.1 dev eth0
10.64.64.64 dev ppp0  proto kernel  scope link  src 1.1.1.1
10.64.64.65 dev ppp1  proto kernel  scope link  src 2.2.2.2
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.25

Then, if I'm using layer 3 functions and provide source IP address
like IP(src="1.1.1.1", dst="www.secdev.org"), packet still goes
through the default gateway (of main table), which is not an intended
behavior. I would expect that it should behave similar to what ping's
-I flag does, so that it binds to a particular source address.

One of the options for Scapy to send a packet not via default gateway
is to manually alter conf.route, which works but is not really
convenient. Another option is to use layer 2 functions and provide an
interface name, i.e. r = srp(PPP() / IP(dst="www.secdev.org") /
ICMP(), iface="ppp0"). However, playing with various different
layerings, an ICMP packet has never physically left the device.
tcpdump (in LINUX_SLL mode which is the only available for PPP
interfaces) is able to capture the packet, but as a malformed one (Out
ethertype Unknown (0x0003)) and by looking at /proc/net/dev number of
dropped outgoing packets for ppp0 is increased after each execution of
srp(). I believe this is due to the fact that packets are not being
intercepted by the pppd daemon and therefore get rejected.

So I have two questions here:

1) Can Scapy get a route based on the source IP address while still
using layer 3 functions (same as ping -I)?
2) Is it possible to use Scapy's layer 2 functions with PPP
interfaces, so that the packet is layered correctly as a PPP frame and
is not getting dropped by the kernel?

Thanks in advance.

Džiugas
