We Keep Coding

Python/Scapy - Sniff, & Store source IP address and source MAC address

Trying to create a function that does the following:
Uses sniff() function to listen for traffic at the en0ps3 interface
Handle traffic picked up by the sniff() function
Store the source IP address and source MAC address.
If an IP address has already been stored, but a different MAC address is seen then the script should also store this additional MAC address
The user should see a list of hosts appear in the terminal while the script is running
(I have another separate sample script that generates ARP traffic for testing functionality)
Output I'm getting is below - can anyone confirm if its correct? I'm new, and struggling with Scapy to validate my work:
^CEther / ARP who has 192.168.1.10 says 192.168.1.1
Ether / ARP is at 10:11:12:ab:ab:ab says 192.168.1.10
Ether / ARP who has 192.168.1.11 says 192.168.1.2
Ether / ARP is at 10:11:12:bc:bc:bc says 192.168.1.11
Ether / ARP who has 192.168.1.12 says 192.168.1.3
Ether / ARP is at 10:11:12:cd:cd:cd says 192.168.1.12
Ether / ARP who has 192.168.1.13 says 192.168.1.4
Ether / ARP is at 10:11:12:de:de:de says 192.168.1.13
Ether / ARP who has 192.168.1.14 says 192.168.1.5
Ether / ARP is at 10:11:12:ef:ef:ef says 192.168.1.14
Ether / ARP who has 192.168.1.15 says 192.168.1.6
Ether / ARP is at 10:11:12:f0:f0:f0 says 192.168.1.15
Ether / ARP is at de:ad:be:ef:de:ad says 192.168.1.10
My code is
from scapy.all import *
ethernetHeader = Ether()
ipHeader = IP()
icmpHeader = ICMP()
pkt = ethernetHeader/ipHeader/icmpHeader ##filtering out ARP traffic with an op code of 2 or "is-at"
def filter_packets(packets):
def packet_handler(pkt):
packets.append(pkt)
return packet_handler
def main():
packets = []
sniff(iface="enp0s3", prn=filter_packets(packets))
for p in packets:
print(p.summary(ipHeader))
main()

DNS port listener not receiving connections

My objective is to build a server socket listening on DNS port for connections, without responding anything, in order to collect some informations about IP addresses that are looking for DNS servers. The only thing I need to collect is the source IP. I wrote this code:
import socket
def create_socket():
global host
global port
global s
try:
host = ''
port = 53
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
except socket.error as msg:
print('Socekt creation error:' + str(msg))
def bind_socket():
try:
print('Binding socket to port: ' + str(port) + ', Host: ' + str(host))
s.bind((host, port))
except socket.error as msg:
print('Socket Binding error: ' + str(msg))
def socket_receive():
while True:
msg = s.recvfrom(1024)
print('IP: ' + str(msg[1]) + ', DATA: ' + msg[0].decode(encoding='cp1252', errors='ignore'))
def main():
create_socket()
bind_socket()
socket_receive()
main()
Unfortunately, I have to run this on a VirtualMachine using VirtualBox. I created a port forwarding rule for the port 53 on my router and I think I did it right, because the site "https://canyouseeme.org/" tells me that my ISP is not blocking the port. I created port forwarding rule on the VirtualMachine, so that all the traffic on the port 53 of the host will be redirected to the guest (where my program is). This is what I hope at least. I created a rule even in Windows Firewall allowing connections for the port 53. Finally, I used iptables to allow incoming traffic on the port 53 of my VirtualMachine. I still don't get anything. Probably I'm missing something, maybe I have to use dnslib in python in order to "attract" connections. Or I need to configure something more on Windows or on the router. Maybe I'm missing some important concepts.
Why I don't get any connections?
PS C:\WINDOWS\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Ethernet 3:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::e0ce:c8f6:a594:f24d%17
IPv4 Address. . . . . . . . . . . : 192.168.56.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Wireless LAN adapter Connessione alla rete locale (LAN)* 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter Connessione alla rete locale (LAN)* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : domain.name
Link-local IPv6 Address . . . . . : fe80::d03d:c2c9:163e:3eb6%6
IPv4 Address. . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::b239:56ff:fea9:f35e%6
192.168.1.1
Ethernet adapter Connessione di rete Bluetooth 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
PS C:\WINDOWS\system32> netstat -na|findstr 53
TCP 0.0.0.0:53 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5353 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
UDP 0.0.0.0:53 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 192.168.1.11:5353 *:*
UDP 192.168.56.1:5353 *:*
UDP [::]:5353 *:*
UDP [::]:5353 *:*
UDP [::]:5353 *:*
UDP [::]:5355 *:*
UDP [::1]:5353 *:*
UFW on the guest:
diego#diego-VirtualBox:~$ sudo ufw status
[sudo] password di diego:
Stato: attivo
A Azione Da
- ------ --
53 ALLOW Anywhere
19 ALLOW Anywhere
5353 ALLOW Anywhere
123 ALLOW Anywhere
53 (v6) ALLOW Anywhere (v6)
19 (v6) ALLOW Anywhere (v6)
5353 (v6) ALLOW Anywhere (v6)
123 (v6) ALLOW Anywhere (v6)
ifconfig on the guest
diego#diego-VirtualBox:~$ sudo ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::7059:da6f:6a4a:8f4e prefixlen 64 scopeid 0x20<link>
ether 08:00:27:34:d5:6d txqueuelen 1000 (Ethernet)
RX packets 395 bytes 307669 (307.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 278 bytes 33866 (33.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Loopback locale)
RX packets 35 bytes 3215 (3.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 35 bytes 3215 (3.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
iptables on guest:
diego#diego-VirtualBox:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain

The standard way to debug this is to use wireshark (https://www.wireshark.org/#download) or another packet sniffer . You can install it on both your windows host and the guest instance. Assuming your network is like this:
---------------------------
------------ -------- | |---------------|
|dns client| ---- |router| ---- |win host | guest instance|
------------ -------- ---------------------------
Listen for tcp 53 packets on the windows host's lan adapter (192.168.1.11). If no packets show up there, you have a problem with port forwarding/firewall or win host firewall. Keep in mind your home router may be acting as a DNS server and swallowing the packets.
Listen for tcp 53 packets on the guest instance. (enp0s3) If you see packets at the windows host level, but not the guest, you can try switching the adapter type used bridged instead of NAT or visa versa.
Also, it's best to debug with your DNS client inside the router first, to be sure it's actually making requests to your honeypot. If you're using nslookup or other standard client, you'll need to make sure you've set your windows host as the domain controller. e.g.
% nslookup
> server 192.168.1.1
Default server: 192.168.1.1
Address: 192.168.1.1#53
>
If all that works, I guess people simply aren't probing your network or your ISP has smart intrusion prevention that doesn't stop canyouseme, but stops dns scans ala netcat.

Python regex to match multiple times, store results separately

I'm a network engineer, trying to dip my toes into programming. I got recommended to try Python.
What I'm trying to do is to save some specific data, matching a string with multiple lines with regexp. We got our data to work with stored in SourceData.
SourceData = '
ip route 22.22.22.22 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 33.33.33.33 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.22.33.44 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.12.11 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.13.11 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.14.0 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 44.44.44.0 255.255.255.0 TenGigabitEthernet0/1/0 1.1.1.1'
The number of lines stored in SourceData is always unknown. Could be 0 lines (empty) to unlimited lines.
I want to match all lines containing ipv4-addresses starting with 11.
This is what I've come up with as a start:
ip1 = re.search('11\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}', SourceData)
if ip1:
ip1 = ip1.group()
Verify:
>>> print ip1
11.22.33.44
OK, seems to work. The idea is that when the whole SourceData is matched, with the example provided, the final result for this case would be 4 matches:
ip1 = 11.22.33.44
ip2 = 11.11.12.11
ip3 = 11.11.13.11
ip4 = 11.11.14.0
Next to learn, how do I continue to check SourceData for more matches as described above, and how do I store the multiple matches for use later on in the code? For example, later in the code I would like to use the value from a specific match, lets say match number 4 (11.11.14.0).
I have read some guidelines for Python and Regex, but it seems I quite don't understand it :)

You can use re.findall to return all of the matches
>>> re.findall(r'11\.\d{1,3}\.\d{1,3}\.\d{1,3}', SourceData)
['11.22.33.44', '11.11.12.11', '11.11.13.11', '11.11.14.0']

Several methods, one of them being:
import re
string = """
ip route 22.22.22.22 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 33.33.33.33 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.22.33.44 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.12.11 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.13.11 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.14.0 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 44.44.44.0 255.255.255.0 TenGigabitEthernet0/1/0 1.1.1.1'
"""
rx = re.compile(r'^[^\d\n]*(11(?:\.\d+){3})', re.M)
lines = [match.group(1) for match in rx.finditer(string)]
print(lines)
This yields:
['11.22.33.44', '11.11.12.11', '11.11.13.11', '11.11.14.0']
The core here is
^ # match start of the line
[^\d\n]* # NOT a digit or a newline, 0+ times
11 # 11
(?:\.\d+){3} # .0-9 three times
.+ # rest of the line
The rest is done via re.finditer() and a list comprehension.
See a demo on regex101.com.

You can use re.findall with a positive lookbehind to ensure that the correct address, just after "ip route", is being matched:
import re
s = """
ip route 22.22.22.22 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 33.33.33.33 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.22.33.44 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.12.11 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.13.11 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 11.11.14.0 255.255.255.255 TenGigabitEthernet0/1/0 1.1.1.1
ip route 44.44.44.0 255.255.255.0 TenGigabitEthernet0/1/0 1.1.1.1'
"""
final_ips = re.findall('(?<=ip route\s)11[\d\.]+', data)
Output:
['11.22.33.44', '11.11.12.11', '11.11.13.11', '11.11.14.0']

How can I put mac os x en1 interface into monitor mode to use with python3 scapy?

On my mac the wireless interface is the en1 interface. I can put the interface into monitor mode using mac's airport application but then it doesn't work with the scapy module when i use python 3. How can i make this work?
Thanks in advance
ifconfig output
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
nd6 options=1<PERFORMNUD>
media: autoselect (none)
status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr 00:3e:e1:ff:fe:0f:0a:4a
nd6 options=1<PERFORMNUD>
media: autoselect <full-duplex>
status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::7ed1:c3ff:fe6e:eeda%en1 prefixlen 64 scopeid 0x6
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
media: autoselect <full-duplex>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1452
inet6 fe80::18b8:64ff:fec8:85%awdl0 prefixlen 64 scopeid 0x9
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 7 priority 0 path cost 0
nd6 options=1<PERFORMNUD>
media: <unknown type>
status: inactive
Python Script To Detected Packets (After putting en1 into mon mode using airport)
from scapy.all import *
def pktIdentifier(pkt):
if pkt.haslayer(Dot11Beacon):
print ("[+] Detected 802.11 Beacon Frame")
elif pkt.haslayer(Dot11ProbeReq):
print ("[+] Detected 802.11 Probe Frame")
elif pkt.haslayer(TCP):
print ("[+] Detected TCP Packet")
elif pky.haslayer(UDP):
print ("[+] Detected UDP Packet")
conf.iface = 'en1'
sniff(prn=pktIdentifier)
Output of conf.route
Network Netmask Gateway Iface Output IP
0.0.0.0 0.0.0.0 192.168.0.1 en1 192.168.0.7
127.0.0.0 255.0.0.0 0.0.0.0 lo0 127.0.0.1
127.0.0.1 255.255.255.255 0.0.0.0 lo0 127.0.0.1
169.254.0.0 255.255.0.0 0.0.0.0 en1 192.168.0.7
192.168.0.0 255.255.255.0 0.0.0.0 en1 192.168.0.7
192.168.0.1 255.255.255.255 0.0.0.0 en1 192.168.0.7
192.168.0.1 255.255.255.255 0.0.0.0 en1 192.168.0.7
192.168.0.7 255.255.255.255 0.0.0.0 en1 192.168.0.7
192.168.0.255 255.255.255.255 0.0.0.0 en1 192.168.0.7

Short Answer: You could MonkeyPatch the _PcapWrapper_pypcap class. An example Code is provided below.
Slightly Longer Answer: On Mac OS X scapy sniffs on interfaces through libpcap. Instead of calling pcap_open_live we call pcap_create, pcap_set_rfmon and pcap_activate (in this order). This will set the interface in monitor mode and start capturing. I tested the following MonkeyPatch under scapy-python3 (0.21) and macOS Sierra 10.12.6. Make sure you run this Code with admin rights.
from scapy.all import *
import scapy.arch.pcapdnet
from ctypes import POINTER, byref, create_string_buffer
from ctypes.util import find_library
class _PcapWrapper_pypcap_monkeypatched(scapy.arch.pcapdnet._PcapWrapper_pypcap):
def __init__(self, device, snaplen, promisc, to_ms):
self.errbuf = create_string_buffer(PCAP_ERRBUF_SIZE)
self.iface = create_string_buffer(device.encode('ascii'))
#self.pcap = pcap_open_live(self.iface, snaplen, promisc, to_ms, self.errbuf)
STRING = c_char_p
_lib_name = find_library("pcap")
if not _lib_name:
raise OSError("Cannot fine libpcap.so library")
_lib=CDLL(_lib_name)
pcap_create = _lib.pcap_create
pcap_create.restype = POINTER(pcap_t)
pcap_create.argtypes = [STRING, STRING]
pcap_set_rfmon = _lib.pcap_set_rfmon
pcap_set_rfmon.restype = c_int
pcap_set_rfmon.argtypes = [POINTER(pcap_t), c_int]
pcap_activate = _lib.pcap_activate
pcap_activate.restype = c_int
pcap_activate.argtypes = [POINTER(pcap_t)]
self.pcap = pcap_create(self.iface, self.errbuf)
pcap_set_rfmon(self.pcap, 1)
pcap_activate(self.pcap)
self.header = POINTER(pcap_pkthdr)()
self.pkt_data = POINTER(c_ubyte)()
self.bpf_program = bpf_program()
scapy.arch.pcapdnet._PcapWrapper_pypcap = _PcapWrapper_pypcap_monkeypatched
def pktIdentifier(pkt):
if pkt.haslayer(Dot11Beacon):
print("[+] Detected 802.11 Beacon Frame")
elif pkt.haslayer(Dot11ProbeReq):
print("[+] Detected 802.11 Probe Frame")
sniff(iface="en0", prn=pktIdentifier)

When using the sniff function setting monitor=True on Mac OS Catalina always works for me. Example: scapy.all.sniff(iface='en0, monitor=True) then obviously what ever other functions you want.

This is a possible answer: http://www.cqure.net/wp/2014/04/scapy-with-wifi-monitor-rfmon-mode-on-os-x/
If you will file a bug on http://github.com/phaethon/scapy I will assist with patching part.

how to get IP adress of a Host if its Mac address is known using python / scapy

How can i get the IP address of a computer if its mac address is known , using python and scapy may be

You might use the information from the arp cache:
> arp -a
localhost (10.37.129.2) at 0:1c:42:0:0:9 on vnic1 ifscope permanent [ethernet]
localhost (10.37.129.255) at ff:ff:ff:ff:ff:ff on vnic1 ifscope [ethernet]
localhost (10.211.55.2) at 0:1c:42:0:0:8 on vnic0 ifscope permanent [ethernet]
localhost (10.211.55.255) at ff:ff:ff:ff:ff:ff on vnic0 ifscope [ethernet]
fritz.slwlan.box (192.168.0.1) at 0:4:e:2b:28:16 on en1 ifscope [ethernet]
Either you parse the result of "arp -a" on Unix yourself or look at
http://libdnet.sourceforge.net/dnet.html
providing access to the ARP cache from Python.

Perhaps you could use arp-scan, but then you'd have to run as root:
$ arp-scan --interface=eth0 --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.5.2 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 00:c0:9f:09:b8:db QUANTA COMPUTER, INC.
192.168.1.4 00:02:b3:bb:5c:09 Intel Corporation
192.168.1.3 00:02:b3:bb:66:98 Intel Corporation
192.168.1.5 00:02:a5:90:c3:e6 Compaq Computer Corporation
192.168.1.6 00:c0:9f:0b:91:d1 QUANTA COMPUTER, INC.
192.168.1.8 00:02:b3:3d:13:5e Intel Corporation
...
34 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.5.2: 256 hosts scanned in 1.717 seconds (149.10 hosts/sec). 33 responded