I don't know if this is possible but I am wondering?
I am doing some internal pentesting and using Scapy and Netcat, and I created a TCP packet with the payload "testing". I want to get the payload content piped into Netcat's listening port, using this example code:
test = IP(src="192.168.4.134")/TCP(dport=1234)/"testing"
send(test)
but all that ever prints is:
.
Sent 1 packets
Which is what Scapy spits out after its sent the packet. I've been trying to figure out what I need to use in my code to show this. I know Netcat used stdin and stdout, but I don't properly know how to code in Python yet, I'm just practising!
Can anyone help? Regards,
TCP is session based. Machines that want to communicate, must first synchronize (setup a session) with one another.
This process is whats called a 3-way-handshake using the steps: SYN, SYN-ACK, ACK.
1.) Machine A ====SYN====> Machine B (Machines A, running scapy, tries to synch with B, running netcat)
2.) Machine B ==SYN-ACK==> Machine A (Machine B ACKs and SYNs with Machine A)
3.) Machine A ====ACK====> Machine B (Machine A ACKs the SYN-ACK from Machine B)
The machines now have a session (connection) and can send data to one another.
Running netcat on a listening machine and trying to send it a single packet from scapy fails because your machine (A) fails to sync with machine (B) running netcat.
IP 10.22.4.45.20 > 10.1.2.3:1234: Flags [S], seq 0:7, win 8192, length 7
IP 10.1.2.3:1234 > 10.22.4.45:20: Flags [S.], seq 2668993358, ack 1, win 14600, options [mss 1460], length 0
IP 10.22.4.45:20 > 10.1.2.3:1234: Flags [R], seq 1, win 0, length 0
As you can see, machine B (netcat) tries to syn-ack with your machine, but since you just sent it a single packet and aren't listening for the returning SYN-ACK, your machine generates a RST (Reset) and the attempted connection is shutdown before the 3-way-handshake was completed.
There are two options. Either use UDP which is connectionless and doesn't require this connection setup, or do a complete TCP handshake. Scapy has a few ways to help you manage the TCP session creation should you choose the latter: http://trac.secdev.org/scapy/wiki/TCP
Related
I am trying to send a udp packet to a local ip address. This is my example code:
from scapy.all import *
if __name__ == "__main__":
send(IP(dst="127.0.0.1")/UDP(sport=19600,dport=39600)/"abc")
I've started netcat to catch what I am going to send:
nc -ul 39600
Then I am executing the code:
python3 example_scapy_send.py
Nothing is received by the listening netcat.
At the same time I have started wireshark and I can see the packet is sent.
If I send a packet using netcat it is ariving on the listening netcat.
usr#dev:/home/usr# nc -u 127.0.0.1 39600
test
Wireshark:
The only difference I can see is that at layer 2 - destination address is multicast/broadcast when sent with scapy and unicast when sent with netcat. But this is not something I can control.
If I sent the same packet with scapy to another ip on the network (another host) the packet is received (by netcat). So the issue applies only if I am sending to a local address. Tested with any local ip. Not only 127.0.0.1. I've also tested with sendp and sr scapy functions but the result is the same.
Something more: if I've started another scapy script to listen to UDP/39600 (instead of netcat) I can see/I am receiving the packet I've sent.
Any ideas what is wrong?
tests done under ubuntu/scapy 2.5/python 3.8
I couldn't find a way to make it work with send/sendp scapy functions, but instead I tried using standart python socket and it did the job:
someSocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
someSocket.sendto(bytes('abc', "utf-8"), (127.0.0.1, 39600))
Acording to Scapy troubleshooting:
The loopback interface is a very special interface. Packets going through it are not really assembled and disassembled. The kernel routes the packet to its destination while it is still stored an internal structure. What you see with tcpdump -i lo is only a fake to make you think everything is normal. The kernel is not aware of what Scapy is doing behind his back, so what you see on the loopback interface is also a fake. Except this one did not come from a local structure. Thus the kernel will never receive it.
On Linux, in order to speak to local IPv4 applications, you need to build your packets one layer upper, using a PF_INET/SOCK_RAW socket instead of a PF_PACKET/SOCK_RAW (or its equivalent on other systems than Linux)
So you may need to add line before sending packet:
conf.L3socket = L3RawSocket
In your script. That way everything should supposed to work. At least in my environment worked out fine.
If a socket program runs on a port(say 6053) and if the rule is not added in the firewall the functions recv read and recvfrom are blocked.
How do we check this in C or python and report Port not opened error on linux machines.
Try to connect on that port using socket.connect(), if connection is not successful, then show message that Port not opened.
Tools like nmap can help in determining whether the particular port is open or closed.
TCP :
nmap uses techniques like TCP SYN scan or TCP Connect scan where the server will reply with ACK-RST packet for SYN request incase of closed port. You can notice that, it is determined at the time of 3-way handshake (connection establishment) itself.
UDP : nmap also facilitates the UDP scan, where ICMP based 'Port Unreachable' packet shall be returned in case the UDP packet arrives on a closed UDP port (This also depends on the stack in the OS). Unlike TCP, the UDP is not a connection-based protocol and ICMP is also connection-less, so you might need to send some significant number of UDP packets for a short interval and evaluate based on the responses or some similar logic.
You can arrive on similar technique/logic and determine whether the particular port is open or closed and flash appropriate message for user.
I have three virtual machines all on Centos 6.5.
The current setup is as follows:
A ------(eth0) B (eth1)------- C
Currently, when A pings C, it is routed through B as they are on different networks.
I want to write a script using python and scapy (Used on machine B) that will intercept the packet that passes through eth0.
By intercepting the packet, I can hold it for some time (delay) or do some packet manipulation.
I then want to send the packet to its destined destination.
Does anyone know how I can intercept packets before they reach their end destination using Python and Scapy?
I have read a lot about Netfilter and iptables but not exactly sure how I can intercept the packets and change them.
Thank you in advance
We are running a TCP server client architecture in a same machine, the client connects the server on 127.0.0.1:30008. What we are seeing is that some time TCP connection was getting reset by the Server. We can clearly see that on the tcpdump trace that the RST flag was sent by the server. The client code is in python, and the server code is in C.
What caused server to send this RST flat ? , this setup was used to run for months without any issue, so we are surprised to see what is happening now.
The TCP server getting data from other server via another UDP port, and it's getting transferred via TCP port 30008 to the client, client is listening to the server port in a while loop. Wondering, this Connection RST problems wont happen for the UDP connections right ?
Some time We can see that the server is closing the socket, so client getting the exception "Transport end point closed", what caused this to happen. Client has any thing to do with this issue ?
I checked out internet to see solutions, I can only see this may be due to some router sitting between the server and the client, but in my case that's not the situation.
Please help me to figure out what is going on with the server.
EDIT- Here is the sample tcptrace (Output of "tcpdump -r actuall_trace.pcap"). tcpdump.log - You can see the RST flags at the end of the file. This file includes one entire start to end communication trace.
Thank you.
Your client localhost.36291 is responding with zero-sized accept-window, indicating to the server localhost.30008 that it cannot receive any data.
15:52:59.766558 IP localhost.30008 > localhost.36291: Flags [P.], seq 218350:227950, ack 23328, win 768, options [nop,nop,TS val 2017821166 ecr 2017821158], length 9600
15:52:59.767766 IP localhost.36291 > localhost.30008: Flags [P.], seq 23328:23362, ack 227950, win 0, options [nop,nop,TS val 2017821167 ecr 2017821166], length 34
This is probably because you've filled your receive buffer in the client and probably because you're not reading from the receive buffer until empty.
In your python code, when a select indicates there's data on a file descriptor, you must read from the file descriptor until no data is returned (buffer emptied). Set the socket non-blocking, read until EAGAIN/EWOULDBLOCK.
I am broadcasting UDP packets between 2 machines and listening to them on a third machine. I can see the packets in Wireshark and need any easy way to obtain the "Data" portion of the UDP packets. I have been able to dump the packet infromation to a file using tshark
C:>tshark -V -R "udp" > C:/test.txt
However, this prints out everything in the packet, and i only want to print out the "Data" portion. Is there a way to do this?
Also, if there is a way to capture this in Python, that would be great as well. I have set up the following code:
Host = "myip"
Port = 5000
While True:
sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
sock.bind((Host,Port))
data = sock.recv(4096)
sock.close()
When i implement this code, using my "listening" pc, no data is received.
When i implement this code, using one of my two communicating pcs, "The requested address is not valid in its context"
Mind you, I see all the data being passed between the 2 pcs in Wireshark on my "listening" pc.
Thanks!
McFly,
If you want to do sniffing and display/parse packets in Python, Scapy is the way to go here. Just drop tshark as Scapy can automatically do 99% of what tshark can do out of the box.