    fouzhe
    @fouzhe
    So, if I use Fuzz function, can I specify the field to be modified?
    Guillaume Valadon
    @guedou
    If you set the field value to None, yes.
    fouzhe
    @fouzhe
    Sometimes, set the field to None can be illegal. Would it be better if we delete the corresponding key-value in the directory pkt.fields?

    Guillaume Valadon
    @guedou
    Sorry, I meant deleting the field value, like pkt.version in your example.
    fouzhe
    @fouzhe
    Thanks!
    If I want to fuzz the version field, del pkt.version before Fuzz can achieve it.
    For example
    from scapy.all import IP, fuzz, hex_bytes

    pkt = IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show2()
    del pkt.version          # drop the dissected value so fuzz() treats it as a default
    pkt_fuzz = fuzz(pkt)     # fuzz() works on a copy; pkt itself is left unchanged
    pkt_fuzz.show2()
    fouzhe
    @fouzhe
    @guedou Hi, based on this, to randomly fuzz any well-formed packet, I'd like to give this a shot like following:

    @conf.commands.register
    def fuzz(p,  # type: Packet
             _inplace=0,  # type: int
             ):
        # type: (...) -> Packet
        """
        Transform a layer into a fuzzy layer by replacing some default values
        by random objects.
    
        :param p: the Packet instance to fuzz
        :return: the fuzzed packet.
        """
        if not _inplace:
            p = p.copy()
        q = p
        while not isinstance(q, NoPayload):
            new_default_fields = {}
            multiple_type_fields = []  # type: List[str]
    -        for f in q.fields_desc:
    +        for f in list(q.fields_desc):
                if isinstance(f, PacketListField):
                    for r in getattr(q, f.name):
                        fuzz(r, _inplace=1)
                elif isinstance(f, MultipleTypeField):
                    # the type of the field will depend on others
                    multiple_type_fields.append(f.name)
                elif f.default is not None:
                    if not isinstance(f, ConditionalField) or f._evalcond(q):
                        rnd = f.randval()
                        if rnd is not None:
                            new_default_fields[f.name] = rnd
    +                    import random
    +                    if random.randint(1,5) == 2:    # randomly delete some fields
    +                        delattr(q, f.name)
            # Process packets with MultipleTypeFields
            if multiple_type_fields:
                # freeze the other random values
                new_default_fields = {
                    key: (val._fix() if isinstance(val, VolatileValue) else val)
                    for key, val in six.iteritems(new_default_fields)
                }
                q.default_fields.update(new_default_fields)
                # add the random values of the MultipleTypeFields
                for name in multiple_type_fields:
                    fld = cast(MultipleTypeField, q.get_field(name))
                    rnd = fld._find_fld_pkt(q).randval()
                    if rnd is not None:
                        new_default_fields[name] = rnd
            q.default_fields.update(new_default_fields)
    +        if _inplace:
    +            q.fields.update(new_default_fields)
            q = q.payload
        return p
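Review bot: the `delattr(q, f.name)` added under the `elif f.default is not None:` branch does not remove anything from the resulting packet. `Packet.delfieldval` only deletes a value that is explicitly present in `q.fields` and silently ignores a name that exists only in `default_fields`, so for an untouched field the call is a no-op, and for an explicitly set field the value is removed and then immediately replaced by `rnd`, either through `q.default_fields.update(new_default_fields)` or, when `_inplace` is set (which is the path the recursive `fuzz(r, _inplace=1)` call for `PacketListField` entries always takes), through the new `q.fields.update(new_default_fields)`. Both paths therefore end with the field holding a random value, exactly as before the change; there is no generic way to omit a fixed field from a layer's encoding, so "randomly delete some fields" needs a per-field strategy rather than this loop. Separately, `q.fields.update(new_default_fields)` changes the contract of `fuzz()`: the original writes only to `default_fields` precisely so that values the caller set explicitly keep precedence over the random ones, and writing into `fields` overwrites them. Two smaller points: `random.randint(1,5)` is evaluated once at fuzz time, so the selection is frozen for every later build of the packet, unlike the `VolatileValue` objects `randval()` returns, which are re-drawn on each build; and `list(q.fields_desc)` is unnecessary because nothing in the loop mutates `fields_desc`. Move `import random` to module level if it stays.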

    I'm new to Scapy and thus not sure whether it is correct.
    Could you please help me?
    Thanks!

    lapinouxxx
    @lapinouxxx

    Hello dev(s) and contributor(s), as I said on GitHub, I have an issue with the wifi card 036ach and Scapy. When sniffing, no packets are captured.
    This is how I simply test whether the card is working or not:

    └─$ sudo python3                                               
    Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
    [GCC 10.2.1 20210110] on linux
    >>> from scapy.all import *
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> exit()

    As you can see, there is no packet at all.

    Environment: 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux
    Scapy version: 2.4.4
    Driver of the card: latest
    lapinouxxx
    @lapinouxxx
    (With the 036nah I have no issue at all, FYI, using custom sockets and async sniffing.)
    higher75
    @higher75
    Who can help me?
    IP(dst='localhost') / ICMP(type=3,code=0) / ICMPExtensionHeader()
    But the result is this:
    Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 0 (Network unreachable)
    Checksum: 0xfcff [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol, bogus version (2) ---> Why not an extended data packet, but such a packet?????
    0010 .... = Version: 2
    I can't understand. Do I need to modify the Scapy code to send a normal ICMP extended packet??
    lapinouxxx
    @lapinouxxx
    For my issue, some update: I have the same problem with an Alfa Network AWUS1900. They share the same driver. Maybe Scapy doesn't handle the driver realtek-rtl88xxau-dkms yet in the latest version? I tried to use version 2.1 but it's the same outcome.
    Guillaume Valadon
    @guedou
    @higher75 I am not familiar with ICMP Extension but I believe that the Scapy implementation is only designed to parse answers.
    @lapinouxxx what are the link layers used by Wireshark with 036nah and 036ach ?
    grandnew
    @grandnew

    Hello, I have a question.
    The post_build doesn't work sometimes.
    For those initialized packets, when some fields are set to other values, the late-evaluated fields (like checksums, length, etc.) won't be updated.
    For example, for one IP packet p, when the frag of p is set to another value, the chksum field won't be recalculated.
    The reason is that those fields won't be recalculated when they already own a value (like this).
    If we run the following code snippet:

    from scapy.all import IP, hex_bytes

    pkt = IP(hex_bytes("450001e0a5764000401148bec0a86488c0a864ff"))
    pkt.show2()
    setattr(pkt, 'frag', 1)   # same as pkt.frag = 1
    pkt.show2()

    Then the output is

    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \
    
    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 1
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \

    However, I think the expected result should be like

    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \
    
    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 1
      ttl       = 64
      proto     = udp
      chksum    = 0x48bd
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \

    Is it a bug? If not, how to guarantee the validity of the packet after changing some fields?

    lapinouxxx
    @lapinouxxx
    @guedou you are right, they are not working with wireshark either. I will contact the driver team of these products then. Merci =)
    ( I don't think you will be able to do something about this ... )
    Guillaume Valadon
    @guedou
    @grandnew you need to del() the field or set its value to None. FYI, that’s one of the top Stack Overflow questions.
    grandnew
    @grandnew
    @guedou del() on the late-evaluated field or setting its value to None indeed works.
    But, if I’m new to the protocol, how do I know which field is late-evaluated and thus should be deleted after assignment?
    grandnew
    @grandnew
    @guedou By the way, which Stack Overflow question were you referring to? I can’t find it, could you please show me the link? Thanks!
    lapinouxxx
    @lapinouxxx
    @guedou you said in 2019, "Don’t call sniff() in threads." in order not to miss data. I agree with you. You suggested using custom capture logic. But what is your point of view about using Redis in a callback function instead of custom capture logic, in order to manage the dissection in a better multi-threaded way and prevent data loss?
    Guillaume Valadon
    @guedou
    @lapinouxxx I don’t remember the context =\
    Customizing AsyncSniffer might be a good alternative
    @grandnew try searching « Scapy compute checksum »
    grandnew
    @grandnew
    @guedou Got it, thanks!
    So, for one new protocol, how do I know which field is late-evaluated and thus should be deleted after assignment?

    Guillaume Valadon
    @guedou
    ls(IP) for example
    It shows the fields assigned to None
    grandnew
    @grandnew
    But what about those fields (like StrField) whose default value is assigned to None?
    grandnew
    @grandnew
    @guedou "The fields assigned to None" means the default value is None. But the default value of some StrField fields may also be assigned to None.

    eaglerbits
    @eaglerbits
    Hello, I'm new here.
    I need to track Netflix, HBO streaming sessions, I guess Scapy Sessions will be the best way, right?
    gpotter2
    @gpotter2
    @grandnew Interesting question. As of right now, you need to look through the code to see fields that are changed (in post_build), but it would be nice to see which fields are auto-computed... lots of work though
    grandnew
    @grandnew
    @gpotter2 Yeah, it can be lots of manual work, because apart from post_build, some fields are changed in i2m.
    As for those fields changed in i2m, I went through fields.py and listed them:
    [LenField, FCSField, PacketLenField, StrFixedLenField, StrLenField, _XStrLenField, FieldLenField, LenField, BitFixedLenField, BitFieldLenField, MultiFlagsField, _IPPrefixFieldBase, _ScalingField]
    Merc
    @mercurial12
    In Scapy Sniff, is it possible to filter on a specific src/dst IP or src/dst port?
    Merc
    @mercurial12
    nvm found it
    just uses bpf style filter: https://biot.com/capstats/bpf.html
    drmlbrt
    @drmlbrt
    Question: trying to build a 'test' QoS script. Using Scapy, it works OK for my local address. However, when I try a corporate IP, it gives me a routing issue.... WARNING: No route found (no default route?)
    Nils Weiss
    @polybassa
    Hi, will appveyor be available for unit testing in the near future?
    gpotter2
    @gpotter2
    Yes.. we have no plans of switching off AppVeyor.. Why ask? Did they have a policy change or something?
    @eaglerbits Probably not. Scapy will only allow you to see what IPs people connect to, so that's what you'll see (and you'll need to maintain a giant list of all Netflix's IPs...)
    eaglerbits
    @eaglerbits
    Right, but do you have a better idea?
    I need to know when a device starts/ends Netflix streaming
    christianwebster
    @christianwebster:matrix.org
    [m]
    Hi everybody, I'm trying to manipulate a TLS 1.3 session with Scapy. My test setup uses 3 containers and the MITM container is sniffing the packets. My goal right now is to create a new verify message, which is created in handshake.py (line 1194).
    How do I handle the TLS connection in Scapy and how can I create a new verify message?
    christianwebster
    @christianwebster:matrix.org
    [m]
    This is some of my code so far: https://pastebin.com/BkD82cXy

    AlexandertheG
    @AlexandertheG
    Hello. How do I make a DNS request in Scapy similar to dig NS org. @l.root-servers.net?
    Thanks
    Rui Cunha
    @RuiCunhaM
    Hi everyone, I was not sure whether I should open an issue straight away for this or not, so I'm going to ask it here. I intend to add support for MPTCP v1.0, however I'm not entirely sure what the best way to do it is, since we're talking about a TCP option with variable length. Since it's not an individual field but something inside the options field, I assume I have to parse the bytes content, probably into a dictionary, but I do not know the right way to do it according to the Scapy philosophy. I'm not sure whether there is anything similar already, or some type of behavior/functions defined to deal with situations like this. So if someone could give me any hint about the right way to do this I would appreciate it. Thank you
    Guillaume Valadon
    @guedou
    @RuiCunhaM did you have a look at the TCPOptionsField object? I don't know MPTCP but that is a nice place to start experimenting.
    Guillaume Valadon
    @guedou
    @AlexandertheG what did you try?