Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Jonathon Anderson
    @anderbubble
    @0xKate in your first example, what is the value of the nfs variable? One of the layer classes?
    0xKate
    @0xKate
    Typically the value of nfs/Ether variable in my example is a packet/layer class. What I posted wont work because its a contrib package not derived from packet. Scapy needs to actually load the contrib package to be aware of nfs. There's an example for ospf here https://lost-and-found-narihiro.blogspot.com/2012/11/python-scapy-how-to-load-extension.html but this was python 2.7. I can't find any official documentation on loading contribs for sniffing. Once Scapy is aware of it however, you should be able to do things like if nfs.ACCESS_Call in packet: and packet[nfs.ACCESS_Call].filehandle
    cyril.lu
    @cyril.lu:matrix.org
    [m]

    Hello, I am using scapy with a new protocol, which defines one of its operations like this :

    • each « config packet » is defined by a type, length and value
    • the « set config » is defined by a count and a list of config packets

    For now I defined it like this, which works well for most config packets:

    APP_CONF_PARAMS = {
        # …
        0x06: {
            'name': 'DEVICE_MAC_ADDRESS',
            'field': XLEShortField("value", default=None)},
        0x07: {
            'name': 'DST_MAC_ADDRESS',
            'field': FieldListField('value', [], XLEShortField("item", default=None), length_from=lambda pkt: (pkt.length))}
        # …
    }
    
    APP_CONF_PARAM_NAME_BY_ID = {i: data['name'] for i, data in APP_CONF_PARAMS.items()}
    APP_CONF_PARAM_FIELD_BY_ID = {i: data['field'] for i, data in APP_CONF_PARAMS.items()}
    
    class AppConfigParameter(PacketWithNoPayload):
        fields_desc=[
            XByteEnumField("type", None, APP_CONF_PARAM_NAME_BY_ID),
            FieldLenField("length", None, fmt="B", length_of="value"),
            MultipleTypeField(
                # Use a field from APP_CONF_PARAMS if it can be found
                [(field, (lambda i: lambda pkt: pkt.type == i)(i)) for i,field in APP_CONF_PARAM_FIELD_BY_ID.items()],
                # Handle the parameter as a string if type is unknown
                XStrLenField("value", None, length_from=lambda pkt:pkt.length)
            )
        ]
    
    class SessionSetAppConfigCmd(PacketWithNoPayload):
    
    fields_desc=[
        FieldLenField("numberOfAppConfiguration", None, fmt='B', count_of="appConfiguration"),
        PacketListField("appConfiguration", [], AppConfigParameter,
            count_from=lambda pkt: pkt.numberOfAppConfiguration)
    ]

    I have one problem, with a particular config parameter which is used to define the Mac address length.

    APP_CONF_PARAMS = {
        # …
        0x26: {
            'name': 'MAC_ADDRESS_MODE',
            'field': XByteEnumField("value", default=0x00, enum={
                    0x00: "MAC address is 2 bytes",
                    0x01: "MAC address is 8 bytes"})},
        # …
    }

    When it is set to 0x01, mac addresses should be treated as as XLELongField instead of XLEShortField (as shown above).

    Do you know any other protocol behaving like this, that I could use as an example to implement mine? If not, how would you handle a case like this?
    Jonathon Anderson
    @anderbubble
    @0xKate thank you for all your help so far. I've tried to write a bit of an obtuse script to cast as wide a net as possible, and it's not seeing any of my NFS traffic as NFS traffic. What am I doing wrong? https://gist.github.com/anderbubble/fcd4238b34e17ee1f3289ea8733106e3
    (I know this isn't really how anything should be done; but hopefully my intent is clear enough in the script. For the record, nfs_filter does detect all of the NFS layer classes in the module correctly.
    Jonathon Anderson
    @anderbubble
    I may have figured it out. Turns out I'm mounted via nfs 4.2, and this only supports nfs 3! ,_,
    Jonathon Anderson
    @anderbubble
    Switching to nfs3 still hasn't made scapy dissect these as NFS. Though that was clearly wrong.
    Jonathon Anderson
    @anderbubble
    I think I figured it out! The NFS layers are based on RPC layers. Since RPC doesn't know which port it should be using, it doesn't bind to any ports by default, so there's no way for TCP to go to RPC. So I did bind_layers(TCP, RPC, sport=2049) and bind_layers(TCP, RPC, dport=2049) and now it appears to be working!
    Thanks for your patience!
    Jonathon Anderson
    @anderbubble
    Well, it seems I was prematurely excited. It's actually detecting RPC packets now, but not NFS. But I'm making progress!
    Jonathon Anderson
    @anderbubble
    @0xKate I'm noticing that there is no do_dissect() in https://github.com/secdev/scapy/blob/master/scapy/contrib/nfs.py nor in https://github.com/secdev/scapy/blob/master/scapy/contrib/oncrpc.py. Does that mean that these modules cannot dissect their respective protocols? (i.e., they can only build them?)
    0xKate
    @0xKate
    Yes you are on the right track, what you have should be working. do_dissect() is pretty low level, all you needed is the RPC + transport bindings, and to either import the contrib directly from scapy.contrib import nfs which causes all its bindings to execute, or run load_contrib('nfs') which does the same.
    from scapy.contrib.nfs import ACCESS_Call
    from scapy.contrib.oncrpc import RPC
    from scapy.layers.inet import UDP
    from scapy.main import load_contrib
    from scapy.packet import bind_layers
    from scapy.sendrecv import sniff
    
    if __name__ == '__main__':
        load_contrib('nfs')
    
        bind_layers(UDP, RPC, sport=2049)
        bind_layers(UDP, RPC, dport=2049)
    
        pkts = sniff(offline="nfsv3.pcap")
    
        for packet in pkts:
            if ACCESS_Call in packet:
                print(packet.show())
    gladman88
    @gladman88
    Hello! I have problem with CPU load with scapy. Doesn't matter which filter I set, scapy always use 12.5 percent of CPU when sniffing. I have intel core i7. Even if i didn't get any packets at all - 12,5% of CPU usage. Why it's happening?
    sniff_filter = "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and dst port 443"
    sniff(filter=sniff_filter, prn=self._packet_callback, store=0)
    Ansis Atteka
    @ansisatteka

    Hi, on hypervisors Virtual Machines (e.g. qemu) are usually connected to Virtual Bridges (e.g. Linux Bridge or OVS bridge) through tap devices.

    When I try to inject Ethernet frame into tap device with sendp(..., iface=vnet0) the frame goes to the VM but not to the Bridge.

    Has anyone figured out how to send such frames with scapy to the Bridge instead? Basically the goal would be that scapy would allow to imitate VM.

    Jan Kaiser
    @jankais3r
    Hi. I am trying to figure out if I could use scapy without sudo privileges to sniff traffic made by the python script itself (e.g. using the requests package). So not sniffing the whole interface traffic, just python. Is such thing possible?
    infern0d
    @infern0d:matrix.org
    [m]
    No it's not possible, you can't sniff a socket used by something else without root. (You can of course read any socket with Scapy but it will consume packets, which isn't what you're asking for)
    higher75
    @higher75
    Sometimes when I use sendpfast() to send a packet, I can't catch it and there is no alert message, but when I use send() instead, I can catch the sent packet, I don't understand why this is, maybe the length of the packet I send is too big?
    Does anyone know?
    bhdrozgn
    @bhdrozgn
    Hi, is there any way to sniff packets with scapy via a remote interface?
    smj
    @smjhero
    Hi, is there any way to implement the same lenfield is used by two or more different varfields, using FieldLenField and StrLenField? Currently I only know how to implem one lenfield -to-one varfields
    WTBCODER
    @WTBCODER
    i have the same problem. Does anyone know how to implement it?
    Paulo Sherring
    @pauloasherring
    Hello all, I have a rather degenerate use for scapy, which is to use it for pcap file manipulation. Is there an easy-ish way to have scapy not to load networking DLLs which requires admin rights, but still load the dissectors, bindings and all?
    grandnew
    @grandnew
    Hi, all. I have one question, why scapy doesn’t support SSH? I think it is very famous and common.
    bhdrozgn
    @bhdrozgn
    I found a way to capture on remote interfaces. For anyone interested in it:
    from scapy import *
    
    def live_capture(*args):
        iface_list = [['-i', iface] for iface in args]
        dumpcap_args = ['dumpcap'] + [arg for sublist in iface_list for arg in sublist] + ['-w', '-']
        dumpcap = subprocess.Popen(args=dumpcap_args, stdout=subprocess.PIPE)
    
        capture = sniff(offline=dumpcap.stdout, prn=lambda pkt: pkt.show(), store=0)
        return capture
    
    # pass your device names
    live_capture('rpcap://[192.168.0.100]:2002/wl1', 'rpcap://[192.168.0.101]:2002/wl1')
    bhdrozgn
    @bhdrozgn
    Is there any way to read a capture file in reverse order or accessing the last packet in a capture file without looping whole file?
    gpotter2
    @gpotter2
    Without loading the entire file it's not possible. A packet in a pcap begins where the previous one ends.
    dorty3541
    @dorty3541
    hello, everyone. Is there any example or manual so I can craft the packets to simulate the whole ike negotiation with the vendor device such as fortigate/cisco?
    agarusa
    @agarusa
    Hi! I went through some docs and some code and it seems that docs are not about latest release (2.4.5) but more like about current repository state. There some functions and classes from docs are absent in release but present in current repository. Was this done intended or is it a bug of documentation, that those structures got into 2.4.5-docs?
    infern0d
    @infern0d:matrix.org
    [m]
    You are absolutely correct, the "latest" (default) doc relates to the current repo. You can find the "stable" = released doc over https://scapy.readthedocs.io/en/stable/
    bhdrozgn
    @bhdrozgn
    How can we write packets sniffed with AsyncSniffer to a pcap file without using prn?
    bhdrozgn
    @bhdrozgn

    How can we write packets sniffed with AsyncSniffer to a pcap file without using prn?

    Okay, I just achieved this by applying the same thing used in sniff method to my AsyncSniffer object:

    from scapy.utils import wrpcap
    from scapy.compat import cast
    from scapy.plist import PacketList
    
    def write_async(capture):
        capture = cast(PacketList, capture.results)
        wrpcap('capture.pcap', capture)
    stryngs
    @stryngs

    Hello all,

    The other day I was working on WEP encryption and decryption with scapy and I came across what I consider a bug in 2.4.5.

    A Python3 example:

    import binascii
    import pyDot11
    from rc4 import rc4
    from scapy.all import *
    
    keyText = '0123456789'
    pkts = rdpcap('../PCAPs/ICMPs/wep_pings.pcap')
    pkt = pkts[0]
    
    iVal = pkt[Dot11WEP].iv.decode('latin1')
    seed = pyDot11.wepCrypto.seedGen(iVal, keyText).decode('latin1')
    stream = rc4(pkt.wepdata.decode('latin1'), iVal+ seed)

    A Python2 example:
    ```

    stryngs
    @stryngs
    ... and my long drawn up post deleted itself, lovely
    Without going into it detailed again let me ask. Is there a reason that hexstr() works differently in Python3 than it did in Python2?
    In [60]: hexstr(stream, onlyhex = 1)
    Out[60]: 'C2 AA C2 AA 03 00 00 00 08 00 45 00 00 54 00 00 40 00 40 01 C3 B0 3B C3 80 C2 A8 64 C2 88 C3 80 C2 A8 64 C2 94 08 00 C2 9D 65 C3 87 06 00 00 C2 9C C3 99 C3 B6 C2 B9 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
    With some modifications:
    newStream = []
    newStream.append(" ".join(map(lambda stream:"%02x"%ord(stream), stream)))
    newStream = "  ".join(newStream)
    
    In [65]: newStream
    Out[65]: 'aa aa 03 00 00 00 08 00 45 00 00 54 00 00 40 00 40 01 f0 3b c0 a8 64 88 c0 a8 64 94 08 00 9d 65 c7 06 00 00 9c d9 f6 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
    the object newStream is the expected output. Thanks for any assistance.
    infern0d
    @infern0d:matrix.org
    [m]
    It's not clear how it's working differently on Python 2 and 3 when reading your examples :/?
    stryngs
    @stryngs
    C2 AA C2 AA -vs- aa aa
    hexstr() is adding C2 to the start of it, twice.
    stryngs
    @stryngs
    @infern0d:matrix.org ^
    stryngs
    @stryngs
    I miss the "old style" way whereby you could do str(<scapy object>) and it would print out the repr. I built pyDot11 around that modeling. The shift for pyDot11 over to Python3 is fun for sure. We can now decrypt WEP natively using Python3 and scapy 2.4.5.
    2 replies
    It will handle Open, WEP or WPA; each with their own trick aside from Open for pure injection.
    The stream obj ^^ debugging took me some time as I kept following the math for RC4 and couldn't wrap my head around the diffs for 2v3; I had "assumed" hexstr() was the same as I had no reason to think otherwise as far as the bytes, their accuracy and order go.
    For the PCAPs in question:
    https://github.com/stryngs/pyDot11
    There is also now a question of Dot11FCS being missing in a unique and interesting way for ICMP these days vs when I took the PCAP of the wep traffic from years back.
    As those bytes don't change it must therefore be the "scapy interpretation".