Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    infern0d
    @infern0d:matrix.org
    [m]
    this function is meant to handle bytes what do you mean bytes are not used
    stryngs
    @stryngs
    If Python2 and Python3 both behaved the same for 2.4.5 it would be considered a non-issue you know?
    gpotter2
    @gpotter2
    The issue is just that you are not passing the bytes as bytes
    Pass it as bytes, you'll get the same result
    You should document yourself about the differences between Python 2 and 3 when it comes to bytes
    stryngs
    @stryngs
    In [12]: stream                                                                                                                                                                                                    
    Out[12]: 'ªª\x03\x00\x00\x00\x08\x00E\x00\x00T\x00\x00@\x00@\x01ð;À¨d\x88À¨d\x94\x08\x00\x9deÇ\x06\x00\x00\x9cÙö¹\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    
    In [13]: stream.encode()                                                                                                                                                                                           
    Out[13]: b'\xc2\xaa\xc2\xaa\x03\x00\x00\x00\x08\x00E\x00\x00T\x00\x00@\x00@\x01\xc3\xb0;\xc3\x80\xc2\xa8d\xc2\x88\xc3\x80\xc2\xa8d\xc2\x94\x08\x00\xc2\x9de\xc3\x87\x06\x00\x00\xc2\x9c\xc3\x99\xc3\xb6\xc2\xb9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    
    In [14]: hexstr(stream.encode())                                                                                                                                                                                   
    Out[14]: 'C2 AA C2 AA 03 00 00 00 08 00 45 00 00 54 00 00 40 00 40 01 C3 B0 3B C3 80 C2 A8 64 C2 88 C3 80 C2 A8 64 C2 94 08 00 C2 9D 65 C3 87 06 00 00 C2 9C C3 99 C3 B6 C2 B9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ..........E..T..@.@...;....d......d......e.................................................................'
    .encode incorrectly changes the intended stream bytes
    \xaa \xaa
    gpotter2
    @gpotter2
    You are missing the b'' !!!!
    You are converting a wrong string to wrong bytes
    image.png
    this is python 3
    it's working just fine
    stryngs
    @stryngs
    In [9]: stream
    Out[9]: '\xaa\xaa\x03\x00\x00\x00\x08\x00E\x00\x00T\x00\x00@\x00@\x01\xf0;\xc0\xa8d\x88\xc0\xa8d\x94\x08\x00\x9de\xc7\x06\x00\x00\x9c\xd9\xf6\xb9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    
    In [10]: stream.encode()
    ---------------------------------------------------------------------------
    UnicodeDecodeError                        Traceback (most recent call last)
    <ipython-input-10-db32f268970b> in <module>()
    ----> 1 stream.encode()
    
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xaa in position 0: ordinal not in range(128)
    I also cannot use "bytes" with respect to WEP or WPA decryption, at least not using the methods and techniques I did with Python2.
    gpotter2
    @gpotter2
    Yes you should use bytes. You cannot not use bytes on Python 3
    stryngs
    @stryngs
    Alright, I'll read it.
    stryngs
    @stryngs

    Hmm. I'd go so far as to say this is a deeper issue

    >>> print(chr(0xaa).encode())
    b'\xc2\xaa'

    At least now I understand why Python2 and Python3 have differences with hexstr()

    This explains where the extra chars come in at...:
    hexstr(x, onlyhex = 1)                                                                                                                                                                                     
    Out[8]: 'C2 AA C2
    So yes, I will agree scapy is doing what Python3 is instructing it to do, which sadly means there is no PEP style fix for this =(
    However, some hackery based off hexstr itself and we've fixed the flaw
    newStream = []
    newStream.append(" ".join(map(lambda stream:"%02x"%ord(stream), stream)))
    newStream = "  ".join(newStream)
    Anywho, I'll be quiet now and let that soak, cheers!
    bhdrozgn
    @bhdrozgn
    Scapy can't process 802.11ax frames when radiotap header has HE_MU field.
    pkt.show() function returns raw bytes, we can't access layers or fields since no layer defined for that frame. Is there a way to access some fields when this is the case?
    2 replies
    stryngs
    @stryngs
    Would anyone here be interested in a workshop on how to leverage scapy for 802.11 concepts? Encryption/Decryption/etc.
    Leonard Crestez
    @cdleonard
    Gentle ping for secdev/scapy#3358 again? It's fully tested but did not receive any review comments
    Eyni, Kave
    @dewebdes

    Decrypt SSL/TSL with specific Private Key

    I have the original certificate, and I want to show HTTPS sniffed traffic in plaint UTF-8 text

    For example, in HTTP traffic we can use this code:
    readable_payload = bytes(packet[TCP].payload).decode('UTF8','replace')

    But for HTTPS this just show unreadable random characters.

    I was read ant test below resources, But not useful:
    https://github.com/secdev/scapy/blob/master/doc/notebooks/tls/notebook2_tls_protected.ipynb
    https://github.com/tintinweb/scapy-ssl_tls

    I want a clean solution like this article that use TSHARK , But I must use SCAPY because I spent too much time on develop my firewall with scapy:
    https://minnmyatsoe.com/2016/01/26/using-tshark-to-decrypt-ssl-tls-packets/

    jacontre-c
    @jacontre-c
    Hi people, around possible ways to do pcap file parsing speed improvements: is there a way to unload L2 protocol types? so capture only focus on applying parsers to the packet, that are known before hand that are applicable? (so instead of checking for ethernet, 802.11, BLE, etc it only applies 802.11 and everything else is returned as RAW)
    stryngs
    @stryngs
    Hello @jacontre-c -- Here is an example where I do what you speak of, but not necessarily L2; you'll have to trace and replace accordingly.
    https://github.com/stryngs/workshops/blob/master/DC28/blRip.py#L34
    2 replies
    agudek
    @agudek
    Hi all, looking at the _IP6PrefixField class in layers.inet6 I noticed the field length gets calculated as the length of the remainder of the packet. Am I reading this correctly, or is there another way of indicating this fields length? If not, this behaviour might fail in situations where this field is not the last field in the packet
    Leonard Crestez
    @cdleonard
    how do I make p.sprintf("%IPv6.nh%") appear as numeric?
    type(p[IPV6].nh) is a number nut I don't understand how sprintf is different
    apparently p.sprintf("%r,IPV6.nh%") does the job but not p.sprintf("%d,IPV6.nh%")
    Sabry Tarek
    @SabryTarek
    Hello folks, I want to save all domains that the user opened in the web browser. I tried to use Scapy but I get only HTTP requests.
    wireless90
    @wireless90
    Hi peeps how do we sniff eapol frames? I tried sniffing and set lfilter to lambda x: EAPOL in x
    1 reply
    And used my android phone to disconnect and reconnect
    But nothing captured
    Matt Keeter
    @mkeeter
    Weird question for folks: should I expect Scapy to detect UDP echo messages that have raw data attached to them?
    If I do something like sr(IPv6(dst="fe80::4:6ff:fe08:a0c") / UDP(dport=7)), then I get a packet back immediately (and see the whole thing in tcpdump)
    However, sr(IPv6(dst="fe80::4:6ff:fe08:a0c") / UDP(dport=7) / Raw("hello, world")) hangs forever
    despite seeing the reply come in in tcpdump:
    tcpdump: listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:40:05.414261 94:c6:91:15:77:b9 > 02:04:06:08:0a:0c, ethertype IPv6 (0x86dd), length 74: (hlim 64, next-header UDP (17) payload length: 20) fe80::96c6:91ff:fe15:77b9.53 > fe80::4:6ff:fe08:a0c.7: [udp sum ok] 26725 updateMA [b2&3=0x6c6c] [8311a] [28460q] [28530n] [27748au][|domain]
        0x0000:  6000 0000 0014 1140 fe80 0000 0000 0000  `......@........
        0x0010:  96c6 91ff fe15 77b9 fe80 0000 0000 0000  ......w.........
        0x0020:  0004 06ff fe08 0a0c 0035 0007 0014 148f  .........5......
        0x0030:  6865 6c6c 6f2c 2077 6f72 6c64            hello,.world
    22:40:05.446570 02:04:06:08:0a:0c > 94:c6:91:15:77:b9, ethertype IPv6 (0x86dd), length 74: (hlim 64, next-header UDP (17) payload length: 20) fe80::4:6ff:fe08:a0c.7 > fe80::96c6:91ff:fe15:77b9.53: [udp sum ok] 26725 updateMA [b2&3=0x6c6c] [8311a] [28460q] [28530n] [27748au][|domain]
        0x0000:  6000 0000 0014 1140 fe80 0000 0000 0000  `......@........
        0x0010:  0004 06ff fe08 0a0c fe80 0000 0000 0000  ................
        0x0020:  96c6 91ff fe15 77b9 0007 0035 0014 148f  ......w....5....
        0x0030:  6865 6c6c 6f2c 2077 6f72 6c64            hello,.world
    Oh, I wonder if it's because it's using port 53 by default, which may be... special (since that's the port for DNS)
    Yeah, using sport=2000 seems to work
    bveina
    @bveina
    hi there im new to scappy and had a conceptual question about layer binding
    i want to add a layer beneath USBPcap. for example sake lets just have one field as a byte. later based on that byte i will bind layers below that. but how do i bind that first layer to the upper layer? i want to be greedy and bind any USBPCap.function ==9, but i cant just say bind_layer(USBPcap,DAP_CMD,function==9) becasue its not in scope
    bveina
    @bveina
    or i could reread the documentation and notice its a single = not a ==
    bveina
    @bveina
    ok still churning away at this but not getting very far. ive narrowed it down to a minimal working example that i think should disect as a DAP_CMD but still is decoded as RAW.
    from scapy.all import PcapReader,Packet,bind_layers,ByteField
    from scapy.layers.usb import USBpcap
    
    class DAP_CMD(Packet):
        name = "DapCMD "
        field_desc= [ByteField("cmd",0)]
    
    bind_layers(USBpcap,DAP_CMD, endpoint=2)    
    
    
    p = b'\x1b\x00\xa0\t\xd6\xe2\x88\xb6\xff\xff\x00\x00\x00\x00\t\x00\x00\x01\x00\x0b\x00\x02\x01@\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    
    pak = USBpcap(p)
    pak.show()
    ###[ USBpcap URB ]### 
      headerLen = 27
      res       = 0
      irpId     = 0xffffb688e2d609a0
      usbd_status= Success
      function  = URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER
      info      = 0x0
      bus       = 1
      device    = 11
      endpoint  = 0x2
      transfer  = Interrupt
      dataLength= 64
    ###[ Raw ]###
         load      = '\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'