I wanted to create a fake dns response with scapy and it's just doesn't work... When i sniff the packets in Wireshark it shows me that the packets are correct but Windows just takes the genuine response packet althought...
Can someone tell me how to fix it please?
Thanks
import sys
i, o, e = sys.stdin, sys.stdout, sys.stderr
from scapy.all import *
sys.stdin, sys.stdout, sys.stderr = i, o, e
def f(packet):
if DNS in packet and DNSQR in packet :
return True
return False
while True:
a=sniff(lfilter=f,count=1)
ip = a[0].getlayer(IP)
dns = a[0].getlayer(DNS)
pkt = Ether(dst = a[0][Ether].src, src = a[0][Ether].dst)/IP(dst=ip.src, src=ip.dst)/UDP(chksum=None, dport=ip.sport,sport=ip.dport)/DNS(qd=a[0][DNS].qd, qdcount=1, ancount=0, nscount=0, arcount=1, ra = 1, qr = 1, id=dns.id, an = (DNSRR(rrname=dns.qd.qname, type= "A" , ttl=3600, rdata="192.168.1.12")))
pkt.show()
for i in range(10):
sendp(pkt)
You're just sniffing packets, if you want to manipulate packets you should send them to a function then forward them to the destination. use prn attribute in Sniff :
packets = sniff(filter="port 53" , prn=func , count=1)
def func(packet):
if packet.haslayer(UDP) and packet.haslayer(DNS):
manipulate your DNS packet here then forward it
Related
I'm following Black Hat Python (2ed.), in which I'm writing a network scanning tool. The tool is in theory supposed to send UDP packets out to a given subnet, and if a host is up on that subnet, the response packet is decoded, found to contain the message in the original datagram, and used to indicate the host is up. This seems to generally be working well to capture packets; I can go to a website, or ping another host, and the tool reliably provides the correct source and destination addresses for those cases.
Here is the meat of the code (I have not included the class creation, or the passing of the host argument for brevity, but the host is 192.168.10.85).
class IP:
"""layer 3 (IP) packet header decoder"""
def __init__(self, buff=None):
header = struct.unpack('<BBHHHBBH4s4s', buff)
self.ver = header[0] >> 4
self.ihl = header[0] & 0xF
self.tos = header[1]
self.len = header[2]
self.id = header[3]
self.offset = header[4]
self.ttl = header[5]
self.protocol_num = header[6]
self.sum = header[7]
self.src = header[8]
self.dst = header[9]
# make IP addrs human readable
self.src_address = ipaddress.ip_address(self.src)
self.dst_address = ipaddress.ip_address(self.dst)
# the protocol_num is actually a code for the protocol name
self.protocol_name = {1: 'ICMP', 6: 'TCP', 17: 'UDP'}
# try to provide the human version of the protocol, otherwise just give the code
try:
self.protocol = self.protocol_name[self.protocol_num]
except KeyError as error:
self.protocol = self.protocol_num
print(f'Protocol is unrecognized, try googling "IP protocol {self.protocol_num}"')
class ICMP:
"""layer 4 (ICMP) packet header decoder"""
def __init__(self, buff):
header = struct.unpack('<BBHHH', buff)
self.type = header[0]
self.code = header[1]
self.checksum = header[2]
self.ident = header[3]
self.seq_num = header[4]
def udp_sender():
# blasts udp packets into the network to solicit responses
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
for ip in ipaddress.ip_network(SUBNET).hosts():
# time.sleep(1)
print(f'sending a test message to {ip}')
# send our test message out to port 65212 on the destination
sender.sendto(bytes(MESSAGE, 'utf8'), (str(ip), 65212))
class Scanner:
def __init__(self, host):
self.host = host
# create raw socket, bind to public interface
# if windows:
if os.name == 'nt':
socket_protocol = socket.IPPROTO_IP
# if linux/mac:
else:
socket_protocol = socket.IPPROTO_ICMP
self.socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
self.socket.bind((host, 0))
# socket options, include header
self.socket.setsockopt(socket_protocol, socket.IP_HDRINCL, 1)
# enable promiscuous mode for windows
if os.name == 'nt':
self.socket.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
def sniff(self):
# set of all hosts that are up (respond to our ICMP message)
hosts_up = {f'{str(self.host)} *'}
try:
while True:
# read a packet, and parse the IP header
raw_buffer = self.socket.recvfrom(65535)[0]
# create IP header from the first 20 bytes
ip_header = IP(raw_buffer[0:20])
# if the protocol is ICMP, do some additional things
# print(f'src={ip_header.src_address}, dst={ip_header.dst_address}, prot_name={ip_header.protocol}')
if ip_header.protocol == 'ICMP':
# calculate where the ICMP packet starts
offset = ip_header.ihl * 4
buf = raw_buffer[offset:offset + 8]
# create ICMP structure
icmp_header = ICMP(buf)
print(f'type: {icmp_header.type}, code: {icmp_header.code}')
print(f'src={ip_header.src_address}, dst={ip_header.dst_address}, prot_name={ip_header.protocol}')
if icmp_header.type == 3 and icmp_header.code == 3:
print(f'type: {icmp_header.type}, code: {icmp_header.code}')
print(f'src={ip_header.src_address}, dst={ip_header.dst_address}, prot_name={ip_header.protocol}')
if ipaddress.ip_address(ip_header.src_address) in ipaddress.IPv4Network(SUBNET):
# make sure the packet has our test message
if raw_buffer[len(raw_buffer) - len(MESSAGE):] == bytes(MESSAGE, 'utf8'):
tgt = str(ip_header.src_address)
if tgt != self.host and tgt not in hosts_up:
hosts_up.add(str(ip_header.src_address))
print(f'Host Up: {tgt}')
However, when receiving the ICMP responses as a result of my datagram, the tool reports that the source and destination addresses are the same (my host, 192.168.10.85). Furthermore, while I should be receiving responses with Type 3 and Code 3 (destination unreachable, and port unreachable), but I am receiving (in my program) Type 3 and Code 1.
Here is an example of the output when I issue a ping command while the scanner is running, which seems correct:
src=192.168.10.85, dst=192.168.10.200, prot_name=ICMP type: 0, code: 0 src=192.168.10.200, dst=192.168.10.85, prot_name=ICMP type: 8, code: 0
Here is an example of the output to what I am assuming is the UDP packet response, which seems incorrect):
src=192.168.10.85, dst=192.168.10.85, prot_name=ICMP type: 3, code: 1
If I open wireshark while I'm running my code, I can correctly see the ICMP Type 3/Code 3 responses, so I know they are going through, here is a screen grab of one host on the target subnet as an example:
Why is my scanner not seeing these responses that are in wireshark?
I've tried running wireshark alongside my program, to see if the packets are being correctly decoded, and that the message in the UDP packet is properly in place. All signs indicate that the packets are going out to the hosts I'm trying to detect, and the correct responses are coming back, but my scanner refuses to find them.
I have 2 programs comunicating with each other via ethernet. Sending one is using scapy to encode port, ip and payload before sending it as ethernet frame. My problem is that in payload im sending counter and when reciving that it's sometimes changed to symbol.
\x00\x00\x00\x00\x00\x00\x00\x07
\x00\x00\x00\x00\x00\x00\x00\x08 is fine but next
\x00\x00\x00\x00\x00\x00\x00\t
\x00\x00\x00\x00\x00\x00\x00\n
\x00\x00\x00\x00\x00\x00\x00\x0b its fine again
later they are changed to next asci symbols
My question is how to stop converting bytes to asci?
sender.py
import socket
from scapy.all import *
PADDING_VALUE = b'\xd1'
ETH_P_ALL = 3
DST_IP = "127.0.0.12"
IFACE = "lo"
SRC_IP = "127.0.0.11"
class FpgaMockup:
def __init__(self, setup_iface):
self.setup_sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
self.setup_sock.bind((setup_iface, 0))
self.padding = 16
def send(self, pkt):
self.setup_sock.send(pkt)
if __name__ == "__main__":
testing_fpga = FpgaMockup(IFACE)
for i in range(100):
packet = IP(dst=DST_IP, src=SRC_IP)/UDP(sport=12666, dport=12666)/Raw(load=int(i).to_bytes(8, "big")+PADDING_VALUE*testing_fpga.padding)
pkt = Ether(packet)
testing_fpga.send(raw(pkt))
print("Finished sending.")
reciever.py
import socket
ETH_P_ALL = 3
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
s.bind(("lo", 0))
while(True):
pkt = s.recv(4096)
print(pkt)
These are not "changed". \x09 is exactly the same as \t, \x0a is the same as \n. These are just printed differently but nevertheless are the same:
>>> print(b'\x08\x09\x0a\x0b')
b'\x08\t\n\x0b'
>>> b'\x08\x09\x0a\x0b' == b'\x08\t\n\x0b'
True
For more information see the documentation to the syntax of String and Bytes literals.
If you don't want to have this conversation simply enforce writing as a hexadecimal sequence instead of characters:
>>> b'\x08\t\n\x0b'.hex()
'08090a0b'
I'am trying to send UDP packets with images to my friend who is behind his NAT. He forwarded his receiving port but the packets don't arrive using our python code. But nevertheless, when using test code the packet does arrive and the tuple containing IPaddr and PORT are the same.
NOTE: not a single exception was triggered, it simply gets stuck in the recvfrom because there is nothing to read
This is the sample code that I used to test if the packets arrive and it worked:
import socket
IPADDR = '88.1.231.55'
PORTNUM = 8043
PACKETDATA = 'TEEEESSTT'.encode('ascii')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
s.sendto(PACKETDATA, (IPADDR, PORTNUM))
s.close()
Init of the UDP class:
def __init__ (self, ip_dest, port_dest, port_src, tcp):
self.TCP = tcp
self.socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.dest = (str(ip_dest), int(port_dest))
self.socket.bind(('', port_src))
self.receiveVideoThread = threading.Thread(target=self.receive_video)
self.receiveVideoThread.setDaemon(True)
self.receiveVideoThread.start()
...........
Send the image:
def send_video(self, frame):
if not self.TCP.pauseCall or not self.TCP.endCall:
try:
header = "{}#{}#{}#{}#".format(self.counter, time.time(), '640x480', self.fps).encode("utf-8")
ratio = self.get_compress_ratio(self.fps_friend)
frame = self.rescale_by_height(frame, 320)
self.frame_sent = frame
frame_compressed = self.compress(frame, 1)
self.socket.sendto(header + frame_compressed, self.dest)
self.counter += 1
except Exception as e:
print(e)
return
And recieve:
def receive_video(self):
while not self.TCP.endCall or not self.TCP.pauseCall:
try:
data, _ = self.socket.recvfrom(200)
datagram = data.split(b'#', 4)
self.fps_friend = datagram[3]
........
When we use our code the packets show up on Wireshark but never arrive. When using the sample code the packet does arrive.
Could it be something related to the size of the packets? I've tried compressing the images at the maximum so now the size of an entire UDP packet is ~5KB
I have made a program with Scapy that checks for open ports and for some reason when I check for port 80 for example (scan other computer's port) it says it's closed (RA instead of SA) why is that??
or maybe I have confused SA and RA?
import sys
i, o, e = sys.stdin, sys.stdout, sys.stderr
from scapy.all import *
sys.stdin, sys.stdout, sys.stderr = i, o, e
TARGET_IP = '192.168.1.150'
def main():
packet1 = sr1(IP(dst=TARGET_IP)/TCP(dport=80, seq=123, flags="S"), timeout=1, verbose=0)
packet1.show()
if __name__ == '__main__':
main()
and the output is
###[ TCP ]###
sport = http
dport = ftp_data
seq = 0
ack = 124
dataofs = 5L
reserved = 0L
flags = RA
window = 0
chksum = 0x2aef
urgptr = 0
options = {}
What am I doing incorrect that makes this port closed? I have opened the chrome browser in the other computer and I'm guessing it should work...
Thanks for any help!
Okay, so I'm running Ubunutu 14.04 LTS, and I'm trying to poison my own ARP Cache, by doing this,
my private IP address is 10.0.0.1.
My phone's private IP address is 10.0.0.8.
for this example only let's say my MAC address is axaxaxaxaxax.
I've wrote the following python code:
from binascii import *
from struct import *
import socket;
class ethernetframe:
def __init__(self, destmac, srcmac, ethrtype):
self.destmac = unhexlify(destmac)
self.srcmac = unhexlify(srcmac)
self.ethrtype = unhexlify(ethrtype)
def uniteframe(self, payload):
frame = ''
frame = frame + self.destmac
frame = frame + self.srcmac
frame = frame + self.ethrtype
frame = frame + payload
frame = frame + unhexlify("00000000")
return frame
class arppacket:
def __init__(self,opcode,srcmac,srcip,dstmac,dstip):
if opcode == 1:
dstmac = "000000000000"
opcode = "0001"
else:
opcode = "0002"
self.opcode = unhexlify(opcode)
self.srcmac = unhexlify(srcmac)
self.srcip = pack('!4B',srcip[0],srcip[1],srcip[2],srcip[3])
self.dstmac = unhexlify(dstmac)
self.dstip = pack('!4B',dstip[0],dstip[1],dstip[2],dstip[3])
def unitepacket(self):
packet = ''
packet = packet + "\x00\x01\x08\x00\x06\x04"
packet = packet + self.opcode
packet = packet + self.srcmac
packet = packet + self.srcip
packet = packet + self.dstmac
packet = packet + self.dstip
return packet
e1 = ethernetframe("axaxaxaxaxax","axaxaxaxaxax","0800")
arp1 = arppacket(2,"axaxaxaxaxax",(10,0,0,8),"axaxaxaxaxax",(10,0,0,1))
arpacket = arp1.unitepacket()
fullethframe = e1.uniteframe(arpacket)
s = socket.socket(socket.AF_PACKET,socket.SOCK_RAW,socket.htons(0x0806))
s.bind(("eth0",0))
s.send(fullethframe)
now, I'm monitoring this whole process with Wireshark, the ARP packet is being send and it is formed correctly, In wire shark I see the following line:
10.0.0.8 is at axaxaxaxaxax
This means that I have successfully sent an ARP reply! to my own computer, stating that the MAC address that is resolved for 10.0.0.8 is axaxaxaxaxax
since ARP cache automatically update if a reply is received REGARDLESS if a request was sent, this means that in my NIC driver's arp cache there should've been a line added stating that
10.0.0.8 is resolved with axaxaxaxaxax
however, when I run inside my ubunutu's terminal
arp - a
or
arp - an
it doesn't show up....., which means I've failed to poison my own ARP cache, any ideas how to fix this?
Just a thought here - did you try
arp -an
Without the -n, arp will try to do a reverse name lookup on the hostname(s).