I'm playing around with scapy, trying to do a nmap-like, I succeeded doing a three way handshake and I automatically receive data if I connect to a smtp server but I can't acknowledge it.
I have connected to it via netcat to see why it wouldn't work and nc actually send an ACK packet with the TCP ack field set to the length of the data segment received + 1.
So I am trying to do the same with scapy but I don't know where to find the length of a TCP segment. I tried a lsc(TCP) but I can not see the field.
Here is a wireshark capture of the netcat connection :
And the detail of the packet :
As you can see, the ack field of the packet just below the data is 37 + 1 = 38.
Does someone knows where or how it can be found ?
EDIT:
There is actually no field that gives the segment length but it can be calculated with two methods:
tcp_seg_len = len(rp.getlayer(Raw).load)
# or
ip_total_len = rp.getlayer(IP).len
ip_header_len = rp.getlayer(IP).ihl * 32 / 8
tcp_header_len = rp.getlayer(TCP).dataofs * 32 / 8
tcp_seg_len = ip_total_len - ip_header_len - tcp_header_len
ans_ack,unans_ack = sr(IP(dst=ip)/TCP(sport=pkt[1].dport, \
dport=pkt[1].sport, \
seq=rp[1].ack, \
ack=tcp_seg_len + 1, \
flags="A"), \
verbose=0, timeout=1)
However, when I print the values I get the good ack number but when I watch the wireshark capture, I have a huge ack number and the packet is marked as "ACKed unseen segment". When I look at the bytes in hexa, I got the right value though. Does anyone knows why that happens and how to solve it?
Wireshark uses relative numbers in its display so the right scapy line is :
ans_ack,unans_ack = sr(IP(dst=ip)/TCP(sport=pkt[1].dport, \
dport=pkt[1].sport, \
seq=rp[1].ack, \
ack=rp[1].seq + tcp_seg_len, \
flags="A"), \
verbose=0, timeout=1)
And the following code (see EDIT in the question) does work :
ip_total_len = rp.getlayer(IP).len
ip_header_len = rp.getlayer(IP).ihl * 32 / 8
tcp_header_len = rp.getlayer(TCP).dataofs * 32 / 8
tcp_seg_len = ip_total_len - ip_header_len - tcp_header_len
ans_ack,unans_ack = sr(IP(dst=ip)/TCP(sport=pkt[1].dport, \
dport=pkt[1].sport, \
seq=rp[1].ack, \
ack=rp[1].seq + tcp_seg_len, \
flags="A"), \
verbose=0, timeout=1)
To get the TCP Segment Length (This has been verified for IPv6 traffic):
tcp_header_len = rp.getlayer(TCP).dataofs * 32 / 8
tcp_seg_len = rp.plen - tcp_header_len
Related
I am new to Networking and trying to implement a network calculator using python3 where the client's responsibility is to send operands and operators and the server will calculate the result and send it back to the client. Communication is through UDP messages and I am working on client side. Each message is comprised of a header and a payload and they are described as shown in the below figures.
UDP header:
I am familiar with sending string messages using sockets but having a hard-time with how to make a message with both header and payload and how to assign the bits for various attributes or how to generate message/client id's in the header and If there is any way to automatically generate the Id's. Any help or suggestions will be highly appreciated.
Thanks in advance
I will only do a portion of your homework.
I hope it will help you to find energy to work on missing parts.
import struct
import socket
CPROTO_ECODE_REQUEST, CPROTO_ECODE_SUCCESS, CPROTO_ECODE_FAIL = (0,1,2)
ver = 1 # version of protocol
mid = 0 # initial value
cid = 99 # client Id (arbitrary)
sock = socket.socket( ...) # to be customized
def sendRecv( num1, op, num2):
global mid
ocs = ("+", "-", "*", "/").index( op)
byte0 = ver + (ocs << 3) + (CPROTO_ECODE_REQUEST << 6)
hdr = struct.pack( "!BBH", byte0, mid, cid)
parts1 = (b'0000' + num1.encode() + b'0000').split(b'.')
parts2 = (b'0000' + num2.encode() + b'0000').split(b'.')
msg = hdr + parts1[0][-4:] + parts1[1][:4] + parts2[0][-4:] + parts2[1][:4]
socket.send( msg) # send request
bufr = socket.recv( 512) # get answer
# to do:
# complete socket_send and socket.recv
# unpack bufr into: verr,ecr,opr,value_i, value_f
# verify that verr, ecr, opr, are appropriate
# combine value_i and value_f into answer
mid += 1
return answer
result = sendRecv( '2.47', '+', '46.234')
There are many elements that haven't be specified by your teacher:
what should be the byte-ordering on the network (bigEndian or littleEndian)? The above example suppose it's bigEndian but you can easily modify the 'pack' statement to use littleEndian.
What should the program do if the received packet header is invalid?
What should the program do if there's no answer from server?
Payload: how should we interpret "4 most significant digits of fraction"? Does that mean that the value is in ASCII? That's not specified.
Payload: assuming the fraction is in ASCII, should it be right-justified or left-justified in the packet?
Payload: same question for integer portion.
Payload: if the values are in binary, are they signed or unsigned. It will have an affect on the unpacking statement.
In the program above, I assumed that:
values are positive and in ASCII (without sign)
integer portion is right-justified
fractional portion is left justified
Have fun!
following a tutorial I coded a wifi sniffer in python using sockets (on linux) and the "struct" package. The code is splitted in two parts: the first one decodes the Ipv4 header packets getting the Ips and other information and then sends the remaining data to the second part which decodes ICMP, UDP and TCP packets. When I decode the TCP and UDP packets I can easily get source ports and destinations ports, flags etc... but I'm now looking for the host name. In other words Im trying to see which website is visited by the packet sender/receiver.
How can I get the host name? Is it in the "data" part of the tcp/udp packet, if so how to decode it? Do I have to look at the source and destination ports?
Here is the code: 2 functions for UDP/TCP packets, the data argument is the "data" part from a Ipv4 packet.
def tcp_segment(data):
(src_port, dest_port, sequence, acknowledgement, offset_reserved_flags) = struct.unpack('! H H L L H', data[:14])
offset = (offset_reserved_flags >> 12) * 4
flag_urg = (offset_reserved_flags & 32) >> 5
flag_ack = (offset_reserved_flags & 16) >> 4
flag_psh = (offset_reserved_flags & 8) >> 3
flag_rst = (offset_reserved_flags & 4) >> 2
flag_syn = (offset_reserved_flags & 2) >> 1
flag_fin = offset_reserved_flags & 1
return src_port, dest_port, sequence, acknowledgement, flag_urg, flag_ack, flag_psh, flag_rst, flag_syn, flag_fin, data[offset:]
def udp_segment(data):
src_port, dest_port, size = struct.unpack('! H H 2x H', data[:8])
return src_port, dest_port, size, data[8:]
TCP packet
how to inject zeros to the end of the UDP segment’s header to make it equal to 20 bytes.
Can anyone help me?
this my code :
if UDP in packet:
"""get layers after udp"""
layer_after = packet[UDP].payload.copy()
"""build a padding layer"""
pad = Padding()
pad.load = '\x00' * 12
layer_before = packet.copy()
layer_before[UDP].remove_payload()
packet = layer_before / pad / layer_after
and this is a output for a udp packet :
before : b'\xb8\xaco6\x1c\xa2\xe8\xe72<eP\x08\x00E\x00\x00.\x0bT#\x00\xec\x11\x18~MH\xa9\x82\x83\xca\xf0W+iC8\x00\x1a\x85+H\x00Y\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
--------------------------------------------------------------
after : b'\xb8\xaco6\x1c\xa2\xe8\xe72<eP\x08\x00E\x00\x00.\x0bT#\x00\xec\x11\x18~MH\xa9\x82\x83\xca\xf0W+iC8\x00\x1a\x85+H\x00Y\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
but it adds zeros to the end of packets!!!!!
I have the same question with yours.Maybe you can try this:
if UDP in packet:
layer_after = packet[UDP].payload.copy()
pad = Padding()
pad.load = '\x00' * 12
layer_before = packet.copy()
layer_before[UDP].remove_payload()
packet = layer_before / raw(pad) / layer_after
The padding will follow the end of the UDP segment’s header.I hope this would help you.
I would like to send fragmented packets size of 8 bytes and a random starting offset. Also want to leave out the last fragmented packet.
So far I got everything except the fragment of
from scapy.all import *
from random import randint
dip="MY.IP.ADD.RESS"
payload="A"*250+"B"*500
packet=IP(dst=dip,id=12345,off=123)/UDP(sport=1500,dport=1501)/payload
frags=fragment(packet,fragsize=8)
print(packet.show())
for f in frags:
send(f)
What does the above code do?
It sends IP Fragment Packets size of 8 byte to a destination IP address.
I would like to send IP Fragment Packets with a random Frag Offset.
I can't find anything about fragment() and the only field, I was able to edit was in IP packet instead of each fragmented IP packet.
Does someone have an idea to accomplish this?
Infos: Python2.7, latest version of scapy (pip)
If you want to generate "broken" fragment offset fields, you have to do that yourself. The scapy fragment() function is simple enough:
def fragment(pkt, fragsize=1480):
"""Fragment a big IP datagram"""
fragsize = (fragsize + 7) // 8 * 8
lst = []
for p in pkt:
s = raw(p[IP].payload)
nb = (len(s) + fragsize - 1) // fragsize
for i in range(nb):
q = p.copy()
del(q[IP].payload)
del(q[IP].chksum)
del(q[IP].len)
if i != nb - 1:
q[IP].flags |= 1
q[IP].frag += i * fragsize // 8 # <---- CHANGE THIS
r = conf.raw_layer(load=s[i * fragsize:(i + 1) * fragsize])
r.overload_fields = p[IP].payload.overload_fields.copy()
q.add_payload(r)
lst.append(q)
return lst
Source: https://github.com/secdev/scapy/blob/652b77bf12499451b47609b89abc663aa0f69c55/scapy/layers/inet.py#L891
If you change the marked code line above, you can set the fragment offset to whatever you want.
I am interested in being able to detect specific parameters using the loading time it took a request from when I send it to when it got to the server.
The request I am talking about is the SYN packet in a three way hand shake.
How can I do this?
Looking forward to your answer!
Of course also what language should I use...I am testing with Python + Scapy right now.
If you want to use Scapy (which seems a reasonable choice for what you want to do), you need to use the Packet.time attribute. Here is a simple example:
>>> def measure_delay(packet):
... ans, _ = sr(packet, verbose=False)
... if ans:
... return reduce(lambda x, y: y.time - x.time, ans[0])
...
>>> measure_delay(IP(dst='192.168.1.254')/TCP(dport=80))
0.07259798049926758
From a Unix command line, you can also use hping3, and look for the rtt= value:
# sudo hping3 --syn 192.168.1.254 -p 80 -c 1
HPING 192.168.1.254 (wlan0 192.168.1.254): S set, 40 headers + 0 data bytes
len=44 ip=192.168.1.254 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=14600 rtt=3.1 ms
--- 192.168.1.254 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.1/3.1/3.1 ms