I have captured some traffic and stored on a .pcap file. In there, an ARP poisoning attack occured.
Is there a way of detecting the attacker's IP and MAC adress and victim's IP and MAC adress using scapy in a python script?
I believe a script like this one would do the job
#! /usr/bin/python
from scapy.all import *
pkts = rdpcap('capture2.pcap')
#these are from wireshark
ipadr=['192.168.0.1','192.168.0.2','192.168.0.3','192.168.0.30']
macadr['00:03:ff:98:98:01','00:03:ff:98:98:02','00:03:ff:98:98:03','00:03:ff:98:98:30']
c=-1
for p in pkts:
c=c+1
if p.haslayer(ARP):
#find a packet where p.dst and p.pdst isn't a valid pair
if p.dst != 'ff:ff:ff:ff:ff:ff':
if not(( ipadr[0]==p.pdst and macadr[0]==p.dst ) or ( ipadr[1]==p.pdst and macadr[1]==p.dst) or ( ipadr[2]==p.pdst and macadr[2]==p.dst ) or ( ipadr[3]==p.pdst and macadr[3]==p.dst )) :
print 'packet data ' +p.psrc +" "+p.src+" " + p.pdst + " " + p.dst +" "+str(c)
print 'packet number = ' + str(c)
print 'MAC of attacker = ' + p.dst
print 'IP of attacker = ' + ipadr[macadr.index(p.dst)]
print 'MAC of target = ' + p.src
print 'IP of target = ' + p.psrc
Related
I have a script to listen for incoming traffic and print out only the string “IP 1.1.1.1 53" when a packet hits the line. But now that I’m doing IP resolve on the IPs, I need to access the “ip_src” variable and only do the geolocation once on each ip, rather than resolve the same IP over and over as they come in. My current code is:
#!/usr/bin/python3
from scapy.all import *
import ipinfo
def print_summary(pkt):
if IP in pkt:
ip_src=pkt[IP].src
if UDP in pkt:
udp_sport=pkt[UDP].sport
access_token = ''
handler = ipinfo.getHandler(access_token)
match = handler.getDetails(ip_src)
c = match.details.get('city')
s = match.details.get('region')
strang = ("IP " + str(ip_src) + " " + str(udp_sport) + " " + str(c) + ", " + str(s))
print(strang)
sniff(filter="",prn=print_summary)
As you can see the “print_summary” function is called by “prn” which is called for each pkt. I basically want to mimic the functionality of uniq and sort, since they can successfully filter out duplicates from a file, but I’d like to have it all in one script.
EDIT - Trying Set():
So using the code:
from scapy.all import *
def print_summary(pkt):
if IP in pkt:
ip_src=pkt[IP].src
if UDP in pkt:
udp_sport=pkt[UDP].sport
lines_set = set(ip_src)
strang = ("IP " + str(ip_src) + " " + str(udp_sport))
if ip_src not in lines_set:
for line in lines_set:
print(line)
sniff(filter="",prn=print_summary)
I get the output: (in the terminal each character has a trailing newline)
2 . 3 5 8 0 1 2 . 4 8 0 1 . 6
This adds a set variable to keep track of which addresses you have already seen.
#!/usr/bin/python3
from scapy.all import *
import ipinfo
seen = set()
def print_summary(pkt):
if IP in pkt:
ip_src=pkt[IP].src
if UDP in pkt and ip_src not in seen:
seen.add(ip_src)
udp_sport=pkt[UDP].sport
access_token = ''
handler = ipinfo.getHandler(access_token)
match = handler.getDetails(ip_src)
c = match.details.get('city')
s = match.details.get('region')
strang = ("IP " + str(ip_src) + " " + str(udp_sport) + " " + str(c) + ", " + str(s))
print(strang)
sniff(filter="ip",prn=print_summary)
I also changed the indentation of the second if to avoid getting a traceback if somehow you would receive a packet which doesn't have the IP member; though I also updated the filter expression to hopefully prevent that from ever happening in the first place.
I recently started programming with Python. I work as a network engineer and am currently building a program to pull "state dumps" from Ciena devices. I use netmiko to connect to the device.
Now I always get the following error:
OSError: Search pattern never detected in send_command_expect: 5160_1>
"5160_1>" is the hostname / prompt on the switch. I have read that I can give "expect_string" to a "send_command". Unfortunately, this has no effect and I still get this error.
This is the function with which I create the state dump and call the function for the file download.
def create_sd():
for ip in sw_connect_ips:
try:
sw_connection = ConnectHandler(device_type=sw_dev_type, host=ip, username=sw_usr, password=sw_pw)
try:
print('\nconnnected to host > ' + ip + '\n')
hostname = sw_connection.find_prompt()
print('hostname of device > ' + hostname)
sw_connection.send_command('system server sftp enable', expect_string=hostname)
sw_connection.send_command('configuration save', expect_string=hostname)
sw_output = sw_connection.send_command('system state-dump file-name ' + ip + '_sd_timestamp_' + str(date.hour) + '_' + str(date.minute) + '_' + str(date.second), expect_string=hostname + ' ')
filename = ip + '_sd_timestamp_' + str(date.hour) + '_' + str(date.minute) + '_' + str(date.second)
print('got state-dump ' + filename + ' from host > ' + ip)
logging.debug(sw_output)
logging.debug(sw_connection)
sw_connection.disconnect()
try:
sftp_get(filename, ip)
except:
raise Exception('scp failed')
except:
raise Exception('command does not exist on switch > ' + ip)
except:
raise SSHException('unable to connect to switch check username, password and ip address')
I don't know whether all exceptions make so much sense. Maybe someone has a tip for me.
Thanks in advance.
Edit: What is strange in my opinion is that it only occurs with some switches.
in the command with which the state dump is created, I have increased the "send_command" delay factor to 5.
sw_output = sw_connection.send_command ('system state-dump file-name' + ip + '_sd_timestamp_' + str (date.hour) + '_' + str (date.minute) + '_' + str (date.second) , expect_string = hostname, delay_factor = 5)
As a result, I no longer get a netmiko exception and the program runs without problems.
import socket, sys, string
if len(sys.argv) !=4:
print ("UsageL ./ninjabot.py <server> <port> <channel>")
sys.exit(1)
irc = sys.argv[1]
port = int(sys.argv[2])
chan = sys.argv[3]
sck = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sck.connect((irc, port))
sck.send(b'NICK ninjabot\r\n')
sck.send(b'USER ninjabot ninjabot ninjabot :ninjabot Script\r\n')
sck.send('JOIN ' + " " + chan + '\r\n')
data = ''
while True:
data = sck.recv(1024)
if data.find('PING') != -1:
sck.send('PONG ' + data.split() [1] + '\r\n')
print (data)
print (data)
I get this error in sck.send('JOIN ' + " " + chan + '\r\n') but when i try this:
sck.send(b'JOIN ' + " " + chan + '\r\n')
I get TypeError: can't concat str to bytes
I know there's similar posts with this same issue, but none of those seem to help me.
This is due to the fact that b'JOIN' is of type bytes while " " as well as chan and "\r\n" are of type str.
2 corrections:
chan = sys.argv[3].encode()
sck.send(b'JOIN ' + b" " + chan + b'\r\n')
alternatively you could just:
sck.send(b'JOIN %s\r\n' % chan.encode())
this would be the best style. Similar corrections will be need to be made later in your snippet as well. socket.send is looking for a bytes string, so ensure that all strings which you pass it are either b"" or encoded otherwise using encode()
I followed the tutorial below to implement a packet sniffer in Python:
http://www.binarytides.com/python-packet-sniffer-code-linux/
On receiving each UDP packet, I would like to send an already saved pcap file (test.pcap). The following snippet shows my implementation:
# receive a packet
while True:
packet = s.recvfrom(65565)
#packet string from tuple
packet = packet[0]
#parse ethernet header
eth_length = 14
eth_header = packet[:eth_length]
eth = unpack('!6s6sH' , eth_header)
eth_protocol = socket.ntohs(eth[2])
print 'Destination MAC : ' + eth_addr(packet[0:6]) + ' Source MAC : ' +
eth_addr(packet[6:12]) + ' Protocol : ' + str(eth_protocol)
if eth_addr(packet[6:12]) != my_MAC_address:
#Parse IP packets, IP Protocol number = 8
if eth_protocol == 8 :
#Parse IP header
#take first 20 characters for the ip header
ip_header = packet[eth_length:20+eth_length]
#now unpack them :)
iph = unpack('!BBHHHBBH4s4s' , ip_header)
version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF
iph_length = ihl * 4
ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
print 'Version : ' + str(version) + ' IP Header Length : ' + str(ihl) + ' TTL : ' + str(ttl) + ' Protocol : ' + str(protocol) + ' Source Address : ' + str(s_addr) + ' Destination Address : ' + str(d_addr)
#UDP packets
if protocol == 17 :
u = iph_length + eth_length
udph_length = 8
udp_header = packet[u:u+8]
#now unpack them :)
udph = unpack('!HHHH' , udp_header)
source_port = udph[0]
dest_port = udph[1]
length = udph[2]
checksum = udph[3]
print 'Source Port : ' + str(source_port) + ' Dest Port : ' + str(dest_port) + ' Length : ' + str(length) + ' Checksum : ' + str(checksum)
h_size = eth_length + iph_length + udph_length
data_size = len(packet) - h_size
#get data from the packet
data = packet[h_size:]
print 'Data : ' + data
my_pkt = rdpcap("test.pcap")
sendp(my_pkt)
Test.pcap contains a UDP packet with UDP_src=7777 and UDP_dest=9999.
Traffic is generated using netcat as follows:
nc -u -p 7777 ip_dst_addr 9999
The sniffer can receive only first netcat msg and send test.pcap in response. But subsequent netcat msgs are not received at all. However, using any other combination of UDP ports in netcat, the sniffer works fine. For example: running netcat as:
nc -u -p 8888 ip_dst_addr 9999
there is no problem and I am able to send test.pcap in response to each UDP packet/msg.
Any help would be greatly appreciated!
Scapy has several built-in sniffers, that are really easy to use.
>>> help(sniff)
Help on function sniff in module scapy.arch.windows.compatibility:
sniff(count=0, store=1, offline=None, prn=None, stop_filter=None, lfilter=None, L2socket=None, timeout=None, *arg, **karg)
Sniff packets
sniff([count=0,] [prn=None,] [store=1,] [offline=None,] [lfilter=None,] + L2ListenSocket args) -> list of packets
Select interface to sniff by setting conf.iface. Use show_interfaces() to see interface names.
count: number of packets to capture. 0 means infinity
store: whether to store sniffed packets or discard them
prn: function to apply to each packet. If something is returned,
it is displayed. Ex:
ex: prn = lambda x: x.summary()
filter: provide a BPF filter
lfilter: python function applied to each packet to determine
if further action may be done
ex: lfilter = lambda x: x.haslayer(Padding)
offline: pcap file to read packets from, instead of sniffing them
timeout: stop sniffing after a given time (default: None)
L2socket: use the provided L2socket
stop_filter: python function applied to each packet to determine
if we have to stop the capture after this packet
ex: stop_filter = lambda x: x.haslayer(TCP)
Which means you could simply do:
packets = rdpcap("test.pcap")
sniff(lfilter=lambda x: x.haslayer(UDP) and x[Ether].src==sending_mac and x[UDP].sport==port, prn=lambda x: send(packets))
This will append all UDP packets to the test.pcap file
I'm creating a log server, that write incoming and outgoing connections (any type) to a TXT file . everything is working fine and here is my code :
from scapy.all import *
import datetime
from threading import Thread
from Queue import Queue, Empty
from scapy.layers.dns import DNS, DNSQR
firstime = 0
times = time.time()+86400
def print_summary(pkt):
global firstime
global times
if IP in pkt:
ip_src=pkt[IP].src
ip_dst=pkt[IP].dst
else:
ip_src="Null"
ip_dst="Null"
mac_src="Null"
mac_dst="Null"
if TCP in pkt:
tcp_sport=pkt[TCP].sport
tcp_dport=pkt[TCP].dport
else:
tcp_sport="Null"
tcp_dport="Null"
if DNSQR in pkt:
dns = pkt.qd.qname
else:
dns = "NULL"
if Ether in pkt:
mac_src = pkt[Ether].src
mac_dst = pkt[Ether].dst
else:
mac_src = "Null"
mac_dst = "Null"
Clog = " IP src: " + str(ip_src) +" ,MAC src: " + str(mac_src) + " , IP dst: " + str(ip_dst) +" ,MAC dst: "+str(mac_dst)+" ,TCP sport: " + str(tcp_sport) + ",TCP dport: " + str(tcp_dport) +", Time: " + str(time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(pkt.time))) + " Dns: "+dns
if(times > pkt.time):
if(firstime == 0):
f = open("/root/Desktop/LOG-SERVER/"+time.strftime('%Y-%m-%d %H:%M:', time.localtime(time.time()))+".txt",'a')
f.write(Clog+"\n")
f.close()
else:
f.write(Clog+"\n")
f.close()
else:
f = open("/root/Desktop/LOG-SERVER/"+time.strftime('%Y-%m-%d %H:%M:', time.localtime(time.time()))+".txt",'a')
f.write(Clog+"\n")
f.close()
times=times+86400
def startsnif():
sniff(prn=print_summary, store=0)
# you can filter with something like that
#if ( ( pkt[IP].src == "192.168.0.1") or ( pkt[IP].dst == "192.168.0.1") ):
# print("!")
#def writing(log,indexp):
#if(indexp == 0):
#f = open("/root/Desktop/LOG-SERVER/"+time.strftime('%Y-%m-%d %H:%M:', time.localtime(time.time()))+".txt",'a')
#f.write(log+"\n")
#f.close()
#else:
#f.write(log+"\n")
#f.close()
thread.start_new_thread(startsnif,());
while 1:
pass
# or it possible to filter with filter parameter...!
#sniff(filter="ip and host 192.168.0.1",prn=print_summary)
output is:
IP Src: 192.168.10.1 MAC Src: 54:55:12:FC:2D:CA IP Dst:192.168.10.15 MAC Src: 54:55:12:FC:1F:3A TCP sport: 80 TCP dport: 51233 Time:2015-12-16 13:25:11 DNS:Null(IF available DNS Name)
the problem is that the company got mikrotics, mikrotics mirror traffic through a technique called TZSP Sniff which encapsulate the packet with the IP of the router and MAC of the router IP of the destination PC MAC of the destination pc, i was searching and i couldn't find any appropriate solution but i read that you need to strip first 5 bytes of a packet.
is there a way to strip the TZSP encapsulation live(without saving PCAP), could you please explain the process because I'm new to this stuff?
please if you have any question ask I'm not very good in explaining stuff.
Thank you!
After examining the binary of the TZSP packet header it appears that TZSP strip original mac address after adding it's own, so the project was closed thank you for the help.