- In these series of posts we will see how to build some necessary tools from scratch to perform our tasks. Today we focus our attention on network, we are going to build a sniffer and a relative simple parser. Why don’t I use the well-known tcpdump? Wireshark? Tshark? First of all it’s more satisfactory to code your own tool, second it’s a good practice to develop a problem solving attitude and improve our knowledge, and finally it’s so cool to code in Python! ;)
-
- The holy Python helps us, some smart guys of the famous security agency Core Security have coded two modulesPcapy and Impacket. The first one is an interface with the well known libpcap packet capture library, while the second one is a power module to craft and decode packets.
-
- In this post we will see some parts of two scripts, the first yas.py will sniff and save the traffic in a .pcap file, the second, pcapino.py will parse the previous file looking for UDP and TCP connections, in particular the script will show us the following information: the type of layer 4 used (TCP or UDP), the source ip and source port, the destination ip and the destination port, the sequential number, the window size and GET request if they are present. We need this information in order to figure out what a program, maybe potentially dangerous does, in this demonstrative scripts I’ll pay attention on GET request and DNS activity ( most common activities to droppers and/or dnschangers :) ).
-
- The first thing to do is to code the sniffer that dumps all traffic in a .pcap file, let’s see some snippets:
-
- #
- # Yet Another Sniffer - 5D4A LAB - emdel
- # Contact: "echo "emfuckspammer87@gmail.com" | sed s/fuckspammer/del/ "
- # To stop it use ctrl-c ^_* Have fun!
- #
-
- import pcapy, sys
- from pcapy import findalldevs, open_live
- from impacket.ImpactDecoder import EthDecoder
-
- Here we observe clearly the necessary import, in particular pcapy and impacket.
- Now let’s see the part that realizes the dump:
-
- class Handling:
-
- def __init__( self, pcapObj, decoder, dmp ):
- self.d = pcapObj
- self.dec = decoder
- self.dumper = dmp
-
- def PktHandler( self, hdr, data ):
- self.dumper.dump( hdr, data )
-
- Here we notice how, once we have sniffed the packet, how to dump it on the .pcap file.
- Now we must code our parser focusing on tcp and udp, let’s observe the some snippets from the parser:
-
- # pcapino - 5D4A LAB - emdel
- # Description: It is a simple pcap file parser
- # Author: emdel - 5D4A LAB - "echo "emfuckspammer87@gmail.com" | sed s/fuckspammer/del/ "
- # TODO: - Follow TCP sessions - Parse L7 - More support to L2
- # Have fun!
-
- import pcapy, sys, string
- from pcapy import open_offline
- from impacket.ImpactDecoder import EthDecoder
-
- Again the same import except for open_offline, logically we open the file .pcap and so we are not in an online scenario :)
-
- class Handling:
-
- def __init__( self, pcapObj, decoder ):
- self.d = pcapObj
- self.dec = decoder
-
- def PktHandler( self, hdr, data ):
-
- pkt = self.dec.decode( data )
- ip = pkt.child( )
-
- if ip.get_ip_p( ) == 17:
- udp = ip.child( )
- print "| %s\t| %s:%d \t| %s:%d \t| %c\t\t |\t%c\t | %s" % ( "UDP", ip.get_ip_src(), udp.get_uh_sport( ), ip.get_ip_dst(),udp.get_uh_dport( ), "/", "/", "/" )
- ....
-
- Here we see how we handle an UDP packet and how we can print it on the stdout, first we check the protocol field on the IP header to see if it is TCP or UDP and then we manage it properly.
- Now it’s time to launch these scripts and check if they run properly ;) :
-
- [root@zangetsu lab (22:56)]# python yas.py post.pcap
-
- ** Yet Another Sniffer - 5D4A LAB **
-
- :: Interfaces:
- |__ eth0
- |__ bluetooth0
- |__ lo
- :: Datalink: DLT_EN10MB
- :: Sniffing on eth0 - network: xxx.xxx.xxx.0 - mask: 255.255.255.0
-
- :: Packets:
-
- Exiting...
-
- Let’s see what we have sniffed:
-
- ** pcapino - 5D4A LAB **
-
- :: Pcap filter: tcp or udp
- :: Parsing post.pcap
- :: Traffic sniffed on DLT_EN10MB
-
- :: Parsing...
-
- ------------------------------------------------------------------------------------------------------------------------------------
- | TYPE | FROM | TO | SEQ | WIN | GET
- ------------------------------------------------------------------------------------------------------------------------------------
- | TCP | xxx.xxx.xxx.xxx:45235 | 64.4.34.150:1863 | 3771785275 | 1002 |
- | TCP | xxx.xxx.xxx.xxx:45235 | 64.4.34.150:1863 | 3771785280 | 1002 |
- | UDP | xxx.xxx.xxx.xxx:53401 | 208.67.222.222:53 | / | / | /
- | UDP | xxx.xxx.xxx.xxx.:53401 | 208.67.222.222:53 | / | / | /
- | UDP | 208.67.222.222:53 | xxx.xxx.xxx.xxx:53401 | / | / | /
- | TCP | xxx.xxx.xxx.xxx:56529 | 200.123.107.174:80 | 2985889925 | 92 |
- | TCP | xxx.xxx.xxx.xxx:56529 | 200.123.107.174:80 | 2985889925 | 92 | GET /project/impacket.html HTTP/1.1
- | TCP | 200.123.107.174:80 | xxx.xxx.xxx.xxx:56529 | 3980002124 | 17160 |
- | TCP | xxx.xxx.xxx.xxx:56529 | 200.123.107.174:80 | 2985890508 | 108 |
- | TCP | xxx.xxx.xxx.xxx:56529 | 200.123.107.174:80 | 2985890508 | 108 | GET /p_w_picpaths/style.css HTTP/1.1
-
- ...............
-
- As we can see we obtain what we have designed, I’m sorry for this poor layout but this is what wordpress.com offers me, and we have a better idea of what is the activity in our network or in an analysis scenario and maybe we understand what the program tries to do. These two scripts can be easily modified to perform other interesting tasks, e.g see the comments at the beginning of pcapino, we could follow the tcp streams, parse in a better way the protocols at layer 7 of ISO/OSI model, in particular to a hypothetical malware analysis HTTP and IRC, or monitor a worm in its efforts to infect other hosts.
-
- Happy hacking
-
- Regards,
