scapyで作る・解析するパケット

@takahoyo

Python- Pythonimport-

http://www.secdev.org/projects/scapy/ http://www.secdev.org/projects/scapy/doc/index.html

- - - pcap-

- http://yomikata.org/word/scapy

2015/9/30 2

Python 2- 3

Linux- Kali Linux- Ubuntu : sudo apt-get install python-scapy

Mac- brew : brew install libdnet scapy

- - http://www.secdev.org/projects/scapy/doc/installation.html

2015/9/30 3

2015/9/30 4

2015/9/30 5

2015/9/30

2015/9/30

Ethernet IP TCP

- Ex. Ethernet Ether

/-

- Ether()/IP()/TCP()

2015/9/30 8

Ethernet IP TCP

- Ethernet

Src MAC Addr: 00:00:00:00:00:00 Dst MAC Addr: 11:11:11:11:11:11

- IP Src IP Addr: 192.168.1.1 Dst IP Addr: 192.168.1.2

- TCP Src port: 1234 Dst port: 4321 Flag: SYN

2015/9/30 9

- ls()- Ex. Ether ls(Ether)

2015/9/30 10

- Ether(src="11:11:11:11:11:11",

dst="00:00:00:00:00:00)/IP(src="192.168.1.1", dst="192.168.1.2")/TCP(sport=1234, dport=4321, flags="S")

2015/9/30 11

packetpacketpacketWireshark

- wireshark(packet)

packetexample.pcap- wrpcap(example.pcap, packet)

2015/9/30 12

Wireshark

2015/9/30 13

Ether/IP/TCP

- ls()

- L1~L4- L5~L7

2015/9/30 14

2015/9/30 15

2015/9/30 16

- ICMP Echo Request

- send()- send()L2

Wireshark

2015/9/30 17

- sr()

- sr1()

2015/9/30 18

- sr()sr1()

2015/9/30 19

2015/9/30 20

function (, N:None) send(pkt, count=1,inter=1,iface=N) L3sendp(pkt, count=1, inter=1, iface=N) L2sendfast(pkt, pps=N, mbps=N, iface=N) tcpreplaysr(pkt, filter=N, iface=N) : L3srp(pkt, filter=N,iface=N) : L2

sr1(pkt, filter=N, iface=N) : L3srp1(pkt, filter=N, iface=N) : L2

1

srflood(pkt, filter=N, iface=N) : L3srpflood(pkt, filter=N, iface=N): L2

(Flood)

Python

- JPEGpython- - ICMP- - https://www.cloudshark.org/captures/48a2a5e3d98e-

2015/9/30 21

2015/9/30 22

2015/9/30 23

pcap- rdpcap()

- packetspcap- packets[n]n-1

2015/9/30

WiresharkScapy

2015/9/30 25

- packets- packets[n][layername].fieldname- 1: 1IP

- 2: 1ICMP

2015/9/30 26

- for

2015/9/30 27

- Wireshark

. - https://www.cloudshark.org/captures/20532c9a3305- ptunnel

: http://mrt-k.hateblo.jp/entry/2014/02/02/205332- TCPWiresharkFollow TCP Stream- ICMPWireshark- ScapyICMP -

2015/9/30 28

Wireshark

2015/9/30 29

28byte

29byteHTTP

Wireshark

2015/9/30 30

JPEG

Wireshark - ICMPptunnel - 28byteHTTP - GET /flag.jpgflag.jpg - JPEG

Scapy - ICMP - 28byte - JPEG - python

2015/9/30 31

2015/9/30 32

packets[n].time

2015/9/30 33

2015/9/30 34

-

Python- - Python

- Wireshark- nmap- p0f

2015/9/30 35

Python L5~L7 Python

- C

PcapNg- editcap

2015/9/30 36

Scapy- http://www.secdev.org/projects/scapy/doc/index.html

Scapy Cheat Sheet- http://packetlife.net/media/library/36/scapy.pdf

scapy - http://nigaky.hatenablog.com/entry/20110716/1310813250

Scapy- http://mrt-

k.github.io/scapy,nw/2015/02/16/Scapy%E3%81%A7%E3%81%AE%E3%83%91%E3%82%B1%E3%83%83%E3%83%88%E3%81%AE%E6%89%B1%E3%81%84%E6%96%B9/

Scapy presentation- http://www.slideshare.net/reonnishimura5/scapy-presentation

2015/9/30 37

scapyで作る・解析するパケット

Engineering