Building and analyzing packets with scapy
TRANSCRIPT
@takahoyo
Python- Pythonimport-
- http://www.secdev.org/projects/scapy/
- http://www.secdev.org/projects/scapy/doc/index.html
- - - pcap-
- http://yomikata.org/word/scapy
2015/9/30 2
Python 2- 3
- Linux (Kali Linux, Ubuntu): sudo apt-get install python-scapy
- Mac (brew): brew install libdnet scapy
- http://www.secdev.org/projects/scapy/doc/installation.html
Ethernet IP TCP
- Ex. the Ethernet layer is the Ether class
- Layers are stacked with /
- Ether()/IP()/TCP()
Ethernet IP TCP
- Ethernet: Src MAC Addr: 00:00:00:00:00:00, Dst MAC Addr: 11:11:11:11:11:11
- IP: Src IP Addr: 192.168.1.1, Dst IP Addr: 192.168.1.2
- TCP: Src port: 1234, Dst port: 4321, Flag: SYN
- ls() lists the fields of a layer. Ex. for Ether: ls(Ether)
- Ether(src="00:00:00:00:00:00", dst="11:11:11:11:11:11")/IP(src="192.168.1.1", dst="192.168.1.2")/TCP(sport=1234, dport=4321, flags="S")
- Open the packet in Wireshark: wireshark(packet)
- Save the packet to example.pcap: wrpcap("example.pcap", packet)
Wireshark
Ether/IP/TCP
- ls()
- L1~L4
- L5~L7
- ICMP Echo Request
- send()- send()L2
Wireshark
- sr()
- sr1()
- sr(), sr1()
function (N = None) : description
send(pkt, count=1, inter=1, iface=N) : send at L3
sendp(pkt, count=1, inter=1, iface=N) : send at L2
sendpfast(pkt, pps=N, mbps=N, iface=N) : fast send via tcpreplay
sr(pkt, filter=N, iface=N) : send and receive at L3
srp(pkt, filter=N, iface=N) : send and receive at L2
sr1(pkt, filter=N, iface=N) : send and receive 1 reply at L3
srp1(pkt, filter=N, iface=N) : send and receive 1 reply at L2
srflood(pkt, filter=N, iface=N) : send and receive at L3 (Flood)
srpflood(pkt, filter=N, iface=N) : send and receive at L2 (Flood)
Python
- JPEG, python
- ICMP
- https://www.cloudshark.org/captures/48a2a5e3d98e
- Read a pcap with rdpcap()
- packets: the n-th packet of the pcap is packets[n-1]
WiresharkScapy
- Access a field: packets[n][layername].fieldname
- Ex. 1: packet 1, IP layer
- Ex. 2: packet 1, ICMP layer
- for
- Wireshark
- https://www.cloudshark.org/captures/20532c9a3305
- ptunnel: http://mrt-k.hateblo.jp/entry/2014/02/02/205332
- TCP: Wireshark, Follow TCP Stream
- ICMP: Wireshark
- Scapy: ICMP
Wireshark
- First 28 bytes: ptunnel header
- From byte 29: HTTP
Wireshark
JPEG
Wireshark
- The ICMP traffic is ptunnel
- After the 28-byte header comes HTTP
- GET /flag.jpg, i.e. flag.jpg
- JPEG
Scapy
- Take the ICMP packets
- Skip the 28-byte header
- Reassemble the JPEG
- in python
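An added end-to-end example (not from the original slides): it builds a small ptunnel-style capture with Scapy's Ether()/IP()/ICMP()/Raw() stacking, then carves the JPEG back out by skipping the 28-byte ptunnel header in every ICMP payload. The file names, the all-zero fake header and the packet contents are constructed for the demo; the helpers that do the byte work run without Scapy.

```python
PTUNNEL_HEADER_LEN = 28                        # header size stated on the slides
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"   # JPEG start/end-of-image markers

def strip_ptunnel_header(payload, header_len=PTUNNEL_HEADER_LEN):
    """Data carried after the ptunnel header; b"" for a header-only packet."""
    return payload[header_len:]

def reassemble_jpeg(payloads, header_len=PTUNNEL_HEADER_LEN):
    """Join the tunnelled data in capture order and cut out the first JPEG.
    Returns None when no complete SOI..EOI span exists (truncated capture)."""
    stream = b"".join(strip_ptunnel_header(p, header_len) for p in payloads)
    start = stream.find(JPEG_SOI)
    end = stream.find(JPEG_EOI, start) if start >= 0 else -1
    return stream[start:end + 2] if end >= 0 else None

def icmp_payloads(pcap_path):
    """Raw payload of every ICMP packet in the pcap, in file order (needs Scapy)."""
    from scapy.all import rdpcap, ICMP, Raw
    return [bytes(p[Raw].load) for p in rdpcap(pcap_path) if ICMP in p and Raw in p]

def write_sample_pcap(pcap_path, chunks, fake_header=b"\x00" * PTUNNEL_HEADER_LEN):
    """Constructed capture: each chunk becomes one Echo Reply carrying
    fake_header + chunk, stacked Ether()/IP()/ICMP()/Raw() as on the slides."""
    from scapy.all import Ether, IP, ICMP, Raw, wrpcap
    pkts = [Ether(src="00:00:00:00:00:00", dst="11:11:11:11:11:11")
            / IP(src="192.168.1.2", dst="192.168.1.1")
            / ICMP(type=0, id=1, seq=i)
            / Raw(load=fake_header + chunk)
            for i, chunk in enumerate(chunks)]
    wrpcap(pcap_path, pkts)

def carve_jpeg(pcap_path, out_path="flag.jpg"):
    """Carve the tunnelled JPEG from pcap_path into out_path; returns bytes written."""
    data = reassemble_jpeg(icmp_payloads(pcap_path))
    if data is None:
        return 0
    with open(out_path, "wb") as f:
        f.write(data)
    return len(data)

if __name__ == "__main__":
    # Constructed "image": SOI, a few body bytes, EOI, split over three packets.
    write_sample_pcap("demo.pcap", [JPEG_SOI + b"\x01\x02", b"\x03\x04", b"\x05" + JPEG_EOI])
    print(carve_jpeg("demo.pcap"))  # 7
```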
packets[n].time
Python- - Python
- Wireshark
- nmap
- p0f
Python L5~L7 Python
- C
- PcapNg: editcap
- Scapy: http://www.secdev.org/projects/scapy/doc/index.html
- Scapy Cheat Sheet: http://packetlife.net/media/library/36/scapy.pdf
- scapy: http://nigaky.hatenablog.com/entry/20110716/1310813250
- Scapy: http://mrt-k.github.io/scapy,nw/2015/02/16/Scapy%E3%81%A7%E3%81%AE%E3%83%91%E3%82%B1%E3%83%83%E3%83%88%E3%81%AE%E6%89%B1%E3%81%84%E6%96%B9/
- Scapy presentation: http://www.slideshare.net/reonnishimura5/scapy-presentation