Misc Exercises
Exercise 1
Network sweeping
- Write a script to perform network sweeping i.e. given a IP address range, find all the machines that are alive
- Use any of the host discovery techniques that have been discussed but ARP tends to be neat and faster on local networks
$ sudo python hd_tcp_syn.py 192.168.56.99-110
192.168.56.102 is alive
192.168.56.103 is alive
192.168.56.107 is alive
Exercise 2
Port scanning
- Write a script to perform port scanning i.e. given an IP address, find status of ports on the machine(atleast find any open ports under 1024)
- Use any of the port scanning techniques that have been discussed
$ sudo python tcp_syn_scan.py 192.168.56.107
'ftp_data RA'
'21 RA
'ssh SA'
'telnet RA'
'24 RA'
Exercise 3
IP ID pattern finder
- Write a script that takes a target IP and checks for patterns in the IP ID generation
- Basic checks include: if the IP IDs generated are: all zeros, are all constant, are all randomized or if they are incremental.
Example:
$ sudo python ipidseq.py 192.168.56.101
Target => 192.168.56.101
[+] Sending packets to the target
[+] Analyzing the IPID pattern
[*] IPID generation pattern on scanme.nmap.org is randomized
Python/Scapy tips:
- Use
sr1
for sending packet and recieving first response - Python has in-built function
all()
that comes handy when comparing elements in list. Looking at below examples, think about how you can use it to do other comparisions.
>>> lis = [0,0,0,0]
>>> all(v == 0 for v in lis) # Checking if all elements in list are zero
True
>>> lis = [1,4,6,9,22,65,98,354]
>>>
>>> all(x<y for x, y in zip(lis, lis[1:])) # Checking if the elements are in increasing order
True
Exercise 4
IP ID scanner
- Your might have found a potential ‘zombie’ from the previous scan
- Write a script that takes a
zombie_ip
,victim_ip
.victim_port
Performs a ipid scan (Details in the notes)
For more detailed discussion: Idle scan
Example:
$ sudo python ipidscanner.py 192.168.56.102 192.168.56.103 4444
[+] Sending syn-ack to zombie
[+] Recording initial IPID
[+] Sending spoofed syn to victim
[+] Sending syn-ack to zombie
[+] Recording final IPID
[*] Initial IPID of zombie: 14
[*] Final IPID of zombie: 16
The port 4444 on 192.168.56.103 is open
Python/Scapy tips:
- Use
sr1()
orsend()
to send packets - Send
sr1()
and other packet sending functions take an extra argument verbose, setverbose=0
to avoid scapy output
Solution
idle scan consists of three steps that are repeated for each port:
- Probe the zombie’s IPID and record it. (Send a syn-ack to zombie, record ipid in response)
- Forge a SYN packet with zombie IP as source and victim IP, victim port as destination.
- Probe the zombie’s IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
- At this point, if the zombie’s IPID increased by one that the zombie hasn’t sent out any packets, except for its reply to the attacker’s probe. THis is an indication that the target port might be closed on victim.
- If the zombie’s IPID increased by two, it means the zombie sent out a packet between the two probes. This is an indication that the target port is open on the victim.
- If zombie IPIP increases by more than two, it usually indicates a bad zombie host. It might not have predictable IPID numbers, or might be engaged in communication unrelated to the idle scan.
Exercise 5
Packet hunting
- You are given a PCAP file - boston2016, this PCAP is suspected to be having covert channel activity. (someone trying to transfer data in a packet using unsual methods)
- Your task is to analyze this packet capture and find out the hidden data.
Python/Scapy tips:
rdpcap
to read a pcappacket[protocol]
to extract protocol specific contentpacket[protocol].field
to extract fieldformat(text,'04x')
is how you format into proper hex format in Python.- Use
join
method to join elements of a list".".join([192, 168, 99, 24]) –> 192.168.99.24
Solution hints I:
This is not a packet analysis or CTF class so I’ll describe the solution in plain terms here, try to codify it using Scapy.
- The covert activity might be happening through UDP checksums.
Solution hints II:
Spoilers ahead
- The data is being exfiltrated by one party through checksums.
- To be specific, UDP checksums in DNS queries is where the data is. - Extract the checksums from DNS queries.
- You have to read the checksums in “0x:(hex) format first. format(text,'0x')
- Decode the hex checksums into ascii and that’s the exfiltrated data.
Exercise 6
Packet analysis
Given a pcap file, find all the unique hosts in that pcap file and try and determine their OS.
$ python list_scan.py evidence.pcap
List of all the hosts and possible OS
-------------------------------------
192.168.56.0 - Linux
45.65.29.124 - Windows
198.56.101.2 - Linux
Exercise 7
Dummy network scanner
A client wants you to do a security audit on their network. Client provided you with a network range to scan and set of IP addresses to exclude from scan.
Before you run an actual network scan, write a script that lists all the IP addresses that falls under scan(similar to Nmap list scan). (Network range provided by client minus IP addresses to be excluded)
Example:
$ python list_scan.py --range 192.168.56.1/30 --exclude 192.168.56.2
Range => IPSet(['192.168.56.1/30'])
Exclude => IPSet(['192.168.56.2/32'])
192.168.56.0
192.168.56.1
192.168.56.3
Hints:
netaddr
library deals with Layer 3 addressingnetaddr.IPSet
has a remove method to remove elements
Exercise 8
Local network interface enumeration.
- Use a python library to list all the interfaces on your machine, find as much as you can(interface labels, addressing etc).
- When you print the output, make sure it’s easily readable.
Hints:
netifaces
helps enumerate local interfacesstring .format
method and pprint helps you print stuff beautifully in Python