- Write a script to perform network sweeping i.e. given a IP address range, find all the machines that are alive
- Use any of the host discovery techniques that have been discussed but ARP tends to be neat and faster on local networks
$ sudo python hd_tcp_syn.py 192.168.56.99-110 192.168.56.102 is alive 192.168.56.103 is alive 192.168.56.107 is alive
- Write a script to perform port scanning i.e. given an IP address, find status of ports on the machine(atleast find any open ports under 1024)
- Use any of the port scanning techniques that have been discussed
$ sudo python tcp_syn_scan.py 192.168.56.107 'ftp_data RA' '21 RA 'ssh SA' 'telnet RA' '24 RA'
- Write a script that takes a target IP and checks for patterns in the IP ID generation
- Basic checks include: if the IP IDs generated are: all zeros, are all constant, are all randomized or if they are incremental.
$ sudo python ipidseq.py 192.168.56.101 Target => 192.168.56.101 [+] Sending packets to the target [+] Analyzing the IPID pattern [*] IPID generation pattern on scanme.nmap.org is randomized
sr1for sending packet and recieving first response
- Python has in-built function
all()that comes handy when comparing elements in list. Looking at below examples, think about how you can use it to do other comparisions.
>>> lis = [0,0,0,0] >>> all(v == 0 for v in lis) # Checking if all elements in list are zero True
>>> lis = [1,4,6,9,22,65,98,354] >>> >>> all(x<y for x, y in zip(lis, lis[1:])) # Checking if the elements are in increasing order True
- Your might have found a potential ‘zombie’ from the previous scan
- Write a script that takes a
victim_portPerforms a ipid scan (Details in the notes)
For more detailed discussion: Idle scan
$ sudo python ipidscanner.py 192.168.56.102 192.168.56.103 4444 [+] Sending syn-ack to zombie [+] Recording initial IPID [+] Sending spoofed syn to victim [+] Sending syn-ack to zombie [+] Recording final IPID [*] Initial IPID of zombie: 14 [*] Final IPID of zombie: 16 The port 4444 on 192.168.56.103 is open
send()to send packets
sr1()and other packet sending functions take an extra argument verbose, set
verbose=0to avoid scapy output
idle scan consists of three steps that are repeated for each port:
- Probe the zombie’s IPID and record it. (Send a syn-ack to zombie, record ipid in response)
- Forge a SYN packet with zombie IP as source and victim IP, victim port as destination.
- Probe the zombie’s IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
- At this point, if the zombie’s IPID increased by one that the zombie hasn’t sent out any packets, except for its reply to the attacker’s probe. THis is an indication that the target port might be closed on victim.
- If the zombie’s IPID increased by two, it means the zombie sent out a packet between the two probes. This is an indication that the target port is open on the victim.
- If zombie IPIP increases by more than two, it usually indicates a bad zombie host. It might not have predictable IPID numbers, or might be engaged in communication unrelated to the idle scan.
- You are given a PCAP file - boston2016, this PCAP is suspected to be having covert channel activity. (someone trying to transfer data in a packet using unsual methods)
- Your task is to analyze this packet capture and find out the hidden data.
rdpcapto read a pcap
packet[protocol]to extract protocol specific content
packet[protocol].fieldto extract field
format(text,'04x')is how you format into proper hex format in Python.
joinmethod to join elements of a list
".".join([192, 168, 99, 24]) –> 192.168.99.24
This is not a packet analysis or CTF class so I’ll describe the solution in plain terms here, try to codify it using Scapy.
- The covert activity might be happening through UDP checksums.
- The data is being exfiltrated by one party through checksums.
- To be specific, UDP checksums in DNS queries is where the data is. - Extract the checksums from DNS queries.
- You have to read the checksums in “0x:(hex) format first. format(text,'0x')
- Decode the hex checksums into ascii and that’s the exfiltrated data.
Given a pcap file, find all the unique hosts in that pcap file and try and determine their OS.
$ python list_scan.py evidence.pcap List of all the hosts and possible OS ------------------------------------- 192.168.56.0 - Linux 220.127.116.11 - Windows 18.104.22.168 - Linux
A client wants you to do a security audit on their network. Client provided you with a network range to scan and set of IP addresses to exclude from scan.
Before you run an actual network scan, write a script that lists all the IP addresses that falls under scan(similar to Nmap list scan). (Network range provided by client minus IP addresses to be excluded)
$ python list_scan.py --range 192.168.56.1/30 --exclude 192.168.56.2 Range => IPSet(['192.168.56.1/30']) Exclude => IPSet(['192.168.56.2/32']) 192.168.56.0 192.168.56.1 192.168.56.3
netaddrlibrary deals with Layer 3 addressing
netaddr.IPSethas a remove method to remove elements
- Use a python library to list all the interfaces on your machine, find as much as you can(interface labels, addressing etc).
- When you print the output, make sure it’s easily readable.
netifaceshelps enumerate local interfaces
string .formatmethod and pprint helps you print stuff beautifully in Python