beraldo is currently certified at Apprentice level.

Name: Beraldo Leal
Member since: 2007-06-14 15:32:02
Last Login: 2008-08-15 15:08:58


Homepage: http://www.beraldoleal.com

Notes: I'm a Brazilian, living in Sao Paulo/SP who loves geek stuffs.

Recent blog entries by beraldo


28 Aug 2008 »

Grabbing and sending packets with Scapy (Scapy, part 2)

Hi folks, in the last post (a long time ago), I wrote a short introduction to the Scapy tool. In this post, I will show you how to grab and send packets with Scapy. This is a good way to develop tools to test any network application, such as studying Kaminsky's DNS flaw, since nobody talks about anything else on the Internet.

In Scapy there are many methods to send or receive packets on the network. The commands fall into the families below:

  • Send family - Just send packets at layer 2 or 3.
  • Send and Receive family - Send packets at layer 2 or 3 and print or store the results.
  • Sniff family - Receive packets in promiscuous mode and return them in a packet list.

This post is not intended as a reference for each of the families above. For more information, execute lsc() in Scapy and see the Scapy documentation.

You can see a sample of the Sniff family in action below (run Scapy as root):

>>> a=sniff(count=2)
>>> a
<Sniffed: UDP:2 ICMP:0 TCP:0 Other:0>
>>> a.nsummary()
0000 Ether / IP / UDP / DNS Qry "www.google.com."
0001 Ether / IP / UDP / DNS Ans "www.l.google.com."
>>> a[0].show()
###[ Ethernet ]###
dst= 00:03:99:89:83:a9
src= 00:1e:c9:1b:7b:da
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 60
id= 12959
flags= DF
frag= 0L
ttl= 64
proto= udp
chksum= 0xd5af
src= 10.1.0.1
dst= 200.170.95.182
options= ''
###[ UDP ]###
sport= 54584
dport= domain
len= 40
chksum= 0x329c
###[ DNS ]###
id= 16628
qr= 0L
opcode= QUERY
aa= 0L
tc= 0L
rd= 1L
ra= 0L
z= 0L
rcode= ok
qdcount= 1
ancount= 0
nscount= 0
arcount= 0
qd
|###[ DNS Question Record ]###
|  qname= 'www.google.com.'
|  qtype= A
|  qclass= IN
an= 0
ns= 0
ar= 0
>>>
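As an added example (not part of the original post), the Python below rebuilds that DNS query from the field values printed by a[0].show() and dissects it with only the standard library, so the layering Scapy displays can be followed byte by byte. It also checks both checksums: the IP one verifies, while the UDP field 0x329c equals the bare pseudo-header sum rather than the full checksum, which is consistent with checksum offload on the sending host (an inference from the values, not something the post states). The function names are constructed for this example.

```python
import socket
import struct

def csum_fold(data: bytes) -> int:
    """16-bit one's-complement sum of data (RFC 1071), not yet inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_frame() -> bytes:
    """Rebuild the sniffed query from the field values shown in the post (constructed input)."""
    src, dst = socket.inet_aton("10.1.0.1"), socket.inet_aton("200.170.95.182")
    qname = b"".join(bytes([len(p)]) + p for p in b"www.google.com".split(b".")) + b"\x00"
    # DNS: id, flags (only rd=1 set), qdcount=1, an/ns/ar=0, then question with qtype=A, qclass=IN
    dns = struct.pack("!6H", 16628, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)
    udp = struct.pack("!4H", 54584, 53, 40, 0x329C) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 12959, 0x4000, 64, 17, 0xD5AF, src, dst)
    eth = bytes.fromhex("0003998983a9" "001ec91b7bda" "0800")
    return eth + ip + udp

def dissect(frame: bytes) -> dict:
    """Walk Ethernet / IP / UDP / DNS by hand and evaluate both checksums."""
    ip = frame[14:]                      # skip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4             # IP header length in bytes
    hdr, udp = ip[:ihl], ip[ihl:]
    sport, dport, ulen, ucsum = struct.unpack("!4H", udp[:8])
    dns = udp[8:ulen]
    labels, i = [], 12                   # question starts after the 12-byte DNS header
    while dns[i]:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii"))
        i += 1 + dns[i]
    pseudo = hdr[12:20] + struct.pack("!BBH", 0, hdr[9], ulen)
    zeroed = udp[:6] + b"\x00\x00" + udp[8:ulen]
    return {
        "qname": ".".join(labels) + ".",
        "dport": dport,
        "ip_chksum_ok": csum_fold(hdr) == 0xFFFF,   # valid header sums to 0xffff
        "udp_field": ucsum,                          # value seen in the capture
        "udp_pseudo_sum": csum_fold(pseudo),         # what offload leaves in the field
        "udp_full": 0xFFFF ^ csum_fold(pseudo + zeroed),  # what the wire should carry
    }

if __name__ == "__main__":
    for key, value in dissect(build_frame()).items():
        print(key, hex(value) if key.startswith("udp_") else value)
```

When comparing checksums in locally sniffed outbound traffic, a mismatch like this one does not by itself indicate a corrupted or forged packet.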

The sniff() function accepts many parameters, such as a filter, a timeout, an interface (iface), and functions to apply to each packet (prn and lfilter).

>>> sniff(filter="udp and port 53", count=2, iface="eth0")
<Sniffed: UDP:2 ICMP:0 TCP:0 Other:0>
>>>

Sending a simple ICMP packet

>>> pkt=IP(dst="10.0.0.1")/ICMP()
>>> pkt
<IP  frag=0 proto=icmp dst=10.0.0.1 |<ICMP  |>>
>>> send(pkt,count=2)
..
Sent 2 packets.

OK, this is a simple sample, I know, but now you can use your mind and play with Scapy.

Syndicated 2008-08-28 14:20:24 from beraldoleal.com

1 Jul 2008 »

Scapy, part 1

Okay, you can say: you are outdated!! After all, it is a five-year-old tool. But I never gave it considerable attention. Last week I saw it in the top 100 network security tools on Fyodor's site, and I can't stop using it. I am talking about Scapy, a Python program that enables you to forge, dissect, emit or sniff network packets, probe, scan and whatever your mind wants.

This is a simple post, only to show the basic concepts of Scapy.

What is Scapy?

From the Scapy site:

"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."

ls -la
teste

Syndicated 2008-07-01 16:45:38 from beraldoleal.com

17 Jun 2008 »

Development at the hackathon, go Forrest go!!

On the openbsd-misc mailing list:

"Development is really fast right now, because of the hackathon in Edmonton.

We are testing as much as we can before we commit, but as always during these hackathon processes we really depend on our user community -- to track our changes and help spot the occasional bug we accidentally introduce.

We are developing really fast and hard; please help us by testing really fast and hard too.

There are some snapshots being made, of course, but people who are familiar with checking out their own trees can really help us by building and running it immediately."

- Theo de Raadt, in a June 11th, 2008 message.

Syndicated 2008-06-17 20:31:40 from beraldoleal.com

1 Apr 2008 »

Test

A quick test post for the asides.

Syndicated 2008-04-01 02:52:16 from beraldoleal.com


 

beraldo certified others as follows:

  • beraldo certified enerv as Journeyer
  • beraldo certified faw as Journeyer
  • beraldo certified terceiro as Journeyer
  • beraldo certified aurium as Journeyer
  • beraldo certified frolic as Journeyer

Others have certified beraldo as follows:

  • faw certified beraldo as Apprentice
  • frolic certified beraldo as Apprentice
  • chalst certified beraldo as Apprentice
