{"id":3247,"date":"2021-06-29T13:05:48","date_gmt":"2021-06-29T11:05:48","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3247"},"modified":"2023-12-24T12:46:57","modified_gmt":"2023-12-24T11:46:57","slug":"network-paket-analyzation-and-modification","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3247","title":{"rendered":"Network packet analyzation and modification"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Scapy fundamentals<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Com\u00admands for the inter\u00adac\u00adtive scapy interpreter:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><code>conf.iface<\/code> shows the cur\u00adrent\u00adly used interface<ul><li><code>conf.iface='tun0'<\/code> sets the inter\u00adface to&nbsp;use<\/li><\/ul><\/li><li><code>ls<\/code> shows all protocols<\/li><li><code>ls(TCP)<\/code> shows all known head\u00aders for a giv\u00aden protocol<\/li><li><code>lsc<\/code> shows build-in functions<\/li><li>Details about a pack\u00adet <code>p<\/code>:<ul><li><code data-enlighter-language=\"generic\" class=\"EnlighterJSRAW\"><code>p<\/code><\/code> shows gen\u00ader\u00adal information<\/li><li><code>p.summary()<\/code> shows also gen\u00ader\u00adal information<\/li><li><code>p.show() <\/code>shows each field and its&nbsp;value<\/li><li><code>ls(p)<\/code> shows each field and its val\u00adue and also the default val\u00adues for each&nbsp;field.<\/li><li><code>hexdump(p) <\/code>shows the whole pack\u00adet as&nbsp;hex<\/li><li><code>wireshark(p)<\/code> opens the pack\u00adet in wireshark<\/li><\/ul><\/li><li>Send\u00ading pack\u00adet <code>p<\/code>:<ul><li><code>send(p)<\/code> sends the pack\u00adet and adds lay\u00aders below, e.g. includes it into a Eth\u00ader\u00adnet&nbsp;frame.<\/li><li><code>sendp(p)<\/code> sends the pack\u00adet with\u00adout adding addi\u00adtion\u00adal layers.&nbsp;<\/li><li><code>answered, unanswered = sr(p) <\/code>send and receive packets<\/li><li><code>answered, unanswered = sr1(p)<\/code> send and receive one pack\u00adet and stop&nbsp;then<\/li><\/ul><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Crafting packets<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a sim\u00adple <span class=\"caps\">TCP<\/span>\/<span class=\"caps\">IP<\/span> packet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/\/ Create an IP packet to a host.\np = IP(dst=\"10.10.10.10\")\n\/\/ Add a TCP packet over the IP packet with a destination port.\np \/= TCP(dport=[80, 443])\n\/\/ Send the packet and receive\/evalute 1 return packet.\nsr1(p)\n\n\/\/ The same in one command, also with two return sets:\nanswered, unanswered = sr1(IP(dst=\"10.10.10.10\")\/TCP(dport=[80, 443]))\n\/\/ afterwards you can use the variables to inspect all successful and unsuccessful connection attempts.<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The pack\u00adets are stacked togeth\u00ader and can mod\u00adi\u00adfied at each&nbsp;level:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"248\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/06\/Bildschirmfoto-2021-06-29-um-13.24.29-1024x248.png\" alt class=\"wp-image-3254\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/06\/Bildschirmfoto-2021-06-29-um-13.24.29-1024x248.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/06\/Bildschirmfoto-2021-06-29-um-13.24.29-300x73.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/06\/Bildschirmfoto-2021-06-29-um-13.24.29-768x186.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/06\/Bildschirmfoto-2021-06-29-um-13.24.29.png 1502w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">When query\u00ading for a field, it search\u00ades the field through all lev\u00adels. E.g. when typ\u00ading <code>p.payload<\/code> it will return the pay\u00adload from the <span class=\"caps\">IP<\/span> pack\u00adet because the Eth\u00ader\u00adnet pack\u00adet does\u00adn\u2019t have a pay\u00adload field. Alter\u00adna\u00adtive:<code> p[IP].payload<\/code> queries the field for the giv\u00aden pro\u00adto\u00adcol with\u00adin the&nbsp;stack.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scapy fun\u00adda\u00admen\u00adtals Com\u00admands for the inter\u00adac\u00adtive scapy inter\u00adpreter: conf.iface shows the cur\u00adrent\u00adly used inter\u00adface&nbsp; conf.iface=\u2018tun0\u2019 sets the inter\u00adface to&nbsp;use ls shows all pro\u00adto\u00adcols ls(<span class=\"caps\">TCP<\/span>) shows all known head\u00aders for a giv\u00aden pro\u00adto\u00adcol lsc shows build-in func\u00adtions Details about a pack\u00adet p: p shows gen\u00ader\u00adal infor\u00adma\u00adtion p.summary() shows also gen\u00ader\u00adal infor\u00adma\u00adtion p.show() shows each field&nbsp;and&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,475,476],"tags":[411,178,410],"class_list":["post-3247","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-attack-tool","category-defence-tool","tag-network","tag-python","tag-scapy"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3247"}],"version-history":[{"count":9,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3247\/revisions"}],"predecessor-version":[{"id":3263,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3247\/revisions\/3263"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}