More Related Content Similar to Pycon Sec (20) Pycon Sec1. PyCon India 2009 Presentation Python tools for Network Security Anand B Pillai (abpillai@gmail.com) 16. Uses the libpcap library behind the scenes to capture packets off the network 17. Libpcap -> Is the most basic library and most widely used for packet capturing. Almost every network security tool which requires packet capturing is based on libpcap 19. Pylibcap - Python module for the libpcap packet capture library, based on the original python libpcap module by Aaron Rhodes, hosted on SF, latest stable rel 0.6.2 42. >>> pc = pcap.pcap(dumpfile='pkts.pcap') 48. Optionally the dispatch method can be used to pass the packet to a call-back function. The callback function accepts the time-stamp, pkt and any other arguments. 49. The loop method works similarly, but in an infinite loop. 50. Examples Import pcap pc = pcap.pcap('wlan0') pc.setfilter('icmp') def process(ts, pkt, *args): """ Process packets """ print ts, pkt if __name__ == "__main__": try: pc.loop(process) except Exception: pc.stats() 56. Supports a number of protocols with an API that allows easy creation of custom protocol classes. 57. Has a Pcap writer class which allows to save pycap packets to pcap files. These files are compatible with tcpdump/wireshark. 59. Using dpkt with pypcap A simple example which prints details of IP traffic in the network. import pcap, dpkt, socket pc = pcap.pcap('wlan0') count =0 def process(ts, pkt, *args): eth = dpkt.ethernet.Ethernet(pkt) ip = eth.data if ip.__class__==dpkt.ip.IP: global count count += 1 60. Using dpkt with pypcap ... src_ip = socket.inet_ntoa(ip.src) dst_ip = socket.inet_ntoa(ip.dst) print 'Packet #%d, %s=>%s, length %d, proto: %d' % (count, src_ip, dst_ip, ip.len, ip.p) if __name__ == "__main__": try: pc.loop(process) except KeyboardInterrupt: print pc.stats() 61. Sample Output anand@anand-laptop:~/programs/python$ sudo python2.5 pcap2.py Packet #1, 192.168.1.2=>66.102.7.99, length 84, proto: 1 Packet #2, 66.102.7.99=>192.168.1.2, length 84, proto: 1 Packet #3, 192.168.1.2=>192.168.1.1, length 70, proto: 17 Packet #4, 192.168.1.1=>192.168.1.2, length 246, proto: 17 Packet #5, 192.168.1.2=>66.102.7.99, length 84, proto: 1 Packet #6, 74.125.67.17=>192.168.1.2, length 80, proto: 6 Packet #7, 192.168.1.2=>74.125.67.17, length 52, proto: 6 Packet #8, 66.102.7.99=>192.168.1.2, length 84, proto: 1 Packet #9, 192.168.1.2=>192.168.1.1, length 70, proto: 17 Packet #10, 192.168.1.1=>192.168.1.2, length 246, proto: 17 ^Packet #11, 192.168.1.2=>66.102.7.99, length 84, proto: 1 63. HTTP Protocol Sniffer (Contd.) if ip.__class__==dpkt.ip.IP: ip1, ip2 = map(socket.inet_ntoa,[ip.src, ip.dst]) if ip.p != 6: return l7 = ip.data sport, dport = [l7.sport, l7.dport] if sport in ports or dport in ports: print 'From %s to %s, length: %d' % (ip1, ip2, len(l7.data)) # Save packet to file... pcw.writepkt(pkt) if __name__ == "__main__": try: pc.loop(process) except KeyboardInterrupt: print pc.stats() pcw.close() 65. Craft packets of a variety of protocols, send them on the wire, recieve replies, match requests and replies... 67. Scapy can be used to write new tools without the need of any special libraries 69. An interactive session with Scapy Send an echo request and dissect the first return packet. >>> from scapy import * >>> ip=IP(dst='www.google.com') >>> icmp=ICMP() >>> sr1(ip/icmp) Begin emission: .Finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets <IP version=4L ihl=5L tos=0x60 len=28 id=1 flags= frag=0L ttl=239 proto=ICMP chksum=0xc007 src=66.102.7.104 dst=192.168.1.2 options='' |<ICMP type=echo-reply code=0 chksum=0x0 id=0x0 seq=0x0 |>> 71. Host scanner (contd.) >>> results = _[0] >>> for pout, pin in results: ... if pin.flags == 2: print pout.dst ... 210.212.26.5 210.212.26.15 210.212.26.19 210.212.26.20 210.212.26.22 210.212.26.23 210.212.26.24 210.212.26.25 210.212.26.26 210.212.26.27 72. A slow port-scanner from scapy import * def scan(ip,start=80,end=443): open_ports = [] ip=IP(dst=ip)/TCP(dport=range(start,end+1), flags='S') results=sr(ip,verbose=0,timeout=30) for res in results[0]: if res[1]==None: continue if res[1].payload.flags==18: print 'Port %d is open' % res[0].dport open_ports.append(res[0].dport) return open_ports if __name__ == "__main__": print scan('random.org') 74. DNS Query >>> sr1(IP(dst="192.168.1.1")/UDP()/DNS(rd=1,qd=DNSQR(qname="www.python.org"))) Begin emission: .Finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets <IP version=4L ihl=5L tos=0x0 len=152 id=17093 flags=DF frag=0L ttl=250 proto=UDP chksum=0xba3b src=192.168.1.1 dst=192.168.1.2 options='' |<UDP sport=domain dport=domain len=132 chksum=0xee58 |<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=ok qdcount=1 ancount=1 nscount=2 arcount=2 qd=<DNSQR qname='www.python.org.' qtype=A qclass=IN |> an=<DNSRR rrname='www.python.org.' type=A rclass=IN ttl=30106 rdata=' 82.94.164.162 ' |> ns=<DNSRR rrname='python.org.' type=NS rclass=IN ttl=27914 rdata='ns.xs4all.nl.' |<DNSRR rrname='python.org.' type=NS rclass=IN ttl=27914 rdata='ns2.xs4all.nl.' |>> ar=<DNSRR rrname='ns.xs4all.nl.' type=A rclass=IN ttl=117171 rdata='194.109.6.67' |<DNSRR rrname='ns2.xs4all.nl.' type=A rclass=IN ttl=117171 rdata='194.109.9.100' |>> |>>> 75. Traceroute >>>ans,unans=sr(IP(dst=' www.google.com ',ttl=(4,25),id=123)/TCP(flags=0x2) Finished to send 22 packets. ********************.. >>> for snd,rcv in ans: ... print snd.ttl, rcv.src, isinstance(rcv.payload, TCP) 8 218.248.255.66 False 9 218.248.250.82 False 10 195.2.7.37 False 11 198.32.146.46 False 12 216.239.43.12 False 13 72.14.238.130 False 14 209.85.243.122 False 15 209.85.251.94 False 16 74.125.19.105 True 77. Passive OS fingerprinting >>> p <Ether dst=00:10:4b:b3:7d:4e src=00:40:33:96:7b:60 type=0x800 |<IP version=4L ihl=5L tos=0x0 len=60 id=61681 flags=DF frag=0L ttl=64 proto=TCP chksum=0xb85e src=192.168.8.10 dst=192.168.8.1 options='' |<TCP sport=46511 dport=80 seq=2023566040L ack=0L dataofs=10L reserved=0L flags=SEC window=5840 chksum=0x570c urgptr=0 options=[('Timestamp', (342940201L, 0L)), ('MSS', 1460), ('NOP', ()), ('SAckOK', ''), ('WScale', 0)] |>>> >>> p0f(p) (1.0, ['Linux 2.4.2 - 2.4.14 (1)']) 84. Dpkt - http://code.google.com/p/dpkt/ 85. Scapy - http://www.secdev.org/projects/scapy/