---
title: Lab Meeting Minutes 2022/7/8
tags: lab_meeting
---

> Outline
> [TOC]

---

# PERAL Lab Meeting

- Time: 15:00, 8 July 2022 (ROC year 111)
- Place: [Online](https://meet.google.com/zgb-fmhy-gfk)
- Attendees: Prof. 吳坤熹, 謝萬霖, 周以恆, 吳騰然, 劉怡君, 田蕙瑜, 洪胤勛, 丘世宇, 莊才賢, 紀見如, 劉冠伶, 林大智, 繆亭霄
- Topic: [Scapy](http://ms15.voip.edu.tw/~phoebe/files/ppt/Lab_meeting/Scapy_v3.pptx)
- Presenter: 劉怡君
- Minutes taken by: 吳騰然

## Meeting Content

### Outline

- What is Scapy?
- Background
  - Layers in computer networks
- Hands on
  - Interface & routing
  - Packet & PacketList
  - Send/receive packets
  - rdpcap() & wrpcap()
- Common applications
  - Ping, traceroute
  - Sniffing
  - DNS query

### What is Scapy

- An interactive packet manipulation program. It can:
  - Create
  - Modify
  - Send/receive
  - Sniff
  - Analyze
- Forge or decode packets of a wide range of protocols.
- Without further ado, let's see Scapy in action!

### Hands on - Environment

- Connect to NCNU's VPN.
- SSH to the VM (10.22.22.36).
  - Username: lab
  - Password: our lab's default password
- Type `docker attach <YourEnglishName>`
  - e.g. `docker attach phoebe`; each person has a docker container named after them.
- Type `scapy` to enter Scapy.

### Hands on - Interface & Routing

- `conf.iface`, `conf.ifaces`: show the current host's interface(s)
- `conf.route`, `conf.route6`: Scapy's routing table

![](https://i.imgur.com/SPiwMKn.png)

- Add a route rule: `conf.route.add(host="172.17.1.4", gw="172.17.0.3")`
  - This only takes effect inside Scapy, so there is no need to worry about changing the whole host's routing table.
- Delete a route rule: `conf.route.delete(host="172.17.1.4", gw="172.17.0.3")`

![](https://i.imgur.com/Mh12xix.png)

- `conf.route.resync()`: restore the routing table to its original state

![](https://i.imgur.com/Bf5CAjJ.png)

### Background - Layers In Computer Network

- Computer networking is based on stacked protocol layers.
![](https://i.imgur.com/PmVYJ38.png)

### Hands on - Packet

- `ls(IP)`: show the fields in the IP header
- `a = IP()`
- `a.show()`
- `a = IP(dst="10.99.1.32")`
  - ![](https://i.imgur.com/V4BiwEk.png)
- `pkt = a/UDP(dport=80)`
- `pkt.summary()`
  - ![](https://i.imgur.com/bRXudnA.png)
- `hexdump(pkt)`
  - ![](https://i.imgur.com/Ne1n2gM.png)

### Hands on - Send/Receive Packets

- `send`: send packets at layer 3.
  - `send(pkt)`: send one packet
    - ![](https://i.imgur.com/AP8R4N7.png)
  - `send(pkt, count=5, inter=3)`: 5 packets, 3-second interval
    - ![](https://i.imgur.com/RbyZStO.png)
  - `b = send(pkt, count=3, inter=0.5, iface="eth0", return_packets=True)`: with `return_packets=True` the sent packets are returned as a PacketList
    - ![](https://i.imgur.com/iceBZRu.png)
  - Send in a loop (send `pkt` until ^C): `send(pkt, loop=1, inter=0.5)`
- `req = IP(dst="10.22.22.111")/ICMP()`
- `sr(req)`
  - ![](https://i.imgur.com/zZAszPT.png)
- `sr(pkt, retry=3, timeout=3)`
  - `retry`: how many times to resend packets that got no answer
  - ![](https://i.imgur.com/qmLAI26.png)
- `pkts = IP(dst="10.22.149.0/30")/ICMP()`
- `type(pkts)  # scapy.layers.inet.IP`
- `[p for p in pkts]  # list comprehension; iterating expands the address range into individual packets`
- `pkt1 = PacketList(_)  # _ is the result of the last command`
- `type(pkt1)`
- `pkt1.summary()`
- `pkt1.nsummary()`
  - ![](https://i.imgur.com/t6iXeVm.png)

### Hands on - SndRcvList & PacketList

- `sr()` returns a tuple holding two kinds of packet lists:
  - SndRcvList: stores the packets we sent together with their corresponding responses.
  - PacketList: any packet that did not get a response is placed here.
![](https://i.imgur.com/bdXudBd.png)

- `ans, unans = sr(pkt1, retry=2, timeout=1)`
  - ![](https://i.imgur.com/ip0wkD4.png)
- `type(ans)`
- `type(unans)`
  - Newer versions use `scapy.plist.QueryAnswer` for the elements of `ans`
- `ans.summary()`
- `type(ans[0])`
  - ![](https://i.imgur.com/yt5cI2r.png)

### Hands on - Answered & Unanswered Packets

![](https://i.imgur.com/0Kucrjy.png)

- `resp = ans[0][1]`
- `resp.show()`: view the response

### Hands on - Common applications - Ping

- ICMP ping
  - `srloop(IP(dst="10.22.22.111")/ICMP(), count=4)`
    - ![](https://i.imgur.com/7PEMCs8.png)
- ARP ping
  - `srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="10.22.149.0/24"), timeout=2)`
    - ![](https://i.imgur.com/tsgy2nj.png)
  - `ans.summary()`: view the hosts found by ARP; a single host can also be specified
  - `arping("10.22.149.0/24")`
    - ![](https://i.imgur.com/JEXbXiJ.png)

### Hands on - Common applications - Traceroute

- ICMP
  - `ans, unans = sr(IP(dst="8.8.8.8", ttl=(1,10))/ICMP())`
  - `for snd, rcv in ans: print(snd.ttl, rcv.src)`
    - ![](https://i.imgur.com/eb9TVV1.png)
  - `traceroute("8.8.8.8", maxttl=20)`
    - ![](https://i.imgur.com/w9j3jBf.png)

### Hands on - Common applications - Sniff

- `sniff(filter="host 172.17.0.15", count=10)`
  - `count`: how many packets to capture
  - ![](https://i.imgur.com/VkjEcpT.png)

:::info
Once 10 packets have been collected, sniffing stops automatically.
:::

- AsyncSniffer
  - `s = AsyncSniffer()`
  - `s.start()`: sniffing starts immediately, in the background
  - `print('hey')`
  - `s.stop()`

### Hands on - rdpcap() & wrpcap()

- wrpcap()
  - `wrpcap("captured.pcap", pkt1)`
- rdpcap()
  - `pcap = rdpcap("captured.pcap")`
  - `pcap`
    - ![](https://i.imgur.com/sAj4Vyu.png)
  - `pcap.nsummary()`: differs from `summary()` in that each line is numbered
  - `pcap[3]`: view the packet at index 3
  - `pcap[3].command()`: shows the Scapy command that would generate this packet
- rdpcap can read pcap files saved by Wireshark and tcpdump directly. This is very practical. For example, in an experiment you observe that a certain scenario when making a SIP call causes your recorder to crash. You can save the captured packets, and when you need to test later you no longer have to operate the phone to make a real call; just send the packets with Scapy. [name=Solomon]

### Hands on - Common applications - DNS query

- Application layer
- Transport layer
- Network layer
- `host = '163.22.22.65'`
- `dnsq = IP(dst=host)/UDP(dport=53)/DNS(qd=DNSQR(qname="iperf.pearl.ncnu.org", qtype="A"))`  (DNS uses UDP port 53)
- `sr1(dnsq)`
  - ![](https://i.imgur.com/XmM8WXO.png)
- `ls(DNSQR)`
  - Shows the field list of DNSQR. The Question Section contains three fields:
    - qname
    - qtype
    - qclass
- `conf.color_theme = ColorOnBlackTheme()`
  - Changes the interactive shell's colour theme

### Suggestions & Questions

1. Is this 10.22.22.36 the docker host that Phoebe set up for everyone earlier? [name=solomon]
   Ans: No. That one has a public IP address (163.22.21.125). It was hacked, so Branko enabled the firewall on it. [name=Phoebe]
2. Solomon: Duty Officer, please be reminded that such a security event must be reported to your advisor.
3. P.10 said the result is two-dimensional, but at the bottom it becomes three-dimensional; what does that mean? [name=Jennifer]
   Ans: If you receive the result as `ans, unans`, then `ans` is two-dimensional. If you receive it in a single variable `resp`, then `resp` is three-dimensional. [name=Phoebe]
4. P.7: the command in the black box still works when changed to `UDP()/TCP()`; why is that? [name=branko]
   Ans: Wrapping TCP inside UDP, there is nothing that forbids it. You can even wrap IP inside IP once more; that is the so-called IP-in-IP tunnel. [name=Solomon]
5. How do we know which packets came back? [name=Jerry]
   Ans: From `summary()`, or by looking at the counts returned at the bottom. [name=Phoebe]
6. ARP just now sent the packets out one by one; can all the packets be sent at once? [name=Jerry]
   Ans: It is not yet known whether Scapy provides this. [name=Phoebe]
   Broadcasts are sent with a longer gap between them; with `IP(dst="ms15.ipv6.club.tw", ttl=(1,20))` they all go out at once.
7. P.9: during this page's demo, it was mentioned that the new version has QueryAnswer; what is the difference from SndRcvList? [name=angela]
   Ans: Actually, QueryAnswer is derived from Tuple. https://scapy.readthedocs.io/en/latest/api/scapy.plist.html?highlight=queryanswer#scapy.plist.SndRcvList [name=phoebe]
8. It would help to add a screenshot next to the important commands, or put them in the slides beforehand, so everyone can see what the result looks like and picture it more easily. [name=Toby]
9. If we set a MAC address for the container, would the packets then get sent out? [name=Lawrence]
   Ans: It is not a question of whether a MAC address is assigned. If VM and container make it feel complicated, let us think about the problem with a physical machine: it depends on whether you were given enough privileges in the first place; if so, the packets can be sent out. [name=solomon]
10. P.14: what is the difference between sniff and AsyncSniffer? [name=August]
    Ans: The difference is that AsyncSniffer can run in the background, so you can go and do other things; sniff can only wait for packets. [name=Phoebe]
    After the presenter finished, August tried to summarize the material in his own words because there was so much of it; this is a good habit.
11. P.14: the filter in the example was not specified, so everything should be captured; why was no ICMP received? [name=Ashley]
    Ans: Other protocols may have been mixed in, so they could not be identified and were put under Other. [name=Phoebe]
    But Other is 10 times UDP and TCP combined; it is worth looking at what is inside.

## Follow-up Items

1. [name=]

## Other Business

- There will be a power outage tomorrow and the day after. We took the opportunity at the meeting to remind everyone to back up their data and shut down.

---

Meeting adjourned: 17:11