---
title: Lab Meeting Minutes 2022/7/8
tags: lab_meeting
---
> Outline
> [TOC]
---
# PERAL Lab Meeting
- Time: 15:00, 8 July 2022 (ROC year 111)
- Location: [Online](https://meet.google.com/zgb-fmhy-gfk)
- Attendees: Prof. 吳坤熹, 謝萬霖, 周以恆, 吳騰然, 劉怡君, 田蕙瑜, 洪胤勛, 丘世宇, 莊才賢, 紀見如, 劉冠伶, 林大智, 繆亭霄
- Topic: [Scapy](http://ms15.voip.edu.tw/~phoebe/files/ppt/Lab_meeting/Scapy_v3.pptx)
- Presenter: 劉怡君
- Minutes taker: 吳騰然
## Minutes
### Outline
- What is Scapy?
- Background - Layers In Computer Network
- Hands on
    - Interface & Routing
    - Packet & PacketList
    - Send/Receive Packets
    - rdpcap() & wrpcap()
- Common applications
    - Ping, Traceroute
    - Sniffing
    - DNS query
### What is Scapy
- Interactive packet manipulation program.
    - Create
    - Modify
    - Send/Receive
    - Sniff
    - Analyze
- Forge or decode packets of a wide number of protocols.
- Without further ado, let's see Scapy in action!
### Hands on - Environment
- Connect to NCNU's VPN.
- SSH to the VM (10.22.22.36).
    - Username: lab
    - Password: our lab's default password
- Type `docker attach <YourEnglishName>`
    - e.g. `docker attach phoebe`; everyone has a Docker container named after them.
- Type `scapy` to enter Scapy.
### Hands on - Interface & Routing
- `conf.iface`, `conf.ifaces`: the network interfaces of the current host
- `conf.route`, `conf.route6`: Scapy's own routing tables (IPv4 and IPv6)
![](https://i.imgur.com/SPiwMKn.png)
- add a route rule: `conf.route.add(host="172.17.1.4", gw="172.17.0.3")`
    - this only takes effect inside Scapy, so there is no need to worry about changing the host's routing table
- delete a route rule: `conf.route.delete(host="172.17.1.4", gw="172.17.0.3")`
![](https://i.imgur.com/Mh12xix.png)
- `conf.route.resync()`: restore the routing table to its original state
![](https://i.imgur.com/Bf5CAjJ.png)
### Background - Layers In Computer Network
- Computer networking is based on stacked protocol layers.
![](https://i.imgur.com/PmVYJ38.png)
### Hands on - Packet
- `ls(IP)`: show the fields in the IP header
- `a = IP()`
- `a.show()`
- `a = IP(dst="10.99.1.32")`
![](https://i.imgur.com/V4BiwEk.png)
- `pkt = a/UDP(dport=80)`
- `pkt.summary()`
![](https://i.imgur.com/bRXudnA.png)
- `hexdump(pkt)`
- ![](https://i.imgur.com/Ne1n2gM.png)
### Hands on - Send/Receive Packets
- send
    - Send packets at layer 3.
    - `send(pkt)`
    - ![](https://i.imgur.com/AP8R4N7.png)
    - sends a single packet
    - `send(pkt, count=5, inter=3)` # 5 packets, 3-second interval
    - ![](https://i.imgur.com/RbyZStO.png)
    - `b = send(pkt, count=3, inter=0.5, iface="eth0", return_packets=True)` # return_packets=True gives back the packets that were sent
    - ![](https://i.imgur.com/iceBZRu.png)
    - send in a loop (keeps sending pkt until ^C)
    - `send(pkt, loop=1, inter=0.5)`
- `req = IP(dst="10.22.22.111")/ICMP()`
- `sr(req)`
![](https://i.imgur.com/zZAszPT.png)
- `sr(pkt, retry=3, timeout=3)`
    - retry: how many times to retransmit after a failure
![](https://i.imgur.com/qmLAI26.png)
![](https://i.imgur.com/qmLAI26.png)
- `pkts = IP(dst="10.22.149.0/30")/ICMP()`
- `type(pkts)` # scapy.layers.inet.IP
- `[p for p in pkts]` # list comprehension: one packet per address in the /30
- `pkt1 = PacketList(_)` # _ is the result of the last command
- `type(pkt1)`
- `pkt1.summary()`
- `pkt1.nsummary()`
- ![](https://i.imgur.com/t6iXeVm.png)
### Hands on - SndRcvList & PacketList
- sr() returns a tuple holding two kinds of packet-list classes:
    - SndRcvList: stores the packets we sent together with their corresponding responses.
    - PacketList: any packet that did not receive a response is placed here.
![](https://i.imgur.com/bdXudBd.png)
- `ans, unans = sr(pkt1, retry=2, timeout=1)`
![](https://i.imgur.com/ip0wkD4.png)
- `type(ans)`
- `type(unans)`
- newer versions use `scapy.plist.QueryAnswer` for the entries of the SndRcvList
- `ans.summary()`
- `type(ans[0])`
![](https://i.imgur.com/yt5cI2r.png)
### Hands on - Answered & Unanswered Packets
![](https://i.imgur.com/0Kucrjy.png)
- `resp = ans[0][1]`
- `resp.show()`: view the response
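An added illustration (not code from the talk or from Scapy) of how `sr()` sorts probes into answered pairs and unanswered packets: Scapy matches an ICMP echo reply to its request by id and seq in `answers()`, and the plain-Python sketch below does the same on constructed ICMP messages. `pair_answers`, `icmp_echo` and the sample data are hypothetical names introduced here.

```python
"""Pure-Python sketch of how sr() splits probes into ans/unans (added example,
not Scapy's code): a reply matches a probe when its ICMP id/seq equal the probe's."""
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means a received message verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_echo(icmp_type: int, ident: int, seq: int, payload=b"") -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0)."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    icmp_type, _code, _csum, ident, seq = struct.unpack_from("!BBHHH", msg)
    return {"type": icmp_type, "id": ident, "seq": seq,
            "csum_ok": icmp_checksum(msg) == 0}

def pair_answers(sent, received):
    """Return (ans, unans) like sr(): ans holds (probe, reply) pairs in probe
    order, unans the probes that no valid echo reply matched."""
    replies = {(r["id"], r["seq"]): r for r in map(parse_icmp, received)
               if r["type"] == 0 and r["csum_ok"]}
    ans, unans = [], []
    for probe in map(parse_icmp, sent):
        reply = replies.pop((probe["id"], probe["seq"]), None)
        if reply is None:
            unans.append(probe)
        else:
            ans.append((probe, reply))
    return ans, unans

# Constructed sample: four probes, as IP(dst="10.22.149.0/30")/ICMP() would
# expand to; seq 0 and 2 are answered, seq 3's reply has a broken checksum.
SENT = [icmp_echo(8, 0x1234, seq) for seq in range(4)]
BAD = icmp_echo(0, 0x1234, 3)
RECEIVED = [icmp_echo(0, 0x1234, 0), icmp_echo(0, 0x1234, 2),
            BAD[:2] + b"\x00\x00" + BAD[4:]]       # checksum field zeroed

if __name__ == "__main__":
    ans, unans = pair_answers(SENT, RECEIVED)
    print(len(ans), "answered,", len(unans), "unanswered")
    for snd, rcv in ans:            # same shape as Scapy's `for snd, rcv in ans`
        print("seq", snd["seq"], "-> echo reply, checksum ok:", rcv["csum_ok"])
```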
### Hands on - Common applications
- Ping
    - ICMP Ping
        - `srloop(IP(dst="10.22.22.111")/ICMP(), count=4)`
        - ![](https://i.imgur.com/7PEMCs8.png)
    - ARP Ping
        - `ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="10.22.149.0/24"), timeout=2)`
        - ![](https://i.imgur.com/tsgy2nj.png)
        - `ans.summary()`: view the hosts that answered the ARP request; a specific host can also be given
        - `arping("10.22.149.0/24")`
        - ![](https://i.imgur.com/JEXbXiJ.png)
### Hands on - Common applications
- Traceroute
    - ICMP
        - `ans, unans = sr(IP(dst="8.8.8.8", ttl=(1,10))/ICMP())` # one probe per TTL from 1 to 10
        - `for snd, rcv in ans: print(snd.ttl, rcv.src)` # TTL of the probe and the hop that answered it
        - ![](https://i.imgur.com/eb9TVV1.png)
    - `traceroute("8.8.8.8", maxttl=20)`
- ![](https://i.imgur.com/w9j3jBf.png)
### Hands on - Common applications
- Sniff
    - `sniff(filter="host 172.17.0.15", count=10)`
        - count: number of packets to capture
        - ![](https://i.imgur.com/VkjEcpT.png)
:::info
Once 10 packets have been collected, sniffing stops automatically.
:::
- AsyncSniffer
    - `s = AsyncSniffer()`
    - `s.start()`
        - the sniff starts right away, in the background
    - `print('hey')`
    - `s.stop()`
### Hands on - rdpcap() & wrpcap()
- wrpcap()
    - `wrpcap("captured.pcap", pkt1)`
- rdpcap()
    - `pcap = rdpcap("captured.pcap")`
    - `pcap`
    - ![](https://i.imgur.com/sAj4Vyu.png)
    - `pcap.nsummary()`
        - the difference from summary() is that each line carries an index number
    - `pcap[3]`
        - view the packet at index 3
    - `pcap[3].command()`
        - shows the Scapy command that would generate this packet
- rdpcap can read pcap files saved by Wireshark and tcpdump directly. This is very useful. For example, suppose that during an experiment you observe that a certain scenario in a SIP call makes your recorder crash. You can save the captured packets, and when you want to test later you no longer need to operate a phone to make a real call; just send the packets with Scapy.
[name=Solomon]
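As an added example, not the presentation's or Scapy's own code: a minimal pcap writer and reader in plain Python, showing the file layout that `wrpcap()`/`rdpcap()` share with Wireshark and tcpdump, which is why files from one tool can be replayed from another. `wrpcap_bytes`, `rdpcap_bytes` and the frames are constructed here and are not from the talk.

```python
"""Minimal pcap writer/reader in pure Python (added example, not Scapy's
wrpcap()/rdpcap()): a 24-byte file header, then per packet a 16-byte record
header followed by the raw frame bytes."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1     # each record starts with an Ethernet header

def wrpcap_bytes(frames, ts=1657267200, linktype=LINKTYPE_ETHERNET) -> bytes:
    """Serialise raw frames into a pcap image, one second apart from ts."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        sec, usec = divmod(int((ts + i) * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def rdpcap_bytes(data: bytes):
    """Parse a pcap image into (linktype, [(timestamp, frame), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from(
        "<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:          # file cut off in the middle of a record
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec + usec / 1e6, frame))
        off += caplen
    return linktype, records

# Constructed frames (not real captures): broadcast destination, a locally
# administered source MAC, EtherType 0x0806 (ARP) and 0x0800 (IPv4).
SRC = bytes.fromhex("020000000001")
FRAMES = [
    b"\xff" * 6 + SRC + b"\x08\x06" + b"constructed ARP request body",
    b"\xff" * 6 + SRC + b"\x08\x00" + b"constructed IPv4 packet body",
]

if __name__ == "__main__":
    with open("captured.pcap", "wb") as f:       # same file name the talk used
        f.write(wrpcap_bytes(FRAMES))
    with open("captured.pcap", "rb") as f:
        linktype, records = rdpcap_bytes(f.read())
    for i, (t, frame) in enumerate(records):     # numbered, like pcap.nsummary()
        print(i, "%.6f" % t, "ethertype", frame[12:14].hex(), len(frame), "bytes")
```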
### Hands on - Common applications
- DNS query
    - Application Layer
    - Transport Layer
    - Network Layer
    - `host = '163.22.22.65'`
    - `dnsq = IP(dst=host)/UDP(dport=53)/DNS(qd=DNSQR(qname="iperf.pearl.ncnu.org", qtype="A"))` # DNS listens on UDP port 53
    - `sr1(dnsq)`
![](https://i.imgur.com/XmM8WXO.png)
- `ls(DNSQR)`
    - lists the DNSQR fields; the Question Section consists of three fields:
        - qname
        - qtype
        - qclass
- `conf.color_theme = ColorOnBlackTheme()`
    - changes the colour theme of the interactive shell
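An added example (not Scapy's implementation) of the bytes the `DNS(qd=DNSQR(...))` layer above encodes and how a reply to it is decoded, in plain Python; the question carries exactly the three fields `ls(DNSQR)` lists. `build_query`, `parse_response`, the reply bytes and the 192.0.2.10 answer are constructed here and are not from the talk.

```python
"""Pure-Python version of the bytes DNS(qd=DNSQR(qname=..., qtype="A")) puts
on the wire, plus a reply decoder (added example, not Scapy's own code)."""
import struct

QTYPE_A, QCLASS_IN = 1, 1   # the qtype/qclass values DNSQR uses for "A" / "IN"

def encode_qname(name: str) -> bytes:
    # 'ncnu.org' -> b'\x04ncnu\x03org\x00': length-prefixed labels, zero end
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(qname: str, qtype=QTYPE_A, txid=0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_qname(qname) + struct.pack("!HH", qtype, QCLASS_IN)

def decode_name(msg: bytes, off: int):
    labels = []
    while True:                                  # follows RFC 1035 compression
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # 11xxxxxx: pointer to another name
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_response(msg: bytes, query: bytes) -> dict:
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != struct.unpack_from("!H", query, 0)[0]:
        raise ValueError("transaction id mismatch: not a reply to our query")
    qname, off = decode_name(msg, 12)            # question: qname, qtype, qclass
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(map(str, msg[off:off + 4]))))
        off += rdlen
    return {"rcode": flags & 0xF, "qd": (qname, qtype, qclass), "an": answers}

# Constructed reply (not a real server's): flags QR/RD/RA, echoes the question,
# then one A record whose owner name is a pointer (0xC00C) back to offset 12.
QUERY = build_query("iperf.pearl.ncnu.org")
REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
         + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```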
### Suggestions & Questions
1. Is this 10.22.22.36 the Docker host that Phoebe set up for everyone earlier? [name=solomon]
   Ans: No. That one has a public IP address (163.22.21.125). It was hacked, so Branko enabled the firewall on it. [name=Phoebe]
2. Solomon: Duty Officer, please be reminded that such a security event must be reported to your advisor.
3. P.10: it was first described as two-dimensional, but at the bottom it became three-dimensional. What does that mean? [name=Jennifer]
   Ans: If you receive the result with `ans, unans`, ans is two-dimensional. If you receive it with a single variable `resp`, then resp is three-dimensional. [name=Phoebe]
4. P.7: the command in the black box just now still went through when changed to UDP()/TCP(). Why is that? [name=branko]
   Ans: Wrapping TCP inside UDP, what is wrong with that? You can even wrap an IP packet inside IP once more; that is the so-called IP-in-IP tunnel. [name=Solomon]
5. How do we know which packets came back? [name=Jerry]
   Ans: From summary(), or by looking at the counts returned at the bottom. [name=Phoebe]
6. The ARP packets just now were sent out one by one; can all of them be sent at once? [name=Jerry]
   Ans: It is not yet known whether Scapy offers this feature. [name=Phoebe] Broadcasts are sent with a longer gap between them; with `IP(dst="ms15.ipv6.club.tw", ttl=(1,20))` they go out all at once.
7. P.9: while demoing this page, the new version's QueryAnswer was mentioned. How does it differ from SndRcvList? [name=angela]
   Ans: Actually, QueryAnswer is derived from Tuple. https://scapy.readthedocs.io/en/latest/api/scapy.plist.html?highlight=queryanswer#scapy.plist.SndRcvList [name=phoebe]
8. Could screenshots be added next to some of the important commands, or put into the PPT beforehand, so that everyone can see what the result looks like in advance? That would make it easier to picture. [name=Toby]
9. If we set a MAC address for the container, would the packets be able to go out? [name=Lawrence]
   Ans: This is not a matter of whether a MAC address is assigned. If the VM and container make it seem complicated, let's think about it with a physical machine: check whether you were given enough privileges in the first place; if you were, the packets can go out. [name=solomon]
10. P.14: what is the difference between sniff and AsyncSniff? [name=August]
    Ans: The difference is that AsyncSniff can run in the background while you go and do other things, whereas sniff can only wait for the response. [name=Phoebe] After the presenter finished, August tried to summarize the content in his own words because there was so much of it; that is a very good habit.
11. P.14: the filter in the example was not specified, so everything should have been captured. Why was no ICMP captured? [name=Ashley]
    Ans: There may have been other protocols mixed in, which may not be recognized and so get thrown into Other. [name=Phoebe] But Other is 10 times UDP and TCP combined, so it is worth looking at what is in there.
## Follow-up Items
1. [name=]
## Other Business
- There will be a power outage tomorrow and the day after. The meeting is a good time to remind everyone to back up their data and shut down their machines.
---
Meeting adjourned: 17:11