Presentation is loading. Please wait.

Presentation is loading. Please wait.

PyCon India 2009 Presentation Python tools for Network Security Anand B Pillai

Published byRachel Osborne Modified over 8 years ago

Similar presentations

Presentation on theme: "PyCon India 2009 Presentation Python tools for Network Security Anand B Pillai"— Presentation transcript:

1 PyCon India 2009 Presentation Python tools for Network Security Anand B Pillai (abpillai@gmail.com)

2 Agenda Brief overview Python tools Pypcap, Dpkt, Scapy Quick introduction to pypcap, dpkt Using Scapy to write your own tools Examples Links Questions

3 Requirements Basic knowledge of Python and using the interpreter Basic knowledge of network protocols – TCP/UDP/ICMP etc Background in Network security is useful

4 Network Security Involves writing software to anticipate, prevent and stop attacks using the network Network security practitioner requires a toolset which allows him to, Capture Packets from the wire Inspect Packets obtained Craft Packets for testing In short, the network security toolset should allow the developer to capture, inspect and create/craft network packets

5 Packet Capture Favorite tool of every network security hacker – Wireshark (previously Ethereal) Uses the libpcap library behind the scenes to capture packets off the network Libpcap → Is the most basic library and most widely used for packet capturing. Almost every network security tool which requires packet capturing is based on libpcap

6 Python + libpcap In the Python world, there are a few extensions to libpcap namely → pypcap, pcapy and python-libcap. Pcapy – By Darknet.org, works best with their Impacket, InlineEgg tools, latest stable rel 0.10.5 Pylibcap - Python module for the libpcap packet capture library, based on the original python libpcap module by Aaron Rhodes, hosted on SF, latest stable rel 0.6.2 Pypcap - Simplified object-oriented Python extension module for libpcap, by dugsong, hosted on Google code, latest stable rel 1.1 I will be focusing on Pypcap for this session

7 Pypcap Grab from http://code.google.com/p/pypcap/http://code.google.com/p/pypcap/ Installs using distutils as any other Python library Requires libpcap library and header files Ubuntu package available Once installed, accessed using import of ”pcap” module >>> import pcap >>>

8 Pypcap in action >>> import pcap >>> pc = pcap.pcap('wlan0') >>> for ts, pkt in pc:... print ts, repr(pkt) 1253881836.82 ^C1253881850.28 Traceback (most recent call last): File " ", line 1, in File "pcap.pyx", line 425, in pcap.pcap.__next__ TypeError: raise: exception class must be a subclass of BaseException >>> pc.stats() (135L, 12L, 0L)

9 Pypcap Create an object of type ”pcap”. If no arguments are passed listens on the first available up interface. >>> import pcap >>> pc = pcap.pcap() To listen to a specific interface pass it explicitly >>> pc = pcap.pcap('wlan0') By default listens promiscously. To listen non- promiscously, >>> pc = pcap.pcap(promisc=False) To use a dumpfile, >>> pc = pcap.pcap(dumpfile='pkts.pcap')

10 Pypcap - Usage Pcap objects are their own iterators, returning the packet timestamp and the packet as a 2-tuple Code is written as follows, iterating on the pcap object >>> pc = pcap.pcap() >>> for ts, pkt in pc:.. # Process pkt Optionally the dispatch method can be used to pass the packet to a call-back function. The callback function accepts the time-stamp, pkt and any other arguments. The loop method works similarly, but in an infinite loop.

11 Examples Import pcap pc = pcap.pcap('wlan0') pc.setfilter('icmp') def process(ts, pkt, *args): """ Process packets """ print ts, pkt if __name__ == "__main__": try: pc.loop(process) except Exception: pc.stats()

12 Dpkt – Packet creation/parsing Dpkt is a library which provides packet creation/parsing capabilities with an object oriented interface Project hosted at http://code.google.com/p/dpkt/http://code.google.com/p/dpkt/ Stable version is 1.6 Pure Python library, installtion using distutils No external depedency Supports a number of protocols with an API that allows easy creation of custom protocol classes. Has a Pcap writer class which allows to save pycap packets to pcap files. These files are compatible with tcpdump/wireshark. Pcap is useful with dpkt than simply by itself

13 Using dpkt with pypcap A simple example which prints details of IP traffic in the network. import pcap, dpkt, socket pc = pcap.pcap('wlan0') count =0 def process(ts, pkt, *args): eth = dpkt.ethernet.Ethernet(pkt) ip = eth.data if ip.__class__==dpkt.ip.IP: global count count += 1

14 Using dpkt with pypcap... src_ip = socket.inet_ntoa(ip.src) dst_ip = socket.inet_ntoa(ip.dst) print 'Packet #%d, %s=>%s, length %d, proto: %d' % (count, src_ip, dst_ip, ip.len, ip.p) if __name__ == "__main__": try: pc.loop(process) except KeyboardInterrupt: print pc.stats()

15 Sample Output anand@anand-laptop:~/programs/python$ sudo python2.5 pcap2.py Packet #1, 192.168.1.2=>66.102.7.99, length 84, proto: 1 Packet #2, 66.102.7.99=>192.168.1.2, length 84, proto: 1 Packet #3, 192.168.1.2=>192.168.1.1, length 70, proto: 17 Packet #4, 192.168.1.1=>192.168.1.2, length 246, proto: 17 Packet #5, 192.168.1.2=>66.102.7.99, length 84, proto: 1 Packet #6, 74.125.67.17=>192.168.1.2, length 80, proto: 6 Packet #7, 192.168.1.2=>74.125.67.17, length 52, proto: 6 Packet #8, 66.102.7.99=>192.168.1.2, length 84, proto: 1 Packet #9, 192.168.1.2=>192.168.1.1, length 70, proto: 17 Packet #10, 192.168.1.1=>192.168.1.2, length 246, proto: 17 ^Packet #11, 192.168.1.2=>66.102.7.99, length 84, proto: 1

16 Http Protocol Sniffer An HTTP protocol sniffer tool which saves http packets to a pcap file. import pcap, dpkt, socket pc = pcap.pcap('wlan0') count =0 ports = (80,8080,888) # Pcap writer pcw = dpkt.pcap.Writer(open('pkts.pcap','wb')) # Snooping on HTTP traffic def process(ts, pkt, *args): eth = dpkt.ethernet.Ethernet(pkt) ip = eth.data

17 HTTP Protocol Sniffer (Contd.) if ip.__class__==dpkt.ip.IP: ip1, ip2 = map(socket.inet_ntoa,[ip.src, ip.dst]) if ip.p != 6: return l7 = ip.data sport, dport = [l7.sport, l7.dport] if sport in ports or dport in ports: print 'From %s to %s, length: %d' % (ip1, ip2, len(l7.data)) # Save packet to file... pcw.writepkt(pkt) if __name__ == "__main__": try: pc.loop(process) except KeyboardInterrupt: print pc.stats() pcw.close()

18 Scapy A powerful interactive, general purpose, packet manipulation program written purely in Python, available as a single file. Craft packets of a variety of protocols, send them on the wire, recieve replies, match requests and replies... Handles most basic tasks like scanning, traceroute, ping, probe etc. Scapy can be used to write new tools without the need of any special libraries Instead of writing 100 lines of code in C for a special tool, write 2 lines in Scapy!

19 An interactive session with Scapy Send an echo request and dissect the first return packet. >>> from scapy import * >>> ip=IP(dst='www.google.com') >>> icmp=ICMP() >>> sr1(ip/icmp) Begin emission:.Finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets >\

20 A host scanner Enumerate hosts on a network that have port number 80 listening >>> p=IP(dst='210.212.26.27'/24)/TCP(dport=80, flags='S') >>> sr(p) Begin emission:..*....Finished to send 256 packets. ******.*.***..**********.*************.**..*********.........**...*********.***.********.***.****.*******..**.... (This goes on for a while) Received 4963 packets, got 83 answers, remaining 173 packets (, )

21 Host scanner (contd.) >>> results = _[0] >>> for pout, pin in results:... if pin.flags == 2: print pout.dst... 210.212.26.5 210.212.26.15 210.212.26.19 210.212.26.20 210.212.26.22 210.212.26.23 210.212.26.24 210.212.26.25 210.212.26.26 210.212.26.27

22 A slow port-scanner from scapy import * def scan(ip,start=80,end=443): open_ports = [] ip=IP(dst=ip)/TCP(dport=range(start,end+1), flags='S') results=sr(ip,verbose=0,timeout=30) for res in results[0]: if res[1]==None: continue if res[1].payload.flags==18: print 'Port %d is open' % res[0].dport open_ports.append(res[0].dport) return open_ports if __name__ == "__main__": print scan('random.org')

23 A slow port-scanner (contd). Sample Run anand@anand-laptop:~/programs/python$ sudo python portscan.py Port 80 is open Port 113 is open Port 443 is open [80, 113, 443] Scapy has a powerful tool named ”report_ports” which automates the entire process and outputs a Latex table containing the list of open ports. >>> report_ports('random.org',range(80,1024)) Begin emission:.***************

24 DNS Query >>> sr1(IP(dst="192.168.1.1")/UDP()/DNS(rd=1,qd=DNSQR(qname="www.python.org"))) Begin emission:.Finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets an= ns= > ar= > |>>>

25 Traceroute >>>ans,unans=sr(IP(dst='www.google.com',ttl=(4,25),id=123)/TCP(flags=0x2)www.google.com Finished to send 22 packets. ********************.. >>> for snd,rcv in ans:... print snd.ttl, rcv.src, isinstance(rcv.payload, TCP) 8 218.248.255.66 False 9 218.248.250.82 False 10 195.2.7.37 False 11 198.32.146.46 False 12 216.239.43.12 False 13 72.14.238.130 False 14 209.85.243.122 False 15 209.85.251.94 False 16 74.125.19.105 True

26 Packet Sniffing Scapy can replace wireshark or tcpdump! >>> sniff(iface="wlan0",prn=lambda x:x.summary()) Ether / IP / TCP 217.25.178.5:www > 192.168.1.2:57655 A / Raw Ether / IP / TCP 192.168.1.2:57655 > 217.25.178.5:www A Ether / IP / TCP 217.25.178.5:www > 192.168.1.2:57655 A / Raw Ether / IP / TCP 192.168.1.2:57655 > 217.25.178.5:www A Ether / IP / TCP 217.25.178.5:www > 192.168.1.2:57655 A / Raw Ether / IP / TCP 192.168.1.2:57655 > 217.25.178.5:www A Ether / IP / TCP 217.25.178.5:www > 192.168.1.2:57655 A / Raw Ether / IP / TCP 192.168.1.2:57655 > 217.25.178.5:www A Ether / IP / UDP / DNS Qry "www.google.com." Ether / IP / UDP / DNS Ans "www.l.google.com."

27 Passive OS fingerprinting >>> p <Ether dst=00:10:4b:b3:7d:4e src=00:40:33:96:7b:60 type=0x800 |<IP version=4L ihl=5L tos=0x0 len=60 id=61681 flags=DF frag=0L ttl=64 proto=TCP chksum=0xb85e src=192.168.8.10 dst=192.168.8.1 options='' |<TCP sport=46511 dport=80 seq=2023566040L ack=0L dataofs=10L reserved=0L flags=SEC window=5840 chksum=0x570c urgptr=0 options=[('Timestamp', (342940201L, 0L)), ('MSS', 1460), ('NOP', ()), ('SAckOK', ''), ('WScale', 0)] |>>> >>> p0f(p) (1.0, ['Linux 2.4.2 - 2.4.14 (1)'])

28 Further Capabilities of Scapy are endless, limited only by your imagination and Python skills...! For exploring further, try these links, http://www.secdev.org/projects/scapy/build_your_own_tools. html http://www.secdev.org/projects/scapy/demo.html http://hackaholic.org/papers/blackmagic.txt

29 Real life Examples Python port scan detection tool using pypcap and dpkt written by the author – available as an ASPN Python Cookbok recipe at http://code.activestate.com/recipes/576690/ http://code.activestate.com/recipes/576690/ Good example of using pypcap and dpkt together to write a network security tool Packet monitoring with dpkt and pypcap - http://code.activestate.com/recipes/576678/ http://code.activestate.com/recipes/576678/

30 Links Pypcap - http://code.google.com/p/pypcap/http://code.google.com/p/pypcap/ Dpkt - http://code.google.com/p/dpkt/http://code.google.com/p/dpkt/ Scapy - http://www.secdev.org/projects/scapy/http://www.secdev.org/projects/scapy/ Python-libcap - http://sourceforge.net/projects/pylibpcap/ http://sourceforge.net/projects/pylibpcap/ Pcapy - http://oss.coresecurity.com/projects/pcapy.htm

Download ppt "PyCon India 2009 Presentation Python tools for Network Security Anand B Pillai"

Similar presentations

Network Performance Measurement

Network Performance Measurement
Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison, Matthew L. Meola, Michael J. Freedman, Jennifer Rexford, David Walker.

Frenetic: A High-Level Language for OpenFlow Networks Nate Foster, Rob Harrison, Matthew L. Meola, Michael J. Freedman, Jennifer Rexford, David Walker.
Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions April 14, 2015 DRAFT1.

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions April 14, 2015 DRAFT1.
NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
Tcpdump Traceroute Ping. A packet tracing tool  Works on various host platforms  Captures packets going through a certain network interface  Shows.

Tcpdump Traceroute Ping. A packet tracing tool  Works on various host platforms  Captures packets going through a certain network interface  Shows.
Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.

Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.
CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2013.

CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2013.
POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) Programming with Libpcap.

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) Programming with Libpcap.
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Linux Networking Commands

Linux Networking Commands
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.
Wireshark Presented By: Hiral Chhaya, Anvita Priyam.

Wireshark Presented By: Hiral Chhaya, Anvita Priyam.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
CSCD433 Advanced Networks Fall 2011 Raw vs. Cooked Sockets.

CSCD433 Advanced Networks Fall 2011 Raw vs. Cooked Sockets.
Programming Network Servers Topic 6, Chapters 21, 22 Network Programming Kansas State University at Salina.

Programming Network Servers Topic 6, Chapters 21, 22 Network Programming Kansas State University at Salina.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Washington WASHINGTON UNIVERSITY IN ST LOUIS January 7,8 2002 MSR Tutorial John DeHart Washington University, Applied Research Lab

Washington WASHINGTON UNIVERSITY IN ST LOUIS January 7, MSR Tutorial John DeHart Washington University, Applied Research Lab
Step-by-Step Intrusion Detection using TCPdump SHADOW.

Step-by-Step Intrusion Detection using TCPdump SHADOW.

Similar presentations

Ads by Google