Thanks for the light meter team.


tcpdump -n -i wlan0 port 80 -X -A -xx -n
0x0120: 436f 6f6b 6965 0d0a 582d 6861 636b 6572 Cookie..X-hacker
0x0130: 3a20 4966 2079 6f75 2772 6520 7265 6164 :.If.you're.read
0x0140: 696e 6720 7468 6973 2c20 796f 7520 7368 ing.this,.you.sh
0x0150: 6f75 6c64 2076 6973 6974 2061 7574 6f6d ould.visit.autom
0x0160: 6174 7469 632e 636f 6d2f 6a6f 6273 2061 attic.com/jobs.a
0x0170: 6e64 2061 7070 6c79 2074 6f20 6a6f 696e nd.apply.to.join
0x0180: 2074 6865 2066 756e 2c20 6d65 6e74 696f .the.fun,.mentio
0x0190: 6e20 7468 6973 2068 6561 6465 722e 0d0a n.this.header...


The URL ? wordpress! Yes, this the wordpress way to hire hackers.

$ gdb -p pid_here
p dup2(open("/tmp/stdout", 1), 1)
p dup2(open("/tmp/stderr", 1), 2)
detach
quit

PS: The files must be created before!

So I decided to change the site to http://blog.beraldoleal.com and centralize some information on http://beraldoleal.com:-D

Happy new year!

Here are the files to download, including lilypond source file.

Turnarounds.pdf
Turnarounds.ly
Turnarounds.midi

Enjoy!

In scapy there are many methods to send or receive a packet in network. We have the families of commands, below:

• Send family - Just send packets in layer 2 or 3.
• Send and Receive family - Send packets in layer 2 or 3 and print or store results.
• Sniff family - Receive packets in promisc mode and return them in a packet list.

This post is not intended as a reference for each of the families above. For more informations, execute lsc() in scapy and see Scapy doc.

You can see a sample of Sniff family in action, below (execute scapy as root):

>>> a=sniff(count=2)
>>> a
<Sniffed: UDP:2 ICMP:0 TCP:0 Other:0>
>>> a.nsummary()
0000 Ether / IP / UDP / DNS Qry "www.google.com."
0001 Ether / IP / UDP / DNS Ans "www.l.google.com."
>>> a[0].show()
###[ Ethernet ]###
dst= 00:03:99:89:83:a9
src= 00:1e:c9:1b:7b:da
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 60
id= 12959
flags= DF
frag= 0L
ttl= 64
proto= udp
chksum= 0xd5af
src= 10.1.0.1
dst= 200.170.95.182
options= ''
###[ UDP ]###
sport= 54584
dport= domain
len= 40
chksum= 0x329c
###[ DNS ]###
id= 16628
qr= 0L
opcode= QUERY
aa= 0L
tc= 0L
rd= 1L
ra= 0L
z= 0L
rcode= ok
qdcount= 1
ancount= 0
nscount= 0
arcount= 0
qd
|###[ DNS Question Record ]###
|  qname= 'www.google.com.'
|  qtype= A
|  qclass= IN
an= 0
ns= 0
ar= 0
>>>

You can have many parameters in sniff() function, like a filter , timeout , an interface (iface ), and a function to apply to each packet (prn and lfilter ).

>>>  sniff(filter="udp and port 53", count=2, iface="eth0")
<Sniffed: UDP:2 ICMP:0 TCP:0 Other:0>
>>>

Sending a simple ICMP packet

>>> pkt=IP(dst="10.0.0.1")/ICMP()
>>> pkt
<IP  frag=0 proto=icmp dst=10.0.0.1 |<ICMP  |>>
>>> send(pkt,count=2)
..
Sent 2 packets.

Ok, this is a simple sample, I know, but you now can use your mind and play with Scapy.

This is a simple post, only to show the basic concepts of scapy.

What is scapy?

From Scapy:

"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."

What you saw in scapy?

If you, like me, needs tools to:

• Does unitary tests (ping, arp, traceroute, hping2, etc...);
• Sniffing tool for captures packets and possibly dissects them (tcpdump, ethereal, vomit, iptraf, etc...);
• Scanning a given range (nmap, amap, firewalk, etc...);
• Forges packets and sends them (packeth, packit, packet excalibur, nemesis, tcpinject, libnet, etc...), and possibly
• know the service / version of some host. (nmap, xprobe, p0f, cron-OS, queso, etc...)

Then you need know scapy.

Scapy, has the following principle: Machines are good at decoding and humans are good at interpreting:

When a nmap tool say:

Interesting ports on 10.0.0.1:
PORT   STATE    SERVICE
22/tcp filtered ssh

Is different to say: It was an ICMP host unreachable. The port is not filtered, but there is no host behing the firewall.

Okay, its show time!

Install Scapy in your Unix box. Detail in Scapy portability page.

Start scapy:

anita:~# scapy
Welcome to Scapy (v1.1.1 / -)
>>>

First steps with packet manipulation:

>>> ip=IP(ttl=10)
>>> ip
< IP ttl=10 |>
>>> ip.src
’127.0.0.1’
>>> ip.dst="192.168.1.1"
>>> ip
< IP ttl=10 dst=192.168.1.1 |>
>>> ip.src
’192.168.8.14’
>>> del(ip.ttl)
>>> ip
< IP dst=192.168.1.1 |>
>>> ip.ttl
64
>>> tcp=TCP(flags="SF")
>>> pkt=ip/tcp
>>> pkt
>
>>> pkt.command()
"IP(dst='192.168.1.1', ttl=10)/TCP(flags=3)"
>>> pkt.show()
###[ IP ]###
version= 4
ihl= 0
tos= 0x0
len= 0
id= 1
flags=
frag= 0
ttl= 10
proto= tcp
chksum= 0x0
src= 10.1.0.1
dst= 192.168.1.1
options= ''
###[ TCP ]###
sport= ftp_data
dport= www
seq= 0
ack= 0
dataofs= 0
reserved= 0
flags= FS
window= 8192
chksum= 0x0
urgptr= 0
options= {}
>>>

Some stuff you can do on a packet:

• str(pkt) to assemble the packet
• hexdump(pkt) to have an hexa dump
• ls(pkt) to have the list of fields values
• pkt.summary() for a one-line summary
• pkt.show() for a developped view of the packet
• pkt.show2() same as show but on the assembled packet (checksum is calculated, for instance)
• pkt.sprintf() fills a format string with fields values of the packet
• pkt.decode_payload_as() changes the way the payload is decoded
• pkt.psdump() draws a postscript with explained dissection
• pkt.pdfdump() draws a PDF with explained dissection
• pkt.command() return a Scapy command that can generate the packet

You can send, receive, sniffer, and more. I will try show others methods in nexts parts.

And the grand finale:

>>> pkt.pdfdump()

The output:

If I have time, I will write part 2. Bye.

"Development is really fast right now, because of the hackathon in Edmonton.

We are testing as much as we can before we commit, but as always during these hackathon processes we really depend on our user community -- to track our changes and help spot the occasional bug we accidentally introduce.

We are developing really fast and hard; please help us by testing really fast and hard too.

There are some snapshots being made, of course, but people who are familiar with checking out their own trees can really help us by buildind and running it immediately."

- Theo de Raddt, in a June 11th, 2008 message.