work on hw4
This commit is contained in:
David Westgate
parent
d7c965d087
commit
7358b3f1ee
38
hw4/app.py
Normal file
38
hw4/app.py
Normal file
@ -0,0 +1,38 @@
|
||||
from scapy.all import * #pull in all of scapy -- you could do it other ways, but this makes it isomorphic to using scapy command line
|
||||
import socket
|
||||
import sys
|
||||
import time
|
||||
|
||||
def main():
|
||||
if len(sys.argv) > 1: #if we have a command line argument
|
||||
try:
|
||||
packets: PacketList = rdpcap(sys.argv[1])
|
||||
#rdpcap is how we read a previously captured pcap file
|
||||
except:
|
||||
print("File read failure: %s not found" % sys.argv[1])
|
||||
sys.exit(1)
|
||||
else:
|
||||
print("Need a pcap file to read!")
|
||||
sys.exit(1)
|
||||
#bpf = 'tcp and src host 192.168.86.228 and src port 80 and dst host 192.168.86.167'
|
||||
#filtered = packets.filter(bpf)
|
||||
#print(packets) #this gives us a nice summary of what we have in the pcap file
|
||||
|
||||
for p in packets[:5]: #let's only look at the first 100
|
||||
packet : Packet = p
|
||||
#we can filter based on what scapy calls "layers"
|
||||
#each layer is a portion of a packet
|
||||
#so a DNS packet would have an IP layer, a UDP layer, and a DNS layer
|
||||
#ICMP would be IP, TCP, ICMP layers
|
||||
#and because we're on an ethernet network, all of the above also has an ether layer
|
||||
#let's not print DNS packets
|
||||
#if not packet.haslayer(DNS):
|
||||
# print(packet.summary)
|
||||
lsc()
|
||||
#packet.show() #print the contents of the packet
|
||||
#print(packet.summary()) #we also can print out a summary of the packet, similar to tcpdump default output
|
||||
time.sleep(0.2) #small pause between packets
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
14
hw4/hw4.md
14
hw4/hw4.md
@ -14,9 +14,21 @@ First lets open this capture up in wireshark and do a high level overview
|
||||
Knowing we are ultimetly looking to re-construct a firmware download, we can discern some important info from wireshark
|
||||
|
||||
* There are 241,531 packets in this capture, but only some are the traffic directly related to this download
|
||||
* Client of the download is 192.168.86.167 and server origin is 192.168.86.228
|
||||
* Client of the download is 192.168.86.167 and server origin is 192.168.86.228:5000
|
||||
* The download is split over multiple HTTP requests by the shown convention, which themselves are split over multiple TCP requests
|
||||
|
||||
A starting point of a BPF might look like `tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167`
|
||||
|
||||
As a wireshark filter, this would be `tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167`
|
||||
|
||||
Before moving on to scapy, we can filter down our `firmware.pcap` to a new capture called `filtered.pcap` with the following command
|
||||
|
||||
```
|
||||
tcpdump -r firmware.pcap -w filtered.pcap 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
|
||||
|
||||
```
|
||||
|
||||
|
||||
###
|
||||
|
||||
## Questions
|
||||
|
||||
Reference in New Issue
Block a user