scapy

Network_and_802.11/scapy/traceroute_simple.py

@@ -0,0 +1,16 @@
+from scapy.all import *
+hostname = "google.com"
+for i in range(1, 28):
+ pkt = IP(dst=hostname, ttl=i) / UDP(dport=33434)
+ # Send the packet and get a reply
+ reply = sr1(pkt, verbose=0)
+ if reply is None:
+ # No reply =(
+ break
+ elif reply.type == 3:
+ # We've reached our destination
+ print "Done!", reply.src
+ break
+ else:
+ # We're in the middle somewhere
+ print "%d hops away: " % i , reply.src

Network_and_802.11/wireshark_guide.md

@@ -1,7 +1,6 @@
 # [WIRESHARK GUIDE (by bt3)](https://bt3gl.github.io/wiresharking-for-fun-or-profit.html)
 
 
-
 [Wireshark](https://www.wireshark.org/) is an open source **network packet analyzer** that allows live traffic analysis, with support to several protocols.
 
 Wireshark also allows **network forensic**, being very useful for CTFs for example (check my writeups for the [D-CTF Quals 2014](https://bt3gl.github.io/exploring-d-ctf-quals-2014s-exploits.html) and for the CSAW Quals 2014 in [Networking](https://bt3gl.github.io/csaw-ctf-2014-networking-100-big-data.html) and [Forensics](https://bt3gl.github.io/csaw-ctf-2014-forensics-200-why-not-sftp.html)).
@@ -12,7 +11,7 @@ In this blog post I introduce Wireshark and I talk about my favorite features in
 ------------------------------------------------------
 # The Network Architecture
 
-Before we are able to understand and analyse network traffic packets, we must have an insight of how the network stack works.
+Before we are able to understand and analyze network traffic packets, we must have an insight of how the network stack works.
 
 
 ## The OSI Model
@@ -85,7 +84,7 @@ For instance, in Wireshark we can track the sequence number where a higher layer
 
 ## Switches and Routers
 There are four primary ways to capture traffic from a target device on a
-**switched** network: using a **hub**, using a **tap**, by port mirroring, or by ARP cache poisoning. The first two obviously require a hub or a tap. Port mirroring requires forwarding capability from the switch. A great way to decide which method to use was borrowed by the reference [1]:
+**switched** network: using a **hub**, using a **tap**, by port mirroring, or by ARP spoofing/cache poisoning. The first two obviously require a hub or a tap. Port mirroring requires forwarding capability from the switch. A great way to decide which method to use was borrowed by the reference [1]:
 
 ![](https://i.imgur.com/aRUfmsp.png)
 
@@ -180,7 +179,7 @@ PING www.google.com (74.125.228.210) 56(84) bytes of data.
 ```
 
 
-and **traceroute**:
+and **traceroute** (Windows sends ICMP packets, Linux sends UDP):
 
 ```
 $ traceroute www.google.com
@@ -199,10 +198,11 @@ traceroute to www.google.com (173.194.46.84), 30 hops max, 60 byte packets
 12 ord08s11-in-f20.1e100.net (173.194.46.84) 43.184 ms 39.770 ms 45.095 ms
 ```
 
-The way traceroute works is by sending echo request that have a particular feature in the IP header: **the TTL is 1**. This means that the packet will be dropped at the first router. The the second packet is a reply from the first router along the path to the destination, and so on.
+The way traceroute works is by sending an echo request that has a particular feature in the IP header: **the TTL is 1**. This means that the packet will be dropped at the first hop. The second packet goes through the first hop and then is dropped in the second hop (TTL is 2), and so on.
 
-To make this work, the router replies an ICMP response with a *double-headed packet*, containing a copy of the IP header and the ICMP data that was sent in the original echo request.
+To make this work, the router replies response with a *double-headed packet*, containing a copy of the IP header and the data that was sent in the original echo request.
 
+PS: Check out this post from Julia Evans on how to create a simple [*Traceroute in 15 lines of code using Python's Scapy*](https://jvns.ca/blog/2013/10/31/day-20-scapy-and-traceroute/).
 
 
 ### The Transmission Control Protocol (Layer 4)
@@ -667,7 +667,7 @@ For instance, the following header values can help one to distinguish between se
  - 128 for Windows
  - 255 for Cisco IOS
 * **IP, Don't Fragment Flag**:
- - Set for Linux, Mac OS, Windoes
+ - Set for Linux, Mac OS, Windows
  - Not set for Cisco IOS
 * **TCP, Max Segment Size**:
  - 1440 for Windows
@@ -714,6 +714,10 @@ You can also look at different GET requests with:
 tcp contains "GET"
 ```
 
+### Checking for DNS Leaks with VMs
+
+In a virtual machine look at **statistics --> Endponts**. There should be only one public IP address: the VPN server that the virtual machine is connected to.
+
 ---
 ## ARP Cache Poisoning
 
@@ -727,7 +731,13 @@ When a MAC address is not in the cache list, ARP broadcasts a packet asking whic
 
 An attacker can spoof this process by sending ARP messages to an Ethernet switch or router with fake MAC addresses in order to intercept the traffic of another computer.
 
-ARP cache poising can be crafted using [Cain & Abel](https://www.oxid.it/cain.html).
+In Linux, ARP spoofing can be done with [arpspoof or Ettercap](https://www.irongeek.com/i.php?page=security/arpspoof). For instance, if your wlan0 is at 192.168.0.10 and the router is at 192.168.0.1, you can run:
+
+```
+$ arpspoof -i wlan0 -t 192.168.0.10 192.168.0.1
+```
+
+If you are in Windows, ARP cache poising can be crafted using [Cain & Abel](https://www.oxid.it/cain.html).
 
 
 ### Denial-of-Service
@@ -779,3 +789,15 @@ $ iwconfig eth` channel 4
 ```
 
 
+
+
+
+-------
+## Further References:
+
+- [Wireshark wiki](https://wiki.wireshark.org/)
+- [Practical Packet Analysis, ](https://wiki.wireshark.org/)
+- [Wireshark plugin for writing dissectors in Python](https://github.com/ashdnazg/pyreshark)
+- [Using Wireshark ti check for DNS Leaks](https://lilithlela.cyberguerrilla.org/?p=76081)
+- [Publicly available PCAP files](https://www.netresec.com/?page=PcapFiles)
+- [Malware PCAP files](https://contagiodump.blogspot.se/2013/08/deepend-research-list-of-malware-pcaps.html)