Hugo Trovao - Scapy Dojo V 1 (DEF CON 27 Workshops, media.defcon.org)
TRANSCRIPT
Scapy_Dojo_V_1
Hugo Trovao
&
Rushikesh D. Nandedkar
Introduction
What is Scapy?
A tool? A library?
• Maybe a set of functions helping in generating traffic for specific protocols
Anatomy of scapy for our purpose
Scapy is a flexible tool to manipulate packets.
Packets are made of layers.
Layers are made of fields.
Scapy helps us craft packets with the layers of our desire and the fields of our choice.
Layers and Fields
• What is a layer? A unit of a packet.
  • Ex: Ether()/IP()/TCP()/Raw(payload)
• What is a field? Layers are composed of logical parts (fields).
  • Ex: IP(src="10.0.0.1")
• "Automatic" fields: some layers have fields (lengths, checksums) that are computed in context at build time when left at None. Setting such a field explicitly overrides the computation.
  • Ex: TCP(chksum=0x0bad) # this generates a packet with an invalid checksum
Scapy basics
Packet building in scapy
• Packets are constructed by stacking parameterized layers with "/".
  • Ex: IP(dst="10.0.0.1")/TCP(dport=8080)
• Layer fields can be accessed and changed to update an existing packet.
  • Ex: pkt[IP].dst = "10.0.0.2"
Displaying packets
• There are 2 modes of displaying packets:
  - before "automatic" fields computation (pkt.show()): computed fields still show as None
  - after "automatic" fields computation (pkt.show2()) [this is what goes on the wire!]
• hexdump(pkt) will print the packet in hex.
• pkt.summary() will show a short summary of the packet.
• ls(IP, verbose=True) # list protocol fields.
• bytes(pkt) returns the packet in its wire-bytes representation.
Sending packets
• Scapy allows sending packets and frames.
• For the data link layer, the function to send a frame is "sendp" (you supply the Ether() layer yourself).
  • sendp(layer2_pkt)
• For the network layer, the function to send a packet is "send" (Scapy picks the route and builds the link layer).
  • send(layer3_pkt)
Receiving packets
• Packets/frames can be sniffed from wire/air.
  • sniff(count=0, store=True, offline=None, prn=None, lfilter=None, L2socket=None, timeout=None, opened_socket=None, stop_filter=None, iface=None, started_callback=None, *arg, **karg)
…
• Packets can be received as the response to a sent packet:
• srp(pkt) will send pkt at layer 2 and return the answered packets
• srp1(pkt) will send pkt at layer 2 and return a single response packet
• sr(pkt) will send pkt at layer 3 and return the answered packets
• sr1(pkt) will send pkt at layer 3 and return a single response packet
• sr/srp return (ans, unans): ans is a list of (sent, received) pairs, unans the list of sent packets that got no answer; sr1/srp1 return the first response packet (or None on timeout)
• rdpcap(filename, count=-1) reads a pcap file and returns a list of packets
DHCP Servers
DHCP protocol
A different approach - Server
• Sniff DHCP traffic with scapy
• "Reverse-engineer" reply packets and use these as your "template" packets
• Modify them to your needs (DNS server / gateway address / ...)
• Reply to DHCP request packets on the network with your modified packets
Video
A different approach - Client
• Sniff DHCP traffic with scapy
• "Reverse-engineer" request packets and use these as your "template" packets
• Modify them to your needs (hardware address)
• Send your modified request packets on the network and collect the offers/acknowledgements the servers return
Video
DNS Servers
DNS/mDNS query viewer
• Sniff some DNS/mDNS traffic
• Dissect and understand the protocol
• Implement a viewer for DNS and/or mDNS queries
  - DNS: 53/udp
  - mDNS: 5353/udp
• mDNS uses a multicast destination IP (224.0.0.251)
• The protocols are similar (mDNS reuses the DNS message format)
Video
DNS/mDNS query responder
• Check {dns,mdns}-responder.py for DNS and/or mDNS query responders
  - DNS: 53/udp
  - mDNS: 5353/udp
• mDNS uses a multicast destination IP (224.0.0.251)
• Reply to DNS/mDNS traffic on your network
Video
AJP13
Apache JServ Protocol version 1.3
• Communication protocol between a web server and servlet containers
• Packet-oriented protocol
• Binary format to increase performance
• TCP communication with persistent connections
  - Default port: tcp/8009
Making an AJP13 layer
https://tomcat.apache.org/connectors-doc-archive/jk2/common/AJPv13.html
Forward Request Packet
Strings are Pascal strings: a 2-byte length prefix (not counting the terminator), the string bytes, then a NUL terminator. A length of 0xFFFF means the string is absent (null).
Message Types
HTTP method and headers
Attributes
Response Packets
Response headers
Get body chunk
• The container asks for more data from the request (if the body was too large to fit in the first packet sent over, or when the request is chunked). The web server will send a body packet back with an amount of data which is the minimum of the request_length, the maximum send body size (8186 = 8 Kbytes - 6), and the number of bytes actually left to send from the request body.
• If there is no more data in the body (i.e. the servlet container is trying to read past the end of the body), the web server will send back an "empty" packet, which is a body packet with a payload length of 0: (0x12, 0x34, 0x00, 0x00)
AJP13 - Layers
Layers
• Layers are made by describing their fields. Each field value has 3 different representations:
  - Human (h)
  - Internal (i)
  - Machine (m)
• The conversion methods to implement (on a Field class used by the layer) to customize how a value is built and dissected are: i2m, m2i, h2i, i2h, any2i, ...
Fields
• Fields are made by describing their representation on the wire and for internal use.
• addfield(pkt, s, val) and getfield(pkt, s) are called to append a field to, or read a field from, the byte string of a layer
Processing fields

    def post_build(self, pkt, pay):
        """DEV: called right after the current layer is built.

        :param str pkt: the current packet (built by the self_build function)
        :param str pay: the packet payload (built by the do_build_payload function)
        :return: a string of the packet with the payload
        """
        return pkt + pay

    def dissection_done(self, pkt):
        """DEV: will be called after a dissection is completed"""
        self.post_dissection(pkt)
        self.payload.dissection_done(pkt)

    def post_dissection(self, pkt):
        """DEV: is called after the dissection of the whole packet"""
        pass

    def post_dissect(self, s):
        """DEV: is called right after the current layer has been dissected"""
        return s

    def pre_dissect(self, s):
        """DEV: is called right before the current layer is dissected"""
        return s
What to implement
• AJP13Header
• AJP13ForwardRequest
• Pascal String Field
• Data length calculation
Video
AJP13 - Fuzzing
Rand generators
• Fuzzing fields with Rand...() generators is easy
• Put RandInt(), RandShort(), RandIP(), RandString(), ... on the fields we want to fuzz
1) Loop sending the packet
   1) Every time the packet is built, Scapy calls the generators and creates new random values
   2) Don't forget to save the packets (e.g. with wrpcap) for later analysis [after an anomaly]
2) Observe the logs of the fuzzed application
What to implement - AJP13 as Web Server
• Generate a fuzzing template with Rand generators on AJP13ForwardRequests
• Fuzz the ajp13 service of the Tomcat on the VM
  - /opt/apache-tomcat-.../
  • bin/catalina.sh start
• Observe logs
  - logs/
Video
What to implement - AJP13 as Servlet Container
• Check the test_as_server.py example, and customize it
  - Launch it: it will listen on 8009/tcp and reply to web server requests in the AJP protocol
• Launch Apache httpd
  - Configure httpd with the lines from the config in the sources directory
• Configure the modules and insert a ProxyPass directive for ajp13
  - bin/httpd -X
• Start making requests to the Apache AJP endpoint
  - while [[ 1 ]] ; do curl localhost/ajp; done
• Observe logs
Video
LoRaWAN
LoRaWAN
• LoRaWAN is a MAC-layer protocol on top of the LoRa physical-layer modulation
• Used in IoT
• Deployed in a star (star-of-stars) topology
• Essential components
  - Application server
  - Gateway
  - Node
LoRaWAN - Our setup
• End Nodes use LoRa modulation to talk to the Gateway
• The Gateway uses UDP port 1700 to talk to the application server
  - Semtech packet-forwarder protocol
• The LoRaWAN protocol is used for End Nodes to talk to the Application Server
LoRaWAN - Our setup
• LoRaWAN payloads are encrypted with AES-128 (the FRMPayload with the AppSKey, the frame MIC computed with the NwkSKey)
• End Nodes can join the network with:
  - ABP (Activation By Personalization: DevAddr and session keys are pre-provisioned on the node)
  - OTAA (Over-The-Air Activation: session keys are derived from the AppKey during the JoinRequest/JoinAccept exchange)
• The communication between the Node and the Application Server is encrypted. The Node talks to the Gateway over LoRa and the Gateway uses the Internet to reach the application server.
• The Gateway talks to the Application Server using messages with gateway and reception information plus the received message from the node. In our case it is the SemtechUDP protocol and LoRaWAN 1.0.1.
LoRaWAN - Our setup - Protocol
• LoRaWAN Class A, Version 1.0.1
• https://lora-alliance.org/resource-hub/lorawanr-specification-v101
Protocol Layers
SemtechUDP
• UDP-based communication on port 1700
• Based on a binary header and JSON payloads
  - we'll be interested in the "data" of the JSON payload, where the LoRaWAN protocol is being exchanged
• https://github.com/Lora-net/packet_forwarder/blob/master/PROTOCOL.TXT
In practice
• Use the VM and:
  - Unpack the IQ samples zip to /tmp
  - Build and install gr-lora
  - Launch scapy-radio and use the LoRa radio module
  - gnuradio.sniffradio(radio="LoRa")
  - Dissect sniffed packets
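An added plain-Python dissector (not the workshop's code, and not a Scapy layer) for the encapsulation described in the SemtechUDP and "Our setup" slides: SemtechUDP binary header, JSON body, base64 "data" field, LoRaWAN 1.0.x PHYPayload. The gateway EUI, DevAddr, device EUIs, payload bytes and MIC below are constructed, and the MIC is not a valid one (checking it needs the NwkSKey and AES-CMAC, which this example does not do).

```python
# Added example (not the workshop's code): SemtechUDP PUSH_DATA -> LoRaWAN PHYPayload.
# All EUIs, DevAddr, payload bytes and MICs are constructed; the MIC is not valid.
import base64
import json
import struct

SEMTECH_IDS = {0: "PUSH_DATA", 1: "PUSH_ACK", 2: "PULL_DATA", 3: "PULL_RESP",
               4: "PULL_ACK", 5: "TX_ACK"}
MTYPES = ["JoinRequest", "JoinAccept", "UnconfirmedDataUp", "UnconfirmedDataDown",
          "ConfirmedDataUp", "ConfirmedDataDown", "RFU", "Proprietary"]


def parse_semtech(dgram):
    """Binary header (version, token, identifier[, gateway EUI]) + JSON body."""
    version, token, ident = struct.unpack("!BHB", dgram[:4])
    out = {"version": version, "token": token, "type": SEMTECH_IDS.get(ident, ident)}
    if ident in (0, 2, 5):                          # PUSH_DATA, PULL_DATA, TX_ACK carry the EUI
        out["gateway_eui"] = dgram[4:12].hex()
        body = dgram[12:]
    else:
        body = dgram[4:]
    out["json"] = json.loads(body) if body else None
    return out


def parse_phypayload(phy):
    """MHDR | MACPayload | MIC; multi-byte fields inside are little-endian."""
    mhdr = phy[0]
    frame = {"mtype": MTYPES[mhdr >> 5], "major": mhdr & 0x3, "mic": phy[-4:].hex()}
    body = phy[1:-4]
    if frame["mtype"] == "JoinRequest":
        frame["appeui"] = body[0:8][::-1].hex()     # sent LE, shown as printed on the device
        frame["deveui"] = body[8:16][::-1].hex()
        frame["devnonce"] = struct.unpack("<H", body[16:18])[0]
        return frame
    if frame["mtype"] in ("JoinAccept", "RFU", "Proprietary"):
        frame["encrypted"] = body.hex()             # Join Accept is AES-encrypted under the AppKey
        return frame
    devaddr, fctrl, fcnt = struct.unpack("<IBH", body[:7])
    fopts_len = fctrl & 0x0F
    frame.update(devaddr="%08x" % devaddr, adr=bool(fctrl & 0x80), ack=bool(fctrl & 0x20),
                 fcnt=fcnt, fopts=body[7:7 + fopts_len].hex())
    rest = body[7 + fopts_len:]
    if rest:                                        # FPort is present only when a payload follows
        frame["fport"] = rest[0]
        frame["frm_payload"] = rest[1:].hex()       # still encrypted (AppSKey, or NwkSKey on port 0)
    return frame


def frames_from_push_data(dgram):
    """PUSH_DATA -> one parsed frame per rxpk entry ("data" is the base64 PHYPayload)."""
    msg = parse_semtech(dgram)
    if msg["type"] != "PUSH_DATA":
        return []
    return [parse_phypayload(base64.b64decode(rx["data"])) for rx in msg["json"].get("rxpk", [])]


def push_ack(dgram):
    """What the server answers: same version and token, identifier PUSH_ACK."""
    return dgram[:3] + b"\x01"


def build_push_data(token, gateway_eui, phy_payloads, version=2):
    """Constructed PUSH_DATA as a packet forwarder would emit it (metadata trimmed)."""
    rxpk = [{"tmst": 1000 + i, "freq": 868.1, "modu": "LORA", "datr": "SF7BW125",
             "size": len(p), "data": base64.b64encode(p).decode()}
            for i, p in enumerate(phy_payloads)]
    return struct.pack("!BHB", version, token, 0) + gateway_eui + json.dumps({"rxpk": rxpk}).encode()


# Constructed frames: unconfirmed data up (DevAddr 26011f2a, FCnt 5, FPort 1) and a join request.
DATA_UP = (b"\x40" + struct.pack("<IBH", 0x26011F2A, 0x80, 5) + b"\x01"
           + b"\xde\xad\xbe\xef" + b"\x11\x22\x33\x44")
JOIN_REQ = (b"\x00" + bytes.fromhex("70b3d57ed0000001")[::-1] + bytes.fromhex("0004a30b001c0530")[::-1]
            + struct.pack("<H", 0x1234) + b"\x55\x66\x77\x88")
```

Pointed at a capture of the gateway-to-server leg, the same functions run over the UDP payloads of sniffed 1700/udp packets (sniff(filter="udp port 1700", prn=lambda p: frames_from_push_data(bytes(p[UDP].payload)))). What is readable without keys is exactly what the example returns: message type, DevAddr, frame counter, port and the join identities; the FRMPayload stays ciphertext.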
Video