Introduction to Information Security: Wireshark and Scapy

Upload: trancong

Post on 08-Oct-2018



Page 1: Introduction to Information Security · Scapy 13 • A Python library that allows constructing, deconstructing, sending, receiving, sniffing and virtually doing anything you can imagine

Introduction to Information Security: Wireshark and Scapy

Page 2: Exercise 6

• Submission deadline extended to 3.5 so you can fix the following issues:

• Check the exit code only to determine whether convert failed

• Put the explanation of why fuzzing the first and last 750 bytes is enough at the top of the .txt file

• Use the correct format:

  • 0x<byte>.<bit>\n

  • Bits are numbered from 0 to 7

  • Bytes are numbered from 1

• Don't copy the entire file over for every bit flip; that's ridiculously inefficient (flip the one byte in place and flip it back afterwards)
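As an added example (not from the slides and not the course's own solution), a harness that does what the feedback above asks: one byte is rewritten in place and flipped back, the target is judged by its exit code only, and hits are recorded as 0x<byte>.<bit>. It assumes the <byte> part is the 1-based offset written in hex, and that the real target is ImageMagick's `convert` on PATH; `toy_target` and the sample file in `demo()` are constructed so the harness can run offline.

```python
import os
import subprocess
import tempfile


def flip_bit_in_file(path, offset, bit):
    """XOR one bit of the byte at `offset` (0-based) in place.

    Only that single byte is rewritten, so calling this twice with the same
    arguments restores the original file without ever copying it.
    """
    mask = 1 << bit
    with open(path, 'r+b') as f:
        f.seek(offset)
        original = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([original ^ mask]))


def edge_offsets(size, edge=750):
    """0-based offsets of the first and last `edge` bytes (every byte if the file is small)."""
    if size <= 2 * edge:
        return list(range(size))
    return list(range(edge)) + list(range(size - edge, size))


def format_hit(offset, bit):
    """The report format from the slide: 0x<byte>.<bit>, bytes numbered from 1, bits 0..7.
    Assumption: <byte> is the 1-based offset in hex."""
    return '0x%x.%d' % (offset + 1, bit)


def convert_exit_code(path, timeout=30):
    """Target for the real exercise: ImageMagick's convert on the mutated file.
    Assumption: a `convert` binary on PATH.  Only the exit code decides whether
    the run failed; whatever it prints is discarded."""
    try:
        return subprocess.call(['convert', path, 'png:/dev/null'],
                               stdout=subprocess.DEVNULL,
                               stderr=subprocess.DEVNULL,
                               timeout=timeout)
    except subprocess.TimeoutExpired:
        return -1  # a hang counts as a failure as well


def fuzz_file(path, target=convert_exit_code, edge=750):
    """Flip every bit in the edge regions, run target(path), restore, collect hits."""
    hits = []
    for offset in edge_offsets(os.path.getsize(path), edge):
        for bit in range(8):
            flip_bit_in_file(path, offset, bit)
            try:
                if target(path) != 0:
                    hits.append(format_hit(offset, bit))
            finally:
                flip_bit_in_file(path, offset, bit)  # undo the flip, never copy the file
    return hits


# Constructed stand-in target so the harness can be exercised offline.
PNG_MAGIC = b'\x89PNG'


def toy_target(path):
    """Pretend converter: non-zero unless the PNG magic and the final byte are intact.
    Constructed for the demo; this is not ImageMagick."""
    with open(path, 'rb') as f:
        data = f.read()
    return 0 if data[:4] == PNG_MAGIC and data[-1] == 0x82 else 1


def demo():
    """Fuzz a constructed 2005-byte file with the toy target; returns (hits, file_restored)."""
    sample = PNG_MAGIC + b'\x00' * 2000 + b'\x82'
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        hits = fuzz_file(path, target=toy_target)
        with open(path, 'rb') as f:
            restored = f.read() == sample
    finally:
        os.unlink(path)
    return hits, restored


if __name__ == '__main__':
    hits, restored = demo()
    print(len(hits), 'hits; file restored:', restored)
    print('\n'.join(hits[:5]))
```

For the real run, keep the default `convert_exit_code` target and point `fuzz_file` at the input image; the explanation of why 750 bytes at each end is enough goes at the top of the .txt file, before the hit lines.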

Page 3: The Great Ascent

• We shift our focus from low-level vulnerabilities (buffer overflows) to high-level ones (DNS poisoning)

• Network vulnerabilities are just as sophisticated and interesting!

• They are not simpler, but they are easier to debug

• Tools:

• Wireshark (and maybe tcpdump)

• Scapy

Page 4: A Few Words about Python

Page 5: Python

• Probably the best language in the world

• For scripts, we know...

• But also:

• For web development (django, flask)

• For scientific research (numpy, scipy, sympy, matplotlib, IPython notebook)

• For big data analysis (pandas)

• For machine learning (scikit-learn)

• For big and complex systems (twisted, sqlalchemy)

• Other stuff (re, pycrypto, PIL, nltk, scrapy)

Page 6: A Few Words About Python

• How can it be?

• It's modern and cool

• It's extremely dynamic

• Everything is an object (even classes!)

• You can overload and hook just about anything

• Focuses on developer time

  • Nowadays, that's what takes 90% of the time!

  • Simplicity

  • Interactivity

• As a side-note for skeptics, with a JIT like PyPy it can also be fast

Page 7: Example

class A(object):
    def __call__(self, x, y):      # a(1, 2) calls A.__call__
        return x + y

    def __getitem__(self, key):    # a['foo'] calls A.__getitem__
        return key.upper()

    def __getattr__(self, key):    # a.foo calls A.__getattr__ (only for names normal lookup can't find)
        return key.ljust(10, '.')

>>> a = A()
>>> a(1, 2)
3
>>> a['foo']
'FOO'
>>> a.foo
'foo.......'

Page 8: How to Learn

• If you're not sure how to do something, Google it or look on Stack Overflow

• Don't copy solutions blindly, but do learn from them

• For example, many of you reinvented the wheel instead of using binascii / struct

• Almost nobody automated the core dump address extraction

• Sounds hard?
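Added example (this is not the missing slide's code): automating the core dump step with re, struct and binascii. `register_from_core` runs gdb in batch mode, which assumes gdb on PATH and a core dump produced by the crashing binary; `parse_gdb_registers` is exercised on a constructed copy of what `info registers` prints, so the rest runs offline. The binary name, addresses and padding are made up for the demo.

```python
import binascii
import re
import struct
import subprocess

# gdb's `info registers <reg>` prints one register per line: name, hex value, natural value.
GDB_REGISTER_RE = re.compile(r'^(\w+)\s+(0x[0-9a-fA-F]+)', re.MULTILINE)


def parse_gdb_registers(text):
    """{register name: int value} from the text gdb printed."""
    return {m.group(1): int(m.group(2), 16) for m in GDB_REGISTER_RE.finditer(text)}


def register_from_core(binary, core, reg='rsp'):
    """Run gdb non-interactively on a core dump and return one register's value.
    Assumption: gdb on PATH, and `core` was produced by `binary` (ulimit -c unlimited)."""
    result = subprocess.run(
        ['gdb', '-q', '-batch', '-ex', 'info registers ' + reg, binary, core],
        capture_output=True, text=True, check=True)
    return parse_gdb_registers(result.stdout)[reg]


def pack_address(addr, width=8):
    """Little-endian bytes of an address via struct, instead of hand-built escape strings."""
    return struct.pack('<Q' if width == 8 else '<I', addr)


def unpack_address(raw):
    """The inverse: 8 (or 4) bytes read back from memory or a dump to an int."""
    return struct.unpack('<Q' if len(raw) == 8 else '<I', raw)[0]


def build_payload(padding, ret_addr, width=8):
    """Filler up to the saved return address, then the address to jump to."""
    return b'A' * padding + pack_address(ret_addr, width)


# Constructed sample of gdb's output for the offline demo (the shape is real, the values are made up).
SAMPLE_GDB_OUTPUT = """\
Reading symbols from ./vuln...
[New LWP 4242]
Core was generated by `./vuln'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000401176 in handle (buf=0x7fffffffe3b0 "AAAA"...) at vuln.c:12
rsp            0x7fffffffe3b0      0x7fffffffe3b0
rip            0x401176            0x401176 <handle+54>
"""


def demo():
    """Extract rsp from the sample, pack it, and show it as hex: (int, bytes, hex string)."""
    rsp = parse_gdb_registers(SAMPLE_GDB_OUTPUT)['rsp']
    packed = pack_address(rsp)
    return rsp, packed, binascii.hexlify(packed).decode()


if __name__ == '__main__':
    print(demo())
```

The same regex handles `info registers` with no argument (all registers), so one gdb invocation gives you every value you might need.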

Page 9: Example

Page 10: Back to the Point

Page 11: Wireshark

• Captures ("sniffs") incoming and outgoing packets on an interface, or reads a saved capture

• Excellent dissection and visualisation: every layer of every packet, shown as a tree

• Supports an incredible number of protocols

• Capture filters, display filters (e.g. tcp.port == 80), "follow stream" and more

Page 12: Wireshark

Page 13: Scapy

• A Python library for constructing, deconstructing, sending, receiving and sniffing packets, and virtually anything else you can imagine doing with them

• Read the tutorial: http://www.secdev.org/projects/scapy/doc/usage.html

• Sending and sniffing raw packets needs root (or CAP_NET_RAW)

>>> from scapy.all import *
>>> s = IP(dst='212.179.180.89') / TCP(sport=65000, dport=80, flags='S')   # a SYN; lengths and checksums are filled in when it is built
>>> a = sr1(s)                        # send at layer 3 and return the first answer
>>> a[TCP].sport                      # index by layer, then read its fields
80
>>> a[TCP].sprintf('%TCP.flags%')     # the server's SYN/ACK
'SA'
>>> sniff(lfilter=lambda p: UDP in p, prn=lambda p: p.summary())   # lfilter picks packets in Python, prn runs on each one
...
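What IP()/TCP() and a[TCP].flags hide, as an added example that is not Scapy's own code: the same SYN built by hand with struct (both checksums included), dissected again, and, when Scapy is installed, cross-checked against bytes(IP()/TCP()). The addresses and ports are the ones from the session above; `scapy_agrees` and `flip_byte` are helpers written for this example.

```python
import socket
import struct

# TCP flag bits in order, bit 0 = FIN ... bit 7 = CWR; the same letters Scapy prints for %TCP.flags%.
TCP_FLAG_LETTERS = 'FSRPAUEC'


def flags_to_str(flags):
    """0x12 -> 'SA', i.e. what a[TCP].sprintf('%TCP.flags%') shows for a SYN/ACK."""
    return ''.join(ch for i, ch in enumerate(TCP_FLAG_LETTERS) if flags & (1 << i))


def str_to_flags(s):
    """'SA' -> 0x12."""
    return sum(1 << TCP_FLAG_LETTERS.index(ch) for ch in s)


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a correctly checksummed header."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_tcp(src, dst, sport, dport, flags='S', seq=0, ack=0,
                 window=8192, ttl=64, ip_id=1):
    """Wire bytes of IP(src, dst)/TCP(...) with no payload: 20-byte IPv4 + 20-byte TCP header.
    Defaults mirror Scapy's (id=1, ttl=64, window=8192) so the two serialisations compare equal."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    # TCP header with data offset 5 (no options) and checksum 0 for now
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4,
                      str_to_flags(flags), window, 0, 0)
    # the TCP checksum covers a pseudo-header (addresses, proto, length) plus the segment
    pseudo = struct.pack('!4s4sBBH', s, d, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack('!H', inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), ip_id, 0,
                     ttl, socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack('!H', inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ip_tcp(raw):
    """Dissect raw bytes into the fields you would read as a[TCP].sport etc., plus checksum checks."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _, s, d = struct.unpack('!BBHHHBBH4s4s', raw[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_TCP:
        raise ValueError('not an IPv4/TCP packet')
    ihl = (ver_ihl & 0x0F) * 4
    seg = raw[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, window, _, _urg = struct.unpack('!HHIIBBHHH', seg[:20])
    pseudo = struct.pack('!4s4sBBH', s, d, 0, proto, len(seg))
    return {
        'src': socket.inet_ntoa(s), 'dst': socket.inet_ntoa(d), 'ttl': ttl,
        'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
        'flags': flags_to_str(flags), 'dataofs': off_res >> 4, 'window': window,
        'ip_chksum_ok': inet_checksum(raw[:ihl]) == 0,
        'tcp_chksum_ok': inet_checksum(pseudo + seg) == 0,
    }


def flip_byte(raw, index, mask=0x01):
    """Copy of raw with one byte XORed, to watch a checksum check fail."""
    return raw[:index] + bytes([raw[index] ^ mask]) + raw[index + 1:]


def scapy_agrees(raw):
    """Cross-check against Scapy if it is installed (None if it is not): Scapy must dissect the
    same flags and rebuild byte-identical output from the dissected fields."""
    try:
        from scapy.all import IP, TCP
    except ImportError:
        return None
    p = IP(raw)
    rebuilt = IP(src=p.src, dst=p.dst, id=p.id, ttl=p.ttl) / TCP(
        sport=p[TCP].sport, dport=p[TCP].dport, seq=p[TCP].seq, ack=p[TCP].ack,
        flags=p[TCP].flags, window=p[TCP].window)
    return bytes(rebuilt) == raw and p[TCP].sprintf('%TCP.flags%') == parse_ip_tcp(raw)['flags']


if __name__ == '__main__':
    syn = build_ip_tcp('10.0.0.1', '212.179.180.89', 65000, 80, 'S')
    print(parse_ip_tcp(syn))
    print('scapy agrees:', scapy_agrees(syn))
```

The checksum checks are the reason a hand-crafted packet "silently disappears": the receiving kernel drops anything whose IP or TCP checksum does not verify, which is exactly what Scapy recomputes for you each time it serialises a layer.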

Page 14: Exercise 7

• A series of unrelated questions, each about a problem and its solutions

• The problems themselves may have been taught in class

• But anyway, they are explained in detail and are in fact quite simple

• A big open bonus I will personally grade "by ear" (so no appeals, but do try to impress me)