SlideShare ist ein Scribd-Unternehmen logo

True stories on the analysis of network activity using Python

delimitry
delimitry

The document discusses network packet analysis using Python. It provides an overview of network analysis tools like Wireshark and tcpdump, and how to use them to analyze network traffic captured in a pcap file. It also discusses how to create and send network packets using Scapy for tasks like port scanning, and how to filter network traffic using IPv4/IPv6 packet filters like iptables. The document provides examples of summarizing pcap data and crafting network packets for various protocols.

Software
1 von 36
Downloaden Sie, um offline zu lesen
True stories on the analysis of network activity using Python Dmitry Alimov 2018
Outline 1. Theory 2. Network packets analysis 3. IPv4/IPv6 network filters (iptables) Network packets crafting 4. Open ports 2
OSI model 3 Away Pizza Sausage Throw Not Do Please Mnemonic
Internet protocol suite (TCP/IP) model IP, ICMP DHCP, DNS, FTP, HTTP, SNMP, SSH, Telnet TCP, UDP Ethernet, PPP, ARP 4
5 Network packets analysis
Network activity ● Requests ● Used hosts ● Lost packets ● Statistics 6
Tools ● wireshark ● tcpdump ● scapy 7
Wireshark 8
tcpdump Tool for dumping the traffic on a network /mnt/nfs/tcpdump -i eth1 -w ./tcpdump.pcap 'ip and not (src 192.168.17.1 or dst 192.168.17.1) and not broadcast and not multicast and host not 10.12.1.100' & N.B. filters! Examples: # show traffic to 10.12.1.2 that is not ICMP: tcpdump dst 10.12.1.2 and src net and not icmp # show SYNACK packets: tcpdump 'tcp[13]=18' 9
tcpdump output 2017-09-04 11:42:20.475594 IP 127.255.90.99.67 > 127.255.90.99.68: BOOTP/DHCP, Reply, length 357 E.......@.[Z.........C.D.m......&........................N.c.L..................................... ................................................................................................... ..................................................................c.Sc5..6.Dr$.3...........:.....;. ...V..........~..............lab.com......}(..&.#.!.......v..1.........lab.com.. 2017-09-04 11:42:22.322596 IP 127.255.90.18.46800 > 127.255.90.214.51001: Flags [S], seq 3059494393, win 14600, options [mss 1460,sackOK,TS val 4294828083 ecr 0,nop,wscale 7], length 0 2017-09-04 11:42:22.755378 IP 127.255.90.18.45832 > 192.0.1.207.8081: Flags [P.], seq 1:79, ack 1, win 115, length 78 E..v0.@.@.........r......e......P..s....GET /hdr.dat HTTP/1.1 Host: 192.0.1.207:8081 Connection: close Convert pcap to txt: tcpdump -ttttnnr tcpdump.pcap > tcpdump.pcap.txt 10
Test report total DNS sessions: 17 -------------------------------------------------------------------------------- domain name | bad responses -------------------------------------------------------------------------------- host1-lab.com. | 2 host2-lab.com. | 2 host3-lab.com. | 2 TCP sessions stats: -------------------------------------------------------------------------------- destination ip:port | times connected total (good / bad) | total length -------------------------------------------------------------------------------- 192.0.114.207:8081 | 21 (4 good / 17 bad) | 8808 127.255.90.214:51001 | 16 (0 good / 16 bad) | 0 192.0.105.184:443 | 2 (2 good / 0 bad) | 11866 192.0.112.19:8080 | 2 (1 good / 1 bad) | 408 192.0.80.137:42272 | 1 (0 good / 1 bad) | 3057 192.0.80.137:41012 | 1 (1 good / 0 bad) | 3505 UDP sessions stats: -------------------------------------------------------------------------------- destination ip:port | quantity | total length -------------------------------------------------------------------------------- 192.0.80.137:48723 | 1 | 8 192.0.80.137:40030 | 1 | 8 192.0.80.137:59320 | 1 | 8 11
PCAP analysis with Scapy from scapy.all import * packets = rdpcap('tcpdump.pcap') for packet in packets: if TCP in packet: if Raw in packet: print('from {} to {}'.format(packet[IP].src, packet[IP].dst)) print('payload:') print('{}'.format(packet[Raw].load)) > from 127.255.210.110 to 192.0.140.246 > payload: > GET /configs/main.cfg HTTP/1.1 > Host: 192.0.140.246 > Accept: */* 12
13 IPv4/IPv6 packets filtering
IPv4/IPv6 network filters (iptables) iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT Task: Test IPv4/IPv6 network filters E.g. ICMP, IPv6-ICMP, TCP (SSH), UDP (SNMP, DHCP, DHCPv6) Possible solutions: tcpdump iptables/ip6tables 14
IPv4/IPv6 network filters (iptables) 15
/sbin/ip6tables -x -v -n -L Chain INPUT (policy DROP 6737 packets, 1273025 bytes) pkts bytes target prot opt in out source destination 2 120 DROP tcp * * ::/0 ::/0 tcp dpt:22 /* Drop SSH */ 1 48 DROP udp * * ::/0 ::/0 udp dpt:161 /* Drop SNMP */ 2 160 DROP icmpv6 * * ::/0 ::/0 ipv6-icmptype 137 /* Drop ICMP Redirect Message */ 2 208 ACCEPT all * * ::/0 ::/0 state ESTABLISHED,RELATED 2 208 ACCEPT all lo * ::1 ::1 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 /* Echo Request */ 5342 405940 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130 /* Multicast Listener Query */ 3 216 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131 /* Multicast Listener Report */ 1 72 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132 /* Multicast Listener Done */ 14 1000 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 /* Neighbor Discovery (ND) Solicitation */ 1377 99088 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 /* Neighbor Discovery (ND) Advertisement */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 /* Inverse Neighbor Discovery Solicitation */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 /* Inverse Neighbor Discovery Advertisement */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 /* Secure ND Certificate Path Solicitation */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 /* Secure ND Certificate Path Advertisement */ 1 48 ACCEPT udp * * ::/0 ::/0 udp spt:547 dpt:546 /* Accept DHCPv6 */ Chain OUTPUT (policy ACCEPT 5419 packets, 419928 bytes) pkts bytes target prot opt in out source destination 16
/sbin/ip6tables -x -v -n -L Chain INPUT (policy DROP 6737 packets, 1273025 bytes) pkts bytes target prot opt in out source destination 2 120 DROP tcp * * ::/0 ::/0 tcp dpt:22 /* Drop SSH */ 1 48 DROP udp * * ::/0 ::/0 udp dpt:161 /* Drop SNMP */ 2 160 DROP icmpv6 * * ::/0 ::/0 ipv6-icmptype 137 /* Drop ICMP Redirect Message */ 2 208 ACCEPT all * * ::/0 ::/0 state ESTABLISHED,RELATED 2 208 ACCEPT all lo * ::1 ::1 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 /* Echo Request */ 5342 405940 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130 /* Multicast Listener Query */ 3 216 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131 /* Multicast Listener Report */ 1 72 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132 /* Multicast Listener Done */ 14 1000 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 /* Neighbor Discovery (ND) Solicitation */ 1377 99088 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 /* Neighbor Discovery (ND) Advertisement */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 /* Inverse Neighbor Discovery Solicitation */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 /* Inverse Neighbor Discovery Advertisement */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 /* Secure ND Certificate Path Solicitation */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 /* Secure ND Certificate Path Advertisement */ 1 48 ACCEPT udp * * ::/0 ::/0 udp spt:547 dpt:546 /* Accept DHCPv6 */ Chain OUTPUT (policy ACCEPT 5419 packets, 419928 bytes) pkts bytes target prot opt in out source destination 17
Network packets crafting socket for TCP, UDP (e.g. SNMP, DHCP) -> user permissions socket(AF_INET / AF_INET6, SOCK_STREAM) socket(AF_INET / AF_INET6, SOCK_DGRAM) raw sockets -> root permissions Python + Scapy 18
Examples from scapy.all import * def test_tcp_dpt_22(self): # Check SSH ipv6 = IPv6(dst=self.ipv6) payload = ipv6 / TCP(dport=22) # Send packets at layer 3 and return only the first answer sr1(payload, timeout=2) Begin emission: ..Finished to send 1 packets. 19
Examples from scapy.all import * def test_udp_dpt_161(self): # Check SNMP ipv6 = IPv6(dst=self.ipv6) payload = ipv6 / UDP(dport=161) # Send packets at layer 3 and return only the first answer sr1(payload, timeout=2) 20
Examples from scapy.all import * def test_ipv6_icmptype_128(self): # Check ICMPv6 Echo Request payload = ICMPv6EchoRequest(type=128) ipv6 = IPv6(dst=self.ipv6) sr1(ipv6 / payload, timeout=2) 21
Examples from scapy.all import * def test_ipv6_icmptype_130(self): # add RouterAlert option hbh = IPv6ExtHdrHopByHop(options=[RouterAlert(value=0)]) multicast = 'ff02::1' ipv6 = IPv6(dst=multicast) payload = ICMPv6MLQuery(type=130) sr1(ipv6 / hbh / payload, timeout=2) 22
Scapy “/layers/inet6.py” #138: Do Me - RFC 2894 - Seems painful ... #143: Do Me - RFC 3810 ... #148: Do Me - SEND related - RFC 3971 #149: Do Me - SEND related - RFC 3971 ... # tous les messages MLD sont emis avec une adresse source lien-locale # -> Y veiller dans le post_build si aucune n'est specifiee # La valeur de Hop-Limit doit etre de 1 ... 23 not implemented :(
Examples from scapy.all import * def test_ipv6_icmptype_148(self): # make ICMPv6 type 148 from ICMPv6Unknown payload = ICMPv6Unknown(type=148, msgbody='test_type_148') ipv6 = IPv6(dst=self.ipv6) sr1(ipv6 / payload, timeout=2) 24
PCAP packets replay with Scapy from scapy.all import * packets = rdpcap("tcpdump.pcap") new_mac = 'DE:EE:11:33:33:77' new_src = '123.34.45.56' for packet in packets: packet[Ether].src = new_mac packet[IP].src = new_src send(packet) 25
26 Open ports
Nmap $ nmap -p- 192.168.1.93 Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-15 11:29 MSK Nmap scan report for 192.168.1.93 Host is up (0.038s latency). Not shown: 65524 closed ports PORT STATE SERVICE 22/tcp open ssh 23/tcp open telnet 111/tcp open rpcbind 135/tcp filtered msrpc 136/tcp filtered profile 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 593/tcp filtered http-rpc-epmap 9555/tcp open unknown 12345/tcp open unknown 27
Netstat netstat -an Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 0 50500 2805/rsync tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 37787 2605/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 41189 2429/cupsd tcp6 0 0 :::25 :::* LISTEN 0 50340 - udp 0 0 0.0.0.0:68 0.0.0.0:* 0 33595 2584/dhclient 28
Ports monitor No netstat? No problem /proc/net/udp*, /proc/net/tcp*, lsof cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 50500 1 00000000 100 0 0 10 0 1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 37787 1 00000000 100 0 0 10 0 2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 41189 1 00000000 100 0 0 10 0 sudo lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cupsd 2429 root 9u IPv4 41189 0t0 TCP localhost:ipp (LISTEN) sshd 2605 root 3u IPv4 37787 0t0 TCP *:ssh (LISTEN) rsync 2805 root 4u IPv4 50500 0t0 TCP *:rsync (LISTEN) states = { 0x01: TCP_ESTABLISHED, 0x0A: TCP_LISTEN, ... } 29
Ports monitor import paramiko def send_command(ip, command, login, password, port=22, timeout=30): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(ip, port=port, timeout=timeout, username=login, password=password) _, stdout, _ = ssh.exec_command(command) stdout_data = stdout.read() ssh.close() return stdout_data def main(): ... output = send_command(ip, 'cd /proc/net/; cat tcp udp tcp6 udp6') ... lsof_data = get_lsof(ip) tables = map_sockets_procs(lsof_data) print(tables) 30
Ports monitor 31 proto | reqcv-q | send-q | local ip:port | foreign ip:port | state | pid | process ------------------------------------------------------------------------------------------------------------- tcp | 0 | 0 | 127.0.0.1:37610 | 0.0.0.0:0 | LISTEN | 1071 | /bin/app tcp | 0 | 0 | 127.0.0.1:37610 | 127.0.0.1:30642 | ESTABLISHED | 1046 | /usr/bin/manager tcp | 0 | 0 | 127.0.0.1:40642 | 127.0.0.1:37610 | ESTABLISHED | 1070 | /default/applauncher udp | 0 | 0 | 0.0.0.0:40019 | 0.0.0.0:0 | | 1407 | /bin/busybox udp | 0 | 0 | 0.0.0.0:40022 | 0.0.0.0:0 | | 1407 | /bin/busybox udp | 0 | 0 | 192.168.13.23:28881 | 0.0.0.0:0 | | ??? | ??? udp | 0 | 0 | 192.168.13.23:28899 | 0.0.0.0:0 | | ??? | ??? tcp6 | 0 | 0 | [::]:31275 | [::]:0 | LISTEN | 1271 | /bin/app tcp6 | 0 | 0 | [::]:61246 | [::]:0 | LISTEN | 1270 | /default/applauncher tcp6 | 0 | 0 | [::]:41226 | [::]:0 | LISTEN | 1246 | /usr/bin/manager tcp6 | 0 | 0 | [::]:31286 | [::]:0 | LISTEN | 1287 | /usr/bin/hstool udp6 | 0 | 0 | [::]:51244 | [::]:0 | | 1270 | /default/applauncher udp6 | 0 | 0 | [::]:51238 | [::]:0 | | 1270 | /default/applauncher tcp6 | 0 | 0 | [::]:22 | [::]:0 | LISTEN | 2605 | /sbin/dropbear tcp6 | 0 | 0 | 0.0.0.0:23 | 0.0.0.0:0 | LISTEN | 2789 | /bin/busybox tcp | 0 | 0 | 0.0.0.0:111 | 0.0.0.0:0 | LISTEN | 767 | /bin/portmap tcp | 0 | 0 | 0.0.0.0:873 | 0.0.0.0:0 | LISTEN | 2805 | /bin/rsync
Questions? https://t.me/spbpython https://t.me/piterpy_meetup
33 Bonus slides
lsof - list open files $ sudo lsof -n COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 0,70 176 258 / init 1 root rtd DIR 0,70 176 258 / init 1 root txt REG 0,70 163096 215892 /sbin/init init 1 root mem REG 0,42 215892 /sbin/init (path dev=0,70) .... init 1 root 2u CHR 1,3 0t0 6 /dev/null init 1 root 3r FIFO 0,10 0t0 34066 pipe init 1 root 4w FIFO 0,10 0t0 34066 pipe init 1 root 5r 0000 0,11 0 7041 anon_inode init 1 root 7u unix 0x0000000000000000 0t0 34067 socket init 1 root 8u unix 0x0000000000000000 0t0 34270 socket init 1 root 11w REG 0,70 95 4137723 /var/log/upstart/acpid.log.1 ... sshd 2963 root 3u IPv4 93504 0t0 TCP *:ssh (LISTEN) ... lsof 9128 d 7w FIFO 0,10 0t0 173854523 pipe 34
List open files # ls -l /proc/2963/exe lrwxrwxrwx 1 root root 0 Dec 18 15:52 /proc/2963/exe -> /usr/sbin/sshd # ls -l /proc/2963/fd/ total 0 dr-x------ 2 root root 0 Dec 18 15:52 . dr-xr-xr-x 9 root root 0 Dec 12 17:55 .. lrwx------ 1 root root 64 Dec 18 15:54 0 -> /dev/null lrwx------ 1 root root 64 Dec 18 15:54 1 -> /dev/null lrwx------ 1 root root 64 Dec 18 15:54 2 -> socket:[93504] # cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 72565 1 0 100 0 0 10 0 1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 93504 1 0 100 0 0 10 0 ... 35 No lsof? No problem :)
Images references https://github.com/spbpython/spb-pig-logo https://www.meetup.com/PiterPy-Meetup/ http://www.i3intl.com/infrastructure/network-services/ http://ciscoccnaselfstudy.blogspot.ru/2015/10/osi-model-layers-and-its-functions-on.html https://commons.wikimedia.org/wiki/File:UDP_encapsulation.svg http://cje-rdp.org/atelier-methodes-dynamiques-de-recherche-demploi/ http://www.freeperformancesoftware.com/product/159/ https://www.brandsoftheworld.com/logo/wireshark http://benrenaut.com/?filter=design https://www.python.org/community/logos/ http://www.iemoji.com/view/emoji/1853/smileys-people/thinking-face http://d.hatena.ne.jp/hirose31/20090401/1238585753 https://thumbs.dreamstime.com/t/toegang-verleende-ontkende-zegel-44982540.jpg 36

Empfohlen

Ipv6 test plan for opnfv poc v2.2 spirent-vctlab
Ipv6 test plan for opnfv poc v2.2 spirent-vctlabIpv6 test plan for opnfv poc v2.2 spirent-vctlab
Ipv6 test plan for opnfv poc v2.2 spirent-vctlab
Iben Rodriguez
 
Cs423 raw sockets_bw
Cs423 raw sockets_bwCs423 raw sockets_bw
Cs423 raw sockets_bw
jktjpc
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
Cassio Ramos
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
Cassio Ramos
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gpon
laonap166
 
Vpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếVpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tế
laonap166
 
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Андрей Шорин
 
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Ontico
 

Empfohlen

Ipv6 test plan for opnfv poc v2.2 spirent-vctlab
Ipv6 test plan for opnfv poc v2.2 spirent-vctlabIpv6 test plan for opnfv poc v2.2 spirent-vctlab
Ipv6 test plan for opnfv poc v2.2 spirent-vctlab
Iben Rodriguez
 
Cs423 raw sockets_bw
Cs423 raw sockets_bwCs423 raw sockets_bw
Cs423 raw sockets_bw
jktjpc
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
Cassio Ramos
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
Cassio Ramos
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gpon
laonap166
 
Vpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếVpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tế
laonap166
 
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Андрей Шорин
 
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...
Ontico
 
IPSec VPN
IPSec VPNIPSec VPN
IPSec VPN
NetProtocol Xpert
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
n|u - The Open Security Community
 
Complete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac bindingComplete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac binding
Chanaka Lasantha
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
Aman Gupta
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
jvehent
 
#Include os - From bootloader to REST API with the new C++
#Include os - From bootloader to REST API with the new C++#Include os - From bootloader to REST API with the new C++
#Include os - From bootloader to REST API with the new C++
IncludeOS
 
Debugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerDebugging 2013- Jesper Brouer
Debugging 2013- Jesper Brouer
Mediehuset Ingeniøren Live
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
Engine Yard
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
Anne Nicolas
 
Connectivity for Local Sensors and Actuators Using nRF24L01+
Connectivity for Local Sensors and Actuators Using nRF24L01+Connectivity for Local Sensors and Actuators Using nRF24L01+
Connectivity for Local Sensors and Actuators Using nRF24L01+
Eueung Mulyana
 
PVQA PCAP Analyzer
PVQA PCAP AnalyzerPVQA PCAP Analyzer
PVQA PCAP Analyzer
Sevana Oü
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
Security Date
 
Ipso vrrp troubleshooting
Ipso vrrp troubleshootingIpso vrrp troubleshooting
Ipso vrrp troubleshooting
Pavan Kumar
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
DefconRussia
 
הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0
ELI KENDEL אלי קנדל
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
Varun Kakumani
 
selected input/output - sensors and actuators
selected input/output - sensors and actuatorsselected input/output - sensors and actuators
selected input/output - sensors and actuators
Eueung Mulyana
 
Lab 4 marking
Lab 4 markingLab 4 marking
Lab 4 marking
VNG
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
Bangladesh Network Operators Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

Complete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac bindingComplete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac binding
Chanaka Lasantha
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
jvehent
 
Ipso vrrp troubleshooting
Ipso vrrp troubleshootingIpso vrrp troubleshooting
Ipso vrrp troubleshooting
Pavan Kumar
 

Was ist angesagt? (20)

IPSec VPN
IPSec VPNIPSec VPN
IPSec VPN
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Complete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac bindingComplete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac binding
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
#Include os - From bootloader to REST API with the new C++
#Include os - From bootloader to REST API with the new C++#Include os - From bootloader to REST API with the new C++
#Include os - From bootloader to REST API with the new C++
 
Debugging 2013- Jesper Brouer
Debugging 2013- Jesper BrouerDebugging 2013- Jesper Brouer
Debugging 2013- Jesper Brouer
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
 
Connectivity for Local Sensors and Actuators Using nRF24L01+
Connectivity for Local Sensors and Actuators Using nRF24L01+Connectivity for Local Sensors and Actuators Using nRF24L01+
Connectivity for Local Sensors and Actuators Using nRF24L01+
 
PVQA PCAP Analyzer
PVQA PCAP AnalyzerPVQA PCAP Analyzer
PVQA PCAP Analyzer
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
 
Ipso vrrp troubleshooting
Ipso vrrp troubleshootingIpso vrrp troubleshooting
Ipso vrrp troubleshooting
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0הגדרת נתבי סיסקו 1.0
הגדרת נתבי סיסקו 1.0
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
selected input/output - sensors and actuators
selected input/output - sensors and actuatorsselected input/output - sensors and actuators
selected input/output - sensors and actuators
 
Lab 4 marking
Lab 4 markingLab 4 marking
Lab 4 marking
 

Ähnlich wie True stories on the analysis of network activity using Python

netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
ezonesolutions
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
Admin621695
 
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue
 
Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes
Positive Hack Days
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
Thanawan Tuamyim
 

Ähnlich wie True stories on the analysis of network activity using Python (20)

netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Services
ServicesServices
Services
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1
 
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdfNote I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
Note I only need the last 3 sub-questions ( e, f and g) 3. Firew.pdf
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis course
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
 
Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes Александр Зайцев - Port Knocking, short notes
Александр Зайцев - Port Knocking, short notes
 
PLNOG 13: Piotr Głaska: Quality of service monitoring in IP networks
PLNOG 13: Piotr Głaska: Quality of service monitoring in IP networksPLNOG 13: Piotr Głaska: Quality of service monitoring in IP networks
PLNOG 13: Piotr Głaska: Quality of service monitoring in IP networks
 
Network for amin
Network for aminNetwork for amin
Network for amin
 
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
Trash Robotic Router Platform - David Melendez - Codemotion Rome 2015
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 

Mehr von delimitry

Mehr von delimitry (19)

Python Hashlib & A True Story of One Bug
Python Hashlib & A True Story of One BugPython Hashlib & A True Story of One Bug
Python Hashlib & A True Story of One Bug
 
JIT compilation for CPython
JIT compilation for CPythonJIT compilation for CPython
JIT compilation for CPython
 
Data storage systems
Data storage systemsData storage systems
Data storage systems
 
Fuzzing python modules
Fuzzing python modulesFuzzing python modules
Fuzzing python modules
 
Writing file system in CPython
Writing file system in CPythonWriting file system in CPython
Writing file system in CPython
 
CPython logo
CPython logoCPython logo
CPython logo
 
Contribute to CPython
Contribute to CPythonContribute to CPython
Contribute to CPython
 
Buzzword poem generator in Python
Buzzword poem generator in PythonBuzzword poem generator in Python
Buzzword poem generator in Python
 
Numbers obfuscation in Python
Numbers obfuscation in PythonNumbers obfuscation in Python
Numbers obfuscation in Python
 
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему кодуITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
ITGM #9 - Коварный CodeType, или от segfault'а к работающему коду
 
Python dictionary : past, present, future
Python dictionary : past, present, futurePython dictionary : past, present, future
Python dictionary : past, present, future
 
Python dict: прошлое, настоящее, будущее
Python dict: прошлое, настоящее, будущееPython dict: прошлое, настоящее, будущее
Python dict: прошлое, настоящее, будущее
 
Разработка фреймворка на Python для автоматизации тестирования STB боксов
Разработка фреймворка на Python для автоматизации тестирования STB боксовРазработка фреймворка на Python для автоматизации тестирования STB боксов
Разработка фреймворка на Python для автоматизации тестирования STB боксов
 
SchoolCTF 2012 - Tpircsavaj
SchoolCTF 2012 - TpircsavajSchoolCTF 2012 - Tpircsavaj
SchoolCTF 2012 - Tpircsavaj
 
SchoolCTF 2012 - See Shark
SchoolCTF 2012 - See SharkSchoolCTF 2012 - See Shark
SchoolCTF 2012 - See Shark
 
SchoolCTF 2012 - Rings
SchoolCTF 2012 - RingsSchoolCTF 2012 - Rings
SchoolCTF 2012 - Rings
 
SchoolCTF 2012 - Bin Pix
SchoolCTF 2012 - Bin PixSchoolCTF 2012 - Bin Pix
SchoolCTF 2012 - Bin Pix
 
SchoolCTF 2012 - Acid
SchoolCTF 2012 - AcidSchoolCTF 2012 - Acid
SchoolCTF 2012 - Acid
 
Python GC
Python GCPython GC
Python GC
 

Kürzlich hochgeladen

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
VictorSzoltysek
 

Kürzlich hochgeladen (20)

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 

True stories on the analysis of network activity using Python

  • 1. True stories on the analysis of network activity using Python Dmitry Alimov 2018
  • 2. Outline 1. Theory 2. Network packets analysis 3. IPv4/IPv6 network filters (iptables) Network packets crafting 4. Open ports 2
  • 4. Internet protocol suite (TCP/IP) model IP, ICMP DHCP, DNS, FTP, HTTP, SNMP, SSH, Telnet TCP, UDP Ethernet, PPP, ARP 4
  • 6. Network activity ● Requests ● Used hosts ● Lost packets ● Statistics 6
  • 9. tcpdump Tool for dumping the traffic on a network /mnt/nfs/tcpdump -i eth1 -w ./tcpdump.pcap 'ip and not (src 192.168.17.1 or dst 192.168.17.1) and not broadcast and not multicast and host not 10.12.1.100' & N.B. filters! Examples: # show traffic to 10.12.1.2 that is not ICMP: tcpdump dst 10.12.1.2 and src net and not icmp # show SYNACK packets: tcpdump 'tcp[13]=18' 9
  • 10. tcpdump output 2017-09-04 11:42:20.475594 IP 127.255.90.99.67 > 127.255.90.99.68: BOOTP/DHCP, Reply, length 357 E.......@.[Z.........C.D.m......&........................N.c.L..................................... ................................................................................................... ..................................................................c.Sc5..6.Dr$.3...........:.....;. ...V..........~..............lab.com......}(..&.#.!.......v..1.........lab.com.. 2017-09-04 11:42:22.322596 IP 127.255.90.18.46800 > 127.255.90.214.51001: Flags [S], seq 3059494393, win 14600, options [mss 1460,sackOK,TS val 4294828083 ecr 0,nop,wscale 7], length 0 2017-09-04 11:42:22.755378 IP 127.255.90.18.45832 > 192.0.1.207.8081: Flags [P.], seq 1:79, ack 1, win 115, length 78 E..v0.@.@.........r......e......P..s....GET /hdr.dat HTTP/1.1 Host: 192.0.1.207:8081 Connection: close Convert pcap to txt: tcpdump -ttttnnr tcpdump.pcap > tcpdump.pcap.txt 10
  • 11. Test report total DNS sessions: 17 -------------------------------------------------------------------------------- domain name | bad responses -------------------------------------------------------------------------------- host1-lab.com. | 2 host2-lab.com. | 2 host3-lab.com. | 2 TCP sessions stats: -------------------------------------------------------------------------------- destination ip:port | times connected total (good / bad) | total length -------------------------------------------------------------------------------- 192.0.114.207:8081 | 21 (4 good / 17 bad) | 8808 127.255.90.214:51001 | 16 (0 good / 16 bad) | 0 192.0.105.184:443 | 2 (2 good / 0 bad) | 11866 192.0.112.19:8080 | 2 (1 good / 1 bad) | 408 192.0.80.137:42272 | 1 (0 good / 1 bad) | 3057 192.0.80.137:41012 | 1 (1 good / 0 bad) | 3505 UDP sessions stats: -------------------------------------------------------------------------------- destination ip:port | quantity | total length -------------------------------------------------------------------------------- 192.0.80.137:48723 | 1 | 8 192.0.80.137:40030 | 1 | 8 192.0.80.137:59320 | 1 | 8 11
  • 12. PCAP analysis with Scapy from scapy.all import * packets = rdpcap('tcpdump.pcap') for packet in packets: if TCP in packet: if Raw in packet: print('from {} to {}'.format(packet[IP].src, packet[IP].dst)) print('payload:') print('{}'.format(packet[Raw].load)) > from 127.255.210.110 to 192.0.140.246 > payload: > GET /configs/main.cfg HTTP/1.1 > Host: 192.0.140.246 > Accept: */* 12
  • 14. IPv4/IPv6 network filters (iptables) iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT Task: Test IPv4/IPv6 network filters E.g. ICMP, IPv6-ICMP, TCP (SSH), UDP (SNMP, DHCP, DHCPv6) Possible solutions: tcpdump iptables/ip6tables 14
  • 15. IPv4/IPv6 network filters (iptables) 15
  • 16. /sbin/ip6tables -x -v -n -L Chain INPUT (policy DROP 6737 packets, 1273025 bytes) pkts bytes target prot opt in out source destination 2 120 DROP tcp * * ::/0 ::/0 tcp dpt:22 /* Drop SSH */ 1 48 DROP udp * * ::/0 ::/0 udp dpt:161 /* Drop SNMP */ 2 160 DROP icmpv6 * * ::/0 ::/0 ipv6-icmptype 137 /* Drop ICMP Redirect Message */ 2 208 ACCEPT all * * ::/0 ::/0 state ESTABLISHED,RELATED 2 208 ACCEPT all lo * ::1 ::1 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 /* Echo Request */ 5342 405940 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130 /* Multicast Listener Query */ 3 216 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131 /* Multicast Listener Report */ 1 72 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132 /* Multicast Listener Done */ 14 1000 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 /* Neighbor Discovery (ND) Solicitation */ 1377 99088 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 /* Neighbor Discovery (ND) Advertisement */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 /* Inverse Neighbor Discovery Solicitation */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 /* Inverse Neighbor Discovery Advertisement */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 /* Secure ND Certificate Path Solicitation */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 /* Secure ND Certificate Path Advertisement */ 1 48 ACCEPT udp * * ::/0 ::/0 udp spt:547 dpt:546 /* Accept DHCPv6 */ Chain OUTPUT (policy ACCEPT 5419 packets, 419928 bytes) pkts bytes target prot opt in out source destination 16
  • 17. /sbin/ip6tables -x -v -n -L Chain INPUT (policy DROP 6737 packets, 1273025 bytes) pkts bytes target prot opt in out source destination 2 120 DROP tcp * * ::/0 ::/0 tcp dpt:22 /* Drop SSH */ 1 48 DROP udp * * ::/0 ::/0 udp dpt:161 /* Drop SNMP */ 2 160 DROP icmpv6 * * ::/0 ::/0 ipv6-icmptype 137 /* Drop ICMP Redirect Message */ 2 208 ACCEPT all * * ::/0 ::/0 state ESTABLISHED,RELATED 2 208 ACCEPT all lo * ::1 ::1 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 /* Echo Request */ 5342 405940 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130 /* Multicast Listener Query */ 3 216 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131 /* Multicast Listener Report */ 1 72 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132 /* Multicast Listener Done */ 14 1000 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 /* Neighbor Discovery (ND) Solicitation */ 1377 99088 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 /* Neighbor Discovery (ND) Advertisement */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 /* Inverse Neighbor Discovery Solicitation */ 1 48 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 /* Inverse Neighbor Discovery Advertisement */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 /* Secure ND Certificate Path Solicitation */ 1 57 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 /* Secure ND Certificate Path Advertisement */ 1 48 ACCEPT udp * * ::/0 ::/0 udp spt:547 dpt:546 /* Accept DHCPv6 */ Chain OUTPUT (policy ACCEPT 5419 packets, 419928 bytes) pkts bytes target prot opt in out source destination 17
  • 18. Network packets crafting socket for TCP, UDP (e.g. SNMP, DHCP) -> user permissions socket(AF_INET / AF_INET6, SOCK_STREAM) socket(AF_INET / AF_INET6, SOCK_DGRAM) raw sockets -> root permissions Python + Scapy 18
  • 19. Examples from scapy.all import * def test_tcp_dpt_22(self): # Check SSH ipv6 = IPv6(dst=self.ipv6) payload = ipv6 / TCP(dport=22) # Send packets at layer 3 and return only the first answer sr1(payload, timeout=2) Begin emission: ..Finished to send 1 packets. 19
  • 20. Examples from scapy.all import * def test_udp_dpt_161(self): # Check SNMP ipv6 = IPv6(dst=self.ipv6) payload = ipv6 / UDP(dport=161) # Send packets at layer 3 and return only the first answer sr1(payload, timeout=2) 20
  • 21. Examples from scapy.all import * def test_ipv6_icmptype_128(self): # Check ICMPv6 Echo Request payload = ICMPv6EchoRequest(type=128) ipv6 = IPv6(dst=self.ipv6) sr1(ipv6 / payload, timeout=2) 21
  • 22. Examples from scapy.all import * def test_ipv6_icmptype_130(self): # add RouterAlert option hbh = IPv6ExtHdrHopByHop(options=[RouterAlert(value=0)]) multicast = 'ff02::1' ipv6 = IPv6(dst=multicast) payload = ICMPv6MLQuery(type=130) sr1(ipv6 / hbh / payload, timeout=2) 22
  • 23. Scapy “/layers/inet6.py” #138: Do Me - RFC 2894 - Seems painful ... #143: Do Me - RFC 3810 ... #148: Do Me - SEND related - RFC 3971 #149: Do Me - SEND related - RFC 3971 ... # tous les messages MLD sont emis avec une adresse source lien-locale # -> Y veiller dans le post_build si aucune n'est specifiee # La valeur de Hop-Limit doit etre de 1 ... 23 not implemented :(
  • 24. Examples from scapy.all import * def test_ipv6_icmptype_148(self): # make ICMPv6 type 148 from ICMPv6Unknown payload = ICMPv6Unknown(type=148, msgbody='test_type_148') ipv6 = IPv6(dst=self.ipv6) sr1(ipv6 / payload, timeout=2) 24
  • 25. PCAP packets replay with Scapy from scapy.all import * packets = rdpcap("tcpdump.pcap") new_mac = 'DE:EE:11:33:33:77' new_src = '123.34.45.56' for packet in packets: packet[Ether].src = new_mac packet[IP].src = new_src send(packet) 25
  • 27. Nmap $ nmap -p- 192.168.1.93 Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-15 11:29 MSK Nmap scan report for 192.168.1.93 Host is up (0.038s latency). Not shown: 65524 closed ports PORT STATE SERVICE 22/tcp open ssh 23/tcp open telnet 111/tcp open rpcbind 135/tcp filtered msrpc 136/tcp filtered profile 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 593/tcp filtered http-rpc-epmap 9555/tcp open unknown 12345/tcp open unknown 27
  • 28. Netstat netstat -an Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 0 50500 2805/rsync tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 37787 2605/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 41189 2429/cupsd tcp6 0 0 :::25 :::* LISTEN 0 50340 - udp 0 0 0.0.0.0:68 0.0.0.0:* 0 33595 2584/dhclient 28
  • 29. Ports monitor No netstat? No problem /proc/net/udp*, /proc/net/tcp*, lsof cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 50500 1 00000000 100 0 0 10 0 1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 37787 1 00000000 100 0 0 10 0 2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 41189 1 00000000 100 0 0 10 0 sudo lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cupsd 2429 root 9u IPv4 41189 0t0 TCP localhost:ipp (LISTEN) sshd 2605 root 3u IPv4 37787 0t0 TCP *:ssh (LISTEN) rsync 2805 root 4u IPv4 50500 0t0 TCP *:rsync (LISTEN) states = { 0x01: TCP_ESTABLISHED, 0x0A: TCP_LISTEN, ... } 29
  • 30. Ports monitor import paramiko def send_command(ip, command, login, password, port=22, timeout=30): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(ip, port=port, timeout=timeout, username=login, password=password) _, stdout, _ = ssh.exec_command(command) stdout_data = stdout.read() ssh.close() return stdout_data def main(): ... output = send_command(ip, 'cd /proc/net/; cat tcp udp tcp6 udp6') ... lsof_data = get_lsof(ip) tables = map_sockets_procs(lsof_data) print(tables) 30
  • 31. Ports monitor 31 proto | reqcv-q | send-q | local ip:port | foreign ip:port | state | pid | process ------------------------------------------------------------------------------------------------------------- tcp | 0 | 0 | 127.0.0.1:37610 | 0.0.0.0:0 | LISTEN | 1071 | /bin/app tcp | 0 | 0 | 127.0.0.1:37610 | 127.0.0.1:30642 | ESTABLISHED | 1046 | /usr/bin/manager tcp | 0 | 0 | 127.0.0.1:40642 | 127.0.0.1:37610 | ESTABLISHED | 1070 | /default/applauncher udp | 0 | 0 | 0.0.0.0:40019 | 0.0.0.0:0 | | 1407 | /bin/busybox udp | 0 | 0 | 0.0.0.0:40022 | 0.0.0.0:0 | | 1407 | /bin/busybox udp | 0 | 0 | 192.168.13.23:28881 | 0.0.0.0:0 | | ??? | ??? udp | 0 | 0 | 192.168.13.23:28899 | 0.0.0.0:0 | | ??? | ??? tcp6 | 0 | 0 | [::]:31275 | [::]:0 | LISTEN | 1271 | /bin/app tcp6 | 0 | 0 | [::]:61246 | [::]:0 | LISTEN | 1270 | /default/applauncher tcp6 | 0 | 0 | [::]:41226 | [::]:0 | LISTEN | 1246 | /usr/bin/manager tcp6 | 0 | 0 | [::]:31286 | [::]:0 | LISTEN | 1287 | /usr/bin/hstool udp6 | 0 | 0 | [::]:51244 | [::]:0 | | 1270 | /default/applauncher udp6 | 0 | 0 | [::]:51238 | [::]:0 | | 1270 | /default/applauncher tcp6 | 0 | 0 | [::]:22 | [::]:0 | LISTEN | 2605 | /sbin/dropbear tcp6 | 0 | 0 | 0.0.0.0:23 | 0.0.0.0:0 | LISTEN | 2789 | /bin/busybox tcp | 0 | 0 | 0.0.0.0:111 | 0.0.0.0:0 | LISTEN | 767 | /bin/portmap tcp | 0 | 0 | 0.0.0.0:873 | 0.0.0.0:0 | LISTEN | 2805 | /bin/rsync
  • 34. lsof - list open files $ sudo lsof -n COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 0,70 176 258 / init 1 root rtd DIR 0,70 176 258 / init 1 root txt REG 0,70 163096 215892 /sbin/init init 1 root mem REG 0,42 215892 /sbin/init (path dev=0,70) .... init 1 root 2u CHR 1,3 0t0 6 /dev/null init 1 root 3r FIFO 0,10 0t0 34066 pipe init 1 root 4w FIFO 0,10 0t0 34066 pipe init 1 root 5r 0000 0,11 0 7041 anon_inode init 1 root 7u unix 0x0000000000000000 0t0 34067 socket init 1 root 8u unix 0x0000000000000000 0t0 34270 socket init 1 root 11w REG 0,70 95 4137723 /var/log/upstart/acpid.log.1 ... sshd 2963 root 3u IPv4 93504 0t0 TCP *:ssh (LISTEN) ... lsof 9128 d 7w FIFO 0,10 0t0 173854523 pipe 34
  • 35. List open files # ls -l /proc/2963/exe lrwxrwxrwx 1 root root 0 Dec 18 15:52 /proc/2963/exe -> /usr/sbin/sshd # ls -l /proc/2963/fd/ total 0 dr-x------ 2 root root 0 Dec 18 15:52 . dr-xr-xr-x 9 root root 0 Dec 12 17:55 .. lrwx------ 1 root root 64 Dec 18 15:54 0 -> /dev/null lrwx------ 1 root root 64 Dec 18 15:54 1 -> /dev/null lrwx------ 1 root root 64 Dec 18 15:54 2 -> socket:[93504] # cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 72565 1 0 100 0 0 10 0 1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 93504 1 0 100 0 0 10 0 ... 35 No lsof? No problem :)