diff --git a/3.06/scapy_reader.py b/3.06/scapy_reader.py
new file mode 100644
index 0000000..57608a9
--- /dev/null
+++ b/3.06/scapy_reader.py
@@ -0,0 +1,19 @@
+#!/opt/pwn.college/python
+
+from scapy.utils import rdpcap
+from scapy.packet import Raw
+
+pcap_path = "/home/hacker/my_pcaps/3.06.pcap"
+pcap_file = rdpcap(pcap_path)
+
+result = ""
+alternate=True
+for pkt in pcap_file:
+    try:
+        if alternate:
+            result += pkt[Raw].load.decode()
+        alternate = not alternate
+    except:
+        pass
+
+print(result)
\ No newline at end of file
diff --git a/3.08/scapy_ether.py b/3.08/scapy_ether.py
new file mode 100644
index 0000000..1ff480b
--- /dev/null
+++ b/3.08/scapy_ether.py
@@ -0,0 +1,6 @@
+from scapy.all import *
+
+l2=Ether(src='a6:cb:ec:88:05:5e', dst='cc:cc:cc:cc:cc:cc', type=0xFFFF)
+pkt=l2
+
+ans, unans=srp(pkt, iface='eth0')
diff --git a/3.09/scapy_ip.py b/3.09/scapy_ip.py
new file mode 100644
index 0000000..1228138
--- /dev/null
+++ b/3.09/scapy_ip.py
@@ -0,0 +1,7 @@
+from scapy.all import *
+
+l2=Ether(src='86:22:3f:d1:20:b5', dst='cc:cc:cc:cc:cc:cc')
+l3=IP(src='10.0.0.2', dst='10.0.0.3', proto=0xFF)
+pkt=l2/l3
+
+ans, unans=srp(pkt, iface='eth0')
diff --git a/3.11/scapy_tcp_handshake.py b/3.11/scapy_tcp_handshake.py
new file mode 100644
index 0000000..30924d8
--- /dev/null
+++ b/3.11/scapy_tcp_handshake.py
@@ -0,0 +1,15 @@
+from scapy.all import *
+
+l2=Ether(src='96:e4:fb:1b:7b:fd', dst='cc:cc:cc:cc:cc:cc')
+l3=IP(src='10.0.0.2', dst='10.0.0.3')
+
+syn_l4=TCP(sport=31337, dport=31337, seq=31337, ack=31337, flags=0x02)
+syn_pkt=l2/l3/syn_l4
+
+ans,unans=srp(syn_pkt, iface='eth0')
+print(ans[0].answer[TCP])
+
+ack_l4=TCP(sport=31337, dport=31337, seq=31338, ack=ans[0].answer[TCP].seq + 1, flags=0x10)
+ack_pkt=l2/l3/ack_l4
+
+ans,unans=srp(ack_pkt, iface='eth0')
diff --git a/Dojo Notes.md b/Dojo Notes.md
index 459735c..b2cb2f2 100644
--- a/Dojo Notes.md
+++ b/Dojo Notes.md
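Review bot: The `alternate` toggle in scapy_reader.py assumes the duplicates it skips arrive in strict pairs, and any packet whose `pkt[Raw]` lookup or `.decode()` raises is swallowed by the bare `except: pass` without flipping the flag, so a single payload-less or non-UTF-8 segment shifts the parity and every character after it comes from the wrong half (the notes in the same commit say the result came out wrong). Deduplicating on the sender and TCP sequence number is order-independent and also discards retransmissions, which may well be what the "alternating duplicates" are; an explicit `if Raw not in pkt` test then makes the bare `except` unnecessary. This needs `from scapy.layers.inet import IP, TCP` next to the existing imports.
```python
# … unchanged: shebang, imports, rdpcap(pcap_path) …
seen = set()
chunks = []
for pkt in pcap_file:
    if TCP not in pkt or Raw not in pkt:
        continue
    key = (pkt[IP].src, pkt[TCP].seq)  # one entry per distinct segment, whatever order the capture has
    if key in seen:
        continue
    seen.add(key)
    chunks.append(pkt[Raw].load.decode(errors="replace"))  # surface bad bytes instead of dropping the packet

print("".join(chunks))
```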
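Review bot: The source MAC in scapy_ether.py is a hard-coded literal, so the script silently sends with a stale address as soon as the interface's MAC changes, which is the failure the accompanying notes describe (a wrong `src` sent the frames via `lo`); reading it from the interface with `l2=Ether(src=get_if_hwaddr('eth0'), dst='cc:cc:cc:cc:cc:cc', type=0xFFFF)` removes that trap. `srp` is also called without `timeout=`, so the script blocks forever when nothing answers; `ans, unans=srp(pkt, iface='eth0', timeout=2)` returns control and leaves the frame in `unans`. The wildcard `from scapy.all import *` is conventional for scapy one-offs but hides where `Ether` and `srp` come from; `from scapy.all import Ether, srp, get_if_hwaddr` is just as short.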
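Review bot: scapy_ip.py hard-codes both the source MAC and the source IP, and the notes for this step say the IP was assigned by hand with `ifconfig eth0 10.0.0.2`, so the two can drift apart without any error; `Ether(src=get_if_hwaddr('eth0'), ...)` and `IP(src=get_if_addr('eth0'), ...)` keep the packet consistent with whatever is actually configured. As in 3.08, `srp` has no `timeout=`, so an unanswered probe hangs the script; `srp(pkt, iface='eth0', timeout=2)` is the usual form.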
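Review bot: scapy_tcp_handshake.py indexes `ans[0]` without checking that anything came back, and it treats whatever arrived as a SYN-ACK: if the peer answers with a RST (or the first `srp` simply times out once a `timeout=` is added), the script either raises IndexError or ACKs a reset with a bogus number. The final `srp(ack_pkt, ...)` also waits for a reply to a bare ACK, which normally never comes, so with no timeout it hangs; `sendp` is the right call for a fire-and-forget segment. One caveat worth a comment in the file: because the kernel's own TCP stack never opened this connection, it will presumably answer the peer's SYN-ACK with a RST of its own unless outbound RSTs for port 31337 are dropped (e.g. an iptables OUTPUT rule), which is likely why the challenge needed the crafted ACK to go out quickly.
```python
# … unchanged: l2, l3, syn_l4, syn_pkt …
ans, unans = srp(syn_pkt, iface='eth0', timeout=2)
if not ans:
    raise SystemExit("no reply to SYN")
synack = ans[0].answer[TCP]
if (synack.flags & 0x12) != 0x12:  # not SYN+ACK (e.g. RST): do not ACK it
    raise SystemExit(f"unexpected reply flags: {synack.flags!r}")
print(synack)

ack_l4 = TCP(sport=31337, dport=31337, seq=31338, ack=synack.seq + 1, flags=0x10)
ack_pkt = l2/l3/ack_l4
sendp(ack_pkt, iface='eth0')  # a bare ACK gets no reply; srp would wait for one
```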
@@ -140,3 +140,89 @@ int M[12][12]={
 - goal is row 2, column 12 (x=0xb, y=1)
 - ssssdsssddsssdddwwwddwwwwdwwd
 - lol
+
+## Project 03 Hacking Network Highways
+
+### .01 - netcat
+
+```bash
+nc 10.0.0.3 31337
+```
+
+### .02 - netcat listener
+
+```bash
+nc -l 31337
+```
+
+### .03 - nmap and netcat
+
+```bash
+nmap 10.0.0.0-255 # found in .142
+nc 10.0.0.142 31337
+```
+
+### .04 - nmap in parallel and netcat
+
+- `-sn` for ARP ping scan - no ports just discover host
+- `--min-parallelism 10` for at least 10 probes at a time
+- consider using `-T4` or `-T5` timing templates
+- checked
+ - `10.0.0.0/19` - only us at .2
+ - `10.0.32.0/19` - nothing
+ - `10.0.64.0/19` - 10.0.90.244 and port is 31337 as expected. stopped here
+
+### .05 - tcpdump
+
+- `tcpdump -A 'tcp port 31337'`
+ - `-A` to print content as ASCII
+
+### .06 - tcpdump and flow
+
+- inspecting the /challenge/run python script, we see that it's sending one character at a time, after encoding them
+- `tcpdump -s 65535 -nntA 'tcp port 31337' -w /home/hacker/my_pcaps/3.06.pcap`
+ - `-s` to grab full packet (?)
+ - `-nn` to avoid resolution of hostnames or port numbers
+ - `-t` to exclude timestamp
+ - `-A` to print content as parsable ASCII. important!!!
+- then we use scapy to read the packets, skip alternating duplicates, decode, and form a single string
+- ehh i messed up something but whatever
+
+### .07 - mimic and listen
+
+- `ip addr add 10.0.0.2 dev eth0` assign the address to us, fake
+- `nc -l 10.0.0.2 31337`
+
+### .08 - ether scapy
+
+- jfc
+- ALWAYS be explicit and define the src addresses
+- didn't define the src MAC addr, so packets kept going thru `lo` instead of `eth0`
+- too stupid to realize it in time too
+- anyway, get current MAC addr of `eth0`
+- craft Ether packet to given dest addr with type `0xFFFF`
+- `srp(pkt, iface='eth0')`
+
+### .09 - IP scapy
+
+- similar
+- set IP addr with `ifconfig eth0 10.0.0.2`
+- add l3 with src and dest IP addr, `proto=0xFF`
+- since we need MAC as well, use `srp`, not `sr`
+
+### .10 - TCP scapy
+
+- similar
+- again, set IP addr
+- add l4 with src and dest TCP port, `flags=0x1F` to set ACK (0x10), PSH (0x08), RST (0x04), SYN (0x02), FIN (0x01) flags
+- `srp` again
+
+### .11 - TCP handshake
+
+- send SYN with specified seq and ack numbers - 31337 both
+- get SYNACK
+ - has ack of 31338, which will be our next syn
+ - has random syn, add 1 to get next ack
+- send ACK with next syn and ack numbers
+
+### .12 - ARP scapy