some project 3

3.06/scapy_reader.py

@@ -0,0 +1,19 @@
+#!/opt/pwn.college/python
+
+from scapy.utils import rdpcap
+from scapy.packet import Raw
+
+pcap_path = "/home/hacker/my_pcaps/3.06.pcap"
+pcap_file = rdpcap(pcap_path)
+
+result = ""
+alternate=True
+for pkt in pcap_file:
+	try:
+		if alternate:
+			result += pkt[Raw].load.decode()
+		alternate = not alternate
+	except:
+		pass
+
+print(result)

3.08/scapy_ether.py

@@ -0,0 +1,6 @@
+from scapy.all import *
+
+l2=Ether(src='a6:cb:ec:88:05:5e', dst='cc:cc:cc:cc:cc:cc', type=0xFFFF)
+pkt=l2
+
+ans, unans=srp(pkt, iface='eth0')

3.09/scapy_ip.py

@@ -0,0 +1,7 @@
+from scapy.all import *
+
+l2=Ether(src='86:22:3f:d1:20:b5', dst='cc:cc:cc:cc:cc:cc')
+l3=IP(src='10.0.0.2', dst='10.0.0.3', proto=0xFF)
+pkt=l2/l3
+
+ans, unans=srp(pkt, iface='eth0')

3.11/scapy_tcp_handshake.py

@@ -0,0 +1,15 @@
+from scapy.all import *
+
+l2=Ether(src='96:e4:fb:1b:7b:fd', dst='cc:cc:cc:cc:cc:cc')
+l3=IP(src='10.0.0.2', dst='10.0.0.3')
+
+syn_l4=TCP(sport=31337, dport=31337, seq=31337, ack=31337, flags=0x02)
+syn_pkt=l2/l3/syn_l4
+
+ans,unans=srp(syn_pkt, iface='eth0')
+print(ans[0].answer[TCP])
+
+ack_l4=TCP(sport=31337, dport=31337, seq=31338, ack=ans[0].answer[TCP].seq + 1, flags=0x10)
+ack_pkt=l2/l3/ack_l4
+
+ans,unans=srp(ack_pkt, iface='eth0')

Dojo Notes.md

@@ -140,3 +140,89 @@ int M[12][12]={
 - goal is row 2, column 12 (x=0xb, y=1)
 - ssssdsssddsssdddwwwddwwwwdwwd
 - lol
+
+## Project 03 Hacking Network Highways
+
+### .01 - netcat
+
+```bash
+nc 10.0.0.3 31337
+```
+
+### .02 - netcat listener
+
+```bash
+nc -l 31337
+```
+
+### .03 - nmap and netcat
+
+```bash
+nmap 10.0.0.0-255 # found in .142
+nc 10.0.0.142 31337
+```
+
+### .04 - nmap in parallel and netcat
+
+- `-sn` for ARP ping scan - no ports just discover host
+- `--min-parallelism 10` for at least 10 probes at a time
+- consider using `-T4` or `-T5` timing templates
+- checked
+  - `10.0.0.0/19` - only us at .2
+  - `10.0.32.0/19` - nothing
+  - `10.0.64.0/19` - 10.0.90.244 and port is 31337 as expected. stopped here
+
+### .05 - tcpdump
+
+- `tcpdump -A 'tcp port 31337'`
+  - `-A` to print content as ASCII
+
+### .06 - tcpdump and flow
+
+- inspecting the /challenge/run python script, we see that it's sending one character at a time, after encoding them
+- `tcpdump -s 65535 -nntA 'tcp port 31337' -w /home/hacker/my_pcaps/3.06.pcap`
+  - `-s` to grab full packet (?)
+  - `-nn` to avoid resolution of hostnames or port numbers
+  - `-t` to exclude timestamp
+  - `-A` to print content as parsable ASCII. important!!!
+- then we use scapy to read the packets, skip alternating duplicates, decode, and form a single string
+- ehh i messed up something but whatever
+
+### .07 - mimic and listen
+
+- `ip addr add 10.0.0.2 dev eth0` assign the address to us, fake
+- `nc -l 10.0.0.2 31337`
+
+### .08 - ether scapy
+
+- jfc
+- ALWAYS be explicit and define the src addresses
+- didn't define the src MAC addr, so packets kept going thru `lo` instead of `eth0`
+- too stupid to realize it in time too
+- anyway, get current MAC addr of `eth0`
+- craft Ether packet to given dest addr with type `0xFFFF`
+- `srp(pkt, iface='eth0')`
+
+### .09 - IP scapy
+
+- similar
+- set IP addr with `ifconfig eth0 10.0.0.2`
+- add l3 with src and dest IP addr, `proto=0xFF`
+- since we need MAC as well, use `srp`, not `sr`
+
+### .10 - TCP scapy
+
+- similar
+- again, set IP addr
+- add l4 with src and dest TCP port, `flags=0x1F` to set ACK (0x10), PSH (0x08), RST (0x04), SYN (0x02), FIN (0x01) flags
+- `srp` again
+
+### .11 - TCP handshake
+
+- send SYN with specified seq and ack numbers - 31337 both
+- get SYNACK
+  - has ack of 31338, which will be our next syn
+  - has random syn, add 1 to get next ack
+- send ACK with next syn and ack numbers
+
+### .12 - ARP scapy