Something about Python and network analysis

In these series of posts we will see how to build some necessary tools from scratch to perform our tasks. Today we focus our attention on network, we are going to build a sniffer and a relative simple parser. Why don’t I use the well-known tcpdump? Wireshark? Tshark? First of all it’s more satisfactory to code your own tool, second it’s a good practice to develop a problem solving attitude and improve our knowledge, and finally it’s so cool to code in Python! 😉
The holy Python helps us, some smart guys of the famous security agency Core Security have coded two modules Pcapy and Impacket. The first one is an interface with the well known libpcap packet capture library, while the second one is a power module to craft and decode packets.

In this post we will see some parts of two scripts, the first yas.py will sniff and save the traffic in a .pcap file, the second, pcapino.py will parse the previous file looking for UDP and TCP connections, in particular the script will show us the following information: the type of layer 4 used (TCP or UDP), the source ip and source port, the destination ip and the destination port, the sequential number, the window size and GET request if they are present. We need this information in order to figure out what a program, maybe potentially dangerous does, in this  demonstrative scripts I’ll pay attention on GET request and DNS activity ( most common activities to droppers and/or dnschangers :)).

The first thing to do is to code the sniffer that dumps all traffic in a .pcap file, let’s see some snippets:

#
# Yet Another Sniffer - 5D4A LAB - emdel
# Contact: "echo "emfuckspammer87@gmail.com" | sed s/fuckspammer/del/ "
# To stop it use ctrl-c ^_* Have fun!
#

import pcapy, sys
from pcapy import findalldevs, open_live
from impacket.ImpactDecoder import EthDecoder

Here we observe clearly the necessary import, in particular pcapy and impacket.
Now let’s see the part that realizes the dump:

class Handling:

    def __init__( self, pcapObj, decoder, dmp ):
        self.d = pcapObj
        self.dec = decoder
        self.dumper = dmp

    def PktHandler( self, hdr, data ):
        self.dumper.dump( hdr, data )

Here we notice how, once we have sniffed the packet, how to dump it on the .pcap file.
Now we must code our parser focusing on tcp and udp, let’s observe the some snippets from the parser:

# pcapino - 5D4A LAB - emdel
# Description: It is a simple pcap file parser
# Author: emdel - 5D4A LAB - "echo "emfuckspammer87@gmail.com" | sed s/fuckspammer/del/ "
# TODO: - Follow TCP sessions - Parse L7 - More support to L2
# Have fun!

import pcapy, sys, string
from pcapy import open_offline
from impacket.ImpactDecoder import EthDecoder

Again the same import except for open_offline, logically we open the file .pcap and so we are not in an online scenario 🙂

class Handling:

    def __init__( self, pcapObj, decoder ):
        self.d = pcapObj
        self.dec = decoder

    def PktHandler( self, hdr, data ):

        pkt = self.dec.decode( data )
        ip = pkt.child( )

        if ip.get_ip_p( ) == 17:
            udp = ip.child( )
            print "| %s\t| %s:%d \t| %s:%d \t| %c\t\t |\t%c\t | %s" % ( "UDP", ip.get_ip_src(), udp.get_uh_sport( ), ip.get_ip_dst(),udp.get_uh_dport( ), "/", "/", "/" )
....

Here we see how we handle an UDP packet and how we can print it on the stdout, first we check the protocol field on the IP header to see if it is TCP or UDP and then we manage it properly.
Now it’s time to launch these scripts and check if they run properly ;):


[root@zangetsu lab (22:56)]# python yas.py post.pcap

** Yet Another Sniffer - 5D4A LAB **

:: Interfaces:
 |__ eth0
 |__ bluetooth0
 |__ lo
:: Datalink: DLT_EN10MB
:: Sniffing on eth0 - network: xxx.xxx.xxx.0 - mask: 255.255.255.0

:: Packets:

Exiting...

Let’s see what we have sniffed:


** pcapino - 5D4A LAB **

:: Pcap filter: tcp or udp
:: Parsing post.pcap
:: Traffic sniffed on DLT_EN10MB

:: Parsing...

------------------------------------------------------------------------------------------------------------------------------------
| TYPE  |       FROM            |       TO              |       SEQ      |      WIN      |      GET
------------------------------------------------------------------------------------------------------------------------------------
| TCP   | xxx.xxx.xxx.xxx:45235   | 64.4.34.150:1863      | 3771785275     |      1002     |
| TCP   | xxx.xxx.xxx.xxx:45235   | 64.4.34.150:1863      | 3771785280     |      1002     |
| UDP   | xxx.xxx.xxx.xxx:53401   | 208.67.222.222:53     | /              |      /        | /
| UDP   | xxx.xxx.xxx.xxx.:53401   | 208.67.222.222:53     | /              |      /       | /
| UDP   | 208.67.222.222:53     | xxx.xxx.xxx.xxx:53401   | /              |      /        | /
| TCP   | xxx.xxx.xxx.xxx:56529   | 200.123.107.174:80    | 2985889925     |      92       |
| TCP   | xxx.xxx.xxx.xxx:56529   | 200.123.107.174:80    | 2985889925     |      92       | GET /project/impacket.html HTTP/1.1
| TCP   | 200.123.107.174:80    | xxx.xxx.xxx.xxx:56529   | 3980002124     |      17160    |
| TCP   | xxx.xxx.xxx.xxx:56529   | 200.123.107.174:80    | 2985890508     |      108      |
| TCP   | xxx.xxx.xxx.xxx:56529   | 200.123.107.174:80    | 2985890508     |      108      | GET /images/style.css HTTP/1.1

...............

As we can see we obtain what we have designed, I’m sorry for this poor layout but this is what wordpress.com offers me, and we have a better idea of what is the activity in our network or in an analysis scenario and maybe we understand what the program tries to do. These two scripts can be easily modified to perform other interesting tasks, e.g see the comments at the beginning of pcapino, we could follow the tcp streams, parse in a better way the protocols at layer 7 of ISO/OSI model, in particular to a hypothetical malware analysis HTTP and IRC, or monitor a worm in its efforts to infect other hosts.

Happy hacking

Regards,

emdel

Advertisements

2 thoughts on “Something about Python and network analysis

  1. Nice post. I was checking continuously this blog and I am impressed! Very helpful info specifically the last part 🙂 I care for such info much. I was looking for this certain information for a very long time. Thank you and best of luck.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s