Re: Inverse Mapping Layout Through Scapy

From: Cedric Blancher (blancher@cartel-securite.fr)
Date: Thu Mar 01 2007 - 06:37:33 EST


On Tuesday, 27 February 2007 at 04:23 +0530, Aditya Sood wrote:
> Want to know your views about inverse mapping with
> padding through Scapy. I have recently put up a blog entry:
> http://zeroknock.blogspot.com/2007/02/inverse-mapping-via-packet-crafting.html
> Throw more views on this aspect.

Can you please be more specific about what you mean by "inverse
mapping"? I'm not familiar with this, and thus I don't get what you're
trying to show by adding/removing *raw data* to your TCP RST...

Especially, what do you mean by "there's a skip in packet from the other
side"? Is it related to the one out of two "blank lines", which is in
fact written in black (marked with <- below) and is thus invisible on
your black background?

>>> srloop(IP(dst="www.google.com", ttl=64)/TCP(dport=80,
flags="R")/"XXXXXXXX")
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
send...
Sent 9 packets, received 0 packets. 0.0% hits.
(<Results: UDP:0 TCP:0 ICMP:0 Other:0>, <PacketList: UDP:0 TCP:9 ICMP:0
Other:0>)

If so, you should switch to Bob Marley display:

>>> conf.color_theme=RastaTheme()

Then try again :)

Note that IP()/TCP()/"XXXXXXXXX" adds "XXXXXXXXX" as raw TCP data. If
you want to add padding, then you have to use the Padding method:

        IP()/TCP()/Padding("XXXXXXXXX")

Then you'll get something slightly different:

>>> srloop(IP(dst="www.google.com", ttl=64)/TCP(dport=80,
flags="R")/Padding("XXXXXXXXXX"))
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
send...
Sent 8 packets, received 0 packets. 0.0% hits.
(<Results: UDP:0 TCP:0 ICMP:0 Other:0>, <PacketList: UDP:0 TCP:8 ICMP:0
Other:0>)

BTW, Scapy is indeed a wonderful tool.

Regards.

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Cansecwest/core07 *WiFi (in)Security* Security Masters Dojo, Vancouver
http://cansecwest.com/dojowifi.html (Scapy WiFi programming included ;)
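To make the Raw/Padding distinction above concrete, here is an added example that is not from this thread or from Scapy itself: it builds the same TCP RST by hand in plain Python (no Scapy needed), once with the bytes as TCP data and once as a trailer after the datagram, then parses both the way a receiver or IDS would. The endpoints come from the thread's output; every other value (IP id, window, the zeroed TCP checksum) is constructed for the example.

```python
import socket
import struct

# Constructed sample traffic: the endpoints below are the ones shown in the
# thread's Scapy output; every other header value is made up for this example.
SRC, DST, SPORT, DPORT = "172.16.134.22", "216.239.59.147", 20, 80

def checksum(data):
    """RFC 1071 ones-complement sum, used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, total_len, proto=6, ttl=64):
    """20-byte IPv4 header; 'total_len' is what a receiver trusts to find the end."""
    fields = [0x45, 0, total_len, 1, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def tcp_rst_header(sport, dport, seq=0):
    """20-byte TCP header with only RST set (checksum left 0 to keep this short)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 8192, 0, 0)

def build_rst(data=b"", padding=b""):
    """Scapy's IP()/TCP()/"X..." puts the bytes inside the TCP segment, so the IP
    total length covers them; IP()/TCP()/Padding("X...") appends them after the
    datagram, outside the total length, like an Ethernet trailer."""
    tcp = tcp_rst_header(SPORT, DPORT) + data
    return ipv4_header(SRC, DST, 20 + len(tcp)) + tcp + padding

def split_datagram(frame):
    """What a parser or IDS sees: the datagram per the IP length field, and any trailer."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    datagram, trailer = frame[:total_len], frame[total_len:]
    return {"ip_len": total_len, "tcp_payload": datagram[ihl + 20:], "trailer": trailer}

if __name__ == "__main__":
    for label, frame in (("Raw", build_rst(data=b"X" * 8)),
                         ("Padding", build_rst(padding=b"X" * 10))):
        print(label, split_datagram(frame))
```

The Raw form grows the IP total length and would be covered by the TCP checksum; the Padding form leaves the datagram untouched and only adds bytes that a capture tool reports as a trailer.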

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:37 EDT