
I don't know if this is possible but I am wondering?

I am doing some internal pentesting and using Scapy and Netcat, and I created a TCP packet with the payload "testing". I want to get the payload content piped into Netcat's listening port, using this example code:

# Scapy's layer classes and send() must be imported first
from scapy.all import IP, TCP, send

# TCP() with no flags given builds a SYN segment; the payload rides in it
test = IP(src="192.168.4.134")/TCP(dport=1234)/"testing"
send(test)

but all that ever prints is:

.
Sent 1 packets

Which is what Scapy spits out after it's sent the packet. I've been trying to figure out what I need to use in my code to show this. I know Netcat uses stdin and stdout, but I don't properly know how to code in Python yet, I'm just practising!

Can anyone help? Regards,

Mehcs85
  • Run `nc -l -p 1234` on the dst machine... Which doesn't look like you've set in your Scapy IP object. – tMC Aug 21 '12 at 20:59
  • Hi mate, I should have said I have run nc -l -p 1234 on the dst machine. You can't set the destination port in the IP header (object), only in the TCP/UDP layer – Mehcs85 Aug 21 '12 at 21:02
  • you set the dst machine (ip) address in the IP layer. `dst=123.123.123.123` – tMC Aug 21 '12 at 21:02
  • Bah! Jeez yeah I know what you mean now. Anyway I did change it, but no response from Netcat at all. TCPDUMP did display information though. Hmmm – Mehcs85 Aug 21 '12 at 21:26
  • iptables? libpcap will see data even if dropped by a kernel traffic filter. – tMC Aug 22 '12 at 04:37

1 Answer


TCP is session based. Machines that want to communicate must first synchronize (set up a session) with one another.

This process is what's called a 3-way handshake, using the steps SYN, SYN-ACK, ACK.

1.) Machine A ====SYN====> Machine B (Machine A, running scapy, tries to sync with B, running netcat)
2.) Machine B ==SYN-ACK==> Machine A (Machine B ACKs and SYNs with Machine A)
3.) Machine A ====ACK====> Machine B (Machine A ACKs the SYN-ACK from Machine B)

The machines now have a session (connection) and can send data to one another.

Running netcat on a listening machine and trying to send it a single packet from scapy fails because your machine (A) fails to sync with machine (B) running netcat.

IP 10.22.4.45.20 > 10.1.2.3:1234: Flags [S], seq 0:7, win 8192, length 7
IP 10.1.2.3:1234 > 10.22.4.45:20: Flags [S.], seq 2668993358, ack 1, win 14600, options [mss 1460], length 0
IP 10.22.4.45:20 > 10.1.2.3:1234: Flags [R], seq 1, win 0, length 0

As you can see, machine B (netcat) tries to SYN-ACK with your machine, but since you just sent it a single packet and aren't listening for the returning SYN-ACK, your machine generates a RST (Reset) and the attempted connection is shut down before the 3-way handshake was completed.

There are two options. Either use UDP which is connectionless and doesn't require this connection setup, or do a complete TCP handshake. Scapy has a few ways to help you manage the TCP session creation should you choose the latter: http://trac.secdev.org/scapy/wiki/TCP

tMC
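As an added illustration of the answer above (this is not code from the question, the answer, or the Scapy project), the following Python models the netcat side of the exchange as a tiny listening-socket state machine, replays both the question's lone SYN-with-data and a proper SYN / SYN-ACK / ACK / PSH-ACK sequence against it, and then shows the same three steps done on the wire with Scapy. The `Listener` model, its `Seg` type, the source port 40000 and the client ISNs are constructed for this example; the live `scapy_send_with_handshake` function assumes Scapy is installed, that it runs as root, that the peer is running `nc -l -p 1234`, and that the local kernel's own RST reply to the unexpected SYN-ACK has been suppressed (for instance with an iptables OUTPUT rule dropping RST segments from that source port), since otherwise the capture in the answer repeats itself.

```python
"""Model of a TCP listener plus a Scapy sender that completes the handshake.

Added example; the Listener/Seg model and all numbers below are constructed.
"""
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Seg:
    """Just the header fields that matter for sequencing (Scapy-style flag letters)."""
    flags: str
    seq: int
    ack: int = 0
    payload: bytes = b""


@dataclass
class Listener:
    """Minimal listening socket: LISTEN -> SYN_RECEIVED -> ESTABLISHED."""
    isn: int                  # server's initial sequence number
    state: str = "LISTEN"
    rcv_nxt: int = 0          # next sequence number expected from the peer
    delivered: bytes = b""    # bytes the application (netcat) would read

    def handle(self, seg: Seg):
        """Consume one segment, update state, return the reply segment or None."""
        if "R" in seg.flags:              # peer reset: connection is gone
            self.state = "LISTEN"
            return None
        if self.state == "LISTEN":
            if "S" not in seg.flags:      # data with no connection: reset it
                return Seg("R", seg.ack)
            # the SYN consumes one sequence number; any data carried in it is
            # held back and never reaches the application unless ESTABLISHED
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.state = "SYN_RECEIVED"
            return Seg("SA", self.isn, self.rcv_nxt)
        if self.state == "SYN_RECEIVED":
            if "A" not in seg.flags or seg.ack != (self.isn + 1) & MASK:
                return Seg("R", seg.ack)
            self.state = "ESTABLISHED"    # handshake done; fall through to data
        if seg.seq != self.rcv_nxt:       # out of order: re-acknowledge what we have
            return Seg("A", (self.isn + 1) & MASK, self.rcv_nxt)
        self.delivered += seg.payload
        self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) & MASK
        if seg.payload:
            return Seg("A", (self.isn + 1) & MASK, self.rcv_nxt)
        return None


def lone_syn_with_data(client_isn=0, server_isn=2668993358, payload=b"testing"):
    """The question's send(): one SYN carrying data, after which the sender's
    kernel (which has no socket for the SYN-ACK) answers with a RST.
    Returns (listener state, bytes netcat received)."""
    nc = Listener(isn=server_isn)
    synack = nc.handle(Seg("S", client_isn, 0, payload))
    nc.handle(Seg("R", synack.ack))       # the RST seen on the answer's third capture line
    return nc.state, nc.delivered


def full_handshake_then_data(client_isn=1000, server_isn=2668993358, payload=b"testing"):
    """SYN, SYN-ACK, ACK, then a PSH/ACK with the payload.
    Returns (listener state, bytes netcat received, ack number of the server's reply)."""
    nc = Listener(isn=server_isn)
    synack = nc.handle(Seg("S", client_isn))
    nc.handle(Seg("A", client_isn + 1, synack.seq + 1))
    reply = nc.handle(Seg("PA", client_isn + 1, synack.seq + 1, payload))
    return nc.state, nc.delivered, reply.ack


def scapy_send_with_handshake(dst, dport=1234, sport=40000, payload=b"testing"):
    """The same three steps on the wire (root and RST suppression assumed)."""
    from scapy.all import IP, TCP, sr1, send  # imported lazily so the model runs without Scapy
    isn = random.randrange(0, 2 ** 32)
    ip = IP(dst=dst)
    synack = sr1(ip / TCP(sport=sport, dport=dport, flags="S", seq=isn), timeout=2)
    if synack is None or str(synack[TCP].flags) != "SA":
        return False                      # no SYN-ACK: nothing to complete
    my_seq, their_next = (isn + 1) & MASK, (synack[TCP].seq + 1) & MASK
    send(ip / TCP(sport=sport, dport=dport, flags="A", seq=my_seq, ack=their_next))
    send(ip / TCP(sport=sport, dport=dport, flags="PA", seq=my_seq, ack=their_next) / payload)
    return True


if __name__ == "__main__":
    print("lone SYN with data:", lone_syn_with_data())          # ('LISTEN', b'')
    print("full handshake:", full_handshake_then_data())        # ('ESTABLISHED', b'testing', 1008)
```

The model is the point: the same seven payload bytes are on the wire in both runs, but only the handshake run leaves the listener in ESTABLISHED with the data delivered to netcat, and the server's ACK number (client ISN + 1 for the SYN + 7 for the payload) is exactly what the Scapy sender would have to track if it went on to send more.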