"Shroud.py" My pet project that will use missinformation

Discuss how to write good code, break bad code, your current pet projects, or the best way to approach novel problems

"Shroud.py" My pet project that will use missinformation

Post by MRFREE on Sat Nov 09, 2013 12:24 am

So I have been playing with a script in Python to better understand networking. So far my script works just like Wireshark; I am using pcap and dpkt to filter traffic so I can view it in real time, which, if I might say so, is very cool. (Learned a lot.)

The reason I post this thread is because I have looked around the world and asked 'professionals' to no satisfaction. I am trying to filter incoming port scans so I can then reply back and make it look like the port is open (when it's not).
MRFREE
New User
Posts: 17
Joined: Fri Jun 08, 2012 3:09 am


Re: "Shroud.py" My pet project that will use missinformation

Post by Amazingred on Sat Nov 09, 2013 2:51 am

In terms of TCP/UDP, having a port in a CLOSED status will make an outside system reply back that nothing is there, meaning the port will not pass data or send messages, so unless I'm missing something I don't think what you're wanting would be possible. What exactly is the benefit you're trying to get out of spoofing/opening a closed port anyway, just out of curiosity?
There are 10 types of people in the world. Those who understand binary and those who don't.
Amazingred
Experienced User
Posts: 73
Joined: Wed Jul 25, 2012 7:10 pm
Location: Wayyyyyy out there


Re: Coffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Post by WallShadow on Sat Nov 09, 2013 3:15 am

It would be as simple as listening for traffic and sending packets spoofed to look like they came from the IP and port that you are trying to mimic, no?
WallShadow
Contributor
Posts: 594
Joined: Tue Mar 06, 2012 9:37 pm


Re: "Shroud.py" My pet project that will use missinformation

Post by MRFREE on Sat Nov 09, 2013 10:14 pm

Amazingred wrote: In terms of TCP/UDP, having a port in a CLOSED status will make an outside system reply back that nothing is there, meaning the port will not pass data or send messages, so unless I'm missing something I don't think what you're wanting would be possible. What exactly is the benefit you're trying to get out of spoofing/opening a closed port anyway, just out of curiosity?

The reason I post this thread is because I have looked around the world and asked 'professionals' to no satisfaction. I am trying to filter incoming port scans so I can then reply back and make it look like the port is open (when it's not).


I am interested in offensive IDS; this is just a little pet project to help me understand encapsulation/decapsulation, honeypots, intrusion detection, etc.

-- Sat Nov 09, 2013 10:40 pm --

WallShadow wrote: It would be as simple as listening for traffic and sending packets spoofed to look like they came from the IP and port that you are trying to mimic, no?



Thanks for your response.

That's what I was thinking, but how do I approach that as an algorithm?

This is the code I have.

import pcap, dpkt
import socket

def Capture():
    dev = pcap.lookupdev()
    for ts, pkt in pcap.pcap(name=dev, snaplen=65535, promisc=True, immediate=False):
        eth = dpkt.ethernet.Ethernet(pkt)
        if eth.type != 2048:  # 2048 (0x0800) == IPv4; anything else is IPv6, ARP, ...
            ip = eth.data
            typepack = eth.type
            try:
                dst_ip_6 = socket.inet_ntop(socket.AF_INET6, ip.dst)
                print('%s   %s  %s' % (ts, dst_ip_6, typepack))
            except AttributeError:
                print('Arp Requests')  # ARP payloads carry no .dst attribute
        else:
            ip = eth.data
            tcp = ip.data  # may also be UDP/ICMP; the except below covers that
            typepack = eth.type
            try:
                #head = tcp.pack_hdr
                #ethhexdump = dpkt.ethernet.dpkt.hexdump
                src_ip = socket.inet_ntoa(ip.src)
                dst_ip = socket.inet_ntoa(ip.dst)
                print('%s   %s:%s / %s:%s %s' % (ts, dst_ip, tcp.dport, src_ip, tcp.sport, typepack))
                if 'free' in tcp.data:
                    print('Plain text found')
            # tuple form: with a bare comma, "except AttributeError, TypeError" only
            # caught AttributeError and bound it to the name TypeError
            except (AttributeError, TypeError):
                print('Not sure... Still needs debugging?')

Capture()


-- Sun Nov 10, 2013 5:32 pm --

I think what's really holding me back is the fact that there are possibly hundreds of different port scans that can be performed, so how would I filter that?


For anybody else wondering why I am doing this:

Why not? I have learned a lot and personally I think it's a cool idea. It might not stop someone, but it's a layer, no matter how minute. Isn't that what security is all about, multiple layers? Personally I'm paranoid and want the ability to personally be able to understand and interpret any attacks, without being a skid (professional I.T.) and using someone else's software to tell me.

That might all be redundant, but I have heard so many times "Why?" come out of people's mouths, when what they should be saying is "Why not?" I mean come on, isn't this all about knowledge and tinkering?

So for anyone else that wants to ask why, or that has the opinion that writing this code doesn't matter, I say to you thanks for nothing, and if you didn't know the answer, why make a response and let it be known to everyone that you don't understand something as simple as ports, raw sockets and packet filtering?


~rant
MRFREE
New User
Posts: 17
Joined: Fri Jun 08, 2012 3:09 am
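An added example (not MRFREE's code) that takes the "hundreds of port scans" question from the detection side: scan families differ mainly by which TCP flags the probe carries, so classify each probe by its flag byte and count distinct ports per source instead of enumerating tools. It builds its own Ethernet/IPv4/TCP frames with struct so it runs offline without pcap or dpkt; the addresses, ports and threshold are constructed values.

```python
import struct
from collections import defaultdict

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20

def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame for testing; checksums stay zero (never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + tcp  # 0x0800 == 2048 == IPv4

def parse_frame(frame):
    """Return (src_ip, dst_port, tcp_flags) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IP header length in bytes
    src_ip = ".".join(str(b) for b in frame[26:30])
    tcp = frame[14 + ihl:]
    return src_ip, struct.unpack("!H", tcp[2:4])[0], tcp[13]

def scan_type(flags):
    """Scan families differ by flag set, so classify the probe rather than enumerate tools."""
    return {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS", SYN: "SYN"}.get(flags)

def detect_scans(frames, threshold=5):
    """Sources that probed more than `threshold` distinct ports with scan-style flags."""
    probes = defaultdict(set)                      # (src, kind) -> distinct ports
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dport, flags = parsed
        kind = scan_type(flags)
        if kind:
            probes[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in probes.items() if len(ports) > threshold}

# Constructed traffic: one host sweeping ports 20-29 with bare SYNs, plus normal PSH/ACK traffic.
SAMPLE = [build_frame("10.0.0.9", "10.0.0.1", 40000 + p, p, SYN) for p in range(20, 30)]
SAMPLE += [build_frame("10.0.0.5", "10.0.0.1", 50000, 80, PSH | ACK)] * 3

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE).items():
        print(f"{kind} scan from {src}: {len(ports)} ports {ports[0]}-{ports[-1]}")
```

A real capture loop would feed each `pkt` from `pcap.pcap(...)` into `parse_frame` in place of `SAMPLE`; the established PSH/ACK traffic is never counted, which is what keeps a busy server from flagging its own clients.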


