Archive for category Networking

Setting IP options in Scapy

Dur­ing this year iCTF (the world largest online hack­ing com­pe­ti­tion — very cool) my team faced the prob­lem of set­ting an IP header option in Scapy. That was needed to break a ser­vice that was rely­ing on IP addresses for authentication.

Now, Scapy is an awe­some project, but it lacks a bit on the doc­u­men­ta­tion side, as most of it is com­posed by a bunch of slides. Since IP options are over­looked in the docs and there is noth­ing find­able on the web that shows how to set them, I’ll post it here hop­ing to help some future fel­low googler — that might as well be future me.

Option to set: Loose Route/Record Route (the oth­ers work just the same):

>>> ip=IP(src="1.1.1.1", dst="8.8.8.8", options=IPOption('\x83\x03\x10'))
>>> ip.show2()
###[ IP ]###
version= 4L
ihl= 6L
tos= 0x0
len= 24
id= 1
flags=
frag= 0L
ttl= 64
proto= ip
chksum= 0xd4d0
src= 1.1.1.1
dst= 8.8.8.8
\options\
|###[ IP Option Loose Source and Record Route ]###
|  copy_flag= 1L
|  optclass= control
|  option= loose_source_route
|  length= 3
|  pointer= 16
|  routers= []
|###[ IPOption_EOL ]###
|  copy_flag= 0L
|  optclass= contro
|  option= end_of_list

The ‘\x83\x03\x10’ has been cre­ated fol­low­ing the linked specs (\x83 is the type of the option, \x03 is the length, \x10 is the pointer).

Note that if you for­get the IPOp­tion() bit, your packet will be printed cor­rectly with show()/show2() but will refuse to be sent on the net­work. Instead, it will show this error (here for the sake of search engine indexing):

>>> send(IP(src="1.1.1.1", dst="8.8.8.8", options='\x83\x03\x10'))
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/pymodules/python2.6/scapy/sendrecv.py", line 247, in send
    __gen_send(conf.L3socket(*args, **kargs), x, inter=inter, loop=loop, count=count,verbose=verbose, realtime=realtime)
  File "/usr/lib/pymodules/python2.6/scapy/sendrecv.py", line 230, in __gen_send
    s.send(p)
  File "/usr/lib/pymodules/python2.6/scapy/arch/linux.py", line 384, in send
    sx = str(ll(x))
  File "/usr/lib/pymodules/python2.6/scapy/arch/linux.py", line 382, in <lambda>
    ll = lambda x:conf.l2types[sn[3]]()/x
  File "/usr/lib/pymodules/python2.6/scapy/packet.py", line 260, in __div__
    cloneB = other.copy()
  File "/usr/lib/pymodules/python2.6/scapy/packet.py", line 140, in copy
    clone.fields[k]=self.get_field(k).do_copy(clone.fields[k])
  File "/usr/lib/pymodules/python2.6/scapy/fields.py", line 401, in do_copy
    return map(lambda p:p.copy(), x)
  File "/usr/lib/pymodules/python2.6/scapy/fields.py", line 401, in <lambda>
    return map(lambda p:p.copy(), x)
 
AttributeError: 'str' object has no attribute 'copy'

3 Comments