Archive for category Networking
Setting IP options in Scapy
Posted by Luca Invernizzi in Networking, Security on December 6, 2010
During this year iCTF (the world largest online hacking competition — very cool) my team faced the problem of setting an IP header option in Scapy. That was needed to break a service that was relying on IP addresses for authentication.
Now, Scapy is an awesome project, but it lacks a bit on the documentation side, as most of it is composed by a bunch of slides. Since IP options are overlooked in the docs and there is nothing findable on the web that shows how to set them, I’ll post it here hoping to help some future fellow googler — that might as well be future me.
Option to set: Loose Route/Record Route (the others work just the same):
>>> ip=IP(src="1.1.1.1", dst="8.8.8.8", options=IPOption('\x83\x03\x10')) |
>>> ip.show2() |
###[ IP ]### version= 4L ihl= 6L tos= 0x0 len= 24 id= 1 flags= frag= 0L ttl= 64 proto= ip chksum= 0xd4d0 src= 1.1.1.1 dst= 8.8.8.8 \options\ |###[ IP Option Loose Source and Record Route ]### | copy_flag= 1L | optclass= control | option= loose_source_route | length= 3 | pointer= 16 | routers= [] |###[ IPOption_EOL ]### | copy_flag= 0L | optclass= contro | option= end_of_list |
The ‘\x83\x03\x10’ has been created following the linked specs (\x83 is the type of the option, \x03 is the length, \x10 is the pointer).
Note that if you forget the IPOption() bit, your packet will be printed correctly with show()/show2() but will refuse to be sent on the network. Instead, it will show this error (here for the sake of search engine indexing):
>>> send(IP(src="1.1.1.1", dst="8.8.8.8", options='\x83\x03\x10')) |
Traceback (most recent call last): File "<console>", line 1, in <module> File "/usr/lib/pymodules/python2.6/scapy/sendrecv.py", line 247, in send __gen_send(conf.L3socket(*args, **kargs), x, inter=inter, loop=loop, count=count,verbose=verbose, realtime=realtime) File "/usr/lib/pymodules/python2.6/scapy/sendrecv.py", line 230, in __gen_send s.send(p) File "/usr/lib/pymodules/python2.6/scapy/arch/linux.py", line 384, in send sx = str(ll(x)) File "/usr/lib/pymodules/python2.6/scapy/arch/linux.py", line 382, in <lambda> ll = lambda x:conf.l2types[sn[3]]()/x File "/usr/lib/pymodules/python2.6/scapy/packet.py", line 260, in __div__ cloneB = other.copy() File "/usr/lib/pymodules/python2.6/scapy/packet.py", line 140, in copy clone.fields[k]=self.get_field(k).do_copy(clone.fields[k]) File "/usr/lib/pymodules/python2.6/scapy/fields.py", line 401, in do_copy return map(lambda p:p.copy(), x) File "/usr/lib/pymodules/python2.6/scapy/fields.py", line 401, in <lambda> return map(lambda p:p.copy(), x) AttributeError: 'str' object has no attribute 'copy' |