H 430: Scapy (60 pts)

What you need

What is scapy?

Scapy is an interactive environment that lets you build packets of any type you want and send them onto the network, and monitor the responses. It can be used for almost anything you want: port scanning, testing firewalls and IPS systems, attacks, etc.

Testing Networking

On your Linux system, in a Terminal, execute this commannd:
ping -c 2 google.com
You should see two replies, as shown below. If you don't, you need to troubleshoot your networking before continuing with this project.

Downloading and Running Scapy

To install Scapy on a Debian server, execute these commands:
sudo apt update
sudo apt install git -y
git clone https://github.com/secdev/scapy.git
cd scapy
sudo ./run_scapy
Scapy opens, as shown below on this page.


ICMP with Scapy

Sending ICMP Packets with scapy

In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
i = IP()
This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
i.display()
A list of values appears, starting with the IP version number (4) and ending with the source and destination IP addresses, as shown below on this page.

Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your Target machine:

i.dst="google.com"
i.display()
Notice that scapy automatically fills in your machine's source IP address, as shown below on this page.

Use these commands to create an object named ic of type ICMP and display its properties:

ic = ICMP(id=100)
ic.display()
(I added the "id=100" to make it more reliable, this seems to be a long-standing issue with scapy)

There aren't many properties for this object--it's just an echo-request, as shown below on this page.

Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

sr1(i/ic)
This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. As you can see in the image below, the response is shown, with ICMP type echo-reply.

Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):

sr1(i/ic/"YOUR NAME")
You should see a reply with a Raw section containing your name, as shown below on this page.

Getting a Flag Value

In a Web browser, open this page, replacing YOURNAME with your own name:
https://games.samsclass.info/tmp/pingYOURNAME.txt
The page is not found, as shown below on this page.

Use Scapy to send an ICMP request with these properties:

H 430.1: Web Page (10 pts)

Refresh the Web page a few times. After a few seconds the flag will appear, as covered in a green box in the image below.

DNS with Scapy

Sending a DNS Request

In the Linux machine, in an SSH window, at the >>> prompt, type these commands, and then press the Enter key:
i = IP()
i.dst = "1.1.1.1"
u = UDP()
d = DNS()
d.qd=DNSQR(qname="www.google.com")
d.display()
This creates a DNS request asking for the A record of "www.google.com", as shown below.

Execute this command to send the request:

sr1(i/u/d)
The server replies an IP address of the server, as shown below.

H 430.3: IP of Flag0 (5 pts)

Find the IP address of this server:
flag0.samsclass.info
That IP address is the flag.

H 430.4: CNAME of Flag1 (10 pts)

Find the CNAME record for this server:
flag1.samsclass.info
That CNAME contains the flag.

H 430.5: DNS Record of Flag2 (15 pts)

Find a DNS record containing a flag for this server:
flag2.samsclass.info
Hint: Know the eight most common DNS records

H 430.6: One (20 pts)

Perform a reverse DNS lookup for this address:
1.1.1.1
Make sure the answer is correct, outlined in green in the image below.

The flag is the text covered by a green rectangle in the image below.


Posted 3-24-19
Cloud instructions added 3-26-19
Formatting of Scapy installation code fixed 7-4-2020
Flag description for 430.4 corrected 8-3-2020
domain name fixed in H 430.5 1-23-21
"id=100" added to ICMP 3-9-23
Title of flag 5 corrected 5-10-23