The Incident Alarm
“Scapy is a Python module created by Philippe Biondi that allows extensive packet manipulation. Scapy allows packet forgery, sniffing, PCAP reading/writing, and real-time interaction with network targets. Scapy can be used interactively from a Python prompt or built into scripts and programs” (from the SANS Institute’s Scapy Cheat Sheet).
Scapy and Python 3 are installed on Kali Linux.
This time, you will write a tool that reports incidents it detects either in a live stream of network packets or in a set of packets read from a PCAP file.
Instructions
Using Python and scapy, write a program named alarm.py that gives the user the option to analyze a live stream of network packets or a set of PCAPs for incidents. Your tool shall be able to detect the following incidents:
• NULL scan (TCP segments with no flags set)
• FIN scan (TCP segments with only the FIN flag set)
• Xmas scan (TCP segments with the FIN, PSH and URG flags set)
• Usernames and passwords sent in-the-clear via HTTP Basic Authentication or FTP
If an incident is detected, the alert must be displayed in the format:
ALERT #{incident_number}: #{incident} is detected from #{source IP address} (#{protocol or port number}) (#{payload})!
Example outputs:
ALERT #1: Xmas scan is detected from 192.168.1.3 (TCP)!
ALERT #2: Usernames and passwords sent in-the-clear (HTTP) (username:batman, password:brucewayne)
Your program does not need to support saving the stream of packets to a PCAP file or saving a record of detected incidents.
No credit if your program crashes or if exceptions are not handled properly.
Running and Using the Tool
In Kali Linux and assuming you are root, run: `python3 alarm.py`. By default, with no arguments, the tool shall sniff on network interface `eth0`. The tool must handle three command line arguments:
`-i INTERFACE`: Sniff on a specified network interface
`-r PCAPFILE`: Read in a PCAP file
`-h`: Display a message on how to use the tool
Example 1: `python3 alarm.py -h` shall display something of the like:
  usage: alarm.py [-h] [-i INTERFACE] [-r PCAPFILE]

  A network sniffer that identifies basic vulnerabilities

  optional arguments:
    -h, --help    show this help message and exit
    -i INTERFACE  Network interface to sniff on
    -r PCAPFILE   A PCAP file to read
Example 2: `python3 alarm.py -r set2.pcap` will read the packets from set2.pcap
Example 3: `python3 alarm.py -i en0` will sniff packets on a wireless interface en0
When sniffing on a live interface, the tool must keep running. To quit it, press Control-C.
Getting Started
Here is a working alarm.py (in Python 3).
Feel free to modify the packetcallback function. What has been written for you: the handling and parsing of command line arguments, reading of the PCAP file, and sniffing of the network. Download alarm.py and use it inside of your Kali VM. You will also need to install pcapy to work in conjunction with scapy on Kali Linux, as it is not installed.
Run `apt-get install python3-pcapy`
If you go web browsing in the virtual machine with the alarm running, you will notice the alarm will go off…
Testing Your Tool
Your tool must be able to detect the usernames and passwords sent in-the-clear in set1.pcap, set2.pcap, and set3.pcap from the previous Lab.
Here are PCAPs you can also use to test your alarm:
Fin.pcap
Xmas.pcap
Null.pcap
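A complete implementation of the tool specified above, added here as an example for this page; it is not the alarm.py handed out with the lab, and every function and variable name other than packetcallback is this example's own. It uses scapy's sniff and rdpcap directly, defaults to eth0, numbers alerts in the required ALERT #n format, and classifies scans by the exact TCP flag combinations the three nmap scan types send (NULL: no flags; FIN: FIN only; Xmas: FIN, PSH and URG). Two design assumptions are this example's: HTTP Basic credentials are looked for in any TCP payload carrying an Authorization: Basic header, whatever the port, and FTP USER and PASS commands, which arrive in separate packets, are paired per control connection on port 21. The scapy import is guarded so the detection helpers can be exercised without root or a capture interface:

```python
import argparse
import base64
import re
import sys

try:
    from scapy.all import IP, TCP, Raw, rdpcap, sniff
except ImportError:  # keeps the detection helpers importable/testable without scapy
    IP = TCP = Raw = rdpcap = sniff = None

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits
incident_count = 0   # running number printed in each ALERT line
ftp_users = {}       # (src, sport, dst, dport) -> username from a USER command

def classify_scan(flags):
    """Map a TCP flags byte to the scan it signals, or None for normal traffic."""
    if flags == 0:
        return "NULL scan"          # no flags at all (nmap -sN)
    if flags == FIN:
        return "FIN scan"           # only FIN (nmap -sF)
    if flags == FIN | PSH | URG:
        return "Xmas scan"          # FIN+PSH+URG (nmap -sX)
    return None

def http_basic_credentials(payload):
    """Decode an 'Authorization: Basic' header into (user, password), else None."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except ValueError:              # malformed base64 is not a credential
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")

def ftp_credentials(flow, payload):
    """Pair USER/PASS across packets of one FTP flow; (user, pw) once PASS arrives."""
    line = payload.split(b"\r\n", 1)[0]
    if line[:5].upper() == b"USER ":
        ftp_users[flow] = line[5:].decode("utf-8", "replace")
    elif line[:5].upper() == b"PASS " and flow in ftp_users:
        return ftp_users.pop(flow), line[5:].decode("utf-8", "replace")
    return None

def make_alert(incident, src, proto, payload=None):
    """Format one alert in the required ALERT #n form and bump the counter."""
    global incident_count
    incident_count += 1
    msg = f"ALERT #{incident_count}: {incident} is detected from {src} ({proto})"
    return msg + (f" ({payload})" if payload else "") + "!"

def analyze(src, dst, sport, dport, flags, payload):
    """Detection core on plain values (no scapy objects): alert string or None."""
    scan = classify_scan(flags)
    if scan:
        return make_alert(scan, src, "TCP")
    creds = http_basic_credentials(payload) if payload else None
    if creds:
        return make_alert("Usernames and passwords sent in-the-clear", src, "HTTP",
                          f"username:{creds[0]}, password:{creds[1]}")
    creds = ftp_credentials((src, sport, dst, dport), payload) if dport == 21 else None
    if creds:
        return make_alert("Usernames and passwords sent in-the-clear", src, "FTP",
                          f"username:{creds[0]}, password:{creds[1]}")
    return None

def packetcallback(packet):
    """Scapy prn callback: extract what analyze() needs and print any alert."""
    try:
        if not (packet.haslayer(IP) and packet.haslayer(TCP)):
            return
        ip, tcp = packet[IP], packet[TCP]
        payload = bytes(packet[Raw].load) if packet.haslayer(Raw) else b""
        alert = analyze(ip.src, ip.dst, tcp.sport, tcp.dport, int(tcp.flags), payload)
        if alert:
            print(alert)
    except Exception as exc:        # a malformed packet must never stop the sniffer
        print(f"[!] skipped packet: {exc}", file=sys.stderr)

def main(argv=None):
    parser = argparse.ArgumentParser(
        description="A network sniffer that identifies basic vulnerabilities")
    parser.add_argument("-i", dest="interface", help="Network interface to sniff on")
    parser.add_argument("-r", dest="pcapfile", help="A PCAP file to read")
    args = parser.parse_args(argv)
    if sniff is None:
        sys.exit("scapy is required but is not installed")
    try:
        if args.pcapfile:
            for packet in rdpcap(args.pcapfile):
                packetcallback(packet)
        else:
            iface = args.interface or "eth0"   # lab default when no -i is given
            print(f"Sniffing on {iface}")
            sniff(iface=iface, prn=packetcallback)
    except KeyboardInterrupt:
        pass                            # Control-C ends live sniffing cleanly
    except Exception as exc:            # unreadable pcap, unknown interface, ...
        sys.exit(f"error: {exc}")

if __name__ == "__main__":
    main()
```

Run it exactly as the examples above: `python3 alarm.py -r Xmas.pcap` replays a capture, `python3 alarm.py -i en0` sniffs live until Control-C. Keeping analyze() free of scapy objects is what makes the detection logic checkable offline with constructed flag values and payloads; packetcallback is the only place that touches packet layers, and it catches every exception so that one malformed packet cannot crash the sniffer, which is the "no credit if your program crashes" requirement.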
References
• Scapy documentation: https://scapy.readthedocs.io/en/latest/
• Scapy Cheat Sheet (SANS Institute): https://blogs.sans.org/pen-testing/files/2016/04/ScapyCheatSheet_v0.2.pdf