Introduction to Information Security Wireshark and Scapy

Exercise 6

• Submission deadline extended to 3.5 to fix the following issues:
  • Check the exit code only to determine whether convert failed
  • Put the explanation as to why fuzzing the first and last 750 is enough at the top of the .txt file
  • Use the correct format:
    • 0x<byte>.<bit>\n
    • Bits are numbered from 0 to 7
    • Bytes are numbered from 1
  • Don't copy the entire file over for every bit flip, that's ridiculously inefficient

The Great Ascent

• We shift our focus from low-level vulnerabilities (buffer overflows) to high-level ones (DNS poisoning)
• Network vulnerabilities are just as sophisticated and interesting!
• They are not simpler, but they are easier to debug
• Tools:
  • Wireshark (and maybe tcpdump)
  • Scapy

A Few Words about Python

Python

• Probably the best language in the world
• For scripts, we know...
• But also:
  • For web development (django, flask)
  • For scientific research (numpy, scipy, sympy, matplotlib, ipython notebook)
  • For big data analysis (pandas)
  • For machine learning (scikit-learn)
  • For big and complex systems (twisted, sqlalchemy)
  • Other stuff (re, pycrypto, PIL, nltk, scrapy)

A Few Words About Python

• How can it be?
  • It's modern and cool
  • It's extremely dynamic
    • Everything is an object (even classes!)
    • You can overload and hook just about anything
  • Focuses on developer time
    • Nowadays, that's what takes 90% of the time!
  • Simplicity
  • Interactivity
• As a side-note for skeptics, with stuff like PyPy it's also incredibly fast

Example

    class A(object):
        def __call__(self, x, y):
            return x + y

        def __getitem__(self, key):
            return key.upper()

        def __getattr__(self, key):
            return key.ljust(10, '.')

    >>> a = A()
    >>> a(1, 2)
    3
    >>> a['foo']
    'FOO'
    >>> a.foo
    'foo.......'

How to Learn

• If you're not sure how to do something, Google it or look in Stack Overflow
• Don't copy solutions blindly – but do learn from them
  • For example, many of you reinvented the wheel instead of using binascii / struct
  • Almost nobody automated the core dump address extraction
• Sounds hard?

Example

Back to the Point

Wireshark

• Allows you to capture ("sniff") incoming and outgoing packets
• Amazing deconstruction and visualisation
• Incredible number of supported protocols
• Filters and more

Wireshark

Scapy

• A Python library that allows constructing, deconstructing, sending, receiving, sniffing and virtually doing anything you can imagine with packets
• Read the tutorial: http://www.secdev.org/projects/scapy/doc/usage.html

    >>> from scapy.all import *
    >>> s = IP(dst='212.179.180.89') / TCP(sport=65000, dport=80, flags='S')
    >>> a = sr1(s)
    >>> a[TCP].sport
    80
    >>> a[TCP].sprintf('%TCP.flags%')
    'SA'
    >>> sniff(lfilter=lambda p: UDP in p, prn=lambda p: p.summary())
    ...

Exercise 7

• A series of unrelated questions, each about a problem and its solutions
• The problems themselves may have been learned in class
• But anyway, they are explained in detail and are in fact quite simple
• A big open bonus I will personally grade "by ear" (so no appeals – but do try to impress me)
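The Exercise 6 feedback above (label each flip as 0x<byte>.<bit>, bytes from 1, bits 0 to 7, check only the exit code, and don't copy the whole file per flip) as an added example that is not from the slides or the course: the buffer is flipped and restored in place, and the only assumptions are that <byte> is the 1-based byte number written in hex, that the "first and last N" counts bytes, and the sample input and target function, which are constructed here.

```python
# Added example, not the course's own code: single-bit flips over the first and
# last N bytes of an input, labelled in the exercise's 0x<byte>.<bit> format
# (bytes numbered from 1, bits 0..7). Assumptions: <byte> is the 1-based byte
# number in hex, and N counts bytes. The buffer is flipped and restored in
# place, so no copy of the whole file is made per flip.

def flip_positions(length, n):
    """0-based offsets to fuzz: the first n and last n bytes, without
    duplicates when the input is shorter than 2*n."""
    head = range(min(n, length))
    tail = range(max(0, length - n), length)
    return sorted(set(head) | set(tail))


def bit_flip_label(offset, bit):
    """Exercise label: 1-based byte number in hex, then the bit index."""
    return "0x%x.%d" % (offset + 1, bit)


def iter_bit_flips(data, n):
    """Yield (label, data) for each single-bit mutant of `data`, a bytearray
    that is mutated in place and restored before the next flip."""
    for offset in flip_positions(len(data), n):
        for bit in range(8):
            data[offset] ^= 1 << bit  # flip one bit
            yield bit_flip_label(offset, bit), data
            data[offset] ^= 1 << bit  # restore the original byte


def run_fuzz(data, n, target):
    """Run `target(mutant_bytes)` on every mutant and return the labels whose
    run reported failure, judging only by the returned exit code."""
    return [label for label, mutant in iter_bit_flips(data, n)
            if target(bytes(mutant)) != 0]


# Constructed sample input and target: the target 'fails' (exit code 1) when
# the 4-byte magic header is damaged and 'succeeds' (0) otherwise.
SAMPLE = bytearray(b"MAGC" + b"\x00" * 10 + b"TAIL")


def sample_target(blob):
    return 0 if blob[:4] == b"MAGC" else 1


if __name__ == "__main__":
    for label in run_fuzz(SAMPLE, 4, sample_target):
        print(label)  # 0x1.0 ... 0x4.7: only header flips make the target fail
```

For the real exercise, `data` would be the file read once into a bytearray and `target` would write the mutant to a temporary file and return the exit code of the converter.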
