When it comes to the reconnaissance of some target network, the start point is undoubtedly on host discovering. This task might come together with the ability to sniff and parse the packets flying through the network.
A few weeks ago, I talked about how to use Wireshark for packet sniffing, but what if you don't have Wireshark available to monitor a network traffic?
Again, Python comes with several solutions and today I'm going through the steps to build a UDP Host discovery tool. First, we are going to see how we deal with raw sockets to write a simple sniffer, which is able to view and decode network packets. Then we are going to multithread this process within a subnet, which will result in our scanner.
The cool thing about raw sockets is that they allow access to low-level networking information. For example, we can use it to check IP and ICMP headers, which are in the layer 3 of the OSI model (the network layer).
The cool thing about using UDP datagrams is that, differently from TCP, they do not bring much overhead when sent across an entire subnet (remember the TCP handshaking). All we need to do is wait for the ICMP responses saying whether the hosts are available or closed (unreachable). Remember that ICMP is essentially a special control protocol that issues error reports and can control the behavior of machines in data transfer.
Writing a Packet Sniffer
We start with a very simple task: with Python's socket library, we will write a very simple packet sniffer.
In this sniffer we create a raw socket and then we bind it to the public interface. The interface should be in promiscuous mode, which means that every packet that the network card sees is captured, even those that are not destined to the host.
One detail to remember is that things are slightly different if we are using Windows: in this case we need to send a IOCTL package to set the interface to promiscuous mode. In addition, while Linux needs to use ICMP, Windows allow us to sniff the incoming packets independently of the protocol:
import socket import os # host to listen HOST = '192.168.1.114' def sniffing(host, win, socket_prot): while 1: sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_prot) sniffer.bind((host, 0)) # include the IP headers in the captured packets sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) if win == 1: sniffer.ioctl(socket.SIO_RCVALL, socket_RCVALL_ON) # read in a single packet print sniffer.recvfrom(65565) def main(host): if os.name == 'nt': sniffing(host, 1, socket.IPPROTO_IP) else: sniffing(host, 0, socket.IPPROTO_ICMP) if __name__ == '__main__': main(HOST)
To test this script, we run the following command in one terminal window:
$ sudo python sniffer.py
$ sudo python raw_socket.py ('E\x00\x00T\xb3\xec\x00\x005\x01\xe4\x13J}\xe1\x11\xc0\xa8\x01r\x00\x00v\xdfx\xa2\x00\x01sr\x98T\x00\x00\x00\x008\xe3\r\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567', ('184.108.40.206', 0)) ('E\x00\x00T\xb4\x1b\x00\x005\x01\xe3\xe4J}\xe1\x11\xc0\xa8\x01r\x00\x00~\xd7x\xa2\x00\x02tr\x98T\x00\x00\x00\x00/\xea\r\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567', ('220.127.116.11', 0))
Now it's pretty obvious that we need to decode these headers.
Decoding the IP and ICMP Layers
The IP Header
A typical IP header has the following structure, where each field belongs to a variable (this header is originally written in C):
The ICMP Header
In the same way, ICMP can vary in its content but each message contains three elements that are consistent: type and code (tells the receiving host what type of ICMP message is arriving for decoding) and checksum fields.
For our scanner, we are looking for a type value of 3 and a code value of 3, which are the Destination Unreachable class and Port Unreachable errors in ICMP messages.
To represent this header, we create a class, with the help of Python's ctypes library:
import ctypes class ICMP(ctypes.Structure): _fields_ = [ ('type', ctypes.c_ubyte), ('code', ctypes.c_ubyte), ('checksum', ctypes.c_ushort), ('unused', ctypes.c_ushort), ('next_hop_mtu',ctypes.c_ushort) ] def __new__(self, socket_buffer): return self.from_buffer_copy(socket_buffer) def __init__(self, socket_buffer): pass
Writing the Header Decoder
Now we are ready to write our IP/ICMP header decoder. The script below creates a sniffer socket (just as we did before) and then it runs a loop to continually read in packets and decode their information.
Notice that for the IP header, the code reads the packet, unpacks the first 20 bytes to the raw buffer, and then prints the header variables. The ICMP header data comes right after it:
import socket import os import struct import ctypes from ICMPHeader import ICMP # host to listen on HOST = '192.168.1.114' def main(): socket_protocol = socket.IPPROTO_ICMP sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol) sniffer.bind(( HOST, 0 )) sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) while 1: raw_buffer = sniffer.recvfrom(65565) ip_header = raw_buffer[0:20] iph = struct.unpack('!BBHHHBBH4s4s' , ip_header) # Create our IP structure version_ihl = iph version = version_ihl >> 4 ihl = version_ihl & 0xF iph_length = ihl * 4 ttl = iph protocol = iph s_addr = socket.inet_ntoa(iph); d_addr = socket.inet_ntoa(iph); print 'IP -> Version:' + str(version) + ', Header Length:' + str(ihl) + \ ', TTL:' + str(ttl) + ', Protocol:' + str(protocol) + ', Source:'\ + str(s_addr) + ', Destination:' + str(d_addr) # Create our ICMP structure buf = raw_buffer[iph_length:iph_length + ctypes.sizeof(ICMP)] icmp_header = ICMP(buf) print "ICMP -> Type:%d, Code:%d" %(icmp_header.type, icmp_header.code) + '\n' if __name__ == '__main__': main()
Testing the Decoder
Running the script in one terminal and sending a ping in other will return something like this (notice the ICMP type 0):
$ ping www.google.com PING www.google.com (18.104.22.168) 56(84) bytes of data. 64 bytes from lga15s42-in-f16.1e100.net (22.214.171.124): icmp_seq=1 ttl=56 time=15.7 ms 64 bytes from lga15s42-in-f16.1e100.net (126.96.36.199): icmp_seq=2 ttl=56 time=15.0 ms (...)
$ sudo python ip_header_decode.py IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:188.8.131.52, Destination:192.168.1.114 ICMP -> Type:0, Code:0 IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:184.108.40.206, Destination:192.168.1.114 ICMP -> Type:0, Code:0 (...)
In the other hand, if we run traceroute instead:
$ traceroute www.google.com traceroute to www.google.com (220.127.116.11), 30 hops max, 60 byte packets 1 * * * 2 * * * 3 18.104.22.168 (22.214.171.124) 17.183 ms 126.96.36.199 (188.8.131.52) 70.563 ms 184.108.40.206 (220.127.116.11) 21.480 ms 4 451be075.cst.lightpath.net (18.104.22.168) 14.639 ms rtr102.wan.hcvlny.cv.net (22.214.171.124) 24.086 ms 451be075.cst.lightpath.net (126.96.36.199) 24.025 ms 5 188.8.131.52 (184.108.40.206) 24.005 ms 220.127.116.11 (18.104.22.168) 23.961 ms 451be0c2.cst.lightpath.net (22.214.171.124) 23.935 ms 6 126.96.36.199 (188.8.131.52) 23.872 ms 46.943 ms * 7 184.108.40.206 (220.127.116.11) 48.906 ms 46.138 ms 46.122 ms 8 18.104.22.168 (22.214.171.124) 46.108 ms 46.095 ms 46.074 ms 9 lga15s43-in-f18.1e100.net (126.96.36.199) 45.997 ms 19.507 ms 16.607 ms
We get something like this (notice the several types of ICMP responses):
sudo python ip_header_decode.py IP -> Version:4, Header Length:5, TTL:252, Protocol:1, Source:188.8.131.52, Destination:192.168.1.114 ICMP -> Type:11, Code:0 (...) IP -> Version:4, Header Length:5, TTL:250, Protocol:1, Source:184.108.40.206, Destination:192.168.1.114 ICMP -> Type:11, Code:0 IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:220.127.116.11, Destination:192.168.1.114 ICMP -> Type:3, Code:3 IP -> Version:4, Header Length:5, TTL:249, Protocol:1, Source:18.104.22.168, Destination:192.168.1.114 ICMP -> Type:11, Code:0 (...) IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:22.214.171.124, Destination:192.168.1.114 ICMP -> Type:3, Code:3
Writing the Scanner
We are ready to write our full scanner. But, first, let's install netaddr, which is a Python library for representing and manipulating network addresses.
Netaddr supports the ability to work with IPv4 and IPv6 addresses and subnets MAC addresses, among others. This is very useful for our problem, since we want to be able to use a subnet mask such as 192.168.1.0/24.
$ sudo pip install netaddr
We can quickly test this library with the following snippet (which should print "OK"):
import netaddr ip = '192.168.1.114' if ip in netaddr.IPNetwork('192.168.1.0/24'): print('OK!')
Enter the Scanner
To write our scanner we are going to put together everything we have, and then add a loop to spray UDP datagrams with a string signature to all the address within our target subnet.
To make this work, each packet will be sent in a separated thread, to make sure that we are not interfering with the sniff responses:
import threading import time import socket import os import struct from netaddr import IPNetwork, IPAddress from ICMPHeader import ICMP import ctypes # host to listen on HOST = '192.168.1.114' # subnet to target (iterates through all IP address in this subnet) SUBNET = '192.168.1.0/24' # string signature MESSAGE = 'hellooooo' # sprays out the udp datagram def udp_sender(SUBNET, MESSAGE): time.sleep(5) sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for ip in IPNetwork(SUBNET): try: sender.sendto(MESSAGE, ("%s" % ip, 65212)) except: pass def main(): t = threading.Thread(target=udp_sender, args=(SUBNET, MESSAGE)) t.start() socket_protocol = socket.IPPROTO_ICMP sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol) sniffer.bind(( HOST, 0 )) sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) # continually read in packets and parse their information while 1: raw_buffer = sniffer.recvfrom(65565) ip_header = raw_buffer[0:20] iph = struct.unpack('!BBHHHBBH4s4s' , ip_header) # Create our IP structure version_ihl = iph ihl = version_ihl & 0xF iph_length = ihl * 4 src_addr = socket.inet_ntoa(iph); # Create our ICMP structure buf = raw_buffer[iph_length:iph_length + ctypes.sizeof(ICMP)] icmp_header = ICMP(buf) # check for the type 3 and code and within our target subnet if icmp_header.code == 3 and icmp_header.type == 3: if IPAddress(src_addr) in IPNetwork(SUBNET): if raw_buffer[len(raw_buffer) - len(MESSAGE):] == MESSAGE: print("Host up: %s" % src_addr) if __name__ == '__main__': main()
Finally, running the scanner gives a result similar to this:
$ sudo python scanner.py Host up: 192.168.1.114 (...)
By the way, the results from our scanner can be checked against the values of the IP addresses in your router's DHCP table. They should match!
That's all, folks. Hope you had fun.