Sunday, 13 January 2008

Scapy: using p0f

I've recently released a (not yet applied) patch for scapy which improves its p0f functionality.

First, p0f now comes with databases designed for TCP packets other than SYN packets (one database for SYN/ACK packets, one for RST and RST/ACK packets, and the last one for "stray" ACK packets). Those new databases are slightly different from the original one, and some work was required to enable scapy's p0f functions to use them.

Now, scapy is able to deal with any kind of TCP packet:
>>> sniff(prn=prnp0f, filter='tcp')
192.168.0.97:33721 - Linux 2.6 (newer, 2) (up: 128 hrs)
-> 147.210.19.96:www (S) (distance 0)
147.210.19.96:www - UNKNOWN [49980:52:1:64:N,N,T,M1460,N,W0,N,N,S:AT:?:?] (up: 946 hrs)
-> 192.168.0.97:33721 (SA)

The (S) and (SA) denote the database used (regular p0f.fp for S, and p0fa.fp for SA).
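The bracketed signature printed for the UNKNOWN host above has the layout of a p0f database line (wwww:ttl:D:ss:OOO...:QQ:OS:Details). As an added example, not code from this post, from scapy or from p0f, here is a small parser and matcher for that format: it decodes the option tokens and shows how a passive fingerprinter compares an observed SYN or SYN+ACK with a database entry and derives the "distance". The Linux database line, the TTL-distance limit, the MSS+40 reading of "T" windows and the observed packets are assumptions or constructed data, not captures.

```python
"""Parse and match p0f v2 signatures (wwww:ttl:D:ss:OOO...:QQ:OS:Details).

Added example for this post, not code from scapy or from p0f. It decodes
the UNKNOWN signature printed above and shows how a passive fingerprinter
compares an observed SYN or SYN+ACK with a database line. The Linux line
and the observed packets below are constructed data, not captures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPTION_NAMES = {"N": "NOP", "E": "EOL", "S": "SACK permitted",
                "T": "timestamp", "T0": "timestamp (zero value)"}
# Quirk letters: P options past EOL, Z zero IP ID, I IP options, U urgent ptr,
# X unused fields set, A ACK non-zero, T second timestamp non-zero, F odd flags,
# D data in SYN, ! broken options.
MAX_DIST = 40  # assumption: give up when the TTL distance is this large


@dataclass
class P0fSig:
    window: str          # exact value, "Sn" (n*MSS), "Tn" (n*MTU) or "*"
    ttl: int             # initial TTL the sender is assumed to start from
    df: bool             # IP don't-fragment bit
    size: Optional[int]  # total packet length, None for "*"
    options: List[str]   # option tokens in wire order
    quirks: str          # quirk letters, "" when the line says "."
    genre: str
    details: str


def parse_sig(line: str) -> P0fSig:
    parts = line.strip().split(":", 7)  # details may itself contain ':'
    if len(parts) != 8:
        raise ValueError(f"malformed p0f signature: {line!r}")
    window, ttl, df, size, opts, quirks, genre, details = parts
    return P0fSig(window, int(ttl), df == "1",
                  None if size == "*" else int(size),
                  [] if opts == "." else opts.split(","),
                  "" if quirks == "." else quirks, genre, details)


def describe_options(sig: P0fSig) -> List[str]:
    """Expand option tokens: M1460 -> 'MSS 1460', W0 -> 'window scale 0', ..."""
    names = {"M": "MSS ", "W": "window scale ", "?": "unknown option "}
    return [names[t[0]] + t[1:] if t[0] in names else OPTION_NAMES.get(t, t)
            for t in sig.options]


def render_sig(pkt: Dict) -> str:
    """Render observed fields the way prnp0f prints an UNKNOWN host (no genre)."""
    return (f"{pkt['window']}:{pkt['ttl']}:{int(pkt['df'])}:{pkt['size']}:"
            f"{','.join(pkt['options']) or '.'}:{pkt['quirks'] or '.'}")


def _window_matches(sig: P0fSig, pkt: Dict) -> bool:
    w = sig.window
    if w == "*":
        return True
    if w[0] in "ST":  # multiple of the MSS (S) or of the MTU, taken here as MSS+40 (T)
        mss = next((int(t[1:]) for t in pkt["options"]
                    if t[:1] == "M" and t[1:].isdigit()), 0)
        base = mss if w[0] == "S" else mss + 40
        return mss > 0 and pkt["window"] == int(w[1:]) * base
    return pkt["window"] == int(w)


def _options_match(sig: P0fSig, pkt: Dict) -> bool:
    if len(sig.options) != len(pkt["options"]):
        return False
    # "M*" / "W*" in the database wildcard the MSS or scale value only
    return all(w == g or (w in ("M*", "W*") and g[:1] == w[0])
               for w, g in zip(sig.options, pkt["options"]))


def match(sig: P0fSig, pkt: Dict) -> Optional[int]:
    """Return the hop distance (initial TTL minus observed TTL) on a match."""
    dist = sig.ttl - pkt["ttl"]
    if not 0 <= dist < MAX_DIST or sig.df != pkt["df"]:
        return None
    if sig.size is not None and sig.size != pkt["size"]:
        return None
    if not (_window_matches(sig, pkt) and _options_match(sig, pkt)):
        return None
    return dist if set(sig.quirks) == set(pkt["quirks"]) else None


def identify(db: List[P0fSig], pkt: Dict) -> Tuple[str, str, Optional[int]]:
    for sig in db:
        dist = match(sig, pkt)
        if dist is not None:
            return sig.genre, sig.details, dist
    return "UNKNOWN", render_sig(pkt), None


# Constructed database: a Linux 2.6 style SYN line (window = 4*MSS, TTL 64)
# plus the SYN+ACK line copied from the sniff output above.
DB = [parse_sig("S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (constructed)"),
      parse_sig("49980:52:1:64:N,N,T,M1460,N,W0,N,N,S:AT:?:?")]
# Constructed observations, as scapy's p0f code would extract them from a packet.
LINUX_SYN = {"window": 5840, "ttl": 51, "df": True, "size": 60,
             "options": ["M1460", "S", "T", "N", "W7"], "quirks": ""}
ODD_SYN = {"window": 8192, "ttl": 128, "df": True, "size": 48,
           "options": ["M1460", "N", "N", "S"], "quirks": ""}

if __name__ == "__main__":
    print(describe_options(DB[1]))
    print(identify(DB, LINUX_SYN))  # ('Linux', '2.6 (constructed)', 13)
    print(identify(DB, ODD_SYN))    # UNKNOWN with its raw signature
```

The quirks comparison is order-insensitive (p0f treats them as a set of flags), while options are compared in wire order, which is why the "AT" quirks and the "N,N,T,M1460,..." option sequence carry separate information about the sender's stack.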

While working on this I've had two ideas for cool features to add, and I've added them.

The first one is a function to get signatures for the local system. This is done by sniffing packets generated by the use of socket functions, in a function I called p0f_getlocalsigs(). For now, I only use the loopback interface, which produces signatures that differ from the ones generated on regular network interfaces. I'm thinking of adding other tests using other interfaces, but nothing is done for now.

Knowing that scapy is not only a sniffing tool, but is also great for forging, manipulating and sending packets, the second one is a function that modifies a packet so that it matches a given signature. This work is done by a function called p0f_impersonate:
>>> pkt = p0f_impersonate(IP(dst='www.google.fr')/TCP(sport=12345, dport=80, flags='S'), osgenre='Linux')
>>> prnp0f(pkt)
192.168.0.97:12345 - Linux 2.4 (Google crawlbot) (up: 7326 hrs)
-> Net('www.google.fr'):www (S) (distance 0)
>>> send(pkt)

A (real) p0f running in another window shows:
# p0f
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski , W. Stearns
p0f: listening (SYN) on 'eth1', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.
192.168.0.97:12345 - Linux 2.4 (Google crawlbot) (up: 7326 hrs)
-> 209.85.135.99:80 (distance 0, link: (Google/AOL))

Wednesday, 11 April 2007

Scapext : Scapy Extended

Scapy is a great tool for network packets manipulation (sniff, dissect, create, send,...).

When I use this tool, I miss some features. So I have written an extension (called Scapext) that, for now, includes:
  • GeoIP support (through Maxmind GeoIP Python API). This is faster than the method used in Scapy for now, and easier.

  • PFLog pcap type (used by the OpenBSD Packet Filter to log packets; this allows PF to store valuable information on what happened to the logged packets).

  • Early SunRPC support with state handling.

Interested? See my page about Scapy.

Metasploit Automated Exploitation on N800

As suggested by spaceaquarium, I've tried to get Metasploit Automated Exploitation (one of the killer features of Metasploit Framework 3) working on my N800. And that's easy.

You need Ruby and RubyGems, then install ActiveRecord with gem (for these steps, see my posts about Metasploit Framework and msfweb on N800). Now, install sqlite3-ruby (you may use my package for that).

Last but not least... you need Nmap. You can use this repository.

UPDATE: you can also use my package for Nmap, as it's the latest stable version.

Now, run msfconsole, then:
msf > load db_sqlite3
msf > db_autopwn
[*] Usage: db_autopwn [options]
[...]

msf > db_nmap -p 22,445 [TARGET]

Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2007-04-11 13:52
[...]
Nmap finished: [...]
msf > db_autopwn -p -t
[*] Analysis completed in [...]
[...]

Nice! More about this feature here.

Tuesday, 10 April 2007

msfweb on N800

As I said earlier, I wanted to have msfweb (the Metasploit Framework web interface) running on my N800, because it could be far easier to use on that kind of device. Finally, it works!

First of all, install Metasploit (read this).

Then, you "only" need to get RubyGems (you can try my package), and get gem files for Rails and its dependencies (you'll find the whole set here). Install each dependency, then Rails itself (run "gem install package-version.gem").

You should be able to run from an xterm (in the directory where you've put Metasploit) the command ./msfweb.

It's a bit slow to start, but it seems to work:

Thursday, 5 April 2007

N800 with scapy and metasploit

Thanks to the python package provided by the Maemo "Extras" repository and to the osso-xterm provided by the Maemo-Hackers repository, I have had scapy running on my Nokia N800 for a while.

I have seen that some people had the Metasploit Framework running, thanks to an unreleased Ruby package.

As there is a Ruby file with mud-builder, I have built a Ruby package (you can get it here if you are too lazy to build it yourself) for N800, and... that's it. Just get Metasploit, and run msfcli from an xterm, it works.

As it's not that easy to work with an xterm on the N800 (as on any pocket-sized device), we really need a GUI. For Metasploit, one could think of using msfweb plus the integrated web browser. But msfweb does not work for now (it needs at least RubyGems and Rails).