Strangely enough, I have never really used Scapy, or at least not for anything meaningful (partly because I didn't know how to use it, and until now I didn't really think I needed it). After tonight my opinion of the tool has changed, and I could certainly find a use for it sooner rather than later with the amount of VoIP testing I've been doing.
I was browsing some of SecurityTube's videos and came across one on creating your own wireless SSID sniffer. The video introduces Scapy, a packet manipulation tool that comes ready to go in Kali Linux. In short, this powerful tool can be used as a sniffer, crafter and modifier of most common protocols.
To speed things up I will show you the packets I collected using the Scapy interactive interface.
Welcome to Scapy (2.2.0)
>>> conf.iface = "mon0"
>>> pkts = sniff(count=5)
RadioTap / 802.11 Control 12L None > c8:d7:19:0d:24:73 / Raw
RadioTap / 802.11 Data 8L c8:d7:19:0d:24:73 > ac:3c:0b:29:fe:96 / Dot11QoS / Dot11WEP
802.3 90:f6:52:00:ba:b7 > ac:3c:0b:29:fe:96 / LLC / Raw
RadioTap / 802.11 Control 9L None > c8:d7:19:0d:24:73 / Raw
RadioTap / 802.11 Management 8L c8:d7:19:0d:24:73 > ff:ff:ff:ff:ff:ff / Dot11Beacon / SSID='druidia' / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt / Dot11Elt
In line #2 I am instructing Scapy to use the wireless virtual interface mon0 (which has been set to monitor mode). In line #3 I call the sniff() function, grabbing 5 packets and storing them in a list called "pkts". In line #4 we summarize what we have collected and can see typical 802.11 frames (Control, Management and Data). Having a sample management frame (line #9) gives us all we need to create a sniffer. Additionally, if you would like a visual breakdown of a packet, you can dump it to a PDF file using the pdfdump() function as such:
We use pkts to dump the 5th packet in the list we have created (line 9 above, which is a management packet).
The output of a management packet should look similar to the following:
Under the 802.11 Header we can see the Type and Subtype of the Management Frame.
Using the following code, which I have commented heavily, we have our sniffer.
### We import the scapy module into our program here
from scapy.all import *

# We define a list called aps to store all APs we detect
aps = []

# The following function is a packet handler that will check each packet as it
# is passed by the sniffer. If the packet has an 802.11 layer, its type is 0
# (a management frame) and its subtype is 8 (a beacon), and the AP's address
# (addr2, the transmitter, i.e. the BSSID) is not already in the aps list,
# then add it to the list and print it.
def PacketHandler(pkt):
    if pkt.haslayer(Dot11):
        if pkt.type == 0 and pkt.subtype == 8:
            if pkt.addr2 not in aps:
                aps.append(pkt.addr2)
                print("Found BSSID %s and SSID %s " % (pkt.addr2, pkt.info))

# Begin sniffing and pass each packet to the PacketHandler function above.
sniff(iface="mon0", prn=PacketHandler)
The output shows as…
Found BSSID c8:d7:19:0d:24:73 and SSID druidia
Found BSSID 00:1d:d3:1b:46:60 and SSID HOME-4662
Found BSSID 02:1d:d3:1b:46:60 and SSID
Found BSSID 06:1d:d3:1b:46:60 and SSID xfinitywifi
Found BSSID 00:1e:2a:57:d0:b4 and SSID NETGEAR
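As an added example, not code from the original post: the same beacon check the sniffer performs (type 0, subtype 8, addr2 as the BSSID, SSID taken from the tagged element with ID 0) written as a dependency-free parser over raw 802.11 frames, so it can be run offline. It goes a little beyond the sniffer by treating a zero-length or all-NUL SSID element as a hidden network (the blank SSID in the output above) and by stopping on a truncated element. The build_beacon helper and the frames it produces are constructed for the demo.

```python
import struct

def build_beacon(bssid, ssid):
    """Constructed sample: a minimal 802.11 beacon frame without the RadioTap header."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    fc = b"\x80\x00"   # frame control: type 0 (management), subtype 8 (beacon)
    # duration, addr1 (broadcast), addr2 (transmitter, i.e. BSSID), addr3, sequence control
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, capabilities
    ssid_el = bytes([0, len(ssid)]) + ssid        # element ID 0 = SSID
    rates_el = bytes([1, 1, 0x82])                # element ID 1 = supported rates
    return hdr + fixed + ssid_el + rates_el

def parse_beacon(frame):
    """Return (bssid, ssid) for a beacon, ssid None when hidden; None if not a beacon."""
    if len(frame) < 36:                 # 24-byte header plus 12 bytes of fixed beacon fields
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != 8:      # the sniffer's check: management frame, beacon
        return None
    bssid = ":".join("%02x" % b for b in frame[10:16])   # addr2
    tags, i, ssid = frame[36:], 0, None
    while i + 2 <= len(tags):           # walk the tagged parameters (ID, length, value)
        eid, elen = tags[i], tags[i + 1]
        val = tags[i + 2:i + 2 + elen]
        if len(val) < elen:             # truncated element: stop rather than mis-parse
            break
        if eid == 0:
            # Hidden networks beacon a zero-length or all-NUL SSID element
            if elen and val.strip(b"\x00"):
                ssid = val.decode("utf-8", "replace")
            break
        i += 2 + elen
    return bssid, ssid

def collect_aps(frames):
    """Keep the first beacon seen per BSSID, like the aps list in the sniffer above."""
    seen, aps = set(), []
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed and parsed[0] not in seen:
            seen.add(parsed[0])
            aps.append(parsed)
    return aps
```

Feeding collect_aps a list of frames such as build_beacon("c8:d7:19:0d:24:73", b"druidia") yields one (bssid, ssid) pair per access point, with None standing in for the hidden SSID.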
Thanks for reading and P.S. I AM aware of the wireless information contained within this post.
I just scooped up an Android Mini PC for $35.79 on Amazon for the sole purpose of weaponizing it with some hacking tools, including a VoIP sniffing tool that I am currently developing by the name of Prometheus. The native OS on the device is Android 4.0 (Ice Cream Sandwich), which I am not overly impressed with from a performance standpoint. I figure if you are going to sell a device with an OS on it, it should probably run as if the OS were built for the hardware. Now I wouldn't want to deter anyone from purchasing the device (too late) because I do think that $35 is well worth the capabilities this device holds.
Anyhow, I figured I would share the goods in case anyone is looking for a cheap media center or perhaps even something that could suffice as a decent web browsing device. As I mentioned earlier, my reason for purchasing it is to eventually utilize it for security testing purposes. At this moment I am working on getting a flavor of Linux to run on the device with some level of stability. More on my progress soon…
OS: Android 4.0
CPU: Allwinner A10/ 1 GHz Cortex-A8
Internet: Wireless 802.11b/g, WAPI (Ralink8188)
Expansion: Micro TF card, max32GB
IO/Ports: Micro 5pin USB/ USB2.0 data transfer/ OTG and host expand
Currently working on what I would call my first real tool named Prometheus which is a VoIP sniffing utility. I really don’t want to share too much information on the tool at this time but I will just say that it is coming along well and I hope to share a PoC of the tool within the next few weeks. Below is a screenshot of the command usage:
I didn't even notice, but apparently a directory traversal vulnerability that I discovered back in January was converted into a Metasploit module. Not sure how that one slipped past me… but still cool. Here is the write-up and the source code. Thanks sinn3r!
So I ended up purchasing Security Tube's Python Scripting Expert course and I am so glad that I did. Right now I am just getting started on Module 2, which focuses on I/O, working with files and much more. Module 1 was a great refresher for me as well, and it helped clear up my fuzzy understanding of object-oriented programming. The entire module, which is broken into 10 parts (videos), covers the essentials of Python programming and is vital to understanding Python. Topics such as lists, tuples, functions, conditions, classes and much more are explained through practical exercises and examples.
The author, Vivek Ramachandran, delivers the subject at a digestible pace and order which to me is key to putting the puzzle pieces together. As I take this course, it reminds me of the Offensive-Security classes that I have taken in that the teacher finds a way to make complicated material seem much less complicated. At this point in my career I am no longer interested in the multiple choice brain dump exams such as the CEH and CISSP. I don’t want to discredit either of the certs as I think they were both instrumental in me furthering my career, but I think of these certs as more of a badge that you flash to get in the door. For example, it is no secret that right now the industry still recognizes the CEH over the OSCP, but for anyone who can testify to the degree of knowledge gained after taking the OSCP course, they will likely state that CEH holds no water in “Knowledge retention”. To me it is simple, I learn by practical application. Now when I take a course I think about how will the course help me in my career and will I remember what I learned. The OSCP was a course that I could never forget and Security Tube’s Python Scripting Expert course is one that I know I won’t forget either.
As I continue to work through the course I will provide you with a more extensive review.
I’ve been really thinking hard about taking this course to help improve my knowledge of python. Python has become a life saver for me at work and it seems like every day I’m finding better and more efficient ways to write my scripts. I’m thinking a course like this would be a great opportunity for me to improve on coding on the fly. If you’d like to check out the course details you can do so here
As if the tragic events that took place in the city of Boston weren't enough, reports are now stating that malware authors are exploiting the curiosity of Internet users through an email campaign claiming to provide the user with video footage of the explosions that took place at the marathon in Boston.
The email shown below contains a link to a malicious site that hosts two videos of Monday's events while simultaneously attempting to exploit a vulnerability in the Java platform, CVE-2012-1723.
More details on the latest threat can be viewed at Naked Security.
p.s. The Bruins lost in overtime
I kept hearing about this new remote password change vulnerability on select Linksys routers and finally got a chance to take a look at some coverage on it. So it turns out this is a Cross-Site Request Forgery vulnerability, which essentially allows you to embed a malicious request against a vulnerable system (usually an unprotected form, or one that does not confirm a submission). I have to say I thought that this was going to be a remote unauthenticated command injection vulnerability of some sort, but it looks like at the very least some user action is required to carry out the attack.
If you are unfamiliar with Cross-Site Request Forgery or you just want to check out the vulnerability itself, there is a decent write up found at Naked Security.
Seems like there is a new exploit kit or crimeware kit surfacing every day now. A new crimeware kit labeled "Whitehole" contains exploits for a number of known Java vulnerabilities (CVE-2011-3544, CVE-2012-1723, CVE-2012-4681, CVE-2012-5076 and CVE-2013-0422).
More coverage on the new crimeware kit can be found here.
In my last post we worked with Yara and string detection to identify a specific string of characters in a malicious binary. I also mentioned Yara's ability to integrate and work with other tools; however, I did not provide a practical example. In part 2 of this series I am going to show you how you can easily convert PEiD signatures to Yara-compatible signatures to detect packers.
If you are not familiar with packing and the use of the PEiD utility, I will try to sum it up quickly. Packers are utilities (sometimes malicious) that compress code with the intention of obfuscating the signature of a binary to avoid detection by anti-virus and similar tools. When a packed executable is executed, the compressed content is decompressed in memory, where it can continue to run without detection by most security products.
PEiD is a GUI utility designed for Windows that allows you to detect when the static content of an executable has been packed. In addition to packers, PEiD can identify cryptors and compilers listed within its database.
Converting the PEiD Database
So we need to begin with converting the PEiD signature database. You can download the database from the following location: PEiD DB
Once you have downloaded the database we can use the following python script to convert the database to a Yara friendly database: PEiD Conversion Script
root@bt:/# python peid_to_yara.py -f UserDB.TXT -o packer.yara
So we have now created a PEiD database for Yara and we are ready to scan some files.
Running Yara with PEiD
I took the time to download a few malicious files from the malc0de database that we can use for proof of concept and placed them in /malware of my machine.
We can direct Yara to use our PEiD database and scan our malicious files using the following command:
root@bt:/# yara -r packer.yara /malware/
As you can see we were able to identify a number of packed executables within the /malware folder.
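The conversion step above relies on a linked script whose contents are not shown here. As an added example, not that script and not part of the original post, here is a minimal converter from PEiD UserDB.TXT entries to Yara rules, showing what such a conversion has to deal with: signatures with ?? wildcards, entries flagged ep_only (anchored with Yara's entry_point), PEiD names that are not valid Yara identifiers and that repeat. The SAMPLE_USERDB entries are constructed, and the handling of leading wildcards (stripped, with the offset kept) is an assumption about what a converter needs rather than the linked script's behaviour.

```python
import re

SAMPLE_USERDB = """; constructed sample in PEiD UserDB.TXT format; the byte patterns are made up
[Example Packer v1.0 -> Someone]
signature = 60 E8 ?? ?? ?? ?? 5D 81 ED
ep_only = true
[Example Packer v1.0 -> Someone]
signature = ?? ?? 55 8B EC 6A FF ??
ep_only = true
"""

def parse_userdb(text):
    """Parse PEiD UserDB.TXT: [name], signature = hex bytes with ?? wildcards, ep_only."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "signature": "", "ep_only": False}
            entries.append(cur)
        elif cur is not None and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if key.lower() == "signature":
                cur["signature"] = value.upper()
            elif key.lower() == "ep_only":
                cur["ep_only"] = value.lower() == "true"
    return entries

def to_yara(text):
    """Emit one Yara rule per usable entry; ep_only signatures are anchored at entry_point."""
    rules, used = [], {}
    for e in parse_userdb(text):
        tokens = e["signature"].split()
        if not all(re.fullmatch(r"[0-9A-F?]{2}", t) for t in tokens):
            continue                      # malformed byte token: drop the entry
        # Older Yara versions reject hex strings that begin with a wildcard: strip, keep offset
        lead = next((i for i, t in enumerate(tokens) if t != "??"), len(tokens))
        tokens = " ".join(tokens[lead:]).rstrip("? ").split()
        if not tokens:
            continue                      # empty or wildcards only: nothing Yara can match
        ident = re.sub(r"[^A-Za-z0-9_]+", "_", e["name"]).strip("_")[:100] or "packer"
        ident = ("_" if ident[0].isdigit() else "") + ident   # identifiers cannot start with a digit
        used[ident] = n = used.get(ident, 0) + 1   # PEiD names repeat; rule names must be unique
        ident = ident if n == 1 else "%s_%d" % (ident, n)
        cond = "$a" if not e["ep_only"] else "$a at entry_point" + (" + %d" % lead if lead else "")
        rules.append("rule %s\n{\n    strings:\n        $a = { %s }\n    condition:\n        %s\n}\n"
                     % (ident, " ".join(tokens), cond))
    return "\n".join(rules)
```

Writing to_yara(open("UserDB.TXT").read()) to a file gives a ruleset that can be passed to yara -r in the same way as packer.yara above.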