ICSec/packetEssentials

packetEssentials

An essential set of modules for working with packets using the Scapy Library in Python. Highly geared around 802.11, but still useful for Ethernet.

Brief module descriptions

chanFreq

Import for lib/chan_freq.py This class is for channel/frequency specific tasks

• twoFour(val)

  """Converts the 2.4GHz frequency to its decimal-based counterpart"""
  print(chanFreq.twoFour(2412))

• twoFourRev(val)

  """Channel to Frequency converter for 2.4 GHz"""
  print(chanFreq.twoFourRev(4))

• fiveEight(val):

  """Frequency to Channel converter for 5.8 GHz"""
  print(chanFreq.fiveEight(5200))

• fiveEightRev(val):

  """Channel to Frequency converter for 5.8 GHz"""
  print(fiveEightrev(val):

conv

Import for lib/converter.py Class for simple conversions

• symString(packet, field)

  """Shows the symblic string for a given field"""
  for i in range(200):
      p[0].FCfield = i
      print str(i) + '--' + conv.symString(p[0][Dot11], 'FCfield')

drv

Import for lib/drivers.py This class identifies the given offsets for drivers

• drivers(val)

  """Returns the numeric driver offset for a given driver"""
  print drv.drivers('ath9k')

  hd

  Import for lib/handlers.py This class provides useful scapy frame handlers

  • crtlC()

    """Handles what happens when crtl + c occurs
    Tries to deal with unexpected situations in which the collected lists are at
    risk of being lost
    """

  • metaDisplay(orderHigh = True):

    """Returns self.metaCounts and self.metaSums as sorted lists
    The default is to return based on the value order of highest to lowest
    This is useful with regards to 802.11 in general.
    
    If a NIC is in range:
        - The RSSI for a given frame, at a particular point in space,
        relative to the location of the device in earshot can be considered
        the relative volume of the conversation.
    
        - The quantity of frames can be considered a metric of how chatty a
        given NIC is.
    
        - The sum of bytes transferred can be a metric in ratio to quantity,
         and other such things.  Logarithmic graphing helps in this respect.
    """

  • mpTraffic(macX, macY, verbose = False):

    """Packet handler to follow a given pair of MAC addresses
    Uses macPair as a boolean wrapper to determine if both MACs were seen
    """

  • mpTrafficCap(macX, macY, q, verbose = False):

    """Packet handler to follow a given pair of MAC addresses
    Captures self.mpTrafficList
    """

  • solo(macX, verbose = False):

    """Packet handler to follow a given pair of MAC addresses"""

  • soloCap(macX, q, verbose = False):

    """Packet handler to follow a given pair of MAC addresses
    Captures self.soloList
    """

sType

Import for lib/subtypes.py This class is for naming of subtypes where symStrings doesn't work

• mgmtSubtype

  """Returns Management Frame Subtypes"""
  print sType.mgmtSubtype(5)

• ctrlSubtype

  """Returns Control Frame Subtypes"""
  print sType.ctrlSubtype(11)

• dataSubtype

  """Returns Data Frame Subtypes"""
  print sType.dataSubtype(8)

pt

Import for lib/utils.py Class to deal with packet specific options

• byteRip

  """Take a packet and grab a grouping of bytes, based on what you want
  
  byteRip can accept a scapy object or a scapy object in str() format
  Allowing byteRip to accept str() format allows for byte insertion
  
  Example of scapy object definition:
    - stream = Dot11WEP()
  
  Example of scapy object in str() format
    - stream = str(Dot11WEP())
  
  chop is the concept of removing the qty based upon the order
  compress is the concept of removing unwanted spaces
  order is concept of give me first <qty> bytes or gives me last <qty> bytes
  output deals with how the user wishes the stream to be returned
  qty is how many bytes to remove
  """

• crcShave

  """Given a scapy object, iterate through all possible crc32 values
  Shave from left to right by default
  Calculate the CRC32 until there are no more bytes
  Returns True and stops if swVal is found
  
  Useful for throwing things against a wall and seeing what sticks
  
  If you know the scapy/wireshark version of the FCS you are hunting, use the
  swVal.  As an example --> crcShave(sObj, swVal = '0x153e3ebd')
  
  If you want to shave the bytes from right to left, shaveLeft = False
  
  Don't forget to remove the FCS bytes on the end of a frame before using, if
  those bytes are the FCS you hunt.
  
  Example usage as a simple function:
  import binascii
  import packetEssentials as PE
  from scapy.all import *
  from textwrap import wrap
  p = RadioTap(binascii.unhexlify('00 00 38 00 2F 40 40 A0 20 08 00 A0 20 08 00 00 20 33 7B CD 04 00 00 00 10 0C 9E 09 C0 00 A7 00 00 00 00 00 00 00 00 00 61 32 7B CD 00 00 00 00 16 00 11 03 A7 00 A3 01 C4 00 32 05 E0 3E 44 08 00 00 BD 3E 3E 15'.replace(' ', '')))
  swVal = hex(p[Dot11FCS].fcs)
  btVal = ' '.join(wrap(PE.pt.endSwap(swVal).upper()[2:], 2))                ## Useful to know for Endianness
  lbVal = PE.pt.byteRip(p, output = 'hex', qty = 4, order = 'last')
  choppedP = PE.pt.byteRip(p, chop = True, output = 'str', qty = 4, order = 'last')
  x = crcShave(choppedP, swVal = swVal, shaveLeft = False)
  print(x)
  """

• endSwap

  """Takes an object and reverse Endians the bytes
  
  Useful for crc32 within 802.11:
  Autodetection logic built in for the following situations:
  Will take the stryng '0xaabbcc' and return string '0xccbbaa'
  Will take the integer 12345 and return integer 14640
  Will take the bytestream string of 'aabbcc' and return string 'ccbbaa'
  """
  print pt.endSwap('0xaabbcc')
  print pt.endSwap(12345)
  print pt.endSwap('aabbcc')

• fcsGen

  """Return the FCS for a given frame
  start and end are treated as individual bytes to shave left and right,
  that are removed prior to calculating the FCS.
      - Useful if you want to byteRip inline so to speak
  """

• macFilter(mac, pkt):

  """ Combo whitelist and blacklist for given MAC address """

• macPair(macX, macY, pkt):

  """Pair up the MAC addresses, and follow them
  
  macX is weighted before macY, allowing the user to have a ranked format
  For fastest results, use macX as the quietest MAC
  """

• symStryngs(self, scpObj, fld, maxInt = 254):

  """Iterator to show the available opcodes for a given scapy object
  Returns a list object by default of 0-253 for the opcode
  """
      ````

Uninstantiated modules

• lib/nic.py
  • Generates a tap interface

  """Generates a tap interface
  By default, will create tap0 unless an integer parameter is added to Tap()
  """
  ## Create interface of tap3
  import packetEssentials as PE
  nTap = PE.lib.nic.Tap(3)

• lib/unifier.py
  • A singular point of contact for tracking purposes
  • Useful for passing around a Class with its associated objects

  ## Keep track of wlan0mon using ath9k
  import packetEssentials as PE
  nUni = PE.lib.unifier.Unify('wlan0mon')
  print nUni.offset
  print nUni.nic