
I'm using the script mentioned in this answer: 3 way handshake in Scapy - it is built using the scapy framework. This is the GitHub gist for that script: https://gist.github.com/tintinweb/8523a9a43a2fb61a6770

However, I'm not sure why it does not work, while the curl and telnet commands for the same setup (network flow: TCP dst/src IP and dst/src ports) work fine.

MY SETUP:

netcat -l 5555 (TCP) <---------- 127.0.0.1 ---------< curl http://127.0.0.1:5555

Script output:

ubunt@ubunt-MS-7A94:~/Desktop$ sudo python TCP_scapy.py 
WARNING: No route found for IPv6 destination :: (no default route?)
DEBUG:__main__:init: ('127.0.0.1', 5555)
DEBUG:__main__:start
DEBUG:__main__:SND: SYN
DEBUG:__main__:RCV: None
DEBUG:__main__:RCV: None
None
DEBUG:__main__:SND: FIN
DEBUG:__main__:RCV: None

TCPDUMP output:

> sudo tcpdump -i any -nn port 5555 -X
12:00:32.668429 IP 127.0.0.1.6320 > 127.0.0.1.5555: Flags [S], seq 905745200, win 8192, length 0
    0x0000:  4500 0028 0001 0000 4006 7ccd 7f00 0001  E..(....@.|.....
    0x0010:  7f00 0001 18b0 15b3 35fc 9330 0000 0000  ........5..0....
    0x0020:  5002 2000 9a50 0000                      P....P..
12:00:33.921969 IP 127.0.0.1.6320 > 127.0.0.1.5555: Flags [P.], seq 905745201:905745230, ack 0, win 8192, length 29
    0x0000:  4500 0045 0001 0000 4006 7cb0 7f00 0001  E..E....@.|.....
    0x0010:  7f00 0001 18b0 15b3 35fc 9331 0000 0000  ........5..1....
    0x0020:  5018 2000 e90c 0000 494e 5445 4e54 494f  P.......INTENTIO
    0x0030:  4e41 4c20 4241 4420 5245 5155 4553 540d  NAL.BAD.REQUEST.
    0x0040:  0a0d 0a0d 0a                             .....
12:00:35.204787 IP 127.0.0.1.6320 > 127.0.0.1.5555: Flags [F], seq 905745230, win 8192, length 0
    0x0000:  4500 0028 0001 0000 4006 7ccd 7f00 0001  E..(....@.|.....
    0x0010:  7f00 0001 18b0 15b3 35fc 934e 0000 0000  ........5..N....
    0x0020:  5001 2000 9a33 0000                      P....3..

The 2 differences that I have found between the packets sent by curl and scapy are:

  • length (curl: 74, scapy: 54);
  • scapy sends a broadcast @ Layer 2: ffff:ffff:ffff and curl sends 0000:0000:0000;
Mindaugas Bernatavičius
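To see what the tcpdump output above actually says, here is an added example (not from the question or the gist) that rebuilds the two client segments from the `-X` hex dump, decodes the IPv4/TCP headers, verifies both checksums and checks whether a handshake ever completed. The dump constants are copied from the capture above; everything else is assumption-free stdlib code.

```python
import struct
# Copied from the tcpdump -X output above: the SYN and the PSH/ACK segment sent by the script.
SYN_DUMP = """\
    0x0000:  4500 0028 0001 0000 4006 7ccd 7f00 0001  E..(....@.|.....
    0x0010:  7f00 0001 18b0 15b3 35fc 9330 0000 0000  ........5..0....
    0x0020:  5002 2000 9a50 0000                      P....P.."""
PSH_DUMP = """\
    0x0000:  4500 0045 0001 0000 4006 7cb0 7f00 0001  E..E....@.|.....
    0x0010:  7f00 0001 18b0 15b3 35fc 9331 0000 0000  ........5..1....
    0x0020:  5018 2000 e90c 0000 494e 5445 4e54 494f  P.......INTENTIO
    0x0030:  4e41 4c20 4241 4420 5245 5155 4553 540d  NAL.BAD.REQUEST.
    0x0040:  0a0d 0a0d 0a                             ....."""

def parse_tcpdump_hex(dump):
    """Rebuild raw bytes from tcpdump -X lines; the hex groups fill a fixed 41-char field after the offset."""
    raw = bytearray()
    for line in dump.splitlines():
        hexfield = line.split(":", 1)[1][:41]  # drop "0x0010:" and the trailing ASCII column
        raw += bytes.fromhex(hexfield.replace(" ", ""))
    return bytes(raw)

def checksum(data):
    """RFC 1071 ones'-complement sum; returns 0 when the checksum embedded in data is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(pkt):
    """Decode IPv4 and TCP headers (no TCP options expected here) and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    flag_str = "".join(n for i, n in enumerate("FSRPAUECN") if off_flags & (1 << i))
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, zero, proto=TCP, TCP length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flag_str, "win": win,
            "payload": tcp[(off_flags >> 12) * 4:],
            "ip_csum_ok": checksum(pkt[:ihl]) == 0, "tcp_csum_ok": checksum(pseudo + tcp) == 0}

def handshake_completed(segments):
    """True only if a SYN/ACK was seen and no data was pushed with an acknowledgment number of 0."""
    synack = any(s["flags"] == "SA" for s in segments)
    pushed_blind = any("P" in s["flags"] and s["ack"] == 0 for s in segments)
    return synack and not pushed_blind

SEGMENTS = [decode(parse_tcpdump_hex(d)) for d in (SYN_DUMP, PSH_DUMP)]
```

Both checksums verify, so the SYN itself is well formed; the tell is the PSH/ACK carrying `ack 0` with no SYN/ACK ever captured from port 5555, i.e. the script never saw a reply on `lo` and pushed its payload blind.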

1 Answer


The loopback interface (lo) is very specific and injection tools, such as Scapy, may not work as expected on it. You should try to connect to a remote host instead of 127.0.0.1.

Pierre