Viewing 2 posts - 1 through 2 (of 2 total)
  • #31436
    Dege Ratak
    Spectator

    Posted a comment but thought I’d share here as well.

    Don’t import scapy.layers.http
    With the latest version of scapy (2.4.2, also tried 2.4.3) a lot has changed with the API.
    For example, scapy.TCP, scapy.IP etc. are no longer visible in PyCharm even if you import scapy.all.
    If you’re like me you might do some digging to find them in the submodules
    so PyCharm is happy
    e.g.
    from scapy.layers.inet import IP, TCP

    You might even be tempted to import scapy.layers.http to see if there are newer ways to detect/modify HttpRequest/Response. 😐

    However, just importing scapy.layers.http will cause problems when running the program.
    Requests will no longer have a Raw layer and you’ll be scratching your head for a while like I was.
    Coming from Java land I wasn’t aware that importing a module actually kicks off some initialization of code that can change behaviour in the rest of the lib.
    When you import that module, any HTTP packets automatically now have an HTTPRequest or HTTPResponse layer instead of the Raw layer, and the code as it is won’t work.
    Just in case anyone else runs into this.

    One question though: I noticed that when requesting the download I’ll actually get two HTTP requests and two HTTP responses. This led me to add a line that checks if the ack_list already has
    the request packet in it before adding it.

    if scapy_packet[inet.TCP].ack not in ack_list:
        ack_list.append(scapy_packet[inet.TCP].ack)

    In the lecture video I did see that behaviour. Interestingly, with or without this check the result is that it still works. Just wondering why this was the case.
    This was with Firefox and curl just running locally.

    #31448
    Dege Ratak
    Spectator

    I figured out why there were duplicate packets.
    Because I initially couldn’t find a non-HTTPS download link, I was running Apache locally on the Kali host itself to serve up both the original file as well as the evil replacement file.
    This also ended up confusing me when I went to try to target the Windows VM, as after running arp spoof I could see all traffic going to/from the internet from the Windows machine
    but couldn’t see any of the requests made from the Windows machine to the Kali machine itself. In my overly complicated setup I had to add the iptables INPUT/OUTPUT rules as well as the FORWARD rules so I could see traffic directed to the Kali host as well.
