from IPython.core.display import Image
# Decorative banner for the notebook; fetched over plain HTTP from a third-party
# CDN when the cell is rendered (nothing in the analysis depends on it).
banner_url = 'http://smhttp.23575.nexcesscdn.net/80ABE1/sbmedia/blog/wp-content/uploads/2013/04/computer-hacker.jpg'
Image(url=banner_url)
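from scapy.all import *
# Live capture of ten HTTP packets. Needs raw-socket privileges (root /
# CAP_NET_RAW) and an interface name that exists on this machine -- "en0" is
# typically the primary interface on macOS; use conf.iface or `ifconfig` to
# pick the right one elsewhere. Port 80 traffic is unencrypted, so whatever
# lands in `a` (URLs, cookies, form data) should be handled like credentials
# and not left in a shared notebook. On a shared network this also captures
# other people's traffic: only sniff where you are authorised to.
a = sniff(iface="en0", filter="tcp and port 80", count=10)
a               # PacketList summary (rendered by the notebook)
# The original ran the next two cells twice each and reached into the
# PacketList's internal `.res` list; indexing the PacketList is the public way.
a[0]            # first captured packet
a[0].show()     # layer-by-layer dissection of that packet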
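import os

# Sample capture of searches against search.yahoo.com. The packet indices used
# further down (pkts[79], pkts[148], pkts[227]) refer to THIS file, so it must
# not be replaced by a fresh capture once it exists. The original loaded the
# file, then unconditionally sniffed live and wrote the result over the same
# path -- destroying the sample the hard-coded indices were taken from.
sample_http = 'data/yahoo_search.cap'
if os.path.isfile(sample_http):
    # offline: re-read the saved capture
    pkts = sniff(offline=sample_http)
else:
    # online: capture once (needs root / CAP_NET_RAW) and save for later runs.
    # No iface is given, so scapy picks its default interface; on a shared
    # segment this can include other users' traffic -- capture only your own.
    pkts = sniff(filter="tcp and host search.yahoo.com", count=300)
    wrpcap(sample_http, pkts)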
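pkts                 # PacketList summary
pkts.nsummary()      # numbered one-line summaries; the packet indices below come from this listing


def _search_term(load):
    """Return the `p=` query value from a raw HTTP request payload, or None.

    *load* is the Raw-layer payload of a GET to search.yahoo.com whose request
    line looks like `GET /search?p=<term>&... HTTP/1.1`. The original chained
    split()[1] directly and raised IndexError on any payload without `?p=`;
    this returns None instead. The term comes back exactly as sent on the wire
    (still URL-encoded: spaces as `+`, non-ASCII as %XX).
    """
    if load is None:
        return None
    if isinstance(load, bytes):
        # scapy hands back bytes on Python 3; latin-1 maps every byte 1:1
        load = load.decode('latin-1')
    if '?p=' not in load:
        return None
    return load.split('?p=')[1].split('&')[0]


# Indices of the three search requests in data/yahoo_search.cap. They are
# specific to that capture and will not line up with a fresh one. The original
# repeated every cell twice; each step now runs once.
QUERY_PACKETS = (79, 148, 227)
pkts[QUERY_PACKETS[0]].show()           # full dissection of the first query
pkts[QUERY_PACKETS[0]].getlayer(Raw)    # its application-layer payload
for index in QUERY_PACKETS:
    raw = pkts[index].getlayer(Raw)
    # these are the user's search terms recovered from cleartext HTTP -- the
    # concrete reason unencrypted web traffic is a confidentiality problem
    print(_search_term(raw.fields.get('load') if raw is not None else None))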
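from scapy.all import *
# Live alternative to the sample file (needs root / CAP_NET_RAW):
# pkts = sniff(filter="tcp and host 8.8.8.8", count=100)
sample_http = 'data/http.cap'
pkts = sniff(offline=sample_http)
pkts                 # PacketList summary
# The original ran the next cells twice; once is enough.
pkts[3].show()       # dissection of packet 3, which carries the HTTP request of interest
raw = pkts[3].getlayer(Raw)
# getlayer() returns None rather than raising when there is no Raw layer;
# fall back to an empty payload so the substring test below still runs.
load = raw.fields.get('load') if raw is not None else ''
print(load)
# your search term
# NOTE: on Python 3 scapy payloads are bytes, so the needle would have to be
# b'GET /download'; this notebook is written for Python 2 (str payloads).
'GET /download' in load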
import select as s
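def trace_route(pkts, retries=3):
    """Traceroute to the destination of the first TCP/IP packet in *pkts*.

    Scans *pkts* for the first packet carrying both an IP and a TCP layer and
    runs scapy's traceroute towards that packet's destination, reusing its
    source and destination ports so the probes resemble the captured flow.

    NOTE: this actively sends probes (one per TTL, 1..20) to a third-party
    host and needs raw-socket privileges (root / CAP_NET_RAW). Only run it
    against destinations you are permitted to probe.

    Args:
        pkts: iterable of scapy packets (e.g. a PacketList).
        retries: how many times a socket error is retried before giving up.
            The original looped forever on a persistent error (e.g. missing
            privileges), hanging the notebook.

    Returns:
        (hops, sport): `hops` starts with the captured packet's source address
        followed by the address of each responding hop in TTL order; `sport`
        is the captured source port. ([], None) when no TCP/IP packet is found
        (the original fell off the end and returned a bare None, which broke
        the caller's two-value unpack).

    Raises:
        ValueError: if *retries* is less than 1.
        select.error (OSError on Python 3): the last socket error, once every
            attempt has failed.
    """
    if retries < 1:
        raise ValueError("retries must be >= 1")
    for pkt in pkts:
        # getlayer() returns None instead of raising, so the original's
        # try/except never fired and the attribute access below crashed on
        # the first non-TCP packet (ARP, UDP, ICMP, ...).
        if not (pkt.haslayer(IP) and pkt.haslayer(TCP)):
            continue
        ip_layer = pkt.getlayer(IP)
        tcp_layer = pkt.getlayer(TCP)
        src, destination = ip_layer.src, ip_layer.dst
        sport, dport = tcp_layer.sport, tcp_layer.dport
        last_error = None
        for _attempt in range(retries):
            try:
                res, _unans = traceroute(target=destination,
                                         dport=dport, sport=sport,
                                         maxttl=20)
            except s.error as err:
                last_error = err
                continue
            # res.res is a list of (sent, received) pairs, one per answered
            # TTL; the responder's source address is the hop.
            hops = [src] + [received.src for _sent, received in res.res]
            return hops, sport
        raise last_error
    return [], None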
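# Hop list presumably recorded from an earlier run of trace_route(pkts) (the
# first two entries are private RFC 1918 addresses, i.e. the local network).
# The original assigned it and immediately overwrote it with a live trace,
# leaving dead code; it is now the fallback for when the live trace cannot run
# (no raw-socket privileges, no network).
RECORDED_HOPS = ['192.168.0.1', '10.218.160.4', '10.218.160.2', '10.218.161.61', '10.218.161.34', '10.218.162.20', '10.218.162.26', '92.79.230.53', '92.79.211.210', '213.248.75.217', '80.91.246.6', '80.91.253.215', '213.155.135.215', '213.248.69.62', '93.92.131.65', '93.92.131.110', '93.92.134.70', '81.28.232.189']
try:
    # active probing of the capture's destination host -- see trace_route()
    tr, sport = trace_route(pkts)
except Exception as err:  # notebook-level boundary: report and fall back, don't abort
    print("live traceroute failed (%r); using the recorded hops" % (err,))
    tr, sport = RECORDED_HOPS, None
tr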
import pygeoip
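def map_ip(hops, db_path='data/GeoLiteCity.dat'):
    """Geolocate a list of hop addresses with the local GeoLite City database.

    Args:
        hops: IP address strings, e.g. the list returned by trace_route().
        db_path: path to GeoLiteCity.dat. Parameterised so the location is
            no longer hard-coded; the default is unchanged.

    Returns:
        list of (lon, lat) tuples -- longitude first, the order GeoJSON
        expects. Hops with no record (private RFC 1918 addresses such as
        192.168.0.1 / 10.x.x.x, or addresses missing from the database) are
        skipped, so the result may be shorter than *hops* and its positions
        no longer line up with hop indices.
    """
    gip = pygeoip.GeoIP(db_path)
    coordinates = []
    for hop in hops:
        geo_data = gip.record_by_addr(hop)
        if geo_data:
            coordinates.append((geo_data['longitude'], geo_data['latitude']))
    return coordinates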
# (lon, lat) per located hop; private hops are absent from the result
coordinates = map_ip(hops=tr)
coordinates
import geojson
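def create_geojson(coordinates):
    """Serialize hop positions as a GeoJSON FeatureCollection string.

    Args:
        coordinates: list of (lon, lat) pairs, one per located hop (the output
            of map_ip()).

    Returns:
        JSON text of a FeatureCollection with one Point feature per hop,
        ids 1..n and a "hop i" title. The original emitted each single
        position as a "LineString", which is invalid GeoJSON (a LineString
        needs an array of at least two positions) and is rejected by strict
        map libraries; a Point is what one (lon, lat) pair describes. The
        "features" member is now always present (an empty list for no input)
        as the GeoJSON spec requires.
    """
    import json  # the payload is plain dicts/lists; the stdlib encoder suffices
    features = []
    for j, position in enumerate(coordinates, 1):
        features.append({
            "type": "Feature",
            "id": j,
            "properties": {"title": "hop %i" % j},
            "geometry": {"type": "Point", "coordinates": list(position)},
        })
    return json.dumps({"type": "FeatureCollection", "features": features})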
# GeoJSON for the traced route, printed for inspection
search_route = create_geojson(coordinates)
print(search_route)
from IPython.display import HTML
# map embed placeholder (the markup was stripped from this listing)
HTML('')
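from scapy.all import *
import base64

sample_smtp = "data/smtp.pcap"
packets = sniff(offline=sample_smtp)
packets.nsummary()   # numbered summaries; packets 11-13 below were picked from this listing

# Packets 11-13 carry short base64 tokens -- presumably an SMTP AUTH LOGIN
# exchange (base64 "Username:" / "Password:" prompts and the client's answers);
# confirm against the nsummary() output. base64 is an encoding, not encryption:
# whatever decodes here is a cleartext credential taken off the wire. Treat the
# decoded values as secrets -- don't leave them in a shared notebook or commit
# the cell output.
packets[11]
raw = packets[11].getlayer(Raw)
raw
load = raw.fields.get('load').split()[0]   # first whitespace-delimited token
load
base64.b64decode(load)

packets[12]
raw = packets[12].getlayer(Raw)
load = raw.fields.get('load')
some_encoded_string = load.split(' ')[1]   # second space-delimited token
print(some_encoded_string)
base64.b64decode(some_encoded_string)

raw = packets[13].getlayer(Raw)
load = raw.fields.get('load').split()[0]
print(load)
# what could this be?!? -- presumably the client's reply to the "Password:"
# prompt, i.e. the account password in the clear (decoded once; the original
# ran this cell twice)
base64.b64decode(load)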
def filter_packet_by_string(pkt, string):
    """Print a packet's IP endpoints and raw payload when *string* occurs in the payload.

    Packets with no Raw (application-data) layer are ignored. Output goes to
    stdout; nothing is returned.
    """
    if not pkt.haslayer(Raw):
        return
    payload = pkt.getlayer(Raw).fields.get('load')
    if string not in payload:
        return
    header = pkt.sprintf("\n**QUERY FOUND:**\n"
                         "From {IP:%IP.src% -> %IP.dst%\n}")
    print(header)
    print(payload)
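# Look for MIME attachment headers in the SMTP payloads. Runs once -- the
# original repeated the loop and printed every hit twice.
for pkt in packets:
    filter_packet_by_string(pkt, 'attachment')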
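# Read the sample PGP/MIME message; the with-block closes the handle the
# original left open.
with open('pgpemail.txt', 'r') as pgp_email_file:
    pgp_email = pgp_email_file.read()
print(pgp_email)
# per RFC 3156: a PGP/MIME encrypted message is multipart/encrypted with this
# protocol parameter. Matching the literal string only shows the message
# *claims* to be PGP-encrypted; it validates neither the MIME structure nor
# the ciphertext.
'protocol="application/pgp-encrypted"' in pgp_email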
# quick and dirty email parser/traceroute (local `spy` helper module)
import spy
pgp_email_file = 'pgpemail.txt'
# presumably the relay addresses pulled from the message headers -- if so,
# note that header fields are written by each hop and the earliest ones can be
# forged by the sender, so this only shows where the mail *claims* to have come
# from; verify against spy.parse_email before relying on it
ip_addrs = spy.parse_email(pgp_email_file)
ip_addrs
# writes the traced route to PGPEmail.geojson; like trace_route() above this
# presumably sends live probes and needs raw-socket privileges
tr = spy.trace_route(ip_addrs, 'PGPEmail.geojson')
from IPython.display import HTML
# map embed placeholder (markup stripped from this listing)
HTML('')
from scapy.all import *
# sample capture mixing Skype and IRC traffic
sample_irc = "data/SkypeIRC.cap"
pkts = sniff(offline=sample_irc)
pkts          # PacketList summary
pkts.show()   # full dissection of every packet -- verbose on a large capture
# one line per packet: IP endpoints followed by the raw payload, which for
# unencrypted IRC means nicks, channels and messages are readable as-is
fmt = ("{IP:%IP.src% -> %IP.dst%\n}"
       "{Raw:%Raw.load%\n}")
pkts.summary(prn=lambda x: x.sprintf(fmt))
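def filter_packet_by_string(pkt, string):
    """Print a packet's IP endpoints and raw payload when *string* occurs in the payload.

    Same contract as the earlier definition: packets without a Raw layer are
    skipped silently; matches are printed, nothing is returned.

    The original wrapped the whole body in `except Exception: pass`, which
    also hid real errors (a bad sprintf format, a bytes/str mismatch on
    Python 3). The one expected failure -- getlayer(Raw) returning None --
    is now checked explicitly so genuine bugs surface.
    """
    if not pkt.haslayer(Raw):
        return
    raw_load = pkt.getlayer(Raw).fields.get('load')
    if string in raw_load:
        print(pkt.sprintf("QUERY FOUND:\nFrom "
                          "{IP:%IP.src% -> %IP.dst%\n}"))
        print(raw_load)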
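# Find IRC payloads mentioning "amarok". Runs once -- the original repeated
# the loop and printed every hit twice.
for pkt in pkts:
    filter_packet_by_string(pkt, 'amarok')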
import nmap
# Port scan of a third-party host (python-nmap wrapper around the nmap binary).
# Scanning systems you do not own or have written authorisation to test can
# breach their terms of service or local law; point this at a lab target or
# your own infrastructure before running it.
target, ports = 'bitbucket.org', '22-443'   # contiguous port range 22..443
nm = nmap.PortScanner()
bitbucket = nm.scan(target, ports)
bitbucket            # full scan result dict
bitbucket_hosts = nm.all_hosts()
bitbucket_hosts      # addresses the hostname resolved to and that were scanned
import pygeoip
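def map_ip(ip, db_path='data/GeoLiteCity.dat'):
    """Return (lon, lat) for one IP address from the local GeoLite City database.

    Args:
        ip: dotted-quad IPv4 address string.
        db_path: location of GeoLiteCity.dat ("locally saved dat file");
            parameterised instead of hard-coded, default unchanged.

    Returns:
        (longitude, latitude) tuple -- lon first, as GeoJSON expects -- or
        None when the database has no record for the address (private or
        reserved ranges, unknown addresses). The original fell off the end of
        the function in that case, which is the same None but easy to miss
        when the result is passed straight to create_geojson().
    """
    gip = pygeoip.GeoIP(db_path)
    geo_data = gip.record_by_addr(ip)
    if not geo_data:
        return None
    return geo_data['longitude'], geo_data['latitude']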
import geojson
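def create_geojson(coordinates):
    """Serialize one position as a GeoJSON FeatureCollection string.

    Args:
        coordinates: (lon, lat) pair from map_ip(), or None when the address
            could not be located.

    Returns:
        JSON text of a FeatureCollection holding a single Point feature
        (id 1, title "hop 1"). When *coordinates* is None the feature's
        geometry is null -- an "unlocated" feature, which GeoJSON allows --
        instead of the invalid {"type": "Point", "coordinates": null} the
        original produced.
    """
    import json  # plain dicts/lists: the stdlib encoder is sufficient
    if coordinates is None:
        geometry = None
    else:
        geometry = {"type": "Point", "coordinates": list(coordinates)}
    feature = {
        "type": "Feature",
        "id": 1,
        "properties": {"title": "hop 1"},
        "geometry": geometry,
    }
    return json.dumps({"type": "FeatureCollection", "features": [feature]})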
# Geolocate the first address the scan resolved and render it as GeoJSON
first_host = bitbucket_hosts[0]
coordinates = map_ip(first_host)
geojson_file = create_geojson(coordinates)
print(geojson_file)
from IPython.display import HTML
# map embed placeholder (markup stripped from this listing)
HTML('')