2Scapy Python Tool for Fabricating Handshake
Voila! The OS fingerprinter is convinced that the packets were sent by an iOS device. When we scroll down, we can see the actual HTTP request with the user agent data. At this point, the NAC allows access and we can go back to doing our usual business. Don’t forget to open up iptables:
# iptables -F
So what happened here, exactly? Let’s break it down:
We’re declaring a variable for the captive portal IP address and the source port. The source port is a random integer between 1024 and 65535 so that an ephemeral port is used:
ip=IP(dst=CPIPADDRESS, flags=”DF”, ttl=64)
tcpopt=[(“MSS”,1460), (“NOP”,None), (“WScale”,2), (“NOP”,None), (“NOP”,None), (“Timestamp”,(123,0)), (“SAckOK”,””), (“EOL”,None)]
SYN=TCP(sport=SOURCEP, dport=80, flags=”S”, seq=1000, window=0xffff, options=tcpopt)
Now we’re defining the layers of the packets we will send. ip is the IP layer of our packet with our captive portal as the destination, a don’t-fragment flag set, and a TTL of 64. Now, when Scapy Python Tool is ready to send this particular packet, we’ll simply reference ip.
We define tcpopt with the TCP options we’ll be using. This is the meat and potatoes of the OS signature, so this is based on our signature research.
Next we declare SYN, which is the TCP layer of our packet, defining our randomly chosen ephemeral port, the destination port 80, the SYN flag set, a sequence number, and a window size (also part of the signature). We set the TCP options with our just-defined tcpopt.
Then, we send the SYN request with sr1. However, sr1 means send a packet, and record 1 reply. The reply is then stored as SYNACK:
ACK=TCP(sport=SOURCEP, dport=80, flags=”A”, seq=SYNACK.ack+1, ack=SYNACK.seq+1, window=0xffff)send(ip/ACK)
We sent a SYN packet with sr1, which told Scapy Python Tool to record the reply – in other words, record the SYN-ACK that comes back from the server. That packet is now stored as SYNACK. So, now we’re constructing the third part of the handshake, our ACK. We use the same port information and switch the flag accordingly, and we take the sequence number from the SYN-ACK and increment it by one. Since we’re just acknowledging the SYN-ACK and thus completing the handshake, we only send this packet without needing a reply, so we use the send command instead of sr1:
request=”GET / HTTP/1.1\r\nHost: ” + CPIPADDRESS + “\rMozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1 \r\n\r\n”PUSH=TCP(sport=SOURCEP, dport=80, flags=”PA”, seq=1001, ack=0, window=0xffff)send(ip/PUSH/request)
Now that the TCP session is established, we craft our GET request for the HTTP server. We’re constructing the payload and storing it as request. Note the use of Python syntax to concatenate the target IP address and create returns and new lines. We construct the TCP layer with the PSH + ACK flag and an incremented sequence number. Finally, another send command to send the packet using the same IP layer, the newly defined TCP layer called PUSH, and the HTTP payload as request:
ST=TCP(sport=SOURCEP, dport=80, flags=”R”, seq=1001, ack=0, window=0xffff)