Monday 16 March 2020

Using Python for Network Forensics #2.

Hi all.

Today I would like to present the second chapter of the excerpt from the book "Mastering Python Forensics", Copyright © 2015 Packt Publishing, written by Dr. Michael Spreitzenbarth and Dr. Johann Uhrmann. The first chapter is here.

So, now we are using Scapy during an investigation. Let's go.

Another great Python-based tool to analyze and manipulate network traffic is Scapy. According to the developer website, http://www.secdev.org/projects/scapy/:
"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more."

Scapy differs from the standard tools (and also from Dshell) by giving an investigator the ability to write small Python scripts that manipulate or analyze network traffic, either in recorded form or in real time. Furthermore, Scapy can perform deep packet dissection, passive OS fingerprinting, and plotting via third-party tools such as GnuPlot, as these are built-in features.
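The deep packet dissection mentioned above is what lets the Scapy scripts in this excerpt read fields such as getlayer(IP).src with one call. The following added example (not code from the book or from Scapy) performs the same dissection by hand on a constructed Ethernet/IPv4/TCP frame with only the Python standard library, so the byte offsets behind those fields are visible; the talkers() function is the streaming counterpart of Scapy's sniff(prn=..., store=0): each frame is inspected by a callback and then dropped. Frame contents, addresses and the helper names are all constructed for the demo.

```python
import socket
import struct
from collections import Counter

# Minimal hand-written dissector for Ethernet II / IPv4 / TCP frames. Added example,
# not code from the book or from Scapy; it reads the same fields Scapy's IP and TCP
# layers expose (src, dst, sport, dport, flags) straight from the bytes.

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_BITS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20)]


def tcp_flags_str(flags):
    """Render a TCP flags byte the way Scapy prints it, e.g. 0x12 -> 'SA'."""
    return "".join(name for name, bit in TCP_FLAG_BITS if flags & bit)


def build_frame(src_ip, dst_ip, sport, dport, tcp_flags, df=True):
    """Build a constructed (not captured) Ethernet/IPv4/TCP frame; checksums are left zero."""
    eth = bytes.fromhex("005056c00008") + bytes.fromhex("005056f12d28") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    frag = 0x4000 if df else 0  # IP flags/fragment field: bit 0x4000 is Don't Fragment
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def dissect(frame):
    """Return a dict of the fields an investigator usually wants, or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length in bytes (options included)
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    rec = {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "proto": ip[9],
        "ip_df": bool(flags_frag & 0x4000),        # IP-layer flag, a different field from TCP flags
    }
    if rec["proto"] == PROTO_TCP and len(ip) >= ihl + 20:
        tcp = ip[ihl:]
        rec["sport"], rec["dport"] = struct.unpack("!HH", tcp[:4])
        rec["tcp_flags"] = tcp_flags_str(tcp[13])  # flags byte sits at offset 13 of the TCP header
    return rec


def talkers(frames):
    """Streaming counterpart of sniff(prn=..., store=0): dissect each frame, keep only
    the (src, dst) counters, and let the frame itself be garbage-collected."""
    pairs = Counter()
    for frame in frames:
        rec = dissect(frame)
        if rec is not None:
            pairs[(rec["src"], rec["dst"])] += 1
    return pairs


# Constructed sample: a SYN, the SYN/ACK answer, and a RST/ACK from a closed port.
SAMPLE_FRAMES = [
    build_frame("192.168.161.131", "192.168.161.12", 40000, 80, 0x02),
    build_frame("192.168.161.12", "192.168.161.131", 80, 40000, 0x12),
    build_frame("192.168.161.34", "192.168.161.131", 80, 40001, 0x14),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(dissect(f))
    print(talkers(SAMPLE_FRAMES))
```

The ip_df and tcp_flags entries are kept side by side on purpose: the Don't Fragment bit lives in the IP header and the SYN/ACK bits in the TCP header, and a response to a probe has to be judged by the latter.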

The following Python script, which is taken from Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis, SANS Institute InfoSec Reading Room, is a very brief example of how powerful Scapy is:

import GeoIP                      # legacy GeoIP C-library binding used by the original script
from scapy.all import sniff, IP   # sniff() and the IP layer are exported by scapy.all

geoIp = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)

def locatePackage(pkg):
    # Callback for every sniffed packet: resolve both endpoints to a country code
    src = pkg.getlayer(IP).src
    dst = pkg.getlayer(IP).dst
    srcCountry = geoIp.country_code_by_addr(src) or "??"   # None for private or unknown ranges
    dstCountry = geoIp.country_code_by_addr(dst) or "??"
    print(src + "(" + srcCountry + ") >> " + dst + "(" + dstCountry + ")\n")

try:
    while True:
        # store=0: hand each packet to the callback and drop it instead of keeping it in RAM
        sniff(filter="ip", prn=locatePackage, store=0)
except KeyboardInterrupt:
    print("\nScan Aborted!")



This script records statistics about the geolocation of the source and destination IP addresses of an ongoing network connection. After importing the Scapy package into our Python script, we call the sniff function and use a filter to capture only IP packets. The last parameter of the sniff function is very important if you plan to run Scapy scripts for a long time. With the store parameter set to 0, you tell Scapy not to keep every packet in RAM during the run, which makes the script faster and less resource-hungry. The callback passed as prn looks up the geolocation of the source and destination IP addresses extracted from each packet. In the next example, we will illustrate how to build a very simple port scanner with the help of Scapy, as follows:

#!/usr/bin/env python
import sys
from scapy.all import IP, TCP, sr, conf

if len(sys.argv) != 3:
    print("Usage: scanner.py <net> <port> (e.g.: scanner.py 192.168.161.1/24 80)")
    sys.exit(1)
targetRange = sys.argv[1]
targetPort = sys.argv[2]
conf.verb = 0   # silence Scapy's per-packet output
# One SYN to the given port on every host in the range
p = IP(dst=targetRange)/TCP(dport=int(targetPort), flags="S")
ans, unans = sr(p, timeout=9)
for snd, rcv in ans:
    # An open port answers with SYN/ACK (0x12); a closed one with RST/ACK.
    # The check must read the TCP layer: rcv.flags alone would return the IP-layer flags.
    if rcv.haslayer(TCP) and rcv[TCP].flags == 0x12:
        print(rcv.src)

This small script is able to scan whole IP ranges for a given open port. If you are searching for web servers listening on port 80, you can use the script as follows:

(labenv)user@lab:~$ ./scanner.py 192.168.161.1/24 80
WARNING: No route found for IPv6 destination :: (no default route?)
Begin emission:..........
192.168.161.12
192.168.161.34
192.168.161.111
....

We can also use the Address Resolution Protocol (ARP) for reconnaissance of the whole network range that our system is connected to. With the help of the following script, we get a nicely printed table of all the IP addresses that are online, together with their corresponding MAC addresses:

#!/usr/bin/env python
import sys
from scapy.all import srp, Ether, ARP, conf

if len(sys.argv) != 2:
    print("Usage: arp_ping <net> (e.g.: arp_ping 192.168.1.0/24)")
    sys.exit(1)
conf.verb = 0   # silence Scapy's per-packet output
# Broadcast one ARP who-has for every address in the range; hosts that are up reply
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]), timeout=9)
print(r"+------------------+-----------------+")
print(r"|       MAC        |        IP       |")
print(r"+------------------+-----------------+")
for snd, rcv in ans:
    # sprintf() formats fields of the received reply: sender MAC and sender IP
    print(rcv.sprintf(r" %Ether.src% | %ARP.psrc%"))
print(r"+------------------+-----------------+")

When executing the script, we will receive something similar to this:

(labenv)user@lab:~$ ./arp_ping.py 192.168.161.131/24
WARNING: No route found for IPv6 destination :: (no default route?)
+------------------+-----------------+
|       MAC        |        IP       |
+------------------+-----------------+
 00:50:56:c0:00:08 | 192.168.161.1
 00:50:56:f5:d3:83 | 192.168.161.2
 00:50:56:f1:2d:28 | 192.168.161.254
+------------------+-----------------+

Scripts such as these two can be very useful if no port scanner is available on the system or if you want to chain a port scanner with the other Python-based scripts for your investigation.
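Seen from the other side of the wire, both scripts leave a characteristic trace: a burst of bare SYNs from one source to the same port on many hosts, and a burst of ARP who-has requests from one source for many addresses. The following added example (not code from the book or from Scapy) runs simple detection logic over per-packet records of the kind a sniff(prn=...) callback or a loop over rdpcap() would emit; the records, addresses, timings and the sweep_alerts() name are constructed for the demo.

```python
from collections import defaultdict

# Scan-detection logic over per-packet records. Added example, not code from the book
# or from Scapy. One tuple per packet:
#   (time_s, kind, src, dst, dport, tcp_flags)   kind is "tcp" or "arp" (who-has request)

SAMPLE_EVENTS = [
    # Constructed: a SYN sweep of port 80 across the /24, the trace scanner.py leaves
    (0.10, "tcp", "192.168.161.131", "192.168.161.12", 80, "S"),
    (0.11, "tcp", "192.168.161.131", "192.168.161.34", 80, "S"),
    (0.12, "tcp", "192.168.161.131", "192.168.161.111", 80, "S"),
    (0.13, "tcp", "192.168.161.131", "192.168.161.200", 80, "S"),
    (0.20, "tcp", "192.168.161.12", "192.168.161.131", 40000, "SA"),
    # Constructed: an ARP who-has burst across the /24, the trace arp_ping.py leaves
    (1.00, "arp", "192.168.161.131", "192.168.161.1", None, None),
    (1.01, "arp", "192.168.161.131", "192.168.161.2", None, None),
    (1.02, "arp", "192.168.161.131", "192.168.161.3", None, None),
    (1.03, "arp", "192.168.161.131", "192.168.161.254", None, None),
    # Constructed: a normal client, one handshake and one ARP lookup of its gateway
    (2.00, "tcp", "192.168.161.50", "192.168.161.12", 80, "S"),
    (2.01, "tcp", "192.168.161.12", "192.168.161.50", 51000, "SA"),
    (2.02, "tcp", "192.168.161.50", "192.168.161.12", 80, "A"),
    (2.50, "arp", "192.168.161.50", "192.168.161.1", None, None),
    # Constructed: the same source much later, which falls into a separate window
    (40.0, "tcp", "192.168.161.131", "192.168.161.12", 443, "S"),
]


def sweep_alerts(events, window_s=10.0, min_targets=3):
    """Return (alert_type, src, window_index, distinct_targets) for every source that,
    within one tumbling window of window_s seconds, sent bare SYNs to at least
    min_targets distinct (dst, port) pairs, or ARP who-has requests for at least
    min_targets distinct addresses. Only bare SYNs count: a SYN/ACK is a server's
    normal answer and must not be held against it."""
    syn_targets = defaultdict(set)   # (src, window) -> {(dst, dport)}
    arp_targets = defaultdict(set)   # (src, window) -> {dst}
    for time_s, kind, src, dst, dport, flags in events:
        window = int(time_s // window_s)
        if kind == "tcp" and flags == "S":
            syn_targets[(src, window)].add((dst, dport))
        elif kind == "arp":
            arp_targets[(src, window)].add(dst)
    alerts = []
    for (src, window), targets in syn_targets.items():
        if len(targets) >= min_targets:
            alerts.append(("syn_sweep", src, window, len(targets)))
    for (src, window), targets in arp_targets.items():
        if len(targets) >= min_targets:
            alerts.append(("arp_sweep", src, window, len(targets)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in sweep_alerts(SAMPLE_EVENTS):
        print("%-10s from %-16s window %d: %d distinct targets" % alert)
```

Tumbling windows keep the state bounded to one set per source per window, so the detector can run for hours in the same store=0 style as the sniffing script; the threshold and window are the two knobs to tune against the normal fan-out of the monitored segment.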

For your further network investigation with Scapy, I can recommend the great book "Violent Python" written by TJ O'Connor.

So, this chapter provided an overview of the domains of network-based forensic investigations and the examples with Dshell and Scapy. We have demonstrated how to search for suspicious HTTP connections (such as file downloads) or how to search for leaked data through the SMB protocol with Dshell. In the second section, we created our own port scanner with the help of Scapy and used it to gather more information about the potentially compromised systems. After we discussed the areas of forensic algorithms, Windows and Unix systems, as well as the network layer, the following chapter will deal with virtualized systems and hypervisors that are becoming an important part of every company.

Good luck.
