00:04 Hello, students. And welcome back. If you're watching this video, that means that you've decided to take the hard way,

00:10 Um, and go through the Maur

00:13 complex and interesting challenge that I have prepared here.

00:16 I'm in this video. We're going to really be digging into python networking. If you're watching this video, you should already completed all the journeymen stuff. And you should be pretty comfortable with networking,

00:25 um,

00:27 or at least willing to beat your head against the wall. Because if you don't understand networking, that's what you're gonna spend the next

00:33 hour or so doing

00:35 in this video. Uh,

00:37 the reason I have you see a vm Lennox PM specifically, and there isn't I have all these different Pat what you go it all these different packet Ah,

00:46 breakdowns are Caesar.

00:48 Because in this video, we're going to be writing

00:52 a packet sniffer

00:53 in python. Those there are probably a lot of you who are familiar with the packet sniffer known as wire shark.

01:02 Looks like this.

01:04 No,

01:06 it's useless. We'll do it with a terminal

01:12 wire shirt.

01:19 Signore Lewis.

01:19 So looks like this

01:23 captures look like this.

01:26 All sorts of data and interesting stuff going on in here, you can

01:30 scroll up. You can expand these fields.

01:33 We're not gonna do anything quite this, uh,

01:36 hard core,

01:37 partially because gu Ys air not fun. And I hate reading Louise,

01:41 and partially because

01:42 there's a lot of that will be just sort of generic programming and

01:47 not really specific to what we're trying to work on.

01:49 So instead of writing a fully fledged, you know,

01:53 breaks out the entire packet shows you the data follows pads and things like that,

01:57 I'm gonna show you a

01:59 python script that it's, you know,

02:01 longer than the ones we've written so far, but

02:05 still relatively short by programmer standards. It'll be less than 200 lines.

02:09 Well, less than 200 lines long.

02:12 And it will be

02:15 the sort of thing that you could very easily stick on a thumb drive and carry with you, or, if you really feel massive mystic something that you can actually just right as you need it and expand as you need it.

02:24 Uh, so the reason why you're gonna want to do this the reason why you would ever want tohave a packet sniffer and python is is that one

02:34 packet sniffers are by and large pretty big things. Things like wire shark,

02:38 their hefty There's a lot to them

02:42 and they take some getting used to.

02:44 So if you're trying to find something that's very small and again I mean very small,

02:49 you can do it in Python. Or if you're just trying to get sort of a more general idea of what sort of traffic you're seeing without going through this whole process of setting it up,

02:58 um, you know, installing it from the Internet and all that sort of thing. The nice thing about running a packet, sniffer and python is that so long as you have python, you have the packet sniffer.

03:07 Ah, a lot of systems won't have wire shark natively installed, but every linen system in the world

03:12 has python and most window systems. At this point that you're gonna be targeting,

03:16 we'll have python, especially if they do development work of any kind.

03:22 So the reason we're using Elin Xbm

03:23 rather than doing it on the Windows machine that we've been using so far, is because in Windows, uh, Ross sockets are no longer of thing.

03:34 What that means is, you can't You can't define your own sockets. You can't create your own sockets at the lowest level.

03:42 You've got sort of three levels of socket

03:45 three levels of definition for the socket. You determine

03:47 I p family,

03:50 family. So for six etcetera,

03:54 and then you've got protocol,

03:59 which would be like TCP

04:01 ew dp

04:02 etcetera.

04:03 And then underneath both of those is Ethernet.

04:08 But the thing is that with normal sockets, you only control the I p family and protocol

04:13 with raw sockets. You actually started the Ethernet layer right here,

04:18 and you're able to control everything up through there. Which means that you can manually write and read the headers,

04:24 Uh, in your i p header in your eye, your protocol header.

04:28 And that would be really handy if you're trying to

04:30 in the good guys world. If you're trying to define our own protocols for your company, trying to use something that's, you know, sort of special on natively built, maybe wanna put special security in it, Whatever.

04:40 That's what Ross Sockets were intended for, what Ross Sockets actually used for,

04:45 you know, Ah, sniffers, malware, doing bad things just in general. So windows kind of lock those down. They made it very very hard to access. Lennix, on the other hand,

04:58 no such problem

04:59 if you wanna make gross out. Because if you want to break everything, break everything. Lennox will always give you enough rope with which to hang yourself.

05:06 And in this case, we're gonna take advantage of that

05:09 so that any further I do We're gonna go ahead. We're gonna get started on the

05:13 python packet sniffer.

05:15 So first thing we're gonna want to do, obviously, is the sort of python intro user been Python Python,

05:24 which is just included any python script

05:28 written on it. Lennox machine. All this is really saying is look in, user, Been python for the

05:35 for the python execute herbal. The python interpreter said that you could run this. That allows you to run it without actually opening the interpreter and then bringing this in and running. It's much easier this way.

05:46 Then we're gonna have some imports that we're gonna look at it in Just a 2nd 1st Go ahead and save this file.

05:54 Cancel.

05:55 Save it as

05:58 python

06:00 packet sniffer.

06:03 Well,

06:04 well, save it in documents.

06:08 All right, so you see a changes color and of course, that's just Jeannie Say Hey, let's be friends.

06:14 So now we're actually writing a python files. So

06:16 Step zero

06:17 imports.

06:19 First thing we know we're gonna want to import beyond anything else without any doubt is socket.

06:25 We're also just so that I can clear the screen and kind of clean things up a little bit. We're gonna import Os

06:32 and we'll have a couple other imports as we go. But for now, let's just start with these two

06:38 s. So the first step in creating

06:40 a raw socket sniffer is to create a socket.

06:43 So we're gonna have death. Maine.

06:46 We're going to do our actual sake creation here.

06:48 So we're going to say,

06:50 Ah, sniffer socket

06:54 equals Sock it, sock it.

06:58 Now, here's where we're gonna start doing things a little bit differently than in the other videos.

07:03 This terminal over here, we're gonna run python important socket.

07:09 We're gonna need to do something a little bit differently because

07:13 using you know, a f I night and all these other things we're doing

07:15 we're not gonna be able to get what we're after.

07:16 So there's actually a difference, uh,

07:19 argument that we can give it so we actually get the entire pack it rather than getting,

07:24 you know, pre broken down and examined packet

07:27 looking socket. Here. You see, someone has a ton of different arguments. Don't have different options.

07:31 The one we're looking for.

07:33 And I am gonna let us treat a little bit not making, you know,

07:36 go through and look up. Each specific item that we're trying to track down

07:40 is this one pf packet

07:43 pf packet is just give me the entire packet. Give me everything in it. I'll do with it what I want so socket dot pf pf

07:53 packet

07:55 socket dot So if you recall, this is normally where we would determine. You know,

08:01 um,

08:03 socks, dream socket d graham, that sort of thing.

08:07 Instead of doing either of those, we're going to create a raw sockets. We're gonna do suck raw,

08:13 suck it dot Suck.

08:16 Now, here's what we're gonna kind of cheat a little bit again. Um, they're a bunch of different arguments you can supply for the third argument here.

08:24 And each one sort of has its own merit, in its own reason. Its own sort of rice on day.

08:28 Ah, the argument we're going to give it is gonna be ht o and s will actually be

08:33 socket

08:35 stopped. HD on us

08:37 00003

08:41 So what is this? You're very, very likely asking.

08:46 Well, I have

08:48 had

08:50 scenario.

08:50 What that is is East P

08:54 Pipi.

08:54 Um

08:56 what? The East v I p is

08:58 find it?

09:03 Yeah.

09:03 So what if p i p. Is is a, um

09:09 a definition saying get anything on Ethernet?

09:13 That is an eye. He packet.

09:15 You could also do, actually, yeah. What a lot of people will do is either type i p,

09:20 which is 0800

09:22 That one works just fine.

09:24 Actually, when I looked through the i p really, you eat all.

09:26 So if we're doing FBI, P would do either type I p

09:31 What we're doing is e p. All because we want to get any packet, whether its i p or not

09:35 a cz you see here, this is for PF packet.

09:37 So each Peola 0003

09:41 That's a macro that's defined within net net either. Not age. It is, however,

09:46 not a mackerel which was brought over to python, Which is why we have to just manually type that in,

09:52 um, things like soccer. Robbie, a packet are just

09:56 Macron's. That python. Did you know the python developers? Did you remember to bring over? If we look at it, we'll see Sock

10:03 right?

10:05 Just three.

10:07 Um

10:09 and that's the distinction. Every all of these capital

10:11 argument Earl of these capitals, you see here in the dirt,

10:15 all those are just just macros that air defined to make it easier. So you don't have to memorize all the numbers. In this case, we cannot. You know, we're unfortunately actually did have toe use a number that was memorized,

10:24 but

10:26 luckily, we're only using one. So it's not so bad.

10:28 Okay, now we've got a sniffer socket. Now,

10:31 those of you who you know, pay attention and are paying attention

10:35 would think that our next step would logically be too

10:39 sniffer socket

10:41 dot Buying

10:41 you would, however, be wrong.

10:45 The reason for that is because we're using a raw socket.

10:48 So Ross sockets actually

10:50 don't do this.

10:56 The reason for that is because it's a raw socket. It's not going on any specific port.

11:01 If we bind it to a specific port, then it's only going to listen to that port

11:05 if we do soccer all without any specific binding. However, it will listen to every port and every bit of traffic it gets anything that comes over Ethernet,

11:13 this sniffer is going to pick up,

11:15 which is handy.

11:18 So instead of fighting, all we're actually going to do now is we're going to receive. We're gonna do sniffer.

11:24 No

11:24 sniffer socket

11:26 dot Received.

11:28 We're going to take in

11:31 a little over 2000 bites. It's enough that will take in any pact we're gonna receive.

11:35 Um,

11:35 not so large that we really need to worry about

11:39 any sort of crazy data. We can, actually, you know, if we wanted to look up and very carefully go through,

11:46 we could find the specific maximum size of these packets and do it that way.

11:50 But it's python. It's for laziness. And we're trying to be Lacey. So we're just going to say OK,

11:56 2000 bites should be big enough.

11:58 Um, we're gonna

12:00 received that data somewhere.

12:03 So now we've got data.

12:05 We've received

12:07 something

12:07 off this socket,

12:09 huh?

12:09 What? That might be

12:11 I guess we'll find out.

12:15 So let's go ahead and run this and see what it does right at. Well, well, actually do one more thing prints

12:20 to receive data.

12:22 Um,

12:24 don't do this one at home on your home computer just because it depends on what you get. But you can do some really weird things and get some weird, really weird results. I'm doing this on a V m.

12:35 Not a big deal. If I break it,

12:35 no problem.

12:37 One thing when you try and run it, a lot of you will have issues. Um, because it's going to tell you you don't have permission to create this Ross socket

12:46 we need to do is you need to go into your set, build commands menu and put a pseudo yours should probably just a python percent off.

12:54 You need to put a pseudo before it to tell it to run. This is work.

12:58 You had a five. It'll ask you for your password.

13:03 Nothing will happen.

13:09 Funnily enough, nothing happened. Actually, sort of

13:11 is a bit of luck to us. It tries to print the date out, but it's not actually a string with which it can handle anything.

13:16 Um, it's it's something sort of different, something called Destruct.

13:20 So it's gonna be the next thing we do is the next thing we're gonna do is actually break this apart

13:26 Now, we could do all of this in Maine and have a really ugly, complicated program to stare at, but instead, we're going to kind of break this apart and functional eyes. So we're gonna create a function here,

13:35 and it's going to be

13:37 Do I really define

13:41 Will do analyze

13:43 either header.

13:46 It's gonna take an argument of data.

13:50 We'll just put return here for a second.

13:56 So we're gonna do analyze

13:58 easy, though.

14:00 And they were gonna give it

14:01 to receive data

14:05 as the argument.

14:09 So

14:09 we've got this big packet of stuff

14:13 we don't really know what we're gonna do with that stuff yet.

14:16 The first step is going to be to break it out.

14:18 Dated that you get over the network is,

14:22 as I mentioned before, just packed into what's called destruct. It's just binary data.

14:26 So what we can do is we can break that binary data out using

14:31 this commands right here,

14:33 which is struck specifically. We're going to be using struck Start on

14:39 struck. Stop, unpack. Pardon me.

14:43 So Okay,

14:46 um,

14:46 to ease, header equals struck,

14:50 not unpack

14:54 data.

14:56 So the specific unpacking that we do is going to be dependent on what we're trying to get.

15:00 So before we go giving it arguments here, although that we will give it one argument, which is this exclamation mark,

15:05 which is the Indian nous of the data. So we're saying we're getting it in Network Indian. You can also put big Indian

15:11 um, for the python documents. The python library here.

15:16 You see that

15:18 the exclamation mark is available for poor souls who can't who claim they can't remember whether network bite order is big or little Indian.

15:24 Ah, you know who says that I help dot Can't be snarky

15:28 anyway,

15:28 So you've got all these for my characters here and, you know, we could use them to try and kind of do this bit by bit. But first, what we want to do is know what we're pulling out for the header.

15:37 Which is why I had this wiki page open

15:41 s. So the first thing we're gonna do is we're gonna say Okay, we're looking at an Ethernet packet. We know that we're only getting an Ethernet packet because again, this

15:50 0003

15:52 So we need to decide what we're gonna break out of it.

15:54 According this wiki page, there's a preamble and a framed a limiter.

15:58 Those are things received by your machine, but those are not

16:03 included in the ether. That header these they're not. Header starts at Mac Destination

16:07 now the Mac destination. For those who see my earlier course of those who have seen any networking courses in general, the Mac addresses the physical address of the

16:17 interface on your machine.

16:18 Um,

16:19 what that means

16:22 pretty simple. It's the actual address. It's sort of like the I P address for your hardware.

16:26 Uh,

16:29 so the first argument or the first field we need to stack and fill out is going to be a Mac destination.

16:36 Now we see the Mac destination is six aka tests, but that means it's six bites, six chunks of eight bits.

16:44 So we need to do.

16:45 We need to find something that is six bites alone.

16:48 You see that none of these are six bites a lot. We've got ones, twos, fours and eights.

16:52 However, we do see that this where's it at?

16:57 String here doesn't have a specified link.

17:00 There's a reason for that. That's kind of what we want to get too down here.

17:03 So

17:07 here we go. The s for my character. The count

17:10 is interpreted as the size and strength.

17:11 What that means is this right here

17:15 you do a number of bites that you're going to get,

17:18 and then it's an ***. So, for example, if we're trying to get six mites

17:23 for a Mac address, we do success,

17:26 and it's going to return into Ethernet. Er,

17:29 it's not going to return into the Ethernet header six s, which is again just a six. Might string

17:36 Ethernet header is going to turn into a triple struck down impact is going to give us back a to pull when we're done with all the format strings. And then from that, we're gonna break out what we're doing.

17:45 So

17:45 success is our first thing, but that's Mac destination. I feel that we're gonna do Max source,

17:52 Which again is

17:52 success nice and easy.

17:55 This 802.1 q tag is optional, and we're not going to be using it.

18:00 Um,

18:00 you're not going to be seeing it used in what you're doing right now.

18:04 Um,

18:07 802.1 q is for villain. It's not in any way related to what we're doing.

18:11 So the next feel that we need that we actually need to deal with is either type. Either type is a two octet aura to bite field, which it should have

18:21 should discuss

18:22 here.

18:23 Um, yeah, I hear you.

18:26 Is that I feel this A to bite field and it's used for two different purposes.

18:30 Ah,

18:30 anything under 1500

18:33 is supposed to determine

18:36 the size of the payload. And, aka tests anything over 1500 indicates the specific protocol in a specific type.

18:42 Um,

18:44 so what that means is, if

18:47 we'll do it.

18:48 First of all, it's two octaves, two bites.

18:51 So we need to find something that's two bytes long,

18:56 which is going to for it, for our case, Be this unsigned short here,

19:02 trying to do h

19:03 so for our purposes. What this means, this whole, you know, if it's over 15 or under 1500

19:08 it

19:10 if we get a value that is over 1500 we need to check that and see if that is

19:15 a protocol with which we're sort of prepared to deal. We're only going to actually deal with one protocol, which is I pee before

19:22 my P V four is going to be protocol 0800 specifically in hacks it 000

19:29 So I pee before

19:32 equals 008

19:36 You're zero.

19:41 Which we can actually see. I had a numbers reference up earlier

19:48 is what happens when you're looking at too many different files. Too many different times.

19:53 Um, okay,

19:56 I'll just pull one up.

19:56 So protocol

19:59 numbers.

20:00 There it is, Diana.

20:02 So I am is the organization with which everyone sort of

20:06 reserves

20:07 protocol, space and protocol information.

20:11 So we're gonna wanna have this up for later on.

20:14 But for now, we're just going to say OK, 0800 is gonna be our i p.

20:18 So

20:21 how do we deal with that? How do we know? Actually, check and make sure you've got the right thing.

20:23 Well, step one, I guess,

20:26 really again. It's kind of a step zero thing. It's going to be to actually break this to pull out

20:32 we're gonna do.

20:34 We'll do dust. Mac Destination Mac equals

20:40 Eastern a header.

20:42 Zero

20:45 source back equals Ethernet Header

20:49 one

20:51 proto equals Ethernet header

20:56 two.

21:00 So we're gonna do a lot of commenting in this, so be prepared for

21:03 even these out a little bit easier.

21:07 Look at

21:11 destination address,

21:15 source, address

21:18 hope.

21:22 And then here is next protocol.

21:26 It's an important thing to notice for every year

21:30 protocol with which we deal is going to have, Well, not everybody all most of the protocols with which we're gonna handle

21:34 we'll have a next particle field. It'll just be It'll just say protocol most the time or type or whatever, but it's actually the protocol that we need to be prepared to handle next. So, for example, again, when you Ethernet header says protocol, I pee before that means the next header. We need to handle this and I be before header.

21:55 So let's do a quick sanity check. Let's see what each of these gives us.

22:07 Five.

22:08 Your password.

22:11 Well,

22:14 my favorite mistake forgot to put me in

22:19 scenario.

22:21 What

22:22 looks like miss type sniffer socket down here.

22:26 Some of you may have noticed that I've been screaming your screens. I apologize for making you sad.

22:37 There we go.

22:42 Okay, so strike is not defined.

22:45 Well, that means that we don't actually have the import that we need to have for it.

22:48 Luckily, someone thought I had it has a structure page open.

22:52 So we're gonna go to the top

22:56 and try and find our import.

23:08 No, it came from a wait. Of course,

23:11 structure is actually the library name. So the import we're gonna do on it took me an embarrassingly long time to realize

23:18 is struck.

23:19 There we go.

23:22 Right now. Let's run it again.

23:26 Okay. Now, we've run into our first

23:30 one of our first, but are

23:32 first major error that's going to change our code a little bit.

23:34 This one is struck dot Unpack requires a specific stringer. You at length?

23:40 So you some we unpack. We're actually on Lee able to give it

23:44 as much data as we're unpacking. It can't leave data alone,

23:47 which means that our data field needs to be sliced.

23:49 So we're gonna do zero through something. We know that this first chunk is six by its second truck is six bites and then h

23:57 is an unsigned short

24:02 still down here,

24:03 ages and unsigned. Short, which is two bites.

24:06 So

24:07 6 12 14

24:10 There you go.

24:11 And then before we go any further, we're gonna change data

24:18 to only be

24:21 14 then onward.

24:22 So we're gonna do this with each of the headers. As we analyze them, we're gonna strip the header out so that the rest of the data doesn't after where the rest of the

24:30 functions don't have to worry about headers that have already been handled.

24:33 Then we're gonna return data.

24:48 We're waiting on it to generate traffic. If it's if you're sitting too long and you're waiting, there is kind of a useful easy trick,

24:53 which is to just go over and press that five obviously might already gave something back.

24:57 Okay, so

25:00 So the field, we got back

25:02 and I'll bring back up again.

25:03 I shouldn't have done that.

25:04 20 in this case, 2048 which is what we're after, right?

25:10 Well, you may not be saying that there's an easy way to tell,

25:19 but

25:22 destined for the hex value of proto is what we actually a seat.

25:25 So that's all you have to do is just print Hex is just do print hex proto,

25:30 and

25:32 it'll come out easier to read.

25:36 Very good.

25:37 Uh,

25:37 in this case is about 08

25:40 He came out as 806

25:42 It's not over after.

25:44 Let's look and see,

25:55 I'm actually gonna put our main here. And you should never do this because it's the wrong thing to do

25:59 of Maine in a while. True loop so that it'll just run and give us data while we want that Data

26:07 five.

26:15 Okay, we're seeing that some of these were coming back a zero. Is there a six summer zero Summer 800

26:21 Um,

26:22 I was there only three digits rather than four in the ***, which would kind of like to have four.

26:27 There are ways that you can actually, you know, format it so that it looks a little bit prettier.