Time
10 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
15

Video Description

Readability in Strings This lesson focuses on making strings more readable. To accomplish this, you need to do an import called a bnascii.hexlify. This turns unknown binary data in ASCII but it looks like hex. Participants learn step by step instructions in creating a readable Ethernet header that is easy to read and print and allows the programmer to view the mac addresses and see what's being done. The lesson also covers how get an argument out of data and view header formats and shows how to utilize a number of socket functions.

Video Transcription

00:04
So, first of all, what you may have noticed is that desk Mac and source macro being printed out. And he's really weird. Ugly strings.
00:11
So what we're going to need to do is we're gonna need to fix those. We're gonna need to make them look a little bit more readable.
00:16
So right now they're just six bites of binary data, and we need them to be
00:22
obviously something else.
00:26
Specifically, we want restrains.
00:28
So to do that, we're gonna need to do yet another import.
00:33
This import is been asking,
00:36
um,
00:38
been ask e is a very, very handy import. All it's really therefore, is to convert binary data to askyou NATO and back and forth so that we can read it more easily.
00:51
So now instead of Ethernet header zero, what we're actually gonna do is been asking
00:56
God.
00:57
And you need the go through and search for this one to give to you for free
01:00
hex. Cliff I
01:03
And this is going to turn this binary data that we don't really know anything about
01:07
in the hex. Well, into ask you specifically. That looks like hex,
01:12
which is what we're after.
01:14
Mac addresses are always in hex,
01:17
the tax decimal. So you want to convert it so that it's hex so that you could more easily read it.
01:22
Now we're gonna print again. We're gonna run it again
01:26
and to forget.
01:26
Okay, so we see that the 080 sixes are sent to broadcast. Where is zero? Well, most in Syria. Hundreds are also sent a broadcast.
01:36
There we go. So, you see, when I generated traffic, they start going to specific Mac addresses
01:40
there, a lot of things being sent to broadcast. And if you want to examine them in wire, shark or whatever, then you'll be able to see what's causing those.
01:49
So one thing that I'm going to do,
01:52
just going to clean things up when we're looking at it.
01:55
Oh, stop system
01:57
clear.
01:59
That's just so that I'll show you what it looks like here.
02:07
That's just so that when we have traffic it well,
02:12
it will spend up a little bit more prettily as we go.
02:15
Um,
02:17
and actually gonna go ahead and move this office system Clear
02:21
where it won't just auto destroy the data.
02:23
We're gonna do it after we received. So each time we get a new packet.
02:27
We're going to clear the old one off the screen.
02:29
Pretty straightforward. There you go.
02:32
Now it just looks like it's manually updating. Lennox is kind of weird about clear, so you can actually just scroll up
02:38
and see the other things. But
02:42
point is that it looks a lot prettier, and it's much, much, much easier to read now.
02:46
Okay,
02:47
so we have sort of, Ah, ugly but workable Ethernet header going on here. Um,
02:54
as we go through and we complete after we complete, everything will go through and, well, actually print everything out to look a little more useful.
03:00
But
03:00
for the time being, this will work. We've got Anita editor that's actually being printed. We got you know, we're able to look at the Mac addresses and see what's being done.
03:07
And again, we have an actual particle.
03:10
Speaking of that particle, we're actually going to use that, and we're gonna say if
03:15
so,
03:17
yeah,
03:19
Hex
03:20
proto
03:23
is 00800 In other words,
03:28
I p
03:30
four.
03:31
But
03:36
we're just gonna create an I p bull
03:39
equals
03:40
true
03:40
Look,
03:43
cattle see everything else lower case, because python
03:46
and we're going to do this up here. If you cool equals false
03:51
now we're just gonna do return. We're also going to be returning to pull in this case, much like the struck out unpack does.
03:58
The way you return it to people we've seen him before with connect or with except and actually I think it's connected. But
04:04
all you gotta do is have multiple arguments receiving,
04:09
and you're good to go.
04:11
You always. If you have more than one received location, you need to always receive the same number. As you are returning,
04:18
you have one. If you return an entire to pull into one location, that's acceptable.
04:24
If you're turned it into one location for every return object, that's acceptable. But you have, like three return values in two weeks and to return locations that won't work.
04:32
In other words, if we had
04:36
returned three overturned three
04:39
that won't work, we'll be able to return it into these simply because
04:44
it doesn't know where to break down what to do with us. Always make sure in general, you just want to make sure that you're returning and receiving the same number of things.
04:50
Okay,
04:51
so now we've got a bull that tells us whether or not the next header is I p
04:57
So we're going to do if I pee Bull
05:02
analyze
05:03
AP header
05:06
data
05:09
data equals Obviously that's not a function. And more obviously it's about to become one death Analyze I p
05:17
header
05:19
is gonna take an argument of data.
05:23
Okay,
05:24
moved on or nice center So we can kind of
05:27
we don't We don't actually want to close this but we can kind of throw the youth and head out the window now
05:30
and look at the always friendly RFC 7 93 RC 7 93 is one of the older or if sees if you look it
05:41
your top
05:42
September 1981 This RFC came about so yeah, this RFC is order than most of the audience If the RFC is not order than you
05:51
Congratulations. You two are older than most of the audience. We're gonna go down here We're gonna look at header format
05:58
on page on Ah Page 15 3.1
06:00
Here we go.
06:04
Close that. Close that out. And Okay,
06:08
so this is TCP I'm sorry we need the i p header not the TCP header.
06:13
So this RFC is for TCP
06:15
there. See? We need is for I p So we'll go ahead and open that one up real quick
06:19
and finding our seas very easy. Google
06:23
I pee before
06:25
or FC
06:27
There you are. See 7 91 That's more like it.
06:30
Now this RFC is kind of handy. It's also if you notice also September 1981 still in older FC
06:36
this one I like because it's got actual links. So here's the Internet header format, as you can see, bit heftier than our
06:45
Eastern that header waas It's gonna take a little bit more time to analyze.
06:48
So first thing, of course we're gonna do We're gonna do
06:51
I p header
06:55
equal Struck's dot unpack
07:00
data
07:01
and we know that's gonna get sliced
07:03
So
07:04
we see that there's four might feel before I feel whatever the way, this is broken down The way you read
07:11
structures like these in our seas
07:12
is this Is
07:15
this right? Here is one bite
07:16
this second,
07:18
third,
07:21
second,
07:23
third and fourth
07:24
user four bite lines. Each line is four bites long.
07:27
So we see we've got options and patting down here. Options are optional.
07:31
I can tell you I have never actually seen I pee before options being used. And we can pretty safely assume that they won't be
07:38
now
07:39
safely assume is sort of the phrase that makes most exploits no, makes most explainable code happen. But in this particular case, it really is incredibly rare and not really worth dealing.
07:49
So we're gonna have four bites and we're gonna have 12345
07:57
five lines. So we know it's gonna be 20 bites long.
08:00
Really? Just that easy.
08:01
So Okay, we've got 20 bites that we've gotta handle now.
08:05
So we see that our 1st 2 fields, we're just gonna do this field by field, Our 1st 2 fields version and I h l,
08:11
um which is Internet header length. The length of the Internet, the length of the I P header
08:16
are both four bit fields. So we're gonna look at our structure and we're gonna say, Oh, hang on,
08:22
We don't have anything. It's half a bite long.
08:24
So how do we do this?
08:26
That's actually pretty easy. We're just going to return
08:28
into something larger and we're gonna mess, and we're gonna move the bits over to where we need them.
08:35
I hear you.
08:37
So
08:37
the smallest that we actually handle
08:41
is one bite.
08:41
However, that one bite is for characters.
08:45
Uh,
08:46
if you use the one bite of use characters, you're gonna run into a bunch of trouble trying to move the bits around
08:52
because python works with binary only if it's either
08:56
and an array of characters or if it's just a imager.
09:00
So instead, we're gonna find the shortest number we can handle. Shortest number we can and we see to be two bites. And that's gonna be a TSH. We're gonna make sure that we always use unsigned because head airfields are never signed.
09:11
You know, i p Header Fields, Ethan ahead, Airfields, whatever. Always gonna use on signed data. So our source structure or unpack er is going to be a capital age.
09:22
It's okay,
09:22
exclamation mark. So that we know we're using Network Indian
09:26
Ever do. H h is two bytes long, which means H is actually gonna be
09:30
all three of these fields.
09:33
We're gonna need to do some magic to those here in a minute,
09:35
which actually didn't do right now.
09:37
So first we're gonna do is Virg
09:39
Perversion
09:41
is going to be I P header
09:45
zero.
09:46
But we've got to do something with it so that we're only getting what we want.
09:48
And the thing we're going to do is we're going to
09:52
shifted to the right
09:54
in this particular case. Friendship, 12 bits.
09:58
Um
10:03
but that means we're gonna take all 12 of these bids right here.
10:07
We're just going to get rid of them.
10:09
We're gonna move version
10:09
over to the right, 12 bits and then everything to the left. A version is just gonna be zeros.
10:16
Well, that does. Functionally is that gets rid of all the other field. It doesn't get rid of them, but in this case, it
10:22
removes the other fields from the version variable. So there were only looking into it We want to see.
10:28
Next thing we're gonna do
10:31
is we're going to move.
10:33
We're gonna make HL HL
10:37
i p header
10:37
zero,
10:39
and we're gonna shift that one right by eight bits.
10:43
But
10:43
there is a bit of an issue because by shifting that one, right, Yes, we're getting rid of type of service, but we're keeping version,
10:48
so we're actually gonna have to do an extra step with that one.
10:52
The extra step we're gonna have to do with that one is to end it
10:56
logically ended against zero X
11:00
and this is gonna be now it's one bite long, so it'll be zero
11:05
zero f translates to
11:09
the binary 1 to 4 zeros
11:11
and then four ones. Now logic lands. If you're unfamiliar with logic interest tables a logical and says on Lee, take the bits
11:20
that exists in both of these things. So, for example, if the I P header shifted right by eight bits is
11:28
ended against this 00001111 If we have 01010101
11:35
The output of that is gonna be
11:37
four zeros. Because those donors, because in one of these two, it's just zeros.
11:43
And that is going to be
11:45
0101
11:48
because it only puts ones where they coincide with boats.
11:52
A good place to look, to learn a little bit more about this.
11:56
Since this isn't really a true tables or logic class
12:00
is
12:03
look
12:05
bit wise. Operators, operations,
12:09
python.
12:13
And it's gonna be
12:15
that's tutorials point Wikipedia, whatever somewhere that'll just show you
12:20
what the actual bit wise
12:22
do
12:22
again. We're not really gonna focus on too heavily because not a logic class. It's okay. We've got a version. We've got our eye. HL Now we need our type of service.
12:31
What type of service, And we're gonna go into RFC. We're gonna get real familiar with our season. This, uh, this video, So I hope you're ready for that
12:39
type of service is a quality of service precedence field. It determines how important this traffic is.
12:46
The R F. C says, You know, this is really important because it says how quickly did is gonna get sense.
12:54
The truth of the matter is, that's not really the case.
12:58
Um,
13:00
type of service hasn't really mattered since I pee before
13:03
since the Internet became a thing,
13:05
you may still see the field used, but it's extremely rare, and very, very few people bother to check with it. But for a packet sniffer,
13:13
we kind of want to know someone's doing weird things in fields. That's one of the handy things about a packet sniffer is that we get to look at whatever we want to look at.
13:20
So we're gonna say type of service
13:24
his i p header
13:24
zero.
13:26
We're gonna do another logical. And
13:28
this time it's gonna be against zero X.
13:31
The whole first bite is zeroed out.
13:33
Second bite is going to be all lefts. Second bite is all ones. This is logically equivalent to,
13:43
huh? There you go. Eight zeros and eight once.
13:48
So Okay, now we've dealt with our first field. Our first unsigned short. Two bites.
13:54
These three fields were done. Next thing we're gonna look at is this fourth field, which is total link.
14:00
Total length is another H another
14:03
unsigned short.
14:05
So we can do. There are two ways you're going about this you can do to H is
14:09
breaking his put
14:11
to age.
14:13
Um,
14:13
where's with a string? The six determines how long the string is for any other argument.
14:18
This number determines how many fields they're going to be. So now this will expands. This will unpack this header this data field
14:28
into two
14:28
unsigned imagers there two unsigned shorts. Rather
14:33
So that means the next thing we want to do is total length or total end. However you want to name the variable, it's going to be I p header.
14:41
It's two people. We can address it with indexes.
14:46
I p header one.
14:54
So that's the total length. Um, really? It's pretty easy to do
14:58
ever. Just gonna From here on, we're just gonna kind of tear through all these fields.
15:01
The next one
15:05
three h
15:09
i p i d
15:11
equals I p header
15:13
two.
15:13
Then we see flags and fragment offset.
15:18
This is when we actually break into in the r f c and really look at.
15:22
So we see their three control flags. The flags field is three bits long, which is really, really ugly, and it bothers me that did that way, but that's not important.
15:31
Um,
15:31
the flags field is three bit, and then there's a 13 bit fragment offset.
15:37
Which means we're gonna have to really break down into this. No, we know that we're gonna need 1/4 h
15:46
scroll back up here.
15:48
So we're in this field or these fields right now. We're gonna have to actually kind of break him down a little bit.
15:56
We're gonna do.
15:58
Flags are equal to
16:02
Pipi. Header
16:03
three
16:04
shifted right. And this is a really horrible logical shift, but shifted right, 13 bits.
16:10
So we're only going to get
16:14
only going to get the 1st 3 bits
16:18
of the flags Field
16:19
of the flags fragment offset Shared field
16:25
Then we're going to do
16:27
frag Offset
16:30
is equal to I p Header
16:33
three
16:34
and it against.
16:36
Now we're going to do a little bit of hex bath,
16:38
so we know that
16:41
zero is all zeros. F is all ones.
16:44
So we need to do zero X.
16:47
We only want to get the 1st 3 bits.
16:48
So we're gonna do
16:51
we see that
16:52
123
16:53
and then just zeroes after that.
16:57
So you have to actually see what
16:59
31 than a zero equals out, too.
17:02
You know, this field,
17:03
we'll go from the right to the left. This fields equal to one and that zero This feels equal to two, and that's a one.
17:11
So join me two plus
17:14
this fields of four.
17:18
And that field is an eight,
17:22
which equals
17:23
14
17:26
uh,
17:26
which we want. Of course, translate
17:29
is 10
17:34
is 10.
17:37
Uh, B is 11 sees 12. 13 is 14
17:45
but we're actually going to mask those out. So we're going to do
17:48
We could have done this a little bit more easily and said, Okay, we want everything except these three
17:53
0001 and then just a bunch of zeroes. After that, we're not gonna actually break out.
18:00
Do 10 or one
18:04
a bunch of ones after that. Rather so now we're going to ignore the 1st 3 bits in this first by it. I know that was a little confusing and a little tricky to follow. Feel free to press the I believe button,
18:15
but we're gonna ignore the 1st 3 bits and we're only going to deal with the last 13. This f it's worth four bits.
18:22
That's eight minutes. 12 minutes, 13th bit.
18:25
Another fragment offset on. Lee actually sees 13 bits. It thinks it sees
18:30
all 16 bits, but only sees 13.
18:33
Then move on to the next one, which is going to resource for us.
18:38
This is where we're gonna bust out another socket function.
18:41
You suck. It actually does deal with this one,
18:45
which is gonna be network to ask you.
18:47
I think it's that basket
18:48
we can always do.
19:07
Uh,
19:07
network, too.
19:10
Points
19:11
we're gonna do No, no, sorry. Never. Cassie. I was correct the first time.
19:15
That's what you get for second guessing yourself, folks.
19:18
All right, so network to ask you
19:22
against And this time we're actually gonna be a different field. We know that it's gonna be
19:27
a string we know that's going to be
19:30
It's the night before. So there's gonna be four bites long,
19:37
so we're going to do for us.
19:41
And we know they're going to love them because they're sourcing the destination for s for us.
19:48
Okay, so then we're in a new network to ask you
19:52
on I p header
19:56
four.
19:57
And
20:00
I actually think I made on this backward.
20:02
No spirit.
20:03
Best address
20:07
never to ask you
20:10
i p header
20:19
so we can do a quick sanity check. We could make sure we've got the right number of fields. At least
20:26
see
20:26
each of the H is air gonna be
20:30
two bites long.
20:33
So therefore, ages too.
20:36
12
20:37
three,
20:38
four.
20:41
And yet sure enough that sanity checks show that I skipped a bunch of fields. Wishful thinking, folks.
20:45
Luckily, these fields are pretty quick gonna do I p t t l which is the number of hops left or the number of computers left before it gives up the search.
20:55
Teach Yellen protocol again. That's gonna be 1/5 h
21:02
DTL equals I P header
21:04
four. I'm gonna get rid of these numbers here, so don't confuse anybody
21:11
logically ships, right? By eight minutes,
21:15
you guys are gonna be old pros that bit wise, Operation by the end of this pro no equals I p header
21:23
for
21:25
and it against
21:26
000 ff
21:32
and then I peace
21:33
will do ch k s u M Check some.
21:37
I'd be header five
21:41
and that's going to make for our six stage
21:45
six ages
21:48
and then to four asses. And that'll be
21:49
67
21:52
Okay, let's do another sanity check.
21:55
So there's six ages. So 12
21:57
three
22:00
for
22:02
56
22:03
And then there, too, for us is one and two and he had options and padding. We're actually not going to notice. We're gonna pretend this one exist. Patting only happens when options happens and options doesn't happen.
22:15
Okay, Now we're working out our entire I P header field our entire high Pienaar structure rather and we need to change data.
22:33
However, there is one thing that we need to do, which is check the protocol field again.
22:37
Did that an ethernet We need to do it. And I Pius Well,
22:41
so
22:41
the i p protocol fields are going to be
22:47
no
22:48
TCP
22:48
UDP. Whatever our next protocol is going to be
22:52
is going to be determined
22:55
here in the U. T. P area.
22:57
So in order to do that, we actually have to do our get ourselves a little bit of an if statement or ah, seriously of statements actually going.
23:06
So we're only in this never gonna deal with T C P and U T P. There could be other protocols and other communications, and you probably will see a few of them once in a while. But in general, if you look for TCP and you d be traffic,
23:18
you're going to see most all I p traffic.
23:21
So we're gonna do if
23:22
I p proto
23:25
equals equals.
23:26
Now we need to get the TCP
23:29
the value or the number of TCP.
23:32
So you look at rear protocols
23:34
where I pulled up earlier. We see that is six
23:40
TCP magic number.
23:41
I don't really want to use magic numbers. If we were being good, we would have defined that up here. But we're not being good. We're cheaters.
23:48
If I be brother equals six,
23:55
the next pro
23:56
equals TCP.
24:00
If I pee proto
24:03
see what you d p is.
24:04
See over here that 17
24:07
If you're pro equals 17
24:11
in a magic number,
24:14
their next Prudhoe
24:15
equals GDP
24:18
and we're gonna return to pull data. And next
24:23
proto
24:26
So okay,
24:26
with a relatively minimal amount of wailing and gnashing of teeth
24:30
we've broken apart the I'd be header and again we're gonna go through Once we're done breaking all the headers apart we're gonna actually print everything out, Make it pretty looking.
24:41
So okay, we've got Richard. We're receiving a to pull. So it'll be data and
24:45
next Perrotto.
24:49
And we need to do another set of F statement. Now there. There are other ways that you can go about doing this. You don't want to do multiple if statements. That's totally cool. You can just return
24:59
next pro.
25:00
Or you could just return the i p. Proto
25:02
and just do the a statement down here. I like to do.
25:04
If statements I like to make the decision within the function
25:07
and then do any logically dealing with the later on, I find it's a little bit easier to read. So if next Perrotto
25:17
p
25:19
analyze
25:22
TCP header
25:23
data,
25:25
First data equals
25:27
you lift
25:29
that wonderful logical trick we found of else? If
25:33
next proto equals equals UDP
25:40
data equals analyze
25:42
GDP, Heather
25:45
data,
25:48
we're just going to do in else
25:52
return.
25:52
Just
25:53
ignore the rest of the data and not worry about it.
25:56
So we see that we have two more functions we need to do, and these two more functions are actually our last major functions. And then we go through and clean everything up,
26:04
analyze TCP
26:07
header
26:10
data,
26:11
turn
26:12
and analyze UDP
26:15
Tedder
26:18
data.
26:21
So again, we're going to turn to our handy dandy r f sees we're gonna in this case, we're in the O. R S C 7 93 the one that I kind of jumped again and take you to look at earlier.
26:30
And this is going to be the TCP
26:33
RFC
26:34
uh, again, since
26:37
1981 that has been around pretty familiar, pretty well established protocol, one that most of your probably relatively familiar with
26:45
we're going to obstruct, unpack. As always, we're going to TCP header
26:48
equal struck
26:52
dot unpack
26:55
data
26:57
and let's see how much we need to slice.
27:00
So you see, the data field done here is actually the the data contained by the TCP
27:06
packet. So we actually aren't going to use that.
27:08
We see. Also, there's an option that padding field again, not commonly used.
27:14
So we're just gonna deal with this 1st 2nd 3rd 4th and fifth lines,
27:18
which he ain't going to be
27:19
20 minutes long.
27:22
She is gonna go up to bite 20 non inclusive,
27:26
and it's time to start working.
27:29
So I see you don't really need to go back to our struck page to see what field going to use pretty much only ever gonna be H and s
27:36
first thing is to bites. It's gonna be sore, sport. We've got a source port of destination port
27:41
and then immediately to make a liar of me from a moment ago. So you've got a sequence in acknowledgement number. Those are actually gonna be a fully full length unsigned INTs.
27:51
There's gonna be an eye
27:53
trying to do to H
27:56
to I.
27:59
And then we've got this absolute monstrosity of flags over here.
28:04
First thing we're going to do is data offset. Well, it's not really first thing. We're gonna do all of it once we're gonna do date offset reserved. And there were new er, Jack, Push reset, Sinn fin. And we're gonna actually go through it. All those flags mean here in just a moment.
28:18
So it's gonna be an h.
28:19
You know, Window is gonna be an age.
28:22
Check some,
28:22
and then the urgent pointer. So we got four ages.
28:26
All right, So
28:27
do a quick sanity check
28:30
to ages.
28:30
12
28:33
two Eyes
28:34
12
28:37
and then for ages. 123 and four.
28:41
All right. Good to go. We've broken up the TCP header into its
28:45
separate fields, and now we need to start work.

Up Next

Python for Security Professionals

This is the archived version of our new Python course! If you would like to view our newly updated course, scroll to the bottom, and click the link.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor