| commit | 0945bb5dbfa85fa611d2055423d8c3bf4cbf5756 | [log] [tgz] |
|---|---|---|
| author | Matthias St. Pierre <matthias.st.pierre@ncp-e.com> | Sat Nov 19 12:15:51 2022 +0100 |
| committer | GitHub <noreply@github.com> | Sat Nov 19 12:15:51 2022 +0100 |
| tree | 0c2bc3b16dea59cbb0bbd2e31b1cb22c4ac96a9d | |
| parent | 664f5985c24c2eb7645bf76327bd333fab5f92b4 [diff] |
IKEv2: improve and test dissection of decrypted IKEv2 payloads (#3787)
* IKEv2: improve dissection of the IDi and IDr payload
See RFC 7296, section 3.5
* IKEv2: improve dissection of the Configuration payload
See RFC 7296, section 3.15
* IKEv2: test dissection of some decrypted IKEv2 payloads
This commit adds two testcases to the advanced test, which verify
dissecting and building for the two decrypted IKE_AUTH messages
of the pcap file.
* IKEv2 keyexchange with NAT-traversal
- IKE_SA_INIT request
- IKE_SA_INIT response
- IKE_AUTH request
- IKE_AUTH response
- IKE_AUTH request, decrypted (new)
- IKE_AUTH response, decrypted (new)
Effectively, those two testcases combine unit tests for the following
payloads transmitted in the Encrypted payload of the IKE_AUTH exchange:
AUTH, CERTREQ, CERT_CRT, CP, IDi, IDr, Nonce, Notify, Proposal,
SA, TSi, TSr, Transform, VendorID
Also add a forgotten reference to the origin of the capture file: it is
taken from 'Example 2: Dissection of encrypted (and UDP-encapsulated)
IKEv2 and ESP messages' on the Wireshark [SampleCaptures] Wiki page.
Note: The tarfile not only contains the pcap file but also the secrets
which enable Wireshark (v3.6+) to decrypt the IKE and ESP traffic.
The raw frame data was crafted manually using Wireshark for decrypting
the encrypted payload and Scapy for gluing the layers together.
[SampleCaptures]: https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures
Scapy is a powerful Python-based interactive packet manipulation program and library.
It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, store or read them using pcap files, match requests and replies, and much more. It is designed to allow fast packet prototyping by using default values that work.
It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, wireshark, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VoIP decoding on WEP protected channel, ...), etc.
Scapy supports Python 2.7 and Python 3 (3.4 to 3.9). It's intended to be cross platform, and runs on many different platforms (Linux, OSX, *BSD, and Windows).
Scapy is usable either as a shell or as a library. For further details, please head over to Getting started with Scapy, which is part of the documentation.
Scapy can easily be used as an interactive shell to interact with the network. The following example shows how to send an ICMP Echo Request message to github.com, then display the reply source IP address:
sudo ./run_scapy Welcome to Scapy >>> p = IP(dst="github.com")/ICMP() >>> r = sr1(p) Begin emission: .Finished to send 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets >>> r[IP].src '192.30.253.113'
The documentation contains more advanced use cases, and examples.
Other useful resources:
Scapy works without any external Python modules on Linux and BSD like operating systems. On Windows, you need to install some mandatory dependencies as described in the documentation.
On most systems, using Scapy is as simple as running the following commands:
git clone https://github.com/secdev/scapy cd scapy ./run_scapy
To benefit from all Scapy features, such as plotting, you might want to install Python modules, such as matplotlib or cryptography. See the documentation and follow the instructions to install them.
Want to contribute? Great! Please take a few minutes to read this!