Tags: python, scapy, netcat

How to make Netcat display Payload of packet


I don't know if this is possible, but I am wondering.

I am doing some internal pentesting and using Scapy and Netcat, and I created a TCP packet with the payload "testing". I want to get the payload content piped into Netcat's listening port, using this example code:

from scapy.all import IP, TCP, send

# IP layer (no dst given here, so Scapy falls back to its default destination),
# TCP layer aimed at the netcat listening port, then the raw payload "testing"
test = IP(src="192.168.4.134")/TCP(dport=1234)/"testing"
send(test)  # sends one packet at layer 3 and returns; no reply is awaited

but all that ever prints is:

.
Sent 1 packets

Which is what Scapy spits out after it's sent the packet. I've been trying to figure out what I need to use in my code to show this. I know Netcat uses stdin and stdout, but I don't properly know how to code in Python yet; I'm just practising!

Can anyone help? Regards,


Solution

  • TCP is session based. Machines that want to communicate, must first synchronize (setup a session) with one another.

    This process is what's called a 3-way-handshake using the steps: SYN, SYN-ACK, ACK.

    1.) Machine A ====SYN====> Machine B (Machine A, running scapy, tries to sync with B, running netcat)
    2.) Machine B ==SYN-ACK==> Machine A (Machine B ACKs and SYNs with Machine A)
    3.) Machine A ====ACK====> Machine B (Machine A ACKs the SYN-ACK from Machine B)
    

    The machines now have a session (connection) and can send data to one another.

    Running netcat on a listening machine and trying to send it a single packet from scapy fails because your machine (A) fails to sync with machine (B) running netcat.

    IP 10.22.4.45.20 > 10.1.2.3:1234: Flags [S], seq 0:7, win 8192, length 7
    IP 10.1.2.3:1234 > 10.22.4.45:20: Flags [S.], seq 2668993358, ack 1, win 14600, options [mss 1460], length 0
    IP 10.22.4.45:20 > 10.1.2.3:1234: Flags [R], seq 1, win 0, length 0
    

    As you can see, machine B (netcat) tries to SYN-ACK with your machine, but since you just sent it a single packet and aren't listening for the returning SYN-ACK, your machine generates a RST (Reset) and the attempted connection is shut down before the 3-way-handshake was completed.

    There are two options. Either use UDP which is connectionless and doesn't require this connection setup, or do a complete TCP handshake. Scapy has a few ways to help you manage the TCP session creation should you choose the latter: http://trac.secdev.org/scapy/wiki/TCP
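The two options above, worked through as an added example (not code from the question or the answer): a Scapy client that completes the SYN / SYN-ACK / ACK exchange before pushing the payload, and the one-datagram UDP alternative. The target address, source port and initial sequence number are placeholders, scapy is assumed to be installed, and the sequence-number bookkeeping is kept in plain functions so it can be checked without sending anything.

```python
"""Deliver a payload to a netcat listener with Scapy: full TCP handshake, or UDP."""


def handshake_ack_numbers(client_isn: int, server_isn: int):
    """(seq, ack) for the client's final ACK: the SYN on each side consumes
    one sequence number, so we are at client_isn + 1 and ack server_isn + 1."""
    return client_isn + 1, server_isn + 1


def expected_server_ack(client_isn: int, payload: bytes) -> int:
    """Ack number the listener should return once it has the whole payload."""
    return client_isn + 1 + len(payload)


def send_over_tcp(dst: str, dport: int, payload: bytes, sport: int = 40000, isn: int = 1000) -> bool:
    """SYN -> SYN-ACK -> ACK, then PSH/ACK carrying the payload.

    Caveat: the local kernel has no socket for this connection and will answer
    the SYN-ACK with a RST (exactly what the tcpdump output above shows), so a
    local firewall rule dropping outgoing RSTs from `sport` is needed first.
    """
    from scapy.all import IP, TCP, sr1, send  # lazy import: raw sockets need root

    ip = IP(dst=dst)
    syn = ip / TCP(sport=sport, dport=dport, flags="S", seq=isn)
    synack = sr1(syn, timeout=3, verbose=0)
    if synack is None or int(synack[TCP].flags) & 0x12 != 0x12:  # SYN and ACK bits set
        raise RuntimeError("no SYN-ACK from %s:%d" % (dst, dport))

    seq, ack = handshake_ack_numbers(isn, synack[TCP].seq)
    send(ip / TCP(sport=sport, dport=dport, flags="A", seq=seq, ack=ack), verbose=0)

    # Session established: netcat now prints whatever arrives on the stream.
    data = ip / TCP(sport=sport, dport=dport, flags="PA", seq=seq, ack=ack) / payload
    reply = sr1(data, timeout=3, verbose=0)
    return reply is not None and reply[TCP].ack == expected_server_ack(isn, payload)


def send_over_udp(dst: str, dport: int, payload: bytes) -> None:
    """Connectionless alternative: one datagram, no handshake (netcat must listen with -u)."""
    from scapy.all import IP, UDP, send

    send(IP(dst=dst) / UDP(dport=dport) / payload, verbose=0)


if __name__ == "__main__":
    # Placeholder target: a netcat listener on port 1234 on a lab host you control.
    print(send_over_tcp("192.0.2.10", 1234, b"testing"))
```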