Application Service Discovery – Week 4

After collecting data by using Wireshark, I started thinking of ways to identify services and hosts in the network.

I found it was quite easy to identify web servers in a network, as packets sent by them have a header field called ‘Server’ from which we can identify exactly which server is running, such as Nginx, Apache, or the Cisco IOS server.

Essentially, I wrote a Python program that can parse pcap files easily. Although we’ll need a program that dynamically captures packets and parses them too, we will see later how this current program will help us.

The following is a code snippet of how I did it:

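import dpkt
import socket

data = {}
filename = 'capture.pcap'

# pcap files are binary, so open in 'rb' mode
with open(filename, 'rb') as f:
    pcap = dpkt.pcap.Reader(f)

    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data

        # skip frames that do not carry IPv4 (ARP, IPv6, ...)
        if not isinstance(ip, dpkt.ip.IP):
            continue

        if isinstance(ip.data, dpkt.tcp.TCP):
            # the Server header is in the response, so the server is the source address
            ipAddress = socket.inet_ntoa(ip.src)
            tcp = ip.data
            try:
                reply = dpkt.http.Response(tcp.data).headers
            except (dpkt.dpkt.NeedData, dpkt.dpkt.UnpackError):
                continue

            # not every response carries a Server header
            if 'server' in reply:
                data[ipAddress] = reply['server']

print(data)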
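The same Server-header lookup keyed by (IP, port) instead of IP alone, so a host running web servers on two ports keeps both entries. This is an added example, not the post's code: it parses the Ethernet/IPv4/TCP headers with struct instead of dpkt so it runs on the standard library only. The frames in SAMPLE are constructed, make_frame is a helper invented to build them, and the code assumes each response's headers fit in a single TCP segment.

```python
import socket
import struct

def server_banner(frame):
    """Return ((server_ip, port), banner) for an HTTP response frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 over Ethernet only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                             # IP header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 20:                 # TCP with a full header only
        return None
    tcp = ip[ihl:]
    sport = struct.unpack("!H", tcp[:2])[0]
    payload = tcp[(tcp[12] >> 4) * 4:]                   # skip TCP header and options
    if not payload.startswith(b"HTTP/"):                 # responses only, not requests
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:                 # header names are case-insensitive
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return (socket.inet_ntoa(ip[12:16]), sport), value.strip().decode("latin-1")
    return None

def inventory(frames):
    """Map (server_ip, port) to the set of Server banners seen from it."""
    found = {}
    for frame in frames:
        hit = server_banner(frame)
        if hit:
            found.setdefault(hit[0], set()).add(hit[1])
    return found

def make_frame(src, dst, sport, dport, payload):
    """Hypothetical helper: Ethernet + IPv4 + TCP headers with checksums zeroed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed sample traffic: two servers on one host, a request, a banner-less reply
SAMPLE = [
    make_frame("10.0.0.5", "10.0.0.9", 80, 51000, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    make_frame("10.0.0.5", "10.0.0.9", 8080, 51001, b"HTTP/1.1 200 OK\r\nserver: Apache\r\n\r\n"),
    make_frame("10.0.0.9", "10.0.0.5", 51000, 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    make_frame("10.0.0.7", "10.0.0.9", 80, 51002, b"HTTP/1.1 204 No Content\r\n\r\n"),
]

if __name__ == "__main__":
    print(inventory(SAMPLE))
```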

Now, I’m looking for ideas to identify other services too.
