After collecting data by using Wireshark, I started thinking of ways to identify services and hosts in the network.
I found it was quite easy to identify web servers in a network, as packets sent by them have a header field called ‘Server’ from which we can identify exactly which server is running, such as Nginx, Apache, or Cisco IOS server.
Essentially, I wrote a Python program that can parse pcap files easily. Although we’ll need a program that dynamically captures packets and parses them too, we will see later how this current program will help us.
The following is a code snippet of how I did it:
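import socket

import dpkt

data = {}
filename = 'capture.pcap'

# pcap files are binary, so open them in 'rb' mode
with open(filename, 'rb') as f:
    for ts, buf in dpkt.pcap.Reader(f):
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        # Skip frames that are not IPv4 carrying TCP (ARP, IPv6, UDP, ...)
        if not isinstance(ip, dpkt.ip.IP) or not isinstance(ip.data, dpkt.tcp.TCP):
            continue
        tcp = ip.data
        try:
            reply = dpkt.http.Response(tcp.data).headers
        except (dpkt.dpkt.NeedData, dpkt.dpkt.UnpackError):
            continue
        # The Server header travels in the response, so the web server
        # is the source address of this packet, not the destination
        if 'server' in reply:
            data[socket.inet_ntoa(ip.src)] = reply['server']

print(data)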
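The same passive Server-header inventory, as an added example that is not the post's own code: it uses only the standard library, keys results on (source IP, source port) so several web servers on one host stay separate, and skips responses without a Server header and non-HTTP TCP traffic. The helpers `frame`, `build_pcap` and `server_banners` and all addresses in `SAMPLE` are assumptions made up for this illustration.

```python
import socket
import struct
from collections import defaultdict

def frame(src, sport, payload):
    # Constructed Ethernet/IPv4/TCP frame; MACs and checksums are left zero.
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("10.0.0.9"))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    # Classic little-endian pcap: 24-byte file header, link type 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def server_banners(pcap):
    """Map (source IP, source port) -> set of Server header values seen."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    seen, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                      # not IPv4 + TCP over Ethernet
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        data = tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else b""
        if not data.startswith(b"HTTP/1."):
            continue                      # only HTTP responses carry Server
        head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "server":
                key = (socket.inet_ntoa(pkt[26:30]), struct.unpack_from("!H", tcp)[0])
                seen[key].add(value.strip())
    return dict(seen)

SAMPLE = build_pcap([  # constructed capture, not real traffic
    frame("10.0.0.5", 80, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\nhi"),
    frame("10.0.0.5", 8080, b"HTTP/1.1 200 OK\r\nserver: Apache\r\n\r\n"),
    frame("10.0.0.6", 80, b"HTTP/1.1 204 No Content\r\nDate: x\r\n\r\n"),
    frame("10.0.0.7", 22, b"not an HTTP response"),
])

if __name__ == "__main__":
    print(server_banners(SAMPLE))
```

Like the per-packet approach above, this only sees a response whose status line and headers start a TCP segment, since it does no stream reassembly. The Server value is whatever the operator configured, so treat it as a hint for the inventory rather than proof of what is running.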
Now, I’m looking for ideas to identify other services too.