Change TCP Payload with nfqueue/scapyPython: Rewriting query within TCP payload using nfqueue/scapyMITM and payload injection with pythonHow do you change the size of figures drawn with matplotlib?Capture TCP-Packets with PythonUsing Scapy to send tcp payload: Why a byte is eaten?scapy receive waiting for 2 packetsHow to passively sniff for TCP/HTTP get requestsPython - Scapy and nfqueue change outgoing GET request, set_payload not effecting payloadlibnetfilter_queue: Why can't I see the TCP payload of packets from nfq_get_payload?Python script used to modify tcp packets using nfqueue and scapyPython: Rewriting query within TCP payload using nfqueue/scapyCreating TCP packets properly in Python

Simulate Bitwise Cyclic Tag

XeLaTeX and pdfLaTeX ignore hyphenation

How to determine if window is maximised or minimised from bash script

Does the radius of the Spirit Guardians spell depend on the size of the caster?

A newer friend of my brother's gave him a load of baseball cards that are supposedly extremely valuable. Is this a scam?

Copycat chess is back

How do you conduct xenoanthropology after first contact?

Pick 2 numbers from [-1,1],what is the probability that their sum is greater than 1?

Is there really no realistic way for a skeleton monster to move around without magic?

Can I make popcorn with any corn?

New order #4: World

I’m planning on buying a laser printer but concerned about the life cycle of toner in the machine

how to create a data type and make it available in all Databases?

Can an x86 CPU running in real mode be considered to be basically an 8086 CPU?

How is the claim "I am in New York only if I am in America" the same as "If I am in New York, then I am in America?

Prevent a directory in /tmp from being deleted

What does "enim et" mean?

Download, install and reboot computer at night if needed

Why Is Death Allowed In the Matrix?

Why has Russell's definition of numbers using equivalence classes been finally abandoned? ( If it has actually been abandoned).

Are tax years 2016 & 2017 back taxes deductible for tax year 2018?

Can you lasso down a wizard who is using the Levitate spell?

What are these boxed doors outside store fronts in New York?

Draw simple lines in Inkscape



Change TCP Payload with nfqueue/scapy


Python: Rewriting query within TCP payload using nfqueue/scapyMITM and payload injection with pythonHow do you change the size of figures drawn with matplotlib?Capture TCP-Packets with PythonUsing Scapy to send tcp payload: Why a byte is eaten?scapy receive waiting for 2 packetsHow to passively sniff for TCP/HTTP get requestsPython - Scapy and nfqueue change outgoing GET request, set_payload not effecting payloadlibnetfilter_queue: Why can't I see the TCP payload of packets from nfq_get_payload?Python script used to modify tcp packets using nfqueue and scapyPython: Rewriting query within TCP payload using nfqueue/scapyCreating TCP packets properly in Python






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








4















Hello I am using nfqueue and scapy and I my goal is to recieve packets at my NFQUEUE, change the payload and resend them.



I can change fields like the TTL without any kind of problem, but when it comes to change the payload, I am encoutering problems.



When I change the payload, I sniff the packet with wireshark and apparently I send the packet with the payload modified, but the server doesn't answer.



This is my code:



#!/usr/bin/env python

import nfqueue
from scapy.all import *
def callback(payload):
data = payload.get_data()
pkt = IP(data)

pkt[TCP].payload = str(pkt[TCP].payload).replace("ABC","GET")

pkt[IP].ttl = 40

print 'Data: '+ str(pkt[TCP].payload)
print 'TTL: ' + str(pkt[IP].ttl)

del pkt[IP].chksum
payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt))
def main():
q = nfqueue.queue()
q.open()
q.bind(socket.AF_INET)
q.set_callback(callback)
q.create_queue(0)
try:
q.try_run() # Main loop
except KeyboardInterrupt:
q.unbind(socket.AF_INET)
q.close()

main()


I have set this rule for outgoing traffic to port 80: iptables -I OUTPUT -s 192.168.1.10 -p tcp --dport 80 -j NFQUEUE



And, to test it, for example I open telnet to google port 80, do a GET / HTTP/1.1 and this is what I see:



TTL: 40
DATA: GET / HTTP/1.1


Now, if I do ABC / HTTP/1.1 I receive no answer! My telnet just get stuck.



I have also tried on HTTP websites browers to browse something, check on wireshark how my TTL is really changing to 40, then, browse the string "ABC" and my browser again get stuck.
I sniff the request changed to GET but I receive no answer.



Thank is kind of giving me a headache and I would really appreciate if someone with more experience could lead me to the right way. Thank you in advance.










share|improve this question

















  • 3





    I think you should trigger recalculation of the TCP checksum field as well, in a similar manner to that of the IP checksum field.

    – Yoel
    Dec 4 '14 at 15:05

















4















Hello I am using nfqueue and scapy and I my goal is to recieve packets at my NFQUEUE, change the payload and resend them.



I can change fields like the TTL without any kind of problem, but when it comes to change the payload, I am encoutering problems.



When I change the payload, I sniff the packet with wireshark and apparently I send the packet with the payload modified, but the server doesn't answer.



This is my code:



#!/usr/bin/env python

import nfqueue
from scapy.all import *
def callback(payload):
data = payload.get_data()
pkt = IP(data)

pkt[TCP].payload = str(pkt[TCP].payload).replace("ABC","GET")

pkt[IP].ttl = 40

print 'Data: '+ str(pkt[TCP].payload)
print 'TTL: ' + str(pkt[IP].ttl)

del pkt[IP].chksum
payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt))
def main():
q = nfqueue.queue()
q.open()
q.bind(socket.AF_INET)
q.set_callback(callback)
q.create_queue(0)
try:
q.try_run() # Main loop
except KeyboardInterrupt:
q.unbind(socket.AF_INET)
q.close()

main()


I have set this rule for outgoing traffic to port 80: iptables -I OUTPUT -s 192.168.1.10 -p tcp --dport 80 -j NFQUEUE



And, to test it, for example I open telnet to google port 80, do a GET / HTTP/1.1 and this is what I see:



TTL: 40
DATA: GET / HTTP/1.1


Now, if I do ABC / HTTP/1.1 I receive no answer! My telnet just get stuck.



I have also tried on HTTP websites browers to browse something, check on wireshark how my TTL is really changing to 40, then, browse the string "ABC" and my browser again get stuck.
I sniff the request changed to GET but I receive no answer.



Thank is kind of giving me a headache and I would really appreciate if someone with more experience could lead me to the right way. Thank you in advance.










share|improve this question

















  • 3





    I think you should trigger recalculation of the TCP checksum field as well, in a similar manner to that of the IP checksum field.

    – Yoel
    Dec 4 '14 at 15:05













4












4








4


5






Hello I am using nfqueue and scapy and I my goal is to recieve packets at my NFQUEUE, change the payload and resend them.



I can change fields like the TTL without any kind of problem, but when it comes to change the payload, I am encoutering problems.



When I change the payload, I sniff the packet with wireshark and apparently I send the packet with the payload modified, but the server doesn't answer.



This is my code:



#!/usr/bin/env python

import nfqueue
from scapy.all import *
def callback(payload):
data = payload.get_data()
pkt = IP(data)

pkt[TCP].payload = str(pkt[TCP].payload).replace("ABC","GET")

pkt[IP].ttl = 40

print 'Data: '+ str(pkt[TCP].payload)
print 'TTL: ' + str(pkt[IP].ttl)

del pkt[IP].chksum
payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt))
def main():
q = nfqueue.queue()
q.open()
q.bind(socket.AF_INET)
q.set_callback(callback)
q.create_queue(0)
try:
q.try_run() # Main loop
except KeyboardInterrupt:
q.unbind(socket.AF_INET)
q.close()

main()


I have set this rule for outgoing traffic to port 80: iptables -I OUTPUT -s 192.168.1.10 -p tcp --dport 80 -j NFQUEUE



And, to test it, for example I open telnet to google port 80, do a GET / HTTP/1.1 and this is what I see:



TTL: 40
DATA: GET / HTTP/1.1


Now, if I do ABC / HTTP/1.1 I receive no answer! My telnet just get stuck.



I have also tried on HTTP websites browers to browse something, check on wireshark how my TTL is really changing to 40, then, browse the string "ABC" and my browser again get stuck.
I sniff the request changed to GET but I receive no answer.



Thank is kind of giving me a headache and I would really appreciate if someone with more experience could lead me to the right way. Thank you in advance.










share|improve this question














Hello I am using nfqueue and scapy and I my goal is to recieve packets at my NFQUEUE, change the payload and resend them.



I can change fields like the TTL without any kind of problem, but when it comes to change the payload, I am encoutering problems.



When I change the payload, I sniff the packet with wireshark and apparently I send the packet with the payload modified, but the server doesn't answer.



This is my code:



#!/usr/bin/env python

import nfqueue
from scapy.all import *
def callback(payload):
data = payload.get_data()
pkt = IP(data)

pkt[TCP].payload = str(pkt[TCP].payload).replace("ABC","GET")

pkt[IP].ttl = 40

print 'Data: '+ str(pkt[TCP].payload)
print 'TTL: ' + str(pkt[IP].ttl)

del pkt[IP].chksum
payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt))
def main():
q = nfqueue.queue()
q.open()
q.bind(socket.AF_INET)
q.set_callback(callback)
q.create_queue(0)
try:
q.try_run() # Main loop
except KeyboardInterrupt:
q.unbind(socket.AF_INET)
q.close()

main()


I have set this rule for outgoing traffic to port 80: iptables -I OUTPUT -s 192.168.1.10 -p tcp --dport 80 -j NFQUEUE



And, to test it, for example I open telnet to google port 80, do a GET / HTTP/1.1 and this is what I see:



TTL: 40
DATA: GET / HTTP/1.1


Now, if I do ABC / HTTP/1.1 I receive no answer! My telnet just get stuck.



I have also tried on HTTP websites browers to browse something, check on wireshark how my TTL is really changing to 40, then, browse the string "ABC" and my browser again get stuck.
I sniff the request changed to GET but I receive no answer.



Thank is kind of giving me a headache and I would really appreciate if someone with more experience could lead me to the right way. Thank you in advance.







python scapy tcp-ip netfilter packet-injection






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 4 '14 at 12:18









aDoNaDoN

82732037




82732037







  • 3





    I think you should trigger recalculation of the TCP checksum field as well, in a similar manner to that of the IP checksum field.

    – Yoel
    Dec 4 '14 at 15:05












  • 3





    I think you should trigger recalculation of the TCP checksum field as well, in a similar manner to that of the IP checksum field.

    – Yoel
    Dec 4 '14 at 15:05







3




3





I think you should trigger recalculation of the TCP checksum field as well, in a similar manner to that of the IP checksum field.

– Yoel
Dec 4 '14 at 15:05





I think you should trigger recalculation of the TCP checksum field as well, in a similar manner to that of the IP checksum field.

– Yoel
Dec 4 '14 at 15:05












2 Answers
2






active

oldest

votes


















6














I added the line for recalculate the TCP checksum, that was usefull.



That only works if I change payload I don't alter the lenght of it, otherwise, I would need to change the field length of the IP Header, and answering myself, and maybe other people that is looking for this answer, I achieve that just by doing:



payload_before = len(pkt[TCP].payload)

pkt[TCP].payload = str(pkt[TCP].payload).replace("Heading","Other string")

payload_after = len(pkt[TCP].payload)

payload_dif = payload_after - payload_before

pkt[IP].len = pkt[IP].len + payload_dif


I know that I have to change more fields, because sometimes, if you add enough payload for needing to fragment into a new packet, you have to change more fields.



Currently I don't know how to achieve this efficiently but little by little. Hope someone find my solution for altering the payload useful.






share|improve this answer























  • Thank for the comment but if you want everything work properly you have to add also 'payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt)+ payload_dif )'

    – A STEFANI
    Jan 31 '18 at 19:47











  • Note that if you set a length, checksum... to None, Scapy will automatically recalculate the values

    – Cukic0d
    Feb 4 at 17:09


















4















In the second case, you are tampering the TCP layer as well as the IP layer.



You're letting Scapy fix the IP checksum, but not the TCP one. Change del pkt[IP].chksum to del pkt[IP].chksum pkt[TCP].chksum in your code.






share|improve this answer























    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f27293924%2fchange-tcp-payload-with-nfqueue-scapy%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    6














    I added the line for recalculate the TCP checksum, that was usefull.



    That only works if I change payload I don't alter the lenght of it, otherwise, I would need to change the field length of the IP Header, and answering myself, and maybe other people that is looking for this answer, I achieve that just by doing:



    payload_before = len(pkt[TCP].payload)

    pkt[TCP].payload = str(pkt[TCP].payload).replace("Heading","Other string")

    payload_after = len(pkt[TCP].payload)

    payload_dif = payload_after - payload_before

    pkt[IP].len = pkt[IP].len + payload_dif


    I know that I have to change more fields, because sometimes, if you add enough payload for needing to fragment into a new packet, you have to change more fields.



    Currently I don't know how to achieve this efficiently but little by little. Hope someone find my solution for altering the payload useful.






    share|improve this answer























    • Thank for the comment but if you want everything work properly you have to add also 'payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt)+ payload_dif )'

      – A STEFANI
      Jan 31 '18 at 19:47











    • Note that if you set a length, checksum... to None, Scapy will automatically recalculate the values

      – Cukic0d
      Feb 4 at 17:09















    6














    I added the line for recalculate the TCP checksum, that was usefull.



    That only works if I change payload I don't alter the lenght of it, otherwise, I would need to change the field length of the IP Header, and answering myself, and maybe other people that is looking for this answer, I achieve that just by doing:



    payload_before = len(pkt[TCP].payload)

    pkt[TCP].payload = str(pkt[TCP].payload).replace("Heading","Other string")

    payload_after = len(pkt[TCP].payload)

    payload_dif = payload_after - payload_before

    pkt[IP].len = pkt[IP].len + payload_dif


    I know that I have to change more fields, because sometimes, if you add enough payload for needing to fragment into a new packet, you have to change more fields.



    Currently I don't know how to achieve this efficiently but little by little. Hope someone find my solution for altering the payload useful.






    share|improve this answer























    • Thank for the comment but if you want everything work properly you have to add also 'payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt)+ payload_dif )'

      – A STEFANI
      Jan 31 '18 at 19:47











    • Note that if you set a length, checksum... to None, Scapy will automatically recalculate the values

      – Cukic0d
      Feb 4 at 17:09













    6












    6








    6







    I added the line for recalculate the TCP checksum, that was usefull.



    That only works if I change payload I don't alter the lenght of it, otherwise, I would need to change the field length of the IP Header, and answering myself, and maybe other people that is looking for this answer, I achieve that just by doing:



    payload_before = len(pkt[TCP].payload)

    pkt[TCP].payload = str(pkt[TCP].payload).replace("Heading","Other string")

    payload_after = len(pkt[TCP].payload)

    payload_dif = payload_after - payload_before

    pkt[IP].len = pkt[IP].len + payload_dif


    I know that I have to change more fields, because sometimes, if you add enough payload for needing to fragment into a new packet, you have to change more fields.



    Currently I don't know how to achieve this efficiently but little by little. Hope someone find my solution for altering the payload useful.






    share|improve this answer













    I added the line for recalculate the TCP checksum, that was usefull.



    That only works if I change payload I don't alter the lenght of it, otherwise, I would need to change the field length of the IP Header, and answering myself, and maybe other people that is looking for this answer, I achieve that just by doing:



    payload_before = len(pkt[TCP].payload)

    pkt[TCP].payload = str(pkt[TCP].payload).replace("Heading","Other string")

    payload_after = len(pkt[TCP].payload)

    payload_dif = payload_after - payload_before

    pkt[IP].len = pkt[IP].len + payload_dif


    I know that I have to change more fields, because sometimes, if you add enough payload for needing to fragment into a new packet, you have to change more fields.



    Currently I don't know how to achieve this efficiently but little by little. Hope someone find my solution for altering the payload useful.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Dec 9 '14 at 13:06









    aDoNaDoN

    82732037




    82732037












    • Thank for the comment but if you want everything work properly you have to add also 'payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt)+ payload_dif )'

      – A STEFANI
      Jan 31 '18 at 19:47











    • Note that if you set a length, checksum... to None, Scapy will automatically recalculate the values

      – Cukic0d
      Feb 4 at 17:09

















    • Thank for the comment but if you want everything work properly you have to add also 'payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt)+ payload_dif )'

      – A STEFANI
      Jan 31 '18 at 19:47











    • Note that if you set a length, checksum... to None, Scapy will automatically recalculate the values

      – Cukic0d
      Feb 4 at 17:09
















    Thank for the comment but if you want everything work properly you have to add also 'payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt)+ payload_dif )'

    – A STEFANI
    Jan 31 '18 at 19:47





    Thank for the comment but if you want everything work properly you have to add also 'payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt)+ payload_dif )'

    – A STEFANI
    Jan 31 '18 at 19:47













    Note that if you set a length, checksum... to None, Scapy will automatically recalculate the values

    – Cukic0d
    Feb 4 at 17:09





    Note that if you set a length, checksum... to None, Scapy will automatically recalculate the values

    – Cukic0d
    Feb 4 at 17:09













    4















    In the second case, you are tampering the TCP layer as well as the IP layer.



    You're letting Scapy fix the IP checksum, but not the TCP one. Change del pkt[IP].chksum to del pkt[IP].chksum pkt[TCP].chksum in your code.






    share|improve this answer



























      4















      In the second case, you are tampering the TCP layer as well as the IP layer.



      You're letting Scapy fix the IP checksum, but not the TCP one. Change del pkt[IP].chksum to del pkt[IP].chksum pkt[TCP].chksum in your code.






      share|improve this answer

























        4












        4








        4








        In the second case, you are tampering the TCP layer as well as the IP layer.



        You're letting Scapy fix the IP checksum, but not the TCP one. Change del pkt[IP].chksum to del pkt[IP].chksum pkt[TCP].chksum in your code.






        share|improve this answer














        In the second case, you are tampering the TCP layer as well as the IP layer.



        You're letting Scapy fix the IP checksum, but not the TCP one. Change del pkt[IP].chksum to del pkt[IP].chksum pkt[TCP].chksum in your code.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 5 '14 at 7:20









        PierrePierre

        4,54912240




        4,54912240



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f27293924%2fchange-tcp-payload-with-nfqueue-scapy%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Identity Server 4 is not redirecting to Angular app after login2019 Community Moderator ElectionIdentity Server 4 and dockerIdentityserver implicit flow unauthorized_clientIdentityServer Hybrid Flow - Access Token is null after user successful loginIdentity Server to MVC client : Page Redirect After loginLogin with Steam OpenId(oidc-client-js)Identity Server 4+.NET Core 2.0 + IdentityIdentityServer4 post-login redirect not working in Edge browserCall to IdentityServer4 generates System.NullReferenceException: Object reference not set to an instance of an objectIdentityServer4 without HTTPS not workingHow to get Authorization code from identity server without login form

            2005 Ahvaz unrest Contents Background Causes Casualties Aftermath See also References Navigation menue"At Least 10 Are Killed by Bombs in Iran""Iran"Archived"Arab-Iranians in Iran to make April 15 'Day of Fury'"State of Mind, State of Order: Reactions to Ethnic Unrest in the Islamic Republic of Iran.10.1111/j.1754-9469.2008.00028.x"Iran hangs Arab separatists"Iran Overview from ArchivedConstitution of the Islamic Republic of Iran"Tehran puzzled by forged 'riots' letter""Iran and its minorities: Down in the second class""Iran: Handling Of Ahvaz Unrest Could End With Televised Confessions""Bombings Rock Iran Ahead of Election""Five die in Iran ethnic clashes""Iran: Need for restraint as anniversary of unrest in Khuzestan approaches"Archived"Iranian Sunni protesters killed in clashes with security forces"Archived

            Can't initialize raids on a new ASUS Prime B360M-A motherboard2019 Community Moderator ElectionSimilar to RAID config yet more like mirroring solution?Can't get motherboard serial numberWhy does the BIOS entry point start with a WBINVD instruction?UEFI performance Asus Maximus V Extreme