update notes

2024-11-15 21:58:07 +01:00 · 2024-11-15 21:58:07 +01:00 · eb97ca67da
commit eb97ca67da
parent 9daba5a289
4 changed files with 360 additions and 2 deletions
--- a/Blatt02/Blatt02.md
+++ b/Blatt02/Blatt02.md
@ -1 +1,64 @@
 ![image-20241110210209022](./assets/image-20241110210209022.png)
+
+```
+root@pc1:~# tcpdump -i eth1
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+19:35:04.553056 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo request, id 38058, seq 1, length 64
+19:35:04.555038 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo reply, id 38058, seq 1, length 64
+19:35:05.554500 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo request, id 38058, seq 2, length 64
+19:35:05.555265 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo reply, id 38058, seq 2, length 64
+19:35:06.555772 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo request, id 38058, seq 3, length 64
+19:35:06.556673 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo reply, id 38058, seq 3, length 64
+19:35:07.557110 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo request, id 38058, seq 4, length 64
+19:35:07.557961 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo reply, id 38058, seq 4, length 64
+19:35:08.558528 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo request, id 38058, seq 5, length 64
+19:35:08.559256 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo reply, id 38058, seq 5, length 64
+19:35:08.722292 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo request, id 10952, seq 1, length 64
+19:35:08.722331 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo reply, id 10952, seq 1, length 64
+19:35:09.631016 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, neighbor solicitation, who has fe80::216:3eff:fe00:2, length 32
+19:35:09.631064 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, neighbor advertisement, tgt is fe80::216:3eff:fe00:2, length 24
+19:35:09.723566 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo request, id 10952, seq 2, length 64
+19:35:09.723596 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo reply, id 10952, seq 2, length 64
+19:35:10.724802 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo request, id 10952, seq 3, length 64
+19:35:10.724838 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo reply, id 10952, seq 3, length 64
+19:35:11.726031 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo request, id 10952, seq 4, length 64
+19:35:11.726064 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo reply, id 10952, seq 4, length 64
+19:35:12.727250 IP6 fe80::216:3eff:fe00:4 > fe80::216:3eff:fe00:2: ICMP6, echo request, id 10952, seq 5, length 64
+19:35:12.727282 IP6 fe80::216:3eff:fe00:2 > fe80::216:3eff:fe00:4: ICMP6, echo reply, id 10952, seq 5, length 64
+```
+
+
+
+```
+root@pc1:~# python3 208.py
+Ether / fe80::216:3eff:fe00:2 > ff02::16 (0) / IPv6ExtHdrHopByHop / ICMPv6MLReport2
+Ether / fe80::216:3eff:fe00:2 > ff02::16 (0) / IPv6ExtHdrHopByHop / ICMPv6MLReport2
+Ether / fe80::216:3eff:fe00:4 > ff02::16 (0) / IPv6ExtHdrHopByHop / ICMPv6MLReport2
+Ether / fe80::216:3eff:fe00:4 > ff02::16 (0) / IPv6ExtHdrHopByHop / ICMPv6MLReport2
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x3d3d seq: 0x1)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x3d3d seq: 0x1)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x3d3d seq: 0x2)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x3d3d seq: 0x2)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x3d3d seq: 0x3)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x3d3d seq: 0x3)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x3d3d seq: 0x4)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x3d3d seq: 0x4)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x3d3d seq: 0x5)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x3d3d seq: 0x5)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x6b18 seq: 0x1)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x6b18 seq: 0x1)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x6b18 seq: 0x2)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x6b18 seq: 0x2)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x6b18 seq: 0x3)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x6b18 seq: 0x3)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x6b18 seq: 0x4)                                                                                                                                                                                     Ether / IPv6 / ICMPv6 Echo Reply (id: 0x6b18 seq: 0x4)
+Ether / IPv6 / ICMPv6 Echo Request (id: 0x6b18 seq: 0x5)
+Ether / IPv6 / ICMPv6 Echo Reply (id: 0x6b18 seq: 0x5)
+```
+
+
+
+![image-20241114215255732](https://lsky.mhrooz.xyz/2024/11/14/876adec1dda00.png)
+
+![image-20241114221022240](./assets/image-20241114221022240.png)
--- a/Blatt02/Notes.md
+++ b/Blatt02/Notes.md
@ -305,7 +305,7 @@ Nachdem Sie in Aufgabe A101 die Topologie der virtuellen Infrastruktur vollstän

   x) 使用 `scapy` 发送带有新 MAC 地址的 ARP Reply 和 Neighbor Advertisement (NA) 数据包从 pc1 发给 pc2。查看 pc2 的邻居缓存在接收到数据包后有何反应？

-### **A203 在 C 中实现 ARP**
+### A203 在 C 中实现 ARP

 任务是独立实现 ARP 协议 (参见 RFC 826)。目标是基于 TUN/TAP 设备，在网络内拦截数据流，并通过工具 `arping` 对 ARP 请求发送语义和语法正确的 ARP 响应。

@ -401,11 +401,306 @@ $ arping -I mytap <ip>
 - **OpenVPN**：支持 TUN 和 TAP 两种模式，用户可以根据需求选择相应的接口类型。
 - **虚拟化平台**（如 KVM、VirtualBox）：通常使用 TAP 接口来实现虚拟机与主机网络的连接。

+## Wireshark
+
+`ssh pc1 "tcpdump -i eth1 -s 0 -w - 'not port 22'" | sudo wireshark -k -i-`



+`grep -A awk` 是一种组合使用 `grep` 和 `awk` 命令的方式，用于在文本中搜索特定内容并提取数据。这种组合通常用于更加精细地过滤和处理数据。下面我们来详细解释它们的用法，并通过一些例子展示如何结合 `grep -A` 和 `awk` 来完成任务。
+
+## `grep` 和 `-A` 选项
+
+- **`grep`** 是一个搜索命令，用于在文本中查找特定的字符串或正则表达式匹配项。
+- **`-A` 选项** 表示“after”（之后），用于输出匹配行及其后面的几行内容。
+
+**语法：**
+
+```bash
+grep -A <number> <pattern> <file>
+```
+
+- `<number>`：匹配行之后的行数。
+- `<pattern>`：要搜索的模式或字符串。
+- `<file>`：要搜索的文件名。
+
+**示例：**
+
+假设文件 `sample.txt` 内容如下：
+
+```plaintext
+Line 1: Apple
+Line 2: Orange
+Line 3: Banana
+Line 4: Grape
+Line 5: Mango
+```
+
+使用 `grep -A` 查找包含 `Orange` 的行，并显示它之后的 2 行：
+
+```bash
+grep -A 2 "Orange" sample.txt
+```
+
+**输出：**
+
+```plaintext
+Line 2: Orange
+Line 3: Banana
+Line 4: Grape
+```
+
+在这里，`grep` 输出匹配行 `Line 2: Orange` 以及接下来的 2 行。
+
+## `awk` 命令
+
+`awk` 是一个强大的文本处理工具，可以对 `grep` 的输出结果进行进一步的数据提取和处理。
+
+**基本语法：**
+
+```bash
+awk '<pattern> {action}' <file>
+```
+
+- `<pattern>`：条件或模式，表示当行内容符合该条件时执行 `{action}`。
+- `{action}`：对符合条件的行执行的操作。
+- `<file>`：输入文件，或直接从管道传入数据。
+
+**示例：**
+
+假设 `sample.txt` 内容如下：
+
+```plaintext
+Line 1: Apple
+Line 2: Orange
+Line 3: Banana
+Line 4: Grape
+Line 5: Mango
+```
+
+如果我们只想提取包含 `Orange` 的行的第二列：
+
+```bash
+grep "Orange" sample.txt | awk '{print $2}'
+```
+
+**输出：**
+
+```plaintext
+Orange
+```
+
+### 3. 组合 `grep -A` 和 `awk`
+
+将 `grep -A` 和 `awk` 组合在一起使用可以实现更加精确的数据提取。例如，我们想要查找包含 `Orange` 的行以及后面 2 行，并且只提取这些行的第二列。
+
+**示例：**
+
+```bash
+grep -A 2 "Orange" sample.txt | awk '{print $2}'
+```
+
+**输出：**
+
+```plaintext
+Orange
+Banana
+Grape
+```
+
+### 示例总结
+
+结合 `grep -A` 和 `awk` 的方法适用于以下场景：
+
+1. **grep -A** 用于定位特定模式及其后续行。
+2. **awk** 提取特定列或执行进一步的数据处理。
+
+通过这种组合方式，你可以有效地过滤并提取文本中的信息。
+
+## Scapy
+
+**Scapy** 是一个强大的 Python 库，用于处理网络包。它允许用户创建、发送、接收和分析网络包，广泛用于网络调试、安全测试、包分析等任务。Scapy 支持多种网络协议，如 Ethernet、IP、TCP、UDP、ICMP、ARP 等，因此非常适合网络工程师、渗透测试人员和研究人员。
+
+### Scapy 的基本功能
+
+Scapy 的主要功能包括 **构建网络包**、**发送和接收包**、以及 **分析网络流量**。以下是一些常见的 Scapy 用法。
+
+### 基本用法示例
+
+#### 1. 构建和发送 ICMP（ping）请求
+
+使用 Scapy 发送 ICMP 请求（类似于 `ping` 命令），可以通过构建 IP 层和 ICMP 层来完成。
+
+```python
+from scapy.all import *
+
+# 创建一个 ICMP 请求包
+packet = IP(dst="8.8.8.8") / ICMP()
+
+# 发送并接收响应
+response = sr1(packet, timeout=2)
+
+# 检查是否有响应
+if response:
+    print("Received response from:", response.src)
+else:
+    print("No response")
+```
+
+- `IP(dst="8.8.8.8")`：构建目标 IP 地址为 8.8.8.8 的 IP 层。
+- `/ ICMP()`：在 IP 层上附加 ICMP 协议层，形成一个完整的 ping 包。
+- `sr1()`：发送并接收一个响应包。
+
+#### 2. 发送 ARP 请求（地址解析协议）
+
+构建和发送 ARP 请求来获取局域网中目标 IP 地址的 MAC 地址。
+
+```python
+from scapy.all import *
+
+# 创建一个 ARP 请求包，目标 IP 为 192.168.1.1
+arp_request = ARP(pdst="192.168.1.1")
+
+# 将 ARP 包广播发送到局域网
+broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
+packet = broadcast / arp_request
+
+# 发送并接收响应
+answered, unanswered = srp(packet, timeout=2, iface="eth0")
+
+# 打印响应结果
+for send, receive in answered:
+    print("MAC Address:", receive.hwsrc, "IP Address:", receive.psrc)
+```
+
+- `ARP(pdst="192.168.1.1")`：创建一个目标 IP 地址为 192.168.1.1 的 ARP 请求。
+- `Ether(dst="ff:ff:ff:ff:ff:ff")`：构建一个以太网广播包，将 ARP 请求广播出去。
+- `srp()`：在数据链路层发送并接收响应。
+
+#### 3. 捕获网络数据包
+
+可以使用 Scapy 监听并捕获网络上的数据包，例如捕获 TCP 包：
+
+```python
+from scapy.all import *
+
+# 定义一个回调函数，用于处理捕获到的数据包
+def packet_callback(packet):
+    if packet.haslayer(TCP):
+        print("Captured TCP Packet:", packet.summary())
+
+# 开始捕获数据包
+sniff(filter="tcp", prn=packet_callback, count=10)
+```
+
+- `sniff()`：用于捕获网络数据包。
+  - `filter="tcp"`：过滤条件，仅捕获 TCP 包。
+  - `prn=packet_callback`：捕获到的数据包会传递到 `packet_callback` 函数。
+  - `count=10`：捕获 10 个数据包后停止。
+
+#### 4. 构建自定义网络包
+
+Scapy 允许构建任意协议层的包，你可以通过叠加不同协议层来构建自定义包：
+
+```python
+from scapy.all import *
+
+# 构建一个自定义的 TCP 数据包
+packet = IP(dst="192.168.1.1") / TCP(dport=80) / "Hello, World!"
+send(packet)
+```
+
+- `IP(dst="192.168.1.1")`：指定目标 IP 地址。
+- `TCP(dport=80)`：指定目标端口为 80（HTTP）。
+- `/"Hello, World!"`：在 TCP 层后添加数据负载。
+
+#### 5. 追踪路由路径（类似于 traceroute）
+
+Scapy 可以通过逐渐增加 TTL 值来模拟 `traceroute` 的功能：
+
+```python
+from scapy.all import *
+
+# 使用 Scapy 的 traceroute 功能
+result, unans = traceroute("google.com", maxttl=20)
+
+# 打印结果
+result.show()
+```
+
+- `traceroute("google.com", maxttl=20)`：设置最大 TTL 为 20，目标为 `google.com`。
+- `result.show()`：显示路由追踪结果。
+
+### Scapy 常用函数
+
+- `send(packet)`：发送数据包，不等待响应。
+- `sr(packet)`：发送数据包并等待响应（适用于网络层）。
+- `sr1(packet)`：发送数据包并等待一个响应包。
+- `srp(packet)`：在链路层发送数据包并等待响应（适用于数据链路层，如 Ethernet）。
+- `sniff()`：监听捕获数据包。
+- `traceroute()`：用于追踪网络路径，类似 `traceroute` 工具。
+
+### 总结
+
+Scapy 是一个功能强大的网络包处理库，主要功能包括：
+
+- **构建**：支持从链路层到应用层的网络包构建。
+- **发送/接收**：可以发送网络包并接收响应，用于网络测试。
+- **捕获/分析**：支持数据包捕获和实时流量分析。
+
+### RFC 826
+
+**Address Resolution module** convert the <protocol type, target protocol address> pair to a 48.bit Ethernet address.
+
+```
+However, the 10Mbit Ethernet requires 48.bit addresses on the physical cable, yet most protocol addresses are not 48.bits long, nor do they necessarily have any relationship to the 48.bit Ethernet address of the hardware. 
+```
+
+```
+As a packet is sent down through the network layers, routing determines the protocol address of the next hop for the packet and on which piece of hardware it expects to find the station with the immediate target protocol address. 
+
+In the case of the 10Mbit Ethernet, address resolution is needed and some lower layer (probably the hardware driver) must consult the Address Resolution module (perhaps implemented in the Ethernet support module) to convert the <protocol type, target protocol address> pair to a 48.bit Ethernet address. 
+
+The Address Resolution module tries to find this pair in a table. If it finds the pair, it gives the corresponding 48.bit Ethernet address back to the caller (hardware driver) which then transmits the packet. 
+
+If it does not, it probably informs the caller that it is throwing the packet away (on the assumption the packet will be retransmitted by a higher network layer), and generates an Ethernet packet with a type field of ether_type$ADDRESS_RESOLUTION. 
+
+The Address Resolution module then sets the ar$hrd field to ares_hrd$Ethernet, ar$pro to the protocol type that is being resolved, ar$hln to 6 (the number of bytes in a 48.bit Ethernet address), ar$pln to the length of an address in that protocol, ar$op to ares_op$REQUEST, ar$sha with the 48.bit ethernet address of itself, ar$spa with the protocol address of itself, and ar$tpa with the protocol address of the machine that is trying to be accessed. 
+
+It does not set ar$tha to anything in particular, because it is this value that it is trying to determine. It could set ar$tha to the broadcast address for the hardware (all ones in the case of the 10Mbit Ethernet) if that makes it convenient for some aspect of the implementation. It then causes this packet to be broadcast to all stations on the Ethernet cable originally determined by the routing mechanism.
+```



+```
+Packet Reception:
+-----------------

+When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module which goes through an algorithm similar to the following.

+Negative conditionals indicate an end of processing and a discarding of the packet.
+
+?Do I have the hardware type in ar$hrd?
+Yes: (almost definitely)
+  [optionally check the hardware length ar$hln]
+  ?Do I speak the protocol in ar$pro?
+  Yes:
+    [optionally check the protocol length ar$pln]
+    Merge_flag := false
+    If the pair <protocol type, sender protocol address> is
+        already in my translation table, update the sender
+        hardware address field of the entry with the new
+        information in the packet and set Merge_flag to true.
+    ?Am I the target protocol address?
+    Yes:
+      If Merge_flag is false, add the triplet <protocol type,
+          sender protocol address, sender hardware address> to
+          the translation table.
+      ?Is the opcode ares_op$REQUEST?  (NOW look at the opcode!!)
+      Yes:
+        Swap hardware and protocol fields, putting the local
+            hardware and protocol addresses in the sender fields.
+        Set the ar$op field to ares_op$REPLY
+        Send the packet to the (new) target hardware address on
+            the same hardware on which the request was received.
+```
--- a/Blatt02/assets/image-20241114215255732.png
+++ b/Blatt02/assets/image-20241114215255732.png
--- a/Blatt02/assets/image-20241114221022240.png
+++ b/Blatt02/assets/image-20241114221022240.png