How to get the IPv6 headers on Windows using a raw socket?


I would like to implement a sniffer for incident response and forensic investigations, to sniff the traffic and identify malicious packets and C2 (C&C, Command and Control) IPs.

In incident response I can't install Npcap/WinPcap or other libraries detected by antivirus software, and I should use the fastest way to sniff the local traffic. So I would like to develop a simple CLI sniffer (it must be launched on Windows Server Core) as a single executable file, to copy/paste it onto the server and launch it with admin privileges.

Context example: ransomware is running on a server and exfiltrating data, and there is some NAT (Network Address Translation) between the firewalls and the server (so it's difficult to identify the malicious traffic).

I wrote a POC in Python on my GitHub.

How I use my raw socket:

from socket import (socket, AF_INET6, SOCK_RAW, IPPROTO_IP, IPPROTO_IPV6,
                    IPV6_PKTINFO, SIO_RCVALL, RCVALL_ON, RCVALL_OFF)

sock = socket(AF_INET6, SOCK_RAW, IPPROTO_IP)
sock.bind(("<IPv6 address>", 0))  # local IPv6 address of the interface to sniff on
sock.setsockopt(IPPROTO_IPV6, IPV6_PKTINFO, 0)  # 0 = packet-info ancillary data disabled
sock.ioctl(SIO_RCVALL, RCVALL_ON)  # promiscuous mode on this interface (needs admin privileges)
try:
    while True:
        data, source_address = sock.recvfrom(65535)
except KeyboardInterrupt:
    pass  # Ctrl-C stops the capture loop
finally:
    sock.ioctl(SIO_RCVALL, RCVALL_OFF)  # was RCVALL_ON: leave promiscuous mode before closing
    sock.close()

What I get when I sniff an ICMPv6 packet:

0000  80 00 68 62 00 01 42 dc 61 62 63 64 65 66 67 68  ..hb..B.abcdefgh
0010  69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61  ijklmnopqrstuvwa
0020  62 63 64 65 66 67 68 69                          bcdefghi

It's just the data section without any IPv6 header, so I can't see the IPv6 addresses and protocol type (so I can't parse the data).

What i want:

0000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00   ..............`.
0010   00 00 00 28 3a 80 fe 80 00 00 00 00 00 00 12 23   ...(:..........#
0020   34 45 56 65 67 78 fe 80 00 00 00 00 00 00 00 00   4EVegx..........
0030   00 00 00 00 12 23 80 00 68 6a 00 01 42 d4 61 62   .....#..hj..B.ab
0040   63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72   cdefghijklmnopqr
0050   73 74 75 76 77 61 62 63 64 65 66 67 68 69         stuvwabcdefghi

Here I have the Ethernet frame. I would like that, but if you can help me get only the IPv6 headers, it's okay. If you know how I can get the full Ethernet frame, packet and segment, that's better for me.

I see IPV6_HDRINCL, but it's only for sending IPv6 headers, not receiving them, and I see this RFC, but I don't find what I'm searching for.

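Added example, not part of the question or of the asker's GitHub POC: a parser for the layout the "What I want" dump shows, i.e. 14 Ethernet bytes, the fixed 40-byte IPv6 header (version, traffic class, flow label, payload length, next header, hop limit, source and destination) and the ICMPv6 echo request behind it. The two sample byte strings are reconstructed from the two hex dumps above; the constants and function names are the editor's choice. The behaviour the first dump shows is documented by Microsoft for Windows raw sockets: an AF_INET6 raw socket receives what follows the last IPv6 header, never the IPv6 header itself, regardless of IPV6_HDRINCL, so the parser also accepts a bare IPv6 packet and rejects a header-less payload with a clear error. It computes the ICMPv6 pseudo-header checksum too, which needs the addresses from the IPv6 header and therefore cannot be checked on the header-less payload; on the posted frame the stored checksum does not match the one computed over the addresses shown, and the code reports that rather than hiding it.

```python
"""Parse Ethernet + IPv6 + ICMPv6 as laid out in the "What I want" dump.

Editor-added example. It does not make a Windows raw socket deliver the IPv6
header; it shows what that header contains once you have it, and why the
header-less payload from the first dump cannot be fully parsed.
"""
import struct
from ipaddress import IPv6Address

ETH_HDR_LEN = 14
IPV6_HDR_LEN = 40
ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128

PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte Windows ping payload

# Constructed from the "What I want" hex dump: 14 zeroed Ethernet bytes,
# a 40-byte IPv6 header and a 40-byte ICMPv6 echo request.
FULL_FRAME = (
    bytes(ETH_HDR_LEN)                                    # zeroed Ethernet header
    + bytes.fromhex("60000000 0028 3a 80")                # v6, plen 40, ICMPv6, hlim 128
    + bytes.fromhex("fe80000000000000 1223344556656778")  # src fe80::1223:3445:5665:6778
    + bytes.fromhex("fe80000000000000 0000000000001223")  # dst fe80::1223
    + bytes.fromhex("8000 686a 0001 42d4")                # echo request, csum, id, seq
    + PING_DATA
)

# Constructed from the "What I get" dump: the echo request exactly as the raw
# socket hands it over, with no IPv6 header in front of it.
PAYLOAD_ONLY = bytes.fromhex("8000 6862 0001 42dc") + PING_DATA


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IPv6 upper-layer checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, icmp):
    """RFC 8200 pseudo-header checksum: needs src/dst from the IPv6 header."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), NEXT_HEADER_ICMPV6)
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]  # checksum field counts as zero
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def parse_ipv6(packet):
    """Return (header dict, upper-layer payload) for a packet starting at the IPv6 header."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first >> 28
    if version != 6:
        raise ValueError("not an IPv6 header (version nibble %d)" % version)
    header = {
        "version": version,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": IPv6Address(packet[8:24]),
        "dst": IPv6Address(packet[24:40]),
    }
    return header, packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]


def parse_icmpv6(segment):
    """Return (ICMPv6 header dict, body). Works without the IPv6 header, unlike the checksum."""
    if len(segment) < 8:
        raise ValueError("truncated ICMPv6 header")
    type_, code, checksum, ident, seq = struct.unpack("!BBHHH", segment[:8])
    return {"type": type_, "code": code, "checksum": checksum, "id": ident, "seq": seq}, segment[8:]


def strip_link_layer(data):
    """Return (ethertype or None, IPv6 packet) for an Ethernet frame or a bare IPv6 packet."""
    if len(data) > ETH_HDR_LEN:
        ethertype = struct.unpack("!H", data[12:14])[0]
        zeroed_link = data[:ETH_HDR_LEN] == bytes(ETH_HDR_LEN)  # as in the dump above
        if ethertype == ETHERTYPE_IPV6 or (zeroed_link and data[ETH_HDR_LEN] >> 4 == 6):
            return ethertype, data[ETH_HDR_LEN:]
    if data and data[0] >> 4 == 6:
        return None, data
    raise ValueError("no IPv6 header found, first bytes %s" % data[:8].hex())


def parse_frame(data):
    """Full decode: link layer (if any), IPv6 header, ICMPv6 header and checksum check."""
    ethertype, packet = strip_link_layer(data)
    ip, payload = parse_ipv6(packet)
    result = {"ethertype": ethertype, "ipv6": ip, "icmpv6": None, "payload": payload}
    if ip["next_header"] == NEXT_HEADER_ICMPV6:
        icmp, body = parse_icmpv6(payload)
        icmp["checksum_computed"] = icmpv6_checksum(ip["src"], ip["dst"], payload)
        icmp["checksum_ok"] = icmp["checksum_computed"] == icmp["checksum"]
        result["icmpv6"], result["payload"] = icmp, body
    return result


if __name__ == "__main__":
    r = parse_frame(FULL_FRAME)
    print("%s -> %s next_header=%d hop_limit=%d" % (
        r["ipv6"]["src"], r["ipv6"]["dst"], r["ipv6"]["next_header"], r["ipv6"]["hop_limit"]))
    print("ICMPv6:", r["icmpv6"])
    try:
        parse_frame(PAYLOAD_ONLY)
    except ValueError as err:
        print("header-less payload:", err)
    print("ICMPv6 from header-less payload:", parse_icmpv6(PAYLOAD_ONLY)[0])
```

parse_frame is what you would run on each buffer from recvfrom once the IPv6 header (or the whole Ethernet frame) is present; on the header-less payload the raw socket currently returns, only parse_icmpv6 can be applied, and the source address, next header and checksum stay unknown, which is exactly the gap the question describes.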