I would like to implement a sniffer for incident response and forensic investigations, to sniff the traffic and identify malicious packets and C2 (C&C, Command and Control) IPs.
In incident response I can't install npcap/winpcap or other libraries detected by antivirus software, and I should use the fastest way to sniff the local traffic. So I would like to develop a simple CLI sniffer (it must be launched on Windows Core servers) as a single executable file, to copy/paste it on the server and launch it with admin privileges.
Context example: a ransomware is running on a server and exfiltrating data; there is some NAT (Network Address Translation) between the firewalls and the server (so it's difficult to identify the malicious traffic).
I wrote a POC in Python on my GitHub.
How I use my raw socket:
from socket import socket, AF_INET6, SOCK_RAW, IPPROTO_IP, IPPROTO_IPV6, IPV6_PKTINFO, SIO_RCVALL, RCVALL_ON, RCVALL_OFF

sock = socket(AF_INET6, SOCK_RAW, IPPROTO_IP)
sock.bind(("<IPv6 address>", 0))        # address of the local interface to capture on
sock.setsockopt(IPPROTO_IPV6, IPV6_PKTINFO, 0)
sock.ioctl(SIO_RCVALL, RCVALL_ON)       # Windows-only: receive all packets on the interface
try:
    while True:
        data, source_address = sock.recvfrom(65535)
finally:
    sock.ioctl(SIO_RCVALL, RCVALL_OFF)  # leave promiscuous mode before closing
    sock.close()
What I get when I sniff an ICMPv6 packet:
0000 80 00 68 62 00 01 42 dc 61 62 63 64 65 66 67 68 ..hb..B.abcdefgh
0010 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61 ijklmnopqrstuvwa
0020 62 63 64 65 66 67 68 69 bcdefghi
It's just the data section without any IPv6 headers, so I can't see the IPv6 addresses and the protocol type (so I can't parse the data).
What I want:
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 ..............`.
0010 00 00 00 28 3a 80 fe 80 00 00 00 00 00 00 12 23 ...(:.*........Z
0020 34 45 56 65 67 78 fe 80 00 00 00 00 00 00 00 00 :(B.@.*..P@.....
0030 00 00 00 00 12 23 80 00 68 6a 00 01 42 d4 61 62 .... ...hj..B.ab
0040 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 cdefghijklmnopqr
0050 73 74 75 76 77 61 62 63 64 65 66 67 68 69 stuvwabcdefghi
Here I have the Ethernet frame. I would like it, but if you can help me to get only the IPv6 headers, it's okay. If you know how I can get the full Ethernet frame, packet and segment, that's better for me.
I see IPV6_HDRINCL but it's only to send IPv6 headers, not to receive them, and I see this RFC, but I don't find what I'm searching for.
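A parser for the frame layout shown in the "What I want" dump, added here as an example; it is not code from the question or from the asker's GitHub POC. It assumes a 14-byte Ethernet header followed by the fixed 40-byte IPv6 header and walks the hop-by-hop, routing, destination-options and fragment extension headers (going beyond the single ICMPv6 case in the dump) to reach the upper-layer protocol, which is what an investigator needs to pull source/destination addresses and protocol out of a captured buffer. The sample bytes are constructed from the hex columns of that dump; the parser does not address whether a Windows raw socket delivers those headers in the first place.

```python
import struct
import ipaddress

# Constructed from the hex columns of the "What I want" dump in the question:
# 14-byte Ethernet header (all zeros in the dump), 40-byte IPv6 header, ICMPv6 echo request.
SAMPLE_FRAME = bytes.fromhex(
    "00000000000000000000000000006000"
    "000000283a80fe800000000000001223"
    "344556656778fe800000000000000000"
    "0000000012238000686a000142d46162"
    "636465666768696a6b6c6d6e6f707172"
    "7374757677616263646566676869"
)

ETH_HDR_LEN = 14
IPV6_HDR_LEN = 40
# Extension headers sharing the generic (next_header, hdr_ext_len) layout (RFC 8200)
GENERIC_EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 60: "destination options"}
FRAGMENT_HEADER = 44          # fixed 8 octets, own layout
NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ipv6_header(buf, offset=0):
    """Parse the fixed IPv6 header at `offset`; return (fields, offset of the payload)."""
    if len(buf) - offset < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    vtc_fl, payload_len, next_hdr, hop_limit = struct.unpack_from("!IHBB", buf, offset)
    version = vtc_fl >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version nibble {version})")
    fields = {
        "version": version,
        "traffic_class": (vtc_fl >> 20) & 0xFF,
        "flow_label": vtc_fl & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        # ipaddress handles the 16-byte form portably (no inet_ntop needed)
        "src": str(ipaddress.IPv6Address(buf[offset + 8:offset + 24])),
        "dst": str(ipaddress.IPv6Address(buf[offset + 24:offset + 40])),
    }
    return fields, offset + IPV6_HDR_LEN


def skip_extension_headers(buf, next_hdr, offset):
    """Follow the extension-header chain; return (upper-layer protocol, its offset)."""
    while next_hdr in GENERIC_EXT_HEADERS or next_hdr == FRAGMENT_HEADER:
        if offset + 8 > len(buf):          # every extension header is at least 8 octets
            raise ValueError("truncated extension header chain")
        if next_hdr == FRAGMENT_HEADER:
            next_hdr, offset = buf[offset], offset + 8
        else:
            # hdr_ext_len counts 8-octet units, not including the first 8 octets
            nh, ext_len = struct.unpack_from("!BB", buf, offset)
            next_hdr, offset = nh, offset + (ext_len + 1) * 8
    return next_hdr, offset


def parse_icmpv6(buf, offset):
    """Parse the ICMPv6 header; decode identifier/sequence for echo request/reply."""
    if offset + 4 > len(buf):
        raise ValueError("truncated ICMPv6 header")
    icmp_type, code, checksum = struct.unpack_from("!BBH", buf, offset)
    info = {"type": icmp_type, "code": code, "checksum": checksum}
    if icmp_type in (128, 129) and offset + 8 <= len(buf):
        info["identifier"], info["sequence"] = struct.unpack_from("!HH", buf, offset + 4)
        info["data"] = buf[offset + 8:]
    return info


def parse_frame(frame):
    """Ethernet + IPv6 (+ extension headers) + ICMPv6 summary for one captured frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    # The dump's Ethernet fields are zeroed, so the IPv6 version nibble, not the
    # ethertype, decides whether this is IPv6.
    result = {"eth_dst": dst_mac.hex(":"), "eth_src": src_mac.hex(":"), "ethertype": ethertype}
    ip, offset = parse_ipv6_header(frame, ETH_HDR_LEN)
    result["ipv6"] = ip
    proto, offset = skip_extension_headers(frame, ip["next_header"], offset)
    result["protocol"] = NEXT_HEADER_NAMES.get(proto, str(proto))
    if proto == 58:
        result["icmpv6"] = parse_icmpv6(frame, offset)
    return result


if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key}: {value}")
```

The buffer the question currently receives (starting `80 00 68 62 ...`) is exactly what `parse_icmpv6(data, 0)` consumes; `parse_frame` is the function to call once the headers are present in the buffer, and its `ipv6["src"]`/`ipv6["dst"]` pair is what you would compare against the firewall's NAT table when tracing the exfiltration flow.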