[00:00:00] In this video we're going to learn how to work with Scapy, which is a highly versatile Python module for all things network traffic analysis, sniffing, packet manipulation and much more. So to kick things off, if you don't have it installed, open up a command prompt if you're in Windows, or a terminal if you're in Linux, and type pip3 install scapy, and that's it.

[00:00:27] Oh, and if I failed to mention it in previous videos, I'm using Python 3 in Windows 10. Now, one of the best ways to learn about Scapy is by visiting the official documentation at scapy.net. And of course there are many entire books written on this module, so you can check that yourself if you're interested. And I need to point out that most of what I'm doing here and in the rest of the videos does not come from my stellar or original thinking. I'm also getting inspiration from many books, courses and websites, and over here I'm going to specify the best of them in the resources that may accompany this video or this course.

[00:01:10] All right, so Scapy. Now, you can work with Scapy in multiple ways. Once you have it installed and added to your PATH environment variable, you can use it directly in the command line or in the terminal by typing scapy, and it's going to pop up the Scapy shell. Or you can simply use it in scripts, such as importing it in Python and using it accordingly. Now let's start with the first one and look into a few basic commands.
[00:01:37] So in the terminal I'm simply going to type scapy, hit Enter, and we're going to see the Scapy shell popping up. And like I said, Scapy lets you craft, manipulate and forge your network packets. Not only that, but it also allows us to sniff and dissect packets from all over the network, across multiple layers of the OSI model. Therefore you can use Scapy for both good and malicious purposes, and my intention is to encourage you to find only good uses for it.

[00:02:10] Now, what are some of the commands that are most used in Scapy? So first we have ls(), which gives us a huge list of the protocols supported by Scapy. There is no reason for me to actually go through all of them. And there is also lsc(), which is a list of commands we can run interactively in this shell. There is also conf, to display and also to modify the current configuration. And if you're ever in trouble you can type help and give it as a parameter whatever you want to find more information about, for example rdpcap.

[00:02:57] OK, now let's get practical, so let's actually craft a simple packet at the IP layer. We'll say packet_ip = IP(), we'll give it a destination equal to DGDSEC dot com, which is one of my websites, a TTL (time to live), done. And that's basically all you need to do to create a packet. Hit Enter, and we can look into it with packet_ip.show(). We can see the protocol, the IP, the source, destination, checksum, length and other stuff.

[00:03:33] And remember I told you about the configuration over here. Let's make this packet display more nicely by modifying the configuration. So in conf over here we can see a variable called color theme, BlackAndWhite. To have a nicer display of the output, Scapy lets you modify this color theme, color_theme, so we'll do conf.color_theme. This is going to be ColorOnBlackTheme. Hit Enter. No, ColorOnBlackTheme(), so theme. All right. Yeah, you can get a sneak preview of it already being modified. Now we can repeat the command with packet_ip.show(), and as you can see this looks much, much better.

[00:04:38] I said that Scapy also lets us deeply analyze and sniff network traffic, similar to Wireshark and tcpdump. Let's just do that on my Wi-Fi network. So what we need first is to provide Scapy with the network interface and the number of packets we want to sniff.
[00:04:55] You could sniff continuously and break the sniffer whenever you want, and then you'd be analyzing the packets you sniffed up until the break point, but we'll just do the first version. And so let's actually get the name of my Wi-Fi interface with IFACES, from interfaces, and my Wi-Fi in this case is Intel Wireless-AC 9562. We'll actually copy this name and then create a sniffer. So let's say sniffer_ = sniff(iface=...), so interface, and then paste my interface name, and the number of packets we want to sniff, let's say 15. Now this might take a little while to collect 15 packets. And it's done.

[00:05:48] Then we can simply do sniffer_.show() and we get a nice summary overview of each packet, such as the type, the layer, the source, the destination, port, etc. We can get deeper into each packet using the indexes, so we can say sniffer_[5].show(). We can see that sixth packet, 0 1 2 3 4 5. This packet is from 172..., so we have the destination 195 1 0 8, the source, the destination and all the information with respect to this packet. If we want to access the load of the packet we could simply say sniffer_, so without the .show(), [5].load.
[00:06:49] And this is the raw load of the packet, but we can do a hex dump with hexdump(sniffer_[5].load) and we get the hex dump of the load. Or we can go ahead and do a hex dump of the entire packet itself, and we can see the hex dump of the entire packet itself, okay.

[00:07:14] There are thousands of interesting things you can do with all of these and the rest of the methods. You could, for example, sniff continuously and only filter into the output the packets that contain certain information, such as usernames, passwords, hacking attempts, etc. And in this case the sniff method has a lot of parameters it can take, including iface for the interface and count, as we saw beforehand, prn, which allows us to specify a function to run on each packet, timeout to stop the sniffer after a given time, filters, etc.

[00:07:52] Now let's also take the example of sniffing with filters for a specific host, one of my current websites, DGDSEC dot com. So we'll say sniffer_ = sniff(), and then we'll specify filter=. But first we need to get the IP of DGDSEC dot com, so we'll do that with a ping, or simply ping DGDSEC dot com and get the IP, 160..., copy this, and then let's specify a filter for port 443 and host the IP, and then let's sniff for 15 packets and specify a lambda function, so prn=lambda pkt: pkt.summary(), we're going to look at the summary of each packet. All right.
[00:08:48] And now if I do a refresh on DGDSEC dot com we can see it populated the sniffer. It actually took the first 15 packets and gathered their summary using the lambda function we defined. Now I could write this sniff session to a file with wrpcap, which is write pcap, or write packet. The file is going to be dgt.pcap and we want to write this sniffer_ to the file, okay, and then we can read it with rdpcap. We specify the file, dgt.pcap, and that's it. And it tells us that it has 15 packets. If I do rdpcap I can put the entire thing in a variable, so let's call it read_pcap = rdpcap('dgt.pcap'). We have it instantiated in a variable, and then we'll say read_pcap, let's say, look at index 5. And once again we have all the information there. Okay.

[00:10:03] Now let's take the example of sending a simple packet and receiving its response. We can send packets at different layers, but let's just create and send one at layer 3. Let's call it packet_t = IP(), destination once again DGDSEC dot com, over ICMP(), and then let's say "you are not secured", and then we send this packet with the sr method, so we'll say sr(packet_t). This actually sends the packet. We can see the output: finished sending one packet.
[00:10:53] Or we could write it to a variable, for example let's say resp, from response, = sr(packet_t), which is basically the same thing. But since this is a variable we can look into it with resp[0].summary(), and we get its details.

[00:11:17] Now, to give you an idea of what you can further do with Scapy: you can also do port scans and traceroutes using some of the methods I specified here. You could, for example, spoof IPs and you could do some flooding, and these two actually often come in combination. Now in terms of scripting with Scapy in Python, let's actually take an example of a script for SYN flooding, and this is an example inspired by T.J. O'Connor's book Violent Python.

[00:11:50] So for that let's actually go into the code editor here, Visual Basic, and type from scapy.all import *. This is how it's usually done, instead of just importing scapy, we just do from scapy.all import *. Now let's define a function called floods. So floods, which is going to take two parameters, a source and a target, and then for, let's say, source_p in range(100, 100), or I could say 0 to 50.

[00:12:32] What we want to do is to have an IP layer, IP, so we define a packet here with the source being the source and the destination being the target, and then we also need to specify a TCP layer, which is going to be TCP, source port, so sport, which is the source port, is going to be source_p, which we defined over here, and then dport, which is the destination port, let's say we want to send this chain of packets to port 600. And then we create the packet using the IP layer over the TCP layer, not concatenating but layering, and ultimately we will say send(packet). All right.

[00:13:31] Now, exiting the loop, we define a source which is localhost, so I'm going to flood myself, 127.0.0.1, and the target is going to be... it's not actually that I'm going to flood myself, because this is the source, the source is myself, and I'm going to send to the target, let's say, what was the IP of DGDSEC dot com? One more time, I think it's this one. Let's see. So again we take the IP of DGDSEC dot com and send, let's say, 50 inoffensive packets, which is low, we can consider that a flood. And finally what we want to do is to run floods from the source to the target. And that's it. Ctrl+S to save this.
[00:14:35] And then in a command prompt over here we navigate to the desktop, where we have the script floods.py, and we can simply run python floods.py. And we can see it sent, actually it sent 50 packets. However, as you can imagine, if I modify the range, instead of 50 packets I would be sending a couple of thousand. That means that I would be sending TCP SYNs to the target and fill up their connection queue, meaning that I would actually be flooding and overwhelming them and sending reset packets.

[00:15:18] And this is just a sneak preview of what Scapy is actually capable of. I've only shown you here a very small part of its capacity, and there is more to that, such as packet injection and deep packet analysis, for example, and network scanning, network filtering, advanced packet crafting and much, much more. Again, I highly encourage you to look into the official documentation and into the books written on Scapy for a more in-depth understanding of this amazing Python tool. It's like I always say: the only limit is your imagination.