Hello, and welcome to this course in which we're talking about, using Python to perform, active defense at the network level. In this video, we're going to talk about how, PCAP collection can be implemented using Python, and how it can be beneficial for active defense. So, PCAP collection in and of itself seems to be a fairly passive defensive mechanism. Because all that you're doing when you're generating packet capture or PCAP files is collecting that packet data. And so there's no activity actually required on behalf of the defender to perform PCAP collection other than monitoring the network and collecting any PCAPs of interests. Where we're going to be tying this into active defense is in our use of decoys in our defended network. So we could have decoy servers, decoy networks, decoy services, etc., running in the network that we're defending and monitoring. And so that could mean that traffic to a particular sub network to a particular machine, or even to a particular port on a particular machine. Might be part of our active defense strategy, because those are decoy networks, decoys servers or decoys services. And so in this case, what we really want to know is when traffic is being sent to one of those decoys. And this is where PCAP collection could be useful for our active defense. Because, as we collect our PCAPs, we can filter for traffic, that's going to a decoy and therefore is of interest. And so honestly if we get any traffic at all, showing up in our PCAP collection, we know that someone is active on the network, and poking around at things, that are part of our decoy defenses. So what we're going to be doing here is using Python to perform a level of intelligent PCAP collection or PCAP collection that has filters applied to it so that we're not capturing all of the traffic on the network. We're focusing on the subsection of traffic that relates to our decoys. And so, performing traffic collection in Python is very simple escapee. All we need is to use this snip function. And so assuming that the traffic is either going to this machine or that we have network interface card running in promiscuous mode. We'll be able to have visibility into all of the traffic of interest with sniff. And sniff also has the ability to call functions on every packet that it sees. We can do this using prn=analyzePackets in this case. Which for every packet that matches its filter. And since we haven't defined a filter, that means every packet, it's going to call the analyzePackets function for that packet. And so, we've got a couple of different options here for how we're going to perform our intelligent packet or PCAP collection. We could have implemented a filter here, using sniff that is applied to each packet and pulls out the traffic to and from our decoy networks, systems, ports etc. Or we can implement the functionality in our analyzed packets function, which is what we've elected to do here. So up towards the top here we have a dictionary that is defining the decoys in our network. And so in this particular case, both of these IP addresses are for the machine in used for this demonstration. And we're just saying that any web traffic to or from this machine could be considered a decoy. So maybe we're running a decoy web server on this machine, but the rest of the system might be legitimate or this machine is completely masquerading as a fake web server inside the network. And so when we have traffic going to and from this computer, any other computers, we have visibility to our sniff function's going to pull out the packets and call analyze packets. And then we can start searching through to determine if this particular packet of interest matches any of our requirements for decoy packets. So we first test to see if it has an IP layer. And if so we want to determine if the IP address of the client or the server in this communication is one of our decoy machines. And so how we're going to do that here is via a list comprehension. And so you can read this and even write it as a loop. So you're saying for IP in a list of IPS and in this case, we're taking the IP layer of the packet we're passing in and pulling out the source IP address. And then doing the same for the destination IP address. So for IPS in this list of source and destination IP address. If that IP address is contained within decoys, and so decoys is our dictionary up here. And when we say if it's in a dictionary, we're iterating over the keys to the dictionary. So in this case the loopback address and this other local IP address. If the source or destination IP address is in this list of keys, then we return the IP address. And so what we should end up with is a list with between zero and two items. If we have zero items, this means that this packet is not coming from or going to one of the IP addresses that we care about. If we've got one item, we know that it's either coming from or going to one of the IP addresses. We're talking of interest. And if it's got two in it, we know that it's a client and a server both on the same machine. So for example, if we have a web server hosted on this machine, we could visit that web server from the same computer, in which case our source and destination IP addresses would both be local IP addresses. So, with this list we can test if the length of the list is greater than zero. If it is we have one or two IP addresses of interest, meaning that this is a packet that's potentially of interest. And so if we're just implementing decoys at the network level or at the computer level this would be enough to tell us that this is a computer or a network packet that we want to record. However, we can also make the assumption that we're only implementing certain services as decoys on these computers. In which case, we care about the ports on the machine as well. So if it's on a machine that we care about, we want to test the ports as well. And like I said, we're going to be looking for web traffic on this machine and so on. For web traffic, we're most likely talking TCP. However, we could be looking at other types of protocols as well. Maybe we have a fake DNS server that could be running on TCP or UDP. And so since we're using scapy, we have to specify which of those two protocols it is to pull out the source and destination ports for the traffic. And so if our packet of interest has a TCP layer, we're going to define a variable ports as the list of the source port and destination port defined in the TCP layer of the packet. In contrast, if we have a UDP layer, then we pull the source and destination ports out of the UDP layer of the packet. So regardless if we have a TCP and UDP layer will have ports defined as the source and destination. If we don't, we're going to have an empty list of ports, which means that these next few commands won't execute anyway. But assuming that we have that source and destination port, we're going to use a similar list comprehension to above to determine if this is a packet of interest. So we're ignoring any type of traffic on this system except for HTTPS to either the default or secondary HTTPS port. And so how we do that is we loop over this list of ports that we've just created. And we'll return that port value. If that port is in decoys, a decoy IP of zero. So recall that we said that we'll get one or two IP addresses from calculating this at this point we know we have one or two. And they appear as keys in this dictionary. So if we do decoyIP of zero, we're grabbing the first one of it. And we're grabbing the list of values associated with a particular key and then testing if the port that we're currently looking at is in that list of values. So if we have traffic for the loopback address 127.0.0.1 on port 443. At this point we'll use the key 127.0.0.1 to pull this list and then match that particular port number two, the first item in the list. And so if that's the case and we get a match deploy port will have at least one item in it. And if that's the case if the length of deploy port is greater than zero, we're going to use escapees wrp cap for right PCAP to output the packets that we've captured into a packet capture file. And so our arguments, we're going to use the output name of out.pcap. We're specifying that we want to write packet P and we're saying that we want to use the argument append equals true so that we're appending to that list rather than overriding it with each packet. And so, in the end after running this for a while, we should get some amount of web traffic directed to or from a web server. And in this case, and that involves this local machine. So let's give this a run and see how it goes. So we'll minimize this here. And then I'm going to run this with Python. PCAPCollection.py give it a couple of minutes to run here. And then at this point, I'll click around in a web browser for a second. We should have some traffic showing up. So I'm going to terminate this now. And if we do dir out.PCAP, we see that it exists and we've certainly have some contents in it. And so we can take a look at these contents in a few different ways. One option is taking advantage of Scapy in Python. So we can open Python, Command Python will import all of Scapy's functionality from scapy.all import star. And then we can load in the packets that we've read with our rdpcap, the equivalent or the inverse of right PCAP, and then we'll do out.pcap. And then if we take a look at packets, we see that we have 804 TCP packets. No UDP, no ICMP, no author, and this makes sense because we were focusing on TCP and UDP. And we were specifying that we wanted HTTPS Web traffic which would be transmitted over TCP. And so with this, we can take a further look at the packets that it contains. For example, we could say packets zero. Show and see that this is probably an encrypted HTTPS packet at this point. And so this demonstrates at a high level how we could use an intelligent PCAP collection or filtered PCAP collection with Python or active defense. Because if we have a web server running as a decoy on this local machine, we can capture any traffic that's trying to reach. And the data collected in that traffic could be invaluable for our defensive efforts. For example, we could extract intelligence from that traffic to see how someone might try to exploit a web applications that's on them or see if they try to use login credentials for particular web page etc. We could also be more granular than we even are now in our analysis. So we're already collecting PCAP data. For particular decoys services, we could dig in further to it to see if that PCAP data or network traffic contains encoded traffic and decode that traffic. Or look for other signs of abnormalities that might require generating an alert to defenders to say, there's an act of attack going on. Here's the basis for that determination, rather than this, which is more of a passive, collect data so that it's ready if we need it. And so, PCAP collection can be very valuable for active defense because it provides the data that we need for analysis to make decisions. And as we saw in this video, Python can be used to implement very granular PCAP collection. Because we can specify the exact computers, ports, and even dive further into the contents of a packet to specify exactly what traffic we want to look at versus what we want to ignore. Thank you.
