Issue with Packet Creation in AH Tunnel Mode over Socket
Brief description
Issue with bytes packet reconstruction in AH Tunnel mode
Scapy version
2.5.0
Python version
3.8.10
Operating system
Ubuntu 22.04
Additional environment information
No response
How to reproduce
I am encountering a problem when trying to reconstruct packets in AH tunnel mode using Scapy. The packets are sent through a socket using the raw() method.
Setup:
- AH Tunnel Mode Configuration:
  - Outer IP: src = 192.168.100.4
  - AH Header with Next Header set to IPv4
  - Inner IPv4 packet contains ICMP from 10.0.1.2 to 10.0.1.1
```python
from scapy.all import SecurityAssociation, AH, IP, ICMP, raw

# Security Association Setup
sa = SecurityAssociation(
    AH, spi=0x222, auth_algo='SHA2-384-192', auth_key=b'secret key',
    tunnel_header=IP(src='192.168.100.4', dst='192.168.100.6'),
)

# Packet definition and encryption
packet = packet_from_Interface  # inner IP and ICMP details; not defined in this snippet
e1 = sa.encrypt(packet)
print("AH packet:")
e1.show()
```
```
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 140
id = 1
flags =
frag = 0
ttl = 64
proto = ah
chksum = 0x30e3
src = 192.168.100.4
dst = 192.168.100.6
\options \
###[ AH ]###
nh = 4
payloadlen= 7
reserved = None
spi = 0x222
seq = 2
icv = 266cd31bc38315f1091b8c9affb181b9ec8b33a43b9cb50d
padding = None
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 84
id = 7564
flags = DF
frag = 0
ttl = 64
proto = icmp
chksum = 0x71b
src = 10.0.1.2
dst = 10.0.1.1
\options \
###[ ICMP ]###
type = echo-request
code = 0
chksum = 0xc8bb
id = 0x7
seq = 0x1
unused = ''
###[ Raw ]###
load = '\x0e\\x8fLf\x00\x00\x00\x00\x12t\x03\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'
```
Actual result
Upon receiving the packet on the receiver side, it is reconstructed using Scapy as follows:
```python
recv_packet = IP(byte_packet_received)
recv_packet.show()
```
```
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 128
id = 1
flags =
frag = 0
ttl = 64
proto = ah
chksum = 0x30ef
src = 192.168.100.4
dst = 192.168.100.6
\options \
###[ AH ]###
nh = 4
payloadlen= 4
reserved = 0
spi = 0x222
seq = 1
icv = ebf23a021ee0bbf47fab24ac
padding =
###[ Raw ]###
load = 'E\x00\x00T\\xabS@\x00@\x01yS\n\x00\x01\x02\n\x00\x01\x01\x08\x00\\xabB\x00\x08\x00\x01ߒLf\x00\x00\x00\x00X\\xe8\t\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'
```
Expected result
The reconstructed packet does not include the inner IP details, and using the AH decrypt method yields incorrect results. It appears that the problem might be related to how the packet is constructed on the receiver side.
Question: Does anyone have suggestions on whether this is expected behavior of Scapy in AH tunnel mode, or how to resolve this issue?
Related resources
No response
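
An added example, not part of the original issue and not Scapy's code: a standard-library parser for the AH header layout (RFC 4302) that can be run on the received bytes to check the Next Header value, the ICV length implied by `payloadlen`, and the inner IPv4 addresses independently of Scapy's dissection. The function names are hypothetical, and the sample packets are constructed with zero-filled ICVs and unset IP checksums.

```python
import socket
import struct

IPPROTO_AH = 51    # outer IPv4 protocol number for AH
IPPROTO_IPIP = 4   # AH Next Header value for an encapsulated IPv4 packet (tunnel mode)
IP_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def build_sample(icv_len):
    """Constructed sample: outer IPv4 / AH (nh=4) / inner IPv4 header only."""
    inner = struct.pack(IP_FMT, 0x45, 0, 20, 0, 0, 64, 1, 0,
                        socket.inet_aton("10.0.1.2"), socket.inet_aton("10.0.1.1"))
    # Payload Len = AH length in 32-bit words minus 2 (12 fixed bytes + ICV)
    payloadlen = (12 + icv_len) // 4 - 2
    ah = struct.pack("!BBHII", IPPROTO_IPIP, payloadlen, 0, 0x222, 1) + bytes(icv_len)
    outer = struct.pack(IP_FMT, 0x45, 0, 20 + len(ah) + len(inner), 1, 0, 64,
                        IPPROTO_AH, 0, socket.inet_aton("192.168.100.4"),
                        socket.inet_aton("192.168.100.6"))
    return outer + ah + inner


def parse_ah_tunnel(data):
    """Split raw bytes into AH fields and, for nh=4, the inner IPv4 addresses."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    if data[9] != IPPROTO_AH or len(data) < ihl + 12:
        raise ValueError("outer packet does not carry a complete AH header")
    nh, payloadlen, _reserved, spi, seq = struct.unpack_from("!BBHII", data, ihl)
    ah_len = (payloadlen + 2) * 4            # whole AH header in bytes
    icv = data[ihl + 12: ihl + ah_len]
    if len(icv) != ah_len - 12:
        raise ValueError("truncated ICV")
    inner = data[ihl + ah_len:]
    result = {"nh": nh, "payloadlen": payloadlen, "spi": spi,
              "seq": seq, "icv_len": len(icv)}
    if nh == IPPROTO_IPIP and len(inner) >= 20:
        result["inner_src"] = socket.inet_ntoa(inner[12:16])
        result["inner_dst"] = socket.inet_ntoa(inner[16:20])
    return result


if __name__ == "__main__":
    for icv_len in (24, 12):
        print(parse_ah_tunnel(build_sample(icv_len)))
```

With this layout, `payloadlen` 7 corresponds to a 24-byte ICV and `payloadlen` 4 to a 12-byte ICV, which are the two combinations visible in the dumps above.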