[Editor's Note: SANS course on advanced pen testing (SEC660) teaches a lot of great, in-depth topics, including exploit development, network manipulation (NAC bypass, Scapy packet crafting, man-in-the-middle attacks, and more), and Python for pen testers with tons of hands-on exercises. The whole class culminates in a full-day, intense capture the flag event, where the winners earn a 660 challenge coin (which includes a cool cipher, natch).
But, when you teach a bunch of skills like that and hold a CtF on the last day, sometimes, a few students get a little too rambunctious in applying their new-found skills. At the risk of being indelicate, I'll come out and say it -- they try to cheat. By using their Python skills along with their MiTM capabilities, they try to snarf flags from other teams
[Editor comment: Dude! A Scapy article by Josh Wright that can help us stay in scope and follow rules of engagement in a pen test? What's not to like? :) --Ed.]
By Joshua Wright, InGuardians
I participate on the Scapy mailing list, helping out with questions where I am able. Recently, I saw a question that piqued my interest: "What I'm looking to do is identify the MAC addresses of client devices without actually sniffing any packets containing actual data relating to website content, email content etc. [...] Are there any packets I could look at that would contain the MAC of client devices but not contain any online usage data as outlined?"
If we want to investigate the presence of wireless client devices but want to avoid capturing any data frames, we can focus on management frames. WiFi networks use management frames to establish a connection to
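The scoping idea above can be shown in code. The following is an added example, not code from the original article or from the Scapy project: it parses the 802.11 MAC header by hand (so it runs without Scapy installed) and decides from the Frame Control field alone whether a frame is a management frame; data and control frames are counted and dropped without anything past their first two bytes being read. The fields it decodes are the ones Scapy's Dot11 layer exposes as type, subtype, addr2 and addr3. It assumes raw 802.11 frames with the radiotap header and FCS already stripped, and the frames it processes are constructed sample data, not a real capture. It also generalizes slightly beyond the text: rather than hard-coding client-sent subtypes, it uses the fact that in an infrastructure network a transmitter whose Address 2 equals the BSSID (Address 3) is the access point, while a station's Address 2 differs.

```python
"""Enumerate client MAC addresses from 802.11 management frames only.

Added example, not code from the original article.  Assumptions: frames are
raw 802.11 (radiotap header and FCS already stripped); SAMPLE_FRAMES below
are constructed test data, not captured traffic.
"""
from collections import Counter

MGMT, CTRL, DATA = 0, 1, 2          # values of the Frame Control "Type" field
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Management subtypes, named for readability only.
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 4: "Probe Request", 5: "Probe Response",
    8: "Beacon", 10: "Disassociation", 11: "Authentication",
    12: "Deauthentication",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def parse_frame_control(fc: bytes) -> tuple:
    """Decode the 2-byte Frame Control field into (type, subtype, to_ds, from_ds)."""
    ftype = (fc[0] >> 2) & 0x3
    subtype = (fc[0] >> 4) & 0xF
    return ftype, subtype, fc[1] & 0x1, (fc[1] >> 1) & 0x1


def build_frame(ftype: int, subtype: int, addr1: str, addr2: str, addr3: str,
                body: bytes = b"") -> bytes:
    """Construct a minimal 802.11 frame with a 24-byte header (test data only)."""
    fc0 = (subtype << 4) | (ftype << 2)
    return (bytes([fc0, 0x00]) + b"\x00\x00"             # Frame Control, Duration
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + b"\x00\x00" + body)                         # Sequence Control, body


def client_macs_from_management(frames):
    """Return (clients, access_points, stats).

    clients: {mac: set of management subtype names that MAC transmitted}
    access_points: set of BSSIDs seen transmitting management frames
    stats: Counter of frame classes.  Data and control frames are classified
           from their first two bytes and never parsed further.
    """
    clients, access_points, stats = {}, set(), Counter()
    for raw in frames:
        if len(raw) < 2:
            stats["malformed"] += 1
            continue
        ftype, subtype, _, _ = parse_frame_control(raw[:2])
        if ftype != MGMT:
            # Out of scope for this analysis: nothing beyond Frame Control is read.
            stats["data" if ftype == DATA else "control" if ftype == CTRL else "reserved"] += 1
            continue
        if len(raw) < 24:
            stats["malformed"] += 1
            continue
        stats["management"] += 1
        addr2 = mac_str(raw[10:16])   # transmitter address
        addr3 = mac_str(raw[16:22])   # BSSID in management frames
        # An AP transmits management frames with addr2 == BSSID; a station's
        # addr2 differs (probe requests carry the wildcard BSSID in addr3).
        if addr2 == addr3:
            access_points.add(addr2)
        else:
            name = MGMT_SUBTYPES.get(subtype, f"subtype {subtype}")
            clients.setdefault(addr2, set()).add(name)
    return clients, access_points, stats


# Constructed sample frames (locally administered addresses, not real devices).
AP = "02:00:00:00:aa:01"
STA1 = "02:00:00:00:01:11"
STA2 = "02:00:00:00:01:22"

SAMPLE_FRAMES = [
    build_frame(MGMT, 8, BROADCAST, AP, AP, b"\x00" * 12),       # Beacon from AP
    build_frame(MGMT, 4, BROADCAST, STA1, BROADCAST),            # Probe Request from STA1
    build_frame(MGMT, 11, AP, STA1, AP),                         # Authentication from STA1
    build_frame(MGMT, 0, AP, STA2, AP),                          # Association Request from STA2
    build_frame(DATA, 0, AP, STA1, AP, b"GET /mail HTTP/1.1"),   # data frame: counted, not read
    b"\xd4\x00\x00\x00" + mac_bytes(STA1),                       # ACK (control frame, 10 bytes)
]

if __name__ == "__main__":
    found, aps, counts = client_macs_from_management(SAMPLE_FRAMES)
    print("access points:", sorted(aps))
    for mac, kinds in sorted(found.items()):
        print(f"client {mac}: {', '.join(sorted(kinds))}")
    print("frame classes:", dict(counts))
```

The addr2 == addr3 rule holds for infrastructure (BSS) networks; in an ad-hoc IBSS the BSSID is a random value that no station owns, so every transmitter there is a station anyway. Feeding the function a real monitor-mode capture only requires stripping the radiotap header first; everything the function keeps comes from the 24-byte management header, never from a frame body.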