Scapy, part 1

Okay, you can say "You are outdated!!", since it is a five-year-old tool. But I never gave it much attention. Last week I saw it in the top 100 network security tools on Fyodor's site, and now I can't stop using it. I am talking about Scapy, a Python program that lets you forge, dissect, emit or sniff network packets, probe, scan, and whatever else your mind wants.

This is a simple post, only to show the basic concepts of Scapy.

What is Scapy?

From Scapy:

"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."

What do you get with Scapy?

If you, like me, need tools to:

  • run unitary tests (ping, arp, traceroute, hping2, etc.);
  • sniff packets and possibly dissect them (tcpdump, ethereal, vomit, iptraf, etc.);
  • scan a given range (nmap, amap, firewalk, etc.);
  • forge packets and send them (packeth, packit, packet excalibur, nemesis, tcpinject, libnet, etc.), and possibly
  • find out the service / version of some host (nmap, xprobe, p0f, cron-OS, queso, etc.),

then you need to know Scapy.

Scapy has the following principle: machines are good at decoding and humans are good at interpreting.

When a tool like nmap says:

Interesting ports on 10.0.0.1:
PORT   STATE    SERVICE
22/tcp filtered ssh

that is different from saying: "it was an ICMP host unreachable". The port is not filtered, but there is no host behind the firewall. Scapy gives you the raw answer and leaves the interpretation to you.

Okay, it's show time!

Install Scapy on your Unix box. Details are on the Scapy portability page.

Start scapy:

anita:~# scapy
Welcome to Scapy (v1.1.1 / -)
>>>

First steps with packet manipulation:

>>> ip=IP(ttl=10)
>>> ip
<IP ttl=10 |>
>>> ip.src
'127.0.0.1'
>>> ip.dst="192.168.1.1"
>>> ip
<IP ttl=10 dst=192.168.1.1 |>
>>> ip.src
'192.168.8.14'
>>> del(ip.ttl)
>>> ip
<IP dst=192.168.1.1 |>
>>> ip.ttl
64
>>> tcp=TCP(flags="SF")
>>> pkt=ip/tcp
>>> pkt
<IP ttl=10 dst=192.168.1.1 |<TCP flags=FS |>>
>>> pkt.command()
"IP(dst='192.168.1.1', ttl=10)/TCP(flags=3)"
>>> pkt.show()
###[ IP ]###
version= 4
ihl= 0
tos= 0x0
len= 0
id= 1
flags=
frag= 0
ttl= 10
proto= tcp
chksum= 0x0
src= 10.1.0.1
dst= 192.168.1.1
options= ''
###[ TCP ]###
sport= ftp_data
dport= www
seq= 0
ack= 0
dataofs= 0
reserved= 0
flags= FS
window= 8192
chksum= 0x0
urgptr= 0
options= {}
>>>

Some stuff you can do on a packet:

  • str(pkt) to assemble the packet into raw bytes
  • hexdump(pkt) to get a hex dump
  • ls(pkt) to get the list of field values
  • pkt.summary() for a one-line summary
  • pkt.show() for a developed view of the packet
  • pkt.show2() same as show() but on the assembled packet (checksums are calculated, for instance)
  • pkt.sprintf() fills a format string with field values of the packet
  • pkt.decode_payload_as() changes the way the payload is decoded
  • pkt.psdump() draws a PostScript file with an explained dissection
  • pkt.pdfdump() draws a PDF with an explained dissection
  • pkt.command() returns a Scapy command that can generate the packet
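To see what str(pkt) and pkt.show2() do for you, here is the same IP/TCP packet from the session above assembled and dissected by hand with only the Python standard library. This is an added example, not code from the post or from Scapy; it assumes src 10.1.0.1 as show() printed it, and the flag letters follow the order Scapy uses ("SF" is 3).

```python
import socket
import struct

TCP_FLAG_LETTERS = "FSRPAUEC"  # bit 0 = FIN ... bit 7 = CWR, the letters Scapy prints

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; this is what show2() fills into chksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_flags(letters: str) -> int:
    """'SF' -> 3, matching TCP(flags='SF') from the session."""
    return sum(1 << TCP_FLAG_LETTERS.index(c) for c in letters)

def build_ip_tcp(src, dst, ttl=64, sport=20, dport=80, flags="S", window=8192):
    """Assemble IP(src, dst, ttl)/TCP(flags) to bytes, like str(pkt) plus checksums."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags(flags), window, 0, 0)
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp

def dissect(raw: bytes) -> dict:
    """Decode the bytes back into named fields and verify both checksums."""
    ver_ihl, _tos, tlen, _id, _frag, ttl, proto, _chk, saddr, daddr = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
              "src": socket.inet_ntoa(saddr), "dst": socket.inet_ntoa(daddr),
              "ip_chksum_ok": ip_checksum(raw[:ihl]) == 0}  # a valid header sums to 0
    if proto == 6:
        sport, dport, _seq, _ack, _doff, fl, win, _chk, _urg = struct.unpack(
            "!HHIIBBHHH", raw[ihl:ihl + 20])
        fields.update(sport=sport, dport=dport, window=win,
                      flags="".join(c for i, c in enumerate(TCP_FLAG_LETTERS) if fl >> i & 1))
        pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, tlen - ihl)
        fields["tcp_chksum_ok"] = ip_checksum(pseudo + raw[ihl:tlen]) == 0
    return fields

if __name__ == "__main__":
    raw = build_ip_tcp("10.1.0.1", "192.168.1.1", ttl=10, flags="SF")  # the session's pkt
    print(raw.hex()), print(dissect(raw))
```

Flip any byte of the header and dissect() reports the checksum as bad, which is exactly the difference between show() (fields as you set them) and show2() (fields as they go on the wire).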

You can send, receive, sniff, and more. I will try to show other methods in the next parts.

And the grand finale:

>>> pkt.pdfdump()

The output:

If I have time, I will write part 2. Bye.

One Response

  1. [...] folk, in the last post (a long time ago), I write a short introduction to Scapy tool . With this post, I need, show to [...]
