Scapy Primer

June 9, 2012

Overview

Scapy is a wonderful packet crafting tool written by Philippe Biondi. Below is an excerpt from the Scapy documentation neatly describing Scapy.

“Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery.”

Because Scapy uses Python syntax and the Python interpreter, it can be used as an interactive shell or imported as a Python module. The main advantage of Scapy is its flexibility, unlike other packet crafting tools with limited functionality. Scapy can manipulate and process packets at every TCP/IP layer. It supports a wide range of protocols and allows you to add your own. As Scapy provides multiple functionalities, you can build custom tools that combine them. Also, very little prior knowledge is required to write your own tools because Scapy is easy to use. This article is limited to getting familiar with basic commands, the Scapy interactive interface and a demo of a SYN port scan in Scapy.

Getting Familiar with Basic Commands

Scapy is already available in major security distributions such as Backtrack, Security Onion etc. You can also install Scapy by following the detailed instructions given in the Scapy documentation.

To start Scapy, execute sudo scapy (if normal user) or just scapy (if root).


Once Scapy is started, you are given a Python interactive shell (>>>). Once you are inside the interactive shell, commands such as ls and lsc help you to navigate further.

Note: The warning about IPv6 and the INFO lines can be ignored. The gnuplot and PyX packages are required for graphical representation of packets in Scapy; install them if you need that functionality.
ls(): displays the list of supported protocols. (Output cropped to display only the initial few entries.)


lsc(): displays the list of available commands in Scapy.
To know more about a command or its options, execute help(cmdname),
e.g. >>> help(arpcachepoison)

conf: displays the preferences set for the Scapy session, such as routing information, interfaces etc.

Building and assembling your first packet

Python is an object oriented language. Each supported protocol is available as a class; to build a packet you create an instance (object) of that class and then access the fields of the protocol through it.

ip_pkt=IP(): builds a packet at the IP layer.

ls(ip_pkt): displays the fields associated with the IP protocol. By default the essential fields are already set, so the packet is ready to send on the network.

Note: The first column is the fields associated with the protocol, the second column is the type of each field, the third column is the value set for each field (if not changed, it displays the default value) and the fourth column is the default value set by Scapy in order to send the packet on the network.

To set any field of the protocol, use object.field=<value>,
e.g. ip_pkt.src='10.10.10.1', ip_pkt.dst='10.10.10.2'.

tcp_pkt=TCP(): builds a packet at the TCP layer.
ls(tcp_pkt): displays the fields associated with the TCP protocol. To set any field of the protocol, use object.field=<value>,
e.g. tcp_pkt.dport=53, or tcp_pkt.dport=[135,139,445,80], which is an array of integer values.

tcpip_pkt=ip_pkt/tcp_pkt: builds a full TCP/IP packet.
Note: The order matters here. The command above stacks the TCP layer on top of the IP layer, so the TCP segment is carried inside the IP packet (remember the four TCP/IP layers).

tcpip_pkt.show(): displays the fields associated with the packet. You can also use ls(tcp_pkt), which displays another representation of the packet as shown above.
This command displays the fields and their associated values (either manually set or default).


Some fields are set to None by default. These are calculated on the fly when the packet is sent.
tcpip_pkt.show2(): displays these calculated fields before sending the packet on the network.
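The fields that show2() fills in for the IP()/TCP() packet above are exactly the ones Scapy leaves as None: IP.len, IP.chksum and TCP.chksum. The following is an added example, not code from the article, that reproduces that computation in plain Python with struct, using Scapy's own defaults (ttl 64, id 1, sport 20, window 8192, flags S) and the article's addresses, so you can compare the bytes with what show2() prints. The names build_syn, checksum and checksums_ok are this example's own.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:                       # pad an odd-length buffer with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo header that the TCP checksum covers: src, dst, zero, proto 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def build_syn(src: str, dst: str, sport: int = 20, dport: int = 80,
              seq: int = 0, ttl: int = 64) -> tuple[bytes, bytes]:
    """Return (ip_header, tcp_header) for a bare SYN, with both checksums computed.
    Defaults mirror Scapy's IP()/TCP() defaults; no TCP options, no payload."""
    # TCP header: data offset 5 words (bits 4..7), flags 0x02 = SYN, window 8192,
    # checksum 0 for now, urgent pointer 0.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    tcp_csum = checksum(_pseudo_header(src, dst, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]   # bytes 16..17 hold TCP.chksum
    # IP header: version 4 / IHL 5 = 0x45, tos 0, total length (this is IP.len),
    # id 1, flags/fragment 0, ttl, protocol 6 (TCP), checksum 0 for now, src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip_csum = checksum(ip)
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]       # bytes 10..11 hold IP.chksum
    return ip, tcp

def checksums_ok(src: str, dst: str, ip: bytes, tcp: bytes) -> bool:
    """Verify like a receiver does: summing a header that contains its own
    checksum must give zero."""
    return checksum(ip) == 0 and checksum(_pseudo_header(src, dst, len(tcp)) + tcp) == 0

if __name__ == "__main__":
    # Same packet as the article's ip_pkt/tcp_pkt with src/dst set and dport=135.
    ip_hdr, tcp_hdr = build_syn("10.10.10.1", "10.10.10.2", dport=135)
    print("IP.len   =", struct.unpack("!H", ip_hdr[2:4])[0])
    print("IP.chksum= 0x%04x" % struct.unpack("!H", ip_hdr[10:12])[0])
    print("TCP.chksum=0x%04x" % struct.unpack("!H", tcp_hdr[16:18])[0])
    print("valid    =", checksums_ok("10.10.10.1", "10.10.10.2", ip_hdr, tcp_hdr))
```

Compare the three printed values with the len and chksum lines of tcpip_pkt.show2(); they match because show2() runs the same RFC 1071 computation over the same bytes.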

Building your Own Port Scanner

According to Wikipedia, port scanning is an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. The status will be either Open (a service is listening on the port), Closed (connections to the port will be denied) or Filtered (no reply from the host, indicating that the host is behind a firewall or that some other intermediate device is blocking the connection).

There are several types of port scanning; we will focus on SYN scanning (a.k.a. half open scanning) for the demo. In this technique a SYN packet is sent to the target host, and based on the response we can determine whether the port is open, closed or filtered (response SYN,ACK: open; RST,ACK: closed; no response: filtered). After receiving the response, the source does not send the ACK to complete the 3-way handshake, hence the name half open scanning.

For the demo, I have set up two VMs, Backtrack5 (IP: 10.10.10.1) and WinXP (IP: 10.10.10.2), configured in host-only mode.

Nmap SYN scanner output


res,unans=sr(tcpip_pkt): sends the packet tcpip_pkt built in the steps above. The variable res stores the packets for which answers were received, together with the full response packet. The variable unans stores the packets for which no answer was received.

res.show(): displays the packets along with their responses. As in a SYN scanner, if the response packet has the SA flags set, the port is open; if the response packet has the RA flags set, the port is closed.

As we see in the screenshot above, packets 0001 and 0004 have RA as flags in the response packet, hence port 137 and port 80 are closed, whereas the other packets have SA as flags, hence ports 135, 139 and 445 are open, which exactly matches our nmap output.
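The same sr()/res/unans workflow as a stand-alone script, added here as an example and not part of the article: the flag rule from res.show() (SA is open, RA is closed, no reply is filtered) is kept in a pure-Python classifier so it can be checked without sending anything, and the Scapy call that feeds it is in syn_scan(). It assumes the article's lab target 10.10.10.2, a constructed port list, and that syn_scan() is run as root with Scapy installed; classify(), summarise() and syn_scan() are this example's own names.

```python
# The scapy import is optional so that the classifier is usable on a box without Scapy.
try:
    from scapy.all import IP, TCP, sr, conf
except ImportError:  # only syn_scan() needs Scapy; the pure helpers still work
    IP = TCP = sr = conf = None

def classify(flags: str) -> str:
    """Map the TCP flags of a SYN-scan reply (Scapy's letter form, e.g. 'SA') to a port state."""
    if "R" in flags:                    # RST or RST/ACK: nothing listening
        return "closed"
    if "S" in flags and "A" in flags:   # SYN/ACK: a service answered the handshake
        return "open"
    return "other"                      # anything else is not a SYN-scan verdict

def summarise(answered, unanswered) -> dict:
    """answered: iterable of (dport, flags_str) pairs from res; unanswered: dports from unans.
    Returns {dport: state} sorted by port; a probe with no reply at all is 'filtered'."""
    states = {dport: classify(flags) for dport, flags in answered}
    for dport in unanswered:
        states.setdefault(dport, "filtered")
    return dict(sorted(states.items()))

def syn_scan(target: str, ports: list, timeout: float = 2.0) -> dict:
    """One SYN per port via sr(); a list in dport makes Scapy emit one packet per port."""
    conf.verb = 0                                   # silence the per-packet progress output
    res, unans = sr(IP(dst=target) / TCP(dport=ports, flags="S"), timeout=timeout)
    answered, unanswered = [], []
    for snd, rcv in res:
        if rcv.haslayer(TCP):
            answered.append((snd[TCP].dport, rcv.sprintf("%TCP.flags%")))
        else:                                       # e.g. an ICMP error instead of TCP
            unanswered.append(snd[TCP].dport)       # treat like no reply: filtered
    unanswered.extend(snd[TCP].dport for snd in unans)
    return summarise(answered, unanswered)

if __name__ == "__main__":
    # Constructed port list covering the ports discussed in the article.
    for port, state in syn_scan("10.10.10.2", [80, 135, 137, 139, 445]).items():
        print("%5d  %s" % (port, state))
```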

Sneak peek into Sniffer functionality

Sniffing is a technique that captures traffic on all or just part of the network from a single machine within the network. To enable sniffing, use the sniff() command. The count option restricts sniffing to a defined number of packets.
sniffed_pkts=sniff(count=10): sniffs only the first 10 packets.
sniffed_pkts: displays stats of the sniffed packets by protocol (TCP, UDP, ICMP, Other).
sniffed_pkts.show(): displays details of all sniffed packets.
sniffed_pkts[0]: displays details of the first sniffed packet.

Scapy Strengths

Scapy is capable of doing much more powerful things than those described above. Some Scapy projects are given below.

References
Scapy Documentation: http://www.secdev.org/projects/scapy/doc
