Packet Crafting using SCAPY

SCAPY – Intro Lab

SCAPY is a wonderful tool that gives easy control over every layer of the network stack. Because it is Python, it can be scripted to our needs for any testing purpose.

Building a packet

>>> a=IP()                      # An IP packet is created with bare minimum fields set
>>> a=IP(dst="192.168.1.3")     # IP packet with fields set in constructor
>>> a.src="192.168.1.2"         # Spoofing the packet with any other source address
>>> ls(a)                       # List out all the available fields in each layer we can set

>>> ls(a)
version : BitField = 4 (4)
ihl : BitField = None (None)
tos : XByteField = 0 (0)
len : ShortField = None (None)
id : ShortField = 1 (1)
flags : FlagsField = 0 (0)
frag : BitField = 0 (0)
ttl : ByteField = 64 (64)
proto : ByteEnumField = 0 (0)
chksum : XShortField = None (None)
src : Emph = '192.168.1.2' (None)
dst : Emph = '192.168.1.3' ('127.0.0.1')
options : PacketListField = [] ([])


>>> a.show()
###[ IP ]###
version= 4
…(skipped)
>>> a.summary()
'192.168.1.2 > 192.168.1.3 ip'
>>> b.command()
"Ether()/IP(dst=Net('www.google.com'))/TCP()/Raw(load='GET /index.html HTTP/1.0 \\n\\n')"
>>> send(IP(dst="192.168.1.3")/ICMP())
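Notice that ihl, len and chksum read None in ls(a): Scapy computes them when the packet is built. To see exactly what it fills in, here is an added stdlib-only Python example (not Scapy's code) that hand-builds the same IP()/ICMP() echo request with the defaults listed above and decodes it back; build_ip_icmp_echo and parse_ip are names chosen for this example.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words: what Scapy fills in for chksum=None."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_icmp_echo(src: str, dst: str, ttl: int = 64, ident: int = 1) -> bytes:
    """IPv4 header with the ls(a) defaults (version=4, ihl=5, tos=0, flags=0, frag=0)
    carrying an ICMP echo request (type=8, code=0, id=0, seq=0), both checksummed."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(icmp), ident, 0,
                      ttl, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ip(pkt: bytes) -> dict:
    """Decode the fields ls(a) prints; chksum_ok is True when the header sums to zero."""
    vihl, tos, length, ident, flagfrag, ttl, proto, chksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = vihl & 0x0F
    return {
        "version": vihl >> 4, "ihl": ihl, "tos": tos, "len": length, "id": ident,
        "flags": flagfrag >> 13, "frag": flagfrag & 0x1FFF, "ttl": ttl, "proto": proto,
        "chksum": chksum, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "chksum_ok": inet_checksum(pkt[:ihl * 4]) == 0,
    }


if __name__ == "__main__":
    pkt = build_ip_icmp_echo("192.168.1.2", "192.168.1.3")
    print(pkt.hex())
    print(parse_ip(pkt))
```

A receiver drops a packet whose header checksum does not verify, so when you edit a field after build time (for example a.ttl on an already serialised packet) the checksum must be recomputed.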


Flooding: Sending packets to a range of IPs.

>>> a=IP(dst="192.168.1.3/30")
>>> send(a)
WARNING: Mac address to reach destination not found. Using broadcast.
….
Sent 4 packets.

Scanning all ports

>>> a=a/TCP(dport=(1,50))
>>> send(a)

Sending and Receiving Packets

The sr() function sends packets and receives answers. It returns a couple: the list of (packet, answer) pairs and the list of unanswered packets.

The function sr1() is a variant that returns only the first packet that answered the packet (or packet set) sent. The packets must be layer 3 packets (IP, ARP, etc.). The function srp() does the same for layer 2 packets (Ethernet, 802.3, etc.).

Sample DNSQuery

>>> a=IP(dst="4.2.2.2")/UDP()/DNS()
>>> ls(a)
version : BitField = 4 (4)
ihl : BitField = None (None)
tos : XByteField = 0 (0)

id : ShortField = 0 (0)
qr : BitField = 0 (0)
opcode : BitEnumField = 0 (0)
aa : BitField = 0 (0)
tc : BitField = 0 (0)
rd : BitField = 0 (0)
ra : BitField = 0 (0)
z : BitField = 0 (0)
rcode : BitEnumField = 0 (0)
qdcount : DNSRRCountField = 0 (None)
ancount : DNSRRCountField = 0 (None)
nscount : DNSRRCountField = 0 (None)
arcount : DNSRRCountField = 0 (None)
qd : DNSQRField = None (None)
an : DNSRRField = None (None)
ns : DNSRRField = None (None)
ar : DNSRRField = None (None)
>>> a.qd=DNSQR(qname="www.slashdot.org")
>>> a
<IP frag=0 proto=udp dst=4.2.2.2 |<UDP sport=domain |<DNS qd=<DNSQR qname='www.slashdot.org' |> |>>>

>>> sr1(a)
.Begin emission:
…Finished to send 1 packets.
.*
Received 6 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=186 id=38486 flags= frag=0L ttl=57 proto=udp chksum=0x2327 src=4.2.2.2 dst=192.168.1.10 options=[] |<UDP sport=domain dport=domain len=166 chksum=0xc2bf |<DNS id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=0L ra=1L z=0L rcode=ok qdcount=1 ancount=0 nscount=3 arcount=3 qd=<DNSQR qname='www.slashdot.org.' qtype=A qclass=IN |> an=None ns=<DNSRR rrname='slashdot.org.' type=NS rclass=IN ttl=38880 rdata='ns-1.ch3.sourceforge.com.' |<DNSRR rrname='slashdot.org.' type=NS rclass=IN ttl=38880 rdata='ns-1.sourceforge.com.' |<DNSRR rrname='slashdot.org.' type=NS rclass=IN ttl=38880 rdata='ns-2.ch3.sourceforge.com.' |>>> ar=<DNSRR rrname='ns-1.ch3.sourceforge.com.' type=A rclass=IN ttl=2816 rdata='216.34.181.21' |<DNSRR rrname='ns-1.sourceforge.com.' type=A rclass=IN ttl=2816 rdata='208.122.22.23' |<DNSRR rrname='ns-2.ch3.sourceforge.com.' type=A rclass=IN ttl=2024 rdata='216.34.181.22' |>>> |>>>
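The DNS fields ls(a) lists above are the bits of the 12-byte DNS header plus the question section. As an added stdlib-only Python example (not Scapy's code), the following encodes the same query DNS(qd=DNSQR(qname="www.slashdot.org")) on the wire and decodes a reply header the way the output above prints it; note that rd=0 (the Scapy default shown) asks for a non-recursive lookup, which is why the reply carries ancount=0 and only NS referral records. build_dns_query, parse_dns_header, decode_qname and CONSTRUCTED_REPLY are names chosen here.

```python
import struct


def encode_qname(name: str) -> bytes:
    """Length-prefixed labels ending in a zero byte (Scapy appends the root dot itself)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(qname: str, ident: int = 0, rd: int = 0,
                    qtype: int = 1, qclass: int = 1) -> bytes:
    """Header: id, 16 flag bits (qr|opcode|aa|tc|rd|ra|z|rcode), then the four counts.
    Every flag is 0 as in ls(a); set rd=1 for a normal recursive query. qdcount=1 once qd is set."""
    flags = (rd & 1) << 8            # qr, opcode, aa, tc, ra, z and rcode all stay 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, qclass)


def parse_dns_header(msg: bytes) -> dict:
    """Unpack the header bits under the names Scapy's DNS layer uses."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "z": (flags >> 4) & 7, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_qname(msg: bytes, off: int = 12) -> str:
    """Read the question name back. Handles plain labels only; real replies also use
    0xC0 compression pointers in the answer sections, which a full parser must follow."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + "."


# Constructed reply header + echoed question, with the flag/count values the page's reply
# shows (qr=1, ra=1, rcode=0, qdcount=1, ancount=0, nscount=3, arcount=3); the NS/A records
# themselves are omitted.
CONSTRUCTED_REPLY = (struct.pack("!HHHHHH", 0, 0x8080, 1, 0, 3, 3)
                     + build_dns_query("www.slashdot.org")[12:])
```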


sr() returns a tuple (ans, unans), hence:

>>> ans,unans=sr(IP(dst="www.google.com")/TCP(dport=80,flags="S"))
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> ans
<Results: TCP:1 UDP:0 ICMP:0 Other:0>
>>> unans
<Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>
>>> ans.summary
<bound method SndRcvList.summary of <Results: TCP:1 UDP:0 ICMP:0 Other:0>>
>>> ans.summary()
IP / TCP 192.168.1.10:ftp_data > 209.85.153.104:www S ==> IP / TCP 209.85.153.104:www > 192.168.1.10:ftp_data SA / Padding

We can print only the fields we need from each send/receive exchange.

>>> ans,unans=sr(IP(dst="www.google.com", ttl=(4,25),id=RandShort())/TCP(flags=0x2))

Now ans has all the packets that were answered (I believe it matches answers using sequence numbers). Now we have to print the required fields from the packets under ans.

ans includes each packet that was sent together with its corresponding received packet.

>>> for snd, rcv in ans:
...     print snd.ttl, snd.dst

1 192.168.1.1
2 122.123.231.221

NOTE: The print statement must be indented (start at column 5, i.e. one tab); otherwise Python raises an indentation error.

The send and receive commands send(), sr() and sr1() work at Layer 3 only.
Layer 2 crafted frames are sent with sendp(), srp() and srp1().

ARP Cache Poisoning - send an ARP response to the target with my MAC and the victim's IP

>>> arpcachepoison(target, victim, interval=60)

SNIFFING - Scapy can sniff packets, and capture filters can be applied

>>> a=sniff(filter="tcp and ( port 25 or port 110 )",
prn=lambda x: x.sprintf("%IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport% %2s,TCP.flags% : %TCP.payload%"))
192.168.8.10:47226 -> 213.228.0.14:110 S :
213.228.0.14:110 -> 192.168.8.10:47226 SA :
192.168.8.10:47226 -> 213.228.0.14:110 A :

Here the filter selects TCP traffic where the port is either 25 or 110.

For each packet, the function prn is applied.

>>> pkts=sniff()
^C                   [Run the ping command in another window while sniffing, then stop with Ctrl-C]
>>> pkts
<Sniffed: TCP:0 UDP:0 ICMP:6 Other:2>
>>> pkts[1]
<Ether dst=00:0c:29:01:22:43 src=00:0c:29:eb:a4:2f type=0x806 |<ARP hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:eb:a4:2f psrc=192.168.1.3 hwdst=00:0c:29:01:22:43 pdst=192.168.1.10 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>
>>> for pkt in pkts:
...     print pkt.src, pkt.type

00:0c:29:01:22:43 2054
00:0c:29:eb:a4:2f 2054
00:0c:29:01:22:43 2048
00:0c:29:eb:a4:2f 2048
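The ARP "is-at" reply sniffed above (type 2054 = 0x806) is exactly the kind of frame arpcachepoison() sends, so a sniffer that watches for an IP suddenly answering from a different MAC is the simplest detector. The following is an added stdlib-only Python example (not Scapy's code) that parses Ethernet/ARP frames with the field names Scapy prints and flags such a change; the frames are constructed here, not captured, and build_arp, parse_arp, monitor and FRAMES are names chosen for the example.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_IS_AT = 2          # Scapy prints this op as "is-at"


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp(hwsrc, psrc, hwdst, pdst, op=ARP_IS_AT) -> bytes:
    """Test-frame constructor: Ethernet header + 28-byte ARP body
    (hwtype=1, ptype=0x800, hwlen=6, plen=4), padding omitted."""
    h_src = bytes.fromhex(hwsrc.replace(":", ""))
    h_dst = bytes.fromhex(hwdst.replace(":", ""))
    eth = h_dst + h_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      h_src, socket.inet_aton(psrc), h_dst, socket.inet_aton(pdst))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields Scapy shows for pkt[1], or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, hs, ps, hd, pd = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "hwsrc": mac(hs), "psrc": socket.inet_ntoa(ps),
            "hwdst": mac(hd), "pdst": socket.inet_ntoa(pd)}


def monitor(frames):
    """Record IP->MAC from is-at replies; alert when a known IP shows up with a new MAC.
    The first mapping seen is trusted, so seed the table from a known-clean baseline."""
    table, alerts = {}, []
    for f in frames:
        a = parse_arp(f)
        if a is None or a["op"] != ARP_IS_AT:
            continue
        known = table.setdefault(a["psrc"], a["hwsrc"])
        if known != a["hwsrc"]:
            alerts.append((a["psrc"], known, a["hwsrc"]))
    return table, alerts


# Constructed: the page's legitimate reply twice, then a conflicting claim for 192.168.1.3.
FRAMES = [
    build_arp("00:0c:29:eb:a4:2f", "192.168.1.3", "00:0c:29:01:22:43", "192.168.1.10"),
    build_arp("00:0c:29:eb:a4:2f", "192.168.1.3", "00:0c:29:01:22:43", "192.168.1.10"),
    build_arp("de:ad:be:ef:00:01", "192.168.1.3", "00:0c:29:01:22:43", "192.168.1.10"),
]
```

With Scapy itself the same logic fits in a prn callback on sniff(filter="arp"), feeding each frame's ARP layer into the table.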

Resources: Scapy Documentation

About wikihead

A security freak