Basics Of Scapy
Scapy is a Python program that lets the user send, sniff and forge network packets. It is a powerful packet manipulation program: it builds packets, sends them, captures them and matches each request with its reply according to the response from the target. It can perform tasks like scanning, trace-routing, attacks and network discovery, and for many jobs it can replace tools like Nmap, hping, etc.
There are lots of tasks we can perform through Scapy which other tools cannot. This tool takes time to understand, so let's start.....
#First we open scapy
Open a terminal
Type scapy in the terminal...
#You get this reply in the terminal
Welcome to Scapy (2.2.0-dev)
>>>
#Now we check some related functions of scapy
ls():- This command shows you all the protocols supported by scapy.
lsc():- This command shows the functions which are used to send, sniff or do network discovery.
Example: -
ls = IP(), TCP(), ARP(), ICMP(), DHCP() etc.
lsc = sr(), sr1(), srp(), srp1(), srloop(), srploop(), sniff(), etc.
ls() :- supported protocols
(Image: the output of ls(), listing the protocols supported by scapy.)
#Now the fields of the IP() and TCP() layers (protocols supported by scapy); ls() on a single layer lists its fields together with their default values
>>>ls(IP)
>>>ls(TCP)
#Let's start with some basic functionality.
#Create a variable and assign it an IP instance or a TCP instance, or any other protocol scapy supports.
>>> ip=IP()
>>> tcp=TCP()
Above we create two variables, ip and tcp, and assign them an instance of IP and of TCP respectively. Then we assign values to the fields of both, e.g.,
ip.dst="192.168.11.250"
ip.ttl=128
tcp.dport=80
tcp.sport=4444
tcp.flags="S"
tcp.seq=100
After that we type the variable name tcp or ip and see the values we assigned to each.
>>>tcp
<TCP sport=4444 dport=www seq=100 flags=S |>
(Image: all the assigned and default values of the IP/TCP fields.)
Here we see the default values of the fields alongside the ones we assigned. For example, the ttl value of IP is 64 by default and I set it to 128. I also assigned dst (the IP destination address), dport (the TCP destination port), sport (the TCP source port), flags and seq (the TCP sequence number).
#Some more functions
show() gives you a detailed dissection of a packet, but some automatically computed fields (e.g., checksums) cannot be computed without assembling the packet. If you want to know those values,
show2() will completely assemble the packet and disassemble it again, so that all the post-build operations are taken into account.
>>> tcp.show()
>>>tcp.show2()
So the difference between the two is in the checksum values: show() prints chksum=None, show2() prints the computed checksum. Note that the TCP checksum covers an IP pseudo-header, so scapy can only fill it in when the TCP layer sits on top of an IP layer, as in (ip/tcp).show2(); for a bare TCP() it warns that there is no IP underlayer and leaves the checksum null.
#Sending packets through scapy
Packets are sent either at layer 2 with sendp() or at layer 3 with send(). By default each function sends the packet once; with loop=1 (e.g., send(a, loop=1)) it keeps sending until Ctrl-C is pressed.
#packet sent at layer3
>>> a=ip/tcp
>>> send(a)
Above we use the send() function to send the packet at layer 3, e.g., send(a). Scapy builds the Ethernet header itself and picks the outgoing interface and source address from the routing table.
#packet sent at layer2
>>> sendp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.11.250"))
Above we use the sendp() function to send at layer 2. Here we use Ether/ARP, meaning an Ethernet layer and Address Resolution Protocol; both are layer 2 protocols, and with sendp() we supply the Ethernet header ourselves.
The send-and-receive family of functions not only sends packets and sniffs the responses but also matches each sent packet with its received response.
#Functions sr(), sr1() and srloop() all work at layer3.
sr() returns the whole result of a probe.
When we send a packet through sr() it returns two lists, the answered and the unanswered packets, so we store both as ans and uans (in the interactive shell ans, uans = _ works, since _ holds the last result). For example:
>>> ans,uans=sr(ip/tcp)
>>> ans.show()
>>> uans.show()
sr1() returns only the first reply to a stimulus.
When we send a packet through sr1() it returns the first answer only. As seen above, I got a SYN/ACK response.
#Now I use the srloop function
srloop() sends the packets repeatedly and prints a summary of the result of each probe.
Above I used srloop() (e.g., srloop(ip/tcp)) to keep sending SYN packets to ip=192.168.11.250 at layer 3 until Ctrl-C is pressed.
#Some packets sent at layer2.
srp(), srp1() and srploop() do exactly the same job but at layer 2.
So next I am going to use the srp() function to send an ARP request at layer 2 to the whole subnet, which makes every device answer with its MAC address.
#Make a packet for layer2
a=Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.11.0/24")
#Next send the packets at layer2
srp(a)
The above command does the same job as sr() does at layer 3: it returns the answered and unanswered lists, which we store in the ans and uans variables.
>>> ans,uans=_
>>>ans.show()
(Image: the output of all the above commands.)
Above I got the MAC address of every device; right now there are five devices:-
My IP is 192.168.11.9, which sent the broadcast, and every device answered with its MAC address.
192.168.11.1 says 00:24:a5:b0:f1:38
192.168.11.34 says 08:00:27:63:2f:5e
192.168.11.51 says 54:04:a6:07:3c:f0
192.168.11.16 says 90:27:e4:d5:49:55
192.168.11.250 says 54:04:a6:04:3b:05
Every device tells us its MAC address. Only hosts in the same broadcast domain answer, since ARP does not cross routers.
#Now we use the srp1() function
a=Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.11.0/24")
srp1(a)
which gives us the first reply only.
The above operation gives us the MAC (hardware) address of the first device to answer, which in my case is the default gateway, 192.168.11.1.
#Now we use the srploop() function to repeatedly send ARP() packets at layer2, e.g., srploop(a).
Above we saw every kind of sending and receiving function at layer 2 and layer 3.
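The ARP sweep above, written out as a small script rather than typed into the shell. This is an added example, not code from the original post: it wraps srp() in a function, pulls the replying IP and MAC out of each answered pair, and adds two pure helpers that summarize the replies and flag any IP that more than one MAC claimed (a sign of ARP spoofing or a duplicate address). The subnet 192.168.11.0/24 is taken from the post; the sample replies near the top are constructed for illustration and are not captured data.

```python
# Added example (not from the original post): ARP sweep built on srp(),
# plus pure helpers for summarizing the replies. Requires root/CAP_NET_RAW
# and scapy for the sweep itself; the helpers run without either.
import ipaddress

# Constructed sample, not captured data: the post's hosts plus one extra
# entry that claims 192.168.11.250 with a second MAC (a conflict).
SAMPLE_REPLIES = [
    ("192.168.11.1", "00:24:a5:b0:f1:38"),
    ("192.168.11.34", "08:00:27:63:2f:5e"),
    ("192.168.11.51", "54:04:a6:07:3c:f0"),
    ("192.168.11.16", "90:27:e4:d5:49:55"),
    ("192.168.11.250", "54:04:A6:04:3B:05"),
    ("192.168.11.250", "de:ad:be:ef:00:01"),
]


def summarize_arp(replies):
    """Map each replying IP to the set of MACs that claimed it.

    `replies` is an iterable of (ip, mac) pairs such as the ones extracted
    from the answered list of srp(). MACs are normalized to lowercase and
    IPs are validated with the ipaddress module.
    """
    table = {}
    for ip, mac in replies:
        key = str(ipaddress.ip_address(ip))
        table.setdefault(key, set()).add(mac.lower())
    return table


def find_conflicts(table):
    """Return, sorted by address, the IPs that more than one MAC answered for."""
    return sorted((ip for ip, macs in table.items() if len(macs) > 1),
                  key=ipaddress.ip_address)


def format_table(table):
    """Render one 'ip  mac' line per (ip, mac) pair, sorted by address."""
    lines = []
    for ip in sorted(table, key=ipaddress.ip_address):
        for mac in sorted(table[ip]):
            lines.append("%-16s %s" % (ip, mac))
    return lines


def arp_sweep(network, timeout=2, iface=None):
    """Broadcast an ARP who-has for every address in `network`.

    Returns a list of (ip, mac) pairs, one per reply. scapy is imported here
    so the pure helpers above stay usable without it installed.
    """
    from scapy.all import ARP, Ether, conf, srp
    conf.verb = 0  # quiet: no per-packet progress dots
    pkt = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=network)
    ans, _unans = srp(pkt, timeout=timeout, iface=iface)
    # Each answered entry is (sent, received); the reply's psrc is the
    # responding host's IP and hwsrc is the MAC it claims to own.
    return [(rcv[ARP].psrc, rcv[ARP].hwsrc) for _snt, rcv in ans]


if __name__ == "__main__":
    table = summarize_arp(arp_sweep("192.168.11.0/24"))  # subnet from the post
    print("\n".join(format_table(table)))
    for ip in find_conflicts(table):
        print("WARNING: %s claimed by %s" % (ip, ", ".join(sorted(table[ip]))))
```

A conflict only means two frames answered for the same IP during the sweep; a DHCP lease that changed hands mid-scan produces the same picture, so confirm with a second sweep before treating it as spoofing.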
Now we perform a task:- scanning
Port scanning through scapy
TCP/UDP scan
1.Single port scan:-
ip=IP(dst="192.168.11.250")/TCP(dport=80, sport=4444, flags="S")
sr1(ip)
Above we perform a single-port scan: we send a SYN and get a SYN/ACK reply, which means port 80 is open (a closed port answers with RST/ACK). Our own kernel, which knows nothing about this raw-socket connection, then answers the SYN/ACK with a RST, so the half-open connection is torn down.
ip=IP(dst="192.168.11.250")/TCP(dport=80, sport=4444, flags="A")
sr1(ip)
Above we probe the same port with the ACK flag and get a RST in reply. An ACK probe does not tell us whether the port is open; the RST shows the port is unfiltered, while a stateful firewall would silently drop the unsolicited ACK.
ip=IP(dst="192.168.11.250")/TCP(dport=80, sport=4444, flags=0x00)
sr(ip)
Above we send a NULL probe (no flags set). A RST reply means the port is closed; no reply at all means open|filtered, because an RFC 793 host stays silent when a NULL segment reaches an open port.
#Now we are going to scan multiple ports
ip=IP(dst="192.168.11.250")/TCP(dport=(1,500), sport=4444, flags="S")
sr(ip)
Above are the unanswered packets: ports that returned nothing within the wait, which are filtered (or the probe was lost). The answered list holds the SYN/ACK replies from open ports and the RST/ACK replies from closed ports. Give sr() a timeout (e.g., sr(ip, timeout=2)) so the call does not wait forever for the last replies.
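The SYN scan and the NULL probe above, as an added example that is not part of the original post: one function sends the probes with sr() and a timeout, and the interpretation of each reply (SYN/ACK, RST, ICMP unreachable, silence) lives in two pure classifier functions so it can be checked without a network. The target 192.168.11.250 and the fixed source port 4444 come from the post; the flag constants are the standard TCP header bits.

```python
# Added example (not from the original post): a SYN or NULL port scan built
# on sr(), with the reply classification separated out. Requires
# root/CAP_NET_RAW and scapy for the scan itself; the classifiers do not.
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


def classify_syn_response(flags, icmp_unreachable=False):
    """Classify the reply to a SYN probe.

    flags: integer TCP flags of the reply, or None when nothing came back.
    icmp_unreachable: True when an ICMP destination-unreachable arrived
    instead of a TCP segment (a firewall rejecting the probe).
    """
    if icmp_unreachable or flags is None:
        return "filtered"            # rejected, silently dropped, or lost
    if flags & SYN and flags & ACK:
        return "open"                # SYN/ACK: the port is listening
    if flags & RST:
        return "closed"              # RST/ACK: reachable but nothing listens
    return "unknown"


def classify_null_response(flags, icmp_unreachable=False):
    """Classify the reply to a NULL probe (flags=0x00), as in the post."""
    if icmp_unreachable:
        return "filtered"
    if flags is None:
        return "open|filtered"       # RFC 793 hosts stay silent on open ports
    if flags & RST:
        return "closed"
    return "unknown"


def tcp_scan(target, ports, probe="S", timeout=2):
    """Send one probe per port with sr() and return {port: state}.

    probe is "S" for a SYN scan or 0x00 for a NULL scan. scapy is imported
    here so the classifiers above stay usable without it installed.
    """
    from scapy.all import ICMP, IP, TCP, conf, sr
    conf.verb = 0
    classify = classify_syn_response if probe == "S" else classify_null_response
    # dport accepts a (first, last) tuple or a list; sr() expands it into
    # one packet per port, all with the post's fixed source port.
    pkt = IP(dst=target) / TCP(dport=ports, sport=4444, flags=probe)
    ans, unans = sr(pkt, timeout=timeout)
    result = {}
    for snt, rcv in ans:
        port = snt[TCP].dport
        if rcv.haslayer(ICMP):
            # ICMP type 3 (destination unreachable) in place of a TCP reply
            result[port] = classify(None, icmp_unreachable=(rcv[ICMP].type == 3))
        else:
            result[port] = classify(int(rcv[TCP].flags))
    for snt in unans:
        result[snt[TCP].dport] = classify(None)
    return result


if __name__ == "__main__":
    states = tcp_scan("192.168.11.250", (1, 500))  # target from the post
    for port in sorted(states):
        if states[port] != "filtered":
            print(port, states[port])
```

Because the probes come from a raw socket, the scanning host's kernel answers every SYN/ACK with a RST of its own, which is what closes the half-open connections the scan leaves behind; a NULL scan gets no such help and cannot distinguish an open port from a dropped probe, hence the open|filtered state.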