scapy case study

Introduction

What is scapy?

  • A network packet manipulation [Python] program
  • Forge and/or decode network packets with a wide number of internet protcols
  • Handle most classiscal tasks such as hping, arp-sk, arping part of Nmap, tcpdump and shark
  • Runs on Linux, Windows, OSX and Unix with libcap
  • All details on Scapy official website

What makes Scapy so special

With most other networking tools:

  • Lack of flexibilities. User cannot build something outside of developer’s imagine.
  • Lack of integrity. often fails to decode complete packet.

With Scapy:

  • Flexibility. Build extact packets under your needs, even allows to build the packet does not make sense.
  • Integrity. Scapy always able to decode and interprete the full packets.
  • Agility. Everytime you build a new tool, a couple lines of python code works as hundred lines of c progrm.

Scapy versions

Scapy version Python 2.2-2.6 Python 2.7 Python 3.4-3.6 Python 3.7 Python 3.8
2.2.X YES YES NO NO NO
2.3.3 YES YES NO NO NO
2.4.0 NO YES YES NO NO
2.4.2 NO YES YES YES NO
2.4.3-2.4.4 NO YES YES YES YES

Network backgroud

[OSI] and [TCP/IP] models created a wide number of protocols to allow us to exchange the messages with all over the world. One of the reason why it works is because the messages must have a specified format based on the protocol to ensure both sender and receiver will understand. A message with specified format base on the internet protocols is a network packet. A network packet consists of header and data, which also known as a datagram.

OSI Model

Open Systems Interconnection model (OSI model) is an abstract model created by the international organization used to standardization among the different computer systems. It has seven layers and each layer of the OSI model handles a specific job and communicates with its neighboring layers. The OSI model is a universal computer communication language based on the concepts of the seven layers.

A layer is serverd by the layer below it and serves the layer above itself. For instance, a layer calls the next layer to send and receive packets via a specified path, where it provides the path to the application layer abooe it.

TCP/IP Model

TCP/IP model, also known as Transmission Control protocol/Internet protocol, is a suit of communication protocols for computer system interconnections. TCP/IP makes the standard how the data can be exchanged via internet by providing end-to-end communications that identify how it should be broken into packets, addressed, transmitted, routed and received at the destination.

Network Packet

A network packet consists of hearder and data also known as ip datagram consists of a header and data. A header is coded based on the protocols, therefore it has information such as destination address, total length in bits of the header, version and etc. On the other hand, once we specified the length of a datagram header, the remaining bits will be the real message we want to exchange over internet.

Usage

Create a simple packet header

Creating a network packet is one of the main features of Scapy. Initially, I will create a simplest header of a packet, which only contains source ip address and destination ip address.

>>> ip = IP(src="192.168.0.18")                                                 
>>> ip.dst="172.217.165.14"                                                     
ip                                                                          
>>> <IP  src=192.168.0.18 dst=172.217.165.14 |>

what we have done is customizing the values of different layers in the tcp/ip models. If needed, we can also fill in every value by our demand and we are able to define more parameters in our customized packet according to the protocols and models. Code beow is a demostration on layer value assignment.

>>> ip/TCP()                                                                    
<IP  frag=0 proto=tcp src=192.168.0.18 dst=172.217.165.14 |<TCP  |>>
>>> tcp = TCP(sports=1025, dport=80)      

tcp = TCP(sport=1025, dport=80)                                             
>>> (tcp/ip).show() 
 ### [TCP] ###                                                           
  sport     = blackjack
  dport     = http
  seq       = 0
  ack       = 0
  dataofs   = None
  reserved  = 0
  flags     = S
  window    = 8192
  chksum    = None
  urgptr    = 0
  options   = ''
### [IP] ### 
     version   = 4
     ihl       = None
     tos       = 0x0
     len       = None
     id        = 1
     flags     = 
     frag      = 0
     ttl       = 64
     proto     = ip
     chksum    = None
     src       = 192.168.0.18
     dst       = 172.217.165.14
     \options   \

Send and receive packets (sr)

One of the most important segments in network is sending and receiving the packets. The sr() function is how we can implement them. The function will return both answered and unanswered packets. Below is a demonstration on how we use this function to send and receive a ICMP packets, as well as to decode the received the packets.

>>> p = sr1(IP(dst="google.com")/ICMP()/"hi, i am a hacker")                    
Begin emission:
Finished sending 1 packets.
...*
Received 4 packets, got 1 answers, remaining 0 packets
>>> p                                                                           
<IP  version=4 ihl=5 tos=0x0 len=45 id=0 flags= frag=0 ttl=116 proto=icmp chksum=0xd84e src=172.217.0.238 dst=192.168.0.18 |<ICMP  type=echo-reply code=0 chksum=0x2156 id=0x0 seq=0x0 unused='' |<Raw  load='hi, i am a hacker' |>>>

>>> p.show()                                                                    
### [IP] ### 
  version   = 4
  ihl       = 5
  tos       = 0x0
  len       = 45
  id        = 0
  flags     = 
  frag      = 0
  ttl       = 116
  proto     = icmp
  chksum    = 0xd84e
  src       = 172.217.0.238
  dst       = 192.168.0.18
  \options   \
### [ICMP] ### 
     type      = echo-reply
     code      = 0
     chksum    = 0x2156
     id        = 0x0
     seq       = 0x0
     unused    = ''
###[ Raw ]### 
        load      = 'hi, i am a hacker'

Network sniffing

Sinff() is another important functions of Scapy. It could be used to capture and decode the network packets and monitoring the network usages. The “prn” argument provides an interface for uses, which we can pass a function and execute for every packet sniffed. Sniff is an extremely useful function for the administer of a company, because it will capture the packet, but also set alarm to the administration system. Therefore, employees can have the fastest response when a hacker is detected or risky happens. Below is a demonstration of the sniffing result.

>>> sniff(iface="wifi0", prn=lambda x: x.summary())
  802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
  802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info SSID / Info Rates
  802.11 Management 5 00:0a:41:ee:a5:50 / 802.11 Probe Response / Info SSID / Info Rates / Info DSset / Info 133
  802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info SSID / Info Rates
  802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info SSID / Info Rates
  802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
  802.11 Management 11 00:07:50:d6:44:3f / 802.11 Authentication
  802.11 Management 11 00:0a:41:ee:a5:50 / 802.11 Authentication
  802.11 Management 0 00:07:50:d6:44:3f / 802.11 Association Request / Info SSID / Info Rates / Info 133 / Info 149
  802.11 Management 1 00:0a:41:ee:a5:50 / 802.11 Association Response / Info Rates / Info 133 / Info 149
  802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
  802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
  802.11 / LLC / SNAP / ARP who has 172.20.70.172 says 172.20.70.171 / Padding
  802.11 / LLC / SNAP / ARP is at 00:0a:b7:4b:9c:dd says 172.20.70.172 / Padding
  802.11 / LLC / SNAP / IP / ICMP echo-request 0 / Raw
  802.11 / LLC / SNAP / IP / ICMP echo-reply 0 / Raw

Furthermore to track the source and destination ip addresses to determine the risky level.

>>> pkts = sniff(prn=lambda x:x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))
  192.168.1.100 -> 64.233.167.99

  64.233.167.99 -> 192.168.1.100

  192.168.1.100 -> 64.233.167.99

  192.168.1.100 -> 64.233.167.99

TCP Traceroute

Scapy also has the traceroute function, which used to display the path and measure the transition delays. With lsc() function, we can have detailed information to capture and decode.

>>> ans, unans = sr(IP(dst="google.com", ttl=(4,25),id=RandShort())/TCP(flags=0x
...: 2))                                                                        
Begin emission:
Finished sending 22 packets.
....*.*.*.*..*.*.*.*..*...*.*..*..*..*..*..*...*.*..*..*.*
Received 196 packets, got 21 answers, remaining 1 packets
>>> for snd,rcv in ans: 
...:     print(snd.ttl, rcv.src, isinstance(rcv.payload, TCP)) 
...:                                                                            
4 69.63.248.25 False
5 69.63.248.1 False
6 209.148.228.218 False
11 172.217.1.174 True
12 172.217.1.174 True
13 172.217.1.174 True
21 172.217.1.174 True
22 172.217.1.174 True
23 172.217.1.174 True
24 172.217.1.174 True
>>>                                                                             

>>> lsc()                                                                       
IPID_count          : Identify IP id values classes in a list of packets
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
arpleak             : Exploit ARP leak flaws, like NetBSD-SA2017-002.
bind_layers         : Bind 2 layers on some specific fields' values.
bridge_and_sniff    : Forward traffic between interfaces if1 and if2, sniff and return
chexdump            : Build a per byte hexadecimal representation
computeNIGroupAddr  : Compute the NI group Address. Can take a FQDN as input parameter

Other usage

Scapy has a lot more functionalities, such as rounting, wireless frame injection, SYN scans, probing, unit testing, and etc. There are also a lot of other features and functionalities, such as ARO, BOOTP, Ethernet, SNAP, UDP, TCP, DNS, DHC AND MORE. In addition, scapy also support on multiple applications, such as DHCP spoofing, network discovery, DNS, VLAN and ARP.

Conclusion

OSI and TCP/IP models provide universal languages for computer systems so that they can interactive with each other. Due to the universality, sometimes it could be a challenge to distinct secure and unsecure network requests. Scapy is a powerful interactive python program that allows users to send, sniff, dissect and forge network packets within a wide-range of protocols. Scapy also can be used to probe, scan and even attack networks. The core function of scapy is the sr(), which used to send and receive the network packets. Since the flexibility of the scapy, the users can forge, manipulate a packet strictly followed by the network protocols. Therefore, the hackers can use scapy to make up a packet with fake information, and send and receive the responses from the target addresses. In addition, scapy also provides more advanced functions such as traceroute and hping functions. Unlike these commands on a linux machine, scapy can ping and traceroute for the entire internet. Furthermore, with geolocation packet, it is even able to trace the physical locations of an address.

In conclusion, scapy is a network manipulation tool, which gives both attackers and defenders a powerful network packet modification functionalities to perform some network activities.

References