scapy case study
Introduction
What is scapy?
- A network packet manipulation [Python] program
- Forge and/or decode network packets with a wide number of internet protcols
- Handle most classiscal tasks such as hping, arp-sk, arping part of Nmap, tcpdump and shark
- Runs on Linux, Windows, OSX and Unix with libcap
- All details on Scapy official website
What makes Scapy so special
With most other networking tools:
- Lack of flexibilities. User cannot build something outside of developer’s imagine.
- Lack of integrity. often fails to decode complete packet.
With Scapy:
- Flexibility. Build extact packets under your needs, even allows to build the packet does not make sense.
- Integrity. Scapy always able to decode and interprete the full packets.
- Agility. Everytime you build a new tool, a couple lines of python code works as hundred lines of c progrm.
Scapy versions
| Scapy version | Python 2.2-2.6 | Python 2.7 | Python 3.4-3.6 | Python 3.7 | Python 3.8 |
|---|---|---|---|---|---|
| 2.2.X | YES | YES | NO | NO | NO |
| 2.3.3 | YES | YES | NO | NO | NO |
| 2.4.0 | NO | YES | YES | NO | NO |
| 2.4.2 | NO | YES | YES | YES | NO |
| 2.4.3-2.4.4 | NO | YES | YES | YES | YES |
Network backgroud
[OSI] and [TCP/IP] models created a wide number of protocols to allow us to exchange the messages with all over the world. One of the reason why it works is because the messages must have a specified format based on the protocol to ensure both sender and receiver will understand. A message with specified format base on the internet protocols is a network packet. A network packet consists of header and data, which also known as a datagram.
OSI Model
Open Systems Interconnection model (OSI model) is an abstract model created by the international organization used to standardization among the different computer systems. It has seven layers and each layer of the OSI model handles a specific job and communicates with its neighboring layers. The OSI model is a universal computer communication language based on the concepts of the seven layers.
A layer is serverd by the layer below it and serves the layer above itself. For instance, a layer calls the next layer to send and receive packets via a specified path, where it provides the path to the application layer abooe it.
TCP/IP Model
TCP/IP model, also known as Transmission Control protocol/Internet protocol, is a suit of communication protocols for computer system interconnections. TCP/IP makes the standard how the data can be exchanged via internet by providing end-to-end communications that identify how it should be broken into packets, addressed, transmitted, routed and received at the destination.
Network Packet
A network packet consists of hearder and data also known as ip datagram consists of a header and data. A header is coded based on the protocols, therefore it has information such as destination address, total length in bits of the header, version and etc. On the other hand, once we specified the length of a datagram header, the remaining bits will be the real message we want to exchange over internet.
Usage
Create a simple packet header
Creating a network packet is one of the main features of Scapy. Initially, I will create a simplest header of a packet, which only contains source ip address and destination ip address.
>>> ip = IP(src="192.168.0.18")
>>> ip.dst="172.217.165.14"
ip
>>> <IP src=192.168.0.18 dst=172.217.165.14 |>
what we have done is customizing the values of different layers in the tcp/ip models. If needed, we can also fill in every value by our demand and we are able to define more parameters in our customized packet according to the protocols and models. Code beow is a demostration on layer value assignment.
>>> ip/TCP()
<IP frag=0 proto=tcp src=192.168.0.18 dst=172.217.165.14 |<TCP |>>
>>> tcp = TCP(sports=1025, dport=80)
tcp = TCP(sport=1025, dport=80)
>>> (tcp/ip).show()
### [TCP] ###
sport = blackjack
dport = http
seq = 0
ack = 0
dataofs = None
reserved = 0
flags = S
window = 8192
chksum = None
urgptr = 0
options = ''
### [IP] ###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = ip
chksum = None
src = 192.168.0.18
dst = 172.217.165.14
\options \
Send and receive packets (sr)
One of the most important segments in network is sending and receiving the packets. The sr() function is how we can implement them. The function will return both answered and unanswered packets. Below is a demonstration on how we use this function to send and receive a ICMP packets, as well as to decode the received the packets.
>>> p = sr1(IP(dst="google.com")/ICMP()/"hi, i am a hacker")
Begin emission:
Finished sending 1 packets.
...*
Received 4 packets, got 1 answers, remaining 0 packets
>>> p
<IP version=4 ihl=5 tos=0x0 len=45 id=0 flags= frag=0 ttl=116 proto=icmp chksum=0xd84e src=172.217.0.238 dst=192.168.0.18 |<ICMP type=echo-reply code=0 chksum=0x2156 id=0x0 seq=0x0 unused='' |<Raw load='hi, i am a hacker' |>>>
>>> p.show()
### [IP] ###
version = 4
ihl = 5
tos = 0x0
len = 45
id = 0
flags =
frag = 0
ttl = 116
proto = icmp
chksum = 0xd84e
src = 172.217.0.238
dst = 192.168.0.18
\options \
### [ICMP] ###
type = echo-reply
code = 0
chksum = 0x2156
id = 0x0
seq = 0x0
unused = ''
###[ Raw ]###
load = 'hi, i am a hacker'
Network sniffing
Sinff() is another important functions of Scapy. It could be used to capture and decode the network packets and monitoring the network usages. The “prn” argument provides an interface for uses, which we can pass a function and execute for every packet sniffed. Sniff is an extremely useful function for the administer of a company, because it will capture the packet, but also set alarm to the administration system. Therefore, employees can have the fastest response when a hacker is detected or risky happens. Below is a demonstration of the sniffing result.
>>> sniff(iface="wifi0", prn=lambda x: x.summary())
802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info SSID / Info Rates
802.11 Management 5 00:0a:41:ee:a5:50 / 802.11 Probe Response / Info SSID / Info Rates / Info DSset / Info 133
802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info SSID / Info Rates
802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info SSID / Info Rates
802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
802.11 Management 11 00:07:50:d6:44:3f / 802.11 Authentication
802.11 Management 11 00:0a:41:ee:a5:50 / 802.11 Authentication
802.11 Management 0 00:07:50:d6:44:3f / 802.11 Association Request / Info SSID / Info Rates / Info 133 / Info 149
802.11 Management 1 00:0a:41:ee:a5:50 / 802.11 Association Response / Info Rates / Info 133 / Info 149
802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133
802.11 / LLC / SNAP / ARP who has 172.20.70.172 says 172.20.70.171 / Padding
802.11 / LLC / SNAP / ARP is at 00:0a:b7:4b:9c:dd says 172.20.70.172 / Padding
802.11 / LLC / SNAP / IP / ICMP echo-request 0 / Raw
802.11 / LLC / SNAP / IP / ICMP echo-reply 0 / Raw
Furthermore to track the source and destination ip addresses to determine the risky level.
>>> pkts = sniff(prn=lambda x:x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))
192.168.1.100 -> 64.233.167.99
64.233.167.99 -> 192.168.1.100
192.168.1.100 -> 64.233.167.99
192.168.1.100 -> 64.233.167.99
TCP Traceroute
Scapy also has the traceroute function, which used to display the path and measure the transition delays. With lsc() function, we can have detailed information to capture and decode.
>>> ans, unans = sr(IP(dst="google.com", ttl=(4,25),id=RandShort())/TCP(flags=0x
...: 2))
Begin emission:
Finished sending 22 packets.
....*.*.*.*..*.*.*.*..*...*.*..*..*..*..*..*...*.*..*..*.*
Received 196 packets, got 21 answers, remaining 1 packets
>>> for snd,rcv in ans:
...: print(snd.ttl, rcv.src, isinstance(rcv.payload, TCP))
...:
4 69.63.248.25 False
5 69.63.248.1 False
6 209.148.228.218 False
11 172.217.1.174 True
12 172.217.1.174 True
13 172.217.1.174 True
21 172.217.1.174 True
22 172.217.1.174 True
23 172.217.1.174 True
24 172.217.1.174 True
>>>
>>> lsc()
IPID_count : Identify IP id values classes in a list of packets
arpcachepoison : Poison target's cache with (your MAC,victim's IP) couple
arping : Send ARP who-has requests to determine which hosts are up
arpleak : Exploit ARP leak flaws, like NetBSD-SA2017-002.
bind_layers : Bind 2 layers on some specific fields' values.
bridge_and_sniff : Forward traffic between interfaces if1 and if2, sniff and return
chexdump : Build a per byte hexadecimal representation
computeNIGroupAddr : Compute the NI group Address. Can take a FQDN as input parameter
Other usage
Scapy has a lot more functionalities, such as rounting, wireless frame injection, SYN scans, probing, unit testing, and etc. There are also a lot of other features and functionalities, such as ARO, BOOTP, Ethernet, SNAP, UDP, TCP, DNS, DHC AND MORE. In addition, scapy also support on multiple applications, such as DHCP spoofing, network discovery, DNS, VLAN and ARP.
Conclusion
OSI and TCP/IP models provide universal languages for computer systems so that they can interactive with each other. Due to the universality, sometimes it could be a challenge to distinct secure and unsecure network requests. Scapy is a powerful interactive python program that allows users to send, sniff, dissect and forge network packets within a wide-range of protocols. Scapy also can be used to probe, scan and even attack networks. The core function of scapy is the sr(), which used to send and receive the network packets. Since the flexibility of the scapy, the users can forge, manipulate a packet strictly followed by the network protocols. Therefore, the hackers can use scapy to make up a packet with fake information, and send and receive the responses from the target addresses. In addition, scapy also provides more advanced functions such as traceroute and hping functions. Unlike these commands on a linux machine, scapy can ping and traceroute for the entire internet. Furthermore, with geolocation packet, it is even able to trace the physical locations of an address.
In conclusion, scapy is a network manipulation tool, which gives both attackers and defenders a powerful network packet modification functionalities to perform some network activities.