Monday, December 31, 2012

Fun with Scapy

Scapy belongs in any Pythonic network engineer's tool bag, IMHO. It allows you to craft your own packet from the ground up. Basically any high-level tool you use (nmap, ping, traceroute) is limited by the intentions of the tool's creator: if I write a tool called eric-ping that uses ICMP echo, you as the user cannot do a TCP ping unless I provide that as an option.

But Scapy lets you craft your own packet at each layer, taking defaults wherever possible to save you time. Best of all, it follows the Python object model and leverages what you already know about Python.

The creator of the tool wrote a detailed interactive tutorial that is pretty easy to follow:
http://www.secdev.org/projects/scapy/doc/usage.html#interactive-tutorial

Here is the project homepage:
http://www.secdev.org/projects/scapy/

Here is another intro from PacketLife.net:
http://packetlife.net/blog/2011/may/23/introduction-scapy/

I would encourage the motivated to walk through the tutorial on the Scapy site. Here is my own little experiment:

1. Create a list of eCommerce sites to query on port 80 (sr() sends raw packets, so run the Scapy shell as root):

>>> ecommerceSites = ["www.overstock.com", "www.ebay.com"]

2. Send the probes and get the results back. TCP() defaults to flags="S", so each host gets one SYN to port 80; sr() returns the (sent, received) pairs plus the probes that went unanswered. Even a single-port SYN is still a scan of someone else's host, so keep it to hosts you are allowed to probe:

>>> answered, unanswered = sr(IP(dst=ecommerceSites)/TCP(dport=80))
Begin emission:
....Finished to send 2 packets.
.*...*
Received 11 packets, got 2 answers, remaining 0 packets

3. Pretty-print it, using the socket module to get the DNS name back (the "http" in the last column is sprintf() resolving the reply's source port to its service name):

>>> import socket
>>> answered.make_lined_table(lambda (sender,response): ("Commerce Sites", str(socket.gethostbyaddr(sender.dst)), response.sprintf("%IP.src% %IP.proto% %TCP.sport%")))
------------------------------------------+-------------------------+
                                          | Commerce Sites          |
------------------------------------------+-------------------------+
('overstock.com', [], ['173.241.154.10']) | 173.241.154.10 tcp http |
('www.ebay.com', [], ['66.211.181.161'])  | 66.211.181.161 tcp http |
------------------------------------------+-------------------------+

I cheated a little in the example above by not including any sites that use Akamai VIPs (www.buy.com, www.zappos.com, etc.) or have no reverse lookup (amazon.com), to make the result clearer and more meaningful.

Perhaps after I get more experience with the tool I will report back with some more examples. I have some aspirations for projects after seeing how powerful the tool is.

2 comments:

  1. I want to capture all wireless DATA packets using Scapy.
    My code that I have tried is as follows:

    from scapy.all import *

    def PacketHandler(pkt):
        # 802.11 frame type 2 is Data (subtype 0 is plain Data, 8 is QoS Data)
        if pkt.haslayer(Dot11) and pkt[Dot11].type == 2:
            if pkt.haslayer(IP):
                ip = pkt.getlayer(IP)
                print(ip.dst)
                if pkt.haslayer(UDP):
                    udp = pkt.getlayer(UDP)
                    print(udp.dport)
                if pkt.haslayer(TCP):
                    tcp = pkt.getlayer(TCP)
                    print(tcp.dport)  # TCP has sport/dport, not a "port" field

    sniff(iface="mon0", prn=PacketHandler)

    Using this I want to capture all wireless DATA packets, but I am getting only multicast (IP/UDP) packets. So how can I get all DATA packets in my wireless network? I have disabled the password of my Access Point for this (for some time only) so I can get access to the data in the packets.

  2. Great blog. You put up good stuff. All the topics were explained briefly, so they were quick for me to understand. I am waiting for your next fantastic blog. Get more...
    Python Training in Chennai | Best Python Training in Chennai
