Getting Familiar with Scapy
https://blogs.sans.org/pen-testing/files/2016/04/ScapyCheatSheet_v0.2.pdf
Navigating Classes/Layers:
Check the details of each class/layer using ls():
>>> ls(IP)
version : BitField = (4)
ihl : BitField = (None)
tos : XByteField = (0)
len : ShortField = (None)
id : ShortField = (1)
flags : FlagsField = (0)
frag : BitField = (0)
ttl : ByteField = (64)
proto : ByteEnumField = (0)
chksum : XShortField = (None)
src : Emph = (None)
dst : Emph = ('127.0.0.1')
options : PacketListField = ([])
Check commands available using lsc()
Format is command(packet)
Sending a Packet:
>>> pkt=IP(dst="google.com")/ICMP()
sr - send & receive
srp - send & receive layer 2
>>> sr1(pkt)
Begin emission:
..................Finished to send 1 packets.
........................................................................................................................................................................................................................................................................................................................................................................................................................^C
Received 426 packets, got 0 answers, remaining 1 packets
sr1 = send and receive 1 packet: it sends one packet and returns the first response it gets
Using send() will only send; it does not wait for a response
>>> send(pkt)
.
Sent 1 packets.
Using sendp() sends the packet at layer 2 (all functions ending in p work at layer 2, so the packet should start with a link-layer header such as Ether())
>>> sendp(pkt)
.
Sent 1 packets.
To see the results: sr() always returns a tuple of two lists, (answered, unanswered)
>>> (ans,unans) = sr(IP(dst='google.com')/ICMP())
Iterations:
>>> pkts = IP(dst='192.168.0.0/28')
>>> [pkt for pkt in pkts]
[<IP dst=192.168.0.0 |>, <IP dst=192.168.0.1 |>, <IP dst=192.168.0.2 |>, <IP dst=192.168.0.3 |>, <IP dst=192.168.0.4 |>, <IP dst=192.168.0.5 |>, <IP dst=192.168.0.6 |>, <IP dst=192.168.0.7 |>, <IP dst=192.168.0.8 |>, <IP dst=192.168.0.9 |>, <IP dst=192.168.0.10 |>, <IP dst=192.168.0.11 |>, <IP dst=192.168.0.12 |>, <IP dst=192.168.0.13 |>, <IP dst=192.168.0.14 |>, <IP dst=192.168.0.15 |>]
>>>
Reading/logging traffic:
Sniff packets on the interface:
>>> pkts = sniff(count=24)
>>> pkts
<Sniffed: TCP:19 UDP:4 ICMP:0 Other:1>
Write the packets to a pcap file:
>>> wrpcap('./cap.pcap', pkts)
Read the pcap file back into an rpkts variable:
>>> rpkts = rdpcap('./cap.pcap')
>>> rpkts
<cap.pcap: TCP:19 UDP:4 ICMP:0 Other:1>
Use str() or hexdump() on a packet to see its raw bytes as well
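The following is an added example, not code from this post or from the SANS cheat sheet, written with the Python standard library only so it runs without Scapy installed. It ties the two sections above together: it serializes the IPv4 header from exactly the fields ls(IP) lists (computing len and chksum, which ls(IP) shows as None because Scapy fills them in), writes constructed Ethernet frames in the classic pcap format the way wrpcap() does, reads them back in either byte order as rdpcap() has to, and produces the same TCP/UDP/ICMP/Other summary line. The function names (build_ipv4, wrpcap_bytes, rdpcap_bytes, summarize), the MAC and IP addresses and the frame contents are my own constructed choices.

```python
import io
import socket
import struct
from collections import Counter

# Constructed example, standard library only (no Scapy needed).
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PCAP_MAGIC = 0xA1B2C3D4   # classic pcap with microsecond timestamps


def ip_checksum(header):
    """RFC 1071 one's-complement checksum; over a header whose chksum field is
    already filled in it returns 0, which is how a received header is verified."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b"", ttl=64, ident=1, tos=0, flags=0, frag=0):
    """Serialize the header fields ls(IP) lists (no options, so ihl=5). len and
    chksum are computed here, as Scapy does when ls(IP) shows them as None."""
    ihl = 5
    head = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4 + len(payload),
                       ident, (flags << 13) | frag, ttl, proto, 0,   # 0 = chksum placeholder
                       socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", ip_checksum(head)) + head[12:] + payload


def build_ethernet(payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame with constructed MAC addresses (the layer sendp works at)."""
    return b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ethertype) + payload


def wrpcap_bytes(frames, endian="<"):
    """Serialize frames as a classic pcap; endian is the writing host's byte order."""
    out = io.BytesIO()
    out.write(struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.write(struct.pack(endian + "IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def rdpcap_bytes(data):
    """Parse a classic pcap written in either byte order and return its frames."""
    magic, = struct.unpack("<I", data[:4])
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)   # same magic, big-endian writer
    if endian is None:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    if struct.unpack(endian + "HHiIII", data[4:24])[5] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:                 # file cut short in the middle of a record
            raise ValueError("truncated record at offset %d" % off)
        frames.append(frame)
        off += incl_len
    return frames


def summarize(frames):
    """Count frames by transport protocol the way rdpcap() shows them. Non-IPv4
    frames, frames too short for an IPv4 header and bad IPv4 checksums count as Other."""
    names = {PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_ICMP: "ICMP"}
    counts = Counter({"TCP": 0, "UDP": 0, "ICMP": 0, "Other": 0})
    for frame in frames:
        ip = frame[14:]
        if (len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4
                or ip[0] >> 4 != 4 or ip_checksum(ip[:(ip[0] & 0x0F) * 4]) != 0):
            counts["Other"] += 1
        else:
            counts[names.get(ip[9], "Other")] += 1
    return counts


def demo():
    """Round-trip constructed frames through the pcap format, then summarize them."""
    frames = [
        build_ethernet(build_ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, b"\x00" * 20)),
        build_ethernet(build_ipv4("10.0.0.2", "10.0.0.1", PROTO_TCP, b"\x00" * 20)),
        build_ethernet(build_ipv4("10.0.0.1", "10.0.0.2", PROTO_UDP, b"\x00" * 8)),
        build_ethernet(build_ipv4("10.0.0.1", "10.0.0.3", PROTO_ICMP, b"\x08" + b"\x00" * 7)),
        build_ethernet(b"\x00" * 46, ethertype=0x0806),   # ARP frame: counted as Other
    ]
    counts = summarize(rdpcap_bytes(wrpcap_bytes(frames)))
    return "<cap.pcap: TCP:%d UDP:%d ICMP:%d Other:%d>" % (
        counts["TCP"], counts["UDP"], counts["ICMP"], counts["Other"])


if __name__ == "__main__":
    print(demo())   # <cap.pcap: TCP:2 UDP:1 ICMP:1 Other:1>
```

Running the file prints the same kind of summary line rdpcap() shows above. Two details matter when you read captures from other hosts: the pcap magic tells you the writer's byte order, so the reader picks the endianness from it rather than assuming little-endian, and a file cut short mid-record is reported instead of silently dropping the tail. Scapy's dissector simply reports whatever chksum field it reads; this summary counts a header that fails verification as Other, so a corrupted or tampered capture shows up in the totals.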
Fuzzing:
Verify which fields will be fuzzed by doing something similar to:
>>> (IP(dst='8.8.8.8')/fuzz(UDP()/BOOTP())).show()
State machine!!
http://www.secdev.org/projects/scapy/doc/advanced_usage.html#automata