8/21/13

Scapy: All-in-One Networking Tool

Sudhanshu Chauhan October 02, 2012 Hacking

A network is an essential part of any cyber infrastructure. There are various tools available for the networking part of pentesting and other security assessment tasks, like Nmap, tcpdump, arpspoof, etc., but one tool which stands out from all of them is Scapy. Scapy is a powerful interactive packet manipulation tool written in Python, and the best part is that it can also be used as a library in Python programs, which gives the pentester the ability to create his/her own tool based on the requirement. In this article we will discuss how we can use Scapy as an interactive tool as well as a library in our (Python) programs.

Scapy allows us to sniff, create, send and slice packets for analysis. Most tools are built with something specific in mind, like Nmap for network scanning or Wireshark for sniffing, but Scapy allows us to build something new using its functionality and hence opens up a whole new world of networking applications. Unlike other tools, which provide an interpreted output of the query, Scapy presents the raw output of any query that we make and lets us decide what we need out of it and how to interpret it. This specific advantage of the tool is very helpful during advanced analysis of the network. Using Scapy we can create and send custom packets over the network and analyze the raw output received with a minimal number of lines of code, and it supports a wide range of protocols for the purpose.

Before going into the details of Scapy, here are a few terms that need to be discussed:

Scanning: The act of probing a host machine to identify any specific detail about it, e.g. port scanning.
Sniffing: The act of intercepting and logging the packets which flow across the network.
Fuzzing: A software testing technique in which random data is passed as input to a computer application to check its stability.

Scapy provides various commands, from basic to advanced level, for probing a network.
Let's start with some basic commands for interactive usage:

    >>> ls()   : Displays all the protocols supported by Scapy, as shown in figure 1.
    >>> lsc()  : Displays the list of commands supported by Scapy, as shown in figure 2.
    >>> conf   : Displays configuration options.
    >>> help() : Displays help on a specific command. Usage example: help(sniff)
    >>> show() : Displays the details about a specific packet. Usage example: Newpacket.show()

Using the above-mentioned commands will be helpful to further explore the tool.

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

Figure 1. Output of commands ls() and conf

Figure 2. Output of command lsc()

Scapy allows us to create custom packets based on the huge set of protocols that it supports. Let us see how we can create simple packets:

    >>> Newpacket=IP(dst='google.com')
    >>> Newpacket.ttl=10
    >>> Newpacket.show()

We can also create sets of packets based on our requirements. Here is an example of simple IP packets for different port addresses.

    >>> basepkt=IP(dst="www.google.com")
    >>> pktport=TCP(dport=[80,443])
    >>> [p for p in basepkt/pktport]

Now that we have created packets, we need to send these packets over the network. We have two options for this purpose:

send(), which is a layer 3 send. It decides the routing based on the local table.
sendp(), which is a layer 2 send.

To send our packet we are using send(), as shown in figure 3:

    >>> send(Newpacket)

Figure 3. Packet creation and sending

To see if the packet is really sent we can use any sniffer like Wireshark or tcpdump, although Scapy also provides the functionality of sniffing, which we will see later in the article.

To send the same packet again and again we can simply add the loop=1 argument to the send call.

    >>> send(Newpacket, loop=1)

As we have seen how to create simple packets and send them, now we should see how to send and also receive packets. This functionality is very useful when we need to send some packets and we expect a response for those packets, like an ARP request. Again there are two types, based on the layers at which the packets are sent and received:

Layer 3:
sr(): It returns the answered and unanswered packets
sr1(): It returns only answered and sent packets

Layer 2:
srp(): It returns the answered and unanswered packets
srp1(): It returns only answered and sent packets

Let's see an example of the sr function. We can create a ping echo request packet by simply adding the ICMP protocol after our previous packet.

    >>> Newpacket=IP(dst="google.com")/ICMP()

The operator '/' is used as a composite operator between two layers. We can send this packet similar to our previous packet.

    >>> output=sr(IP(dst="google.com")/ICMP())
    >>> output

We see that the 'output' contains two different results, 'Results' and 'Unanswered'. The first part contains the packets received as response and the second part contains the packets which were not answered. So we can divide it into two parts:

    >>> result, unanswered=output
    >>> result

The output of the result shows that we got one ICMP packet as a reply, so we can see the raw packet we got in response by using the following command, as shown in figure 4.

    >>> result[0]

Figure 4. Sending and receiving packets

If we look closely we can see that this is an echo reply packet for our echo request.

Now if we want to see the current routing table of our machine, we can use the command:

    >>> conf.route

Scapy allows us to include user specified routes in this table, without affecting the original table; this can be done by using the add function.

    >>> conf.route.add(host="192.168.118.2", gw="192.168.118.25")

Now any packet intended for the host 192.168.118.2 would go through 192.168.118.25, as displayed in figure 5. After we are done using this table we can get back to the original table simply by using the resync function.

    >>> conf.route.resync()

Figure 5. Configuring the routing table

Now that we have seen how to create simple packets, send them and receive them, let's move forward to packet sniffing. Packet sniffing can be done by the simple function sniff:

    >>> a=sniff(filter="icmp", iface="eth1", timeout=10, count=3)
    >>> a.summary()
    >>> a[1]

As demonstrated in the example, the sniff function can sniff the packets and can also filter them based on the user requirements. Now to see the output in real time we can use the lambda function along with the show or summary function, based on the amount of detail we require.

    >>> a=sniff(filter="icmp", iface="eth1", timeout=10, count=3, prn=lambda x:x.summary())

Now as we have seen how easily we can sniff packets using Scapy, we also need to learn how to save these packets for later analysis and also how to read those saved files. To save packets we can use the function wrpcap as shown below:

    >>> wrpcap("mypackets.pcap", a)

Now if we need to read these packets we can simply use the function rdpcap, as shown in figure 6.

    >>> rdpkt=rdpcap("mypackets.pcap")
    >>> rdpkt.show()
    >>> rdpkt[1]

As pcap format is supported by many sniffers like Wireshark, tcpdump etc., we can also analyze these files using them, so that we can analyze what is happening over the network.

Figure 6. Sniffing, writing and reading packets

As Scapy allows us to create custom packets, we can use this functionality to perform port scanning. Here is an example of how to perform some simple port scanning using the interactive interface. We will create a TCP/IP packet with the TCP flag set as 'S' (SYN) for port 1-1024.

    >>> res,unans=sr(IP(dst="192.168.118.1")/TCP(flags="S", dport=(1,1024)))

The output can be analyzed by using the command

    >>> res.summary()

Apart from packet creation, Scapy can also perform simple networking functions such as ping, traceroute etc. Example of a simple traceroute of google.com is shown here:

    >>> traceroute("www.google.com")

If we need to discover the hosts on the local Ethernet we can use the command arping.

    >>> arping("192.168.118.*")

Scapy also contains commands for some network based attacks such as arpcachepoison, etherleak, srpflood etc. These commands can be very useful during a network security analysis.
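Seen from the monitored host, the SYN sweep over ports 1-1024 in the port scanning example is one source sending bare SYN segments to many distinct ports. The following is an added example, not code from the original article: it parses raw IPv4/TCP headers with the standard library only, so it runs without Scapy, root or a live interface. The packets are constructed sample bytes, and the 20-port threshold and the address 192.168.118.131 are assumptions.

```python
import socket
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10
PORT_THRESHOLD = 20  # assumed cut-off: distinct ports probed per (src, dst) pair

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP header pair (checksums left at 0) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, flags), or None if not well-formed IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes (options allowed)
    if ihl < 20 or raw[9] != socket.IPPROTO_TCP or len(raw) < ihl + 14:
        return None
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]              # TCP flag byte: FIN=1, SYN=2, RST=4, PSH=8, ACK=16
    return src, dst, sport, dport, flags

def find_syn_sweeps(packets, threshold=PORT_THRESHOLD):
    """Map (src, dst) -> count of distinct ports hit by bare SYNs, for pairs over threshold."""
    ports = defaultdict(set)
    for raw in packets:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        if flags & SYN and not flags & ACK:   # initial SYN only, not the SYN/ACK reply
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}

# Constructed capture: a 1-1024 sweep, one SYN/ACK reply, one ordinary HTTPS client, junk.
SAMPLE = [build_ipv4_tcp("192.168.118.130", "192.168.118.1", 40000, p, SYN)
          for p in range(1, 1025)]
SAMPLE += [build_ipv4_tcp("192.168.118.1", "192.168.118.130", 80, 40000, SYN | ACK)]
SAMPLE += [build_ipv4_tcp("192.168.118.131", "192.168.118.1", 50000, 443, SYN)] * 3
SAMPLE += [b"\x45\x00", b""]  # truncated input that the parser must skip

if __name__ == "__main__":
    for (src, dst), count in find_syn_sweeps(SAMPLE).items():
        print("possible SYN sweep: %s -> %s, %d ports" % (src, dst, count))
```

The same counting logic can be fed from a pcap written with wrpcap, after stripping the link-layer header from each record.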

Scapy also provides the functionality of fuzzing, utilizing the function fuzz. Here is the example of a simple DNS fuzzer:

    >>> send(IP(dst="192.168.118.1")/UDP()/fuzz(DNS()), inter=1, loop=1)

We have seen how we can use Scapy as a tool and use its various functions interactively. Now let's see how to use Scapy in Python programs, through simple example codes. The example codes demonstrate how easily we can create programs in Python using the Scapy library and create powerful tools with a minimum amount of coding.

The code shown below is a simple Python program which sends ARP requests, waits for responses and displays them.

    #!/usr/bin/python
    #import sys module for command line argument
    import sys
    #import scapy as a library
    from scapy.all import *
    print("Usage: scapy.arping eg: ./scapy.arping.py 192.168.1.0/24")
    #create and send ARP request packets
    rec,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]),timeout=2)
    #print the result
    for send,recv in rec:
        print(recv.sprintf(r"MAC: "+"%Ether.src%"+" <-> IP: "+" %ARP.psrc%"))

The example output of this program is shown below:

    root@bt:~/Desktop# ./scapy.arping.py 192.168.118.0/24
    WARNING: No route found for IPv6 destination :: (no default route?)
    Usage: scapy.arping eg: ./scapy.arping.py 192.168.1.0/24
    Begin emission:
    **Finished to send 256 packets.
    *
    Received 3 packets, got 3 answers, remaining 253 packets
    MAC: 00:50:56:f5:48:7a <-> IP: 192.168.118.2
    MAC: 00:50:56:c0:00:08 <-> IP: 192.168.118.1
    MAC: 00:50:56:f8:5e:b3 <-> IP: 192.168.118.254

Another example code for a simple ARP monitor is shown below (source: http://www.secdev.org/projects/scapy/doc/usage.html#recipes). The program simply monitors for any ARP request or reply and prints the associated MAC and IP address.

    #! /usr/bin/env python
    from scapy.all import *

    def arp_monitor_callback(pkt):
        if ARP in pkt and pkt[ARP].op in (1,2): #who-has or is-at
            return pkt.sprintf("%ARP.hwsrc% %ARP.psrc%")

    sniff(prn=arp_monitor_callback, filter="arp", store=0)

Example output for the program is shown below:

    root@bt:~/Desktop# ./arpmonitor.py
    WARNING: No route found for IPv6 destination :: (no default route?)
    00:50:56:c0:00:08 192.168.118.1
    00:0c:29:d8:b6:4d 192.168.118.130
    00:0c:29:d8:b6:4d 192.168.118.130
    00:50:56:c0:00:08 192.168.118.1

Let's see how we can create a simple DNS fuzzer using the fuzz function demonstrated in the description above.

    #!/usr/bin/env python
    #import module sys for command line argument
    import sys
    #import scapy as a library
    from scapy.all import *
    #fuzz dns
    while True:
        sr(IP(dst=sys.argv[1])/UDP()/fuzz(DNS()),inter=1,timeout=1)

Sample output of the DNS fuzzer created using scapy:

    root@bt:~/Desktop# ./dnsfuzzer.py 192.168.118.1
    WARNING: No route found for IPv6 destination :: (no default route?)
    Begin emission:
    .Finished to send 1 packets.

    Received 1 packets, got 0 answers, remaining 1 packets
    Begin emission:
    Finished to send 1 packets.

    Received 0 packets, got 0 answers, remaining 1 packets
    Begin emission:
    Finished to send 1 packets.

    Received 0 packets, got 0 answers, remaining 1 packets
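The three fields the ARP monitor callback reads (op, hwsrc, psrc) sit at fixed offsets in the 28-byte ARP payload, and tracking the MAC/IP pairs it prints is a common way to notice ARP cache poisoning. The following is an added example, not code from the original article or the Scapy documentation: it parses constructed Ethernet/ARP frames with the standard library only and reports any IP address that appears with a new MAC. The MAC 02:00:00:00:00:99 in the third frame is made up for the demonstration.

```python
import socket
import struct

ETH_P_ARP = 0x0806
OPS = {1: "who-has", 2: "is-at"}  # the same opcodes the monitor callback filters on

def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))

def build_arp_frame(op, hwsrc, psrc, hwdst, pdst):
    """Build an Ethernet + ARP (IPv4 over Ethernet) frame as sample input."""
    dst = b"\xff" * 6 if op == 1 else mac_bytes(hwdst)   # requests are broadcast
    eth = dst + mac_bytes(hwsrc) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(hwsrc), socket.inet_aton(psrc),
                      mac_bytes(hwdst), socket.inet_aton(pdst))
    return eth + arp

def parse_arp_frame(frame):
    """Return (op, hwsrc, psrc) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in OPS:
        return None
    return op, ":".join("%02x" % b for b in sha), socket.inet_ntoa(spa)

def watch_bindings(frames):
    """Return (monitor_lines, alerts); an alert fires when an IP shows up with a new MAC."""
    seen, lines, alerts = {}, [], []
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        op, hwsrc, psrc = parsed
        lines.append("%s %s" % (hwsrc, psrc))      # same format as the monitor output
        if psrc in seen and seen[psrc] != hwsrc:
            alerts.append((psrc, seen[psrc], hwsrc, OPS[op]))
        seen[psrc] = hwsrc
    return lines, alerts

# Constructed frames: the two hosts from the sample output above, then a conflicting
# is-at claim for 192.168.118.1 from a made-up MAC.
SAMPLE = [
    build_arp_frame(1, "00:50:56:c0:00:08", "192.168.118.1",
                    "00:00:00:00:00:00", "192.168.118.130"),
    build_arp_frame(2, "00:0c:29:d8:b6:4d", "192.168.118.130",
                    "00:50:56:c0:00:08", "192.168.118.1"),
    build_arp_frame(2, "02:00:00:00:00:99", "192.168.118.1",
                    "00:0c:29:d8:b6:4d", "192.168.118.130"),
    b"\x00" * 10,  # truncated frame, ignored by the parser
]

if __name__ == "__main__":
    lines, alerts = watch_bindings(SAMPLE)
    print("\n".join(lines))
    for ip, old, new, op in alerts:
        print("ALERT: %s moved from %s to %s (%s)" % (ip, old, new, op))
```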

The output of all the sample programs is shown in figure 7.

Figure 7. Programs using Scapy

There are many other third party libraries available for packet manipulation in Python, like Pcapy, pypcap, dpkt, etc., yet Scapy turns out to be one of the simplest to use and integrate into Python code and hence is widely used.

Conclusion

We saw that Scapy is very powerful yet easy to use. The best thing about Scapy is that we can also use it as a Python library, which allows us to create networking tools very quickly without going into the details of creating raw packets from scratch. The inbuilt functions like fuzz, sniff, traceroute, arping, etc. wipe out the need for different tools for different functions and integrate it all into a single package, which considerably reduces the size of the code. There are many other functionalities provided by Scapy, which individually might seem very simple, but once they are all woven together, they have capabilities which no other tool provides. It simply allows us to try anything we can imagine over a network.

Scapy is actually not a replacement for tools like Nmap, tcpdump or p0f. These tools are developed for specific needs and they all perform their functions very well. During a quick security assessment they come in handy and provide us the desired result, but sometimes we need the raw outputs, without any interpretation, so that we can analyze and make decisions for ourselves. For example, if we need to check whether the system we are trying to parse is actually a honeypot or not, then tools like Scapy are very useful; another example would be to test how a firewall/IDP/IPS behaves for different types of custom packets.

About the Author

Sudhanshu Chauhan is a researcher at InfoSec Institute. He is a B.Tech (CSE) graduate from Amity University. His areas of interest include (but are not limited to) Web Application Security and Bypassing Security Measures (IDS/IPS, AV etc.).

Comments

dejan, October 2, 2012:
Hi, this is a great article, keep it up. Besides that, there's a mistake in the ">>> arping(192.168.118.*)" line: double quotes are missing.

Sudhanshu Chauhan, October 2, 2012:
@dejan, thanks for pointing it out.
