8/21/13

InfoSec Institute InfoSec Resources Intense School

Scapy: All-in-One Networking Tool

HOME

CATEGORIES

IT CERTIFICATIONS

CONTRIBUTORS

CONTACT US

STUDENT PAPERS

Search

Scapy: All-in-One Networking Tool

Sudhanshu Chauhan October 02, 2012 Hacking

A network is an essential part of any cyber infrastructure. There are various tools available for the networking part of pentesting and other security assessment tasks like Nmap, tcpdump, arpspoof, etc., but one tool which stands out of all is Scapy. Scapy is a powerful interactive packet manipulation tool written in Python, and the best part is that it can also be utilized as a library in Python programs, which provides the pentester the ability to create his/her own tool based on the requirement. In this article we will discuss how we can use Scapy as an interactive tool as well as a library in our programs (Python). It allows us to sniff, create, send and slice packets for analysis. Most of the tools are built with something specific in mind, like Nmap for network scanning or Wireshark for sniffing, but Scapy allows us to build something new utilizing its functionalities and hence opens up a whole new world of networking applications. Unlike other tools which provide an interpreted output of the query, Scapy will present a raw output of any query that we make and let us decide what we need out of it and how to interpret it. This specific advantage of the tool is very helpful during the advanced analysis of the network. Using Scapy we can create and send custom packets over the network and analyze the raw output received with a minimal amount of lines of code, and it supports a wide range of protocols for the purpose. Before going into the details of Scapy, here are few terminologies that need to be discussed: Scanning: The act of probing a host machine to identify any specific detail about it. Eg. Port scanning. Sniffing: The act of intercepting and logging the packets which flow across the network. Fuzzing: A software testing technique in which random data is passed as input to a computer application to check its stability. Scapy provides various commands from basic to advanced level for probing a network. Lets start with some basic commands for interactive usage: > > > ls( ) : D isplays all the protocols supporte d by Scapy, as show n in figure 1. > > > lsc( ) : D isplays the list of com m ands supporte d by Scapy, as show n in figure 2. > > > conf: D isplays configurations options. > > > he lp( ) : D isplay he lp on a spe cific com m and. Usage e xam ple : he lp( sniff) > > > show ( ) : D isplay the de tails about a spe cific packe t. Usage e xam ple : Ne w packe t.show ( ) Using the above mentioned command would be helpful to further explore the tool.

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

1/11

8/21/13

Scapy: All-in-One Networking Tool

Figure 1. Output of commands ls() and conf

Figure 2. Output of command lsc() Scapy allows us to create custom packets based on the huge set of protocols that it supports. Let us see how we can create simple packets: > > > Ne w packe t= IP( dst= google .com ) > > > Ne w packe t.ttl= 10 > > > Ne w packe t.show ( ) We can also create sets of packets based on our requirements. Here is an example of simple IP packets for different port addresses. > > > base pkt= IP( dst= w w w .google .com ) > > > pktport= TCP( dport= [80,443]) > > > [p for p in base pkt/ pktport] Now when we have created packets we need to send these packets over the network. We have two options for this purpose: send(), which is a layer 3 send. It decides the routing based on local table.

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

2/11

8/21/13
sendp(), which is a layer 2 send. To send our packet we are using send(), as shown in figure 3: > > > se nd( Ne w packe t)

Scapy: All-in-One Networking Tool

Figure 3. Packet creation and sending To see if the packet is really sent we can utilize any sniffer like Wireshark or tcpdump. Although Scapy also provides the functionality of sniffing, which we will see later in the article. We can create a ping echo request packet by simply adding the ICMP protocol after our previous packet. > > > Ne w packe t= IP( dst= google .com ) / ICMP( ) The operator / is used as a composite operator between two layers. We can send this packet similar to our previous packet. To send the same packet again and again we can simply add the loop=1 argument with the send packet. > > > se nd( Ne w packe t, loop= 1) As we have seen how to create simple packets and send them, now we should see how to send and also receive packets. This functionality is very useful when we need to send some packets and we expect a response for those packets, like an ARP request. Again there are two types based on the layers the packets are sent and received: Layer3: sr(): It returns the answered and unanswered packets sr1(): It returns only answered and sent packets Layew2: srp():It returns the answered and unanswered packets srp1(): It returns only answered and sent packets Lets see an example of the sr function. > > > output= sr( IP( dst= google .com ) / ICMP( ) ) output We see that the output contains two different results, Results and Unanswered. The first part contains the packets received as response and the second part contains the packets which were not answered. So we can divide it into two parts:

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

3/11

8/21/13
> > > re sult, unansw e re d= output > > > re sult

Scapy: All-in-One Networking Tool

The output of the result shows that we got one ICMP packet as a reply, so we can see the raw packet we got in response by using the following command, as shown in figure 4. > > > re sult[0]

Figure 4. Sending and receiving packets If we look closely we can see that this is an echo reply packet for our echo request. Now if we want to see the current routing table of our machine, we can use the command: > > > conf.route Scapy allows us to include user specified routes to this table, without affecting the original table, this can be done by using the add function. > > > conf.route .add( host= 192.168.118.2 , gw = 192.168.118.25 ) Now any packet intended for the host 192.168.118.2 would go through 192.168.118.25 After we are done using this table we can get back to the original table simply by using the resync function, as displayed in figure 5. > > > conf.route .re sync( )

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

4/11

8/21/13

Scapy: All-in-One Networking Tool

Figure 5. Configuring the routing table Now that we have seen how to create simple packets, send them and receive them, lets move forward to packet sniffing, so that we can analyze what is happening over the network . Packet sniffing can be done by the simple function sniff: > > > a= sniff( filte r= icm p, iface = e th1 , tim e out= 10, count= 3) > > > a.sum m ary( ) > > > a[1] As demonstrated in the example, the sniff function can sniff the packets and can also filter them based on the user requirements. Now to see the output in real time we can use the lambda function along with the show or summary function based on the amount of detail we require. > > > a= sniff( filte r= icm p, iface = e th1 , count= 3, tim e out= 10, prn= lam bda x:x.sum m ary( ) ) Now as we have seen how easily we can sniff packets using Scapy, we also need to learn how to save these packets for later analysis and also how to read those saved files. To save packets we can use the function wrpacp as shown below: > > > w rpcap( m ypacke ts.pcap, a) Now if we need to read these packets we can simply use the function rdpcap, as shown in figure 6. As pcap format is supported by many sniffers like Wireshark, tcpdump etc., we can also analyze these files using them. > > > rdpkt= rdpcap( m ypacke ts.pcap) > > > rdpkt.show ( ) > > > rdpkt[1]

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

5/11

8/21/13

Scapy: All-in-One Networking Tool

Figure 6. Sniffing, writing and reading packets As Scapy allows us to create custom packets, we can utilize this functionality to perform port scanning. Here is an example of how to perform some simple port scanning using the interactive interface. We will create a TCP/IP packet with the TCP flag set as S (SYN) for port 1-1024. > > > re s,unans = sr( IP( dst= 192.168.118.1 ) / TCP( flags= S, dport= ( 1,1024) ) ) The output can be analyzed by using the command > > > re s.sum m ary( ) Apart from packet creation, Scapy can also perform simple networking functions such as ping, traceroute etc. Example of a simple traceroute of google.com is shown here: > > > trace route ( w w w .google .com ) Scapy also contains commands for some network based attacks such as arpcachepoison, etherleak, srpflood etc. These commands can be very useful during a network security analysis. If we need to discover the hosts on the local Ethernet we can use the command arping. > > > arping( 192.168.118.* )

Want to learn more?? The InfoSec Institute Ethical Hacking course goes indepth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises . While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include: Dual Certification - CEH and CPT 5 days of Intensive Hands-On Labs Expert Instruction CTF exercises in the evening Most up-to-date proprietary courseware available

VIEW ETHICAL HACKING

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

6/11

8/21/13
fuzzer:

Scapy: All-in-One Networking Tool

Scapy also provides the functionality of fuzzing, utilizing the function fuzz, here is the example of a simple DNS

> > > se nd( IP( dst= 192.168.118.1 ) / UD P( ) / fuzz( D NS( ) ) , inte r= 1,loop= 1) We have seen how we can use Scapy as a tool and use its various functions interactively. Now lets see how to use Scapy in Python programs, through simple example codes. The example codes demonstrate how easily we can create programs in Python using the Scapy library and create powerful tools with minimum amount of coding. The code shown below is a simple Python program which sends ARP requests and waits for response and displays the response. #!/ usr/ bin/ python #im port sys m odule for com m and line argum e nt im port sys #im port scapy as a library from scapy.all im port * print Usage : scapy- arping e g: ./ scapy- arping.py 192.168.1.0/ 24 #cre ate and se nd ARP re que st packe ts re c,unans= srp( Ethe r( dst= ff:ff:ff:ff:ff:ff) / ARP( pdst= sys.argv[1]) ,tim e out= 2) #print the re sult for se nd,re cv in re c: print re cv.sprintf( rMAC: + %Ethe r.src%+ < > IP: + %ARP.psrc%) The example output of this program is shown below: root@bt:~ / D e sktop# ./ scapy- arping.py 192.168.118.0/ 24 WARNING: No route found for IPv6 de stination :: ( no de fault route ? ) Usage : scapy- arping e g: ./ scapy- arping.py 192.168.1.0/ 24 B e gin e m ission: * * Finishe d to se nd 256 packe ts. * Re ce ive d 3 packe ts, got 3 answ e rs, re m aining 253 packe ts MAC: 00:50:56:f5:48:7a < > IP: 192.168.118.2 MAC: 00:50:56:c0:00:08 < > IP: 192.168.118.1 MAC: 00:50:56:f8:5e :b3 < > IP: 192.168.118.254 Another example code for a simple ARP monitor is shown below (source: http://www.secdev.org/projects/scapy/doc/usage.html#recipes). The program simply monitors for any ARP request or reply and prints the associate MAC and IP address. #! / usr/ bin/ e nv python from scapy.all im port *

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

7/11

8/21/13
de f arp_m onitor_callback( pkt) : if ARP in pkt and pkt[ARP].op in ( 1,2) : #w ho- has or is- at re turn pkt.sprintf( %ARP.hw src% %ARP.psrc%) sniff( prn= arp_m onitor_callback, filte r= arp, store = 0) Exam ple output for the program is show n be low : root@bt:~ / D e sktop# ./ arpm onitor.py

Scapy: All-in-One Networking Tool

WARNING: No route found for IPv6 de stination :: ( no de fault route ? ) 00:50:56:c0:00:08 192.168.118.1 00:0c:29:d8:b6:4d 192.168.118.130 00:0c:29:d8:b6:4d 192.168.118.130 00:50:56:c0:00:08 192.168.118.1 Lets see how we can create a simple DNS fuzzer using the fuzz function demonstrated in the description above. #!/ usr/ bin/ e nv python #im port m odule sys for com m and line argum e nt im port sys #im port scapy as a library from scapy.all im port * #fuzz dns w hile True : sr( IP( dst= sys.argv[1]) / UD P( ) / fuzz( D NS( ) ) ,inte r= 1,tim e out= 1) Sam ple output of the D NS fuzze r cre ate d using scapy. root@bt:~ / D e sktop# ./ dnsfuzze r.py 192.168.118.1 WARNING: No route found for IPv6 de stination :: ( no de fault route ? ) B e gin e m ission: .Finishe d to se nd 1 packe ts. Re ce ive d 1 packe ts, got 0 answ e rs, re m aining 1 packe ts B e gin e m ission: Finishe d to se nd 1 packe ts. Re ce ive d 0 packe ts, got 0 answ e rs, re m aining 1 packe ts B e gin e m ission: Finishe d to se nd 1 packe ts. Re ce ive d 0 packe ts, got 0 answ e rs, re m aining 1 packe ts

OTHER ARTICLES BY SUDHANSHU CHAUHAN

Wireshark Netcat: TCP/IP Swiss Army Knife Windows Vulnerability Assessment Interview: Marius Corici, CEO of Hack a Server Intrusion Prevention System: First Line of Defense Metadata: The Hidden Treasure Passive Fingerprinting

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

8/11

8/21/13
[...] The output of all the sample programs is shown in figure 7.

Scapy: All-in-One Networking Tool

Virtualization Security: Hacking VMware with VASTO Wi-Fi Security: The Rise and Fall of WPS Cross-Site Scripting (XSS)

LIKE US ON FACEBOOK == STAY UP TO DATE

InfoSec Institute
Like 5,816

AWARD WINNING TRAINING FROM INFOSEC

Be the first to hear of new free tutorials, training videos, product demos, and more. We'll deliver the best of our free resources to you each month, sign up here:

Email

Yes, Send My Free Training & Tutorials Figure 7. Programs using Scapy There are many other third party libraries available for packet manipulation in Python, like Pycapy, pypcap, dpkt, etc., yet Scapy turns out be one of the simplest to use and integrate into Python code and hence is widely used. There are many other functionalities provided by Scapy, which individually might seem very simple, but once they all are weaved together, they have the capabilities which no other tool provides. Conclusion We saw that Scapy is very powerful yet easy to use. Scapy is actually not a replacement for tools like Nmap, tcpdump or p0f. These tools are developed for specific needs and they all perform their functions very well. During a quick security assessment they come in handy and provide us the desired result, but sometimes we need the raw outputs, without any interpretation so that we can analyze and make decisions for ourselves. For example if we need to check if the system we are trying to parse is actually a honeypot or not, another example would be to test how a firewall/ IDP/ IPS behaves for different types of custom packets, then tools like Scapy are very useful. The best thing about Scapy is that we can also use it as a Python library, which allows us to create networking tools very quickly without going into the details of creating raw packets from scratch, which considerably reduces the size of the code. It simply allows us try anything we can imagine over a network. The inbuilt functions like fuzz, sniff, traceroute, arping, etc. wipe out the need of different tools for different functions and integrate it all into a single package.

Want to l earn m ore?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on l ab exercises . While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a whitehat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include: Dual Certification - CEH and CPT 5 days of Intensive Hands-On Labs Expert Instruction CTF exercises in the evening Most up-to-date proprietary courseware available

VIEW ETHICAL HACKING

Incoming search terms:

scapy no route found for ipv6 destination scapy scapy hacking scapy python example fuzzing with scapy scapy sniff( count callback scapy training Python all in one s60v2 scapy sniff prn Www scapy com
InfoSec Institute - The most awarded security training company

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

9/11

8/21/13
feature hacking

Scapy: All-in-One Networking Tool

About the Author

Sudhanshu Chauhan is a researcher at InfoSec Institute. He is a B.Tech (CSE) graduate from Amity University. His areas of interest include (but are not limited to) Web Application Security and Bypasssing Security Measures(IDS/IPS, AV etc.).

Related Posts

3 Comments
dejan October 2, 2012 at 2:51 pm - Reply

Hi, theres a mistake in the >>> arping(192.168.118.*) line: double quotes are missing. Besides that, this is a great article, keep it up.

S udhanshu Chauhan October 2, 2012 at 3:42 pm - Reply

@dejan, thanks for pointing it out.

S capy el autoctrl November 22, 2012 at 11:02 am - Reply

[...] all in one net work tool scapy [...]

Leave A Response
Name (required) Comment

Email (required)

Website

Post Comment

ARCHIVE
August 2013 (26) July 2013 (44) June 2013 (38)

RECENT POSTS
InfoSec Institute is Hiring: Security Researcher Dictionary Attack Using Burp Suite SANS Investigate Forensics Toolkit

CATEGORIES
Application Security (128) Exploit Development (48) Forensics (58)

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

10/11

8/21/13
May 2013 (42) April 2013 (56) March 2013 (68) February 2013 (65) January 2013 (65) December 2012 (51) November 2012 (45) October 2012 (59) September 2012 (56) August 2012 (35) July 2012 (21) June 2012 (31) May 2012 (11) April 2012 (16) March 2012 (12) February 2012 (24) January 2012 (22) December 2011 (15) November 2011 (12) October 2011 (12) September 2011 (1) August 2011 (2) July 2011 (7) June 2011 (22) May 2011 (30) April 2011 (33) March 2011 (24) February 2011 (7) January 2011 (2) December 2010 (3) November 2010 (7) October 2010 (1) September 2010 (1) August 2010 (4) July 2010 (2) Forensics Martial Arts Part 2

Scapy: All-in-One Networking Tool

General Security (175) Hacking (299) Interviews (33) IT Certifications (65) CCNA (2) CEH (5) CISA (16) CISM (10) CISSP (33) MCITP (2) Management, Compliance, & Auditing (48) Meta (1) Other (79) Reverse Engineering (115) SCADA (5) Virtualization Security (6) Wireless Security (10) SANS Investigate Forensics Toolkit Forensics Martial Arts Part 1 Android Forensics: Cracking the Pattern Lock Protection WEB SERVER SECURITY Handy Devices Revolution: Another Set of Embedded Devices and Dev Boards Owned by Chrome Extensions Keyloggers: How They Work and More Steganography: What your eyes dont see Hacker Proofing Apache & PHP Configuration Malicious Firefox Add-Ons: Keylogger

POPULAR

COMMENTS

TAGS

POPULAR SEARCH TERMS

iphone, i phone, backtrack 5 r3 tutorial , resources infosecinstitute com, diarmf, network security engineer, w3af tutorial , backtrack 5 r3 tutorial pdf, Backtrack 5 , iphone 1 , iphone 10 , maltego

Ant ivir u s E vasio n: The Making o f a Fu ll, Und et ec t ab le US B Dr o p p er / S p r ead er

September 20, 2012 45

Id eal S kill S et Fo r t he Penet r at io n Test ing

August 27, 2010 44

Vu lner ab ilit y

S LAAC At t ac k 0d ay Wind o w s Net w o r k Int er c ep t io n Co nfig u r at io n

39

April 04, 2011

S QL Injec t io n t hr o u g h HTTP Head er s

March 30, 2012 31

Copyright 2012 - InfoSec Institute

Back to Top

resources.infosecinstitute.com/scapy-all-in-one-networking-tool/

11/11