Scapy

Stephen Thorne

NetBox Blue Pty Ltd

About Scapy

• Python script, 12,000 loc.
• Tool for capturing altering and transmitting arbitrary packets.
• Layer 2 and 3.

Simple usage

• How to start it:

• $ sudo python scapy.py
  Welcome to Scapy (1.0.4.1beta)
  >>> 
  

• Root access it required to be able to do packet sniffing and emission.

• >>> p = sniff(count=5)
  >>> p.show()
  0000 Ether / IP / TCP 10.233.200.32:53294 > 10.233.11.43:ssh A
  0001 Ether / ARP who has 10.233.11.189 says 10.233.10.209 / Padding
  0002 Ether / ARP who has 10.233.11.235 says 10.233.0.3 / Padding
  0003 Ether / IP / TCP 10.233.0.24:ideafarm-chat > 10.233.11.43:57462 PA / Raw
  0004 Ether / IP / TCP 10.233.11.43:57462 > 10.233.0.24:ideafarm-chat A

Composing Packets

• Create a TCP Packet. The '/' means to layer two parts together.
• p = IP(dst='10.0.0.1')/TCP(dport=25)

• print p
  <IP  frag=0 proto=TCP dst=10.0.0.1 |<TCP  dport=smtp |>>

• All the required fields will be filled out when transmitting.
• See what the packet looks like:

• >>> str(p)
  'E\x00\x00(\x00\x01\x00\x00@\x06Z\xbb\n\xe9\x0b+\n\x00\x00\x01\x00\x14' \
  '\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x00o\xa1\x00\x00'

• Recompose it

• >>> IP(str(p))
  <IP  version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=64 
  proto=TCP chksum=0x5abb src=10.233.11.43 dst=10.0.0.1 options='' 
  |<TCP  sport=ftp-data dport=smtp seq=0L ack=0L dataofs=5L 
  reserved=0L flags=S window=8192 chksum=0x6fa1 urgptr=0 |>>
  

• All unspecified values have been filled out with useful defaults.

Viewing Packets

• Use .show() on a packet to display everything in a nice format

• >>> p.show()
  ###[ IP ]###
    version= 4L
    ihl= 5L
    tos= 0x0
    len= 40
    id= 1
    flags= 
    frag= 0L
    ttl= 64
    proto= TCP
    chksum= 0x5abb
    src= 10.233.11.43
    dst= 10.0.0.1
    options= ''
  ###[ TCP ]###
    sport= ftp-data
    dport= smtp
    seq= 0L
    ack= 0L
    dataofs= 5L
    reserved= 0L
    flags= S
    window= 8192
    chksum= 0x6fa1
    urgptr= 0
    options= {}
  

Modifying Packets

• Packets are composed of layers of objects.
• p = Ether()/IP()/UDP()/DNS()/DNSQR()
• Each sublayer is accessed by its parents .payload attribute.

• print p.payload.payload
  <UDP  sport=domain |<DNS  |<DNSQR  |>>>

• Interesting to note that by composing a DNS payload inside a UDP packet, the 'domain' port (53) has been automatically selected.
• Accessing an attribute of a packet will look at each layer until that attribute is found.
• p.dport == 53
• Modifying an a packet requires that you assign to the correct layer.
• p.payload.dport = 10053

Sending Packets

• Variety of functions
• sendp(packet) layer 2 send.
• send(packet) layer 3 send.
• ans, unans = srp(packet) layer 2 send and receive.
• ans, unans = sr(packet) layer 3 send and receive.
• ans = srp1(packet) layer 2 send and receive, returns first reply.
• ans = sr1(packet) layer 3 send and receive, returns first reply.
• Layer 2 packets generally start with Ether() as their top level. Dot11() can be used if you want to do 802.11 frame injection.
• Layer 3 packets could start with IP(), ARP(), ICMP(), GRE() etc.

Arp Poisoning.

• Will cause a host on the network to have a poisoned arp cache.
• A very simple thing to do.

• arpcachepoison('10.0.0.1', '10.0.0.2')

• Will cause 10.0.0.1 to send the current host all packets originally intended for 10.0.0.2.
• Simple to implement

• def arpcachepoison(target, victim):
      tmac = getmacbyip(target)
      p = Ether(dst=tmac) /ARP(op="who-has", psrc=victim, pdst=target)
      sendp(p, iface_hint=target)

Wake On Lan

• This is possible to do with just a UDP socket, but is an interesting example.
• Network cards, while the machine is asleep listen for a packet that contains 6 0xFF bytes, followed by its mac address 16 times. It doesn't matter what protocol is used.
• Layer 2 and Layer 3 examples:
• mac = '0003e48d0c71'.decode("hex"); eff = '\xff'
• Layer 2: sendp(Ether(dst='ff:ff:ff:ff:ff:ff') /IP(dst='255.255.255.255') /UDP(dport=7) /Raw(eff*6 + mac*16))
• Layer 3: send(IP(dst='255.255.255.255') /UDP(dport=7) /Raw(eff*6 + mac*16))

Analysis of tcpdump data

• Live capture: packets = sniff(count=100, filter='tcp port 80')
• From tcpdump -w: packets = sniff(offline='capture.pcap')

• for p in packets:
      if 'Set-Cookie' in getattr(p, 'load', None):
         p.show()

        >>> packets = sniff(count=100, filter='tcp port 80')
        >>> for p in packets:
        ...     if 'Set-Cookie' in getattr(p, 'load', None):
        ...         p.show()

Advanced Analysis

• How many bytes consumed by each tcp stream:

• from pprint import pprint
  packets = sniff(count=100, filter='tcp')
  def keyfunc(p):
      return tuple(sorted(((p.payload.src, p.sport), (p.payload.dst, p.dport))))
  
  d = dict.fromkeys((keyfunc(p) for p in packets), 0)
  for p in packets:
      d[keyfunc(p)] += len(p)
  
  pprint(d)
  {(('203.144.10.9', 80), ('203.206.56.31', 32847)): 148,
   (('203.144.10.9', 80), ('203.206.56.31', 54117)): 148,
   ...
   (('203.144.10.9', 80), ('203.206.56.31', 59450)): 22667}

Data Correlation

• Accessing data programatically means we can do data correlation much easier than using traditional tools (tcpdump, wireshark).
• Every host that has both spammed netbios traffic, and done a web request:

• packets = sniff(count=1000, filter='tcp port 139 or port 80')
  
  netbios_hosts = set(p.payload.src for p in packets if p.dport == 139)
  web_hosts = set(p.payload.src for p in packets if p.dport == 80)
  
  print netbios_hosts.intersection(web_hosts)

• Note, both Ether and IP have a .src attribute, so it is necessary to refer to p.payload.src, instead of to just p.src. We are interested in ip addresses not mac addresses.

Portscan, Traceroute

• Using this tool to perform a portscan

• ans, unans = sr(IP(dst='10.0.0.0/24')/TCP(dport=80), timeout=5)
  for snd, rcv in ans:
       print snd.dst, 'port', snd.dport, 'open'

• Perform a TCP Traceroute

• target = 'av.com'
  ans, unans = sr(IP(dst=target, ttl=(0,25),id=RandShort())/TCP(flags=0x2, dport=443))
  for snd, rcv in ans:
      print snd.ttl, rcv.src, isinstance(rcv.payload, TCP)

• 0 10.233.255.254 False
  1 10.233.255.254 False
  2 203.55.228.88 False
  ...
  9 216.115.106.207 False
  10 66.218.82.223 False
  11 66.94.234.13 True
  12 66.94.234.13 True
  ...

Connection Tracking Tables

• How do you find out if a NAT box infront of you is having trouble tracking your connections?

• ans, unans = scapy.sr(
          scapy.IP(dst='netboxblue.com')
              /scapy.TCP(dport=9, sport=(40000, 40000+1000)),
          timeout=30)
  if len(ans) < 1000:
      print 'Connection tracking problem'
  

Source Port Blocking

• How do you list all the source ports blocked by your broken ISP?

• # Send a packet with a sourceport from 1024 to 65355
  ans, unans = scapy.sr(
          scapy.IP(dst='netboxblue.com')
              /scapy.TCP(dport=80, sport=(1024, 65000)),
          timeout=30)
  # look through all the packets we didn't get replies for:
  for x in unans:
      print x.sport

Where Do You Get It?

• Scapy Home Page
• Debian, Ubuntu: apt-get install python-scapy
• secdev.org/projects/scapy/portability.html

Conclusion

• Good to have tools
• Sniff, retransmit packets
• portscanning
• arp table modification
• Easy to use.

Questions

• Any questions?