Python Scripting with Scapy



Similar documents
Network Packet Analysis and Scapy Introduction

Network Forensics Network Traffic Analysis

Network Attacks. Blossom Hands-on exercises for computer forensics and security

Scapy. On-the-fly Packet Generation by Dienstag, 10. Januar 12

Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)

SQL Injection. Blossom Hands-on exercises for computer forensics and security

Introduction Présentation de scapy. Scapy. Easy Packet Handling. Etienne Maynier. Capitole du Libre 24 Novembre 2012

A Research Study on Packet Sniffing Tool TCPDUMP

Why use Scapy? Blue Team. Red Team. Test IDS/IPS Test Firewall Learn more about TCP/IP (down and dirty) Application response(fuzzing)

Packet Sniffing and Spoofing Lab

Figure 1. Wireshark Menu Bar

Packet Sniffer Detection with AntiSniff

Lab 1: Introduction to the network lab

netkit lab two-hosts Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

Packet Sniffing on Layer 2 Switched Local Area Networks

Packet Sniffer using Multicore programming. By B.A.Khivsara Assistant Professor Computer Department SNJB s KBJ COE,Chandwad

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Information Security Training. Assignment 1 Networking

Attack Lab: Attacks on TCP/IP Protocols

Exploring Layer 2 Network Security in Virtualized Environments. Ronny L. Bull & Jeanna N. Matthews

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Tutorial. Reference for more thorough Mininet walkthrough if desired

Sniffing in a Switched Network

ICS 351: Today's plan

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

EKT 332/4 COMPUTER NETWORK

Lab Conducting a Network Capture with Wireshark

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

Introduction to Network Security Lab 1 - Wireshark

LAB THREE STATIC ROUTING

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Safe network analysis

Case Study 2 SPR500 Fall 2009

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Own your LAN with Arp Poison Routing

Introduction to Operating Systems

RDP Exploitation using Cain I will demonstrate how to ARP poison a connection between a Windows 7 and Windows 2008 R2 Server using Cain.

Lab - Using Wireshark to View Network Traffic

Workstation ARP. Objective. Background / Preparation

Network Monitoring Tool with LAMP Architecture

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

A switch table vulnerability in the Open Floodlight SDN controller

Introducing the Adafruit Bluefruit LE Sniffer

Enumerating and Breaking VoIP

Domain 5.0: Network Tools

Lab 1: Packet Sniffing and Wireshark

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

MITM Man in the Middle

Lab VI Capturing and monitoring the network traffic

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

netkit lab MPLS VPNs with overlapping address spaces 1.0 S.Filippi, L.Ricci, F.Antonini Version Author(s)

Computer Networks I Laboratory Exercise 1


Load Balancing Clearswift Secure Web Gateway

CS197U: A Hands on Introduction to Unix

CYBERTRON NETWORK SOLUTIONS

Load Balancing SIP Quick Reference Guide v1.3.1

The BackTrack Successor

Lab - Observing DNS Resolution

MALAYSIAN PUBLIC SECTOR OPEN SOURCE SOFTWARE (OSS) PROGRAMME. COMPARISON REPORT ON NETWORK MONITORING SYSTEMS (Nagios and Zabbix)

Firewalls and Software Updates

co Characterizing and Tracing Packet Floods Using Cisco R

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Lab Objectives & Turn In

Load Balancing Trend Micro InterScan Web Gateway

TIBCO Enterprise Administrator Release Notes

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Modern snoop lab lite version

Mercury User Guide v1.1

Load Balancing Smoothwall Secure Web Gateway

Protecting and controlling Virtual LANs by Linux router-firewall

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

RCL: Software Prototype

Kaseya 2. User Guide. for Network Monitor 4.1

Using RADIUS Agent for Transparent User Identification

Linux MDS Firewall Supplement

PoS(EGICF12-EMITC2)091

ft6 Motivation next step: perform the tests usually tedious, error prone work aided by a tool easily repeatable enter ft6 ft6

CET442L Lab #2. IP Configuration and Network Traffic Analysis Lab

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

QualNet 4.5 Network Emulation Interface Model Library

DIY Device Cloud Documentation

A denial of service attack against the Open Floodlight SDN controller

Introduction to Python

Using WhatsUp IP Address Manager 1.0

Wireshark Tutorial INTRODUCTION

Lab Characterizing Network Applications

Lab - Observing DNS Resolution

Load Balancing Sophos Web Gateway. Deployment Guide

Transcription:

Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/. Python Scripting with Scapy BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) l.han@mmu.ac.uk

1. Learning Objectives This lab aims to learn how we use Scapy and python to programme the network monitor tools (manipulating, sending, receiving and sniffing packets. 2. Preparation 1) Under Linux environment 2) Some documents that you may need to refer to: 3. Tasks 'Virtual-MachineGuide.pdf' Linux-Guide.pdf BLOSSOM-UserGuide.pdf Packet Analysis & Introduction to Scapy.pdf Setup & Installation: Start a single virtual machine as you have done with previous exercises (see Virtual Machine Guide): # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one

Task 1 Basic Python Scripting with Scapy 1.1 In previous labs we have learnt how to use many different functions of Scapy, but now we will learn how Scapy can be as a library within Python which will allow us to write scripts or programs to perform tasks such as sending and receiving packets or sniffing packets. First of all, we will open up gedit or your preferred text editor and write a basic Python script to sniff for packets: NOTE: The text following the command to open gedit should be entered within the text editor. Also, '>' signifies the start of a line and should not be included in the script writing. # gedit scapysniff.py a=sniff(count=10) a.nsummary() Save the script, change the mode of the file to be an executable and then execute it: # chmod +x scapysniff.py #./scapysniff.py This will sniff for 10 packets and as soon as 10 packets have sniffed, it will print a summary of the 10 packets that were discovered. 1.2 Next, we will look at a basic script that allows for the sending of packets: # gedit scapysend.py send(ip(dst="1.2.3.4")/icmp()) sendp(ether()/ip(dst="1.2.3.4",ttl=(1,4)), iface="eth1")

The two main lines of code feature different sending functions. Send() is used to send packets at the 3 rd protocol layer, whereas Sendp() is used to send packets at the 2nd protocol layer. The difference is very important as some packets, such as ICMP are specific to certain layers, and it is up to us to know which packets can be used at which layer. 1.3 Scapy also has an array of commands for sending and receiving packets at the same time, which can be utilised in a python script as follows: # gedit scapysendrec.py ans,unans=sr(ip(dst="192.168.86.130",ttl=5)/icmp()) ans.nsummary() unans.nsummary() p=sr1(ip(dst="192.168.86.130")/icmp()/"xxxxxx") p.show() The sr() function is for sending packets and receiving answers, which returns a couple of packets with answers, and also the unanswered packets which can be displayed as shown above. The function sr1() is a variant that only returns on packet that answered the packet that was sent. sr() and sr1() are for layer 3 packets only. If you wish to send and receive layer 2 packets, you must use srp() or srp1(). Create a python script that sends and receives layer 2 packets, and then displays the information pertaining to the packets sent and received.

Task 2 Advanced Python Scripting with Scapy 2.1 Now that we understand the basics of sniffing packets, sending packets and receiving packets within python scripts, we can now learn some more advanced scripting. # gedit scapysr.py import sys from scapy.all import sr1,ip,icmp p=sr1(ip(dst=sys.argv[1])/icmp()) if p: p.show() NOTE: Remember that indentation is extremely important when writing python scripts. The previous script starts to introduce system arguments as an input. The sys.argv[1] as the destination address states that after executing the script, the first argument to follow the execution of the script will be used for the destination address, for example: #./scapysr.py 192.168.86.130 Using this, we now don't have to edit the source file every time we want to use a different IP address. 2.2 Scapy can also make use of methods so that we can make entire programs dedicated to certain functions, such as the live sniffing of packets: # gedit scapylivearp.py def arp_monitor_callback(pkt): if ARP in pkt and pkt[arp].op in (1,2): #who-has or is-at return pkt.sprintf("%arp.hwsrc% %ARP.psrc%") sniff(prn=arp_monitor_callback, filter="arp", store=0)

This will create a live packet sniffer that will return any ARP requests that are seen on all interfaces. The entire method basically states that if a packet is both an ARP packet, and the operation of that packet is either who-has or is-at, then it will return a printed line stating the source MAC address and source IP address of that ARP packet. The method is applied to the sniff command using the prn function. Another important thing to notice is that 'store=0' is applied to the sniff command as well, and this is so that scapy avoids storing all of the packets within its memory. 2.3 There are countless other useful tools that we could create using Scapy as a library within python, such as the following example: # gedit arping2tex.py import sys from scapy.all import srp,ether,arp,conf if len(sys.argv)!= 2: print "Usage: arping2tex <net>\n eg: arping2text 192.168.1.0/24" sys.exit(1) conf.verb=0 ans,unans=srp(ether(dst="ff:ff:ff:ff:ff:ff")/arp(pdst=sys.argv[1]), timeout=2) print r"\begin{tabular}{ l l }" print r"\hline" print r"mac & IP\\" print r"\hline" for snd,rcv in ans: print rcv.sprintf(r"%ether.src% & %ARP.psrc%\\") print r"\hline" print r"\end{tabular}" This script will perform an ARP ping and then report whatever it finds out in LaTeX formatting, so if we were writing a report using LaTeX on a network, we could just copy the result and paste it into our report.

Task 3 Extending Scapy with Add-ons 3.1 If we ever need to add some new protocols or functions to Scapy, they can be written directly into the Scapy source file. # gedit test_interact.py # Set log level to benefit from Scapy warnings import logging logging.getlogger("scapy").setlevel(1) class Test(Packet): name="test packet" fields_desc = [ ShortField("test1", 1), ShortField("test2", 2) ] def make_test(x,y): return Ether()/IP()/Test(test1=x,test2=y) if name == " main ": interact(mydict=globals(), mybanner="test add-on") After this has been saved and made executable, execute the script and we should be confronted with a Scapy shell displaying the banner "Test add-on". Use the following command to see the add-on we created in action: # make_test(42,666) This lab begins to show the potential the Scapy can have when used in combination with Python to perform even more complex tasks, such as crafting packets to perform network attacks, or performing extensive packet sniffing for specific protocols. The possibilities are endless, and the information contained within this document is only a fraction of what can be done using Scapy and Python together.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information