What’s up guys!
Hope y’all been alright lately. I’ve been studying a bunch as part of a certification package I was awarded – focused on network security. While I’m excited to do it and learn a lot of cool stuff, it’s also draining pretty much all my free time.
While I’ve been doing this certification I’ve had to dive deep into a lot of theory-oriented network stuff like frames, packets and all those meaningless terminologies. It’s so much theory that I had to install Scapy just to see some of these packets in action and get hands-on with the damn thing – I mean seriously if you’ve taken some of these certs you’re probably used to how dry and boring it gets just reading about protocols and not actually doing anything.
Anyway we are here to talk about Scapy today and not my boring life 🙂
What is Scapy?
To put it simply, its a packet sniffing and crafting program. There is a lot more you can do with it like decoding certain protocols and interacting with Wireshark captures among other cool things (see the documentation page).
Like most Python libraries, the easiest way to install Scapy is:
python3 -m pip install scapy
Alternatively, you can clone using git and install it the old-school way:
git clone https://github.com/secdev/scapy.git cd scapy sudo python setup.py install
You can find instructions for other specific install on their installation page.
Sniffing Packets with Scapy
Once you have it installed you can simply run scapy from a terminal / command prompt to begin.
Perhaps the most basic function to begin with would be sniff:
results = sniff(count=10)
This would sniff the next 10 incoming packets. Then to see these packets, we could run the following command:
To see a specific packet from those 10 sniffed packets, we would run:
If you wanted to sniff for a specific protocol and filter it from others, use it like so:
results = sniff(count=10, filter="icmp")
This will filter for ICMP protocol (ping for example).
Crafting Packets with Scapy
So let’s begin by crafting a packet to ping google:
pkt = Ether()/IP(dst="www.google.com")/ICMP()/"howdy!" sendp(pkt)
Let’s break some of the first line down:
We assign the full frame to the variable pkt. We begin by giving it the layer 2 Ethernet frame. Notice how we have to give a slash “/” when moving between the OSI layers and protocols. Then we follow it up with the IP protocol (layer 3) and we set the destination to “www.google.com“. Next we do the ICMP protocol (some will say layer 3, others layer 4, whatever) which will execute ping. Finally we add a totally unnecessary payload saying “howdy!” 🙂
I recommend using Wireshark to view the traffic as you’re using Scapy in real-time.
Sending and Tracking Packets with Scapy
Alright this time we’ll send a ping and track it using Scapy:
pkt = IP(dst="www.google.com")/ICMP()/"hello there!" sr1(pkt)
Basically the sr1 function will send and receive one packet – notice “packet” so layer 3 only, for layer 2 use srp().
Everything is the same as explained above, except once we receive a response it will display the replied packet pretty much in a raw text format with the different flags (source, destination, etc.).
Going Deeper with Scapy!
All this stuff has pretty much been taken from Scapy’s documentation page and as a matter of fact you can go way deeper by reading everything written in there… or you can just wait for my next post, which should be soon!
See you next time! 😉