Trying out Scapy

Scapy is a tool for sending forged network packets. I used it recently for some functional testing; I had assumed it was just a simple packet-forging tool, but after looking at its function list I found it is actually quite powerful.

Install it straight from pip:

sudo pip install --upgrade scapy

You may also be missing these two:

sudo pip install --upgrade pcapy
sudo pip install --upgrade dnet

Once installed, the import should just work:

$ python
Python 2.7.10 (default, Jun 10 2015, 19:42:47)
[GCC 4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from scapy.all import *
WARNING: No route found for IPv6 destination :: (no default route?)

But there is an IPv6 WARNING here. We don't use IPv6 anyway, so if you don't need it you can simply comment it out in the module. Find this file:

XXXX/site-packages/scapy/all.py

and comment out these three lines (around line 26 in this version):

if conf.ipv6_enabled:
    from utils6 import *
    from route6 import *

You can list all the functions:

>>> from scapy.all import *
>>> lsc()
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
bind_layers         : Bind 2 layers on some specific fields' values
bridge_and_sniff    : Forward traffic between two interfaces and sniff packets exchanged
corrupt_bits        : Flip a given percentage or number of bits from a string
corrupt_bytes       : Corrupt a given percentage or number of bytes from a string
defrag              : defrag(plist) -> ([not fragmented], [defragmented],
defragment          : defrag(plist) -> plist defragmented as much as possible
dyndns_add          : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del          : Send a DNS delete message to a nameserver for "name"
etherleak           : Exploit Etherleak flaw
fragment            : Fragment a big IP datagram
fuzz                : Transform a layer into a fuzzy layer by replacing some default values by random objects
getmacbyip          : Return MAC address corresponding to a given IP address
hexdiff             : Show differences between 2 binary strings
hexdump             : --
hexedit             : --
is_promisc          : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump         : --
ls                  : List  available layers, or infos on a given layer
promiscping         : Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap              : Read a pcap file and return a packet list
send                : Send packets at layer 3
sendp               : Send packets at layer 2
sendpfast           : Send packets at layer 2 using tcpreplay for performance
sniff               : Sniff packets
split_layers        : Split 2 layers previously bound
sr                  : Send and receive packets at layer 3
sr1                 : Send packets at layer 3 and return only the first answer
srbt                : send and receive using a bluetooth socket
srbt1               : send and receive 1 packet using a bluetooth socket
srflood             : Flood and receive packets at layer 3
srloop              : Send a packet at layer 3 in loop and print the answer each time
srp                 : Send and receive packets at layer 2
srp1                : Send and receive packets at layer 2 and return only the first answer
srpflood            : Flood and receive packets at layer 2
srploop             : Send a packet at layer 2 in loop and print the answer each time
traceroute          : Instant TCP traceroute
tshark              : Sniff packets and print them calling pkt.show(), a bit like text wireshark
wireshark           : Run wireshark on a list of packets
wrpcap              : Write a list of packets to a pcap file
>>>

You can see send and sendp, which send packets out; beyond those there are the receive functions, arping and so on, and even tshark and wireshark, so you can take a look at how the output is formatted.

Let's start with something simple: send one ICMP packet to a given destination IP:

>>> send(IP(dst = '10.8.156.157')/ICMP())
.
Sent 1 packets.

On the receiving end:

# tshark -i eth0 -R 'ip.src == 10.8.156.156'
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  3.344753 10.8.156.156 -> 10.8.156.157 ICMP 42 Echo (ping) request  id=0x0000, seq=0/0, ttl=64


Next, forge a source IP and send the packet out:

>>> send(IP(src = '1.1.1.1', dst = '10.8.156.157')/ICMP())
.
Sent 1 packets.
>>>

On the receiving end:

Capturing on eth0
 12.025786      1.1.1.1 -> 10.8.156.157 ICMP 42 Echo (ping) request  id=0x0000, seq=0/0, ttl=64

This time, let's try Scapy's own sniff on the receiving end instead:

>>> packet = sniff(filter = 'icmp and host 1.1.1.1')
^C>>> packet.show ()
0000 Ether / IP / TCP 10.8.156.157:ssh > 10.8.156.155:52069 PA / Raw
0001 Ether / IP / TCP 10.8.156.155:52069 > 10.8.156.157:ssh A
0002 Ether / IP / ICMP 1.1.1.1 > 10.8.156.157 echo-request 0

The ssh packets were captured here as well; the reason for that is still unclear. Scapy can also parse packets offline.
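To make concrete what `IP(src=..., dst=...)/ICMP()` and `sniff(filter='icmp and host 1.1.1.1')` actually do, here is an added example (not part of the original post and not Scapy's own code) that builds the same 42-byte Ethernet/IPv4/ICMP echo-request frame with only the Python standard library, decodes it back and verifies both checksums, and applies a Python equivalent of that BPF filter as a post-capture check, so that the two ssh segments in a capture like the one above are dropped. The MAC addresses and the three sample frames are constructed for the example; no packet is sent on the wire.

```python
"""Added example, not from the original post: build and decode the Ethernet/IPv4/ICMP
frames the post sends and sniffs, using only the Python standard library (no Scapy),
and apply the equivalent of sniff(filter='icmp and host 1.1.1.1') as a post-capture
check. All MAC addresses and the sample frames below are constructed for the example."""
import socket
import struct

ETH_P_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (Scapy fills this in for you)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """ICMP echo request (type 8, code 0), the default produced by Scapy's ICMP()."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = ip_checksum(hdr + payload)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; checksum left zero because it is never sent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """IPv4 header like Scapy's IP(src=..., dst=...): src is whatever the caller supplies."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ether(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    """Ethernet II frame carrying IPv4 (constructed locally administered MACs)."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet / IPv4 / (ICMP | TCP) into a dict, verifying the checksums."""
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETH_P_IP:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    info.update(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), ttl=ttl, proto=proto,
                ip_checksum_ok=ip_checksum(ip[:ihl]) == 0)  # sum incl. checksum folds to 0
    l4 = ip[ihl:total_len]
    if proto == IPPROTO_ICMP:
        typ, code, _, ident, seq = struct.unpack("!BBHHH", l4[:8])
        info.update(icmp_type=typ, icmp_code=code, icmp_id=ident, icmp_seq=seq,
                    icmp_checksum_ok=ip_checksum(l4) == 0)
    elif proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(sport=sport, dport=dport)
    return info


def icmp_and_host(info: dict, host: str) -> bool:
    """Python equivalent of the BPF filter 'icmp and host <host>'."""
    return info.get("proto") == IPPROTO_ICMP and host in (info.get("src"), info.get("dst"))


# Constructed capture mirroring the post's sniff() output: two ssh segments and one echo.
SAMPLE_FRAMES = [
    build_ether("02:00:00:00:00:01", "02:00:00:00:00:02",
                build_ipv4("10.8.156.157", "10.8.156.155", IPPROTO_TCP, build_tcp(22, 52069, 0x18))),
    build_ether("02:00:00:00:00:02", "02:00:00:00:00:01",
                build_ipv4("10.8.156.155", "10.8.156.157", IPPROTO_TCP, build_tcp(52069, 22, 0x10))),
    build_ether("02:00:00:00:00:01", "02:00:00:00:00:02",
                build_ipv4("1.1.1.1", "10.8.156.157", IPPROTO_ICMP, build_icmp_echo())),
]


def filter_capture(frames, host: str = "1.1.1.1") -> list:
    """Return only the decoded frames that the BPF filter should have let through."""
    return [p for p in map(parse_frame, frames) if icmp_and_host(p, host)]


if __name__ == "__main__":
    for pkt in filter_capture(SAMPLE_FRAMES):
        print(pkt)
```

The echo frame comes out at exactly 42 bytes (14 Ethernet + 20 IPv4 + 8 ICMP), which is the length tshark reported above. Whenever a capture contains packets the filter should have excluded, running the decoded list through `filter_capture` is a cheap way to confirm whether the filter itself was wrong or simply not applied.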

I also came across a post about a memory leak:

http://blog.xsecure.cn/index.php/post/use_scapy_in_python.html

It goes into quite a bit of detail and is fairly interesting.

Finally, here is a very thorough document, with both text and diagrams:

http://www.secdev.org/projects/scapy/demo.html
