Shulou(Shulou.com)06/03 Report--

This article is to share with you about how to use scapy in Python. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Everyone has learned network programming, right?

Socket-> bind-> listen-> accept- > recv/recvfrom-> send/sendto

In one fell swoop, what select, poll, epoll multiplexing models come in handy.

But this set of things is just to develop applications based on the transport layer TCP and UDP.

Have you ever thought about how to program to send a batch of TCP SYN handshake packages for port scanning?

How can I be programmed to send an ARP packet and IP Datagram with a fake IP address?

Even, how do you program to send an Ethernet data frame with a fake MAC address?

Once you have mastered the above tricks, it is not a problem to play with the data package, and it is easy to develop various artifacts. But be sure to use it on the right path, don't program for the prison.

So how on earth is it structured to send all kinds of data packets? Today I'd like to introduce you to a powerful thing: scapy.

This is a powerful packet construction tool, you can use it in Python, it's time to shout: Python Dafa!

ARP

We operate on ARP. ARP is an address resolution protocol. The MAC address of the network card is used for communication in the local area network, while the IP address is used for network layer communication. Before the data packet of the application is sent, when the Ethernet frame header is added in front of the IP message, you need to fill in the recipient's MAC address. If it is an internal communication within the local area network, the recipient address is the MAC address of the network card of the destination computer. If it is a public network IP address on the Internet, the recipient address is the MAC address of the gateway.

Anyway, there has to be an MAC address, so how do you get it? This is what the ARP protocol does, which translates an IP address into an MAC address.

The process of ARP parsing will not be described in detail here. to put it simply, for example, to query the MAC address of 192.168.1.100, the host uses the ARP protocol to issue a broadcast in the local area network: 192.168.1.100, do you dare to say yes when I call you?

Everyone on the LAN can receive this broadcast (because its recipient's MAC address is FF-FF-FF-FF-FF-FF), but only the guy whose IP address is 192.168.1.100 will reply: Grandpa is here! My MAC address is xxxxxx.

Note that when we normally communicate with applications, the above processes are done automatically by the underlying protocol stack of the operating system, and our applications are not aware of them.

We can use the library Scapy to initiate an ARP parsing.

From scapy.all import * def arp_scan (ip): answer, uanswer = srp (Ether (dst= "ff:ff:ff:ff:ff:ff") / ARP (pdst=ip), inter=0.1, timeout=2, verbose=False) mac_list = [] for send, recv in answer: if recv [ARP] .op = = 2: mac_list.append ((dst= [ARP] .psrc, recv [Ether] .hwsrc) return mac_list

In the above code, an Ethernet frame is sent through the srp function in the scapy library to ff:ff:ff:ff:ff:ff, indicating that this is a broadcast packet, the link layer is above the ARP protocol, and the IP to be parsed is the IP address parameter to be parsed.

Once the above function is executed, you can catch the packet in wireshark:

As mentioned above, under normal circumstances, only the host whose target address I checked will reply me.

But if someone in your local area network has bad intentions, answer me before the real host: Grandpa is here! My MAC address is yyyyyy.

That's too bad, the following communication messages are sent to this fake guy, this is the famous ARP cheating attack!

Just imagine, if the IP address queried is the IP address of the gateway, the consequences will be even more serious. All the network traffic will be sent to this guy.

Since you can send ARP query message, you can also send ARP reply message if you change the above code.

The story of ARP ends here, and let's take a look at it again, using scapy as a port scanner.

Port scan

TCP port scan, by sending the first SYN packet of the three-way handshake, judging whether the port is open according to the returned result:

If ACK+SYN is returned, that is, the flags field is 18, the port is enabled:

If ACK+RST is returned, that is, the flags field is 20, the port is closed:

The following functions can be implemented:

From scapy.all import * def port_scan (port): answer, uanswer = sr (IP (dst= "192.168.1.1") / fuzz (TCP (dport=int (port), flags= "S")) for s, rin ans: if r [TCP] .flags = = 18: print ("port is Open") if r [TCP] .flags = 20: print ("port is Closed")

Grab the bag and see:

Both the handshake package and the return packet of the server can clearly see that batch port scanning can be achieved if the function is called constantly in the loop and passed into different ports.

Scapy's ability to build packets is just the tip of the iceberg. There are more powerful features waiting for you to study.

Learning computer network, do not just stay on the basis of reading books and blog articles, if you can program to send and receive data packets to achieve the functions of ARP, ICMP, DHCP, DNS, or develop some simple network tools, it will definitely be more profound than others.

The above is how to use scapy in Python. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.