2025-03-28 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article introduces how to handle packets in Scapy: host discovery, port scanning and route tracing. Many people run into exactly these situations in real cases, so let the editor walk you through them. I hope you read it carefully and get something out of it!
Host probe
TCP SYN Ping
Sends an empty TCP packet with only the SYN flag set.
A SYN/ACK or RST response indicates that the host is up.
>>> ans,unans=sr(IP(dst="60.205.177.0/28")/TCP(dport=80,flags="S"))
Begin emission:
Finished sending 16 packets.
.*.^C
Received 92 packets, got 9 answers, remaining 7 packets
>>> ans.summary(lambda s: s[1].sprintf("%IP.src% is alive"))
60.205.177.1 is alive
60.205.177.2 is alive
60.205.177.4 is alive
60.205.177.6 is alive
60.205.177.7 is alive
60.205.177.8 is alive
60.205.177.11 is alive
60.205.177.12 is alive
60.205.177.14 is alive
TCP ACK Ping
Sends an empty TCP packet with only the ACK flag set.
A host should answer an unsolicited ACK with RST, so an RST reveals a live host.
SYN ping and ACK ping may seem redundant, but most stateless firewalls do not filter unsolicited ACK packets, so it is best to use both techniques.
>>> ans,unans=sr(IP(dst='60.205.177.90-105')/TCP(dport=80,flags='A'))
Begin emission:
Finished sending 16 packets.
.*....^C
Received 173 packets, got 7 answers, remaining 9 packets
>>> ans.summary(lambda s: s[1].sprintf("{IP:%IP.src% is alive}"))
60.205.177.91 is alive
60.205.177.94 is alive
60.205.177.95 is alive
60.205.177.97 is alive
60.205.177.100 is alive
60.205.177.101 is alive
60.205.177.102 is alive
UDP Ping
Sends a UDP packet to a given port, with or without a payload; a protocol-specific payload makes the probe more effective.
Choose a port that is most likely to be closed (an open UDP port may receive the empty packet but simply ignore it).
An ICMP port unreachable reply indicates that the host is up.
>>> ans,unans=sr(IP(dst='60.205.177.100-254')/UDP(dport=90),timeout=0.1)
Begin emission:
Finished sending 155 packets.
.*.
Received 18 packets, got 11 answers, remaining 144 packets
>>> ans.summary(lambda s: s[1].sprintf("%IP.src% is unreachable"))
60.205.177.106 is unreachable
60.205.177.108 is unreachable
60.205.177.108 is unreachable
60.205.177.111 is unreachable
60.205.177.125 is unreachable
60.205.177.172 is unreachable
60.205.177.191 is unreachable
60.205.177.191 is unreachable
60.205.177.203 is unreachable
60.205.177.224 is unreachable
60.205.177.244 is unreachable
ARP Ping
ARP ping detects live hosts on the same network segment (LAN).
It is faster and more reliable because it works purely at layer 2 via ARP.
ARP is the backbone of all layer 2 communication.
IPv6 has no ARP; instead NDP, defined on top of IPv6, provides the address resolution and duplicate address detection that ARP gives IPv4, plus IPv6 neighbor discovery.
>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.17.51.0/24"),timeout=2)
Begin emission:
Finished sending 256 packets.
*.**.
Received 190 packets, got 162 answers, remaining 94 packets
>>> ans.summary(lambda r: r[0].sprintf("%Ether.src% %ARP.pdst%"))
00:16:3e:0c:d1:ad 172.17.51.0
00:16:3e:0c:d1:ad 172.17.51.1
00:16:3e:0c:d1:ad 172.17.51.2
00:16:3e:0c:d1:ad 172.17.51.3
00:16:3e:0c:d1:ad 172.17.51.4
00:16:3e:0c:d1:ad 172.17.51.5
00:16:3e:0c:d1:ad 172.17.51.6
00:16:3e:0c:d1:ad 172.17.51.7
Note that r[0] is the packet that was sent, so every line shows our own MAC address next to the probed IP; to list the MAC addresses of the hosts that actually answered, use r[1].sprintf("%Ether.src% %ARP.psrc%") instead.
ICMP Ping
ICMP ping uses the same standard packets as the ubiquitous ping program.
An ICMP type 8 (echo request) packet is sent to the destination IP; an ICMP type 0 (echo reply) coming back indicates that the host is alive.
Many hosts and firewalls now block these packets, so a plain ICMP scan is unreliable.
ICMP also offers timestamp requests and address mask requests, which can likewise reveal that a host is up.
>>> ans,unans=sr(IP(dst="60.205.177.168-180")/ICMP())
>>> ans.summary(lambda s: s[0].sprintf("{IP:%IP.dst% is alive}"))
60.205.177.168 is alive
60.205.177.169 is alive
60.205.177.171 is alive
60.205.177.172 is alive
60.205.177.175 is alive
60.205.177.174 is alive
60.205.177.176 is alive
60.205.177.179 is alive
60.205.177.178 is alive
60.205.177.180 is alive
Service discovery (port scan)
TCP connect scan
Here is the three-way handshake as captured by tcpdump:
192.168.2.1.35555 > 192.168.2.12.4444: Flags [S] seq=12345
192.168.2.12.4444 > 192.168.2.1.35555: Flags [S.] seq=9998 ack=12346
192.168.2.1.35555 > 192.168.2.12.4444: Flags [.] seq=12346 ack=9999
The IP address and the port number are separated by '.'. In the flags field 'S' denotes SYN and '.' denotes ACK, so [S.] means SYN+ACK.
Building the three-way handshake in Scapy
Step 1: send the client's SYN to the listening server
Build the IP header with the source and destination IP addresses.
Build the TCP header: choose the TCP source port, set the destination port the server listens on, set the SYN flag and choose the client's initial sequence number.
ip=IP(src="192.168.2.53", dst="60.205.177.168")
syn_packet=TCP(sport=1500, dport=80, flags="S", seq=100)
Step 2: wait for the server's response (SYN-ACK)
Save the server's response.
Take the server's TCP sequence number and add 1; this is the value the client must acknowledge.
synack_packet = sr1(ip/syn_packet)
my_ack = synack_packet.seq+1
Step 3: send the client's acknowledgement of the server's response (ACK)
The IP header has the same source and destination as the initial SYN packet.
The TCP header has the same source and destination ports as the SYN packet, with only the ACK flag set. Because the SYN consumes one sequence number, the client's ISN is incremented by 1, and the acknowledgement number is set to the server's sequence number plus 1.
ack_packet = TCP(sport=1500, dport=80, flags="A", seq=101, ack=my_ack)
send(ip/ack_packet)
The complete code is as follows:
#!/usr/bin/python
from scapy.all import *
# build the payload
get='GET / HTTP/1.0\n\n'
# set the source and destination addresses
ip=IP(src="192.168.2.53", dst="60.205.177.168")
# pick a random source port
port=RandNum(1024,65535)
# build the SYN packet
SYN=ip/TCP(sport=port, dport=80, flags="S", seq=42)
# send the SYN and receive the server's response (SYN/ACK)
SYNACK=sr1(SYN)
# build the acknowledgement: seq and ack are taken from the SYN/ACK, and the request rides on the ACK
ACK=ip/TCP(sport=SYNACK.dport, dport=80, flags="A", seq=SYNACK.ack, ack=SYNACK.seq+1)/get
# send the ACK with the request and collect the replies
reply,error=sr(ACK)
# show the responses (show() prints directly and returns None)
reply.show()
Note that the local kernel knows nothing about this connection and answers the server's SYN/ACK with a RST of its own, which tears the handshake down before the request is served; the usual workaround is a local firewall rule that drops outgoing RSTs for the port in use.
SYN scan
SYN scanning is also known as half-open scanning: it determines the state of a port without completing the connection. The client first sends a SYN to the target host. If the port is open, the server answers with SYN+ACK and the client then sends a RST to tear the attempt down; otherwise the server answers directly with RST, indicating that the port is closed. If a client sends a large number of SYNs and never acknowledges them, the server keeps retransmitting SYN+ACK and holds half-open state for each, steadily consuming CPU and memory; this is the well-known SYN flood attack.
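To make the sequence-number arithmetic of the handshake and the half-open state left by a SYN scan concrete, here is an added example (not from the original article and not Scapy code): a constructed, pure-Python model of one listening port that accepts a connect only when the client's ACK carries ISN+1 and acknowledges the server's ISN+1, answers closed ports with RST/ACK, and keeps half-open state when a SYN is never followed by an ACK or RST. Segment, Listener, full_handshake and syn_probe are hypothetical names.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    sport: int
    dport: int
    flags: str          # tcpdump letters as in the capture above: S, SA, A, R, RA
    seq: int = 0
    ack: int = 0

@dataclass
class Listener:
    port: int
    isn: int = 9998     # server ISN, same constructed value as in the tcpdump capture above
    half_open: dict = field(default_factory=dict)   # client sport -> expected client seq
    established: set = field(default_factory=set)

    def receive(self, seg):
        """Return the reply Segment, or None when nothing is sent back."""
        if seg.dport != self.port:
            # closed port: RST/ACK, which a SYN scan reads as "closed"
            return Segment(seg.dport, seg.sport, "RA", seq=0, ack=seg.seq + 1)
        if seg.flags == "S":
            # SYN consumes one sequence number, so the client's next seq is seq+1
            self.half_open[seg.sport] = seg.seq + 1
            return Segment(self.port, seg.sport, "SA", seq=self.isn, ack=seg.seq + 1)
        if seg.flags == "A" and seg.sport in self.half_open:
            # the ACK must carry the client's ISN+1 and acknowledge our ISN+1
            if seg.seq == self.half_open[seg.sport] and seg.ack == self.isn + 1:
                del self.half_open[seg.sport]
                self.established.add(seg.sport)
                return None
            return Segment(self.port, seg.sport, "R", seq=seg.ack)
        if seg.flags == "R":
            self.half_open.pop(seg.sport, None)  # scanner's RST clears the half-open entry
        return None

def full_handshake(srv, sport=35555, client_isn=12345):
    """Complete connect: SYN, SYN/ACK, ACK using the arithmetic described above."""
    synack = srv.receive(Segment(sport, srv.port, "S", seq=client_isn))
    srv.receive(Segment(sport, srv.port, "A", seq=client_isn + 1, ack=synack.seq + 1))
    return sport in srv.established

def syn_probe(srv, port, sport=1500, client_isn=100, reset=True):
    """Half-open probe: classify the reply to a bare SYN; with reset=False the entry lingers."""
    reply = srv.receive(Segment(sport, port, "S", seq=client_isn))
    if reset:
        srv.receive(Segment(sport, port, "R", seq=client_isn + 1))
    return "open" if reply.flags == "SA" else "closed"
```

With reset=False the listener keeps one half_open entry per unanswered SYN, which is the state a SYN flood exhausts.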
Next, we use Scapy to simulate a SYN scan.
SYN scan of a single host, single port
Send the probe and receive the reply with the sr1 function.
Use the sprintf method to print fields of the response (the "SA" flags indicate an open port, the "RA" flags a closed port).
>>> syn_packet=IP(dst='60.205.177.168')/TCP(dport=22,flags='S')
>>> rsp=sr1(syn_packet)
Begin emission:
Finished sending 1 packets.
*
Received 3 packets, got 1 answers, remaining 0 packets
>>> rsp.sprintf("%IP.src% %TCP.sport% %TCP.flags%")
'60.205.177.168 ssh SA'
SYN scan of a single host, multiple ports
>>> ans,unans=sr(IP(dst="60.205.177.168")/TCP(dport=(20,22),flags="S"))
Begin emission:
Finished sending 3 packets.
..*.**
Received 7 packets, got 3 answers, remaining 0 packets
>>> ans.summary(lambda s: s[1].sprintf("%TCP.sport% %TCP.flags%"))
ftp_data RA
ftp RA
ssh SA
SYN scan of multiple hosts and ports
make_table takes a function that returns three values: the column key, the row key and the cell value (in the example below the target IP is on the x axis, the target port on the y axis, and the TCP flags of the response fill the cells).
Ports 20 and 22 of 60.205.177.169 do not answer at all, so presumably a device such as a firewall is dropping those packets.
>>> ans,unans=sr(IP(dst=["60.205.177.168-170"])/TCP(dport=[20,22,80],flags="S"))
Begin emission:
Finished sending 9 packets.
.*...^C
Received 251 packets, got 4 answers, remaining 5 packets
>>> ans.make_table(lambda s: (s[0].dst, s[0].dport, s[1].sprintf("%TCP.flags%")))
    60.205.177.168 60.205.177.169
20  RA             -
22  SA             -
80  SA             SA
FIN scan
The client sends a packet with the FIN flag (normally used to close a connection) to the server. No response indicates that the port is open; otherwise a RST packet comes back.
Port open:
>>> fin_packet=IP(dst='60.205.177.168')/TCP(dport=4444,flags='F')
>>> resp=sr1(fin_packet)
Begin emission:
Finished sending 1 packets.
^C
Received 0 packets, got 0 answers, remaining 1 packets
Port closed:
>>> fin_packet=IP(dst='60.205.177.168')/TCP(dport=4399,flags='F')
>>> resp=sr1(fin_packet)
>>> resp.sprintf('%TCP.flags%')
'RA'
NULL scan
A NULL scan sends a TCP packet with no flags set. If a RST comes back the port is closed; otherwise it is open. If an ICMP type 3 error with code 1, 2, 3, 9, 10 or 13 is received, the port is filtered and its state cannot be determined.
Port closed:
>>> null_scan_resp=sr1(IP(dst="60.205.177.168")/TCP(dport=4399,flags=""),timeout=1)
>>> null_scan_resp.sprintf('%TCP.flags%')
'RA'
Xmas scan
The Xmas scan sends a TCP packet with the URG, PSH and FIN flags set. If nothing comes back the port is considered open; if a RST comes back it is considered closed. If an ICMP type 3 error with code 1, 2, 3, 9, 10 or 13 is received, the port is filtered and its state cannot be determined.
Port closed:
>>> xmas_scan_resp=sr1(IP(dst="60.205.177.168")/TCP(dport=4399,flags="FPU"),timeout=1)
Begin emission:
Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> xmas_scan_resp.sprintf('%TCP.flags%')
'RA'
UDP scan
UDP scanning is most often used to find DNS, SNMP and DHCP services. The client sends a UDP packet to the port in question. If the server replies with a UDP packet, the port is open. If an ICMP port unreachable error (type 3, code 3) comes back, the port is closed.
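The SYN, FIN, NULL and Xmas probes described above each leave a distinctive flag combination in a packet capture, which is how a defender spots them. As an added example (not from the original article, standard library only, no Scapy required), the following Python parses tcpdump-style lines in the notation shown earlier ("Flags [S]", "[S.]", "[.]", "[F]", "[FPU]", "[none]"), labels the probe type and reports sources sweeping several ports; the sample lines and the 10.0.0.9 address are constructed, and probe_type and analyse are hypothetical names.

```python
import re
from collections import defaultdict

LINE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# tcpdump flag letters: S=SYN  .=ACK  F=FIN  P=PSH  U=URG  R=RST
PROBE_TYPES = {
    frozenset("S"): "syn",      # bare SYN: connect or half-open scan (also normal clients!)
    frozenset("F"): "fin",      # FIN without ACK never occurs in a real connection
    frozenset("FPU"): "xmas",   # FIN+PSH+URG
    frozenset(): "null",        # no flags at all
}

def probe_type(flags):
    """Map a tcpdump flag string to a probe type, or None for ordinary traffic."""
    if flags == "none":
        flags = ""
    return PROBE_TYPES.get(frozenset(flags))

def analyse(lines, sweep_threshold=3):
    """Return {(src, type): sorted target ports} for sources hitting >= threshold ports."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, _sport, _dst, dport, flags = m.groups()
        kind = probe_type(flags)
        if kind:
            seen[(src, kind)].add(int(dport))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= sweep_threshold}

# constructed capture: one legitimate handshake, then a SYN sweep, an Xmas sweep and one NULL probe
SAMPLE = """\
192.168.2.1.35555 > 192.168.2.12.4444: Flags [S], seq 12345
192.168.2.12.4444 > 192.168.2.1.35555: Flags [S.], seq 9998, ack 12346
192.168.2.1.35555 > 192.168.2.12.4444: Flags [.], ack 9999
10.0.0.9.40001 > 192.168.2.12.20: Flags [S], seq 42
10.0.0.9.40001 > 192.168.2.12.22: Flags [S], seq 42
10.0.0.9.40001 > 192.168.2.12.80: Flags [S], seq 42
10.0.0.9.40002 > 192.168.2.12.4399: Flags [FPU], seq 1
10.0.0.9.40002 > 192.168.2.12.4400: Flags [FPU], seq 1
10.0.0.9.40002 > 192.168.2.12.4444: Flags [FPU], seq 1
10.0.0.9.40003 > 192.168.2.12.53: Flags [none], seq 7
""".splitlines()

if __name__ == "__main__":
    for (src, kind), ports in analyse(SAMPLE).items():
        print(f"{src}: {kind} sweep of ports {ports}")
```

A bare SYN is also what every normal client sends, so only the port count makes the SYN sweep suspicious, whereas a single FIN, NULL or Xmas probe is already worth an alert (lower sweep_threshold to 1 for those).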
>>> udp_scan=sr1(IP(dst="60.205.177.168")/UDP(dport=53),timeout=1)
Traceroute
Route tracing relies on the design of the IP protocol: the TTL field in the IP header acts as a hop limit. Every router that forwards a packet decrements the TTL by 1; when the TTL reaches 0 the router discards the packet and sends a reply to the source host saying so.
The technique behind the various tools is the same, but they differ in the probes they send: Unix traceroute uses UDP datagrams, Windows tracert sends ICMP echo requests, and Linux tcptraceroute uses TCP.
Traceroute with ICMP
>>> ans,unans=sr(IP(dst="49.232.152.189",ttl=(1,10))/ICMP())
Begin emission:
Finished sending 10 packets.
*.*^C
Received 112 packets, got 7 answers, remaining 3 packets
>>> ans.summary(lambda s: s[1].sprintf("%IP.src%"))
10.36.76.142
10.54.138.21
10.36.76.13
45.112.216.134
103.216.40.18
9.102.250.221
10.102.251.214
Traceroute with TCP
>>> ans,unans=sr(IP(dst="baidu.com",ttl=(1,10))/TCP(dport=53,flags="S"))
Begin emission:
Finished sending 10 packets.
*..^C
Received 31 packets, got 9 answers, remaining 1 packets
>>> ans.summary(lambda s: s[1].sprintf("%IP.src% {ICMP:%ICMP.type%}"))
10.36.76.142 time-exceeded
10.36.76.13 time-exceeded
10.102.252.130 time-exceeded
117.49.35.150 time-exceeded
10.102.34.237 time-exceeded
111.13.123.150 time-exceeded
218.206.88.22 time-exceeded
39.156.67.73 time-exceeded
39.156.27.1 time-exceeded
Scapy contains a built-in traceroute() function that does the same thing as the manual probes above.
>>> traceroute("baidu.com")
Begin emission:
Finished sending 30 packets.
*
Received 24 packets, got 24 answers, remaining 6 packets
   220.181.38.148:tcp80
2  10.36.76.13     11
3  10.102.252.34   11
4  117.49.35.138   11
5  116.251.112.185 11
6  36.110.217.9    11
7  36.110.246.201  11
8  220.181.17.150  11
14 220.181.38.148  SA
15 220.181.38.148  SA
16 220.181.38.148  SA
17 220.181.38.148  SA
18 220.181.38.148  SA
19 220.181.38.148  SA
20 220.181.38.148  SA
21 220.181.38.148  SA
22 220.181.38.148  SA
23 220.181.38.148  SA
24 220.181.38.148  SA
25 220.181.38.148  SA
26 220.181.38.148  SA
27 220.181.38.148  SA
28 220.181.38.148  SA
29 220.181.38.148  SA
30 220.181.38.148  SA
Traceroute with DNS
We can trace the route with DNS probes by passing a complete layer 4 packet in the l4 parameter of traceroute().
>>> ans,unans=traceroute("60.205.177.168",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org")))
Begin emission:
*
Finished sending 30 packets.
.
Received 21 packets, got 4 answers, remaining 26 packets
   60.205.177.168:udp53
1  10.2.0.1        11
2  114.242.29.1    11
4  125.33.185.114  11
5  61.49.143.2     11
This concludes "how Scapy handles packets"; thank you for reading.