Scapy Introduction to Official document translation

Source: Internet
Author: User

    • About Scapy
    • Why Scapy is so special
    • Fast packet design
    • One probe, multiple interpretations
    • Scapy decodes, it does not interpret
    • Quick demo
    • Sensible default values
    • Learn Python

My English proficiency is limited and the translation may be inaccurate; please refer to the official website.

About Scapy

Scapy is a Python program that enables the user to send, sniff, dissect and forge network packets. These capabilities can be used to build tools that probe, scan or attack networks.

In other words, Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests with replies, and much more. Scapy can easily handle most classical tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump and tshark.

Scapy also performs very well on a lot of specific tasks that most other tools cannot handle, such as sending invalid frames, injecting your own 802.11 frames, and combining techniques (VLAN hopping plus ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, and so on).

The idea is simple. Scapy mainly does two things: sending packets and receiving answers. You define a set of packets; Scapy sends them, receives the answers, matches each answer with its request, and returns a list of packet couples (request, answer) together with a list of unmatched packets. This is a big advantage over tools like Nmap or hping: an answer is not reduced to open/closed/filtered, it is the whole packet.

On top of this you can build more high-level functions: for example, one that does traceroutes and returns only the start TTL of the request and the source IP of the answer, one that pings a whole network and returns the list of machines that answered, or one that does a port scan and returns a LaTeX report.

Why Scapy is so special

First, with most other networking tools, you cannot build something the author did not think of. These tools have been built for a specific goal and cannot deviate much from it. For example, an ARP cache poisoning program will not let you use double 802.1q encapsulation, and you will not find a program that can send, say, an ICMP packet with padding (padding, not payload). In fact, every time you have a new need, you have to build a new tool.

Second, these tools usually confuse decoding and interpreting. Machines are good at decoding and can help humans with it; interpretation should be left to humans. Some programs try to mimic this behaviour. For instance, they say "this port is open" instead of "I received a SYN-ACK". Sometimes they are right, sometimes they are not. This is easier for beginners, but once you know what you are doing, you keep trying to deduce what really happened from the program's interpretation in order to build your own, which is hard because a lot of information has been lost. So you often end up using tcpdump -xX to decode and interpret what the tool threw away.

Third, even programs that only decode do not give you all the information they received. The view of the network they give you is the one their author thought was sufficient, but it is not complete and it is biased. For instance, do you know a tool that reports the Ethernet padding?

In fact, every time you run it, it is more like building a new tool, but instead of dealing with hundreds of lines of C code, with Scapy you only need to write a few lines of Python.

After a probe (scan, traceroute, and so on), Scapy always gives you the fully decoded packets from the probe before any interpretation. This means you can probe once and interpret many times, or ask for a traceroute and then look at the padding, for instance.

Fast packet design

Other tools stick to the program-that-you-run-from-a-shell paradigm, which results in an awful syntax for describing a packet. The solution these tools adopt is a higher-level but less powerful description, in the form of scenarios imagined by the tool's author. For example, a port scanner only needs an IP address as a parameter to trigger the port-scan scenario. Even if the scenario is tweaked a bit, you are still stuck with a port scan.

Scapy's paradigm is to propose a Domain Specific Language (DSL) that enables a powerful and fast description of any kind of packet. Using the Python syntax and a Python interpreter as the DSL syntax and interpreter has many advantages: there is no need to write a separate interpreter, users do not have to learn yet another language, and they benefit from a complete, concise and very powerful language.

Scapy enables the user to describe a packet, or a set of packets, as layers stacked one upon another. The fields of each layer have useful default values that can be overloaded. Scapy does not force the user into predetermined methods or templates, which removes the need to write a new tool each time a different scenario comes up. In C, it may take an average of 60 lines to describe a packet. With Scapy, sending a packet may take one line of code, and one more to print the result. 90% of network probing tools can be rewritten in two lines of Scapy.

One probe, multiple interpretations

Network discovery is black-box testing. When probing a network, many stimuli are sent while only a few of them are answered. If the right stimuli are chosen, the desired information can be obtained from the responses, or from the lack of responses. Unlike many other tools, Scapy gives you all the information: every stimulus sent and every response received. Examining this data gives the user the information they want. When the dataset is small, the user can simply dig through it. In other cases, the interpretation of the data depends on the point of view taken. Most tools choose one viewpoint and discard all data not related to it. Because Scapy keeps the complete raw data, that data can be used many times, so the viewpoint can evolve during analysis. For example, a TCP port scan may be probed and the data viewed as the result of the port scan; the same data can then be viewed with respect to the TTL of the response packets. No new probe is needed to adjust the viewpoint, only a change of focus on the existing data.

Scapy decodes, it does not interpret

A common problem with network probing tools is that they try to interpret the answers they receive instead of just decoding them and reporting facts. Reporting something like "received a TCP reset on port 80" is not subject to interpretation errors. Reporting "port 80 is closed" is an interpretation that may be right most of the time, but wrong in some specific contexts the tool's author did not think of. For example, some scanners tend to report a filtered TCP port when they receive an ICMP destination unreachable packet. This may be right, but in some cases it means the packet was not filtered by a firewall at all: there was simply no host to forward the packet to.

Interpreting the results can help users who do not know what a port scan is, but it can also do more harm than good, because it injects bias into the results. What tends to happen is that knowledgeable users try to reverse engineer the tool's interpretation to get back to the facts that triggered it. Unfortunately, a lot of information is lost in this process.
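
The distinction the two paragraphs above draw, between decoding a received segment and interpreting it, is easy to see in code. The following is an added example and not part of the Scapy documentation: a minimal TCP header decoder that reports the facts ("received SYN-ACK from port 80") and keeps the lossy "open/closed" interpretation as a separate, optional step. The two sample segments are constructed inline, so nothing is sent or captured.

```python
"""Added example: decode a raw TCP header (facts) and interpret it separately.
The sample segments below are constructed; they are not captured traffic."""
import struct

# TCP flag bits (RFC 793 / RFC 3168), low bit first
FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=8192):
    """Build a constructed 20-byte TCP header (no options, checksum left 0)."""
    data_offset = 5 << 4                      # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset,
                       flags, window, 0, 0)


def decode_tcp(header):
    """Decoding: return what the header actually says, nothing more."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", header[:20])
    names = [name for bit, name in FLAG_BITS if flags & bit]
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": off_res >> 4,          # header length in 32-bit words
        "flags": names,
        "window": window,
    }


def describe(decoded):
    """The factual report Scapy favours: what was received, from which port."""
    flags = "-".join(decoded["flags"]) or "no-flags"
    return "received %s from port %d" % (flags, decoded["sport"])


def interpret(decoded):
    """The lossy interpretation many scanners print instead of the facts."""
    flags = set(decoded["flags"])
    if {"SYN", "ACK"} <= flags:
        return "open"
    if "RST" in flags:
        return "closed"
    return "unknown"


# Constructed sample answers, as a scanner might receive them from port 80
SYN_ACK = build_tcp_header(80, 40000, 0x12, seq=1000, ack=1)   # SYN+ACK
RST_ACK = build_tcp_header(80, 40000, 0x14, seq=0, ack=1)      # RST+ACK

if __name__ == "__main__":
    for segment in (SYN_ACK, RST_ACK):
        facts = decode_tcp(segment)
        print(describe(facts), "->", interpret(facts))
```

Keeping `decode_tcp` free of any judgement is the point: the full field set (sequence numbers, window, header length) survives for later analysis, and `interpret` can be rewritten or discarded without touching the decoder.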

Quick demo

First, let's play a bit and create four IP packets at once to see how the tool works. We first instantiate the IP class. Then we instantiate it again and give it a destination that stands for four IP addresses (/30 gives the netmask). Using a Python idiom, we develop this implicit packet into a set of explicit packets. Then we quit the interpreter. Because we provided a session file, the variables we were working on are saved, then reloaded:

    # ./scapy.py -s mysession
    New session [mysession]
    Welcome to Scapy (0.9.17.108beta)
    >>> IP()
    <IP |>
    >>> target="www.target.com"
    >>> target="www.target.com/30"
    >>> ip=IP(dst=target)
    >>> ip
    <IP dst=<Net www.target.com/30> |>
    >>> [p for p in ip]
    [<IP dst=207.171.175.… |>, <IP dst=207.171.175.… |>, <IP dst=207.171.175.… |>, <IP dst=207.171.175.… |>]
    >>> ^D

    # scapy -s mysession
    Using session [mysession]
    Welcome to Scapy (0.9.17.108beta)
    >>> ip
    <IP dst=<Net www.target.com/30> |>

Now, let's manipulate some packets:

    >>> IP()
    <IP |>
    >>> a=IP(dst="172.16.1.40")
    >>> a
    <IP dst=172.16.1.40 |>
    >>> a.dst
    '172.16.1.40'
    >>> a.ttl
    64

Let's say I want a broadcast MAC address, an IP payload to ketchup.com and to mayo.com, TTL values from 1 to 9, and a UDP payload:

    >>> Ether(dst="ff:ff:ff:ff:ff:ff") \
        /IP(dst=["ketchup.com", "mayo.com"], ttl=(1,9)) \
        /UDP()

We have now defined 18 packets in one line (an implicit packet): 2 destinations times 9 TTL values.
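
The way one implicit packet develops into many explicit ones is worth seeing without Scapy installed. The block below is an added example, not Scapy's own code: a toy model in which a field may hold a single value, a list, an inclusive (low, high) range or a CIDR network, and a stack of such layers is expanded into the Cartesian product of explicit packets, just as `[p for p in ip]` did in the demo above. The addresses are constructed TEST-NET values and the two host names are taken from the document; nothing is resolved or sent.

```python
"""Added example: a toy model of Scapy's implicit-packet expansion.
Templates and addresses below are constructed; no traffic is generated."""
import ipaddress
import itertools


def expand_value(value):
    """Return the list of explicit values a single field value stands for."""
    if (isinstance(value, tuple) and len(value) == 2
            and all(isinstance(v, int) for v in value)):
        low, high = value
        return list(range(low, high + 1))            # (1, 9) -> 1..9 inclusive
    if isinstance(value, (list, set)):
        return list(value)                           # explicit set of values
    if isinstance(value, str) and "/" in value:
        net = ipaddress.ip_network(value, strict=False)
        return [str(addr) for addr in net]           # /30 -> 4 addresses
    return [value]                                   # plain scalar


def expand_packet(template):
    """Develop one layer's template (dict of fields) into explicit field sets."""
    names = list(template)
    choices = [expand_value(template[name]) for name in names]
    return [dict(zip(names, combo)) for combo in itertools.product(*choices)]


def expand_stack(layers):
    """Expand a list of (layer_name, template) pairs; the layers' combinations
    multiply, so Ether (1) x IP (18) x UDP (1) gives 18 explicit packets."""
    per_layer = [expand_packet(template) for _, template in layers]
    return [
        [(name, fields) for (name, _), fields in zip(layers, combo)]
        for combo in itertools.product(*per_layer)
    ]


# Constructed templates mirroring the document's two demos
IP_SLASH30 = {"dst": "192.0.2.0/30"}                 # four IP packets
STACK = [
    ("Ether", {"dst": "ff:ff:ff:ff:ff:ff"}),
    ("IP", {"dst": ["ketchup.com", "mayo.com"], "ttl": (1, 9)}),
    ("UDP", {}),
]

if __name__ == "__main__":
    print(len(expand_packet(IP_SLASH30)), "packets from the /30")
    print(len(expand_stack(STACK)), "packets from the Ether/IP/UDP stack")
    for layer in expand_stack(STACK)[0]:
        print("  ", layer)
```

The expansion is a plain Cartesian product, which is why adding one more set-valued field multiplies the packet count; that is also the figure to check before sending a probe with several ranges in it.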

Sensible default values

Scapy tries to use sensible default values for all packet fields. Unless overridden:

    • The IP source address is chosen according to the destination and the routing table
    • Checksums are computed automatically
    • The source MAC address is chosen according to the output interface
    • The Ethernet type and the IP protocol are determined by the upper layer

The default values of other fields are chosen to be the most useful ones:

    • TCP source port is 20, destination port is 80
    • UDP source and destination ports are 53
    • ICMP type is echo request
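
The fourth default in the first list above (the Ethernet type and IP protocol follow from the layer stacked on top) is the interesting one, because it can only be resolved once the layers are assembled. The following is an added example and not Scapy's own code: a toy layer model where `/` stacks layers as in Scapy, `build()` fills Ether.type and IP.proto from the payload unless the user set them, and the fixed defaults listed in the document (TCP 20 to 80, UDP 53 to 53, ICMP echo request) apply. The EtherType and protocol numbers are standard IANA assignments; the destination addresses are constructed. The source-address and checksum defaults from the list depend on a routing table and on the bytes on the wire, so they are not modelled here.

```python
"""Added example: layer stacking with defaults derived from the upper layer.
This is a toy model, not Scapy's implementation; addresses are constructed."""

# IANA numbers used to bind a layer to the one stacked on top of it
ETHERTYPE_IPV4 = 0x0800
IPPROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}
ICMP_ECHO_REQUEST = 8


class Layer:
    name = "Layer"
    defaults = {}                           # static defaults of the layer class

    def __init__(self, **fields):
        self.fields = dict(self.defaults)
        self.overridden = set(fields)       # what the user set explicitly
        self.fields.update(fields)
        self.payload = None

    def __truediv__(self, other):
        """Stack `other` on top of this layer, like Ether()/IP()/UDP() in Scapy."""
        top = self
        while top.payload is not None:
            top = top.payload
        top.payload = other
        return self

    def bind_payload(self):
        """Hook: derive this layer's fields from its payload unless overridden."""

    def build(self):
        """Resolve layer-dependent defaults and return [(name, fields), ...]."""
        layers = []
        layer = self
        while layer is not None:
            layer.bind_payload()
            layers.append((layer.name, dict(layer.fields)))
            layer = layer.payload
        return layers


class Ether(Layer):
    name = "Ether"
    defaults = {"dst": "ff:ff:ff:ff:ff:ff", "type": None}

    def bind_payload(self):
        if "type" not in self.overridden and isinstance(self.payload, IP):
            self.fields["type"] = ETHERTYPE_IPV4


class IP(Layer):
    name = "IP"
    defaults = {"dst": "127.0.0.1", "ttl": 64, "proto": None}

    def bind_payload(self):
        if "proto" not in self.overridden and self.payload is not None:
            self.fields["proto"] = IPPROTO.get(self.payload.name)


class TCP(Layer):
    name = "TCP"
    defaults = {"sport": 20, "dport": 80}


class UDP(Layer):
    name = "UDP"
    defaults = {"sport": 53, "dport": 53}


class ICMP(Layer):
    name = "ICMP"
    defaults = {"type": ICMP_ECHO_REQUEST}


def build_udp_probe():
    """Constructed example: everything defaulted except the IP destination."""
    return (Ether() / IP(dst="192.0.2.10") / UDP()).build()


def build_tcp_probe_custom_proto():
    """User overrides IP.proto; binding to the payload must not clobber it."""
    return (IP(dst="192.0.2.10", proto=255) / TCP(dport=443)).build()


if __name__ == "__main__":
    for name, fields in build_udp_probe():
        print(name, fields)
```

The `overridden` set is what makes the defaults "sensible" rather than mandatory: a value the user supplied, even an odd one like `proto=255`, is never overwritten by the binding step, which is exactly the freedom the document contrasts with tools that lock you into their scenarios.
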

Learn Python

Scapy uses the Python interpreter as a command board. This means that you can use the Python language directly (assign variables, use loops, define functions, and so on).

If you are new to Python and do not understand a word because of that, or if you want to learn the language, take an hour to read the very good Python tutorial written by Guido van Rossum. After that, you will know Python :) (really!). For more in-depth learning, Dive Into Python is also a very good start.

As a quick start, here is an overview of Python's data types:

    • int (signed, 32 bits): 42
    • long (signed, infinite): 42L
    • str: "bell\x07\n" or 'bell\x07\n'
    • tuple (immutable): (1,4,"42")
    • list (mutable): [4,2,"1"]
    • dict (mutable): {"one":1, "two":2}

Python has no block delimiters; indentation does matter:

    if cond:
        instr
        instr
    elif cond2:
        instr
    else:
        instr
