Scapy Study Notes (3) send packets, SYN and TCP traceroute scans

Reprint Please note: @ small Wuyi: http://www.cnblogs/xiaowuyi

After scapy is installed (the first two notes are described), run sudo scapy in linux.

1. Simple sending package

1. send () sends data packets on the third layer, but does not receive data packets. For example:

>>> send(IP(dst=,ttl=)/ packets.

This is equivalent to pinging Baidu, ttl = 1

2. sendp (), which sends data packets on the second layer, also has no receiving function. For example:

>>> sendp(Ether()/IP(dst=,ttl=)/>>> sendp(Ether()/IP(dst=,ttl=)/ packets.

3. sr (), which sends data packets on the third layer and has the receiving function. For example:

>>> p=sr(IP(dst=,ttl=)/* packets, got  answers, remaining >>><Results: TCP: UDP: ICMP: Other:>, <Unanswered: TCP: UDP: ICMP: Other:>>>> p[<Results: TCP: UDP: ICMP: Other:>>>> p[ IP / ICMP . > . echo-request  ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror / ICMPerror

For example, if the ttl is set to 1, 2, 3, and 4 packets consecutively

>>> p=sr(IP(dst=,ttl=(,))/*.*.*.* packets, got  answers, remaining >>><Results: TCP: UDP: ICMP: Other:>, <Unanswered: TCP: UDP: ICMP: Other:>>>> p[ IP / ICMP . > . echo-request  ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror / IP / ICMP . > . echo-request  ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror / IP / ICMP . > . echo-request  ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror / IP / ICMP . > . echo-request  ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror />>> 

 

4. sr1 (), which sends data packets on the third layer. It has the receiving function, but only receives the first packet. The preceding four packages are used as an example:

>>> q=sr1(IP(dst=,ttl=(,))/*.*.*.* packets, got  answers, remaining >>><IP  version= ihl= tos= len= id= flags= frag= ttl= proto=icmp chksum= src=. dst=. options=[] |<ICMP  type=time-exceeded code=ttl-zero-during-transit chksum= unused= |<IPerror  version= ihl= tos= len= id= flags= frag= ttl= proto=icmp chksum= src=. dst=. options=[] |<ICMPerror  type=echo-request code= chksum= id= seq= |>>>>>>>= = = = = == = == = .= .= time-= ttl-zero-during-= = = = = = = == = == = .= .= echo-= = = = 

 

5. srloop:

>>> p=srloop(IP(dst=,ttl=)/: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /^ packets, received  packets. %>>> p=srloop(IP(dst=,ttl=)/ICMP(),inter=,count=: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror / packets, received  packets. % hits.

 

Here, when the first statement is executed, it will continuously ping Baidu. When the second statement is executed, it will ping every 3 seconds and run twice in total. Inter indicates the interval, count the number of records.

6. srp (), srp1 (), and srploop () are the same as 3, 4, and 5, but work on the second layer.

Ii. SYN Scanning

SYN scan: Also called half-open scanning, because it does not complete a complete TCP connection. This method sends a SYN group (packet) to the target port. If the target port returns SYN/ACK, it is sure that the port is in the listening status; otherwise, RST/ACK is returned.

>>> sr1(IP(dst=)/TCP(dport=,flags=* packets, got  answers, remaining <IP  version= ihl= tos= len= id= flags= frag= ttl= proto=tcp chksum= src=. dst=. options=[] |<TCP  sport=http dport=ftp_data seq= ack= dataofs= reserved= flags=SA window= chksum= urgptr= |>>>>> sr1(IP(dst=)/TCP(dport=,flags=* packets, got  answers, remaining <IP  version= ihl= tos= len= id= flags= frag= ttl= proto=icmp chksum= src=. dst=. options=[] |<ICMP  type=dest-unreach code=communication-prohibited chksum= unused= |<IPerror  version= ihl= tos= len= id= flags= frag= ttl= proto=tcp chksum= src=. dst=. options=[] |<TCPerror  sport=ftp_data dport= seq= |>>>>

 

According to the results, when scanning port 80 of Baidu (61.135.169.105), ACK = 1 or flags = SA in the returned packet indicates that the port is in the listening status. When scanning port 81, if no ACK is set to 1 or flags is set to 1, it indicates that it is not listening.

To scan multiple ports, run the following statement, for example, scan port 80-83 of Baidu:

>>>sr(IP(dst=)/TCP(dport=(,),flags=))

To scan ports 3389, 80, and:

>>>sr(IP(dst=)/TCP(dport=[,,],flags=))

The result must be displayed in a simple way:

>>>ans,unans=>>>ans.summary(lambda(s,r):r.sprintf(   RA

When I scan for 80-83, I always scan continuously. After I stop using ctrl + C, I can only get two results. I have not figured out why. As follows:

>>> sr(IP(dst=,ttl=)/TCP(dport=(,),flags=*.*^ packets, got  answers, remaining <Results: TCP: UDP: ICMP: Other:>, <Unanswered: TCP: UDP: ICMP: Other:>>>> ans,unans=>>>/ TCP .:ftp_data > .:http S ==> IP / TCP .:http > ./ TCP .:ftp_data > .: S ==> IP / ICMP . > . dest-unreach communication-prohibited / IPerror />>> ans.summary(lambda(s,r):r.sprintf(??      ??

 

Iii. TCP traceroute

Traceroute: used to track the path from the starting point to the destination. With Traceroute, we can know the path of information from your computer to the host on the other end of the Internet. Of course, the path for each packet to arrive at the same destination from a certain source may be different, however, most of the time the routes are the same.

>>> ans,unans=sr(IP(dst=,ttl=(,),id=RandShort())/TCP(flags=*.*.*.*.*.*.*.*.*.*.*Finished to send *.*.*.*.*.*.*.*.*.*....^ packets, got  answers, remaining >>>  snd,rcv  . . . . . . . . . . . . . . . . . . . . . True