程式扎記: [Scapy Tutorial] Introduction

2012年2月23日星期四

[Scapy Tutorial] Introduction

翻譯自這裡
About Scapy :
Scapy 是由 Python 編程的工具, 透過它你可以發送, 監聽與修改封包. 事實上類似的工具也不少. 例如hping, arpspoof, arp-sk, arping, p0f 或是 Nmap, tcpdump, 與 tshark. 但 Scapy 比它們有更多的彈性與優點, 後面再一一介紹. 底下是線上文件對於 Scapy 的說明 :

Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks. In other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark.

Scapy also performs very well on a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

What makes Scapy so special :
跟其他類似工具很不一樣的是, Scapy 允許你課製自己的用法甚至可以自訂 protocol. 這是來自於 Python 是 script language 的優點. 另外它對於 decoding 與 interpreting 保留許多彈性, 讓你可以輕易的進行修改與新增 packets. 並且透過 Python 簡潔且可讀的語法, 你創造出可能連撰寫 Scapy 語言的作者都意想不到的功能. 底下是線上文件對於 Scapy 特點的說明 :

First, with most other networking tools, you won’t build someting the author did not imagine. These tools have been built for a specific goal and can’t deviate much from it. For example, an ARP cache poisoning program won’t let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.

Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say “this port is open” instead of “I received a SYN-ACK“. Sometimes they are right. Sometimes not. It’s easier for beginners, but when you know what you’re doing, you keep on trying to deduce what really happened from the program’s interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.

Scapy tries to overcome those problems. It enables you to build exactly the packets you want. Even if I think stacking a 802.1q layer on top of TCP has no sense, it may have some for somebody else working on some product I don’t know. Scapy has a flexible model that tries to avoid such arbitrary limits. You’re free to put any value you want in any field you want, and stack them like you want. You’re an adult after all.

In fact, it’s like building a new tool each time, but instead of dealing with a hundred line C program, you only write 2 lines of Scapy.

After a probe (scan, traceroute, etc.) Scapy always gives you the full decoded packets from the probe, before any interpretation. That means that you can probe once and interpret many times, ask for a traceroute and look at the padding for instance.

Quick demo :
First, we play a bit and create four IP packets at once. Let’s see how it works. Now, let’s manipulate some packets :

You can easily modify or add fields of packet in scapy :

Also you can use below way to add field and copy all fields of an exist packet :

- Sensible default values
Scapy tries to use sensible default values for all packet fields. If not overriden :

* IP source is chosen according to destination and routing table
* Checksum is computed
* Source MAC is chosen according to the output interface
* Ethernet type and IP protocol are determined by the upper layer

Or you can use command ls(IP) to see default of all fields of IP :