Packet Crafting using Powerful tool - Scapy

Scapy is one of the most powerful tool used for packet crafting. Scapy is a python interpreter and through scapy we can perform enhanced techniques of packet crafting. Scapy can craft every value of a network packet like TCP, UDP, ICMP, IP header, etc.

We can use the list of commands, Packet crafting protocols, Configuration through the following commands:

 

ls() — it displays all of the available protocols like TCP, UDP, DHCP, ARP etc.

lsc()– It displays the scapy command functions

Conf -Configuration of scapy

help()– from this, we can look for any command help.

How to set single and multiple packets for crafting.

Use the following commands:

TCP()

TCP().show()

a=TCP() (a act as variable)

a.show()

a=TCP()/IP()/ICMP()/UDP() — store multiple packets protocols in a variable

Let’s craft a Packet:

 

>a=TCP(seq=1,ack=1,sport=80)/IP(ttl=128,len=5)

The data packet has been successfully crafted. The client can send this packet information to the server by using command >>send(a)

Sending/Receiving Packets:

There are 3 main functions to use for sending and receiving:

sr() — The sr() function is for sending packets and receiving answers.

sr1() — This function is a variant that only returns one packet that answered the sent packet.

When using sr() or sr1() the packets send on layer 3 (IP, ARP, etc.)

srp() — The function srp() send the packets on layer 2 (Ethernet, 802.3, etc).

Attacks that can be performed by Scapy Packet Crafting:

  1. Smurf Attack
  2. LAND Attack
  3. SYN Flood Attack
  4. Packet Sniffing
  5. Port Scanning
  1. Smurf Attack

This is a kind of DDoS attack in which a spoofed source address sends a large amount of ICMP packets to the target address. It uses a victim address as a source address to send/broadcast the multiple ICMP ping request. Run Wireshark for analysing the output.

  1. LAND Attack

This is a kind of DoS (Denial of Service) attack in which a packet is sent to a target machine with the same address (Source Address and destination address the same).

> a=IP(src=”192.168.1.1″,dst=”192.168.1.1″)/TCP()

  1. SYN Flood Attack

SYN flood is also known as a half-open attack. In this attack, the attacker sends multiple connection requests to perform the distributed denial of service attack. Run the Wireshark tool for analysing the output.

> a=IP(src=”192.168.1.1″,dst=”10.0.0.1″)/TCP(flags=”S”)

Packet sniffing can also be done through scapy. There is sniff() used for sniffing the packets. An attacker can perform the MITM attack and gather the data packets information through a scapy sniffer. Here below is the usage of the sniff function.

Writing the data packets into a “pcap” file using “wrpcap” command so that we can use Wireshark to dissect them better.

wrpcap(“sniff.pcap”,a) is the command used to write all those sniffed packets into a “pcap” file.

rdpcap(“sniff.pcap”) is the command used to read “pcap” file

So now we have a “pcap” file that contains the data packets output and we can replay that output anytime.

data=rdpcap(“sniff.pcap”,) is the command which stores all our packet information and we can view all our packet detail using data[1] command. Below are the snapshots for the reference.

Multiple things can we have done through scapy like traceroute, dumping the hex file, de-fragmentation, Overlapping fragment, etc. Some Useful Techniques to preform firewall analysis OR Customise the Packets as per the attack Plan.

>> a=IP(dst=”Target”)/TCP(flags=”S”,dport=(21,500)) — Port Scannig

>> a=IP(ihl=2,len=5,flags=”DF”,frag=10,dst=”127.0.0.1″)/ICMP(code=3,seq=1,chksum=0)

>> a=IP(ihl=3,len=6,ttl=128)/UDP(len=5,sport=500)/TCP(dataofs=12,dport=443,seq=1,ack=2)

>> a=ARP() — set for ARP cache Poisoning