Sunday, 8 July 2012

Scapy Part 1

Scapy Packet Manipulation

SCAPY is a very powerful packet crafting, manipulation and analysis tool. Scapy is a set of Python modules that allows the user to create scapy enabled python script or run scapy in “interactive” mode. Once you are in interactive mode scapy provides you with several functions that get more details about SCAPY’s capabilities. The ls() command can be used to get more information about scapy’s supported protocols. If you run the ls() command without anything in the parenthesis scapy will give a list of all of SCAPY’s protocols. Putting one of these protocols inside the parenthesis will list the fields associate with that protocol. Scapy also supports the LSC() command which will give a list of scapy functions. You can get more information about the functions that are available by passing the name of the function you want more information on to the help() function. For example, help(fuzz) will give you more information on the fuzz() function.

Crafting packets with SCAPY

Perhaps SCAPY’s most common use is to craft packets. Packets can be created by calling the methods associated with the specific protocol and passing the fields in that protocol as parameters to the protocol function. For example:

>>>newpacket=TCP(src=””, dst = “”, dport=80)”

  • Note: the “” need to be the correct ones … Urgh

This will create a packet containing a TCP packet from the source IP address of and a destination of IP address and port 80. Since they have not been explicitly defined, the IP and Ether (Ethernet) layers will be populated by the defaults associated with these protocols. You can explicitly define each layer in the protocol stack and add protocols together with the “/” character. The new layers can be the results of other scapy objects or other methods. For example, we can combine our existing “newpacket” variable with another layer like this:


Or we can explicitly define each layer using scapy protocol methods:

>>>Newudppacket=IP(dst=””)/UDP(dport=1000)/”THIS IS MY UDP PAYLOAD”

This will create a “Newudppacket” object containing a UDP packet to a destination IP address of and a destination port of 1000 with a payload of “THIS IS MY UDP PAYLOAD”. Here is another example:

>>>NewTCPPacket=Ether(src="ff:ff:ff:ff:ff:ff")/IP(dst=””)/TCP(dport=80)/"GET / HTTP/1.0\r\n\r\n"

This will create a “NewTCPPacket” object containing a TCP packet to the destination host of “” port 80 with a payload of “GET /HTTP/1.0\r\n\r\n”. This packet could be transmitted to a webserver to request the defalult page or after the TCP handshake has been completed.

1 comment:

Ryan G. said...

Judy had a great presentation on this at SANSFire this year.