Article: Internal networks mapping using Scapy


by Temmar Abdessamad

Scapy is a powerful interactive packet manipulation program which can be used to forge, send and sniff network packets. This capability allows construction of tools that can handle most classical tasks like scanning, tracerouting, probing or attacks. It can be a good an alternative of some tools like hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, and tcpdump. The main advantage of using Scapy is it allow you to make your own and customized automated tools depending on the situation and give us more flexibility during a penetration test.

Throughout the article, we will try to use this Python library to map a network through a step by step methodology which can be useful in the reconnaissance and enumeration steps of an internal penetration test.

1. The entry point : DHCP


Once you connect your pentest machine to the target network, if DHCP protocol is configured it will provide you with useful information that are helpful when you start mapping the network. DHCP information can be viewed with ipconfig command in Linux. In order to make profit of our powerful tool Scapy, we will use it to send a DHCP Discover packet out to the network and apply a filter to listen for a response. The DHCP server responds by sending a packet to the broadcast containing all kind of useful information (IP address, Gateway IP Address, DNS Server IP and Domain Name ...etc) :


from scapy.all import *

#get hardware information of our pentest machine
fam, hw = get_if_raw_hwaddr(conf.iface)

# Define a callback function for when DHCP packets are received
def dhcp_print(resp):
print "DHCP offer from : " +resp[Ether].src
print "To : " +resp[Ether].src

#Display DHCP options :

for opt in resp[DHCP].options:
if opt == 'end': # This option indicate the end of a DHCP options area in DHCP message packets
elif opt == 'pad': #This option is used as byte padding to cause subsequent option records to align on a word boundary.
print opt # DHCP option

# Forge our DHCP request
ether = Ether(dst='ff:ff:ff:ff:ff:ff')
ip = IP(src='', dst='')
udp = UDP(sport=68, dport=67)
bootp = BOOTP(chaddr=hw)
dhcp = DHCP(options=[("message-type","discover")])

dhcp_request = ether/ip/udp/bootp/dhcp

# Send the DHCP request

# Set a filter and sniff for any DHCP packets
sniff(prn=dhcp_print, filter='udp and (port 67 or 68)', store=1)

Unlike the ipconfig command, we will have the possibility to view all received responses from all available DHCP servers on the network. And as a result, we can get useful information from all the DHCP servers present on the network.


2. Sniffing network traffic

Sniffing is a passive reconnaissance technique which can be useful during a network discovery process. While sniffing, we will have the possibility to intercept/watch a lot of protocol traffic such as DNS, HTTP, DHCP and ICMP. By analyzing the captured information, we will able to find active hostnames/subnets, VLANS, and domain names.

Using Scapy, we can perform a packet filtering by the sniff() function coupled with nsummary() function to print information about sniffed packets:

>>> a=sniff(filter="icmp", iface="eth1", timeout=10, count=3)
>>> a.summary()
>>> a[1]

The sniff function provides an interpreted output of the query/filter that we make and which can be passed to a function defined by the user, and which will be executed with each packet sniffed. The intended purpose of this is to control how the packet prints out in the console, allowing us to replace the default .nsummary() display with a format of our choice. and let us decide what we need out of it and how to interpret it. This can be very useful during the network discovery or analysis.


# Import Scapy module
from scapy.all import *

# Define a custom action function
def customAction(packet):

## Set a filtering for IP traffic

The full article would be published soon in Hakin9 Magazine. Follow our website to not miss it!

About the author:

Abdessamad Temmar is a student of IT and Information Security and co-organizer of the Moroccan Cyber Security Challenge. Interested on topics related to penetration testing, malware analysis, and network forensics. Experience gained by learning and practicing. Always open to learn more to enhance his knowledge. Information security is a hobby rather a job/study for him. He enjoys writing custom tools using Scapy to automate network Penetration Testing

April 2, 2020
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023