by Temmar Abdessamad
Scapy is a powerful interactive packet manipulation program which can be used to forge, send and sniff network packets. This capability allows the construction of tools that can handle most classical tasks like scanning, tracerouting, probing or attacks. It can be a good alternative to tools like hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap and tcpdump. The main advantage of using Scapy is that it allows you to build your own customized, automated tools depending on the situation, which gives us more flexibility during a penetration test.
Throughout the article, we will try to use this Python library to map a network through a step by step methodology which can be useful in the reconnaissance and enumeration steps of an internal penetration test.
1. The entry point: DHCP
Once you connect your pentest machine to the target network, if the DHCP protocol is configured it will provide you with useful information that is helpful when you start mapping the network. DHCP information can be viewed with the ipconfig command in Linux. In order to profit from our powerful tool Scapy, we will use it to send a DHCP Discover packet out to the network and apply a filter to listen for a response. The DHCP server responds by sending a packet to the broadcast address containing all kinds of useful information (IP address, gateway IP address, DNS server IP, domain name, etc.):
from scapy.all import *

# Get the raw hardware (MAC) address of our pentest machine's interface
fam, hw = get_if_raw_hwaddr(conf.iface)

# Callback function executed for every DHCP packet received
def dhcp_print(resp):
    if not resp.haslayer(DHCP):
        return
    print("DHCP offer from : " + resp[Ether].src)
    print("To : " + resp[Ether].dst)
    # Display the DHCP options
    for opt in resp[DHCP].options:
        if opt == 'end':
            # 'end' marks the end of the DHCP options area in the message
            break
        elif opt == 'pad':
            # 'pad' is byte padding that aligns subsequent option records on a word boundary; skip it
            continue
        print(opt)  # DHCP option

# Forge our DHCP Discover request
ether = Ether(dst='ff:ff:ff:ff:ff:ff')
ip = IP(src='0.0.0.0', dst='255.255.255.255')
udp = UDP(sport=68, dport=67)
bootp = BOOTP(chaddr=hw)
dhcp = DHCP(options=[("message-type", "discover")])
dhcp_request = ether/ip/udp/bootp/dhcp

# Send the DHCP request
sendp(dhcp_request)

# Set a filter and sniff for any DHCP packets
sniff(prn=dhcp_print, filter='udp and (port 67 or 68)', store=1)
Unlike the ipconfig command, this lets us view every response received from every DHCP server on the network. As a result, we can collect useful information from all the DHCP servers present on the network, not just the one that answered first.
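As an added example (not code from the article), here is a small decoder that turns the raw BOOTP/DHCP bytes of an Offer into the fields a network map needs (offered address, client MAC, mask, router, DNS servers, domain, server identifier), treating 'pad' as a filler byte to skip and 'end' as the terminator, and stopping cleanly on a truncated option instead of misparsing. The sample Offer bytes are constructed for this example; the addresses and the corp.local domain in it are placeholders.

```python
import ipaddress

OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "name_server",      # RFC 2132 option codes
                15: "domain", 53: "message_type", 54: "server_id"}   # we decode; others stay raw
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the option area at offset 236

def ip4(raw):
    return str(ipaddress.IPv4Address(bytes(raw)))

def parse_dhcp(payload):
    """Decode a raw BOOTP/DHCP message (the UDP payload); None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    info = {"yiaddr": ip4(payload[16:20]),                    # address offered to the client
            "chaddr": payload[28:28 + payload[2]].hex(":"),   # client MAC (hlen bytes of chaddr)
            "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # 'end': no more options follow
            break
        if code == 0:                    # 'pad': one filler byte, keep scanning
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else None
        value = payload[i + 2:i + 2 + (length or 0)]
        if length is None or len(value) != length:
            break                        # truncated option: stop rather than misparse
        i += 2 + length
        name = OPTION_NAMES.get(code, code)
        info["options"][name] = value    # default: raw bytes for options we do not decode
        if code in (1, 3, 6, 54) and length and length % 4 == 0:   # IPv4 address(es)
            addrs = [ip4(value[j:j + 4]) for j in range(0, length, 4)]
            info["options"][name] = addrs if code in (3, 6) else addrs[0]
        elif code == 15:
            info["options"][name] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif code == 53 and length == 1:
            info["options"][name] = MESSAGE_TYPES.get(value[0], value[0])
    return info

SAMPLE_OFFER = (  # constructed sample: raw bytes of a DHCP Offer from a server at 192.168.1.1
    b"\x02\x01\x06\x00\x12\x34\x56\x78" + b"\x00" * 8                   # op=reply, hlen=6, xid, secs, flags, ciaddr
    + bytes([192, 168, 1, 50]) + bytes([192, 168, 1, 1]) + b"\x00" * 4  # yiaddr, siaddr, giaddr
    + bytes.fromhex("001122334455") + b"\x00" * 202                     # chaddr (16), sname (64), file (128)
    + MAGIC_COOKIE + b"\x35\x01\x02"                                    # cookie, then 53: message-type OFFER
    + b"\x01\x04\xff\xff\xff\x00" + b"\x03\x04" + bytes([192, 168, 1, 1])  # 1: subnet mask, 3: router
    + b"\x06\x08" + bytes([192, 168, 1, 1, 192, 168, 1, 2])             # 6: DNS servers
    + b"\x0f\x0a" + b"corp.local" + b"\x36\x04" + bytes([192, 168, 1, 1]) + b"\x00\xff"  # 15: domain, 54: server id, pad, end
)
```

Inside a Scapy callback like the article's dhcp_print, bytes(resp[BOOTP]) is the raw message this function expects (assumed wiring, not shown on the page).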
2. Sniffing network traffic
Sniffing is a passive reconnaissance technique which can be useful during a network discovery process. While sniffing, we will have the possibility to intercept and watch a lot of protocol traffic such as DNS, HTTP, DHCP and ICMP. By analyzing the captured information, we will be able to find active hostnames and subnets, VLANs, and domain names.
Using Scapy, we can perform packet filtering with the sniff() function, coupled with the nsummary() function to print information about the sniffed packets:
>>> a = sniff(filter="icmp", iface="eth1", timeout=10, count=3)
>>> a.summary()
>>> a
The sniff function provides an interpreted output of the query/filter that we make, which can be passed to a function defined by the user that will be executed for each packet sniffed. The purpose of this is to control how the packet prints out in the console, allowing us to replace the default .nsummary() display with a format of our choice, and to decide what we need out of each packet and how to interpret it. This can be very useful during network discovery or analysis.
# Import Scapy module
from scapy.all import *

# Define a custom action function, called once per sniffed packet
def customAction(packet):
    packet.show()

# Set a filter for IP traffic and hand each packet to our function
sniff(filter="ip", prn=customAction)
The full article will be published soon in Hakin9 Magazine. Follow our website so you don't miss it!
About the author:
Abdessamad Temmar is a student of IT and Information Security and co-organizer of the Moroccan Cyber Security Challenge. He is interested in topics related to penetration testing, malware analysis, and network forensics, with experience gained by learning and practicing, and is always open to learning more to enhance his knowledge. Information security is a hobby rather than a job or study for him. He enjoys writing custom tools using Scapy to automate network penetration testing.