Sniffing with Scapy

Created On 06. Apr 2020

Updated: 2022-05-01 23:26:54.494957000 +0000

Created By: acidghost

Scapy is an object oriented scripting tool that allows to perform different network sniffing tasks.
On a Linux VM head over to terminal and fire Scapy by typing its name. You will get into the Scapy console.
Let's make a quick tour. Type:

$ IP()
$ ip = IP()

check characteristics with ip.display().
You will see predefined characteristics with that object. Assign an IP of a target machine like this:

$ ip.dst = 192.168.130.160

I am using an IP of a local Windows target machine from my lab. Check the changes after with ip.display().

Create an ICMP object with a variable ping

$ ping = ICMP()

then check the characteristics:

$ ping.display()

Send a packet to a windows machine:

$ windows = sr1(ip/ping)

then check with windows.display(). Send to a Linux machine:

$ ping.display()
$ ip.dst= "192.168.130.120"
$ linux = sr1(ip/ping)
$ linux.display()

Remember: TTL value for windows is 128 and for linux is 64.
Let's identify target's operational system based on the TTL value. Write down this script:

#! /usr/bin/env/python
from scapy.all import *
ans = raw_input("enter the target  Ip: ")
ip = IP()
ping = IMCP()
ip.dst = ans
reply = sr1(ip/ping)
if reply.ttl < 65:
	os = "linux"
else
	os = "windows"

print "Operating system is: " + os

Run in terminal chmod 777 scapyscript.py to change the file to an executable.
Now run the script, type the IP address and see the OS.
And it was that easy!

Getting more technical
some basic commands for interactive usage:
ls(): Displays all the protocols supported by Scapy
lsc(): Displays the list of commands supported by Scapy
conf: Displays all configurations options
help(): Display help on a specific command, for example, help(sniff)
show(): Display the details about a specific packet, for example: somepacket.show()

You can simply sniff packets with scapy with the sniff method. Run this command to sniff the 3 packets on eth0 interface.
>>>packet = sniff(iface="eth0", count=3)
The arguments for the sniff() method are as follows:
count: Number of packets to capture, but 0 means infinity
iface: Interface to sniff; sniff for packets only on this interface
prn: Function to run on each packet
store: Whether to store or discard the sniffed packets; set to 0 when we only need to monitor
timeout: Stops sniffing after a given time; the default value is none
filter: Takes BPF syntax filters to filter sniffing

To see the sniffed packets in real time, we have to use the lambda function, along with the
summary() or show() method:
>>> packet=sniff(filter="icmp", iface="eth0″, count=3, prn=lambda x:x.summary())
Also, it is possible to write the packets to a pcap file with Scapy. To write the packets to a pcap file, we can use the wrpcap() method:
>>> wrpcap("pkt-output.cap" packets)
This will write the packets to a pkt-output.cap file. We can read from the pcap file with rdpcap():
>>> packets = rdpcap("pkt-output.cap")

We will get back to Scapy with many more examples later. Packet Injection and ARP Cache Poisoning are a few tasks worth mentioning. Nevertheless, you must have a basic grip of what it can do.
Remember, it's always more fun to sniff with a friend than just alone

Check out more on Scapy here http://www.secdev.org/projects/scapy/doc/usage.html

Section: Web

Back

Show me a virtuous man and I'll show you someone who's trying too hard.

Sniffing with Scapy