z'Eagle: October 2012

Building packets:

a =IP(dst="www.yahoo.com")
b = IP(dst="192.168.8.1",ttl=12)/UDP(dport=123)
c=Ether()/IP(dst="www.google.com")/TCP()/"GET /index.html HTTP/1.0 \n\n"

d=TCP(dport=80)

Stacking layers: "/"

>>> c=Ether()/a

>>> f=Ether()/IP()/d

>>> a=Ether()/IP(dst="www.yahoo.com")/TCP()/"GET /index.html HTTP/1.0 \n\n"

>>> a

>>> str(_)

'E\x00\x00C\x00\x01\x00\x00@\x06\xf0\xca\xc0\xa8\x00\x94W\xf8p\xb5\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x003\xc8\x00\x00GET /index.html HTTP/1.0 \n\n'

>>> b=Ether(_)

>>> b

>>> str(b)

'E\x00\x00C\x00\x01\x00\x00@\x06\xf0\xca\xc0\xa8\x00\x94W\xf8p\xb5\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x003\xc8\x00\x00GET /index.html HTTP/1.0 \n\n'

Actions on packets

Command	Effect
str(pkt)	assemble the packet
hexdump(pkt)	have an hexadecimal dump
ls(pkt)	have the list of fields values
pkt.summary()	for a one-line summary
pkt.show()	for a developped view of the packet
pkt.show2()	same as show but on the assembled packet (checksum is calculated, for instance)
pkt.sprintf()	fills a format string with fields values of the packet
pkt.decode_payload_as()	changes the way the payload is decoded
pkt.psdump()	draws a PostScript diagram with explained dissection
pkt.pdfdump()	draws a PDF with explained dissection
pkt.command()	return a Scapy command that can generate the packet

Sending & Receiving

<send() function will send packets at layer 3, sendp() function will work at layer 2>

send(a)

send(IP(dst="10.1.1.1")/ICMP())
sendp(Ether()/IP(dst="1.2.3.4",ttl=(1,4)), iface="eth1")
sendp("some message", iface="eth1", loop=1, inter=0.2)

The sr() function is for sending packets and receiving answers.

sr( IP(dst="target", ttl=(10,20))/TCP(sport=RandShort()) )

to get the response;

res,unans=_
res.summary()

Results:

latest result: _

assigning results to variables>> "_=ans,unans"

actions on Results

Command	Effect
summary()	displays a list of summaries of each packet
nsummary()	same as previous, with the packet number
conversations()	displays a graph of conversations
show()	displays the prefered representation (usually nsummary())
filter()	returns a packet list filtered with a lambda function
hexdump()	returns a hexdump of all packets
hexraw()	returns a hexdump of the Raw layer of all packets
padding()	returns a hexdump of packets with padding
nzpadding()	returns a hexdump of packets with non-zero padding
plot()	plots a lambda function applied to the packet list
make table()	displays a table according to a lambda function

Now with Scanning ports and Pinging IPs;

TCP port scan

scan 10.1.1.1 for open ports(from 1 to 100)

[1,100] >> 1 and 100.

(1,100) >> from 1 to 100

>>> sr(IP(dst="10.1.1.1")/TCP(sport=RandShort(),dport=(1,100),flags="S"))

>>> ans,unans = _

>>> ans.summary()
>>> ans.summary( lambda(s,r): r.sprintf("%TCP.sport% \t %TCP.flags%") )
>>> ans.nsummary(lfilter = lambda (s,r): r.sprintf("%TCP.flags%") == "SA")
>>> ans.summary(lfilter = lambda (s,r): r.sprintf("%TCP.flags%") == "SA",prn=lambda(s,r):r.sprintf("%TCP.sport% is open"))

>>> ans.filter(lambda (s,r):TCP in r and r[TCP].flags&2).make_table(lambda (s,r):

ACK Scan

ans,unans = sr(IP(dst="10.10.1.1")/TCP(dport=[80,666],flags="A"))

ans.summary( lambda(s,r): r.sprintf("%TCP.sport% \t %TCP.flags%") )

TCP Ping:

ans,unans=sr( IP(dst="10.10.1.*")/TCP(dport=80,flags="S") )
ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

ICMP Ping:

ans,unans=sr(IP(dst="10.10.1.1-254")/ICMP())
ans.summary(lambda (s,r): r.sprintf("%IP.src% is alive") )

Arp Ping:

res,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"))

res.summary(lambda (s,r): r.sprintf("%Ether.src% %ARP.psrc%"))

arping()

z'Eagle

Thursday, October 18, 2012

Scapy cheat sheet (by examples)