Cool things you can do with Scapy
Elad Shapira
2008-05-05 18:16:43 UTC
Hello guys,

I'm about to give a lecture in an Infosec meeting and I chose to do a
gig on Scapy (around 40 min).
I thought to call it something like "15 cool things you can do with
Scapy" or something like that.

I'll be using a laptop that contains VMwares (one with Backtrack that
I will activate Scapy from, and others if needed). A connection to the
internet will be supplied too.

I thought of showing 10-15 cool things I can do with this cool
tool/framework/language.
I want to prepare 10-15 scenarios and, of course, scripts and commands;
I'll check they're all A-ok before my lecture.
I want it to be VERY hands on (one slide at the beginning and one slide
at the end; between those 2 slides, only demonstrations).

I wanted to consult with you and ask what you think will be a.
cool, b. interesting, c. technical.
I thought of showing how it replaces network utilities that we use
(traceroute, ping), pentest-related stuff (port scanning), sniffing,
DoS with spoofing, etc.
I'm looking for out-of-the-box scenarios that will extend the
boundaries of this tool.
If some hardware needs to be prepared and brought (access point, switch,
etc.) please mention it.

Thanks in advance for every idea you can share.
__________________
Zest
"Security, however, is an art, not a science. " - RFC 3631
Philippe Biondi
2008-05-05 21:09:36 UTC
Hi,
Post by Elad Shapira
Hello guys,
I'm about to give a lecture in an Infosec meeting and I chose to do a
gig on Scapy (around 40 min).
I thought to call it something like "15 cool things you can do with
Scapy" or something like that.
please send a link to the slides when it's done!
Post by Elad Shapira
I'll be using a laptop that contains VMwares (one with Backtrack that
I will activate Scapy from, and others if needed). A connection to the
internet will be supplied too.
I thought of showing 10-15 cool things I can do with this cool
tool/framework/language. I want to prepare 10-15 scenarios and, of
course, scripts and commands; I'll check they're all A-ok before my
lecture. I want it to be VERY hands on (one slide at the beginning and one
slide at the end; between those 2 slides, only demonstrations).
I wanted to consult with you and ask what you think will be a.
cool, b. interesting, c. technical. I thought of showing how it replaces
network utilities that we use (traceroute, ping), pentest-related
stuff (port scanning), sniffing, DoS with spoofing, etc. I'm looking for
out-of-the-box scenarios that will extend the boundaries of this tool.
If some hardware needs to be prepared and brought (access point, switch,
etc.) please mention it.
You have many things demoed here:
http://secdev.org/projects/scapy/demo.html
Maybe some will catch your attention.

I personally like

** Stuff on traceroutes
- making a traceroute by hand to show that it is
+ one line to create the stimuli set, send it and gather the answers
res,unans=sr(IP(dst="...",ttl=(1,30))/TCP(sport=RandShort()))
+ one line to make a representation from the raw result
res.make_table(lambda s, r: (s.dst, s.ttl, r.sprintf("%IP.src% {TCP:%TCP.flags%}")))
- then, speaking about traceroute() function that does exactly that for
you:
res2,unans=traceroute("target2")
then showing the difference between a SndRcvResult and a
TracerouteResult with res.show() and res2.show()
and converting res to a TracerouteResult:
res = TracerouteResult(res)
res.show()
- then showing that we can traceroute to many destinations at the same time
res3,unans=traceroute([target,target])
which is nothing more than
res4,unans=sr(IP(dst=[target5, target6],ttl=(1,30))/TCP(sport=RandShort()))
res4=TracerouteResult(res4)
- then saying that we can add all those results:
allres = res+res2+res3+res4
allres.show()
- and last but not least
(need internet connection)
allres.graph()
(if no internet connection, less pretty, but better than nothing)
allres.graph(ASres=None)
a,b=sr(IP(dst="www.target.com")/TCP(sport=[RandShort()]*1000))
a.plot(lambda x:x[1].id)
(yahoo is usually a good target)

** signal strength monitoring
- explain sniff() and prn parameter:
sniff(prn=lambda p: p.summary())
- explain that lambda can be anything your imagination can provide
and use on a wifi card in monitor mode with prism headers
sniff(prn=lambda p: p.sprintf("%-18s,Dot11.addr2%")+("#"*(p.signal//20)))
(test this before. signal strength adjustment may vary from one chipset
to another)

** other simple but neat stuff
- enable/disable some translations:
conf.resolve.add(IP.src,IP.dst, Ether.dst)
conf.noenum.add(IP.proto)
conf.noenum.remove(IP.proto)
- call wireshark on a packet/packet list
a=sniff(...)
wireshark(a)
wireshark(IP()/UDP(sport=5000)/fuzz(SNMP())*1000)
- edit a packet before sending
send(hexedit(IP(dst=..)/UDP()/...))
- import a hexdump capture (from tcpdump, wireshark, scapy...)
IP.from_hexcap()
<paste here>
0x0000: 4500 0054 0000 4000 4001 a949 c0a8 080e E..T..@.@..I....
0x0010: c0a8 0801 0800 96e4 ba56 0001 b076 1f48 .........V...v.H
0x0020: e801 0400 0809 0a0b 0c0d 0e0f 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 45
<^D>
<IP version=4L ihl=5L tos=0x0 len=84 id=0 flags=DF frag=0L ttl=64
proto=icmp chksum=0xa949 src=deneb dst=192.168.8.1 options='' |<ICMP
type=echo-request code=0 chksum=0x96e4 id=0xba56 seq=0x1 |<Raw
load='\xb0v\x1fH\xe8\x01\x04\x00\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f
!"#$%&\'()*+,-./012345' |>>>


good luck!
--
Philippe Biondi <phil@ secdev.org> SecDev.org
Computer Security/R&D http://www.secdev.org
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
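What IP.from_hexcap() does with that paste, shown as an added example that is my own code and not Scapy's: a small parser for the tcpdump-style hexdump above that decodes the IPv4 and ICMP headers without Scapy, recomputes the IP header checksum (0xa949) and flags that the pasted capture (82 bytes) is shorter than the IP total length (84). The sample is the thread's own bytes with the ASCII-column spacing restored; the function and field names are my own.

```python
import re
import struct

# Constructed sample: the hexdump pasted in the thread, with the two spaces
# that tcpdump -x prints before the ASCII column put back.
HEXCAP = """\
0x0000:  4500 0054 0000 4000 4001 a949 c0a8 080e  E..T..@.@..I....
0x0010:  c0a8 0801 0800 96e4 ba56 0001 b076 1f48  .........V...v.H
0x0020:  e801 0400 0809 0a0b 0c0d 0e0f 1011 1213  ................
0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
0x0050:  3435                                     45
"""

def parse_hexcap(text):
    """Raw bytes of a tcpdump/wireshark style hexdump (hypothetical helper).
    Only the hex column is trusted: the ASCII column is cut off at the first
    run of two or more spaces, so a printable '45' there is not read as a
    byte pair. Each offset is checked against the bytes collected so far, so
    a dropped line raises instead of silently yielding a shorter packet."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"^\s*0x([0-9a-fA-F]+):\s*(.*)$", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("hexdump offset %s does not follow 0x%x" % (m.group(1), len(data)))
        hexcol = re.split(r"\s{2,}", m.group(2).strip())[0]
        data += bytes.fromhex(hexcol.replace(" ", ""))
    return bytes(data)

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(raw):
    vi, tos, length, ident, ff, ttl, proto, chksum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (vi & 0x0F) * 4
    hdr = raw[:ihl]
    return {"version": vi >> 4, "ihl": ihl, "tos": tos, "len": length, "id": ident,
            "flags": ff >> 13, "frag": ff & 0x1FFF, "ttl": ttl, "proto": proto, "chksum": chksum,
            "src": ".".join(str(b) for b in raw[12:16]), "dst": ".".join(str(b) for b in raw[16:20]),
            # recomputed over the header with the checksum field zeroed
            "chksum_ok": inet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == chksum,
            # from_hexcap() trusts the paste: flag a capture shorter than the IP total length
            "truncated": len(raw) < length}

def decode_icmp(raw, ihl):
    typ, code, chksum, ident, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
    return {"type": typ, "code": code, "chksum": chksum, "id": ident, "seq": seq, "load": raw[ihl + 8:]}
```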
