Scapy Primer Session at Bangalore Local Security Meetup. Null , SecurityXploded, Garage4hackers , OWASP

1. Null
SecurityXploded
Ashwin Patil
Garage4hackers GCIH, RHCE,CCNA
Information Security Enginner
OWASP

2. Agenda
 Introduction
 Why Scapy ?
 Basic Commands
 Building your first packet
 Assembling full packet
 Write your own Port scanner
 Demo: SYN Scan and IP Spoofing
 Built-in Sniffer Functionality
 Scapy Strengths
 References

3. Introduction
 Powerful interactive packet manipulation program
 Enable to send, sniff, dissect and forge network packets
 Can manipulate and process packets at every layer of TCP/IP
 Supports wide range of Protocols and adding your own.
 Interactive shell OR Python module
 Today : Interactive shell and TCP/IP

4. Why Scapy ?
 Flexible unlike other packet crafting tools with limited
functionalities.
 Little knowledge required to build your own tools
 Single Replacement for Multiple tools such as wireshark, nmap,
hping etc.
 Build your own tools with Combined Techniques
e.g. VLAN hopping + ARP Cache poisoning
 Any field in every TCP/ IP layer can be altered
 Decode packets ( Received a TCP Reset on port 80),
and not Interprets ( Port 80 is Closed)

5. Basic Commands
 Scapy Start
 List of Supported Protocols
 Available Commands in Scapy

6. IP Header
IP Fields in Scapy

7. TCP Header
TCP Fields in Scapy

8. Building your first packet
Building packet at IP layer
Building packet at TCP layer

9. Assembling full packet
Assembling full packet at TCP/IP Packet ready to send with Calculated values

10. Write your own port scanner
Port Scanning :
“An attack that sends client requests to a range of server port addresses on a host,
with the goal of finding an active port”
Result Status :
Open : The host sent a reply indicating that a service is listening on the port.
Closed : The host sent a reply indicating that connections will be denied to the
port.
Filtered: There was no reply from
the host.

11. Demo Time
DEMO

12. Demo : SYN Scan
SYN Scan: a.k.a. Half Open scanning
Sends : SYN Packet
Response:
SYN, ACK- Open,
RST, ACK – Closed,
No response - Filtered
and if Port is open then doesnt send ACK to complete 3way
handshake.

13. Built-in Sniffing Functionality
Sniffing:
”Captures traffic on all or just parts of the network from single
machine within the network”

14. Scapy Strengths
 Rogue Router Advertisements with Scapy
http://samsclass.info/ipv6/proj/flood-router6a.htm
 Malicious Content Harvesting with Python, WebKit, and Scapy
http://dvlabs.tippingpoint.com/blog/2011/11/28/malicious-content-harvesting
 DEEPSEC: Extending Scapy by a GSM Air Interface
http://blog.c22.cc/2011/11/17/deepsec-extending-scapy-by-a-gsm-air-interface/
 Use Scapy to test snort rules
And many more …..

15. References
 Scapy Documentation
ww.secdev.org/projects/scapy/files/scapydoc.pdf
 Nmap port scanning techniques
http://nmap.org/book/man-port-scanning-techniques.html
 http://en.wikipedia.org/wiki/Port_scanner
 http://en.wikipedia.org/wiki/Packet_analyzer
Images:
 http://www.wtcs.org/snmp4tpc/images/IP-Header.jpg
 http://www.wtcs.org/snmp4tpc/images/TCP-Header.jpg

16. Thank You !!!
Comments ,Feedbacks, Suggestions
Twitter : @ashwinpatil
LinkedIn :
http://in.linkedin.com/in/ashwinrp
Slideshare : ashwin_patil
http://www.slideshare.net/ashwin_patil
Image Credit: http://shirtshovel.com/products/geek/tcpip-434.jpg