Reconnaissance: Scanning and DoSing with Scapy
Reconnaissance: Scanning and DoSing with Scapywe have explored a number of packet manipulation equipment.
Hackers-stand up that may be very powerful Reconnaissance: Scanning and DoSing with Scapy:
for network scanning, which includes nmap and hping. As you already know, almost any packet crafting/manipulation device also can be used for DoSing (denial-of-provider attacks). Given the strength of creating pretty much any sort of packet with any characteristics, we are able to in all likelihood locate one with a view to take down almost any host or community.
In this text, we can upload a tool called Scapy to your arsenal of scanning and DoS-ing guns. Scapy is a packet manipulation tool much like nmap and hping, however unlike the ones tools, Scapy is nearly infinitely customizable. This is not to mention that nmap and hping aren’t customizable, however their ability to be custom designed is restricted. They change off ease-of-use for customization. Scapy, then again, has almost no limits in your potential to customise it, however it does have a piece of a mastering curve Reconnaissance: Scanning and DoSing with Scapy.
if you invest the time to understanding Scapy, you’ll be rewarded with a completely powerful weapon Reconnaissance: Scanning and DoSing with Scapy.
know-how TCP/IP
when the use of a tool like Scapy, nmap, hping, and others, it’s miles important you recognize the shape of each the IP header and the TCP header. without that fundamental understanding of these protocols, it is trying to fly an F-16 right into a conflict region with out simple and essential flight training. it’s miles a effective weapon and you may unharness a bomb or , however you’re probable to crash and burn as properly.
in addition, you must be familiar with the TCP header and packet as nicely.
The better you understand the structure of these headers and packets, the higher hacker you’ll be. in any other case, you may be restrained to being a script kiddie with some effective equipment, but without the expertise to apply them efficaciously Reconnaissance: Scanning and DoSing with Scapy.
Scapy is also very flexible. it is able to be custom designed to do ARP spoofing, ARP cache poisoning, packet sniffing and evaluation like tcpdump and Wireshark, injecting 802.1 frames like aireplay-ng, and interpreting VoIP like Cain and Abel. it is written in Python with the aid of Philipe Biondi and is capable of crafting packets in addition to interpreting packets. Its syntax is a chunk obscure, but its strength makes it worth making an investment your time to study.
In this article, i’ll try to introduce you first to Scapy’s syntax after which we will use it for a simple DoS attack.
Step 1: hearth Up Kali & Run Scapy
allow’s fire up Kali, open a terminal and type:
kali > scapy
when we do so, we are able to greeted with display that looks like that above. note the “>>>” spark off. This indicates that Scapy is in interactive mode. All instructions after this could be Scapy commands and may be interpreted via the Scapy interpreter Reconnaissance: Scanning and DoSing with Scapy.
Step 2: View the Scapy Configuration record
Now that we’re inside the Scapy interpreter, allow’s type:
>> conf
As you may see inside the screenshot above, Scapy reveals its configuration report when we type “conf” in. In a later academic, we will paintings with this configuration report in Scapy, however for now, I just need you to recognise wherein it is living Reconnaissance: Scanning and DoSing with Scapy.
Step three: Create a Packet
The splendor of Scapy is its capability to custom build any packet you may believe. typically, the TCP/IP stack of your OS will build a RFC-compliant packet whenever you want to speak over the internet. As a hacker, we frequently need to create a custom/specific packet that might not be RFC-compliant for the purposes of gathering records on our target (i.e., scanning) or probable developing a DoS circumstance via growing a packet that causes the target system to crash (land attack, ping of dying, fragroute, and many others.).
So, permit’s start with the aid of creating a easy IP packet. In Scapy, you first declare a variable that represents your packet and then define the packet attributes one after the other. So, right here we outline our packet as “x” and then give x more than one attributes. permit’s begin by way of defining “x” as an IP packet with a TTL of 64 Reconnaissance: Scanning and DoSing with Scapy.
>>> x=IP(ttl=sixty four)
>>> x
notice that after i have created the variable x and described it as an IP packet with a time to stay (TTL) of 64, I then retyped the variable x and it replied with the value of x. In this case, IP time to live = 64.
Now, allow’s upload a few extra attributes to this variable x, which include a source and vacation spot IP cope with. The syntax is similar to Wireshark or Tcpdump. We constitute the supply IP characteristic with x.src and the destination IP attribute with x.dst followed by way of the fee in double quotation marks (“).
>> x.src=”192.168.1.101″
>>> x.dst=”192.168.1.122”
word that once placing each value, I checked the cost by really retyping the variable followed by means of the characteristic.
Now we’ve got created a packet with the following attributes Reconnaissance: Scanning and DoSing with Scapy:
TTL=64
source IP is 192.168.1.101
vacation spot IP is 192.168.1.122
we can test those by means of now typing the variable name, x, and Scapy will go back our variable with its our attributes.
Step 4: built-in functions
Scapy has big range of built-in features. we will listing those functions by using typing:
>>> lsc()
since the listing is just too lengthy to show in one display, i’ve displayed the first of those capabilities above and the final of those functions beneath. word, some features did no longer match on both display screen.
note the command “ship” on the first line of the second screenshot of the features. that is what we use whilst we want to send a packet. allow’s use it to ship the packet we created above called “x” that has the attributes of TTL=64, source IP deal with of 192.168.1.101, and a destination iP address of 192.168.1.122. Of direction, when we send this packet, it will go to the destination IP address and will have a restriction of sixty four hops (TTL=sixty four) Reconnaissance: Scanning and DoSing with Scapy.
>>> ship(x)
As you could see, our specifically crafted packet x become despatched to the destination IP deal with.
we can use Scapy to craft a packet with just about any value in any of the IP header or TCP header fields, including window length, flags, fragmentation field, acknowledgement value, sequence variety, and so forth.
Step 5: Create an attack
i hope by using now which you getting the idea that Scapy may be used to control any of the fields inside the TCP/IP packet. we are able to play with some of the other fields in a subsequent Scapy educational.
Now, permit’s use this capability to create a malicious packet after which send it to a goal gadget. windows Server 2003 (trust or not, there are still lots of 2003 servers available; check Shodan, Censys, or use Xprobe2 to locate the running system) is susceptible to the “land” assault. that is a DoS attack that sends an oversized packet to the target with the identical supply and destination IP address and the identical supply and vacation spot port. It would not continually crash the machine, but it’ll gradual it down significantly. For internet servers, slowing them down is efficaciously a DoS Reconnaissance: Scanning and DoSing with Scapy.
allow’s create that land assault packet in Scapy. Scapy can take all of the attributes in a single command. So, let’s create our “land” assault packet and ship it 2,000 instances. we can do that through typing:
>>> hip(IP(src=”192.168.1.122″, dst=”192.168.1.122″)/TCP(sport=a hundred thirty five,dport=one hundred thirty five), matter=2000)
allow’s smash down that command.
ship is the command
IP defines the protocol for IP addresses
src=”192.168.1.122″ is the source IP deal with
dst=”192.168.1.122″ is the destination IP cope with
TCP defines the protocol for the ports
sport=a hundred thirty five defines the source port
dport=135 defines the vacation spot port
remember=2000 defines the number of packets we want to send Reconnaissance: Scanning and DoSing with Scapy
If those packets are directed at a windows Server 2003, it could crash the system or at least sluggish it down dramatically. when an internet server is slowed, it efficiently DoSes the website.
precis
Scapy is but any other powerful scanning and DoSing tool in our arsenal of equipment. Scapy is fantastically versatile enabling us to do multiple obligations with this unmarried tool. It has nearly a limiteless capability to create packets with any traits you can imagine and thereby create a unique scanning technique and DoS attacks.
The potential to personalize a packet is where Scapy shines over Nmap and Hping, making it a DoSing cyber weapon not to be missed. This isn’t always to say that Nmap and Hping aren’t customizable, however their potential to be custom designed is restrained, trading off ease of use for customization. Scapy, then again, has nearly no limits in one’s capacity to personalize it, but it does have a piece of a learning curve Reconnaissance: Scanning and DoSing with Scapy.
expertise TCP/IP
while the use of a device like Scapy, Nmap, and Hping, it is vital to apprehend the structure of each the IP header and the TCP header. without that essential knowledge of these protocols, it’s like looking to fly an F-16 into a battle zone with out primary, vital flight schooling — it is a effective weapon, and you would possibly unleash a bomb or two, but you are likely to crash and burn.
more data: TCP & IP Networking basics for the Aspiring Hacker
similarly, you have to be familiar with the TCP header and packet as well:
The higher you recognize the shape of those headers and packets, the better hacker you will be. in any other case, you will be restricted to script-kiddie fame with some powerful equipment and no expertise to use them effectively.
Scapy is also very versatile and may be customized to do ARP spoofing, ARP cache poisoning, packet sniffing and analysis like with Tcpdump and Wireshark, injecting 802.1 frames like with Aireplay-ng, and deciphering VoIP like with Cain and Abel. it’s written in Python, by using Philipe Biondi, and is able to crafting packets in addition to decoding packets. Its syntax is a bit obscure, however its strength makes it worth making an investment the time to research Reconnaissance: Scanning and DoSing with Scapy.
In this text, i’ll try to introduce you first to Scapy’s syntax. Then we’ll use it for a easy but effective DoS attack.
Step 1Start Scapy
right off the bat, let’s begin up Scapy the use of scapy in a brand new terminal window. we’re going to use Kali Linux for this guide, which has Scapy hooked up by default, however it should be similar for other Linux distros.
~# scapy
data: can’t import PyX. may not be able to use psdump() or pdfdump().
warning: IPython now not available. the usage of preferred Python shell rather.
AutoCompletion, history are disabled.
aSPY//YASa
apyyyyCY//////////YCa |
sY//////YSpcs scpCY//Pp | Welcome to Scapy
ayp ayyyyyyySCP//Pp syY//C | version 2.4.0
AYAsAYYYYYYYY///playstation cY//S |
pCCCCY//p cSSps y//Y | https://github.com/secdev/scapy
SPPPP///a pP///AC//Y |
A//A cyP////C | Have a laugh!
p///Ac sC///a |
P////YCpc A//A | Craft packets like I craft my beer.
scccccp///pSP///p p//Y | — Jean De Clerck
sY/////////y caa S//P |
cayCyayP//Ya pY/Ya
sY/PsY////YCc aC//Yp
sc sccaCY//PCypaapyCP//YSs
spCPY//////YPSps
ccaacs
>>>
note the >>> set off after the device’s statistics displays. It suggests that Scapy is in interactive mode. All commands after this may be Scapy commands and could be interpreted by way of the Scapy interpreter.
in case you do not see the above due to the fact you don’t have the tool mounted, you could use pip set up scapy to get it. There also are more moderen improvement versions you can test out if you want Reconnaissance: Scanning and DoSing with Scapy.
~# pip set up scapy
Step 2Create a Packet
The splendor of Scapy is its potential to custom build any packet you can imagine. commonly, the TCP/IP stack of your running system will make an RFC-compliant packet on every occasion you want to communicate over the internet.
As a hacker, we frequently want to create a completely unique packet that might not be RFC-compliant to gather facts on a goal (i.e., scanning). additionally, one could create a DoS circumstance via constructing a packet that causes the target device to crash (e.g., land attack, ping of loss of life, fragroute, etc.) Reconnaissance: Scanning and DoSing with Scapy.
permit’s begin through growing a simple IP packet. In Scapy, you first claim a variable that represents your packet and then outline the packet attributes one by one. In my instance, we define the packet as “x” after which provide it more than one attributes. To observe along, define “x” as an IP packet with a TTL of sixty four.
notice that when I had created the variable x and described it as an IP packet with a time to stay (TTL) of sixty four, I then retyped the variable x, and it responded with the cost of x. In this situation, IP time to stay = 64.
Now, permit’s upload some additional attributes to this variable x, such as a supply and destination IP deal with. The syntax is just like Wireshark or Tcpdump. We represent the source IP characteristic with x.src observed through the fee in double citation marks (“). In my example, i am using 192.168.1.101 as the supply IP address.
>>> x.src=”192.168.1.one hundred and one Reconnaissance: Scanning and DoSing with Scapy”
>>> x
Then, we represent the vacation spot IP attribute with x.dst followed with the aid of the cost in double citation marks (“). In my instance, i am the usage of 192.168.1.122 as the destination IP deal with.
>>> x.dst=”192.168.1.122″
>>> x
notice that once placing every value, I checked the price by means of virtually retyping the variable accompanied with the aid of the attribute. At this point, we have created a packet with the subsequent attributes:
TTL=64
source IP cope with is 192.168.1.a hundred and one
vacation spot IP deal with is 192.168.1.122
you could double test those by means of typing the variable name, x, once again. Scapy will go back the variable with its attributes efficaciously indexed.
Step 3View integrated capabilities
Scapy has a big wide variety of built-in features, and we can listing them all with the lsc() command. note the command send in the list, that’s what’s used when looking to send a packet Reconnaissance: Scanning and DoSing with Scapy Reconnaissance: Scanning.
>>> lsc()
IPID_count : identify IP identification values training in a list of packets
arpcachepoison : Poison target’s cache with (your MAC,sufferer’s IP) couple
arping : ship ARP who-has requests to decide which hosts are up
bind_layers : Bind 2 layers on a few particular fields’ values
bridge_and_sniff : forward traffic among interfaces if1 and if2, sniff and return
chexdump : build a in keeping with byte hexadecimal illustration
computeNIGroupAddr : Compute the NI organization deal with. Can ta ke a FQDN as input parameter
corrupt_bits : turn a given percent or quantity of bits from a string Reconnaissance: Scanning
corrupt_bytes : Corrupt a given percent or variety of bytes from a string
defrag : defrag(plist) -> ([not fragmented], [defragmented],
defragment : defrag(plist) -> plist defragmented as much as viable
dhcp_request : —
dyndns_add : ship a DNS upload message to a nameserver for “name” to have a new “rdata”
dyndns_del : send a DNS delete message to a nameserver for “name”
etherleak : make the most Etherleak flaw
fletcher16_checkbytes: Calculates the Fletcher-sixteen checkbytes back as 2 byte binary-string.
fletcher16_checksum : Calculates Fletcher-sixteen checksum of the given buffer Reconnaissance: Scanning.
fragleak : —
fragleak2 : —
fragment : Fragment a big IP datagram Reconnaissance: Scanning
fuzz : transform a layer into a fuzzy layer via changing some default values with the aid of random items
getmacbyip : return MAC deal with similar to a given IP cope with
getmacbyip6 : Returns the MAC deal with similar to an IPv6 address
hexdiff : display differences between 2 binary strings
hexdump : build a tcpdump like hexadecimal view
hexedit : —
hexstr : —
import_hexcap : —
is_promisc : try to bet if goal is in Promisc mode. The goal is furnished by its ip.vReconnaissance: Scanning
linehexdump : construct an equivalent view of hexdump() on a single line Reconnaissance: Scanning
ls : list to be had layers, or infos on a given layer elegance or name Reconnaissance: Scanning
neighsol : Sends an ICMPv6 Neighbor Solicitation message to get the MAC deal with of the neighbor with detailed IPv6 cope with addr
overlap_frag : construct overlapping fragments to bypass NIPS Reconnaissance: Scanning
promiscping : send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap : study a pcap or pcapng record and go back a packet list
report_ports : portscan a goal and output a LaTeX table
restart : Restarts scapy
send : send packets at layer three
sendp : send packets at layer 2
sendpfast : ship packets at layer 2 the usage of tcpreplay for performance
sniff :
split_layers : split 2 layers formerly sure
sr : ship and obtain packets at layer 3
sr1 : ship packets at layer 3 and return best the primary answer Reconnaissance: Scanning
sr1flood : Flood and get hold of packets at layer three and return simplest the primary solution
srbt : ship and get hold of the usage of a bluetooth socket Reconnaissance: Scanning
srbt1 : send and get hold of 1 packet the use of a bluetooth socket
srflood : Flood and get hold of packets at layer three Reconnaissance: Scanning
srloop : ship a packet at layer 3 in loop and print the answer every time
srp : send and acquire packets at layer 2 Reconnaissance: Scanning
srp1 : send and obtain packets at layer 2 and return only the primary answer
srp1flood : Flood and get hold of packets at layer 2 and return simplest the primary solution
srpflood : Flood and receive packets at layer 2
srploop : ship a packet at layer 2 in loop and print the solution each time
tcpdump : Run tcpdump or tshark on a list of packets
traceroute : immediate TCP traceroute
traceroute6 : on the spot TCP traceroute the use of IPv6
traceroute_map : Util feature to name traceroute on a couple of targets, then
tshark : Sniff packets and print them calling pkt.summary(), a bit like text wireshark
wireshark : Run wireshark on a listing of packets
wrpcap : Write a listing of packets to a pcap file
permit’s use ship to ship the packet we created above called “x” that has the attributes of TTL=sixty four, a source IP cope with of 192.168.1.one zero one, and a destination IP cope with of 192.168.1.122. Of course, while sending the packet, it will visit the vacation spot IP address and will have a limit of 64 hops (TTL=sixty four) Reconnaissance: Scanning and DoSing with Scapy Reconnaissance: Scanning.
>>> send(x)
.
despatched 1 packets.
As you could see, our particularly crafted “x” packet changed into sent to the destination IP address. Scapy may be used to craft a packet with pretty much any cost in any of the IP header or TCP header fields, such as window length, flags, fragmentation field, acknowledgment cost, sequence number, and so forth Reconnaissance: Scanning and DoSing with Scapy Reconnaissance: Scanning.
Step 4Create an assault
i’m hoping by way of now that you’re getting the idea that Scapy may be used to manipulate any of the fields inside the TCP/IP packet. Now, allow’s use this functionality to create a malicious packet and ship it to a target device.
windows Server 2003 (trust or now not, there are nevertheless tens of millions of 2003 servers out there — check Netcraft or use Xprobe2 to discover the working system) is vulnerable to the “land” attack, a DoS assault that sends an oversized packet to the goal with the same source and vacation spot IP cope with, in addition to the identical source and destination port. It does not continually crash the system however will sluggish it down significantly. For web servers, slowing them down is successfully a DoS.
To create a land assault packet, Scapy can take all of the attributes in a single command. So, use the subsequent layout to create the “land” assault packet and ship it 2,000 times. In that one-liner, send is the command; IP defines the protocol for IP addresses; src=”192.168.1.122″ is the supply IP address; dst=”192.168.1.122″ is the vacation spot IP deal with; TCP defines the protocol for the ports; game=one hundred thirty five defines the supply port, dport=one hundred thirty five defines the vacation spot port; and count=2000 defines the variety of packets to ship Reconnaissance: Scanning and DoSing with Scapy.
>>> send(IP(src=”192.168.1.122″, dst=”192.168.1.122″)/TCP(game=135,dport=one hundred thirty five), depend=2000)
sent 2000 packets.
If those packets are directed at a windows Server 2003, it is able to crash the device or as a minimum gradual it down dramatically. when an internet server is slowed, it efficaciously DoSes the internet site.
Step 5Spoof the MAC cope with
The best trouble with what we’ve carried out above is that we have given away our MAC cope with. i’m certain I don’t have to tell you why this would be an issue, but a MAC deal with can deliver away the manufacturer of your device, giving freely the fact which you’re no longer who you are saying you are.
The send function sends packets at layer three so it handles the routing and layer 2 for you. however, sendp works at layer 2. thanks to Null Byte user Triphat for suggesting the command beneath, which uses the latter feature.
To do the same things as in Step 4 however with spoofing your MAC deal with, sendp is the command;
Ether specifies it is an Ethernet layer (so it is LAN handiest); src=”aa:bb:cc:dd:ee:ff” is the spoofed supply MAC address’s value; IP defines the protocol for IP addresses; src=”192.168.1.122″ is the supply IP cope with; dst=”192.168.1.122″ is the vacation spot IP address; TCP defines the protocol for the ports; recreation=135 defines the source port, dport=135 defines the destination port; and count=2000 defines the number of packets to ship Reconnaissance: Scanning and DoSing with Scapy.
>>> sendp(Ether(src=”aa:bb:cc:dd:ee:ff”)/IP(src=”192.168.1.122″, dst=”192.168.1.122″)/TCP(game=one hundred thirty five,dport=135), count=2000)
…………………………..
despatched 2000 packets.
to peer how this appears from the goal’s point of view, watch the video above to see the packets captured in Wireshark and what they seem like.
Scapy is yet every other robust scanning and DoSing tool in a hacker’s arsenal of guns. it is incredibly flexible, in an effort to perform more than one responsibilities with a single tool. It has nearly an infinite capacity to create packets with any characteristics you may consider and thereby create a completely unique scanning technique and DoS attacks Reconnaissance: Scanning and DoSing with Scapy.
don’t miss: The Everyman’s manual to How network Packets Are Routed throughout the net
need to begin being profitable as a white hat hacker? soar-begin your hacking profession with our 2020 top rate ethical Hacking Certification schooling package from the brand new Null Byte save and recover from 60 hours of training from cybersecurity professionals Reconnaissance: Scanning and DoSing with Scapy.
