def scan(ip):
# scapy.arping(ip)
arp_request = scapy.ARP(pdst=ip) # instance of an ARP packet object
# arp_request.pdst = ip
print(arp_request.summary())
# scapy.ls(scapy.ARP()) # get list of fields for a particular class
broadcast = scapy.Ether(
dst='ff:ff:ff:ff:ff:ff'
) # The boradcast MAC address is a "virtual MAC address" - it does not exist in reality
# broadcast.dst = 'ff:ff:ff:ff:ff:ff'
scapy.ls(scapy.Ether())
arp_request_broadcast = broadcast / arp_request
arp_request_broadcast.show()
answered, unanswered = scapy.srp(
arp_request_broadcast
) # using srp rather tahn sr due to the custom Ether portion of the packet
# answered_list, unanswered_list = scapy.srp(arp_request_broadcast, timeout = 1)
answered_list = scapy.srp(arp_request_broadcast, timeout=1)[0]
answered_list = scapy.srp(arp_request_broadcast, timeout=1,
verbose=False)[0]
for element in answered_list:
print(element[1].psrc)
print(element[1].hwsrc)
print("----------------------------------------------------")
def filterPacketsByCallid(packets, callid):
filteredPackets = []
for packet in packets:
if isCallIdInPacket(packet, callid):
filteredPackets.append(packet)
scapy.ls(packet)
return filteredPackets, len(filteredPackets)
def main():
if len(sys.argv)<5:
print 'pass 4 arguments: <destination> <dst_tor> <repeat> <period(ms)>'
exit(1)
repeat = int(sys.argv[3])
period = float(sys.argv[4])
addr = socket.gethostbyname(sys.argv[1])
iface = get_if()
print "sending on interface %s to %s" % (iface, str(addr))
with open("attributes.txt") as f:
attrList = (line.rstrip() for line in f)
attrList = list(line for line in attrList if line) # Non-blank lines
attrList = attrList[1:] #discard the first one (which is a number for other usage)
for x in attrList:
HulappProtocol.add_IntField(x, 0)
pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff') / IP(dst=addr, proto=HULAPP_PROTOCOL) / HulappProtocol(dst_tor=int(sys.argv[2]))
# pkt.show2()
ls(pkt)
for i in range(repeat):
pkt[HulappProtocol].seq_no = i;
print "send probe: " + str(i)
sendp(pkt, iface=iface, verbose=False)
sleep(period/1000)
def main():
erp_request = scapy.ARP(pdst = '10.0.2.1/24')
'''
now we are going to set the broadcast objects
now using the Ether class of scapy
'''
broadcast = scapy.Ether()
#now for checking the attributes we are going to use
#scapy.ls method on this conditon please make pass the object not class
print(broadcast.show())
#show gives more details then summary method
scapy.ls(scapy.Ether())
'''
'ff:ff:ff:ff:ff:ff' is the default value for the dst and its means its
request to the all the client
dst : DestMACField = 'ff:ff:ff:ff:ff:ff' (None)
src : SourceMACField = '08:00:27:74:d8:bc' (None)
type : XShortEnumField = 36864 (36864)
'''
'''
now we are going to combining the both ARP and broadcast objects by
using the slash /
'''
arp_request_broadcast = broadcast/erp_request
arp_request_broadcast.show()
print(arp_request_broadcast.summary())
def uploadPacket(packet):
scapy.ls(packet[0][1])
print("----------------------------\n")
if(packet[0][1].op==1):
print("Se recibio nuevo arp request")
print("Se ha suplantado la conexion entre ", packet[0][1].psrc," y ",packet[0][1].pdst)
arpSpoofing(packet[0][1].psrc, packet[0][1].pdst)
return
def send_dns_reply(p):
if IPv6 in p:
ip = p[IPv6]
resp = Ether(dst=p.src, src=p.dst) / IPv6(
dst=ip.src, src=ip.dst) / UDP(dport=ip.sport, sport=ip.dport)
else:
ip = p[IP]
resp = Ether(dst=p.src, src=p.dst) / IP(dst=ip.src, src=ip.dst) / UDP(
dport=ip.sport, sport=ip.dport)
dns = p[DNS]
#only reply to IN, and to messages that dont contain answers
if dns.qd.qclass != 1 or dns.qr != 0:
return
#Make sure the requested name is in unicode here
reqname = dns.qd.qname.decode()
#A request
if dns.qd.qtype == 1:
rdata = config.selfipv4
#AAAA request
elif dns.qd.qtype == 28:
rdata = config.selfaddr
#PTR request
elif dns.qd.qtype == 12:
# To reply for PTR requests for our own hostname
# comment the return statement
return
if reqname == config.selfptr:
#We reply with attacker.domain
rdata = 'attacker.%s' % config.localdomain
else:
return
#Not handled
else:
return
if should_spoof_dns(reqname):
resp /= DNS(id=dns.id,
qr=1,
qd=dns.qd,
an=DNSRR(rrname=dns.qd.qname,
ttl=100,
rdata=rdata,
type=dns.qd.qtype))
try:
sendp(resp, iface=config.default_if, verbose=False)
except socket.error as e:
print('Error sending spoofed DNS')
print(e)
if config.debug:
ls(resp)
print('Sent spoofed reply for %s to %s' % (reqname, ip.src))
else:
if config.verbose or config.debug:
print('Ignored query for %s from %s' % (reqname, ip.src))
def scan(ip):
arp_request = scapy.ARP()
scapy.ls(arp_request) # or arp_request.show()
arp_request.pdst = ip
# scapy.ls(arp_request)
# print(arp_request.summary()) # prints ARP who is pdst says psrc
broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
# scapy.ls(broadcast)
# print(broadcast.summary())
arp_request_broadcast = broadcast / arp_request
# print(arp_request_broadcast.summary())
# arp_request_broadcast.show()
answered, unanswered = scapy.srp(arp_request_broadcast, timeout=1)
print(answered.summary())
print(unanswered.summary())
def send_padt(mysrc, mydst, sid):
global _debug, verbose, mylog, myiface
if _debug:
mylog.debug("mysrc=%s" % mysrc)
mylog.debug("mydst=%s" % mydst)
mylog.debug("session-id=%s" % sid)
# from RFC-2516:
# This packet may be sent anytime after a session is established to
# indicate that a PPPoE session has been terminated. It may be sent by
# either the Host or the Access Concentrator. The DESTINATION_ADDR
# field is a unicast Ethernet address, the CODE field is set to 0xa7
# and the SESSION_ID MUST be set to indicate which session is to be
# terminated. No TAGs are required.
# When a PADT is received, no further PPP traffic is allowed to be sent
# using that session. Even normal PPP termination packets MUST NOT be
# sent after sending or receiving a PADT. A PPP peer SHOULD use the
# PPP protocol itself to bring down a PPPoE session, but the PADT MAY
# be used when PPP can not be used.
try:
sesid = int(sid)
except:
print "Session-id must be 10-base integer"
return
eth_frame = scp.Ether(dst=mydst, src=mysrc)
padt_pkt = eth_frame/scp.PPPoED(code=0xa7,sessionid=sesid)
if verbose:
scp.ls(padt_pkt)
#scp.ls(padt_pkt)
mylog.info("sending PADT (sed=%d) pkt from %s (this PC) to %s" % (sesid, mysrc, mydst))
scp.sendp(padt_pkt, iface=myiface, verbose=1)
def main():
if len(sys.argv) < 3:
print 'pass 3 arguments: <destination> <dst_tor> <seq_no>'
exit(1)
addr = socket.gethostbyname(sys.argv[1])
iface = get_if()
print "sending on interface %s to %s" % (iface, str(addr))
with open("attributes.txt") as f:
attrList = (line.rstrip() for line in f)
attrList = list(line for line in attrList if line) # Non-blank lines
for x in attrList:
HulappProtocol.add_IntField(x, 0)
pkt = Ether(src=get_if_hwaddr(iface), dst='ff:ff:ff:ff:ff:ff') / IP(
dst=addr, proto=HULAPP_PROTOCOL) / HulappProtocol(
dst_tor=int(sys.argv[2]), seq_no=int(sys.argv[3]))
# pkt.show2()
ls(pkt)
sendp(pkt, iface=iface, verbose=False)
def write_ipv6_pcap_file(input_file_path, output_file_path):
"""Write a pcap file of traffic converted to IPv6.
Limitations:
- Currently non Ethernet frames are skipped.
- Layers may go missing if you encapsulate IPv4 in IPv6
"""
ipv6_pkts = []
pkts = rdpcap(input_file_path)
for pkt in pkts:
# Ignore Non Ethernet for the moment
if type(pkt) != Ether:
print ("Skipping non Ethernet packet")
continue
# If IPv6 just add packet to to list
if pkt.type == ETH_P_IPV6:
print "Packet is alread IPv6"
ipv6_pkts.append(pkt)
continue
iplayer = pkt.getlayer(IP)
if iplayer != None:
ip6layer = IPv6()
ip6layer.dst = ip4Toip6(iplayer.dst)
ip6layer.src = ip4Toip6(iplayer.src)
ip6layer.payload = iplayer.payload
pkt.type = ETH_P_IPV6
pkt.payload = ip6layer
# Recalulate the checksums of layers
# and add missing fields http://stackoverflow.com/a/11648093/620304
del ip6layer.payload.chksum
ipv6_pkts.append(pkt)
else:
print ("Skipping packet\n" + ls(pkt))
# Write the new pcap
wrpcap(output_file_path, ipv6_pkts)
print ("Packets written to " + output_file_path)
import scapy.all as scapy req = scapy.ARP() print(scapy.ls(req))
def atal(ip):
a = scapy.ARP(ip)
scapy.ls(scapy.ARP)
#!/usr/bin/env python # -*- coding:utf-8 -*- # @Time : 2021/3/13 00:45 # @Author : SecCodeCat from scapy.all import ls from scapy.layers.inet import IP, TCP # https://www.bilibili.com/video/BV1EV411S7py?p=5 07:34 """ 《Python渗透测试实战》配套视频 Scapy使用 类+属性 来构造数据包 Scapy中每一个协议就是一个类,协议中的字段对应着属性 实例化一个协议类,就可以创建一个该协议类型的数据包 """ pkt = IP() ls(pkt) print(pkt) # 这段bytes表示IP数据包的内容,bytes保存的就是原始的字节(二进制)数据,因此bytes对象可用于在网络中传输数据
#!/usr/bin/python3
# Scapy is a python library that allows us to design, manipulate, intercept and process packets
# Scapy sets header fields by default.
# Have to be root to run this.
from scapy.all import IP, ICMP, sr1, ls
ip_layer = IP(src="192.168.0.1", dst="www.google.com")
#print(ip_layer.show())
icmp_req = ICMP()
# Help to list (ls) details about the layer.
print(ls(ip_layer))
print(ip_layer.show())
print(ip_layer.summary())
print(icmp_req.show())
# Add the layers together with /
packet = ip_layer / icmp_req
#print(packet.show())
received_packet = sr1(packet)
if received_packet:
print(received_packet.show())
def send_dns_reply(p):
if IPv6 in p:
ip = p[IPv6]
resp = Ether(dst=p.src, src=p.dst) / IPv6(
dst=ip.src, src=ip.dst) / UDP(dport=ip.sport, sport=ip.dport)
else:
ip = p[IP]
resp = Ether(dst=p.src, src=p.dst) / IP(dst=ip.src, src=ip.dst) / UDP(
dport=ip.sport, sport=ip.dport)
dns = p[DNS]
# only reply to IN, and to messages that dont contain answers
if dns.qd.qclass != 1 or dns.qr != 0:
return
# Make sure the requested name is in unicode here
reqname = dns.qd.qname.decode()
# A query
if dns.qd.qtype == 1:
rdata = config.selfipv4
# AAAA query
elif dns.qd.qtype == 28:
rdata = config.selfaddr
# PTR query
elif dns.qd.qtype == 12:
# To reply for PTR requests for our own hostname
# comment the return statement
return
if reqname == config.selfptr:
#We reply with attacker.domain
rdata = 'attacker.%s' % config.localdomain
else:
return
# SOA query
elif dns.qd.qtype == 6 and config.relay:
if dns.opcode == 5:
if config.verbose or config.debug:
print('Dynamic update found, refusing it to trigger auth')
resp /= DNS(id=dns.id,
qr=1,
qd=dns.qd,
ns=dns.ns,
opcode=5,
rcode=5)
sendp(resp, verbose=False)
else:
rdata = config.selfaddr
resp /= DNS(id=dns.id,
qr=1,
qd=dns.qd,
nscount=1,
arcount=1,
ancount=1,
an=DNSRRSOA(rrname=dns.qd.qname,
ttl=100,
mname="%s." % config.relay,
rname="mitm6",
serial=1337,
type=dns.qd.qtype),
ns=DNSRR(rrname=dns.qd.qname,
ttl=100,
rdata=config.relay,
type=2),
ar=DNSRR(rrname=config.relay,
type=1,
rclass=1,
ttl=300,
rdata=config.selfipv4))
sendp(resp, verbose=False)
if config.verbose or config.debug:
print('Sent SOA reply')
return
#Not handled
else:
return
if should_spoof_dns(reqname):
resp /= DNS(id=dns.id,
qr=1,
qd=dns.qd,
an=DNSRR(rrname=dns.qd.qname,
ttl=100,
rdata=rdata,
type=dns.qd.qtype))
try:
sendp(resp, iface=config.default_if, verbose=False)
except socket.error as e:
print('Error sending spoofed DNS')
print(e)
if config.debug:
ls(resp)
print('Sent spoofed reply for %s to %s' % (reqname, ip.src))
else:
if config.verbose or config.debug:
print('Ignored query for %s from %s' % (reqname, ip.src))
def toList_scapy_field_info(object_):
scapy.ls(object_)
def scan(ip):
arp_request = scapy.ARP(pdst=ip)
print arp_request.summary()
scapy.ls(scapy.ARP())
def scan(ip):
#Below wants more information about the request
arp_request = scapy.ARP()
arp_request.pdst = ip # Will be put in where the IPs are
print(arp_request.summary())
scapy.ls(scapy.ARP())
def scan(ip):
arp_requet = scapy.ARP(pdst=ip) #
broadcast = scapy.Ether()
scapy.ls(scapy.Ether())
print(arp_requet.summary())
def scan(ip):
arp_request = scapy.ARP()
print(arp_request.summary)
scapy.ls(scapy.ARP)
import scapy.all as scapy scapy.ls(scapy.ARP()) # psrc = your ip # hwsrc = your mac # op = 1 for request # op = 2 for response # pdst = target ip # hwdst = target mac #
def sniff_client(pkt):
global AP_INFO
if Dot11QoS in pkt:
if (pkt.addr1 == AP_INFO['mac'] or pkt.addr2 == AP_INFO['mac']
or pkt.addr3 == AP_INFO['mac']
or pkt.addr4 == AP_INFO['mac']) and UDP in pkt:
print(pkt.addr1, pkt.addr2, pkt.addr3, pkt.addr4)
client_data.append(pkt)
sniff(count=int(sys.argv[2]), iface='wlan0mon', prn=sniff_client)
for cd in client_data:
ls(cd)
tmp = cd[Dot11FCS].addr1
cd[Dot11FCS].addr1 = cd[Dot11FCS].addr3
cd[Dot11FCS].addr3 = tmp
tmp = cd[IP].src
cd[IP].src = cd[IP].dst
cd[IP].dst = tmp
del cd[Dot11FCS].fcs
del cd[IP].chksum
del cd[UDP].chksum
cd.show2()
sendp(cd, count=1000)
import scapy.all as scapy
# this is how packet made of
packet = scapy.ARP(op=2,
pdst="192.168.0.117",
hwdst="60:a4:d0:b9:70:74",
psrc="192.168.0.1")
#if we dont specify hwsrc,it will be detected automatically and if we dont specify "op" then it will take 1 value
#op = 1 is request and op=2 is for response
scapy.ls(scapy.ARP)
#packet all information
print(packet.show())
#who sent ip+mac
print(packet.summary())
def scan(ip):
arp_request = scapy.ARP(pdst = ip) # create an instance of the scapy class and set the value of pdst
print(arp_request.summary()) # calls a method in the ARP, implemented by scapy
scapy.ls(scapy.ARP()) # lists all the fileds that can be set
from scapy.all import ICMP
from scapy.all import IP
from scapy.all import sr1
from scapy.all import ls
if __name__ == "__main__":
dest_ip = "www.google.com"
ip_layer = IP(dst=dest_ip)
print(ls(ip_layer)) # displaying complete layer info
# accessing the fields
print("Destination = ", ip_layer.dst)
print("Summary = ", ip_layer.summary())
def scan(ip):
# scp.arping(ip)
arp_request = scp.ARP()
arp_request.pdst = ip
print(arp_request.summary())
scp.ls(scp.ARP())
import scapy.all as scapy
arp_packet = scapy.ARP(op=2,
pdst="192.168.225.249",
hwdst="00-0C-29-52-47-B6",
psrc="192.168.225.230")
scapy.ls(arp_packet)
print(arp_packet.summary())
print(arp_packet.show())