Date created: Friday, April 6, 2018 11:30:44 AM. Last modified: Tuesday, January 16, 2024 3:31:40 PM
Scapy Examples
References:
https://scapy.readthedocs.io/en/latest/index.html
https://github.com/secdev/scapy/tree/master/scapy
To Start:
from scapy.all import *
Scapy Notes:
List protocols with ls() and functions with lsc()
Check a specific protocol with Ether().show() or TCP().show()
List custom modules with: list_contrib()
To load a custom module like MPLS use: load_contrib("mpls")
Check with: MPLS().show()
Gratuitous ARP Example:
arp_eth = Ether(src='5e:f1:74:c1:58:bd', dst='ca:01:07:fc:00:08', type="ARP")
# op='is-at' is an ARP reply. Because pdst (10.0.255.1) differs from psrc (10.0.255.2) this is an
# unsolicited reply aimed at one host (the ARP cache poisoning shape); a strictly gratuitous ARP uses pdst == psrc.
arp_arp = ARP(psrc='10.0.255.2', hwsrc='5e:f1:74:c1:58:bd', hwdst='ca:01:07:fc:00:08', pdst='10.0.255.1', op='is-at')
arp_frame = arp_eth/arp_arp
Ether(raw(arp_frame))   # re-dissect the serialised bytes to check the frame; raw() replaces Python 2's str()
sendp(arp_frame, iface="eth1")
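The same frame built and checked in pure Python, followed by a small ARP monitor that flags what the frame above looks like from the defender's side. This is an added example, not part of the original page and not Scapy code; it needs only the standard library, so its bytes can be compared with Ether(raw(arp_frame)) above. The known-bindings table and the MAC aa:bb:cc:dd:ee:ff in the sample exchange are constructed for illustration.

```python
# Added example (not Scapy, not the page's own code): Ethernet/ARP builder, parser and monitor.
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2          # Scapy's op="who-has" / op="is-at"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(src_mac, dst_mac, op, hwsrc, psrc, hwdst, pdst):
    """Ethernet II + ARP (RFC 826) with the defaults Scapy's ARP() uses: hwtype=1, ptype=0x0800, hwlen=6, plen=4."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(hwsrc) + IPv4Address(psrc).packed
    arp += mac_bytes(hwdst) + IPv4Address(pdst).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an untagged Ethernet/ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hwtype, ptype, hwlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]), "eth_dst": mac_str(frame[0:6]), "op": op,
        "hwsrc": mac_str(frame[22:28]), "psrc": str(IPv4Address(frame[28:32])),
        "hwdst": mac_str(frame[32:38]), "pdst": str(IPv4Address(frame[38:42])),
    }


class ArpMonitor:
    """Stateful check: a reply is only 'solicited' if a matching who-has was seen first.
    `known` maps IP -> the MAC we trust for it (e.g. the gateway)."""

    def __init__(self, known):
        self.known = {ip: mac.lower() for ip, mac in known.items()}
        self.pending = set()           # (asking IP, asked-for IP); bound this in production code

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None:
            return []
        findings = []
        if a["hwsrc"].lower() != a["eth_src"].lower():
            findings.append("l2-l3-src-mismatch")   # ARP sender MAC should match the Ethernet source
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["psrc"], a["pdst"]))
        elif a["op"] == ARP_REPLY:
            if a["psrc"] == a["pdst"]:
                findings.append("gratuitous")        # host announcing its own binding
            elif (a["pdst"], a["psrc"]) in self.pending:
                self.pending.discard((a["pdst"], a["psrc"]))
            else:
                findings.append("unsolicited-reply")
        expected = self.known.get(a["psrc"])
        if expected is not None and expected != a["hwsrc"].lower():
            findings.append(f"binding-conflict:{a['psrc']}")
        return findings


# The frame from the Scapy snippet above, rebuilt field by field.
PAGE_FRAME = build_arp("5e:f1:74:c1:58:bd", "ca:01:07:fc:00:08", ARP_REPLY,
                       "5e:f1:74:c1:58:bd", "10.0.255.2", "ca:01:07:fc:00:08", "10.0.255.1")

if __name__ == "__main__":
    # Constructed: we believe 10.0.255.2 really belongs to aa:bb:cc:dd:ee:ff
    mon = ArpMonitor({"10.0.255.2": "aa:bb:cc:dd:ee:ff"})
    print(PAGE_FRAME.hex())
    print(mon.feed(PAGE_FRAME))
```

Feed the monitor from `sniff(prn=lambda p: mon.feed(raw(p)))` to run it live; the pending set must be expired in real use or a request flood will grow it without bound.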
Gratuitous MACs + IPs:
#!/usr/bin/python3
# sudo -H pip3 install scapy
#
# Sends 32 * 256 = 8192 frames towards the gateway, each from a different source MAC
# (00:00:00:00:e:f) with a matching 10.123.e.f source IP. This exercises switch MAC/CAM
# tables and the gateway's ARP cache; the UDP destination port is arbitrary.
import sys
import time
from scapy.all import *


def main():
    t = UDP(dport=12345)
    sent = 0
    for a in range(0, 1):
        for b in range(0, 1):
            for c in range(0, 1):
                for d in range(0, 1):
                    for e in range(0, 32):
                        for f in range(0, 256):
                            src_mac = "{:02x}:{:02x}:{:02x}:{:02x}:{:02x}:{:02x}".format(a, b, c, d, e, f)
                            src_ip = "10.123." + str(e) + "." + str(f)
                            # The source IP must be set per frame, otherwise every frame carries the same IP
                            i = IP(dst="10.123.254.254", src=src_ip)
                            # 64:c3:d6:57:ef:f0 is the gateway (10.123.254.254) MAC
                            frame = Ether(src=src_mac, dst='64:c3:d6:57:ef:f0') / i / t
                            try:
                                sendp(frame, iface="enp0s3", verbose=False)
                                sent += 1
                            except Exception as exc:   # do not reuse 'e', it is the loop variable above
                                print("Couldn't send frame {}: {}".format(frame.summary(), exc))
                            #time.sleep(.001)
    print("Sent: {}".format(sent))


if __name__ == '__main__':
    sys.exit(main())
HSRP Example:
ip = IP(src='10.0.0.2', dst='224.0.0.2')   # HSRP v0/v1 all-routers multicast group
udp = UDP()                                 # Scapy sets sport/dport 1985 once HSRP is stacked on top
# priority=255 is the maximum, so an Active hello at 255 outranks any configured router (with preempt).
# HSRP v0 authentication is an 8-byte plaintext string and 'cisco' is the protocol (and Scapy) default.
hsrp = HSRP(group=1, priority=255, virtualIP='10.0.0.1')   # virtual IP as shown in the dissection below
frm = Ether()/ip/udp/hsrp
b = raw(frm)    # raw() replaces Python 2's str()
c = Ether(b)
>>> c
<Ether dst=01:00:5e:00:00:02 src=9c:4e:36:c9:b4:98 type=IPv4 |<IP version=4L ihl=5L tos=0x0 len=48 id=1 flags= frag=0L ttl=64 proto=udp chksum=0x90b8 src=10.0.0.2 dst=224.0.0.2 options=[] |<UDP sport=1985 dport=1985 len=28 chksum=0x9a5f |<HSRP version=0 opcode=Hello state=Active hellotime=3 holdtime=10 priority=255 group=1 reserved=0 auth='cisco' virtualIP=10.0.0.1 |>>>>
>>> hexdump(c)
0000  01 00 5E 00 00 02 9C 4E 36 C9 B4 98 08 00 45 00  ..^....N6.....E.
0010  00 30 00 01 00 00 40 11 90 B8 0A 00 00 02 E0 00  .0....@.........
0020  00 02 07 C1 07 C1 00 1C 9A 5F 00 00 10 03 0A FF  ........._......
0030  01 00 63 69 73 63 6F 00 00 00 0A 00 00 01        ..cisco.......
MPLS Example:
load_contrib("mpls")
mpls_eth = Ether(src="11:11:11:11:11:11", dst="ca:01:07:fc:00:1c", type=0x8847)   # 0x8847 = MPLS unicast
# Four-entry label stack; only the bottom entry carries s=1 (bottom-of-stack)
mpls_labels = MPLS(label=16, s=0, ttl=255)/MPLS(label=18, s=0, ttl=255)/MPLS(label=18, s=0, ttl=255)/MPLS(label=16, s=1, ttl=255)
mpls_ip = IP(src='10.0.255.2', dst='10.0.255.2')
mpls_icmp = ICMP(type="echo-request")
mpls_raw = Raw(load="Foooooooooooooooook!")
mpls_frame = mpls_eth/mpls_labels/mpls_ip/mpls_icmp/mpls_raw
>>> Ether(raw(mpls_frame))
<Ether dst=ca:01:07:fc:00:1c src=11:11:11:11:11:11 type=0x8847 |<MPLS label=16 cos=0 s=0 ttl=255 |<MPLS label=18 cos=0 s=0 ttl=255 |<MPLS label=18 cos=0 s=0 ttl=255 |<MPLS label=16 cos=0 s=1 ttl=255 |<IP version=4 ihl=5 tos=0x0 len=48 id=1 flags= frag=0 ttl=64 proto=icmp chksum=0x68c7 src=10.0.255.2 dst=10.0.255.2 options=[] |<ICMP type=echo-request code=0 chksum=0xcaf3 id=0x0 seq=0x0 |<Raw load='Foooooooooooooooook!' |>>>>>>>>
sendp(mpls_frame, iface="eth1")
sendp(mpls_frame, iface="eth1", loop=1, inter=0.1)   # resend every 100 ms until interrupted
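How a receiver walks the label stack above, as an added example in pure Python that is not Scapy code and not from the original page. It encodes the same four entries (label 16, 18, 18, 16 with s=1 only on the last), then parses them the way a label switch router must: read 4-byte entries until the bottom-of-stack bit, and guess the payload protocol from its first nibble because MPLS carries no next-protocol field. The reserved-label names follow RFC 3032; the 20-byte IPv4 header after the stack is constructed for the sample.

```python
# Added example (not Scapy, not the page's own code): MPLS label stack encoder, parser and audit.
import struct

RESERVED_LABELS = {0: "ipv4-explicit-null", 1: "router-alert", 2: "ipv6-explicit-null", 3: "implicit-null"}


def build_label(label, tc=0, s=0, ttl=255):
    """One 32-bit stack entry: 20-bit label, 3-bit TC (Scapy calls it cos), 1-bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_label_stack(data):
    """Return (entries, payload_offset). Raises ValueError if the stack ends before an S=1 entry."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack truncated before a bottom-of-stack entry")
        word, = struct.unpack("!I", data[off:off + 4])
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7, "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        off += 4
        if entries[-1]["s"]:
            return entries, off


def inner_protocol(payload):
    """MPLS has no protocol field; receivers infer IPv4/IPv6 from the version nibble."""
    ver = payload[0] >> 4 if payload else None
    return {4: "IPv4", 6: "IPv6"}.get(ver, "unknown")


def audit_stack(entries):
    """Flag reserved labels (0-15). Label 3 (implicit null) must never appear on the wire."""
    findings = []
    for i, e in enumerate(entries):
        name = RESERVED_LABELS.get(e["label"])
        if name:
            findings.append(f"entry{i}:reserved:{name}")
        if e["label"] == 3:
            findings.append(f"entry{i}:implicit-null-on-wire")
    return findings


# The stack from the Scapy snippet above, followed by a constructed minimal IPv4 header.
PAGE_STACK = build_label(16) + build_label(18) + build_label(18) + build_label(16, s=1)
SAMPLE = PAGE_STACK + bytes([0x45, 0x00]) + b"\x00" * 18

if __name__ == "__main__":
    entries, off = parse_label_stack(SAMPLE)
    print(entries, off, inner_protocol(SAMPLE[off:]), audit_stack(entries))
```

Because the inner protocol is only guessed, a forwarding device that has no entry for the top label cannot safely inspect what it carries; that is why label stacks are a common blind spot for ACLs placed between MPLS-speaking hops.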
MTU Test Example:
# This makes a 1460 byte payload, + 20 byte TCP header + 20 byte IPv4 header == 1500 bytes
p = ''.join(str(x) for x in [i for j in range (146) for i in range(10)])
# Uncomment the following to make a 1501 byte packet:
#p = p + "0"
r = Raw(load=p)
t = TCP(sport=12345,dport=12345,flags=0)
i = IP(dst="89.21.235.194",src="192.168.0.99")
e = Ether()/i/t/r
sendp(e, iface="en0")
Ping Example:
ping_eth = Ether(src='5e:f1:74:c1:58:bd', dst='ca:01:07:fc:00:08', type="IPv4")
ping_ip = IP(src='10.0.255.2', dst='10.0.255.1')
ping_icmp = ICMP(type="echo-request")
ping_raw = Raw(load="123456789012345678901234567890")
ping_frame = ping_eth/ping_ip/ping_icmp/ping_raw
Ether(raw(ping_frame))   # re-dissect to check the frame; raw() replaces Python 2's str()
sendp(ping_frame, iface="eth1")