Friday, August 2, 2013

Scapy - Packet Crafting

Prerequisite : a basic understanding of the network layers and of the networking protocols whose packets you would like to craft.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

It is written in Python and comes pre-installed on BackTrack 4+. On Ubuntu it can be installed with:

sudo apt-get install scapy

To start Scapy, run sudo scapy (as a normal user) or just scapy (as root).

Basic commands

ls() : displays the list of supported protocols

ls(IP) : shows the fields of the IP layer

lsc() : displays the list of available commands in Scapy.

Some of the important commands for sending & receiving packets :
sr     : Send and receive packets at layer 3
sr1    : Send packets at layer 3 and return only the first answer
srp    : Send and receive packets at layer 2
srp1   : Send and receive packets at layer 2 and return only the first answer
srloop : Send a packet at layer 3 in a loop and print the answer each time
 

Demo 1 : ICMP request
 
Create 3 variables : E for Ethernet, I for IP, icmp for ICMP
 
 >>>E=Ether()
 >>>I=IP()
 >>>icmp=ICMP()
 
To see the fields of each protocol use : <var>.show()
ex : >>>I.show()

To set a protocol field use : <var>.<field>=value
ex : >>>I.src='192.168.0.1'
Note: Don't set fields whose values are calculated from the packet content, for example chksum. If you set such a field by hand, Scapy keeps your value and does not recompute it.
To see their calculated values use show2() instead of show(), which builds the packet first.

Set the fields to the values as specified below
To send packet
>>>srp1(E/I/icmp)
This sends the frame at Layer 2 and shows the first packet received.
Use Wireshark to capture and analyze the packets. Since the Ethernet fields are specified here, no ARP is used; just an ICMP request and reply are captured.


Demo 2 : TCP-SYN
Create 2 variables : I for IP, T for TCP

 >>>I=IP()
 >>>T=TCP()
 
Set the fields to the values as specified below
To send packet
>>>sr1(I/T)

This sends the packet at Layer 3 and shows the first packet received.
Use Wireshark to capture and analyze the packets. Since the Ethernet fields are not specified here, ARP is used. An ARP request and reply along with the ICMP request and reply are captured.
