Reconnaissance: Scanning and DoSing with Scapy

In this article, we will study an open source tool called Scapy. Scapy is one packet manipulation tool similar to nmap and hping, but unlike these tools, Scapy is completely customizable.

This is not to say that nmap and hping cannot be modified, but their ability to edit is limited. Scapy, on the other hand, has almost no limit to how you can customize it. If you take some time to understand Scapy, you will see what a powerful tool it is.

scapy11

Understanding it

When using a tool like Scapy, nmap, hping and others, it is important to understand the structure of both the IP header and the TCP header. Without this fundamental knowledge of these protocols, it is like trying to fly an F-16 in a war zone without basic and fundamental flight training.

scapy

In addition, you should be familiar with the TCP header and data packets.

scapy1

The better you understand the structure of these headers and packets, the better hacker you will become. Otherwise, you will be limited to being one script kiddie with some powerful tools, but without the knowledge to use them effectively.

Scapy is also very flexible. It can be customized to do ARP spoofing, ARP cache poisoning, packet sniffing and like tcpdump and Wireshark, injecting 802.1 frames like aireplay-ng, and VoIP decoding like Cain and Abel. It is written in by Philipe Biondi and is capable of generating packets as well as decoding packets. Its syntax is a little difficult to understand, but its power makes it worth investing your time to learn.

In this article, I will try to introduce you to the syntax of Scapy first, and then we will use it for a simple DoS attack.

Step 1: Open Kali and run Scapy

Let's start by opening Kali and then a terminal and issue the following command:

kali > scapy

scapy2

It will show us a screen similar to the one above. Notice the “>>>” prompt. This indicates that Scapy is in interactive mode. All commands after that will be Scapy commands and will be interpreted by the Scapy interpreter.

Step 2: View the Scapy configuration file

Now that we're in the Scapy interpreter, let's type:

>>> conf

scapy3

As you can see in the screenshot above, Scapy displays the configuration file when we type “conf”. In a later guide, we'll work with this configuration file in Scapy, but for now, I just want you to know where it is.

Step 3: Create a package

The beauty of Scapy is its ability to custom build any package you can imagine. In general, your operating system's TCP/IP stack will generate an RFC-compliant packet every time you want to communicate over the Internet.

As hackers, we often want to create a custom/unique package that may not be RFC compliant for purposes of gathering information about our target (eg scanning) or possibly creating a DoS attack by creating a package that causes the collapse of the target's system (land attack, ping of death, fragroute, etc.).

So let's start by creating a simple IP packet. In Scapy, you first declare a variable that represents your package and then set the package attributes one by one. So here we define our package as “x” and then give x multiple attributes. Let's start by defining “x” as an IP packet with a TTL of 64.

>>> x=IP(ttl=64)

>>> x

scapy4

Notice that after I created the variable x and set it to an IP packet with a time-to-live (TTL) of 64, I then typed the variable x again and it responded with the value x. In this case, IP time to live = 64.

Now, let's add some additional attributes to this x variable, such as a source and destination IP address. The syntax is similar to Wireshark or Tcpdump. We present the source IP attribute with x.src and the destination IP attribute with x.dst followed by the value in double quotes ("").

>>> x.src=”192.168.1.101″

>>> x.dst=”192.168.1.122″

scapy5

Notice that after setting each value, I checked the value by simply retyping the variable followed by the attribute.

We have now created a package with the following features:

TTL = 64

Source IP is 192.168.1.101

IP is 192.168.1.122

We can check these by now typing the variable name, x, and Scapy will return our variable with its attributes.

scapy6

Step 4: Built-in functions

Scapy has a large number of built-in functions. We can enumerate these functions by typing:

>>> lsc()

scapy7

Since the list is too long to display on one screen, I've shown the first of these functions above and the last of these functions below. Note, some functions did not fit on either screen.

scapy8

Notice the “send” command on the first line of the second screenshot of the functions. This is what we use when we want to send a package. Let's use it to send the packet we created above named “x”, which has the attributes TTL=64, source IP address 192.168.1.101, and destination IP address 192.168.1.122. Of course, when we send this packet, it will go to the destination IP address and have a limit of 64 hops (TTL=64).

>>> send(x)

scapy9

As you can see, the specially configured packet x was sent to the destination IP address.

We can use Scapy to create a packet with almost any value in any field of the IP header or TCP header, such as size, flags, fragmentation field, acknowledgment value, sequence number etc .;

Step 5: Time to attack

I hope you now understand that Scapy can be used to manipulate any of the TCP/IP packet fields. We'll play with some of the other fields in a future guide I'll make for Scapy.

Now, let's use this feature to create a malicious packet and then send it to a target system. Windows Server 2003 (believe it or not, there are still thousands of 2003 servers out there - check Shodan, Censys or use Xprobe2 to find the operating system) is vulnerable to the “land” attack. This is a DoS attack that sends a large packet to the target with the same source and destination IP address but also the same source and destination port. It doesn't always crash the system, but it slows it down significantly. For network servers, slowing them down is essentially a DoS.

Let's perform a land attack on Scapy. Scapy can get all the features with a single command. So let's create the “land” attack packet and send it 2.000 times. We can do this by typing:

>>> send(IP(src=”192.168.1.122″, dst=”192.168.1.122″)/TCP(sport=135,dport=135), count=2000)

Let's analyze this command.

  • We send the order

  • IP defines the addressing protocol

  • src=”192.168.1.122″ is the source IP address

  • dst=”192.168.1.122″ is the destination IP address

  • The TCP defines the protocol for the ports

  • sport=135 sets the source port

  • dport=135 sets the destination port

  • count = 2000 defines the number of packets we want to send

scapy10

If these packages target a Windows Server 2003, they can crash the system or at least slow it down dramatically. When a server slows down, it essentially causes DoSes to the site.

Epilogue

Scapy is yet another powerful scanning and DoSing tool in your toolbox. Scapy is incredibly flexible, allowing us to multitask with this unique tool. It has an almost unlimited ability to create packets with any characteristics you can imagine and thus create a unique scanning technique and DoS attacks.

 

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
nmap, hping, Scapy, Reconnaissance

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).