# Scapy Intro
- https://thepacketgeek.com/
- http://scapy.readthedocs.io/en/latest/usage.html
- Introduction - https://scapy.readthedocs.io/en/latest/introduction.html#quick-demo
- other Jupyter notebooks: https://github.com/secdev/scapy/tree/master/doc/notebooks


- Scapy is a powerful Python-based interactive packet manipulation program and library
- can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more

- can be run in two different modes:
    - interactively as in these notebook demos or from a terminal window similar to interactive python
    - programmatically from a Python script to create your own tools


## Run jupyter notebook as root in order to run priviledged scapy commands

```bash
$ sudo jupyter notebook --allow-root
```

### Most common commands
- lsc() - list all the scapy commands
- ls() - list all the supported protocols
- send(), - sniff(), - sr*() 

In [1]:
from scapy.all import *

In [2]:
# if you see No module name scapy found, install scapy
! pip install --pre scapy

You should consider upgrading via the '/usr/bin/python3 -m pip install --upgrade pip' command.[0m


In [3]:
# scapy configuration
conf.verb=1
conf.color_theme = RastaTheme()

In [4]:
# see all the config setting
help(conf)

Help on Conf in module scapy.config object:

class Conf(ConfClass)
 |  This object contains the configuration of Scapy.
 |  
 |  Method resolution order:
 |      Conf
 |      ConfClass
 |      builtins.object
 |  
 |  Methods defined here:
 |  
 |  __getattr__(self, attr)
 |  
 |  ----------------------------------------------------------------------
 |  Data descriptors defined here:
 |  
 |  color_theme
 |  
 |  logLevel
 |  
 |  prompt
 |  
 |  use_bpf
 |  
 |  use_pcap
 |  
 |  use_pypy
 |  
 |  version
 |  
 |  ----------------------------------------------------------------------
 |  Data and other attributes defined here:
 |  
 |  ASN1_default_codec = None
 |  
 |  AS_resolver = None
 |  
 |  BTsocket = None
 |  
 |  L2listen = None
 |  
 |  L2socket = None
 |  
 |  L3socket = None
 |  
 |  L3socket6 = None
 |  
 |  USBsocket = None
 |  
 |  auto_crop_tables = True
 |  
 |  auto_fragment = True
 |  
 |  bufsize = 65536
 |  
 |  cache_iflist = {}
 |  
 |  checkIPID = False
 |  
 

In [5]:
# list all the scapy commands
lsc()

IPID_count          : Identify IP id values classes in a list of packets
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
arpleak             : Exploit ARP leak flaws, like NetBSD-SA2017-002.
bind_layers         : Bind 2 layers on some specific fields' values.
bridge_and_sniff    : Forward traffic between interfaces if1 and if2, sniff and return
chexdump            : Build a per byte hexadecimal representation
computeNIGroupAddr  : Compute the NI group Address. Can take a FQDN as input parameter
corrupt_bits        : 
corrupt_bytes       : 
defrag              : defrag(plist) -> ([not fragmented], [defragmented],
defragment          : defragment(plist) -> plist defragmented as much as possible 
dhcp_request        : Send a DHCP discover request and return the answer
dyndns_add          : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del         

In [6]:
# list all the supported protocols
ls()

AH         : AH
AKMSuite   : AKM suite
ARP        : ARP
ASN1P_INTEGER : None
ASN1P_OID  : None
ASN1P_PRIVSEQ : None
ASN1_Packet : None
ATT_Error_Response : Error Response
ATT_Exchange_MTU_Request : Exchange MTU Request
ATT_Exchange_MTU_Response : Exchange MTU Response
ATT_Execute_Write_Request : Execute Write Request
ATT_Execute_Write_Response : Execute Write Response
ATT_Find_By_Type_Value_Request : Find By Type Value Request
ATT_Find_By_Type_Value_Response : Find By Type Value Response
ATT_Find_Information_Request : Find Information Request
ATT_Find_Information_Response : Find Information Response
ATT_Handle : ATT Short Handle
ATT_Handle_UUID128 : ATT Handle (UUID 128)
ATT_Handle_Value_Indication : Handle Value Indication
ATT_Handle_Value_Notification : Handle Value Notification
ATT_Handle_Variable : None
ATT_Hdr    : ATT header
ATT_Prepare_Write_Request : Prepare Write Request
ATT_Prepare_Write_Response : Prepare Write Response
ATT_Read_Blob_Request : Read Blob Request
ATT_Read_Blob

In [8]:
# count argument value will sniff that many packets
# Note: generate some packets, from terminal, browser etc.
pkt = sniff(count=2)

In [9]:
type(pkt)

scapy.plist.PacketList

In [10]:
pkt

[31m<[0m[32m[1m[31m[1mSniffed[0m[32m[1m[31m:[0m[32m[1m [33m[1mTCP[0m[32m[1m[31m:[0m[32m[1m[32m[1m0[0m[32m[1m [33m[1mUDP[0m[32m[1m[31m:[0m[32m[1m[32m[1m2[0m[32m[1m [33m[1mICMP[0m[32m[1m[31m:[0m[32m[1m[32m[1m0[0m[32m[1m [33m[1mOther[0m[32m[1m[31m:[0m[32m[1m[32m[1m0[0m[32m[1m[31m>[0m[32m[1m

In [11]:
pkt[0].summary()

'Ether / IP / UDP / DNS Qry "b\'picoctf.org.\'" '

In [41]:
ls(Ether)

dst        : DestMACField                        = (None)
src        : SourceMACField                      = (None)
type       : XShortEnumField                     = (36864)


In [42]:
ls(IP)

version    : BitField (4 bits)                   = (4)
ihl        : BitField (4 bits)                   = (None)
tos        : XByteField                          = (0)
len        : ShortField                          = (None)
id         : ShortField                          = (1)
flags      : FlagsField (3 bits)                 = (<Flag 0 ()>)
frag       : BitField (13 bits)                  = (0)
ttl        : ByteField                           = (64)
proto      : ByteEnumField                       = (0)
chksum     : XShortField                         = (None)
src        : SourceIPField                       = (None)
dst        : DestIPField                         = (None)
options    : PacketListField                     = ([])


In [43]:
ls(UDP)

sport      : ShortEnumField                      = (53)
dport      : ShortEnumField                      = (53)
len        : ShortField                          = (None)
chksum     : XShortField                         = (None)


In [44]:
ls(TCP)

sport      : ShortEnumField                      = (20)
dport      : ShortEnumField                      = (80)
seq        : IntField                            = (0)
ack        : IntField                            = (0)
dataofs    : BitField (4 bits)                   = (None)
reserved   : BitField (3 bits)                   = (0)
flags      : FlagsField (9 bits)                 = (<Flag 2 (S)>)
window     : ShortField                          = (8192)
chksum     : XShortField                         = (None)
urgptr     : ShortField                          = (0)
options    : TCPOptionsField                     = ([])


## Under the Hood
- Scapy uses Python dictionaries as the data structures for packets. 
- Each packet is a collection of nested dictionaries with each layer being a child dictionary of the previous layer, built from the lowest layer up. E.g.
    - Ether | IP | ICMP <br><br>
    - Each field (such as the Ethernet ‘dst’ value or ICMP ‘type’ value) is a key:value pair in the appropriate layer. 
    - These fields (and nested layers) are all mutable so we can reassign them in place using the assignment operator.

In [45]:
ip = IP()
ip.show()

[31m###[[0m[32m[1m [31m[1mIP[0m[32m[1m [31m]###[0m[32m[1m 
  [33m[1mversion[0m[32m[1m[31m=[0m[32m[1m [32m[1m4[0m[32m[1m
  [33m[1mihl[0m[32m[1m[31m=[0m[32m[1m [32m[1mNone[0m[32m[1m
  [33m[1mtos[0m[32m[1m[31m=[0m[32m[1m [32m[1m0x0[0m[32m[1m
  [33m[1mlen[0m[32m[1m[31m=[0m[32m[1m [32m[1mNone[0m[32m[1m
  [33m[1mid[0m[32m[1m[31m=[0m[32m[1m [32m[1m1[0m[32m[1m
  [33m[1mflags[0m[32m[1m[31m=[0m[32m[1m [32m[1m[0m[32m[1m
  [33m[1mfrag[0m[32m[1m[31m=[0m[32m[1m [32m[1m0[0m[32m[1m
  [33m[1mttl[0m[32m[1m[31m=[0m[32m[1m [32m[1m64[0m[32m[1m
  [33m[1mproto[0m[32m[1m[31m=[0m[32m[1m [32m[1mhopopt[0m[32m[1m
  [33m[1mchksum[0m[32m[1m[31m=[0m[32m[1m [32m[1mNone[0m[32m[1m
  [32msrc[0m[32m[1m[31m=[0m[32m[1m [32m127.0.0.1[0m[32m[1m
  [32mdst[0m[32m[1m[31m=[0m[32m[1m [32m127.0.0.1[0m[32m[1m
  \[33m[1moptions[0m[32m[1m\



In [15]:
ip.src = "192.168.47.100" # some spoofed IP?
ip.ttl = 32 # hop limit that limits the lifespan or lieftime of packet in network
ip.show()

###[ IP ]### 
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 32
  proto     = hopopt
  chksum    = None
  src       = 192.168.47.100
  dst       = 127.0.0.1
  \options   \



## Packet summary and show method
- summary() gives packet summary
- show() method shows detail packet contents

In [17]:
pkts = sniff(count=50)
pkts

<Sniffed: TCP:34 UDP:11 ICMP:0 Other:5>

In [18]:
pkts[0].summary()

'Ether / IP / TCP 127.0.0.1:8889 > 127.0.0.1:36110 PA / Raw'

In [19]:
pkts[0].show()

###[ Ethernet ]### 
  dst       = 00:00:00:00:00:00
  src       = 00:00:00:00:00:00
  type      = 0x800
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 646
     id        = 7544
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x1cf8
     src       = 127.0.0.1
     dst       = 127.0.0.1
     \options   \
###[ TCP ]### 
        sport     = 8889
        dport     = 36110
        seq       = 52736345
        ack       = 2986752751
        dataofs   = 8
        reserved  = 0
        flags     = PA
        window    = 672
        chksum    = 0x7b
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (15895870, 15895868))]
###[ Raw ]### 
           load      = '\x81~\x02N{"metadata": {}, "content": {"execution_state": "busy"}, "msg_type": "status", "header": {"msg_type": "status", "username": "root", "msg_id": "6474a765-3fb332b19265cfbe987cd7af", "session": "dab105dc-9b5

## Digging into Packets Layer by Layer

In [20]:
pkts[0]['Ethernet'].show()

###[ Ethernet ]### 
  dst       = 00:00:00:00:00:00
  src       = 00:00:00:00:00:00
  type      = 0x800
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 646
     id        = 7544
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x1cf8
     src       = 127.0.0.1
     dst       = 127.0.0.1
     \options   \
###[ TCP ]### 
        sport     = 8889
        dport     = 36110
        seq       = 52736345
        ack       = 2986752751
        dataofs   = 8
        reserved  = 0
        flags     = PA
        window    = 672
        chksum    = 0x7b
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (15895870, 15895868))]
###[ Raw ]### 
           load      = '\x81~\x02N{"metadata": {}, "content": {"execution_state": "busy"}, "msg_type": "status", "header": {"msg_type": "status", "username": "root", "msg_id": "6474a765-3fb332b19265cfbe987cd7af", "session": "dab105dc-9b5

In [21]:
pkts[0]['Ethernet']['IP'].show()

###[ IP ]### 
  version   = 4
  ihl       = 5
  tos       = 0x0
  len       = 646
  id        = 7544
  flags     = DF
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = 0x1cf8
  src       = 127.0.0.1
  dst       = 127.0.0.1
  \options   \
###[ TCP ]### 
     sport     = 8889
     dport     = 36110
     seq       = 52736345
     ack       = 2986752751
     dataofs   = 8
     reserved  = 0
     flags     = PA
     window    = 672
     chksum    = 0x7b
     urgptr    = 0
     options   = [('NOP', None), ('NOP', None), ('Timestamp', (15895870, 15895868))]
###[ Raw ]### 
        load      = '\x81~\x02N{"metadata": {}, "content": {"execution_state": "busy"}, "msg_type": "status", "header": {"msg_type": "status", "username": "root", "msg_id": "6474a765-3fb332b19265cfbe987cd7af", "session": "dab105dc-9b5a6f9b661a8138269a7a40", "date": "2018-09-18T04:45:10.866197Z", "version": "5.3"}, "msg_id": "6474a765-3fb332b19265cfbe987cd7af", "parent_header": {"msg_type": "execute_request", "

In [22]:
pkts[0]['Ethernet']['IP']['TCP']

<TCP  sport=8889 dport=36110 seq=52736345 ack=2986752751 dataofs=8 reserved=0 flags=PA window=672 chksum=0x7b urgptr=0 options=[('NOP', None), ('NOP', None), ('Timestamp', (15895870, 15895868))] |<Raw  load='\x81~\x02N{"metadata": {}, "content": {"execution_state": "busy"}, "msg_type": "status", "header": {"msg_type": "status", "username": "root", "msg_id": "6474a765-3fb332b19265cfbe987cd7af", "session": "dab105dc-9b5a6f9b661a8138269a7a40", "date": "2018-09-18T04:45:10.866197Z", "version": "5.3"}, "msg_id": "6474a765-3fb332b19265cfbe987cd7af", "parent_header": {"msg_type": "execute_request", "msg_id": "5898220f304a442983f260f6ff66468e", "username": "username", "session": "bd4ca94fd7784be787f70a2eaa82db02", "date": "2018-09-18T04:45:10.864600Z", "version": "5.2"}, "channel": "iopub", "buffers": []}' |>>

In [23]:
pkts[0]['IP'].ttl

64

In [24]:
pkts[30]['ICMP'].type

IndexError: Layer ['ICMP'] not found

## Packet .command() Method
- .command() method retuns a string of the command necessary to recreate that packet

In [25]:
pkts[2].command()

"Ether(type=2048, dst='00:00:00:00:00:00', src='00:00:00:00:00:00')/IP(len=52, options=[], ihl=5, src='127.0.0.1', frag=0, tos=0, dst='127.0.0.1', version=4, chksum=31086, id=50003, flags=2, proto=6, ttl=64)/TCP(dport=8889, seq=2986752751, window=3625, sport=36110, chksum=65064, dataofs=8, urgptr=0, flags=16, reserved=0, ack=52736939, options=[('NOP', None), ('NOP', None), ('Timestamp', (15895882, 15895870))])"

In [26]:
newPkt = pkts[2]
# or 
# newPkt = eval(pkts[2].command())

In [27]:
newPkt

<Ether  dst=00:00:00:00:00:00 src=00:00:00:00:00:00 type=0x800 |<IP  version=4 ihl=5 tos=0x0 len=52 id=50003 flags=DF frag=0 ttl=64 proto=tcp chksum=0x796e src=127.0.0.1 dst=127.0.0.1 options=[] |<TCP  sport=36110 dport=8889 seq=2986752751 ack=52736939 dataofs=8 reserved=0 flags=A window=3625 chksum=0xfe28 urgptr=0 options=[('NOP', None), ('NOP', None), ('Timestamp', (15895882, 15895870))] |>>>

## Configuration
- conf - global conf object that has all the configuration relevant to scapy

## Using Scapy with Python
- more detail examples later

In [57]:
count = 0
for packet in pkts:
    #print(packet.summary())
    if (packet.haslayer(ICMP)):
        count += 1
        print("ICMP code: "+ str(packet.getlayer(ICMP).code))
    else:
        print(packet.summary())
print('Total ICMP packets: {}'.format(count))

Ether / IP / TCP 127.0.0.1:46361 > 127.0.0.1:48226 A
Ether / IP / TCP 127.0.0.1:46361 > 127.0.0.1:48226 A
Ether / IPv6 / TCP ::1:58804 > ::1:8888 A
Ether / IPv6 / TCP ::1:58804 > ::1:8888 A
Ether / IPv6 / TCP ::1:8888 > ::1:58804 PA / Raw
Ether / IPv6 / TCP ::1:8888 > ::1:58804 PA / Raw
Ether / IPv6 / TCP ::1:58804 > ::1:8888 A
Ether / IPv6 / TCP ::1:58804 > ::1:8888 A
Ether / IPv6 / TCP ::1:59280 > ::1:8888 PA / Raw
Ether / IPv6 / TCP ::1:59280 > ::1:8888 PA / Raw
Ether / IPv6 / TCP ::1:8888 > ::1:59280 A
Ether / IPv6 / TCP ::1:8888 > ::1:59280 A
Ether / IPv6 / TCP ::1:8888 > ::1:59280 PA / Raw
Ether / IPv6 / TCP ::1:8888 > ::1:59280 PA / Raw
Ether / IPv6 / TCP ::1:59280 > ::1:8888 A
Ether / IPv6 / TCP ::1:59280 > ::1:8888 A
ICMP code: 0
ICMP code: 0
ICMP code: 0
ICMP code: 0
Ether / ARP who has 192.168.231.2 says 192.168.231.131
Ether / ARP is at 00:50:56:f9:21:6d says 192.168.231.2 / Padding
ICMP code: 0
ICMP code: 0
ICMP code: 0
ICMP code: 0
ICMP code: 0
ICMP code: 0
ICMP code: 0
I