# Scapy Intro
- https://thepacketgeek.com/
- http://scapy.readthedocs.io/en/latest/usage.html
- Introduction - https://scapy.readthedocs.io/en/latest/introduction.html#quick-demo
- other Jupyter notebooks: https://github.com/secdev/scapy/tree/master/doc/notebooks


- Scapy is a powerful Python-based interactive packet manipulation program and library
- can be used to forge or decode packets for a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more

- can be run in two different modes:
    - interactively as in these notebook demos or from a terminal window similar to interactive python
    - programmatically from a Python script to create your own tools


## Run jupyter notebook as root in order to run priviledged scapy commands

```bash
$ sudo jupyter notebook --allow-root
```
- if the above command doesn't work do the following

```bash
$ pip install notebook
$ sudo -E python -m notebook --allow-root
```

### Most common commands
- lsc() - list all the scapy commands
- ls() - list all the supported protocols
- send(), - sniff(), - sr*() 

In [2]:
from scapy.all import *

In [None]:
# if you see No module name scapy found, install scapy
! pip install --pre scapy

In [3]:
conf

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x7fffd19026d0>
BTsocket   = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen   = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket   = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket   = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
L3socket6  = functools.partial(<L3PacketSocket: read/write packets at layer ...
USBsocket  = None
auto_crop_tables = True
auto_fragment = True
bufsize    = 65536
cache_pcapiflist = {}
checkIPID  = False
checkIPaddr = True
checkIPinIP = True
checkIPsrc = True
check_TCPerror_seqack = False
color_theme = <NoTheme>
commands   = IPID_count : Identify IP id values classes in a list of packets...
contribs   = {}
crypto_valid = True
crypto_valid_advanced = True
debug_dissector = False
debug_match = False
debug_tls  = False
default_l2 = <class 'scapy.packet.Raw'>
d

In [5]:
conf.verb

2

In [6]:
# scapy configuration
conf.verb=1
conf.color_theme = RastaTheme()

In [7]:
# see all the config setting
help(conf)

Help on Conf in module scapy.config object:

class Conf(ConfClass)
 |  This object contains the configuration of Scapy.
 |  
 |  Method resolution order:
 |      Conf
 |      ConfClass
 |      builtins.object
 |  
 |  Methods defined here:
 |  
 |  __getattribute__(self, attr)
 |      Return getattr(self, name).
 |  
 |  ----------------------------------------------------------------------
 |  Data descriptors defined here:
 |  
 |  color_theme
 |  
 |  iface
 |  
 |  logLevel
 |  
 |  prompt
 |  
 |  use_bpf
 |  
 |  use_pcap
 |  
 |  use_pypy
 |  
 |  version
 |  
 |  ----------------------------------------------------------------------
 |  Data and other attributes defined here:
 |  
 |  ASN1_default_codec = None
 |  
 |  AS_resolver = None
 |  
 |  BTsocket = None
 |  
 |  L2listen = None
 |  
 |  L2socket = None
 |  
 |  L3socket = None
 |  
 |  L3socket6 = None
 |  
 |  USBsocket = None
 |  
 |  auto_crop_tables = True
 |  
 |  auto_fragment = True
 |  
 |  bufsize = 65536
 |  

In [8]:
# list all the scapy commands
lsc()

IPID_count            : Identify IP id values classes in a list of packets
arp_mitm              : ARP MitM: poison 2 target's ARP cache
arpcachepoison        : Poison targets' ARP cache
arping                : Send ARP who-has requests to determine which hosts are up
arpleak               : Exploit ARP leak flaws, like NetBSD-SA2017-002.
bind_layers           : Bind 2 layers on some specific fields' values.
bridge_and_sniff      : Forward traffic between interfaces if1 and if2, sniff and return
chexdump              : Build a per byte hexadecimal representation
computeNIGroupAddr    : Compute the NI group Address. Can take a FQDN as input parameter
corrupt_bits          : Flip a given percentage (at least one bit) or number of bits
corrupt_bytes         : Corrupt a given percentage (at least one byte) or number of bytes
defrag                : defrag(plist) -> ([not fragmented], [defragmented],
defragment            : defragment(plist) -> plist defragmented as much as possible 
dhcp_r

In [9]:
# list all the supported protocols
ls()

AD_AND_OR  : None
AD_KDCIssued : None
AH         : AH
AKMSuite   : AKM suite
ARP        : ARP
ASN1P_INTEGER : None
ASN1P_OID  : None
ASN1P_PRIVSEQ : None
ASN1_Packet : None
ASN1_Packet : None
ATT_Error_Response : Error Response
ATT_Exchange_MTU_Request : Exchange MTU Request
ATT_Exchange_MTU_Response : Exchange MTU Response
ATT_Execute_Write_Request : Execute Write Request
ATT_Execute_Write_Response : Execute Write Response
ATT_Find_By_Type_Value_Request : Find By Type Value Request
ATT_Find_By_Type_Value_Response : Find By Type Value Response
ATT_Find_Information_Request : Find Information Request
ATT_Find_Information_Response : Find Information Response
ATT_Handle : ATT Short Handle
ATT_Handle_UUID128 : ATT Handle (UUID 128)
ATT_Handle_Value_Indication : Handle Value Indication
ATT_Handle_Value_Notification : Handle Value Notification
ATT_Handle_Variable : None
ATT_Hdr    : ATT header
ATT_Prepare_Write_Request : Prepare Write Request
ATT_Prepare_Write_Response : Prepare Write Respons

In [10]:
# count argument value will sniff that many packets
# Note: generate some packets, from terminal, browser etc.
pkt = sniff(count=2)

In [11]:
type(pkt)

scapy.plist.PacketList

In [12]:
pkt

[31m<[0m[32m[1m[31m[1mSniffed[0m[32m[1m[31m:[0m[32m[1m [33m[1mTCP[0m[32m[1m[31m:[0m[32m[1m[32m[1m0[0m[32m[1m [33m[1mUDP[0m[32m[1m[31m:[0m[32m[1m[32m[1m2[0m[32m[1m [33m[1mICMP[0m[32m[1m[31m:[0m[32m[1m[32m[1m0[0m[32m[1m [33m[1mOther[0m[32m[1m[31m:[0m[32m[1m[32m[1m0[0m[32m[1m[31m>[0m[32m[1m

In [15]:
pkt[0]

[31m<[0m[32m[1m[31m[1mEther[0m[32m[1m  [33m[1mdst[0m[32m[1m[31m=[0m[32m[1m[32m[1m00:50:56:f6:54:9a[0m[32m[1m [33m[1msrc[0m[32m[1m[31m=[0m[32m[1m[32m[1m00:0c:29:8a:20:62[0m[32m[1m [33m[1mtype[0m[32m[1m[31m=[0m[32m[1m[32m[1mIPv4[0m[32m[1m [31m|[0m[32m[1m[31m<[0m[32m[1m[31m[1mIP[0m[32m[1m  [33m[1mversion[0m[32m[1m[31m=[0m[32m[1m[32m[1m4[0m[32m[1m [33m[1mihl[0m[32m[1m[31m=[0m[32m[1m[32m[1m5[0m[32m[1m [33m[1mtos[0m[32m[1m[31m=[0m[32m[1m[32m[1m0x0[0m[32m[1m [33m[1mlen[0m[32m[1m[31m=[0m[32m[1m[32m[1m63[0m[32m[1m [33m[1mid[0m[32m[1m[31m=[0m[32m[1m[32m[1m6872[0m[32m[1m [33m[1mflags[0m[32m[1m[31m=[0m[32m[1m[32m[1mDF[0m[32m[1m [33m[1mfrag[0m[32m[1m[31m=[0m[32m[1m[32m[1m0[0m[32m[1m [33m[1mttl[0m[32m[1m[31m=[0m[32m[1m[32m[1m64[0m[32m[1m [33m[1mproto[0m[32m[1m[31m=[0m[32m[1m[32m[1mudp[0m[32m[1m [33m[1mchksum[0

In [16]:
pkt[1].summary()

'Ether / IP / UDP / DNS Ans "185.199.108.153" '

In [17]:
ls(Ether)

dst        : DestMACField                        = ('None')
src        : SourceMACField                      = ('None')
type       : XShortEnumField                     = ('36864')


In [18]:
ls(IP)

version    : BitField  (4 bits)                  = ('4')
ihl        : BitField  (4 bits)                  = ('None')
tos        : XByteField                          = ('0')
len        : ShortField                          = ('None')
id         : ShortField                          = ('1')
flags      : FlagsField                          = ('<Flag 0 ()>')
frag       : BitField  (13 bits)                 = ('0')
ttl        : ByteField                           = ('64')
proto      : ByteEnumField                       = ('0')
chksum     : XShortField                         = ('None')
src        : SourceIPField                       = ('None')
dst        : DestIPField                         = ('None')
options    : PacketListField                     = ('[]')


In [19]:
ls(UDP)

sport      : ShortEnumField                      = ('53')
dport      : ShortEnumField                      = ('53')
len        : ShortField                          = ('None')
chksum     : XShortField                         = ('None')


In [20]:
ls(TCP)

sport      : ShortEnumField                      = ('20')
dport      : ShortEnumField                      = ('80')
seq        : IntField                            = ('0')
ack        : IntField                            = ('0')
dataofs    : BitField  (4 bits)                  = ('None')
reserved   : BitField  (3 bits)                  = ('0')
flags      : FlagsField                          = ('<Flag 2 (S)>')
window     : ShortField                          = ('8192')
chksum     : XShortField                         = ('None')
urgptr     : ShortField                          = ('0')
options    : TCPOptionsField                     = ("b''")


## Under the Hood
- Scapy uses Python dictionaries as the data structures for packets. 
- Each packet is a collection of nested dictionaries with each layer being a child dictionary of the previous layer, built from the lowest layer up. E.g.
    - Ether | IP | ICMP <br><br>
    - Each field (such as the Ethernet ‘dst’ value or ICMP ‘type’ value) is a key:value pair in the appropriate layer. 
    - These fields (and nested layers) are all mutable so we can reassign them in place using the assignment operator.

In [None]:
ip = IP()
ip.show()

In [None]:
ip.src = "192.168.47.100" # some spoofed IP?
ip.ttl = 32 # hop limit that limits the lifespan or lieftime of packet in network
ip.show()

## Packet summary and show method
- summary() gives packet summary
- show() method shows detail packet contents

In [None]:
pkts = sniff(count=50)
pkts

In [None]:
pkts[0].summary()

In [None]:
pkts[0].show()

## Digging into Packets Layer by Layer

In [None]:
pkts[0]['Ethernet'].show()

In [None]:
pkts[0]['Ethernet']['IP'].show()

In [None]:
pkts[0]['Ethernet']['IP']['TCP']

In [None]:
pkts[0]['IP'].ttl

In [None]:
pkts[30]['ICMP'].type

## Packet .command() Method
- .command() method retuns a string of the command necessary to recreate that packet

In [None]:
pkts[2].command()

In [None]:
newPkt = pkts[2]
# or 
# newPkt = eval(pkts[2].command())

In [None]:
newPkt

## Configuration
- conf - global conf object that has all the configuration relevant to scapy

## Using Scapy with Python
- more detail examples later

In [None]:
count = 0
for packet in pkts:
    #print(packet.summary())
    if (packet.haslayer(ICMP)):
        count += 1
        print("ICMP code: "+ str(packet.getlayer(ICMP).code))
    else:
        print(packet.summary())
print('Total ICMP packets: {}'.format(count))