# Forging packets with Scapy

From the [official documentation](http://scapy.readthedocs.io/en/latest/introduction.html):
>Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks.

Scapy come with an interactive shell (a REPL) that allows you to go step by step into forging, decoding, and sending your packets. It supports a variety of protocols from Layer 2 to Layer 4 and allows for great ease of manipulation and parameterization. The full list of protocols can be obtained using the `ls()` command. Both IPv4 and IPv6 protocols are supported.

The scapy project is now on Github: https://github.com/secdev/scapy/

## Installation
```
pip install scapy
```
The package will be installed in your user folder, and the `scapy` command and libraries should be available in your PATH. Fot the examples below, you should run scapy as `root` or with a user having `sudo` rights.


In [5]:
!pip install scapy==2.4.2



Check that everything went fine by importing the library

In [12]:
from scapy.all import *

## Some DIY examples

### Building a basic IP packet
With no parameterization, the default IP packet's TTL field is set to 64 (default from the Linux kernel, see `/proc/sys/net/ipv4/ip_default_ttl`), the src and dst ip addresses are set to `127.0.0.1`, and Checksum to `None`. The `ls` command tells us more about the fields that compose the IPv4 header.

In [16]:
! cat /proc/sys/net/ipv4/ip_default_ttl

64


Let's create an IP packet. It wil be initialised by the Linux kernel's default values for the IP packet fields.

In [14]:
pkt = IP()
pkt.show()

###[ IP ]### 
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = 0
  chksum    = None
  src       = 127.0.0.1
  dst       = 127.0.0.1
  \options   \



This is how you see the different fields in the IP layer

In [15]:
ls(IP)

version    : BitField (4 bits)                   = (4)
ihl        : BitField (4 bits)                   = (None)
tos        : XByteField                          = (0)
len        : ShortField                          = (None)
id         : ShortField                          = (1)
flags      : FlagsField (3 bits)                 = (<Flag 0 ()>)
frag       : BitField (13 bits)                  = (0)
ttl        : ByteField                           = (64)
proto      : ByteEnumField                       = (0)
chksum     : XShortField                         = (None)
src        : SourceIPField                       = (None)
dst        : DestIPField                         = (None)
options    : PacketListField                     = ([])


![Illustration](./iphdr.gif "ip header illustration")

In order to set specific fields of the IPv4 header, we simply specify the field and assciate a value to it.

In [17]:
pkt.dst = "192.168.1.1"
pkt.show()

###[ IP ]### 
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = 0
  chksum    = None
  src       = 172.17.0.2
  dst       = 192.168.1.1
  \options   \



We notice in our example that by changing the destination address to `192.168.1.1`, the source address also changed to `192.168.1.16`. The change in address for the src field is related to the scope of the dst address that we just set, which is global. The appropriate source address can be deduced by the following command (look at the `src` field of the result):

In [18]:
! ip route get 192.168.1.1

/bin/sh: 1: ip: not found


*NB.* You can see in the default IP packet that the `proto` field is set to `hopopt`, which is `RFC 8200, IPv6 Hop-by-Hop Option`. This is because the proto field is simply set to 0 as a default value, and this is interpreted as the unrelated hopopt protocol. This is made explicit thanks to the `ls(IP)` command that shows that proto is a ByteEnumField set to (0) by default.

### Build a packet from Layer 2 up
The second layer in the OSI model (L2 for short) is about Ethernet, and other less used protocols. The L2 Ethernet protocol handles the shared medium access and for that needs to uniquely identify every machine interface. This  identifier is called the `Media Access Control (MAC)` and is 48bits long.  Its uniqueness is guaranteed by the IEEE. The MAC contains a vendor part (24 bits) and a machine ID (24 bits). The MAC address is a pure identifier for the interface and does not bear topological significance (not a topological address): it says who the machine is but not where it is. This second part (location) is usually filed by a protocol called `Address Resolution Protocol (ARP)`

First things first: the default packet.

In [19]:
pkt = Ether()
pkt.show()

###[ Ethernet ]### 
  dst       = ff:ff:ff:ff:ff:ff
  src       = 02:42:ac:11:00:02
  type      = 0x9000



In [20]:
ls(Ether)

dst        : DestMACField                        = (None)
src        : SourceMACField                      = (None)
type       : XShortEnumField                     = (36864)


The destination address is set to a broadcast address (all ones), the source address is set to my WiFi interface MAC address (to which my default route is set), and the type is set to a default of : 0x9000 which is "Ethernet Configuration Testing Protocol" (see more on types [here](https://en.wikipedia.org/wiki/EtherType#Examples)).

Using the `ip neigh` command, I now have the MAC address of my router. I set the L2 packet dst address to it as follows:

In [22]:
pkt.dst = 'b0:b2:8f:76:c3:38'
pkt.display()

###[ Ethernet ]### 
  dst       = b0:b2:8f:76:c3:38
  src       = 02:42:ac:11:00:02
  type      = 0x9000



Let's build an IPv4 packet on top of it and see what happens:

In [23]:
pktL3 = pkt/IP(dst='192.168.1.1')
pktL3.show()

###[ Ethernet ]### 
  dst       = b0:b2:8f:76:c3:38
  src       = 02:42:ac:11:00:02
  type      = 0x800
###[ IP ]### 
     version   = 4
     ihl       = None
     tos       = 0x0
     len       = None
     id        = 1
     flags     = 
     frag      = 0
     ttl       = 64
     proto     = 0
     chksum    = None
     src       = 172.17.0.2
     dst       = 192.168.1.1
     \options   \



We can now see that the type changed to IPv4 (0x0800 - Internet Protocol version 4 (IPv4)) as we can see [here](https://en.wikipedia.org/wiki/EtherType#Examples).

### Send an ICMP ECHO request (PING) 
>The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.
We know (and love) the ICMP protocol for the ping(pong) command, and it is the first use of this protocol for a lot of network and system engineers, beginners and experts alike. Let's forge one of those using scapy.

In [24]:
ls(ICMP)

type       : ByteEnumField                       = (8)
code       : MultiEnumField (Depends on type)    = (0)
chksum     : XShortField                         = (None)
id         : XShortField (Cond)                  = (0)
seq        : XShortField (Cond)                  = (0)
ts_ori     : ICMPTimeStampField (Cond)           = (74195163)
ts_rx      : ICMPTimeStampField (Cond)           = (74195163)
ts_tx      : ICMPTimeStampField (Cond)           = (74195163)
gw         : IPField (Cond)                      = ('0.0.0.0')
ptr        : ByteField (Cond)                    = (0)
reserved   : ByteField (Cond)                    = (0)
length     : ByteField (Cond)                    = (0)
addr_mask  : IPField (Cond)                      = ('0.0.0.0')
nexthopmtu : ShortField (Cond)                   = (0)
unused     : ShortField (Cond)                   = (0)
unused     : IntField (Cond)                     = (0)


In [25]:
pktICMP=ICMP()
pktICMP.show()

###[ ICMP ]### 
  type      = echo-request
  code      = 0
  chksum    = None
  id        = 0x0
  seq       = 0x0



Since every field in the default packet is set to 0, the code field is also set to 0, whcih indicates an `Echo-Reply` type (see [here](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages)). Let's ping the router: 

In [26]:
pktPing = IP(dst="192.168.1.1")/ICMP()
pktPing.show()

###[ IP ]### 
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = 1
  chksum    = None
  src       = 172.17.0.2
  dst       = 192.168.1.1
  \options   \
###[ ICMP ]### 
     type      = echo-request
     code      = 0
     chksum    = None
     id        = 0x0
     seq       = 0x0



In [27]:
resp = srloop(pktPing, count = 5)

 end...

PermissionError: [Errno 1] Operation not permitted

In the example above, I forged an ICMP Echo packet (ping request) and sent it 5 times to the router. We can see that the router responded to my requests (Echo reply), as it shows at each step of the loop and the final hit rate (100%). In another terminal, I sniff the sent packets to see how they look. This is the result:

In [29]:
s = sniff(count=10, filter="icmp and ip host 192.168.1.1")

PermissionError: [Errno 1] Operation not permitted

In [30]:
s
s[0]

NameError: name 's' is not defined

Here you can see the full Ping and Pong packets. We can see that the sequence number in the Ping packets does not increment. This is something that does the official ping utility in any OS, as specificied by the ICMP RFC. We can also see how the scapy and the system filled out the appropriate values for the IP header and the L2 header.

Let's count how many hops separate my machine from the google server at `216.58.206.238`. We are going to gradually increment the TTL from 0 to the appropriate value, as follows:

In [32]:
exit_loop=False
i = 0
while  i < 64 and not exit_loop:
    pktPing = IP(dst="216.58.206.238", ttl=i)/ICMP()
    rep,non_rep = sr(pktPing)
    if rep[0][1].type == 11:
        print ('Incrementing ttl to '+str(i+1))
        i = i + 1
    else:
        print ('TTL is '+str(i))
        exit_loop = True
    time.sleep(1)

PermissionError: [Errno 1] Operation not permitted

The announced TTL is 9. You can check with the traceroute tool.

### Have a look at your network configuration

This is usually done using the `ip` utility from Linux. We have seen earlier that the utility shows information contained in /sys, /proc/sys/net, and /proc/net folders of the Linux system. Using Scapy, here is how it looks:

In [33]:
conf

ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi object at 0x7f053976f208>
BTsocket   = <BluetoothRFCommSocket: read/write packets on a connected L2CAP...
L2listen   = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket   = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket   = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
USBsocket  = None
auto_crop_tables = True
auto_fragment = 1
cache_iflist = {}
cache_in6_getifaddr = []
cache_ipaddrs = {}
checkIPID  = 0
checkIPaddr = 1
checkIPinIP = True
checkIPsrc = 1
check_TCPerror_seqack = 0
color_theme = <NoTheme>
commands   = IPID_count : Identify IP id values classes in a list of packets...
contribs   = {}
crypto_valid = True
crypto_valid_advanced = True
crypto_valid_recent = True
debug_dissector = 0
debug_match = 0
debug_tls  = 0
default_l2 = <class 'scapy.packet.Raw'>
dot15d4_protocol = None
emph       = <Emphasize []>
ethertypes

This configuration is the one from my system, it may differ in yours. We can for example have a look at the routing table:

In [34]:
conf.route

Network     Netmask      Gateway     Iface  Output IP   Metric
0.0.0.0     0.0.0.0      172.17.0.1  eth0   172.17.0.2  0
127.0.0.0   255.0.0.0    0.0.0.0     lo     127.0.0.1   1
172.17.0.0  255.255.0.0  0.0.0.0     eth0   172.17.0.2  0

### Build an IPv6 router sollicitation packet
Credits go to this [page](https://samsclass.info/124/proj11/proj9xN-scapy-ra.html).
In the Neighbor discovery protocol, the Router Advertisement is the packet sent by the router providing the prefix for auto-configuration. In our experiment, we are going to build one of those packets and send it over the network.


We build the ICMPv6 Neighbor Discovery Router Advertisement packet by stacking: the IPv6 header with a destination address of `ff02::1`, a Router Advertisement header with the default values, a linklyaer option (to indicate the MAC address of the Router), the MTU option (default is 1280 for IPv6), and the announced prefix (I a going to announce "ded::/64").

In [36]:
v6 = IPv6(dst='ff02::1')
v6.show()

###[ IPv6 ]### 
  version   = 6
  tc        = 0
  fl        = 0
  plen      = None
  nh        = No Next Header
  hlim      = 64
  src       = ::
  dst       = ff02::1



In [40]:
ra = ICMPv6ND_RA()
ra.show()

###[ ICMPv6 Neighbor Discovery - Router Advertisement ]### 
  type      = Router Advertisement
  code      = 0
  cksum     = None
  chlim     = 0
  M         = 0
  O         = 0
  H         = 0
  prf       = High
  P         = 0
  res       = 0
  routerlifetime= 1800
  reachabletime= 0
  retranstimer= 0



In [41]:
llopt = ICMPv6NDOptSrcLLAddr(lladdr="c4:85:08:be:5c:5d")
llopt.show()

###[ ICMPv6 Neighbor Discovery Option - Source Link-Layer Address ]### 
  type      = 1
  len       = 1
  lladdr    = c4:85:08:be:5c:5d



In [42]:
d = ICMPv6NDOptMTU() 
e = ICMPv6NDOptPrefixInfo(prefixlen = 64, prefix = "dead::")
e.show()

###[ ICMPv6 Neighbor Discovery Option - Prefix Information ]### 
  type      = 3
  len       = 4
  prefixlen = 64
  L         = 1
  A         = 1
  R         = 0
  res1      = 0
  validlifetime= 0xffffffff
  preferredlifetime= 0xffffffff
  res2      = 0x0
  prefix    = dead::



In [43]:
send(v6/ra/llopt/d/e)

PermissionError: [Errno 1] Operation not permitted

This wireshark capture shows the router advertisement packet and two solicitations in my network to auto-configure an address in the subnet (probably my phone and my router).
![alt text](./ipv6-ra.png "IPv6 Router Advertisement packet")