Monday, July 15, 2013

Let's send a packet without the PING command - Introducing Scapy

What's Scapy?
It's a packet manipulation tool. One can forge, send and receive packets of a large number of protocols. It is useful for sending probes and receiving the replies for further analysis. Scapy handles many classical tasks such as:
  • probing
  • tracerouting
  • scanning
  • network discovery

Why use this when we already have nmap, hping, arpspoof and other network analysis tools?

First, with most other tools, you won't build something the author did not imagine. These tools have been built for a specific goal and can't deviate much from it. For example, an ARP cache poisoning program won't let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.

Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say "this port is open" instead of "I received a SYN-ACK". Sometimes they are right. Sometimes not. It's easier for beginners, but when you know what you're doing, you keep on trying to deduce what really happened from the program's interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed. 

Third, even programs which only decode do not give you all the information they received. The vision of the network they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the padding?

Scapy tries to overcome those problems. It enables you to build exactly the packets you want. Even if I think stacking an 802.1q layer on top of TCP makes no sense, it may make some for somebody else working on some product I don't know. Scapy has a flexible model that tries to avoid such arbitrary limits. You're free to put any value you want in any field you want, and stack them like you want. You're an adult after all.
In fact, it's like building a new tool each time, but instead of dealing with a hundred line C program, you only write 2 lines of Scapy. 

After a probe (scan, traceroute, etc.) Scapy always gives you the full decoded packets from the probe, before any interpretation. That means that you can probe once and interpret many times, ask for a traceroute and look at the padding for instance.


Let's create one ICMP echo packet and send it to our guest without using the ping command.



The first step is to start Scapy, which is installed by default in Kali Linux. Just type scapy and you are done; Scapy will run.

#scapy


Opening Scapy in Kali Linux
Now we need to create an IP packet, so we enter this command:

#chintan=IP()

Here I am using the built-in IP() class to create the packet. After creating it we want to see what is inside, so let's inspect the packet with the command below.

#chintan.show()

Creating IP Packet
If you are just starting out with Scapy, an obvious question is which types of packets Scapy supports. You do not need to worry about that: simply type the command below to list all the supported packet types.

#ls()

Watching list of all supported packets

Our task is to send a ping request, which means we need to send an ICMP echo request packet to our guest or victim. So let's create an ICMP echo packet; for that we call the ICMP() class.

#icmp=ICMP()

After creating the ICMP packet, let's check what is inside it.

#icmp.show()

Creating and watching ICMP packet
As we saw, the destination address in our chintan packet is 127.0.0.1, which is localhost, and we do not want that. So I am changing the destination address to my router's address, which is probably 192.168.0.1. The command to do so is as follows:

#chintan.dst="192.168.0.1"

where chintan is our packet's name, dst is the destination field, and we are setting the value of that field.

Now let's look at the packet again with the command below:

#chintan.show()

Changing destination address in chintan packet
Now it is time to send the packet, using the following command:

#send(chintan/icmp)

Sending packet
As we can see in the picture, one packet has been sent.
To confirm in real time whether the packet was actually sent, let's run Wireshark. I will set it to capture traffic on my eth0 interface. The picture is as follows:


The picture below shows that no packets appear in Wireshark yet, as we have not sent any.

The picture below shows that as soon as we send a packet it is captured and displayed in Wireshark.

Sending and confirming echo packet
In the Info column of both packets we can see that the first is the echo request to the destination 192.168.0.1 and the second is my router's echo reply to 192.168.41.145, which is my eth0 IP address.

Sending more packets

As we send more packets we get more replies. This is how we can send and receive packets without using the ping command.
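As an added example (not code from the original post or from Scapy), here is what chintan/icmp, i.e. IP(dst="192.168.0.1")/ICMP() with Scapy's defaults, actually puts on the wire, built by hand in plain Python, together with a decoder that reports the reply's raw fields and any trailing padding instead of interpreting them. The source address 192.168.41.145 is the author's eth0 address from the post; the echo reply is constructed for the example, not captured.

```python
import struct
from socket import inet_aton, inet_ntoa

# Constructed addresses for the example: the router address used in the post and
# the author's eth0 address; nothing here was captured from a real network.
SRC = "192.168.41.145"
DST = "192.168.0.1"

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, shared by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_echo(icmp_type: int = 8, ident: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """Bytes Scapy's ICMP() emits with its defaults: type 8 (echo request), code 0, id 0, seq 0.
    Pass icmp_type=0 to build the matching echo reply."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Bytes Scapy's IP(dst=...)/ICMP() emits: 20-byte header, id 1, ttl 64, proto 1 (ICMP)."""
    fields = [0x45, 0, 20 + len(payload), 1, 0, ttl, 1, 0, inet_aton(src), inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))   # header checksum slot
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def decode(packet: bytes) -> dict:
    """Decode, do not interpret: return the raw IP/ICMP fields and any trailing
    bytes past the IP total length (padding, e.g. from a minimum-size Ethernet frame)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": inet_ntoa(packet[12:16]), "dst": inet_ntoa(packet[16:20]),
            "ip_checksum_ok": checksum(packet[:ihl]) == 0,
            "type": icmp_type, "code": code, "id": ident, "seq": seq,
            "icmp_checksum_ok": checksum(icmp) == 0, "padding": packet[total_len:]}

if __name__ == "__main__":
    request = ipv4(SRC, DST, icmp_echo())          # what send(chintan/icmp) puts on the wire
    print(request.hex())
    # A reply as the router would send it, arriving in a padded Ethernet frame.
    reply = ipv4(DST, SRC, icmp_echo(icmp_type=0)) + b"\x00" * 18
    print(decode(reply))
```

Compare the printed hex with Wireshark's bytes pane for the captured request: the only difference you should see is the IP id, which Scapy fixes at 1 while the ping command increments it.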


Reference: Scapy
