关于Scapy

About Scapy

关于Scapy

Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks.

Scapy是一个可以让用户发送、侦听和解析并伪装网络报文的Python程序。这些功能可以用于制作侦测、扫描和攻击网络的工具。

in other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump, and tshark).

换言之,Scapy 是一个强大的操纵报文的交互程序。它可以伪造或者解析多种协议的报文,还具有发送、捕获、匹配请求和响应这些报文以及更多的功能。Scapy 可以轻松地做到像扫描(scanning)、路由跟踪(tracerouting)、探测(probing)、单元测试(unit tests)、攻击(attacks)和发现网络(network discorvery)这样的传统任务。它可以代替hping,arpspoof,arp-sk,arping,p0f 甚至是部分的Namp,tcpdumptshark 的功能。

Scapy also performs very well on a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

Scapy 在大多数其它工具无法完成的特定任务中也表现优异,比如发送无效帧、添加自定义的802.11的侦、多技术的结合(跳跃攻击(VLAN hopping)+ARP缓存中毒(ARP cache poisoning)、在WEP加密信道(WEP encrypted channel)上的VOIP解码(VOIP decoding))等等。

The idea is simple. Scapy mainly does two things: sending packets and receiving answers. You define a set of packets, it sends them, receives answers, matches requests with answers and returns a list of packet couples (request, answer) and a list of unmatched packets. This has the big advantage over tools like Nmap or hping that an answer is not reduced to (open/closed/filtered), but is the whole packet.

理念非常简单。Scapy 主要做两件事:发送报文和接收回应。您定义一系列的报文,它发送这些报文,收到回应,将收到的回应和请求匹配,返回一个存放着(request, answer)(请求, 回应)的报文对(packet couples)的列表(list)和一个没有匹配的报文的列表(list)。这样对于像Nmaphping 这样的工具有一个巨大的优势:回应没有被减少 (open/closed/filtered)而是完整的报文。

On top of this can be build more high level functions, for example one that does traceroutes and give as a result only the start TTL of the request and the source IP of the answer. One that pings a whole network and gives the list of machines answering. One that does a portscan and returns a LaTeX report.

在这之上可以建立更多的高级功能,比如您可以跟踪路由(traceroutes)并得到一个只有请求的起始TTL和回应的源IP的结果,您也可以ping整个网络并得到匹配的回复的列表,您还可以扫描商品并得到一个LATEX 报表。

What makes Scapy so special

Scapy为何如此特别

First, with most other networking tools, you won’t build someting the author did not imagine. These tools have been built for a specific goal and can’t deviate much from it. For example, an ARP cache poisoning program won’t let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.

第一,对于其它的大多数网络工具来说,您无法制作一些作者无法想到的东西。这些工具已经被一个特定的目标所局限和固定,因此无法和这个目标有大的偏离。比如,一个ARP缓存中毒程序不会让您使用double 802.1q 包裹内容,同样无法找到一个程序可以发送填充(padding)ICMP报文(是填充(padding),不是负载(payload))。事实上,每次有新需求时,您必需重新建立一个新的工具。

Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say “this port is open” instead of “I received a SYN-ACK“. Sometimes they are right. Sometimes not. It’s easier for beginners, but when you know what you’re doing, you keep on trying to deduce what really happened from the program’s interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.

第二,这些工具经常混淆解码(decoding)和解释(interpreting)。机器擅长解码并能帮助人类完成这个工作。解释应该留给人类。一些程序试图模拟这个行为。比如它们说“这个端口是打开的”而不是说“我收到一个SYN-ACK.有时它们是对的,但有时不是。这样做对于初学者来说更容易,但是当您知道您正在做什么,您将继续试图推从程序的解释中测实际上发生了什么来制作自己的工具,但是这相当困难,因为大量的信息已经丢失。因此最终常常是您使用tcpdump -xX来解码和解释这些工具丢掉的内容。

Third, even programs which only decode do not give you all the information they received. The network’s vision they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the Ethernet padding?

第三,即使是那些只管解码的程序也没有把它们收到的所有的信息交给您。它们给您展示的网络信息只是其作者认为足够的信息。但是这些并不完整,对您来说是偏颇的。比如,您知道有什么工具可以得到以太帧填充的报文吗(reports the Ethernet padding)

Scapy tries to overcome those problems. It enables you to build exactly the packets you want. Even if I think stacking a 802.1q layer on top of TCP has no sense, it may have some for somebody else working on some product I don’t know. Scapy has a flexible model that tries to avoid such arbitrary limits. You’re free to put any value you want in any field you want, and stack them like you want. You’re an adult after all.

 

In fact, it’s like building a new tool each time, but instead of dealing with a hundred line C program, you only write 2 lines of Scapy.

事实上,每次运行本程序,更像是建造一个新的工具,不是处理上百行的C程序代码,您使用Scapy只需写几行代码。

 

After a probe (scan, traceroute, etc.) Scapy always gives you the full decoded packets from the probe, before any interpretation. That means that you can probe once and interpret many times, ask for a traceroute and look at the padding for instance.

在探测(probe)(或者扫描(scan)、路由跟踪(traceroute)等等)之后,Scapy总是在任何的解释之前把探测到的所有的包解码后给您。这意味着您可以探测一次而解释很多次,也可以使用路由跟踪并查看报文填充内容。

快速的报文设计

Fast packet design

Other tools stick to the program-that-you-run-from-a-shell paradigm. The result is an awful syntax to describe a packet. For these tools, the solution adopted uses a higher but less powerful description, in the form of scenarios imagined by the tool’s author. As an example, only the IP address must be given to a port scanner to trigger the port scanning scenario. Even if the scenario is tweaked a bit, you still are stuck to a port scan.

其它的工具坚持命令行运行的模式,这导致描述一个报文需要糟糕的语法。对于这些工具,解决的方法是在其作者想像的情景下,采用一种更高层但是功能更弱的描述方法。举例来说,在端口扫描的情景中,端口扫描器必须的参数只有IP地址。即使情景有所改变,情况依然如此(Even if the scenario is tweaked a bit, you still are stuck to a port scan)。

Scapy’s paradigm is to propose a Domain Specific Language (DSL) that enables a powerful and fast description of any kind of packet. Using the Python syntax and a Python interpreter as the DSL syntax and interpreter has many advantages: there is no need to write a separate interpreter, users don’t need to learn yet another language and they benefit from a complete, concise and very powerful language.

Scapy的原则是推荐使用一种特定领域语言(Domain Specific Language (DSL))以达到对于任何种类报文的功能强大并快速的描述。使用Python语法和Python解释器作为特定领域语言(DSL)的语法和解释器有许多优势:没有必要写一个单独的解释器,用户不需要再学一种新语言并可以从这个完整、简约且非常强大的语言中受益。

Scapy enables the user to describe a packet or set of packets as layers that are stacked one upon another. Fields of each layer have useful default values that can be overloaded. Scapy does not oblige the user to use predetermined methods or templates. This alleviates the requirement of writing a new tool each time a different scenario is required. In C, it may take an average of 60 lines to describe a packet. With Scapy, the packets to be sent may be described in only a single line with another line to print the result. 90% of the network probing tools can be rewritten in 2 lines of Scapy.

Scapy允许用户将一个或一系列报文描述成为一个个堆起来的层(layer)。每层的数据域有有用的且可重载的默认值。Scapy不强制用户使用预先定义的方法和模板。这样每次碰到不同的情景时写新工具的需要得到了减少。在C语言中,描述一个报文可能平均要用60行代码。使用Scapy,发送的报文可能仅需一行代码描述再加一行打印结果的代码。90%的网络探测工具可以使用Scapy使用2行代码重新实现。

一次探测,多次解释

Probe once, interpret many

Network discovery is blackbox testing. When probing a network, many stimuli are sent while only a few of them are answered. If the right stimuli are chosen, the desired information may be obtained by the responses or the lack of responses. Unlike many tools, Scapy gives all the information, i.e. all the stimuli sent and all the responses received. Examination of this data will give the user the desired information. When the dataset is small, the user can just dig for it. In other cases, the interpretation of the data will depend on the point of view taken. Most tools choose the viewpoint and discard all the data not related to that point of view. Because Scapy gives the complete raw data, that data may be used many times allowing the viewpoint to evolve during analysis. For example, a TCP port scan may be probed and the data visualized as the result of the port scan. The data could then also be visualized with respect to the TTL of response packet. A new probe need not be initiated to adjust the viewpoint of the data.

网络的发现是一个黑盒测试。当探测一个网络时,许多侦测报文(stimuli)发送然而它们当中只有少数能够被回应。如果选择了正确的侦测报文,希望得到的信息可以通过回应的报文或者是没有回应的情况来获得。不像很多其它的工具,Scapy得到所有的信息,也就是说,所有的发送的侦测报文和所有收到的回应。通过检查这些数据用户可以得到想要的信息。当数据量较小时,用户可以直接查看数据。在其它情况下,对于数据的解释将依赖于关注点的不同。多数工具选择展示关注点内容而忽略和关注点无关的内容。由于Scapy给出完整的原始数据,因此这些数据可以多次使用从而允许关注点在分析过程中发生变化。比如,可能探测一个TCP端口扫描而关注(展示)端口扫描的结果。同时也可以查看回应报文的TTL方面的内容。一个新的探测并不需要再来一次,而只是在已有的数据中改一下关注点即可。

Scapy解码而不解释

Scapy decodes, it does not interpret

A common problem with network probing tools is they try to interpret the answers received instead of only decoding and giving facts. Reporting something like Received a TCP Reset on port 80 is not subject to interpretation errors. Reporting Port 80 is closed is an interpretation that may be right most of the time but wrong in some specific contexts the tool’s author did not imagine. For instance, some scanners tend to report a filtered TCP port when they receive an ICMP destination unreachable packet. This may be right, but in some cases it means the packet was not filtered by the firewall but rather there was no host to forward the packet to.

网络探测工具所共有的一个问题是它们都试图解释收到的回应而非仅仅解码并给出结果。报告一些类似于80端口收到一个TCP Reset报文这样的消息不属于解释错误。报告80端口关闭在多数情况下是正确的,但是在某些特定的工具的作者没有想到的上下文中是错误的。比如,一些扫描器在收到一个目的地址不可达的ICMP报文后倾向于报告一个过滤TCP端口。这可能是正确的,但是在某些情况下,这表明报文被防火墙过滤掉而找不到报文的非目的主机。

Interpreting results can help users that don’t know what a port scan is but it can also make more harm than good, as it injects bias into the results. What can tend to happen is that so that they can do the interpretation themselves, knowledgeable users will try to reverse engineer the tool’s interpretation to derive the facts that triggered that interpretation. Unfortunately much information is lost in this operation.

解释结果可以帮助那些不知道什么是端口扫描的用户,但是弊大于利,因为这对于结果是一种主观的解释。可能的结果就是它们可以自己解释,知识丰富的用户将试图反向还原这个工具的解释以得到引起这个解释的真正原因。不幸的是,在这个过程中有大量的信息丢失。

快速展示(Quick demo)

First, we play a bit and create four IP packets at once. Let’s see how it works. We first instantiate the IP class. Then, we instantiate it again and we provide a destination that is worth four IP addresses (/30 gives the netmask). Using a Python idiom, we develop this implicit packet in a set of explicit packets. Then, we quit the interpreter. As we provided a session file, the variables we were working on are saved, then reloaded:

首先我们稍微试一下,一次创建4IP报文来看看这个工具是如何工作的。我们首先初始化IP类。然后,我们重新将其实例化并给出4IP报文的目的地址(/30给出掩码)。使用Python语法,我们在一系列明确的报文中定义这个报文(we develop this implicit packet in a set of explicit packets)。然后,我们退出解释器。作为我们提供的会话文件(session file),这些我们正在使用变量已经保存,然后重新加载:

# ./scapy.py -s mysession
New session [mysession]
Welcome to Scapy (0.9.17.108beta)
>>> IP()
<IP |>
>>> target="www.target.com"
>>> target="www.target.com/30"
>>> ip=IP(dst=target)
>>> ip
<IP dst=<Net www.target.com/30> |>
>>> [p for p in ip]
[<IP dst=207.171.175.28 |>, <IP dst=207.171.175.29 |>
 <IP dst=207.171.175.30 |>, <IP dst=207.171.175.31 |>]
>>> ^D

# scapy -s mysession
Using session [mysession]
Welcome to Scapy (0.9.17.108beta)
>>> ip
<IP dst=<Net www.target.com/30 |>

Now, let’s manipulate some packets:

现在,我们来操纵一些报文:

>>> IP()
<IP |>
>>> a=IP(dst="172.16.1.40")
<IP dst=172.16.1.40 |>
>>> a.dst
'172.16.1.40'
>>> a.ttl
64

Let’s say I want a broadcast MAC address, and IP payload to ketchup.com and to mayo.com, TTL value from 1 to 9, and an UDP payload:

让我们来说我想要一个广播的MAC地址,并且负载的IP报文要到达ketchup.commayo.comTTL值从19,并负载UDP报文:

>>> Ether(dst="ff:ff:ff:ff:ff:ff")
     /IP(dst=["ketchup.com", "mayo.com"], ttl=(1,9))
     /UDP()

We have 18 packets defined in 1 line (1 implicit packet)

现在我们在一行(一个确定报文(implicit packet))中定义了18个报文。

合理的默认值

Sensible default values

Scapy tries to use sensible default values for all packet fields. If not overriden,

Scapy试图在所有种类的报文数据域中使用合理的默认值,如果没有被重载的话,

  • IP source is chosen according to destination and routing table
  • Checksum is computed
  • Source MAC is chosen according to the output interface
  • Ethernet type and IP protocol are determined by the upper layer
    • IP源地址根据目的地址和路由表选择
    • 校验和自动计算
    • MAC地址根据输出接口(output interface)选择
    • 以太网类型和IP协议由高层决定

Other fields’ default values are chosen to be the most useful ones:

其它数据域选择最有用的值:

  • TCP source port is 20, destination port is 80.
  • UDP source and destination ports are 53.
  • ICMP type is echo request.

 

  • TCP源端口为20,目的端口为80
  • UDP源端口和目的端口均为53
  • ICMP类型为echo request

学习Python

Learning Python

Scapy uses the Python interpreter as a command board. That means that you can directly use the Python language (assign variables, use loops, define functions, etc.)

Scapy使用Python解释器作为命令面板。这意味着你可以直接使用Python语言(创建变量,使用循环,定义函数等等)

If you are new to Python and you really don’t understand a word because of that, or if you want to learn this language, take an hour to read the very good Python tutorial by Guido Van Rossum. After that, you’ll know Python :) (really!). For a more in-depth tutorial Dive Into Python is a very good start too.

如果你刚开始使用Python并且因此你不理解这些词语,或者如果你想学习这个语言,花一个小时来阅读一个Guido Van Rossum写的非常棒的Python教程。在此之后,你将知道Python :)(真的!)。对于更加深入的学习,Dive Into Python也是一个很好的开始。

For a quick start, here’s an overview of Python’s data types:

作为一个快速的开始,下面是Python数据类型的概览:

  • int(signed, 32bits) : 42
  • long(signed, infinite) : 42L
  • str : "bell\x07\n" or 'bell\x07\n'
  • tuple (immutable): (1,4,"42")
  • list (mutable): [4,2,"1"]
  • dict (mutable): {"one":1, "two":2}

There are no block delimiters in Python. Instead, indendation does matter:

Python中没有块分割符,而是同缩进决定:

if cond:
    instr
    instr
elif cond2:
    instr
else:
    instr

 

posted @ 2016-07-04 18:56  redhat404  阅读(432)  评论(0编辑  收藏  举报