Scapy Basics, Part 2

Source: Internet | Editor: 程序博客网 | Time: 2024/06/10 10:20

TCP traceroute test

#!/usr/bin/python
# -*- coding: utf-8 -*-
"""
A TCP traceroute
author:walfred
date:2014/10/14
TCP route tracing
"""
from scapy.all import *

# One TCP SYN per TTL value from 2 to 25; the random IP id lets scapy match each answer to its probe.
ans,unans=sr(IP(dst="www.google.com",ttl=(2,25),id=RandShort())/TCP(flags=0x2))
# rcv.payload is TCP when the destination itself answered and ICMP when a router on the path did.
for snd,rcv in ans:
    print snd.ttl,rcv.src,isinstance(rcv.payload,TCP)
The output is as follows:

walfred@walfred-VirtualBox:~/wmw/scapy/test$ sudo python TCP_tracerout.py
Begin emission:
..**********..***********Finished to send 24 packets.
***
Received 28 packets, got 24 answers, remaining 0 packets
2 192.168.115.188 True
3 192.168.115.188 True
4 192.168.115.188 True
5 192.168.115.188 True
6 192.168.115.188 True
7 192.168.115.188 True
8 192.168.115.188 True
9 192.168.115.188 True
10 192.168.115.188 True
11 192.168.115.188 True
12 192.168.115.188 True
13 192.168.115.188 True
14 192.168.115.188 True
15 192.168.115.188 True
16 192.168.115.188 True
17 192.168.115.188 True
18 192.168.115.188 True
19 192.168.115.188 True
20 192.168.115.188 True
21 192.168.115.188 True
22 192.168.115.188 True
23 192.168.115.188 True
24 192.168.115.188 True
25 192.168.115.188 True

Super sockets

Scapy uses the libdnet and libpcap libraries to build its super-socket feature, which provides kernel ARP cache and routing table lookups, firewalling, and raw IP and Ethernet transport. You can choose the I/O layer freely and, at layer 2, use PF_INET/SOCK_RAW or PF_PACKET (for example to change your own MAC address or link-layer header fields). Enabling it is simple; only the corresponding configuration is needed:
>>> conf.use_pcap=True
>>> conf.use_dnet=True
>>> conf.L3socket=L3dnetSocket
>>> conf.L3listen=L3pcapListenSocket
Note: if these two libraries are not present on the system, you have to download and install them yourself.

Sniffing

#!/usr/bin/python
"""
    sniffer
    author:walfred
    date:2014/10/14
"""
from scapy.all import *
# Earlier attempts, kept for reference:
#sniff(filter="icmp",count=2)      # BPF filter, stop after two packets
#a=_                               # the interactive shell's last result
#a.nsummary()
#a[1]
#sniff(iface="eth0",prn=lambda x:x.summary())
#sniff(iface="eth0",prn=lambda x:x.show())
# {IP:...} and {Raw:...} are conditional blocks: printed only when that layer is present.
pkts = sniff(prn=lambda x:x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))

The output is as follows:
192.168.115.78 -> 224.0.0.252
192.168.115.178 -> 37.48.93.218
199.27.79.209 -> 192.168.115.198
'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/plain\r\nLast-Modified: Wed, 30 Mar 2011 05:55:46 GMT\r\nETag: "4d92c5e2-28"\r\nVia: 1.1 varnish\r\nContent-Length: 40\r\nAccept-Ranges: bytes\r\nDate: Tue, 14 Oct 2014 06:49:20 GMT\r\nVia: 1.1 varnish\r\nAge: 3926503\r\nConnection: keep-alive\r\nX-Served-By: cache-iad2124-IAD, cache-lax1434-LAX\r\nX-Cache: HIT, HIT\r\nX-Cache-Hits: 1, 1\r\nX-Timer: S1413269360.510112,VS0,VE0\r\n\r\nd0b6dc32d9d9f48a6d702271b8f25c0da6a823fb'

Filters

>>> filter_p = sniff(filter="tcp",prn=lambda x: x.sprintf("%IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport%  %2s,TCP.flags% : %TCP.payload%"))
192.168.115.178:?? -> 61.160.98.89:??  ?? : ??
61.160.98.89:?? -> 192.168.115.178:??  ?? : ??
192.168.115.198:41533 -> 173.194.72.82:http   S : 
192.168.115.198:41534 -> 173.194.72.82:http   S : 
192.168.115.198:41535 -> 173.194.72.82:http   S : 
192.168.115.198:41536 -> 173.194.72.82:http   S : 
192.168.115.198:41537 -> 173.194.72.82:http   S : 
192.168.115.198:41533 -> 173.194.72.82:http   S : 
192.168.115.198:41534 -> 173.194.72.82:http   S : 
192.168.115.198:41535 -> 173.194.72.82:http   S : 
192.168.115.198:41536 -> 173.194.72.82:http   S : 
192.168.115.198:41537 -> 173.194.72.82:http   S : 
199.27.79.209:http -> 192.168.115.198:58114  FA : 

Some of the characters above are garbled; I have not resolved that yet...

Importing and exporting data

Saving data
wrpcap("test.cap", filter_p)

Loading data

pkts = rdpcap("test.cap")  or  pkts = sniff(offline="temp.cap")

Hex dump of data
hexdump(pkts)

Converting data to a string
>>> str_p=str(filter_p)
>>> str_p
"[\x1b[0m<\x1b[0m\x1b[31m\x1b[1mEther\x1b[0m  \x1b[34mdst\x1b[0m\x1b[0m=\x1b[0m\x1b[35m00:03:0f:19:6a:49\x1b[0m \x1b[34msrc\x1b[0m\x1b[0m=\x1b[0m\x1b[35m28:d2:44:3d:40:8e\x1b[0m \x1b[34mtype\x1b[0m\x1b[0m=\x1b[0m\x1b[35mIPv4\x1b[0m \x1b[0m|\x1b[0m\x1b[0m<\x1b[0m\x1b[31m\x1b[1mIP\x1b[0m  \x1b[34mversion\x1b[0m\x1b[0m=\x1b[0m\x1b[35m4L\x1b[0m \x1b[34mihl\x1b[0m\x1b[0m=\x1b[0m\x1b[35m5L\x1b[0m \x1b[34mtos\x1b[0m\x1b[0m=\x1b[0m\x1b[35m0x0\x1b[0m \x1b[34mlen\x1b[0m\x1b[0m=\x1b[0m\x1b[35m60\x1b[0m \x1b[34mid\x1b[0m\x1b[0m=\x1b[0m\x1b[35m22665\x1b[0m \x1b[34mflags\x1b[0m\x1b[0m=\x1b[0m\x1b[35m\x1b[0m \x1b[34mfrag\x1b[0m\x1b[0m=\x1b[0m\x1b[35m0L\x1b[0m \x1b[34mttl\x1b[0m\x1b[0m=\x1b[0m\x1b[35m64\x1b[0m \x1b[34mproto\x1b[0m\x1b[0m=\x1b[0m  ...

Base64-encoding packets (export_object() and import_object())

>>> sniff_pkt=filter_p[0]
>>> sniff_pkt
<Ether  dst=00:03:0f:19:6a:49 src=28:d2:44:3d:40:8e type=IPv4 |<IP  version=4L ihl=5L tos=0x0 len=60 id=22665 flags= frag=0L ttl=64 proto=icmp chksum=0x4de4 src=192.168.115.178 dst=61.160.98.89 options=[] |<ICMP  type=echo-request code=0 chksum=0xb5ec id=0x1 seq=0x976e |<Raw  load='abcdefghijklmnopqrstuvwabcdefghi' |>>>>
>>> export_object(sniff_pkt)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 421, in export_object
    print gzip.zlib.compress(cPickle.dumps(obj,2),9).encode("base64")
PicklingError: Can't pickle <type 'function'>: attribute lookup __builtin__.function failed
>>> 
This error appeared; I have not been able to resolve it yet...

Saving a session

If you have done a lot of work in the interactive terminal and want to keep the current session for later use, the following commands do that:
save_session() and load_session()
>>> dir()
['__builtins__', 'conf', 'filter_p', 'pkts', 'sniff_pkt', 'str_p']
>>> save_session("2014_session.scapy")
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/scapy/main.py", line 129, in save_session
    cPickle.dump(to_be_saved, f, pickleProto)
PicklingError: Can't pickle <type 'function'>: attribute lookup __builtin__.function failed

Scapy's routing table

>>> conf.route
Network         Netmask         Gateway         Iface           Output IP
127.0.0.0       255.0.0.0       0.0.0.0         lo              127.0.0.1
0.0.0.0         0.0.0.0         192.168.115.1   eth0            192.168.115.198
192.168.115.0   255.255.255.0   0.0.0.0         eth0            192.168.115.198
The routing table can also be modified:
>>> conf.route.delt(net="0.0.0.0/0",gw="192.168.115.1")
>>> conf.route.add(net="0.0.0.0/0",gw="192.168.115.254")
>>> conf.route.add(host="192.168.115.253",gw="192.168.115.1")
>>> conf.route
Network         Netmask         Gateway         Iface           Output IP
127.0.0.0       255.0.0.0       0.0.0.0         lo              127.0.0.1
192.168.115.0   255.255.255.0   0.0.0.0         eth0            192.168.115.198
0.0.0.0         0.0.0.0         192.168.8.254   lo              0.0.0.0
0.0.0.0         0.0.0.0         192.168.115.254 eth0            192.168.115.198
192.168.115.253 255.255.255.255 192.168.115.1   eth0            192.168.115.198
>>> 
resync() restores the defaults:
>>> conf.route.resync()
>>> conf.route
Network         Netmask         Gateway         Iface           Output IP
127.0.0.0       255.0.0.0       0.0.0.0         lo              127.0.0.1
0.0.0.0         0.0.0.0         192.168.115.1   eth0            192.168.115.198
192.168.115.0   255.255.255.0   0.0.0.0         eth0            192.168.115.198
>>> 

Wireless packet capture and injection

Capturing with a wireless card (the original was missing the opening % of the last field):
sniff(iface="wifi360",prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\t%PrismHeader.channel%\t%Dot11Beacon.cap%}"))

Scapy also provides a way to inject wireless packets.
sendp(Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=RandMAC(),addr3=RandMAC())/
      Dot11Beacon(cap="ESS")/
      Dot11Elt(ID="SSID",info=RandString(RandNum(1,50)))/
      Dot11Elt(ID="Rates",info='\x82\x84\x0b\x16')/
      Dot11Elt(ID="DSset",info="\x03")/
      Dot11Elt(ID="TIM",info="\x00\x01\x00\x00"),iface="wifi360",loop=1)




