Python for Cyber Security: Scapy

In the world of cybersecurity, the ability to capture, analyze and manipulate network packets is a crucial skill. Python has become a go-to language for cyber security professionals due to its versatility and extensive range of libraries and tools. One such tool that has gained significant popularity in the cybersecurity community is Scapy. Scapy is a Python-based packet manipulation tool that allows security analysts to interact with network protocols and analyze network traffic. With Scapy, cyber security professionals can perform a wide range of tasks, from scanning networks for vulnerabilities to crafting custom packets for testing network security.

In this guide, we will explore the use of Scapy in cyber security and examine some of its key features. Whether you are a seasoned cyber security professional or just starting out, Scapy is a valuable addition to your toolkit.

Introduction to Scapy

Scapy is a powerful Python library that enables users to create, modify, send and sniff network packets. It is widely used in the field of cyber security for tasks such as network scanning, packet analysis and penetration testing. Scapy’s versatility stems from its ability to support numerous protocols and its ease of use.

Scapy operates by creating packet objects, which can be easily modified and sent over a network. It also allows users to capture packets and dissect their contents for analysis. Scapy has built-in support for a wide range of protocols, including IP, TCP, UDP, ICMP and many others. Furthermore, it can be extended with custom protocols and functions, allowing users to tailor the library to their needs.

The Scapy library is designed to be used interactively or as part of a script, making it suitable for both quick experimentation and more complex tasks. It provides an interactive shell called scapy that allows users to interact with the library directly, as well as a Python API for use in scripts and applications.

Installing Scapy

To get started with Scapy, you’ll first need to install it. Scapy runs on Python 2.7 and Python 3.4 or later. The easiest way to install Scapy is using the Python package manager, pip. To install Scapy, open a command prompt or terminal and run the following command:

pip install scapy

Alternatively, you can download the Scapy source code from the GitHub repository and install it manually. Once Scapy is installed, you can start using it in your Python scripts or interactively via the scapy shell.

To launch the Scapy interactive shell, simply type scapy in your command prompt or terminal and hit Enter. You should see the Scapy prompt, which looks like this:

>>> 

Creating and Sending Packets

Scapy makes it easy to create and send packets on a network. To create a packet, you simply instantiate the desired protocol class and set its attributes. For example, to create an IP packet, you would do the following:

from scapy.all import IP

ip_packet = IP(dst="8.8.8.8")

In this example, we’re creating an IP packet with a destination address of 8.8.8.8 (Google’s DNS server). We can also create packets for other protocols, such as TCP or UDP. To create a TCP packet with a source port of 10000 and a destination port of 80, you would do the following:

from scapy.all import TCP

tcp_packet = TCP(sport=10000, dport=80)

To send a packet over the network, you can use the send() function from Scapy. The send() function takes a packet object as its argument and sends it over the network. Here’s an example of how to send an IP packet:

from scapy.all import send

send(ip_packet)

Packet Sniffing and Filtering

Scapy also allows you to sniff network traffic and filter packets based on specific criteria. The sniff() function is used to capture packets and it takes a few optional arguments, such as the number of packets to capture and a filter string.

Here’s an example of how to capture 10 packets and display their summary:

from scapy.all import sniff

packets = sniff(count=10)
packets.summary()

To filter packets based on specific criteria, you can use the filter parameter with the sniff() function. For example, to capture only TCP packets with a destination port of 80, you would use the following code:

from scapy.all import sniff

packets = sniff(count=10, filter="tcp and dst port 80")
packets.summary()

In this example, the filter string “tcp and dst port 80” captures only TCP packets with a destination port of 80.

Packet Analysis and Protocol Dissection

Once you have captured packets, you can analyze and dissect them using Scapy’s built-in functions. Scapy can automatically parse and display packet information, making it easier to understand the structure and contents of network traffic.

For example, to print a detailed view of a single packet, you can use the show() method:

packet = packets[0]
packet.show()

This will display a hierarchical view of the packet’s contents, including protocol headers and payload data.

Scapy also provides methods for extracting and modifying specific fields within a packet. For instance, to access the source and destination IP addresses of an IP packet, you can do the following:

src_ip = packet[IP].src
dst_ip = packet[IP].dst

Traceroute and Port Scanning

Scapy includes several built-in functions for common networking tasks, such as traceroute and port scanning. These functions can be helpful for network diagnostics and security testing.

For example, to perform a traceroute to a specific host, you can use the traceroute() function:

from scapy.all import traceroute

hosts = ['8.8.8.8', 'www.example.com']
result, unans = traceroute(hosts, maxttl=20)
result.show()

This code will perform a traceroute to the specified hosts (8.8.8.8 and www.example.com) and display the results.

To perform a port scan, you can use Scapy’s sr() (send/receive) function along with crafted packets. Here’s an example of a simple TCP SYN port scanner:

from scapy.all import sr, IP, TCP

target = "192.168.1.1"
ports = [22, 80, 443]

packet = IP(dst=target) / TCP(dport=ports, flags="S")
ans, unans = sr(packet, timeout=2, verbose=0)

for sent, received in ans:
    if received[TCP].flags == "SA":
        print(f"Port {sent[TCP].dport} is open")

This script sends TCP SYN packets to the specified target and ports, then checks the response flags for SYN-ACK, indicating an open port.

Wireless Network Analysis

Scapy supports wireless network analysis and can be used to capture and analyze 802.11 (Wi-Fi) packets. To work with wireless packets, you’ll need a compatible wireless adapter and, depending on your operating system, additional configuration steps.

Once your wireless adapter is configured for packet capture, you can use Scapy’s sniff() function to capture wireless packets and analyze them just like wired network traffic. For example, you can filter for specific types of 802.11 packets, such as Beacon or Probe Request frames, to analyze nearby wireless networks and devices.

Exploiting Scapy for Network Security

Scapy is a powerful tool for network security professionals, as it allows you to craft custom packets, perform advanced network scanning and testing and analyze traffic for potential vulnerabilities or malicious activity.

However, with great power comes great responsibility. It’s essential to use Scapy ethically and responsibly, in accordance with applicable laws and regulations and with permission from the network owner when necessary.

Conclusion

Scapy is a versatile and powerful Python library for network packet manipulation, making it an invaluable tool for cyber security professionals, network administrators and anyone interested in understanding and working with network traffic.

By harnessing the power of Python and Scapy, you can create custom packets, perform network scans, analyze traffic and even develop your own network security tools.

As you explore the capabilities of Scapy, remember to use it responsibly and ethically and continue learning about network security and Python programming to enhance your skills and knowledge.