Scapy基础学习之二

TCP路由跟踪测试

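#!/usr/bin/python
# -*- coding: utf-8 -*-
"""
A TCP traceroute
 author:walfred
 date:2014/10/14
 TCP route tracing: send one TCP SYN per TTL in TTL_RANGE to TARGET and
 print, for each TTL, who answered and what kind of answer came back.

 Reading the output: an ICMP answer (normally time-exceeded) comes from an
 intermediate router, i.e. a real hop; a TCP answer means the SYN reached
 something that accepted/refused the handshake -- the target itself, or a
 device on the path (proxy/firewall) answering on its behalf.  If every TTL
 gets a TCP answer from the same address, no route was actually traced.

 This is active probing (SYNs sent to a third party): only run it against
 hosts you are allowed to scan.  Needs raw-socket privileges (root).
"""
from scapy.all import *

TARGET = "www.google.com"
TTL_RANGE = (2, 25)   # inclusive TTL range, one probe per value

# One SYN per TTL; the random IP id keeps the probes from being identical.
ans, unans = sr(IP(dst=TARGET, ttl=TTL_RANGE, id=RandShort()) / TCP(flags="S"))

# Answers arrive in network order; sort by the TTL we sent so the list reads
# hop by hop.  Columns: ttl, answering host, is-TCP-answer, answer layer name.
for snd, rcv in sorted(ans, key=lambda pair: pair[0].ttl):
    is_tcp = isinstance(rcv.payload, TCP)
    print snd.ttl, rcv.src, is_tcp, rcv.payload.__class__.__name__

# TTLs that got no answer at all (filtered hop / silent drop), traceroute-style.
for snd in unans:
    print snd.ttl, "*"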
执行结果如下(注意观察:TTL 2~25 每一跳都收到了来自同一台内网主机 192.168.115.188 的 TCP 应答,没有任何 ICMP time-exceeded——这说明并没有真正逐跳追踪到 google,看起来是本地网络上的某个设备(例如透明代理/防火墙)直接替目标应答了 SYN。在这种环境下 TCP traceroute 的输出不能当作真实路径):

walfred@walfred-VirtualBox:~/wmw/scapy/test$ sudo python TCP_tracerout.py 
Begin emission:
..**********..***********Finished to send 24 packets.
***
Received 28 packets, got 24 answers, remaining 0 packets
2 192.168.115.188 True
3 192.168.115.188 True
4 192.168.115.188 True
5 192.168.115.188 True
6 192.168.115.188 True
7 192.168.115.188 True
8 192.168.115.188 True
9 192.168.115.188 True
10 192.168.115.188 True
11 192.168.115.188 True
12 192.168.115.188 True
13 192.168.115.188 True
14 192.168.115.188 True
15 192.168.115.188 True
16 192.168.115.188 True
17 192.168.115.188 True
18 192.168.115.188 True
19 192.168.115.188 True
20 192.168.115.188 True
21 192.168.115.188 True
22 192.168.115.188 True
23 192.168.115.188 True
24 192.168.115.188 True
25 192.168.115.188 True

super sockets

scapy使用了libdnet和libpcap库创建了super-socket功能,方便提供内核arp缓存和route表查找操作、提供网络防火墙、原始IP包和以太网传输。用户可以方便选择IO层,在第二层中使用PF_INET/SOCK_RAW或者PF_PACKET(比如修改自己的mac地址,LL头数据字段等)。使用这个的方式也很简单,只需要做相应的配置工作即可:
>>> conf.use_pcap=True
>>> conf.use_dnet=True

>>> conf.L3socket=L3dnetSocket
>>> conf.L3listen=L3pcapListenSocket
注:如果系统中没有这两个库(libpcap、libdnet 及其 Python 绑定),需要自己下载安装

捕获(sniffing)

#!/usr/bin/python

"""
    sniffer
    author:walfred
    date:2014/10/14
"""
from scapy.all import *

# Earlier experiments, kept for reference:
#sniff(filter="icmp",count=2)
#a=_
#a.nsummary()
#a[1]

#sniff(iface="eth0",prn=lambda x:x.summary())
#sniff(iface="eth0",prn=lambda x:x.show())


def _describe(pkt):
    # One line per packet: "src -> dst" when an IP layer is present, then the
    # raw payload when one is present.  This echoes application data verbatim
    # (the sample run printed a full HTTP response), so any cleartext
    # credentials on the wire end up in the terminal / wherever stdout goes.
    return pkt.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}")


# No count/timeout given: captures until interrupted (Ctrl-C), on the default
# interface; capturing needs raw-socket privileges (root).
pkts = sniff(prn=_describe)

执行结果如下:
192.168.115.78 -> 224.0.0.252

192.168.115.178 -> 37.48.93.218

199.27.79.209 -> 192.168.115.198
'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/plain\r\nLast-Modified: Wed, 30 Mar 2011 05:55:46 GMT\r\nETag: "4d92c5e2-28"\r\nVia: 1.1 varnish\r\nContent-Length: 40\r\nAccept-Ranges: bytes\r\nDate: Tue, 14 Oct 2014 06:49:20 GMT\r\nVia: 1.1 varnish\r\nAge: 3926503\r\nConnection: keep-alive\r\nX-Served-By: cache-iad2124-IAD, cache-lax1434-LAX\r\nX-Cache: HIT, HIT\r\nX-Cache-Hits: 1, 1\r\nX-Timer: S1413269360.510112,VS0,VE0\r\n\r\nd0b6dc32d9d9f48a6d702271b8f25c0da6a823fb'

过滤(filters)

>>> filter_p = sniff(filter="tcp",prn=lambda x: x.sprintf("%IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport%  %2s,TCP.flags% : %TCP.payload%"))
192.168.115.178:?? -> 61.160.98.89:??  ?? : ??
61.160.98.89:?? -> 192.168.115.178:??  ?? : ??
192.168.115.198:41533 -> 173.194.72.82:http   S : 
192.168.115.198:41534 -> 173.194.72.82:http   S : 
192.168.115.198:41535 -> 173.194.72.82:http   S : 
192.168.115.198:41536 -> 173.194.72.82:http   S : 
192.168.115.198:41537 -> 173.194.72.82:http   S : 
192.168.115.198:41533 -> 173.194.72.82:http   S : 
192.168.115.198:41534 -> 173.194.72.82:http   S : 
192.168.115.198:41535 -> 173.194.72.82:http   S : 
192.168.115.198:41536 -> 173.194.72.82:http   S : 
192.168.115.198:41537 -> 173.194.72.82:http   S : 
199.27.79.209:http -> 192.168.115.198:58114  FA : 

上面前两行里的 ?? 并不是编码乱码,而是 scapy 的 sprintf 在包里找不到所引用的层/字段时打印的占位符:BPF 过滤器 "tcp" 偶尔会放进 scapy 解析不出 IP/TCP 层的包(例如非 IPv4 或后续分片),这类包上 %IP.src%、%TCP.sport%、%TCP.flags% 都无法解析,于是显示为 ??。

导入导出数据

保存数据
wrpcap("test.cap", filter_p)

载入数据

pkts = rdpcap("test.cap")  或者 pkts = sniff(offline="temp.cap")

十六进制化数据
hexdump(pkts)

字符串化数据
>>> str_p=str(filter_p)
>>> str_p
"[\x1b[0m<\x1b[0m\x1b[31m\x1b[1mEther\x1b[0m  \x1b[34mdst\x1b[0m\x1b[0m=\x1b[0m\x1b[35m00:03:0f:19:6a:49\x1b[0m \x1b[34msrc\x1b[0m\x1b[0m=\x1b[0m\x1b[35m28:d2:44:3d:40:8e\x1b[0m \x1b[34mtype\x1b[0m\x1b[0m=\x1b[0m\x1b[35mIPv4\x1b[0m \x1b[0m|\x1b[0m\x1b[0m<\x1b[0m\x1b[31m\x1b[1mIP\x1b[0m  \x1b[34mversion\x1b[0m\x1b[0m=\x1b[0m\x1b[35m4L\x1b[0m \x1b[34mihl\x1b[0m\x1b[0m=\x1b[0m\x1b[35m5L\x1b[0m \x1b[34mtos\x1b[0m\x1b[0m=\x1b[0m\x1b[35m0x0\x1b[0m \x1b[34mlen\x1b[0m\x1b[0m=\x1b[0m\x1b[35m60\x1b[0m \x1b[34mid\x1b[0m\x1b[0m=\x1b[0m\x1b[35m22665\x1b[0m \x1b[34mflags\x1b[0m\x1b[0m=\x1b[0m\x1b[35m\x1b[0m \x1b[34mfrag\x1b[0m\x1b[0m=\x1b[0m\x1b[35m0L\x1b[0m \x1b[34mttl\x1b[0m\x1b[0m=\x1b[0m\x1b[35m64\x1b[0m \x1b[34mproto\x1b[0m\x1b[0m=\x1b[0m  。。。。。。。。。。。。。。。。

base64编码数据包(export_object() 和import_object())

>>> sniff_pkt=filter_p[0]
>>> sniff_pkt
<Ether  dst=00:03:0f:19:6a:49 src=28:d2:44:3d:40:8e type=IPv4 |<IP  version=4L ihl=5L tos=0x0 len=60 id=22665 flags= frag=0L ttl=64 proto=icmp chksum=0x4de4 src=192.168.115.178 dst=61.160.98.89 options=[] |<ICMP  type=echo-request code=0 chksum=0xb5ec id=0x1 seq=0x976e |<Raw  load='abcdefghijklmnopqrstuvwabcdefghi' |>>>>
>>> export_object(sniff_pkt)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 421, in export_object
    print gzip.zlib.compress(cPickle.dumps(obj,2),9).encode("base64")
PicklingError: Can't pickle <type 'function'>: attribute lookup __builtin__.function failed
>>> 
出现了该错误,目前还未能解决。。。。。从回溯可以看到 export_object() 本质上是 cPickle.dumps → zlib 压缩 → base64,而 import_object() 是反过来对数据做 unpickle;pickle 反序列化会执行数据里指定的任意代码,所以只能 import_object() 自己生成、来源可信的数据,绝不要加载别人发来或网上贴出的 base64 包。

保存会话

如果在终端执行了许多操作,并且需要保存当前的会话内容以备后来需要,可以使用下面的命令完成:
save_session() 和 load_session()(注意:从下面的回溯可以看到会话文件同样是用 cPickle 保存的,load_session() 就是对文件做 unpickle,会执行文件里指定的任意代码——只加载自己保存的会话文件)
>>> dir()
['__builtins__', 'conf', 'filter_p', 'pkts', 'sniff_pkt', 'str_p']
>>> save_session("2014_session.scapy")
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/scapy/main.py", line 129, in save_session
    cPickle.dump(to_be_saved, f, pickleProto)
PicklingError: Can't pickle <type 'function'>: attribute lookup __builtin__.function failed

scapy的路由

>>> conf.route
Network         Netmask         Gateway         Iface           Output IP
127.0.0.0       255.0.0.0       0.0.0.0         lo              127.0.0.1      
0.0.0.0         0.0.0.0         192.168.115.1   eth0            192.168.115.198
192.168.115.0   255.255.255.0   0.0.0.0         eth0            192.168.115.198
同时可以修改路由表(注意:这里修改的是 scapy 自己维护的 conf.route 表,只影响 scapy 发包时选择的接口、网关和源 IP,并不会改动内核的路由表):
>>> conf.route.delt(net="0.0.0.0/0",gw="192.168.115.1")
>>> conf.route.add(net="0.0.0.0/0",gw="192.168.115.254")
>>> conf.route.add(host="192.168.115.253",gw="192.168.115.1")
>>> conf.route
Network         Netmask         Gateway         Iface           Output IP
127.0.0.0       255.0.0.0       0.0.0.0         lo              127.0.0.1      
192.168.115.0   255.255.255.0   0.0.0.0         eth0            192.168.115.198
0.0.0.0         0.0.0.0         192.168.8.254   lo              0.0.0.0        
0.0.0.0         0.0.0.0         192.168.115.254 eth0            192.168.115.198
192.168.115.253 255.255.255.255 192.168.115.1   eth0            192.168.115.198

>>> 
使用 resync() 可以让 scapy 重新从系统路由表读取,恢复默认
>>> conf.route.resync()
>>> conf.route
Network         Netmask         Gateway         Iface           Output IP
127.0.0.0       255.0.0.0       0.0.0.0         lo              127.0.0.1      
0.0.0.0         0.0.0.0         192.168.115.1   eth0            192.168.115.198
192.168.115.0   255.255.255.0   0.0.0.0         eth0            192.168.115.198

>>> 

无线数据包抓包和注入

无线网卡的抓包方法:
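# Prints BSSID, SSID, channel and capabilities for every beacon seen on "wifi360".
# The interface needs to be in monitor mode to see raw 802.11 frames; the
# %PrismHeader.channel% field only resolves when the driver prepends a Prism
# header, otherwise it shows as "??".
sniff(iface="wifi360",prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\t%PrismHeader.channel%\t%Dot11Beacon.cap%}"))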

scapy提供无线数据包注入的方法。下面的例子会不停地(loop=1,Ctrl-C 停止)广播随机 SSID、随机 MAC 的伪造 beacon 帧,需要网卡处于 monitor 模式且驱动支持注入;这会让周围所有客户端的网络列表里出现假 AP,属于主动射频干扰,只能在隔离的实验环境或获得授权的情况下运行。
# Forge 802.11 beacon frames and transmit them forever (loop=1) on "wifi360";
# stop with Ctrl-C.  addr1 is the broadcast receiver, addr2/addr3 (transmitter
# and BSSID) are re-randomised per frame, and the SSID is 1..50 random bytes,
# so every frame advertises a different fake AP.  This is active injection:
# the interface must support it (normally monitor mode), and everyone in range
# sees the fake networks -- use only in an isolated lab / with authorisation.
sendp(Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=RandMAC(),addr3=RandMAC())/
          Dot11Beacon(cap="ESS")/                                  # advertise as an infrastructure AP
          Dot11Elt(ID="SSID",info=RandString(RandNum(1,50)))/      # random SSID, 1..50 bytes
          Dot11Elt(ID="Rates",info='\x82\x84\x0b\x16')/           # supported rates (802.11 encoding: 1/2/5.5/11 Mbps)
          Dot11Elt(ID="DSset",info="\x03")/                       # DS parameter set: channel 3
          Dot11Elt(ID="TIM",info="\x00\x01\x00\x00"),iface="wifi360",loop=1)




