scapy学习笔记(2)
2024-08-25 20:37:47
一、包
包(Packet)是TCP/IP协议通信传输中的数据单位,一般也称“数据包”。其主要由“目的IP地址”、“源IP地址”、“净载数据”等部分构成,包括包头和包体,包头是固定长度,包体的长度不定,各字段长度固定,双方的请求数据包和应答数据包的包头结构是一致的,不同的是包体的定义。 数据包的结构与我们平常写信非常类似,目的IP地址是说明这个数据包是要发给谁的,相当于收信人地址;源IP地址是说明这个数据包是发自哪里的,相当于发信人地址;而净载数据相当于信件的内容。包沿着不同的路径在一个或多个网络中传输,并且在目的地重新组合。
二、常见的几个关键字
ICMP:Internet Control Message Protocol(Internet控制报文协议)的缩写。它是TCP/IP协议族的一个子协议,用于在IP主机、路由器之间传递控制消息。控制消息是指网络通不通、主机是否可达、路由是否可用等网络本身的消息。这些控制消息虽然并不传输用户数据,但是对于用户数据的传递起着重要的作用。
DST:目的地址
SRC:源地址
TTL:(Time To Live ) 生存时间,指定数据包被路由器丢弃之前允许通过的网段数量。TTL是IP协议包中的一个值,它告诉网络,数据包在网络中的时间是否太长而应被丢弃。有很多原因使包在一定时间内不能被传递到目的地。解决方法就是在一段时间后丢弃这个包,然后给发送者一个报文,由发送者决定是否要重发。TTL的初值通常是系统缺省值,是包头中的8位的域。TTL的最初设想是确定一个时间范围,超过此时间就把包丢弃。由于每个路由器都至少要把TTL域减一,TTL通常表示包在被丢弃前最多能经过的路由器个数。当记数到0时,路由器决定丢弃该包,并发送一个ICMP报文给最初的发送者。
三、scapy中常用的几个命令
1、ls():作用也是list show,可以显示所有支持的数据包对象。ls()可以不带参数,也可以带参数,参数可是任何一个具体的包。下面列出了一部分结果:
>>> from scapy.all import *
WARNING: No route found for IPv6 destination :: (no default route?)
>>> ls()
ARP : ARP
ASN1_Packet : None
BOOTP : BOOTP
CookedLinux : cooked linux
DHCP : DHCP options
DHCP6 : DHCPv6 Generic Message)
DHCP6OptAuth : DHCP6 Option - Authentication
DHCP6OptBCMCSDomains : DHCP6 Option - BCMCS Domain Name List
DHCP6OptBCMCSServers : DHCP6 Option - BCMCS Addresses List
DHCP6OptClientFQDN : DHCP6 Option - Client FQDN
DHCP6OptClientId : DHCP6 Client Identifier Option
DHCP6OptDNSDomains : DHCP6 Option - Domain Search List option
DHCP6OptDNSServers : DHCP6 Option - DNS Recursive Name Server
DHCP6OptElapsedTime : DHCP6 Elapsed Time Option
DHCP6OptGeoConf : 列出TCP的所有对象:
>>> from scapy.all import *
WARNING: No route found for IPv6 destination :: (no default route?)
>>> ls(TCP)
sport : ShortEnumField = (20)
dport : ShortEnumField = (80)
seq : IntField = (0)
ack : IntField = (0)
dataofs : BitField = (None)
reserved : BitField = (0)
flags : FlagsField = (2)
window : ShortField = (8192)
chksum : XShortField = (None)
urgptr : ShortField = (0)
options : TCPOptionsField = ({})
列出任意包的情况如:
>>> a=IP(ttl=5)
>>> a.src
'127.0.0.1'
>>> a
<IP ttl=5 |>
>>> a.dst
'127.0.0.1'
>>> a.dst="192.168.0.1"
>>> a
<IP ttl=5 dst=192.168.0.1 |>
>>> ls(a)
version : BitField = 4 (4)
ihl : BitField = None (None)
tos : XByteField = 0 (0)
len : ShortField = None (None)
id : ShortField = 1 (1)
flags : FlagsField = 0 (0)
frag : BitField = 0 (0)
ttl : ByteField = 5 (64)
proto : ByteEnumField = 0 (0)
chksum : XShortField = None (None)
src : Emph = '27.214.7.85' (None)
dst : Emph = '192.168.0.1' ('127.0.0.1')
options : PacketListField = [] ([])
>>>
2、lsc()列出所有函数。如:
>>> lsc()
arpcachepoison : Poison target's cache with (your MAC,victim's IP) couple
arping : Send ARP who-has requests to determine which hosts are up
bind_layers : Bind 2 layers on some specific fields' values
corrupt_bits : Flip a given percentage or number of bits from a string
corrupt_bytes : Corrupt a given percentage or number of bytes from a string
defrag : defrag(plist) -> ([not fragmented], [defragmented],
defragment : defrag(plist) -> plist defragmented as much as possible
dyndns_add : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del : Send a DNS delete message to a nameserver for "name"
etherleak : Exploit Etherleak flaw
fragment : Fragment a big IP datagram
fuzz : Transform a layer into a fuzzy layer by replacing some default values by random objects
getmacbyip : Return MAC address corresponding to a given IP address
hexdiff : Show differences between 2 binary strings
hexdump : --
hexedit : --
is_promisc : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump : --
ls : List available layers, or infos on a given layer
promiscping : Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap : Read a pcap file and return a packet list
send : Send packets at layer 3
sendp : Send packets at layer 2
sendpfast : Send packets at layer 2 using tcpreplay for performance
sniff : Sniff packets
split_layers : Split 2 layers previously bound
sr : Send and receive packets at layer 3
sr1 : Send packets at layer 3 and return only the first answer
srbt : send and receive using a bluetooth socket
srbt1 : send and receive 1 packet using a bluetooth socket
srflood : Flood and receive packets at layer 3
srloop : Send a packet at layer 3 in loop and print the answer each time
srp : Send and receive packets at layer 2
srp1 : Send and receive packets at layer 2 and return only the first answer
srpflood : Flood and receive packets at layer 2
srploop : Send a packet at layer 2 in loop and print the answer each time
traceroute : Instant TCP traceroute
tshark : Sniff packets and print them calling pkt.show(), a bit like text wireshark
wireshark : Run wireshark on a list of packets
wrpcap : Write a list of packets to a pcap file
3、hide_defaults()方法,用来删除一些用户提供的那些和default value相同的项目
>>> a=IP()/TCP()
>>> b=IP(str(a))
>>> b
<IP version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=64 proto=tcp chksum=0x7ccd src=127.0.0.1 dst=127.0.0.1 options=[] |<TCP sport=ftp_data dport=http seq=0 ack=0 dataofs=5L reserved=0L flags=S window=8192 chksum=0x917c urgptr=0 |>>
>>> b.hide_defaults()
>>> b
<IP ihl=5L len=40 frag=0 proto=tcp chksum=0x7ccd src=127.0.0.1 |<TCP dataofs=5L chksum=0x917c |>>
4、display():display()方法可以简单查看当前packet的各个参数的取值情况,例子见下。
5、sprintf:输出某一层某个参数的取值,如果不存在就输出??,具体的format是:%[[mt][r],][layer[:nb].]field%,参数的具体信息请参看《Security Power Tools》146页或者http://wikicode.net。例:
>>> a=IP()/TCP()
>>> b=IP(str(a))
>>> b
<IP version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=64 proto=tcp chksum=0x7ccd src=127.0.0.1 dst=127.0.0.1 options=[] |<TCP sport=ftp_data dport=http seq=0 ack=0 dataofs=5L reserved=0L flags=S window=8192 chksum=0x917c urgptr=0 |>>
>>> b.hide_defaults()
>>> b
<IP ihl=5L len=40 frag=0 proto=tcp chksum=0x7ccd src=127.0.0.1 |<TCP dataofs=5L chksum=0x917c |>>
>>> a.sprintf("%IP.gabuzomeu%")
'??'
四、创建包
第一层:物理层,通过广播的方式进行数据传播(集线器)
第二层:数据链路层,通过MAC进行数据转发(交换机、网桥)
第三层:网络层,通过IP进行数据转发(路由器)
scapy的包创建是按照网络接口层,互联网层,传输层,应用层四层参考模型来完成,各个层都有各自的创建函数,比如IP(),TCP(),UDP()等等,不同层之间通过“/”来连接。例如 ,接前面a的例子:
例1
>>> a=IP(ttl=5)
>>> a.src
'127.0.0.1'
>>> a
<IP ttl=5 |>
>>> a.dst
'127.0.0.1'
>>> a.dst="192.168.0.1"
>>> a
<IP ttl=5 dst=192.168.0.1 |>
>>> packet1=a
>>> packet1
<IP ttl=5 dst=192.168.0.1 |>
例2
>>> packet2=IP(dst="192.168.0.1")/TCP(dport=80)
例3
>>> packet3=IP(dst="www.baidu.com")/ICMP()
>>> packet3
<IP frag=0 proto=icmp dst=Net('www.baidu.com') |<ICMP |>>
>>> ls(packet3)
version : BitField = 4 (4)
ihl : BitField = None (None)
tos : XByteField = 0 (0)
len : ShortField = None (None)
id : ShortField = 1 (1)
flags : FlagsField = 0 (0)
frag : BitField = 0 (0)
ttl : ByteField = 64 (64)
proto : ByteEnumField = 1 (0)
chksum : XShortField = None (None)
src : Emph = '27.214.7.85' (None)
dst : Emph = Net('www.baidu.com') ('127.0.0.1')
options : PacketListField = [] ([])
--
type : ByteEnumField = 8 (8)
code : MultiEnumField = 0 (0)
chksum : XShortField = None (None)
id : ConditionalField = 0 (0)
seq : ConditionalField = 0 (0)
ts_ori : ConditionalField = 4842323 (4842323)
ts_rx : ConditionalField = 4842323 (4842323)
ts_tx : ConditionalField = 4842323 (4842323)
gw : ConditionalField = '0.0.0.0' ('0.0.0.0')
ptr : ConditionalField = 0 (0)
reserved : ConditionalField = 0 (0)
addr_mask : ConditionalField = '0.0.0.0' ('0.0.0.0')
unused : ConditionalField = 0 (0)
例4
>>> target="www.baidu.com/30"
>>> ip=IP(dst=target)
>>> ip
<IP dst=Net('www.baidu.com/30') |>
>>> ls(ip)
version : BitField = 4 (4)
ihl : BitField = None (None)
tos : XByteField = 0 (0)
len : ShortField = None (None)
id : ShortField = 1 (1)
flags : FlagsField = 0 (0)
frag : BitField = 0 (0)
ttl : ByteField = 64 (64)
proto : ByteEnumField = 0 (0)
chksum : XShortField = None (None)
src : Emph = '27.214.7.85' (None)
dst : Emph = Net('www.baidu.com/30') ('127.0.0.1')
options : PacketListField = [] ([])
>>> IP().display()
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = ip
chksum = None
src = 127.0.0.1
dst = 127.0.0.1
\options \ >>> TCP().display()
###[ TCP ]###
sport = ftp_data
dport = http
seq = 0
ack = 0
dataofs = None
reserved = 0
flags = S
window = 8192
chksum = None
urgptr = 0
options = {}
这里的display()方法可以简单查看当前packet的各个参数的取值情况.
五、包的结构
在Scapy中,scapy为各个层都写了类,使用时,只需要将其实例化,调用类的方法或者改变类的参数取值。如IP()没有传给它参数,那么它的参数就是默认的,如果传了就覆盖了默认值:
>>> a=IP()
>>> a.display()
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = ip
chksum = None
src = 127.0.0.1
dst = 127.0.0.1
\options \
>>> a=IP(dst="192.168.0.1")
>>> a.display()
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = ip
chksum = None
src = 27.214.7.** //(本机IP)
dst = 192.168.0.1
\options \ 注意比较这两次display()的不同,第一次是默认值,第二次传入了“192.168.0.1”。
"/"用来连接各层,如IP()/TCP()。如:
>>> IP()
<IP |>
>>> IP()/TCP()
<IP frag=0 proto=tcp |<TCP |>>
>>> Ether()/IP()/TCP()
<Ether type=0x800 |<IP frag=0 proto=tcp |<TCP |>>>
>>> IP()/TCP()/"GET / HTTP/1.0\r\n\r\n"
<IP frag=0 proto=tcp |<TCP |<Raw load='GET / HTTP/1.0\r\n\r\n' |>>>
>>> Ether()/IP()/IP()/UDP()
<Ether type=0x800 |<IP frag=0 proto=ipencap |<IP frag=0 proto=udp |<UDP |>>>>
>>> IP(proto=55,ttl=10)/TCP()
<IP frag=0 ttl=10 proto=55 |<TCP |>>
具体的参数传递过程,在scapy文档中提供了图表,如下:
转自:@小五义:http://www.cnblogs/xiaowuyi
最新文章
- java 选择排序法
- C++Lua配置
- 一个有趣的IE内核检测网站
- Python十分钟学会
- StringUtils 字符串工具类
- (Java)《head first java》值得Java或面向对象基础的新手看。
- 第五篇、HTML标签类型
- Qt5:Qt文件操作类 QFile
- BroadcastReceiver简单应用实例
- mac 卸载通过官网下载包安装的node
- [20190416]完善shared latch测试脚本2.txt
- [OC] NSTimer
- zabbix解决监控图中出现中文乱码问题
- 开源虚拟化KVM(一)搭建部署与概述
- (编辑距离问题 线性DP) nyoj1431-DNA基因鉴定
- 关于原型继承中的constructor重定向的问题
- 团队作业第六次——团队Github实战训练
- centos7.2 部署zabbix 3.2.7
- 异步消息处理机制Handler
- php7 改为从栈上分配内在的思路