Scapy
From charlesreid1
http://bt3gl.github.io/black-hat-python-infinite-possibilities-with-the-scapy-module.html
http://www.packetstan.com/2011/03/extracting-ap-names-from-packet.html
Wireless sniffer in 10 lines: http://www.securitytube.net/video/7262?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29
Scapy
Scapy is a Python library for building, sending, capturing and dissecting network packets, including the wireless frames these notes focus on. Imagine an API for your hardware, aircrack, nmap, tcpdump, traceroute, and various other networking utilities, all rolled into one Python library. That's Scapy.
References
Great intro to scapy's many functions: http://www.secdev.org/projects/scapy/demo.html
Great video tutorial: https://www.youtube.com/watch?v=-s4iyNSxs1k
Same setup, with a small battery-powered router: http://minipwner.com/index.php/forum/6-minipnwer-use/1787-my-experience-with-aircrack
Installing Scapy on Mac
NameError: global name dnet is not defined
On starting Scapy, I was seeing an error related to dnet.
Scapy has a number of dependencies on the Mac. One of them is a Python module that wraps a C library called dnet. If you try to install pydnet using pip, you will get errors when you run Scapy. But you can install libdnet from source, then build the Python extension yourself.
Hat tip to this page: http://juhalaaksonen.com/blog/2013/12/11/installing-scapy-for-mac-os-x/
 #!/bin/sh
 wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
 tar xfz libdnet-1.12.tgz
 cd libdnet-1.12
 ./configure
 make
 sudo make install
 cd python
 sudo python setup.py install
Alternatively, you could use Homebrew to install libdnet and then install scapy, but that requires you to use Homebrew's Python - you can't mix, for example, a Python.org python install with a Homebrew install of Scapy.
Once you're done, you should be able to fire up scapy and get a command prompt:
Listing Scapy Commands
Once you get to the Scapy prompt, you can see all the different Scapy functions available to you with the lsc() command:
 >>> lsc()
 arpcachepoison : Poison target's cache with (your MAC,victim's IP) couple
 arping : Send ARP who-has requests to determine which hosts are up
 bind_layers : Bind 2 layers on some specific fields' values
 bridge_and_sniff : Forward traffic between two interfaces and sniff packets exchanged
 corrupt_bits : Flip a given percentage or number of bits from a string
 corrupt_bytes : Corrupt a given percentage or number of bytes from a string
 defrag : defrag(plist) -> ([not fragmented], [defragmented],
 defragment : defrag(plist) -> plist defragmented as much as possible
 dyndns_add : Send a DNS add message to a nameserver for "name" to have a new "rdata"
 dyndns_del : Send a DNS delete message to a nameserver for "name"
 etherleak : Exploit Etherleak flaw
 fragment : Fragment a big IP datagram
 fuzz : Transform a layer into a fuzzy layer by replacing some default values by random objects
 getmacbyip : Return MAC address corresponding to a given IP address
 hexdiff : Show differences between 2 binary strings
 hexdump : --
 hexedit : --
 is_promisc : Try to guess if target is in Promisc mode. The target is provided by its ip.
 linehexdump : --
 ls : List available layers, or infos on a given layer
 promiscping : Send ARP who-has requests to determine which hosts are in promiscuous mode
 rdpcap : Read a pcap file and return a packet list
 send : Send packets at layer 3
 sendp : Send packets at layer 2
 sendpfast : Send packets at layer 2 using tcpreplay for performance
 sniff : Sniff packets
 split_layers : Split 2 layers previously bound
 sr : Send and receive packets at layer 3
 sr1 : Send packets at layer 3 and return only the first answer
 srbt : send and receive using a bluetooth socket
 srbt1 : send and receive 1 packet using a bluetooth socket
 srflood : Flood and receive packets at layer 3
 srloop : Send a packet at layer 3 in loop and print the answer each time
 srp : Send and receive packets at layer 2
 srp1 : Send and receive packets at layer 2 and return only the first answer
 srpflood : Flood and receive packets at layer 2
 srploop : Send a packet at layer 2 in loop and print the answer each time
 traceroute : Instant TCP traceroute
 tshark : Sniff packets and print them calling pkt.show(), a bit like text wireshark
 wireshark : Run wireshark on a list of packets
 wrpcap : Write a list of packets to a pcap file
You can list all of the different layers that are available using the ls() command:
>>> ls()
Using Scapy
Airoscapy: Airodump Clone
Here is an example of using Scapy as an airodump clone. It shows how to perform basic tasks such as interacting with the wireless card and processing packets directly from Python using Scapy:
Simple AP Scanner
This script does exactly what it says: a simple AP scanner. It randomly hops around channels, and adds any APs it sees to a master list.
Analyzing Wifi Conversations
These notes cover the use of Scapy to identify packets flowing between devices (routers and clients) as part of conversations, and gather statistics about those conversations.
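The AP scanner and the conversation notes above both rest on the same step: pulling addresses and tagged parameters out of raw 802.11 frames, which is what Scapy's Dot11/Dot11Beacon/Dot11Elt layers do for you. The following is an added example, not code from the original page or from any of the linked scripts: a minimal hand parser for beacon and data frames that builds the same kind of master AP list (keyed by BSSID) and per-pair frame counts, so the logic can be checked without a wireless card. It assumes frames are handed over with any radiotap header already stripped, and the sample frames are constructed inline rather than captured.

```python
from collections import Counter

MGMT, DATA, BEACON = 0, 2, 8          # 802.11 frame types and the beacon management subtype
TAG_SSID, TAG_DS_PARAM = 0, 3         # tagged-parameter IDs inside a beacon body
def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_80211(frame):
    """Header of a raw 802.11 frame (radiotap already stripped): type, subtype, addr1-3, body."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    return ftype, subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), frame[24:]
def parse_beacon(body):
    """SSID and channel from a beacon body: 12 fixed bytes, then (tag, len, value) elements."""
    ssid, channel, i = None, None, 12
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:                 # truncated element: stop rather than misparse
            break
        if tag == TAG_SSID:
            ssid = val.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAM and ln == 1:
            channel = val[0]
        i += 2 + ln
    return ssid, channel

def scan(frames):
    """Master AP list keyed by BSSID (addr3 of a beacon) plus data-frame counts per address pair."""
    aps, conversations = {}, Counter()
    for frame in frames:
        ftype, subtype, a1, a2, a3, body = parse_80211(frame)
        if ftype == MGMT and subtype == BEACON:
            ssid, channel = parse_beacon(body)
            ap = aps.setdefault(a3, {"ssid": ssid, "channel": channel, "beacons": 0})
            ap["beacons"] += 1
        elif ftype == DATA:
            conversations[tuple(sorted((a1, a2)))] += 1
    return aps, conversations

# Constructed sample frames (not a real capture): two APs and one client talking to the first.
AP1, AP2, CLIENT = bytes.fromhex("00112233aabb"), bytes.fromhex("0011223344cc"), bytes.fromhex("dead00beef01")
def beacon(bssid, ssid, channel):
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"   # beacon to broadcast
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"       # timestamp, interval 100 TU, capabilities
    return hdr + fixed + bytes([TAG_SSID, len(ssid)]) + ssid.encode() + bytes([TAG_DS_PARAM, 1, channel])
def data(src, dst):
    return b"\x08\x02\x00\x00" + dst + src + src + b"\x00\x00"            # data frame, FromDS set
FRAMES = [beacon(AP1, "Lab-Net", 6), beacon(AP1, "Lab-Net", 6), beacon(AP2, "Guest", 11),
          data(CLIENT, AP1), data(AP1, CLIENT), data(CLIENT, AP1)]
```

Running `scan(FRAMES)` yields two APs (Lab-Net on channel 6 seen twice, Guest on channel 11) and three data frames between the client and the first AP, which is the kind of baseline an AP inventory or rogue-AP check compares against.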
Collecting Wifi Data
This material is relevant to the UGR Project on wifi data.
In this project, we'll be using Scapy to monitor incoming packets, and populate a database with observations.
FakeAP
Scapy for Fake AP: https://github.com/rpp0/scapy-fakeap
Flags
scapy: a Python library for interfacing with network devices and analyzing packets from Python.