Scanning with Scapy

Scapy is a powerful tool that can be used to manipulate network packets. While we will not be going into great depth on all that can be accomplished with Scapy, we will use it in this recipe to determine which TCP ports are open on a target. By identifying which ports are open on a target, you may be able to determine the types of services that are running and use these to further your testing.

How to do it…

This is the script that will perform a port scan on a specific target in a given port range. It takes arguments for the target, the start of the port range and the end of the port range:

import logging
# Must run before scapy.all is imported, or the IPv6 warning is printed anyway
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

import sys
from scapy.all import IP, TCP, sr1, sr

if len(sys.argv) != 4:
    print("usage: %s target startport endport" % (sys.argv[0]))
    sys.exit(0)

target = str(sys.argv[1])
startport = int(sys.argv[2])
endport = int(sys.argv[3])
print("Scanning " + target + " for open TCP ports\n")
# range() excludes its end value, so a single-port scan still needs one iteration
if startport == endport:
    endport += 1
for x in range(startport, endport):
    # A bare SYN to the port under test
    packet = IP(dst=target)/TCP(dport=x, flags="S")
    response = sr1(packet, timeout=0.5, verbose=0)
    # sr1 returns None on timeout (closed or filtered port); guard before inspecting layers
    if response is not None and response.haslayer(TCP) and response.getlayer(TCP).flags == 0x12:
        print("Port " + str(x) + " is open!")
        # Tear the half-open connection down with a RST
        sr(IP(dst=target)/TCP(dport=response.sport, flags="R"), timeout=0.5, verbose=0)

print("Scan complete!\n")

How it works…

The first thing you notice about this recipe is the starting two lines of the script:

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

These lines serve to suppress a warning created by Scapy when IPv6 routing isn't configured, which causes the following output:

WARNING: No route found for IPv6 destination :: (no default route?)

This isn't essential for the functionality of the script, but it does make the output tidier when you run it.

The next few lines will validate the number of arguments and assign the arguments to variables for use in the script. The script also checks to see whether the start and end of the port range are the same and increments the end port in order for the loop to be able to work.

After all of the setting up, we'll loop through the port range and the real meat of the script comes along. First, we create a rudimentary TCP packet:

packet = IP(dst=target)/TCP(dport=x,flags="S")

We then use the sr1 function, whose name is short for send/receive 1: it sends the packet we have created and returns the first packet that comes back. The additional parameters we have supplied include a timeout, so the script will not hang on closed or filtered ports, and verbose=0, which turns off the output that Scapy normally prints when sending packets.

The script then checks whether there is a response that contains TCP data. If it does contain TCP data, then the script will check for the SYN and ACK flags. The presence of these flags would indicate a SYN-ACK response, which is part of the TCP protocol handshake and shows that the port is open.

If it is determined that a port is open, an output is printed to this effect and the next line of code sends a reset:

sr(IP(dst=target)/TCP(dport=response.sport, flags="R"), timeout=0.5, verbose=0)

This line is necessary in order to close the connection; without it, a large port range with many open ports would leave a pile of half-open connections on the target, which is exactly what a TCP SYN-flood attack looks like.
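To show the flag test and the timeout case side by side, here is an added example that is not part of the recipe. It parses raw IPv4/TCP bytes with struct instead of Scapy so it runs anywhere; the reply packets, ports and 192.0.2.x addresses are constructed, not captured.

```python
import struct

# TCP flag bits; the recipe's 0x12 test is SYN | ACK
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_PROTO = 6

def tcp_flags(raw):
    """Return the TCP flags byte of a raw IPv4 packet, or None if it carries no TCP."""
    if raw is None or len(raw) < 20:
        return None
    ihl = (raw[0] & 0x0F) * 4           # IPv4 header length in bytes
    if raw[9] != TCP_PROTO or len(raw) < ihl + 14:
        return None                     # ICMP or truncated: same as haslayer(TCP) failing
    return raw[ihl + 13]                # flags byte is at offset 13 of the TCP header

def classify(raw):
    """Map the reply to a SYN probe onto the state a SYN scan infers from it."""
    flags = tcp_flags(raw)
    if flags is None:
        return "filtered"               # sr1 timeout (None) or a non-TCP reply
    if flags & (SYN | ACK) == (SYN | ACK):
        return "open"                   # SYN-ACK: step two of the handshake
    if flags & RST:
        return "closed"                 # RST-ACK: reachable, nothing listening
    return "unknown"

def make_reply(flags, sport=80, dport=20):
    """Build a constructed IPv4+TCP reply carrying the given flag bits."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp

if __name__ == "__main__":
    for name, reply in [("SYN-ACK", make_reply(SYN | ACK)),
                        ("RST-ACK", make_reply(RST | ACK)),
                        ("timeout", None)]:
        print("%-8s -> %s" % (name, classify(reply)))
```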

There's more…

In this recipe, we showed you how Scapy can be used to perform a TCP port scan. The techniques used in this recipe can be adapted to perform a UDP port scan on a host or a ping scan on a range of hosts.

This just touches the surface of what Scapy is capable of. For more information, a good place to start is on the official Scapy website at http://www.secdev.org/projects/scapy/.
