Scapy如何處理數據包
發(fā)布時(shí)間:2021-09-14 11:25
來(lái)源:億速云
閱讀:0
作者:chen
欄目: 網(wǎng)絡(luò )安全
本篇內容介紹了“Scapy如何處理數據包”的有關(guān)知識�����,在實(shí)際案例的操作過(guò)程中�����,不少人都會(huì )遇到這樣的困境�,接下來(lái)就讓小編帶領(lǐng)大家學(xué)習一下如何處理這些情況吧�!希望大家仔細閱讀����,能夠學(xué)有所成����!
TCP SYN Ping
>>> ans,unans=sr(IP(dst="60.205.177.0/28")/TCP(dport=80,flags="S")) Begin emission: Finished sending 16 packets. .*********..................................................................................^C Received 92 packets, got 9 answers, remaining 7 packets >>> ans.summary(lambda s:s[1].sprintf("%IP.src% is alive")) 60.205.177.1 is alive 60.205.177.2 is alive 60.205.177.4 is alive 60.205.177.6 is alive 60.205.177.7 is alive 60.205.177.8 is alive 60.205.177.11 is alive 60.205.177.12 is alive 60.205.177.14 is aliveTCP ACK Ping
發(fā)送僅設置了ACK位的空TCP數據包����。
未經(jīng)請求的ACK數據包應通過(guò)RST進(jìn)行響應���,RST顯示一臺機器���。
SYN-ping和ACK-ping看起來(lái)可能是多余的�����,但是大多數無(wú)狀態(tài)防火墻不會(huì )過(guò)濾未經(jīng)請求的ACK數據包�,所以最好同時(shí)使用這兩種ping技術(shù)���。
>>> ans, unans = sr(IP(dst='60.205.177.90-105')/TCP(dport=80, flags='A')) Begin emission: Finished sending 16 packets. .*.******....................................................................................................................................................................^C Received 173 packets, got 7 answers, remaining 9 packets >>> ans.summary(lambda s:s[1].sprintf("{IP: %IP.src% is alive}")) 60.205.177.91 is alive 60.205.177.94 is alive 60.205.177.95 is alive 60.205.177.97 is alive 60.205.177.100 is alive 60.205.177.101 is alive 60.205.177.102 is aliveUDP Ping
將UDP數據包發(fā)送給給定的端口(無(wú)論是否帶有有效載荷)���,協(xié)議特定的有效載荷會(huì )使掃描更加有效����。
選擇最有可能關(guān)閉的端口(開(kāi)放的UDP端口可能會(huì )收到空數據包�,但會(huì )忽略它們)�。
ICMP端口不可達表示機器是啟動(dòng)的���。
>>> ans, unans = sr(IP(dst='60.205.177.100-254')/UDP(dport=90),timeout=0.1) Begin emission: Finished sending 155 packets. ..******..*****... Received 18 packets, got 11 answers, remaining 144 packets >>> ans.summary(lambda s:s[1].sprintf("%IP.src% is unreachable")) 60.205.177.106 is unreachable 60.205.177.108 is unreachable 60.205.177.107 is unreachable 60.205.177.111 is unreachable 60.205.177.125 is unreachable 60.205.177.172 is unreachable 60.205.177.191 is unreachable 60.205.177.203 is unreachable 60.205.177.224 is unreachable 60.205.177.242 is unreachable 60.205.177.244 is unreachableARP Ping
由于在 IPv6 中沒(méi)有 ARP協(xié)議�����,所以在 IPv6 上層定義了 NDP 協(xié)議實(shí)現 ARP 的地址解析���,沖突地址檢測等功能以及IPV6 的鄰居發(fā)現功能����。
>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="172.17.51.0/24"),timeout=2) Begin emission: Finished sending 256 packets. *******************************************************************************.***********************************************************************************........................... Received 190 packets, got 162 answers, remaining 94 packets >>> ans.summary(lambda r: r[0].sprintf("%Ether.src% %ARP.pdst%") ) 00:16:3e:0c:d1:ad 172.17.51.0 00:16:3e:0c:d1:ad 172.17.51.1 00:16:3e:0c:d1:ad 172.17.51.2 00:16:3e:0c:d1:ad 172.17.51.3 00:16:3e:0c:d1:ad 172.17.51.4 00:16:3e:0c:d1:ad 172.17.51.5 00:16:3e:0c:d1:ad 172.17.51.6 00:16:3e:0c:d1:ad 172.17.51.7ICMP Ping
ICMP掃描涉及無(wú)處不在的_ping程序_發(fā)送的標準數據包����。
向目標IP發(fā)送一個(gè)ICMP類(lèi)型8(回顯請求)數據包�����,收到一個(gè)ICMP類(lèi)型0(回顯應答)的包表示機器存活�。
現在許多主機和防火墻阻止這些數據包����,因此基本的ICMP掃描是不可靠的��。
ICMP還支持時(shí)間戳請求和地址掩碼請求�,可以顯示計算機的可用性�����。
>>> ans,unans=sr(IP(dst="60.205.177.168-180")/ICMP()) >>> ans.summary(lambda s:s[0].sprintf("{IP: %IP.dst% is alive}")) 60.205.177.168 is alive 60.205.177.169 is alive 60.205.177.171 is alive 60.205.177.172 is alive 60.205.177.175 is alive 60.205.177.174 is alive 60.205.177.176 is alive 60.205.177.179 is alive 60.205.177.178 is alive 60.205.177.180 is alive服務(wù)發(fā)現(端口掃描)
TCP連接掃描
找了個(gè)網(wǎng)圖( 侵刪)
這里展示一下tcpdump抓到的握手包
192.168.2.1.35555 > 192.168.2.12.4444: Flags [S] seq=12345 192.168.2.12.4444 > 192.168.2.1.35555: Flags [S.], seq=9998 ack=12346 192.168.2.1.35555 > 192.168.2.12.4444: Flags [.] seq=12346 ack=9999
IP與端口號之間以'.'分隔�����,ACK用'.'表示�����,SYN用'S'表示�����,而[S.]則表示SYN+ACK
在Scapy中制作三次握手包
第1步-將客戶(hù)端的SYN發(fā)送到偵聽(tīng)
ip=IP(src="192.168.2.53", dst="60.205.177.168") syn_packet = TCP(sport=1500, dport=80, flags="S", seq=100)
第2步-監聽(tīng)服務(wù)器的響應(SYN-ACK)
synack_packet = sr1(ip/syn_packet) my_ack = synack_packet.seq+1
第3步從客戶(hù)端發(fā)送對服務(wù)器響應的確認(ACK)
ack_packet = TCP(sport=1500, dport=80, flags="A", seq=101, ack=my_ack) send(ip/ack_packet)
完整代碼如下
#!/usr/bin/python from scapy.all import * # 構建payload get='GET / HTTP/1.0\n\n' #設置目的地址和源地址 ip=IP(src="192.168.2.53",dst="60.205.177.168") # 定義一個(gè)隨機源端口 port=RandNum(1024,65535) # 構建SYN的包 SYN=ip/TCP(sport=port, dport=80, flags="S", seq=42) # 發(fā)送SYN并接收服務(wù)器響應(SYN,ACK) SYNACK=sr1(SYN) #構建確認包 ACK=ip/TCP(sport=SYNACK.dport,dport=80,flags="A",seq=SYNACK.ack,ack=SYNACK.seq+1)/get #發(fā)送ack確認包 reply,error=sr(ACK) # 打印響應結果 print(reply.show())
SYN掃描
SYN掃描也稱(chēng)為半開(kāi)放掃描�?����?梢允褂眠@種策略來(lái)確定通信端口的狀態(tài)而無(wú)需建立完整的連接��??蛻?hù)端首先向被測主機發(fā)送一個(gè)syn數據包���,如果端口開(kāi)放����,那么服務(wù)端會(huì )響應一個(gè)syn+ack的數據包�����,之后客戶(hù)端會(huì )發(fā)送rst數據包進(jìn)行重置����。否則服務(wù)端會(huì )直接響應一個(gè)rst包��,表示端口沒(méi)有開(kāi)放��。如果我們發(fā)了大量的syn包而不去確認���,服務(wù)端會(huì )繼續發(fā)送syn+ack的包���,會(huì )不斷的消耗服務(wù)器的CPU和內存�����,這也就是我們常說(shuō)的syn泛洪攻擊了���。
接下來(lái)我們使用scapy來(lái)模擬syn掃描
在單個(gè)主機�����,單個(gè)端口上進(jìn)行SYN掃描
>>> syn_packet = IP(dst='60.205.177.168')/TCP(dport=22,flags='S') >>> rsp=sr1(syn_packet) Begin emission: Finished sending 1 packets. ..* Received 3 packets, got 1 answers, remaining 0 packets >>> rsp.sprintf("%IP.src% %TCP.sport% %TCP.flags%") '60.205.177.168 ssh SA'在單個(gè)主機�����,多個(gè)端口上進(jìn)行SYN掃描
>>> ans,unans=sr(IP(dst="60.205.177.168")/TCP(dport=(20,22),flags="S")) Begin emission: Finished sending 3 packets. ..*..** Received 7 packets, got 3 answers, remaining 0 packets >>> ans.summary(lambda s:s[1].sprintf("%TCP.sport% %TCP.flags%" )) ftp_data RA ftp RA ssh SA對多個(gè)主機�,多個(gè)端口進(jìn)行SYN掃描
60.205.177.169的20和22端口沒(méi)有響應數據包�����,猜測中間可能有設備(防火墻)給攔下了��。
>>> ans,unans = sr(IP(dst=["60.205.177.168-170"])/TCP(dport=[20,22,80],flags="S")) Begin emission: Finished sending 9 packets. ..*..**..*.................................................................................................................................................................................................................................................^C Received 251 packets, got 4 answers, remaining 5 packets >>> ans.make_table(lambda s: (s[0].dst, s[0].dport,s[1].sprintf("%TCP.flags%"))) 60.205.177.168 60.205.177.169 20 RA - 22 SA - 80 SA SAFin 掃描
客戶(hù)端會(huì )發(fā)送帶有fin標志(關(guān)閉連接)的數據包到服務(wù)端�����,當服務(wù)端沒(méi)有響應時(shí)����,表示端口是開(kāi)放狀態(tài)���,否則會(huì )收到rst的包����。
端口開(kāi)放
>>> fin_packet = IP(dst='60.205.177.168')/TCP(dport=4444,flags='F') >>> resp = sr1(fin_packet) Begin emission: Finished to send 1 packets. ^C Received 0 packets, got 0 answers, remaining 1 packets
端口關(guān)閉
>>> fin_packet = IP(dst='60.205.177.168')/TCP(dport=4399,flags='F') >>> resp = sr1(fin_packet) >>> resp.sprintf('%TCP.flags%') 'RA'NULL 掃描
null掃描會(huì )發(fā)送一個(gè)沒(méi)有設置任何flag的TCP數據包����,當收到rst的響應包則表示端口關(guān)閉����,否則表示端口開(kāi)放�����,如果收到類(lèi)型為3且代碼為1����、2���、3����、9����、10或13的ICMP錯誤表示該端口已被過(guò)濾����,獲取不到端口狀態(tài)�。
端口關(guān)閉
>>> null_scan_resp = sr1(IP(dst="60.205.177.168")/TCP(dport=4399,flags=""),timeout=1) >>> null_scan_resp.sprintf('%TCP.flags%') 'RA'Xmas 掃描
XMAS掃描會(huì )發(fā)送帶有URG�,PUSH�����,FIN標志的TCP數據包����,如果未接收到任何數據包����,則認為該端口處于打開(kāi)狀態(tài);如果接收到RST數據包����,則將該端口視為已關(guān)閉����。如果收到類(lèi)型為3且代碼為1�����、2�����、3�、9�����、10或13的ICMP錯誤表示該端口已被過(guò)濾�����,獲取不到端口狀態(tài)����。
端口關(guān)閉
>>> xmas_scan_resp=sr1(IP(dst="60.205.177.168")/TCP(dport=4399,flags=”FPU”),timeout=1) Begin emission: .Finished sending 1 packets. * Received 2 packets, got 1 answers, remaining 0 packets >>> xmas_scan_resp.sprintf('%TCP.flags%') 'RA'UDP掃描
UDP掃描最常見(jiàn)于檢測����,SNMP和DHCP服務(wù)�?���?蛻?hù)端會(huì )發(fā)送帶有要連接的端口號的UDP數據包��。如果服務(wù)器使用UDP數據包響應客戶(hù)端��,那么該端口在服務(wù)器上是開(kāi)放的��。如果返回ICMP端口不可達的類(lèi)型為3和code為3錯誤數據包���,表示該端口在服務(wù)器是關(guān)閉狀態(tài)����。
>>> udp_scan=sr1(IP(dst="60.205.177.168")/UDP(dport=53),timeout=1))
跟蹤路由
跟蹤路由技術(shù)基于IP協(xié)議的設計方式��。IP標頭中的TTL值被視為跳數限制����。每當路由器收到要轉發(fā)的數據包時(shí)��,它將TTL減1并轉發(fā)數據包����。當TTL達到0時(shí)����,路由器將向源計算機發(fā)送答復���,表示數據包已被丟棄��。
各種工具背后的技術(shù)是相同的��,但是實(shí)現它們的方式略有不同���。Unix系統使用UDP數據報文����,而Windows tracert則發(fā)送ICMP請求�,Linux的tcptraceroute使用TCP協(xié)議���。
使用ICMP進(jìn)行路由跟蹤
>>> ans,unans=sr(IP(dst="49.232.152.189",ttl=(1,10))/ICMP()) Begin emission: Finished sending 10 packets. *****.**........................................................................................................^C Received 112 packets, got 7 answers, remaining 3 packets >>> ans.summary(lambda s:s[1].sprintf("%IP.src%")) 10.36.76.142 10.54.138.21 10.36.76.13 45.112.216.134 103.216.40.18 9.102.250.221 10.102.251.214使用tcp進(jìn)行路由跟蹤
>>> ans,unans=sr(IP(dst="baidu.com",ttl=(1,10))/TCP(dport=53,flags="S")) Begin emission: Finished sending 10 packets. *********......................^C Received 31 packets, got 9 answers, remaining 1 packets >>> ans.summary(lambda s:s[1].sprintf("%IP.src% {ICMP:%ICMP.type%}")) 10.36.76.142 time-exceeded 10.36.76.13 time-exceeded 10.102.252.130 time-exceeded 117.49.35.150 time-exceeded 10.102.34.237 time-exceeded 111.13.123.150 time-exceeded 218.206.88.22 time-exceeded 39.156.67.73 time-exceeded 39.156.27.1 time-exceededScapy包含一個(gè)內置的traceroute()函數可以實(shí)現與上面相同的功能
>>> traceroute("baidu.com") Begin emission: Finished sending 30 packets. ************************ Received 24 packets, got 24 answers, remaining 6 packets 220.181.38.148:tcp80 2 10.36.76.13 11 3 10.102.252.34 11 4 117.49.35.138 11 5 116.251.112.185 11 6 36.110.217.9 11 7 36.110.246.201 11 8 220.181.17.150 11 14 220.181.38.148 SA 15 220.181.38.148 SA 16 220.181.38.148 SA 17 220.181.38.148 SA 18 220.181.38.148 SA 19 220.181.38.148 SA 20 220.181.38.148 SA 21 220.181.38.148 SA 22 220.181.38.148 SA 23 220.181.38.148 SA 24 220.181.38.148 SA 25 220.181.38.148 SA 26 220.181.38.148 SA 27 220.181.38.148 SA 28 220.181.38.148 SA 29 220.181.38.148 SA 30 220.181.38.148 SA (<Traceroute: TCP:17 UDP:0 ICMP:7 Other:0>, <Unanswered: TCP:6 UDP:0 ICMP:0 Other:0>使用DNS跟蹤路由
我們可以通過(guò)在traceroute()函數的l4參數中指定完整的數據包來(lái)執行DNS跟蹤路由
>>> ans,unans=traceroute("60.205.177.168",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org"))) Begin emission: ****Finished sending 30 packets. ................. Received 21 packets, got 4 answers, remaining 26 packets 60.205.177.168:udp53 1 10.2.0.1 11 2 114.242.29.1 11 4 125.33.185.114 11 5 61.49.143.2 11
