The World of OpenWrt: Raspberry Pi 3B [Router], Moving the Stars and Turning the Dipper (4.5), Scapy Part 1

When we know very little, many articles read without our grasping what really matters:

What makes Scapy so special

First, with most other networking tools, you won’t build something the author did not imagine. These tools have been built for a specific goal and can’t deviate much from it. For example, an ARP cache poisoning program won’t let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.

Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved for human beings. Some programs try to mimic this behavior. For instance they say “this port is open” instead of “I received a SYN-ACK”. Sometimes they are right. Sometimes not. It’s easier for beginners, but when you know what you’re doing, you keep on trying to deduce what really happened from the program’s interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.

Third, even programs which only decode do not give you all the information they received. The network’s vision they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the Ethernet padding?

Scapy tries to overcome those problems. It enables you to build exactly the packets you want. Even if I think stacking a 802.1q layer on top of TCP makes no sense, it may have some for somebody else working on some product I don’t know. Scapy has a flexible model that tries to avoid such arbitrary limits. You’re free to put any value you want in any field you want and stack them like you want. You’re an adult after all.

In fact, it’s like building a new tool each time, but instead of dealing with a hundred line C program, you only write 2 lines of Scapy.

After a probe (scan, traceroute, etc.) Scapy always gives you the full decoded packets from the probe, before any interpretation. That means that you can probe once and interpret many times, ask for a traceroute and look at the padding for instance.

Fast packet design

Other tools stick to the program-that-you-run-from-a-shell paradigm. The result is an awful syntax to describe a packet. For these tools, the solution adopted uses a higher but less powerful description, in the form of scenarios imagined by the tool’s author. As an example, only the IP address must be given to a port scanner to trigger the port scanning scenario. Even if the scenario is tweaked a bit, you are still stuck with a port scan.

Scapy’s paradigm is to propose a Domain Specific Language (DSL) that enables a powerful and fast description of any kind of packet. Using the Python syntax and a Python interpreter as the DSL syntax and interpreter has many advantages: there is no need to write a separate interpreter, users don’t need to learn yet another language and they benefit from a complete, concise and very powerful language.

Scapy enables the user to describe a packet or set of packets as layers that are stacked one upon another. Fields of each layer have useful default values that can be overloaded. Scapy does not oblige the user to use predetermined methods or templates. This alleviates the requirement of writing a new tool each time a different scenario is required. In C, it may take an average of 60 lines to describe a packet. With Scapy, the packets to be sent may be described in only a single line with another line to print the result. 90% of the network probing tools can be rewritten in 2 lines of Scapy.

Probe once, interpret many

Network discovery is blackbox testing. When probing a network, many stimuli are sent while only a few of them are answered. If the right stimuli are chosen, the desired information may be obtained by the responses or the lack of responses. Unlike many tools, Scapy gives all the information, i.e. all the stimuli sent and all the responses received. Examination of this data will give the user the desired information. When the dataset is small, the user can just dig for it. In other cases, the interpretation of the data will depend on the point of view taken. Most tools choose the viewpoint and discard all the data not related to that point of view. Because Scapy gives the complete raw data, that data may be used many times allowing the viewpoint to evolve during analysis. For example, a TCP port scan may be probed and the data visualized as the result of the port scan. The data could then also be visualized with respect to the TTL of response packet. A new probe need not be initiated to adjust the viewpoint of the data.

[Figure: scapy-concept.png]

Scapy decodes, it does not interpret

A common problem with network probing tools is they try to interpret the answers received instead of only decoding and giving facts. Reporting something like Received a TCP Reset on port 80 is not subject to interpretation errors. Reporting Port 80 is closed is an interpretation that may be right most of the time but wrong in some specific contexts the tool’s author did not imagine. For instance, some scanners tend to report a filtered TCP port when they receive an ICMP destination unreachable packet. This may be right, but in some cases, it means the packet was not filtered by the firewall but rather there was no host to forward the packet to.

Interpreting results can help users who don’t know what a port scan is, but it can also do more harm than good, as it injects bias into the results. What tends to happen is that, so that they can do the interpretation themselves, knowledgeable users will try to reverse engineer the tool’s interpretation to derive the facts that triggered that interpretation. Unfortunately, much information is lost in this operation.
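The quoted text makes two concrete claims: a probing tool should report facts ("received a TCP Reset", the Ethernet padding) and keep interpretation as a separate, replaceable step. The following is an added example, not code from the Scapy project or from this blog: a pure-Python (no Scapy dependency) decoder for constructed Ethernet/IPv4/TCP and ICMP frames that returns raw facts, plus two interpretation functions applied afterwards to the same decoded data. The sample frames, addresses (10.0.0.1, 10.0.0.2) and port numbers are constructed test data with checksums left at zero; the helper names are this example's own.

```python
import struct
from typing import Any, Dict, List

# Standard TCP flag bits (RFC 793), in the order the decoder reports them.
TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
ETH_MIN_FRAME = 60          # minimum Ethernet frame length, FCS excluded
ETH_HDR, IP_HDR = 14, 20

# --- constructed sample frames (not real captures; checksums left at zero) ---
def tcp_segment(flags: int, sport: int = 80, dport: int = 40000) -> bytes:
    """20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def icmp_unreachable(code: int) -> bytes:
    """ICMP type 3 (destination unreachable) header with the given code."""
    return struct.pack("!BBHI", 3, code, 0, 0)

def build_frame(proto: int, payload: bytes, ttl: int) -> bytes:
    """Wrap `payload` in Ethernet/IPv4 headers and zero-pad to the Ethernet minimum."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")   # dst, src, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(payload), 0x1234, 0,
                     ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + payload
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))

# --- decoding: facts only, including the padding most tools silently drop ---
def decode_frame(frame: bytes) -> Dict[str, Any]:
    facts: Dict[str, Any] = {"ethertype": struct.unpack("!H", frame[12:14])[0],
                             "padding": b""}
    if facts["ethertype"] != 0x0800:
        return facts
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[ETH_HDR:ETH_HDR + IP_HDR])
    ihl = (ver_ihl & 0x0F) * 4
    facts.update(ttl=ttl, proto=proto,
                 src=".".join(map(str, src)), dst=".".join(map(str, dst)))
    facts["padding"] = frame[ETH_HDR + total_len:]      # bytes after the IP datagram
    body = frame[ETH_HDR + ihl:ETH_HDR + total_len]
    if proto == 6:
        sport, dport, _, _, _, bits = struct.unpack("!HHIIBB", body[:14])
        facts["tcp"] = {"sport": sport, "dport": dport,
                        "flags": tuple(name for name, bit in TCP_FLAGS if bits & bit)}
    elif proto == 1:
        facts["icmp"] = dict(zip(("type", "code"), struct.unpack("!BB", body[:2])))
    return facts

def fact_line(facts: Dict[str, Any]) -> str:
    """Report what was received ("a TCP Reset"), not what it supposedly means."""
    if "tcp" in facts:
        t = facts["tcp"]
        return (f"Received TCP {'+'.join(t['flags'])} from {facts['src']}:{t['sport']} "
                f"TTL={facts['ttl']} eth_padding={len(facts['padding'])}B")
    if "icmp" in facts:
        i = facts["icmp"]
        return (f"Received ICMP type {i['type']} code {i['code']} "
                f"from {facts['src']} TTL={facts['ttl']}")
    return f"Received ethertype 0x{facts['ethertype']:04x}"

# --- interpretation: applied after the fact, replaceable without re-probing ---
def port_state_view(facts: Dict[str, Any]) -> str:
    flags = set(facts.get("tcp", {}).get("flags", ()))
    if {"SYN", "ACK"} <= flags:
        return "open"
    if "RST" in flags:
        return "closed"
    icmp = facts.get("icmp")
    if icmp and icmp["type"] == 3:
        # Code 13 is "administratively prohibited", code 1 is "host unreachable":
        # both leave the port unanswered, for very different reasons.
        return {13: "filtered", 1: "no host"}.get(icmp["code"], "unreachable")
    return "unknown"

def ttl_view(all_facts: List[Dict[str, Any]]) -> List[int]:
    """A second viewpoint over the same probe data: distinct TTLs seen."""
    return sorted({f["ttl"] for f in all_facts if "ttl" in f})

if __name__ == "__main__":
    replies = [build_frame(6, tcp_segment(0x12), 128),        # SYN+ACK
               build_frame(6, tcp_segment(0x14), 63),         # RST+ACK
               build_frame(1, icmp_unreachable(1), 254)]      # host unreachable
    decoded = [decode_frame(r) for r in replies]              # probe once ...
    for f in decoded:                                          # ... interpret many
        print(fact_line(f), "->", port_state_view(f))
    print("TTLs seen:", ttl_view(decoded))
```

The decoded dictionaries are the "full decoded packets" the text speaks of: `port_state_view` and `ttl_view` are two viewpoints over the same list, and a third can be written later without sending anything again. Note how the ICMP branch keeps type and code as facts, so the "filtered" versus "no host" distinction the text warns about is decided by the interpreter, not buried in the decoder.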

 

At this point, going back to the basics may let us gauge our own depth:

《鳥哥的 Linux 私房菜》 (VBird's Linux Private Kitchen)

2.1 What Exactly Is a Network?

There are many peoples in the world, and humans use a great many languages. So if you want to communicate with a foreigner, apart from gesturing, how do you talk to them? There are roughly only two ways: either force them to learn Chinese, or we learn their language; only then can we communicate. The dominant language in the world today still belongs to the English-speaking countries, so no matter which people you belong to, as long as you learn English well and everyone speaks English, you can all communicate with each other. Hopefully in the not-too-distant future our Chinese can become a dominant language!

This idea carries over to networking as well. There are a great many operating systems in the world, not just Windows/Linux: Apple has its own operating system, and there are very many Unix-like operating systems too! How do all those operating systems (peoples) communicate over the network (languages)? A standard that everyone follows has to be established. That standard is set by international organizations; as long as your system provides code that can take part in that standard, you can communicate with other systems through it! So networking is cross-platform, not something only Linux does! Therefore, once you have learned this material, you can apply it on every operating system; the concepts are all the same!

Also, this chapter aims to guide network newcomers quickly into the world of networking, so VBird has written it rather simply; basically, a whole pile of network hardware and communication protocols are not covered in this short piece. If your thirst for knowledge already exceeds this chapter, please go to a bookstore and find books suited to you! Of course, you can also find the material you need on the Internet. Have a look at the references at the end of this chapter!

……

5.5 Packet Capture

Many times, when our network connection has a problem, tools like ping still cannot locate the problem; the most common cause is the confusion produced by routing and IP forwarding (see the section on firewalls and NAT hosts). What do you do then? The simplest method is to "analyze the flow of packets"! By analyzing packet flow, we can understand how a connection should carry out its two-way exchange, and thereby clearly see where the problem may lie! Below we discuss tcpdump and graphical packet analysis software!


5.5.1 Text-mode packet capture tool: tcpdump

Frankly, as for tcpdump, you could even say this software is actually hacker software, because not only can it analyze packet flow, it can also "eavesdrop" on packet contents. If the data you transmit is in plaintext, oh dear, it may be intercepted on a router or hub! In the CSMA/CD process discussed in chapter two, didn't we mention so-called "sniffing software"? tcpdump is one! Very scary! So we should get to know this software too! (Note: tcpdump must be run as root)

………

 

To try to grasp it thoroughly, first learn what the "Sca" in Scapy stands for:

『S』timulus response 『c』apture 『a』nalysis

root@kali:~# scapy 
WARNING: No route found for IPv6 destination :: (no default route?)
                                      
                     aSPY//YASa       
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.0
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | We are in France, we say Skappee.
       scccccp///pSP///p          p//Y   | OK? Merci.
      sY/////////y  caa           S//P   |             -- Sebastien Chabal
       cayCyayP//Ya              pY/Ya   |
        sY/PsY////YCc          aC//Yp 
         sc  sccaCY//PCypaapyCP//YSs  
                  spCPY//////YPSps    
                       ccaacs         
                                       using IPython 5.8.0
>>>

 

That is what it "means"☆