Scapy study notes (1): installing scapy on Win10, viewing network interfaces, viewing routes


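Table of contents

  • 1 Introduction to scapy
  • 2 Installing and running scapy
  • 3 Viewing the current network configuration
    • 3.1 conf overview
    • 3.2 Viewing network interfaces and routes
      • 3.2.1 Viewing network interfaces
      • 3.2.2 Viewing routes
      • 3.2.3 Viewing the default network interface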

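1 Introduction to scapy
scapy is a library written in Python for manipulating TCP/IP packets. It covers most of the main features of wireshark, such as packet capture, ping, traceroute, sniffing and scanning. Because it also lets you assemble the contents of TCP/IP packets as you wish, or create them from nothing, it can implement some attack functionality as well, and it can be ported to run on any platform.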
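2 Installing and running scapy
The scapy website has an installation tutorial, so it is not repeated here. It is recommended to install Scapy's basic package inside a venv virtual environment so that the main python environment is not affected. This article uses windows10 + python3.7 with the scapy 2.4.3 basic package installed. Using scapy on windows also requires the npcap software to be installed.
Run activate under venv\Scripts to enter the virtual environment, then run scapy.
The INFO errors in the figure concern scapy's additional features, which depend on some third-party packages; leaving those uninstalled does not affect scapy's core functionality.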
[Article image]

scapy's default theme is too dark; switching to a bright one is recommended:
    conf.color_theme = BrightTheme()

Default theme:
[Article image]

BrightTheme theme:
[Article image]

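3 Viewing the current network configuration
venv/Lib/site-packages/scapy/config.py contains a Conf class that stores scapy's most important settings, such as the scapy version, theme colour, network interfaces, routes, whether npcap is used, and which commands are available in the scapy interactive environment. In the interactive environment you can type conf directly to see them.
3.1 conf overview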
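    Command          Purpose
    conf             Show all conf settings
    conf.iface       Main network interface
    conf.route       Get the main route
    conf.commands    Set of commands available in the interactive environment
    lsc()            Same as conf.commands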
Details:
conf is an instance of the Conf class:
    >>> type(conf)
    scapy.config.Conf

The Conf class holds a large number of settings; some of them are shown below:
    >>> conf
    ASN1_default_codec = 
    AS_resolver = 
    L2socket = 
    L3socket = 
    L3socket6 = functools.partial(

Current main network interface, conf.iface:
    >>> conf.iface

Current routing table, conf.route (partial):
    >>> conf.route
    Network       Netmask          Gateway         Iface                                       Output IP      Metric
    0.0.0.0       0.0.0.0          25.255.255.254  ZeroTier One Virtual Port                   172.28.33.102  10034
    0.0.0.0       0.0.0.0          10.11.91.254    Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   25
    10.11.91.0    255.255.255.0    0.0.0.0         Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   281
    10.11.91.161  255.255.255.255  0.0.0.0         Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   281
    10.11.91.255  255.255.255.255  0.0.0.0         Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   281
    127.0.0.0     255.0.0.0        0.0.0.0         Npcap Loopback Adapter                      127.0.0.1      281
    127.0.0.1     255.255.255.255  0.0.0.0         Npcap Loopback Adapter                      127.0.0.1      281

Commands available in the interactive environment, conf.commands (or type lsc()):
    >>> conf.commands
    IPID_count: Identify IP id values classes in a list of packets
    arpcachepoison: Poison target's cache with (your MAC,victim's IP) couple
    arping: Send ARP who-has requests to determine which hosts are up
    arpleak: Exploit ARP leak flaws, like NetBSD-SA2017-002.
    bind_layers: Bind 2 layers on some specific fields' values.
    bridge_and_sniff: Forward traffic between interfaces if1 and if2, sniff and return
    chexdump: Build a per byte hexadecimal representation
    computeNIGroupAddr: Compute the NI group Address. Can take a FQDN as input parameter
    corrupt_bits: Flip a given percentage or number of bits from a string
    corrupt_bytes: Corrupt a given percentage or number of bytes from a string
    defrag: defrag(plist) -> ([not fragmented], [defragmented],
    defragment: defragment(plist) -> plist defragmented as much as possible
    dhcp_request: Send a DHCP discover request and return the answer
    dyndns_add: Send a DNS add message to a nameserver for "name" to have a new "rdata"
    dyndns_del: Send a DNS delete message to a nameserver for "name"
    etherleak: Exploit Etherleak flaw
    explore: Function used to discover the Scapy layers and protocols.
    fletcher16_checkbytes: Calculates the Fletcher-16 checkbytes returned as 2 byte binary-string.
    fletcher16_checksum : Calculates Fletcher-16 checksum of the given buffer.
    fragleak: --
    fragleak2: --
    fragment: Fragment a big IP datagram
    fuzz:
    getmacbyip: Return MAC address corresponding to a given IP address
    getmacbyip6: Returns the MAC address corresponding to an IPv6 address
    hexdiff: Show differences between 2 binary strings
    hexdump: Build a tcpdump like hexadecimal view
    hexedit: Run hexedit on a list of packets, then return the edited packets.
    hexstr: Build a fancy tcpdump like hex from bytes.
    import_hexcap: Imports a tcpdump like hexadecimal view
    is_promisc: Try to guess if target is in Promisc mode. The target is provided by its ip.
    linehexdump: Build an equivalent view of hexdump() on a single line
    ls: List available layers, or infos on a given layer class or name.
    neighsol: Sends and receive an ICMPv6 Neighbor Solicitation message
    overlap_frag: Build overlapping fragments to bypass NIPS
    promiscping: Send ARP who-has requests to determine which hosts are in promiscuous mode
    rdpcap: Read a pcap or pcapng file and return a packet list
    report_ports: portscan a target and output a LaTeX table
    restart: Restarts scapy
    send: Send packets at layer 3
    sendp: Send packets at layer 2
    sendpfast: Send packets at layer 2 using tcpreplay for performance
    sniff:
    split_layers: Split 2 layers previously bound.
    sr: Send and receive packets at layer 3
    sr1: Send packets at layer 3 and return only the first answer
    sr1flood: Flood and receive packets at layer 3 and return only the first answer
    srbt: send and receive using a bluetooth socket
    srbt1: send and receive 1 packet using a bluetooth socket
    srflood: Flood and receive packets at layer 3
    srloop: Send a packet at layer 3 in loop and print the answer each time
    srp: Send and receive packets at layer 2
    srp1: Send and receive packets at layer 2 and return only the first answer
    srp1flood: Flood and receive packets at layer 2 and return only the first answer
    srpflood: Flood and receive packets at layer 2
    srploop: Send a packet at layer 2 in loop and print the answer each time
    tcpdump: Run tcpdump or tshark on a list of packets.
    tdecode:
    traceroute: Instant TCP traceroute
    traceroute6: Instant TCP traceroute using IPv6
    traceroute_map: Util function to call traceroute on multiple targets, then
    tshark: Sniff packets and print them calling pkt.summary().
    wireshark:
    wrpcap: Write a list of packets to a pcap file

3.2 Viewing network interfaces and routes
3.2.1 Viewing network interfaces
    Command                             Purpose
    get_windows_if_list()               Get all network interfaces
    IFACES / ifaces                     Global variable built from get_windows_if_list()
    IFACES.reload() / ifaces.reload()   Refresh IFACES when the interfaces change
Details:
In venv/Lib/site-packages/scapy/arch/windows/__init__.py, get_windows_if_list() returns the list of network interfaces:
    >>> get_windows_if_list()
    [{'name': '有线网', 'win_index': 27,
      'description': 'Intel(R) Ethernet Connection (5) I219-V #2',
      'guid': '{XX}', 'mac': 'xx:xx:xx:xx:xx:xx',
      'ipv4_metric': 25, 'ipv6_metric': 25,
      'ips': ['fe80::XXXX:XXXX:XXXX:XXXX', '10.11.91.161']},
     {'name': 'Npcap Loopback Adapter', 'win_index': 22,
      'description': 'Npcap Loopback Adapter',
      'guid': '{XX}', 'mac': 'xx:xx:xx:xx:xx:xx',
      'ipv4_metric': 25, 'ipv6_metric': 25,
      'ips': ['fe80::XXXX:XXXX:XXXX:XXXX', '169.254.140.26']},
     {'name': 'Wifi', 'win_index': 31,
      'description': 'Intel(R) Dual Band Wireless-AC 8265 #2',
      'guid': '{XX}', 'mac': 'xx:xx:xx:xx:xx:xx',
      'ipv4_metric': 25, 'ipv6_metric': 25,
      'ips': ['fe80::XXXX:XXXX:XXXX:XXXX', '169.254.62.191']}]

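NetworkInterfaceDict wraps the result of get_windows_if_list() in NetworkInterface objects, and windows/__init__.py initialises it as follows, so the interface list can be viewed through IFACES or ifaces:
    IFACES = ifaces = NetworkInterfaceDict()  # the no-argument constructor of NetworkInterfaceDict holds no useful information
    IFACES.load()  # this is what actually loads the local interfaces, so if the interface list changes you have to call ifaces.reload() again by hand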

    >>> ifaces
    INDEX  IFACE                                        IP               MAC
    27     Intel(R) Ethernet Connection (5) I219-V #2   10.11.91.161     XXX
    22     Npcap Loopback Adapter                       127.0.0.1        00:00:00:00:00:00
    18     SVN Adapter V1.0                             169.254.112.118  XXX
    29     Microsoft Wi-Fi Direct Virtual Adapter #3    169.254.173.211  XXX
    6      Microsoft Wi-Fi Direct Virtual Adapter #4    169.254.192.230  XXX
    21     Bluetooth Device (Personal Area Network) #2  169.254.227.190  XXX
    17     TAP-Windows Adapter V9                       169.254.26.68    XXX
    31     Intel(R) Dual Band Wireless-AC 8265 #2       169.254.62.191   XXX
    14     ZeroTier One Virtual Port                    172.28.33.102    XXX
    10     VMware Virtual Ethernet Adapter for VMnet8   192.168.15.1     XXX
    23     VMware Virtual Ethernet Adapter for VMnet1   192.168.220.1    XXX
    -2     [Unknown] NdisWan Adapter                    None             ff:ff:ff:ff:ff:ff
    -3     [Unknown] NdisWan Adapter                    None             ff:ff:ff:ff:ff:ff
    -1     [Unknown] NdisWan Adapter                    None             ff:ff:ff:ff:ff:ff

If the interface list changes while scapy is in use, ifaces.reload() has to be called manually:
    class NetworkInterfaceDict(UserDict):
        def reload(self):
            """Reload interface list"""
            self.restarted_adapter = False
            self.data.clear()
            if conf.use_pcap:
                # Reload from Winpcapy
                from scapy.arch.pcapdnet import load_winpcapy
                load_winpcapy()
            self.load()  # reload ends up re-loading the interface list by calling load
            # Reload conf.iface
            conf.iface = get_working_if()  # reload also refreshes the default interface; this currently has a problem, see section 3.2.3

3.2.2 Viewing routes
    Command                                 Purpose
    read_routes()                           View the IPv4 routes
    Route()                                 Wrapper around read_routes()
    conf.route                              Global Route object
    conf.route.route(dst="www.baidu.com")   Get the route to Baidu; with dst=None it returns the default route
    conf.route.resync()                     Refresh conf.route when the network has changed
In venv/Lib/site-packages/scapy/arch/windows/__init__.py, read_routes() returns the IPv4 routes:
    >>> read_routes()
    [(0,                // dest, shown in decimal
      0,                // netmask, shown in decimal
      '10.11.91.254',   // nexthop
      ,                 // iface
      '10.11.91.161',   // ip
      25),              // metric
     (0, 0, '25.255.255.254', , '172.28.33.102', 10034),
     (168516352, 4294967040, '0.0.0.0', , '10.11.91.161', 281)]

venv/Lib/site-packages/scapy/route.py wraps the IPv4 route command in the Route class:
    class Route:
        def __init__(self):
            self.resync()

        def resync(self):
            from scapy.arch import read_routes
            self.invalidate_cache()
            self.routes = read_routes()

    >>> Route()
    Network       Netmask          Gateway         Iface                                       Output IP      Metric
    0.0.0.0       0.0.0.0          10.11.91.254    Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   25
    0.0.0.0       0.0.0.0          25.255.255.254  ZeroTier One Virtual Port                   172.28.33.102  10034
    10.11.91.0    255.255.255.0    0.0.0.0         Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   281
    10.11.91.161  255.255.255.255  0.0.0.0         Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   281

conf.route is initialised to Route(); if the network changes, conf.route.resync() has to be called manually to refresh the routes:
    conf.route = Route()

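3.2.3 Viewing the default network interface
    Command               Purpose
    conf.route.resync()   Refresh the routes
    conf.iface            conf.iface = conf.route.route('0.0.0.0')[0], the interface of the default route
Details:
conf.iface is initialised as conf.iface = iface = conf.route.route(None, verbose=0)[0]; if the interfaces change afterwards, it has to be set manually:
    conf.route.resync()  # this step is required: conf.route must be refreshed first
    conf.iface = conf.route.route(None, verbose=0)[0]  # take the interface of the default route from conf.route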

Or set it manually with the dev_from_index(INDEX) method of ifaces:
    >>> ifaces
    INDEX  IFACE                                        IP               MAC
    27     Intel(R) Ethernet Connection (5) I219-V #2   10.11.91.161     XXX
    22     Npcap Loopback Adapter                       127.0.0.1        00:00:00:00:00:00
    18     SVN Adapter V1.0                             169.254.112.118  XXX
    29     Microsoft Wi-Fi Direct Virtual Adapter #3    169.254.173.211  XXX
    6      Microsoft Wi-Fi Direct Virtual Adapter #4    169.254.192.230  XXX
    21     Bluetooth Device (Personal Area Network) #2  169.254.227.190  XXX
    17     TAP-Windows Adapter V9                       169.254.26.68    XXX
    31     Intel(R) Dual Band Wireless-AC 8265 #2       169.254.62.191   XXX
    14     ZeroTier One Virtual Port                    172.28.33.102    XXX
    10     VMware Virtual Ethernet Adapter for VMnet8   192.168.15.1     XXX
    23     VMware Virtual Ethernet Adapter for VMnet1   192.168.220.1    XXX
    -2     [Unknown] NdisWan Adapter                    None             ff:ff:ff:ff:ff:ff
    -3     [Unknown] NdisWan Adapter                    None             ff:ff:ff:ff:ff:ff
    -1     [Unknown] NdisWan Adapter                    None             ff:ff:ff:ff:ff:ff
    >>> conf.iface=ifaces.dev_from_index(27)

PS:
scapy also has a function get_working_if() that returns a network interface. In most cases it works, but when several routes have a mask of 0.0.0.0 it may return the wrong result, because the function takes the interface of the route with the smallest netmask in the routing table. Below it returns the ZeroTier virtual interface; for the cause, see "Analysis of why scapy get_working_if() cannot get the correct network interface on win10".
    >>> Route()
    Network       Netmask          Gateway         Iface                                       Output IP      Metric
    0.0.0.0       0.0.0.0          10.11.91.254    Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   25
    0.0.0.0       0.0.0.0          25.255.255.254  ZeroTier One Virtual Port                   172.28.33.102  10034
    10.11.91.0    255.255.255.0    0.0.0.0         Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   281
    10.11.91.161  255.255.255.255  0.0.0.0         Intel(R) Ethernet Connection (5) I219-V #2  10.11.91.161   281
    >>> get_working_if()

    def get_working_if():
        try:
            iface = min(conf.route.routes, key=lambda x: x[1])[3]  # there is a problem here, see https://blog.csdn.net/austin1000/article/details/100775993
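The selection problem described in the PS, as an added example (not scapy's code and not from the original post): it compares the smallest-netmask rule with a longest-prefix lookup that breaks ties by metric. ROUTES is a constructed sample built from the tables on this page, and dotted, iface_by_min_netmask and lookup are hypothetical helper names.

```python
import ipaddress

# Constructed sample in the (dest, netmask, gateway, iface, output_ip, metric)
# layout shown for read_routes() above. Values come from the tables on this
# page; interface objects are replaced by description strings (an assumption).
INTEL = "Intel(R) Ethernet Connection (5) I219-V #2"
ROUTES = [
    (0, 0, "25.255.255.254", "ZeroTier One Virtual Port", "172.28.33.102", 10034),
    (0, 0, "10.11.91.254", INTEL, "10.11.91.161", 25),
    (168516352, 4294967040, "0.0.0.0", INTEL, "10.11.91.161", 281),
    (2130706432, 4278190080, "0.0.0.0", "Npcap Loopback Adapter", "127.0.0.1", 281),
]


def dotted(value):
    """Convert the decimal dest/netmask of a route tuple to dotted quad."""
    return str(ipaddress.IPv4Address(value))


def iface_by_min_netmask(routes):
    """Rule quoted in the PS: take the route with the smallest netmask.

    min() returns the first minimal element, so when two routes share
    netmask 0 the result depends only on list order, not on the metric.
    """
    return min(routes, key=lambda r: r[1])[3]


def lookup(routes, dst="0.0.0.0"):
    """Longest-prefix match with the lowest metric as tie-breaker.

    Returns (iface, output_ip, gateway) for an IPv4 literal; the default
    dst selects among the default routes.
    """
    d = int(ipaddress.IPv4Address(dst))
    matches = [r for r in routes if (d & r[1]) == (r[0] & r[1])]
    if not matches:
        raise LookupError("no route to " + dst)
    best = min(matches, key=lambda r: (-r[1], r[5]))
    return best[3], best[4], best[2]


if __name__ == "__main__":
    print(dotted(ROUTES[2][0]), dotted(ROUTES[2][1]))
    print("min netmask  :", iface_by_min_netmask(ROUTES))
    print("prefix+metric:", lookup(ROUTES)[0])
    print("10.11.91.7   :", lookup(ROUTES, "10.11.91.7"))
```

With this list order the smallest-netmask rule picks the ZeroTier interface even though its metric is 10034, while the metric-aware lookup picks the Intel interface with metric 25.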
