#sf21veu
Scapy Turned 18
Boy They Grow Up Fast, Don’t They!
Guillaume Valadon
Quarkslab
Hello!
I am Guillaume Valadon
a network and security enthusiast.
I am here to share part of Scapy's history. So far,
it is only known by its maintainers.
You can find me at @guedou
Get the slides at
https://tknk.io/F5LN
What is Scapy?
In a Nutshell
simplified network interactions in Python
interactive shell & Python module
define a packet and send it with a single line
srp1(Ether() / IP(dst="sharkfesteurope.wireshark.org") / ICMP())
easily add a new protocol
define a list of fields to parse and construct a header
Batteries Included
PCAP manipulations
rdpcap() & wrpcap()
many supported protocols
802.11, IPv6, DNS, TLS, BLE, ZigBee, HTTP/2...
multi-platform
Linux, macOS, *BSD, Windows
$ git clone https://github.com/secdev/scapy
$ cd scapy/
$ sudo ./run_scapy
                     aSPY//YASa
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.5
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | We are in France, we say Skappee.
       scccccp///pSP///p          p//Y   | OK? Merci.
      sY/////////y  caa           S//P   |             -- Sebastien Chabal
       cayCyayP//Ya              pY/Ya   |
        sY/PsY////YCc          aC//Yp
         sc  sccaCY//PCypaapyCP//YSs
                  spCPY//////YPSps
>>>
>>> r, u = sr(IP(dst="8.8.8.0/24", ttl=3) / TCP(flags="R"))
>>> [p for p in r if not ICMP in p.answer]
Some Numbers
18 years old
developed by Philippe Biondi, since 2003
maintained by Gabriel, Guillaume & Pierre, since 2012
300 contributors
5 regular ones
50k PyPI installations per day
still a lot of Python2
Project Management
best effort
volunteer work only
our employers are really supportive
annual release
using master is recommended
Before Scapy
Forging Packets in C
complete control over packet manipulation
set any value in any field
hundreds of lines of code
read / parse & forge / send
routing, source address selection, checksum computation...
dnet & pcap libraries
simplified common tasks
code portability
hping
command-line based network interactions
hping3 --icmp sharkfesteurope.wireshark.org
Tcl scripting
hping3> hping send "ip(daddr=sharkfesteurope.wireshark.org)+icmp()"
pyrat.py
Scapy ancestor developed in January 2003
https://github.com/secdev/pyrat
validated ideas
protocol stacking
default values
simple packet injection
$ sudo python2.7 pyrat.py
Welcome to PyRat
>>> send(Ether() + ARP() + "pyrat was here!")
Scapy Concepts
Default Values
default packets always work
IP(dst="sharkfesteurope.wireshark.org") / TCP()
smart field values
80 for TCP.dport, 64 for IP.ttl ...
compute values automatically
IP & TCP checksums, source address selection, ...
Protocol Layers
stack layers with the / operator
DNS() / IPv6() / ARP()
each layer is a Packet object
list of fields and Python methods
class UDP(Packet):
    name = "UDP"
    fields_desc = [ShortEnumField("sport", 53, UDP_SERVICES),
                   ShortEnumField("dport", 53, UDP_SERVICES),
                   ShortField("len", None),
                   XShortField("chksum", None), ]
Build & Parse
raw() builds a Packet & converts it to bytes
data = raw(IP(ttl=42) / UDP())
each layer can parse itself
p = IP(data)
p.ttl == 42
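The Build & Parse idea in standard-library Python, as an added example that is not Scapy's own code: a miniature Packet class driven by a fields_desc list, the / stacking operator, a len field left at None and filled in at build time, and a parser that reads the header back from bytes. Field, Packet, UDP and raw() here are simplified stand-ins for the Scapy classes and functions of the same names, and the UDP checksum is left at 0 ("no checksum" for UDP over IPv4), where the real layer computes it from the IP pseudo-header.

```python
# Added illustration, not Scapy's own code: a standard-library sketch of the
# fields_desc idea. A layer is a list of field descriptors; build() packs
# them with struct and fills in fields left at None (UDP "len"), parse()
# reads the same list back, and "/" stacks layers like Scapy does.
import struct


class Field:
    """One header field: name, struct format character and default value."""

    def __init__(self, name, fmt, default):
        self.name, self.fmt, self.default = name, fmt, default
        self.size = struct.calcsize("!" + fmt)


class Packet:
    name = "Packet"
    fields_desc = []

    def __init__(self, _raw=None, **kwargs):
        # Every field starts at its default; keyword arguments override.
        self.fields = {f.name: f.default for f in self.fields_desc}
        self.payload = b""
        if _raw is not None:
            self.parse(_raw)
        self.fields.update(kwargs)

    def __getattr__(self, item):
        fields = self.__dict__.get("fields", {})
        if item in fields:
            return fields[item]
        raise AttributeError(item)

    def __truediv__(self, other):
        # Stacking: hang `other` (a Packet or raw bytes) below the innermost layer.
        layer = self
        while isinstance(layer.payload, Packet):
            layer = layer.payload
        layer.payload = other
        return self

    def post_build(self, header, payload):
        # Hook for fields that can only be computed once the payload is known.
        return header + payload

    def build(self):
        parts = []
        for f in self.fields_desc:
            value = self.fields[f.name]
            parts.append(struct.pack("!" + f.fmt, 0 if value is None else value))
        payload = self.payload.build() if isinstance(self.payload, Packet) else self.payload
        return self.post_build(b"".join(parts), payload)

    def parse(self, raw):
        # Each layer parses its own header and keeps the rest as payload.
        off = 0
        for f in self.fields_desc:
            (self.fields[f.name],) = struct.unpack_from("!" + f.fmt, raw, off)
            off += f.size
        self.payload = raw[off:]

    def __repr__(self):
        body = " ".join("%s=%r" % kv for kv in self.fields.items())
        tail = " / %r" % (self.payload,) if self.payload else ""
        return "<%s %s>%s" % (self.name, body, tail)


class UDP(Packet):
    name = "UDP"
    # Same layout as the real layer; chksum 0 means "no checksum" for UDP over
    # IPv4 (RFC 768). Scapy computes it from the IP pseudo-header when stacked.
    fields_desc = [Field("sport", "H", 53), Field("dport", "H", 53),
                   Field("len", "H", None), Field("chksum", "H", 0)]

    def post_build(self, header, payload):
        if self.fields["len"] is None:
            header = header[:4] + struct.pack("!H", len(header) + len(payload)) + header[6:]
        return header + payload


def raw(pkt):
    """Scapy-style helper: build a packet into bytes."""
    return pkt.build()


if __name__ == "__main__":
    data = raw(UDP(sport=1234) / b"hello")
    print(data.hex())        # 04d20035000d000068656c6c6f
    print(UDP(data))         # parsed back: len == 13, payload b"hello"
```

The point of the post_build hook is the one the slides make about "compute values automatically": a field set to None is a request to fill it in, an explicit value is kept as given, which is also how you forge a deliberately wrong length when testing a parser.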
Ease of Use
no external dependency
clone the repository and you're good to go
plenty of useful functions
sniff() - sniff packets
wireshark() - view packets in Wireshark
sr() - send & receive packets
hexdump() - hexadecimal view
Scapy Take-off
AnsweringMachine
opposite of sr()
wait for a packet and send an answer
simplify server / client interactions
simple DNS & DHCP daemons
ARP & NDP spoofing
from scapy.all import *
import time


class ProbeRequest_am(AnsweringMachine):
    function_name = "pram"
    mac = "00:11:22:33:44:55"

    def is_request(self, pkt):
        # only 802.11 probe requests are answered
        return Dot11ProbeReq in pkt

    def make_reply(self, req):
        rep = RadioTap()
        rep /= Dot11(addr1=req.addr2, addr2=self.mac, addr3=self.mac,
                     ID=RandShort(), SC=RandShort())
        rep /= Dot11ProbeResp(cap="ESS", timestamp=int(time.time()))
        rep /= Dot11Elt(ID="SSID", info="Scapy !")
        rep /= Dot11Elt(ID="Rates", info=b'\x82\x84\x0b\x16\x96')
        rep /= Dot11Elt(ID="DSset", info=chb(10))  # channel number as one byte
        return rep
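The request/reply contract behind an AnsweringMachine, in an added standard-library example that is not Scapy's code: the base class owns the loop and the subclass supplies is_request() and make_reply(), here for a tiny DNS A-record responder in the spirit of the "simple DNS daemon" use above. Packets are raw bytes, build_query() is a constructed client, the zone dictionary and the 192.0.2.10 answer are test data, and instead of sniffing and sending, reply_to() hands the reply bytes back to the caller so the whole exchange runs offline.

```python
# Added example, not Scapy's code: the AnsweringMachine pattern on raw bytes.
import struct


class AnsweringMachine:
    """Subclasses say which packets are requests and how to answer them;
    the base class runs one step of the sniff-and-answer loop."""

    def is_request(self, pkt):
        raise NotImplementedError

    def make_reply(self, req):
        raise NotImplementedError

    def reply_to(self, pkt):
        # Scapy would sniff pkt and send the reply; here we just return it.
        if self.is_request(pkt):
            return self.make_reply(pkt)
        return None


def read_qname(data, off):
    """Decode an uncompressed DNS name starting at off; return (name, next offset)."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


class DNSA_am(AnsweringMachine):
    """Answer A queries for names in `zone` (constructed {name: dotted IPv4});
    everything else gets NXDOMAIN, responses and malformed packets are ignored."""

    def __init__(self, zone):
        self.zone = {k.lower(): v for k, v in zone.items()}

    def is_request(self, pkt):
        if len(pkt) < 12:
            return False
        flags, qdcount = struct.unpack_from("!HH", pkt, 2)
        return flags & 0x8000 == 0 and qdcount == 1   # QR bit clear, one question

    def make_reply(self, req):
        txid = req[:2]                                 # echoed so the client can match it
        name, off = read_qname(req, 12)
        qtype, qclass = struct.unpack_from("!HH", req, off)
        question = req[12:off + 4]
        ip = self.zone.get(name.lower())
        if qtype != 1 or qclass != 1 or ip is None:
            # QR=1 RD=1 RA=1 rcode=3 (NXDOMAIN), no answer records
            return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
        rdata = bytes(int(x) for x in ip.split("."))
        # 0xc00c = compression pointer back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
        return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer


def build_query(txid, name, qtype=1):
    """Constructed client side: a standard query (RD set) with one question."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    am = DNSA_am({"sharkfesteurope.wireshark.org": "192.0.2.10"})  # RFC 5737 test address
    reply = am.reply_to(build_query(0x1234, "sharkfesteurope.wireshark.org"))
    print(reply.hex())
```

The split is what makes the pattern reusable: is_request() is the filter (here the QR bit and question count), make_reply() is pure packet construction, and the only thing Scapy adds around it is the sniff/send plumbing.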
IPv6
initial support in 2005
merged in 2008 in Scapy 2.0
many protocols implemented
NDP, DHCPv6, MIPv6, NIQ...
playground to learn & experiment
CVE-2007-4285 - Cisco IOS & XR crash with a Routing Header
RFC5095 - Deprecation of Type 0 Routing Headers in IPv6
UTScapy
regression tests needed
IPv6 broken several times during its development
modifying Scapy core impacts protocols
dedicated tool for Scapy campaigns
written in 2005 when pytest was released
Python code between markups
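What "Python code between markups" looks like in practice, as an added example (a minimal runner of my own, not UTScapy itself): a parser for the campaign format assuming the UTScapy conventions of % for the campaign title, + for a test set, = for a test, ~ for keywords and * for comments, with every other line being the Python of the current test, plus a runner that executes tests in one shared namespace and can skip tests by keyword. The CAMPAIGN text is constructed for the example and its last test fails on purpose.

```python
# Added example, not UTScapy itself: a minimal parser and runner for the
# "Python code between markups" campaign format. Assumed conventions:
# '%' campaign title, '+' test set, '=' test name, '~' keywords, '*' comment;
# every other line is Python belonging to the current test.


def parse_campaign(text):
    """Return a list of dicts {set, name, keywords, code} in file order."""
    tests, current_set, current = [], None, None
    for line in text.splitlines():
        tag, rest = line[:1], line[1:].strip()
        if tag in ("%", "*"):
            continue                          # title / free-text comment, nothing to run
        if tag == "+":
            current_set = rest
        elif tag == "=":
            current = {"set": current_set, "name": rest, "keywords": set(), "code": []}
            tests.append(current)
        elif tag == "~" and current is not None:
            current["keywords"].update(rest.split())
        elif current is not None:
            current["code"].append(line)      # plain Python line of the current test
    return tests


def run_campaign(text, skip_keywords=()):
    """Run every test in one shared namespace, as if typed into a single
    interactive session, so later tests can reuse earlier names. A test passes
    when its code raises nothing (its assert statements included)."""
    namespace, results = {}, {}
    for test in parse_campaign(text):
        if test["keywords"] & set(skip_keywords):
            results[test["name"]] = "skipped"
            continue
        try:
            exec("\n".join(test["code"]), namespace)
            results[test["name"]] = "passed"
        except Exception:                     # any exception fails just this test
            results[test["name"]] = "failed"
    return results


# Constructed campaign for this example; the last test fails on purpose.
CAMPAIGN = r"""
% Constructed UDP header campaign (not a real Scapy test file)

+ Header building

= Defaults are sane
~ udp
import struct
header = struct.pack("!HHHH", 53, 53, 8, 0)
assert len(header) == 8

= Length is big endian
~ udp
assert header[4:6] == b"\x00\x08"

* The next test would need a raw socket; skip it with skip_keywords=("needs_root",)
= Send on the wire
~ udp needs_root
raise RuntimeError("would open a raw socket here")

= Deliberately broken
~ udp
assert 1 == 2
"""


if __name__ == "__main__":
    for name, status in run_campaign(CAMPAIGN, skip_keywords=("needs_root",)).items():
        print("%-22s %s" % (name, status))
```

The shared namespace is deliberate: it mirrors how a campaign reads as one long interactive session, which is convenient for writing tests and is also why a failing early test can cascade into later ones.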
Automaton
define finite-state machines
states, conditions & actions
extend the question/answer model
examples: TCP, TFTP
Pipes
complex data management
sequence of inputs and outputs
many building blocks
sniff packets
transform packets
TCP listen & connect
from scapy.all import *

source = SniffSource(iface=conf.iface)
wire = WiresharkSink()

def transf(pkt):
    # rewrite the IP addresses of every sniffed IP packet
    if not pkt or IP not in pkt:
        return pkt
    pkt[IP].src = "1.1.1.1"
    pkt[IP].dst = "2.2.2.2"
    return pkt

source > TransformDrain(transf) > wire
p = PipeEngine(source)
p.start()
p.wait_and_stop()
traceroute()
typical TTL-based measurement with a twist
specify the IP payload
several targets at once
many visualizations
world map
3D representation
Scapy 2.0 - May 2008
split the 14000-line file
allow specific imports
simpler modifications & merges
directories hierarchy
arch - platform related code
layers - protocols on a 'typical' LAN
contrib - exotic protocols
$ tree -L 1 -d scapy/
scapy/
├── arch
├── asn1
├── contrib
├── crypto
├── layers
├── modules
└── tools

7 directories
Loss of Speed
fewer commits after 2010
Philippe was the only developer
contributions were difficult
no release during 3 years
self-hosting limits
switch to Bitbucket in 2013
easier contributions meant more contributors
significant maintenance effort
Commits History
[commit-history graph with release markers v2.2.0, v2.3.0 and v2.4.0]
Rebirth
GitHub
move from Bitbucket to GitHub in January 2016
and from Mercurial to git
many benefits
better project visibility
more contributors
GitHub ecosystem: Travis, AppVeyor, codecov, gitter...
Continuous Integration
first improvement after the GitHub migration
Linux, macOS & Windows with Travis and AppVeyor
run UTScapy unit tests automatically
catch bugs across Python versions & platforms
identify regressions
Python3
several constraints
Scapy 3.0 PoC, a Python3 rewrite
keep Python2 compatibility
tests only cover 50% of the code
divide & conquer
1. coverage - enhance code coverage
2. convergence - small Python3 related changes
PEP 8
no coding convention was enforced
confusing for new contributors
difficult to introduce new clean code
constraints
credit original authors
preserve git history
simplify reviews & avoid conflicts
TLS & X.509
up to TLS v1.3
sniff
encrypt / decrypt TLS messages
extract certificates
certificate manipulation
parse & display content
verify signatures
change values & resign
cert_sharkfesteu = Cert(pem2der(open("sharkfesteu.pem", "rb").read()))
cert_cloudflare = Cert(pem2der(open("cloudflare.pem", "rb").read()))
cert_sharkfesteu.isIssuerCert(cert_cloudflare)
Automotive
use Scapy for automotive pentests
biggest contribution to date
Swiss Army knife
from data-link to application layers: CAN, ISO-TP, OBD...
forge, sniff, MiTM...
Marketing
reaching out
logo by @BenRenaut
tutorials during conferences
gitter chat
documentation pyramid
concise README
IPython notebooks
scapy.readthedocs.io
Some Use Cases
Exploits
EXTRABACON
part of the NSA Vault7 leak
SNMP RCE on Cisco ASA
IPv6
CVE-2021-24086 & CVE-2019-5597 - fragment header
CVE-2020-25577 & CVE-2020-16898 - router advertisement
Recent Wireless Vulnerabilities
802.11
KrackAttacks
FragAttacks
BLE
SweynTooth
BLURtooth
Unit Tests
OS networking stacks
Linux
OpenBSD
FreeBSD
RIOT-OS
eBPF ecosystem
Facebook Katran
xpress-dns
Looking Ahead
improvements
Python type annotations
eBPF-based per process sniffing
question the Python2 support
experiments
Packet JIT
lazy parsing
Rust core
Questions?
Issues?
Pull Requests?