My l3g3nd

There is no spoon

Scapy - Network Enumeration (Part II)


It's been a while since I worked on this, but I have made some progress in the last few days. I have added the SYN scan functionality and also added a couple of lines of code to reduce the output on the terminal when the program is executed. I will explain those at the end of this post.

SYN Scan

In this script I have defined two functions, “synscan” and “synscan2”, to provide the ability to specify either a port range or specific ports to be scanned.

The synscan function is called when scanning a range of ports, e.g. 80-120. The function splits the argument at “-” and passes the two values as port and port2 to Scapy, which expands the (port, port2) tuple into one SYN probe per port. From here the Scapy library does its magic. A timeout of 0.5 sec has been added here so that the scan stops waiting when a host is not reachable for any reason, instead of waiting forever.

from scapy.all import sr, IP, TCP, RandShort
ans, uans = sr(IP(dst=host)/TCP(sport=RandShort(),dport=(port,port2),flags="S"),timeout=0.5)

Also, before working on the answered packets I added a check to see whether there are any answered packets at all. If there are none, it just displays “[-] Cannot get to {host}”.

if ans:
  # one line per reply: source IP, responding port, TCP flags (SA = SYN/ACK, RA = RST/ACK)
  ans.summary( lambda s_r: s_r[1].sprintf("%IP.src% \t %TCP.sport% \t %TCP.flags%") )
else:
  # nothing answered within the timeout
  print("[-] Cannot get to {0}...".format(host))

On the other hand, the synscan2 function is called when only specific ports need to be scanned. They can be specified comma-separated, like 80,120,3389. Similar to synscan, synscan2 has the 0.5 sec timeout and checks whether there are any answered packets before trying to dissect them.

from scapy.all import sr, IP, TCP, RandShort
# here port is the list of individual ports parsed from the comma-separated argument
ans, uans = sr(IP(dst=host)/TCP(sport=RandShort(),dport=port,flags="S"),timeout=0.5)
if ans:
  ans.summary( lambda s_r: s_r[1].sprintf("%IP.src% \t %TCP.sport% \t %TCP.flags%") )
else:
  print("[-] Cannot get to {0}...".format(host))

I have updated the networkenum.py program and added a new file, syn_scan.py, to my GitHub repo. As a reminder, syn_scan.py should be able to run on its own without the networkenum.py main program.

Suppressing Excessive Output on Terminal

After getting annoyed by output such as the following, I did some research and figured out how to suppress these messages. Thanks to the folks at Infosec Institute.

Begin emission:..............................Finished to send 1 packets.

AND

WARNING: Mac address to reach destination not found. Using broadcast.

To suppress these messages, set conf.verb=0, which removes messages such as “Begin emission:……Finished to send 1 packets”, and add logging.getLogger("scapy.runtime").setLevel(logging.ERROR) to remove messages such as “WARNING: Mac address to reach destination not found. Using broadcast”.

This is how the script can be called from the networkenum.py program:

root@kali:~# sudo python networkenum.py -S  192.168.1.23 445-450
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.1.23   microsoft_ds    SA
192.168.1.23   446     RA
192.168.1.23   447     RA
192.168.1.23   448     RA
192.168.1.23   449     RA
192.168.1.23   450     RA

root@kali:~# sudo python networkenum.py -S  192.168.1.23 445,3389
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.1.23   microsoft_ds    SA
192.168.1.23   3389    SA
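As an added example, not code from the blog or its GitHub repo, the helpers below gather the three pieces this post relies on: parsing the port argument (a range such as 445-450, a comma list such as 445,3389, or a mix of both, which goes beyond the post's two separate functions), classifying the TCP flags that the summary lines print (SA is SYN/ACK, an open port; RA is RST/ACK, a closed port; no reply within the timeout is counted as filtered), and the output-suppression settings from the previous section. The function names, the SERVICE_PORTS table (Scapy's sprintf substitutes names such as microsoft_ds for well-known ports, as in the output above) and the SAMPLE_OUTPUT lines are assumptions or constructed data; only syn_scan() needs Scapy and raw-socket privileges, and it is not called on import, so the parsing and classification run offline.

```python
import logging
import re


def parse_ports(spec):
    """Turn '445-450', '445,3389' or a mix such as '22,80-82' into a sorted
    list of distinct ports. The post handles ranges and comma lists in two
    separate functions; this accepts both forms in one argument."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError("range start exceeds end: %s" % item)
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    bad = sorted(p for p in ports if not 0 < p < 65536)
    if bad:
        raise ValueError("port(s) out of range: %s" % bad)
    return sorted(ports)


def classify_flags(flags):
    """Map the flags of a reply to a SYN probe onto a port state:
    anything carrying RST ('RA') is closed, SYN/ACK ('SA') is open."""
    f = set(flags)
    if "R" in f:
        return "closed"
    if "S" in f and "A" in f:
        return "open"
    return "unknown"


# Scapy's sprintf prints service names for well-known ports (the output above
# shows microsoft_ds for 445). Constructed table: only what the sample needs.
SERVICE_PORTS = {"microsoft_ds": 445}

# One line of the post's summary format: "<src ip> \t <sport> \t <flags>"
SUMMARY_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)$")


def parse_summary(lines, probed):
    """Parse lines shaped like the post's ans.summary() output and return
    {port: state}; probed ports with no matching line are reported as filtered."""
    states = {}
    for line in lines:
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue  # warnings and blank lines are skipped
        _, sport, flags = m.groups()
        port = int(sport) if sport.isdigit() else SERVICE_PORTS.get(sport)
        if port is None:
            continue  # unknown service name, nothing to map it to
        states[port] = classify_flags(flags)
    for p in probed:
        states.setdefault(p, "filtered")
    return states


def syn_scan(host, spec, timeout=0.5):
    """One SYN per port via Scapy, like the post's synscan/synscan2, with the
    post's output suppression applied. Needs Scapy and raw-socket privileges;
    this function is not exercised offline."""
    # Set the level before importing: the IPv6 route warning is logged while
    # scapy.all is being imported, so a setLevel() placed after it misses it.
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    from scapy.all import conf, sr, IP, TCP, RandShort
    conf.verb = 0  # no "Begin emission ... Finished to send" progress lines
    ports = parse_ports(spec)
    ans, _ = sr(IP(dst=host) / TCP(sport=RandShort(), dport=ports, flags="S"),
                timeout=timeout)
    states = {}
    for _, reply in ans:  # (sent, received) pairs
        states[reply[TCP].sport] = classify_flags(str(reply[TCP].flags))
    for p in ports:
        states.setdefault(p, "filtered")
    return states


# Constructed lines in the shape of the scan output shown above.
SAMPLE_OUTPUT = [
    "WARNING: No route found for IPv6 destination :: (no default route?)",
    "192.168.1.23   microsoft_ds    SA",
    "192.168.1.23   446     RA",
    "192.168.1.23   447     RA",
]

if __name__ == "__main__":
    print(parse_ports("445-450"), parse_ports("445,3389"))
    print(parse_summary(SAMPLE_OUTPUT, parse_ports("445-448")))
```

The post's else branch prints “Cannot get to host” whenever nothing answers, which also happens when the host is up but every probe is dropped, so parse_summary() reports unanswered ports as filtered instead of folding them into an unreachable host. Setting the scapy.runtime log level before the import is what makes a difference for the “No route found for IPv6 destination” line that still appears in the output above: it is logged while scapy.all is being imported, so a setLevel() call placed after the import does not silence it.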
