
Packet Manipulation with Scapy on OS X

Scapy is a (mostly) cross-platform packet manipulation tool. It lets you craft and edit packets and then send them to other hosts over a raw socket. This is incredibly useful for, for example, capturing a packet sent to you, manipulating the payload, and passing the packet on to another host. This is a pretty common, albeit slightly more advanced, method of security testing. Installing Scapy is a pretty straightforward process, if a bit more time-consuming than installing something from a standard package.

Before you get started, make sure you have the OS X Developer Tools installed from the Mac App Store. Also, make sure you have MacPorts installed from https://www.macports.org/install.php. You’ll also need pylibpcap, as with most packet manipulation tools, so install that from http://sourceforge.net/projects/pylibpcap/. Then there are some dependencies we’ll grab from MacPorts:

port selfupdate
port upgrade outdated
port install py27-libdnet
port install libdnet

Next, download Scapy from http://www.secdev.org/projects/scapy/. Once downloaded, cd into the Scapy directory:

cd ~/Downloads/scapy-*

Then run the Python installer:

sudo python setup.py install

Once installed, start Scapy with:

sudo scapy

Next, we’ll read a pcap file with rdpcap(). The path in the example below is the one from the Scapy documentation; substitute the path to your own capture (I have mine at ~/Documents/mypcap):

>>> a=rdpcap("/spare/captures/isakmp.cap")
>>> a

You can also build a custom packet, using

>>> a=IP(ttl=10)
>>> a
<IP  ttl=10 |>
>>> a.src
'192.168.210.10'
>>> a.dst="192.168.210.11"
>>> a
<IP  ttl=10 dst=192.168.210.11 |>
>>> a.src
'192.168.210.10'
>>> del(a.ttl)
>>> a
<IP  dst=192.168.210.11 |>
>>> a.ttl
64

So far, very basic. We’ve read a packet and we’ve created a packet. Use send() to send a packet:

>>> send(IP(dst="192.168.210.11")/ICMP())

You can also wrap a layer in fuzz() to randomise every field you haven’t set explicitly, which is the starting point for fuzzing, and use sr1() instead of send() to send a packet and return the first response, so you can inspect what came back.
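
The session above and the fuzz() idea in the last sentence lean on Scapy’s own machinery. What follows is an added example, not code from Scapy or from the original post, that does the same three things in plain Python so you can see what rdpcap(), IP() and fuzz() are doing underneath: build an IPv4 header with Scapy’s default ttl of 64, write it into a pcap image in memory, read it back and decode the fields (checking the header checksum on the way), and randomise whichever fields you did not pin down. The capture, the addresses and the ICMP payload are constructed for the example; fuzz_ipv4 is a simplified stand-in that keeps src fixed, whereas Scapy’s fuzz() randomises every field you leave unset.

```python
import io
import random
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
DLT_RAW = 101          # link-layer type: bare IPv4 packets, no Ethernet header
IPPROTO_ICMP = 1


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, used by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, tos=0, ident=0):
    """20-byte IPv4 header (no options) plus payload. ttl defaults to 64,
    the value Scapy reports once an explicit ttl is deleted."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + payload


def icmp_echo(kind=8, ident=1, seq=1, data=b"scapy"):
    """ICMP echo (type 8 = request, 0 = reply), like the ICMP() layer in the text."""
    hdr = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", ip_checksum(hdr)) + hdr[4:]


def parse_ipv4(pkt):
    """Decode the fields Scapy exposes as attributes (a.ttl, a.src, a.dst ...)."""
    (vihl, tos, tlen, ident, _frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"version": vihl >> 4, "tos": tos, "len": tlen, "id": ident,
            "ttl": ttl, "proto": proto, "chksum": csum,
            # the one's-complement sum over a valid header folds to zero
            "chksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": pkt[ihl:tlen]}


def fuzz_ipv4(dst, payload, seed=None, **fixed):
    """Simplified fuzz(): fields you set are kept, the rest are drawn at random
    (src stays fixed here, unlike Scapy). A seed makes the draw reproducible."""
    rng = random.Random(seed)
    return build_ipv4(src=fixed.get("src", "192.168.210.10"), dst=dst,
                      proto=fixed.get("proto", IPPROTO_ICMP), payload=payload,
                      ttl=fixed.get("ttl", rng.randrange(1, 256)),
                      tos=fixed.get("tos", rng.randrange(256)),
                      ident=fixed.get("ident", rng.randrange(65536)))


def write_pcap(records):
    """Serialise (timestamp, packet) pairs into a pcap file image in memory."""
    buf = io.BytesIO()
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    buf.write(struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_RAW))
    for ts, pkt in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        buf.write(struct.pack("!IIII", sec, usec, len(pkt), len(pkt)))
        buf.write(pkt)
    return buf.getvalue()


def rdpcap_minimal(data):
    """Read a DLT_RAW pcap back, like rdpcap(): check the magic, honour byte order."""
    magic = struct.unpack("!I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "!"
    elif magic == 0xD4C3B2A1:
        end = "<"          # same file written by a little-endian host
    else:
        raise ValueError("not a pcap file: magic %#x" % magic)
    if struct.unpack(end + "I", data[20:24])[0] != DLT_RAW:
        raise ValueError("this reader only decodes DLT_RAW (raw IPv4) captures")
    out, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        out.append((sec + usec / 1e6, parse_ipv4(data[off:off + incl])))
        off += incl
    return out


# Constructed sample capture: an echo request and a ttl=10 reply, standing in
# for the isakmp.cap / ~/Documents/mypcap file mentioned in the text.
SAMPLE_PCAP = write_pcap([
    (1.5, build_ipv4("192.168.210.10", "192.168.210.11", IPPROTO_ICMP, icmp_echo())),
    (2.25, build_ipv4("192.168.210.11", "192.168.210.10", IPPROTO_ICMP,
                      icmp_echo(kind=0), ttl=10)),
])

if __name__ == "__main__":
    for ts, f in rdpcap_minimal(SAMPLE_PCAP):
        print("%.2f %s -> %s ttl=%d proto=%d checksum_ok=%s"
              % (ts, f["src"], f["dst"], f["ttl"], f["proto"], f["chksum_ok"]))
    fz = parse_ipv4(fuzz_ipv4("192.168.210.11", icmp_echo(), seed=7))
    print("fuzzed: dst=%s ttl=%d tos=%d id=%d" % (fz["dst"], fz["ttl"], fz["tos"], fz["id"]))
```

Written to disk, SAMPLE_PCAP is an ordinary pcap file, so the same bytes can be opened with rdpcap() in the Scapy session above and compared field by field; the chksum_ok flag is the check worth keeping in mind when you start editing captured packets, because any field you change invalidates the header checksum until it is recomputed.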