January 22, 2019

Linux Scapy Guards Your Servers (part 2) - page 2

Building a Scapy Toolbox

  • December 2, 2010
  • By Paul Ferrill

Much of the discussion to this point has been defensive in nature. One way to go on the offensive is to generate traffic targeted at specific hosts to see what happens. This type of activity falls into the intrusion detection (ID) category. There are many commercial and open source tools that will perform this task but so will Scapy. See the secdev.org website for a good paper on how to use Scapy for this type of task.

Another offensive weapon is to actively scan for potential threats. One such scanning tool looks for rogue DHCP servers. The code to accomplish this is listed on the Scapy wiki. The two lines that do all the work look like this:

dhcp_discover = Ether(dst="ff:ff:ff:ff:ff:ff")/
ans, unans = srp(dhcp_discover, multi=True)

You could test these two lines out using the Scapy interactive prompt or incorporate into your own tool. What you should see as a response will be every Mac and IP address that identifies itself as a DHCP server. If you don't recognize any of the addresses, you may have a rogue DHCP server on your network. The Scapy wiki has a number of other examples of offensive tools that are worth your time to explore.

Wrapping Up

This article really just touches the surface of what you can do with Scapy. Hopefully, it will give you enough information to get started. Waiting until you have a problem to learn what to do about it is never a good idea.

Most Popular LinuxPlanet Stories