
【速搜问答】What is Scapy?

Q&A · admin · 3 years ago (2020-08-18) · 548 views · indexed · 0 comments


Scapy is a packet manipulation tool for computer networks, written in Python by Philippe Biondi. It can forge or decode packets, send them on the wire, capture them, and match requests with replies. It can also handle tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery.

Scapy provides a Python interface to libpcap (WinPcap/Npcap on Windows), in the same way that Wireshark provides a capture and viewing GUI on top of it; on Linux it can also drive raw sockets directly, without libpcap. It can hand data to other programs for visualisation, including Wireshark for packet decoding, gnuplot for plots, and graphviz or VPython for graphical views.

Scapy has supported Python 3 since 2018 (Scapy 2.4.0 and later).

Kamene is an independent fork of Scapy. It was originally created, under the name scapy3k, to add Python 3 support to Scapy; in 2018 it was renamed Kamene and has continued to develop on its own.

Scapy is a Python program that lets the user send, sniff, dissect and forge network packets. These capabilities can be used to build tools that probe, scan or attack networks.

In other words, Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy easily handles most classical tasks like scanning, tracerouting, probing, unit tests, attacks and network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump and tshark.

Scapy also performs very well at a number of specific tasks that most other tools cannot handle, such as sending invalid frames, injecting your own 802.11 frames, and combining techniques (VLAN hopping plus ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, and so on).

The idea is simple. Scapy mainly does two things: send packets and receive answers. You define a set of packets; Scapy sends them, receives the answers, matches the answers with the requests, and returns a list of (request, answer) packet couples and a list of unmatched packets. This is a huge advantage over tools like Nmap and hping: an answer is not reduced to open/closed/filtered, it is the whole packet.

On top of this, higher-level functions can be built: for example one that does traceroutes and returns only the starting TTL of the request and the source IP of the answer, one that pings a whole network and gives the list of machines that answered, or one that does a port scan and returns a LaTeX report.

Why Scapy is special

First, with most other network tools you cannot build something the author did not imagine. These tools are built for a specific goal and cannot deviate much from it. For example, an ARP cache poisoning program will not let you use double 802.1q encapsulation, and it is hard to find a program that can send ICMP packets with padding (padding, not payload). In fact, every time you have a new need, you have to build a new tool.

Second, these tools confuse decoding with interpreting. Machines are good at decoding and can help humans with it; interpreting is better left to humans. Some programs try to mimic this behaviour: they say "this port is open" instead of "I received a SYN-ACK". Sometimes they are right, sometimes not. It is easier for beginners, but when you know what you are doing you keep trying to deduce what really happened from the program's interpretation in order to build your own tools, and that is hard, because a lot of information has been lost. You often end up using tcpdump -xX to decode and interpret what the tool missed.

Third, even programs that only decode do not give you all the information they receive. They show you the view of the network that their author thought was sufficient, but it is not complete, and it is biased. For example, do you know a tool that reports the Ethernet padding?

In fact, every time you run it you are building a new tool; but instead of dealing with a hundred-line C program, you write only a few lines of Scapy.

After a probe (or a scan, a traceroute, etc.), Scapy always gives you all the packets it saw, fully decoded, before any interpretation. This means you can probe once and interpret many times; you can, for instance, run a traceroute and then look at the padding of the packets.

Fast packet design

Other tools stick to the program-and-command-line paradigm, which leads to awful syntax for describing a packet. The solution these tools adopt is a higher-level but less powerful description, for the scenarios their author imagined. For example, in a port-scanning scenario the only parameter the scanner needs is the target IP address. Even if the scenario is tweaked a bit, you are still stuck with a port scan.

Scapy's approach is to propose a domain-specific language (DSL) that enables a powerful and fast description of any kind of packet. Using Python's syntax and interpreter as the DSL's syntax and interpreter has many advantages: there is no need to write a separate interpreter, users do not have to learn yet another language, and they benefit from a complete, concise and very powerful language.

Scapy lets the user describe a packet, or a set of packets, as a stack of layers. Each field of each layer has a useful, overridable default value. Scapy does not force users into predefined methods or templates, which removes much of the need to write a new tool for every new scenario. Describing a packet in C takes about 60 lines on average; with Scapy, the packets to send may need a single line of description plus one line to print the result. Ninety percent of network probing tools can be rewritten in two lines of Scapy.

Probe once, interpret many times

Network discovery is black-box testing. When probing a network, many stimuli are sent while only a few of them are answered. If the right stimuli are chosen, the desired information can be obtained from the responses, or from the lack of response. Unlike many other tools, Scapy gives all the information, that is, all the stimuli sent and all the responses received. Examining this data gives the user the information sought. When the data set is small, the user can simply look at it; in other cases, how the data is interpreted depends on the point of view. Most tools present only the content relevant to one point of view and discard the rest. Because Scapy gives the complete raw data, that data can be used many times, allowing the point of view to change during analysis. For example, a TCP port scan can be probed and the port-scan result displayed; the same data can then also be viewed for the TTL of the responses. A new probe is not needed; the point of view just changes over the data already collected.

Scapy decodes, it does not interpret

A common problem with network probing tools is that they try to interpret the answers they receive instead of just decoding them and giving the facts. Reporting something like "received a TCP Reset on port 80" is not subject to interpretation errors. Reporting "port 80 is closed" is an interpretation that is right most of the time, but wrong in some contexts the tool's author did not imagine. For instance, some scanners tend to report a TCP port as filtered when they receive an ICMP destination unreachable packet. This may be right, but in some cases it means the packet was not filtered by a firewall at all: there was simply no host to forward the packet to. The ICMP code makes the difference (code 1, host unreachable, versus code 13, administratively prohibited), and it is exactly the kind of detail a one-word verdict throws away.

Interpreting results can help users who do not know what a port scan is, but it can also do more harm than good, because it injects subjectivity into the results. Users who can interpret the results for themselves, that is, knowledgeable users, will try to reverse-engineer the tool's interpretation to get at the facts that triggered it. Unfortunately, a lot of information is lost on the way.


速搜资源网, all rights reserved. Unless otherwise noted, content is original; when reposting, cite the original link: 【速搜问答】What is Scapy?