Spoof Packets in Scapy

Introduction

In this lab, you will learn how to spoof network packets using Scapy, a powerful Python-based packet manipulation tool. You'll explore practical techniques for crafting and sending custom TCP packets while analyzing the results with Wireshark.

The lab covers essential steps including Scapy installation, Python virtual environment setup, and packet spoofing operations. Through hands-on practice, you'll gain valuable insights into network traffic manipulation and security testing methodologies.

Skills Graph

Install Scapy

In this step, you will install Scapy, a powerful Python-based interactive packet manipulation tool used for network analysis and security testing. Scapy allows you to craft, send, and capture network packets with fine-grained control. Think of it like a Swiss Army knife for network packets - you can build any type of network packet you need.

Before we begin, let's make sure we're in the right working directory. The ~/project directory is where we'll be doing all our work:

cd ~/project

Now we'll install Scapy using Python's package manager pip. Pip is like an app store for Python packages - it downloads and installs software from the Python Package Index (PyPI):

pip install scapy

After installation completes, it's good practice to verify everything installed correctly. We'll do this by checking Scapy's version number. This confirms both that Scapy is installed and that Python can import it successfully:

python -c "import scapy; print(scapy.__version__)"

You should see output similar to this (your version number might be slightly different):

2.4.5

Finally, let's test Scapy's interactive mode. This is like a playground where you can experiment with packet crafting before writing full scripts. To enter the interactive shell:

python -m scapy

You'll know it's working when you see Scapy's command prompt (>>>). You can type exit() when you're ready to leave the interactive shell. Don't worry about exploring it now - we'll cover the interactive features in later steps.

Set Up a Python Environment

In this step, you'll create a dedicated workspace for your Scapy experiments using Python's virtual environment. Think of this like setting up a clean room where you can work without affecting other projects on your computer. Virtual environments help manage package versions and prevent conflicts between different Python projects.

1. First, let's make sure we're starting from the right location. This command navigates to the default working directory where we'll set up our project:

   cd ~/project

2. Now we'll create the virtual environment named scapy-env. This creates a new folder containing all the necessary Python files for an isolated environment:

   python -m venv scapy-env

3. To start using our new environment, we need to activate it. When active, you'll see (scapy-env) at the beginning of your terminal prompt, reminding you which environment you're working in:

   source scapy-env/bin/activate

4. Even though Scapy might be installed on your system already, we'll install it specifically for this environment. This ensures we have the exact version we need for this project:

   pip install scapy

5. Let's verify everything is set up correctly. This command shows all Python packages installed in our virtual environment. You should see scapy in the list, confirming it's ready for use:

   pip list

6. When you're finished working (though don't run this now as we'll use the environment in the next steps), you can deactivate the virtual environment to return to your normal system Python:

   deactivate

Craft a TCP Packet

In this step, you will use Scapy to create a basic TCP packet. Understanding how to construct network packets is essential for network analysis and security testing. We'll build a TCP packet layer by layer, which mimics how real network communication works.

1. First, ensure you're in the correct directory and your virtual environment is active. The virtual environment keeps your Python packages isolated:

   cd ~/project
   source scapy-env/bin/activate

2. Create a new Python script named craft_tcp.py. We'll use the nano text editor, but you can use any editor you prefer:

   nano craft_tcp.py

3. Add the following code to create a simple TCP packet. Let's break down what each part does:

   • The IP layer defines source and destination addresses
   • The TCP layer specifies ports and connection flags (SYN in this case)
   • The / operator combines these layers into a complete packet

   from scapy.all import *
   
   ## Create IP layer
   ip = IP(src="192.168.1.100", dst="192.168.1.1")
   
   ## Create TCP layer
   tcp = TCP(sport=1234, dport=80, flags="S")  ## SYN packet
   
   ## Combine layers to create packet
   packet = ip/tcp
   
   ## Display packet details
   packet.show()

4. Save the file (Ctrl+O, Enter, Ctrl+X in nano) and run it. The .show() method will display the packet structure:

   python craft_tcp.py

5. You should see output similar to this, showing all the packet fields. Notice how Scapy automatically fills some values while others remain None (they'll be calculated when sending):

   ###[ IP ]###
     version= 4
     ihl= None
     tos= 0x0
     len= None
     id= 1
     flags=
     frag= 0
     ttl= 64
     proto= tcp
     chksum= None
     src= 192.168.1.100
     dst= 192.168.1.1
     \options\
   ###[ TCP ]###
        sport= 1234
        dport= http
        seq= 0
        ack= 0
        dataofs= None
        reserved= 0
        flags= S
        window= 8192
        chksum= None
        urgptr= 0
        options= []

Send Spoofed Packets

In this step, you will modify your TCP packet script to send spoofed packets with a fake source IP address. This demonstrates how attackers can mask their origin in network communications. Spoofing is a common technique where the sender intentionally falsifies the source address in IP packets to conceal their identity or impersonate another system.

1. First, ensure you're in the correct directory and your virtual environment is active. The virtual environment keeps your Python packages isolated for this project:

   cd ~/project
   source scapy-env/bin/activate

2. Create a new Python script named send_spoofed.py. We'll use nano text editor which is simple for beginners:

   nano send_spoofed.py

3. Add the following code to send spoofed TCP packets. The code generates random IP addresses in private ranges (192.168.x.x and 10.x.x.x) which are safe for testing. The TCP packet is sent to Google's DNS server (8.8.8.8) on port 53 with SYN flag set:

   from scapy.all import *
   import random
   
   ## Spoofed source IP (using private IP range)
   spoofed_ip = f"192.168.{random.randint(1,254)}.{random.randint(1,254)}"
   
   ## Create and send packet
   packet = IP(src=spoofed_ip, dst="8.8.8.8")/TCP(dport=53, flags="S")
   send(packet, verbose=False)
   
   print(f"Sent spoofed TCP packet from {spoofed_ip} to 8.8.8.8")

4. Save the file (Ctrl+O, Enter, Ctrl+X in nano) and run it. The script will generate and send one spoofed packet:

   python send_spoofed.py

5. You should see output similar to this, showing the fake source IP that was generated:

   Sent spoofed TCP packet from 192.168.45.123 to 8.8.8.8

6. To send multiple packets and see different spoofed IPs in action, modify the script to include a loop. This sends 3 packets with different random source IPs from the 10.x.x.x range:

   for i in range(3):
       spoofed_ip = f"10.0.{random.randint(1,254)}.{random.randint(1,254)}"
       packet = IP(src=spoofed_ip, dst="8.8.8.8")/TCP(dport=53, flags="S")
       send(packet, verbose=False)
       print(f"Sent packet {i+1} from {spoofed_ip}")

Verify with Wireshark

In this step, you will use Wireshark to verify the spoofed packets you sent in the previous step. Wireshark is a powerful network protocol analyzer that allows you to capture and inspect network traffic in real-time. This verification process is crucial because it helps you confirm whether your spoofed packets are actually being transmitted on the network with the modified source IP addresses.

1. First, ensure you're in the correct directory and your virtual environment is active. The virtual environment contains all the necessary Python packages for this lab:

   cd ~/project
   source scapy-env/bin/activate

2. Install Wireshark in the LabEx VM. Wireshark isn't pre-installed, so we need to get it first:

   sudo apt-get update
   sudo apt-get install -y wireshark

3. Start Wireshark in the background. The '&' symbol allows you to continue using the terminal while Wireshark runs:

   wireshark &

4. In Wireshark's interface:

   • Select the active network interface (usually eth0) - this represents your network connection
   • Start packet capture by clicking the shark fin icon - this begins recording all network traffic
   • Apply a display filter: tcp.port == 53 - this filters the view to only show TCP traffic on port 53 (DNS port)

5. In a separate terminal, run your spoofed packet script again. This generates new traffic for Wireshark to capture:

   python send_spoofed.py

6. Observe the results in Wireshark:

   • You should see TCP SYN packets to port 53 - these are the connection initiation packets
   • Verify the source IP addresses match your spoofed IPs - confirming the spoofing worked
   • Note the TCP handshake attempts (SYN packets) - these show the connection attempts

7. To save the capture for later analysis:

   • Click File → Save
   • Save as spoofed_capture.pcap in ~/project - PCAP files contain the raw packet data for future reference

Summary

In this lab, you have learned how to install and configure Scapy for network packet manipulation in an isolated Python virtual environment. The process included setting up the environment, installing Scapy, and verifying its functionality through version checks and interactive testing.

You also gained practical experience in crafting TCP packets, sending spoofed packets to simulate network traffic, and analyzing results using Wireshark. These skills provide a foundation for network security testing and packet manipulation techniques.