I’ve been working on becoming more fluent using Scapy and as a result, I’m picking up Python. Totally by accident. It turns out, I’m growing pretty fond of it. It’s got its quirks, but it’s pretty straightforward.
Anyway, here’s one of the first things that I wrote in it. It broadcasts a DHCP Discover packet onto the network and then sniffs for the reply. Because the client has no address yet, the DHCP server answers with a DHCP Offer sent to the broadcast address, and that Offer carries all sorts of useful information: the server that made the offer, the subnet mask, default router, name servers, domain name and lease time.
There’s nothing terribly special about this script, but it can be used to learn things about a network that you’ve just connected to, and it can also be used to listen for rogue DHCP servers: any Offer whose server identifier isn’t one of the servers you know about is worth a closer look. I’m sure there are other uses, but I was primarily interested in writing something in Python using Scapy.
Anyway, here it is. It has to run as root, since Scapy sends and sniffs on raw sockets. By the way, if you’re fluent in Python and/or Scapy and want to offer up suggestions, tips, whatever, I’d certainly appreciate it.
#!/usr/bin/env python
from scapy.all import *

# Replies to a Discover are addressed to a client that has no IP yet, so turn
# off Scapy's check that a reply's source matches the destination we sent to.
conf.checkIPaddr = False
fam, hw = get_if_raw_hwaddr(conf.iface)

def dhcp_discover(resp):
    # The BPF filter passes any UDP 67/68 traffic, including our own Discovers;
    # only look at frames that carry a DHCP layer and are server replies (BOOTREPLY).
    if DHCP not in resp or resp[BOOTP].op != 2:
        return
    print("Source: " + resp[Ether].src)
    print("Dest: " + resp[Ether].dst)
    for opt in resp[DHCP].options:
        if opt == 'end':          # option 255: nothing meaningful follows
            break
        elif opt == 'pad':        # option 0: a filler byte, skip it rather than stop
            continue
        print(opt)

# Broadcast a Discover from 0.0.0.0 with this interface's MAC as the client hardware address.
sendp(Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst="255.255.255.255")/UDP(sport=68, dport=67)/BOOTP(chaddr=hw)/DHCP(options=[("message-type", "discover")]), count=3)
# Then listen for whatever answers. store=0 prints and discards each frame instead of
# keeping them all in memory. Note that the sniffer only starts after the Discovers are
# out, so a very fast server's Offer can be missed; just re-run if you see nothing.
sniff(filter="udp and (port 67 or 68)", prn=dhcp_discover, store=0)
Here’s what the output looks like:
# ./dhcp-discover.py
…
Sent 3 packets.
Source: 00:11:22:33:44:55
Dest: ff:ff:ff:ff:ff:ff
('message-type', 2)
('server_id', '192.168.0.1')
('subnet_mask', '255.255.255.0')
('lease_time', 1800)
('router', '192.168.0.1')
('name_server', '192.168.0.1', '1.2.3.4', '4.3.2.1')
('domain', 'Mydomain')
(26, '\x05\xd4')
The last line, the "(26, '\x05\xd4')", I'm pretty sure is the MTU response from the server, but it's not handled in Scapy's dhcp.py framework. Tcpdump decodes this line as:
MTU Option 26, length 2: 1492
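To show what is going on inside that undecoded tuple, and to make the rogue-DHCP-server use mentioned earlier concrete, here is an added example that is not part of the original post and not Scapy code. It walks the DHCP option area by hand (the same type/length/value layout Scapy's DHCP layer parses), decodes option 26 as the 16-bit Interface MTU so that b"\x05\xd4" comes out as the 1492 tcpdump reports, treats pad (0) as a filler byte and end (255) as the terminator, and then checks the offering server against an allowlist. The sample bytes are constructed to match the Offer printed above; the allowlist of trusted servers is an assumption for the example.

```python
import struct
from ipaddress import IPv4Address

# Option codes (RFC 2132) for the fields the Offer above carried. 26 is the
# Interface MTU option that tcpdump decodes and the old Scapy dhcp.py did not.
OPTION_NAMES = {
    1: "subnet_mask", 3: "router", 6: "name_server", 15: "domain",
    26: "interface_mtu", 51: "lease_time", 53: "message-type", 54: "server_id",
}
IP_OPTIONS = {1, 3, 6, 54}   # payload is one or more 4-byte IPv4 addresses
U16_OPTIONS = {26}           # payload is one big-endian 16-bit integer
U32_OPTIONS = {51}           # payload is one big-endian 32-bit integer


def parse_dhcp_options(raw):
    """Decode the option TLVs that follow the DHCP magic cookie.

    Returns a list of (name, value) tuples in wire order. Pad (0) is a single
    filler byte with no length field; End (255) terminates the list and anything
    after it (frame padding) is ignored. Codes this decoder does not know are
    returned as (code, raw_bytes), which is how Scapy showed option 26 above.
    """
    out = []
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated: want %d bytes, got %d" % (code, length, len(value)))
        i += 2 + length
        if code in IP_OPTIONS:
            if length % 4:
                raise ValueError("option %d length %d is not a multiple of 4" % (code, length))
            ips = tuple(str(IPv4Address(value[j:j + 4])) for j in range(0, length, 4))
            decoded = ips[0] if len(ips) == 1 else ips
        elif code == 53:
            decoded = value[0]                       # 1=Discover 2=Offer 3=Request 5=Ack ...
        elif code in U16_OPTIONS:
            decoded = struct.unpack("!H", value)[0]  # b"\x05\xd4" -> 0x05d4 -> 1492
        elif code in U32_OPTIONS:
            decoded = struct.unpack("!I", value)[0]
        elif code == 15:
            decoded = value.decode("ascii", "replace")
        else:
            out.append((code, value))
            continue
        out.append((OPTION_NAMES[code], decoded))
    return out


def check_offer(options, trusted_servers):
    """Rogue-server check: return the server_id of an Offer that did not come
    from a trusted server, or None if the Offer is fine or the packet is not an Offer."""
    opts = dict(options)
    if opts.get("message-type") != 2:
        return None
    server = opts.get("server_id")
    if server is None:
        return "<no server_id option>"
    return None if server in trusted_servers else server


def _opt(code, payload):
    return bytes([code, len(payload)]) + payload


def _ips(*addrs):
    return b"".join(IPv4Address(a).packed for a in addrs)


# Constructed sample: the option area of the Offer printed above, followed by one
# pad byte, the end marker, and two bytes of frame padding that must be ignored.
SAMPLE_OFFER = (
    _opt(53, b"\x02")
    + _opt(54, _ips("192.168.0.1"))
    + _opt(1, _ips("255.255.255.0"))
    + _opt(51, struct.pack("!I", 1800))
    + _opt(3, _ips("192.168.0.1"))
    + _opt(6, _ips("192.168.0.1", "1.2.3.4", "4.3.2.1"))
    + _opt(15, b"Mydomain")
    + _opt(26, b"\x05\xd4")
    + b"\x00" + b"\xff" + b"\x00\x00"
)

TRUSTED_DHCP_SERVERS = {"192.168.0.1"}   # assumption: the site's one legitimate server

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OFFER)
    for name, value in opts:
        print(name, value)
    print("rogue server:", check_offer(opts, TRUSTED_DHCP_SERVERS))
```

In Scapy the DHCP layer begins right after the magic cookie, so raw(resp[DHCP]) in the sniff callback above is the byte string parse_dhcp_options expects; calling check_offer on the result inside that callback turns the script into a simple rogue-DHCP-server monitor.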
Anyway, expect to see more Python + Scapy stuff. If you haven’t used Scapy, I highly suggest that you go and download it and play with it. Here are some good tutorials that I’ve been following on my quest to master Scapy.
http://www.secdev.org/projects/scapy/doc/usage.html
http://www.devx.com/security/Article/34741/1763/page/5 - Great write-up about how to use Scapy to monitor for various wireless attacks
Nice Script!
How do I code a script which tells me all the hosts online on the LAN using ARP?
Using Python + Scapy it’s really simple:

>>> arping("192.168.0.0/24", timeout=2)
Begin emission:
**Finished to send 256 packets.
Received 2 packets, got 2 answers, remaining 254 packets
  00:11:22:33:44:55 192.168.0.1
  00:11:22:33:44:66 192.168.0.3
(, )

Also, check out one of my previous posts here. The first script in the post uses Perl to discover network devices via ARP.
Using ‘arping()’ in a script form would look like this:

from scapy.all import *
arping("192.168.0.0/24", timeout=2)

Hope that answers your question.
This works like a charm!!!!!
Thanks
I was expecting it to be a complicated script.
Yeah, I was kind of wondering myself, to be honest. I’ve come to the conclusion, though, that anything with Scapy is pretty straightforward. I wish that there was a way to import the Scapy functions into Perl; I’m much more fluent in Perl than Python.
Glad I could help.