Creating a Network Scanner using Python Programming.

NETWORK SCANNER

Network Scanner

A network scanner is an essential tool for network penetration testing and network security assessment, used by network administrators as well as penetration testers. Network scanning is the process of identifying the active hosts (clients or servers) on a network, which is the first step both in maintaining a network and in attacking it. For every host that is active on the network we can find its IP address as well as its MAC address. In general, network scanning is used for system maintenance and for the security assessment of a network.

Importance of Network Scanner

A network scanner is a software tool used for discovery and investigation: it finds and categorises the devices running on a network. The user inputs a range of IP addresses to scan, and the scanner probes each address in the range in turn to determine which devices on the network are active. With the help of a network scanner we can:
o   Discover all Devices on the Network
o   Display Their IP Address
o   Display Their MAC Address
Some examples of commonly used network scanning tools are nmap, Angry IP Scanner, Zenmap and Advanced IP Scanner. In this book you will learn how to build your own network scanner in Python, and the concepts behind how a network scanner works.

Understanding the concept

There are a number of ways to discover the clients on the same network. The easiest is to replicate what a normal device does when it discovers another device on the same network.
Let’s assume the scenario: we have one network containing five devices named A, B, C, D and Router. All devices have their corresponding IP addresses and MAC addresses. Before going further we should get familiar with one very important concept:
Communication inside a local network is carried out using MAC addresses, not IP addresses, and the mapping from an IP address to the MAC address behind it is provided by the ARP protocol.

ARP PROTOCOL

Address Resolution Protocol (ARP) is a low-level network protocol for mapping an IP address to the MAC address that is recognised on the local area network. A table, usually called the ARP cache, maintains the correlation between each MAC address and its corresponding IP address. ARP defines the request and reply rules by which this correlation is built and by which one kind of address is converted into the other.
Some important terms related to the ARP protocol are :-
ARP cache : once a MAC address has been resolved, the requesting host stores the IP-to-MAC mapping in a table for future reference, so subsequent communication can use the MAC address from the table instead of asking again.
ARP cache timeout : the time for which an entry may reside in the ARP cache before it has to be resolved again.
ARP request : a packet broadcast over the network asking which host owns a given IP address, i.e. what the destination MAC address is.
ARP reply : the response carrying the MAC address that the source receives from the host owning that IP address; it enables the further communication of data.

In this scenario, device A wants to communicate with device C, and device A knows the IP address of device C. So before it can communicate, device A broadcasts an ARP request over the network asking who has that IP address, as shown in the picture below:


When a packet is sent to the broadcast MAC address, all clients on the same network receive it. So device A sends a broadcast to every client on the network saying “who has 192.168.1.108?”. All the devices ignore this packet except the one that has the IP address 192.168.1.108, which is device C: in the next step every other device does nothing, and only device C responds, sending an ARP reply to device A saying “I have 192.168.1.108 and my MAC address is 00:a1:7d:66:22:44”. In this way device A learns the MAC address of device C, and it can now communicate with it and do whatever task it wanted to do initially. All of this communication is facilitated by the ARP protocol.
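As an added example (not code from the original post), here is the exchange above at the byte level in plain Python: the 42-byte Ethernet+ARP request that device A broadcasts, a constructed table of hosts standing in for the devices on the segment, and the parsing of the single reply that comes back. Only device C’s address 00:a1:7d:66:22:44 and the IP 192.168.1.108 come from the scenario; the requester’s addresses and the other hosts are made up for the example.

```python
"""Wire-level view of the ARP exchange described above (added example).

Builds the broadcast ARP request device A sends, lets a constructed set of
hosts decide whether to answer it, and parses the one reply that comes back.
All addresses except device C's are invented for the example.
"""
import socket
import struct
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"   # "target MAC unknown" in a request
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Ethernet header: dst MAC, src MAC, EtherType (14 bytes)
ETH_FMT = "!6s6sH"
# ARP body: htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(opcode, dst_mac, src_mac, src_ip, target_mac, target_ip) -> bytes:
    """One Ethernet frame carrying one IPv4-over-Ethernet ARP packet (42 bytes before padding)."""
    eth = struct.pack(ETH_FMT, mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      mac_to_bytes(src_mac), socket.inet_aton(src_ip),
                      mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell src_ip', addressed to the broadcast MAC so every host sees it."""
    return build_arp(ARP_REQUEST, BROADCAST_MAC, src_mac, src_ip, ZERO_MAC, target_ip)


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < struct.calcsize(ETH_FMT) + struct.calcsize(ARP_FMT):
        return None
    _dst, _src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(opcode, bytes_to_mac(sha), socket.inet_ntoa(spa),
                     bytes_to_mac(tha), socket.inet_ntoa(tpa))


def answer_request(frame: bytes, hosts: dict) -> list:
    """Simulate every host on the segment receiving the broadcast: only the owner of the
    requested IP replies, unicast back to the requester, with its own MAC as sender."""
    req = parse_arp_frame(frame)
    if req is None or req.opcode != ARP_REQUEST:
        return []
    return [build_arp(ARP_REPLY, req.sender_mac, mac, ip, req.sender_mac, req.sender_ip)
            for ip, mac in hosts.items() if ip == req.target_ip]


if __name__ == "__main__":
    # Constructed segment: device C keeps its address from the scenario, the rest are made up.
    SEGMENT = {"192.168.1.1": "00:11:22:33:44:01",      # Router
               "192.168.1.105": "00:0c:29:aa:bb:cc",    # A (the requester)
               "192.168.1.106": "00:11:22:33:44:06",    # B
               "192.168.1.108": "00:a1:7d:66:22:44",    # C
               "192.168.1.110": "00:11:22:33:44:10"}    # D
    request = build_arp_request("00:0c:29:aa:bb:cc", "192.168.1.105", "192.168.1.108")
    for reply in answer_request(request, SEGMENT):
        r = parse_arp_frame(reply)
        print(f"{r.sender_ip} is at {r.sender_mac} (reply sent to {r.target_mac})")
```

Note that `parse_arp_frame` only checks that the frame is well-formed ARP; nothing in the protocol authenticates the reply, so any host on the segment could answer for 192.168.1.108 and device A would believe it. That is exactly why a scanner built on ARP sees what the hosts claim, not what they are.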



Designing an algorithm to discover clients connected to the Same Network.


GOAL: To Discover Clients on the same network
Steps:
1)      Create ARP request directed to broadcast MAC asking for IP
2)      Send packet and receive response
3)      Parse the response
4)      Print the result

Using Scapy to Create an ARP Request


Step 1) Create an ARP request directed to the broadcast MAC asking for an IP
Two main parts:
o   Use ARP to ask who has the target IP
o   Set the destination MAC to the broadcast MAC
Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Here we use Scapy to create ARP requests.
Scapy has a class called ARP which is used to craft an ARP packet; a freshly created ARP() object is a request by default (opcode 1, “who-has”), and its pdst field holds the IP address we are asking about.



As we can see, the above script works. We created a variable arp_request which holds an instance of an ARP packet created by Scapy.
The Scapy ARP class lets us print a summary of the object we just created: summary() is a method implemented on every Scapy packet class, and it gives a one-line description of what we have built.
There is another function in Scapy called ls(); with it we can see the fields of a packet class and their default values, for example ls(ARP).
Hence the first part of the request is done. Now we need to set the destination MAC to the broadcast MAC so that the packet gets delivered to all clients on the network.

Combining Frames to broadcast Packets

So far we have a script that creates an ARP request for a destination IP, but we want the packet to be delivered to every client connected to the network. To achieve this we need to set the destination MAC to the broadcast MAC. For this we need an Ethernet frame, because data on the local network is sent using MAC addresses, not IP addresses: the source MAC and the destination MAC are set in the Ethernet part of each packet. Therefore we create an Ethernet frame and then stack our ARP packet on top of it.
Here we create an Ethernet frame addressed to the broadcast MAC.




In the above script we created a variable called broadcast which stores an instance of an Ethernet frame whose destination MAC is ff:ff:ff:ff:ff:ff, the broadcast MAC, so that the frame is delivered to all clients on the network.
Hence we have created two layers so far: the ARP packet which carries the ARP request, and the Ethernet frame which sets the destination MAC to the broadcast MAC. Finally we combine both into one packet. In Scapy this is done with the slash operator “/” between the packet instances, with the lower layer (Ethernet) on the left. In the above script the combined packet is stored in the arp_request_broadcast variable, and its show() method prints the details of every layer and field.

Sending and Receiving Packets


Now the first part of our algorithm is done. We have created a packet directed to the broadcast MAC address, so it will be delivered to all the clients and computers on the same network, and it asks for the specific IP that we pass in the ip variable.
Now it is time for the next step: sending this packet onto the network and waiting for the response. For this we again use the Scapy module.
Scapy has a function called sr(), which stands for send and receive, but we use a variant called srp(). The difference is that srp() sends and receives at layer 2, so it lets us supply our own Ethernet header, whereas sr() works at layer 3 and leaves the Ethernet header to the operating system. srp() sends the packet we give it and collects the responses. It returns two lists, one of answered packets (each entry pairs a packet we sent with the reply it got) and one of unanswered packets, so we capture its return value in two variables called answered and unanswered. srp() also has a timeout parameter which we need to set. The timeout says: wait this many seconds for replies, and if nothing more arrives, move on rather than keep waiting. Here we set timeout to 1, so after the last request is sent the scanner waits at most one second for replies and then continues. Without a timeout the script would be stuck whenever an address does not respond, because srp() would keep waiting for a reply that never comes.



The above script successfully scans the entire subnet, determines which clients or computers are active on the network, and discovers the MAC address of each device from its IP address.
Hence the above script is very useful for scanning the network: with the help of ARP requests and replies we are able to discover all the devices on the local network with their respective IP and MAC addresses.

Parsing the response and printing the results.

We have successfully programmed a network scanner that discovers the clients connected to the network along with their IP and MAC addresses. Now we will improve the program’s output using escape characters (such as \t and \n) and lists in Python.
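The four steps above, put together as one runnable Scapy scanner. This is an added example written for this page, not the author’s screenshots. It assumes scapy is installed and that the script runs as root (or with CAP_NET_RAW) when it actually sends; the helper names validate_range, parse_answered and format_results are this example’s own, and those helpers are plain Python so the parsing and the escape-character table can be exercised without sending anything.

```python
"""ARP network scanner following the four steps above (added example).

Needs scapy and root / CAP_NET_RAW to send; the helpers below are plain Python
so the parsing and printing can be run without sending anything.
"""
import argparse
import ipaddress

try:
    from scapy.all import ARP, Ether, srp
except ImportError:  # scapy is only needed for steps 1 and 2
    ARP = Ether = srp = None

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def validate_range(ip_range: str) -> str:
    """Fail early on bad input. ARP never crosses a router, so a range much larger
    than one segment is almost always a typo; anything above a /16 is refused."""
    net = ipaddress.ip_network(ip_range, strict=False)
    if net.version != 4:
        raise ValueError("ARP scanning is IPv4 only; IPv6 uses Neighbor Discovery instead")
    if net.num_addresses > 65536:
        raise ValueError(f"{ip_range} spans {net.num_addresses} addresses, far more than one segment")
    return str(net)


def build_arp_broadcast(ip_range: str):
    """Step 1: Ether(dst=broadcast) / ARP(pdst=range). Scapy expands a CIDR range
    into one who-has request per address in it."""
    return Ether(dst=BROADCAST_MAC) / ARP(pdst=ip_range)


def send_and_receive(packet, timeout: float = 1.0, iface=None):
    """Step 2: srp() sends at layer 2 (our own Ethernet header) and returns
    (answered, unanswered); timeout bounds the wait after the last request goes out."""
    answered, _unanswered = srp(packet, timeout=timeout, iface=iface, verbose=False)
    return answered


def parse_answered(answered) -> list:
    """Step 3: each answered entry is (sent, received). Scapy resolves .psrc / .hwsrc
    through to the ARP layer of the reply: the IP that answered and the MAC it claims."""
    clients = [{"ip": received.psrc, "mac": received.hwsrc} for _sent, received in answered]
    return sorted(clients, key=lambda c: ipaddress.ip_address(c["ip"]))


def format_results(clients: list) -> str:
    """Step 4: a table laid out with the \\t and \\n escape characters."""
    lines = ["IP\t\t\tMAC Address", "-" * 45]
    lines.extend(f"{c['ip']}\t\t{c['mac']}" for c in clients)
    return "\n".join(lines)


def scan(ip_range: str, timeout: float = 1.0, iface=None) -> list:
    """Steps 1 to 4 end to end; returns the parsed client list."""
    if srp is None:
        raise RuntimeError("scapy is required to send packets: pip install scapy")
    packet = build_arp_broadcast(validate_range(ip_range))
    return parse_answered(send_and_receive(packet, timeout, iface))


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="ARP scan of the local subnet")
    parser.add_argument("-t", "--target", required=True, help="IP or CIDR range, e.g. 192.168.1.0/24")
    parser.add_argument("--timeout", type=float, default=1.0, help="seconds to wait for replies")
    parser.add_argument("-i", "--iface", default=None, help="interface to send on (default: scapy's choice)")
    args = parser.parse_args()
    print(format_results(scan(args.target, args.timeout, args.iface)))
```

Run it as sudo python3 arp_scan.py -t 192.168.1.0/24. Two caveats worth keeping in mind: the hwsrc in each reply is whatever the answering host put in the packet, since nothing in ARP authenticates it, so a host can answer for an IP it does not own; and because the requests are broadcasts, scanning a /24 puts 256 frames on the wire that every host on the segment, and any IDS watching it, will see.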




Thanks,
MAYANK BARSAINYA
Founder, M7 SECURITY

