Designing Basic Network Scanner Using Python

Sivaram Rasathurai, published in Analytics Vidhya
6 min read, Sep 5, 2019

Information gathering is one of the key steps in penetration testing or hacking. You can’t control or hack a system if you don’t have enough information about it.

Suppose that you are connected to a network and your target machine is connected to the same network. How can you identify the target machine? For that, you need to know its IP address. So discovering all the devices on that network, gathering their MAC addresses and IP addresses, is the primary step.

You can use Nmap or Netdiscover; both discover devices well. But here, we will walk through the fundamental steps for creating your own network scanner using Python.

Our basic scanner will show all the devices connected to the network together with their MAC addresses and IP addresses. You can add the OS version of the system and other information with your own feature implementation.

When we learn new things, we want to know their basics, so they are covered in the next section. To design this network scanner we need to know about the broadcast MAC and the ARP protocol. If you already know these things, you can go straight to the implementation.

What is the Broadcast MAC

The broadcast MAC is not any device’s MAC address; it is a virtual address. When some packets need to be sent to all the devices in the network, the packets are addressed to the broadcast address, and the network then delivers them to every device connected to the same local network. The broadcast MAC address is “ff:ff:ff:ff:ff:ff”.

What is the ARP Protocol

ARP (Address Resolution Protocol) is used to discover the MAC address associated with a given IP address. In order to send a data packet through a local network, we need the MAC address of the destination machine. While packets travel inside the local network, they are delivered by MAC address rather than IP address, because at this layer the devices are identified by their MAC addresses. In this phase, we call these packets frames. Discovering the MAC address of a particular IP address is done with ARP.

How does ARP work?

[Illustration: Shutterstock.com (2019), Isometric Businessman Megaphone Speaking Before Group, stock vector 699978403, https://www.shutterstock.com/image-vector/isometric-businessman-megaphone-speaking-before-group-699978403, accessed 4 Sep. 2019]

When a machine (192.168.1.4) wants to know the MAC address of a target IP address (192.168.1.3), it sends an ARP request to the broadcast MAC with a message like “who has this IP address?”. For example, if the target IP address is 192.168.1.3, the message looks like “who has 192.168.1.3?”.

Because it is addressed to the broadcast MAC, this packet is delivered to each and every device on the network, so all devices of the network receive it.

The devices whose IP addresses are not equal to the target IP address (192.168.1.3) drop the packet. Only the machine with the target IP address sends a response message like “I am this IP address, and my MAC address is this”. For example, the message looks like “I am 192.168.1.3, and my MAC address is 00:0a:95:9d:68:16”, sent to the requester (192.168.1.4).

So the sender gets the target machine’s MAC address with the help of the ARP protocol. This is how devices identify other devices within the network.

Once a device gets the MAC address of a particular device, it saves that MAC address together with the device’s IP address locally, in a table called the ARP cache table. When a device sends an ARP response to another device, the device that receives the response never verifies the IP address of the sender; it simply saves the MAC address in its ARP cache table under the IP address claimed by the sender. We can use this pitfall to do some man in the middle attacks. This is usually called ARP spoofing. I will cover the man in the middle attack using ARP spoofing in the next article.

[Figure: Man in the middle]

So far, so good. Now we have a better understanding of the ARP protocol and broadcasting, and we can move on to the implementation of the network scanner.

Implementing the Network Scanner

In our Python script, we will follow these steps to design our network scanner:

  • Create an ARP request packet which has the target IP address.
  • Send the packet to the broadcast MAC and receive a response from the target IP address.
  • Parse the response to get the MAC address.
  • Print the result.

Create the ARP Request Packet

An ARP packet can be created using the scapy ARP class in Python. Scapy is the base library for networking tools in Python. We create the packet with the target IP address we want to resolve, and we can send this packet to all devices connected to the network using the broadcast MAC. The ARP packet needs to be embedded in an Ethernet frame because, in a LAN, packets are sent as Ethernet frames. For that, we create an Ethernet frame whose destination address is the broadcast MAC, and we place our ARP request packet inside it.

So now we have created an arp_request packet and an ether_frame. We want to put the arp_request inside the ether_frame, and in scapy we do that with the ‘/’ operator, which acts as a composition operator between two layers. In our case, the ARP packet sits above the Ethernet frame, which is the data link layer. From here, we have an arp_request packet with a target IP address that can be sent from our device to the broadcast MAC inside an Ethernet frame.

Send Packets and Receive Responses

As the second step, we have to send the ARP request and receive the corresponding ARP response. For that, we can use scapy’s srp function. The srp() function sends packets at layer 2 and receives the answers. It returns a pair of lists, named the ‘answered packets’ and the ‘unanswered packets’. We need only the answered packets, so we store that list in the success_list variable.

But this list contains more than we need. We only want the MAC address of each device, so we have to parse the response.

Parsing the Response

For parsing the response, we implement a small piece of logic. The success_list holds the successful ARP responses, so we take each response from the success_list in turn. The IP address of each responding device is in its psrc field, and its MAC address is in the hwsrc field. We initialise a dictionary that stores the psrc and hwsrc values as key-value pairs, then print them in a table format using Python’s print function.

Given a target IP address or IP range, we can now get the corresponding MAC addresses. So how do we get the IP address as a console argument?

Get the User Input as Arguments

We use Python’s optparse library to read the user’s input from the command line (optparse still ships with Python 3 but is deprecated in favour of argparse, which works the same way for this purpose). We only need the target IP address or IP range that the user wants to scan. For that, we define an option ‘-t’ or ‘--target’ to get the input and store it in the target variable.

After this, we pass the target variable (the target IP address) to the method that creates the packets, send those packets to the broadcast MAC, receive the responses, parse them, and print the results to the console.
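The following is an added example, not the author’s code or the GitHub repository’s, that carries the four steps above (build the ARP request, exchange it, parse the psrc/hwsrc pair, print a table) through by hand. Scapy’s Ether and ARP classes produce exactly these bytes for you; here the frames are packed with the standard library so the layout described in the ARP section is visible, and no packets are actually put on the wire. The send_and_receive callback stands in for srp(), and fake_network is a constructed stand-in that answers only for the 192.168.1.3 host from the text’s example. All names (build_arp_request, parse_arp_reply, scan, format_table, fake_network) and the MAC aa:bb:cc:dd:ee:ff are assumptions of this example. It also adds the check the text’s ARP-cache pitfall calls for: a reply is only recorded if it answers an address we actually asked about.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
ARP_FRAME_LEN = 14 + 28  # 14-byte Ethernet header + 28-byte ARP body


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, src_mac, src_ip, dst_mac, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying one ARP packet: the composition scapy's '/' does."""
    ethernet = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_to_bytes(src_mac) + ipaddress.IPv4Address(src_ip).packed      # sender hw/proto
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed  # target hw/proto
    return ethernet + arp


def build_arp_request(src_mac, src_ip, target_ip) -> bytes:
    # "who has target_ip?" goes to the broadcast MAC; the target MAC is unknown, so zeros
    return build_arp_frame(ARP_REQUEST, src_mac, src_ip, BROADCAST_MAC, "00:00:00:00:00:00", target_ip)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip) -> bytes:
    # "I am src_ip, my MAC is src_mac", sent unicast back to the machine that asked
    return build_arp_frame(ARP_REPLY, src_mac, src_ip, dst_mac, dst_mac, dst_ip)


def parse_arp_reply(frame: bytes):
    """Return (psrc, hwsrc) for an ARP reply frame, or None for anything else."""
    if len(frame) < ARP_FRAME_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REPLY):
        return None
    hwsrc = bytes_to_mac(frame[22:28])                    # scapy's ARP.hwsrc
    psrc = str(ipaddress.IPv4Address(frame[28:32]))       # scapy's ARP.psrc
    return psrc, hwsrc


def scan(target_range, src_mac, src_ip, send_and_receive):
    """One request per host in target_range; send_and_receive plays the role of srp()."""
    network = ipaddress.ip_network(target_range, strict=False)
    targets = [str(ip) for ip in network.hosts()] or [str(network.network_address)]
    requests = [build_arp_request(src_mac, src_ip, ip) for ip in targets]
    results = {}
    for frame in send_and_receive(requests):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        psrc, hwsrc = parsed
        # Record only answers for addresses we asked about. An ARP cache that accepts
        # any reply is the pitfall the text describes; a scanner should not repeat it.
        if psrc in targets:
            results[psrc] = hwsrc
    return results


def format_table(results) -> str:
    ordered = sorted(results.items(), key=lambda kv: ipaddress.IPv4Address(kv[0]))
    lines = ["IP\t\t\tMAC Address", "-" * 40]
    lines += [f"{ip}\t\t{mac}" for ip, mac in ordered]
    return "\n".join(lines)


def fake_network(requests):
    """Constructed stand-in for the LAN: only 192.168.1.3 answers, plus one forged reply."""
    replies = []
    for req in requests:
        target_ip = str(ipaddress.IPv4Address(req[38:42]))
        if target_ip == "192.168.1.3":
            asker_mac = bytes_to_mac(req[6:12])
            asker_ip = str(ipaddress.IPv4Address(req[28:32]))
            replies.append(build_arp_reply("00:0a:95:9d:68:16", "192.168.1.3", asker_mac, asker_ip))
    # An unsolicited reply for an address outside the scanned range; scan() must ignore it.
    replies.append(build_arp_reply("de:ad:be:ef:00:01", "10.0.0.9", "aa:bb:cc:dd:ee:ff", "192.168.1.4"))
    return replies


if __name__ == "__main__":
    print(format_table(scan("192.168.1.0/29", "aa:bb:cc:dd:ee:ff", "192.168.1.4", fake_network)))
```

With scapy, the send_and_receive argument would be a thin wrapper that calls srp() with the raw frames on the chosen interface and returns the answered frames as bytes; everything else in the block stays the same.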

I think you now have a clear-cut idea of how to design a simple network scanner. You can improve this scanner by adding detection of the target machine’s OS version. After developing this network scanner, we can do some man in the middle attacks with ARP spoofing; that will be my next article.

You can clone this GitHub repository to get the full code. More details can be found in the wiki page of the repository.
