Scapy alternatives

Looking for an alternative tool to replace Scapy? During the review of Scapy we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. Chiron (IPv6 security assessment framework)
  2. pysap (SAP network protocol package generator)
  3. ntopng

These tools are ranked as the best alternatives to Scapy.

Alternatives (by score)

60

Chiron

Introduction

Chiron is a security assessment framework for IPv6. It provides several modules including an IPv6 scanner, IPv6 Local Link, IPv4-to-IPv6 proxy, IPv6 attack module, and IPv6 proxy. These modules help to perform an assessment, like a penetration test.

The tool uses IPv6 extension headers to create a headers chain. This may allow evading security devices like IDS, IPS, and firewalls. Due to the flexibility of the framework, the tool can also be used to perform fuzzing of the IPv6 stack of a device.

Project details

Chiron is written in Python.

Strengths and weaknesses

  • + The source code of this software is available
  • - No releases on GitHub available

Typical usage

  • Network analysis
  • Network scanning
  • Network security monitoring

Chiron review

85

pysap

Introduction

This Python library can be used to craft and send packets using SAP's NI, Message Server, Router, RFC, SNC, Enqueue, and Diag protocols. It is a useful toolkit for those who want to do security assessments in environments that use SAP solutions.

Project details

pysap is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

    pysap review

    93

    ntopng

    Introduction

    The ntopng replaced the older ntop utility. It now focuses on high-speed traffic analysis and flow collection. Typically this is useful for analysis of network traffic and troubleshooting of overused network links.

    Project details

    ntopng is written in C++.

    Strengths and weaknesses

    • + The source code of this software is available

      Typical usage

      • Network analysis
      • Troubleshooting

      ntopng review

      100

      IVRE

      Introduction

      IVRE is a framework to perform reconnaissance for network traffic. It leverages other tools to pull in the data and show it in the web interface.

      Project details

      IVRE is written in Python.

      Strengths and weaknesses

      • + More than 10 contributors
      • + More than 1000 GitHub stars
      • + The source code of this software is available

        Typical usage

        • Digital forensics
        • Information gathering
        • Intrusion detection
        • Network analysis

        IVRE review

        74

        KickThemOut

        Introduction

        Kick devices off your network by performing an ARP spoofing attack.

        Project details

        KickThemOut is written in Python.

        Strengths and weaknesses

        • + More than 500 GitHub stars
        • + The source code of this software is available

          Typical usage

          • Offensive security

          KickThemOut review

          60

          larp

          Introduction

          Larp is a tool to perform ARP poisoning on the network. It is written in Python and can be used for security assessments.

          Project details

          larp is written in Python.

          Strengths and weaknesses

          • + The source code of this software is available

            Typical usage

            • Network spoofing
            • Penetration testing

            larp review

            60

            SCUTUM

            Introduction

            The primary goal of this solution is to prevent ARP spoofing by other computers on the local network. It uses a whitelist and blocks all other systems sending possible malicious ARP requests (e.g. with spoofing attack).

            Project details

            SCUTUM is written in Python.

            Strengths and weaknesses

            • + The source code of this software is available
            • - Full name of author is unknown

            Typical usage

            • Firewall management
            • Network traffic filtering

            SCUTUM review

            84

            addrwatch

            Introduction

            Similar to arpwatch, this tool addrwatch will monitor the pairing between ethernet and IP addresses.

            Main features:

            • IPv4 and IPv6 address monitoring
            • Monitoring multiple network interfaces with one daemon
            • Monitoring of VLAN tagged (802.1Q) packets
            • Output to stdout, plain text files, syslog, sqlite3, MySQL
            • IP address usage history preserving output and logging

            Project details

            84

            arping

            Introduction

            arping is similar to the 'ping' utility for testing a network and the discovery of systems. Where the 'ping' command typically uses the Internet Control Message Protocol (ICMP), arping uses the Address Resolution Protocol (ARP).

            Project details

            63

            ArpON

            Introduction

            ArpOn protects a system by running as a daemon and guard against a Man in the Middle (MitM) attack due to ARP spoofing, cache poisoning, or an ARP poison routing attack.

            The tool works by using three types of inspection to detect a related attack.

            • SARPI (Static ARP Inspection), statically configured networks (without DHCP)
            • DARPI (Dynamic ARP Inspection), dynamically configured networks (with DHCP)
            • HARPI (Hybrid ARP Inspection), statically and dynamically configured networks (with DHCP)

            Project details

            ArpON is written in C.

            Strengths and weaknesses

            • + The source code of this software is available

              ArpON review

              52

              arp-scan

              Introduction

              The arp-scan utility can be used to detect hosts on the network. As it uses ARP, it only applies to IPv4, as IPv6 uses the neighbour discovery protocol (NDP).

              Project details

              64

              THC IPv6 Attack Toolkit (thc-ipv6)

              Introduction

              Tools:
              - parasite6: ICMPv6 neighbor solitication/advertisement spoofer, puts you as man-in-the-middle, same as ARP MitM (and parasite)
              - alive6: an effective alive scanng, which will detect all systems listening to this address
              - dnsdict6: parallel DNS IPv6 dictionary brute-forcer
              - fake_router6: announce yourself as a router on the network, with the highest priority
              - redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever ICMPv6 redirect spoofer
              - toobig6: mtu decreaser with the same intelligence as redir6
              - detect-new-ip6: detect new IPv6 devices which join the network, you can run a script to automatically scan these systems etc.
              - dos-new-ip6: detect new IPv6 devices and tell them that their chosen IP collides on the network (DOS).
              - trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
              - flood_router6: flood a target with random router advertisements
              - flood_advertise6: flood a target with random neighbor advertisements
              - fuzz_ip6: fuzzer for IPv6
              - implementation6: performs various implementation checks on IPv6
              - implementation6d: listen daemon for implementation6 to check behind a firewall
              - fake_mld6: announce yourself in a multicast group of your choice on the net
              - fake_mld26: same but for MLDv2
              - fake_mldrouter6: fake MLD router messages
              - fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
              - fake_advertiser6: announce yourself on the network
              - smurf6: local smurfer
              - rsmurf6: remote smurfer, known to work only against Linux targets at the moment
              - exploit6: known IPv6 vulnerabilities to test against a target
              - denial6: a collection of denial-of-service tests against a target
              - thcping6: sends a handcrafted ping6 packet
              - sendpees6: a tool by willdamn@gmail.com, which generates a neighbor solicitation requests with a lot of CGAs (crypto) to keep the CPU busy.

              Project details

              THC IPv6 Attack Toolkit is written in C.

              Strengths and weaknesses

              • + Project is mature (10+ years)
              • + The source code of this software is available

                Typical usage

                • Network analysis
                • Penetration testing
                • Security assessment

                THC IPv6 Attack Toolkit review

                70

                Yersinia

                Introduction

                The Yersinia tool takes advantage of known weaknesses in several network protocols. It helps with trying to abuse the weaknesses to ensure that network protections are implemented where possible.

                Related protocols:

                • Spanning Tree Protocol (STP)
                • Cisco Discovery Protocol (CDP)
                • Dynamic Trunking Protocol (DTP)
                • Dynamic Host Configuration Protocol (DHCP)
                • Hot Standby Router Protocol (HSRP)
                • 802.1q
                • 802.1x
                • Inter-Switch Link Protocol (ISL)
                • VLAN Trunking Protocol (VTP)

                Project details

                67

                Wireshark

                Introduction

                Wireshark is a mature project with many users all over the world. Its library is stable and can be used by both graphical as text-based interfaces. With many books and even conferences around the subject, this tool is a safe bet to have in your toolbox.

                Project details

                Wireshark is written in C.

                Strengths and weaknesses

                • + The source code of this software is available
                • + Well-known tool

                  Typical usage

                  • Network analysis
                  • Network traffic analysis
                  • Security assessment
                  • Troubleshooting

                  Wireshark review

                  70

                  Xplico

                  Introduction

                  With Xplico analysis can be performed on captured internet traffic. The data stored in a pcap file can then be displayed and the related protocol data can be extracted from the capture file. This may include emails, HTTP sessions, VoIP calls, or anything that can be recognized and stored.

                  Project details

                  Some relevant tool missing as an alternative to Scapy? Please contact us with your suggestion.