WiFi Pentesting with Scapy (TL;DR use Bettercap)

Look, if you want to pentest wifi for real, forget this post and just use bettercap, it’s awesome.

bettercap/bettercap (github.com)
The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.

However, today we just want to tinker and experiment; after all, that’s why we do this, right? That said, Scapy is super powerful and lets you do bespoke testing directly with packets, which leads to awesome and interesting results.


Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

Welcome to Scapy’s documentation! – Scapy 2.4.2-dev documentation (scapy.readthedocs.io)

Get Started

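user@box~:># airmon-ng check kill        # stop processes that interfere with monitor mode
user@box~:># airmon-ng start wlan1       # put wlan1 into monitor mode
user@box~:># airodump-ng mon0            # list the access points and clients seen on the monitor interface
user@box~:># scapy                       # bring up the interactive Scapy shell
scapy~:># conf.iface = "mon0"            # sniff on the monitor interface
scapy~:># wifiPkts = sniff(count=1)      # capture a single frame
scapy~:># wifiPkts                       # PacketList overview
scapy~:># wifiPkts.summary()             # one line per packet
scapy~:># wifiPkts[0].pdfdump()          # dissection diagram as PDF (requires PyX)
scapy~:># wifiPkts.nsummary()            # summary with packet numbers
scapy~:># wifiPkts.hexdump()             # hex dump of each packet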

Packet Handler Functions

  • Packet Processor
  • Parse, Analyse and take Action
  • Injecting Packets

Scapy p.04 – Looking at Packets (thepacketgeek.com)
Packets, Layers, and Fields. Oh My! Scapy uses Python dictionaries as the data structure for packets. Each packet is a…

Black Hat Python: Infinite possibilities with the Scapy Module (bt3gl.github.io)
The reason is that crafting TCP sessions with Scapy circumvents the native TCP/IP stack. Since the host is unaware that…

Code Injector with Scapy — Part 9 (medium.com)
Hello friends, today we are going to create script which allows us to modify inject code in target request. As usual…