This article explains how to create a raw socket and use it to perform a SYN, ACK or XMAS scan in Python. Note that the same primitive can also be used for a denial-of-service attack (SYN flooding, ...), so only run it against hosts you are authorized to test; raw sockets with a hand-built IP header also require root (or CAP_NET_RAW on Linux). See the code below:
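import socket, struct
from struct import *


# checksum function needed for the tcp checksum (RFC 1071 one's-complement sum)
def checksum(msg):
    """Return the 16-bit one's-complement Internet checksum of *msg*.

    msg: bytes / bytearray (a Python 2 str works too) -- the pseudo header
         followed by the TCP header (and payload, if any).
    Returns an int in 0..0xffff, ready to be packed with '!H'.

    Fixes vs. the original: an odd-length message is zero-padded instead of
    raising IndexError on the last byte, and the end-around carry is folded
    until nothing is left above bit 16 (a single fold can leave 0x10000,
    which then complements to 0xffff instead of 0xfffe).
    """
    data = bytes(msg)
    if len(data) % 2:
        data += b'\x00'  # RFC 1071: pad the odd trailing byte with a zero low byte
    # sum the message as big-endian 16-bit words; struct works on both
    # Python 2 str and Python 3 bytes, unlike ord()-on-index
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    # fold every carry out of bit 16 back into the low word (end-around carry)
    while total >> 16:
        total = (total >> 16) + (total & 0xffff)
    # complement and mask to a 16-bit short
    return ~total & 0xffff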
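# create a raw socket -- this needs root / CAP_NET_RAW, and nothing the
# kernel TCP stack normally does (handshake, rate limiting) applies to it
import sys

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
except socket.error as exc:
    # .errno / .strerror are the portable attributes (the old msg[0]/msg[1]
    # indexing only works on Python 2); exit non-zero so callers see the failure
    print('Socket could not be created. Error Code : ' + str(exc.errno) + ' Message ' + str(exc.strerror))
    sys.exit(1)

# tell kernel not to put in headers, since we are providing it
# (IP_HDRINCL is also what makes spoofing the source address possible)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)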
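# now start constructing the packet
packet = ''
sourceip = '127.0.0.1'
destip = '127.0.0.1'  # or socket.gethostbyname('www.google.com')

# ip header fields
ihl = 5
version = 4
tos = 0
# 20-byte IP header + 20-byte TCP header; a bare SYN carries no data.
# NOTE(review): Linux rewrites total length / checksum under IP_HDRINCL, so
# the original's value of 20 "worked" there; other stacks do not, so build it correctly
totlen = 40
ip_id = 54321  # Id of this packet (renamed from `id`, which shadowed the builtin)
fragoff = 0
ttl = 255
protocol = socket.IPPROTO_TCP
check = 0  # 0 = let the kernel fill in the IP header checksum
saddr = socket.inet_aton(sourceip)  # Spoof the source ip address if you want to
daddr = socket.inet_aton(destip)
ihlversion = (version << 4) + ihl

# the ! in the pack format string means network order
ipheader = pack('!BBHHHBBH4s4s', ihlversion, tos, totlen, ip_id, fragoff, ttl, protocol, check, saddr, daddr)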
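# checksum function needed for the tcp checksum (RFC 1071 one's-complement sum)
def checksum(msg):
    """Return the 16-bit one's-complement Internet checksum of *msg*.

    msg: bytes / bytearray (a Python 2 str works too) -- the pseudo header
         followed by the TCP header (and payload, if any).
    Returns an int in 0..0xffff, ready to be packed with '!H'.

    Fixes vs. the original: an odd-length message is zero-padded instead of
    raising IndexError on the last byte, and the end-around carry is folded
    until nothing is left above bit 16 (a single fold can leave 0x10000,
    which then complements to 0xffff instead of 0xfffe).
    """
    data = bytes(msg)
    if len(data) % 2:
        data += b'\x00'  # RFC 1071: pad the odd trailing byte with a zero low byte
    # sum the message as big-endian 16-bit words; struct works on both
    # Python 2 str and Python 3 bytes, unlike ord()-on-index
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    # fold every carry out of bit 16 back into the low word (end-around carry)
    while total >> 16:
        total = (total >> 16) + (total & 0xffff)
    # complement and mask to a 16-bit short
    return ~total & 0xffff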
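# create a raw socket -- this needs root / CAP_NET_RAW, and nothing the
# kernel TCP stack normally does (handshake, rate limiting) applies to it
import sys

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
except socket.error as exc:
    # .errno / .strerror are the portable attributes (the old msg[0]/msg[1]
    # indexing only works on Python 2); exit non-zero so callers see the failure
    print('Socket could not be created. Error Code : ' + str(exc.errno) + ' Message ' + str(exc.strerror))
    sys.exit(1)

# tell kernel not to put in headers, since we are providing it
# (IP_HDRINCL is also what makes spoofing the source address possible)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)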
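# now start constructing the packet
packet = ''
sourceip = '127.0.0.1'
destip = '127.0.0.1'  # or socket.gethostbyname('www.google.com')

# ip header fields
ihl = 5
version = 4
tos = 0
# 20-byte IP header + 20-byte TCP header; a bare SYN carries no data.
# NOTE(review): Linux rewrites total length / checksum under IP_HDRINCL, so
# the original's value of 20 "worked" there; other stacks do not, so build it correctly
totlen = 40
ip_id = 54321  # Id of this packet (renamed from `id`, which shadowed the builtin)
fragoff = 0
ttl = 255
protocol = socket.IPPROTO_TCP
check = 0  # 0 = let the kernel fill in the IP header checksum
saddr = socket.inet_aton(sourceip)  # Spoof the source ip address if you want to
daddr = socket.inet_aton(destip)
ihlversion = (version << 4) + ihl

# the ! in the pack format string means network order
ipheader = pack('!BBHHHBBH4s4s', ihlversion, tos, totlen, ip_id, fragoff, ttl, protocol, check, saddr, daddr)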
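# tcp header fields
# NOTE(review): a fixed source port and seq of 0 make every probe look identical,
# which is trivial to fingerprint; a real scanner would randomise both
source = 12345  # source port
dest = 5555  # destination port
seq = 0
ackseq = 0
doff = 5  # 4 bit field, size of tcp header, 5 * 4 = 20 bytes

# tcp flags
fin = 0
syn = 1
rst = 0
psh = 0
ack = 0
urg = 0
# maximum allowed window size, as a plain host-order int: pack('!H') below
# already converts to network order, so the original socket.htons(5840) was
# byte-swapped twice and advertised 53270 on little-endian hosts
window = 5840
check = 0  # must be 0 while the checksum is computed over the header
urgptr = 0
offsetres = (doff << 4) + 0
tcpflags = fin + (syn << 1) + (rst << 2) + (psh << 3) + (ack << 4) + (urg << 5)

# the ! in the pack format string means network order
tcpheader = pack('!HHLLBBHHH', source, dest, seq, ackseq, offsetres, tcpflags, window, check, urgptr)

# pseudo header fields for checksum calc: src, dst, zero, protocol, TCP length.
# It must carry the same (possibly spoofed) source address as the IP header,
# or the target's TCP checksum verification fails and the SYN is dropped.
sourceaddress = socket.inet_aton(sourceip)
destaddress = socket.inet_aton(destip)
placeholder = 0
protocol = socket.IPPROTO_TCP
tcplength = len(tcpheader)
# named pseudoheader rather than `psh`, which the original reused for the PSH flag
pseudoheader = pack('!4s4sBBH', sourceaddress, destaddress, placeholder, protocol, tcplength)
tcpchecksum = checksum(pseudoheader + tcpheader)

# make the tcp header again and fill the correct checksum
tcpheader = pack('!HHLLBBHHH', source, dest, seq, ackseq, offsetres, tcpflags, window, tcpchecksum, urgptr)

# final full packet - syn packets dont have any data
packet = ipheader + tcpheader

# Send the packet finally - the port specified has no effect.
# NOTE(review): no local socket owns port 12345, so the local kernel will
# presumably answer the SYN/ACK with a RST -- harmless for a scan, worth knowing
s.sendto(packet, (destip, 0))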
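# put this in a loop if you want to flood the target -- SYN flooding is a
# denial-of-service attack; only do this against hosts you are authorized to test

# tcp header fields
# NOTE(review): a fixed source port and seq of 0 make every probe look identical,
# which is trivial to fingerprint; a real scanner would randomise both
source = 12345  # source port
dest = 5555  # destination port
seq = 0
ackseq = 0
doff = 5  # 4 bit field, size of tcp header, 5 * 4 = 20 bytes

# tcp flags
fin = 0
syn = 1
rst = 0
psh = 0
ack = 0
urg = 0
# maximum allowed window size, as a plain host-order int: pack('!H') below
# already converts to network order, so the original socket.htons(5840) was
# byte-swapped twice and advertised 53270 on little-endian hosts
window = 5840
check = 0  # must be 0 while the checksum is computed over the header
urgptr = 0
offsetres = (doff << 4) + 0
tcpflags = fin + (syn << 1) + (rst << 2) + (psh << 3) + (ack << 4) + (urg << 5)

# the ! in the pack format string means network order
tcpheader = pack('!HHLLBBHHH', source, dest, seq, ackseq, offsetres, tcpflags, window, check, urgptr)

# pseudo header fields for checksum calc: src, dst, zero, protocol, TCP length.
# It must carry the same (possibly spoofed) source address as the IP header,
# or the target's TCP checksum verification fails and the SYN is dropped.
sourceaddress = socket.inet_aton(sourceip)
destaddress = socket.inet_aton(destip)
placeholder = 0
protocol = socket.IPPROTO_TCP
tcplength = len(tcpheader)
# named pseudoheader rather than `psh`, which the original reused for the PSH flag
pseudoheader = pack('!4s4sBBH', sourceaddress, destaddress, placeholder, protocol, tcplength)
tcpchecksum = checksum(pseudoheader + tcpheader)

# make the tcp header again and fill the correct checksum
tcpheader = pack('!HHLLBBHHH', source, dest, seq, ackseq, offsetres, tcpflags, window, tcpchecksum, urgptr)

# final full packet - syn packets dont have any data
packet = ipheader + tcpheader

# Send the packet finally - the port specified has no effect.
# NOTE(review): no local socket owns port 12345, so the local kernel will
# presumably answer the SYN/ACK with a RST -- harmless for a scan, worth knowing
s.sendto(packet, (destip, 0))

# put this in a loop if you want to flood the target (see the authorization note above)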