To perform an SNMP amplification attack, follow the given steps:

1. To get started, we should craft an SNMP query to be returned to our system to assess the size of the payload to be used. To send our SNMP query request, we must first build the layers of this request. The first layer that we will need to construct is the IP layer:

2. To build the IP layer of our request, we should assign the IP object to the variable i. By calling the display() function, we can identify the attribute configurations for the object. By default, both the sending and receiving addresses are set to the loopback address of 127.0.0.1. These values can be modified by changing the destination address by setting i.dst equal to the string value of the address of the nameserver to be queried. By calling the display() function again, we can see that not only has the destination address been updated, but Scapy will also automatically update the source IP address to the address associated with the default interface.
3. Now that we have constructed the IP layer of the request, we should proceed to the next layer. As SNMP is handled over UDP, the next layer to construct is the UDP layer:

4. To build the UDP layer of our request, we will use the same technique as we did for the IP layer. In the example provided, the UDP object was assigned to the u variable. As discussed earlier, the default configurations can be identified by calling the display() function. Here, we can see that the default value for both the source and destination ports is listed as domain. As you might likely suspect, this is to indicate the DNS service associated with the port 53. This needs to be changed to the port associated with SNMP:

5. To change the source port and destination port to SNMP, the integer value of 161 should be passed to it; this value corresponds to the UDP port associated with the service. These changes can be verified by once again calling the display() function. Now that the IP and UDP layers have been constructed, we need to build the SNMP layer:

6. To build the SNMP layer of our request, we will use the same technique as we did for both the IP and UDP layers. In the example provided, the SNMP object was assigned to the snmp variable. As discussed earlier, the default configurations can be identified by calling the display() function. Now that the IP, UDP, and SNMP layers have been constructed, we need to build a bulk request to substitute the SNMP GET request that is assigned by default to the PDU value:

7. To build the SNMPbulk() request, we will use the same technique as we did for the IP, UDP, and SNMP layers. In the example provided, the SNMPbulk() request was assigned to the bulk variable. As discussed earlier, the default configurations can be identified by calling the display() function. Here, we can see that there are several values that need to be modified:

8. The SNMP varbindlist needs to be modified to include the queried oid values. Additionally, max_repetitions was assigned the integer value of 50. Now that the bulk request has been configured, the bulk request object should be assigned as the SNMP PDU value:

9. We can verify that the bulk request has been assigned to the SNMP PDU value by calling the display() function. Now that the IP, UDP, and SNMP layers have been constructed and the bulk request has been configured and assigned to the SNMP layer, we can construct the request by stacking these layers:

10. The IP, UDP, and SNMP layers can be stacked by separating the variables with a forward slash. These layers can then be set equal to a new variable that will represent the entire request. The display() function can then be called to view the configurations for the request. Once the request has been built, this can then be passed to the send and receive functions so that we can analyze the response:

11. The response confirms that we have successfully built the desired request and have solicited a sizable payload in comparison to the relatively small request that was initially made. This entire process can similarly be performed with a simple one-liner command in Scapy. This command uses all of the same values that we discussed in the previous exercise:

12. To actually use this command as an attack, the source IP address needs to be changed to the IP address of the target system. By doing this, we should be able to redirect the payload to that victim. This can be done by changing the IP src value to the string equivalent of the target IP address:

13. The send() function should be used to send these spoofed requests, as no response is expected to be returned on the local interface. To confirm that the payload does arrive at the target system, a tcpdump command can be used to capture the incoming traffic:

14. In the example provided, tcpdump is configured to capture traffic going across the eth0 interface that originates from a source IP address of 172.16.69.129 (the IP address of the SNMP host).