Network Interfaces

Network interface is a device connecting a computer to a network
MAC address is associated with each network interfaces
Packets are transmitted between network interfaces
Most LAN broadcast frames
each network interface gets the frames intended for it
traffic sniffing can be accomplished by configuring the network interface to read all frames

Mac Address

• A MAC address is a 48-bit number usually represented in hex
• First 3 Octets of any MAC address are IEEE-assigned Organizational Unique Identifiers
  • each organization has a different Octets
• The next three can be assigned by organizations as they please, with uniqueness being the only constraint
• Organizations can utilize MAC addresses to identify computers on their network
• MAC address can be reconfigured by network interface driver software

Switch

Operates at the link layer, it has multiple ports and connected to computers
It learns the MAC address of each computer connected to it
Forward frames only to the destination computer

Combining switches

• Switches can be arrange into a tree
• Each port learns the MAC address of the machines in the subtree
• Fragments to unknown addresses are broadcast
• Frames to MAC addresses in the same segments as the sender are ignored

MAC Address Filtering

A switch can be configured to provide service to machines with specific MAC addresses, only allow MAC addresses need to be registered with a network administrator

MAC Spoofing attack

• Find out MAC address of target machine
• Reconfigure MAC address of rogue machine
• Turn off or unplug target machine

Viewing and Changing MAC Addresses

ARP

The address resolution protocol (ARP) connects the network layer to the data layer by converting IP addresses to MAC addresses
ARP works by broadcasting requests and caching responses for future use
Each devices has a ARP table that contains mapping of IP to physical MAC Address

ARP Spoofing

It assumes that machines trust each other
requests are not tracked and ARP announcements are not authenticated
Malicious machine can claim that the their MAC address has this IP address and in the future the malicious machine can receive everything that is intended for the target machine

Packet Sniffing and Spoofing

• Packets are received through Network Interface Card (NIC)'s MAC address
• NIC checks the destination address for every packet, if the address matches the cards MAC address, it is further copied into buffer in the kernel

Promiscuous Mode

• The frames that are not destined to a given NIC are discarded
• When operating in promiscuous mode, NIC passes every frame received from network to kernel
• If a sniffer program is registered with the kernel, it will be able to see all the packets

BSD Packet Filter (BPF)

BPF allow a user program to attach a filter to the socket which tells the kernel to discard unwanted packets

• Predefine a list of unwanted prefix of the code
• filter out those code

Packet Sniffing

Packet sniffing describes the process of capturing live data as they flow across a network

Receiving Packets Using Sockets

• Create the socket
• Provide information about server
• Receive packets
  

Receiving Packets Using Raw Sockets

Limitation

• Not portable across different operating systems
• setting filters is not easy
• program does not explore optimization to improve performance
• PCAP(packet capture) library
  • uses raw sockets internally
  • API is standard across all platforms
  • allow programmers to specify filtering rules using human readable boolean expressions

Packets Sniffing Using PCAP API

pcap_compile makes this code usable on multiple OS

Processing captured packets

Type Cast the Ethernet header to check if that is the intended protocol

IP Header

Strip off the ethernet header
typecast the IP header
You need to start at the correct byte for the typecast to work

Check the IP header for the protocol that you want be it TCP or UDP, etc

Further Processing

If we want to further process the packet, we use similar techinique

• calculate the correct header length
• type cast it

Packet Spoofing

When some critical information in the packet is forged, we refer to it as packet spoofing
Many network attacks rely on packet spoofing

Sending Packets without Spoofing

nc-> netcat
l-> listening
u-> local mode
v-> verbose

Spoofing Packets Using Raw Sockets

• Constructing the packet
• Sending the packet out
  
  You will want to set the packet header instead of letting the OS decide on the packets header
  Since it is a raw socket the system will send out the IP Packets as it is

Spoofing Packet: Constructing the Packet

We can fill in the source IP address as anything we want instead of the actual IP address of our system

Spoofing UDP Packets

1.2.3.4 is what is coded into the udp packet

Sniffing and then Spoofing

We Sniff the packet first and gain the relevant information and spoof the packet using these information that we get and replace the packet information with what we want to send

Packet Sniffing Using Scapy

from scapy.all import *

print("SNIFFING PACKETS")
def print_pkt(pkt):
	print("Source IP:",pkt[IP].src)
	print("Destination IP:",pkt[IP].dst)
	print("Protocol",pkt[IP].proto)
pkt = sniff(filter='icmp',prn=print_pkt)

prn is a call back function that is called when the packet matches the filter is found

Spoofing ICMP & UDP Using Scapy

from scapy.all import *

print("SENDING SPOOFED ICMP PACKET ...")
# Constructing a IP header
ip = IP(src='1.2.3.4',dst='93.184.216.34')
# Constructing ICMP info
icmp = ICMP()
pkt = ip/icmp
pkt.show()
send(pkt,verbose=0)

from scapy.all import *

print("SENDING SPOOFED UDP PACKET")
# Constructing a IP header
ip = IP(src='1.2.3.4',dst='10.0.2.69')
# UDP Layer
# sport -> source port
# dport -> destination port
udp = UDP(sport=8888,dport=9090)

data = 'Hello UDP!\n'
# Constructing packet
pkt = ip/udp/data
pkt.show()
send(pkt,verbose=0)

Sniffing and then Spoofing Using Scapy

from scapy.all import *
def spoof_pkt(pkt):
	if ICMP in pkt and pkt[ICMP].type == 8:
		print("Original Packet ...")
		print("Source IP:", pkt[IP].src)
		print("Destination IP:",pkt[IP].dst)
		ip = IP(src=pkt[IP].dst,dst=pkt[IP].src,ihl=pkt[IP].ihl)
		icmp = ICMP(type=0,id=pkt[ICMP].id,seq=pkt[ICMP].seq)
		data = pkt[Raw].load
		newpkt = ip/icmp/data
		print("spoofed Packet...")
		print("Source IP:", newpkt[IP].src)
		print("Destination IP:",newpkt[IP].dst)
		send(newpkt,verbose=0)
pkt = sniff(filter='icmp and src host 10.0.2.69', prn=spoof_pkt)

• if ICMP in pkt and pkt[ICMP].type == 8:
  • checks for the protocol if it is ICMP and is it type 8 which is echo request
• ip = IP(src=pkt[IP].dst, dst=pkt[IP].src, ihl=pkt[IP].ihl)
  • A new IP header is created, swapping the source and destination IP addresses. The Internet Header Length (ihl) is copied from the original packet.
• icmp = ICMP(type=0, id=pkt[ICMP].id, seq=pkt[ICMP].seq)
  • A new ICMP header is created with a type of 0 (which represents an ICMP echo reply), and the ID and sequence numbers are copied from the original packet.
• data = pkt[Raw].load
  • The payload (or data) of the original packet is copied.
• pkt = sniff(filter='icmp and src host 10.0.2.69', prn=spoof_pkt)
  • The script sniffs incoming ICMP packets with a source IP address of 10.0.2.69 and passes them to the spoof_pkt function for spoofing.
    This script is to intercept ICMP echo request packets (often known as "ping" packets) and respond to them with a spoofed ICMP echo reply. Essentially, the script acts as if it's the intended destination of the original ICMP request by crafting a reply and sending it back.

Endianness

Endianness refers to the order in which a given multibyte data item is stored in memory

• little Endian store the most significant byte of data at the highest address
• big endian store the most significant byte of data at the lowest address

Packet sniffing and spoofing lab

The lab is carried under guidance of seed lab to have better understanding of how packet sniffing and spoofing is done in a local network. The result of the lab can be found in 3.1Packet Sniffing and Spoofing