Packet Sniffing And Spoofing

Packet Sniffing and Spoofing
CS 335: Special Topic in Cyber Security

How Packets Are Received
- A NIC (Network Interface Card) is a physical or logical link between a machine and a network.
- Each NIC has a MAC address.
- On a shared medium (a hub, or the air in Wi-Fi) every NIC on the network hears all the frames on the wire. A switch only forwards a frame to the port that owns its destination MAC, so on a switched LAN a sniffer normally sees only broadcast, multicast and its own traffic unless a port is mirrored or the traffic is redirected (for example by ARP spoofing).
- The NIC checks the destination address of every frame; if the address matches the card's MAC address (or a broadcast/multicast address it accepts), the frame is copied into a buffer in the kernel.

Promiscuous Mode
- Frames that are not destined to a given NIC are discarded by the card.
- When operating in promiscuous mode, the NIC passes every frame received from the network to the kernel.
- If a sniffer program is registered with the kernel, it will be able to see all of these packets.
- In Wi-Fi the corresponding capability is monitor mode, which captures raw 802.11 frames (including management frames and frames of networks the card is not associated with); promiscuous mode on a Wi-Fi adapter only covers the network the card has joined.

2.4 GHz Channels (figure): channels 1, 6 and 11 do not overlap with one another.

BSD Packet Filter (BPF)
- BPF allows a user program to attach a filter to the socket, which tells the kernel to discard unwanted packets.
- The slide shows an example of the compiled BPF code.

BSD Packet Filter (BPF)
setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf))
- Compiled BPF pseudo-code (a struct sock_fprog on Linux) can be attached to a socket through setsockopt().
- When a packet is received by the kernel, the BPF program is run against it.
- An accepted packet is queued to the socket; a rejected one is dropped for that socket only, the kernel's own protocol processing of the packet is unaffected. See the diagram on the following slide.

Packet Flow With/Without Filters (diagram)

Packet Sniffing
Packet sniffing describes the process of capturing live data as they flow across a network. Let's first see how computers receive packets.

IPv4 Socket Address Structure
In struct sockaddr_in, the port number (sin_port) and the IP address (sin_addr) are stored in *network byte order*: fill them in with htons()/htonl() and read them back with ntohs()/ntohl().

Addresses
- INADDR_LOOPBACK (127.0.0.1) always refers to the local host via the loopback device.
- INADDR_ANY (0.0.0.0), used when binding, means any address of the local host.
- INADDR_BROADCAST (255.255.255.255) is the limited broadcast address: a packet sent to it reaches every host on the local link and is never forwarded by routers.

Functions
- Create an endpoint for communication:
  int socket(int domain, int type, int protocol);
- Bind a name to a socket:
  int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
- Receive a message from a socket:
  ssize_t recvfrom(int sockfd, void *buf, size_t len, int flags, struct sockaddr *src_addr, socklen_t *addrlen);

Receiving Packets Using Socket
The program on the slide: (1) creates the socket, (2) provides information about the server (the address and port to bind), (3) receives packets.

Receiving Packets Using Raw Socket
The program on the slide: (1) creates a raw socket, (2) asks to capture all types of packets, (3) enables promiscuous mode, (4) waits for packets.

Limitation of the Approach
- This program is not portable across different operating systems.
- Setting filters is not easy.
- The program does not explore any optimization to improve performance.
- The PCAP library was thus created.
  - It still uses the operating system's raw capture mechanism internally (packet sockets on Linux, the BPF device on BSD and macOS, Npcap on Windows), but its API is the same across all platforms; the OS specifics are hidden by PCAP's implementation.
  - It allows programmers to specify filtering rules using human-readable Boolean expressions (for example "icmp" or "udp and dst port 53"), which it compiles into BPF code.

Packet Sniffing Using the pcap API
The program on the slide, annotated: pcap_open_live() initializes the capture (a raw socket underneath) and puts the network device into promiscuous mode; pcap_compile() and pcap_setfilter() install the filter; pcap_loop() invokes the callback function for every captured packet.

Processing Captured Packet: Ethernet Header
The packet argument of the callback contains a copy of the packet, including the Ethernet header. We typecast it to the Ethernet header structure; now we can access the fields of the structure.

Ethernet Frame (diagram)

Processing Captured Packet: IP Header
Find where the IP header starts (right after the 14-byte Ethernet header), and typecast it to the IP header structure. Now we can easily access the fields in the IP header.

Further Processing Captured Packet
- If we want to further process the packet, such as printing out the TCP, UDP or ICMP header, we can use the same technique: move the pointer to the beginning of the next header and typecast.
- We need to use the header length field (IHL, counted in 32-bit words) of the IP header to calculate the actual size of the IP header; it is 20 bytes only when no IP options are present.
- In the example on the slide, if we know the next header is ICMP, we get a pointer to the ICMP part by adding that header length to the start of the IP header.
- Before each typecast, check that the captured length (caplen) actually covers the header about to be read; pcap may have captured fewer bytes than the packet carried.
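The header walk described on the last three slides, as an added example rather than the slides' own code: Ethernet, then IPv4 using the IHL field to locate the transport header, then ICMP or UDP, with a length check before every header is read. The header structs are minimal ones defined here (the slides use their own), fields are copied out with memcpy rather than typecast so misaligned buffers are not a problem, and the sample frame is constructed for the example (an IP header with four NOP options, so IHL is 6 and a fixed 20-byte offset would land in the wrong place).

```c
/* Added example: parsing a captured frame with bounds checks. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* ntohs, inet_ntop */

/* Wire layouts; every field sits at its natural offset, so no padding. */
struct ethheader  { uint8_t ether_dhost[6]; uint8_t ether_shost[6]; uint16_t ether_type; };
struct ipheader   { uint8_t ip_vhl; uint8_t ip_tos; uint16_t ip_len; uint16_t ip_id;
                    uint16_t ip_off; uint8_t ip_ttl; uint8_t ip_p; uint16_t ip_sum;
                    uint32_t ip_src; uint32_t ip_dst; };
struct icmpheader { uint8_t icmp_type; uint8_t icmp_code; uint16_t icmp_sum;
                    uint16_t icmp_id; uint16_t icmp_seq; };
struct udpheader  { uint16_t udp_sport; uint16_t udp_dport; uint16_t udp_len; uint16_t udp_sum; };

struct parsed {
    uint8_t  ip_proto, icmp_type, icmp_code;
    uint16_t ip_hlen;              /* IHL * 4; more than 20 when options are present */
    uint32_t src, dst;             /* network byte order, as on the wire */
    uint16_t sport, dport;         /* UDP only, converted to host order */
    const uint8_t *payload; size_t payload_len;
};

/* Walk Ethernet -> IPv4 -> ICMP/UDP. Returns 0 on success or a negative
 * code naming the check that failed; `out` is only valid on 0. */
int parse_frame(const uint8_t *pkt, size_t caplen, struct parsed *out)
{
    struct ethheader eth; struct ipheader ip;
    memset(out, 0, sizeof *out);
    if (caplen < sizeof eth) return -1;
    memcpy(&eth, pkt, sizeof eth);                    /* memcpy: no unaligned access */
    if (ntohs(eth.ether_type) != 0x0800) return -2;   /* not IPv4 */

    const uint8_t *p = pkt + sizeof eth;
    size_t rem = caplen - sizeof eth;
    if (rem < sizeof ip) return -3;
    memcpy(&ip, p, sizeof ip);
    if ((ip.ip_vhl >> 4) != 4) return -4;
    out->ip_hlen = (uint16_t)((ip.ip_vhl & 0x0f) * 4);   /* from IHL, not sizeof */
    if (out->ip_hlen < 20 || rem < out->ip_hlen) return -5;
    size_t ip_total = ntohs(ip.ip_len);
    if (ip_total < out->ip_hlen) return -6;
    if (ip_total > rem) ip_total = rem;               /* never trust ip_len past caplen */
    out->ip_proto = ip.ip_p; out->src = ip.ip_src; out->dst = ip.ip_dst;

    const uint8_t *l4 = p + out->ip_hlen;
    size_t l4len = ip_total - out->ip_hlen;
    if (ip.ip_p == 1) {                               /* ICMP */
        struct icmpheader icmp;
        if (l4len < sizeof icmp) return -7;
        memcpy(&icmp, l4, sizeof icmp);
        out->icmp_type = icmp.icmp_type; out->icmp_code = icmp.icmp_code;
        out->payload = l4 + sizeof icmp; out->payload_len = l4len - sizeof icmp;
    } else if (ip.ip_p == 17) {                       /* UDP */
        struct udpheader udp;
        if (l4len < sizeof udp) return -8;
        memcpy(&udp, l4, sizeof udp);
        out->sport = ntohs(udp.udp_sport); out->dport = ntohs(udp.udp_dport);
        out->payload = l4 + sizeof udp; out->payload_len = l4len - sizeof udp;
    } else {                                          /* TCP etc.: left to the caller */
        out->payload = l4; out->payload_len = l4len;
    }
    return 0;
}

/* Constructed sample: Ethernet + IPv4 with IHL=6 (four NOP options) + UDP
 * 10.0.2.4:40000 -> 10.0.2.5:9090 carrying "hello". Checksums left at 0. */
static const uint8_t sample_frame[] = {
    0x52,0x54,0x00,0x12,0x35,0x02, 0x08,0x00,0x27,0xaa,0xbb,0xcc, 0x08,0x00,
    0x46,0x00, 0x00,0x25, 0x12,0x34, 0x40,0x00, 0x40,0x11, 0x00,0x00,
    10,0,2,4, 10,0,2,5, 0x01,0x01,0x01,0x01,
    0x9c,0x40, 0x23,0x82, 0x00,0x0d, 0x00,0x00,
    'h','e','l','l','o'
};

int main(void)
{
    struct parsed p; char s[16], d[16];
    int rc = parse_frame(sample_frame, sizeof sample_frame, &p);
    if (rc != 0) { printf("rejected: %d\n", rc); return 1; }
    inet_ntop(AF_INET, &p.src, s, sizeof s); inet_ntop(AF_INET, &p.dst, d, sizeof d);
    printf("%s:%u -> %s:%u proto %u iphdr %u bytes payload %zu bytes\n",
           s, p.sport, d, p.dport, p.ip_proto, p.ip_hlen, p.payload_len);
    return 0;
}
```

In a pcap program the callback would call parse_frame(packet, header->caplen, &p); the truncation checks matter because pcap_open_live() takes a snapshot length and a sniffer that trusts ip_len instead of caplen reads past the captured buffer.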

Packet Spoofing
- When some critical information in the packet is forged, we refer to it as packet spoofing.
- Many network attacks rely on packet spoofing.
- Let's first see how to send packets without spoofing.

Sending Packets Without Spoofing
Testing: use the netcat (nc) command to run a UDP server on 10.0.2.5. We then run the program on the slide from another machine. We can see that the message has been delivered to the server machine.

Spoofing Packets Using Raw Sockets
There are two major steps in packet spoofing:
- Constructing the packet
- Sending the packet out

Spoofing Packets Using Raw Sockets
- We use setsockopt() to enable IP_HDRINCL on the socket, telling the kernel that the IP header is included in the data we send.
- For raw socket programming, since the destination information is already included in the IP header we provide, we do not need to fill all the fields of the sockaddr_in passed to sendto(): the address family and the destination address are enough.
- Since the socket is a raw socket, the system will send out the IP packet as is. (On Linux the kernel still fills in the IP header checksum, and the identification and source address fields if they are zero; the total length field must be in network byte order.)

Spoofing Packets: Constructing the Packet
Fill in the ICMP header: find the starting point of the ICMP header (right after the IP header in the buffer), typecast it to the ICMP structure, and fill in the ICMP header fields.

Spoofing Packets: Constructing the Packet
Fill in the IP header: typecast the buffer to the IP structure and fill in the IP header fields. Finally, send out the packet with sendto() on the raw socket.
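The two steps above carried through in code, as an added example and not the program on the slides: build_icmp_echo() fills the ICMP header and data, then the IP header with a forged source address, computing both checksums, and send_raw() hands the buffer to a SOCK_RAW socket with IP_HDRINCL. The header structs are minimal ones defined here, and the addresses 1.2.3.4 (forged source) and 10.0.2.5 (the server used on the slides) are assumptions for the demonstration. Only send_raw() needs root; the construction can be checked unprivileged.

```c
/* Added example: constructing and sending a spoofed ICMP echo request. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct ipheader   { uint8_t ip_vhl; uint8_t ip_tos; uint16_t ip_len; uint16_t ip_id;
                    uint16_t ip_off; uint8_t ip_ttl; uint8_t ip_p; uint16_t ip_sum;
                    uint32_t ip_src; uint32_t ip_dst; };
struct icmpheader { uint8_t icmp_type; uint8_t icmp_code; uint16_t icmp_sum;
                    uint16_t icmp_id; uint16_t icmp_seq; };

/* RFC 1071 one's-complement checksum, returned as a host-order number that
 * the caller stores as two big-endian bytes. Over a buffer whose checksum
 * field is already correct the result is 0. */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, data += 2) sum += (uint32_t)data[0] << 8 | data[1];
    if (len == 1) sum += (uint32_t)data[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write IPv4 + ICMP echo request from `src` (any address we like: this is
 * the spoofed field) to `dst` into `buf`, which must hold at least
 * 28 + strlen(data) bytes. Returns the packet length, 0 if an address is bad. */
size_t build_icmp_echo(uint8_t *buf, const char *src, const char *dst,
                       uint16_t id, uint16_t seq, const char *data)
{
    struct ipheader ip; struct icmpheader icmp; struct in_addr s, d;
    size_t dlen = strlen(data), total = sizeof ip + sizeof icmp + dlen;
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1) return 0;

    /* ICMP header at offset 20, then the data; the checksum covers both. */
    memset(&icmp, 0, sizeof icmp);
    icmp.icmp_type = 8; icmp.icmp_code = 0;             /* echo request */
    icmp.icmp_id = htons(id); icmp.icmp_seq = htons(seq);
    memcpy(buf + sizeof ip, &icmp, sizeof icmp);
    memcpy(buf + sizeof ip + sizeof icmp, data, dlen);
    uint16_t c = in_cksum(buf + sizeof ip, sizeof icmp + dlen);
    buf[sizeof ip + 2] = (uint8_t)(c >> 8); buf[sizeof ip + 3] = (uint8_t)c;

    /* IP header: sent byte-for-byte by the kernel under IP_HDRINCL. */
    memset(&ip, 0, sizeof ip);
    ip.ip_vhl = 0x45; ip.ip_ttl = 64; ip.ip_p = IPPROTO_ICMP;
    ip.ip_len = htons((uint16_t)total);                 /* Linux: network order */
    ip.ip_src = s.s_addr;                               /* forged source address */
    ip.ip_dst = d.s_addr;
    memcpy(buf, &ip, sizeof ip);
    uint16_t h = in_cksum(buf, sizeof ip);              /* ip_sum is still 0 here */
    buf[10] = (uint8_t)(h >> 8); buf[11] = (uint8_t)h;
    return total;
}

/* Hand the finished packet to a raw socket. Needs CAP_NET_RAW (root). */
int send_raw(const uint8_t *pkt, size_t len)
{
    struct ipheader ip; memcpy(&ip, pkt, sizeof ip);
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) { perror("socket"); return -1; }
    int one = 1;                                        /* "IP header is included" */
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
        perror("IP_HDRINCL"); close(sock); return -1;
    }
    struct sockaddr_in to; memset(&to, 0, sizeof to);   /* only family + address matter */
    to.sin_family = AF_INET; to.sin_addr.s_addr = ip.ip_dst;
    ssize_t n = sendto(sock, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    if (n < 0) perror("sendto");
    close(sock);
    return n < 0 ? -1 : 0;
}

int main(void)
{
    uint8_t pkt[1500];
    size_t len = build_icmp_echo(pkt, "1.2.3.4", "10.0.2.5", 0x1234, 1, "spoofed");
    printf("built %zu-byte echo request, ip cksum ok=%d icmp cksum ok=%d\n", len,
           in_cksum(pkt, 20) == 0, in_cksum(pkt + 20, len - 20) == 0);
    return send_raw(pkt, len) == 0 ? 0 : 1;
}
```

The echo reply, if any, goes to 1.2.3.4, not to the sender: that is the point of spoofing and also why the effect is easiest to confirm with a sniffer on the victim rather than by waiting for a reply. The ICMP checksum must be computed in user space (the kernel only fixes up the IP header), and it covers the data as well as the header.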

Spoofing UDP Packets
Constructing UDP packets is similar, except that we need to include the payload data now. The UDP length field covers the header plus the payload, and the UDP checksum may be left at 0 for IPv4 (where it is optional), which avoids computing the pseudo-header checksum.

Spoofing UDP Packets (continued)
Testing: use the nc command to run a UDP server on 10.0.2.5. We then spoof a UDP packet from another machine. We can see that the spoofed UDP packet was received by the server machine.

Sniffing and Then Spoofing
In many situations, we need to capture packets first, and then spoof a response based on the captured packets. Procedure (using UDP as an example):
- Use the PCAP API to capture the packets of interest
- Make a copy of the captured packet
- Replace the UDP data field with a new message and swap the source and destination fields (IP addresses and UDP ports)
- Send out the spoofed reply
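The copy-swap-replace step of the procedure above as an added example (not the slides' code): craft_udp_reply() takes a captured IPv4/UDP packet as the pcap callback would supply it minus the 14-byte Ethernet header, and produces the spoofed reply with source and destination swapped and a new payload. The header structs are minimal ones defined here, the captured request is constructed for the example, the IP checksum is left at 0 on the assumption that the packet is sent through a Linux IP_HDRINCL raw socket (which fills it in; on other systems compute it before sending), and the UDP checksum is 0 because it is optional over IPv4.

```c
/* Added example: turning a captured UDP request into a spoofed reply. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct ipheader  { uint8_t ip_vhl; uint8_t ip_tos; uint16_t ip_len; uint16_t ip_id;
                   uint16_t ip_off; uint8_t ip_ttl; uint8_t ip_p; uint16_t ip_sum;
                   uint32_t ip_src; uint32_t ip_dst; };
struct udpheader { uint16_t udp_sport; uint16_t udp_dport; uint16_t udp_len; uint16_t udp_sum; };

/* Build the spoofed reply to a captured IPv4/UDP datagram. `captured`
 * starts at the IP header. Returns the reply length, or 0 if the input is
 * not a complete UDP packet or `out` cannot hold the reply. */
size_t craft_udp_reply(const uint8_t *captured, size_t caplen,
                       const char *msg, uint8_t *out, size_t outcap)
{
    struct ipheader ip; struct udpheader udp;
    if (caplen < sizeof ip) return 0;
    memcpy(&ip, captured, sizeof ip);
    size_t hl = (size_t)(ip.ip_vhl & 0x0f) * 4;        /* honour IHL: options may be present */
    if ((ip.ip_vhl >> 4) != 4 || hl < 20 || ip.ip_p != 17) return 0;
    if (caplen < hl + sizeof udp) return 0;
    memcpy(&udp, captured + hl, sizeof udp);

    size_t mlen = strlen(msg), total = sizeof ip + sizeof udp + mlen;
    if (total > outcap || total > 0xffff) return 0;

    /* 1. Copy the captured IP header, then rewrite it as a plain 20-byte
     *    header for the reply (options from the request are not echoed). */
    struct ipheader rip = ip;
    rip.ip_vhl = 0x45;
    rip.ip_len = htons((uint16_t)total);
    rip.ip_id  = 0;                  /* Linux chooses an ID when this is 0 */
    rip.ip_off = 0;
    rip.ip_ttl = 64;
    rip.ip_sum = 0;                  /* filled in by Linux under IP_HDRINCL */
    /* 2. Swap the endpoints so the packet appears to come from the server. */
    rip.ip_src = ip.ip_dst;
    rip.ip_dst = ip.ip_src;
    struct udpheader rudp;
    rudp.udp_sport = udp.udp_dport;
    rudp.udp_dport = udp.udp_sport;
    rudp.udp_len   = htons((uint16_t)(sizeof udp + mlen));
    rudp.udp_sum   = 0;              /* no checksum: permitted for UDP over IPv4 */
    /* 3. Replace the data field with the new message. */
    memcpy(out, &rip, sizeof rip);
    memcpy(out + sizeof rip, &rudp, sizeof rudp);
    memcpy(out + sizeof rip + sizeof rudp, msg, mlen);
    return total;
}

/* Constructed capture: IPv4/UDP 10.0.2.4:40000 -> 10.0.2.5:9090, "hello",
 * as it looks after skipping the Ethernet header. */
static const uint8_t captured_request[] = {
    0x45,0x00, 0x00,0x21, 0xbe,0xef, 0x40,0x00, 0x40,0x11, 0x00,0x00,
    10,0,2,4, 10,0,2,5,
    0x9c,0x40, 0x23,0x82, 0x00,0x0d, 0x00,0x00,
    'h','e','l','l','o'
};

int main(void)
{
    uint8_t reply[1500]; char s[16], d[16];
    size_t n = craft_udp_reply(captured_request, sizeof captured_request,
                               "spoofed reply", reply, sizeof reply);
    if (n == 0) { puts("not a usable UDP packet"); return 1; }
    inet_ntop(AF_INET, reply + 12, s, sizeof s);
    inet_ntop(AF_INET, reply + 16, d, sizeof d);
    printf("reply: %s:%u -> %s:%u, %zu bytes, payload \"%.*s\"\n",
           s, reply[20] << 8 | reply[21], d, reply[22] << 8 | reply[23],
           n, (int)(n - 28), reply + 28);
    /* The reply then goes out with sendto() on a SOCK_RAW socket that has
     * IP_HDRINCL set, exactly as on the spoofing slides. */
    return 0;
}
```

In the full program the pcap callback calls this with packet + 14 and header->caplen - 14, after a filter such as "udp and dst port 9090" has narrowed the capture to the requests of interest, and sends the result before the real server answers; the race with the genuine reply is why the capture filter and the construction are kept as cheap as possible.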

UDP Packet

UDP Packet (Continued)

Packet Sniffing Using Scapy

Spoofing ICMP &amp; UDP Using Scapy

Sniffing and Then Spoofing Using Scapy

Packet Spoofing: Scapy vs. C
- Python Scapy
  - Pros: constructing packets is very simple
  - Cons: much slower than C code
- C program (using raw sockets)
  - Pros: much faster
  - Cons: constructing packets is complicated
- Hybrid approach
  - Use Scapy to construct the packets
  - Use C to slightly modify the packets and then send them

Endianness
Endianness is a term that refers to the order in which a given multi-byte data item is stored in memory.
- Little endian: the most significant byte of the data is stored at the highest address
- Big endian: the most significant byte of the data is stored at the lowest address

Endianness in Network Communication
- Computers with different byte orders will "misunderstand" each other.
- Solution: agree upon a common order for communication. This is called "network order", which is the same as big-endian order.
- All computers need to convert data between "host order" and "network order" (htons()/htonl() when sending, ntohs()/ntohl() when receiving).
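What the host/network conversion does to a real header field, as an added example (not from the slides): the same two wire bytes decoded three ways, the arithmetic form that is correct on any host, the ntohs() form the socket API expects, and the unconverted read that silently turns port 53 into 13568 on a little-endian machine. The wire bytes are constructed for the example.

```c
/* Added example: host order versus network order on one packet field. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed wire bytes: UDP port 53 and the address 10.0.2.5 as they
 * appear in a packet (most significant byte first). */
static const uint8_t wire_port[2] = { 0x00, 0x35 };
static const uint8_t wire_addr[4] = { 10, 0, 2, 5 };

/* Decoding by arithmetic does not depend on the host's byte order. */
uint16_t load_be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
uint32_t load_be32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
void store_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* The socket-API way: copy the field out of the packet, then ntohs(). */
uint16_t port_via_ntohs(const uint8_t *p) { uint16_t raw; memcpy(&raw, p, 2); return ntohs(raw); }

/* The bug: reading the field as a host-order integer. On a little-endian
 * host the bytes 00 35 read back as 0x3500 = 13568 instead of 53. */
uint16_t port_without_conversion(const uint8_t *p) { uint16_t raw; memcpy(&raw, p, 2); return raw; }

int host_is_little_endian(void) { uint16_t x = 1; uint8_t b; memcpy(&b, &x, 1); return b == 1; }

/* ntohs() is the identity exactly on big-endian hosts, which is why code
 * that forgets it still "works" there and breaks on x86. */
int ntohs_is_identity(void) { return ntohs(0x1234) == 0x1234; }
```

The same rule applies to every multi-byte field in the headers on the earlier slides: ip_len, the ports, the checksum and the addresses are all read with ntohs()/ntohl() and written with htons()/htonl(), and a value that looks plausible on one host but absurd on another (a port above 60000, a length of thousands of bytes for a tiny packet) is the usual sign of a missing conversion.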

Summary
- Packet sniffing: using raw sockets; using the PCAP API
- Packet spoofing using raw sockets
- Sniffing and then spoofing
- Endianness
