Lab 01 - Packet Sniffing and Spoofing

Environment Setup

In this lab, the virtual machine's network interface must be in promiscuous mode so that it can listen to and capture all the traffic on the network, not only the frames addressed to it. To set promiscuous mode on the virtual machine:

  1. If the VMware program is already running, shut down all VMware guests and close the VMware program.
  2. Locate the VMX file in the SEEDUbuntu image folder (for example, SEEDUbuntu-16.04-32bit.vmx)
  3. Edit the file, locate the Ethernet section, and add the following new entry for each Ethernet adapter that should operate in promiscuous mode.

    ethernet%d.noPromisc = "FALSE"

    Replace %d with the ethernet number, for example, ethernet0.noPromisc = "FALSE".

  4. Run the VMware program.
  5. Start the SEEDUbuntu machine; its interface will now operate in promiscuous mode.
  6. Use PuTTY to log in to the SEEDUbuntu and check its IP address.
    • SEEDUbuntu VM:
  7. In the home directory, create a sub-directory and change the working directory to it.

    cd ~
    mkdir sniffspoof
    cd sniffspoof

1.1 Sniffing Packets

  1. This section shows sample Python code to sniff IP packets. In your working directory, create the Python program by typing nano sample.py, pressing ENTER, and entering the following code:
    #!/usr/bin/python
    from scapy.all import *
    
    print("SNIFFING PACKETS...")
    
    def print_pkt(pkt):
        pkt.show()
    
    pkt = sniff(filter='icmp', prn=print_pkt)
  2. Now run the above code with root privileges by entering sudo python sample.py.
  3. On your Windows system, open a Command Prompt window and enter the following command to send a single ping to the SEEDUbuntu Linux machine.

    ping 192.168.247.xxx -n 1

    (where the 192.168.247.xxx is the IP address of the SEEDUbuntu)

  4. On the SEEDUbuntu, you will see that the program acts as a sniffer and captures the ping request sent by the other machine on the same network. Record the output here:
  5. Press CTRL+C to stop the Python program.
  6. If you run the same program without root privileges by entering python sample.py, you will get an error message, because opening the packet socket that sniffing needs requires root (the CAP_NET_RAW capability). Write down the error message that shows socket.error (usually on the last line) here:

Capture any TCP packet that comes from a particular IP address and has destination port 23.

  1. On Windows, open a Command Prompt window and enter ipconfig to find the Windows IP address of the VMware Network Adapter VMnet<number>.
    Your Windows IP address:
  2. Enter nano sample2.py and type the Python code below, which sniffs TCP traffic from a specific host (your Windows machine) to port 23.
    #!/usr/bin/python
    from scapy.all import *
    
    print("SNIFFING PACKETS...")
    
    def print_pkt(pkt):
        pkt.show()
    
    pkt = sniff(filter='tcp and (src host 192.168.247.xxx and dst port 23)', prn=print_pkt)
    (192.168.247.xxx is the Windows IP address)
  3. Enter the clear command to clear the screen, then click the PuTTY icon at the top-left of the PuTTY window and select Clear Scrollback.
  4. Enter sudo python sample2.py to start sniffing packets.
  5. On Windows, enter telnet <SEEDUbuntu IP Address>.
  6. On the SEEDUbuntu, you will see that the sniffer captures the telnet packets sent from the Windows host; the first one is the TCP SYN that opens the connection (flags = S). Scroll up to the first captured packet and fill in proto, src, dst and dport from the captured output.

    SNIFFING PACKETS...
    ###[ Ethernet ]###
      dst       = 00:0c:29:e9:42:f2
      src       = 00:00:11:22:33:44
      type      = IPv4
    ###[ IP ]###
         version   = 4
         ihl       = 5
         tos       = 0x0
         len       = 52
         id        = 2080
         flags     = DF
         frag      = 0
         ttl       = 128
         proto     =
         chksum    = 0x82cd
         src       =
         dst       =
         \options \
    ###[ TCP ]###
            sport     = 58241
            dport     =
            seq       = 1910557118
            ack       = 0
            dataofs   = 8
            reserved  = 0
            flags     = S
            window    = 64240
            chksum    = 0xe510
            urgptr    = 0
            options = [('MSS', 1460), ('NOP', None), ('WScale', 8), ('NOP', None), ('NOP', None), ('SAckOK', b'')]

Capture packets that come from or go to a particular subnet.

You can pick any subnet, such as 128.230.0.0/16; you should not pick the subnet that your VM is attached to.

  1. The Python code below sniffs all traffic whose source address is in a given subnet, to any destination (the filter says nothing about the protocol, so it matches ICMP as well as TCP). Use the nano sample3.py command to create the code.
    #!/usr/bin/python
    from scapy.all import *
    
    print("SNIFFING PACKETS...")
    
    def print_pkt(pkt):
        pkt.show()
    
    pkt = sniff(filter='src net 173.194.208.0/24', prn=print_pkt)
  2. Run the above code with root privileges by entering sudo python sample3.py.
  3. Open a second connection to the SEEDUbuntu by launching PuTTY again and logging in. Then enter the ping 173.194.208.103 -c 1 command.
  4. On the SEEDUbuntu, you will see that after the ICMP echo request goes out to 173.194.208.103, the sniffer captures the echo reply that comes back from 173.194.208.103 (the outgoing request is not shown, because src net only matches the source address). Scroll up to the first captured packet and fill in proto, src, dst and type from the captured output.

    SNIFFING PACKETS...
    ###[ Ethernet ]###
      dst       = 00:0c:29:5f:12:4d
      src       = 00:50:56:e0:6e:2b
      type      = 0x800
    ###[ IP ]###
         version = 4
         ihl     = 5
         tos     = 0x0
         len     = 84
         id      = 56061
         flags   =
         frag    = 0
         ttl     = 128
         proto   =
         chksum  = 0x2957
         src     =
         dst     =
         \options \
    ###[ ICMP ]###
            type    =
            code    = 0
            chksum  = 0x7590
            id      = 0x34ee
            seq = 0x1
    ###[ Raw ]###
               load = '\xebNk_\x0e\xcf\x05\x00\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'
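
What the Scapy sniffer is doing underneath, as an added example that is not part of the original lab and needs neither Scapy nor root: a standard-library Python dissector for the Ethernet, IPv4, ICMP and TCP headers that pkt.show() prints, plus a function that applies the three BPF filters used in this section (icmp; tcp and src host ... and dst port 23; src net .../24) to dissected frames. The frames it runs on are constructed inside the block, with placeholder MAC and IP addresses in the lab's 192.168.247.0/24 range and zeroed checksums; nothing is captured from a network, so it can be run anywhere to check what each filter would and would not match before running the real sniffer with sudo.

```python
import struct
import ipaddress

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Dissect Ethernet / IPv4 / {ICMP, TCP} into the fields pkt.show() prints.
    Returns a dict keyed by layer name; raises ValueError on truncated input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"Ethernet": {"dst": _mac(dst), "src": _mac(src), "type": ethertype}}
    if ethertype != ETH_IPV4:
        return layers                      # ARP, IPv6, ...: not dissected here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    (vihl, tos, total_len, ident, flags_frag,
     ttl, proto, chksum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4                # header length in bytes (options included)
    layers["IP"] = {"version": vihl >> 4, "ihl": ihl // 4, "tos": tos, "len": total_len,
                    "id": ident, "flags": flags_frag >> 13, "frag": flags_frag & 0x1FFF,
                    "ttl": ttl, "proto": proto, "chksum": chksum,
                    "src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d))}
    payload = ip[ihl:total_len]
    if proto == PROTO_ICMP and len(payload) >= 8:
        t, code, csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
        layers["ICMP"] = {"type": t, "code": code, "chksum": csum, "id": ident, "seq": seq}
        layers["Raw"] = payload[8:]        # ping data, shown by Scapy as the Raw layer
    elif proto == PROTO_TCP and len(payload) >= 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", payload[:16])
        layers["TCP"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                         "dataofs": off_flags >> 12, "flags": off_flags & 0x1FF, "window": window}
    return layers


def matches(layers, proto=None, src_host=None, dst_port=None, src_net=None):
    """Python rendering of the three BPF filters used in this section:
         'icmp'                                  -> proto="icmp"
         'tcp and (src host H and dst port 23)'  -> proto="tcp", src_host=H, dst_port=23
         'src net 173.194.208.0/24'              -> src_net="173.194.208.0/24"
    As in BPF every condition given must hold, and 'src net' looks only at the source."""
    ip = layers.get("IP")
    if ip is None:
        return False
    if proto == "icmp" and ip["proto"] != PROTO_ICMP:
        return False
    if proto == "tcp" and ip["proto"] != PROTO_TCP:
        return False
    if src_host is not None and ip["src"] != src_host:
        return False
    if dst_port is not None and layers.get("TCP", {}).get("dport") != dst_port:
        return False
    if src_net is not None and ipaddress.IPv4Address(ip["src"]) not in ipaddress.IPv4Network(src_net):
        return False
    return True


def sniff_offline(frames, **bpf):
    """Offline stand-in for sniff(filter=..., prn=...): names of the frames that match."""
    return [name for name, frame in frames if matches(parse_frame(frame), **bpf)]


# Constructed sample frames (not captures from the lab network). MAC and IP addresses
# are placeholders; IP/TCP/ICMP checksums are left as 0 because, like pkt.show(),
# the dissector does not verify them.
WINDOWS_IP, VM_IP, GOOGLE_IP = "192.168.247.1", "192.168.247.129", "173.194.208.103"


def build_frame(src_ip, dst_ip, proto, l4, ttl=128):
    eth = struct.pack("!6s6sH", bytes.fromhex("000c29e942f2"), bytes.fromhex("000011223344"), ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 2080, 0x4000, ttl, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


TELNET_SYN = struct.pack("!HHIIHHHH", 58241, 23, 1910557118, 0, (5 << 12) | 0x02, 64240, 0, 0)
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 0x34EE, 1) + bytes(range(8))
ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 0x34EE, 1) + bytes(range(8))

SAMPLE_FRAMES = [
    ("telnet SYN from Windows", build_frame(WINDOWS_IP, VM_IP, PROTO_TCP, TELNET_SYN)),
    ("ping request from Windows", build_frame(WINDOWS_IP, VM_IP, PROTO_ICMP, ECHO_REQUEST)),
    ("echo reply from 173.194.208.103", build_frame(GOOGLE_IP, VM_IP, PROTO_ICMP, ECHO_REPLY)),
]

if __name__ == "__main__":
    print("sample.py  ->", sniff_offline(SAMPLE_FRAMES, proto="icmp"))
    print("sample2.py ->", sniff_offline(SAMPLE_FRAMES, proto="tcp", src_host=WINDOWS_IP, dst_port=23))
    print("sample3.py ->", sniff_offline(SAMPLE_FRAMES, src_net="173.194.208.0/24"))
```

The third call shows why the live run of sample3.py only prints the reply coming back from 173.194.208.103: the src net filter tests the source address alone, so the echo request the VM sends out never matches.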

1.2 Spoofing ICMP Packets

The objective of this section is to spoof IP packets with an arbitrary source IP address. We will spoof ICMP echo request packets, and send them to another machine on the same network. We will use Wireshark to observe whether our request will be accepted by the receiver. If it is accepted, an echo reply packet will be sent to the spoofed IP address.

  1. Create the Python program by entering the nano spoof.py command and typing the following code:
    #!/usr/bin/python
    from scapy.all import *
    
    print("SENDING SPOOFED ICMP PACKET..........")
    IPLayer = IP()
    IPLayer.src="192.168.247.xxx"   # <-- spoofed source; the lab uses the IP address of SEEDUbuntu so that the reply comes back to us (any address can be put here, but the reply is then sent to that address)
    IPLayer.dst="192.168.247.x"     # <-- IP address of Windows (the target)
    ICMPpkt = ICMP()
    pkt = IPLayer/ICMPpkt
    pkt.show()
    send(pkt,verbose=0)
  2. On the SEEDUbuntu GUI system, launch the Wireshark application, select the ens33 interface (or the eth0 interface), then click the Start Capturing Packets button. In the Apply a display filter... field, enter icmp to display ICMP messages only.
  3. Run the spoof.py code with root privileges by entering sudo python spoof.py.
  4. You should see two packets in the Wireshark capture on the SEEDUbuntu GUI: the echo request the SEEDUbuntu sends out and the echo reply the live machine sends back. Fill in your packet information for the ICMP protocol here:
    No. | Time | Source | Destination | Protocol | Length | Info

1.3 Traceroute

The objective of this section is to implement a simple traceroute tool using Scapy to estimate the distance, in terms of the number of routers, between your VM and a selected destination. We send a packet (of any type) to the destination with its Time-To-Live (TTL) field set to 1 first. The first router decrements the TTL to 0, drops the packet, and sends us an ICMP Time Exceeded error message (type 11); the source address of that message is the IP address of the first router. We then increase the TTL to 2, send another packet, and get the IP address of the second router. We repeat this procedure until our packet finally reaches the destination, which answers with an ICMP echo reply (type 0) instead.

  1. The Python code below is a simple traceroute implementation using Scapy. It takes a hostname or IP address as input. Enter nano traceroute.py and type the following code:
    #!/usr/bin/python
    import sys
    from scapy.all import *
    
    ''' Usage: sudo ./traceroute.py "hostname or IP address" '''
    host = sys.argv[1]
    print("Traceroute " + host)
    ttl = 1
    max_ttl = 30                  # give up after this many hops
    while ttl <= max_ttl:
        IPLayer = IP()
        IPLayer.dst = host
        IPLayer.ttl = ttl
        ICMPpkt = ICMP()          # an echo request (type 8) by default
        pkt = IPLayer/ICMPpkt
    
        # send the probe and wait up to 2 seconds for the first answer;
        # without a timeout sr1() would block forever on a hop that stays silent
        replypkt = sr1(pkt, timeout=2, verbose=0)
        if replypkt is None:
            print("%d hops away: *" % ttl)                          # no answer, try the next hop
        elif ICMP in replypkt and replypkt[ICMP].type == 0:
            print("%d hops away: %s" % (ttl, replypkt[IP].src))    # echo reply: destination reached
            print("Done " + replypkt[IP].src)
            break
        else:
            print("%d hops away: %s" % (ttl, replypkt[IP].src))    # type 11 Time Exceeded from a router
        ttl += 1
  2. Run the above Python code by entering sudo python traceroute.py google.com. You will get response messages; record the output here:

1.4 Sniffing and then Spoofing

(Skip this section: VMware Workstation for Windows has some problem with it.)

In this section, the SEEDUbuntu machine pings a non-existent IP address "1.2.3.4". The sniffer below watches for those echo requests and immediately sends back a forged echo reply, so ping reports the host as alive even though it does not exist. The src host in the filter must be the IP address of the SEEDUbuntu.

#!/usr/bin/python
from scapy.all import *

def spoof_pkt(pkt):
    # Only answer ICMP echo requests (type 8). Our own forged replies are
    # type 0 and carry 1.2.3.4 as source, so they never match this test.
    if ICMP in pkt and pkt[ICMP].type == 8:
        print("Original Packet.........")
        print("Source IP: " + pkt[IP].src)
        print("Destination IP: " + pkt[IP].dst)

        # swap the addresses: the reply must appear to come from the pinged host
        srcip = pkt[IP].dst
        dstip = pkt[IP].src
        newihl = pkt[IP].ihl
        newtype = 0                   # echo reply
        newid = pkt[ICMP].id          # id and seq must match the request or ping ignores the reply
        newseq = pkt[ICMP].seq
        data = pkt[Raw].load if Raw in pkt else b""   # echo the ping payload, if any

        IPLayer = IP(src=srcip, dst=dstip, ihl=newihl)

        ICMPpkt = ICMP(type=newtype, id=newid, seq=newseq)
        newpkt = IPLayer/ICMPpkt/data

        print("Spoofing Packet.........")
        print("Source IP: " + newpkt[IP].src)
        print("Destination IP: " + newpkt[IP].dst)

        send(newpkt, verbose=0)

# 192.168.247.129 is the SEEDUbuntu IP address; replace it with yours
pkt = sniff(filter='icmp and src host 192.168.247.129', prn=spoof_pkt)
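
The two packet-crafting steps of this lab, the spoofed echo request of Section 1.2 and the forged echo reply of Section 1.4, done at the byte level in standard-library Python, as an added example that is not part of the original lab and does not use Scapy. It shows what Scapy's IP() and ICMP() layers and send() do underneath: the header layouts, the RFC 1071 checksum, and the raw socket with IP_HDRINCL through which the kernel accepts a packet whose source address it did not choose. The addresses, id/seq values and the "captured" request are constructed placeholders; the ttl parameter is the field Section 1.3 walks upward; send_raw() needs root and is not exercised by the offline checks.

```python
import socket
import struct
import ipaddress

PROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words.
    Running it over a header that already carries a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input (ICMP payloads)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """20-byte IPv4 header (no options) with its checksum filled in, then the payload.
    src can be any address: nothing here ties it to the sending host."""
    fields = [0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = internet_checksum(header)    # checksum computed with the field zeroed
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_icmp(icmp_type, ident, seq, data=b"", code=0):
    """ICMP echo header (type, code, checksum, id, seq) plus data; the checksum covers both."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = internet_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + data


def addrs(packet):
    """(src, dst) of an IPv4 packet, for checking what was built."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


def spoofed_echo_request(src, dst, ident=0x1234, seq=1, data=b"", ttl=64):
    """Section 1.2: an echo request whose IP source is whatever we choose.
    The reply, if any, goes to src, not to us."""
    return build_ipv4(src, dst, PROTO_ICMP, build_icmp(ICMP_ECHO_REQUEST, ident, seq, data), ttl=ttl)


def forge_echo_reply(captured):
    """Section 1.4: from the raw bytes of a sniffed echo request, build the reply the
    target would have sent: src/dst swapped, type 0, same id, seq and payload.
    Returns None for anything that is not an echo request, so our own forged
    replies (type 0) are never answered in turn."""
    if len(captured) < 20:
        return None
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", captured[:20])
    ihl = (vihl & 0x0F) * 4
    icmp = captured[ihl:total_len]
    if proto != PROTO_ICMP or len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
        return None
    _, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    reply = build_icmp(ICMP_ECHO_REPLY, ident, seq, icmp[8:])
    return build_ipv4(str(ipaddress.IPv4Address(dst)), str(ipaddress.IPv4Address(src)), PROTO_ICMP, reply)


def send_raw(packet):
    """Hand a complete IP packet, header included, to the kernel (IP_HDRINCL).
    Needs root / CAP_NET_RAW, which is why the lab runs everything with sudo.
    Not called by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (addrs(packet)[1], 0))


# Constructed stand-in for the request the sniffer of Section 1.4 would see:
# the SEEDUbuntu VM (placeholder address) pinging the non-existent 1.2.3.4
# with the usual 56 data bytes, 84 bytes in total.
CAPTURED_REQUEST = spoofed_echo_request("192.168.247.129", "1.2.3.4",
                                        ident=0x34EE, seq=1, data=bytes(range(56)))

if __name__ == "__main__":
    req = spoofed_echo_request("10.9.8.7", "192.168.247.1", data=b"lab")   # forged source
    print("request", addrs(req), "ip checksum ok:", internet_checksum(req[:20]) == 0)
    rep = forge_echo_reply(CAPTURED_REQUEST)
    print("forged reply", addrs(rep), "icmp checksum ok:", internet_checksum(rep[20:]) == 0)
    # send_raw(req)   # run as root to actually transmit the spoofed request
```

Two details matter for the forged reply to be accepted: ping matches replies on the id and seq it sent, so both are copied from the request, and the ICMP checksum covers the echoed data, so it has to be recomputed after the type byte changes.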