Lab 01 - Packet Sniffing and Spoofing
In this lab, promiscuous mode must be enabled on the virtual machine so that it can listen to and capture all the traffic on the network. To set promiscuous mode on the virtual machine:
- If you have already launched the VMware program, shut down all VMware hosts and close the VMware program.
- Locate the VMX file in the SEEDUbuntu image folder (for example, SEEDUbuntu-16.04-32bit.vmx)
- Edit the file and locate the Ethernet section. Add the following new entry for each Ethernet you want to be in promiscuous mode.
Replace with the ethernet number, for example, .
- Run the VMware program.
- Start the SEEDUbuntu machine; the interface will now operate in promiscuous mode.
- Use PuTTY to log into the SEEDUbuntu and check the IP address.
- SEEDUbuntu VM:
- In the home directory, create a sub-directory and change the working directory to the new directory.
1.1 Sniffing Packets
- This section shows a sample Python code to sniff IP packets. In your home directory, create a Python code by typing and press , then enter the following code:

    #!/usr/bin/python
    from scapy.all import *

    print("SNIFFING PACKETS...")

    def print_pkt(pkt):
        # Dump every layer of each captured packet
        pkt.show()

    # BPF filter: capture ICMP packets only
    pkt = sniff(filter='icmp', prn=print_pkt)

- Now run the above code with root privileges by entering .
- On your Windows system, launch a Command Prompt window and enter the following command to send one ping to the SEEDUbuntu Linux.
(where the 192.168.247.xxx is the IP address of the SEEDUbuntu)
- On the SEEDUbuntu, you will see that the program acts as a sniffer and captures the ping requests sent by another machine on the same network. Record the output here:
- Press + to stop the Python program.
- If we run the same program without root privileges by entering , you will get an error message on the screen. Write down the error message that shows socket.error (usually at the last line) here:
Capture any TCP packet that comes from a particular IP and with a destination port number 23.
- On Windows, open a Command Prompt window and enter to find your Windows IP address for the VMware Network Adapter VMnet<number>.
Your Windows IP address:
and typing the below Python code that sniffs the TCP traffic from a specific host (your Windows) to port 23 (192.168.247.xxx is the Windows IP address):

    #!/usr/bin/python
    from scapy.all import *

    print("SNIFFING PACKETS...")

    def print_pkt(pkt):
        # Dump every layer of each captured packet
        pkt.show()

    # BPF filter: TCP segments from one source host to destination port 23
    pkt = sniff(filter='tcp and (src host 192.168.247.xxx and dst port 23)', prn=print_pkt)

- Enter command to clear the screen, then click the PuTTY icon at the top left of the PuTTY program and select Clear Scrollback.
- Enter to start sniffing packets.
- On Windows, enter .
- On the SEEDUbuntu, you will see that on sending telnet packets from the host IP address, the sniffer program captures the packet. Scroll up to the first capture screen, and find the information for proto, src, dst and dport from the captured output.
###[ Ethernet ]###
dst = 00:0c:29:e9:42:f2
src = 00:00:11:22:33:44
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 52
id = 2080
flags = DF
frag = 0
ttl = 128
chksum = 0x82cd
###[ TCP ]###
sport = 58241
seq = 1910557118
ack = 0
dataofs = 8
reserved = 0
flags = S
window = 64240
chksum = 0xe510
urgptr = 0
options = [('MSS', 1460), ('NOP', None), ('WScale', 8), ('NOP', None), ('NOP', None), ('SAckOK', b'')]
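To make the fields in this capture concrete, here is an added example (Python 3, not part of the original lab) that rebuilds a frame with the header values shown above, parses it by hand and applies the same decision as the `tcp and (src host ... and dst port 23)` filter. The two IP addresses and the function names are assumptions chosen for illustration, since the lab leaves src and dst for you to fill in.

```python
import socket
import struct

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_tcp(frame):
    """Return the fields the lab asks for, or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 20:
        return None
    if ip[9] != 6:                                # protocol 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"proto": ip[9], "ttl": ip[8], "len": struct.unpack("!H", ip[2:4])[0],
            "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "flags": ip[ihl + 13],
            "ip_chksum_ok": checksum(ip[:ihl]) == 0}

def matches_filter(fields, src_host, dst_port):
    """Same decision as the BPF filter 'tcp and (src host X and dst port N)'."""
    return bool(fields) and fields["src"] == src_host and fields["dport"] == dst_port

def build_sample_syn(src, dst):
    """Constructed frame using the header values from the capture (TCP checksum left 0)."""
    eth = bytes.fromhex("000c29e942f2" "000011223344" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 2080, 0x4000, 128, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    opts = bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402")  # MSS, NOP, WScale, NOP, NOP, SAckOK
    tcp = struct.pack("!HHIIBBHHH", 58241, 23, 1910557118, 0, 8 << 4, 0x02,
                      64240, 0, 0) + opts
    return eth + ip + tcp

if __name__ == "__main__":
    frame = build_sample_syn("192.168.247.1", "192.168.247.129")  # assumed addresses
    fields = parse_ipv4_tcp(frame)
    print(fields, matches_filter(fields, "192.168.247.1", 23))
```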
Capture packets that come from or go to a particular subnet.
You can pick any subnet, such as 188.8.131.52/16; you should not pick the subnet that your VM is attached to.
- The below Python code sniffs the TCP traffic from a subnet as the source to any destination. (Using command to create the code)

    #!/usr/bin/python
    from scapy.all import *

    print("SNIFFING PACKETS...")

    def print_pkt(pkt):
        # Dump every layer of each captured packet
        pkt.show()

    # BPF filter: packets whose source address is in the given subnet
    pkt = sniff(filter='src net 184.108.40.206/24', prn=print_pkt)

- Run the above code with root privileges by entering .
- Open a second connection to the SEEDUbuntu by launching the PuTTY program and logging in to the SEEDUbuntu. Then enter command.
- On the SEEDUbuntu, you will see that on sending an ICMP packet to 220.127.116.11, the sniffer program captures the packet sent out from 18.104.22.168. Scroll up to the first capture screen, and find the information for proto, src, dst and type from the captured output.
###[ Ethernet ]###
dst = 00:0c:29:5f:12:4d
src = 00:50:56:e0:6e:2b
type = 0x800
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 84
id = 56061
frag = 0
ttl = 128
chksum = 0x2957
###[ ICMP ]###
code = 0
chksum = 0x7590
id = 0x34ee
seq = 0x1
###[ Raw ]###
load = '\xebNk_\x0e\xcf\x05\x00\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'
1.2 Spoofing ICMP Packets
The objective of this section is to spoof IP packets with an arbitrary source IP address. We will spoof ICMP echo request packets, and send them to another machine on the same network. We will use Wireshark to observe whether our request will be accepted by the receiver. If it is accepted, an echo reply packet will be sent to the spoofed IP address.
- Create a Python code by entering command and typing the following code:

    #!/usr/bin/python
    from scapy.all import *

    print("SENDING SPOOFED ICMP PACKET..........")
    IPLayer = IP()
    IPLayer.src = "192.168.247.xxx"  # <-- IP Address of SEEDUbuntu
    IPLayer.dst = "192.168.247.x"    # <-- IP address of Windows
    ICMPpkt = ICMP()                 # default ICMP type is echo request
    pkt = IPLayer/ICMPpkt
    pkt.show()
    send(pkt, verbose=0)

- On the SEEDUbuntu GUI system, launch the Wireshark application, select the ens33 interface (or eth0 interface), then click the button. In the field, enter to display ICMP messages only.
- Run the spoof.py code with root privileges by entering .
- You should see two Wireshark captures on the SEEDUbuntu GUI, showing that the SEEDUbuntu sends out an ICMP request and the live machine sends back an ICMP response. Please fill in your packet information for the ICMP protocol here:
No. Time Source Destination Protocol Length Info
The objective of this section is to implement a simple traceroute tool using Scapy to estimate the distance, in terms of the number of routers, between your VM and a selected destination. We will send a packet (any type) to the destination, with its Time-To-Live (TTL) field set to 1 first. This packet will be dropped by the first router, which will send us an ICMP error message telling us that the time-to-live has been exceeded. Hence, we get the IP address of the first router. We then increase our TTL field to 2, send out another packet, and get the IP address of the second router. We will repeat this procedure until our packet finally reaches the destination.
- The below Python code is a simple traceroute implementation using Scapy. It takes a hostname or IP address as the input. Enter nano traceroute.py and type the following code:

    #!/usr/bin/python
    import sys
    from scapy.all import *

    '''
    Usage: ./traceroute.py "hostname or IP address"
    '''
    host = sys.argv[1]
    print("Traceroute " + host)
    ttl = 1
    while 1:
        IPLayer = IP()
        IPLayer.dst = host
        IPLayer.ttl = ttl
        ICMPpkt = ICMP()
        pkt = IPLayer/ICMPpkt
        # sends packets and waits for first answer (give up after 2 seconds)
        replypkt = sr1(pkt, verbose=0, timeout=2)
        if replypkt is None:
            # no answer within the timeout: stop
            break
        elif replypkt[ICMP].type == 0:
            # echo reply: the destination itself answered, so we are done
            print("%d hops away: %s" % (ttl, replypkt[IP].src))
            print("Done %s" % replypkt[IP].src)
            break
        else:
            # ICMP error (time exceeded) from an intermediate router
            print("%d hops away: %s" % (ttl, replypkt[IP].src))
        ttl += 1

- Run the above Python code by entering , you will get response messages; record the output here:
1.4 Sniffing and-then Spoofing
(Skip this section, the VMware workstation for Windows has some problem...)
In this section, SEEDUbuntu machine pings a non-existing IP address "22.214.171.124".

    #!/usr/bin/python
    from scapy.all import *

    def spoof_pkt(pkt):
        newseq = 0
        if ICMP in pkt:
            print("Original Packet.........")
            print("Source IP: %s" % pkt[IP].src)
            print("Destination IP: %s" % pkt[IP].dst)

            # Swap the addresses so the reply appears to come from the pinged IP
            srcip = pkt[IP].dst
            dstip = pkt[IP].src
            newihl = pkt[IP].ihl
            newtype = 0  # ICMP echo reply
            newid = pkt[ICMP].id
            newseq = pkt[ICMP].seq
            # An ICMP packet may carry no payload; pkt[Raw] would then raise IndexError
            data = pkt[Raw].load if Raw in pkt else b''

            IPLayer = IP(src=srcip, dst=dstip, ihl=newihl)
            ICMPpkt = ICMP(type=newtype, id=newid, seq=newseq)
            newpkt = IPLayer/ICMPpkt/data

            print("Spoofing Packet.........")
            print("Source IP: %s" % newpkt[IP].src)
            print("Destination IP: %s" % newpkt[IP].dst)
            send(newpkt, verbose=0)

    # Only react to ICMP packets sent by the SEEDUbuntu machine
    pkt = sniff(filter='icmp and src host 192.168.247.129', prn=spoof_pkt)
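Seen from the monitoring side, a reply forged by a machine on the local segment can be spotted by comparing the Ethernet source of each echo reply with where its IP source should have come from. The following is an added example (Python 3, not part of the original lab); the subnet, gateway MAC, ARP bindings and sample frames are all constructed values, and it assumes a single-gateway LAN where off-subnet traffic always arrives from the gateway's MAC address.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.247.0/24")  # assumed lab subnet
GATEWAY_MAC = "00:50:56:00:00:02"                     # constructed value
ARP_TABLE = {                                         # constructed IP -> MAC bindings
    "192.168.247.1": "00:50:56:00:00:01",
    "192.168.247.129": "00:0c:29:00:00:81",
}

def classify_reply(eth_src, ip_src):
    """Return None if the L2/L3 sources are consistent, else a reason string."""
    if ipaddress.ip_address(ip_src) not in LOCAL_NET:
        # Off-subnet hosts can only reach us through the gateway
        if eth_src != GATEWAY_MAC:
            return "off-subnet source from non-gateway MAC"
        return None
    expected = ARP_TABLE.get(ip_src)
    if expected is None:
        return "local source with no ARP binding"
    if eth_src != expected:
        return "MAC does not match ARP binding"
    return None

def find_suspect_replies(frames):
    """frames: list of (eth_src, ip_src, icmp_type). Checks echo replies (type 0) only."""
    suspects = []
    for index, (eth_src, ip_src, icmp_type) in enumerate(frames):
        if icmp_type != 0:
            continue
        reason = classify_reply(eth_src, ip_src)
        if reason:
            suspects.append((index, reason))
    return suspects

# Constructed sample capture summary (203.0.113.0/24 is a documentation range)
SAMPLE_FRAMES = [
    ("00:50:56:00:00:02", "203.0.113.10", 0),   # genuine reply routed via gateway
    ("00:0c:29:00:00:99", "203.0.113.77", 0),   # remote IP, but sent by a local NIC
    ("00:50:56:00:00:01", "192.168.247.1", 0),  # local host, matching binding
    ("00:0c:29:00:00:99", "192.168.247.1", 0),  # local IP claimed by another NIC
    ("00:0c:29:00:00:81", "192.168.247.129", 8),  # echo request, not checked
]

if __name__ == "__main__":
    for index, reason in find_suspect_replies(SAMPLE_FRAMES):
        print(index, SAMPLE_FRAMES[index], reason)
```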