Exploring Packet Sniffing and Spoofing: A Practical Guide
Assignment Source
This write-up is based on the practical assignments from the SEED (Security Education and Evaluation Delivery) program, which is designed to provide hands-on experience in security topics, including network security, penetration testing, and ethical hacking. The specific focus of this assignment is on packet sniffing and spoofing, which are essential techniques for understanding and analyzing network behavior and security vulnerabilities.
About SEED
SEED is an educational initiative that aims to enhance the learning experience of students in cybersecurity and related fields. By providing a series of hands-on labs, SEED helps students develop practical skills and knowledge necessary for real-world applications. The program emphasizes ethical practices and responsible use of technology, preparing students for careers in cybersecurity and IT.
Understanding Packet Sniffing
What is Packet Sniffing?
Packet sniffing refers to the process of capturing and analyzing network packets that travel through a network interface. This technique is widely used for network troubleshooting, monitoring network traffic, and analyzing security vulnerabilities.
Documentation for Packet Sniffing and Spoofing Lab
Task 1.1: Sniffing Packets
Setup Instructions
1. Install Scapy for Python3
First, ensure that Scapy is installed. Run the following command:
sudo pip3 install scapy
Task 1.1A: Sniffing All ICMP Packets
2. Create the Sniffer Program
Create a new Python file named “sniffer.py” with the following code:
#!/usr/bin/python3
from scapy.all import
def print_pkt(pkt):
pkt.show()
pkt = sniff(filter=’icmp’, prn=print_pkt)
3. Make the Program Executable
chmod a+x sniffer.py
4. Run the Program
- With Root Privileges
sudo ./sniffer.py
- Without Root Privileges
./sniffer.py
Task 1.1B: Filtering Packets
5. Capture Specific Packets: Modify the filter in `sniffer.py` for each case and run the program with `sudo ./sniffer.py`. For each case below, capture a screenshot of the terminal output and explain the result.
- Filter for ICMP Packets Only
pkt = sniff(filter=’icmp’, prn=print_pkt)
- Filter for TCP Packets from a Specific IP to Port 23
pkt = sniff(filter=’tcp and src host 192.168.1.1 and dst port 23', prn=print_pkt)
- Filter for Packets from/to a Specific Subnet
pkt = sniff(filter=’net 128.230.0.0/16', prn=print_pkt)
I am Try everything but its not work my doubt in this question but i am unable to connect you because i have no any your contact details so sorry ma’am you seen this message pls contact me on 6201784889 whatsapp or email officialnk0001@gmail.com
Task 1.2: Spoofing ICMP Packets
1. Open Python Interactive Mode
sudo python3
2. Write Code for Spoofing an ICMP Packet
from scapy.all import *
a = IP()
a.src = ‘1.2.3.4’ # Spoofed source IP
a.dst = ‘10.0.2.15’ # Target destination IP
b = ICMP()
p = a/b
send(p)
Task 1.3: Implementing Traceroute
1. Code to Increment TTL
Create a Python script named “traceroute.py”
#!/usr/bin/python3
from scapy.all import *
def traceroute(destination):
for i in range(1, 30): # Set a reasonable limit for TTL
pkt = IP(dst=destination, ttl=i) / ICMP()
reply = sr1(pkt, verbose=0, timeout=1)
if reply is None:
break
else:
print(f”{i}: {reply.src}”)
if reply.src == destination:
print(“Reached destination.”)
break
traceroute(‘8.8.8.8’) # Target destination
2. Run the Script
sudo python3 traceroute.py
Task 1.4: Sniffing and Then Spoofing Packets
1. Set Up the Sniffer and Spoofing Program on VM B
Create a new Python file “sniff_spoof.py” with the following code:
#!/usr/bin/python3
from scapy.all import *
def spoof_reply(pkt):
if pkt.haslayer(ICMP) and pkt[ICMP].type == 8: # Check if it’s an ICMP echo request
ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
icmp = ICMP(type=0) # Echo reply
spoof_pkt = ip/icmp
send(spoof_pkt)
print(f”Sent spoofed packet to {pkt[IP].src}”)
pkt = sniff(filter=’icmp’, prn=spoof_reply)
2. Make the Program Executable and Run It
chmod a+x sniff_spoof.py
sudo ./sniff_spoof.py
3. Initiate Ping from VM A
- Run a ping command from VM A to any IP (e.g., “ping 10.0.2.5”).
Lab Task Set 2: Writing Programs to Sniff and Spoof Packets
1. Introduction
In this lab task, we explore packet sniffing and spoofing techniques using C programming and the pcap library. The objectives are to understand the mechanics of network sniffers, capture specific types of packets, and implement spoofing methods.
Task 2.1: Writing a Packet Sniffing Program
3.1A: Understanding How a Sniffer Works
Code Snippet
#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>
void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
printf(“Got a packet\n”);
}
int main() {
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE];
struct bpf_program fp;
char filter_exp[] = “ip proto icmp”; // Filter for ICMP packets
bpf_u_int32 net;
// Open live pcap session on NIC
handle = pcap_open_live(“eth0”, BUFSIZ, 1, 1000, errbuf);
if (handle == NULL) {
fprintf(stderr, “Could not open device %s: %s\n”, “eth0”, errbuf);
return 1;
}
// Compile filter_exp into BPF pseudo-code
if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
fprintf(stderr, “Could not parse filter %s: %s\n”, filter_exp, pcap_geterr(handle));
return 1;
}
// Apply the filter
if (pcap_setfilter(handle, &fp) == -1) {
fprintf(stderr, “Could not install filter %s: %s\n”, filter_exp, pcap_geterr(handle));
return 1;
}
// Capture packets
pcap_loop(handle, -1, got_packet, NULL);
// Clean up
pcap_freecode(&fp);
pcap_close(handle);
return 0;
}
Commands to Compile and Run
Install pcap library (if not already installed)
sudo apt-get install libpcap-dev
Compile the program
gcc -o packet_sniffer packet_sniffer.c -lpcap
Run the sniffer with root privileges
sudo ./packet_sniffer
Question 1: Why Root Privilege is Needed
Root privileges are required because capturing packets from a network interface needs access to raw sockets, which is restricted for security reasons.
Question 2: Promiscuous Mode Demonstration
Promiscuous Mode Implementation
pcap_set_promisc(handle, 1); // Enable promiscuous mode
- Demonstration: Observe captured packets in promiscuous mode compared to normal mode.
4. Task 2.1B: Writing Filters
Filter Expressions
1. Capture ICMP packets between two specific hosts
char filter_exp[] = “icmp and host 192.168.1.1 and host 192.168.1.2”;
2. Capture TCP packets with destination port in the range of 10 to 100
char filter_exp[] = “tcp and portrange 10–100”;
— -
5. Task 2.1C: Sniffing Passwords
Telnet Sniffing Implementation
Modification in Code
Enhance the “got_packet” function to print the payload of TCP packets.
#include <netinet/ip.h>
#include <netinet/tcp.h>
void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
struct iphdr *ip = (struct iphdr *)(packet + sizeof(struct ethhdr));
struct tcphdr *tcp = (struct tcphdr *)(packet + sizeof(struct ethhdr) + sizeof(struct iphdr));
if (ntohs(tcp->dest) == 23) { // Check if TCP destination port is Telnet (23)
const u_char *data = packet + sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct tcphdr);
printf(“Telnet Data: %s\n”, data);
}
}
Note:- I have no extra space in my computer to perform this task you have any suggestion ip to connect telnet so pls share other wise i need some machine to install Metasploitable 2 and profarm complete this task
6. Task 2.2: Spoofing
6.1 Task 2.2A: Writing a Spoofing Program
Code Snippet
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
int main() {
int sd;
struct sockaddr_in sin;
char buffer[1024];
sd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
if(sd < 0) {
perror(“socket() error”);
return 1;
}
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(“192.168.1.100”); // Target IP
// Construct packet (omit actual packet construction for brevity)
// e.g., fill buffer with crafted ICMP packet
if(sendto(sd, buffer, sizeof(buffer), 0, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror(“sendto() error”);
return 1;
}
close(sd);
return 0;
}
Commands to Compile and Run
Compile the spoofing program
gcc -o packet_spoof packet_spoof.c
Run the spoofing program with root privileges
sudo ./packet_spoof
Task 2.2B: Spoofing an ICMP Echo Request
Implementation
Construct and send an ICMP echo request with a spoofed source IP address.
Example Code to Send an ICMP Echo Request:
// Assume ‘buffer’ is filled with a valid ICMP Echo Request packet
// and the necessary headers are constructed correctly
if(sendto(sd, buffer, packet_length, 0, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror(“sendto() error”);
}
Lab Report for Task 2.3: Sniff and then Spoof
Objective
The goal of this lab task was to develop a program that demonstrates sniffing and spoofing techniques using ICMP packets within a Local Area Network (LAN). Specifically, the program captures ICMP echo request packets and sends spoofed ICMP echo replies back to the source, regardless of whether the target IP is active. This task was achieved using packet capturing and manipulation techniques in C.
Code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pcap.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#define INTERFACE “enp0s3”
// Checksum calculation function
unsigned short calculate_checksum(unsigned short *paddress, int len) {
int nleft = len;
int sum = 0;
unsigned short *w = paddress;
unsigned short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*((unsigned char *)&answer) = *((unsigned char *)w);
sum += answer;
}
sum = (sum >> 16) + (sum & 0xFFFF);
sum += (sum >> 16);
answer = ~sum;
return answer;
}
// Callback function for packet handling
void packet_handler(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
struct ip *ip_hdr = (struct ip *)(packet + 14);
struct icmphdr *icmp_hdr = (struct icmphdr *)(packet + 14 + (ip_hdr->ip_hl * 4));
// Check if it’s an ICMP echo request
if (icmp_hdr->type == ICMP_ECHO) {
printf(“[INFO] ICMP echo request captured from %s to %s\n”,
inet_ntoa(ip_hdr->ip_src), inet_ntoa(ip_hdr->ip_dst));
// Create raw socket
int sd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
if (sd < 0) {
perror(“[ERROR] Socket creation failed”);
return;
}
printf(“[INFO] Raw socket created\n”);
// Prepare the spoofed ICMP echo reply packet
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
// Construct IP header for the reply
struct ip *ip_reply = (struct ip *)buffer;
ip_reply->ip_hl = 5;
ip_reply->ip_v = 4;
ip_reply->ip_tos = 0;
ip_reply->ip_len = htons(sizeof(struct ip) + sizeof(struct icmphdr));
ip_reply->ip_id = htons(0);
ip_reply->ip_off = 0;
ip_reply->ip_ttl = 64;
ip_reply->ip_p = IPPROTO_ICMP;
ip_reply->ip_src = ip_hdr->ip_dst; // Swap source and destination
ip_reply->ip_dst = ip_hdr->ip_src;
ip_reply->ip_sum = calculate_checksum((unsigned short *)ip_reply, sizeof(struct ip));
printf(“[DEBUG] IP header created with source %s and destination %s\n”,
inet_ntoa(ip_reply->ip_src), inet_ntoa(ip_reply->ip_dst));
// Construct ICMP header for the reply
struct icmphdr *icmp_reply = (struct icmphdr *)(buffer + sizeof(struct ip));
icmp_reply->type = ICMP_ECHOREPLY;
icmp_reply->code = 0;
icmp_reply->checksum = 0;
icmp_reply->un.echo.id = icmp_hdr->un.echo.id;
icmp_reply->un.echo.sequence = icmp_hdr->un.echo.sequence;
icmp_reply->checksum = calculate_checksum((unsigned short *)icmp_reply, sizeof(struct icmphdr));
printf(“[DEBUG] ICMP echo reply created with ID %d and sequence %d\n”,
icmp_reply->un.echo.id, icmp_reply->un.echo.sequence);
// Define destination address for the spoofed packet
struct sockaddr_in dest_info;
dest_info.sin_family = AF_INET;
dest_info.sin_addr = ip_reply->ip_dst;
printf(“[INFO] Sending spoofed ICMP echo reply to %s\n”, inet_ntoa(dest_info.sin_addr));
// Send the spoofed ICMP packet
if (sendto(sd, buffer, ntohs(ip_reply->ip_len), 0,
(struct sockaddr *)&dest_info, sizeof(dest_info)) < 0) {
perror(“[ERROR] sendto() failed”);
} else {
printf(“[SUCCESS] Spoofed ICMP echo reply sent to %s\n”, inet_ntoa(ip_hdr->ip_src));
}
close(sd);
} else {
printf(“[INFO] Non-ICMP packet ignored\n”);
}
}
int main() {
char error_buffer[PCAP_ERRBUF_SIZE];
pcap_t *handle;
// Open the sniffing session on the specified network interface
handle = pcap_open_live(INTERFACE, BUFSIZ, 1, 1000, error_buffer);
if (handle == NULL) {
fprintf(stderr, “[ERROR] Could not open device %s: %s\n”, INTERFACE, error_buffer);
return 2;
}
printf(“[INFO] Listening on interface %s for ICMP echo requests…\n”, INTERFACE);
// Set the filter for ICMP packets only
struct bpf_program fp;
char filter_exp[] = “icmp”;
if (pcap_compile(handle, &fp, filter_exp, 0, PCAP_NETMASK_UNKNOWN) == -1) {
fprintf(stderr, “[ERROR] Could not parse filter %s: %s\n”, filter_exp, pcap_geterr(handle));
return 2;
}
if (pcap_setfilter(handle, &fp) == -1) {
fprintf(stderr, “[ERROR] Could not install filter %s: %s\n”, filter_exp, pcap_geterr(handle));
return 2;
}
// Start packet capture loop
pcap_loop(handle, 0, packet_handler, NULL);
// Cleanup after capture loop ends
pcap_freecode(&fp);
pcap_close(handle);
return 0;
}
Results and Observations
1. ICMP Request Capture The program successfully captured ICMP echo requests initiated from VM A.
2. Spoofed Echo Reply Upon detecting an ICMP echo request, the program constructed and sent a spoofed echo reply back to VM A.
3. Confirmation of Success VM A received the spoofed echo reply, confirming that the ping program always received a response, regardless of whether the target IP was active.
Conclusion
This document provides a comprehensive overview of packet sniffing and spoofing tasks using Scapy and C, including step-by-step guides for implementing the tasks, running the code, and understanding the concepts. Ensure to follow the instructions carefully to complete each part of the lab.
