Raw Sockets

The goals of this lab are to:

  1. Learn how to sniff and inject network traffic using raw sockets
  2. Examine network traffic using tcpdump and wireshark

To begin, download the appropriate ip_auth container image from Canvas (see the IP spoofing assignment for more details). You will also want to install wireshark and scapy if you do not already have those installed.

Examining Traffic

In a cybersecurity context, packet captures are incredibly useful for identifying or developing attacks. In this section of the lab, you will use wireshark to capture and examine traffic between a legitimate ip_auth client and server. Doing so will guide the development of your authentication bypass attack.

Wireshark has several main areas: the packet list, a protocol dissection of the currently-selected packet at different layers, and the raw bytes of the current packet. There is also a display filter input, which is exceedingly useful to restrict the set of packets that are displayed.

Wireshark also ships with many analyses that give a better overview of what a capture contains than looking at each packet one by one. One useful view is Statistics -> Conversations, which lists the endpoint pairs talking at each layer and lets you sort them by any column. For instance, sorting by byte or packet volume quickly highlights the nodes that send or receive the most data. Another built-in feature extracts the payloads of a particular TCP or TLS session in order, with the two directions distinguished: right-click on a packet belonging to the stream of interest and select the appropriate item under the Follow sub-menu. For ip_auth, following the client's stream is the fastest way to see exactly which bytes the server expects and in what order.

Injecting and Sniffing Traffic

Armed with insight into how a valid ip_auth session appears on the wire, you will now start building an exploit script. There are many ways to go about this; we will demonstrate scapy, a popular and flexible Python framework for raw packet capture and injection. In particular, we will scaffold the exploit around AsyncSniffer, which captures in a background thread so that responses to the packets we inject are not missed while we are busy building the next one. For injection we will use sendp, which writes complete frames (Ether/IP/TCP) at the link layer on the interface you name. scapy's send, by contrast, injects at layer 3 and lets the kernel choose the interface and link-layer header.

scapy exposes the layers of a received or constructed packet through the indexing operator: pkt[IP] and pkt[TCP] return the corresponding layer (and raise if it is absent), and pkt.haslayer(TCP) tests for its presence. Relevant to this lab are the Ether, IP, and TCP classes. Layers are stacked with the / operator, and an application-layer payload is attached as a Raw layer, for example IP()/TCP()/Raw(load=b"..."), or, equivalently, with the aptly-named Packet.add_payload method.

While scapy automates much of the boilerplate of packet construction (it fills in lengths and checksums for any field you leave unset and picks a source address from the routing table), you will still need to specify a number of header fields at various layers yourself, in addition to the application-layer payload. In particular, make sure the addresses at each layer are correct, that each segment carries the right TCP flags, and that your sequence and acknowledgement numbers track the exchange: the SYN and the server's SYN-ACK each consume one sequence number, so the final ACK of the handshake carries seq = your ISN + 1 and ack = server ISN + 1. You will also need to sniff and inject on the interface that actually carries traffic to the ip_auth container in your development environment; confirm this with a Wireshark capture before debugging anything else. Finally, be aware that your host's kernel has no socket for a connection built this way and will answer the server's SYN-ACK with a RST of its own, tearing the connection down unless you drop those outgoing RSTs (on Linux, with an iptables OUTPUT rule matching your source port).
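The following is an added example, not part of the original lab handout or the ip_auth project. It performs the client side of the three-way handshake in plain Python over a raw socket, encoding the IPv4 and TCP headers by hand with struct instead of with scapy, so that the fields the text tells you to get right (addresses, flags, sequence and acknowledgement numbers, and the pseudo-header checksum that scapy otherwise fills in) are all visible. The addresses, ports and initial sequence number used below are placeholders, not the lab's values; run_handshake needs CAP_NET_RAW and a real server, while ClientHandshake and the encoder/parser functions can be exercised offline.

```python
import socket
import struct

# TCP flag bits (RFC 9293).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """The pseudo-header the TCP checksum covers in addition to the segment itself."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """20-byte TCP header (no options) plus payload, with the checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, flags, window, 0, 0)  # data offset = 5 words, csum 0 for now
    csum = checksum(tcp_pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, segment, ident=0, ttl=64):
    """20-byte IPv4 header around a TCP segment, with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def parse_packet(packet: bytes) -> dict:
    """Pull the handshake-relevant fields out of a raw IPv4+TCP packet and verify checksums."""
    ihl = (packet[0] & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    seg = packet[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    return dict(src_ip=src_ip, dst_ip=dst_ip, sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, window=window, payload=seg[(off_flags >> 12) * 4:],
                ip_checksum_ok=checksum(packet[:ihl]) == 0,
                tcp_checksum_ok=checksum(tcp_pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0)


class ClientHandshake:
    """Client-side bookkeeping for SYN -> SYN-ACK -> ACK (SND.NXT / RCV.NXT as in RFC 9293)."""

    def __init__(self, src_ip, dst_ip, sport, dport, isn):
        self.src_ip, self.dst_ip, self.sport, self.dport = src_ip, dst_ip, sport, dport
        self.isn = isn & 0xFFFFFFFF
        self.snd_nxt = self.rcv_nxt = None

    def _packet(self, seq, ack, flags, payload=b""):
        return build_ipv4(self.src_ip, self.dst_ip, build_tcp(
            self.src_ip, self.dst_ip, self.sport, self.dport, seq, ack, flags, payload))

    def syn(self) -> bytes:
        self.snd_nxt = (self.isn + 1) & 0xFFFFFFFF  # our SYN consumes one sequence number
        return self._packet(self.isn, 0, SYN)

    def is_our_synack(self, packet: bytes) -> bool:
        """Sniffer filter: a SYN-ACK from the server's port back to our port."""
        p = parse_packet(packet)
        return (p["src_ip"] == self.dst_ip and p["sport"] == self.dport
                and p["dport"] == self.sport and (p["flags"] & (SYN | ACK)) == (SYN | ACK))

    def ack(self, synack: bytes) -> bytes:
        """Validate the server's SYN-ACK and produce the final ACK of the handshake."""
        p = parse_packet(synack)
        if not self.is_our_synack(synack):
            raise ValueError("not a SYN-ACK for this connection")
        if p["ack"] != self.snd_nxt:
            raise ValueError("SYN-ACK acknowledges %d, expected %d" % (p["ack"], self.snd_nxt))
        self.rcv_nxt = (p["seq"] + 1) & 0xFFFFFFFF  # the server's SYN consumes one as well
        return self._packet(self.snd_nxt, self.rcv_nxt, ACK)


def run_handshake(src_ip, dst_ip, sport, dport, isn=0x1000, timeout=3.0):
    """Drive the handshake over a raw socket (needs CAP_NET_RAW). IP_HDRINCL means we supply
    the IP header; the same socket also receives every inbound TCP packet, hence the filter."""
    hs = ClientHandshake(src_ip, dst_ip, sport, dport, isn)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.settimeout(timeout)
        s.sendto(hs.syn(), (dst_ip, 0))
        while True:  # raises socket.timeout if the server never answers
            pkt, _ = s.recvfrom(65535)
            if len(pkt) >= 40 and hs.is_our_synack(pkt):
                break
        s.sendto(hs.ack(pkt), (dst_ip, 0))
    return hs
```

A call such as run_handshake("10.0.0.1", "10.0.0.2", 40000, 8080) (placeholder addresses and ports) sends the SYN, waits for the matching SYN-ACK, and sends the ACK; afterwards hs.snd_nxt and hs.rcv_nxt are the sequence numbers the first data segment in each direction must carry. Because the kernel has no socket for this connection, it will answer the SYN-ACK with a RST and tear the connection down unless you drop those RSTs first, for example on Linux with iptables -A OUTPUT -p tcp --tcp-flags RST RST --sport 40000 -j DROP (adjust the port). A scapy script built from Ether()/IP()/TCP() needs exactly the same bookkeeping and the same RST rule; scapy merely performs the encoding and checksumming shown in build_tcp and build_ipv4 for you.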

Submission Instructions

Submit in Canvas the source code for a program or script that successfully engages in a TCP three-way handshake with the ip_auth server using raw sockets.


© 2023 wkr