The goals of this lab are to:
- Learn how to sniff and inject network traffic using raw sockets
- Examine network traffic using tcpdump and wireshark
To begin, download the appropriate
image from Canvas (see the IP
spoofing assignment for more details). You will also want to install
wireshark and scapy if you do not
already have those installed.
In a cybersecurity context, packet captures are incredibly useful for
identifying or developing attacks. In this section of the lab, you will
use wireshark to capture and
examine traffic between a legitimate
ip_auth client and
server. Doing so will guide the development of your authentication
Wireshark has several main areas: the packet list, a protocol dissection of the currently-selected packet at different layers, and the raw bytes of the current packet. There is also a display filter input, which is exceedingly useful to restrict the set of packets that are displayed.
Wireshark also ships with many analyses that can give you a better
overview of what a capture contains than trying to look at each packet
one-by-one. One useful view is
Statistics -> Conversations, which allows you to sort
endpoints based on different fields at each layer. For instance, you can
filter based on byte or packet volume to quickly highlight nodes that
send or receive the most data. An additional built-in filter allows you
to extract the payloads of a particular TCP or TLS session. To do so,
you can right-click on a packet belonging to a stream of interest and
select the appropriate item under the
Injecting and Sniffing Traffic
Armed with insight into how a valid
appears on the wire, you will now start building an exploit script.
While there are many ways to go about this, we will demonstrate the use
of scapy, a
popular and flexible framework for raw packet capture and injection. In
particular, we will scaffold an exploit using AsyncSniffer
to reliably capture responses to the packets we inject. For injection,
we will use sendp,
which performs link-layer injection.1
scapy provides the map indexing operator to access the different layers of packets received or constructed by the framework. Relevant to this lab are the Ether, IP, and TCP classes. Application-layer payloads can be set using the aptly-named methods defined on the Packet class.
While scapy automates much of the boilerplate involved in packet construction, you will need to specify a number of header fields at various layers yourself in addition to application-layer payloads. In particular, you will need to ensure that your addresses at each layer are correct, that you are using the correct TCP flags and sequence numbers, etc. You will also need to ensure that you are sniffing and injecting on the correct network interface for your development environment.
Submit in Canvas the source code for a program or script that
successfully engages in a TCP three-way handshake with the
ip_auth server using raw sockets.