Python(scapy): how to sniff packets that are only outboun packets - python-3.x

how do I sniff packets that are only outbound packets?
I tried to sniff only destination port but it doesn't succeed at all

Quite easy indeed:
mac = get_if_hwaddr(conf.iface).lower()
sniff(lfilter=lambda pkt:pkt.haslayer(Ether) and pkt[Ether].src.lower()==mac)
If you want to print them:
sniff(lfilter=lambda pkt:pkt.haslayer(Ether) and pkt[Ether].src.lower()==get_if_hwaddr(conf.iface).lower(), prn=lambda x:x.summary())
You may use any other interface than conf.iface

Maybe you can get your device MAC address and filter any packets with that address as source address.

Related

Specify MTU value

I'm trying to pentest some IPSEC implementation for a uni project, and following this guide I'm stuck at:
Step 1 (common): Forging an ICMP PTB packet from the untrusted network The attacker first has to forge an appropriate ICMP PTB packet (a single packet is sufficient). This is done by eavesdropping a valid packet from the IPsec tunnel on the untrusted network. Then the attacker forges an ICMP PTB packet, specifying a very small MTU value equal or smaller than 576 with IPv4 (resp. 1280 with IPv6). The attacker can use 0 for instance. This packet spoofs the IP address of a router of the untrusted network (in case the source IP address is checked), and in order to bypass the IPsec protection mechanism against blind attacks, it includes as a payload a part of the outer IP packet that has just been eavesdropped. This is the only packet an attacker needs to send. None of the following steps involve the attacker.
I know what MTU is, but what does the bold statement mean?
How do I set the MTU size of a packet with scapy?
It means that I have to set the size of a IP packet less than 576 bytes?
It's already set to 140 B,at least it shows this with len command.
There's something that I didn't get right, maybe I have to set the fragmentation?
I know nothing about the subject, but some quick searching seems to indicate that it's referring to an IPv6 ICMP packet with a type of 2 ("packet too big").
Then from some poking around scapy, this appears to be how you'd create one:
from scapy.layers.inet6 import ICMPv6PacketTooBig
icmp_ptb = ICMPv6PacketTooBig(mtu=0)
Of course though, you'll need to do some testing to verify this.

Deauth attack with scapy in python

Hi I'm coming towards you cause I'm currently coding a framework for LAN attack to understand better how it works, and I want to add a deauth attack. Here is the code of the function, but it doesn't work and I do not understand what is wrong.
def disconnect(self):
target_mac = self.t_mac
gw_mac = self.gw_mac # gateway mac address
dot11 = Dot11(type=0, addr1=target_mac, addr2=gw_mac, addr3=gw_mac)
pkt = RadioTap()/dot11/Dot11Deauth(reason=7)
scapy.sendp(pkt, inter=0.1, count=1000, verbose=0)
I am on Windows 10, and analysis the exchange with wireshark.
The packet seems really weird on wireshark.
Hope you can give me some information to help.
Thanks in advance guys ;)
Packet Wireshark Dot11
A Dot11 packet with type 8 and subtype 12 is a Dot11Deauth packet.
So, when you define dot11 try this:
dot11 = Dot11(type=8, subtype=12, addr1=target_mac, addr2=gw_mac, addr3=gw_mac)
Also, try to put your interface in monitor mode and make sure to use a wireless interface (like wlan0, wlan1 and not eth0 wich is ethernet).
Run in shell this commands:
ifconfig <IFACE> down
iwconfig <IFACE> mode monitor
ifconfig <IFACE> up
where IFACE is the interface you want to use. Just run ifconfig to check wich one is available.

tcpreplay is sending packets out of order?

When I use 'tcpreplay' to send packets to my switch, I found that packets are out of order. For example, using tcpreplay -i eth1 test.pcap, I get:
I send packets like **[1,2,3,4,5,……]**,
but switch received **[1,3,4,2,5,……]**.
Does this problem look familiar? How did you solve it?
When you say switch received a different packet order- how are you determining this is the case? I ask because if you are sniffing on the switch port that would seem like a valid way to check for this, but if you're using a SPAN port then yeah, switches can re-order frames in my experience so I'm not that surprised.
When you run tcpdump on the tcpreplay box, which order does it show the packets being sent? Also, is there another switch in between? Because a lot of switches use a "store and forward" approach which can reorder frames (this is also why SPAN ports tend to re-order).
Lastly, tcpreplay always sends packets in order to the kernel/NIC driver/NIC because it processes the pcap file sequentially. If your computer is actually sending frames out of order, then that is happening either in the kernel, NIC driver or NIC hardware/firmware.

Linux: How to send a whole packet to a specific port on another host?

I have captured a TCP packet using libpcap, and I want to send this whole packet(without modifying it) to a specific port on another host(which has another sniffer listening to that port).
Is there any way I can do this?
Thanks a lot!
You didn't specify which programming language you're using and what you've tried so far.
Change the IP address field to the target IP and the TCP port field to the port you want. Don't forget to update both checksums.
If what you want is TCP forwarding, the Linux kernel already does this for you.
netcat may work in this case although I think you may have to reconstruct the header, have not tried.
How to escape hex values in netcat
The other option is to use iptables to tee the packet to the other sniffer while still catching it in you package analyzer
http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
Another option is using a port mirror, this goes by a few differnt names depending on the switch being used but it allows you to set a port on a a switch to be essentially a hub.
I think your best bet if you can't get netcat to work is to use iptables and you can add filters to that even.
I don't know whether you HAVE to use C or not, but even if you do, I would recommend building a prototype with Python/Scapy to begin with.
Using scapy, here are the steps:
Read the pcap file using rdpcap().
Grab the destination IP address and TCP destination port number (pkt.getlayer(IP).dst, pkt.getlayer(TCP).dport) and save it as a string in a format that you want (e.g. payload = "192.168.1.1:80").
Change the packet's destination IP address and the destination port number so that it can be received by the other host that is listening on the particular port.
Add the payload on top of the packet (pkt = pkt / payload)
Send the packet (sendp(pkt, iface='eth0'))
You will have to dissect the packet on the other host to grab the payload. Without knowing exactly what is on top of the TCP layer in the original packet, I can't give you an accurate code for this, but should be relatively straight forward.
This is all quite easy with Python/Scapy but I expect it to be much harder with C, having to manually calculate the correct offsets and checksums and things. Good luck, and I hope this helps.

Sniffing 802.3 eth packets with socket raw

I'd need to sniff on an interface BPDU (bridge protocol data unit) packets which are encapsulated in eth frames of type 802.3 with LLC header. I tried to open a socket raw:
skd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_802_3))
but trying to sniff packets i can't catch them. Looking at include/linux/if_ether.h seems that ETH_P_802_3 was a dummy type...is there a solution or i should use ETH_P_ALL and analize the EtherType field of the ethernet header?
Thank you all!
Sorry, I'm not sure if your question is regarding the ETH_P_ALL flag or if your sniffer simply doesn't work.
I would recommend using ETH_P_ALL and decoding the headers yourself.
If your sniffers not working, make sure that you have promiscuous mode on? From the command line, you can use ifconfig eth0 promisc, assuming your ethernet device is eth0. Or you can set the IFF_PROMISC flag on your device using ioctl.
All that said, unless you have a good reason not to, it's probably strongly worth your while to not reinvent the wheel and simply use libpcap.

Resources