Source: site.iugaza.edu.ps/aabuharb/files/2020/03/lab1_part4.pdf

Islamic University of Gaza, Faculty of Engineering, Computer Engineering Dept., Networking Lab

Lab #1 – part 4

Low level traffic analysis using Python

T.A. Eng. Ali Abu Harb

Prof. Aiman Ahmed Abu Samra

Supported by Eng. Ismael Al-safadi ❤

Requirements:

1. Virtual machine (VMWare is recommended)
2. Linux OS (any distribution you want)
3. Wireshark installed (https://www.wireshark.org/download.html)
4. Python interpreter (https://www.python.org/downloads/)
5. Scapy library installed in Linux (https://pypi.org/project/scapy/); use this command to install scapy: root# pip install scapy

In this lab, we will talk about the three-way handshake and how we can perform it using scapy, what the problem is if we do not follow the TCP/IP stack model, and how we solve that problem.

Activity #1: Test the three-way handshake using scapy

1) First of all, configure the VM network adapter in NAT mode (this may be set as a task).


Note:

The difference between Bridged and NAT is that Bridged mode takes physical access to my network card, so the VM gets its IP from my switch or router, whereas NAT mode creates a virtual interface, so the VM gets its IP from that virtual interface.

After we change the network adapter, we must restart the machine or restart the networking service using this command: service networking restart

Then make sure the subnet of your Linux virtual machine is the same subnet as Windows, for example 192.168.190.x.

2) Consider the Windows machine (the main machine) as the server and run "Server- TCP Reverse Shell.py"; make sure that you specify the IP in the bind phase.

- So now open the server "Server- TCP Reverse Shell.py" on Windows; you can find this file in the attachment file of lab1.
- Put the IP of the virtual machine in the server.


- See these images (shown in the original handout):
- Be sure you replace the IP here with your Windows IP, then run this file. That's it!


3) Move to the VM and start customizing your packets following the 3-way handshake.

You can find this code in the attachment file. So now I will do the 3-way handshake using scapy.

Q- What problem will occur if I do not follow the TCP/IP stack model?

A- If I send a SYN, get the (SYN-)ACK back, and then craft the next packet and send it myself, the OS kernel will send a RST flag and close the connection, because it considers the connection illegal! So now we will trace this problem and solve it.

But before that, let me remind you how the 3-way handshake works.


After explaining the code, run it in your virtual machine (Linux). Now open Wireshark on Windows and choose the virtual interface. Important! Do not forget to choose the interface of the virtual machine (see the video of this lab for more information if you are not sure).

So, let's recap: you will run the server on Windows, then the client on Linux to send packets, then see the result in Wireshark. You will find something like this:

The big question here is: why was the RST flag sent?

4) Now you may have noticed that the VM sends an R (RST) flag to forcibly terminate the connection. The cause is that Scapy creates its own socket and bypasses the whole TCP/IP stack.

The kernel doesn't know about the connection and correctly sends a RST packet in response to the second part of the handshake, because it never requested the connection.

You can solve this problem with a trivial workaround: drop outgoing packets that have the RST flag using the iptables firewall, with this rule:

iptables -A OUTPUT -p tcp --tcp-flags RST RST -s 192.168.78.130 -j DROP

The -s address is the VM's own IP, so only RST segments originating from this host are dropped. Remove the rule again (iptables -D OUTPUT with the same arguments) once the experiment is done, because while it is in place the kernel cannot abort any TCP connection normally.


Activity #2: Sniffing using python

Sniffing is the process of monitoring and capturing all data packets that pass through a given network, using software (an application) or a hardware device.

1- Hardware.

SPAN [Switch Port Analyzer]

Port mirroring, also known as SPAN (Switched Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.

Network TAP [Test Access Point]

A hardware tool that allows you to access and monitor your network. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.

2- Software.

We will use the raw socket here, which is part of the POSIX socket API; it enables us to monitor low-level traffic.

Notes:

Data is transmitted on the network in network byte order (big-endian), while the host CPU typically stores it in little-endian order.

So, when I receive data from the network on my computer, I must convert it from big-endian to the host's (little-endian) order.

So we will let the struct module help us! The struct module can interpret the data and convert between Python types and C types.


struct — Interpret bytes as packed binary data

This module performs conversions between Python values and C structs represented as Python bytes objects. This can be used in handling binary data stored in files or from network connections, among other sources. It uses Format Strings as compact descriptions of the layout of the C structs and the intended conversion to/from Python values.

Some Important Functions

struct.pack(format, v1, v2, ...)

Return a bytes object containing the values v1, v2, … packed according to the format string format. The arguments must match the values required by the format exactly.

struct.unpack(format, buffer)

Unpack from the buffer buffer (presumably packed by pack(format, ...)) according to the format string format. The result is a tuple even if it contains exactly one item. The buffer's size in bytes must match the size required by the format, as reflected by calcsize().

struct.calcsize(format)

Return the size of the struct (and hence of the bytes object produced by pack(format, ...)) corresponding to the format string format.

Format Characters


Note: A format character may be preceded by an integral repeat count. For example, the format string '4h' means exactly the same as 'hhhh'.

Whitespace characters between formats are ignored; a count and its format must not contain whitespace though.

For the 's' format character, the count is interpreted as the length of the bytes, not a repeat count like for the other format characters; for example, '10s' means a single 10-byte string, while '10c' means 10 characters. If a count is not given, it defaults to 1. For packing, the string is truncated or padded with null bytes as appropriate to make it fit. For unpacking, the resulting bytes object always has exactly the specified number of bytes. As a special case, '0s' means a single, empty string (while '0c' means 0 characters).

Examples:

Use "!" in the format string to select network (big-endian) byte order. pack() turns the Python values into bytes laid out as the C struct, which are displayed in hex. So here I convert from Python types to C types, and on to the hex byte string; on the receiving side the data arrives as C types, and I need to convert from C back to Python types using unpack().


Now, let's take bigger examples about sniffing!

1- Let's explain the python sniffer line by line. Open the file simple_sniffer.py; you can find it in the attachment files.


The socket.htons(0x0800) argument selects the protocol of interest: the 0x0800 code is the EtherType that defines the protocol ETH_P_IP.

We use 3 in our sniffer: #define ETH_P_ALL 0x0003 /* Every packet (be careful!!!) */

All the definitions are in "if_ether.h" under /usr/include/linux.

Explain code!

PF_PACKET: a Linux-specific socket family (passed to the socket() system call); it does not exist on Windows, so the sniffer must run on Linux. SOCK_RAW: lets me work with low-level traffic and customize packets. raw_data, addr = conn.recvfrom(65536): receive data from the socket. The return value is a pair (bytes, address), where bytes is a bytes object representing the data received and address is the address of the socket sending the data.

2- Understanding "packetSniffer.py" line by line & practical part

>> see the code in the attachment file


Very important images (header layouts, shown as figures in the original handout):

1- Ethernet frame
2- IP header
3- ICMP header
4- TCP header
5- UDP header
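As an added example (not the lab's own simple_sniffer.py or packetSniffer.py from the attachment), here is the parsing half of such a sniffer: it walks the Ethernet, IP and TCP headers listed above with struct.unpack and "!" (network byte order), checks the IPv4 header checksum, and names the TCP flags, so the SYN / SYN-ACK / RST of Activity #1 can be recognised in a capture. The frame it decodes is built with struct.pack from constructed, made-up MAC and IP addresses, so it runs offline.

```python
import socket
import struct

ETH_P_IP = 0x0800  # EtherType for IPv4 (linux/if_ether.h)
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words in network (big-endian) order."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet, IPv4 and TCP headers of one raw frame, as returned by recvfrom()."""
    # Ethernet: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType ('!' = network byte order)
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    out = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "eth_type": eth_type}
    if eth_type != ETH_P_IP:
        return out
    ip = frame[14:]
    # IPv4: ver/IHL, TOS, total length, ID, flags+fragment offset, TTL, proto, checksum, src, dst
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; more than 20 means IP options present
    out.update(ip_src=socket.inet_ntoa(src), ip_dst=socket.inet_ntoa(dst), ttl=ttl, proto=proto,
               ip_checksum_ok=ipv4_checksum(ip[:ihl]) == 0)  # a valid header sums to zero
    if proto != socket.IPPROTO_TCP:
        return out
    tcp = ip[ihl:total_len]
    # TCP: ports, seq, ack, data offset (high 4 bits) + flags (low 9 bits), window, csum, urg
    sport, dport, seq, ack, off_flags, _, _, _ = struct.unpack("!HHLLHHHH", tcp[:20])
    out.update(sport=sport, dport=dport, seq=seq, ack=ack,
               flags=[n for bit, n in sorted(TCP_FLAG_BITS.items()) if off_flags & bit],
               payload=tcp[(off_flags >> 12) * 4:])
    return out

def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Constructed test frame: the reverse of parse_frame, packed with the same '!' formats."""
    tcp = struct.pack("!HHLLHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    eth = struct.pack("!6s6sH", bytes.fromhex("0c2912000001"), bytes.fromhex("0c2912000002"), ETH_P_IP)
    return eth + ip + tcp

# Constructed sample (addresses are made up): the RST the Linux VM emits in Activity #1.
SAMPLE_RST = build_tcp_frame("192.168.190.130", "192.168.190.1", 40000, 4444, 1001, 0, 0x04)
```

On Linux, the same parse_frame() can be fed live frames from socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3)).recvfrom(65536), run as root, exactly as the lab's sniffer does.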

The End *_*