Islamic University of Gaza, Faculty of Engineering, Computer Engineering Dept., Networking Lab
Lab #1 – part 4
Low level traffic analysis using Python
T.A. Eng. Ali Abu Harb
Prof. Aiman Ahmed Abu Samra
Supported by Eng. Ismael Al-safadi ❤
Requirements:
1. Virtual machine (VMware is recommended)
2. Linux OS (any distribution you want)
3. Wireshark installed (https://www.wireshark.org/download.html)
4. Python interpreter (https://www.python.org/downloads/)
5. Scapy library installed in Linux (https://pypi.org/project/scapy/); use this command to install scapy:
   root# pip install scapy
In this lab, we will talk about the three-way handshake and how we can perform it using scapy, what problem occurs if we do not follow the TCP/IP stack model, and how to solve that problem.
Activity #1: Test three way handshake using scapy
1) First of all, configure the VM network adapter in NAT mode (this may be given as a task).
Note:
The difference between Bridged and NAT is that in Bridged mode the VM is attached directly to the host's physical network card, so it takes its IP address from the physical LAN's switch or router, whereas in NAT mode VMware creates a virtual interface on the host (VMnet8) and the VM takes its IP address from that private virtual network.
After we change the network adapter, we must restart the machine or restart the networking service with this command: service networking restart
Then make sure that your Linux virtual machine is on the same subnet as the Windows host's virtual adapter, for example 192.168.190.x.
2) Consider the Windows machine (the main machine) to be the server and run "Server- TCP Reverse Shell.py"; make sure that you specify the IP address in the bind phase. So now open the server "Server- TCP Reverse Shell.py" on Windows (you can find this file in the attachment of lab 1) and put the IP address of the Windows virtual adapter in the server's bind call.
- See these images (the screenshots are not reproduced in this transcript).
- Be sure you replace the IP here with your Windows IP, then run this file. That's it!
3) Move to the VM and start customizing your packets following the 3-way handshake. You can find this code in the attachment file. So now I will do the 3-way handshake using scapy.
Q- What problem will occur if I do not follow the TCP/IP stack model?
A- If I send a SYN, receive the SYN-ACK, and then build the ACK packet and send it, the kernel will already have sent a RST and closed the connection, because it considers it an illegal connection! So now we will trace this problem and solve it.
But before that, let me remind you how the 3-way handshake works (figure not reproduced in this transcript):
After explaining the code, run it in your virtual machine (Linux). Now open Wireshark on Windows and choose the virtual interface. Important! Do not forget to choose the interface of the virtual machine (VMnet)! (See the video of this lab for more information if you are not sure.)
So, let's recap: you will run the server on Windows, then the client on Linux to send the packets, then see the result in Wireshark. You will find something like this (screenshot not reproduced in this transcript):
The big question here is, why the RST flag was sent ?
4) Now you may have noticed that the VM sends an R (RST) flag to forcibly terminate the connection. The cause: Scapy creates its own socket and bypasses the whole kernel TCP/IP stack.
The kernel doesn't know about the connection and correctly sends a RST packet in response to the second part of the handshake (the server's SYN-ACK), because it never requested the connection.
You can solve this problem with a trivial workaround: drop outgoing packets that carry the RST flag using the iptables firewall.
Use this rule (replace 192.168.78.130 with the IP address of your Linux VM): iptables -A OUTPUT -p tcp --tcp-flags RST RST -s 192.168.78.130 -j DROP
Caveat: this rule silences every RST the VM would send, not only the one for this handshake, so restrict it to the lab port with --dport, or delete it again when you are done (iptables -D OUTPUT with the same arguments).
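As an added example (my own code, not the lab's attachment script): the handshake described above driven by Scapy from user space, with the flag check and the sequence/acknowledgement arithmetic kept in small pure functions so they can be verified without a network. The server address 192.168.190.1:4444 and the 3-second timeout are assumptions for this example. It must run as root on the Linux VM, and it only completes the handshake if the iptables RST-drop rule above is in place; otherwise the kernel's RST wins the race.

```python
"""Three-way handshake from user space with Scapy.

Added example, not the lab's attachment code. Assumed lab addresses:
the Windows server listens on 192.168.190.1:4444. Run as root on the
Linux VM with the iptables RST-drop rule in place, otherwise the kernel
answers the server's SYN-ACK with a RST before our ACK goes out.
"""
import random

# TCP flag bits (the values Scapy reports in pkt[TCP].flags)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

SERVER_IP = "192.168.190.1"     # assumption for this example
SERVER_PORT = 4444              # assumption for this example


def is_syn_ack(flags: int) -> bool:
    """Second packet of the handshake: SYN and ACK set, and not a RST (closed port)."""
    return (flags & (SYN | ACK)) == (SYN | ACK) and not flags & RST


def ack_numbers(client_isn: int, server_seq: int) -> tuple:
    """(seq, ack) for the third packet.

    Our SYN consumed one sequence number, so seq = client ISN + 1; the ack
    acknowledges the server's SYN, so ack = server ISN + 1 (mod 2**32).
    """
    return (client_isn + 1) & 0xFFFFFFFF, (server_seq + 1) & 0xFFFFFFFF


def handshake(sport: int = None, timeout: float = 3):
    """Send SYN, wait for SYN-ACK, send ACK. Returns (seq, ack) or None."""
    from scapy.all import IP, TCP, sr1, send   # imported here: needs root and a real interface

    sport = sport or random.randint(1024, 65535)
    isn = random.randint(0, 0xFFFFFFFF)
    ip = IP(dst=SERVER_IP)

    # 1) SYN
    syn = ip / TCP(sport=sport, dport=SERVER_PORT, flags="S", seq=isn)
    reply = sr1(syn, timeout=timeout, verbose=0)

    # 2) SYN-ACK (a RST-ACK here means the port is closed or the server is down)
    if reply is None or TCP not in reply or not is_syn_ack(int(reply[TCP].flags)):
        return None

    # 3) ACK, with seq/ack derived from the two initial sequence numbers
    seq, ack = ack_numbers(isn, reply[TCP].seq)
    send(ip / TCP(sport=sport, dport=SERVER_PORT, flags="A", seq=seq, ack=ack), verbose=0)
    return seq, ack


if __name__ == "__main__":
    result = handshake()
    if result:
        print("handshake completed, seq/ack =", result)
    else:
        print("no SYN-ACK received (is the server running and the IP correct?)")
```

Watch the capture in Wireshark while this runs: without the iptables rule you will see SYN, SYN-ACK, then the kernel's RST, and the server closes the socket; with the rule in place the third packet is our ACK and the server sees an established connection.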
Activity #2 Sniffing using python
Sniffing is the process of monitoring and capturing all data packets that pass through a given network, using software (an application) or a hardware device.
1- Hardware.
SPAN [Switch Port Analyzer]
(Tap vs SPAN diagram not reproduced in this transcript.) Port mirroring, also known as SPAN (Switched Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.
Network TAP [Test Access Point]
A hardware tool that allows you to access and monitor your network. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.
2- Software.
Here we will use the raw socket, which is part of the POSIX sockets API; it lets us monitor low-level traffic (on Linux, an AF_PACKET raw socket returns the whole frame including the Ethernet header).
Notes:
Data is transmitted on the network in big-endian (network byte order), while most hosts (x86) store multi-byte integers in little-endian order.
So when I receive data from the network on my computer, I must convert multi-byte fields from big-endian to the host's byte order (ntohs/ntohl), and do the reverse when sending.
So we will let the struct module help us! struct can pack Python values into C-style binary data and unpack that data back into Python values, and the '!' prefix in its format string selects network (big-endian) byte order.
struct — Interpret bytes as packed binary data (from the Python documentation)
This module performs conversions between Python values and C structs represented as Python bytes objects. This can be used in handling binary data stored in files or from network connections, among other sources. It uses Format Strings as compact descriptions of the layout of the C structs and the intended conversion to/from Python values
Some Important Functions struct.pack(format, v1, v2, ...)
Return a bytes object containing the values v1, v2, … packed according to the format string format. The arguments must match the values required by the format exactly.
struct.unpack(format, buffer)
Unpack from the buffer buffer (presumably packed by pack(format, ...)) according to the format string format. The result is a tuple even if it contains exactly one item. The buffer’s size in bytes must match the size required by the format, as reflected by calcsize().
struct.calcsize(format)
Return the size of the struct (and hence of the bytes object produced by pack(format, ...)) corresponding to the format string format.
Format Characters
(The table of format characters from the Python struct documentation is not reproduced in this transcript.)
Note: A format character may be preceded by an integral repeat count. For example, the format string '4h' means exactly the same as 'hhhh'.
Whitespace characters between formats are ignored; a count and its format must not contain whitespace though.
For the 's' format character, the count is interpreted as the length of the bytes, not a repeat count like for the other format characters; for example, '10s' means a single 10-byte string, while '10c' means 10 characters. If a count is not given, it defaults to 1. For packing, the string is truncated or padded with null bytes as appropriate to make it fit. For unpacking, the resulting bytes object always has exactly the specified number of bytes. As a special case, '0s' means a single, empty string (while '0c' means 0 characters).
Examples:
(The screenshots of the examples are not reproduced in this transcript.)
Use '!' in the format string to select network (big-endian) byte order. pack() returns its result as a bytes object, displayed in hex; so here I convert from a Python value to its C representation, shown as hex bytes. Data arrives from the network in that C form, and I convert it back to Python values using unpack().
Now, let's take bigger examples about sniffing!
1- Let's explain the Python sniffer line by line. Open the file simple_sniffer.py; you can find it in the attachment files (the code is not reproduced in this transcript).
The socket.htons(0x0800) argument selects the protocol of interest: 0x0800 is ETH_P_IP, so the socket would receive only IPv4 frames. htons() is needed because the kernel expects this protocol number in network byte order.
We use 3 in our sniffer: #define ETH_P_ALL 0x0003, every packet (be careful!! this delivers every frame on every interface, so the output is large).
All the definitions are in if_ether.h in /usr/include/linux.
Explain the code!
PF_PACKET (AF_PACKET): a Linux-specific socket address family (not a system call); it does not exist on Windows, so the sniffer must run on Linux.
SOCK_RAW: gives me the raw frame including the link-layer header, which enables low-level traffic analysis and packet customization.
raw_data, addr = conn.recvfrom(65536): receives data from the socket. The return value is a pair (bytes, address), where bytes is a bytes object containing the data received and address is the address of the socket sending the data (for AF_PACKET, a tuple that starts with the interface name).
2- Understanding "packetSniffer.py" line by line & practical part
>> see the code in the attachment file (not reproduced in this transcript)
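As an added example (my own code, not the lab's simple_sniffer.py or packetSniffer.py): a raw-socket sniffer that dissects the Ethernet, IPv4, ICMP, TCP and UDP header layouts listed under "Very important images" with struct, using the '!' network-byte-order prefix from the notes above. The parsers are pure functions and are exercised on a constructed TCP SYN frame built with struct.pack (made-up MAC and IP addresses, checksums left at zero), so the parsing part runs on any OS; capture() needs root on Linux because AF_PACKET is Linux-only.

```python
"""Raw-socket sniffer with struct-based header parsing.

Added example, not the lab's own code. The parse_* functions are pure;
capture() is Linux-only and needs root (AF_PACKET raw socket).
"""
import socket
import struct

ETH_P_ALL = 0x0003          # /usr/include/linux/if_ether.h: every protocol
ETH_P_IP = 0x0800           # IPv4
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def mac(raw: bytes) -> str:
    """6 raw bytes -> 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    # 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType; '!' = network (big-endian) order
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac(dst), "src": mac(src), "type": ethertype, "payload": frame[14:]}


def parse_ipv4(data: bytes) -> dict:
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (> 20 when options are present)
    return {"version": ver_ihl >> 4, "header_len": ihl, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": data[ihl:total_len]}   # total_len trims Ethernet padding on short frames


def parse_icmp(data: bytes) -> dict:
    icmp_type, code, _csum = struct.unpack("!BBH", data[:4])
    return {"type": icmp_type, "code": code, "payload": data[4:]}


def parse_tcp(data: bytes) -> dict:
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHLLHHHH", data[:20])
    offset = (off_flags >> 12) * 4      # data offset: header length in bytes
    bits = off_flags & 0x1FF
    flags = {"FIN": bool(bits & 0x01), "SYN": bool(bits & 0x02), "RST": bool(bits & 0x04),
             "PSH": bool(bits & 0x08), "ACK": bool(bits & 0x10)}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "header_len": offset, "flags": flags, "payload": data[offset:]}


def parse_udp(data: bytes) -> dict:
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport, "length": length, "payload": data[8:length]}


def parse_frame(frame: bytes) -> dict:
    """Dissect one Ethernet frame down to the transport header."""
    result = {"eth": parse_ethernet(frame)}
    if result["eth"]["type"] != ETH_P_IP:
        return result                   # ARP, IPv6, ...: not handled here
    ip = parse_ipv4(result["eth"]["payload"])
    result["ip"] = ip
    if ip["proto"] == IPPROTO_ICMP:
        result["icmp"] = parse_icmp(ip["payload"])
    elif ip["proto"] == IPPROTO_TCP:
        result["tcp"] = parse_tcp(ip["payload"])
    elif ip["proto"] == IPPROTO_UDP:
        result["udp"] = parse_udp(ip["payload"])
    return result


def build_sample_syn_frame() -> bytes:
    """Constructed test input (made-up addresses, zero checksums): Ethernet/IPv4/TCP SYN."""
    tcp = struct.pack("!HHLLHHHH", 40000, 4444, 1000, 0, (5 << 12) | 0x02, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton("192.168.190.130"), socket.inet_aton("192.168.190.1"))
    eth = struct.pack("!6s6sH", bytes.fromhex("005056c00008"), bytes.fromhex("000c29aabbcc"), ETH_P_IP)
    return eth + ip + tcp


def capture(count: int = 10):
    """Yield parsed frames from all interfaces (Linux, root)."""
    conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(ETH_P_ALL))
    for _ in range(count):
        raw_data, _addr = conn.recvfrom(65536)
        yield parse_frame(raw_data)


if __name__ == "__main__":
    for pkt in capture(20):
        layer = pkt.get("tcp") or pkt.get("udp") or pkt.get("icmp")
        print(pkt["eth"]["src"], "->", pkt["eth"]["dst"], pkt.get("ip", {}).get("src"), layer)
```

The same unpack() format strings, read against the header diagrams, are the whole "line by line" of a sniffer: every field is a fixed-width big-endian integer or byte string at a known offset, and the only variable parts are the IPv4 IHL and the TCP data offset, which the code uses to find where the payload starts.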
Very important images (header layouts; the figures are not reproduced in this transcript):
1- Ethernet frame
2- IP header
3- ICMP header
4- TCP header
5- UDP header
The End *_*