Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP...
59
Packet Sniffing and Spoofing Chester Rebeiro IIT Madras Some of the slides borrowed from the book ‘Computer Security: A Hands on Approach’ by Wenliang Du
Transcript of Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP...
![Page 1: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/1.jpg)
Packet Sniffing and Spoofing ChesterRebeiroIITMadras
Someoftheslidesborrowedfromthebook‘ComputerSecurity:AHandsonApproach’byWenliangDu
![Page 2: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/2.jpg)
Shared Networks Everynetworkpacketreacheseverycomputer'snetworkInterfacecard,whichthenfilterspacketsbasedontheMACaddress.
Anetworkpackethasmultipleconcatenatedcomponents.
![Page 3: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/3.jpg)
Packet Flow in the System
NetworkCard
networkpacket
checkifdestinationaddressmatchesthecard'sMACaddress
DMAtransferofpackettokernelmemory
Hardware
Kernelbuffer
LinkLevelDriver
ProtocolStackProtocolStack
Kernel
UserSpaceApplicationsonlyreceivepacketsthataremeantfortheCPUandtheregisteredport
KernelonlyreceivepacketsthataremeantfortheCPU
Allpacketsonthenetworkarrivehere
![Page 4: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/4.jpg)
From the Software
![Page 5: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/5.jpg)
From Software Domain:IPV4.OtheralternativesareAF_INET6andmanymore
Type:datagram,connectionless,fixedlength,unreliable
associateanaddresswiththesocketwiththebindcall
![Page 6: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/6.jpg)
From Software
htons():unsignedshortfromhostordertonetworkorderhtonl():unsignedlongfromhostordertonetworkorderntohs():unsignedshortnetworktohostorderntohl():unsignedlong,networktohostorder
![Page 7: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/7.jpg)
Promiscuous Mode
NetworkCard(P)
networkpacket
Nofilteringdoneifthenetworkcardisworkinginpromiscuousmode
DMAtransferofpackettokernelmemory
Hardware
Kernelbuffer
LinkLevelDriver
ProtocolStack
Kernel
UserSpaceApplicationcanreceivesallpacketsthattheNICreceives.
KernelreceiveallpacketsthattheNICreceives
Allpacketsonthenetworkarrivehere
![Page 8: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/8.jpg)
Packet Sniffers
• Applicationsthatregisterwiththekernelsoastocaptureallpacketsseeninthenetwork.
• Typicallyrequiressuperuserpermissions
![Page 9: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/9.jpg)
Packet Sniffers SpecifythatthesocketyouwanttocreateisaRAWsocket.
Protocolfamily:AF_PACKETimplieslowlevelprotocol
![Page 10: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/10.jpg)
Packet Sniffers Whattypeofpacketsshouldwereceive?ETH_P_ALL,impliesallprotocols.Otheroptionsareforinstance,ETH_P_IP,foronlyIPpackets.
![Page 11: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/11.jpg)
Packet Sniffers ConfiguretheNICtoensurethatallpacketsareacceptedandpassedtothekernel.Ignorethedestinationfieldinthepackets.
![Page 12: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/12.jpg)
Packet Sniffers SpecifythatthesocketyouwanttocreateisaRAWsocket.
RAWSOCKETAnapplicationcreatinganormalsocketlikeastreamordatagram,willnotreceivethepacketheaders.InformationlikeMACaddress,sourceIP,etc.isnotreceived.Insteadonlythepayloadpresentineachpacket.Inrawsockets,theheadersarenotclipped.Applicationobtainsanuninterceptedpacket.
![Page 13: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/13.jpg)
Flooding of Packets in User Space
• Applicationsthatregisterwiththekernelsoastocaptureallpacketsseeninthenetwork.
• Typically,sniffersareonlyinterestedinasmallsubsetofpackets,alltheotherpacketsarediscarded.
• Improvesperformanceconsiderably(lessprocessingtime)• Wouldrequiremuchlessexpensivehardware
• Filtering:BSDpacketfiltering(BPF)providesameansbywhichsnifferscanspecifytothekernel,thepacketstheyareinterestedin.
![Page 14: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/14.jpg)
Filter Requirements
• Mustbeprogrammable• Eachsniffermaybeinterestedinadifferentsetofpackets.
• MustbeasclosetotheNICaspossible(filterasearlyaspossible)• Rulesoutuser-spacefiltering• Kernelbasedfiltering• Hardwarebasedfiltering
![Page 15: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/15.jpg)
Operating System Filters
NetworkCard(P)
networkpacket
Nofilteringdone,ifthenetworkcardisworkinginpromiscuousmode
DMAtransferofpackettokernelmemory
Hardware
Kernelbuffer
LinkLevelDriver
ProtocolStack
Kernel
UserSpace
SnifferonlyreceivesallpacketsthattheNICreceivesANDthatpassthefilter.
KernelreceiveallpacketsthattheNICreceives
Allpacketsonthenetworkarrivehere
Filter
Sniffer
buffer
Filter
tcpdump
buffer
![Page 16: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/16.jpg)
BSD Packet Filters (BPF)
• 1992,StevenMcCanneandVanJacobsonfromLawrenceBerkeleyLaboratory
• IncorporatedinLinuxkernelin1997• Variantsstillusedinlatestversions
• JITengine• Lowlevellanguagedefined• Userlevelapplicationwritesfilterrulesusingthislanguageandattachesittoasocket
• Thekernel,verifiessanityoftheserulesandthenappliesthemtoallpacketsitreceives.
![Page 17: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/17.jpg)
bpf architecture
https://www.kernel.org/doc/Documentation/networking/filter.txt
Architecture
![Page 18: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/18.jpg)
![Page 19: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/19.jpg)
bpf architecture
https://www.kernel.org/doc/Documentation/networking/filter.txt
InstructionSet
![Page 20: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/20.jpg)
bpf architecture
https://www.kernel.org/doc/Documentation/networking/filter.txt
AddressingModes
![Page 21: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/21.jpg)
bpf architecture
https://www.kernel.org/doc/Documentation/networking/filter.txt
Extensions
![Page 22: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/22.jpg)
bpf asm example Load2bytes(halfword)fromthe12thoffsetinthepacket
https://en.wikipedia.org/wiki/EtherType
Avalueof0x0800indicatesthatdataisanIPv4packet
![Page 23: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/23.jpg)
bpf asm example ReacheshereonlyifitisanIPv4packet.WenowcheckifitisaTCPpacket
https://en.wikipedia.org/wiki/EtherType
Atoffset23,avalueof6indicatesthatdataisaTCPpacket
14
IPV4Header
![Page 24: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/24.jpg)
bpf asm another example
Randomlysample25%oftheICMPpackets
![Page 25: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/25.jpg)
bpf_asm
bpf_asm
Bpfassembly
Bpfopcode
![Page 26: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/26.jpg)
bpf in the Linux kernel
• JITcompilerbuiltintotheLinuxkernel• Canbeenabledasfollows:
• Internally64-bitkernelsuseanenhancedBPF(eBPF)format• Internally32-bitkernelsusetheclassicalBPFformat
echo1>/proc/sys/net/core/bpf_jit_enable
![Page 27: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/27.jpg)
Usage in Linux
filtertodumppacketsoninterfaceem1port22.
Createarawsocketandattachthefilter.
![Page 28: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/28.jpg)
setsockopt
• SO_ATTACH_FILTER:attachafiltertoasocket• SO_DETACH_FILTER:detachafilterfromasocket.• SO_LOCK_FILTER:lockafiltertoasocket.Thefiltercannotbedetachedormodified.Anyattempttodetachalockedfilterwillresultinanerror.
![Page 29: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/29.jpg)
Enhanced BPF • Instructionslooksmorelikethatofthenativearchitecture(makescodingsimpler)
• 10registers(R0toR9)insteadof2registers(A,X)witheachregister64bitinsteadof32bit
• AFrameRegister(R10)
![Page 30: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/30.jpg)
Enhanced BPF
• RestrictedCcompiledtoeBPF(C->eBPF->nativecode).• Closer(1-to-1)mappingfromeBPFtonativecode• Instructionslooksmorelikethatofthenativearchitecture(makescodingsimpler)
• 10registers(R0toR9)insteadof2registers(A,X)witheachregister64bitinsteadof32bit
• AFrameRegister(R10)• jt/jfreplacedwithjf/fall-through• bpf_callinstructionwhichcancallotherkernelfunctions
![Page 31: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/31.jpg)
Checks in the Kernel
• Beforeattachingafilter,thefollowingchecksneedtobeperformed.• BPFprogramterminates(doesnothaveanyloops)
• Depthfirstsearchoftheprogram'scontrolflowgraph• Unreachableinstructionsareprohibited
• VerifybysinglesteppingthrougheachlineintheBPFprogram• Ensurevirtualmachinestateandcheckifthestackisvalid• Preventout-of-boundjumpsandout-of-rangedata
• Ensurenopointerarithmetic• Ensureregistersarenotreadbeforebeingaccessed
![Page 32: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/32.jpg)
Limitations
• Notportable.ProgramswrittenforoneoperatingsystemmaynotworkonanotherOS(NocommonAPI)
• Optimizationsinthefilteringnoteasilyachieved.TheJITcompilerintheOScannotextractoptimizations.
• Usabilityisnoteasy.ProgrammerswouldneedtoefficientlydevelopBPFcode.
![Page 33: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/33.jpg)
PCap (Packet Capture)
• ItisalibrarythatprovidesAPIsforpacketcapture.• Hasacompiler(pcap_compile)that
• TakesasinputfilteringrulesusinghumanreadableBooleanexpressions.• ConvertstheBooleanexpressionsintoBPFpseudo-code,whichcanbeusedbythekernel.
• WelldefinedAPIsavailableonmanyplatforms:• PortinLinuxiscalledlibpcap• PortinWindowsiscalledWinPCap.(APIsarecommonacrossports)
![Page 34: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/34.jpg)
PCap filter expressions
Threetypesofqualifiers:type,dir,proto1.type:identifierofamachine,portnumberetc.Optionsinclude:host,net,port,portrangeExamples:hostiitm.ac.inport5000portrange5000-6000
https://linux.die.net/man/7/pcap-filter
![Page 35: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/35.jpg)
PCap filter expressions
Threetypesofqualifiers.2.dir:transferdirectionstoorfromtheid.Optionsinclude:src,dst,srcordst,srcanddst,Examples:srchostiitm.ac.insrcordstport5000(equivalenttoport5000)portrange5000-6000
https://linux.die.net/man/7/pcap-filter
![Page 36: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/36.jpg)
PCap filter expressions Threetypesofqualifiers.3.proto:transferdirectionstoorfromtheid.Optionsinclude:ether,fddi,tr,wlan,ip,ip6,arp,rarp,decnet,tcpandudpExamples:• ethersrcfoo:allethernetpacketswherethesourceaddressishostfoo• arpnet128.3:allarppacketstonetwork128.3• tcpport21:alltcppacketstoport21• udpportrange7000-7009
https://linux.die.net/man/7/pcap-filter
![Page 37: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/37.jpg)
PCap Filter examples
• Examples:
https://linux.die.net/man/7/pcap-filter
hostfooandnotportftpandnotportftp-dataAnytrafficfrom/tothehostnamefooexcepttrafficonftpandftp-dataports
gatewaysnupand(portftporftp-data)AllFTPtrafficthroughthegatewapsnup
gatewaysnupandip[2:2]>576Allgatewaytrafficthroughsnupwithsizegreaterthan576bytes
ether[0]&1=0andip[16]>=224
IPbroadcastormulticasttrafficthatwerenotsentviaEthernetbroadcast/multicastByte0LSB1inEthernetframeindicatesabroadcastIPbroadcasthavedestinationaddress224.0.0.0to239.255.255.255
![Page 38: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/38.jpg)
PCap Filter examples
• Examples:
https://linux.die.net/man/7/pcap-filter
hostheliosand\(hotorace\)
ipandnotnetlocalnet
tcp[tcpflags]&(tcp-syn|tcp-fin)!=0andnotsrcanddstnetlocalnet
![Page 39: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/39.jpg)
PCap Filter examples
• Examples:
https://linux.die.net/man/7/pcap-filter
hostheliosand\(hotorace\)Anytrafficfromthehostnameheliosandwithdestinationhotoracewillbelogged.
ipandnotnetlocalnetTrafficthatisnotsourcedordestinedforlocalhosts
tcp[tcpflags]&(tcp-syn|tcp-fin)!=0andnotsrcanddstnetlocalnetstartandendpackets(theSYNandFINpackets)ofeachTCPconversationthatinvolvesanon-localhost.
![Page 40: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/40.jpg)
tcpdump (uses PCap library) OutputtheBPFcodefortheinputpredicate
FilterIPandUDPpackets
LowlevelBPFoutput
![Page 41: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/41.jpg)
Packet Sniffing using PCap API
IsfilledwiththepacketReceived.ThiscontainstherawICMPpacket
fillscompiledBPFprograminfp.Hastheformstructbpf_program*fp
![Page 42: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/42.jpg)
Processing Ethernet Header
![Page 43: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/43.jpg)
Processing Ethernet Header
![Page 44: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/44.jpg)
Processing IP Packet
*packet
*(packet+sizeof(structethheader))
![Page 45: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/45.jpg)
Processing IP Header
![Page 46: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/46.jpg)
Further Processing of Packet • Ifwewanttofurtherprocessthepacket,suchasprintingouttheheaderoftheTCP,UDPandICMP,wecanusethesimilartechnique.
• Wemovethepointertothebeginningofthenextheaderandtype-cast• WeneedtousetheheaderlengthfieldintheIPheadertocalculatetheactualsizeoftheIPheader
• Inthefollowingexample,ifweknowthenextheaderisICMP,wecangetapointertotheICMPpartbydoingthefollowing:
![Page 47: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/47.jpg)
Packet Spoofing
![Page 48: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/48.jpg)
Sending Normal Packets Using Sockets
-luv:listenforincomingUDPpackets,verbose
![Page 49: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/49.jpg)
Manipulating Transmitted Packets • Generally,transmittingpacketshasonlycontroloffewfieldsintheheader.• Example
• DestinationIPaddresscanbeset• SourceIPaddressisnotset:
• Operatingsystem,willautomaticallyfillthesefieldsbeforetranmittingthepackettothehardware
• Spoofing• Permitsmanipulationofcriticalfieldsinthepacketheaders• Cancreateunrealistic/boguspackets.Forexample:
• TransmitaTCPpacketwithSYNandFINbitsturnedon• TheresponsefromthereceiverisunpredictableanddependsontheOS
• Usedinmanynetworkattackslike• TCPSYNFlooding,TCPsessionhijacking,DNScachepoisoningattack• Suppliedinformationdependsonthetypeofattackbeingcarriedout
![Page 50: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/50.jpg)
Spoofing Tools • Netwox• Scapy• Spoofingfromfirstprinciples
• TwoMajorSteps(1)constructingthepacketinabuffer(thisstepisgoingtodependonthetypeofpacket)(2)sendingthepacketout
![Page 51: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/51.jpg)
Constructing an ICMP Ping Packet STEP1
Pingrequest(echorequest)
![Page 52: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/52.jpg)
Constructing an ICMP Ping Packet STEP1
![Page 53: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/53.jpg)
Sending Spoofed Packets Using Raw Sockets
STEP2
![Page 54: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/54.jpg)
Spoofing UDP Packets
![Page 55: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/55.jpg)
Spoofing UDP Packets
![Page 56: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/56.jpg)
MAC Address Spoofing? HowtospoofMACaddresses?NeedshardwareandOSsupport
#iplinksetdeveth0down
#iplinksetdeveth0addressXX:XX:XX:XX:XX:XX
#iplinksetdeveth0up
MACisrestrictedtolocalnetworks.ThusMACspoofingisonlyaproblemwithinsiderthreats
![Page 57: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/57.jpg)
Sniffing and Spoofing
Threat:ManinthemiddleattacksSniffapacket.Spooftheresponse
• Procedure• UsePCAPAPItocapturethepacketsofinterests• Makeacopyfromthecapturedpacket• ReplacetheUDPdatafieldwithanewmessageandswapthesourceanddestinationfields
• Sendoutthespoofedreply
![Page 58: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/58.jpg)
Sniffing and Spoofing a UDP Example why*4?
![Page 59: Packet Sniffing and Spoofingchester/courses/19e_ns/slides/2...ether[0] & 1 = 0 and ip[16] >= 224 IP broadcast or multicast traffic that were not sent via Ethernet broadcast/multicast](https://reader035.fdocuments.in/reader035/viewer/2022081518/6146a7c5f4263007b1355244/html5/thumbnails/59.jpg)
Sniffing and Spoofing a UDP Example
