Sniff/spoof

 Promiscuous mode: the NIC passes every frame it receives to the kernel. Normally only
frames whose destination MAC address matches the NIC's own are passed to the kernel;
other frames are dropped by the hardware.
 Monitor mode: the wireless equivalent of “promiscuous mode”. Because wireless
transmission works on different channels, this requires special hardware, and sometimes it
is impossible to capture all the traffic present in the physical environment.
 BSD Packet Filter (BPF)
o A filtering mechanism implemented inside the kernel.
o The filter runs in kernel space because copying every packet from the kernel to user
space, only to discard most of them there, is costly.
o BPF Syntax
 Packet sniffing/spoofing
o Sniff: raw socket, pcap, scapy
o Spoof: raw socket, scapy
 Endianness
o Big endian: most significant byte first (e.g. Network, IBM PowerPC)
o Little endian: least significant byte first (e.g. x86, Qualcomm Hexagon)
ARP: Address Resolution Protocol
 Purpose of ARP protocol: find the corresponding MAC address of an IP address inside a
local network.
 Three ways to conduct ARP cache poisoning
o Identities: M (attacker), A (victim), B
o Goal: on machine A, B’s IP address is associated with M’s MAC address.
o Using ARP request
 Spoof a tampered request on behalf of B to A (as if B is requesting A’s
MAC address)
 ARP request
 OPER=1
 SHA=M's MAC
 SPA=B's IP
 TPA=A's IP
o Using ARP reply
 ARP reply (as if B is replying to A’s ARP request)
 OPER=2
 SHA=M's MAC
 SPA=B's IP
 THA=A's MAC
 TPA=A's IP
o Using ARP gratuitous message
 Gratuitous message: a broadcast ARP message informing the entire network of an
address change.
 Characteristics: OPER=1, SPA=TPA, THA=BROADCAST
 ARP packet
 OPER=1
 SHA=M's MAC
 SPA=B's IP
 THA=BROADCAST
 TPA=B's IP
 We cannot use ARP to attack remote computers because ARP packets will not be routed
on the Internet.
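The two passages above (Endianness, and the three ARP message shapes) are served by one offline example, added here and not part of the original notes. It parses raw Ethernet/ARP frames with struct's '!' (network byte order, i.e. big endian) and then checks each frame's sender binding (SPA -> SHA) against a table of IP-to-MAC pairs a monitor has already learned, which is the observation a defender uses to spot all three poisoning shapes. The hosts A, B and M, their addresses and the sample frames are constructed test input; on a real network the frames would come from a capture filtered with the pcap-filter expression `arp`.

```python
import struct
from typing import NamedTuple, Optional

# Added example (not from the notes): offline ARP parser plus a consistency
# check against known IP-to-MAC bindings. Nothing here touches the network.

ETH_HDR_LEN = 14
ARP_LEN = 28                      # fixed size for IPv4-over-Ethernet ARP
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
OPER_NAMES = {1: "request", 2: "reply"}


class ArpFrame(NamedTuple):
    oper: int
    sha: str
    spa: str
    tha: str
    tpa: str


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise.

    Every multi-byte field is read with '!', i.e. network byte order (big
    endian), so the result is the same on an x86 (little-endian) host.
    """
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, ETH_HDR_LEN)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[ETH_HDR_LEN + 8:]          # SHA(6) SPA(4) THA(6) TPA(4)
    return ArpFrame(oper, mac_to_str(body[0:6]), ip_to_str(body[6:10]),
                    mac_to_str(body[10:16]), ip_to_str(body[16:20]))


def check_arp(arp: ArpFrame, known: dict) -> list:
    """Return warnings where the sender binding SPA -> SHA disagrees with `known`.

    Request, reply and gratuitous broadcast all share the same tell-tale: a
    sender MAC that differs from the MAC already learned for that IP.
    """
    if arp.oper not in OPER_NAMES:
        return [f"unknown OPER={arp.oper} from {arp.sha}"]
    expected = known.get(arp.spa)
    if expected is None or expected == arp.sha:
        return []                            # unknown host or consistent binding
    gratuitous = arp.spa == arp.tpa and arp.tha == BROADCAST_MAC
    kind = "gratuitous" if gratuitous else OPER_NAMES[arp.oper]
    return [f"possible ARP cache poisoning via {kind}: "
            f"{arp.spa} claimed by {arp.sha}, expected {expected}"]


def build_arp_frame(dst_mac, src_mac, oper, sha, spa, tha, tpa) -> bytes:
    """Encode an Ethernet/ARP frame; used only to construct offline test input."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_to_bytes(sha) + ip_to_bytes(spa) + mac_to_bytes(tha) + ip_to_bytes(tpa)
    return eth + arp


# Constructed hosts, following the notes' naming: A (victim), B, M (attacker).
A_IP, A_MAC = "10.0.2.6", "08:00:27:aa:aa:aa"
B_IP, B_MAC = "10.0.2.5", "08:00:27:bb:bb:bb"
M_MAC = "08:00:27:cc:cc:cc"
KNOWN = {A_IP: A_MAC, B_IP: B_MAC}          # bindings the monitor has learned

# Constructed test vectors: one genuine reply from B, then the three shapes from the notes.
SAMPLES = {
    "genuine_reply": build_arp_frame(A_MAC, B_MAC, 2, B_MAC, B_IP, A_MAC, A_IP),
    "request": build_arp_frame(A_MAC, M_MAC, 1, M_MAC, B_IP, "00:00:00:00:00:00", A_IP),
    "reply": build_arp_frame(A_MAC, M_MAC, 2, M_MAC, B_IP, A_MAC, A_IP),
    "gratuitous": build_arp_frame(BROADCAST_MAC, M_MAC, 1, M_MAC, B_IP, BROADCAST_MAC, B_IP),
}


def scan(samples=SAMPLES, known=KNOWN) -> dict:
    """Parse every sample frame and return {name: [warnings]}."""
    results = {}
    for name, frame in samples.items():
        arp = parse_arp(frame)
        results[name] = check_arp(arp, known) if arp else ["not an ARP frame"]
    return results


if __name__ == "__main__":
    for name, warns in scan().items():
        print(f"{name:15s} {warns or 'ok'}")
```

The check deliberately keys on the sender binding rather than on the operation code: the notes' three shapes differ in OPER, THA and TPA, but in all of them SPA is B's IP while SHA is M's MAC, so a monitor that remembers what it has already seen for B's IP flags each of them with the same rule.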