Professional Documents
Culture Documents
Sniffing & Spoofing LAB
Network Security Training and Workshop
Packet Sniffing & Spoofing LAB
NETWORK SECURITY 1
R I P H A H I N T E R N A T I O N A L U N I V E R S I T Y
R I P H A H I N S T I T U T E O F S Y S T E MS E N G I N E E R I N G
Packet Sniffing & Spoofing LAB
Contents
1. Introduction ............................................................................................................................ 4
2. LAB 1 – Sniffing & Spoofing ..................................................................................................... 4
2.1. Overview .......................................................................................................................... 4
2.2. Using Tools to Sniff and Spoof Packets ............................................................................ 4
2.3. Sniffing Packets ................................................................................................................ 5
2.3.1. Capture only the ICMP packet .................................................................................. 6
2.3.2. Capture TCP packet with a particular IP and destination port 23 ............................ 8
2.3.3. Capture packets comes from or to go to a particular subnet .................................. 9
2.4. Spoofing ICMP Packets ................................................................................................... 10
2.5. Sniffing and‐then Spoofing ............................................................................................. 13
2.6. Writing Programs to Sniff and Spoof Packets ................................................................ 15
2.6.1. Writing Packet Sniffing Program ............................................................................. 15
2.6.2. Writing Filters .......................................................................................................... 18
2.6.3. Sniffing Passwords .................................................................................................. 18
2.6.4. Spoofing .................................................................................................................. 23
2.6.5. Sniff and then Spoof ............................................................................................... 25
3. LAB 2 – ARP Cache Poisoning Attack .................................................................................... 26
3.1. Overview ........................................................................................................................ 26
3.2. ARP Cache Poisoning ...................................................................................................... 27
3.3. MITM Attack on Telnet using ARP Cache Poisoning ...................................................... 32
4. LAB 3 ‐ IP/ICMP Attacks ........................................................................................................ 35
4.1. Overview ........................................................................................................................ 35
4.2. IP Fragmentation ............................................................................................................ 35
4.2.1. Conducting IP Fragmentation ................................................................................. 35
4.2.2. IP Fragments with Overlapping Contents ............................................................... 37
NETWORK SECURITY 2
Packet Sniffing & Spoofing LAB
4.2.3. Sending a Super‐Large Packet ................................................................................. 39
4.2.4. Sending Incomplete IP Packet ................................................................................. 40
4.3. ICMP Redirect Attack ..................................................................................................... 42
4.4. Routing and Reverse Path Filtering ................................................................................ 44
4.4.1. Network Setup ........................................................................................................ 44
4.4.2. Routing Setup .......................................................................................................... 47
4.4.3. Reverse Path Filtering ............................................................................................. 50
NETWORK SECURITY 3
Packet Sniffing & Spoofing LAB
1. Introduction
This manual consists of three labs with the goal of knowing different type of attacks consisting
of spoofing, IP/ICMP and ARP cache poisoning‐based attacks while sniffing the packets to
demonstrate the attacks.
LAB 1 ‐ Sniffing & Spoofing Attacks
LAB 2 ‐ ARP Cache Poisoning Attacks
LAB 3 ‐ IP/ICMP Attacks
2. LAB 1 – Sniffing & Spoofing
2.1. Overview
Packet sniffing and spoofing are two important concepts in network security; they are two major
threats in network communication. Being able to understand these two threats is essential for
understanding security measures in networking. There are many packet sniffing and spoofing
tools, such as Wireshark, Tcpdump, & Scapy etc. Some of these tools are widely used by security
experts, as well as by attackers. Being able to use these tools is important for students, but what
is more important for students in a network security course is to understand how these tools
work, i.e., how packet sniffing and spoofing are implemented in software.
The objective of this lab is two‐fold: learning to use the tools and understanding the technologies
underlying these tools. For the second objective, write simple sniffer and spoofing programs, and
gain an in‐depth understanding of the technical aspects of these programs. This lab covers the
following topics:
• How the sniffing and spoofing work
• Packet sniffing using the pcap library and Scapy
• Packet spoofing using raw socket and Scapy
• Manipulating packets using Scapy
2.2. Using Tools to Sniff and Spoof Packets
Many tools can be used to do sniffing and spoofing, but most of them only provide fixed
functionalities. Scapy is different: it can be used not only as a tool, but also as a building block to
construct other sniffing and spoofing tools, i.e., we can integrate the Scapy functionalities into
our own program. In this set of tasks, we will use Scapy for each task. The current version of the
VM may not have Scapy installed for Python3. We can use the following command to install Scapy
for Python3.
$ sudo pip3 install scapy
NETWORK SECURITY 4
Packet Sniffing & Spoofing LAB
To use Scapy, we can write a Python program, and then execute this program using Python. See
the following example. We should run Python using the root privilege because the privilege is
required for spoofing packets. At the beginning of the program, we should import all Scapy’s
modules.
$ cat mycode.py
$ sudo python3 mycode.py
// Make mycode.py executable (another way to run python programs)
$ chmod a+x mycode.py
$ sudo ./mycode.py
2.3. Sniffing Packets
Wireshark is the most popular sniffing tool, and it is easy to use. We will use it throughout the
entire lab. However, it is difficult to use Wireshark as a building block to construct other tools.
NETWORK SECURITY 5
Packet Sniffing & Spoofing LAB
We will use Scapy for that purpose. The objective of this task is to learn how to use Scapy to do
packet sniffing in Python programs. A sample code is provided in the following:
2.3.1. Capture only the ICMP packet
The above program sniffs packets. For each captured packet, the callback function print pkt() will
be invoked; this function will print out some of the information about the packet. Run the
program with the root privilege and demonstrate that you can indeed capture packets. After that,
run the program again, but without using the root privilege.
// Make the program executable
$ chmod a+x sniffer.py
// Run the program with the root privilege
$ sudo ./sniffer.py
Here we have used ping command to generate ICMP Packets to a different host. Sample
output is shown below:
Once the packet is generated (‐c 1 for single packet), scapy will show the captured packet.
ICMP‐Request:
NETWORK SECURITY 6
Packet Sniffing & Spoofing LAB
ICMP Response:
// Run the program without the root privilege
$ ./sniffer.py
Without root privilege, it gives such an error message:
NETWORK SECURITY 7
Packet Sniffing & Spoofing LAB
Traceback (most recent call last):
File "sniffer.py", line 7, in <module>
pkt = sniff(filter='icmp',prn=print_pkt)
File "/home/seed/.local/lib/python2.7/site‐packages/scapy/sendrecv.py", line 731, in
sniff
*arg, **karg)] = iface
File "/home/seed/.local/lib/python2.7/site‐packages/scapy/arch/linux.py", line 567, in
__init__
self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))
File "/usr/lib/python2.7/socket.py", line 191, in __init__
_sock = _realsocket(family, type, proto)
socket.error: [Errno 1] Operation not permitted
2.3.2. Capture TCP packet with a particular IP and destination port 23
For this task it is required to capture any TCP packet that comes from a particular IP and with a
destination port number 23. Change filter from ICMP to TCP with ‘dst port’ and host IP in the
python script.
You can use any means to generate TCP traffic. Here we have used SSH session to generate a few.
Sample output is shown below:
NETWORK SECURITY 8
Packet Sniffing & Spoofing LAB
2.3.3. Capture packets comes from or to go to a particular subnet
Change filter to ‘dst net’ to filter packets by network. Here I have taken sample IP pool for lab
purposes. 118.107.140.0/27 while my traffic to specific host will be generated to 118.107.140.9
After executing the script, communicate with the destination IP. We have used TCP as a means
of sending packet.
NETWORK SECURITY 9
Packet Sniffing & Spoofing LAB
Once done, similar below observation can be seen.
2.4. Spoofing ICMP Packets
As a packet spoofing tool, Scapy allows us to set the fields of IP packets to arbitrary values. The
objective of this task is to spoof IP packets with an arbitrary source IP address. We will spoof
ICMP echo request packets and send them to another VM on the same network. We will use
Wireshark to observe whether our request will be accepted by the receiver. If it is accepted, an
echo reply packet will be sent to the spoofed IP address. The following code shows an example
of how to spoof an ICMP packets.
>>> from scapy.all import *
>>> a = IP() #Line 1
>>> a.dst = ‘192.168.x.x’ #Line 2
>>> b = ICMP() #Line 3
>>> p = a/b #Line 4
>>> send(p) #Line 5
.
Sent 1 packets.
NETWORK SECURITY 10
Packet Sniffing & Spoofing LAB
In the code above, Line 1 creates an IP object from the IP class; a class attribute is defined for
each IP header field. We can use ls(a) or ls(IP) to see all the attribute names/values. We can also
use a.show() and IP.show() to do the same. Line 2 shows how to set the destination IP address
field. If a field is not set, a default value will be used. Line 3 creates an ICMP object. The default
type is echo request. In Line 4, we stack ‘a’ and ‘b’ together to form a new object. The ‘/’ operator
is overloaded by the IP class, so it no longer represents division; instead, it means adding ‘b’ as
the payload field of ‘a’ and modifying the fields of ‘a’ accordingly. As a result, we get a new object
that represent an ICMP packet. We can now send out this packet using send() in Line 5.
For spoofing, attacker IP is set to “192.168.184.22”. Originate a packet from attacker while
changing the default destination IP to the server’s IP “192.168.184.11”. This will only show
attribute modification while sending a packet. Below are the available attributes that can be
modified:
Using live python for this demonstration use command ‘python’ in privileged mode. We can
change the destination IP and see the packet status.
NETWORK SECURITY 11
Packet Sniffing & Spoofing LAB
Now we will send an ICMP packet using the above attributes.
This was a legitimate communication but now we try to spoof our actual IP with a fake/victim
address.
NETWORK SECURITY 12
Packet Sniffing & Spoofing LAB
2.5. Sniffing and‐then Spoofing
To demonstrate the sniffing and spoofing we know an ICMP packet is generated to and dead/non‐
existing host, no response is expected (timeout). In this task we need to write a program on an
attacker machine to sniff all packets in unified mode and respond back to all received ICMP from
victim’s IP positively, making the victim believe that all these hosts are alive.
Below script uses sniff function from scapy with traffic filtered for victim’s ICMP packets. Where
the output display is a function which is predefined in a manner that the received source and
destination values are swapped and ICMP type change to 0 (echo reply). This auto response to
ICMP packets are performed for type 8(echo request) ICMP only. The important part is that this
program sniffs all packets regardless of destination IP and responses back with the spoofed IP.
We use below script to do so.
After saving/making executable and executing the script, the python program goes into listening
state to capture the echo request and respond likewise. Now on the victim node we generate
three ICMP packets with different destination IP which do not exist in the LAN network, yet it
would get replies from the sniff and spoof script on the attacker.
For this, we use below script to serve the purpose.
NETWORK SECURITY 13
Packet Sniffing & Spoofing LAB
Execute the script to generate the three different ICMP packets.
The attacker sniffs all packets one by one and immediately replies after manipulating the packet
parameters. Note the packets sent by victims and replies from attacker are subsequent.
The Wireshark capture is almost similar on both nodes and shows the three ICMP requests and
their replies. The attacker replies regardless of ping destination, faking the status of IPs being
live.
NETWORK SECURITY 14
Packet Sniffing & Spoofing LAB
2.6. Writing Programs to Sniff and Spoof Packets
2.6.1. Writing Packet Sniffing Program
Sniffer programs can be easily written using the pcap library. With pcap, the task of sniffers
becomes invoking a simple sequence of procedures in the pcap library. At the end of the
sequence, packets will be put in buffer for further processing as soon as they are captured. All
the details of packet capturing are handled by the pcap library.
We wrote following code for packet sniffing in which ens33 is the network adapter ID.
NETWORK SECURITY 15
Packet Sniffing & Spoofing LAB
Switch user to root. Then build and run code with following command.
#gcc ‐o sniff sniff.c ‐lpcap
Ping to the server.
Program showed it received the packets.
Now we update the program and added print functions to see the packets. Code shown below.
NETWORK SECURITY 16
Packet Sniffing & Spoofing LAB
Compile the code in privileged mode i.e. root user, using the below command:
#gcc ‐o sniff_improved sniff_improved.c ‐lpcap
Now, run the program and see response.
NETWORK SECURITY 17
Packet Sniffing & Spoofing LAB
Last 2 responses are performed using the ping command. Hence, we can see the captured ICMP
packets.
2.6.2. Writing Filters
2.6.2.1. Capture ICMP packets between two specific hosts
Now we update the program and change the filter_exp[] to capture the ICMP packets between
two specific hosts in the code below:
char filter_exp[] = "proto ICMP and (host 192.168.150.100 and 192.168.150.125)";
2.6.2.2. Capture TCP packets with destination port in the range from 10 to 100
Update the program and change the filter_exp[] to capture the TCP packets with a destination
port number in the range from 10 to 100 in the code below:
char filter_exp[] = "proto TCP and dst portrange 10‐100";
2.6.3. Sniffing Passwords
Use the sniffer program to capture the password when somebody is using telnet on the network.
Here, we need to modify the sniffer code to print the data part of a captured TCP packet (telnet
uses TCP) as shown in the code below:
NETWORK SECURITY 18
Packet Sniffing & Spoofing LAB
NETWORK SECURITY 19
Packet Sniffing & Spoofing LAB
NETWORK SECURITY 20
Packet Sniffing & Spoofing LAB
NETWORK SECURITY 21
Packet Sniffing & Spoofing LAB
To simplify the problem, on the VM 10.0.2.4, use default telnet port (i.e. 23) with the command
(10.0.2.15 can be replaced with any reachable host, ‘seed’ is a username):
$ telnet 10.0.2.15 ‐l seed
Then, it asks the user to type the password in an interactive prompt. Meanwhile, on the attacker
machine 10.0.2.15, write a program sniff_pwd.c to listen on such telnet packets with filter “tcp
port 23 and src host 10.0.2.4”.
To get TCP payload, we should process captured packets like this:
NETWORK SECURITY 22
Packet Sniffing & Spoofing LAB
print_payload() is a simple parser that makes packet data readable to human. All details can be
found in sniff_pwd.c.
Finally, typing ‘seed’ letter by letter as a password on VM 10.0.2.4. Once a letter is pressed, a TCP
packet is sent from 10.0.2.4, the attacker can sniff a packet with the letter at the end of the data
field as shown below:
2.6.4. Spoofing
When a normal user sends out a packet, operating systems usually do not allow the user to set
all the fields in the protocol headers (such as TCP, UDP, and IP headers). OSes will set most of the
fields, while only allowing users to set a few fields, such as the destination IP address, the
destination port number, etc. However, if users have the root privilege, they can set any arbitrary
field in the packet headers. This is called packet spoofing, and it can be done through raw sockets.
Raw sockets give programmers the absolute control over the packet construction, allowing
programmers to construct any arbitrary packet, including setting the header fields and the
payload.
2.6.4.1. Spoof an ICMP Echo Request
Spoof an ICMP echo request packet on behalf of another machine (i.e., using another machine’s
IP address as its source IP address). This packet should be sent to a remote machine on the
Internet (the machine must be alive). Turn on the Wireshark, so if the spoofing is successful, the
echo reply can be seen coming back from the remote machine.
NETWORK SECURITY 23
Packet Sniffing & Spoofing LAB
For instance, on behalf of VM 10.0.2.4, to spoof an ICMP echo request packet to host
216.58.192.142. I construct the headers as (more details can be found in spoof_icmp.c):
Capture the packet via Wireshark:
NETWORK SECURITY 24
Packet Sniffing & Spoofing LAB
2.6.5. Sniff and then Spoof
Combine the sniffing and spoofing techniques to implement the following sniff‐and‐then‐spoof
program. Require two VMs on the same LAN. From VM A, ping an IP X. This will generate an ICMP
echo request packet. If X is alive, the ping program will receive an echo reply, and print out the
response. Sniff‐and‐then‐spoof program runs on VM B, which monitors the LAN through packet
sniffing. Whenever it sees an ICMP echo request, regardless of what the target IP address is, the
program should immediately send out an echo reply using the packet spoofing technique.
Therefore, regardless of whether machine X is alive or not, the ping program will always receive
a reply, indicating that X is alive.
Modify the function got_packet() in sniff.c: Add the processing of spoofing an ICMP echo reply
packet with the same ICMP id, ICMP seq, reversed src and dst IP in IP header with the captured
packet. For instance, implement it in critical part of sniff_and_then_spoof.c:
NETWORK SECURITY 25
Packet Sniffing & Spoofing LAB
when VM 10.0.2.4 pings an unreachable host 172.17.56.66, run program sniff_and_then_spoof
on VM 10.0.2.15 with root privilege. The spoofed echo replies are accepted as replies from the
destination host.
3. LAB 2 – ARP Cache Poisoning Attack
3.1. Overview
The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link
layer address, such as the MAC address, given an IP address. The ARP protocol is a very simple
protocol, and it does not implement any security measure. The ARP cache poisoning attack is a
common attack against the ARP protocol. Using such an attack, attackers can fool the victim into
accepting forged IP‐to‐MAC mappings. This can cause the victim’s packets to be redirected to the
computer with the forged MAC address, leading to potential man‐in‐the‐middle attacks.
The objective of this lab is to gain the first‐hand experience on the ARP cache poisoning attack
and learn what damages can be caused by such an attack. In particular, use the ARP attack to
launch a man‐in‐the‐middle attack, where the attacker can intercept and modify the packets
between the two victims A and B. Another objective of this lab is to practice packet sniffing and
spoofing skills, as these are essential skills in network security, and they are the building blocks
for many network attack and defense tools. This lab covers the following topics:
NETWORK SECURITY 26
Packet Sniffing & Spoofing LAB
• The ARP protocol
• The ARP cache poisoning attack
• Man‐in‐the‐middle attack
3.2. ARP Cache Poisoning
The objective of this task is to use packet spoofing to launch an ARP cache poisoning attack on a
target, such that when two victim machines A and B try to communicate with each other, their
packets will be intercepted by the attacker, who can make changes to the packets, and can thus
become the man in the middle between A and B. This is called Man‐In‐The‐Middle (MITM) attack.
In this lab, we use ARP cache poisoning to conduct an MITM attack.
• Gateway IP: 192.168.150.1 HWaddr 00:50:56:e7:90:5a
• VM1 ‐ User: IP: 192.168.150.120 HWaddr 00:0c:29:03:4f:d1
• VM2 ‐ Attacker: IP: 192.168.150.125 HWaddr 00:0c:29:a1:82:c8
• VM3 ‐ Server: IP: 192.168.150.130 HWaddr 00:0c:29:74:fe:38
NETWORK SECURITY 27
Packet Sniffing & Spoofing LAB
Following is the ARP table on client VM before attack.
Following is the ARP table on server VM before attack.
Now open Ettercap on attacker VM, then from menu bar select Sniff ‐> Unified sniffing
Select Network interface, here it is ‘ens33’, select and click ‘OK’ button.
NETWORK SECURITY 28
Packet Sniffing & Spoofing LAB
Then click Targets ‐> Current targets
Add the gateway IP in Target 1:
Add client VM IP in Target 2:
NETWORK SECURITY 29
Packet Sniffing & Spoofing LAB
Go to Mitm ‐> ARP poisoning
Select Sniff remote connections and click ‘OK’ button.
Ettercap will start poisoning the cache of client VM.
NETWORK SECURITY 30
Packet Sniffing & Spoofing LAB
Examine the cache of client VM.
From above screenshot, it can be verified that the client ARP cache has been poisoned
successfully. Gateway IP on the client VM has HWaddress of attacker VM.
We should poison ARP cache of both client and server for MITM attack. We add server IP in target
2 and repeat ARP poisoning steps.
NETWORK SECURITY 31
Packet Sniffing & Spoofing LAB
Observe the server ARP cache.
From above screenshot, it can be validated that the server ARP cache has been poisoned
successfully. Gateway IP on the server VM has HWaddress of attacker VM.
3.3. MITM Attack on Telnet using ARP Cache Poisoning
Hosts A and B are communicating using Telnet, and Host M wants to intercept their
communication, so it can make changes to the data sent between A and B. The setup is depicted
in the figure below:
NETWORK SECURITY 32
Packet Sniffing & Spoofing LAB
Turn on the IP forwarding on attacker VM, so it will forward the packets between client and server
by running the following command:
$ sudo sysctl net.ipv4.ip_forward=1
on Attacker VM, use TCPdump by executing the following command:
$ sudo tcpdump ‐i ens33 ‐n port 23 and host 192.168.150.120
From client VM, connect the server VM using telnet command:
NETWORK SECURITY 33
Packet Sniffing & Spoofing LAB
On Attacker VM, the communication between server VM and client VM can be observed clearly
using TCPdump.
NETWORK SECURITY 34
Packet Sniffing & Spoofing LAB
4. LAB 3 ‐ IP/ICMP Attacks
4.1. Overview
The objective of this lab is for students to gain the first‐hand experience on various attacks at the
IP layer. Some of the attacks may not work anymore, but their underlying techniques are quite
generic, and it is important for students to learn these attacking techniques, so when they design
or analyze network protocols, they are aware of what attackers can do to protocols. Moreover,
due to the complexity of IP fragmentation, spoofing fragmented IP packets is non‐trivial.
Constructing spoofed IP fragments is a good practice for students to hone their packet spoofing
skills, which are essential in network security. We will use Scapy to conduct packet spoofing. This
lab covers the following topics:
• The IP and ICMP protocols
• IP Fragmentation and the related attacks
• ICMP redirect attack
• Routing and reverse path filtering
4.2. IP Fragmentation
Two VMs are needed for this task. They should be connected to the same network, so they can
communicate with each other.
4.2.1. Conducting IP Fragmentation
In this task, construct a UDP packet and send it to a UDP server. Use "nc ‐lu 9090" to start a UDP
server.
Instead of building one single IP packet, divide the packet into 3 fragments, each containing 80
bytes of data (the first fragment contains 8 bytes of the UDP header plus 80 bytes of data filled
with A, B and C). If everything is done correctly, the server will display 240 bytes of data in total.
Following is the code for constructing fragments.
NETWORK SECURITY 35
Packet Sniffing & Spoofing LAB
It should be noted that the UDP checksum field needs to be set correctly. If this field is not set,
scapy still calculates the checksum for us, but this checksum will only be based on the data in the
first fragment, which is incorrect. If the checksum field is set to zero, scapy will leave it alone.
Moreover, the recipient will not validate the UDP checksum if it sees a zero in the checksum field,
because in UDP, checksum validation is optional.
Executing the script would send 3 fragmented packets.
Use Wireshark to observe traffic, it should also be noted that by default, Wireshark reassemble
fragments in the last fragment packet and show it as a complete IP/UDP packet.
NETWORK SECURITY 36
Packet Sniffing & Spoofing LAB
To change this behavior, we should disable IP fragment reassembly in Wireshark preferences.
Click the Edit menu in the following sequence: Edit Preferences; click the Protocols dropdown
menu, find and click IPv4. Uncheck the "Reassemble fragmented IPv4 datagrams" option and
save.
Now Wireshark will show 3 packets that were sent. 1st packet has header information and it is
being showed as UDP and other do not have headers that is why they are being shown as IPv4
packets.
4.2.2. IP Fragments with Overlapping Contents
The objective of this task is to create overlapping fragments. In particular, the first two fragments
should overlap. The end of the first fragment and the beginning of the second fragment should
have K bytes of overlapping, i.e., the last K bytes of data in the first fragment should have the
same offsets as the first K bytes of data in the second fragment. The value of K is for this lab is
taken as 40. The offset value of 0, 5 and 10 are given in scapy which means 0, 40 and 80 bytes
respectively for the second fragment.
NETWORK SECURITY 37
Packet Sniffing & Spoofing LAB
Update the previous code to following given below and run it.
The code is executed after sanctioning rights for generating packet fragments.
Observe that fragment A is overlapping on B and fragment B is over overlapping on C. If the
packets are sent in reverse order, the overlapping will also be performed in opposite direction.
NETWORK SECURITY 38
Packet Sniffing & Spoofing LAB
4.2.3. Sending a Super‐Large Packet
The maximum size for an IP packet is 216 octets, because the length field in the IP header has only
16 bits. However, using the IP fragmentation, we can create an IP packet that exceeds this limit.
Once the packet with packet length more than 65507 + 24 = 65535 bytes is created, scapy does
not support sending this packet and crashes with errors. If another fragment is attached, it is
taken as next packet in queue by the server.
Observe the errors originating after executing the code.
NETWORK SECURITY 39
Packet Sniffing & Spoofing LAB
4.2.4. Sending Incomplete IP Packet
In this task, we are going to use Machine A to launch a Denial‐of‐Service attack on Machine B. In
the attack, Machine A sends a lot of incomplete IP packets to B, i.e., these packets consist of IP
fragments, but some fragments are missing. All these incomplete IP packets will stay in the
kernel, until they time out. Potentially, this can cause the kernel to commit a lot of kernel
memory.
The objective of this task is to send a larger size fragmented packet with missing fragments so
that the server queues the fragments and hold the data until the UDP TTL expires for receiving
complete sequence. Within this expiry time if 1000s of packets are send the server buffer will
overflow and cause high CPU utilization / crashes. This emulates the basic concept of DoS attack.
Below is the code used for this kind of DoS attack.
To generate infinite number of packets, unconditional while loop is created to direct the packets
towards server. The above code is executed to generate packet fragments.
While on the server end, high CPU utilization can be observed which is on the verge of crash.
Following screenshot is for CPU utilization before DoS attack:
NETWORK SECURITY 40
Packet Sniffing & Spoofing LAB
High CPU Utilization is observed upon DoS attack causing its pcap to retain fragments till
reception of complete IP packet or until fragmentation expiry.
NETWORK SECURITY 41
Packet Sniffing & Spoofing LAB
Examine the packets in Wireshark as well.
4.3. ICMP Redirect Attack
An ICMP redirect is an error message sent by a router to the sender of an IP packet. Redirects are
used when a router believes a packet is being routed incorrectly, and it would like to inform the
sender that it should use a different router for the subsequent packets sent to that same
destination.
In our VM, there is a countermeasure against the ICMP redirect attack. Before doing the task, we
need to turn off the countermeasure by configuring the operating system to accept ICMP redirect
messages.
$ sudo sysctl net.ipv4.conf.all.accept_redirects=1
We will use three VM’s in this lab.
VM1 ‐ Client: IP: 192.168.150.120 HWaddr 00:0c:29:03:4f:d1
VM2 ‐ Attacker: IP: 192.168.150.125 HWaddr 00:0c:29:a1:82:c8
VM3 ‐ Server: IP: 192.168.150.130 HWaddr 00:0c:29:74:fe:38
NETWORK SECURITY 42
Packet Sniffing & Spoofing LAB
Gateway IP: 192.168.150.1 HWaddr 00:50:56:e7:90:5a
The objective of this task is to launch an ICMP redirect attack on Host VM1 from Host VM2, such
that when Host VM1 sends packets to VM3, it will use VM2 as the router, and hence sends those
packets to VM2. Since VM2 is controlled by the attacker, the attacker can intercept the packets,
make changes, and then sends the modified packets out.
Scapy code for this task is as follows:
The code is executed, and the packets are sent out.
Check the Wireshark for the results.
In between the ICMP redirect, it can be seen that the server has started to respond with HTTP
replies. Look closer at the ICMP redirect packets.
NETWORK SECURITY 43
Packet Sniffing & Spoofing LAB
Crafted ICMP redirect packets are successfully sent using scapy.
4.4. Routing and Reverse Path Filtering
The objective of this task is two‐fold: get familiar with routing and understand a spoof‐prevention
mechanism called reverse path filtering, which prevents outside from spoofing.
4.4.1. Network Setup
10.0.0.120
10.0.0.125
VM1
192.168.150.125
VM2
192.168.150.130
VM3
The 10.0.0.0/24 network should use the "Host‐only" adaptor in VMware. Only Machines VM2
and VM3 are attached to this network.
NETWORK SECURITY 44
Packet Sniffing & Spoofing LAB
The second network 192.168.150.0/24 should use the "NAT" adaptor in VMware. Only Machines
VM1 and VM2 are attached to this network.
Therefore, Machines VM1 and VM3 cannot directly communicate with each other. The network
setup diagram above, shows two machines inside the 192.168.150.0/24 network, but we only
need to include one VM in their setup.
NETWORK SECURITY 45
Packet Sniffing & Spoofing LAB
Since Machine VM2 is attached to both networks, it needs to have two network adaptors, one
using the “NAT” connection type and the other using the “Host‐only” connection type.
VM1 Network.
NETWORK SECURITY 46
Packet Sniffing & Spoofing LAB
VM2 can ping VM1 and VM3.
VM1 can ping VM2 but cannot ping VM3.
The required network setup is ready.
4.4.2. Routing Setup
The objective of this task is to configure the routing on Machines VM1, VM2 and VM3, so VM1
and VM3 can communicate with each other. For this purpose, configure VM2 as a router. Unless
specifically configured, a computer will only act as a host, not as a gateway. Machine VM2 needs
to forward packets, so it needs to function as a gateway. Enable IP forwarding for a computer to
behave like a gateway. IP forwarding can be enabled using the following command:
$ sudo sysctl net.ipv4.ip_forward=1
NETWORK SECURITY 47
Packet Sniffing & Spoofing LAB
Now add route to link with other network with the below command:
$ sudo ip route add 192.168.150.0/24 via 10.0.0.125 dev ens33
$ sudo ip route add 10.0.0.0/24 via 192.168.150.125 dev ens38
After adding routes, the routing table look as follows on VM2.
Now ping VM2 and VM3 from VM1.
Similarly ping VM1 and VM2 from VM3.
NETWORK SECURITY 48
Packet Sniffing & Spoofing LAB
Telnet VM1 from VM3 and check the results.
Successfully connected VM1 from VM3.
Now connect VM3 from VM1 via Telnet.
NETWORK SECURITY 49
Packet Sniffing & Spoofing LAB
Successfully connected VM3 from VM1.
4.4.3. Reverse Path Filtering
Linux kernel implements a filtering rule called reverse path filtering, which ensures the symmetric
routing rule. When a packet with the source IP address X comes from an interface (say I), the OS
will check whether the return packet will return from the same interface, i.e., whether the routing
for packets going to X is symmetric. To check that, the OS conducts a reverse lookup, finds out
which interface will be used to route the return packets back to X. If this interface is not I, i.e.,
different from where the original packet comes from, the routing path is asymmetric. In this case,
the kernel will drop the packet.
The reverse path filtering mechanism can effectively prevent outsiders from spoofing packets
with the source IP address that belongs to the internal network. For example, in the Network
setup diagram depicted above, Machine VM1 cannot send a spoofed packet to Machine VM3
with a source IP address belonging to the 192.168.150.0/24 network.
In this task, we will conduct an experiment to see the reverse path filtering in action. We will
send three spoofed packets on Machine VM1. All these packets should be sent to Machine VM3,
but the source IP addresses should use one of the following:
• An IP address belonging to the network 10.0.0.0/24.
• An IP address belonging to the internal network 192.168.150.0/24.
• An IP address belonging to the Internet, such as 1.2.3.4.
NETWORK SECURITY 50
Packet Sniffing & Spoofing LAB
Following code used on VM1 for sending spoofed ping requests.
Upon Execution this will send 3 ICMP packets with different spoofed IP address as mentioned
above.
During the experiments, run Wireshark on both Machine VM3 and VM2, and check whether the
spoofed packets are forwarded to the internal network or not by VM2. When running Wireshark
on VM2, check the traffic on both network interfaces. If the spoofed packet is forwarded, it
should appear in both interfaces; otherwise, we will only see the packet from the incoming
interface.
Check on VM2 that it only forwards the packing coming from subnet of 10.0.0.0/24, all packets
other than the specified subnet are dropped at VM2.
On VM3 it can be verified that it received only one spoofed ICMP request which was from
10.0.0.0/24 subnet.
NETWORK SECURITY 51