SEED Labs 2.0: Packet Sniffing and Spoofing Lab

Packet Sniffing and Spoofing Lab

Lab Task Set 1: Using Scapy to Sniff and Spoof Packets

Task 1.1: Sniffing Packets

Task 1.1A

Use ifconfig to find the name of the network interface.

Modify sniffer.py accordingly.

Run the command as root.

After switching to an ordinary (non-root) user, the sniffer can no longer be run.

Task 1.1B

  • Capture only the ICMP packet

  • Capture any TCP packet that comes from a particular IP and with a destination port number 23.

We write a script that sends packets:

Running the two Python scripts, we find that they work as expected.

  • Capture packets that come from or go to a particular subnet. You can pick any subnet, such as 128.230.0.0/16; you should not pick the subnet that your VM is attached to.

Task 1.2: Spoofing ICMP Packets

Set the source and destination IP addresses ourselves.

We can see the ICMP request being sent normally and the ICMP echo reply coming back normally.

Task 1.3: Traceroute

Task 1.4: Sniffing and-then Spoofing

Write the following code in the VM: whenever an ICMP echo request is sniffed, send an ICMP echo reply back to the host that sent the request.

We find that no matter which address is pinged, a reply is received:

At the same time, from the spoofing tool's side, we can see that the reply was sent by the VM.

Run the following commands:

We find that a non-existent address does not get a reply.

Lab Task Set 2: Writing Programs to Sniff and Spoof Packets

Task 2.1A: Understanding How a Sniffer Works

Write the code:

Test it by pinging baidu.

Question 1. Please use your own words to describe the sequence of the library calls that are essential for sniffer programs. This is meant to be a summary, not detailed explanation like the one in the tutorial or book.

A BPF program captures the ICMP packets, and pointers are then used to process the different parts of each packet (the IP header, the ICMP header, and so on).
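
As an added example (not code from the lab or from this write-up), the following C program shows the receiver-side walk that the sniffer callback performs after BPF has delivered a frame: Ethernet header, then IP header located via IHL, then ICMP header, with bounds checks against the captured length and RFC 1071 checksum verification at each layer. The struct layouts follow the lab's sniffer, the frame bytes are constructed rather than captured, and the addresses 10.9.0.5 and 10.9.0.6 are only sample values from the lab network.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs(): wire fields are big-endian */
/* Header layouts as the lab's sniffer reads them; natural member offsets give wire sizes 14/20/8. */
struct ethheader  { uint8_t dst[6], src[6]; uint16_t type; };
struct ipheader   { uint8_t vhl, tos; uint16_t len, id, off; uint8_t ttl, proto;
                    uint16_t csum; uint8_t src[4], dst[4]; };
struct icmpheader { uint8_t type, code; uint16_t csum, id, seq; };
struct pkt_info   { char src[16], dst[16]; uint8_t proto, icmp_type; int ip_csum_ok, icmp_csum_ok; };

/* RFC 1071 one's-complement checksum; over a header whose checksum field is already correct it yields 0. */
static uint16_t in_cksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries back in */
    return (uint16_t)~sum;
}

/* Walk the frame as the lab's pcap callback does: Ethernet -> IP (offset from IHL, not a fixed 20) -> ICMP,
   bounds-checking every step. Returns 0 on success, -1 not IPv4, -2 truncated/malformed, -3 not ICMP. */
int parse_icmp_frame(const uint8_t *frame, size_t n, struct pkt_info *out) {
    struct ethheader eth; struct ipheader ip; struct icmpheader icmp;
    if (n < sizeof eth) return -2;
    memcpy(&eth, frame, sizeof eth);                 /* memcpy instead of a misaligned struct cast */
    if (ntohs(eth.type) != 0x0800) return -1;
    if (n < sizeof eth + sizeof ip) return -2;
    memcpy(&ip, frame + sizeof eth, sizeof ip);
    size_t ihl = (size_t)(ip.vhl & 0x0f) * 4, ip_len = ntohs(ip.len);
    if ((ip.vhl >> 4) != 4 || ihl < 20 || ip_len < ihl || n < sizeof eth + ip_len) return -2;
    out->ip_csum_ok = in_cksum(frame + sizeof eth, ihl) == 0;
    out->proto = ip.proto;
    snprintf(out->src, sizeof out->src, "%u.%u.%u.%u", ip.src[0], ip.src[1], ip.src[2], ip.src[3]);
    snprintf(out->dst, sizeof out->dst, "%u.%u.%u.%u", ip.dst[0], ip.dst[1], ip.dst[2], ip.dst[3]);
    if (ip.proto != 1) return -3;
    if (ip_len < ihl + sizeof icmp) return -2;
    memcpy(&icmp, frame + sizeof eth + ihl, sizeof icmp);
    out->icmp_type = icmp.type;
    out->icmp_csum_ok = in_cksum(frame + sizeof eth + ihl, ip_len - ihl) == 0;
    return 0;
}

/* Constructed sample, not a real capture: Ethernet + IPv4 + ICMP echo request from
   10.9.0.5 to 10.9.0.6 with valid checksums (IP 0x66c4, ICMP 0xe5ca). */
const uint8_t SAMPLE_FRAME[42] = {
    0x02,0x42,0x0a,0x09,0x00,0x06, 0x02,0x42,0x0a,0x09,0x00,0x05, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x01,0x66,0xc4, 0x0a,0x09,0x00,0x05, 0x0a,0x09,0x00,0x06,
    0x08,0x00,0xe5,0xca, 0x12,0x34,0x00,0x01 };
```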

Question 2. Why do you need the root privilege to run a sniffer program? Where does the program fail if it is executed without the root privilege?

Because the BPF program has to be loaded into the kernel, which is a privileged operation.

Question 3. Please turn on and turn off the promiscuous mode in your sniffer program. The value 1 of the third parameter in pcap_open_live() turns on the promiscuous mode (use 0 to turn it off). Can you demonstrate the difference when this mode is on and off? Please describe how you can demonstrate this. You can use the following command to check whether an interface's promiscuous mode is on or off (look at the promiscuity's value).

With promiscuous mode on, packets belonging to other machines on the same network segment can be captured; with it off, they cannot.

Task 2.1B: Writing Filters

Change the filter rule and the interface name:

From inside the 10.9.0.6 container, ping 10.9.0.1.

The packets are captured.

Change the filter rule.

Task 2.1C: Sniffing Passwords.

Write a sniffer that sniffs port 23.

Continuing in the same way, the password can be obtained.

Task 2.2: Spoofing

Task 2.2A: Write a spoofing program.

Send a UDP message from source IP address "1.1.1.1" to port 9090 of destination IP address "8.8.8.8".

Task 2.2B: Spoof an ICMP Echo Request.

Question 4. Can you set the IP packet length field to an arbitrary value, regardless of how big the actual packet is?

No.

Question 5. Using the raw socket programming, do you have to calculate the checksum for the IP header?

No, the IP header checksum does not need to be calculated.

Question 6. Why do you need the root privilege to run the programs that use raw sockets? Where does the program fail if executed without the root privilege?

Because being able to read and send arbitrary packets poses a serious security risk, root privilege is required.

Task 2.3: Sniff and then Spoof

The code is as follows:

Run it with sudo ./task23

Ping 1.1.1.1 from another machine while this machine runs the program above; the result is as follows:
