Results 1 to 8 of 8

Thread: Forwarding TCP traffic in scapy

  1. #1
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    11

    Default Forwarding TCP traffic in scapy

    I'm creating an ARP poisoning MITM program with scapy, and I've run into a snag. I can't properly forward a tcp connection from the victim machine to the gateway, and back.

    Basically my code looks like this:
    Code:
    def routep(self, packet):
    	
    		if packet.haslayer(scapy.IP):
    		
    			ether = packet.getlayer(scapy.Ether)
    			ether.src = self.ni.mac
    		
    			# host-to-gateway
    			if packet[scapy.IP].src == self.victimIP:
    				ether.dst = self.gatewayMAC
    				
    			# gateway-to-host
    			elif packet[scapy.IP].dst == self.victimIP:
    				ether.dst = self.victimMAC
    				
    			else:
    				return
    				
    			# fix checksums, lengths, and ACKs by deleting the original values
    			del(packet[scapy.IP].chksum)
    			if packet.haslayer(scapy.UDP):
    				del(packet[scapy.UDP].chksum)
    				del(packet[scapy.UDP].len)
    			elif packet.haslayer(scapy.TCP):
    				del(packet[scapy.TCP].chksum)
    				del(packet[scapy.TCP].ack)
    
    			
    			# do the evil deed :)
    			scapy.sendp(packet, iface=self.ni.name)
    
    scapy.sniff(filter='(src %s) or (dst %s)' % (self.victimIP, self.victimIP), prn=lambda x: self.routep(x))
    This should work, but my machine sends a shitload of RST packets to the destination IP.

    hxxp://trac.secdev.org/scapy/wiki/FAQ

    Here it says,
    The kernel is not aware of what Scapy is doing behind his back. If Scapy sends a SYN, the target replies with a SYN-ACK and your kernel sees it, it will reply with a RST. To prevent this, use local firewall rules (e.g. NetFilter for Linux). Scapy does not mind about local firewalls.
    Is there seriously NO way of doing this without configuring my OS's firewall? Other programs like ettercap get along just fine, so obviously there's some way that they do it. Are there any better methods of forwarding TCP traffic?

  2. #2
    Member
    Join Date
    Jun 2007
    Posts
    218

    Default

    I've never used it but you may want to look into using scapy's routing table. This will let you route packets differently than your system.

    conf.route

  3. #3
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    11

    Default

    I don't see how that would work...the packet sent by the victim is already destined to 192.168.0.1. How would I route this to the _real_ 192.168.0.1 gateway, without manually changing the packet's destination MAC address?

  4. #4
    Member
    Join Date
    Jun 2007
    Posts
    218

    Default

    I didn't look that closely at your code. I just assumed you had already done the arp poisoning and were looking for a way to route the packets to their correct destination after you had received them.

  5. #5
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    11

    Default

    Quote Originally Posted by level View Post
    I didn't look that closely at your code. I just assumed you had already done the arp poisoning and were looking for a way to route the packets to their correct destination after you had received them.
    I'm sorry, maybe I didn't explain myself clearly enough. I have already done ARP poisoning on the target machine.

    I ARP poison, say, 192.168.0.4, and tell that machine that the gateway, 192.168.0.1, is located at my attacking machine's MAC address. When my attacking machine receives 192.168.0.4's packets, it needs to send them to the real 192.168.0.1. I have no idea how to do this without manually changing the destination MAC address on each packet.

  6. #6

    Default

    have you tried just setting the ip_forward bit? It works with other arp poisoning techniques.

  7. #7
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Is there seriously NO way of doing this without configuring my OS's firewall? Other programs like ettercap get along just fine, so obviously there's some way that they do it. Are there any better methods of forwarding TCP traffic?
    Try setting eth0 to 0.0.0.0 and send out arp replies using 192.168.1.125 as the MITM.
    When your machine recive a packet with 192.168.1.125, replie.

    I think the honey project uses this way in its arp program.

  8. #8
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default script

    Firstly, you must set ipforwarding.

    One of your interfaces should be set to monitor mode and maybe the other to promiscuous.

    You need to be aware that switches do not repeat/resend all traffic like a hub would do.

    From what I understand you wish to reroute packets through your machine then on to the gateway. This is monitoring and as such should not involve recrafting the packets so you should not be concerned whether they are udp or tcp. You will need to flood the hub or switch and hand-out the mac address of your daemon as your gateway ip, then when each packet is captured and analysed it is forwarded to the gateway. You will need to pump occasionally to keep the arp tables correct for your purpose. Yes, you will need to capture packets assigned to the mac of the original gateway and of course change the mac in the header from your analysis machine to that of the gateway.

    The above is trivial really, but the problem with python is that it is so slow. You will drop so many packets that the system is unmanageable. For the adequate collection of a reasonable number of packets you should use 'C' after your concept in python is proved.
    Lux sit

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •