This document describes various modules for network monitoring and packet injection including:
- A packet sniffer using raw sockets to capture packets at the data link layer.
- A wireless network sniffer to capture SSIDs and access point MAC addresses.
- Tools for constructing and injecting raw packets into a target network using raw sockets for network scanning and simulation.
- A UI for monitoring captured packet details like timestamps, source/destination addresses, ports and protocols.
2. Components comprising the toolkit
• Packet Injection using Raw Sockets
• Packet Sniffer using Raw Sockets
• Packet Sniffer using Python - Scapy
• Implementing a Wireless Networks Sniffer
• Automating Network Scans using Nmap
• UI-based Packet Monitoring
3. Packet Injection (using Raw Sockets)
• Ability to construct and inject raw packets into the target network.
• Powerful, since we can simulate responses from the network.
• Finding which packets are valid for the network by sending arbitrary packets.
4. Creating Raw Sockets in User Space
• Using the socket module, with PF_PACKET as the packet interface and SOCK_RAW as the socket type.
• The socket() call accepts three parameters; socket.htons(0x0800) is the protocol value for the packet, which is IP in this case.
• Next we bind the raw socket to the interface we will send packets over, i.e. wlan0 here.
• Create a simple packet from the destination address, the source address and the protocol value.
• Using the pack() call, pack the first 6 bytes as the destination MAC address, the next 6 bytes as the source MAC address and the next 2 bytes as the protocol value.
• Then append a simple string to the packet header as the payload.
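The frame construction described on this slide, written out as an added example (this is not code from the original deck). The interface name, both MAC addresses and the payload are assumed values; building the frame is pure byte packing and runs anywhere, while open_raw_socket()/send_frame() are Linux-only and need CAP_NET_RAW, so the script only transmits when run with --send.

```python
import socket
import struct
import sys

# Assumed values for this demo (not from the original deck)
INTERFACE = "wlan0"
SRC_MAC = "00:11:22:33:44:55"
DST_MAC = "66:77:88:99:aa:bb"
ETH_P_IP = 0x0800          # EtherType for IPv4, the same 0x0800 passed to socket.htons()
PAYLOAD = b"hello from a raw socket"


def mac_to_bytes(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes; reject anything malformed."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("malformed MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def build_ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Pack dst MAC (6 bytes), src MAC (6 bytes) and EtherType (2 bytes, network order),
    then append the payload unchanged."""
    if not 0 <= ethertype <= 0xFFFF:
        raise ValueError("ethertype must fit in 16 bits")
    header = struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ethertype)
    return header + payload


def open_raw_socket(interface, ethertype=ETH_P_IP):
    """PF_PACKET/SOCK_RAW socket bound to one interface (AF_PACKET is the same constant).
    Linux only; the process needs CAP_NET_RAW."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ethertype))
    sock.bind((interface, 0))
    return sock


def send_frame(interface, frame):
    """Hand the finished frame to the driver as-is; returns the number of bytes sent."""
    sock = open_raw_socket(interface)
    try:
        return sock.send(frame)
    finally:
        sock.close()


if __name__ == "__main__":
    frame = build_ethernet_frame(DST_MAC, SRC_MAC, ETH_P_IP, PAYLOAD)
    print("frame (%d bytes): %s" % (len(frame), frame.hex()))
    if "--send" in sys.argv:          # only transmit when explicitly asked
        print("sent %d bytes on %s" % (send_frame(INTERFACE, frame), INTERFACE))
```

Because the kernel does no validation of a SOCK_RAW frame beyond the bind, every byte you pack goes on the wire as-is; the length and MAC checks above are the minimum sanity checks before calling send().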
• Raw sockets provide a way to bypass the whole network stack traversal of a packet and deliver it directly to the application.
• Using the PF_PACKET interface, the socket operates at layer 2 of the OSI model, i.e. at the device driver level.
• No header is stripped off the packet.
9. Building the Sniffer Module
• Define the raw socket with PF_PACKET as the packet interface and SOCK_RAW, to indicate a raw socket, in the socket() call.
• Add the third argument socket.htons(0x0800), the protocol value telling the kernel that we are interested only in IP packets.
• Call recvfrom() on the raw socket to read a packet.
• Unpack the Ethernet header using unpack() into the elements of a tuple.
• Convert the unpacked values into hex using binascii.hexlify(), which returns the corresponding hex MAC addresses.
• Parse the Ethernet header (always 14 bytes): the first 6 bytes are the destination MAC address, the next 6 bytes the source MAC address and the next 2 bytes the protocol value.
• Next, parse bytes 14 to 34, which hold the IP header (20 bytes when no IP options are present).
• Unpack the IP header using unpack().
• Extract the source and destination IP addresses.
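The Ethernet and IP header parsing from slides 9 and 10, as an added example that is not the deck's own code. Instead of reading from recvfrom() it runs over a constructed sample frame (Ethernet + IPv4 + UDP header, labelled inline, not a real capture), so it works offline; it goes slightly beyond the slides by honouring the IHL field (so a header with options is not mis-sliced at byte 34) and by verifying the IPv4 header checksum, which a monitoring tool should do before trusting the addresses it displays.

```python
import binascii
import socket
import struct

ETH_HEADER_LEN = 14
ETH_P_IP = 0x0800

# Constructed sample frame (not a real capture): Ethernet + IPv4 + UDP header, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "66778899aabb"        # destination MAC
    "001122334455"        # source MAC
    "0800"                # EtherType 0x0800 = IPv4
    "4500001c00010000"    # IPv4: version 4, IHL 5, TOS 0, total length 28, id 1, flags/frag 0
    "4011f774"            # TTL 64, protocol 17 (UDP), header checksum
    "c0a8010a"            # source IP 192.168.1.10
    "c0a80101"            # destination IP 192.168.1.1
    "04d2003500080000"    # UDP: sport 1234, dport 53, length 8, checksum 0
)


def format_mac(raw6):
    """binascii.hexlify() gives b'001122334455'; insert colons for readability."""
    hexstr = binascii.hexlify(raw6).decode("ascii")
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the header; 0 means the stored checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame):
    """Bytes 0-13: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    return {"dst_mac": format_mac(dst), "src_mac": format_mac(src), "ethertype": ethertype}


def parse_ipv4(frame):
    """Bytes 14-33: the fixed 20-byte IPv4 header. IHL says whether options follow it."""
    fixed = frame[ETH_HEADER_LEN:ETH_HEADER_LEN + 20]
    if len(fixed) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", fixed)
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a well-formed IPv4 header")
    full_header = frame[ETH_HEADER_LEN:ETH_HEADER_LEN + ihl]   # includes options, if any
    return {
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "header_length": ihl,
        "checksum_ok": len(full_header) == ihl and ipv4_checksum(full_header) == 0,
        "transport_offset": ETH_HEADER_LEN + ihl,   # where TCP/UDP parsing would start
    }


def parse_frame(frame):
    """Ethernet first; only descend into IPv4 when the EtherType says so (ARP etc. stay at L2)."""
    result = parse_ethernet(frame)
    if result["ethertype"] == ETH_P_IP:
        result["ip"] = parse_ipv4(frame)
    return result


if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print("%-12s %s" % (key, value))
```

In a live sniffer the same parse_frame() is applied to the buffer returned by recvfrom(); a frame whose checksum_ok is False (or whose EtherType is not 0x0800) should be counted and skipped rather than fed to the IP-level display.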
11. Wireless SSID Sniffer
• Gather the SSIDs and MAC addresses of access points.
• Define a packet handler function that checks for the Dot11 layer in the packet header and extracts pkt.addr2, which is the MAC address of the access point, along with the access point name pkt.info.
• Sniff using the sniff() call on a monitor-mode interface.
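The packet handler described on this slide, as an added example (not the deck's code). handle_packet() reads only haslayer(), addr2 and info, which is what a scapy Dot11 packet exposes, so it is exercised here against constructed stand-in frames and needs neither scapy nor a monitor-mode interface; only run_sniffer() imports scapy (assuming scapy 2.4 or later, where haslayer() accepts layer names as strings) and the interface name wlan0mon is an assumption. It also handles the two cases the slide does not mention: hidden SSIDs (an empty info element) and SSIDs that are not valid UTF-8.

```python
# Added example; the FakeDot11Frame stand-ins below are constructed test data, not captures.


def decode_ssid(info):
    """The SSID element is raw bytes; it may be empty (hidden network) or not valid text."""
    if not info:
        return "<hidden>"
    try:
        return info.decode("utf-8")
    except UnicodeDecodeError:
        return "hex:" + info.hex()


def handle_packet(pkt, seen):
    """Record each access point once. Returns (bssid, ssid) for a newly seen AP, else None.
    Beacons and probe responses are the management frames an AP sends about itself,
    and in both addr2 is the transmitter address, i.e. the AP's BSSID."""
    if not pkt.haslayer("Dot11"):
        return None
    if not (pkt.haslayer("Dot11Beacon") or pkt.haslayer("Dot11ProbeResp")):
        return None
    bssid = pkt.addr2
    if bssid is None or bssid in seen:
        return None
    seen[bssid] = decode_ssid(pkt.info)
    return bssid, seen[bssid]


def find_unexpected(seen, allowed_bssids):
    """Defender's use of the survey: BSSIDs on the air that are not in our AP inventory."""
    allowed = {a.lower() for a in allowed_bssids}
    return {b: s for b, s in seen.items() if b.lower() not in allowed}


class FakeDot11Frame:
    """Constructed stand-in exposing the same attributes the handler reads from a scapy packet."""

    def __init__(self, layers, addr2, info):
        self._layers = set(layers)
        self.addr2 = addr2
        self.info = info

    def haslayer(self, name):
        return name in self._layers


SAMPLE_FRAMES = [
    FakeDot11Frame({"Dot11", "Dot11Beacon", "Dot11Elt"}, "aa:bb:cc:dd:ee:01", b"CorpWiFi"),
    FakeDot11Frame({"Dot11", "Dot11Beacon", "Dot11Elt"}, "aa:bb:cc:dd:ee:01", b"CorpWiFi"),  # repeat beacon
    FakeDot11Frame({"Dot11", "Dot11ProbeResp", "Dot11Elt"}, "aa:bb:cc:dd:ee:02", b""),     # hidden SSID
    FakeDot11Frame({"Dot11", "Dot11Elt"}, "aa:bb:cc:dd:ee:03", b"NotAnAP"),                 # no beacon/probe resp
]


def survey(frames):
    """Run the handler over a sequence of frames and return the BSSID -> SSID table."""
    seen = {}
    for frame in frames:
        handle_packet(frame, seen)
    return seen


def run_sniffer(interface="wlan0mon", count=0):
    """Live capture with scapy's sniff() on a monitor-mode interface (assumed name). Needs root."""
    from scapy.all import sniff  # imported here so the rest of the module runs without scapy
    seen = {}

    def on_packet(pkt):
        found = handle_packet(pkt, seen)
        if found:
            print("AP %s  SSID %s" % found)

    sniff(iface=interface, prn=on_packet, store=False, count=count)
    return seen


if __name__ == "__main__":
    for bssid, ssid in survey(SAMPLE_FRAMES).items():
        print(bssid, ssid)
```

Once a list of your own access points' BSSIDs is available, find_unexpected() turns the raw survey into an alert list of access points that should not be there.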
• The user selects the desired packet and field to be displayed on the next page.
• The fields are timestamp, source MAC, destination MAC, source IP, destination IP, pointer length, source port and destination port for ARP, IP or UDP packets.
15. This page shows the details of each packet of the ARP field as captured by tcpdump: