Presentation 6

Scanner , Sniffer & Injector Modules Network Monitoring Toolkit

Transcript of Presentation 6

Page 1: Presentation 6

Scanner , Sniffer & Injector Modules

Network Monitoring Toolkit

Page 2: Presentation 6

Components comprising the toolkit

• Packet Injection using Raw Sockets

• Packet Sniffer using Raw Sockets

• Packet Sniffer using Python - Scapy

• Implementing a Wireless Networks Sniffer

• Automating Network Scans using Nmap

• UI based Packet Monitoring

Page 3: Presentation 6

Packet Injection (using Raw Sockets)

• Ability to construct and inject raw packets into the target network.

• Powerful, as we can simulate responses from the network.

• Finding valid packets for the network by sending arbitrary packets.

Page 4: Presentation 6

Creating Raw Sockets in User Space

• Using the socket module, with PF_PACKET as the packet interface and SOCK_RAW as the socket type.

• The socket call accepts three parameters; the third, socket.htons(0x0800), is the protocol value for the packet, which is IP in this particular case.

• Next we bind the rawSocket to the interface we decide to send packets over, i.e. wlan0 here.

• Creating a simple packet from the destination address, the source address and the protocol value.

• Using the pack() call, packing the first 6 bytes as the destination MAC address, the next 6 bytes as the source MAC address and the next 2 bytes as the protocol value.

• Further appending a simple string to the packet header.
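The construction steps above, as an added example that is not the presentation's own code: the 14-byte Ethernet header is packed with struct.pack, a string payload is appended, and the finished frame is handed to a PF_PACKET raw socket bound to an interface. The two MAC addresses and the wlan0 interface name are assumed sample values; inject_frame needs Linux and CAP_NET_RAW (normally root), and only the frame builder is exercised without privileges.

```python
import socket
import struct

# Constructed sample values for this example (not taken from the slides).
ETH_P_IP = 0x0800               # EtherType for IPv4, the value passed as socket.htons(0x0800)
DST_MAC = "aa:bb:cc:dd:ee:ff"   # assumed destination MAC address
SRC_MAC = "00:11:22:33:44:55"   # assumed source MAC address


def mac_to_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into the 6 raw bytes the header needs."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Pack a 14-byte Ethernet header (6 dst, 6 src, 2 type) and append the payload.

    '!' selects network (big-endian) byte order, so the EtherType lands on the
    wire as 08 00, exactly as htons() would arrange it.
    """
    header = struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ethertype)
    return header + payload


def inject_frame(interface: str, frame: bytes) -> int:
    """Send a prebuilt frame out of `interface` through a PF_PACKET raw socket.

    Linux only; needs CAP_NET_RAW. AF_PACKET is the same value as PF_PACKET.
    """
    raw = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_IP))
    try:
        raw.bind((interface, 0))   # (ifname, protocol); 0 = no extra protocol filter
        return raw.send(frame)     # returns the number of bytes written
    finally:
        raw.close()


if __name__ == "__main__":
    frame = build_ethernet_frame(DST_MAC, SRC_MAC, ETH_P_IP, b"hello raw socket")
    print(frame.hex())
    # inject_frame("wlan0", frame)   # uncomment on a Linux host with that interface
```

The frame shown here carries a plain string after the header, as on the slide, so a capture on the receiving side will show EtherType 0x0800 followed by data that is not a valid IP header; that is what the tcpdump monitoring step on the next page lets you confirm.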

Page 5: Presentation 6

Monitoring the Network (over the interface using tcpdump)

Page 6: Presentation 6

Packet Sniffing (Using Raw Sockets)

Page 7: Presentation 6

• Raw sockets provide a way to bypass the whole network-stack traversal of a packet and deliver it directly to an application.

• Using the PF_PACKET interface, which operates at layer 2 of the OSI model, i.e. at the device-driver level.

• No header is stripped off the packet.

Page 8: Presentation 6

Understanding Packet Headers

Page 9: Presentation 6

Building up the Sniffer Module

• Defining rawSocket in the socket function, using PF_PACKET as the packet interface and SOCK_RAW to indicate that it is a raw socket.

• Adding the third argument, the protocol value socket.htons(0x0800), which tells the kernel that we are interested only in IP packets.

• Now calling recvfrom() on the rawSocket to read a packet.

• Unpacking the Ethernet header using unpack() into the elements of a tuple.

• Converting the unpacked values into hex using binascii.hexlify(), which returns the corresponding hex strings: the MAC addresses.

• Parsing the Ethernet header (always 14 bytes), of which the first 6 bytes are the destination MAC address, the next 6 bytes the source MAC address and the last 2 bytes the protocol value.

Page 10: Presentation 6

• Next, parsing bytes 14 to 34, which hold the IP header.

• Unpacking the IP header using unpack().

• Extracting the source and destination IP addresses.
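The parsing steps of the last two pages, as an added example that is not the presentation's own code: the Ethernet header is unpacked with "!6s6sH" and hexlified, the IPv4 header starting at byte 14 is unpacked with "!BBHHHBBH4s4s", and the addresses are rendered with inet_ntoa. It goes one step past the slides in two ways: it reads the IHL field instead of assuming the header ends at byte 34 (a header with options is longer), and it pulls the UDP ports when the protocol is 17. SAMPLE_FRAME is a constructed Ethernet/IPv4/UDP frame with a zero checksum, not a real capture; sniff_one needs Linux and CAP_NET_RAW and is not part of the test.

```python
import binascii
import socket
import struct
from typing import Optional, Tuple

ETH_HEADER_LEN = 14        # 6 dst + 6 src + 2 type, always
ETH_P_IP = 0x0800
IPPROTO_UDP = 17


def parse_ethernet_header(frame: bytes) -> dict:
    """Unpack the first 14 bytes into a tuple, then hexlify the MAC fields."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    return {
        "dst_mac": binascii.hexlify(dst, ":").decode(),   # e.g. 'aa:bb:cc:dd:ee:ff'
        "src_mac": binascii.hexlify(src, ":").decode(),
        "ethertype": ethertype,
    }


def parse_ip_header(frame: bytes) -> dict:
    """Unpack the IPv4 header that starts at byte 14.

    The slides read bytes 14..34, which is right for the common 20-byte header
    (IHL == 5). Honouring IHL keeps a header with options from being misread
    as payload.
    """
    eth = parse_ethernet_header(frame)
    if eth["ethertype"] != ETH_P_IP:
        raise ValueError(f"not an IPv4 frame (ethertype 0x{eth['ethertype']:04x})")
    if len(frame) < ETH_HEADER_LEN + 20:
        raise ValueError("frame shorter than a minimal IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", frame[ETH_HEADER_LEN:ETH_HEADER_LEN + 20])
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _checksum, src, dst = fields
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("malformed IPv4 header")
    header_len = ihl * 4
    return {
        "version": version,
        "header_len": header_len,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "payload_offset": ETH_HEADER_LEN + header_len,   # where the L4 header begins
    }


def parse_udp_ports(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (source port, destination port) for a UDP frame, else None."""
    ip = parse_ip_header(frame)
    if ip["protocol"] != IPPROTO_UDP:
        return None
    off = ip["payload_offset"]
    if len(frame) < off + 4:
        raise ValueError("truncated UDP header")
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return sport, dport


def sniff_one(interface: str, bufsize: int = 65535) -> dict:
    """Read one IPv4 frame from a PF_PACKET raw socket and parse it (Linux, CAP_NET_RAW)."""
    raw = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_IP))
    try:
        raw.bind((interface, 0))
        frame, _addr = raw.recvfrom(bufsize)
    finally:
        raw.close()
    return {**parse_ethernet_header(frame), **parse_ip_header(frame)}


def _build_sample_frame() -> bytes:
    """Constructed test input: Ethernet + IPv4 (no options) + UDP, checksums left at 0."""
    payload = b"ping"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                     IPPROTO_UDP, 0, socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5"))
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), ETH_P_IP)
    return eth + ip + udp


SAMPLE_FRAME = _build_sample_frame()

if __name__ == "__main__":
    print(parse_ethernet_header(SAMPLE_FRAME))
    print(parse_ip_header(SAMPLE_FRAME))
    print(parse_udp_ports(SAMPLE_FRAME))
    # print(sniff_one("wlan0"))   # uncomment on a Linux host with that interface
```

binascii.hexlify with a separator needs Python 3.8 or later; on older interpreters join the per-byte hex values yourself. The length checks matter in a sniffer because recvfrom() hands you whatever arrived, including runt frames, and struct.unpack raises on a short buffer.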

Page 11: Presentation 6

Wireless SSID Sniffer

• Gathering the SSIDs and MAC addresses of access points.

• Defining a packet handler function that checks for the Dot11 layer in the packet and extracts pkt.addr2, the MAC address of the access point, along with the access point name, pkt.info.

• Sniffing using the sniff() call on a monitor-mode interface.
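What pkt.addr2 and pkt.info actually hold, as an added example that is not the presentation's own code: a beacon frame is decoded directly from its bytes (Frame Control, then addr2 at offset 10, then the SSID tag after the 12-byte fixed beacon fields), and a small Scapy-based collector mirrors the slide's handler using the real sniff(), Dot11Beacon, addr2 and info names. SAMPLE_BEACON is a constructed frame without a radiotap header; the Scapy import is lazy so the parser runs without Scapy installed, and collect_access_points needs a monitor-mode interface and is not part of the test.

```python
import struct
from typing import Optional

BEACON_FC = 0x80            # Frame Control byte: type 0 (management), subtype 8 (beacon)
MAC_HEADER_LEN = 24         # FC(2) + duration(2) + addr1/addr2/addr3 (18) + sequence control(2)
BEACON_FIXED_LEN = 12       # timestamp(8) + beacon interval(2) + capability info(2)
TAG_SSID = 0                # tagged-parameter id carrying the SSID


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_beacon(frame: bytes) -> bool:
    """Type bits 2-3 of the Frame Control byte must be 0, subtype bits 4-7 must be 8."""
    if len(frame) < MAC_HEADER_LEN + BEACON_FIXED_LEN:
        return False
    fc = frame[0]
    return (fc >> 2) & 0x3 == 0 and (fc >> 4) & 0xF == 8


def parse_beacon(frame: bytes) -> Optional[dict]:
    """Return the transmitter address (addr2, Scapy's pkt.addr2) and SSID (tag 0, pkt.info)."""
    if not is_beacon(frame):
        return None
    bssid = mac_str(frame[10:16])                 # addr2 is bytes 10..15 of the MAC header
    ssid = None
    pos = MAC_HEADER_LEN + BEACON_FIXED_LEN
    # Walk the tagged parameters: 1 byte id, 1 byte length, then the value.
    while pos + 2 <= len(frame):
        tag_id, tag_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + tag_len]
        if len(value) != tag_len:
            break                                 # truncated tag: stop rather than misread
        if tag_id == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")   # "" means a hidden SSID
            break
        pos += 2 + tag_len
    return {"bssid": bssid, "ssid": ssid}


def collect_access_points(interface: str, count: int = 50) -> dict:
    """Scapy version of the slide's handler: map addr2 -> SSID for `count` frames."""
    from scapy.all import sniff, Dot11Beacon   # lazy import; real Scapy names
    found = {}

    def handler(pkt):
        if pkt.haslayer(Dot11Beacon):
            found[pkt.addr2] = pkt.info.decode("utf-8", errors="replace")

    sniff(iface=interface, prn=handler, count=count)
    return found


def _build_sample_beacon(ssid: bytes) -> bytes:
    """Constructed test input: one beacon from BSSID 00:11:22:33:44:55 (802.11 is little-endian)."""
    header = (struct.pack("<BBH", BEACON_FC, 0x00, 0)        # frame control, flags, duration
              + bytes.fromhex("ffffffffffff")                # addr1: broadcast
              + bytes.fromhex("001122334455")                # addr2: transmitter (BSSID)
              + bytes.fromhex("001122334455")                # addr3: BSSID
              + struct.pack("<H", 0x0010))                   # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0411)              # timestamp, interval, capability
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # SSID, rates
    return header + fixed + tags


SAMPLE_BEACON = _build_sample_beacon(b"TestNet")

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
    # print(collect_access_points("mon0"))   # uncomment with a monitor-mode interface
```

Real captures on a monitor-mode interface arrive with a radiotap header in front of the 802.11 header, which Scapy strips for you; feed this parser the bytes after it. Decoding the SSID with errors="replace" keeps a non-UTF-8 network name from crashing the handler.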

Page 12: Presentation 6
Page 13: Presentation 6

UI Based monitoring of Packets

Page 14: Presentation 6

• The user selects the desired packet and the fields to be displayed on the next page.

• The fields are timestamp, source MAC, destination MAC, source IP, destination IP, packet length, source port and destination port for ARP, IP or UDP packets.

Page 15: Presentation 6

This page shows the details of each ARP packet as captured by tcpdump: