Goal: learn how IP networking looks at the packet level, and practice with free software tools that create, handle, and modify TCP/IP packets.

Tools:
  Packet sniffers: tcpdump, Wireshark, tshark
  Packet crafting tools: Scapy, Unix raw socket layer, libdnet, libnet
  Routing: Linux route, iproute2 suite, /proc/sys/net/ipv{4,6} entries
  Firewalling, packet mangling: IPtables/Netfilter firewall, SNAT & DNAT

Books:
"Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt, Donald McLachlan, and Judy Novak (either the 2nd or the 3rd edition will do). You can buy a used copy from Amazon cheaply (practically for the cost of shipping).

Freely available online:
"How can an internet work and how does the Internet work" by Stanislav Shalunov, http://www.mccme.ru/computers/Shalunov-inet.pdf
"IPv6 for IPv4 Experts" by Yar Tikhiy, https://sites.google.com/site/yartikhiy/home/ipv6book
"TCP/IP Guide": http://www.tcpipguide.com/free/index.htm

I will assume you are using a Linux machine on which you have root. Mac OS X may work for you, but "your mileage may vary". I use a Mac but prefer Linux.

-------------------------------------------------------------------------

0. Tools to install:

Install tcpdump and test it. You should be able to see broadcast traffic on your interface connected to a live network, e.g., with "tcpdump -n -i eth0" if your interface is eth0; -n is essential for quiet & smooth operation (why?).

Also install Wireshark, a GUI packet analyzer. Wireshark and tcpdump use the same method of capturing packets, the libpcap library. Wireshark's capture filters are the same as tcpdump's, but Wireshark display filters differ; learn to use them as well.

In all exercises below, you are expected to look up needed information about the protocols involved. No one knows all protocols; Google and Wireshark are the best tools for finding out.

1. Read Chapters 1-5 of the Northcutt book. This book uses tcpdump for all of its examples.
Install tcpdump and get comfortable with its options _and_ its filters (see the man page: "man tcpdump"). Use it to capture your HTTP session going out to some site. Write filters to capture _only_ the traffic you are interested in.

Exercises:
- Write a tcpdump filter that would capture all ARP request packets. Use it to generate a list of MAC and IP addresses of machines on your network (you can use grep, awk, perl, or any other Unix command-line/scripting tools to process the text output of tcpdump).
- Write a tcpdump filter that matches TCP packets without using the keyword "tcp" in the filter. Find two ways to do this (one involves matching a byte in the IP header by offset).
- Write a tcpdump command to run on a remote machine you connect to via SSH that would allow you to observe all TCP traffic on that remote machine _except the packets of your own SSH connection_. Since SSH uses TCP too, and tcpdump runs on a machine that you are continually exchanging traffic with, any tcpdump output will also run back to you over SSH, and tcpdump would capture it, creating a storm of redundant messages (try it!). Find a way to work around it, to see all TCP traffic but yours.

2. Install the tool Scapy, http://www.secdev.org/projects/scapy/, and learn to send packets with it.

Exercises:
- Send ICMP pings to a remote computer and capture the response. Vary the length and the payload of your ICMP echo request packets. Send packets with a size of 1000 bytes and a favorite English text as the payload; the remote system should echo them back to you.
- Send UDP packets to a remote computer and capture the response. Observe the operation of the traceroute tool and write your own code in Scapy that would send and capture similar packets, but use different packet sizes and ports for equivalent functionality.

3. Read about the ARP protocol and "ARP poisoning", aka "ARP spoofing": http://sid.rstack.org/arp-sk/ (skip to "Quick guide of what you can do with ARP"). To build arp-sk, you need the libnet library. A good mirror for it is http://packetfactory.openwall.net/projects/libnet/

With Scapy, send some spoofed ARP packets and see if you can confuse your friends' machines in a small LAN on an isolated switch. DON'T use ARP poisoning on any (repeat, ANY) production networks! If the admins see it, they will be angry with you---and there are both free tools (such as arpwatch) and proprietary tools for commercial switches that will alert them.

Look at the arpwatch C source code if you wonder what such code looked like in the 1990s-2000s. Now, of course, you can implement a similar tool in Scapy's Python in a screenful of code; to send spoofed ARP packets you only need a Scapy one-liner.

Exercises:
- Write Scapy code that sends the same packets as arp-sk.
- arpspoof is another tool for ARP poisoning, from the dsniff package (https://www.monkey.org/~dugsong/dsniff/). Its default operation is slightly different from arp-sk's. Find out how, and match it with Scapy commands.
- Find the Scapy command that does ARP poisoning. Read & understand its code.
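An added example (not part of this course page, and not arpwatch's or Scapy's code) that serves both the ARP inventory exercise in section 1 and the "arpwatch in a screenful of code" idea above: it parses "tcpdump -n -e ... arp" text output with the standard library only, builds the IP-to-MAC table, and flags the binding change that arpwatch reports as "changed ethernet address". The sample lines are constructed, not a real capture, and the detector assumes the line layout tcpdump prints with -e.

```python
import re

# Constructed sample of "tcpdump -n -e -i eth0 arp" output (not a real capture).
# The last line is an unsolicited reply claiming 10.0.0.1 from a new MAC.
SAMPLE = """\
12:00:01.000100 00:11:22:33:44:01 > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.5 tell 10.0.0.1, length 28
12:00:01.000300 00:11:22:33:44:05 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 10.0.0.5 is-at 00:11:22:33:44:05, length 28
12:00:02.000100 00:11:22:33:44:07 > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.7, length 28
12:00:03.000100 00:11:22:33:44:99 > Broadcast, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:11:22:33:44:99, length 28
"""

# Frame prefix printed by -e: timestamp, source MAC, "> dest", ethertype, then the ARP body.
FRAME = re.compile(r"^\S+ (?P<src>[0-9a-f:]{17}) > \S+, ethertype ARP \(0x0806\), length \d+: (?P<body>.*)$")
REQUEST = re.compile(r"^Request who-has (?P<target>\S+) tell (?P<sender>\S+), length \d+$")
REPLY = re.compile(r"^Reply (?P<sender>\S+) is-at (?P<mac>[0-9a-f:]{17}), length \d+$")


def parse_arp_line(line):
    """Return (sender_ip, sender_mac, frame_src_mac) for one tcpdump -e ARP line, else None."""
    m = FRAME.match(line.strip())
    if not m:
        return None
    src, body = m.group("src"), m.group("body")
    r = REQUEST.match(body)
    if r:  # a request reveals the *sender's* IP/MAC binding ("tell" IP, frame source MAC)
        return r.group("sender"), src, src
    r = REPLY.match(body)
    if r:  # a reply carries the binding explicitly in its body
        return r.group("sender"), r.group("mac"), src
    return None


def build_inventory(text):
    """Return ({ip: first-seen mac}, [alert strings]) in the spirit of arpwatch."""
    table, alerts = {}, []
    for line in text.splitlines():
        parsed = parse_arp_line(line)
        if parsed is None:
            continue
        ip, mac, src = parsed
        if mac != src:  # reply body claims a MAC other than the frame's own source
            alerts.append(f"{ip}: is-at {mac} but frame came from {src}")
        if ip in table and table[ip] != mac:  # arpwatch's "changed ethernet address"
            alerts.append(f"{ip}: changed ethernet address {table[ip]} -> {mac}")
        table.setdefault(ip, mac)
    return table, alerts


if __name__ == "__main__":
    inv, alerts = build_inventory(SAMPLE)
    for ip, mac in sorted(inv.items()):
        print(f"{ip:<15} {mac}")
    for a in alerts:
        print("ALERT:", a)
```

Pipe a live capture into it with "tcpdump -n -e -l -i eth0 arp" and feed stdin to build_inventory to get the same table and alerts on real traffic.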