Packet Sniffing and Spoofing Lab [10 points]

These exercises are based heavily on those developed at Seed Labs.

Exercises

  1. [2 points] Ping is a tool that repeatedly sends ICMP request packets to a target IP address and listens for replies. Hosts that receive an ICMP request packet reply with an ICMP reply packet. When an ICMP reply is received from the target, the sender knows the target is reachable and can determine the time that it takes packets to make a round trip to the target and back.

    Use Scapy to write your own Ping tool (read more about Scapy). Your Python program should take the target's IP address (say, Google's DNS server at 8.8.8.8) as a command line parameter and should repeatedly send ICMP requests once per second to the target. You can use Scapy's sr1 command to both send a packet and receive a reply for one packet as shown:

        reply = sr1(<your packet here>)

    reply is filled by Scapy with the reply packet. If there is no reply, reply is set to None after a brief timeout period.

    Your output should match the built-in Ping command's output.

    Record the average round trip time for your Ping method by saving the time in Python right before sending the packet and comparing it with the time right after the reply returns (e.g., when the reply variable is set by Scapy in the code above). Compare that with the built-in Ping command available from the command line. What differences do you notice? Why are they different? How could you make your code run faster?

    Submit your code and your answers to the questions above.

  2. [4 points] Traceroute is a tool to record the path a packet takes as it traverses the Internet from a source machine to a target machine. In this problem you will write your own traceroute program. Your Python program should take the target's IP address (say, Google's DNS server at 8.8.8.8) as a command line parameter.

    To see the route taken by packets from the source to the target we will use the ttl (time to live) property of packets. The ttl (sometimes called the hop limit) specifies the maximum number of hops a packet can make between computers on the Internet before timing out. Each time a packet hops from one computer to the next, the ttl is decremented by 1. Packets time out if the ttl goes to zero, and the computer timing out a packet will send an ICMP error message (type 11, code 0) back to the original sender. For example, if the sender of a packet sets ttl=1, the packet would traverse to the first computer on its way to the target, but that first computer would not forward the packet on to the next computer on the Internet because the ttl would be decremented to 0. Instead of forwarding the packet, the computer would send back an ICMP error message.

    We can use Scapy to set the ttl property of a packet. To implement the traceroute command, first set ttl=1 and get an error message reply from the first hop. Then set ttl=2 and get a reply from the second hop. Keep incrementing the ttl until you get a reply from the destination. Use Scapy's sr1 command as described above to send an ICMP packet (you may want to set timeout=2 as a parameter in the sr1 call). Keep track of the computers that replied along the route.

    Submit your version of the traceroute program using an ICMP packet sent to each computer along the way (do not simply call Scapy's built-in traceroute routine!). What could happen to cause an inconsistency in the route you discover? How likely is that to happen while your program runs?

  3. [4 points] Steal telnet passwords. Telnet is a protocol that sets up a virtual terminal between two computers, allowing a user on one computer to type commands into a remote computer. Telnet communicates using TCP on port 23. Unfortunately, telnet sends each character typed by the user to the remote computer in clear text over the network, including login user names and passwords. This means we can sniff those communications and recover the user's credentials (do not use telnet in real life! use ssh instead).

    A user sets up a telnet session by typing:

        telnet <ip address of remote computer>

    The remote computer will then ask for the user's user name and password. Each keystroke typed by the user is sent over the network in the clear (not encrypted). Once authenticated, the user can issue commands on the remote computer.

    Write a program to sniff the username and password keystrokes. You'll need to use two VMs. Run your sniffer on the first VM. Issue the telnet command from the second VM using the first computer's IP address as a target (use the command ifconfig to get the computer's IP address). Telnet sends each character typed by the user in one packet. For example, if the user types a username of "seed" (which is the password on the VMs), telnet will send a packet with a data value of s, then another packet with a data value of e, then a third packet with a data value of e, and finally a packet with a data value of d. You can get the data values in a sniffed packet using Scapy by looking at the Raw layer. Print keystroke characters as they are typed, but do not print other packets exchanged or extraneous data (just keystrokes including return characters).

    Submit your sniffer program and sample output that clearly identifies the username and password captured.

    Follow the instructions on the Software tab of the course web page to set up two VMs for this problem. In particular, check out Appendix B to get two VMs running at the same time.
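
The ttl mechanism described in Exercise 2, modelled offline as an added example (not part of the original lab, and not a Scapy solution): it sends no packets and walks a constructed path so you can see which hop answers each ttl value. PATH, its addresses, send_probe and traceroute are hypothetical names and sample data made up for this illustration; send_probe stands in for sr1 and returns None where sr1 would time out.

```python
# Offline model of the ttl mechanism; no packets are sent.
# PATH is constructed sample data: (address, does this host send ICMP back?)
PATH = [
    ("192.0.2.1", True),      # hop 1: router that reports expiry
    ("198.51.100.7", False),  # hop 2: router that drops expired packets silently
    ("203.0.113.9", True),    # hop 3: router that reports expiry
    ("8.8.8.8", True),        # hop 4: the target itself
]

TIME_EXCEEDED = (11, 0)  # ICMP type 11, code 0: ttl reached zero in transit
ECHO_REPLY = (0, 0)      # ICMP type 0, code 0: the target answered the request


def send_probe(path, ttl):
    """Stand-in for sr1(): return (source_ip, (type, code)), or None on timeout."""
    target = path[-1][0]
    for addr, answers in path:
        if addr == target:
            # The probe arrived with ttl to spare; the target replies (or not).
            return (addr, ECHO_REPLY) if answers else None
        ttl -= 1  # every forwarding hop decrements the ttl by 1
        if ttl == 0:
            # Expired at this hop: it is not forwarded any further.
            return (addr, TIME_EXCEEDED) if answers else None
    return None


def traceroute(path, max_hops=30):
    """Raise ttl from 1 until the target replies; record one entry per ttl."""
    route = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, ttl)
        if reply is None:
            route.append((ttl, None))  # silent hop: record it and keep moving
            continue
        src, icmp = reply
        route.append((ttl, src))
        if icmp == ECHO_REPLY:  # the reply came from the target: stop
            break
    return route


if __name__ == "__main__":
    for ttl, hop in traceroute(PATH):
        print(f"{ttl:2d}  {hop or '*'}")
```

The max_hops bound matters: a target that never replies would otherwise keep the loop running forever.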

Submission Instructions

Create a single .pdf file with your answers to these exercises. Zip your code files together with your .pdf into a single file and submit that file via Canvas. In the text box on your Canvas submission, provide the names of your partners. Only one partner need submit.

Grading rubric

Total of 10 points.

Exercise 1 [2 points]: Create a ping utility using Scapy

  • 0.5 point: Create and send an ICMP packet to the target with an increasing sequence number once per second until the program is terminated
  • 0.5 point: Receive the ICMP reply and print in the normal ping command format, handle missing replies by printing "No reply"
  • 1 point: Answer questions.

Exercise 2 [4 points]: Write a traceroute utility using Scapy

  • 1 point: Create and send UDP packets, increasing the ttl by one each packet
  • 1 point: Record the computers along the way, keep moving if no response
  • 1 point: Stop when you reach the destination
  • 1 point: Answer questions.

Exercise 3 [4 points]: Create a telnet credential sniffer

  • 1 point: Create a sniffer callback function with a filter to capture only telnet packets
  • 2 points: For each packet
    • 1 point: Ignore packets that do not contain a single keystroke
    • 1 point: Print keystrokes, including return characters
  • 1 point: Identify the captured username and password in your program's output.