Transparently sniffing and modify traffic with scapy in-path

January 29, 2017 at 19:42 (linux) (, , , , )

I decided to play a little bit with scapy and tried to find something in the internet that helped me to sniff and modify traffic without ARP-Storming the whole network.

I want to connect a box to my computer eth0 and the network to eth1, so that I’m between the box and the network.

Note: This one does not defeat SSL right now, but that could be easily done with all the tools out there.

The idea is to transparently forward all traffic and only pick out specific packets for modification with scapy.

I did do this with an combination of bridged interface, iptables NFQueue and scapy.

First we gonna create a bridge between eth0 and eth1 to transparently forward all traffic:

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0 eth1
ifconfig br0 up

Second, we need to setup iptables to send the traffic we want to change to an NFQueue.
Important is that this line is executed within the startup of the scapy script, so the actual modding only happens if the script is running.
It would be bad if the script is not running and the packets don’t traverse..

The line we need to set in the scapy script is:

iptables -A FORWARD -m physdev –physdev-in eth1  -s 192.168.1.10 -j NFQUEUE

Third, our scapy program catches those packets, modify them if they are of interest for us and forwards them accordingly.
Important is to command scapy that it should also forward traffic we do not want to be modified (e.g. other SNMP calls in this example):

https://codepaste.net/y2a2mt

What I actually do is to modify a response of our target system to the monitoring system.
I choose the SNMP response of an HP ProLiant power-supply check that checks if the power supplies are OK or not (or disconnected):

The “original” says that both power-supplies are degraded or in other words they have a problem:

# snmpwalk -v 1 -c public -O eq 192.168.1.10 1.3.6.1.4.1.232.6.2.9.3.1.4
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.1 3
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.2 3

# ./check_psu -H 192.168.1.10
PSU 1 DEGRADED, PSU 2 DEGRADED

after starting the scapy script, it will happily transform to something much better:

#./scapymod.py
Adding iptable rules :
iptables -A FORWARD -m physdev –physdev-in eth1 -s 192.168.1.10 -p udp -j NFQUEUE
[+] Running Main loop
Got a packet ! source ip : 192.168.1.10 dest: 192.168.1.60
Modding…
Old status: 2 (<ASN1_OID[‘.1.3.6.1.4.1.232.6.2.9.3.1.4.1.1’]>)
New status: 2 (OK)
Got a packet ! source ip : 192.168.1.10 dest: 192.168.1.60
Modding…
Old status: 2 (<ASN1_OID[‘.1.3.6.1.4.1.232.6.2.9.3.1.4.1.2’]>)
New status: 2 (OK)

and in the console:

# snmpwalk -v 1 -c public -O eq 192.168.1.10 1.3.6.1.4.1.232.6.2.9.3.1.4
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.1 2
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.2 2

# ./check_psu -H 192.168.1.10
PSU 1 OK, PSU 2 OK

And this all by just carefully crafting and modifying packets

Have Phun :)

Advertisements

Permalink Leave a Comment

Weekend Project: Connect a letterbox to Jabber with XBee

May 16, 2010 at 19:05 (Electronics, linux) (, , , , , , )

As i promised this is my first XBee Project. I just needed a more or less useful application i can “test” the XBee’s in a real environment.

It is in my nature to do crazy things, so i thought it would be really cool to have a notification Jabber Message to my Phone when someone put some letters for me in my letterbox. Here it is ;)

01-08-2010 Update:
The FTDI Chip gives me A fscking LOT PAIN more to come in the next Post. DO NOT USE IT :)

This is my Setup:

  • XBee “Coordinator” API Mode connected through a FTDI USB Chip to a linux box
  • XBee “End Device” Interfaced with an Atmel ATTiny13v power by two 1.5v AA Batteries
  • Perl XBee Module API.pm from Thomas Jager
  • Jabber Perl Modules to enable sending messages
  • Siemens S685IP DECT Phone that can recieve Jabber messages

Before you read further you should note that i flashed the ZIGBEE firmware (XB24-ZB) API on my XBee’s because i don’t want to miss the mesh feature.

This Setup now runs with 2x Alkaline Batterys in the End-Device for 4 weeks now, and is still running!

Read the rest of this entry »

Permalink 4 Comments

Multi-Boot USB Thumb Drive

February 14, 2010 at 01:34 (linux, Uncategorized) (, , , , , , , )

Ever thought it might be cool to only have an USB-Stick where all your individual security / pentest / recovery / hack-a-tack bootdiscs can be booted?

I thought so!

Crawling the Internet looks promising and shows two different ways how to get an bootdisc on your USB thumbdrive:

  • Booting a bootdisc as ISO stored on the drive (which is not compatible to most bootdisc’s)
  • Booting abootdisc ISO extracted to a extra Partition on the USB-Drive (which is more compatible)

Remember: both ways are possible on a single Stick, so you can have ISO’s there AND extra partitions with the contents of the original ISO.

Read the rest of this entry »

Permalink Leave a Comment

SipToSis with Asterisk

February 1, 2010 at 16:59 (Asterisk) (, , , , , )

I was little busy these days, had a lot of work to do like re-waterproofing my bathtub..

2010-02-17 Edit: Please Read the references i shown on the end of this Post to have an HowTo how to exactly install SipToSis! If i find the Time i can write a detailed Howto with Display environment variables etc, but only if i get some comments to do so :)

Nevertheless i finally managed to Get a working Skype <-> Asterisk connection via SipToSis. Hurray!
I didn’t get Skypeiax to work..

This is how i did it – with Asterisk 1.4.x branch on the same machine skype should also do – running Debian 5.0

Read the rest of this entry »

Permalink 1 Comment