Reference no: EM132578227

LAB - Packet Crafting for IDS/IPS

Objectives:
Experiment with reading, writing and modifying packets.

These exercises help you become more familiar with concepts associated with Packet Crafting for IDS/IPS.

Exercise 1:
Enter scapy interface as follows:

The interface prompt is ">>>"

Description: Scapy supplies default values to fields/attributes so we supply the values we want to change only.

1. Craft an ICMP echo request with the following:
• An Ethernet source address of a1:b1:c1:d1:e1:f1
• An Ethernet destination address of a2:b2:c2:d2:e2:f2
• A source IP address of 192.168.1.1
• A destination address of 192.168.1.2
• An ICMP sequence number of 1234
2. Display the frame you just created.
3. Use Scapy to write the frame to the output pcap filename /tmp/icmp.pcap
4. In another terminal use tcpdump or wireshark to examine the record in
/tmp/icmp.pcap to make sure that the frame you crafted matches the specification detailed.
Note: if you choose to use tcpdump, supply the command line option -e to display the Ethernet header.

Exercise 2:
The objective of this exercise is to modify certain field of the packet, following the steps below:

1. Read /tmp/icmp.pcap, which you have created in (Exercise 1) using the same
Scapy session that you have open.
2. Change the value of the ICMP sequence number to 4321 and perform.
3. Write the new record to /tmp/icmp2.pcap
4. Read /tmp/icmp2.pcap in another terminal using tcpdump supplying it the
-vv option to verify that you crafted a valid record. Notice that an error was inadvertently introduced;
5. Correct the issue by changing the record that still exists in your Scapy
interactive session and writing it out again, to /tmp/icmp2.pcap.

6. Return tcpdump in the other terminal to make sure you corrected the issue.

Exercise 3:
Description:
This exercise enables you to craft and send some traffic using Scapy. Specifically, you will craft an ICMP echo request in one Scapy interactive session and send it, listen for it in another Scapy interactive session, and respond with a crafted ICMP echo reply from this second session.

All this is done over the network loopback interface instead of the default
eth0 interface.
This requires you to enter some Scapy configuration commands to assign a particular network socket to use.
You need to open three different terminals for this. All of them require you to be root using the sudo -s command with a password of "training". Scapy requires you to whenever you send a frame or packet to a network interface. This means you need to exit from the current Scapy session with CTRL/D, become root, and then go back into Scapy for one of the terminal open as root.

1. In the first terminal, use tcpdump to sniff traffic you crafted and sent from the Scapy sessions in the other two terminals.

2. In the second terminal, invoke the Scapy interactive interface and
prepare Scapy to sniff an ICMP echo request that was sent from another Scapy session in the third terminal.

• The first command configures Scapy to use the socket support for the loopback interface.
• The second line places Scapy in sniffing mode; specifically, it uses a familiar looking filter format (BPF) to look for a single ICMP echo request from the loopback interface. It puts the response in a list called
r. Scapy waits until it receives a record that matches the sniff criteria.

3. In the third terminal, invoke the Scapy interactive interface and send an ICMP echo request.

You are required to craft an ICMP echo request with a destination IP address of "127.0.0.1" with an ICMP ID value of 10 and an ICMP sequence value of 100. Add any string payload to this, enclosing it in double quotes.

Hint:
An example format would be IP()/ICMP()/"YOUR MESSAGE" where you supply the
IP() and ICMP() appropriate attribute values. Send your ICMP

Send your ICMP echo request. Make sure that you see in the tcpdump output the ICMP echo request you sent and the echo reply that the localhost returned.
Now, return to the Scapy interface that sniffed the packet. Display the received ICMP echo request to find the ICMP ID value of 10, display as 0xa, and the ICMP sequence number of 100.

Next, craft an ICMP echo response. Substitute "YOUR MESSAGE" for the payload that you supplied to the ICMP echo request you sent.

You should see an ICMP echo reply in the tcpdump output that is identical to the one generated by the host if you have successfully sent the ICMP echo reply.

Exercise 4:
Description:
The exercise is to reset an established TCP session on the localhost using Scapy. This requires you to use Scapy to craft a TCP reset segment with all the correct values found in the session to include the source and destination ports, TCP sequence number, and TCP flags.

You need four different terminals in this exercise. Three must be configured as root. Here is the scenario:
First configure the preparation phase by starting tcpdump as root in the first terminal to examine the traffic exchanged on the localhost. In a second terminal as root, enter the Scapy interactive interface and first perform some configuration to send traffic on the loopback interface. In a third terminal as root, set up a netcat listener on port 99.
Finally, in a fourth terminal as user sans, use netcat to connect to the To the netcat listener. You can then craft a packet from Scapy to reset the established connection.

1. In the first terminal as root, start tcpdump to examine the traffic exchanged on the localhost. Make sure to use the option -S to display the absolute TCP sequence numbers that you need to craft the reset.
tcpdump -i lo -ntS ‘tcp and port 99'
2. In a second terminal as root, enter Scapy interactive interface and perform some configuration to send traffic on the loopback interface.
3. In the third terminal as root, set up a netcat listener on port 99.
4. In a fourth terminal as user ct6034, use netcat to connect to the netcat listener. You can then craft a packet from Scapy to reset the established connection.

Attachment:- Packet Crafting.rar