1.

Packet Construction with Scapy

In this exercise, you will practice to construct several packets using scapy. To start, run $sudo python3
(if you work on VM root, sudo is not needed) and then import scapy package:
from [Link] import *
Then, you are ready to practice constructing various packets. In each question, show your screen shots
as the evidence of your work.
1) IP() is the function to construct a default IP header. You can use ls(IP()) to view the content. The
first column is the field of IP header and the third column is the example format for the value of each
field.

My Implementation of above:-

Screenshot 1: Enlisting the fields and their default values for the IP layer

You can assign the value to create the IP header you want. Please construct an ip header iph with
source [Link] and destination [Link]. Use ls to show packet header.

My Implementation of above:-
 Screenshot 2: Constructing an IP Header with Ips for source and destination

2) Create a UDP segment with source port number 5000 and destination port number 5300 and
data=”hello”. Use show2 to show your result.

My Implementation of above:-

Screenshot 3: Creating a UDP segment

3) You can create ping packet by stacking IP header over ICMP(). Create a ping packet with your VM
as source IP and [Link] as your destination IP. Create an ip packet with the same source and
destination IP (as in the ping packet) but with UDP segment in item 2 as its data field. Use show2()
function to show the packet content.

My Implementation of above:-

Screenshot 4: ifconfig displays network interface configuration information

 Screenshot 5: Displaying the details of the IP header and ICMP header

Screenshot 6: UDP Packet with Source Port 5000 to Destination Port 5300 and Payload 'hello'
 4) For a packet pkt, pkt[IP] is IP datagram and pkt[UDP] is the UDP segment of pkt. For ip datagram
in item 3, use show2 to show the UDP segment.

My Implementation of above:-

Screenshot 7: Extracting and display the UDP segment from the udp_pkt packet.

Question 2
a. Task A.

2. Sniffing Packets
Wireshark is the most popular sniffing tool, and it is easy to use. We will use it throughout the entire
lab. The objective of the current task is to learn how to use Scapy to do packet sniffing in Python
programs. A sample code is the following:
-----------------------------------------------------------

#!/usr/bin/python

from [Link] import *

def print_pkt(pkt):

pkt.show2()

pkt = sniff(filter=’icmp’,prn=print_pkt, iface=”br-xxx”) # br-xxx is the interface on VM you want to sniff

------------------------------------------------------

Task A. The above program sniffs packets. For each captured packet, the callback function print pkt()
will be invoked; this function will print out some of the information about the packet. Run the program
with the root privilege and demonstrate that you can indeed capture packets. After that, run the
program again, but without using the root privilege; describe and explain your observations.
// Run the program with the root privilege
 $ sudo python [Link]

// Run the program without the root privilege

$ python [Link]

Figure: ICMP packet sniffed by scapy

The above image represents the first icmp packet sniffed using python program
with scapy using root privileges.

Figure: Error running scapy without root privileges

When the same program is executed without root privileges, it crashes because the
program did not get necessary privileges to sniff packets.
it is clearly visible that when we try to run the packet-sniffing program without utilizing the root
privileges, we get permission errors. This main reason is because of capturing network packets which
mainly demands elevated permissions. However, when we tried to run the program within a Docker
container, it seems to work fine as Docker containers generally have more permissive network
permissions by default.
To summarize, if we tries to capture packets using the "[Link]" program, we'll either need to run it
with root privileges (using "sudo python3 [Link]") or we need to make sure that the user running the
program must have the required network capture permissions. Docker containers may allow packet
capture without requiring root privileges due to their specific network configuration.

Task B. In this task, you need to modify the program to simultaneously achieve two goals:
1. When we sniff packets, we are only interested certain types of packets. Your program only sniffs the
ICMP packet with source IP address [Link].
2. For each captured ICMP packet, reverse the source and destination IP address and modify the ICMP
data field as “COMP8677-yourname”. Finally, send the modified packet.

Run your Wireshark to check if [Link] replied to your packet sent by item 2. If yes, give a
screenshot for one such packet. In this task, provide your program and the said screenshot.

!/usr/bin/python
from [Link] import *
def packet_callback(packet):
if packet[IP].src == '[Link]' and [Link](ICMP):
print('ICMP Packet Captured: ', [Link]())
if packet[ICMP].type == 0: # this is an echo request
 new_packet = IP(dst=packet[IP].src, src=packet[IP].dst)/ICMP(type=8)/"COMP8677-
Riya"
send(new_packet)
print("New packet sent")
sniff(filter="icmp and host [Link]", prn=packet_callback)
Code explanation:
The code will sniff the packets whichever has source IP as [Link] and is ICMP and
display its summary. If the echo request type is 0, which means its ‘reply’ packet
and not ‘request’ packet, we’ll create a new packet with most of the details as same
but with the data as “COMP8677-Riya”.

Figure: ICMP packet summary of sniffed packet

 Figure: New packet with modified data captured using wireshark
To view the data, we have to view it from wireshark as ping command wont display
the packets in the terminal. The data displayed is in hexadecimal which has been
converted to text by wireshark.

Task C. In this task, you will practice more for BPF filter. You have studied one in your Task B.
If necessary, check the reference file [Link]. Test your solution using the sniff function on the
command line of python and show one packet content. Here is my example for the test.

Screenshot : From Lab Manual

a) Capture any TCP packet that comes from [Link] with destination network being your
VM subnet (mostly [Link]/24). We remind you that in order to capture packets from [Link],
you of course need to visit the web site.

b) Capture packets that come from source port 53 and a particular network such as [Link]/24. In
the test, run $dig @[Link] [Link]. (note: if you do your assignment at home, you can
change [Link] to [Link] and the subnet [Link]/16).
Solution to Task C Part (a)

[Link] Program

With reference to Screenshot program, it will capture a single TCP packet that meets our criteria
and display its details using the show() method. For this, we are utilizing the Scapy library of
python and having the necessary permissions in place to capture packets on our network interface
when running this script.

Running [Link] on Mozilla Firefox(in left side) and

(right side) displaying that we are running the program showed in Screenshot using root privileges.

When we run the program and run [Link] website then we get results on the right side
screen.

Output continuation of Screenshot while running the program.

Solution to Task C Part (b)

Program updated as per task C Part (b) (explanation is below)

Explanation of Program shown in Screenshot : The Python script using Scapy library of
python to capture and display the details of a single packet that meets the following criteria: it
 originates from source port 53 and belongs to a specific network range (e.g., [Link]/24). The
captured packet's details are printed using the show() method.

Output on running python program(of Screenshot) with root privileges

b.
Output Continuation of Screenshot (while running python program(of Screenshot) with root
privileges)
 c.
Output Continuation of Screenshot 34(while running python program(of Screenshot) with root
privileges)

Output Continuation of Screenshot (while running python program(of Screenshot) with root
privileges)
Output on running dig@[Link] [Link]

With Reference to Screenshot - The output of the dig command for querying the DNS server at IP
address [Link] for the hostname [Link] would provide DNS-related information.
Solution of Question 3 Part 1

Updated Program for Question 3 Part 1 with better readability

Explanation of Program in Screenshot: The Python script uses the Scapy library of python to create a
fake ARP (Address Resolution Protocol) request. It pretends to be one machine on a network (with IP
address "[Link]") and sends this request to another machine (with IP address "[Link]").
The goal is to trick the second machine into associating the attacker's MAC address with the IP address
"[Link]" in its ARP table. This technique is mainly used in malicious attacks to intercept network
traffic.
Solution of Question 3 Part 2 (Extension of Question 3 Part 1):-

Executing dockps to display the running docker containers

Executing docksh to display the information docker container(specifically of seed-attacker)

 Updated Program for Question 3

Output on running the program displayed above in Screenshot 43 with root privileges

Output showing entry of 10.9.0.11in arp table on running for [Link]

Solution of Question 3 Part 3 (Extension of Question 3 Part 1 and Part 2):-

In this scenario, the primary objective is to manipulate the system at IP address [Link] into believing
that IP address 10.9.0.11corresponds to the attacker's MAC address ([Link]).
Consequently, any data intended for [Link] will be inadvertently routed to the attacker's device. This
deceptive tactic is a crucial component of various "man-in-the-middle" attacks, enabling the attacker to
intercept, modify, or obstruct the victim's communications without their knowledge.
To carry out this attack, the attacker first configures their MAC address (mac_attacker =
"[Link]") and identifies another MAC address they want to impersonate (mac_impersonate
= "[Link]").
Then, a crafted packet is generated to appear as though it originates from the impersonated IP address
(psrc ="[Link]"), but it uses the attacker's MAC address as the source (hwsrc=mac_attacker). This
packet is broadcasted across the entire local network using a broadcast MAC address ("[Link]").
Devices on the network that receive this broadcast request will update their ARP tables. When the
legitimate device with IP address [Link] responds to the request, its response is ignored because the
ARP table has already been modified to associate the attacker's MAC address with this IP address.
As a result, any traffic originally intended for IP address 10.9.0.11from [Link] is now directed to the
attacker's machine. This gives the attacker the ability to intercept and manipulate the traffic as
desired.
It's crucial to emphasize that ARP cache poisoning should only be conducted in a controlled, ethical, and
legal environment. Unauthorized or malicious use of this technique is both illegal and unethical, and can
lead to legal repercussions if performed without proper permissions.