-------------------[ Readings ]-------------------

Continue reading about TCP (see previous lecture notes).

Today in class we practiced ARP poisoning in a Wi-Fi WLAN. Read the step-by-step guide in http://www.cs.dartmouth.edu/~sergey/cs60/arp/ and practice on your local WLAN (alas, Dartmouth Public & Secure would not work; you need a WLAN that allows VMs to join---most home WLANs do---or a wired LAN).

-------------------[ Scapy ARP poisoning ]-------------------

How does it work? arpcachepoison() is a very useful function, but what does it actually do?

Scapy is wonderful for being readable. Find the code on your machine (e.g., with locate) and grep it for the function(s) of interest. You will find arpcachepoison() in scapy/layers/l2.py (on my machine, in both /usr/share/pyshared and /usr/lib/python2.7/dist-packages/; not sure why there are two copies). Or look at https://github.com/levigross/Scapy/blob/master/scapy/layers/l2.py

It is a really simple function once all the heuristics of filling in an ARP packet and wrapping it in Ethernet are taken into account: it builds one ARP packet whose sender fields pair the victim's IP address with our own MAC address, addresses it to the target, and re-sends it at a fixed interval so the target's ARP cache never gets a chance to expire and relearn the real mapping.

-------------------[ Life before Scapy ]-------------------

Before Scapy, packet crafting tools used the libraries Libnet and Libdnet (which built on Libnet). These libraries simplify IP packet creation in C, and so, in combination with Libpcap, they became the foundation of nearly all open source network security tools (and of most closed-source commercial ones). There's even a book about them, which can be had very cheaply from Amazon's used books: https://www.amazon.com/Building-Source-Network-Security-Tools/dp/0471205443

One of the first suites of tools for doing ARP poisoning and then transforming the packets flowing through your computer (instead of directly between the poisoned endpoints) was Dsniff (https://www.monkey.org/~dugsong/dsniff/).
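To make concrete what arpcachepoison() above (and Dsniff's arpspoof) put on the wire, here is an added example that is not code from the lecture page, from Scapy or from Dsniff: it hand-builds the 42-byte Ethernet+ARP frame with struct, parses it back, and shows the check a defender would run against it. All addresses are constructed; nothing is sent, so it runs offline. The opcode is a parameter because arpspoof sends an "is-at" reply while the Scapy function of this era sends a "who-has" request with the spoofed sender fields; either updates an existing cache entry on most stacks (assumption: check the l2.py you found against it).

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2   # ARP "who-has" and "is-at" opcodes


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(target_ip, target_mac, sender_ip, sender_mac, op=ARP_REPLY):
    """Ethernet frame carrying an ARP packet that tells target_ip's host
    "sender_ip is-at sender_mac".  For poisoning, sender_ip is the address
    we want to hijack (the gateway) and sender_mac is our own MAC: the
    sender fields carry the lie, the target fields name the victim."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)   # sender hw/proto address
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)   # target hw/proto address
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def looks_poisoned(frame, known):
    """Defender's check (the same idea as arpwatch): an ARP packet whose sender
    IP is one we have a trusted mapping for, but whose sender MAC disagrees
    with it.  `known` maps IP -> MAC for hosts we care about (the gateway)."""
    arp = parse_arp(frame)
    if arp is None:
        return False
    return known.get(arp["sender_ip"], arp["sender_mac"]) != arp["sender_mac"]


# Constructed sample network: a gateway, a victim and us.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:aa"
KNOWN = {GATEWAY_IP: GATEWAY_MAC}

# The poison frame.  Scapy equivalent (assumed field names, Scapy's own):
#   Ether(dst=VICTIM_MAC)/ARP(op="is-at", hwsrc=ATTACKER_MAC, psrc=GATEWAY_IP,
#                             hwdst=VICTIM_MAC, pdst=VICTIM_IP)
POISON = build_arp(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, ATTACKER_MAC)
# What the real gateway's reply to the victim looks like, for comparison.
LEGIT = build_arp(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC)

if __name__ == "__main__":
    print(POISON.hex())
    print(parse_arp(POISON))
    print("poison flagged:", looks_poisoned(POISON, KNOWN))
    print("legit flagged: ", looks_poisoned(LEGIT, KNOWN))
```

Note that the same frame also needs to go to the gateway with the roles swapped (victim's IP paired with our MAC) if you want to see both directions of the traffic, and that nothing here enables IP forwarding on your box; without it, a poisoned victim simply loses connectivity, which is a loud way to be noticed.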
Dsniff demonstrated rewriting of DNS packets to spoof replies to DNS queries (see dnsspoof.c in https://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz), of HTTPS certificates, and of SSH1 handshakes (SSH1 has long since been deprecated in favor of the more secure SSH2).

Dsniff starts with arpspoof (see arpspoof.c). It uses the older Libnet 1.0 API (see the end of the previous lecture for where to get it). It is pretty transparent, and I could have used it today (as I used it many times in production network assessments).

Also have a look at tcpkill.c. It has a very simple manpage (e.g., https://linux.die.net/man/8/tcpkill) and uses the sniffed TCP packets to inject RSTs into the TCP window, breaking every TCP connection that matches the given pcap filter expression.

The only non-trivial heuristic in tcpkill is the "severity" parameter (-1 through -9, default 3). The need for it comes from the rule that a receiver honors a RST only if its sequence number falls inside the receiver's current receive window. A sniffed segment tells us the sender's ACK (that is, the sender's rcv_nxt at the moment of capture) and its advertised window, but a fast TCP connection will move way past that ACK very quickly, and a RST replayed with it will be _behind_ the moving window and thus ineffective. So severity N sends N RSTs back to the sender of the sniffed segment, stepping the sequence number forward by one advertised window each time: the sniffed ACK itself, then ACK + win, ACK + 2*win, and so on. Moving the SEQ by one window is a safe bet for a slow connection, so long as a few more packets are expected to be exchanged: each ACK-ed packet advances the receiver's window a bit, which makes the captured ACK stale, but ACK + win still lands inside the window as long as the receiver has advanced by less than one window since the capture. Severity 3 and above hedge for the possibility that the window has already slid further than that, i.e., moved by several window sizes by the time our crafted RST packet is made, emitted, and reaches the target.
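The severity heuristic is easier to believe once you see the window arithmetic, so here is an added example (not tcpkill's own code, and not from the lecture page) that models it: the RFC 793 in-window test done modulo 2^32, the list of sequence numbers tcpkill tries for a given severity (my reading of the loop in tcpkill.c), and a function that finds the smallest severity that still lands a RST when the victim has moved `drift` bytes past the sniffed ACK. All numbers are constructed and nothing is sent.

```python
SEQ_MOD = 1 << 32   # TCP sequence numbers wrap modulo 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a segment carrying no data: it is
    in-window iff rcv_nxt <= seq < rcv_nxt + rcv_wnd.  Doing the subtraction
    modulo 2^32 makes the comparison correct across sequence wraparound."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def tcpkill_rst_seqs(sniffed_ack, sniffed_win, severity):
    """Sequence numbers of the RSTs tcpkill fires back at the sender of one
    sniffed segment (my reading of tcpkill.c): the sniffed ACK, which is that
    sender's own rcv_nxt at capture time, then one advertised window further
    for each additional unit of severity."""
    return [(sniffed_ack + i * sniffed_win) % SEQ_MOD for i in range(severity)]


def rst_lands(sniffed_ack, sniffed_win, severity, drift, rcv_wnd=None):
    """Does at least one RST land, given that the victim's rcv_nxt advanced by
    `drift` bytes between our capture and our RST arriving?  rcv_wnd defaults
    to the window the victim advertised in the sniffed segment.  Assumption
    carried over from tcpkill: it uses the raw 16-bit th_win, so with window
    scaling the true window is larger and the steps are merely denser."""
    if rcv_wnd is None:
        rcv_wnd = sniffed_win
    rcv_nxt = (sniffed_ack + drift) % SEQ_MOD
    return any(in_window(seq, rcv_nxt, rcv_wnd)
               for seq in tcpkill_rst_seqs(sniffed_ack, sniffed_win, severity))


def min_severity(sniffed_win, drift, sniffed_ack=1000, max_severity=9):
    """Smallest tcpkill severity (-1 .. -9) that still lands a RST for this
    much drift, or None if even -9 cannot reach: the connection outran us."""
    for severity in range(1, max_severity + 1):
        if rst_lands(sniffed_ack, sniffed_win, severity, drift):
            return severity
    return None


if __name__ == "__main__":
    win = 8192   # constructed advertised window
    print("seqs at severity 3:", tcpkill_rst_seqs(1000, win, 3))
    for drift in (0, 1, win, 20000, 60000, 100000):
        print("drift %6d bytes -> min severity %s" % (drift, min_severity(win, drift)))
    # Near the top of sequence space the arithmetic must wrap, not overflow.
    print("wraparound case ->", min_severity(win, 500, sniffed_ack=SEQ_MOD - 100))
```

Two things the table makes visible: a single byte of drift already defeats severity 1 (the captured ACK is now stale, and ACK + win is the first candidate that is in-window), which is why the notes say one window ahead is the minimum bet; and a connection that moves more than nine windows before our RST arrives cannot be killed from one captured segment at all, though tcpkill gets another chance on every segment it sniffs, so in practice a busy connection hands it many tries.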