Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Sniff all ICMP packets.
  • Spoof an ICMP packet
  • Sniffing and-then spoofing
  1. Internet of Things
  2. Scapy

Sniffing and spoofing

All scripts and scenarios assume the use of Linux machines. Some of the attacks is directly transferable to Windows and iOS.

Sniff all ICMP packets.

Obviously, the script is easily modified to sniff different packets. For example, we could filter on port 21 for all FTP traffic with filter='dst port 21'

#!/usr/bin/python3
from scapy.all import *

def print_pkt(pkt):
    pkt.show()
    
pkt = sniff(filter='icmp', prn=print_pkt)

Spoof an ICMP packet

The program first creates an IP packet and sets its destination and source IP address. In this case, destination IP is 10.0.2.5 (the target VM) and source IP is 10.0.2.10 which is an arbitrary IP. From there, an ICMP packet is created, which is encapsulated within the IP packet before the program sends out that packet.

#!/usr/bin/python3
from scapy.all import *

ip_pkt = IP(dst = '10.0.2.5', src = '10.0.2.10')
icmp_pkt = ICMP()
pkt = ip_pkt/icmp_pkt
send(pkt, verbose = 0)

Sniffing and-then spoofing

We can also combine the above to sniff for and respond to all ICMP request packets regardless of the intended receiver.

The function icmp response(pkt) checks if an ICMP packet is in pkt and if that ICMP packet is of type 8, that is a request. If this is the case we craft an IP packet with the source IP as the destination IP of the capture ICMP request. Also, the destination IP is set to be the same as the source IP of the captured ICMP request. Then an ICMP packet of type 0 is created, type 0 is an ICMP reply. Finally, the ICMP packet is added to the IP packet and the response is sent.

#!/usr/bin/python3
from scapy.all import *

def icmp_response(pkt):
    ip_pkt = IP(src=pkt[IP].dst, dst=pkt[IP].src, ihl=pkt[IP].ihl)
    icmp_pkt = ICMP(type=0, id=pkt[ICMP].id, seq=pkt[ICMP].seq)
    data = pkt[RAW].load
    response = ip_pkt/icmp_pkt/data
    send(response)

pkt = sniff(filter = 'icmp and icmp[icmptype]==8', prn=icmp_response)
PreviousScapyNextARP cache Poisoning

Last updated 2 years ago