Alright guys. In the previous post, we built a program that allows us to run an ARP spoofing attack, redirecting the flow of packets in the network and places us in the middle of the connection. Meaning, every data sent or revived from our target machine goes through our own computer, allowing us to see all the information, which I think is pretty cool. The only problem is, we don’t know how to read all the information we get flowing through our computer. In order to do this, we’ll need a packet sniffer and that is what we’ll be building in this post.
This will probably be our easiest build.
I’m excited, I don’t know about you but if we’re being honest, I’m sure you can think of a few crazy things you’d want to try after building this tool.
Lets begin!
The defined sniff function, that takes an interface (which is the interface we want to capture data from), the scapy.sniff function, will sniff the data that flows through the interface that we provide as the iface argument. The store=False, is telling the function not to store anything in memory, so it doesn’t overload our computer and we call the process_sniffed_packet for every packet sniffed.
Then I went ahead to defined the function, which will take the packet sniffed and print it out, so we know that everything is working.. Finally, in the main program, I called the sniff function and give it my interface. I used eth0 because it is the interface that’s connected to the internet and the network that I’m targeting, so in your case, it could be wlan0 (wireless adapter for a WiFi network).
I’m going to test this on my computer because, it’s much easier and if it works, it’ll automatically work when I use it as the man in the middle. When I become the man in the middle the ARP spoofer will be the program doing the hard work and will make the data flow through the provided interface, so the sniffer just analyzes and reads the data that flows through the interface. I’ll be using my browser to generate the traffic, I’m just going to load up google page.
The moment I refreshed the google page, it captured everything. Yes, I know this is all nonsense and has no useful information but you’ll see soon how we can dig into these packets and extract useful information from them, such as username and password.
Now, we’ll take a look at filtering and continue to build on our program as we go. The easiest way to filter packets is by using the filter argument in the sniff function, this arguments allow us filter packets using the Berkeley Packet Filters (BPF) syntax, I suggest reading through the different types of syntax that can be used.
Unfortunately, BPF doesn’t allow the filtering of packets sent over HTTP, packets to/from websites. We’re going to have to install a third party module to be able to filter HTTP packets
We’ll be using pip. PIP is the tool used to install third party modules on Python, the module name we’re installing is “scapy_http”.
Make sure you have pip installed, if you don’t, use this command in your terminal “apt install python3-pip”. Don’t forget the sudo command, if you don’t have root privileges.
Here’s how to install scapy_http:
Here’s the documentation of this module, in case you’d like to go through it. According to the documentation, here’s how to import it:
We’re going to modify our print function, to only print out HTTP packets.
If our packet has a layer and the layer is a HTTP Request, print the packet. So instead of our initial print packet statement that prints all the packet, this print statement prints only the packet with HTTP Request packet.
Our result isn’t great but it’s much more readable than the first one. We’re going to have to keep working on our program and extract only the useful parts that we want.
Now, lets start filtering the needed information, such as login and passwords.
This would omit all the other layers (Ethernet, IP, etc), it’ll only print the raw layer where the load field is, which is essentially what we want to print.
If you want to print a different layer, all you have to do is use the packet name and the layer you want between the square brackets and the field you want within the layer. Meaning you can adapt this program to any packet you want to capture.
We still get a lot of useless information, when we know that what we need is just the credentials.
We need to slightly modify our code to print only usernames and passwords. The if statement, searches to see if the string ‘username’ is in the large bundle of other strings and if found, it prints out the username string. So even if a page is loaded, there won’t be any information printed, until a username is entered.
Now we know that usernames aren’t the only names that programmers call this field. It could be email or login, etc. It’ll be very useful to check for a list of names, so if any of the names occur in the bigger string, it’ll be printed out. We’ll create a list of keywords to use in triggering the print statement and create a for loop to iterate through all the elements in the list.
The HTTP layer contains the useful information on the URL, We’ve seen in earlier explanations and image, how to access the layers and the fields. Like I said earlier, this program can be used to filter data from any field.
Our program is all done, very short and straight to the point. I’m going to modify the program to make it compatible with Python3 and clean it up by defining new functions, to make the program reusable and neat.
Here’s the full code:
I’m really sorry for the delay in my posts, my working laptop is down and I’m waiting on the ordered one, so please bare with me for a little while more.
Next up, we’ll be writing a DNS spoofer program.
If you have any comment, feedback or a program you’d like me to build (relating to hacking), just leave a message in the comment section or message me on Telegram and I’ll get back to you.
Until next time, Keep learning. Keep hacking. And don’t forget to breathe!
Phoenix Information Security 