Is it possible to capture localhost packets (127.0.0.1 as destination) in NDIS layer?

I am developing an NDIS 6 filter driver for Win7 and Win8 for WinPcap and Nmap. As you know, Nmap is a network scanner. A requirement of Nmap is to capture localhost packets like "ping 127.0.0.1", so that Nmap can test the local machine itself, too. However, it seems that the localhost packets just loop back inside the TCP/IP stack and never come down to the NDIS layer. Is there any way to resolve this issue? Like adding a loopback adapter or what? Thanks.

You'll need a WFP callout to capture layer-3 loopback packets. TCPIP has a fast-path for loopback that never reaches layer-2 in NDIS.

You can capture localhost (127.0.0.1) traffic in Windows by using raw sockets. There is a great tool called RawCap that sniffs localhost and saves the captured packets in the PCAP format.
http://www.netresec.com/?page=RawCap
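Added example (not from the question or either answer): the raw-socket approach in Python. `parse_ipv4`, the `pcap_*` writers and the constructed `SAMPLE_PACKET` run on any platform; `capture_loopback` uses the Windows-only SIO_RCVALL ioctl on a raw socket bound to 127.0.0.1, which is the standard way to do promiscuous raw-socket capture on Windows and needs administrator rights. Function names, the sample packet and the output file name are assumptions of this example.

```python
import socket
import struct
import sys
import time

LINKTYPE_RAW = 101  # pcap link type for packets that start at the IPv4 header (no Ethernet header)


def pcap_global_header(linktype=LINKTYPE_RAW):
    # Classic libpcap file header: magic, version 2.4, timezone 0, sigfigs 0, snaplen, link type
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(packet, ts=None):
    # One pcap record: seconds, microseconds, captured length, original length, then the bytes
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(packet), len(packet)) + packet


def ipv4_checksum(header):
    # RFC 1071 one's-complement sum over 16-bit words; a header with a valid checksum yields 0
    total = 0
    for i in range(0, len(header), 2):
        total += header[i] << 8 | (header[i + 1] if i + 1 < len(header) else 0)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    # Decode the fixed IPv4 header plus the L4 ports for TCP/UDP: enough to triage a loopback capture
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    vihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ttl": ttl, "total_len": total_len,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }
    if proto in (6, 17) and len(info["payload"]) >= 4:  # TCP or UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", info["payload"][:4])
    return info


def is_loopback(info):
    return info["src"].startswith("127.") or info["dst"].startswith("127.")


def build_ipv4_udp(src, dst, sport, dport, payload):
    # Constructed test packet: IPv4 + UDP with a zero (absent) UDP checksum, which IPv4 permits
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 128, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


# Constructed sample (not a real capture): a UDP datagram from 127.0.0.1 to 127.0.0.1, port 53
SAMPLE_PACKET = build_ipv4_udp("127.0.0.1", "127.0.0.1", 51000, 53, b"\x00" * 12)


def capture_loopback(count=20, out_path="loopback.pcap"):
    # Windows only (administrator rights required): a raw IP socket bound to the loopback address
    # and switched to SIO_RCVALL receives every IP packet the stack delivers there, including the
    # loopback traffic that never reaches an NDIS filter driver.
    if sys.platform != "win32":
        raise RuntimeError("SIO_RCVALL raw-socket capture is only available on Windows")
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    sock.bind(("127.0.0.1", 0))
    sock.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
    seen = []
    try:
        with open(out_path, "wb") as out:
            out.write(pcap_global_header())
            while len(seen) < count:
                packet = sock.recv(65535)
                out.write(pcap_record(packet))
                seen.append(parse_ipv4(packet))
    finally:
        sock.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        sock.close()
    return seen
```

The pcap file written by `capture_loopback` uses link type 101 (raw IPv4), so Wireshark opens it directly; the parsed dictionaries let a script filter on `is_loopback` before anything is written.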

Related

Ettercap - ARP poisoning unsuccessful

Yesterday I successfully performed a MITM attack by ARP poisoning between my router and my Windows 7 computer. I used Ettercap on a Linux machine.
However, today, running the same command does not work anymore. It looks like Ettercap cannot reach my computer, whose IP is 192.168.0.17.
Here is what I got:
We can see that the only host added to the list is the router one (192.168.0.1)... What I don't understand is that it was working a few hours ago.
I also noticed another thing.
Using the command
sudo arpspoof -i wlp20s0 -t 192.168.0.17 192.168.0.1
the ARP poisoning DOES work this time. But now the problem is that it is acting like a DDoS on my victim... It completely loses its internet connection.
And before it was not; it was working as expected.
So I guess something has changed on my victim computer but I cannot figure out what.
Thank you.
IP forwarding is the ability for an operating system to accept incoming network packets on one interface, recognize that it is not meant for the system itself, but that it should be passed on to another network, and then forwards it accordingly.
From https://openvpn.net/faq/what-is-and-how-do-i-enable-ip-forwarding-on-linux/
When you perform a MITM, packets that don't match your IP are sent to you and are not passed on correctly so that the victim can reach out to the internet. With IP forwarding enabled, your computer will reroute the packets correctly and the attacked computer will have access to the internet.
On Linux, if I remember correctly:
echo 1 > /proc/sys/net/ipv4/ip_forward
will do the job.
ARP replies are stored in the cache, so first of all do some tricks here:
Remove the ARP cache from Windows with cmd.
(Because the first priority is the cache, and if the host can't find the MAC address it will generate an ARP request, then your router will reply with an ARP reply.)
Issue this command to see the ARP table:
arp -a
When you do MITM with ARP spoofing and your computer loses internet connectivity, it might be your DNS misconfiguration.
You'll need to enable a DNS server.
(If you want to browse web pages.)
Try to do it with Ettercap and enable the ARP poison and DNS spoof modules.

ARM mbed CoAP example not opening port

I have successfully built the CoAP protocol example for ARM mbed (https://developer.mbed.org/teams/sandbox/code/coap-example/file/0681e205d0e9/) on a K64F board. It is used as it comes out of the box, except for the server name (coap.me) being changed to an internal IP address.
I see that it runs correctly and connects to the network:
[EasyConnect] Using Ethernet
[EasyConnect] Connected to Network successfully
[EasyConnect] IP address 192.168.1.15
[EasyConnect] MAC address 0e:43:54:d9:7c:71
Connected to the network. Opening a socket...
Calculated message length: 11 bytes
Starting server
Sent 11 bytes to coap://192.168.1.10:5683
I have set up a computer that can connect to it. It can ping the board correctly and I see that ARP is negotiating with the correct MAC address.
I have launched an Nmap test and I see that the port is closed:
PORT STATE SERVICE
5683/udp closed unknown
If I set a CoAP client in the computer (Copper) I see no connection in the terminal.
What am I missing?
Moving this to the answer section as well, in case someone else runs into this problem.
If you want to use an mbed OS 5 device as a UDP server, make sure to call .bind() on the socket.
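Added example, not code from the mbed project or the answer: a Python model of the symptom and the fix. `listening_port` shows that a UDP socket that never calls bind() has no local port, so nothing can be delivered to it and a scanner reports the port closed; `coap_roundtrip` sends a CoAP GET to a bound socket on the same host and decodes what arrives; `build_coap_get` and `parse_coap` encode and decode the CoAP header and Uri-Path options as laid out in RFC 7252. All function names, the message ID, token and path are assumptions of this example.

```python
import socket
import struct

COAP_PORT = 5683
OPT_URI_PATH = 11
CODE_GET = 0x01          # CoAP code 0.01 = GET


def _nibble(n):
    # Option delta/length encoding (RFC 7252 section 3.1): 0-12 inline, 13/14 add 1 or 2 extension bytes
    if n < 13:
        return n, b""
    if n < 269:
        return 13, bytes([n - 13])
    return 14, struct.pack("!H", n - 269)


def _ext(n, data, pos):
    if n == 13:
        return 13 + data[pos], pos + 1
    if n == 14:
        return 269 + struct.unpack("!H", data[pos:pos + 2])[0], pos + 2
    if n == 15:
        raise ValueError("reserved option nibble 15 outside a payload marker")
    return n, pos


def build_coap_get(message_id, uri_path, token=b"", confirmable=True):
    # 4-byte header: Ver=1, T (0=CON, 1=NON), TKL, Code, Message ID; then the token and one
    # Uri-Path option per path segment
    if len(token) > 8:
        raise ValueError("token longer than 8 bytes")
    msg_type = 0 if confirmable else 1
    out = struct.pack("!BBH", (1 << 6) | (msg_type << 4) | len(token), CODE_GET, message_id) + token
    previous = 0
    for segment in uri_path:
        d, dext = _nibble(OPT_URI_PATH - previous)
        value = segment.encode()
        l, lext = _nibble(len(value))
        out += bytes([(d << 4) | l]) + dext + lext + value
        previous = OPT_URI_PATH
    return out


def parse_coap(data):
    if len(data) < 4:
        raise ValueError("shorter than a CoAP header")
    b0, code, message_id = struct.unpack("!BBH", data[:4])
    version, msg_type, tkl = b0 >> 6, (b0 >> 4) & 3, b0 & 0x0F
    if version != 1 or tkl > 8:
        raise ValueError("bad version or token length")
    pos, number, options = 4 + tkl, 0, []
    while pos < len(data) and data[pos] != 0xFF:
        delta, length = data[pos] >> 4, data[pos] & 0x0F
        pos += 1
        delta, pos = _ext(delta, data, pos)
        length, pos = _ext(length, data, pos)
        number += delta                       # option numbers are sent as deltas from the previous one
        options.append((number, data[pos:pos + length]))
        pos += length
    payload = data[pos + 1:] if pos < len(data) else b""   # 0xFF marker precedes any payload
    return {"type": msg_type, "code": code, "message_id": message_id, "token": data[4:4 + tkl],
            "options": options, "payload": payload,
            "uri_path": [v.decode() for n, v in options if n == OPT_URI_PATH]}


def listening_port(do_bind):
    # Without bind() a UDP socket has no local port: nothing can be delivered to it and a port scan
    # reports the port closed, which is the symptom of a server that forgot to bind
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if do_bind:
            sock.bind(("127.0.0.1", 0))   # 0 = any free port; a real CoAP server binds COAP_PORT
        return sock.getsockname()[1]
    except OSError:                       # some platforms refuse getsockname() on an unbound socket
        return 0
    finally:
        sock.close()


def coap_roundtrip(uri_path=("test",)):
    # A bound server socket plus a client on the same host: the GET arrives and decodes
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2.0)
        client.sendto(build_coap_get(0x1234, uri_path, token=b"\xab\xcd"), server.getsockname())
        data, _peer = server.recvfrom(1500)
        return parse_coap(data)
    finally:
        client.close()
        server.close()
```

A GET for `/test` with a two-byte token comes out at 11 bytes; the parser handles the extended option delta and length forms as well, so longer path segments decode correctly.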

At which layer of OSI model an ARP request is made by host computer?

In order to get the MAC address of the destination computer, the host computer sends an ARP request. At which layer is the ARP request made?
It's the link layer, as described in the ARP article on Wikipedia. It's really helpful to see the packet structure for yourself, so I encourage you to install Wireshark on your PC, start sniffing the network and ping a non-existent IP address in your subnet. Filtering by "arp" will show you something like this:
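Added example, not from this answer or the earlier Ettercap thread: building and decoding an ARP request and reply in Python to show that the frame really is link-layer (Ethernet header, EtherType 0x0806, no IP header anywhere), plus a defender's check over a list of frames that flags an IP claimed by more than one MAC, the condition the ARP-cache discussion in the Ettercap thread turns on. The MACs and addresses are constructed values, not captured data, and the function names are my own.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    # Ethernet II header (dst, src, EtherType 0x0806) directly followed by the 28-byte ARP body.
    # There is no IPv4 header in the frame at all: ARP is carried by the link layer, not by IP.
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    ethernet = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op,
                      mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    return ethernet + arp


def parse_arp(frame):
    if len(frame) < 42:
        raise ValueError("frame shorter than Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"op": op, "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src),
            "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


def find_conflicting_claims(frames):
    # Defender's check over captured ARP frames: ARP carries no authentication, so a cache entry is
    # whatever the last reply said. An IP announced by more than one MAC is the classic spoofing sign.
    claims = {}
    for frame in frames:
        info = parse_arp(frame)
        if info["op"] in (ARP_REQUEST, ARP_REPLY):
            claims.setdefault(info["sender_ip"], set()).add(info["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample frames (not a real capture): a request for the gateway, the gateway's reply,
# and a second reply claiming the gateway's IP from a different MAC
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "02:00:00:00:00:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(ARP_REPLY, "02:00:00:00:00:01", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"),
    build_arp(ARP_REPLY, "02:00:00:00:00:99", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"),
]
```

Bytes 12 and 13 of the request are `08 06`, and the 28-byte ARP body follows immediately, which is what the Wireshark `arp` filter matches on; the same parser fed with frames from a capture gives `find_conflicting_claims` something to work on.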

bacnet_scan.py running on one VM not detecting device on another in the same NAT Network

I have two virtual machines running on the same host and they are both in the same NAT Network. I started a fake bacnet device on one VM (say VM1) using the utility script volttron/scripts/scalability-testing/virtual-drivers/bacnet.py.
The device started up fine. Now from another VM (say VM2) on the same host and same NAT Network I ran the scan_bacnet.py but my fake device on VM1 is not getting listed.
I verified that the IP address in the BACpypes.ini file has the correct address of the host running the scan_bacnet.py script. I also changed the address in BACpypes.ini to include the subnet mask (10.0.2.15/24), still no luck.
Below is the content of my BACpypes.ini file on VM2
[BACpypes]
objectName: Betelgeuse
address: 10.0.2.15/24
objectIdentifier: 599
maxApduLengthAccepted: 1024
segmentationSupported: segmentedBoth
vendorIdentifier: 15
This is the command I ran in VM1 to start the fake bacnet device
python bacnet.py bacnet_registry.csv 10.0.2.5
I am able to ping from one VM to another and running a tcpdump on the source VM shows that the scan_bacnet.py is sending the whois request to the other VM. Running tcpdump on the destination VM shows that the machine is receiving the whois request yet the fake bacnet device isn't receiving the whois request.
What am I doing wrong?
You need to include the subnet mask in the virtual device command line:
python bacnet.py bacnet_registry.csv 10.0.2.5/24
Also you should check the firewall setting on both VMs. CentOS, for instance, defaults to blocking all incoming traffic. (You will still see it in the output tcpdump.) For BACnet you need to open udp port 47808 for all traffic (broadcast and direct).
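Added example (not part of the question, the answer or the BACpypes project): why the prefix length matters and what the scan's Who-Is looks like on the wire, in Python. `broadcast_address` derives the subnet broadcast from a CIDR address and rejects a bare host address; `build_whois` and `parse_bacnet_ip` encode and decode a BACnet/IP Who-Is (BVLC, NPDU, APDU layers); `open_bacnet_listener` binds UDP 47808 with broadcast reception enabled. Function names are my own; the byte layout follows the BACnet/IP standard (Annex J).

```python
import ipaddress
import socket
import struct

BACNET_PORT = 47808          # 0xBAC0, the default BACnet/IP UDP port
BVLC_TYPE = 0x81             # BACnet/IP (Annex J) virtual link control
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
WHO_IS = 8                   # unconfirmed service choice for Who-Is


def broadcast_address(address):
    # The device derives the subnet broadcast address it must listen on from the prefix length;
    # "10.0.2.5" alone gives it no subnet, "10.0.2.5/24" gives 10.0.2.255
    if "/" not in address:
        raise ValueError(f"{address!r} has no prefix length; use e.g. {address}/24")
    return str(ipaddress.ip_interface(address).network.broadcast_address)


def _context_unsigned(tag, value):
    # BACnet context-tagged unsigned integer: tag byte (tag number, class bit, length) + big-endian value
    data = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return bytes([(tag << 4) | 0x08 | len(data)]) + data


def build_whois(low=None, high=None):
    # Who-Is as sent on the wire: BVLC Original-Broadcast-NPDU, an NPDU addressed to the global
    # network 0xFFFF, then an Unconfirmed-Request APDU (type 1) with service choice 8
    apdu = bytes([0x10, WHO_IS])
    if low is not None and high is not None:
        apdu += _context_unsigned(0, low) + _context_unsigned(1, high)
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])  # version, control (dest present), DNET, DLEN, hop count
    body = npdu + apdu
    return struct.pack("!BBH", BVLC_TYPE, BVLC_ORIGINAL_BROADCAST, 4 + len(body)) + body


def parse_bacnet_ip(datagram):
    # Minimal decoder: checks the BVLC envelope, skips NPDU addressing, reports APDU type and service
    if len(datagram) < 4 or datagram[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP datagram")
    function, length = datagram[1], struct.unpack("!H", datagram[2:4])[0]
    if length != len(datagram):
        raise ValueError("BVLC length does not match datagram size")
    control = datagram[5]
    pos = 6
    if control & 0x20:                       # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + datagram[pos + 2]
    if control & 0x08:                       # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + datagram[pos + 2]
    if control & 0x20:
        pos += 1                             # hop count follows the source specifier
    apdu = datagram[pos:]
    return {
        "bvlc_function": function,
        "broadcast": function == BVLC_ORIGINAL_BROADCAST,
        "npdu_version": datagram[4],
        "apdu_type": apdu[0] >> 4,
        "service": apdu[1] if len(apdu) > 1 else None,
    }


def open_bacnet_listener(bind_address="0.0.0.0", port=BACNET_PORT):
    # A device must receive both the directed and the broadcast Who-Is on UDP 47808, so the socket
    # (and the host firewall in front of it) has to admit broadcast traffic on that port
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind((bind_address, port))
    return sock
```

Running `broadcast_address("10.0.2.5")` fails in the same way the device fails without the mask: there is no subnet to compute a broadcast address from, so the device never listens for the Who-Is that tcpdump shows arriving at the host.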

How to get a TCP/IP packet over a serial connection (Bluetooth)

I'm developing a TCP/IP stack that will run on another device connected by Bluetooth.
But I want to test against a working stack. My testing scenario would be:
MY DEVICE TCP/IP STACK --------------BLUETOOTH ----------------- WINDOWS/MAC TCP/IP Stack.
Does anyone have any idea how I could write IP packets over a Bluetooth connection on Linux, Windows or Mac?
One way is to establish a PPP connection between the device and the PC over Bluetooth first. For this you will need support for PPP on the device side. Once you are able to dial up and establish a PPP connection, TCP/IP can be run over PPP.
These links may be useful (although they are specific to linux):
http://www.daybefore.net/bluetooth_ppp.html
http://www.rpgameplace.de/blog/index.php?/archives/19-Networking-over-Bluetooth-using-BlueZPPP.html
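Added example, not from the answer or the linked pages: the PPP framing that carries an IP packet over a serial link, in Python. `ppp_frame` wraps a packet in the RFC 1662 HDLC-like framing (address and control bytes, protocol 0x0021 for IPv4, FCS-16, byte stuffing) and `ppp_unframe` recovers packets from a byte stream and discards frames with a bad FCS, which is the kind of harness a stack developer could point at a Bluetooth serial port. Address/control and protocol field compression are not handled; the names and the sample packet are assumptions of this example.

```python
import struct

PPP_FLAG, PPP_ESC, PPP_ADDR, PPP_CTRL = 0x7E, 0x7D, 0xFF, 0x03
PPP_PROTO_IPV4 = 0x0021
PPP_INIT_FCS = 0xFFFF
PPP_GOOD_FCS = 0xF0B8     # FCS-16 over (payload || FCS) of an intact frame (RFC 1662)


def _fcs_table():
    # Reflected CRC-16 with polynomial 0x8408, the FCS-16 of RFC 1662
    table = []
    for byte in range(256):
        value = byte
        for _ in range(8):
            value = (value >> 1) ^ 0x8408 if value & 1 else value >> 1
        table.append(value)
    return table


FCS_TABLE = _fcs_table()


def fcs16(data, fcs=PPP_INIT_FCS):
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def ppp_frame(packet, protocol=PPP_PROTO_IPV4):
    # HDLC-like framing: Address 0xFF, Control 0x03, 16-bit protocol, the IP packet, FCS-16 (LSB
    # first), all wrapped in 0x7E flags. Flag, escape and control characters are byte-stuffed with
    # 0x7D and XOR 0x20 so the serial link never sees a bare flag inside a frame.
    body = bytes([PPP_ADDR, PPP_CTRL]) + struct.pack("!H", protocol) + packet
    body += struct.pack("<H", fcs16(body) ^ 0xFFFF)
    out = bytearray([PPP_FLAG])
    for byte in body:
        if byte in (PPP_FLAG, PPP_ESC) or byte < 0x20:   # default ACCM escapes all control chars
            out += bytes([PPP_ESC, byte ^ 0x20])
        else:
            out.append(byte)
    out.append(PPP_FLAG)
    return bytes(out)


def _finish(buf):
    # Returns (protocol, packet) for an intact frame, or None when the FCS or header is wrong
    if len(buf) < 6 or fcs16(bytes(buf)) != PPP_GOOD_FCS:
        return None
    if buf[0] != PPP_ADDR or buf[1] != PPP_CTRL:        # address/control compression not handled
        return None
    return struct.unpack("!H", buf[2:4])[0], bytes(buf[4:-2])


def ppp_unframe(stream):
    # Splits a serial byte stream into frames, undoes byte stuffing, drops frames with a bad FCS
    frames, buf, escaping = [], bytearray(), False
    for byte in stream:
        if byte == PPP_FLAG:
            if buf:
                result = _finish(buf)
                if result is not None:
                    frames.append(result)
            buf, escaping = bytearray(), False
        elif byte == PPP_ESC:
            escaping = True
        elif escaping:
            buf.append(byte ^ 0x20)
            escaping = False
        else:
            buf.append(byte)
    return frames


# Constructed sample (not a real packet): an IPv4 header with the checksum left zero, followed by
# trailing bytes that collide with the PPP flag, escape and control-character values
SAMPLE_IPV4 = bytes.fromhex("4500001c00010000400100007f0000017f000001") + b"\x7e\x7d\x03\x1f"
```

Feeding `ppp_unframe` the bytes read from the serial port (or from a PPP capture) yields `(protocol, packet)` pairs; a packet with protocol 0x0021 is a complete IPv4 datagram ready to hand to the stack under test, and a single flipped bit on the link makes the FCS check drop the frame rather than deliver it.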
