Packet Spoofing

In this lab, the instructions are described based on the following configuration of IP addresses:

it430a: 192.168.172.4
it430b: 192.168.172.5
it430c: 192.168.172.6

Deliverables: In your VMs, the IP addresses may be slightly different from the above. In your lab report, please give the IP addresses of it430a, it430b and it430c so that I can read your report correctly.

[15pts] Part 1: UDP Socket Spoofing

Refer to the lecture notes on UDP Socket Spoofing. Slightly change the code udp_spoof.py in the lecture notes into p01.py as follows:

Source IP address and/or Source Port has to be about you (e.g., your alpha and/or your name). Explain in your lab report how the information is related to you.

Deliverables:

p01.py
A netcat screenshot showing the nc commands and your spoofing attack.

[40pts] Part 2: Crafting a Normal SYN Packet

Create a python program p02.py that sends a normal SYN packet from VM it430a to VM it430b. Your program should create a SYN packet and send it using a raw socket. This task requires complete understanding of how IP and TCP headers work. In particular,

First, start an nc chet server listening at port 9000 on it430b.
```
$ nc -l 9000
```
On it430a, launch Wireshark.
On it430a, run the program p02.py as follows:
```
$ sudo python3 p02.py
```
Then, from Wireshark, you should see:
- A SYN packet from it430a to it430b (with destination port 9000) that p02.py sent, and then
- The corresponding SYN+ACK packet from it430b in return.
- (Your program can stop here; it doesn't need to finish the 3-way handshake protocol. The goal of this part is not to implement the whole TCP protocol with a raw socket; rather, we want to understand how to craft a SYN packet to be used in a SYN flood attack.)
That is, you should something like the picture below (the port number will be different).
In the above, the IP address for it430a is 192.168.172.4 and the IP address for it430b is 192.168.172.5.

IP header and TCP header

Please inspect the layout of the headers carefully.

Internet Datagram Header

 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |R D M|      Fragment Offset    |
|                               |S F F|                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP header format

 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Requirements

You should only import the following modules. Do NOT import any other module.


import struct
import random
import socket

Tips

You may find this article helpful.

Important: Wireshark will be a critical tool for you. Inspect every piece of the TCP header carefully using Wirshark. In particular, observe a normal TCP connection (try a normal nc chat) and see how a SYN packet looks like.
Refer to the lecture notes on UDP Spoofing to see how to craft an IP header.
For the TCP headers in your SYN packet,
- The source port should be random.
- The sequence number should also be random.
- Only SYN should be set. The other flags should not be set.
- Windows can be any number as long as it's large enough.
- Calculating checksum is a bit complicated. Here's a gift function I give you.
```
def calc_checksum(d):
  total = 0

  for i in range(0, len(d), 2):
      total += d[i]*256 + d[i+1]

  while total > 0xffff: 
      total = (total >> 16) + (total & 0xffff)

  return total ^ 0xffff
```
  In order to put the checksum in the TCP header, you can use the above function as follows:
```
chksum = calc_checksum(srcip + dstip + struct.pack(">BBH", 0, 6, 20) + tcp_header)
```
  - srcip: a bytes object (4-byte IP address for the source IP)
  - dstip: a bytes object (4-byte IP address for the destination IP)
  - struct.pack(">BBH", 0, 6, 20): Just copy and paste this. (If you're curious, 6 means it's a "TCP" packet, and 20 means the TCP packet will be 20 bytes in total).
  - tcp_header: a bytes object. It's the TCP header right before the checksum field. So, it should be 16 bytes long at this moment.
  - chksum will be an integer. Pack it into a bytes object.
A SYN packet should not have any TCP payload.

Common mistakes

If your code doesn't work, please double check the following.

Check if you copy and paste the function calc_checksum correctly.
Check if you give the correct address in the function raw_socket.sendto.
Check if you give the correct value for each field.

Deliverables

p02.py
(In the lab report) Explain how code works and justify in words that your code works correctly. Add screenshots showing that your code works correctly.

[15pts] Part 3: Crafting a SYN Packet with a Spoofed IP address

Warning

Do not flood SYN packets attack on the yard.

We will craft only one packet, and the spoofed IP address is a VM address (i.e., it423c). Again, we don't flood lots of SYN packets with a random IP address.
If you actually launch a SYN flood attack (with legitimate random IP address), the network sensors on the yard will likely detect your play and report it to ITSD saying that your machine is infectd, the aftermath of which could be painful for you.

Create a python program p03.py that sends a SYN packet from VM it430a to VM it430b. However, in this part, the source IP address should contain not the IP address of it430a but the IP address of it430c.

Activity 1

Turn on it430c.
Start an nc chet server listening at port 9000 on it430b.
```
$ nc -l 9000
```
On it430b (note it's not it430a this time), launch Wireshark.
On it430a, run the program p03.py as follows:
```
$ sudo python3 p03.py
```
Then, from Wireshark (again not on it430a but on it430b), you should see:
- A SYN packet from it430c to it430b (with destination port 9000) that p03.py sent on it430a, and then
- The corresponding SYN+ACK packet from it430b to it430c!
- You will see it430c sends RESET packet.
That is, you should something like the picture below (the port number will be different).
In the above, the IP address for it430a is 192.168.172.4 and the IP address for it430b is 192.168.172.5, and the IP address for it430c is 192.168.172.6. Note:
- The first packet was sent from it430a (i.e., from p03.py).
- The second packet was sent from it430b to it430c.
- The third packet was sent from it430c.

Activity 2

Pause VM it430c (from menu: Machine → Pause) and run p03.py again.
Then, from Wireshark (again not on it430a but on it430b), you should see:
- A SYN packet from it430c to it430b (with destination port 9000) that p03.py sent on it430a, and then
- The corresponding SYN+ACK packet from it430b to it430c!
- No RESET packet from it430c (it's paused!)
- Some more SYN+ACK packets retried by it430b.
That is, you should something like the picture below (the port number will be different).
Note:
- The first packet was sent from it430a (i.e., from p03.py).
- The other packets were sent from it430b to it430c.
In particular, you will see that netstat report that the connection is half-open (i.e., SYN_RECV state):
```
$ netstat -n | grep 9000
tcp        0      0 192.168.172.5:9000      192.168.172.6:45296     SYN_RECV
```

Conceptually, if you change p03.py to send a bunch of SYN packets with a random source IP address, that's a SYN flood attack. (Again, don't actually do this).

Deliverables:

p03.py
(In the lab report) Walk through the activities with screenshots (the Wireshark results and the netstat result). Explain what happened in your words.

[20pts] Part 4: Reading Assignment

Click here to download chapter 2 of the following book:
```
Security Engineering, 3rd ed. by Ross Anderson
```
Read the following:

2.4 Geeks - 2.6 Summary
(Eventually, we will finish reading the whole chapter. Expect further reading assignments in later labs.)
In the lab report, give a brief summary of what you read.
- Length of summary: about one page.
- The quality of writing will matter.

[10pts] Lab Report and Submission

Write a lab report by using the provided template (check the lab ground rules). The writing quality of the lab report matters.

~/bin/submit -c=IT430 -p=lab06 *.py lab06.docx