How to "manually" forward IP traffic in local network - sockets

Im a student and as a hobby I am writing a program that is supposed to perform a man in the middle attack with ARP spoofing, and then manipulate the traffic before sending it on to the victim. For this I need to examine the packets, manipulate them and forward them to my victim.
Note: This is strictly a hobby project and the network is my own local network at home. Its just some generic AT&T homeportal and a bunch of machines connected via wireless.
I know that when I enable IP forwarding on my machine, it does the following to packets that are to be forwarded:
Put my MAC as SRC in the ethernet header
Put forwarding target's MAC as DST in ethernet header
Decrement TTL
Recalculate IP Header checksum
Send the packet
Since I want to manipulate the traffic before sending it on, I am trying to write a program that does the manipulation and then the forwarding manually so to speak. What I tried to do:
See if packet is for my victim
If so, manipulate it how I want
Put my homeportals MAC address as SRC in the eth header
Put my victims MAC as DST in eth header
Send the packet
My train of thought was that when looking at the packets it would be indistinguishable from "normal" traffic. If I decrement the TTL and recalc. the checksum and put in my machines MAC as SRC, its kinda easy to notice whats going on if you look at the packets.
However, my method does not work. As in, if I put the homeportals MAC as SRC on the ethernet header, for some reason none of the webpages load on machine A.
If I put in my machines mac address, the webpages load although slowly and wireshark shows me a lot of TCP retransmissions coming from the webpages server, I am guessing this is because my program is forwarding the packet too slowly to machine A and so A can't respond in time?
So anyway, thats pretty much my question: Why can't I pretend to be the homeportal? As in put its MAC address in the ethernet header of the packets I forward to A. Also, what else could cause all the retranmissions from the webpage servers when I use my machines MAC address? English isn't my first language so I hope this is not too vague.

Related

Is there an ethernet link layer protocol to get remote IPv4 settings?

Given one or more embedded devices of the same type with some unknown IPv4 addresses or maybe no IPv4 addresses set at all: is there any Ethernet based network protocol to ”find“ those devices in the local net (LAN) from remote (PC) and get their IPv4 settings?
What not works for me:
ARP: IP address must be known or only finds device I communicated with before (or ugly ARP floods …)
LLDP: point to point only (?), so I would only see the switch between device and me. Also, just announces, no response on request (because there are no requests). Further: asking the switch (which supports LLDP) through SNMP is no option when using dumb switches
IP based protocols: I played with UDP and broadcasts (both as request and response), but that does not work reliably if device and me are on different subnets, and it does not work at all if device has no IPv4 set.
DHCP: does not work in networks without DHCP server, maybe no DHCP client on the embedded device
I assume others had the same problem before, take manufactures of network equipment like access points which should be configured remotely, powerline adapters, switches … all those where the vendor gives you some proprietary tool, the device shows up like magic in a list and you can assign some IPv4 then.
Of course the device must have some daemon listening and responding to certain requests, but what would be a standard protocol for such a task? Or do I have to make up some new protocol for that? May some of the above mentioned is possible, but I overlooked something?
Ethernet only provides a layer 2 connection, so anything Ethernet-based can't ever work across a router (ARP, LLDP - LLDP doesn't even cross a decent switch as it's link layer only).
Depending on the network, routed multicasts or directed broadcasts could work - normally they don't. All vendor tools I've seen just use (Ethernet) broadcasts and don't work across routers.
Most often, simple DNS is used for this purpose - the device registers with the DNS server or is preregistered and you just resolve the name.
Edit: without the router problem, the simplest way is to use a UDP broadcast to some unused port. With DHCP unavailable, the device could fall back to zeroconf (169.254.0.0/16) and broadcast from there.
Without IP, you'd need a "raw" Ethernet socket and use an Ethertype that doesn't interfere with normal network operations.

Hoping Routers / Mac Address / ARP

As a packet travels from a source IP to a destination IP, assuming that it makes hops across many different routers, how does each router know the next MAC address in the sequence. It is my understanding that for communication in a local network, a computer gets the destination MAC address using the Address Resolution Protocol. But for the intermediary router hops, how does a frame get the next set of L2 Mac headers without storing (at least briefly) the IP address of the next router? Is this a separate protocol or something? How does it even know which router (and thus IP in order to get next MAC address?) it should jump to next

Emulate Server-Client TCP Communication

I have a device (made in china) that works great but with a very annoying flaw. It's a massage device that will only work if it is connected to the internet at startup. Once it starts, it would work without the internet until it is turned off. So in short, if the internet is down, it will never work or it is impossible to bring this device on an area with no connection.
What I'm planning to do is emulate its server/client communication at start-up by using an old-PC that would run the server emulator software and some DNS re-routing and a WiFi router (using the PC as WAN).
I'll connect the device on the router, and its communication with the Chinese Server is emulated by the PC.
Can anyone give me an idea where to start, tools needed etc? I'm a programmer but new to packet emulation/replay. I've sniffed packets that the device does and its always consistent on every start/restart of the device. Here's the wireshark capture (IMG):
WireShark Packet Capture
You have two tasks, IMHO neither of them requires special tools:
Redirect requests to local address
You need to setup local DNS server and configure it to provide local IP address on hengdetech lookup. I didn't dive into this part, but google has plenty of forums discussing necessary config for different DNS servers.
Device most likely gets DNS server address from DHCP server. So you need to point device to local DNS instead of default one by configure DHCP server (which is run on your router, I suppose).
Once your DHCP configures local DNS and local DNS redirects hedgdete to local IP address, you are free to go to the second part which is
Emulate server behavior
Server must wait for some initial data from client before sending some data back. Such logic doesn't fit well into common "replay packets" tool capabilities, but it's quite easy to implement dumb TCP server with desired functionality on whatever language you like. Open socket, wait for data, send data, not a big deal, isn't it? So I wouldn't bother searching for the right tool, but would creat new instead.
If you need quick proof of concept, that you understand data flow right, before start coding, you may try netcat utility on Unix system for quick server emulation. I did the following once: extracted exchanged payload data from traces and saved as binaries (e.g. file1.bin is sent by server after the first request, file2.bin is sent after the second etc), then used something like this: cat - file1.bin - file2.bin | nc -l -p <local_port> -n. Using cat without dashes results into nc sending all files content to client, once it connects. Dash means "use data from console input rather than file" and they are used only as flow control. cat hangs on the first dash waiting for user input, so pressing ctrl+d proceeds to next file content and sends file1.bin, then hangs on the second dash. So you wait for the first request, press ctrl+d to send file1.bin content, then wait for the second request, press ctrl+d to send file2.bin content and so on.
EDIT
You generally got the idea of extracting data from wireshark traces right, but I want to clarify some subtlenesses.
When you said "saved binaries", did you mean to save individually captured packets as binaries so that netcat could send them to clients as a reply one by one (with the help of dash) ? If so, how do I save captured packets as binaries? Can I just extract them from the wireshark capture files, paste it on a new file and save as binary?
Only payload part of the packet needs to be saved, not the whole packet. TCP header, IP header and so on shouldn't be extracted, only tcp data section should be saved. Check second part of this answer for howto. I suppose, TCP data in your case consists of binary data rather than plain text, so you need to copy it as "raw binary" and use some binary editor allowing to paste "raw binary" into file such as frhed. So yes, you create new file and paste data copied from wireshark into it, so file consists of exactly the same bytes as packet payload.
Another thing to mention, TCP is a stream protocol, one packet doesn't always mean one response message. If you see several TCP packets of maximum size (aka MTU, which is usually 1.5 Kbytes) without PSH flag followed by packet of lesser size with PSH flag, they all contain parts of the single response message, so their payloads should be combined into one "fileX.bin".

Network port reuse

Imagine there's relatively complex network infrastructure, from PC, then intelligent hub, then router, then area network switches, then internet, and then same chain of devices towards the server.
Imagine I make HTTP request from some local PC's IP address and some its local port, to the remote server's port 80 (HTTP). Under normal circumstances communication goes from connection request packet, through acknowledgments and requests, and then finally till the finalization and channel close. All intelligent network devices can see this communication, and act accordingly.
Now imagine the following situation: PC makes request from its IP address and some fixed source port, receives half of data, and then reboots. After reboot it again makes request from same IP address and same source port.
Question - which possible behavior it will cause at network devices involved? How are they going to handle previous session before PC reboots?
This is very open ended question, and I need your view onto the situation. It is caused by me having strange problems with embedded network device, which reuses port numbers after power-cycle. I plan to see what is going on on the network using Wireshark, but need direction where to look at. Thank you.
Edit: I am adding proxy server(s) into the chain (which can work higher level than layer-3).

Coordinating peer-to-peer messages using multicast, how to get receiving IP?

I have been working on a local LAN service which uses a multicast port to coordinate several machines. Each machine listens on the multicast port for instructions, and when a certain instruction is received, will send messages directly to other machines.
In other words the multicast port is used to coordinate peer-to-peer UDP messaging.
In practice this works quite well but there is a lingering issue related to correctly setting up these peer-to-peer transmissions. Basically, each machine needs to announce on the multicast port its own IP address, so that other machines know where to send messages when they wish to start a P2P transmission.
I realize that in general the idea of identifying the local IP is not necessarily sensible, but I don't see any other way-- the local receiving IP must be announced one way or another. At least I am not working on the internet, so in general I won't need to worry about NATs, just need to identify the local LAN IP. (No more than 1 hop for the multicast packets is allowed.)
I wanted to, if possible, determine the IP passively, i.e., without sending any messages.
I have been using code that calls getifaddrs(), which returns a linked list of NICs on the machine, and I scan this list for non-zero IP addresses and choose the first one.
In general this has worked okay, but we have had issues where for example a machine with both a wired and wifi connection are active, it will identify the wrong one, and the only work-around we found was to turn off the wifi.
Now, I imagine that a more reliable solution would be to send a message to the multicast telling other machines to report back with the source address of the message; that might allow to identify which IP is actually visible to the other machines on the net. Alternatively maybe even just looking at the multicast loopback message would work.
What do you think, are there any passive solutions to identify which address to use? If not, what's the best active solution?
I'm using POSIX socket API from C. Must work on Linux, OS X, Windows. (For Windows I have been using GetAdapterAddresses().)
Your question about how to get the address so you can advertise it right is looking at it from the wrong side. It's a losing proposition to try to guess what your address is. Better for the other side to detect it itself.
When a listening machine receives a message, it is probably doing do using recvfrom(2). The fifth argument is a buffer into which the kernel will store the address of the peer, if the underlying protocol offers it. Since you are using IP/UDP, the buffer should get filled in with a sockaddr_in showing the IP address of the sender.
I'd use the address on the interface I use to send the announcement multicast message -- on the wired interface announce the wired address and on the wireless interface announce the wireless address.
When all the receivers live on the wired side, they will never see the message on the wireless network.
When there is a bridge between the wired and the wireless network, add a second step in discovery for round-trip time estimation, and include a unique host ID in the announcement packet, so multiple routes to the same host can be detected and the best one chosen.
Also, it may be a good idea to add a configuration option to limit the service to certain interfaces.