I have a question for the Low-level networking/Linux gurus,

I have to build two tools for a security project at my university. The first tool is an ARP Poisonning attacker which will poison the ARP cache from a remote host in order to retrieve the data he is sending to another host. I wrote this tool in C using RAW sockets and it works perfectly, i am able to intercept the data transmitted from a host A to a host B and from the host B back to the host A.

The problem comes when writing the second tool which is a sniffer whose purpose is to read/edit/drop packets coming from host A or host B. I imagined a system where when I spot a packet coming from one of those hosts, my program will ask me if I want to let this packet pass, if I want to modify it or if I simply want to drop it. I activated the IP forwarding in linux using

sysctl -w net.ipv4.ip_forward=1

and i am able to read all the data travelling between the two hosts. But i don't know how to edit/drop those packets since it is the role of linux's network stack to manage the input and the output of the packets coming from my network interface. I'm acting only as a passive attacker if you want.

My first idea was to disable the ip forwarding and manage the routing of the packets myself. But when I disable the ip forwarding, I am simply not able to get any data coming from A or B, this is because the linux's network stack drops automatically the packets in kernel mode which IP address is not destined to my computer.

I tried then to activate the promiscuous mode, but this was unecessary since this mode only operates on the physical layer (sees if the target MAC address in the Ethernet received packet matches the MAC address on the local interface). So basically, promiscuous mode helps us to avoid the physical filter of the linux's stack but not the logical one (the target IP address in the packet I am receiving is B's IP address and not mine, so linux's network stack simply drops the packet).

So my question is, how can I manage to edit the packets I am receiving and send them back or simply dropping them if I want to. I know this is a tricky question, I have made some research to find the solution on my own but I didn't find a satisfying answer.

I know there is a solution with iptables, we can ask him to let pass some packets from a certain IP address, but I don't want a solution involving a third-party tool, I want to encapsulate everything in my program.

For information, the development environment is Linux/Ubuntu Kernel 3.0.0-16, and everything is made using the C language.

I figured out why I wasn't receiving any packets when i disabled ip_forwarding. I ran many tests after posting my question here and I realized that when ip_forwarding was disabled, the remote host was sending me very strange TCP packets about every ~10 secs.

In fact, those TCP packets were flagged by wireshark as "TCP retransmission" packets, this is because the remote host was sending me an initial TCP packet and i didn't re-route it to the proper gateway so he didn't get any response.

The default behavior in this case for the remote host was to resend this packet at different time interval, this is actually the normal way a TCP stack should behave. But what I didn't know is that until the remote host doesn't get a response to his initial TCP packet, he will not send any others (for the same application only). So when i was hitting "F5" in the remote host's browser I thought he would generate TCP traffic although he will not get any response and I wasn't aware of this particular behavior of the TCP stack so I simply thought I wasn't getting any answer. The other host (the gateway) was acting exactly the same way, so I can tell that I was wrong thinking Linux's stack was blocking the remote host packets.

What I have to do now is simply re-route properly to the gateway the data I want to let pass and ignore the others. Thank you for your help, hope this might help someone someday.

It sounds like you will need to write your own Netfilter module, which will either handle the behavior you want in kernel or pass it to user space for processing.

For further information on this topic see the following resources:

• Netfilter Hook: Basic Packet Filtering in Kernel
• Linux netfilter Hacking HOWTO
• Creating a simple ‘hello world’ Netfilter module
• Writing Netfilter modules , code here
• Writing a module for netfilter

Are you using libpcap at all? From your question it doesn't sound like you are, which is interesting, since its the best well known and used library for anything related to what you are doing? Are you not using it because its part of the conditions of the assignment to not use it?

If you can use it, I would go with it and check the project ettercap, which has support to rewrite live packets.

http://ettercap.sourceforge.net/

EDIT: Checkout the filter module of ettercap in

https://github.com/drizztbsd/ettercap/blob/master/src/ec_filter.c

particularly look at func_inject