Easy Way to Generate Packets using Scapy

SCAPY STEPS:

1. Now, capture a packet on the port where we want to send our packet from and store it into filename.pcap. Send the file to your desktop using scp

#bash

$tcpdump -i et1_4 -w /mnt/flash/originalpacket.pcap

2. Now, open wireshark and select a packet and go to File > Export selected packet > Give a modifiedpacket.pcap

3. Copy the modifiedpacket.pcap to the switch from where we want to send the packet.

3. In switch (from which we want to send the packet), go to bash and install scapy on the switch from where we want to send

#bash

        $sudo wget scapy.zip

2. Now, run scapy by typing $sudo scapy //now we will get >>>Welcome to scapy

3. If we want to send the packet directly, use

 >>>sendp(rdpcap(“/mnt/flash/modifiedpacket.pcap”),iface=”et1_4”) //this sends the packet on interface et ¼.

Note: The above command can be used to send even many packets. It will send those packets one by one on the given interface. So, essentially, we couldv’e also used

>>>sendp(rdpcap(“/mnt/flash/originalpacket.pcap”),iface=”et1_4”)

(OR)

If we want to modify any fields:

>>>somename=rdpcap(“/mnt/flash/modifiedpacket.pcap”)

>>>somename \\show all the packets in the pcap file

>>>somename[0] \\we choose only the first packet. If we press enter, we will see all the layers in that packet

>>>somename[0][STP] \\we will filter in that packet for only the STP protocol

>>>somename[0][STP].portid = 12345\\we see which fields are there and use that name and then give the value we want. Here, for eg, we want to change the portid field and give it a value of 0X809a

>>>sendp(somename[0],iface=”et1_2”) //sends the selected packet (here, packet 0) on the interface et ½ . We will get a message saying that it has been sent

ARP and types of ARP

INTRODUCTION TO ARP:
* ARP is used to find the MAC address of the device for which we already know the IP address.
* The address resolution protocol (arp) is a protocol used by the IP, specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.
* The protocol operates on the Datalink layer (L2) but carries L3 information (IP addresses)
* There are four types of arp messages that may be sent by the arp protocol. These are identified by four values in the "operation" field of an arp message. The types of message are:
1. ARP request
2. ARP reply
3. RARP request
4. RARP reply
* The format of an arp message is shown below:
*

ARP Cache: * To reduce the number of address resolution requests, a client normally caches resolved addresses for a (short) period of time.
* The arp cache is of a finite size, and would become full of incomplete and obsolete entries for computers that are not in use if it was allowed to grow without check.
* The arp cache is therefore periodically flushed of all entries.
* This deletes unused entries and frees space in the cache.
* It also removes any unsuccessful attempts to contact computers which are not currently running.
* The arp request message ("who is X.X.X.X tell Y.Y.Y.Y", where X.X.X.X and Y.Y.Y.Y are IP addresses) is sent using the Ethernet broadcast address, and an Ethernet protocol type of value 0x806. Since it is broadcast, it is received by all systems in the same collision domain (LAN). This is ensures that is the target of the query is connected to the network, it will receive a copy of the query. Only this system responds. The other systems discard the packet silently.

GRATUITOUS ARP:
* Gratuitous ARP is used when a node (end system) has selected an IP address and then wishes to defend its chosen address on the local area network (i.e. to check no other node is using the same IP address). It can also be used to force a common view of the node's IP address (e.g. after the IP address has changed).
* Use of this is common when an interface is first configured, as the node attempts to clear out any stale caches that might be present on other hosts. The node simply sends an arp request for itself.


STATIC ARP:
* We can manually map an Ip address to a specific IP address.
* In switch (conf)#arp <ip address> <mac address> ARPA
* Then, we can see in ARP table using #show arp
* Note: if we don’t see the mapping, it is because the switch thinks the Ip address is in different subnet. So, we can use #ip address <ip address>/24 and then try the above show command

PROXY ARP:
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html
* Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine.
* Proxy ARP is the name given when a node responds to an arp request on behalf of another node. This is commonly used to redirect traffic sent to one IP address to another system.
* Proxy ARP works when the hosts are not configured with a default gateway.
* Thus, if A has to send packet to another Ip address on a different network (or different subnet also)

REVERSE ARP:
* Reverse ARP (RARP) as defined by RFC 903 works the same way as the Address Resolution Protocol (ARP), except that the RARP request packet requests an IP address instead of a media access control (MAC) address.
* RARP often is used by diskless workstations because this type of device has no way to store IP addresses to use when they boot. The only address that is known is the MAC address because it is burned in to the hardware.
* RARP requires a RARP server on the same network segment as the device interface. The figure below illustrates how RARP works.

* Because of the limitations with RARP, most businesses use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses dynamically. DHCP is cost-effective and requires less maintenance than RARP. The most important limitations with RARP are as follows:
* Because RARP uses hardware addresses, if the internetwork is large with many physical networks, a RARP server must be on every segment with an additional server for redundancy. Maintaining two servers for every segment is costly.
* Each server must be configured with a table of static mappings between the hardware addresses and the IP addresses. Maintenance of the IP addresses is difficult.
* RARP only provides IP addresses of the hosts but not subnet masks or default gateways.


UNICAST ARP REQUEST:
* As per RFC 1122: Unicast Poll -- Actively poll the remote host by periodically sending a point-to-point ARP Request to it, and delete the entry if no ARP Reply is received from N successive polls. Again, the timeout should be on the order of a minute, and typically N is 2.
* This is one of four mechanism to timeout the stale ARP entries.

DHCP Snooping

• DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
  

•Validates DHCP messages received from untrusted sources and filters out invalid messages.

•Rate-limits DHCP traffic from trusted and untrusted sources.

•Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

•Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

• DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
  

• Packet Validation:
  
• The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
  
• The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
  
• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
  
• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
  
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
  

• The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
  

More info:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Configuring DHCP Server on Arista EOS

We know that Arista's EOS operating system runs on top of Linux. So, in order to configure DHCP Server on Arista's EOS, the way is to install the DHCP package on linux. The steps are shown below:

Configuring DHCP Server and Relay:

Switch1 (server) (et30)-----(et30) DHCPRelay (int vlan 1, switchport access-vlan 1)------Client

On Switch 1 (DHCP Server)

• #int et 30  \\we use et30 because both the switches are connected via et30 on both sides
  

#no switchport

#ip address 10.0.0.1/30

• #ip route 192.168.1.0/24 10.0.0.2  \\giving a static route to the destination n/w (192.X.X.X) and also we specify the next hop which is the Relay (10.0.0.2)
  

• #show version ||to check the fedora version. Eg) fc14 or fc18. If FC18, downgrade to FC14 using #Dir \\check for the image of older version and then #bootfrom <image> • Download the correct RPM from the following URL: http://dl.fedoraproject.org/pub/archive/fedora/linux/updates/, choose i386 architecture and send the file to switch using #copy scp:admin@macbook-pro/Users/Desktop/dhcp.rpm extension: • #extension dhcp.i686.rpm \\To install the dhcp extension • #bash • $sudo vi /etc/dhcp/dhcpd.conf • # DHCP Server Configuration file. #   see /usr/share/doc/dhcp*/dhcpd.conf.sample #   see dhcpd.conf(5) man page ddns-update-style interim; subnet 192.168.1.0 netmask 255.255.255.0 {         option routers                  192.168.1.254;         option subnet-mask              255.255.255.0;         option domain-search              "example.com";         option domain-name-servers       192.168.1.1;         option time-offset              -18000;     # Eastern Standard Time         range 192.168.1.10 192.168.3.99; } subnet 10.0.0.0 netmask 255.255.255.252 { range 10.0.0.1 10.0.0.2; }  (OR) subnet 192.168.1.0 netmask 255.255.255.0 { option routers 192.168.1.254; //the IP address of SVI is the default gateway option subnet-mask 255.255.255.0; range 192.168.1.20 192.168.1.30; } subnet 10.0.0.0 netmask 255.255.255.252 { range 10.0.0.1 10.0.0.2; } • $service dhcpd start \\to start the dhcp service • $service dhcpd status \\to check whether the dhcp service is running • $sudo dhcpd et 30 • $sudo dhcpd vlan1 \\to assign DHCP IP address to devices on vlan1

On Switch 2 (relay),

• Configuring the interface connected to client side:

#conf

#int vlan1

#ip address 192.168.1.254/24 //Making a router and network for the hosts since hosts are connected to relay router

#ip helper 10.0.0.1 \\Configuring this router to act as relay, so use the IP address of the switch 1 interface. It should be assigned for the vlan network

• Configuring the interface connected to server:

(conf)#int et 30  \\connecting it to switch 1

#no switchport

#ip address 10.0.0.2/30 

FOR TROUBLESHOOTING:

#show ip dhcp relay counters

DHCP/ BOOTP

Given in RFC2131

First when device connects to a network, it sends Discover message. It is sent as a Broadcast. It uses Bootstrap Protocol which uses UDP. The ports are always fixed to 68 and 67 respectively for client and server.

SRC: 0.0.0.0 DST: 255.255.255.255

The DHCP servers on the n/w replies with Offers. It is also a broadcast since device doesn’t have IP address. Whichever server replies first, then, other servers will not reply (race condition).

After this, it sends a Request to one DHCP server and it is sent as a broadcast even though it knows the destination IP so that other DHCP servers can know that it chose a different DHCP server and thus, can free the IP.

Now, the server first pings the IP address that it is going to allocate so that it can be sure that the IP has not been assigned statically.If address is used, server sends NAC and the client should DORA again. If no ping reply, only then, it sends an Acknowledgement with an IP address for the client. Thus, client gets its own IP address.

Note that now even other DHCP servers will send an ACK to our IP to tell that we are okay to use it. It will be unicast since we got our IP address.

After getting the IP address, the host sends an ARP for the assigned IP (it is gratuitous ARP since it does ARP for its own IP address. Here, it uses the source IP as 0.0.0.0). If it gets a reply, then, it sends a DHCP Declined to the server since another device already has the same IP address. (It is not done by the DHCP server since the DHCP server can be on different subnet also, hence it is done by the client.)

Note: that both the client and server will use the same Transaction ID.


After the lease time is expired, client sends a DHCP Renew message to DHCP server. The server sends back a ACK and client can keep the IP address for another 90 days.


The DHCP ACK will have details like Lease Time, DNS Server IP address, Subnet Mask, etc…


DHCP RELAY:

We know that DHCP request is sent as broadcast, but it cannot cross routers and vlans. Here, we have to place a dhcp server for each subnet and vlan which is not scalable. Thus, we use DHCP relay.