nyu-mlab / iot-inspector-client

IoT Inspector: capturing and analyzing your smart home network traffic
https://inspector.engineering.nyu.edu/
MIT License

Arp-spoof device-to-device traffic #43

Closed crazyideas21 closed 4 years ago

crazyideas21 commented 4 years ago

Write the starter/untested code for @kumarde and he'll take over.

crazyideas21 commented 4 years ago

device-to-device arp spoofing can be implemented around here:

https://github.com/noise-lab/iot-inspector-client/blob/master/v2-src/arp_spoof.py#L77

crazyideas21 commented 4 years ago

Duplicate of #53

crazyideas21 commented 4 years ago

Checked device-to-device arp spoofing and it appeared to work.

Setup:

  • Macbook Air and Chromecast both running and both under inspection
  • I tried to access the Chromecast's port 8008 from the web browser on the Macbook

I checked the mongodb and found the corresponding traffic.

On Chromecast (s2609885b11), I found this flow:

> db.flows.find({device_id: 's2609885b11', 'device_port': 8008}).limit(1).pretty()
{
        "_id" : ObjectId("5e9231068b51a7745506271c"),
        "remote_tracker" : "",
        "protocol" : "tcp",
        "user_key" : "wme5jCMPBLMsXhK2",
        "syn_originator" : "remote",
        "remote_hostname" : "(Local Network)",
        "ts_mod600" : 1586638800,
        "remote_port" : 49229,
        "ts" : 1586639110,
        "ts_mod60" : 1586639100,
        "remote_ip" : "10.0.0.21",
        "ts_min" : 1586639104.7350612,
        "remote_ip_country" : "",
        "is_inspected" : true,
        "remote_web_xray" : "",
        "device_id" : "s2609885b11",
        "client_ts" : 1586639110,
        "total_byte_count" : 1718,
        "remote_hostname_info_source" : "dns",
        "remote_reg_domain" : "(Local Network)",
        "device_port" : 8008,
        "in_byte_count" : 526,
        "ts_mod10" : 1586639110,
        "ts_mod3600" : 1586638800,
        "out_byte_count" : 1192
}

On Macbook Air, I found this flow:

> db.flows.find({device_id: 'sc0c9f6f8ac', 'remote_port': 8008}).limit(1).pretty()
{
        "_id" : ObjectId("5e9230e08b51a7598104755e"),
        "remote_tracker" : "",
        "protocol" : "tcp",
        "user_key" : "wme5jCMPBLMsXhK2",
        "syn_originator" : null,
        "remote_hostname" : "(Local Network)",
        "ts_mod600" : 1586638800,
        "remote_port" : 8008,
        "ts" : 1586639072,
        "ts_mod60" : 1586639040,
        "remote_ip" : "10.0.0.3",
        "ts_min" : 1586639066.7053795,
        "remote_ip_country" : "",
        "is_inspected" : true,
        "remote_web_xray" : "",
        "device_id" : "sc0c9f6f8ac",
        "client_ts" : 1586639072,
        "total_byte_count" : 66,
        "remote_hostname_info_source" : "dns",
        "remote_reg_domain" : "(Local Network)",
        "device_port" : 49211,
        "in_byte_count" : 66,
        "ts_mod10" : 1586639070,
        "ts_mod3600" : 1586638800,
        "out_byte_count" : 0
}

/cc: @kumarde Let me know if this data is good enough for your purpose?
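As an added example (not part of the IoT Inspector code base or this thread), the check below pairs flow records from both ends of a device-to-device connection by their direction-independent 5-tuple, so you can confirm that ARP spoofing captured both sides of the same TCP connection rather than just one record per device. The device_id-to-IP mapping is an assumption read off the two records' remote_ip fields, and the flows are constructed from the two documents above with only the relevant fields kept. It also shows why limit(1) on each side is a weak check: the records above carry different ephemeral ports (49229 vs 49211), so they belong to two different connections.

```python
# Added example; not IoT Inspector's own code.
# Assumed LAN addresses, inferred from the remote_ip fields of the two records.
DEVICE_IPS = {"s2609885b11": "10.0.0.3",    # Chromecast (assumed)
              "sc0c9f6f8ac": "10.0.0.21"}   # Macbook Air (assumed)

# Constructed from the two flow documents in the comment above (subset of fields).
FLOWS = [
    {"device_id": "s2609885b11", "protocol": "tcp", "device_port": 8008,
     "remote_ip": "10.0.0.21", "remote_port": 49229, "syn_originator": "remote",
     "in_byte_count": 526, "out_byte_count": 1192, "ts": 1586639110},
    {"device_id": "sc0c9f6f8ac", "protocol": "tcp", "device_port": 49211,
     "remote_ip": "10.0.0.3", "remote_port": 8008, "syn_originator": None,
     "in_byte_count": 66, "out_byte_count": 0, "ts": 1586639072},
]


def conn_key(flow, device_ips):
    """Direction-independent connection key: (protocol, endpoint_a, endpoint_b)
    with the two (ip, port) endpoints sorted, so both devices' records of the
    same TCP connection produce the same key."""
    local = (device_ips[flow["device_id"]], flow["device_port"])
    remote = (flow["remote_ip"], flow["remote_port"])
    return (flow["protocol"],) + tuple(sorted([local, remote]))


def group_device_to_device(flows, device_ips):
    """Group only flows whose remote end is another inspected device."""
    by_key = {}
    for flow in flows:
        if flow["remote_ip"] not in device_ips.values():
            continue  # remote side is off-LAN or not under inspection
        by_key.setdefault(conn_key(flow, device_ips), []).append(flow)
    return by_key


def coverage_report(flows, device_ips):
    """Return (paired, one_sided): connection keys seen from both devices
    versus keys recorded by only one of them. A fully spoofed
    device-to-device connection should land in `paired`."""
    groups = group_device_to_device(flows, device_ips)
    paired = [k for k, fs in groups.items()
              if len({f["device_id"] for f in fs}) == 2]
    one_sided = [k for k in groups if k not in paired]
    return paired, one_sided


if __name__ == "__main__":
    paired, one_sided = coverage_report(FLOWS, DEVICE_IPS)
    print("paired:", paired)        # [] : the two records are different connections
    print("one-sided:", one_sided)  # both keys, differing only in the ephemeral port
```

To verify capture of a single connection, query both devices for the same ephemeral port rather than limit(1) on each side, then expect one key in `paired`.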

kumarde commented 4 years ago

Yeah, this looks great!
