Closed crazyideas21 closed 4 years ago
device-to-device arp spoofing can be implemented around here:
https://github.com/noise-lab/iot-inspector-client/blob/master/v2-src/arp_spoof.py#L77
Duplicate of #53
Checked device-to-device arp spoofing and it appeared to work.
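Setup:
- Macbook Air and Chromecast both running and both under inspection
- I tried to access the Chromecast's port 8008 from the web browser on the Macbook
I checked the mongodb and found the corresponding traffic.
On Chromecast (s2609885b11), I found this flow: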
> db.flows.find({device_id: 's2609885b11', 'device_port': 8008}).limit(1).pretty()
{
"_id" : ObjectId("5e9231068b51a7745506271c"),
"remote_tracker" : "",
"protocol" : "tcp",
"user_key" : "wme5jCMPBLMsXhK2",
"syn_originator" : "remote",
"remote_hostname" : "(Local Network)",
"ts_mod600" : 1586638800,
"remote_port" : 49229,
"ts" : 1586639110,
"ts_mod60" : 1586639100,
"remote_ip" : "10.0.0.21",
"ts_min" : 1586639104.7350612,
"remote_ip_country" : "",
"is_inspected" : true,
"remote_web_xray" : "",
"device_id" : "s2609885b11",
"client_ts" : 1586639110,
"total_byte_count" : 1718,
"remote_hostname_info_source" : "dns",
"remote_reg_domain" : "(Local Network)",
"device_port" : 8008,
"in_byte_count" : 526,
"ts_mod10" : 1586639110,
"ts_mod3600" : 1586638800,
"out_byte_count" : 1192
}
On Macbook Air, I found this flow:
> db.flows.find({device_id: 'sc0c9f6f8ac', 'remote_port': 8008}).limit(1).pretty()
{
"_id" : ObjectId("5e9230e08b51a7598104755e"),
"remote_tracker" : "",
"protocol" : "tcp",
"user_key" : "wme5jCMPBLMsXhK2",
"syn_originator" : null,
"remote_hostname" : "(Local Network)",
"ts_mod600" : 1586638800,
"remote_port" : 8008,
"ts" : 1586639072,
"ts_mod60" : 1586639040,
"remote_ip" : "10.0.0.3",
"ts_min" : 1586639066.7053795,
"remote_ip_country" : "",
"is_inspected" : true,
"remote_web_xray" : "",
"device_id" : "sc0c9f6f8ac",
"client_ts" : 1586639072,
"total_byte_count" : 66,
"remote_hostname_info_source" : "dns",
"remote_reg_domain" : "(Local Network)",
"device_port" : 49211,
"in_byte_count" : 66,
"ts_mod10" : 1586639070,
"ts_mod3600" : 1586638800,
"out_byte_count" : 0
}
/cc: @kumarde Let me know if this data is good enough for your purpose?
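An added example, not part of the thread or of the project's code: a Python check that pairs the two devices' records of the same local traffic, using the two flow documents quoted above (trimmed) as constructed input. The `DEVICE_IPS` mapping, the `pair_local_flows` name and the 60-second window are assumptions; the two quoted records report different client ports (49229 and 49211), so they pair by service port and time rather than as a single TCP connection.

```python
# Constructed sample: the two flow documents from the comment above,
# trimmed to the fields this check uses.
FLOWS = [
    {"device_id": "s2609885b11", "protocol": "tcp", "device_port": 8008,
     "remote_ip": "10.0.0.21", "remote_port": 49229, "ts": 1586639110,
     "in_byte_count": 526, "out_byte_count": 1192},
    {"device_id": "sc0c9f6f8ac", "protocol": "tcp", "device_port": 49211,
     "remote_ip": "10.0.0.3", "remote_port": 8008, "ts": 1586639072,
     "in_byte_count": 66, "out_byte_count": 0},
]
# Assumption: device_id -> LAN IP, inferred from the other device's remote_ip.
DEVICE_IPS = {"s2609885b11": "10.0.0.3", "sc0c9f6f8ac": "10.0.0.21"}


def pair_local_flows(flows, device_ips, service_port, window=60):
    """Match server-side and client-side records of traffic to service_port.

    Returns (pairs, one_sided). Each pair is (server_flow, client_flow,
    same_connection); same_connection is True only when the client's
    ephemeral port agrees on both sides. window (seconds) is an assumption.
    """
    servers = [f for f in flows if f["device_port"] == service_port]
    clients = [f for f in flows if f["remote_port"] == service_port]
    pairs, used = [], set()
    for s in servers:
        for i, c in enumerate(clients):
            if i in used or s["protocol"] != c["protocol"]:
                continue
            # Each side must name the other device as its remote endpoint.
            if device_ips.get(c["device_id"]) != s["remote_ip"]:
                continue
            if device_ips.get(s["device_id"]) != c["remote_ip"]:
                continue
            if abs(s["ts"] - c["ts"]) > window:
                continue
            pairs.append((s, c, s["remote_port"] == c["device_port"]))
            used.add(i)
            break
    paired = {id(f) for s, c, _ in pairs for f in (s, c)}
    one_sided = [f for f in servers + clients if id(f) not in paired]
    return pairs, one_sided


if __name__ == "__main__":
    pairs, one_sided = pair_local_flows(FLOWS, DEVICE_IPS, service_port=8008)
    for s, c, same in pairs:
        print(s["device_id"], "<->", c["device_id"], "same connection:", same)
    print("seen from one side only:", [f["device_id"] for f in one_sided])
```

A record that ends up in `one_sided` means only one endpoint's view of the local traffic was captured, which is the case device-to-device inspection is meant to eliminate.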
Yeah, this looks great!
On Sun, Apr 12, 2020, 3:51 PM Danny Y. Huang notifications@github.com wrote:
Checked device-to-device arp spoofing and it appeared to work.
Setup:
- Macbook Air and Chromecast both running and both under inspection
- I tried to access the Chromecast's port 8008 from the web browser on the Macbook
Write the starter/untested code for @kumarde and he'll take over.