netspionage: Network Forensics Utility

Angelina Tsuboi
Published in System Weakness
10 min read · Feb 13, 2023

Introduction

I wanted to learn more about network forensics and apply my knowledge of Python to build a cybersecurity tool, so I created a CLI (command line interface) utility called netspionage. netspionage is a CLI tool developed specifically for performing reconnaissance, enumeration, and detection of attacks that take place on a specified network. I coded it in Python, and it relies on libraries such as scapy, pandas, and requests to work.

What is Network Forensics?

Network Forensics is a sub-branch of digital forensics (the process of identifying, collecting, and analyzing digital information from cybercrimes as part of an investigation). Network Forensics focuses on monitoring and analyzing information about your network in order to identify potential vulnerabilities and detect attacks from hackers.

What is Network Reconnaissance?

Aside from network forensics, netspionage also features network reconnaissance tools to obtain information about a network. Reconnaissance in cybersecurity is the process of obtaining information about a target to reveal possible vulnerabilities that a hacker could exploit. In this case, netspionage performs network reconnaissance by finding information about a specified network to expose any flaws in it (e.g. revealing open ports).

Functionality

The functionality of the tool can be broken down into three main categories:

  1. Scanning: Used to monitor activity and traffic related to your network. This includes scanning ports, revealing intelligence about nearby Wi-Fi access points, and scanning for devices connected to your network.
  2. Reconnaissance: Used to gather information about devices connected to your network. This feature lets you select or input a MAC address (the unique identifier assigned to a device's network interface controller) in order to obtain more information about that device (e.g. IP address, operating system).
  3. Detection: Used to detect attacks that target your network. It checks for ARP spoofing and TCP SYN flooding, both of which I explain later in the article.

Set Up

Before you get started, let's make sure that your computer is configured properly to run the project.

  1. Machine: I would personally recommend using a VM (virtual machine) like VirtualBox with an instance of Linux running on it for this project. A standard Mac or Windows computer should be compatible, but I recommend you use either a VM or a machine that runs Linux. I personally used a Windows machine running VirtualBox with an image of Kali Linux for this project.
  2. Wireless Network Adapter: I highly recommend that you use a dedicated wireless network adapter for this project. An adapter that supports both monitor mode and packet injection is ideal. You can reference this list to find a wireless network adapter that works for you. I personally used a Panda PAU06 wireless network adapter for this project. It is limited to the 2.4GHz band, but I found that it is easy to configure and a cheap option for beginners.
  3. Dev Environment: Once you have all the hardware you need for the project, make sure your machine has Python 3 and pip installed. Then, clone the GitHub repository onto your machine and install all the dependencies by typing these commands into your terminal:
# clone the repo
git clone https://github.com/ANG13T/netspionage.git

# change the working directory to netspionage
cd netspionage

# install the requirements
pip3 install -r requirements.txt

  4. Network Adapter Config: You should also place your adapter into monitor mode to enable the Wi-Fi features of netspionage. Follow the instructions below to do so:

# Put your network adapter into monitor mode
sudo airmon-ng start wlan0

# List information about your network interfaces
ip a

# Note the name of the monitor-mode interface (e.g. wlan0mon)

# Set that interface name in the configuration file
vim configuration.ini

# configuration.ini
WiFiInterface=wlan0mon

  5. Run netspionage: To begin using netspionage, use one of the two commands below:

python3 netspionage.py

OR

sudo -E python3 netspionage.py

Once you run the command, you should be greeted with a large ASCII netspionage banner and a list of options. The features of the tool can be broken down into Network Scanning, Network Reconnaissance, and Attack Detection. I outline how each of the features works and how to use them in the following sections.

Network Scanning

We use network scanning as a way to monitor the status of a network such as its device traffic, port availability, and nearby Wi-Fi access points. I broke this feature down by each of its three functionalities.

Network Scanner

The network scanner prints a list of all the devices connected to the specified network. The list contains pertinent information about each device, such as its IP address, MAC address, and operating system. netspionage obtains this information by creating an ARP request with scapy and sending it to the network IP address specified. For instance, let's say the IP address of our network is “192.168.1.1”. When we send out an ARP request for “192.168.1.1”, we get a response from the owner of that IP address containing information about that device, such as its MAC address. To reach every device at once, the ARP request is sent in a broadcast frame addressed to the MAC address ff:ff:ff:ff:ff:ff, so every host on the segment receives it and each host whose IP address is being queried replies with its own MAC address. This lets us retrieve the IP address and MAC address of each device connected to that network. We can also append “/24” or “/16” to the IP address to specify an IP range in CIDR notation. For example, putting /24 at the end of an IP address gives you an IP range from 192.168.1.0 to 192.168.1.255.

netspionage >> 1
SCAN INPUT >> 1
NET IP ADDRESS (Eg: 192.168.1.1/24) >> 192.168.1.1/24

Wi-Fi Scanner

The Wi-Fi scanner lets you gather information about nearby Wi-Fi access points, such as their BSSID, RSSI, SSID, channel number, and encryption type. It does this by using the sniff() function of scapy to monitor the frames sent by Wi-Fi access points. Every Wi-Fi access point (AP) periodically sends out beacon frames, which are packets containing information about the AP, in order to advertise the network to nearby devices. By sniffing for beacon frames, we can obtain information about the Wi-Fi access points near us. netspionage derives the BSSID (MAC address of the AP), SSID (name of the AP), RSSI (received signal strength), and encryption type (whether the AP is password protected with WPA2/WPA3 or open) from each Wi-Fi AP it detects. The Wi-Fi scanner also features channel changing, switching between Wi-Fi channels to pick up more local APs. In the U.S., Wi-Fi networks run on 12 different channels in order to spread out device traffic. The channel changer lets us cycle through the channels continuously in order to build a complete map of the Wi-Fi networks nearby.

netspionage >> 1
SCAN INPUT >> 2
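The fields listed above all live in the beacon frame body, which is what scapy's Dot11 layers decode for netspionage. As an added example (not netspionage's code), the block below builds a constructed beacon with struct and parses the BSSID, SSID, channel and encryption type back out of the raw bytes, so the layout the scanner depends on is visible. RSSI is deliberately absent: it is not part of the 802.11 frame but comes from the radiotap header a monitor-mode driver prepends to each capture. The sample BSSIDs and SSIDs are made up.

```python
"""Parse an 802.11 beacon frame into the fields a Wi-Fi scanner reports.

Added example, not netspionage's code. Frames are constructed here, not
captured; RSSI lives in the radiotap header, not in the frame, so it is
not parsed.
"""
import struct

# Management frame header: frame control, duration, addr1, addr2, addr3, seq.
# In a beacon, addr3 is the BSSID (the AP's MAC) and addr1 is broadcast.
MGMT_HDR = struct.Struct("<HH6s6s6sH")
# Beacon fixed fields: timestamp, beacon interval (in 1.024 ms TUs), capability bitmap.
BEACON_FIXED = struct.Struct("<QHH")
CAP_PRIVACY = 0x0010                          # capability bit 4: encryption in use
TAG_SSID, TAG_DS_PARAM, TAG_RSN, TAG_VENDOR = 0, 3, 48, 221
WPA1_IE_PREFIX = bytes.fromhex("0050f201")   # Microsoft OUI + type 1 = WPA (v1) IE


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_tags(body: bytes):
    """Yield (tag_id, value) from the tagged-parameter section (a TLV list)."""
    off = 0
    while off + 2 <= len(body):
        tag_id, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:               # truncated element: stop, don't mis-parse
            break
        yield tag_id, value
        off += 2 + length


def is_beacon(frame: bytes) -> bool:
    """True when frame control says management frame (type 0), subtype 8 (beacon)."""
    if len(frame) < MGMT_HDR.size + BEACON_FIXED.size:
        return False
    fc = MGMT_HDR.unpack_from(frame, 0)[0]
    return (fc & 0x0C) == 0 and ((fc >> 4) & 0x0F) == 8


def parse_beacon(frame: bytes) -> dict:
    """Return bssid, ssid, channel, beacon interval and encryption type of one beacon."""
    if not is_beacon(frame):
        raise ValueError("not a beacon frame")
    _fc, _dur, _a1, _a2, bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    _ts, interval, cap = BEACON_FIXED.unpack_from(frame, MGMT_HDR.size)
    info = {"bssid": mac_str(bssid), "ssid": "<hidden>", "channel": None,
            "beacon_interval_ms": interval * 1.024}
    has_rsn = has_wpa1 = False
    for tag_id, value in parse_tags(frame[MGMT_HDR.size + BEACON_FIXED.size:]):
        if tag_id == TAG_SSID and value:           # empty SSID element = hidden network
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag_id == TAG_DS_PARAM and value:     # DS Parameter Set: current channel
            info["channel"] = value[0]
        elif tag_id == TAG_RSN:                    # RSN element: WPA2 or WPA3
            has_rsn = True
        elif tag_id == TAG_VENDOR and value.startswith(WPA1_IE_PREFIX):
            has_wpa1 = True
    if has_rsn:
        info["encryption"] = "WPA2/WPA3"
    elif has_wpa1:
        info["encryption"] = "WPA"
    elif cap & CAP_PRIVACY:                        # privacy bit set but no RSN/WPA IE
        info["encryption"] = "WEP"
    else:
        info["encryption"] = "OPEN"
    return info


def build_beacon(bssid: str, ssid: str, channel: int, rsn: bool) -> bytes:
    """Constructed sample beacon (not a real capture) for exercising the parser."""
    raw = bytes.fromhex(bssid.replace(":", ""))
    header = MGMT_HDR.pack(0x0080, 0, b"\xff" * 6, raw, raw, 0)   # 0x80 = beacon subtype
    cap = 0x0001 | (CAP_PRIVACY if rsn else 0)                     # ESS bit, plus privacy
    fixed = BEACON_FIXED.pack(0, 100, cap)                         # 100 TU = 102.4 ms
    tags = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    tags += bytes([TAG_DS_PARAM, 1, channel])
    if rsn:
        # Minimal RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM (PSK), caps 0
        body = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        tags += bytes([TAG_RSN, len(body)]) + body
    return header + fixed + tags


def scan_constructed_frames() -> list:
    """Stand-in for a sniff() loop: parse two constructed beacons, one open and hidden."""
    frames = [build_beacon("aa:bb:cc:dd:ee:01", "HomeNet", 6, rsn=True),
              build_beacon("aa:bb:cc:dd:ee:02", "", 11, rsn=False)]
    return [parse_beacon(f) for f in frames]
```

A hidden network still beacons, just with a zero-length SSID element, which is why the parser reports "<hidden>" rather than dropping the AP; the BSSID and channel are still recoverable from such a beacon.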

Port Scanner

netspionage also features a simple port scanner that iterates through a list of ports on a specified network to determine whether each one is closed or open. Open ports expose a network to risk because a hacker can exploit the service behind an open port to break into a computer. To detect whether a port on our network is open, netspionage iterates through the well-known ports assigned by the Internet Assigned Numbers Authority (IANA), port numbers 0–1023. For each port, netspionage uses the socket Python module to attempt a TCP connection to that port on the host. If the connection attempt succeeds, the port is open.

netspionage >> 1
SCAN INPUT >> 3
NET IP ADDRESS (Eg: 192.168.1.1/24) >> 192.168.1.1/24
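The connect-scan idea above (a successful socket connection means the port is open) is easy to implement with the standard library. The block below is an added example, not netspionage's own scanner: it adds a timeout, a thread pool, and a closed/filtered distinction, and includes a demo that opens one listening socket on 127.0.0.1 so the result can be checked offline. Because a connect scan completes the full three-way handshake, every probe shows up in the target's logs and to any IDS watching the segment, which is exactly what makes this scan type easy to detect from the defender's side.

```python
"""TCP connect scan of the IANA well-known port range (0-1023).

Added example, not netspionage's code. Uses only the socket module.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

WELL_KNOWN_PORTS = range(0, 1024)   # IANA "well-known" range, as in the article


def probe_port(host: str, port: int, timeout: float = 0.5) -> Tuple[int, str]:
    """Classify one port as open, closed, filtered or error."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))                  # full three-way handshake
        except ConnectionRefusedError:               # RST came back: nothing listening
            return port, "closed"
        except (socket.timeout, TimeoutError):       # silence: usually a firewall drop
            return port, "filtered"
        except OSError:                              # unreachable host, bad port, ...
            return port, "error"
    return port, "open"


def scan_ports(host: str, ports: Iterable[int], workers: int = 64) -> Dict[str, List[int]]:
    """Probe ports concurrently and return {state: sorted list of ports}."""
    result: Dict[str, List[int]] = {"open": [], "closed": [], "filtered": [], "error": []}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, state in pool.map(lambda p: probe_port(host, p), ports):
            result[state].append(port)
    for ports_in_state in result.values():
        ports_in_state.sort()
    return result


def demo_localhost() -> Tuple[int, int, Dict[str, List[int]]]:
    """Open one listener on 127.0.0.1, pick one known-closed port, scan both.

    Returns (open_port, closed_port, scan result). Both ports are chosen by
    the OS at run time, so nothing here depends on a real target.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                    # freed again: a connect now gets RST
    try:
        return open_port, closed_port, scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = scan_ports(target, WELL_KNOWN_PORTS)
    print(f"{target}: open {found['open']}, filtered {len(found['filtered'])}")
```

The "filtered" state is the one a plain open/closed check loses: a host that silently drops SYNs produces a timeout rather than a RST, and without a timeout the scan would simply hang on each such port.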

Network Reconnaissance

netspionage also contains network reconnaissance features that gather information about devices connected to a network. It does this by obtaining the MAC addresses of devices on the network by sending out an ARP packet. This relies on the same principles as the Network Scanner described above, but adds a feature for obtaining more information about a device using its MAC address. A user can enter the MAC address of a device that is connected to the network they are monitoring, and netspionage passes that MAC address to the Macvendors.co MAC address vendor lookup to retrieve the vendor of the device and other relevant information. The functionality is broken up into two options.

MAC Address Reconnaissance (Choosing)

This feature lets the user choose the MAC address of a device connected to the network: it runs a quick network scan and returns a list of MAC addresses for the user to select from. This is recommended when a user wants to obtain information about an arbitrary device connected to the network and does not care about one particular device.

netspionage >> 2
RECON INPUT >> 1
NET IP ADDRESS (Eg: 192.168.1.1/24) >> 192.168.1.1/24

MAC Address Reconnaissance (Input Custom MAC Address)

The second option lets the user manually input a MAC address of a specific device on the network. This provides more specificity and is useful for scenarios where you want to decipher information about one particular device on the network.

netspionage >> 2
RECON INPUT >> 2
MAC ADDRESS (Eg:08:00:69:02:01:FC) >> 08:00:69:02:01:FC

Attack Detection

The attack detection portion of the netspionage utility is, in my opinion, the most intriguing aspect of the tool. It actively checks for common network attacks such as ARP spoofing and TCP SYN flooding and alerts the user when such an incident occurs.

Detect ARP Spoofing Attacks

ARP (Address Resolution Protocol) Spoofing is used to obtain a Man in the Middle (MITM) position by sending spoofed ARP packets onto a network, enabling the hacker to intercept and modify network traffic. Once the attacker successfully completes a MITM attack, they can view and change every bit of information that passes through the victim's device. In a normal, functioning network, devices communicate with a gateway before communicating with the internet. To gain a MITM position, a hacker sends spoofed ARP packets to both the gateway and the victim's device. The ARP packets sent to the gateway associate the hacker's device with the IP address of the victim's computer, and another set of spoofed ARP packets sent to the victim's computer states that the hacker's device has the IP address of the gateway. This effectively creates a MITM situation where any packet the victim sends (e.g. an HTTP request) is forwarded to the hacker's computer before it is passed on to the gateway, so the victim is unaware that the attack is actually occurring.

netspionage detects this kind of MITM situation by sniffing for ARP packets on the network. Once an ARP packet is received, it compares the source MAC address in the packet (which can be spoofed) to the real MAC address of the sender, which is retrieved by initiating an ARP request for the source IP address. If the two MAC addresses do not match, we can tell that a MITM attack is in progress. This is done with the scapy module: the sniff() function captures packets on the network, and the condition packet.haslayer(ARP) checks that the packet is an ARP packet. Then we retrieve the real MAC address of the sender using get_mac(packet[ARP].psrc) and compare the result to the MAC address the packet itself carries, packet[ARP].hwsrc. If we have a mismatch, we have a hacker to watch out for!

netspionage >> 3
DETECT INPUT >> 1
NET IP ADDRESS (Eg: 192.168.1.1/24) >> 192.168.1.1/24
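The comparison between packet[ARP].hwsrc and the result of an independent lookup is the whole detection rule, so it is worth seeing it run over a few packets. The block below is an added example, not netspionage's code: ArpPacket is a stand-in for the scapy ARP layer, the resolver is a constructed table rather than a real get_mac() that sends a who-has, and the lab addresses are made up. It also goes one step beyond the article: the detector remembers the first IP-to-MAC binding it saw, so a later change is still flagged in the case where the attacker also answers the verification request and the active lookup alone would agree with the spoofed packet.

```python
"""ARP spoof detection: compare the MAC an ARP reply claims with the MAC an
independent lookup returns, plus a first-seen binding table.

Added example, not netspionage's code. Packets, hosts and the resolver are
constructed stand-ins so the block runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ARP_WHO_HAS, ARP_IS_AT = 1, 2          # ARP opcodes: request, reply


@dataclass
class ArpPacket:
    """Stand-in for the scapy ARP layer fields the detector reads."""
    op: int
    psrc: str      # sender IP
    hwsrc: str     # sender MAC as written in the packet (attacker-controlled)


@dataclass
class ArpSpoofDetector:
    resolve_mac: Callable[[str], Optional[str]]     # plays the role of get_mac()
    bindings: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> Optional[str]:
        """Check one ARP packet; return an alert string or None."""
        if pkt.op != ARP_IS_AT:
            return None                              # only replies make is-at claims
        claimed = pkt.hwsrc.lower()
        alert = None
        real = self.resolve_mac(pkt.psrc)            # the article's active check
        if real is not None and real.lower() != claimed:
            alert = (f"ARP spoofing: {pkt.psrc} claimed by {claimed}, "
                     f"independent lookup says {real.lower()}")
        known = self.bindings.get(pkt.psrc)          # the added binding-table check
        if alert is None and known is not None and known != claimed:
            alert = f"ARP binding changed: {pkt.psrc} was {known}, now {claimed}"
        self.bindings.setdefault(pkt.psrc, claimed)  # keep the first-seen binding
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed lab network (not real hosts).
LAB_HOSTS = {"192.168.1.1": "aa:aa:aa:aa:aa:01",    # gateway
             "192.168.1.20": "bb:bb:bb:bb:bb:20"}   # victim workstation
ATTACKER_MAC = "cc:cc:cc:cc:cc:99"

CONSTRUCTED_TRAFFIC = [
    ArpPacket(ARP_WHO_HAS, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # ordinary request
    ArpPacket(ARP_IS_AT, "192.168.1.1", "aa:aa:aa:aa:aa:01"),      # genuine gateway reply
    ArpPacket(ARP_IS_AT, "192.168.1.1", ATTACKER_MAC),             # gateway IP claimed by attacker
    ArpPacket(ARP_IS_AT, "192.168.1.20", ATTACKER_MAC),            # victim IP claimed by attacker
]


def run_demo(resolver_poisoned: bool = False) -> List[str]:
    """Replay the constructed traffic through the detector and return its alerts.

    resolver_poisoned=True models the case where the attacker answers the
    verification who-has first, so the active lookup returns the spoofed MAC
    for any IP the attacker has already started claiming.
    """
    spoofed_ips: set = set()

    def resolve_mac(ip: str) -> Optional[str]:
        if resolver_poisoned and ip in spoofed_ips:
            return ATTACKER_MAC
        return LAB_HOSTS.get(ip)

    det = ArpSpoofDetector(resolve_mac)
    for pkt in CONSTRUCTED_TRAFFIC:
        if pkt.hwsrc == ATTACKER_MAC:
            spoofed_ips.add(pkt.psrc)
        det.inspect(pkt)
    return det.alerts
```

With a trustworthy resolver both spoofed replies trigger the article's mismatch rule. With the resolver itself poisoned, that rule stays silent, and only the binding-table check still catches the gateway's MAC changing; the victim's IP slips through because no reply for it had been seen before the spoofed one, which is the usual blind spot of first-seen tables and the reason such a detector should be started before, not during, an incident.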

Detect SYN Flooding Attacks

A TCP SYN flooding attack takes place when a hacker sends a flood of SYN requests to a target (in this case a router) in order to cause a denial of service: the requests consume so many of the router's resources that valid clients can no longer connect to it. This attack works by abusing the first step of the TCP three-way handshake. Every time a client wants to establish a connection to a server via the TCP protocol, it must exchange three messages with the server, which is why it is called the “3-Way TCP Handshake”! The series of messages looks like the following:

  1. The client initiates the request by sending a SYN message to the server.
  2. The server responds to the client with a SYN-ACK message, which acknowledges the client's SYN request.
  3. The client responds back to the server with an ACK, which establishes the connection.

During a SYN flood attack, a hacker repeatedly sends SYN packets from different source ports without ever responding with the final ACK. The server, unaware that an attack is taking place, responds to each request with a SYN-ACK packet to the source port the hacker specified and waits for an ACK that never comes. During the flood, the server is unable to respond to legitimate clients because it is too busy answering the hacker's flood of SYN requests with SYN-ACK packets. To detect this, netspionage uses scapy to sniff packets being sent to the network. When it detects an influx of TCP packets sent to the network from the same source IP, it triggers a detection message.

netspionage >> 3
DETECT INPUT >> 2
NET IP ADDRESS (Eg: 192.168.1.1/24) >> 192.168.1.1/24
TCP NUMBER (Eg: 80) >> 80
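The rule described above (many SYNs toward the monitored port from one source IP in a short time) is a sliding-window counter. The block below is an added example, not netspionage's code, and it goes beyond the article in two ways: it also counts how many of a source's SYNs were followed by an ACK, so a busy but honest client that completes its handshakes is not flagged, and it keeps an aggregate SYN count for the port so that a flood spread across many spoofed source addresses, which a per-source counter never sees, still raises an alert. TcpSummary is a stand-in for the scapy fields (pkt[IP].src, pkt[TCP].dport, str(pkt[TCP].flags)); the traffic and addresses are constructed.

```python
"""SYN flood detection over a stream of TCP packet summaries.

Added example, not netspionage's code. Packets are constructed stand-ins;
the flag strings follow scapy's convention ("S", "SA", "A", "PA", ...).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class TcpSummary:
    ts: float       # capture time in seconds
    src: str        # source IP
    dport: int      # destination port
    flags: str      # scapy-style flag string


class SynFloodDetector:
    def __init__(self, target_port: int, window_s: float = 1.0,
                 per_source_threshold: int = 20, aggregate_threshold: int = 200):
        self.target_port = target_port
        self.window_s = window_s
        self.per_source_threshold = per_source_threshold
        self.aggregate_threshold = aggregate_threshold
        self.syns: Dict[str, Deque[float]] = defaultdict(deque)   # bare SYNs per source
        self.acks: Dict[str, Deque[float]] = defaultdict(deque)   # ACKs per source
        self.all_syns: Deque[float] = deque()                     # bare SYNs, any source
        self.flagged: set = set()                                 # alert once per source
        self.alerts: List[str] = []

    def _trim(self, q: Deque[float], now: float) -> None:
        """Drop timestamps that have fallen out of the sliding window."""
        while q and now - q[0] > self.window_s:
            q.popleft()

    def observe(self, pkt: TcpSummary) -> Optional[str]:
        """Feed one packet; return an alert string the first time a rule fires."""
        if pkt.dport != self.target_port:
            return None
        if pkt.flags == "S":                                  # SYN alone: new attempt
            self.syns[pkt.src].append(pkt.ts)
            self.all_syns.append(pkt.ts)
        elif "A" in pkt.flags and "S" not in pkt.flags:       # handshake completion / data
            self.acks[pkt.src].append(pkt.ts)
        else:
            return None
        self._trim(self.syns[pkt.src], pkt.ts)
        self._trim(self.acks[pkt.src], pkt.ts)
        self._trim(self.all_syns, pkt.ts)
        n_syn, n_ack = len(self.syns[pkt.src]), len(self.acks[pkt.src])
        alert = None
        if (n_syn >= self.per_source_threshold and n_ack < n_syn // 2
                and pkt.src not in self.flagged):
            self.flagged.add(pkt.src)
            alert = (f"SYN flood from {pkt.src}: {n_syn} SYNs, {n_ack} ACKs "
                     f"to port {self.target_port} in {self.window_s}s")
        elif len(self.all_syns) >= self.aggregate_threshold and "*" not in self.flagged:
            self.flagged.add("*")
            alert = (f"SYN flood (distributed/spoofed sources): {len(self.all_syns)} "
                     f"SYNs to port {self.target_port} in {self.window_s}s")
        if alert:
            self.alerts.append(alert)
        return alert


def constructed_traffic() -> List[TcpSummary]:
    """Made-up capture: one honest busy client, one single-source flood, one spoofed flood."""
    pkts: List[TcpSummary] = []
    for i in range(30):                       # honest client: every SYN gets its ACK
        t = i * 0.02
        pkts.append(TcpSummary(t, "10.0.0.5", 80, "S"))
        pkts.append(TcpSummary(t + 0.005, "10.0.0.5", 80, "A"))
    for i in range(50):                       # one source, 50 bare SYNs in half a second
        pkts.append(TcpSummary(1.0 + i * 0.01, "10.0.0.99", 80, "S"))
    for i in range(250):                      # 250 SYNs, each from a different address
        pkts.append(TcpSummary(3.0 + i * 0.002, f"172.16.0.{i % 250 + 1}", 80, "S"))
    pkts.append(TcpSummary(3.6, "10.0.0.99", 443, "S"))   # other port: must be ignored
    return pkts


def run_demo() -> List[str]:
    det = SynFloodDetector(target_port=80)
    for pkt in sorted(constructed_traffic(), key=lambda p: p.ts):
        det.observe(pkt)
    return det.alerts
```

The honest client sends 30 SYNs inside one window, more than the per-source threshold, yet is never flagged because its ACK count keeps pace; that is the check that separates a burst of legitimate connections from half-open ones. The thresholds here are illustrative and need tuning to the monitored host's normal connection rate.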

Conclusion

All in all, network forensics is an important field of Cybersecurity because it ensures the security, reliability, and compliance of networked systems. netspionage is a utility that aims to streamline this process by providing a toolkit of network analysis tools to protect your network by detecting attacks and scanning for vulnerabilities. I hope this article also gave you a better understanding of how netspionage operates and elucidated some of the underlying vulnerabilities of networks used today.

Thanks for Reading!
