5

I recently read about hack5s' Packet squirrel, and now I am interested in building a similar device that sits between 2 endpoints (say router and PC) and monitor all the traffic but be invisible to the 2 endpoints. (Figure)

enter image description here

I was thinking of using the RPi's ethernet interface as one interface and a USB to ethernet module as the other.

Then the RPi could capture the packets in either direction, replace the MAC addresses and IP addresses and forward them. At the same time all transactions will be logged.

Could anybody point me in the right direction?

Edit: I also found this device (How to create a Pi Zero packet capturing computer), but it seems too easy and too good to be true!

Nht_e0
  • 77
  • 1
  • 6

1 Answers1

6

To make a man in the middle attacker with a Raspberry Pi 3B(+) or 4B is very simple. You will use an additional USB/ethernet dongle so you have a second wired interface eth1 available. Now just bridge eth0 and eth1 and you have a complete transparent and stealth device.

Start with a fresh flashed image Raspberry Pi OS Lite and use systemd-networkd to set it up. Just follow to Use systemd-networkd for general networking. You can use section "♦ Quick Step". Then come back here.

Create these three files to configure the interfaces and the bridge:

rpi ~$ sudo -Es  # if not already done
rpi ~# cat > /etc/systemd/network/02-br0.netdev << EOF
[NetDev]
Name=br0
Kind=bridge
EOF

rpi ~# cat > /etc/systemd/network/04-br0_add-eth.network << EOF
[Match]
Name=eth*
[Network]
Bridge=br0
EOF


rpi ~# cat > /etc/systemd/network/12-br0_up.network << EOF
[Match]
Name=br0
#[Network]
#DHCP=yes


to use static IP uncomment following and comment DHCP=yes


#Address=192.168.50.60/24
#Gateway=192.168.50.1
#DNS=84.200.69.80 1.1.1.1
EOF

Reboot.

The [Network] section in the last file is all commented. This ensures that the device does not get an ip address and is completely invisible on the network. The bridge will do its work without ip addresses.

Just to get updates or to install software you can temporary uncomment
[Network]
DHCP=yes
or the static ip address and do

rpi ~$ sudo systemctl daemon-reload
rpi ~$ sudo systemctl restart systemd-networkd.service

First you should install

rpi ~$ sudo apt install tcpdump

Comment the Network, daemon-reload and restart as shown above.

Now you can sniff the traffic on the line. Here just a short snippet from visiting google.com assuming your sniffed device has ip address 192.168.10.113:

rpi ~$ sudo tcpdump -N -A -i eth1 host 192.168.10.113

21:11:25.080976 IP wq-in-f102.http > titan.46152: Flags [.], ack 75, win 244, options [nop,nop,TS val 1247970405 ecr 10499619], length 0
E..42...l.y.J}.f..
q.P.H6h...+He...........
Jb.e..6#
21:11:25.083929 IP wq-in-f102.http > titan.46152: Flags [P.], seq 1:529, ack 75, win 244, options [nop,nop,TS val 1247970409 ecr 10499619], length 528: HTTP: HTTP/1.1 301 Moved Permanently
E..D2...{.h.J}.f..
q.P.H6h...+He...........
Jb.i..6#HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Wed, 10 Jul 2019 20:11:25 GMT
Expires: Fri, 09 Aug 2019 20:11:25 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN


<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>


21:11:25.084225 IP titan.46152 > wq-in-f102.http: Flags [.], ack 529, win 237, options [nop,nop,TS val 10499624 ecr 1247970409], length 0
E..4~.@.@.....
qJ}.f.H.P.+He6h.............
..6(Jb.i..

You can use nftables to mangle the passing traffic or any other tool. I haven't tried it. That's your exercise :-)

The alphabetical order of the file names is important for execution. In man systemd.network in the second paragraph you will find:

All configuration files are collectively sorted and processed in lexical order, regardless of the directories in which they live. However, files with identical filenames replace each other.

You can use what names you want but you must ensure that a .netdev file is executed before using the bridge name in .network files (ok, systemd will execute it always before .network files). And .network files must have an order. The interfaces must be added to the bridge before bringing up the bridge. I like to use the old style SysV naming for init files with preceded numbers. For me I have reserved 00 to 03 for .netdev, 04 to 07 for wired interfaces, 08 to 11 for wifi interfaces and the rest for others where I use a gap of four numbers to be able to insert additional configuration files.

Ingo
  • 42,107
  • 20
  • 85
  • 197
  • +1 for the details :).

    One question: Is there a specific reason for naming the files like that? (02-br0, 04-br0 and 12-bro) I get the br0 part, but what's the reason behind the numbers? I'm going through the systemd-networkd documentation, but couldn't find anything

     – Nht_e0 Jul 11 '19 at 05:02
  • 1
    @Nht_e0 I have updated the answer at the end. – Ingo Jul 11 '19 at 09:21
  • Just a thought: Since RPi has a wireless interface, can't we use that to connect to the internet? Without disturbing the bridge – Nht_e0 Jul 11 '19 at 18:25
  • Yes we can but then the device isn't invisible anymore. – Ingo Jul 11 '19 at 18:30
  • Can you please clarify? I thought that since the ethernet interfaces do not have addresses, the device will still be invisible (Assuming the device is connected to a completely different wireless network) – Nht_e0 Jul 11 '19 at 18:34
  • @Nht_e0 If on a different wifi network it has an ip address and isn't really invisible, but only not accessable. OK, maybe a bit academic. I'm not sure if you can see the wifi ip address from the wired network and you have to use iptables. – Ingo Jul 11 '19 at 19:06
  • Let us continue this discussion in chat. – Ingo Jul 11 '19 at 19:17