How does ohrwurm use libpcap and arpspoof to corrupt RTP traffic?

Posted by 跟風遠走 on 2019-12-11 19:43:45

Question


I'm trying to evaluate a tool called ohrwurm, which claims to be able to corrupt RTP traffic between two SIP endpoints. By reading its source code I don't believe it works, and would like others' opinions before I try it out.

Its premise is simple:

  • Assume endpoint A has IP address 192.168.0.11, and endpoint B has IP address 192.168.0.22.
  • On a third box C on the same subnet as A and B execute the following commands in two SSH sessions:
    • arpspoof 192.168.0.11
    • arpspoof 192.168.0.22
  • Execute ohrwurm.

Taking a look at ohrwurm's source code it does the following:

  • Set /proc/sys/net/ipv4/ip_forward to 1.
  • Use libpcap in promiscuous mode to intercept all IP packets between the two boxes above.
  • For those packets which are SIP, grab the RTP port numbers out.
  • For those packets that are UDP and between the two RTP ports grabbed earlier, fuzz the RTP contents.

Here's what I don't get though. I accept that the arpspoofing will cause all IP traffic between A and B to travel through C. Moreover, by setting /proc/sys/net/ipv4/ip_forward to 1 we're getting the kernel to forward this IP traffic correctly for us.

But I thought libpcap was read-only? How is it possible to modify packets we've sniffed in promiscuous mode in-situ? You'll notice in ohrwurm.c line 401 that we're even trying to drop RTCP packets! Is this possible?

I know nothing about libpcap, and am curious to know more! Please educate me. Thanks.


Answer 1:


Libpcap is not able to modify the packets. It can only be used to audit them. You can think of it as the basis to get the packets from the interface to the kernel.

Arpspoof requires other libraries such as "Libnet" to perform ARP spoofing. http://arpspoof.sourceforge.net/ (see the section "Links Related to arpspoof")

Libnet introduces an API that provides access to several protocols. It can be used to create arbitrary packets or modify the ones on the fly. http://libnet.sourceforge.net/

A nice tutorial can be found in: http://networksecurity.org.ua/0596007949/networkst-chp-11-sect-4.html
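Added example (editor's code, not from ohrwurm, the asker or the answerer): the user-space part of the procedure the question describes, written so it can be checked without a live capture. It pulls the RTP port out of the SDP body of a SIP message, matches UDP flows against the two learned ports (and the RTP+1 ports RTCP conventionally uses, which is the flow the question says ohrwurm drops), and flips bits in an RTP payload while leaving the 12-byte fixed header intact. The SIP INVITE and the RTP packet are constructed inline, not captured. On the question's actual sticking point: a pcap callback hands you a private copy of each frame, so writing into that buffer, as this fuzzer does, changes nothing on the wire; to deliver a corrupted packet you have to send it yourself (pcap_inject or libnet_write) and also stop the kernel from forwarding the original (ip_forward=0 or a netfilter DROP rule), otherwise the peer receives both the clean and the fuzzed copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTP_HDR_LEN 12   /* fixed RTP header, RFC 3550 section 5.1 */

/* Constructed SIP INVITE carrying an SDP body (not a real capture).
 * The "m=audio" line is where the RTP port is announced. */
static const char SAMPLE_INVITE[] =
    "INVITE sip:b@192.168.0.22 SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=a 1 1 IN IP4 192.168.0.11\r\n"
    "c=IN IP4 192.168.0.11\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n";

/* Return the port of the first "m=<media> <port> ..." line in the SDP body
 * of a NUL-terminated SIP message, or -1 if there is none. */
int sdp_media_port(const char *sip_msg, const char *media)
{
    const char *body = strstr(sip_msg, "\r\n\r\n");   /* headers end here */
    if (body == NULL) return -1;
    body += 4;
    char needle[32];
    snprintf(needle, sizeof needle, "m=%s ", media);
    size_t nlen = strlen(needle);
    for (const char *p = strstr(body, needle); p; p = strstr(p + nlen, needle)) {
        if (p != body && p[-1] != '\n') continue;     /* "m=" must begin a line */
        char *end;
        long port = strtol(p + nlen, &end, 10);
        if (end != p + nlen && port > 0 && port < 65536) return (int)port;
    }
    return -1;
}

/* UDP flow is the RTP stream if its ports are exactly the two SDP ports. */
int is_rtp_flow(uint16_t sport, uint16_t dport, uint16_t a_port, uint16_t b_port)
{
    return (sport == a_port && dport == b_port) || (sport == b_port && dport == a_port);
}

/* RTCP conventionally runs on RTP port + 1 (RFC 3550 section 11). */
int is_rtcp_flow(uint16_t sport, uint16_t dport, uint16_t a_port, uint16_t b_port)
{
    return is_rtp_flow(sport, dport, (uint16_t)(a_port + 1), (uint16_t)(b_port + 1));
}

/* Minimal sanity check before touching a packet: long enough and version 2. */
int rtp_header_ok(const uint8_t *pkt, size_t len)
{
    return len >= RTP_HDR_LEN && (pkt[0] >> 6) == 2;
}

/* Build a constructed RTP packet: V=2, PT=0, given sequence number, fixed SSRC,
 * constant payload. Returns total length, or 0 if the buffer is too small. */
size_t build_rtp(uint8_t *out, size_t cap, uint16_t seq, size_t payload_len)
{
    if (cap < RTP_HDR_LEN + payload_len) return 0;
    memset(out, 0, RTP_HDR_LEN);
    out[0] = 0x80;                       /* V=2, no padding, no extension, 0 CSRCs */
    out[2] = (uint8_t)(seq >> 8);
    out[3] = (uint8_t)(seq & 0xff);
    out[8] = 0xde; out[9] = 0xad; out[10] = 0xbe; out[11] = 0xef;   /* SSRC */
    memset(out + RTP_HDR_LEN, 0x7f, payload_len);
    return RTP_HDR_LEN + payload_len;
}

/* Flip one bit in roughly rate_pct percent of payload bytes using a small
 * deterministic LCG (reproducible runs). The fixed header is left alone so the
 * receiver still accepts the packet as RTP. Returns the number of bytes changed,
 * 0 if the buffer is not an RTP packet. Note: this mutates only the caller's
 * buffer; a frame handed over by a pcap callback is a copy, so nothing on the
 * wire changes unless the result is re-injected. */
size_t fuzz_rtp_payload(uint8_t *pkt, size_t len, uint32_t seed, unsigned rate_pct)
{
    if (!rtp_header_ok(pkt, len)) return 0;
    uint32_t s = seed;
    size_t changed = 0;
    for (size_t i = RTP_HDR_LEN; i < len; i++) {
        s = s * 1103515245u + 12345u;
        if ((s >> 16) % 100 < rate_pct) {
            pkt[i] ^= (uint8_t)(1u << ((s >> 8) & 7));
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    int port = sdp_media_port(SAMPLE_INVITE, "audio");
    printf("RTP port announced by A: %d (RTCP expected on %d)\n", port, port + 1);
    uint8_t pkt[172];
    size_t n = build_rtp(pkt, sizeof pkt, 7, 160);      /* 20 ms of PCMU */
    printf("fuzzed %zu of %zu payload bytes\n",
           fuzz_rtp_payload(pkt, n, 1, 30), n - RTP_HDR_LEN);
    return 0;
}
```

The flow matcher is deliberately exact on both ports: matching on "any UDP between A and B" would also catch the SIP signalling itself and anything else the hosts exchange, which is not what the question's step 4 describes.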



Source: https://stackoverflow.com/questions/8761725/how-does-ohrwurm-use-libpcap-and-arpspoof-to-corrupt-rtp-traffic
