I just wonder that someone sniff my VPN packet and find out where I visit. If destination IP location is fixed in the encrypted packet, I think it's not that hard to decrypt destination IP by copying the IP part and attempt to dictionary attack. Anyone knows about this?
Related
I'm new to the networking world and I'm using Wireshark to learn stuffs about the network.
I was hanging around in Wireshark while I was using my VPN for circumventing the internet filter (living in a dictatorship country).
While I was using the VPN I see packets that their source or destination IP was neither my IP nor VPN server IP.
I considered two things about my problem:
1- I know my VPN uses its VPN server to send my whole packets to that server then forward them to my deserved destination, then take the response and send it to my client (is that correct?).
2- In Wireshark, I just can see the packets that their either source or destination address is my IP address.
My packets before using VPN:
As you can see, their either source or destination IP is my IP (192.168.1.101).
After using VPN, VPN:
Wireshark:
I tried filtering packets with my IP like this ip.addr == 192.168.1.101 to see only the packets that their either source or destination IP was my private IP, and guess what? nothing was changed. Why did this happen? Wasn't that supposed to filter my packets?
I also checked those packets' MAC and compared them with my MAC, and they were identical.
So my main question is why these kinds of wandering packets were showed by Wireshark? Is my VPN client insecure and trying to sending my data to other places? Or I'm wrong about how my VPN works?
Also, I appreciate it If somebody tells me more explanation about how my VPN or Wireshark works so that I have these types of packets in my Wireshark.
First of all your considerations, point no.1 is right, that's how a typical VPN works and point no.2 is wrong.
Wireshark can capture any packet (any source IP or destination IP) flowing in and out of a network adapter technically known as NIC card. NIC cards are the way through which you can connect to a network (Internet). A quick brief of NIC over here
A typical VPN client software would form a virtual NIC to encrypt and send your traffic through it. A quick brief of VPNs over here
So, to see the required traffic in Wireshark, you must capture traffic from an appropriate interface (NIC card). The answer over here might be helpful.
I understand that if I tell my computer to send TCP packets from a fake ip address - say 128.5.32.3 - then my computer will happily send the packets out but not receive them in response.
But why is no response received? At which point in the chain is the return packet dropped?
Or, to give the same question asked another way - if my internet provider assigns me some arbitrary IP address, why can't my computer tell the internet provider to give me a different, arbitrary, IP address?
It's like sending a letter with a return address in it that is invalid. The mail will still get there, but if they send it back the postman (router) will at best be able to deliver it to a fake return address.
Your internet provider gives you an address on internet that isn't arbitrary rather one of it's internet addresses it has allocated. You can't 'move house' by wishing it.
If you do move house by getting another valid address you still need to receive a response using address supplied.
The postmen (routers) are incorruptible AFAIK :)
To start with your question about why no response is received, it is because the response goes to the person whose IP you spoofed. This can be abused, and an example if this is a "smurf attack". You would need to control the spoofed IP in order to receive the response, and there would be no point to spoofing if you had this control.
As for your question about why you cannot make your ISP assign you an IP is because, firstly, your ISP has control of a range of IPs and cannot assign IPs out of its permitted range. Secondly, most ISPs won't take into account the IP that your device wants. It has full control and will control your IP how it wants, so you cannot change your external IP at will.
There are many reasons why an ISP will not give an 'arbitrary' IP address. These include
They themselves only have a block of IP addresses they are allowed to allocate to users, if the IP address you want to use is not in this block there's nothing they can do (even if they want to, which they probably don't)
You are mostly likely being assigned an IP through DHCP (unless your provider is very generous or you are paying for a static IP). This also means that your IP is frequently changing.
The reason you receive no response is, as you put it, because the spoofed address is not your IP address. You are in essence telling the receiver of the TCP packets to respond to a different user (e.g., you send a packet, and they respond to some random stranger).
I am learning how the IP and TCP headers work. The following is my question:
Can a source address and destination address in an IP header be the same? or doesnt it make any sense?
Similarly, can a source and destination port be the same within a TCP header?
I tried searching google but I didnt find anything specific to my question, but rather how the protocols work.
Sure, source and destination IP address can be the same. That simply represents a connection between client and server (or 2 peers) on the same host.
Source and destination port can also be the same. If that happens, it would usually happen by coincidence.
But source and destination IP address being the same and source and destination port being the same? That doesn't make sense. That would represent a TCP connection connected to itself. Even if you wanted to do it (a kind of loopback connection), the protocol wouldn't be able to distinguish packets in one direction from packets in the other direction.
I'm looking for some Linux code to find an IP address from an Ethernet address. I suppose I have to do some inverse ARP trickery but I don't find any example...
http://compnetworking.about.com/od/networkprotocolsip/f/convertipmacadd.htm
Try sending an IP broadcast (e.g. ping 192.168.1.255 if your subnet is 192.168.1.0/24) to prime your ARP cache, followed by arp -a to spit it all out.
For computers that you have communicated with, you can look at their arp entry. This is available in text format in /proc/net/arp for example. Finding an IP address for a MAC that you know but haven't communicated with is significantly more difficult. The closest match, protocol-wise, would be RARP but that's hardly ever in use so your are not likely to get a response.
You can always scan your local subnet to make sure you get a full view in your arp table. See for example fping for an efficient way to do this. Note that hosts don't actually need to respond to the pings in question to appear in the ARP table, so this is useful even in the presence of local firewalls etc.
Take a look at Thomas Habet's Arping. I've not tried it, but the basic idea is to send an ICMP Ping network packet to the MAC address in question using a broadcast destination IP address in the IP header. Only the host with the specified MAC address will reply and the reply will (usually) contain its IP address. It won't always work but it might be good enough for you. See the project readme for limitations.
If I modify the source ip address of all outgoing ip packets from my network to an ip address belonging to someone else (while ensuring that the checksum is correct) then what will happen.
Assume that I have a public IP address connected by a point-to-point link to an ISP.
Will the ISP check that the IP address in my IP packets is correct or will it just forward the packets.
I believe that ISP should just forward the packets.
what mechanisms are present in the Internet that prevent this from happening?
If you do this, you will probably be unable to establish a TCP connection -- the replies will go to the spoofed IP address, preventing the three-way handshake from succeeding.
Your ISP may, or may not, employ egress filtering at their border routers and drop the spoofed packets.
why should your ISP just ignore your attempts to spoof packages with false information?
Were I that ISP I'd not just block the packages but instantly kick you off my network as you're either compromised by some trojan or other malware or are deliberately doing something bad.
I'd do that as a public service to the world at large (trying to block computer criminals) as well as to prevent possible legal steps against me (knowingly helping in criminal activity is still a crime in most places and rightly so).