4

I have an embedded device which connects to the Internet using TCP and UDP using custom protocols on a series of ports along with DHCP, DNS, NTP and ICMP pings. It has two interfaces - a GPRS modem and a Ethernet socket.

I would like to build a proxy so that I can tamper with the communications on the Ethernet side. This would ideally be a framework that allows be to either chose to forward or intercept and modify communications.

I was surprised when I couldn't find any tools, frameworks or tutorials to do this.

Does anyone have any guidance?

edit: this is relevant to reverse engineering because the custom protocols are not understood. By MITMing the connection, it would enable a better understanding of the protocols e.g. what happens when a packet goes missing? Is what appears to be a sequence number important? etc.

Cybergibbons
  • 1,762
  • 2
  • 17
  • 26

2 Answers2

2

I assume that "connects to the internet" just means "uses DHCP to find IP parameters, then uses what it has found to send TCP/UDP packets". I doubt the device actually checks if "the internet" is reachable, except that it possibly tries to connect a server whose IP address is found by DNS.

So noone prevents you from using wireshark on your switches mirror port to trace what the device does on the network, or return some computers' IP as router when the device asks for it. After that, every packet goes to your computer where you can inspect, drop, or change it.

The mitmproxy project does this for http(s), and it comes with a library which should make it possible to re-write all TCP connections - i don't know if UDP works as well. In the documentation, there are many suggestions how to mess with routing tables to route the traffic through your computer, so it will probably be helpful no matter if you expand on their software or write your own.

Guntram Blohm
  • 12,950
  • 2
  • 22
  • 32
  • The device pings the gateway and a server continuously once connected to the network, so it is really checking for a connection to the Internet.

    Already using a switch with mirror port for monitoring, but that doesn't allow me to drop the packets, does it? As the switch has already sent them onto the gateway.

     – Cybergibbons May 23 '14 at 06:54
  • 1
    No, the switch alone won't allow you to drop packets. If i were you, i'd set up a linux box, and change dhcp to return that linux box as the device's router. Then, use iptables to drop packets based on patterns, or re-route them to some software on the box, and use mitmproxy to change what's going out. The mitmproxy docs have some nice examples on this. – Guntram Blohm May 23 '14 at 07:10
2

Another try if you want allot of control is Scapy

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more

ixje
  • 1,733
  • 14
  • 25