
Situation: I am trying to intercept TCP (not HTTP) traffic on a Windows machine using Python. I am posting this question as most answers I was able to find teach how to sniff traffic.

Normal operation:-
Machine A ===> Machine A's TCP/IP stack ===> Machine B

What I am trying to do:-
Machine A ===> Intercept + modify packet ===> Machine A's TCP/IP stack ===> Machine B

Problem: Most common answers point to using the scapy module in Python to modify the traffic. However, scapy only sniffs the traffic from Machine A, and does not stop the original copy from being dispatched. As a result Machine B will receive two copies of the traffic.

What scapy does:-
Machine A ===> Machine A's TCP/IP stack ===> Machine B
           ||                                       /\
           \/                                       || (2nd copy)
   Scapy sniffing ===> Scapy modifications ===> Machine A's TCP/IP stack

Question: Is there any way I am able to intercept the traffic instead of sniffing it? The end goal is to have Machine B only receive one copy of the packet, which will be the modified one.

Additional information 1: All modules used will need to be able to be contained within one EXE file (a la PyInstaller) for Windows.

Additional information 2: I cannot place a third machine between A and B, so I cannot perform ARP poisoning (which was a considered option).

Additional information 3: if I were to use a proxy, it must be able to intercept traffic from ports other than standard HTTP (80, 443, 8080).

Timothy Wong
    You have to redirect the outgoing traffic of the local machine to your program. There is no universal OS independent way but you don't provide any information about the OS you are using and the permissions you have on this OS. See for example [here for MacOS](https://tlbdk.github.io/mac/proxy/mitmproxy/fiddler/2016/04/14/redirect-outgoing-traffic-for-user-on-mac.html) or [here for Linux](https://stackoverflow.com/questions/44032210/route-outcoming-traffic-to-mitmdump). – Steffen Ullrich Aug 19 '19 at 12:11
  • 1
    I just see two options for your case: 1. use the python binding of netfilter (https://pypi.org/project/NetfilterQueue/), 2. Use a proxy in python (https://twistedmatrix.com). With both cases you can modify the packet or the payload. – camp0 Aug 19 '19 at 12:12
  • Sorry forgot to mention I needed to do this on a Windows machine. But nevertheless, if I use the proxy, that means that I need to edit the system proxy settings? – Timothy Wong Aug 19 '19 at 12:18
  • @Steffen got a Windows way? I'm not really a Windows person, that's why I'm stuck – Timothy Wong Aug 19 '19 at 12:19
  • 1
    @TimothyWong: My guess is that you need to use the [Windows Filtering Platform](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/windows-filtering-platform-callout-drivers2) for this. [Based on this](https://github.com/TrustRouter/TrustRouter/wiki/Client-Implementation:-Windows) it looks like it can be used with Python but likely not trivial. Anyway, only the mechanism for interception might be a security topic. Details on how to do it in a specific programming language are not a security question but a plain programming question, i.e. off-topic here. – Steffen Ullrich Aug 19 '19 at 12:36
  • A lazy way of doing this is to set the DNS of the destination to 127.0.0.1, have your program bind to the right port on 127.0.0.1, open the remote tcp connection to the real destination, connect & forward the send/receive streams. – C.M. Aug 19 '19 at 18:22
  • @C.M. wish I could, but I am running on IP addresses. – Timothy Wong Aug 20 '19 at 02:23

0 Answers