This tool is about anonymizing IP and MAC Addresses of a given pcap file. This can either be used for:
- Anonymizing a legitimate pcap file.
- Anonymizing a localhost traffic pcap file to make it look real-world.
The purpose for this script is to modify IP and MAC addresses from a pcap file.
I initially made this script when I was creating CTF challenges, specifically forensic ones, and wanted to change the IP and MAC addresses of my localhost traffic into random ones to make the traffic look real. I then thought to develop it further with more options, identification of IP address classes and more. Whether you want to use it to make a CTF challenge or to anonymize a pre-existing pcap file is up to you.
I will present both cases of using the tool:
- (1) Making localhost traffic look real: CTF case.
- (2) Anonymizing real traffic: Pre-existing pcap.
Assume we want to make a very simple CTF challenge. We want to:
- Send a file containing a flag (or some secret credentials) over the internet.
- Capture the traffic.
To do that, we would start a web server with Python, e.g. `python3 -m http.server`, hosting a file named `secrets.txt`.
Fetching the file with wget/curl, or by pointing your browser at it, while capturing the traffic with Wireshark would yield the following traffic:
Obviously, for a CTF challenge this traffic would normally not be acceptable. We would like to change the IP addresses and MAC addresses to make it look more realistic.
Viewing the available options and the use of the tool:
```
$ python pcap_anonymizer.py --help
Usage: python script.py --inpcap <input_pcap_file> --outpcap <output_pcap_file> [--whitelist <file>] [--mod_null_mac <yes|no>] [--mod_localhost <yes|no>]
Options:
--inpcap Input PCAP file to anonymize.
--outpcap Output PCAP file name for anonymized packets.
--whitelist Optional file containing IP addresses to exclude from anonymization.
--mod_null_mac Set to 'yes' to anonymize MAC address '00:00:00:00:00:00', 'no' to preserve it. Default: no.
--mod_localhost Set to 'yes' to anonymize localhost IPs ('127.0.0.1'), 'no' to preserve them. Default: no.
```
If we want to change both the localhost IP and the null MAC address, the command to fully anonymize our localhost traffic would be:
```
python pcap_anonymizer.py --inpcap localhost_traffic.pcapng --outpcap randomized.pcapng --mod_null_mac yes --mod_localhost yes
```
Let's see the results:
By now you would have a fully randomized pcap file that looks completely real-world, all from running just this script. Let's also look at the case of anonymizing real-world traffic.
For this purpose I visited the YouTube website to generate actual traffic, but also pinged my localhost to generate localhost traffic.
To further showcase the rest of the flags, I will:
- Set the `mod_localhost` flag to `no` (you can also just omit it) to avoid changing the localhost traffic.
- Save one of the real-world IP addresses into a `whitelist.txt` file in order to avoid changing it.
These are the cases where we want to preserve localhost traffic or some specific IP address.
Let's view the outcome:
In the future I will also try to automate the modification of the User-Agent and Host headers inside a request.
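As an added example (this is not the pcap_anonymizer.py script from this repository), the standard-library Python below shows what the options above have to do under the hood: whitelisted IPs are kept, 127.x addresses and the null MAC are rewritten only when asked, every original address maps to the same random replacement for the whole capture (so both directions of a conversation still line up), and the IPv4 header and TCP/UDP checksums are recomputed after the rewrite so the output does not trigger Wireshark's checksum warnings. It handles classic .pcap files with Ethernet frames only; the .pcapng files used above are a different container format. The names `Anonymizer`, `anonymize_pcap`, `build_udp_frame` and `build_pcap` are mine, and the last two only construct sample input for the demo.

```python
import random
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; verifies to 0 on valid data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

class Anonymizer:
    def __init__(self, whitelist=(), mod_null_mac=False, mod_localhost=False, seed=None):
        self.rng = random.Random(seed)      # seed only to make a run reproducible
        self.whitelist = set(whitelist)     # IPs left untouched (--whitelist file lines)
        self.mod_null_mac = mod_null_mac    # --mod_null_mac yes
        self.mod_localhost = mod_localhost  # --mod_localhost yes
        self.ip_map, self.mac_map = {}, {}  # one random replacement per real address

    def map_ip(self, ip: str) -> str:
        if ip in self.whitelist or (ip.startswith("127.") and not self.mod_localhost):
            return ip
        if ip not in self.ip_map:
            taken = set(self.ip_map.values()) | self.whitelist
            while True:  # draw a public unicast address so the result looks real-world
                cand = IPv4Address(self.rng.getrandbits(32))
                if cand.is_global and not cand.is_multicast and str(cand) not in taken:
                    break
            self.ip_map[ip] = str(cand)
        return self.ip_map[ip]

    def map_mac(self, mac: bytes) -> bytes:
        if mac == b"\xff" * 6 or (mac == b"\x00" * 6 and not self.mod_null_mac):
            return mac  # broadcast is never rewritten; the null MAC only on request
        if mac not in self.mac_map:
            octets = [self.rng.getrandbits(8) for _ in range(6)]
            octets[0] &= 0xFE  # clear the I/G bit so the replacement is a unicast MAC
            self.mac_map[mac] = bytes(octets)
        return self.mac_map[mac]

    def rewrite_frame(self, frame: bytes) -> bytes:
        """Rewrite one Ethernet frame; non-IPv4 frames only get their MACs replaced."""
        if len(frame) < 14:
            return frame
        out = bytearray(self.map_mac(frame[0:6]) + self.map_mac(frame[6:12]) + frame[12:])
        if frame[12:14] != b"\x08\x00" or len(frame) < 34:
            return bytes(out)
        ip, ihl = 14, (frame[14] & 0x0F) * 4
        for pos in (ip + 12, ip + 16):  # source address, then destination address
            old = str(IPv4Address(frame[pos:pos + 4]))
            out[pos:pos + 4] = IPv4Address(self.map_ip(old)).packed
        out[ip + 10:ip + 12] = b"\x00\x00"  # the header checksum covers both addresses
        out[ip + 10:ip + 12] = struct.pack("!H", inet_checksum(bytes(out[ip:ip + ihl])))
        proto, total_len = out[ip + 9], struct.unpack("!H", out[ip + 2:ip + 4])[0]
        frag_off = struct.unpack("!H", out[ip + 6:ip + 8])[0] & 0x1FFF
        seg = out[ip + ihl:ip + total_len]  # copy of the transport segment
        off = {6: 16, 17: 6}.get(proto)     # checksum offset inside the TCP / UDP header
        if off is None or frag_off or len(seg) != total_len - ihl or len(seg) < off + 2:
            return bytes(out)               # not TCP/UDP, a later fragment, or truncated
        if proto == 17 and seg[6:8] == b"\x00\x00":
            return bytes(out)               # UDP checksum disabled: nothing to fix
        seg[off:off + 2] = b"\x00\x00"      # the pseudo-header includes the new addresses
        pseudo = bytes(out[ip + 12:ip + 20]) + struct.pack("!BBH", 0, proto, len(seg))
        csum = inet_checksum(pseudo + bytes(seg)) or (0xFFFF if proto == 17 else 0)
        out[ip + ihl + off:ip + ihl + off + 2] = struct.pack("!H", csum)
        return bytes(out)

def anonymize_pcap(data: bytes, anon: Anonymizer) -> bytes:
    """Rewrite every record of a classic pcap holding Ethernet frames (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet (DLT_EN10MB) records")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        out += data[pos:pos + 16] + anon.rewrite_frame(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return bytes(out)

def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP sample packet with valid checksums (demo input only)."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = inet_checksum(src + dst + struct.pack("!BBH", 0, 17, len(udp)) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    macs = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return macs + b"\x08\x00" + ip_hdr + udp

def build_pcap(frames) -> bytes:
    """Constructed little-endian classic pcap file wrapping the given frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + b"".join(records)
```

To use it on a real file, read the input as bytes, build `Anonymizer(whitelist=open("whitelist.txt").read().split(), mod_localhost=True, mod_null_mac=True)` with whichever options you want, and write `anonymize_pcap(data, anon)` to the output path; `anon.ip_map` and `anon.mac_map` afterwards hold the real-to-fake table, which you should keep out of the published challenge. The checksum step is the part most quick scripts skip: a capture whose addresses were rewritten but whose checksums were not is immediately recognisable as edited in Wireshark.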