HTTP Header Sniffing: A Python Tutorial for Ethical Hackers

Suraj Singh Bisht
Oct 16, 2024

Web sniffing allows us to capture HTTP header packets, providing valuable insights into server behavior and configuration.

Information gathering is a cornerstone of ethical hacking and penetration testing. One powerful technique in this domain is web sniffing, particularly HTTP header sniffing. This tutorial will guide you through creating a Python script to capture and analyze HTTP header packets, providing valuable insights into website behavior and configuration.

What Is HTTP Header Sniffing?

HTTP header sniffing is the process of intercepting and examining the headers of HTTP requests and responses. These headers contain crucial metadata about the communication between clients and servers, offering a wealth of information for security professionals.

Why is It Important?

Understanding HTTP headers is vital for several reasons:

  1. Server Configuration Analysis: Headers reveal details about the server’s software, version, and configuration.
  2. Security Assessment: By examining cookie attributes and security headers, you can evaluate a website’s security measures.
  3. Vulnerability Discovery: Certain headers may expose potential vulnerabilities or misconfigurations.
  4. Troubleshooting: For developers, header analysis is crucial in debugging network-related issues.

Remember, misuse of these techniques is illegal and unethical. Always operate within the boundaries of the law and professional ethics.

This script will not work on HTTPS traffic, because the SSL/TLS layer encrypts the headers and so prevents sniffing.

How It Works

Our Python script will act as a silent observer in the HTTP communication process:

  1. Client Request: A user’s browser sends an HTTP request to a server.
  2. Server Response: The server processes the request and sends back an HTTP response with headers.
  3. Sniffing Process: Our script intercepts this exchange, focusing on capturing the response headers.

Implementation

We’ll be using Python’s built-in socket module, so no additional installations are necessary. The socket module provides low-level networking interface support, allowing us to interact directly with network protocols.

Create a socket handler for packet sniffing:

import socket
s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0800))

Let’s break down this line:

  • socket.PF_PACKET: This parameter allows us to receive packets at the device driver level, bypassing upper-layer protocols. Packet sockets are Linux-specific, and opening one requires root privileges (or the CAP_NET_RAW capability).
  • socket.SOCK_RAW: This indicates that we want raw network protocol access, so each captured packet includes its Ethernet header.
  • socket.ntohs(0x0800): This specifies that we're interested in IP packets (0x0800 is the EtherType for IPv4).

Next, create a loop that continuously reads packets from the socket. The 65565 argument to recvfrom() is the buffer size, which is large enough to hold the largest possible IP packet. Inside the loop, we process the captured data to extract HTTP headers.

while True:
    # recvfrom() returns (frame_bytes, address_info); the frame is data[0]
    data = s.recvfrom(65565)
    try:
        # Check for HTTP presence in the response
        if b"HTTP" in data[0][54:]:
            print("\n" + "=" * 50)
            raw = data[0][54:]
            if b"\r\n\r\n" in raw:
                # A blank line separates the headers from the body
                headers = raw.split(b'\r\n\r\n')[0]
                print("[*] HTTP Headers Captured:")
                for header in headers.split(b'\r\n'):
                    print(f" {header.decode('utf-8', errors='ignore')}")
            else:
                print("[*] Raw HTTP Data:")
                print(raw.decode('utf-8', errors='ignore'))
            print("=" * 50)
    except Exception as e:
        print(f"An error occurred: {e}")

The code block does the following:

  • It checks whether the packet contains HTTP data.
  • If so, it extracts the raw data starting at byte offset 54, skipping the 14-byte Ethernet header, the 20-byte IP header and the 20-byte TCP header. This assumes that neither the IP nor the TCP header carries options.
  • It then looks for the end of the headers (marked by '\r\n\r\n') and prints the captured headers.

Here’s the full Python script for our HTTP header sniffer:

import socket

# Author: Suraj Singh Bisht

# Create a raw packet socket (Linux only, needs root or CAP_NET_RAW)
s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0800))

print("HTTP Header Sniffer - Listening for packets...")


while True:
    # recvfrom() returns (frame_bytes, address_info); the frame is data[0]
    data = s.recvfrom(65565)
    try:
        # Check for HTTP presence in the response
        if b"HTTP" in data[0][54:]:
            print("\n" + "=" * 50)
            raw = data[0][54:]
            if b"\r\n\r\n" in raw:
                # A blank line separates the headers from the body
                headers = raw.split(b'\r\n\r\n')[0]
                print("[*] HTTP Headers Captured:")
                for header in headers.split(b'\r\n'):
                    print(f" {header.decode('utf-8', errors='ignore')}")
            else:
                print("[*] Raw HTTP Data:")
                print(raw.decode('utf-8', errors='ignore'))
            print("=" * 50)
    except Exception as e:
        print(f"An error occurred: {e}")
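
The fixed offset of 54 bytes used above holds only when neither the IP nor the TCP header carries options. The following added example (not part of the original script) computes the payload offset from the IP header-length and TCP data-offset fields and runs offline on a constructed frame; http_headers_from_frame, build_sample_frame and TS_OPTION are names chosen for illustration.

```python
import struct

def http_headers_from_frame(frame: bytes):
    """Return the HTTP response header lines in an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                          # too short, or EtherType is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length: 20 to 60 bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 20:
        return None                          # not IPv4/TCP (protocol 6) or truncated
    tcp = ip[ihl:]
    doff = (tcp[12] >> 4) * 4                # TCP header length: 20 to 60 bytes
    if doff < 20 or len(tcp) < doff:
        return None
    payload = tcp[doff:]
    if not payload.startswith(b"HTTP/"):     # keep only response status lines
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    return [h.decode("utf-8", errors="ignore") for h in head.split(b"\r\n")]

def build_sample_frame(tcp_options: bytes = b"") -> bytes:
    """Constructed frame (checksums left at 0): Ethernet + IPv4 + TCP + HTTP response."""
    http = (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
            b"Set-Cookie: sid=abc; HttpOnly\r\n\r\n<html></html>")
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    doff = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 80, 50000, 0, 0, doff << 4, 0x18, 65535, 0, 0)
    tcp += tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + tcp + http

# NOP, NOP, timestamp option (kind 8, length 10): 12 bytes of TCP options
TS_OPTION = b"\x01\x01\x08\x0a" + bytes(8)

if __name__ == "__main__":
    for opts in (b"", TS_OPTION):
        frame = build_sample_frame(opts)
        print("fixed offset 54 starts with:", frame[54:62])
        print("parsed headers:", http_headers_from_frame(frame))
```

With the timestamp option present, the slice at offset 54 begins with option bytes rather than the status line, while the computed offset returns the same three header lines in both cases.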

Happy learning!
