Vous êtes sur la page 1sur 9

Network Packet Crafting, Sniffing, and Parsing:

A primer on crafting, sensing and formatting the output of TCP/UDP/ICMP/rawIP packets using three popular freeware security utilities for UNIX-Based systems

1.

GOAL

To find a flexible freeware packet crafting tool, learn its usage and options, verify its output using TCPdump, and parse this output into an easy-to-read format.

2.

TOOLS USED

Hping 2 Beta ver. 5.4

packet assembler/analyzer tool

TCPdump 3.6.2

http://www.kyuzz.org/antirez/hping.html robust utility that dumps headers of packets from network traffic

Packprint

http://www.tcpdump.org/ simply formats TCPdump output into a clearer scheme http://www.earth.li/projectpurple/progs/packprint.html

 

Notes:

1.It is important that the latest version of tcpdump is used. The version that comes bundled with a standard *NIX installation is often dated, and doesn't support the -X switch for example. 2.These and other utilities are available in the software repository on the internal CSL network at http://10.17.0.101

3.

BACKGROUND

Hping2 and other packet generating utilities follow the same order of operations when creating and sending packets onto a network. These operations are as follows:

memory initialization network initialization packet construction packet injection

(specifying enough memory for the packet) (call to code library that returns RAW socket and connects link-layer interface) (the setting or filling of a specific protocol's flags, headers, and payload) (dropping the packet onto the network For example: different process for IP than for Link Layer)

Hping2's implementation makes the above steps transparent to the user, producing a network tool that easily assembles and sends custom ICMP/UDP/TCP packets, and displays target replies in the same way ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and it can be used to transfer files under the above supported protocols. Hping2 is command-line oriented, and employs a large number of extensions.

As described by its programmers, Hping2 can be used for:

Firewall testing

Advanced port scanning

Network testing, using different protocols, TOS, fragmentation

Manual path MTU discovery

Traceroute like, under all the supported protocols

Remote OS fingerprinting

TCP/IP stacks auditing

hping is also a useful tool for students that are learning TCP/IP.

4.

PROCEDURE

Installation of all three utilities is relatively straightforward (see the README of each). In the following examples, packprint, tcpdump, and hping2 reside in the directory "/usr/local/sbin" because this directory is in the system path by default.

The following examples all take place on a linux terminal with root access, connected to a local network, running the KDE environment, and the following setup:

First rootshell window:

Second rootshell window:

  • 5. EXAMPLES

for running TCPdump and Packprint. for running Hping2

1. Creating a simple TCP packet and sniffing it with TCPDUMP: rootshell 1 rootshell 2
1.
Creating a simple TCP packet and sniffing it with TCPDUMP:
rootshell 1
rootshell
2

In the above example, tcpdump is started first (in rootshell 2), with "host 10.17.0.101" specifying the IP address of a local machine in the lab. This parameter is necessary because we only want to see traffic to and from that specific IP. Without it, tcpdump would display ALL local network traffic, making the exercise unnecessarily confusing.

With tcpdump listening, we then proceed to create a packet and send it to "10.17.0.101" by invoking "hping2" in rootshell 1. The switch "-c 1" specifies that the count (number of packets to send) is one. Again, this is done to keep the output simple and uncluttered. Upon hitting enter, we see a quick summary of the packet that has been created. By default, the packet has a TCP header with no flags set, and no data bytes (ie. no payload). In the next line we see the machine respond by resetting the ttl to 255 (from 64), assign an id, etc. Following this are statistics about the packets journey to and from the host computer.

In general, usage for hping2 is as follows:

hping2 (host) [options]

Looking again at rootshell 2, we see the network traffic our synthesized packet has created, complete with standard arp who-has request, arp reply, and a timestamp of each event. Before performing any more examples, it is necessary to recall the structure of this basic TCP header and the headers of a couple of other protocols. Below is a diagram of each, followed by a complete list of the switches which are used with Hping2 to craft such packets, populate their fields, and set their flags. Matching the switches in the list with the appropriate field in the diagrams is a quick way to regain familiarity with the protocols as well as the values of the default settings and how to change each.

0 15 16 IP H EADER 31 4-bit 4-bit header version length 8-bit type of service
0
15
16
IP
H EADER
31
4-bit
4-bit header
version
length
8-bit type of service
(TO S)
16-bit total length (in bytes)
3-bit
16-bit identification
13-bit fragm ent offset
flags
8-bit
tim e
to
live
8-bit protocol
16-bit header checksum
20 bytes
(TTL)
32-bit source IP address
32-bit destination IP address
O ptions
(if
any)
Data
0
15
16
UDP HEADER
31
16-bit source port num ber
16-bit destination port num ber
8
bytes
16-bit
U DP
length
16-bit U DP checksum
Data
(if any)
0
15
16
TCP HEADER
31
16-bit source port num ber
16-bit destination port num ber
32-bit sequence num ber
32-bit acknow ledgm ent num ber
20
bytes
U
A
P
R
S
F
4-bit header
Reserved
R
C
S
S
Y
I
16-bit window size
length
(6
bits)
G
K
H
T
N
N
16-bit TCP checksum
16-bit urgent pointer
O ptions
(if any)
Data
(if any)
usage: hping host [options]
-h
--help
-v
--version
-c
--count
-i
--interval
show this help
show version
packet count
wait (uX for X microseconds, for example -i u1000)

-n

--numeric

numeric output

-q --quiet

quiet

-I --interface interface name (otherwise default routing interface)

-V

--verbose

verbose mode

-D

--debug

debugging info

-z

--bind

bind ctrl+z to ttl

(default to dst port)

-Z

--unbind

unbind ctrl+z

Mode

default mode

TCP

-0

--rawip

RAW IP mode

-1

--icmp

ICMP mode

-2

--udp

UDP mode

-9

--listen

listen mode

IP

-a

--spoof

spoof source address

-t

--ttl

ttl (default 64)

-N

--id

id (default random)

-W

--winid

use win* id byte ordering

-r

--rel

relativize id field

(to estimate host traffic)

-f

--frag

split packets in more frag.

(may pass weak acl)

-x

--morefrag

set more fragments flag

-y

--dontfrag

set dont fragment flag

-g

--fragoff

set the fragment offset

-m

--mtu

set virtual mtu, implies --frag if packet size > mtu

-o

--tos

type of service (default 0x00), try --tos help

-G

--rroute

includes RECORD_ROUTE option and display the route buffer

-H

--ipproto

set the IP protocol field, only in RAW IP mode

ICMP

-C

--icmptype

icmp type (default echo request), try --icmptype help

-K

--icmpcode

icmp code (default 0)

--icmp-help display help for others icmp options

UDP/TCP

-s

--baseport

base source port

(default random)

-p --destport

[+][+]<port> destination port(default 0) ctrl+z inc/dec

-k

--keep

keep still source port

-w

--win

winsize (default 64)

-O

--tcpoff

set fake tcp data offset

(instead of tcphdrlen / 4)

-Q

--seqnum

shows only tcp sequence number

-b

--badcksum

send packets with a bad IP checksum

-M

--setseq

set TCP sequence number

-L

--setack

set TCP ack

-F

--fin

set FIN flag

-S

--syn

set SYN flag

-R

--rst

set RST flag

-P

--push

set PUSH flag

-A

--ack

set ACK flag

-U

--urg

set URG flag

-X

--xmas

set X unused flag (0x40)

-Y

--ymas

set Y unused flag (0x80)

--tcpexitcode

use last tcp->th_flags as exit code

Common

-d

--data

data size

(default is 0)

-E

--file

data from file

-e

--sign

add 'signature'

-j

--dump

dump packets in hex

-J

--print

dump printable characters

-B

--safe

enable 'safe' protocol

-u

--end

tell you when --file reached EOF and prevent rewind

-T

--traceroute traceroute mode

(implies --bind)

2.

Creating, sniffing, and parsing the same TCP Packet

2. Creating, sniffing, and parsing the same TCP Packet This time we've piped the output of

This time we've piped the output of tcpdump to a parser called Pckprint that re-formats the information and makes it more readable, the second window displays a fragment of this information. Although this method is sometimes buggy, we can parse the tcpdump output with packprint in (almost) real-time with the command shown in the window.

The "-s 65535" defines the maximum number of bytes of data that tcpdump captures for each packet. Without this, tcpdump only captures a default of 68 bytes. The entire packet must be captured for the parser to process the data properly. The "-c 1" is used in the same way as for hping2 in Example 1. That is, to limit the number of packets (in this case captured) to 1. The "-w" switch indicates that the traffic is to be dumped to a file ( "-" in this case indicates that the file is actually the screen) and "packprint -" processes this 'file'.

If this command seems counter-intuitive, it is acceptable to first capture the traffic to a file, and then process it, as below:

>> tcpdump host 10.17.0.101 -s 65535 -c 5 -w out.txt >> packprint out.txt

3.

Creating and sniffing a raw IP packet with a spoofed source address

3. Creating and sniffing a raw IP packet with a spoofed source address To see how

To see how we can spoof the source address, tcpdump is set running in rootshell 2 and the hping2 command with the "-a" switch is executed as shown in rootshell 1. To create a raw IP packet, "-0" was specified as per the usage menu.

Note that in this case, although we did assemble and inject the packet -- successfully spoofing the source address as "microsoft.com" -- the host could not establish a connection because the synthesized packet is only the first step in the protocol's handshake (see the line "1 packets transmitted, 0 packets received, 100% packet loss"). Faking the source IP is little more than a neat trick without the trust-exploitation in place that would make it useful in compromising a system.

  • 4. Creating and sniffing a TCP packet with a fake TCP data offset, a specific starting TTL, a non- random ID, a SYN flag set, and a specific TCP sequence number.

3. Creating and sniffing a raw IP packet with a spoofed source address To see how

7

The above is an example of a very customized packet; made so with the appropriate switches and chosen values as shown. The "-vv" in the tcpdump command is to give more detailed (verbose) output. Note that all the values specified at the command line in rootshell 1 appear in the tcpdump stream in rootshell 2

  • 5. Generating and sniffing a specific payload in a simple TCP packet.

The above is an example of a very customized packet; made so with the appropriate switches

By adding the switch "-d 108" we specify that the data field of the packet will have a size of 108 bytes, the "-E in.txt" specifies the location from which this payload is extracted. While being written in the editor, the file looked as shown to the right. The same text is plainly visible in both hex and ascii outputs of the tcpdump stream. Literally any information can be transferred in the clear this way between trusted machines.

The above is an example of a very customized packet; made so with the appropriate switches

HPING AND TCPDUMP IN ACTION

There is no end to the amount of network traffic and security information that can be gathered using basic utilities like Hping2 and TCPdump. Hping2 is a rather small program, but it can perform sophisticated, stealthy scans of net sites and create the illusion of probes from widely dispersed locations. Network weaknesses to certain protocols can be identified, firewalls can be tested, and entire files can be transferred within the payloads of packets that are masquerading as something much more benign. With the right series of scripts taking advantage of the flexibility of Hping and the thoroughness of TCPDump, it is possible to identify very many network vulnerabilities.

With Hping3 currently in the works, and the source code for the current version freely available, Hping2 offers an excellent starting point for new code that can demonstrate the vulnerability of higher-level protocols. A significant example is a trojan that encapsulates and transmits (with no interference from the firewall) private information inside something as innocent as an http request.