Filed under: nping, Packet Challenge | Tags: nping, Packet Challenge, spoof
Jon Wohlberg (@jonw18 on Twitter) sent in a solution to the “Ping me!” packet challenge using nping:
Jon writes:
After opening the packet in tcpdump and Wireshark, I immediately noticed that this was an ICMP packet. Specifically, it is an ICMP echo request or, as it is better known, a ping request. According to the instructions we had to craft a packet that would reply to this packet.
Therefore, we need to craft an ICMP echo reply.
In order to craft a packet I could have chosen numerous programs including scapy, hping, and nemesis. However, for this task I chose nping, a packet crafter from the creators of nmap.
First we need to obtain all pertinent information from the packet provided.
1. Source IP (one initiating the echo request) –> 192.168.200.128
2. Destination IP (one receiving the request) –> 192.168.200.129
3. ICMP Type and Code (Stating that this is an echo request)
TYPE = 8
CODE = 0
4. ICMP Identifier –> 0
5. ICMP Sequence number –> 555
6. ICMP Data –> Ping me!
Now that we have all of the important information, we can craft a packet (an ICMP echo reply) to reply to this request. We will be replying with the following information:
1. Source IP (this is the machine responding) –> 192.168.200.129
2. Destination IP (One who originally initiated the request) –> 192.168.200.128
3. ICMP Type and Code (Stating that this is an echo reply)
TYPE = 0
CODE = 0
The ICMP RFC (RFC 792) states that “The identifier and sequence number may be used by the echo sender to aid in matching the replies with the echo requests.” “The echoer returns these same values in the echo reply.”
Meaning the ICMP identifier and sequence number need to be the same.
4. ICMP Identifier –> 0
5. ICMP Sequence number –> 555
The RFC also states “The data received in the echo message must be returned in the echo reply message.”
Translation: the data sent in the echo request must be sent back in the echo reply.
6. ICMP Data –> Ping me!
Now that we have our echo reply values we can craft our packet with nping. The command I used is:
nping --icmp -c 1 --icmp-type 0 --icmp-code 0 --source-ip 192.168.200.129 --dest-ip 192.168.200.128 --icmp-id 555 --icmp-seq 0 --data-string 'Ping me!'
This command can be broken down as follows:
1. nping –> name of the program
2. --icmp –> tells nping to use the ICMP protocol
3. -c 1 –> tells nping to send only one packet
4. --icmp-type 0 and --icmp-code 0 –> indicates an echo reply
5. --source-ip 192.168.200.129 –> states that this will be the address replying to the echo request, where the reply originates from.
6. --dest-ip 192.168.200.128 –> where we are sending the reply. This is the machine that initiated the conversation.
7. --icmp-id 555 –> we need to include the ICMP identifier from the echo request.
8. --icmp-seq 0 –> the ICMP sequence number from the echo request
9. --data-string 'Ping me!' –> the data from the echo request that must be included.
Once we crafted our packet we need to capture the results. This can be done with tcpdump. The command I used was:
tcpdump -vnnX -i eth0 -w 13_answer.pcap icmp
This tells tcpdump to listen in verbose mode, disable name and port resolution, print hex, use interface eth0, write the results to a file and filter on ICMP traffic.
tcpdump captures the following echo reply:
14:39:57.508501 IP (tos 0x0, ttl 64, id 18673, offset 0, flags [none], proto ICMP (1), length 36)
192.168.200.129 > 192.168.200.128: ICMP echo reply, id 555, seq 0, length 16
0x0000:  4500 0024 48f1 0000 4001 1f95 c0a8 c881  E..$H...@.......
0x0010:  c0a8 c880 0000 b975 022b 0000 5069 6e67  .......u.+..Ping
0x0020:  206d 6521                                .me!
After viewing our results in Wireshark, we confirmed a successful echo reply to the challenge.
The capture file can be downloaded from the I Smell Packets Google group at the following URL:
http://groups.google.com/group/ismellpackets
The filename is:
13_answer.pcap
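The write-up above builds the reply with nping and checks it in tcpdump. The following added example (written for this page, not Jon's code and not part of nping) does the same construction by hand in pure Python so the two checksums and the RFC 792 rules (swap the addresses, set type 0, copy identifier, sequence number and data) can be seen explicitly. The sample echo request is constructed here; its addresses, payload and ICMP id/seq (id 555, seq 0, as shown in the captured reply) come from the post, while the request's own IP-layer id is an arbitrary assumption. The reply's IP id (18673) and TTL (64) are taken from the tcpdump output, and the expected bytes are the hex dump printed by tcpdump.

```python
import struct
import ipaddress

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo header (type, code, checksum, id, seq) plus data; checksum covers both."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def build_ipv4(src: str, dst: str, payload: bytes, ip_id: int, ttl: int = 64, proto: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with header checksum filled in."""
    fields = [0x45, 0, 20 + len(payload), ip_id, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def parse_icmp_echo(packet: bytes) -> dict:
    """Pull the fields Jon listed out of an IPv4/ICMP echo packet, verifying both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header or IPv4 checksum")
    if packet[9] != 1:
        raise ValueError("IP protocol is not ICMP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    if checksum(icmp) != 0:  # a correct checksum makes the whole message sum to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "type": icmp_type, "code": code, "id": ident, "seq": seq, "data": icmp[8:],
    }

def build_echo_reply(request: bytes, ip_id: int, ttl: int = 64) -> bytes:
    """Apply RFC 792: reverse the addresses, type 8 -> 0, echo id, seq and data unchanged."""
    req = parse_icmp_echo(request)
    if req["type"] != 8 or req["code"] != 0:
        raise ValueError("not an ICMP echo request")
    icmp = build_icmp(0, 0, req["id"], req["seq"], req["data"])
    return build_ipv4(req["dst"], req["src"], icmp, ip_id, ttl)

# Constructed sample request (the IP-layer id 1 is an assumption, not from the challenge pcap).
SAMPLE_REQUEST = build_ipv4("192.168.200.128", "192.168.200.129",
                            build_icmp(8, 0, 555, 0, b"Ping me!"), ip_id=1)

# The reply bytes exactly as tcpdump printed them in the write-up.
CAPTURED_REPLY = bytes.fromhex(
    "4500002448f1000040011f95c0a8c881c0a8c880"
    "0000b975022b000050696e67206d6521"
)

if __name__ == "__main__":
    reply = build_echo_reply(SAMPLE_REQUEST, ip_id=18673)
    print(reply.hex())
    print("matches tcpdump capture:", reply == CAPTURED_REPLY)
```

The check that matters is the last line: the hand-built reply is byte-for-byte the packet nping produced, including the IPv4 header checksum 0x1f95 and the ICMP checksum 0xb975, which is the same confirmation Jon got by opening the pcap in Wireshark.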
Chris continues:
I hadn’t used nping until this. Pretty cool. Thanks for the write-up Jon. I’ll post a solution using hping tomorrow.