Filed under: hping, Packet Challenge | Tags: hping, Packet Challenge, spoof
As promised here’s the solution to the “Ping me!” packet challenge using hping. The first example shows how to craft the reply using just the built-in command line options. As you will see, hping does have some limitations. The second example shows a way to overcome these limitations and craft a better reply.
Example #1 — Crafting a reply using Hping
# hping3 192.168.200.128 -a 192.168.200.129 -c 1 -1 -C 0 -e “Ping me”!
HPING 192.168.200.128 (en1 192.168.200.128): icmp mode set, 28 headers + 8 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!
— 192.168.200.128 hping statistic —
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Here is a break down of the command:
- 192.168.200.128 is the destination IP address.
- ‘-a 192.168.200.129’ spoofs the source IP address.
- ‘-c 1’ sends one packet.
- ‘-1’ specifies ICMP.
- ‘-C 0’ specifies ICMP Code 0 aka a echo reply.
The following is the output from tcpdump:
11:40:26.480933 IP 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 6699, seq 0, length 16
- 192.168.200.128 is the destination IP address.
- ‘-a 192.168.200.129’ spoofs the source IP address.
- ‘-c 1’ sends one packet.
- ‘-0’ specifies Raw IP mode.
- ‘-H 1’ set the protocol to ICMP when in Raw mode.
- ‘-E payload.bin’ is the payload.
- ‘-d 16’ is the length of the payload in bytes.
Here is a screenshot of payload.bin
The following is the output from tcpdump:
13:08:58.353552 IP 192.168.200.128 > 192.168.200.129: ICMP echo reply, id 0, seq 555, length 16
With scapy we were able to spoof the source MAC address. Bonus points to anyone who can tell me how we could do the same thing here?
References:
http://www.hping.org/manpage.html
Leave a Comment so far
Leave a comment
I Smell Packets 