I Smell Packets


The “Ping me!” Packet Challenge Solution using Hping
October 7, 2010, 2:51 am
Filed under: hping, Packet Challenge

As promised, here's the solution to the "Ping me!" packet challenge using hping.  The first example shows how to craft the reply using just the built-in command line options; as you will see, those options have some limitations.  The second example shows a way around them and crafts a better reply.

Example #1 — Crafting a reply using Hping

# hping3 192.168.200.128 -a 192.168.200.129 -c 1 -1 -C 0 -e "Ping me"!
HPING 192.168.200.128 (en1 192.168.200.128): icmp mode set, 28 headers + 8 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!

— 192.168.200.128 hping statistic —
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Here is a breakdown of the command:

  • 192.168.200.128 is the destination IP address.
  • '-a 192.168.200.129' spoofs the source IP address.
  • '-c 1' sends one packet.
  • '-1' specifies ICMP mode.
  • '-C 0' sets the ICMP type to 0, i.e. an echo reply.  Note that -C (--icmptype) is the type, not the code; the code is a separate option, -K (--icmpcode), which defaults to 0 and is what an echo reply needs anyway.
  • '-e "Ping me"!' appends the 8-byte payload.  The shell joins the quoted and unquoted pieces into the single argument Ping me!, and a '!' at the very end of the line is not subject to bash history expansion, which is why it is kept outside the double quotes.

The following is the output from tcpdump:

11:40:26.480933 IP 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 6699, seq 0, length 16

Notice the sequence number? The challenge requires sequence number 555, but hping's built-in ICMP options don't give us a way to set it: hping numbers the sequence itself starting at 0 and fills the id field with its own process ID, which is where the id 6699 above comes from.  Let's try it another way.

Example #2 — Crafting a better reply using Hping

# hping3 192.168.200.129 -a 192.168.200.128 -c 1 -0 -H 1 -E payload.bin -d 16
HPING 192.168.200.129 (en1 192.168.200.129): raw IP mode set, 20 headers + 16 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!
— 192.168.200.129 hping statistic —
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

The above command lets us set the ICMP sequence number, something we weren't able to do with hping3's built-in ICMP options.  In raw IP mode hping only builds the IP header; the 16 bytes read from payload.bin are sent verbatim as the IP payload, so the file has to contain the complete ICMP echo reply (the 8-byte header: type 0, code 0, checksum, id 0, sequence 555) followed by the 8 data bytes.  The ICMP checksum inside the file must already be correct, because hping does not compute it for us in this mode and the receiving host will discard a reply with a bad checksum.
  • 192.168.200.129 is the destination IP address.
  • '-a 192.168.200.128' spoofs the source IP address (note that the direction is reversed compared with Example #1; the tcpdump output below confirms it).
  • '-c 1' sends one packet.
  • '-0' specifies raw IP mode.
  • '-H 1' sets the IP protocol field to 1 (ICMP) when in raw IP mode.
  • '-E payload.bin' reads the payload from the file.
  • '-d 16' is the length of the payload in bytes (8-byte ICMP header + 8 data bytes).

Here is a screenshot of payload.bin:

[payload.jpg]

The following is the output from tcpdump:

13:08:58.353552 IP 192.168.200.128 > 192.168.200.129: ICMP echo reply, id 0, seq 555, length 16
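To show what payload.bin has to contain, here is an added example (not code from the original post) that builds the 16-byte ICMP echo reply for hping's raw IP mode and computes the RFC 1071 checksum that hping leaves to us in that mode.  The id 0 and sequence 555 come from the tcpdump line above; the 8 data bytes are assumed to be "Ping me!" (the challenge's own text) and the output file name is assumed to be payload.bin to match the -E argument used above.

```python
#!/usr/bin/env python3
"""Build payload.bin for: hping3 <dst> -a <src> -c 1 -0 -H 1 -E payload.bin -d 16

Added example, not part of the original post.  In raw IP mode (-0) hping3
builds only the IP header and sends the -E file verbatim as the IP payload,
so the ICMP header, including a valid checksum, must already be in the file.
Assumptions: id 0 and seq 555 (from the tcpdump output in the post); the
8 data bytes are assumed to be b"Ping me!"; output file name payload.bin.
"""
import struct

ICMP_ECHO_REPLY = 0     # ICMP type 0
ICMP_ECHO_REQUEST = 8   # ICMP type 8
ICMP_HDR = "!BBHHH"     # type, code, checksum, id, sequence (network byte order)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, data: bytes) -> bytes:
    """Return a complete ICMP echo message with the checksum filled in."""
    # Checksum is computed with the checksum field set to zero.
    header = struct.pack(ICMP_HDR, icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack(ICMP_HDR, icmp_type, code, csum, ident, seq) + data


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP echo header and verify its checksum.

    A message with a correct checksum sums (one's complement) to 0xFFFF,
    so recomputing the checksum over the whole message yields 0.
    """
    icmp_type, code, csum, ident, seq = struct.unpack(ICMP_HDR, packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        "id": ident,
        "seq": seq,
        "data": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def write_payload(path: str = "payload.bin", ident: int = 0, seq: int = 555,
                  data: bytes = b"Ping me!") -> bytes:
    """Write the echo reply to `path` (assumed name) and return its bytes."""
    packet = build_icmp(ICMP_ECHO_REPLY, 0, ident, seq, data)
    with open(path, "wb") as fh:
        fh.write(packet)
    return packet


if __name__ == "__main__":
    pkt = write_payload()
    # len(pkt) is the value to pass to hping3 -d
    print("%d bytes -> use -d %d" % (len(pkt), len(pkt)), pkt.hex())
    print(parse_icmp(pkt))
```

Run the script, then send the file with the Example #2 command; capturing with tcpdump -v is a quick check, since -v verifies the ICMP checksum and flags a bad one.  The same build_icmp() with type 8 produces a matching echo request if you want to replay the other side of the exchange.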

With scapy we were able to spoof the source MAC address.  Bonus points to anyone who can tell me how we could do the same thing here.

References:

http://www.hping.org/manpage.html
