Filed under: hping, nping, spoof, tcpdump | Tags: hping, nping, Packet Challenge, spoof
This is a follow up to the “Ping me!” packet challenge. In the previous post I asked how you could spoof MAC addresses using Nping and Hping. Here is the answer:
Using Nping
# nping --icmp -c 1 --icmp-type 0 --dest-ip 192.168.200.128 --source-ip 192.168.200.129 --icmp-id 0 --icmp-seq 555 --data-string 'Ping me!' --source-mac 00:0c:29:48:55:1f --dest-mac 00:0c:29:a6:5e:2f
Starting Nping 0.5.35DC1 ( http://nmap.org/nping ) at 2011-01-02 09:34 PST
SENT (0.0000s) ICMP 192.168.200.129 > 192.168.200.128 Echo reply (type=0/code=0) ttl=64 id=17243 iplen=36
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (50B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Tx time: 0.00083s | Tx bytes/s: 59952.04 | Tx pkts/s: 1199.04
Rx time: 0.99989s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 1.00 seconds
The following is the output from tcpdump:
# tcpdump -i en1 -e host 192.168.200.128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:24.609114 00:0c:29:48:55:1f (oui Unknown) > 00:0c:29:a6:5e:2f (oui Unknown), ethertype IPv4 (0x0800), length 50: 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 0, seq 555, length 16
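The tcpdump line above accounts for every byte nping sent: 14 bytes of Ethernet header, a 20-byte IPv4 header, an 8-byte ICMP header and the 8-byte "Ping me!" payload, for 50 bytes on the wire, an IP total length of 36 and an ICMP length of 16. As an added example (not part of the original post, and not code from the Nping or Hping projects), the following Python rebuilds that exact frame with the standard library only and then decodes it the way tcpdump -e did, so the spoofed addresses and checksums can be verified before anything is transmitted. The IP id 17243 is copied from the nping output; the send_frame helper is an assumption about how one would put the frame on the wire (Linux AF_PACKET, needs root) and is not called by default.

```python
"""Rebuild the spoofed ICMP echo reply from the challenge as a raw Ethernet frame.

Added example, not from the original post: 14 (Ethernet) + 20 (IPv4) + 8 (ICMP)
+ 8 (payload) = 50 bytes, matching tcpdump's "length 50", "iplen=36", "length 16".
"""
import socket
import struct

# Values taken from the challenge capture. ip_id 17243 is the id nping printed;
# any value would do, the kernel is not involved in choosing it here.
SRC_MAC = "00:0c:29:48:55:1f"
DST_MAC = "00:0c:29:a6:5e:2f"
SRC_IP = "192.168.200.129"
DST_IP = "192.168.200.128"
PAYLOAD = b"Ping me!"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by both IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac=SRC_MAC, dst_mac=DST_MAC, src_ip=SRC_IP, dst_ip=DST_IP,
                icmp_id=0, icmp_seq=555, payload=PAYLOAD, ip_id=17243, ttl=64) -> bytes:
    """Ethernet/IPv4/ICMP echo reply with every address chosen by the caller.

    Nothing here consults the ARP cache or the interface's own MAC: that is what
    crafting at layer 2 (nping --source-mac/--dest-mac) buys you, and what the
    hping workaround has to coax the kernel into doing instead.
    """
    # ICMP: type 0 (echo reply), code 0, checksum over header + payload.
    icmp_hdr = struct.pack("!BBHHH", 0, 0, 0, icmp_id, icmp_seq)
    icmp_hdr = struct.pack("!BBHHH", 0, 0, checksum(icmp_hdr + payload), icmp_id, icmp_seq)
    icmp = icmp_hdr + payload

    # IPv4: version 4, IHL 5, no options, protocol 1 (ICMP); header checksum filled last.
    def ip_header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0,
                           ttl, 1, csum, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_header(checksum(ip_header(0)))

    # Ethernet II: destination first, then source, then EtherType 0x0800 (IPv4).
    eth_hdr = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + icmp


def summarize(frame: bytes) -> dict:
    """Decode the fields tcpdump -e printed, to check the spoof from the receiving side."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ihl = (frame[14] & 0x0F) * 4
    ip_len = struct.unpack("!H", frame[16:18])[0]
    ip_hdr = frame[14:14 + ihl]
    icmp = frame[14 + ihl:14 + ip_len]
    icmp_type, icmp_code, _, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src_mac": bytes_to_mac(src_mac),
        "dst_mac": bytes_to_mac(dst_mac),
        "ethertype": ethertype,
        "src_ip": socket.inet_ntoa(frame[26:30]),
        "dst_ip": socket.inet_ntoa(frame[30:34]),
        "ip_len": ip_len,
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "icmp_id": icmp_id,
        "icmp_seq": icmp_seq,
        "icmp_len": len(icmp),
        # A header summed over its own checksum field folds to zero when intact.
        "ip_checksum_ok": checksum(ip_hdr) == 0,
        "icmp_checksum_ok": checksum(icmp) == 0,
        "frame_len": len(frame),
    }


def send_frame(frame: bytes, iface: str) -> int:
    """Assumed transmit path: Linux only, needs CAP_NET_RAW; the NIC gets the frame as-is."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    frame = build_frame()
    for key, value in summarize(frame).items():
        print("%-17s %s" % (key, value))
    # send_frame(frame, "eth0")  # run as root on Linux to actually transmit
```

Running it prints the same source and destination MACs, IPs, id, seq and lengths that tcpdump showed. Changing only the MAC arguments changes only the first twelve bytes of the frame, which is the whole trick: layer 3 and above never learn which Ethernet addresses were used.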
Using Hping
Hping has no option for Ethernet addresses: it hands its packets to the kernel over a raw IP socket, and the kernel fills in the source MAC from the sending interface and the destination MAC from its ARP table. That still doesn't prevent us from working around it, by changing what the kernel uses for each of them.
The source MAC of most *nix machines can be changed by doing something close to the following (this is the BSD/macOS ifconfig syntax; Linux uses ip link or the hw ether form of ifconfig, and many drivers want the interface down while the address is changed):
# ifconfig en1 ether 00:0c:29:48:55:1f
For instructions on how to change MAC addresses on other OSs see the following link:
Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing)
That takes care of the source MAC address, but what about the destination MAC address? It comes from the ARP table, so a static entry for the target IP makes the kernel frame everything it sends to 192.168.200.128 with the MAC we choose, without ever sending an ARP request. -S is the macOS/BSD form and replaces any existing entry for that host (on Linux the flag is lowercase -s, or use ip neigh). Remember that the entry affects all traffic from this machine to that IP until you remove it (arp -d), so delete it once the test is done:
# arp -S 192.168.200.128 00:0c:29:a6:5e:2f
Now just run hping as demonstrated in the previous post.