I Smell Packets

Earlier today I tweeted an easy little packet challenge. The challenge for me was keeping that packet to less than 140 characters. Here is a short description of how I created the challenge:

First, I created the payload for the packet. I did this by placing some text in a file using the following command:

echo 1st2DMmegetsAStarbuckscard > payload.txt

Next, I used a tool called Hping to craft the packet:

hping3 –icmp –file payload.txt –data 26 127.0.0.1

In the above command, the –icmp instructs hping to create an ICMP packet. The –file option specifies a file to be used as the payload. Next, the –data option tells hping how many bytes of data in the payload. In this case, it’s 26 bytes data. Finally there is the destination IP address which is 127.0.0.1.

To capture the packet, I ran a sniffer called tcpdump:

tcpdump -i lo0 -X -s0

Here is packet in HEX:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Decoding the Packet

Here is quick run though of how to decode the packet. First of all, when decoding packets it’s often helpful to have a reference. Here is a link to the SANS website where you can download the TCP/IP Pocket Reference from. I call this the cheat sheet.

There are also a couple of other points to remember:

1. Every two HEX characters equals one byte.

2. Start counting with 0.

Starting with byte 0, there is 45. Highlighted below:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Find the IP header section on the cheat sheet. Notice that in byte 0 we find the IP Version Number and the IP Header Length fields. The 4 in the IP Version Number field means is an IP Version 4 packet. The next field, the IP Header Length, there is a 5. This represents 32-bit words. So, in order to calculate the IP Header Length we need to multiply this field by 4. 5*4=20. Therefore, the IP Header length is 20 bytes.

Next count 20 bytes. Remember, every two HEX characters equals one byte and start counting at 0.

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

The portion highlighted above is the IP Header. What comes next? To find out look at the Protocol Field of the IP Header. According to the cheat sheet the Protocol Field is found in byte 9 of the IP Header. Looking back at the packet, there is a 01 in there:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Referring back to the cheat sheet, a 1 in the Protocol Field of the IP Header means that the next protocol is going to be ICMP. Remember that when I created this packet I specified ICMP, so this is what one would expect here. Now the ICMP part of the packet. The IP Header Length was 20 bytes, after that begins the ICMP protocol portion. This is highlighted below:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

To decode this portion of the packet look at the ICMP Header section of the cheat sheet. The first couple of bytes of the ICMP Header are the Type and Code fields. There is a 0800 in those fields, meaning, referring back to the cheat sheet that this is an ICMP Echo or a PING.

Since it’s a PING, drop down to the Ping section of the cheat sheet and locate the Data section of the ICMP Echo. This Data should contain the text in the payload.txt file. Here is the Data section highlighted:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

These bytes fall into the ASCII printable range, so convent it to ASCII.

31 73 74 32 44 4d 6d 65 67 65 74 73 41 53 74 61 72 62 75 63 6b 73 63 61 72 64
1 s t 2 D M m e g e t s A S t a r b u c k s c a r d

This is just a brief explanation. It may seem like a lot of work, but it’s really not that difficult. Like most other things it takes a little practice. Some people can even do this in their sleep, I assure you I’m not one of those people.

Another thing that someone could have done was just to look for that HEX that falls into the ASCII printable range. They would’ve immediately focused in on the payload. Maybe I’ll use some double XOR encryption next time to make it harder. 😉

One of my favorite courses is the SANS Security 503: Intrusion Detection In-Depth course. In that course you get to spend 6 days learning all about TCP/IP and performing traffic analysis. There are a ton of hands-on exercises. And unlike other courses that may teach networking and TCP/IP, in this course you get to learn this stuff from an attackers perspective.

Congratulations to @quine for being the first to send me a message and winning the Starbucks Card. It’s on the way.