I Smell Packets


“Ping me!” Packet Challenge Follow Up
January 6, 2011, 5:37 am
Filed under: hping, nping, spoof, tcpdump

This is a follow up to the “Ping me!” packet challenge.  In the previous post I asked how you could spoof MAC addresses using Nping and Hping.  Here is the answer:

Using Nping

# nping --icmp -c 1 --icmp-type 0 --dest-ip 192.168.200.128 --source-ip 192.168.200.129 --icmp-id 0 --icmp-seq 555 --data-string 'Ping me!' --source-mac 00:0c:29:48:55:1f --dest-mac 00:0c:29:a6:5e:2f

Starting Nping 0.5.35DC1 ( http://nmap.org/nping ) at 2011-01-02 09:34 PST
SENT (0.0000s) ICMP 192.168.200.129 > 192.168.200.128 Echo reply (type=0/code=0) ttl=64 id=17243 iplen=36

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (50B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Tx time: 0.00083s | Tx bytes/s: 59952.04 | Tx pkts/s: 1199.04
Rx time: 0.99989s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 1.00 seconds

The following is the output from tcpdump:

# tcpdump -i en1 -e  host 192.168.200.128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:24.609114 00:0c:29:48:55:1f (oui Unknown) > 00:0c:29:a6:5e:2f (oui Unknown), ethertype IPv4 (0x0800), length 50: 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 0, seq 555, length 16

Using Hping

Hping doesn’t have the ability to spoof MAC addresses, but that still doesn’t prevent us from working around it.

The MAC address of most *nix machines can be changed by doing something close to the following:

# ifconfig en1 ether 00:0c:29:48:55:1f

For instructions on how to change MAC addresses on other OSs see the following link:

Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing)

That takes care of the source MAC address, but what about the destination MAC address?  This can be spoofed by creating a static ARP entry:

arp -S 192.168.200.128 00:0c:29:a6:5e:2f

Now just run hping as demonstrated in the previous post.
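
Seen from the receiving network, the frame in the capture above is an echo reply that answers no request. As an added example (not from the original post), this Python code reads `tcpdump -e` ICMP lines in the layout shown above and flags echo replies with no matching request and IP addresses seen with more than one source MAC. The function names, the extra sample lines and the MAC 00:0c:29:00:00:01 are constructed for illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d+(?:\.\d+){3}"
# ICMP echo lines in the `tcpdump -e` layout shown in the post.
LINE = re.compile(
    rf"(?P<smac>{MAC}) .*?> (?P<dmac>{MAC}).*?: (?P<sip>{IP}) > (?P<dip>{IP}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def review(lines):
    """Alert on echo replies with no request and on IPs seen with a second MAC."""
    pending, macs, alerts = set(), {}, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        sip, dip, smac = m["sip"], m["dip"], m["smac"]
        ident, seq = int(m["id"]), int(m["seq"])
        seen = macs.setdefault(sip, set())
        if seen and smac not in seen:
            alerts.append(("mac-changed", sip, smac))
        seen.add(smac)
        if m["kind"] == "request":
            pending.add((sip, dip, ident, seq))
        elif (dip, sip, ident, seq) in pending:
            pending.discard((dip, sip, ident, seq))  # reply answers a request
        else:
            alerts.append(("unsolicited-reply", sip, (ident, seq)))
    return alerts

def frame(ts, smac, dmac, sip, dip, kind, ident, seq):
    """Format one line the way `tcpdump -e` prints it in the post."""
    return (f"{ts} {smac} (oui Unknown) > {dmac} (oui Unknown), ethertype IPv4 "
            f"(0x0800), length 50: {sip} > {dip}: ICMP echo {kind}, id {ident}, "
            f"seq {seq}, length 16")

A, B = "00:0c:29:a6:5e:2f", "00:0c:29:48:55:1f"   # MACs from the post
SAMPLE = [
    # Constructed request/reply pair, then the frame from the post (id 0, seq 555),
    # then a constructed reply from a second MAC claiming the same source IP.
    frame("21:31:20.000001", A, B, "192.168.200.128", "192.168.200.129", "request", 7, 1),
    frame("21:31:20.000400", B, A, "192.168.200.129", "192.168.200.128", "reply", 7, 1),
    frame("21:31:24.609114", B, A, "192.168.200.129", "192.168.200.128", "reply", 0, 555),
    frame("21:31:30.000001", "00:0c:29:00:00:01", A,
          "192.168.200.129", "192.168.200.128", "reply", 0, 556),
]
```

A capture that sees only one direction of the traffic will report every reply as unsolicited, so run this on a tap that sees both.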



Another “Ping me!” Packet Challenge Solution
October 6, 2010, 3:35 am
Filed under: nping, Packet Challenge

Jon Wohlberg (@jonw18 on Twitter) sent in a solution to the “Ping me!” packet challenge using nping:

Jon writes:

After opening the packet in tcpdump and wireshark, I immediately noticed that this was an icmp packet. Specifically, it is an icmp echo request or as it is better known as a ping request. According to the instructions we had to craft a packet that would reply to this packet.

Therefore, we need to craft an ICMP echo reply.

In order to craft a packet I could have chosen numerous programs including scapy, hping, and nemesis. However, for this task I chose nping, a packet crafter from the creators of nmap.

First we need to obtain all pertinent information from the packet provided.
1. Source IP (one initiating the echo request) --> 192.168.200.128
2. Destination IP (one receiving the request) --> 192.168.200.129
3. ICMP Type and Code (Stating that this is an echo request)
TYPE =  8
CODE = 0
4. ICMP Identifier --> 0
5. ICMP Sequence number --> 555
6. ICMP Data --> Ping me!

Now that we have all of the important information, we can craft a packet (an ICMP echo reply) to reply to this request. We will be replying with the following information:
1. Source IP (this is the machine responding) --> 192.168.200.129
2. Destination IP (One who originally initiated the request) --> 192.168.200.128
3. ICMP Type and Code (Stating that this is an echo reply)
TYPE =  0
CODE = 0

Per the ICMP rfc (RFC 792), it states that “The identifier and sequence number may be used by the echo sender to aid in matching the replies with the echo requests.” “The echoer returns these same values in the echo reply.”

Meaning the ICMP identifier and sequence number need to be the same.
4. ICMP Identifier --> 0
5. ICMP Sequence number --> 555

The rfc also states “The data received in the echo message must be returned in the echo reply message.”

Translation, the data sent in the echo request must be sent back in the echo reply.
6. ICMP Data --> Ping me!

Now that we have our echo reply values we can craft our packet with nping. The command I used is:

nping --icmp -c 1 --icmp-type 0 --icmp-code 0 --source-ip 192.168.200.129 --dest-ip 192.168.200.128 --icmp-id 555 --icmp-seq 0 --data-string 'Ping me!'

This command can be broken down as follows:
1. nping --> name of the program
2. --icmp --> tells nping to use the ICMP protocol
3. -c 1 --> tells nping to send only one packet
4. --icmp-type 0 and --icmp-code 0 --> indicates an echo reply
5. --source-ip 192.168.200.129 --> states that this will be the address replying to echo request. Where the reply originates from.
6. --dest-ip 192.168.200.128 --> where we are sending the reply. This is the machine that initiated the conversation.
7. --icmp-id 555 --> we need to include the icmp identifier from the echo request.
8. --icmp-seq 0 --> the icmp sequence number from echo request
9. --data-string 'Ping me!' --> the data from the echo request that must be included.

Once we crafted our packet we need to capture the results. This can be done with tcpdump. The command I used was:

tcpdump -vnnX -i eth0 -w 13_answer.pcap icmp

This tells tcpdump to listen in verbose mode, disable name and port resolution, print hex, use interface eth0, write the results to a file and filter on icmp traffic.

tcpdump captures the following echo reply


14:39:57.508501 IP (tos 0x0, ttl 64, id 18673, offset 0, flags [none], proto ICMP (1), length 36)
192.168.200.129 > 192.168.200.128: ICMP echo reply, id 555, seq 0, length 16
0x0000:  4500 0024 48f1 0000 4001 1f95 c0a8 c881  E..$H...@.......
0x0010:  c0a8 c880 0000 b975 022b 0000 5069 6e67  .......u.+..Ping
0x0020:  206d 6521                                .me!

After viewing our results in wireshark, we confirmed a successful echo
reply to the challenge.

The capture file can be downloaded from the I Smell Packets Google group at the following URL:

http://groups.google.com/group/ismellpackets

The filename is:

13_answer.pcap


Chris continues:

I hadn’t used nping until this.  Pretty cool.  Thanks for the write-up Jon.  I’ll post a solution using hping tomorrow.
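
To check a capture like the one in Jon's write-up byte by byte, this added Python example (not part of Jon's or Chris's text) decodes the hex columns of the `tcpdump -X` dump shown above, verifies the IP and ICMP checksums, and computes the reply RFC 792 expects for a given echo request. The function names are chosen for this example, and the ASCII column of the dump is left out.

```python
import struct

# Hex columns of the tcpdump -X dump in the write-up (IP header + ICMP message).
DUMP = """
0x0000:  4500 0024 48f1 0000 4001 1f95 c0a8 c881
0x0010:  c0a8 c880 0000 b975 022b 0000 5069 6e67
0x0020:  206d 6521
"""

def from_dump(text):
    """Drop the offset labels and turn the hex columns into bytes."""
    hexpart = "".join(line.split(":", 1)[1] for line in text.strip().splitlines())
    return bytes.fromhex(hexpart)

def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length payloads
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_echo(packet):
    """Decode an IPv4 packet carrying an ICMP echo message and check both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        # A header or message with a valid checksum sums to zero when re-checked.
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "type": typ, "code": code, "id": ident, "seq": seq, "data": icmp[8:],
    }

def expected_echo_reply(request_icmp):
    """RFC 792 reply: type 0, code 0, same identifier, sequence number and data."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request_icmp[:8])
    body = struct.pack("!BBHHH", 0, 0, 0, ident, seq) + request_icmp[8:]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```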