I Smell Packets


Solution to the “Check It Out” Packet Challenge using Scapy
April 22, 2011, 1:03 am
Filed under: Packet Challenge, scapy

Here’s a nifty solution to the “Check It Out” Packet Challenge by StalkR (@stalkr_ on Twitter) that uses Scapy:

StalkR writes:

Just seen the challenge and wanted to try 🙂

1) save the hexdump on the blog post into packet.txt

2) turn it back into a hex string
$ awk '$0!=""{print $0}' packet.txt |sed 's/ //g' |tr -d '\n' > packet.hex

3) run scapy
$ scapy
Welcome to Scapy (2.1.0)

4) load hex and decode
>>> p = open('packet.hex').read().decode('hex')
>>> p
'E\x00\x05\'\x00\x01@\x0[…]'

5) load it as an IP packet
>>> p = IP(p)
>>> p
<IP  version=4L ihl=5L tos=0x0 len=1319 […] chksum=0x0

6) remove chksum to force calculation
>>> p.chksum = None

7a) force calculation of chksum either with show2()
>>> p.show2()
###[ IP ]###
[…]
chksum= 0xb27c

7b) or just turn packet into string and load it again:
>>> '0x%04x' % IP(str(p)).chksum
'0xb27c'

Hurray for scapy \o/

Chris continues:

Very cool use of scapy.  What other tools could we use to solve this?

As always, if you’d like to submit a challenge to http://www.ismellpackets.com contact me at chris (dot) christianson (at) gmail (dot) com.




The “Ping me!” Packet Challenge Solution
October 5, 2010, 1:39 am
Filed under: Packet Challenge, scapy, spoof

The winner of The “Ping me!” Packet Challenge is Johannes Ullrich (@johullrich on Twitter). Here’s Johannes’ solution:

Johannes writes:

I used scapy to craft the response. Here is the scapy command line sequence with explanation:

e=Ether(dst='00:0c:29:a6:5e:2f', src='00:0c:29:48:55:1f', type=0x0800);

The ethernet header: Just reverse source and destination, but keep the type the same.

i=IP(version=4, ihl=5, tos=0, len=36, id=1234, flags=0, frag=0, ttl=64, proto=1, src='192.168.200.129', dst='192.168.200.128');

For the IP header:
- we swap the source/destination, but keep everything else the same. TTL could of course be different, but let's just assume that the receiving host also uses a Unix-ish starting TTL of 64. I picked a different IP ID just to make the point that it is not necessarily the same as the inbound one.

The ICMP Header:

ic=ICMP(type=0, code=0, id=1, seq=555);

type and code are '0' for an ICMP echo reply. The ID and sequence number have to be the same as in the request.

The payload is the same as the request (Ping me!).

So the complete packet:

p=e/i/ic/’Ping me!’

and then send it at layer 2: sendp(p) (optionally, we could specify the interface here).


Here is the packet as received by tcpdump using the -xx option to inspect the full Ethernet header:



02:19:27.048612 IP 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 1, seq 555, length 16
0x0000:  000c 29a6 5e2f 000c 2948 551f 0800 4500
0x0010:  0024 04d2 0000 4001 63b4 c0a8 c881 c0a8
0x0020:  c880 0000 b974 0001 022b 5069 6e67 206d
0x0030:  6521

 

Chris continues:

Congrats Johannes!  Of course if Johannes enters he’s going to win. 🙂  Honorable mention goes out to Jon Wohlberg who used Nping to craft the ICMP echo reply.  I’ll post Jon’s solution tomorrow.
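As an added example (my code, not StalkR's or Johannes's, and scapy-free so it runs anywhere Python does), here are the two operations from the last two challenges in pure Python: the RFC 1071 one's-complement checksum that scapy fills in when chksum is set to None, and the request-to-reply transformation Johannes describes (swap MACs and IPs, type 8 to type 0, keep id, seq and payload, fix both checksums). The echo request below is constructed from the addresses in the post; its IP ID and TTL are arbitrary choices. The expected result is the reply frame from Johannes's tcpdump -xx output, which the block also parses back into bytes, the same job StalkR's awk/sed/tr pipeline does.

```python
"""Added example, not from the original posts: recompute IPv4/ICMP checksums and
turn an ICMP echo request into the echo reply in pure Python (no scapy).
The sample request is constructed from the addresses in the post; the expected
reply is the frame Johannes captured with tcpdump -xx."""
import struct


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071), as used by
    the IPv4 header, ICMP, TCP and UDP. Odd-length input is zero-padded."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_hexdump(text: str) -> bytes:
    """Turn 'tcpdump -xx' output (or any whitespace-separated hex) into bytes.
    Tokens starting with 0x or ending with ':' are line offsets and are dropped."""
    tokens = [t for t in text.split()
              if not (t.startswith("0x") or t.endswith(":"))]
    return bytes.fromhex("".join(tokens))


def ipv4_header_checksum(packet: bytes) -> int:
    """Checksum of the IPv4 header with its checksum field zeroed: what scapy
    computes when chksum is None (StalkR's steps 6 and 7)."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[10:12] = b"\x00\x00"
    return rfc1071_checksum(hdr)


def ipv4_header_checksum_ok(packet: bytes) -> bool:
    """A valid header sums to zero when the stored checksum is included."""
    ihl = (packet[0] & 0x0F) * 4
    return rfc1071_checksum(packet[:ihl]) == 0


def build_echo_reply(request: bytes, ip_id: int, ttl: int = 64) -> bytes:
    """Craft the echo reply for an Ethernet/IPv4/ICMP echo request frame:
    swap MACs and IPs, set type 0, keep code/id/seq/payload, fix checksums."""
    eth_dst, eth_src, eth_type = request[:6], request[6:12], request[12:14]
    if eth_type != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = bytearray(request[14:])
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                     # drop any Ethernet padding
    if ip[9] != 1:
        raise ValueError("not ICMP")
    ip[12:16], ip[16:20] = ip[16:20], ip[12:16]   # swap src/dst addresses
    ip[4:6] = struct.pack("!H", ip_id)      # the reply picks its own IP ID
    ip[8] = ttl                             # and its own initial TTL
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", rfc1071_checksum(ip[:ihl]))
    icmp = ip[ihl:]                         # ICMP header + "Ping me!" payload
    if icmp[0] != 8:
        raise ValueError("not an echo request")
    icmp[0] = 0                             # type 8 (request) -> 0 (reply)
    icmp[2:4] = b"\x00\x00"                 # checksum covers header + payload
    icmp[2:4] = struct.pack("!H", rfc1071_checksum(icmp))
    return bytes(eth_src + eth_dst + eth_type + ip[:ihl] + icmp)


# Constructed echo request (not in the post): 192.168.200.128 -> .129, id 1,
# seq 555, "Ping me!". IP ID 1 and TTL 128 are arbitrary; checksums are valid.
REQUEST = bytes.fromhex(
    "000c2948551f" "000c29a65e2f" "0800"            # Ethernet dst, src, IPv4
    "4500" "0024" "0001" "0000" "80" "01" "2885"     # IPv4 header, checksum 0x2885
    "c0a8c880" "c0a8c881"                           # 192.168.200.128 -> .129
    "08" "00" "b174" "0001" "022b"                  # ICMP echo request, id 1, seq 555
    + b"Ping me!".hex())

# The reply as Johannes captured it (tcpdump -xx output from the post).
TCPDUMP_XX = """
0x0000:  000c 29a6 5e2f 000c 2948 551f 0800 4500
0x0010:  0024 04d2 0000 4001 63b4 c0a8 c881 c0a8
0x0020:  c880 0000 b974 0001 022b 5069 6e67 206d
0x0030:  6521
"""

if __name__ == "__main__":
    reply = build_echo_reply(REQUEST, ip_id=1234, ttl=64)
    print("IP checksum 0x%04x, ICMP checksum 0x%04x" % (
        struct.unpack("!H", reply[24:26])[0], struct.unpack("!H", reply[36:38])[0]))
    print("matches capture:", reply == parse_hexdump(TCPDUMP_XX))
```

With ip_id=1234 and ttl=64 the crafted reply is byte-for-byte the frame in the tcpdump output above, including the 0x63b4 and 0xb974 checksums; nothing from the request's own IP ID survives into the reply, which is the point Johannes makes about choosing 1234.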



SANS SEC567: Power Packet Crafting with Scapy Debut at Sacramento!
October 22, 2009, 2:34 pm
Filed under: SANS, scapy

I have the opportunity to teach the brand new SANS SEC567: Power Packet Crafting with Scapy course!

If you’re not familiar with Scapy, it is an unbelievably powerful tool for creating all sorts of packets. If you’ve ever needed to test an IDS/IPS rule, check whether or not a firewall will block something, or see how an application reacts to certain traffic (during a penetration test, for example), Scapy can make your job easier.

The course was written by Judy Novak, who used to work for Sourcefire. While at Sourcefire, Judy was responsible for testing IDS/IPS solutions and used Scapy extensively to do so. She does an excellent job of explaining everything from the basics to the more advanced techniques. The course is jam-packed with exercises. By the end of the day I can assure you that you will be able to craft some pretty awesome packets.

This course will have its debut in Sacramento. Since this is a debut, you have the opportunity to take the course for half price! How’s that for a bargain? In return, all we ask is that you provide us with some feedback.

If you’d like more information or if you’d like to sign-up, please follow the link below:

SANS: SEC567 Power Packet Crafting with Scapy Debut at Sacramento – Power Packet Crafting with Scapy



Answer to Caesar’s Challenge
June 12, 2009, 12:59 am
Filed under: Caesar cipher, file, Packet Challenge, scapy

I for one had a lot of fun with this week’s challenge. There were packets, magic, and even some shifting: everything you need in a good packet challenge. Here’s the solution from the creator of the challenge, Davy Douhine (@ddouhine on Twitter).

Davy writes:

1. Paste the packet in a text file.
2. Add “0000” at the beginning of each line, manually or with sed:

sed 's/^/0000 /' packet.txt

3. Print the result and copy it.
4. Launch scapy.
5. Import the packet into an object. To do this, use the import_hexcap command, paste the packet, and hit CTRL-D:

>>> p1=IP(import_hexcap())
0000 4500 00c8 21c4 4000 8006 dee4 c0a8 3c01
0000 c0a8 3c35 0014 0841 ea5d efe1 32e0 3fa1
0000 5018 ffff 2c6d 0000 1f8b 0808 d92d 074a
0000 0203 6669 6c65 005d 8ecb 9104 210c 43ef
0000 1385 4210 fe01 e1b8 7ae8 fc43 1871 d8cb
0000 faa0 924b cf82 4812 6419 3aaa e5b4 2e8e
0000 81fd ec8d 87bd e00f c79f f344 767d 41a3
0000 098e 034f f31b 0c39 3f88 9e89 3a46 18dd
0000 af28 706f f8f0 82f7 5db7 d2d0 fc17 634c
0000 54d6 914c 43ed 72c4 532f 6a72 c329 4925
0000 48cb db9c 8564 2cc4 1baf b81c 7a5c cde9
0000 b7af f4b5 5882 c5f9 45c4 852e 62b1 3f3f
0000 c173 e305 f500 0000

6. Display the “p1” object:

>>> p1.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 200
  id= 8644
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0xdee4
  src= 192.168.60.1
  dst= 192.168.60.53
  options= ''
###[ TCP ]###
     sport= ftp_data
     dport= 2113
     seq= 3932024801L
     ack= 853557153L
     dataofs= 5L
     reserved= 0L
     flags= PA
     window= 65535
     chksum= 0x2c6d
     urgptr= 0
     options= []
###[ Raw ]###
        load= '\x1f\x8b\x08\x08\xd9-\x07J\x02\x03file\x00]\x8e\xcb\x91\x04!\x0cC\xef\x13\x85B\x10\xfe\x01\xe1\xb8z\xe8\xfcC\x18q\xd8\xcb\xfa\xa0\x92K\xcf\x82H\x12d\x19:\xaa\xe5\xb4.\x8e\x81\xfd\xec\x8d\x87\xbd\xe0\x0f\xc7\x9f\xf3Dv}A\xa3\t\x8e\x03O\xf3\x1b\x0c9?\x88\x9e\x89:F\x18\xdd\xaf(po\xf8\xf0\x82\xf7]\xb7\xd2\xd0\xfc\x17cLT\xd6\x91LC\xedr\xc4S/jr\xc3)I%H\xcb\xdb\x9c\x85d,\xc4\x1b\xaf\xb8\x1cz\\\xcd\xe9\xb7\xaf\xf4\xb5X\x82\xc5\xf9E\xc4\x85.b\xb1??\xc1s\xe3\x05\xf5\x00\x00\x00'

7. We now have a good looking packet. The TCP source port indicates that this should be an ftp-data transfer. In the payload we see the string “file.” This is the name of the file that was transferred. Let’s take a closer look at it.

8. Display the payload of the packet:

>>> p1.payload.payload
<Raw  load='\x1f\x8b\x08\x08\xd9-\x07J\x02\x03file\x00]\x8e\xcb\x91\x04!\x0cC\xef\x13\x85B\x10\xfe\x01\xe1\xb8z\xe8\xfcC\x18q\xd8\xcb\xfa\xa0\x92K\xcf\x82H\x12d\x19:\xaa\xe5\xb4.\x8e\x81\xfd\xec\x8d\x87\xbd\xe0\x0f\xc7\x9f\xf3Dv}A\xa3\t\x8e\x03O\xf3\x1b\x0c9?\x88\x9e\x89:F\x18\xdd\xaf(po\xf8\xf0\x82\xf7]\xb7\xd2\xd0\xfc\x17cLT\xd6\x91LC\xedr\xc4S/jr\xc3)I%H\xcb\xdb\x9c\x85d,\xc4\x1b\xaf\xb8\x1cz\\\xcd\xe9\xb7\xaf\xf4\xb5X\x82\xc5\xf9E\xc4\x85.b\xb1??\xc1s\xe3\x05\xf5\x00\x00\x00' |>

9. Convert the payload from raw to string and put the result in an object:

>>> strpayload=str(p1.payload.payload)
>>> strpayload
'\x1f\x8b\x08\x08\xd9-\x07J\x02\x03file\x00]\x8e\xcb\x91\x04!\x0cC\xef\x13\x85B\x10\xfe\x01\xe1\xb8z\xe8\xfcC\x18q\xd8\xcb\xfa\xa0\x92K\xcf\x82H\x12d\x19:\xaa\xe5\xb4.\x8e\x81\xfd\xec\x8d\x87\xbd\xe0\x0f\xc7\x9f\xf3Dv}A\xa3\t\x8e\x03O\xf3\x1b\x0c9?\x88\x9e\x89:F\x18\xdd\xaf(po\xf8\xf0\x82\xf7]\xb7\xd2\xd0\xfc\x17cLT\xd6\x91LC\xedr\xc4S/jr\xc3)I%H\xcb\xdb\x9c\x85d,\xc4\x1b\xaf\xb8\x1cz\\\xcd\xe9\xb7\xaf\xf4\xb5X\x82\xc5\xf9E\xc4\x85.b\xb1??\xc1s\xe3\x05\xf5\x00\x00\x00'

10. Put it in a file:

>>> fd=open('/tmp/file', 'w')
>>> fd.write(strpayload)
>>> fd.close()

11. Use file magic to guess what sort of file it is:

>>> os.system('file /tmp/file')
/tmp/file: gzip compressed data, was "file", from Unix, max compression

12. It’s a gzip file, decompress it:

>>> fd=gzip.open('/tmp/file', 'r')
>>> fd.read()
'4500 0062 a46a 0000 8011 9c99 c0a8 3c01 c0a8 3c35 5a6d 0202 004e 3523 3c31 353e 4a75 6e20 2033 2031 333a 3136 3a31 3920 4444 4444 4444 4444 2047 656e 6572 6963 4c6f 6709 3009 5657 5253 2056 5048 4f4f 4c51 4a20 5344 464e 4857 2053 4f48 4456 480a\n'

13. So we have a text file with some hex in it that begins with “45…”. Oh no, it’s another packet… 😉 Let’s format it so that it can be imported into scapy. This requires 16 bytes per line with 0000 at the beginning of each. Question for the audience. Does anybody know how to do this in python?

>>> extractedpacket=_
>>> fd.close()
>>> fd=open('/tmp/extpkt', 'w')
>>> fd.write(extractedpacket)
>>> fd.close()
>>> os.system('vi /tmp/extpkt')
>>> os.system("sed 's/^/0000 /' /tmp/extpkt")
0000 4500 0062 a46a 0000 8011 9c99 c0a8 3c01
0000 c0a8 3c35 5a6d 0202 004e 3523 3c31 353e
0000 4a75 6e20 2033 2031 333a 3136 3a31 3920
0000 4444 4444 4444 4444 2047 656e 6572 6963
0000 4c6f 6709 3009 5657 5253 2056 5048 4f4f
0000 4c51 4a20 5344 464e 4857 2053 4f48 4456
0000 480a

14. Import the packet to scapy using import_hexcap:

>>> p2=IP(import_hexcap())
0000 4500 0062 a46a 0000 8011 9c99 c0a8 3c01
0000 c0a8 3c35 5a6d 0202 004e 3523 3c31 353e
0000 4a75 6e20 2033 2031 333a 3136 3a31 3920
0000 4444 4444 4444 4444 2047 656e 6572 6963
0000 4c6f 6709 3009 5657 5253 2056 5048 4f4f
0000 4c51 4a20 5344 464e 4857 2053 4f48 4456
0000 480a

15. Display the packet details:

>>> p2.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 98
  id= 42090
  flags=
  frag= 0L
  ttl= 128
  proto= udp
  chksum= 0x9c99
  src= 192.168.60.1
  dst= 192.168.60.53
  options= ''
###[ UDP ]###
     sport= 23149
     dport= syslog
     len= 78
     chksum= 0x3523
###[ Raw ]###
        load= '<15>Jun  3 13:16:19 DDDDDDDD GenericLog\t0\tVWRS VPHOOLQJ SDFNHW SOHDVH\n'

16. We now have a packet containing a syslog message and there are some weird characters in it, “VWRS VPHOOLQJ SDFNHW SOHDVH”.

17. What was the name of that challenge? Caesar’s challenge… hmm… After a quick search we find something called the Caesar cipher. The Caesar cipher is a 2000-year-old encryption technique named after Julius Caesar. It is a type of substitution cipher that shifts the characters 3 places.

18. Let’s try it. Shifting the characters in the syslog message by 3 we get: “STOP SMELLING PACKET PLEASE”.

Chris adds:

Thanks to Davy for coming up with this week’s challenge. It was fun for me to have the opportunity to work on a challenge for once. If anyone else ever has an idea, let me know and maybe we’ll post it.

Lots of people got this one right. Congratulations to Alec Waters (@alecwaters on Twitter) for being the first. Thanks to everyone else for playing.

Until next time.

The following are some links to more information about this week’s challenge:
Magic number (programming)
file (Unix)
Caesar cipher
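Here is the whole walkthrough as an added example in pure Python (my code, not Davy's scapy session). It answers the step 13 question by reflowing bare hex into 16-byte lines for import_hexcap or text2pcap, writing a real running offset rather than 0000 on every line since both tools accept that; it pulls the TCP payload out using the IP header length and the TCP data offset, checks the two gzip magic bytes that file(1) keys on, gunzips, parses the inner UDP/syslog packet and undoes the shift. The packet bytes are exactly the ones Davy pasted; all helper names are my own.

```python
"""Added example, not Davy's code: the Caesar's Challenge pipeline in pure Python.
Reflow hex for import_hexcap/text2pcap, extract the TCP payload, detect gzip by
its magic bytes, gunzip, decode the inner UDP/syslog packet, undo the Caesar shift."""
import gzip
import struct

# The outer packet exactly as pasted into import_hexcap in the post.
P1_HEXCAP = """
0000 4500 00c8 21c4 4000 8006 dee4 c0a8 3c01
0000 c0a8 3c35 0014 0841 ea5d efe1 32e0 3fa1
0000 5018 ffff 2c6d 0000 1f8b 0808 d92d 074a
0000 0203 6669 6c65 005d 8ecb 9104 210c 43ef
0000 1385 4210 fe01 e1b8 7ae8 fc43 1871 d8cb
0000 faa0 924b cf82 4812 6419 3aaa e5b4 2e8e
0000 81fd ec8d 87bd e00f c79f f344 767d 41a3
0000 098e 034f f31b 0c39 3f88 9e89 3a46 18dd
0000 af28 706f f8f0 82f7 5db7 d2d0 fc17 634c
0000 54d6 914c 43ed 72c4 532f 6a72 c329 4925
0000 48cb db9c 8564 2cc4 1baf b81c 7a5c cde9
0000 b7af f4b5 5882 c5f9 45c4 852e 62b1 3f3f
0000 c173 e305 f500 0000
"""

GZIP_MAGIC = b"\x1f\x8b"   # the two bytes file(1) matches for "gzip compressed data"


def to_hexcap(hexstr: str, width: int = 16) -> str:
    """Reflow a bare hex string into 'offset word word ...' lines, 16 bytes per
    line, with a running offset (accepted by import_hexcap and text2pcap alike)."""
    data = bytes.fromhex("".join(hexstr.split()))
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        lines.append("%04x %s" % (off, words))
    return "\n".join(lines)


def hexcap_to_bytes(text: str) -> bytes:
    """Inverse of to_hexcap: drop each line's leading offset and decode the rest."""
    words = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens:
            words.extend(tokens[1:])
    return bytes.fromhex("".join(words))


def transport_payload(pkt: bytes) -> tuple:
    """Return (protocol number, payload) for an IPv4 packet carrying TCP or UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    body = pkt[ihl:total_len]
    if proto == 6:                      # TCP: header length from the data offset
        hdr_len = (body[12] >> 4) * 4
    elif proto == 17:                   # UDP: fixed 8-byte header
        hdr_len = 8
    else:
        raise ValueError("unsupported protocol %d" % proto)
    return proto, body[hdr_len:]


def caesar(text: str, shift: int) -> str:
    """Shift A-Z/a-z by `shift` places (negative undoes a forward shift);
    digits, punctuation and whitespace pass through unchanged."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z" or "a" <= ch <= "z":
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(text: str) -> dict:
    """Brute force: every candidate plaintext, for when the key is not obviously 3."""
    return {k: caesar(text, -k) for k in range(1, 26)}


def solve(hexcap: str = P1_HEXCAP) -> str:
    """Outer IP/TCP packet -> gzip payload -> inner hex -> IP/UDP syslog -> plaintext."""
    proto, payload = transport_payload(hexcap_to_bytes(hexcap))
    if proto != 6 or not payload.startswith(GZIP_MAGIC):
        raise ValueError("expected a gzip blob in a TCP (ftp-data) payload")
    inner_hex = gzip.decompress(payload).decode("ascii")   # "4500 0062 ..." text
    proto, syslog = transport_payload(hexcap_to_bytes(to_hexcap(inner_hex)))
    if proto != 17:
        raise ValueError("inner packet is not UDP")
    message = syslog.decode("ascii").rstrip("\n")           # "<15>Jun  3 ...\t0\tVWRS ..."
    cipher = message.rsplit("\t", 1)[-1]                   # text after the last tab
    return caesar(cipher, -3)


if __name__ == "__main__":
    print(solve())
```

The gzip module verifies the trailing CRC32, so a single mistyped byte in the pasted hex shows up as an error here rather than as garbage in the inner packet; all_shifts is there for the case where the shift is not the classic 3.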



Answer to Fred’s Secret Packet Challenge – Part 1
June 2, 2009, 4:53 am
Filed under: mergecap, Packet Challenge, scapy, sed, tcpdump, text2pcap, tr

This challenge was a little harder than the previous ones. It seems a lot of people had a hard time taking the hex dump of the packets and converting them into pcap format. So, what I decided to do was break the answer to Fred’s Secret into a couple of different posts. Part 1 will describe how to convert the packets. In Part 2 we’ll go ahead and reveal the solution. This way everyone will still be able to try to find out the answer themselves.

Here are the four packets:

00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 00 10 00 0c ff 00 ca 00 04
11 0a 00 00 00 00 00 00 00 28 00 00 00 00 00 d4
00 00 a0 8f 00 4e 54 4c 4d 53 53 50 00 01 00 00
00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 05 01 28 0a 00 00 00 0f 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 32 00 20 00 53 00 65 00 72 00 76 00
69 00 63 00 65 00 20 00 50 00 61 00 63 00 6b 00
20 00 33 00 20 00 32 00 36 00 30 00 30 00 00 00
57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00
32 00 30 00 30 00 32 00 20 00 35 00 2e 00 31 00
00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
01 1f 00 9f 40 00 80 06 ba e7 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 26 85 42 d0 34 83 50 18
f9 99 80 50 00 00 00 00 00 f3 ff 53 4d 42 73 16
00 00 c0 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 10 00 04 ff 00 f3 00 00
00 7e 00 c8 00 4e 54 4c 4d 53 53 50 00 02 00 00
00 0a 00 0a 00 38 00 00 00 05 82 8a a2 89 23 42
01 b1 62 1e d1 00 00 00 00 00 00 00 00 3c 00 3c
00 42 00 00 00 05 01 28 0a 00 00 00 0f 57 00 49
00 4c 00 4d 00 41 00 02 00 0a 00 57 00 49 00 4c
00 4d 00 41 00 01 00 0a 00 57 00 49 00 4c 00 4d
00 41 00 04 00 0a 00 57 00 49 00 4c 00 4d 00 41
00 03 00 0a 00 57 00 49 00 4c 00 4d 00 41 00 00
00 00 00 14 57 00 69 00 6e 00 64 00 6f 00 77 00
73 00 20 00 35 00 2e 00 31 00 00 00 57 00 69 00
6e 00 64 00 6f 00 77 00 73 00 20 00 32 00 30 00
30 00 30 00 20 00 4c 00 41 00 4e 00 20 00 4d 00
61 00 6e 00 61 00 67 00 65 00 72 00 00


00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
01 60 04 39 40 00 80 06 b7 0c c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 34 83 d2 64 27 7c 50 18
f9 a0 09 36 00 00 00 00 01 34 ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 0c ff 00 34 01 04
11 0a 00 00 00 00 00 00 00 92 00 00 00 00 00 d4
00 00 a0 f9 00 4e 54 4c 4d 53 53 50 00 03 00 00
00 18 00 18 00 62 00 00 00 18 00 18 00 7a 00 00
00 0a 00 0a 00 48 00 00 00 08 00 08 00 52 00 00
00 08 00 08 00 5a 00 00 00 00 00 00 00 92 00 00
00 05 82 88 a2 05 01 28 0a 00 00 00 0f 77 00 69
00 6c 00 6d 00 61 00 66 00 72 00 65 00 64 00 46
00 52 00 45 00 44 00 be 16 d3 98 51 48 ba f5 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 77
72 dd 97 cb d6 6f 8d c7 ca db e1 88 6b c3 2b cc
83 df 15 dc 6e 98 41 00 57 00 69 00 6e 00 64 00
6f 00 77 00 73 00 20 00 32 00 30 00 30 00 32 00
20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00
20 00 50 00 61 00 63 00 6b 00 20 00 33 00 20 00
32 00 36 00 30 00 30 00 00 00 57 00 69 00 6e 00
64 00 6f 00 77 00 73 00 20 00 32 00 30 00 30 00
32 00 20 00 35 00 2e 00 31 00 00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
00 a1 00 a0 40 00 80 06 bb 64 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 27 7c 42 d0 35 bb 50 18
f8 61 c6 aa 00 00 00 00 00 75 ff 53 4d 42 73 00
00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 04 ff 00 75 00 00
00 00 00 4a 00 82 57 00 69 00 6e 00 64 00 6f 00
77 00 73 00 20 00 35 00 2e 00 31 00 00 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 30 00 20 00 4c 00 41 00 4e 00 20 00
4d 00 61 00 6e 00 61 00 67 00 65 00 72 00 00

Converting the Hex Dump into PCAP using tr, sed, text2pcap, & mergecap.

There are a number of different ways to convert a hex dump into pcap. The method I will demonstrate here uses the tr, sed, text2pcap, and mergecap commands. This is going to be long and drawn out, perhaps even a little painful. By doing it this way, though, we get to use a number of different commands, see what each of them does, and become familiar with their syntax. As we go through each step in the process, take a look at the output of the command and try to get a feel for what it is actually doing.

To begin, copy and paste each of the packets into a separate text file (for example 1.txt, 2.txt, 3.txt, and 4.txt).

Then, remove the line breaks, redirecting the output to a new file (tr reads standard input only, so the file is fed in with <):
tr -d '\n' < 1.txt > 1b.txt

Next, get rid of the blank spaces:
sed 's/ //g' 1b.txt > 1c.txt

Now, separate the bytes again, one space after every pair of hex digits:
sed 's/\(..\)/\1 /g' 1c.txt > 1d.txt

Then, prepend the '00000 ' offset that text2pcap expects at the start of each line:
sed 's/^/00000 /' 1d.txt > 1e.txt

Finally, convert the hex to pcap using text2pcap:
text2pcap 1e.txt 1f.pcap

All of this can be done on a single line by piping the output of one command into the input of the next command:
tr -d '\n' < 1.txt | sed 's/ //g' | sed 's/\(..\)/\1 /g' | sed 's/^/00000 /' | text2pcap - 1f.pcap

Repeat this process for each of the four packets. Afterwards there should be four pcap files: 1f.pcap, 2f.pcap, 3f.pcap, and 4f.pcap. These four packets now need to be combined back into a single file. This can be done using mergecap:

mergecap -w 5.pcap 1f.pcap 2f.pcap 3f.pcap 4f.pcap

If everything worked correctly, the file 5.pcap now contains four packets. To verify this, run tcpdump. Use the -v (verbose) switch to display the length of each packet (the "length" field in the output below). One caveat: mergecap orders packets by timestamp, and text2pcap stamps each packet with the time it was run (hence the .000000 timestamps below), so the packets come out in the order the files were converted rather than in the order of the original exchange. Use mergecap -a to concatenate the files in the order given instead.

tcpdump -nnvr 5.pcap
reading from file 5.pcap, link-type EN10MB (Ethernet)
14:13:33.000000 IP (tos 0x0, ttl 128, id 159, offset 0, flags [DF], proto TCP (6), length 287) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0x8050 (correct), 3529778821:3529779068(247) ack 1120941187 win 63897
14:13:52.000000 IP (tos 0x0, ttl 128, id 1081, offset 0, flags [DF], proto TCP (6), length 352) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0936 (correct), 1:313(312) ack 247 win 63904
14:14:12.000000 IP (tos 0x0, ttl 128, id 160, offset 0, flags [DF], proto TCP (6), length 161) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0xc6aa (correct), 247:368(121) ack 313 win 63585
14:18:29.000000 IP (tos 0x0, ttl 128, id 1080, offset 0, flags [DF], proto TCP (6), length 246) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0eae (correct), 4294967091:1(206) ack 0 win 64151

Remember, the reason for going through this long drawn out process was to demonstrate the use of a number of different commands and how they work. With this knowledge, hopefully we’ll have a better understanding of how to use each of these tools. Perhaps we can even begin writing scripts that automate such processes. 🙂

At the onset I also mentioned that there were a number of other ways to convert a hex dump to pcap. Anyone interested in writing something up on how to use scapy or any other tool to convert the hex dump? If so, let me know and we’ll post it.
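Taking up that invitation, here is an added example of doing the conversion in Python alone (my code, not the method the post uses). It writes the classic pcap global header and the per-record headers itself, so neither text2pcap nor mergecap is needed; it keeps the frames in the order they were pasted, and it checks each frame's length against the IP total length in its own header, which catches a line lost in copy-and-paste before tcpdump reports a truncated packet. Only the first and fourth frames are embedded to keep the listing short, and the timestamps are arbitrary.

```python
"""Added example, not from the post: convert a pasted hex dump of Ethernet frames
straight into a classic pcap file in Python, with no text2pcap/mergecap round trip.
Frames are written in the order they appear and each is checked against its own
IPv4 total length first, which catches a mangled copy-and-paste early."""
import struct

# The first and fourth frames from the post, separated by a blank line, exactly
# as they would be pasted into 1.txt and 4.txt. Paste all four to rebuild 5.pcap.
HEXDUMP = """
00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 00 10 00 0c ff 00 ca 00 04
11 0a 00 00 00 00 00 00 00 28 00 00 00 00 00 d4
00 00 a0 8f 00 4e 54 4c 4d 53 53 50 00 01 00 00
00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 05 01 28 0a 00 00 00 0f 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 32 00 20 00 53 00 65 00 72 00 76 00
69 00 63 00 65 00 20 00 50 00 61 00 63 00 6b 00
20 00 33 00 20 00 32 00 36 00 30 00 30 00 00 00
57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00
32 00 30 00 30 00 32 00 20 00 35 00 2e 00 31 00
00 00 00 00

00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
00 a1 00 a0 40 00 80 06 bb 64 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 27 7c 42 d0 35 bb 50 18
f8 61 c6 aa 00 00 00 00 00 75 ff 53 4d 42 73 00
00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 04 ff 00 75 00 00
00 00 00 4a 00 82 57 00 69 00 6e 00 64 00 6f 00
77 00 73 00 20 00 35 00 2e 00 31 00 00 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 30 00 20 00 4c 00 41 00 4e 00 20 00
4d 00 61 00 6e 00 61 00 67 00 65 00 72 00 00
"""

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def hexdump_to_frames(text: str) -> list:
    """Split a hex dump into frames on blank lines and decode each into bytes."""
    frames, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            frames.append(bytes.fromhex(" ".join(current)))
            current = []
    if current:
        frames.append(bytes.fromhex(" ".join(current)))
    return frames


def check_frame(frame: bytes) -> None:
    """Reject frames that are not IPv4 or whose length disagrees with the IP
    total length (14-byte Ethernet header, so total length sits at offset 16)."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("ethertype 0x%04x is not IPv4" % ethertype)
    ip_len = struct.unpack("!H", frame[16:18])[0]
    if len(frame) != 14 + ip_len:
        raise ValueError("frame is %d bytes, IP header says %d" % (len(frame), 14 + ip_len))


def frames_to_pcap(frames, base_ts: int = 1243900800) -> bytes:
    """Serialize frames as classic pcap: 24-byte global header, then a 16-byte
    record header plus data per frame. Timestamps (arbitrary start, one second
    apart) grow with file position, so tools that sort by time keep this order."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        check_frame(frame)
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def pcap_frames(data: bytes) -> list:
    """Read the frames back out of a little-endian classic pcap (round-trip check)."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    frames, pos = [], 24
    while pos < len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frames.append(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return frames


if __name__ == "__main__":
    frames = hexdump_to_frames(HEXDUMP)
    with open("5.pcap", "wb") as fh:
        fh.write(frames_to_pcap(frames))
    print("wrote %d frames: %s bytes" % (len(frames), [len(f) for f in frames]))
```

Run it in the directory with the dump and open the resulting 5.pcap with tcpdump -nnvr as above; the two embedded frames come out as 260 and 175 bytes (IP lengths 246 and 161), in that order.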

Now, it’s back up to you again. What’s Fred’s secret?

Hint: You are going to have to use some brute-force.

The following are links to information on the use of the tr, sed, text2pcap, and mergecap commands:
tr (Unix)
USEFUL ONE-LINE SCRIPTS FOR SED
text2pcap
mergecap

Tired of trying to convert the hex dump to pcap? Here is a link to the I Smell Packets Group on Google. Download the 5.pcap file.

http://groups.google.com/group/ismellpackets