I Smell Packets

“Ping me!” Packet Challenge Follow Up
January 6, 2011, 5:37 am
Filed under: hping, nping, spoof, tcpdump | Tags: , , ,

This is a follow up to the “Ping me!” packet challenge.  In the previous post I asked how you could spoof MAC addresses using Nping and Hping.  Here is the answer:

Using Nping

# nping –icmp -c 1 –icmp-type 0 –dest-ip –source-ip –icmp-id 0 –icmp-seq 555 –data-string ‘Ping me!’ –source-mac 00:0c:29:48:55:1f –dest-mac 00:0c:29:a6:5e:2f

Starting Nping 0.5.35DC1 ( http://nmap.org/nping ) at 2011-01-02 09:34 PSTSENT (0.0000s) ICMP > Echo reply (type=0/code=0) ttl=64 id=17243 iplen=36

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (50B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Tx time: 0.00083s | Tx bytes/s: 59952.04 | Tx pkts/s: 1199.04
Rx time: 0.99989s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 1.00 seconds

The following is the output from tcpdump:

# tcpdump -i en1 -e  host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes21:31:24.609114 00:0c:29:48:55:1f (oui Unknown) > 00:0c:29:a6:5e:2f (oui Unknown), ethertype IPv4 (0x0800), length 50: > ICMP echo reply, id 0, seq 555, length 16

Using Hping

Hping doesn’t have the ability to spoof MAC addresses, but that still doesn’t prevent us from working around it.

The MAC address of most *nix machines can be changed by doing something close to the following:

# ifconfig en1 ether 00:0c:29:48:55:1f

For instructions on how to change MAC addresses on other OSs see the following link:

Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing)

That takes care of the source MAC address, but what about the destination MAC address?  This can be spoofed by creating a static ARP entry:

arp -S 00:0c:29:a6:5e:2f

Now just run hping as demonstrated in the previous post.


The “Ping me!” Packet Challenge Solution
October 5, 2010, 1:39 am
Filed under: Packet Challenge, scapy, spoof | Tags: , ,

The winner of The “Ping me!” Packet Challenge is Johannes Ullrich (@johullrich on Twitter) Here’s Johannes’ solution:

Johannes writes:

I used scapy to craft the response. Here is the scapy command line sequence with explanation:

e=Ether(dst=’00:0c:29:a6:5e:2f’, src=’00:0c:29:48:55:1f’, type=0x0800);

The ethernet header: Just reverse source and destination, but keep the type the same.

i=IP(version=4, ihl=5, tos=0, len=36, id=1234, flags=0, frag=0, ttl=64, proto=1, src=’′,dst=’′);

For the IP header:
– – we swap the source/destination, but keep everything else the same. TTL could of course be different but lets just assume that the receiving host also uses a Unix’isch starting TTL of 64. I picked a different IP ID just to make a point that it is not necessarily the same as the inbound one.

The ICMP Header:

ic=ICMP(type=0, code=0, id=1, seq=555);

type and code is ‘0’ for an ICMP echo reply. The ID and sequence number have to be the same as in the request.

The payload is the same as the request (Ping me!).

So the complete packet:

p=e/i/ic/’Ping me!’

and then send it at layer 2: sendp(p) (optionally, we could specify the interface here).

Here is the packet as received by tcpdump using the ‘xx’ option to inspect the full ethernet header:

02:19:27.048612 IP > ICMP echo reply, id 1, seq 555, length 16
0x0000:  000c 29a6 5e2f 000c 2948 551f 0800 4500
0x0010:  0024 04d2 0000 4001 63b4 c0a8 c881 c0a8
0x0020:  c880 0000 b974 0001 022b 5069 6e67 206d
0x0030:  6521


Chris continues:

Congrats Johannes!  Of course if Johannes enters he’s going to win. 🙂  Honorable mention goes out to Jon Wohlberg who used Nping to craft the ICMP echo reply.  I’ll post Jon’s solution tomorrow.