I Smell Packets


“Ping me!” Packet Challenge Follow Up
January 6, 2011, 5:37 am
Filed under: hping, nping, spoof, tcpdump

This is a follow up to the “Ping me!” packet challenge.  In the previous post I asked how you could spoof MAC addresses using Nping and Hping.  Here is the answer:

Using Nping

# nping --icmp -c 1 --icmp-type 0 --dest-ip 192.168.200.128 --source-ip 192.168.200.129 --icmp-id 0 --icmp-seq 555 --data-string 'Ping me!' --source-mac 00:0c:29:48:55:1f --dest-mac 00:0c:29:a6:5e:2f

Starting Nping 0.5.35DC1 ( http://nmap.org/nping ) at 2011-01-02 09:34 PST
SENT (0.0000s) ICMP 192.168.200.129 > 192.168.200.128 Echo reply (type=0/code=0) ttl=64 id=17243 iplen=36

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (50B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Tx time: 0.00083s | Tx bytes/s: 59952.04 | Tx pkts/s: 1199.04
Rx time: 0.99989s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 1.00 seconds

The following is the output from tcpdump:

# tcpdump -i en1 -e host 192.168.200.128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:24.609114 00:0c:29:48:55:1f (oui Unknown) > 00:0c:29:a6:5e:2f (oui Unknown), ethertype IPv4 (0x0800), length 50: 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 0, seq 555, length 16

Using Hping

Hping doesn’t have the ability to spoof MAC addresses, but that still doesn’t prevent us from working around it.

The MAC address of most *nix machines can be changed with something close to the following (this is the BSD/Mac OS X ifconfig syntax; Linux differs):

# ifconfig en1 ether 00:0c:29:48:55:1f

For instructions on how to change MAC addresses on other OSs see the following link:

Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing)

That takes care of the source MAC address, but what about the destination MAC address?  This can be spoofed by creating a static ARP entry:

arp -S 192.168.200.128 00:0c:29:a6:5e:2f

Now just run hping as demonstrated in the previous post.



Answer to Fred’s Secret Packet Challenge – Part 1
June 2, 2009, 4:53 am
Filed under: mergecap, Packet Challenge, scapy, sed, tcpdump, text2pcap, tr

This challenge was a little harder than the previous ones. It seems a lot of people had a hard time taking the hex dump of the packets and converting them into pcap format. So, what I decided to do was break the answer to Fred’s Secret into a couple of different posts. Part 1 will describe how to convert the packets. In Part 2 we’ll go ahead and reveal the solution. This way everyone will still be able to try to find out the answer themselves.

Here are the four packets:

00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 00 10 00 0c ff 00 ca 00 04
11 0a 00 00 00 00 00 00 00 28 00 00 00 00 00 d4
00 00 a0 8f 00 4e 54 4c 4d 53 53 50 00 01 00 00
00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 05 01 28 0a 00 00 00 0f 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 32 00 20 00 53 00 65 00 72 00 76 00
69 00 63 00 65 00 20 00 50 00 61 00 63 00 6b 00
20 00 33 00 20 00 32 00 36 00 30 00 30 00 00 00
57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00
32 00 30 00 30 00 32 00 20 00 35 00 2e 00 31 00
00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
01 1f 00 9f 40 00 80 06 ba e7 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 26 85 42 d0 34 83 50 18
f9 99 80 50 00 00 00 00 00 f3 ff 53 4d 42 73 16
00 00 c0 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 10 00 04 ff 00 f3 00 00
00 7e 00 c8 00 4e 54 4c 4d 53 53 50 00 02 00 00
00 0a 00 0a 00 38 00 00 00 05 82 8a a2 89 23 42
01 b1 62 1e d1 00 00 00 00 00 00 00 00 3c 00 3c
00 42 00 00 00 05 01 28 0a 00 00 00 0f 57 00 49
00 4c 00 4d 00 41 00 02 00 0a 00 57 00 49 00 4c
00 4d 00 41 00 01 00 0a 00 57 00 49 00 4c 00 4d
00 41 00 04 00 0a 00 57 00 49 00 4c 00 4d 00 41
00 03 00 0a 00 57 00 49 00 4c 00 4d 00 41 00 00
00 00 00 14 57 00 69 00 6e 00 64 00 6f 00 77 00
73 00 20 00 35 00 2e 00 31 00 00 00 57 00 69 00
6e 00 64 00 6f 00 77 00 73 00 20 00 32 00 30 00
30 00 30 00 20 00 4c 00 41 00 4e 00 20 00 4d 00
61 00 6e 00 61 00 67 00 65 00 72 00 00


00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
01 60 04 39 40 00 80 06 b7 0c c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 34 83 d2 64 27 7c 50 18
f9 a0 09 36 00 00 00 00 01 34 ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 0c ff 00 34 01 04
11 0a 00 00 00 00 00 00 00 92 00 00 00 00 00 d4
00 00 a0 f9 00 4e 54 4c 4d 53 53 50 00 03 00 00
00 18 00 18 00 62 00 00 00 18 00 18 00 7a 00 00
00 0a 00 0a 00 48 00 00 00 08 00 08 00 52 00 00
00 08 00 08 00 5a 00 00 00 00 00 00 00 92 00 00
00 05 82 88 a2 05 01 28 0a 00 00 00 0f 77 00 69
00 6c 00 6d 00 61 00 66 00 72 00 65 00 64 00 46
00 52 00 45 00 44 00 be 16 d3 98 51 48 ba f5 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 77
72 dd 97 cb d6 6f 8d c7 ca db e1 88 6b c3 2b cc
83 df 15 dc 6e 98 41 00 57 00 69 00 6e 00 64 00
6f 00 77 00 73 00 20 00 32 00 30 00 30 00 32 00
20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00
20 00 50 00 61 00 63 00 6b 00 20 00 33 00 20 00
32 00 36 00 30 00 30 00 00 00 57 00 69 00 6e 00
64 00 6f 00 77 00 73 00 20 00 32 00 30 00 30 00
32 00 20 00 35 00 2e 00 31 00 00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
00 a1 00 a0 40 00 80 06 bb 64 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 27 7c 42 d0 35 bb 50 18
f8 61 c6 aa 00 00 00 00 00 75 ff 53 4d 42 73 00
00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 04 ff 00 75 00 00
00 00 00 4a 00 82 57 00 69 00 6e 00 64 00 6f 00
77 00 73 00 20 00 35 00 2e 00 31 00 00 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 30 00 20 00 4c 00 41 00 4e 00 20 00
4d 00 61 00 6e 00 61 00 67 00 65 00 72 00 00

Converting the Hex Dump into PCAP using tr, sed, text2pcap, & mergecap.

There are a number of different ways to convert a hex dump into pcap. The method I will demonstrate here uses the tr, sed, text2pcap, and mergecap commands. This is going to be long and drawn out, perhaps even a little painful. By doing it this way, though, we get to use a number of different commands, see what each one does, and become familiar with their syntax. As we go through each step in the process, take a look at the output of the command and try to get a feel for what it is actually doing.

To begin, copy and paste each of the packets into a separate text file (for example 1.txt, 2.txt, 3.txt, 4.txt.)

Then, remove the line breaks:
tr -d '\n' < 1.txt > 1b.txt

Next, get rid of the blank spaces:
sed 's/ //g' < 1b.txt > 1c.txt

Now, separate the bytes:
sed 's/\(..\)/\1 /g' < 1c.txt > 1d.txt

Then, prepend a '00000 ' offset (text2pcap expects each line to begin with a hex offset):
sed 's/^/00000 /' < 1d.txt > 1e.txt

Finally, convert the hex to pcap using text2pcap:
text2pcap 1e.txt 1f.pcap

All of this can be done on a single line by piping the output of one command into the input of the next command:
tr -d '\n' < 1.txt | sed 's/ //g' | sed 's/\(..\)/\1 /g' | sed 's/^/00000 /' | text2pcap - 1f.pcap

Repeat this process for each of the four packets. Afterwards there should be four pcap files: 1f.pcap, 2f.pcap, 3f.pcap, and 4f.pcap. These four packets now need to be combined back into a single file. This can be done using mergecap:

mergecap -w 5.pcap 1f.pcap 2f.pcap 3f.pcap 4f.pcap

If everything worked correctly, the file 5.pcap now contains four packets. To verify this, run tcpdump. Use the -v (verbose) switch to display the length of each packet (the "length" field in each line below):

tcpdump -nnvr 5.pcap
reading from file 5.pcap, link-type EN10MB (Ethernet)
14:13:33.000000 IP (tos 0x0, ttl 128, id 159, offset 0, flags [DF], proto TCP (6), length 287) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0x8050 (correct), 3529778821:3529779068(247) ack 1120941187 win 63897
14:13:52.000000 IP (tos 0x0, ttl 128, id 1081, offset 0, flags [DF], proto TCP (6), length 352) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0936 (correct), 1:313(312) ack 247 win 63904
14:14:12.000000 IP (tos 0x0, ttl 128, id 160, offset 0, flags [DF], proto TCP (6), length 161) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0xc6aa (correct), 247:368(121) ack 313 win 63585
14:18:29.000000 IP (tos 0x0, ttl 128, id 1080, offset 0, flags [DF], proto TCP (6), length 246) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0eae (correct), 4294967091:1(206) ack 0 win 64151
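As an added example (not from the original post), the same conversion done in a small Python script using only the standard library: it splits a pasted hex dump into packets on blank lines, as the four packets above are separated, and writes a pcap file with the global header and one record per packet, which is what text2pcap and mergecap do in combination. The sample dump embedded below is the 54-byte ICMP packet from the Packet Challenge post further down this page; that packet starts at the IP header, so it is written with link type 101 (raw IP), whereas the four Ethernet frames above would use link type 1.

```python
import struct

# Constructed sample: the 54-byte ICMP echo request from the "Packet Challenge"
# post further down this page, re-wrapped the way the hex dumps above are laid out.
# Packets within one dump are separated by one or more blank lines.
SAMPLE_DUMP = """
4500 0036 308b 0000 4001 0000 7f00 0001
7f00 0001 0800 89f3 5a27 0200 3173 7432
444d 6d65 6765 7473 4153 7461 7262 7563
6b73 6361 7264
"""

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1    # frames that begin with a 14-byte Ethernet header (the four packets above)
LINKTYPE_RAW_IP = 101    # no link-layer header; the packet begins at the IP header


def parse_hex_dump(text):
    """Return one bytes object per packet, splitting the dump on blank lines."""
    packets, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:                        # a blank line ends the current packet
            if current:
                packets.append(bytes.fromhex("".join(current)))
                current = []
            continue
        current.append(line.replace(" ", ""))
    if current:                             # the dump may not end with a blank line
        packets.append(bytes.fromhex("".join(current)))
    return packets


def build_pcap(packets, linktype):
    """Serialise packets as a pcap file image: 24-byte global header + 16-byte record headers."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (little-endian, which libpcap accepts)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        # ts_sec, ts_usec, incl_len, orig_len; timestamps are synthetic, as text2pcap's are
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    pkts = parse_hex_dump(SAMPLE_DUMP)
    with open("challenge.pcap", "wb") as fh:
        fh.write(build_pcap(pkts, LINKTYPE_RAW_IP))
    print(f"wrote {len(pkts)} packet(s) to challenge.pcap")
```

To convert the four packets above, paste them into one file, read it into parse_hex_dump and call build_pcap with LINKTYPE_ETHERNET; the result opens in tcpdump or Wireshark like 5.pcap.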

Remember, the reason for going through this long drawn out process was to demonstrate the use of a number of different commands and how they work. With this knowledge, hopefully we’ll have a better understanding of how to use each of these tools. Perhaps we can even begin writing scripts that automate such processes. 🙂

At the onset I also mentioned that there were a number of other ways to convert a hex dump to pcap. Anyone interested in writing something up on how to use scapy or any other tool to convert the hex dump? If so, let me know and we’ll post it.

Now, it’s back up to you again. What’s Fred’s secret?

Hint: You are going to have to use some brute-force.

The following are links to information on the use of the tr, sed, text2pcap, and mergecap commands:
tr (Unix)
USEFUL ONE-LINE SCRIPTS FOR SED
text2pcap
mergecap

Tired of trying to convert the hex dump to pcap? Here is a link to the I Smell Packets Group on Google. Download the 5.pcap file.

http://groups.google.com/group/ismellpackets



Fragments in tcpdump and Wireshark
May 19, 2009, 11:07 pm
Filed under: Fragment, tcpdump, Wireshark

After the last Packet Challenge I received questions from a couple of individuals about viewing fragments in tcpdump and Wireshark.

To view the IP ID, the More Fragments Flag, and the Fragment Offset in tcpdump use the -v switch:

tcpdump -v

The -v switch stands for verbose. For even more detailed information add another one or two v’s:

tcpdump -vv or tcpdump -vvv

Wireshark by default reassembles fragments. To change this default behavior edit the preferences. In the Edit menu, select Preferences, expand the Protocols section, select IP, and uncheck the Reassemble fragmented IP datagrams checkbox.

For more information on Fragmentation the following is a link to The TCP/IP Guide section on the IP Message Fragmentation Process:

The TCP/IP Guide – IP Message Fragmentation Process



Packet Challenge
May 6, 2009, 11:57 pm
Filed under: hping, Intrusion Detection In-Depth, Packet Challenge, SANS, tcpdump

Earlier today I tweeted an easy little packet challenge. The challenge for me was keeping that packet to less than 140 characters. Here is a short description of how I created the challenge:

First, I created the payload for the packet. I did this by placing some text in a file using the following command:

echo 1st2DMmegetsAStarbuckscard > payload.txt

Next, I used a tool called Hping to craft the packet:

hping3 --icmp --file payload.txt --data 26 127.0.0.1

In the above command, the --icmp option instructs hping to create an ICMP packet. The --file option specifies a file to be used as the payload. Next, the --data option tells hping how many bytes of data to send from the payload file; in this case, it’s 26 bytes. Finally there is the destination IP address, which is 127.0.0.1.

To capture the packet, I ran a sniffer called tcpdump:

tcpdump -i lo0 -X -s0

Here is the packet in HEX:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Decoding the Packet

Here is a quick run-through of how to decode the packet. First of all, when decoding packets it’s often helpful to have a reference. Here is a link to the SANS website where you can download the TCP/IP Pocket Reference. I call this the cheat sheet.

There are also a couple of other points to remember:

1. Every two HEX characters equals one byte.

2. Start counting with 0.

Starting with byte 0, there is 45, shown in brackets below:

[45]00 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Find the IP header section on the cheat sheet. Notice that byte 0 holds two fields: the IP Version Number (high nibble) and the IP Header Length (low nibble). The 4 in the IP Version Number field means this is an IP Version 4 packet. The next field, the IP Header Length, contains a 5. This value is expressed in 32-bit words, so to calculate the IP Header Length in bytes we need to multiply this field by 4: 5*4=20. Therefore, the IP Header Length is 20 bytes.

Next count 20 bytes. Remember, every two HEX characters equals one byte, and start counting at 0.

[4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001] 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

The portion in brackets above is the IP Header. What comes next? To find out, look at the Protocol Field of the IP Header. According to the cheat sheet the Protocol Field is found in byte 9 of the IP Header. Looking back at the packet, there is a 01 there:

4500 0036 308b 0000 40[01] 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Referring back to the cheat sheet, a 1 in the Protocol Field of the IP Header means that the next protocol is going to be ICMP. Remember that when I created this packet I specified ICMP, so this is what one would expect here. Now for the ICMP part of the packet. The IP Header Length was 20 bytes, and the ICMP protocol portion begins right after it, in brackets below:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 [0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264]

To decode this portion of the packet look at the ICMP Header section of the cheat sheet. The first two bytes of the ICMP Header are the Type and Code fields. They contain 08 and 00; referring back to the cheat sheet, Type 8 with Code 0 is an ICMP Echo Request, in other words a PING.

Since it’s a PING, drop down to the Ping section of the cheat sheet and locate the Data section of the ICMP Echo. This Data should contain the text in the payload.txt file. Here is the Data section in brackets (it follows the 8-byte ICMP header: Type, Code, Checksum, Identifier, Sequence Number):

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 [3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264]

These bytes fall into the ASCII printable range, so convert them to ASCII:

31 73 74 32 44 4d 6d 65 67 65 74 73 41 53 74 61 72 62 75 63 6b 73 63 61 72 64
1 s t 2 D M m e g e t s A S t a r b u c k s c a r d
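As an added example (not part of the original post), here is a Python decoder that walks the same bytes the way the cheat sheet does: IP version and header length from byte 0, IP ID and the fragment flags/offset from bytes 4-7 (the fields the Fragments post above has you view with tcpdump -v), the Protocol field from byte 9, then the ICMP Type, Code, Identifier and Sequence Number, with the ICMP checksum recomputed and the Data section converted to ASCII only when every byte is printable. It assumes the packet text is pasted exactly as shown above.

```python
# Constructed input: the ICMP echo request from this post, pasted as the page shows it.
CHALLENGE_HEX = (
    "4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 "
    "3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264"
)

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ip_icmp(hex_text):
    """Decode the IP header and, if the protocol is ICMP, the ICMP header and data."""
    pkt = bytes.fromhex(hex_text)           # fromhex ignores the spaces between words
    ihl = (pkt[0] & 0x0F) * 4               # low nibble of byte 0: header length in 32-bit words
    total_len = int.from_bytes(pkt[2:4], "big")
    frag = int.from_bytes(pkt[6:8], "big")  # bytes 6-7: 3 flag bits + 13-bit fragment offset
    info = {
        "version": pkt[0] >> 4,             # high nibble of byte 0
        "ihl": ihl,
        "total_len": total_len,
        "ip_id": int.from_bytes(pkt[4:6], "big"),
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8, # offset is carried in 8-byte units
        "protocol": pkt[9],                 # byte 9 of the IP header
    }
    if info["protocol"] == 1:               # 1 = ICMP follows the IP header
        icmp = pkt[ihl:total_len]
        info["icmp_type"], info["icmp_code"] = icmp[0], icmp[1]
        # Recompute the ICMP checksum over header+data with the checksum field zeroed
        zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
        info["icmp_cksum_ok"] = inet_checksum(zeroed) == int.from_bytes(icmp[2:4], "big")
        if icmp[0] in (0, 8):               # echo reply/request: id, seq, then data
            info["icmp_id"] = int.from_bytes(icmp[4:6], "big")
            info["icmp_seq"] = int.from_bytes(icmp[6:8], "big")
            data = icmp[8:]
            printable = all(0x20 <= b < 0x7F for b in data)
            # Only convert to ASCII when every byte is printable; otherwise keep hex
            info["payload"] = data.decode("ascii") if printable else data.hex()
    return info

if __name__ == "__main__":
    for key, value in decode_ip_icmp(CHALLENGE_HEX).items():
        print(f"{key:14} {value}")
```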

This is just a brief explanation. It may seem like a lot of work, but it’s really not that difficult. Like most other things it takes a little practice. Some people can even do this in their sleep; I assure you I’m not one of those people.

Another thing that someone could have done was just to look for that HEX that falls into the ASCII printable range. They would’ve immediately focused in on the payload. Maybe I’ll use some double XOR encryption next time to make it harder. 😉

One of my favorite courses is the SANS Security 503: Intrusion Detection In-Depth course. In that course you get to spend 6 days learning all about TCP/IP and performing traffic analysis. There are a ton of hands-on exercises. And unlike other courses that may teach networking and TCP/IP, in this course you get to learn this stuff from an attacker’s perspective.

Congratulations to @quine for being the first to send me a message and winning the Starbucks Card. It’s on the way.