I Smell Packets


“Ping me!” Packet Challenge Follow Up
January 6, 2011, 5:37 am
Filed under: hping, nping, spoof, tcpdump | Tags: , , ,

This is a follow up to the “Ping me!” packet challenge.  In the previous post I asked how you could spoof MAC addresses using Nping and Hping.  Here is the answer:

Using Nping

# nping –icmp -c 1 –icmp-type 0 –dest-ip 192.168.200.128 –source-ip 192.168.200.129 –icmp-id 0 –icmp-seq 555 –data-string ‘Ping me!’ –source-mac 00:0c:29:48:55:1f –dest-mac 00:0c:29:a6:5e:2f

Starting Nping 0.5.35DC1 ( http://nmap.org/nping ) at 2011-01-02 09:34 PSTSENT (0.0000s) ICMP 192.168.200.129 > 192.168.200.128 Echo reply (type=0/code=0) ttl=64 id=17243 iplen=36

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (50B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Tx time: 0.00083s | Tx bytes/s: 59952.04 | Tx pkts/s: 1199.04
Rx time: 0.99989s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 1.00 seconds

The following is the output from tcpdump:

# tcpdump -i en1 -e  host 192.168.200.128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes21:31:24.609114 00:0c:29:48:55:1f (oui Unknown) > 00:0c:29:a6:5e:2f (oui Unknown), ethertype IPv4 (0x0800), length 50: 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 0, seq 555, length 16

Using Hping

Hping doesn’t have the ability to spoof MAC addresses, but that still doesn’t prevent us from working around it.

The MAC address of most *nix machines can be changed by doing something close to the following:

# ifconfig en1 ether 00:0c:29:48:55:1f

For instructions on how to change MAC addresses on other OSs see the following link:

Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing)

That takes care of the source MAC address, but what about the destination MAC address?  This can be spoofed by creating a static ARP entry:

arp -S 192.168.200.128 00:0c:29:a6:5e:2f

Now just run hping as demonstrated in the previous post.



The “Ping me!” Packet Challenge Solution using Hping
October 7, 2010, 2:51 am
Filed under: hping, Packet Challenge | Tags: , ,

As promised here’s the solution to the “Ping me!” packet challenge using hping.  The first example shows how to craft the reply using just the built-in command line options.  As you will see, hping does have some limitations.  The second example shows a way to overcome these limitations and craft a better reply.

Example #1 — Crafting a reply using Hping

# hping3 192.168.200.128 -a 192.168.200.129 -c 1 -1 -C 0 -e “Ping me”!
HPING 192.168.200.128 (en1 192.168.200.128): icmp mode set, 28 headers + 8 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!

— 192.168.200.128 hping statistic —
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Here is a break down of the command:

  • 192.168.200.128 is the destination IP address.
  • ‘-a 192.168.200.129’ spoofs the source IP address.
  • ‘-c 1’ sends one packet.
  • ‘-1’ specifies ICMP.
  • ‘-C 0’ specifies ICMP Code 0 aka a echo reply.

The following is the output from tcpdump:

11:40:26.480933 IP 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 6699, seq 0, length 16

Notice the sequence number? We need to set that sequence number to 555, but hping’s built-in command line options don’t give us the ability to do so.  Let’s try it another way.

Example #2 — Crafting a better reply using Hping

# hping3 192.168.200.129 -a 192.168.200.128 -c 1 -0 -H 1 -E payload.bin -d 16
HPING 192.168.200.129 (en1 192.168.200.129): raw IP mode set, 20 headers + 16 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!
— 192.168.200.129 hping statistic —
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

The above command let’s us set the ICMP Sequence number, something we weren’t able to do with using hping3’s built-in options.
  • 192.168.200.128 is the destination IP address.
  • ‘-a 192.168.200.129’ spoofs the source IP address.
  • ‘-c 1’ sends one packet.
  • ‘-0’ specifies Raw IP mode.
  • ‘-H 1’ set the protocol to ICMP when in Raw mode.
  • ‘-E payload.bin’ is the payload.
  • ‘-d 16’ is the length of the payload in bytes.

Here is a screenshot of payload.bin

payload.jpg

 

 

 

 

 

 

The following is the output from tcpdump:

13:08:58.353552 IP 192.168.200.128 > 192.168.200.129: ICMP echo reply, id 0, seq 555, length 16

With scapy we were able to spoof the source MAC address.  Bonus points to anyone who can tell me how we could do the same thing here?

 

References:

http://www.hping.org/manpage.html