I Smell Packets

Solution to the “Check It Out” Packet Challenge using Scapy
April 22, 2011, 1:03 am
Filed under: Packet Challenge, scapy | Tags: , ,

Here’s a nifty solution to the “Check It Out” Packet Challenge by StalkR (@stalkr_ on Twitter) that uses Scapy:

StalkR writes:

Just seen the challenge and wanted to try 🙂

1) save the hexdump on the blog post into packet.txt

2) turn it back into a hex string
$ awk ‘$0!=””{print $0}’ packet.txt |sed ‘s/ //g’ |tr -d ‘\n’ > packet.hex

3) run scapy
$ scapy
Welcome to Scapy (2.1.0)

4) load hex and decode
$ scapy
>>> p = open(‘packet.hex’).read().decode(‘hex’)
>>> p

5) load it as an IP packet
>>> p = IP(p)
>>> p
<IP  version=4L ihl=5L tos=0x0 len=1319 […] chksum=0x0

6) remove chksum to force calculation
>>> p.chksum = None

7a) force calculation of chksum either with show2()
>>> p.show2()
###[ IP ]###
chksum= 0xb27c

7b) or just turn packet into string and load it again:
>>> ‘0x%04x’ % IP(str(p)).chksum

Hurray for scapy \o/

Chris continues:

Very cool use of scapy.  What other tools could we use to solve this?

As always, if you’d like to submit a challenge to http://www.ismellpackets.com contact me at chris (dot) christianson (at) gmail (dot) com.

Bookmark and Share



The “Ping me!” Packet Challenge Solution
October 5, 2010, 1:39 am
Filed under: Packet Challenge, scapy, spoof | Tags: , ,

The winner of The “Ping me!” Packet Challenge is Johannes Ullrich (@johullrich on Twitter) Here’s Johannes’ solution:

Johannes writes:

I used scapy to craft the response. Here is the scapy command line sequence with explanation:

e=Ether(dst=’00:0c:29:a6:5e:2f’, src=’00:0c:29:48:55:1f’, type=0x0800);

The ethernet header: Just reverse source and destination, but keep the type the same.

i=IP(version=4, ihl=5, tos=0, len=36, id=1234, flags=0, frag=0, ttl=64, proto=1, src=’′,dst=’′);

For the IP header:
– – we swap the source/destination, but keep everything else the same. TTL could of course be different but lets just assume that the receiving host also uses a Unix’isch starting TTL of 64. I picked a different IP ID just to make a point that it is not necessarily the same as the inbound one.

The ICMP Header:

ic=ICMP(type=0, code=0, id=1, seq=555);

type and code is ‘0’ for an ICMP echo reply. The ID and sequence number have to be the same as in the request.

The payload is the same as the request (Ping me!).

So the complete packet:

p=e/i/ic/’Ping me!’

and then send it at layer 2: sendp(p) (optionally, we could specify the interface here).

Here is the packet as received by tcpdump using the ‘xx’ option to inspect the full ethernet header:

02:19:27.048612 IP > ICMP echo reply, id 1, seq 555, length 16
0x0000:  000c 29a6 5e2f 000c 2948 551f 0800 4500
0x0010:  0024 04d2 0000 4001 63b4 c0a8 c881 c0a8
0x0020:  c880 0000 b974 0001 022b 5069 6e67 206d
0x0030:  6521


Chris continues:

Congrats Johannes!  Of course if Johannes enters he’s going to win. 🙂  Honorable mention goes out to Jon Wohlberg who used Nping to craft the ICMP echo reply.  I’ll post Jon’s solution tomorrow.