I Smell Packets

“Ping me!” Packet Challenge Follow Up
January 6, 2011, 5:37 am
Filed under: hping, nping, spoof, tcpdump

This is a follow up to the “Ping me!” packet challenge.  In the previous post I asked how you could spoof MAC addresses using Nping and Hping.  Here is the answer:

Using Nping

# nping --icmp -c 1 --icmp-type 0 --dest-ip --source-ip --icmp-id 0 --icmp-seq 555 --data-string 'Ping me!' --source-mac 00:0c:29:48:55:1f --dest-mac 00:0c:29:a6:5e:2f

Starting Nping 0.5.35DC1 ( http://nmap.org/nping ) at 2011-01-02 09:34 PST
SENT (0.0000s) ICMP > Echo reply (type=0/code=0) ttl=64 id=17243 iplen=36

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (50B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Tx time: 0.00083s | Tx bytes/s: 59952.04 | Tx pkts/s: 1199.04
Rx time: 0.99989s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 1.00 seconds

The following is the output from tcpdump:

# tcpdump -i en1 -e  host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:24.609114 00:0c:29:48:55:1f (oui Unknown) > 00:0c:29:a6:5e:2f (oui Unknown), ethertype IPv4 (0x0800), length 50: > ICMP echo reply, id 0, seq 555, length 16

Using Hping

Hping has no option to spoof MAC addresses, but that doesn’t stop us from working around it.

On most *nix machines the MAC address can be changed with something close to the following:

# ifconfig en1 ether 00:0c:29:48:55:1f

For instructions on how to change MAC addresses on other OSs see the following link:

Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing)

That takes care of the source MAC address, but what about the destination MAC address?  That can be set by creating a static ARP entry for the destination IP, so the kernel puts the MAC address we want into the frame:

arp -S 00:0c:29:a6:5e:2f

Now just run hping as demonstrated in the previous post.


The “Ping me!” Packet Challenge Solution using Hping
October 7, 2010, 2:51 am
Filed under: hping, Packet Challenge

As promised here’s the solution to the “Ping me!” packet challenge using hping.  The first example shows how to craft the reply using just the built-in command line options.  As you will see, hping does have some limitations.  The second example shows a way to overcome these limitations and craft a better reply.

Example #1 — Crafting a reply using Hping

# hping3 -a -c 1 -1 -C 0 -e "Ping me"!
HPING (en1 icmp mode set, 28 headers + 8 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!

--- hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Here is a breakdown of the command:

  • is the destination IP address.
  • ‘-a’ spoofs the source IP address.
  • ‘-c 1’ sends one packet.
  • ‘-1’ specifies ICMP mode.
  • ‘-C 0’ specifies ICMP type 0, aka an echo reply.

The following is the output from tcpdump:

11:40:26.480933 IP > ICMP echo reply, id 6699, seq 0, length 16

Notice the sequence number? We need to set that sequence number to 555, but hping’s built-in command line options don’t give us the ability to do so.  Let’s try it another way.

Example #2 — Crafting a better reply using Hping

# hping3 -a -c 1 -0 -H 1 -E payload.bin -d 16
HPING (en1 raw IP mode set, 20 headers + 16 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!
--- hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

The above command lets us set the ICMP sequence number, something we weren’t able to do using hping3’s built-in ICMP options.

  • is the destination IP address.
  • ‘-a’ spoofs the source IP address.
  • ‘-c 1’ sends one packet.
  • ‘-0’ specifies raw IP mode.
  • ‘-H 1’ sets the IP protocol field to 1 (ICMP) when in raw IP mode.
  • ‘-E payload.bin’ reads the payload from the file payload.bin.
  • ‘-d 16’ is the length of the payload in bytes.

Here is a screenshot of payload.bin
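The screenshot is not reproduced here, so as an added example (not part of the original post) the following Python script builds the same 16 bytes that hping3 sends verbatim from payload.bin: an ICMP echo-reply header (type 0, code 0, id 0, seq 555) with its RFC 792 checksum, followed by the ‘Ping me!’ data. It also shows the reverse check, validating the checksum of a message read back; the resulting checksum 0xb975 can be compared with the tcpdump hex dumps further down the page.

```python
import struct

# ICMP message types used by the challenge (RFC 792)
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length is zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, data: bytes) -> bytes:
    """Return a complete ICMP echo message: 8-byte header + data, checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)   # checksum field = 0
    csum = inet_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + data


def echo_reply_for(request: bytes) -> bytes:
    """Craft the reply RFC 792 requires: type 0, same identifier, sequence and data."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    if icmp_type != ICMP_ECHO_REQUEST or code != 0:
        raise ValueError("not an ICMP echo request")
    return build_icmp(ICMP_ECHO_REPLY, 0, ident, seq, request[8:])


def verify_icmp(message: bytes) -> bool:
    """True when the checksum over the whole ICMP message is valid (sum folds to zero)."""
    return len(message) >= 8 and inet_checksum(message) == 0


# Constructed request carrying the challenge's values: type 8, id 0, seq 555, "Ping me!".
CHALLENGE_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, 0, 555, b"Ping me!")

if __name__ == "__main__":
    reply = echo_reply_for(CHALLENGE_REQUEST)
    # These 16 bytes are what hping3 sends with: -0 -H 1 -E payload.bin -d 16
    with open("payload.bin", "wb") as fh:
        fh.write(reply)
    print(reply.hex(), verify_icmp(reply))
```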

The following is the output from tcpdump:

13:08:58.353552 IP > ICMP echo reply, id 0, seq 555, length 16

With scapy we were able to spoof the source MAC address.  Bonus points to anyone who can tell me how we could do the same thing here.

Another “Ping me!” Packet Challenge Solution
October 6, 2010, 3:35 am
Filed under: nping, Packet Challenge

Jon Wohlberg (@jonw18 on Twitter) sent in a solution to the “Ping me!” packet challenge using nping:

Jon writes:

After opening the packet in tcpdump and wireshark, I immediately noticed that this was an ICMP packet. Specifically, it is an ICMP echo request or, as it is better known, a ping request. According to the instructions we had to craft a packet that would reply to this packet.

Therefore, we need to craft an ICMP echo reply.

In order to craft a packet I could have chosen numerous programs including scapy, hping, and nemesis. However, for this task I chose nping, a packet crafter from the creators of nmap.

First we need to obtain all pertinent information from the packet provided.
1. Source IP (one initiating the echo request) -->
2. Destination IP (one receiving the request) -->
3. ICMP Type and Code (stating that this is an echo request)
TYPE = 8
CODE = 0
4. ICMP Identifier --> 0
5. ICMP Sequence number --> 555
6. ICMP Data --> Ping me!

Now that we have all of the important information, we can craft a packet (an ICMP echo reply) to reply to this request. We will be replying with the following information:
1. Source IP (this is the machine responding) -->
2. Destination IP (one who originally initiated the request) -->
3. ICMP Type and Code (stating that this is an echo reply)
TYPE = 0
CODE = 0

The ICMP RFC (RFC 792) states: “The identifier and sequence number may be used by the echo sender to aid in matching the replies with the echo requests.” “The echoer returns these same values in the echo reply.”

Meaning the ICMP identifier and sequence number need to be the same.
4. ICMP Identifier --> 0
5. ICMP Sequence number --> 555

The RFC also states: “The data received in the echo message must be returned in the echo reply message.”

Translation: the data sent in the echo request must be sent back in the echo reply.
6. ICMP Data --> Ping me!

Now that we have our echo reply values we can craft our packet with nping. The command I used is:

nping --icmp -c 1 --icmp-type 0 --icmp-code 0 --source-ip --dest-ip --icmp-id 555 --icmp-seq 0 --data-string 'Ping me!'

This command can be broken down as follows:
1. nping --> name of the program
2. --icmp --> tells nping to use the ICMP protocol
3. -c 1 --> tells nping to send only one packet
4. --icmp-type 0 and --icmp-code 0 --> indicates an echo reply
5. --source-ip --> states that this will be the address replying to the echo request. Where the reply originates from.
6. --dest-ip --> where we are sending the reply. This is the machine that initiated the conversation.
7. --icmp-id 555 --> we need to include the ICMP identifier from the echo request.
8. --icmp-seq 0 --> the ICMP sequence number from the echo request
9. --data-string 'Ping me!' --> the data from the echo request that must be included.

Once we crafted our packet we need to capture the results. This can be done with tcpdump. The command I used was:

tcpdump -vnnX -i eth0 -w 13_answer.pcap icmp

This tells tcpdump to listen in verbose mode, disable name and port resolution, print hex, use interface eth0, write the results to a file and filter on ICMP traffic.

tcpdump captures the following echo reply:

14:39:57.508501 IP (tos 0x0, ttl 64, id 18673, offset 0, flags [none],
proto ICMP (1), length 36) > ICMP echo reply, id 555, seq 0, length 16
0x0000:  4500 0024 48f1 0000 4001 1f95 c0a8 c881  E..$H...@.......
0x0010:  c0a8 c880 0000 b975 022b 0000 5069 6e67  .......u.+..Ping
0x0020:  206d 6521                                .me!

After viewing our results in wireshark, we confirmed a successful echo reply to the challenge.

The capture file can be downloaded from the I Smell Packets Google group at the following URL:


The filename is:


Chris continues:

I hadn’t used nping until this.  Pretty cool.  Thanks for the write-up Jon.  I’ll post a solution using hping tomorrow.


The “Ping me!” Packet Challenge Solution
October 5, 2010, 1:39 am
Filed under: Packet Challenge, scapy, spoof

The winner of The “Ping me!” Packet Challenge is Johannes Ullrich (@johullrich on Twitter) Here’s Johannes’ solution:

Johannes writes:

I used scapy to craft the response. Here is the scapy command line sequence with explanation:

e=Ether(dst='00:0c:29:a6:5e:2f', src='00:0c:29:48:55:1f', type=0x0800);

The ethernet header: Just reverse source and destination, but keep the type the same.

i=IP(version=4, ihl=5, tos=0, len=36, id=1234, flags=0, frag=0, ttl=64, proto=1, src=’′,dst=’′);

For the IP header:
- we swap the source/destination, but keep everything else the same. TTL could of course be different, but let’s just assume that the receiving host also uses a Unix’isch starting TTL of 64. I picked a different IP ID just to make a point that it is not necessarily the same as the inbound one.

The ICMP Header:

ic=ICMP(type=0, code=0, id=1, seq=555);

Type and code are ‘0’ for an ICMP echo reply. The ID and sequence number have to be the same as in the request.

The payload is the same as the request (Ping me!).

So the complete packet:

p=e/i/ic/'Ping me!'

and then send it at layer 2: sendp(p) (optionally, we could specify the interface here).

Here is the packet as received by tcpdump using the ‘xx’ option to inspect the full ethernet header:

02:19:27.048612 IP > ICMP echo reply, id 1, seq 555, length 16
0x0000:  000c 29a6 5e2f 000c 2948 551f 0800 4500
0x0010:  0024 04d2 0000 4001 63b4 c0a8 c881 c0a8
0x0020:  c880 0000 b974 0001 022b 5069 6e67 206d
0x0030:  6521


Chris continues:

Congrats Johannes!  Of course if Johannes enters he’s going to win. 🙂  Honorable mention goes out to Jon Wohlberg who used Nping to craft the ICMP echo reply.  I’ll post Jon’s solution tomorrow.
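Both write-ups check the captured reply by reading the tcpdump hex dump by eye. As an added example (not from either post and not the tools’ own code), here is a Python script that parses tcpdump -x/-xx hex dumps into bytes, decodes the Ethernet (when present), IPv4 and ICMP headers, verifies both checksums, and applies the RFC 792 rule quoted by Jon: the reply must carry the request’s identifier, sequence number and data. The two dumps quoted above are embedded as they appear on the page; the -xx dump also exposes the swapped MAC addresses that the nping post spoofs.

```python
import re
import struct

# Hex dumps quoted in the two posts above: Johannes's (tcpdump -xx, Ethernet header
# included) and Jon's (tcpdump -X, IP only, with an ASCII column the parser must skip).
DUMP_WITH_ETHER = """0x0000:  000c 29a6 5e2f 000c 2948 551f 0800 4500
0x0010:  0024 04d2 0000 4001 63b4 c0a8 c881 c0a8
0x0020:  c880 0000 b974 0001 022b 5069 6e67 206d
0x0030:  6521"""
DUMP_IP_ONLY = """0x0000:  4500 0024 48f1 0000 4001 1f95 c0a8 c881  E..$H...@.......
0x0010:  c0a8 c880 0000 b975 022b 0000 5069 6e67  .......u.+..Ping
0x0020:  206d 6521                                .me!"""
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4}\s)*[0-9a-f]{2,4})", re.I)

def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex column of each tcpdump -x/-X line (the ASCII column is ignored)."""
    groups = (m.group(1) for m in map(HEX_LINE.match, dump.splitlines()) if m)
    return bytes.fromhex("".join(groups).replace(" ", ""))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a header whose checksum is valid yields 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(frame: bytes, has_ether: bool) -> dict:
    """Decode optional Ethernet + IPv4 + ICMP headers and verify both checksums."""
    pkt = {}
    if has_ether:
        dst, src, etype = struct.unpack("!6s6sH", frame[:14])
        pkt["eth"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": etype}
        frame = frame[14:]
    ihl = (frame[0] & 0x0F) * 4
    tlen, ipid, ttl, proto, src, dst = struct.unpack("!2xHH2xBB2x4s4s", frame[:20])
    pkt["ip"] = {"id": ipid, "ttl": ttl, "proto": proto, "src": ".".join(map(str, src)),
                 "dst": ".".join(map(str, dst)), "csum_ok": inet_checksum(frame[:ihl]) == 0}
    icmp = frame[ihl:tlen]                      # IP total length bounds the ICMP message
    t, c, ident, seq = struct.unpack("!BB2xHH", icmp[:8])
    pkt["icmp"] = {"type": t, "code": c, "id": ident, "seq": seq, "data": icmp[8:],
                   "csum_ok": inet_checksum(icmp) == 0}
    return pkt

def answers_request(pkt: dict, req_id: int, req_seq: int, req_data: bytes) -> bool:
    """RFC 792: the reply must echo the request's identifier, sequence number and data."""
    i = pkt["icmp"]
    return ((i["type"], i["code"], i["id"], i["seq"], i["data"]) == (0, 0, req_id, req_seq, req_data)
            and i["csum_ok"] and pkt["ip"]["csum_ok"])
```

answers_request() is the check to run with the challenge’s own identifier, sequence number and data against any candidate reply; decode() alone is enough to confirm that the MAC addresses, IP ID and TTL in a capture are the ones you intended to send.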