Thursday, November 8, 2012

Packet forging with sendip

 


Sendip is a great tool that allows for you too just about craft any packet type that commonly used. Unlike  hping, scapy,etc....... The tool use modules that you specify at the cli with the -p switch. 

It's probably less complex overall  in execution,  than scapy btw. The modules and functions allows what you can executed & the features within those protocols.

The supported  modules as of today are the following;

ipv4 ipv6 icmp tcp udp bgp rip ntp

So what this mean to me and you. We can have fun with the above protocols :)

Now, let look at why one would use sendip;

   1: the testing of IPS rules for a signature matches or expression filters
   2: executing testing of firewall state and session tables and it's controls
   3: wrecking havoc against a resource
   4: help with packet matching and signature creation
   5: for unethical activities
   6: to recreate a previous seen packet for analysis in a controlled environment


Okay that's some of the reason one would use sendip. The sendip  utility requires you to specify at least one module and their's dependencies on how you apply the modules. You can't  callout  for tcp.flag ACK and not have module tcp selected. Or icmp and not have ipv4 or ipv6.

For example, if you want to use BGP; you will need the modules ipv4+tcp+bgp. If you wanted to  craft a packet to simulate  SNMPget, you would need ipv4 +udp.

So what this means, from the cli , you would execute a few "-p" switches during your execution. 

Here's an example;  one of my SERT  team members in my dead-end day-job, wrote a threat advisory of an attack that was identified earlier. 

It  used a mss value of zero plus a few other  characteristics in the threat advisory.


I used sendip to craft the packet , so that I could write a signature and actually trigger that signature on my IDS for testing the validity of that threat and detection.

i.e ( using send ip )

sendip -p ipv4 -p tcp -ts 0 -tn 0 -td 80 -tomss 0 -tfs 1


This created the threat via modules ip and tcp, plus  tcp-syn packet with  dst port 80 (web), seq 0, ip.id 2  and mss value of 0.  A tcpdump of the packet will validate this  forged packet ;


2012-07-03 09:56:36.044893    127.0.0.1 -> 127.0.0.111  TCP 0 > http
[SYN] Seq=0 Win=65535 Len=0 MSS=0

Also tshark could have been used as an alternative

(
tcp.seq == 0 && !(tcp.options.mss_val) && tcp.flags == 0x02 && ip.id == 0x0002  )

A signature could have been written just for this match, but better yet I wrote it just for a match of a mss_value  that equal 0. Since no valid tcp SYN or SYN/ACK packet should ever contain a mss value of zero for the start of a  tcp session, regardless of the  ip.id or sequence number. 


NOTE: This packet would be considered incorrect or  Deceivous,   just from a  mss value of 0.
 
Have a look at the sendip  tool and the capabilities that it allows. You will find strange and unique features within sendip that can be used for a host of reasons; both good or bad.





"Happy packet hunting"
 
Ken Felix

Freelance Security & Network  Engineer
kfelix " a t " hyperfeed.com

No comments:

Post a Comment