Thursday, November 8, 2012
Packet forging with sendip
Sendip is a great tool that allows for you too just about craft any packet type that commonly used. Unlike hping, scapy,etc....... The tool use modules that you specify at the cli with the -p switch.
It's probably less complex overall in execution, than scapy btw. The modules and functions allows what you can executed & the features within those protocols.
The supported modules as of today are the following;
ipv4 ipv6 icmp tcp udp bgp rip ntp
So what this mean to me and you. We can have fun with the above protocols :)
Now, let look at why one would use sendip;
1: the testing of IPS rules for a signature matches or expression filters
2: executing testing of firewall state and session tables and it's controls
3: wrecking havoc against a resource
4: help with packet matching and signature creation
5: for unethical activities
6: to recreate a previous seen packet for analysis in a controlled environment
Okay that's some of the reason one would use sendip. The sendip utility requires you to specify at least one module and their's dependencies on how you apply the modules. You can't callout for tcp.flag ACK and not have module tcp selected. Or icmp and not have ipv4 or ipv6.
For example, if you want to use BGP; you will need the modules ipv4+tcp+bgp. If you wanted to craft a packet to simulate SNMPget, you would need ipv4 +udp.
So what this means, from the cli , you would execute a few "-p" switches during your execution.
Here's an example; one of my SERT team members in my dead-end day-job, wrote a threat advisory of an attack that was identified earlier.
It used a mss value of zero plus a few other characteristics in the threat advisory.
I used sendip to craft the packet , so that I could write a signature and actually trigger that signature on my IDS for testing the validity of that threat and detection.
i.e ( using send ip )
sendip -p ipv4 -p tcp -ts 0 -tn 0 -td 80 -tomss 0 -tfs 1
This created the threat via modules ip and tcp, plus tcp-syn packet with dst port 80 (web), seq 0, ip.id 2 and mss value of 0. A tcpdump of the packet will validate this forged packet ;
2012-07-03 09:56:36.044893 127.0.0.1 -> 127.0.0.111 TCP 0 > http
[SYN] Seq=0 Win=65535 Len=0 MSS=0
Also tshark could have been used as an alternative
( tcp.seq == 0 && !(tcp.options.mss_val) && tcp.flags == 0x02 && ip.id == 0x0002 )
A signature could have been written just for this match, but better yet I wrote it just for a match of a mss_value that equal 0. Since no valid tcp SYN or SYN/ACK packet should ever contain a mss value of zero for the start of a tcp session, regardless of the ip.id or sequence number.
NOTE: This packet would be considered incorrect or Deceivous, just from a mss value of 0.
Have a look at the sendip tool and the capabilities that it allows. You will find strange and unique features within sendip, that can be used for a host of reasons; both good or bad.
"Happy packet hunting"
Freelance Security & Network Engineer
kfelix " a t " hyperfeed.com
Posted by socpuppets at 9:30 AM