Saturday, June 8, 2013

Packet Forgery

In this discussion, we will look at a packet-forging tool known simply as "sendip".

Sendip is a packet utility that comes in handy for typical security personnel. It is great for crafting packets to check firewall policies or IPS/IDP signatures, or in some cases to check the behavior of a network device or server.

Sendip uses various modules and supports IPv4 and IPv6. Each module works on a dependency model, i.e. the outer header's module is loaded first and the inner protocol's module is stacked on top of it.

e.g.

for an ICMP message

ipv4 + icmp

for a UDP packet

ipv4 + udp


With the dual IPv4/IPv6 stack support, you can build a slew of packets, depending on the modules you enable and the options or switches you use.

Here's a terse output of the help for the udp module:

(snip)
Modules are loaded in the order the -p option appears.  The headers from
each module are put immediately inside the headers from the previos model in
the final packet.  For example, to embed bgp inside tcp inside ipv4, do
sendip -p ipv4 -p tcp -p bgp ....


Modules available at compile time:
    ipv4 ipv6 icmp tcp udp bgp rip ntp



Arguments for module udp:
   -us x    UDP source port
             Default: 0
   -ud x    UDP destination port
             Default: 0
   -ul x    UDP packet legnth
             Default: Correct
   -uc x    UDP checksum
             Default: Correct


And for tcp, we have way more options:

 (snip)
Modules available at compile time:
    ipv4 ipv6 icmp tcp udp bgp rip ntp



Arguments for module tcp:
   -ts x    TCP source port
             Default: 0
   -td x    TCP destination port
             Default: 0
   -tn x    TCP sequence number
             Default: Random
   -ta x    TCP ack number
             Default: 0
   -tt x    TCP data offset
             Default: Correct
   -tr x    TCP header reserved field EXCLUDING ECN and CWR bits
             Default: 0
   -tfe x    TCP ECN bit (rfc2481)
             Default: 0 (options are 0,1,r)
   -tfc x    TCP CWR bit (rfc2481)
             Default: 0 (options are 0,1,r)
   -tfu x    TCP URG bit
             Default: 0, or 1 if -tu specified (options are 0,1,r)
   -tfa x    TCP ACK bit
             Default: 0, or 1 if -ta specified (options are 0,1,r)
   -tfp x    TCP PSH bit
             Default: 0 (options are 0,1,r)
   -tfr x    TCP RST bit
             Default: 0 (options are 0,1,r)
   -tfs x    TCP SYN bit
             Default: 1 (options are 0,1,r)
   -tff x    TCP FIN bit
             Default: 0 (options are 0,1,r)
   -tw x    TCP window size
             Default: 65535
   -tc x    TCP checksum
             Default: Correct
   -tu x    TCP urgent pointer
             Default: 0
   -tonum x    TCP option as string of hex bytes (length is always correct)
             Default: (no options)
   -toeol      TCP option: end of list
   -tonop      TCP option: no op
   -tomss x    TCP option: maximum segment size
   -towscale x    TCP option: window scale (rfc1323)
   -tosackok      TCP option: allow selective ack (rfc2018)
   -tosack x    TCP option: selective ack (rfc2018), format is l_edge1:r_edge1,l_edge2:r_edge2...
   -tots x    TCP option: timestamp (rfc1323), format is tsval:tsecr


Okay, let's look at me crafting the following:

sendip -v  -p ipv4 -is 10.253.84.200 -p tcp -tomss 6655 -ts 3400 -td 80 -ifr 1 -ii 1234  www.example.com

ip-ident          1234
ip reserved bit   toggled on
Protocol          #6 (tcp)
Source-port       3400
Dest-port         80
MSS               6655

I'm also sourcing this packet from my real IP address, since my new provider has unicast verification enabled :(

A packet capture at the target looks something like the below:

Internet Protocol, Src: 50.112.xx.xxx (50.112.xxx.xxx), Dst: xxx.xxx.154.11 (xxx.xxx.154.11)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 44
    Identification: 0x04d2 (1234)   <--- ip.identification
    Flags: 0x08
        1... = Reserved bit: Set     <--------my reserved bit set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 242
    Protocol: TCP (0x06)
    Header checksum: 0x71fe [correct]
        [Good: True]
        [Bad : False]
    Source: 50.112.xxx.xxx (50.112.xxx.xxx)
    Destination: xxx.xxx.154.11 (xxx.xxx.154.11)
Transmission Control Protocol, Src Port: 3400 (3400), Dst Port: 80 (80), Seq: 0, Len: 0
    Source port: 3400 (3400)     <----source port
    Destination port: 80 (80)     <--- destination port
    Sequence number: 0    (relative sequence number)
    Header length: 24 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0xea68 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    Options: (4 bytes)
        Maximum segment size: 6655 bytes     <----- MSS value
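As an added example (my own code, not part of the post or of sendip), here is the same IPv4/TCP SYN built and then dissected in pure Python: build_syn mirrors the sendip command above (IP id 1234, reserved bit set, source port 3400, destination port 80, MSS 6655) and parse returns the fields the capture shows, verifying both checksums the way Wireshark's [correct] lines do. The addresses are constructed placeholders, the TTL of 255 and the sequence number 0 are assumptions, and the byte layout is straight from the IPv4/TCP RFCs.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(src, dst, sport=3400, dport=80, ip_id=1234, mss=6655, reserved=True, ttl=255):
    """IPv4 + TCP SYN with an MSS option (added example; src/dst are constructed, ttl/seq assumed)."""
    opts = struct.pack("!BBH", 2, 4, mss)                    # option kind 2 (MSS), length 4
    tcp_len = 20 + len(opts)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    def tcp_hdr(csum):                                       # data offset << 4, flags byte = SYN only
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (tcp_len // 4) << 4,
                           0x02, 65535, csum, 0) + opts
    tcp = tcp_hdr(inet_checksum(pseudo + tcp_hdr(0)))        # TCP checksum covers pseudo-header too
    def ip_hdr(csum):                                        # bit 15 of flags/offset word = reserved bit
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x8000 if reserved else 0,
                           ttl, 6, csum, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr(inet_checksum(ip_hdr(0))) + tcp

def parse(pkt: bytes) -> dict:
    """Dissect IPv4/TCP the way a capture or IDS would and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total, ip_id, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    tcp = pkt[ihl:total]
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    hlen, mss, i = (off >> 4) * 4, None, 20
    while i < hlen:                                          # walk TCP options: EOL, NOP, MSS
        kind = tcp[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += tcp[i + 1]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {"total_len": total, "ip_id": ip_id, "reserved_bit": bool(ff & 0x8000),
            "df": bool(ff & 0x4000), "ttl": ttl, "proto": proto,
            "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0,
            "sport": sport, "dport": dport, "tcp_hdr_len": hlen, "syn": bool(flags & 0x02),
            "mss": mss, "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0}
```

A set reserved bit is something no normal stack emits, so "reserved_bit" is a cheap flag to alert on in your own capture parsing.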

So if you are curious about IP packet creation and detection, "sendip is a must". IMHO it is simpler to use than Scapy, but with Scapy you can get more done. For quick, easy packet manipulation, nothing beats sendip. I will follow up with a post on Scapy.


Ken Felix
Freelance Network/Security Engineer
kfelix    ---at--- hyperfeed ----dot---com

     ^       ^
=(  0   @ )=
      /  * \
