In this discussion, we will look at a packet forging tool known simply as "sendip".
Sendip is a packet-crafting utility that comes in handy for typical security personnel. It is great for crafting packets to check firewall policies or IPS/IDS signatures, or in some cases to check the behavior of a network device or server.
Sendip uses various modules and supports IPv4 and IPv6. Each module works on a dependency model: the protocol modules are stacked, and the header built by each module is placed inside the header of the module loaded before it,
e.g.
for an ICMP message
ipv4 + icmp
for a UDP packet
ipv4 + udp
With the dual IPv4/IPv6 stack support, you can build a slew of packets, depending on the modules you enable and the options or switches you use.
Here's the (snipped) help output for the udp module:
(snip)
Modules are loaded in the order the -p option appears. The headers from
each module are put immediately inside the headers from the previous module in
the final packet. For example, to embed bgp inside tcp inside ipv4, do
sendip -p ipv4 -p tcp -p bgp ....
Modules available at compile time:
ipv4 ipv6 icmp tcp udp bgp rip ntp
Arguments for module udp:
-us x UDP source port
Default: 0
-ud x UDP destination port
Default: 0
-ul x UDP packet length
Default: Correct
-uc x UDP checksum
Default: Correct
And for tcp, we have many more options:
(snip)
Modules available at compile time:
ipv4 ipv6 icmp tcp udp bgp rip ntp
Arguments for module tcp:
-ts x TCP source port
Default: 0
-td x TCP destination port
Default: 0
-tn x TCP sequence number
Default: Random
-ta x TCP ack number
Default: 0
-tt x TCP data offset
Default: Correct
-tr x TCP header reserved field EXCLUDING ECN and CWR bits
Default: 0
-tfe x TCP ECN bit (rfc2481)
Default: 0 (options are 0,1,r)
-tfc x TCP CWR bit (rfc2481)
Default: 0 (options are 0,1,r)
-tfu x TCP URG bit
Default: 0, or 1 if -tu specified (options are 0,1,r)
-tfa x TCP ACK bit
Default: 0, or 1 if -ta specified (options are 0,1,r)
-tfp x TCP PSH bit
Default: 0 (options are 0,1,r)
-tfr x TCP RST bit
Default: 0 (options are 0,1,r)
-tfs x TCP SYN bit
Default: 1 (options are 0,1,r)
-tff x TCP FIN bit
Default: 0 (options are 0,1,r)
-tw x TCP window size
Default: 65535
-tc x TCP checksum
Default: Correct
-tu x TCP urgent pointer
Default: 0
-tonum x TCP option as string of hex bytes (length is always correct)
Default: (no options)
-toeol TCP option: end of list
-tonop TCP option: no op
-tomss x TCP option: maximum segment size
-towscale x TCP option: window scale (rfc1323)
-tosackok TCP option: allow selective ack (rfc2018)
-tosack x TCP option: selective ack (rfc2018), format is l_edge1:r_edge1,l_edge2:r_edge2...
-tots x TCP option: timestamp (rfc1323), format is tsval:tsecr
Okay, let's look at crafting the following:
sendip -v -p ipv4 -is 10.253.84.200 -p tcp -tomss 6655 -ts 3400 -td 80 -ifr 1 -ii 1234 www.example.com
The switches map to the header fields as follows:
-ii 1234: IP identification 1234
-ifr 1: IP reserved bit toggled on
-p tcp: protocol #6 (TCP)
-ts 3400: TCP source port 3400
-td 80: TCP destination port 80
-tomss 6655: TCP MSS option 6655
I'm also sourcing this packet from my real IP address, since my new provider has unicast verification enabled :(
A packet capture at the target looks something like the below:
Internet Protocol, Src: 50.112.xx.xxx (50.112.xxx.xxx), Dst: xxx.xxx.154.11 (xxx.xxx.154.11)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x04d2 (1234) <--- ip.identification
Flags: 0x08
1... = Reserved bit: Set <--------my reserved bit set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 242
Protocol: TCP (0x06)
Header checksum: 0x71fe [correct]
[Good: True]
[Bad : False]
Source: 50.112.xxx.xxx (50.112.xxx.xxx)
Destination: xxx.xxx.154.11 (xxx.xxx.154.11)
Transmission Control Protocol, Src Port: 3400 (3400), Dst Port: 80 (80), Seq: 0, Len: 0
Source port: 3400 (3400) <----source port
Destination port: 80 (80) <--- destination port
Sequence number: 0 (relative sequence number)
Header length: 24 bytes
Flags: 0x02 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xea68 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (4 bytes)
Maximum segment size: 6655 bytes <----- MSS value
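To see exactly how the fields in that capture are laid out on the wire, here is an added Python example (not from the original post, and not part of sendip) that builds the same IPv4 + TCP SYN in pure Python, computing both the IP header checksum and the pseudo-header TCP checksum, and then decodes it back into the fields the capture annotates (identification, reserved bit, ports, header lengths, MSS). The source address is the -is value from the command above; the destination 192.0.2.11 is a constructed placeholder, since the capture's real addresses are masked.

```python
"""Build and decode the IPv4/TCP SYN produced by the sendip command above.

Added example (not from the original post): constructs the packet in pure
Python so the field layout seen in the capture can be inspected byte by byte.
"""
import socket
import struct

SRC_IP = "10.253.84.200"   # the -is value from the sendip command
DST_IP = "192.0.2.11"      # constructed placeholder; real capture address is masked


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src=SRC_IP, dst=DST_IP, sport=3400, dport=80, ident=1234,
              reserved_bit=True, mss=6655, ttl=64, seq=0, window=65535) -> bytes:
    """Return an IPv4 packet carrying a TCP SYN with a single MSS option."""
    # MSS option is kind 2, length 4, 16-bit value: exactly 4 bytes, so the TCP
    # header grows from 20 to 24 bytes (data offset 6) with no padding needed.
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4
    flags = 0x02                              # SYN only, sendip's -tfs default of 1
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          data_offset << 4, flags, window, 0, 0) + options
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length.
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(tcp_hdr))
    tcp_csum = inet_checksum(pseudo + tcp_hdr)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]

    total_length = 20 + len(tcp_hdr)
    # Flags/fragment word: bit 15 is the reserved bit that -ifr 1 sets,
    # bit 14 is DF, bit 13 is MF, the low 13 bits are the fragment offset.
    flags_frag = 0x8000 if reserved_bit else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                         ttl, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_csum = inet_checksum(ip_hdr)           # computed with the checksum field zeroed
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:]
    return ip_hdr + tcp_hdr


def decode(packet: bytes) -> dict:
    """Pull out the fields the capture annotates and verify both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    total_length, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    tcp = packet[ihl:total_length]
    sport, dport, seq, ack, off_byte, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    tcp_hlen = (off_byte >> 4) * 4
    mss = None
    opts = tcp[20:tcp_hlen]
    i = 0
    while i < len(opts):                      # walk the TCP option list
        kind = opts[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    # A correct checksum sums to 0xFFFF, so re-running the routine yields 0.
    return {
        "total_length": total_length,
        "ident": ident,
        "reserved_bit": bool(flags_frag & 0x8000),
        "dont_fragment": bool(flags_frag & 0x4000),
        "protocol": proto,
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "sport": sport,
        "dport": dport,
        "tcp_header_length": tcp_hlen,
        "flags": flags,
        "syn": bool(flags & 0x02),
        "window": window,
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "mss": mss,
    }


if __name__ == "__main__":
    for field, value in decode(build_syn()).items():
        print(f"{field}: {value}")
```

Running it prints total_length 44, ident 1234, reserved_bit True, tcp_header_length 24 and mss 6655, matching the capture. Flipping any byte of the built packet makes the corresponding checksum_ok flag go False, which is the same check the dissector performs when it labels a checksum [correct].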
So if you are curious about IP packet creation and detection, sendip is a must. IMHO it is simpler to use than scapy, although with scapy you can get more done. For quick, easy packet manipulation, nothing beats sendip. I will follow up with a post on scapy.
Ken Felix
Freelance Network/Security Engineer
kfelix ---at--- hyperfeed ----dot---com
^ ^
=( 0 @ )=
/ * \