Packet manipulation

In this chapter, we’ll try to do variant implementations using the awesome lib, PacketFu[^1].

PacketFu - The packet manipulation

PacketFu Features

  • Manipulating TCP protocol
  • Manipulating UDP protocol
  • Manipulating ICMP protocol
  • Packet Capturing - Support TCPdump style[^2]
  • Read and write PCAP files

Installing PacketFu

Before installing packetfu gem you’ll need to install ruby-dev and libpcap-dev

  1. apt-get -y install libpcap-dev

then install packetfu and pcaprub(required for packet reading and writing from network interfaces)

  • Install packetfu & pcaprub gems
    1. gem install packetfu pcaprub

Basic Usage

Get your interface information

  1. require 'packetfu'
  3. ifconfig = PacketFu::Utils.ifconfig("wlan0")
  4. ifconfig[:iface]
  5. ifconfig[:ip_saddr]
  6. ifconfig[:eth_saddr]

Get MAC address of a remote host

  1. PacketFu::Utils.arp("192.168.0.21", :iface => "wlan0")

Read Pcap file

  1. PacketFu::PcapFile.read_packets("file.pcap")

Building TCP Syn packet

  1. require 'packetfu'
  3. def pkts
  4.   #$config = PacketFu::Config.new(PacketFu::Utils.whoami?(:iface=> "wlan0")).config     # set interface
  5.   $config = PacketFu::Config.new(:iface=> "wlan0").config   # use this line instead of above if you face `whoami?': uninitialized constant PacketFu::Capture (NameError)
  7.   #
  8.   #--> Build TCP/IP
  9.   #
  10.   #- Build Ethernet header:---------------------------------------
  11.   pkt = PacketFu::TCPPacket.new(:config => $config , :flavor => "Linux")    # IP header
  12.   #     pkt.eth_src = "00:11:22:33:44:55"        # Ether header: Source MAC ; you can use: pkt.eth_header.eth_src
  13.   #     pkt.eth_dst = "FF:FF:FF:FF:FF:FF"        # Ether header: Destination MAC ; you can use: pkt.eth_header.eth_dst
  14.   pkt.eth_proto                                  # Ether header: Protocol ; you can use: pkt.eth_header.eth_proto
  15.   #- Build IP header:---------------------------------------------
  16.   pkt.ip_v     = 4                     # IP header: IPv4 ; you can use: pkt.ip_header.ip_v
  17.   pkt.ip_hl    = 5                     # IP header: IP header length ; you can use: pkt.ip_header.ip_hl
  18.   pkt.ip_tos   = 0                     # IP header: Type of service ; you can use: pkt.ip_header.ip_tos
  19.   pkt.ip_len   = 20                    # IP header: Total Length ; you can use: pkt.ip_header.ip_len
  20.   pkt.ip_id                            # IP header: Identification ; you can use: pkt.ip_header.ip_id
  21.   pkt.ip_frag  = 0                     # IP header: Don't Fragment ; you can use: pkt.ip_header.ip_frag
  22.   pkt.ip_ttl   = 115                   # IP header: TTL(64) is the default ; you can use: pkt.ip_header.ip_ttl
  23.   pkt.ip_proto = 6                     # IP header: Protocol = tcp (6) ; you can use: pkt.ip_header.ip_proto
  24.   pkt.ip_sum                           # IP header: Header Checksum ; you can use: pkt.ip_header.ip_sum
  25.   pkt.ip_saddr = "2.2.2.2"             # IP header: Source IP. use $config[:ip_saddr] if you want your real IP ; you can use: pkt.ip_header.ip_saddr
  26.   pkt.ip_daddr = "10.20.50.45"         # IP header: Destination IP ; you can use: pkt.ip_header.ip_daddr
  27.   #- TCP header:-------------------------------------------------
  28.   pkt.payload        = "Hacked!"       # TCP header: packet header(body)
  29.   pkt.tcp_flags.ack  = 0               # TCP header: Acknowledgment
  30.   pkt.tcp_flags.fin  = 0               # TCP header: Finish
  31.   pkt.tcp_flags.psh  = 0               # TCP header: Push
  32.   pkt.tcp_flags.rst  = 0               # TCP header: Reset
  33.   pkt.tcp_flags.syn  = 1               # TCP header: Synchronize sequence numbers
  34.   pkt.tcp_flags.urg  = 0               # TCP header: Urgent pointer
  35.   pkt.tcp_ecn        = 0               # TCP header: ECHO
  36.   pkt.tcp_win        = 8192            # TCP header: Window
  37.   pkt.tcp_hlen       = 5               # TCP header: header length
  38.   pkt.tcp_src        = 5555            # TCP header: Source Port (random is the default )
  39.   pkt.tcp_dst        = 4444            # TCP header: Destination Port (make it random/range for general scanning)
  40.   pkt.recalc                           # Recalculate/re-build whole pkt (should be at the end)
  41.   #--> End of Build TCP/IP
  43.   pkt_to_a = [pkt.to_s]
  44.   return pkt_to_a
  45. end
  48. def scan
  49.   pkt_array = pkts.sort_by{rand}
  50.   puts "-" * " [-] Send Syn flag".length + "\n"  + " [-] Send Syn flag " + "\n"
  52.   inj = PacketFu::Inject.new(:iface => $config[:iface] , :config => $config, :promisc => false)
  53.   inj.array_to_wire(:array => pkt_array)        # Send/Inject the packet through connection
  55.   puts " [-] Done" + "\n" + "-" * " [-] Send Syn flag".length
  56. end
  58. scan

Simple TCPdump

Lets see how we can

  1. require 'packetfu'
  3. capture = PacketFu::Capture.new(:iface=> "wlan0", :promisc => true, :start => true)
  4. capture.show_live

Simple IDS

This is a simple IDS will print source and destination of any communication has “hacked” payload

  1. require 'packetfu'
  3. capture = PacketFu::Capture.new(:iface => "wlan0", :start => true, :filter => "ip")
  4. loop do
  5.   capture.stream.each do |pkt|
  6.     packet = PacketFu::Packet.parse(pkt)
  7.     puts "#{Time.now}: " + "Source IP: #{packet.ip_saddr}" + " --> " + "Destination IP: #{packet.ip_daddr}" if packet.payload =~ /hacked/i
  8.   end
  9. end

Now try to Netcat any open port then send hacked

  1. echo "Hacked" | nc -nv 192.168.0.15 4444

return

  1. 2015-03-04 23:20:38 +0300: Source IP: 192.168.0.13 --> Destination IP: 192.168.0.15

[^1]: PacketFu Homepage
[^2]: TCPdump Cheat sheet