Packet Manipulation

Twitter Github NEW! Black Hat Ruby Buy Me a Coffee
Search…
Packet Manipulation
In this chapter, we'll try to do variant implementations using the awesome lib, PacketFu.
PacketFu - The packet manipulation
PacketFu Features
Manipulating TCP protocol
Manipulating UDP protocol
Manipulating ICMP protocol
Packet Capturing - Support TCPdump style
Read and write PCAP files
Installing PacketFu
Before installing packetfu gem you'll need to install ruby-dev and libpcap-dev
1
apt-get -y install libpcap-dev
Copied!
then install packetfu and pcaprub(required for packet reading and writing from network interfaces)
Install packetfu & pcaprub gems
1
gem install packetfu pcaprub
Copied!
Basic Usage
Get your interface information
1
require 'packetfu'
2
​
3
ifconfig = PacketFu::Utils.ifconfig("wlan0")
4
ifconfig[:iface]
5
ifconfig[:ip_saddr]
6
ifconfig[:eth_saddr]
Copied!
Get MAC address of a remote host
1
PacketFu::Utils.arp("192.168.0.21", :iface => "wlan0")
Copied!
Read Pcap file
1
PacketFu::PcapFile.read_packets("file.pcap")
Copied!
Building TCP Syn packet
1
require 'packetfu'
2
​
3
def pkts
4
  #$config = PacketFu::Config.new(PacketFu::Utils.whoami?(:iface=> "wlan0")).config     # set interface
5
  $config = PacketFu::Config.new(:iface=> "wlan0").config   # use this line instead of above if you face `whoami?': uninitialized constant PacketFu::Capture (NameError)
6
​
7
  #
8
  #--> Build TCP/IP
9
  #
10
  #- Build Ethernet header:---------------------------------------
11
  pkt = PacketFu::TCPPacket.new(:config => $config , :flavor => "Linux")    # IP header
12
  #     pkt.eth_src = "00:11:22:33:44:55"        # Ether header: Source MAC ; you can use: pkt.eth_header.eth_src
13
  #     pkt.eth_dst = "FF:FF:FF:FF:FF:FF"        # Ether header: Destination MAC ; you can use: pkt.eth_header.eth_dst
14
  pkt.eth_proto                                  # Ether header: Protocol ; you can use: pkt.eth_header.eth_proto
15
  #- Build IP header:---------------------------------------------
16
  pkt.ip_v     = 4                     # IP header: IPv4 ; you can use: pkt.ip_header.ip_v
17
  pkt.ip_hl    = 5                     # IP header: IP header length ; you can use: pkt.ip_header.ip_hl
18
  pkt.ip_tos   = 0                     # IP header: Type of service ; you can use: pkt.ip_header.ip_tos
19
  pkt.ip_len   = 20                    # IP header: Total Length ; you can use: pkt.ip_header.ip_len
20
  pkt.ip_id                            # IP header: Identification ; you can use: pkt.ip_header.ip_id
21
  pkt.ip_frag  = 0                     # IP header: Don't Fragment ; you can use: pkt.ip_header.ip_frag
22
  pkt.ip_ttl   = 115                   # IP header: TTL(64) is the default ; you can use: pkt.ip_header.ip_ttl
23
  pkt.ip_proto = 6                     # IP header: Protocol = tcp (6) ; you can use: pkt.ip_header.ip_proto
24
  pkt.ip_sum                           # IP header: Header Checksum ; you can use: pkt.ip_header.ip_sum
25
  pkt.ip_saddr = "2.2.2.2"             # IP header: Source IP. use $config[:ip_saddr] if you want your real IP ; you can use: pkt.ip_header.ip_saddr
26
  pkt.ip_daddr = "10.20.50.45"         # IP header: Destination IP ; you can use: pkt.ip_header.ip_daddr
27
  #- TCP header:-------------------------------------------------
28
  pkt.payload        = "Hacked!"       # TCP header: packet header(body)
29
  pkt.tcp_flags.ack  = 0               # TCP header: Acknowledgment
30
  pkt.tcp_flags.fin  = 0               # TCP header: Finish
31
  pkt.tcp_flags.psh  = 0               # TCP header: Push
32
  pkt.tcp_flags.rst  = 0               # TCP header: Reset
33
  pkt.tcp_flags.syn  = 1               # TCP header: Synchronize sequence numbers
34
  pkt.tcp_flags.urg  = 0               # TCP header: Urgent pointer
35
  pkt.tcp_ecn        = 0               # TCP header: ECHO
36
  pkt.tcp_win        = 8192            # TCP header: Window
37
  pkt.tcp_hlen       = 5               # TCP header: header length
38
  pkt.tcp_src        = 5555            # TCP header: Source Port (random is the default )
39
  pkt.tcp_dst        = 4444            # TCP header: Destination Port (make it random/range for general scanning)
40
  pkt.recalc                           # Recalculate/re-build whole pkt (should be at the end)
41
  #--> End of Build TCP/IP
42
​
43
  pkt_to_a = [pkt.to_s]
44
  return pkt_to_a
45
end
46
​
47
​
48
def scan
49
  pkt_array = pkts.sort_by{rand}
50
  puts "-" * " [-] Send Syn flag".length + "\n"  + " [-] Send Syn flag " + "\n"
51
​
52
  inj = PacketFu::Inject.new(:iface => $config[:iface] , :config => $config, :promisc => false)
53
  inj.array_to_wire(:array => pkt_array)        # Send/Inject the packet through connection
54
​
55
  puts " [-] Done" + "\n" + "-" * " [-] Send Syn flag".length
56
end
57
​
58
scan
Copied!
Simple TCPdump
Lets see how we can
1
require 'packetfu'
2
​
3
capture = PacketFu::Capture.new(:iface=> "wlan0", :promisc => true, :start => true)
4
capture.show_live
Copied!
Simple IDS
This is a simple IDS will print source and destination of any communication has "hacked" payload
1
require 'packetfu'
2
​
3
capture = PacketFu::Capture.new(:iface => "wlan0", :start => true, :filter => "ip")
4
loop do
5
  capture.stream.each do |pkt|
6
    packet = PacketFu::Packet.parse(pkt)
7
    puts "#{Time.now}: " + "Source IP: #{packet.ip_saddr}" + " --> " + "Destination IP: #{packet.ip_daddr}" if packet.payload =~ /hacked/i
8
  end
9
end
Copied!
Now try to Netcat any open port then send hacked
1
echo "Hacked" | nc -nv 192.168.0.15 4444
Copied!
return
1
2015-03-04 23:20:38 +0300: Source IP: 192.168.0.13 --> Destination IP: 192.168.0.15
Copied!
SNMP Enumeration
ARP Spoofing
Copy link
Contents
PacketFu - The packet manipulation
Installing PacketFu
Basic Usage
Building TCP Syn packet
Simple TCPdump
Simple IDS