Packet Manipulation
In this chapter we'll build several small tools on top of the awesome PacketFu library.

PacketFu - the packet manipulation library

PacketFu Features
    Manipulating the TCP protocol
    Manipulating the UDP protocol
    Manipulating the ICMP protocol
    Packet capturing with tcpdump-style filter syntax
    Reading and writing PCAP files

Installing PacketFu

Before installing the packetfu gem you'll need to install ruby-dev and libpcap-dev:

    apt-get -y install libpcap-dev

Then install packetfu and pcaprub (pcaprub is required for reading and writing packets on network interfaces):

    gem install packetfu pcaprub

Basic Usage

Get your interface information

    require 'packetfu'

    ifconfig = PacketFu::Utils.ifconfig("wlan0")
    ifconfig[:iface]     # interface name
    ifconfig[:ip_saddr]  # your IPv4 address
    ifconfig[:eth_saddr] # your MAC address

Get the MAC address of a remote host

    PacketFu::Utils.arp("192.168.0.21", :iface => "wlan0")

Read a pcap file

    PacketFu::PcapFile.read_packets("file.pcap")
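To see what PcapFile.read_packets is doing for you, here is a pure-Ruby reader for the classic libpcap file format. It is an added example and not code from this page or from PacketFu; the sample capture it parses is constructed in memory (placeholder Ethernet headers, made-up timestamps). The point worth keeping from it is the bounds checking: capture files often come from untrusted sources, so every length field is checked against snaplen and the bytes actually present before it is used as a slice.

```ruby
# Added example, not code from the page or from PacketFu: a minimal pure-Ruby
# reader for the classic libpcap file format that PcapFile.read_packets consumes.
# Layout (all integers in the byte order chosen by the magic number):
#   global header (24 bytes): magic, version major/minor, tz offset, sigfigs, snaplen, linktype
#   per packet   (16 bytes):  ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on wire)
#   followed by incl_len bytes of frame data.

PCAP_MAGIC = 0xa1b2c3d4   # classic pcap, seconds/microseconds timestamps

# Parses a pcap file held in memory. Returns a Hash with :version, :snaplen,
# :linktype and :packets (an Array of {:ts, :orig_len, :bytes}).
# Every length is bounds-checked before it is used as a slice, so a corrupt
# or hostile file fails with an error instead of producing garbage frames.
def parse_pcap(data)
  data = data.b
  raise "file too short for a pcap global header" if data.bytesize < 24
  long, short = case data.byteslice(0, 4).unpack1("V")
                when PCAP_MAGIC then ["V", "v"]   # file written little-endian
                when 0xd4c3b2a1 then ["N", "n"]   # file written big-endian
                else raise "not a classic pcap file (bad magic)"
                end
  ver_major, ver_minor = data.byteslice(4, 4).unpack(short * 2)
  snaplen, linktype = data.byteslice(16, 8).unpack(long * 2)

  packets = []
  offset = 24
  while offset < data.bytesize
    raise "truncated record header at offset #{offset}" if offset + 16 > data.bytesize
    ts_sec, ts_usec, incl_len, orig_len = data.byteslice(offset, 16).unpack(long * 4)
    offset += 16
    raise "incl_len #{incl_len} exceeds snaplen #{snaplen}" if incl_len > snaplen
    raise "truncated packet data at offset #{offset}" if offset + incl_len > data.bytesize
    packets << { :ts => ts_sec + ts_usec / 1_000_000.0,
                 :orig_len => orig_len,
                 :bytes => data.byteslice(offset, incl_len) }
    offset += incl_len
  end
  { :version => [ver_major, ver_minor], :snaplen => snaplen, :linktype => linktype, :packets => packets }
end

# Constructed sample input (not a real capture): two Ethernet frames with
# placeholder headers and text payloads, written in either byte order.
def build_sample_pcap(big_endian = false)
  long, short = big_endian ? ["N", "n"] : ["V", "v"]
  header = [PCAP_MAGIC, 2, 4, 0, 0, 65535, 1].pack("#{long}#{short}#{short}#{long * 4}")  # linktype 1 = Ethernet
  frames = [("\x00".b * 14) + "payload-one", ("\xff".b * 14) + "payload-two"]
  records = frames.each_with_index.map do |frame, i|
    [1_425_500_438 + i, 250_000, frame.bytesize, frame.bytesize].pack(long * 4) + frame
  end
  header + records.join
end

if $PROGRAM_NAME == __FILE__
  pcap = parse_pcap(build_sample_pcap)
  puts "linktype #{pcap[:linktype]}, #{pcap[:packets].size} packets"
  pcap[:packets].each { |p| puts "#{p[:ts]}  #{p[:bytes].bytesize} bytes" }
end
```

To read a file from disk, pass `File.binread("file.pcap")` to `parse_pcap`; the `:bytes` of each packet are the raw link-layer frame, which is what the decoding examples later in this chapter take as input.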

Building a TCP SYN packet

    require 'packetfu'

    def pkts
      #$config = PacketFu::Config.new(PacketFu::Utils.whoami?(:iface=> "wlan0")).config # set interface
      $config = PacketFu::Config.new(:iface=> "wlan0").config # use this line instead of the one above if you get `whoami?': uninitialized constant PacketFu::Capture (NameError)

      #
      #--> Build TCP/IP
      #
      #- Build Ethernet header:---------------------------------------
      pkt = PacketFu::TCPPacket.new(:config => $config, :flavor => "Linux") # Ethernet/IP/TCP packet; source addresses come from $config
      # pkt.eth_src = "00:11:22:33:44:55" # Ether header: Source MAC ; you can use: pkt.eth_header.eth_src
      # pkt.eth_dst = "FF:FF:FF:FF:FF:FF" # Ether header: Destination MAC ; you can use: pkt.eth_header.eth_dst
      pkt.eth_proto # Ether header: Protocol (0x0800 = IPv4, the default) ; you can use: pkt.eth_header.eth_proto
      #- Build IP header:---------------------------------------------
      pkt.ip_v = 4 # IP header: IPv4 ; you can use: pkt.ip_header.ip_v
      pkt.ip_hl = 5 # IP header: header length in 32-bit words (5 = 20 bytes) ; you can use: pkt.ip_header.ip_hl
      pkt.ip_tos = 0 # IP header: Type of service ; you can use: pkt.ip_header.ip_tos
      pkt.ip_len = 20 # IP header: Total Length (recalc corrects it once the payload is set) ; you can use: pkt.ip_header.ip_len
      pkt.ip_id # IP header: Identification (left to PacketFu's default) ; you can use: pkt.ip_header.ip_id
      pkt.ip_frag = 0 # IP header: flags and fragment offset (0 = no flags, not fragmented) ; you can use: pkt.ip_header.ip_frag
      pkt.ip_ttl = 115 # IP header: TTL (64 is the default) ; you can use: pkt.ip_header.ip_ttl
      pkt.ip_proto = 6 # IP header: Protocol = TCP (6) ; you can use: pkt.ip_header.ip_proto
      pkt.ip_sum # IP header: Header Checksum (computed by recalc) ; you can use: pkt.ip_header.ip_sum
      pkt.ip_saddr = "2.2.2.2" # IP header: Source IP. Use $config[:ip_saddr] if you want your real IP ; you can use: pkt.ip_header.ip_saddr
      pkt.ip_daddr = "10.20.50.45" # IP header: Destination IP ; you can use: pkt.ip_header.ip_daddr
      #- TCP header:-------------------------------------------------
      pkt.payload = "Hacked!" # packet body (TCP data)
      pkt.tcp_flags.ack = 0 # TCP header: Acknowledgment
      pkt.tcp_flags.fin = 0 # TCP header: Finish
      pkt.tcp_flags.psh = 0 # TCP header: Push
      pkt.tcp_flags.rst = 0 # TCP header: Reset
      pkt.tcp_flags.syn = 1 # TCP header: Synchronize sequence numbers
      pkt.tcp_flags.urg = 0 # TCP header: Urgent pointer
      pkt.tcp_ecn = 0 # TCP header: ECN (Explicit Congestion Notification) bits
      pkt.tcp_win = 8192 # TCP header: Window
      pkt.tcp_hlen = 5 # TCP header: header length in 32-bit words (5 = 20 bytes, no options)
      pkt.tcp_src = 5555 # TCP header: Source Port (random is the default)
      pkt.tcp_dst = 4444 # TCP header: Destination Port (make it random/a range for general scanning)
      pkt.recalc # Recalculate lengths and checksums for the whole packet (must be called last)
      #--> End of Build TCP/IP

      pkt_to_a = [pkt.to_s]
      return pkt_to_a
    end


    def scan
      pkt_array = pkts.sort_by { rand }
      puts "-" * " [-] Send Syn flag".length + "\n" + " [-] Send Syn flag " + "\n"

      inj = PacketFu::Inject.new(:iface => $config[:iface], :config => $config, :promisc => false)
      inj.array_to_wire(:array => pkt_array) # Send/inject the packet on the wire

      puts " [-] Done" + "\n" + "-" * " [-] Send Syn flag".length
    end

    scan
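The script above leaves the total length and both checksums to pkt.recalc. The following added example (not code from this page or from PacketFu) builds the same Ethernet/IPv4/TCP SYN frame by hand in pure Ruby, so those computed fields are visible and can be verified; the sequence number, IP identification and MAC addresses are constructed values, and the checksum routine is the standard RFC 1071 one's-complement sum.

```ruby
# Added example, not code from the page or from PacketFu: builds the same
# Ethernet/IPv4/TCP SYN frame as the script above by hand, so the work that
# pkt.recalc does (total length and both checksums) is visible and checkable.

# One's-complement sum of 16-bit words, folded to 16 bits (RFC 1071).
def ones_complement_sum(bytes)
  data = bytes.b
  data += "\x00".b if data.bytesize.odd?          # pad a trailing odd byte
  sum = data.unpack("n*").inject(0, :+)
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  sum
end

# Internet checksum: the one's complement of the folded sum.
def inet_checksum(bytes)
  (~ones_complement_sum(bytes)) & 0xffff
end

def mac_to_bytes(mac)
  mac.split(":").map { |h| h.to_i(16) }.pack("C6")
end

def ip_to_bytes(ip)
  ip.split(".").map(&:to_i).pack("C4")
end

TCP_FMT = "nnNNCCnnn"      # src, dst, seq, ack, data offset, flags, window, checksum, urgent
IP_FMT  = "CCnnnCCna4a4"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, checksum, src, dst

# Returns the raw frame bytes. The sequence number and IP id are fixed
# constructed values here; a real stack randomises both.
def build_syn_frame(src_mac:, dst_mac:, src_ip:, dst_ip:, src_port:, dst_port:, payload: "", ttl: 115, window: 8192)
  # TCP segment: 20-byte header (data offset 5 words), SYN flag only (0x02).
  tcp_fields = [src_port, dst_port, 0x12345678, 0, 5 << 4, 0x02, window, 0, 0]
  tcp = tcp_fields.pack(TCP_FMT) + payload.b
  # The TCP checksum covers a pseudo header (addresses, zero, protocol, TCP length) plus the segment.
  pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + [0, 6, tcp.bytesize].pack("CCn")
  tcp_fields[7] = inet_checksum(pseudo + tcp)
  tcp = tcp_fields.pack(TCP_FMT) + payload.b

  # IPv4 header: version 4 / IHL 5, flags and fragment offset 0 (as ip_frag = 0 above), protocol 6.
  ip_fields = [0x45, 0, 20 + tcp.bytesize, 0x1234, 0, ttl, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip)]
  ip_fields[7] = inet_checksum(ip_fields.pack(IP_FMT))   # computed with the checksum field zeroed
  ip = ip_fields.pack(IP_FMT)

  mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + [0x0800].pack("n") + ip + tcp
end

# Verification: with a correct checksum the folded sum of the covered bytes is 0xffff.
def ip_checksum_valid?(frame)
  ihl = (frame.getbyte(14) & 0x0f) * 4
  ones_complement_sum(frame.byteslice(14, ihl)) == 0xffff
end

def tcp_checksum_valid?(frame)
  ihl = (frame.getbyte(14) & 0x0f) * 4
  total_len = frame.byteslice(16, 2).unpack1("n")
  ip = frame.byteslice(14, ihl)
  tcp = frame.byteslice(14 + ihl, total_len - ihl)
  pseudo = ip.byteslice(12, 8) + [0, 6, tcp.bytesize].pack("CCn")
  ones_complement_sum(pseudo + tcp) == 0xffff
end

if $PROGRAM_NAME == __FILE__
  frame = build_syn_frame(src_mac: "00:11:22:33:44:55", dst_mac: "ff:ff:ff:ff:ff:ff",
                          src_ip: "2.2.2.2", dst_ip: "10.20.50.45",
                          src_port: 5555, dst_port: 4444, payload: "Hacked!")
  puts frame.unpack1("H*")
  puts "ip checksum ok: #{ip_checksum_valid?(frame)}, tcp checksum ok: #{tcp_checksum_valid?(frame)}"
end
```

The frame string this returns is what pkt.to_s gives you in the PacketFu script; the two `*_checksum_valid?` helpers are also a handy check when a captured packet looks wrong, since a receiver silently drops segments whose checksum does not verify.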

Simple TCPdump

Let's see how we can

    require 'packetfu'

    capture = PacketFu::Capture.new(:iface=> "wlan0", :promisc => true, :start => true)
    capture.show_live

Simple IDS

This simple IDS prints the source and destination of any IP packet whose payload contains "hacked":

    require 'packetfu'

    capture = PacketFu::Capture.new(:iface => "wlan0", :start => true, :filter => "ip")
    loop do
      capture.stream.each do |pkt|
        packet = PacketFu::Packet.parse(pkt)
        puts "#{Time.now}: " + "Source IP: #{packet.ip_saddr}" + " --> " + "Destination IP: #{packet.ip_daddr}" if packet.payload =~ /hacked/i
      end
    end

Now use Netcat to connect to any open port and send "hacked":

    echo "Hacked" | nc -nv 192.168.0.15 4444

The IDS prints:

    2015-03-04 23:20:38 +0300: Source IP: 192.168.0.13 --> Destination IP: 192.168.0.15
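The IDS above relies on PacketFu::Packet.parse and a live interface, which makes its rule hard to test. The following added example (not code from this page or from PacketFu) implements the same rule over raw Ethernet frames with a small pure-Ruby decoder, run against frames constructed in the code (placeholder MAC addresses, the page's 192.168.0.x addresses, checksums left at zero). It also shows the length checks a decoder needs before it trusts header fields, and why the rule ignores non-IP and truncated frames rather than crashing on them.

```ruby
# Added example, not code from the page or from PacketFu: the IDS rule above
# ("report source and destination when an IP packet's payload contains 'hacked'")
# applied to raw Ethernet frames with a small pure-Ruby decoder, so it can be
# exercised against constructed frames instead of a live interface.

SIGNATURE = /hacked/i

# Decodes an Ethernet/IPv4 frame into {:src, :dst, :proto, :payload}.
# Returns nil for non-IPv4 frames and for any frame whose header lengths do
# not fit the bytes actually present, so a truncated or malformed frame can
# never make the byte slices below run past the end of the buffer.
def decode_ipv4(frame)
  f = frame.b
  return nil if f.bytesize < 34 || f.byteslice(12, 2).unpack1("n") != 0x0800
  ihl = (f.getbyte(14) & 0x0f) * 4
  total_len = f.byteslice(16, 2).unpack1("n")
  return nil if ihl < 20 || total_len < ihl || 14 + total_len > f.bytesize
  proto = f.getbyte(23)
  src = f.byteslice(26, 4).unpack("C4").join(".")
  dst = f.byteslice(30, 4).unpack("C4").join(".")
  l4 = f.byteslice(14 + ihl, total_len - ihl)
  payload = case proto
            when 6   # TCP: header length is the data-offset nibble, in 32-bit words
              return nil if l4.bytesize < 20
              hlen = (l4.getbyte(12) >> 4) * 4
              return nil if hlen < 20 || hlen > l4.bytesize
              l4.byteslice(hlen, l4.bytesize - hlen)
            when 17  # UDP: fixed 8-byte header
              return nil if l4.bytesize < 8
              l4.byteslice(8, l4.bytesize - 8)
            else     # other protocols: everything after the IP header is the payload
              l4
            end
  { :src => src, :dst => dst, :proto => proto, :payload => payload }
end

# The rule from the page: report source and destination when the payload matches.
def inspect_frame(frame, now = Time.now)
  pkt = decode_ipv4(frame)
  return nil unless pkt && pkt[:payload] =~ SIGNATURE
  "#{now}: Source IP: #{pkt[:src]} --> Destination IP: #{pkt[:dst]}"
end

def run_ids(frames, now = Time.now)
  frames.map { |frame| inspect_frame(frame, now) }.compact
end

# Constructed sample frames (placeholder MACs, checksums left at zero; the rule does not verify them).
def sample_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload)
  ip_bytes = ->(ip) { ip.split(".").map(&:to_i).pack("C4") }
  tcp = [src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0].pack("nnNNCCnnn") + payload.b  # PSH|ACK
  ip = [0x45, 0, 20 + tcp.bytesize, 1, 0, 64, 6, 0, ip_bytes.(src_ip), ip_bytes.(dst_ip)].pack("CCnnnCCna4a4")
  ([0xff] * 6).pack("C*") + [0x00, 0x11, 0x22, 0x33, 0x44, 0x55].pack("C*") + [0x0800].pack("n") + ip + tcp
end

SAMPLE_FRAMES = [
  sample_tcp_frame("192.168.0.13", "192.168.0.15", 40000, 4444, "Hacked\n"),                 # should alert
  sample_tcp_frame("192.168.0.13", "192.168.0.15", 40001, 4444, "hello\n"),                  # benign
  ([0xff] * 12).pack("C*") + [0x0806].pack("n") + ("\x00" * 28).b,                          # ARP: not IPv4, ignored
  sample_tcp_frame("192.168.0.13", "192.168.0.15", 40002, 4444, "Hacked\n").byteslice(0, 40) # truncated, ignored
]

if $PROGRAM_NAME == __FILE__
  puts run_ids(SAMPLE_FRAMES)
end
```

Only the first constructed frame produces a line, in the same format the PacketFu version prints. The truncated frame is worth noting: its IP header still claims 47 bytes, and without the `14 + total_len > f.bytesize` check the decoder would slice past the end of the buffer; a detector that reads from a live interface will see such frames.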