Packet crafting: a serious crime!
Packet crafting is the art of creating a packet according to various requirements to carry out attacks and to exploit vulnerabilities in a network. It’s mainly used to penetrate into a network’s structure. There are various vulnerability assessment tools used to craft such packets. As a coin has two sides, these tools could be used by hackers to find the vulnerabilities of a targeted system. Crafting is technically advanced and a complex type of vulnerability exploitation, and it’s difficult to detect and diagnose.
Steps involved in packet crafting
The idea behind crafting is to try to simulate an attack and to identify the properties of a network. They are commonly used to invade firewalls and intrusion detection software. The following are the steps involved in packet crafting:
Packet Assembly: This is the first step involved in packet crafting. In this process, the attacker selects the network to be cracked, collects the possible vulnerability information and creates the packet. The packet should be designed in such a way that it should be invisible while passing through a network. For example, for a packet to be invisible, the source address could be spoofed before sending it to a network.
Packet Editing: In this step, the packets are tested before sending. The packets are edited in such a way that maximum information could be retrieved by injecting a minimum number of packets.
Packet Playing: When the packets are ready, packet playing sends them to the targeted machine and collects the resultant packets for further analysis. If the required information is not obtained, the attacker again moves to the editing phase to modify the packet to obtain the required result.
Packet Analysis: The sent packets are received by the attacker and they are analyzed to extract the information. Various sniffing tools like Wireshark, tcpdump, dsniff, etc. are used for this purpose. This step gives a route to the targeted system, or at least gives attackers enough data to tune up the attack.
Tools For Packet Crafting: Hping, Nemesis, Netcat, Scapy, Socat
Let’s carry out a test to understand the creation and working of a crafted packet and its effect on a firewall.
Two Machines (One with Hping and Other with Snort installed).
Working connection between two machines.
This is a utility that helps us to assemble and send ICMP, UDP or TCP packets and then display the results. It’s similar to the ping command, but it offers far more options to customize the packet to be sent. This helps to map the firewall set rules of a targeted system.
Sort is a free network intrusion detection and prevention software. It helps us to carry out real time traffic analysis packet logging, protocol analysis, content searching, etc. on a network.
Figure 1: Packet Crafting test setup
Now we are going to check how a packet can be crafted from a system using Hping, and how it can be customized to be invisible in a network. We are using Snort as the IDS in the target machine. This could prove that packet crafting is a serious issue that should be studied to prevent attacks.
Firstly install Hping on the source machine. It’s a command line multi-platform software. We are using two Linux machines for the test. The installation package could be downloaded from various websites. The next step is to install the intrusion detection software at the destination end. Download the latest version Snort with Winpcap and install it on the machine. Winpcap is a driver that helps in collecting packets. After setting up two machines, establish a connection between the two machines to transfer the packets. Check the connection before sending the packets.
These are the steps to setup the test environment. Now we have to craft the packet using Hping. In Hping there are various arguments to modify the packet to be sent according to the requirement. These could be obtained from the manual page of Hping. Before sending the packet, determine the address of the target machine. Here it is 192.168.0.10. Now write the command for packet creation.
Hping is a command line software. For creating the packets, the commands should be given in a perfect way so that the packet penetrates into the targeted system without being detected. An example is given below:
hping 192.168.0.10 –udp –spoof 192.168.1.150
The packets are sent to the UDP port of machine 192.168.0.10 with a spoofed source IP of 192.168.1.150.
Figure 2: Spoofing to UDP port.
Figure 3: Spoofed address on target system hiding original address
Packet crafting could be used to carry out DOS attacks to a targeted machine. This could be done by flooding packets to a predetermined port. The number of packets reaching the port is beyond the managing capacity of that port. This results in the failure of the system and finally becomes non-responsive to any request made to that particular system.
Before sending a packet to the system Hping could be used to carry out a port scan. This helps the attacker to get the information on available open ports to carry out attack easily. The weakest port is selected to gain access to the system.
hping3 -S 192.168.0.10 -p 80 -c 2
This command scans port number 80 of machine with IP 192.168.0.10. There are even commands to scan the complete ports in a machine. This will give the attacker the complete status of the ports in a system.
hping 192.168.0.10 –S -p 22 –rand-source –flood
This command floods the port number 22 of the mentioned machine. As the flooding starts, the machine becomes non responsive. When the flooding is stopped, the machine comes back to its normal state.
Figure 4: Command for flooding a machine
Figure 5: Result displayed by Snort after flooding.
We can see from the above image that a large number of packets have been dumped to the targeted machine within a small amount of time. The IDS software does not detect the packets while the flooding is in process. But as soon as the flooding is stopped, Snort displays only the number of packets received. The traffic created by flooding the packets cannot be handled by the system and becomes non-responsive. No Signatures are generated during the process.
DNS and ICMP Packet Crafting
Domain Name System is the system responsible for resolving domain names. DNS uses ports 53 UDP for normal operations and can enlist port 53 TCP for zone transfers and other oversized replies. Once the address is entered into the URL, the browser will try to resolve the IP. If the address is not known, then a DNS request will be sent to the DNS server configured on the client. We could craft such a packet using Hping so that the firewall does not block the packet.
hping -2 –p 53 -E data.dns -d 31 192.168.0.10
Here the packet is sent to the port number 53 of the target (192.168.0.10), with the packet containing a file called “data.dns”. The packet size has also been specified as 31.
Figure 6: Sending a file to target’s DNS port
When sending a data file through Hping, the IDS used in the target’s machine does not detect the presence of the attached file. It only displays the total number of packets transmitted and received. Even tough it shows unreachable, the packets are received at the target location.
Hping can also be used to send ICMP (Internet Control Message Protocol) packets. ICMP packets are usually used to troubleshoot networks and for gathering basic information. These packets could be used to check whether a host is alive or not. In most of the firewalls, packets like ICMP and DNS request have the ability to pass by. These crafted ICMP packets helps us to pass through the firewall. At the senders end, we have to specify the type of packet, destination and other details for proper communication.
hping 192.168.0.11 –d 100 –icmp –file /data.dns
Here the file “data.dns” is sent to the target 192.168.0.11 using an ICMP packet.
Figure 7: File sent using ICMP packet
Using such crafted packets, a traffic firewall could be breached. From the above test, we can agree to the fact that packet crafting is a serious issue that should be taken care of.