In this article we look at packet crafting: what it is, how crafted packets are built and sent, and why it is a serious problem for anyone defending a network.
What is Packet crafting?
Packet crafting is the practice of building network packets field by field, instead of letting the operating system's network stack generate them, so that every header value and the payload are under the sender's control. It is used to probe network structure, to test how firewalls and intrusion detection systems react, and to exploit weaknesses in how devices handle unusual traffic. Several vulnerability assessment tools can generate such packets; as with any dual-use tool, the same tools let an attacker find weaknesses in a targeted system. Because crafted packets can be made to look like ordinary traffic, attacks built on them are difficult to detect and diagnose.
Steps involved in packet crafting
The idea behind crafting is to simulate an attack and learn the properties of a network from how it responds. Crafted packets are commonly used to test, and to attack, firewalls and intrusion detection software. Packet crafting involves the following steps:
Build packets: This is the first step. The attacker selects the target network, gathers information about possible weaknesses, and assembles a packet. The packet should be designed to attract as little attention as possible as it passes through the network.
For example, the source address can be spoofed so that the packet cannot be traced back to the sender as it crosses the network. The price is that any reply goes to the spoofed address, not to the attacker.
Packet editing: In this step the packets are tuned before being sent. They are edited so that the maximum amount of information can be obtained by sending the minimum number of packets.
Packet replay: When the packets are ready, they are sent to the target and the resulting packets are collected for analysis. If the required information is not obtained, the attacker returns to the editing phase and modifies the packet to obtain the desired result.
Packet analysis: The responses to the sent packets are captured and analyzed to extract information. Sniffing tools such as Wireshark, tcpdump and dsniff are used for this purpose. This step reveals a path into the target system, or at least gives the attacker enough data to fine-tune the attack.
Packet crafting tools: hping, Nemesis, Netcat, Scapy, Socat
Let's run a test to understand how a crafted packet is created and sent and what effect it has on the firewall and IDS. Requirements:
Two machines (one with Hping and one with Snort installed).
A working connection between two machines.
hping is a tool that builds and sends ICMP, UDP or TCP packets and displays the replies. It is similar to the ping command but offers many more options to modify the packet to be sent, which makes it useful for mapping the rules enforced by the target's firewall.
Snort is free network intrusion detection and prevention software. It performs real-time traffic analysis, packet logging, log analysis and content matching on network traffic.
We will now look at how a packet is built with hping and how it can be modified so that it attracts no attention on the network, using Snort as the IDS on the target machine. This shows that packet crafting is a serious problem that must be accounted for when defending a network.
First, install hping on the source machine. It is cross-platform command-line software; the current version is hping3, which most Linux distributions package. We use two Linux machines for the test.
Next, install intrusion detection software on the target. Download the latest version of Snort and install it together with its packet-capture library (libpcap on Linux; the Windows builds use WinPcap or Npcap).
After setting up the two machines, check that they can reach each other before sending any crafted packets.
That completes the test environment. Now we create a packet with hping. hping has many options to modify the packet to suit the purpose; they are listed on the hping man page.
Specify the address of the destination machine before sending the packet; here it is 192.168.0.10. Now write the command to create the packet.
hping is command-line software, and its options must be chosen carefully so that the packet reaches the target system without being detected. An example is shown below:
hping3 192.168.0.10 --udp --spoof 192.168.1.150
UDP packets are sent to 192.168.0.10 with a spoofed source address of 192.168.1.150. No destination port is given, so hping uses its default of port 0. Because the source is spoofed, any reply (for example an ICMP port unreachable) goes to 192.168.1.150 rather than to the attacker, so the attacker is sending blind.
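The build, edit and analysis steps above, and the spoofed UDP datagram that the hping command sends, can be followed at the byte level. The following Python is an added example, not hping's code and not from the original article: it assembles an IPv4/UDP datagram one header field at a time (including the spoofed source and both checksums) and then decodes it again the way a packet analyzer would. Only the standard library is used and nothing is put on the wire; the addresses, ports and payload are constructed for the demo, and actually sending the bytes would need a raw socket with administrative privileges, which is deliberately left out.

```python
"""Craft an IPv4/UDP datagram with a spoofed source, then decode it again.

Added example (not from the original article or from hping). It mirrors what
`hping3 192.168.0.10 --udp --spoof 192.168.1.150` does at the byte level:
the IP and UDP headers are assembled field by field, so the sender controls
every value, including the source address. Nothing is sent on the wire.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, UDP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                     payload: bytes, ttl: int = 64, ip_id: int = 0) -> bytes:
    """Return a complete IPv4 header + UDP header + payload."""
    src = socket.inet_aton(src_ip)          # spoofed: nothing forces it to be ours
    dst = socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)

    # UDP header with checksum 0 first; the real checksum covers the IPv4
    # pseudo-header (src, dst, zero, protocol, UDP length) plus the segment.
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp_csum = checksum(pseudo + udp) or 0xFFFF   # 0 would mean "no checksum"
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_csum) + payload

    # IPv4 header: version 4, IHL 5 (20 bytes), no options, DF/frag = 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id, 0,
                     ttl, socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def parse_udp_packet(pkt: bytes) -> dict:
    """Decode the packet (the analysis step) and verify both checksums."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_UDP:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = checksum(pkt[:ihl]) == 0        # a correct header sums to zero
    udp = pkt[ihl:total_len]
    src_port, dst_port, udp_len, _ucsum = struct.unpack("!HHHH", udp[:8])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "ip_id": ip_id,
        "src_port": src_port, "dst_port": dst_port, "payload": udp[8:],
        "ip_checksum_ok": ip_ok,
        "udp_checksum_ok": checksum(pseudo + udp) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: the spoofed source and target used in the article,
    # destination port 0 because the hping command gave no -p option.
    pkt = build_udp_packet("192.168.1.150", "192.168.0.10", 40000, 0, b"hello")
    print(pkt.hex())
    print(parse_udp_packet(pkt))
```

The decoder reports the spoofed 192.168.1.150 as the source, which is exactly why a capture on the target cannot identify the real sender; only ingress filtering on the path (dropping packets whose source cannot legitimately arrive on that interface) catches this.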
Packet crafting can also be used for denial-of-service (DoS) attacks. The attacker floods a chosen port with packets faster than the service behind it (and often the host's network stack) can process them, so the system stops responding to legitimate requests for as long as the flood lasts.
Before attacking a system, hping can be used to port-scan it. This tells the attacker which ports are open so the attack can be aimed at a reachable service, ideally one with a known weakness.
hping3 -S 192.168.0.10 -p 80 -c 2
This sends two TCP SYN packets to port 80 of 192.168.0.10. A reply with the SA flags set means the port is open, RA means it is closed, and no reply suggests the port is filtered. hping3 also has a scan mode (--scan) that sweeps a whole port range and gives the attacker the status of every port on the system.
hping3 192.168.0.10 -S -p 22 --rand-source --flood
This command floods port 22 of the target with SYN packets, each from a random spoofed source address, as fast as hping can send them. Once flooding starts the machine stops responding; after the flood stops, it returns to normal.
From the image above, we can see that a large number of packets were delivered to the target in a short time. The IDS raised no alert while the flood was in progress; once the flood stopped, Snort only reported the number of packets it had received.
The system cannot process the traffic created by the overload and becomes unresponsive. No signature fires during the attack: every packet is a well-formed SYN, so a signature-based rule set has nothing to match, and only a rate-based check would notice.
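What a signature cannot see, a rate check can. The following Python is an added example, not Snort's code and not from the original article: it replays a constructed packet log (a little normal SSH traffic followed by a random-source SYN flood like the one hping sends) through a sliding-window detector that flags a destination port when both the SYN count and the number of distinct sources in one second exceed a threshold. The thresholds (100 SYNs, 50 sources) and the sample traffic are assumptions for the demo, not values from the article.

```python
"""Rate-based SYN flood detection over a constructed packet log.

Added example, not from the original article, hping or Snort. The flood
`hping3 ... -S -p 22 --rand-source --flood` produces no signature alert
because each packet is a valid SYN; what gives it away is the rate and the
source diversity, which this detector measures per destination port.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Pkt:
    ts: float       # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S", "SA", "A", "RA", ...


class SynFloodDetector:
    def __init__(self, window=1.0, syn_threshold=100, source_threshold=50):
        self.window = window                  # seconds of history kept per port
        self.syn_threshold = syn_threshold    # assumption for the demo
        self.source_threshold = source_threshold
        self.recent = defaultdict(deque)      # (dst, dport) -> deque of (ts, src)
        self.alerted = set()                  # alert once per (dst, dport)

    def feed(self, pkt):
        """Feed one packet; return an alert string or None."""
        if pkt.flags != "S":                  # only pure SYNs are new attempts
            return None
        key = (pkt.dst, pkt.dport)
        q = self.recent[key]
        q.append((pkt.ts, pkt.src))
        while q and pkt.ts - q[0][0] > self.window:   # expire old entries
            q.popleft()
        distinct = len({src for _, src in q})
        if (len(q) >= self.syn_threshold and distinct >= self.source_threshold
                and key not in self.alerted):
            self.alerted.add(key)
            return (f"SYN flood suspected: {len(q)} SYNs from {distinct} sources "
                    f"to {pkt.dst}:{pkt.dport} within {self.window}s")
        return None

    def run(self, packets):
        """Return all alerts raised over a sequence of packets."""
        return [a for p in packets if (a := self.feed(p)) is not None]


def constructed_capture():
    """Constructed sample: 10 s of normal SSH handshakes from one client, then
    a random-source SYN flood against 192.168.0.10:22 as hping would send it."""
    rng = random.Random(1)
    pkts = []
    for i in range(10):
        pkts.append(Pkt(i * 1.0, "192.168.0.20", "192.168.0.10", 22, "S"))
        pkts.append(Pkt(i * 1.0 + 0.01, "192.168.0.10", "192.168.0.20",
                        51000 + i, "SA"))
    for i in range(500):                      # 500 SYNs in 0.25 s
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        pkts.append(Pkt(20.0 + i * 0.0005, src, "192.168.0.10", 22, "S"))
    return pkts


if __name__ == "__main__":
    for alert in SynFloodDetector().run(constructed_capture()):
        print(alert)
```

The source-diversity condition is what separates a --rand-source flood from a single misbehaving client; a legitimate burst from one address never reaches 50 distinct sources, so it is not flagged even if it exceeds the SYN count.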
Crafting DNS and ICMP packets
The Domain Name System resolves domain names to IP addresses. DNS uses UDP port 53 for normal queries and TCP port 53 for zone transfers and for responses too large to fit in a UDP message. When a name is typed into the browser, the browser must first resolve it to an IP address.
If the address is not cached, a DNS request is sent to the DNS server configured on the client. Because almost every firewall allows DNS traffic through, a crafted packet to port 53 is likely to pass without being blocked. We can create such a packet with hping:
hping3 -2 -p 53 -E data.dns -d 31 192.168.0.10
Here -2 selects UDP mode, -p 53 sets the destination port, -E data.dns fills the payload from the file data.dns, and -d 31 sets the payload size to 31 bytes. The packet is sent to 192.168.0.10.
When a data file is sent this way, the IDS on the target does not flag the payload; it only shows the total number of packets sent and received. Even when the target answers that the port is unreachable, the packets have still been delivered to the destination host.
hping can also send Internet Control Message Protocol (ICMP) packets. ICMP is normally used to troubleshoot networks and gather basic information, for example to check whether a host is alive. Most firewall policies let ICMP echo and DNS requests through.
Crafted ICMP packets therefore offer a way through the firewall. On the sender's side we specify the packet type, the destination and the payload:
hping3 192.168.0.11 -d 100 --icmp --file /data.dns
Here the contents of /data.dns are carried as a 100-byte payload in ICMP echo requests to 192.168.0.11.
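Both carriers in this section, a file sent as the payload of UDP packets to port 53 and a file sent inside ICMP echo requests, get past a firewall that filters on protocol and port alone. The check a defender wants is whether the payload is structurally what the port or protocol implies. The following Python is an added example, not from the original article, hping or Snort: it builds a genuine DNS query and a genuine echo request, then applies a structural DNS check and an echo-size check to those and to file-like payloads. The 64-byte echo payload limit is an assumption for the demo (Linux ping sends 56 bytes by default, Windows 32), and all sample payloads are constructed.

```python
"""Conformance checks for payloads carried over DNS (UDP/53) and ICMP echo.

Added example, not from the original article, hping or Snort. A genuine DNS
message has a sane header and a well-formed question section; a genuine
echo request has a bounded payload and a valid checksum. Arbitrary file
contents on port 53 or in a 100-byte echo payload fail these checks.
"""
import struct


def build_dns_query(name, txid=0x1234, qtype=1):
    """Minimal standard query: RD set, one question, QTYPE given, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def looks_like_dns(payload):
    """Structural heuristic: True if payload parses as a DNS message."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5) or flags & 0x0040:   # unknown opcode / Z bit
        return False
    if qd == an == ns == ar == 0:
        return False
    pos = 12
    for _ in range(qd):                   # walk each question's QNAME
        name_len = 0
        while True:
            if pos >= len(payload):
                return False
            length = payload[pos]
            if length == 0:               # root label ends the name
                pos += 1
                break
            if length & 0xC0 == 0xC0:     # compression pointer also ends it
                pos += 2
                break
            if length > 63:               # labels are at most 63 bytes
                return False
            name_len += length + 1
            if name_len > 255:            # whole name at most 255 bytes
                return False
            pos += 1 + length
        pos += 4                          # QTYPE + QCLASS must be present
        if pos > len(payload):
            return False
    return True


def rfc1071_checksum(data):
    """One's-complement checksum as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(payload, ident=1, seq=1):
    """ICMP echo request (type 8, code 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = rfc1071_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def classify_icmp_echo(pkt, max_payload=64):
    """Return None for a normal-looking echo, otherwise a reason string.
    max_payload=64 is an assumed policy limit for this demo."""
    if len(pkt) < 8:
        return "truncated"
    icmp_type, code = pkt[0], pkt[1]
    if icmp_type not in (0, 8) or code != 0:
        return "not an echo request/reply"
    if rfc1071_checksum(pkt) != 0:
        return "bad checksum"
    if len(pkt) - 8 > max_payload:
        return "oversized payload"
    return None


if __name__ == "__main__":
    # Constructed payloads: a real query, then 31 bytes of file-like text
    # standing in for the article's data.dns, then a 100-byte echo payload.
    print(looks_like_dns(build_dns_query("example.com")))            # True
    print(looks_like_dns(b"this is not a dns message at al"))        # False
    print(classify_icmp_echo(build_icmp_echo(b"\x00" * 56)))         # None
    print(classify_icmp_echo(build_icmp_echo(b"A" * 100)))           # oversized payload
```

Neither check is a signature: they encode what the protocol normally looks like, so they also catch payloads never seen before, at the cost of occasional false positives on unusual but legitimate traffic (large echo payloads from path-MTU tests, for instance), which is why the size limit is a tunable rather than a constant.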
Packets crafted in this way pass through a firewall that filters only on protocol and port, and the IDS in our test did not distinguish them from normal traffic. From the above test, we can agree that packet crafting is a serious problem that needs to be taken care of.