Monday, November 30, 2009

Manually modifying a Network packet, the way the pro's do it

In my previous post, i spoke about using ettercap and and a plugin "Isolate", to take down a host on a network. It poisons the arp cache of the victim's machine into linking its own mac address to the router's/gateway's IP address, thus achieving a complete denial of service (google:DOS attact). In this post, im gonna be discussing how you can perform such an attack using a more manual method, manually constructing the malicious packet.

File2cable is a simple program that sends a file as a raw ethernet frame over a specified interface.

Hexedit is a simple hex editor for unix machines.

In this demo, we are going to isolate a host,just like we did with ettercap and it's Isolate plugging.

The first thing that you want to do is to use wireshark and capture a "ARP reply" packet. When you got that packet (to use as a prototype), export that frame/packet bytes to a file (for this example, ill name the file "arp_reply"). Open the file with hexedit (# hexedit -b arp_reply). Now, the idea behind modifying the packet is knowing what to change. You want to have wireshark and hexedit opened side by side so you are watching both screens. In wireshark pay attention to the hexdump frame at the bottom While doing that, in the frame above that select the layer 2 frame(Ethernet II) and notice that a certain amount of bytes are selected in the hexdump below. The selected bytes are a representation of the ethernet frame. Now within that ethernet frame, break it down to tree view and select destination. Notice the selection in the hexdump now. Anything familiar about the hex bytes selected? Its the destination mac address. Now you can select other items in the Ethernet frame II portion and notice the different hex representations for your selections. Now we can change these things using hexedit. We use wireshark as a reference so we know which hex bytes to change in hexedit. This is the main idea of manually altering a packet.

Now im going to tell you everything that you need to change using hexedit. Please note that we are in the hex realm of things, the changes you are going to make are gonna be the hex representations of certain values(Note that the mac address is already in HEX, so no conversion necessary)

[Ethernet II]
Destination: Set this to the mac address of the target host (victim who's arp table we are going to poison)
Source: Set this to your network interface's mac address (put the real thing otherwise it wont work)

[ARP]
Sender MAC address: You must set this to the target host's own mac address (we poison his cache here)
Sender IP address: We set this to the router/gateway's IP address in hex of course
Target MAC address: We set this to the targets mac
Target IP address: we set this to the targets IP address


Press ctrl+x then hit the enter key, to exit and save the packet you just modified. Now to test this attack, on your victims machine, pull up a command prompt and check your arp cache (arp -a). Make a note of your routers ip to mac address mapping. Next send our packet/file onto the wire/network with file2cable, which can also be used in wireless networks as well (# file2cable -i eth0 -f arp_replay). Now go check the arp cache on the victims machine. See the difference? If you try browsing to websites and things dont work, then it worked and this machine has been taken down.

Since a computer's arp cache normally refreshes around every 5 minutes, our attack wont be very long term. What we can do is right a script that would send our malicious packet ever few seconds. We use secounds instead of minutes because the router can send a arp request to the victim and when the victim reponds accordingly, the victim naturally will learn the mac to ip mappings of the arp requester. We can write a script as follows:

#!/bin/bash

while[1];do
file2cable -i eth0 -f arp_reply
sleep 10
done

The above script will loop the file2cable commands every 10 seconds.

Here is a quick visual from an arp cache poisoning attack using hexedit and wireshark to capture and modify an arp packet: http://www.docstoc.com/docs/9852261/ARP-Spoofing-Tutorial.
It should give you an idea visually what you have to do/change when using wireshark and hexedit in conjunction. However, please note that they are performing a different attack from what i demonstrated here. If you think you have my example convered, try their example next and get a good feel for things.

Resources/Good reading:
http://www.docstoc.com/docs/9852261/ARP-Spoofing-Tutorial

No comments:

Post a Comment