Let's say you wanted to generate a BGP Open.
[---- ETHERNET SRC: 0:9:43:5f:bc:73 DST: 0:8:e3:60:f:80 PROTO: 800H PLEN: 103 HLEN: 14
\x00\x08\xE3\x60\x0F\x80\x00\x09\x43\x5F\xBC\x73\x08\x00
[---- IP SRC: 192.168.10.50 DST: 192.168.10.25 HLEN: 20 LEN: 85 ID: 1 FO: 0 TTL: 1 PROTO: 6 HCSUM: 9031
\x45\xC0\x00\x55\x00\x01\x00\x00\x01\x06\x23\x47\xC0\xA8\x0A\x32\xC0\xA8\x0A\x19
[---- TCP SRC: 179 DST: 11001 SEQ: 3610976348 ACK: 200639118 HLEN: 20 FlAGS: PA WIN: 16339 CSUM: 14248
\x00\xB3\x2A\xF9\xD7\x3B\x20\x5C\x0B\xF5\x82\x8E\x50\x18\x3F\xD3\x37\xA8\x00\x00
[--- APPLICATION
\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x1D\x01\x04\x00\x64\x00\xB4\xA9\xD5\x59\xF7\x00

Now you just paste the application payload:
# dnet hex "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x1D\x01\x04\x00\x64\x00\xB4\xA9\xD5\x59\xF7\x00" | nc 127.0.0.1 179
So the output in tethereal would be:
Frame 4 (95 bytes on wire, 95 bytes captured)
    Arrival Time: May 12, 2003 17:35:41.750849000
    Time delta from previous packet: 0.023761000 seconds
    Time relative to first packet: 0.024106000 seconds
    Frame Number: 4
    Packet Length: 95 bytes
    Capture Length: 95 bytes
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
    Destination: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Source: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 81
    Identification: 0xa7f9
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x94ab (correct)
    Source: 127.0.0.1 (127.0.0.1)
    Destination: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 34566 (34566), Dst Port: 179 (179), Seq: 1097229384, Ack: 1091345564, Len: 29
    Source port: 34566 (34566)
    Destination port: 179 (179)
    Sequence number: 1097229384
    Next sequence number: 1097229413
    Acknowledgement number: 1091345564
    Header length: 32 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 32767
    Checksum: 0x5e00 (correct)
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 17744818, tsecr 17744816
Border Gateway Protocol
    OPEN Message
        Marker: 16 bytes
        Length: 29 bytes
        Type: OPEN Message (1)
        Version: 4
        My AS: 100
        Hold time: 180
        BGP identifier: 169.213.89.247
        Optional parameters length: 0 bytes

07:59:45.875087 IP 127.0.0.1.33172 > 127.0.0.1.179: P 1:48(47) ack 1 win 32767 <nop,nop,timestamp 560183 560182>: BGP, length: 47
    Open Message (1), length: 45
        Version 4, my AS 888, Holdtime 180s, ID 192.168.10.50
        Optional parameters, length: 16
            Option Capabilities Advertisement (2), length: 6
                Multiprotocol Extensions, length: 4
                    AFI IPv4 (1), SAFI Unicast (1)
            Option Capabilities Advertisement (2), length: 2
                Unknown, length: 56
                    no decoder for Capability 120
            Option Unknown (48), length: 0
                no decoder for option 48
            Option 2, length: 2
 (DF)
0x0000 4500 0063 da0e 4000 4006 6284 7f00 0001  E..c..@.@.b.....
0x0010 7f00 0001 8194 00b3 257e 563b 25bd 0603  ........%~V;%...
0x0020 8018 7fff 8d5c 0000 0101 080a 0008 8c37  .....\.........7
0x0030 0008 8c36 ffff ffff ffff ffff ffff ffff  ...6............
0x0040 ffff ffff 002d 0104 0378 00b4 c0a8 0a32  .....-...x.....2
0x0050 1002 0601 0400 0100 0102 0278 3830 0002  ...........x80..
0x0060 0202 00
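As an added example (my own code, not the page's or the dnet/iplayer tools'), the following Python builds the same 29-byte OPEN from its fields, re-parses it with the length checks a receiving peer has to make before trusting any of the fields, and renders it in the \xNN form the dnet command line above takes. The two embedded messages are copied from the captures above; everything else (function and constant names, the well-formedness helper) is my own and assumed.

```python
import socket
import struct

BGP_MARKER = b"\xff" * 16
BGP_OPEN = 1
BGP_HEADER_LEN = 19      # marker (16) + length (2) + type (1)
OPEN_FIXED_LEN = 29      # header + version, AS, hold time, identifier, opt-params length

# Copied from the iplayer/tethereal output above: AS 100, hold time 180, identifier 169.213.89.247.
PAGE_OPEN_AS100 = BGP_MARKER + bytes.fromhex("001d 0104 0064 00b4 a9d5 59f7 00")
# Copied from the tcpdump hex dump above: 47 bytes on the wire carrying a 45-byte OPEN (AS 888)
# whose optional parameters tcpdump could not fully decode.
PAGE_OPEN_AS888 = BGP_MARKER + bytes.fromhex(
    "002d 0104 0378 00b4 c0a8 0a32 10 0206 0104 0001 0001 0202 7838 3000 0202 0200")


def build_bgp_open(my_as, hold_time, bgp_id, opt_params=b""):
    """Assemble an OPEN message (RFC 4271, section 4.2) for a 2-byte AS number."""
    if not 0 <= my_as <= 0xFFFF:
        raise ValueError("AS number must fit in 16 bits")
    if len(opt_params) > 255:
        raise ValueError("optional parameters exceed the 1-byte length field")
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       socket.inet_aton(bgp_id), len(opt_params)) + opt_params
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_OPEN) + body


def _walk_tlv(buf, what):
    """Yield (type, value) from a run of 1-byte-type / 1-byte-length items, refusing overruns."""
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated %s header" % what)
        t, length = buf[off], buf[off + 1]
        if off + 2 + length > len(buf):
            raise ValueError("%s type %d claims %d bytes, %d left" % (what, t, length, len(buf) - off - 2))
        yield t, buf[off + 2:off + 2 + length]
        off += 2 + length


def parse_bgp_open(data):
    """Decode an OPEN, checking every length field against the bytes actually present."""
    if len(data) < OPEN_FIXED_LEN:
        raise ValueError("shorter than the fixed OPEN fields")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if data[:16] != BGP_MARKER:
        raise ValueError("bad marker")
    if msg_type != BGP_OPEN:
        raise ValueError("message type %d is not OPEN" % msg_type)
    if length > 4096 or length != len(data):
        raise ValueError("length field %d vs %d bytes present" % (length, len(data)))
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", data[19:29])
    if version != 4:
        raise ValueError("BGP version %d" % version)
    if OPEN_FIXED_LEN + opt_len != length:
        raise ValueError("optional parameters length %d does not fill the message" % opt_len)
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": socket.inet_ntoa(bgp_id), "opt_params": data[29:]}


def is_well_formed_open(data):
    """True only if the OPEN, its optional parameters and any capabilities (type 2) are consistent."""
    try:
        for ptype, pvalue in _walk_tlv(parse_bgp_open(data)["opt_params"], "optional parameter"):
            if ptype == 2:
                list(_walk_tlv(pvalue, "capability"))
        return True
    except ValueError:
        return False


def to_dnet_hex(data):
    """Render bytes as the \\xNN string the dnet hex command line above consumes."""
    return "".join("\\x%02X" % b for b in data)
```

Running `is_well_formed_open` over the second capture shows why the strict checks matter: the 47 bytes on the wire carry a 45-byte message, and even the 45-byte message fails once the capability inside the second optional parameter claims 56 bytes that are not there. A decoder that trusted those lengths would read past its buffer; tcpdump stopped at "no decoder" for the same reason.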
For another example, pretend you need to generate an SSL ClientHello, the first message in the SSL handshake and the first packet after the TCP 3-way handshake:
21:50:25.651111 192.168.0.230.2798 > 192.168.1.24.443: S 2776748878:2776748878(0) win 16060 (DF)
0x0000 4500 003c 4baa 4000 4006 90ea 0a14 00e6  E..<K.@.@.......
0x0030 000a a9ed 0000 0000 0103 0300            ............
21:50:25.839591 192.168.1.24.443 > 192.168.0.230.2798: S 1134979098:1134979098(0) ack 2776748879 win 17376
0x0000 4500 0040 70eb 0000 2f06 bca5 ac15 a718  E..@p.../.......
0x0010 0a14 00e6 01bb 0aee 43a6 681a a581 d34f  ........C.h....O
0x0020 b012 43e0 09c4 0000 0204 05b4 0101 0402  ..C.............
0x0030 0103 0300 0101 080a 0055 ae9d 000a a9ed  .........U......
0x0040 5689 4c73                                V.Ls
21:50:25.839652 192.168.0.230.2798 > 192.168.1.24.443: . ack 1 win 16060 (DF)
0x0000 4500 0034 4bac 4000 4006 90f0 0a14 00e6  E..4K.@.@.......
0x0010 ac15 a718 0aee 01bb a581 d34f 43a6 681b  ...........OC.h.
0x0020 8010 3ebc 4fa1 0000 0101 080a 000a a9ff  ..>.O...........
0x0030 0055 ae9d                                .U..
21:50:25.840106 192.168.0.230.2798 > 192.168.1.24.443: P 1:73(72) ack 1 win 16060 (DF)
0x0000 4500 007c 4bad 4000 4006 90a7 0a14 00e6  E..|K.@.@.......
0x0010 ac15 a718 0aee 01bb a581 d34f 43a6 681b  ...........OC.h.
0x0020 8018 3ebc b8de 0000 0101 080a 000a a9ff  ..>.............
0x0030 0055 ae9d 8046 0103 0100 2d00 0000 1001  .U...F....-.....
0x0040 0080 0700 c003 0080 0600 4002 0080 0400  ..........@.....
0x0050 8000 0004 00fe ff00 000a 00fe fe00 0009  ................
0x0060 0000 6400 0062 0000 0300 0006 11d1 0e76  ..d..b.........v
0x0070 979a c8f4 8494 0abc 2875 a587            ........(u..

SSLDump Output

1 1  0.1889 (0.1889)  C>S  SSLv2 compatible client hello
  Version 3.1
  cipher suites
  SSL2_CK_RC4
  SSL2_CK_3DES
  SSL2_CK_RC2
  SSL2_CK_DES
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
  TLS_RSA_WITH_RC4_128_MD5
  Unknown value 0xfeff
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfefe
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  Packet data[72]=
   80 46 01 03 01 00 2d 00 00 00 10 01 00 80 07 00
   c0 03 00 80 06 00 40 02 00 80 04 00 80 00 00 04
   00 fe ff 00 00 0a 00 fe fe 00 00 09 00 00 64 00
   00 62 00 00 03 00 00 06 11 d1 0e 76 97 9a c8 f4
   84 94 0a bc 28 75 a5 87

Default iplayer output (TCP & APPLICATION LAYER)

[---- TCP SRC: 2798 DST: 443 SEQ: 2776748879 ACK: 1134979099 HLEN: 32 FlAGS: PA WIN: 16060 CSUM: 47326
0a ee 01 bb a5 81 d3 4f 43 a6 68 1b 80 18 3e bc b8 de 00 00 01 01 08 0a 00 0a a9 ff 00 55 ae 9d
[--- DATA
80 46 1 3 1 0 2d 0 0 0 10 1 0 80 7 0 c0 3 0 80 6 0 40 2 0 80 4 0 80 0 0 4 0 fe ff 0 0 a 0 fe fe 0 0 9 0 0 64 0 0 62 0 0 3 0 0 6 11 d1 e 76 97 9a c8 f4 84 94 a bc 28 75 a5 87

So this doesn't help us much, but let's change the output so that the app layer is ready to paste into a NASL script:

# iplayer -s 2 -r ssl
[---- TCP SRC: 2798 DST: 443 SEQ: 2776748879 ACK: 1134979099 HLEN: 32 FlAGS: PA WIN: 16060 CSUM: 47326
0x0a,0xee,0x01,0xbb,0xa5,0x81,0xd3,0x4f,0x43,0xa6,0x68,0x1b,0x80,0x18,0x3e,0xbc,0xb8,0xde,0x00,0x00,0x01,0x01,0x08,0x0a,0x00,0x0a,0xa9,0xff,0x00,0x55,0xae,0x9d,
[--- DATA
0x80,0x46,0x1,0x3,0x1,0x0,0x2d,0x0,0x0,0x0,0x10,0x1,0x0,0x80,0x7,0x0,0xc0,0x3,0x0,0x80,0x6,0x0,0x40,0x2,0x0,0x80,0x4,0x0,0x80,0x0,0x0,0x4,0x0,0xfe,0xff,0x0,0x0,0xa,0x0,0xfe,0xfe,0x0,0x0,0x9,0x0,0x0,0x64,0x0,0x0,0x62,0x0,0x0,0x3,0x0,0x0,0x6,0x11,0xd1,0xe,0x76,0x97,0x9a,0xc8,0xf4,0x84,0x94,0xa,0xbc,0x28,0x75,0xa5,0x87,

[ssl-clienthello.nasl]
# The captured SSLv2-compatible ClientHello, pasted straight from the iplayer -r output above
a = raw_string(0x80,0x46,0x1,0x3,0x1,0x0,0x2d,0x0,0x0,0x0,0x10,0x1,0x0,0x80,0x7,0x0,0xc0,0x3,0x0,0x80,0x6,0x0,0x40,0x2,0x0,0x80,0x4,0x0,0x80,0x0,0x0,0x4,0x0,0xfe,0xff,0x0,0x0,0xa,0x0,0xfe,0xfe,0x0,0x0,0x9,0x0,0x0,0x64,0x0,0x0,0x62,0x0,0x0,0x3,0x0,0x0,0x6,0x11,0xd1,0xe,0x76,0x97,0x9a,0xc8,0xf4,0x84,0x94,0xa,0xbc,0x28,0x75,0xa5,0x87);
for (i = 0; i < 10; i++) {
    soc = open_sock_tcp(443);            # fresh TCP connection to port 443 for each hello
    if (soc) {
        send(socket:soc, data:a);        # send the ClientHello bytes
        r = recv(socket:soc, length:1024);   # read whatever the server answers with
        display(r, "\n");
        close(soc);
    }
}
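The record ssldump decoded above, parsed field by field and re-emitted in the raw_string() form iplayer -r produces, as an added Python example (my own code, not the page's and not part of ssldump, iplayer or NASL). The 72-byte record is copied from the "Packet data[72]" listing above; the cipher names are the ones ssldump printed; the function names and the export-cipher helper are my own and assumed.

```python
import struct

# The 72-byte SSLv2-compatible ClientHello from the ssldump "Packet data[72]" listing above.
PAGE_CLIENT_HELLO = bytes.fromhex(
    "8046 0103 0100 2d00 0000 1001 0080 0700"
    "c003 0080 0600 4002 0080 0400 8000 0004"
    "00fe ff00 000a 00fe fe00 0009 0000 6400"
    "0062 0000 0300 0006 11d1 0e76 979a c8f4"
    "8494 0abc 2875 a587")

CIPHER_NAMES = {  # 3-byte cipher specs, named as ssldump printed them above
    0x010080: "SSL2_CK_RC4", 0x0700c0: "SSL2_CK_3DES", 0x030080: "SSL2_CK_RC2",
    0x060040: "SSL2_CK_DES", 0x020080: "SSL2_CK_RC4_EXPORT40", 0x040080: "SSL2_CK_RC2_EXPORT40",
    0x000004: "TLS_RSA_WITH_RC4_128_MD5", 0x00000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000009: "TLS_RSA_WITH_DES_CBC_SHA", 0x000064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x000062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x000006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}


def parse_sslv2_client_hello(record):
    """Decode a v2-format ClientHello: 2-byte header (high bit set = no padding,
    15-bit length), then type, version, three lengths, cipher specs, session id, challenge."""
    if len(record) < 2:
        raise ValueError("record too short for a header")
    hdr = struct.unpack("!H", record[:2])[0]
    if not hdr & 0x8000:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length, body = hdr & 0x7FFF, record[2:]
    if len(body) != length:
        raise ValueError("header announces %d bytes, %d present" % (length, len(body)))
    if length < 9:
        raise ValueError("body too short for a CLIENT-HELLO")
    msg_type, ver_major, ver_minor, cs_len, sid_len, ch_len = struct.unpack("!BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError("message type %d is not CLIENT-HELLO" % msg_type)
    if cs_len % 3:
        raise ValueError("cipher spec length %d is not a multiple of 3" % cs_len)
    if 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("cipher/session/challenge lengths do not add up to the record")
    specs = body[9:9 + cs_len]
    ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {
        "version": (ver_major, ver_minor),
        "ciphers": ciphers,
        "cipher_names": [CIPHER_NAMES.get(c, "Unknown value 0x%04x" % c) for c in ciphers],
        "session_id": body[9 + cs_len:9 + cs_len + sid_len],
        "challenge": body[9 + cs_len + sid_len:],
    }


def is_consistent_record(record):
    """True if every length field agrees with the bytes present (the check a parser must make)."""
    try:
        parse_sslv2_client_hello(record)
        return True
    except ValueError:
        return False


def export_grade(parsed):
    """Which offered ciphers are export-grade (what a scanner would flag about this client)."""
    return [n for n in parsed["cipher_names"] if "EXPORT" in n]


def to_nasl_raw_string(data, name="a"):
    """Emit the bytes as a NASL raw_string() assignment in the 0x.. form iplayer -r prints."""
    return "%s = raw_string(%s);" % (name, ",".join("0x%x" % b for b in data))
```

The record decodes to version 3.1 (TLS 1.0 offered through a v2-compatible hello) with 15 cipher specs, of which six are export-grade, an empty session id and a 16-byte challenge; the same lengths that let the parser find those fields are also what it must verify before indexing into the buffer.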
Building ISAKMP Main Mode Proposals with iplayer and sendip
 1 192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
 2 192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
 3 192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
 4 192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
 5 192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
 6 192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
 7 192.168.0.203 -> 192.168.1.235 ISAKMP Quick Mode
 8 192.168.1.235 -> 192.168.0.203 ISAKMP Quick Mode
 9 192.168.0.203 -> 192.168.1.235 ISAKMP Quick Mode
10 192.168.0.203 -> 192.168.1.235 ESP ESP (SPI=0x806e9107)
11 192.168.1.235 -> 192.168.0.203 ESP ESP (SPI=0x4ce84d44)

Now here's the first packet:
User Datagram Protocol
    Source port: 500 (500)
    Destination port: 500 (500)
    Length: 184
    Checksum: 0xb981 (correct)
Internet Security Association and Key Management Protocol
    Initiator cookie
    Responder cookie
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags
        .... ...0 = No encryption
        .... ..0. = No commit
        .... .0.. = No authentication
    Message ID: 0x00000000
    Length: 176
    Security Association payload
        Next payload: NONE (0)
        Length: 148
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload
            Next payload: NONE (0)
            Length: 136
            Proposal number: 0
            Protocol ID: ISAKMP (1)
            SPI size: 0
            Number of transforms: 4
            Transform payload
                Next payload: Transform (3)
                Length: 32
                Transform number: 0
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (2)
            Transform payload
                Next payload: Transform (3)
                Length: 32
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (2)
            Transform payload
                Next payload: Transform (3)
                Length: 32
                Transform number: 2
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (1)
            Transform payload
                Next payload: NONE (0)
                Length: 32
                Transform number: 3
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (1)

 0 0010 0dd4 0800 00a0 c919 6b91 0800 4500  ..........k...E.
10 00cc 5730 0000 4011 7e0f ac15 a6cb ac15  ..W0..@.~.......
20 a5eb 01f4 01f4 00b8 b981 f35c 1dea 6e81  ...........\..n.
30 cf0a 0000 0000 0000 0000 0110 0200 0000  ................
40 0000 0000 00b0 0000 0094 0000 0001 0000  ................
50 0001 0000 0088 0001 0004 0300 0020 0001  ............. ..
60 0000 800b 0001 800c 0e10 8001 0005 8002  ................
70 0002 8003 0001 8004 0002 0300 0020 0101  ............. ..
80 0000 800b 0001 800c 0e10 8001 0005 8002  ................
90 0001 8003 0001 8004 0002 0300 0020 0201  ............. ..
a0 0000 800b 0001 800c 0e10 8001 0005 8002  ................
b0 0001 8003 0001 8004 0001 0000 0020 0301  ............. ..
c0 0000 800b 0001 800c 0e10 8001 0005 8002  ................
d0 0002 8003 0001 8004 0001                 ..........

# sendip 192.168.0.1 -p UDP -ud 500 -us 500 -d 0xF35C1DEA6E81CF0A00000000000000000110020000000000000000B000000094000000010000000100000088000100040300002000010000800B0001800C0E10800100058002000280030001800400020300002001010000800B0001800C0E10800100058002000180030001800400020300002002010000800B0001800C0E10800100058002000180030001800400010000002003010000800B0001800C0E1080010005800200028003000180040001
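The same Main Mode packet composed from its parts and decoded back, as an added Python example (my own code, not the page's and not part of iplayer or sendip). The 176-byte payload is copied from the sendip -d argument above; the builder assembles header, SA, proposal and four KEY_IKE transforms with the attributes the tethereal decode lists, the parser walks the payload chain checking every length field against the bytes present, and to_sendip_hex renders the 0x-prefixed string sendip's -d option takes. Function and constant names are my own and assumed.

```python
import struct

# UDP payload of packet 1 above, copied from the page's sendip -d argument (176 bytes).
PAGE_MAIN_MODE = bytes.fromhex(
    "F35C1DEA6E81CF0A 0000000000000000 01 10 02 00 00000000 000000B0"
    "00000094 00000001 00000001"
    "00000088 00 01 00 04"
    "03000020 00010000 800B0001 800C0E10 80010005 80020002 80030001 80040002"
    "03000020 01010000 800B0001 800C0E10 80010005 80020001 80030001 80040002"
    "03000020 02010000 800B0001 800C0E10 80010005 80020001 80030001 80040001"
    "00000020 03010000 800B0001 800C0E10 80010005 80020002 80030001 80040001")

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange, flags, msg id, length
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
              4: "Group-Description", 11: "Life-Type", 12: "Life-Duration"}


def build_transform(number, enc, hash_alg, auth, group, life=3600, last=False):
    """One KEY_IKE transform carrying the six TV-form attributes seen in the capture above."""
    attrs = struct.pack("!12H", 0x800B, 1, 0x800C, life, 0x8001, enc,
                        0x8002, hash_alg, 0x8003, auth, 0x8004, group)
    next_payload = 0 if last else 3          # 3 = another Transform follows, 0 = NONE
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(attrs), number, 1, 0) + attrs


def build_main_mode_sa(icookie, transforms):
    """Header + SA payload (DOI IPSEC, situation IDENTITY) + one proposal (protocol ISAKMP, no SPI)."""
    body = b"".join(transforms)
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 0, 1, 0, len(transforms)) + body
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    header = ISAKMP_HDR.pack(icookie, bytes(8), 1, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(sa))
    return header + sa


def to_sendip_hex(data):
    """The 0x-prefixed hex form sendip's -d option accepts."""
    return "0x" + data.hex().upper()


def parse_attributes(buf):
    """SA attributes: TV (high bit set, 2-byte value) or TLV (2-byte length, then value)."""
    attrs, off = {}, 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated attribute")
        atype, val = struct.unpack("!HH", buf[off:off + 4])
        if atype & 0x8000:
            attrs[atype & 0x7FFF] = val
            off += 4
        else:
            if off + 4 + val > len(buf):
                raise ValueError("attribute %d overruns transform" % atype)
            attrs[atype] = int.from_bytes(buf[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs


def parse_main_mode_sa(data):
    """Walk header -> SA -> proposal -> transforms, checking each length against the bytes present."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack(data[:28])
    if length != len(data):
        raise ValueError("ISAKMP length %d but %d bytes present" % (length, len(data)))
    if nxt != 1:
        raise ValueError("first payload is %d, not SA" % nxt)
    sa_next, _, sa_len, doi, situation = struct.unpack("!BBHII", data[28:40])
    if sa_len < 20 or 28 + sa_len > length:       # 12 SA bytes + at least a proposal header
        raise ValueError("SA payload length %d out of range" % sa_len)
    p_next, _, p_len, p_num, proto, spi_size, n_trans = struct.unpack("!BBHBBBB", data[40:48])
    if p_len < 8 + spi_size or 40 + p_len > 28 + sa_len:
        raise ValueError("proposal length %d out of range" % p_len)
    off, end, transforms = 48 + spi_size, 40 + p_len, []
    while off < end:
        if off + 8 > end:
            raise ValueError("truncated transform header")
        t_next, _, t_len, t_num, t_id = struct.unpack("!BBHBB", data[off:off + 6])
        if t_len < 8 or off + t_len > end:
            raise ValueError("transform %d overruns proposal" % t_num)
        t = {"number": t_num, "id": t_id}
        t.update((ATTR_NAMES.get(k, k), v) for k, v in parse_attributes(data[off + 8:off + t_len]).items())
        transforms.append(t)
        off += t_len
        if t_next == 0:
            break
    if len(transforms) != n_trans:
        raise ValueError("proposal announces %d transforms, found %d" % (n_trans, len(transforms)))
    return {"initiator_cookie": icookie.hex(), "version": (version >> 4, version & 0xF),
            "exchange_type": exch, "doi": doi, "situation": situation, "transforms": transforms}


def is_well_formed(data):
    """True only if every payload length in the chain is consistent with the bytes present."""
    try:
        parse_main_mode_sa(data)
        return True
    except (ValueError, struct.error):
        return False
```

Building the four transforms with the values tethereal listed (3DES for all, SHA/MD5/MD5/SHA, PSK, groups 2/2/1/1, 3600-second lifetime) reproduces the page's 176 bytes exactly, which is a useful sanity check before changing any field for a new proposal; the parser's length checks are the same ones a responder must apply, since each payload's next-payload and length fields come straight from the peer.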