Network Packet Crafting, Sniffing, and Parsing:

A primer on crafting, sensing and formatting the output of TCP/UDP/ICMP/rawIP packets

using three popular freeware security utilities for UNIX-Based systems

1. GOAL

To find a flexible freeware packet crafting tool, learn its usage and options, verify its output using TCPdump, and parse
this output into an easy-to-read format.

2. TOOLS USED

Hping 2 Beta ver. 5.4 packet assembler/analyzer tool

http://www.kyuzz.org/antirez/hping.html
TCPdump 3.6.2 robust utility that dumps headers of packets from network traffic
http://www.tcpdump.org/
Packprint simply formats TCPdump output into a clearer scheme
http://www.earth.li/projectpurple/progs/packprint.html

Notes:
1.It is important that the latest version of tcpdump is used. The version that comes bundled with a standard *NIX
installation is often dated, and doesn't support the -X switch for example.
2.These and other utilities are available in the software repository on the internal CSL network at http://10.17.0.101

3. BACKGROUND

Hping2 and other packet generating utilities follow the same order of operations when creating and sending packets
onto a network. These operations are as follows:

memory initialization (specifying enough memory for the packet)

network initialization (call to code library that returns RAW socket and connects link-layer interface)
packet construction (the setting or filling of a specific protocol's flags, headers, and payload)
packet injection (dropping the packet onto the network
For example: different process for IP than for Link Layer)

Hping2's implementation makes the above steps transparent to the user, producing a network tool that easily assembles
and sends custom ICMP/UDP/TCP packets, and displays target replies in the same way ping does with ICMP replies. It
handles fragmentation and arbitrary packet body and size, and it can be used to transfer files under the above supported
protocols. Hping2 is command-line oriented, and employs a large number of extensions.

As described by its programmers, Hping2 can be used for:

• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Traceroute like, under all the supported protocols
• Remote OS fingerprinting
• TCP/IP stacks auditing

hping is also a useful tool for students that are learning TCP/IP.
4. PROCEDURE

Installation of all three utilities is relatively straightforward (see the README of each). In the following examples,
packprint, tcpdump, and hping2 reside in the directory "/usr/local/sbin" because this directory is in the system path by
default.

The following examples all take place on a linux terminal with root access, connected to a local network, running the
KDE environment, and the following setup:
First rootshell window: for running TCPdump and Packprint.
Second rootshell window: for running Hping2

5. EXAMPLES

1. Creating a simple TCP packet and sniffing it with TCPDUMP:

rootshell 1

rootshell
2

In the above example, tcpdump is started first (in rootshell 2), with "host 10.17.0.101" specifying the IP address of a
local machine in the lab. This parameter is necessary because we only want to see traffic to and from that specific IP.
Without it, tcpdump would display ALL local network traffic, making the exercise unnecessarily confusing.

With tcpdump listening, we then proceed to create a packet and send it to "10.17.0.101" by invoking "hping2" in
rootshell 1. The switch "-c 1" specifies that the count (number of packets to send) is one. Again, this is done to keep
the output simple and uncluttered. Upon hitting enter, we see a quick summary of the packet that has been created. By
default, the packet has a TCP header with no flags set, and no data bytes (ie. no payload). In the next line we see the
machine respond by resetting the ttl to 255 (from 64), assign an id, etc. Following this are statistics about the packets
journey to and from the host computer.

In general, usage for hping2 is as follows:

hping2 (host) [options]

2
Looking again at rootshell 2, we see the network traffic our synthesized packet has created, complete with standard arp
who-has request, arp reply, and a timestamp of each event.
Before performing any more examples, it is necessary to recall the structure of this basic TCP header and the headers of
a couple of other protocols. Below is a diagram of each, followed by a complete list of the switches which are used
with Hping2 to craft such packets, populate their fields, and set their flags. Matching the switches in the list with the
appropriate field in the diagrams is a quick way to regain familiarity with the protocols as well as the values of the
default settings and how to change each.

3
 0 15 16 IP H E A D E R 31
4 - b it 4 - b it h e a d e r 8 - b it t y p e o f s e r v ic e 1 6 - b it t o ta l le n g t h ( in b y t e s )
v e r s io n le n g t h (T O S )
3 - b it
1 6 - b it i d e n t if ic a t io n f la g s 1 3 - b it f r a g m e n t o f f s e t

8 - b it t im e t o liv e 8 - b it p r o t o c o l 1 6 - b it h e a d e r c h e c k s u m 2 0 b y te s
(T T L )

3 2 - b it s o u r c e IP a d d r e s s

3 2 - b it d e s t in a t io n IP a d d r e s s

O p t io n s ( if a n y )

D a ta

0 15 16 UDP HEADER 31
1 6 - b it s o u r c e p o r t n u m b e r 1 6 - b it d e s t in a t io n p o r t n u m b e r
8 b y te s
1 6 - b it U D P le n g t h 1 6 - b it U D P c h e c k s u m

D a ta ( if a n y )

0 15 16 TCP HEADER 31
1 6 - b it s o u r c e p o r t n u m b e r 1 6 - b it d e s t in a t io n p o r t n u m b e r

3 2 - b it s e q u e n c e n u m b e r

3 2 - b it a c k n o w le d g m e n t n u m b e r 2 0 b y te s

4 - b it h e a d e r R e s e rv e d U A P R S F
le n g t h ( 6 b it s ) R C S S Y I 1 6 - b it w in d o w s iz e
G K H T N N
1 6 - b it T C P c h e c k s u m 1 6 - b it u r g e n t p o in t e r

O p t io n s ( if a n y )

D a ta ( if a n y )

usage: hping host [options]

-h --help show this help

-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)

4
 -n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z

Mode
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-9 --listen listen mode

IP
-a --spoof spoof source address
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set dont fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
-H --ipproto set the IP protocol field, only in RAW IP mode

ICMP
-C --icmptype icmp type (default echo request), try --icmptype help
-K --icmpcode icmp code (default 0)
--icmp-help display help for others icmp options

UDP/TCP
-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum send packets with a bad IP checksum
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code

Common
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind)

5
 2. Creating, sniffing, and parsing the same TCP Packet

This time we've piped the output of tcpdump to a parser called Pckprint that re-formats the information and makes it
more readable, the second window displays a fragment of this information. Although this method is sometimes buggy,
we can parse the tcpdump output with packprint in (almost) real-time with the command shown in the window.

The "-s 65535" defines the maximum number of bytes of data that tcpdump captures for each packet. Without this,
tcpdump only captures a default of 68 bytes. The entire packet must be captured for the parser to process the data
properly. The "-c 1" is used in the same way as for hping2 in Example 1. That is, to limit the number of packets (in
this case captured) to 1. The "-w" switch indicates that the traffic is to be dumped to a file ( "-" in this case indicates
that the file is actually the screen) and "packprint -" processes this 'file'.

If this command seems counter-intuitive, it is acceptable to first capture the traffic to a file, and then process it, as
below:
>> tcpdump host 10.17.0.101 -s 65535 -c 5 -w out.txt
>> packprint out.txt

6
 3. Creating and sniffing a raw IP packet with a spoofed source address

To see how we can spoof the source address, tcpdump is set running in rootshell 2 and the hping2 command with the
"-a" switch is executed as shown in rootshell 1. To create a raw IP packet, "-0" was specified as per the usage menu.

Note that in this case, although we did assemble and inject the packet -- successfully spoofing the source address as
"microsoft.com" -- the host could not establish a connection because the synthesized packet is only the first step in the
protocol's handshake (see the line "1 packets transmitted, 0 packets received, 100% packet loss"). Faking the source IP
is little more than a neat trick without the trust-exploitation in place that would make it useful in compromising a
system.

4. Creating and sniffing a TCP packet with a fake TCP data offset, a specific starting TTL, a non-
random ID, a SYN flag set, and a specific TCP sequence number.

7
The above is an example of a very customized packet; made so with the appropriate switches and chosen values as
shown. The "-vv" in the tcpdump command is to give more detailed (verbose) output. Note that all the values specified
at the command line in rootshell 1 appear in the tcpdump stream in rootshell 2

5. Generating and sniffing a specific payload in a simple TCP packet.

By adding the switch "-d 108" we specify that the data field of
the packet will have a size of 108 bytes, the "-E in.txt" specifies
the location from which this payload is extracted. While being
written in the editor, the file looked as shown to the right. The
same text is plainly visible in both hex and ascii outputs of the
tcpdump stream. Literally any information can be transferred in
the clear this way between trusted machines.

8
HPING AND TCPDUMP IN ACTION

There is no end to the amount of network traffic and security information that can be gathered using basic utilities like
Hping2 and TCPdump. Hping2 is a rather small program, but it can perform sophisticated, stealthy scans of net sites
and create the illusion of probes from widely dispersed locations. Network weaknesses to certain protocols can be
identified, firewalls can be tested, and entire files can be transferred within the payloads of packets that are
masquerading as something much more benign. With the right series of scripts taking advantage of the flexibility of
Hping and the thoroughness of TCPDump, it is possible to identify very many network vulnerabilities.

With Hping3 currently in the works, and the source code for the current version freely available, Hping2 offers an
excellent starting point for new code that can demonstrate the vulnerability of higher-level protocols. A significant
example is a trojan that encapsulates and transmits (with no interference from the firewall) private information inside
something as innocent as an http request.