Packet Crafting with Colasoft Packet Builder

In this tutorial we are going to discuss packet crafting with Colasoft Packet Builder, a handy tool for testing the strength of firewalls, IDS and servers against malicious floods of network traffic such as TCP and UDP DoS attacks. The tool is very easy to use, especially for beginners.

Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry points into a targeted system or network. This is done by manually generating packets to test network devices and behaviour, instead of using existing network traffic. Testing may target the firewall, IDS, TCP/IP stack, router or any other component of the network. Packets are usually created with a packet generator or packet analyzer that allows specific options and flags to be set on the created packets. The act of packet crafting can be broken into four stages: Packet Assembly, Packet Editing, Packet Play and Packet Decoding.
For more detail, visit Wikipedia.org.

Mode of Operation

Packet Assembly: This is the initial stage of packet crafting, where the tester decides which network can be compromised easily and creates a packet that exploits a vulnerability in it. The packet should be designed so that it remains undetectable in the target's network.

Famous tools for packet assembly: Hping3 and Yersinia

Packet Editing: In this stage a captured packet is edited or modified in ways that are not possible in the Packet Assembly phase. The packet is edited so that a small change lets it extract more information about the target's network, for example by changing the data length (payload) of the packet.
Famous tools for packet editing: Colasoft and Scapy

Packet Playing: In this phase the finished packet is sent to the target's network to exploit it and collect information. This is the actual arena where the two previous stages are tested; if the packet fails to retrieve the victim's information or exploit the vulnerability, it goes back to the Packet Editing phase for modification.

Packet Analysis: This is the last stage, where the packet is analysed when it is received on the target network. The captured packet is decoded and investigated for its internal details, which reveal its purpose in establishing a connection on the target's network.
Famous tools for packet analysis: Wireshark and Tcpdump

Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common hex editing of raw data, it features a Decode Editor that lets users edit specific protocol field values much more easily.
Users can edit decoding information in two editors, the Decode Editor and the Hex Editor. Users can select one of the provided templates (Ethernet Packet, ARP Packet, IP Packet, TCP Packet and UDP Packet) and change the parameters in the Decode Editor, hex editor or ASCII editor to create packets. Any change is immediately reflected in the other two windows. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.


Let’s start!!!

TCP Packet Crafting

You can download it from the link given above; once downloaded, run the application as administrator to begin crafting the various packets. As explained above, packet crafting involves four phases; let's start by adding the packet we will craft for testing our network.


Click on Add in the menu bar.


A small window will pop up to select the type of packet to be crafted. Here we choose a TCP packet, which we can craft for example by increasing the size of the packet or by sending individual TCP flags to the destination IP address. If you look at the image below you will notice that I set a delta time of 0.1 sec as the time elapsed between all crafted packets. The delta time is the time gap between each packet.


The window is divided into three panes: Decode Editor, Hex Editor and Packet List. From the image you can see the following information that I edited for the TCP packet.
Decode Editor: This section contains packet information such as protocol, Time to Live and so on. Here you need to add the source address responsible for sending the packet and the destination address responsible for receiving the incoming packet traffic.

Source address: 192.168.1.102
Destination address: 192.168.1.107

Hex Editor: This section displays the raw information (hexadecimal) related to the data of the packet. By typing a random string you can increase the size of the packet.
Packet size: 77 bytes
This stage is also known as Packet Editing mode, where we can modify our packet.




Click on Adapter in the menu bar to select the specific adapter from which packets will be sent. In the image below you can see it showing adapter status: LAN Operational.
Note: This is only available when you have run the application as administrator.


Click on Send in the menu bar, enable the check boxes for "Burst Mode" and "Loop Sending", and adjust the number of packets to be sent to the destination network and the delay between packets.
Then click on Start to send the TCP packets. This stage is known as Packet Playing mode, where we are ready to send the packet onto the target network.





ARP Packet Crafting
Repeat the same steps, this time choosing ARP packet, to craft a packet for the ARP protocol on the target's network. If you look at the image below you will notice that I set the same delta time of 0.1 sec.


Apart from editing the source and destination IP, here we also need to add the source and destination physical (MAC) addresses.
Hence this time I set the following information in the Decode Editor and Hex Editor.
Source MAC: AA:AA:AA:AA:AA:AA
Source address: 192.168.1.102
Destination MAC: BB:BB:BB:BB:BB:BB
Destination address: 192.168.1.107
Packet size: 78 bytes

You can use any method to find the destination MAC address.




Click on Adapter in the menu bar to select the specific adapter. In the image below you can see it showing adapter status: LAN Operational.


Click on Send in the menu bar, enable the check boxes for "Burst Mode" and "Loop Sending", and adjust the number of packets to be sent to the destination network as you wish.
Then click on Start to launch the sending of ARP packets. This action is known as Packet Playing.


In the image below you can observe continuous ARP requests asking who has 192.168.1.107, which means our packet playing gave a positive result. In Wireshark the target is able to analyse the purpose of the packet received from the sender's network.


IPv4 Packet Crafting
Repeat the same process, this time choosing IP packet, to craft a packet for the IPv4 protocol on the target's network. Again, if you look at the image below you will notice that I set the same delta time of 0.1 sec.


This time I set the following information in the Decode Editor and Hex Editor while editing the packet.
Source address: 192.168.1.102
Destination address: 192.168.1.107
Packet size: 71 bytes







Click on Send in the menu bar, enable the check boxes for "Burst Mode" and "Loop Sending", and adjust the number of packets to be sent to the destination network as you wish.
Then click on Start to send the IPv4 packets.





UDP Packet Crafting
Repeat the same steps, this time choosing UDP packet. If you look at the image below you will notice that again I set a delta time of 0.1 sec as the time elapsed between all packets.


This time I edited the following information in the Decode Editor and Hex Editor to design my packet.
Source address: 192.168.1.102
Destination address: 192.168.1.107
Packet size: 72 bytes


After editing your packet information, verify the changes in the Packet List on the right side of the window.


Click on Adapter to select the specific adapter for sending the packets. In the image below you can see it showing adapter status: LAN Operational.


Click on Send in the menu bar, enable the check boxes for "Burst Mode" and "Loop Sending", and adjust the number of packets to be sent to the destination network as you wish.
Then click on Start to send the crafted UDP packets.


In the image below you can clearly observe the flow of UDP packets from the sender's network to the receiver's network.
Hence in this tutorial we have tried to explain all four modes of operation of crafting a packet for testing a network using Colasoft and Wireshark.
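The assembly and decoding stages walked through above, as an added example that is not Colasoft's code or the tutorial's own: it builds the ARP request (who has 192.168.1.107? tell 192.168.1.102) and a 20-byte IPv4 header as raw bytes, the way the Hex Editor shows them, then decodes the frame and verifies the IP checksum. Addresses are the ones used in the tutorial; nothing is put on the wire.

```python
"""Assemble an ARP request and an IPv4 header as raw bytes, then decode them
back, the work the Colasoft Decode Editor and Hex Editor do for you. Added
example, not Colasoft code; uses the tutorial's addresses; nothing is sent."""
import struct
import socket

SRC_MAC, DST_MAC = "AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB"
SRC_IP, DST_IP = "192.168.1.102", "192.168.1.107"
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp_request(src_mac, src_ip, target_ip):
    """Broadcast Ethernet frame carrying 'who has target_ip? tell src_ip'
    (opcode 1); the target MAC field is zero because it is still unknown."""
    eth = mac_bytes("FF:FF:FF:FF:FF:FF") + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)   # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)
    arp += bytes(6) + socket.inet_aton(target_ip)
    return eth + arp                                      # 14 + 28 = 42 bytes

def decode_arp(frame):
    """Packet decoding stage: recover the ARP fields from the raw frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    return {"opcode": {1: "request", 2: "reply"}.get(opcode, opcode),
            "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42])}

def ip_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; the result is 0 when
    run over a header that already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src_ip, dst_ip, proto, payload_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header with the checksum filled in. Editing a field such as
    TTL in the hex editor without recomputing it is a common crafting mistake."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ipv4_checksum_ok(hdr):
    """True when the header's embedded checksum matches its contents."""
    return ip_checksum(bytes(hdr[:20])) == 0
```

A receiver such as Wireshark flags a header whose checksum no longer matches, which is why a hand-edited TTL or length field must be followed by a recomputed checksum.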



DHCP Penetration Testing

DHCP stands for Dynamic Host Configuration Protocol; a DHCP server dynamically assigns IP addresses to hosts (DHCP clients). Basically the DHCP server reduces the manual effort of the administrator in configuring IP addresses on client machines by automatically assigning a valid IP to each network device. DHCP can distribute IP addresses of any class (A, B, C, D, E) according to their netmask, which means it is applicable to small networks as well as huge ones.
DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.
There are three mechanisms used to assign an IP address to the client. They are:
·         Automatic allocation - DHCP assigns a permanent IP address to a client.
·         Manual allocation - The client's IP address is assigned by the administrator; DHCP conveys the address to the client.
·         Dynamic allocation - DHCP assigns an IP address to the client for a limited period of time (lease).

Mode of Operation of DHCP Server and DHCP Client

·         DHCP Discover: The DHCP client broadcasts a DHCP Discover message to the broadcast address (255.255.255.255) to request an IP address lease from a DHCP server.
·         DHCP Offer: The DHCP server receives the DHCP Discover message from the client, reserves an IP for it and sends a DHCP Offer message to the client with the lease.
·         DHCP Request: The DHCP client broadcasts a DHCP Request message accepting the offered IP and asking for the IP parameter configuration.
·         DHCP Acknowledgment: The DHCP server receives the client's request and responds with a DHCPACK message containing the committed IP address, its configuration and additional information such as the lease time of the offered IP.

·         DHCP Release: The DHCP client sends a DHCP Release packet to the DHCP server to release the IP address.



DHCP Starvation Attack

A DHCP starvation attack may also be categorised as a DHCP DoS attack, where the attacker broadcasts fake DHCP requests with spoofed MAC addresses. If the official server replies to these fake requests, the address space available to the DHCP server can be exhausted for a period of time. This can be performed with attack tools such as "Yersinia".
The attacker may then place a rogue server in the network and respond to new DHCP requests from clients.

In the image below you can observe that by executing the command below we listed the hardware bindings on our official router. Here we used a Cisco router for DHCP penetration testing.
show ip dhcp binding


Launch DHCP Starvation Attack using Yersinia


Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

Currently Yersinia supports:
Spanning Tree Protocol (STP)
Cisco Discovery Protocol (CDP)
Dynamic Trunking Protocol (DTP)
Dynamic Host Configuration Protocol (DHCP)
Hot Standby Router Protocol (HSRP)
IEEE 802.1Q
IEEE 802.1X
Inter-Switch Link Protocol (ISL)
VLAN Trunking Protocol (VTP)
From http://www.yersinia.net/

By default Yersinia is installed in Kali Linux and is available for DHCP penetration testing. Open the terminal and execute the command below, which opens Yersinia in GUI mode as shown in the image below.
yersinia -G


You will see a few tabs in the menu bar; click on Launch attack. A small window will pop up to choose the protocol for the attack; here we select DHCP and enable the option for sending DISCOVER packets.



Now it will start sending Discover packets to the router, which releases an IP for each fake Discover message, as shown in the image.


In the image below you can observe that Wireshark has captured the DHCP packets, where the attacker machine with source 0.0.0.0 is broadcasting DISCOVER messages to destination 255.255.255.255. This is a DHCP starvation attack, which is also considered a DHCP DoS attack because it sends Discover messages endlessly into the network, so the responding server is blocked from serving genuine requests from other DHCP clients.


Now when you check the router's IP binding table again you will observe that all IPs have been allocated to various different hardware addresses, as shown in the image below.


A rogue DHCP server is a forged server placed by the attacker in a local network to steal information shared among several clients. After the DHCP starvation attack, the official DHCP server is unable to offer IPs to DHCP clients. Therefore when a client releases its old IP and requests a new one by broadcasting a DHCP Discover message, the rogue server offers an IP in response, the client requests its IP configuration from the fake server and is trapped in the fake network. Now any information the client transfers over the fake network can easily be sniffed by the rogue server.


In the image below you can see that the attacker's machine IP is 192.168.1.104, which will appear as the DNS address on the victim's machine (Windows).


Now open the terminal and type "msfconsole" to start the Metasploit Framework, then execute the commands below, which will create your rogue server in the network.

use auxiliary/server/dhcp
msf auxiliary(dhcp) > set srvhost 192.168.1.104
msf auxiliary(dhcp) > set netmask 255.255.255.0
msf auxiliary(dhcp) > set DHCPIPSTART 192.168.1.200
msf auxiliary(dhcp) > set DHCPIPEND 192.168.1.205
msf auxiliary(dhcp) > exploit

If you look at the commands above you will see that they start a DHCP service that behaves like a DHCP server, offering class C IPs to official DHCP clients from the specified pool between 192.168.1.200 and 192.168.1.205.
Now turn on any other system in the network and check its IP configuration.




In the image below you can observe that the IP 192.168.1.202 has been allocated to Ubuntu, which is an official DHCP client. Now any information the client transfers over the fake network can easily be sniffed by the rogue server. For details read our previous article "Comprehensive guide on sniffing".
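The Discover/Offer exchange described above, together with the two checks a defender runs on it (is the offering server authorised, and are more distinct MACs asking for leases than the pool holds), as an added example that is neither the tutorial's nor Metasploit's code. The authorised server address 192.168.1.1 is an assumed placeholder; 192.168.1.104 is the attacker IP from the tutorial and the client MAC is constructed.

```python
"""Encode a DHCP DISCOVER / OFFER pair, parse the options back, and check the
OFFER's server identifier and the number of distinct requesting MACs.
Added example, not the tutorial's or Metasploit's code. The authorised-server
address is an assumed placeholder; 192.168.1.104 is the attacker IP above."""
import struct
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
AUTHORISED_SERVERS = {"192.168.1.1"}   # assumed address of the official DHCP server

def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", server_id=None):
    """Fixed 236-byte BOOTP header + magic cookie + options (RFC 2131 layout)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0x8000,           # htype=Ethernet, broadcast flag
                      socket.inet_aton("0.0.0.0"),            # ciaddr
                      socket.inet_aton(yiaddr),               # yiaddr: the offered address
                      socket.inet_aton("0.0.0.0"),            # siaddr
                      socket.inet_aton("0.0.0.0"),            # giaddr
                      bytes.fromhex(chaddr.replace(":", "")), # chaddr, zero-padded to 16
                      b"", b"")                               # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_dhcp(pkt):
    """Pull out the fields a defender cares about: xid, client MAC, offered IP,
    message type (option 53) and server identifier (option 54)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", pkt[4:8])[0]
    yiaddr = socket.inet_ntoa(pkt[16:20])
    chaddr = ":".join(f"{b:02X}" for b in pkt[28:34])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                     # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    server_id = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    return {"xid": xid, "chaddr": chaddr, "yiaddr": yiaddr,
            "msg_type": opts[OPT_MSG_TYPE][0], "server_id": server_id}

def exchange(server_id, chaddr="08:00:27:12:34:56", offered="192.168.1.200"):
    """One DISCOVER from a client and the server's OFFER, tied together by the xid."""
    discover = build_dhcp(BOOTREQUEST, DISCOVER, 0x3903F326, chaddr)
    xid = parse_dhcp(discover)["xid"]
    offer = build_dhcp(BOOTREPLY, OFFER, xid, chaddr, offered, server_id)
    return discover, offer

def offer_is_authorised(pkt, authorised=AUTHORISED_SERVERS):
    """True/False for an OFFER or ACK, None for other message types. An OFFER
    whose option 54 is not an authorised server is the rogue-server case."""
    f = parse_dhcp(pkt)
    if f["msg_type"] not in (OFFER, ACK):
        return None
    return f["server_id"] in authorised

def starvation_suspected(discovers, pool_size):
    """More distinct client MACs asking for leases than the pool can hold is
    the starvation signature seen in the router's binding table above."""
    macs = {parse_dhcp(p)["chaddr"] for p in discovers if parse_dhcp(p)["msg_type"] == DISCOVER}
    return len(macs) > pool_size
```

Switch-side DHCP snooping applies the same two checks in hardware: it drops OFFER/ACK arriving on untrusted ports and rate-limits DISCOVERs per port.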



DOS Attack Penetration Testing (Part 2)

In our previous "DOS Attack Penetration Testing" we described several DoS attack scenarios and received alerts for them through Snort. DoS can be performed in many ways, either using a command line tool such as Hping3 or a GUI based tool. So today you will learn how to perform DoS attacks using GUI tools as well as command line tools and get an alert through Snort.

Let's start!!
TCP Flood Attack using LOIC
As described in both our articles, Part 1 and Part 2, Snort is running on the target system as a NIDS to analyse network traffic packets. Therefore we first build a rule in Snort to detect random TCP packets coming rapidly into our network.

Execute the command below in Ubuntu's terminal to open Snort's local rule file in a text editor, and add the following rule.
sudo gedit /etc/snort/rules/local.rules
alert tcp any any -> 192.168.1.10 any (msg:"TCP Flood"; sid:1000001; rev:1;)

The above rule will monitor incoming TCP packets to 192.168.1.10 and generate an alert for them as "TCP Flood". Now turn on Snort's IDS mode by executing the command below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


LOIC: It stands for Low Orbit Ion Cannon, a GUI network stress testing tool developed by Praetox Technologies. We used it only for educational purposes in our local network; using it against public systems is considered a crime and is illegal. Download it from Google.

We downloaded LOIC on our Windows system; run the setup file to install it. Start the tool and follow the steps below:
Select your target: Here we go with the IP option, enter the victim's IP 192.168.1.10 and click on Lock on.
Attack options: Enter the port number, select the method such as TCP and enter the number of threads. If you want to wait for reply packets from the victim's network, enable the check box, otherwise disable it.
Adjust the scale: Drag the slider left or right to set the speed of your TCP packets to faster or slower.
Attack status: Describes the attack state, such as connecting, requesting and so on.
Ready: Now click on IMMA CHARGIN MAH LAZER to launch the DoS attack, and click on stop flood to stop it.


We are using Wireshark in this tutorial so that you can clearly see the packets sent from the attacker's network to the target's network. In the image below you can notice that endless TCP packets have been sent to the target's network. This is considered a volume based DoS attack, which floods the target network with an endless stream of packets so that it becomes unusable for other legitimate users.


Return to your target machine, where you will notice that Snort is capturing all incoming traffic in exactly the same way and generating alerts for "TCP Flood". Hence you can block the attacker's IP (192.168.1.16) to protect your network by discarding all further packets coming toward it.


UDP Flood Attack using LOIC
I think it is now clear to you how to build a rule in Snort to get an alert for suspicious network traffic. Again repeat the same: execute the command below in Ubuntu's terminal to open Snort's local rule file in a text editor and add a rule for UDP flood.
sudo gedit /etc/snort/rules/local.rules
alert udp any any -> 192.168.1.10 any (msg:"UDP Flood"; sid:1000003; rev:1;)

The above rule will monitor incoming UDP packets to 192.168.1.10 and generate an alert for them as "UDP Flood". Now turn on Snort's IDS mode by executing the command below in the terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


Repeat the whole procedure as above, only change the method in the attack options to UDP and launch the DoS attack on the target IP. You can set any number of threads for the attack; since this is a tutorial I set 20 for UDP. This is considered a volume based DoS attack, which floods the target network with an endless stream of packets so that it becomes unusable for other legitimate users.


Return to your target machine, where you will observe that Snort is precisely capturing all incoming traffic in the same way and generating alerts for "UDP Flood". Hence again you can block the attacker's IP (192.168.1.16) to protect your network by discarding all further packets coming toward it on port 80.


TCP Flood Attack using HOIC
Next we are using HOIC, which is also a GUI tool for TCP attacks; if you remember, we have already configured the TCP flood rule in our local rule file. Now turn on Snort's IDS mode by executing the command below in the terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

HOIC: It stands for High Orbit Ion Cannon, a network stress testing tool developed by Praetox Technologies. We used it only for educational purposes in our local network; using it against public systems is considered a crime and is illegal. Download it from Google.
We downloaded HOIC on our Windows system; run the setup file to install it. Start the tool and follow the steps below:
Add the target by clicking on the plus symbol "+".


A list of attack options will pop up as shown in the image below; follow the steps below:
URL: Enter your target network address as http://192.168.1.10
Power: Low/Medium/High to decide the speed of the packets sent to the target machine.
At last click on Add.




You can clearly observe the TCP packets being sent from the attacker's network to the target's network. In the image below you can notice the endless TCP packets sent to the target's network with TCP flags such as SYN/RST/ACK. This is considered a volume based DoS attack, which floods the target network with an endless stream of packets so that it becomes unusable for other legitimate users.


Return to your target machine, where you will notice that Snort is capturing all incoming traffic exactly as above and generating alerts for "TCP Flood". Hence you can block the attacker's IP (192.168.1.11) to protect your network by discarding all further packets coming toward it on port 80.


GoldenEye
GoldenEye is a command line tool used for security testing; we used it only for this tutorial. Don't use it against public systems, as that is considered a crime and is illegal. Execute the command below in your Kali Linux to download it from GitHub.

git clone https://github.com/jseidl/GoldenEye.git


Now give the Python script execute permission and run the command below to launch the DoS attack on the target network. Basically GoldenEye is used for HTTP DoS testing, to test the network security of any web server.
./goldeneye.py http://192.168.1.10


Using Wireshark you can observe the flow of traffic between the victim and attacker networks. If you look at the image below you will find that first the attacker (192.168.1.103) sends a TCP SYN packet to establish a connection with the victim's network, then the attacker sends HTTP packets to the victim's network.


Here you will observe that Snort is generating alerts for "TCP Flood", since port 80 uses the TCP protocol and therefore Snort captured the traffic generated by GoldenEye. Hence you can block the attacker's IP (192.168.1.103) to protect your network by discarding all further packets coming toward it on port 80.


Slowloris
Slowloris is a command line tool used for security testing; we used it only for this tutorial. Don't use it against public systems, as that is considered a crime and is illegal. Execute the command below in your Kali Linux to download it from GitHub.

git clone https://github.com/llaera/slowloris.pl.git


perl slowloris.pl -dns 192.168.1.10


Using Wireshark you can observe the flow of traffic between the victim and attacker networks. If you look at the image below you will find that first the attacker (192.168.1.103) sends a TCP SYN packet to establish a connection with the victim's network, then the victim sends a SYN,ACK packet back to the attacker's network, the attacker sends an ACK packet, and this keeps looping.


Return to your target machine, where you will notice that Snort is capturing all incoming traffic exactly as above and generating alerts for "TCP Flood". Hence you can block the attacker's IP (192.168.1.11) to protect your network by discarding all further packets coming toward it on port 80.


Xerxes is a command line tool used for security testing; we used it only for this tutorial. Don't use it against public systems, as that is considered a crime and is illegal. Execute the command below in your Kali Linux to download it from GitHub.

git clone https://github.com/zanyarjamal/xerxes.git


Since it is written in the C language we need to compile it using gcc as shown in the command below, and then run the binary to launch the DoS attack.
gcc xerxes.c -o xerxes
./xerxes 192.168.1.10 80


You can clearly observe the TCP packets being sent from the attacker's network to the target's network. In the image below you can notice the endless TCP packets sent to the target's network with TCP flags such as SYN/ACK/PSH. These packets are sent in a loop between the attacker and target networks.


Return to your target machine, where you will notice that Snort is capturing all incoming traffic exactly as above and generating alerts for "TCP Flood". Hence you can block the attacker's IP (192.168.1.11) to protect your network by discarding all further packets coming toward it on port 80.
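The local.rules entries used throughout this section alert on every single TCP or UDP packet to 192.168.1.10, so a normal visitor fires them too. As an added example, not Snort's or the tutorial's code, the detector below runs over a constructed packet log and alerts only when one source exceeds a packet count within a sliding time window, which is the behaviour a Snort rule gains from `detection_filter: track by_src, count N, seconds M;`. Source addresses are the attacker and target IPs from this tutorial; 192.168.1.50 and 192.168.1.20 are constructed.

```python
"""Rate-based flood detection over a constructed packet log, mirroring what
Snort's 'detection_filter: track by_src, count N, seconds M' adds to a plain
'alert tcp any any -> 192.168.1.10 any' rule. Added example, not Snort's or the
tutorial's code; every packet record below is constructed."""
from collections import defaultdict, deque

TARGET = "192.168.1.10"

# Constructed records: (time_s, src_ip, dst_ip, proto, dst_port, tcp_flags)
SAMPLE_PACKETS = (
    [(i * 0.002, "192.168.1.16", TARGET, "tcp", 80, "S") for i in range(600)]          # LOIC-style burst
    + [(i * 0.5, "192.168.1.50", TARGET, "tcp", 80, "S") for i in range(4)]            # ordinary client
    + [(0.3 + i * 0.001, "192.168.1.11", TARGET, "udp", 53, "") for i in range(300)]   # UDP flood
    + [(i * 0.002, "192.168.1.16", "192.168.1.20", "tcp", 80, "S") for i in range(200)]  # another host
)

def flood_alerts(records, target=TARGET, count=100, seconds=1.0):
    """One alert per (src, proto) the first time it sends `count` or more
    packets to `target` inside any `seconds`-long sliding window."""
    windows = defaultdict(deque)   # (src, proto) -> timestamps still inside the window
    fired, alerts = set(), []
    for ts, src, dst, proto, dport, flags in sorted(records):
        if dst != target:
            continue
        key = (src, proto)
        q = windows[key]
        q.append(ts)
        while ts - q[0] > seconds:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= count and key not in fired:
            fired.add(key)
            alerts.append({"msg": f"{proto.upper()} Flood", "src": src, "dport": dport,
                           "flags": flags, "window_start": q[0], "at": ts})
    return alerts

def sources_to_block(alerts):
    """The firewall action the tutorial takes after each alert: the set of source IPs."""
    return sorted({a["src"] for a in alerts})
```

Pick `count` and `seconds` from the normal packet rate of the protected host, since a threshold set too low reproduces the per-packet noise of the original rules.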

In this tutorial we have used the top 5 most powerful tools for DoS attacks.