Jump to content

Search the Community

Showing results for tags 'packets'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 3 results

  1. Packet crafting is the art of creating a packet according to various requirements to carry out attacks and to exploit vulnerabilities in a network. It’s mainly used to penetrate into a network’s structure. There are various vulnerability assessment tools used to craft such packets. As a coin has two sides, these tools could be used by hackers to find the vulnerabilities of a targeted system. Crafting is technically advanced and a complex type of vulnerability exploitation, and it’s difficult to detect and diagnose. Steps Involved in Packet Crafting The idea behind crafting is to try to simulate an attack and to identify the properties of a network. They are commonly used to invade firewalls and intrusion detection software. The following are the steps involved in packet crafting: Packet Assembly: This is the first step involved in packet crafting. In this process, the attacker selects the network to be cracked, collects the possible vulnerability information and creates the packet. The packet should be designed in such a way that it should be invisible while passing through a network. For example, for a packet to be invisible, the source address could be spoofed before sending it to a network. Packet Editing: In this step, the packets are tested before sending. The packets are edited in such a way that maximum information could be retrieved by injecting a minimum number of packets. Packet Playing: When the packets are ready, packet playing sends them to the targeted machine and collects the resultant packets for further analysis. If the required information is not obtained, the attacker again moves to the editing phase to modify the packet to obtain the required result. Packet Analysis: The sent packets are received by the attacker and they are analyzed to extract the information. Various sniffing tools like Wireshark, tcpdump, dsniff, etc. are used for this purpose. This step gives a route to the targeted system, or at least gives attackers enough data to tune up the attack. Tools For Packet Crafting: Hping, Nemesis, Netcat, Scapy, Socat Let’s carry out a test to understand the creation and working of a crafted packet and its effect on a firewall. Test Requirements Two Machines (One with Hping and Other with Snort installed). Working connection between two machines. Hping This is a utility that helps us to assemble and send ICMP, UDP or TCP packets and then display the results. It’s similar to the ping command, but it offers far more options to customize the packet to be sent. This helps to map the firewall set rules of a targeted system. Snort Sort is a free network intrusion detection and prevention software. It helps us to carry out real time traffic analysis packet logging, protocol analysis, content searching, etc. on a network. Testing Figure 1: Packet Crafting test setup Now we are going to check how a packet can be crafted from a system using Hping, and how it can be customized to be invisible in a network. We are using Snort as the IDS in the target machine. This could prove that packet crafting is a serious issue that should be studied to prevent attacks. Firstly install Hping on the source machine. It’s a command line multi-platform software. We are using two Linux machines for the test. The installation package could be downloaded from various websites. The next step is to install the intrusion detection software at the destination end. Download the latest version Snort with Winpcap and install it on the machine. Winpcap is a driver that helps in collecting packets. After setting up two machines, establish a connection between the two machines to transfer the packets. Check the connection before sending the packets. These are the steps to setup the test environment. Now we have to craft the packet using Hping. In Hping there are various arguments to modify the packet to be sent according to the requirement. These could be obtained from the manual page of Hping. Before sending the packet, determine the address of the target machine. Here it is 192.168.0.10. Now write the command for packet creation. Hping is a command line software. For creating the packets, the commands should be given in a perfect way so that the packet penetrates into the targeted system without being detected. An example is given below: hping 192.168.0.10 –udp –spoof 192.168.1.150 The packets are sent to the UDP port of machine 192.168.0.10 with a spoofed source IP of 192.168.1.150. Figure 2: Spoofing to UDP port. Figure 3: Spoofed address on target system hiding original address Packet crafting could be used to carry out DOS attacks to a targeted machine. This could be done by flooding packets to a predetermined port. The number of packets reaching the port is beyond the managing capacity of that port. This results in the failure of the system and finally becomes non-responsive to any request made to that particular system. Port Scanning Before sending a packet to the system Hping could be used to carry out a port scan. This helps the attacker to get the information on available open ports to carry out attack easily. The weakest port is selected to gain access to the system. hping3 -S 192.168.0.10 -p 80 -c 2 This command scans port number 80 of machine with IP 192.168.0.10. There are even commands to scan the complete ports in a machine. This will give the attacker the complete status of the ports in a system. hping 192.168.0.10 –S -p 22 –rand-source –flood This command floods the port number 22 of the mentioned machine. As the flooding starts, the machine becomes non responsive. When the flooding is stopped, the machine comes back to its normal state. Figure 4: Command for flooding a machine Figure 5: Result displayed by Snort after flooding. We can see from the above image that a large number of packets have been dumped to the targeted machine within a small amount of time. The IDS software does not detect the packets while the flooding is in process. But as soon as the flooding is stopped, Snort displays only the number of packets received. The traffic created by flooding the packets cannot be handled by the system and becomes non-responsive. No Signatures are generated during the process. DNS and ICMP Packet Crafting Domain Name System is the system responsible for resolving domain names. DNS uses ports 53 UDP for normal operations and can enlist port 53 TCP for zone transfers and other oversized replies. Once the address is entered into the URL, the browser will try to resolve the IP. If the address is not known, then a DNS request will be sent to the DNS server configured on the client. We could craft such a packet using Hping so that the firewall does not block the packet. hping -2 –p 53 -E data.dns -d 31 192.168.0.10 Here the packet is sent to the port number 53 of the target (192.168.0.10), with the packet containing a file called “data.dns”. The packet size has also been specified as 31. Figure 6: Sending a file to target’s DNS port When sending a data file through Hping, the IDS used in the target’s machine does not detect the presence of the attached file. It only displays the total number of packets transmitted and received. Even tough it shows unreachable, the packets are received at the target location. Hping can also be used to send ICMP (Internet Control Message Protocol) packets. ICMP packets are usually used to troubleshoot networks and for gathering basic information. These packets could be used to check whether a host is alive or not. In most of the firewalls, packets like ICMP and DNS request have the ability to pass by. These crafted ICMP packets helps us to pass through the firewall. At the senders end, we have to specify the type of packet, destination and other details for proper communication. hping 192.168.0.11 –d 100 –icmp –file /data.dns Here the file “data.dns” is sent to the target 192.168.0.11 using an ICMP packet. Figure 7: File sent using ICMP packet Using such crafted packets, a traffic firewall could be breached. From the above test, we can agree to the fact that packet crafting is a serious issue that should be taken care of. References Snort: 5 Steps to Install and Configure Snort on Linux LINUX HELP ALL: INSTALLING AND CONFIGURING SNORT ON REDHAT/CENTOS v5.5 Cyber Attacks Explained: Packet Crafting - Open Source For You Article : Cyber Security Packet crafting : Ethical Hacking Penetration Test Pune,India - Valency Networks Tools for creating TCP/IP packets | Linux Blog http://www.securitybistro.com/?p=8881 Source
  2. The Packet Let's look at the packet. That's the thing that makes the internet work, lots of data goes on those, anywhere from 20bytes to 65335 bytes. However, in practice packets are usually around 600 bytes in size. That data stores a lot of info; some is redundant, some is needed, and some is 0'd out. There's a header, a body, extra space, and then error check and footer. It's actually kind of easy to end up with a couple screwed up bits in a packet (obviously not every packet is screwed up, but its not 1 out of every million either). Changing a little bit of the Packet What packet steganography is about is changing a couple of bits over a couple of packets. Similar to image steganography, it's almost impossible to detect (in small quantities) (assuming feds are downloading all the data) as packets are not known to all be made equally. I'm going to quickly give an example. Game A wants to send packet [00010101010001000010101010...000010101011000101...] to Game Server 3. However, you can copy that packet and then resend a slightly modified one, which will look like: [00010101010001000010101010...111110101001001000...] Since a massive amount of data is constantly being sent back and forth from the server to you, the packets can be modified a decent amount so information is carried, but one doesn't have to break the checksum by modifying too many bytes. Multiply 40 bits over a couple thousand packets, and a decent amount of data can be sent covertly from you to the server. What's the best part of this? If you hack servers that get a lot of traffic, it's almost impossible to tell who sent what modded packets to the server even if all of the data is logged because every single packet appears to be legitimate. While there is a decent amount of modded data transferred you can't just go and start downloading ripped movies with this. The point of packet steganography isn't to anonymize your downloads, but to send little messages over networks that won't be found by normal means. Obviously, if person A tries to send messages to person B, A won't send them directly. Instead, he could keep them in an encrypted part of a server. When person B wants to see the message, he unlocks the message by passing the correct key. Psuedocode example using MS Maplestory packets are nice, because they used to be pretty obvious as to what was going on. After the packet header the data of A)what action you were doing and (if a message) what the message was. The message was in plaintext hexidecimal format. Using the code below, we are going to edit a little character of every single message. To anyone looking at the packet it still appears to be a normal message, just with a small typing error. However, to the server and to you, the message really is no longer a message anymore. It's a specific set of instructions. The first couple of whispers to some random person validates to the server that you are the IP to grab the packets from. The final whisper (or packet) the server sees is a specific command to the server. It could be wipe the program on it, it could be tell these servers to do x, y, and z, or it could just be telling the server that there is going to be a new pattern to look out for, and at what certain time. Code for your side: public Whatever{ //obviously it depends for whatever server you hacked into, and what app communicates with the server, but for now lets pretend we hacked into a maplestory server //cool thing about MS is that the packets are pretty easy to understand //yes I realize I am turning Java into a scripting language below, but w/e public void initContact{ for(int i=0; i<10; i++){ String x=scan.grabPacket(); x=x.substring(0,12)+Integer.toHexString(i)+Integer.toHexString(i)+x.substri?ng(14,x.length()); XClass.sendPacket(x); //totally possible if string x winds up being a valid packet, which it is since it's just hex //obviously you have to make a sendPacket method if(scan.nextPacket.equals(neededPacket) XClass.sendPacket(endPacket(Action, Type, IP, Add_Instruct) else System.out.println("Connection was unable to be made"); } } public String endPacket(String x1, String x2, String x3, String x4){ return grabHeader() + " 3A BB 0C FF 2D "+mod(x1)+" "+mod(x2)+" 3C "+mod(x3)+" 85 26 "+mod(x4)+grabFooter(); } } Code for the server(the server is not constantly loading all packets, it only works for a specific amount of time): import everything2.etc //you have to watch out the data storage for this one class ServerInner{ public void acceptEverything() { //kills program in 2 minutes long num = 2 * 60 * 1000; //min*sec*milli Timer t = new Timer(); t.schedule( new TimerTask(){public void run(){} }, num); // no this isn't a legit method, you'd want to use outside resources for this part //but at least the method dies in the two minute timeframe XClass.storeAllPackets(); } public void sortThrough(PacketList P, Method a){ int x=p.length() for(int i=0; i<p.length(); i++){ if(!a.follows(p.get(i))){ p.rem(i); i--; } } //after that method runs, the only packets left should be from you //obviously it is theoretically possible someone else did the exact same as you, so you'd then check them for(int i=0; i<p.length(); i++){ if(!a.check(p.get(i))){ p.rem(i); i--; } } //now all that's left is the correct one } public void finishUP(){ if(p.length()>0){ //translates the info packet from the correct IP if an ip was gathered translate(XClass.nextPacketFrom(p.get1IP()), a); //runs whatever it got run(); } //wipes all data that was stored, logs in database StartClass.wipe(); } } Rough Example in Real Life Application Packet steganography can also be used for sending out instructions to a botnet since you don't really need to send that much information to tell x to DDOS y, now do you? Here's a rough guide of how you'd accomplish communicate through your bots to start a DDOS attack w/ packet steganoraphy, from the setting up the server to the attacking the kid who beat you in MW3 1) Find a good server that has a decent amount of traffic, but nothing too sketchy. 2) Get root access on this server. 3) Download wireshark if you don't already have it. 4a)Write your program to test the wireshark logs to find a pattern in packet anomalies (you figure this one out on your own ). 4b)Write the program that can send out edited packets from your machine. 5) Set up another program that connects the wireshark program with your botnet server. 6) Set up a last program that wipes your traces of you fucking off with the server. 7) Run 6 and leave the shell you set up if you want (I suggest keeping some part of it intact though, depends on what you want to do). 8) Set up a couple more of these steno servers. 9) Realize that you can now send instructions easily but make it look like its a normal connection. Want to ddos server agh554? Connect with one of those servers and send the right kind of packets for a little while. Next thing you know your DDOS servers will be connecting with each other to get the details down and start the attack at the time specified. Because of the way the information is transferred from you to the server it'll be hard to trace the botnet back to you and then convict you as the one who pulled the strings behind a DDOS of a n00b MW3 player. I know that a couple people already do this, but now you know how too. Ending Thoughts (Read it though) So why the hell does this matter? A) all the data will look legitimate you can send it from different sources and it doesn't really matter as long as the packets are getting screwed correctly C) You think it's easy to look through every single packet sent to a server that gets a lot of traffic for the past 4ish months and then find the packets that link with the pattern? D) can be used for stuff other than botnets i) You can send encryption keys through this and then wipe the programs you installed. ii) anonymous communcation E) MITM attacks don't matter unless the MITM got your src(look at number 4) Problems with this? 1) Server gets taken by the feds. They won't be too happy about this 2) A wingding manages to replicate the correct stream, and then gives out commands for your server. This is something you'll just have to accept. Anonymity is what we are going for, too many traces = too many chances of someone finding a link 3) No well known VPNs allow packet modification at the moment. 4) if the feds got your SRC since you and 800 other skids are using the same program, and they catch you are modding packets, you're kinda screwed if they catch you redhanded 5) "I don't get it" Solutions to the problems 1) If modded packets are the only connections between your bots and your servers, its a lot harder to trace since the server has a massive amount of people using it 2) Nothing really, make it so it can't easily be replicated 3) wait for it [breathing intensifies] 4) Don't be a skid 5) See above. Or, read the links at the bottom of the page, learn something interesting, and prove to me that there are users with brains here Credits: TF
  3. Author: Pavel Odintsov pavel.odintsov at gmail.com My Twitter License: GPLv2 FastNetMon - A high performance DoS/DDoS and netflowk load analyzer built on top of multiple packet capture engines (netmap, PF_RING, sFLOW, Netflow, PCAP). What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client. Why did we write this? Because we can't find any software for solving this problem in the open source world! Install manual for any Linux Install manual for FreeBSD Install manual for Mac OS X Install manual for Slackware Features: Can process incoming and outgoing traffic Can trigger block script if certain IP loads network with a large amount of packets per second Can trigger block script if certain IP loads network with a large amount of bytes per second Can trigger block script if certain IP loads network with a large amount of flows per second netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type) PF_RING ZC/DNA support (wire speed processing on tens of MPPS but needs license) Can process sFLOW v5 Can process NetFlow v5, v9, ipfix Can use PCAP for packet sniffing Can work on mirror/SPAN ports Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode Can work on server/soft-router Can detect DoS/DDoS in 1-2 seconds Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599 Complete plugin support Supported platforms: Linux (Debian 6/7, CentOS 6/7, Ubuntu 12+) FreeBSD 9, 10, 11 Mac OS X Yosemite What is "flow" in FastNetMon terms? It's one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol. Main program screen image: Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load: Example deployment scheme: Example of first notification: subject: Myflower Guard: IP xx.xx.xx.xx blocked because incoming attack with power 120613 pps body: IP: XX.XX.XX.XX Initial attack power: 98285 packets per second Peak attack power: 98285 packets per second Attack direction: outgoing Incoming traffic: 62 mbps Outgoing traffic: 65 mbps Incoming pps: 66628 packets per second Outgoing pps: 98285 packets per second Incoming flows: 16 Outgoing flows: 16 Incoming UDP xx.xx.xx.xx:33611 < 216.239.32.109:53 729021 bytes 5927 packets xx.xx.xx.xx:33611 < 216.239.34.109:53 231609 bytes 1883 packets xx.xx.xx.xx:33611 < 216.239.36.109:53 728652 bytes 5924 packets xx.xx.xx.xx:33611 < 216.239.38.109:53 414387 bytes 3369 packets xx.xx.xx.xx:38458 < 216.239.32.109:53 724347 bytes 5889 packets xx.xx.xx.xx:38458 < 216.239.34.109:53 222753 bytes 1811 packets xx.xx.xx.xx:38458 < 216.239.36.109:53 729267 bytes 5929 packets xx.xx.xx.xx:38458 < 216.239.38.109:53 383514 bytes 3118 packets xx.xx.xx.xx:42279 < 216.239.32.109:53 687201 bytes 5587 packets xx.xx.xx.xx:42279 < 216.239.34.109:53 248091 bytes 2017 packets xx.xx.xx.xx:42279 < 216.239.36.109:53 737508 bytes 5996 packets xx.xx.xx.xx:42279 < 216.239.38.109:53 321276 bytes 2612 packets xx.xx.xx.xx:51469 < 216.239.32.109:53 735663 bytes 5981 packets xx.xx.xx.xx:51469 < 216.239.34.109:53 237267 bytes 1929 packets xx.xx.xx.xx:51469 < 216.239.36.109:53 735663 bytes 5981 packets xx.xx.xx.xx:51469 < 216.239.38.109:53 318570 bytes 2590 packets Outgoing UDP xx.xx.xx.xx:33611 > 216.239.32.109:53 531309 bytes 6107 packets xx.xx.xx.xx:33611 > 216.239.34.109:53 531222 bytes 6106 packets xx.xx.xx.xx:33611 > 216.239.36.109:53 531222 bytes 6106 packets xx.xx.xx.xx:33611 > 216.239.38.109:53 531222 bytes 6106 packets xx.xx.xx.xx:38458 > 216.239.32.109:53 527220 bytes 6060 packets xx.xx.xx.xx:38458 > 216.239.34.109:53 527133 bytes 6059 packets xx.xx.xx.xx:38458 > 216.239.36.109:53 527133 bytes 6059 packets xx.xx.xx.xx:38458 > 216.239.38.109:53 527220 bytes 6060 packets xx.xx.xx.xx:42279 > 216.239.32.109:53 539052 bytes 6196 packets xx.xx.xx.xx:42279 > 216.239.34.109:53 539052 bytes 6196 packets xx.xx.xx.xx:42279 > 216.239.36.109:53 539139 bytes 6197 packets xx.xx.xx.xx:42279 > 216.239.38.109:53 539139 bytes 6197 packets xx.xx.xx.xx:51469 > 216.239.32.109:53 532701 bytes 6123 packets xx.xx.xx.xx:51469 > 216.239.34.109:53 532701 bytes 6123 packets xx.xx.xx.xx:51469 > 216.239.36.109:53 532701 bytes 6123 packets xx.xx.xx.xx:51469 > 216.239.38.109:53 532788 bytes 6124 packets Example of second notification: subject: Myflower Guard: IP xx.xx.xx.xx blocked because incoming attack with power 120613 pps body: IP: xx.zz.xx.1 2014-11-21 08:01:11.419798 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419799 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419816 xx.xx.xx.xx:51469 > 216.239.36.109:53 protocol: udp flags: size: 87 bytes 2014-11-21 08:01:11.419837 216.239.38.109:53 > xx.xx.xx.xx:33611 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419838 216.239.34.109:53 > xx.xx.xx.xx:33611 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419859 216.239.38.109:53 > xx.xx.xx.xx:42279 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419877 xx.xx.xx.xx:51469 > 216.239.38.109:53 protocol: udp flags: size: 87 bytes 2014-11-21 08:01:11.419884 216.239.38.109:53 > xx.xx.xx.xx:33611 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419891 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419906 216.239.38.109:53 > xx.xx.xx.xx:33611 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419907 216.239.38.109:53 > xx.xx.xx.xx:42279 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419908 216.239.38.109:53 > xx.xx.xx.xx:42279 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419916 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419917 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419929 216.239.38.109:53 > xx.xx.xx.xx:33611 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419961 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419962 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419963 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes 2014-11-21 08:01:11.419963 216.239.32.109:53 > xx.xx.xx.xx:38458 protocol: udp flags: size: 123 bytes To enable sFLOW simply specify IP of server with installed FastNetMon and specify port 6343. To enable netflow simply specify IP of server with installed FastNetMon and specify port 2055. How I can help project? Test it! Share your experience Share your improvements Test it with different equipment Create feature requests Link: https://github.com/FastVPSEestiOu/fastnetmon
×
×
  • Create New...