Packet Generators

From Network Security Wiki

Ostinato

Installation:

 
 sudo sh -c 'echo deb http://widehat.opensuse.org/repositories/home:/pstavirs:/ostinato/xUbuntu_12.04/ ./ > /etc/apt/sources.list.d/obs-ostinato.sources.list'
 wget http://download.opensuse.org/repositories/home:/pstavirs:/ostinato/xUbuntu_12.04/Release.key -O- | sudo apt-key add -
 sudo apt-get update
 sudo apt-get install ostinato
Quickstart Guide
  • Workspace is divided into 3 main sections - the ports list, streams list and statistics window.
  • You should see a port group entry for "127.0.0.1" in the ports list with a "green" (connected) status
  • Expand the port group and you should see all the ports on your local system (if no ports are listed, restart Ostinato with admin/root privileges; the drone needs them to open the interfaces)
  • Select a port in the ports list
  • In the Stream List pane, right click and create a new stream
  • Select the newly created stream and right click to edit it (or double-click on the stream icon to edit)
  • In the Stream Configuration Dialog that opens, select the protocols, fill in the protocol fields, and configure the number of packets, burst parameters and rates.
  • Click the "Apply" Button in the Stream List pane (IMPORTANT)
  • In the Statistics window, select the same port (select the whole column by clicking on the port heading) for which you configured the stream (IMPORTANT)
  • Click the "Start Transmit" button.

HPing2

   This section is under construction.

Scapy

Source: secdev.org

  • Installation:
sudo apt-get install tcpdump graphviz imagemagick python-gnuplot python-crypto python-pyx
sudo apt-get install python-scapy
These are the Python 2-era Ubuntu package names; on a current system install the Python 3 build instead (sudo apt-get install python3-scapy, or pip install scapy).
  • Plotting:
>>> p=sniff(count=50)
>>> p.plot(lambda x:len(x))
  • 2D graphics:
>>> p=IP()/ICMP()
>>> p.pdfdump("test.pdf")
  • Graphs
>>> p=rdpcap("myfile.pcap")
>>> p.conversations(type="jpg", target="> test.jpg")
  • 3D graphics
>>> a,u=traceroute(["www.python.org", "google.com","slashdot.org"])
>>> a.trace3D()
  • WEP decryption
Download: http://weplab.sourceforge.net/caps/weplab-64bit-AA-managed.pcap
>>> enc=rdpcap("weplab-64bit-AA-managed.pcap")
>>> enc.show()
>>> enc[0]
>>> conf.wepkey="AA\x00\x00\x00"
>>> dec=Dot11PacketList(enc).toEthernet()
>>> dec.show()
>>> dec[0]
  • Plot
>>> r2,unans=traceroute(["www.voila.com"],maxttl=20)
>>> r2.graph()
>>> res,unans = traceroute(["www.microsoft.com","www.cisco.com","www.yahoo.com","www.wanadoo.fr","www.pacsec.com"],dport=[80,443],maxttl=20,retry=-2)
>>> res.graph()

Simple Examples

  • Crafting ICMP Packet:
>>> i = IP() 
>>> i.dst="192.168.1.1" 
>>> i.display() 
>>> ic = ICMP() 
>>> ic.display() 

>>> sr1(i/ic)
>>> sr1(i/ic/"aman.info.tm")
  • Crafting ARP Packet:

Be careful with this example: it may cause LAN issues for some time. The request carries a bogus sender (1.1.1.1 at 11:11:11:11:11:11), and the target 192.168.1.10 will store that mapping in its ARP cache.
You need to clear the ARP cache on the device/router 192.168.1.10 or wait for the entry to time out.

>>> a = ARP() 
>>> a.pdst="192.168.1.10" 
>>> a.hwsrc="11:11:11:11:11:11" 
>>> a.psrc="1.1.1.1" 
>>> a.hwdst="ff:ff:ff:ff:ff:ff" 
>>> a.display() 

>>> send(a)
Then check the ARP cache on the target host:
arp -a

Complex Examples

  • Each packet can be built from its fields or dissected from raw bytes (Python 2 output shown; on Python 3 use raw(IP()) or bytes(IP()) instead of str(IP())):
>>> str(IP())
'E\x00\x00\x14\x00\x01\x00\x00@\x00|\xe7\x7f\x00\x00\x01\x7f\x00\x00\x01'
>>> IP(_)
<IP version=4L ihl=5L tos=0x0 len=20 id=1 flags= frag=0L ttl=64 proto=IP
 chksum=0x7ce7 src=127.0.0.1 dst=127.0.0.1 |>
>>> a=Ether()/IP(dst="www.slashdot.org")/TCP()/"GET /index.html HTTP/1.0 \n\n"
>>> hexdump(a)
00 02 15 37 A2 44 00 AE F3 52 AA D1 08 00 45 00  ...7.D...R....E.
00 43 00 01 00 00 40 06 78 3C C0 A8 05 15 42 23  .C....@.x<....B#
FA 97 00 14 00 50 00 00 00 00 00 00 00 00 50 02  .....P........P.
20 00 BB 39 00 00 47 45 54 20 2F 69 6E 64 65 78   ..9..GET /index
2E 68 74 6D 6C 20 48 54 54 50 2F 31 2E 30 20 0A  .html HTTP/1.0 .
0A                                               .
>>> b=str(a)
>>> b
'\x00\x02\x157\xa2D\x00\xae\xf3R\xaa\xd1\x08\x00E\x00\x00C\x00\x01\x00\x00@\x06x<\xc0
 \xa8\x05\x15B#\xfa\x97\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x00
 \xbb9\x00\x00GET /index.html HTTP/1.0 \n\n'
>>> c=Ether(b)
>>> c
<Ether dst=00:02:15:37:a2:44 src=00:ae:f3:52:aa:d1 type=0x800 |<IP version=4L
 ihl=5L tos=0x0 len=67 id=1 flags= frag=0L ttl=64 proto=TCP chksum=0x783c
 src=192.168.5.21 dst=66.35.250.151  |<TCP sport=20 dport=80 seq=0L
 ack=0L dataofs=5L reserved=0L flags=S window=8192 chksum=0xbb39 urgptr=0
 options=[] |<Raw load='GET /index.html HTTP/1.0 \n\n' |>>>>
  • Sets of packets:
>>> a=IP(dst="www.slashdot.org/30")
>>> [p for p in a]
>>> b=IP(ttl=[1,2,(5,9)])
>>> [p for p in b]
>>> c=TCP(dport=[80,443])
>>> [p for p in a/c]
<IP  frag=0 proto=tcp dst=216.34.181.48 |<TCP  dport=http |>>, 
<IP  frag=0 proto=tcp dst=216.34.181.48 |<TCP  dport=https |>>, 
<IP  frag=0 proto=tcp dst=216.34.181.49 |<TCP  dport=http |>>, 
<IP  frag=0 proto=tcp dst=216.34.181.49 |<TCP  dport=https |>>, 
<IP  frag=0 proto=tcp dst=216.34.181.50 |<TCP  dport=http |>>, 
<IP  frag=0 proto=tcp dst=216.34.181.50 |<TCP  dport=https |>>, 
<IP  frag=0 proto=tcp dst=216.34.181.51 |<TCP  dport=http |>>, 
<IP  frag=0 proto=tcp dst=216.34.181.51 |<TCP  dport=https |>>
  • The send() function will send packets at layer 3. That is to say it will handle routing and layer 2 for you.
  • The sendp() function will work at layer 2. It's up to you to choose the right interface and the right link layer protocol.
  • Send Packets:
send(IP(dst="1.2.3.4")/ICMP())
sendp(Ether()/IP(dst="1.2.3.4",ttl=(1,4)), iface="eth1")
sendp("I'm travelling on Ethernet", iface="eth1", loop=1, inter=0.2)
sendp(rdpcap("/tmp/pcapfile")) # tcpreplay


  • The sr() function sends packets and receives their answers.
  • It returns a couple: a list of (packet, answer) pairs and a list of the unanswered packets.
  • The function sr1() is a variant that returns only the first packet that answered the packet (or the packet set) sent.
  • The packets must be layer 3 packets (IP, ARP, etc.)
  • The function srp() does the same for layer 2 packets (Ethernet, 802.3, etc.)
>>> p=sr1(IP(dst="www.slashdot.org")/ICMP()/"XXXXXXXXXXX")
Begin emission:
...Finished to send 1 packets.
.*
Received 5 packets, got 1 answers, remaining 0 packets
>>> p
<IP version=4L ihl=5L tos=0x0 len=39 id=15489 flags= frag=0L ttl=42 proto=ICMP
 chksum=0x51dd src=66.35.250.151 dst=192.168.5.21  |<ICMP type=echo-reply
 code=0 chksum=0xee45 id=0x0 seq=0x0 |<Raw load='XXXXXXXXXXX'
 |<Padding load='\x00\x00\x00\x00' |>>>>
>>> p.show()
---[ IP ]---
version   = 4L
ihl       = 5L
tos       = 0x0
len       = 39
id        = 15489
flags     = 
frag      = 0L
ttl       = 42
proto     = ICMP
chksum    = 0x51dd
src       = 66.35.250.151
dst       = 192.168.5.21
options   = 
---[ ICMP ]---
   type      = echo-reply
   code      = 0
   chksum    = 0xee45
   id        = 0x0
   seq       = 0x0
---[ Raw ]---
     load      = 'XXXXXXXXXXX'
---[ Padding ]---
        load      = '\x00\x00\x00\x00'


  • DNS query (rd = recursion desired):
>>> sr1(IP(dst="192.168.5.1")/UDP()/DNS(rd=1,qd=DNSQR(qname="www.slashdot.org")))


  • A TCP traceroute (target is the host under test; www.slashdot.org is the host used elsewhere on this page):
>>> target="www.slashdot.org"
>>> ans,unans=sr(IP(dst=target, ttl=(4,25),id=RandShort())/TCP(flags=0x2))
  • Packet Captures:
>>> sniff(filter="icmp and host 66.35.250.151", count=2)
>>> a=_
>>> a.nsummary()
>>> sniff(iface="wifi0", prn=lambda x: x.summary()) 
>>> sniff(iface="eth1", prn=lambda x: x.show())


  • FTP:
dst, dport, sport = "ftp.free.fr", 21, int(RandShort())
p0 = IP(dst=dst)/TCP(sport=sport, dport=dport, flags="S")
p1 = sr1(p0)
p2 = IP(dst=dst)/TCP(sport=sport, dport=dport, seq=p1.ack, ack=p1.seq+1, flags="A")
p3 = sr1(p2)
  • Sniffing the exchange in parallel (captured here into s) gives:
>>> s.summary()
Ether / IP / TCP 91.121.51.205:44857 > 212.27.60.27:ftp S
Ether / IP / TCP 212.27.60.27:ftp > 91.121.51.205:44857 SA
Ether / IP / TCP 91.121.51.205:44857 > 212.27.60.27:ftp A
Ether / IP / TCP 212.27.60.27:ftp > 91.121.51.205:44857 PA / Raw
>>> s[3][Raw]
<Raw  load='220 Welcome to ProXad FTP server\r\n' |>
The same handshake with TCP options, watched from a second terminal. The ACK must reuse the same source port as the SYN, otherwise the server cannot match it to the half-open connection:
sudo tcpdump port 21 or port 20
>>> sport=int(RandShort())
>>> ans=sr1(IP(dst="10.100.10.22")/TCP(sport=sport, dport=21, flags="S", options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (5693231, 0)), ('NOP', None), ('WScale', 6)]))
>>> sseq=ans.seq
>>> sack=ans.ack
>>> ans=sr1(IP(dst="10.100.10.22")/TCP(sport=sport, dport=21, seq=sack, ack=sseq+1, flags="A", options=[('NOP', None), ('NOP', None), ('Timestamp', (981592, 525503134))]))
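A stdlib-only version of what Scapy does in two of the passages above, the "each packet can be built or dissected" Ether/IP/TCP example under Complex Examples and the FTP three-way handshake: this is an added example written for this page, not Scapy's own code, and it runs without Scapy or root. It reproduces the checksums Scapy printed above (0x7ce7 for the loopback IP() header, 0xee45 for the echo-reply carrying 'XXXXXXXXXXX', 0x783c and 0xbb39 in the hexdumped GET frame), dissects that frame back into fields, and derives the third handshake packet from a SYN-ACK. The SYN-ACK is constructed here (addresses and ports borrowed from the sniff summary above, sequence numbers made up) and is not from the page.

```python
"""Hand-rolled IPv4/ICMP/TCP builder and dissector (stdlib only, no Scapy).

Added example for this page.  PAGE_FRAME is the frame Scapy hexdumped above;
the SYN-ACK used in __main__ is constructed here and not taken from the page.
"""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4, ICMP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad the last word
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload=b"", ident=1, ttl=64):
    """20-byte IPv4 header without options; same defaults as Scapy's IP()."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp(icmp_type, code=0, ident=0, seq=0, payload=b""):
    """ICMP echo request (8) or reply (0); checksum covers header and payload."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[4:] + payload


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=8192, payload=b""):
    """20-byte TCP header; the checksum also covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, 6, len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def dissect_ip_tcp(pkt: bytes) -> dict:
    """Parse IPv4/TCP and verify both checksums (a valid header sums to 0)."""
    ver_ihl, _, tlen, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:tlen]
    sport, dport, seq, ack, off, flags, window, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "id": ident,
            "ip_ok": inet_checksum(pkt[:ihl]) == 0, "tcp_ok": inet_checksum(pseudo + tcp) == 0,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "payload": tcp[(off >> 4) * 4:]}


def dissect_ether(frame: bytes) -> dict:
    """Ether(b) as on the page: MAC addresses, ethertype, then the IP/TCP part."""
    def mac(b):
        return ":".join("%02x" % x for x in b)
    d = {"dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
         "type": struct.unpack("!H", frame[12:14])[0]}
    d.update(dissect_ip_tcp(frame[14:]))
    return d


def handshake_ack(synack: bytes) -> bytes:
    """Third handshake packet, derived like the page's FTP example:
    seq = their ack, ack = their seq + 1, addresses and ports swapped."""
    s = dissect_ip_tcp(synack)
    if not (s["ip_ok"] and s["tcp_ok"]) or (s["flags"] & 0x12) != 0x12:
        raise ValueError("not a valid SYN-ACK")
    tcp = build_tcp(s["dst"], s["src"], s["dport"], s["sport"],
                    seq=s["ack"], ack=s["seq"] + 1, flags=0x10)
    return build_ipv4(s["dst"], s["src"], 6, tcp)


# Bytes Scapy printed on this page: hexdump(a) of the slashdot GET frame.
PAGE_FRAME = bytes.fromhex(
    "00 02 15 37 A2 44 00 AE F3 52 AA D1 08 00 45 00"
    "00 43 00 01 00 00 40 06 78 3C C0 A8 05 15 42 23"
    "FA 97 00 14 00 50 00 00 00 00 00 00 00 00 50 02"
    "20 00 BB 39 00 00") + b"GET /index.html HTTP/1.0 \n\n"


def rebuild_page_frame() -> bytes:
    """Ether()/IP(dst=slashdot)/TCP()/GET built field by field; equals PAGE_FRAME."""
    tcp = build_tcp("192.168.5.21", "66.35.250.151", 20, 80, 0, 0, 0x02,
                    payload=b"GET /index.html HTTP/1.0 \n\n")
    ip = build_ipv4("192.168.5.21", "66.35.250.151", 6, tcp)
    return bytes.fromhex("000215 37a244 00aef3 52aad1") + struct.pack("!H", 0x0800) + ip


if __name__ == "__main__":
    assert rebuild_page_frame() == PAGE_FRAME
    print(dissect_ether(PAGE_FRAME))
    # Constructed SYN-ACK (not from the page): ftp server 21 -> client 44857.
    synack = build_ipv4("212.27.60.27", "91.121.51.205", 6,
                        build_tcp("212.27.60.27", "91.121.51.205", 21, 44857, 1000, 1, 0x12))
    print(dissect_ip_tcp(handshake_ack(synack)))
```

The dissector treats a checksum mismatch as data, not an exception, because that is what you want when replaying or fuzzing: a generator should be able to emit deliberately broken headers, and a sniffer should report them rather than drop them. Only handshake_ack refuses bad input, since answering a corrupt SYN-ACK would only desynchronise the connection.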

PackEth

   This section is under construction.


Misc

  • Generating 100 FTP requests

GNU parallel must be installed first:

sudo apt-get install parallel
seq 100 | parallel -j0 --joblog log curl ftp://test:test@10.107.88.93/log ">" {}.txt

-j0 starts all 100 jobs at once; the quoted ">" is passed through to the shell that runs each job, so download n lands in n.txt, and the joblog records the exit status of every curl.
