January 8, 2007

Packet Mangling

I’ve recently had the need to seriously mess with packets on the IP and TCP layer and went on the hunt for some good tools to do so. A quick search and some general knowledge led me to some of the most useful packeteers out there today - Tcpreplay, Bit-Twist, and of course Scapy. While I’m being a link whore, I should mention geek00l’s blog, which seems to have posts on quite a bit of packet mangling that have come in very useful. In any case, here are a few interesting examples of how I used these:

# Using a sniffed packet and modifying it to generate other traffic
# tcpreplay makes a lot of noise!
# rewrite TCP port 80 -> 443 (source and destination), then rewrite IP 192.168.0.1 -> 192.168.0.86
./bittwiste -I tcpdump_packets.pcap -O mod.pcap -T tcp -s 80:443 -d 80:443
./bittwiste -I mod.pcap -O mod2.pcap -T ip -s 192.168.0.1:192.168.0.86 -d 192.168.0.1:192.168.0.86
mv mod2.pcap mod.pcap
# -R: replay at top speed, -l 0: loop forever
tcpreplay -R -i eth0 -l 0 mod.pcap

Or scapy’s awesome ability to read in pcaps:

# Using scapy to fuzz sniffed traffic
from scapy.all import *
a=rdpcap("tcpdump_packets.pcap")
# fields given explicitly keep their value; fuzz() randomizes the rest (sport, seq, ack, ...)
z=IP(src="192.168.0.86",dst="1.2.3.4")/fuzz(TCP(dport=22,dataofs=5,reserved=0,flags="PA",window=65535,chksum=0x23,urgptr=0,options=[]))/Raw(load=a[0].load)
send(z,loop=1)

That was way too easy.  Fuzzing with scapy?  Look above…it’s got a FUZZ method?!  It couldn’t be easier.  I love the world we live in.
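The bittwiste step above quietly does the part that makes a rewritten capture usable: once you change an address or a port, the IPv4 header checksum and the TCP checksum (which covers a pseudo-header containing both addresses) no longer match, and a replayed segment with stale checksums is discarded by the receiving stack and flagged by any capture tool. The following is an added example, not code from this post or from Bit-Twist/Tcpreplay/Scapy, that performs the same old:new address and port rewrite over a classic little-endian pcap in pure Python and recomputes both checksums. It assumes Ethernet link-layer framing with IPv4/TCP inside; other frames pass through untouched. The sample capture (one constructed segment from 10.0.0.5 to 192.168.0.1:80) exists only to exercise the code.

```python
"""Rewrite IPv4 addresses / TCP ports inside a pcap and fix the checksums."""
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum is computed over a pseudo-header (src, dst, 0, proto, len) + segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame with valid checksums (sample input only)."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp   # zero MACs


def rewrite_frame(frame: bytes, ip_map: dict, port_map: dict) -> bytes:
    """Apply old->new address/port maps (the idea behind bittwiste -s/-d) and recompute checksums."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame                        # not IPv4: leave untouched
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != PROTO_TCP or len(frame) < 14 + total_len:
        return frame                        # not TCP, or truncated datagram
    ip_hdr = bytearray(frame[14:14 + ihl])
    tcp = bytearray(frame[14 + ihl:14 + total_len])
    trailer = frame[14 + total_len:]        # keep any link-layer padding

    def remap(raw: bytes) -> bytes:
        addr = str(IPv4Address(raw))
        return IPv4Address(ip_map.get(addr, addr)).packed

    ip_hdr[12:16] = remap(bytes(ip_hdr[12:16]))
    ip_hdr[16:20] = remap(bytes(ip_hdr[16:20]))
    sport, dport = struct.unpack("!HH", tcp[0:4])
    tcp[0:4] = struct.pack("!HH", port_map.get(sport, sport), port_map.get(dport, dport))

    # zero both checksum fields, then recompute over the rewritten headers
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20]), bytes(tcp)))
    return frame[:14] + bytes(ip_hdr) + bytes(tcp) + trailer


def read_pcap(data: bytes) -> list:
    """Parse a little-endian classic pcap into a list of link-layer frames."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def write_pcap(frames) -> bytes:
    """Serialise frames as a classic pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def rewrite_pcap(data: bytes, ip_map: dict, port_map: dict) -> bytes:
    return write_pcap(rewrite_frame(f, ip_map, port_map) for f in read_pcap(data))


def summarize(frame: bytes) -> tuple:
    """(src, dst, sport, dport, ip_checksum_ok, tcp_checksum_ok) for an IPv4/TCP frame."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip_hdr, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + total_len]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    return (str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport,
            ones_complement_sum(ip_hdr) == 0, tcp_checksum(src, dst, tcp) == 0)


# Constructed sample capture: one HTTP request 10.0.0.5:1234 -> 192.168.0.1:80
SAMPLE_PCAP = write_pcap([build_frame("10.0.0.5", "192.168.0.1", 1234, 80, b"GET / HTTP/1.0\r\n\r\n")])

if __name__ == "__main__":
    # same rewrite as the post's bittwiste runs: port 80 -> 443, host 192.168.0.1 -> 192.168.0.86
    out = rewrite_pcap(SAMPLE_PCAP, {"192.168.0.1": "192.168.0.86"}, {80: 443})
    print(summarize(read_pcap(out)[0]))
```

Both checksum verifications in summarize() come back True only because the checksum fields were zeroed before recomputation; skipping that step (or forgetting the pseudo-header for TCP) is the usual reason a hand-edited capture looks right in a hex dump but is silently dropped on replay.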

4 Comments so far

Stupid question, but what parameters are you fuzzing with Scapy in that example? Is the idea that you send whatever is in the PCAP file to various ports to test their response, or is it doing something SSH specific (judging by dport 22)? At first I thought you were fuzzing various IP packet attributes to test an IP stack (or are you?)

Scapy fuzzes whatever parameters you don’t specify. In the case above, I was mainly concerned with having different destination ports. If you do an ls(TCP) in Scapy, you’ll see all the different fields available.

So that example basically tested sending whatever was in the pcap file to the SSH port from different source ports while fuzzing some of the other TCP parameters. Another fun thing to do without using the previous pcap is to specify the following for the Raw load:
Raw(load=RandBin(500))
That will set the load to 500 bytes(?) of random binary data. Funfun.

Pretty cool, I’ve been meaning to play with Scapy, though my Python skills are non-existent. Have you fuzzed any Layer 7 protocols with it as a way of testing specific daemons/services? I am thinking along the lines of giving it a list of common verbs for a protocol and throwing it against various servers for that protocol (IIS vs Apache vs whatever.)

Can’t say that I have yet, but the RandBin functionality as described in my last comment would probably come in quite handy for that!
