Packet Editing in Python [introduction to]

Post by maboroshi »

Packet Editing in Python

Welcome to the dark art that is packet editing. I have been turned on to this numerous times but never found a suitable method for accomplishing it. Being a coder, and also having worked on the Scapy source a little, I know of a small, really unknown function in the src; it does not do much but spawn a process on either Unix or Windows.

Here is the function:

Code:

import os
import subprocess
import tempfile

from scapy.config import conf   # conf.prog.hexedit names the editor to launch


def hexedit(x):
    """Dump x to a temporary file, open it in the configured hex editor,
    block until the editor exits, and return the edited bytes."""
    x = bytes(x)                               # a Scapy packet serialises to its raw bytes
    fd, f = tempfile.mkstemp(prefix="scapy")   # os.tempnam() no longer exists in Python 3
    with os.fdopen(fd, "wb") as fh:
        fh.write(x)
    # subprocess.call() blocks until the editor exits, on both Unix and Windows,
    # so the separate os.spawnlp() branch is not needed.
    subprocess.call([conf.prog.hexedit, f])
    with open(f, "rb") as fh:
        x = fh.read()
    os.unlink(f)
    return x
This process opens a hex editor you define and can be used in conjunction with Scapy's awesome networking abilities.

Alright then, let's start.

First, download a hex editor of your choosing. I personally like hexedit or frhed; you can find the resources at the end of this article.

Once that is done, add them to your environment variables (also known as your system path). The next step is to run Scapy. For a tutorial on installing Scapy on your operating system, visit:


http://www.secdev.org/projects/scapy/doc/installation.html#platform-specific-instructions
When Scapy is up and running, enter this line:

Code:

conf.prog.hexedit = "frhed"

Where frhed is the name of the executable hex editor on my system path. OK, test to see that it works.

Enter this:

Code:

hexedit("AAAAAAA")

You should see your hex editor window open up and print 41 41 etc. This is good; try modifying the values, saving, then exiting.

OK, for now, until I get a bit better at doing stuff with this, we're just going to send a packet and modify its src IP.

Enter this:

Code:

send(IP(hexedit(IP(dst="www.google.ca")))/TCP())

This will open your hex editor.

You can then modify the src address. To find your src address, visit this site:


http://www.kloth.net/services/iplocate.php
It will take some figuring out to find where the IP address is in the packet if you don't know hex ;)

It should then result in:

Code:

sent 1 packet

You can use many different variations of Scapy's networking methods to forge and edit packets; please see the Scapy documentation to find out what you can do.

Resources

http://www.kloth.net/services/iplocate.php
http://www.secdev.org/projects/scapy/
http://frhed.sourceforge.net/ (frhed hex editor)
http://www.physics.ohio-state.edu/~prewett/hexedit/ (hexedit)
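As an added example that is not part of maboroshi's post: the same edit the tutorial makes by hand in the hex editor (overwriting the source address of the IPv4 header), done in plain Python so it runs without Scapy or an editor, to show the one thing a raw byte edit silently breaks, the header checksum. The offsets follow the IPv4 header layout (checksum at bytes 10-11, src at 12-15, dst at 16-19); the addresses are constructed samples.

```python
# Added example (not from the original post): patch the src field of a raw
# IPv4 header the way the hex editor does, then show the checksum went stale.
import socket
import struct

CHKSUM_OFFSET = 10   # IPv4 header: bytes 10..11 hold the header checksum
SRC_OFFSET = 12      # bytes 12..15 are the source address
DST_OFFSET = 16      # bytes 16..19 are the destination address


def ipv4_checksum(hdr):
    """RFC 791 one's-complement sum over the header with the checksum field zeroed."""
    hdr = hdr[:CHKSUM_OFFSET] + b"\x00\x00" + hdr[CHKSUM_OFFSET + 2:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto=6, ident=1, ttl=64, total_len=40):
    """Constructed sample: a 20-byte IPv4 header (no options) with a valid checksum,
    as Scapy would emit for IP(src=..., dst=...)/TCP() before the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return patch(hdr, CHKSUM_OFFSET, struct.pack("!H", ipv4_checksum(hdr)))


def patch(data, offset, new):
    """Overwrite bytes at offset, exactly like typing over them in a hex editor."""
    return data[:offset] + new + data[offset + len(new):]


def checksum_ok(hdr):
    stored = struct.unpack("!H", hdr[CHKSUM_OFFSET:CHKSUM_OFFSET + 2])[0]
    return stored == ipv4_checksum(hdr)


def src_of(hdr):
    return socket.inet_ntoa(hdr[SRC_OFFSET:SRC_OFFSET + 4])


def rewrite_src(hdr, new_src):
    """Patch the src field, then repair the checksum the raw edit invalidated.
    Returns (fixed_header, checksum_was_still_valid_right_after_the_edit)."""
    edited = patch(hdr, SRC_OFFSET, socket.inet_aton(new_src))
    stale_ok = checksum_ok(edited)             # False: the edit changed two 16-bit words
    fixed = patch(edited, CHKSUM_OFFSET, struct.pack("!H", ipv4_checksum(edited)))
    return fixed, stale_ok


def hexdump(data):
    return " ".join("%02x" % b for b in data)


if __name__ == "__main__":
    original = ipv4_header("192.168.0.7", "198.51.100.23")   # constructed addresses
    print("before:", hexdump(original))
    fixed, stale_ok = rewrite_src(original, "10.0.0.1")
    print("after: ", hexdump(fixed))
    print("checksum still valid right after the raw edit:", stale_ok)
```

The same trap applies to the tutorial's one-liner: when the edited bytes come back through `IP(hexedit(...))`, Scapy fills the `chksum` field from the bytes it parsed instead of leaving it as `None`, so `send()` transmits the stale value and the receiver drops the packet. Delete the field (`del pkt[IP].chksum`) before sending so Scapy recomputes it; the same goes for a TCP or UDP checksum if you touched anything it covers.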

Post by DNR »

we are going to have to work together to do a wifi example with packet editing. :wink:

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Post by bad_brain »

Good one, professor mab... :D

Hey DNR

Post by maboroshi »

Hey DNR, that's not a bad idea :-)

what did you have in mind?

I would like to get into wifi stuff a bit more.

Post by DNR »

OK, let's start with an app that can be ported to Windows (Vista please) that can disassociate all users (except me) from a wifi AP.
Omerta
Disassociates all 802.11 network connections within range on the same channel as the card in the machine. Built on top of libradiate. Source code.
http://www.securityfocus.com/archive/89/326248
Check out the code, let me know if you can make a new app!

Post by lilrofl »

Truly interesting, thanks for bringing this to our attention, seems like I have something to mess with over the weekend after all XD

Post by DNR »

The tool can work on the MAC and physical layers (layer 2) of the network. You've got control frames and management frames to alter and send.

Not sure if you are going to be crafting packets for IGMP:
16 1.278836 192.168.0.7 IGMP.MCAST.NET IGMP V3 Membership Report / Leave group 239.255.255.250

or fake an ARP to change IP:MAC on the users?
43 2.276809 GemtekTe_f1:f9:75 LiteonTe_72:6e:b3 ARP 192.168.0.1 is at 00:90:4b:f1:f9:75
or just an ICMP:
45 2.278022 192.168.0.1 192.168.0.7 ICMP Destination unreachable (Port unreachable)

http://www.manageengine.com/products/wi ... ttack.html
How does the attack work?
• The attacker initially identifies the targets (wireless clients) and their association (the access point to which each is associated).
• Injects disassociation frames into the WLAN by spoofing the source and destination MAC to that of the access point and wireless client respectively.
• The wireless clients, upon reception of the frames, disassociate themselves from the access point, thinking that the packets have come from the access point.
• After disrupting a wireless client of the wireless service, the attacker would continue the same with the other wireless clients in the WLAN to keep them all out of the WLAN.
• Typically the wireless clients will re-associate themselves to regain service, but this will be short-lived as the attacker will be continuously sending the disassociation packets.

MDK3 is in BackTrack and is the Linux version of the DoS tool.

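As an added example, not part of DNR's post and not code from Omerta or MDK3: the byte-level layout of the spoofed 802.11 disassociation frame the quoted description talks about (destination = client, source = BSSID = the access point), with a parser to read it back and a simple rate-based check that flags a flood of such frames per BSSID. The MAC addresses and the sample capture are constructed for this example; nothing here is transmitted.

```python
# Added example (not from the thread): 802.11 management frame layout for a
# spoofed disassociation, plus a per-BSSID flood counter over a frame list.
import struct
from collections import Counter

MGMT = 0                  # frame type 0 = management
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
REASON_STA_LEAVING = 8    # reason code 8: sending STA is leaving the BSS

AP = "02:00:00:00:00:01"       # constructed, locally administered addresses
CLIENT = "02:00:00:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_mgmt_frame(subtype, da, sa, bssid, body=b"", seq=0):
    """Management frame without FCS: 24-byte MAC header followed by the body.
    Frame Control is little-endian: version 0, type 0, the subtype, no flags."""
    fc = (subtype << 4) | (MGMT << 2)
    header = struct.pack("<HH6s6s6sH", fc, 0,
                         mac_bytes(da), mac_bytes(sa), mac_bytes(bssid), seq << 4)
    return header + body


def build_disassoc(da, sa, bssid, reason=REASON_STA_LEAVING, seq=0):
    """Disassociation body is just a 2-byte little-endian reason code."""
    return build_mgmt_frame(SUBTYPE_DISASSOC, da, sa, bssid, struct.pack("<H", reason), seq)


def spoofed_disassoc(ap, client, seq=0):
    """What the described attack injects: DA = the client, SA and BSSID = the AP.
    Without 802.11w management frame protection the client has no way to tell
    this from a frame the AP actually sent."""
    return build_disassoc(client, ap, ap, seq=seq)


def parse_mgmt_frame(frame):
    fc, _duration, da, sa, bssid, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "da": mac_str(da), "sa": mac_str(sa), "bssid": mac_str(bssid),
            "seq": seqctl >> 4}
    if info["type"] == MGMT and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def flood_sources(frames, threshold):
    """BSSIDs that emitted at least `threshold` disassoc/deauth frames in the
    captured window. A real AP sends a handful at most; a flood is the attack."""
    counts = Counter()
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if "reason" in info:
            counts[info["bssid"]] += 1
    return {bssid for bssid, n in counts.items() if n >= threshold}


def sample_capture():
    """Constructed one-second window: 20 spoofed disassociations to one client
    plus one harmless probe request from that client."""
    frames = [spoofed_disassoc(AP, CLIENT, seq=i) for i in range(20)]
    frames.append(build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST))
    return frames


if __name__ == "__main__":
    frame = spoofed_disassoc(AP, CLIENT)
    print(" ".join("%02x" % b for b in frame))
    print(parse_mgmt_frame(frame))
    print("flooding BSSIDs:", flood_sources(sample_capture(), threshold=10))
```

The first byte of the frame is 0xa0 (subtype 10, type 0) and the reason code sits right after the 24-byte header; that is the only part of the frame an attacker varies, which is why a count of disassociation or deauthentication frames per BSSID over a short window is the usual detection signal.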