Posted: . At: 1:30 PM. This was 5 years ago. Post ID: 12985


How to use nping to send a custom ICMP packet payload and see it in Wireshark.


Sending network packets is commonplace on any network, but did you know that a custom packet can be crafted to carry a message across the network, hiding the text in a SYN packet? This is how to do it easily with the Nmap package on Linux. Nmap ships with a handy utility called nping, which lets us craft a custom TCP packet that carries a small message in its payload. A nice exercise for learning Wireshark, for sure.

And it is great fun.

Use this example to send a custom ICMP ping packet with nping on Linux.

jason@hoshi:~$ sudo nping -c 1 --data-string "Hello World" --tcp -p 80,443 192.168.1.5

This sends the custom packet to the target machine. The example below shows the output captured in Wireshark.

0000   d0 50 99 0d ab 0f 00 0c 29 6f 3b 80 08 00 45 00   ÐP..«...)o;...E.
0010   00 33 fe 5d 00 00 40 06 f9 0d c0 a8 01 04 c0 a8   .3þ]..@.ù.À¨..À¨
0020   01 05 13 0e 01 bb 36 ee ac df 00 00 00 00 50 02   .....»6î¬ß....P.
0030   05 c8 dc 50 00 00 48 65 6c 6c 6f 20 57 6f 72 6c   .ÈÜP..Hello Worl
0040   64                                                d

This is the packet summary as well.

8141	571.259113	192.168.1.4	192.168.1.5	TCP	65	4878 → 443 [SYN] Seq=0 Win=1480 Len=11
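An added example, not code from the post: the Python below turns the Wireshark hex dump above back into bytes, parses the Ethernet II, IPv4 and TCP headers, and applies the check a defender would want on such a capture, flagging a SYN that carries payload, which a normal three-way handshake never does. The dump text is a constructed copy of the capture shown above.

```python
"""Decode the Wireshark hex dump of the nping SYN above; flag a bare SYN carrying data."""
import re
import struct

# Constructed copy of the Wireshark dump of frame 8141 shown in the post.
SYN_DUMP = """
0000   d0 50 99 0d ab 0f 00 0c 29 6f 3b 80 08 00 45 00   ÐP..«...)o;...E.
0010   00 33 fe 5d 00 00 40 06 f9 0d c0 a8 01 04 c0 a8   .3þ]..@.ù.À¨..À¨
0020   01 05 13 0e 01 bb 36 ee ac df 00 00 00 00 50 02   .....»6î¬ß....P.
0030   05 c8 dc 50 00 00 48 65 6c 6c 6f 20 57 6f 72 6c   .ÈÜP..Hello Worl
0040   64                                                d
"""
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset   hex pairs   ascii' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        cols = re.split(r"\s{3,}", line.strip())  # columns are separated by 3+ spaces
        if len(cols) >= 2:
            out += bytes.fromhex(cols[1])
    return bytes(out)

def parse_tcp_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP and return the fields needed for triage."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]  # IP total length bounds the segment (drops any frame padding)
    sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "win": win,
            "flags": [n for bit, n in TCP_FLAGS.items() if off_flags & bit],
            "has_options": data_off > 20, "payload": tcp[data_off:]}

def syn_with_payload(pkt: dict) -> bool:
    """Bare SYN carrying data. TCP Fast Open SYNs also carry data but always
    include a TFO option, so an option-less SYN with payload is what to alert on."""
    return pkt["flags"] == ["SYN"] and bool(pkt["payload"]) and not pkt["has_options"]

if __name__ == "__main__":
    pkt = parse_tcp_frame(hexdump_to_bytes(SYN_DUMP))
    print(pkt, "suspicious:", syn_with_payload(pkt))
```

The same hexdump_to_bytes() also decodes the payload-only dump of the longer string further down.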

This is a very neat trick. This could be used to send messages over a network. But I have found that if you send them over SSH, they are encrypted and cannot be read.

Here is another example, this time sending a longer string. The whole string is carried in the payload.

jason@hoshi:~$ sudo nping -c 1 --data-string "Hello World. This is a custom ICMP packet." --tcp -p 80,443 192.168.1.5

Our resulting TCP payload.

0000   48 65 6c 6c 6f 20 57 6f 72 6c 64 2e 20 54 68 69   Hello World. Thi
0010   73 20 69 73 20 61 20 63 75 73 74 6f 6d 20 49 43   s is a custom IC
0020   4d 50 20 70 61 63 6b 65 74 2e                     MP packet.

So, this is a good way to send a custom TCP payload to another machine, as long as it has Wireshark or tcpdump running to catch the packets as they arrive.

Type sudo apt install nmap to install the nping utility. This is very useful for learning how a network packet can be manipulated.

Further reading.

https://www.systutorials.com/docs/linux/man/1-nping/.

Another option is to use icmpush to send packets.

jason@hoshi:~/Docum$ sudo icmpush -echo -gw 192.168.1.1 google.com
[sudo] password for jason:
syd15s01-in-f78.1e100.net -> 20272500.0 ms

Another example.

ICMP router discovery requests are called Router Solicitations. Each router periodically multicasts a Router Advertisement (ICMP Type 9) from each of its multicast interfaces, announcing the IP address(es) of that interface. The example below shows how to send a Router Solicitation message to find a router on the network.

jason@hoshi:~/Docum$ sudo icmpush -vv -rts 192.168.1.5
 -> Outgoing interface = 192.168.1.4
 -> ICMP total size = 8 bytes
 -> Outgoing interface = 192.168.1.4
 -> MTU = 1500 bytes
 -> Total packet size (ICMP + IP) = 28 bytes
ICMP Router Solicitation packet sent to 192.168.1.5 (192.168.1.5)
 
Receiving ICMP replies ...
icmpush: Program finished OK

This example shown below transmits an ICMP timestamp request to a gateway IP address.

jason@Yog-Sothoth:~$ icmpush -vv -tstamp 192.168.1.1
 -> Outgoing interface = 192.168.1.5
icmpush: Can't build RAW sockets -> Operation not permitted
jason@Yog-Sothoth:~$ sudo icmpush -vv -tstamp 192.168.1.1
 -> Outgoing interface = 192.168.1.5
 -> ICMP total size = 20 bytes
 -> Outgoing interface = 192.168.1.5
 -> MTU = 1500 bytes
 -> Total packet size (ICMP + IP) = 40 bytes
ICMP Timestamp Request packet sent to 192.168.1.1 (192.168.1.1)
 
Receiving ICMP replies ...
_gateway        -> Timestamp Reply transmited at 10:00:00
icmpush: Program finished OK
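An added example, not part of the post or of icmpush: the Python below builds the two ICMP messages sent above, an 8-byte Router Solicitation and a 20-byte Timestamp Request, with the RFC 1071 checksum, and decodes a Timestamp Reply's transmit field into the HH:MM:SS form icmpush prints. The sizes match the "ICMP total size" lines above; adding the 20-byte IPv4 header gives the 28 and 40 bytes reported.

```python
"""Build the ICMP messages icmpush sent above (Router Solicitation, type 10, and
Timestamp Request, type 13), checksum them, and decode a reply's timestamp."""
import struct
import time

ICMP_ROUTER_SOLICIT = 10   # RFC 1256
ICMP_TIMESTAMP_REQ = 13    # RFC 792
ICMP_TIMESTAMP_REPLY = 14

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(msg: bytes) -> bool:
    """A valid message sums to zero when its own checksum field is included."""
    return icmp_checksum(msg) == 0

def build_icmp(msg_type: int, code: int, body: bytes) -> bytes:
    """Type, code, checksum (computed over header + body), then the body."""
    csum = icmp_checksum(struct.pack("!BBH", msg_type, code, 0) + body)
    return struct.pack("!BBH", msg_type, code, csum) + body

def router_solicitation() -> bytes:
    """4-byte header plus 4 reserved bytes: the 8 bytes icmpush reported."""
    return build_icmp(ICMP_ROUTER_SOLICIT, 0, b"\x00" * 4)

def ms_since_utc_midnight() -> int:
    """ICMP timestamps are milliseconds since midnight UTC (RFC 792)."""
    t = time.gmtime()
    return ((t.tm_hour * 60 + t.tm_min) * 60 + t.tm_sec) * 1000

def timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """id, seq, originate, receive, transmit: 4 + 16 = the 20 bytes icmpush reported."""
    body = struct.pack("!HHIII", ident, seq, originate_ms, 0, 0)
    return build_icmp(ICMP_TIMESTAMP_REQ, 0, body)

def reply_transmit_time(msg: bytes) -> str:
    """Format a Timestamp Reply's transmit field as HH:MM:SS, as icmpush prints it."""
    if msg[0] != ICMP_TIMESTAMP_REPLY or not checksum_ok(msg):
        raise ValueError("not a valid Timestamp Reply")
    transmit_ms = struct.unpack("!I", msg[16:20])[0]
    secs = transmit_ms // 1000
    return "%02d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60)
```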

A final example: unsent packet fragmenting. First, construct a packet with a fragment offset and send it to a host. Instead of sending another fragment to complete the datagram, the client lets the initial fragment time out, leaving the server waiting for the next expected packet in the sequence.

I used this hping3 example.

jason@Yog-Sothoth:~$ sudo hping3 -c 1 -x -y 192.168.1.1

And I got this in tcpdump.

17:54:01.486051 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has Yog-Sothoth tell _gateway, length 46
17:54:01.486088 ARP, Ethernet (len 6), IPv4 (len 4), Reply Yog-Sothoth is-at d0:50:99:0d:ab:0f (oui Unknown), length 28
17:54:02.223733 IP (tos 0x0, ttl 64, id 12747, offset 0, flags [DF], proto TCP (6), length 52)
    Yog-Sothoth.34656 > www.4chan-x.net.https: Flags [.], cksum 0x48f6 (incorrect -> 0x452f), seq 590243467, ack 3916959228, win 49, options [nop,nop,TS val 2320415490 ecr 3192249004], length 0
17:54:02.223763 IP (tos 0x0, ttl 64, id 26524, offset 0, flags [DF], proto TCP (6), length 52)
    Yog-Sothoth.51510 > 58.7.149.122.sta.dodo.net.au.http: Flags [.], cksum 0x43a3 (incorrect -> 0xe6ad), seq 2948085200, ack 3396365798, win 31, options [nop,nop,TS val 951397591 ecr 518512793], length 0
17:54:02.226694 IP (tos 0x0, ttl 64, id 21874, offset 0, flags [DF], proto UDP (17), length 73)
    Yog-Sothoth.52571 > _gateway.domain: [bad udp cksum 0x839d -> 0xd119!] 9620+ PTR? 86.231.203.159.in-addr.arpa. (45)
17:54:02.245027 IP (tos 0x0, ttl 60, id 64131, offset 0, flags [DF], proto TCP (6), length 52)
    58.7.149.122.sta.dodo.net.au.http > Yog-Sothoth.51510: Flags [.], cksum 0x3568 (correct), seq 1, ack 1, win 235, options [nop,nop,TS val 518523033 ecr 951366992], length 0
17:54:02.256812 STP 802.1d, Config, Flags [none], bridge-id 8000.c8:14:51:5f:a9:47.8004, length 43
	message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 0.00s
	root-id 8000.c8:14:51:5f:a9:47, root-pathcost 0
17:54:02.398276 IP (tos 0x0, ttl 54, id 13618, offset 0, flags [DF], proto TCP (6), length 52)
    www.4chan-x.net.https > Yog-Sothoth.34656: Flags [.], cksum 0xb050 (correct), seq 1, ack 1, win 486, options [nop,nop,TS val 3192251564 ecr 2320385067], length 0
17:54:02.398629 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 102)
    _gateway.domain > Yog-Sothoth.52571: [udp sum ok] 9620 q: PTR? 86.231.203.159.in-addr.arpa. 1/0/0 86.231.203.159.in-addr.arpa. PTR www.4chan-x.net. (74)
17:54:02.402629 IP (tos 0x0, ttl 64, id 21918, offset 0, flags [DF], proto UDP (17), length 71)
    Yog-Sothoth.34231 > _gateway.domain: [bad udp cksum 0x839b -> 0xa302!] 51082+ PTR? 58.7.149.122.in-addr.arpa. (43)
17:54:04.256367 STP 802.1d, Config, Flags [none], bridge-id 8000.c8:14:51:5f:a9:47.8004, length 43
	message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 0.00s
	root-id 8000.c8:14:51:5f:a9:47, root-pathcost 0
17:54:06.255946 STP 802.1d, Config, Flags [none], bridge-id 8000.c8:14:51:5f:a9:47.8004, length 43
	message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 0.00s
	root-id 8000.c8:14:51:5f:a9:47, root-pathcost 0

This tells me I got a bad UDP checksum for the network packets. This is still a response from the server. You could have a lot of fun sending all sorts of mangled packets to servers, and determining how they respond.

