Monday, March 21, 2016

Remote Send from the Comfort of Your Packet Crafting Shell

I've been spending a lot of time updating the Perl Packet Crafter to a new version - a complete rewrite with lots of new features and plugins.

During the course of testing, I thought about remote sending and remote capture, that is, using the shell to create the packets and passing them to an agent on a remote machine for sending. Like the old Network General / Associates distributed Sniffer concept, but a distributed sender in this case.

Lo and behold, WinPcap and Wireshark have the remote capture functionality, but remote sending? That required some research.

I spent some time creating a utility that accepts a hex-string representation of a packet and sends it. That part was easy. Making the sent packet actually make sense was much more difficult.

Creating a packet with PPC is pretty easy if you specify an interface. All the important bits like source and destination MAC addresses and source IPv4/v6 addresses are auto-populated. But when that packet is delivered to the network from a different host with a different MAC address and potentially a different gateway MAC address and a different source IP address, all sorts of things are wrong, least of which are packet checksums - all leading to garbage being sent, if anything at all.

My utility got a lot more complex obtaining the sending host information and rewriting the packet before sending. And it worked! It handles basic cases, nothing too complex, and it compiles only on Windows, but it's a start. Actual delivery of the packet from the PPC host to the sending host is done with a netcat sender and listener on the hosts.

PPC Host:

ppc> system ("echo " . S2H($packet->pack) . " | nc64 sendhost.localdomain 7070 ");

Sending Host:

nc64 -lp 7070 | pcaps -gm4 \Device\NPF_{...
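The rewrite step described above, sketched in Python as an added example (it is not the pcaps utility or PPC code from this post): it takes the hex string, swaps in the sending host's MAC, gateway MAC and source IPv4 address, and recomputes the IPv4 and TCP/UDP checksums. The function names, the sample frame and the assumption that the gateway is the next hop are all illustrative.

```python
import socket
import struct

# Constructed sample: Ethernet II / IPv4 / UDP frame with stale (zero) checksums,
# as it might be built on the crafting host. Addresses are documentation ranges.
SAMPLE = ("001122334455" "66778899aabb" "0800"
          "45000020" "00010000" "40110000" "c000020a" "c6336407"
          "30390035" "000c0000" "74657374")

def csum(data):
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_for_sender(hex_pkt, src_mac, gw_mac, src_ip):
    """Return hex_pkt rewritten so it is consistent when sent from another host."""
    pkt = bytearray(bytes.fromhex(hex_pkt))
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4:
        raise ValueError("only untagged Ethernet II / IPv4 frames are handled")
    ihl = (pkt[14] & 0x0F) * 4
    l4, end = 14 + ihl, 14 + struct.unpack("!H", pkt[16:18])[0]
    if ihl < 20 or not l4 <= end <= len(pkt):
        raise ValueError("inconsistent IPv4 header or total length")
    # Layer 2: the sending host's own MAC, and its gateway (assumed next hop).
    pkt[0:6] = bytes.fromhex(gw_mac.replace(":", ""))
    pkt[6:12] = bytes.fromhex(src_mac.replace(":", ""))
    # Layer 3: new source address, then the header checksum over the new header.
    pkt[26:30] = socket.inet_aton(src_ip)
    pkt[24:26] = b"\x00\x00"
    pkt[24:26] = struct.pack("!H", csum(pkt[14:l4]))
    # Layer 4: TCP and UDP checksums cover a pseudo-header holding the source
    # address, so they are stale too. Fragments are left alone.
    proto = pkt[23]
    off = {6: 16, 17: 6}.get(proto)  # checksum offset inside TCP / UDP header
    fragmented = struct.unpack("!H", pkt[20:22])[0] & 0x3FFF
    if off is not None and not fragmented and l4 + off + 2 <= end:
        pos = l4 + off
        pkt[pos:pos + 2] = b"\x00\x00"
        pseudo = pkt[26:34] + struct.pack("!BBH", 0, proto, end - l4)
        value = csum(pseudo + pkt[l4:end])
        if proto == 17 and value == 0:
            value = 0xFFFF  # UDP transmits an all-zero result as 0xFFFF
        pkt[pos:pos + 2] = struct.pack("!H", value)
    return pkt.hex()
```

A receiver validates both checksums the same way: summing the header (or pseudo-header plus segment) with the checksum field in place must give zero from `csum`.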

But is there a better way? I stumbled upon Remote PCap in my reading. Included with WinPcap is a utility rpcapd.exe which is essentially a remote agent for capture that can be controlled from a central source. So a single Wireshark install can capture packets from the local host as well as any remote host running the remote capture daemon.

There is surprisingly little on the RPCAP protocol version 0 (experimental) (as it's called). But looking in the WinPcap source, the winpcap/wpcap/libpcap/pcap-remote.h header has just about everything you need to understand the protocol. And of course, using Wireshark to decode the protocol works too (although it seems a bit incestuous).

There is no facility for sending a packet. And just to confirm, I set up rpcapd.exe on one host and PPC on another. I ran Wireshark on both hosts. PPC was able to set a remote device and capture from it (Yay!), but sending yielded nothing. Both sides show the remote adapter open request and reply followed immediately by a close without any packet data being sent.

Netcat will have to do for now.
