Discussion:
Any way to automatically change arbitrary headers of IP packets on-the-fly?
João Paulo Caldas Campello
2005-04-11 22:39:25 UTC
Hi,

Does anybody know any userland tool, Linux kernel module,
iptables/netfilter module, or whatever mechanism to change arbitrary
headers of IP packets on-the-fly as they traverse the IP
stack? Is there any known paper regarding this subject?

The whole story is that I'm doing some research and lab tests on
semi-blind IP spoofing (i.e. Loose/Strict IP Source Routing) on
border routers and firewalls, so I need an easy way to alter the "IP
Options" fields of IP packets to test if the routers/firewalls are
vulnerable to IP spoofing (e.g. not doing ingress filtering) in
conjunction with source routing techniques.

Yes, I know most modern firewalls should just drop IP Options
flagged packets, but not all firewalls do that with default
configurations.

Sure I can construct raw IP packets with the proper IP Options
fields set on, but I'm also doing sort of a penetration test so I need
a way to automate this task as the packets traverse the stack. This
way I could still use well-known and proven penetration test tools
such as port and vulnerability scanners, web spiders, and so on.

I've already read the Netfilter documentation (especially the "Linux
netfilter Hacking HOWTO") so I know this kind of packet mangling can
be done in userspace. I thought it could be done in the "MANGLE" table
of netfilter, but I found no TARGET that achieves that nor any
documentation about altering arbitrary IP headers.

The question is:

- Does such a tool, module, or other way to change arbitrary headers
of IP packets on-the-fly already exist, or will I have to (try to)
write one? =)

Cheers,

João Paulo Campello,
Network Security Analyst,
Tempest Security Technologies.
Sebastian Muñiz
2005-04-13 15:14:21 UTC
Post by João Paulo Caldas Campello
- Does such a tool, module, or other way to change arbitrary headers
of IP packets on-the-fly already exist, or will I have to (try to)
write one? =)
I have never used it but there is a kernel module that calls itself
"Packet Generator" and warns "Use with care":
Symbol: NET_PKTGEN [=m]

Prompt: Packet Generator (USE WITH CAUTION)

Defined at net/Kconfig:615

Depends on: NET && PROC_FS

Location:

-> Device Drivers

-> Networking support

-> Networking support (NET [=y])

-> Networking options

-> Network testing
Seems you can go on reading
file:Documentation/networking/pktgen.txt

Regards.
Sebastian Muñiz
Foundation Linux
2005-04-13 16:52:03 UTC
Hi,
<snip>
I've already read the Netfilter documentation (especially the "Linux
netfilter Hacking HOWTO") so I know this kind of packet mangling can
be done in userspace. I thought it could be done in the "MANGLE" table
of netfilter, but I found no TARGET that achieves that nor any
documentation about altering arbitrary IP headers.
- Does such a tool, module, or other way to change arbitrary headers
of IP packets on-the-fly already exist, or will I have to (try to)
write one? =)
Cheers,
João Paulo Campello,
Network Security Analyst,
Tempest Security Technologies.
Well, mangle in iptables only accepts TOS, TTL and MARK as valid targets
so you can't change arbitrary IP headers that way. However, if TOS is
where you're fiddling, it might work. Check out
http://www.faqs.org/docs/iptables/mangletable.html for a bit more info
as well as http://www.faqs.org/docs/iptables/targets.html#TOSTARGET.

The other option I can think of would be (in theory) to set nc (netcat)
up as a TCP proxy and script it to do what you want -- recreate a
duplicate packet with source-routing enabled.
http://www.die.net/doc/linux/man/man1/nc.1.html


-Charles
DJ Ether
2005-04-13 20:50:14 UTC
Perhaps this tool will help you. I wrote it a long time ago. It allows
you to create any type of ipv4 packet and send them off at high speeds.
You can customize most parts of the IP and overlying protocol headers.
It's called `rain` and I believe it is in many ports on various distros,
but here is a version I never publicly released (well, until this list):

http://www.ethericmist.net/files/rain-1.2.8r4.tar.gz

md5sum: a06b4eef3b4635de47d82aba0064187f

Hope you find it useful.

_e
Post by João Paulo Caldas Campello
Hi,
Does anybody know any userland tool, Linux kernel module,
iptables/netfilter module, or whatever mechanism to change arbitrary
headers of IP packets on-the-fly as they traverse the IP
stack? Is there any known paper regarding this subject?
The whole story is that I'm doing some research and lab tests on
semi-blind IP spoofing (i.e. Loose/Strict IP Source Routing) on
border routers and firewalls, so I need an easy way to alter the "IP
Options" fields of IP packets to test if the routers/firewalls are
vulnerable to IP spoofing (e.g. not doing ingress filtering) in
conjunction with source routing techniques.
Yes, I know most modern firewalls should just drop IP Options
flagged packets, but not all firewalls do that with default
configurations.
Sure I can construct raw IP packets with the proper IP Options
fields set on, but I'm also doing sort of a penetration test so I need
a way to automate this task as the packets traverse the stack. This
way I could still use well-known and proven penetration test tools
such as port and vulnerability scanners, web spiders, and so on.
I've already read the Netfilter documentation (especially the "Linux
netfilter Hacking HOWTO") so I know this kind of packet mangling can
be done in userspace. I thought it could be done in the "MANGLE" table
of netfilter, but I found no TARGET that achieves that nor any
documentation about altering arbitrary IP headers.
- Does such a tool, module, or other way to change arbitrary headers
of IP packets on-the-fly already exist, or will I have to (try to)
write one? =)
Cheers,
João Paulo Campello,
Network Security Analyst,
Tempest Security Technologies.
V***@vt.edu
2005-04-14 05:23:31 UTC
Post by João Paulo Caldas Campello
I've already read the Netfilter documentation (especially the "Linux
netfilter Hacking HOWTO") so I know this kind of packet mangling can
be done in userspace. I thought it could be done in the "MANGLE" table
of netfilter, but I found no TARGET that achieves that nor any
documentation about altering arbitrary IP headers.
Currently, iptables doesn't seem to support that, probably to keep you from
shooting yourself in the foot. Consider for example how fast the kernel will
fold up if you change that first nybble of the packet from an x'4' to an x'6'
without changing the rest of the packet to match. Suddenly, that sk_buff is
a lot too short.. ;)
João Paulo Caldas Campello
2005-04-15 23:12:24 UTC
Post by V***@vt.edu
Currently, iptables doesn't seem to support that, probably to keep you from
shooting yourself in the foot. Consider for example how fast the kernel will
fold up if you change that first nybble of the packet from an x'4' to an x'6'
without changing the rest of the packet to match. Suddenly, that sk_buff is
a lot too short.. ;)
Yeah, maybe, who knows :P

Well, I did some searching over the last few days and found a couple of
ways to achieve what I've described in my email.

One is using "DIVERT sockets" and the other is the use of the "-j QUEUE"
target of iptables/netfilter. Both approaches are similar: you match a
packet using iptables to flush them to userspace, where you can mangle
the entire packet as you like and send it back to iptables, which will
put it back onto the stack.

The "-j QUEUE" approach is manipulated through the "libipq" API:

- netfilter can feed userspace using IPQUEUE:
* http://www.crhc.uiuc.edu/~grier/projects/libipq.html

- Perl:
* http://www.intercode.com.au/jmorris/perlipq/

- Python:
* http://woozle.org/~neale/src/ipqueue/

As you can see, there are already libraries written in Perl and Python
to query IPQUEUE, so the effort of writing userspace code to deal with
IP packets will be much easier.

That's it =)

Cheers,

João Paulo.
Manu Garg
2005-04-20 06:26:32 UTC
If you are willing to write some code, then you can write a small
kernel module which will collect all the packets from the ethernet card.
You get the packet, manipulate it, recalculate the checksum and push
it back to the card. I have tried doing this to manipulate some other
fields. It works.

For reference see the following article from phrack:
http://www.phrack.org/phrack/55/P55-12

cheers,
~Manu
Post by João Paulo Caldas Campello
Post by V***@vt.edu
Currently, iptables doesn't seem to support that, probably to keep you from
shooting yourself in the foot. Consider for example how fast the kernel will
fold up if you change that first nybble of the packet from an x'4' to an x'6'
without changing the rest of the packet to match. Suddenly, that sk_buff is
a lot too short.. ;)
Yeah, maybe, who knows :P
Well, I did some searching over the last few days and found a couple of
ways to achieve what I've described in my email.
One is using "DIVERT sockets" and the other is the use of the "-j QUEUE"
target of iptables/netfilter. Both approaches are similar: you match a
packet using iptables to flush them to userspace, where you can mangle
the entire packet as you like and send it back to iptables, which will
put it back onto the stack.
* http://www.crhc.uiuc.edu/~grier/projects/libipq.html
* http://www.intercode.com.au/jmorris/perlipq/
* http://woozle.org/~neale/src/ipqueue/
As you can see, there are already libraries written in Perl and Python
to query IPQUEUE, so the effort of writing userspace code to deal with
IP packets will be much easier.
That's it =)
Cheers,
João Paulo.
--
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"
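The two threads of advice above (João's "-j QUEUE" handler that receives the whole packet in userspace, and Manu's reminder that any edited header must have its checksum recalculated before it goes back on the wire) come down to the same handful of header operations. The following is an added example, not code from any poster or from libipq/ipqueue; it builds its own constructed packets instead of reading them from a queue, and the VERDICT_* strings are stand-ins for whatever constants the queue library actually uses. It validates the fixed IPv4 header (including the version-nybble case from the earlier reply), walks the option area to recognise loose/strict source-route options the way a firewall that drops them would, and shows the rewrite-then-rechecksum step on a harmless field (TTL).

```python
"""Userspace-side IPv4 header checks for a netfilter QUEUE handler.

Added example. Packets are constructed locally rather than read from
libipq/ipqueue; verdict strings stand in for the library's constants.
"""
import socket
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source route (RFC 791)
VERDICT_ACCEPT, VERDICT_DROP = "ACCEPT", "DROP"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Run it over a header whose
    checksum field is zero to compute it; over a received header it
    returns 0 when the stored checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def validate_header(packet: bytes) -> int:
    """Check version, IHL and checksum; return the header length in bytes.
    A first byte rewritten from 0x4. to 0x6. fails here instead of
    producing the 'too short sk_buff' the thread warns about."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version nybble %d)" % version)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL %d for %d bytes" % (ihl, len(packet)))
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return ihl


def parse_options(packet: bytes) -> list:
    """Walk bytes 20..IHL*4 and return (option type, option data) pairs."""
    opts = packet[20:validate_header(packet)]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def verdict(packet: bytes, drop_all_options: bool = False):
    """What a userspace filter behind a -j QUEUE rule would answer.
    Source-routed packets are always dropped; drop_all_options gives the
    stricter 'no IP options at all' policy mentioned in the thread."""
    try:
        kinds = {kind for kind, _ in parse_options(packet)}
    except ValueError as exc:
        return VERDICT_DROP, "malformed: %s" % exc
    if kinds & {IPOPT_LSRR, IPOPT_SSRR}:
        return VERDICT_DROP, "source-routed packet"
    if drop_all_options and kinds:
        return VERDICT_DROP, "IP options present"
    return VERDICT_ACCEPT, "ok"


def set_ttl(packet: bytes, ttl: int) -> bytes:
    """Rewrite one header field and recompute the checksum, the step a
    mangler must not skip or the next hop discards the packet."""
    ihl = validate_header(packet)
    hdr = bytearray(packet[:ihl])
    hdr[8] = ttl
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_ipv4(src: str, dst: str, options: bytes = b"",
               payload: bytes = b"", ttl: int = 64, proto: int = 17) -> bytes:
    """Constructed test datagram (protocol field marked UDP) with options."""
    options += b"\x00" * (-len(options) % 4)         # pad with EOL
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      20 + len(options) + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src),
                      socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed samples: a plain datagram, and one carrying an LSRR option
# (type 131, length 7, pointer 4, one hop address).
PLAIN = build_ipv4("10.0.0.1", "10.0.0.2", payload=b"hello")
SOURCE_ROUTED = build_ipv4("10.0.0.1", "10.0.0.2",
                           options=bytes([IPOPT_LSRR, 7, 4])
                           + socket.inet_aton("192.0.2.1"))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", SOURCE_ROUTED),
                      ("ttl edited, stale checksum", PLAIN[:8] + b"\x01" + PLAIN[9:])):
        print(name, verdict(pkt))
    print("ttl rewritten properly", verdict(set_ttl(PLAIN, 63)))
```

In a real handler the bytes passed to `verdict` would come from the queue library's packet object and the returned verdict would be handed back to it; the parsing and checksum logic is the same either way. Note that `set_ttl` only touches the IP header checksum: rewriting fields that feed the TCP/UDP pseudo-header (the addresses) would also require recomputing the transport checksum, which this example deliberately leaves alone.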
G P
2005-04-19 01:50:42 UTC
Use NetSED:

http://www.mirrors.wiretapped.net/security/packet-construction/netsed/netsed-README.txt
Post by João Paulo Caldas Campello
Post by V***@vt.edu
Currently, iptables doesn't seem to support that, probably to keep you from
shooting yourself in the foot. Consider for example how fast the kernel will
fold up if you change that first nybble of the packet from an x'4' to an x'6'
without changing the rest of the packet to match. Suddenly, that sk_buff is
a lot too short.. ;)
Yeah, maybe, who knows :P
Well, I did some searching over the last few days and found a couple of
ways to achieve what I've described in my email.
One is using "DIVERT sockets" and the other is the use of the "-j QUEUE"
target of iptables/netfilter. Both approaches are similar: you match a
packet using iptables to flush them to userspace, where you can mangle
the entire packet as you like and send it back to iptables, which will
put it back onto the stack.
The "-j QUEUE" approach is manipulated through the
* http://www.crhc.uiuc.edu/~grier/projects/libipq.html
* http://www.intercode.com.au/jmorris/perlipq/
* http://woozle.org/~neale/src/ipqueue/
As you can see, there are already libraries written in Perl and Python
to query IPQUEUE, so the effort of writing userspace code to deal with
IP packets will be much easier.
That's it =)
Cheers,
João Paulo.