Packet crafting

Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry points into a targeted system or network. This is done by manually generating packets to test network devices and behaviour, instead of using existing network traffic.^[1] Testing may target the firewall, IDS, TCP/IP stack, router or any other component of the network.^[1]^[2] Packets are usually created by using a packet generator or packet analyzer which allows for specific options and flags to be set on the created packets. The act of packet crafting can be broken into four stages: Packet Assembly, Packet Editing, Packet Play and Packet Decoding.^[1]^[2] Tools exist for each of the stages - some tools are focused only on one stage while others such as Ostinato try to encompass all stages.

Packet assembly[edit]

Packet Assembly is the creation of the packets to be sent. Some popular programs used for packet assembly are Hping, Nemesis, Ostinato, Cat Karat packet builder, Libcrafter, libtins, PcapPlusPlus, Scapy, Wirefloss and Yersinia.^[1]^[2]^[3] Packets may be of any protocol and are designed to test specific rules or situations. For example, a TCP packet may be created with a set of erroneous flags to ensure that the target machine sends a RESET command or that the firewall blocks any response.^[1]^[2]

Packet editing[edit]

Packet Editing is the modification of created or captured packets. This involves modifying packets in manners which are difficult or impossible to do in the Packet Assembly stage, such as modifying the payload of a packet.^[2] Programs such as Scapy, Ostinato, Netdude allow a user to modify recorded packets' fields, checksums and payloads quite easily.^[1] These modified packets can be saved in packet streams which may be stored in pcap files to be replayed later.

Packet play[edit]

Packet Play or Packet Replay is the act of sending a pre-generated or captured series of packets. Packets may come from Packet Assembly and Editing or from captured network attacks. This allows for testing of a given usage or attack scenario for the targeted network. Tcpreplay is the most common program for this task since it is capable of taking a stored packet stream in the pcap format and sending those packets at the original rate or a user-defined rate. Scapy also supports send functions to replay any saved packets/pcap. Ostinato added support for pcap files in version 0.4.^[4] Some packet analyzers are also capable of packet replay.

Packet decoding[edit]

Packet Decoding is the capture and analysis of the network traffic generated during Packet Play. In order to determine the targeted network's response to the scenario created by Packet Play, the response must be captured by a packet analyzer and decoded according to the appropriate specifications. Depending on the packets sent, a desired response may be no packets were returned or that a connection was successfully established, among others. The most famous tools for that task are Wireshark and Scapy.

References[edit]

^ ^a ^b ^c ^d ^e ^f Zereneh, William. "Packet Crafting" (PDF). Retrieved 2010-08-01.
^ ^a ^b ^c ^d ^e Poor, Mike. "Packet Craft for Defense-in-Depth" (PDF). InGuardians. Retrieved 2010-08-01.
^ "Top 4 Packet Crafting Tools". SecTools.org. Retrieved 2010-08-01.
^ "Ostinato ChangeLog". Retrieved 2011-04-30.

External links[edit]

Packet Crafting for Firewall & IDS Audits (Part 1 of 2) by Don Parker [1]
Wikiformat article detailing Packet crafting
Bit-Twist - Libpcap-based Ethernet packet generator [2]
Packet Sender - open source packet generator focused on ease-of-use

[zereneh-1] ^ ^a ^b ^c ^d ^e ^f Zereneh, William. "Packet Crafting" (PDF). Retrieved 2010-08-01.

[poor-2] Poor, Mike. "Packet Craft for Defense-in-Depth" (PDF). InGuardians. Retrieved 2010-08-01.

[sectools-3] "Top 4 Packet Crafting Tools". SecTools.org. Retrieved 2010-08-01.

[ostcl-4] "Ostinato ChangeLog". Retrieved 2011-04-30.

[1]

[2]

[3]

[4]