Packet Crafting and Analysis 1: Layers, Protocols and Packets
This article will be one in a series all about crafting and analyzing packets. Being able to create your own custom packets can be applied for various security purposes including scanning remote hosts, networks based attacks like DOS and buffer overflows, IDS evasion, spoofing, and more.
To begin this series I'll be going over some basic info, layers and protocols. This background info will be needed for packet analysis and packet crafting. The information below is by no means comprehensive, but is the minimum background knowledge for this series of articles. I would encourage readers with little experience with networking to does some supplementary research.
Packets and Layers
All data that is sent across a network is broken up and send as small pieces of data called packets. They contain the data to be sent as well as protocol information, the source and destination address. Packets are structured by layers, with protocols associated with each layer. Each layer is comprised of two parts, the header and the body. The header contains the protocol and routing information, and the body contains the data. Packets are layered in a process called encapsulation. When data travels across a network it is encapsulated at each layer of the OSI model. There is already a ton of information about the OSI model online, so you may want to take some time to read a little about it if you haven't had much experience with it before. Below I have listed the layers the you will deal with the most and the protocols associated with them. These are the ones that will be covered in this article since knowledge of these will be needed for the other articles in this series.
The Data link Layer
This is the layer on which ethernet exists, and is used to coordinate the transfer of data across a local network(LAN) using ethernet ports. Hardware addresses or MAC addresses are used for this. MAC addresses come in the format six hexadecimal numbers separated by colons. Example: 00:7C:89:F3:45:A2.
The Network Layer
This is basically the layer of the internet, the primary protocol being IP, internet protocol. On this layer devices are identified by their IP addresses. There are two types of IP addresses, local and external also called public and private. Local IP addresses are used on local networks, like between you and your router. Local IPs are easily identified as they usually start with '192.168'. External IPs are the ones that are used used over the internet. Most small networks will share one IP address(external), owned by a router. On one of these networks if you send a packet across the internet your computer will first use it's local IP address to send it to the router. The router will then send it across the internet using its external IP address. This is why if you use ipconfig or ifconfig your IP address will look something like 192.168.10.102, your local address, but if you look up your IP address on google it will show a different address, your external or public address. Another notable protocol on this layer is ICMP, which is used for ping requests.
ARP, address resolution protocol, is a protocol that takes places between the network and data link layers. It actually is the method of communicating between the two layers. Basically what it does is translate IP addresses to MAC addresses and vise versa. I’ll go into more detail on these later when we craft some and show how they can be used as an attacker.
The Transport Layer
This layer is used for the communication of data between applications. The primary protocols for the transport layer are TCP and UDP. The main difference between these two is that TCP, transmission control protocol, requires a connection(handshake and what not) and checks to make sure all packets have arrived and are in tact. TCP is used for the majority of communication over the internet. UDP, user datagram protocol, on the other hand is a connectionless form of communication and it does not check to make sure every single packet has arrived. UDP is often used for streaming media and online gaming since every single packet is not necessarily needed and having to wait on every single packet would hurt performance.
This is the layer on which sockets exist. Sockets are used by programmers to send data across a network through the operating system. The two types of sockets are representative of the protocols they use, stream sockets(TCP) and datagram sockets(UDP). A raw socket is a socket that does not have a specified protocol. Raw sockets can be used for capturing, creating, and sending custom packets.
The Application Layer
This Layer is the one most people are more familiar with. While the other layers are used for getting the packets to the right place, this layer actually contains and transfers the data. Protocols on this layer include FTP, HTTP, SSH, ect.
Now to get a little more hands on. For these articles I will be using Scapy to craft packets and explain there structure. Scapy is a program used for crafting, capturing, and otherwise manipulating packets. It it written in python and can be imported as a library into your python scripts. It also has its own interpreter similar to pythons. Scapy should be available for all major operating systems. For most linux distros, Scapy should be available in the repositories. In something debian based simply sudo apt-get install scapy. To use it just type scapy into your terminal and hit enter, that will open the interpreter. Note: To use most of scapy's features you will need to run it under root privileges.
Lets start with some scapy basics. To begin making a packet you can set it like a variable, though it is really more like an object in oop. Set the packet equal to one the protocols like TCP() or IP().
Packet1 = TCP()
Packet2 = IP()
As I explained above packets are made of multiple layers. The “/” is used to stack different layers. Here is how to make a TCP packet by stacking layers.
Packet1 = Ether()/IP()/TCP()
Scapy will take care of any layers you do not specifically add to your packet by setting them to default values. So you will want to stack your packets using the layers whose values you will want to set yourself. To see the values corresponding to each layer of your packet use the show function.
Now that you know what the values are you can set them the same way you would with an object in most programming languages. Or you can set them as arguments at the same time as you initialize the packet.
Once you have gotten all of your values set to what you want you can send your packet using the send function. Also remember that scapy is basically a python library so if you want to send your packet multiple times you can use python with a loop or something.
send(Packet1) #sending a packet requires root privileges.
One last note on scapy, to import and use it in a python script use the following line:
from scapy.all import *
Note: As of writing the article scapy really only works with python version 2.x
In the next articles in the series I'll continue be going more in depth with structure of different packets and explain what their values actually mean as well as there uses security wise.
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 3 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.