Custom Packet Generators

A number of different programs will construct custom packets for you. The utilities vary considerably in the amount of control you actually have. As all require a thorough understanding of the underlying protocols, none of these tools are particularly easy to use. All of the ones I am familiar with are command-line programs. This is really a plus since, if you find yourself using these programs heavily, you will want to call them from scripts. Two programs, hping and nemesis, are briefly described here. A number of additional tools are cited at the end of this section in case these utilities don't provide the exact functionality you want or aren't easily ported to your system. Of the two, hping is probably the better known, but nemesis has features that recommend it. Neither is perfect. Generally, once you have the idea of how to use one of these tools, learning another is simply a matter of identifying the options of interest. Most custom packet generators have a reasonable set of defaults that you can start with. Depending on what you want to do, you select the appropriate options to change just what is necessary—ideally as little as possible.

Custom packet tools have a mixed reputation. They are extremely powerful tools and, as such, can be abused. And some of their authors seem to take great pride in this potential. These are definitely tools that you should use with care. For some purposes, such as testing firewalls, they can be indispensable. Just make sure it is your firewall, and not someone else's, that you are testing.

9.1.1.1 hping

hping, or hping2 as it is sometimes called, was written by Salvatore Sanfilippo. The documentation is a little rough at times and suggests uses that are inappropriate. Nonetheless, it is a powerful, versatile program. When run with the default parameters, it looks a lot like ping and is useful for checking connectivity:

    lnx1# hping 205.153.63.30
    eth0 default routing interface selected (according to /proc)
    HPING 205.153.63.30 (eth0 205.153.63.30): NO FLAGS are set, 40 headers + 0 data bytes
    46 bytes from 205.153.63.30: flags=RA seq=0 ttl=126 id=786 win=0 rtt=4.4 ms
    46 bytes from 205.153.63.30: flags=RA seq=1 ttl=126 id=1554 win=0 rtt=4.5 ms
    46 bytes from 205.153.63.30: flags=RA seq=2 ttl=126 id=2066 win=0 rtt=4.6 ms
    46 bytes from 205.153.63.30: flags=RA seq=3 ttl=126 id=2578 win=0 rtt=5.5 ms
    46 bytes from 205.153.63.30: flags=RA seq=4 ttl=126 id=3090 win=0 rtt=4.5 ms

    --- 205.153.63.30 hping statistic ---
    5 packets tramitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 4.4/4.7/5.5 ms

At first glance, the output looks almost identical to ping's. Actually, by default, hping does not send ICMP packets. It sends TCP packets to port 0. You can change ports with the -p option. Since this port is almost never used, most systems will reply with a RESET message. Consequently, hping will sometimes get responses from systems that block ping. On the other hand, it may trigger intrusion detection systems as well. If you want to mimic ping, you can use the -1 argument, which specifies ICMP. Or, if you prefer, you can use -2 to send UDP packets. When using ICMP, this is what one of the replies from the output looks like:

    46 bytes from 205.153.63.30: icmp_seq=0 ttl=126 id=53524 rtt=2.2 ms

Otherwise, the output will be almost identical to the default behavior. If you want more information, you can use -V for verbose mode.
Here is what a reply looks like with this option:

    46 bytes from 172.16.2.236: flags=RA seq=0 ttl=63 id=12961 win=0 rtt=1.0 ms
    tos = 0 len = 40 seq = 0 ack = 108515096 sum = a5bc urp = 0

There is also a debug mode if you are having problems with hping. Other options that control the general behavior of hping include -c to set the number of packets to send, -i to set the time between packets, -n for numeric output (no name resolution), and -q for quiet output (just summary lines when done).

Another group of options allows you to control the contents of the packet header. For example, the -a option can be used to specify an arbitrary source address for a packet. Here is an example:

    lnx1# hping2 -a 205.153.63.30 172.16.2.236
    eth0 default routing interface selected (according to /proc)
    HPING 172.16.2.236 (eth0 172.16.2.236): NO FLAGS are set, 40 headers + 0 data bytes

    --- 172.16.2.236 hping statistic ---
    4 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms

In this case, the packet has been sent from a computer whose actual source address is 172.16.3.234. The packet, however, will have 205.153.63.30 in its IP header as the source address. Of course, any reply from the destination will go back to the spoofed source address, not the actual source address. If this is a valid address that belongs to someone else, they may not look kindly on your testing.

Spoofing source addresses can be useful when testing router and firewall setup, but you should do this in a controlled environment. All routers should be configured to drop any packets with invalid source addresses. That is, if a packet claims to have a source that is not on the local network or that is not from a device for which the local network should be forwarding a packet, then the source address is illegal and the packet should be dropped. By creating packets with illegal source addresses, you can test your routers to be sure they are, in fact, dropping these packets.
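The router rule just described, written out as a small ingress-filter model so you can see which of the hping test packets should be dropped and why. This is an added example, not code from the book or from hping; the interface layout (an "inside" interface for 172.16.0.0/16, an "outside" interface facing 205.153.63.0/24) and the test packets are constructed assumptions.

```python
import ipaddress

# Constructed router model (an assumption, not from the book): the site's 172.16.0.0/16
# network sits on the "inside" interface and the "outside" interface faces 205.153.63.0/24.
INTERFACE_SOURCES = {
    "inside": ["172.16.0.0/16"],   # only local hosts may originate packets here
    "outside": ["0.0.0.0/0"],      # any Internet source, subject to the checks below
}
LOCAL_PREFIXES = ["172.16.0.0/16", "205.153.63.0/24"]   # address space that is ours
NEVER_VALID = ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32"]


def ingress_decision(iface, src_ip):
    """Return (verdict, reason) for a packet with source src_ip arriving on iface."""
    src = ipaddress.ip_address(src_ip)

    def within(prefixes):
        return any(src in ipaddress.ip_network(p) for p in prefixes)

    if within(NEVER_VALID):
        return "drop", "source can never be a legitimate unicast sender"
    if iface == "outside" and within(LOCAL_PREFIXES):
        return "drop", "our own address space claimed from outside"
    if not within(INTERFACE_SOURCES[iface]):
        return "drop", "source is not on the network behind %s" % iface
    return "forward", "source consistent with ingress interface"


# Constructed test packets, as a sniffer on the router would record hping's output.
TEST_PACKETS = [
    ("inside", "172.16.3.234"),    # the real address of the sending host in the example
    ("inside", "205.153.63.30"),   # what hping -a 205.153.63.30 puts in the header: spoofed
    ("outside", "172.16.2.236"),   # an inside address arriving from the Internet: spoofed
    ("outside", "198.51.100.7"),   # an ordinary remote source (documentation range)
    ("inside", "127.0.0.1"),       # loopback as a source is never valid
]


def run_filter_test(packets=TEST_PACKETS):
    """Apply the filter to each record and return (iface, src, verdict, reason) tuples."""
    return [(iface, src) + ingress_decision(iface, src) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict, reason in run_filter_test():
        print("%-8s %-15s %-8s %s" % (iface, src, verdict, reason))
```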
Of course, you need to use a tool like ethereal or tcpdump to see what is getting through and what is blocked.[1]

[1] If this is all you are testing, you may prefer to use a specialized tool like egressor.

The source port can be changed with the -s option. The TTL field can be set with the -t option. There are options to set the various TCP flags: -A for ACK, -F for FIN, -P for PUSH, -R for RST, -S for SYN, and -U for URG. Oddly, although you can set the urgent flag, there doesn't seem to be a way to set the urgent pointer. You can set the packet size with the -d option, set the TCP header length with the -O option, and read the packet's data from a file with the -E option. Here is an example of sending a DNS packet using data in the file data.dns:

    bsd2# hping -2 -p 53 -E data.dns -d 31 205.153.63.30

hping generated an error on my system with this command, but the packet was sent correctly. Be warned, constructing a usable data file is nontrivial. Here is a crude C program that will construct the data needed for this DNS example:

    #include <stdio.h>

    int main(void)
    {
        FILE *fp;

        fp = fopen("data.dns", "w");
        if (fp == NULL) {
            perror("data.dns");
            return 1;
        }
        /* 12-byte DNS header: ID 1, flags 0x0100 (recursion desired),
           1 question, 0 answer, 0 authority, 0 additional records */
        fprintf(fp, "%c%c%c%c", 0x00, 0x01, 0x01, 0x00);
        fprintf(fp, "%c%c%c%c", 0x00, 0x01, 0x00, 0x00);
        fprintf(fp, "%c%c%c%c", 0x00, 0x00, 0x00, 0x00);
        /* question name www.cisco.com as length-prefixed labels, ended by a 0 byte */
        fprintf(fp, "%c%s", 0x03, "www");
        fprintf(fp, "%c%s", 0x05, "cisco");
        fprintf(fp, "%c%s%c", 0x03, "com", 0x00);
        /* QTYPE 1 (A record), QCLASS 1 (IN); 31 bytes in all, hence -d 31 above */
        fprintf(fp, "%c%c%c%c", 0x00, 0x01, 0x00, 0x01);
        fclose(fp);
        return 0;
    }

Even if you don't use C, it should be fairly clear how this works. The fopen call creates the file, and the fprintf calls write out the data. %c and %s are used to identify the datatype when formatting the output. The remaining arguments are the actual values for the data. I'm sure there are cleaner ways to create this data, but this will work.
Finally, hping can also be put in dump mode so that the contents of the reply packets are displayed in hex:

    bsd2# hping -c 1 -j 172.16.2.230
    HPING 172.16.2.230 (ep0 172.16.2.230): NO FLAGS are set, 40 headers + 0 data bytes
    46 bytes from 172.16.2.230: flags=RA seq=0 ttl=128 id=60017 win=0 rtt=2.1 ms
    0060 9706 2222 0060 088f 5f0e 0800 4500 0028 ea71 0000 8006 f26b ac10 02e6 ac10
    02ec 0000 0a88 0000 0000 1f41 a761 5014 0000 80b3 0000 0000 0000 0000

    --- 172.16.2.230 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 2.1/2.1/2.1 ms

Numerous other options are described in hping's documentation. You can get a very handy summary of options if you run hping with the -h option. I strongly recommend you print this to use while you are learning the program.
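The -j dump is just a raw Ethernet frame, so you can check for yourself that the reply line is telling the truth (RST/ACK from port 0, TTL 128, IP id 60017, window 0). Here is an added Python decoder for that dump; it is not part of the book or of hping. HPING_DUMP is the dump printed above, and the order in which hping prints the flag letters is an assumption (RST+ACK does come out as "RA").

```python
import struct

# The dump hping -j printed for the reply from 172.16.2.230 (copied from the session above).
HPING_DUMP = (
    "0060 9706 2222 0060 088f 5f0e 0800 4500 0028 ea71 0000 8006 f26b ac10 02e6 ac10 "
    "02ec 0000 0a88 0000 0000 1f41 a761 5014 0000 80b3 0000 0000 0000 0000"
)

# TCP flag bits in the order hping prints them (assumed; RST+ACK does come out as "RA").
TCP_FLAG_LETTERS = ((0x04, "R"), (0x02, "S"), (0x10, "A"), (0x01, "F"), (0x08, "P"), (0x20, "U"))


def decode_hping_dump(dump):
    """Decode an Ethernet/IPv4/TCP frame from hping's hex dump into header fields."""
    frame = bytes.fromhex(dump.replace(" ", ""))
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]                       # 46 bytes remain after the Ethernet header
    (ver_ihl, tos, total_len, ident, _frag, ttl, proto, _ipsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4 carrying TCP is handled here")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]               # total_len excludes the Ethernet padding at the end
    sport, dport, seq, ack, off_flags, win, tcpsum, urp = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x3F
    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "tos": tos, "len": total_len, "id": ident, "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(letter for bit, letter in TCP_FLAG_LETTERS if flags & bit),
        "win": win, "sum": "%04x" % tcpsum, "urp": urp,
    }


def reply_line(fields):
    """Format the decoded fields like hping's own reply line, for a side-by-side check."""
    return "flags=%(flags)s ttl=%(ttl)d id=%(id)d win=%(win)d from port %(sport)d" % fields


if __name__ == "__main__":
    decoded = decode_hping_dump(HPING_DUMP)
    print(reply_line(decoded))            # flags=RA ttl=128 id=60017 win=0 from port 0
    for key in ("src_mac", "dst_mac", "src_ip", "dst_ip", "dport", "seq", "ack", "sum"):
        print("%-8s %s" % (key, decoded[key]))
```

The destination port (2696) is the ephemeral port hping chose on the sending side, which is why the RESET comes back from port 0 to it.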

9.1.1.2 nemesis