Friday, 22 August 2008

Packet Injection and Replay

Netcat can be used to replay packets (and I will detail this in the next post). First, I will look at an easier way of doing this. As such, I have listed a small set of replay (and capture/crafting) tools.

York (Windows)
York is a simple Windows-based network capture tool. It can save captures in pcap format and replay previously saved pcap files.

There are many other (and better) capture tools, but York is one of the simplest.

You can download York from:
http://www.geocities.com/the_real_sz/misc/york_.htm
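
What a replay tool reads back from a saved pcap file, as an added example (not part of the original post and not York's code): a minimal reader for the classic pcap layout that returns each frame with its timestamp and the inter-packet gaps a replay preserves. The sample capture is constructed inline, and the function names are my own.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_sample_pcap():
    """Constructed sample: a global header plus three dummy frames."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in [
        (1219363200, 0, b"\x00" * 60),
        (1219363200, 250000, b"\x01" * 60),
        (1219363201, 500000, b"\x02" * 42),
    ]:
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return out


def read_pcap(data):
    """Return (linktype, [(timestamp, frame_bytes), ...]) from pcap bytes."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        # Reject lengths that exceed the snaplen or run past the file end.
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("bad record length")
        records.append((ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records


def replay_delays(records):
    """Gaps in seconds between consecutive frames."""
    return [round(b[0] - a[0], 6) for a, b in zip(records, records[1:])]
```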

Nemesis - A packet injection tool
Nemesis is another tool that allows for packet crafting and injection. The main benefit of Nemesis is that it can be used to construct packets. It supports several protocols and is highly configurable. You can use it to add a payload and send the crafted packet to a remote system. Great for protocol fuzzing.

Download it from:
http://nemesis.sourceforge.net/

The Windows version requires WinPcap. Both Packet.dll and wpcap.dll should be installed on your system.

Hping3 - packet injection tool
Hping is THE tool for probing networks and injecting packets. For pen testing with the crafting of an exploit packet, or in protocol fuzzing, Hping is my personal choice.

You can download the latest version of hping source code from http://www.hping.org/

To install it, you need to compile it for your system. First change the file "libpcap_stuff.c" by modifying the line:
The process is a standard make from here:
#./configure
#make
#make install


Tcpreplay - Packet Replay
tcpreplay provides the capability to replay packets (for replay attacks in pen tests, fuzzing with a saved packet, etc.).

You can download tcpreplay from:
http://dries.ulyssis.org/rpm/packages/libnet/info.html

You need to have libnet version 1.1 or higher installed first.
http://www.packetfactory.net/projects/libnet/
"Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets."
