[ PACKET INJECTION ]
{ http://www.BlackAngels.it }


[ Table of contents ]

1 - Legal notes
2 - Introduction
3 - General knowledge
4 - Packets building
5 - Injector's structure and work
6 - Packets injecting


[1] Legal notes
===============

The BlackAngels staff refuse all responsibility for incorrect or illegal use of the information supplied in this paper, or for any damage caused to other systems. This paper was written in accordance with Article 21 of the Italian Constitution.


[2] Introduction
================

This paper introduces the reader to the TCP/IP protocol, and in particular to the packet injection technique. With this technique it is possible to sniff all network traffic and to inject new packets. A basic knowledge of the C language is required.


[3] General knowledge
=====================

The Internet works on the basis of layering. When two computers are connected and the first sends data to the second, the data first passes through other protocol layers, each of which does part of the work. On the Internet there are three types of layer :

[a] Transport layer : This layer takes all the data to be transmitted and divides it into many small packets; it is used by the TCP ( Transmission Control Protocol ) and UDP ( User Datagram Protocol ) protocols.

[b] Internet layer : This layer gives every host a unique identifier and routes all packets from the source host to the destination host, without guaranteeing a secure transmission. The protocol used by this layer is IP ( Internet Protocol ).

[c] Link layer : This layer depends on the various types of hardware connection. It uses the BBE, IEEE 802, X.25, PPP, SLIP and IP protocols.


[4] Packets building
====================

Building packets is a very hard technique, so we will start by studying the structure of a packet. The basic structure of a packet is something like this :

+-------------------------------+
| Ethernet header | Main packet |
+-------------------------------+

The first block is required and is used to detect the packet's source, type and protocol; the end of the first block is identified by the character "e" ( end of Ethernet header ). Now, the basic structure of a TCP/IP main packet is like this :

+--------------------------+
| IP datagram | TCP packet |
+--------------------------+

The TCP packet is itself divided into further blocks. In the end, a TCP packet has this form :

+-------------------------------------------------------+
| Ethernet header | IP datagram | TCP Header | TCP Data |
+-------------------------------------------------------+

So if we want to build a TCP packet, we need the packet's header and the main TCP packet; for other packets such as ARP it is the same ( Ethernet header and ARP main packet ).


[5] Injector's structure and work
=================================

A packet injector is divided into two parts :

[1] Network sniffer
[2] Console

The first part sniffs the network traffic and captures all packets; the injector then tries to identify each packet ( type, source, destination, protocol ) and prints it on the screen. The second part lets the user interact with the injector and set a list of filters to choose which types of packets to sniff.

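The layout from section 4 and the sniffer's identification step described above, as an added example that is not part of the original paper: a bounds-checked parser that walks Ethernet header -> IP datagram -> TCP header -> TCP data and extracts protocol, addresses and ports. The names `struct flow`, `parse_frame` and `sample_frame` are this example's own, and the frame bytes are constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Fields a sniffer reports per frame (struct and names are this example's own). */
struct flow {
    uint16_t ethertype, src_port, dst_port;
    uint8_t  proto, src_ip[4], dst_ip[4];
    size_t   data_len;                          /* bytes of TCP data */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk Ethernet header -> IP datagram -> TCP header -> TCP data.
   Returns 0 on success, -1 if truncated, malformed or not IPv4/TCP. */
int parse_frame(const uint8_t *f, size_t len, struct flow *out)
{
    const uint8_t *ip = f + 14, *tcp;           /* Ethernet header: 6+6+2 bytes */
    if (len < 14 + 20) return -1;               /* no room for a minimal IP header */
    out->ethertype = be16(f + 12);
    if (out->ethertype != 0x0800 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;    /* IP header length */
    size_t total = be16(ip + 2);                /* length the IP header claims */
    if (ihl < 20 || total < ihl + 20 || total > len - 14) return -1;
    if ((out->proto = ip[9]) != 6) return -1;   /* 6 = TCP */
    memcpy(out->src_ip, ip + 12, 4);
    memcpy(out->dst_ip, ip + 16, 4);
    tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;   /* TCP header length */
    if (doff < 20 || doff > total - ihl) return -1;
    out->src_port = be16(tcp);
    out->dst_port = be16(tcp + 2);
    out->data_len = total - ihl - doff;
    return 0;
}

/* Constructed sample frame; checksums are left zero and are not verified here. */
const uint8_t sample_frame[] = {
    0xbb,0xbb,0xbb,0xbb,0xbb,0xbb, 0xaa,0xaa,0xaa,0xaa,0xaa,0xaa, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x2c, 0x00,0xf2,0x00,0x00, 0x30,0x06,0x00,0x00,           /* IP */
    192,168,1,1, 192,168,1,2,                                                /* src, dst */
    0x09,0x13,0x00,0x17, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x04,0x00, 0,0,0,0,     /* TCP */
    't','e','s','t'                                                          /* data */
};

int main(void)
{
    struct flow fl;
    if (parse_frame(sample_frame, sizeof sample_frame, &fl) != 0) return 1;
    printf("proto %d, port %d -> %d, %zu data bytes\n", fl.proto, fl.src_port, fl.dst_port, fl.data_len);
    return 0;
}
```
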
A packet injector can filter packets in many ways :

[1] Packet's type
[2] Packet's type in an IP Datagram
[3] Source IP
[4] Destination IP
[5] Source port
[6] Destination port

Now we can look at the really interesting function of this tool : packet injection.


[6] Packets injecting
=====================

This is the most important function of a packet injector. It makes it possible to build packets and send them on the network; they can also be inserted into an existing transmission between two hosts. The packet injector uses a list of simple commands; for example, if our packet is called "test.pkt", the instructions for the program are :

set infile test.pkt            <- Specify the packet's file to inject
do inject                      <- Give the order to inject the packet

This is only a simple example, but the injector requires other parameters, such as the source and destination Ethernet addresses :

setmyeth aa:aa:aa:aa:aa:aa     <- Set the source Ethernet address to aa:aa:aa:aa:aa:aa
setethto bb:bb:bb:bb:bb:bb     <- Set the destination Ethernet address to bb:bb:bb:bb:bb:bb
set filleth x                  <- Set filleth to x ( where x is a number )
set fillethto x                <- Set fillethto to x ( where x is a number )
set infile test.pkt            <- Specify the packet's file to inject
do inject                      <- Give the order to inject the packet

There are other functions, but they aren't really important. Now we can say that a packet injector is divided into three fundamental functions :

+-----------------+    +------------------+    +--------------------+
| Packets sniffer | -> | Packets injector | -> | Packets classifier |
+-----------------+    +------------------+    +--------------------+

The following is the code of a packet injector, programmed using Libnet :

packetsinjector.c

#include <stdio.h>
#include <stdlib.h>
#include <libnet.h>             /* Legacy libnet 1.0.x API */

int main(void)
{
    int network;                /* Raw socket descriptor returned by
                                   `libnet_open_raw_sock()'; it is used when
                                   writing packets and when closing the socket */
    int packet_size;            /* Used when initializing heap memory with
                                   `libnet_init_packet()' and passed as an
                                   argument when writing the packet */
    int n;                      /* Sent bytes */
    u_char *packet;             /* The packet */
    u_long src_ip, dst_ip;      /* These should be taken from argv[] */
    u_short src_port, dst_port;

    /* *_ip is returned by
       `libnet_name_resolve("123.123.123.123", LIBNET_RESOLVE)';
       *_port is a simple short int */

    /* Setting up addressing */
    src_ip = libnet_name_resolve("192.168.9.17", LIBNET_RESOLVE);
    if (!src_ip)
        libnet_error(LIBNET_ERR_FATAL, "Bad source IP\n");
    src_port = 5000;

    dst_ip = libnet_name_resolve("213.93.39.87", LIBNET_RESOLVE);
    if (!dst_ip)
        libnet_error(LIBNET_ERR_FATAL, "Bad destination IP\n");
    dst_port = 80;

    /* Defining packet size: only the IP and TCP headers are defined; no
       link-layer header is built, since a raw IP socket is used.
       LIBNET_IP_H is the libnet 1.0.x name of the IP header size */
    packet_size = LIBNET_IP_H + LIBNET_TCP_H;

    libnet_init_packet(packet_size, &packet);       /* Allocate memory */
    if (!packet)
        libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");

    network = libnet_open_raw_sock(IPPROTO_RAW);    /* Open raw socket */
    if (network == -1)
        libnet_error(LIBNET_ERR_FATAL, "Cannot open network interface\n");

    /* Packet construction - Building IP */
    libnet_build_ip(LIBNET_TCP_H,       /* Size */
                    IPTOS_LOWDELAY,     /* IP TOS */
                    242,                /* IPID */
                    0,                  /* No fragmentation */
                    48,                 /* Time To Live */
                    IPPROTO_TCP,        /* Protocol */
                    src_ip,             /* Source IP address */
                    dst_ip,             /* Destination IP address */
                    NULL,               /* Payload */
                    0,                  /* Length of payload */
                    packet);            /* Packet header memory */

    /* Packet construction - Building TCP */
    libnet_build_tcp(src_port,          /* Source TCP port */
                     dst_port,          /* Destination TCP port */
                     0xa1d95,           /* Sequence number */
                     0x53,              /* Ack number */
                     TH_SYN,            /* Set SYN flag */
                     1024,              /* Window size */
                     0,                 /* Urgent off */
                     NULL,              /* Payload */
                     0,                 /* Payload length */
                     packet + LIBNET_IP_H);     /* Packet header memory */

    /* Checksum */
    if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1)
        libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");

    n = libnet_write_ip(network, packet, packet_size);      /* INJECTION */
    if (n < packet_size)
        libnet_error(LIBNET_ERR_WARNING, "libnet_write_ip only wrote %d bytes\n", n);
    else
        printf("Construction and injection completed, wrote all %d bytes\n", n);

    if (libnet_close_raw_sock(network) == -1)               /* Cleanup */
        libnet_error(LIBNET_ERR_WARNING, "libnet_close_raw_sock couldn't close interface\n");

    libnet_destroy_packet(&packet);     /* Free packet memory */

    return (n == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}

Another simple example is the following, which has been coded using Perl's Net modules :

#!/usr/bin/perl

use strict;
use warnings;
use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet qw(:strip);
use NetPacket::TCP;
use NetPacket::IP qw(:strip);

print "\n[ Simple Packets Injector ]\n\n";
print "Functions :\n";
print "[1] - Promiscuous packets sniffer\n";
print "[2] - Packets injector\n\n";
print "Input function's number : ";

# Read the menu choice from standard input
my $funct = <STDIN>;
chomp $funct;

if ($funct eq "1") { sniffer(); }
elsif ($funct eq "2") { injector(); }
else { print "\n\nUnknown function ...\n\n"; exit(1); }

# Capture TCP traffic on eth0; opening the capture device needs root
sub sniffer {
    if ($> != 0) { die "You need EUID 0 to sniff network traffic ...\n\n"; }
    Net::PcapUtils::loop(\&sniffit, Promisc => 1, FILTER => 'tcp', DEV => 'eth0');
}

# Callback run for every captured packet: print source and destination
sub sniffit {
    my ($args, $header, $packet) = @_;
    my $ip  = NetPacket::IP->decode(eth_strip($packet));
    my $tcp = NetPacket::TCP->decode($ip->{data});
    print "$ip->{src_ip}:$tcp->{src_port} --> $ip->{dest_ip}:$tcp->{dest_port}\n";
}

# Build one TCP packet with Net::RawIP and send it once
sub injector {
    my $packet = Net::RawIP->new;
    $packet->set({
        ip  => { saddr => '192.168.1.1', daddr => '192.168.1.2' },
        tcp => { source => 2323, dest => 23, ack => 1, seq => 10000000,
                 ack_seq => 10000000, data => 'Testing Net::RawIP' }
    });
    $packet->send(0, 1);
}

With this simple code, I close this paper. For more information, send me a message at : sedn4[at]blackangels.it

Thank you for reading this paper.