Solved

Packet Changer

Posted on 2007-03-21
Last Modified: 2013-12-07
Are there any freeware tools that can create new packets, and modify and delete packets already sent?
Question by:jackmcbarn
25 Comments
 
LVL 30

Expert Comment

by:pgm554
ID: 18790146
I think you can do that in Wireshark.
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18792378
I looked and didn't see it.  Can you tell me how?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18793770
tcpdump on Linux, windump on Windows.

1. Capture the traffic using ethereal (wireshark).
2. Save a pcap file.
3. Edit with the above tools.

Also may I ask why do you want to do this?

Cheers,
Rajesh
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18794147
I mean "tamper with" packets as they are going over the network.  And don't forget I need a tool to create packets too.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18797435
I believe this question is going against the ethics of this site and these questions won't be answered here... Sorry...

Cheers,
Rajesh
0
 
LVL 30

Expert Comment

by:pgm554
ID: 18797880
What are you trying to accomplish?

I can see a need to alter packets to test infrastructure and security, so give me an idea of why you want to do this.
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18799317
I'm running some network security tests.  I know real hackers get ones they pay for.
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18801857
No problem.
0
 
LVL 30

Assisted Solution

by:pgm554
pgm554 earned 20 total points
ID: 18802544
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18802812
I don't have GUI access to a Linux system.  BitTwist looks good for making packets from scratch.  I'll try it out.
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18803077
BitTwist looks pretty good, but don't forget I wanted to be able to modify packets as they were being sent.
0

 
LVL 2

Accepted Solution

by:jaredcall
jaredcall earned 65 total points
ID: 18819460
Modifying packets _during_ transmission is called a man-in-the-middle attack.  

To modify packets as they're being sent, you need to modify them somewhere in the routing path of the packet.  The routing path consists of 1) the node sending the packet, 2) any routers/switches that the packet uses to travel to the destination, 3) the node receiving the packet.

In other words, imagine a bunch of people, in a line, all passing a typewritten letter from one person to another from one end of the line to the other.  You have to be one of the people in that line, grab the packet, and replace it with one of your own creation.  If you're sitting on the sidelines, yelling to everyone "Hey!  Disregard that packet!  _MY_ packet is the one you want!" you'll simply get ignored.

If you're using something like sniffer/wireshark/tcpdump to capture and then regenerate the packets, all you're doing is sending near-duplicate packets that will ultimately get dropped anyway.  You're the guy on the sidelines.

What, specifically, are you trying to test?  Are you sure it's mid-transmission alteration?  Man-in-the-middle is hard to do without direct control of hardware in the traffic flow.
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18820454
I have access to all the hardware.
>If you're using something like sniffer/wireshark/tcpdump to capture and then regenerate the packets, all you're doing is sending near-duplicate packets that will ultimately get dropped anyway.  You're the guy on the sidelines.
A man-in-the-middle attack IS exactly what I'm trying to test.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18821141
Hunt is one good tool to use for testing this purpose.

Just google 'hunt tool' and go for first link.

Cheers,
Rajesh
0
 
LVL 2

Assisted Solution

by:jaredcall
jaredcall earned 65 total points
ID: 18821615
I understand that you have all the hardware.  Even so, the hardware is currently set up to actually route packets from the source to the destination.  The nature of a man-in-the-middle attack is that you intercept the packets, prevent them from going to the destination, and then send your packets instead.  

Even if you are successful in IP spoofing, or TCP hijacking, what you're doing is pretending to be someone you're not.  You're not actually transforming packets as they're being transmitted.

That may be splitting hairs, but I'm not sure if you want to simply _look_ like you're transmitting to node 2 from node 1, or actually capture traffic from node 1 that's going to node 2, alter it, and deliver it to node 2 without either node 1 or node 2 having any idea that there is a problem.  That's harder.  There may be tools out there to do it, but you'd have to either:
1 - run 2 NICs in your PC and run the tool on your PC after having put your PC in the routing path
2 - the software would successfully alter routing tables on other nodes in your network to make them think that they _needed_ to route through your PC.
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18833436
>1 - run 2 NICs in your PC and run the tool on your PC after having put your PC in the routing path
This is what I'll probably do.  Can you give me more details?
0
 
LVL 2

Assisted Solution

by:jaredcall
jaredcall earned 65 total points
ID: 18834286
You'd have to turn your PC into a router.  Install a 2nd network card, give it a different IP address, then enable routing on your PC.  Essentially, it would go like this:

PC1:  This is the origin of the traffic you'll be intercepting and man-in-the-middle-ing.
PCrouter:  This is the PC with 2 network cards in it
PC3:  This is the destination of the traffic that PC1 started.

In other words, if PC1 is looking at a web page, PC3 is the web server.  PCrouter is the one intercepting and spoofing the traffic.

PC1:  connects to hub1 (or directly via crossover cable) where NIC1 on PCrouter is connected.
PC3:  connects to hub2 (or directly via a 2nd crossover cable) where NIC2 on PCrouter is connected.

PC1 and PCrouter's NIC1 have IP addresses of 10.0.0.1 and 10.0.0.254, respectively.  PC1's default gateway is 10.0.0.254.

PCrouter's NIC2 and PC3 have IP addresses of 172.20.1.254 and 172.20.1.3, respectively.  PC3's default gateway is 172.20.1.254.

Make sure that PC1 can access the web page on PC3.  If this doesn't work, the networking setup is incorrect.

Once PC1 can access the web page (assuming the test is to access a web page), your task is now to intercept the traffic using PCrouter and make it look like PC1 is actually requesting a different web page.  In other words:
1) PC1 requests page1.html
2) PCrouter intercepts the request, changes the request from page1.html to page2.html
3) PC3 sees the request from PC1 for page2.html (because you've had PCrouter mess with the request) and sends the content of page2.html to PC1.
4) PC1 gets the content for page2.html, having requested page1.html.

If you're running XP, you'll have to turn on "Internet Connection Sharing" but I'm not sure if that'll be enough.  See http://www.practicallynetworked.com/sharing/xp_ics/ for more details on setting up ICS.

You could always use a Live CD router bootable CD (wouldn't touch your hard drive -- all run from the CD) to run Linux as a router on your PC.  If you want to try that route, look at something like http://www.wifi.com.ar/cdrouter.html . I'm sure it's not the only one out there, but it was one of the first Google results.  :)

Have fun!

-jared
0
 
LVL 2

Expert Comment

by:jaredcall
ID: 18834289
I should note that that's how it'd work in theory.  In practice, I'm likely of no use trying to troubleshoot any interception tool you might use on PCrouter.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18834297
Granted that this is a *test attack* on the internal traffic; take a look at hunt.

Hunt works in 2 ways. First, it poisons the ARP cache of the victim and the server.

Then the traffic flows through the attack pc and you don't need 2 nic cards on that.

Cheers,
Rajesh
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18835784
I can't use Hunt.  I'm running only Windows.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18836361
One of the first things to realize is that you need to use Linux for such tests, as most of the tools are written for this OS.

As well, you could've used Google to find the ones that are written for Windows specifically;

http://www.google.com/search?q=tcp+hijacking+tool+for+windows&btnG=Search&hl=en&client=opera&rls=en&hs=jbh

Cheers,
Rajesh
0
 
LVL 4

Author Comment

by:jackmcbarn
ID: 18889597
I will close.  Points split.
0
