Crafting Network Protocols
3.10.2017
Terms of use
All the content and resources have been provided in the hope that it will be useful. Author do not take responsibility for any misapplication of it. The document is distributed in the hope that will be useful, but WITHOUT ANY WARRANTY.
Introduction
The document describes the methods and approach how to craft any protocol message which could be used to try to find vulnerabilities also in not common protocols. The precondition is to have some existing traffic capture (pcap) and that the protocol is dissected by the wireshark.
Background
When dealing and performing the security assessment of network protocols we can consider two types of approaches. One is the passive analysis of the traffic capture (pcap). Second is the active injection of the messages towards the target system. While the passive approach is useful for analyzing the current network flows, the active injection of the messages is valuable to detect new vulnerabilities on the target system.
Using Wireshark to identify the payload
Wireshark can be used to decode the pcap. The hex payload from corresponding protocol layer can be copied from wireshark.
To copy the HEX stream perform:
right click on the protocol layer -> copy -> .. as a Hex Stream
Replaying the payload using netcat
The hex payload from wireshark can be then replayd using netcat over the network. The example is by using the following commands bellow.
# Send hex payload over network by using TCP
echo "aabbccddeeff" | xxd -r -p | nc 127.0.0.1 8080
# Send hex payload over network by using UDP
echo "aabbccddeeff" | xxd -r -p | nc -u 127.0.0.1 8080
The whole example for DNS protocol can look like the following:
- Run wireshark to be able to make traffic capture on your laptop
- Run nslookup www.google.com
- Select the DNS captured packet in wireshark and copy the Hex stream from DNS layer
- Replay it by using the following command (note: the hex payload is from the wireshark)
echo "803f010000010000000000000377777706676f6f676c6503636f6d0000010001" | xxd -r -p | nc -u 8.8.8.8 53
Why doing this?
The main added value of this approach is that any standalone message of any protocol which is transported over TCP/UDP can be send/replayed to any new host also without having the capability to encode or decode such protocol. So this approach can be used also for new or not well known protocols.
Replaying the payload using python scripts
The similar approach as using the netcat command can be achieved by using various programming languages. Bellow is simple example for using python script.
#!/usr/local/bin/python
import socket
use_udp = True
if (use_udp):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', 12345))
sock.connect(("8.8.8.8", 53))
packet = "803f010000010000000000000377777706676f6f676c6503636f6d0000010001"
sock.send(packet.decode('hex'))
sock.close()
Fuzzing of the messages
Additionally the message can be fuzzed by using script. Here is the simple example of random byte replacement in the hex stream from previous example (the packet variable contains the hex stream in ASCII string format).
# number of fuzzed bytes, right now fuzz only 1 byte
for j in range (0, random.randint(1,1)):
position = int(random.randint(0, len(packet))/2)
position = position * 2
fuzz = ''
# length of inserted fuzzed string, right now insert only 1 byte
for k in range (0, random.randint(1,1)):
fuzz = fuzz + format(random.randint(0, 255), '02x')
packet = packet[:position] + fuzz + packet[position + 2:]
Encoding of the payloads and crafting new messages
Different libraries can be used to encode/decode the various application layers.
For specific protocols the specific libraries should be checked if they are available for the selected programming language binding.
For python the known more generic libraries are scapy or pycrate. The libraries can be used to encode/decode various protocols.
Additionally also the packets can be hex edited by using wireedit or wireshark experimental packet editor feature with older wireshark versions. Unfortunately it is not included in Wireshark 2.0 and later yet (Bug 11840).
Also the experimental python script json2pcap can be used for light packet editing. The script is included in wireshark tools and the development version is located here.