Crafting Network Protocols

3.10.2017

Terms of use

All the content and resources have been provided in the hope that it will be useful. Author do not take responsibility for any misapplication of it. The document is distributed in the hope that will be useful, but WITHOUT ANY WARRANTY.


Introduction

The document describes the methods and approach how to craft any protocol message which could be used to try to find vulnerabilities also in not common protocols. The precondition is to have some existing traffic capture (pcap) and that the protocol is dissected by the wireshark.


Background

When dealing and performing the security assessment of network protocols we can consider two types of approaches. One is the passive analysis of the traffic capture (pcap). Second is the active injection of the messages towards the target system. While the passive approach is useful for analyzing the current network flows, the active injection of the messages is valuable to detect new vulnerabilities on the target system.


Using Wireshark to identify the payload

Wireshark can be used to decode the pcap. The hex payload from corresponding protocol layer can be copied from wireshark.

To copy the HEX stream perform:

right click on the protocol layer -> copy -> .. as a Hex Stream

Replaying the payload using netcat

The hex payload from wireshark can be then replayd using netcat over the network. The example is by using the following commands bellow.

# Send hex payload over network by using TCP

echo "aabbccddeeff" | xxd -r -p | nc 127.0.0.1 8080

# Send hex payload over network by using UDP

echo "aabbccddeeff" | xxd -r -p | nc -u 127.0.0.1 8080


The whole example for DNS protocol can look like the following:

  1. Run wireshark to be able to make traffic capture on your laptop
  2. Run nslookup www.google.com
  3. Select the DNS captured packet in wireshark and copy the Hex stream from DNS layer
  4. Replay it by using the following command (note: the hex payload is from the wireshark)
  5. echo "803f010000010000000000000377777706676f6f676c6503636f6d0000010001" | xxd -r -p | nc -u 8.8.8.8 53

Why doing this?

The main added value of this approach is that any standalone message of any protocol which is transported over TCP/UDP can be send/replayed to any new host also without having the capability to encode or decode such protocol. So this approach can be used also for new or not well known protocols.

Replaying the payload using python scripts

The similar approach as using the netcat command can be achieved by using various programming languages. Bellow is simple example for using python script.


#!/usr/local/bin/python
import socket
use_udp = True
if (use_udp): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind(('0.0.0.0', 12345)) sock.connect(("8.8.8.8", 53)) packet = "803f010000010000000000000377777706676f6f676c6503636f6d0000010001" sock.send(packet.decode('hex')) sock.close()


Fuzzing of the messages

Additionally the message can be fuzzed by using script. Here is the simple example of random byte replacement in the hex stream from previous example (the packet variable contains the hex stream in ASCII string format).


# number of fuzzed bytes, right now fuzz only 1 bytefor j in range (0, random.randint(1,1)): position = int(random.randint(0, len(packet))/2) position = position * 2 fuzz = '' # length of inserted fuzzed string, right now insert only 1 byte for k in range (0, random.randint(1,1)): fuzz = fuzz + format(random.randint(0, 255), '02x') packet = packet[:position] + fuzz + packet[position + 2:]


Encoding of the payloads and crafting new messages

Different libraries can be used to encode/decode the various application layers.

For specific protocols the specific libraries should be checked if they are available for the selected programming language binding.

For python the known more generic libraries are scapy or pycrate. The libraries can be used to encode/decode various protocols.

Additionally also the packets can be hex edited by using wireedit or wireshark experimental packet editor feature with older wireshark versions. Unfortunately it is not included in Wireshark 2.0 and later yet (Bug 11840).

Also the experimental python script json2pcap can be used for light packet editing. The script is included in wireshark tools and the development version is located here.