CompTIA Pentest+ PT0-002 – Section 5: Active Reconnaissance Part 4

43. Packet Crafting (OBJ 2.2)

As a penetration tester, you’ll often find that there are times where you need to manipulate the way TCP/IP works in a given network. When we do this manipulation we call it packet crafting. Packet crafting is a technique that allows someone to generate a network packet with a specific data content described by that attacker or penetration tester. The crafted packet can then be used to conduct diagnostics, probing attacks, and testing of different network defenses and firewalls. There are two commonly used tools when conducting packet crafting Hping and Scapy.

Before I start showing you some examples of these tools let’s first talk about when you might want to craft a packet. You might want to do this when you’re trying to set unusual TCP flags to see how a firewall responds to that and whether or not it might allow you to get that packet through their defenses. For example, if you want to set up a packet under what is called a Christmas tree you’re going to set the flags for fin urge and push to on and making them a value of one each. This lights up like a Christmas tree when it hits a firewall.

Now, if a firewall has a strict interpretation of the TCP standard it’s actually going to allow that to go straight through because it doesn’t understand that type of packet. Now, most modern firewalls are not going to fall for this trick but some of the older ones and some of the legacy device out there may. Another reason to connect packet crafting is when you want to fragment packets that way you can break them up into smaller pieces and try to sneak them by a sensor on an intrusion detection or intrusion prevention system.

Also, you may want to create these fragmented packets that can’t be reassembled. This way it starts consuming up the resources on a given system or target and that can actually cause a denial of service. Now, as a penetration tester we really wouldn’t want to do that because we don’t want to crash somebody’s systems, but an attacker might so it is something you may be asked to test to verify if that system is vulnerable to this type of an attack.

Now, our goal in all of this is to be able to use as few packets as possible to create our desired objective. Our goal is to be silent and sneaky and evade detection here. So when we do packet crafting, our goal is to try to sneak on through these defenses by manipulating these TCP packets. Now, when we talk about packet crafting there’s really four stages that you have to go through. You have assemble, edit, play, and decode. Now, when you assemble, you are creating the packet that’s going to be sent.

When you edit, you’re going to modify the contents of that created or captured packet so it’s getting ready to be sent. When you play, you’re going to send or resend that packet onto the network and when you decode, you’re going to capture and analyze traffic that was generated by using a packet analyzer like Wireshark in response to the packet you set. Now, when you’re crafting your packets you can do this using a command line tool, a graphical user interface tool, or some kind of a script. In the case of Hping, it’s a command line tool. In the case of Scapy, it’s actually a Python script. All right, with that background behind us let’s go ahead and take a look at Hping first.

Now Hping is used to do packet crafting and manipulation and this is often used by attackers. Now, Hping is an open-source spoofing tool that provides a PenTest with the ability to craft their own network packets, to exploit vulnerable firewalls and intrusion detection and intrusion prevention systems. The idea with Hping, is to do a lot of different functions for you. You can do things like host and port detection and firewall testing, you can do timestamping, you can use Traceroute.

You can do fragmentation, or you can even do Denial of Services and use it as an attack tool. We’re going to talk about each of those now. First host and port detection and firewall testing this is one of the functions of Hping just like we could craft things with Nmap and the way we use SYN or ACK packets to do our detection we can do the same thing with Hping. So if I wanted to use Hping here I can type it in something like this. Hping three dash S dash P80 dash C1 192.168.1.1.

Now, what is this command telling Hping to do? It’s saying send a SYN packet that’s the dash S over port 80, which is the port I want to target with a count of one, meaning send only one SYN packet to this IP address. So this is going to be very stealthy because I’m only sending one packet out and trying to get a response to see if you’re awake. This will allow me to enumerate your network very quietly and very stately against a single IP address just shown here. Now, the next thing we can do is we can use something like dash A.

Now with Hping three dash A and the rest of it’s all the same. I’m going to use an acknowledgment packet instead of a SYN packet so I can send whatever kind of packet I want. I can choose using Hping because I’m manipulating and crafting this packet that I’m going to send across the network. Both of these are ways to help you avoid detection via a firewall or IDS or IPS. Next we can also do timestamping using Hping. This allows to determine the systems uptime.

How long has that host been online? Now, if you look at a workstation they generally are rebooted every night, but servers they may be up for a long, long time. The other thing that uptime tells you is you have a server that’s been up for say a year. That means they probably haven’t installed all the patches or upgrades because usually you have to reboot a server when you put in those larger patches and upgrades so timestamping is useful for that. To send this type of a packet, you would use Hping three dash C2 or C1 in this case, C2 dash S P80 dash dash TCP dash timestamp and then the IP address. So in this case, I’m sending two SYN packets over port 80 to determine the uptime of that system. Now, the reason I’m sending two packets here is it’s usually going to be a little bit more effective SYN two when you’re doing a timestamp than just doing one.

Next, we’re going to use trace route now trace route is going to use arbitrary packet formats such as probing DNS ports, using TCP or UDP to be able to perform traces when you can’t use ICMP in a given network, because it’s blocked. As I said back, when we talked about Mmap, Traceroute and ping can often be blocked by firewalls because they’re not going to allow echo reply packets which use ICMP to go out the network. So you can start using different packet formats like SYN packets and acknowledge packets to be able to do that trace route for you. Next one we want to talk about is fragmentation. Now fragmentation attempts to evade detection by the IDS and IPSs and firewalls by sending fragment and packets across the network for later reassembly.

Because we’re using TCP, I can send the packets in any order I want and fragmented and the system, once it receives them all will put them back together. In older days, you could actually send fragments through so that detection wouldn’t be caught. In most modern operating systems, they are going to get caught even if you’re using fragmentation. Now, the next one we’re going to talk about and the last one we’re going to talk about is denial of service or DoS. This can be used to perform flood-based Denial of Service attacks from randomized source IPs. Additionally, you can actually craft that packet any way you want. So if you think back to your security plus you talked about things like the ping of death.

Well, if you’re doing the ping of death, you took a packet and you made a really, really large size packet that was over the size of a ping packet that’s allowed, which is 65,535 bytes and so if you had one that was larger than that it could actually corrupt the system and make it crash. These days, most systems are not vulnerable to a ping of death.

So you’re not going to be able to do Denial of Service that way but using Hping was a valid way to do it because you could craft the packet and make it whatever size you want it. Now, again, I want to bring up the point that fragmentation and Denial of Service while they are used in Hping they’re not going to be something that’s going to be very effective in today’s environment because most modern operating systems and network appliances know these attacks occur and so they don’t allow fragmentation to occur to be able to sneak things through they’ll reassemble the packets first and then scan them against the IDS or the Denial of Service.

Those things will be blocked because they know they’re coming. Now, if you’re going against some kind of a legacy system or some kind of a skater or ICS or embedded system some of those attacks may still work using fragmentation or Denial of Service. So it is still something that’s valid to try as a penetration tester, but again, for the most case, most of our modern OSS are going to be invulnerable to this type of an attack. As you can see, Hping has a lot of great capabilities. Now, the other commonly used tool for this is known Scapy. Now, Scapy is a powerful, interactive packet manipulation tool, packet generator, network scanner, network discovery, packet sniffer and more all put into one simple script.

Now, at the moment I’m recording this, this tool already has a ton of capability and it can replace most of what Hping can do, a lot of what Mmap can do, as well as other tools like ARP spoof, Arping, TCP Dub, Enthrill and PLF. When you’re using Scapy you’re going to define a set of packets and then you’re going to send those receive the answers, match those re
quests with the answers and return a list of packet couples that actually have the request and answers as well as a list of any unmatched packets. This is one of the advantages of using a tool like Scapy because it comes back with this packet couples and so you’re not just getting an open, closed or filtered port state, but you’re actually getting the whole packet for further analysis if you need it. Now, when you want to use Scapy, it’s a pretty easy tool to use.

There’s currently two different versions of Scapy. There is Scapy and Scapy three. The difference is Scapy runs on Python two and Scapy three runs on Python three which is a newer version. Now to learn how to use Scapy you can simply type in Scapy three dash H and you’ll see the usage. You’re going to first type in Scapy and then the options you want. For example, if you use dash S you can specify a session file. If you use dash lowercase C, you can have a new startup file. If you use dash lowercase P, you’ll get a new pre-start file.

If you use dash capital C you’re going to get a command that says do not read the startup file and if you use dash capital P, you’re going to get do not read the pre-startup file. If you use dash capital H this is considered a header-less startup which means, it’s going to run in the background and not give you a lot of interactive activity while it’s doing its business. If you want to learn a little bit more about Scapy and how to use it, I do recommend going and doing some additional research and finding some great walkthroughs that are available online. The usage of Scapy itself is not covered by the exam but the fact that Scapy is a packet crafting tool is something you need to know.

44. Eavesdropping (OBJ 2.2)

Another option for active reconnaissance during the information gathering phase of an engagement, is the use of electronic surveillance or eavesdropping. Now eavesdropping is the act of secretly, or stealthy listening to the private conversation, or communications of other people without their consent, in order to gain information, this can be conducted using non-technical means through social engineering, or technical means using technology. For example, maybe I know that the system administrators like to go to the bar at five o’clock, every Friday afternoon after work, I can simply go to that bar, grab a drink, and listen to what types of information I could gather by eavesdropping onto their conversations. Alternatively, I can also conduct eavesdropping using more technical methods, such as placing a network tap on the organization’s way in connection, conducting an on path attack to reroute their traffic through a proxy server, or rogue wireless access point that I control, or even joining their wireless network, and setting my wireless card into promiscuous mode, which would allow me to collect all the traffic as it’s passing through the air. In technical eavesdropping, our goal is to try and capture the information from the data packets as they’re crossing the network, or passing across the internet. Remember though, you have to check if eavesdropping is within the scope of your engagement, and has been agreed upon by you and the organization before you conduct it.

If it is within the scope of the engagement, then by all means it would be a valid technique to use. Wireless devices of all kinds are also great targets for eavesdropping, if you can get close enough to the facility, or an employee with a device outside of their office, by using specialized equipment to capture radio frequencies, a penetration tester, or an attacker, can capture data from cell phones, wireless devices, Bluetooth devices, near-field communication devices, and other sources, then they can attempt to crack any encryption used that protects those devices, and if they’re able to do that, they can then analyze the information that was transmitted because they now have it captured. Now capturing cell phone communications is probably not something you’re going to do as a penetration tester, unless you work for the federal government or the military, but it is considered a valid penetration testing technique, and a valid attack technique, because attackers usually don’t care too much about the law. These frequencies may be captured right out of the air, and depending on the quality of your antenna, you can actually capture that without being that close to the actual target.

Now, if we have a really strong antenna, for example, we might pick up the signal from a further distance away, but we’re still going to have to have specialized tools to turn that scrambled or encrypted data, into usable information. Now, in addition to capturing the frequencies, a more common type of eavesdropping is known as network traffic capture or packet sniffing. This involves capturing all the data packets that were set over the targeted network, and then putting them into a file, packet sniffing attempts to intercept and log all of that traffic from a wired or wireless network, and if you’re able to gain access to a host computer during your initial foothold of your attack and exploitation phase, you can actually turn that computer into a network sniffer for you, by using utilities inside of the Metasploit framework to further your enumeration of the network, and gain additional access to conduct lateral movement.

Now, as you’re going to find out, once you enter into phase three of your engagement, you’re often going to be going back and forth between phase three and phase two, so you can conduct additional reconnaissance, and enumeration based on where you’re now at, with your initial foothold in that organization’s network. Oftentimes our penetration testing methodology becomes very cyclical in nature, and we go between phase two to phase three, back to two, back to three, and back and forth over and over again, until we reach the end of the engagement, and move fully into phase four, which is reporting and communication. Now, if you’re conducting network sniffing, you’re often going to use a software tool, like Wireshark or TCPDump, to conduct the packet capture and analysis, these tools are known as protocol analyzers, and they have the ability to also conduct packet capturing because they are packet capture tools as well. Now to perform network sniffing, you need to place your network card into what is known as promiscuous mode, this allows the card to capture all the traffic it sees on the network segment, and then writes those packets into a PCAP file, which we call a packet capture file.

Now this PCAP file can later be analyzed using offline methods, using a protocol analyzer, like Wireshark or TCPDump, so you don’t have to do this all in real time. A protocol analyzer is just a specialized type of software that collects raw packets from the network, and these packets are then analyzed, which can be helpful for troubleshooting network connectivity issues, if you’re a network engineer, or for assessing security, if you’re a penetration tester. Now when capturing this raw network traffic, the sniffer is going to not transmit any data back into the network, and so it makes it really difficult for network defenders to see us and detect us. This is really a passive thing when we’re collecting the data, but we put it under active reconnaissance because to gain access to that network, to install that sniffer was an active activity.

Now, in order to protect the data as it moves across the networks, most network defenders and system administrators, are going to utilize encryption techniques, to protect the data in transit, if they failed to do that, then it makes our job as a penetration tester, or an attacker really easy, because we can easily read that information from the packets we captured, using Wireshark or TCPDump. Now many different protocol analyzers are available out there, but again, the most widely utilized is Wireshark, and it has a graphical user interface that can be used to capture packets, analyze those packets, and identify the desired information, if it was unencrypted when it was sent. Even some forms of encryption can be decrypted by Wireshark 2, if they’re vulnerable to exploitation, like some of the older versions of SSL are. During an engagement protocol, analyzers can be used to help prove or disprove statements that are made by system administrators. For example, maybe you’re conducting an audit, and the administrator claims that certain types of network traffic are encrypted.

Well, you can easily verify whether or not that’s accurate by conducting network sniffing, and analyzing the captured packets. If it’s not encrypted, you’re going to be able to see everything, including user names and passwords really quickly. Now, if our target is using a hub on their network, or the organization is running a wireless network, we’re going to be able to see a lot of information going across that network, and be in a great position to capture it. If we’re using a switch based network though, those switches are only passing information to the designated ports based on the Mac addresses, so we’re only going to see what is going to and from our computer. Now, if this is the case, we have to connect to a wired port that’s configured as a SPAN port or mirrored port, in order for us to be able to see all the traffic in that wired network.

Now, if we can’t find a SPAN port or mirrored port, then we’re going to have to conduct a network attack to overload the CAM table of that switch, and force it into promiscuous mode, but this is obviously more noisy, and much easier for a network defender to catch. Wireless networks on the other hand, are much easier to perform packet capturing on because we can connect to them, we can then capture everything they have, because they’re operating like a hub, and they rebroadcast all that traffic to the entire network segment. To break into one of those networks, in the attack and exploitation phase, you’re going to use tools like Aircrack-NG, which is a wonderful suite of tools, that can help us break into WEP, WPA, WPA2 and WPA3 encrypted networks. As soon as we’re in that network, we can then start capturing all the packets, and then harvest a great deal of information from it. Now you may be wondering, if I’m capturing encrypted data into a packet capture, that’s pretty useful if I can decrypt it, but what if I can’t? Is it still useful? Well, the answer is, sometimes, this really depends on your goals during the engagement, but just because the data is encrypted in the payload, doesn’t mean that the packet itself is useless.

The encrypted data still has a lot of useful metadata in the packet header, and we can identify things, like the source and destination IP addresses, or the source and destination ports, the type of protocols in use, and the volume of data being sent, all of this can be captured as we’re doing our packet captures, even if the payload has been encrypted. For example, let’s say I capture the network packets over a seven-day period, for a given organization during an engagement, even though the contents were encrypted, I can still learn a lot about that organization, I may see there’s a large volume of data, that’s leaving the organization’s network, every evening from 1:00 AM to 4:00 AM, I can see the IP address that the data was sent to, and I can look that up and figure out, maybe it’s owned by Amazon Web Services.

This now tells me this organization might be conducting offsite backups to their cloud provider, every night between 1:00 AM and 4:00 AM. Similarly, if I see a lot of VPN traffic going from their headquarters to another location, I can identify potential areas for attacks at those locations too, based on their IP addresses and the ports they’re using, those locations might be branch offices, and as I’ve said before, branch offices tend to be less secure than the headquarters building, so it may be an easier way for you to break into the network. When we collect these encrypted types of information, another thing we can use it for, is to build out a flow analysis, this helps us identify the resources and servers that are communicating with each other, and what types of devices or locations, they’re communicating with. The benefit of flow analysis is that allows us to highlight these trends and patterns, inside of the network traffic.

We can also set up alerts based on anomalies that we detect based on different patterns and triggers, as they’re being observed. Flow analysis can also use visualization tools to quickly create maps of different network connections, and their flow patterns, as well as to highlight any abnormal traffic patterns that might reveal data exfiltration by another attacker, malware beaconing by another attacker or other maladies. A tool like NetFlow can be used to conduct flow analysis, and it’s going to show you the metadata, and visualizations for the captured traffic, even if those packet contents were encrypted.

Remember flow analysis is focused on metadata, but protocol analyzers can actually look into the packets, and see the data they contain. This makes protocol analyzers exceptional tools, for finding insights into HTTP sessions, by extracting files contained within those sessions, identifying malware connections to remote hosts, identifying vulnerable versions of software, finding evidence of Brute Force attempts and much more. You can even capture all the API requests and responses that are being sent, to and from a vulnerable web application, by doing this packet capture too.

• Category: Uncategorized