The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as ARP requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.
To create an encrypted packet, you must have a PRGA (pseudo random generation algorithm) file. This is used to encrypt the packet you create. It is typically obtained from the aireplay-ng chopchop or fragmentation attacks.
Forging ARP, UDP, ICMP or custom packets with packetforge-ng
root@kali: # packetforge-ng --help
Packetforge-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
Usage: packetforge-ng <mode> <options>
Forge options:
-p <fctrl> : set frame control word (hex)
-a <bssid> : set Access Point MAC address
-c <dmac> : set Destination MAC address
-h <smac> : set Source MAC address
-j : set FromDS bit
-o : clear ToDS bit
-e : disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source IP [Port]
-t ttl : set Time To Live
-w <file> : write packet to this pcap file
-s <size> : specify size of null packet
-n <packets> : set number of packets to generate
Source options:
-r <file> : read packet from this raw file
-y <file> : read PRGA from this file
Modes:
--arp : forge an ARP packet (-0)
--udp : forge an UDP packet (-1)
--icmp : forge an ICMP packet (-2)
--null : build a null packet (-3)
--custom : build a custom packet (-9)
--help : Displays this usage screen
Usage Example
Generating an ARP request packet
Here is an example of how to generate an ARP request packet.
First, obtain a xor file (PRGA) with either the aireplay-ng chopchop or fragmentation method.
Then use the following command:
packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request
Where:
- -0 indicates you want an ARP request packet generated
- -a 00:14:6C:7E:40:80 is the Access Point MAC address
- -h 00:0F:B5:AB:CB:9D is the source MAC address you want to use
- -k 192.168.1.100 is the destination IP, i.e. in an ARP request it is the "Who has this IP"
- -l 192.168.1.1 is the source IP, i.e. in an ARP request it is the "Tell this IP"
- -y fragment-0124-161129.xor is the file to read the PRGA from
- -w arp-request is the pcap file to write the packet to
Assuming you are experimenting with your own access point, the ARP request packet generated above can be decrypted with your own key. So to confirm that the packet we just created can be decrypted, enter:
airdecap-ng -w <access point encryption key> arp-request
The results look like this:
Total number of packets read 1
Total number of WEP data packets 1
Total number of WPA data packets 0
Number of plaintext data packets 0
Number of decrypted WEP packets 1
Number of decrypted WPA packets 0
To view the packet that was just decrypted, enter:
tcpdump -n -vvv -e -s0 -r arp-request-dec
The results look like this:
reading from file arp-request-dec, link-type EN10MB (Ethernet)
18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.100 tell 192.168.1.1
Which is exactly what we expected. Now you can inject this ARP request packet as follows:
aireplay-ng -2 -r arp-request ath0
The program will respond as follows:
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:AB:CB:9D
0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d .A....l @.......
0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a ........lH......
0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d I.!.x..B/....0.M
0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 :.....gC.V$.....
0x0040: d64f b709 .O..
Use this packet ? y
Saving chosen packet in replay_src-0124-163529.cap
You should also start airodump-ng to capture replies.
End of file.
By entering "y" above, the packet you created with packetforge-ng is then injected.
Generating a null packet
This option allows you to generate LLC null packets. These are the smallest possible packets and contain no data. The switch "-s" is used to manually set the size of the packet. This is a simple way to generate small packets for injection.
Remember that the size value (-s) defines the absolute size of an unencrypted packet, so you need to add 8 bytes to get its final length after encrypting it (4 bytes for IV+index and 4 bytes for ICV). This value also includes the 802.11 header with a length of 24 bytes.
The command is:
packetforge-ng --null -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor
Where:
- --null means generate an LLC null packet (requires double dash).
- -s 42 specifies the packet length to be generated.
- -a BSSID is the MAC address of the access point.
- -h SMAC is the source MAC address of the packet to be generated.
- -w short-packet.cap is the name of the output file.
- -y fragment.xor is the name of the file containing the PRGA.
Generating a custom packet
If you want to generate a client packet, first create a packet with the tool of your choice. This could be a specialized tool, a hex editor or even a previous capture. Then save it as a pcap file. Following this, run the command:
packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap
Where:
- -9 means generate a custom packet.
- -r input.cap is the input file.
- -y keystream.xor is the file containing the PRGA.
- -w output.cap is the output file.
When it runs, packetforge-ng will ask you which packet to use and then write the output file.
Usage Tips
Most access points really don't care what IPs are used for the ARP request. So as a result you can use 255.255.255.255 for the source and destination IPs.
So the packetforge-ng command becomes:
packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request
Usage Troubleshooting
Including both -j and -o flags
A common mistake people make is to include either or both of the -j and -o flags and so create invalid packets. These flags set the FromDS and ToDS flags in the generated packet. Unless you are doing something special and really know what you are doing, don't use them. In general, they are not needed.
Error message "Mode already specified"
This is usually caused by using the number one (-1) instead of dash lowercase L (-l) in the command.
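As an added example (not part of this page or of the aircrack-ng project), the following Python parser decodes the 802.11 header of a WEP data frame and checks the two points made on this page: the FromDS/ToDS bits that the -j and -o flags would alter, and the size rule from the null-packet section (unencrypted size plus 4 bytes of IV+index and 4 bytes of ICV, with a 24-byte 802.11 header). Its sample input is the 68-byte frame that aireplay-ng printed for the forged ARP request earlier on the page; the function and constant names are my own.

```python
"""Decode an 802.11 WEP data frame header and verify the DS bits and size rule.

Added example; not code from the packetforge-ng page or from aircrack-ng.
"""
import struct

# The 68-byte frame from the aireplay-ng -2 output shown earlier on the page.
SAMPLE_FRAME_HEX = (
    "0841 0201 0014 6c7e 4080 000f b5ab cb9d "
    "ffff ffff ffff 8001 6c48 0000 0999 881a "
    "49fc 21ff 781a dc42 2f96 8fcc 9430 144d "
    "3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 "
    "d64f b709"
)

MAC_HDR_LEN = 24   # FC(2) + duration(2) + 3 addresses(18) + sequence control(2)
WEP_IV_LEN = 4     # 3-byte IV + 1 byte holding the key index in its top two bits
WEP_ICV_LEN = 4    # CRC-32 integrity check value appended to the ciphertext
LLC_SNAP_LEN = 8   # LLC/SNAP header in front of the ARP body
ARP_LEN = 28       # Ethernet/IPv4 ARP body


def wep_frame_size(unencrypted_size):
    """On-air length of a WEP frame given the unencrypted size (the -s value)."""
    return unencrypted_size + WEP_IV_LEN + WEP_ICV_LEN


def arp_request_unencrypted_size():
    """Unencrypted size of a forged ARP request: 802.11 header + LLC/SNAP + ARP."""
    return MAC_HDR_LEN + LLC_SNAP_LEN + ARP_LEN


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_wep_data_frame(frame):
    """Return frame control, DS bits, addresses and WEP IV fields of a data frame."""
    if len(frame) < MAC_HDR_LEN + WEP_IV_LEN + WEP_ICV_LEN:
        raise ValueError("frame too short for an 802.11 WEP data frame")
    fc0, fc1 = frame[0], frame[1]
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    # The meaning of the three address fields depends on the DS bits.
    if to_ds and not from_ds:          # station -> AP, what packetforge-ng emits
        bssid, src, dst = addr1, addr2, addr3
    elif from_ds and not to_ds:        # AP -> station
        dst, bssid, src = addr1, addr2, addr3
    elif not to_ds and not from_ds:    # ad hoc / IBSS
        dst, src, bssid = addr1, addr2, addr3
    else:                              # both set: 4-address WDS frame, not handled
        raise ValueError("both FromDS and ToDS set: 4-address WDS frame")
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    return {
        "type": (fc0 >> 2) & 0x3,          # 2 == data frame
        "subtype": fc0 >> 4,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": bool(fc1 & 0x40),     # WEP/protected-frame bit
        "bssid": mac_str(bssid),
        "src": mac_str(src),
        "dst": mac_str(dst),
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0xF,
        "iv": frame[24:27].hex(),
        "key_index": frame[27] >> 6,
        "payload_len": len(frame) - MAC_HDR_LEN - WEP_IV_LEN - WEP_ICV_LEN,
        "unencrypted_size": len(frame) - WEP_IV_LEN - WEP_ICV_LEN,
    }


def ds_bit_warnings(info):
    """Flag DS-bit settings a station-to-AP injection frame should not carry."""
    warnings = []
    if info["from_ds"]:
        warnings.append("FromDS is set (-j): not a station-to-AP frame")
    if not info["to_ds"]:
        warnings.append("ToDS is clear (-o): frame is not addressed to the AP")
    return warnings


if __name__ == "__main__":
    info = parse_wep_data_frame(bytes.fromhex(SAMPLE_FRAME_HEX))
    for key, value in info.items():
        print("%-17s %s" % (key, value))
    print("warnings:", ds_bit_warnings(info) or "none")
    print("expected ARP request on-air size:",
          wep_frame_size(arp_request_unencrypted_size()))
```

Run against the page's frame it reports ToDS=1, FromDS=0, the BSSID, source and broadcast destination that aireplay-ng printed, a 3-byte IV of 6c4800 with key index 0, and an unencrypted size of 60 bytes, which is exactly the 24-byte header plus the 36-byte LLC/SNAP+ARP body and matches the "Size: 68" line once the 8 WEP bytes are added.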
Entering:
packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -1 255.255.255.255 -y 00:14:6C:7E:40:80-03-00-14-6C-7E-40-80.xor -w arp-request
Gives:
Mode already specified.
"packetforge-ng --help" for help.
This is because -1 (the number one) was used instead of the correct -l (the letter ell). So only use "-l".
Source:
Author: Thomas d’Otreppe, Original work: Christophe Devine
License: GPLv2