Table of Contents Cyber Attacks Explained: Packet Crafting
Scope of Article
In the previous articles of this series we covered common attacks found in most of the infrastructure vulnerability exploitation scenarios. This article takes a step forward, in terms of describing a technically advanced attack which can badly impact networks because it is tough to detect it. Packet crafting is a commonly used and yet complex way of exploiting the vulnerabilities and hence it is important for network administrators to know about it, and also to understand various ways to protect their infrastructure against it. We will also discuss how to protect FOSS based systems from a packet crafting attack.
What is Packet Crafting?
Crafting by definition means to make or create something skillfully. As we know, all the vulnerability assessment tools used by network administrators for testing the security of their networks are a blessing as well as a curse. This is because the same set of tools can also be used by evil hackers to find vulnerabilities and then exploit those to their benefit. Packet crafting too, is not an exception to this and it is believed to be a technically advanced and yet a complex type of vulnerability exploitation which makes it difficult to detect and diagnose.
Let’s look at a TCP packet and its fields in details, in order to understand packet crafting attack better. Please refer to Fig 1. which shows a basic Ethernet packet as well as the TCPIP packet frame which rides on top of it. The Ethernet frame contains multiple fields which typically take care of Layer-2 communication whereas the TCP and IP packet chunks carry data fields for upper layers. TCP part of the packet brings connection oriented sense, while the IP packet contains source and destination addresses and ports.
We already learnt in previous articles of this series, that the TCPIP communication is comprised of a three way handshake (SYN, SYN-ACK, ACK), which sets up a communication channel between two network interface cards. The data flows between them using this channel, and it is terminated by using a FIN/FIN-ACK handshake.
We also learnt that each of these packet fields can be modified by a hacker to his benefit. The source and destination IP address or ports are very commonly attacked fields in the denial of service and spoofing attacks and network penetrations. It is important to understand here, that it’s not just these fields which could be modified, but in fact each and every flag and field in a TCP frame and the underlying Ethernet frame can be modified or altered, for the purpose of network penetration.
Please note that, the packet crafting and packet spoofing are usually misunderstood to be the same technique; however those are different from the impact standpoint. Spoofing is used by hacker to hide his identity and presence on the network. Spoofing is primarily used to gain network information such as open ports, running services, active hosts etc; however the target host fails to trace back to the attacker. On the other hand, the packet crafting takes a step further by trying to test the presence, functionality or the accuracy of firewall rules, and intrusion detection systems.
Packet crafting requires in depth knowledge of TCP packet and its working, and is more of a manually orchestrated attack than a programmatic one. This makes it a technically advanced way of trying to hack into networks.
Packet Crafting in Action
Packet crafting is a task which is methodically carried out to penetrate into a network infrastructure. Please refer to Fig 2 which shows four distinct steps involved in the packet crafting attack. Let’s understand each of these steps in bit more details.
1. Packet Assembly
This is the first step in the crafting process wherein, a hacker decides which network needs to be hacked, tries to gather possible vulnerability information and creates or fabricates the packets to be sent. This packet is then checked for accuracy, especially to ensure that the attack is as sneaky on the network as possible to go un-detected. For example, the packet being created can have a spoofed source address and a dummy TCP sequence number. The assembly of a packet need not be done from scratch; a packet going over the wire can be captured and its contents can be modified to serve the hacking purpose.
2. Packet Editing
In this step, usually a dry run on the assembled packet is tested and based on the results gathered, the packet is tuned up or corrected before moving to the next step. In the editing phase, the focus is usually to be able to gather maximum amount of information by injecting minimum amount of packets on the network. For example, to test how a firewall responds to malformed packets, a simple packet with a false source IP address and with ACK field bit set, can be created. The firewall in ideal situations should drop such a packet.
3. Packet Playing
Once the correct packet or a stream of packets is created, the packet playing sends it on the network, and collects the resultant packets to perform further analysis and co-relation. This is the step when an actual attack is performed. If the expected outcome is not achieved, hacker goes back to the editing phase to change attack scenario.
4. Packet Analyzing
In this process, the packet streams are gathered to decode the presented response by the target network. Hacker may use simple packet sniffing tools for this purpose, or can capture those in the form of a log file and perform analysis. This step either provides evidence to the hacker that he was successful in penetration, or at least gives him enough inputs to tune up the attack, or change the methodology.
As seen above, the whole idea behind packet crafting is to try simulating an attack, and thus learning the behavior of various network devices to gain knowledge about the vulnerabilities. Crafting is very typically used to invade into firewalls and intrusion detection devices, but can also be used to attack web servers and other application gateways.
Common Packet Crafting Techniques
- Ping fragmentation – A malformed ICMP ping packet is created to contain more than 65535 bytes, resulting in a denial of service attack. Variants include setting ACK flag or sending variable byte packets to overwhelm the system.
- Packet Flag manipulation – Modifying flags such as SYN, RST, FIN, SYN-ACK or ACK to confuse destination systems. Older firewalls are known to be vulnerable to FIN attacks.
- Packet duplication – Capturing a series of packets and resending them to confuse the target. Commonly used in denial of service attacks by sending duplicate ACK or FIN packets.
- Protocol manipulation – Setting both TCP and UDP flags or none at all to confuse firewalls and switches. Legacy devices may fail to handle malformed packets, leading to shutdowns or bypasses.
- Half open packets – Sending SYN packets repeatedly without completing handshake, exhausting target host resources and causing denial of service.
Protecting FOSS Systems
As mentioned earlier, the packet crafting attack is a tough one to tackle. Despite of this, there are ways to protect FOSS networks. The very simple and correct method is in fact to use packet crafting tools themselves, to test the infrastructure. First step is to understand the network, create security testing scenarios for testing critical security components such as firewall, router, IDS system etc.
Tools such as Hping and TCPReplay could be used to fabricate packets and send those to gather statistics and logs. A packet sniffer and analyzer such as Wireshark can be used for this purpose. Firewalls and IDS systems built on FOSS technology, should be tested against Layer-2 to Layer-7. Performing such tests at regular intervals and keeping up-to-date with the intrusion detection vulnerability signatures is an appropriate way to be protected.
To protect FOSS web servers, a latest Layer-7 content filtering firewall which is capable of performing a state-ful packet inspection, and equipped to detect and shun a denial of service attack should be implemented. As for any Linux distros, there is a lack of built-in strong security module to fight against packet crafting attack; hence a properly designed perimeter defense system should be deployed to protect the infrastructure.
Summary
Packet crafting is a good way to audit your network; however it can be used by evil hackers to penetrate into a network, by exploiting vulnerabilities. Properly configuring firewalls, switches and routers is an important step to prevent networks from crafting attacks and the network administrators should understand it’s important. Packet crafting attacks typically can happen from outside the firm’s local area network, which demands for a carefully designed perimeter defense security system for network infrastructure.
About the Author
The author has over 18 years of experience in the field of IT hardware, networking, web technologies and IT security. Prashant is MCSE, MCDBA certified and also F5 load balancer expert. In the IT security world he is an ethical hacker and net-forensic specialist.
Prashant runs his own firm named Valency Networks in India (www.valencynetworks.com) providing consultancy in IT security design, security audit, infrastructure technology and business process management. He can be reached at prashant@valencynetworks.com.
