Using Security Tools Tutorials

Penetration Testing tools / Colasoft Packet Builder





Subtitles of the Movie

In continuing our discussion on penetration testing tools, let's talk about packet crafters for a moment. Now we've already talked about Hping2 and 3, which are very good packet manipulation and crafting tools. Colasoft Packet Builder is a little bit different, though, because it's a Windows-based tool, therefore it has a really nice GUI to get around in. Now Hping is probably the packet crafter of choice for penetration testers, hackers and so forth, because it appeals to the Command Line junkies, of course, and it's very versatile. It can do a lot of things. Colasoft Packet Builder is a good tool as well and it's good for the novice or the beginning packet crafter, and since it's a Windows GUI it's very easy to use.

Now it's a packet crafting tool and it's used for creating customized packets and network traffic and sending it across the network. You can do all kinds of things with Colasoft Packet Builder. It's very easy to use. It has to be installed on Windows after you download it and then you can either create packets from scratch, which I would recommend that you do once you're experienced, or you can import packet captures from, say, Wireshark or Ethereal. Now once you import those captures you can actually modify them using the GUI and then resend them back on the wire, or you can save them to a file for later sending.

Let's go ahead and look at Colasoft Packet Builder. Now we're looking at a Wireshark capture that I've saved, and just to show you how the capture started, we've got a ping, a simple echo reply, echo request sequence from the .10 box, the Windows XP Professional VM, to the Windows 2000 Server VM, which is .45 - very simple. Here we see a ping request and then an ARP. Now the ARP has to come out because .45 doesn't know who .10 is and it needs to know what MAC address belongs to .10, so then there's an ARP reply, of course, and then .45 can go ahead and reply back to the ping request at the network level using IP.
So there's a little conversation there between reply-request, reply-request and so forth. So you save that packet capture, it's ping_capture.cap. Now we're going to import that capture into Colasoft Packet Builder and manipulate it. Let's switch to Colasoft and as you can see it's not that difficult of an interface. You've got three panes, and let's go ahead and import our Packet Capture, and as you can see this is the capture we just looked at. Of the three panes that you have, you've got a packet list and that details the packets, basically the way we saw them in Wireshark, and if you click through you'll find that the information on the packet, just like in Wireshark, is displayed in the center pane and it gives you all the details of the packet, and in the bottom pane is a hexadecimal representation of the data.

What we want to do basically is just change the simple ping conversation around just a little bit. We're going to change it around such that we send a ping from a different host and have the target computer respond to a different computer. So we're going to spoof a host, in other words, and this is a very simple packet capture that we're going to do - packet manipulation rather - we're going to do a very simple one where we simply change the IP address information, the MAC address information. All we're going to do is spoof an IP address. The address we're going to spoof is .60.

Now all we really need to spoof is the sending packets; we do not need the destination packets, so there are a few we can get rid of. We can get rid of all the destination ones coming back from .45, because we're not going to manipulate them, and there are just a few to get rid of. There should be four in the typical ping conversation with Windows, because by default Windows sends out four packets - four for requests and four for reply. So we've got the packets sent out, so what we want to do is modify the source address of these packets. Let's go ahead and do that.
Let's change the Source IP here; let's change that to .60. We're going to change it on all of them. We've got two more to change. So now we've manipulated the Source Address of the packet, and one thing we want to do too, if we want this to work all right, is play with the ARP packets as well. What we want to do is send an ARP request, and it's probably going to be a gratuitous ARP request, rather, because we know that .45 may reply back and say, hey, who is that IP address, and we don't want to reply back to this .10, we want to reply back to this .60, so what we're going to do is modify this a little bit. We're going to change that as well, so now we've changed that.

Let's go ahead and get our conversation set up, so we've got four ECHO REQUESTS that are going to go out and we're going to ARP reply because we believe that .45's probably going to reply with an ARP request out before it replies back. So now that we have our conversation, what we can do is send this out on the wire, so we click the Send All button. Before we do that we need to restart Wireshark. Let's clear this out a little bit. Now let's resend all these packets and let's make sure that we get replies back from those. Now there are several things you can manipulate here, but let's go ahead and click Start. Now it's sending our packets, and let's see what our Wireshark capture looked like. We got some replies back there. Let's go ahead and stop the capture.

So let's see what happened here. Well, we have a source packet, an ICMP Source, or ECHO REQUEST, going out from .60. Now as soon as that hit, .45 said, hey, who is the MAC address that has .60? And of course, we already had a prefabricated ARP reply that went out that says .60 is at this MAC address. So that told .45 they could go ahead and reply back to that MAC address and IP address, and here the conversation continued: reply-request, reply-request, and it looks like, if you just look at the simple traffic capture, that it was a .60 host sending out the traffic, not a .10. So we essentially spoofed an IP address and we got the receiving computer to reply back to that spoofed IP address. If we had not modified the ARP packets then probably what would have happened is the computer would have ARPed out and said, hey, who is .60, and no one would have replied back. So then it probably would not have replied back to the ping request, so we'd have had a one-way conversation there, and sometimes the goal is to get the computer to reply back to a request from a machine using a spoofed IP address. So we were able to do that.

So that is essentially all there is to Colasoft Packet Builder. Now, there are some other things, of course, we can do with this. We can save these as well. This packet cache, in case we want to do this again, and there are so many other things we could have manipulated during this session. We just simply did a simple source IP address from a ping packet, from an ICMP packet. This could have been any other kind of IP packet, TCP packet, and so forth, an entire conversation. We could have manipulated not only the Source and Destination addresses but the Protocols and intricate details of the Payloads of the Protocols, so as you can see, if you had knowledge about how to spoof packets to the extent that you could do some complex stuff with, then this would be a very useful tool. And again, this is a good tool for beginners and seasoned professionals alike.
A lot of people prefer the Command Line stuff with Hping and Hping3 and they're very good tools, don't get me wrong, but Colasoft Packet Builder is an excellent tool if you're just starting out and you're trying to learn and understand how packet crafting works, or even if you're a seasoned professional and you just need a really quick way to do things, and if you're the kind of person that operates visually rather than at the Command Line. So that's Colasoft Packet Builder - a demonstration of a really good packet crafting software.
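
From the defender's side, the capture described above has a recognisable signature: one network card sources traffic for both .10 and .60 and answers ARP for .60. The following is an added example, not part of the original tutorial; it assumes the spoofing host keeps its real MAC address, and the `192.0.2.x` addresses, MAC values and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def sender_bindings(frames):
    """Map each sender MAC to the set of IPv4 addresses it claimed."""
    seen = defaultdict(set)
    for f in frames:
        if len(f) < 14:
            continue
        etype = struct.unpack("!H", f[12:14])[0]
        if etype == 0x0806 and len(f) >= 42:    # ARP: sender MAC, sender IP
            seen[mac(f[22:28])].add(ip(f[28:32]))
        elif etype == 0x0800 and len(f) >= 34:  # IPv4: Ethernet source, IP source
            seen[mac(f[6:12])].add(ip(f[26:30]))
    return seen

def multi_ip_macs(frames):
    """Return MACs that sourced traffic for more than one IPv4 address.
    Assumption: the spoofing host did not also change its MAC address."""
    return {m: sorted(a) for m, a in sender_bindings(frames).items() if len(a) > 1}

# --- constructed sample frames (held in memory only; addresses are made up) ---
A, B = bytes.fromhex("0a0000000010"), bytes.fromhex("0a0000000045")
H10, H45, H60 = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 45]), bytes([192, 0, 2, 60])

def ipv4(smac, dmac, src, dst):
    return dmac + smac + b"\x08\x00" + b"\x45" + bytes(11) + src + dst

def arp(op, smac, sip, tmac, tip, dmac):
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip
    return dmac + smac + b"\x08\x06" + body

SAMPLE = [
    ipv4(A, B, H10, H45),                        # original ping from .10
    ipv4(A, B, H60, H45),                        # same NIC, source now .60
    arp(1, B, H45, bytes(6), H60, b"\xff" * 6),  # .45 asks who has .60
    arp(2, A, H60, B, H45, B),                   # reply: .60 is at A's MAC
    ipv4(B, A, H45, H60),                        # echo reply goes to A
]

if __name__ == "__main__":
    for m, addrs in multi_ip_macs(SAMPLE).items():
        print(f"ALERT {m} claims {addrs}")
```

Run this only against traffic from a single LAN segment: a router or a multi-homed host legitimately sources frames for many IP addresses and should be allow-listed.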

Tutorial Information

Course: Using Security Tools
Author: Bobby Rogers
SKU: 34068
ISBN: 1-935320-88-2
Release Date: 2009-12-04
Duration: 9 hrs / 91 lessons
Captions: Available on CD and Online University
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
