Scope of article
In the previous articles of this series we covered common attacks found in most of the infrastructure vulnerability exploitation scenarios. This article takes a step forward, in terms of describing a technically advanced attack which can badly impact networks because it is tough to detect it. Packet crafting is a commonly used and yet complex way of exploiting the vulnerabilities and hence it is important for network administrators to know about it, and also to understand various ways to protect their infrastructure against it. We will also discuss how to protect FOSS based systems from a packet crafting attack.
What is packet crafting?
Crafting by definition means to make or create something skillfully. As we know, all the vulnerability assessment tools used by network administrators for testing the security of their networks are a blessing as well as a curse. This is because the same set of tools can also be used by evil hackers to find vulnerabilities and then exploit those to their benefit. Packet crafting too, is not an exception to this and it is believed to be a technically advanced and yet a complex type of vulnerability exploitation which makes it difficult to detect and diagnose. Let’s look at a TCP packet and its fields in details, in order to understand packet crafting attack better. Please refer to Fig 1. which shows a basic Ethernet packet as well as the TCPIP packet frame which rides on top of it. The Ethernet frame contains multiple fields which typically take care of Layer-2 communication whereas the TCP and IP packet chunks carry data fields for upper layers. TCP part of the packet brings connection oriented sense, while the IP packet contains source and destination addresses and ports. We already learnt in previous articles of this series, that the TCPIP communication is comprised of a three way handshake (SYN, SYN-ACK, ACK), which sets up a communication channel between two network interface cards. The data flows between them using this channel, and it is terminated by using a FIN/FIN-ACK handshake.
We also learnt that each of these packet fields can be modified by a hacker to his benefit. The source and destination IP address or ports are very commonly attacked fields in the denial of service and spoofing attacks and network penetrations. It is important to understand here, that it’s not just these fields which could be modified, but in fact each and every flag and field in a TCP frame and the underlying Ethernet frame can be modified or altered, for the purpose of network penetration. Please note that, the packet crafting and packet spoofing are usually misunderstood to be the same technique; however those are different from the impact standpoint. Spoofing is used by hacker to hide his identity and presence on the network. Spoofing is primarily used to gain network information such as open ports, running services, active hosts etc; however the target host fails to trace back to the attacker. On the other hand, the packet crafting takes a step further by trying to test the presence, functionality or the accuracy of firewall rules, and intrusion detection systems. Packet crafting requires in depth knowledge of TCP packet and its working, and is more of a manually orchestrated attack than a programmatic one. This makes it a technically advanced way of trying to hack into networks.
Packet crafting in action
Packet crafting is a task which is methodically carried out to penetrate into a network infrastructure. Please refer to Fig 2 which shows four distinct steps involved in the packet crafting attack. Let’s understand each of these steps in bit more details.
Packet Assembly – This is the first step in the crafting process wherein, a hacker decides which network needs to be hacked, tries to gather possible vulnerability information and creates or fabricates the packets to be sent. This packet is then checked for accuracy, especially to ensure that the attack is as sneaky on the network as possible to go un-detected. For example, the packet being created can have a spoofed source address and a dummy TCP sequence number. The assembly of a packet need not be done from scratch; a packet going over the wire can be captured and its contents can be modified to serve the hacking purpose.
Packet Editing – In this step, usually a dry run on the assembled packet is tested and based on the results gathered, the packet is tuned up or corrected before moving to the next step. In the editing phase, the focus is usually to be able to gather maximum amount of information by injecting minimum amount of packets on the network. For example, to test how a firewall responds to malformed packets, a simple packet with a false source IP address and with ACK field bit set, can be created. The firewall in ideal situations should drop such a packet.
Packet Playing – Once the correct packet or a stream of packets is created, the packet playing sends it on the network, and collects the resultant packets to perform further analysis and co-relation. This is the step when an actual attack is performed. If the expected outcome is not achieved, hacker goes back to the editing phase to change attack scenario.
Packet analyzing — In this process, the packet streams are gathered to decode the presented response by the target network. Hacker may use simple packet sniffing tools for this purpose, or can capture those in the form of a log file and perform analysis. This step either provides evidence to the hacker that he was successful in penetration, or at least gives him enough inputs to tune up the attack, or change the methodology.
As seen above, the whole idea behind packet crafting is to try simulating an attack, and thus learning the behavior of various network devices to gain knowledge about the vulnerabilities. Crafting is very typically used to invade into firewalls and intrusion detection devices, but can also be used to attack web servers and other application gateways. Now let’s discuss few common packet crafting techniques.
Ping fragmentation – In this type, instead of a standard ICMP ping packet, a malformed ping packet is created to contain more than 65535 bytes, which is a maximum allowed packet size. This results in destination system responding with an echo reply which also consumes a larger packet frame and thus eventually results into a denial of service attack. One technique also sets ACK flag in the packet, confusing the destination service, whereas in another variety instead of a larger frame, a variable number of bytes are sent to overwhelm the system.
Packet Flag manipulation – As we discussed before, there are multiple fields in the TCP datagram. One of the fields contains flags or bits which could be set programmatically. For example, a SYN flag can be set and the packet can be sent over the wire to a destination to establish a valid TCP communication. This would be a healthy way of initiating a TCP handshake; however it can be exploited by sending a RST or FIN packet, which can confuse a destination system. Older firewalls are known to be susceptible to FIN attacks, because they cannot properly differentiate between a valid packet and a bogus FIN packet. In another variety, a malformed SYN-ACK packet or ACK packet can cause similar effects too.
Packet duplication – In this type hacker captures a series of packets and simply re-sends it over the network. This causes confusion at the destination thinking that the previous session was not properly answered or terminated. Typical example of this attack is sending a duplicate ACK or FIN packet without modifying any other content of the packet frame. This method is commonly used in a denial of service attack.
Protocol manipulation – This type is mainly used to test firewall vulnerabilities. Here the TCP and UDP flags are both set in a packet to confuse the firewall rule set. If the firewall is modern, it can identify such a packet as a malformed one and simply drops it. However for legacy firewalls, if there are multiple rules set to handle TCP and UDP packets, both rules get executed causing an erroneous effect, which can lead to shutting down the firewall. Another way is to not set TCP or UDP flag at all, a trick which is found to trick Layer-3 managed switch devices.
Half open packets – In this method, hacker initiates connection with a target host using a SYN packet. The target sends Syn-ACK, however hacker doesn’t respond to it, and instead creates a spoofed packet by changing source IP and sends another SYN packet. This process continues, till the target host exhausts its resources thus being a denial of service victim.
Protecting FOSS systems
As mentioned earlier, the packet crafting attack is a tough one to tackle. Despite of this, there are ways to protect FOSS networks. The very simple and correct method is in fact to use packet crafting tools themselves, to test the infrastructure. First step is to understand the network, create security testing scenarios for testing critical security components such as firewall, router, IDS system etc. Tools such as Hping and TCPReplay could be used to fabricate packets and send those to gather statistics and logs. A packet sniffer and analyzer such as wireshark can be used for this purpose. Firewalls and IDS systems built on FOSS technology, should be tested against Layer-2 to Layer-7. Performing such tests at regular intervals and keeping up-to-date with the intrusion detection vulnerability signatures is an appropriate way to be protected. To protect FOSS web servers, a latest Layer-7 content filtering firewall which is capable of performing a state-ful packet inspection, and equipped to detect and shun a denial of service attack should be implemented. As for any Linux distros, there is a lack of built-in strong security module to fight against packet crafting attack; hence a properly designed perimeter defense system should be deployed to protect the infrastructure.
Packet crafting is a good way to audit your network; however it can be used by evil hackers to penetrate into a network, by exploiting vulnerabilities. Properly configuring firewalls, switches and routers is an important step to prevent networks from crafting attacks and the network administrators should understand it’s important. Packet crafting attacks typically can happen from outside the firm’s local area network, which demands for a carefully designed perimeter defense security system for network infrastructure.