If you are reading this post you must have seen my previous post on Ostinato. With this post I wanted to give you all a first hands on experience in capturing a packet with Wireshark, editing the payload and replying it.
We aren’t going to to anything nasty just go through the basic interface and play with a ping packet.
Step1: “Capture the traffic”
In the first faze we want to capture a basis packet we will modify later. We could start crafting a packet from the ground up but that could be a though and time consuming task.
What we will do is fire up wireshark and just start a ping to an internal server, capture the traffic and isolate one single icmp request saving it off to a pcap file.
1. start your wireshark and create a display filter for icmp to get rid of all the clutter.
2. start a dos box and ping your target system
that should give you 4 successful ping’s and 8 captured packets
3. isolate one single icmp request as this will be the basis of our crafting
an easy way of doing this in wireshark is just referencing the frame number using the syntax frame.number == <frame nr>
4. save only the displayed packet by clicking the radio button and give the pcap file an easy to remember name
Step2: “Edit the packet”
1. To do this you need to fire up your Ostinato
2. open up the port group and select your interface
3. right click the steam area and choose open streams
select your file and click open
4. accept the import option
5. if all you want to do is reply the packet you are ready, however we want to play wit the packet just a little this time so we right click the stream and goto edit stream
If you are familiar with network protocols this should all make sense to you and you will recognize a very structured buildup throughout the screens.
6. let’s go out to the protocol and choose the HEXDump area for now.
7. Here we see the hex data being sent over the wire to the server and recognize the typical alphabet, however we want to surprise the server and send it “Ostinato Rocks”. Of course in order to do this we need to translate the string to hex. There are a million website you can use for this, I used http://www.dolcevie.com/js/converter.html
Just cut/past the hex string into the hex area in ostinato
8. Now by just doing this your packet will not play as modifying the payload also means the checksum will be incorrect. So we need to go up one in the stack and in the ICMP tab uncheck the box to set the Checksum
9. we are just about ready but how much fun would one packet be? Let’s play it save and ensure we see this thing fly, so head out to the next tab stream control and in the number of packets let’s specify we want to send this packet not 1 time but 50 times
when you are done, press ok and in the home screen press the apply button
Step3: “Replay the modified packet”
Now we are ready to send you neatly crafted packet back onto the wire. To do this, in the statistics screen, click the interface you will be letting these 50 packets out on
fire up your wireshark on your server
and then press the little play icon
while this is running you should see the transmit state go to on and you should see frames sent increase
On the server side you should have received 50 ICMP request frames with the Ostinato Rocks text in the data area
Now just imagine what you can do with this tool next, and if you have not done so, have a look at the drone option that comes with Ostinato!
Enjoy
Tom