Packet Spoofing


Altar314

Hi! I just had a question. I know when you go and do anything online, everything is done by sending and receiving packets. I just wanted to know if it was possible to send fake packets? My scenario is this: I have a test network set up, and I'm connected to a device via Metasploit's meterpreter. I would like to be able to send a fake packet to a computer, and have the computer act on that, if it makes sense. And is there some tool I could use, say, over wifi on Kali to do it, say if I'm in the actual location on their internet? Thanks!

 

--Altair

Link to comment
Share on other sites

On 4/2/2018 at 1:36 AM, i8igmac said:

Hping3 can send a spoofed packet

Nice.

On 4/1/2018 at 9:43 AM, Altar314 said:

I just wanted to know if it was possible to send fake packets?

Yes, you can. The most common usage is with WiFi adapters. Some WiFi adapters support a mode called "monitor-mode" which allows them to monitor extra traffic passing by over WiFi, and also allows it to inject packets into a network. However, you don't need a WiFi adapter. I think there are a few Android apps that allow you to send packets over a network (dummy packets), so what you could do to have a play around is use something like those apps and then have another machine on the network use Wireshark to see the packets - giving you an idea of how it all works.

Link to comment
Share on other sites

Hping3 looks like it would be really great, but I'm not entirely sure how to go about doing what I need to do. So in this hypothetical situation, let's say I've gotten into a fast food place. Let's say from observing the traffic, I know that the orders with a hamburger have a line that tells it to make a hamburger (I don't know enough about the internals of packets to pretend to know how to write that). Is there a way I could tell it to do the same thing by putting in the same kind of line?

Link to comment
Share on other sites

Potentially, but the box receiving the data might only be listening to traffic coming from specific boxes (via their IP or MAC), or there's some other kind of security handshake.

Hypothetically, if there was no security and it was open to anyone injecting traffic into it, you could probably copy the packet and replay it, but you would need to capture the whole packet first.

I can't really help you from here as I've never done it, I just know it's possible. :P

Link to comment
Share on other sites

9 hours ago, Dave-ee Jones said:

I can't really help you from here ... I just know it's possible. :P

If we’re ever at a pub together, the first round is on me.

Link to comment
Share on other sites

11 hours ago, Dave-ee Jones said:

Potentially, but the box receiving the data might only be listening to traffic coming from specific boxes (via their IP or MAC), or there's some other kind of security handshake.

Hypothetically, if there was no security and it was open to anyone injecting traffic into it, you could probably copy the packet and replay it, but you would need to capture the whole packet first.

I can't really help you from here as I've never done it, I just know it's possible. :P

Hypothetically if I got in, couldn't I pivot around the network to the machine itself? Or if I was there in person, couldn't I spoof my mac?

Link to comment
Share on other sites

10 hours ago, Spoonish said:

If we’re ever at a pub together, the first round is on me.

8 hours ago, Altar314 said:

Hypothetically if I got in, couldn't I pivot around the network to the machine itself? Or if I was there in person, couldn't I spoof my mac?

If you're connecting via WiFi there are 2 possible walls to your plan:

1. MAC Spoofing can easily be detected by a majority of APs these days because they can see 2 separate devices (with different hostnames and stuff) using the same MAC address, so they know one of them is fake - and they're probably going to boot off the one that joined last by default. Some less-smart APs might see one device, not knowing that it's actually 2 using the same MAC address, but that would only be older APs I would think..

2. The WiFi network is probably on a separate VLAN. If the business has IT people that know what they're doing with a WiFi guest network then they'll know to put it on a separate VLAN (or even a different network entirely), making it extremely difficult for hackers to get onto the real network where all the important data is stored and sent over. You can usually tell if this is the case by looking at the nearby WiFi networks, and see if some look like this: BURGER Guest, BURGER Staff. If that's the case, 99% of the time it means that the WiFis are separated over 2 separate VLANs - the Guest one most likely just being for internet and that's it - the Staff one being for internet and internal data storage and orders etc.

What do you mean pivot around the network to the machine itself?

Link to comment
Share on other sites
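The duplicate-MAC check described in point 1 of the post above can be sketched from the defender's side. This is an added example, not part of the original thread: it assumes the AP or DHCP server writes dnsmasq-style `DHCPACK` lines, and the log lines, MAC addresses, hostnames and the 30-minute window are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed dnsmasq-style DHCP log lines (not from a real network).
SAMPLE_LOG = """\
2018-04-04 18:00:02 DHCPACK(wlan0) 192.168.10.21 aa:bb:cc:00:00:01 staff-tablet
2018-04-04 18:00:40 DHCPACK(wlan0) 192.168.10.22 aa:bb:cc:00:00:02 kitchen-display
2018-04-04 18:03:15 DHCPACK(wlan0) 192.168.10.21 aa:bb:cc:00:00:01 staff-tablet
2018-04-04 18:04:09 DHCPACK(wlan0) 192.168.10.21 aa:bb:cc:00:00:01 kali
2018-04-04 23:30:00 DHCPACK(wlan0) 192.168.10.22 aa:bb:cc:00:00:02 kitchen-display-2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DHCPACK\((?P<ifc>[^)]+)\) "
    r"(?P<ip>\S+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$",
    re.IGNORECASE,
)

def parse(log_text):
    """Yield (timestamp, mac, hostname) for each DHCPACK line that has a hostname."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["host"]:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["mac"].lower(), m["host"].lower()

def find_mac_conflicts(log_text, window=timedelta(minutes=30)):
    """Return {mac: sorted hostnames} where one MAC presented different
    hostnames within `window`; a rename outside the window is ignored."""
    last_seen = defaultdict(dict)   # mac -> {hostname: last timestamp}
    conflicts = defaultdict(set)
    for ts, mac, host in sorted(parse(log_text)):
        for other, seen_at in last_seen[mac].items():
            if other != host and ts - seen_at <= window:
                conflicts[mac].update((host, other))
        last_seen[mac][host] = ts
    return {mac: sorted(hosts) for mac, hosts in conflicts.items()}

if __name__ == "__main__":
    for mac, hosts in find_mac_conflicts(SAMPLE_LOG).items():
        print(f"ALERT {mac} announced as {', '.join(hosts)}")
```

A renamed or dual-boot device trips the same rule, so a hit is a lead to check against the AP's association table rather than proof of spoofing.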

So, let's look at how a franchise network "should" look. I have cleaned up a few. First of all, most franchises take credit card payments. This means they have to be PCI compliant. This also means they get a questionnaire from the bank that handles their transactions for their machines every year. This questionnaire is filled out by their IT folks and covers things that need to be done. Pretty much you answer wrong on a question, you failed compliance and have to make it right before the deadline or they stop taking transactions for you. The questionnaire is dynamic, meaning depending on how you answer one question may extend into more sub questions. It is a pain in the ass. I am glad the few sites I have cleaned up didn't use wifi POS devices as this gets more in depth.

Anyway, the way they are done is you have APs that can serve 2 SSIDs. They all talk to a wifi server. The guest network always should only serve internet if you wish but not see anything internal. That can either be done by VLANing it or the more popular blocking all private subnets. Blocking subnets also makes it so each device cannot see each other and/or mess with each other. The staff one is still not on the POS network. That is for administration usually. The more that interacts with the POS network (Point of Sale, the machines that handle sales and credit card transactions) the more the questionnaire will want you to secure all those other machines. So, mostly those wifis are not going to point at their internal POS system. That is usually hidden and enterprise if is unless it is one of those small shops and they are using that Square app. I only say this because my donut shop I like to pick up from I happen to see they were on WEP still and their iPad using Square was using it. Talked to their IT guy (a family member hehe) and helped him fix that. Anyway, unless they are lying to their bank and severely negligent, that Staff wifi will only get you access to administration where you will only be able to get reports and stuff. Now, others may be different hehe.

Now, if so happen you do have access to a POS network and the data is cleartext, you will not be able to see it just sitting there unless they are using hubs. :-P

You are going to have to MiTM one of their devices and the server/mainframe. Look up MiTM to learn about that. Anyway, if you do then you will see the traffic. You will not need to spoof a packet. You can inspect it and its payload and see what the formatting is for order placements. Just capture a bunch, see what they are. They are probably codes for the orders so you will need to decipher those. Maybe go in and order a few things and see what the codes are for those orders and then send your own. If the packet is specialized you can use Python Scapy to craft your own following the original packet's schema. If it is HTTP then you may can use something like Postman or Burp.

 

Please don't ask me how to do all the above, that is a minibook I do not care to write.

Link to comment
Share on other sites
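The post above says the guest network is usually isolated by "blocking all private subnets". As an added example (not part of the original thread), here is one way an admin could confirm a guest deny list really covers every RFC 1918 range; the function name and the deny lists passed to it are hypothetical, and the deny list is assumed to be plain IPv4 CIDRs already exported from the firewall.

```python
import ipaddress

# The three RFC 1918 private ranges the guest network should never reach.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def uncovered_private_space(deny_cidrs):
    """Return the parts of RFC 1918 space NOT covered by the guest deny list.

    deny_cidrs: iterable of IPv4 CIDR strings taken from the guest ACL
    (hypothetical input format). An empty result means full coverage.
    """
    denied = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in deny_cidrs))
    gaps = []
    for private in RFC1918:
        remaining = [private]
        for d in denied:
            still_open = []
            for r in remaining:
                if r.subnet_of(d):
                    continue                      # fully blocked by this rule
                if d.subnet_of(r):
                    # rule blocks only a slice; keep the rest as a gap
                    still_open.extend(r.address_exclude(d))
                else:
                    still_open.append(r)          # rule does not touch it
            remaining = still_open
        gaps.extend(remaining)
    return [str(n) for n in ipaddress.collapse_addresses(gaps)]

if __name__ == "__main__":
    # Constructed deny list with a common mistake: only the local /24 blocked.
    acl = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24"]
    for gap in uncovered_private_space(acl):
        print("guest can still reach", gap)
```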

On 4/4/2018 at 6:11 PM, Dave-ee Jones said:

What do you mean pivot around the network to the machine itself?

 

I'm still very new to this, and I just know pivoting as a way to get to one device to the other, I think. I'm not entirely sure. Like I said, I'm new.

Link to comment
Share on other sites

17 hours ago, Altar314 said:

I'm still very new to this, and I just know pivoting as a way to get to one device to the other, I think. I'm not entirely sure. Like I said, I'm new.

Pivot scenario.

I have installed meterpreter on my phone. When my phone is connected to a person's wifi network I can connect back to my Kali desktop and perform network scanning to discover devices and launch exploits onto the network.

 

Once you upload meterpreter to a domain, you can pivot around the network.

 

A reverse proxy is another term.

Link to comment
Share on other sites

21 hours ago, i8igmac said:

Pivot scenario.

I have installed meterpreter on my phone. When my phone is connected to a person's wifi network I can connect back to my Kali desktop and perform network scanning to discover devices and launch exploits onto the network.

 

Once you upload meterpreter to a domain, you can pivot around the network.

 

A reverse proxy is another term.

Just to make sure I have this correctly, you intentionally infected your phone to be able to do that? 

Link to comment
Share on other sites

On 4/8/2018 at 4:06 AM, Altar314 said:

Just to make sure I have this correctly, you intentionally infected your phone to be able to do that? 

It basically acts as an "open" inside device, allowing himself to remote into his phone which is on the network and from there he can perform diagnostics. Simple trick, but effective. I just wasn't used to the terminology you guys are using.

Link to comment
Share on other sites

On 4/7/2018 at 2:08 PM, i8igmac said:

Yes meterpreter is installed on my phone.

Which phone do you think is most excellent for this extremely gnarly know how?

Bill and Ted was on tonight. I can’t get this voice out of my head.

Link to comment
Share on other sites

18 hours ago, Spoonish said:

Which phone do you think is most excellent for this extremely gnarly know how?

Bill and Ted was on tonight. I can’t get this voice out of my head.

Rooted Razer phone would be quite juicy, especially with that 120 Hz display... IPs would still race across your screen - but smoothly. :P

Link to comment
Share on other sites
