One Little PIG

by Rafael Santiago

Ten years ago, I had written a network sniffer able to work with a domain-specific language in order to define the filters.

With this sniffer I could not only log the capturing events, but also kill the sniffed connections.

O.K., why kill connections?  Think about a guy who was having fun with raw sockets for whom, in this phase, nothing was more exciting than killing connections.  Anyway, this approach got me to implement several filters which in the end became a minimalist IDS/IPS.

This new sub-project brought a new question, which was: "How can I test this IDS without screwing up my machines or infecting my system?"

So I had the idea of creating a program that would be able to inject spurious traffic onto the network.  In a bit of time, I created an application which did it for me.  Afterwards, I discovered that there already existed a name for this operation: "packet crafting."

Ah!  O.K...  So what was the name of the application that I wrote?  I used the infamous name Packet Intruder Generator (PIG).  Yes, horrible, but effective!

Now we arrive at the point of this article.  I want to talk about packet crafting and how you can use it for a bunch of useful things.  To demonstrate this, I will use my own application.

Packet crafting is a technique where you assemble network packets and inject this data onto the network.  Generally, this is used for testing issues such as IDS/IPS testing or firewall testing.  Some people could potentially use it to mask a real attack flooding the network with a bunch of minor attack signatures.

Nowadays, there are several packet crafting tools.

Some tools allow for response analysis.  A few months ago, I decided to do some refining of my packet crafting tool.  However, the truth is that I rewrote it from scratch.  Until now, you could generate IPv4 packets, bringing TCP or UDP packets with PIG.  If you are familiar with hexadecimal, you can put virtually anything to the IP payload beyond TCP/UDP.

PIG allows you to create in a 'non-brain dead" way (yes, you need to use your brain and fingers) packet signatures.

You can forge source and destination and you can also specify IP addresses by geographic location (class C).  PIG does not analyze the responses generated from the fake packets' injection.  This application is a good choice for those of you who want to test your firewall, IDS, or IPS - or for those of you who just want to flood because you are evil (but please do not do it, come on...).

By the way, in PIG, a signature file is affectionately called "pigsty file."  It can bring a collection of signatures.

Let's see a rather pure pigsty (supposing that this file is named as "oink.pigsty"):

[ signature = "oink", ip.version = 4, ip.ihl = 5, ip.tos = 0, ip.src = 127.0.0.1, ip.dst = 127.0.0.1, ip.protocol = 17, udp.dst = 1008, udp.src = 32000, udp.payload = "Oink!!\n" ]

Yes, this pigsty will go to heaven.

To test, put the Netcat on listen mode/port 1008/UDP:

$ nc -u -l -p 1008

Now, in another TTY, you run PIG.

Supposing that your gateway's address is 10.0.0.2, your network mask is 255.255.255.0, and your network interface is named as eth0:

$ ./pig --signatures=./oink.pigsty --gateway=10.0.0.2 --net-mask=255.255.255.0 --lo-iface=eth0

As a result, your Netcat must be receiving several "oinks."

Maybe in this example, the necessity of the gateway address, the network mask, and the network interface might be a little bit useless, but PIG can build the network packet from the Ethernet until the Layer 7.

These options are important due to routing issues.  In this way, you can fake packet from other hosts using your own machine.

Now, let's see some practical stuff:

[ signature = "Nail Worm(1)", ip.version = 0x4, ip.ihl = 0x5, ip.tos = 0x0, ip.id = 0x3779, ip.flags = 0x4, ip.offset = 0, ip.ttl = 0x40, ip.protocol = 0x6, ip.src = asian-ip, ip.dst = user-defined-ip, tcp.src = 110, tcp.seqno = 0x77aace8b, tcp.ackno = 0, tcp.reserv = 0x0, tcp.size = 0x5, tcp.fin = 0, tcp.syn = 0, tcp.urg = 0, tcp.ack = 1, tcp.psh = 0, tcp.rst = 0, tcp.wsize = 0x1920, tcp.urgp = 0x0, tcp.payload = "\x4D \x61 \x72 \x6B \x65 \x74 \x20 \x73 \x68 \x61 \x72 \x65 \x20 \x74 \x69 \x70 \x6F \x66 \x66" ]

The shown pigsty creates a packet with an Asian Class C source address and the destination IP must be supplied by you:

$ ./pig --signatures=./worms.pigsty --targets=192.30.70.10 --gateway=192.30.70.1 --net-mask=255.255.255.0 --lo-iface=eth0

In this example, the destination IP address will be "192.30.70.10."  If you use this:

$ ./pig --signatures=./worms.pigsty --targets=192.30.70.10,192.168.*.*,192.16.10.2/20 --gateway=192.30.70.1 --net-mask=255.255.255.0 --lo-iface=eth0

The target will be randomized from the target pool that you created.

Timeout?  Yes, you can (in milliseconds):

$ ./pig --signatures=./worms.pigsty --gateway=192.30.70.1 --net-mask=255.255.255.0 --lo-iface=eth0 --targets=192.30.70.10,192.168.*.*,192.16.10.2/20 --timeout=1

For sending protocols different from 6 and 17, you must define this protocol in raw form using the field "ip-payload":

[ signature = "Nail Worm(1)", ip.version = 0x4, ip.ihl = 0x5, ip.tos = 0x0, ip.id = 0x3779, ip.flags = 0x4, ip.offset = 0, ip.ttl = 0x40, ip.protocol = 0x6, ip.src = asian-ip, ip.dst = user-defined-ip, ip.payload = "\x00\x00\x01" ]

As you can see, packet crafting, while a simple technique, is a useful way to verify your firewall, IDS, and IPS rules.

It's an essential tool for pen-tests, a good friend for sysadmins, and a pain in the neck for lousy network environments...

If you liked "PIG," you can get the code at github.com/rafael-santiago/pig.

There you can read the documentation and learn more about this tool.