What is IPLayer?

IPLayer (pronounced IP-layer) is a console-based sniffer that is useful when building packets with command-line packet generation tools: it prints the bytes of each captured layer in a form you can paste straight into those tools. IPLayer is based on Ipgrab 0.8.2 by Mike Borella, which is available at http://ipgrab.sourceforge.net. IPLayer was developed (using the term very loosely) by Matthew Franz as part of Trinux: A Linux Security Toolkit.

Links

  • Ethereal - the mother of all sniffers
  • Bvi - binary editor
  • Nemesis - Libnet based command-line packet generation tool
  • Libdnet - Doug Song's "dumb" packet building library (especially see the dnet tool)

    Examples

    Let's say you've identified a protocol that you want to build packets for and you do not have an easy way to do it. None of the existing tools such as hping or nemesis (or whatever) lets you generate the packet easily, and you don't have the time to implement the protocol in Libnet.

    Let's say you want to generate a BGP OPEN. Here is a captured one as iplayer prints it, layer by layer:

    [---- ETHERNET
    SRC: 0:9:43:5f:bc:73  DST: 0:8:e3:60:f:80  PROTO: 800H PLEN: 103  HLEN: 14
    \x00\x08\xE3\x60\x0F\x80\x00\x09\x43\x5F\xBC\x73\x08\x00
    
    [---- IP
    SRC: 192.168.10.50 DST: 192.168.10.25
    HLEN: 20  LEN: 85  ID: 1  FO: 0 TTL: 1  PROTO: 6  HCSUM: 9031 
    \x45\xC0\x00\x55\x00\x01\x00\x00\x01\x06\x23\x47\xC0\xA8\x0A\x32\xC0\xA8\x0A\x19
    
    [---- TCP
    SRC: 179 DST: 11001 SEQ: 3610976348 ACK: 200639118 HLEN: 20 FlAGS: PA WIN: 16339
    CSUM: 14248
    \x00\xB3\x2A\xF9\xD7\x3B\x20\x5C\x0B\xF5\x82\x8E\x50\x18\x3F\xD3\x37\xA8\x00\x00
    
    [--- APPLICATION
    \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x1D\x01\x04\x00\x64\x00\xB4\xA9\xD5\x59\xF7\x00
    
    
    Now you just paste the application payload:
    # dnet hex "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x1D\x01\x04\x00\x64\x00\xB4\xA9\xD5\x59\xF7\x00" | nc 127.0.0.1 179
    

    So the output in tethereal would be:

    
    Frame 4 (95 bytes on wire, 95 bytes captured)
        Arrival Time: May 12, 2003 17:35:41.750849000
        Time delta from previous packet: 0.023761000 seconds
        Time relative to first packet: 0.024106000 seconds
        Frame Number: 4
        Packet Length: 95 bytes
        Capture Length: 95 bytes
    Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
        Destination: 00:00:00:00:00:00 (00:00:00:00:00:00)
        Source: 00:00:00:00:00:00 (00:00:00:00:00:00)
        Type: IP (0x0800)
    Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 81
        Identification: 0xa7f9
        Flags: 0x04
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 64
        Protocol: TCP (0x06)
        Header checksum: 0x94ab (correct)
        Source: 127.0.0.1 (127.0.0.1)
        Destination: 127.0.0.1 (127.0.0.1)
    Transmission Control Protocol, Src Port: 34566 (34566), Dst Port: 179 (179), Seq: 1097229384, Ack: 1091345564, Len: 29
        Source port: 34566 (34566)
        Destination port: 179 (179)
        Sequence number: 1097229384
        Next sequence number: 1097229413
        Acknowledgement number: 1091345564
        Header length: 32 bytes
        Flags: 0x0018 (PSH, ACK)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...1 .... = Acknowledgment: Set
            .... 1... = Push: Set
            .... .0.. = Reset: Not set
            .... ..0. = Syn: Not set
            .... ...0 = Fin: Not set
        Window size: 32767
        Checksum: 0x5e00 (correct)
        Options: (12 bytes)
            NOP
            NOP
            Time stamp: tsval 17744818, tsecr 17744816
    Border Gateway Protocol
    
        OPEN Message
            Marker: 16 bytes
            Length: 29 bytes
            Type: OPEN Message (1)
            Version: 4
            My AS: 100
            Hold time: 180
            BGP identifier: 169.213.89.247
            Optional parameters length: 0 bytes
    
    
    
    
    07:59:45.875087 IP 127.0.0.1.33172 > 127.0.0.1.179: P 1:48(47) ack 1 win 32767 <
    nop,nop,timestamp 560183 560182>: BGP, length: 47
            Open Message (1), length: 45
              Version 4, my AS 888, Holdtime 180s, ID 192.168.10.50
              Optional parameters, length: 16
                Option Capabilities Advertisement (2), length: 6
                  Multiprotocol Extensions, length: 4
                    AFI IPv4 (1), SAFI Unicast (1)
                Option Capabilities Advertisement (2), length: 2
                  Unknown, length: 56
                    no decoder for Capability 120
                Option Unknown (48), length: 0
                  no decoder for option 48
                 Option 2, length: 2 (DF)
    0x0000   4500 0063 da0e 4000 4006 6284 7f00 0001        E..c..@.@.b.....
    0x0010   7f00 0001 8194 00b3 257e 563b 25bd 0603        ........%~V;%...
    0x0020   8018 7fff 8d5c 0000 0101 080a 0008 8c37        .....\.........7
    0x0030   0008 8c36 ffff ffff ffff ffff ffff ffff        ...6............
    0x0040   ffff ffff 002d 0104 0378 00b4 c0a8 0a32        .....-...x.....2
    0x0050   1002 0601 0400 0100 0102 0278 3830 0002        ...........x80..
    0x0060   0202 00 
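    As an added check (example code written for this page, not part of iplayer or ipgrab), the following Python decodes both captured OPEN payloads above, the AS 100 one and the AS 888 one with optional parameters, and reports the inconsistencies that tcpdump only hints at: the 45-byte length field on a 47-byte message and capability 120 claiming 56 bytes it does not have.

```python
import struct
from ipaddress import IPv4Address

# Both OPEN payloads above (TCP data only), copied from the page's captures.
OPEN_AS100 = bytes.fromhex("ff" * 16 + "001d0104006400b4a9d559f700")
OPEN_AS888 = bytes.fromhex("ff" * 16 + "002d0104037800b4c0a80a3210"
                           "020601040001000102027838300002020200")

def parse_open(buf):
    """Decode a BGP OPEN (RFC 4271 layout) and collect anything that does not add up."""
    out = {"problems": [], "capabilities": []}
    if len(buf) < 29 or buf[:16] != b"\xff" * 16:
        out["problems"].append("bad marker or message shorter than 29 bytes")
        return out
    length, msg_type = struct.unpack("!HB", buf[16:19])
    if msg_type != 1:
        out["problems"].append(f"type {msg_type} is not OPEN")
        return out
    if length != len(buf):  # tcpdump showed 47 bytes carrying a length field of 45
        out["problems"].append(f"length field says {length}, got {len(buf)} bytes")
    ver, asn, hold, ident, opt_len = struct.unpack("!BHHIB", buf[19:29])
    out.update(version=ver, my_as=asn, hold_time=hold, bgp_id=str(IPv4Address(ident)))
    if 29 + opt_len > len(buf):
        out["problems"].append("optional parameters run past the end of the message")
    params, pos = buf[29:29 + opt_len], 0
    while pos + 2 <= len(params):          # each parameter: type(1) length(1) value
        ptype, plen = params[pos], params[pos + 1]
        body = params[pos + 2:pos + 2 + plen]
        if len(body) < plen:
            out["problems"].append(f"parameter type {ptype} truncated ({len(body)}/{plen} bytes)")
            break
        if ptype == 2:                      # Capabilities Advertisement (RFC 5492)
            cpos = 0
            while cpos + 2 <= len(body):    # each capability: code(1) length(1) value
                code, clen = body[cpos], body[cpos + 1]
                cbody = body[cpos + 2:cpos + 2 + clen]
                out["capabilities"].append((code, clen, cbody.hex()))
                if len(cbody) < clen:
                    out["problems"].append(f"capability {code} claims {clen} bytes, has {len(cbody)}")
                    break
                cpos += 2 + clen
        else:
            out["problems"].append(f"unknown optional parameter type {ptype}")
        pos += 2 + plen
    return out

if __name__ == "__main__":
    for msg in (OPEN_AS100, OPEN_AS888):
        print(parse_open(msg))
```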
    
    

    For another example, suppose you need to generate an SSL ClientHello, the first message in the SSL handshake and the first packet after the TCP 3-way handshake. Here is the exchange as tcpdump shows it:

    
    21:50:25.651111 192.168.0.230.2798 > 192.168.1 .24.443: S 2776748878:2776748878(0) wi
    n 16060  (DF)
    0x0000   4500 003c 4baa 4000 4006 90ea 0a14 00e6        E...{...........
    0x0030   000a a9ed 0000 0000 0103 0300                  ............
    21:50:25.839591 192.168.1 .24.443 > 192.168.0.230.2798: S 1134979098:1134979098(0) ac
    k 2776748879 win 17376 
    0x0000   4500 0040 70eb 0000 2f06 bca5 ac15 a718        E..@p.../.......
    0x0010   0a14 00e6 01bb 0aee 43a6 681a a581 d34f        ........C.h....O
    0x0020   b012 43e0 09c4 0000 0204 05b4 0101 0402        ..C.............
    0x0030   0103 0300 0101 080a 0055 ae9d 000a a9ed        .........U......
    0x0040   5689 4c73                                      V.Ls
    21:50:25.839652 192.168.0.230.2798 > 192.168.1 .24.443: . ack 1 win 16060  (DF)
    0x0000   4500 0034 4bac 4000 4006 90f0 0a14 00e6        E..4K.@.@.......
    0x0010   ac15 a718 0aee 01bb a581 d34f 43a6 681b        ...........OC.h.
    0x0020   8010 3ebc 4fa1 0000 0101 080a 000a a9ff        ..>.O...........
    0x0030   0055 ae9d                                      .U..
    21:50:25.840106 192.168.0.230.2798 > 192.168.1 .24.443: P 1:73(72) ack 1 win 16060  (DF)
    0x0000   4500 007c 4bad 4000 4006 90a7 0a14 00e6        E..|K.@.@.......
    0x0010   ac15 a718 0aee 01bb a581 d34f 43a6 681b        ...........OC.h.
    0x0020   8018 3ebc b8de 0000 0101 080a 000a a9ff        ..>.............
    0x0030   0055 ae9d 8046 0103 0100 2d00 0000 1001        .U...F....-.....
    0x0040   0080 0700 c003 0080 0600 4002 0080 0400        ..........@.....
    0x0050   8000 0004 00fe ff00 000a 00fe fe00 0009        ................
    0x0060   0000 6400 0062 0000 0300 0006 11d1 0e76        ..d..b.........v
    0x0070   979a c8f4 8494 0abc 2875 a587                  ........(u..
    
    SSLDump Output
    
    1 1  0.1889 (0.1889)  C>S SSLv2 compatible client hello
      Version 3.1 
      cipher suites
      SSL2_CK_RC4  
      SSL2_CK_3DES  
      SSL2_CK_RC2  
      SSL2_CK_DES  
      SSL2_CK_RC4_EXPORT40  
      SSL2_CK_RC2_EXPORT40  
      TLS_RSA_WITH_RC4_128_MD5  
      Unknown value 0xfeff  
      TLS_RSA_WITH_3DES_EDE_CBC_SHA  
      Unknown value 0xfefe  
      TLS_RSA_WITH_DES_CBC_SHA  
      TLS_RSA_EXPORT1024_WITH_RC4_56_SHA  
      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA  
      TLS_RSA_EXPORT_WITH_RC4_40_MD5  
      TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
      Packet data[72]=
        80 46 01 03 01 00 2d 00 00 00 10 01 00 80 07 00 
        c0 03 00 80 06 00 40 02 00 80 04 00 80 00 00 04 
        00 fe ff 00 00 0a 00 fe fe 00 00 09 00 00 64 00 
        00 62 00 00 03 00 00 06 11 d1 0e 76 97 9a c8 f4 
        84 94 0a bc 28 75 a5 87 
    
    Default iplayer output (TCP & APPLICATION LAYER)
    
    [---- TCP
    SRC: 2798 DST: 443 SEQ: 2776748879 ACK: 1134979099 HLEN: 32 FlAGS: PA WIN: 16060
    CSUM: 47326
    0a ee 01 bb a5 81 d3 4f 43 a6 68 1b 80 18 3e bc b8 de 00 00 01 01 08 0a 00 0a a9 ff 00 55 ae 9d 
    
    [--- DATA
    80 46 1 3 1 0 2d 0 0 0 10 1 0 80 7 0 c0 3 0 80 6 0 40 2 0 80 4 0 80 0 0 4 0 fe ff 0 0 a 0 fe fe 0 0 9 0 0 64 0 0 62 0 0 3 0 0 6 11 d1 e 76 97 9a c8 f4 84 94 a bc 28 75 a5 87 
    
    So this doesn't help us much, but let's change the output so that the application layer is ready to paste into a NASL script:
    
    #iplayer -s 2 -r ssl
    
      
    [---- TCP
    SRC: 2798 DST: 443 SEQ: 2776748879 ACK: 1134979099 HLEN: 32 FlAGS: PA WIN: 16060
    CSUM: 47326
    0x0a,0xee,0x01,0xbb,0xa5,0x81,0xd3,0x4f,0x43,0xa6,0x68,0x1b,0x80,0x18,0x3e,0xbc,0xb8,0xde,0x00,0x00,0x01,0x01,0x08,0x0a,0x00,0x0a,0xa9,0xff,0x00,0x55,0xae,0x9d,
    
    [--- DATA
    0x80,0x46,0x1,0x3,0x1,0x0,0x2d,0x0,0x0,0x0,0x10,0x1,0x0,0x80,0x7,0x0,0xc0,0x3,0x0,0x80,0x6,0x0,0x40,0x2,0x0,0x80,0x4,0x0,0x80,0x0,0x0,0x4,0x0,0xfe,0xff,0x0,0x0,0xa,0x0,0xfe,0xfe,0x0,0x0,0x9,0x0,0x0,0x64,0x0,0x0,0x62,0x0,0x0,0x3,0x0,0x0,0x6,0x11,0xd1,0xe,0x76,0x97,0x9a,0xc8,0xf4,0x84,0x94,0xa,0xbc,0x28,0x75,0xa5,0x87,
    
    
    [ssl-clienthello.nasl]
    
    a = raw_string(0x80,0x46,0x1,0x3,0x1,0x0,0x2d,0x0,0x0,0x0,0x10,0x1,0x0,0x80,0x7,0x0,0xc0,0x3,0x0,0x80,0x6,0x0,0x40,0x2,0x0,0x80,0x4,0x0,0x80,0x0,0x0,0x4,0x0,0xfe,0xff,0x0,0x0,0xa,0x0,0xfe,0xfe,0x0,0x0,0x9,0x0,0x0,0x64,0x0,0x0,0x62,0x0,0x0,0x3,0x0,0x0,0x6,0x11,0xd1,0xe,0x76,0x97,0x9a,0xc8,0xf4,0x84,0x94,0xa,0xbc,0x28,0x75,0xa5,0x87);
    
    # send the captured ClientHello ten times and show whatever the server answers
    for (i = 0; i < 10; i++)
    {
        soc = open_sock_tcp(443);
        if (soc)
        {
            send(socket:soc, data:a);
            r = recv(socket:soc, length:1024);
            display(r, "\n");
            close(soc);
        }
    }
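    Before pasting a captured ClientHello into a script it is worth decoding it. Here is an added Python parser (not from the page, ssldump or Nessus) for the 2-byte-header SSLv2 CLIENT-HELLO format, run over the 72 bytes captured above; the cipher-spec names are taken from the SSLv2 and TLS registries, and anything unlisted is reported as hex, as ssldump does.

```python
import struct

# The 72-byte SSLv2-compatible ClientHello from the capture above (ssldump "Packet data[72]").
CLIENT_HELLO = bytes.fromhex(
    "8046010301002d000000100100800700"
    "c0030080060040020080040080000004"
    "00feff00000a00fefe00000900006400"
    "006200000300000611d10e76979ac8f4"
    "84940abc2875a587"
)

# Cipher specs are 3 bytes: SSLv2 kinds use all three, SSLv3/TLS suites are 00 xx yy.
# Anything not listed is reported as hex, like ssldump's "Unknown value".
NAMES = {
    "010080": "SSL2_RC4_128_WITH_MD5", "0700c0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    "030080": "SSL2_RC2_128_CBC_WITH_MD5", "060040": "SSL2_DES_64_CBC_WITH_MD5",
    "020080": "SSL2_RC4_128_EXPORT40_WITH_MD5", "040080": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    "000004": "TLS_RSA_WITH_RC4_128_MD5", "00000a": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "000009": "TLS_RSA_WITH_DES_CBC_SHA", "000064": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "000062": "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", "000003": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "000006": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}

def parse_sslv2_client_hello(buf):
    """Decode a 2-byte-header SSLv2 CLIENT-HELLO; raise on any length that does not add up."""
    if len(buf) < 11 or not buf[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    rec_len = struct.unpack("!H", buf[:2])[0] & 0x7FFF   # high bit set = no padding byte
    if rec_len != len(buf) - 2:
        raise ValueError(f"record length {rec_len} != {len(buf) - 2} bytes of body")
    msg_type, version, cs_len, sid_len, chal_len = struct.unpack("!BHHHH", buf[2:11])
    if msg_type != 1:
        raise ValueError(f"message type {msg_type} is not CLIENT-HELLO")
    if cs_len % 3 or 11 + cs_len + sid_len + chal_len != len(buf):
        raise ValueError("cipher-spec, session-id and challenge lengths do not add up")
    specs = [buf[i:i + 3].hex() for i in range(11, 11 + cs_len, 3)]
    sid_start = 11 + cs_len
    return {
        "version": version,            # 0x0301, shown by ssldump as "Version 3.1"
        "ciphers": [NAMES.get(s, "unknown " + s) for s in specs],
        "export_ciphers": sum("EXPORT" in NAMES.get(s, "") for s in specs),
        "session_id": buf[sid_start:sid_start + sid_len],
        "challenge": buf[sid_start + sid_len:],
    }

if __name__ == "__main__":
    hello = parse_sslv2_client_hello(CLIENT_HELLO)
    print(f"{len(hello['ciphers'])} cipher specs offered, {hello['export_ciphers']} export-grade")
```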
    

    Building an ISAKMP Main Mode Proposal with iplayer and sendip

    
      1   192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
      2   192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
      3   192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
      4   192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
      5   192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
      6   192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
      7   192.168.0.203 -> 192.168.1.235 ISAKMP Quick Mode
      8   192.168.1.235 -> 192.168.0.203 ISAKMP Quick Mode
      9   192.168.0.203 -> 192.168.1.235 ISAKMP Quick Mode
     10   192.168.0.203 -> 192.168.1.235 ESP ESP (SPI=0x806e9107)
     11   192.168.1.235 -> 192.168.0.203 ESP ESP (SPI=0x4ce84d44)
    
    Now here's the first packet:
    User Datagram Protocol
        Source port: 500 (500)
        Destination port: 500 (500)
        Length: 184
        Checksum: 0xb981 (correct)
    Internet Security Association and Key Management Protocol
        Initiator cookie
        Responder cookie
        Next payload: Security Association (1)
        Version: 1.0
        Exchange type: Identity Protection (Main Mode) (2)
        Flags
            .... ...0 = No encryption
            .... ..0. = No commit
            .... .0.. = No authentication
        Message ID: 0x00000000
        Length: 176
        Security Association payload
            Next payload: NONE (0)
            Length: 148
            Domain of interpretation: IPSEC (1)
            Situation: IDENTITY (1)
            Proposal payload
                Next payload: NONE (0)
                Length: 136
                Proposal number: 0
                Protocol ID: ISAKMP (1)
                SPI size: 0
                Number of transforms: 4
                Transform payload
                    Next payload: Transform (3)
                    Length: 32
                    Transform number: 0
                    Transform ID: KEY_IKE (1)
                    Life-Type (11): Seconds (1)
                    Life-Duration (12): Duration-Value (3600)
                    Encryption-Algorithm (1): 3DES-CBC (5)
                    Hash-Algorithm (2): SHA (2)
                    Authentication-Method (3): PSK (1)
                    Group-Description (4): Group-Value (2)
                Transform payload
                    Next payload: Transform (3)
                    Length: 32
                    Transform number: 1
                    Transform ID: KEY_IKE (1)
                    Life-Type (11): Seconds (1)
                    Life-Duration (12): Duration-Value (3600)
                    Encryption-Algorithm (1): 3DES-CBC (5)
                    Hash-Algorithm (2): MD5 (1)
                    Authentication-Method (3): PSK (1)
                    Group-Description (4): Group-Value (2)
                Transform payload
                    Next payload: Transform (3)
                    Length: 32
                    Transform number: 2
                    Transform ID: KEY_IKE (1)
                    Life-Type (11): Seconds (1)
                    Life-Duration (12): Duration-Value (3600)
                    Encryption-Algorithm (1): 3DES-CBC (5)
                    Hash-Algorithm (2): MD5 (1)
                    Authentication-Method (3): PSK (1)
                    Group-Description (4): Group-Value (1)
                Transform payload
                    Next payload: NONE (0)
                    Length: 32
                    Transform number: 3
                    Transform ID: KEY_IKE (1)
                    Life-Type (11): Seconds (1)
                    Life-Duration (12): Duration-Value (3600)
                    Encryption-Algorithm (1): 3DES-CBC (5)
                    Hash-Algorithm (2): SHA (2)
                    Authentication-Method (3): PSK (1)
                    Group-Description (4): Group-Value (1)
    
       0  0010 0dd4 0800 00a0 c919 6b91 0800 4500   ..........k...E. 
      10  00cc 5730 0000 4011 7e0f ac15 a6cb ac15   ..W0..@.~....... 
      20  a5eb 01f4 01f4 00b8 b981 f35c 1dea 6e81   ...........\..n. 
      30  cf0a 0000 0000 0000 0000 0110 0200 0000   ................ 
      40  0000 0000 00b0 0000 0094 0000 0001 0000   ................ 
      50  0001 0000 0088 0001 0004 0300 0020 0001   ............. .. 
      60  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
      70  0002 8003 0001 8004 0002 0300 0020 0101   ............. .. 
      80  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
      90  0001 8003 0001 8004 0002 0300 0020 0201   ............. .. 
      a0  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
      b0  0001 8003 0001 8004 0001 0000 0020 0301   ............. .. 
      c0  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
      d0  0002 8003 0001 8004 0001                  .......... 
    
    
    
    # sendip 192.168.0.1 -p UDP -ud 500 -us 500 -d F35C1DEA6E81CF0A00000000000000000110020000000000000000B000000094000000010000000100000088000100040300002000010000800B0001800C0E10800100058002000280030001800400020300002001010000800B0001800C0E10800100058002000180030001800400020300002002010000800B0001800C0E10800100058002000180030001800400010000002003010000800B0001800C0E1080010005800200028003000180040001
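    The bytes handed to sendip above decode as follows. This is an added Python check (not iplayer's or sendip's code) that walks the ISAKMP header, SA payload, proposal and the four transforms, so the replayed proposal can be compared against the ethereal decode before it is sent.

```python
import struct

# The ISAKMP bytes the page feeds to sendip -d (UDP payload only), copied from the page.
MAIN_MODE_SA = bytes.fromhex(
    "f35c1dea6e81cf0a" "0000000000000000"   # initiator cookie, responder cookie (zero)
    "01100200" "00000000" "000000b0"         # next=SA(1), ver 1.0, Main Mode(2), flags, msg id, len 176
    "00000094" "00000001" "00000001"         # SA payload: len 148, DOI IPSEC(1), situation IDENTITY(1)
    "00000088" "00010004"                    # proposal: len 136, #0, proto ISAKMP(1), SPI size 0, 4 transforms
    "0300002000010000800b0001800c0e1080010005800200028003000180040002"
    "0300002001010000800b0001800c0e1080010005800200018003000180040002"
    "0300002002010000800b0001800c0e1080010005800200018003000180040001"
    "0000002003010000800b0001800c0e1080010005800200028003000180040001"
)

def parse_attributes(buf):
    """IKEv1 data attributes: TV (high bit set, 2-byte value) or TLV (2-byte length, then value)."""
    attrs, pos = {}, 0
    while pos + 4 <= len(buf):
        atype, val = struct.unpack("!HH", buf[pos:pos + 4])
        if atype & 0x8000:
            attrs[atype & 0x7FFF] = val
            pos += 4
        else:
            attrs[atype] = int.from_bytes(buf[pos + 4:pos + 4 + val], "big")
            pos += 4 + val
    return attrs

def parse_main_mode_sa(buf):
    """Walk ISAKMP header -> SA payload -> proposal -> transforms; raise on inconsistent lengths."""
    if len(buf) < 48:
        raise ValueError("too short for ISAKMP header + SA + proposal")
    nxt, _ver, exch, _flags, _msg_id, length = struct.unpack("!BBBBII", buf[16:28])
    if length != len(buf) or nxt != 1 or exch != 2:
        raise ValueError("not a Main Mode message whose first payload is an SA")
    _sa_next, _, sa_len, doi, situation = struct.unpack("!BBHII", buf[28:40])
    _p_next, _, p_len, _p_num, proto, spi_size, n_trans = struct.unpack("!BBHBBBB", buf[40:48])
    if 28 + sa_len != len(buf) or 12 + p_len != sa_len:
        raise ValueError("SA/proposal lengths do not add up")
    transforms, pos = [], 48 + spi_size
    for _i in range(n_trans):
        if pos + 8 > len(buf):
            raise ValueError(f"proposal announces {n_trans} transforms but data ran out")
        _t_next, _, t_len, t_num, _t_id = struct.unpack("!BBHBB", buf[pos:pos + 6])
        a = parse_attributes(buf[pos + 8:pos + t_len])   # attributes follow 2 reserved bytes
        transforms.append({"num": t_num, "enc": a.get(1), "hash": a.get(2), "auth": a.get(3),
                           "group": a.get(4), "life_type": a.get(11), "life": a.get(12)})
        pos += t_len
    return {"doi": doi, "situation": situation, "protocol": proto, "transforms": transforms}
```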