Penetration Testing

Replay captured UDP traffic

There are a number of situations where an engagement will demand testing the communication between two or more services, applications and/or clients. This will require you to put your wired card (NIC) or your wireless card (WNIC) in promiscuous (promisc) mode. Putting your network card in promisc/monitoring mode will instruct it to pass all network traffic it receives to the OS kernel. You will then be able to capture data/packets in transit on the network, that were not intended to be delivered to your MAC address (packet sniffing).

In this post we will show you how to put your wired network card in promisc mode, capture UDP packets using Wireshark and replay these captured UDP packets using udpreplay tool.

UDP Protocol

UDP uses a simple connectionless communication model with a minimum of protocol mechanisms. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram. It has no handshaking dialogues, and thus exposes the user’s program to any unreliability of the underlying network; there is no guarantee of delivery, ordering, or duplicate protection. UDP is suitable for purposes where error checking and correction are either not necessary or are performed in the application; UDP avoids the overhead of such processing in the protocol stack. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for packets delayed due to retransmission, which may not be an option in a real-time system.

https://en.wikipedia.org/wiki/User_Datagram_Protocol

Network interface controller

A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network. Early network interface controllers were commonly implemented on expansion cards that plugged into a computer bus. The low cost and ubiquity of the Ethernet standard means that most newer computers have a network interface built into the motherboard. Modern network interface controllers offer advanced features such as interrupt and DMA interfaces to the host processors, support for multiple receive and transmit queues, partitioning into multiple logical interfaces, and on-controller network traffic processing such as the TCP offload engine.

https://en.wikipedia.org/wiki/Network_interface_controller

Wireless network interface controller

A wireless network interface controller (WNIC) is a network interface controller which connects to a wireless radio-based computer network, rather than a wired network, such as Token Ring or Ethernet. A WNIC, just like other NICs, works on the Layer 1 and Layer 2 of the OSI Model. This card uses an antenna to communicate via microwave radiation. A WNIC in a desktop computer is traditionally connected using the PCI bus. Other connectivity options are USB and PC card. Integrated WNICs are also available. Early wireless network interface controllers were commonly implemented on expansion cards that plugged into a computer bus. The low cost and ubiquity of the Wi-Fi standard means that many newer mobile computers have a wireless network interface built into the motherboard. The term is usually applied to IEEE 802.11 adapters; it may also apply to a NIC using protocols other than 802.11, such as one implementing Bluetooth connections.

https://en.wikipedia.org/wiki/Wireless_network_interface_controller

Promiscuous mode

Promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing that takes place on a router or on a computer connected to a wired network or one being part of a wireless LAN. Interfaces are placed into promiscuous mode by software bridges often used with hardware virtualization. In IEEE 802 networks such as Ethernet or IEEE 802.11, each frame includes a destination MAC address. In non-promiscuous mode, when a NIC receives a frame, it drops it unless the frame is addressed to that NIC’s MAC address or is a broadcast or multicast addressed frame. In promiscuous mode, however, the NIC allows all frames through, thus allowing the computer to read frames intended for other machines or network devices.

https://en.wikipedia.org/wiki/Promiscuous_mode

Wireshark – network protocol analyzer

Wireshark is a network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It has a rich feature set which includes the following:

  • Deep inspection of hundreds of protocols.
  • Live capture and offline analysis.
  • Standard three-pane packet browser.
  • Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others.
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.
  • Rich VoIP analysis.
  • Read/write many different capture file formats.
  • Capture files compressed with gzip can be decompressed on the fly.
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others.
  • Decryption support for many protocols.

https://www.wireshark.org/

Udpreplay – Replaying UDP unicast and multicast streams

Udpreplay is a lightweight alternative to tcpreplay for replaying UDP unicast and multicast streams from a pcap file.

https://github.com/rigtorp/udpreplay

Usage

usage: udpreplay [-i iface] [-l] [-s speed] [-c millisec] [-r repeat] [-t ttl] pcap

  -i iface    interface to send packets through
  -l          enable loopback
  -c millisec constant milliseconds between packets
  -r repeat   number of times to loop data
  -s speed    replay speed relative to pcap timestamps
  -t ttl      packet ttl
  -b          enable broadcast (SO_BROADCAST)

Example

udpreplay -i <interface> -c <milliseconds> -r <loop> capture-packets.pcapng

Put wired card in Promisc Mode

If you run the following command, you will normally get a list of all your network cards available in the system. None of them will be in promiscuous mode.

ip a

If you now execute the following command you will put your wired network card in promisc mode.

sudo ifconfig <interface> promisc

Capture UDP network packets

Run your installed Wireshark as root, choose a network interface and apply “UDP” filter.

sudo wireshark

Save captured UDP packets to pcap file

Click File -> Export Specified Packets…

Replay captured UDP packets

To replay the UDP captured packets e.g. 10 times, all you have to do is running the following command.

sudo ./udpreplay -i <interface> -c 1000 -r 10 udp-packets.pcapng
  • -i <interface>: interface to send packets through
  • -c 1000: 1000 milliseconds between packets
  • -r 10: loop data 10 times
  • udp-packets.pcapng: pcap file