Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





 Post subject: Modifying Packets
PostPosted: 20 Mar 2011 21:57 

Joined: 27 Apr 2009 20:14
Posts: 19
Hello,

I have been trying to modify packets for quite a while and for this I have used tools like WPEpro, redox packet editor (kinda like wpe but more advanced) and of course your Proxocket, although it's a bit too advanced for me, I'm not a coder.

What I am trying to do now is modify a packet's header (or whatever it's called, the string BEFORE any other data). E.g. I'd like to change the flag on an incoming packet, e.g. FIN

Please see the pic...this is the empty packet with no data except the header, and WPE or redox don't seem to pick up on it at all, as it is not among the sniffed packets, but wireshark does and this is the screencap. If I would like to change say the FIN value to "not set" how would I do that?

Image


 Post subject: Re: Modifying Packets
PostPosted: 20 Mar 2011 22:25 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I understand what you mean but it's a too low level thing so the normal program can't reach it but you can reach the same effect in other ways.

it's clear that in your case you want that a connection gets closed when you receive a certain packet so you can do the same by setting the size of the packet to 0 or setting all its content to 0 or other bad values.

anyway remember that it's a tcp stream so you will never receive the packets as you expect, the rule for the tcp streams is that you can even receive the data 1 byte per packet making it really hard to make a filter (you should rebuild the whole packet and then check the filter, terrible).
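The point above about TCP being a byte stream, as an added example (not code from this thread or from Proxocket): a filter that inspects each received chunk on its own misses a pattern split across chunks, while one that carries over the last bytes of the previous chunk does not. The `ALERT` marker, the sample data and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Naive filter: looks for the pattern inside one recv() chunk on its own. */
static int naive_match(const char *chunk, size_t len, const char *pat) {
    size_t n = strlen(pat);
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(chunk + i, pat, n) == 0) return 1;
    return 0;
}

/* Stream filter: keeps the last strlen(pat)-1 bytes of earlier chunks so a
   pattern split across chunk boundaries is still seen. */
typedef struct { char tail[64]; size_t tail_len; } stream_filter;
static int stream_match(stream_filter *f, const char *chunk, size_t len, const char *pat) {
    char buf[64 + 256];
    size_t n = strlen(pat), keep;
    if (n == 0 || n > sizeof f->tail || len > 256) return -1; /* demo limits */
    memcpy(buf, f->tail, f->tail_len);
    memcpy(buf + f->tail_len, chunk, len);
    size_t total = f->tail_len + len;
    int hit = naive_match(buf, total, pat);
    keep = total < n - 1 ? total : n - 1;
    memcpy(f->tail, buf + total - keep, keep);
    f->tail_len = keep;
    return hit;
}

/* Feeds the same bytes in fixed-size pieces, as TCP may deliver them; returns hits. */
static int scan(const char *data, size_t piece, const char *pat, int use_stream) {
    stream_filter f = {{0}, 0};
    size_t len = strlen(data);
    int hits = 0;
    for (size_t off = 0; off < len; off += piece) {
        size_t n = len - off < piece ? len - off : piece;
        hits += (use_stream ? stream_match(&f, data + off, n, pat)
                            : naive_match(data + off, n, pat)) > 0;
    }
    return hits;
}

int main(void) {
    const char *data = "seq=1;ALERT;seq=2;data;"; /* constructed sample stream */
    size_t sizes[] = {64, 8, 1};
    for (int i = 0; i < 3; i++)
        printf("piece=%zu naive=%d stream=%d\n", sizes[i],
               scan(data, sizes[i], "ALERT", 0), scan(data, sizes[i], "ALERT", 1));
    return 0;
}
```
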


 Post subject: Re: Modifying Packets
PostPosted: 21 Mar 2011 17:33 

Joined: 27 Apr 2009 20:14
Posts: 19
aluigi wrote:
it's clear that in your case you want that a connection gets closed when you receive a certain packet so you can do the same by setting the size of the packet to 0 or setting all its content to 0 or other bad values.


Actually I don't want the connection to get closed, in this case FIN set to 1 will close it (this is from a flash based chat), and I am trying to change it to something else so the chat app doesn't see the kick command which I believe is just that FIN value 1.

I have nothing against blocking this type of empty packets by other means, but it looks like I won't be able to do it in wpe or similar tools, or maybe I can?
I remember using your proxocket before too, compiled it OK and used for some other stuff, but I am not sure how to achieve this type of thing. So if I may ask you for the piece of code that would be doing this, it would be really great.

Thanks again


 Post subject: Re: Modifying Packets
PostPosted: 21 Mar 2011 23:13 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
FIN and RST close the connection, so the filtering of the content of the packet is the only choice


 Post subject: Re: Modifying Packets
PostPosted: 22 Mar 2011 11:40 

Joined: 27 Apr 2009 20:14
Posts: 19
aluigi wrote:
FIN and RST close the connection, so the filtering of the content of the packet is the only choice

I'm not sure I understand. There is no content besides what's on the pic. There is no data after the TCP info. Is there a way to modify this kind of packet (change the FIN value)?


 Post subject: Re: Modifying Packets
PostPosted: 23 Mar 2011 02:21 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm there is something I don't understand.
a FIN packet without content is used to terminate the connection but maybe I'm watching the thing from another point of view.

in short I thought you were referring to receiving a FIN packet while I guess that you refer to your program that sends the FIN packet for terminating the connection and instead you want to keep it up, right?

uhmmm in that case I guess it's easy to avoid the calling of closesocket in the program


 Post subject: Re: Modifying Packets
PostPosted: 23 Mar 2011 22:45 

Joined: 27 Apr 2009 20:14
Posts: 19
aluigi wrote:
in short I thought you were referring to receiving a FIN packet while I guess that you refer to your program that sends the FIN packet for terminating the connection and instead you want to keep it up, right?

My mistake, I should have said from the beginning that the packet on the pic is a Recv packet.
So they send it and the flash app on my end terminates the connection, but it first sends a couple of packets back to the server (also with FIN=1 and ACK=1). One final packet from their server with ACK=1 is sent to me and that's the last packet with this remote port (always 7666), after that you're disconnected.
And yes, I would like to keep the connection up. Any ideas?


 Post subject: Re: Modifying Packets
PostPosted: 02 Apr 2011 16:00 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
ehehe not really your field Luigi, is it :)

you should have said from beginning that you are trying to make "anti ban/kick" hack in flash based chatroom.
where is that chat running ? in web browser ?
use paros proxy, burp suite or webscarab. it should do the trick. for example i used paros proxy to make permanent filter to have admin rights in ANY "tufat flashchat" i visited.

what's wrong with WPE pro and/or redox ? they should be able to see this kind of info.

you're also using gay wireshark, use commview. it's much easier to understand and it has way better filters/rules (live rules, you don't have to start/stop capture to set rules, they take effect as soon as you set them).


 Post subject: Re: Modifying Packets
PostPosted: 07 Apr 2011 15:38 

Joined: 27 Apr 2009 20:14
Posts: 19
Sethioz wrote:
you should have said from beginning that you are trying to make "anti ban/kick" hack in flash based chatroom.
where is that chat running ? in web browser ?

Yes
Quote:
use paros proxy, burp suite or webscarab. it should do the trick. for example i used paros proxy to make permanent filter to have admin rights in ANY "tufat flashchat" i visited.

I use burpsuite and i used paros and webscarab. I use them for http interception. This is udp/tcp stuff. If it can be intercepted and modified by those tools, please tell me how, I'd be grateful. My goal is not to have admin rights, just to bounce off/modify the kick packet
Quote:
what's wrong with WPE pro and/or redox ? they should be able to see this kind of info.

Nothing is wrong with WPEpro except that it doesn't "see" the crucial packet and hence it can't modify it. It's an empty, header only, packet. Look above
Quote:
you're also using gay wireshark, use commview. it's much easier to understand and it has way better filters/rules (live rules, you don't have to start/stop capture to set rules, they take effect as soon as you set them).

Not the issue here, wireshark can catch this crucial packet and that's all I need it for here. I know commview is cool, btw do you have % of their sales? ;)


 Post subject: Re: Modifying Packets
PostPosted: 07 Apr 2011 16:05 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Quote:
I know commview is cool, btw do you have % of their sales? ;)

ih ih ih sometimes I have the same suspicion too :)


 Post subject: Re: Modifying Packets
PostPosted: 08 Apr 2011 19:50 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
i assume Luigi does not want this discussion here, post it on my forum and i'll see to it.
post all details. start with website (full link to that thingy) and post what you have done, including the packet you are trying to capture, intercept and modify.
so i can start where you left off.

however it might take some time, i had some pc issues due to the fucking blackouts and i'm on gay7 now. don't have my tools ready.
Quote:
I know commview is cool, btw do you have % of their sales? ;)


Quote:
ih ih ih sometimes I have the same suspicion too :)


ehehe very funny, but i should ask them :)
i just like commview and their support is on the level. once i reported one bug and their reply was something like "we will see to it right now and it will be fixed in new version" and new version was out few days later.

