OpenSource For You

Packet crafting techniques


As seen above, the whole idea behind packet crafting is to simulate an attack and observe how various network devices behave, in order to learn about their vulnerabilities. Crafting is typically used to penetrate firewalls and intrusion detection devices, but can also be used to attack Web servers and other application gateways. Now let’s discuss a few common packet crafting techniques.

Ping fragmentation: In this technique, instead of a standard ICMP ping packet, a malformed ping packet is created with more than 65535 bytes, which is the maximum allowed in a packet. This results in the destination system responding with an echo reply, which also consumes a larger packet frame and thus eventually results in a denial of service attack. One variant also sets an ACK flag in the packet, confusing the destination service, while in another type of attack, instead of a larger frame, a variable number of bytes is sent to overwhelm the system.
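A defender's view of the oversized-ping case above, as an added example that is not part of the original article: because the IPv4 total-length field is 16 bits, a datagram larger than 65535 bytes can only arrive as fragments, so the check is whether a fragment's offset plus its length would run past that limit on reassembly. The function names and the sample headers are constructed for illustration.

```python
import struct

MAX_IP_DATAGRAM = 65535  # limit imposed by the 16-bit IPv4 total-length field

def parse_ipv4(header: bytes) -> dict:
    """Extract the fields needed for the reassembly-size check."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", header[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header lengths")
    return {"proto": proto, "ihl": ihl, "payload_len": total_len - ihl,
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8}  # field counts 8-byte units

def oversized_on_reassembly(header: bytes) -> bool:
    """True if this fragment would push the reassembled datagram past 65535 bytes."""
    f = parse_ipv4(header)
    return f["ihl"] + f["frag_offset"] + f["payload_len"] > MAX_IP_DATAGRAM

def build_header(total_len: int, frag_offset: int, more_fragments: bool) -> bytes:
    """Constructed 20-byte ICMP-over-IPv4 header for the demo (checksum left at 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

# Constructed samples: (description, header)
SAMPLES = [
    ("ordinary echo request", build_header(84, 0, False)),
    ("last fragment ending exactly at 65535", build_header(415, 65120, False)),
    ("fragment running past 65535", build_header(1500, 65120, False)),
]

if __name__ == "__main__":
    for name, hdr in SAMPLES:
        verdict = "DROP/ALERT" if oversized_on_reassembly(hdr) else "ok"
        print(f"{name:40s} {verdict}")
```

The check is stateless, so it can run on each fragment as it arrives, before any reassembly buffer is allocated.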

Packet flag manipulation: As we discussed before, there are multiple fields in the TCP datagram. One of the fields contains flags or bits, which can be set programmatically. For example, a SYN flag can be set and the packet can be sent over the wire to a destination to establish a valid TCP communication. This is the healthy way of initiating a TCP handshake; however, it can be exploited by sending a RST or FIN packet instead, which can confuse the destination system. Older firewalls are known to be susceptible to FIN attacks, because they cannot properly differentiate between a valid packet and a bogus FIN packet. In another variant, a malformed SYN-ACK packet or ACK packet can cause a similar effect.

Packet duplication: Here, hackers capture a series of packets and simply re-send them over the network. This causes confusion at the destination system, which assumes that the previous session was not properly answered or terminated. A typical example of this attack is when a duplicate ACK or FIN packet is sent without modifying any other content of the packet frame. This method is commonly used in a denial of service attack.

Protocol manipulation: This is mainly used to test firewall vulnerabilities. Here the TCP and UDP flags are both set in a packet to confuse the firewall rule set. If the firewall is a recent one, it can identify such a packet as malformed and will simply drop it. However, on legacy firewalls, if there are multiple rules set to handle TCP and UDP packets, both rules get executed, causing an erroneous effect, which can lead to
