What is Packet Injection?
Every network equipment maker wants to test different features and to ensure that the equipment is not susceptible to (1) malicious attacks or (2) malfunctioning devices.
Packet injection is one of the ways to replay such message sequences from the client side and check the stability and security of the device under test. For example, you can send directed probe requests from the clients to test how well an AP can handle probes from several clients or from a single rogue client.
The open nature of wireless networks makes it easier for an attacker who is within range of the network to inject packets into the data stream of an application. Through this, the attacker may hijack a user session or mount a man-in-the-middle attack. Wireless technologies offer little or no protection for the users in the network against such scenarios.
Wireless packet injection tools are evolving rapidly and there are many tools providing different capabilities on different networks. So it is essential for network equipment vendors to test these scenarios.
SWAT WiCheck, a Wi-Fi multi-client simulator, provides packet injection as a traffic type, so that packets can be injected from multiple WiCheck clients simultaneously and the system tested.
To perform packet injection with WiCheck, we need a pcap file, which can be:
- Existing traces/pcaps or
- Existing traces with some parameters modified or
- A packet sequence that is created completely from scratch
Modification of parameters from existing Capture
To perform packet injection, we must be aware of packet editing tools so that we can edit pcap files as per the requirement.
Packet Capture editors
There are many packet editors available for editing pcap/pcapng files. A list of these can be found at https://wiki.wireshark.org/Tools in the section "Capture file editors and/or anonymizers".
Of these, WireEdit comes with a UI and requires a monthly subscription. Most of the other tools, like tcprewrite, are command-line packet editors.
In this post, we will discuss Scapy, a tool where you can create your own packets or edit packets using Python.
Scapy
Scapy is an easy-to-use Python module for editing pcap files. Below is an example of how to edit pcap files with Scapy.
For packet injection, we should first select the list of messages that are to be injected. This can easily be done in Wireshark by selecting the messages with a filter (source, destination, protocol, etc.).
Here is an example of a sample selected message.
Here the TCP packets selected are the ones from IP 192.168.0.132 to 192.168.0.10.
The MAC address of the machine with IP 192.168.0.132 is 02:06:57:00:00:00.
The MAC address of the machine with IP 192.168.0.10 is c8:9c:dc:d1:26:d6.
Now, using the Scapy program below, we can change the destination MAC address to ab:ab:ab:ab:ab:ab.
The program is then run from a Linux terminal:
# python change_mac.py
The output file looks as below.
There are many other fields that can be changed programmatically with Scapy.
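The destination-MAC rewrite described above, as an added example that is not the article's change_mac.py: it goes one level below Scapy and edits a classic pcap file with only the Python standard library, to show exactly which bytes the change touches. The function names and the two-frame sample capture are constructed for illustration; in Scapy the equivalent edit is an assignment to `pkt[Ether].dst` between `rdpcap()` and `wrpcap()`.

```python
import socket
import struct

# Classic pcap magics (micro- and nanosecond variants) mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def rewrite_dst_mac(pcap, src_ip, dst_ip, new_mac):
    """Return (edited_pcap, frames_changed) for IPv4 frames going src_ip -> dst_ip."""
    order = MAGICS.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("capture is not Ethernet-framed")
    mac = bytes.fromhex(new_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    wanted = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    out, changed, pos = bytearray(pcap[:24]), 0, 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        frame = bytearray(pcap[pos + 16:pos + 16 + incl_len])
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        # Ethernet: dst 0-5, src 6-11, type 12-13; IPv4 src/dst at frame bytes 26-33.
        # VLAN-tagged frames (type 0x8100) do not match and pass through unchanged.
        if frame[12:14] == b"\x08\x00" and bytes(frame[26:34]) == wanted:
            frame[0:6] = mac  # MACs are outside the IP/TCP checksums: nothing to recompute
            changed += 1
        out += pcap[pos:pos + 16] + frame
        pos += 16 + incl_len
    return bytes(out), changed

def sample_pcap():
    """Constructed two-frame capture using the addresses quoted in the article."""
    def frame(dst_mac, src_mac, src_ip, dst_ip):
        eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
        ip = (b"\x45\x00\x00\x28\x00\x00\x00\x00\x40\x06\x00\x00"
              + socket.inet_aton(src_ip) + socket.inet_aton(dst_ip))
        return eth + ip + bytes(20)  # zeroed TCP header, enough for this edit
    a, b = "02:06:57:00:00:00", "c8:9c:dc:d1:26:d6"
    frames = [frame(b, a, "192.168.0.132", "192.168.0.10"),
              frame(a, b, "192.168.0.10", "192.168.0.132")]
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        data += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return data
```

The target ab:ab:ab:ab:ab:ab has the low bit of its first octet set, so receivers interpret it as a group (multicast) address, which is worth keeping in mind when reading the device's behaviour in the test.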
Making your own packet sequence
You can create your own pcap file using Scapy. The Python script below creates a pcap file with a single packet: it generates a reassociation request packet, which is built by adding predefined data/headers:
- Dot11
- Dot11ReassocReq
- Dot11Elt packets and
- a RadioTap header is added to it.
We create a class from scapy.packet for adding information fields manually and then extend it to the packet created.
In the next post, we will discuss how to use SWAT WiCheck products to inject packets and test how an AP handles probe requests at scale.