since i see a lot of people writing papers here, i will post one i wrote over 10 years ago (keep in mind i don't have fancy highlighting or fonts)
i started writing out my own payloads and used netcat to fire them off years ago. this example will show how to request an entire route table from a RIP v1 router
first, you can either sniff/search or copy what i am about to post. the following is a 24-byte payload for a RIP1 request for the entire route table (i came across this information through standard online RFCs---with any payload you are about to inject, i suggest you follow that route)
you want to open a hex editor since we can't write these values down as basic text. the payload is as follows:
01 01 00 00 00 02 00 00 00 00

sorry, i hit the post button too early---continuing...
(each of these values can be looked up and referenced in the corresponding RFC unless you want me to elaborate on each)
the above values you type into a hex editor and save as whatever you want, e.g. "RIP.test"
you then open a cmd prompt (windows users here) and type this:
type (path to the file you just created) | nc -v -n -u -p 520 (ip of router running RIP) 520
(the source port also stays at 520 since most routers won't respond unless the source and destination ports match)
hitting enter will send the packet you just made to a RIP server, and the payload in question is asking for the entire route table to be sent back to you. since this is RIP 1 and there is no authentication in place, it will gladly offer it up to you! good luck though finding RIP1 routers. most don't run the protocol anymore since it is rather ancient, and its predecessor, v2, allows for password authentication. also most windows machines that run the RIP server run "silent RIP", meaning they will receive updates but will not send any back
like i said, not a fancy paper, but you get the correct info and the way to do the task
thanks
(keep in mind, you can do this with any protocol (TCP/UDP) through netcat as long as you create the proper payloads)
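For anyone on the defending side of the RIP example above, here is an added example (not the original poster's code) that decodes RIPv1 datagrams on UDP/520 and flags the unauthenticated "send me your whole table" request. The post's payload bytes were cut off, so the sample packet here is built from the RFC 1058 layout (4-byte header, 20-byte entries, whole-table request = one entry with AFI 0 and metric 16); the flow tuples and IP addresses are constructed for the demo, not captured from a real router.

```python
"""
Parse RIPv1 datagrams (RFC 1058) and flag whole-table requests and responses.
Added example for this thread, not the original poster's code. All sample
packets and flows below are constructed from the RFC layout, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List

RIP_PORT = 520
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_INFINITY = 16          # metric 16 means "unreachable" in RIP


@dataclass
class RipEntry:
    afi: int               # address family: 2 = IP; 0 appears only in a whole-table request
    address: str
    metric: int


@dataclass
class RipPacket:
    command: int
    version: int
    entries: List[RipEntry]


def parse_rip(payload: bytes) -> RipPacket:
    """Decode a RIPv1 datagram: 4-byte header followed by 20-byte route entries."""
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("not a well-formed RIPv1 datagram")
    command, version, _must_be_zero = struct.unpack("!BBH", payload[:4])
    if version != 1:
        raise ValueError(f"only RIPv1 handled here, got version {version}")
    entries = []
    for off in range(4, len(payload), 20):
        # RFC 1058 entry: AFI(2) zero(2) IPv4(4) zero(8) metric(4)
        afi, _, ip_raw, _, metric = struct.unpack("!HH4s8sI", payload[off:off + 20])
        entries.append(RipEntry(afi, ".".join(str(b) for b in ip_raw), metric))
    return RipPacket(command, version, entries)


def is_whole_table_request(pkt: RipPacket) -> bool:
    """RFC 1058 3.4.1: a request with exactly one entry, AFI 0 and metric 16
    asks the router to send its entire routing table."""
    return (pkt.command == RIP_REQUEST and len(pkt.entries) == 1
            and pkt.entries[0].afi == 0 and pkt.entries[0].metric == RIP_INFINITY)


def build_whole_table_request() -> bytes:
    """Constructed 24-byte sample (header + one entry) in the RFC 1058 whole-table form."""
    header = struct.pack("!BBH", RIP_REQUEST, 1, 0)
    entry = struct.pack("!HH4s8sI", 0, 0, b"\0\0\0\0", b"\0" * 8, RIP_INFINITY)
    return header + entry


def audit(flows) -> List[str]:
    """flows: iterable of (src_ip, dst_ip, src_port, dst_port, payload).
    Returns alert strings for RIPv1 traffic a defender would want to notice."""
    alerts = []
    for src, dst, sport, dport, payload in flows:
        if dport != RIP_PORT:
            continue
        try:
            pkt = parse_rip(payload)
        except ValueError:
            continue
        if is_whole_table_request(pkt):
            alerts.append(f"{src}:{sport} -> {dst}: RIPv1 whole-table request (unauthenticated)")
        elif pkt.command == RIP_RESPONSE:
            alerts.append(f"{src} -> {dst}: RIPv1 response advertising {len(pkt.entries)} route(s)")
    return alerts


# Constructed sample flows: one whole-table request, one response, one unrelated datagram.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 520, 520, build_whole_table_request()),
    ("10.0.0.1", "10.0.0.5", 520, 520,
     struct.pack("!BBH", RIP_RESPONSE, 1, 0)
     + struct.pack("!HH4s8sI", 2, 0, bytes([192, 168, 1, 0]), b"\0" * 8, 1)),
    ("10.0.0.5", "10.0.0.9", 4444, 53, b"\x00\x01"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Because RIPv1 has no authentication field at all, the useful signal is simply that a request or response is on the wire: any host answering a whole-table request is leaking its routing table, and any response from an unexpected source is a candidate for route injection. In practice you would feed `audit` from a capture rather than the constructed list above.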
thanks. my next paper could be on scanning w/NMAP and using ARP poisoning to hide your IP and borrow any machine not in use on your local subnet as the source (something i have done for years)
(the kids who think "spoofing" your IP while scanning are idiots, for a true spoof would never allow you to receive a reply back!)
Definitely looking forward to that paper McKittrick
ok. i have the time so here is your info on the NMAP deal. again, this is old for me but maybe new to some of you because this concept is not documented; i had to learn it on my own
so to start off, the ONLY way you will ever spoof an IP and have any real value come of it is to be able to see the data coming back. the only way this can be done is with a direct route back to your subnet. one can either go the strict source route/loose source? route, or one can take control of router endpoints and create a GRE tunnel, or one can do the easier method which is an ARP poison on your subnet. the other methods i mention are either not used anymore or are almost impossible to perform these days
i will tell you how i did it back then. you can use a tool that creates the gratuitous ARP reply packets (i used one called STERM, a telnet console that performs an ARP hijack used for the session); you can use any tool that will send ARP reply packets. you can do a simple ping scan on your local subnet to see what hosts are available to hijack (ones not in use or ones running that are susceptible to an ARP table poisoning)
after using STERM to create the packet needed (ARP REPLY) you then fire up nmap and set your source as the subnet IP you just "borrowed". you also want to specify your interface, since nmap gets a bit picky about that
the finished product will look like this:
nmap -v -n -sS --reason --max-retries 1 -S (ip of host you are ARP replying w/) -e eth0 (ip to scan)
the flags you see are the ones i use in nmap on a standard basis. keep in mind you are sometimes limited in how long you can "borrow" that IP you are using because the ARP table will eventually refresh or the gateway will eventually respond and cancel out your reply (proxy ARP), in which case you simply go down the list of your subnet IPs and grab another
hope you guys enjoy all that!

if you like what i offered up, feel free to edit and move the thread and make it its own separate piece "Using NMAP w/ ARP Poisoning To "Hide" Yourself On The Net". i was simply just firing off what i said i would do the day before, then i realized it could be its own topic
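The borrowed-IP trick above works only as long as the segment's ARP caches accept the forged reply, which is exactly what a defender can watch for. The following is an added example (not the original poster's or any tool's code) that scans ARP traffic in a tcpdump-like text form and alerts on two things: a reply nobody asked for, and an IP whose answering MAC changes. The log lines, addresses and MACs are constructed for the demo; the line format is modelled on tcpdump's ARP output but is an assumption, so adjust the regular expressions to whatever your capture tool prints.

```python
"""
Detect ARP-cache poisoning from ARP request/reply lines.
Added example for this thread, not the original poster's code. The log
lines below are constructed in a tcpdump-like style, not captured traffic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed line shapes (constructed for this example):
#   12:00:01 ARP, Request who-has 192.168.1.20 tell 192.168.1.1
#   12:00:01 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb
REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


@dataclass
class ArpWatch:
    table: Dict[str, str] = field(default_factory=dict)   # ip -> first MAC that answered for it
    pending: Set[str] = field(default_factory=set)        # ips with an outstanding request
    alerts: List[str] = field(default_factory=list)

    def observe(self, line: str) -> None:
        """Feed one log line; requests open a window, replies are checked against it."""
        m = REQUEST_RE.search(line)
        if m:
            self.pending.add(m.group(1))
            return
        m = REPLY_RE.search(line)
        if not m:
            return
        ip, mac = m.group(1), m.group(2).lower()
        # A reply with no matching request is the signature of a gratuitous/forged reply.
        if ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        # A different MAC answering for a known IP is the signature of a poisoned cache.
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            self.alerts.append(f"mac change: {ip} was {known}, now {mac}")


def scan(lines) -> List[str]:
    """Run every line through one ArpWatch and return the alerts it raised."""
    watch = ArpWatch()
    for line in lines:
        watch.observe(line)
    return watch.alerts


# Constructed sample: a normal exchange, a rogue station answering for the same IP,
# then the legitimate host answering again once the gateway re-asks (the "refresh"
# the post mentions).
SAMPLE_LOG = """\
12:00:01 ARP, Request who-has 192.168.1.20 tell 192.168.1.1
12:00:01 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb
12:00:05 ARP, Reply 192.168.1.20 is-at cc:dd:ee:ff:00:11
12:00:09 ARP, Request who-has 192.168.1.20 tell 192.168.1.1
12:00:09 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two caveats when running this on real traffic: hosts legitimately send gratuitous ARP at boot and on failover, so the "unsolicited reply" rule needs an allow-list or a count threshold, and the MAC-change rule keeps the first MAC seen per IP, so the alert fires on the rogue's reply rather than on the legitimate host's later recovery. Static ARP entries on the gateway, or switch-level dynamic ARP inspection, are the mitigations that make the borrowed-IP window close immediately.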