Packet injection

My mind's distracted by the light refracted... I drift offworld to avoid detection.

Ethernet packet injection works by creating and transmitting custom Ethernet packets on a network. This technique can be used to manipulate higher-level protocols that rely on Ethernet frames for communication, such as TCP/IP, by modifying the content of the packets being transmitted.

To manipulate higher-level protocols using packet injection, an attacker could use a packet crafting tool to create and send custom Ethernet frames with modified headers and payloads. For example, an attacker could modify the destination MAC address of an Ethernet frame to make it appear as though it came from a legitimate source, or they could modify the payload of the frame to include malicious code.

Once the custom Ethernet frames are sent, the higher-level protocols that rely on them for communication, such as TCP/IP, would interpret the modified frames as legitimate traffic. This could allow an attacker to perform a range of attacks, including:

  1. Spoofing attacks: By modifying the source MAC address of an Ethernet frame, an attacker could spoof the identity of a legitimate device on the network. This could allow them to intercept and manipulate traffic intended for that device.

  2. Man-in-the-middle attacks: By intercepting and modifying Ethernet frames in transit, an attacker could insert themselves into the communication between two devices. This could allow them to eavesdrop on or manipulate the traffic being exchanged.

  3. Denial-of-service attacks: By flooding a network with custom Ethernet frames, an attacker could overwhelm the network and cause it to crash or become unresponsive.

Packet injection techniques are often used anywhere that a normal network service can't be used: for instance, when the device has no IP address of its own (such as in BRIDGE or TRANSPARENT modes on the Packet Squirrel), or when the device is interacting with network traffic outside the role of a traditional server. On the Packet Squirrel, direct packet injection is used by several tools: KILLPORT, KILLSTREAM and SPOOFDNS all operate by building higher-level packets directly as Ethernet frames and injecting them onto the network.
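As an added example, not code from the Packet Squirrel documentation or any Hak5 tool, the Python below shows the raw Ethernet II framing that injection tools assemble directly (the 14-byte header the attack list above is built on) and one way a defender can notice the source-MAC spoofing described under "Spoofing attacks": learn which port each source MAC first appears on, then flag frames whose source MAC is malformed (group bit set) or has moved to a different port. The MAC addresses, port names, EtherType constant and the four-frame traffic sample are constructed for the demonstration.

```python
import struct

# Ethernet II header: destination MAC (6), source MAC (6), EtherType (2).
ETH_HDR = struct.Struct("!6s6sH")
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame from its header fields and payload."""
    return ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a raw frame back into header fields; reject truncated input."""
    if len(frame) < ETH_HDR.size:
        raise ValueError(f"frame of {len(frame)} bytes is shorter than an Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "ethertype": ethertype, "payload": frame[ETH_HDR.size:]}


def is_group_address(mac: str) -> bool:
    """Group bit (LSB of the first octet) set: multicast or broadcast,
    which is never a valid unicast source address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class MacMonitor:
    """Learn which ingress port each source MAC first appeared on and flag
    frames whose source MAC is malformed or has moved to another port."""

    def __init__(self):
        self.learned = {}   # source MAC -> port where it was first seen
        self.alerts = []    # (kind, source MAC, detail)

    def observe(self, port: str, frame: bytes) -> None:
        src = parse_frame(frame)["src"]
        if is_group_address(src):
            self.alerts.append(("invalid-source", src, f"group-bit MAC as source on {port}"))
            return
        first_port = self.learned.setdefault(src, port)
        if first_port != port:
            self.alerts.append(("mac-move", src, f"learned on {first_port}, now seen on {port}"))


def run_demo() -> list:
    """Constructed traffic: two hosts on their own ports, then a frame reusing
    host A's MAC from a third port, then a frame with a multicast source MAC."""
    mon = MacMonitor()
    host_a, host_b, gateway = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:fe"
    ipv4_stub = b"\x45" + b"\x00" * 19  # placeholder IPv4 header bytes, not a real packet
    mon.observe("port1", build_frame(gateway, host_a, ETHERTYPE_IPV4, ipv4_stub))
    mon.observe("port2", build_frame(gateway, host_b, ETHERTYPE_IPV4, ipv4_stub))
    mon.observe("port3", build_frame(gateway, host_a, ETHERTYPE_IPV4, ipv4_stub))
    mon.observe("port2", build_frame(gateway, "01:00:5e:00:00:01", ETHERTYPE_IPV4, ipv4_stub))
    return mon.alerts


if __name__ == "__main__":
    for kind, src, detail in run_demo():
        print(f"{kind}: {src} ({detail})")
```

The port-move check is the same logic a switch's port-security feature applies; on its own it also fires for hosts that legitimately roam (laptops on Wi-Fi, VM migration), so a deployable version needs an ageing timeout or an allowlist of MACs that are expected to move.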

Injection libraries

Packet injection is possible with no library support at all; however, several packet-crafting libraries exist that automate the tedious parts:

  • Scapy https://scapy.net/ Written in Python, Scapy is a long-standing tool for decoding and crafting raw packets. Unfortunately, as it is written in Python, it can also be one of the slower options, and on embedded devices or in busy network environments may not be able to keep up with the network traffic.

  • libtins http://libtins.github.io/ Written in C++, libtins offers a similar API to Scapy, but with the higher performance of a fully compiled tool. This comes at the cost of requiring the C++ runtime and compiling the tool for the target platform.
