Packet injection

Packet injection (also known as forging packets or spoofing packets) is a computer networking term that refers to the process of interfering with an established network connection, by means of constructing packets to appear as if they are part of the normal communication stream. The packet injection process allows an unknown third party to disrupt or intercept packets from the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to utilize certain network services or protocols. Packet injection is commonly used in man in the middle attacks and denial of service attacks.

Capabilities

By utilizing raw sockets, NDIS function calls, or direct access to a network adapter kernel mode driver, arbitrary packets can be constructed and injected into a computer network. These arbitrary packets can be constructed from any type of packet protocol (ICMP, TCP, UDP, and others) since there is full control over the packet header while the packet is being assembled.

General Procedure

• Raw socket must be created
• Create the ethernet header in memory
• Create the IP header in memory
• Create the TCP header or UDP header in memory
• Create the data in memory
• Assemble the headers and data together (concatenate) to form the packet
• Compute and set correct IP and TCP or UDP checksums
• Send the packet out through the raw socket

Uses

Packet injection has been used for:

• Disrupting certain services (file sharing or HTTP) by internet service providers and wireless access points^[1][2]
• Compromising wireless access points and circumventing their security
• Exploiting certain functionality in online games
• Determining the presence of internet censorship
• Allows for custom packet designers to test their custom packets by directly placing them onto a computer network
• Simulation of specific network traffic and scenarios
• Testing of network firewalls and intrusion detection systems
• Computer network auditing and troubleshooting computer network related issues

Detecting Packet Injection

Through the process of running a packet analyzer or packet sniffer on both network service access points trying to establish communication, the results can be compared. If point A has no record of sending certain packets that show up in the log at point B, and vice versa, then the packet log inconsistencies show that those packets have been forged and injected by an intermediary access point. Usually TCP resets are sent to both access points to disrupt communication.^[2][3][4]

Software

• lorcon, part of Airpwn
• Aireplay-ng (part of the aircrack-ng suite)
• Nemesis
• KisMAC
• Ostinato
• pcap
• WinPCap
• Winsock
• T50
• Void11
• CommView for WiFi Packet Generator
• File2air
• AirJack
• libradiate
• Scapy
• BackTrack

See also

• Packet capture
• Packet generation model
• Raw socket
• Packet crafting
• Packet sniffer

External links

• PacketEditor
• Void11
• Winsock Packet Editor
• Nemesis
• Ostinato
• Packet Injection using raw sockets
• aircrack-ng
• Bit-Twist

References

1. ↑ http://s2.ist.psu.edu/paper/cross-TR.pdf
2. ↑ 2.0 2.1 https://www.eff.org/ja/wp/packet-forgery-isps-report-comcast-affair
3. ↑ https://www.eff.org/wp/detecting-packet-injection
4. ↑ http://www.icir.org/vern/papers/reset-injection.ndss09.pdf