HexInject
The power of hex raw network access...
Intro
HexInject is a very versatile packet injector and sniffer that provides a command-line framework for raw network access. It's designed to work together with other command-line utilities, and for this reason it makes it easy to write powerful shell scripts capable of reading, intercepting and modifying network traffic in a transparent manner.

In a single line, why should you consider hexinject? Because it's able to inject anything into the network, and, for the TCP/IP protocols, it automatically calculates the checksum and the packet size fields.
There are few tools that provide this functionality, and fewer that can be combined with the standard command-line utilities. Try it out!
HexInject as sniffer
Hexinject can be used as a sniffer when the option "-s" is provided. It can print network traffic in both hexadecimal and raw format. Example:
root@backtrack-base# hexinject -s -i eth0
1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 3C 9A 88 40 00 40 06 51 04 C0 A8 01 09 5B 05 32 79 C9 45 01 BB 61 5E 85 79 00 00 00 00 A0 02 16 D0 0D 2F 00 00 02 04 05 B4 04 02 08 0A 00 0D 22 EC 00 00 00 00 01 03 03 07 FF FF FF FF FF FF AA 00 04 00 0A 04 08 06 00 01 08 00 06 04 00 01 AA 00 04 00 0A 04 C0 A8 01 09 00 00 00 00 00 00 C0 A8 01 04
AB 00 00 03 00 00 AA 00 04 00 0A 04 60 03 22 00 0D 02 00 00 AA 00 04 00 0A 04 03 DA 05 00 00 00 00 00 00 00 00 00 AA 00 04 00 00 00 0A 00 00 02 AA AA FF FF FF FF FF FF AA 00 04 00 0A 04 08 06 00 01 08 00 06 04 00 01 AA 00 04 00 0A 04 C0 A8 01 09 00 00 00 00 00 00 C0 A8 01 04
But what about reading in real time what passes over the network? For example, we can print some HTTP headers in readable form:
root@backtrack-base# hexinject -s -i eth0 -r | strings | grep 'Host:'
Host: youtube.com
Host: www.youtube.com
Host: s.ytimg.com
...
In this case the "raw dump" mode (-r) must be used. With "strings" we extract all the readable text from the traffic, and then it's easy to "grep" what we need.
HexInject as injector
Hexinject can be used as an injector when the option "-p" is provided. It can inject network traffic in both hexadecimal and raw format. Example:
root@backtrack-base# echo "01 02 03 04" | hexinject -p -i eth0
produces the following result in Wireshark:

Let's do some magic
With hexinject we can easily modify network packets on the fly. For example, we can transform an ARP request into an ARP reply just by changing one bit of the packet:
root@backtrack-base# hexinject -s -i eth0 -c 1 -f 'arp' | replace '06 04 00 01' '06 04 00 02' | hexinject -p -i eth0
Wireshark dump:

We have only piped two hexinject instances (one sniffer and one injector) and the command-line utility "replace". In this example the option "-f" is used to provide a custom pcap filter (more info here).
Here's one last example to conclude the presentation of the tool. A simple transparent bridge built using only two lines of bash:
root@backtrack-base# hexinject -s -i eth0 -c 1 -f 'src host 192.168.1.9' | hexinject -p -i eth1
root@backtrack-base# hexinject -s -i eth1 -c 1 -f 'dst host 192.168.1.9' | hexinject -p -i eth0
Et voilà! A transparent bridge for the host 192.168.1.9. This example can surely be improved; it just demonstrates the versatility of the tool.

root@backtrack-base# hexinject -s -i eth0 -c 1 -f 'src host 192.168.1.9' | replace 'C0 A8 01 09' 'C0 A8 01 04' | hexinject -p -i eth1
root@backtrack-base# hexinject -s -i eth1 -c 1 -f 'dst host 192.168.1.9' | replace 'C0 A8 01 04' 'C0 A8 01 09' | hexinject -p -i eth0
Note: these two examples lack the management of MAC addresses, which can be implemented as a script placed in the middle of the pipe. Nevertheless, the examples give an idea of what is possible.
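What such a "script in the middle of the pipe" can look like, as an added example that is not part of HexInject: it reads the hex lines that "hexinject -s" prints (assuming one frame per line, which is how the pipelines above consume them), looks up the Ethernet destination MAC for the IPv4 destination in a constructed table, rewrites the first six bytes, and prints the frame back in the same "AA BB CC" format for "hexinject -p". Checksums are left alone because the injector recalculates them. The table contents and the script name are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical bridge filter: hexinject -s ... | python3 fix_mac.py | hexinject -p ..."""
import sys

ETHERTYPE_IPV4 = 0x0800

# Constructed table: the MAC each forwarded IPv4 destination has on the far
# side of the bridge.  A real script would learn it from ARP traffic.
MAC_TABLE = {
    "91.5.50.121": "00:11:22:33:44:55",
}

# First frame of the sniffer dump above (a TCP SYN from 192.168.1.9 to 91.5.50.121).
SAMPLE_SYN = (
    "1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 3C 9A 88 40 00 40 06 "
    "51 04 C0 A8 01 09 5B 05 32 79 C9 45 01 BB 61 5E 85 79 00 00 00 00 A0 02 "
    "16 D0 0D 2F 00 00 02 04 05 B4 04 02 08 0A 00 0D 22 EC 00 00 00 00 01 03 03 07"
)


def hex_to_bytes(line):
    """'1C AF F7' -> b'\\x1c\\xaf\\xf7'; whitespace and case are ignored."""
    return bytes.fromhex("".join(line.split()))


def bytes_to_hex(data):
    """Back to hexinject's space-separated uppercase format."""
    return " ".join(f"{b:02X}" for b in data)


def rewrite_frame(line, mac_table):
    """Return the frame with its Ethernet destination replaced from the table.

    Frames that are not IPv4 (ARP, DECnet, ...) or whose destination is not
    in the table are forwarded unchanged.
    """
    frame = bytearray(hex_to_bytes(line))
    if len(frame) < 34:                      # shorter than Ethernet + IPv4 header
        return bytes_to_hex(frame)
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != ETHERTYPE_IPV4:
        return bytes_to_hex(frame)
    ip_dst = ".".join(str(b) for b in frame[30:34])   # IPv4 header offset 16
    mac = mac_table.get(ip_dst)
    if mac is not None:
        frame[0:6] = bytes.fromhex(mac.replace(":", ""))
    return bytes_to_hex(frame)


def main():
    for line in sys.stdin:
        if line.strip():
            print(rewrite_frame(line, MAC_TABLE), flush=True)


if __name__ == "__main__":
    main()
```

The same structure (parse one hex line, edit bytes, print one hex line) is all any filter in such a pipe needs; keeping `flush=True` matters, because a block-buffered stdout would hold frames back from the injector.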
Raw wireless access
Do you think that accessing raw wireless traffic requires strange and complex libraries and is difficult to implement? Not at all: with hexinject even a simple bash script can read raw wireless traffic on a monitor interface.
root@backtrack-base# airmon-ng start wlan1
Interface Chipset Driver
wlan1 RTL8187 rtl8187 - [phy0]
(monitor mode enabled on mon0)
Then it's possible to capture, for example, beacon frames generated by an access point:
root@backtrack-base# hexinject -s -i mon0
00 00 0D 00 04 80 02 00 02 00 00 00 00 80 00 00 00 FF FF FF FF FF FF AA BB CC DD EE FF AA BB CC DD EE FF 70 01 42 BB 6B EB AC A6 04 00 64 00 01 04 00 07 44 45 46 41 55 4C 54 01 04 02 04 0B 16 32 08 0C 12 18 24 30 48 60 6C 03 01 01
00 00 0C 00 04 80 00 00 02 00 18 00 80 00 00 00 FF FF FF FF FF FF AA BB CC DD EE FF AA BB CC DD EE FF 80 01 CD 46 6D EB AC A6 04 00 64 00 01 04 00 00 01 04 02 04 0B 16 32 08 0C 12 18 24 30 48 60 6C 03 01 01
The access point has ESSID "DEFAULT".
To extract this information we can use a feature introduced with hexinject v1.3, the conversion modes. These operation modes simply convert a hexadecimal string to a raw string and vice versa.
Let's suppose we saved the last packet in the file wifi_frame.hex (the ESSID will be clearly printed out, along with some garbage data):
root@backtrack-base# cat wifi_frame.hex | hexinject -y | strings
DEFAULT
$0H`l
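A less hit-and-miss way to get the ESSID out of a captured frame than "strings", as an added example of my own (not hexinject's conversion code): the first two functions do what "-y" and "-x" do (hex text to raw bytes and back), and parse_beacon() then skips the radiotap header by its length field, checks the 802.11 frame control for a beacon, and walks the tagged information elements to pull out BSSID, ESSID and channel. Field layouts follow the radiotap and IEEE 802.11 specifications; the two frames captured above are embedded as sample input, and the parser also flags the frame whose SSID element is empty, which is what a hidden-network beacon looks like.

```python
"""Decode radiotap + 802.11 beacon frames printed by 'hexinject -s -i mon0'."""
import struct

# The two beacon frames captured above (radiotap header included, no FCS).
BEACON_FRAME_1 = (
    "00 00 0D 00 04 80 02 00 02 00 00 00 00 80 00 00 00 FF FF FF FF FF FF AA BB CC DD EE FF "
    "AA BB CC DD EE FF 70 01 42 BB 6B EB AC A6 04 00 64 00 01 04 00 07 44 45 46 41 55 4C 54 "
    "01 04 02 04 0B 16 32 08 0C 12 18 24 30 48 60 6C 03 01 01"
)
BEACON_FRAME_2 = (
    "00 00 0C 00 04 80 00 00 02 00 18 00 80 00 00 00 FF FF FF FF FF FF AA BB CC DD EE FF "
    "AA BB CC DD EE FF 80 01 CD 46 6D EB AC A6 04 00 64 00 01 04 00 00 01 04 02 04 0B 16 "
    "32 08 0C 12 18 24 30 48 60 6C 03 01 01"
)


def hex_to_raw(text):
    """Same job as 'hexinject -y': "48 65 6C" -> b'Hel'."""
    return bytes.fromhex("".join(text.split()))


def raw_to_hex(data):
    """Same job as 'hexinject -x', without the trailing 00 terminator."""
    return " ".join(f"{b:02X}" for b in data)


def mac_str(six_bytes):
    return ":".join(f"{b:02x}" for b in six_bytes)


def parse_beacon(hex_text):
    """Return bssid, ssid, channel and a hidden flag for one beacon frame."""
    frame = hex_to_raw(hex_text)
    # radiotap header: u8 version, u8 pad, u16 little-endian total length, ...
    rt_len = struct.unpack_from("<H", frame, 2)[0]
    dot11 = frame[rt_len:]
    fc = dot11[0]                          # frame control, first byte
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if (ftype, subtype) != (0, 8):         # management frame, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = mac_str(dot11[16:22])          # addr3 of a beacon is the BSSID
    body = dot11[24:]                      # after the 24-byte MAC header
    # fixed fields: timestamp (8) + beacon interval (2) + capability (2)
    pos = 12
    ssid, channel = None, None
    while pos + 2 <= len(body):            # tagged elements: id, len, value
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if eid == 0:                       # SSID element
            ssid = value.decode("ascii", "replace")
        elif eid == 3 and elen == 1:       # DS parameter set: channel
            channel = value[0]
        pos += 2 + elen
    return {"bssid": bssid, "ssid": ssid, "channel": channel, "hidden": ssid == ""}


if __name__ == "__main__":
    for frame in (BEACON_FRAME_1, BEACON_FRAME_2):
        print(parse_beacon(frame))
```

Walking the elements by their length bytes is what makes this robust: a malformed or truncated element list simply ends the loop instead of reading past the frame, and an empty SSID is reported as such rather than silently disappearing the way it does with "strings".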
The possibilities are not limited to sniffing; what's most interesting is the injection of raw wireless frames. To inject a frame we need a minimal valid preamble (otherwise the interface will not inject anything):
root@backtrack-base# cat minimal_beacon.hex
00 00 0D 00 04 80 02 00 02 00 00 00 00 80 00 00 00
To keep it simple, we prepare a raw ASCII message to inject and convert it to a hex string (adding a 00 at the end to terminate the string):
root@backtrack-base# echo 'Hello, world!' | hexinject -x
48 65 6C 6C 6F 2C 20 77 6F 72 6C 64 21 0A 00
Concatenating the preamble and the message gives assembled_packet.hex, which we can now inject over the air:
root@backtrack-base# cat assembled_packet.hex | hexinject -p -i mon0
If another machine wants to read the message:
root@backtrack-base# hexinject -s -r -i mon1 | strings
Hello, world!
It's very easy to write, even in bash, a simple messaging tool that uses raw wireless frames (even if such a tool sounds weird).
Or you can use hexinject as a wireless fuzzer to search for vulnerabilities in operating system wireless drivers.
It's easy: don't hesitate to experiment!
Other possibilities: USB
Since pcap libraries can capture raw USB traffic, hexinject is able to sniff on your USB ports. You can capture raw USB packets in the same way you use hexinject on your network interfaces:
root@backtrack-base# hexinject -s -i usbmon3
80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 AA 38 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 01 00 00 00 00 00
80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 BD 38 00 00 8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00

root@backtrack-base# sudo hexinject -s -i usbmon3 | awk -f mouse_click.awk
left click
click released
central click
click released
left+right click
click released
If you want to read the article: Fun with HexInject and USB protocols
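For readers who want to see what a decoder like mouse_click.awk has to do, here is an added example in Python (my own code, not the awk script from the article). Each line that "hexinject -s -i usbmonN" prints is a 64-byte binary usbmon record followed by the captured data; the parser follows the usbmon_packet layout from the Linux usbmon documentation, and for interrupt IN completions it reads the data as a USB HID boot-protocol mouse report (byte 0 is the button bitmask). The two records captured above are embedded as sample input; the release and two-button records are constructed by editing the first one.

```python
"""Decode usbmon records from hexinject into mouse click events."""
import struct

# struct usbmon_packet (64 bytes, native little-endian, no padding)
USBMON_HDR = struct.Struct("<QBBBBHccqiiII8siiII")
FIELDS = ("id", "type", "xfer_type", "epnum", "devnum", "busnum", "flag_setup",
          "flag_data", "ts_sec", "ts_usec", "status", "length", "len_cap",
          "setup", "interval", "start_frame", "xfer_flags", "ndesc")
XFER_INTERRUPT = 1
BUTTONS = {0x01: "left", 0x02: "right", 0x04: "central"}

# The two records captured above: a completion ('C') carrying a 6-byte report
# and the next submission ('S') with no data yet.
RECORD_CLICK = (
    "80 3A DF 2A 01 88 FF FF 43 01 81 02 03 00 2D 00 8D 43 E7 4D 00 00 00 00 AA 38 00 00 "
    "00 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 "
    "04 02 00 00 00 00 00 00 01 00 00 00 00 00"
)
RECORD_SUBMIT = (
    "80 3A DF 2A 01 88 FF FF 53 01 81 02 03 00 2D 3C 8D 43 E7 4D 00 00 00 00 BD 38 00 00 "
    "8D FF FF FF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 "
    "04 02 00 00 00 00 00 00"
)
# Constructed for the example: same completion with the button mask cleared
# (release) and with left+right pressed.
RECORD_RELEASE = RECORD_CLICK[:-17] + "00 00 00 00 00 00"
RECORD_LEFT_RIGHT = RECORD_CLICK[:-17] + "03 00 00 00 00 00"


def parse_usbmon(hex_text):
    """Split one hexinject line into the usbmon header fields and the data."""
    raw = bytes.fromhex("".join(hex_text.split()))
    rec = dict(zip(FIELDS, USBMON_HDR.unpack_from(raw)))
    rec["type"] = chr(rec["type"])                 # 'S' submit, 'C' complete, 'E' error
    rec["direction"] = "IN" if rec["epnum"] & 0x80 else "OUT"
    rec["endpoint"] = rec["epnum"] & 0x0F
    rec["data"] = raw[USBMON_HDR.size:USBMON_HDR.size + rec["len_cap"]]
    return rec


def mouse_buttons(report):
    """Names of the buttons set in a boot-protocol mouse report."""
    return [name for bit, name in BUTTONS.items() if report[0] & bit]


def click_events(records):
    """Turn a sequence of parsed records into the messages the awk script prints."""
    events, pressed = [], False
    for rec in records:
        if (rec["type"] != "C" or rec["xfer_type"] != XFER_INTERRUPT
                or rec["direction"] != "IN" or not rec["data"]):
            continue                                # only completed IN reports carry data
        names = mouse_buttons(rec["data"])
        if names:
            events.append("+".join(names) + " click")
            pressed = True
        elif pressed:
            events.append("click released")
            pressed = False
    return events


if __name__ == "__main__":
    recs = [parse_usbmon(r) for r in (RECORD_CLICK, RECORD_SUBMIT, RECORD_RELEASE,
                                      RECORD_LEFT_RIGHT, RECORD_RELEASE)]
    print(click_events(recs))
```

Filtering on type, transfer type, direction and len_cap before touching the data is the part that matters: the submission record has the same endpoint and length fields as the completion but carries no payload, so a decoder keyed on the header alone would misreport every poll.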
Packet disassembling and pretty printing
Since version 1.4, hexinject can disassemble and print the fields of captured packets. This feature is very simple to activate and allows you to inspect in great detail every part of the supported protocols:
root@backtrack-base# hexinject -s -D
Ethernet Header:
AA 00 04 00 0A 04    Destination hardware address
1C AF F7 6B 0E 4D    Source hardware address
08 00                Type
IP Header:
45                   Version / Header length
00                   ToS / DFS
00 3E                Total length
00 00                ID
40 00                Flags / Fragment offset
35                   TTL
11                   Protocol
D6 DD                Checksum
D0 43 DC DC          Source address
C0 A8 01 09          Destination address
UDP Header:
00 35                Source port
EA 94                Destination port
00 2A                Length
38 01                Checksum
Payload:
5D 5B 81 80 00 01 00 00 00 00 00 00 03 77 77 77 01 6C 06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 0F 00 01
-----------
Ethernet Header:
1C AF F7 6B 0E 4D    Destination hardware address
AA 00 04 00 0A 04    Source hardware address
08 00                Type
IP Header:
45                   Version / Header length
00                   ToS / DFS
00 54                Total length
00 00                ID
40 00                Flags / Fragment offset
40                   TTL
01                   Protocol
54 4E                Checksum
C0 A8 01 09          Source address
C0 A8 64 01          Destination address
ICMP Header:
08                   Type
00                   Code
4C 66                Checksum
3A 48                ID
00 01                Sequence number
Payload:
0D 1F DE 4E 00 00 00 00 B8 0F 0F 00 00 00 00 00 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
-----------
...
Another new option has been added: -L packet_type, which prints a single disassembled packet of the specified protocol.
These are example packets, stored inside the application, to give a quick reference of various protocol headers.
So, if you need to know the size of the TCP Sequence Number field, you no longer need to capture a packet or search for a diagram on the web; just use:
root@backtrack-base# hexinject -L tcp
Currently supported protocols are: tcp, udp, icmp, arp (and, of course, protocols on lower layers: ethernet, ip).
Adding a new protocol is easy: you can hook your disassembly function into the file prettypacket.h, using the simple interface provided.
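To show what the disassembler above is doing, and what "automatically calculates the checksum and the packet size fields" from the intro means in practice, here is an added Python example of my own (not hexinject's prettypacket code). disassemble() walks Ethernet, IPv4 and then UDP, ICMP or TCP, verifying the IPv4 header and ICMP checksums with the RFC 1071 one's-complement sum, and fix_ipv4() repairs the total-length and checksum fields of an edited frame the way an injector must before sending. The two packets from the -D output above and the TCP SYN from the first sniffer dump are embedded as sample input.

```python
"""Minimal Ethernet/IPv4/UDP/ICMP/TCP disassembler with checksum handling."""
import struct

# Packets from this page, reassembled into complete Ethernet frames.
UDP_FRAME = (
    "AA 00 04 00 0A 04 1C AF F7 6B 0E 4D 08 00 45 00 00 3E 00 00 40 00 35 11 D6 DD "
    "D0 43 DC DC C0 A8 01 09 00 35 EA 94 00 2A 38 01 5D 5B 81 80 00 01 00 00 00 00 "
    "00 00 03 77 77 77 01 6C 06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 0F 00 01"
)
ICMP_FRAME = (
    "1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 54 00 00 40 00 40 01 54 4E "
    "C0 A8 01 09 C0 A8 64 01 08 00 4C 66 3A 48 00 01 0D 1F DE 4E 00 00 00 00 B8 0F "
    "0F 00 00 00 00 00 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 "
    "24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37"
)
TCP_FRAME = (
    "1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 3C 9A 88 40 00 40 06 51 04 "
    "C0 A8 01 09 5B 05 32 79 C9 45 01 BB 61 5E 85 79 00 00 00 00 A0 02 16 D0 0D 2F "
    "00 00 02 04 05 B4 04 02 08 0A 00 0D 22 EC 00 00 00 00 01 03 03 07"
)


def to_bytes(hex_text):
    return bytes.fromhex("".join(hex_text.split()))


def to_hex(data):
    return " ".join(f"{b:02X}" for b in data)


def internet_checksum(data):
    """RFC 1071 checksum; over data that already contains a valid checksum it returns 0."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def disassemble(hex_text):
    """Return the header fields hexinject -D prints, plus checksum verdicts."""
    pkt = to_bytes(hex_text)
    out = {"eth_dst": mac(pkt[0:6]), "eth_src": mac(pkt[6:12]),
           "ethertype": int.from_bytes(pkt[12:14], "big")}
    if out["ethertype"] != 0x0800:
        return out                           # only IPv4 is decoded further
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    out.update(ip_version=ip[0] >> 4, ip_ihl=ihl, ip_total_length=total_len,
               ip_ttl=ip[8], ip_proto=ip[9],
               ip_checksum=struct.unpack("!H", ip[10:12])[0],
               ip_checksum_ok=internet_checksum(ip[:ihl]) == 0,
               ip_src=ipv4(ip[12:16]), ip_dst=ipv4(ip[16:20]))
    l4 = ip[ihl:total_len]                   # ignore any Ethernet padding
    if out["ip_proto"] == 17:                # UDP
        sport, dport, length, csum = struct.unpack("!HHHH", l4[:8])
        out.update(udp_sport=sport, udp_dport=dport, udp_length=length,
                   udp_checksum=csum, payload=l4[8:])
    elif out["ip_proto"] == 1:               # ICMP: checksum covers header + payload
        out.update(icmp_type=l4[0], icmp_code=l4[1],
                   icmp_checksum=struct.unpack("!H", l4[2:4])[0],
                   icmp_checksum_ok=internet_checksum(l4) == 0, payload=l4[8:])
    elif out["ip_proto"] == 6:               # TCP
        sport, dport, seq, ack = struct.unpack("!HHII", l4[:12])
        doff = (l4[12] >> 4) * 4
        out.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack,
                   tcp_flags=l4[13], payload=l4[doff:])
    return out


def fix_ipv4(frame):
    """Recompute IPv4 total length and header checksum of an edited Ethernet frame."""
    pkt = bytearray(frame)
    ihl = (pkt[14] & 0x0F) * 4
    struct.pack_into("!H", pkt, 16, len(pkt) - 14)   # total length = IP bytes present
    pkt[24:26] = b"\x00\x00"                         # checksum is computed over a zeroed field
    struct.pack_into("!H", pkt, 24, internet_checksum(pkt[14:14 + ihl]))
    return bytes(pkt)


if __name__ == "__main__":
    for name, frame in (("udp", UDP_FRAME), ("icmp", ICMP_FRAME), ("tcp", TCP_FRAME)):
        print(name, disassemble(frame))
```

The checksum verdicts are the useful part when you are editing packets by hand: a frame whose bytes were changed with "replace" but not re-checksummed shows up immediately as ip_checksum_ok False, which is exactly the repair hexinject performs for you at injection time and fix_ipv4() performs here. TCP and UDP checksums additionally cover a pseudo-header with the IP addresses, so they are left unverified in this example.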