Manually create and send raw TCP/IP packets

In this chapter we are going to to use our knowledge on packets to manually craft and put them on the wire.

The blueprint

We now want to craft a packet and send it through the network. Let’s start by identifying the properties our packet should have:

IPv4 packet
TCP SYN packet
from our client (10.10.10.2) to the server (10.10.10.1)
from port 12345 to port 80
fill up the other headers with the necessary data

We will use our packet blueprints from the previous part of this series to aid us in creating the packet:

Based on our knowledge from the previous parts of this series we filled our blueprint with the relevant values (Identification and Window Size are just random in this case). As a small exercise, try to understand the meaning behind the values in Total Length and Data Offset.

You might have seen, that two values are missing for now, the Header Checksum for the IP segment and the Checksum from the TCP segment.

TCP Checksum & IP Header Checksum

TCP Checksum

Let’s start with the TCP checksum. Remembering from the first part of this series we know, that the checksum consists of values of the TCP Header itself, as well as a pseudo-header. For the calculations, all necessary values are used in 16 bit words and added together as shown below. In case the value isn’t 16 bit long, it will be prepended with zeros.

Description	Value	Additional Description
?Protocol	0x0006 +	06
Source Address (IP)	0x0a0a + 0x0a02 +	10.10.10.2
Destination Address (IP)	0x0a0a + 0x0a01 +	10.10.10.1
TCP length (including the data part) in byte (no actual header field, has to be counted!)	0x0014 +	20 bytes (= 14 in hex)
Source + Destination Port	0x3039 + 0x0050 +	1234 and 80
Sequence Number	0x0000 + 0x0000 +	00 00 00 00
Acknowledgement Number	0x0000 + 0x0000 +	00 00 00 00
Data Offset, Reserved, Flags, Window Size	0x5002 + 0x7110 +	0101 000 000000010 and 71 10
Checksum (set to 0x0000 in calculation), Urgent Pointer	0x0000 + 0x0000 =
Subtotal	0x119cc
Removing the carryover	0x19cc + 0x0001 = 0x19cd
Negation with 0xffff	0xffff – 0x19cd =
Checksum	0xe632

IP Header Checksum

The IP header checksum is easy to calculate. It consists out of all values in the IP header, again added in 16 bit words and prepended with zeros in case the value is too short:

Description	Value	Additional Description
Version, IHL, Type of Service + Total Length	0x4500 + 0x0028 +	–
Identification + Flags, Fragment Offset	0xabcd + 0x0000 +	–
TTL, Protocol + Header Checksum (0x0000 in calculation)	0x4006 + 0x0000 +	–
Source Address (IP)	0x0a0a + 0x0a02 +	10.10.10.2
Destination Address (IP)	0x0a0a + 0x0a01 =	10.10.10.1
Subtotal	0x15912
Removing the carryover	0x5912 + 0x0001 = 0x5913
Negation with 0xffff	0xffff – 0x5913 =
Header Checksum	0xa6ec

As you could see, both checksums follow the same algorithm, just their input values are different.

Now let’s put the calculated checksums in our blueprint. For better readability, they are arranged like this:

45	00	00	28
ab	cd	00	00
40	06	a6	ec
0a	0a	0a	02
0a	0a	0a	01
30	39	00	50
00	00	00	00
00	00	00	00
50	02	71	10
e6	32	00	00

Sending a self crafted packet

After we have now manually created our first TCP/IP packet, let’s put it on the wire. As this is a [SYN] packet we are sending to our webserver, we expect him to respond with a [SYN, ACK] if everything works as planned. For this example we are going to use Python’s built-in socket module:

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

ip_header  = b'\x45\x00\x00\x28'  # Version, IHL, Type of Service | Total Length
ip_header += b'\xab\xcd\x00\x00'  # Identification | Flags, Fragment Offset
ip_header += b'\x40\x06\xa6\xec'  # TTL, Protocol | Header Checksum
ip_header += b'\x0a\x0a\x0a\x02'  # Source Address
ip_header += b'\x0a\x0a\x0a\x01'  # Destination Address

tcp_header  = b'\x30\x39\x00\x50' # Source Port | Destination Port
tcp_header += b'\x00\x00\x00\x00' # Sequence Number
tcp_header += b'\x00\x00\x00\x00' # Acknowledgement Number
tcp_header += b'\x50\x02\x71\x10' # Data Offset, Reserved, Flags | Window Size
tcp_header += b'\xe6\x32\x00\x00' # Checksum | Urgent Pointer

packet = ip_header + tcp_header
s.sendto(packet, ('10.10.10.1', 0))

We are creating a socket s out of the Internet Protocol family AF_INET, in “raw” mode SOCK_RAW which will be sending TCP packets IPPROTO_TCP. With the setsockopt() we tell the kernel not to generate an IP header, since we are providing it ourselves. For further details on the Python socket module, I recommend the Python documentation on sockets. When working with raw sockets in scripts, most operating system require advanced privileges (e.g. root user) to run them:

root@kali:~# python3 send_first_packet.py

Utilizing Wireshark, we observe what happens when we send the packet:

As expected, our Python script sends a [SYN] packet to port 80 of our webserver. This server replies with a [SYN, ACK], the second step of a typical TCP three-way handshake. The third packet however is a [RST] reset sent from our client to the server. This happened because of the value we set as source port of our packet. Despite providing 12345 as source port, there is no application on our side listening on that port to accept the incoming [SYN, ACK]. Therefore, a reset packet is sent, and the connection establishment is canceled.

In case you don’t get the upper result, check whether your calculated checksums are correct. To verify them in Wireshark, go: Right click (on any packet) > Protocol Preferences > “Validate the TCP checksum if possible”.

Improving our crafted packet

Having again a closer look at the first packet we sent, we will see that there are 14 more bytes in front of our IP header (highlighted in blue).

These bytes are the ethernet layer, the layer below the internet and transport layer:

Destination MAC Address	Source MAC Address	Protocol Type
00 0c 29 d3 be d6	00 0c 29 e0 c4 af	08 00? (= IPv4)

Since we want to create the complete packet by hand, we need to slightly modify our Python script by manually adding the ethernet layer:

import socket

s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
s.bind(("eth0", 0))

ethernet  = b'\x00\x0c\x29\xd3\xbe\xd6' # MAC Address Destination
ethernet += b'\x00\x0c\x29\xe0\xc4\xaf' # MAC Address Source
ethernet += b'\x08\x00'                 # Protocol-Type: IPv4

ip_header  = b'\x45\x00\x00\x28'  # Version, IHL, Type of Service | Total Length
ip_header += b'\xab\xcd\x00\x00'  # Identification | Flags, Fragment Offset
ip_header += b'\x40\x06\xa6\xec'  # TTL, Protocol | Header Checksum
ip_header += b'\x0a\x0a\x0a\x02'  # Source Address
ip_header += b'\x0a\x0a\x0a\x01'  # Destination Address

tcp_header  = b'\x30\x39\x00\x50' # Source Port | Destination Port
tcp_header += b'\x00\x00\x00\x00' # Sequence Number
tcp_header += b'\x00\x00\x00\x00' # Acknowledgement Number
tcp_header += b'\x50\x02\x71\x10' # Data Offset, Reserved, Flags | Window Size
tcp_header += b'\xe6\x32\x00\x00' # Checksum | Urgent Pointer

packet = ethernet + ip_header + tcp_header
s.send(packet)

We are again creating a “raw” socket, but this time from the address family “packet”, allowing us to play on a very low protocol level. Then we bind the socket to our network interface eth0 (might be a different one for you; check that e.g. with “ifconfig” command).

root@kali:~# python3 send_first_packet_v2.py

After executing the new script we observe the output of Wireshark again:

Everything worked as expected, we have the start of the three-way handshake followed by the reset.

Now we have learned how we can manually create any kind TCP/IP packet we want to. This knowledge has a very large application range, e.g. starting from low level programming to pentesting and fuzzing. An example of what you can do with this will be shown in the next part of the tutorial series where we create a stealth port scanner.