
[Introduction]

Iplayer (pronounced ip-layer) was developed because existing sniffers
(tcpdump, ethereal, ipgrab) were less than ideal for building cut-n-paste
packets. It cannot stand on its own, though: you still need one of the
sniffers listed above when analyzing and building packets with iplayer.
 
[What is Cut-n-Paste Packet Building?]

Let's say you've identified a protocol that you want to build packets for
and you do not have an easy way to do it. None of the existing tools such
as hping or nemesis (or whatever) allow you to generate the packet easily.

For example, pretend you need to generate an SSL ClientHello, the first
message in the SSL handshake and the first packet after the TCP 3-way handshake:

21:50:25.651111 192.168.0.230.2798 > 192.168.1.24.443: S 2776748878:2776748878(0) win 16060 <mss 1460,sackOK,timestamp 698861 0,nop,wscale 0> (DF)
0x0000   4500 003c 4baa 4000 4006 90ea 0a14 00e6        E..<K.@.@.......
0x0010   ac15 a718 0aee 01bb a581 d34e 0000 0000        ...........N....
0x0020   a002 3ebc 7bb2 0000 0204 05b4 0402 080a        ..>.{...........
0x0030   000a a9ed 0000 0000 0103 0300                  ............
21:50:25.839591 192.168.1.24.443 > 192.168.0.230.2798: S 1134979098:1134979098(0) ack 2776748879 win 17376 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 5615261 698861>
0x0000   4500 0040 70eb 0000 2f06 bca5 ac15 a718        E..@p.../.......
0x0010   0a14 00e6 01bb 0aee 43a6 681a a581 d34f        ........C.h....O
0x0020   b012 43e0 09c4 0000 0204 05b4 0101 0402        ..C.............
0x0030   0103 0300 0101 080a 0055 ae9d 000a a9ed        .........U......
0x0040   5689 4c73                                      V.Ls
21:50:25.839652 192.168.0.230.2798 > 192.168.1.24.443: . ack 1 win 16060 <nop,nop,timestamp 698879 5615261> (DF)
0x0000   4500 0034 4bac 4000 4006 90f0 0a14 00e6        E..4K.@.@.......
0x0010   ac15 a718 0aee 01bb a581 d34f 43a6 681b        ...........OC.h.
0x0020   8010 3ebc 4fa1 0000 0101 080a 000a a9ff        ..>.O...........
0x0030   0055 ae9d                                      .U..
21:50:25.840106 192.168.0.230.2798 > 192.168.1.24.443: P 1:73(72) ack 1 win 16060 <nop,nop,timestamp 698879 5615261> (DF)
0x0000   4500 007c 4bad 4000 4006 90a7 0a14 00e6        E..|K.@.@.......
0x0010   ac15 a718 0aee 01bb a581 d34f 43a6 681b        ...........OC.h.
0x0020   8018 3ebc b8de 0000 0101 080a 000a a9ff        ..>.............
0x0030   0055 ae9d 8046 0103 0100 2d00 0000 1001        .U...F....-.....
0x0040   0080 0700 c003 0080 0600 4002 0080 0400        ..........@.....
0x0050   8000 0004 00fe ff00 000a 00fe fe00 0009        ................
0x0060   0000 6400 0062 0000 0300 0006 11d1 0e76        ..d..b.........v
0x0070   979a c8f4 8494 0abc 2875 a587                  ........(u..


SSL Dump Output

1 1  0.1889 (0.1889)  C>S SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  SSL2_CK_RC4  
  SSL2_CK_3DES  
  SSL2_CK_RC2  
  SSL2_CK_DES  
  SSL2_CK_RC4_EXPORT40  
  SSL2_CK_RC2_EXPORT40  
  TLS_RSA_WITH_RC4_128_MD5  
  Unknown value 0xfeff  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  Unknown value 0xfefe  
  TLS_RSA_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA  
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
  Packet data[72]=
    80 46 01 03 01 00 2d 00 00 00 10 01 00 80 07 00 
    c0 03 00 80 06 00 40 02 00 80 04 00 80 00 00 04 
    00 fe ff 00 00 0a 00 fe fe 00 00 09 00 00 64 00 
    00 62 00 00 03 00 00 06 11 d1 0e 76 97 9a c8 f4 
    84 94 0a bc 28 75 a5 87 

Default iplayer output (TCP & APPLICATION LAYER)

[---- TCP
SRC: 2798 DST: 443 SEQ: 2776748879 ACK: 1134979099 HLEN: 32 FlAGS: PA WIN: 16060
CSUM: 47326
0a ee 01 bb a5 81 d3 4f 43 a6 68 1b 80 18 3e bc b8 de 00 00 01 01 08 0a 00 0a a9 ff 00 55 ae 9d 

[--- DATA
80 46 1 3 1 0 2d 0 0 0 10 1 0 80 7 0 c0 3 0 80 6 0 40 2 0 80 4 0 80 0 0 4 0 fe ff 0 0 a 0 fe fe 0 0 9 0 0 64 0 0 62 0 0 3 0 0 6 11 d1 e 76 97 9a c8 f4 84 94 a bc 28 75 a5 87

This doesn't help us much on its own, but let's change the output format so
that the application layer is ready to paste into a NASL script:

# iplayer -s 2 -r ssl

[---- TCP
SRC: 2798 DST: 443 SEQ: 2776748879 ACK: 1134979099 HLEN: 32 FlAGS: PA WIN: 16060
CSUM: 47326
0x0a,0xee,0x01,0xbb,0xa5,0x81,0xd3,0x4f,0x43,0xa6,0x68,0x1b,0x80,0x18,0x3e,0xbc,0xb8,0xde,0x00,0x00,0x01,0x01,0x08,0x0a,0x00,0x0a,0xa9,0xff,0x00,0x55,0xae,0x9d,

[--- DATA
0x80,0x46,0x1,0x3,0x1,0x0,0x2d,0x0,0x0,0x0,0x10,0x1,0x0,0x80,0x7,0x0,0xc0,0x3,0x0,0x80,0x6,0x0,0x40,0x2,0x0,0x80,0x4,0x0,0x80,0x0,0x0,0x4,0x0,0xfe,0xff,0x0,0x0,0xa,0x0,0xfe,0xfe,0x0,0x0,0x9,0x0,0x0,0x64,0x0,0x0,0x62,0x0,0x0,0x3,0x0,0x0,0x6,0x11,0xd1,0xe,0x76,0x97,0x9a,0xc8,0xf4,0x84,0x94,0xa,0xbc,0x28,0x75,0xa5,0x87,


[ssl-clienthello.nasl]

# SSLv2-compatible ClientHello, pasted from the DATA section of
# "iplayer -s 2 -r ssl" above
a = raw_string(0x80,0x46,0x1,0x3,0x1,0x0,0x2d,0x0,0x0,0x0,0x10,0x1,0x0,0x80,0x7,0x0,0xc0,0x3,0x0,0x80,0x6,0x0,0x40,0x2,0x0,0x80,0x4,0x0,0x80,0x0,0x0,0x4,0x0,0xfe,0xff,0x0,0x0,0xa,0x0,0xfe,0xfe,0x0,0x0,0x9,0x0,0x0,0x64,0x0,0x0,0x62,0x0,0x0,0x3,0x0,0x0,0x6,0x11,0xd1,0xe,0x76,0x97,0x9a,0xc8,0xf4,0x84,0x94,0xa,0xbc,0x28,0x75,0xa5,0x87);

# Send the ClientHello ten times and print whatever the server answers.
# The socket handle must be the same variable throughout (soc), and each
# connection is closed after its reply has been read.
for (i=0;i<10;i++)
{
    soc = open_sock_tcp(443);
    if(soc)
    {
     send(socket:soc, data:a);
     r = recv(socket:soc, length:1024);
     display(r,"\n");
     close(soc);
    }
}
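Before sending the pasted bytes it is worth checking that they still decode to the message ssldump showed above; a single mistyped value and the server sees garbage. The parser below is an added example, not code from the original page or from iplayer: it walks the SSLv2-format CLIENT-HELLO framing over the constructed byte string (the same 72 bytes as in the script) and returns the version, the 15 cipher specs and the challenge so they can be compared with the ssldump listing.

```python
# Constructed input (not from the original page's script): the 72 ClientHello
# bytes that ssl-clienthello.nasl above passes to raw_string().
CLIENT_HELLO = bytes.fromhex(
    "8046010301002d000000100100800700"
    "c0030080060040020080040080000004"
    "00feff00000a00fefe00000900006400"
    "006200000300000611d10e76979ac8f4"
    "84940abc2875a587")

def decode_sslv2_client_hello(msg: bytes) -> dict:
    """Parse an SSLv2-format CLIENT-HELLO (what ssldump calls an
    'SSLv2 compatible client hello') and return its fields.
    Layout: len(2, high bit set) | type(1)=1 | version(2) | cipher_spec_len(2)
            | session_id_len(2) | challenge_len(2) | cipher specs (3 bytes each)
            | session id | challenge"""
    if len(msg) < 11 or not msg[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    rec_len = ((msg[0] & 0x7F) << 8) | msg[1]
    if rec_len != len(msg) - 2:
        raise ValueError(f"record says {rec_len} bytes, {len(msg) - 2} present")
    body = msg[2:]
    if body[0] != 1:
        raise ValueError(f"message type {body[0]} is not CLIENT-HELLO")
    cs_len, sid_len, ch_len = (int.from_bytes(body[i:i + 2], "big") for i in (3, 5, 7))
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != len(body):
        raise ValueError("cipher-spec, session-id and challenge lengths do not add up")
    specs = body[9:9 + cs_len]
    return {
        "version": (body[1], body[2]),                     # (3, 1) = TLS 1.0
        "cipher_suites": [int.from_bytes(specs[i:i + 3], "big")
                          for i in range(0, cs_len, 3)],   # e.g. 0x010080 = SSL2_CK_RC4
        "session_id": body[9 + cs_len:9 + cs_len + sid_len],
        "challenge": body[9 + cs_len + sid_len:],
    }
```

The length checks are what catch a dropped or duplicated value after pasting: the record length, the three field lengths and the bytes present must agree before the message is trusted.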

[Another Example: ISAKMP]

  1   192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
  2   192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
  3   192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
  4   192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
  5   192.168.0.203 -> 192.168.1.235 ISAKMP Identity Protection (Main Mode)
  6   192.168.1.235 -> 192.168.0.203 ISAKMP Identity Protection (Main Mode)
  7   192.168.0.203 -> 192.168.1.235 ISAKMP Quick Mode
  8   192.168.1.235 -> 192.168.0.203 ISAKMP Quick Mode
  9   192.168.0.203 -> 192.168.1.235 ISAKMP Quick Mode
 10   192.168.0.203 -> 192.168.1.235 ESP ESP (SPI=0x806e9107)
 11   192.168.1.235 -> 192.168.0.203 ESP ESP (SPI=0x4ce84d44)

Now here's the first packet:

User Datagram Protocol
    Source port: 500 (500)
    Destination port: 500 (500)
    Length: 184
    Checksum: 0xb981 (correct)
Internet Security Association and Key Management Protocol
    Initiator cookie
    Responder cookie
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags
        .... ...0 = No encryption
        .... ..0. = No commit
        .... .0.. = No authentication
    Message ID: 0x00000000
    Length: 176
    Security Association payload
        Next payload: NONE (0)
        Length: 148
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload
            Next payload: NONE (0)
            Length: 136
            Proposal number: 0
            Protocol ID: ISAKMP (1)
            SPI size: 0
            Number of transforms: 4
            Transform payload
                Next payload: Transform (3)
                Length: 32
                Transform number: 0
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (2)
            Transform payload
                Next payload: Transform (3)
                Length: 32
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (2)
            Transform payload
                Next payload: Transform (3)
                Length: 32
                Transform number: 2
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (1)
            Transform payload
                Next payload: NONE (0)
                Length: 32
                Transform number: 3
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Group-Value (1)

   0  0010 0dd4 0800 00a0 c919 6b91 0800 4500   ..........k...E. 
  10  00cc 5730 0000 4011 7e0f ac15 a6cb ac15   ..W0..@.~....... 
  20  a5eb 01f4 01f4 00b8 b981 f35c 1dea 6e81   ...........\..n. 
  30  cf0a 0000 0000 0000 0000 0110 0200 0000   ................ 
  40  0000 0000 00b0 0000 0094 0000 0001 0000   ................ 
  50  0001 0000 0088 0001 0004 0300 0020 0001   ............. .. 
  60  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
  70  0002 8003 0001 8004 0002 0300 0020 0101   ............. .. 
  80  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
  90  0001 8003 0001 8004 0002 0300 0020 0201   ............. .. 
  a0  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
  b0  0001 8003 0001 8004 0001 0000 0020 0301   ............. .. 
  c0  0000 800b 0001 800c 0e10 8001 0005 8002   ................ 
  d0  0002 8003 0001 8004 0001                  .......... 



# sendip 192.168.0.1 -p UDP -us 500 -d F35C1DEA6E81CF0A00000000000000000110020000000000000000B000000094000000010000000100000088000100040300002000010000800B0001800C0E10800100058002000280030001800400020300002001010000800B0001800C0E10800100058002000180030001800400020300002002010000800B0001800C0E10800100058002000180030001800400010000002003010000800B0001800C0E1080010005800200028003000180040001
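The step both examples above perform by hand, taking the sniffer's hex dump, skipping the IP and TCP/UDP headers and re-emitting the application layer in a pasteable form, can be scripted. The block below is an added example, not iplayer's source or output: it parses tcpdump -x and ethereal style dump lines, locates the payload from the header length fields, and returns it either as a NASL raw_string() list (the "-s 2" form) or as the upper-case hex string used with sendip -d. The tcpdump lines of the ClientHello packet are embedded as constructed input; the same functions handle the Ethernet-framed ISAKMP dump above.

```python
import re

# Constructed input (not iplayer output): the tcpdump -x lines of the
# SSL ClientHello packet shown earlier; tcpdump -x starts at the IP header.
TCPDUMP_SSL = """\
0x0000   4500 007c 4bad 4000 4006 90a7 0a14 00e6        E..|K.@.@.......
0x0010   ac15 a718 0aee 01bb a581 d34f 43a6 681b        ...........OC.h.
0x0020   8018 3ebc b8de 0000 0101 080a 000a a9ff        ..>.............
0x0030   0055 ae9d 8046 0103 0100 2d00 0000 1001        .U...F....-.....
0x0040   0080 0700 c003 0080 0600 4002 0080 0400        ..........@.....
0x0050   8000 0004 00fe ff00 000a 00fe fe00 0009        ................
0x0060   0000 6400 0062 0000 0300 0006 11d1 0e76        ..d..b.........v
0x0070   979a c8f4 8494 0abc 2875 a587                  ........(u..
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")   # "4500" or "0a"

def parse_hexdump(text: str) -> bytes:
    """Collect the hex words of tcpdump -x / ethereal dump lines into bytes.
    The offset column is dropped; words are read until the first token that is
    not 2 or 4 hex digits, i.e. where the ASCII column starts (assumption)."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:]:
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def app_layer(frame: bytes) -> bytes:
    """Strip the (optional) Ethernet, IPv4 and TCP/UDP headers from one frame.
    An ethereal dump starts with the 14-byte Ethernet header; a tcpdump -x dump
    starts at IP, detected by the version nibble 4 in the first byte."""
    ip = 0 if frame[0] >> 4 == 4 else 14
    ihl = (frame[ip] & 0x0F) * 4
    total = int.from_bytes(frame[ip + 2:ip + 4], "big")   # IP total length
    proto = frame[ip + 9]
    l4 = ip + ihl
    if proto == 6:                  # TCP: header length = data offset * 4
        hlen = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:               # UDP: fixed 8-byte header
        hlen = 8
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    return frame[l4 + hlen:ip + total]

def nasl_raw_string(payload: bytes) -> str:
    """Same idea as 'iplayer -s 2': a raw_string() argument list for NASL."""
    return "raw_string(" + ",".join(f"0x{b:02x}" for b in payload) + ");"

def sendip_hex(payload: bytes) -> str:   # the form pasted after sendip -d above
    return payload.hex().upper()
```

Running app_layer on the ISAKMP frame above yields the 176 bytes that follow the UDP header, and sendip_hex of that slice is exactly the hex string on the sendip command line.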

Also see README.ipgrab.
