INTRO
=====
This software has been developed to test an IPS's ability to properly handle application-layer fragmentation and insertion techniques based on bad TCP checksums.

It relies on hping for raw packet creation and on iptables to prevent our station from generating unwanted RSTs. The command executed is the following:

iptables -A OUTPUT -p 6 -d $target --dport $DPORT --tcp-flags RST RST -j DROP

Anyway, you probably know this already, as you would never run such a tool without looking at the source, would you?

HOWTO
=====

0. Make sure the following commands are in your path
   - hping
   - iptables

1. Launch http-insert.pl

2. Fill in the target IP and the source port to be used

3. Available commands:
    - D : data that will be sent in the current packet
    - Q : leave the packet editor

4. Available options (to use with command D):
    - B : this packet will have a bad TCP checksum
    - E : automatically append a trailing "HTTP/1.0" to the packet
    - O : use the same sequence number as the preceding packet
    - N : nothing special

5. The packet is sent and hping's output is displayed


EXAMPLE
=======

0. Let's say we want to test a stupid signature-based IPS. We are trying to get a request for the /cmd.exe URL through to the server.

1. Set a baseline for legitimate traffic

Simply request / and look at the output.

>>>>>>>
[root@localhost progs]# ./http-insert.pl 
enter target host : 10.0.0.105
enter source port : 43321
Enter command (D)ata,(Q)uit: D
Enter data: GET /
Enter an option (B)ad checksum, (E)nd HTML, (O)verwrite previous, (N)one: E
Enter command (D)ata,(Q)uit: Q
sent : GET / HTTP/1.0


using eth0, addr: 192.168.202.108, MTU: 1500
HPING 10.0.0.105 (eth0 10.0.0.105): A set, 40 headers + 18 data bytes
len=46 ip=10.0.0.105 ttl=127 DF id=64307 tos=0 iplen=40
sport=80 flags=A seq=0 win=16598 rtt=165.8 ms
seq=2815712711 ack=12364 sum=efa urp=0
<<<<<<<

The hping output shows "flags=A": the server acknowledged our data. Everything is OK.

2. Set a baseline for malicious traffic

We request /cmd.exe (I said we were testing a stupid signature-based IPS).

>>>>>>>
[root@localhost progs]# ./http-insert.pl 
enter target host : 10.0.0.105
enter source port : 22121
Enter command (D)ata,(Q)uit: D
Enter data: GET /cmd.exe
Enter an option (B)ad checksum, (E)nd HTML, (O)verwrite previous, (N)one: E
Enter command (D)ata,(Q)uit: Q
sent : GET /cmd.exe HTTP/1.0


using eth0, addr: 192.168.202.108, MTU: 1500
HPING 10.0.0.105 (eth0 10.0.0.105): A set, 40 headers + 25 data bytes 
<<<<<<<

hping got nothing back: our request has been dropped.

3. Test for insertion

3.a Provide the basic info

>>>>>>>
[root@localhost progs]# ./http-insert.pl 
enter target host : 10.0.0.105
enter source port : 54343
<<<<<<<


3.b Send the beginning of the request:
We send GET /cm

>>>>>>>
Enter command (D)ata,(Q)uit: D
Enter data: GET /cm
Enter an option (B)ad checksum, (E)nd HTML, (O)verwrite previous, (N)one: N
<<<<<<<

3.c Send garbage with a bad checksum:

>>>>>>>
Enter command (D)ata,(Q)uit: D
Enter data: aaa  
Enter an option (B)ad checksum, (E)nd HTML, (O)verwrite previous, (N)one: B
<<<<<<<

3.d Send the end of the malicious URL:
Here we overlap the previous, bad-checksummed, packet.

>>>>>>>
Enter command (D)ata,(Q)uit: D
Enter data: d.exe
Enter an option (B)ad checksum, (E)nd HTML, (O)verwrite previous, (N)one: O
<<<<<<<

3.e Finish the request (E option) and get the result:

>>>>>>>
Enter command (D)ata,(Q)uit: D
Enter data: 
Enter an option (B)ad checksum, (E)nd HTML, (O)verwrite previous, (N)one: E
Enter command (D)ata,(Q)uit: Q
sent : GET /cmaaad.exe HTTP/1.0


using eth0, addr: 192.168.202.108, MTU: 1500
HPING 10.0.0.105 (eth0 10.0.0.105): A set, 40 headers + 13 data bytes
len=46 ip=10.0.0.105 ttl=127 DF id=64339 tos=0 iplen=40
sport=80 flags=A seq=0 win=16591 rtt=167.2 ms
seq=2860451233 ack=12371 sum=7c24 urp=0
<<<<<<<

We got the A flag. Let's see what the server has in its access.log:

192.168.202.108 - - [11/Aug/2005:23:14:18 +0200] "GET /cmd.exe HTTP/1.0" 404 3352 "-" "-"

4. Use your imagination


ABOUT INSERTION
===============

1. Bad checksum insertion
The example above should be self-explanatory.

2. HTTP overlapping
As it "should" be in TCP, if two packets overlap (same sequence number), the data of the first one is kept. If the data length of the second is greater than that of the first, the excess data are appended to those of the first.

First : aa
Second (overlapping) : bbbb
Result : aabb

This opens up a lot of possibilities for I(D|P)S bypassing.
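To make the reassembly ambiguity behind the step 3 example and the two rules above concrete, here is an added Python model (not part of http-insert.pl) that rebuilds the step 3 stream under different policies: an endpoint that verifies TCP checksums and keeps the first data on overlap, versus a sensor that skips the checksum check. Addresses and port are taken from the transcript; the initial sequence number and the other TCP header fields are assumed.

```python
import struct
from dataclasses import dataclass
from socket import inet_aton
SRC, DST, SPORT, DPORT, ISN = "192.168.202.108", "10.0.0.105", 54343, 80, 100000  # from step 3; ISN assumed
PSEUDO = struct.pack("!4s4sBB", inet_aton(SRC), inet_aton(DST), 0, 6)  # pseudo-header minus TCP length
def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when data already carries its correct checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

@dataclass
class Segment:
    seq: int
    payload: bytes
    bad_checksum: bool = False  # emulates the tool's (B) option
    def wire(self) -> bytes:
        """20-byte TCP header (ACK set) plus payload; (B) flips the low bit of the stored checksum."""
        hdr = struct.pack("!HHIIBBHHH", SPORT, DPORT, self.seq, 0, 5 << 4, 0x10, 16384, 0, 0)
        csum = inet_checksum(PSEUDO + struct.pack("!H", 20 + len(self.payload)) + hdr + self.payload)
        return hdr[:16] + struct.pack("!H", csum ^ self.bad_checksum) + hdr[18:] + self.payload

def checksum_valid(seg: Segment) -> bool:
    """The check a real endpoint performs before accepting a segment into its stream."""
    w = seg.wire()
    return inet_checksum(PSEUDO + struct.pack("!H", len(w)) + w) == 0

def reassemble(segments, verify_checksum: bool, favor_old: bool) -> bytes:
    """Rebuild the stream; on overlap keep the first data (favor_old, the page's rule) or the latest."""
    base = min(s.seq for s in segments)
    stream = {}
    for s in segments:
        if verify_checksum and not checksum_valid(s):
            continue  # the endpoint silently discards it; a sensor that skips the check does not
        for i, b in enumerate(s.payload):
            off = s.seq - base + i
            if not (favor_old and off in stream):
                stream[off] = b
    return bytes(stream[i] for i in sorted(stream))
# Constructed replay of steps 3.b-3.e: "aaa" carries a bad checksum, "d.exe" reuses its sequence number.
INSERTION_TEST = [Segment(ISN, b"GET /cm"), Segment(ISN + 7, b"aaa", bad_checksum=True),
                  Segment(ISN + 7, b"d.exe"), Segment(ISN + 12, b" HTTP/1.0")]

def server_view() -> bytes:        # checksums verified, first data kept on overlap
    return reassemble(INSERTION_TEST, verify_checksum=True, favor_old=True)
def naive_sensor_view() -> bytes:  # bad-checksum segment accepted, first data kept on overlap
    return reassemble(INSERTION_TEST, verify_checksum=False, favor_old=True)
```

A sensor that wants to see what the server saw has to both verify the TCP checksum and model the target's overlap policy; any difference between the two views is exactly the gap this tool measures.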

WHO
===
Renaud Bidou 
-> renaudb at radware.com
-> renaud.bidou at iv2-technologies.com