More Packet Hacking with PowerShell – UDP Manipulation

In the last post, I talked about how I used PowerShell to "STUN Roll" the open WiFi at DefCon. How much code was that? Was it hard?

(Image: stun_roll)

It turns out that it was pretty reasonable – less than 60 lines of PowerShell.

```powershell
## Convert a string in the form of hexadecimal characters into the
## equivalent bytes.
function ConvertFrom-HexString
{
    param([string] $HexString)

    ## Split on every pair of characters; the capture group keeps the pairs
    ## and the filter drops the empty strings -split emits between them
    $HexString -split "(..)" | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) }
}

## Get the broadcast address for a subnet.
## Modified from
## http://powershell.com/cs/blogs/tips/archive/2013/06/03/calculate-broadcast-address.aspx
function Get-BroadcastAddress
{
    $ipConfiguration = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object IPAddress | Select-Object -First 1
    $ipAddress = @($ipConfiguration.IPAddress)[0]
    $subnetMask = @($ipConfiguration.IPSubnet)[0]

    ## .Address gives the IPv4 address as an integer in network byte order;
    ## the mask is parsed the same way, so the bit operations line up
    [UInt32]$ip = [IPAddress]::Parse($ipAddress).Address
    [UInt32]$subnet = [IPAddress]::Parse($subnetMask).Address
    [UInt32]$network = $ip -band $subnet

    ## Broadcast address = network address with every host bit set
    New-Object IPAddress ($network -bor -bnot $subnet)
}

## Send the actual STUN packet for some given text
function Send-StunPacket
{
    param([string] $Text)

    ## Some header bytes that I got from reviewing the
    ## hexadecimal packet data in WireShark
    $headerContent = "000100"
    [byte[]]$bytes = ConvertFrom-HexString $headerContent

    ## After the header bytes is the length of the packet
    ## Found by experimentation
    $bytes += [Byte] (4 + $Text.Length)

    ## And then some more header bytes that I didn't really know
    ## or care what they did
    $bytes += ConvertFrom-HexString "2112a4426274336f6754616876713150000600"
    $bytes += [Byte] $Text.Length

    ## Get the bytes for the message, add them to the packet.
    ## This section of the packet is usually for the user's ID.
    $messageBytes = [System.Text.Encoding]::ASCII.GetBytes($Text)
    $bytes += $messageBytes

    ## Configure the destination IP address and port
    $dstPort = 3478
    $endpoint = New-Object System.Net.IPEndPoint (Get-BroadcastAddress),$dstPort

    ## And send the packet (the socket has to be allowed to send
    ## to a broadcast address)
    $udpClient = New-Object System.Net.Sockets.UdpClient
    $udpClient.EnableBroadcast = $true
    $null = $udpClient.Send($bytes, $bytes.Length, $endpoint)
    $udpClient.Close()
}

## The payload :)
$lyrics = @"
We’re no strangers to love
You know the rules and so do I
A full commitment’s what I’m thinking of
You wouldn’t get this from any other guy
I just wanna tell you how I’m feeling
Gotta make you understand

CHORUS
Never gonna give you up,
Never gonna let you down
Never gonna run around and desert you
Never gonna make you cry,
Never gonna say goodbye
Never gonna tell a lie and hurt you

We’ve known each other for so long
Your heart’s been aching but you’re too shy to say it
Inside we both know what’s been going on
We know the game and we’re gonna play it
And if you ask me how I’m feeling
Don’t tell me you’re too blind to see (CHORUS)

CHORUS
(Ooh give you up)
(Ooh give you up)
(Ooh) never gonna give, never gonna give
(give you up)
(Ooh) never gonna give, never gonna give
(give you up)

We’ve known each other for so long
Your heart’s been aching but you’re too shy to say it
Inside we both know what’s been going on
We know the game and we’re gonna play it (TO FRONT)
"@

## Send one packet per line of the payload
$lines = $lyrics -split "`r`n"
$lines | ForEach-Object { Send-StunPacket $_.Trim() }
```
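Reading these packets back is the useful counterpart for anyone who sees this traffic in a capture: the decoder below is an added example, not code from the original post, and it walks the STUN header and the attributes after it using the RFC 5389 layout, which the bytes above turn out to follow (Binding Request type 0x0001, magic cookie 2112a442, a 12-byte transaction ID, then a USERNAME attribute carrying the text). The function name Read-StunPacket and the sample packet are my own, and it needs PowerShell 3 or later for -shl.

```powershell
## Decode a STUN message (RFC 5389 layout) and list its attributes.
## Hypothetical helper, not part of the original script.
function Read-StunPacket
{
    param([byte[]] $Bytes)

    if ($Bytes.Length -lt 20) { throw "Too short for a 20-byte STUN header" }

    ## Header: type (2 bytes), message length (2), magic cookie (4),
    ## transaction ID (12). Multi-byte fields are big-endian.
    $type   = ($Bytes[0] -shl 8) -bor $Bytes[1]
    $length = ($Bytes[2] -shl 8) -bor $Bytes[3]
    $cookie = ($Bytes[4..7] | ForEach-Object { "{0:x2}" -f $_ }) -join ""
    $txId   = [System.Text.Encoding]::ASCII.GetString($Bytes, 8, 12)

    ## Attributes are TLV: type (2), length (2), value padded to 4 bytes
    $attributes = @()
    $offset = 20
    while ($offset + 4 -le $Bytes.Length)
    {
        $attrType = ($Bytes[$offset] -shl 8) -bor $Bytes[$offset + 1]
        $attrLen  = ($Bytes[$offset + 2] -shl 8) -bor $Bytes[$offset + 3]
        if ($offset + 4 + $attrLen -gt $Bytes.Length)
        {
            throw "Attribute at offset $offset runs past the end of the packet"
        }
        $attributes += [PSCustomObject]@{
            Type  = "0x{0:x4}" -f $attrType   # 0x0006 is USERNAME
            Value = [System.Text.Encoding]::ASCII.GetString($Bytes, $offset + 4, $attrLen)
        }
        $offset += 4 + $attrLen + ((4 - ($attrLen % 4)) % 4)
    }

    [PSCustomObject]@{
        IsBindingRequest  = ($type -eq 0x0001)
        MagicCookieOK     = ($cookie -eq "2112a442")
        TransactionId     = $txId
        ## The script above uses 4 + text length and no padding, so this
        ## shows whether the declared length agrees with what was sent
        LengthMatchesBody = ($length -eq ($Bytes.Length - 20))
        Attributes        = $attributes
    }
}

## Constructed sample: what Send-StunPacket builds for the text "Hi"
$sample = [byte[]](0x00,0x01,0x00,0x06, 0x21,0x12,0xa4,0x42,
    0x62,0x74,0x33,0x6f,0x67,0x54,0x61,0x68,0x76,0x71,0x31,0x50,
    0x00,0x06,0x00,0x02, 0x48,0x69)
Read-StunPacket $sample | Format-List
```

On a captured packet, pass the UDP payload bytes in the same way; a text-only USERNAME value and a length that disagrees with the body are the two tells that distinguish this script's output from a real STUN client.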


Happy packet hacking!

One Response to “More Packet Hacking with PowerShell – UDP Manipulation”

  1. Neothwin writes:

    Hi,

    Good one to play around :) Thanks

    In PS v2, I have to convert the type after using -bnot.

    # New-Object IPAddress ($broadcast -bor -bnot $subnet)
    New-Object IPAddress ($broadcast -bor ([convert]::toUint32([Convert]::ToString((-bnot $subnet), 16),16) ))

    Of course, “Where-Object IPAddress” also has to be replaced with the PS v2 format :)

    rgds,
