More Packet Hacking with PowerShell - UDP Manipulation

Fri, Aug 16, 2013

In the last post, I talked about how I used PowerShell to “STUN Roll” the open WiFi at DefCon. How much code was that? Was it hard?

It turns out that it was pretty reasonable - less than 60 lines of PowerShell.

## Convert a string in the form of hexadecimal characters into the
## equivalent bytes.
function ConvertFrom-HexString
{
    param($HexString)
    $HexString -split "(..)" | ? { $_ } | % { [Convert]::ToByte($_, 16) }
}

## Get the broadcast address for a subnet.
## Modified from
## http://powershell.com/cs/blogs/tips/archive/2013/06/03/calculate-broadcast-address.aspx
function Get-BroadcastAddress
{
    $ipConfiguration = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object IPAddress | Select -First 1
    $ipAddress = @($ipConfiguration.IPAddress)[0]
    $subnetMask = @($ipConfiguration.IPSubnet)[0]

    [UInt32]$ip = [IPAddress]::Parse($IPAddress).Address
    [UInt32]$subnet = [IPAddress]::Parse($SubnetMask).Address
    [UInt32]$broadcast = $ip -band $subnet

    New-Object IPAddress ($broadcast -bor -bnot $subnet)
}

## Send the actual STUN packet for some given text
function Send-StunPacket
{
    param([string] $Text)

    ## Some header bytes that I got from reviewing the
    ## hexadecimal packet data in WireShark
    $headerContent = "000100" 
    $bytes = ConvertFrom-HexString $headerContent

    ## After the header bytes is the length of the packet
    ## Found by experimentation
    $bytes += [Byte] (4 + $Text.Length)

    ## And then some more header bytes that I didn't really know
    ## or care what they did
    $bytes += ConvertFrom-HexString "2112a4426274336f6754616876713150000600"
    $bytes += [Byte] $Text.Length

    ## Get the bytes for the message, add them to the packet.
    ## This section of the packet is usually for the user's ID.
    $messageBytes = [System.Text.Encoding]::ASCII.GetBytes($Text)
    $bytes += $messageBytes

    ## Configure the destination IP address and port
    $dstPort = 3478
    $endpoint = New-Object System.Net.IPEndPoint (Get-BroadcastAddress),$dstPort

    ## And send the packet
    $udpClient = New-Object System.Net.Sockets.UdpClient
    $null = $udpClient.Send($bytes, $bytes.Length, $endpoint)
    $udpClient.Close()
}

## The payload 🙂
$lyrics = @"
We're no strangers to love
You know the rules and so do I
A full commitment's what I'm thinking of
You wouldn't get this from any other guy
I just wanna tell you how I'm feeling
Gotta make you understand
 
CHORUS
Never gonna give you up,
Never gonna let you down
Never gonna run around and desert you
Never gonna make you cry,
Never gonna say goodbye
Never gonna tell a lie and hurt you
 
We've known each other for so long
Your heart's been aching but you're too shy to say it
Inside we both know what's been going on
We know the game and we're gonna play it
And if you ask me how I'm feeling
Don't tell me you're too blind to see (CHORUS)
 
CHORUS
(Ooh give you up)
(Ooh give you up)
(Ooh) never gonna give, never gonna give
(give you up)
(Ooh) never gonna give, never gonna give
(give you up)
 
We've known each other for so long
Your heart's been aching but you're too shy to say it
Inside we both know what's been going on
We know the game and we're gonna play it (TO FRONT)
"@

## Split on CRLF or bare LF, so this works however the script was saved or pasted
$lines = $lyrics -split "`r?`n"
$lines | % { Send-StunPacket $_.Trim() }
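
Seen from the capture side, the opaque bytes in Send-StunPacket follow the RFC 5389 message layout: a Binding Request type, the message length, the magic cookie, a fixed 12-byte transaction ID, and a USERNAME attribute header in front of the text. The decoder below is an added example, not code from the original post; ConvertFrom-StunPacket and its property names are hypothetical, and the sample bytes are constructed to match what the function above builds for the text "Never".

```powershell
## Added example: decode a STUN message (RFC 5389 layout) and note
## anomalies. Function and property names here are hypothetical.
function ConvertFrom-StunPacket
{
    param([byte[]] $Bytes)

    if($Bytes.Length -lt 20) { throw "Shorter than the 20-byte STUN header" }

    ## Multi-byte fields are big-endian (network byte order)
    $type   = $Bytes[0] * 256 + $Bytes[1]
    $length = $Bytes[2] * 256 + $Bytes[3]
    $cookie = [BitConverter]::ToString($Bytes, 4, 4) -replace '-'
    $notes  = @()

    if($cookie -ne '2112A442') { $notes += "Magic cookie is not 2112A442" }
    if($length % 4) { $notes += "Message length $length is not a multiple of 4" }
    if(20 + $length -ne $Bytes.Length) { $notes += "Length field does not match datagram size" }

    ## Walk the type-length-value attributes that follow the header
    $attributes = @()
    $offset = 20
    while($offset + 4 -le $Bytes.Length)
    {
        $attrType   = $Bytes[$offset] * 256 + $Bytes[$offset + 1]
        $attrLength = $Bytes[$offset + 2] * 256 + $Bytes[$offset + 3]
        $available  = [Math]::Min($attrLength, $Bytes.Length - $offset - 4)
        $value = [System.Text.Encoding]::ASCII.GetString($Bytes, $offset + 4, $available)
        $attributes += [PSCustomObject]@{
            Type = '0x{0:X4}' -f $attrType; Length = $attrLength; Value = $value }

        ## Attribute values are padded to a 4-byte boundary
        $offset += 4 + $attrLength + ((4 - $attrLength % 4) % 4)
    }

    [PSCustomObject]@{
        MessageType   = '0x{0:X4}' -f $type    ## 0x0001 = Binding Request
        TransactionId = [BitConverter]::ToString($Bytes, 8, 12) -replace '-'
        Attributes    = $attributes            ## 0x0006 = USERNAME
        Anomalies     = $notes
    }
}

## Constructed sample: the bytes Send-StunPacket builds for "Never"
$hex = "000100092112a4426274336f6754616876713150000600054e65766572"
$sample = [byte[]] ($hex -split "(..)" | ? { $_ } | % { [Convert]::ToByte($_, 16) })
ConvertFrom-StunPacket $sample
```

Because the text is appended without padding, the length check fires whenever the text length is not a multiple of four, and the transaction ID is identical in every packet; both stand out when filtering a capture for this kind of traffic.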

Happy packet hacking!