Hexinject Introduction

NETWORK MANIPULATION IN A HEX FASHION:
An introduction to HexInject
A1 EA CC 1B F5 36 32 BC 40 D0 81 1E C6 87 DC CD D1 62 6F 4D 29 FD 44 44
22 35 27 D5 28 54 81 A7 4F 92 65 23 79 E7 22 3F BC AD BA BB AD E9 6E 74
8C 78 8A AA 62 BA 6B 2D 2F B6 4B 18 FE 9F 0A 5C FF 3F 72 31 60 CD 1D 74
73 DA A8 AE 1B FD 33 FE 8E 80 81 00 0A 04 14 47 B8 94 26 87 8B 83 4E 2F
37 3A EB E9 2F 1B 52 DF A5 6B 8E A2 8B 99 50 C8 D6 67 43 3E 3B BF FF D9
FF EE 70 BB BC 35 52 B5 46 50 19 4F EE 05 24 02 9B 97 40 38 04 4D 06 EE
0B D8 30 1C 23 41 33 D2 D7 95 3C E5 B7 2F 66 CB 62 0C 64 0F 8D FF FB 78
64 D0 00 04 44 6C 63 69 E9 42 CE 36 26 EC 2D 08 03 B3 91 B1 D7 78 67 A0
73 F8 CF 92 AE B4 70 0B 00 B7 3A 84 0E 22 E2 4B FA 3A 10 8F D3 D2 92 65
CF A3 89 C4 A5 AD 24 ED 5F 75 A2 C1 06 C9 6C CC 3D 50 8B 20 C0 D9 E2 93
2F 0C 93 69 4D 6F 51 1F FF DF 32 38 70 B9 21 38 90 D3 47 D5 A3 D4 8B 17
0F 32 88 21 F8 57 CB F5 FD DF D6 E2 B5 90 8A 40 5B D7 DC E5 78 02 49 97
95 FE 9A 6D 9A 6D 0F 18 FF 56 2E 0F AF 4C 32 CC 8D 22 16 18 65 7C 5A FB
C2 2C 0C 28 00 01 82 8E C2 E3 52 20 E4 FF EE A5 3B 7E CA F4 44 99 AC 02
E4 7F ED FE 4F FF FC EE EE EC 66 1D 37 A5 11 A4 73 3D 56 D3 74 8D C4 A4
04 A3 BB B6 23 46 B3 2C D5 65 C3 8A BA 77 87 24 FA AA C5 99 AF 74 6A AF
BB 37 87 ED 71 33 D0 B5 4A F1 D5 76 EB A5 EA 3C E8 09 F1 6A F4 67 30 8D
53 75 73 EC C7 3B 91 79 16 8C B9 E0 F1 62 CC E3 25 5A 7E 77 3E 8D A1 D1
C3 9C 7D A6 0A 46 A8 54 D2 23 83 69 5A AE 21 8C E8 10 85 B5 BE CE 9C 45
EA AD A0 23 21 9C D0 C5 36 83 37 C9 D9 F2 66 7F DF 2A 08 CC DC 35 98 17
85 3F FA 78 60 AB 00 81 05 19 4C 22 98 5F 8F 7F F3 B8 88 09 14 0C 02 36
00 00 3B BD 8E BD 0C AE 8E 1E 8B 7E 20 30 10 94 7A 8E 88 FD 5F FF FF FF
FF FE DA 2E F1 AC 17 BB A7 12 93 DF 64 A9 3B 3B 0B 3D B7 FE EA 37 56 00
82 CA 4A B4 52 6A 5E 92 16 A7 95 7D B6 5D C9 A1 C1 D9 EA FB 05 8F FC 16
C5 90 45 8D A7 49 AD 81 B3 B2 0A A6 63 8D 77 92 EA 98 D1 D4 25 FF FB 78
2! " E#$nue%e Acri
&cro''(o)er*($c+tr$c+"%inux,or-.
S/eci$% t0$n+ to:
1$c+Tr$c+ Linux St$22
&0tt/:33))),($c+tr$c+"%inux,or-3.
1/26
Index
Introduction..........................................................................................................................................3
Usage...............................................................................................................................................3
Why hexadecimal?...........................................................................................................................3
Basic usage...........................................................................................................................................6
HexInject as ni!!er.........................................................................................................................6
"extual #rotocols.........................................................................................................................$
%ixed #rotocols..........................................................................................................................$
HexInject as Injector........................................................................................................................&
Injecting......................................................................................................................................&
'd(anced usage..................................................................................................................................11
Binary #rotocols.............................................................................................................................11
)xtract *inary !ields..................................................................................................................12
'd(anced #i#ing............................................................................................................................1+
'##endix............................................................................................................................................1$
',- cheatsheet..............................................................................................................................1$
I.%- cheatsheet............................................................................................................................1&
U/- cheatsheet..............................................................................................................................22
".- cheatsheet...............................................................................................................................2+
2/26
Introduction
HexInject 0htt#1//hexinject.source!orge.net/2 is a (ery (ersatile #ac3et injector and sni!!er4 that
#ro(ide a command5line !rame6or3 !or ra6 net6or3 access.
It7s designed to 6or3 together 6ith others command5line utilities4 the utilities you usually use !or
#rocessing text out#ut !rom executa*les or scri#ts 0re#lace4 sed4 a632.
"his 8com#ati*ility9 !acilitates the creation o! #o6er!ul shell scri#ts4 in a (ery little time4 ca#a*le o!
reading4 interce#ting and modi!ying net6or3 tra!!ic.
It7s li3e using li*#ca# 0htt#1//666.tc#dum#.org/24 !rom the command line4 6ithout messing 6ith the
'-I. :rom a 0la;y2 #rogrammer #ers#ecti(e that7s !antastic<
Usage
"his is a screenshot o! the current usage o! the tool4 the o#tions should *e sel!5ex#lanating1
Basically it has t6o execution modalities1 'ni22 and inject4 and t6o data !ormat1 0ex$deci#$% and
r$) 0the !irst data !ormat is the de!ault4 the second is un#arsed net6or3 tra!!ic2.
=ou can #ro(ide a custom #ca# !ilters to select tra!!ic to ca#ture4 (ery use!ul !or ad(anced uses.
'nd !inally4 *ecause HexInject is ca#a*le to set the correct chec3sum !or the #ac3ets injected4
there7s a !lag to disa*le this !eature.
3/26
Why hexadecimal?
"he tools is 6ritten to read and inject data in hexadecimal4 6hy?
We7ll not d6ell on the ad(antages o! hexadecimal to re#resent the *inary !ormat.
"he reasons are just t6o1 *ecause a !ixed t6o character string can re#resent all the #ossi*le (alues
o! a *yte 0*ut you already 3no6 this...2 and *ecause the hexadecimal allo6 to !ollo6 the #rinci#les
o! Data-Driven Programming.
8When doing data5dri(en #rogramming4 one clearly distinguishes code !rom the data structures on
6hich it acts4 and designs *oth so that one can ma3e changes to the logic o! the #rogram *y editing
not the code *ut the data structure.9 0htt#1//666.!a>s.org/docs/artu/ch?&s?1.html2.
"his is (ery im#ortant to ma3e clear and maintaina*le #rograms or scri#ts. Ho6e(er4 not all the
li*raries that #ro(ide ra6 net6or3 access !ollo6 this #rinci#le.
:or exam#le4 li*net uses !unctions to hide data4 as 6e can see !rom this sni##et o! code 0!rom
netdisco(er4 htt#1//666.nixgeneration.com/@jaime/netdisco(er/21
/* Forge Arp Packet, using libnet */
void forge_arp(char *source_ip, char *dest_ip, char *disp)
{
static libnet_ptag_t arp=, eth=!
static u_char d"ac#$%&_A'$() = {*FF, *FF, *FF, *FF, *FF, *FF+!
static u_char sip#,P_A'$()!
static u_char dip#,P_A'$()!
u_int-._t otherip, "/ip!

/* get src 0 dst ip address */
otherip = libnet_na"e.addr1(libnet, dest_ip, ',2($%_3$45'6$)!
"e"cp/(dip, (char*)0otherip, ,P_A'$()!
"/ip = libnet_na"e.addr1(libnet, source_ip, ',2($%_3$45'6$)!
"e"cp/(sip, (char*)0"/ip, ,P_A'$()!

/* forge arp data */
arp = libnet_build_arp(
A3P&37_$%&$3,
$%&$3%8P$_,P,
$%&_A'$(, ,P_A'$(,
A3P5P_3$9:$4%,
s"ac, sip,
d"ac, dip,
(:'', ,
libnet,
arp)!

/* forge ethernet header */
eth = libnet_build_ethernet(
d"ac, s"ac,
$%&$3%8P$_A3P,
(:'', ,
libnet,
eth)!

/* ,n;ect the packet */
libnet_<rite(libnet)!
+
+/26
Ai*netB*uildBar#02 and li*netB*uildBethernet02 are com#lex !unctions4 that re>uires a lot o!
(aria*les and #ointers 0many o! them li*net5s#eci!ic2. .ertainly their use is not intuiti(e.
"he result is4 in my o#inion4 con!using and ugly. But4 o! course4 the !unction can *e re6ritten in a
di!!erent style1
/* Forge Arp Packet, using libpcap */
void forge_arp(char *source_ip, char *dest_ip, char *disp)
{
in_addr_t sip, dip!

char ra<_arp#) =
=>*ff>*ff>*ff>*ff>*ff>*ff= // "ac destination
=>*>*>*>*>*>*= // "ac source
=>*?>*@= // t/pe
=>*>*A= // h< t/pe
=>*?>*= // protocol t/pe
=>*@= // h< siBe
=>*1= // protocol siBe
=>*>*A= // opcode
=>*>*>*>*>*>*= // sender "ac
=>*>*>*>*= // sender ip
=>*ff>*ff>*ff>*ff>*ff>*ff= // target "ac
=>*>*>*>*=! // target ip

/* get src 0 dst ip address */
dip = inet_addr(dest_ip)!
sip = inet_addr(source_ip)!

"e"cp/(ra<_arp C .?, (char*) 0sip, ,P_A'$()!
"e"cp/(ra<_arp C -?, (char*) 0dip, ,P_A'$()!

/* set "ac addr */
"e"cp/(ra<_arp C @, s"ac, $%&_A'$()!
"e"cp/(ra<_arp C .., s"ac, $%&_A'$()!

/* ,n;ect the packet */
pcap_sendpacket(in;ect, (unsigned char *) ra<_arp, siBeof(ra<_arp)DA)!
+
"he second (ersion o! !orgeBar#02 uses a data-driven a##roach1 less (aria*les4 a clear re#resentation
o! the ',- #ac3et4 standard !unctions and standard data5ty#es. "he #ac3et can *e modi!ied in
e(ery as#ect 6ithout altering the code.
"his a##roach is some6hat similar to 06ell56ritten2 ex#loits4 6here the assem*ly shellcode
0hexadecimal4 o! course2 has e(ery o#code commented4 and it7s easy to ada#t to the target.
HexInject is similar to this second (ersion o! !orgeBar#024 only much sim#ler.
Note: you can do6nload a #atch to eliminate the li*net de#endency !rom the last release o!
netdisco(er4 !rom my site1 htt#1//*ac3trac3.it/@cross*o6er/netdisco(er?.35*eta$5no5li*net.#atch.
Use!ul !or recent systems that do not su##ort old (ersions o! li*net...
C/26
Basic usage
I believe without exception that theory follows practice.
Whenever there is a conflict between theory and practice, theory is wrong.
4$5id 1$+er
"his #ractical section o! the document sho6 (arious uses o! HexInject4 using a lot o! exam#les.
"he o#erating en(ironment is 1$c+Tr$c+ 6 R! 0do6nloada*le !rom here1 htt#1//666.*ac3trac35
linux.org/do6nloads/24 (irtuali;ed 6ith DirtualBox.
It7s assumed that the system has t6o net6or3 inter!aces 0et04 et0!24 i! these di!!er !rom your4 you
must ada#t the exam#les to your system 0not di!!icult2.
HexInject as Sniffer
's seen *e!ore4 HexInject can *e used as sni!!er 6hen the o#tions E5sE is #ro(ided. It can #rint
net6or3 tra!!ic in *oth hexadecimal and ra6 !ormat.
' !irst test o! the !unctionality can *e1
root@backtrack-base# hexinject -s -i eth0
1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 3C 9A 88 40 00 40 06 51 04 C0
A8 01 09 5B 05 32 79 C9 45 01 BB 61 5E 85 79 00 00 00 00 A0 02 16 D0 0D 2F 00 00
02 04 05 B4 04 02 08 0A 00 0D 22 EC 00 00 00 00 01 03 03 07 FF FF FF FF FF FF AA
00 04 00 0A 04 08 06 00 01 08 00 06 04 00 01 AA 00 04 00 0A 04 C0 A8 01 09 00 00
00 00 00 00 C0 A8 01 04
AB 00 00 03 00 00 AA 00 04 00 0A 04 60 03 22 00 0D 02 00 00 AA 00 04 00 0A 04 03
DA 05 00 00 00 00 00 00 00 00 00 AA 00 04 00 00 00 0A 00 00 02 AA AA FF FF FF FF
FF FF AA 00 04 00 0A 04 08 06 00 01 08 00 06 04 00 01 AA 00 04 00 0A 04 C0 A8 01
09 00 00 00 00 00 00 C0 A8 01 04
"he de!ault data !ormat is hexadecimal1 *ytes are se#arated *y a single s#ace4 and #ac3ets are
se#arated *y the 8ne6line9 character. "his !ormat is (ery easy to #arse *y standard unix cmd5line
utilities 0li3e sed4 a634 tr...2 and *y scri#ting language inter#reters 0#erl4 #ython4 tcl... or e(en *ash2.
Instead4 i! ra6 data !ormat is s#eci!ied4 the out#ut 6ill *e similar to this1
root@backtrack-base# hexinject -s -i eth0 -r
#
##kEk@3#5E[#!# "#$#r#C##%&##
'9 1D50()#9##
!#
*+, 'C-$#k.#
E4/@@#0# [#!#1#C$#####
72'93C
Fet6or3 #ac3ets are are mainly com#osed o! non #rinta*le characters. :or this reason4 i! 6e 6ant to
extract use!ul in!ormation !rom net6or3 streams 6e need the hel# o! some utilities.
Dery use!ul is the tool 'trin-'4 that extracts and #rints #rinta*le character se>uences delimited *y
un#rinta*le characters. %ainly de(elo#ed !or determining the contents o! non5text !iles4 it 6or3s
(ery 6ell !or our #ur#ose.
6/26
Aet7s see1
root@backtrack-base# hexinject -s -i eth0 -r | strings
4220 Ft5 67r+4are 85-ate 8t797t
:;E< test
331 =ass4or- 59ease#
=A;; test
>421 ?o@7A 7Acorrect#
[421 ?o@7A 7Acorrect#
B9B5
3C
Interesting... 6e just interce#ted an :"- connection to an em*edded de(ice 0in this case a /Ain3
,outer2.
:"- commands are #lain text so it7s easy to extract the username and the #ass6ord !rom the stream1
:;E< test
=A;; test
Textual protocols
We can o! course do something a little more ad(anced... :or exam#le 6e can extract and #rint some
H""- headers.
H""- is a textual #rotocol used to retrie(e 6e* #ages !rom 6e*ser(ers 0*ut not only2. 'n H""-
re>uest or res#onse is com#osed *y the message headers and the message *ody.
"he headers are easy to #arse *ecause they are se#arated *y the character se>uence 8GrGn9 0?x?/
?x?'24 so4 !rom a 8ra6 !ormat9 #ers#ecti(e4 one header #er line.
Aet7s try to extract the host header to see 6hat 6e*sites are *eing (isited on our A'F1
root@backtrack-base# hexinject -s -i eth0 -r | strings | grep 'Host:'
!ostC o8t8be#co+
!ostC 444#o8t8be#co+
!ostC s#t7+@#co+
###
)(en in this exam#le 6e used only common utilities 0'trin-' and -re/24 creating a 8s#eciali;ed9
sni!!er 6ithout 6riting a line o! code.
8H394 =ou can thin34 8this is easy i! the #rotocol is textual4 *ut 6hat a*out *inary #rotocols?9
/on7t 6orry4 6ith a *it o! *lac3 sorcery4 6e can do that and more...
Mixed protocols
We just introduced H""-4 *ut there7s another #rotocol 6ithout 6hich the user ex#erience o! the 6e*
6ould not *e the same1 /omain Fame ystem.
"he /F #rotocol4 translates domain names4 meaning!ul to humans4 into *inary identi!iers 0I-
adresses2. o4 i! a user ty#es 8666.*ac3trac35linux.org9 into his *ro6ser location *ar4 he 6ill *e
#ro#erly addressed to 6$.23.$?.624 the I- address o! the 6e*ser(er.
/F is a *inary #rotocol4 *ut contains se>uences o! #rinta*le characters and it7s 6idely used4 !or
this reason it7s a good exam#le o! 8mixed #rotocol9 0*inary data I #rinta*le se>uences2. We 6ill
no6 6rite a re>uest sni!!er !or it.
$/26
"he strings 6e 6ant to extract 0the domain names re>uested24 are not transmitted entirely in a
#rinta*le !ormat1 the domain le(els are se#arated *y one *yte containing the num*er o! characters
o! the next string.
Just to (isuali;e the se>uence4 a resolution re>uest !or E666.google.comE 6ill a##ear as1
HEA4ER ,,, 7 ))) 8 -oo-%e 7 co# ,,,
We need to extract and decode something li3e this1
9:x7))):x8-oo-%e:x7co#:x;
ince 6e 6ant to use only common shell tools4 a good choice to con(ert *inary characters in
#rinta*le ones is tr4 a tool used to translate set o! character. ets can *e strings o! #rinta*le
characters 0re#resent themsel(es24 or inter#reted se>uences.
:rom the manual o! tr1
Interpreted sequences are:
\NNN character with octal value NNN (1 to 3 octal digits)
o4 6ith a little tric34 6e can con(ert the domain name o! /F re>uests in a #rinta*le string1
tr '\001-\015' '.'
"his con(ert *inary (alues *et6een 1 0G??12 and 13 0G?1C2 into dots4 joining the domain le(els o!
/F re>uests.
But it7s not enough... We must do a *etter selection o! the data. "his can *e done 6ith the o#tion "24
#ro(iding a custom #ca# !ilter 0htt#1//666.man#age;.com/man/$/#ca#5!ilter/2.
"he !ollo6ing is the !ilter to ca#ture only /F re>uests4 since /F uses U/- as net6or3 #rotocol
and the standard ser(er #ort is C31
udp dstport=53
"he last thing to do is to ignore the 0!e62 extracted !ields that are not domain name1
grep -o -E '[a-!-"0-#$-%&[a-!-"0-#\.$-%&'
-utting it all together1
root@backtrack-base# hexinject -s -i eth0 -' 'udp dstport=53' -r -c 10 | tr
'\001-\015' '.' | strings --()tes=* | grep -o -E '[a-!-"0-#$-%&[a-!-"0-#\.$-%
&'
444#Dkc-#or@
444#Dkc-#or@
444#@oo@9e#co#8k
444#@oo@9e#co+
444#@oo@9e#co#8k
444#@oo@9e#co+
444#Dkc-#or@
)t (oila< ' one5line /F sni!!er< .om#ared to 6riting a sni!!er in . or e(en -ython or -erl4 ho6
much time 6as sa(ed?
We7ll ex#lore more exam#le o! *inary #rotocol analysis in the ad(anced section.
K/26
HexInject as Injector
HexInject can *e used as injector 6hen the o#tion 8"/; is #ro(ided. "his !unctionality is
com#lementary to the sni!!ing mode4 and4 6hen com*ined together4 they can lead to rather
interesting results.
:or no6 6e7ll *rie!ly ex#lore ho6 to use HexInject as an injection tool.
Injecting
im#ly4 6e can choose to inject data in ra6 or hexadecimal !ormat4 as seen *e!ore 6ith the sni!!ing
mode. HexInject reads data !rom the standard in#ut 0stdint24 so4 to #ro(ide him custom strings4 6e
must use the #i#e o#erator1
root@backtrack-base# echo +01 0, 03 0-+ | hexinject -p -i eth0

ome hex *ytes ha(e just *een injected1
"he same thing can *e done in ra6 mode1
root@backtrack-base# echo '.u/... pia0' | hexinject -p -i eth0 -r
"he result4 as you can imagine4 is1
&/26
"he i#/ort$nt thing to note4 is that the tool injects #ac3ets as they are in the net6or34 6ithout
#er!orming any 3ind o! #arsing 0the only exce#tion is the chec3sum calculation4 *ut the !eature can
*e disa*led2.
o4 to *e correctly inter#reted *y other hosts on the net6or34 the #ac3ets must ha(e a correct
structure4 and must *e #ro#erly enca#sulated.
HexInject o#erates at the /ata Ain3 layer o! the HI model 0image !rom
htt#1//en.6i3i#edia.org/6i3i/HIBmodel21
Build your o6n #ac3ages ta3ing this into account.
"he 8*asic usage9 #art o! this document is o(er. "he next sections 6ill sho6 more ad(anced uses o!
the tool.
1?/26
Adanced usage
!ou don"t have to coo# fancy or complicated masterpieces,
$ust good food from fresh ingredients.
<u%i$ =0i%d
"his section 6ill sho6 more ad(anced uses o! HexInject4 *ut the material 6ill al6ays *e #resented
as sim#ly as #ossi*le and 6ith extensi(e use o! exam#les.
"he o#erating en(ironment is 1$c+Tr$c+ 6 R! 0do6nloada*le !rom here1 htt#1//666.*ac3trac35
linux.org/do6nloads/24 (irtuali;ed 6ith %irtual&ox.
It7s assumed that the system has t6o net6or3 inter!aces 0et04 et0!24 i! these di!!er !rom your4 you
must ada#t the exam#les to your system 0not di!!icult2.
Binary protocols
We ha(e seen ho6 to extract in!ormation !rom textual and 8mixed9 #rotocols. Fo6 6e7ll see ho6 to
extract in!ormation !rom *inary #rotocols and ho6 to read *inary header !ields.
' common A'F #rotocol 6e can easily s#ot 8in5the56ild9 is 'ddress ,esolution -rotocol 0',-2.
"his #rotocol is used to determine a net6or3 host7s hard6are address 0%'.2 6hen only it7s net6or3
layer address 0I- address2 is 3no6n.
"he structure o! the #rotocol is sim#le1 it includes the addresses o! the sender and reci#ient and a
!ield indicating 6hether the #ac3et is a re>uest or a res#onse.
Aet7s try to ca#ture a #ac3et to ex#eriment on1
root@backtrack-base# hexinject -s -i eth0 -' 'arp' -c 1
FF FF FF FF FF FF AA 00 04 00 0A 04 08 06 00 01 08 00 06 04 00 01 AA 00 04 00 0A
04 C0 A8 01 09 00 00 00 00 00 00 C0 A8 01 04
We can sa(e the ca#tured #ac3et in the !ile 7ar#.exam#le7.
Ha(ing a little 3no6ledge o! the ',- structure it7s #ossi*le to di(ide the #rotocol header !rom the
ethernet !rame1
04 C0 A8 01 09 00 00 00 00 00 00 C0 A8 01 04
"he red #art is the ethernet !rame. It contains the destination %'. address 0in this case
!!1!!1!!1!!1!!1!!4 *roadcast24 the sender %'. address 0aa1??1?+1??1?a1?+2 and the next header ty#e 0in
this case ',-4 ?x?K?62.
"he red #art is the ',- header1
11/26
Aet7s see 6hat can 6e extract !rom this *unch o! *ytes.
!xtract "inary fields
Hur goal is to create a com#lete ',- sni!!er to #rint hexadecimal data in a com#rehensi*le manner.
We7ll 6rite it in !orm o! shell scri#t using only *ash and a63.
"he !irst t6o !ields to extract are Hard6are "y#e and -rotocol "y#e4 usually set to 8?x???19
0)thernet2 and 8?x?K??9 0I#(+2. ince these !ields are o! a !ixed length o! 2 *ytes 6e can easily
#rint them using $)+.
root@backtrack-base# cat arp.exa/p1e | a23 '4 print +0x+515516 7'
0D0001
root@backtrack-base# cat arp.exa/p1e | a23 '4 print +0x+51851* 7'
0D0800
In the scri#t 6e7ll add a !unction to con(ert the (alue in the #rotocol name.
"he next ste# is #rinting the length o! the #rotocol addresses. ince a decimal (alue it7s more use!ul
6e ha(e to change a little the a63 command1
root@backtrack-base# cat arp.exa/p1e | a23 --non-deci/a1-data
'4 print'9+:d+;+0x+51#< 7'
6
root@backtrack-base# cat arp.exa/p1e | a23 --non-deci/a1-data
'4 print'9+:d+;+0x+5,0< 7'
4
"he result is correct1 6 *ytes !or %'. addresses and + *ytes !or I- num*ers. Fote1 the o#tion 7--
non-decimal-data7 has *een introduced more recently in LFU a634 and is o#tional *ecause it7s not
com#ati*le 6ith old scri#ts4 *ut it is (ery use!ul to inter#ret hexadecimal num*ers as in#uts.
Fo6 6e can analy;e the o#code1
root@backtrack-base# cat arp.exa/p1e | a23 '4 print +0x+5,15,, 7'
0D0001
In this case it7s an ',- re>uest 0o#code ?x???124 *ut you can encounter also res#onses 0o#cade
?x???22.
"he last things le!t to *e extracted are the %'. and I- address o! the source and the target.
ource addresses1
root@backtrack-base# cat arp.exa/p1e | a23 '4 print
5,3+:+5,-+:+5,5+:+5,6+:+5,8+:+5,* 7'
AAC00C04C00C0AC04
root@backtrack-base# cat arp.exa/p1e | a23 --non-deci/a1-data '4 print'9+:d.:d.
:d.:d+; +0x+5,#; +0x+530; +0x+531; +0x+53,<= 7'
192#168#1#9
12/26
"arget addresses1
root@backtrack-base# cat arp.exa/p1e | a23 '4 print
533+:+53-+:+535+:+536+:+538+:+53* 7'
00C00C00C00C00C00
root@backtrack-base# cat arp.exa/p1e | a23 --non-deci/a1-data '4 print'9+:d.:d.
:d.:d+; +0x+53#; +0x+5-0; +0x+5-1; +0x+5-,<= 7'
192#168#1#4
)asy4 isn7t it?
We7(e con(erted I- address to dotted decimal style using a637s #rint!02 0as *e!ore 6e need the
o#tion Mnon5decimal5data24 and 8decoded9 %'. addresses just joining the 6 *ytes 6ith 819
characters.
Fo6 that 6e 3no6 ho6 to get all the in!ormation 6e need4 let7s see i! 6e can #ut these commands
together to create a scri#t. It 6ill dis#lay the #ac3et in a #retty manner1
EF/bin/bash
a<k DDnonDdeci"alDdata G
{
print =CDDD h< t/pe DDDCDDD pr t/pe DDDC=!
print =H *= IAJIA@ = H *= IAKIA? = H=!

print =CDDD h< siBe DDDCDDD pr siBe DDDC=!
print =H *= IAL = H *= I. = H=!
print =CDDDDDDDD opcode (t/pe) DDDDDDDDC=!
print =H *= I.AI.. = = (I.. == A M =reNuest= O =response=) = H=!
print =CDDDDDDDDDD source h< DDDDDDDDDDC=!
print =H = I.-=O=I.1=O=I.J=O=I.@=O=I.K=O=I.? = H=!
print =CDDDDDDDDDD source pr DDDDDDDDDDC=!
ipA = sprintf(=PdQPdQPdQPd=, =*=I.L, =*=I-, =*=I-A, =*=I-.)!
lenA = length(ipA)!
printf(=H PsP*c>n=, ipA, .1DlenA, =H=)!
print =CDDDDDDDDDD target h< DDDDDDDDDDC=!
print =H = I--=O=I-1=O=I-J=O=I-@=O=I-K=O=I-? = H=!
print =CDDDDDDDDDD target pr DDDDDDDDDDC=!
ip. = sprintf(=PdQPdQPdQPd=, =*=I-L, =*=I1, =*=I1A, =*=I1.)!
len. = length(ip.)!
printf(=H PsP*c>n=, ip., .1Dlen., =H=)!
print =CDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDC=!
print ==!
+
G
13/26
"he scri#t is (ery sim#le4 *ut it is di!!icult to mentally (isuali;e its out#ut 6ithout running it
0o*(iously you can also #i#e the scri#t to a running HexInject #rocess to !ormat #ac3ets in real
time21
root@backtrack-base# cat arp.exa/p1e | .>arp$decode.sh
E--- F4 t5e ---E--- 5r t5e ---E
G 0D0001 G 0D0800 G
E--- F4 s7)e ---E--- 5r s7)e ---E
G 0D06 G 0D04 G
E-------- o5co-e 't5eH --------E
G 0D0001 reI8est G
E---------- so8rce F4 ----------E
G AAC00C04C00C0AC04 G
E---------- so8rce 5r ----------E
G 192#168#1#9 G
E---------- tar@et F4 ----------E
G 00C00C00C00C00C00 G
E---------- tar@et 5r ----------E
G 192#168#1#4 G
E-------------------------------E
'lthough it is only a scri#t4 through the a63 language it7s #ossi*le to con(ert4 edit and !ormat any
3ind o! textual out#ut4 ma3ing this the #er!ect language !or our #ur#oses.
's you7(e seen4 sometimes4 sim#le scri#ts and #i#elines are as #o6er!ul as com#lex #rograms. "he
di!!erence is in de(elo#ment time and (ersatility.
In the a##endix you can !ind (arious cheatsheet to extract !ield !rom the most common #rotocols.
Be sure to gi(e a loo3...
Adanced piping
o !ar 6e only used #i#es com#rising one instance o! HexInject4 either reading or injecting data.
Is4 o! course4 #ossi*le to com*ine t6o di!!erent HexInject #rocesses4 6hich4 running in di!!erent
modalities4 allo6 the modi!ication o! net6or3 #ac3ets 8on the !ly9.
'n intuiti(e #attern4 generally a##lica*le 6hen 6e need to alter a !lo6 o! data is the !ollo6ing1
0exinject "' "i >'rc int> "2 >2i%ter> ? @ ? @ ? 0exinject "/ "i >d't int>
' !irst instance o! HexInject read the data !rom the source interface usually selecting the data
through a pcap filter 0it7s rare the necessity to analy;e all the tra!!ic4 so the use o! !ilters is strongly
encouraged2.
"hen the tra!!ic is analysed *y a serie o! !ilters 0cmd5line tools2 and modi!ied.
:inally the tra!!ic is re5injected in the net6or3 *y a second instance o! HexInject4 running on the
destination interface 06hich may *e or not the same as the source inter!ace2.
' sim#le exam#le o! this is a 8con(ersion9 o! an ',- re>uest in an ',- res#onse just changing one
*it o! the #ac3et1
root@backtrack-base# hexinject -s -i eth0 -c 1 -' 'arp' | rep1ace '06 0- 00 01'
'06 0- 00 0,' | hexinject -p -i eth0
1+/26
Wireshar3 dum#1
Note that the strings #assed to replace are >uite long4 though they di!!ers in only one *it. "his is
*ecause the #i#e is EstatelessE4 so there7s the ris3 o! altering 6rong #arts o! the #ac3ets.
I! you #lan to do the same thing 6ith a 8smarter9 #i#e you can ada#t the shell scri#t seen #re(iously
!or the #arsing and dum#ing o! ',- #ac3ets.
We said that the source inter!ace may not coincide 6ith the destination inter!ace. "his o#ens u#
se(eral ne6 #ossi*ilities.
We could #ut u# a #seudo trans#arent *ridge *uilt using only t6o lines o! *ash1
root@backtrack-base# hexinject -s -i eth0 -c 1 -' 'src host 1#,.16*.1.#' |
hexinject -p -i eth1
root@backtrack-base# hexinject -s -i eth1 -c 1 -' 'dst host 1#,.16*.1.#' |
hexinject -p -i eth0
'ctually this exam#le can surely *e im#ro(ed4 it just demonstrate the (ersatility o! the tools.
It7s e(en #ossi*le to emulate F'" o##ortunely re#lacing the I-1
root@backtrack-base# hexinject -s -i eth0 -c 1 -' 'src host 1#,.16*.1.#' |
rep1ace '?0 !* 01 0#' '?0 !* 01 0-' | hexinject -p -i eth1
root@backtrack-base# hexinject -s -i eth1 -c 1 -' 'dst host 1#,.16*.1.#' |
rep1ace '?0 !* 01 0-' '?0 !* 01 0#' | hexinject -p -i eth0
1C/26
Note that these t6o exam#les lac3 the management o! %'. addresses4 that can *e im#lemented as
a scri#t #laced in the middle o! the #i#e. Fe(ertheless the exam#les gi(e an idea o! 6hat is #ossi*le
to do.
' !inal4 *ut (ery interesting4 exam#le o! ad(anced #i#es is the com*ined use o! netcat and hexinject
to create a re#ote 'ni22er.
"he sni!!er is located on the machine 8!A2,!8B,C8,!!94 a *ac3trac3 *ox running in'ide 5irtu$%(ox4
that has not direct access to the internet1
Fost@192#168#56#101# hexinject -s -i eth0 -' 'not dst host 1#,.16*.56.1' | nc -u
1#,.16*.56.1 5555
Note the use o! #ca# !ilters to a(oid an in!inite loo#s o! sni!!ed and transmitted #ac3ets.
"he recei(er is located on 8!A2,!8B,!,A9 or 8!A2,!8B,C8,!9 inside the (irtual*ox net6or3. "o
recei(e tra!!ic 6e need just a listening netcat1
Fost@192#168#1#9# nc -1 -p 5555 -u
0A 00 27 00 00 00 08 00 27 49 48 03 08 00 45 00 00 54 00 00 40 00 40 01 7F EC C0
A8 38 65 C0 A8 01 07 08 00 17 93 59 1A 00 02 DB 42 A7 4C 18 BE 01 00 08 09 0A 0B
0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26
27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
0A 00 27 00 00 00 08 00 27 49 48 03 08 00 45 00 00 54 00 00 40 00 40 01 7F EC C0
A8 38 65 C0 A8 01 07 08 00 AC 92 59 1A 00 03 DC 42 A7 4C 82 BD 01 00 08 09 0A 0B
0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26
27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
###
's you can see4 some I.%- #ac3ets 0generated *y the #ing utility2 has *een ca#tured and remotely
transmitted to the recei(er machine. Fo tunneling #rotocols4 no L,)4 just netcat and hexinject4 t6o
sim#le standalone tools.
"o conclude this last section 6e can only say that the #ossi*ilities and com*inations o! tools are
(irtually endless4 and the only limit is our imagination.
I ho#e this document has not *ored you4 #lease contact me (ia email i! you !ind ne6 interesting
uses o! the tool4 so that i can add ne6 exam#les to this document.
16/26
Appendix
8If you can"t explain it simply, you don"t understand it well enough
A%(ert Ein'tein
'he ability to simplify means to eliminate the unnecessary so that the necessary may spea#
H$n' Ho2#$nn
"his a##endix contains (arious cheatsheets use!ul to 8decry#t9 hexadecimal #ac3et dum#. "hey
descri*e the structure o! the most common #rotocols and ho6 to extract their !ields using only
sim#le command5line tools.
urely a la;y #rogrammer/#enstester aid N2
"he a##endix includes also some (isual re#resentation o! #rotocol headers !rom Wi3i#edia
0htt#1//666.6i3i#edia.org 2 .
ARP cheatsheet
Disual re#resentation1
1$/26
.a#ture exam#le1
04 C0 A8 01 09 00 00 00 00 00 00 C0 A8 01 04
.a#ture ex#lanation1
FF FF FF FF FF FF
/estination hard6are address
AA 00 04 00 0A 04
ource hard6are address
08 06
"y#e
00 01
Hard6are ty#e
08 00
-rotocol ty#e
06 J
Hard6are si;e
04 J
-rotocol si;e
00 01
H#code
AA 00 04 00 0A 04
ender hard6are address
C0 A8 01 09
ender #rotocol address
00 00 00 00 00 00
"arget hard6are address
C0 A8 01 04
"arget #rotocol address
:ield extraction cheatsheet1
Fie%d =o##$ndD'E Re'u%t
/estination h6 address
a63 7O #rint P1E1EP2E1EP3E1EP+E1EPCE1EP6 Q7
::1::1::1::1::1::
ource h6 address a63 7O #rint P$E1EPKE1EP&E1EP1?E1EP11E1EP12 Q7 ''1??1?+1??1?'1?+
"y#e
a63 7O #rint E?xEP13P1+ Q7
?x?K?6
Hard6are ty#e a63 7O #rint E?xEP1CP16 Q7 ?x???1
-rotocol ty#e
a63 7O #rint E?xEP1$P1K Q7
?x?K??
Hard6are si;e a63 7O #rint E?xEP1& Q7 ?x?6
-rotocol si;e
a63 7O #rint E?xEP2? Q7
?x?+
H#code a63 7O #rint E?xEP21P22 Q7 ?x???1
ender h6 address
a63 7O #rint P23E1EP2+E1EP2CE1EP26E1EP2$E1EP2K Q7
''1??1?+1??1?'1?+
ender #roto address a63 55non5decimal5data 7O #rint!0ERd.Rd.Rd.RdE4
E?xEP2&4 E?xEP3?4 E?xEP314 E?xEP322N Q7
1&2.16K.1.&
"arget h6 address
a63 7O #rint P33E1EP3+E1EP3CE1EP36E1EP3$E1EP3K Q7
??1??1??1??1??1??
"arget #roto address a63 55non5decimal5data 7O #rint!0ERd.Rd.Rd.RdE4
E?xEP3&4 E?xEP+?4 E?xEP+14 E?xEP+22N Q7
1&2.16K.1.+
1K/26
I#M$ cheatsheet
Disual re#resentation 0I-21
Disual re#resentation 0I.%-21
.a#ture exam#le1
1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 54 00 00 40 00 40 01 54 4E C0
A8 01 09 C0 A8 64 01 08 00 34 98 D7 10 00 01 5B 68 98 4C 00 00 00 00 2D CE 0C 00
00 00 00 00 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26
27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37
1C AF F7 6B 0E 4D
AA 00 04 00 0A 04
08 00
"y#e
45
Dersion / Header length
00 J
"o//:
00 54
"otal length
00 00
I/
40 00
:lags/:ragment o!!set
1&/26
40
""A
01 J
-rotocol
54 4E
.hec3sum
C0 A8 01 09
ource address
C0 A8 64 01
/estination address
08 J
"y#e
00 J
.ode
34 98
.hec3sum
D7 10
I/
00 01
e>uence num*er
5B 68 98 4C 00 00 00 00 2D CE 0C 00 00
00 00 00 10 11 12 13 14 15 16 17 18 19
1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26
27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33
34 35 36 37
/ata
/estination h6 address a63 7O #rint P1E1EP2E1EP3E1EP+E1EPCE1EP6 Q7
1CCAFCF7C6BC0EC4D
ource h6 address
a63 7O #rint P$E1EPKE1EP&E1EP1?E1EP11E1EP12 Q7
''1??1?+1??1?'1?+
"y#e a63 7O #rint E?xEP13P1+ Q7 ?x?K??
Dersion
a63 55non5decimal5data 7O #rint rshi!t0E?xEP1C4 +2 Q7
+
Header length a63 55non5decimal5data 7O #rint and0E?xEP1C4 ?x!2S+
Q7
2?
"o//:
a63 7O #rint E?xEP16 Q7
?x??
"otal length a63 55non5decimal5data
7O #rint!0ERdE4E?xEP1$P1K2 Q7
K+
I/
a63 7O #rint E?xEP1&P2? Q7
?x????
:lags a63 55non5decimal5data 7O #rint
rshi!t0E?xEP21P224132 Q7
2
a63 55non5decimal5data
7O PaTrshi!t0E?xEP21P224132N i!0and0Pa4+22 O #rint
E,eser(edE Q i!0and0Pa4222 O #rint E/o not !ragmentE
Q i!0and0Pa4122 O #rint E%ore !ragmentsE Q Q7
/o not !ragment
:ragment o!!set a63 55non5decimal5data 7O #rint and0E?xEP21P224132
Q7
?
""A
?x+?
-rotocol a63 7O #rint E?xEP2+ Q7 ?x?1
2?/26
.hec3sum a63 7O #rint E?xEP2CP26 Q7 ?xC++)
ource address
a63 55non5decimal5data 7O #rint!0ERd.Rd.Rd.RdE4
E?xEP2$4 E?xEP2K4 E?xEP2&4 E?xEP3?2N Q7
1&2.16K.1.&
/estination address a63 55non5decimal5data 7O #rint!0ERd.Rd.Rd.RdE4
E?xEP314 E?xEP324 E?xEP334 E?xEP3+2N Q7
1&2.16K.1??.1
"y#e
a63 7O #rint E?xEP3C Q7
?x?K
.ode a63 7O #rint E?xEP36 Q7 ?x??
.hec3sum
a63 7O #rint E?xEP3$P3K Q7 0D3498
I/
a63 7O #rint E?xEP3&P+? Q7
?xD710
e>uence num*er a63 7O #rint E?xEP+1P+2 Q7 ?x???1
/ata
sed 7s/.GO12CGQ//7 U re#lace 7 7 7GGx7 U xargs #rint!
Vh A5
WWWWWWWWWWWWWW
WW <EWP
RX702SI45./?123+C6$
21/26
U%$ cheatsheet
.a#ture exam#le1
1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 3C 9B 23 00 00 40 11 70 BC C0
A8 01 09 D0 43 DC DC 91 02 00 35 00 28 6F 0B AE 9C 01 00 00 01 00 00 00 00 00 00
03 77 77 77 06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 01 00 01
1C AF F7 6B 0E 4D
AA 00 04 00 0A 04
08 00
"y#e
45
00 J
"o//:
00 3C
"otal length
9B 23
I/
00 00
40
""A
11 J
-rotocol
70 BC
.hec3sum
C0 A8 01 09
ource address
D0 43 DC DC
/estination address
91 02
orce #ort
00 35
/estination #ort
00 28
Aength
6F 0B
.hec3sum
AE 9C 01 00 00 01 00 00 00 00 00 00 03
77 77 77 06 67 6F 6F 67 6C 65 03 63 6F
/ata
22/26
6D 00 00 01 00 01
/estination h6 address a63 7O #rint P1E1EP2E1EP3E1EP+E1EPCE1EP6 Q7
1CCAFCF7C6BC0EC4D
ource h6 address
a63 7O #rint P$E1EPKE1EP&E1EP1?E1EP11E1EP12 Q7
''1??1?+1??1?'1?+
"y#e a63 7O #rint E?xEP13P1+ Q7 ?x?K??
Dersion
a63 55non5decimal5data 7O #rint rshi!t0E?xEP1C4 +2 Q7
+
Header length a63 55non5decimal5data 7O #rint and0E?xEP1C4
?x!2S+ Q7
2?
"o//:
?x??
"otal length a63 55non5decimal5data
6?
I/
a63 7O #rint E?xEP1&P2? Q7
?x&B23
:lags a63 55non5decimal5data 7O #rint
?
a63 55non5decimal5data 7O PaTrshi!t0E?xEP21P224132N
i!0and0Pa4+22 O #rint E,eser(edE Q i!0and0Pa4222
O #rint E/o not !ragmentE Q i!0and0Pa4122 O #rint
E%ore !ragmentsE Q Q7
:ragment o!!set a63 55non5decimal5data 7O #rint
and0E?xEP21P224132 Q7
?
""A
?x+?
-rotocol a63 7O #rint E?xEP2+ Q7 ?x11
.hec3sum
a63 7O #rint E?xEP2CP26 Q7
?x$?B.
ource address a63 55non5decimal5data 7O #rint!0ERd.Rd.Rd.RdE4
1&2.16K.1.&
/estination address
2?K.6$.22?.22?
ource #ort a63 55non5decimal5data 7O #rint!0ERdE4
E?xEP3CP362 Q7
3$122
/estination #ort
a63 55non5decimal5data 7O #rint!0ERdE4
E?xEP3$P3K2 Q7
C3
Aength a63 55non5decimal5data 7O #rint!0ERdE4
E?xEP3&P+?2 Q7
40
.hec3sum
a63 7O #rint E?xEP+1P+2 Q7
?x6:?B
/ata sed 7s/.GO12CGQ//7 U re#lace 7 7 7GGx7 U xargs #rint! WWW666Wgoogl
eWcomWW
23/26
T#$ cheatsheet
.a#ture exam#le1
1C AF F7 6B 0E 4D AA 00 04 00 0A 04 08 00 45 00 00 34 5A AE 40 00 40 06 5E 67 C0
A8 01 09 58 BF 67 3E 9B 44 00 50 8E B5 C6 AC 15 93 47 9E 80 10 00 58 A5 A0 00 00
01 01 08 0A 00 09 C3 B2 42 5B FA D6
1C AF F7 6B 0E 4D
AA 00 04 00 0A 04
08 00
"y#e
45
00 J
"o//:
00 34
"otal length
5A AE
I/
40 00
40
""A
06 J
-rotocol
5E 67 J
.hec3sum
C0 A8 01 09
ource address
58 BF 67 3E
/estination address
9B 44
orce #ort
00 50
/estination #ort
8E B5 C6 AC
e>uence num*er
15 93 47 9E
'c3 num*er
2+/26
80
Header length
10
:lags
00 58
Windo6
A5 A0
.hec3sum
00 00
-adding
01 01 08 0A 00 09 C3 B2 42 5B FA D6
H#tions
/estination h6 address
a63 7O #rint P1E1EP2E1EP3E1EP+E1EPCE1EP6 Q7 1CCAFCF7C6BC0EC4D
ource h6 address a63 7O #rint P$E1EPKE1EP&E1EP1?E1EP11E1EP12 Q7 ''1??1?+1??1?'1?+
"y#e
a63 7O #rint E?xEP13P1+ Q7
?x?K??
Dersion a63 55non5decimal5data 7O #rint rshi!t0E?xEP1C4 +2 Q7 +
Header length
a63 55non5decimal5data 7O #rint and0E?xEP1C4 ?x!2S+
Q7
2?
"o//: a63 7O #rint E?xEP16 Q7 ?x??
"otal length
C2
I/ a63 7O #rint E?xEP1&P2? Q7 ?xC'')
:lags
a63 55non5decimal5data 7O #rint
2
7O PaTrshi!t0E?xEP21P224132N i!0and0Pa4+22 O #rint
E,eser(edE Q i!0and0Pa4222 O #rint E/o not !ragmentE
Q i!0and0Pa4122 O #rint E%ore !ragmentsE Q Q7
/o not !ragment
:ragment o!!set
a63 55non5decimal5data 7O #rint and0E?xEP21P224132
Q7
?
""A a63 7O #rint E?xEP23 Q7 ?x+?
-rotocol
a63 7O #rint E?xEP2+ Q7
?x?6
.hec3sum a63 7O #rint E?xEP2CP26 Q7 ?x$?B.
ource address
1&2.16K.1.&
/estination address a63 55non5decimal5data 7O #rint!0ERd.Rd.Rd.RdE4
KK.1&1.1?3.62
ource #ort
a63 55non5decimal5data 7O #rint!0ERdE4 E?xEP3CP362
Q7
3&$+K
/estination #ort a63 55non5decimal5data 7O #rint!0ERdE4 E?xEP3$P3K2
Q7
K?
e>uence num*er
23&+2$$C+K
2C/26
E?xEP3&P+?P+1P+22 Q7
'c3 num*er a63 55non5decimal5data 7O #rint!0ERdE4
E?xEP+3P++P+CP+62 Q7
361&$3662
Header length
rshi!t0E?xEP+$4+2S+2 Q7
32
:lags a63 55non5decimal5data 7O PaTE?xEP+KN
i!0and0Pa412K22 O #rint E.W,E Q i!0and0Pa46+22
O #rint E).F5)choE Q i!0and0Pa43222 O #rint EUrgE Q
i!0and0Pa41622 O #rint E'c3E Q i!0and0Pa4K22 O #rint
E-ushE Q i!0and0Pa4+22 O #rint E,stE Q i!0and0Pa4222
O #rint EynE Q i!0and0Pa4122 O #rint E:inE Q Q7
'c3
Windo6
a63 55non5decimal5data 7O #rint!0ERdE4 E?xEP+&PC?2
Q7
KK
.hec3sum a63 7O #rint E?xEPC1PC2 Q7 ?
-adding
...
...
H#tions ... ...
/ata
sed 7s/.GO1&$GQ//7 U re#lace 7 7 7GGx7 U xargs #rint!
0"he o!!set may (ary4 o#tions de#endent2
...
26/26

Hexinject Introduction

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hexinject Introduction

Uploaded by

Copyright:

Available Formats

NETWORK MANIPULATION IN A HEX FASHION:

You might also like