Plynt Blog

The Wonders of Packet Editors

by Roshen Chandran | 22 Jul 2005

In a recent pen test, the Windows Packet Editor became our unlikely tool of choice to perform a replay attack.

While testing a web application recently, we observed that it was sending a hash value of the password during login. Since a password is hashed to the same value on each login, we guessed that the application would be vulnerable to password replay attacks. But to show this we had to intercept and modify the data. For HTTP traffic, this is generally done using an application proxy such as Burp Proxy, which we discussed a few weeks ago.

However, we could not use Burp Proxy here because the application used a Java applet to send the data to a non-HTTP port. The applet established a direct socket connection to the server. The web proxy tool was unable to capture any data because the traffic did not go via the browser, but directly from the applet via the socket. There was no place to configure the applet to send the data via a proxy.

We then took a different approach and decided to use a TCP packet editor such as Windows Packet Editor (WpePro). WpePro allows modification of data at the TCP level. Using WpePro, one can select a running process and modify the data it sends before that data reaches the destination.

WpePro

To test our application, we began by defining a filter in WpePro (filters are defined in WpePro to modify data at the TCP level). In the filter, the hexadecimal value of an incorrect password was replaced by the value of a correct password. The filter was then applied and WpePro was configured to modify data generated by the applet.

After this, we entered the incorrect password in the application. The applet created a hash of the incorrect password and sent it to the server. But WpePro replaced the hash value of the incorrect password with the hash value of the correct password, as defined in the filter, and we logged into the application, proving the application was vulnerable to a real replay attack.

WpePro could be a useful tool for testing thick client applications or web applications which use applets to establish socket connections on non-HTTP ports. There’s a lot more about WpePro here.
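The server-side reason the static hash replays, and how a one-time challenge closes the gap, is shown in the following added example; it is not code from the original post or from the tested application. The SHA-256/HMAC choices, the sample user and password, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: username -> SHA-256 of the password.
STORED = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def static_hash_login(user: str, sent_hash: str) -> bool:
    """Scheme described in the post: the client sends hash(password) as-is."""
    return hmac.compare_digest(STORED.get(user, ""), sent_hash)


def client_response(password_hash: str, nonce: str) -> str:
    """Client proves knowledge of the hash without putting it on the wire."""
    return hmac.new(password_hash.encode(), nonce.encode(),
                    hashlib.sha256).hexdigest()


class ChallengeLogin:
    """Server side of a nonce-based login; each challenge is valid once."""

    def __init__(self):
        self._pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)  # fresh 128-bit value per attempt
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # consume: no second use
        if nonce is None or user not in STORED:
            return False
        expected = client_response(STORED[user], nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    pw_hash = hashlib.sha256(b"correct horse").hexdigest()
    # Static scheme: the value seen on the wire once is accepted again.
    results = {"static_replay": static_hash_login("alice", pw_hash)}

    server = ChallengeLogin()
    wire_value = client_response(pw_hash, server.challenge("alice"))
    results["fresh_login"] = server.verify("alice", wire_value)
    server.challenge("alice")  # a later attempt gets a different nonce
    results["challenge_replay"] = server.verify("alice", wire_value)
    return results


if __name__ == "__main__":
    print(demo())
```

In this sketch the stored hash still acts as the shared secret, so it addresses replay of captured traffic only; running the socket connection over TLS is the complementary control.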



I don't quite comprehend what's really happening... are you saying that WPE can send your password of a game to somewhere?

2. Varun Chaudhry | 22 Oct 2005 1:15 PM

WPE Pro is a packet sniffing/editing tool which is generally used to hack multiplayer games.

We used it while testing a web application. The password mentioned is the one used by the user to log into the application.

where can i get it?

Can someone send me FAQ to this program on mail ? ;)
sebastian.m@interia.pl

5. Varun Chaudhry | 07 Nov 2005 10:24 AM

Hi,

My apologies first for replying to the post so late.

'Sup' you can download it from this link

http://www.hypothetic.org/wpeproalpha.zip

A good tutorial on how to use it can be read here

http://pc.nanobot2k.org/Tutorials/packet.htm

when i try to target process i get "DLL injection failed" error :( How to fix this???

7. Varun Chaudhry | 23 Nov 2005 3:15 PM

Hi Mati,

Check if you have any antivirus program installed on your machine. Most of the antivirus programs classify WpePro as a Trojan software and will prevent it from being properly executed.

You will need to add WpePro to the exclusion list of your antivirus program.

where can i get the source code?

wpe have no send button why?

pls tell me where can i download wpe pro!

thanks

10. Varun Chaudhry | 15 Dec 2005 11:30 AM

With Wpe Pro you need to create predefined filters and select the target program.

It does not have the functionality which allows a user to intercept and modify data on the fly, therefore it does not have a 'send' button.

The download link is there in an earlier post, not sure if the source code is available.

11. Anonymous Reader | 02 Jan 2006 2:03 PM

do you know of any similar to wpe pro programs for packet editing?

12. River | 05 Jan 2006 9:18 PM

thanks to 5 floor.
but the version of WPE has no sending package function.
or I don't find it yet?

13. Ramiz | 06 Jan 2006 1:26 AM

i didnt exactly get it ...isit..game id cracker or something ?

14. Ramiz | 06 Jan 2006 1:30 AM

Kind of complicated...it is ..tell me can i use them to crack kalonline id's coz basicly i was looking something like that but i m not quite

15. INJECTION FAILLED | 10 Jan 2006 8:10 AM

my problem is..... I CANT TARGET A FILE IT KEEP "DLL INJECTION FAILED"

16. injection failled | 10 Jan 2006 8:14 AM

even i close anti virus it also say... injection failed

17. Varun Chaudhry | 10 Jan 2006 4:23 PM

Hi,

While using WpePro I did not receive any DLL Injection errors. So I am not really sure as to what could be the possible reason for its occurrence.

You could however ensure the following and check if the error still persists

1) Check that you have downloaded the correct version according to your OS.

2) Add WpePro to the exclusion list of your antivirus.

3) Ensure that the executable file and the dll are in the same directory.

4) Download from a different location to check for corrupt files.

At the moment I am not aware of other similar programs. In case anyone else is, I would be glad to hear about it.

18. Guest | 13 Jan 2006 3:14 AM

This is a very popular hacking tool and most game developers have known of this program and its uses. Most of the games you are playing have Hacking Prevention systems that block DLL injections to their games, there are ways to bypass the system but that's on your own.

There are many forums where you can go to to learn more
www.mpcforum.com

Hope I answered some questions

Where exactly am I to extract these files.
Also, The second link (How to use WPE) doesn't work.

God damn you idiots, WPE just edits packets realtime
the only use would be debugging or malicious.

22. Piyush | 11 Feb 2006 3:27 AM

i hav the error in wpe that says"dll injection failed".i hav got no antivirus,all files of wpe r in the same folder n other gamers at the same site r being able 2 use wpe but i cant cuz of the error.plz som1 help me:teenprince@gmail.com

yo i dled it but wenever i click on open, the wpe pro dusnt open? whats wrong?

24. Creep | 15 Feb 2006 2:44 AM

a decent article ruined by lamers, yes, wpepro can send packets, once you edit the packets you have the option of number of times you wish to send, and at how many intervals.

Can you edit packets of web-based game? How do i know what to change?