interface of the Polymorph framework. It is very useful for tasks such as modifying simple protocols or executing previously generated templates.
Using the Polymorph main interface
For examples and documentation please refer to:
Using the Phcli
Dissecting almost any network protocol
Let's start by seeing how Polymorph dissects the fields of different network protocols; it will be useful to refer to them if we want to modify any of these fields in real time. You can try any protocol that comes to mind.
- HTTP protocol: show only the HTTP layer and the fields belonging to it.
# phcli --protocol http --show-fields
- Show the whole HTTP packet and the fields belonging to it.
# phcli --protocol http --show-packet
You can also apply filters to network packets; for example, you can specify that only those containing a certain string or number are displayed.
# phcli -p dns --show-fields --in-pkt "phrack"
# phcli -p icmp --show-packet --in-pkt "84" --type "int"
- You can also concatenate filters.
# phcli -p http --show-packet --in-pkt "phrack;GET;issues"
# phcli -p icmp --show-packet --in-pkt "012345;84" --type "str;int"
- You can filter by the names of the fields that the protocol contains, but keep in mind that the name is the one Polymorph assigns when it dissects the network packet.
# phcli -p icmp --show-packet --field "chksum"
- You can also concatenate fields.
# phcli -p mqtt --show-packet --field "topic;msg"
Modifying network packets in real time
Now that we know the Polymorph representation of the network packet that we want to modify, we can see how to modify it in real time.
Let's start with some examples. All the filters explained in the previous section can also be applied here.
- This will simply modify a packet that contains the string GET by inserting the value /issues/61/1.html in the request_uri field. So when the user requests the page matched by the filter, the browser will actually visit the replaced path.
# phcli -p http --field "request_uri" --value "/issues/61/1.html" --in-pkt "/issues/40/1.html;GET"
- The previous command will work if we are in the middle of the communication between a machine and the gateway. The user may want to place himself in the middle; for this he can use ARP spoofing.
# phcli --spoof arp --target 192.168.1.20 --gateway 192.168.1.1 -p http -f "request_uri" -v "/issues/61/1.html" --in-pkt "/issues/40/1.html;GET"
- Or maybe the user wants to try it on localhost; for that he only has to change the rule that Polymorph establishes by default.
# phcli -p http -f "request_uri" -v "/issues/61/1.html" --in-pkt "/issues/40/1.html;GET" -ipt "iptables -A OUTPUT -j NFQUEUE --queue-num 1"
It may also be the case that the user wants to change a set of bytes of a network packet that Polymorph has not interpreted as a field. For this you can access the packet bytes directly using a slice. (Remember to add the iptables rule if you try it on localhost.)
# phcli -p icmp --bytes "50:55" --value "hello" --in-pkt "012345"
# phcli -p icmp -b "-6:-1" --value "hello" --in-pkt "012345"
# phcli -p tcp -b "-54:-20" -v '">' --in-pkt "
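As an added example, not code from the Polymorph project: a Python model of the slice edit shown above ("50:55" / "-6:-1" with a 5-byte value) applied to a constructed ICMP echo packet, showing that a raw-byte edit leaves the chksum field stale until it is recomputed. The end-exclusive Python slice semantics and the same-length requirement are assumptions about phcli, not taken from its code.

```python
import struct

# Constructed ICMP echo request: 8-byte header + 60-byte payload (not captured traffic).
SAMPLE_PAYLOAD = b"012345" * 10


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) as used by ICMP; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Echo request (type 8) with a correct chksum field."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_checksum_ok(icmp: bytes) -> bool:
    return rfc1071_checksum(icmp) == 0


def fix_icmp_checksum(icmp: bytes) -> bytes:
    """Recompute the chksum field (bytes 2:4) after raw bytes were edited."""
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return icmp[:2] + struct.pack("!H", rfc1071_checksum(zeroed)) + icmp[4:]


def patch_bytes(pkt: bytes, spec: str, value: bytes) -> bytes:
    """Replace pkt[spec] with value, spec being a phcli-style slice such as "50:55" or "-6:-1".

    Assumed (not verified against phcli): Python end-exclusive slice semantics, and the
    replacement must keep the packet length unchanged so later offsets stay valid.
    """
    start, stop = (int(x) for x in spec.split(":"))
    start, stop, _ = slice(start, stop).indices(len(pkt))
    if stop - start != len(value):
        raise ValueError(f"slice {spec} covers {stop - start} bytes, value has {len(value)}")
    return pkt[:start] + value + pkt[stop:]


def demo() -> bool:
    """Edit bytes 50:55 to b"hello" as on the page: the edit alone breaks chksum, recomputing restores it."""
    pkt = build_icmp_echo(SAMPLE_PAYLOAD)
    edited = patch_bytes(pkt, "50:55", b"hello")
    return icmp_checksum_ok(pkt) and not icmp_checksum_ok(edited) and icmp_checksum_ok(fix_icmp_checksum(edited))
```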