Tool to play with spoofing the source IP on a UDP datagram. It's written in Golang using the gopacket library and, hopefully, provides a useful example for creating packets using gopacket.
To build the binaries from source, you'll need Golang installed and your GOPATH environment variable configured. I developed the code using Golang 1.9.
gopacket, the library used from Google, is not written in pure
Golang. It's uses libpcap-dev (package name on Linux systems) and
provides bindings using cgo which requires a C compiler. I'm told the
installation needed to build gopacket projects on Windows can be
complicated, but it's fairly easy on Linux and macOS.
udpspoof creates raw packets which requires special permissions. If
you don't wish to use sudo or run udpspoof as root, you can
assign the needed capability directly to the executable on Linux
systems:
$ sudo setcap 'CAP_NET_RAW+eip' $GOPATH/bin/udpspoof
On macOS, if you installed Wireshark, your user was most likely already
granted the needed permissions to run udpspoof without sudo.
udpreceiver does not use gopacket and requires no special permissions
to run on ports >= 1024.
Install udpreceiver and udpspoof:
$ go get -u github.com/dimalinux/spoofsourceip/...
Only build/install the receiver (which does not depend on libpcap-dev):
go get -u github.com/dimalinux/spoofsourceip/udpreceiver
Only build/install the sender:
go get -u github.com/dimalinux/spoofsourceip/udpspoof
The binaries will be in $GOPATH/bin/ and the source in $GOPATH/src/github.com/dimalinux/spoofsourceip/.
You can test if your spoofed datagrams are getting through with
udpreceiver. It does not depend on libpcap-dev and is easy to build
and run anywhere. By default, udpreceiver listens for UDP datagrams on
port 8888 for any local IP, but this can be modified with the flag
--listen IPv4:port. For IPv6, use --listen [IPv6]:port. To listen
on a specific port from any local IP address, use --listen :port.
You can sanity check the receiver using nmap:
$ sudo nmap -sU -p 8888 --data-length 9 PUT_IP_ADDRESS_HERE
In response to the above command, udpreceiver will show output like this:
2018/01/01 11:28:59 Datagram received fromIP=192.168.0.101 fromPort=44258 payload=0x1d0fda75758fb8e2ba
udpspoof injects a UDP packet at the Ethernet frame level on the interface
specified by the --interface (-i) flag. For udpspoof to work, the
destination MAC needs to be different from the MAC address of the interface
performing the injection. Either use 2 hosts, or a single host with
multiple interfaces (e.g. a host with both wired and wireless interfaces).
You cannot use the loopback interface for testing, as the loopback interface operates above the ethernet frame level and has no MAC address.
The source MAC and source IP are both spoofable.
View the full options list with the --help flag:
$ udpspoof --help
Usage of udpspoof:
-i, --interface string Network interface for packet injection (default "en0")
--source-mac string MAC address in the Ethernet frame source (default is not spoofed)
--source-ip string Sending address in the IP header (default is not spoofed)
--source-port uint16 UDP Source port (default 9999)
--dest-mac string MAC address of the destination IP or gateway (required)
--dest-ip string Destination IP address (required)
--dest-port uint16 Destination port (default 8888)
-p, --payload string UDP payload specified in hex (default "DEADBEEF")
Start the UDP receiver on a 2nd host which will receive a DNS response from Google's DNS server. The default port of 8888 is fine for our needs:
host2$ udpreceiver
2018/01/01 11:35:42 Listening on [::]:8888
I've pre-captured the UDP payload of a DNS query looking up
"www.google.com" below. (If you want a different query, it's easy
to capture your own in Wireshark.) We'll send that payload to 8.8.8.8
(Google's public DNS server), but set the source IP and port to match
our second host above that is running udpreceiver. Since the
destination IP (8.8.8.8) is not on the local network, we set the
destination hardware MAC address to the local network MAC on our
router-gateway.
On macOS and Linux, you can use the arp command to retrieve the MAC
address of your gateway (or any local peer by IP):
$ arp 45.63.20.1
Address HWtype HWaddress Flags Mask Iface
45.63.20.1 ether fe:00:01:4a:6f:91 C ens3
Run the DNS query on host1 with the source IP/port set to the values for the UDP receiver on host2. The destination IP, 8.8.8.8 (Google's public DNS server), is not on your local network, so set the destination MAC address to your gateway router's LAN MAC address.
host1 $ udpspoof -i LOCAL_NETWORK_INTERFACE \
--source-ip HOST2_IP --source-port 8888
--dest-ip 8.8.8.8 --dest-port 53
--dest-mac YOUR_GATEWAY_ROUTERS_LAN_MAC_ADDR
--payload 519f012000010000000000010377777706676f6f676c6503636f6d00000100010000291000000000000000
After issuing the DNS query from host1, host2, will get a response like this one.
2018/01/01 11:38:24 Datagram received from=8.8.8.8:53 truncated=false payloadHex=519f818000010001000000010377777706676f6
f676c6503636f6d0000010001c00c00010001000000330004acd902e40000290200000000000000
Note 1: Your response payload won't look the same as above since, among other reasons, the IP address you receive for www.google.com will be different.
Note 2: In most cases, the above example will work even if host1 and host 2 are sitting behind a NAT firewall. The source IP will be replaced by the NAT router's IP before the query is sent to Google. When Google sends the DNS response, the NAT router will forward it to the forged source IP of the original DNS request.