Full Disclosure mailing list archives

Question about IPTV pentesting - packet manipulation for subscribing charged content
From: 김무성 <kimms () infosec co kr>
Date: Mon, 25 Jan 2010 19:04:05 +0900

Hello list.

On 2010.1.14, I sent the e-mail below to the list.

Someone then gave me information about netsed.

It was the tool I wanted.



Monitor - IPTV STB - PC(attacker) - VDSL modem - internet


The PC has two NICs.

Bridge mode.


Ex)      ifconfig eth0
         ifconfig eth1
         brctl addbr br0
         brctl addif br0 eth0
         brctl addif br0 eth1
         ifconfig br0 up


And then run tcpdump


bash# tcpdump -n -i eth0                         


         (lots of funny stuff)


bash# tcpdump -n -i eth1


         (lots of funny stuff)


And I could watch IPTV normally.


Netsed has a local port.

So if a packet is sent to the local port, netsed will edit the packet and forward it.


bash# netsed     tcp        10000       0          0        s/abc/def
                 Protocol   localport   remoteIP   rPort    rule


To forward IPTV packets to netsed’s local port, run these commands.


bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT


bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
        -j REDIRECT --to-port 10000


Because the IPTV is on a bridged network, I use ebtables and iptables.


Finally, when the IPTV wants to look up the VoD list, it sends an HTTP packet.

But netsed cannot receive the forwarded packet, so I cannot watch the VoD list.


All of this is to subscribe to charged content.

What was wrong?



Hello list.


I’m pen testing IPTV.




Monitor - IPTV STB - PC(attacker) - VDSL modem - internet

The PC has two NICs.

The two NICs are in bridge mode.


The IPTV STB sends a request packet to find out where the specific file for playing is.


To server port 8080.

POST /VoD/whereisvod.cgi




Server’s response is 


HTTP/1.1 200 OK


And then

The IPTV STB sends an RTSP packet


To server port 554

           DESCRIBE a1d1.mpg


And play.


I wanna edit this file name. (a1d1.mpg is free, a1d2.mpg is not free)


POST /VoD/whereisvod.cgi



DESCRIBE a1d2.mpg


For this, I have to sniff the packets, block them, manipulate them and resend them.

Are there tools?


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
