The art of exploitation - Chapter 4

[Reposted from http://jhz.me/post/86.html "The art of exploitation - Chapter 4"]

* OSI model

[image: OSI model layers]

* Socket Functions:

Sockets are just a programmer's abstraction that takes care of all the nitty-gritty details of the OSI model. Data is transmitted at the session layer (layer 5).
The most common types are stream sockets and datagram sockets.

Sockets behave like files: you can use the read() and write() functions to receive and send data.

These functions have their prototypes defined in /usr/include/sys/socket.h

socket(int domain, int type, int protocol)

Used to create a new socket; returns a file descriptor for the socket or -1 on error.

The domain constants are defined in bits/socket.h, which is automatically included by sys/socket.h.

Domain: PF_INET

Type: SOCK_STREAM | SOCK_DGRAM

Protocol: 0 --> 0 because there is only one protocol for each socket type within the protocol family, so there is nothing to choose between.

connect(int fd, struct sockaddr *remote_host, socklen_t addr_length)

Connects a socket (described by file descriptor fd) to a remote host. Returns 0 on success and -1 on error.

bind(int fd, struct sockaddr *local_addr, socklen_t addr_length)

Binds a socket to a local address so it can listen for incoming connections. Returns 0 on success and -1 on error.

listen(int fd, int backlog_queue_size)

Listens for incoming connections and queues connection requests up to backlog_queue_size. Returns 0 on success and -1 on error.

accept(int fd, struct sockaddr *remote_host, socklen_t *addr_length)

Accepts an incoming connection on a bound socket. The address information from the remote host is written into the remote_host structure and the actual size of the address structure is written into *addr_length. This function returns a new socket file descriptor to identify the connected socket or -1 on error.

send(int fd, void *buffer, size_t n, int flags)

Sends n bytes from *buffer to socket fd; returns the number of bytes sent or -1 on error.

recv(int fd, void *buffer, size_t n, int flags)

Receives up to n bytes from socket fd into *buffer; returns the number of bytes received or -1 on error.


* Address Family:

From /usr/include/bits/socket.h

/* Get the definition of the macro to define the common sockaddr members.  */
#include <bits/sockaddr.h>

/* Structure describing a generic socket address. */
struct sockaddr
  {
    __SOCKADDR_COMMON (sa_);  /* Common data: address family and length.  */
    char sa_data[14];   /* Address data.  */
  };

__SOCKADDR_COMMON wraps the part that is common to the many different address types, because a socket can use several protocols and each protocol has its own address format. The address family for PF_INET is AF_INET, which is defined in netinet/in.h.

/* Structure describing an Internet socket address.  */
struct sockaddr_in
  {
    __SOCKADDR_COMMON (sin_);
    in_port_t sin_port;     /* Port number.  */
    struct in_addr sin_addr;    /* Internet address.  */

    /* Pad to size of 'struct sockaddr'.  */
    unsigned char sin_zero[sizeof (struct sockaddr) -
         __SOCKADDR_COMMON_SIZE -
         sizeof (in_port_t) -
         sizeof (struct in_addr)];
  };


* Network Byte Order: netinet/in.h and arpa/inet.h

The port number and IP address used in the AF_INET socket address structure are expected to follow network byte ordering, which is big-endian.

* htonl (host to network long, 32 bits) | htons (host to network short, 16 bits)

* ntohl (network to host long, 32 bits) | ntohs (network to host short, 16 bits)


* Internet address conversion:

ASCII to Network:

inet_aton(char *ascii_addr, struct in_addr *network_addr)

This function converts an ASCII string containing an IP address in dotted-number format into an in_addr structure, which, as you remember, only contains a 32-bit integer representing the IP address in network byte order.

Network to ASCII:

inet_ntoa(struct in_addr network_addr)

The function returns a character pointer to an ASCII string containing the IP address in dotted-number format.

This string is held in a statically allocated memory buffer in the function, so it can be accessed until the next call to inet_ntoa(), when the string will be overwritten.
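The socket calls, the sockaddr_in structure, htons() and the inet_aton()/inet_ntoa() pair from the notes above, exercised end to end in one added example that is not from the book or the original post. It binds a listener to 127.0.0.1 on an ephemeral port, connects a client to it and passes one message; getsockname() (not mentioned on the page) is used only to learn the port the kernel chose, and the function name is the example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Runs one message through a listener on 127.0.0.1. Returns the number of bytes
 * the server side received (copied into out as a C string), or -1 on error. */
int loopback_exchange(const char *msg, char *out, size_t out_len) {
    int lfd, cfd = -1, sfd = -1, n = -1;
    struct sockaddr_in addr, peer;
    socklen_t alen = sizeof(addr), plen = sizeof(peer);

    if ((lfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(0);                   /* port 0: the kernel picks a free one */
    inet_aton("127.0.0.1", &addr.sin_addr);     /* dotted string -> network byte order */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1 || listen(lfd, 5) == -1 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) == -1) {  /* learn the chosen port */
        close(lfd);
        return -1;
    }
    /* Client side: on loopback the kernel completes the three-way handshake here, so
     * connect() returns before accept() is called; the connection waits in the backlog. */
    if ((cfd = socket(PF_INET, SOCK_STREAM, 0)) == -1 ||
        connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
        goto done;
    /* Server side: accept() returns a new fd for this connection and fills in peer */
    if ((sfd = accept(lfd, (struct sockaddr *)&peer, &plen)) == -1)
        goto done;
    if (strcmp(inet_ntoa(peer.sin_addr), "127.0.0.1") != 0)  /* peer address, readable form */
        goto done;
    if (send(cfd, msg, strlen(msg), 0) != (ssize_t)strlen(msg))
        goto done;
    n = (int)recv(sfd, out, out_len - 1, 0);   /* short message on loopback: one recv suffices */
    if (n >= 0) out[n] = '\0';
done:
    if (sfd != -1) close(sfd);
    if (cfd != -1) close(cfd);
    close(lfd);
    return n;
}
```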


* The HTTP protocol expects "\r\n" (0x0D 0x0A) as the line terminator.


* Peeling back the lower layers:

ARP: request | reply

IP: ICMP messages are used for messaging and diagnostics.

TCP: the three-way handshake. Note that the SYN and ACK flags are both on at the same time only during the three-way handshake.

[image: TCP three-way handshake]

* Raw sockets:

It is possible to access the network at lower layers using raw sockets.

Example: capture only TCP packets. Raw sockets are inconsistent between systems (and opening one requires root privileges).

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include "hacking.h"   /* the book's helper header: fatal() and dump() */

int main(void) {
   int i, recv_length, sockfd;

   u_char buffer[9000];

   /* A raw socket for IPPROTO_TCP receives every TCP packet, IP header included */
   if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
      fatal("in socket");

   for(i=0; i < 3; i++) {
      recv_length = recv(sockfd, buffer, 8000, 0);
      printf("Got a %d byte packet\n", recv_length);
      dump(buffer, recv_length);
   }
   return 0;
}

* Libpcap sniffer:

A standardized programming library called libpcap can be used to smooth out the inconsistencies of raw sockets.

The library still uses raw sockets underneath, but it knows how to work with them correctly on multiple architectures.

#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include "hacking.h"   /* the book's helper header: dump() */

void pcap_fatal(const char *failed_in, const char *errbuf) {
   printf("Fatal Error in %s: %s\n", failed_in, errbuf);
   exit(1);
}

int main() {
   struct pcap_pkthdr header;
   const u_char *packet;
   char errbuf[PCAP_ERRBUF_SIZE];
   char *device;
   pcap_t *pcap_handle;
   int i;

   device = pcap_lookupdev(errbuf);   /* pick a capture interface */
   if(device == NULL)
      pcap_fatal("pcap_lookupdev", errbuf);

   printf("Sniffing on device %s\n", device);
   /* snaplen 4096, promiscuous mode on, no read timeout */
   pcap_handle = pcap_open_live(device, 4096, 1, 0, errbuf);

   if(pcap_handle == NULL)
      pcap_fatal("pcap_open_live", errbuf);
   for(i=0; i < 3; i++) {
      packet = pcap_next(pcap_handle, &header);
      printf("Got a %d byte packet\n", header.len);
      dump(packet, header.len);
   }
   pcap_close(pcap_handle);
   return 0;
}

# gcc -o pcap_sniff pcap_sniff.c -lpcap  --> -lpcap links against the libpcap library

Note: newer libpcap releases mark pcap_lookupdev() as deprecated in favour of pcap_findalldevs().

pcap_loop() --> a better way to capture packets than just looping on pcap_next() calls.

int pcap_loop(pcap_t *handle, int count, pcap_handler callback, u_char *args);

If count is -1 it will loop until the loop is broken out of.

u_char *args --> an additional pointer passed through to the callback, or NULL.

The callback has the form:

void callback(u_char *args, const struct pcap_pkthdr *cap_header, const u_char *packet);

For example:

pcap_loop(pcap_handle, 3, caught_packet, NULL); --> when a packet arrives, it is handed to caught_packet.

void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
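What a callback like caught_packet() does with the raw bytes it receives, as an added example that is not from the book or the original post: it walks the Ethernet, IPv4 and TCP headers described under "Peeling back the lower layers", converts multi-byte fields with ntohs()/ntohl(), and reports whether SYN and ACK are set together (the handshake's second packet). The frame bytes, struct and function names are all constructed for this example, and libpcap is not needed to run it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

struct tcp_summary {
    char src[16], dst[16];          /* dotted-number addresses */
    uint16_t sport, dport;          /* host byte order */
    uint32_t seq, ack;
    int syn, ack_flag;              /* both set only in the handshake's SYN/ACK */
    int ok;                         /* 0 if the frame is too short or not IPv4/TCP */
};

/* Read big-endian (network order) fields from unaligned packet bytes */
static uint16_t rd16(const unsigned char *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }
static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }

/* Decode Ethernet -> IPv4 -> TCP headers from the bytes a capture callback receives */
struct tcp_summary decode_tcp(const unsigned char *frame, size_t len) {
    struct tcp_summary s;
    struct in_addr a;
    const unsigned char *ip, *tcp;
    size_t ihl;
    memset(&s, 0, sizeof(s));
    if (len < 34 || rd16(frame + 12) != 0x0800) return s;      /* EtherType 0x0800 = IPv4 */
    ip = frame + 14;
    ihl = (size_t)(ip[0] & 0x0f) * 4;                          /* IP header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < 14 + ihl + 20) return s; /* 6 = TCP */
    memcpy(&a, ip + 12, 4); strncpy(s.src, inet_ntoa(a), 15);  /* copy out of the static buffer */
    memcpy(&a, ip + 16, 4); strncpy(s.dst, inet_ntoa(a), 15);
    tcp = ip + ihl;
    s.sport = rd16(tcp);      s.dport = rd16(tcp + 2);
    s.seq = rd32(tcp + 4);    s.ack = rd32(tcp + 8);
    s.syn = (tcp[13] & 0x02) != 0;
    s.ack_flag = (tcp[13] & 0x10) != 0;
    s.ok = 1;
    return s;
}

/* Constructed frame: the SYN/ACK of a handshake, 10.0.0.2:80 -> 10.0.0.1:40000 (checksums left zero) */
const unsigned char SYNACK_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet, IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, ttl 64, proto 6 */
    10,0,0,2, 10,0,0,1,                                                        /* src, dst */
    0x00,0x50, 0x9c,0x40, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x01,            /* ports, seq, ack */
    0x50,0x12, 0xff,0xff, 0x00,0x00, 0x00,0x00                                 /* off 5, SYN|ACK, win, csum, urg */
};
```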

 

* Nemesis uses a C library called libnet to craft spoofed packets and inject them. Similar to libpcap, this library uses raw sockets and evens out the inconsistencies between platforms with a standardized interface. libnet also provides several convenient functions for dealing with network packets, such as checksum generation (see man libnet).

* libpcap can receive and analyze packets (compile with gcc -lpcap); libnet can craft packets (compile with gcc $(libnet-config --defines) -lnet).

* Learn from the source code and from the man pages of these libraries.

 

* Denial of Service:

1. SYN flooding

2. The ping of death

3. Teardrop

4. Ping flooding

5. Amplification attacks

6. DDoS

* TCP hijacking:

[image: TCP hijacking]

* Port scanning:

SYN scanning | FIN, X-mas, NULL scans | Spoofing decoys

Idle scanning:

[image: idle scanning]

Proactive defense: feed the scanner false feedback.

FIN | X-mas | NULL --> send reset packets even when the port is listening.

SYN --> return an ACK even when the port is closed.
