The Libnet Library

이병영
2004/05/06
PLUS internal seminar
CONTENTS

Introduction of libnet
Building packets (with libnet-1.1)
 - Four steps to send a packet
Practical use example with libnet
 - ARP spoofing
 - TCP RESET attack
Introduction of Libnet

Libnet is a C library providing
a high-level interface to packet injection.

Previous to libnet, programmers had to
wrestle with confusing, obscure, and poorly
documented interfaces to build and write
network packets.

Libnet is a wonderful utility for writing
security-related applications, tools and
modules.

Many recent exploits and tools have been
rapidly developed using libnet.
Building packets

Libnet contexts

typedef struct {
    ... /* some declarations */
} libnet_t;
Building packets

Libnet pblock (packet block)

struct libnet_protocol_block {
    … /* some declarations */
};
typedef struct libnet_protocol_block libnet_pblock_t;
Building packets
- our example's plan

Suppose that we want to
 - build a simple UDP packet
 - work at the link layer

So we have to build UDP, IPv4, and Ethernet headers (pblocks)
in a libnet context.
Building packets
(1) Initializing the context

libnet_t* libnet_init ( int injection_type,
                        char * device,
                        char * err_buf)

 - injection_type: decides your working level (LIBNET_RAW4, LIBNET_LINK)
 - device: specifies the device you will use
 - err_buf: buffer to write the error message to
Building packets
(2) Building pblock (UDP)

Build a UDP header

libnet_ptag_t libnet_build_udp(
    u_int16_t sp,          // The src UDP port
    u_int16_t dp,          // The dst UDP port
    u_int16_t len,         // Length of UDP packet
    u_int16_t sum,         // Checksum, 0 for libnet autofill
    u_int8_t *payload,     // Optional payload
    u_int32_t payload_s,   // Payload size
    libnet_t *l,           // The libnet context pointer
    libnet_ptag_t ptag     // Protocol tag
);
Building packets
(2) Building pblock (IPv4)

Build an IPv4 header

libnet_ptag_t libnet_build_ipv4(
    u_int16_t len,         // Length of IPv4 packet
    u_int8_t tos,          // Type of service bits
    u_int16_t id,          // IP identification
    u_int16_t frag,        // Fragmentation bits
    u_int8_t ttl,          // Time to live
    u_int8_t prot,         // Upper layer protocol
    u_int16_t sum,         // Checksum, 0 for libnet autofill
    u_int32_t src,         // Src IP address
    u_int32_t dst,         // Dst IP address
    u_int8_t *payload,     // Optional payload
    u_int32_t payload_s,   // Payload size
    libnet_t *l,           // The libnet context pointer
    libnet_ptag_t ptag);   // Protocol tag
Building packets
(2) Building pblock (Ethernet)

Build an Ethernet header

libnet_ptag_t libnet_build_ethernet(
    u_int8_t *dst,         // Dst ethernet address
    u_int8_t *src,         // Src ethernet address
    u_int16_t type,        // Upper layer type
    u_int8_t *payload,     // Optional payload
    u_int32_t payload_s,   // Payload size
    libnet_t *l,           // The libnet context pointer
    libnet_ptag_t ptag);   // Protocol tag
Building packets
(3) Write the packet to wire

After building the pblocks, just call the function
libnet_write with the libnet_t pointer as its argument.

int libnet_write ( libnet_t * )
 - Returns the number of bytes written to the wire.
Building packets
(4) Clean up a libnet context

void libnet_destroy ( libnet_t * )
 - This function frees the memory of the libnet context.

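The frame that the three build steps above describe, laid out by hand as an added example (not code from the original slides and not libnet's own code): it fills the same fields as the UDP, IPv4 and Ethernet pblocks, including the lengths and the IPv4 checksum, so the bytes can be compared with a tcpdump capture. The function names, addresses, ports and payload are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { ETH_HLEN = 14, IP_HLEN = 20, UDP_HLEN = 8 };

/* Store a 16-bit value in network byte order. */
static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 Internet checksum over len bytes. */
uint16_t inet_cksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;          /* pad an odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Lay out Ethernet + IPv4 + UDP + payload in out[]. Returns the frame length,
 * or 0 if out[] is too small or the payload overflows the 16-bit length fields. */
size_t build_udp_frame(uint8_t *out, size_t cap, const uint8_t dmac[6],
                       const uint8_t smac[6], const uint8_t sip[4], const uint8_t dip[4],
                       uint16_t sp, uint16_t dp, const uint8_t *payload, size_t plen) {
    if (plen > 65535 - IP_HLEN - UDP_HLEN) return 0;
    size_t total = ETH_HLEN + IP_HLEN + UDP_HLEN + plen;
    if (total > cap) return 0;
    uint8_t *ip = out + ETH_HLEN, *udp = ip + IP_HLEN;
    memset(out, 0, total);
    /* UDP header first, the same order the slides use. */
    put16(udp, sp); put16(udp + 2, dp);
    put16(udp + 4, UDP_HLEN + plen);              /* length = header + payload */
    /* UDP checksum stays 0, which over IPv4 means "not computed" (RFC 768). */
    if (plen) memcpy(udp + UDP_HLEN, payload, plen);
    ip[0] = 0x45;                                 /* IPv4 header: version 4, IHL = 5 words */
    put16(ip + 2, IP_HLEN + UDP_HLEN + plen);     /* total length */
    ip[8] = 64; ip[9] = 17;                       /* TTL, protocol = UDP */
    memcpy(ip + 12, sip, 4); memcpy(ip + 16, dip, 4);
    put16(ip + 10, inet_cksum(ip, IP_HLEN));      /* computed with the field zeroed */
    memcpy(out, dmac, 6); memcpy(out + 6, smac, 6); /* Ethernet header */
    put16(out + 12, 0x0800);                      /* EtherType: IPv4 */
    return total;
}

/* Constructed sample: documentation addresses, locally administered MACs. */
int main(void) {
    const uint8_t d[6] = {2,0,0,0,0,2}, s[6] = {2,0,0,0,0,1};
    const uint8_t sip[4] = {192,0,2,1}, dip[4] = {192,0,2,2};
    uint8_t f[64];
    size_t n = build_udp_frame(f, sizeof f, d, s, sip, dip, 1234, 4321, (const uint8_t *)"hello", 5);
    for (size_t i = 0; i < n; i++) printf("%02x%c", f[i], (i + 1) % 16 && i + 1 < n ? ' ' : '\n');
}
```

Running the checksum routine over a finished IPv4 header returns 0 when the header is intact, which is the same check a receiver applies.
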
Building packets
- confirm with tcpdump
Practical use – (1) ARP spoofing
Practical use – (2) TCP RESET attack

In a traditional sequence number attack, the exact
sequence number is considered valid and accepted by
the receiving TCP endpoint.

This attack utilizes the TCP window size to reduce the
number of sequence numbers that must be guessed.

More details are in the document “Slipping in the
window : TCP Reset Attacks”.
References

1. Libnet reference manual
   http://www.packetfactory.net/libnet/dist/deprecated/manual

2. Building packets for dummies and others with libnet
   http://www.security-labs.org/index.php3?page=libnet

3. TCP/IP Illustrated, Volume 1, by Stevens

4. Slipping in the window : TCP Reset Attacks
   http://www.frame4.com/php/printout2615.html