_________________ /_ /\ \/ _______ / \ / / / / / / /______/ / / / __/ / / _______ \ __/ / / / / \ / /______/ / / _/ / / /______________/ / BLACK SUN RESEARCH FACILITY \ \ / http://blacksun.box.sk/ \______________\/ WINDOWS INTERNET PROGRAMMING PART 3 ================================================= WRITTEN BY [ cos125@hotmail.com :E-MAIL ] BINARY RAPE [ 114603188 :ICQ# ] [ http://blacksun.box.sk/ :TURORIALS ] Thanks to cyberwolf for letting me write this and BSRF for releasing it. Disclaimer ======================================= None of the information or code in this tutorial is meant to be used against others or to purposely damage computer systems or cause any loss of or damage to property. Further more neither myself or any other contributor to, or member of, the Blacksun research Facility (BSRF) can be held responsible for damage or loss of property of computer systems as a result of this tutorial. In this tutorial the code is provided as a learning aid so you can see how its done its not meant for you to use against yourself or others. Also you are encouraged to alter the code and improve it. I say create or build a program to do something not create or build a program to do something and use it for that purpose. CONTENTS ======================================= 1. Introduction 2. What are Raw Sockets? 3. The Internet Headers 3.1 The IP Header 3.2 The TCP Header 3.3 The UDP Header 3.4 The ICMP Header 4. Creating a Packet 4.1 Setsockopt() 4.2 Socket() 5. Building Headers in code. 5.1 The IP Header 5.2 The TCP Header 5.3 The UDP Header 5.4 The ICMP Header 5.5 The Psuedo Header 5.6 The Checksum Function 6. Source Code 6.1 ICMP Echo Request 6.2 TCP ACK Packet 7. Recieving Raw Sockets 8. Last Words ________________________________________________________________________________________________________ 1.0 INTRODUCTION ======================================= Welcome to the 3rd and quite possibly.. the last in this little series of ours, its been fun.. kinda.. but never fear there may be one last part to come in future covering advanced topics like multicasting and we'll always have updates on the tutorials. Of course ive saved the best topic for last, Raw Socket programming, and even more so its in Windows! A topic which in this place has a certain member of the computer security world huffing and yes indeed there is puffing also. Head on over to grc.com for more information and listen to him piss his pants scared because of raw sockets support in Windows XP... you see Steve Gibson of grc.com believes that because of windows xp's raw socket support is available to all users on a windows XP Home Edition computer he foresee's the following scenario: A few kids, it would only take a small group, maybe friends in school, they meet each day in a dark little ol' alley at the back of school and decide who there next "target" is going to be, they then all decide on a time to attack and as Gibson puts it "synchronises their watches", then at the decided time they fire up the DoS tools on their new copy of windows XP Home Edition and launch their attack upon whatever ill-faithed domain name that the kids had decided earlier. Hmmm.... interesting, well mostly Gibson you focus upon Home Edition of windows XP, why? well of course its because of its support for Raw Sockets for all users, yes but in your dark and devious example of "Junior and his XP gang" you refer to that upgrade the kids would get to windows XP home edition well what if they had a copy of Windows XP professional or Windows 2000, or even Windows NT for that matter of course these other operating systems dont have support for Raw Sockets to all its users but if its the kids that are installing these Os's wouldn't set up the admin account or give themselves admin priv's? then they would have raw socket support anyway. ok Gibson lets give ya a little break in fairness Raw Socket support on Home Edition may be dangerous and people are of course likely to exploit this feature (no Steven it is not a bug it is a feature) and create DDoS tools with it but lets look at things, will it really make things bad, will this put an end to the threat of DDoS attacks from Windows Systems? Well no actually huh! shock horror there is yet still raw socket support on systems other than windows xp, Win2k only supports raw sockets for admin users, what if some-1 gains admin privilages they could still use it hell with NT all you have to do is change an entry in the registry, ok lets pull out raw socket support for these 3 operating systems all together and we'll be safe right? Well unfortunately Win9x systems with Winsock v2.0 also have Raw Socket support limited as it is. Thankfully with Windows 9x you can only create ICMP packets... but am.. theres still a load of things i could do with just ICMP Steveo, I could get a subnetmask, ping and traceroute, firewalk, fact of the matter is I could even create a trojan with icmp tunneling! and this is all without even touching icmp based DoS attacks! Well the answer is simple then isn't it Steve all we have to do is pull raw socket support from Winsock v2.0, but yes Steve all we have to do is create a dll or use an already existing C++ library to create raw socket abilities in our applications, you do comment on this in your site saying how it doesn't matter because in the past we would have to install new drivers and things, wow, do you think that some-1 that really wanted to create a DoS attack would be stopped by the need to download 1 more little piece, the application could even install any drivers or dll's it needed on its own. Yes Steve Gibson, there could be raw socket support now on Windows XP computers.. but then again there always was raw socket support on all windows boxes if you really looked and yes there will be DDoS attacks to come, just like there always would have been even without its canned support in windows boxes, also you refered to linuxs support for raw sockets as if it didnt matter because of the size of its distribution, more and more people are using linux and realising its benefits and we are seeing the beginning of "The Linux Lamer" 2 words which sadly should never have been mentioned in the same sentence, these people could still use DDoS linux tools. What will Raw Sockets bring? DDoS tools? certainly, Better firewalls on Windows systems? Yes. The availability of security scanners and a wider understanding of the internet and its protocols to windows programmers? well yup and probably alot more, maybe you are just setting up so much hype for the very reason you gave Mr. Gibson sir, You didnt shout out when scripting support was added to mail clients, now you can cause such a large amount of confusion and fear in people and have alot of people shouting no at you that once the very first stupid little DoS tool that comes along for windows XP that you can say haha yes! I told you so, I was right, you were wrong, but you see the thing is we're not saying your wrong, infact, your right, there will be DDoS tools and we all know that but all your managing to do is cause fear and confusion altough who knows, maybe you just make it your jollies getting people to complain and send flames to secure@microsoft.com so that they remove raw socket support from windows and you can feel like your a big man getting the big bad microsoft empire to do what you want? even the security manager at microsoft says: ". . . 'are DDoS attacks going to happen?' Yes. They will happen; and they will happen on Windows XP. " He is not admitting the great 'flaw' in the Windows XP operating system he is being realistic, maybe you should try it it'll be a new experience for ya. Any-1 in the computer security field will happily admit, no system can be completely secure and things like what your talking about will happen, but they don't even need raw socket support to do so. Maybe ive been wrong about you all the time maybe you just want to shout so much about the damn thing and even pass out source code for such tools so that some-1 will come across read your files, get the stuff into their head and run along with a hand-full of your little code and propeganda and finally design a tool like this, the more publicity you give this the more likely such a scenario like this will happen, of course that could be your whole point to get whatever it is your after, or it could be that if some-1 does design a bad DoS tool microsoft will have to pull the raw support and again you can get your jollies from being correct, forgetting every-1 that did agree with you but still saw your utter stupidity. Just to let every-1 know incase they are a bit concerned about Gibson's evil Windows XP Raw Socket support, the source code he created using raw sockets to show how bad they are doesn't actually work, there was a problem in his bind() function, after realising this he stated, "it's not clear to me what it even means to 'bind' a raw socket" and of course around the same time hes really getting at microsoft for their stupidity and complete lack of security or as you like to phrase it " MICROSOFT SECURITY " " The Oxymoron that keeps on giving ". One of the best things youve said troughout all this was infact: "a good thing for Windows raw socket security!" What was that the time you realised you were wrong about microsofts security or the time you went out to lunch and SHUT YOUR FUCKING ASS FOR 5 MINUTES AND STOPPED WRECKING EVERY-1'S FUCKING HEAD YOU ASSHOLE. I am so lucky that unlike people at microsoft.com's security devision I don't have to listen to either you or the countless number of people that you have scared into doing your bidding by exagerating facts and twisting other people's words to give the wrong idea, my hat goes off to Greg at Microsoft, personally I couldn't have done the same as he has done, not only did he immediately help out Steve with his enquiries he even kept steve up to date step by step in reveiwing his concerns. Steve quickly returned Greg's hospitality and consideration by insulting the amount of work he has done on his behalf and its quality. This particular behaviour is probably to be expected i guess from some-1 who is so egotistical, some-1 that would pretty much say people who say its good because its a standard are morons because they are following the pack and that its a standard just because some-1 said it is, no Steve its a standard because its a part of the standard specification for sockets, thats why its supported, 'as standard' if you will by all operating systems except from microsoft up to this point. Apparently trough it all Gibson just wants a time machine to travel a few years back where people still believed like he does that the best security is obscurity. One last point on this subject, The Firewall that comes with versions of windows XP, once again 'As Standard' blocks the types of attacks that Steve Gibson is describing, you think thats also a good thing for microsofts security Steve? So why all the fuss and anger in the last few paragraphs? Taught id never shut up didnt ya :P. Well as ive been researching Windows XP's raw socket abilities ive been effectively blocked by the constant reoccuring pages found concerning Gibsons bullshit and fear spreading tactics, after using a total of 8 different combinations of keywords and reading many many pages i finally found a grand total of 4 examples of windows raw socket programs, btw only one of them had ever been run on windows XP and im not even sure about that I think his code may actually have been run on windows 2000. One of them had only been run on a Windows 9x system !! Basically there isn't that much documentation to learn from out there in the void so I think it could do with me adding a little more, besides few guys flamed me a while back on 1 of the channels on box.sk's irc server, (not in #bsrf or #code), for saying that there was raw socket support in windows so I kinda wrote this for them as well, here ya go guys ;). So anyway without further delay lets get onto some real substance in this tutorial with the most common question of all. 2.0 WHAT ARE RAW SOCKETS? ======================================= Raw sockets are very similiar to normal sockets but with raw sockets you can control the packets that you send better and can control them. Raw sockets don't have anything to do with packets themselves they are purely a programming concept. You see with normal socket programming we would supply a certain amount of information like the ip address we were sending it to, the port, the buffer containg the text we were sending, and whatever protocol we would be sending it with like TCP or UDP, we would supply all this information by filling up structures and send the information by calling a couple of functions. The difference with Raw sockets is that we create our own structures for the headers and tell the Winsock that we wanted to use that information, now we would fill out these structures with a bit more information like our source IP address and fields like the Time To Live (TTL) that we discussed in the first part of this tutorial. using this method we can do many things with the Packets that we use like the following: * Get the Subnetmask from a computer. * Bypass firewalls and routers using various methods. * Map networks. * Send information covertly. * Exploit Network Stack vulnerabilities. * Perform a stealth port scan. * Remote OS identification. * Build a firewall. And theres way more that you could do as well. Until the release of Winsock 2.0 Raw Sockets could not be possible unfortunately, Winsock 1.1 never included the ability which was specified in the Berkeley Sockets specification (mostly because microsoft was in a rush to release the winsock stack). Luckily even if you dont have Winsock v2 (which more than likely you will) you can still download version 2.0 for your version of windows from the microsoft website, windows 3.1 unfortunately does not have a 2.0 version microsoft has decided not to release a 16 bit one. Of course if you have Windows 3.1 what the fuck are you doing? suddenly springs to mind, oh well, go away. Now Windows32 systems have Winsock however different versions have varying amounts of support for raw sockets. All Version 2 stacks have support for creating ICMP packets using Raw Sockets but Only Windows NT4, 2000 and XP have the capability for creating TCP and UDP packets. D'ont worry there is still alot of things you can do with ICMP alone if you use a Win 9x system. Before we go into the programming side of things we must now cover the IP, ICMP, TCP and UDP protocols in more detail. If you have read Part 1 of this tutorial you should have a pretty good idea about how all the protocols work if not thats ok it shouldn't be too bad and you should be able to understand things, so please read on for explenations of the Protocols. 3.0 THE INTERNET HEADERS ======================================= In part 1 we discussed the different Internet protocols and how they fit together with packets so you should know pretty well how data is transfered across the internet and understand many of the fields within the different headers, if you aren't sure or cant quite remember I suggest you read the first few sections of Part 1 of this tutorial. Well now that you have a pretty good idea about the different headers and understand the idea behind them we are going to have to go into slightly more detail about the different headers and their respective fields. 3.1 THE IP HEADER ======================================= +---------------------------------+--------------------------------+ |Version | IHL | TOS | Total Length | | 4 bits | 4 bits | 8 bits | 16 bits | +--------+--------+---------------+------+-------------------------+ | Identification |Flags | Fragment Offset | | 16 bits |3 bits| 13 bits | +-----------------+---------------+------+-------------------------+ | Time to Live | Protocol | Header Checksum | | 8 bits | 8 bits | 16 bits | +-----------------+---------------+--------------------------------+ | Source Address | | 32 bits | +------------------------------------------------------------------+ | Destination Address | | 32 bits | +------------------------------------------------+-----------------+ | Options | Padding | +------------------------------------------------+-----------------+ FIG 1.0 - Structure of an IP Header As you can see above the IP header has a total of 14 Fields. 1. Version 2. IHL 3. TOS 4. Total Length 5. Identification 6. Flags 7. Fragment Offset 8. Time To Live 9. Protocol 10. Header Checksum 11. Source Address 12. Destination Address 13. Options 14. Padding 1. Version - The version field describes what version of the IP Protocol is being used, we will be using IPv4 because it is more supported and IPv6 is not yet fully implemented. 2. IHL - The Internet Header Length (IHL) contains the length of the Internet Header in 32 bit words. Minimum value for a header is 5. 3. TOS - The Type Of Servive (TOS) field was designed to tell routers how the packet is to be handled for example so that packets that need to move quickly like streaming audio would have a higher TOS value than other packets so that routers would send them across the network faster. These days most routers do not process the TOS field because it would waste too much of the routers time so we usually just set the TOS field to 0. 4. Total Length - This field contains the total size of the Internet Packet including headers and data. Typical IP headers are 20 bytes in size, same with TCP ones, so an Internet Packet with an IP Header, a TCP Header and no data would be 20 + 20 = 40 bytes in length, Total Length = 40 Bytes. 5. Identification - This field is used to aid in tracking fragmented packets, each fragment has the same ID as the first datagram, the ID's of datagrams following each other is usually incremented, because this value must be unique most applications use there process id to fill in this field. 6. Flags - Flags are used with IP to control fragmentation, there are 4 flags. 1-NO FLAGS [VALUE = 0x00] Does not specify any fragmentation options 2-MORE FRAGMENT [VALUE - 0X01] Means there is more fragments to be recieved after this packet 3-DONT FRAGMENT [VALUE = 0X02] Tells the stack not to fragment this packet 4-MORE & DONT [VALUE = 0X03] Tells the stack that there are more packets to be recieved after this one and not to fragment it NOTE: THE LAST FRAGMENT CANNOT HAVE A FLAG OF 0X01 (MORE FRAG) AS THERE ARE NO OTHER PACKETS TO FOLLOW. 7. Fragment Offset - The fragment offset is used for placing different packets in the correct order when reassembling Datagrams. The first fragment must have a value of 0 and the last must be equal to the value of Total Length. Value is measured in units of 64 bits (8 octets). 8. Time To Live - The Time To Live (TTL) field was created so that if a packet cannot find its destination it will be destroyed rather than travel across the internet indefinately, if packets kept mounting in this fashion it would seriously degrade network performance. Each router that a packet meets decrements the value of the TTL field by one. If the value is decremented to 0 before it reaches its destination the packet will be destroyed and an error sent back to the computer that the packet originated from. If the TTL is set to 0 on creation it will immediately be destroyed. 9. Protocol - This field specifies what protocol is being carried in the datagram eg; TCP. The most common values are as follows: IPPROTO_TCP = TCP IPPROTO_UDP = UDP IPPROTO_ICMP = ICMP Other protocols and there values will be specified later. 10. Header Checksum - The checksum is the size of the Internet Header, it is used to verify the integrity of a packet by comparing the headers size with the value of the checksum. Certain fields in the IP Header change troughout transport such as the TTL field because of this the checksum is recalculated and verified by each router or gateway it encounters. 11. Source Address - The IP Address of the computer that the packet originated from. In other words if you sent a packet this field would contain your IP Address. This lets the computer being sent the packet know where it came from and where to send a reply. 12. Destination Address - The IP Address of the computer that the packet is being sent. Lets routers that the packet meets know where to send the packet to. 13. Options - Mostly the options aren't filled out and they are very rarely used at all so we wont discuss them very much. There are however 3 interesting options that we will discuss here, they are: 1. Loose Source Routing 2. Strict Source Routing 3. Record Routing. 1. Loose Routing Loose Routing allows us to specify the source computer (us) and the destination computer's IP Address's in the IP header along with the address's of a couple of other routers that the packet must travel across between, then we can better control how the packet travels across the internet. 2. Strict Routing Strict Routing allows us to specify the source computer (us) and the destination computer's IP Address's in the IP header along with the address's of other routers, the packet then has to travel along this exact route to get to its destination, using this we can route our packets around routers or gateways that are down or not responding, this also means that if you wanted to you could ensure that the packet travels across certain networks and passes certain routers, of course this isn't recommended as you could 'accidentaly' bypass security restrictions on some networks by using this method, which is naughty. 3. Record Routing Im sure we are all familiar with the traceroute program which uses the ICMP protocol to tell us what routers our packets are traveling trough to get to there destination, record routing can be used ina similiar way, by setting this option every router that the packet meets places its IP Address into the IP Header, we can then examine the packet and see what IP Address's it contains. NOTE: AN IP HEADER CAN ONLY BE A MAXIMUM OF 60 BYTES LONG AND THE HEADER IS 20 BYTES IN LENGTH, EACH IP ADDRESS IS 4 BYTES IN SIZE SO AN IP HEADER CAN ONLY CONTAIN A MAXIMUM OF 10 IP ADDRESS'S EACH. 14. Padding - Padding is there to respect the 32 bits boundary, its composed of 0's. 3.2 THE TCP HEADER ======================================= Well before we get into the TCP header we first have to explain how exactly a TCP connection is formed between two hosts. The First host sends a TCP packet with one of the fields in the header set with a value of SYN, this is known as a SYN (synchronise) packet. So what is this packet synchronising? A potential problem with a TCP connection would be if a connection was established between some internet user at home and a shop on the internet, the user views his details but in the mean time some-1 were to pretend they were that user and the webshop sent that users details to that person instead of the real user (such as the real users credit card numbers?). Because of this a thing called an acknowledgement number was created, the number is defined by the server and the syn packet is used to transmit this number to the host, both sides of the connection now have the same Acknowledgement number and they are synchronised! The Acknowledgement number will be contained in all TCP packets troughout this session and if any packets recieved at either side have a wrong Acknowledgement number then the packet will be discarded. The second host will now send another TCP packet this time with a field set to ACK (Acknowledge) this is known as a SYN_ACK packet. Its purpose is to acknowledge the reception of the SYN packet. Once the first host has recieved the SYN_ACK packet it sends one last ACK packet, just to be sure to be sure. As you can see this process involves 3 steps. 1. Host sends SYN packet to target start a connection 2. Target sends host an ACK packet saying it recieved the SYN. 3. Host sends target an ACK packet to confirm and connection is established. Because of these 3 steps the TCP connection is known as the Three-Way-Handshake. +---------------------------------+--------------------------------+ | Source Port | Destination Port | | 16 bits | 16 bits | +---------------------------------+--------------------------------+ | Sequence Number | | 32 bits | +------------------------------------------------------------------+ | Acknowledgment Number | | 32 bits | +--------+------------+-----------+--------------------------------+ |D-Offset| Reserved | Ctrl Bits | Window | | 4 bits | 6 bits | 6 bits | 16 bits | +--------+------------+-----------+--------------------------------+ | Checksum | Urgent Pointer | | 16 bits | 16 bits | +---------------------------------+--------------+-----------------+ | Options | Padding | +------------------------------------------------+-----------------+ | Data | +------------------------------------------------------------------+ FIG 1.1 - Structure of a TCP Header There are 12 fields in total in the TCP Header and your Datagram. 1. Source Port 2. Destination Port 3. Sequence Number 4. Acknowledgement Number 5. Data Offset 6. Reserved 7. Control Bits 8. Window 9. Checksum 10. Urgent Pointer 11. Options 12. Padding 1. Source Port - The Source port number. 2. Destination Port - The Destination port number. 3. Sequence No. - The sequence number is used to ensure that segments recieved by a host are from where they claim to be, this prevents people from hijacking connections. 4. Acknowledgement No. - The acknowledgement number to ensure both sides of the connection are authentic, as explained above. 5. Data Offset - The Data Offset in the header is expressed in 32 bit words. The default is 5 if you have no options set in the TCP header. 6. Reserved - This field is reserved for future use, you must have it set to 0. 7. Control Bits - This is the field that contains values such as SYN and ACK. It has a total of 6 values. URG: Send Urgent Data to destination. ACK: Acknowledgment of Data. PSH: Push Data to destination. RST: Reset the connection. SYN: Synchronize sequence numbers. FIN: No more data from sender. 8. Window - Specifies the maximum size of a segment that you can accept, if the segment is larger than this then it must be fragmented. 9. Checksum - The TCP checksum just like we explained with the IP header, is to ensure that there is no loss of Data during transport, it gets the size of the packet and when it gets to the host the host compares the size of the packet with the value of the checksum and if they dont match you can see the packet was mangled during transport. The TCP Checksum is calculated using a psuedo header which is prefixed to the TCP Header. The purpose of this Psuedo Header is to protect the TCP packet from misrouted segments. The Psuedo Header contains 4 main pieces of information, the Source IP, the Destination IP numbers, the protocol and the TCP length. +-----------------------------------+ | Source Address | +-----------------------------------+ | Destination Address | +--------+--------+--------+--------+ | zero | PTCL | TCP Length | +--------+--------+--------+--------+ FIG 1.3 - The structure of a Psuedo Header The TCP Length field is the length of the TCP Header + length of the Data and does not count the length of the Psuedo Header (12 Bytes). 10. Urgent Pointer - This field is only to be set when the URG control bit is set. It points to a Data area. 11. Options - The TCP options field is very similiar to the IP Options field except it has fewer interesting parts that need to be mentioned here... none. 12. Padding - The same as the IP Padding Field. 3.3 THE UDP HEADER ======================================= +---------------------------------+--------------------------------+ | Source Port | Destination Port | | 16 bits | 16 bits | +---------------------------------+--------------------------------+ | Length | Checksum | | 16 bits | 16 bits | +---------------------------------+--------------------------------+ FIG 1.4 - The Structure of a UDP Header The UDP Header is more basic than previous Headers, it has only 4 fields. 1. Source Port 2. Destination Port 3. Length 4. Checksum 1. Source Port - Same as in TCP. 2. Destination Port - Same as in TCP. 3. Length - The length of the Datagram, including UDP Header and Data. Size must be at least 8. 4. Checksum - Same as TCP this field protects against misrouted packets it also uses the same Psuedo Header as TCP. 3.4 THE ICMP HEADER ======================================= +----------------+----------------+--------------------------------+ | Type | Code | Checksum | | 8 bits | 8 bits | 16 bits | +----------------+----------------+--------------------------------+ | Unused | | 32 bits | +------------------------------------------------------------------+ | Internet Header + 64 bits of Original Data | | 32 bits | +------------------------------------------------------------------+ FIG 1.5 - The Standard Structure of an ICMP Header The ICMP Header changes depending on the message it is sending. Different ICMP Messages are conveyed by combinations of different values and the Unused Field can contain different values and become used depending upon the different ICMP messages being sent. For example in some messages you may need to specify the general Type of message and then its code, this certain message may require additional information such as the IP Address of a computer, this address would then be stored in the Unused Field. The ICMP protocol is similiar to UDP in that it is used in messages of 1 Datagram in size, however, ICMP is more like an extension of IP and certain fields must also be set for use with ICMP. The Standard ICMP Header has 4 main fields. 1. Type 2. Code 3. Checksum 4. Unused 1. Type - Field declaring the type of ICMP Message. 2. Code - Field specifying the messages code to identify its meaning. 3. Checksum - Calculated the same as other headers, the kernel may pad this if the checksum is an odd number to respect 32 bit boundaries in most ICMP messages but Checksum is not calculated in some ICMP Messages. 4. Unused - The value of this field varies depending on the type of ICMP message, if no value is to be entered in this field it must be specified as 0. There are several different ICMP messages but here we are only going to refer to the 2 most interesting types Echo and Netmask request and reply's. ====================== Echo Request and Reply ====================== Description: These two ICMP Messages are commonly used in conjunction to form the ping program. First we send an Echo Request to a host and that host then sends us an echo reply. By sending multiple requests to a host and comparing the time they were sent with the time that the Echo Reply was recieved we can calculate the mean time that packets are sent between us and that host. This Message is also useful to determine whether a host is reachable and connected to the internet or not. Data can be inserted into an Echo request, perhaps for checking the integrity of a packet which it is returned? Type: Echo Request = 8 Echo Reply = 0 Code: Field Unused = 0 Checksum: As specified above. Identifier: Same as the IP Identifier, useful to determine which ICMP Echo Reply belongs to which Echo Request. Sequence Number: Used in the same way as the Identifier is above, useful for matching Echo Reply's with Requests. ==================================================================== ========================= Netmask Request and Reply ========================= Description: We can send a netmask request to a host and it will return a netmask reply containing its subnetmask, getting subnetmasks is useful for mapping out and gathering information on network topology. Type: Netmask Request = 17 Netmask Reply = 18 Code: Field Unused = 0 Checksum: Same as above. Identifier: Same as the IP Identifier, useful to determine which ICMP Netmask Reply belongs to which Netmask Request. Sequence Number: Used in the same way as the Identifier is above, useful for matching Netmask Reply's with Requests. ==================================================================== 4.0 CREATING A PACKET ======================================= OK well thats enough Protocol Header theory, lets look at how we are going to construct a raw socket in code and the differences between coding raw sockets and normal windows sockets code. Now with normal Sockets we give certain information to the stack in the case of windows, the Winsock. This information comprises of things like what transport layer were gonna use, TCP or UDP, the address of the host we are going to send it to, the port for it to go to, the Data to be contained within the Datagram, we name the socket call the sendto() function and off it goes. What we should consider now is what then happens to the information that we just provided, we know how the IP protocol sends it off zooming across the internet and how the host handles and sends this Data, but what happens inbetween the time we called sendto() and the time that packet leaves our computer? Well we passed this information to the winsock, the winsock then takes information such as the Destination address and our own address along with the protocol we specified and fills out the relevant fields in the protocol header, it then sets the TTL with its own default value of 35. Then the winsock uses the other information we provided, the source and destination port numbers, and fills the relevant TCP or UDP Header fields, and constructs the header, wraps the headers around the Data we specified and calculates things such as fragmentation and fills in the fields. Once everything is filled out and wrapped up the winsock calculates the size of the packet and specifies the checksum value. With all this done the winsock sends the packet off to whiz around the internet. So with normal sockets we dont have to specify all those nasty fields in the Headers we leave it up to good ol' winsock and it handles that but we want to create our own headers so how do we stop the winsock from prefixing its headers onto our packet? 4.1 SETSOCKOPT() ======================================= The setsockopt() function is very important in raw sockets, its here that we tell the winsock that we want to use our own headers for this packet and for it to not add its own to ours. The setsockopt() function has 5 parameters: 1. Socket 2. Level 3. Option Name 4. Option value 5. Option Length 1. Socket - Just like in normal sockets this is a Socket that we made earlier in the program. 2. Level - This is the protocol we are going to be using in the program, it has values such as IPPROTO_TCP and IPPROTO_IP. 3. Option Name - The socket option we are going to set, we will be setting this to IP_HDRINCL, this option is what tells the winsock we want to include our own headers for the packet. 4. Option Value - Pointer to the buffer in which the value for the requested option is supplied. We will be using a boolean called bOpt set to true for this, set to false would mean that we dont want to use the IP_HDRINCL option. 5. Option Length - The size of the buffer which supplies the value. We will use sizeof(bOpt) for this. The setsockopt() function well be looking at so will look like this: setsockopt(myraw, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt) So now how do we tell the winsock that we want to use raw sockets instead of normal sockets in the first place? 4.2 SOCKET() ======================================= Of course weve already covered the socket() function in the past and are familiar with its different parameters but what we have to be concerned about two of its parameters, its type and protocol. A normal socket looks like the following: socket(AF_INET, SOCK_STREAM, 0) Before we used to set its type as SOCK_STREAM or SOCK_DGRAM for TCP and UDP respectively. In raw sockets however we will set the type parameter to SOCK_RAW and the protocol to IPPROTO_RAW. A Raw Socket looks like this: socket(AF_INET, SOCK_RAW, IPPROTO_RAW); So thats how we tell the winsock that its a raw socket that we will be using which still leaves the question how do we build the actual header? 5.0 BUILDING HEADERS IN CODE ======================================= The Headers are built using normal C structures, we declare a struct for each header we want to build and declare a variable for each field of the Header that we will be using. While creating the structure we must remember that there are certain expectations and limitations on the size of Headers, an IP Header is 20 Bytes in size, so we will have to use certain types of variables to reflect the sizes of these fields the different variable types and there sizes are as follows: unsigned char = 1 byte (8 bits) unsigned short int = 2 bytes (16 bits) unsigned int = 4 bytes (32 bits) 5.1 THE IP HEADER ======================================= The IP Header as explained above will be built using a structure containing all of the fields in the IP Header. As you will remember there are 14 fields in the IP Header, however we will not be using any of the IP's Options or the padding, also in our examples we will only be using single Datagrams so there will be no need for fragmenting the packets so we will not be using the flags field and we will just set the Fragment Offset to 0. So with a total of 14 fields in the IP Header we will not be using 3 of them so that leaves us with 11 fields, also we will be storing the Ip version and length in one variable so that means we will be using a total of 10 variables for our code when building the Header. Well here is the structure we will be using to build the IP Header: typedef struct ip_hdr { unsigned char ip_verlen; // version & IHL => 1 Bytes (combined size of both) unsigned char ip_tos; // TOS => 1 Bytes unsigned short ip_totallength; // Total length => 2 Bytes unsigned short ip_id; // Identification => 2 Bytes unsigned short ip_offset; // Fragment Offset => 2 Bytes unsigned char ip_ttl; // Time to live => 1 Bytes unsigned char ip_protocol; // Protocol => 1 Bytes unsigned short ip_checksum; // Header checksum => 2 Bytes unsigned int ip_srcaddr; // Source address => 4 Bytes unsigned int ip_destaddr; // Destination address => + 4 Bytes // = 20 Bytes }IP_HDR; This structure contains all of the fields we will be using and the sizes of the variables add up to 20 Bytes, the correct size of an IP Header, note however that the Fragment Offset field is given a value of 2 Bytes which is equal to 16 bits, the true size of the frag offset is 13 but we altered it here to make up for the missing 3 bits of the flag field but it wont make any difference to the packet this is still a perfectly formed IP Header. 5.2 THE TCP HEADER ======================================= With the below structure you will again notice that there are a few of the TCP Headers fields missing, again Options and Padding are not included as we will not be using them, that leaves us with a total of 10 fields and the reserved field has been left out because it is not currently implemented by TCP so we are left with 9 fields to fill. With the missing fields of the Header we have increased the sizes of the Control Bits and Data Offset fields both to 1 Byte to make up the 20 Byte size of the TCP Header. So here is the TCP Structure: typedef struct tcp_hdr { unsigned short sport; // Source Port => 2 Bytes unsigned short dport; // Destination Port => 2 Bytes unsigned int seqnum; // Sequence Number => 4 Bytes unsigned int acknum; // Acknowledgement Number => 4 Bytes unsigned char DataOffset; // Data Offset => 1 Bytes unsigned char Flags; // Control Bits => 1 Bytes unsigned short Windows; // Window => 2 Bytes unsigned short Checksum; // Checksum => 2 Bytes unsigned short UrgPointer; // Urgent Pointer => + 2 Bytes // = 20 Bytes }TCP_HDR; 5.3 THE UDP HEADER ======================================= The below structure is the UDP Header, unlike previous headers it is not missing any fields and adds up to a totalsize of 8 Bytes. typedef struct udp_hdr { unsigned short sport; // Source Port => 2 Bytes unsigned short dport; // Destination Port => 2 Bytes unsigned short Length; // Length => 2 Bytes unsigned short Checksum; // Checksum => + 2 Bytes // = 8 Bytes }UDP_HDR; 5.4 THE ICMP HEADER ======================================= The ICMP Header is similiar to the UDP Header, it has very few fields and it adds up to a size of 8 Bytes. typedef struct tagICMPHDR { unsigned char icmp_type; // Type of message => 1 Bytes unsigned char icmp_code; // Type sub code => 1 Bytes unsigned short icmp_cksum; // Checksum => 2 Bytes unsigned short icmp_id; // Identifer => 2 Bytes unsigned short icmp_seq; // sequence number => + 2 Bytes // = 8 Bytes } ICMPHDR, *PICMPHDR; 5.5 THE PSUEDO HEADER ======================================= The Psuedo Header is used to protect against misrouted segments, its size is 12 Bytes, the following structure forms the Psuedo Header: typedef struct ps_hdr { unsigned int source_address; // Source Address => 4 Bytes unsigned int dest_address; // Destination Address => 4 Bytes unsigned char placeholder; // Place Holder => 1 Bytes unsigned char protocol; // Protocol => 1 Bytes unsigned short tcp_length; // TCP Length => + 2 Bytes // = 12 Bytes struct tcp_hdr tcp; }PS_HDR; 5.6 THE CHECKSUM FUNCTION ======================================= The Checksum Function is needed to calculate the size of the packet, here is the functions code: USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) { cksum += *(UCHAR*)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } 6.0 SOURCE CODE ======================================= Well in the Source Code we are first going to look at code which is supported by all Winsock 2 Systems including Win 9x ones so that every-1 can av' a go as it were. So in this section we are going to put what weve learned so far together and create a working internet application by using the icmp protocol to send an ICMP Echo Request message, the first part of a ping program. First tough we are going to create a header ".h" file for the application, the file contains the checksum function and structures for the IP and ICMP headers. Remember you will have to make sure that the header file is included correctly with the source file and that you linked to Ws2_32.lib. 6.1 ICMP ECHO REQUEST ======================================= /********************* icmp.h header file ************************/ // ICMP message types #define ICMP_ECHOREQ 13 // Echo request query // IP Header typedef struct ip_hdr { unsigned char ip_verlen; // version & IHL => 1 Bytes (combined size of both) unsigned char ip_tos; // TOS => 1 Bytes unsigned short ip_totallength; // Total length => 2 Bytes unsigned short ip_id; // Identification => 2 Bytes unsigned short ip_offset; // Fragment Offset => 2 Bytes unsigned char ip_ttl; // Time to live => 1 Bytes unsigned char ip_protocol; // Protocol => 1 Bytes unsigned short ip_checksum; // Header checksum => 2 Bytes unsigned int ip_srcaddr; // Source address => 4 Bytes unsigned int ip_destaddr; // Destination address => + 4 Bytes // = 20 Bytes }IP_HDR; // ICMP Header typedef struct tagICMPHDR { unsigned char icmp_type; // Type of message => 1 Bytes unsigned char icmp_code; // Type sub code => 1 Bytes unsigned short icmp_cksum; // Checksum => 2 Bytes unsigned short icmp_id; // Identifer => 2 Bytes unsigned short icmp_seq; // sequence number => + 2 Bytes // = 8 Bytes } ICMPHDR, *PICMPHDR; #define REQ_DATASIZE 32 // Echo Request Data size // ICMP Echo Request typedef struct tagECHOREQUEST { ICMPHDR icmpHdr; char cData[REQ_DATASIZE]; } ECHOREQUEST, *PECHOREQUEST; USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) { cksum += *(UCHAR*)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } /********************* icmp.h header file ************************/ So in the header file we first #defined some code type for ICMP Echo Request to make things a bit more readable later on, then we set up our IP and ICMP structures by giving variables for each field in the Protocol headers. Notice the sizes of each field add up correctly for the sizes of the protocol headers, we also have a structure called ECHOREQUEST, all icmp messages have different fields except for the common ones defined in the icmp header above, the fields of ECHOREQUEST are the extra fields nedded for echo's. We then have a function to calculate the checksum, all these bits of code are just placed inside our .h file to keep things shorter and more readable in the main program, speaking of which... /********************* icmp.c source file ************************/ // Make sure you always include your headers and link your libraries :) #include <winsock2.h> #include <ws2tcpip.h> #include <stdio.h> #include <stdlib.h> #include "icmp.h" void main(int argc, char **argv) { DWORD dip = inet_addr(argv[1]); WSADATA wsaData; SOCKET sock; static ECHOREQUEST echo_req; struct sockaddr_in sin; // Startup WinSock if (WSAStartup(MAKEWORD(2,2), &wsaData) != 0) { printf("WSAStartup failure!"); } // Create a raw socket if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == SOCKET_ERROR) { printf("Error starting socket"); } sin.sin_family = AF_INET; sin.sin_port = htons(0); sin.sin_addr.s_addr = dip; // Fill in echo request echo_req.icmpHdr.icmp_type = ICMP_ECHOREQ; echo_req.icmpHdr.icmp_code = 0; echo_req.icmpHdr.icmp_cksum = 0; echo_req.icmpHdr.icmp_id = 1; echo_req.icmpHdr.icmp_seq = 1; // Fill in some data to send memset(echo_req.cData, ' ', REQ_DATASIZE); // Compute checksum echo_req.icmpHdr.icmp_cksum = checksum((unsigned short *)&echo_req, sizeof(ECHOREQUEST)); // Status mesage printf("Sending Echo Request to <%s>.\n", argv[1]); // Send the echo request if (sendto(sock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (SOCKADDR *) dip, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) { printf("sendto() failed: %d\n", WSAGetLastError()); return -1; } // Status mesage printf("Message Sent\n"); // Close socket and WinSock closesocket(sock); WSACleanup(); return 0; } /********************* icmp.c source file ************************/ Well start up your compiler and link to the Ws2_32.lib file then add the icmp.c and icmp.h files to a new project. Compile and run this program by typing icmp 127.0.0.1 at the command line. The program takes the argument passed to it, 127.0.0.1 or any other IP Address you want and sends an ICMP message with a type of 13 and a code of 0, this setting is an ICMP echo request. Now remember that whatever values you enter in the code for the ICMP headers fields, that is the type of ICMP Message that is sent. For example, if we were to change the type to 17 then we would be sending a ICMP Netmask request, the target machine would then send back a Netmask Reply which we could use to map a target network. Or say if we went to www.tlsecurity.com and browsed for vulnerabilities and the words ICMP and Win98 were to catch our eye, here we would find a vulnerability for Windows 98 called p-smash. Now this advisory tells us that if we sent an icmp message to a computer running Windows 98 that had a Type of 9 and a code of 0 then the thing halt and stop responding. Therefore all we have to do with the above program is change: #define ICMP_ECHOREQ 13 to #define ICMP_ECHOREQ 19 in the header file, then when we send this to a Windows 98 machine the thing halts, an icmp DoS tool. Lamer Alert: I was using the above as an example DoS tools are indeed very lame!! and just shouldn't be used or designed, advisories are of course a good thing, they prompt vendors to do something about security vulnerabilities and promote security awareness, don't be lame, don't use DoS tools, otherwise you'll give Steve Gibson more stuff to prattle on about and ill have to bore ya to death with more flaming of 'the prick' (yes by flaming of the prick i am refering to Giving out about Gibson not medical conditions, I know what you were thinking cyberwolf!). 6.2 TCP ACK PACKET ======================================= /*********************** ip.h header file *************************/ #include <winsock2.h> #include <windows.h> #include <ws2tcpip.h> #include <stdio.h> struct tcpheader { unsigned short int th_sport; unsigned short int th_dport; unsigned int th_seq; unsigned int th_ack; unsigned char th_x2:4, th_off:4; unsigned char th_flags; unsigned short int th_win; unsigned short int th_sum; unsigned short int th_urp; }; /* total tcp header length: 20 bytes (=160 bits) */ struct ipheader { unsigned char ip_hl:4, ip_v:4; /* this means that each member is 4 bits */ unsigned char ip_tos; unsigned short int ip_len; unsigned short int ip_id; unsigned short int ip_off; unsigned char ip_ttl; unsigned char ip_p; unsigned short int ip_sum; unsigned int ip_src; unsigned int ip_dst; }; /* total ip header length: 20 bytes (=160 bits) */ // Psuedo Header typedef struct ps_hdr { unsigned int source_address; // Source Address => 4 Bytes unsigned int dest_address; // Destination Address => 4 Bytes unsigned char placeholder; // Place Holder => 1 Bytes unsigned char protocol; // Protocol => 1 Bytes unsigned short tcp_length; // TCP Length => + 2 Bytes // = 12 Bytes struct tcpheader tcp; }PS_HDR; // IP/TCP/UDP Checksum Function USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) { cksum += *(UCHAR*)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } /*********************** ip.h header file *************************/ Well that header file contained a few #define's, these dealt with TCP's control bits like ack and sequence and so on to make things more readable later. We then setup up the structures for the IP, TCP and Psuedo Headers and the function to calculate the checksum. Now lets put the header to use with the ack program, this program will send a single ACK packet to whatever computer you specify. /********************** main.c source file ************************/ #include "ip.h" #define PORT 25 int main (void) { WSADATA wsd; char datagram[4096]; bool bOpt = 1; if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("WSAStartup() failed: %d\n", GetLastError()); return -1; } // Create a raw socket SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == INVALID_SOCKET) { printf("WSASocket() failed: %d\n", WSAGetLastError()); return -1; } struct ipheader *iph = (struct ipheader *) datagram; struct tcpheader *tcph = (struct tcpheader *) datagram + sizeof (struct ipheader); struct sockaddr_in sin; PS_HDR pseudo_header; sin.sin_family = AF_INET; sin.sin_port = htons (PORT); sin.sin_addr.s_addr = inet_addr ("127.0.0.1"); memset (datagram, 0, 4096); /* zero out the buffer */ iph->ip_hl = 5; iph->ip_v = 4; iph->ip_tos = 0; iph->ip_len = sizeof (struct ipheader) + sizeof (struct tcpheader); iph->ip_id = 1; iph->ip_off = 0; iph->ip_ttl = 255; iph->ip_p = 6; iph->ip_sum = 0; iph->ip_src = inet_addr ("1.2.3.4"); iph->ip_dst = sin.sin_addr.s_addr; tcph->th_sport = htons (1234); tcph->th_dport = htons (PORT); tcph->th_seq = rand(); tcph->th_ack = 0; tcph->th_x2 = 0; tcph->th_off = 0; tcph->th_flags = 2; // SYN tcph->th_win = htons(65535); tcph->th_sum = 0; tcph->th_urp = 0; // Build the Psuedo Header pseudo_header.source_address = inet_addr ("1.2.3.4"); pseudo_header.dest_address = sin.sin_addr.s_addr; pseudo_header.placeholder = 0; pseudo_header.protocol = IPPROTO_TCP; pseudo_header.tcp_length = htons(sizeof(tcpheader)); // Calculate Checksum tcph->th_sum = checksum((unsigned short *)&pseudo_header, sizeof(pseudo_header)); iph->ip_sum = checksum((unsigned short *)&iph, sizeof(ipheader)); // ENABLE IPHDRINCL if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)) == SOCKET_ERROR) { printf("setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError()); return -1; } while (1) { // Send The Packet if (sendto(s, datagram, sizeof(datagram), 0, (SOCKADDR *)&sin, sizeof(sin)) == SOCKET_ERROR) { printf("sendto() failed: %d\n", WSAGetLastError()); return -1; } } return 0; } /********************** main.c source file ************************/ This program sends a tcp SYN packet to a target (you), it is a simple program but a very powerful one. You can edit all of the header fields enabling us to spoof our ip address amongst other things. Notice that we can also set the port numbers, some firewalls will let a packet with a port of 53 trough and not even log it, by knowing security tid bits like this we can build better more sophisticated programs. 7.0 RECIEVING RAW PACKETS ======================================= Recieving Raw Packets was never dealt with in the Berkeley Raw Socket specification, so far only linux 2.2.3 and up I believe ever dealt with them, it is of course therefore surprising that Microsoft has indeed supported a way to recieve raw packets with our programs! Yes indeed I am starting to like the guy who came up with the idea of supporting raw sockets in Windows more and more! But how do we do it? Well what we do is this: sniff all incomming packets on our computer and filter them for the packet we are looking for. This method can be used for, obviously, creating a packet sniffer and also for a firewall or some port redirection tool. Very good idea. We do it by creating a new raw socket and binding it to the interface, go into promiscuous mode and grab all the incomming packets. As usual we would set up our socket with something like the following: SOCKET sniffsock; SOCKADDR_IN if0; sniffsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP); and then call bind() with this raw socket: bind(sniffsock, (SOCKADDR *)&if0, sizeof(if0)); we then go into Promiscuous mode and recieve all of the packets by calling WSAIoctl() with SIO_RCVALL set: WSAIoctl(sniffsock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL); we can then use the WSARecv() function to grab the packets and feed them into a buffer like so: recv(sniffsock, RecvBuf, sizeof(RecvBuf), 0); We then use our own filterpacket() function to look for the particular packet that we want. So now for some example source code, this program will capture all packets sent to your computer for as long as the program is running, to do this well use a while loop to capture the packets then pass the packet to a function called filterpacket() in order to get the information from the packets headers. First create a new project and add a .cpp c++ source file. Here comes the science bit. /********************** recv.c source file ************************/ #include <winsock2.h> #include <windows.h> #include <ws2tcpip.h> #include <stdio.h> void outtie(char *p) { FILE *fp = fopen("Sniffer1.txt","a+"); fprintf(fp,"%s\n",p); fclose(fp); } #define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) #define MAX_ADDR_LEN 16 #define MAX_HOSTNAME_LAN 255 typedef struct _iphdr { unsigned char h_lenver; unsigned char tos; unsigned short total_len; unsigned short ident; unsigned short frag_and_flags; unsigned char ttl; unsigned char proto; unsigned short checksum; unsigned int sourceIP; unsigned int destIP; }IP_HDR; void RecvPacket(); int filterpacket(char *buf); char output[500]; void main() { RecvPacket(); } void RecvPacket() { SOCKET sock; WSADATA wsd; char RecvBuf[65535] = {0}; DWORD dwBytesRet; unsigned int optval = 1; WSAStartup(MAKEWORD(2,1),&wsd); sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP); char FAR name[MAX_HOSTNAME_LAN]; gethostname(name, MAX_HOSTNAME_LAN); struct hostent FAR * pHostent; pHostent = (struct hostent * )malloc(sizeof(struct hostent)); pHostent = gethostbyname(name); SOCKADDR_IN sa; sa.sin_family = AF_INET; sa.sin_port = htons(6000); memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length); bind(sock, (SOCKADDR *)&sa, sizeof(sa)); WSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL); while (1) { memset(RecvBuf, 0, sizeof(RecvBuf)); recv(sock, RecvBuf, sizeof(RecvBuf), 0); filterpacket(RecvBuf); } } // Filter the Packet int filterpacket(char *buf) { IP_HDR *pIpheader; char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN]; SOCKADDR_IN saSource, saDest; int iProtocol, iTTL; pIpheader = (IP_HDR *)buf; //Check Proto iProtocol = pIpheader->proto; if(iProtocol==IPPROTO_TCP) { sprintf(output,"Protocol is TCP"); outtie(output); } if(iProtocol==IPPROTO_UDP) { sprintf(output,"Protocol is UDP"); outtie(output); } if(iProtocol==IPPROTO_ICMP) { sprintf(output,"Protocol is ICMP"); outtie(output); } //Check Source IP saSource.sin_addr.s_addr = pIpheader->sourceIP; strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN); //Check Dest IP saDest.sin_addr.s_addr = pIpheader->destIP; strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN); iTTL = pIpheader->ttl; //Output sprintf(output,"%s->%s", szSourceIP, szDestIP); outtie(output); sprintf(output,"TTL=%d", iTTL); outtie(output); printf("\n"); return true; } /********************** recv.c source file ************************/ As i said this program will simply capture all packets sent to your machine, it will then output their details to a file called Sniffer.txt in the same directory as the program, as long as the program is running the window will remain black but it is still outputting the information. To enhance this program you could check the value of pIpheader->proto field and add code to handle the underlying tcp header or just format the output better. You will notice the line #define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) at the top of the file, this must be defined in all programs that capture packets, not sure why it wasn't just defined in one of the standard header files but what can we do. You could use this and the previous program in unison to send a packet and recv, checking received packets header fields to match values you sent out, working the two together to build up a more complex program. 8.0 Last Words. ======================================= With a tear in my eye its time unfortunately, to go. I hope you enjoyed this final tutorial in the series and learnt alot from the series as a whole and I hope you go on to apply the knowledge you have learned from this tutorial and from source code and create some great security applications, maybe you can put all of the knowledge you have together to create something good and now with an understanding of protocols and how to implement them trough code you can review some security features on the internet and create some excellent new programs. So I leave you now with my TOP 5 suggestions to use your new knowledge, seperately or in unison. 1. A stealth port scanner, sending ACK packets and listening for the packets returned to find out if the port is open (A SYN packet) closed (A RST Packet) or filtered (ICMP Blocked message). 2. OS Fingerprinting, filtering the packets sent by a computer to your own to identify the operating system in use. 3. Packet capturing, dumping the packets you sniff to a text file to examine them and learn protocols like icq or napster. 4. Stealth Communication, sending data in ICMP or ACK packets so there not found by firewalls. 5. Build a firewall, filter the recieved packets to watch for signs of attack or system penetration (sounds kinky :P). Now you could even alter existing programs to add new features, send packets on ports 53 or 81 to bypass firewalls like checkpoint. OS finger print recieved packets to uncover firewall tricks like spoofing the source ip of the target your trying to get to, any many other things to aid in system security, or insecurity. [ SHOUTS! ] Starman_Jones - Thanks for everything over the years (especially for my own room). Vsus - I am never drinking Tsambuca with you again :P. Delusive - Delusive's breasts owns j00!!!! BSRF - Thanks to every-1 at BSRF for releasing this and for being a good laugh :). secure@microsoft.com - The things you poor people must have to go trough. Greg from microsoft - Your a better man than I.