_________________

             /_               /\  

              \/  _______    /  \

              /  /      /   /   /

             /  /______/   /   /

            /           __/   /

           /  _______   \  __/

          /  /      /   /  \

         /  /______/   /   / 

       _/             /   /      

      /______________/   /       BLACK SUN RESEARCH FACILITY

      \              \  /      	   http://blacksun.box.sk/

       \______________\/











WINDOWS INTERNET PROGRAMMING PART 3

=================================================







   WRITTEN BY                 [ cos125@hotmail.com                :E-MAIL    ]      

           BINARY RAPE        [ 114603188                         :ICQ#      ]      

                              [ http://blacksun.box.sk/           :TURORIALS ]      











Thanks to cyberwolf for letting me write this and BSRF for releasing it.







Disclaimer

=======================================





None of the information or code in this tutorial is meant to be used against others

or to purposely damage computer systems or cause any loss of or damage to property.



Further more neither myself or any other contributor to, or member of, the Blacksun

research Facility (BSRF) can be held responsible for damage or loss of property of

computer systems as a result of this tutorial.



In this tutorial the code is provided as a learning aid so you can see how its done

its not meant for you to use against yourself or others.



Also  you are encouraged to alter the code and improve it. I say create or build a

program to do something not create or build a program to do something and use it for

that purpose.





CONTENTS

=======================================



1.  Introduction

2.  What are Raw Sockets?

3.  The Internet Headers

   

    3.1 The IP Header

    3.2 The TCP Header

    3.3 The UDP Header

    3.4 The ICMP Header



4.  Creating a Packet



    4.1 Setsockopt()

    4.2 Socket()



5.  Building Headers in code.

   

    5.1 The IP Header

    5.2 The TCP Header

    5.3 The UDP Header

    5.4 The ICMP Header

    5.5 The Psuedo Header

    5.6 The Checksum Function



6.  Source Code



    6.1 ICMP Echo Request

    6.2 TCP ACK Packet





7.  Recieving Raw Sockets

8.  Last Words









________________________________________________________________________________________________________







1.0 INTRODUCTION

=======================================



Welcome to the 3rd and quite possibly.. the last in this little series

of ours, its been fun.. kinda..  but never fear there may be one last

part to come in future covering advanced topics like multicasting and

we'll always have updates on the tutorials. Of course ive saved the

best topic for last, Raw Socket programming, and even more so its in

Windows! A topic which in this place has a certain member of the

computer security world huffing and yes indeed there is puffing also.

Head on over to grc.com for more information and listen to him piss his

pants scared because of raw sockets support in Windows XP...  you see

Steve Gibson of grc.com believes that because of windows xp's raw

socket support is available to all users on a windows XP Home Edition

computer he foresee's the following scenario:



A few kids, it would only take a small group, maybe friends in school,

they meet each day in a dark little ol' alley at the back of school

and decide who there next "target" is going to be, they then all

decide on a time to attack and as Gibson puts it "synchronises their

watches", then at the decided time they fire up the DoS tools on

their new copy of windows XP Home Edition and launch their attack upon

whatever ill-faithed domain name that the kids had decided earlier.



Hmmm....  interesting, well mostly Gibson you focus upon Home Edition

of windows XP, why? well of course its because of its support for Raw

Sockets for all users, yes but in your dark and devious example of

"Junior and his XP gang" you refer to that upgrade the kids would get

to windows XP home edition well what if they had a copy of Windows XP

professional or Windows 2000, or even Windows NT for that matter of

course these other operating systems dont have support for Raw Sockets

to all its users but if its the kids that are installing these Os's

wouldn't set up the admin account or give themselves admin priv's?

then they would have raw socket support anyway. ok Gibson lets give ya

a little break in fairness Raw Socket support on Home Edition may be

dangerous and people are of course likely to exploit this feature (no

Steven it is not a bug it is a feature) and create DDoS tools with it

but lets look at things, will it really make things bad, will this put

an end to the threat of DDoS attacks from Windows Systems? Well no

actually huh! shock horror there is yet still raw socket support on

systems other than windows xp, Win2k only supports raw sockets for

admin users, what if some-1 gains admin privilages they could still

use it hell with NT all you have to do is change an entry in the

registry, ok lets pull out raw socket support for these 3 operating

systems all together and we'll be safe right? Well unfortunately Win9x

systems with Winsock v2.0 also have Raw Socket support limited as it is.

Thankfully with Windows 9x you can only create ICMP packets... but am..

theres still a load of things i could do with just ICMP Steveo, I

could get a subnetmask, ping and traceroute, firewalk, fact of the

matter is I could even create a trojan with icmp tunneling! and this

is all without even touching icmp based DoS attacks! Well the answer is

simple then isn't it Steve all we have to do is pull raw socket support

from Winsock v2.0, but yes Steve all we have to do is create a dll or

use an already existing C++ library to create raw socket abilities

in our applications, you do comment on this in your site saying how it

doesn't matter because in the past we would have to install new drivers

and things, wow, do you think that some-1 that really wanted to create

a DoS attack would be stopped by the need to download 1 more little

piece, the application could even install any drivers or dll's it

needed on its own. Yes Steve Gibson, there could be raw socket support

now on Windows XP computers..  but then again there always was raw

socket support on all windows boxes if you really looked and yes there

will be DDoS attacks to come, just like there always would have been

even without its canned support in windows boxes, also you refered

to linuxs support for raw sockets as if it didnt matter because of

the size of its distribution, more and more people are using linux and

realising its benefits and we are seeing the beginning of "The Linux

Lamer" 2 words which sadly should never have been mentioned in the

same sentence, these people could still use DDoS linux tools. What will

Raw Sockets bring? DDoS tools? certainly, Better firewalls on Windows

systems? Yes. The availability of security scanners and a wider

understanding of the internet and its protocols to windows programmers?

well yup and probably alot more, maybe you are just setting up so much

hype for the very reason you gave Mr. Gibson sir, You didnt shout out

when scripting support was added to mail clients, now you can cause

such a large amount of confusion and fear in people and have alot of

people shouting no at you that once the very first stupid little DoS

tool that comes along for windows XP that you can say haha yes! I told

you so, I was right, you were wrong, but you see the thing is we're not

saying your wrong, infact, your right, there will be DDoS tools and

we all know that but all your managing to do is cause fear and confusion

altough who knows, maybe you just make it your jollies getting people

to complain and send flames to secure@microsoft.com so that they remove

raw socket support from windows and you can feel like your a big man

getting the big bad microsoft empire to do what you want? even the

security manager at microsoft says:



". . . 'are DDoS attacks going to happen?' Yes. They  

will happen; and they will happen on Windows XP. "



He is not admitting the great 'flaw' in the Windows XP operating system

he is being realistic, maybe you should try it it'll be a new experience

for ya. Any-1 in the computer security field will happily admit, no

system can be completely secure and things like what your talking about

will happen, but they don't even need raw socket support to do so.

Maybe ive been wrong about you all the time maybe you just want to shout

so much about the damn thing and even pass out source code for such tools

so that some-1 will come across read your files, get the stuff into their

head and run along with a hand-full of your little code and propeganda

and finally design a tool like this, the more publicity you give this

the more likely such a scenario like this will happen, of course that could

be your whole point to get whatever it is your after, or it could be that

if some-1 does design a bad DoS tool microsoft will have to pull the raw

support and again you can get your jollies from being correct, forgetting

every-1 that did agree with you but still saw your utter stupidity.



Just to let every-1 know incase they are a bit concerned about Gibson's

evil Windows XP Raw Socket support, the source code he created using raw

sockets to show how bad they are doesn't actually work, there was a problem

in his bind() function, after realising this he stated,



"it's not clear to me what it even means to 'bind' a raw socket"



and of course around the same time hes really getting at microsoft for

their stupidity and complete lack of security or as you like to phrase it

" MICROSOFT SECURITY " " The Oxymoron that keeps on giving ".



One of the best things youve said troughout all this was infact:



"a good thing for Windows raw socket security!"



What was that the time you realised you were wrong about microsofts

security or the time you went out to lunch and SHUT YOUR FUCKING ASS

FOR 5 MINUTES AND STOPPED WRECKING EVERY-1'S FUCKING HEAD YOU ASSHOLE.

I am so lucky that unlike people at microsoft.com's security devision

I don't have to listen to either you or the countless number of people

that you have scared into doing your bidding by exagerating facts and

twisting other people's words to give the wrong idea, my hat goes off

to Greg at Microsoft, personally I couldn't have done the same as he

has done, not only did he immediately help out Steve with his enquiries

he even kept steve up to date step by step in reveiwing his concerns.

Steve quickly returned Greg's hospitality and consideration by insulting

the amount of work he has done on his behalf and its quality. This

particular behaviour is probably to be expected i guess from some-1

who is so egotistical, some-1 that would pretty much say people who say

its good because its a standard are morons because they are following

the pack and that its a standard just because some-1 said it is,

no Steve its a standard because its a part of the standard specification

for sockets, thats why its supported, 'as standard' if you will by all

operating systems except from microsoft up to this point. Apparently

trough it all Gibson just wants a time machine to travel a few years

back where people still believed like he does that the best security

is obscurity.



One last point on this subject, The Firewall that comes with versions

of windows XP, once again 'As Standard' blocks the types of attacks

that Steve Gibson is describing, you think thats also a good thing

for microsofts security Steve?





So why all the fuss and anger in the last few paragraphs? Taught id

never shut up didnt ya :P. Well as ive been researching Windows XP's

raw socket abilities ive been effectively blocked by the constant

reoccuring pages found concerning Gibsons bullshit and fear spreading

tactics, after using a total of 8 different combinations of keywords

and reading many many pages i finally found a grand total of 4

examples of windows raw socket programs, btw only one of them had

ever been run on windows XP and im not even sure about that I think

his code may actually have been run on windows 2000. One of them had

only been run on a Windows 9x system !! Basically there isn't that much

documentation to learn from out there in the void so I think it could

do with me adding a little more, besides few guys flamed me a while back

on 1 of the channels on box.sk's irc server, (not in #bsrf or #code),

for saying that there was raw socket support in windows so I kinda

wrote this for them as well, here ya go guys ;).



So anyway without further delay lets get onto some real substance in

this tutorial with the most common question of all.





2.0 WHAT ARE RAW SOCKETS?

=======================================



Raw sockets are very similiar to normal sockets but with raw sockets

you can control the packets that you send better and can control them.

Raw sockets don't have anything to do with packets themselves they

are purely a programming concept. You see with normal socket programming

we would supply a certain amount of information like the ip address we

were sending it to, the port, the buffer containg the text we were

sending, and whatever protocol we would be sending it with like TCP or

UDP, we would supply all this information by filling up structures and

send the information by calling a couple of functions.



The difference with Raw sockets is that we create our own structures

for the headers and tell the Winsock that we wanted to use that

information, now we would fill out these structures with a bit more

information like our source IP address and fields like the Time To

Live (TTL) that we discussed in the first part of this tutorial.



using this method we can do many things with the Packets that we use

like the following:



* Get the Subnetmask from a computer.

* Bypass firewalls and routers using various methods.

* Map networks.

* Send information covertly.

* Exploit Network Stack vulnerabilities.

* Perform a stealth port scan.

* Remote OS identification.

* Build a firewall.



And theres way more that you could do as well. Until the release of

Winsock 2.0 Raw Sockets could not be possible unfortunately, Winsock

1.1 never included the ability which was specified in the Berkeley

Sockets specification (mostly because microsoft was in a rush to

release the winsock stack). Luckily even if you dont have Winsock v2

(which more than likely you will) you can still download version 2.0

for your version of windows from the microsoft website, windows 3.1

unfortunately does not have a 2.0 version microsoft has decided not

to release a 16 bit one. Of course if you have Windows 3.1 what the

fuck are you doing? suddenly springs to mind, oh well, go away. Now

Windows32 systems have Winsock however different versions have varying

amounts of support for raw sockets. All Version 2 stacks have support

for creating ICMP packets using Raw Sockets but Only Windows NT4, 2000

and XP have the capability for creating TCP and UDP packets. D'ont

worry there is still alot of things you can do with ICMP alone if you

use a Win 9x system. Before we go into the programming side of things

we must now cover the IP, ICMP, TCP and UDP protocols in more detail.

If you have read Part 1 of this tutorial you should have a pretty good

idea about how all the protocols work if not thats ok it shouldn't be

too bad and you should be able to understand things, so please read

on for explenations of the Protocols.





3.0 THE INTERNET HEADERS

=======================================



In part 1 we discussed the different Internet protocols and how they

fit together with packets so you should know pretty well how data is

transfered across the internet and understand many of the fields

within the different headers, if you aren't sure or cant quite

remember I suggest you read the first few sections of Part 1 of this

tutorial. Well now that you have a pretty good idea about the different

headers and understand the idea behind them we are going to have to go

into slightly more detail about the different headers and their

respective fields.







3.1 THE IP HEADER

=======================================



   +---------------------------------+--------------------------------+

   |Version |  IHL   |     TOS       |         Total Length           |

   | 4 bits | 4 bits |    8 bits     |            16 bits             |

   +--------+--------+---------------+------+-------------------------+

   |        Identification           |Flags |     Fragment Offset     |

   |            16 bits              |3 bits|         13 bits         |

   +-----------------+---------------+------+-------------------------+

   |  Time to Live   |   Protocol    |        Header Checksum         |

   |      8 bits     |    8 bits     |             16 bits            |

   +-----------------+---------------+--------------------------------+

   |                        Source Address                            |

   |                            32 bits                               |

   +------------------------------------------------------------------+

   |                      Destination Address                         |

   |                            32 bits                               |

   +------------------------------------------------+-----------------+

   |                     Options                    |     Padding     |

   +------------------------------------------------+-----------------+



   FIG 1.0  - Structure of an IP Header





As you can see above the IP header has a total of 14 Fields.



1.  Version

2.  IHL

3.  TOS

4.  Total Length

5.  Identification

6.  Flags

7.  Fragment Offset

8.  Time To Live

9.  Protocol

10. Header Checksum

11. Source Address

12. Destination Address

13. Options

14. Padding





1.  Version		- The version field describes what version of the IP Protocol

			  is being used, we will be using IPv4 because it is more

			  supported and IPv6 is not yet fully implemented.



2.  IHL			- The Internet Header Length (IHL) contains the length of the

			  Internet Header in 32 bit words. Minimum value for a header

			  is 5.



3.  TOS			- The Type Of Servive (TOS) field was designed to tell routers

			  how the packet is to be handled for example so that packets

			  that need to move quickly like streaming audio would have a

			  higher TOS value than other packets so that routers would

			  send them across the network faster. These days most routers

			  do not process the TOS field because it would waste too much

			  of the routers time so we usually just set the TOS field to

			  0.



4.  Total Length 		- This field contains the total size of the Internet Packet

			  including headers and data. Typical IP headers are 20 bytes

			  in size, same with TCP ones, so an Internet Packet with an

			  IP Header, a TCP Header and no data would be 20 + 20 = 40

			  bytes in length, Total Length = 40 Bytes.



5.  Identification		- This field is used to aid in tracking fragmented packets,

			  each fragment has the same ID as the first datagram, the

			  ID's of datagrams following each other is usually

			  incremented, because this value must be unique most

			  applications use there process id to fill in this field.



6.  Flags			- Flags are used with IP to control fragmentation, there are

			  4 flags.





			1-NO FLAGS		       [VALUE = 0x00]



			  Does not specify any fragmentation options



			  		     





			2-MORE FRAGMENT		       [VALUE - 0X01]



			  Means there is more fragments to be

			  recieved after this packet



			  		     





			3-DONT FRAGMENT		       [VALUE = 0X02]



			  Tells the stack not to fragment this packet



			

			4-MORE & DONT		       [VALUE = 0X03]



			  Tells the stack that there are more packets

			  to be recieved after this one and not to

			  fragment it



			  		     





		    NOTE: THE LAST FRAGMENT CANNOT HAVE A FLAG OF 0X01 (MORE FRAG)

			  AS THERE ARE NO OTHER PACKETS TO FOLLOW.







7.  Fragment Offset	- The fragment offset is used for placing different packets

			  in the correct order when reassembling Datagrams. The first

			  fragment must have a value of 0 and the last must be equal

			  to the value of Total Length. Value is measured in units of

			  64 bits (8 octets).



8.  Time To Live	- The Time To Live (TTL) field was created so that if a packet

			  cannot find its destination it will be destroyed rather than

			  travel across the internet indefinately, if packets kept

			  mounting in this fashion it would seriously degrade network

			  performance. Each router that a packet meets decrements the

			  value of the TTL field by one. If the value is decremented

			  to 0 before it reaches its destination the packet will be

			  destroyed and an error sent back to the computer that the

			  packet originated from. If the TTL is set to 0 on creation

			  it will immediately be destroyed.



9.  Protocol		- This field specifies what protocol is being carried in the

			  datagram eg; TCP.



			  The most common values are as follows:



			  IPPROTO_TCP	= TCP

			  IPPROTO_UDP	= UDP

			  IPPROTO_ICMP	= ICMP



			  Other protocols and there values will be specified later.



10. Header Checksum	- The checksum is the size of the Internet Header, it is used

			  to verify the integrity of a packet by comparing the headers

			  size with the value of the checksum. Certain fields in the

			  IP Header change troughout transport such as the TTL field

			  because of this the checksum is recalculated and verified

			  by each router or gateway it encounters.



11. Source Address		- The IP Address of the computer that the packet originated

			  from. In other words if you sent a packet this field would

			  contain your IP Address. This lets the computer being sent

			  the packet know where it came from and where to send a reply.



12. Destination Address 	- The IP Address of the computer that the packet is being sent.

			  Lets routers that the packet meets know where to send the

			  packet to.



13. Options		- Mostly the options aren't filled out and they are very rarely

			  used at all so we wont discuss them very much. There are

			  however 3 interesting options that we will discuss here,

			  they are:



			  1. Loose Source Routing

			  2. Strict Source Routing

			  3. Record Routing.



			  1. Loose Routing

			  

			  Loose Routing allows us to specify the source computer (us)

			  and the destination computer's IP Address's in the IP

			  header along with the address's of a couple of other routers

			  that the packet must travel across between, then we can

			  better control how the packet travels across the internet.



			  2. Strict Routing



			  Strict Routing allows us to specify the source computer (us)

			  and the destination computer's IP Address's in the IP

			  header along with the address's of other routers, the packet

			  then has to travel along this exact route to get to its

			  destination, using this we can route our packets around

			  routers or gateways that are down or not responding, this

			  also means that if you wanted to you could ensure that the

			  packet travels across certain networks and passes certain

			  routers, of course this isn't recommended as you could

			  'accidentaly' bypass security restrictions on some networks

			  by using this method, which is naughty.



			  3. Record Routing



			  Im sure we are all familiar with the traceroute program

			  which uses the ICMP protocol to tell us what routers our

			  packets are traveling trough to get to there destination,

			  record routing can be used ina  similiar way, by setting

			  this option every router that the packet meets places its

			  IP Address into the IP Header, we can then examine the packet

			  and see what IP Address's it contains.



		    NOTE: AN IP HEADER CAN ONLY BE A MAXIMUM OF 60 BYTES LONG AND THE

			  HEADER IS 20 BYTES IN LENGTH, EACH IP ADDRESS IS 4 BYTES IN

			  SIZE SO AN IP HEADER CAN ONLY CONTAIN A MAXIMUM OF 10 IP

			  ADDRESS'S EACH.





14. Padding		- Padding is there to respect the 32 bits boundary, its composed

			  of 0's.







3.2 THE TCP HEADER

=======================================



Well before we get into the TCP header we first have to explain how exactly a TCP connection

is formed between two hosts. The First host sends a TCP packet with one of the fields in the

header set with a value of SYN, this is known as a SYN (synchronise) packet. So what is this

packet synchronising? A potential problem with a TCP connection would be  if a connection was

established between some internet user at home and a shop on the internet, the user views his

details but in the mean time some-1 were to pretend they were that user and the webshop sent

that users details to that person instead of the real user (such as the real users credit

card numbers?). Because of this a thing called an acknowledgement number was created, the

number is defined by the server and the syn packet is used to transmit this number to the

host, both sides of the connection now have the same Acknowledgement number and they are

synchronised! The Acknowledgement number will be contained in all TCP packets troughout this

session and if any packets recieved at either side have a wrong Acknowledgement number then

the packet will be discarded.



The second host will now send another TCP packet this time with a field set to ACK

(Acknowledge) this is known as a SYN_ACK packet. Its purpose is to acknowledge the reception

of the SYN packet.



Once the first host has recieved the SYN_ACK packet it sends one last ACK packet, just to be

sure to be sure.



As you can see this process involves 3 steps.



1. Host sends SYN packet to target start a connection

2. Target sends host an ACK packet saying it recieved the SYN.

3. Host sends target an ACK packet to confirm and connection is established.



Because of these 3 steps the TCP connection is known as the Three-Way-Handshake.







   +---------------------------------+--------------------------------+

   |          Source Port            |       Destination Port         |

   |            16 bits              |           16 bits              |

   +---------------------------------+--------------------------------+

   |                          Sequence Number                         |

   |                              32 bits                             |

   +------------------------------------------------------------------+

   |                      Acknowledgment Number                       |

   |				  32 bits			      |

   +--------+------------+-----------+--------------------------------+

   |D-Offset|  Reserved  | Ctrl Bits |   	   Window               |

   | 4 bits |   6 bits   |   6 bits  |	   16 bits              |

   +--------+------------+-----------+--------------------------------+

   |            Checksum             |        Urgent Pointer          |

   |             16 bits             |            16 bits             |

   +---------------------------------+--------------+-----------------+

   |                     Options                    |     Padding     |

   +------------------------------------------------+-----------------+

   |				Data			      |

   +------------------------------------------------------------------+





   FIG 1.1  - Structure of a TCP Header





There are 12 fields in total in the TCP Header and your Datagram.



1.  Source Port

2.  Destination Port

3.  Sequence Number

4.  Acknowledgement Number

5.  Data Offset

6.  Reserved

7.  Control Bits

8.  Window

9.  Checksum

10. Urgent Pointer

11. Options

12. Padding







1.  Source Port		- The Source port number.



2.  Destination Port	- The Destination port number.



3.  Sequence No.		- The sequence number is used to ensure that segments

			  recieved by a host are from where they claim to be,

			  this prevents people from hijacking connections.



4.  Acknowledgement No. 	- The acknowledgement number to ensure both sides of

			  the connection are authentic, as explained above.



5.  Data Offset		- The Data Offset in the header is expressed in 32 bit

			  words. The default is 5 if you have no options set

			  in the TCP header.



6.  Reserved		- This field is reserved for future use, you must have

			  it set to 0.



7.  Control Bits		- This is the field that contains values such as SYN

			  and ACK. It has a total of 6 values.



    		    	  URG:  Send Urgent Data to destination.

    		    	  ACK:  Acknowledgment of Data.

    			  PSH:  Push Data to destination.

    			  RST:  Reset the connection.

    			  SYN:  Synchronize sequence numbers.

    			  FIN:  No more data from sender.



8.  Window		- Specifies the maximum size of a segment that you can

			  accept, if the segment is larger than this then it

			  must be fragmented.



9.  Checksum		- The TCP checksum just like we explained with the IP

			  header, is to ensure that there is no loss of Data

			  during transport, it gets the size of the packet and

			  when it gets to the host the host compares the size

			  of the packet with the value of the checksum and if

			  they dont match you can see the packet was mangled

			  during transport.



			  The TCP Checksum is calculated using a psuedo header

			  which is prefixed to the TCP Header. The purpose of

			  this Psuedo Header is to protect the TCP packet from

			  misrouted segments. The Psuedo Header contains 4

			  main pieces of information, the Source IP, the

			  Destination IP numbers, the protocol and the TCP

			  length.





   			  +-----------------------------------+

   			  |           Source Address          |

   			  +-----------------------------------+

   			  |         Destination Address       |

   			  +--------+--------+--------+--------+

   			  |  zero  |  PTCL  |    TCP Length   |

   			  +--------+--------+--------+--------+



			  FIG 1.3  - The structure of a Psuedo Header





			  The TCP Length field is the length of the TCP Header

			  + length of the Data and does not count the length of

			  the Psuedo Header (12 Bytes).



10. Urgent Pointer	- This field is only to be set when the URG control bit

			  is set. It points to a Data area.



11. Options		- The TCP options field is very similiar to the IP Options

			  field except it has fewer interesting parts that need

			  to be mentioned here...  none.



12. Padding		- The same as the IP Padding Field.









3.3 THE UDP HEADER

=======================================



   +---------------------------------+--------------------------------+

   |          Source Port            |       Destination Port         |

   |            16 bits              |           16 bits              |

   +---------------------------------+--------------------------------+

   |            Length               |           Checksum             |

   |            16 bits              |           16 bits              |

   +---------------------------------+--------------------------------+



   FIG 1.4  - The Structure of a UDP Header



The UDP Header is more basic than previous Headers, it has only 4 fields.



1. Source Port

2. Destination Port

3. Length

4. Checksum





1.  Source Port		- Same as in TCP.



2.  Destination Port	- Same as in TCP.



3.  Length		- The length of the Datagram, including UDP Header and

			  Data. Size must be at least 8.



4.  Checksum		- Same as TCP this field protects against misrouted packets

			  it also uses the same Psuedo Header as TCP.







3.4 THE ICMP HEADER

=======================================



   +----------------+----------------+--------------------------------+

   |      Type      |     Code       |           Checksum             |

   |     8 bits     |    8 bits      |           16 bits              |

   +----------------+----------------+--------------------------------+

   |                              Unused                              |

   |                              32 bits                             |

   +------------------------------------------------------------------+

   |            Internet Header + 64 bits of Original Data            |

   |                              32 bits                             |

   +------------------------------------------------------------------+



   FIG 1.5  - The Standard Structure of an ICMP Header



The ICMP Header changes depending on the message it is sending. Different

ICMP Messages are conveyed by combinations of different values and the

Unused Field can contain different values and become used depending upon

the different ICMP messages being sent. For example in some messages you

may need to specify the general Type of message and then its code, this

certain message may require additional information such as the IP Address

of a computer, this address would then be stored in the Unused Field.



The ICMP protocol is similiar to UDP in that it is used in messages of 1

Datagram in size, however, ICMP is more like an extension of IP and certain

fields must also be set for use with ICMP.





The Standard ICMP Header has 4 main fields.



1. Type

2. Code

3. Checksum

4. Unused





1.  Type		- Field declaring the type of ICMP Message.



2.  Code		- Field specifying the messages code to identify its

			  meaning.



3.  Checksum	- Calculated the same as other headers, the kernel may pad

			  this if the checksum is an odd number to respect 32 bit

			  boundaries in most ICMP messages but Checksum is not

			  calculated in some ICMP Messages.



4.  Unused	- The value of this field varies depending on the type of

			  ICMP message, if no value is to be entered in this field

			  it must be specified as 0.





There are several different ICMP messages but here we are only going to refer

to the 2 most interesting types Echo and Netmask request and reply's.



======================

Echo Request and Reply

======================



Description:



These two ICMP Messages are commonly used in conjunction to form

the ping program. First we send an Echo Request to a host and

that host then sends us an echo reply. By sending multiple requests

to a host and comparing the time they were sent with the time that

the Echo Reply was recieved we can calculate the mean time that

packets are sent between us and that host. This Message is also

useful to determine whether a host is reachable and connected to the

internet or not.



Data can be inserted into an Echo request, perhaps for checking

the integrity of a packet which it is returned?





Type:



Echo Request	= 8

Echo Reply 	= 0





Code:



Field Unused	= 0





Checksum:



As specified above.





Identifier:



Same as the IP Identifier, useful to determine which ICMP Echo Reply

belongs to which Echo Request.





Sequence Number:



Used in the same way as the Identifier is above, useful for matching

Echo Reply's with Requests.



====================================================================



=========================

Netmask Request and Reply

=========================



Description:



We can send a netmask request to a host and it will return a netmask

reply containing its subnetmask, getting subnetmasks is useful for

mapping out and gathering information on network topology.





Type:



Netmask Request	= 17

Netmask Reply	= 18





Code:



Field Unused	= 0





Checksum:



Same as above.





Identifier:



Same as the IP Identifier, useful to determine which ICMP Netmask

Reply belongs to which Netmask Request.





Sequence Number:



Used in the same way as the Identifier is above, useful for matching

Netmask Reply's with Requests.



====================================================================







4.0 CREATING A PACKET

=======================================



OK well thats enough Protocol Header theory, lets look at how we are

going to construct a raw socket in code and the differences between

coding raw sockets and normal windows sockets code.



Now with normal Sockets we give certain information to the stack in

the case of windows, the Winsock. This information comprises of things

like what transport layer were gonna use, TCP or UDP, the address of

the host we are going to send it to, the port for it to go to, the

Data to be contained within the Datagram, we name the socket call

the sendto() function and off it goes. What we should consider now

is what then happens to the information that we just provided, we know

how the IP protocol sends it off zooming across the internet and how

the host handles and sends this Data, but what happens inbetween the

time we called sendto() and the time that packet leaves our computer?



Well we passed this information to the winsock, the winsock then

takes information such as the Destination address and our own address

along with the protocol we specified and fills out the relevant

fields in the protocol header, it then sets the TTL with its own

default value of 35.



Then the winsock uses the other information we provided, the source

and destination port numbers, and fills the relevant TCP or UDP

Header fields, and constructs the header, wraps the headers around

the Data we specified and calculates things such as fragmentation

and fills in the fields. Once everything is filled out and wrapped

up the winsock calculates the size of the packet and specifies the

checksum value.



With all this done the winsock sends the packet off to whiz around

the internet.



So with normal sockets we dont have to specify all those nasty fields

in the Headers we leave it up to good ol' winsock and it handles that

but we want to create our own headers so how do we stop the winsock

from prefixing its headers onto our packet?





4.1 SETSOCKOPT()

=======================================



The setsockopt() function is very important in raw sockets, its here

that we tell the winsock that we want to use our own headers for this

packet and for it to not add its own to ours.



The setsockopt() function has 5 parameters:



1. Socket

2. Level

3. Option Name

4. Option value

5. Option Length





1. Socket		- Just like in normal sockets this is a Socket

		 	  that we made earlier in the program.



2. Level		- This is the protocol we are going to be using

		 	  in the program, it has values such as

		 	  IPPROTO_TCP and IPPROTO_IP.



3. Option Name		- The socket option we are going to set, we will

			  be setting this to IP_HDRINCL, this option is

			  what tells the winsock we want to include our

			  own headers for the packet.



4. Option Value		- Pointer to the buffer in which the value for

			  the requested option is supplied. We will be

			  using a boolean called bOpt set to true for

			  this, set to false would mean that we dont want

			  to use the IP_HDRINCL option.



5. Option Length	- The size of the buffer which supplies the

			  value. We will use sizeof(bOpt) for this.





The setsockopt() function well be looking at so will look like this:



setsockopt(myraw, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)





So now how do we tell the winsock that we want to use raw sockets

instead of normal sockets in the first place?





4.2 SOCKET()

=======================================



Of course weve already covered the socket() function in the past and

are familiar with its different parameters but what we have to be

concerned about two of its parameters, its type and protocol.



A normal socket looks like the following:



socket(AF_INET, SOCK_STREAM, 0)



Before we used to set its type as SOCK_STREAM or SOCK_DGRAM for TCP

and UDP respectively. In raw sockets however we will set the type

parameter to SOCK_RAW and the protocol to IPPROTO_RAW.



A Raw Socket looks like this:



socket(AF_INET, SOCK_RAW, IPPROTO_RAW);



So thats how we tell the winsock that its a raw socket that we will

be using which still leaves the question how do we build the actual

header?





5.0 BUILDING HEADERS IN CODE

=======================================



The Headers are built using normal C structures, we declare a struct

for each header we want to build and declare a variable for each field

of the Header that we will be using.



While creating the structure we must remember that there are certain

expectations and limitations on the size of Headers, an IP Header is

20 Bytes in size, so we will have to use certain types of variables

to reflect the sizes of these fields the different variable types and

there sizes are as follows:



unsigned char 		= 1 byte  (8 bits)

unsigned short int 	= 2 bytes (16 bits)

unsigned int 		= 4 bytes (32 bits)





5.1 THE IP HEADER

=======================================



The IP Header as explained above will be built using a structure

containing all of the fields in the IP Header. As you will remember

there are 14 fields in the IP Header, however we will not be using

any of the IP's Options or the padding, also in our examples we will

only be using single Datagrams so there will be no need for fragmenting

the packets so we will not be using the flags field and we will just

set the Fragment Offset to 0.



So with a total of 14 fields in the IP Header we will not be using 3

of them so that leaves us with 11 fields, also we will be storing the

Ip version and length in one variable so that means we will be using

a total of 10 variables for our code when building the Header.





Well here is the structure we will be using to build the IP Header:





typedef struct ip_hdr

{

    unsigned char  ip_verlen;        // version & IHL		 =>	  1 Bytes  (combined size of both)

    unsigned char  ip_tos;           // TOS			 =>	  1 Bytes

    unsigned short ip_totallength;   // Total length		 =>	  2 Bytes

    unsigned short ip_id;            // Identification	 	 =>	  2 Bytes

    unsigned short ip_offset;        // Fragment Offset		 =>	  2 Bytes

    unsigned char  ip_ttl;           // Time to live		 =>	  1 Bytes

    unsigned char  ip_protocol;      // Protocol		 =>	  1 Bytes

    unsigned short ip_checksum;      // Header checksum		 =>	  2 Bytes

    unsigned int   ip_srcaddr;       // Source address		 => 	  4 Bytes

    unsigned int   ip_destaddr;      // Destination address	 =>    +  4 Bytes

				     //				       = 20 Bytes

}IP_HDR; 





This structure contains all of the fields we will be using and the sizes

of the variables add up to 20 Bytes, the correct size of an IP Header,

note however that the Fragment Offset field is given a value of 2 Bytes

which is equal to 16 bits, the true size of the frag offset is 13 but we

altered it here to make up for the missing 3 bits of the flag field but

it wont make any difference to the packet this is still a perfectly formed

IP Header.





5.2 THE TCP HEADER

=======================================



With the below structure you will again notice that there are a few

of the TCP Headers fields missing, again Options and Padding are not

included as we will not be using them, that leaves us with a total of

10 fields and the reserved field has been left out because it is not

currently implemented by TCP so we are left with 9 fields to fill.



With the missing fields of the Header we have increased the sizes of

the Control Bits and Data Offset fields both to 1 Byte to make up the

20 Byte size of the TCP Header.



So here is the TCP Structure:





typedef struct tcp_hdr

{

    unsigned short sport;	     // Source Port		 =>	  2 Bytes

    unsigned short dport;	     // Destination Port	 =>	  2 Bytes

    unsigned int   seqnum;	     // Sequence Number		 =>	  4 Bytes

    unsigned int   acknum;	     // Acknowledgement Number   =>	  4 Bytes

    unsigned char  DataOffset;	     // Data Offset		 =>	  1 Bytes

    unsigned char  Flags;	     // Control Bits		 =>	  1 Bytes

    unsigned short Windows;	     // Window			 =>	  2 Bytes

    unsigned short Checksum; 	     // Checksum		 =>	  2 Bytes

    unsigned short UrgPointer;       // Urgent Pointer		 =>    +  2 Bytes

				     //				       = 20 Bytes

}TCP_HDR;





5.3 THE UDP HEADER

=======================================



The below structure is the UDP Header, unlike previous headers it is

not missing any fields and adds up to a totalsize of 8 Bytes.





typedef struct udp_hdr

{

    unsigned short sport;	     // Source Port		 =>	  2 Bytes

    unsigned short dport;	     // Destination Port	 =>	  2 Bytes

    unsigned short Length; 	     // Length			 =>	  2 Bytes

    unsigned short Checksum;	     // Checksum		 =>    +  2 Bytes

				     //				       =  8 Bytes

}UDP_HDR;





5.4 THE ICMP HEADER

=======================================



The ICMP Header is similiar to the UDP Header, it has very few fields

and it adds up to a size of 8 Bytes.





typedef struct tagICMPHDR

{ 

    unsigned char  icmp_type;	     // Type of message		 =>	  1 Bytes

    unsigned char  icmp_code;        // Type sub code		 =>	  1 Bytes

    unsigned short icmp_cksum;       // Checksum		 =>	  2 Bytes	

    unsigned short icmp_id;          // Identifer		 =>	  2 Bytes

    unsigned short icmp_seq;         // sequence number		 =>	+ 2 Bytes

				     //					= 8 Bytes

} ICMPHDR, *PICMPHDR;





5.5 THE PSUEDO HEADER

=======================================



The Psuedo Header is used to protect against misrouted segments,

its size is 12 Bytes, the following structure forms the Psuedo

Header:





typedef struct ps_hdr

{

    unsigned int   source_address;   // Source Address		 =>	  4 Bytes

    unsigned int   dest_address;     // Destination Address	 =>	  4 Bytes

    unsigned char  placeholder;	     // Place Holder		 =>	  1 Bytes

    unsigned char  protocol;	     // Protocol		 =>	  1 Bytes

    unsigned short tcp_length;	     // TCP Length		 =>    +  2 Bytes

				     //				       = 12 Bytes

    struct tcp_hdr tcp;



}PS_HDR;





5.6 THE CHECKSUM FUNCTION

=======================================



The Checksum Function is needed to calculate the size of the

packet, here is the functions code:





USHORT checksum(USHORT *buffer, int size)

{

    unsigned long cksum=0;

    while (size > 1)

    {

        cksum += *buffer++;

        size  -= sizeof(USHORT);   

    }

    if (size)

    {

        cksum += *(UCHAR*)buffer;   

    }

    cksum = (cksum >> 16) + (cksum & 0xffff);

    cksum += (cksum >>16); 

    return (USHORT)(~cksum); 

}







6.0 SOURCE CODE

=======================================



Well in the Source Code we are first going to look at code which is

supported by all Winsock 2 Systems including Win 9x ones so that

every-1 can av' a go as it were. So in this section we are going to

put what weve learned so far together and create a working internet

application by using the icmp protocol to send an ICMP Echo Request

message, the first part of a ping program. First tough we are going

to create a header ".h" file for the application, the file contains

the checksum function and structures for the IP and ICMP headers.



Remember you will have to make sure that the header file is included

correctly with the source file and that you linked to Ws2_32.lib.



6.1 ICMP ECHO REQUEST

=======================================





/********************* icmp.h header file ************************/



// ICMP message types

#define ICMP_ECHOREQ		13	// Echo request query





// IP Header

typedef struct ip_hdr

{

    unsigned char  ip_verlen;        // version & IHL		 =>	  1 Bytes  (combined size of both)

    unsigned char  ip_tos;           // TOS			 =>	  1 Bytes

    unsigned short ip_totallength;   // Total length		 =>	  2 Bytes

    unsigned short ip_id;            // Identification	 	 =>	  2 Bytes

    unsigned short ip_offset;        // Fragment Offset		 =>	  2 Bytes

    unsigned char  ip_ttl;           // Time to live		 =>	  1 Bytes

    unsigned char  ip_protocol;      // Protocol		 =>	  1 Bytes

    unsigned short ip_checksum;      // Header checksum		 =>	  2 Bytes

    unsigned int   ip_srcaddr;       // Source address		 => 	  4 Bytes

    unsigned int   ip_destaddr;      // Destination address	 =>    +  4 Bytes

				     //				       = 20 Bytes

}IP_HDR; 





// ICMP Header

typedef struct tagICMPHDR

{ 

    unsigned char  icmp_type;	     // Type of message		 =>	  1 Bytes

    unsigned char  icmp_code;        // Type sub code		 =>	  1 Bytes

    unsigned short icmp_cksum;       // Checksum		 =>	  2 Bytes	

    unsigned short icmp_id;          // Identifer		 =>	  2 Bytes

    unsigned short icmp_seq;         // sequence number		 =>	+ 2 Bytes

				     //					= 8 Bytes

} ICMPHDR, *PICMPHDR;





#define REQ_DATASIZE 32		// Echo Request Data size





// ICMP Echo Request

typedef struct tagECHOREQUEST

{

    ICMPHDR icmpHdr;

    char    cData[REQ_DATASIZE];



} ECHOREQUEST, *PECHOREQUEST;





USHORT checksum(USHORT *buffer, int size)

{

    unsigned long cksum=0;

    while (size > 1)

    {

        cksum += *buffer++;

        size  -= sizeof(USHORT);   

    }

    if (size)

    {

        cksum += *(UCHAR*)buffer;   

    }

    cksum = (cksum >> 16) + (cksum & 0xffff);

    cksum += (cksum >>16); 

    return (USHORT)(~cksum); 

}



/********************* icmp.h header file ************************/





So in the header file we first #defined some code type for ICMP

Echo Request to make things a bit more readable later on, then we

set up our IP and ICMP structures by giving variables for each field

in the Protocol headers. Notice the sizes of each field add up

correctly for the sizes of the protocol headers, we also have a

structure called ECHOREQUEST, all icmp messages have different

fields except for the common ones defined in the icmp header above,

the fields of ECHOREQUEST are the extra fields nedded for echo's.

We then have a function to calculate the checksum, all these bits

of code are just placed inside our .h file to keep things shorter

and more readable in the main program, speaking of which...



/********************* icmp.c source file ************************/



// Make sure you always include your headers and link your libraries :)



#include <winsock2.h>

#include <ws2tcpip.h>

#include <stdio.h>

#include <stdlib.h>

#include "icmp.h"





void main(int argc, char **argv)

{



    DWORD dip = inet_addr(argv[1]);



    WSADATA		wsaData;

    SOCKET		sock;



    static ECHOREQUEST	echo_req;



    struct sockaddr_in sin;



    // Startup WinSock

    if (WSAStartup(MAKEWORD(2,2), &wsaData) != 0)

    {

	printf("WSAStartup failure!");

    }



    // Create a raw socket

    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == SOCKET_ERROR)

    {

        printf("Error starting socket");

    }



    sin.sin_family	= AF_INET;

    sin.sin_port	= htons(0);

    sin.sin_addr.s_addr = dip;





    // Fill in echo request

    echo_req.icmpHdr.icmp_type	= ICMP_ECHOREQ;

    echo_req.icmpHdr.icmp_code	= 0;

    echo_req.icmpHdr.icmp_cksum	= 0;

    echo_req.icmpHdr.icmp_id	= 1;

    echo_req.icmpHdr.icmp_seq	= 1;



    // Fill in some data to send

    memset(echo_req.cData, ' ', REQ_DATASIZE);



    // Compute checksum

    echo_req.icmpHdr.icmp_cksum = checksum((unsigned short *)&echo_req, sizeof(ECHOREQUEST));

	

    // Status mesage

    printf("Sending Echo Request to <%s>.\n", argv[1]);



    // Send the echo request  								  

    if (sendto(sock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (SOCKADDR *) dip, sizeof(SOCKADDR_IN)) == SOCKET_ERROR)

    {

       printf("sendto() failed: %d\n", WSAGetLastError());

       return -1;

    }





    // Status mesage

    printf("Message Sent\n");



    // Close socket and WinSock

    closesocket(sock);

    WSACleanup();

    return 0;

}



/********************* icmp.c source file ************************/



Well start up your compiler and link to the Ws2_32.lib file then

add the icmp.c and icmp.h files to a new project. Compile and run

this program by typing icmp 127.0.0.1 at the command line. The

program takes the argument passed to it, 127.0.0.1 or any other

IP Address you want and sends an ICMP message with a type of 13 and

a code of 0, this setting is an ICMP echo request. Now remember

that whatever values you enter in the code for the ICMP headers

fields, that is the type of ICMP Message that is sent. For example,

if we were to change the type to 17 then we would be sending a ICMP

Netmask request, the target machine would then send back a Netmask

Reply which we could use to map a target network. Or say if we went

to www.tlsecurity.com and browsed for vulnerabilities and the words

ICMP and Win98 were to catch our eye, here we would find a

vulnerability for Windows 98 called p-smash. Now this advisory

tells us that if we sent an icmp message to a computer running

Windows 98 that had a Type of 9 and a code of 0 then the thing

halt and stop responding. Therefore all we have to do with the

above program is change:



#define ICMP_ECHOREQ		13



	to



#define ICMP_ECHOREQ		19



in the header file, then when we send this to a Windows 98 machine

the thing halts, an icmp DoS tool.



Lamer Alert: I was using the above as an example DoS tools are

indeed very lame!! and just shouldn't be used or designed, advisories

are of course a good thing, they prompt vendors to do something about

security vulnerabilities and promote security awareness, don't be

lame, don't use DoS tools, otherwise you'll give Steve Gibson more

stuff to prattle on about and ill have to bore ya to death with more

flaming of 'the prick' (yes by flaming of the prick i am refering to

Giving out about Gibson not medical conditions, I know what you were

thinking cyberwolf!).





6.2 TCP ACK PACKET

=======================================



/*********************** ip.h header file *************************/



#include <winsock2.h>

#include <windows.h>

#include <ws2tcpip.h>

#include <stdio.h>



struct tcpheader {

 unsigned short int th_sport;

 unsigned short int th_dport;

 unsigned int th_seq;

 unsigned int th_ack;

 unsigned char th_x2:4, th_off:4;

 unsigned char th_flags;

 unsigned short int th_win;

 unsigned short int th_sum;

 unsigned short int th_urp;

}; /* total tcp header length: 20 bytes (=160 bits) */



struct ipheader {

 unsigned char ip_hl:4, ip_v:4; /* this means that each member is 4 bits */

 unsigned char ip_tos;

 unsigned short int ip_len;

 unsigned short int ip_id;

 unsigned short int ip_off;

 unsigned char ip_ttl;

 unsigned char ip_p;

 unsigned short int ip_sum;

 unsigned int ip_src;

 unsigned int ip_dst;

}; /* total ip header length: 20 bytes (=160 bits) */



// Psuedo Header



typedef struct ps_hdr

{

    unsigned int   source_address;   // Source Address		 =>	  4 Bytes

    unsigned int   dest_address;     // Destination Address	 =>	  4 Bytes

    unsigned char  placeholder;	     // Place Holder		 =>	  1 Bytes

    unsigned char  protocol;	     // Protocol		 =>	  1 Bytes

    unsigned short tcp_length;	     // TCP Length		 =>    +  2 Bytes

				     //				       = 12 Bytes

    struct tcpheader tcp;



}PS_HDR;



// IP/TCP/UDP Checksum Function



USHORT checksum(USHORT *buffer, int size)

{

    unsigned long cksum=0;

    while (size > 1)

    {

        cksum += *buffer++;

        size  -= sizeof(USHORT);   

    }

    if (size)

    {

        cksum += *(UCHAR*)buffer;   

    }

    cksum = (cksum >> 16) + (cksum & 0xffff);

    cksum += (cksum >>16); 

    return (USHORT)(~cksum); 

}



/*********************** ip.h header file *************************/



Well that header file contained a few #define's, these dealt with

TCP's control bits like ack and sequence and so on to make things

more readable later. We then setup up the structures for the IP,

TCP and Psuedo Headers and the function to calculate the checksum.

Now lets put the header to use with the ack program, this program

will send a single ACK packet to whatever computer you specify.



/********************** main.c source file ************************/



#include "ip.h"



#define PORT 25



int main (void)

{



	WSADATA wsd;

	char datagram[4096];

	bool bOpt = 1;



    if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)

    {

	   printf("WSAStartup() failed: %d\n", GetLastError());

	   return -1;

    }



// Create a raw socket



    SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

    if (s == INVALID_SOCKET)

    {

       printf("WSASocket() failed: %d\n", WSAGetLastError());

       return -1;

    }



  struct ipheader *iph = (struct ipheader *) datagram;

  struct tcpheader *tcph = (struct tcpheader *) datagram + sizeof (struct ipheader);

  struct sockaddr_in sin;



  PS_HDR pseudo_header;



  sin.sin_family = AF_INET;

  sin.sin_port = htons (PORT);

  sin.sin_addr.s_addr = inet_addr ("127.0.0.1");



  memset (datagram, 0, 4096);	/* zero out the buffer */



  iph->ip_hl		 = 5;

  iph->ip_v			 = 4;

  iph->ip_tos		 = 0;

  iph->ip_len		 = sizeof (struct ipheader) + sizeof (struct tcpheader);

  iph->ip_id		 = 1;

  iph->ip_off		 = 0;

  iph->ip_ttl		 = 255;

  iph->ip_p			 = 6;

  iph->ip_sum		 = 0;

  iph->ip_src		 = inet_addr ("1.2.3.4");

  iph->ip_dst		 = sin.sin_addr.s_addr;



  tcph->th_sport	 = htons (1234);

  tcph->th_dport	 = htons (PORT);

  tcph->th_seq		 = rand();

  tcph->th_ack		 = 0;

  tcph->th_x2		 = 0;

  tcph->th_off		 = 0;

  tcph->th_flags	 = 2; // SYN

  tcph->th_win		 = htons(65535);

  tcph->th_sum		 = 0;

  tcph->th_urp		 = 0;



  // Build the Psuedo Header



  pseudo_header.source_address    = inet_addr ("1.2.3.4");

  pseudo_header.dest_address	  = sin.sin_addr.s_addr;

  pseudo_header.placeholder		  = 0;

  pseudo_header.protocol		  = IPPROTO_TCP;

  pseudo_header.tcp_length		  = htons(sizeof(tcpheader));



// Calculate Checksum



  tcph->th_sum = checksum((unsigned short *)&pseudo_header, sizeof(pseudo_header));

  iph->ip_sum  = checksum((unsigned short *)&iph, sizeof(ipheader));

// ENABLE IPHDRINCL 



    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)) == SOCKET_ERROR)

    {

	   printf("setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());

	   return -1;

    }



  while (1)

    {

      // Send The Packet



    if (sendto(s, datagram, sizeof(datagram), 0, (SOCKADDR *)&sin, sizeof(sin)) == SOCKET_ERROR)

    {

       	   printf("sendto() failed: %d\n", WSAGetLastError());

	   return -1;

    }

    }



  return 0;

}



/********************** main.c source file ************************/



This program sends a tcp SYN packet to a target (you), it is a simple

program but a very powerful one. You can edit all of the header fields

enabling us to spoof our ip address amongst other things.



Notice that we can also set the port numbers, some firewalls will

let a packet with a port of 53 trough and not even log it, by knowing

security tid bits like this we can build better more sophisticated

programs.





7.0 RECIEVING RAW PACKETS

=======================================



Recieving Raw Packets was never dealt with in the Berkeley Raw Socket

specification, so far only linux 2.2.3 and up I believe ever dealt

with them, it is of course therefore surprising that Microsoft has

indeed supported a way to recieve raw packets with our programs! Yes

indeed I am starting to like the guy who came up with the idea of

supporting raw sockets in Windows more and more! But how do we do it?

Well what we do is this: sniff all incomming packets on our computer

and filter them for the packet we are looking for. This method can

be used for, obviously, creating a packet sniffer and also for a

firewall or some port redirection tool. Very good idea.



We do it by creating a new raw socket and binding it to the interface,

go into promiscuous mode and grab all the incomming packets.



As usual we would set up our socket with something like the following:



    SOCKET        sniffsock;

    SOCKADDR_IN   if0;





    sniffsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);





and then call bind() with this raw socket:





    bind(sniffsock, (SOCKADDR *)&if0, sizeof(if0));





we then go into Promiscuous mode and recieve all of the packets by

calling WSAIoctl() with SIO_RCVALL set:





   WSAIoctl(sniffsock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL,	NULL);





we can then use the WSARecv() function to grab the packets and feed

them into a buffer like so:





   recv(sniffsock, RecvBuf, sizeof(RecvBuf), 0);





We then use our own filterpacket() function to look for the particular

packet that we want.





So now for some example source code, this program will capture all packets

sent to your computer for as long as the program is running, to do this well

use a while loop to capture the packets then pass the packet to a function

called filterpacket() in order to get the information from the packets

headers. First create a new project and add a .cpp c++ source file.

Here comes the science bit.





/********************** recv.c source file ************************/



#include <winsock2.h>

#include <windows.h>

#include <ws2tcpip.h>

#include <stdio.h>



void outtie(char *p)

{

	FILE *fp = fopen("Sniffer1.txt","a+");

	fprintf(fp,"%s\n",p);

	fclose(fp);

}



#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)

#define MAX_ADDR_LEN 16

#define MAX_HOSTNAME_LAN 255



typedef struct _iphdr

{

unsigned char	h_lenver;

unsigned char	tos;

unsigned short	total_len;

unsigned short	ident;

unsigned short	frag_and_flags;

unsigned char	ttl;

unsigned char	proto;

unsigned short	checksum;

unsigned int	sourceIP;

unsigned int	destIP;

}IP_HDR;



void RecvPacket();

int filterpacket(char *buf);



char     output[500];



void main()

{

RecvPacket();

}



void RecvPacket()

{

    SOCKET        sock;

    WSADATA       wsd;

    char RecvBuf[65535] = {0};

	DWORD		  dwBytesRet;

	unsigned int  optval = 1;



	WSAStartup(MAKEWORD(2,1),&wsd);



	sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);



	char FAR name[MAX_HOSTNAME_LAN];

	gethostname(name, MAX_HOSTNAME_LAN);



	struct hostent FAR * pHostent;

	pHostent = (struct hostent * )malloc(sizeof(struct hostent));

	pHostent = gethostbyname(name);



	SOCKADDR_IN sa;

	sa.sin_family = AF_INET;

	sa.sin_port = htons(6000);



	memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length);



	bind(sock, (SOCKADDR *)&sa, sizeof(sa));



	WSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL);



	while (1)

    {

    memset(RecvBuf, 0, sizeof(RecvBuf));



	recv(sock, RecvBuf, sizeof(RecvBuf), 0);



	filterpacket(RecvBuf);

    }



}





// Filter the Packet



int filterpacket(char *buf)

{

IP_HDR *pIpheader;



char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN];

SOCKADDR_IN saSource, saDest;



int iProtocol, iTTL;



pIpheader = (IP_HDR *)buf;



//Check Proto

iProtocol = pIpheader->proto;



if(iProtocol==IPPROTO_TCP)

{

	sprintf(output,"Protocol is TCP");

	outtie(output);

}

if(iProtocol==IPPROTO_UDP)

{

	sprintf(output,"Protocol is UDP");

	outtie(output);

}

if(iProtocol==IPPROTO_ICMP)

{

	sprintf(output,"Protocol is ICMP");

	outtie(output);

}



//Check Source IP

saSource.sin_addr.s_addr = pIpheader->sourceIP;

strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);





//Check Dest IP

saDest.sin_addr.s_addr = pIpheader->destIP;

strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN);





iTTL = pIpheader->ttl;



//Output

sprintf(output,"%s->%s", szSourceIP, szDestIP);

outtie(output);



sprintf(output,"TTL=%d", iTTL);

outtie(output);



printf("\n");

return true;

}



/********************** recv.c source file ************************/



As i said this program will simply capture all packets sent to your

machine, it will then output their details to a file called Sniffer.txt

in the same directory as the program, as long as the program is running

the window will remain black but it is still outputting the information.



To enhance this program you could check the value of pIpheader->proto

field and add code to handle the underlying tcp header or just format

the output better.



You will notice the line #define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) at the

top of the file, this must be defined in all programs that capture packets,

not sure why it wasn't just defined in one of the standard header files

but what can we do.



You could use this and the previous program in unison to send a packet

and recv, checking received packets header fields to match values you

sent out, working the two together to build up a more complex program.





8.0 Last Words.

=======================================



With a tear in my eye its time unfortunately, to go. I hope you enjoyed

this final tutorial in the series and learnt alot from the series as a

whole and I hope you go on to  apply the knowledge you have learned from

this tutorial and from source code and create some great security

applications, maybe you can put all of the knowledge you have together

to create something good and now with an understanding of protocols and

how to implement them trough code you can review some security features

on the internet and create some excellent new programs. So I leave you

now with my TOP 5 suggestions to use your new knowledge, seperately or

in unison.



1. A stealth port scanner, sending ACK packets and listening for the

packets returned to find out if the port is open (A SYN packet) closed

(A RST Packet) or filtered (ICMP Blocked message).



2. OS Fingerprinting, filtering the packets sent by a computer to your

own to identify the operating system in use.



3. Packet capturing, dumping the packets you sniff to a text file to

examine them and learn protocols like icq or napster.



4. Stealth Communication, sending data in ICMP or ACK packets so there

not found by firewalls.



5. Build a firewall, filter the recieved packets to watch for signs of

attack or system penetration (sounds kinky :P).





Now you could even alter existing programs to add new features, send

packets on ports 53 or 81 to bypass firewalls like checkpoint. OS

finger print recieved packets to uncover firewall tricks like spoofing

the source ip of the target your trying to get to, any many other

things to aid in system security, or insecurity.





[ SHOUTS! ]



Starman_Jones		- Thanks for everything over the years (especially for my own room).



Vsus			- I am never drinking Tsambuca with you again :P.



Delusive			- Delusive's breasts owns j00!!!!



BSRF			- Thanks to every-1 at BSRF for releasing this and for being a good laugh :).



secure@microsoft.com	- The things you poor people must have to go trough.



Greg from microsoft	- Your a better man than I.