<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm Super Digest Download</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX Network Programming (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif" border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">Back to start</a>][<a href="8.htm">Up one level</a>][<a href="162.htm">Next</a>]
<hr><p align="left"><small>From: guru (fond of reading, not seeking deep understanding), Board: UNP <br>
Subject: phrack 49-6 <br>
Site: UNIX Programming (Sunday, 12 Aug 2001 09:02:04), local mail <br>
<br>
.oO Phrack Magazine Oo. <br>
<br>
Volume Seven, Issue Forty-Nine <br>
<br>
File 06 of 16 <br>
<br>
[ Project Loki ] <br>
<br>
whitepaper by daemon9 AKA route <br>
sourcecode by daemon9 && alhambra <br>
for Phrack Magazine <br>
August 1996 Guild Productions, kid <br>
<br>
comments to route@infonexus.com/alhambra@infonexus.com <br>
<br>
<br>
--[ Introduction ]-- <br>
<br>
<br>
<br>
Ping traffic is ubiquitous to almost every TCP/IP based network and <br>
subnetwork. It has a standard packet format recognized by every IP-speaking <br>
router and is used universally for network management, testing, and <br>
measurement. As such, many firewalls and networks consider ping traffic <br>
to be benign and will allow it to pass through, unmolested. This project <br>
explores why that practice can be insecure. Ignoring the obvious threat of <br>
the done-to-death denial of service attack, use of ping traffic can open up <br>
covert channels through the networks in which it is allowed. <br>
<br>
Loki, Norse God of deceit and trickery, the 'Lord of Misrule' was <br>
well known for his subversive behavior. Inversion and reversal of all sorts <br>
was typical for him. Due to its clandestine nature, we chose to name this <br>
project after him. <br>
<br>
The Loki Project consists of a whitepaper covering this covert channel <br>
in detail. The sourcecode is not for distribution at this time. <br>
<br>
<br>
--[ Overview ]-- <br>
<br>
<br>
This whitepaper is intended as a complete description of the covert <br>
channel that exists in networks that allow ping traffic (hereon referred to <br>
in the more general sense of ICMP_ECHO traffic --see below) to pass. It is <br>
organized into sections: <br>
<br>
Section I. ICMP Background Info and the Ping Program <br>
Section II. Basic Firewall Theory and Covert Channels <br>
Section III. The Loki Premise <br>
Section IV. Discussion, Detection, and Prevention <br>
Section V. References <br>
<br>
(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first <br>
read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz) <br>
<br>
<br>
Section I. ICMP Background Info and the Ping Program <br>
<br>
<br>
The Internet Control Message Protocol is an adjunct to the IP layer. <br>
It is a connectionless protocol used to convey error messages and other <br>
information to unicast addresses. ICMP packets are encapsulated inside of IP <br>
datagrams. The first 4-bytes of the header are the same for every ICMP message, <br>
with the remainder of the header differing for different ICMP message types. <br>
There are 15 different types of ICMP messages. <br>
<br>
The ICMP types we are concerned with are type 0x0 and type 0x8. <br>
ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type <br>
0x8 indicates an ICMP_ECHO (the query). The normal course of action is <br>
for a type 0x8 to elicit a type 0x0 response from a listening server. <br>
(Normally, this server is actually the OS kernel of the target host. Most <br>
ICMP traffic is, by default, handled by the kernel). This is what the ping <br>
program does. <br>
<br>
Ping sends one or more ICMP_ECHO packets to a host. The purpose <br>
may just be to determine if a host is in fact alive (reachable). ICMP_ECHO <br>
packets also have the option to include a data section. This data section <br>
is used when the record route option is specified, or, the more common case, <br>
(usually the default) to store timing information to determine round-trip <br>
times. (See the ping(8) man page for more information on these topics). <br>
An excerpt from the ping man page: <br>
<br>
"...An IP header without options is 20 bytes. An ICMP ECHO_REQUEST packet <br>
contains an additional 8 bytes worth of ICMP header followed by an <br>
arbitrary-amount of data. When a packetsize is given, this indicated the <br>
size of this extra piece of data (the default is 56). Thus the amount of <br>
data received inside of an IP packet of type ICMP ECHO_REPLY will always <br>
be 8 bytes more than the requested data space (the ICMP header)..." <br>
<br>
Although the payload is often timing information, there is no check by <br>
any device as to the content of the data. So, as it turns out, this amount of <br>
data can also be arbitrary in content as well. Therein lies the covert <br>
channel. <br>
<br>
<br>
Section II. Basic Firewall Theory and Covert Channels <br>
<br>
<br>
The basic tenet of firewall theory is simple: To shield one network <br>
from another. This can be clarified further into 3 provisional rules: <br>
1. All traffic passing between the two networks must pass through the firewall. <br>
2. Only traffic authorized by the firewall may pass through (as dictated by <br>
the security policy of the site it protects). <br>
3. The firewall itself is immune to compromise. <br>
<br>
A covert channel is a vessel in which information can pass, but this <br>
vessel is not ordinarily used for information exchange. Therefore, as a <br>
matter of consequence, covert channels are impossible to detect and deter <br>
using a system's normal (read: unmodified) security policy. In theory, <br>
almost any process or bit of data can be a covert channel. In practice, it <br>
is usually quite difficult to elicit meaningful data from most covert <br>
channels in a timely fashion. In the case of Loki, however, it is quite <br>
simple to exploit. <br>
<br>
A firewall, in its most basic sense, seeks to preserve the security <br>
policy of the site it protects. It does so by enforcing the 3 rules above. <br>
Covert channels, however, by very definition, are not subject to a site's <br>
normal security policy. <br>
<br>
<br>
Section III. The Loki Premise <br>
<br>
<br>
The concept of the Loki Project is simple: arbitrary information <br>
tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. Loki <br>
exploits the covert channel that exists inside of ICMP_ECHO traffic. This <br>
channel exists because network devices do not filter the contents of ICMP_ECHO <br>
traffic. They simply pass them, drop them, or return them. The trojan packets <br>
themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate <br>
(tunnel) any information we want. From here on out, Loki traffic will refer <br>
to ICMP_ECHO traffic that tunnels information. (Astute readers will note that <br>
Loki is simply a form of steganography). <br>
<br>
Loki is not a compromise tool. It has many uses, none of which are <br>
breaking into a machine. It can be used as a backdoor into a system by <br>
providing a covert method of getting commands executed on a target machine. <br>
It can be used as a way of clandestinely leeching information off of a <br>
machine. It can be used as a covert method of user-machine or user-user <br>
communication. In essence the channel is simply a way to secretly shuffle <br>
data (confidentiality and authenticity can be added by way of cryptography). <br>
<br>
Loki is touted as a firewall subversion technique, but in reality it <br>
is simply a vessel to covertly move data. *Through* exactly what we move this <br>
data is not so much an issue, as long as it passes ICMP_ECHO traffic. It does <br>
not matter: routers, firewalls, packet-filters, dual-homed hosts, etc... all <br>
can serve as conduits for Loki. <br>
<br>
<br>
Section IV. Discussion, Detection and Prevention <br>
<br>
<br>
If ICMP_ECHO traffic is allowed, then this channel exists. If this <br>
channel exists, then it is unbeatable for a backdoor (once the system is <br>
compromised). Even with extensive firewalling and packet-filtering <br>
mechanisms in place, this channel continues to exist (provided, of course, <br>
they do not deny the passing of ICMP_ECHO traffic). With a proper <br>
implementation, the channel can go completely undetected for the duration of <br>
its existence. <br>
<br>
Detection can be difficult. If you know what to look for, you may <br>
find that the channel is being used on your system. However, knowing when <br>
to look, where to look, and the mere fact that you *should* be looking all <br>
have to be in place. A surplus of ICMP_ECHOREPLY packets with a garbled <br>
payload can be a ready indication the channel is in use. The standalone Loki <br>
server program can also be a dead give-away. However, if the attacker can <br>
keep traffic on the channel down to a minimum, and were to hide the Loki <br>
server *inside* the kernel, detection suddenly becomes much more difficult. <br>
<br>
Disruption of this channel is simply preventative. Disallow ICMP_ECHO <br>
traffic entirely. ICMP_ECHO traffic, when weighed against the security <br>
liabilities it imposes, is simply not *that* necessary. Restricting ICMP_ECHO <br>
traffic to be accepted from trusted hosts only is ludicrous with a <br>
connectionless protocol such as ICMP. Forged traffic can still reach the <br>
target host. The LOKI packet with a forged source IP address will arrive at <br>
the target (and will elicit a legitimate ICMP_ECHOREPLY, which will <br>
travel to the spoofed host, and will be subsequently dropped silently) and <br>
can contain the 4-byte IP address of the desired target of the Loki response <br>
packets, as well as 51-bytes of malevolent data... While the possibility <br>
exists for a smart packet filter to check the payload field and ensure that <br>
it *only* contains legal information, such a filter for ICMP is not in wide <br>
usage, and could still be open to fooling. The only sure way to destroy this <br>
channel is to deny ALL ICMP_ECHO traffic into your network. <br>
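<p>An added detection example, not part of the Phrack article or the Loki source, showing the payload structure from Section I and the indicator described above: echo and echo-reply traffic whose data section does not look like a normal ping payload, counted per source host. Everything in it is constructed for this example. The sample packets are built inline, and the reference ping fill patterns (a timestamp followed by bytes whose value equals their offset, or the repeating alphabet of the Windows ping) and the 4.0-bit entropy threshold are assumptions about common implementations, not facts taken from the article.</p>

```python
import math
import socket
import struct
from collections import Counter

ICMP_ECHOREPLY = 0
ICMP_ECHO = 8

# Reference payloads of common ping implementations. These are assumed
# heuristics for this example, not facts stated in the article: iputils-style
# ping writes a timestamp and then fills byte i with the value i; Windows ping
# sends a repeating alphabet.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
IPUTILS_PAYLOAD = struct.pack("!Q", 0) + bytes(range(8, 56))
# Constructed stand-in for encrypted/compressed tunnel data: 56 distinct bytes.
HIGH_ENTROPY_PAYLOAD = bytes((i * 37 + 11) & 0xFF for i in range(56))


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src, dst, icmp_type, payload, ident=0x1234, seq=1):
    """Build a minimal IPv4 datagram carrying an ICMP echo/echo-reply as sample
    input for the detector (the IP header checksum stays zero; nothing is sent)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    hdr = struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + payload), ident, seq)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr) + len(payload),
                         0, 0, 64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + hdr + payload


def parse_echo(packet: bytes):
    """Return a dict for a well-formed ICMP echo/echo-reply, else None.
    Non-IPv4, non-ICMP, truncated and checksum-invalid packets are rejected."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if ihl < 20 or len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (ICMP_ECHO, ICMP_ECHOREPLY):
        return None
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "type": itype, "id": ident, "seq": seq, "payload": icmp[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for constant data, up to 8 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload is empty or matches one of the assumed benign fill patterns."""
    if len(payload) == 0 or payload == WINDOWS_PING_PAYLOAD:
        return True
    for prefix in (8, 16):  # assumed timestamp lengths preceding the fill bytes
        tail = payload[prefix:]
        if len(payload) >= prefix and all(tail[k] == (prefix + k) & 0xFF for k in range(len(tail))):
            return True
    return False


def classify_payload(payload: bytes, entropy_threshold: float = 4.0) -> str:
    """'standard', 'high-entropy' (encrypted/compressed-looking) or 'nonstandard'.
    The 4.0-bit threshold is an assumed tuning value, not from the article."""
    if looks_like_standard_ping(payload):
        return "standard"
    if shannon_entropy(payload) >= entropy_threshold:
        return "high-entropy"
    return "nonstandard"


def scan(packets, alert_after=3):
    """Count echo/echo-reply messages per source host whose payload is not a
    standard ping pattern; hosts at or above alert_after come back as
    (host, count) alerts, highest count first."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_echo(pkt)
        if parsed is not None and classify_payload(parsed["payload"]) != "standard":
            counts[parsed["src"]] += 1
    return sorted(((h, n) for h, n in counts.items() if n >= alert_after),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample traffic: two normal pings, one Windows ping, one odd reply
# from 10.0.0.7, and a steady stream of high-entropy replies from 10.0.0.99.
SAMPLE_PACKETS = [
    build_ipv4_icmp("10.0.0.5", "10.0.0.1", ICMP_ECHO, IPUTILS_PAYLOAD),
    build_ipv4_icmp("10.0.0.1", "10.0.0.5", ICMP_ECHOREPLY, IPUTILS_PAYLOAD),
    build_ipv4_icmp("10.0.0.6", "10.0.0.1", ICMP_ECHO, WINDOWS_PING_PAYLOAD),
    build_ipv4_icmp("10.0.0.7", "10.0.0.1", ICMP_ECHOREPLY, b"A" * 56),
] + [build_ipv4_icmp("10.0.0.99", "10.0.0.1", ICMP_ECHOREPLY, HIGH_ENTROPY_PAYLOAD, seq=s)
     for s in range(4)]
# Same first packet with its last payload byte flipped, so the checksum no longer verifies.
CORRUPTED = SAMPLE_PACKETS[0][:-1] + bytes([SAMPLE_PACKETS[0][-1] ^ 0xFF])

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        p = parse_echo(pkt)
        print(p["src"], "->", p["dst"], "type", p["type"], classify_payload(p["payload"]))
    print("alerts:", scan(SAMPLE_PACKETS))
```

<p>The payload check alone is the "smart packet filter" the text mentions turned into a verdict; what the scan adds is the per-host count, because one odd packet is noise while a steady run of them from a single host is the "surplus of ICMP_ECHOREPLY packets with a garbled payload" named above. The check says nothing about a tunnel whose data is shaped to match a standard fill pattern, which is why the article's conclusion stands: where echo traffic is not needed, deny it rather than inspect it.</p>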
<br>
NOTE: This channel exists in many other protocols. Loki simply covers <br>
ICMP, but in theory (and practice) any protocol is vulnerable to covert <br>
data tunneling. All that is required is the ingenuity... <br>
<br>
Section V. References <br>
<br>
<br>
Books: TCP Illustrated vols. I, II, III <br>
RFCs: rfc 792 <br>
Source: Loki v1.0 <br>
Ppl: We did not pioneer this concept. To our knowledge, <br>
it was discovered independently of our efforts, prior to our <br>
research. This party wishes to remain aloof. <br>
<br>
<br>
This project made possible by a grant from the Guild Corporation. <br>
<br>
<br>
EOF <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
papaskin@papaskin.com 2001-07-27 <br>
Project Loki: ICMP Tunneling phrack 49-6 <br>
<br>
<br>
I can't believe how old this article is!! Here it is July of 2001 and I'm <br>
tracking this Loki down myself. I'm in Network IDS and very new to it, and <br>
being told that this Loki icmp packet I see hitting our primary dns server <br>
is "normal network traffic". Only problem is that on the <br>
outgoing side of the dns server, it's throwing port probes and packets like <br>
there's no tomorrow. I'm thinking this has been converted to use UDP <br>
packets and even port 53 to mask itself as actual usable traffic. I guess <br>
it's time for me to pull the packets down and open each one. I pray to <br>
find Loki active actually in the raw packet data so I can say "ha <br>
ha" to my sys admins. <br>
<br>
<br>
<br>
<br>
-- <br>
Target Locked:Guru In Darkness. <br>
I am just a lion lying quietly... <br>
※ Source: UNIX Programming www.tiaozhan.com/unixbbs/ [FROM: 202.114.36.196] <br>
</small><hr>
<p align="center">[<a href="index.htm">Back to start</a>][<a href="8.htm">Up one level</a>][<a href="162.htm">Next</a>]
<p align="center"><a href="http://cterm.163.net">Welcome to the Cterm home page</a></p>
</table>
</body>
</html>