The Libnet Library

PLUS 내부 세미나 1/22

The Libnet Library

이병영[email protected]

2004/05/06


CONTENTS

Introduction of libnet Building packets (with libnet-1.1)

Four steps to send a packet Practical use example with libnet

ARP spoofing TCP RESET attack


Introduction of Libnet

Libnet is a C library providing a high-level interface to packet injection.

Previous to libnet, programmers had to wrestle with confusing, obscure, and poorly documented interfaces to build and write network packets .



Libnet is a wonderful utility for writing security-related applications, tools and modules.

Many recent exploits and tools have been rapidly developed using libnet.


Building packets

Libnet contexts

typedef struct { ... /* some declarations */ } libnet_t;


Building packets

Libnet pblock(packet block)

struct libnet_protocol_block { … /* some declarations */ }; typedef struct libnet_protocol_block libnet_pblock_t;


Building packets - our example’s plan

Suppose that we want to build a simple UDP packet work in link layer level

So we have to builda UDP, IPV4, ethernet header(pblock)in libnet contexts.


Building packets (1)Initializing the context

libnet_t* libnet_init ( int injection_type, char * device, char * err_buf)

injection type Decides your working level LIBNET_RAW4, LIBNET_LINK

device Specify the device you will use

err_buf Buffer to write the error message


Building packets (2)Building pblock (UDP)

Build a UDP headerlibnet_ptag_t libnet_build_udp( u_int16_t sp, // The src UDP port

u_int16_t dp, // The dst UDP portu_int16_t len, // Length of UDP pac

ket u_int16_t sum, // Checksum, 0 for libnet autofill u_int8_t *payload, // Optional payload u_int32_t payload_s, // Payload size

libnet_t *l, // The libnet context pointer libnet_ptag_t ptag // Protocol tag

);


Building packets (2)Building pblock (IPV4)

Build a IPV4 header libnet_ptag_t libnet_build_ipv4(

u_int16_t len, // Length of IPV4 packetu_int8_t tos, // Type of service bitsu_int16_t id, // IP identificationu_int16_t frag, // Fragmentation bitsu_int8_t ttl, // Time to liveu_int8_t prot, // Upper layer protocolu_int16_t sum, // Checksum, 0 for libnet autofillu_int32_t src, // Src IP addressu_int32_t dst, // Dst IP addressu_int8_t *payload, // Optional payload

u_int32_t payload_s, // Payload sizelibnet_t *l, // The libnet context pointerlibnet_ptag_t ptag); // Protocol tag


Building packets (2)Building pblock (Ethernet)

Bulid a ethernet headerlibnet_ptag_t libnet_build_ethernet(

u_int8_t *dst, // Dst ethernet addressu_int8_t *src, // Src ethernet addressu_int16_t type, // Upper layer typeu_int8_t *payload, // Optional payloadu_int32_t payload_s, // Payload sizelibnet_t *l, // The libnet context pointer

libnet_ptag_t ptag); // Protocal tag


Building packets (3)Write the packet to wire

After building pblock, just call the function libnet_write with argument of libnet_t pointer.

int libnet_write ( libnet_t * ) Returns the amount of bytes

written to the wire.


Building packets (4)Clean up a libnet context

void libnet_destroy ( libnet_t * ) This function frees memeory of libnet context.


Building packets- confirm with tcpdump


Practical use – (1) ARP spoofing


Practical use – (2) TCP RESET attack

In a traditional sequence number attack, the exact sequence number considered valid and accepted by the receiving TCP endpoint.

The utilization of the TCP window size to reduce the number of sequence numbers that must be guessed.

More details are in document “Slippling in the window : TCP Reset Attacks”.


References

1. Libnet reference manual http://www.packetfactory.net/libnet/dist/deprecated/manual

2. Building packets for dummies and others with libnet http://www.security-labs.org/index.php3?page=libnet

3. TCP/IP Illustrated, Volume1 by Stevens

4. Slippling in the window : TCP Reset Attacks http://www.frame4.com/php/printout2615.html

The Libnet Library

Documents

Transcript of The Libnet Library