The IP Protocol injected, inspected, detected, infected - Part II

On the previous chapter of "IP injected, inspected, detected, infected" -

• "Programmers that deal with networks and TCP/IP, sometimes want or need to do the following nasty things to or with the protocol..."
• "Inspecting IP packets flowing through the network..."
• "Detecting IP packets, doing some automatic analysis to the packets..."

Today we will look at the other part - injecting new IP packets, and infecting existing IP packets.

IP Injection - This is raw stuff, human!

• Injecting IP packets is historically done using "raw sockets".
• These sockets work at the IP protocol level:
  1. They see everything (coming to the machine).
  2. They allow creating packets (at the IP protocol level).
  3. Two modes of operation:
     1. Mode I - we let the kernel form the IP header.
     2. Mode II - we form the entire IP header ourselves.

Creating Raw Sockets

#include <sys/types.h>
#include <sys/socket.h>

int s = socket(PF_NET, SOCK_RAW, IPPROTO_ICMP);
if (s == -1) {
    perror("raw socket():");
    exit(1);
}

Sending A Packet Via The Raw Socket

#include <netinet/ip_icmp.h>

struct icmphdr icmphdr

/* clear out the packet, and fill with contents. */
memset(&icmphdr, 0, sizeof(struct icmphdr));
icmphdr.type = ICMP_ECHO;
icmphdr.un.echo.sequence = 50;  /* just some random number. */
icmphdr.un.echo.id = 48;        /* just some random number. */
icmphdr.checksum =
    in_cksum((unsigned short*)&icmphdr, sizeof(struct icmphdr));

Sending A Packet Via The Raw Socket (Cont.)

#include <netinet/in.h>
#include <arpa/inet.h>

struct sockaddr_in addr;

// prepare the address we're sending the packet to.
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
inet_aton("127.0.0.1", &addr.sin_addr);

// finally, send the packet.
rc = sendto(s,
            &icpmhdr, sizeof(struct icmphdr),
            0 /* flags */,
            (struct sockaddr*)&addr, sizeof(addr));
if (rc == -1) {
    perror("sendto:");
    exit(1);
}

Receiving Packets Using A Raw Socket

/* the received packet contains the IP header... */
char rbuf[sizeof(struct iphdr) + sizeof(struct icmp)];
struct sockaddr_in raddr;
socklen_t raddr_len;

// receive the packet that we sent (since we sent it to ourselves,
// and a raw socket sees everything...).
rc = recvfrom(s,
              rbuf, sizeof(rbuf),
              0 /* flags */,
              (struct sockaddr*)&raddr, &raddr_len);
if (rc == -1) {
    perror("recvfrom 1:");
    exit(1);
}

Parse The Received Packet

struct iphdr* iphdr = NULL;
struct icmphdr* recv_icmphdr = NULL;

// we got an IP packet - verify that it contains an ICMP message.
iphdr = (struct iphdr*)rbuf;
if (iphdr->protocol != IPPROTO_ICMP) {
    fprintf(stderr, "Expected ICMP packet, got %u\n", iphdr->protocol);
    exit(1);
}

Parse The Received Packet (Cont.)

// verify that it's an ICMP echo request, with the expected seq. num + id.
icmphdr = (struct icmphdr*)(rbuf + (iphdr->ihl * 4));
if (icmphdr->type != ICMP_ECHOREPLY) {
    fprintf(stderr, "Expected ICMP echo-reply, got %u\n", icmphdr->type);
    exit(1);
}
if (icmphdr->un.echo.sequence != 50) {
    fprintf(stderr,
            "Expected sequence 50, got %d\n", icmphdr->un.echo.sequence);
    exit(1);
}
if (icmphdr->un.echo.id != 48) {
    fprintf(stderr,
            "Expected id 48, got %d\n", icmphdr->un.echo.id);
    exit(1);
}
printf("Got the expected ICMP echo-request\n");

Creating The IP Header Too

In order to create the complete IP packet (including the header), we use a socket option:

char on = 1;
setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));

Netfilter, ip_queue And Netlink

• Netfilter (Linux's firewall) supports a unique target - passing packets to a user program for control purposes.
• We specify an iptables rule with the QUEUE target...
• And write a program that 'judges' packets - "this one goes, this one stays, this one gets modified...".

Defining The Iptables Rule

• Decide which packets you want filtered.
• Lets filter all ICMP packets coming through the loopback interface:

  • iptables -I INPUT 1 --in-interface lo --proto icmp --jump QUEUE

  (the '-I ... 1' inserts this as the first filtering rule).
• By default, matching packets will be discarded, until we have a program listening for them.

The 'ipq' Library

• libipq makes it easier to access packets queued via netlink.
• Download the iptables source from http://www.netfilter.org/downloads.html
• Compile it, but only install the development part ("make install-devel").
• You'll get "/usr/local/include/libipq.h", "/usr/local/lib/libiptc.a" and "/usr/local/lib/libipq.a".

Initializing libipq

#include <linux/netfilter.h>  /* \ for libipq methods */
#include <libipq.h>           /* / and types.         */

/* we want to get IP traffic. */
struct ipq_handle *h = ipq_create_handle(0, PF_INET);
if (!h) {
    ipq_perror("ipq_create_handle:");
    exit(1);
}

// set the queuing mode - we want to have the packets copied
// to user space, with up to BUFSIZE octets copied.
#define BUFSIZE 2048
rc = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
if (rc < 0) {
    ipq_perror("ipq_set_mode:");
    ipq_destroy_handle(h);
    exit(1);
}

Reading Packets From The Queue

• In order to read a message, we use the 'ipq_read()' function:

  unsigned char buf[BUFSIZE];
  int rc = ipq_read(h, buf, BUFSIZE, 0 /*blocking*/);
  

• In order to check what type of message we got (packet, error....):

  int msg_type = ipq_message_type(buf);

• The interesting message type is IPQM_PACKET - a real (IP) packet.

"Judging Them Little Buggers"

• To tell the kernel what to do with a packet, we need to give verdict:

  • int rc = ipq_set_verdict(h, msg->packet_id, NF_ACCEPT, 0, NULL);

    The '0' and 'NULL' mean "forward the original packet, I'm not supplying a replacement payload".
• Possible verdicts:
  1. NF_ACCEPT - allow the packet to continue its route.
  2. NF_DROP - drop the packet (without telling anyone, shh!).

A Packet Reading Loop

// loop forever, reading packets.
while (1) {
    int msg_type;

    rc = ipq_read(h, buf, BUFSIZE, 0);
    if (rc < 0) {
        ipq_perror("ipq_read:");
        ipq_destroy_handle(h);
        exit(1);
    }

    msg_type = ipq_message_type(buf);
    switch (msg_type) {
        case NLMSG_ERROR:
            fprintf(stderr, "ipq_read got error %d",
                    ipq_get_msgerr(buf));
            break;
        case IPQM_PACKET:
            {
                ipq_packet_msg_t* msg = ipq_get_packet(buf);
                rc = ipq_set_verdict(h, msg->packet_id, NF_ACCEPT, 0, NULL);
            }
            break;
        default:
            fprintf(stderr, "unknown ipq msg type %d\n", msg_type);
    }
}

References

1. Raw IP Networking FAQ - http://www.faqs.org/faqs/internet/tcp-ip/raw-ip-faq/
2. The "libnet" Packet Construction Library - http://www.packetfactory.net/Projects/Libnet/
3. Iptables Download - http://www.netfilter.org/downloads.html
4. man libipq

Originally written by guy keren