CSCE 665: Lab Basics. Virtual Machine. Guofei Gu

Transcription

1 CSCE 665: Lab Basics Guofei Gu Virtual Machine Virtual Machine: a so?ware implementacon of a programmable machine(client), where the so?ware implementacon is constrained within another computer(host) at a higher or lower level of symbolic abstraccon.[wiki]

2 Virtual Machine in Security Research You can run malware without damage!! No OS crash happened again!!! Honeynet and capture malware What you need to know: How to create a virtual machine/virtual team How to isolate your machine? And how to let them visit internet How to create snapshot so you can recover from crash or malware infeccon. So?ware: Vmware Player/Virtual Box VMWare Player Free So?ware Run mulcple OS at the same Cme on your PC Host OS: Windows 8, Windows 7, Chrome OS, Linux Homepage: h^p:// Download h^ps://my.vmware.com/web/vmware/ free#desktop_end_user_compucng/vmware_player/ 5_0

3 Download Cont. Create a new VM Open an exiscng VM

4 Cont. ConfiguraCon Network ConfiguraCon Start VM

5 File Sharing with the host Contd. Shared Folder Path

6 9/3/13 CommunicaCon between two VMs Create and Configure two VMs CommunicaCon between two VMs VM One IP for VM One IP for VM Two VM Two

7 Virtual Box Free So?ware Run mulcple OS at the same Cme on your PC Host OS: Windows, Linux, Mac OS Homepage: h^ps:// Download h^ps://

8 9/3/13 Basic Unix/Linux programming Accessing CS systems PuTTY (pu^y.exe) a Telnet and SSH client Common hosts: unix.cs.tamu.edu linux.cs.tamu.edu Port 22 and SSH opcon Accept key if prompted Open and enter CS username and password

9 Common Commands ls list current directory (ignores files that are invisible ) cd bob change directory to bob folder cd.. (jumps one level up in directory) mkdir filename makes a folder of given filename rm blah removes file rm *.ext removes everything in current directory of a given extension ext pwd lists the path of the current directory other commands can be found at h^ps://wiki.cse.tamu.edu/index.php/ Basic_UNIX_Commands File Editors As the directory you log into with unix and linux is the same as your H drive in most cases, you can modify files in a normal windows environment Visual Studio, Notepad++, GVIM, etc. If you want to modify files in the pu^y system, common editors are pico (gives help at bo^om) and vi (has more syntacccal highlighcng) pico filename vi filename

10 Compiling C programs gcc filename.c - compiles and links c program, generacng an executable file C++ g++ filename.cpp - compiles and links c++ program, generacng an executable file OpCons for both - c compiles only, thus a main funccon is not needed - o renames the executable or compiled part in case of c, thus your executable no longer must go under the a.out name Debugging Unix/Linux debugger GDB First compile and link your program (gcc or g++) gdb executable starts up gdb run executes the program and returns details about errors if any For more info that concerns insercng breakpoints and stepping through your code look at h^p:// gdbtoc.html

11 Makefiles Makefiles are ways you can simplify compilacon and linking on large projects by specifying once the order of linking/upkeep of the compilacon process More info on creacon and use of these files can be found at h^p:// maketutorial/make.html and h^p://frank.mtsu.edu/~csdept/ FaciliCesAndResources/make.htm Tools and Useful Reference C/C++ program IDE: CodeBlock h^p:// Eclipse h^p:// Linux Programming References: [Richard Stevens]UNIX Network Programming [ Neil Ma^hew] Beginning Linux Programming Vmware Network: What is the differences among NAT, Host only and Bridge: h^p://blog- rat.blogspot.com/2009/05/bridged- vs- host- only- vs- nat.html

12 Libpcap Programming: Packet Sniffing for Security libpcap is an open source C library for pusng your NIC in promiscuous mode. Today I ll go over a few C gotchas and how to use the libpcap API Now, many wrappers for cap have developed to support other programming language, such as: pylibpcap for python, jnetpcap for Java IntroducCon libpcap is an open source C library for pusng your NIC in promiscuous mode. Today I ll go over a few C gotchas and how to use the libpcap API 24

13 Agenda Installing libpcap Basic libpcap program Grab a device to sniff Filters/Event Loops Packet structure 25 Linux: for Ubuntu user: Gesng the library sudo apt- get install libpcap- dev Compiled from source: h9p://sourceforge.net/projects/libpcap/ 26

14 Install on Linux gunzip libpcap tar.gz tar - xvf libpcap tar cd libpcap /configure make 27 Overview of libpcap Open live What to include and how to compile Going Live ether Main Event Loop Reading from a packet Filters TCP UDP IP ARP ICMP 28

15 What to include and how to compile gcc sniff.c - lpcap o sniff You must be root or admin Some headers I ve used. #include <pcap.h> #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include<necnet/if_ether.h> #include<necnet/in.h> #include <necnet/ip.h> #include <necnet/tcp.h> #include <arpa/inet.h> For Windows,maybe you need: #include <winsock.h> 29 Gesng onto the NIC int main(int argc, char **argv) { char *dev; /* name of the device to use */ pcap_t* descr; /* pointer to device descriptor */ struct pcap_pkthdr hdr; /* struct: packet header */ const u_char *packet; /* pointer to packet */ bpf_u_int32 maskp; /* subnet mask */ bpf_u_int32 netp; /* ip */ char errbuf[pcap_errbuf_size]; /* ask pcap to find a valid device to sniff */ dev = pcap_lookupdev(errbuf); if(dev == NULL) { printf("%s\n",errbuf); exit(1); } printf("dev: %s\n",dev); 30

16 Going Live! descr = pcap_open_live(dev,bufsiz, 0, -1,errbuf); /* BUFSIZ is max packet size to capture, 0 is promiscous, -1 means don t wait for read to time out. */ if(descr == NULL) { printf("pcap_open_live(): %s\n",errbuf); } exit(1); AlternaCvely you can also use pcap_open_offline() to open a dump file 31 Once live, capture a packet. packet = pcap_next(descr, &hdr); if (packet == NULL) { printf( It got away!\n"); exit(1); } else printf( one lonely packet.\n ); return 0; } //end main 32

17 Main Event Loop void my_callback(u_char *useless,const struct pcap_pkthdr* pkthdr,const u_char* packet) { //do stuff here with packet } int main(int argc, char **argv) { //open and go live } pcap_loop(descr,-1,my_callback,null); return 0; 33 What is an ethernet header? From #include<necnet/if_ether.h> struct ether_header { u_int8_t ether_dhost[eth_alen]; /* 6 bytes destination */ u_int8_t ether_shost[eth_alen]; /* 6 bytes source addr */ u_int16_t ether_type; /* 2 bytes ID type */ } attribute (( packed )); Some ID types: #define ETHERTYPE_IP 0x0800 /* IP */ #define ETHERTYPE_ARP 0x0806 /* Address resolution */ Is this platform independent? 34

18 Cont. So we may need to swap bytes to read the data. struct ether_header *eptr; /* where does this go? */ eptr = (struct ether_header *) packet; /* Do a couple of checks to see what packet type we have..*/ if (ntohs (eptr->ether_type) == ETHERTYPE_IP) { printf("ethernet type hex:%x dec:%d is an IP packet\n", ntohs(eptr->ether_type), ntohs(eptr->ether_type)); } else if (ntohs (eptr->ether_type) == ETHERTYPE_ARP) { printf("ethernet type hex:%x dec:%d is an ARP packet\n, ntohs(eptr->ether_type), ntohs(eptr->ether_type)); } 35 Filter we don t need to see every packet! Filters are strings. They get compiled into programs struct bpf_program fp; //where does it go? Just before the event loop: if (pcap_compile(descr,&fp,argv[1],0,netp) == -1) { fprintf(stderr,"error calling pcap_compile\n"); exit(1); } if (pcap_setfilter(descr,&fp) == -1) { fprintf(stderr,"error setting filter\n"); exit(1); } 36

19 References h^p:// seccon1.html h^p:// h^p://mixter.void.ru/rawip.html h^p:// group wpcapsamps.html h^p://users.soe.ucsc.edu/~aneeman/libpcap.ppt