CSCE 665: Lab Basics Guofei Gu Virtual Machine Virtual Machine: a so?ware implementacon of a programmable machine(client), where the so?ware implementacon is constrained within another computer(host) at a higher or lower level of symbolic abstraccon.[wiki]
Virtual Machine in Security Research You can run malware without damage!! No OS crash happened again!!! Honeynet and capture malware What you need to know: How to create a virtual machine/virtual team How to isolate your machine? And how to let them visit internet How to create snapshot so you can recover from crash or malware infeccon. So?ware: Vmware Player/Virtual Box VMWare Player Free So?ware Run mulcple OS at the same Cme on your PC Host OS: Windows 8, Windows 7, Chrome OS, Linux Homepage: h^p://www.vmware.com/products/player/ Download h^ps://my.vmware.com/web/vmware/ free#desktop_end_user_compucng/vmware_player/ 5_0
Download Cont. Create a new VM Open an exiscng VM
Cont. ConfiguraCon Network ConfiguraCon Start VM
File Sharing with the host Contd. Shared Folder Path
9/3/13 CommunicaCon between two VMs Create and Configure two VMs CommunicaCon between two VMs VM One IP for VM One IP for VM Two VM Two
Virtual Box Free So?ware Run mulcple OS at the same Cme on your PC Host OS: Windows, Linux, Mac OS Homepage: h^ps://www.virtualbox.org/ Download h^ps://www.virtualbox.org/wiki/downloads
9/3/13 Basic Unix/Linux programming Accessing CS systems PuTTY (pu^y.exe) a Telnet and SSH client Common hosts: unix.cs.tamu.edu linux.cs.tamu.edu Port 22 and SSH opcon Accept key if prompted Open and enter CS username and password
Common Commands ls list current directory (ignores files that are invisible ) cd bob change directory to bob folder cd.. (jumps one level up in directory) mkdir filename makes a folder of given filename rm blah removes file rm *.ext removes everything in current directory of a given extension ext pwd lists the path of the current directory other commands can be found at h^ps://wiki.cse.tamu.edu/index.php/ Basic_UNIX_Commands File Editors As the directory you log into with unix and linux is the same as your H drive in most cases, you can modify files in a normal windows environment Visual Studio, Notepad++, GVIM, etc. If you want to modify files in the pu^y system, common editors are pico (gives help at bo^om) and vi (has more syntacccal highlighcng) pico filename vi filename
Compiling C programs gcc filename.c - compiles and links c program, generacng an executable file C++ g++ filename.cpp - compiles and links c++ program, generacng an executable file OpCons for both - c compiles only, thus a main funccon is not needed - o renames the executable or compiled part in case of c, thus your executable no longer must go under the a.out name Debugging Unix/Linux debugger GDB First compile and link your program (gcc or g++) gdb executable starts up gdb run executes the program and returns details about errors if any For more info that concerns insercng breakpoints and stepping through your code look at h^p://www.unknownroad.com/rom/gdbtut/ gdbtoc.html
Makefiles Makefiles are ways you can simplify compilacon and linking on large projects by specifying once the order of linking/upkeep of the compilacon process More info on creacon and use of these files can be found at h^p://www.emba.uvm.edu/~snapp/ maketutorial/make.html and h^p://frank.mtsu.edu/~csdept/ FaciliCesAndResources/make.htm Tools and Useful Reference C/C++ program IDE: CodeBlock h^p://www.codeblocks.org/ Eclipse h^p://www.eclipse.org/ Linux Programming References: [Richard Stevens]UNIX Network Programming [ Neil Ma^hew] Beginning Linux Programming Vmware Network: What is the differences among NAT, Host only and Bridge: h^p://blog- rat.blogspot.com/2009/05/bridged- vs- host- only- vs- nat.html
Libpcap Programming: Packet Sniffing for Security libpcap is an open source C library for pusng your NIC in promiscuous mode. Today I ll go over a few C gotchas and how to use the libpcap API Now, many wrappers for cap have developed to support other programming language, such as: pylibpcap for python, jnetpcap for Java IntroducCon libpcap is an open source C library for pusng your NIC in promiscuous mode. Today I ll go over a few C gotchas and how to use the libpcap API 24
Agenda Installing libpcap Basic libpcap program Grab a device to sniff Filters/Event Loops Packet structure 25 Linux: for Ubuntu user: Gesng the library sudo apt- get install libpcap- dev Compiled from source: h9p://sourceforge.net/projects/libpcap/ 26
Install on Linux gunzip libpcap- 0.7.1.tar.gz tar - xvf libpcap- 0.7.1.tar cd libpcap- 0.7.1./configure make 27 Overview of libpcap Open live What to include and how to compile Going Live ether Main Event Loop Reading from a packet Filters TCP UDP IP ARP ICMP 28
What to include and how to compile gcc sniff.c - lpcap o sniff You must be root or admin Some headers I ve used. #include <pcap.h> #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include<necnet/if_ether.h> #include<necnet/in.h> #include <necnet/ip.h> #include <necnet/tcp.h> #include <arpa/inet.h> For Windows,maybe you need: #include <winsock.h> 29 Gesng onto the NIC int main(int argc, char **argv) { char *dev; /* name of the device to use */ pcap_t* descr; /* pointer to device descriptor */ struct pcap_pkthdr hdr; /* struct: packet header */ const u_char *packet; /* pointer to packet */ bpf_u_int32 maskp; /* subnet mask */ bpf_u_int32 netp; /* ip */ char errbuf[pcap_errbuf_size]; /* ask pcap to find a valid device to sniff */ dev = pcap_lookupdev(errbuf); if(dev == NULL) { printf("%s\n",errbuf); exit(1); } printf("dev: %s\n",dev); 30
Going Live! descr = pcap_open_live(dev,bufsiz, 0, -1,errbuf); /* BUFSIZ is max packet size to capture, 0 is promiscous, -1 means don t wait for read to time out. */ if(descr == NULL) { printf("pcap_open_live(): %s\n",errbuf); } exit(1); AlternaCvely you can also use pcap_open_offline() to open a dump file 31 Once live, capture a packet. packet = pcap_next(descr, &hdr); if (packet == NULL) { printf( It got away!\n"); exit(1); } else printf( one lonely packet.\n ); return 0; } //end main 32
Main Event Loop void my_callback(u_char *useless,const struct pcap_pkthdr* pkthdr,const u_char* packet) { //do stuff here with packet } int main(int argc, char **argv) { //open and go live } pcap_loop(descr,-1,my_callback,null); return 0; 33 What is an ethernet header? From #include<necnet/if_ether.h> struct ether_header { u_int8_t ether_dhost[eth_alen]; /* 6 bytes destination */ u_int8_t ether_shost[eth_alen]; /* 6 bytes source addr */ u_int16_t ether_type; /* 2 bytes ID type */ } attribute (( packed )); Some ID types: #define ETHERTYPE_IP 0x0800 /* IP */ #define ETHERTYPE_ARP 0x0806 /* Address resolution */ Is this platform independent? 34
Cont. So we may need to swap bytes to read the data. struct ether_header *eptr; /* where does this go? */ eptr = (struct ether_header *) packet; /* Do a couple of checks to see what packet type we have..*/ if (ntohs (eptr->ether_type) == ETHERTYPE_IP) { printf("ethernet type hex:%x dec:%d is an IP packet\n", ntohs(eptr->ether_type), ntohs(eptr->ether_type)); } else if (ntohs (eptr->ether_type) == ETHERTYPE_ARP) { printf("ethernet type hex:%x dec:%d is an ARP packet\n, ntohs(eptr->ether_type), ntohs(eptr->ether_type)); } 35 Filter we don t need to see every packet! Filters are strings. They get compiled into programs struct bpf_program fp; //where does it go? Just before the event loop: if (pcap_compile(descr,&fp,argv[1],0,netp) == -1) { fprintf(stderr,"error calling pcap_compile\n"); exit(1); } if (pcap_setfilter(descr,&fp) == -1) { fprintf(stderr,"error setting filter\n"); exit(1); } 36
References h^p://www.cet.nau.edu/~mc8/socket/tutorials/ seccon1.html h^p://www.tcpdump.org/pcap.htm h^p://mixter.void.ru/rawip.html h^p://www.winpcap.org/docs/docs_40_2/html/ group wpcapsamps.html h^p://users.soe.ucsc.edu/~aneeman/libpcap.ppt