Sniffing_Spoofing_ex

15.1. In the pcap-based sniffer program shown in Listing C.4 (C is the chapter number of the Packet Sniffing and Spoofing chapter; its actual value depends on which version of the book you are using), we added a check to see whether handle is NULL or not. When running this program, we get an error message, saying "NULL: No such device". What is the cause of the problem?

handle = pcap_open_live("eth1", BUFSIZ, 1, 1000, errbuf);
if (handle == NULL) {
    perror("NULL");
}
Error message:
NULL: No such device


15.2. In the pcap-based sniffer program shown in Listing C.4 (C is the chapter number of the Packet Sniffing and Spoofing chapter; its actual value depends on which version of the book you are using), we replace Line À with the following line. After that, when we run the sniffing program, we can only capture the packets in or out of our own computer, but we are not able to capture the packets among other computers that are on the same network. What is the cause of this problem?

handle = pcap_open_live("eth3", BUFSIZ, 0, 1000, errbuf);


15.3. Which line in Listing C.4 requires the root privilege (C is the chapter number of the Packet Sniffing and Spoofing chapter; its actual value depends on which version of the book you are using)? If you do not run the program with the root privilege, what is going to happen?


15.4. The pcap_setfilter() call in Listing C.4 sets the filter inside the kernel, so it seems that the root privilege is required for this call to be successful. Please design an experiment to either prove or disprove this hypothesis (C is the chapter number of the Packet Sniffing and Spoofing chapter; its actual value depends on which version of the book you are using).


15.5. There are two typical approaches for a sniffer program to filter out unwanted packets. The first approach gets all the packets from the system and then filters out the unwanted ones before presenting the results to users (or saving them to files). The second approach uses pcap_setfilter() to set the filter. Please describe the differences between these two approaches.


15.6. As we have learned, for a program to turn on promiscuous mode, or simply to be able to sniff packets on the local machine, the program needs a special privilege that normal users do not have. With this in mind, we checked the privilege of the wireshark process as follows:

$ pgrep wireshark
7598
$ ps -fp 7598
UID PID PPID C STIME TTY TIME CMD
seed 7598 1 0 10:01 ? 00:00:01 /usr/bin/wireshark

From the result, we can see that the UID (effective user ID) of the wireshark process is seed. We also know that wireshark can capture all the packets on the local network, regardless of whether a packet is to or from the machine where the program runs. This does not seem possible based on our knowledge of how sniffers work. Please conduct an investigation to solve this mystery.
Hint: start packet capturing in wireshark, and then show what child process is launched by wireshark. You can use the "pstree -p 7598" command to get the IDs of process 7598’s child processes. Focus on the program executed by the child processes.


15.7. The tcpdump program is also a sniffer program, which predates wireshark. This program only produces text-only output or saves the captured packets into files. The program needs to run with the root privilege. However, it comes with a -Z option, with which the tcpdump program drops privileges (if root) and changes the user ID to whatever is specified in the option. For example, if we use "-Z seed", the program's effective user ID will be dropped to seed. Please explain why this option is provided and how the program can still work after dropping the privilege.


15.8. Based on the investigation conducted in Problem 15.6, please describe how you can apply the Principle of Least Privilege to reduce the attack surface of the sniffer program shown in Listing C.3 (C is the chapter number of the Packet Sniffing and Spoofing chapter; its actual value depends on which version of the book you are using).
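An added example for Problems 15.7 and 15.8 (it is not code from the book; a raw AF_PACKET socket stands in for pcap_open_live(), and the user-name argument mimics tcpdump's -Z): the capture socket is opened while the process is still root, privileges are then dropped irreversibly, and the already-open socket keeps working while any new privileged operation is refused.

```c
#define _DEFAULT_SOURCE      /* setgroups() declaration in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>

/* Open a raw packet socket; like pcap_open_live(), this needs CAP_NET_RAW. */
int open_capture_socket(void)
{
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Permanently drop to uid/gid. Groups go first: after setuid() a process
   can no longer change them. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* like tcpdump -Z */
    int fd = open_capture_socket();                      /* while still root */
    struct passwd *pw;
    if (fd < 0) { perror("socket(AF_PACKET), run as root"); return 1; }
    pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "unknown user %s\n", user); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop"); return 1; }
    printf("euid=%u: capture fd %d stays open and keeps delivering frames\n",
           (unsigned)geteuid(), fd);
    /* Fresh privileged operations are now refused, which bounds what a bug in
       the packet-parsing code could do. */
    if (open_capture_socket() < 0)
        printf("second capture socket refused: %s\n", strerror(errno));
    return 0;
}
```

Run it as root with a user name to see both messages; as a normal user the first socket() call already fails, which is the same reason the unprivileged wireshark GUI in 15.6 must delegate capturing.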


15.9. An integer 0xAABBCCDD is stored in a memory address starting from 0x1000. If the machine is a Big-Endian machine, what is the value stored in addresses 0x1000, 0x1001, 0x1002, and 0x1003, respectively? If the machine is a Little-Endian machine, how is this integer stored?


15.10. A network protocol contains a four-byte integer, specifying the length of the payload in the packet. The implementation of this protocol has a mistake in it. When a packet is received, the protocol implementation needs to copy the payload to a buffer. It first copies the length field from the packet header to a variable, but the program forgets to convert the number into the host order. Assume the value of this variable is X. The program then allocates X bytes of memory to hold a copy of the payload. On a Little-Endian machine, if the payload of a received packet is 255 bytes, how much memory will be allocated? What is a likely consequence of this mistake?


15.11. Please describe the printing result of the following program on (1) a Little-Endian machine, and (2) a Big-Endian machine.

#include <stdio.h>
#include <arpa/inet.h>   /* htonl(), ntohl() */

int main(void)
{
    int a = 255;
    printf("%u\n", htonl(a));   /* host-to-network conversion of 255 */
    printf("%u\n", ntohl(a));   /* network-to-host conversion of 255 */
    return 0;
}
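An added example (not code from the book) that works Problems 15.9 through 15.11 on whatever host it runs on: it shows how 0xAABBCCDD sits in memory byte by byte, reads a constructed packet header whose length field is 255 both without and with ntohl() so the mistake in 15.10 can be observed directly, and prints the two conversions from 15.11.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed packet: 4-byte length field in network (big-endian) order,
   value 255, then a short payload. Not real captured data. */
static const uint8_t sample_packet[] = { 0x00, 0x00, 0x00, 0xFF, 'p', 'a', 'y' };
/* 1 if this host stores the least significant byte first (Little-Endian). */
int host_is_little_endian(void)
{
    uint32_t probe = 0x01020304;
    return *(const uint8_t *)&probe == 0x04;
}

/* Byte i of v as it sits in memory at address (&v)+i (Problem 15.9). */
uint8_t byte_at_offset(uint32_t v, int i)
{
    uint8_t bytes[4];
    memcpy(bytes, &v, sizeof bytes);
    return bytes[i];
}

/* The mistake from Problem 15.10: the field is copied out of the header
   and used as-is, so its bytes are interpreted in host order. */
uint32_t read_length_buggy(const uint8_t *pkt)
{
    uint32_t len;
    memcpy(&len, pkt, sizeof len);
    return len;
}
/* Correct version: convert from network order to host order first. */
uint32_t read_length_correct(const uint8_t *pkt)
{
    uint32_t len;
    memcpy(&len, pkt, sizeof len);
    return ntohl(len);
}

int main(void)
{
    printf("%s-endian host; 0xAABBCCDD at 0x1000..0x1003: %02X %02X %02X %02X\n",
           host_is_little_endian() ? "Little" : "Big", byte_at_offset(0xAABBCCDD, 0),
           byte_at_offset(0xAABBCCDD, 1), byte_at_offset(0xAABBCCDD, 2), byte_at_offset(0xAABBCCDD, 3));
    printf("length without ntohl: %u, with ntohl: %u (malloc of the former is ~4 GiB on LE)\n",
           read_length_buggy(sample_packet), read_length_correct(sample_packet));
    printf("htonl(255)=%u ntohl(255)=%u\n", htonl(255), ntohl(255)); /* Problem 15.11 */
    return 0;
}
```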


15.12. Assume that machines A and B are on the same network 10.3.2.0/24. Machine A sends out spoofed packets, and Machine B tries to sniff on the network. When Machine A spoofs packets with a destination 1.2.3.4, B can always observe the spoofed packets. However, when Machine A tries to spoof packets with a destination IP address 10.3.2.30, B cannot see the spoofed packets. There is nothing wrong with the spoofing or sniffing program. Apparently, the spoofed packet has never been sent out. What could be the reason?


15.13. A news report says that company XYZ’s network was attacked by outsiders, who apparently sent a lot of spoofed ARP requests/responses from remote machines to the company’s network, trying to launch ARP cache poisoning attacks. Please comment on whether this is fake news or not.


15.14. Is it possible to spoof a packet with a size larger than 65535, which is the upper limit of the IP packet size (the length field in the IP header has only 16 bits)?


15.15. In the past, one could send a broadcast packet to all the machines on a subnet. This is called Directed Broadcast. If the subnet is 10.0.2.0/24, the directed broadcast address is 10.0.2.255. How can this feature be used to launch a denial-of-service attack on a victim? Basically, the attacker would like to send a lot of packets to the target machine but cannot afford to do so directly, because the target has a larger bandwidth than the attacker, so a way is needed to turn one packet into many.


15.16. When a UDP server provides a response to a request, the size of the response packet is significantly larger than the size of the request packet. Explain how such a UDP server can be leveraged to magnify the attacker's power in a denial-of-service attack against a victim machine. Hint: search the term "UDP Amplification Attacks" to learn more about this type of attack.
