ICMP Server Called Logan

I had previously struggled to code up a client program similar to Loki. It sends out data using the ICMP protocol. The idea is to sneak past firewalls that do not block ICMP. Now I needed a server to listen for ICMP messages from my client. I will call this server program Logan.

Started off with some lessons learned from coding up Loki. Must run this program as Windows administrator to prevent the raw socket usage from being blocked. I was a bit confused about needing a call to bind() before I recvfrom(). However when I skipped the bind() call, I got error code 10022, also known as WSAEINVAL.

Okay. So I need to do a bind(). I want to get ICMP packets from anywhere. Therefore I specify an address of INADDR_ANY. But I need to set the port parameter too. The only problem is that, unlike TCP and UDP, ICMP does not use ports. It does not make sense. For now I am using port 7, also known by IPPORT_ECHO. Who knows? Maybe the port number is a don't care.

All I do know is that I can detect and capture packets sent by my Loki program. So the next step is to put intelligent messages in my ICMP packets to "do things" on the target computer. Let's maybe start with some cool but harmless actions and see where it leads. Eventually I will need to figure out how to distribute my server program and run it as Windows administrator.

Baby steps. One thing at a time first.


Rolling my own ICMP client

I searched around on the Internet for a program named Loki. It was supposed to send traffic using ICMP. The idea is to hide stuff in there that firewalls would not detect/block. I did find rumors of this program. But could not find the program or even the code for it. Damn.

What is a programmer to do? Write my own version I say. I broke out Microsoft Visual Studio and wrote some C++ code. There were surprisingly few lines of code in my program. Essentially I am making a socket() call to set up the communications, and a sendto() call to push out the data.

Unfortunately the socket() call kept failing with an error of 10013, which is also called WSAEACCES. This is some kind of permission denial on Windows. I tried overriding this by setting a value in the Windows registry. No luck. I am logged on as an administrator on my machine. So I should be able to open up a raw socket.

A couple of web sites gave me some other ideas. In the end, I had to start my Visual Studio IDE, running it as an administrator. So to begin I just was sending myself some ICMP packets. At least I thought I was. Downloaded Wireshark to record the output and prove the thing was working.

Initially Wireshark did not pick anything up. I broke out the Windows ping program to test Wireshark. It captured that data, but not my own program's messages. Then I modified my program to send some ICMP packets to Google instead of myself. Bam. We are rocking and rolling.

Right now I just send a bunch of garbage in my ICMP packets (sorry Google). And this is just the client end that sends messages. I need to write a server end that runs on another machine. And instead of sending garbage data, I might just have to send some commands over ICMP that "take control" so to say.

This has been an exciting start to researching programs of interest that bypass firewalls. There were some rough patches. But I am learning to power through adversity, like not being able to find my programs. Also broke out an old but good book "UNIX Network Programming" by Richard Stevens. Good stuff.
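
From the monitoring side, the gap described above (Wireshark showing the stock Windows ping next to a home-made ICMP sender) is the basis of a simple detection check. The following is an added example, not code from the original post: it validates the ICMP checksum and flags echo messages whose data matches neither the Windows ping.exe default payload nor the iputils ping default pattern. The names `classify_icmp` and `make_echo` are hypothetical, the sample packets are constructed, and the two-pattern allow list is a heuristic assumption.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

enum Verdict { NOT_ECHO, BAD_CHECKSUM, KNOWN_PING, SUSPICIOUS };

// RFC 1071 checksum; over a valid ICMP message (checksum field included) it is 0.
static uint16_t inet_checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (n) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

// Classify one ICMP message (the bytes that follow the IP header).
Verdict classify_icmp(const uint8_t *m, size_t n) {
    if (n < 8 || (m[0] != 8 && m[0] != 0) || m[1] != 0) return NOT_ECHO;
    if (inet_checksum(m, n) != 0) return BAD_CHECKSUM;
    const uint8_t *d = m + 8;          // echo data follows type/code/csum/id/seq
    size_t len = n - 8;
    // Windows ping.exe default: 32 bytes of a..w then a..i.
    if (len == 32 && memcmp(d, "abcdefghijklmnopqrstuvwabcdefghi", 32) == 0)
        return KNOWN_PING;
    // iputils ping default: 56 bytes, timestamp first, then d[i] == i.
    if (len == 56) {
        size_t i = 16;
        while (i < len && d[i] == (uint8_t)i) i++;
        if (i == len) return KNOWN_PING;
    }
    return SUSPICIOUS;                 // echo data matches no known ping tool
}

// Build a constructed echo request (type 8) around `data` for the demo below.
std::vector<uint8_t> make_echo(const uint8_t *data, size_t len) {
    std::vector<uint8_t> m = {8, 0, 0, 0, 0x12, 0x34, 0, 1};
    m.insert(m.end(), data, data + len);
    uint16_t c = inet_checksum(m.data(), m.size());
    m[2] = (uint8_t)(c >> 8); m[3] = (uint8_t)(c & 0xFF);
    return m;
}

int main() {
    const char *win = "abcdefghijklmnopqrstuvwabcdefghi";
    auto a = make_echo((const uint8_t *)win, 32);
    auto b = make_echo((const uint8_t *)"constructed payload", 19);
    printf("%d %d\n", classify_icmp(a.data(), a.size()), classify_icmp(b.data(), b.size()));
}
```

A SUSPICIOUS verdict is a lead for review rather than proof of tunnelling, since other legitimate tools send their own echo payloads.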

Covert ICMP using Loki

I have recently been made aware of lots of software. This is in the context of things that might compromise or help you punch through a firewall. So I have decided to go find said software and play with it. I figure the experience will be good.

First up on the list is Loki. This is a server on UNIX that lets you covertly communicate by hiding messages in ICMP packets. It is an old trick. Phrack magazine issue 49 from way back in 1996 introduced the idea. But it did not release the code or program.

Strangely enough, I was never able to locate the Loki program. Damn. How is a brother supposed to learn about this stuff? I know. I can roll my own version. I can write code. How hard could it be? Just got to study up a bit on ICMP, which I hope is fully documented. Then I am off to the races.

I think I am going to have to spin up a Linux instance somewhere to play with the software I find. Loki was for UNIX. And next I want to investigate netcat, which I presume is also a UNIX program. For now I can write my own Loki for Windows. But I can't write all the software. Who has time for that?

Cisco Packet Tracer

I downloaded this software for free from Cisco. From the name "Packet Tracer", you would think this is some type of packet capture/analysis tool similar to Wireshark. Nope. This is actually a network simulator and trainer. Of course all the components will be Cisco devices. But hey. It is free.

I went through an exercise in this tracer. My head is still reeling from all the terms. Basically I was setting up a virtual security appliance called the Cisco ASA 5505. Sure I could buy a physical box for $250 used. But this simulation made learning a lot easier. Plus the module gave me hints all throughout.

So far I configured some network interfaces, address translation, a DHCP server, authentication, a DMZ, static NAT to my server, and some ACLs. And that was just in the first hour. My head is definitely still spinning. This tool can definitely help you learn the Cisco operating system command line, as well as network security topics in general.

Gooligan Infects Older Versions of Android

Read an update from CheckPoint Software on Gooligan. This is some malware that compromises Google data access. You get infected by downloading fake apps onto your Android device. This affects versions 4 (Ice Cream Sandwich, Jellybean, Kit Kat) and 5 (Lollipop) of Android.

The kicker is that the fake apps come from third party app stores. You would not find these in the Google Play store. I see that there are a couple of themes in the fake apps that infect you:
  • Sex stuff (sex photo app, sex cademy app, and sexy hot wallpaper)
  • Games (HTML5 games, snake, slots mania)
  • Tools (wifi enhancer, GPS, youtubeplayer, calculator)
The apps download a rootkit. Then they do nasty things such as download other apps and even rate them on Google Play. The fix is to get some antivirus software pronto. And prevent it in the first place by steering clear of third party app stores. You never know what you are getting.

Crooks Getting Smarter

I logged into an old email account of mine recently. Saw a spam message from a few years ago. The thing was really good. Official looking return address at the top. No grammatical errors. Lots of specific numbers cited. Bitmap signature. Link to an official web site. Damn.

The real question is why are they sending me this spam? Are they trying to get some personal details out of me for a further hustle? Seems like a lot of hard work went into crafting this email. The only things that were sketchy were that the contents were all contained in a jpeg image, and they were telling me I won a lottery that I did not enter.

Crooks are getting better at running their scams. Watch out and warn your peoples.

The Cisco Command Line Interface

I have been digging in deep lately, trying to learn networking basics. Down at OSI layer 2. Studying how switches work in minute detail. Moving up to understand how routing works at OSI layer 3 as well. There is a lot going on.

Got access to a simulator. I can pretend to log into Cisco switches and routers. Access them through a command line interface (CLI). The problem is that there is a whole language I got to learn. It also feels like a wonky version of MS-DOS.

Just when I thought all was lost, I got ahold of a "cheat sheet" full of Cisco commands. I was off to the races ... until I discovered the cheat sheet was locked. It was distributed in the form of a PDF. But the file had security turned on, and I could not even print out the damn thing.

Well PDFUnlock came to the rescue. My file was a small one. PDFUnlock lets you break the password for free online. That's a good URL to have if you get into a bind like I was. All right. Watch out world. I am gaining networking power as we speak.